Cisco Configuration Blueprint – Single-Homed CE Device with EBGP

Introduction

In this example, we will show recommended configuration for a Single-homed Single CE device using private AS with an upstream ISP. It is assumed that management of this device will be performed from a dedicated server residing within Customer’s Network.

This type of setup is quite common in an environment where a dedicated firewall performing source NAT function is setup to protect customer infrastructure.

Cisco Single Homed CE
Cisco Single Homed CE

Please note, that the Management Station is connected directly to the LAN interface for illustration purpose only. In real production deployments, Management Station must be protected by a firewall.

BGP Configuration

BGP configuration can be split in the following tasks:

  • Accept the default route from the ISP while discarding all other advertisements that might be sent to your CE
  • Advertise your subnet (120.0.50.0/24) while making sure that no other routers are erroneously injected
  • Secure BGP session by configuring a MD5 key

The actual configuration is comprised of the following blocks:

  1. Configure Two prefix lists – one with the subnet you’ll advertise upstream and the other one with the default route you’ll be receiving from your ISP:
ip prefix-list default-only seq 10 permit 0.0.0.0/0

ip prefix-list originated-out seq 10 permit 120.0.50.0/24

 

  1. Configure BGP session with prefix-filtering and MD5 session protection
router bgp 111100

 bgp log-neighbor-changes

 network 120.0.50.0 mask 255.255.255.0

 neighbor 120.0.4.17 remote-as 100

 neighbor 120.0.4.17 description PE2

 neighbor 120.0.4.17 password 7 14141B180F0B

 neighbor 120.0.4.17 soft-reconfiguration inbound

 neighbor 120.0.4.17 prefix-list default-only in

 neighbor 120.0.4.17 prefix-list originated-out out

!

Securing the Router

Next step is to secure the router itself. But default, it will pass any traffic (with some exceptions, not covered in this article) and accept connections from anywhere on the Internet. Your job is to make sure that only trusted sources can communicate with your device (control plane protection) and spoofed traffic is not allowed in and out of your network (data plane protection).

Data Plane Protection

  1. Configure access-list to block spoofed traffic originated on the Internet:
ip access-list extended martians

 deny   ip host 255.255.255.255 any

 deny   ip 0.0.0.0 0.255.255.255 any

 deny   ip 127.0.0.0 0.255.255.255 any

 deny   ip 10.0.0.0 0.255.255.255 any

 deny   ip 172.16.0.0 0.15.255.255 any

 deny   ip 192.168.0.0 0.0.255.255 any

 deny   ip 196.18.0.0 10.1.255.255 any

 deny   ip 240.0.0.0 15.255.255.255 any

 deny   ip 224.0.0.0 15.255.255.255 any

 deny   ip 169.254.0.0 0.0.255.255 any

 deny   ip 192.0.0.0 0.255.255.255 any

 deny   ip 198.0.0.0 0.255.255.255 any

 deny   ip 203.0.0.0 0.255.255.255 any

 deny   ip 100.64.0.0 0.0.63.255 any

! ßLocal Traffic, should not be arriving from the Internet à 

 deny   ip 120.0.50.0 0.0.0.255 any

 permit ip any any
  1. Configure interface with security commands and uRPF on the LAN interface. Note that ‘no ip unreachables’ will block traceroute.
interface GigabitEthernet2

 description 'CE5->PE2'

 ip address 120.0.4.18 255.255.255.252

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip access-group martians in

 negotiation auto

!

interface GigabitEthernet3

 description 'LAN Segment'

 ip address 120.0.50.1 255.255.255.0

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip verify unicast source reachable-via rx

 negotiation auto

!

Control Plane Protection

  1. Configure Logging; Enable SSH and SNMP access-lists, disabled unnecessary services and protocols:
no ip http server

no ip http secure-server

ip route 192.168.74.0 255.255.255.0 192.168.3.18

ip ssh rsa keypair-name ssh-key

ip ssh version 2


logging host 120.0.50.10

access-list 10 permit 120.0.50.10

snmp-server community t0ps3crrr3t RO 10

line vty 0 4

 access-class 10 in

 exec-timeout 11 0

 password d0ntt3ll

 login local

 transport input ssh

!

 

  1. Configure Control Plane (CPP) Protection
! Routing Protocols (BGP)

access-list 120 permit tcp any gt 1024 host 120.0.4.18 eq bgp

access-list 120 permit tcp any eq bgp host 120.0.4.18 gt 1024 established



! Management Protocols (SSH, SNMP)

access-list 121 permit tcp host 120.0.50.10 host 120.0.50.1 eq 22

access-list 121 permit tcp host 120.0.50.10 eq 22 host 120.0.50.1 established

access-list 121 permit udp host 120.0.50.10 host 120.0.50.1 eq snmp



! Ping / Traceroute LAN Interface

access-list 122 permit icmp any host 120.0.50.1 echo

access-list 122 permit icmp any host 120.0.50.1 echo-reply

access-list 122 permit icmp any host 120.0.50.1 ttl-exceeded

access-list 122 permit icmp any host 120.0.50.1 packet-too-big

access-list 122 permit icmp any host 120.0.50.1 port-unreachable

access-list 122 permit icmp any host 120.0.50.1 unreachable



! Ping/Traceroute WAN Interface

access-list 122 permit icmp any host 120.0.4.18 echo

access-list 122 permit icmp any host 120.0.4.18 echo-reply

access-list 122 permit icmp any host 120.0.4.18 ttl-exceeded

access-list 122 permit icmp any host 120.0.4.18 packet-too-big

access-list 122 permit icmp any host 120.0.4.18 port-unreachable

access-list 122 permit icmp any host 120.0.4.18 unreachable


! Undesired Traffic

access-list 123 permit icmp any any fragments

access-list 123 permit udp any any fragments

access-list 123 permit tcp any any fragments

access-list 123 permit ip any any fragments

access-list 123 permit tcp any any eq bgp rst



! All Other Traffic

access-list 124 permit tcp any any

access-list 124 permit udp any any

access-list 124 permit icmp any any

access-list 124 permit ip any any

!



! Define Class-Maps

class-map match-all Catch-All-IP

 match access-group 124

class-map match-all Management

 match access-group 121

class-map match-all Normal

 match access-group 122

class-map match-all Undesirable

 match access-group 123

class-map match-all Routing

 match access-group 120

!



! Configure CoPP Policy

policy-map RTR_CoPP

 class Undesirable

  police 8000 1500 1500 conform-action drop  exceed-action drop

 class Routing

  police 100000 5000 5000 conform-action transmit  exceed-action transmit

 class Management

  police 100000 20000 20000 conform-action transmit  exceed-action drop

 class Normal

  police 50000 5000 5000 conform-action transmit  exceed-action drop

 class Catch-All-IP

  police 50000 5000 5000 conform-action transmit  exceed-action drop

 class class-default

  police 8000 1500 1500 conform-action transmit  exceed-action drop



! Apply CoPP Policy

control-plane

 service-policy input RTR_CoPP

!

Complete Router Configuration

service timestamps debug datetime localtime show-timezone

service timestamps log datetime localtime show-timezone

service password-encryption!

hostname CE11

!

boot-start-marker

boot-end-marker

!

!

enable secret 5 $1$9Ah6$7tFkcd/bJRrHSx0grfmYA1

!

no aaa new-model

no ip source-route




no ip domain lookup

!

username cisco privilege 15 secret 5 $1$ZJAP$Hmq/nCv7qQcwPHyB4Ixdo0

!

!

class-map match-all Catch-All-IP

 match access-group 124

class-map match-all Management

 match access-group 121

class-map match-all Normal

 match access-group 122

class-map match-all Undesirable

 match access-group 123

class-map match-all Routing

 match access-group 120

!

policy-map RTR_CoPP

 class Undesirable

  police 8000 1500 1500 conform-action drop  exceed-action drop

 class Routing

  police 100000 5000 5000 conform-action transmit  exceed-action transmit

 class Management

  police 100000 20000 20000 conform-action transmit  exceed-action drop

 class Normal

  police 50000 5000 5000 conform-action transmit  exceed-action drop

 class Catch-All-IP

  police 50000 5000 5000 conform-action transmit  exceed-action drop

 class class-default

  police 8000 1500 1500 conform-action transmit  exceed-action drop

!

!

interface GigabitEthernet1

 description 'Out-of-Band Management'

 ip address 192.168.3.231 255.255.255.0

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 negotiation auto

!

interface GigabitEthernet2

 description 'CE5->PE2'

 ip address 120.0.4.18 255.255.255.252

 no ip redirects

 no ip proxy-arp

 ip access-group martians in

 negotiation auto

!

interface GigabitEthernet3

 description 'LAN Segment'

 ip address 120.0.50.1 255.255.255.0

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip verify unicast source reachable-via rx

 negotiation auto

!

router bgp 111100

 bgp log-neighbor-changes

 network 120.0.50.0 mask 255.255.255.0

 neighbor 120.0.4.17 remote-as 100

 neighbor 120.0.4.17 description PE2

 neighbor 120.0.4.17 password 7 14141B180F0B

 neighbor 120.0.4.17 soft-reconfiguration inbound

 neighbor 120.0.4.17 prefix-list default-only in

 neighbor 120.0.4.17 prefix-list originated-out out

!

virtual-service csr_mgmt

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

ip route 192.168.74.0 255.255.255.0 192.168.3.18

ip ssh rsa keypair-name ssh-key

ip ssh version 2

!

ip access-list extended martians

 deny   ip host 255.255.255.255 any

 deny   ip 0.0.0.0 0.255.255.255 any

 deny   ip 127.0.0.0 0.255.255.255 any

 deny   ip 10.0.0.0 0.255.255.255 any

 deny   ip 172.16.0.0 0.15.255.255 any

 deny   ip 192.168.0.0 0.0.255.255 any

 deny   ip 196.18.0.0 10.1.255.255 any

 deny   ip 240.0.0.0 15.255.255.255 any

 deny   ip 224.0.0.0 15.255.255.255 any

 deny   ip 169.254.0.0 0.0.255.255 any

 deny   ip 192.0.0.0 0.255.255.255 any

 deny   ip 198.0.0.0 0.255.255.255 any

 deny   ip 203.0.0.0 0.255.255.255 any

 deny   ip 100.64.0.0 0.0.63.255 any

 deny   ip 120.0.50.0 0.0.0.255 any

 permit ip any any

!

!

ip prefix-list default-only seq 10 permit 0.0.0.0/0

!

ip prefix-list originated-out seq 10 permit 120.0.50.0/24

logging host 120.0.50.10

access-list 10 permit 120.0.50.10

access-list 10 permit 192.168.0.0 0.0.255.255

access-list 120 permit tcp any gt 1024 host 120.0.4.18 eq bgp

access-list 120 permit tcp any eq bgp host 120.0.4.18 gt 1024 established

access-list 121 permit tcp host 120.0.50.10 host 120.0.50.1 eq 22

access-list 121 permit tcp host 120.0.50.10 eq 22 host 120.0.50.1 established

access-list 121 permit udp host 120.0.50.10 host 120.0.50.1 eq snmp

access-list 122 permit icmp any host 120.0.50.1 echo

access-list 122 permit icmp any host 120.0.50.1 echo-reply

access-list 122 permit icmp any host 120.0.50.1 ttl-exceeded

access-list 122 permit icmp any host 120.0.50.1 packet-too-big

access-list 122 permit icmp any host 120.0.50.1 port-unreachable

access-list 122 permit icmp any host 120.0.50.1 unreachable

access-list 122 permit icmp any host 120.0.4.18 echo

access-list 122 permit icmp any host 120.0.4.18 echo-reply

access-list 122 permit icmp any host 120.0.4.18 ttl-exceeded

access-list 122 permit icmp any host 120.0.4.18 packet-too-big

access-list 122 permit icmp any host 120.0.4.18 port-unreachable

access-list 122 permit icmp any host 120.0.4.18 unreachable

access-list 124 permit tcp any any

access-list 124 permit udp any any

access-list 124 permit icmp any any

access-list 124 permit ip any any

!

snmp-server community t0ps3crrr3t RO 10

!

!

control-plane

 service-policy input RTR_CoPP

!

banner motd ^C

Disconnect IMMEDIATELY if you are not an authorized user!


^C

!

line con 0

 exec-timeout 11 0

 password d0ntt3ll

 stopbits 1

line vty 0 4

 access-class 10 in

 exec-timeout 11 0

 password d0ntt3ll

 login local

 transport input ssh

!

!

end

Leave a Reply

Your email address will not be published. Required fields are marked *