BGP Labs: Stop the Fat-Finger Incidents

Last time, we discussed the first line of defense against fat-finger incidents: limiting the number of BGP prefixes your router accepts from a BGP neighbor. However, you can do much more without deploying customer-specific filters (which might require a customer database) or ROV/RPKI.

You can practice the default filters you should always deploy on EBGP sessions with your customers in the Stop the Propagation of Configuration Errors lab exercise.


1 comment:

  1. You categorized it as a challenge. Will you also publish solutions for your challenges?

    Replies
    1. Where's the fun in that? The lab has a Verification section to help you check whether you filtered out all the unwanted prefixes.

    2. Maybe something along these lines (done with FRR):

      hostname rtr
      !
      router bgp 65000
       ! the peer-group has to exist before neighbors can join it
       ! (remote-as for the customer sessions not shown)
       neighbor CUSTOMER peer-group
       neighbor 10.1.0.1 peer-group CUSTOMER
       neighbor 10.1.0.5 peer-group CUSTOMER
       !
       address-family ipv4 unicast
        neighbor CUSTOMER maximum-prefix 5
        neighbor CUSTOMER route-map CUSTOMER_IN in
       exit-address-family
      !
      ! /25 and longer, /15 and shorter, private and link-local space
      ip prefix-list MORE_SPECIFIC_PREFIXES seq 5 permit 0.0.0.0/0 ge 25 le 32
      ip prefix-list LESS_SPECIFIC_PREFIXES seq 5 permit 0.0.0.0/0 ge 0 le 15
      ip prefix-list RFC_1918 seq 5 permit 10.0.0.0/8 ge 8 le 32
      ip prefix-list RFC_1918 seq 10 permit 169.254.0.0/16 ge 16 le 32
      ip prefix-list RFC_1918 seq 15 permit 172.16.0.0/12 ge 12 le 32
      ip prefix-list RFC_1918 seq 20 permit 192.168.0.0/16 ge 16 le 32
      !
      ! same ASN six times in a row; any path with two ASNs
      ! (the second regex also matches a prepended single ASN,
      ! so deny 40 catches those before deny 50 is reached)
      bgp as-path access-list MORE_THAN_FIVE_AS_PREPEND permit ([0-9]+)_\1_\1_\1_\1_\1_
      bgp as-path access-list MORE_THAN_ONE_AS permit [0-9]+_[0-9]+
      !
      route-map CUSTOMER_IN deny 10
       match ip address prefix-list RFC_1918
      !
      route-map CUSTOMER_IN deny 20
       match ip address prefix-list MORE_SPECIFIC_PREFIXES
      !
      route-map CUSTOMER_IN deny 30
       match ip address prefix-list LESS_SPECIFIC_PREFIXES
      !
      route-map CUSTOMER_IN deny 40
       match as-path MORE_THAN_ONE_AS
      !
      route-map CUSTOMER_IN deny 50
       match as-path MORE_THAN_FIVE_AS_PREPEND
      !
      route-map CUSTOMER_IN permit 100
      I couldn't get the AS prepend regex working with FRR 🤷‍♂️
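To make the filter chain in the FRR snippet above checkable offline, here is an added Python model of the same route-map (my example, not the post's or the commenter's code); it walks the deny clauses in sequence order over a constructed set of customer announcements. Two deliberate deviations: seq 40 is modelled as "more than one distinct ASN" rather than the `[0-9]+_[0-9]+` regex (which would also match a prepended single ASN), and the prepend check counts consecutive repeats directly instead of relying on a regex backreference.

```python
import ipaddress

# Constructed sample routes: (prefix, AS path as FRR prints it).
SAMPLE_ROUTES = [
    ("192.0.2.0/24", "65001"),                    # ordinary customer route
    ("10.20.0.0/16", "65001"),                    # RFC 1918 leak
    ("192.0.2.0/28", "65001"),                    # too specific (/25 or longer)
    ("198.0.0.0/8", "65001"),                     # too short (/15 or shorter)
    ("198.51.100.0/24", "65001 64496"),           # transit: two distinct ASNs
    ("203.0.113.0/24", " ".join(["65001"] * 6)),  # excessive prepending
]

# Same networks as the RFC_1918 prefix-list (169.254/16 is link-local, kept as listed).
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def as_prepend_run(as_path: str) -> int:
    """Longest run of one ASN repeated back to back: what the backreference
    regex in the FRR snippet tries to express, counted without a regex."""
    best = run = 0
    prev = None
    for asn in as_path.split():
        run = run + 1 if asn == prev else 1
        best = max(best, run)
        prev = asn
    return best


def evaluate(prefix: str, as_path: str) -> str:
    """First matching deny clause in sequence order, or 'permit' (seq 100)."""
    net = ipaddress.ip_network(prefix, strict=False)
    if any(net.subnet_of(b) for b in BOGONS):   # seq 10
        return "deny RFC_1918"
    if net.prefixlen >= 25:                      # seq 20
        return "deny MORE_SPECIFIC_PREFIXES"
    if net.prefixlen <= 15:                      # seq 30
        return "deny LESS_SPECIFIC_PREFIXES"
    if len(set(as_path.split())) > 1:            # seq 40: distinct ASNs only,
        return "deny MORE_THAN_ONE_AS"           # so prepended paths reach seq 50
    if as_prepend_run(as_path) > 5:              # seq 50
        return "deny MORE_THAN_FIVE_AS_PREPEND"
    return "permit"


def audit(routes=SAMPLE_ROUTES) -> dict:
    """Verdict per prefix, the way you would check a received Adj-RIB-In."""
    return {prefix: evaluate(prefix, path) for prefix, path in routes}


if __name__ == "__main__":
    for prefix, verdict in audit().items():
        print(f"{prefix:18} {verdict}")
```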
