Cisco Support Community

BGP Routers_Filter_IN and Filter_OUT

Hi Experts

I want to protect my BGP routers connected to ISPs on GE links, to mitigate attacks such as denial of service or smurf attacks and to protect the control plane of these BGP routers. But my IP addresses connected to these ISPs are fake, in the form of 10.100.x.x and 192.168.x.x, so do I need to allow them in the inbound and outbound filters, since the in-ACL and out-ACL are applied on these GE interfaces?

thanks

jamil

3 REPLIES

BGP Routers_Filter_IN and Filter_OUT

Hi Ibrahim,

You need to use BGP in and out filters with a prefix list.
The link below will help you...
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t11/feature/guide/ft11borf.html


Please rate all the helpful posts.
Regards,
Naidu.


Re: BGP Routers_Filter_IN and Filter_OUT

Hello Jamil,

Locally generated packets like BGP messages are not blocked by an outbound filter on the interface. However, the inbound filter would block BGP packets received on the interface. Another point is that the BGP well-known port is used only by one endpoint in a BGP session, but this is negotiated.

So, to allow the BGP session inbound, you can use two statements like:

access-list 101 permit tcp host <ISP-peer-IP> eq bgp host <local-IP>

access-list 101 permit tcp host <ISP-peer-IP> host <local-IP> eq bgp

access-list 101 remark deny statements for private ip addresses

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

....

access-list 101 remark final permit for all other traffic

access-list 101 permit ip any any

int gix/y

ip access-group 101 in

Hope to help

Giuseppe
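
The first-match behaviour of the ACL in the reply above, as an added example that is not part of the original post: a small Python evaluator run over that ACL. The peer address 10.100.1.1 and local address 10.100.1.2 are constructed, and the 172.16.0.0 and 192.168.0.0 deny lines are an assumption standing in for the statements the reply elides. It shows why the two BGP permits have to precede the private-address denies when the ISP link itself is numbered from 10.100.x.x.

```python
import ipaddress

# Constructed addresses (assumptions): ISP peer 10.100.1.1, local router 10.100.1.2.
ACL_101 = """\
access-list 101 permit tcp host 10.100.1.1 eq bgp host 10.100.1.2
access-list 101 permit tcp host 10.100.1.1 host 10.100.1.2 eq bgp
access-list 101 remark deny statements for private ip addresses
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 remark final permit for all other traffic
access-list 101 permit ip any any
"""
PORTS = {"bgp": 179}

def _endpoint(tok):
    """Consume one address spec plus an optional 'eq <port>' from the token list."""
    first = tok.pop(0)
    if first == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif first == "host":
        net = ipaddress.ip_network(tok.pop(0) + "/32")
    else:  # address followed by a contiguous wildcard (inverse) mask
        net = ipaddress.ip_network(f"{first}/{tok.pop(0)}")
    port = None
    if tok[:1] == ["eq"]:
        port = PORTS.get(tok[1]) or int(tok[1])
        del tok[:2]
    return net, port

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()[2:]  # drop "access-list 101"
        if not tok or tok[0] == "remark":
            continue
        action, proto = tok.pop(0), tok.pop(0)
        src, sport = _endpoint(tok)
        dst, dport = _endpoint(tok)
        rules.append((action, proto, src, sport, dst, dport, line))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """Return (action, matching line); first match wins, then the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, snet, rsport, dnet, rdport, line in rules:
        if (rproto in ("ip", proto) and s in snet and d in dnet
                and rsport in (None, sport) and rdport in (None, dport)):
            return action, line
    return "deny", "implicit deny"
```

With this ordering, non-BGP traffic sourced from the peer's link address (ICMP, for instance) falls through to the deny for 10.0.0.0/8.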


BGP Routers_Filter_IN and Filter_OUT

Thanks for your reply
