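--- a/howto/vyos.md
+++ b/howto/vyos.md
@@ -151,5 +151,66 @@ set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-
 set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA
 ```
 
-
+## Example Route Map
+### No RPKI/ROA and Internal Network Falls Into DN42 Range
+```
+##Build prefix list to match personal internal network
+set policy prefix-list BlockIPConflicts description 'Prevent Conflicting Routes'
+set policy prefix-list BlockIPConflicts rule 10 action 'permit'
+set policy prefix-list BlockIPConflicts rule 10 description 'Internal IP Space'
+set policy prefix-list BlockIPConflicts rule 10 le '32'
+set policy prefix-list BlockIPConflicts rule 10 prefix '10.10.0.0/16'
+
+
+##Build prefix list to match personal internal network
+set policy prefix-list6 BlockIPConflicts-v6 description 'Prevent Conflicting Routes'
+set policy prefix-list6 BlockIPConflicts-v6 rule 10 action 'permit'
+set policy prefix-list6 BlockIPConflicts-v6 rule 10 description 'Internal IP Space'
+set policy prefix-list6 BlockIPConflicts-v6 rule 10 le '128'
+set policy prefix-list6 BlockIPConflicts-v6 rule 10 prefix 'fd42:4242:1111::/48'
+
+
+
+##Build prefix list to match DN42's IPv4 network
+set policy prefix-list DN42-Network rule 10 action 'permit'
+set policy prefix-list DN42-Network rule 10 le '32'
+set policy prefix-list DN42-Network rule 10 prefix '172.20.0.0/14'
+set policy prefix-list DN42-Network rule 20 action 'permit'
+set policy prefix-list DN42-Network rule 20 le '32'
+set policy prefix-list DN42-Network rule 20 prefix '10.0.0.0/8'
+
+
+##Build prefix list to match DN42's IPv6 network
+set policy prefix-list6 DN42-Network-v6 rule 10 action 'permit'
+set policy prefix-list6 DN42-Network-v6 rule 10 le '128'
+set policy prefix-list6 DN42-Network-v6 rule 10 prefix 'fd00::/8'
+
+
+
+
+##Block prefixes within internal network range, then allow everything else within DN42, then block everything else.
+set policy route-map Default-Peering rule 10 action 'deny'
+set policy route-map Default-Peering rule 10 description 'Prevent IP Conflicts'
+set policy route-map Default-Peering rule 10 match ip address prefix-list 'BlockIPConflicts'
+set policy route-map Default-Peering rule 11 action 'deny'
+set policy route-map Default-Peering rule 11 description 'Prevent IP Conflicts'
+set policy route-map Default-Peering rule 11 match ip address prefix-list6 'BlockIPConflicts-v6'
+set policy route-map Default-Peering rule 20 action 'permit'
+set policy route-map Default-Peering rule 20 description 'Allow DN42-Network'
+set policy route-map Default-Peering rule 20 match ip address prefix-list 'DN42-Network-Network'
+set policy route-map Default-Peering rule 21 action 'permit'
+set policy route-map Default-Peering rule 21 description 'Allow DN42-Network'
+set policy route-map Default-Peering rule 21 match ip address prefix-list6 'DN42-Network-Network-v6'
+set policy route-map Default-Peering rule 99 action 'deny'
+
+
+##Apply the route-map on import/export
+
+set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv4-unicast route-map export 'Default-Peering'
+set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv4-unicast route-map import 'Default-Peering'
+set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv6-unicast route-map export 'Default-Peering'
+set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv6-unicast route-map import 'Default-Peering'
+```
+
+
 This page is a work-in-progress by Owens Research. If you have any suggestions or questions please reach out.
\ No newline at end of file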
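Review bot: Rules 20 and 21 of `Default-Peering` match prefix lists named `DN42-Network-Network` and `DN42-Network-Network-v6`, but the lists defined earlier in the same block are `DN42-Network` and `DN42-Network-v6`. As written the permit rules point at lists that do not exist, so the filter cannot behave the way the "allow everything else within DN42" comment describes; the names should be `'DN42-Network'` and `'DN42-Network-v6'`. Rules 11 and 21 also use `match ip address prefix-list6`, whereas I believe the VyOS form for IPv6 is `match ipv6 address prefix-list '<name>'`; this is worth checking against the target VyOS release, because an IPv6 deny rule that never matches leaves the internal /48 unprotected. The apply lines hard-code AS `4242421099` while the earlier examples use the `424242XXXX` placeholder, so a reader pasting the block would configure someone else's ASN.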