@shsingh
Last active March 20, 2023 00:32
F5 CGNAT using CGNAT module with BGP for LSN advertising
- Ensure 'bash' access to device
- SSH into device
- Configure device before BGP
router bgp <BGP_ASN>
no bgp default ipv4-unicast
bgp log-neighbor-changes
bgp graceful-restart restart-time 30
redistribute kernel
timers bgp 4 12
neighbor <BGP_NEIGHBOUR_SUBSCRIBER_PEER> remote-as <BGP_REMOTE_AS_SUBSCRIBER_PEER>
neighbor <BGP_NEIGHBOUR_SUBSCRIBER_PEER> fall-over bfd
neighbor <BGP_NEIGHBOUR_SUBSCRIBER_PEER> activate
neighbor <BGP_NEIGHBOUR_SUBSCRIBER_PEER> next-hop-self
neighbor <BGP_NEIGHBOUR_SUBSCRIBER_PEER> soft-reconfiguration inbound
neighbor <BGP_NEIGHBOUR_SUBSCRIBER_PEER> prefix-list ipv4-subscriber-only in
neighbor <BGP_NEIGHBOUR_SUBSCRIBER_PEER> prefix-list default-only out
neighbor <BGP_NEIGHBOUR_INTERNET_PEER> remote-as <BGP_REMOTE_AS_INTERNET_PEER>
neighbor <BGP_NEIGHBOUR_INTERNET_PEER> fall-over bfd
neighbor <BGP_NEIGHBOUR_INTERNET_PEER> activate
neighbor <BGP_NEIGHBOUR_INTERNET_PEER> soft-reconfiguration inbound
neighbor <BGP_NEIGHBOUR_INTERNET_PEER> prefix-list default-only in
neighbor <BGP_NEIGHBOUR_INTERNET_PEER> prefix-list ipv4-cgnat-only out
!
!
ip prefix-list default-only seq 5 permit 0.0.0.0/0
ip prefix-list ipv4-cgnat-only seq 5 permit <CGNAT_V4_CIDR>
ip prefix-list ipv4-subscriber-only seq 5 permit <SUBSCRIBER_V4_CIDR>
!
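The three prefix-lists above are the whole route-leak guard in this design: the subscriber peer may only send us the subscriber block and only ever hears a default route, and the internet peer may only send us a default route and only ever hears the CGNAT pool. The following Python simulation is an added example written for this page (it is not part of the gist or of any F5 or ZebOS software) that models those lists and peer bindings so you can see which UPDATEs pass in each direction. The placeholders are filled with constructed sample values: 203.0.113.0/24 for <CGNAT_V4_CIDR> and 100.64.0.0/10 for <SUBSCRIBER_V4_CIDR>.

```python
import ipaddress

# Constructed stand-ins for the gist's placeholders (samples, not deployment values).
CGNAT_V4_CIDR = "203.0.113.0/24"       # public pool the LSN translates into
SUBSCRIBER_V4_CIDR = "100.64.0.0/10"   # RFC 6598 shared space on the subscriber side

# The three prefix-lists from the router bgp block: name -> [(seq, action, prefix)].
PREFIX_LISTS = {
    "default-only": [(5, "permit", "0.0.0.0/0")],
    "ipv4-cgnat-only": [(5, "permit", CGNAT_V4_CIDR)],
    "ipv4-subscriber-only": [(5, "permit", SUBSCRIBER_V4_CIDR)],
}

# Which list each neighbour gets in each direction, as bound with "prefix-list ... in/out".
NEIGHBOR_POLICY = {
    "subscriber": {"in": "ipv4-subscriber-only", "out": "default-only"},
    "internet": {"in": "default-only", "out": "ipv4-cgnat-only"},
}


def prefix_list_permits(list_name, prefix):
    """Evaluate a prefix-list the way a Cisco/ZebOS-style router does:
    entries are tried in sequence order, the first match decides, and an
    implicit deny applies when nothing matches.  An entry written without
    'ge'/'le' (as all three entries in the gist are) matches only that
    exact prefix and length, never a more or less specific route."""
    net = ipaddress.ip_network(prefix, strict=False)
    for _seq, action, entry in sorted(PREFIX_LISTS[list_name]):
        if net == ipaddress.ip_network(entry, strict=False):
            return action == "permit"
    return False


def accepted_from(peer, prefix):
    """Would an UPDATE carrying `prefix` from `peer` pass the inbound filter?"""
    return prefix_list_permits(NEIGHBOR_POLICY[peer]["in"], prefix)


def advertised_to(peer, prefix):
    """Would we announce `prefix` to `peer` through the outbound filter?"""
    return prefix_list_permits(NEIGHBOR_POLICY[peer]["out"], prefix)


def filter_updates(peer, direction, prefixes):
    """Split a batch of prefixes into (permitted, denied) for one direction."""
    check = accepted_from if direction == "in" else advertised_to
    permitted = [p for p in prefixes if check(peer, p)]
    denied = [p for p in prefixes if not check(peer, p)]
    return permitted, denied


if __name__ == "__main__":
    # Constructed candidate routes: what redistribution could offer outbound
    # and what each peer might try to send us inbound.
    candidates = ["0.0.0.0/0", CGNAT_V4_CIDR, SUBSCRIBER_V4_CIDR, "100.64.0.0/11", "10.0.0.0/8"]
    for peer in NEIGHBOR_POLICY:
        for direction in ("in", "out"):
            ok, dropped = filter_updates(peer, direction, candidates)
            print(f"{peer:10s} {direction:3s} permit={ok} deny={dropped}")
```

Two things the run makes visible: the subscriber block is never announced towards the internet peer regardless of what `redistribute kernel` picks up, and because none of the entries carries `le`, a more specific announcement such as 100.64.0.0/11 from the subscriber peer is dropped as well. If the subscriber side is expected to advertise more specifics, the inbound list needs an explicit `le` bound rather than a wider exact match.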
############################# POWER UP #############################
tmsh modify sys management-route default gateway <OOB_DEFAULT_ROUTE>
tmsh save sys config
### Activate License
get_dossier -b <key>
### log into the license portal and get a license for the dossier
cd /config
vi bigip.license
:%d
### paste the content of the provided license and save and exit
:wq
### Reload License
reloadlic
#### Enable CGNAT
tmsh mod sys feature-module cgnat enabled
tmsh save sys config
#### Change Device Name ####
tmsh modify /sys global-settings hostname <DEVICE_HOSTNAME>
tmsh save sys config
#### Renew cert
bigstart stop httpd
cd /config/httpd/conf/ssl.crt/
mv -f server.crt server.crt.old
cd /config/httpd/conf/ssl.key/
mv -f server.key server.key.old
tmsh create sys crypto key server.key consumer webserver key-type rsa-private security-type normal key-size 2048
tmsh create sys crypto cert server.crt consumer webserver key server.key lifetime 3650 common-name <DEVICE_HOSTNAME> organization <ORGANISATION> ou <CITY_CODE> city <CITY> state <STATE> country <COUNTRY>
bigstart start httpd
##### Create Trunks
tmsh create net trunk <TRUNK_NAME> interfaces add { <INTERFACES_IN_TRUNK> } lacp enabled lacp-mode passive lacp-timeout long distribution-hash src-dst-ipport link-select-policy auto
##### Create VLANs
tmsh create net vlan vl_subscriber app-service none cmp-hash src-ip interfaces add { <TRUNK_NAME> { tagged } } tag <VLAN_SUBSCRIBER>
tmsh create net vlan vl_internet app-service none cmp-hash dst-ip interfaces add { <TRUNK_NAME> { tagged } } tag <VLAN_INTERNET>
tmsh create net vlan vl_control app-service none cmp-hash src-ip interfaces add { <TRUNK_NAME> { tagged } } tag <VLAN_CONTROL>
#### Create Route Domains
### route domains take VLAN names (created above), not the 802.1Q tag numbers
tmsh create net route-domain Internet { id 100 routing-protocol { BGP } vlans { vl_internet vl_subscriber } }
tmsh create net route-domain Control { id 500 routing-protocol { OSPFv2 } vlans { vl_control } }
#### create SELF IPs
### the %100 / %500 suffix must match the route domain that owns the VLAN
tmsh create net self self_subscriber_v4 { address <SELFIP_SUBSCRIBER_V4>%100/<SELFIP_SUBSCRIBER_V4_SUBNET_MASK> traffic-group traffic-group-1 vlan vl_subscriber }
tmsh create net self self_internet_v4 { address <SELFIP_INTERNET_V4>%100/<SELFIP_INTERNET_V4_SUBNET_MASK> traffic-group traffic-group-1 vlan vl_internet }
tmsh create net self self_control_v4 { address <SELFIP_CONTROL_V4>%500/<SELFIP_CONTROL_V4_SUBNET_MASK> traffic-group traffic-group-1 vlan vl_control }
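The VLAN, route-domain and self-IP commands above have to agree with each other: route domains reference VLANs by name, and the %id suffix on each self IP has to be the route domain that owns that VLAN, otherwise tmsh rejects the object or, worse, the self IP ends up in route domain 0. The script below is an added example written for this page (not part of the gist and not an F5 tool) that runs those consistency checks on a plan before anything is typed into tmsh. The VLAN and self-IP object names are the gist's own; the tags, route-domain members and addresses are constructed samples standing in for the placeholders.

```python
import ipaddress

# Constructed plan mirroring the gist's objects (tags and addresses are samples).
VLANS = {"vl_subscriber": 101, "vl_internet": 102, "vl_control": 503}     # name -> 802.1Q tag
ROUTE_DOMAINS = {100: ["vl_internet", "vl_subscriber"], 500: ["vl_control"]}  # id -> member VLANs
SELF_IPS = {   # name -> (address exactly as typed in tmsh, VLAN it is bound to)
    "self_subscriber_v4": ("100.64.0.1%100/24", "vl_subscriber"),
    "self_internet_v4": ("203.0.113.1%100/24", "vl_internet"),
    "self_control_v4": ("10.0.0.1%500/24", "vl_control"),
}


def parse_self_ip(spec):
    """Split BIG-IP's 'addr%rd/prefixlen' notation into (ip_interface, route_domain_id).
    Without a '%rd' part the address belongs to route domain 0, the default."""
    addr, sep, rest = spec.partition("%")
    if sep:
        rd_str, _, plen = rest.partition("/")
        rd = int(rd_str)
    else:
        addr, _, plen = spec.partition("/")
        rd = 0
    return ipaddress.ip_interface(f"{addr}/{plen}"), rd


def check_plan(vlans, route_domains, self_ips):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []

    # 802.1Q tags must be valid and unique across the VLANs on the trunk.
    for name, tag in vlans.items():
        if not 1 <= tag <= 4094:
            problems.append(f"{name}: tag {tag} outside 1-4094")
    if len(set(vlans.values())) != len(vlans):
        problems.append("duplicate 802.1Q tags across VLANs")

    # Each VLAN may live in at most one route domain and must reference a defined VLAN name.
    owner = {}
    for rd, members in route_domains.items():
        for v in members:
            if v not in vlans:
                problems.append(f"route-domain {rd}: vlan '{v}' is not defined (a tag number instead of a name?)")
            elif v in owner:
                problems.append(f"vlan '{v}' is in both route-domain {owner[v]} and {rd}")
            else:
                owner[v] = rd

    # The %rd on a self IP must be the route domain that owns its VLAN.
    for name, (spec, vlan) in self_ips.items():
        iface, rd = parse_self_ip(spec)
        if vlan not in vlans:
            problems.append(f"{name}: vlan '{vlan}' is not defined")
            continue
        expected = owner.get(vlan, 0)
        if rd != expected:
            problems.append(f"{name}: address uses %{rd} but '{vlan}' lives in route-domain {expected}")
        if iface.network.prefixlen < 31 and iface.ip in (
            iface.network.network_address, iface.network.broadcast_address
        ):
            problems.append(f"{name}: {iface.ip} is the network or broadcast address")
    return problems


if __name__ == "__main__":
    for line in check_plan(VLANS, ROUTE_DOMAINS, SELF_IPS) or ["plan is consistent"]:
        print(line)
```

Feeding it a plan where the route domain lists a tag number instead of a VLAN name, or where a self IP carries the wrong %id, produces one line per mismatch, which is cheaper to find here than after the self IP has silently landed in the wrong routing table.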