Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

BGP with access lists

Hello,

Can someone explain to me why we use access lists in a mpls cloud that uses IBGP. I thought for the most part  access lists were used on firewalls not routers running BGP. Do we even need access lists with bgp can't bgp work without access lists. What are the reasons for having access lists on a router for IBGP on a mpls cloud?

Thanks,

6 REPLIES

BGP with access lists

I'm not sure what you are asking, access-lists could be used to filter BGP routes although prefix-lists are vastly superior.

Routers running BGP are often on the edge of the network so doing filtering there makes sense. It could be to filter RFC1918 and Bogon space from entering the network. Also to filter someone from spoofing from your own IP range. Then there are other reasons to filter malicious traffic and so on.

This could be the first line of defense and more advanced features could be deployed further into the network.

Daniel Dib
CCIE #37149

Please rate helpful posts.

Daniel Dib CCIE #37149 Please rate helpful posts.
Community Member

BGP with access lists

I understand  access lists are used to filter malicious traffic, however if there is an mpls cloud thru an ISP that only the company's  sites connect thru each other for routing packets within the company network. Why do we need prefix list or access list between an internal network with mpls cloud that goes thru the company ISP. I thought a private mpls cloud is secure but not secure only when going thru Internet. Are prefix lists or access lists used for bgp  as we'll as eigrp, ospf or is it because it goes thru the mpls cloud?

Re: BGP with access lists

Where do have the ACL.? We have similar setup to you and we have anACL used with a route map when we are redistributing routes back into EIGRP at sites ,we might not want all routes to be seen

Sent from Cisco Technical Support iPad App

BGP with access lists

Even if it's a MPLS L3VPN there could be some filtering. Maybe the spoke sites are only allowed certain type of traffic to the HQ. This could be filtered both inbound at HQ and outbound at a spoke.

When running MPLS the traffic is private but it's not secure because it is not encrypted. For full security IPSEC would be combined with MPLS.

Daniel Dib
CCIE #37149

Please rate helpful posts.

Daniel Dib CCIE #37149 Please rate helpful posts.
Community Member

BGP with access lists

Hi Daniel,

So if we have a private mpls cloud with our company's circuits it's still not 100% secure because its not encrypted.  My question is why and who we are encrypted our company's packets from if no one from outside our network would have access because we have a ASA firewall. Are we encrypting our packets from our ISP who provides us our mpls cloud or do other organizations that have service with our ISP could hack into our mpls cloud?

BGP with access lists

The only way to get access to your network is if the ISP misconfigures so that another company gets access to your IP networks by mistake or that someone gets access to a PC on the inside and can reach the networks from there. It could happen if someone accidentally downloads an e-mail attachment or something like that.

It all depends on how critical the traffic is. If it's a bank there could be regulations in place that demands that all traffic is encrypted even if it is supposed to be private. If you compare it to a leased line, it's also secure as long as someone doesn't get access to it. So MPLS is like a virtual leased line in comparison.

Daniel Dib
CCIE #37149

Please rate helpful posts.

Daniel Dib CCIE #37149 Please rate helpful posts.
184
Views
0
Helpful
6
Replies
CreatePlease to create content