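! device: R1-EOS (vEOS, EOS-4.30.1F)
!
! boot system flash:/vEOS-lab.swi
!
transceiver qsfp default-mode 4x10G
!
service routing protocols model multi-agent
!
hostname R1-EOS
!
spanning-tree mode mstp
!
! Root login disabled; no aaa authentication/authorization or remote AAA
! servers appear anywhere in this file. If this is the complete config, all
! device access relies on local accounts -- verify against the full running-config.
no aaa root
!
! NOTE(review): rd/route-target are repeated under "router bgp 65000 / vrf CUSTOMER_A"
! later in this file, which is where EOS applies them. CUSTOMER_A imports
! CUSTOMER_B's export RT (65000:200) but B does not import A's, i.e. a
! one-way extranet: A can reach B's routes. Confirm that leak is intended.
vrf instance CUSTOMER_A
   rd 65000:100
   route-target import evpn 65000:100
   route-target import evpn 65000:200
   route-target export evpn 65000:100
!
vrf instance CUSTOMER_B
   rd 65000:200
   route-target import evpn 65000:200
   route-target export evpn 65000:200
!
vrf instance MGMT
!
! Area 0 links (Port-Channel10, Ethernet1, Ethernet20, Tunnel10, loopbacks)
! carry no OSPF authentication; only area 0.0.0.1 (Ethernet2) is
! authenticated. Adding auth here requires the same key on every neighbor.
interface Port-Channel10
   description Port-channel to Distribution
   no switchport
   ip address 10.3.1.1/30
   ip ospf network point-to-point
   ip ospf area 0.0.0.0
!
interface Ethernet1
   description Core Link to R2
   no switchport
   ip address 10.1.1.1/30
   ip ospf cost 10
   ip ospf network point-to-point
   ip ospf bfd
   ip ospf area 0.0.0.0
!
interface Ethernet2
   description NSSA Area Link
   no switchport
   ip address 10.1.2.1/30
   ip ospf authentication message-digest
   ! "7" (type-7) keys are reversibly obfuscated, not hashed; anyone with read
   ! access to the config recovers the key. The value shown also looks like a
   ! plaintext placeholder -- replace before deployment.
   ip ospf message-digest-key 1 md5 7 SecureKey123
   ip ospf priority 100
   ip ospf area 0.0.0.1
!
! Customer-facing interface: untrusted. The CUSTOMER_INGRESS ACL defined later
! in this file ("Customer A ingress filtering") was never applied; it is now
! bound here. Caveat: that ACL still permits 192.168.0.0/16 sources, which
! overlaps this device's own VLAN and loopback ranges, so it does not stop
! source-address spoofing of internal addresses from the CE.
interface Ethernet3
   description VRF Customer A
   no switchport
   vrf CUSTOMER_A
   ip address 172.16.1.1/24
   ip access-group CUSTOMER_INGRESS in
!
! ISP-facing interface: no ingress ACL, no BFD. Traffic from the Internet
! reaches the control plane unfiltered on this port.
interface Ethernet4
   description ISP Uplink
   no switchport
   ip address 10.100.1.2/30
!
interface Ethernet5
   description Bundle member
   channel-group 10 mode active
!
interface Ethernet6
   description Bundle member
   channel-group 10 mode active
!
interface Ethernet20
   description 100G Core Link
   no switchport
   mtu 9214
   ip address 10.2.1.1/30
   ip ospf network point-to-point
   ip ospf area 0.0.0.0
!
interface Loopback0
   description Router ID and Management
   ip address 10.0.0.1/32
   ip ospf area 0.0.0.0
!
interface Loopback100
   description BGP Update Source
   ip address 192.168.1.1/32
   ip ospf area 0.0.0.0
!
! OOB management in VRF MGMT. No ACL is bound here; the MGMT_HOSTS ACL defined
! later lists 192.168.10.0/24 and 10.0.0.100, neither of which is in
! 172.20.20.0/24, so applying it unchanged could lock out the OOB station --
! review the allowed hosts before binding it.
interface Management1
   description OOB Management
   vrf MGMT
   ip address 172.20.20.10/24
!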
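! GRE tunnel to the branch is an area-0 OSPF link with no OSPF authentication
! and no tunnel-level integrity (GRE has none). Anyone who can reach 10.0.0.1
! and spoof 10.0.0.10 can attempt an adjacency -- TODO confirm the branch path
! is trusted or add the same message-digest auth used on Ethernet2.
interface Tunnel10
   description GRE Tunnel to Branch
   ip address 172.31.10.1/30
   tunnel source Loopback0
   tunnel destination 10.0.0.10
   tunnel mode gre
   ip ospf network point-to-point
   ip ospf cost 100
   ip ospf area 0.0.0.0
!
! NOTE(review): both VARP ("ip virtual-router address") and VRRP claim the same
! VIP 192.168.10.254 / 192.168.20.254. Confirm which first-hop mechanism is
! intended; running both for one address is contradictory.
interface Vlan10
   description Data VLAN
   ip address 192.168.10.1/24
   ip virtual-router address 192.168.10.254
   vrrp 10 priority 120
   ! type-7 key: reversible, see the OSPF key comment above
   vrrp 10 authentication md5-key 7 MyVRRPKey
   vrrp 10 ipv4 192.168.10.254
!
! Vlan20 VRRP has no authentication while Vlan10 does. Any host on the voice
! VLAN can send a higher-priority VRRP advert and take the gateway. Adding a
! key here must be coordinated with the peer router, so it is only flagged.
interface Vlan20
   description Voice VLAN
   ip address 192.168.20.1/24
   ip virtual-router address 192.168.20.254
   vrrp 20 priority 110
   vrrp 20 ipv4 192.168.20.254
!
ip routing
ip routing vrf CUSTOMER_A
ip routing vrf CUSTOMER_B
no ip routing vrf MGMT
!
! Default-route-only inbound filter (used by both ISP route-maps below).
ip prefix-list ISP1_PREFIX_IN
   seq 10 permit 0.0.0.0/0
   seq 100 deny 0.0.0.0/0 le 32
!
! Outbound filter to ISPs. seq 20 announces RFC1918 192.168.0.0/16 space,
! which also holds this device's BGP update-source loopbacks (192.168.1.x).
! Most transit providers drop it; confirm it is not meant to be public.
ip prefix-list ISP1_PREFIX_OUT
   seq 10 permit 10.0.0.0/16 le 24
   seq 20 permit 192.168.0.0/16 le 24
   seq 100 deny 0.0.0.0/0 le 32
!
ip prefix-list CONNECTED_LOOPBACKS
   seq 10 permit 10.0.0.0/24 le 32
   seq 20 permit 192.168.1.0/24 le 32
!
! Customer A may announce any /32 in 192.168.0.0/16 -- the same range as the
! provider's VLANs and loopbacks. Inside VRF CUSTOMER_A only, but it is
! accepted at local-pref 180 (see CUSTOMER_A_IN). Tighten if A should only
! announce its own 172.16.0.0/16.
ip prefix-list CUSTOMER_A_ALLOWED
   seq 10 permit 172.16.0.0/16 le 24
   seq 20 permit 192.168.0.0/16 le 32
!
route-map ISP1_IN permit 10
   description Accept default from ISP1 with high local-pref
   match ip address prefix-list ISP1_PREFIX_IN
   set local-preference 250
   set metric 50
   set community 65000:100 additive
!
route-map ISP1_IN deny 100
!
route-map ISP1_OUT permit 10
   description Advertise aggregated prefixes to ISP1
   match ip address prefix-list ISP1_PREFIX_OUT
   set as-path prepend 65000 65000
   set community 65000:200
   set metric 100
!
route-map ISP1_OUT deny 100
!
! Fix: the description says "accept default", but the original permit clause
! had no match, so ISP2 could inject ANY prefix at local-pref 150. Now matches
! the same default-only list as ISP1_IN, with an explicit trailing deny.
route-map ISP2_IN permit 10
   description Accept default from ISP2 with lower local-pref
   match ip address prefix-list ISP1_PREFIX_IN
   set local-preference 150
   set metric 100
   set community 65000:101 additive
!
route-map ISP2_IN deny 100
!
route-map ISP2_OUT permit 10
   description Advertise to ISP2 with AS-path prepend
   match ip address prefix-list ISP1_PREFIX_OUT
   set as-path prepend 65000 65000 65000 65000
   set community 65000:201
!
! Explicit deny, matching ISP1_OUT (route-maps deny implicitly; this makes the
! intent visible when the policy is audited).
route-map ISP2_OUT deny 100
!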
! OSPF -> BGP: only loopback ranges, tagged no-export so they never reach ISPs.
route-map OSPF_TO_BGP permit 10
   description Redistribute OSPF routes to BGP
   match ip address prefix-list CONNECTED_LOOPBACKS
   set metric 500
   set origin igp
   set community no-export
!
route-map OSPF_TO_BGP deny 100
!
! BGP -> OSPF has NO match clause: every BGP route in the default VRF is
! redistributed into OSPF as a type-1 external. Combined with any eBGP peer
! that is not limited to a default route, this can push the IGP past
! "max-lsa 12000" (below) and shut OSPF down. Consider matching on
! NO_EXPORT_COMMUNITIES or a dedicated prefix-list -- left unchanged here
! because the intended set of routes is not visible in this file.
route-map BGP_TO_OSPF permit 10
   description Redistribute BGP routes to OSPF
   set metric 1000
   set metric-type type-1
   set tag 65000
!
route-map BGP_TO_OSPF deny 100
!
route-map CONNECTED_TO_BGP permit 10
   description Redistribute connected routes to BGP
   match ip address prefix-list CONNECTED_LOOPBACKS
   set origin igp
   set community 65000:300
!
route-map CONNECTED_TO_BGP deny 100
!
route-map CONNECTED_TO_OSPF permit 10
   description Redistribute connected to OSPF
   match ip address prefix-list CONNECTED_LOOPBACKS
!
route-map CONNECTED_TO_OSPF deny 100
!
! Despite the description this route-map checks nothing: permit 10 with no
! match clause matches everything, and "originate always" (below) injects
! the default regardless of whether one exists in the RIB.
route-map DEFAULT_ROUTE_CHECK permit 10
   description Check before advertising default in OSPF
!
! IMPORT_FILTER / EXPORT_FILTER are not referenced anywhere in this file
! (the VRF BGP block uses CUSTOMER_A_IN/OUT). Dead policy, or applied in
! config not shown -- verify.
route-map IMPORT_FILTER permit 10
   description VRF import policy
   set community 65000:100 additive
!
route-map EXPORT_FILTER permit 10
   description VRF export policy
   set community 65000:200 additive
!
! CE-learned routes get local-pref 180, above the ISP defaults (250/150 are
! only for 0.0.0.0/0). What the CE may announce is bounded by CUSTOMER_A_ALLOWED.
route-map CUSTOMER_A_IN permit 10
   description Customer A inbound policy
   match ip address prefix-list CUSTOMER_A_ALLOWED
   set local-preference 180
   set community 65000:400 additive
!
route-map CUSTOMER_A_IN deny 100
!
! No match clause: everything in VRF CUSTOMER_A's BGP table is sent to the
! CE, including whatever "redistribute static" adds (see the
! "ip route vrf CUSTOMER_A 10.0.0.0/8 egress-vrf default" static later on).
route-map CUSTOMER_A_OUT permit 10
   description Customer A outbound policy
   set community 65000:500
!
router ospf 1
   router-id 10.0.0.1
   log-adjacency-changes detail
   auto-cost reference-bandwidth 100000
   bfd default
   ! Good: passive by default, adjacencies only on the listed links. Note
   ! Tunnel10 (GRE to branch) is active and, like all area-0 links here,
   ! unauthenticated -- only area 0.0.0.1 enforces message-digest.
   passive-interface default
   no passive-interface Ethernet1
   no passive-interface Ethernet2
   no passive-interface Ethernet20
   no passive-interface Port-Channel10
   no passive-interface Tunnel10
   area 0.0.0.0 range 10.0.0.0/16 cost 100
   area 0.0.0.1 nssa no-summary
   area 0.0.0.1 authentication message-digest
   ! Unfiltered BGP->OSPF redistribution; see BGP_TO_OSPF comment above.
   redistribute bgp route-map BGP_TO_OSPF
   redistribute connected route-map CONNECTED_TO_OSPF
   ! "always" + a route-map with no match: the default is originated
   ! unconditionally, including when this router has lost both ISP sessions.
   default-information originate always metric 10 metric-type 1 route-map DEFAULT_ROUTE_CHECK
   ! LSA ceiling protects the IGP from a redistribution flood, but tripping
   ! it is itself an outage.
   max-lsa 12000
!
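router bgp 65000
   router-id 192.168.1.1
   bgp log-neighbor-changes
   bgp bestpath as-path multipath-relax
   bgp bestpath compare-routerid
   bgp bestpath med missing-as-worst
   bgp graceful-restart
   bgp graceful-restart restart-time 120
   maximum-paths 8
   maximum-paths ibgp 8
   ! iBGP route-reflector clients, sourced from Loopback100 and
   ! MD5-protected. "password 7" is reversibly obfuscated, not hashed.
   neighbor RR_CLIENTS peer group
   neighbor RR_CLIENTS remote-as 65000
   neighbor RR_CLIENTS update-source Loopback100
   neighbor RR_CLIENTS password 7 MyIBGPPass
   neighbor RR_CLIENTS send-community extended
   neighbor RR_CLIENTS route-reflector-client
   neighbor RR_CLIENTS next-hop-self
   neighbor 192.168.1.2 peer group RR_CLIENTS
   neighbor 192.168.1.2 description R2-RR-Client
   neighbor 192.168.1.3 peer group RR_CLIENTS
   neighbor 192.168.1.3 description R3-RR-Client
   neighbor 192.168.1.4 peer group RR_CLIENTS
   neighbor 192.168.1.4 description R4-RR-Client
   ! ISP1: directly connected on Ethernet4 (10.100.1.2/30), yet ebgp-multihop
   ! is enabled, which drops the TTL=1 adjacency check. Prefer removing it
   ! (or using ttl-security) once confirmed with the provider.
   ! maximum-routes is "warning-only": the session is never torn down, so
   ! the real protection is the default-only prefix-list/route-map below.
   neighbor 10.100.1.1 remote-as 65001
   neighbor 10.100.1.1 description ISP1-Primary-EBGP
   neighbor 10.100.1.1 ebgp-multihop 2
   neighbor 10.100.1.1 update-source Ethernet4
   neighbor 10.100.1.1 password 7 MyEBGPPass
   neighbor 10.100.1.1 timers 10 30
   neighbor 10.100.1.1 send-community
   neighbor 10.100.1.1 maximum-routes 500000 warning-limit 85 warning-only
   ! ISP2: no password is configured (ISP1 has one); a key cannot be
   ! invented here, so this is only flagged. No interface in 10.100.2.0/30
   ! is present in this file -- with multihop 2 the session would be reached
   ! via some other route (possibly the default through ISP1); confirm.
   ! Added below, mirroring ISP1: a route limit and send-community (without it
   ! the 65000:201 community set by ISP2_OUT was silently never sent).
   neighbor 10.100.2.1 remote-as 65002
   neighbor 10.100.2.1 description ISP2-Backup-EBGP
   neighbor 10.100.2.1 ebgp-multihop 2
   neighbor 10.100.2.1 send-community
   neighbor 10.100.2.1 maximum-routes 500000 warning-limit 85 warning-only
   !
   address-family ipv4
      neighbor RR_CLIENTS activate
      neighbor 192.168.1.2 activate
      neighbor 192.168.1.3 activate
      neighbor 192.168.1.4 activate
      neighbor 10.100.1.1 activate
      neighbor 10.100.1.1 route-map ISP1_IN in
      neighbor 10.100.1.1 route-map ISP1_OUT out
      neighbor 10.100.1.1 prefix-list ISP1_PREFIX_IN in
      neighbor 10.100.2.1 activate
      neighbor 10.100.2.1 route-map ISP2_IN in
      neighbor 10.100.2.1 route-map ISP2_OUT out
      ! Added: same default-only inbound prefix-list ISP1 gets. Defence in
      ! depth independent of the ISP2_IN route-map's own match clause.
      neighbor 10.100.2.1 prefix-list ISP1_PREFIX_IN in
      network 10.0.0.0/16
      network 192.168.1.0/24
      aggregate-address 10.0.0.0/16 summary-only
      redistribute ospf match internal route-map OSPF_TO_BGP
      redistribute connected route-map CONNECTED_TO_BGP
   !
   ! IPv6 AF advertises the documentation prefix 2001:db8::/32 with no IPv6
   ! neighbors activated anywhere in this file; likely lab filler.
   address-family ipv6
      network 2001:db8::/32
   !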
   ! Customer A VRF BGP (child of "router bgp 65000" above).
   ! Imports CUSTOMER_B's RT 65000:200 -> one-way leak of B's routes into A.
   vrf CUSTOMER_A
      rd 65000:100
      route-target import evpn 65000:100
      route-target import evpn 65000:200
      route-target export evpn 65000:100
      ! CE session has no password (unlike both ISP1 and the RR clients).
      ! maximum-routes 10000 without "warning-only": EOS is expected to act
      ! on the session when exceeded -- confirm the desired action.
      neighbor 172.16.1.10 remote-as 65100
      neighbor 172.16.1.10 description Customer-A-CE-Router
      neighbor 172.16.1.10 maximum-routes 10000
      !
      address-family ipv4
         neighbor 172.16.1.10 activate
         neighbor 172.16.1.10 as-override
         neighbor 172.16.1.10 route-map CUSTOMER_A_IN in
         neighbor 172.16.1.10 route-map CUSTOMER_A_OUT out
         redistribute connected
         ! "redistribute static" picks up the VRF static
         ! "10.0.0.0/8 egress-vrf default 10.0.0.1" (below); CUSTOMER_A_OUT has
         ! no match clause, so the CE is told the whole 10.0.0.0/8 -- the
         ! provider's core, loopbacks and management ranges. Narrow the static
         ! or filter CUSTOMER_A_OUT.
         redistribute static
!
! eAPI enabled in VRF MGMT with no "ip access-group" bound; reachable from any
! host on the OOB network. Which protocol/port is open is not shown here
! (EOS defaults apply) -- verify that HTTP (cleartext) is not enabled.
management api http-commands
   no shutdown
   !
   vrf MGMT
      no shutdown
!
! Static routes
! Static default to ISP1 coexists with the BGP-learned default (local-pref
! 250/150); the static wins by admin distance. Nothing in this file points
! at 10.100.2.x, so ISP2 is reached (if at all) through this route.
ip route 0.0.0.0/0 10.100.1.1 name DEFAULT_TO_ISP1
ip route 192.168.0.0/16 Null0 250 name AGGREGATE_ROUTE
ip route 10.200.0.0/16 10.1.1.2 100 tag 100
ip route vrf CUSTOMER_A 192.168.100.0/24 172.16.1.254
! Route-leak from VRF CUSTOMER_A into the global table for ALL of 10.0.0.0/8,
! i.e. the customer VRF can reach infrastructure addresses (10.0.0.1
! loopbacks, core links, 10.200/16). Also exported to the CE via
! "redistribute static" above.
ip route vrf CUSTOMER_A 10.0.0.0/8 egress-vrf default 10.0.0.1
!
! Access Lists
! None of the three ACLs below is bound to an interface, line or service in
! this file; as written they filter nothing. The allowed hosts in MGMT_HOSTS
! are not in the Management1 subnet (172.20.20.0/24) -- check before binding.
ip access-list standard MGMT_HOSTS
   remark Management station access
   10 permit 192.168.10.0/24
   20 permit host 10.0.0.100
   30 deny any log
!
! Note 8080 is permitted alongside 80/443 ("any any"); confirm it is wanted.
ip access-list ALLOW_WEB_TRAFFIC
   remark Web services ACL
   10 permit tcp any any eq 80
   20 permit tcp any any eq 443
   30 permit tcp any any eq 8080
   40 deny ip any any log
!
! Seq 30 permits sources in 192.168.0.0/16, which overlaps the provider's
! own VLANs/loopbacks, so a CE can still spoof internal source addresses
! through this ACL.
ip access-list CUSTOMER_INGRESS
   10 remark Customer A ingress filtering
   20 permit ip 172.16.0.0/16 any
   30 permit ip 192.168.0.0/16 any
   40 deny ip any any log
!
! Community lists
! Defined but not referenced by any route-map in this file.
ip community-list ALLOWED_COMMUNITIES permit 65000:100
ip community-list ALLOWED_COMMUNITIES permit 65000:200
ip community-list ALLOWED_COMMUNITIES permit 65000:300
ip community-list regexp CUSTOMER_COMMUNITIES permit _65[0-9]{3}:[0-9]+_
ip community-list NO_EXPORT_COMMUNITIES permit no-export
ip community-list NO_EXPORT_COMMUNITIES permit no-advertise
!
!
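! AS-path access lists
! Neither list is applied to any neighbor in this file.
! ALLOW_OWN_AS: paths that start with 65000. Applied inbound on an eBGP peer
! this would reject everything; its intended use is not visible here.
ip as-path access-list ALLOW_OWN_AS permit ^65000_
ip as-path access-list ALLOW_OWN_AS deny .*
! BLOCK_PRIVATE_AS: reject any path containing a 16-bit private ASN
! (64512-65534; 65535 is reserved and also rejected).
! Fix: the original "_64[5-9][0-9]{2}_" also denied 64500-64511, which are
! public ASNs. The first three entries now start exactly at 64512.
! CAUTION: every peer in this config uses a private ASN (65000 self,
! 65001/65002 ISPs, 65100 customer), so applying this list inbound as-is
! would drop all routes; use "remove-private-as"/confirm ASNs first.
ip as-path access-list BLOCK_PRIVATE_AS deny _6451[2-9]_
ip as-path access-list BLOCK_PRIVATE_AS deny _645[2-9][0-9]_
ip as-path access-list BLOCK_PRIVATE_AS deny _64[6-9][0-9]{2}_
ip as-path access-list BLOCK_PRIVATE_AS deny _65[0-4][0-9]{2}_
ip as-path access-list BLOCK_PRIVATE_AS deny _655[0-2][0-9]_
ip as-path access-list BLOCK_PRIVATE_AS deny _6553[0-5]_
ip as-path access-list BLOCK_PRIVATE_AS permit .*
!
end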