The configuration snippets are provided for conformance checking only; they are not intended as implementation guidance. The specific set of features depends on the platform in use, and not all products support these features.

Description for Scenarios

Scenario | Programme | Action
Scenario 1 Filtering | Network Operators; CDN & Cloud Providers | Action 1. Prevent propagation of incorrect routing information
Scenario 2 Anti-spoofing | Network Operators | Action 2. Prevent traffic with spoofed source IP addresses
Scenario 2 Anti-spoofing | CDN & Cloud Providers | Action 2. Prevent traffic with illegitimate source IP addresses
Scenario 3 Filtering (IXP) | IXPs | Action 1. Prevent propagation of incorrect routing information. (Route Server)
Scenario 4 Protect L2 (IXP) | IXPs | Action 3. Protect the peering platform (layer 2)

Implementation of MANRS Action 1

Scenario 1 Filtering

Creating filters based on prefix lists:
OS/Product line: IOS-XR

prefix-set pfxs
  192.1.0.0/16,
  192.2.0.0/16 ge 16
end-set
!
route-policy asd
  if destination in pfxs then
    pass
  endif
end-policy
!

OS/Product line: IOS-XE

router bgp 2
 neighbor 10.10.10.1 remote-as 1
 !
 address-family ipv4
  neighbor 10.10.10.1 activate
  neighbor 10.10.10.1 prefix-list example-list in
 exit-address-family
 !
!
ip prefix-list example-list seq 5 permit 192.1.0.0/16
 
or
 
router bgp 2
 neighbor 10.10.10.1 remote-as 1
 !
 address-family ipv4
  neighbor 10.10.10.1 activate
  neighbor 10.10.10.1 route-map example-map in
 exit-address-family
 !
!
ip prefix-list example-list seq 5 permit 192.1.0.0/16
!
route-map example-map permit 10
 match ip address prefix-list example-list

Creating filters based on as-path:
OS/Product line: IOS-XR

as-set asset1
  2914,
  174,
  3356
end-set
!
route-policy asd
  if as-path originates-from asset1 then
    pass
  endif
end-policy
!
router bgp 100
 address-family ipv4 unicast
 !
 neighbor 11.11.11.5
  address-family ipv4 unicast
   route-policy asd in

OS/Product line: IOS-XE

ip as-path access-list 1 permit ^4_[0-9]*$
 
router bgp 1
 neighbor 4.4.4.4 remote-as 4
 address-family ipv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 route-map foo in
 
route-map foo permit 10
 match as-path 1

Creating filters based on RPKI:
OS/Product line: IOS-XR

route-policy rpki
  if validation-state is invalid then
    drop
  else
    pass
  endif
end-policy
!
router bgp 3
 rpki server 1.2.3.4
  password encrypted 13071810
  username alice
  transport ssh port 22
 !
 address-family ipv4 unicast
  bgp origin-as validation enable
 !
 neighbor 11.11.11.5
  address-family ipv4 unicast
   route-policy rpki in

OS/Product line: IOS-XE

router bgp 65000
 address-family ipv4 unicast
 neighbor 10.0.102.1 route-map rtmap-PEX1-3 in
!
route-map rtmap-PEX1-3 deny 10
 match rpki invalid
!
route-map rtmap-PEX1-3 permit 20

Applicability:
IOS-XR provides many ways to filter routes in BGP. These are some relevant examples. For more detail and more examples, see:
https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-3/routing/command/reference/b-routing-cr-asr9000-73x/routing-policy-language-commands.html
and
https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-3/routing/configuration/guide/b-routing-cg-asr9000-73x/implementing-routing-policy.html

For more detail regarding IOS-XE, see:
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13754-26.html#t5
and
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-xe-3s-book/bgp-origin-as-validation.html#d74041e2218a1635
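
How a route ends up in the invalid state matched by the RPKI filters in Scenario 1, shown as an added Python example (not Cisco code and not part of the original page). It follows the RFC 6811 origin validation rules; the VRP entries, prefixes and AS numbers are constructed for illustration, and not-found routes are accepted as in the IOS-XE route-map (permit 20).

```python
import ipaddress

# Constructed sample VRPs (validated ROA payloads): (prefix, maxLength, origin AS).
# Documentation prefixes and reserved AS numbers, not values from the page.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("203.0.113.0/24", 25, 64501),
]

def validation_state(prefix, origin_as, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for a route (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue  # this VRP does not cover the route
        covered = True
        # A match needs the same origin AS and a prefix length within
        # maxLength; AS 0 in a VRP never matches any route.
        if vrp_as != 0 and origin_as == vrp_as and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"

def policy_action(prefix, origin_as, vrps=VRPS):
    """Drop invalid routes; valid and not-found routes are accepted."""
    return "drop" if validation_state(prefix, origin_as, vrps) == "invalid" else "pass"

if __name__ == "__main__":
    # Constructed announcements: (prefix, origin AS).
    routes = [
        ("192.0.2.0/24", 64500),     # matches a VRP
        ("192.0.2.0/24", 64511),     # covered, wrong origin AS
        ("203.0.113.0/26", 64501),   # covered, longer than maxLength
        ("198.51.100.0/24", 64500),  # no covering VRP
    ]
    for prefix, asn in routes:
        print(prefix, asn, validation_state(prefix, asn), policy_action(prefix, asn))
```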

Scenario 2 Anti-spoofing

Creating filters based on prefix lists:
IOS-XR:
Under interface configuration:
RP/0/0/CPU0:R5(config-if)#ipv4 verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received

IOS-XE:
Under interface configuration:
ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [list]
Where list is a list of ACLs.

Implementing source address validation using access lists:
IOS-XE provides for a list of ACLs in the ip verify unicast command. Both IOS-XE and IOS-XR provide for IP access lists in the ip access-list command.

Applicability:
Anti-spoofing is implemented as unicast reverse path filtering. See
https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-6/ip-addresses/configuration/guide/b-ip-addresses-cg-asr9000-66x/b-ip-addresses-cg-asr9000-66x_chapter_01001.html#con_1093368
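
The difference between reachable-via rx (strict) and reachable-via any (loose), and the effect of allow-default, shown as an added Python model of the reverse-path check (not Cisco code and not part of the original page). The FIB entries and interface names are constructed, and the model assumes a single path per prefix with no ACL fallback.

```python
import ipaddress

# Constructed FIB for illustration: (prefix, outgoing interface).
FIB = [
    ("0.0.0.0/0", "Gi0/0/0"),        # default route towards the upstream
    ("192.0.2.0/24", "Gi0/0/1"),     # customer A
    ("198.51.100.0/24", "Gi0/0/2"),  # customer B
]

def lookup(src, fib=FIB):
    """Longest-prefix match for a source address: (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_permits(src, in_if, mode, allow_default=False, fib=FIB):
    """Model of the uRPF decision for a packet from src received on in_if.

    mode 'rx'  : source must be reachable via the receiving interface (strict)
    mode 'any' : source must be reachable via some interface (loose)
    """
    match = lookup(src, fib)
    if match is None:
        return False                 # no route back to the source
    net, out_if = match
    if net.prefixlen == 0 and not allow_default:
        return False                 # default route alone does not count
    if mode == "any":
        return True
    return out_if == in_if           # strict: reverse path must use in_if

if __name__ == "__main__":
    # Constructed packets: (source address, receiving interface).
    packets = [
        ("192.0.2.10", "Gi0/0/1"),    # customer A from its own port
        ("198.51.100.7", "Gi0/0/1"),  # customer B address on customer A port
        ("203.0.113.5", "Gi0/0/1"),   # source covered only by the default route
    ]
    for src, in_if in packets:
        print(src, in_if,
              "rx:", urpf_permits(src, in_if, "rx"),
              "any:", urpf_permits(src, in_if, "any"))
```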

Scenario 3 Filtering (IXP)

Creating filters based on prefix lists:
IOS-XE supports the Route Server feature and the configuration of Scenario 3 is the same as for Scenario 1.
Creating filters based on as-path:
IOS-XE supports the Route Server feature and the configuration of Scenario 3 is the same as for Scenario 1.
Creating filters based on RPKI:
IOS-XE supports the Route Server feature and the configuration of Scenario 3 is the same as for Scenario 1.

Scenario 4 Protect L2 (IXP)

Creating controls preventing unwanted traffic:
IOS-XE:
(config)#mac access-list extended macext5
(config-ext-macl)#permit any host 0000.0000.0009
(config-ext-macl)#permit any host 0000.0000.0010
(config-ext-macl)# exit
(config)# interface gigabitEthernet 0/2/1
(config-if)# service instance 1120 ethernet
(config-if-srv)# encapsulation dot1q 141
(config-if-srv)# mac access-group macext5 in

IOS-XR:
(config)# ethernet-services access-list L2ACL2
(config-es-al)# 10 permit 00ff.eedd.0010
(config-es-al)# end
(config)# interface gigabitethernet 0/2/0/
(config-if)# ethernet-services access-group L2ACL2 ingress
(config-if)# end

Applicability:
MAC access control lists are described at:
IOS-XE:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/asr903/16-12-1/b-sec-data-acl-xe-16-12-asr900/m_mac-acl.html?dtid=osscdc000283

Layer 2 Access Lists
IOS-XR:
https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-4/lxvpn/configuration/guide/b-l2vpn-cg-asr9000-74x/implementing-of-layer-2-access-lists.html

Implementation of MANRS Action 2

Describe your implementation of Action 2-1:

Action 2-1 status: Not Implemented

Describe your implementation of Action 2-2:

Action 2-1 status: Implemented

Describe your implementation of Action 2-3:

Action 2-1 status: Planned

Describe your implementation of Action 2-4:

Action 2-1 status: Not Implemented