01-20-2008 06:15 AM - edited 03-03-2019 08:19 PM
Hi,
I configured BGP and it is up and running. However, I have some concerns about the routing. Following is the config:
!bgp router
router bgp 123
bgp log-neighbor-changes
neighbor x.x.x.x remote-as 45
neighbor x.x.x.x description connect to provider A
neighbor y.y.y.y remote-as 67
neighbor y.y.y.y description connect to provider B
!
address-family ipv4
neighbor x.x.x.x activate
neighbor x.x.x.x soft-reconfiguration inbound
neighbor x.x.x.x filter-list 100 out
neighbor y.y.y.y activate
neighbor y.y.y.y soft-reconfiguration inbound
neighbor y.y.y.y filter-list 100 out
no auto-summary
no synchronization
network 192.x.x.x
exit-address-family
!
ip as-path access-list 100 permit ^$
!
If provider A misconfigures and sets a "default route" pointing to me, does my BGP router handle the traffic and send it to provider B?
If so, how do I solve it?
BR
01-20-2008 05:56 PM
Hi,
Yes, but include the anti-spoofing. If your IOS supports extended ACLs, try this (remove remarks after !):
!
! Extended ACL
ip access-list extended BOGONS
remark Deny All Non-Allocated IPv4 Blocks (Secure BGP Template Version 5.0 29 October 2007).
! Anti-Spoofing. Do not use this if CEF has been configured to take care of Spoofing.
deny ip 208.x.x.x 0.0.3.255 any
! Bogons
deny ip 0.0.0.0 0.255.255.255 any
deny ip 1.0.0.0 0.255.255.255 any
deny ip 2.0.0.0 0.255.255.255 any
deny ip 5.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 23.0.0.0 0.255.255.255 any
deny ip 27.0.0.0 0.255.255.255 any
deny ip 31.0.0.0 0.255.255.255 any
deny ip 36.0.0.0 0.255.255.255 any
deny ip 37.0.0.0 0.255.255.255 any
deny ip 39.0.0.0 0.255.255.255 any
deny ip 42.0.0.0 0.255.255.255 any
deny ip 46.0.0.0 0.255.255.255 any
deny ip 49.0.0.0 0.255.255.255 any
deny ip 50.0.0.0 0.255.255.255 any
deny ip 100.0.0.0 0.255.255.255 any
deny ip 101.0.0.0 0.255.255.255 any
deny ip 102.0.0.0 0.255.255.255 any
deny ip 103.0.0.0 0.255.255.255 any
deny ip 104.0.0.0 0.255.255.255 any
deny ip 105.0.0.0 0.255.255.255 any
deny ip 106.0.0.0 0.255.255.255 any
deny ip 107.0.0.0 0.255.255.255 any
deny ip 108.0.0.0 0.255.255.255 any
deny ip 109.0.0.0 0.255.255.255 any
deny ip 110.0.0.0 0.255.255.255 any
deny ip 111.0.0.0 0.255.255.255 any
deny ip 112.0.0.0 0.255.255.255 any
deny ip 113.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 173.0.0.0 0.255.255.255 any
deny ip 174.0.0.0 0.255.255.255 any
deny ip 175.0.0.0 0.255.255.255 any
deny ip 176.0.0.0 0.255.255.255 any
deny ip 177.0.0.0 0.255.255.255 any
deny ip 178.0.0.0 0.255.255.255 any
deny ip 179.0.0.0 0.255.255.255 any
deny ip 180.0.0.0 0.255.255.255 any
deny ip 181.0.0.0 0.255.255.255 any
deny ip 182.0.0.0 0.255.255.255 any
deny ip 183.0.0.0 0.255.255.255 any
deny ip 184.0.0.0 0.255.255.255 any
deny ip 185.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 197.0.0.0 0.255.255.255 any
deny ip 223.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
! Drop all ICMP fragments
deny icmp any any fragments
! Allow IP access to the intranet (firewall filters specific ports)
permit ip any 208.x.x.x 0.0.3.255
! Allow multicast to enter.
permit ip any 224.0.0.0 15.255.255.255
! Our explicit drop all rule
deny ip any any
!
! ISP-A
Interface FastEthernet0
ip access-group BOGONS in
!
! ISP-B (interface name assumed from the asker's "faste 1"; adjust to the real ISP-B port)
Interface FastEthernet1
ip access-group BOGONS in
!
end
Regards,
Dandy
01-20-2008 08:03 AM
Hi,
Put an ACL on the interfaces connected to ISP A and ISP B for incoming traffic. Permit only traffic destined to your network, to prevent being used as transit if you are NOT one.
A good example is the BOGONS ACL 2010 in this link http://www.cymru.com/Documents/secure-ios-template.html
Regards,
Dandy
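The as-path filter ^$ only stops the router from advertising transit routes; if an ISP hands it a default route, the data plane will still forward whatever arrives. The inbound ACL from this thread closes that gap. Below is an added example (not code from the thread or from Cisco) that evaluates a condensed version of that ACL with IOS first-match and wildcard-mask semantics over constructed packets; 208.100.0.0/22 and the test addresses are constructed stand-ins for the asker's 208.x.x.x/22.

```python
import ipaddress

# Constructed stand-in for the thread's 208.x.x.x/22 customer block.
OUR_NET = "208.100.0.0 0.0.3.255"

# Condensed inbound ACL from the thread (order matters: first match wins,
# and IOS appends an implicit deny at the end). Each entry is
# (action, protocol, source spec, destination spec); a spec is "any" or
# "base wildcard", where 0 bits in the wildcard must match and 1 bits are ignored.
ACL = [
    ("deny",   "ip", OUR_NET, "any"),                     # anti-spoofing: our block as source
    ("deny",   "ip", "10.0.0.0 0.255.255.255", "any"),     # bogon / RFC1918 source
    ("deny",   "ip", "192.168.0.0 0.0.255.255", "any"),
    ("permit", "ip", "any", OUR_NET),                     # only traffic destined to us
    ("permit", "ip", "any", "224.0.0.0 15.255.255.255"),  # multicast
    ("deny",   "ip", "any", "any"),                       # explicit drop-all
]


def wildcard_match(spec, addr):
    """Return True if addr matches an IOS-style 'base wildcard' spec (or 'any')."""
    if spec == "any":
        return True
    base, wild = spec.split()
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    a = int(ipaddress.IPv4Address(addr))
    mask = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & mask) == (b & mask)


def evaluate(src, dst, acl=ACL):
    """Apply the ACL to an IP packet with the given source and destination."""
    for action, _proto, s, d in acl:
        if wildcard_match(s, src) and wildcard_match(d, dst):
            return action
    return "deny"  # implicit deny


if __name__ == "__main__":
    # Constructed packets arriving on the ISP-facing interface.
    cases = [
        ("198.51.100.7", "208.100.2.9", "normal inbound to our block"),
        ("198.51.100.7", "203.0.113.5", "transit attempt via ISP default route"),
        ("208.100.1.1", "208.100.2.9", "spoofed source from our own block"),
        ("10.1.2.3", "208.100.2.9", "bogon source"),
    ]
    for src, dst, why in cases:
        print(f"{src:>14} -> {dst:<14} {evaluate(src, dst):6} ({why})")
```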
01-20-2008 08:49 AM
Hi Dandy
So, I will keep the 2010 ACL except the following:
access-list 2010 permit ip any 7.7.7.0 0.0.0.255
I will change it to
access-list 2010 permit ip any 208.x.x.x 0.0.3.255
where 208.x.x.x/22 is our network
inter faste 0
ip access-group 2010 in
inter faste 1
ip access-group 2010 in
any missing?
Rgds