BGP Cookbook for Connecting to HFXIX


  • Public Autonomous System Number (ASN) as issued by ARIN. See the application form at
  • Edge router capable of running BGP4+. The memory requirements for peering with HFXIX are modest since there are only a few routes. However peering with an ISP may require handling over 500,000 routes and can be a memory hog if you do not use default routing. If you need more info, please ask.

Router Config

This router configuration is for Cisco. It can be adapted for JunOS, Quagga, BIRD, and others. Fields that are in red italics are ones that must be customized for each client.

Configure your router port. The actual IP addresses will be assigned to you by HFXIX. The lines that start “ipv6 nd” are there to make sure the router port does not advertise itself to IXP peers with IPv6 autoconfig router advertisements. Different router models may use slightly different syntax (e.g. “ipv6 nd prefix default no-advertise” and “ipv6 nd ra suppress”).

interface Gigx/x
 description HFXIX peering
 ip address 206.130.15.x
 ipv6 address 2001:504:37:10::xxx/64
 ipv6 nd prefix default no-autoconfig no-rtr-address
 ipv6 nd suppress-ra

Define a filter list called “My_IPv4_routes_out” (or whatever you want to call it) for locally sourced IPv4 routes, and do the same for IPv6. This is a useful filter for all your BGP peers since it prevents accidentally advertising one to the other and making you a transit between them.

ip prefix-list My_IPv4_routes_out description Outbound IPv4 routes filter list
ip prefix-list My_IPv4_routes_out permit
ipv6 prefix-list My_IPv6_routes_out description Outbound IPv6 routes filter list
ipv6 prefix-list My_IPv6_routes_out permit 2001:DB8:10::/48

Start the BGP configuration by identifying your own ASN. Both 16 bit and 32 bit ASNs are usable. An IXP such as HFXIX will not add its own ASN to BGP announcements, so the second line is required for the IXP announcements to be accepted.

router bgp 123456
no bgp enforce-first-as

Define the neighbors and set a password. The IP numbers in this example are the correct ones to use, but the password has to be coordinated with HFXIX technical staff.

neighbor remote-as 13770
neighbor description >>HFXIX Castor<<
neighbor password password
neighbor remote-as 13770
neighbor description >>HFXIX Pollux<<
neighbor password password

Same thing for IPv6.

neighbor 2001:504:37:10::20 remote-as 13770
neighbor 2001:504:37:10::20 description >>HFXIX Castor<<
neighbor 2001:504:37:10::20 password password
neighbor 2001:504:37:10::30 remote-as 13770
neighbor 2001:504:37:10::30 description >>HFXIX Pollux<<
neighbor 2001:504:37:10::30 password password

Still working under the “router bgp” clause, activate the IPv4 protocol and apply the prefix filter. The route map “HFXIX_community_out” and the filter-list “55” are also used to control route distribution (see “Filter ISP Routes” below).

Your upstream ISP might be peering at HFXIX. If so they will have their own policy about exchanging traffic with you via HFXIX. You can control whether you exchange BGP routes with them with the statements in green italics in this and the following sections.

address-family ipv4
 neighbor activate
 neighbor send-community
 neighbor soft-reconfiguration inbound
 neighbor route-map HFXIX_community_out out
 neighbor filter-list 55 in
 neighbor prefix-list My_IPv4_routes_out out
 neighbor activate
 neighbor soft-reconfiguration inbound
 neighbor send-community
 neighbor route-map HFXIX_community_out out
 neighbor filter-list 55 in
 neighbor prefix-list My_IPv4_routes_out out

…and activate the IPv6 sessions

address-family ipv6
 neighbor 2001:504:37:10::20 activate
 neighbor 2001:504:37:10::20 send-community
 neighbor 2001:504:37:10::20 soft-reconfiguration inbound
 neighbor 2001:504:37:10::20 route-map HFXIX_community_out out
 neighbor 2001:504:37:10::20 filter-list 55 in
 neighbor 2001:504:37:10::20 prefix-list My_IPv6_routes_out out
 neighbor 2001:504:37:10::30 activate
 neighbor 2001:504:37:10::30 send-community
 neighbor 2001:504:37:10::30 soft-reconfiguration inbound
 neighbor 2001:504:37:10::30 route-map HFXIX_community_out out
 neighbor 2001:504:37:10::30 filter-list 55 in
 neighbor 2001:504:37:10::30 prefix-list My_IPv6_routes_out out
Filter ISP Routes

Configurations from here down are optional depending on your arrangements with your upstream ISP.

You may not want to peer with your ISP via this connection, and your ISP may not want you to either. HFXIX can provide other mechanisms to easily set up an ISP peer, but for the sake of this configuration we may want to filter them out. Statements in green italics in this and the previous sections will do the filtering.

Add a community string to your advertisements to prevent them from being sent to your ISP. For the sake of this example we have assumed you have two ISPs with AS numbers 999 and 12345. This community string says “do not advertise me to ASN 999 or ASN 12345, but do advertise me to everyone else”. See

ip bgp-community new-format
route-map HFXIX_community_out permit 10
 set community 0:999
 set community 0:12345
 set community 13770:13770

You may also want to filter out incoming routes from your ISP via HFXIX if there are any (the ISP is likely already doing some filtering). In that case you should filter all incoming routes that have your ISP’s ASN as the first entry. We do that by defining an as-path access list that matches your ISP’s ASN as the first entry using a regular expression (regexp). The regexp in the example below says “filter out any AS path that starts with ASN 999 (note: not 9990 or 99923 etc.) or ASN 12345 and may include zero or more ASNs after that, but allow all others”.

For information on regular expressions, especially as they apply to BGP strings, see

ip as-path access-list 55 deny ^999_
ip as-path access-list 55 deny ^12345_
ip as-path access-list 55 permit .*