BGP commands to prevent ISP traffic going through your network to other networks

Foo Chuan Soon
Level 1

As in the attached diagram, what can we do to prevent such a thing? There should be a term for this scenario.


cisco_lad2004
Level 5

You could / should advertise your prefixes only to either ISPA or ISPB. This way you are not a transit AS for the customers.

HTH

Samir

Danilo Dy
VIP Alumni

Hi,

First, if you are multihoming, running BGP with ISPA and ISPB, announce only your prefix. Here is a sample for the connection to ISPA. I'm only giving you basic configuration here.


!
router bgp YOUR_ASN
 neighbor ISPA_INTERFACE_IP_FACING_YOU remote-as ISPA_ASN
 neighbor ISPA_INTERFACE_IP_FACING_YOU description IPV4-BGP with ISPA
 neighbor ISPA_INTERFACE_IP_FACING_YOU password YOUR_BGP_MD5_PASSWORD
 neighbor ISPA_INTERFACE_IP_FACING_YOU version 4
 !
 address-family ipv4
  network YOUR_IPV4_PREFIX mask YOUR_IPV4_MASK
  aggregate-address YOUR_IPV4_PREFIX YOUR_IPV4_MASK summary-only
  neighbor ISPA_INTERFACE_IP_FACING_YOU activate
  neighbor ISPA_INTERFACE_IP_FACING_YOU soft-reconfiguration inbound
  ! outbound prefix-list: only our own prefix is ever announced to ISPA
  neighbor ISPA_INTERFACE_IP_FACING_YOU prefix-list IPV4-ISPA-OUT out
 exit-address-family
!
ip prefix-list IPV4-ISPA-OUT seq 5 permit YOUR_IPV4_PREFIX/YOUR_PREFIX_LENGTH

Second, put an ACL on your interfaces connecting to ISPA and ISPB. Here is a sample for the connection to ISPA; I'm only giving you basic configuration here.

!
interface CONNECTING_TO_ISPA
 ip access-group IPV4-BOGONS in
 ip access-group IPV4-ISPA-OUT out
!
ip access-list extended IPV4-BOGONS
 remark inbound: drop packets that spoof our own source addresses
 deny   ip YOUR_IPV4_PREFIX WILDCARD_MASK any
 remark only traffic destined to our prefix or to the link address is accepted
 permit ip any YOUR_IPV4_PREFIX WILDCARD_MASK
 permit ip any host IP_OF_THE_INTERFACE_CONNECTING_TO_ISPA
 deny   ip any any
!
ip access-list extended IPV4-ISPA-OUT
 remark outbound: only our own sources may leave; nothing is forwarded for other ASes
 permit ip YOUR_IPV4_PREFIX WILDCARD_MASK any
 permit ip host IP_OF_THE_INTERFACE_CONNECTING_TO_ISPA any
 deny   ip any any
!

Google TEAM-CYMRU BGP IOS Template.

Dandy

We have 2 routers, R1 connected to ISP A and R2 connected to ISP B. We do advertise our prefix 1.1.1.0/24 to both ISPs, so do I still need to use an access-list to prevent this AS transit? In our case, is it a must to run iBGP between R1 and R2?

Typical setup for multihoming. You have R1 connected to ISPA and R2 connected to ISPB (R1 and R2 are interconnected):

- you need to run iBGP between R1 and R2.

- you need to statically advertise only your prefix to ISPA and ISPB.

- you need to put an ACL on your interfaces connected to ISPA and ISPB to prevent spoofing and also to prevent becoming an Internet blackhole.

Can you please give me some examples of how to prevent AS transit, spoofing and the Internet blackhole in our case? And we are using HSRP for R1 and R2, so do we still need to use iBGP?

The ACL I mentioned in my first reply to you, the "second" instruction.

We are using HSRP for R1 and R2, so do we still need to use iBGP?

It is "recommended" to run iBGP between two routers running eBGP with upstream ISPs. There are reasons why people don't run iBGP.

If I run iBGP and HSRP at the same time, will that cause any problem?

You configure HSRP on R1 and R2 as the Internet gateway for your internal hosts, right?

Running iBGP between R1 and R2 will make them share the routing tables received from the upstream ISPs and use the best path, so you will have outgoing traffic going out both ISPA and ISPB.

If you don't run iBGP between R1 and R2 and you have only one HSRP process and R1 is the active HSRP router, all your outgoing traffic will go out ISPA.

You might be running MHSRP, where you split your network into two and the HSRP active router for one half is R1 while the other is R2?

Yes, you are right, but we want R1 to be our preferred gateway and always use ISP A to the Internet, while ISP B is a backup when ISP A is down.

That explains it. As I said, there are reasons why people don't configure iBGP between two routers.

ISP A is AS 65531, so if I use ip as-path access-list 25 permit _65531$ to avoid AS transit, is it OK?


To avoid transit in the outgoing direction, control your BGP advertisements so that you advertise only your own local BGP AS prefixes, using the AS-path filtering below:

permit only ^$

example

ip as-path access-list 8 permit ^$
!
route-map map1 permit 10
 match as-path 8

under BGP in each of Router A and Router B

neighbor ISP_Next_Hop_IP route-map map1 out

This will prevent your BGP AS from being a transit AS for the ISPs.

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009456d.shtml

HTH

if helpful Rate
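As an added illustration (not from the thread and not Cisco code), the following Python snippet simulates the outbound AS-path filter from the last two posts against a constructed BGP table: it shows that `^$` advertises only the locally originated 1.1.1.0/24, whereas the `_65531$` filter asked about earlier would announce ISP A's own prefix toward the other ISP (making you transit for it) and would not match your own prefix at all. The IOS meaning of `_` is approximated with a Python regex alternation, and all prefixes and ASNs other than 1.1.1.0/24 and AS 65531 are made up.

```python
import re

# Constructed local BGP table of the multihomed AS, as "show ip bgp" would list it:
# prefix -> AS_PATH ("" means locally originated via a network statement).
# ISP A is AS 65531 as in the thread; the other ASNs and prefixes are invented.
LOCAL_BGP_TABLE = {
    "1.1.1.0/24": "",                # our own prefix
    "10.10.0.0/16": "65531",         # ISP A's own prefix
    "10.20.0.0/16": "65531 65010",   # learned via ISP A, originated behind it
    "10.30.0.0/16": "65532",         # ISP B's own prefix
    "10.40.0.0/16": "65532 65020",   # learned via ISP B, originated behind it
}


def ios_as_path_regex(pattern: str) -> re.Pattern:
    """Translate an IOS as-path access-list regex into a Python regex.

    IOS '_' matches a comma, a brace, a space, or the start/end of the path;
    everything else in the IOS dialect used here is plain regex syntax.
    """
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}])"))


def outbound_advertisements(table: dict, as_path_filter: str) -> list:
    """Prefixes a permit-only 'match as-path' route-map would send to a neighbor.

    Routes whose AS_PATH does not match the filter hit the route-map's
    implicit deny and are never advertised.
    """
    rx = ios_as_path_regex(as_path_filter)
    return sorted(p for p, path in table.items() if rx.search(path))


def transit_leaks(table: dict, as_path_filter: str) -> list:
    """Advertised prefixes that we did not originate, i.e. transit we would offer."""
    return [p for p in outbound_advertisements(table, as_path_filter) if table[p]]


if __name__ == "__main__":
    for flt in ("^$", "_65531$", "^65531_"):
        print(f"{flt:10s} advertises {outbound_advertisements(LOCAL_BGP_TABLE, flt)}"
              f"  transit leaks: {transit_leaks(LOCAL_BGP_TABLE, flt)}")
```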
