[c-nsp] Best practice/security design for BGP and OSPF

CiscoNSP List CiscoNSP_list at hotmail.com
Tue May 23 02:44:40 EDT 2017


Hi Everyone,

Just doing a bit of a refresh of our current BGP+OSPF templates to ensure they are in line with today's "best practice".

(I have googled this, but the majority of the examples are from circa 2012 or earlier... so hoping someone can provide some feedback :)

Current BGP (we use RRs with a bunch of PEs, primarily VRF solutions + standard Internet).

Current setup/template is:


router bgp XXXX
 template peer-policy TO_RR
  prefix-length-size 2
  next-hop-self
  soft-reconfiguration inbound
  maximum-prefix 12000 85 warning-only
  send-community both
  advertise best-external
 exit-peer-policy
!
 template peer-policy TO_RR_2
  prefix-length-size 2
  next-hop-self
  soft-reconfiguration inbound
  maximum-prefix 12000 85 warning-only
  send-community both
  advertise best-external
 exit-peer-policy

 template peer-session IBGP
  remote-as XXXX
  ttl-security hops 10   <-- Is this recommended?
  version 4  <-- Still required?
  password foobar  <-- Add it here, or use a different password for each neighbour?
  update-source Loopback0
  ha-mode graceful-restart
 exit-peer-session

 bgp router-id XXX.YYY.76.131
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 bgp bestpath compare-routerid
 bgp maxas-limit 54
 no bgp default ipv4-unicast

Then a neighbour example:

 neighbor XXX.YYY.76.204 inherit peer-session IBGP
 neighbor XXX.YYY.76.204 transport path-mtu-discovery disable  <-- MTU can occasionally randomly change on carrier inter-PoP links

Address family example:

 address-family ipv4
  no bgp recursion host
  bgp additional-paths select best-external
  bgp additional-paths install
  bgp nexthop route-map BGP_NHT
  bgp nexthop trigger delay 0
  redistribute connected route-map TEST_RANGES
  redistribute static route-map TEST_RANGES
  neighbor XXX.YYY.76.212 activate
  neighbor XXX.YYY.76.212 inherit peer-policy TO_RR
  neighbor XXX.YYY.76.212 route-map FROM_TEST_RR in
  neighbor XXX.YYY.76.212 route-map TO_TEST_RR out
!



OSPF Example/template:


router ospf 100
 router-id xxx.xxx.xx.xxx
 log-adjacency-changes detail
 max-lsa 10000 warning-only
 prefix-priority high route-map IP_FRR
 fast-reroute per-prefix enable area 0 prefix-priority high
 fast-reroute per-prefix remote-lfa area 0 tunnel mpls-ldp
 fast-reroute per-prefix tie-break linecard-disjoint index 10
 fast-reroute per-prefix tie-break interface-disjoint index 20
 fast-reroute per-prefix tie-break primary-path index 30
 fast-reroute per-prefix tie-break node-protecting index 40
 fast-reroute per-prefix tie-break lowest-metric index 50
 fast-reroute per-prefix tie-break downstream index 60
 timers throttle lsa 0 50 5000
 timers lsa arrival 10
 timers pacing flood 5
 passive-interface default
 no passive-interface GigabitEthernet0/0/3
 network xxx.xxx.xxx.xxx 0.0.0.1 area 0
 mpls ldp sync

interface GigabitEthernet0/0/3
 description
 ip ospf ttl-security hops x  <-- Recommended?
 dampening
 mtu 9100
 ip address  xxx.xxx.xxx.xxx 255.255.255.254
 no ip proxy-arp
 ip ospf authentication key-chain OSPF_HELLO
 ip ospf network point-to-point
 ip ospf flood-reduction
 ip ospf bfd
 ip ospf cost 240
 load-interval 30
 carrier-delay msec 0
 negotiation auto
 mpls ip
 mpls ldp igp sync delay 10
 bfd interval 50 min_rx 50 multiplier 3
 no bfd echo
end


Thanks in advance.
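As an added example (an editor's addition, not code from the original post, from the list, or from Cisco): a small Python audit script that parses an IOS-style configuration like the templates above into a stanza tree, resolves `inherit peer-session` / `inherit peer-policy` templates per neighbour, and reports which of the knobs the post asks about are missing or only half-applied: TCP MD5 `password`, `ttl-security hops`, `maximum-prefix` (flagging `warning-only`, which on IOS logs when the threshold is crossed but never resets the session), OSPF `passive-interface default`, and `ip ospf authentication` / `ip ospf ttl-security` on the non-passive links. SAMPLE_CONFIG is constructed here (AS 65000, 10.0.0.0/8 addresses) and is not the poster's network; the finding texts, function names and the one-space-per-level indentation assumption are the example's own.

```python
"""Audit an IOS-style BGP/OSPF config for the hardening knobs asked about above:
TCP MD5 password, ttl-security (GTSM), maximum-prefix, OSPF passive-interface
default and hello authentication. Added example, not code from the post."""

class Node:
    def __init__(self, text):
        self.text, self.children = text, []

def parse_ios(text):
    # Stanza tree: a deeper-indented line is a child of the line above it
    # (assumes IOS's one-space-per-level indentation; '!' comments skipped).
    root = Node("")
    stack = [(-1, root)]                      # (indent, node)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:
            stack.pop()
        node = Node(line)
        stack[-1][1].children.append(node)
        stack.append((indent, node))
    return root

def find(nodes, prefix):
    return [n for n in nodes if n.text.startswith(prefix)]

def neighbor_settings(bgp):
    # Effective per-neighbour lines: direct statements (global and per
    # address-family) plus the body of any inherited peer-session/peer-policy.
    templates = {tuple(n.text.split()[1:3]): n for n in find(bgp.children, "template peer-")}
    scopes = [bgp.children] + [af.children for af in find(bgp.children, "address-family ")]
    settings = {}
    for scope in scopes:
        for n in find(scope, "neighbor "):
            _, addr, *rest = n.text.split()
            s = settings.setdefault(addr, set())
            if rest[:1] == ["inherit"]:       # e.g. 'inherit peer-session IBGP'
                s.update(c.text for c in templates[tuple(rest[1:3])].children)
            else:
                s.add(" ".join(rest))
    return settings

def audit_bgp(bgp):
    out = []
    for addr, s in neighbor_settings(bgp).items():
        for prefix, what in (("password ", "TCP MD5 password"),
                             ("ttl-security hops", "ttl-security (GTSM)")):
            if not any(x.startswith(prefix) for x in s):
                out.append(f"{addr}: no {what} on session")
        limits = [x for x in s if x.startswith("maximum-prefix ")]
        if not limits:
            out.append(f"{addr}: no maximum-prefix limit")
        elif any("warning-only" in x for x in limits):
            # warning-only only logs when the limit is crossed; the session stays up
            out.append(f"{addr}: maximum-prefix is warning-only")
    return out

def audit_ospf(root, ospf):
    out = []
    if not find(ospf.children, "passive-interface default"):
        out.append(f"{ospf.text}: passive-interface default missing")
    ifaces = {n.text.split(None, 1)[1]: n for n in find(root.children, "interface ")}
    for n in find(ospf.children, "no passive-interface "):
        name = n.text.split()[-1]
        lines = [c.text for c in ifaces.get(name, Node("")).children]
        # area-level 'area N authentication ...' is not considered here
        if not any(l.startswith("ip ospf authentication") for l in lines):
            out.append(f"{name}: OSPF hellos unauthenticated")
        if not any(l.startswith("ip ospf ttl-security") for l in lines):
            out.append(f"{name}: no ip ospf ttl-security")
    return out

def audit(config_text):
    root = parse_ios(config_text)
    out = [f for bgp in find(root.children, "router bgp ") for f in audit_bgp(bgp)]
    out += [f for ospf in find(root.children, "router ospf ") for f in audit_ospf(root, ospf)]
    return out

# Constructed sample modelled on the post's templates (AS 65000, RFC 1918 addresses).
SAMPLE_CONFIG = """\
router bgp 65000
 template peer-policy TO_RR
  maximum-prefix 12000 85 warning-only
 template peer-session IBGP
  remote-as 65000
  ttl-security hops 10
  password foobar
 neighbor 10.0.0.1 inherit peer-session IBGP
 neighbor 10.0.0.9 remote-as 65000
 address-family ipv4
  neighbor 10.0.0.1 inherit peer-policy TO_RR
  neighbor 10.0.0.9 activate
router ospf 100
 passive-interface default
 no passive-interface GigabitEthernet0/0/3
 no passive-interface GigabitEthernet0/0/4
interface GigabitEthernet0/0/3
 ip ospf ttl-security hops 1
 ip ospf authentication key-chain OSPF_HELLO
interface GigabitEthernet0/0/4
 ip ospf network point-to-point
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Feed it `show running-config` output instead of SAMPLE_CONFIG. On the sample it reports six findings: the neighbour that inherits nothing but `remote-as` has no password, no GTSM and no prefix limit, the RR neighbour is flagged only for `warning-only`, and GigabitEthernet0/0/4 is non-passive with neither authentication nor `ip ospf ttl-security`. Area-level OSPF authentication (`area N authentication`) and `ttl-security all-interfaces` are deliberately not recognised, so a config relying on those will show false positives on the interface checks.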
