Commit 354051d0 authored by Karl Grube's avatar Karl Grube

functional trusted_peers

parent 79cd4b6b
...@@ -8,3 +8,5 @@ dc4_ranges: [] ...@@ -8,3 +8,5 @@ dc4_ranges: []
anycast_ranges: [] anycast_ranges: []
anycast4_ranges: [] anycast4_ranges: []
trusted_peers: []
...@@ -15,9 +15,22 @@ router bgp {{bgp_asn}} ...@@ -15,9 +15,22 @@ router bgp {{bgp_asn}}
{% endfor %} {% endfor %}
neighbor outside peer-group neighbor outside peer-group
neighbor outside remote-as external neighbor outside remote-as external
neighbor trusted-peers peer-group
neighbor trusted-peers remote-as internal
neighbor trusted-peers bfd
{% for neighbor in trusted_peers %}
{% if (neighbor|ansible.utils.ipv6) or (neighbor|ansible.utils.ipv4) %}
neighbor {{ neighbor }} peer-group trusted-peers
{% else %}
neighbor {{ neighbor }} interface peer-group trusted-peers
{% endif %}
{% endfor %}
! !
address-family ipv4 unicast address-family ipv4 unicast
network 0.0.0.0/0 network 0.0.0.0/0
neighbor trusted-peers activate
neighbor trusted-peers prefix-list all out
neighbor trusted-peers prefix-list all in
{% for neighbor in internet_connections %} {% for neighbor in internet_connections %}
{% for ip in neighbor.peer_ips %} {% for ip in neighbor.peer_ips %}
{% if ip|ansible.utils.ipv4 %} {% if ip|ansible.utils.ipv4 %}
...@@ -30,6 +43,9 @@ router bgp {{bgp_asn}} ...@@ -30,6 +43,9 @@ router bgp {{bgp_asn}}
! !
address-family ipv6 unicast address-family ipv6 unicast
network ::/0 network ::/0
neighbor trusted-peers activate
neighbor trusted-peers prefix-list all out
neighbor trusted-peers prefix-list all in
{% for neighbor in internet_connections %} {% for neighbor in internet_connections %}
{% for ip in neighbor.peer_ips %} {% for ip in neighbor.peer_ips %}
{% if ip|ansible.utils.ipv6 %} {% if ip|ansible.utils.ipv6 %}
...@@ -128,3 +144,5 @@ ip prefix-list my-networks seq {{(loop.index|int)*10}} permit {{range}} ...@@ -128,3 +144,5 @@ ip prefix-list my-networks seq {{(loop.index|int)*10}} permit {{range}}
ip prefix-list my-networks seq {{(loop.index|int)*10+10}} deny any ip prefix-list my-networks seq {{(loop.index|int)*10+10}} deny any
{% endif %} {% endif %}
{% endfor %} {% endfor %}
ip prefix-list all seq 10 permit any
ipv6 prefix-list all seq 10 permit any
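Review bot: The new `trusted-peers` group is attached to `prefix-list all in` and `prefix-list all out` in both address families, and `all` is defined at the end of this file as `permit any`, so nothing a trusted peer announces is filtered. The visible new lines also carry no `neighbor trusted-peers password ...` or `neighbor trusted-peers maximum-prefix ...` statement, so route acceptance appears to rest entirely on the neighbor address or interface being listed in `trusted_peers`. Consider an inbound list limited to the prefixes these peers are expected to originate (possibly `neighbor trusted-peers prefix-list my-networks in`, though that list's definition is only partly visible here), and document the choice above the new list with something like `! 'all' is intentionally unfiltered; used only by the trusted-peers iBGP group`. The `{% else %}` branch also renders any value that is not an IP address as an interface name without further checks, so a mistyped entry becomes an unnumbered neighbor statement rather than a template error.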
...@@ -44,7 +44,7 @@ table inet filter { ...@@ -44,7 +44,7 @@ table inet filter {
iif == lo accept iif == lo accept
tcp dport ssh accept tcp dport ssh accept
{% for range in dc_ranges %} {% for range in dc_ranges %}
ip{% if range|ansible.utils.ipv6%}6{% endif %} saddr {{range}} tcp dport ssh accept ip{% if range|ansible.utils.ipv6%}6{% endif %} saddr {{range}} accept
{% endfor %} {% endfor %}
{% for neighbor in internet_connections %} {% for neighbor in internet_connections %}
{% for ip in neighbor.peer_ips %} {% for ip in neighbor.peer_ips %}
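Review bot: The rewritten rule inside the `dc_ranges` loop now ends in a bare `accept`, so every protocol and port on this host is reachable from those ranges on source address alone, where the old rule matched only `tcp dport ssh`. If the aim is to let the new trusted peers bring up BGP and BFD sessions, a narrower form would be `ip{% if range|ansible.utils.ipv6%}6{% endif %} saddr {{range}} tcp dport 179 accept` with a second line ending in `udp dport { 3784, 3785 } accept`. Whichever form is kept, a comment above the loop such as `# dc_ranges are trusted for BGP/BFD; relies on anti-spoofing at the edge` would record why the rule exists. The enclosing chain starts outside this hunk, so it is not visible whether an interface match further limits where this traffic can arrive from.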