Exercise: Fix BGP Route Leaks

I created a netlab topology you can use to practice BGP security tools I described in the Internet Routing Security webinar:

  • The lab topology mirrors the sample topology I described in the Classification of BGP Route Leaks (RFC 7908) blog post with one router per autonomous system
  • BGP is configured on all devices, and EBGP sessions are set up between all directly-connected devices.
Lab topology (unfortunately turned around)

Lab topology (unfortunately turned around)

Autonomous systems advertise prefixes from three address ranges:

AS type Address range
Transit providers
Regional ISPs

I also created a custom configuration template that reflects a typical ISP setup:

  • Customer routes have BGP local preference 200. It’s always best to send traffic over links someone else is paying for.
  • Peer routes have BGP local preference 150. It’s better to send traffic over zero-settlement links than over links where we have to pay for transit.
  • Routes received from transit providers have default local preference. They are used only when we have no customer- or peer routes to a destination.

While you can use the lab with any supported device, I created the custom configuration template for FRR containers, Cumulus Linux, and Arista EOS.

I did not configure any BGP route filters, so you’ll get tons of “simple” route leaks from customers and peers, giving you plenty of opportunity to figure out how to stop them. On top of that:

  • One of the customers announces way too many prefixes (a customer shall not advertise more than two prefixes)
  • Another customer is advertising an internal prefix from the block
  • The third customers is advertising a prefix that belongs to an ISP (you’ll notice the same prefix is advertised as belonging to two different autonomous systems).
  • An ISP is advertising a /25 prefix that should not be propagated in the global Internet

Fix the lab routing with BGP filters, do not change the route advertisements.

Running the Lab

The optimal way to run the lab is with Linux containers:


  1. 1) Will there be a prize (e. g. giveaway) to win for solving the exercise? :D
    2) Will there be a solution published after some time?
    3) What are the smallest hardware requirements to run the lab?

    1. 1) 😂

      2) Yes, I plan to write a series of blog posts covering various aspects of BGP security. Based on my past performance it might take a long while...

      3) 2GB of RAM and 2 vCPU should be good enough. More in another blog post

  2. looks easy. Just do what is done in real world and everything will be fine:

    1. on links from ISP to customers (and from trans to ISPs) - put bgp ingress filters, accepts only asset/prefixes related to particular customer.
    2. on ISP side - put higher pref to customers and lower pref to upstreams like this: customer pref > peering pref > upstream pref isp - isp link is peering link transit - transit link is peering link cust - isp is upstream/downstream isp - transit is upstream/downstream

    So a few filter policies and correct local-preference will "simulate" real life ISP behavior. Of course, you didn't provide any RIPE-like database to determine peering or upstream/downstream relationships.

    1. Of course it's easy, which makes it even more annoying that so many people can't be bothered to get it right 🤷‍♂️

Add comment