Secure BGP Template

! Our ASN is 64496
router bgp 64496
!
! Set graceful restart-time to 120 and stalepath-time to 360 for route handling optimization.
! Time listed is in seconds
bgp graceful-restart
!
! Don't wait for the IGP to catch up.
no synchronization
!
! Be a little more forgiving of an occasional missed keepalive.
no bgp fast-external-fallover
!
! Track and punt, via syslog, all interesting observations about our
! neighbors.
bgp log-neighbor-changes
!
! Set Maximum AS-Path Prepends to 10 to limit an insane number of prepends.
! The Cisco IOS command, which would limit prepends to a sane level would be :
bgp maxas-limit 10
! (supported from 12.2, 12.0(17)S, 12.2(33)SRA, 12.2SX and upwards, see
! http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_bgp1.html#wp1013932
! for more details)
!
! Announce our netblock(s) in a manner that does not increase CPU
! utilization. Redistributing from an IGP is dangerous as it increases
! the likelihood of flapping and instability. Redistributing static is
! more stable, but requires the CPU to peruse the routing table at a set
! interval to capture any changes. The network statement, combined with
! a null route, is the least expensive (in terms of CPU utilization) and
! most reliable (in terms of stability) option.
network 192.0.2.0 mask 255.255.255.0
!
! Our first neighbor, 10.10.5.1, is an eBGP peer with the ASN of 64511.
neighbor 10.10.5.1 remote-as 64511
!
! Cisco provides a TTL security check feature. This is designed
! to limit the number of remote devices that can send BGP (TCP
! 179) packets to our router. Ideally this will lock down BGP
! access to the remote peering router only; it will certainly
! help, especially when coupled with other security techniques
! such as ACLs. Note that this isn't a 100% solution in a LAN
! (e.g. peering exchange) environment. It also must be adjusted
! so that the correct number of hops is set. Please verify the
! hop count using the 'trace' command before setting this option.
! You can read more about this feature here:
! http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_btsh.html
!
neighbor 10.10.5.1 ttl-security hops 2
!
!
! Set for soft reconfiguration, thus preventing a complete withdrawal
! of all announced prefixes when clear ip bgp x.x.x.x is typed.
neighbor 10.10.5.1 soft-reconfiguration inbound
!
! Type in a description for future reference. Not everyone memorizes
! ASNs. :-)
neighbor 10.10.5.1 description eBGP with ISP64511
!
! Set up a password for authentication.
neighbor 10.10.5.1 password bgpwith64511
!
! Hard-set for version 4. Disabled BGP version negotiation, thus
! bringing the peering session on-line more quickly.
neighbor 10.10.5.1 version 4
!
! Block any inbound announcments that include bogon networks. A prefix
! list is used because it is:
!  1) Easier on the CPU than ACLs, and
!  2) Easier to modify.
! See the actual bogons prefix-list below.
neighbor 10.10.5.1 prefix-list bogons in
!
! Announce only those networks we specifically list. This also prevents
! the network from becoming a transit provider. An added bit of protection
! and good netizenship. See the announce prefix-list below.
neighbor 10.10.5.1 prefix-list announce out
!
! Prevent a mistake or mishap by our peer (or someone with whom our peer
! has a peering agreement) from causing router meltdown by filling the
! routing and BGP tables. This is a hard limit. At 75% of this limit,
! the IOS will issue log messages warning that the neighbor is approaching
! the limit. All log messages should be sent to a remote syslog host.
! The warning water mark can be modified by placing a value after the
! maximum prefix value, e.g. maximum-prefix 250000 50. This will set the
! IOS to issue warning messages when the neighbor reaches 50% of the limit.
! Note that this number may need to be adjusted upward in the future to
! account for growth in the Internet routing table.
neighbor 10.10.5.1 maximum-prefix 250000
!
! Our next neighbor is 10.10.10.1, an eBGP peer with the ASN of 64500.
neighbor 10.10.10.1 remote-as 64500
neighbor 10.10.10.1 ttl-security hops 2
neighbor 10.10.10.1 soft-reconfiguration inbound
neighbor 10.10.10.1 description eBGP with ISP64500
neighbor 10.10.10.1 password bgpwith64500
neighbor 10.10.10.1 version 4
neighbor 10.10.10.1 prefix-list bogons in
neighbor 10.10.10.1 prefix-list announce out
neighbor 10.10.10.1 maximum-prefix 350000
!
! This is our iBGP peer, 172.17.70.2.
neighbor 172.17.70.2 remote-as 64496
neighbor 172.17.70.2 ttl-security hops 2
neighbor 172.17.70.2 soft-reconfiguration inbound
!
! Again, a handy description.
neighbor 172.17.70.2 description iBGP with our other router
!
neighbor 172.17.70.2 password bgpwith64496
! Use the loopback interface for iBGP announcements. This increases the
! stability of iBGP.
neighbor 172.17.70.2 update-source Loopback0
neighbor 172.17.70.2 version 4
neighbor 172.17.70.2 next-hop-self
neighbor 172.17.70.2 prefix-list bogons in
neighbor 172.17.70.2 maximum-prefix 250000
!
! Do not automatically summarize our announcements.
no auto-summary
!
! If we have multiple links on the same router to the same AS, we like to
! put them to good use. Load balance, per destination, with maximum-paths.
! The limit is six. For our example, we will assume two equal size pipes
! to the same AS.
maximum-paths 2
!
! Now add our null route and the loopback/iBGP route. Remember to add
! more specific non-null routes so that the packets travel to their
! intended destination!
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.0.2.0 255.255.255.128 192.168.50.5
ip route 192.0.2.128 255.255.255.128 192.168.50.8
ip route 172.17.70.2 255.255.255.255 192.168.50.2
!
! We protect TCP port 179 (BGP port) from miscreants by limiting
! access. Allow our peers to connect and log all other attempts.
! Remember to apply this ACL to the interfaces of the router or
! add it to existing ACLs.
! Please note that ACL 185 would block ALL traffic as written. This
! is designed to focus only on protecting BGP. You MUST modify ACL
! 185 to fit your environment and approved traffic patterns.
access-list 185 permit tcp host 10.10.5.1 host 10.10.5.2 eq 179
access-list 185 permit tcp host 10.10.5.1 eq bgp host 10.10.5.2
access-list 185 permit tcp host 10.10.10.1 host 10.10.10.2 eq 179
access-list 185 permit tcp host 10.10.10.1 eq bgp host 10.10.10.2
access-list 185 permit tcp host 172.17.70.2 host 172.17.70.1 eq 179
access-list 185 permit tcp host 172.17.70.2 eq bgp host 172.17.70.1
access-list 185 deny tcp any any eq 179 log-input
!
! The announce prefix list prevents us from announcing anything beyond
! our aggregated netblock(s).
ip prefix-list announce description Our allowed routing announcements
ip prefix-list announce seq 5 permit 192.0.2.0/24
ip prefix-list announce seq 10 deny 0.0.0.0/0 le 32
!
! Team Cymru has removed all static bogon references from this template
! due to the high probability that the application of these bogon filters
! will be a one-time event. Unfortunately many of these templates are
! applied and never re-visited, despite our dire warnings that bogons do
! change.
!
! This doesn't mean bogon filtering can't be accomplished in an automated
! manner. Why not consider peering with our globally distributed bogon
! route-server project? Alternately you can obtain a current and well
! maintained bogon feed from our DNS and RADb services. Read more at the
! link below to learn how!
!
!   https://www.team-cymru.org/Services/Bogons/
!
! END

== CBT BGP ==

Last watched: 03