5-Sec Module 7 Route Map

APNIC Network Security Workshop Lab [v1.
0]
Module 7 – Securing Routing Policy Using Route Map

Objective: All the routers are pre-configured with basic interface, OSPF and BGP configuration
according to the following topology diagram. At this stage all POP routers are sending and
receiving every prefixes it learn from other peers to and from the CPE routers. Without any
policy filter lab network is acting as transit for all customer and upstream peers. You need to
create proper policy filter (Using route map) to make sure organizational business policy is
reflected into your configuration and that will secure your network to operate smoothly.
Prerequisites: Knowledge of Cisco router CLI, ACL, regular expression, IPv6 etc.
The following will be the common topology and IP address plan used for the labs.
DNS MAIL WWW DNS MAIL WWW
CPE Infra 172.16.0.0/23 172.16.2.0/23 Infra CPE

2406:6400:8000::/48
2406:6400:800::/39 2406:6400:a00::/39
2406:6400:a000::/48
172.16.11.0/30
172.16.16.0/23
2406:6400:10::/64 172.16.11.64/30
172.16.20.0/23
r13-CAR1 R1 R4 2406:6400:18::/64 r15-CAR2
11 22 11 65 1 2 66 11
fa0/0 fa0/1 fa0/0 e1/0 e1/0 fa0/0 fa0/1
fa0/0
2406:6400:e:10::/64
22 2 26
2406:6400:e::/64
172.16.10.24/30
91
172.16.10.0/30
lo 0 lo 0 1 33
e1/1
172.16.15.2/32 172.16.15.5/32
e1/1
2406:6400::2/128 2406:6400::5/128
lo 0
e1/3
lo 0 172.16.15.4/32
e1/3
e1/0
172.16.15.1/32
e1/0
2406:6400::4/128
2406:6400:e:12::/64
2406:6400:e:2::/64
11
11
2406:6400::1/128
R2
172.16.10.32/30
172.16.10.8/30
172.16.13.0/24 R5
11 2406:6400:3::/48 1 25
fa0/1 fa0/0 1 29
51
11
lo 0 22
2406:6400:e:11::/64
2406:6400:e:1::/64
22
172.16.15.3/32
11
lo 0
172.16.10.28/30
172.16.10.4/30
fa0/0
e1/1
e1/1
2406:6400::3/128 172.16.12.0/24
fa0/1
172.16.15.6/32
2406:6400:2::/48 2406:6400::6/128
2406:6400:9800::/48
e1/1
2406:6400:b800::/48
e1/1
172.16.18.0/23
172.16.22.0/23
2 34
r14-CBR1 10 2 R3 R6 r16-CBR2
fa0/2
fa0/5
11 11
fa0/1 e1/0 e1/0 fa0/0 fa0/1
fa0/0 fa0/0
fa0/0 62 97 1 2 98
34 2 1 33 2 30
172.16.11.32/30 172.16.11.96/30
2406:6400:14::/64 2406:6400:1c::/64
fa0/2 fa0/5
SW1 SW2
172.16.11.192/30
fa0/11 fa0/8
2406:6400:e000::/48
2406:6400:c000::/48
2406:6400:28::/64 172.16.11.128/30
172.16.28.0/23
172.16.24.0/23
r19-CAR4 R10 R7 2406:6400:20::/64 r17-CAR3
fa0/8
fa0/11
11 194 2 1 193 129 1 2 130 11

fa0/1 fa0/0 e1/0 e1/0 fa0/0 fa0/1
fa0/0 fa0/0
2406:6400:e:20::/64
2406:6400:e:30::/64
74 2 2 50
172.16.10.48/30
172.16.10.72/30
81 1 1 57
e1/1
e1/1
lo 0
fa0/0
fa0/1
lo 0 172.16.15.7/32
172.16.15.10/32
e1/0
2406:6400::7/128
33
e1/0
44
2406:6400::10/128
2406:6400:e:22::/64
R11
2406:6400:e:32::/64
R8
172.16.10.56/30
172.16.10.80/30
44 33
1 49
73 1 fa0/1 fa0/0 1 53
77 1
11
11
2406:6400:e:21::/64
2406:6400:e:31::/64
e1/1
e1/1
172.16.10.52/30
172.16.10.76/30
lo 0
e1/3
e1/3
lo 0
172.16.15.12/32 AS17821 172.16.15.9/32
2406:6400::12/128 2406:6400::9/128
lo 0 lo 0
e1/1
2406:6400:d800::/48
2406:6400:f800::/48
e1/1
172.16.15.11/32 172.16.15.8/32
172.16.26.0/23
172.16.30.0/23
2406:6400::11/128 2406:6400::8/128 2 58
r20-CBR4 82 2 R12 R9 r18-CBR3
11 11
fa0/1 fa0/0 e1/0 e1/0 fa0/0 fa0/1
fa0/0 226 2 1 225 2 162 fa0/0
78 2 2 54 161 1
172.16.11.224/30 172.16.11.160/30
2406:6400:2c::/64 2406:6400:24::/64
CPE Infra 172.16.6.0/23 172.16.4.0/23 Infra CPE
2406:6400:e00::/39 2406:6400:c00::/39
DNS MAIL WWW DNS MAIL WWW
Figure 1 – ISP Lab Basic Configuration
1 ©APNIC
Created: 02 May 2013
Updated: 02 May 2013
Wednesday, May 20, 2015
Lab Notes
All the required prefix filters need to be applied on to the edge routers. In our lab we need to create
filter on POP routers i.e. R1, R3, R4, R6, R7, R9, R10, R12 and CPE routers R13, R14, R15, R16,
R17, R18, R19, R20 for both IN and OUT direction. This is how we will secure our perimeter routers
(Both Service provider and Customer) by filtering unwanted prefixes and eventually unauthorised
traffic. There is a significant difference between filtering traffic using ACL (Data plane) and prefix list
(Control plane). Before you start configuring filters please check routing tables on both edge and CPE
routers and note down the available prefixes. Then look at the prefix exchange policy in next section,
configure required route map and verify the outcome by looking at the routing table again on both
POP and CPE routers.
It is advisable to spend some time (Before your start the lab) to be familiar with the network topology,
addressing plan, check routing table, BGP table, received and advertised prefix to all BGP peers etc.
Route Exchange Policy:

a. POP Router OUT
1. ISP send its own prefix & originated locally. Create ACL to match ISP prefix, create as-path access list
to match prefix originated locally.
2. ISP send other directly connected customer prefix & legitimate prefix length. Create prefix list to match
/32 and /48, create as path access list to match directly connected customer.
3. Group all policy in a route map with proper sequence number.
4. Attach it in POP router OUR direction
b. POP Router IN
1. ISP accepts its customer prefix & originated by the customer AS. Create ACL to match customer prefix,
create as-path access list to match prefix originated by customer AS.
2. Group those policy in a route map with proper sequence number.
3. Attach it in POP router IN direction
c. CEP Router IN
1. Customer router accepts default prefix from ISP & ISP own aggregated prefix. Create ACL to match
default prefix, ISP own aggregated.
2. Customer routers accept legitimate prefixes of ISP’s directly connected other customer prefix. Create
prefix list to match legitimate prefixes and as-path access list to match prefixes originated by ISP and ISP
directly connected customers.
4. Attach it in CEP router IN direction.
d. CEP Router OUT

1. Customer router send its own prefix & originated by its own AS number. Create ACL to match its own
prefix, and as-path access list to match prefix originated locally.
3. Attach it in CEP router OUT direction.
e. List of Prefixes and AS numbers

1. ISP Prefix: 2406:6400::/32
2. ISP AS number 17821
3. Customer prefixes and AS number: R13 2406:6400:8000::/48, AS 65001
R14 2406:6400:9800::/48, AS 65002
R15 2406:6400:a000::/48, AS 65003
R16 2406:6400:b800::/48, AS 65004
R17 2406:6400:c000::/48, AS 65005
R18 2406:6400:d800::/48, AS 65006
R19 2406:6400:e000::/48, AS 65007
R20 2406:6400:f800::/48, AS 65008
2
APNIC Network Security Workshop Lab [v1.0]
Lab Exercise
a) Configuration steps for POP router OUT:
1. IPv6 prefix list configuration on edge router to match ISP aggregated prefix.
Here is an example configuration for POP router R1

config t
ipv6 prefix-list IPV6-MY-PREFIX seq 15 permit 2406:6400::/32
2. IPv6 aggregation prefix filter to match /32 and /48 prefix length.
ipv6 prefix-list IPV6-CUSTOMER-OUT seq 20 permit ::/0 ge 32 le 32

3. AS path filter to match prefix originated locally to this AS.
ip as-path access-list 100 permit ^$
4. AS path filter to match prefix originated from direct connected customer using their AS
number.
ip as-path access-list 101 permit ^[0-9]+$
5. Create route-map to match ISP aggregated prefix and originated by ISP ASN.
route-map IPV6-CUSTOMER-OUT permit 10

match as-path 100
match ipv6 address prefix-list IPV6-MY-PREFIX
6. Create route-map to match aggregation filter and direct customer originated prefix

match as-path 101
match ipv6 address prefix-list IPV6-CUSTOMER-OUT
exit
3 ©APNIC
7. Add route-map to BGP neighbor or peer group
router bgp 17821

address-family ipv6
neighbor IPV6-eBGP-CUSTOMER-REG1-POP1 route-map IPV6-CUSTOMER-OUT out
exit
exit
exit
8. Send dynamic refresh to your BGP peer for the new policy to be activated.
clear bgp ipv6 unicast 2406:6400:10::2 soft out

wr
b) Configuration steps for POP router IN:
1. IPv6 prefix-list match customer prefix.

config t
ipv6 prefix-list IPV6-CAR1-IN seq 15 permit 2406:6400:8000::/48
2. AS path match customer AS number.
ip as-path access-list 500 permit _65001$
3. Create route-map to match customer prefix and customer origin AS..
route-map IPV6-CUST-CAR1-IN permit 10

match as-path 500
match ipv6 address prefix-list IPV6-CAR1-IN
exit
4. Add route-map to BGP neighbor.
router bgp 17821

address-family ipv6
neighbor 2406:6400:10::2 route-map IPV6-CUST-CAR1-IN in
exit
exit
exit
4
clear bgp ipv6 unicast 2406:6400:10::2 soft in

wr
c) Configuration steps for CPE router IN:
1. IPv6 prefix list configuration on CPE router to match default prefix and ISP aggregated
prefix.

config t
ipv6 prefix-list IPV6-ISP-PREFIX seq 10 permit ::/0
ipv6 prefix-list IPV6-ISP-PREFIX seq 15 permit 2406:6400::/32
2. IPv6 aggregation prefix filter to match /32 and /48 prefix length.
ipv6 prefix-list IPV6-AGGREGATION-IN seq 20 permit ::/0 ge 32 le 32

3. AS path filter to match prefix originated ISP and originated by ISP direct customer.

ip as-path access-list 101 permit _17821_
4. Create route-map to match ISP prefix and origin by ISP AS.
route-map IPV6-ISP-IN permit 10

match as-path 100
match ipv6 address prefix-list IPV6-ISP-PREFIX
5. Create route-map to match other prefix via ISP and with legitimate prefix length (/32 &
/48).

match as-path 101
match ipv6 address prefix-list IPV6-AGGREGATION-IN
exit
5 ©APNIC
router bgp 65001

address-family ipv6
neighbor 2406:6400:10::1 route-map IPV6-ISP-IN in
exit
exit
exit

wr
d) Configuration steps for CPE router OUT:
1. IPv6 prefix-list match customer prefix

config t
ipv6 prefix-list IPV6-MY-PREFIX-OUT seq 15 permit 2406:6400:8000::/48
2. AS path match customer AS number.
3. Create route-map to match customer prefix and customer origin AS.
route-map IPV6-MY-PREFIX-OUT permit 10

match as-path 200
match ipv6 address prefix-list IPV6-MY-PREFIX-OUT
exit
router bgp 65001

address-family ipv6
neighbor 2406:6400:10::1 route-map IPV6-MY-PREFIX-OUT out
exit
exit
exit
6

wr
7 ©APNIC
Workshop templates for reference purpose only:

Router 1 Out
config t
match as-path 100
match as-path 101
exit
router bgp 17821
address-family ipv6
exit
exit
exit
wr
Router 1 In
config t
ipv6 prefix-list IPV6-CAR1-IN seq 15 permit 2406:6400:8000::/48
match as-path 500
exit
router bgp 17821
address-family ipv6
exit
exit
exit
wr
Router 13 In
config t
match as-path 100
match as-path 101
8
exit
router bgp 65001
address-family ipv6
exit
exit
exit
wr
Router 13 Out
config t
match as-path 200
exit
router bgp 65001
address-family ipv6
exit
exit
exit
wr
Router 3 Out
config t
match as-path 100
match as-path 101
exit
router bgp 17821
address-family ipv6
exit
exit
exit
wr
9 ©APNIC
Router 3 In
config t
ipv6 prefix-list IPV6-CBR1-IN seq 15 permit 2406:6400:9800::/48
route-map IPV6-CUST-CBR1-IN permit 10
match as-path 500
match ipv6 address prefix-list IPV6-CBR1-IN
exit
router bgp 17821
address-family ipv6
neighbor 2406:6400:14::2 route-map IPV6-CUST-CBR1-IN in
exit
exit
exit
wr
Router 14 In
config t
match as-path 100
match as-path 101
exit
router bgp 65002
address-family ipv6
exit
exit
exit
wr
Router 14 Out
config t
match as-path 200
exit
router bgp 65002
address-family ipv6
exit
exit
exit
wr
10
Router 4 Out
config t
match as-path 100
match as-path 101
exit
router bgp 17821
address-family ipv6
exit
exit
exit
wr
Router 4 In
config t
ipv6 prefix-list IPV6-CAR2-IN seq 15 permit 2406:6400:a000::/48
match as-path 500
exit
router bgp 17821
address-family ipv6
exit
exit
exit
wr
Router 15 In
config t
match as-path 100
match as-path 101
exit
11 ©APNIC
router bgp 65003

address-family ipv6
exit
exit
exit
wr
Router 15 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX-OUT seq 15 permit 2406:6400:a000::/48
match as-path 200
exit
router bgp 65003
address-family ipv6
exit
exit
exit
wr
Router 6 Out
config t
match as-path 100
match as-path 101
exit
router bgp 17821
address-family ipv6
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:1c::2 soft out
wr
Router 6 In
config t
ipv6 prefix-list IPV6-CBR2-IN seq 15 permit 2406:6400:b800::/48
match as-path 500
12

exit
router bgp 17821
address-family ipv6
neighbor 2406:6400:1c::2 route-map IPV6-CUST-CBR2-IN in
exit
exit
exit
clear bgp ipv6 unicast 2406:6400:1c::2 soft in
wr
Router 16 In
config t
match as-path 100
match as-path 101
exit
router bgp 65004
address-family ipv6
neighbor 2406:6400:1c::1 route-map IPV6-ISP-IN in
exit
exit
exit
wr
Router 16 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX-OUT seq 15 permit 2406:6400:b800::/48
match as-path 200
exit
router bgp 65004
address-family ipv6
neighbor 2406:6400:1c::1 route-map IPV6-MY-PREFIX-OUT out
exit
exit
exit
wr
13 ©APNIC
Router 7 Out
config t
match as-path 100
match as-path 101
exit
router bgp 17821
address-family ipv6
exit
exit
exit
wr
Router 7 In
config t
ipv6 prefix-list IPV6-CAR3-IN seq 15 permit 2406:6400:c000::/48
match as-path 500
exit
router bgp 17821
address-family ipv6
exit
exit
exit
wr
Router 17 In
config t
match as-path 100
match as-path 101
exit
14
router bgp 65005

address-family ipv6
exit
exit
exit
wr
Router 17 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX-OUT seq 15 permit 2406:6400:C000::/48
match as-path 200
exit
router bgp 65005
address-family ipv6
exit
exit
exit
wr
Router 9 Out
config t
match as-path 100
match as-path 101
exit
router bgp 17821
address-family ipv6
exit
exit
exit
wr
15 ©APNIC
Router 9 In
config t
ipv6 prefix-list IPV6-CBR3-IN seq 15 permit 2406:6400:d800::/48
match as-path 500
exit
router bgp 17821
address-family ipv6
neighbor 2406:6400:24::2 route-map IPV6-CUST-CBR3-IN in
exit
exit
exit
wr
Router 18 In
config t
match as-path 100
match as-path 101
exit
router bgp 65006
address-family ipv6
exit
exit
exit
wr
Router 18 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX-OUT seq 15 permit 2406:6400:d800::/48
match as-path 200
exit
router bgp 65006
address-family ipv6
exit
exit
exit
16

wr
Router 10 Out
config t
match as-path 100
match as-path 101
exit
router bgp 17821
address-family ipv6
exit
exit
exit
wr
Router 10 In
config t
ipv6 prefix-list IPV6-CBR1-IN seq 15 permit 2406:6400:e000::/48
match as-path 500
exit
router bgp 17821
address-family ipv6
neighbor IPV6-eBGP-CUSTOMER-REG4-POP1 route-map IPV6-CUST-CAR4-IN in
exit
exit
exit
wr
Router 19 In
config t
match as-path 100
17 ©APNIC
match as-path 101

exit
router bgp 65007
address-family ipv6
exit
exit
exit
wr
Router 19 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX-OUT seq 15 permit 2406:6400:e000::/48
match as-path 200
exit
router bgp 65007
address-family ipv6
exit
exit
exit
wr
Router 12 Out
config t
match as-path 100
match as-path 101
exit
router bgp 17821
address-family ipv6
exit
exit
exit
wr
18
Router 12 In
config t
ipv6 prefix-list IPV6-CBR1-IN seq 15 permit 2406:6400:f800::/48
match as-path 500
exit
router bgp 17821
address-family ipv6
neighbor 2406:6400:2c::2 route-map IPV6-CUST-CBR4-IN in
exit
exit
exit
wr
Router 20 In
config t
match as-path 100
match as-path 101
exit
router bgp 65008
address-family ipv6
neighbor 2406:6400:2c::1 route-map IPV6-ISP-IN in
exit
exit
exit
wr
Router 20 Out
config t
ipv6 prefix-list IPV6-MY-PREFIX-OUT seq 15 permit 2406:6400:f800::/48
match as-path 200
exit
router bgp 65008
address-family ipv6
neighbor 2406:6400:2c::1 route-map IPV6-MY-PREFIX-OUT out
exit
exit
exit
wr
19 ©APNIC

5-Sec Module 7 Route Map

Enviado por

Dados do documento

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

5-Sec Module 7 Route Map

Enviado por

Direitos autorais:

Formatos disponíveis

APNIC Network Security Workshop Lab [v1.

Module 7 – Securing Routing Policy Using Route Map

DNS MAIL WWW DNS MAIL WWW

CPE Infra 172.16.0.0/23 172.16.2.0/23 Infra CPE

11 194 2 1 193 129 1 2 130 11

DNS MAIL WWW DNS MAIL WWW

Figure 1 – ISP Lab Basic Configuration

Route Exchange Policy:

d. CEP Router OUT

e. List of Prefixes and AS numbers

Here is an example configuration for POP router R1

Here is an example configuration for POP router R1

ipv6 prefix-list IPV6-CUSTOMER-OUT seq 20 permit ::/0 ge 32 le 32

3. AS path filter to match prefix originated locally to this AS.

Here is an example configuration for POP router R1

ip as-path access-list 100 permit ^$

Here is an example configuration for POP router R1

ip as-path access-list 101 permit ^[0-9]+$

Here is an example configuration for POP router R1

route-map IPV6-CUSTOMER-OUT permit 10

Here is an example configuration for POP router R1

route-map IPV6-CUSTOMER-OUT permit 20

7. Add route-map to BGP neighbor or peer group

Here is an example configuration for POP router R1

router bgp 17821

Here is an example configuration for POP router R1

clear bgp ipv6 unicast 2406:6400:10::2 soft out

b) Configuration steps for POP router IN:

1. IPv6 prefix-list match customer prefix.

Here is an example configuration for POP router R1

2. AS path match customer AS number.

Here is an example configuration for POP router R1

ip as-path access-list 500 permit _65001$

3. Create route-map to match customer prefix and customer origin AS..

Here is an example configuration for POP router R1

route-map IPV6-CUST-CAR1-IN permit 10

4. Add route-map to BGP neighbor.

Here is an example configuration for POP router R1

router bgp 17821

Here is an example configuration for POP router R13

clear bgp ipv6 unicast 2406:6400:10::2 soft in

c) Configuration steps for CPE router IN:

Here is an example configuration for POP router R13

Here is an example configuration for POP router R13

ipv6 prefix-list IPV6-AGGREGATION-IN seq 20 permit ::/0 ge 32 le 32

Here is an example configuration for POP router R13

ip as-path access-list 100 permit _17821$

4. Create route-map to match ISP prefix and origin by ISP AS.

Here is an example configuration for POP router R13

route-map IPV6-ISP-IN permit 10

Here is an example configuration for POP router R13

route-map IPV6-ISP-IN permit 20

6. Add route-map to BGP neighbor.

Here is an example configuration for POP router R13

router bgp 65001

Here is an example configuration for POP router R13

clear bgp ipv6 unicast 2406:6400:10::1 soft in

d) Configuration steps for CPE router OUT:

1. IPv6 prefix-list match customer prefix

Here is an example configuration for POP router R13

2. AS path match customer AS number.

Here is an example configuration for POP router R13

ip as-path access-list 200 permit ^$

3. Create route-map to match customer prefix and customer origin AS.