AS Edge/Transit/Peering Filtering

Generic settings to be used with transit providers and peering agreements.

Also refer to: https://www.rfc-editor.org/rfc/rfc7454.txt

IOS (filter inbound/outbound prefixes, remove bogons, remove private AS numbers, strip DSCP values ingress, set max AS length, set max prefix count, enable uRPF):

! Interface settings
interface Te4/3
 description Transit/Peering L3 Port
 no cdp enable
 no keepalive
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 no ip mask-reply
 no lldp receive
 no lldp transmit
 ntp disable
 ipv6 address x:x:x:x:x::y/127
 ipv6 nd ra suppress all
 no ipv6 redirects
 no ipv6 unreachables
 no ipv6 mld router
 ipv6 verify unicast source reachable-via any
 ! "via any" is ok for transit facing interface in the case of asymmetric routing
 ip address x.x.x.x 255.255.255.254
 ip verify unicast source reachable-via any
 ! In the case of downstream/single homed customers "via rx" is preferred
 load-interval 30
 no cdp enable
 no loopback
 service-policy input Transit-Ingress
 ! Remove DSCP values
 ! Or we can configure "no mls qos trust"
 mtu 9192
 ! We can reduce the full table convergence time by reducing TCP overhead
 hold-queue xxx in
 ! We can increase the input hold-queue for packets that are being CPU punted (such as BGP packets)
 ! to avoid drops and TCP retransmissions

policy-map Transit-Ingress
 class class-default
  set dscp default
  ! 0

Not all devices will support IPv6 uRPF in hardware; this error is from a 7600 using LAN cards:

abr1(config-if)#ipv6 verify unicast source reachable-via any
%Warning: Feature not supported in hardware.
           Packets for TenGigabitEthernet4/3 will be software switched.
abr1(config-if)#
abr1(config-if)#no ipv6 verify unicast source reachable-via any
TenGigabitEthernet4/3 packets will now be hardware switched.

! BGP settings
router bgp 12345

 ! 2015-01-30 longest path in DFZ is about 35 AS hops
 bgp maxas-limit 50

 neighbor 1.2.3.4 remote-as 55555
 neighbor 1.2.3.4 description Transit-Provider-1
 neighbor 1.2.3.4 update-source Te4/3

 neighbor x:x:x:x:x::z remote-as 55555
 neighbor x:x:x:x:x::z description Transit-Provider-1
 neighbor x:x:x:x:x::z update-source Te4/3

 address-family ipv4 unicast
  neighbor 1.2.3.4 activate
  neighbor 1.2.3.4 send-community
  neighbor 1.2.3.4 remove-private-as all
  neighbor 1.2.3.4 maximum-prefix 975000
  ! This example is for a 7600 with "mls cef maximum-routes ipv6 16",
  ! which allows for a maximum of 983040 IPv4 routes. This means the 7600
  ! should be able to sustain reasonable DFZ growth.
  neighbor 1.2.3.4 maximum-prefix 600000 ! 2015-06-16 DFZ is 540,000~ routes, adjust as needed
  neighbor 1.2.3.4 ttl-security hops 1 ! Set to 2 for loopbacks
  neighbor 1.2.3.4 route-map TRANSIT-IN-IPV4 in
  neighbor 1.2.3.4 route-map TRANSIT-OUT-IPV4 out
 exit-address-family

 address-family ipv6
  neighbor x:x:x:x:x::z activate
  neighbor x:x:x:x:x::z send-community
  neighbor x:x:x:x:x::z remove-private-as all
  neighbor x:x:x:x:x::z route-map TRANSIT-IN-IPV6 in
  neighbor x:x:x:x:x::z route-map TRANSIT-OUT-IPV6 out
  neighbor x:x:x:x:x::z maximum-prefix 30000 ! 2015-06-16 DFZ is 22000~, adjust as needed
 exit-address-family
exit

route-map TRANSIT-IN-IPV4 deny 10
 match ip address prefix-list BOGONS-IPV4
route-map TRANSIT-IN-IPV4 deny 20
 match ip address prefix-list LOCAL-AS-PREFIXES-IPV4
route-map TRANSIT-IN-IPV4 deny 30
 match ip address prefix-list DENIED-PREFIX-SIZES-IPV4
route-map TRANSIT-IN-IPV4 permit 1000
 ! These settings are OK for single-homed upstreams
 set metric 0
 set origin incomplete
 set community 12345:XXXXX
 ! Or, remove any of our own communities coming in (ok for transit,
 ! for peering and downstream customers allow a sub-set such as
 ! our RTBHR community and prepend communities)
 set comm-list DENIED-COMM-IN-IPV4 delete

! Inbound denied community list
ip community-list expanded DENIED-COMM-IN-IPV4 permit 12345:.* ! Our local ASN

! Inbound Prefix Filter
! Default route
ip prefix-list BOGONS-IPV4 permit 0.0.0.0/0
! Broadcast range in RFC 1700
ip prefix-list BOGONS-IPV4 permit 0.0.0.0/8 le 32
! RFC 1918 Addresses
ip prefix-list BOGONS-IPV4 permit 10.0.0.0/8 le 32
ip prefix-list BOGONS-IPV4 permit 172.16.0.0/12 le 32
ip prefix-list BOGONS-IPV4 permit 192.168.0.0/16 le 32
! RFC 2544 Benchmarking Methodology for Network Interconnect Devices
ip prefix-list BOGONS-IPV4 permit 198.18.0.0/15 le 32
! RFC 3068 An Anycast Prefix for 6to4 Relay Routers
ip prefix-list BOGONS-IPV4 permit 192.88.99.0/24 le 32
! RFC 5737 IPv4 Address Blocks Reserved for Documentation
ip prefix-list BOGONS-IPV4 permit 192.0.2.0/24 le 32 ! TEST-NET-1
ip prefix-list BOGONS-IPV4 permit 198.51.100.0/24 le 32 ! TEST-NET-2
ip prefix-list BOGONS-IPV4 permit 203.0.113.0/24 le 32 ! TEST-NET-3
! RFC 5771 IANA Guidelines for IPv4 Multicast Address Assignments
ip prefix-list BOGONS-IPV4 permit 224.0.0.0/4 le 32
! RFC 6333 Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion
ip prefix-list BOGONS-IPV4 permit 192.0.0.0/29 le 32
! RFC 6598 IANA-Reserved IPv4 Prefix for Shared Address Space
ip prefix-list BOGONS-IPV4 permit 100.64.0.0/10 le 32 ! CGNAT
! RFC 6890 Special-Purpose IP Address Registries
ip prefix-list BOGONS-IPV4 permit 127.0.0.0/8 le 32 ! Loopback range
ip prefix-list BOGONS-IPV4 permit 169.254.0.0/16 le 32 ! Autoconf range
ip prefix-list BOGONS-IPV4 permit 240.0.0.0/4 le 32 ! Reserved

! Local AS public prefixes
ip prefix-list LOCAL-AS-PREFIXES-IPV4 permit 1.2.3.0/24 le 32
ip prefix-list LOCAL-AS-PREFIXES-IPV4 permit 4.5.6.0/24 le 32

! The biggest allocations I can see in the DFZ as of 2017-07 are various /8 for IPv4
ip prefix-list DENIED-PREFIX-SIZES-IPV4 seq 10 permit 0.0.0.0/0 ge 25
ip prefix-list DENIED-PREFIX-SIZES-IPV4 seq 20 permit 0.0.0.0/0 le 5

route-map TRANSIT-OUT-IPV4 deny 10
 match ip address prefix-list BOGONS-IPV4
route-map TRANSIT-OUT-IPV4 deny 30
 match ip address prefix-list DENIED-PREFIX-SIZES-IPV4
route-map TRANSIT-OUT-IPV4 permit 1000
 match ip address prefix-list LOCAL-AS-PREFIXES-IPV4
 match community 12345:12345 ! Communities are preferred over prefix lists

! Local AS public prefixes
ip prefix-list PERMITED-PREFIXES-OUT-TRANSIT-IPV4 permit 1.2.3.0/24 le 32
ip prefix-list PERMITED-PREFIXES-OUT-TRANSIT-IPV4 permit 4.5.6.0/24 le 32

route-map TRANSIT-IN-IPV6 deny 10
 match ipv6 address prefix-list BOGONS-IPV6
route-map TRANSIT-IN-IPV6 deny 20
 match ipv6 address prefix-list LOCAL-AS-PREFIXES-IPV6
route-map TRANSIT-IN-IPV6 deny 30
 match ipv6 address prefix-list DENIED-PREFIX-SIZES-IPV6
route-map TRANSIT-IN-IPV6 permit 1000
 set metric 0
 set origin incomplete
 set community 12345:xxxxx
 ! If not overwriting the incoming communities they could be deleted:
 ! ip community-list expanded MATCH-AS12345 permit 12345:.*
 ! set comm-list MATCH-AS12345 delete

! Inbound Prefix Filter
! Default route
ipv6 prefix-list BOGONS-IPV6 seq 10 permit ::/0
! Used for loopback
ipv6 prefix-list BOGONS-IPV6 seq 15 permit ::/8 le 128
! For IPv6 Documentation use
ipv6 prefix-list BOGONS-IPV6 seq 20 permit 2001:DB8::/32 le 128
! The parent /16 can be denied as it is abandoned (RFC7526):
ipv6 prefix-list BOGONS-IPV6 seq 25 permit 2002::/16 le 128
! ! 6to4 relays (IPv4 private 10.0.0.0/8 network)
! ipv6 prefix-list BOGONS-IPV6 seq 25 permit 2002:A00::/24 le 128
!
! ! 6to4 relays (IPv4 private 172.16.0.0/12 network)
! ipv6 prefix-list BOGONS-IPV6 seq 30 permit 2002:AC10::/28 le 128
!
! ! 6to4 relays (IPv4 private 192.168.0.0/16 network)
! ipv6 prefix-list BOGONS-IPV6 seq 35 permit 2002:C0A8::/32 le 128
! Old 6bone range
ipv6 prefix-list BOGONS-IPV6 seq 40 permit 3FFE::/16 le 128
! Unique local addresses
ipv6 prefix-list BOGONS-IPV6 seq 45 permit FC00::/7 le 128
! IETF Reserved
ipv6 prefix-list BOGONS-IPV6 seq 50 permit FE00::/9 le 128
! Link local unicast
ipv6 prefix-list BOGONS-IPV6 seq 55 permit FE80::/10 le 128
! IETF Reserved
ipv6 prefix-list BOGONS-IPV6 seq 60 permit FEC0::/10 le 128
! Multicast address
ipv6 prefix-list BOGONS-IPV6 seq 65 permit FF00::/8 le 128

! Local AS public ranges
ipv6 prefix-list LOCAL-AS-PREFIXES-IPV6 seq 10 permit 2A02:xxxx::/32 le 128
ipv6 prefix-list LOCAL-AS-PREFIXES-IPV6 seq 20 permit 2A04:yyyy::/29 le 128

! The biggest allocations I can see in the DFZ as of 2017-07 is 2002::/16
ipv6 prefix-list DENIED-PREFIX-SIZES-IPV6 seq 10 permit ::/0 ge 65

route-map TRANSIT-OUT-IPV6 deny 10
 match ipv6 address prefix-list BOGONS-IPV6
route-map TRANSIT-OUT-IPV6 deny 30
 match ipv6 address prefix-list DENIED-PREFIX-SIZES-IPV6
route-map TRANSIT-OUT-IPV6 permit 1000
 match ipv6 address prefix-list LOCAL-AS-PREFIXES-IPV6
 match community 12345:12345 ! Communities are preferred over prefix lists
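
Added example (not part of the original notes): a small Python check that applies IOS prefix-list matching (exact length, "le", "ge") to the three deny clauses of TRANSIT-IN-IPV4 above, so a change to the lists can be tested offline before it goes on a router. The sample routes are constructed, and the function and variable names are the example's own.

```python
import ipaddress

def entry(prefix, ge=None, le=None):
    """One permit line of an IOS prefix-list as (network, min_len, max_len)."""
    net = ipaddress.ip_network(prefix)
    lo = net.prefixlen if ge is None else ge
    # No ge/le: exact length only. ge without le: up to the address width.
    hi = le if le is not None else (net.prefixlen if ge is None else net.max_prefixlen)
    return net, lo, hi

def matches(plist, route):
    """True if the route sits inside an entry's network and length window."""
    r = ipaddress.ip_network(route)
    return any(r.version == n.version and lo <= r.prefixlen <= hi and r.subnet_of(n)
               for n, lo, hi in plist)

# Prefix-lists copied from the IOS configuration on this page.
BOGONS_IPV4 = [entry("0.0.0.0/0")] + [entry(p, le=32) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "198.18.0.0/15", "192.88.99.0/24", "192.0.2.0/24", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "192.0.0.0/29", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "240.0.0.0/4")]
LOCAL_AS_PREFIXES_IPV4 = [entry("1.2.3.0/24", le=32), entry("4.5.6.0/24", le=32)]
DENIED_PREFIX_SIZES_IPV4 = [entry("0.0.0.0/0", ge=25), entry("0.0.0.0/0", le=5)]

# Deny clauses of route-map TRANSIT-IN-IPV4, in sequence order.
TRANSIT_IN_IPV4 = [(10, BOGONS_IPV4), (20, LOCAL_AS_PREFIXES_IPV4),
                   (30, DENIED_PREFIX_SIZES_IPV4)]

def transit_in_ipv4(route):
    """Return 'deny <seq>' for the first matching deny clause, else 'permit'."""
    for seq, plist in TRANSIT_IN_IPV4:
        if matches(plist, route):
            return f"deny {seq}"
    return "permit"

if __name__ == "__main__":
    # Constructed sample announcements, not real received routes.
    for route in ("8.8.8.0/24", "10.1.0.0/16", "0.0.0.0/0", "1.2.3.0/25",
                  "8.8.8.128/25", "8.0.0.0/5", "100.64.1.0/24"):
        print(f"{route:18} {transit_in_ipv4(route)}")
```

Note that 1.2.3.0/25 is caught by the local-AS clause (deny 20) before the size clause is reached, because route-map clauses are evaluated in sequence order.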

IOS-XR (filter inbound/outbound prefixes, remove bogons, remove private AS numbers, strip DSCP values ingress, set max AS length, set max prefix count, enable uRPF):

policy-map Transit-Ingress
 class class-default
  set dscp 0

interface TenGigE0/0/2/3
 service-policy input Transit-Ingress
 ipv4 address x.x.x.x
 ipv4 verify unicast source reachable-via any ! This is loose mode, not ideal !
 ipv6 nd suppress-ra
 ipv6 verify unicast source reachable-via any ! This is loose mode, not ideal !
 ipv6 address x:x:x:x:x::y/126
 load-interval 30
 dampening
 no cdp
 no ipv4 mask-reply
 no ipv4 redirects
 no ipv4 directed-broadcast
 ipv4 unreachables disable
 ipv6 nd suppress-ra
 ipv6 verify unicast source reachable-via any
 ipv6 unreachables disable
 no lldp
 lldp
  receive disable
  transmit disable
 !
!

router bgp 12345

 neighbor 1.2.3.4

  remote-as 55555
  description Transit-Provider-1
  password encrypted XXXX
  ! password clear test
  ttl-security
  ! For a peering LAN route server session, one might have to configure the following:
  ! enforce-first-as disable
  address-family ipv4 unicast
   ! This is much higher on an ASR9000 for example, but in line
   ! with the example above for a 7600 on IOS, if peering with
   ! the same network on two different devices it's best to limit
   ! to the ability of the lesser capable device.
   maximum-prefix 975000 75
   route-policy TRANSIT-IN-IPV4 in
   route-policy TRANSIT-OUT-IPV4 out
   remove-private-AS
  exit
 exit

 neighbor x:x:x:x:x::z
  remote-as 55555
  description Transit-Provider-1
  password encrypted XXXX
  ! password clear test
  ttl-security
  ! For a peering LAN route server session, one might have to configure the following:
  ! enforce-first-as disable
  address-family ipv6 unicast
   maximum-prefix 30000 75
   route-policy TRANSIT-IN-IPV6 in
   route-policy TRANSIT-OUT-IPV6 out
   remove-private-AS
  exit
 exit
exit

! The biggest allocations I can see in the DFZ as of 2017-07 are 2002::/16 for IPv6 and various /8 for IPv4

route-policy TRANSIT-IN-IPV4
 if destination in TRANSIT-IN-IPV4-DENY then
  drop
 elseif as-path length ge 50 then
  drop
 elseif as-path in BOGONS-ASNs then
  drop
 elseif destination in (0.0.0.0/0 le 5) or destination in (0.0.0.0/0 ge 26) then
  drop
 endif
 set community (12345:xxxxx)
 set origin incomplete
 ! set med 0
 ! prepend as-path most-recent 5
 ! set local-preference 67890
end-policy

route-policy TRANSIT-IN-IPV6
 if destination in TRANSIT-IN-IPV6-DENY then
  drop
 endif
 if as-path length ge 50 then
  drop
 elseif destination in (:: ::7fff:ffff:ffff:ffff ge 65) then
  drop
 endif
 set community (12345:xxxxx)
 set origin incomplete
 ! set med 0
 ! prepend as-path most-recent 5
 ! set local-preference 67890
end-policy

route-policy TRANSIT-OUT-IPV4
 if community matches-any (12345:xxxx) then
  if destination in BOGONS-IPV4 then
   drop
  elseif destination in (0.0.0.0/0 le 5) or destination in (0.0.0.0/0 ge 26) then
   drop
  else
   remove as-path private-as
   prepend as-path most-recent 5
   delete community in (12345:*)
   pass
  endif
 else
  drop
 endif
 ! Prefixes are less preferred than community matching
 ! if destination in TRANSIT-OUT-IPV4-PERMIT then
 !  pass
 ! else
 !  drop
 ! endif
 !
end-policy

route-policy TRANSIT-OUT-IPV6
 if community matches-any (12345:xxxx) then
  if destination in BOGONS-IPV6 then
   drop
  elseif destination in (0::0 0::7fff:ffff:ffff:ffff ge 65) then
   drop
  else
   remove as-path private-as
   prepend as-path most-recent 5
   delete community in (12345:*)
   pass
  endif
 else
  drop
 endif
 ! Prefixes are less preferred than community matching
 ! if destination in TRANSIT-OUT-IPV6-PERMIT then
 !  pass
 ! else
 !  drop
 ! endif
 !
end-policy

prefix-set TRANSIT-OUT-IPV4-PERMIT
 ! These are the local AS PI ranges...
 1.2.3.0/24,
 4.5.6.0/24
end-set

prefix-set TRANSIT-OUT-IPV6-PERMIT
 ! These are the local AS PI ranges...
 2A02:xxxx::/32,
 2A04:yyyy::/34
end-set

prefix-set TRANSIT-IN-IPV4-DENY
 ! These are BOGONs...
 0.0.0.0/0,
 0.0.0.0/8 le 32,
 10.0.0.0/8 le 32,
 100.64.0.0/10 le 32,
 127.0.0.0/8 le 32,
 169.254.0.0/16 le 32,
 172.16.0.0/12 le 32,
 192.0.0.0/24 le 32,
 192.0.2.0/24 le 32,
 192.168.0.0/16 le 32,
 198.18.0.0/15 le 32,
 198.51.100.0/24 le 32,
 203.0.113.0/24 le 32,
 224.0.0.0/3 le 32,
 ! Plus the local AS PI ranges...
 1.2.3.0/24 le 32,
 4.5.6.0/24 le 32
end-set

prefix-set TRANSIT-IN-IPV6-DENY
 ! These are IPV6 BOGONs....
 ::/0,
 ::/8 le 128,
 2001:db8::/32 le 128,
 2002:a00::/24 le 128,
 2002:ac10::/28 le 128,
 2002:c0a8::/32 le 128,
 3ffe::/16 le 128,
 fc00::/7 le 128,
 fe00::/9 le 128,
 fe80::/10 le 128,
 fec0::/10 le 128,
 ff00::/8 le 128,
 2A02:xxxx::/32 le 128,
 2A04:yyyy::/36 le 128
end-set

 

BGP SPD (Selective Packet Discard)

When peering on older CPU-based IOS devices (like 7200s), BGP SPD might need adjusting.

Note:
IP packets with normal precedence are allowed to enqueue up to the default queue limit (75).
High priority IP packets are allowed to enqueue up to the default queue limit + spd_headroom (175 or 1075 based on the Cisco IOS software release).
CLNS, IGP and LC keepalive packets are allowed to enqueue up to the default queue limit + spd_headroom + spd_ext_headroom (185 or 1085 based on the Cisco IOS software release).

The default values are usually ("show ip spd"):
Input queue size = 75
SPD headroom size = 100
Extended headroom size = 10

spd enable     ! DEFAULT

interface FastEthernet0/0
 hold-queue 150 in
 exit

spd headroom 120
spd extended-headroom 150
ip spd mode aggressive
ip spd queue threshold minimum 75 maximum 150