Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

bgp question

Hi,

I config the bgp is up and running. However, I have some concern about the routing. following is the config

!bgp router

router bgp 123

bgp log-neighbor-changes

neighbor x.x.x.x remote-as 45

neighbor x.x.x.x description connect to provider A

neighbor y.y.y.y remote-as 67

neighbor y.y.y.y description connect to provider B

!

address-family ipv4

neighbor x.x.x.x activate

neighbor x.x.x.x soft-reconfiguration inbound

neighbor x.x.x.x filter-list 100 out

neighbor y.y.y.y activate

neighbor y.y.y.y soft-reconfiguration inbound

neighbor y.y.y.y filter-list 100 out

no auto-summary

no synchronization

network 192.x.x.x

exit-address-family

!

ip as-path access-list 100 permit ^$

!

If the provider A mis-config and set a "default route" point to me, does my bgp router handle the traffic and send to provider B?

if so, how do I solve it?

BR

1 ACCEPTED SOLUTION

Accepted Solutions

Re: bgp question

Hi,

Yes, but include the Anti-Spoofing. If your IOS support Extended ACL, try this (remove remarks after !);

!

! Extended ACL

ip access-list extended BOGONS

remark Deny All Non-Allocated IPv4 Blocks (Secure BGP Template Version 5.0 29 October 2007).

! Anti-Spoofing. Do not use this if CEF has been configured to take care of Spoofing.

deny ip 208.x.x.x 0.0.3.255 any

! Bogons

deny ip 0.0.0.0 0.255.255.255 any

deny ip 1.0.0.0 0.255.255.255 any

deny ip 2.0.0.0 0.255.255.255 any

deny ip 5.0.0.0 0.255.255.255 any

deny ip 10.0.0.0 0.255.255.255 any

deny ip 23.0.0.0 0.255.255.255 any

deny ip 27.0.0.0 0.255.255.255 any

deny ip 31.0.0.0 0.255.255.255 any

deny ip 36.0.0.0 0.255.255.255 any

deny ip 37.0.0.0 0.255.255.255 any

deny ip 39.0.0.0 0.255.255.255 any

deny ip 42.0.0.0 0.255.255.255 any

deny ip 46.0.0.0 0.255.255.255 any

deny ip 49.0.0.0 0.255.255.255 any

deny ip 50.0.0.0 0.255.255.255 any

deny ip 100.0.0.0 0.255.255.255 any

deny ip 101.0.0.0 0.255.255.255 any

deny ip 102.0.0.0 0.255.255.255 any

deny ip 103.0.0.0 0.255.255.255 any

deny ip 104.0.0.0 0.255.255.255 any

deny ip 105.0.0.0 0.255.255.255 any

deny ip 106.0.0.0 0.255.255.255 any

deny ip 107.0.0.0 0.255.255.255 any

deny ip 108.0.0.0 0.255.255.255 any

deny ip 109.0.0.0 0.255.255.255 any

deny ip 110.0.0.0 0.255.255.255 any

deny ip 111.0.0.0 0.255.255.255 any

deny ip 112.0.0.0 0.255.255.255 any

deny ip 113.0.0.0 0.255.255.255 any

deny ip 127.0.0.0 0.255.255.255 any

deny ip 169.254.0.0 0.0.255.255 any

deny ip 172.16.0.0 0.15.255.255 any

deny ip 173.0.0.0 0.255.255.255 any

deny ip 174.0.0.0 0.255.255.255 any

deny ip 175.0.0.0 0.255.255.255 any

deny ip 176.0.0.0 0.255.255.255 any

deny ip 177.0.0.0 0.255.255.255 any

deny ip 178.0.0.0 0.255.255.255 any

deny ip 179.0.0.0 0.255.255.255 any

deny ip 180.0.0.0 0.255.255.255 any

deny ip 181.0.0.0 0.255.255.255 any

deny ip 182.0.0.0 0.255.255.255 any

deny ip 183.0.0.0 0.255.255.255 any

deny ip 184.0.0.0 0.255.255.255 any

deny ip 185.0.0.0 0.255.255.255 any

deny ip 192.0.2.0 0.0.0.255 any

deny ip 192.168.0.0 0.0.255.255 any

deny ip 197.0.0.0 0.255.255.255 any

deny ip 223.0.0.0 0.255.255.255 any

deny ip 224.0.0.0 31.255.255.255 any

! Drop all ICMP fragments

deny icmp any any fragments

! Allow IP access to the intranet (firewall filters specific ports)

permit ip any 208.x.x.x 0.0.3.255 any

! Allow multicast to enter.

permit ip any 224.0.0.0 15.255.255.255

! Our explicit drop all rule

deny ip any any

!

! ISP-A

Interface FastEthernet0

ip access-group BOGONS in

!

! ISP-B

Interface FastEthernet0

ip access-group BOGONS in

!

end

Regards,

Dandy

3 REPLIES

Re: bgp question

Hi,

Put ACL in the interface connected to ISP A and ISP B for incoming traffic. Permit only traffic destined to your network to prevent you as transit if you are NOT.

A good example is the BOGONS ACL 2010 in this link http://www.cymru.com/Documents/secure-ios-template.html

Regards,

Dandy

New Member

Re: bgp question

Hi Dandy

so, I will keep 2010 ACL except following:

access-list 2010 permit ip any 7.7.7.0 0.0.0.255

I will change it to

access-list 2010 permit ip any 208.x.x.x 0.0.3.255

where 208.x.x.x/22 is our network

inter faste 0

ip access-group 2010 in

inter faste 1

ip access-group 2010 in

any missing?

Rgds

Re: bgp question

Hi,

Yes, but include the Anti-Spoofing. If your IOS support Extended ACL, try this (remove remarks after !);

!

! Extended ACL

ip access-list extended BOGONS

remark Deny All Non-Allocated IPv4 Blocks (Secure BGP Template Version 5.0 29 October 2007).

! Anti-Spoofing. Do not use this if CEF has been configured to take care of Spoofing.

deny ip 208.x.x.x 0.0.3.255 any

! Bogons

deny ip 0.0.0.0 0.255.255.255 any

deny ip 1.0.0.0 0.255.255.255 any

deny ip 2.0.0.0 0.255.255.255 any

deny ip 5.0.0.0 0.255.255.255 any

deny ip 10.0.0.0 0.255.255.255 any

deny ip 23.0.0.0 0.255.255.255 any

deny ip 27.0.0.0 0.255.255.255 any

deny ip 31.0.0.0 0.255.255.255 any

deny ip 36.0.0.0 0.255.255.255 any

deny ip 37.0.0.0 0.255.255.255 any

deny ip 39.0.0.0 0.255.255.255 any

deny ip 42.0.0.0 0.255.255.255 any

deny ip 46.0.0.0 0.255.255.255 any

deny ip 49.0.0.0 0.255.255.255 any

deny ip 50.0.0.0 0.255.255.255 any

deny ip 100.0.0.0 0.255.255.255 any

deny ip 101.0.0.0 0.255.255.255 any

deny ip 102.0.0.0 0.255.255.255 any

deny ip 103.0.0.0 0.255.255.255 any

deny ip 104.0.0.0 0.255.255.255 any

deny ip 105.0.0.0 0.255.255.255 any

deny ip 106.0.0.0 0.255.255.255 any

deny ip 107.0.0.0 0.255.255.255 any

deny ip 108.0.0.0 0.255.255.255 any

deny ip 109.0.0.0 0.255.255.255 any

deny ip 110.0.0.0 0.255.255.255 any

deny ip 111.0.0.0 0.255.255.255 any

deny ip 112.0.0.0 0.255.255.255 any

deny ip 113.0.0.0 0.255.255.255 any

deny ip 127.0.0.0 0.255.255.255 any

deny ip 169.254.0.0 0.0.255.255 any

deny ip 172.16.0.0 0.15.255.255 any

deny ip 173.0.0.0 0.255.255.255 any

deny ip 174.0.0.0 0.255.255.255 any

deny ip 175.0.0.0 0.255.255.255 any

deny ip 176.0.0.0 0.255.255.255 any

deny ip 177.0.0.0 0.255.255.255 any

deny ip 178.0.0.0 0.255.255.255 any

deny ip 179.0.0.0 0.255.255.255 any

deny ip 180.0.0.0 0.255.255.255 any

deny ip 181.0.0.0 0.255.255.255 any

deny ip 182.0.0.0 0.255.255.255 any

deny ip 183.0.0.0 0.255.255.255 any

deny ip 184.0.0.0 0.255.255.255 any

deny ip 185.0.0.0 0.255.255.255 any

deny ip 192.0.2.0 0.0.0.255 any

deny ip 192.168.0.0 0.0.255.255 any

deny ip 197.0.0.0 0.255.255.255 any

deny ip 223.0.0.0 0.255.255.255 any

deny ip 224.0.0.0 31.255.255.255 any

! Drop all ICMP fragments

deny icmp any any fragments

! Allow IP access to the intranet (firewall filters specific ports)

permit ip any 208.x.x.x 0.0.3.255 any

! Allow multicast to enter.

permit ip any 224.0.0.0 15.255.255.255

! Our explicit drop all rule

deny ip any any

!

! ISP-A

Interface FastEthernet0

ip access-group BOGONS in

!

! ISP-B

Interface FastEthernet0

ip access-group BOGONS in

!

end

Regards,

Dandy

90
Views
0
Helpful
3
Replies
CreatePlease to create content