Examples for configuring a Cisco, Juniper, or FRR router as an IPv4 Route Views route server.
Cisco
ip bgp-community new-format
!
ip classless
ip subnet-zero
ip multicast-routing
!
interface FastEthernet0/0
no ip redirects
!
router bgp <ASN>
bgp log-neighbor-changes
bgp dampening
no auto-summary
no sync
neighbor mcast-ebgp peer-group nlri unicast multicast
neighbor mcast-ebgp ebgp-multihop 255
neighbor mcast-ebgp update-source FastEthernet0/0
neighbor mcast-ebgp next-hop-self
neighbor mcast-ebgp distribute-list 100 out
neighbor mcast-ebgp route-map set-nexthop in
!
neighbor <peer ip> remote-as <peer AS>
neighbor <peer ip> peer-group mcast-ebgp
neighbor <peer ip> description <peer name>
!
ip route 0.0.0.0 0.0.0.0 <default-gw>
ip route <peer ip> 255.255.255.255 <default-gw>
!
access-list 100 deny ip any any
!
route-map set-nexthop permit 10
set ip next-hop peer-address
!
line vty 0 4
session-timeout 20 output
exec-timeout 5 0
timeout login response 0
logging synchronous
no login
end
Miscellaneous:
- Extended ping can be abused for DoS attacks and should be disabled. By
default, logins have privilege level 1 (one). At privilege level 1,
extended ping is not allowed. It is not allowed until level 15, which
should NOT be given to anonymous logins!
- If the SNMP server is enabled, it should be protected with an access-list.
snmp-server community <community> RO <acl>
- If the image in use includes an HTTP server, disable it.
no ip http server
Juniper
system {
    no-redirects;
    host-name <router hostname>;
    root-authentication {
        encrypted-password "XXXX";
    }
    login {
        message "\n\n Login as user rviews and password rviews\n\n";
        class rviews {
            permissions [ network view ];
            deny-commands "(file|ftp|ping .*rapid|request|junos-script|show (arp|config|pfe|system)|test)";
        }
        user rviews {
            uid 2001;
            class rviews;
            authentication {
                encrypted-password "XXXXX";
            }
        }
    }
    services {
        ssh;
        telnet;
    }
}
routing-options {
    rib inet6.0 {
        static {
            route ::/0 next-hop 2001::XXXX;
        }
    }
    static {
        route 0.0.0.0/0 next-hop A.B.C.D;
    }
    interface-routes {
        rib-group inet if-rib;
    }
    rib-groups {
        if-rib {
            import-rib [ inet.0 inet.2 ];
        }
    }
    autonomous-system <ASN>;
}
protocols {
    bgp {
        log-updown;
        group v4 {
            type external;
            description "v4 uni/multicast peers";
            multihop {
                ttl 255;
            }
            damping;
            import [ graded-flap-dampening set-nexthop final ];
            family inet {
                unicast;
                multicast;
            }
            export [ nothing ];
            local-as <ASN>;
            neighbor <peer ip> {
                description "<peer name>";
                peer-as <peer ASN>;
                local-address <router interface ip>;
            }
        }
        group v6 {
            type external;
            description "v6 uni/multicast peers";
            multihop {
                ttl 255;
            }
            damping;
            import [ graded-flap-dampening set-nexthop final ];
            family inet6 {
                unicast;
                multicast;
            }
            export [ nothing ];
            local-as <ASN>;
            neighbor <peer v6 ip> {
                description "<peer name>";
                peer-as <peer ASN>;
                local-address <router interface v6 ip>;
            }
        }
    }
}
policy-options {
    prefix-list golden-networks {
        128.8.0.0/16;
        128.9.0.0/16;
        128.63.0.0/16;
        192.5.4.0/23;
        192.5.6.0/24;
        192.12.94.0/24;
        192.26.92.0/24;
        192.31.80.0/24;
        192.33.4.0/24;
        192.35.51.0/24;
        192.36.144.0/24;
        192.36.148.0/24;
        192.41.162.0/24;
        192.42.93.0/24;
        192.112.36.0/24;
        192.203.230.0/24;
        193.0.14.0/24;
        198.32.64.0/24;
        198.41.0.0/24;
        202.12.27.0/24;
        202.153.112.0/20;
        203.181.96.0/19;
        210.132.96.0/19;
        213.177.192.0/21;
    }
    policy-statement nothing {
        then reject;
    }
    policy-statement graded-flap-dampening {
        term exclude {
            from {
                prefix-list golden-networks;
            }
            then {
                damping set-none;
                next policy;
            }
        }
        from {
            route-filter 0.0.0.0/0 upto /21 damping set-normal;
            route-filter 0.0.0.0/0 upto /23 damping set-medium;
            route-filter 0.0.0.0/0 orlonger damping set-high;
        }
        then next policy;
    }
    policy-statement final {
        then accept;
    }
    policy-statement set-nexthop {
        then {
            next-hop peer-address;
            next policy;
        }
    }
    damping set-none {
        disable;
    }
    damping set-normal {
        half-life 10;
        reuse 3000;
        suppress 6000;
        max-suppress 30;
    }
    damping set-medium {
        half-life 15;
        reuse 1500;
        suppress 6000;
        max-suppress 45;
    }
    damping set-high {
        half-life 30;
        reuse 1640;
        suppress 6000;
        max-suppress 60;
    }
}
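To see what the graded-flap-dampening policy above actually does to a flapping route, here is an added worked model of it, not part of the Route Views page or of Junos. It assumes Junos' figure of 1000 penalty points per flap, a penalty ceiling of reuse * 2^(max-suppress / half-life) (which is what keeps a route from staying suppressed longer than max-suppress), and reads the three route-filters as "a route takes the tightest length band it fits": /21 and shorter get set-normal, /22 and /23 set-medium, longer set-high. Only a few of the page's golden prefixes are listed, and the prefix-list match is exact, as in the policy.

```python
"""Model of the graded flap damping in the Juniper example: profile choice
by prefix, then exponential penalty decay with suppress/reuse thresholds.
Added example with assumed constants (1000 per flap, ceiling from
max-suppress); not Junos' own implementation."""

import ipaddress
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Damping:
    name: str
    half_life: float     # minutes for the penalty to halve
    reuse: int           # route is reinstated once the penalty drops below this
    suppress: int        # route is suppressed once the penalty exceeds this
    max_suppress: float  # minutes: longest a route may stay suppressed

    @property
    def ceiling(self):
        # Assumed cap: a penalty this high decays to `reuse` in exactly max_suppress.
        return self.reuse * 2 ** (self.max_suppress / self.half_life)


# Values copied from the page's damping set-normal / set-medium / set-high.
SET_NORMAL = Damping("set-normal", 10, 3000, 6000, 30)
SET_MEDIUM = Damping("set-medium", 15, 1500, 6000, 45)
SET_HIGH = Damping("set-high", 30, 1640, 6000, 60)

# Subset of the page's golden-networks prefix-list (exempt: damping set-none).
GOLDEN = {ipaddress.ip_network(p) for p in (
    "128.8.0.0/16", "192.5.4.0/23", "193.0.14.0/24", "198.41.0.0/24")}


def damping_for(prefix):
    """Profile the import policy attaches to an IPv4 route; None means set-none."""
    net = ipaddress.ip_network(prefix)
    if net in GOLDEN:            # term exclude: prefix-list matches exact prefixes only
        return None
    if net.prefixlen <= 21:      # route-filter 0.0.0.0/0 upto /21 damping set-normal
        return SET_NORMAL
    if net.prefixlen <= 23:      # route-filter 0.0.0.0/0 upto /23 damping set-medium
        return SET_MEDIUM
    return SET_HIGH              # route-filter 0.0.0.0/0 orlonger damping set-high


class FlapHistory:
    """Penalty bookkeeping for one route under one profile.
    Times are minutes and must be supplied in non-decreasing order."""
    FLAP_PENALTY = 1000   # assumed: Junos adds 1000 per flap

    def __init__(self, profile):
        self.profile = profile
        self.penalty = 0.0
        self.last = 0.0
        self.suppressed = False

    def _decay(self, t):
        # The penalty halves every half_life minutes.
        self.penalty *= 0.5 ** ((t - self.last) / self.profile.half_life)
        self.last = t

    def _update_state(self):
        if self.penalty > self.profile.suppress:
            self.suppressed = True
        elif self.penalty < self.profile.reuse:
            self.suppressed = False

    def flap(self, t):
        """Record one withdraw/re-announce at time t."""
        self._decay(t)
        self.penalty = min(self.penalty + self.FLAP_PENALTY, self.profile.ceiling)
        self._update_state()

    def is_suppressed(self, t):
        self._decay(t)
        self._update_state()
        return self.suppressed

    def minutes_to_reuse(self):
        """Minutes after self.last until the penalty falls below reuse."""
        if self.penalty <= self.profile.reuse:
            return 0.0
        return self.profile.half_life * math.log2(self.penalty / self.profile.reuse)


def simulate(profile, flap_times, check_times):
    """Return {check_time: suppressed?} for a route flapping at flap_times."""
    events = sorted([(t, 0) for t in flap_times] + [(t, 1) for t in check_times])
    history, result = FlapHistory(profile), {}
    for t, kind in events:
        if kind == 0:
            history.flap(t)
        else:
            result[t] = history.is_suppressed(t)
    return result


if __name__ == "__main__":
    # Seven flaps in one minute: a /20 is back in ~12 minutes, a /24 in 60.
    print(simulate(damping_for("10.0.0.0/20"), [0] * 7, [12, 13]))
    print(simulate(damping_for("10.0.0.0/24"), [0] * 7, [59, 61]))
```

The contrast the model makes visible: with the same seven flaps, set-normal lets a short prefix back after about 12 minutes, while set-high pins a /24 to its full 60-minute max-suppress because the ceiling caps the penalty at 6560 and reuse is 1640.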
Miscellaneous:
- By default, if ssh or ftp are enabled and not filtered, the user configured
for anonymous access can use scp or ftp to save files to their home
directory and directories with write permissions for others (such as /tmp).
To avoid becoming a file relay, perform the following:
juniper> start shell
% su
% chgrp field /tmp /var/tmp /var/tmp/vi.recover
% chmod 1775 /tmp /var/tmp /var/tmp/vi.recover
% cd /var/home
% rm -rf <anon-user>
% ln -s /var/tmp <anon-user>
Then edit /etc/rc and add the following to the end, just before the date command.
#
# make sure permissions are tight on /tmp and /var/tmp
#
echo "Fixing permissions on /tmp, /var/tmp, and /var/tmp/vi.recover"
chgrp field /tmp /var/tmp /var/tmp/vi.recover
chmod 1775 /tmp /var/tmp /var/tmp/vi.recover
Note: this does not prevent transfer of files which are readable by “others”
from the router.
Note: installation of new versions of JunOS will likely overwrite /etc/rc
and the changes will have to be re-applied.
Note: the JunOS filesystem and permissions check, “show system audit”, may
not approve of these changes.
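Since a JunOS upgrade can undo the permission changes above, it helps to have a check for the end state the procedure is meant to produce: the scratch directories group-owned by the intended group with mode 1775 (sticky, group-writable, not world-writable), and the anonymous user's home a symlink to /var/tmp rather than a directory of its own. The following is an added example, not part of the Route Views page; demo() builds a constructed scratch tree that starts in the stock world-writable state and then applies the page's fix, and the expected group is passed in by gid so the check runs anywhere.

```python
"""Verify the anti-file-relay hardening described for the Juniper route
server: scratch dirs mode 1775 and group-owned as intended, anonymous
user's home a symlink to /var/tmp. Added example, not from the page."""

import os
import stat
import tempfile

# Directories the page names; pass these (and the gid of group 'field') on a router.
WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/var/tmp/vi.recover")


def dir_problems(path, expected_gid):
    """Ways `path` deviates from the intended state: right group, sticky bit
    set, not writable by others."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_gid != expected_gid:
        problems.append(f"{path}: gid {st.st_gid}, expected {expected_gid}")
    if mode & stat.S_IWOTH:
        problems.append(f"{path}: world-writable (mode {mode:04o}), anonymous user can drop files here")
    if not mode & stat.S_ISVTX:
        problems.append(f"{path}: sticky bit not set (mode {mode:04o})")
    return problems


def home_problems(home, target="/var/tmp"):
    """The page replaces the anonymous user's home with a symlink to /var/tmp,
    so the account has no writable directory of its own."""
    if not os.path.islink(home):
        return [f"{home}: real directory, not a symlink to {target}"]
    actual = os.readlink(home)
    if actual != target:
        return [f"{home}: symlink points at {actual}, not {target}"]
    return []


def audit_relay_hardening(dirs, anon_home, expected_gid, home_target="/var/tmp"):
    """Return every problem found; an empty list means the hardening is intact."""
    problems = []
    for d in dirs:
        problems += dir_problems(d, expected_gid)
    problems += home_problems(anon_home, home_target)
    return problems


def demo():
    """Constructed scenario in a temp dir: stock state (1777 scratch dir, real
    home dir), then the page's fix applied. Returns (problems_before, problems_after)."""
    root = tempfile.mkdtemp()
    scratch = os.path.join(root, "tmp")            # stands in for /var/tmp
    home = os.path.join(root, "home", "rviews")    # stands in for /var/home/<anon-user>
    os.makedirs(scratch)
    os.makedirs(home)
    os.chmod(scratch, 0o1777)                      # stock /tmp: anyone may write
    gid = os.stat(scratch).st_gid                  # stands in for group 'field'
    before = audit_relay_hardening([scratch], home, gid, home_target=scratch)
    os.chmod(scratch, 0o1775)                      # chmod 1775 /tmp /var/tmp ...
    os.rmdir(home)                                 # rm -rf <anon-user>
    os.symlink(scratch, home)                      # ln -s /var/tmp <anon-user>
    after = audit_relay_hardening([scratch], home, gid, home_target=scratch)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```

On the router itself the call would be audit_relay_hardening(WORLD_WRITABLE_DIRS, "/var/home/<anon-user>", grp.getgrnam("field").gr_gid); running it after each JunOS install is the point.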
Zebra
!
service password-encryption
enable password <router password>
!
hostname <router hostname>
!
route-map nothing deny 1
!
router bgp <ASN>
bgp router-id <router interface ip>
!
neighbor <peer ip> remote-as <peer ASN>
neighbor <peer ip> activate
neighbor <peer ip> ebgp-multihop 255
neighbor <peer ip> update-source <router interface ip>
neighbor <peer ip> route-map nothing out
neighbor <peer ip> description <peer name>
address-family ipv4 multicast
neighbor <peer ip> activate
neighbor <peer ip> route-map nothing out
exit-address-family
!
! dump bgp information to MRT files
!
dump bgp updates /<path to storage>/%Y.%m/UPDATES/updates.%Y%m%d.%H%M 15m
dump bgp routes-mrt /<path to storage>/%Y.%m/RIBS/rib.%Y%m%d.%H%M 2h
!
! VTYs
!
line vty
no login
exec-timeout 10
no exec-timeout
!
end
Miscellaneous:
- In most cases, it is not desirable for a Route Views server to announce any
prefixes. Zebra has a compile-time option, --disable-bgp-announce, which
disables announcements.
- By default, Zebra's bgpd will listen on port 2605/tcp, while telnet connects
to port 23/tcp by default. The listening port can be changed by specifying
the -P option when the daemon is started, e.g.: bgpd -P 23.
- Installing routes received by bgpd into the kernel routing table will likely
cause problems, especially when the BGP sessions are multi-hop. To avoid
installing routes, do not run the zebra daemon.
14 May 2003
help@routeviews.org