Basic EBGP Policy

I wrote in the past couple of posts that (1) you need to be very careful about peering with routers outside of your administrative control, and (2) good edge policies are essential both to protect yourself and to be a good neighbor by protecting the networks with which you're peering.

There are a few essentials to responsible and safe external BGP (EBGP) configuration.

First, a word about redistributing between BGP and your IGP:

Don’t do it!

Redistributing from your IGP into BGP gives you almost no control over what gets advertised to your external peer, which just isn't responsible: whatever happens to be in your IGP, including internal, private, or mistyped prefixes, leaks to the outside world. Redistributing incoming BGP advertisements into your IGP can be fatal. OSPF, EIGRP, and IS-IS cannot handle a full Internet table (well over 200,000 routes at the time of writing, and growing) and will melt down under the load. What's worse, recovering from such a meltdown is extremely difficult and can take hours. Even if you are only taking partial routes from your upstream provider, do not redistribute them; advertise your own prefixes with explicit network statements and keep the two routing domains separate. Setting a limit on the number of prefixes you'll accept from each peer (on Cisco IOS, the neighbor maximum-prefix command) further protects you from a peer that leaks far more routes than it should, whether by accident or by design.

Second, always use authentication to any external BGP peer (TCP MD5, RFC 2385, is the mechanism BGP implementations offer), and always use a different key for each peer, so that a key disclosed by one neighbor does not expose your sessions with the others. The key must be configured identically on both ends; a mismatch keeps the session from coming up, which is exactly the point.

Third, use an access list on your external interface to protect your BGP port (TCP port 179) by permitting BGP packets only between your external interface IP address and the IP address of your external peer; deny (and log) packets from any other source trying to reach TCP port 179. Remember that either router may open the TCP session, so the access list has to permit packets from the peer with destination port 179 and packets from the peer with source port 179.
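The three measures above expressed as a Cisco IOS configuration, as an added example rather than configuration from the original post. The AS numbers (64496 and 64511), the addresses (192.0.2.0/30 for the link and 198.51.100.0/24 as the prefix being advertised, all from the documentation ranges), the key string, the prefix limit and the access-list name are assumptions chosen for illustration; the rejected redistribution lines are shown only as comments so they cannot be pasted in by accident.

```cisco
! Added example, not from the original post; addresses, AS numbers, key,
! prefix limit and ACL name are assumptions for illustration.
!
! ---- Don't do this: redistribution in either direction ----
! router bgp 64496
!  redistribute ospf 1             <- leaks whatever the IGP holds to the peer
! router ospf 1
!  redistribute bgp 64496 subnets  <- pulls the peer's table into the IGP
!
! ---- Do this instead ----
!
! External interface toward the upstream provider, with the edge ACL inbound
interface GigabitEthernet0/0
 description Link to upstream provider (AS 64511)
 ip address 192.0.2.2 255.255.255.252
 ip access-group EBGP-EDGE in
!
router bgp 64496
 no synchronization
 bgp log-neighbor-changes
 ! Advertise only prefixes you list explicitly. The network statement needs
 ! a matching route in the RIB, supplied by the static route to Null0 below.
 network 198.51.100.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64511
 neighbor 192.0.2.1 description Upstream provider
 ! TCP MD5 session authentication; this key is unique to this peer and
 ! must be configured identically on the provider's side.
 neighbor 192.0.2.1 password Ex4mple-K3y-Upstream1
 ! Tear the session down if the peer sends more than 50 prefixes and warn
 ! at 80% of that. 50 assumes a partial-routes peer; size it for your feed.
 neighbor 192.0.2.1 maximum-prefix 50 80
 ! Note what is absent: no "redistribute" line in either direction.
 no auto-summary
!
! Anchor for the aggregate advertised above (high admin distance so it never
! overrides a real route to part of the block)
ip route 198.51.100.0 255.255.255.0 Null0 254
!
! BGP reaches this router only from the peer's address and only to ours.
! Both TCP directions are permitted because either side may open the session.
ip access-list extended EBGP-EDGE
 remark Peer -> us, we are the passive side (destination port 179)
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 remark Peer -> us, we opened the session (source port 179)
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 remark Anyone else touching port 179 is dropped and logged
 deny   tcp any any eq bgp log
 deny   tcp any eq bgp any log
 remark Everything else (transit traffic) is outside the scope of this example
 permit ip any any
```

The two deny lines are where the logging pays off: a steady trickle of hits from addresses other than 192.0.2.1 is a sign someone is probing or trying to spoof the session, and the log gives you the source to chase. On a production edge the same ACL would also carry anti-spoofing and bogon filters; only the BGP-specific entries are shown here.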

With those basic protection measures in place, you are ready to regulate what is advertised in and out of your network.

I'll write about that in the next posts.


Copyright © 2007 IDG Communications, Inc.
