-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathcisco-nexus9000-nxos.config
47 lines (47 loc) · 1.53 KB
/
cisco-nexus9000-nxos.config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
! This configuration uses vlan-maps to block the BGP traffic for the IXPs
! Assumption: IX peering vlan 10
! The Peering LAN prefix in this example is 206.126.225.0/24 and 2001:504:2f::/64
!
! Tested on:
! Model: cisco Nexus9000 93180YC-EX chassis
! SW: NXOS: version 7.0(3)I7(2)
!
hardware profile tcam resource template TCAMTEMPLATE ref-template l2-l3
hardware profile tcam resource service-template TCAMTEMPLATE
! note:
! after recarving the TCAM, a reboot is needed
!
!
ip access-list MATCH-ALL-V4
10 permit ip any any
ipv6 access-list MATCH-ALL-V6
10 permit ipv6 any any
!
!
ip access-list MATCH-BGP-V4
10 permit tcp 206.126.225.0/24 eq bgp 206.126.225.0/24
20 permit tcp 206.126.225.0/24 206.126.225.0/24 eq bgp
ipv6 access-list MATCH-BGP-V6
10 permit tcp 2001:504:2f::/64 eq bgp 2001:504:2f::/64
20 permit tcp 2001:504:2f::/64 2001:504:2f::/64 eq bgp
!
!
! VLAN access-map is almost like a route-map for VLANs, matching on the ACL and drop.
vlan access-map VACL-DROP-BGP 10
match ip address MATCH-BGP-V4
match ipv6 address MATCH-BGP-V6
action drop
statistics per-entry
! Forward everything else that does not match the ACL located in VAM seq 10.
vlan access-map VACL-DROP-BGP 20
match ip address MATCH-ALL-V4
match ipv6 address MATCH-ALL-V6
action forward
!
!
cli alias name shutbgp vlan filter VACL-DROP-BGP vlan-list 10
cli alias name noshutbgp no vlan filter VACL-DROP-BGP vlan-list 10
!
!
! now in "conf t" mode, a caretaker can type "shutbgp" to start the culling
! and stop the culling in "conf t" mode by typing "noshutbgp"