os_v7_bgp
https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall
- Step 1:
- /ip/firewall/address-list/
- add list=XXX-ISP address=x.x.x.0/24
- add list=XXX-ISP address=x.x.x.0/24
- Step 2:
- /ip/route
- add dst-address=x.x.x.0/24 blackhole
- add dst-address=x.x.x.0/24 blackhole
- Step 3:
- /routing filter rule
- add chain=IIG-IN disabled=no rule="if (dst ==0.0.0.0/0) { accept; }"
- add chain=IIG-IN disabled=no rule="reject;"
- add chain=IIG-OUT disabled=no rule="if (dst ==x.x.x.0/24) { accept; }"
- add chain=IIG-OUT disabled=no rule="if (dst ==x.x.x.x/24) { accept; }"
- add chain=IIG-OUT disabled=no rule="if (dst in x.x.x.x/23 && dst-len in 23-24) { set bgp-path-prepend 2; accept; }"
- add chain=IIG-OUT disabled=no rule="if (dst-len in 0-32) { reject; }"
- Step 3 V6:
- /routing filter rule
- add chain=IIG-IN-V6 disabled=no rule="if (dst == ::/0) { accept; }"
- add chain=IIG-IN-V6 disabled=no rule="reject;"
- add chain=IIG-Local-1-V6-OUT disabled=no rule="if (dst == xxx:xxx:xxx::/48) { accept; }"
- add chain=IIG-Local-1-V6-OUT disabled=yes rule="if (dst == xxx:xxx:xxx::/48) { set bgp-path-prepend 2; accept; }"
- add chain=IIG-Local-1-V6-OUT disabled=no rule="reject;"
- Step 4:
- /routing bgp connection
- add as=XXX connect=yes disabled=no listen=yes local.role=ebgp name=XXX-IIG-PEER output.filter-chain=IIG-OUT .network=XXX-ISP .no-client-to-client-reflection=yes remote.address=10.56.79.249/32 .as=58717 router-id=10.56.79.250 routing-table=main templates=default
- Step 5:
- /routing/bgp/advertisements print
- /routing/bgp/connection/print
- /routing/bgp/session/print
- /ip route print detail where 210.4.64.0/24 in dst-address
- /routing/bgp/session/refresh address-family=ip numbers=CCL-BDIX-IPV4-1
- /ip route print detail where 103.11.138.0 in dst-address received-from =CCl
- routing bgp advertisements print where nexthop=103.197.204.250 as-path ~ "150335\$"
- routing bgp advertisements print where nexthop=103.197.204.250 dst=103.203.237.0/24
- 0 peer=CCL-BDIX-IPV4-1 dst=103.203.237.0/24 afi=ip nexthop=103.197.204.250 origin=0 as-path=sequence 58717 140632 atomic-aggregate=yes
- [nazmul@TO-Core] > ipv6/firewall/address-list/export
- /ipv6 firewall address-list
- add address=2001:df2:66c0::/48 list=SCL-IPv6-OUT
- [nazmul@TO-Core] > ipv6/route/export
- /ipv6 route
- add blackhole disabled=no dst-address=2001:df2:66c0::/48 gateway="" routing-table=main
- add disabled=no dst-address=::/0 gateway=2405:1500:30:1::5 routing-table=main
- [nazmul@TO-Core] > routing/bgp/connection/export
- /routing bgp connection
- address-families=ipv6 as=151318 disabled=no local.role=ebgp name=SCL-IIG-IPv6 output.filter-chain=SCL-IPv6-OUT .network=SCL-IPv6-OUT remote.address=\
- 2405:1500:30:1::5/128 .as=58717 routing-table=main templates=Talora-AS
- [nazmul@TO-Core] >
- /routing filter rule
- add chain=SCL-IPv6-OUT disabled=no rule="if (dst==2001:DF2:66C0::/48) {accept;}"
- /routing filter community-list
- add communities=58717:36759 disabled=no list=CCL
- /routing filter rule
- add chain=SCL-CCL-IN disabled=no rule="if (bgp-communities equal-list CCL) { set bgp-local-pref 80; accept; }"
- add chain=SCL-CCL-IN disabled=no rule="if (dst in 0.0.0.0 && dst-len == 0) { reject; }"
- add chain=SCL-CCL-IN disabled=no rule="if (dst in 192.168.0.0/16 && dst-len in 16-32) {reject;}"
- add chain=SCL-CCL-IN disabled=no rule="if (dst in 0.0.0.0/0 && dst-len in 0-64) { reject; }"
- add chain=SCL-CCL-IN disabled=yes rule="if (dst-len>30 ) { reject;}"
- add chain=SCL-CCL-IN disabled=no rule="if (dst in 116.193.216.176/28 && dst-len>28) { reject;}"
- add chain=SCL-CCL-IN disabled=no rule="if ( not bgp-network) {reject; }"
- add chain=SCL-CCL-IN disabled=no rule="if (dst == 103.138.144.0/24) { set bgp-communities 58717:36759; set bgp-local-pref 95; accept; }"
- add chain=SCL-CCL-OUT disabled=no rule="accept;"
- add chain=SCL-CCL-OUT disabled=no rule="if (dst-len in 30-32) { reject; }"
- add chain=HM-COMM disabled=no rule="if (dst in 1.1.1.0/23 && dst-len in 23-24) { accept; }"
- add chain=HM-COMM disabled=no rule="if (dst ==2.2.2.0/24) { accept; }"
- add chain=HM-COMM disabled=no rule="if (dst-len in 0-32) { reject; }"
- add chain=HM-COMM disabled=no rule="reject;"
- # serial number = HE208J6CTY9
- /routing bgp template
- set default as=64512 disabled=no router-id=10.31.53.250 routing-table=main
- /routing bgp connection
- add address-families=ip as=64512/0 connect=yes disabled=no listen=yes local.role=ebgp name=BDIX nexthop-choice=default output.redistribute=bgp \
- remote.address=10.31.53.249/32 .as=58717 router-id=10.31.53.250 routing-table=main templates=default
- /ip route print detail where gateway=10.225.98.161
- /ip route print detail where bgp-as-path ~ "137213\$"
- /ip route print detail where 59.152.101.254 in dst-address
- /routing/bgp/network print
- /routing/bgp/peer reset
- /routing/bgp/advertisements print
- /ip route/print where bgp
- /ip route/print
- /ip/firewall/address-list/
- add list=bgp-SCL address=103.138.144.0/24
- add list=bgp-SCL address=103.138.145.0/24
- /ip/route
- add dst-address=103.138.144.0/24 blackhole
- add dst-address=103.138.145.0/24 blackhole
- /routing/bgp/connection
- set peer_name output.network=bgp-SCL
- /routing bgp connection
- add as=139008 cisco-vpls-nlri-len-fmt=auto-bits connect=yes disabled=no listen=yes local.role=ebgp name=Summit-IIG-IN output.filter-chain=SComm-IIG-OUT .network=bgp-SCL .no-client-to-client-reflection=yes remote.address=10.56.79.249/32 .as=58717 .port=179 router-id=10.56.79.250 routing-table=main templates=default
- /routing filter rule
- add chain="IIG Blackhole" disabled=no rule="if (dst in 0.0.0.0/0 && dst-len == 32) { accept; }"
- add chain="IIG Blackhole" disabled=no rule="reject;"
- add chain=Summit-IIG-IN disabled=no rule="if (dst == 0.0.0.0/0) { accept; }"
- add chain=Summit-IIG-IN disabled=no rule="reject;"
- add chain=Summit-IIG-OUT disabled=no rule="if (dst == 103.138.144.0/23 && bgp-as-path-slow-legacy \"139008\") { set bgp-path-prepend 4; accept; }"
- /routing filter rule
- add chain=SComm-IIG-OUT disabled=no rule="if (dst == 103.138.144.0/24) { set bgp-path-prepend 2; accept; }"
- add chain=SComm-IIG-OUT disabled=no rule="if (dst == 103.138.145.0/24) { set bgp-path-prepend 2; accept; }"
- add chain=SComm-IIG-OUT disabled=no rule="reject;"
- add chain=Summit-IIG-IN-V6 disabled=no rule="if (dst == ::/0) { accept; }"
- add chain=Summit-IIG-IN-V6 disabled=no rule="reject;"
- add chain=Summit-IIG-OUT-V6 disabled=no rule="reject;"
- add chain=IIG-Local-1-V6-OUT disabled=yes rule="if (dst == 2406:2c0:1101::/48) { accept; }"
- add chain=IIG-Local-1-V6-OUT disabled=no rule="if (dst == ::/0 && distance == 20) { accept; }"
- add chain=IIG-Local-1-V6-OUT disabled=no rule="reject;"
- add chain=NO-Route disabled=no rule="reject;"
- add chain=Prefix_not_send disabled=no rule="if (dst == 10.10.10.0/24) { reject; }"
- add chain=SCOMM-OUT disabled=no rule="if (dst == 103.138.144.0/23) { set bgp-path-prepend 4; accept; }"
- add chain=SCOMM-OUT disabled=no rule="if (dst in 103.138.144.0/23 && dst-len in 23-24) { set bgp-path-prepend 3; accept; }"
- [Neef@Core IIG] >
- /routing filter community-list
- add communities=15121:200 disabled=no list=Summit_GGC
- add communities=15121:300 disabled=no list=Summit_FNA
- add communities=15121:400 disabled=no list=Summit_BDIX
- add communities=15121:100 disabled=no list=Summit_INT
- add communities=15121:500 disabled=no list=Summit_CDN
- /routing filter rule
- add chain=Summit_INT disabled=no rule="if ( dst==0.0.0.0/0){set bgp-communities Summit_INT ;accept ;}"
- add chain=Summit_OUT disabled=no rule="if ( dst==103.133.246.0/23) { set bgp-path-prepend 2; accept; }"
- add chain=Summit_OUT disabled=no rule="if ( dst==103.133.246.0/24) { set bgp-path-prepend 2; accept; }"
- add chain=Summit_OUT disabled=no rule="if ( dst==103.133.247.0/24) { set bgp-path-prepend 2; accept; }"
- add chain=Summit_CDN_INT disabled=no rule="if ( dst-len >=0||dst-len <=32){set bgp-local-pref 1000;set bgp-communities Summit_CDN ; accept;}"
- add chain=Summit_CDN_OUT disabled=no rule="if ( dst==103.133.246.0/23) { accept; }"
- add chain=Summit_CDN_OUT disabled=no rule="if ( dst==103.133.246.0/24) { accept; }"
- add chain=Summit_CDN_OUT disabled=no rule="if ( dst==103.133.247.0/24) { accept; }"
- add chain=Summit_GGC disabled=no rule="if ( dst-len >=0||dst-len <=32){set bgp-communities Summit_GGC ;accept }"
- add chain=Summit_FNA disabled=no rule="if ( dst-len >=0||dst-len <=32){set bgp-communities Summit_FNA ;accept }"
- add chain=Summit_BDIX disabled=no rule="if ( dst-len >=0||dst-len <=32){set bgp-communities Summit_BDIX;accept }"
- add chain=DIS_GGC_OUT rule="if ( bgp-communities equal-list Summit_GGC ){accept ;}"
- add chain=DIS_INT_OUT disabled=no rule="if ( bgp-communities equal-list Summit_INT ){accept ;}"
- add chain=DIS_FNA_OUT rule="if ( bgp-communities equal-list Summit_FNA){accept ;}"
- add chain=DIS_BDIX_OUT rule="if ( bgp-communities equal-list Summit_BDIX){accept ;}"
- add chain=Client_INT_OUT disabled=no rule="if ( dst==0.0.0.0/0){accept ;}"
- add chain=Client_CDN_OUT disabled=no rule="if ( bgp-communities equal-list Summit_CDN ){accept ;}"
- add chain=FTP_BDIX disabled=yes rule="if ( dst-len >=0||dst-len <=32){set bgp-communities Summit_BDIX;accept }"
- add chain=Summit_CDN_INT disabled=yes rule="if ( dst-len >=0||dst-len <=32){set bgp-local-pref 1000; accept;}"
- add chain=Summit_CDN_INT disabled=yes rule="if ( dst-len >=0||dst-len <=32){set bgp-communities Summit_INT ;accept }"
- add chain=Summit_BDIX disabled=yes rule="if ( dst in 0.0.0.0/0){reject ;}"
- add chain=Summit_BDIX disabled=yes rule="if ( dst in 0.0.0.0/8 && dst-len in 8-32){reject ;}"