BGP Routers_Filter_IN and Filter_OUT

Ibrahim Jamil
Level 6

Hi Experts

I want to protect my BGP routers, which are connected to ISPs on GE links, to mitigate denial-of-service or smurf attacks and to protect the control plane of these BGP routers. But my IP addresses connected to these ISPs are fake, in the form of 10.100.x.x and 192.168.x.x, so do I need to allow them in the inbound and outbound filters, since the in-ACL and out-ACL are applied on these GE interfaces?

thanks

jamil

3 Replies

Latchum Naidu
VIP Alumni

Hi Ibrahim,

You need to use BGP in and out filters with a prefix list.
The link below will help you...
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t11/feature/guide/ft11borf.html


Please rate all the helpful posts.
Regards,
Naidu.

Giuseppe Larosa
Hall of Fame

Hello Jamil,

Locally generated packets like BGP messages are not blocked by the outbound filter on the interface. However, the inbound filter would block BGP packets received on the interface. Another point is that the BGP well-known port is used only by one endpoint in a BGP session, but this is negotiated.

So, to allow the BGP session inbound, you can use two statements like:

access-list 101 permit tcp host <ISP-peer-IP> eq bgp host <local-IP>

access-list 101 permit tcp host <ISP-peer-IP> host <local-IP> eq bgp

access-list 101 remark deny statements for private ip addresses

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

....

access-list 101 remark final permit for all other traffic

access-list 101 permit ip any any

int gix/y

ip access-group 101 in

Hope to help

Giuseppe
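
The ACL above depends on IOS first-match evaluation: because the ISP link itself uses private addresses, the two BGP permits have to sit before the private-range denies. The Python model below is an added example, not part of the reply above; the link addresses, the 172.16.0.0/12 and 192.168.0.0/16 deny entries, and all function names are assumptions made for illustration.

```python
from ipaddress import IPv4Address as IP

BGP = 179
ANY = ("0.0.0.0", "255.255.255.255")
PEER, LOCAL = "10.100.1.1", "10.100.1.2"   # constructed link addresses (assumption)

def host(addr):
    return (addr, "0.0.0.0")               # IOS "host x" == x with wildcard 0.0.0.0

def wc_match(addr, spec):
    """IOS wildcard match: bits set in the wildcard are ignored."""
    base, wildcard = (int(IP(x)) for x in spec)
    return ((int(IP(addr)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def build_acl(peer, local, bgp_first=True):
    """Entries: (action, proto, src, src_port, dst, dst_port); None = any port."""
    bgp = [
        ("permit", "tcp", host(peer), BGP, host(local), None),   # peer listens on 179
        ("permit", "tcp", host(peer), None, host(local), BGP),   # we listen on 179
    ]
    # Thread shows only the 10/8 deny; the other RFC 1918 ranges are assumed here.
    private = [("deny", "ip", net, None, ANY, None) for net in (
        ("10.0.0.0", "0.255.255.255"),
        ("172.16.0.0", "0.15.255.255"),
        ("192.168.0.0", "0.0.255.255"))]
    final = [("permit", "ip", ANY, None, ANY, None)]
    return (bgp + private if bgp_first else private + bgp) + final

def evaluate(acl, proto, src, sport, dst, dport):
    """Return the action of the first matching entry, as IOS does."""
    for action, p, s, sp, d, dp in acl:
        if p not in ("ip", proto):
            continue
        if not (wc_match(src, s) and wc_match(dst, d)):
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action
    return "deny"                            # implicit deny ends every ACL

if __name__ == "__main__":
    good, bad = build_acl(PEER, LOCAL), build_acl(PEER, LOCAL, bgp_first=False)
    for name, pkt in [
        ("BGP, peer opened session", ("tcp", PEER, 40000, LOCAL, BGP)),
        ("BGP, router opened session", ("tcp", PEER, BGP, LOCAL, 40001)),
        ("non-BGP from peer address", ("icmp", PEER, None, LOCAL, None)),
        ("spoofed private source", ("tcp", "10.5.5.5", 1234, "203.0.113.10", 80)),
        ("ordinary Internet source", ("tcp", "198.51.100.7", 5555, "203.0.113.10", 443)),
    ]:
        print(f"{name:28} bgp-first={evaluate(good, *pkt):6} denies-first={evaluate(bad, *pkt)}")
```

With the denies placed first, both BGP packets from the peer are dropped; with the order shown in the reply, only BGP from the peer address gets through and everything else sourced from private space is discarded.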

Thanks for your reply
