05-11-2012 06:05 AM - edited 03-04-2019 04:19 PM
Hi Experts
I want to protect my BGP router connected to ISPs on a GE link to mitigate denial of service or smurf attacks and protect the control plane of these BGP routers, but my IP addresses connected to these ISPs are fake, in the form 10.100.x.x and 192.168.x.x, so do I need to allow them in the inbound and outbound filters, since the in-ACL and out-ACL are applied on these GE interfaces?
thanks
jamil
05-11-2012 06:42 AM
Hi Ibrahim,
You need to use BGP in and out filters with prefix lists.
The link below will help you...
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t11/feature/guide/ft11borf.html
Please rate all the helpful posts.
Regards,
Naidu.
05-11-2012 06:43 AM
Hello Jamil,
Locally generated packets like BGP messages are not blocked by an outbound filter on the interface. However, the inbound filter would block BGP packets received on the interface. Another point is that the BGP well-known port is used only by one endpoint in a BGP session, but this is negotiated,
so to allow the BGP session inbound you can use two statements like:
access-list 101 permit tcp host
access-list 101 permit tcp host
access-list 101 remark deny statements for private ip addresses
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
....
access-list 101 remark final permit for all other traffic
access-list 101 permit ip any any
int gix/y
ip access-group 101 in
Hope to help
Giuseppe
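As an added illustration (not part of Giuseppe's post or of any Cisco tool), the Python below models the first-match logic of the inbound ACL above, using constructed placeholder addresses: the router is 10.100.0.2 and the ISP BGP peer is 10.100.0.1. It also shows why the two BGP permits must precede the 10/8 deny when, as in the question, the peer's address is itself private.

```python
# Added example: a first-match evaluator modelling how the inbound IOS ACL
# sketched in the thread treats traffic on the ISP-facing interface.
# Addresses are constructed placeholders (router 10.100.0.2, peer 10.100.0.1).
import ipaddress
from typing import List, Optional, Tuple

BGP_PORT = 179
ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any": base 0.0.0.0, wildcard all ones

def matches(addr: str, spec: Tuple[str, str]) -> bool:
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    return (a & ~wild) == (base & ~wild)

def host(ip: str) -> Tuple[str, str]:
    """IOS 'host A.B.C.D' is address A.B.C.D with wildcard 0.0.0.0."""
    return (ip, "0.0.0.0")

# (action, protocol, src spec, src port, dst spec, dst port); None = unspecified
Rule = Tuple[str, str, Tuple[str, str], Optional[int], Tuple[str, str], Optional[int]]

ACL_101: List[Rule] = [
    # The two BGP permits come first: port 179 sits on only one side of the
    # session, and the peer is itself inside 10/8, so it must be permitted
    # before the private-range denies are reached.
    ("permit", "tcp", host("10.100.0.1"), BGP_PORT, host("10.100.0.2"), None),
    ("permit", "tcp", host("10.100.0.1"), None, host("10.100.0.2"), BGP_PORT),
    # RFC 1918 ranges denied on the ISP link as anti-spoofing
    ("deny", "ip", ("10.0.0.0", "0.255.255.255"), None, ANY, None),
    ("deny", "ip", ("172.16.0.0", "0.15.255.255"), None, ANY, None),
    ("deny", "ip", ("192.168.0.0", "0.0.255.255"), None, ANY, None),
    ("permit", "ip", ANY, None, ANY, None),
]

# Same entries with the private-range denies placed first: the peer's BGP
# packets now hit the 10/8 deny before their permit is ever reached.
ACL_101_MISORDERED = ACL_101[2:5] + ACL_101[:2] + ACL_101[5:]

def evaluate(acl: List[Rule], proto: str, src: str, sport: Optional[int],
             dst: str, dport: Optional[int]) -> str:
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, rproto, sspec, rsport, dspec, rdport in acl:
        if rproto != "ip" and rproto != proto:
            continue
        if not (matches(src, sspec) and matches(dst, dspec)):
            continue
        if (rsport is not None and rsport != sport) or \
           (rdport is not None and rdport != dport):
            continue
        return action
    return "deny"
```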
05-11-2012 07:10 AM
Thanks for your reply