FTOS Template

The actual commands are in BOLD text so that they stand out from the comment blocks.

! Our ASN is 111
router bgp 111
! Be a little more forgiving of an occasional missed keepalive.
 no bgp fast-external-fallover
! Set the router ID to the loopback IP address of the router.
 bgp router-id
! Track and punt, via syslog, all interesting observations about our
! neighbors. This command is enabled by default.
 bgp log-neighbor-changes
! Announce our netblock(s) in a manner that does not increase CPU
! utilization. Redistributing from an IGP is dangerous as it increases
! the likelihood of flapping and instability. Redistributing static is
! more stable, but requires the CPU to peruse the routing table at a set
! interval to capture any changes. The network statement, combined with
! a null route, is the least expensive (in terms of CPU utilization) and
! most reliable (in terms of stability) option.
! Our first neighbor,, is an eBGP peer with the ASN of 333.
 neighbor remote-as 333
! Set for soft reconfiguration, thus preventing a complete withdrawal
! of all announced prefixes when clear ip bgp x.x.x.x is typed.
 neighbor soft-reconfiguration inbound
! Type in a description for future reference. Not everyone memorizes
! ASNs. :-)
 neighbor description "eBGP with ISP333"
! Set up a password for authentication.
 neighbor password bgpwith333
! Block any inbound announcements that include bogon networks.
! See the actual bogons prefix-list below.
 neighbor distribute-list bogons in
! Announce only those networks we specifically list. This also prevents
! the network from becoming a transit provider. An added bit of protection
! and good netizenship. See the announce prefix-list below.
 neighbor distribute-list announce out
! Prevent a mistake or mishap by our peer (or someone with whom our peer
! has a peering agreement) from causing router meltdown by filling the
! routing and BGP tables. This is a hard limit. At 75% of this limit,
! FTOS will issue log messages warning that the neighbor is approaching
! the limit. All log messages should be sent to a remote syslog host.
! The warning watermark can be modified by placing a value after the
! maximum prefix value, e.g. maximum-prefix 250000 50. This will set
! FTOS to issue warning messages when the neighbor reaches 50% of the limit.
! Note that this number may need to be adjusted upward in the future to
! account for growth in the Internet routing table.
 neighbor maximum-prefix 250000
! Our next neighbor is, an eBGP peer with the ASN of 222.
 neighbor remote-as 222
 neighbor soft-reconfiguration inbound
 neighbor description "eBGP with ISP222"
 neighbor password bgpwith222
 neighbor distribute-list bogons in
 neighbor distribute-list announce out
 neighbor maximum-prefix 250000
! This is our iBGP peer,
 neighbor remote-as 111
 neighbor soft-reconfiguration inbound
! Again, a handy description.
 neighbor description "iBGP with our other router"
 neighbor password bgpwith111
! Use the loopback interface for iBGP announcements. This increases the
! stability of iBGP.
 neighbor update-source Loopback0
 neighbor next-hop-self
 neighbor distribute-list bogons in
 neighbor maximum-prefix 250000
! If we have multiple links on the same router to the same AS, we like to
! put them to good use. Load balance, per destination, with maximum-paths.
! The limit is sixteen. For our example, we will assume two equal size pipes
! to the same AS.
 maximum-paths ebgp 2
 maximum-paths ibgp 2
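The neighbor statements above repeat the same set of protections for every peer (authentication, an inbound bogon filter, an outbound announce filter for eBGP peers, a prefix limit and soft reconfiguration). Below is an added audit script, not part of the original template, that parses a "router bgp" block and reports which of those controls each neighbor is missing. The configuration text it checks is constructed for the example and uses RFC 5737 documentation addresses (192.0.2.x, 198.51.100.x) as placeholders; the second eBGP peer is deliberately left incomplete so the audit has something to report.

```python
"""Audit an FTOS 'router bgp' block for the per-neighbor hardening controls
the template applies: password, maximum-prefix, inbound bogon filter,
soft-reconfiguration, and (for eBGP peers) the outbound announce filter.

Added example, not part of the original template. The sample below is
constructed with RFC 5737 documentation addresses as placeholders.
"""
import re
from collections import defaultdict

# Constructed sample: peer .1 is fully hardened, peer .5 is missing its
# prefix limit, soft-reconfiguration and outbound filter, and 192.0.2.2 is
# the iBGP peer (same ASN as ours), which needs no outbound announce filter.
SAMPLE_CONFIG = """\
router bgp 111
 no bgp fast-external-fallover
 bgp router-id 192.0.2.1
 bgp log-neighbor-changes
 neighbor 198.51.100.1 remote-as 333
 neighbor 198.51.100.1 soft-reconfiguration inbound
 neighbor 198.51.100.1 description "eBGP with ISP333"
 neighbor 198.51.100.1 password bgpwith333
 neighbor 198.51.100.1 distribute-list bogons in
 neighbor 198.51.100.1 distribute-list announce out
 neighbor 198.51.100.1 maximum-prefix 250000
 neighbor 198.51.100.5 remote-as 222
 neighbor 198.51.100.5 description "eBGP with ISP222"
 neighbor 198.51.100.5 password bgpwith222
 neighbor 198.51.100.5 distribute-list bogons in
 neighbor 192.0.2.2 remote-as 111
 neighbor 192.0.2.2 soft-reconfiguration inbound
 neighbor 192.0.2.2 password bgpwith111
 neighbor 192.0.2.2 update-source Loopback0
 neighbor 192.0.2.2 next-hop-self
 neighbor 192.0.2.2 distribute-list bogons in
 neighbor 192.0.2.2 maximum-prefix 250000
 maximum-paths ebgp 2
"""

ROUTER_BGP_RE = re.compile(r"^\s*router bgp\s+(\d+)")
NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+(.*)$")


def parse_bgp(config: str):
    """Return (local_asn, {peer_ip: [statement, ...]}) from an FTOS config."""
    local_asn = None
    peers = defaultdict(list)
    for line in config.splitlines():
        m = ROUTER_BGP_RE.match(line)
        if m:
            local_asn = int(m.group(1))
            continue
        m = NEIGHBOR_RE.match(line)
        if m:
            peers[m.group(1)].append(m.group(2).strip())
    return local_asn, dict(peers)


def audit_bgp(config: str):
    """Return {peer_ip: [missing control, ...]}; an empty list means compliant."""
    local_asn, peers = parse_bgp(config)
    findings = {}
    for ip, stmts in peers.items():
        remote = next((int(s.split()[1]) for s in stmts
                       if s.startswith("remote-as ")), None)
        is_ebgp = remote is not None and remote != local_asn
        missing = []
        if not any(s.startswith("password ") for s in stmts):
            missing.append("password")
        if not any(s.startswith("maximum-prefix ") for s in stmts):
            missing.append("maximum-prefix")
        if "distribute-list bogons in" not in stmts:
            missing.append("distribute-list bogons in")
        if "soft-reconfiguration inbound" not in stmts:
            missing.append("soft-reconfiguration inbound")
        # Only eBGP sessions need the outbound filter that keeps us from
        # becoming a transit provider; iBGP carries our own routes.
        if is_ebgp and "distribute-list announce out" not in stmts:
            missing.append("distribute-list announce out")
        findings[ip] = missing
    return findings


if __name__ == "__main__":
    for ip, missing in audit_bgp(SAMPLE_CONFIG).items():
        print(ip, "OK" if not missing else "MISSING: " + ", ".join(missing))
```

Run it against a saved "show running-config" to get one line per neighbor; the checks are string matches on the statement text, so a peer configured through a peer-group or template would need the group's statements merged in first.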
! Disable proxy ARP on each routed interface
no ip proxy-arp
! Now add our null route and the loopback/iBGP route. Remember to add
! more specific non-null routes so that the packets travel to their
! intended destination!
ip route Null0
ip route
ip route
ip route
ip route
! We protect TCP port 179 (BGP port) from miscreants by limiting
! access. Allow our peers to connect and log all other attempts.
! Remember to apply this ACL to the interfaces of the router or
! add it to existing ACLs.
! Please note that ACL block-bgp would block ALL traffic as written. This
! is designed to focus only on protecting BGP. You MUST modify ACL
! block-bgp to fit your environment and approved traffic patterns.
! This access list MUST then be applied to interface Loopback0.
ip access-list extended block-bgp
 seq 5 permit tcp host host eq 179
 seq 10 permit tcp host eq 179 host
 seq 15 permit tcp host host eq 179
 seq 20 permit tcp host eq 179 host
 seq 25 permit tcp host host eq 179
 seq 30 permit tcp host eq 179 host
 seq 35 deny tcp any any eq 179 log
! The announce prefix list prevents us from announcing anything beyond
! our aggregated netblock(s).
ip prefix-list announce
 description Our allowed routing announcements
 seq 5 permit
 seq 10 deny any
! Allow all prefixes up to /27. Your mileage may vary,
! so adjust this to fit your specific requirements.
 seq 525 permit le 27
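Prefix lists are evaluated in sequence order, the first matching entry decides, an entry without "ge"/"le" matches only that exact prefix length, and anything that falls through is denied. The following added script, not part of the original template, implements those rules so that candidate announcements can be checked against a list offline; it also flags entries that sit behind a catch-all such as "deny any" and can therefore never match. The two lists it parses are constructed for the example with RFC 5737 documentation prefixes: "announce" mirrors the template's outbound filter, and "max-length" carries the "permit ... le 27" rule as a standalone list.

```python
"""Evaluate candidate prefixes against FTOS-style 'ip prefix-list' entries:
sequence-ordered first match, optional 'ge'/'le' length qualifiers, implicit
deny at the end. Also reports entries shadowed by an earlier catch-all.

Added example, not part of the original template. The lists below are
constructed with RFC 5737 documentation prefixes as placeholders.
"""
import ipaddress
import re

HEADER_RE = re.compile(r"^\s*ip prefix-list\s+(\S+)")
ENTRY_RE = re.compile(
    r"^\s*seq\s+(\d+)\s+(permit|deny)\s+(any|\S+)"
    r"(?:\s+ge\s+(\d+))?(?:\s+le\s+(\d+))?\s*$"
)

# Constructed sample. 'seq 15' in 'announce' is a deliberate mistake: it
# follows 'deny any' and can never be reached.
SAMPLE_LISTS = """\
ip prefix-list announce
 description Our allowed routing announcements
 seq 5 permit 203.0.113.0/24
 seq 10 deny any
 seq 15 permit 203.0.113.0/25
ip prefix-list max-length
 seq 525 permit 0.0.0.0/0 le 27
"""


def parse_prefix_lists(text):
    """Return {name: [(seq, action, network|None, ge, le), ...]} sorted by seq."""
    lists, current = {}, None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = lists.setdefault(h.group(1), [])
            continue
        m = ENTRY_RE.match(line)
        if not m or current is None:
            continue  # description lines and anything outside a list
        seq, action, pfx, ge, le = m.groups()
        if pfx == "any":
            net, ge_len, le_len = None, 0, 32
        else:
            net = ipaddress.ip_network(pfx, strict=False)
            # No qualifier: exact length only. 'ge' alone: ge..32.
            # 'le' alone: the prefix's own length..le.
            ge_len = int(ge) if ge else net.prefixlen
            le_len = int(le) if le else (32 if ge else net.prefixlen)
        current.append((int(seq), action, net, ge_len, le_len))
    for entries in lists.values():
        entries.sort(key=lambda e: e[0])
    return lists


def entry_matches(entry, candidate):
    """True if the candidate network is covered by the entry and its length range."""
    _, _, net, ge_len, le_len = entry
    if not ge_len <= candidate.prefixlen <= le_len:
        return False
    return net is None or candidate.subnet_of(net)


def evaluate(entries, prefix):
    """Return (action, seq) of the first matching entry; ('deny', None) if none."""
    candidate = ipaddress.ip_network(prefix, strict=False)
    for entry in entries:
        if entry_matches(entry, candidate):
            return entry[1], entry[0]
    return "deny", None


def shadowed_entries(entries):
    """Sequence numbers that can never match because an earlier entry matches everything."""
    for i, (_, _, net, ge_len, le_len) in enumerate(entries):
        if net is None and ge_len == 0 and le_len == 32:
            return [e[0] for e in entries[i + 1:]]
    return []


if __name__ == "__main__":
    lists = parse_prefix_lists(SAMPLE_LISTS)
    for pfx in ("203.0.113.0/24", "203.0.113.0/25", "198.51.100.0/24"):
        print("announce", pfx, evaluate(lists["announce"], pfx))
    for pfx in ("198.51.100.0/27", "198.51.100.0/28"):
        print("max-length", pfx, evaluate(lists["max-length"], pfx))
    print("shadowed in announce:", shadowed_entries(lists["announce"]))
```

Two results are worth noting: the /25 inside our own /24 is denied by "announce" because the exact-length rule only permits the aggregate, which is the behaviour the template relies on to keep more-specific leaks off the wire, and "max-length" admits a /27 but not a /28.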