02-13-2007 10:44 PM - edited 03-03-2019 03:45 PM
Hi All,
Should any precautions be taken on BGP when peering between two ASs (one of them is private & the other is public)?
Thanks for your feedback,
02-14-2007 01:00 AM
Hello,
You should apply the proper inbound and outbound filters to be sure an ISP mistake will not get you in trouble. I am assuming your IP addresses to be announced are from network 1.1.0.0/16. An example configuration would look like this:
interface Ethernet0/1
description to ISP
ip address 1.4.5.2 255.255.255.252
router bgp 65000
network 1.1.0.0 mask 255.255.0.0
neighbor 1.4.5.1 remote-as 1
neighbor 1.4.5.1 prefix-list NoTrash in
neighbor 1.4.5.1 filter-list 1 out
no auto-summary
ip as-path access-list 1 permit ^$
ip prefix-list NoTrash deny 192.168.0.0/16 le 32
ip prefix-list NoTrash deny 172.16.0.0/12 le 32
ip prefix-list NoTrash deny 10.0.0.0/8 le 32
ip prefix-list NoTrash deny 1.1.0.0/16 le 32
ip prefix-list NoTrash permit 0.0.0.0/0 le 32
ip route 1.1.0.0 255.255.0.0 Null 0 250
This would announce only the official IP addresses to the ISP. Also, all RFC 1918 routes are blocked. You could extend this and use the BOGON list for filtering, but this would require more maintenance, because you have to adjust the filters from time to time. For a customer it should be sufficient to block all routes you potentially have internally.
This is just in case the ISP messes up his filters. The outgoing filter-list 1 is not really needed in such an environment, but with two ISPs it prevents the customer from becoming a transit AS. You can omit it if only one ISP is present.
Hope this helps! Please rate all posts.
Regards, Martin
02-14-2007 05:08 AM
Martin,
Can we not achieve the same with only one prefix entry, ip prefix-list NoTrash permit 0.0.0.0/0 le 32?
All others would be denied implicitly.
Narayan
02-14-2007 05:18 AM
Hi Narayan,
ip prefix-list NoTrash permit 0.0.0.0/0 le 32
means "everything", i.e. any route with a mask between /0 and /32.
This is like access-list 100 permit ip any any
As there will always be a match, nothing would be implicitly denied.
Hope this helps! Please use the rating system.
Regards, Martin
02-14-2007 06:42 AM
Sorry Martin,
I didn't read the le parameter.
What I wanted to ask was: if we use only 0.0.0.0/0 ge 32 le 32 as a prefix entry, it should allow only the default route and not anything else, and hence we need not deny the RFC 1918 addresses.
Narayan
02-14-2007 07:25 AM
Ok,
but this will only work if the SP sends the default route, which can of course be negotiated. In this case the following prefix list would be simpler yet do the same:
ip prefix-list NoTrash permit 0.0.0.0/0
This will only allow the default route.
Hope this helps!
Regards, Martin
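The prefix-list semantics discussed above, as an added example that is not from the thread or from Cisco: a small Python model of IOS prefix-list matching (first match wins, implicit deny at the end, ge/le bounding the accepted prefix length) run over a constructed set of announced routes. It evaluates Martin's NoTrash list, the single permit 0.0.0.0/0 le 32 entry, the 0.0.0.0/0 ge 32 le 32 entry from Narayan's question, and the plain permit 0.0.0.0/0 entry.

```python
from ipaddress import ip_network

def entry(action, prefix, ge=None, le=None):
    """One prefix-list line with IOS length semantics:
    no ge/le -> exact length; ge alone -> ge..32; le alone -> len..le."""
    net = ip_network(prefix, strict=False)
    lo = hi = net.prefixlen
    if ge is not None:
        lo, hi = ge, 32
    if le is not None:
        hi = le
    return (action, net, lo, hi)

def matches(ent, route):
    """A route matches when its leading bits lie in the entry's network
    and its prefix length falls inside the entry's ge/le window."""
    action, net, lo, hi = ent
    return lo <= route.prefixlen <= hi and route.network_address in net

def evaluate(prefix_list, route_str):
    """Walk the list in order; the first matching entry decides."""
    route = ip_network(route_str, strict=False)
    for ent in prefix_list:
        if matches(ent, route):
            return ent[0]
    return "deny"  # implicit deny at the end of every prefix-list

def filter_routes(prefix_list, routes):
    """Return the announced routes the list would accept, in order."""
    return [r for r in routes if evaluate(prefix_list, r) == "permit"]

# The four lists discussed in the thread.
NO_TRASH = [
    entry("deny", "192.168.0.0/16", le=32),
    entry("deny", "172.16.0.0/12", le=32),
    entry("deny", "10.0.0.0/8", le=32),
    entry("deny", "1.1.0.0/16", le=32),
    entry("permit", "0.0.0.0/0", le=32),
]
PERMIT_ALL = [entry("permit", "0.0.0.0/0", le=32)]
HOSTS_ONLY = [entry("permit", "0.0.0.0/0", ge=32, le=32)]
DEFAULT_ONLY = [entry("permit", "0.0.0.0/0")]

# Constructed sample of what an ISP might (wrongly) announce to us.
ANNOUNCED = ["0.0.0.0/0", "10.1.0.0/16", "1.1.0.0/16", "1.1.5.0/24",
             "198.51.100.0/24", "203.0.113.5/32"]

if __name__ == "__main__":
    for name, pl in [("NoTrash", NO_TRASH), ("permit 0/0 le 32", PERMIT_ALL),
                     ("permit 0/0 ge 32 le 32", HOSTS_ONLY),
                     ("permit 0/0", DEFAULT_ONLY)]:
        print(f"{name}: {filter_routes(pl, ANNOUNCED)}")
```

The ge 32 le 32 entry accepts only /32 host routes (the default route has length 0), which is why the plain permit 0.0.0.0/0 entry is the one that admits just the default.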
02-14-2007 07:40 AM
Thanks Martin.
Actually I have used the following configuration on my router. Hope the config accepts only the default even if other prefixes are sent:
router bgp xxxxx
neighbor x.x.x.x remote-as yyyy
neighbor x.x.x.x route-map acceptroutes in
route-map acceptroutes permit 10
match ip address 3
access-list 3 permit 0.0.0.0
Narayan
02-14-2007 07:45 AM
Narayan,
your config will achieve exactly this, though I personally prefer the prefix-list. You never know what you will need a route-map for in future ;-)
Besides, the prefix-list is easier to read (no scrolling through the config to find all the "ingredients").
Regards, Martin
02-16-2007 03:40 AM
Precaution? Remember not to propagate the private BGP AS number to the Internet.
One use of this type of configuration is for customers who subscribe to two uplink connections to the same ISP, with two subnets, using BGP load sharing for incoming traffic (plus link redundancy). Between the provider and the customer, they use a private BGP AS.
For the ISP not to propagate the private BGP AS to the Internet, the ISP should remove the private BGP AS number in its BGP configuration. See sample http://www.cisco.com/warp/public/459/36.html