BGP routes filter

rajeshk200_2
Level 1

Hi all,

If we have a border router running BGP peered with the ISP's BGP router, what is the normal practice to filter out overwhelming route updates from the ISP router?

How do we redistribute the BGP routes into the IGP?

I know that by configuring a ^$ regular-expression as-path access-list we can avoid becoming a transit route for the ISP. Like this, is there any standard filter for incoming updates?

I would be pleased to see a sample config for this.

Regards,

Rajesh

3 Replies

mheusinger
Level 10

Hello,

I am assuming your IP addresses are from network 1.1.0.0/16.

You should apply the proper inbound and outbound filters to be sure an ISP failure will not get you in trouble. An example configuration would look like this:

interface Ethernet0/1
 description to ISP
 ip address 1.4.5.2 255.255.255.252
!
router bgp 65000
 network 1.1.0.0 mask 255.255.0.0
 neighbor 1.4.5.1 remote-as 1
 neighbor 1.4.5.1 prefix-list NoTrash in
 neighbor 1.4.5.1 filter-list 1 out
 neighbor 1.4.5.1 weight 150
 no auto-summary
!
ip as-path access-list 1 permit ^$
!
ip prefix-list NoTrash deny 192.168.0.0/16 le 32
ip prefix-list NoTrash deny 172.16.0.0/12 le 32
ip prefix-list NoTrash deny 10.0.0.0/8 le 32
ip prefix-list NoTrash deny 1.1.0.0/16 le 32
ip prefix-list NoTrash permit 0.0.0.0/0 le 32
!
ip route 1.1.0.0 255.255.0.0 Null 0 250

This would announce only the official IP addresses to the ISP. Also, all RFC1918 routes are blocked. You could extend this and use the BOGON list for filtering, but this would require more maintenance, because you have to adjust the filters from time to time. For a customer it should be sufficient to block all routes you potentially have internally.

Alternatively, you can restrict everything accepted to the default route, in case the ISP is willing to send you one (they should have no problem with that):

ip prefix-list NoTrash permit 0.0.0.0/0

I would NEVER redistribute BGP into your IGP. This could kill your network once a failure - config or IOS - happens. Rather, use a default route created by your IGP. An example:

router ospf 123
 default-information originate always

Hope this helps! Please rate all posts.

Regards, Martin

Martin,

Thanks for the response..

Is getting only a default route the normal practice for enterprises? If yes, then only ISPs exchange full routing tables, not enterprises.

In your sample config you are filtering all private addresses from the updates sent by the ISP router and allowing only the default route; correct me if I am wrong.

1) ip prefix-list NoTrash deny 1.1.0.0/16 le 32

ip route 1.1.0.0 255.255.0.0 Null 0 250

I do not understand the purpose of these two commands in the sample config.

2) Do we have to configure anything further in the OSPF configuration to get the BGP default route into the OSPF routing table?

3) If it is multihomed and both ISPs are advertising a default route, how do we give priority to one ISP's route over the other?

Regards,

Rajesh

Hello,

There are enterprises handling the full BGP table as well. This is usually the case when there are two ISPs for redundancy. In case you have only one ISP, a default route might just be enough.

A1) The prefix-list will not allow updates about your own networks. This could happen if someone on the Internet is announcing your addresses (by error ...).

BGP will only insert a network into the BGP table if the exact match is found in the IP routing table. Thus ip route 1.1.0.0 255.255.0.0 Null 0 250 "organizes" this required entry. The assumption is that in reality subnetting will be used and thus 1.1.0.0/16 is not present in the routing table.

2) There is no further config required in OSPF. You could, however, omit the "always" to conditionally advertise a default route, IF it is found in the routing table. This requires, however, that your ISP announces one or that you use a static default route.

3) The priority can be given by setting a different cost value in OSPF: "default-information ... metric 1000".

Hope this helps! Please rate all posts.

Regards, Martin
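As an added illustration (not config or code from the thread), this Python emulates how IOS evaluates the NoTrash prefix-list (first match wins, "le 32" covers every longer prefix, implicit deny at the end) and the ^$ as-path access-list from Martin's sample config, so you can see which received routes would be dropped and why only locally originated routes leave towards the ISP. The received prefixes, the BGP table and the AS number 64500 are constructed sample data.

```python
import ipaddress
import re

# Copy of the NoTrash prefix-list from the thread, as (action, prefix, le);
# le=None means the entry matches only that exact prefix length.
NO_TRASH = [
    ("deny",   "192.168.0.0/16", 32),
    ("deny",   "172.16.0.0/12",  32),
    ("deny",   "10.0.0.0/8",     32),
    ("deny",   "1.1.0.0/16",     32),   # nobody may announce our own space to us
    ("permit", "0.0.0.0/0",      32),   # everything else, any length
]
DEFAULT_ONLY = [("permit", "0.0.0.0/0", None)]   # the "default route only" variant
AS_PATH_ACL_1 = [("permit", r"^$")]              # ip as-path access-list 1 permit ^$

def prefix_list_match(entries, prefix):
    """Emulate IOS prefix-list evaluation: entries are tried in order, the
    first match wins, and an unmatched prefix hits the implicit deny."""
    route = ipaddress.ip_network(prefix, strict=False)
    for action, net, le in entries:
        entry = ipaddress.ip_network(net)
        longest = le if le is not None else entry.prefixlen
        if entry.prefixlen <= route.prefixlen <= longest and route.subnet_of(entry):
            return action
    return "deny"

def as_path_filter(acl, as_path):
    """Emulate 'ip as-path access-list': regexes tried in order against the
    AS_PATH as a space-separated string. A locally originated route has an
    empty path, so only ^$ lets it through; transit routes are blocked."""
    text = " ".join(str(asn) for asn in as_path)
    for action, regex in acl:
        if re.search(regex, text):
            return action
    return "deny"

def accepted_inbound(received, entries=NO_TRASH):
    """Prefixes from the ISP that survive 'neighbor ... prefix-list NoTrash in'."""
    return [p for p in received if prefix_list_match(entries, p) == "permit"]

def announced_outbound(bgp_table, acl=AS_PATH_ACL_1):
    """Routes that pass 'neighbor ... filter-list 1 out'; bgp_table maps prefix -> AS_PATH."""
    return [p for p, path in bgp_table.items() if as_path_filter(acl, path) == "permit"]

# Constructed sample data: what an ISP might send us, and what sits in our BGP table.
RECEIVED = ["203.0.113.0/24", "10.1.0.0/16", "1.1.5.0/24", "0.0.0.0/0", "172.31.0.0/16", "172.15.0.0/16"]
BGP_TABLE = {"1.1.0.0/16": [], "203.0.113.0/24": [1, 64500]}

if __name__ == "__main__":
    print("accepted from ISP:", accepted_inbound(RECEIVED))           # 203.0.113.0/24, 0.0.0.0/0, 172.15.0.0/16
    print("default-only variant:", accepted_inbound(RECEIVED, DEFAULT_ONLY))  # 0.0.0.0/0
    print("announced to ISP:", announced_outbound(BGP_TABLE))          # 1.1.0.0/16 only, no transit
```

Note that 1.1.5.0/24 is dropped by the "deny 1.1.0.0/16 le 32" line even though it is more specific than our aggregate, which is exactly the hijack case Martin's A1 describes.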
