Frankfurt route server guide

Route server information

DE-CIX operates so-called route server systems (see RFC7947 for a detailed description) to facilitate the exchange of BGP announcements between peers at DE-CIX. Each peer needs only to set up a BGP connection to the route server in order to receive the BGP announcements of all other peers with a BGP connection to the route server.

In addition to the conventional route servers, DE-CIX also operates a so-called Blackholing route server in Frankfurt. This Blackholing route server only distributes BGP announcements marked as blackholes, which are typically used to fight massive DDoS attacks. Please also see our Blackholing Guide to learn more about this topic.

BGP session parameters

This section provides a brief overview of the BGP session parameters to connect to the conventional and Blackholing route servers:

  • rs1: 80.81.192.157 (IPv4), 2001:7f8::1a27:5051:c09d (IPv6)
  • rs2: 80.81.193.157 (IPv4), 2001:7f8::1a27:5051:c19d (IPv6)
  • rsbh (optional): 80.81.192.158 (IPv4), 2001:7f8::1a27:5051:c09e (IPv6)
  • AS: 6695
  • RIR macro (AS-SET): AS-DECIX (IPv4), AS-DECIX-V6 (IPv6)
  • Recommended prefix limit rs1/rs2 (your side): 350,000 (IPv4), 70,000 (IPv6)
  • Recommended prefix limit rsbh (your side): 15,000 (IPv4), 1,000 (IPv6)

BGP announcement filtering

This section describes the filtering mechanism that can be used to filter BGP announcements.

Your side

You can safely accept any BGP announcements received via the conventional and Blackholing route servers, as DE-CIX filters all incoming BGP announcements from all peers. The filtering mechanism is described below in the section "DE-CIX side".

If you additionally want to filter on your side based on AS-SETs, you can do so by using one or more of the following AS-SETs registered in the RIPE database:

RIR macro (AS-SET) and purpose:

  • AS-DECIX: AS-SETs of all DE-CIX FRA customers (IPv4)
  • AS-DECIX-V6: AS-SETs of all DE-CIX FRA customers (IPv6)
  • AS-DECIX-CONNECTED: ASNs of all DE-CIX FRA customers

DE-CIX side

At DE-CIX, the conventional and Blackholing route servers filter based on AS-path as well as IP prefixes. The BGP announcements that a route server receives from a peer are checked against the AS-SET the peer has provided. The AS-SET can be changed by contacting the DE-CIX Customer Service team.

How and what the route servers filter
The DE-CIX filters are updated every 6 hours. Don't forget to register your IP prefixes in the IRR database well in advance (at least 24h before announcing for the first time).

Bogon and Martian filtering
Please make sure not to announce routes that

  • are more specific than /24 (IPv4) or /48 (IPv6) (RFC7454)
  • have a BGP next-hop that differs from the IP of your own router
  • are bogons/martians (private and reserved IP prefixes as defined by RFC1918, RFC2544, RFC3927, RFC5735, RFC5737, RFC6598 and RFC6890)
  • are a DE-CIX peering LAN (please also do not announce any of our peering LANs in the DFZ!)
  • contain bogon ASNs in the BGP AS path (private and reserved ASN numbers as defined by RFC7607, RFC6793, RFC5398, RFC6996 and RFC7300)
  • differ in the leftmost ASN in the AS path from your own ASN
  • have an AS path length > 32
  • are less specific than /8 (IPv4) or /19 (IPv6) (RFC7454)

We will drop these kinds of routes.
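
A pre-announcement check that mirrors the list above, as an added example (not DE-CIX's filter code). The bogon prefix list is a partial, IPv4-only subset of the RFCs named; `precheck`, its reason codes, the sample ASN 1234 and the router address are constructed for illustration, and peering LAN prefixes are passed in by the caller because this page does not list them.

```python
import ipaddress

# Partial IPv4 bogon list built from the RFCs named above (constructed subset).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC1918
    "198.18.0.0/15",                                        # RFC2544
    "169.254.0.0/16",                                       # RFC3927
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",    # RFC5737
    "100.64.0.0/10",                                        # RFC6598
)]

# Reserved and private ASN ranges (inclusive).
BOGON_ASN_RANGES = [
    (0, 0),                                     # RFC7607
    (23456, 23456),                             # RFC6793 (AS_TRANS)
    (64496, 64511), (65536, 65551),             # RFC5398 (documentation)
    (64512, 65534), (4200000000, 4294967294),   # RFC6996 (private use)
    (65535, 65535), (4294967295, 4294967295),   # RFC7300 (last ASNs)
]

LENGTH_BOUNDS = {4: (8, 24), 6: (19, 48)}   # (shortest, longest) accepted length
MAX_AS_PATH_LEN = 32


def is_bogon_asn(asn):
    return any(low <= asn <= high for low, high in BOGON_ASN_RANGES)


def precheck(prefix, next_hop, as_path, own_asn, own_router_ip, peering_lans=()):
    """Return the reasons (in the order of the list above) a route would be dropped."""
    reasons = []
    net = ipaddress.ip_network(prefix)
    shortest, longest = LENGTH_BOUNDS[net.version]

    if net.prefixlen > longest:
        reasons.append("too-specific")
    if ipaddress.ip_address(next_hop) != ipaddress.ip_address(own_router_ip):
        reasons.append("next-hop")
    if any(net.version == b.version and net.subnet_of(b) for b in BOGON_PREFIXES):
        reasons.append("bogon-prefix")
    lans = [ipaddress.ip_network(lan) for lan in peering_lans]
    if any(net.version == lan.version and net.overlaps(lan) for lan in lans):
        reasons.append("peering-lan")
    if any(is_bogon_asn(asn) for asn in as_path):
        reasons.append("bogon-asn")
    if not as_path or as_path[0] != own_asn:
        reasons.append("leftmost-asn")
    if len(as_path) > MAX_AS_PATH_LEN:
        reasons.append("path-too-long")
    if net.prefixlen < shortest:
        reasons.append("too-short")
    return reasons


if __name__ == "__main__":
    # Constructed sample routes: (prefix, next hop, AS path, own ASN, own router IP)
    samples = [
        ("46.31.120.0/22", "192.0.2.1", [1234], 1234, "192.0.2.1"),
        ("46.31.120.0/25", "192.0.2.1", [1234], 1234, "192.0.2.1"),
        ("192.0.2.0/24", "192.0.2.1", [64500], 64500, "192.0.2.1"),
    ]
    for sample in samples:
        print(sample[0], precheck(*sample) or "ok")
```

The example ASN 64500 used in the sample configurations further down falls in the RFC5398 documentation range, so the check flags it, which is why those configurations say to replace it with your real ASN.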

Check the status of your routes
You can check the status of your announced routes to us in the DE-CIX Looking Glass – the reason why a route is filtered is also shown, as is a hint on how to fix the issue.

You can find more info on how to use the DE-CIX Looking Glass here.

IRR and RPKI validation
Any routes you announce will also be RPKI (RFC6811, RFC7115) validated and checked against Internet Routing Registry (IRR) data. The AS-SET you provide to us will be recursively resolved. Then filtering is executed as follows:

  • The origin ASN needs to be in the customer cone (make sure that your AS-SET is well maintained and that all your downstreams are included)
  • Is the route a blackhole (RFC7999)?
    • If not, the route undergoes strict RPKI validation filtering (both origin and maxLength):
      • If the result is RPKI Valid, the route is accepted (a missing route object will have no implication in this case).
      • If the result is RPKI Invalid, the route is rejected.
      • If the result is RPKI NotFound/Unknown, we check if the route is resolvable for its origin ASN (this will be the case if a proper route object exists) and it might get accepted or rejected depending on the result.**
         
    • If it is, the route undergoes loose RPKI validation filtering (origin only):
      • If the result is RPKI Valid, the route is accepted.
      • If the result is RPKI Invalid, the route is rejected.
      • If the result is RPKI NotFound/Unknown, we check if the route is resolvable for its origin ASN (this will be the case if a proper route object exists) and it might get accepted or rejected depending on the result.**
Route server filters

**Loose filtering on IRRDB route objects
We perform loose filtering on IRRDB route objects. For example: If you have a route object for 46.31.120.0/21, we will also accept e.g. 46.31.120.0/22 and other more specifics (up to /24 and up to /32 for blackholes). If this is not a desired behavior, we strongly encourage you to create a ROA and set the maxLength attribute accordingly. As RPKI validation is performed before the IRRDB route object check, it will render all undesired more specifics as RPKI Invalid, which will result in rejection of these. Please note that this method only works for non-blackholes as we perform loose RPKI validation on blackholes (i.e. ignore maxLength).
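
The decision flow above, including the footnoted loose IRR matching, as an added example rather than DE-CIX's implementation. It assumes that an RPKI NotFound route is accepted exactly when a covering route object with the same origin exists; the function names, the ROA with maxLength 21 and the use of the example ASN 64500 as origin are constructed.

```python
import ipaddress

# Longest prefix accepted per the page: /24 (IPv4) and /48 (IPv6),
# or /32 and /128 when the route is a blackhole.
MAX_LEN = {(4, False): 24, (6, False): 48, (4, True): 32, (6, True): 128}


def rpki_state(prefix, origin, roas, strict=True):
    """RFC6811 origin validation. strict=False ignores maxLength (origin only)."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_length, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa_asn == origin and (not strict or net.prefixlen <= max_length):
            return "Valid"
    return "Invalid" if covered else "NotFound"


def irr_resolvable(prefix, origin, route_objects, blackhole):
    """Loose IRR match: a route object also covers its more specifics."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > MAX_LEN[(net.version, blackhole)]:
        return False
    for obj_prefix, obj_origin in route_objects:
        obj_net = ipaddress.ip_network(obj_prefix)
        if (obj_origin == origin and net.version == obj_net.version
                and net.subnet_of(obj_net)):
            return True
    return False


def decide(prefix, origin, customer_cone, roas, route_objects, blackhole=False):
    """Return (action, reason) for one announced route."""
    if origin not in customer_cone:
        return ("reject", "origin ASN not in customer cone")
    # Blackholes get loose validation (origin only), everything else strict.
    state = rpki_state(prefix, origin, roas, strict=not blackhole)
    if state == "Valid":
        return ("accept", "RPKI Valid")
    if state == "Invalid":
        return ("reject", "RPKI Invalid")
    if irr_resolvable(prefix, origin, route_objects, blackhole):
        return ("accept", "RPKI NotFound, route object found")
    return ("reject", "RPKI NotFound, no matching route object")


# Constructed sample data based on the 46.31.120.0/21 example above.
CONE = {64500}
ROUTE_OBJECTS = [("46.31.120.0/21", 64500)]
ROAS_MAX21 = [("46.31.120.0/21", 21, 64500)]   # ROA pinning maxLength to /21

if __name__ == "__main__":
    # No ROA: the /22 more specific passes on the loose route-object match.
    print(decide("46.31.120.0/22", 64500, CONE, [], ROUTE_OBJECTS))
    # With the ROA: the same /22 is RPKI Invalid and is rejected.
    print(decide("46.31.120.0/22", 64500, CONE, ROAS_MAX21, ROUTE_OBJECTS))
    # Blackhole /32: maxLength is ignored, so the ROA does not block it.
    print(decide("46.31.120.7/32", 64500, CONE, ROAS_MAX21, ROUTE_OBJECTS,
                 blackhole=True))
```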

Route server setup

The route server setup at DE-CIX Frankfurt consists of three machines: two conventional route servers and a blackhole route server. The software utilized to provide the route server service is BIRD. Only one of the two conventional route servers is required. However, in order to use the route server service, every peer is requested to connect to both machines for redundancy purposes, so that if one machine is out of order (e.g. maintenance), the route server service can still be used.

If the route server system receives a BGP announcement marked as a blackhole, the NO-EXPORT community and the BLACKHOLE Community are added if these communities are not already present. This makes sure each BGP announcement marked 'Blackhole' can be easily filtered and does not spread widely in the Internet routing system.

Route server control

Operational BGP Communities can be used to control various functions of the route server. With these communities, you can:

  • control the redistribution of advertised prefixes,
  • prepend your own AS up to three times,
  • trigger the calculation of a new alternate path (if available) for your advertised prefixes before commencing any maintenance tasks.

More information can be found here.

Route server prefix information

Informational BGP communities are used to signal various information about redistributed prefixes. The DE-CIX route servers tag all prefixes with certain BGP communities to indicate their origin. You can use this information to determine where a certain prefix has been injected into the DE-CIX switching platform. This gives you the possibility to filter routes learned from the route servers based on geographical location. 

More information can be found here.

Route server session types

We offer two session types:

Standard/public session (default)

  • We re-distribute all your announcements to other peers while honoring the BGP Communities which allow you to restrict your announcements
  • We advertise all announcements from other peers to you while honoring the BGP Communities which allow other peers to restrict their announcements

Monitor session

From an operational point of view, we advise setting up BGP sessions to both route servers, even if you do not want to peer with (i.e. advertise prefixes to) the route servers. This helps DE-CIX staff to quickly monitor the availability of each peer.

Please note that you are required to set up BGP sessions with (but don't need to advertise prefixes to) the DE-CIX route servers to be able to claim credits for the GlobePEER service. Otherwise DE-CIX may not be able to comply with its SLA (please see DE-CIX GlobePEER Technical Service Description - III. IP LAYER CONFIGURATION (ISO/OSI LAYER 3) - Interface configuration).

If your decision not to establish BGP sessions with the route servers was made due to your peering policy, please contact us to establish a monitoring-only session. You don’t have to advertise any prefixes and you won’t receive any prefixes from us during that session.

Sample configurations

The following section contains configuration examples for different router operating systems:

 

    !
    ! Config example for Cisco IOS
    ! Peer and session templates, (S)AFI format and some basic filtering
    ! DE-CIX route servers rs1, rs2, rsbh
    ! In this example, all three route servers are used for Blackholing. Recommended: Blackhole only via rsbh
    ! Your example ASN: 64500 (replace with your real ASN)
    ! Local preference route servers: 125
    ! Local preference Blackholing route server: 150
    !
    router bgp 64500
    bgp router-id <YOUR_ROUTER_ID>
    ! Requires all your sessions to reset to take effect (if not already enabled)
    bgp graceful-restart
    bgp graceful-restart restart-time 120
    bgp graceful-restart stalepath-time 360
    template peer-policy PP_DECIX_ROUTE_SERVERS_COMMON
    ! Optional: Keep a pre-ingress-route-map copy of the peer table (if you have the memory; useful for debugging)
    soft-reconfiguration inbound
    ! Strip private ASNs from BGP AS-PATH
    remove-private-as
    ! Send standard and extended BGP communities
    send-community both
    exit-peer-policy
    !
    template peer-policy PP_DECIX_ROUTE_SERVERS_4
    ! Apply ingress route map
    route-map RM_DECIX_ROUTE_SERVERS_IN in
    ! Apply egress IPv4 route map
    route-map RM_DECIX_ROUTE_SERVERS_OUT_4 out
    ! Please accept up to 350,000 IPv4 prefixes from us
    maximum-prefix 350000
    inherit peer-policy PP_DECIX_ROUTE_SERVERS_COMMON 1
    exit-peer-policy
    !
    template peer-policy PP_DECIX_ROUTE_SERVERS_6
    ! Apply ingress route map
    route-map RM_DECIX_ROUTE_SERVERS_IN in
    ! Apply egress IPv6 route map
    route-map RM_DECIX_ROUTE_SERVERS_OUT_6 out
    ! Please accept up to 70,000 IPv6 prefixes from us
    maximum-prefix 70000
    inherit peer-policy PP_DECIX_ROUTE_SERVERS_COMMON 1
    exit-peer-policy
    !
    template peer-session PS_DECIX_ROUTE_SERVERS
    ! ASN of DE-CIX route servers
    remote-as 6695
    ! The route servers are passive and waiting for your side to initiate the sessions
    transport connection-mode active
    ! Use BGP version 4 and skip version negotiation
    version 4
    ! Please do not use aggressive timers (60/180 should be fine) to reduce the risk of flapping sessions
    timers 60 180
    exit-peer-session
    !
    ! Our route servers are transparent: Ignore first AS in AS path not being your peer AS (i.e. 6695)
    no bgp enforce-first-as
    bgp log-neighbor-changes
    neighbor 80.81.192.157 inherit peer-session PS_DECIX_ROUTE_SERVERS
    neighbor 80.81.192.157 description RS1.FRA.DE-CIX.NET
    neighbor 2001:7F8::1A27:5051:C09D inherit peer-session PS_DECIX_ROUTE_SERVERS
    neighbor 2001:7F8::1A27:5051:C09D description RS1.FRA.DE-CIX.NET
    neighbor 80.81.193.157 inherit peer-session PS_DECIX_ROUTE_SERVERS
    neighbor 80.81.193.157 description RS2.FRA.DE-CIX.NET
    neighbor 2001:7F8::1A27:5051:C19D inherit peer-session PS_DECIX_ROUTE_SERVERS
    neighbor 2001:7F8::1A27:5051:C19D description RS2.FRA.DE-CIX.NET
    neighbor 80.81.192.158 inherit peer-session PS_DECIX_ROUTE_SERVERS
    neighbor 80.81.192.158 description RSBH.FRA.DE-CIX.NET
    neighbor 2001:7F8::1A27:5051:C09E inherit peer-session PS_DECIX_ROUTE_SERVERS
    neighbor 2001:7F8::1A27:5051:C09E description RSBH.FRA.DE-CIX.NET
    !
    address-family ipv4 unicast
    ! Some example IPv4 prefixes to announce
    network 192.0.2.0
    network 198.51.100.0
    network 203.0.113.0
    ! We do not support IPv6 over IPv4 transport
    no neighbor 2001:7F8::1A27:5051:C09D activate
    no neighbor 2001:7F8::1A27:5051:C19D activate
    no neighbor 2001:7F8::1A27:5051:C09E activate
    neighbor 80.81.192.157 activate
    neighbor 80.81.192.157 inherit peer-policy PP_DECIX_ROUTE_SERVERS_4
    neighbor 80.81.193.157 activate
    neighbor 80.81.193.157 inherit peer-policy PP_DECIX_ROUTE_SERVERS_4
    neighbor 80.81.192.158 activate
    neighbor 80.81.192.158 inherit peer-policy PP_DECIX_ROUTE_SERVERS_4
    ! Overwrite route-maps from peer policy template for rsbh
    neighbor 80.81.192.158 route-map RM_DECIX_BLACKHOLE_IN in
    neighbor 80.81.192.158 route-map RM_DECIX_BLACKHOLE_OUT out
    neighbor 80.81.192.158 maximum-prefix 15000
    exit-address-family
    !
    address-family ipv6 unicast
    ! Some example IPv6 prefixes to announce
    network 2001:DB8:1234::/48
    network 2001:DB8:ABCD::/48
    network 2001:DB8:FFFF::/48
    neighbor 2001:7F8::1A27:5051:C09D activate
    neighbor 2001:7F8::1A27:5051:C09D inherit peer-policy PP_DECIX_ROUTE_SERVERS_6
    neighbor 2001:7F8::1A27:5051:C19D activate
    neighbor 2001:7F8::1A27:5051:C19D inherit peer-policy PP_DECIX_ROUTE_SERVERS_6
    neighbor 2001:7F8::1A27:5051:C09E activate
    neighbor 2001:7F8::1A27:5051:C09E inherit peer-policy PP_DECIX_ROUTE_SERVERS_6
    ! Overwrite route-maps from peer policy template for rsbh
    neighbor 2001:7F8::1A27:5051:C09E route-map RM_DECIX_BLACKHOLE_IN in
    neighbor 2001:7F8::1A27:5051:C09E route-map RM_DECIX_BLACKHOLE_OUT out
    neighbor 2001:7F8::1A27:5051:C09E maximum-prefix 1000
    exit-address-family
    !
    ! Use new BGP community format
    ip bgp-community new-format
    !
    ! We will not advertise IPv4 prefixes less specific than /8 and more specific than /24
    ! Exception: Blackhole next-hop and/or BLACKHOLE Community is set.
    ! Please allow up to /32 if you wish to receive all blackholed prefixes from rs1/rs2. Recommended: Use rsbh for Blackholing
    ! Prefix list example: Allow every IPv4 prefix up to /32 from the route servers
    ip prefix-list PL_DECIX_ROUTE_SERVERS_IN_4 seq 5 permit 0.0.0.0/0 le 32
    !
    ! We will not advertise IPv6 prefixes less specific than /19 and more specific than /48
    ! Exception: Blackhole next-hop and/or BLACKHOLE Community is set.
    ! Please allow up to /128 if you wish to receive all blackholed prefixes from rs1/rs2. Recommended: Use rsbh for Blackholing
    ! Prefix list example: Allow every IPv6 prefix up to /128 from the route servers
    ipv6 prefix-list PL_DECIX_ROUTE_SERVERS_IN_6 seq 5 permit ::/0 le 128
    !
    ! We do not accept IPv4 prefixes less specific than /8 and more specific than /24
    ! Exception: Up to /32 allowed when Blackhole next-hop and/or BLACKHOLE Community is set
    ! Prefix list example: Make sure to only advertise your own IPv4 prefixes/those of your customers
    ip prefix-list PL_DECIX_ROUTE_SERVERS_OUT_4 seq 5 permit 192.0.2.0/24
    ip prefix-list PL_DECIX_ROUTE_SERVERS_OUT_4 seq 10 permit 203.0.113.0/24
    !
    ! We do not accept IPv6 prefixes less specific than /19 and more specific than /48
    ! Exception: Up to /128 allowed when Blackhole next-hop and/or BLACKHOLE Community is set
    ! Prefix list example: Make sure to only advertise your own IPv6 prefixes/those of your customers
    ipv6 prefix-list PL_DECIX_ROUTE_SERVERS_OUT_6 seq 5 permit 2001:DB8:1234::/48
    ipv6 prefix-list PL_DECIX_ROUTE_SERVERS_OUT_6 seq 10 permit 2001:DB8:FFFF::/48
    !
    ! Please allow up to /32 from the Blackholing route server
    ! Prefix list example: Allow every IPv4 prefix up to /32 from the Blackholing route server
    ip prefix-list PL_DECIX_BLACKHOLE_IN_4 seq 5 permit 0.0.0.0/0 le 32
    !
    ! Please allow up to /128 from the Blackholing route server
    ! Prefix list example: Allow every IPv6 prefix up to /128 from the Blackholing route server
    ipv6 prefix-list PL_DECIX_BLACKHOLE_IN_6 seq 5 permit ::/0 le 128
    !
    ! Prefix list example: IPv4 prefixes to blackhole (used for all route servers)
    ip prefix-list PL_DECIX_BLACKHOLE_OUT_4 seq 5 permit 198.51.100.0/24
    !
    ! Prefix list example: IPv6 prefixes to blackhole (used for all route servers)
    ipv6 prefix-list PL_DECIX_BLACKHOLE_OUT_6 seq 5 permit 2001:DB8:ABCD::/48
    !
    ! Route-Map example: Set local-preference for traditional route servers to 125
    route-map RM_DECIX_ROUTE_SERVERS_IN permit 10
    match ip address prefix-list PL_DECIX_ROUTE_SERVERS_IN_4
    match ipv6 address prefix-list PL_DECIX_ROUTE_SERVERS_IN_6
    set local-preference 125
    !
    ! Route-Map example:
    ! Use community 0:64501 for not allowing AS64501 to receive your prefixes
    ! Use extended community rt 0:65550 for not allowing AS65550 (4 byte ASN) to receive your prefixes
    ! Use community 6695:6695 for allowing the route servers to advertise your prefixes to all (other) peers
    ! For all available communities, please see "Route Server Control"
    route-map RM_DECIX_ROUTE_SERVERS_OUT_4 permit 10
    match ip address prefix-list PL_DECIX_ROUTE_SERVERS_OUT_4
    set community 6695:6695 0:64501 additive
    set extcommunity rt 0:65550 additive
    !
    ! Route-Map example: Blackhole IPv4 prefixes via traditional route servers (rs1/rs2) - omit if you use the Blackholing route server
    route-map RM_DECIX_ROUTE_SERVERS_OUT_4 permit 20
    match ip address prefix-list PL_DECIX_BLACKHOLE_OUT_4
    set community 6695:6695 additive
    set community 65535:666 additive
    !
    ! Route-Map example:
    ! Use community 0:6695 in combination with 6695:65550 to allow no one except AS65550 to receive your IPv6 prefixes
    route-map RM_DECIX_ROUTE_SERVERS_OUT_6 permit 10
    match ipv6 address prefix-list PL_DECIX_ROUTE_SERVERS_OUT_6
    set community 0:6695 additive
    set extcommunity rt 6695:65550 additive
    !
    ! Route-Map example: Blackhole IPv6 prefixes via traditional route servers (rs1/rs2) - omit if you use the Blackholing route server
    route-map RM_DECIX_ROUTE_SERVERS_OUT_6 permit 20
    match ipv6 address prefix-list PL_DECIX_BLACKHOLE_OUT_6
    set community 6695:6695 additive
    set community 65535:666 additive
    !
    ! Route-Map example: Set local-preference for Blackholing route server to 150
    route-map RM_DECIX_BLACKHOLE_IN permit 10
    match ip address prefix-list PL_DECIX_BLACKHOLE_IN_4
    match ipv6 address prefix-list PL_DECIX_BLACKHOLE_IN_6
    set local-preference 150
    !
    ! Route-Map example: Allow advertisement of blackholed prefixes to all peers (via Blackholing route server)
    route-map RM_DECIX_BLACKHOLE_OUT permit 10
    match ip address prefix-list PL_DECIX_BLACKHOLE_OUT_4
    match ipv6 address prefix-list PL_DECIX_BLACKHOLE_OUT_6
    set community 6695:6695 additive
    set community 65535:666 additive
    !

    !!
    !! Config example for Cisco IOS XR
    !! Session-, AF- and neighbor groups as well as some basic filtering
    !! DE-CIX route servers rs1, rs2, rsbh
    !! In this example, all three route servers are used for Blackholing. Recommended: Blackhole only via rsbh
    !! Your example ASN: 64500 (replace with your real ASN)
    !! Local preference route servers: 125
    !! Local preference Blackholing route server: 150
    !!
    !
    !! We do not accept IPv4 prefixes less specific than /8 and more specific than /24
    !! Exception: Up to /32 allowed when Blackhole next-hop and/or BLACKHOLE Community is set
    !! Prefix set example: Make sure to only advertise your own IPv4 prefixes/those of your customers
    prefix-set PS_DECIX_ROUTE_SERVERS_OUT_4
    192.0.2.0/24,
    203.0.113.0/24
    end-set
    !
    !! We do not accept IPv6 prefixes less specific than /19 and more specific than /48
    !! Exception: Up to /128 allowed when Blackhole next-hop and/or BLACKHOLE Community is set
    !! Prefix set example: Make sure to only advertise your own IPv6 prefixes/those of your customers
    prefix-set PS_DECIX_ROUTE_SERVERS_OUT_6
    2001:db8:1234::/48,
    2001:db8:ffff::/48
    end-set
    !
    !! Prefix set example: IPv4 prefixes to blackhole (used for all route servers)
    prefix-set PS_DECIX_BLACKHOLE_OUT_4
    198.51.100.0/24
    end-set
    !
    !! Prefix set example: IPv6 prefixes to blackhole (used for all route servers)
    prefix-set PS_DECIX_BLACKHOLE_OUT_6
    2001:db8:abcd::/48
    end-set
    !
    !! Use this community for allowing the route servers to advertise your prefixes to all peers
    !! For all available communities, please see "Route Server Control"
    !! Community set example: Community set for DE-CIX "advertise to all peers" community
    community-set CS_DECIX_ADVERTISE_TO_ALL_PEERS
    6695:6695
    end-set
    !
    community-set CS_DECIX_BLACKHOLE
    65535:666
    end-set
    !
    !! We will not advertise IPv4 prefixes less specific than /8 and more specific than /24
    !! Exception: Blackhole next-hop and/or BLACKHOLE Community is set.
    !! Please allow up to /32 if you wish to receive all blackholed prefixes from rs1/rs2. Recommended: Use rsbh for Blackholing
    !! Route Policy example: Allow every IPv4 prefix from the route servers and set local preference to 125
    route-policy RPL_DECIX_ROUTE_SERVERS_IN_4
    set local-preference 125
    pass
    end-policy
    !
    !! We will not advertise IPv6 prefixes less specific than /19 and more specific than /48
    !! Exception: Blackhole next-hop and/or BLACKHOLE Community is set.
    !! Please allow up to /128 if you wish to receive all blackholed prefixes from rs1/rs2. Recommended: Use rsbh for Blackholing
    !! Route Policy example: Allow every IPv6 prefix from the route servers and set local preference to 125
    route-policy RPL_DECIX_ROUTE_SERVERS_IN_6
    set local-preference 125
    pass
    end-policy
    !
    !! Route Policy example:
    !! Advertise IPv4 prefixes from prefix sets PS_DECIX_ROUTE_SERVERS_OUT_4 and PS_DECIX_BLACKHOLE_OUT_4 (prefixes to blackhole) to traditional route servers
    !! Use community 0:64501 for not allowing AS64501 to receive your prefixes
    !! Use extended community rt 0:65550 for not allowing AS65550 (4 byte ASN) to receive your prefixes
    !! Use community 6695:6695 for allowing the route servers to advertise your prefixes to all (other) peers
    !! Set DE-CIX BLACKHOLE Community
    !! For all available communities, please see "Route Server Control"
    route-policy RPL_DECIX_ROUTE_SERVERS_OUT_4
    if destination in PS_DECIX_ROUTE_SERVERS_OUT_4 then
    set community CS_DECIX_ADVERTISE_TO_ALL_PEERS additive
    set community (0:64501) additive
    set extcommunity rt (0:65550) additive
    pass
    !! Blackhole via traditional route servers (rs1/rs2) - omit if you use the Blackholing route server
    elseif destination in PS_DECIX_BLACKHOLE_OUT_4 then
    !! Allow all peers to receive your blackholed prefixes
    set community CS_DECIX_ADVERTISE_TO_ALL_PEERS additive
    !! Set BLACKHOLE Community
    set community CS_DECIX_BLACKHOLE additive
    pass
    else
    drop
    endif
    end-policy
    !
    !! Route Policy example:
    !! Advertise IPv6 prefixes from prefix sets PS_DECIX_ROUTE_SERVERS_OUT_6 and PS_DECIX_BLACKHOLE_OUT_6 (prefixes to blackhole) to traditional route servers
    !! Use community 0:6695 in combination with 6695:65550 to allow no one except AS65550 to receive your IPv6 prefixes
    !! Set DE-CIX BLACKHOLE Community
    route-policy RPL_DECIX_ROUTE_SERVERS_OUT_6
    if destination in PS_DECIX_ROUTE_SERVERS_OUT_6 then
    set community (0:6695) additive
    set extcommunity rt (6695:65550) additive
    pass
    !! Blackhole via traditional route servers (rs1/rs2) - omit if you use the Blackholing route server
    elseif destination in PS_DECIX_BLACKHOLE_OUT_6 then
    !! Allow all peers to receive your blackholed prefixes
    set community CS_DECIX_ADVERTISE_TO_ALL_PEERS additive
    !! Set BLACKHOLE Community
    set community CS_DECIX_BLACKHOLE additive
    pass
    else
    drop
    endif
    end-policy
    !
    !! Route Policy example: Allow every IPv4 prefix from Blackholing route server and set local preference to 150
    route-policy RPL_DECIX_BLACKHOLE_IN_4
    set local-preference 150
    pass
    end-policy
    !
    !! Route Policy example: Allow every IPv6 prefix from Blackholing route server and set local preference to 150
    route-policy RPL_DECIX_BLACKHOLE_IN_6
    set local-preference 150
    pass
    end-policy
    !
    !! Route Policy example: Allow advertisement of blackholed IPv4 prefixes to all peers (via Blackholing route server)
    route-policy RPL_DECIX_BLACKHOLE_OUT_4
    if destination in PS_DECIX_BLACKHOLE_OUT_4 then
    !! Allow all peers to receive your blackholed prefixes
    set community CS_DECIX_ADVERTISE_TO_ALL_PEERS additive
    !! Set BLACKHOLE Community
    set community CS_DECIX_BLACKHOLE additive
    pass
    else
    drop
    endif
    end-policy
    !
    !! Route Policy example: Allow advertisement of blackholed IPv6 prefixes to all peers (via Blackholing route server)
    route-policy RPL_DECIX_BLACKHOLE_OUT_6
    if destination in PS_DECIX_BLACKHOLE_OUT_6 then
    !! Allow all peers to receive your blackholed prefixes
    set community CS_DECIX_ADVERTISE_TO_ALL_PEERS additive
    !! Set BLACKHOLE Community
    set community CS_DECIX_BLACKHOLE additive
    pass
    else
    drop
    endif
    end-policy
    !
    router bgp 64500
    bgp router-id <YOUR_ROUTER_ID>
    bgp graceful-restart
    address-family ipv4 unicast
    !! Some example IPv4 prefixes to announce
    network 192.0.2.0/24
    network 198.51.100.0/24
    network 203.0.113.0/24
    !
    address-family ipv6 unicast
    !! Some example IPv6 prefixes to announce
    network 2001:db8:1234::/48
    network 2001:db8:abcd::/48
    network 2001:db8:ffff::/48
    !
    af-group AG_DECIX_ROUTE_SERVERS_4 address-family ipv4 unicast
    !! Allow sending of BGP standard and extended communities to control advertising of your prefixes
    !! For available communities, please see "Route Server Control"
    send-community-ebgp
    send-extended-community-ebgp
    !! Inbound IPv4 policy
    route-policy RPL_DECIX_ROUTE_SERVERS_IN_4 in
    !! Outbound IPv4 policy
    route-policy RPL_DECIX_ROUTE_SERVERS_OUT_4 out
    !! Please accept up to 350,000 IPv4 prefixes from us
    maximum-prefix 350000 75
    !! Strip private ASNs from BGP AS-PATH
    remove-private-AS
    !! Optional: Keep a pre-ingress-route-map copy of the peer table even if route refresh is supported (if you have the memory; useful for debugging)
    soft-reconfiguration inbound always
    !
    af-group AG_DECIX_ROUTE_SERVERS_6 address-family ipv6 unicast
    !! Allow sending of BGP standard and extended communities to control advertising of your prefixes
    !! For available communities, please see "Route Server Control"
    send-community-ebgp
    send-extended-community-ebgp
    !! Inbound IPv6 policy
    route-policy RPL_DECIX_ROUTE_SERVERS_IN_6 in
    !! Outbound IPv6 policy
    route-policy RPL_DECIX_ROUTE_SERVERS_OUT_6 out
    !! Please accept up to 70,000 IPv6 prefixes from us
    maximum-prefix 70000 75
    !! Strip private ASNs from BGP AS-PATH
    remove-private-AS
    !! Optional: Keep a pre-ingress-route-map copy of the peer table even if route refresh is supported (if you have the memory; useful for debugging)
    soft-reconfiguration inbound always
    !
    session-group SG_DECIX_ROUTE_SERVERS
    !! ASN of DE-CIX route servers
    remote-as 6695
    !! Please do not use aggressive timers (60/180 should be fine) to reduce the risk of flapping sessions
    timers 60 180
    !! Our route servers are transparent: Ignore first AS in AS path not being your peer AS (i.e. 6695)
    enforce-first-as disable
    !! Allow BGP graceful restart
    graceful-restart
    !! The route servers are passive and waiting for your side to initiate the sessions
    session-open-mode active-only
    !
    neighbor-group NG_DECIX_ROUTE_SERVERS_4
    use session-group SG_DECIX_ROUTE_SERVERS
    address-family ipv4 unicast
    use af-group AG_DECIX_ROUTE_SERVERS_4
    !
    !
    neighbor-group NG_DECIX_ROUTE_SERVERS_6
    use session-group SG_DECIX_ROUTE_SERVERS
    address-family ipv6 unicast
    use af-group AG_DECIX_ROUTE_SERVERS_6
    !
    !
    neighbor 80.81.192.157
    use neighbor-group NG_DECIX_ROUTE_SERVERS_4
    description RS1.FRA.DE-CIX.NET
    !
    neighbor 2001:7f8::1a27:5051:c09d
    use neighbor-group NG_DECIX_ROUTE_SERVERS_6
    description RS1.FRA.DE-CIX.NET
    !
    neighbor 80.81.193.157
    use neighbor-group NG_DECIX_ROUTE_SERVERS_4
    description RS2.FRA.DE-CIX.NET
    !
    neighbor 2001:7f8::1a27:5051:c19d
    use neighbor-group NG_DECIX_ROUTE_SERVERS_6
    description RS2.FRA.DE-CIX.NET
    !
    neighbor 80.81.192.158
    use neighbor-group NG_DECIX_ROUTE_SERVERS_4
    description RSBH.FRA.DE-CIX.NET
    !! Overwrite IPv4 route policies and maxpref from route server neighbor group for rsbh
    address-family ipv4 unicast
    route-policy RPL_DECIX_BLACKHOLE_IN_4 in
    route-policy RPL_DECIX_BLACKHOLE_OUT_4 out
    maximum-prefix 15000 75
    !
    !
    neighbor 2001:7f8::1a27:5051:c09e
    use neighbor-group NG_DECIX_ROUTE_SERVERS_6
    description RSBH.FRA.DE-CIX.NET
    !! Overwrite IPv6 route policies and maxpref from route server neighbor group for rsbh
    address-family ipv6 unicast
    route-policy RPL_DECIX_BLACKHOLE_IN_6 in
    route-policy RPL_DECIX_BLACKHOLE_OUT_6 out
    maximum-prefix 1000 75
    !
    !
    !
    end