BGP Labs: Stop the Fat-Finger Incidents

Last time, we discussed the first line of defense against fat-finger incidents: limiting the number of BGP prefixes your router accepts from a BGP neighbor. However, you can do much more without deploying customer-specific filters (which might require a customer database) or ROV/RPKI.

You can practice the default filters you should always deploy on EBGP sessions with your customers in the Stop the Propagation of Configuration Errors lab exercise.



  1. You categorized it as a challenge. Will you also publish solutions for your challenges?

    1. Where's the fun in that? The lab has a Verification section to help you check whether you filtered out all the unwanted prefixes.

    2. Maybe something along these lines (done with FRR):

      hostname rtr
      router bgp 65000
       neighbor peer-group CUSTOMER
       neighbor peer-group CUSTOMER
       address-family ipv4 unicast
        neighbor CUSTOMER maximum-prefix 5
        neighbor CUSTOMER route-map CUSTOMER_IN in
      ip prefix-list MORE_SPECIFIC_PREFIXES seq 5 permit ge 25 le 32
      ip prefix-list LESS_SPECIFIC_PREFIXES seq 5 permit ge 0 le 15
      ip prefix-list RFC_1918 seq 5 permit ge 8 le 32
      ip prefix-list RFC_1918 seq 10 permit ge 16 le 32
      ip prefix-list RFC_1918 seq 15 permit ge 12 le 32
      ip prefix-list RFC_1918 seq 20 permit ge 16 le 32
      bgp as-path access-list MORE_THAN_FIVE_AS_PREPEND permit ([0-9]+)_\1_\1_\1_\1_\1_
      bgp as-path access-list MORE_THAN_ONE_AS permit [0-9]+_[0-9]+
      route-map CUSTOMER_IN deny 10
       match ip address prefix-list RFC_1918
      route-map CUSTOMER_IN deny 20
       match ip address prefix-list MORE_SPECIFIC_PREFIXES
      route-map CUSTOMER_IN deny 30
       match ip address prefix-list LESS_SPECIFIC_PREFIXES
      route-map CUSTOMER_IN deny 40
       match as-path MORE_THAN_ONE_AS
      route-map CUSTOMER_IN deny 50
       match as-path MORE_THAN_FIVE_AS_PREPEND
      route-map CUSTOMER_IN permit 100

      I couldn't get the AS prepend regex working with FRR 🤷‍♂️
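
The filter categories named in the FRR configuration above can be tried offline against sample routes before touching a router. This Python sketch is an added example, not the commenter's code or the lab's solution; the length limits (/16 to /24) and the five-copy prepend limit mirror the comment's prefix-list and as-path names, while "more than one distinct AS" is an assumed reading of MORE_THAN_ONE_AS, and all sample routes are constructed.

```python
import ipaddress

# RFC 1918 private blocks (the RFC_1918 prefix-list category)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def longest_run(as_path):
    """Length of the longest run of one AS number repeated back to back."""
    longest, run, prev = 0, 0, None
    for asn in as_path:
        run = run + 1 if asn == prev else 1
        longest, prev = max(longest, run), asn
    return longest

def check_route(prefix, as_path, min_len=16, max_len=24, max_run=5):
    """Return the reason a customer route is rejected, or None if accepted.
    Checks run in the same order as the route-map sequence numbers."""
    net = ipaddress.ip_network(prefix)          # IPv4 only in this sketch
    if any(net.subnet_of(block) for block in RFC1918):
        return "rfc1918"
    if net.prefixlen > max_len:                 # /25 and longer
        return "too-specific"
    if net.prefixlen < min_len:                 # /15 and shorter
        return "too-short"
    if len(set(as_path)) > 1:                   # assumed reading: transit path
        return "multiple-as"
    if longest_run(as_path) > max_run:          # more than five copies
        return "excessive-prepend"
    return None

# Constructed sample updates (documentation prefixes and AS numbers)
SAMPLES = [
    ("192.0.2.0/24",    [64500]),
    ("192.0.2.0/24",    [64500] * 3),
    ("172.16.8.0/24",   [64500]),
    ("192.0.2.128/25",  [64500]),
    ("0.0.0.0/0",       [64500]),
    ("198.51.100.0/24", [64500, 64501]),
    ("203.0.113.0/24",  [64500] * 6),
]

def audit(routes):
    """Evaluate every (prefix, as_path) pair and return the verdicts."""
    return [(p, path, check_route(p, path)) for p, path in routes]

if __name__ == "__main__":
    for prefix, path, reason in audit(SAMPLES):
        print(f"{prefix:18} {reason or 'accept'}")
```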
