Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
489
Views
0
Helpful
6
Replies

BGP with access lists

Horacio Gutierrez
Level 2
Level 2

‎12-28-2013 10:30 AM - edited ‎03-07-2019 05:17 PM

Hello,

Can someone explain to me why we use access lists in a mpls cloud that uses IBGP. I thought for the most part  access lists were used on firewalls not routers running BGP. Do we even need access lists with bgp can't bgp work without access lists. What are the reasons for having access lists on a router for IBGP on a mpls cloud?

Thanks,

Labels:
0 Helpful
6 Replies 6

daniel.dib
Level 7
Level 7

‎12-28-2013 12:28 PM

I'm not sure what you are asking, access-lists could be used to filter BGP routes although prefix-lists are vastly superior.

Routers running BGP are often on the edge of the network so doing filtering there makes sense. It could be to filter RFC1918 and Bogon space from entering the network. Also to filter someone from spoofing from your own IP range. Then there are other reasons to filter malicious traffic and so on.

This could be the first line of defense and more advanced features could be deployed further into the network.

Daniel Dib
CCIE #37149

Please rate helpful posts.

Daniel Dib
CCIE #37149
CCDE #20160011

Please rate helpful posts.
0 Helpful

Horacio Gutierrez
Level 2
Level 2
In response to daniel.dib

‎12-28-2013 03:58 PM

I understand  access lists are used to filter malicious traffic, however if there is an mpls cloud thru an ISP that only the company's  sites connect thru each other for routing packets within the company network. Why do we need prefix list or access list between an internal network with mpls cloud that goes thru the company ISP. I thought a private mpls cloud is secure but not secure only when going thru Internet. Are prefix lists or access lists used for bgp  as we'll as eigrp, ospf or is it because it goes thru the mpls cloud?

0 Helpful

Richard Bradfield
Level 6
Level 6
In response to Horacio Gutierrez

‎12-28-2013 09:31 PM

Where do have the ACL.? We have similar setup to you and we have anACL used with a route map when we are redistributing routes back into EIGRP at sites ,we might not want all routes to be seen

Sent from Cisco Technical Support iPad App

0 Helpful

daniel.dib
Level 7
Level 7
In response to Horacio Gutierrez

‎12-29-2013 01:33 AM

Even if it's a MPLS L3VPN there could be some filtering. Maybe the spoke sites are only allowed certain type of traffic to the HQ. This could be filtered both inbound at HQ and outbound at a spoke.

When running MPLS the traffic is private but it's not secure because it is not encrypted. For full security IPSEC would be combined with MPLS.

Daniel Dib
CCIE #37149

Please rate helpful posts.

Daniel Dib
CCIE #37149
CCDE #20160011

Please rate helpful posts.
0 Helpful

Horacio Gutierrez
Level 2
Level 2
In response to daniel.dib

‎12-29-2013 09:06 AM

Hi Daniel,

So if we have a private mpls cloud with our company's circuits it's still not 100% secure because its not encrypted.  My question is why and who we are encrypted our company's packets from if no one from outside our network would have access because we have a ASA firewall. Are we encrypting our packets from our ISP who provides us our mpls cloud or do other organizations that have service with our ISP could hack into our mpls cloud?

0 Helpful

daniel.dib
Level 7
Level 7
In response to Horacio Gutierrez

‎12-29-2013 11:58 AM

The only way to get access to your network is if the ISP misconfigures so that another company gets access to your IP networks by mistake or that someone gets access to a PC on the inside and can reach the networks from there. It could happen if someone accidentally downloads an e-mail attachment or something like that.

It all depends on how critical the traffic is. If it's a bank there could be regulations in place that demands that all traffic is encrypted even if it is supposed to be private. If you compare it to a leased line, it's also secure as long as someone doesn't get access to it. So MPLS is like a virtual leased line in comparison.

Daniel Dib
CCIE #37149

Please rate helpful posts.

Daniel Dib
CCIE #37149
CCDE #20160011

Please rate helpful posts.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card