Cisco
The configuration snippets are provided for conformance checking only; they are not intended as implementation guidance. The set of features available depends on the specific platform in use, and not all products support all of these features.
Description for Scenarios

Scenario | Action
---|---
Scenario 1 Filtering | Action 1. Prevent propagation of incorrect routing information
Scenario 2 Anti-spoofing | Action 2. Prevent traffic with illegitimate source IP addresses
Scenario 3 Filtering (IXP) | Action 1. Prevent propagation of incorrect routing information (Route Server)
Scenario 4 Protect L2 (IXP) |
Implementation of MANRS Action 1
Scenario 1 Filtering
Creating filters based on prefix lists:

OS/Product line: IOS-XR

```
prefix-set pfxs
  192.1.0.0/16,
  192.2.0.0/16 ge 16
end-set
!
route-policy asd
  if destination in pfxs then
    pass
  endif
end-policy
```

Routes whose prefix is in the set are passed; every other route is dropped, because an IOS-XR route policy drops any route it does not explicitly pass. The policy still has to be attached to the neighbour with `route-policy asd in` under its address-family (the as-path example below shows this). `192.2.0.0/16 ge 16` accepts the /16 and every more-specific down to /32; for a customer filter add an upper bound such as `le 24` so that only the lengths the customer is registered to announce get through.

OS/Product line: IOS-XE

```
router bgp 2
 neighbor 10.10.10.1 remote-as 1
 !
 address-family ipv4
  neighbor 10.10.10.1 activate
  neighbor 10.10.10.1 prefix-list example-list in
 exit-address-family
!
ip prefix-list example-list seq 5 permit 192.1.0.0/16
```

or, applying the same prefix list through a route-map:

```
router bgp 2
 neighbor 10.10.10.1 remote-as 1
 !
 address-family ipv4
  neighbor 10.10.10.1 activate
  neighbor 10.10.10.1 route-map example-map in
 exit-address-family
!
ip prefix-list example-list seq 5 permit 192.1.0.0/16
!
route-map example-map permit 10
 match ip address prefix-list example-list
```

Both forms end in an implicit deny: only 192.1.0.0/16 exactly is accepted (add `le` to allow more-specifics), and a route-map with only permit clauses denies every route that matches none of them.

Creating filters based on as-path:
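Prefix filters like the ones above are normally generated from the customer's registered prefixes rather than typed by hand. The following Python script is an added example, not code from the Cisco page: it takes a constructed list of (prefix, maximum accepted length) pairs, validates them, and renders both the IOS-XR prefix-set and the IOS-XE prefix-list form, expressing the maximum length as `le` so that more-specifics beyond what the customer registered are rejected. The prefix data, set and list names are hypothetical.

```python
import ipaddress

# Constructed sample input (hypothetical, not from the page): prefixes a customer
# is allowed to announce and the longest more-specific we accept for each, as an
# IRR route object or an RPKI ROA maxLength would give it.
CUSTOMER_PREFIXES = [
    ("192.1.0.0/16", 16),    # exact /16 only
    ("192.2.0.0/16", 24),    # the /16 and more-specifics down to /24
    ("2001:db8::/32", 48),
]


def normalise(entries):
    """Validate (prefix, maxlen) pairs and split them by address family.

    Rejects host bits and a maxlen outside [prefixlen, 32/128]; either would
    silently produce a filter that accepts nothing or the wrong prefixes.
    Returns two sorted lists of (network, maxlen): IPv4 then IPv6.
    """
    v4, v6 = {}, {}
    for pfx, maxlen in entries:
        net = ipaddress.ip_network(pfx)          # strict=True: host bits raise
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError(f"bad maxlen {maxlen} for {net}")
        fam = v4 if net.version == 4 else v6
        fam[net] = max(fam.get(net, 0), maxlen)  # keep the looser of duplicates
    return sorted(v4.items()), sorted(v6.items())


def _entry(net, maxlen):
    # Exact match needs no qualifier; otherwise "le maxlen" bounds the more-specifics.
    return str(net) if maxlen == net.prefixlen else f"{net} le {maxlen}"


def iosxr_prefix_set(name, entries):
    """Render an IOS-XR prefix-set (comma after every entry except the last)."""
    if not entries:
        raise ValueError("an empty prefix-set would match nothing")
    body = ["  " + _entry(n, m) for n, m in entries]
    lines = [f"prefix-set {name}"] + [b + "," for b in body[:-1]] + [body[-1], "end-set"]
    return "\n".join(lines)


def iosxe_prefix_list(name, entries, afi):
    """Render IOS-XE 'ip'/'ipv6 prefix-list' lines, seq numbers in steps of 5."""
    kw = {4: "ip", 6: "ipv6"}[afi]
    return "\n".join(
        f"{kw} prefix-list {name} seq {5 * (i + 1)} permit {_entry(n, m)}"
        for i, (n, m) in enumerate(entries)
    )


if __name__ == "__main__":
    v4, v6 = normalise(CUSTOMER_PREFIXES)
    print(iosxr_prefix_set("pfxs", v4))
    print(iosxe_prefix_list("example-list", v4, 4))
    print(iosxe_prefix_list("example-list-v6", v6, 6))
```

The generated IOS-XR set still has to be referenced from a route-policy that passes matching prefixes, and the IOS-XE list applied with `neighbor ... prefix-list ... in`, exactly as in the snippets above.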
OS/Product line: IOS-XR

```
as-set asset1
  2914,
  174,
  3356
end-set
!
route-policy asd
  if as-path originates-from asset1 then
    pass
  endif
end-policy
!
router bgp 100
 address-family ipv4 unicast
 !
 neighbor 11.11.11.5
  address-family ipv4 unicast
   route-policy asd in
```

OS/Product line: IOS-XE

```
ip as-path access-list 1 permit ^4_[0-9]*$
!
router bgp 1
 neighbor 4.4.4.4 remote-as 4
 address-family ipv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 route-map foo in
!
route-map foo permit 10
 match as-path 1
```

In a Cisco as-path regex `_` matches an AS delimiter or the start or end of the path, so `^4_[0-9]*$` matches an AS_PATH that is either `4` alone or `4` followed by exactly one more AS: routes originated by neighbour AS 4 itself or by one of its directly connected customers. Paths read left to right from the neighbour to the origin, and anything the access list does not permit is dropped by its implicit deny.

Creating filters based on RPKI:
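Cisco's `_` has no direct equivalent in ordinary regex engines, which makes as-path filters easy to misread. The following Python script is an added example, not code from the Cisco page: it translates a Cisco as-path regex into a Python regex and applies a permit-only as-path access list (implicit deny) to a constructed set of routes, so the effect of `^4_[0-9]*$` and of an origin match like `_2914$` can be checked offline. Route data and function names are hypothetical.

```python
import re

# In Cisco AS-path regexes "_" matches an AS delimiter or the start/end of the
# path: space, comma, the braces of an AS_SET, the parentheses of a confederation
# segment, "^" or "$". Python has no such class, so translate it explicitly.
# Assumes "_" is used only as that delimiter, not inside a character class.
_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def cisco_aspath_to_python(expr):
    """Translate a Cisco 'ip as-path access-list' regex into a Python regex."""
    return expr.replace("_", _UNDERSCORE)


def aspath_matches(expr, as_path):
    """True if the Cisco-style regex matches AS_PATH written as the router shows it:
    leftmost AS is the neighbour, rightmost AS is the origin."""
    return re.search(cisco_aspath_to_python(expr), as_path) is not None


def filter_routes(expr, routes):
    """Apply a permit-only as-path access-list to (prefix, as_path) pairs.
    Like the router, anything not permitted is dropped by the implicit deny."""
    return [prefix for prefix, path in routes if aspath_matches(expr, path)]


# Constructed routes received from neighbour AS 4 (hypothetical data).
ROUTES = [
    ("203.0.113.0/24", "4"),                # originated by AS 4 itself
    ("198.51.100.0/24", "4 65001"),         # one customer behind AS 4
    ("192.0.2.0/24", "4 65001 65002"),      # two hops deep: denied
    ("10.10.0.0/16", "44"),                 # AS 44, not AS 4: denied
    ("10.20.0.0/16", "65003 4"),            # AS 4 is not the neighbour: denied
]

if __name__ == "__main__":
    print(filter_routes("^4_[0-9]*$", ROUTES))   # ['203.0.113.0/24', '198.51.100.0/24']
```

The `44` case is the one people get wrong: without the `_` the pattern `^4[0-9]*$` would also match AS 44, which is why the delimiter class matters.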
OS/Product line: IOS-XR

```
route-policy rpki
  if validation-state is invalid then
    drop
  endif
  pass
end-policy
!
router bgp 3
 rpki server 1.2.3.4
  password encrypted 13071810
  username alice
  transport ssh port 22
 !
 address-family ipv4 unicast
  bgp origin-as validation enable
 !
 neighbor 11.11.11.5
  address-family ipv4 unicast
   route-policy rpki in
```

The `pass` after the `endif` is required: an IOS-XR route policy drops every route it does not explicitly pass, so a policy that only contains the `drop` branch would discard valid and not-found routes as well as invalid ones. Routes with no covering ROA (validation-state not-found) are deliberately kept; dropping them would cut off all unsigned address space.

OS/Product line: IOS-XE

```
router bgp 65000
 address-family ipv4 unicast
  neighbor 10.0.102.1 route-map rtmap-PEX1-3 in
!
route-map rtmap-PEX1-3 deny 10
 match rpki invalid
!
route-map rtmap-PEX1-3 permit 20
```

The `permit 20` clause with no match condition is what lets valid and not-found routes through; without it the route-map's implicit deny would reject them. On IOS-XE the router also needs a connection to an RPKI cache (`bgp rpki server` under `router bgp`, omitted from this snippet); until the cache is reachable every route is scored not-found and the `deny 10` clause never matches.

Applicability:
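What `validation-state is invalid` and `match rpki invalid` actually test is defined by RFC 6811 route origin validation: a route is invalid only when some ROA covers its prefix but none matches both its origin AS and its length. The following Python script is an added example, not code from the Cisco page: it validates constructed announcements against a constructed set of VRPs (what the router learns from the cache configured with `rpki server`) and then applies the page's policy of dropping invalid routes while keeping valid and not-found ones. Prefixes, AS numbers and function names are hypothetical.

```python
import ipaddress

# Constructed Validated ROA Payloads (VRPs) as the router would learn them from the
# RPKI cache: (prefix, maxLength, origin AS). Hypothetical data, not from the page.
VRPS = [
    ("192.1.0.0/16", 16, 64496),
    ("192.2.0.0/16", 24, 64496),
    ("2001:db8::/32", 32, 64497),
]


def validation_state(prefix, origin_as, vrps=VRPS):
    """RFC 6811 route origin validation.

    valid     : some VRP covers the prefix, its AS matches and prefixlen <= maxLength
    invalid   : at least one VRP covers the prefix but none makes it valid
    not-found : no VRP covers the prefix at all (unsigned space)
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, maxlen, asn in vrps:
        roa = ipaddress.ip_network(roa_prefix)
        if roa.version != net.version or not net.subnet_of(roa):
            continue
        covered = True
        if asn == origin_as and net.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covered else "not-found"


def origin_as(as_path):
    """Origin AS = rightmost AS of the path. A path ending in an AS_SET ({...}) has
    no single origin, so a covered route with such a path scores invalid here."""
    last = as_path.split()[-1]
    return None if last.startswith("{") else int(last)


def apply_rpki_policy(routes, vrps=VRPS):
    """Model the page's route-policy: drop 'invalid', pass 'valid' and 'not-found'.
    Returns the (prefix, state) pairs that are kept."""
    kept = []
    for prefix, as_path in routes:
        state = validation_state(prefix, origin_as(as_path), vrps)
        if state != "invalid":
            kept.append((prefix, state))
    return kept


# Constructed announcements (hypothetical): (prefix, AS_PATH as received).
ROUTES = [
    ("192.1.0.0/16", "65000 64496"),     # valid: exact ROA match
    ("192.1.0.0/24", "65000 64496"),     # invalid: /24 exceeds maxLength 16 (forged more-specific)
    ("192.2.0.0/24", "65000 64496"),     # valid: within maxLength 24
    ("192.2.0.0/16", "65000 64511"),     # invalid: wrong origin AS
    ("203.0.113.0/24", "65000 64511"),   # not-found: no ROA, still accepted
]

if __name__ == "__main__":
    for prefix, path in ROUTES:
        print(prefix, validation_state(prefix, origin_as(path)))
    print(apply_rpki_policy(ROUTES))
```

The second route is the case ROAs exist for: a more-specific hijack of signed space is rejected even though the origin AS is the right one, because the ROA's maxLength does not allow a /24.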
IOS-XR provides many ways to filter routes in BGP. These are some relevant examples. For more detail and more examples, see: https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-3/routing/command/reference/b-routing-cr-asr9000-73x/routing-policy-language-commands.html and https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-3/routing/configuration/guide/b-routing-cg-asr9000-73x/implementing-routing-policy.html For more detail regarding IOS-XE, see: https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13754-26.html#t5 and https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-xe-3s-book/bgp-origin-as-validation.html#d74041e2218a1635
Scenario 2 Anti-spoofing
Creating filters based on prefix lists:

IOS-XR, under interface configuration (the `?` shows the two modes):

```
RP/0/0/CPU0:R5(config-if)#ipv4 verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received
```

IOS-XE, under interface configuration:

```
ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [list]
```

where `list` is an optional ACL that is consulted for packets failing the check: packets the ACL permits are forwarded anyway, packets it denies are dropped. `rx` is strict uRPF: the packet is dropped unless the route to its source address points back out the receiving interface; this is the mode that enforces anti-spoofing on single-homed customer and access interfaces. `any` is loose uRPF: it only drops packets whose source address has no route at all, so it does not stop spoofing of any address that is routed, and combined with `allow-default` on a router that carries a default route it drops almost nothing. The `ipv6 verify unicast source reachable-via` form has to be configured separately for IPv6.

Implementing source address validation using access lists:
IOS-XE accepts an ACL as the last argument of the `ip verify unicast` command. Both platforms can also enforce source address validation with an ordinary ingress IP access list that permits only the customer's assigned prefixes as source addresses (`ip access-list` on IOS-XE, `ipv4 access-list` on IOS-XR).

Applicability:
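To see what each mode of `verify unicast source reachable-via` does to a spoofed packet, here is an added Python model, not code from the Cisco page, of the check run against a constructed FIB: strict (`rx`), loose (`any`), the `allow-default` keyword, and the trailing ACL, which this model treats as an exemption list for packets that fail the check (our reading of the `[list]` argument). Interface names, prefixes and packet samples are hypothetical, and the model assumes one best path per prefix (no ECMP).

```python
import ipaddress

# Constructed FIB of an edge router (hypothetical, not from the page):
# prefix -> the interface the router would use to reach it.
FIB = {
    "0.0.0.0/0": "Gi0/0/0",        # default route towards the upstream
    "198.51.100.0/24": "Gi0/0/1",  # single-homed customer A
    "203.0.113.0/24": "Gi0/0/2",   # single-homed customer B
}


def lookup(fib, addr):
    """Longest-prefix match: returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for pfx, intf in fib.items():
        net = ipaddress.ip_network(pfx)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best


def urpf_permits(fib, src, in_intf, mode, allow_default=False, exempt=()):
    """Model 'ip verify unicast source reachable-via {rx | any} [allow-default] [list]'
    for one packet. Simplification: one best path per prefix, no ECMP.

    rx  (strict): the route to src must point back out the receiving interface.
    any (loose) : any route to src is enough.
    A hit on 0.0.0.0/0 counts as 'no route' unless allow-default is set.
    exempt: prefixes the trailing ACL permits; a packet failing the check is
            forwarded anyway if its source matches one of them (assumption about
            the [list] argument, see the lead-in).
    """
    hit = lookup(fib, src)
    if hit is not None and hit[0].prefixlen == 0 and not allow_default:
        hit = None
    if hit is None:
        ok = False
    elif mode == "rx":
        ok = hit[1] == in_intf
    elif mode == "any":
        ok = True
    else:
        raise ValueError(f"unknown mode {mode}")
    if not ok and exempt:
        ip = ipaddress.ip_address(src)
        ok = any(ip in ipaddress.ip_network(p) for p in exempt)
    return ok


# Constructed packets: (source address, receiving interface). Hypothetical data.
PACKETS = [
    ("198.51.100.7", "Gi0/0/1"),   # customer A using its own space
    ("203.0.113.9", "Gi0/0/1"),    # customer A spoofing customer B's space
    ("192.0.2.1", "Gi0/0/1"),      # customer A spoofing an address with only a default route
]


def evaluate(fib, packets, mode, allow_default=False):
    """Return the source addresses of the sample packets that the given mode forwards."""
    return [src for src, intf in packets if urpf_permits(fib, src, intf, mode, allow_default)]


if __name__ == "__main__":
    print("rx             :", evaluate(FIB, PACKETS, "rx"))
    print("any            :", evaluate(FIB, PACKETS, "any"))
    print("any+allow-def  :", evaluate(FIB, PACKETS, "any", allow_default=True))
```

Running it shows the point made above: only strict mode stops customer A from sourcing customer B's addresses, and loose mode with `allow-default` forwards all three samples.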
Anti-spoofing is implemented as unicast reverse path filtering. See https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-6/ip-addresses/configuration/guide/b-ip-addresses-cg-asr9000-66x/b-ip-addresses-cg-asr9000-66x_chapter_01001.html#con_1093368
Scenario 3 Filtering (IXP)
Creating filters based on prefix lists:

IOS-XE supports the Route Server feature; the prefix-list configuration for Scenario 3 is the same as for Scenario 1.

Creating filters based on as-path:

IOS-XE supports the Route Server feature; the as-path configuration for Scenario 3 is the same as for Scenario 1.

Creating filters based on RPKI:

IOS-XE supports the Route Server feature; the RPKI configuration for Scenario 3 is the same as for Scenario 1.
Scenario 4 Protect L2 (IXP)
Creating controls preventing unwanted traffic:

IOS-XE:

```
(config)# mac access-list extended macext5
(config-ext-macl)# permit any host 0000.0000.0009
(config-ext-macl)# permit any host 0000.0000.0010
(config-ext-macl)# exit
(config)# interface gigabitEthernet 0/2/1
(config-if)# service instance 1120 ethernet
(config-if-srv)# encapsulation dot1q 141
(config-if-srv)# mac access-group macext5 in
```

The access-group must reference the list defined above (macext5). The two permit entries match on destination MAC, so the service instance forwards only frames addressed to those two stations and drops everything else through the implicit deny at the end of the list; to pin a member port to the member's own station instead, match its source MAC (`permit host <mac> any`).

IOS-XR:

```
(config)# ethernet-services access-list L2ACL2
(config-es-al)# 10 permit 00ff.eedd.0010
(config-es-al)# exit
(config)# interface gigabitethernet 0/2/0/
(config-if)# ethernet-services access-group L2ACL2 ingress
(config-if)# end
```

Applicability:
MAC access control lists for IOS-XE are described at: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/asr903/16-12-1/b-sec-data-acl-xe-16-12-asr900/m_mac-acl.html?dtid=osscdc000283

Layer 2 access lists for IOS-XR are described at: https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-4/lxvpn/configuration/guide/b-l2vpn-cg-asr9000-74x/implementing-of-layer-2-access-lists.html
Implementation of MANRS Action 2
Describe your implementation of Action 2-1:
Action 2-1 status: Not Implemented

Describe your implementation of Action 2-2:
Action 2-2 status: Implemented

Describe your implementation of Action 2-3:
Action 2-3 status: Planned

Describe your implementation of Action 2-4:
Action 2-4 status: Not Implemented