07-30-2011 06:52 AM - edited 03-04-2019 01:08 PM
As per the attached diagram, what can we do to prevent such a thing? There should be a term for this scenario.
07-30-2011 07:03 AM
You could / should advertise your prefixes only to either ISPA or ISPB. This way you are not a transit AS for the customers.
HTH
Samir
07-30-2011 07:20 AM
Hi,
First, if you are multihoming, running BGP with ISPA and ISPB, announce only your prefix. Here is a sample for the connection to ISPA. I'm only giving you basic configuration here.
!
router bgp YOUR_ASN
 neighbor ISPA_INTERFACE_IP_FACING_YOU remote-as ISPA_ASN
 neighbor ISPA_INTERFACE_IP_FACING_YOU description IPV4-BGP with ISPA
 neighbor ISPA_INTERFACE_IP_FACING_YOU password YOUR_BGP_PASSWORD
 neighbor ISPA_INTERFACE_IP_FACING_YOU version 4
 !
 address-family ipv4
  network YOUR_IPV4_PREFIX mask YOUR_IPV4_MASK
  aggregate-address YOUR_IPV4_PREFIX YOUR_IPV4_MASK summary-only
  neighbor ISPA_INTERFACE_IP_FACING_YOU activate
  neighbor ISPA_INTERFACE_IP_FACING_YOU soft-reconfiguration inbound
  neighbor ISPA_INTERFACE_IP_FACING_YOU prefix-list IPV4-ISPA-OUT out
 exit-address-family
!
ip prefix-list IPV4-ISPA-OUT seq 5 permit YOUR_IPV4_PREFIX/YOUR_PREFIX_LENGTH
Second, put an ACL on the interfaces connecting to ISPA and ISPB. Here is a sample for the connection to ISPA; I'm only giving you basic configuration here.
!
interface CONNECTING_TO_ISPA
 ip access-group IPV4-BOGONS in
 ip access-group IPV4-ISPA-OUT out
!
ip access-list extended IPV4-BOGONS
 deny ip YOUR_IPV4_PREFIX WILDCARD_MASK any
 permit ip any YOUR_IPV4_PREFIX WILDCARD_MASK
 permit ip any host IP_OF_THE_INTERFACE_CONNECTING_TO_ISPA
 deny ip any any
!
ip access-list extended IPV4-ISPA-OUT
 permit ip YOUR_IPV4_PREFIX WILDCARD_MASK any
 permit ip host IP_OF_THE_INTERFACE_CONNECTING_TO_ISPA any
 deny ip any any
Google TEAM-CYMRU BGP IOS Template.
Dandy
07-30-2011 07:28 AM
We have 2 routers, r1 connected to ISP A and r2 connected to ISP B. We do advertise our prefix 1.1.1.0/24 to both ISPs, so do I still need to use an access-list to prevent this AS transit? In our case, is it a must to run iBGP between r1 and r2?
07-30-2011 07:37 AM
Typical setup for multi homing. You have R1 connected to ISPA and R2 connected to ISPB (R1 and R2 are interconnected);
- you need to run iBGP between R1 and R2.
- you need to statically advertise only your prefix to ISPA and ISPB.
- you need to put an ACL on your interfaces connected to ISPA and ISPB to prevent spoofing and also to prevent becoming an internet blackhole.
07-30-2011 07:51 AM
Can you please give me some examples of how to prevent AS transit, spoofing and internet blackholing in our case? And we are using HSRP for r1 and r2, so do we still need to use iBGP?
07-30-2011 07:53 AM
The ACL I mentioned in my first reply to you. The "second" instruction.
07-30-2011 07:57 AM
We are using HSRP for r1 and r2, so do we still need to use iBGP?
07-30-2011 08:07 AM
It is "recommended" to run iBGP between two routers running eBGP with upstream ISP. There are reasons why people don't run iBGP.
07-30-2011 08:18 AM
If I run iBGP and HSRP at the same time, will that cause any problem?
07-30-2011 08:25 AM
You configure HSRP on R1 and R2 as the internet gateway for your internal hosts, right?
Running iBGP between R1 and R2 will make them share the routing tables received from the upstream ISPs and use the best path, so you will have outgoing traffic going out via both ISPA and ISPB.
If you don't run iBGP between R1 and R2 and you have only one HSRP process with R1 as the active HSRP router, all your outgoing traffic will go out via ISPA.
You might be running MHSRP, in which you split your network into two, with R1 as the active HSRP router for one half and R2 for the other?
07-30-2011 08:30 AM
Yes, you are right, but we want R1 to be our preferred gateway and to always use ISP A to reach the Internet, while ISP B is a backup when ISP A is down.
07-30-2011 08:32 AM
That explains it. As I said, there are reasons why people don't configure iBGP between two routers.
07-30-2011 09:32 AM
ISP A is AS 65531, so if I use "ip as-path access-list 25 permit _65531$" to avoid AS transit, is that OK?
07-30-2011 04:42 PM
To avoid transit in the outgoing direction, control your BGP advertisements by advertising only your own local AS prefixes, using the AS-path filtering below:
permit only ^$
Example:
ip as-path access-list 8 permit ^$
!
route-map map1 permit 10
 match as-path 8
!
Under BGP on each of Router A and Router B:
 neighbor ISP_Next_Hop_IP route-map map1 out
This will prevent your AS from becoming a transit AS for the ISPs.
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009456d.shtml
HTH
If helpful, rate.
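As an added illustration, not code from any reply in this thread, the Python script below simulates how an outbound as-path access-list decides what a router advertises, comparing the ^$ filter from the reply above with the _65531$ filter proposed earlier. The BGP table entries, ISP B's AS 65532 and every prefix other than 1.1.1.0/24 are constructed for the example.

```python
import re

# Constructed BGP table for the dual-homed AS in the thread (added example,
# not configuration from any reply). Each entry is (prefix, as_path) as the
# local router sees it before its own ASN is prepended on export, so a
# locally originated route has an empty path. ISP A is AS 65531 (from the
# thread); ISP B's AS 65532 and all prefixes other than 1.1.1.0/24 are
# assumed for illustration.
OWN_PREFIXES = ("1.1.1.0/24",)
BGP_TABLE = [
    ("1.1.1.0/24", ""),                  # our own prefix, originated locally
    ("203.0.113.0/24", "65531"),         # ISP A's own prefix
    ("198.51.100.0/24", "65531 64500"),  # learned via ISP A, originated elsewhere
    ("192.0.2.0/24", "65532 64510"),     # learned via ISP B
]


def cisco_regex(expr):
    """Translate an IOS as-path regex into Python syntax: in IOS, `_`
    matches a space, comma, brace, parenthesis or the start/end of the path."""
    return expr.replace("_", r"(?:^|$|[ ,{}()])")


def as_path_filter(routes, expr):
    """Prefixes an outbound `ip as-path access-list N permit <expr>` lets
    through; anything the single entry does not match is implicitly denied."""
    pattern = re.compile(cisco_regex(expr))
    return [prefix for prefix, path in routes if pattern.search(path)]


def evaluate_policy(routes, expr, own_prefixes=OWN_PREFIXES):
    """Summarise an outbound policy: what gets advertised, which of our own
    prefixes are wrongly withheld, and which foreign prefixes leak to the
    neighbour (a leak means we are offering transit for them)."""
    advertised = as_path_filter(routes, expr)
    return {
        "advertised": advertised,
        "withheld": [p for p in own_prefixes if p not in advertised],
        "leaked": [p for p in advertised if p not in own_prefixes],
    }


if __name__ == "__main__":
    # ^$ (from the reply above) advertises only 1.1.1.0/24 toward both ISPs.
    # _65531$ (the earlier proposal) matches routes ORIGINATED by ISP A, so
    # toward ISP B it would leak ISP A's prefix and withhold our own.
    for expr in ("^$", "_65531$"):
        print(expr, evaluate_policy(BGP_TABLE, expr))
```

Running it shows that _65531$ never matches the empty path of a locally originated route, so it withholds 1.1.1.0/24 while re-advertising ISP A's own prefix; ^$ advertises exactly the local prefix and nothing learned from either ISP.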