# VyOS configuration in "set" command form: one uplink interface, BGP policy
# objects (community lists, prefix-lists, route-maps), BFD and BGP peerings
# inside a confederation, plus NTP, conntrack, login and syslog settings.
# The commands below are the original ones, restored to one command per line.

# --- Interfaces -------------------------------------------------------------
# eth0 carries documentation-range addresses (192.0.2.0/24, 2001:db8::/32).
# NOTE(review): 'dum0' (used as BGP update-source) and 192.168.253.3 (used as
# BFD source address) are not defined on any interface in this listing; this
# may be a partial view of the configuration - confirm before applying.
set interfaces ethernet eth0 address '192.0.2.100/25'
set interfaces ethernet eth0 address '2001:db8::ffff/64'
set interfaces ethernet eth0 offload gro
set interfaces loopback lo

# --- Large-community lists --------------------------------------------------
# NOTE(review): neither regex is anchored. If the matcher does substring
# matching, '4242420696:100:1' also matches values such as 4242420696:100:10,
# so ANYCAST_INT may be wider than "int only". Consider anchoring the
# patterns - confirm against the routing daemon's regex semantics.
set policy large-community-list ANYCAST_ALL rule 10 action 'permit'
set policy large-community-list ANYCAST_ALL rule 10 description 'Allow all anycast from anywhere'
set policy large-community-list ANYCAST_ALL rule 10 regex '4242420696:100:.*'
set policy large-community-list ANYCAST_INT rule 10 action 'permit'
set policy large-community-list ANYCAST_INT rule 10 description 'Allow all anycast from int'
set policy large-community-list ANYCAST_INT rule 10 regex '4242420696:100:1'

# --- IPv4 prefix-lists ------------------------------------------------------
# BGP-BACKBONE-IN: deny the default route and more-specifics of local ranges,
# then permit everything else (rule 999: any prefix of length 1-32).
# NOTE(review): the deny rules 20/30/40 use 'ge', so they match only prefixes
# LONGER than the covering prefix (/21+ inside the /20, /25+ inside each /24).
# The exact 192.168.0.0/20, 192.168.253.0/24 and 192.168.254.0/24 are not
# matched by them and fall through to the permit in rule 999 - confirm that
# accepting the covering prefixes from backbone peers is intended.
set policy prefix-list BGP-BACKBONE-IN description 'Inbound backbone routes from other sites'
set policy prefix-list BGP-BACKBONE-IN rule 10 action 'deny'
set policy prefix-list BGP-BACKBONE-IN rule 10 description 'Block default route'
set policy prefix-list BGP-BACKBONE-IN rule 10 prefix '0.0.0.0/0'
set policy prefix-list BGP-BACKBONE-IN rule 20 action 'deny'
set policy prefix-list BGP-BACKBONE-IN rule 20 description 'Block int primary'
set policy prefix-list BGP-BACKBONE-IN rule 20 ge '21'
set policy prefix-list BGP-BACKBONE-IN rule 20 prefix '192.168.0.0/20'
set policy prefix-list BGP-BACKBONE-IN rule 30 action 'deny'
set policy prefix-list BGP-BACKBONE-IN rule 30 description 'Block loopbacks'
set policy prefix-list BGP-BACKBONE-IN rule 30 ge '25'
set policy prefix-list BGP-BACKBONE-IN rule 30 prefix '192.168.253.0/24'
set policy prefix-list BGP-BACKBONE-IN rule 40 action 'deny'
set policy prefix-list BGP-BACKBONE-IN rule 40 description 'Block backbone peering'
set policy prefix-list BGP-BACKBONE-IN rule 40 ge '25'
set policy prefix-list BGP-BACKBONE-IN rule 40 prefix '192.168.254.0/24'
set policy prefix-list BGP-BACKBONE-IN rule 999 action 'permit'
set policy prefix-list BGP-BACKBONE-IN rule 999 description 'Allow everything else'
set policy prefix-list BGP-BACKBONE-IN rule 999 ge '1'
set policy prefix-list BGP-BACKBONE-IN rule 999 prefix '0.0.0.0/0'
# BGP-BACKBONE-OUT: only /23 and longer prefixes inside 192.168.0.0/20 are
# permitted; the list has no other rule, so nothing else matches it.
set policy prefix-list BGP-BACKBONE-OUT description 'Outbound backbone routes to other sites'
set policy prefix-list BGP-BACKBONE-OUT rule 10 action 'permit'
set policy prefix-list BGP-BACKBONE-OUT rule 10 description 'Int primary'
set policy prefix-list BGP-BACKBONE-OUT rule 10 ge '23'
set policy prefix-list BGP-BACKBONE-OUT rule 10 prefix '192.168.0.0/20'
# GLOBAL: exact-match prefixes (no ge/le) that may be redistributed into BGP.
set policy prefix-list GLOBAL description 'Globally redistributed routes'
set policy prefix-list GLOBAL rule 10 action 'permit'
set policy prefix-list GLOBAL rule 10 prefix '192.168.100.1/32'
set policy prefix-list GLOBAL rule 20 action 'permit'
set policy prefix-list GLOBAL rule 20 prefix '192.168.7.128/25'

# --- IPv6 prefix-lists ------------------------------------------------------
# Same structure as the IPv4 lists. The 'ge 53' deny rules likewise leave the
# exact /52 prefixes to the final permit (rule 999) - confirm intent.
set policy prefix-list6 BGP-BACKBONE-IN-V6 description 'Inbound backbone routes from other sites'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 10 action 'deny'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 10 description 'Block default route'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 10 prefix '::/0'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 20 action 'deny'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 20 description 'Block int primary'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 20 ge '53'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 20 prefix 'fd52:d62e:8011::/52'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 30 action 'deny'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 30 description 'Block peering and stuff'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 30 ge '53'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 30 prefix 'fd52:d62e:8011:f000::/52'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 999 action 'permit'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 999 description 'Allow everything else'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 999 ge '1'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 999 prefix '::/0'
set policy prefix-list6 BGP-BACKBONE-OUT-V6 description 'Outbound backbone routes to other sites'
set policy prefix-list6 BGP-BACKBONE-OUT-V6 rule 10 action 'permit'
set policy prefix-list6 BGP-BACKBONE-OUT-V6 rule 10 ge '64'
set policy prefix-list6 BGP-BACKBONE-OUT-V6 rule 10 prefix 'fd52:d62e:8011::/52'
set policy prefix-list6 GLOBAL-V6 description 'Globally redistributed routes'
set policy prefix-list6 GLOBAL-V6 rule 10 action 'permit'
set policy prefix-list6 GLOBAL-V6 rule 10 ge '64'
set policy prefix-list6 GLOBAL-V6 rule 10 prefix 'fd52:d62e:8011:2::/63'

# --- Route-maps -------------------------------------------------------------
# BGP-BACKBONE-IN: three permit entries, tried in order (IPv4 prefix-list,
# IPv6 prefix-list, ANYCAST_ALL large community).
# NOTE(review): a route that the prefix-list in rule 10/20 denies simply does
# not match that entry and is evaluated by the next one. Rule 30 matches on
# the community alone, so a route the prefix-lists were meant to block
# (e.g. a default route) is still accepted if it carries a community matching
# ANYCAST_ALL. If the prefix filters must always win, put an explicit deny
# entry ahead of rule 30 or add a prefix match to rule 30 - confirm intent.
set policy route-map BGP-BACKBONE-IN rule 10 action 'permit'
set policy route-map BGP-BACKBONE-IN rule 10 match ip address prefix-list 'BGP-BACKBONE-IN'
set policy route-map BGP-BACKBONE-IN rule 20 action 'permit'
set policy route-map BGP-BACKBONE-IN rule 20 match ipv6 address prefix-list 'BGP-BACKBONE-IN-V6'
set policy route-map BGP-BACKBONE-IN rule 30 action 'permit'
set policy route-map BGP-BACKBONE-IN rule 30 match large-community large-community-list 'ANYCAST_ALL'
# BGP-BACKBONE-OUT: export local prefixes unchanged; routes matching
# ANYCAST_INT are exported with AS 4242420666 prepended once (rule 30).
set policy route-map BGP-BACKBONE-OUT rule 10 action 'permit'
set policy route-map BGP-BACKBONE-OUT rule 10 match ip address prefix-list 'BGP-BACKBONE-OUT'
set policy route-map BGP-BACKBONE-OUT rule 20 action 'permit'
set policy route-map BGP-BACKBONE-OUT rule 20 match ipv6 address prefix-list 'BGP-BACKBONE-OUT-V6'
set policy route-map BGP-BACKBONE-OUT rule 30 action 'permit'
set policy route-map BGP-BACKBONE-OUT rule 30 match large-community large-community-list 'ANYCAST_INT'
set policy route-map BGP-BACKBONE-OUT rule 30 set as-path prepend '4242420666'
# BGP-REDISTRIBUTE: limits redistribution into BGP to the GLOBAL / GLOBAL-V6
# prefix-lists. Only the IPv4 entry (rule 10) prepends the AS.
set policy route-map BGP-REDISTRIBUTE rule 10 action 'permit'
set policy route-map BGP-REDISTRIBUTE rule 10 description 'Prepend AS and allow VPN and modem'
set policy route-map BGP-REDISTRIBUTE rule 10 match ip address prefix-list 'GLOBAL'
set policy route-map BGP-REDISTRIBUTE rule 10 set as-path prepend '4242420666'
set policy route-map BGP-REDISTRIBUTE rule 20 action 'permit'
set policy route-map BGP-REDISTRIBUTE rule 20 description 'Allow VPN'
set policy route-map BGP-REDISTRIBUTE rule 20 match ipv6 address prefix-list 'GLOBAL-V6'

# --- BFD --------------------------------------------------------------------
# One multihop BFD session per BGP neighbor, all sourced from 192.168.253.3 /
# fd52:d62e:8011:fffe:192:168:253:3. Peers .1/.2/.6/.7 use interval 50,
# peer .12 uses 100.
set protocols bfd peer 192.168.253.1 interval receive '50'
set protocols bfd peer 192.168.253.1 interval transmit '50'
set protocols bfd peer 192.168.253.1 multihop
set protocols bfd peer 192.168.253.1 source address '192.168.253.3'
set protocols bfd peer 192.168.253.2 interval receive '50'
set protocols bfd peer 192.168.253.2 interval transmit '50'
set protocols bfd peer 192.168.253.2 multihop
set protocols bfd peer 192.168.253.2 source address '192.168.253.3'
set protocols bfd peer 192.168.253.6 interval receive '50'
set protocols bfd peer 192.168.253.6 interval transmit '50'
set protocols bfd peer 192.168.253.6 multihop
set protocols bfd peer 192.168.253.6 source address '192.168.253.3'
set protocols bfd peer 192.168.253.7 interval receive '50'
set protocols bfd peer 192.168.253.7 interval transmit '50'
set protocols bfd peer 192.168.253.7 multihop
set protocols bfd peer 192.168.253.7 source address '192.168.253.3'
set protocols bfd peer 192.168.253.12 interval receive '100'
set protocols bfd peer 192.168.253.12 interval transmit '100'
set protocols bfd peer 192.168.253.12 multihop
set protocols bfd peer 192.168.253.12 source address '192.168.253.3'
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:1 interval receive '50'
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:1 interval transmit '50'
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:1 multihop
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:1 source address 'fd52:d62e:8011:fffe:192:168:253:3'
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:2 interval receive '50'
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:2 interval transmit '50'
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:2 multihop
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:2 source address 'fd52:d62e:8011:fffe:192:168:253:3'
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:6 interval receive '50'
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:6 interval transmit '50'
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:6 multihop
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:6 source address 'fd52:d62e:8011:fffe:192:168:253:3'
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:7 interval receive '50'
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:7 interval transmit '50'
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:7 multihop
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:7 source address 'fd52:d62e:8011:fffe:192:168:253:3'
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:12 interval receive '100'
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:12 interval transmit '100'
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:12 multihop
set protocols bfd peer fd52:d62e:8011:fffe:192:168:253:12 source address 'fd52:d62e:8011:fffe:192:168:253:3'

# --- BGP --------------------------------------------------------------------
# Connected and static routes enter BGP only through BGP-REDISTRIBUTE
# (IPv6: connected only).
set protocols bgp address-family ipv4-unicast redistribute connected route-map 'BGP-REDISTRIBUTE'
set protocols bgp address-family ipv4-unicast redistribute static route-map 'BGP-REDISTRIBUTE'
set protocols bgp address-family ipv6-unicast redistribute connected route-map 'BGP-REDISTRIBUTE'
# NOTE(review): no neighbor or peer-group in this listing has a 'password'
# statement, so the BGP sessions run without TCP session authentication. The
# DAL13/DAL13v6 groups and neighbor .12 also allow multihop (ebgp-multihop 2).
# Consider per-peer passwords and a firewall rule limiting TCP/179 to the
# configured peer addresses - no firewall section is visible here.
set protocols bgp neighbor 192.168.253.1 peer-group 'INT'
set protocols bgp neighbor 192.168.253.2 peer-group 'INT'
set protocols bgp neighbor 192.168.253.6 peer-group 'DAL13'
set protocols bgp neighbor 192.168.253.7 peer-group 'DAL13'
# Neighbor .12 (remote-as 4242420669) is configured directly, not via a
# peer-group, with the same backbone import/export route-maps as DAL13.
set protocols bgp neighbor 192.168.253.12 address-family ipv4-unicast route-map export 'BGP-BACKBONE-OUT'
set protocols bgp neighbor 192.168.253.12 address-family ipv4-unicast route-map import 'BGP-BACKBONE-IN'
set protocols bgp neighbor 192.168.253.12 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 192.168.253.12 bfd
set protocols bgp neighbor 192.168.253.12 ebgp-multihop '2'
set protocols bgp neighbor 192.168.253.12 remote-as '4242420669'
set protocols bgp neighbor 192.168.253.12 update-source 'dum0'
set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:1 peer-group 'INTv6'
set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:2 peer-group 'INTv6'
set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:6 peer-group 'DAL13v6'
set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:7 peer-group 'DAL13v6'
set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:12 address-family ipv6-unicast route-map export 'BGP-BACKBONE-OUT'
set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:12 address-family ipv6-unicast route-map import 'BGP-BACKBONE-IN'
set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:12 address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:12 bfd
set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:12 ebgp-multihop '2'
set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:12 remote-as '4242420669'
set protocols bgp neighbor fd52:d62e:8011:fffe:192:168:253:12 update-source 'dum0'
# Confederation 4242420696 with member sub-ASes 4242420668 and 4242420669;
# this router's own AS is 4242420666 (system-as, set further down).
set protocols bgp parameters confederation identifier '4242420696'
set protocols bgp parameters confederation peers '4242420668'
set protocols bgp parameters confederation peers '4242420669'
# Administrative distance 220 for external, internal and local BGP routes.
set protocols bgp parameters distance global external '220'
set protocols bgp parameters distance global internal '220'
set protocols bgp parameters distance global local '220'
set protocols bgp parameters graceful-restart
# DAL13 / DAL13v6: peers in sub-AS 4242420668, filtered in both directions by
# the BGP-BACKBONE-IN / BGP-BACKBONE-OUT route-maps.
set protocols bgp peer-group DAL13 address-family ipv4-unicast route-map export 'BGP-BACKBONE-OUT'
set protocols bgp peer-group DAL13 address-family ipv4-unicast route-map import 'BGP-BACKBONE-IN'
set protocols bgp peer-group DAL13 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp peer-group DAL13 bfd
set protocols bgp peer-group DAL13 ebgp-multihop '2'
set protocols bgp peer-group DAL13 remote-as '4242420668'
set protocols bgp peer-group DAL13 update-source 'dum0'
set protocols bgp peer-group DAL13v6 address-family ipv6-unicast route-map export 'BGP-BACKBONE-OUT'
set protocols bgp peer-group DAL13v6 address-family ipv6-unicast route-map import 'BGP-BACKBONE-IN'
set protocols bgp peer-group DAL13v6 address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp peer-group DAL13v6 bfd
set protocols bgp peer-group DAL13v6 ebgp-multihop '2'
set protocols bgp peer-group DAL13v6 remote-as '4242420668'
set protocols bgp peer-group DAL13v6 update-source 'dum0'
# INT / INTv6: remote-as equals system-as (4242420666). These groups send a
# default route (default-originate) and have no import/export route-map, so
# whatever these peers advertise is accepted unfiltered - confirm that this
# level of trust in the INT peers is intended.
set protocols bgp peer-group INT address-family ipv4-unicast default-originate
set protocols bgp peer-group INT address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp peer-group INT bfd
set protocols bgp peer-group INT remote-as '4242420666'
set protocols bgp peer-group INT update-source 'dum0'
set protocols bgp peer-group INTv6 address-family ipv6-unicast default-originate
set protocols bgp peer-group INTv6 address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp peer-group INTv6 bfd
set protocols bgp peer-group INTv6 remote-as '4242420666'
set protocols bgp peer-group INTv6 update-source 'dum0'
set protocols bgp system-as '4242420666'

# --- NTP --------------------------------------------------------------------
# NOTE(review): allow-client 0.0.0.0/0 and ::/0 lets any source address query
# this router's NTP service, and no firewall is visible in this listing. An
# NTP server open to every source is a common reflection/amplification and
# reconnaissance exposure; restrict allow-client to the prefixes that actually
# need time service.
set service ntp allow-client address '0.0.0.0/0'
set service ntp allow-client address '::/0'
set service ntp server 0.pool.ntp.org
set service ntp server 1.pool.ntp.org
set service ntp server 2.pool.ntp.org

# --- System -----------------------------------------------------------------
# Keep the last 200 configuration revisions.
set system config-management commit-revisions '200'
# NOTE(review): seven conntrack helper modules are enabled. Each helper parses
# application payloads and opens expectations for related connections, which
# widens the attack surface; keep only the helpers for protocols that really
# traverse this router.
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'vyos'
# NOTE(review): the encrypted-password value is a SHA-512 crypt ('$6$') hash
# that is published with this listing. Treat the corresponding password as
# disclosed (hashes can be attacked offline): set a fresh password on any
# system built from this configuration and prefer SSH public-key login.
# The empty plaintext-password looks like the placeholder that accompanies an
# already-hashed password - confirm it does not set an empty password.
set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
set system login user vyos authentication plaintext-password ''
# Syslog: only the 'global' (local) target is configured here; no remote log
# host appears in this listing, so logs stay on the router itself.
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
set system time-zone 'Europe/Berlin'