Examples for configuring a Cisco, Juniper, or Zebra router as an IPv4 Route-Views-like route server.
Cisco -
ip bgp-community new-format
!
ip classless
ip subnet-zero
ip multicast-routing
!
interface FastEthernet0/0
 no ip redirects
!
router bgp <ASN>
 bgp log-neighbor-changes
 bgp dampening
 no auto-summary
 no sync
 neighbor mcast-ebgp peer-group nlri unicast multicast
 neighbor mcast-ebgp ebgp-multihop 255
 neighbor mcast-ebgp update-source FastEthernet0/0
 neighbor mcast-ebgp next-hop-self
 neighbor mcast-ebgp distribute-list 100 out
 neighbor mcast-ebgp route-map set-nexthop in
 !
 neighbor <peer ip> remote-as <peer AS>
 neighbor <peer ip> peer-group mcast-ebgp
 neighbor <peer ip> description <peer name>
!
ip route 0.0.0.0 0.0.0.0 <default-gw>
ip route <peer ip> 255.255.255.255 <default-gw>
!
access-list 100 deny ip any any
!
route-map set-nexthop permit 10
 set ip next-hop peer-address
!
line vty 0 4
 session-timeout 20 output
 exec-timeout 5 0
 timeout login response 0
 logging synchronous
 no login
end
Miscellaneous:
snmp-server community RO
no ip http server
Juniper -
system {
    no-redirects;
    host-name <router hostname>;
    root-authentication {
        encrypted-password "XXXX";
    }
    login {
        message "\n\n Login as user rviews and password rviews\n\n";
        class rviews {
            permissions [ network view ];
            deny-commands "(file|ftp|ping .*rapid|request|junos-script|show (arp|config|pfe|system)|test)";
        }
        user rviews {
            uid 2001;
            class rviews;
            authentication {
                encrypted-password "XXXXX";
            }
        }
    }
    services {
        ssh;
        telnet;
    }
}
routing-options {
    rib inet6.0 {
        static {
            route ::/0 next-hop 2001::XXXX;
        }
    }
    static {
        route 0.0.0.0/0 next-hop A.B.C.D;
    }
    interface-routes {
        rib-group inet if-rib;
    }
    rib-groups {
        if-rib {
            import-rib [ inet.0 inet.2 ];
        }
    }
    autonomous-system <ASN>;
}
protocols {
    bgp {
        log-updown;
        group v4 {
            type external;
            description "v4 uni/multicast peers";
            multihop {
                ttl 255;
            }
            damping;
            import [ graded-flap-dampening set-nexthop final ];
            family inet {
                unicast;
                multicast;
            }
            export [ nothing ];
            local-as <ASN>;
            neighbor <peer ip> {
                description "<peer name>";
                peer-as <peer ASN>;
                local-address <router interface ip>;
            }
        }
        group v6 {
            type external;
            description "v6 uni/multicast peers";
            multihop {
                ttl 255;
            }
            damping;
            import [ graded-flap-dampening set-nexthop final ];
            family inet6 {
                unicast;
                multicast;
            }
            export [ nothing ];
            local-as <ASN>;
            neighbor <peer v6 ip> {
                description "<peer name>";
                peer-as <peer ASN>;
                local-address <router interface v6 ip>;
            }
        }
    }
}
policy-options {
    prefix-list golden-networks {
        128.8.0.0/16;
        128.9.0.0/16;
        128.63.0.0/16;
        192.5.4.0/23;
        192.5.6.0/24;
        192.12.94.0/24;
        192.26.92.0/24;
        192.31.80.0/24;
        192.33.4.0/24;
        192.35.51.0/24;
        192.36.144.0/24;
        192.36.148.0/24;
        192.41.162.0/24;
        192.42.93.0/24;
        192.112.36.0/24;
        192.203.230.0/24;
        193.0.14.0/24;
        198.32.64.0/24;
        198.41.0.0/24;
        202.12.27.0/24;
        202.153.112.0/20;
        203.181.96.0/19;
        210.132.96.0/19;
        213.177.192.0/21;
    }
    policy-statement nothing {
        then reject;
    }
    policy-statement graded-flap-dampening {
        term exclude {
            from {
                prefix-list golden-networks;
            }
            then {
                damping set-none;
                next policy;
            }
        }
        from {
            route-filter 0.0.0.0/0 upto /21 damping set-normal;
            route-filter 0.0.0.0/0 upto /23 damping set-medium;
            route-filter 0.0.0.0/0 orlonger damping set-high;
        }
        then next policy;
    }
    policy-statement final {
        then accept;
    }
    policy-statement set-nexthop {
        then {
            next-hop peer-address;
            next policy;
        }
    }
    damping set-none {
        disable;
    }
    damping set-normal {
        half-life 10;
        reuse 3000;
        suppress 6000;
        max-suppress 30;
    }
    damping set-medium {
        half-life 15;
        reuse 1500;
        suppress 6000;
        max-suppress 45;
    }
    damping set-high {
        half-life 30;
        reuse 1640;
        suppress 6000;
        max-suppress 60;
    }
}
Miscellaneous:
juniper> start shell
% su
% chgrp field /tmp /var/tmp /var/tmp/vi.recover
% chmod 1775 /tmp /var/tmp /var/tmp/vi.recover
% cd /var/home
% rm -rf <anon-user>
% ln -s /var/tmp <anon-user>
Then edit /etc/rc and add the following to the end, just before the date command.
#
# make sure permissions are tight on /tmp and /var/tmp
#
echo "Fixing permissions on /tmp, /var/tmp, and /var/tmp/vi.recover"
chgrp field /tmp /var/tmp /var/tmp/vi.recover
chmod 1775 /tmp /var/tmp /var/tmp/vi.recover
Note: this does not prevent transfer of files which are readable by "others" from the router.
Zebra -
!
service password-encryption
enable password <router password>
!
hostname <router hostname>
!
route-map nothing deny 1
!
router bgp <ASN>
 bgp router-id <router interface ip>
 !
 neighbor <peer ip> remote-as <peer ASN>
 neighbor <peer ip> activate
 neighbor <peer ip> ebgp-multihop 255
 neighbor <peer ip> update-source <router interface ip>
 neighbor <peer ip> route-map nothing out
 neighbor <peer ip> description <peer name>
 address-family ipv4 multicast
  neighbor <peer ip> activate
  neighbor <peer ip> route-map nothing out
 exit-address-family
!
! dump bgp information to MRT files
!
dump bgp updates /<path to storage>/%Y.%m/UPDATES/updates.%Y%m%d.%H%M 15m
dump bgp routes-mrt /<path to storage>/%Y.%m/RIBS/rib.%Y%m%d.%H%M 2h
!
! VTYs
!
line vty
 no login
 exec-timeout 10
 no exec-timeout
!
end
Miscellaneous:
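All three configurations above filter every outbound announcement (distribute-list 100 out on Cisco, export [ nothing ] on Juniper, route-map nothing out on Zebra), so the route server only listens to its peers. The Python audit below is an added example, not part of the original configurations: it checks IOS/Zebra-style text for peers that lack such a filter in any address family, and the sample config, addresses, ASNs and the peer-group name "collectors" are constructed.

```python
import re

# Constructed sample in IOS/Zebra syntax (documentation addresses, private ASNs).
SAMPLE = """\
route-map nothing deny 1
access-list 100 deny ip any any
router bgp 64512
 neighbor collectors peer-group
 neighbor collectors distribute-list 100 out
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 peer-group collectors
 neighbor 192.0.2.2 remote-as 64497
 neighbor 192.0.2.2 route-map nothing out
 address-family ipv4 multicast
 neighbor 192.0.2.2 activate
 exit-address-family
"""

def audit_outbound(config):
    """Map (neighbor, address-family) -> True if every outbound route is denied."""
    defined, permitting = set(), set()      # filters seen / filters with a permit entry
    group_of, active, out_policy = {}, set(), {}
    af = "ipv4 unicast"                     # family in effect outside address-family blocks
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"(access-list|route-map) (\S+) (permit|deny)\b.*", line):
            kind = "distribute-list" if m[1] == "access-list" else "route-map"
            defined.add((kind, m[2]))
            if m[3] == "permit":
                permitting.add((kind, m[2]))
        elif m := re.fullmatch(r"address-family (.+)", line):
            af = m[1]
        elif line == "exit-address-family":
            af = "ipv4 unicast"
        elif m := re.fullmatch(r"neighbor (\S+) (.+)", line):
            peer, rest = m[1], m[2].split()
            if rest[0] in ("remote-as", "activate"):
                active.add((peer, af))
            elif rest[0] == "peer-group" and len(rest) == 2:
                group_of[peer] = rest[1]    # membership, not the group definition
            elif rest[0] in ("distribute-list", "route-map") and rest[-1] == "out":
                out_policy.setdefault((peer, af), []).append((rest[0], rest[1]))
    result = {}
    for peer, fam in active:
        # A peer inherits the outbound filters of its peer-group, if any.
        policies = out_policy.get((peer, fam), []) + out_policy.get((group_of.get(peer), fam), [])
        # A filter blocks everything only if it exists and has no permit entry.
        result[(peer, fam)] = any(p in defined and p not in permitting for p in policies)
    return result

if __name__ == "__main__":
    for (peer, fam), blocked in sorted(audit_outbound(SAMPLE).items()):
        print(f"{peer:12} {fam:15} {'outbound denied' if blocked else 'MAY ANNOUNCE ROUTES'}")
```

In the constructed sample, 192.0.2.2 is activated for ipv4 multicast without an outbound filter there, which is the gap the audit reports.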