Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

A simple routing question

If, I say I have 4 imaginary routers, all configured with 4 different AS no# and configured to run BGP in a series configuration. Also, say that all these 4 routers have routes to public addresses and thus can go to Internet. Also, assuming that I do not have any ingress or egress filtering based on source IP address on all these 4 routers.

So, imagine that if I have a host configured with a RFC1918 (say 10.3.0.35/24) IP addressing and is attached to one of these 4 BGP routers.

The question here is that if I were to ping, say to Cisco.com. Can I say that the PING ICMP packets will be able to reach Cisco.com public IP address, but has not way to come back due to the fact that all the 4 BGP and other intermediate routers has no routes to a private subnet of 10.3.0.0.24 ? Again, the assumption here is that there is no whatsoever of any ingress or egress filtering at all the intermediate routers that drops packets (based on source IP) from the host to Cisco.com.

What I am trying to say is that BGP routing protocol is based on destination IP address, despite the souce IP is private and hence as long as the destination IP is valid and available in the routing table, the router will route the packets, right ?

If my statement is wrong, then what is the thing/feature from BGP that can drop a packet with an invalid source IP of 10.3.0.35, despite the fact that there is not any ingress and egress flter that drops 10.3.0.35-source IP packets ?

1 REPLY
Gold

Re: A simple routing question

Lacking configuration of filters or unicast RPF checks to the contrary, yes, traffic sourced from your RFC1918 space will reach its destination, but it cannot be returned due to lack of a return path.

There exists a feature called "Unicast RPF", invoked on an interface with "ip verify unicast reverse-path", which requires that any traffic that arrives on that interface have a source address with a return path down that same interface, or it is dropped. This is a quick and flexible way to set up anti-spoofing and bogon (like RFC1918) filters, in addition, some platforms can do it in hardware.

This isn't part of BGP really but can use routes from BGP (or any IGP) to make its RPF checks. Search CCO for documentation on Unicast RPF.

106
Views
0
Helpful
1
Replies
CreatePlease to create content