From d901032b78f34db89b2f39ee228c12c9b8fc09d8 Mon Sep 17 00:00:00 2001
From: Karl Grube <karl@hudlergrube.com>
Date: Mon, 30 Oct 2023 21:07:49 +0100
Subject: [PATCH] internet router work for today done
---
templates/frr_conf.j2 | 40 +++++++++++++++++++++++++++++++---------
1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/templates/frr_conf.j2 b/templates/frr_conf.j2
index ef3e679..04925c5 100644
--- a/templates/frr_conf.j2
+++ b/templates/frr_conf.j2
@@ -16,15 +16,15 @@ router bgp {{bgp_asn}}
neighbor outside peer-group
neighbor outside remote-as external
neighbor nat peer-group
- neighbor nat remote-as internal
+ neighbor nat remote-as external
neighbor nat bfd
neighbor nat capability extended-nexthop
neighbor firewall4s peer-group
- neighbor firewall4s remote-as internal
+ neighbor firewall4s remote-as external
neighbor firewall4s bfd
neighbor firewall4s capability extended-nexthop
neighbor firewalls peer-group
- neighbor firewalls remote-as internal
+ neighbor firewalls remote-as external
neighbor firewalls bfd
{% for neighbor in firewall4s %}
{% if (neighbor|ansible.utils.ipv6) or (neighbor|ansible.utils.ipv4) %}
@@ -49,13 +49,16 @@ router bgp {{bgp_asn}}
{% endfor %}
!
address-family ipv4 unicast
+{% for range in dc4_ranges %}
+ aggregate-address {{range}} route-map reject_local_origin
+{% endfor %}
network 0.0.0.0/0
neighbor firewall4s activate
neighbor firewall4s prefix-list all out
- neighbor firewall4s prefix-list my-networks in
+ neighbor firewall4s prefix-list internal in
neighbor nat activate
neighbor nat prefix-list all out
- neighbor nat prefix-list nat in
+ neighbor nat prefix-list internal in
{% for neighbor in internet_connections %}
{% for ip in neighbor.peer_ips %}
{% if ip|ansible.utils.ipv4 %}
@@ -67,13 +70,16 @@ router bgp {{bgp_asn}}
{% endfor %}
!
address-family ipv6 unicast
+{% for range in dc_ranges %}
+ aggregate-address {{range}} route-map reject_local_origin
+{% endfor %}
network ::/0
neighbor nat activate
neighbor nat prefix-list internet out
neighbor nat prefix-list none in
neighbor firewalls activate
neighbor firewalls prefix-list all out
- neighbor firewalls prefix-list my-networks in
+ neighbor firewalls prefix-list internal in
{% for neighbor in internet_connections %}
{% for ip in neighbor.peer_ips %}
{% if ip|ansible.utils.ipv6 %}
@@ -141,6 +147,14 @@ ipv6 prefix-list my-networks seq {{(loop.index|int)*10+10}} deny any
{% endif %}
{% endfor %}
!
+{% for range in dc_ranges %}
+ipv6 prefix-list internal seq {{(loop.index|int)*20-10}} permit {{range}}
+ipv6 prefix-list internal seq {{(loop.index|int)*20}} permit {{range}} ge {{((range|regex_replace('.*/',''))|int)+1}}
+{% if loop.last %}
+ipv6 prefix-list internal seq {{(loop.index|int)*20+10}} deny any
+{% endif %}
+{% endfor %}
+!
ip prefix-list none seq 10 deny any
{% if allow_default_ipv4 == True %}
ip prefix-list internet seq 5 permit 0.0.0.0/0
@@ -169,10 +183,10 @@ ip prefix-list internet seq {{(loop.index|int)*10+170}} permit any
{% endfor %}
!
{% for range in dc4_ranges %}
-ip prefix-list nat seq {{(loop.index|int)*20-10}} permit {{range}}
-ip prefix-list nat seq {{(loop.index|int)*20}} permit {{range}} ge {{((range|regex_replace('.*/',''))|int)+1}}
+ip prefix-list internal seq {{(loop.index|int)*20-10}} permit {{range}}
+ip prefix-list internal seq {{(loop.index|int)*20}} permit {{range}} ge {{((range|regex_replace('.*/',''))|int)+1}}
{% if loop.last %}
-ip prefix-list nat seq {{(loop.index|int)*20+10}} deny any
+ip prefix-list internal seq {{(loop.index|int)*20+10}} deny any
{% endif %}
{% endfor %}
{% for range in dc4_ranges + anycast4_ranges %}
@@ -183,3 +197,11 @@ ip prefix-list my-networks seq {{(loop.index|int)*10+10}} deny any
{% endfor %}
ip prefix-list all seq 10 permit any
ipv6 prefix-list all seq 10 permit any
+!
+route-map reject_local_origin deny 10
+ match as-path {{bgp_asn}}
+exit
+!
+route-map reject_local_origin permit 20
+exit
+!
--
GitLab