Cisco router traditional bogons
Cisco router traditional bogons
This page aggregates all of the examples referenced on the Bogon Route Server Project (Bogons via BGP) page. Please see that page for full details of the Bogon Route Server Project, system requirements, caveats, etc.
router bgp <your asn>
neighbor x.x.x.x remote-as 65332
neighbor x.x.x.x ebgp-multihop 255
neighbor x.x.x.x description <your description>
neighbor x.x.x.x prefix-list cymru-out out
neighbor x.x.x.x route-map CYMRUBOGONS in
neighbor x.x.x.x password <your password>
neighbor x.x.x.x maximum-prefix 100 threshold 90
! You'll need to increase the maximum to at least 50000 with an
! appropriate thresholds if you're receiving one or both fullbogons
! feeds.
! Depending on IOS version, you may need to configure your router
! for new-style community syntax.
ip bgp-community new-format
! Set a bogon next-hop on all routers that receive the bogons.
ip route null0
! Configure a community list to accept the bogon prefixes into the
! route-map.
ip community-list 10 permit 65332:888
! Configure the route-map. Remember to apply it to the proper
! peering sessions.
route-map CYMRUBOGONS permit 10
description Filter bogons learned from bogon route-servers
match community 10
set ip next-hop
ip prefix-list cymru-out seq 5 deny le 32
Cisco peer-groups traditional bogons
With the advent of multiple bogon route-servers, the use of BGP peer-groups on Cisco routers is very convenient. Thanks to John Brown for the original example.
router bgp <your asn>
neighbor cymru-bogon peer-group
neighbor cymru-bogon ebgp-multihop 255
neighbor cymru-bogon description <general description>
neighbor cymru-bogon prefix-list cymru-out out
neighbor cymru-bogon route-map CYMRUBOGONS in
neighbor cymru-bogon maximum-prefix 100 threshold 90
! You'll need to increase the maximum to at least 50000 with an
! appropriate thresholds if you're receiving one or both fullbogons
! feeds.
neighbor x.x.x.x remote-as 65332
neighbor x.x.x.x peer-group cymru-bogon
neighbor x.x.x.x description <specific description>
neighbor x.x.x.x password <your password>
Juniper router traditional bogons
routing-options {
static {
route {
/* If you have declared as a bogon add this entry. */
martians { exact allow;
autonomous-system <your AS here>;
protocols {
bgp {
group CYMRU {
type external;
description "peering to receive bogons from CYMRU";
import CYMRU-bogons-in;
authentication-key "secretkey"; # SECRET-DATA
export deny-all;
peer-as 65332;
/* Below may also be expressed as "multihop 255;" depending on your version */
multihop {
ttl 255;
neighbor <bogon rs IP>;
local-address <your IP we are peering with>;
family inet {
unicast {
/* You'll need to increase the prefix limit below to
at least 50000 if you're receiving one or both of
the fullbogons feeds
prefix-limit {
maximum 100;
teardown 100;
policy-options {
policy-statement CYMRU-bogons-in {
term 1 {
from {
protocol bgp;
as-path CYMRU-private-asn;
community CYMRU-bogon-community;
then {
/* backup in case no-export is cleared internally */
community add dont-announce;
then reject; # default action
policy-statement deny-all {
then reject;
community dont-announce members <your as here>:<some community that supresses anouncements outside your as>;
community CYMRU-bogon-community members [ no-export 65332:888 ];
as-path CYMRU-private-asn 65332;
Force10 router traditional bogons
router bgp <your asn>
neighbor IPV4_BOGONS peer-group
neighbor IPV4_BOGONS route-map CYMRUBOGONS in
neighbor IPV4_BOGONS distribute-list CYMRU-OUT out
neighbor IPV4_BOGONS maximum-prefix 100 90
neighbor IPV4_BOGONS soft-reconfiguration inbound
neighbor IPV4_BOGONS no shutdown
neighbor x.x.x.x remote-as 65332
neighbor x.x.x.x peer-group IPV4_BOGONS
neighbor x.x.x.x description <your description>
neighbor x.x.x.x ebgp-multihop 255
neighbor x.x.x.x password <your password>
neighbor x.x.x.x no shutdown
! Set a bogon next-hop on all routers that receive the bogons.
ip route null0
! Configure a community list to accept the bogon prefixes into the
! route-map.
ip community-list CYMRU_COMMUNITY
permit 65332:888
! Configure the route-map. Remember to apply it to the proper
! peering sessions.
route-map CYMRU_BOGONS permit 10
description Filter bogons learned from bogon route-servers
match community CYMRU_COMMUNITY
set next-hop
ip prefix-list CYMRU_OUT
seq 5 deny any
OpenBSD bgpd traditional bogons
OpenBSD’s bgpd project can also be used to peer with the bogon route-servers. Our thanks to Pete Vickers for this example.
# config snippet for /etc/bgpd.conf
# Based on config by Pete Vickers 05/2004.
# Modified slightly to intermingle with pf, and
# also to apply policy to cymru-sourced routes
# received from IBGP peers.
# Configure sessions with cymru reprobates
group "peering bogon" {
remote-as 65332
local-address <MY-ROUTER-IP>
multihop 64
announce none
max-prefix 1000
# You'll need to increase the max-prefix number above to at least
# 50000 if you're receiving either or both of the fullbogons feeds
tcp md5sig password <PASSWORD>
# ... etc
# What to do with updates (can be used with updates from
# cymru peers, and also from IBGP peers if other routers
# in this AS also take a bogon feed). The "nexthop
# blackhole" is a little extraneous given the pf config,
# worth keeping in case the packet filter is disabled
# at any point.
allow from any community 65332:888 set pftable "bogons"
allow from any community 65332:888 set nexthop blackhole
# config snippet for /etc/pf.conf
table <bogons> persist
# no bogon sources or destinations
block quick from <bogons> to any
block quick from any to <bogons>
Mikrotik RouterOS traditional bogons
This example of how to configure a Mikrotik RouterOS box to use the Bogon Route Server Project is thanks to Ariel S. Weher.
# Config by Ariel S. Weher, based on Team Cymru's Cisco Template.
# Working in the 3.X version of Mikrotik RouterOS.
# 2009-02-06 Modified by Sam Norris, Fine Tuned. Removed static routes
# and used "set-type=blackhole".
/routing bgp instance
set default as=<YOUR_ASN_NUMBER> router-id=<Your router wan ip address>
/ip firewall address-list
add address=<SESSION#1.Team-Cymru's.IP.Address> comment="TEAM-CYMRU BOGON Server #1" \
disabled=no list=BGP-NEIGHBORS
add address=<SESSION#2.Team-Cymru's.IP.Address> comment="TEAM-CYMRU BOGON Server #2" \
disabled=no list=BGP-NEIGHBORS
/ip firewall filter
add action=accept chain=input comment="BGP Neighbors" disabled=no dst-port=179 \
protocol=tcp src-address-list=BGP-NEIGHBORS
# You'll need to increase the max-prefix-limit values in the lines below to
# at least 50000 if you're receiving either or both of the fullbogons feeds
/routing bgp peer
add comment="TEAM-CYMRU BOGON Server #1" hold-time=3m in-filter=BOGON-SERVER-IN \
instance=default max-prefix-limit=50 multihop=yes name=CYMRU-1 nexthop-choice=default \
out-filter=BGP-DROP remote-address=<SESSION#1.Team-Cymru's.IP.Address> \
remote-as=65332 route-reflect=no tcp-md5-key=<Password_Received_From_Cymru> ttl=255
add comment="TEAM-CYMRU BOGON Server #2" hold-time=3m in-filter=BOGON-SERVER-IN \
instance=default max-prefix-limit=50 multihop=yes name=CYMRU-1 nexthop-choice=default \
out-filter=BGP-DROP remote-address=<SESSION#2.Team-Cymru's.IP.Address> \
remote-as=65332 route-reflect=no tcp-md5-key=<Password_Received_From_Cymru> ttl=255
/routing filter
add action=accept bgp-communities=65332:888 chain=BOGON-SERVER-IN comment="" \
disabled=no invert-match=no set-type=blackhole
add action=discard chain=BOGON-SERVER-IN comment="" disabled=no invert-match=no
add action=discard chain=BGP-DROP comment="" disabled=no invert-match=no
Cisco fullbogons IPv4 and IPv6 (IPv4 transport)
router bgp <your asn>
! Session 1
neighbor A.B.C.D remote-as 65332
neighbor A.B.C.D description <your description>
neighbor A.B.C.D ebgp-multihop 255
neighbor A.B.C.D password <your password>
! Session 2
neighbor E.F.G.H remote-as 65332
neighbor E.F.G.H description <your description>
neighbor E.F.G.H ebgp-multihop 255
neighbor E.F.G.H password <your password>
address-family ipv4
! Session 1
neighbor A.B.C.D activate
neighbor A.B.C.D soft-reconfiguration inbound
neighbor A.B.C.D prefix-list cymru-out-v4 out
neighbor A.B.C.D route-map CYMRUBOGONS-V4 in
! Session 2
neighbor E.F.G.H activate
neighbor E.F.G.H soft-reconfiguration inbound
neighbor E.F.G.H prefix-list cymru-out-v4 out
neighbor E.F.G.H route-map CYMRUBOGONS-V4 in
address-family ipv6
! Session 1
neighbor A.B.C.D activate
neighbor A.B.C.D soft-reconfiguration inbound
neighbor A.B.C.D prefix-list cymru-out-v6 out
neighbor A.B.C.D route-map CYMRUBOGONS-V6 in
! Session 2
neighbor E.F.G.H activate
neighbor E.F.G.H soft-reconfiguration inbound
neighbor E.F.G.H prefix-list cymru-out-v6 out
neighbor E.F.G.H route-map CYMRUBOGONS-V6 in
! Depending on IOS version, you may need to configure your router
! for new-style community syntax.
ip bgp-community new-format
ip community-list 100 permit 65332:888
ip route Null0
ip prefix-list cymru-out-v4 seq 5 deny le 32
ipv6 route 0100::/64 Null0
ipv6 prefix-list cymru-out-v6 seq 5 deny ::/0 le 128
route-map CYMRUBOGONS-V6 permit 10
description IPv6 Filter bogons learned from bogon route-servers
match community 100
set ipv6 next-hop 0100::
route-map CYMRUBOGONS-V4 permit 10
description IPv4 Filter bogons learned from bogon route-servers
match community 100
set ip next-hop
Note: You can receive both IPv4 and IPv6 fullbogons over IPv4 transport. If you only requested one set of fullbogons, simply remove all references to the other set from the example above.
Cisco fullbogons IPv4 and IPv6 (IPv6 transport)
Thanks to Thomas Brandstetter for this example of configuring a Cisco router to receive the IPv4 and IPv6 fullbogons over IPv6 transit.
router bgp <your asn>
neighbor XXXX:XXX:XXXX::XXXX:XXXX remote-as 65332
neighbor XXXX:XXX:XXXX::XXXX:XXXX description <your description>
neighbor XXXX:XXX:XXXX::XXXX:XXXX ebgp-multihop 255
neighbor XXXX:XXX:XXXX::XXXX:XXXX password <your password>
address-family ipv4
neighbor XXXX:XXX:XXXX::XXXX:XXXX activate
neighbor XXXX:XXX:XXXX::XXXX:XXXX soft-reconfiguration inbound
neighbor XXXX:XXX:XXXX::XXXX:XXXX prefix-list cymru-out-v4 out
address-family ipv6
neighbor XXXX:XXX:XXXX::XXXX:XXXX activate
neighbor XXXX:XXX:XXXX::XXXX:XXXX soft-reconfiguration inbound
neighbor XXXX:XXX:XXXX::XXXX:XXXX prefix-list cymru-out-v6 out
! Depending on IOS version, you may need to configure your router
! for new-style community syntax.
ip bgp-community new-format
ip community-list 100 permit 65332:888
ip route Null0
ip prefix-list cymru-out-v4 seq 5 deny le 32
ipv6 route 0100::/64 Null0
ipv6 prefix-list cymru-out-v6 seq 5 deny ::/0 le 128
route-map CYMRUBOGONS-V6 permit 10
description IPv6 Filter bogons learned from bogon route-servers
match community 100
set ipv6 next-hop 0100::
route-map CYMRUBOGONS-V4 permit 10
description IPv4 Filter bogons learned from bogon route-servers
match community 100
set ip next-hop
Note: You can receive both IPv4 and IPv6 fullbogons over IPv6 transport. If you only requested one set of fullbogons, simply remove all references to the other set from the example above.
Juniper JunOS Fullbogons IPv4 and IPv6
Thanks to David Hill at Hostcentral for the below example!
* Define BGP peer group
delete protocols bgp group cymru-bogons
set protocols bgp group cymru-bogons type external
set protocols bgp group cymru-bogons description "cymru fullbogon bgp feed (ipv4 + 6)"
set protocols bgp group cymru-bogons multihop ttl 255
set protocols bgp group cymru-bogons import cymru-bogons-in
* Define MD5 password in quotes
set protocols bgp group cymru-bogons authentication-key "<YOUR PASSWORD>"
set protocols bgp group cymru-bogons export deny-all
set protocols bgp group cymru-bogons peer-as 65332
* Replace values below as appropriate
set protocols bgp group cymru-bogons neighbor A.B.C.D local-address <YOUR IP>
set protocols bgp group cymru-bogons neighbor A.B.C.D family inet unicast
set protocols bgp group cymru-bogons neighbor A.B.C.D family inet6 unicast
set protocols bgp group cymru-bogons neighbor E.F.G.H local-address <YOUR IP>
set protocols bgp group cymru-bogons neighbor E.F.G.H family inet unicast
set protocols bgp group cymru-bogons neighbor E.F.G.H family inet6 unicast
* Define CYMRU import policy
delete policy-options policy-statement cymru-bogons-in
set policy-options policy-statement cymru-bogons-in term 1 from family inet
set policy-options policy-statement cymru-bogons-in term 1 from community comm-cymru-bogon
set policy-options policy-statement cymru-bogons-in term 1 then community add no-export
set policy-options policy-statement cymru-bogons-in term 1 then next-hop discard
set policy-options policy-statement cymru-bogons-in term 1 then accept
set policy-options policy-statement cymru-bogons-in term 2 from family inet6
set policy-options policy-statement cymru-bogons-in term 2 from community comm-cymru-bogon
set policy-options policy-statement cymru-bogons-in term 2 then community add no-export
set policy-options policy-statement cymru-bogons-in term 2 then next-hop discard
set policy-options policy-statement cymru-bogons-in term 2 then accept
set policy-options policy-statement cymru-bogons-in then reject
* Define deny-all export policy
delete policy-options policy-statement deny-all
set policy-options policy-statement deny-all then reject
* Define CYMRU Bogon community
delete policy-options community comm-cymru-bogon
set policy-options community comm-cymru-bogon members no-export
set policy-options community comm-cymru-bogon members 65332:888
* Define internal no-export community
delete policy-options community comm-no-export
set policy-options community comm-no-export members no-export
Quagga fullbogons IPv6
The following example will import and null-route the IPv6 fullbogons, peered over IPv4 transit, using the Quagga software router package.
router bgp <your asn>
no bgp default ipv4-unicast
timers bgp 3600 10800
neighbor cymru-bogon peer-group
neighbor cymru-bogon remote-as 65332
neighbor cymru-bogon ebgp-multihop 255
neighbor cymru-bogon activate
neighbor cymru-bogon soft-reconfiguration inbound
neighbor cymru-bogon prefix-list cymru-out out
neighbor cymru-bogon route-map CYMRUBOGONS in
neighbor xx.xx.xx.xx peer-group cymru-bogon
address-family ipv6
neighbor cymru-bogon activate
neighbor cymru-bogon prefix-list v6cymru-out out
neighbor xx.xx.xx.xx peer-group cymru-bogon
neighbor xx.xx.xx.xx soft-reconfiguration inbound
ip prefix-list cymru-except description Don't want to import these networks
ip prefix-list cymru-except seq 20 permit ge 8
ipv6 prefix-list cymru-out seq 5 deny ::/0 le 128
ipv6 prefix-list v6cymru-out seq 5 deny any
ip community-list 10 permit 65332:888
route-map CYMRUBOGONS permit 10
description Filter bogons learned from bogon route-servers
match community 10
match ip address prefix-list cymru-except
set ip next-hop
set ipv6 next-hop global 0100::
If you wish to receive both IPv4 and IPv6 fullbogons over the same peering session, you will typically need to replicate the statements in the above example’s “address-family ipv6” section to an “address-family ipv4” section, with an appropriate change to the prefix-list applied to the peer-group.
Mikrotik RouterOS fullbogons
# Full Bogons Mikrotik Template
# Work on RouterOS 4.X
# 2010-11-01 by Ricardo Ozelo
# BGP instance setup
/routing bgp instance set default as=<YOUR_ASN> \
# ROUTING FILTERS - Install these routes as blackholes,
# does NOT receive or announce anything else
/routing filter add action=accept bgp-communities=65332:888 \
chain=cymru-in comment="" disabled=no invert-match=no \
/routing filter add action=discard chain=cymru-in comment="" \
disabled=no invert-match=no
/routing filter add action=discard chain=cymru-out comment="" \
disabled=no invert-match=no
# Peering #1
/routing bgp peer add address-families=ip,ipv6 disabled=no in-filter=cymru-in \
instance=default multihop=yes name=FULLBOGONS-CYMRU-1 out-filter=cymru-out \
remote-address=<CYMRU_IP_ADDRESS_1> remote-as=65332 tcp-md5-key=<CYMRU_MD5_PASSWORD>
# Peering #2
/routing bgp peer add address-families=ip,ipv6 disabled=no in-filter=cymru-in \
instance=default multihop=yes name=FULLBOGONS-CYMRU-2 out-filter=cymru-out \
remote-address=<CYMRU_IP_ADDRESS_2> remote-as=65332 tcp-md5-key=<CYMRU_MD5_PASSWORD>
BIRD Internet Routing Daemon fullbogons
Courtesy of Miłosz Oller.
PLEASE NOTE: As of version 1.3.11 Bird does not allow you to run IPv4 and IPv6 simultaneously. Therefore you should use EITHER bgp_cymru_v4_1 and bgp_cymru_v4_2 OR bgp_cymru_v6_1 and bgp_cymru_v6_2 in your config. x For dual-stack systems can run two instances of Bird with one peering over IPv4 and the other over IPv6.
filter cymru_bogons_import
filter cymru_bogons_export
protocol bgp bgp_cymru_v4_1 {
description "Cymru Bogons RS1";
import filter cymru_bogons_import;
export filter cymru_bogons_export;
multihop 255;
password "pass_here";
local as my_asn;
neighbor X.X.X.X as 65332;
source address IPv4_here;
protocol bgp bgp_cymru_v4_2 {
description "Cymru Bogons RS2";
import filter cymru_bogons_import;
export filter cymru_bogons_export;
multihop 255;
password "pass_here";
local as my_asn;
neighbor as 65332;
source address IPv4_here;
protocol bgp bgp_cymru_v6_1 {
description "Cymru Bogons RS1 v6";
import filter cymru_bogons_import;
export filter cymru_bogons_export;
multihop 255;
password "pass_here";
local as my_asn;
neighbor 2620:0:6B0::26E5:4207 as 65332;
source address IPv6_here;
protocol bgp bgp_cymru_v6_2 {
description "Cymru Bogons RS2 v6";
import filter cymru_bogons_import;
export filter cymru_bogons_export;
multihop 255;
password "pass_here";
local as my_asn;
neighbor 2001:B30:1000:19::2 as 65332;
source address IPv6_here;
Cisco ASA Firewalls fullbogons
Courtesy of Abe Marji.
PLEASE NOTE: ASA Firewalls began supporting BGP as of version 9.2.
! ASA 55xx - IOS Version 9.2.1
conf terminal
! Prefix list used to BLOCK any route annoucement to Cymru Service
prefix-list CYMRU-OUT-V4 seq 1000 deny le 32
! We like bgp new-format
bgp-community new-format
! create a new community list, 100, to validate Cymru ASN:Community
community-list expanded 100 permit 65332:888
! Route map is used to set the next hop for any route being learned with a Cyrmu community tag to specific route which points to null0
route-map CYMRU-IN-V4 permit 10
match community 100
set ip next-hop
! Basic BGP Routing configuration
router bgp [your_ASN_here]
bgp log-neighbor-changes
timers bgp 15 45 0
address-family ipv4 unicast
neighbor [Cymru bgp peer1 IP] remote-as [Cymru ASN]
neighbor [Cymru bgp peer1 IP] description Cymru Peer 1
neighbor [Cymru bgp peer1 IP] ebgp-multihop 255
neighbor [Cymru bgp peer1 IP] password [password]
neighbor [Cymru bgp peer1 IP] version 4
neighbor [Cymru bgp peer1 IP] activate
neighbor [Cymru bgp peer1 IP] send-community
neighbor [Cymru bgp peer1 IP] prefix-list CYMRU-OUT-V4 out
neighbor [Cymru bgp peer1 IP] route-map CYMRU-IN-V4 in
neighbor [Cymru bgp peer2 IP] remote-as [Cymru ASN]
neighbor [Cymru bgp peer2 IP] description Cymru Peer 2
neighbor [Cymru bgp peer2 IP] ebgp-multihop 255
neighbor [Cymru bgp peer2 IP] password [password]
neighbor [Cymru bgp peer2 IP] version 4
neighbor [Cymru bgp peer2 IP] activate
neighbor [Cymru bgp peer2 IP] send-community
neighbor [Cymru bgp peer2 IP] prefix-list CYMRU-OUT-V4 out
neighbor [Cymru bgp peer2 IP] route-map CYMRU-IN-V4 in
maximum-paths 2
default-information originate
no auto-summary
no synchronization
! Create a dummy route pointing to Null0
route Null0 1
! Route Cymru BGP Peer IP's
route outside [Cymru bgp peer1 IP] [Your Next Hop] 1
route outside [Cymru bgp peer2 IP] [Your Next Hop] 1
Nokia SR OS IPv4 and IPv6 Classic CLI
Courtesy of Greg Hankins
# TiMOS-B-16.0.R3 both/hops64 Nokia 7750 SR Copyright (c) 2000-2018 Nokia.
# All rights reserved. All use subject to applicable license agreements.
# Built on Wed Aug 29 12:48:09 PDT 2018 by builder in /builds/160B/R3/panos/main
# Generated WED OCT 17 07:51:05 2018 UTC
exit all
echo "Router (Network Side) Configuration"
router Base
echo "Static Route Configuration"
static-route-entry X.X.X.X
no shutdown
static-route-entry X:X:X:X
no shutdown
echo "Router (Service Side) Configuration"
router Base
echo "Policy Configuration"
policy-statement "DENY_ALL"
default-action drop
policy-statement "RP_IMPORT_BOGONS"
entry 10
protocol bgp
family ipv4
action accept
next-hop X.X.X.X
entry 20
protocol bgp
family ipv6
action accept
next-hop X:X:X:X
default-action drop
echo "BGP Configuration"
group "BOGONS"
description "Team Cymru Bogons"
multihop 255
export "DENY_ALL"
neighbor X.X.X.X
description "Team Cymru Bogons IPv4 Session #1"
family ipv4
prefix-limit ipv4 10000
peer-as 65332
neighbor X.X.X.X
description "Team Cymru Bogons IPv4 Session #2"
family ipv4
prefix-limit ipv4 10000
peer-as 65332
neighbor X:X:X:X
description "Team Cymru Bogons IPv6 Session #1"
family ipv6
prefix-limit ipv6 150000
peer-as 65332
neighbor X:X:X:X
description "Team Cymru Bogons IPv6 Session #2"
family ipv6
prefix-limit ipv6 150000
peer-as 65332
no shutdown
exit all
Nokia SR OS IPv4 and IPv6 MD-CLI
Courtesy of Greg Hankins
# TiMOS-B-16.0.R3 both/hops64 Nokia 7750 SR Copyright (c) 2000-2018 Nokia.
# All rights reserved. All use subject to applicable license agreements.
# Built on Wed Aug 29 12:48:09 PDT 2018 by builder in /builds/160B/R3/panos/main
# Generated THU OCT 18 01:47:26 2018 UTC
configure {
policy-options {
policy-statement "DENY_ALL" {
default-action {
action-type reject
policy-statement "RP_IMPORT_BOGONS" {
entry 10 {
from {
family [ipv4]
protocol {
name [bgp]
action {
action-type accept
next-hop "X.X.X.X"
entry 20 {
from {
family [ipv6]
protocol {
name [bgp]
action {
action-type accept
next-hop "X:X:X:X"
default-action {
action-type reject
router "Base" {
bgp {
group "BOGONS" {
description "Team Cymru Bogons"
multihop 255
import {
export {
policy ["DENY_ALL"]
neighbor "X.X.X.X" {
description "Team Cymru Bogons IPv4 Session #1"
group "BOGONS"
peer-as 65332
family {
ipv4 true
authentication-key {
prefix-limit ipv4 {
maximum 10000
neighbor "X.X.X.X" {
description "Team Cymru Bogons IPv4 Session #2"
group "BOGONS"
peer-as 65332
family {
ipv4 true
authentication-key {
prefix-limit ipv4 {
maximum 10000
neighbor "X:X:X:X" {
description "Team Cymru Bogons IPv6 Session #1"
group "BOGONS"
peer-as 65332
family {
ipv6 true
authentication-key {
prefix-limit ipv6 {
maximum 150000
neighbor "X:X:X:X" {
description "Team Cymru Bogons IPv6 Session #2"
group "BOGONS"
peer-as 65332
family {
ipv6 true
authentication-key {
prefix-limit ipv6 {
maximum 150000
static-routes {
route X.X.X.X route-type unicast {
blackhole {
admin-state enable
route X:X:X:X route-type unicast {
blackhole {
admin-state enable
Cisco IOS-XR Fullbogons
Courtesy of Fulvio Picecchi
PLEASE NOTE: For traditional bogons you only need to update the remote-as directive.
router bgp
neighbor x.x.x.x
remote-as 65332
ebgp-multihop 255
password clear
description Team CYMRU full bogons
! Establish BGP session from local IP address
update-source Loopback0
address-family ipv4 unicast
route-policy CYMRU-IN in
! You may need to adjust depending to actual levels
maximum-prefix 5000 85
route-policy CYMRU-OUT out
soft-reconfiguration inbound always
remote-as 65332
ebgp-multihop 255
password clear
description Team CYMRU full bogons
! Establish BGP session from local IP address
update-source Loopback0
address-family ipv6 unicast
route-policy CYMRU-IN in
! You may need to adjust depending to actual levels
maximum-prefix 100000 90
route-policy CYMRU-OUT out
soft-reconfiguration inbound always
interface Loopback0
ipv4 address x.x.x.x
ipv6 address XXXX:XXX:XXXX::XXXX:XXXX/128
! set next-hop discard has been introduced in Cisco IOS XR Version 4.3.0
! if not available you may need to configure your router with local route to
route-policy CYMRU-IN
if community matches-every (65332:888, no-export) then
set next-hop discard
route-policy CYMRU-OUT
! Don't export anything to Team Cymru
Huawei NE20E
bgp <ASN number>
peer A.B.C.D as-number 65332
peer A.B.C.D description CYMRU_BOGONS.v4
peer A.B.C.D ebgp-max-hop 255
peer A.B.C.D password cipher
peer XXXX:XXXX::XXXX:XXXX as-number 65332
peer XXXX:XXXX::XXXX:XXXX ebgp-max-hop 255
peer XXXX:XXXX::XXXX:XXXX password cipher
ipv4-family unicast
peer A.B.C.D enable
peer A.B.C.D route-policy CYMRU_BOGONS-in import
peer A.B.C.D route-policy CYMRU_BOGONS-out export # ipv6-family unicast
peer XXXX:XXXX::XXXX:XXXX enable
peer XXXX:XXXX::XXXX:XXXX route-policy CYMRU_BOGONS_v6-in import
peer XXXX:XXXX::XXXX:XXXX route-policy CYMRU_BOGONS_v6-out export
route-policy CYMRU_BOGONS-in permit node 10
if-match community-filter 2
apply ip-address next-hop
route-policy CYMRU_BOGONS-out deny node 10
if-match ip-prefix CYMRU_BOGONS-out
route-policy CYMRU_BOGONS_v6-in permit node 10
if-match community-filter 2
apply ipv6 next-hop 0100::
route-policy CYMRU_BOGONS_v6-out deny node 10
if-match ipv6 address prefix-list CYMRU_BOGONS_v6-out
ip ip-prefix CYMRU_BOGONS-out index 10 deny 0 less-equal 32
ip community-filter 2 permit 888
ip community-filter 2 permit 65332:888
ip community-filter 2 permit no-advertise
ip community-filter 2 permit no-export
ip route-static NULL0 description
ipv6 route-static 0100:: 64 NULL0 description BLACKHOLE_BOGONS
ip ipv6-prefix CYMRU_BOGONS_v6-out index 10 deny :: 0 less-equal 128