BGP Labs: Stop the Fat-Finger Incidents

Last time, we discussed the first line of defense against fat-finger incidents: limiting the number of BGP prefixes your router accepts from a BGP neighbor. However, you can do much more without deploying customer-specific filters (which might require a customer database) or ROV/RPKI.

You can practice the default filters you should always deploy on EBGP sessions with your customers in the Stop the Propagation of Configuration Errors lab exercise.


1 comment:

  1. You categorized it as a challenge. Will you also publish solutions for your challenges?

    Replies
    1. Where's the fun in that? The lab has a Verification section to help you check whether you filtered out all the unwanted prefixes.

    2. Maybe something along these lines (done with FRR):

      hostname rtr
      !
      router bgp 65000
       ! The peer-group has to exist (and carry a remote AS) before peers can join it;
       ! "external" accepts any non-local AS on the customer sessions
       neighbor CUSTOMER peer-group
       neighbor CUSTOMER remote-as external
       neighbor 10.1.0.1 peer-group CUSTOMER
       neighbor 10.1.0.5 peer-group CUSTOMER
       !
       address-family ipv4 unicast
        neighbor CUSTOMER maximum-prefix 5
        neighbor CUSTOMER route-map CUSTOMER_IN in
       exit-address-family
      !
      ! Too-specific (/25 and longer) and too-short (/15 and shorter) prefixes
      ip prefix-list MORE_SPECIFIC_PREFIXES seq 5 permit 0.0.0.0/0 ge 25 le 32
      ip prefix-list LESS_SPECIFIC_PREFIXES seq 5 permit 0.0.0.0/0 le 15
      ! Private and link-local address space, any prefix length
      ip prefix-list RFC_1918 seq 5 permit 10.0.0.0/8 le 32
      ip prefix-list RFC_1918 seq 10 permit 169.254.0.0/16 le 32
      ip prefix-list RFC_1918 seq 15 permit 172.16.0.0/12 le 32
      ip prefix-list RFC_1918 seq 20 permit 192.168.0.0/16 le 32
      !
      ! Same AS number six times in a row (origin plus five prepends)
      bgp as-path access-list MORE_THAN_FIVE_AS_PREPEND permit ([0-9]+)_\1_\1_\1_\1_\1_
      ! Any AS path with at least two AS numbers in it
      bgp as-path access-list MORE_THAN_ONE_AS permit [0-9]+_[0-9]+
      !
      route-map CUSTOMER_IN deny 10
       match ip address prefix-list RFC_1918
      !
      route-map CUSTOMER_IN deny 20
       match ip address prefix-list MORE_SPECIFIC_PREFIXES
      !
      route-map CUSTOMER_IN deny 30
       match ip address prefix-list LESS_SPECIFIC_PREFIXES
      !
      route-map CUSTOMER_IN deny 40
       match as-path MORE_THAN_ONE_AS
      !
      route-map CUSTOMER_IN deny 50
       match as-path MORE_THAN_FIVE_AS_PREPEND
      !
      route-map CUSTOMER_IN permit 100

      I couldn't get the AS prepend regex working with FRR 🤷‍♂️
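To check what a route-map of this shape accepts and rejects before loading it on a router, the following added example (not FRR code, not the commenter's configuration and not the lab's solution) re-implements the semantics of the five deny rules and the final permit in plain Python: the three prefix lists become prefix-length and containment checks, MORE_THAN_ONE_AS becomes "at least two AS numbers in the path", and the prepend rule becomes "the same AS number six times in a row". The prefixes and AS numbers in the test inputs are constructed sample values.

```python
"""Offline model of the ingress route-map CUSTOMER_IN from the comment above.

Added illustration: the predicates mirror the intent of the posted prefix
lists and as-path filters, they are not FRR's matching code.  All sample
prefixes and AS numbers below are constructed.
"""
import ipaddress

# ip prefix-list RFC_1918: private and link-local blocks, any length inside them
RFC_1918 = [ipaddress.ip_network(p) for p in
            ("10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]
MORE_SPECIFIC_MIN = 25   # 0.0.0.0/0 ge 25 le 32
LESS_SPECIFIC_MAX = 15   # 0.0.0.0/0 le 15


def matches_rfc1918(net):
    """Prefix lies inside one of the RFC_1918 list entries (IPv4 only)."""
    return any(net.subnet_of(block) for block in RFC_1918)


def too_specific(net):
    return net.prefixlen >= MORE_SPECIFIC_MIN


def too_short(net):
    return net.prefixlen <= LESS_SPECIFIC_MAX


def more_than_one_as(as_path):
    """as-path access-list MORE_THAN_ONE_AS: the regex [0-9]+_[0-9]+ needs
    two adjacent AS numbers, i.e. any path with at least two entries."""
    return len(as_path) >= 2


def prepended_five_times(as_path):
    """Intent of ([0-9]+)_\\1_\\1_\\1_\\1_\\1_ : one ASN repeated six times
    in a row (the origin plus five prepends)."""
    run, prev = 0, None
    for asn in as_path:
        run = run + 1 if asn == prev else 1
        prev = asn
        if run >= 6:
            return True
    return False


# route-map CUSTOMER_IN as an ordered list of (sequence, action, predicate);
# the first matching entry decides, exactly like a router walks a route-map.
CUSTOMER_IN = [
    (10, "deny", lambda net, path: matches_rfc1918(net)),
    (20, "deny", lambda net, path: too_specific(net)),
    (30, "deny", lambda net, path: too_short(net)),
    (40, "deny", lambda net, path: more_than_one_as(path)),
    (50, "deny", lambda net, path: prepended_five_times(path)),
    (100, "permit", lambda net, path: True),
]


def evaluate(prefix, as_path):
    """Evaluate one received route.

    Returns the action and sequence number of the first matching entry, plus
    every sequence that would have matched, so you can see which rules
    overlap (a path long enough to hit seq 50 always hits seq 40 first).
    """
    net = ipaddress.ip_network(prefix, strict=False)
    hits = [(seq, action) for seq, action, pred in CUSTOMER_IN if pred(net, as_path)]
    seq, action = hits[0]
    return {"action": action, "seq": seq, "matching_seqs": [s for s, _ in hits]}


if __name__ == "__main__":
    # Constructed sample routes: (prefix, AS path) as the customer would send them
    samples = [
        ("10.1.2.0/24", [65001]),            # private space
        ("198.51.100.0/26", [65001]),        # too specific
        ("100.64.0.0/10", [65001]),          # too short
        ("198.51.100.0/24", [65001, 65002]), # two AS numbers
        ("198.51.100.0/24", [65001] * 6),    # prepended five times
        ("198.51.100.0/24", [65001]),        # clean route
    ]
    for prefix, path in samples:
        print(prefix, path, "->", evaluate(prefix, path))
```

Running the sample set shows that the prepended route is stopped by sequence 40 (two or more AS numbers) before sequence 50 is ever consulted; whether the backreference regex matches or not makes no difference to the outcome with this rule ordering, which is worth knowing when you are trying to verify that particular rule in the lab.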
