A simple routing question

tj6512
Level 1

Say I have 4 imaginary routers, each configured with a different AS number and configured to run BGP in a series configuration. Also, say that all 4 of these routers have routes to public addresses and can thus reach the Internet. Also, assume that I do not have any ingress or egress filtering based on source IP address on any of these 4 routers.

So, imagine that I have a host configured with an RFC1918 address (say 10.3.0.35/24) that is attached to one of these 4 BGP routers.

The question here is: if I were to ping, say, Cisco.com, can I say that the ICMP ping packets will be able to reach Cisco.com's public IP address, but have no way to come back, because all 4 BGP routers and the other intermediate routers have no routes to the private subnet 10.3.0.0/24? Again, the assumption here is that there is no ingress or egress filtering whatsoever at any of the intermediate routers that drops packets (based on source IP) from the host to Cisco.com.

What I am trying to say is that BGP routing is based on the destination IP address, regardless of whether the source IP is private, and hence as long as the destination IP is valid and present in the routing table, the router will route the packets, right?

If my statement is wrong, then what is the thing/feature in BGP that can drop a packet with an invalid source IP of 10.3.0.35, despite the fact that there isn't any ingress or egress filter that drops packets with a source IP of 10.3.0.35?

1 Reply

jasyoung
Level 7

Lacking configuration of filters or unicast RPF checks to the contrary, yes, traffic sourced from your RFC1918 space will reach its destination, but it cannot be returned due to lack of a return path.

There exists a feature called "Unicast RPF", invoked on an interface with "ip verify unicast reverse-path", which requires that any traffic that arrives on that interface have a source address with a return path down that same interface, or it is dropped. This is a quick and flexible way to set up anti-spoofing and bogon (like RFC1918) filters, and some platforms can do it in hardware.

This isn't part of BGP really but can use routes from BGP (or any IGP) to make its RPF checks. Search CCO for documentation on Unicast RPF.
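The two behaviours discussed in this thread (destination-only forwarding that lets the RFC1918-sourced ping out but gives the reply no route back, and a strict reverse-path check that drops it at the ingress interface) can be modelled in a few lines. The following is an added example, not code or configuration from the thread or from Cisco: it builds a constructed forwarding table for a hypothetical upstream router "R2" (the next hop beyond the router the 10.3.0.35 host sits on), does a longest-prefix lookup on the destination, and optionally applies a strict unicast RPF check on the ingress interface. The interface names, the 203.0.113.0/24 and 198.51.100.0/24 prefixes (RFC 5737 documentation ranges standing in for real public space) and the absence of a default route are all assumptions of the model.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed forwarding table for the hypothetical router R2 (assumption, not
# from the thread). Prefix -> egress interface. There is deliberately no route
# for 10.3.0.0/24 and no default route, as on a router that only carries
# BGP-learned public prefixes.
R2_FIB: Dict[str, str] = {
    "203.0.113.0/24": "Serial1",   # public prefix announced by the downstream router
    "198.51.100.0/24": "Serial0",  # stands in for the destination's public range
}


def lookup(fib: Dict[str, str], address: str) -> Optional[str]:
    """Longest-prefix match: return the egress interface for address, or None
    when the table holds no covering route."""
    addr = ipaddress.ip_address(address)
    best_iface, best_len = None, -1
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def strict_urpf_ok(fib: Dict[str, str], src: str, ingress: str) -> bool:
    """Strict unicast RPF: pass only if the best route back to the source
    address points out the same interface the packet arrived on. With no
    route at all to the source, lookup() returns None and the check fails."""
    return lookup(fib, src) == ingress


def forward(fib: Dict[str, str], src: str, dst: str, ingress: str,
            urpf_on_ingress: bool = False) -> Tuple[str, Optional[str]]:
    """Decide what R2 does with one packet.

    Returns ("forward", egress_interface) or ("drop", reason). The RPF check,
    when enabled on the ingress interface, runs before the destination lookup;
    without it the source address plays no part in the decision at all."""
    if urpf_on_ingress and not strict_urpf_ok(fib, src, ingress):
        return ("drop", "urpf: no return path to %s via %s" % (src, ingress))
    egress = lookup(fib, dst)
    if egress is None:
        return ("drop", "no route to %s" % dst)
    return ("forward", egress)


if __name__ == "__main__":
    # Ping from the RFC1918 host, arriving from the downstream router on Serial1.
    print("ping out, no uRPF  :",
          forward(R2_FIB, "10.3.0.35", "198.51.100.10", "Serial1"))
    print("ping out, uRPF on  :",
          forward(R2_FIB, "10.3.0.35", "198.51.100.10", "Serial1", True))
    # Legitimately sourced packet from the downstream public prefix still passes.
    print("public src, uRPF on:",
          forward(R2_FIB, "203.0.113.5", "198.51.100.10", "Serial1", True))
    # The same source arriving from the wrong side fails strict uRPF.
    print("spoofed side, uRPF :",
          forward(R2_FIB, "203.0.113.5", "198.51.100.10", "Serial0", True))
    # The echo reply: destination is the private host, for which R2 has no route.
    print("echo reply         :",
          forward(R2_FIB, "198.51.100.10", "10.3.0.35", "Serial0"))
```

Without the RPF check the first packet is forwarded purely on its destination, which is the behaviour the question describes; the reply is dropped for lack of a route to 10.3.0.35 whether or not uRPF is configured anywhere. Enabling the check on Serial1 turns the missing return route into a drop at ingress, which is what "ip verify unicast reverse-path" adds on a real router.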
