First, I accept this might not really be the right list for this request; I have used
the nsp cisco list, but only my first post succeeded. I sent several others over the
past 4 days and none appeared (verified by the list archive), so please excuse the request.
I am in need of a Cisco config for a BGP setup. We have a requirement to include
IX peering at a new location as well as our Verizon link; we would like to take
full BGP from Verizon and send to the IX what they send us. I have spent days
reading Google, and so many conflicting web site examples; so many examples seem
insecure, no prefix lists and so on. The end result to date is only sore eyes. Would
someone who does the same (it need not be Verizon) be kind enough to send us, off list,
a working running config (yes, without your passwords heh), or at least how to
apply it to the BGP router, including access/prefix lists and interfaces, so we have
an idea of what to do. If you take two full BGP feeds from two transit
carriers in load share and an IX, that's good, because that's our stage three plan,
but I can work without two transits.
I am not ignorant with the Cisco 7201, but am a total newbie to BGP.
Why would you want to advertise full Verizon routes out to the IX? You
should only be advertising your own network via the IX.
> many examples seem
> insecure, no prefix lists and so on.
> I am not ignorant with the Cisco 7201, but am a total newbie to BGP.
Your concern about a lack of any prefix-lists in the documentation /
examples you have read is justified. If you are connecting to an IX
it may offer route-servers which have prefix-lists maintained by the
IX staff and tools. However, as you may already know, you will only
receive the "best path" to each prefix from an IX route-server. This
is often a motive (among others) to establish direct eBGP sessions
with other IX members. Once you start doing that, you had better
filter routes from those neighbors, or you will subject your network
to your peers' mistakes and glitches.
If you imagine that the IX has other members like yourself, who also
do not know much about BGP, then you can understand why you do not
want your peers' mistakes to cause outages on your network.
Doing a "cut, replace, and paste" from online examples is obviously a
bad idea. If I were you, I would find a local consultant (perhaps
someone on the staff of the IX or another member) who can assist you
with your initial configuration, and help you in the event of a severe
emergency. Otherwise, frankly, you are going to be better off by just
buying transit from Verizon and being single-homed. The added
complexity of BGP is not an asset to an organization that doesn't have
I am not; I wish all transit by Verizon, but if traffic comes in from the IX, it's
only fair I send traffic to them if they are in that IX; they'd be the closest path.
Google for "team cymru secure bgp template" for a good starting point.
This is a perfect example of why it is crucial that inbound route filters be scrupulously maintained in upstream BGP providers. Who knows who is out there.
Sorry, my English is not so perfect; at no time did I mean send to the IX what Verizon
sends me, I'm not THAT stupid hehe.
I mean if the destination/origin is via the IX, then send THAT traffic only by the IX
and not Verizon.
I understood what you mean. The recommendations in my earlier reply
are still the best ones you've received:
1) hire a consultant to assist you both now and with any future problems
or 2) do not worry about being multi-homed, because the extra
complexity will do you more harm than good
Imagine if you took your car to a shop and asked for new tires, and
the mechanic said, "well, I have never changed tires before and I'm
not sure I have the right tools, but if you give me a couple of days I
think I can read about it on the Internet and figure it out." Of
course you would not buy tires from him, you would go to another shop.
That mechanic would quickly find that, if he wants to sell tires, he
needs to learn how to install them or hire someone to do it for him.
What you are asking your boss/company to do is trust you to put tires
on their car without the right tools or knowledge. The result of that
is probably how your network will end up: "a wreck."
Reminds me of the look on my original boss' face when I said, "Well, I have no BGP experience, but I think I'm going to redo this entire BGP config. It doesn't look right." I then proceeded to try every ? hierarchy under bgp in the then cisco routers and read up on every command until I understood each one.
Okay, it was simple, had no route-maps, and used access-lists instead of prefix-lists. It worked for a single 7206 BGP aggregation router.
Now I have the mile long monstrosity that uses BGP communities for everything, and of route-maps/policies with prefix-lists for downstream customers. You have to start somewhere.
cymru secure bgp templates is probably a good beginning. Careful study of your routing platform, what it supports, and reading up on what it means. If you don't understand something, use vendor specific lists/forums/documentation/google until you do.
I guess ten years of watching RIRs and users de-bogon new /8s didn't
teach you why those Cymru examples are more dangerous than they are
Have to read the current cymru bgp templates?
! Team Cymru has removed all static bogon references from this template
! due to the high probability that the application of these bogon filters
! will be a one-time event. Unfortunately many of these templates are
! applied and never re-visited, despite our dire warnings that bogons do
! This doesn't mean bogon filtering can't be accomplished in an automated
! manner. Why not consider peering with our globally distributed bogon
! route-server project? Alternately you can obtain a current and well
! maintained bogon feed from our DNS and RADb services. Read more at the
! link below to learn how!
I'm not telling you something you don't already know, but for the
novices who regard this list as a source of expertise, I will explain
in greater detail why this is a really dumb idea.
If you took a list of bogons over eBGP from Cymru, you would get
unused /8s and similar. What you don't get is a route that matches
whatever silly thing someone on the DFZ accidentally leaked: a
more-specific that will still cause you to route traffic to their
leaked prefix out to the Internet (and presumably, to their network.)
There is nothing good about this. It's just adding unnecessary
complexity for no operational benefit. There is bad about it. It
adds complexity and risk. What is that risk? If you decide that the
Cymru "distributed bogon route-server" is for you, and simply rewrite
next-hops received on that session to Null0, it is possible that Cymru
could make an error, or otherwise introduce non-bogon routes into your
network as if they were bogons, causing black-holes. This is
obviously too much to risk for something that has no operational
The Cymru guys do many positive things. One of the more questionable
things they do, though, is operate a route-server with the intention
of black-holing botnet C&C IPs on a very wide scale. This is
certainly a positive thing to do, but it was not done in a transparent
manner; and in fact didn't even have management approval at Cogent
when they configured it on their network. There was no established
channel to find out why your IP address appeared on this list or to
get it removed. All it took for me to get the whole idea canned at
Cogent was one inquiry to management, asking why engineers had quietly
started using a clandestine blackhole list operated by a third-party
and would not give any answers to a customer if one of their IPs
appeared on that list. The IP address I inquired about was certainly
not a botnet C&C node, and how it ended up on that list is a mystery.
I'm not saying there was any malicious intent, but it was a mistake at
Trusting that "bogon" black-hole list to do something you don't even
need to do anyway is not smart. It's *especially* not smart for some
novice who doesn't understand the implications of his decision. This
is the danger of "cut & paste engineering."
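An added example, not posted by anyone in this thread, illustrating two points made above: the earlier reply's advice to filter routes from IX neighbors with prefix-lists, and the argument that a bogon feed of whole /8s pointed at Null0 cannot catch a leaked more-specific, because longest-prefix match prefers the leak. The bogon block, the leaked prefix and the peer names are constructed sample values.

```python
# Added example (not from the thread): a toy longest-prefix-match RIB that
# shows why a /8-granularity bogon feed with next-hop Null0 does not catch a
# leaked more-specific, while an inbound prefix-list filter stops it.
import ipaddress

# Constructed sample values (private/documentation ranges only).
BOGON_FEED = ["10.0.0.0/8"]      # a coarse bogon entry as learned from a feed;
                                 # a static copy of such a list also goes stale
LEAKED = "10.1.2.0/24"           # a more-specific an IX peer accidentally leaks
LEGIT = "203.0.113.0/24"         # an ordinary route from the same peer


class Rib:
    """Minimal RIB: prefix -> next-hop, longest prefix match on lookup."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        best = None
        for net, nh in self.routes.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None


def bogon_filter_passes(prefix, bogons):
    """Inbound prefix-list semantics: deny any prefix inside a bogon block
    (the equivalent of a 'deny 10.0.0.0/8 le 32' entry), permit the rest."""
    net = ipaddress.ip_network(prefix)
    return not any(net.subnet_of(ipaddress.ip_network(b)) for b in bogons)


def scenario_null0_only():
    """Bogon feed rewritten to Null0, but no inbound filter on the IX peer."""
    rib = Rib()
    for b in BOGON_FEED:
        rib.add(b, "Null0")
    rib.add(LEAKED, "peer-ix")    # the leak is installed unfiltered
    rib.add(LEGIT, "peer-ix")
    return rib.lookup("10.1.2.10")   # the /24 wins over the /8, traffic goes to the peer


def scenario_prefix_list():
    """Same peer routes, but passed through the inbound prefix-list first."""
    rib = Rib()
    for p in (LEAKED, LEGIT):
        if bogon_filter_passes(p, BOGON_FEED):
            rib.add(p, "peer-ix")
    return rib.lookup("10.1.2.10"), rib.lookup("203.0.113.7")
```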
If you follow "all" the CYMRU examples and subscribe to the BGP bogon
feed, that isn't an issue...
This thread makes me want to LAUGH and VOMIT at the same time...
This guy is asking for advice and all this list can do is poke and make
fun at him for trying to learn the right way to do things...
We ALL need to remember...NONE of us come out of the womb being BGP
experts... and anyone who says they are...are lying through their teeth.
I have had to work with such people who talked a big game...but in the
end didn't know their ass from a hole in the ground.
And to the original post Edward...if you follow "team CYMRU" you are
pretty much on the right path to being successful in your ventures...