Welcome to TiddlyWiki created by Jeremy Ruston, Copyright © 2007 UnaMesa Association
My name is Thomas Mangin
You can find more professional information about me [[here|http://www.linkedin.com/in/thomasmangin]]
My PGP key is available [[here|http://www.exa-networks.co.uk/pgp.html]]
You can email me at firstname @ surname dot com
Should you want to link to this site please use the domain thomas.mangin.com and use the link_ tags created on the page; for example this page can be linked as [[http://thomas.mangin.com/#tag:link_welcome|http://thomas.mangin.com/#tag:link_welcome]]
This configuration is quite old (I no longer use Cisco for eBGP); in particular the bogon list contains IPs which have since been allocated to LIRs. Also, the RIPE best-practice document no longer recommends route flap damping.
Route damping was left in but should really not be used, as recommended by [[ripe-378|http://www.ripe.net/ripe/docs/routeflap-damping.html]], which obsoletes ripe-229, ripe-210 and ripe-178.
The IP addresses are allocated following this [[Topology]]
{{{
! Undocumented command to improve the speed at which BGP routes are learned
spd headroom 1000
interface Loopback0
ip address 10.2.3.14 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
interface FastEthernet0/0
description "ISP Backbone"
ip address 10.0.0.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
ip route-cache flow
speed 100
ip route-cache same-interface
full-duplex
interface FastEthernet1/0
description "Primary Exchange Connection"
ip address 172.16.0.100 255.255.254.0
ip access-group network_isp_in in
ip access-group network_isp_out out
no ip redirects
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
no ip mask-reply
ip verify unicast reverse-path
rate-limit input access-group 110 2048000 8000 8000 conform-action transmit exceed-action drop
ip route-cache flow
speed 100
full-duplex
no cdp enable
! Improve the speed at which we learn BGP routes
hold-queue 1500 in
interface FastEthernet1/1
description "Secondary Exchange Connection"
ip address 172.16.2.100 255.255.254.0
ip access-group network_isp_in in
ip access-group network_isp_out out
no ip redirects
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
no ip mask-reply
ip verify unicast reverse-path
rate-limit input access-group 110 2048000 8000 8000 conform-action transmit exceed-action drop
ip route-cache flow
speed 100
full-duplex
no cdp enable
hold-queue 1500 in
router eigrp 65200
redistribute connected
redistribute static
passive-interface FastEthernet1/0
passive-interface FastEthernet1/1
network 10.2.2.0
distribute-list 10 out
no auto-summary
eigrp log-neighbor-changes
router bgp 65200
no synchronization
no bgp fast-external-fallover
bgp log-neighbor-changes
bgp dampening route-map graded-flap-dampening
maximum-paths 2
aggregate-address 10.0.0.0 255.254.0.0 summary-only
network 10.2.3.0
neighbor peer-ibgp peer-group
neighbor peer-ibgp remote-as 65200
neighbor peer-ibgp update-source Loopback0
neighbor peer-ibgp version 4
neighbor peer-ibgp send-community
neighbor peer-ibgp soft-reconfiguration inbound
neighbor peer-nap-high peer-group
neighbor peer-nap-high description "Peering (High Preference)"
neighbor peer-nap-high version 4
neighbor peer-nap-high next-hop-self
neighbor peer-nap-high send-community
neighbor peer-nap-high soft-reconfiguration inbound
neighbor peer-nap-high route-map peer-nap-high-in in
neighbor peer-nap-high route-map peer-nap-out out
neighbor peer-nap-high maximum-prefix 100
neighbor peer-nap-low peer-group
neighbor peer-nap-low description "Peering (Low Preference)"
neighbor peer-nap-low version 4
neighbor peer-nap-low next-hop-self
neighbor peer-nap-low send-community
neighbor peer-nap-low soft-reconfiguration inbound
neighbor peer-nap-low route-map peer-nap-low-in in
neighbor peer-nap-low route-map peer-nap-out out
neighbor peer-nap-low maximum-prefix 100
neighbor 10.2.3.10 peer-group peer-ibgp
neighbor 10.2.3.11 peer-group peer-ibgp
neighbor 10.2.3.12 peer-group peer-ibgp
neighbor 10.2.3.13 peer-group peer-ibgp
neighbor 10.2.3.15 peer-group peer-ibgp
neighbor 10.2.3.16 peer-group peer-ibgp
neighbor 10.2.3.17 peer-group peer-ibgp
neighbor 10.2.3.18 peer-group peer-ibgp
neighbor 172.16.0.10 remote-as 65300
neighbor 172.16.0.10 peer-group peer-nap-high
neighbor 172.16.0.10 description "ISP One Primary"
neighbor 172.16.0.10 maximum-prefix 1000
neighbor 172.16.2.10 remote-as 65300
neighbor 172.16.2.10 peer-group peer-nap-high
neighbor 172.16.2.10 description "ISP One Secondary"
neighbor 172.16.2.10 maximum-prefix 1000
neighbor 172.16.0.20 remote-as 65310
neighbor 172.16.0.20 peer-group peer-nap-low
neighbor 172.16.0.20 description "ISP Two Primary"
neighbor 172.16.2.20 remote-as 65310
neighbor 172.16.2.20 peer-group peer-nap-low
neighbor 172.16.2.20 description "ISP Two Secondary"
distribute-list prefix bogon-external out FastEthernet0/0
distribute-list prefix bogon-internal in FastEthernet0/0
distribute-list prefix bogon-internal out FastEthernet1/0
distribute-list prefix bogon-external in FastEthernet1/0
distribute-list prefix bogon-internal out FastEthernet1/1
distribute-list prefix bogon-external in FastEthernet1/1
no auto-summary
ip flow-export source Loopback0
ip flow-export version 5 peer-as
ip flow-export destination 10.2.3.205 2055
ip bgp-community new-format
ip as-path access-list 60 permit ^$
ip as-path access-list 50 permit .*
ip as-path access-list 70 permit ^$
ip as-path access-list 70 permit ^65350_
ip as-path access-list 70 permit ^65360_
ip as-path access-list 100 permit ^65350_
ip as-path access-list 105 permit ^65360_
ip pim bidir-enable
ip as-path access-list 10 deny _(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5])_
ip as-path access-list 10 permit .*
ip prefix-list bogon-external seq 1 deny 0.0.0.0/0
ip prefix-list bogon-external seq 10 deny 0.0.0.0/7 le 32
ip prefix-list bogon-external seq 20 deny 2.0.0.0/8 le 32
ip prefix-list bogon-external seq 30 deny 5.0.0.0/8 le 32
ip prefix-list bogon-external seq 40 deny 7.0.0.0/8 le 32
ip prefix-list bogon-external seq 50 deny 10.0.0.0/8 le 32
ip prefix-list bogon-external seq 60 deny 23.0.0.0/8 le 32
ip prefix-list bogon-external seq 70 deny 27.0.0.0/8 le 32
ip prefix-list bogon-external seq 80 deny 31.0.0.0/8 le 32
ip prefix-list bogon-external seq 90 deny 36.0.0.0/7 le 32
ip prefix-list bogon-external seq 100 deny 39.0.0.0/8 le 32
ip prefix-list bogon-external seq 110 deny 41.0.0.0/8 le 32
ip prefix-list bogon-external seq 120 deny 42.0.0.0/8 le 32
ip prefix-list bogon-external seq 130 deny 49.0.0.0/8 le 32
ip prefix-list bogon-external seq 140 deny 50.0.0.0/8 le 32
ip prefix-list bogon-external seq 150 deny 58.0.0.0/7 le 32
ip prefix-list bogon-external seq 160 deny 60.0.0.0/8 le 32
ip prefix-list bogon-external seq 170 deny 70.0.0.0/7 le 32
ip prefix-list bogon-external seq 180 deny 72.0.0.0/5 le 32
ip prefix-list bogon-external seq 190 deny 83.0.0.0/8 le 32
ip prefix-list bogon-external seq 200 deny 84.0.0.0/6 le 32
ip prefix-list bogon-external seq 210 deny 88.0.0.0/5 le 32
ip prefix-list bogon-external seq 220 deny 96.0.0.0/3 le 32
ip prefix-list bogon-external seq 230 deny 169.254.0.0/16 le 32
ip prefix-list bogon-external seq 240 deny 172.16.0.0/12 le 32
ip prefix-list bogon-external seq 250 deny 192.0.2.0/24 le 32
ip prefix-list bogon-external seq 260 deny 192.168.0.0/16 le 32
ip prefix-list bogon-external seq 270 deny 197.0.0.0/8 le 32
ip prefix-list bogon-external seq 280 deny 198.18.0.0/15 le 32
ip prefix-list bogon-external seq 290 deny 201.0.0.0/8 le 32
ip prefix-list bogon-external seq 300 deny 222.0.0.0/7 le 32
ip prefix-list bogon-external seq 310 deny 224.0.0.0/3 le 32
ip prefix-list bogon-external seq 500 deny 159.101.0.0/16 le 32
ip prefix-list bogon-external seq 510 deny 10.0.0.0/16 le 32
ip prefix-list bogon-external seq 520 deny 10.1.0.0/16 le 32
ip prefix-list bogon-external seq 900 permit 0.0.0.0/0 le 24
ip prefix-list bogon-internal seq 1 deny 0.0.0.0/0
ip prefix-list bogon-internal seq 10 deny 0.0.0.0/7 le 32
ip prefix-list bogon-internal seq 20 deny 2.0.0.0/8 le 32
ip prefix-list bogon-internal seq 30 deny 5.0.0.0/8 le 32
ip prefix-list bogon-internal seq 40 deny 7.0.0.0/8 le 32
ip prefix-list bogon-internal seq 50 deny 10.0.0.0/8 le 32
ip prefix-list bogon-internal seq 60 deny 23.0.0.0/8 le 32
ip prefix-list bogon-internal seq 70 deny 27.0.0.0/8 le 32
ip prefix-list bogon-internal seq 80 deny 31.0.0.0/8 le 32
ip prefix-list bogon-internal seq 90 deny 36.0.0.0/7 le 32
ip prefix-list bogon-internal seq 100 deny 39.0.0.0/8 le 32
ip prefix-list bogon-internal seq 110 deny 41.0.0.0/8 le 32
ip prefix-list bogon-internal seq 120 deny 42.0.0.0/8 le 32
ip prefix-list bogon-internal seq 130 deny 49.0.0.0/8 le 32
ip prefix-list bogon-internal seq 140 deny 50.0.0.0/8 le 32
ip prefix-list bogon-internal seq 150 deny 58.0.0.0/7 le 32
ip prefix-list bogon-internal seq 160 deny 60.0.0.0/8 le 32
ip prefix-list bogon-internal seq 170 deny 70.0.0.0/7 le 32
ip prefix-list bogon-internal seq 180 deny 72.0.0.0/5 le 32
ip prefix-list bogon-internal seq 190 deny 83.0.0.0/8 le 32
ip prefix-list bogon-internal seq 200 deny 84.0.0.0/6 le 32
ip prefix-list bogon-internal seq 210 deny 88.0.0.0/5 le 32
ip prefix-list bogon-internal seq 220 deny 96.0.0.0/3 le 32
ip prefix-list bogon-internal seq 230 deny 169.254.0.0/16 le 32
ip prefix-list bogon-internal seq 240 deny 172.16.0.0/12 le 32
ip prefix-list bogon-internal seq 250 deny 192.0.2.0/24 le 32
ip prefix-list bogon-internal seq 260 deny 192.168.0.0/16 le 32
ip prefix-list bogon-internal seq 270 deny 197.0.0.0/8 le 32
ip prefix-list bogon-internal seq 280 deny 198.18.0.0/15 le 32
ip prefix-list bogon-internal seq 290 deny 201.0.0.0/8 le 32
ip prefix-list bogon-internal seq 300 deny 222.0.0.0/7 le 32
ip prefix-list bogon-internal seq 310 deny 224.0.0.0/3 le 32
ip prefix-list bogon-internal seq 900 permit 0.0.0.0/0 le 24
ip prefix-list golden-networks description "root DNS server networks"
ip prefix-list golden-networks seq 100 permit 198.41.0.0/24
ip prefix-list golden-networks seq 105 permit 128.9.0.0/16
ip prefix-list golden-networks seq 110 permit 192.33.4.0/24
ip prefix-list golden-networks seq 115 permit 128.8.0.0/16
ip prefix-list golden-networks seq 120 permit 192.203.230.0/24
ip prefix-list golden-networks seq 125 permit 192.5.5.0/24
ip prefix-list golden-networks seq 130 permit 192.112.36.0/24
ip prefix-list golden-networks seq 135 permit 128.63.0.0/16
ip prefix-list golden-networks seq 140 permit 192.36.148.0/24
ip prefix-list golden-networks seq 145 permit 192.58.128.0/24
ip prefix-list golden-networks seq 150 permit 193.0.14.0/24
ip prefix-list golden-networks seq 155 permit 198.32.64.0/24
ip prefix-list golden-networks seq 160 permit 202.12.27.0/24
ip prefix-list golden-networks seq 165 permit 192.5.6.0/24
ip prefix-list golden-networks seq 170 permit 192.33.14.0/24
ip prefix-list golden-networks seq 175 permit 192.26.92.0/24
ip prefix-list golden-networks seq 180 permit 192.31.80.0/24
ip prefix-list golden-networks seq 185 permit 192.12.94.0/24
ip prefix-list golden-networks seq 190 permit 192.35.51.0/24
ip prefix-list golden-networks seq 195 permit 192.42.93.0/24
ip prefix-list golden-networks seq 200 permit 192.54.112.0/24
ip prefix-list golden-networks seq 205 permit 192.43.172.0/24
ip prefix-list golden-networks seq 210 permit 192.48.79.0/24
ip prefix-list golden-networks seq 215 permit 192.52.178.0/24
ip prefix-list golden-networks seq 220 permit 192.41.162.0/24
ip prefix-list golden-networks seq 225 permit 192.55.83.0/24
ip prefix-list max22-23 description Apply to /22 and /23 prefixes
ip prefix-list max22-23 seq 5 permit 0.0.0.0/0 ge 22 le 23
ip prefix-list min24 description Apply to /24 and longer prefixes
ip prefix-list min24 seq 5 permit 0.0.0.0/0 ge 24
ip access-list standard network_isp_in
deny 10.2.3.0 0.0.0.255 log
deny 10.0.0.0 0.0.255.255
deny 10.1.0.0 0.0.255.255
permit any
ip access-list standard network_isp_out
permit 10.2.3.0 0.0.0.255 log
permit 10.0.0.0 0.0.255.255
permit 10.1.0.0 0.0.255.255
permit 192.168.0.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
deny any
access-list 10 deny 0.0.0.0
access-list 10 permit any
access-list 11 permit 0.0.0.0
access-list 11 deny any
access-list 20 permit 10.2.3.200
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
route-map peer-nap-high-in permit 10
set ip next-hop peer-address
set local-preference 150
set community 65200:65400
route-map peer-nap-low-in permit 10
set ip next-hop peer-address
set local-preference 145
set community 65200:65400
route-map peer-nap-out permit 10
match as-path 70
set community 65200:65200
route-map graded-flap-dampening deny 10
match ip address prefix-list golden-networks
route-map graded-flap-dampening permit 20
match ip address prefix-list min24
set dampening 30 820 3000 60
route-map graded-flap-dampening permit 30
match ip address prefix-list max22-23
set dampening 15 750 3000 45
route-map graded-flap-dampening permit 40
set dampening 10 1500 3000 30
}}}
This configuration is quite old (as I do not use Cisco for EBGP anymore); in particular, the bogon list contains ~IPs which have since been allocated to LIRs. Also, the RIPE Best Practice document does not recommend route dampening anymore.
The IP addresses are allocated following this [[Topology]].
{{{
interface Loopback0
ip address 10.2.3.14 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
interface FastEthernet0/0
description "ISP Backbone"
ip address 10.0.0.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
ip route-cache flow
speed 100
ip route-cache same-interface
full-duplex
router eigrp 65200
redistribute connected
redistribute static
passive-interface FastEthernet1/0
passive-interface FastEthernet1/1
network 10.2.2.0
distribute-list 10 out
no auto-summary
eigrp log-neighbor-changes
router bgp 65200
no synchronization
no bgp fast-external-fallover
bgp log-neighbor-changes
maximum-paths 2
! relation with the other routers in the same AS
neighbor peer-ibgp peer-group
neighbor peer-ibgp remote-as 65200
neighbor peer-ibgp update-source Loopback0
neighbor peer-ibgp version 4
neighbor peer-ibgp send-community
neighbor peer-ibgp soft-reconfiguration inbound
! This customer only wants a default route
neighbor client-reliable-connection description "..."
neighbor client-reliable-connection ebgp-multihop 2
neighbor client-reliable-connection version 4
neighbor client-reliable-connection send-community
neighbor client-reliable-connection soft-reconfiguration inbound
neighbor client-reliable-connection route-map client-reliable-in in
neighbor client-reliable-connection route-map client-reliable-out out
neighbor client-reliable-connection default-originate
! This customer has a full feed and an unreliable connection
neighbor client-unreliable-connection description "..."
neighbor client-unreliable-connection ebgp-multihop 2
neighbor client-unreliable-connection version 4
neighbor client-unreliable-connection send-community
neighbor client-unreliable-connection soft-reconfiguration inbound
neighbor client-unreliable-connection route-map client-unreliable-in in
neighbor client-unreliable-connection route-map client-unreliable-out out
neighbor client-unreliable-connection timers 10
neighbor 10.2.3.10 peer-group peer-ibgp
neighbor 10.2.3.11 peer-group peer-ibgp
neighbor 10.2.3.12 peer-group peer-ibgp
neighbor 10.2.3.13 peer-group peer-ibgp
neighbor 10.2.3.15 peer-group peer-ibgp
neighbor 10.2.3.16 peer-group peer-ibgp
neighbor 10.2.3.17 peer-group peer-ibgp
neighbor 10.2.3.18 peer-group peer-ibgp
neighbor 192.168.0.254 remote-as 65350
neighbor 192.168.0.254 peer-group client-reliable-connection
neighbor 192.168.0.254 description "Client One"
neighbor 192.168.1.254 remote-as 65360
neighbor 192.168.1.254 peer-group client-unreliable-connection
neighbor 192.168.1.254 description "Client Two"
distribute-list prefix bogon-external out FastEthernet0/0
distribute-list prefix bogon-internal in FastEthernet0/0
no auto-summary
ip flow-export source Loopback0
ip flow-export version 5 peer-as
ip flow-export destination 10.2.3.205 2055
ip bgp-community new-format
ip as-path access-list 60 permit ^$
ip as-path access-list 50 permit .*
ip as-path access-list 70 permit ^$
ip as-path access-list 70 permit ^65350_
ip as-path access-list 70 permit ^65360_
ip as-path access-list 100 permit ^65350_
ip as-path access-list 105 permit ^65360_
ip pim bidir-enable
ip as-path access-list 10 deny _(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5])_
ip as-path access-list 10 permit .*
ip prefix-list bogon-external seq 1 deny 0.0.0.0/0
ip prefix-list bogon-external seq 10 deny 0.0.0.0/7 le 32
ip prefix-list bogon-external seq 20 deny 2.0.0.0/8 le 32
ip prefix-list bogon-external seq 30 deny 5.0.0.0/8 le 32
ip prefix-list bogon-external seq 40 deny 7.0.0.0/8 le 32
ip prefix-list bogon-external seq 50 deny 10.0.0.0/8 le 32
ip prefix-list bogon-external seq 60 deny 23.0.0.0/8 le 32
ip prefix-list bogon-external seq 70 deny 27.0.0.0/8 le 32
ip prefix-list bogon-external seq 80 deny 31.0.0.0/8 le 32
ip prefix-list bogon-external seq 90 deny 36.0.0.0/7 le 32
ip prefix-list bogon-external seq 100 deny 39.0.0.0/8 le 32
ip prefix-list bogon-external seq 110 deny 41.0.0.0/8 le 32
ip prefix-list bogon-external seq 120 deny 42.0.0.0/8 le 32
ip prefix-list bogon-external seq 130 deny 49.0.0.0/8 le 32
ip prefix-list bogon-external seq 140 deny 50.0.0.0/8 le 32
ip prefix-list bogon-external seq 150 deny 58.0.0.0/7 le 32
ip prefix-list bogon-external seq 160 deny 60.0.0.0/8 le 32
ip prefix-list bogon-external seq 170 deny 70.0.0.0/7 le 32
ip prefix-list bogon-external seq 180 deny 72.0.0.0/5 le 32
ip prefix-list bogon-external seq 190 deny 83.0.0.0/8 le 32
ip prefix-list bogon-external seq 200 deny 84.0.0.0/6 le 32
ip prefix-list bogon-external seq 210 deny 88.0.0.0/5 le 32
ip prefix-list bogon-external seq 220 deny 96.0.0.0/3 le 32
ip prefix-list bogon-external seq 230 deny 169.254.0.0/16 le 32
ip prefix-list bogon-external seq 240 deny 172.16.0.0/12 le 32
ip prefix-list bogon-external seq 250 deny 192.0.2.0/24 le 32
ip prefix-list bogon-external seq 260 deny 192.168.0.0/16 le 32
ip prefix-list bogon-external seq 270 deny 197.0.0.0/8 le 32
ip prefix-list bogon-external seq 280 deny 198.18.0.0/15 le 32
ip prefix-list bogon-external seq 290 deny 201.0.0.0/8 le 32
ip prefix-list bogon-external seq 300 deny 222.0.0.0/7 le 32
ip prefix-list bogon-external seq 310 deny 224.0.0.0/3 le 32
ip prefix-list bogon-external seq 500 deny 159.101.0.0/16 le 32
ip prefix-list bogon-external seq 510 deny 10.0.0.0/16 le 32
ip prefix-list bogon-external seq 520 deny 10.1.0.0/16 le 32
ip prefix-list bogon-external seq 900 permit 0.0.0.0/0 le 24
ip prefix-list bogon-internal seq 1 deny 0.0.0.0/0
ip prefix-list bogon-internal seq 10 deny 0.0.0.0/7 le 32
ip prefix-list bogon-internal seq 20 deny 2.0.0.0/8 le 32
ip prefix-list bogon-internal seq 30 deny 5.0.0.0/8 le 32
ip prefix-list bogon-internal seq 40 deny 7.0.0.0/8 le 32
ip prefix-list bogon-internal seq 50 deny 10.0.0.0/8 le 32
ip prefix-list bogon-internal seq 60 deny 23.0.0.0/8 le 32
ip prefix-list bogon-internal seq 70 deny 27.0.0.0/8 le 32
ip prefix-list bogon-internal seq 80 deny 31.0.0.0/8 le 32
ip prefix-list bogon-internal seq 90 deny 36.0.0.0/7 le 32
ip prefix-list bogon-internal seq 100 deny 39.0.0.0/8 le 32
ip prefix-list bogon-internal seq 110 deny 41.0.0.0/8 le 32
ip prefix-list bogon-internal seq 120 deny 42.0.0.0/8 le 32
ip prefix-list bogon-internal seq 130 deny 49.0.0.0/8 le 32
ip prefix-list bogon-internal seq 140 deny 50.0.0.0/8 le 32
ip prefix-list bogon-internal seq 150 deny 58.0.0.0/7 le 32
ip prefix-list bogon-internal seq 160 deny 60.0.0.0/8 le 32
ip prefix-list bogon-internal seq 170 deny 70.0.0.0/7 le 32
ip prefix-list bogon-internal seq 180 deny 72.0.0.0/5 le 32
ip prefix-list bogon-internal seq 190 deny 83.0.0.0/8 le 32
ip prefix-list bogon-internal seq 200 deny 84.0.0.0/6 le 32
ip prefix-list bogon-internal seq 210 deny 88.0.0.0/5 le 32
ip prefix-list bogon-internal seq 220 deny 96.0.0.0/3 le 32
ip prefix-list bogon-internal seq 230 deny 169.254.0.0/16 le 32
ip prefix-list bogon-internal seq 240 deny 172.16.0.0/12 le 32
ip prefix-list bogon-internal seq 250 deny 192.0.2.0/24 le 32
ip prefix-list bogon-internal seq 260 deny 192.168.0.0/16 le 32
ip prefix-list bogon-internal seq 270 deny 197.0.0.0/8 le 32
ip prefix-list bogon-internal seq 280 deny 198.18.0.0/15 le 32
ip prefix-list bogon-internal seq 290 deny 201.0.0.0/8 le 32
ip prefix-list bogon-internal seq 300 deny 222.0.0.0/7 le 32
ip prefix-list bogon-internal seq 310 deny 224.0.0.0/3 le 32
ip prefix-list bogon-internal seq 900 permit 0.0.0.0/0 le 24
! Not used
ip access-list standard network_isp_in
deny 10.2.3.0 0.0.0.255 log
deny 10.0.0.0 0.0.255.255
deny 10.1.0.0 0.0.255.255
permit any
! Not used
ip access-list standard network_isp_out
permit 10.2.3.0 0.0.0.255 log
permit 10.0.0.0 0.0.255.255
permit 10.1.0.0 0.0.255.255
permit 192.168.0.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
deny any
access-list 10 deny 0.0.0.0
access-list 10 permit any
access-list 11 permit 0.0.0.0
access-list 11 deny any
access-list 20 permit 10.2.3.200
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
route-map client-reliable-in permit 10
match as-path 100
set local-preference 150
route-map client-reliable-out deny 10
match ip address 11
route-map client-unreliable-in permit 10
match as-path 105
set local-preference 150
route-map client-unreliable-out deny 10
match as-path 50
}}}
This configuration is quite old (as I do not use Cisco for EBGP anymore); in particular, the bogon list contains ~IPs which have since been allocated to LIRs. Also, the RIPE Best Practice document does not recommend route dampening anymore.
The IP addresses are allocated following this [[Topology]].
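The prefix-lists and the as-path filter in the configuration above can be exercised offline before they reach a router. The following is an added example written for this page, not part of the original configuration or of any Cisco tool: it re-implements in Python the first-match, ge/le semantics of an IOS prefix-list and the '_' delimiter of Cisco as-path regular expressions, then runs the page's private-ASN filter and a cut-down copy of the bogon-internal list (the sample entries and the test prefixes and paths are constructed) against sample input. It also shows the cost of a stale bogon entry: a legitimate /16 out of 83.0.0.0/8 is silently dropped.

```python
"""Offline check of the IOS bogon prefix-list and private-ASN as-path filter
shown above. Added example, not part of the original page: it re-implements
the first-match semantics of 'ip prefix-list' (ge/le bound the candidate's
prefix length, an implicit deny ends the list) and the Cisco as-path regex
'_' delimiter, so a policy can be tested before it is pushed to a router."""
import ipaddress
import re

# Constructed cut-down copy of the page's bogon-internal list (same syntax).
# 83.0.0.0/8 is kept on purpose: it is one of the stale entries the note
# above warns about, so a legitimate /16 out of it is silently dropped.
PREFIX_LIST = """
ip prefix-list bogon-internal seq 1 deny 0.0.0.0/0
ip prefix-list bogon-internal seq 50 deny 10.0.0.0/8 le 32
ip prefix-list bogon-internal seq 190 deny 83.0.0.0/8 le 32
ip prefix-list bogon-internal seq 250 deny 192.0.2.0/24 le 32
ip prefix-list bogon-internal seq 900 permit 0.0.0.0/0 le 24
"""

# The page's as-path access-list 10, rejoined onto one line: reject any
# private ASN (64512-65535) anywhere in the path.
PRIVATE_ASN_RE = (r"_(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]"
                  r"|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5])_")

_ENTRY = re.compile(
    r"ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$")


def parse_prefix_list(text):
    """Return (seq, action, network, ge, le) tuples in evaluation order."""
    entries = []
    for line in text.strip().splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            raise ValueError("unparsable prefix-list line: " + line)
        net = ipaddress.ip_network(m["prefix"])
        if m["ge"] is None and m["le"] is None:
            ge = le = net.prefixlen          # no ge/le: exact length only
        else:
            ge = int(m["ge"]) if m["ge"] else net.prefixlen
            le = int(m["le"]) if m["le"] else 32
        entries.append((int(m["seq"]), m["action"], net, ge, le))
    return sorted(entries, key=lambda e: e[0])


def prefix_list_action(entries, prefix):
    """First matching entry wins; IOS denies anything no entry matches."""
    cand = ipaddress.ip_network(prefix)
    for _seq, action, net, ge, le in entries:
        if cand.subnet_of(net) and ge <= cand.prefixlen <= le:
            return action
    return "deny"


def ios_regex_to_python(pattern):
    """Cisco '_' matches the start or end of the path, a space, a comma or
    a brace/parenthesis; spell that out for Python's re module."""
    return pattern.replace("_", r"(?:^|$|[ ,{}()])")


def path_has_private_asn(as_path):
    """as_path is the space-separated AS_PATH as 'show ip bgp' prints it."""
    return re.search(ios_regex_to_python(PRIVATE_ASN_RE), as_path) is not None


def asns_rejected_by_filter():
    """Every 16-bit ASN the filter rejects when it is the only AS in the path;
    should be exactly 64512..65535 if the regex has no gap."""
    return {asn for asn in range(1, 65536) if path_has_private_asn(str(asn))}


if __name__ == "__main__":
    entries = parse_prefix_list(PREFIX_LIST)
    for p in ("10.2.3.0/24", "83.1.0.0/16", "198.51.100.0/24", "198.51.100.0/25"):
        print(f"{p:18} -> {prefix_list_action(entries, p)}")
    for path in ("3356 1299", "3356 64512", "3356 164512"):
        print(f"{path:14} -> {'drop' if path_has_private_asn(path) else 'accept'}")
    print("regex covers exactly 64512-65535:",
          asns_rejected_by_filter() == set(range(64512, 65536)))
```

Note that the trailing `permit 0.0.0.0/0 le 24` also drops every prefix longer than /24, which is intended, and that the page's own customer ASNs (65350, 65360) are themselves in the private range, so as-path list 10 must not be applied to paths that still carry them.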
This template is incomplete (written quite a few years ago; it may be IOS 12.1 syntax) but still useful.
{{{
! Help telnet connection
service nagle
no service pad
! Deal with dead connections gracefully
service tcp-keepalives-in
service tcp-keepalives-out
! Logging information structure
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service slave-log
service password-encryption
! Remove all useless services
no service compress-config
no service udp-small-servers
no service tcp-small-servers
no service config
no service dhcp
no ip bootp server
no ip finger
no ip identd
! _Only_ use if you are really concerned about the router physical security
! no service password-recovery
! Router name
hostname my_router
! Log in memory and not to the console
logging buffered 16384 errors
no logging console
! Create a user (for telnet and console login). Prefer 'username ... secret'
! over 'password': 'service password-encryption' only applies the reversible
! type 7 scheme, whereas 'secret' stores a hash.
username the_login_name password 0 the_password
! Set a password for privileged mode ('enable secret' stores a hash, 'enable password' does not)
enable secret 0 the_enable_password
! Set time for UK
clock timezone GMT 0
clock summer-time BST recurring
! Allow use of all subnet
ip subnet-zero
! Do not allow packet to specify their own route
no ip source-route
! Enable Cisco Express Forwarding technology
ip cef
! Do not do any host lookup but configure it should we want it
no ip domain-lookup
ip domain-list isp.net.uk
ip domain-list .
ip domain-name isp.net.uk
ip name-server 10.0.0.1
ip name-server 10.1.0.1
! Always use loopback for management and logging
interface Loopback0
description "Management Interface"
ip address xxx.xxx.xxx.xxx 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
interface FastEthernet0/0
description "ISP Backbone"
no ip address
shutdown
! Please look at the Cisco website for each of these options
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
! Force speed and duplex
speed 100
full-duplex
! optimise routing for traffic entering and leaving the same interface
ip route-cache same-interface
! Should you want to use EIGRP as IGP
router eigrp 65200
! let the other routers know what we know
redistribute connected
redistribute static
! but not the default route (see access-list 10 below)
distribute-list 10 out
! EIGRP performs automatic summarisation by default
no auto-summary
! Log neighbour flapping
eigrp log-neighbor-changes
! Allow any netmask size
ip classless
! Should we not know a route, send it to the EIGRP router which has a route for 10.0.1.0
ip default-network 10.0.1.0
! Do not allow http management
no ip http server
! Log all the information to a remote syslog server
logging trap debugging
logging facility local6
logging source-interface Loopback0
logging 10.2.3.201
! All but default route
access-list 10 deny 0.0.0.0
access-list 10 permit any
! Only the snmp server IP
access-list 20 permit 10.2.3.200
! Match ICMP traffic
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
! Allow snmp monitoring from the snmp server only
snmp-server community snmp_community_password RO 20
snmp-server host 10.2.3.200 snmp_community_password
! Banner shown when telnetting to the router
banner login ^C
*******************************************************************************
NOTICE TO USERS
This equipment is for authorized use only. Users (authorized or unauthorized)
have no explicit or implicit expectation of privacy.
Any or all uses of this system and all files on this system may be intercepted,
monitored, recorded, copied, audited, inspected, and disclosed to authorized
site and law enforcement personnel.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the discretion of
authorized site.
Unauthorized or improper use of this system may result in administrative
disciplinary action and civil and criminal penalties. By continuing to use
this system you indicate your awareness of and consent to these terms and
conditions of use.
LOG OFF NOW if you do not agree to the conditions stated in this warning.
ISP - noc@isp.net.uk - Phone number : 00 44 ..........
*******************************************************************************
^C
! Protect the router: ask for a username and password, then the enable password
line con 0
login local
line aux 0
login local
transport input all
transport output none
line vty 0 4
! A one-hour timeout is not very secure but much more practical
exec-timeout 60 0
login local
! Keep a larger command history
history size 256
! Keep the router time correct
ntp server 10.2.3.202
}}}
This patch was ''not'' created for load balancing web requests.
If you want to achieve this kind of thing, try looking at [[LVS|http://www.linuxvirtualserver.org/]], [[Ultra Monkey|http://www.ultramonkey.org/]], [[wackamole|http://www.backhand.org/wackamole/]] and [[spread|http://www.spread.org/]], which is surely what you want. An explanation of the why and how can be found on [[Jonathan de Boyne Pollard's site|http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-round-robin-is-useless.html]].
This patch was created to help balance traffic between a cluster of MX front-ends and a farm of virus scanners. A failed connection to a scanner that is part of the round-robin group causes the next email delivery attempt to go to another machine, allowing scanners to be removed from the farm with minimal impact on mail transit time.
The patch for the djbdns caching application (dnscache, not the authoritative name server tinydns) can be downloaded [[here|/data/source/djbdns-round-robin.patch.bz2]].
!Todo
I wrote this ages ago; this document does not cover the problems associated with:
* reverse zones
* problems with secondary servers
* zone transfers from ISP to ISP.
!Prelude
DNS is the service on which the Internet is built; strangely, it is often overlooked.
In order to provide the best possible reliability, a lot of energy is put into the hosting: all major e-commerce sites are load-balanced, with redundant database back-ends, and so on.
Without resilient and reliable DNS servers, no one can hope to run any Internet service smoothly. Yet many highly redundant web servers rest on weak DNS foundations.
DNS is often misunderstood and assumed to be resistant to failure "by design". Those who think so will probably suffer a DNS outage sooner or later, one that could easily have been avoided by taking a little care.
DNS resilience should be the second concern after routing resilience. In my experience, many ISPs and large accounts do not have reliable DNS.
!!Getting more information
This document is not intended to explain DNS basics but to give good practical advice. If you want to learn more about DNS and work out which DNS software is right for you, please consult the very good DJBDNS FAQ at http://cr.yp.to/djbdns/faq.html
You will probably find these pages very interesting as well:
* http://www.djbdns.org/
* http://www.lifewithdjbdns.org/
* http://homepages.tesco.net/~J.deBoynePollard/FGA/
* http://www.fefe.de/djbdns
* http://www.bgpdns.org/
* http://www.ripe.net/ripencc/pub-services/db/whois/whois.html
* http://nms.lcs.mit.edu/projects/dns/
* http://www.cymru.com/Documents/secure-bind-template.html
Please do not contact me to fix your DNS. Even though I am literate in both DJBDNS and BIND, I do not wish to spend my time supporting them. Please refer to your ISP's support department, read the ~FAQs, read the newsgroups; most BIND questions have already been answered numerous times.
However, please feel free to report any fault or inexactitude in this document.
!Good DNS records
Having reliable and resilient DNS servers is only the first step towards secure DNS information. Hosting valid and well-formed DNS data is crucial as well.
Lots of good books such as "DNS and BIND" will provide you with all the information you need to configure BIND. However, a well-formed BIND file is only the start of good DNS management.
!!DNS examples used
The following domains will be used as examples within this document:
/var/named/domain.net on ns0.domain.net
domain.net, the firm's main domain name (i.e. bbc.co.uk, cnn.com, isp.net):
{{{
$ORIGIN domain.net.
domain.net. 86400 IN SOA ns0.domain.net. hostmaster.domain.net. (
2002020819 28800 7200 604800 86400 )
NS ns0.domain.net.
NS ns1.domain.net.
NS ns2.domain.net.
MX 10 mx
MX 20 secondary
mx A 10.0.0.25
A 10.0.0.26
A 10.0.0.27
A 10.0.0.28
secondary A 169.254.0.25
A 169.254.0.26
A 169.254.0.27
A 169.254.0.28
ns0 A 10.0.0.1
ns1 A 10.0.0.2
ns2 A 10.0.0.3
ns-secondary0 A 10.0.0.4
ns-cache0 A 10.0.0.5
ns-cache1 A 10.0.0.6
ns-staff0 A 192.168.0.254
smtp A 10.0.0.25
pop CNAME pop3
pop3 A 10.0.0.110
imap CNAME imap4
imap4 A 10.0.0.143
webmail A 10.0.0.443
www A 10.0.0.80
staff NS ns-staff0
NS ns-secondary0
}}}
/var/named/staff.domain.net on ns-staff0.domain.net
staff.domain.net, a delegated domain used by the employees for their own sites:
{{{
$ORIGIN staff.domain.net.
staff.domain.net. 86400 IN SOA ns-staff0.domain.net. hostmaster.domain.net. (
2002021312 28800 7200 604800 86400 )
NS ns-staff0.domain.net.
A 192.168.0.80
MX 10 mx.domain.net.
MX 20 secondary.domain.net.
firewall A 192.168.0.254
smtp A 192.168.0.25
www CNAME firewall
* CNAME www
; no 'www.*' line is needed: the '*' wildcard above already matches www.<name>,
; and '*' only acts as a wildcard when it is the leftmost label
}}}
/var/named/customer.com on ns0.domain.net
customer.com, a domain managed by domain.net and owned by one of its customers:
{{{
$ORIGIN customer.com.
customer.com. 86400 IN SOA ns0.domain.net. hostmaster.domain.net. (
2002020819 28800 7200 604800 86400 )
NS ns0.domain.net.
NS ns1.domain.net.
NS ns2.domain.net.
MX 10 mx.domain.net.
MX 20 secondary.domain.net.
smtp CNAME smtp.domain.net.
pop CNAME pop.domain.net.
imap CNAME imap.domain.net.
www CNAME www.domain.net.
}}}
/var/named/0.168.192.in-addr.arpa on ns0.domain.net
0.168.192.in-addr.arpa is the zone which provides the IP-to-name (reverse) mapping for 192.168.0.0/24:
{{{
$ORIGIN 0.168.192.in-addr.arpa.
0.168.192.in-addr.arpa. 86400 IN SOA ns0.domain.net. hostmaster.domain.net. (
2002021415 28800 7200 604800 86400 )
2002021415 28800 7200 604800 86400 )
NS ns0.domain.net.
NS ns1.domain.net.
NS ns2.domain.net.
; RFC 1101 convention: the network number carries its netmask and network name
0 A 255.255.255.0
PTR domain.net.
1 PTR server-at-ip-1.domain.net.
PTR another-server-at-ip-1.domain.net.
25 PTR smtp.staff.domain.net.
254 PTR firewall.staff.domain.net.
}}}
!DNS records context
domain.net is an ISP or firm domain. The DNS servers ns0, ns1 and ns2 for domain.net. are known to the servers of the parent zone (.net), i.e. they have glue records there.
This domain contains all the services that the users of the domain need to access, such as:
* pop
* smtp
* www
The domain staff.domain.net. is a delegation controlled by the employees and is used for the staff web server; customer.com is a customer's domain.
staff.domain.net only has one DNS server as it is a non-critical service. In this example, DNS is provided by the same server which provides mail and web. This is the only case where you should (reluctantly) allow a zone to have a single name server. Note that the delegation in domain.net also lists ns-secondary0: whichever servers you choose, the NS set in the parent zone and in the child zone must agree, otherwise the extra server is a lame delegation.
!DNS code of conduct
As a general rule, all services which are going to be used by an end-user (understand: everyone outside the firm's IT department) should always be on different IP addresses, even if all services are provided by a single computer.
This is important to make sure that you can migrate any service from the server at any time without disturbing end-users. Using FQDNs is not sufficient, as you cannot be sure that end-users have not misconfigured their computers with the raw IP address.
As a golden rule, do not use a single "mail" record for the SMTP, POP and IMAP services, as this limits your scalability options. There is no such thing as a mail service.
Also, keep the SMTP and MX records separate. It allows simple round-robin for the MX service. Ultimately you may have to put all customer-accessible services, such as SMTP, POP, IMAP and HTTP, behind load balancers to provide the highest availability possible.
In the case of SMTP, you can probably use the same server as for MX. However, the secondary MX server will most probably be located outside your network to avoid mail bouncing in case of a network outage.
Whenever possible, try to use reserved "class C" addresses to preserve the pool of real-world addresses. Reserved addresses are IP addresses you cannot find on the Internet; they are reserved for office and private network use (RFC 1918). The most frequently used ranges are:
* 10.0.0.0/8
* 192.168.0.0/16
* 172.16.0.0/12
* 169.254.0.0/16 (used here for transfer networks; note that this is the link-local range, not one of the RFC 1918 private ranges)
Within the domain.net network, customers use the addresses of ns-cache0 and ns-cache1 as their resolving (recursive) DNS servers. ns0, ns1 and ns2 should only be queried by other DNS servers for authoritative answers; keeping the caches separate from the authoritative servers means a flood of recursive queries from customers cannot take your zones off the Internet.
The staff.domain.net domain makes use of a wildcard (star) to catch all names not already present in the list.
As a consequence, employees will be able to use surname-name.staff.domain.net and www.surname-name.staff.domain.net as names for their web site. No DNS change will be necessary when new staff start or leave the firm.
Be reminded that an MX record (or an NS record) must never point at a CNAME; the target must be a name with an A record (RFC 2181).
As well, if a customer is using your own mail servers, you should never redefine the MX service. Just use your own mx record in their zone file.
Finally, do not define customer services pointing to your servers by IP address; always alias them with CNAME records, so that moving your server does not require touching every customer zone.
As DNS is a caching system, changes that need to propagate quickly must be prepared in advance. To do so you can lower the TTL (Time To Live) of a record, which tells caches how long they may keep it. The TTL is expressed in seconds and is placed just after the name.
Please bear in mind that the first change performed on the zone file will take up to the previous TTL to be known by the whole Internet, because caches that already hold the record keep it until their own copy expires. Restarting your own caching DNS server only speeds up local updates.
For example, if you are planning to move your web server to another room and IP address:
Initial record
{{{
www A 10.0.0.80
}}}
Make sure you have a low TTL on your www record, then wait one full old TTL for the information to propagate.
TTL changed to 5 minutes
{{{
; www A 10.0.0.80
www 300 A 10.0.0.80
}}}
You can then move the web server to the new IP: if there are problems, you can change the address back to the previous one and it will be seen again in less than 5 minutes.
New address
{{{
; www 300 A 10.0.0.80
www 300 A 10.0.0.60
}}}
Do not forget to restore the default TTL once everything is fine.
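The following resolver-cache model is an added example, not part of the original page, to show why the TTL has to be lowered one full old TTL before the address changes: a cache that fetched the record just before the TTL drop keeps the old answer, with the old TTL, until its own copy expires. The record name, addresses and TTLs are taken from the example above; the query pattern (one lookup per second) and the function names are the example's own assumptions.

```python
"""Resolver-cache model for the TTL-lowering procedure above. Added example,
not from the original page. Times are in seconds; the cache is a caching
resolver such as ns-cache0, the authoritative side is ns0."""

OLD_TTL = 86400          # the zone's default TTL on the page (one day)
LOW_TTL = 300            # the 5-minute TTL used during the move
OLD_IP, NEW_IP = "10.0.0.80", "10.0.0.60"   # www before and after, as above


def published_record(t, lower_at, change_at):
    """What ns0 answers for 'www' at time t under the two-step procedure:
    the TTL is lowered at lower_at, the address changes at change_at."""
    address = NEW_IP if t >= change_at else OLD_IP
    ttl = LOW_TTL if t >= lower_at else OLD_TTL
    return address, ttl


class ResolverCache:
    """A caching resolver: it re-asks ns0 only once the TTL it received with
    its *own* last answer has run out, whatever ns0 publishes meanwhile."""

    def __init__(self, authoritative):
        self.authoritative = authoritative     # callable(t) -> (address, ttl)
        self.address, self.expires_at = None, float("-inf")

    def lookup(self, t):
        if t < self.expires_at:
            return self.address                # answered from cache
        self.address, ttl = self.authoritative(t)
        self.expires_at = t + ttl
        return self.address


def switch_delay(lower_at, change_at, fetch_at):
    """Seconds after change_at until a cache that last fetched 'www' at
    fetch_at (before the TTL was lowered) first hands out NEW_IP.
    One client query per second is simulated, so the result is exact."""
    cache = ResolverCache(lambda t: published_record(t, lower_at, change_at))
    t = fetch_at
    while t <= change_at + OLD_TTL + LOW_TTL:  # long enough for any TTL to run out
        if cache.lookup(t) == NEW_IP:
            return t - change_at
        t += 1
    raise AssertionError("cache never picked up the new address")


if __name__ == "__main__":
    # Too early: the address is changed one hour after the TTL drop. A cache
    # that fetched the record just before the drop serves OLD_IP for ~23 hours.
    print("changed after 1h :", switch_delay(lower_at=1, change_at=3600, fetch_at=0), "s stale")
    # Correct: wait one full old TTL, then change; staleness is bounded by LOW_TTL.
    print("changed after 24h:", switch_delay(lower_at=1, change_at=1 + OLD_TTL, fetch_at=0), "s stale")
```

The first run returns OLD_TTL minus the hour you waited; the second stays below LOW_TTL, which is the rollback window the text promises.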
!!Built-in failover limitations
Unlike the web, DNS was designed with server failure in mind. As it is a crucial service, it is possible to have more than one DNS server answering authoritatively for a domain. However, a common mistake is to think that having two DNS servers means you are safe. You should make sure that your DNS servers are on different networks, so that one router, link or power failure cannot take both down.
In order to achieve the best possible reliability, ISPs often have peering agreements to host each other's DNS servers.
For example, serious ISPs often have one of their authoritative DNS servers located on another backbone. It gives them protection against BGP problems and telco faults.
This is very important for mail servers which perform reverse DNS lookups: without this precaution any serious outage would cause mail to bounce.
Additional protection against deliberate denial-of-service attacks can also be deployed to ensure the highest possible DNS uptime.
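The rules from the code of conduct above, and the requirement that authoritative servers sit on different networks, can be checked mechanically. The following zone lint is an added example written for this page, not the page's or any project's code: it reads a small master-file zone (constructed after the domain.net example, with four deliberate mistakes) and reports MX or NS records pointing at a CNAME, alias targets missing their final dot, end-user services sharing one address, and name servers that all live in the same /24. The USER_SERVICES list, the rule names and the toy parser are the example's own assumptions.

```python
"""Zone lint for the DNS code of conduct above. Added example, not part of
the original page: a minimal master-file reader plus the checks the text
asks for, run over a constructed sample zone."""
import ipaddress
from collections import defaultdict

TYPES = {"SOA", "NS", "MX", "A", "CNAME", "PTR"}
# Names end-users type into mail and web clients; the page wants each on its own IP.
USER_SERVICES = {"smtp", "pop", "pop3", "imap", "imap4", "webmail", "www"}

# Constructed sample with four deliberate mistakes: the secondary MX is a
# CNAME, 'pop' has an unqualified target, pop3 and imap share one address,
# and all three name servers live in the same /24.
ZONE = """
$ORIGIN domain.net.
domain.net.  86400 IN SOA ns0.domain.net. hostmaster.domain.net. ( 2002020819 28800 7200 604800 86400 )
             NS  ns0.domain.net.
             NS  ns1.domain.net.
             NS  ns2.domain.net.
             MX  10 mx
             MX  20 secondary
mx           A   10.0.0.25
             A   10.0.0.26
secondary    CNAME mx
ns0          A   10.0.0.1
ns1          A   10.0.0.2
ns2          A   10.0.0.3
smtp         A   10.0.0.25
pop          CNAME pop3.domain.net
pop3         A   10.0.0.110
imap         A   10.0.0.110
www          A   10.0.0.80
"""


def qualify(name, origin):
    """Turn a relative owner or target into an absolute name, as BIND does."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text):
    """Minimal master-file reader: '[owner] [ttl] [IN] TYPE rdata', with
    $ORIGIN, the owner carried over when a line starts with whitespace,
    and ';' comments. Returns (origin, [(owner, type, rdata tokens)])."""
    origin, owner, records = ".", None, []
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        tokens = line.split()
        if not line[0].isspace():            # a new owner starts the line
            owner = qualify(tokens.pop(0), origin)
        while tokens[0] not in TYPES:        # skip optional TTL and class
            tokens.pop(0)
        records.append((owner, tokens[0], tokens[1:]))
    return origin, records


def lint(origin, records):
    """Apply the rules from the text; returns sorted (rule, detail) findings."""
    by_name, by_addr, findings = defaultdict(list), defaultdict(set), []
    for owner, rtype, rdata in records:
        by_name[owner].append((rtype, rdata))
        if rtype == "A":
            by_addr[rdata[0]].add(owner)
    cnames = {owner for owner, rtype, _ in records if rtype == "CNAME"}
    for owner, rtype, rdata in records:
        target = rdata[-1]
        # MX and NS must name a host with an A record, never an alias (RFC 2181).
        if rtype in ("MX", "NS") and qualify(target, origin) in cnames:
            findings.append((rtype.lower() + "-to-cname", f"{owner} {rtype} {target}"))
        # 'pop3.domain.net' without the final dot becomes pop3.domain.net.domain.net.
        if rtype == "CNAME" and "." in target and not target.endswith("."):
            findings.append(("unqualified-target", f"{owner} -> {qualify(target, origin)}"))
    # Each end-user service on its own address, so any one can move alone.
    for addr, owners in sorted(by_addr.items()):
        shared = sorted(o for o in owners if o.split(".")[0] in USER_SERVICES)
        if len(shared) > 1:
            findings.append(("shared-address", f"{addr}: {', '.join(shared)}"))
    # All authoritative servers inside one /24 share one router and one outage.
    ns_nets = set()
    for rtype, rdata in by_name[origin]:
        if rtype == "NS":
            for t, r in by_name[qualify(rdata[0], origin)]:
                if t == "A":
                    ns_nets.add(ipaddress.ip_network(r[0] + "/24", strict=False))
    if len(ns_nets) == 1:
        findings.append(("ns-same-network", str(ns_nets.pop())))
    return sorted(findings)


if __name__ == "__main__":
    for rule, detail in lint(*parse_zone(ZONE)):
        print(f"{rule:20} {detail}")
```

The /24 test is deliberately crude: two name servers in different /24s behind the same router still fail the intent of the rule, so treat a clean result as necessary, not sufficient.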
!!Number of DNS servers
For example, a small/medium ISP will have:
* two authoritative DNS servers in its network
* one authoritative DNS server located remotely
* one secondary DNS server for customers wanting control of their own zone
* four caching DNS servers for customers
DNS servers should be presented to customers ordered by proximity to their location (for obvious performance reasons: DNS is mostly UDP and resolvers try the servers in the order listed).
Fortunately, DNS servers can be assigned dynamically per customer at connection time for most DSL, ISDN or modem-like connections, making them easy to change and scale.
!!Local DNS
Every service which relies heavily on DNS, such as an SMTP server, should run its own local caching DNS server and have a resolv.conf like:
/etc/resolv.conf
{{{
# 'search' and 'domain' are mutually exclusive in resolv.conf (the last one
# wins), so only 'search' is kept here
search mydomain.com
nameserver 127.0.0.1
nameserver 10.0.0.1
nameserver 10.0.1.1
}}}
where 127.0.0.1 is the local cache and 10.0.0.1 and 10.0.1.1 are trusted DNS servers for the host to fall back on should the local server fail.
!!Delegation
Delegation can typically be used when you feel the need to register a new domain name such as domain-forum.com, domain-resellers.com, domain-users.com, domain-staff.com, etc.
It also allows content-filtering applications (such as ~N2H2, ~WebSense or ~SurfControl) to block a sub-site without affecting the main site, i.e. webnews.domain.com is better than www.domain.com/webnews (some newsgroups can carry adult material which may be unsuitable for young surfers).
Delegation allows you to create new domains, independent of your master domain name. These domains are real domains and as such can have different DNS servers as well as different mail or web servers.
The previous example names can be changed as follows:
|!delegated name|!|!registered name|
|forum.domain.com|instead of|domain-forum.com|
|resellers.domain.com|instead of|domain-resellers.com|
|users.domain.com|instead of|domain-users.com|
|staff.domain.com|instead of|domain-staff.com|
One obvious advantage is that you do not have to pay for a new domain name.
In addition, it is nearly impossible for a firm to market and advertise more than one domain name and network identity. By using delegation, end users feel secure as they recognise a known domain name.
Delegation can also be used to manage your DNS records. For example, if you provide DSL or a similar kind of connectivity, you may have in your DNS something like:
* dsl-10-0-0-1.domain.com
* dsl-10-0-0-2.domain.com
* ...
* dsl-10-0-0-253.domain.com
This makes the zone file fill up quickly, which is bad for both management and performance. This can be avoided by creating a dsl.domain.com zone:
* 10-0-0-1.dsl.domain.com
* 10-0-0-2.dsl.domain.com
* ...
* 10-0-0-253.dsl.domain.com
This is only practical if you have DNS management tools with an easy front-end. Remember to add these delegated domains to the search list in /etc/resolv.conf so that you do not have to type the FQDN (Fully Qual
ified Domain Name).
Zone delegation works quite well with split horizon: you can have a delegated domain for each office, like london.domain.com and paris.domain.com, and these domains are invisible outside the offices' firewalls.
Used in conjunction with the web, it is very handy for managing localisation: www.uk.domain.com can be hosted with the firm's UK ISP while www.fr.domain.com is hosted in France.
!!Whois and zone transfer
Whois is a tool to find information about a domain. It returns the authoritative DNS servers as well as some information regarding the registrar and registrant.
For example, the output of "whois bind.com" is:
{{{
Whois Server Version 1.3
Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: BIND.COM
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: NS1.DNS.WEBACT.COM
Name Server: NS2.DNS.WEBACT.COM
Name Server: NS3.DNS.WEBACT.COM
Name Server: NS4.DNS.WEBACT.COM
Updated Date: 07-jan-2002
>>> Last update of whois database: Tue, 5 Mar 2002 05:19:23 EST <<<
The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.
Found InterNIC referral to whois.networksolutions.com.
The Data in the VeriSign Registrar WHOIS database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information about
or related to a domain name registration record. VeriSign does not guarantee
its accuracy. Additionally, the data may not reflect updates to billing contact
information. By submitting a WHOIS query, you agree to use this Data only
for lawful purposes and that under no circumstances will you use this Data to:
(1) allow, enable, or otherwise support the transmission of mass unsolicited,
commercial advertising or solicitations via e-mail, telephone, or facsimile; or
(2) enable high volume, automated, electronic processes that apply to VeriSign
(or its computer systems). The compilation, repackaging, dissemination or
other use of this Data is expressly prohibited without the prior written
consent of VeriSign. VeriSign reserves the right to terminate your access to
the VeriSign Registrar WHOIS database in its sole discretion, including
without limitation, for excessive querying of the WHOIS database or for failure
to otherwise abide by this policy. VeriSign reserves the right to modify these
terms at any time. By submitting this query, you agree to abide by this policy.
Registrant:
Quest Technologies, Inc (BIND2-DOM)
2107 O St. NW
Washington, DC 20037
US
Domain Name: BIND.COM
Administrative Contact:
WebAct Administration (HFJTVUVSUO) abuse@WEBACT.COM
WebAct
2107 O St. NW
Washington, DC 20037
US
202-872-0883
Fax- 208-460-8163
Technical Contact:
WebAct Network Operations Center (DWOHKUSAGO) noc@WEBACT.COM
WebAct
2107 O St. NW
Washington, DC 20037
US
202-872-0883
Fax- 208-460-8163
Billing Contact:
WebAct Accounts Payable (XYYGBUVAFO) billing@WEBACT.COM
WebAct
2107 O St. NW
Washington, DC 20037
US
202-872-0883
Fax- 208-460-8163
Record last updated on 07-Jan-2002.
Record expires on 24-Aug-2002.
Record created on 23-Aug-1996.
Database last updated on 5-Mar-2002 03:30:00 EST.
Domain servers in listed order:
NS1.DNS.WEBACT.COM 207.76.173.19
NS2.DNS.WEBACT.COM 207.76.173.20
NS3.DNS.WEBACT.COM 207.76.173.128
NS4.DNS.WEBACT.COM 207.76.173.129
}}}
Zone transfer (AXFR) is a way to get a carbon copy of a zone from a DNS server. Many operators restrict it to their own secondaries, because an open zone transfer hands the complete list of a network's hosts to anyone scanning for weak machines; this reduces exposure, but it is security through obscurity and no substitute for securing the hosts themselves.
!Software
Misconfigured DNS servers can cause problems which are very hard to debug and can remain undetected for months.
If you are serious about DNS you have four options:
* not to use BIND 4.x
* not to use BIND 8.x
* not to use BIND 9.x
* to use software to manage your BIND files
It should be obvious to the reader that I like D. J. Bernstein's DJBDNS.
But if, after having spent some time reading the DJBDNS site, you still want to use BIND, you should use management software for BIND. BIND configuration files are confusing and mistake-prone: a badly placed character in a configuration file can cause BIND to refuse to reload or start.
I am very pleased with a web application called [[NameSurfer|http://www.nixusoftware.com/]]; I advise you to take a look at it (it is, however, far from free).
!Conclusion
When you manage your DNS:
* have at least one authoritative DNS server outside your network
* have a clear zone file template for your customers
* split services onto different IPs to force customers to use the right FQDN
* differentiate MX, secondary MX and SMTP to be able to scale your mail
* use sub-delegation
* use tools to keep your reverse DNS correct
!Glossary
A reserved class C IP is an IP address you cannot find on the Internet; it is reserved for office and private network use. The available ranges are listed at http://again.net/cidr. You can also consult RFC 1918.
Authoritative DNS
An authoritative DNS (an abuse of language for a DNS server containing authoritative DNS records) is a DNS server which holds the source information for a domain, is registered as such within the Internet, and answers as such when asked.
Glue Record
A glue record is an IP address kept by a DNS server in order to be able to locate another DNS server. This is used when a DNS server is authoritative for its own domain name.
i.e. if ns0.domain.net is authoritative for domain.net, the DNS servers in charge of the .net zone need to record the IP of ns0.domain.net in order for other DNS servers to contact it.
SOA: DNS record which indicates to the DNS server which server should act authoritatively.
NS: DNS record which indicates to the DNS server which server contains the DNS information for a given zone.
A: DNS record which indicates the IP address for a given name.
PTR: DNS record which indicates the name of a server given its IP. This is not managed automatically by DNS from the A and CNAME records; as a consequence the information can be missing or wrong.
Split horizon: split horizon DNS is used in conjunction with NAT and firewalls. It means that the DNS server answers internal DNS queries for local hosts and can resolve the IPs of external hosts as well.
FQDN: Fully Qualified Domain Name, the name of a computer in DNS including the full domain name. i.e. smtp.cnn.com is a FQDN; www or cnn.com are not.
The DNS root servers: www.domain.net is in fact an abbreviation for www.domain.net., whose trailing dot represents the root DNS servers of the Internet (Internet DNS servers form a tree structure).
[[TINYDNS|http://cr.yp.to/djbdns/tinydns.html]] is a good DNS server; however [[tinydns-data|http://cr.yp.to/djbdns/tinydns-data.html]] lacks built-in syntax for generating NAPTR and SRV records.
Anders Brownworth wrote a nice web page which generates those records using the [[tinydns|http://cr.yp.to/djbdns/tinydns.html]] generic record syntax [[here|http://www.anders.com/projects/sysadmin/djbdnsRecordBuilder/]].
However, I needed to generate those records for the configuration of IENUM (technically, ENUM on a private DNS) from some of our Python code.
As a result I wrote the following "[[library|http://thomas.mangin.com/data/source/sipdns.py]]" to generate SIP NAPTR and SRV records for a domain.
Hopefully it may save someone the time of reverse-engineering the output of Anders' page.
Should you want to contact me feel free to email me here.
My public PGP key is here.
Should you want to link to this site, please use http://thomas.mangin.com/ as the hostname.
!IRR dummy tools
!First get the good stuff
[[IRRPT|http://irrpt.sourceforge.net]] provides a great way to gather and track the prefixes announced by eBGP speakers, but does not provide anything to help you keep your configuration files and your network in sync. This is what these tools do.
IRRDT is written in Python but will parse the PHP configuration of IRRPT (as long as you are not using some weird PHP syntax).
It also requires some extra configuration options in that file.
!Warning ..
This code is a work in progress; it was only announced at LINX 57 and has not seen much improvement since. It has a few known rough corners.
!How to use it
First [[get it here|/data/source/irrdt-0.2.tgz]]
(the previous version is [[here|/data/source/irrdt-0.1.tgz]])
I will write some good docs, but for the moment you will mostly have to figure out how it works yourself from the examples below. Just make sure you save your configuration to a local folder using the Juniper archival feature:
{{{
[edit system archival]
configuration {
transfer-on-commit;
archive-sites {
"ftp://user:password@server/router-name/";
}
}
}
}}}
Each of your neighbours should have a peer-as set for the parser to work, and a comment of the form:
{{{
"AS-ACCEPTED | Peer name | noc@peer.co.uk | AS-SENT"
}}}
AS-SENT (or ASN) is optional; when absent it is taken from the tool's command line.
IRRDT looks for the following configuration options:
{{{
$cfg['global']['asn'] = "12345";
$cfg['global']['as-macro'] = "AS-YOURSELF";
$cfg['global']['parse'] = "juniper";
$cfg['paths']['juniper'] = "/location/of/your/ftpd/juniper/files";
$cfg['juniper']['peer'] = "export-peer";
$cfg['juniper']['transit'] = "export-transit";
$cfg['juniper']['customer'] = "export-customer";
$cfg['irrdb']['export'] = "peer customer transit";
$cfg['ripe']['transit'] = "0";
$cfg['ripe']['peer'] = "50";
$cfg['ripe']['customer'] = "";
}}}
You can create a file called "ripe.secret" in the conf/ directory to get your mail to RIPE accepted (if you have a
The names should be self-explanatory. I only wrote a Juniper configuration parser. The type of connection is detected by inspecting the export and import statements for special policy-options. The code expects peers and transits to be in different groups (whose names are used in the RIPE output).
An example would be as follows:
{{{
group transit {
type external;
local-preference 75;
remove-private;
neighbor 195.219.195.45 {
inactive: traceoptions {
file bgp-vsnl size 1m files 5;
}
description "ANY | Teleglobe / VSNL | email@vsnlinternational.com |";
local-address 195.219.195.46;
import [ no-ix no-bogons no-small-prefixes tag-transit tag-vsnl damping local-preference-transit no-community-import ];
export [ originate-community originate-customer no-transit no-small-prefixes export-transit export-vsnl no-community-export next-hop-self ];
peer-as 6453;
}
}
}}}
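The following is an added example, not IRRDT's own parser, showing how the neighbour data above can be pulled out of a Junos `group` stanza and classified by export policy the way the text describes. It handles only the flat, one-statement-per-line form shown on this page and splits the description on `|` into the "AS-ACCEPTED | Peer name | contact | AS-SENT" fields; the sample configuration is the group from the page, and the fallback macro AS-YOURSELF is the placeholder from the configuration listing.

```python
"""Extract BGP neighbours from a Junos `group` stanza and classify each by the
export policy it carries (export-peer / export-transit / export-customer).

Added example, not IRRDT's parser. Assumes one statement per line and
brace-delimited blocks as Junos `show configuration` prints them."""
import re

# Sample configuration: the group shown on the page.
SAMPLE_CONFIG = """\
group transit {
    type external;
    local-preference 75;
    remove-private;
    neighbor 195.219.195.45 {
        inactive: traceoptions {
            file bgp-vsnl size 1m files 5;
        }
        description "ANY | Teleglobe / VSNL | email@vsnlinternational.com |";
        local-address 195.219.195.46;
        import [ no-ix no-bogons no-small-prefixes tag-transit tag-vsnl damping local-preference-transit no-community-import ];
        export [ originate-community originate-customer no-transit no-small-prefixes export-transit export-vsnl no-community-export next-hop-self ];
        peer-as 6453;
    }
}
"""

# Export policy name -> connection type, mirroring the $cfg['juniper'][...] options.
EXPORT_POLICY_TYPES = {
    "export-peer": "peer",
    "export-transit": "transit",
    "export-customer": "customer",
}

DESCRIPTION_FIELDS = ("as_accepted", "name", "contact", "as_sent")


def _policy_list(value):
    """'[ a b c ]' or 'a' -> ['a', 'b', 'c']"""
    return value.strip("[] ").split()


def parse_neighbors(config):
    """Return a list of neighbour dicts (group, address, import, export, peer_as, description)."""
    neighbors, current, current_depth, group, depth = [], None, None, None, 0
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            depth -= 1
            if current is not None and depth == current_depth:
                current = None  # left the neighbour block
            continue
        m = re.match(r"^group (\S+) \{$", line)
        if m:
            group, depth = m.group(1), depth + 1
            continue
        m = re.match(r"^neighbor (\S+) \{$", line)
        if m:
            current = {"group": group, "address": m.group(1), "import": [],
                       "export": [], "peer_as": None, "description": None}
            neighbors.append(current)
            current_depth, depth = depth, depth + 1
            continue
        if line.endswith("{"):
            depth += 1  # some other nested block (traceoptions, family ...)
            continue
        if current is None:
            continue
        m = re.match(r"^(import|export) (.+);$", line)
        if m:
            current[m.group(1)] = _policy_list(m.group(2))
            continue
        m = re.match(r"^peer-as (\d+);$", line)
        if m:
            current["peer_as"] = int(m.group(1))
            continue
        m = re.match(r'^description "(.*)";$', line)
        if m:
            fields = [f.strip() for f in m.group(1).split("|")]
            fields += [""] * (len(DESCRIPTION_FIELDS) - len(fields))
            current["description"] = dict(zip(DESCRIPTION_FIELDS, fields))
    return neighbors


def connection_type(neighbor):
    """peer / transit / customer, decided by which export-* policy the neighbour applies."""
    for policy in neighbor["export"]:
        if policy in EXPORT_POLICY_TYPES:
            return EXPORT_POLICY_TYPES[policy]
    return "unknown"


def as_sent(neighbor, default_macro):
    """AS-SENT from the description, falling back to the macro given on the command line."""
    desc = neighbor.get("description") or {}
    return desc.get("as_sent") or default_macro


if __name__ == "__main__":
    for n in parse_neighbors(SAMPLE_CONFIG):
        print(n["address"], connection_type(n), n["peer_as"], as_sent(n, "AS-YOURSELF"))
```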
!Usage example
There are two ways to use the tools:
* use the ripe.py file, which takes all its information from the configuration files
* look at the ripe.sh file, which allows you to use only part of the code to better fit your needs
For ripe.py, generate your irrdb.conf, which allows you to fetch the peers' prefixes.
!!aggregate
The aggregate program recommended by RAS seems to have a serious O(exp n) problem: we are speaking in terms of tens of minutes to get a large set of IPs aggregated.
I have written a Python program, aggregate.py, which performs the same aggregation (and is still suboptimal) but does the same work in a few seconds.
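The following is an added example of a single-pass aggregator, not the aggregate.py linked above. It sorts the prefixes once, drops any prefix already covered by the previous kept block, and merges sibling blocks (two equal-length prefixes sharing a parent) on a stack, so the cost is the sort plus a linear merge rather than repeated pairwise comparisons. The sample prefixes are constructed; `matches_stdlib` cross-checks the result against the standard library's `ipaddress.collapse_addresses`.

```python
"""Aggregate IP prefixes into the smallest equivalent set of CIDR blocks.

Added example, not the page's aggregate.py. O(n log n) for the sort plus O(n)
for the stack-based merge; IPv4 and IPv6 are handled in the same pass but never
merged with each other."""
import ipaddress


def aggregate(prefixes):
    """Return the aggregated networks, sorted by family, address and length."""
    nets = sorted({ipaddress.ip_network(p, strict=False) for p in prefixes},
                  key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    stack = []
    for net in nets:
        top = stack[-1] if stack else None
        if top is not None and top.version == net.version and top.supernet_of(net):
            continue  # already covered by a shorter prefix kept earlier
        stack.append(net)
        # Merge siblings: the two newest blocks have equal length and the same parent.
        while len(stack) >= 2:
            a, b = stack[-2], stack[-1]
            if (a.version == b.version and a.prefixlen == b.prefixlen
                    and a.prefixlen > 0 and a.supernet() == b.supernet()):
                stack[-2:] = [a.supernet()]  # a merged parent may itself have a sibling
            else:
                break
    return stack


def aggregate_strings(prefixes):
    return [str(n) for n in aggregate(prefixes)]


def matches_stdlib(prefixes):
    """Cross-check against ipaddress.collapse_addresses, one address family at a time."""
    ours = set(aggregate_strings(prefixes))
    ref = set()
    for version in (4, 6):
        same = [n for n in (ipaddress.ip_network(p, strict=False) for p in prefixes)
                if n.version == version]
        ref.update(str(n) for n in ipaddress.collapse_addresses(same))
    return ours == ref


# Constructed sample: overlapping, out-of-order and duplicated prefixes.
SAMPLE_PREFIXES = [
    "10.0.2.0/23", "10.0.0.0/24", "10.0.1.0/24", "10.0.0.0/25",
    "10.1.0.0/16", "10.0.0.0/24", "192.0.2.0/25", "192.0.2.128/25",
    "2001:db8::/33", "2001:db8:8000::/33",
]

if __name__ == "__main__":
    for n in aggregate(SAMPLE_PREFIXES):
        print(n)
```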
!Generating the prefix
The tools to generate the prefixes are currently broken ... come back later, or try the following (the syntax and command location may have changed):
{{{
[thomas@linx-meeting-57 app]$ ./import/juniper.py ../../ftpd/ | grep router-name | xargs cat - | parse/juniper.py 30740 AS-EXA -p export-peer -c export-customer -t export-transit | ./export/asn.py | xargs ./export/prefix.py
}}}
Should you be looking at using a Juniper router for an eBGP connection, I hope the following Junos configuration will prove useful.
I have tried to keep it short, removing community-based firewalling (you can read about it [[here|http://thomas.mangin.com/#tag:link_rib_firewall]]), class-of-service, logical-routers, event-options, SNMP, and god knows what more, to keep the resulting configuration short.
A basic IS-IS section was left in to show how routes can be originated on the router itself.
A skeleton of firewall filters was left in to give a taste of what can be done to protect the core from spoofed traffic, ICMP flooding, etc.
Should this be of interest, please consider reading [[The Junos secure template|http://www.cymru.com/gillsr/documents/junos-template.pdf]].
Route damping was left in but is inactive, as recommended by [[ripe-378|http://www.ripe.net/ripe/docs/routeflap-damping.html]], which obsoletes ripe-229, ripe-210 and ripe-178.
A lot is still present though, like community-controlled route announcement, community-triggered route blackholing and BGP leak mitigation using as-path.
I am pretty sure that in the fury of cut, paste and replace I must have broken enough of the configuration to make it unadvisable to use it "as is", but it should give you a good head start if you have never done it before.
The configuration is not yet commented (or split into parts) but I will try to fix this at some point (as well as fix the formatting, which this wiki likes to remove).
Use at your own risk and feel free to let me know if something is wrong (I never had the opportunity to test the BGP-triggered route blackhole yet).
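The leak mitigation mentioned above is done by the `no-leak` policy-statement, which rejects any route whose AS path matches one of the `leaked-*` as-path definitions (`".{1,}3356.*"` and so on): the listed transit AS must not appear anywhere behind the first hop, since a peer at the exchange has no business handing you its transit provider's routes. The following is an added example, not part of the template, that evaluates those patterns offline against received AS paths so the filter can be sanity-checked before it goes on a router. It assumes the patterns only use `.`, AS numbers and quantifiers (the subset the page shows); Junos alternation, grouping and character classes are not translated. Three of the page's `leaked-*` definitions are copied verbatim and the routes are constructed.

```python
"""Offline evaluation of Junos as-path regular expressions, as used by the
`no-leak` policy with the leaked-* definitions.

Added example, not part of the Junos configuration. A Junos as-path regex
works on AS numbers, not characters: each token is one AS, '.' matches any
single AS and quantifiers apply to the preceding token. The translation below
renders every AS in the path as "NNN " and maps each Junos token to a group
matching exactly one such "NNN ", so Junos quantifiers can be reused as-is."""
import re

# Three of the leaked-* as-path definitions exactly as they appear on the page.
LEAK_PATTERNS = {
    "leaked-level3": ".{1,}3356.*",
    "leaked-telia": ".{1,}1299.*",
    "leaked-cogent": ".{1,}174.*",
}

_TOKEN = re.compile(r"(\.|\d+)(\{\d*,\d*\}|\*|\+|\?)?")


def junos_as_path_to_regex(pattern):
    """Compile a Junos as-path regex (the '.', ASN and quantifier subset) into a Python regex."""
    text = pattern.strip().strip('"')
    parts, pos = [], 0
    for m in _TOKEN.finditer(text):
        if m.start() != pos:
            raise ValueError("unsupported as-path syntax: %r" % pattern)
        atom, quant = m.group(1), m.group(2) or ""
        token = r"\d+ " if atom == "." else atom + " "
        parts.append("(?:%s)%s" % (token, quant))
        pos = m.end()
    if pos != len(text):
        raise ValueError("unsupported as-path syntax: %r" % pattern)
    return re.compile("".join(parts))


def _path_text(as_path):
    return "".join("%d " % asn for asn in as_path)


def as_path_matches(pattern, as_path):
    """True if the pattern matches the whole AS path (Junos as-path regexes are anchored)."""
    return junos_as_path_to_regex(pattern).fullmatch(_path_text(as_path)) is not None


def leaked_routes(routes, patterns=LEAK_PATTERNS):
    """routes: iterable of (prefix, as_path). Returns {prefix: [matching pattern names]},
    i.e. the routes `no-leak` would reject because a listed transit AS shows up
    behind the peer instead of being the peer itself."""
    compiled = {name: junos_as_path_to_regex(p) for name, p in patterns.items()}
    hits = {}
    for prefix, as_path in routes:
        text = _path_text(as_path)
        names = [name for name, rx in compiled.items() if rx.fullmatch(text)]
        if names:
            hits[prefix] = names
    return hits


# Constructed sample: routes as received from a peer (AS65555) at an exchange.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", [65555, 65556]),           # peer's own customer: fine
    ("198.51.100.0/24", [65555, 3356, 64496]),  # Level3 behind the peer: leak
    ("203.0.113.0/24", [3356, 64496]),          # Level3 is the peer itself: not a leak
    ("203.0.113.128/25", [65555, 174]),         # Cogent behind the peer: leak
]

if __name__ == "__main__":
    for prefix, names in leaked_routes(SAMPLE_ROUTES).items():
        print(prefix, "rejected by", ", ".join(names))
```

The `transit1-routes 1234.*` definition used by `no-transit` goes through the same translator: it matches only paths whose first AS is 1234, which is how the template keeps a transit provider's routes from being re-announced to peers.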
{{{
version 8.2R3.6;
}}}
{{{
/* Template for all the interface on the router */
groups {
peering-interface {
interfaces {
<*> {
unit <*> {
family inet {
filter {
input external-incoming-peer;
}
}
}
}
}
}
physical-interface {
interfaces {
traceoptions {
file interfaces size 1m files 5;
flag change-events;
}
<ge-*> {
traps;
vlan-tagging;
link-mode full-duplex;
gigether-options {
flow-control;
}
unit <*> {
family inet {
no-redirects;
}
}
}
}
}
core-interface {
interfaces {
<*> {
unit <*> {
family inet {
no-redirects;
}
}
}
}
}
transit-interface {
interfaces {
<*> {
unit <*> {
family inet {
rpf-check {
mode loose;
}
filter {
input-list [ sample-netflow external-incoming-transit ];
}
}
}
}
}
}
customer-interface {
interfaces {
<*> {
unit <*> {
family inet {
rpf-check {
mode loose;
}
filter {
input external-incoming-customer;
}
}
}
}
}
}
}
}}}
{{{
/* System Configuration */
system {
host-name m7i;
domain-name business.net.uk;
domain-search [ business.net.uk ];
time-zone Europe/London;
no-redirects;
authentication-order tacplus;
location {
country-code UK;
postal-code "";
building "Telehouse";
rack 123;
}
ports {
console type vt100;
}
root-authentication {
encrypted-password "$"; ## SECRET-DATA
}
name-server {
ip;
ip;
}
tacplus-server {
ip {
secret "$"; ## SECRET-DATA
timeout 5;
}
}
accounting {
events [ login change-log interactive-commands ];
destination {
tacplus {
server {
ip secret "$"; ## SECRET-DATA
}
}
}
}
scripts {
/* See juniper.cluepon.net */
}
login {
message "******************************************************************************\n NOTICE TO USERS\n\nThis equipment is for authorized use only. Users (authorized or unauthorized)\nhave no explicit or implicit expectation of privacy.\n\nAny or all uses of this system and all files on this system may be intercepted,\nmonitored, recorded, copied, audited, inspected, and disclosed to authorized\nsite and law enforcement personnel.\n\nBy using this system, the user consents to such interception, monitoring,\nrecording, copying, auditing, inspection, and disclosure at the discretion of\nauthorized site.\n\nUnauthorized or improper use of this system may result in administrative\ndisciplinary action and civil and criminal penalties. By continuing to use\nthis system you indicate your awareness of and consent to these terms and\nconditions of use.\n\nLOG OFF NOW if you do not agree to the conditions stated in this warning.\n\nBusiness Limited - noc@business.co.uk - +44 \n*****************************************************************************\n\n";
class administrator {
idle-timeout 60;
permissions all;
}
class linx {
permissions [ field interface routing trace view view-configuration ];
}
user admin {
full-name "Admin";
uid 1000;
class administrator;
authentication {
encrypted-password "$"; ## SECRET-DATA
}
}
user linx {
full-name "Linx Staff Access";
uid 1001;
class linx;
authentication {
encrypted-password "$"; ## SECRET-DATA
}
}
}
static-host-mapping {
tacplus inet ip;
syslog inet ip;
localhost inet 127.0.0.1;
m7i-4.u3.tcw.uk {
inet ip;
sysid 0822.1900.0068;
}
}
services {
ssh {
root-login deny-password;
protocol-version v2;
connection-limit 5;
rate-limit 10;
}
telnet {
connection-limit 5;
rate-limit 10;
}
}
syslog {
archive size 1m files 10;
user * {
any error;
}
host ip {
/* none, info, notice, warning, error, critical, alert, emergency */
any notice;
facility-override local6;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
file system {
daemon any;
kernel any;
}
file firewall {
firewall any;
}
file security {
authorization any;
interactive-commands any;
}
file user-comand {
interactive-commands info;
}
console {
any error;
}
source-address ip;
}
no-compress-configuration-files;
archival {
configuration {
transfer-on-commit;
archive-sites {
"ftp://user:pass@ip/text/router-name/";
}
}
}
ntp {
boot-server ip;
server ip;
server ip;
}
}
}}}
{{{
/* Prevent an alarm if nothing is plugged on the console */
chassis {
no-source-route;
alarm {
management-ethernet {
link-down ignore;
}
}
}
}}}
{{{
/* Interfaces Configuration */
interfaces {
apply-groups physical-interface;
ge-0/3/0 {
description "LAN";
unit A-VLAN {
apply-groups core-interface;
description "Internal Switches";
vlan-id THE-VLAN-NUMBER;
family inet {
address range/netmask;
}
}
unit A-VLAN {
apply-groups core-interface;
description "to Elsewhere";
bandwidth 40;
vlan-id THE-VLAN-NUMBER;
family inet {
filter {
/* Filter ddos on output as it seems to cause issue on input on internal interface */
output ddos-protect;
}
address ip/30;
}
family iso;
}
}
ge-1/3/0 {
description "Upstream Interface";
unit 123 {
apply-groups peering-interface;
description Linx;
vlan-id THE-VLAN-NUMBER;
family inet {
address 195.66.224.---/23;
}
}
}
fxp0 {
description "Management Interface";
unit 0 {
family inet {
no-redirects;
filter {
input protect-management;
}
}
}
}
lo0 {
unit 0 {
description Loopback;
family inet {
no-redirects;
address ip/32;
}
family iso {
address 49.0001.0822.1900.0071.00;
}
}
}
}
}}}
{{{
forwarding-options {
sampling {
input {
family inet {
rate 1000;
inactive: run-length 4;
max-packets-per-second 7000;
}
}
output {
cflowd ip {
port 2055;
source-address ip;
version 8;
no-local-dump;
autonomous-system-type origin;
aggregation {
autonomous-system;
}
}
}
}
hash-key {
family inet {
layer-4;
}
}
}
}}}
{{{
routing-options {
options {
syslog {
level debug;
}
}
graceful-restart;
interface-routes {
rib-group inet if-rib;
}
/* Black Hole route */
route 127.0.0.2/32 {
discard;
retain;
no-readvertise;
}
aggregate {
route your-network/range {
community 54321:54321;
as-path {
origin igp;
}
}
}
rib-groups {
if-rib {
import-rib [ inet.0 inet.2 ];
}
isis-rib {
export-rib inet.0;
import-rib [ inet.0 inet.2 ];
}
mcast-rib {
export-rib inet.2;
import-rib inet.2;
}
}
router-id ip;
autonomous-system 54321;
forwarding-table {
export [ load-balancing ];
unicast-reverse-path feasible-paths;
}
}
}}}
{{{
protocols {
bgp {
path-selection always-compare-med;
log-updown;
inactive: damping;
graceful-restart;
group ibgp {
type internal;
traceoptions {
file bgp-ibgp size 1m files 5;
}
local-address ip;
import blackhole;
authentication-key "$"; ## SECRET-DATA
export [ originate-community originate-customer export-ibgp next-hop-self ];
peer-as 54321;
neighbor ip;
}
group transit {
type external;
local-preference 75;
remove-private;
neighbor IP {
inactive: traceoptions {
file bgp-transit1 size 1m files 5;
}
description "ANY | Transit 1 | myfault@transit1 |";
local-address ip;
import [ no-ix no-bogons no-small-prefixes tag-transit tag-transit1 damping local-preference-transit no-community-import ];
export [ originate-community originate-customer no-transit no-small-prefixes export-transit export-transit1 no-community-export next-hop-self ];
peer-as 1234;
}
}
group linx-collector {
type external;
inactive: traceoptions {
file bgp-linx-collector size 1m files 5;
flag all;
}
description "Linx Route Collector";
local-preference 150;
local-address 195.66.224.---;
import [ no-ix no-bogons no-small-prefixes no-leak tag-peering tag-linx damping local-preference-peer no-community-import ];
export [ originate-community originate-customer no-transit no-small-prefixes export-peering export-linx no-community-export next-hop-self ];
remove-private;
neighbor 195.66.224.254 {
/* See cluepon.juniper.net for the op script which transform this */
apply-macro inet {
prefix-limit 500;
}
description "NOT ANY | Linx Route Collector | |";
family inet {
unicast {
prefix-limit {
maximum 500;
}
}
}
authentication-key "$"; ## SECRET-DATA
peer-as 5459;
}
}
group linx-route-server {
type external;
inactive: traceoptions {
file bgp-linx-rs size 1m files 5;
flag all;
}
description "LINX Route Servers";
local-preference 125;
local-address 195.66.224.---;
import [ no-ix no-bogons no-small-prefixes no-leak tag-peering tag-linx damping no-community-import ];
export [ originate-community originate-customer no-transit no-small-prefixes export-peering export-linx no-community-export next-hop-self ];
remove-private;
neighbor 195.66.225.230 {
apply-macro inet {
prefix-limit 19534;
}
description "ANY | Linx route server | | AS-EXA";
authentication-key "$"; ## SECRET-DATA
peer-as 8714;
}
neighbor 195.66.225.231 {
apply-macro inet {
prefix-limit 19229;
}
description "ANY | Linx route server | | AS-EXA";
authentication-key "$"; ## SECRET-DATA
peer-as 8714;
}
}
group renesys {
type external;
inactive: traceoptions {
file bgp-renesys size 1m files 5;
}
description "A full routing table for Renesys at Linx";
local-address 195.66.224.---;
import deny-all;
export [ originate-community originate-customer no-small-prefixes no-community-export next-hop-self ];
remove-private;
neighbor 195.66.225.--- {
peer-as 64---;
}
}
group linx {
type external;
traceoptions {
file bgp-linx size 1m files 5;
flag state;
flag route;
flag general;
flag normal;
flag open;
flag policy;
}
local-preference 150;
local-address 195.66.224.---;
import [ no-ix no-bogons no-small-prefixes no-leak tag-peering tag-linx damping local-preference-peer no-community-import ];
export [ originate-community originate-customer no-transit no-small-prefixes export-peering export-linx no-community-export next-hop-self ];
remove-private;
neighbor ip {
apply-macro inet {
prefix-limit 500;
}
description "AS-MACRO | Name | noc@isp |";
peer-as 65555;
}
}
}
}
}}}
{{{
protocols {
isis {
traceoptions {
file isis size 1m files 5;
flag normal;
flag error;
}
export static-to-isis;
loose-authentication-check;
no-ipv6-routing;
rib-group inet isis-rib;
level 1 {
authentication-key "$"; ## SECRET-DATA
authentication-type simple; ## SECRET-DATA
}
level 2 {
authentication-key "$"; ## SECRET-DATA
authentication-type simple; ## SECRET-DATA
}
interface ge-0/3/0.VLAN-1 {
lsp-interval 33;
checksum;
level 1 {
hello-interval 10;
hold-time 30;
}
level 2 {
hello-interval 10;
hold-time 30;
}
}
interface ge-1/3/0.VLAN-2 {
passive;
}
interface all {
level 1 disable;
}
interface fxp0.0 {
disable;
}
interface lo0.0 {
passive;
}
}
}
}}}
{{{
policy-options {
prefix-list root-servers {
/* Add routes servers here : see www.cymru.com */
}
prefix-list rfc1918-reserved {
/* RFC 1918 addresses */
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
}
prefix-list protected-address {
/* IP ADDRESS The internet should not be able to reach within your network */
}
prefix-list business-external {
/* Part of your ip space used for interconnect to customers (so to be allowed in the network) */
}
prefix-list ssh-address {
/* What IPs can SSH/telnet in */
}
prefix-list bgp-address {
/* Your BGP peers */
}
prefix-list dns-address {
/* Your DNS servers */
}
prefix-list ntp-address {
/* Your NTP servers */
}
prefix-list snmp-address {
/* Your SNMP server - pulling and trap .. */
}
prefix-list radius-address {
/* Your radius server */
}
prefix-list tacacs-address {
/* The ip of the tacacs */
}
prefix-list isis-address {
/* The ranges you are running ISIS on */
}
prefix-list management-address {
/* The IP you want to allow management to */
}
prefix-list static-to-isis {
/* Range to redistribute from static to ISIS (so they diseapar if the link goes down) */
}
policy-statement blackhole {
term rewrite-next-hop {
from {
protocol bgp;
community blackhole-here;
}
then {
community add no-export;
next-hop 127.0.0.2;
accept;
}
}
}
policy-statement damping {
term 1 {
from {
prefix-list root-servers;
}
then {
damping damp-none;
next policy;
}
}
term 2 {
from {
route-filter 0.0.0.0/0 upto /21 damping damp-short;
route-filter 0.0.0.0/0 upto /23 damping damp-medium;
route-filter 0.0.0.0/0 orlonger damping damp-long;
}
then next policy;
}
}
policy-statement deny-all {
then reject;
}
policy-statement export-customer {
term remove {
from {
protocol bgp;
community withdraw-customer;
}
then reject;
}
term prepend-one-time {
from {
protocol bgp;
community prepend1-customer;
}
then as-path-prepend 54321;
}
term prepend-two-times {
from {
protocol bgp;
community prepend2-customer;
}
then as-path-prepend "54321 54321";
}
term prepend-four-times {
from {
protocol bgp;
community prepend4-customer;
}
then as-path-prepend "54321 54321 54321 54321";
}
}
policy-statement export-ibgp {
term remove-community {
from {
protocol bgp;
community withdraw-ibgp;
}
then reject;
}
}
policy-statement export-linx {
term remove {
from {
protocol bgp;
community withdraw-linx;
}
then reject;
}
term prepend-one-time {
from {
protocol bgp;
community prepend1-linx;
}
then as-path-prepend 54321;
}
term prepend-two-times {
from {
protocol bgp;
community prepend2-linx;
}
then as-path-prepend "54321 54321";
}
term prepend-four-times {
from {
protocol bgp;
community prepend4-linx;
}
then as-path-prepend "54321 54321 54321 54321";
}
}
policy-statement export-peering {
term remove-peering {
from {
protocol bgp;
community route-peering;
}
then reject;
}
term remove-transit {
from {
protocol bgp;
community route-transit;
}
then reject;
}
term remove-community {
from {
protocol bgp;
community withdraw-peering;
}
then reject;
}
term prepend-one-time {
from {
protocol bgp;
community prepend1-peering;
}
then as-path-prepend 54321;
}
term prepend-two-times {
from {
protocol bgp;
community prepend2-peering;
}
then as-path-prepend "54321 54321";
}
term prepend-four-times {
from {
protocol bgp;
community prepend4-peering;
}
then as-path-prepend "54321 54321 54321 54321";
}
}
policy-statement export-transit {
term remove-peering {
from {
protocol bgp;
community route-peering;
}
then reject;
}
term remove-transit {
from {
protocol bgp;
community route-transit;
}
then reject;
}
term remove-community {
from {
protocol bgp;
community withdraw-transit;
}
then reject;
}
term prepend-one-time {
from {
protocol bgp;
community prepend1-transit;
}
then as-path-prepend 54321;
}
term prepend-two-times {
from {
protocol bgp;
community prepend2-transit;
}
then as-path-prepend "54321 54321";
}
term prepend-four-times {
from {
protocol bgp;
community prepend4-transit;
}
then as-path-prepend "54321 54321 54321 54321";
}
}
policy-statement export-transit1 {
term remove {
from {
protocol bgp;
community withdraw-transit1;
}
then reject;
}
term prepend-one-time {
from {
protocol bgp;
community prepend1-transit1;
}
then as-path-prepend 54321;
}
term prepend-two-times {
from {
protocol bgp;
community prepend2-transit1;
}
then as-path-prepend "54321 54321";
}
term prepend-four-times {
from {
protocol bgp;
community prepend4-transit1;
}
then as-path-prepend "54321 54321 54321 54321";
}
}
/* Load balance packet through all possible routes */
policy-statement load-balancing {
then {
load-balance per-packet;
}
}
policy-statement local-preference-customer {
term more {
from {
protocol bgp;
community local_preference_12;
}
then {
local-preference 300;
}
}
term normal {
from {
protocol bgp;
community local_preference_11;
}
then {
local-preference 275;
}
}
term less {
from {
protocol bgp;
community local_preference_10;
}
then {
local-preference 250;
}
}
}
policy-statement local-preference-peer {
term default {
from protocol bgp;
then {
local-preference 175;
}
}
term more {
from {
protocol bgp;
community local_preference_08;
}
then {
local-preference 200;
}
}
term normal {
from {
protocol bgp;
community local_preference_07;
}
then {
local-preference 175;
}
}
term less {
from {
protocol bgp;
community local_preference_06;
}
then {
local-preference 150;
}
}
}
policy-statement local-preference-transit {
term default {
from protocol bgp;
then {
local-preference 75;
}
}
}
policy-statement next-hop-self {
then {
next-hop self;
}
}
policy-statement no-bogons {
term default-route {
from {
route-filter 0.0.0.0/0 exact;
}
then reject;
}
term reserved {
from {
route-filter 10.0.0.0/8 orlonger;
route-filter 172.16.0.0/12 orlonger;
route-filter 192.168.0.0/16 orlonger;
route-filter 169.254.0.0/16 orlonger;
route-filter 192.0.2.0/24 orlonger;
route-filter 240.0.0.0/4 orlonger;
route-filter 192.42.172.0/24 orlonger;
route-filter 198.18.0.0/15 orlonger;
route-filter 127.0.0.0/8 orlonger;
}
then reject;
}
term multicast {
from {
route-filter 224.0.0.0/4 orlonger;
}
then reject;
}
term too-short {
from {
route-filter 0.0.0.0/0 prefix-length-range /0-/5;
}
then reject;
}
}
policy-statement no-community-export {
then {
community delete blackhole-everywhere;
community delete originate;
community delete originate-customer;
community delete internal;
}
}
policy-statement no-community-import {
then {
community delete originate;
community delete originate-customer;
community delete route-customer;
community delete internal;
}
}
policy-statement no-export {
then {
community add no-export;
}
}
policy-statement no-ix {
from {
/* Enlix */
route-filter 193.189.130.0/24 orlonger reject;
/* LINX */
route-filter 195.66.224.0/22 orlonger reject;
}
then reject;
}
policy-statement no-leak {
term remove-path {
from {
protocol bgp;
as-path [ leaked-quest leaked-verizon-na leaked-verizon-eu leaked-verizon-ap leaked-sprint leaked-telia leaked-atdn leaked-tiscali leaked-deutsche-telekom leaked-level3 leaked-savvis leaked-france-telecom leaked-telecom-italia leaked-att leaked-ntt leaked-global-crossing leaked-vsnl leaked-cogent ];
}
then reject;
}
}
policy-statement no-small-prefixes {
from {
route-filter 0.0.0.0/0 prefix-length-range /25-/32 reject;
}
then reject;
}
policy-statement no-transit {
term remove-path {
from {
protocol bgp;
as-path [ transit1-routes ];
}
then reject;
}
}
policy-statement originate-community {
from community originate;
then {
next-hop self;
accept;
}
}
policy-statement originate-customer {
from community originate-customer;
then {
next-hop self;
accept;
}
}
policy-statement originate-default {
from {
route-filter 0.0.0.0/0 exact;
}
then accept;
}
policy-statement static-to-isis {
from {
protocol static;
prefix-list static-to-isis;
}
to protocol isis;
then accept;
}
policy-statement tag-customer {
then {
community add route-customer;
}
}
policy-statement tag-linx {
then {
community add route-linx;
}
}
policy-statement tag-peering {
then {
community add route-peering;
}
}
policy-statement tag-transit {
then {
community add route-transit;
}
}
policy-statement tag-transit1 {
then {
community add route-transit1;
}
}
community blackhole-customer members 65100:65004;
community blackhole-everywhere members [ 65100:65001 65100:65002 65100:65003 65100:65004 ];
community blackhole-here members [ 65100:65001 65100:65002 65100:65003 65100:65004 ];
community blackhole-ibgp members 65100:65001;
community blackhole-peering members 65100:65002;
community blackhole-transit members 65100:65003;
/* Cymru communities */
community internal members [ 65000:* 65001:* 65002:* 65003:* 65004:* 65100:* ];
community local_preference_01 members 65005:65201;
community local_preference_02 members 65005:65202;
community local_preference_03 members 65005:65203;
community local_preference_04 members 65005:65204;
community local_preference_05 members 65005:65205;
community local_preference_06 members 65005:65206;
community local_preference_07 members 65005:65207;
community local_preference_08 members 65005:65208;
community local_preference_09 members 65005:65209;
community local_preference_10 members 65005:65210;
community local_preference_11 members 65005:65211;
community local_preference_12 members 65005:65212;
community local_preference_13 members 65005:65213;
community no-export members no-export;
community originate members 54321:54321;
community originate-customer members 54321:0;
community prepend1-customer members 65001:65004;
community prepend1-linx members 65001:5459;
community prepend1-peering members 65001:65002;
community prepend1-transit members 65001:65003;
community prepend1-transit1 members 65001:1234;
community prepend2-customer members 65002:65004;
community prepend2-linx members 65002:5459;
community prepend2-peering members 65002:65002;
community prepend2-transit members 65002:65003;
community prepend2-transit1 members 65002:1234;
community prepend4-customer members 65004:65004;
community prepend4-linx members 65004:5459;
community prepend4-peering members 65004:65002;
community prepend4-transit members 65004:65003;
community prepend4-transit1 members 65004:1234;
community route-customer members 54321:65004;
community route-ibgp members 54321:65001;
community route-linx members 54321:5459;
community route-peering members 54321:65002;
community route-transit members 54321:65003;
community route-transit1 members 54321:1234;
community routes-dsl members 54321:65101;
community routes-mpls members 54321:65102;
community routes-transit1 members 54321:1234;
community withdraw-customer members 65000:65004;
community withdraw-everywhere members [ 65000:65001 65000:65002 65000:65003 65000:65004 ];
community withdraw-ibgp members 65000:65001;
community withdraw-linx members 65000:5459;
community withdraw-peering members 65000:65002;
community withdraw-transit members 65000:65003;
community withdraw-transit1 members 65000:1234;
as-path private-asn-range 64512-65535;
as-path leaked-quest ".{1,}209.*";
as-path leaked-verizon-na ".{1,}701.*";
as-path leaked-verizon-eu ".{1,}702.*";
as-path leaked-verizon-ap ".{1,}703.*";
as-path leaked-sprint ".{1,}1239.*";
as-path leaked-telia ".{1,}1299.*";
as-path leaked-atdn ".{1,}1668.*";
as-path leaked-tiscali ".{1,}3257.*";
as-path leaked-deutsche-telekom ".{1,}3320.*";
as-path leaked-level3 ".{1,}3356.*";
as-path leaked-savvis ".{1,}3561.*";
as-path leaked-france-telecom ".{1,}5511.*";
as-path leaked-telecom-italia ".{1,}6762.*";
as-path leaked-att ".{1,}7018.*";
as-path leaked-ntt ".{1,}1914.*";
as-path leaked-global-crossing ".{1,}3549.*";
as-path leaked-vsnl ".{1,}6453.*";
as-path leaked-cogent ".{1,}174.*";
as-path transit1-routes 1234.*;
/* Min: 30 min, Max: 60 min, dampen at 3 flaps */
damping damp-long {
half-life 30;
reuse 1640;
suppress 6000;
max-suppress 60;
}
/* Min: 15 min, Max: 45 min, dampen at 3 flaps */
damping damp-medium {
half-life 15;
reuse 1500;
suppress 6000;
max-suppress 45;
}
/* Min: 10 min, Max: 30 min, dampen at 3 flaps */
damping damp-short {
half-life 10;
reuse 3000;
suppress 6000;
max-suppress 30;
}
/* Do not dampen */
damping damp-none {
disable;
}
}
}}}
{{{
firewall {
filter external-outgoing {
term valid-outgoing-traffic { }
term log-spoofing { }
}
filter flood-detect {
term tcp-syn-count { }
term tcp-rst-count { }
term tcp-fin-count { }
term tcp-allow { }
term udp-allow { }
}
filter protect-bgp {
term bgp-connection-limit { }
term bgp-allow { }
term default-deny { }
}
filter protect-management {
term icmp-limit { }
term trace-route-limit { }
term ssh-connection-limit { }
term ssh-limit { }
term dns-limit { }
term ntp-limit { }
term snmp-limit { }
term auth-limit { }
term telnet-limit { }
term default-deny { }
}
filter protect-icmp {
term icmp-allow { }
term default-deny { }
}
filter protect-isis {
term isis-connection-limit { }
term isis-allow { }
term default-deny { }
}
filter external-incoming-customer {
term transfer-allow { }
term originate-deny { }
term peer-deny { }
term transit-deny { }
term rfc1918-deny { }
term manangement-allow { }
term infrastructure-icmp-allow { }
term infrastructure-deny { }
term icmp-limit { }
term multicast-limit { }
term default-allow { }
}
filter external-incoming-transit {
term transfer-allow { }
term originate-deny { }
term peer-deny { }
term customer-deny { }
term free-transit-deny { }
term rfc1918-deny { }
term management-allow { }
term infrastructure-icmp-allow { }
term infrastructure-deny { }
term icmp-limit { }
term multicast-limit { }
term default-allow { }
}
filter external-incoming-peer {
term transfer-allow { }
term originate-deny { }
term customer-deny { }
term transit-deny { }
term free-transit-deny { }
term rfc1918-deny { }
term management-allow { }
term infrastructure-icmp-allow { }
term infrastructure-deny { }
term icmp-limit { }
term multicast-limit { }
term default-allow { }
}
filter sample-netflow { }
filter ddos-protect { }
}
}}}
''Use the patch provided here at your own risk: do not use it if you are not able to understand the code provided''
Before using this patch, you may want to read this [[thread|http://tech.groups.yahoo.com/group/postfix-users/message/230005]] on the postfix-users mailing list, where I was told:
* that I am ill advised to want such a patch in postfix as its ''//approach is fundamentally flawed//''
* that this patch is too resource intensive
In order to address the last point, I made sure that:
* the feature is turned off by default
* the maximum amount of memory available to the feature can be set.
With the default values :
smtpd_client_connection_count_limit (default: 50)
smtpd_recipient_limit (default: 1000)
line_length_limit (default: 2048)
The worst case memory utilisation for the feature is around 2Mb per smtpd instance, which is 40Mb with the default settings (which are exceptionally large for the recipient limit). Limiting mails to 50 recipients makes the worst case overhead per smtpd 100kb.
40 Mb is indeed a lot for an old machine, but on recent hardware it will not even be noticed (and this memory will only be allocated if the mails received have lots of recipients).
The other way to get all the recipients of a mail would be to track the "recipient" sent to the policy server at each RCPT using the "instance" attribute and use the result at the DATA state.
With this approach the policy server needs:
* to be called at each RCPT (and not only at DATA)
* to keep track of the recipients for each mail
* to perform some cleaning should the connection close between the RCPT and DATA states
The patch provides two new configuration options:
* a boolean: access_delegation_recipients, which needs to be turned on to use the feature
* an integer: smtpd_recipients_length_limit, which limits the amount of memory the list of recipients can take; it is set to zero by default, meaning that no limitation will be performed. Should its value be under "line_length_limit", the value will be changed at run time to this default.
It changes the [[SMTPD POLICY Protocol|http://www.postfix.org/SMTPD_POLICY_README.html]], adding a line starting with "recipients=". The key contains a "\r"-separated list of the mail recipients (or the single recipient, exactly as the recipient key).
The list is only set during the ~DATA and ~END_OF_DATA states and __only__ if the length of the string is under the value set in smtpd_recipients_length_limit.
This patch/feature _is_ useful for:
* bouncing spam sent to a list of forged, nonexistent email addresses (especially when your MX and storage servers are not on the same machines).
* allowing per-domain policies, ie per-domain white-listing, etc.
* you tell me
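As an added example (not the author's patch nor Postfix's own code), here is a minimal policy-server decision routine that parses a request carrying the new "recipients=" attribute and, at DATA/END_OF_DATA, rejects mail addressed mostly to addresses that do not exist locally, the forged-recipients case above. The sample request, the KNOWN_USERS set and the 50% threshold are constructed for the example.

```python
"""Minimal Postfix SMTPD policy decision using the patch's recipients= attribute.
Added example: request, user list and threshold are constructed, not from the page."""

# Constructed request as a patched smtpd would send it at END_OF_DATA.
# The recipients attribute holds every RCPT TO address joined with "\r".
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=END_OF_DATA\n"
    "client_address=192.0.2.10\n"
    "sender=someone@example.net\n"
    "recipient=zzz@example.com\n"
    "recipients=alice@example.com\rqwerty@example.com\rzzz@example.com\n"
    "\n"
)

# Constructed directory of mailboxes that really exist on the storage server.
KNOWN_USERS = {"alice@example.com", "bob@example.com"}


def parse_request(raw):
    """Turn 'name=value' lines (terminated by an empty line) into a dict."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def recipients_of(attrs):
    """All recipients when the patched smtpd supplied them, else the single one."""
    if "recipients" in attrs:
        return [r for r in attrs["recipients"].split("\r") if r]
    return [attrs["recipient"]] if attrs.get("recipient") else []


def decide(attrs, known_users, max_unknown_ratio=0.5):
    """DUNNO outside DATA, REJECT when too many recipients are unknown locally."""
    if attrs.get("protocol_state") not in ("DATA", "END_OF_DATA"):
        return "DUNNO"
    rcpts = recipients_of(attrs)
    if not rcpts:
        return "DUNNO"
    unknown = [r for r in rcpts if r.lower() not in known_users]
    if len(unknown) / len(rcpts) > max_unknown_ratio:
        return "REJECT too many unknown recipients"
    return "DUNNO"


def handle(raw, known_users=KNOWN_USERS):
    """Return the response exactly as Postfix expects it: action=...\\n\\n."""
    return "action=%s\n\n" % decide(parse_request(raw), known_users)


if __name__ == "__main__":
    print(handle(SAMPLE_REQUEST), end="")
```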
You can download the ''fourth'' version (released on the 26th of November 2007) of this patch
[[here for postfix 2.6 20071111|http://thomas.mangin.com/data/source/postfix-all_recipients-4-20071111.patch]]
I have updated the patch to apply cleanly on a more recent version of postfix:
[[here for postfix 2.6 20080201|http://thomas.mangin.com/data/source/postfix-all_recipients-4-20080201.patch]] (which applies cleanly on postfix-2.5.1-rc1)
Should you have downloaded any previous version, please update, as the third contains a memory leak which causes the memory utilisation to be up to two times what it should be, and any version before it should simply not be used.
All the documents related to networking are tagged with 'Network'; you can find them using the search feature or the 'Tags' tab.
Some old code from Uni ..
|Description|Simple code to create C++ plugin using dynamic linking library|
|Operating System |Linux|
|Language |C++|
|Building |Autoconf / Automake|
|Finished |My conclusions about what was possible/impossible are wrong|
|Known bugs |none|
|Download |[[Here|/data/source/plugin.tar.bz2]]|
|Description|An Image deformation program based on recursively coded Bezier Curves|
|Operating System |Linux|
|Language |C|
|Building |Makefile|
|Finished |yes|
|Known bugs |Somewhere Sub-optimal recursion stopping test (Possible speedup 4x)|
|Download |[[Here|/data/source/bezier.tar.bz2]]|
|Description|Simple Ftp like client and server (UDP and TCP)|
|Operating System |Linux|
|Language |C++|
|Building |Makefile|
|Finished |yes|
|Known bugs |Nasty OO interface, UDP code buggy in vicious case|
|Download |Here|
|Description|A simple TEX to HTML converter using Lex|
|Operating System |Linux|
|Language |Lex and C|
|Building |Compile it yourself|
|Finished |only handle _very_ few HTML tags ...|
|Known bugs |none|
|Download |[[Here|/data/source/ftp.tar.bz2]]|
|Description|A really minimal compiler that generates pseudo assembler code|
|Operating System |Linux|
|Language |Lex, Yacc and C|
|Building |Makefile for Debian 2.1|
|Finished |Does what it is supposed to ...|
|Known bugs |(DAG not created after parsing the tree)|
|Download |[[Here|/data/source/compil.tar.bz2]]|
|Description|The base of a virtual machine which runs assembler ascii files|
|Operating System |Linux|
|Language |C++|
|Building |Makefile|
|Finished |no, core completed but you have to write your instructions yourself|
|Known bugs |None, but the code could be improved|
|Download |[[Here|/data/source/emule.tar.bz2]]|
|Description|A Flat, Gouraud and Phong renderer of 3D Studio 4 files|
|Operating System |~DOS with ~DOS4GW (VESA 2.0 video card Needed)|
|Language |C++|
|Building |Watcom Makefile|
|Finished |yes|
|Known bugs |3DS file reading assumes a correctly sized and centered object, ''slow''|
|Download |[[Here|/data/source/phong.tar.bz2]]|
|Description|Simple fractal (julia and mandelbrot) drawers|
|Operating System |DOS and Linux (needs GGI)|
|Language |C|
|Building |Just do it|
|Finished |yes|
|Known bugs |none|
|Download |[[Here|/data/source/fractal.tar.bz2]]|
Until recently, ISPs felt that they had the same status as traditional telecommunication providers and were protected from prosecution for the traffic going through their networks. It was then none of their business to police the information flowing through their networks.
The situation became hazier when BT decided to deploy [[cleanfeed|http://en.wikipedia.org/wiki/Cleanfeed_(content_blocking_system)|cleanfeed]]. Up to that point ISPs had been transproxying web traffic in order to cache the web pages requested and save on bandwidth costs, but had never actively interfered with the data passing through their networks.
More recently, [[threats of legislation|http://news.bbc.co.uk/1/hi/technology/7258437.stm]] pushed by the [[IFPI|http://www.ifpi.org/]], the [[children protection lobby|http://www.law.ed.ac.uk/ahrc/SCRIPT-ed/vol3-3/editorial.asp]] and the [[government|http://www.theregister.co.uk/2007/11/16/isps_brown_terror/]] (all ignoring that transproxying can be easily evaded) seem to be changing the landscape for ISPs, which are now under increased pressure to police their traffic for the benefit of whoever can afford to lobby them.
Deploying a large scale filtering/transproxying solution is expensive, and with little chance of seeing the cost paid by either the end user or the legislator, it is only natural for ISPs to seek some form of remuneration for the cost of deploying such possibly soon legally required solutions.
In that context it is not that strange to see the UK's largest ISP [[sell their customers' web traffic|http://www.nytimes.com/2008/02/18/technology/18target.html]] (not protected by any data protection law) to an organisation selling targeted advertising.
Up to now, advertisers had to rely on [[cookies|http://en.wikipedia.org/wiki/HTTP_cookie]] to track surfing habits, making it possible for customers to protect their privacy (by refusing them or using [[anonymisers|http://www.google.co.uk/search?q=anonymizer]]).
With this [[new system|http://www.phorm.com/]] (described [[here|http://www.theregister.co.uk/2008/02/29/phorm_documents/]]) our average UK broadband user can only hope that the ISP's marketing firm will honour its promise not to monitor their traffic.
The most interesting part seems to be that even once 'unsubscribed', the traffic may still go through the advertiser's 'anonymiser proxies'.
One can only wonder whether the role of those proxies will not be to block cookies from competitors, giving Phorm a quasi-monopoly on advertising in the UK.
Leaking BGP routes is a common sport among the ISP community. I did an (appalling) presentation on my personal experience at [[Linx 57|http://www.linx.net/]].
!Background
If you are joining an exchange you should assume that other members will leak, and be prepared.
Please consider these methods as non-exclusive: the more you filter, the less likely you are to leak.
!Things no one should announce or accept
!!Small Prefixes
Many ISPs carry their customer routes (DSL, etc.) in iBGP, as the IGP should remain stable and small to converge quickly.
Should an ISP leak those routes, you could see thousands of /32-/2x routes; as the smallest prefix routable over the internet is a /24, make sure not to accept very small prefixes.
{{{
/* match and refuse any route smaller/longer than a /24 */
[edit policy-options]
policy-statement no-small-prefixes {
from {
route-filter 0.0.0.0/0 prefix-length-range /25-/32 reject;
}
then reject;
}
}}}
!!BOGONS
As well, make sure you do not accept (or announce) reserved ranges and non-routable ones.
{{{
/* bogon, rfc1918, etc. */
[edit policy-options]
policy-statement no-bogons {
from {
route-filter 224.0.0.0/4 orlonger reject;
......
}
}
}}}
!!Things obviously wrong ..
Only you can know what you cannot learn from your peers, but the transfer LAN of an IX may look like something you would only learn from a mis-configuration.
{{{
/* Linx LAN */
[edit policy-options]
policy-statement no-ix {
from {
route-filter 195.66.224.0/22 orlonger reject;
}
then reject;
}
}}}
And then make sure you never see it .. or announce it
{{{
/* should never get in or out */
[edit protocols bgp group linx]
export [ no-small-prefixes no-ix no-bogons ];
import [ no-small-prefixes no-ix no-bogons ];
}}}
!Protect yourself
!!Max Prefix
The quickest and simplest way to get some form of protection is a max-prefix limit, ie to put an upper bound on the number of routes you will accept from your peers.
The router will then shut down the session should the eBGP speaker send you more than a predefined number of routes (was it necessary to say it ?).
{{{
neighbor 195.66.224.xxx {
description "AS-ACCEPTED | Peer name | noc@peer.co.uk | AS-SENT";
family inet {
unicast {
prefix-limit {
maximum 150;
teardown 80 idle-timeout 5;
}
}
}
peer-as 1234;
}
}}}
!!Max Prefix Limitations
On Cisco this works great as the count is performed on prefixes accepted. On Juniper it is not as good: the counting is done on prefixes received (before any kind of filtering), which is much less useful.
For the clueful:
go and thank RAS for his excellent max-prefix auto-tuning work at http://juniper.cluepon.net/index.php/OS_Auto_Tuning_Prefix_Limits
Please push for this feature with your SE.
!!Peers are not your transit providers
As an ISP you know who your transit providers are and their ASNs. You should filter from your announcements any route with an AS-PATH which contains them.
Here is an example for Juniper (assuming your transit is from Level3 and Sprint):
{{{
/* define the routes we have learned from transit (example) */
as-path routes-level3 3356.*;
as-path routes-sprint 1239.*;
/* create a policy blocking their distribution */
[edit policy-options]
policy-statement no-transit {
term remove-path {
from {
protocol bgp;
as-path [ routes-level3 routes-sprint ];
}
then reject;
}
}
/* make sure that no linx peer will ever get them again */
[edit protocols bgp group linx]
export [ no-transit ];
}}}
!!Peers are not your customers
You should never see your customers' routes from your peers either.
!!Peers should know better
Your peers should not leak routes with reserved ASNs either, especially when they can be filtered with one line.
{{{
[edit protocols bgp group linx]
remove-private;
}}}
!Protect your reputation
!!Filtering routes using communities
First you must tag your routes to know what is what.
It is in every book: you tag your routes inbound and filter them outbound.
{{{
/* define a community to identify routes learned from transit */
community route-transit members 1234:1239;
/* create a policy to apply this community to a route */
policy-statement tag-transit {
then {
community add route-transit;
}
}
/* make sure all routes from transit have that community */
[edit protocols bgp group transit]
import [ tag-transit tag-transit-provider-specific ];
(repeat with peers)
}}}
Then you use this to stop the announcement to your peers
{{{
/* define a policy rejecting routes identified as transit */
[edit policy-options]
policy-statement export-transit {
term remove-peering {
from {
protocol bgp;
community route-transit;
}
then reject;
}
term remove-peering ...
term remove-community ...
term prepend-one-time ...
}
/* and make sure no linx peer sees it */
[edit protocols bgp group linx]
export [ export-peering export-linx ];
}}}
Don't make a typo in your community definition without also filtering on AS-path, as it hurts.
!!Filter using AS-PATH
Most large networks have very "private" peering policies and it is unlikely that you should ever learn any of their routes via peering (otherwise it would be called transit).
{{{
/* define the routes you will never see through peers */
as-path leaked-sprint ".{1,}1239.*";
as-path leaked-telia ".{1,}1299.*";
/* create a policy blocking their distribution */
[edit policy-options]
policy-statement no-leak {
term remove-path {
from {
protocol bgp;
as-path [ leaked-telia leaked-sprint ];
}
then reject;
}
}
/* make sure that no linx peer will ever get them again */
[edit protocols bgp group linx]
import [ no-leak ];
}}}
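As an added example (not part of the page, nor Junos code), the following Python script simulates the import side of the policies above on routes received from an IX peer: no-small-prefixes, no-bogons, no-ix and the AS-path leak filter. It translates the Junos as-path regex notation (`.` is any single AS, quantifiers apply per AS) so the page's own `".{1,}1239.*"` patterns can be checked; the reject ranges, ASNs and sample routes are a constructed subset of the page's definitions.

```python
"""Simulate the page's Junos import policies on routes received from a peer.
Added example: ranges, ASNs and sample routes are a constructed subset."""
import ipaddress
import re

# Junos as-path regex tokens: an ASN, '.' (any single AS), quantifiers, grouping.
_TOKEN = re.compile(r"\d+|\.|\{\d*,?\d*\}|[*+?|()]")


def junos_to_python(pattern):
    """Translate a Junos as-path regex into a Python regex over a
    space-prefixed AS list such as ' 64500 1239 64501'."""
    parts = []
    for tok in _TOKEN.findall(pattern):
        if tok == ".":
            parts.append(r"(?: \d+)")      # any one AS
        elif tok.isdigit():
            parts.append(rf"(?: {tok})")   # this exact AS
        else:
            parts.append(tok)              # quantifier / group / alternation
    return "^" + "".join(parts) + "$"


def as_path_matches(pattern, as_path):
    """True when the Junos as-path regex matches the whole AS path."""
    text = "".join(f" {asn}" for asn in as_path)
    return re.fullmatch(junos_to_python(pattern), text) is not None


# as-path leaked-* from the page: the transit ASN is NOT the first hop, so the
# peer is re-announcing a route it bought from that transit provider.
LEAKED = {"sprint": 1239, "telia": 1299, "level3": 3356, "cogent": 174}

# route-filter ... orlonger reject, as in no-bogons and no-ix (constructed subset).
REJECT_ORLONGER = {
    "no-bogons": [ipaddress.ip_network("224.0.0.0/4"),
                  ipaddress.ip_network("10.0.0.0/8")],
    "no-ix": [ipaddress.ip_network("195.66.224.0/22")],
}


def evaluate_peer_route(prefix, as_path):
    """Return (accepted, policy) for one route received from an IX peer."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen > 24:                 # prefix-length-range /25-/32 reject
        return False, "no-small-prefixes"
    for policy, ranges in REJECT_ORLONGER.items():
        if any(net.subnet_of(r) for r in ranges):
            return False, policy
    for name, asn in LEAKED.items():
        if as_path_matches(f".{{1,}}{asn}.*", as_path):
            return False, f"no-leak (leaked-{name})"
    return True, "accept"


if __name__ == "__main__":
    # Constructed sample of what a peer might send; the last route is accepted
    # because the transit ASN is the first hop (the peer IS Sprint), not a leak.
    for prefix, path in [("192.0.2.0/24", [64500, 64501]),
                         ("192.0.2.128/25", [64500]),
                         ("195.66.224.0/22", [64500]),
                         ("198.51.100.0/24", [64500, 1239, 64502]),
                         ("198.51.100.0/24", [1239, 64502])]:
        print(prefix, path, evaluate_peer_route(prefix, path))
```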
!!Filtering using the registry DB
Some tools exist to help with the generation of filters based on the content of the IRR DBs (RIPE, ARIN, etc.): http://irrpt.sourceforce.net/ gathers and tracks prefixes within an AS-Macro.
The program implements most of the file(1) program (see man 4 magic) in python.
This code does not recognise the whole magic definition, as I concluded that the magic format was way too limited for my needs. It is, however, able to classify most files as well as the file program does. Things missing are binary operators, string compaction and the like, which are not used by most rules. Feel free to submit patches.
The magic definition does not permit recursively referenced data extraction and reference (which is needed to extract information from MPEG, for example).
Download it [[here|/data/source/magic.tar.bz2]]
!What is greylisting?
If you landed on this page without knowing what greylisting is, click [[here|http://projects.puremagic.com/greylisting/]] or [[here|http://www.greylisting.org/]]
!Overview
Recently, I decided that it was time for me to use [[greylisting|http://projects.puremagic.com/greylisting/]] with my [[qmail|http://www.qmail.org]] servers. As I wanted something lightweight (ie without database), I started to code a simple application, but before putting more work into it, I decided to have a look around (just in case someone else had already done the work for me) and found that I was not the first one to have implemented greylisting the way I wanted it.
http://www.jonatkins.com/page/software/qgreylist,
http://www.datenklause.de/en/software/qgreylistrbl.html,
http://oss.albawaba.com/cqgreylist.html
had released simple greylisting code well before I did.
However, the code on those alternatives is more complicated than it needs to be, as [[rblsmtpd|http://cr.yp.to/ucspi-tcp/rblsmtpd.html]] is already designed to handle a limited SMTP conversation and return 451 messages.
The result of my work is the following [[python|http://www.python.org]] [[code|/data/source/qmail-greyd]].
This script should cut most of the spam and is easy to install, as it does not need to have qmail patched in any way or form, so it can be used with "plain" or "net" qmail (or in my case qmail-ldap).
!The code
You can download the code [[here|/data/source/qmail-greyd]] (tested on python 2.4)
It seems to do what it says on the tin and is running on a group of MX servers in charge of over 1,000 busy domains.
I do not have a fancy versioning scheme, the version on my private svn repository for this download is 16 - updated on the 21st of April 2006.
!And how to use it
You will need to have qmail-smtpd calling the qmail-greyd application, like this
example of qmail-smtpd/run:
{{{
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`head -1 /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
GREYD="/var/qmail/bin/internal/qmail-greyd"
RBLSMTPD="/usr/bin/rblsmtpd"
BLACKLIST=`cat /var/qmail/control/blacklists|grep -v '^#'`
exec /usr/bin/softlimit -m 15000000 \
/usr/bin/tcpserver \
-v \
-R \
-p \
-x /var/qmail/control/tcprules/qmail-smtpd.cdb \
-c "$MAXSMTPD" \
-u $QMAILDUID -g $NOFILESGID \
0 smtp \
$GREYD \
$RBLSMTPD \
$BLACKLIST \
$SMTPD \
2>&1
}}}
Create a folder called /var/qmail/grey:
{{{
mkdir -p /var/qmail/grey
chown qmaild:nofiles /var/qmail/grey
}}}
An empty /var/qmail/control/blacklists file would look like this:
{{{
# you can add RBL sites to this file by using -r[host] (refer to rblsmtpd)
#-rbl.spamcop.net
}}}
and enable it for the ranges you want with the GREY environment variable.
Example of tcpserver file for qmail-smtpd:
{{{
192.168.:allow,RELAYCLIENT=""
:allow,GREY=""
}}}
!Final notes ...
Obviously you may have to run two instances of qmail-smtpd on the same box if you use things like SMTPAUTH: one for your MX record and one as your SMTP server with SMTPAUTH.
This code does not include whitelisting as it is not necessary (I said I was minimalist :p). To whitelist some hosts or ranges, generate entries for them without the GREY environment value set in your tcpserver configuration file.
Should you want to share the greylisting information between several servers, feel free to mount the qmail-greyd folder from NFS; it should just work, but it is untested (afaik).
!What is this page all about?
This document will explain how to rewrite a domain name so that the first part of the name is used as a user within the rest of the name.
The same technique can be used to perform arbitrary rewrites.
!Not clear enough? So let's use a small example:
Let's say you are running a firm which has a support department. You want people to send an email to name@support.firm.com, where name can be any name, but where the mail arrives at support@firm.com.
!How does it work?
It rewrites the email address from name@support.firm.com to support@firm.com or support-name@firm.com, depending on how you want to use it.
You can then decide to use a .qmail file to send the mail away, or use a catch-all to deliver the mail of a previous employee to someone else.
!How is it possible?
Qmail comes with a powerful user management backend. This backend is already well used by software such as vpopmail, which allows creating virtual domains on the mail server under the control of one independent administrator.
This is just a simple example using the power of this backend.
!Qmail configuration
The following Qmail file presentation assumes that you want the mail to be ultimately delivered to a local system user (having an entry in the /etc/passwd file and a valid Maildir directory).
You can alternatively deliver the domain through the virtualdomains