> ./ioxr_pop_generator config_files/pop_demo.in ! TWDX Routing Policy Generator (IOS-XR) 3.01 ! $twdx: blackmesa/bengi/ioxr_pop_generator.bash,v 3.01 2018-03-31 17:18:24Z blahdy $ ! Loading config_files/pop_demo.in: 27552 twdx inet.0(172.18.0.1) inet6.0(2001:4830:ff::172.18.0.1) ! Read locations (ASR 9906 (Torchwood)): 0/RSP0/CPU0 0/RSP1/CPU0 0/0/CPU0 0/1/CPU0 0/2/CPU0 0/3/CPU0 ! Building configuration..[OK] !! ** System Parameters ** ! service unsupported-transceiver hostname dcr02.bos01 clock timezone EST -5 clock summer-time EDT recurring domain name twdx.net domain name-server 172.18.0.100 ! username rancid group netadmin group operator secret 5 ! banner login ^C Unauthorized Access is Prohibited. For operational problems please contact ip-admin@twdx.net or call +1-. **AS-27552 IP BACKBONE FACILITY ROUTER** Load Zone: KZBW 701 Hostname: dcr02.bos01 Loadout: ASR 9906 (Torchwood) 0/RSP0/CPU0: A99-RSP-TR 0/RSP1/CPU0: A99-RSP-TR 0/0/CPU0: A9K-4X100GE 0/1/CPU0: A9K-24X10GE-1G-TR 0/2/CPU0: A9K-MOD200-SE 0/3/CPU0: A99-32X100GE-TR This device is for authorized personnel use only. Unauthorized access is prohibited by title 18 USC 2701(a). Violators are subject to criminal and civil penalties under title 18 USC 2701(b), and will be prosecuted to the fullest extent of the law. If you are not an authorized user, disconnect immediately. Pursuant to title 18 USC section 2511 (2)(a)(i), individuals using this device are subject to having any and all of their activities monitored, recorded, and examined. Any material so recorded may be disclosed to law enforcement as appropriate. Anyone using this device consents to these terms. ^C ! line default exec-timeout 0 0 ! snmp-server community RO ntp server 172.18.0.100 drift aging time 65535 ! bfd multipath include location 0/0/CPU0 multipath include location 0/1/CPU0 multipath include location 0/2/CPU0 multipath include location 0/3/CPU0 ! ! %%ERR-11-NOT_IMPLEMENTED: syslog not yet done for IOS-XR ! host 172.18.0.100 { ! source-address 172.18.0.1; ! } ! Press Enter when ready to continue. ! [ ^C to break ] >> ! Building configuration..[OK] !! ** Network Base ** ! interface Loopback0 description BGP-Lo ipv4 address 172.18.0.1 255.255.255.255 ipv6 address 2001:4830:ff::172.18.0.1/128 ! ipv6 access-list inet6_border-ingress 5 deny ipv6 2001:db8::/32 any 20 deny ipv6 any 2001:db8::/32 255 permit ipv6 any any ! ipv4 access-list inet_border-ingress 5 deny ipv4 192.168.2.0/24 any 10 deny ipv4 any 192.168.2.0/24 255 permit ipv4 any any ! router static address-family ipv4 unicast 10.0.0.0/8 Null0 100.64.0.0/10 Null0 127.0.0.0/8 Null0 169.254.0.0/16 Null0 192.0.2.0/24 Null0 192.168.0.0/16 Null0 ! address-family ipv6 unicast 2001:db8::/32 Null0 fc00::/16 Null0 ! ! ipv4 unnumbered mpls traffic-eng Loopback0 ! router ospf twdx router-id 172.18.0.1 area 0.0.0.0 mpls traffic-eng ! interface Loopback0 cost 1 ! ! mpls traffic-eng router-id Loopback0 ! mpls traffic-eng ! auto-tunnel backup tunnel-id min 3000 max 4000 ! ! ! Press Enter when ready to continue. ! [ ^C to break ] >> ! Building configuration..[OK] !! ** Routing Policy Base ** ! prefix-set inet_rejects 0.0.0.0/8 le 32, 10.0.0.0/8 le 32, 100.64.0.0/10 le 32, 127.0.0.0/8 le 32, 169.254.0.0/16 le 32, 172.16.0.0/12 le 32, 192.0.2.0/24 le 32, 192.168.0.0/16 le 32, 0.0.0.0/0, 0.0.0.0/0 ge 25 end-set ! prefix-set inet_twdx_reject_own 172.18.0.0/16 le 32 end-set ! ! prefix-set inet6_rejects 2001:db8::/32 le 128, 3ffe::/16 le 128, fe80::/16 le 128, fc00::/16 le 128, ::/0, ::/0 ge 49 end-set ! prefix-set inet6_twdx_reject_own 2001:db8:500::/40 le 128 end-set ! ! prefix-set ipv4_no-export_smalls 0.0.0.0/0 ge 25 le 32 end-set ! prefix-set ipv6_no-export_smalls ::/0 ge 49 le 128 end-set ! ! community-set a-all-net ios-regex '^27552:5....$' end-set ! community-set a-on-net ios-regex '^27552:5...[4-5]$' end-set ! community-set n-blackhole 27552:911, 65535:666 end-set ! large-community-set ln-local-blackhole 27552:911:0, 27552:911:701, 27552:911:64512 end-set ! community-set n-blackhole-install ios-regex '^27552:91[1-2]$', 65535:666 end-set ! community-set set-tag_peer 27552:57012 end-set ! community-set set-tag_transit 27552:57011 end-set ! community-set user-serviceable ios-regex '^.*:4....$', ios-regex '^27552:(50|100|150|200|250|900|911|31337)$', 65535:0, 65535:666 end-set ! large-community-set ln-user-serviceable ios-regex '^27552:4...[1-9]:.*$' end-set ! community-set n-27552-continue ios-regex '^(0|27552|64512):4(701|000)5$' end-set ! community-set n-27552-no-export ios-regex '^(0|27552|64512):4(701|000)0$' end-set ! community-set n-27552-prepend-1 ios-regex '^(0|27552|64512):4(701|000)1$' end-set ! community-set n-27552-prepend-2 ios-regex '^(0|27552|64512):4(701|000)2$' end-set ! community-set n-27552-prepend-3 ios-regex '^(0|27552|64512):4(701|000)3$' end-set ! community-set n-27552-action-9 ios-regex '^(0|27552|64512):4(701|000)9$', 27552:900 end-set ! large-community-set ln-27552-continue ios-regex '^27552:4(701|000)5:(0|27552|64512)$' end-set ! large-community-set ln-27552-no-export ios-regex '^27552:4(701|000)0:(0|27552|64512)$' end-set ! large-community-set ln-27552-prepend-1 ios-regex '^27552:4(701|000)1:(0|27552|64512)$' end-set ! large-community-set ln-27552-prepend-2 ios-regex '^27552:4(701|000)2:(0|27552|64512)$' end-set ! large-community-set ln-27552-prepend-3 ios-regex '^27552:4(701|000)3:(0|27552|64512)$' end-set ! large-community-set ln-27552-action-9 ios-regex '^27552:4(701|000)9:(0|27552|64512)$' end-set ! as-path-set DROP_LARGE_NETS ios-regex '_(701|1239|3356|1668|174|209|2914|3549|3320|1299|7018|286|5511|6453|6762|12956|2828|6461|3257|7922|6939|15169|16509|8075)_.+' end-set ! route-policy no drop end-policy ! ! Press Enter when ready to continue. ! [ ^C to break ] >> ! Building configuration..[OK] !! ** Routing Policy Statements ** ! route-policy mpd_core_local-originate # As of 3.0, we go no longer handle blackhole NH here: # Instead, bnh is now applied on ingress route-policy from RRs # if community matches-any a-all-net and path-type is ebgp then set next-hop self done elseif community matches-any a-all-net then done else drop endif end-policy ! !! Route-reflector RTBH next-hop fix for 6PE route-policy inet6lu_rs_install_blackhole if large-community matches-any ln-local-blackhole then if community matches-any a-on-net then set next-hop discard endif elseif community matches-any n-blackhole-install and community matches-any a-on-net then set next-hop discard endif done end-policy ! ! apply blackhole route-policy inet_rs_install_ln_blackhole if large-community matches-any ln-local-blackhole then if community matches-any a-on-net then set next-hop discard endif elseif community matches-any n-blackhole-install and community matches-any a-on-net then set next-hop discard endif done end-policy ! ! !! Import policies: peer & transit !! Use example for transit neighbors: !! IPv4: inet_internet_in( rpm64_transit ) !! IPv6: inet6_internet_in( rpm64_transit ) !! Use example for peer neighbors: !! IPv4: inet_internet_in( rpm64_peer ) !! IPv6: inet6_internet_in( rpm64_peer ) !! route-policy inet_internet_in($import_map) if destination in inet_rejects or destination in inet_twdx_reject_own then drop elseif as-path passes-through '[64512..65535]' then drop endif delete community all apply $import_map done end-policy ! route-policy inet_internet_in_keep_comms($import_map) # Used for transit or special peer types where peer's communities # should be kept on ingress. if destination in inet_rejects or destination in inet_twdx_reject_own then drop elseif as-path passes-through '[64512..65535]' then drop endif apply $import_map done end-policy ! route-policy inet6_internet_in($import_map) if destination in inet6_rejects or destination in inet6_twdx_reject_own then drop elseif as-path passes-through '[64512..65535]' then drop endif delete community all apply $import_map done end-policy ! route-policy inet6_internet_in_keep_comms($import_map) # Used for transit or special peer types where peer's communities # should be kept on ingress. if destination in inet6_rejects or destination in inet6_twdx_reject_own then drop elseif as-path passes-through '[64512..65535]' then drop endif delete community all apply $import_map done end-policy ! route-policy rpm64_transit # Copy rpm64_ function for any peer network-specific policies (ie. to filter specific # routes from a transit provider, copy this RPL function and customize it) set community set-tag_transit set local-preference 100 set med 0 end-policy ! route-policy rpm64_peer # Copy rpm64_ function for any peer network-specific policies (ie. to filter specific # routes from a peer, copy this RPL function and customize it) set community set-tag_peer set local-preference 200 set med 0 end-policy ! ! Press Enter when ready to continue. ! [ ^C to break ] >> ! Building configuration..[OK] ! !! Import policies: customer !! Use example: !! IPv4: mpd_customer_in( CUSTOMER:22147, ipv4_no-export_smalls ) !! IPv6: mpd_customer_in( CUSTOMER6:22147, ipv6_no-export_smalls ) !! route-policy mpd_customer_in($pfx_list, $af_no_export_smalls ) if not destination in $pfx_list then drop elseif as-path in DROP_LARGE_NETS then drop endif delete community not in user-serviceable delete large-community not in ln-user-serviceable if destination in $af_no_export_smalls then set community ( 0:40000 ) additive if large-community matches-any ln-local-blackhole or community matches-any n-blackhole then # NB: Customer may only request blackhole routing on pfxlen /25-/32, /49-/128 # Always add 0:40000 no-export for sanity check. We override no-export on # peer/transit specific RPLs when we need to leak BN routes to upstreams. # set next-hop discard set community ( 27552:57014 ) additive set local-preference 300 done endif endif if community matches-any ( 27552:[50..250] ) then if community matches-any ( 27552:50 ) then set local-preference 50 set community ( 27552:57014 ) additive done elseif community matches-any ( 27552:100 ) then set local-preference 100 set community ( 27552:57014 ) additive done elseif community matches-any ( 27552:150 ) then set local-preference 150 set community ( 27552:57014 ) additive done elseif community matches-any ( 27552:200 ) then set local-preference 200 set community ( 27552:57014 ) additive done elseif community matches-any ( 27552:250 ) then set local-preference 250 set community ( 27552:57014 ) additive done endif elseif community matches-any ( 65535:0 ) then # GRACEFUL_SHUTDOWN set local-preference 0 set community ( 27552:57014 ) additive done endif set local-preference 300 set community ( 27552:57014 ) additive done end-policy ! ! Press Enter when ready to continue. ! [ ^C to break ] >> ! Building configuration..[OK] ! !! Origination maps: **for use with AF network advertisements** !! !! Use Examples for Customer-Type route: !! IPv4: network x.x.x.x/y route-policy adv_mpd_customer( ipv4_no-export_smalls ) !! IPv6: network x:x:x::/y route-policy adv_mpd_customer( ipv6_no-export_smalls ) !! Use Examples for Internal-Type route: !! IPv4: network x.x.x.x/y route-policy adv_mpd_internal( ipv4_no-export_smalls ) !! IPv6: network x:x:x::/y route-policy adv_mpd_internal( ipv6_no-export_smalls ) !! Use Examples for Blackhole/Discard route: !! IPv4: network x.x.x.x/y route-policy adv_inet_discard !! IPv6: network x:x::/y route-policy adv_inet6_discard !! Use Examples for Aggregate Announcements !! IPv4: network x.x.x.x/y route-policy adv_inet_aggregate !! IPv6: network x:x::/y route-policy adv_inet6_aggregate !! route-policy adv_mpd_customer( $af_no_export_smalls ) set local-preference 300 set community ( 27552:57014 ) if destination in $af_no_export_smalls then set community ( 0:40000 ) additive endif done end-policy ! route-policy adv_mpd_internal( $af_no_export_smalls ) set local-preference 400 set community ( 27552:57015 ) if destination in $af_no_export_smalls then set community ( 0:40000 ) additive endif done end-policy ! route-policy adv_inet_aggregate set local-preference 400 set community ( 27552:900, 27552:912, 27552:57015 ) set next-hop 192.0.2.1 done end-policy ! route-policy adv_inet6_aggregate set local-preference 400 set community ( 27552:900, 27552:912, 27552:57015 ) set next-hop 2001:db8::1 done end-policy ! route-policy adv_inet_discard set local-preference 400 set community ( 27552:911, 27552:57015 ) set next-hop 192.0.2.1 if destination in ipv4_no-export_smalls then set community ( 0:40000 ) additive endif done end-policy ! route-policy adv_inet6_discard set local-preference 400 set community ( 27552:911, 27552:57015 ) set next-hop 2001:db8::1 if destination in ipv6_no-export_smalls then set community ( 0:40000 ) additive endif done end-policy ! ! Press Enter when ready to continue. ! [ ^C to break ] >> ! Building configuration..[OK] ! !! Export policies !! Use example for CUSTOMER-TYPE session, receiving FULL ROUTES: !! IPv4: mp64_common_out( inet_rejects, rpm64_out_customer, a-all-net ) !! IPv6: mp64_common_out( inet6_rejects, rpm64_out_customer, a-all-net ) !! !! Use examples for CUSTOMER-TYPE session, receiving PARTIAL ROUTES: !! IPv4: mp64_common_out( inet_rejects, rpm64_out_customer, a-on-net ) !! !! Use example for PEER-TYPE session: !! IPv4: mp64_common_out( inet_rejects, rpm64_out_peer_comcast, a-on-net ) !! ** Use adj_transit/peer scripts to generate "rpm64_out_peer_$Peer-Name" ** !! route-policy mp64_common_out( $reject_list, $apply_map, $export_patn ) if not community matches-any $export_patn then drop endif if large-community matches-any ln-local-blackhole or community matches-any n-blackhole then # NB: reject_list will drop prefixes too small for internet bgp: # we need to setup exemption for bnh prefixes as they're typically small pass elseif destination in $reject_list then drop endif apply $apply_map end-policy ! !! Export policies: customer route-policy rpm64_out_customer if large-community matches-any ln-27552-continue or community matches-any n-27552-continue then set med igp-cost done elseif large-community matches-any ln-27552-no-export or community matches-any n-27552-no-export then drop endif set med igp-cost # The following can only be acted upon our own originated routes (a-on-net) if community matches-any a-on-net then if large-community matches-any ln-27552-prepend-1 or community matches-any n-27552-prepend-1 then prepend as-path 27552 done elseif large-community matches-any ln-27552-prepend-2 or community matches-any n-27552-prepend-2 then prepend as-path 27552 2 done elseif large-community matches-any ln-27552-prepend-3 or community matches-any n-27552-prepend-3 then prepend as-path 27552 3 done elseif large-community matches-any ln-27552-action-9 or community matches-any n-27552-action-9 then set med 0 done endif endif done end-policy ! ! Press Enter when ready to continue. ! [ ^C to break ] >> ! Building configuration..[OK] !! ** Protocols: BGP ** ! router bgp 27552 bgp router-id 172.18.0.1 address-family ipv4 unicast ! address-family ipv6 unicast label mode per-vrf allocate-label all ! address-family l2vpn vpls-vpws ! neighbor-group twdx-backbone_mp64 remote-as 27552 update-source Loopback0 address-family ipv4 unicast route-policy inet_rs_install_ln_blackhole in route-policy mpd_core_local-originate out ! address-family ipv6 labeled-unicast route-policy inet6lu_rs_install_blackhole in route-policy mpd_core_local-originate out ! address-family l2vpn vpls-vpws route-policy mpd_core_local-originate out ! ! neighbor-group inet-customers-default ignore-connected-check address-family ipv4 unicast maximum-prefix 100 90 restart 2 route-policy no out default-originate ! neighbor-group inet-customers-full ignore-connected-check address-family ipv4 unicast send-community-ebgp maximum-prefix 100 90 restart 2 route-policy mp64_common_out( inet_rejects, rpm64_out_customer, a-all-net ) out remove-private-AS ! neighbor-group inet-customers-full-w-default ignore-connected-check address-family ipv4 unicast send-community-ebgp maximum-prefix 100 90 restart 2 route-policy mp64_common_out( inet_rejects, rpm64_out_customer, a-all-net ) out remove-private-AS default-originate ! neighbor-group inet-customers-partial ignore-connected-check address-family ipv4 unicast send-community-ebgp maximum-prefix 100 90 restart 2 route-policy mp64_common_out( inet_rejects, rpm64_out_customer, a-on-net ) out remove-private-AS ! neighbor-group inet-customers-partial-w-default ignore-connected-check address-family ipv4 unicast send-community-ebgp maximum-prefix 100 90 restart 2 route-policy mp64_common_out( inet_rejects, rpm64_out_customer, a-on-net ) out remove-private-AS default-originate ! neighbor-group inet6-customers-default ignore-connected-check address-family ipv6 unicast maximum-prefix 100 90 restart 2 route-policy no out default-originate ! neighbor-group inet6-customers-full ignore-connected-check address-family ipv6 unicast send-community-ebgp maximum-prefix 20 90 restart 2 route-policy mp64_common_out( inet6_rejects, rpm64_out_customer, a-all-net ) out remove-private-AS ! neighbor-group inet6-customers-full-w-default ignore-connected-check address-family ipv6 unicast send-community-ebgp maximum-prefix 20 90 restart 2 route-policy mp64_common_out( inet6_rejects, rpm64_out_customer, a-all-net ) out remove-private-AS default-originate ! neighbor-group inet6-customers-partial ignore-connected-check address-family ipv6 unicast send-community-ebgp maximum-prefix 20 90 restart 2 route-policy mp64_common_out( inet6_rejects, rpm64_out_customer, a-on-net ) out remove-private-AS ! neighbor-group inet6-customers-partial-w-default ignore-connected-check address-family ipv6 unicast send-community-ebgp maximum-prefix 20 90 restart 2 route-policy mp64_common_out( inet6_rejects, rpm64_out_customer, a-on-net ) out remove-private-AS default-originate ! !! ** Use Example for Customer Session 192.168.0.1 ** !! ! !! neighbor 192.168.0.1 !! remote-as 64512 !! use neighbor-group inet-customers-default !! address-family ipv4 unicast !! route-policy mpd_customer_in(CUSTOMER:AS64512, ipv4_no-export_smalls) in !! ! ! !! Execution completed for dcr02.bos01 (ASR 9906 (Torchwood)) >