|
|
- # $OpenBSD: bgpd.conf,v 1.7 2004/10/01 15:12:16 henning Exp $
- # sample bgpd configuration file
- # see bgpd.conf(5)
-
- #macros
- peer1="10.1.0.2"
- peer2="10.1.0.3"
-
- # global configuration
- AS 65001
- router-id 10.0.0.1
- # holdtime 180
- # holdtime min 3
- # listen on 127.0.0.1
- # listen on ::1
- # fib-update no
- # route-collector no
- # log updates
- # network 10.0.1.0/24
-
- # neighbors and peers
- group "peering AS65002" {
- remote-as 65002
- neighbor $peer1 {
- descr "AS 65001 peer 1"
- announce self
- tcp md5sig password mekmitasdigoat
- }
- neighbor $peer2 {
- descr "AS 65001 peer 2"
- announce all
- local-address 10.0.0.8
- ipsec esp ike
- }
- }
-
- group "peering AS65042" {
- descr "peering AS 65042"
- local-address 10.0.0.8
- ipsec ah ike
- neighbor 10.2.0.1
- neighbor 10.2.0.2
- }
-
- neighbor 10.0.1.0 {
- remote-as 65003
- descr upstream
- multihop 2
- local-address 10.0.0.8
- passive
- holdtime 180
- holdtime min 3
- announce none
- tcp md5sig key deadbeef
- }
-
- neighbor 10.0.2.0 {
- remote-as 65004
- descr upstream2
- local-address 10.0.0.8
- ipsec ah ike
- }
-
- neighbor 10.0.0.0/24 {
- descr "template for local peers"
- }
-
- neighbor 10.2.1.1 {
- remote-as 65023
- local-address 10.0.0.8
- ipsec esp in spi 10 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \
- aes 0c1b3a6c7d7a8d2e0e7b4f3d5e8e6c1e
- ipsec esp out spi 12 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \
- aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
- }
-
- # filter out prefixes longer than 24 or shorter than 8 bits
- deny from any
- allow from any prefixlen 8 - 24
-
- # do not accept a default route
- deny from any prefix 0.0.0.0/0
-
- # filter bogus networks
- deny from any prefix 10.0.0.0/8 prefixlen >= 8
- deny from any prefix 172.16.0.0/12 prefixlen >= 12
- deny from any prefix 192.168.0.0/16 prefixlen >= 16
- deny from any prefix 169.254.0.0/16 prefixlen >= 16
- deny from any prefix 192.0.2.0/24 prefixlen >= 24
- deny from any prefix 224.0.0.0/4 prefixlen >= 4
- deny from any prefix 240.0.0.0/4 prefixlen >= 4
|
