Cisco Support Community
Community Member

BGP border router

Hi Experts

How to secure a BGP border router connected to upstream ISPs against DoS and DDoS attacks and other attacks which exist out there, in order to protect my customers, since our border represents the fit.. We receive just a default route from the ISPs.

Waiting for your kind advice.



Community Member

BGP border router

jamil, here are some ideas:

! X.X.X.X = the ISP peer address
neighbor X.X.X.X password 7 XXXXXXXXXXXXX              ! MD5 session password; prevents another router from trying to peer
neighbor X.X.X.X update-source GigabitEthernet0/1      ! specifically says which interface BGP uses
neighbor X.X.X.X version 4                             ! ensure newest BGP version
neighbor X.X.X.X ttl-security hops 3                   ! reject BGP sessions from more than 3 hops away
neighbor X.X.X.X prefix-list PL_DEFAULT_ONLY in        ! only accept a default route
neighbor X.X.X.X prefix-list PL_AS65000_ONLY out       ! only advertise your own AS's prefixes
neighbor X.X.X.X maximum-prefix 750000 80 restart 30   ! not really needed in your case of default only

You can also add an ACL on the outside interface for the BGP protocol. This is pretty easy, but a bit cumbersome to support.
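Putting those neighbor statements into a complete stanza, here is an added example (not from the post above) of what the two prefix-lists actually need to contain and how the session fits into `router bgp`. AS 65000 and GigabitEthernet0/1 come from the post; the ISP AS 64496, the 198.51.100.0/30 link and the 203.0.113.0/24 customer block are documentation ranges chosen as placeholders, and the peer is assumed to be directly connected, so the GTSM hop count is 1 rather than the 3 used above.

```cisco
! Added example, not from the original thread. AS 65000 and Gi0/1 are from
! the post; AS 64496 (ISP), 198.51.100.0/30 (link) and 203.0.113.0/24 (our
! block) are documentation ranges used as placeholders.
!
! Accept only the default route; the implicit deny drops anything else the ISP sends.
ip prefix-list PL_DEFAULT_ONLY seq 5 permit 0.0.0.0/0
!
! Announce only our own aggregate: nothing longer, nothing learned elsewhere.
ip prefix-list PL_AS65000_ONLY seq 5 permit 203.0.113.0/24
!
! The network statement below needs a matching RIB entry; a low-preference
! Null0 route keeps the aggregate present even if an internal link flaps.
ip route 203.0.113.0 255.255.255.0 Null0 254
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 description Upstream ISP
 neighbor 198.51.100.1 password 7 XXXXXXXXXXXXX
 neighbor 198.51.100.1 update-source GigabitEthernet0/1
 neighbor 198.51.100.1 ttl-security hops 1
 neighbor 198.51.100.1 version 4
 address-family ipv4
  network 203.0.113.0 mask 255.255.255.0
  neighbor 198.51.100.1 activate
  neighbor 198.51.100.1 prefix-list PL_DEFAULT_ONLY in
  neighbor 198.51.100.1 prefix-list PL_AS65000_ONLY out
  neighbor 198.51.100.1 maximum-prefix 10 80 restart 30
 exit-address-family
```

The `maximum-prefix` value is set low on purpose: when you only expect one default route, a limit of 10 turns an accidental full-table leak from the ISP into a logged session reset instead of a memory or CPU problem on the border, and `restart 30` brings the session back automatically after 30 minutes. `ttl-security hops 1` makes the router discard any BGP packet whose TTL is below 254, so a session attempt from anywhere beyond the directly connected link never reaches the BGP process.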

BGP border router

Hi Ibrahim,

You can find below a great link by Cisco, which addresses exactly your question.

It describes all the BGP mechanisms, with configuration samples, to protect the BGP protocol against common threats such as BGP route manipulation, BGP route hijacking and DoS attacks.

Hope that helps!


Community Member

BGP border router


Where is the DoS and DDoS mitigation in your great posts? You know it's a border router, I can't put FW and IPS.



Re: BGP border router


Another thing to consider is to filter bogons from your external interface. These are source addresses that should not appear in an IP packet on an interface that faces the public Internet. A good example are addresses in the RFC 1918 address range. External attackers will try to spoof your internal address space in order to gain access to your network or to launch DDoS attacks.

For more information see:

Apply an inbound ACL on your external interface to filter the subnets that can be found at this web site: The ACL also needs to allow legitimate inbound subnets from your ISP.

See below for an example config:

interface GigabitEthernet0/0
 description *** Outside Interface ***
 ip address X.X.X.X X.X.X.X
 ip access-group PROTECT in
!
ip access-list extended PROTECT
 remark *** Deny Spoofed traffic ***
 remark one deny per bogon subnet (source and wildcard), e.g. the RFC 1918 ranges
 deny   ip X.X.X.X X.X.X.X any log
 deny   ip X.X.X.X X.X.X.X any log
 deny   ip X.X.X.X X.X.X.X any log
 remark *** Permit Legitimate Traffic ***
 remark legitimate inbound subnets from your ISP
 permit ip X.X.X.X X.X.X.X any
 permit ip X.X.X.X X.X.X.X any
 remark *** DENY ALL ELSE AND LOG ***
 deny   ip any any log

They also have a config example for filtering bogons via BGP.
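As an added example (not the config from the post above), here is the same PROTECT ACL filled in with the fixed, never-routable bogon ranges that do not change over time, together with the uRPF setting the DDoS document in this thread refers to. 198.51.100.0/30 is a documentation range standing in for the ISP link (ISP side .1, our side .2) and 203.0.113.0/24 for our own address block; both are placeholders. A full bogon list also contains unallocated space, which does change, so that part still has to be refreshed from a maintained feed.

```cisco
! Added example, not from the original thread. 198.51.100.0/30 (ISP link)
! and 203.0.113.0/24 (our block) are documentation ranges used as placeholders.
ip access-list extended PROTECT
 remark *** Deny our own block as a source: it can never legitimately arrive from outside ***
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark *** Deny RFC 1918 and the other fixed bogon sources ***
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 31.255.255.255 any log
 remark *** Permit the BGP session itself, only between the two peer addresses ***
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 remark *** Permit everything else that is destined to our block ***
 permit ip any 203.0.113.0 0.0.0.255
 remark *** Deny all else and log ***
 deny   ip any any log
!
interface GigabitEthernet0/1
 description *** Outside interface ***
 ip address 198.51.100.2 255.255.255.252
 ip access-group PROTECT in
 ip verify unicast source reachable-via any allow-default
```

Two caveats a border operator should know. First, the `log` keyword on every deny line means each dropped packet is punted for logging; under a real spoofed flood that itself can load the route processor, so keep logging on the few entries you actually want visibility into and drop it from the rest. Second, the older `ip verify unicast reverse-path` form from the DDoS document is strict-mode uRPF, which on an outside interface that only carries a default route would drop all inbound traffic; the loose mode shown here with `allow-default` passes any source that has a route, so in this topology it only discards sources whose best match is a Null0 route. That is why the ACL, not uRPF, is doing the bogon work when all you receive is a default.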

BGP border router

Hi Ibrahim,

I thought that you were interested in finding methods to protect only BGP.

It seems that you are looking for techniques to protect your network from DoS and DDoS attacks.

Please read the next doc:

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

It provides configuration techniques (e.g. ip verify unicast reverse-path, ACL, CAR) to eliminate the impact of any DoS attack on your network.

Hope that helps


Community Member

Re: BGP border router

Thanks a lot guys for your great contribution. I'm gonna use these posts as my reference. Now I can proceed to protect my network and, a bit, my customers; they will be protected since our border is the first line of defense. My customers will use FW and IPS; this stuff is up to them.

I have read that the ASR with IOS XE has built-in security features against DoS and DDoS? Any comments?

CAR at the border might shape legitimate connections, then we may get performance issues!

Guys, I'm wondering, if you receive a default route from the ISPs do you need the whole filtering?

I do appreciate your answers.


