Escolar Documentos
Profissional Documentos
Cultura Documentos
0]
Prerequisites: Knowledge of Cisco router CLI, ACL, regular expression, IPv6 etc.
The following will be the common topology and IP address plan used for the labs.
2406:6400:800::/39 2406:6400:a00::/39
2406:6400:a000::/48
172.16.11.0/30
172.16.16.0/23
2406:6400:10::/64 172.16.11.64/30
172.16.20.0/23
r13-CAR1 R1 R4 2406:6400:18::/64 r15-CAR2
11 22 11 65 1 2 66 11
fa0/0 fa0/1 fa0/0 e1/0 e1/0 fa0/0 fa0/1
fa0/0
2406:6400:e:10::/64
22 2 26
2406:6400:e::/64
172.16.10.24/30
91
172.16.10.0/30
lo 0 lo 0 1 33
e1/1
172.16.15.2/32 172.16.15.5/32
e1/1
2406:6400::2/128 2406:6400::5/128
lo 0
e1/3
lo 0 172.16.15.4/32
e1/3
e1/0
172.16.15.1/32
e1/0
2406:6400::4/128
2406:6400:e:12::/64
2406:6400:e:2::/64
11
11
2406:6400::1/128
R2
172.16.10.32/30
172.16.10.8/30
172.16.13.0/24 R5
11 2406:6400:3::/48 1 25
fa0/1 fa0/0 1 29
51
11
lo 0 22
2406:6400:e:11::/64
2406:6400:e:1::/64
22
172.16.15.3/32
11
lo 0
172.16.10.28/30
172.16.10.4/30
fa0/0
e1/1
e1/1
2406:6400::3/128 172.16.12.0/24
fa0/1
172.16.15.6/32
2406:6400:2::/48 2406:6400::6/128
2406:6400:9800::/48
e1/1
2406:6400:b800::/48
e1/1
172.16.18.0/23
172.16.22.0/23
2 34
r14-CBR1 10 2 R3 R6 r16-CBR2
fa0/2
fa0/5
11 11
fa0/1 e1/0 e1/0 fa0/0 fa0/1
fa0/0 fa0/0
fa0/0 62 97 1 2 98
34 2 1 33 2 30
172.16.11.32/30 172.16.11.96/30
2406:6400:14::/64 2406:6400:1c::/64
fa0/2 fa0/5
SW1 SW2
172.16.11.192/30
fa0/11 fa0/8
2406:6400:e000::/48
2406:6400:c000::/48
2406:6400:28::/64 172.16.11.128/30
172.16.28.0/23
172.16.24.0/23
r19-CAR4 R10 R7 2406:6400:20::/64 r17-CAR3
fa0/8
fa0/11
74 2 2 50
172.16.10.48/30
172.16.10.72/30
81 1 1 57
e1/1
e1/1
lo 0
fa0/0
fa0/1
lo 0 172.16.15.7/32
172.16.15.10/32
e1/0
2406:6400::7/128
33
e1/0
44
2406:6400::10/128
2406:6400:e:22::/64
R11
2406:6400:e:32::/64
R8
172.16.10.56/30
172.16.10.80/30
44 33
1 49
73 1 fa0/1 fa0/0 1 53
77 1
11
11
2406:6400:e:21::/64
2406:6400:e:31::/64
e1/1
e1/1
172.16.10.52/30
172.16.10.76/30
lo 0
e1/3
e1/3
lo 0
172.16.15.12/32 AS17821 172.16.15.9/32
2406:6400::12/128 2406:6400::9/128
lo 0 lo 0
e1/1
2406:6400:d800::/48
2406:6400:f800::/48
e1/1
172.16.15.11/32 172.16.15.8/32
172.16.26.0/23
172.16.30.0/23
2406:6400::11/128 2406:6400::8/128 2 58
r20-CBR4 82 2 R12 R9 r18-CBR3
11 11
fa0/1 fa0/0 e1/0 e1/0 fa0/0 fa0/1
fa0/0 226 2 1 225 2 162 fa0/0
78 2 2 54 161 1
172.16.11.224/30 172.16.11.160/30
2406:6400:2c::/64 2406:6400:24::/64
CPE Infra 172.16.6.0/23 172.16.4.0/23 Infra CPE
2406:6400:e00::/39 2406:6400:c00::/39
1 ©APNIC
Created: 02 May 2013
Updated: 02 May 2013
Wednesday, May 20, 2015
Lab Notes
All the required prefix filters need to be applied on to the edge routers. In our lab we need to create
filter on POP routers i.e. R1, R3, R4, R6, R7, R9, R10, R12 and CPE routers R13, R14, R15, R16,
R17, R18, R19, R20 for both IN and OUT direction. This is how we will secure our perimeter routers
(Both Service provider and Customer) by filtering unwanted prefixes and eventually unauthorised
traffic. There is a significant difference between filtering traffic using ACL (Data plane) and prefix list
(Control plane). Before you start configuring filters please check routing tables on both edge and CPE
routers and note down the available prefixes. Then look at the prefix exchange policy in next section,
configure required route map and verify the outcome by looking at the routing table again on both
POP and CPE routers.
It is advisable to spend some time (Before your start the lab) to be familiar with the network topology,
addressing plan, check routing table, BGP table, received and advertised prefix to all BGP peers etc.
b. POP Router IN
1. ISP accepts its customer prefix & originated by the customer AS. Create ACL to match customer prefix,
create as-path access list to match prefix originated by customer AS.
2. Group those policy in a route map with proper sequence number.
3. Attach it in POP router IN direction
c. CEP Router IN
1. Customer router accepts default prefix from ISP & ISP own aggregated prefix. Create ACL to match
default prefix, ISP own aggregated.
2. Customer routers accept legitimate prefixes of ISP’s directly connected other customer prefix. Create
prefix list to match legitimate prefixes and as-path access list to match prefixes originated by ISP and ISP
directly connected customers.
3. Group all policy in a route map with proper sequence number.
4. Attach it in CEP router IN direction.
2
APNIC Network Security Workshop Lab [v1.0]
Lab Exercise
a) Configuration steps for POP router OUT:
1. IPv6 prefix list configuration on edge router to match ISP aggregated prefix.
2. IPv6 aggregation prefix filter to match /32 and /48 prefix length.
4. AS path filter to match prefix originated from direct connected customer using their AS
number.
5. Create route-map to match ISP aggregated prefix and originated by ISP ASN.
6. Create route-map to match aggregation filter and direct customer originated prefix
3 ©APNIC
Created: 02 May 2013
Updated: 02 May 2013
Wednesday, May 20, 2015
8. Send dynamic refresh to your BGP peer for the new policy to be activated.
4
APNIC Network Security Workshop Lab [v1.0]
5. Send dynamic refresh to your BGP peer for the new policy to be activated.
1. IPv6 prefix list configuration on CPE router to match default prefix and ISP aggregated
prefix.
2. IPv6 aggregation prefix filter to match /32 and /48 prefix length.
3. AS path filter to match prefix originated ISP and originated by ISP direct customer.
5. Create route-map to match other prefix via ISP and with legitimate prefix length (/32 &
/48).
5 ©APNIC
Created: 02 May 2013
Updated: 02 May 2013
Wednesday, May 20, 2015
7. Send dynamic refresh to your BGP peer for the new policy to be activated.
6
APNIC Network Security Workshop Lab [v1.0]
5. Send dynamic refresh to your BGP peer for the new policy to be activated.
7 ©APNIC
Created: 02 May 2013
Updated: 02 May 2013
Wednesday, May 20, 2015
config t
ipv6 prefix-list IPV6-MY-PREFIX seq 15 permit 2406:6400::/32
ipv6 prefix-list IPV6-CUSTOMER-OUT seq 20 permit ::/0 ge 32 le 32
ipv6 prefix-list IPV6-CUSTOMER-OUT seq 25 permit ::/0 ge 48 le 48
ip as-path access-list 100 permit ^$
ip as-path access-list 101 permit ^[0-9]+$
route-map IPV6-CUSTOMER-OUT permit 10
match as-path 100
match ipv6 address prefix-list IPV6-MY-PREFIX
route-map IPV6-CUSTOMER-OUT permit 20
match as-path 101
match ipv6 address prefix-list IPV6-CUSTOMER-OUT
exit
router bgp 17821
address-family ipv6
neighbor IPV6-eBGP-CUSTOMER-REG1-POP1 route-map IPV6-CUSTOMER-OUT out
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:10::2 soft out
wr
Router 1 In
config t
ipv6 prefix-list IPV6-CAR1-IN seq 15 permit 2406:6400:8000::/48
ip as-path access-list 500 permit _65001$
route-map IPV6-CUST-CAR1-IN permit 10
match as-path 500
match ipv6 address prefix-list IPV6-CAR1-IN
exit
router bgp 17821
address-family ipv6
neighbor 2406:6400:10::2 route-map IPV6-CUST-CAR1-IN in
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:10::2 soft in
wr
Router 13 In
config t
ipv6 prefix-list IPV6-ISP-PREFIX seq 10 permit ::/0
ipv6 prefix-list IPV6-ISP-PREFIX seq 15 permit 2406:6400::/32
ipv6 prefix-list IPV6-AGGREGATION-IN seq 20 permit ::/0 ge 32 le 32
ipv6 prefix-list IPV6-AGGREGATION-IN seq 25 permit ::/0 ge 48 le 48
ip as-path access-list 100 permit _17821$
ip as-path access-list 101 permit _17821_
route-map IPV6-ISP-IN permit 10
match as-path 100
match ipv6 address prefix-list IPV6-ISP-PREFIX
route-map IPV6-ISP-IN permit 20
match as-path 101
match ipv6 address prefix-list IPV6-AGGREGATION-IN
8
APNIC Network Security Workshop Lab [v1.0]
exit
router bgp 65001
address-family ipv6
neighbor 2406:6400:10::1 route-map IPV6-ISP-IN in
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:10::1 soft in
wr
Router 13 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX-OUT seq 15 permit 2406:6400:8000::/48
ip as-path access-list 200 permit ^$
route-map IPV6-MY-PREFIX-OUT permit 10
match as-path 200
match ipv6 address prefix-list IPV6-MY-PREFIX-OUT
exit
router bgp 65001
address-family ipv6
neighbor 2406:6400:10::1 route-map IPV6-MY-PREFIX-OUT out
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:10::1 soft out
wr
Router 3 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX seq 15 permit 2406:6400::/32
ipv6 prefix-list IPV6-CUSTOMER-OUT seq 20 permit ::/0 ge 32 le 32
ipv6 prefix-list IPV6-CUSTOMER-OUT seq 25 permit ::/0 ge 48 le 48
ip as-path access-list 100 permit ^$
ip as-path access-list 101 permit ^[0-9]+$
route-map IPV6-CUSTOMER-OUT permit 10
match as-path 100
match ipv6 address prefix-list IPV6-MY-PREFIX
route-map IPV6-CUSTOMER-OUT permit 20
match as-path 101
match ipv6 address prefix-list IPV6-CUSTOMER-OUT
exit
router bgp 17821
address-family ipv6
neighbor IPV6-eBGP-CUSTOMER-REG1-POP2 route-map IPV6-CUSTOMER-OUT out
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:14::2 soft out
wr
9 ©APNIC
Created: 02 May 2013
Updated: 02 May 2013
Wednesday, May 20, 2015
Router 3 In
config t
ipv6 prefix-list IPV6-CBR1-IN seq 15 permit 2406:6400:9800::/48
ip as-path access-list 500 permit _65002$
route-map IPV6-CUST-CBR1-IN permit 10
match as-path 500
match ipv6 address prefix-list IPV6-CBR1-IN
exit
router bgp 17821
address-family ipv6
neighbor 2406:6400:14::2 route-map IPV6-CUST-CBR1-IN in
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:14::2 soft in
wr
Router 14 In
config t
ipv6 prefix-list IPV6-ISP-PREFIX seq 10 permit ::/0
ipv6 prefix-list IPV6-ISP-PREFIX seq 15 permit 2406:6400::/32
ipv6 prefix-list IPV6-AGGREGATION-IN seq 20 permit ::/0 ge 32 le 32
ipv6 prefix-list IPV6-AGGREGATION-IN seq 25 permit ::/0 ge 48 le 48
ip as-path access-list 100 permit _17821$
ip as-path access-list 101 permit _17821_
route-map IPV6-ISP-IN permit 10
match as-path 100
match ipv6 address prefix-list IPV6-ISP-PREFIX
route-map IPV6-ISP-IN permit 20
match as-path 101
match ipv6 address prefix-list IPV6-AGGREGATION-IN
exit
router bgp 65002
address-family ipv6
neighbor 2406:6400:14::1 route-map IPV6-ISP-IN in
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:14::1 soft in
wr
Router 14 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX-OUT seq 15 permit 2406:6400:9800::/48
ip as-path access-list 200 permit ^$
route-map IPV6-MY-PREFIX-OUT permit 10
match as-path 200
match ipv6 address prefix-list IPV6-MY-PREFIX-OUT
exit
router bgp 65002
address-family ipv6
neighbor 2406:6400:14::1 route-map IPV6-MY-PREFIX-OUT out
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:14::1 soft out
wr
10
APNIC Network Security Workshop Lab [v1.0]
Router 4 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX seq 15 permit 2406:6400::/32
ipv6 prefix-list IPV6-CUSTOMER-OUT seq 20 permit ::/0 ge 32 le 32
ipv6 prefix-list IPV6-CUSTOMER-OUT seq 25 permit ::/0 ge 48 le 48
ip as-path access-list 100 permit ^$
ip as-path access-list 101 permit ^[0-9]+$
route-map IPV6-CUSTOMER-OUT permit 10
match as-path 100
match ipv6 address prefix-list IPV6-MY-PREFIX
route-map IPV6-CUSTOMER-OUT permit 20
match as-path 101
match ipv6 address prefix-list IPV6-CUSTOMER-OUT
exit
router bgp 17821
address-family ipv6
neighbor IPV6-eBGP-CUSTOMER-REG2-POP1 route-map IPV6-CUSTOMER-OUT out
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:18::2 soft out
wr
Router 4 In
config t
ipv6 prefix-list IPV6-CAR2-IN seq 15 permit 2406:6400:a000::/48
ip as-path access-list 500 permit _65003$
route-map IPV6-CUST-CAR2-IN permit 10
match as-path 500
match ipv6 address prefix-list IPV6-CAR2-IN
exit
router bgp 17821
address-family ipv6
neighbor 2406:6400:18::2 route-map IPV6-CUST-CAR2-IN in
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:18::2 soft in
wr
Router 15 In
config t
ipv6 prefix-list IPV6-ISP-PREFIX seq 10 permit ::/0
ipv6 prefix-list IPV6-ISP-PREFIX seq 15 permit 2406:6400::/32
ipv6 prefix-list IPV6-AGGREGATION-IN seq 20 permit ::/0 ge 32 le 32
ipv6 prefix-list IPV6-AGGREGATION-IN seq 25 permit ::/0 ge 48 le 48
ip as-path access-list 100 permit _17821$
ip as-path access-list 101 permit _17821_
route-map IPV6-ISP-IN permit 10
match as-path 100
match ipv6 address prefix-list IPV6-ISP-PREFIX
route-map IPV6-ISP-IN permit 20
match as-path 101
match ipv6 address prefix-list IPV6-AGGREGATION-IN
exit
11 ©APNIC
Created: 02 May 2013
Updated: 02 May 2013
Wednesday, May 20, 2015
Router 15 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX-OUT seq 15 permit 2406:6400:a000::/48
ip as-path access-list 200 permit ^$
route-map IPV6-MY-PREFIX-OUT permit 10
match as-path 200
match ipv6 address prefix-list IPV6-MY-PREFIX-OUT
exit
router bgp 65003
address-family ipv6
neighbor 2406:6400:18::1 route-map IPV6-MY-PREFIX-OUT out
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:18::1 soft out
wr
Router 6 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX seq 15 permit 2406:6400::/32
ipv6 prefix-list IPV6-CUSTOMER-OUT seq 20 permit ::/0 ge 32 le 32
ipv6 prefix-list IPV6-CUSTOMER-OUT seq 25 permit ::/0 ge 48 le 48
ip as-path access-list 100 permit ^$
ip as-path access-list 101 permit ^[0-9]+$
route-map IPV6-CUSTOMER-OUT permit 10
match as-path 100
match ipv6 address prefix-list IPV6-MY-PREFIX
route-map IPV6-CUSTOMER-OUT permit 20
match as-path 101
match ipv6 address prefix-list IPV6-CUSTOMER-OUT
exit
router bgp 17821
address-family ipv6
neighbor IPV6-eBGP-CUSTOMER-REG2-POP2 route-map IPV6-CUSTOMER-OUT out
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:1c::2 soft out
wr
Router 6 In
config t
ipv6 prefix-list IPV6-CBR2-IN seq 15 permit 2406:6400:b800::/48
ip as-path access-list 500 permit _65004$
route-map IPV6-CUST-CBR2-IN permit 10
match as-path 500
12
APNIC Network Security Workshop Lab [v1.0]
Router 16 In
config t
ipv6 prefix-list IPV6-ISP-PREFIX seq 10 permit ::/0
ipv6 prefix-list IPV6-ISP-PREFIX seq 15 permit 2406:6400::/32
ipv6 prefix-list IPV6-AGGREGATION-IN seq 20 permit ::/0 ge 32 le 32
ipv6 prefix-list IPV6-AGGREGATION-IN seq 25 permit ::/0 ge 48 le 48
ip as-path access-list 100 permit _17821$
ip as-path access-list 101 permit _17821_
route-map IPV6-ISP-IN permit 10
match as-path 100
match ipv6 address prefix-list IPV6-ISP-PREFIX
route-map IPV6-ISP-IN permit 20
match as-path 101
match ipv6 address prefix-list IPV6-AGGREGATION-IN
exit
router bgp 65004
address-family ipv6
neighbor 2406:6400:1c::1 route-map IPV6-ISP-IN in
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:1c::1 soft in
wr
Router 16 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX-OUT seq 15 permit 2406:6400:b800::/48
ip as-path access-list 200 permit ^$
route-map IPV6-MY-PREFIX-OUT permit 10
match as-path 200
match ipv6 address prefix-list IPV6-MY-PREFIX-OUT
exit
router bgp 65004
address-family ipv6
neighbor 2406:6400:1c::1 route-map IPV6-MY-PREFIX-OUT out
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:1c::1 soft out
wr
13 ©APNIC
Created: 02 May 2013
Updated: 02 May 2013
Wednesday, May 20, 2015
Router 7 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX seq 15 permit 2406:6400::/32
ipv6 prefix-list IPV6-CUSTOMER-OUT seq 20 permit ::/0 ge 32 le 32
ipv6 prefix-list IPV6-CUSTOMER-OUT seq 25 permit ::/0 ge 48 le 48
ip as-path access-list 100 permit ^$
ip as-path access-list 101 permit ^[0-9]+$
route-map IPV6-CUSTOMER-OUT permit 10
match as-path 100
match ipv6 address prefix-list IPV6-MY-PREFIX
route-map IPV6-CUSTOMER-OUT permit 20
match as-path 101
match ipv6 address prefix-list IPV6-CUSTOMER-OUT
exit
router bgp 17821
address-family ipv6
neighbor IPV6-eBGP-CUSTOMER-REG3-POP1 route-map IPV6-CUSTOMER-OUT out
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:20::2 soft out
wr
Router 7 In
config t
ipv6 prefix-list IPV6-CAR3-IN seq 15 permit 2406:6400:c000::/48
ip as-path access-list 500 permit _65005$
route-map IPV6-CUST-CAR3-IN permit 10
match as-path 500
match ipv6 address prefix-list IPV6-CAR3-IN
exit
router bgp 17821
address-family ipv6
neighbor 2406:6400:20::2 route-map IPV6-CUST-CAR3-IN in
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:20::2 soft in
wr
Router 17 In
config t
ipv6 prefix-list IPV6-ISP-PREFIX seq 10 permit ::/0
ipv6 prefix-list IPV6-ISP-PREFIX seq 15 permit 2406:6400::/32
ipv6 prefix-list IPV6-AGGREGATION-IN seq 20 permit ::/0 ge 32 le 32
ipv6 prefix-list IPV6-AGGREGATION-IN seq 25 permit ::/0 ge 48 le 48
ip as-path access-list 100 permit _17821$
ip as-path access-list 101 permit _17821_
route-map IPV6-ISP-IN permit 10
match as-path 100
match ipv6 address prefix-list IPV6-ISP-PREFIX
route-map IPV6-ISP-IN permit 20
match as-path 101
match ipv6 address prefix-list IPV6-AGGREGATION-IN
exit
14
APNIC Network Security Workshop Lab [v1.0]
Router 17 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX-OUT seq 15 permit 2406:6400:C000::/48
ip as-path access-list 200 permit ^$
route-map IPV6-MY-PREFIX-OUT permit 10
match as-path 200
match ipv6 address prefix-list IPV6-MY-PREFIX-OUT
exit
router bgp 65005
address-family ipv6
neighbor 2406:6400:20::1 route-map IPV6-MY-PREFIX-OUT out
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:20::1 soft out
wr
Router 9 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX seq 15 permit 2406:6400::/32
ipv6 prefix-list IPV6-CUSTOMER-OUT seq 20 permit ::/0 ge 32 le 32
ipv6 prefix-list IPV6-CUSTOMER-OUT seq 25 permit ::/0 ge 48 le 48
ip as-path access-list 100 permit ^$
ip as-path access-list 101 permit ^[0-9]+$
route-map IPV6-CUSTOMER-OUT permit 10
match as-path 100
match ipv6 address prefix-list IPV6-MY-PREFIX
route-map IPV6-CUSTOMER-OUT permit 20
match as-path 101
match ipv6 address prefix-list IPV6-CUSTOMER-OUT
exit
router bgp 17821
address-family ipv6
neighbor IPV6-eBGP-CUSTOMER-REG3-POP2 route-map IPV6-CUSTOMER-OUT out
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:24::2 soft out
wr
15 ©APNIC
Created: 02 May 2013
Updated: 02 May 2013
Wednesday, May 20, 2015
Router 9 In
config t
ipv6 prefix-list IPV6-CBR3-IN seq 15 permit 2406:6400:d800::/48
ip as-path access-list 500 permit _65006$
route-map IPV6-CUST-CBR3-IN permit 10
match as-path 500
match ipv6 address prefix-list IPV6-CBR3-IN
exit
router bgp 17821
address-family ipv6
neighbor 2406:6400:24::2 route-map IPV6-CUST-CBR3-IN in
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:24::2 soft in
wr
Router 18 In
config t
ipv6 prefix-list IPV6-ISP-PREFIX seq 10 permit ::/0
ipv6 prefix-list IPV6-ISP-PREFIX seq 15 permit 2406:6400::/32
ipv6 prefix-list IPV6-AGGREGATION-IN seq 20 permit ::/0 ge 32 le 32
ipv6 prefix-list IPV6-AGGREGATION-IN seq 25 permit ::/0 ge 48 le 48
ip as-path access-list 100 permit _17821$
ip as-path access-list 101 permit _17821_
route-map IPV6-ISP-IN permit 10
match as-path 100
match ipv6 address prefix-list IPV6-ISP-PREFIX
route-map IPV6-ISP-IN permit 20
match as-path 101
match ipv6 address prefix-list IPV6-AGGREGATION-IN
exit
router bgp 65006
address-family ipv6
neighbor 2406:6400:24::1 route-map IPV6-ISP-IN in
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:24::1 soft in
wr
Router 18 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX-OUT seq 15 permit 2406:6400:d800::/48
ip as-path access-list 200 permit ^$
route-map IPV6-MY-PREFIX-OUT permit 10
match as-path 200
match ipv6 address prefix-list IPV6-MY-PREFIX-OUT
exit
router bgp 65006
address-family ipv6
neighbor 2406:6400:24::1 route-map IPV6-MY-PREFIX-OUT out
exit
exit
exit
16
APNIC Network Security Workshop Lab [v1.0]
Router 10 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX seq 15 permit 2406:6400::/32
ipv6 prefix-list IPV6-CUSTOMER-OUT seq 20 permit ::/0 ge 32 le 32
ipv6 prefix-list IPV6-CUSTOMER-OUT seq 25 permit ::/0 ge 48 le 48
ip as-path access-list 100 permit ^$
ip as-path access-list 101 permit ^[0-9]+$
route-map IPV6-CUSTOMER-OUT permit 10
match as-path 100
match ipv6 address prefix-list IPV6-MY-PREFIX
route-map IPV6-CUSTOMER-OUT permit 20
match as-path 101
match ipv6 address prefix-list IPV6-CUSTOMER-OUT
exit
router bgp 17821
address-family ipv6
neighbor IPV6-eBGP-CUSTOMER-REG4-POP1 route-map IPV6-CUSTOMER-OUT out
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:28::2 soft out
wr
Router 10 In
config t
ipv6 prefix-list IPV6-CBR1-IN seq 15 permit 2406:6400:e000::/48
ip as-path access-list 500 permit _65007$
route-map IPV6-CUST-CAR4-IN permit 10
match as-path 500
match ipv6 address prefix-list IPV6-CAR4-IN
exit
router bgp 17821
address-family ipv6
neighbor IPV6-eBGP-CUSTOMER-REG4-POP1 route-map IPV6-CUST-CAR4-IN in
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:28::2 soft in
wr
Router 19 In
config t
ipv6 prefix-list IPV6-ISP-PREFIX seq 10 permit ::/0
ipv6 prefix-list IPV6-ISP-PREFIX seq 15 permit 2406:6400::/32
ipv6 prefix-list IPV6-AGGREGATION-IN seq 20 permit ::/0 ge 32 le 32
ipv6 prefix-list IPV6-AGGREGATION-IN seq 25 permit ::/0 ge 48 le 48
ip as-path access-list 100 permit _17821$
ip as-path access-list 101 permit _17821_
route-map IPV6-ISP-IN permit 10
match as-path 100
match ipv6 address prefix-list IPV6-ISP-PREFIX
route-map IPV6-ISP-IN permit 20
17 ©APNIC
Created: 02 May 2013
Updated: 02 May 2013
Wednesday, May 20, 2015
Router 19 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX-OUT seq 15 permit 2406:6400:e000::/48
ip as-path access-list 200 permit ^$
route-map IPV6-MY-PREFIX-OUT permit 10
match as-path 200
match ipv6 address prefix-list IPV6-MY-PREFIX-OUT
exit
router bgp 65007
address-family ipv6
neighbor 2406:6400:28::1 route-map IPV6-MY-PREFIX-OUT out
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:28::1 soft out
wr
Router 12 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX seq 15 permit 2406:6400::/32
ipv6 prefix-list IPV6-CUSTOMER-OUT seq 20 permit ::/0 ge 32 le 32
ipv6 prefix-list IPV6-CUSTOMER-OUT seq 25 permit ::/0 ge 48 le 48
ip as-path access-list 100 permit ^$
ip as-path access-list 101 permit ^[0-9]+$
route-map IPV6-CUSTOMER-OUT permit 10
match as-path 100
match ipv6 address prefix-list IPV6-MY-PREFIX
route-map IPV6-CUSTOMER-OUT permit 20
match as-path 101
match ipv6 address prefix-list IPV6-CUSTOMER-OUT
exit
router bgp 17821
address-family ipv6
neighbor IPV6-eBGP-CUSTOMER-REG4-POP2 route-map IPV6-CUSTOMER-OUT out
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:2c::2 soft out
wr
18
APNIC Network Security Workshop Lab [v1.0]
Router 12 In
config t
ipv6 prefix-list IPV6-CBR1-IN seq 15 permit 2406:6400:f800::/48
ip as-path access-list 500 permit _65008$
route-map IPV6-CUST-CBR4-IN permit 10
match as-path 500
match ipv6 address prefix-list IPV6-CBR4-IN
exit
router bgp 17821
address-family ipv6
neighbor 2406:6400:2c::2 route-map IPV6-CUST-CBR4-IN in
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:2c::2 soft in
wr
Router 20 In
config t
ipv6 prefix-list IPV6-ISP-PREFIX seq 10 permit ::/0
ipv6 prefix-list IPV6-ISP-PREFIX seq 15 permit 2406:6400::/32
ipv6 prefix-list IPV6-AGGREGATION-IN seq 20 permit ::/0 ge 32 le 32
ipv6 prefix-list IPV6-AGGREGATION-IN seq 25 permit ::/0 ge 48 le 48
ip as-path access-list 100 permit _17821$
ip as-path access-list 101 permit _17821_
route-map IPV6-ISP-IN permit 10
match as-path 100
match ipv6 address prefix-list IPV6-ISP-PREFIX
route-map IPV6-ISP-IN permit 20
match as-path 101
match ipv6 address prefix-list IPV6-AGGREGATION-IN
exit
router bgp 65008
address-family ipv6
neighbor 2406:6400:2c::1 route-map IPV6-ISP-IN in
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:2c::1 soft in
wr
Router 20 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX-OUT seq 15 permit 2406:6400:f800::/48
ip as-path access-list 200 permit ^$
route-map IPV6-MY-PREFIX-OUT permit 10
match as-path 200
match ipv6 address prefix-list IPV6-MY-PREFIX-OUT
exit
router bgp 65008
address-family ipv6
neighbor 2406:6400:2c::1 route-map IPV6-MY-PREFIX-OUT out
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:2c::1 soft out
wr
19 ©APNIC
Created: 02 May 2013
Updated: 02 May 2013