Arrcus Inc
Visit their website
The configuration snippets provided for conformance check only, they are not intended as the implementation guidance. Specific set of features depend on the specific platform that is being used. Not all the products may support these features.
Description for Scenarios
| Scenario | Programme | Action |
|---|---|---|
Scenario 1 Filtering | Action1. Prevent propagation of incorrect routing information | |
Scenario 2 Anti-spoofing | ||
Action 2. Prevent traffic with illegitimate source IP addresses | ||
Scenario 3 Filtering (IXP) | Action 1. Prevent propagation of incorrect routing information. (Route Server) | |
Scenario 4 Protect L2 (IXP) |
Implementation of MANRS Action 1
Scenario 1 Filtering
Creating filters based on prefix lists:routing-policy defined-sets prefix-set my-prefix-policy
prefix 10.0.0.0/8 16..24
prefix 10.0.0.0/8 exact
prefix 20.1.0.0/16 16..24
prefix 20.2.0.0/16 20..24
routing-policy policy-definition my-prefix-rpol
statement 10
conditions match-prefix-set prefix-set my-prefix-policy
actions accept-route
statement 20
actions reject-route
network-instance default
protocol BGP bgp
neighbor 201.0.0.1
afi-safi IPV4_UNICAST
apply-policy import-policy [ my-prefix-rpol ]Creating filters based on as-path:
routing-policy defined-sets bgp-defined-sets as-path-set my-as-path-policy
as-path-set-member [ 61005 "^200 600 .*" ]
routing-policy policy-definition my-as-path-rpol
statement 10
conditions bgp-conditions match-as-path-set as-path-set my-as-path-policy
actions accept-route
statement 20
actions reject-route
network-instance default
protocol BGP bgp
neighbor 201.0.0.1
afi-safi IPV4_UNICAST
apply-policy import-policy [ my-as-path-rpol ]Creating filters based on RPKI:
routing-policy policy-definition my-rov-rpol
statement valid
conditions bgp-conditions rov-state-eq VALID
actions accept-route
actions bgp-actions set-local-pref 200
statement invalid
conditions bgp-conditions rov-state-eq INVALID
actions reject-route
statement unknown
conditions bgp-conditions rov-state-eq UNKNOWN
actions accept-route
actions bgp-actions set-local-pref 90
neighbor 201.0.0.1
afi-safi IPV4_UNICAST
apply-policy import-policy [ my-rov-rpol ]Applicability:
RPKI based filtering is available starting with the upcoming ArcOS release in early Q1 2022.
Scenario 2 Anti-spoofing
Creating filters based on prefix lists:In the roadmap.Implementing source address validation using access lists:
acl acl-set acl_ingress_ipv4 ACL_IPV4 acl-entry 1 ipv4 source-address 205.0.0.0/24 actions forwarding-action ACCEPT interface swp3 acl-service-policies ingress-acl-sets acl-set ACL_IPV4 set-name acl_ingress_ipv4Applicability:
ACL is supported on hardware platforms.
Scenario 3 Filtering (IXP)
Creating filters based on prefix lists:routing-policy defined-sets prefix-set my-prefix-policy
prefix 10.0.0.0/8 16..24
prefix 10.0.0.0/8 exact
prefix 20.1.0.0/16 16..24
prefix 20.2.0.0/16 20..24
routing-policy policy-definition my-prefix-rpol
statement 10
conditions match-prefix-set prefix-set my-prefix-policy
actions accept-route
statement 20
actions reject-route
network-instance default
protocol BGP bgp
neighbor 201.0.0.1
afi-safi IPV4_UNICAST
apply-policy import-policy [ my-prefix-rpol ]Creating filters based on as-path:
routing-policy defined-sets bgp-defined-sets as-path-set my-as-path-policy
as-path-set-member [ 61005 "^200 600 .*" ]
routing-policy policy-definition my-as-path-rpol
statement 10
conditions bgp-conditions match-as-path-set as-path-set my-as-path-policy
actions accept-route
statement 20
actions reject-route
network-instance default
protocol BGP bgp
neighbor 201.0.0.1
afi-safi IPV4_UNICAST
apply-policy import-policy [ my-as-path-rpol ]Creating filters based on RPKI:
routing-policy policy-definition my-rov-rpol
statement valid
conditions bgp-conditions rov-state-eq VALID
actions accept-route
actions bgp-actions set-local-pref 200
statement invalid
conditions bgp-conditions rov-state-eq INVALID
actions reject-route
statement unknown
conditions bgp-conditions rov-state-eq UNKNOWN
actions accept-route
actions bgp-actions set-local-pref 90
network-instance default
protocol BGP bgp
neighbor 201.0.0.1
afi-safi IPV4_UNICAST
apply-policy import-policy [ my-rov-rpol ]Applicability:
RPKI based filtering is available starting with the upcoming ArcOS release in early Q1 2022.
To ensure next-hop is unchanged when sending update to client, apply next-hop UNCHANGED. For example,
network-instance default
protocol BGP bgp
neighbor 201.0.0.1
afi-safi IPV4_UNICAST
next-hop UNCHANGEDImplementation of MANRS Action 2
Describe your implementation of Action 2-1:Action 2-1 status: Planned
Describe your implementation of Action 2-2:
Action 2-1 status: Implemented
Describe your implementation of Action 2-3:
Action 2-1 status: Planned
Describe your implementation of Action 2-4:
Action 2-1 status: Planned
Why Arrcus Inc Supports MANRS
In our hyper-connected world, secure networks are critical to ensuring robust and reliable infrastructure worldwide. Arrcus strongly endorses the MANRS belief that security is a key tenet of the global network architecture - it has been a key guiding principle for us as we have built our ACE platform to support enterprise and service provider customers. Arrcus is proud to support MANRS and the important work being done developing standards to help ensure a more securely connected global internet.