wit-network-config/templates/frr.conf.wit

!!# this file is dynamic and managed by wit-network-config, any changes will be lost

frr defaults datacenter
username cumulus nopassword
!
service integrated-vtysh-config
!
log syslog
!
interface feth1
 ipv6 nd ra-interval 10
 no ipv6 nd suppress-ra
!
interface feth2
 ipv6 nd ra-interval 10
 no ipv6 nd suppress-ra
!
!!! FRR_IFS
!
router bgp NODEASN
 bgp router-id FRRROUTERID
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 bgp default show-hostname
 bgp deterministic-med
 coalesce-time 1000
 bgp bestpath as-path multipath-relax
 bgp bestpath compare-routerid
 bgp network import-check
 timers bgp 3 9
 neighbor fabric peer-group
 neighbor fabric remote-as external
 neighbor fabric timers connect 10
 neighbor feth1 interface peer-group fabric
 neighbor feth2 interface peer-group fabric
 !!!  neighbor GRE peer-group
 !!!  neighbor GRE remote-as external
 !!!  neighbor GRE local-as FRR_GRE_ASN
 !!!  neighbor GRE password wIt2Go
 !!!  neighbor GRE ebgp-multihop 255
 !!!  neighbor GRE timers connect 10
 !!!  neighbor eBGPv4 peer-group
 !!!  neighbor eBGPv4 remote-as external
 !!!  neighbor eBGPv4 timers connect 10
 !!!  neighbor eBGPv6 peer-group
 !!!  neighbor eBGPv6 remote-as external
 !!!  neighbor eBGPv6 timers connect 10
 !!!  neighbor iBGP peer-group
 !!!  neighbor iBGP remote-as internal
 !!!  neighbor iBGP timers connect 10
 !!!  neighbor CUSTOMERv4 peer-group
 !!!  neighbor CUSTOMERv4 remote-as external
 !!!  neighbor CUSTOMERv4 timers connect 10
 !!!  neighbor CUSTOMERv6 peer-group
 !!!  neighbor CUSTOMERv6 remote-as external
 !!!  neighbor CUSTOMERv6 timers connect 10
 !!! FRR_EDGE_NEIGH
 !
 address-family ipv4 unicast
  redistribute kernel route-map EIPv4
  redistribute connected route-map LOCALNETSv4
  neighbor fabric activate
  neighbor fabric soft-reconfiguration inbound
  !!!  neighbor fabric default-originate
  !!!  neighbor fabric route-map FABRICv4-OUT out
  !!!  neighbor GRE activate
  !!!  neighbor GRE default-originate
  !!!  neighbor GRE soft-reconfiguration inbound
  !!!  neighbor GRE allowas-in 1
  !!!  neighbor GRE route-map GREv4-IN in
  !!!  neighbor GRE route-map FABRICv4-OUT out
  !!!  neighbor eBGPv4 activate
  !!!  neighbor eBGPv4 next-hop-self
  !!!  neighbor eBGPv4 remove-private-AS
  !!!  neighbor eBGPv4 soft-reconfiguration inbound
  !!!  neighbor eBGPv4 route-map eBGPv4-IN in
  !!!  neighbor eBGPv4 route-map eBGPv4-OUT out
  !!!  neighbor iBGP activate
  !!!  neighbor iBGP next-hop-self
  !!!  neighbor iBGP soft-reconfiguration inbound
  !!!  neighbor iBGP allowas-in 1
  !!!  neighbor CUSTOMERv4 activate
  !!!  neighbor CUSTOMERv4 next-hop-self
  !!!  neighbor CUSTOMERv4 remove-private-AS
  !!!  neighbor CUSTOMERv4 soft-reconfiguration inbound
  !!!  neighbor CUSTOMERv4 route-map CUSTOMERv4-IN in
  !!!  neighbor CUSTOMERv4 route-map eBGPv4-IN out
  !!! FRR_IPV4_EDGE_SUMMARIES_AGGREGATS
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute kernel route-map EIPv6
  redistribute connected route-map LOCALNETSv6
  neighbor fabric activate
  neighbor fabric soft-reconfiguration inbound
  !!!  neighbor fabric default-originate
  !!!  neighbor fabric route-map FABRICv6-OUT out
  !!!  neighbor GRE activate
  !!!  neighbor GRE default-originate
  !!!  neighbor GRE soft-reconfiguration inbound
  !!!  neighbor GRE allowas-in 1
  !!!  neighbor GRE route-map GREv6-IN in
  !!!  neighbor GRE route-map FABRICv6-OUT out
  !!!  neighbor eBGPv6 activate
  !!!  neighbor eBGPv6 soft-reconfiguration inbound
  !!!  neighbor eBGPv6 remove-private-AS
  !!!  neighbor eBGPv6 route-map eBGPv6-IN in
  !!!  neighbor eBGPv6 route-map eBGPv6-OUT out
  !!!  neighbor iBGP activate
  !!!  neighbor iBGP next-hop-self
  !!!  neighbor iBGP soft-reconfiguration inbound
  !!!  neighbor iBGP allowas-in 1
  !!!  neighbor CUSTOMERv6 activate
  !!!  neighbor CUSTOMERv6 next-hop-self
  !!!  neighbor CUSTOMERv6 remove-private-AS
  !!!  neighbor CUSTOMERv6 soft-reconfiguration inbound
  !!!  neighbor CUSTOMERv6 route-map CUSTOMERv6-IN in
  !!!  neighbor CUSTOMERv6 route-map eBGPv6-IN out
  !!! FRR_IPV6_EDGE_SUMMARIES_AGGREGATS
 exit-address-family
 !
 address-family l2vpn evpn
  !!!  neighbor GRE activate
  !!!  neighbor GRE allowas-in 1
  neighbor fabric activate
  advertise-all-vni
 exit-address-family
!

!!! FRR_IPV4_LOOPBACK_PFLIST

!!! FRR_IPV4_EDGE_SUMMARIES_PFLIST

!!! FRR_IPV4_CUSTOMERS_PFLIST

!!!PEERCUSTOMER FRR_IPV4_PEERCUSTOMERS_PFLIST

ip prefix-list DEFAULT seq 5 permit 0.0.0.0/0
ip prefix-list ALL seq 5 permit 0.0.0.0/0 le 32
ip prefix-list rfc1918 seq 5 permit 0.0.0.0/8 le 32
ip prefix-list rfc1918 seq 10 permit 10.0.0.0/8 le 32
ip prefix-list rfc1918 seq 15 permit 127.0.0.0/8 le 32
ip prefix-list rfc1918 seq 20 permit 169.254.0.0/16 le 32
ip prefix-list rfc1918 seq 25 permit 172.16.0.0/12 le 32
ip prefix-list rfc1918 seq 30 permit 192.168.0.0/16 le 32
ip prefix-list rfc1918 seq 35 permit 224.0.0.0/3 le 32
ip prefix-list rfc1918 seq 40 permit 100.64.0.0/10 le 32

!!BASTION  ip prefix-list BASTION seq 5 permit BASTION-PUBLIC-IP/32

!!! FRR_IPV6_LOOPBACK_PFLIST

!!! FRR_IPV6_EDGE_SUMMARIES_PFLIST

!!! FRR_IPV6_CUSTOMERS_PFLIST

!!!PEERCUSTOMER FRR_IPV6_PEERCUSTOMERS_PFLIST

ipv6 prefix-list DEFAULT seq 5 permit ::/0
ipv6 prefix-list ALL seq 5 permit ::/0 le 128
!!!  ipv6 prefix-list eBGPv6-RELAXED seq 5 deny 3ffe::/16 le 128
!!!  ipv6 prefix-list eBGPv6-RELAXED seq 10 deny 2001:db8::/32 le 128
!!!  ipv6 prefix-list eBGPv6-RELAXED seq 15 permit 2001::/32
!!!  ipv6 prefix-list eBGPv6-RELAXED seq 20 deny 2001::/32 le 128
!!!  ipv6 prefix-list eBGPv6-RELAXED seq 25 permit 2002::/16
!!!  ipv6 prefix-list eBGPv6-RELAXED seq 30 deny 2002::/16 le 128
!!!  ipv6 prefix-list eBGPv6-RELAXED seq 35 deny ::/8 le 128
!!!  ipv6 prefix-list eBGPv6-RELAXED seq 40 deny fe00::/9 le 128
!!!  ipv6 prefix-list eBGPv6-RELAXED seq 45 deny ff00::/8 le 128
!!!  ipv6 prefix-list eBGPv6-RELAXED seq 50 permit 2000::/3 le 48
!!!  ipv6 prefix-list eBGPv6-RELAXED seq 55 deny ::/0 le 128



route-map EIPv4 permit 5
 match ip address prefix-list WITv4-CUSTOMERS
!
route-map EIPv6 permit 5
 match ipv6 address prefix-list WITv6-CUSTOMERS
!

route-map LOCALNETSv4 permit 5
 description "permit loopback ips"
 match ip address prefix-list LOOPBACKv4

!!BASTION  route-map LOCALNETSv4 permit 10
!!BASTION   description permit bastion public loopback ip
!!BASTION   match ip address prefix-list BASTION

route-map LOCALNETSv6 permit 5
 description "permit ipv6 loopback ips"
 match ipv6 address prefix-list LOOPBACKv6

!!BASTION  route-map LOCALNETSv6 permit 10
!!BASTION   description permit bastion mgmt ip
!!BASTION   match ipv6 address prefix-list MGMT


!!!  route-map eBGPv4-IN deny 5
!!!   description "deny any incoming private IP blocks"
!!!   match ip address prefix-list rfc1918
!!!  !
!!!  route-map eBGPv4-IN permit 10
!!!   description "Accept all routes advertised to us"
!!!   match ip address prefix-list ALL
!!!  !


!!!  route-map eBGPv4-OUT permit 5
!!!   description "match IP block owned by WIT"
!!!   match ip address prefix-list WITv4-SUMMARIES
!!!  !
!!!  route-map eBGPv4-OUT permit 10
!!!   match ip address prefix-list PEERv4-CUSTOMER



!!!  route-map eBGPv6-IN permit 5
!!!   description "Accept all routes advertised to us"
!!!   match ipv6 address prefix-list eBGPv6-RELAXED
!!!  !
!!!  route-map eBGPv6-IN permit 10
!!!   description "Accept default route"
!!!   match ipv6 address prefix-list DEFAULT
!!!  !


!!!  route-map eBGPv6-OUT permit 5
!!!   description "match IP block owned by WIT"
!!!   match ipv6 address prefix-list WITv6-SUMMARIES
!!!  !
!!!  route-map eBGPv6-OUT permit 10
!!!   match ipv6 address prefix-list PEERv6-CUSTOMER


!!!  route-map CUSTOMERv4-IN permit 5
!!!   description "match IP block expected from Customer"
!!!   match ip address prefix-list PEERv4-CUSTOMER


!!!  route-map CUSTOMERv6-IN permit 5
!!!   description "match IP block expected from Customer"
!!!   match ipv6 address prefix-list PEERv6-CUSTOMER



!!!  route-map FABRICv4-OUT permit 5
!!!   description "allow default route"
!!!   match ip address prefix-list DEFAULT
!!!  !
!!!  route-map FABRICv4-OUT permit 10
!!!   description "allow WIT customer IPs"
!!!   match ip address prefix-list WITv4-CUSTOMERS
!!!  !
!!!  route-map FABRICv4-OUT permit 15
!!!   description "allow WIT loopback IPs"
!!!   match ip address prefix-list LOOPBACKv4
!!!  !


!!!  route-map FABRICv6-OUT permit 5
!!!   description "allow default route"
!!!   match ipv6 address prefix-list DEFAULT
!!!  !
!!!  route-map FABRICv6-OUT permit 10
!!!   description "allow WIT customer IPs"
!!!   match ipv6 address prefix-list WITv6-CUSTOMERS
!!!  !


!!!  route-map GREv4-IN deny 5
!!!   description "deny default route in"
!!!   match ip address prefix-list DEFAULT
!!!  !
!!!  route-map GREv4-IN permit 10
!!!   description "accept all the rest"
!!!   match ip address prefix-list ALL
!!!  !


!!!  route-map GREv6-IN deny 5
!!!   description "deny default route in"
!!!   match ipv6 address prefix-list DEFAULT
!!!  !
!!!  route-map GREv6-IN permit 10
!!!   description "accept all the rest"
!!!   match ipv6 address prefix-list ALL
!!!  !


!!BASTION  route-map BASTIONv4 permit 5
!!BASTION   match ip address prefix-len 0
!!BASTION   set src BASTION-PUBLIC-IP

!!BASTION  route-map BASTIONv4 permit 10
!!BASTION   match ip address prefix-list ALL

!!BASTION  ip protocol bgp route-map BASTIONv4

!!BASTION  route-map BASTIONv6 permit 5
!!BASTION   match ipv6 address prefix-list ALL
!!BASTION   set src LOOPBACK-IPV6

!!BASTION  ipv6 protocol bgp route-map BASTIONv6

!
line vty
!