BGP (Border Gateway Protocol)
BGP is the routing protocol used to exchange network reachability information between autonomous systems (AS) on the Internet.
Overview
BGP (RFC 4271) is a path-vector protocol and the de-facto standard for inter-domain routing.
Characteristics:
- Application-layer protocol (runs over TCP port 179)
- Path-vector algorithm (uses the AS path)
- Policy-based routing
- Scalability (carries the entire Internet routing table)
- Slow convergence (stability is valued over speed)
BGP types:
- eBGP (External BGP) - between different ASes
- iBGP (Internal BGP) - within a single AS
Use cases:
- Connecting to an Internet service provider (ISP)
- Multi-homing (several ISPs)
- Transit AS
- Enterprise with its own ASN
- Data centers (BGP in the DC)
- Cloud connectivity (AWS, Azure, GCP)
Autonomous System (AS)
An AS is a group of networks under a single administrative control with a common routing policy.
AS Number (ASN)
Ranges:
- 1-64511 - public ASNs (require registration with an RIR)
- 64512-65534 - private ASNs (for internal use)
- 65535 - reserved
- 4-byte ASNs: 65536-4294967295 (RFC 6793)
Obtaining a public ASN:
- Through a Regional Internet Registry (RIR)
- For Russia: RIPE NCC
- Requires a justification of use
Setting the ASN
set protocols bgp system-as 65001
commit
This parameter is mandatory to start BGP.
Router ID
Unique identifier of the BGP router (in IPv4 address format).
set protocols bgp parameters router-id 10.0.0.1
commit
Router ID selection (if not configured explicitly):
- Highest IP address of a loopback interface
- Highest IP address of a physical interface
Recommendation: always configure the router-id explicitly.
Basic Configuration
eBGP with a single ISP
# AS configuration
set protocols bgp system-as 65001
set protocols bgp parameters router-id 10.0.0.1
# ISP neighbor
set protocols bgp neighbor 203.0.113.1 remote-as 65000
set protocols bgp neighbor 203.0.113.1 address-family ipv4-unicast
# Announce own network
set protocols bgp address-family ipv4-unicast network 192.0.2.0/24
commit
save
Verification
show ip bgp summary
show ip bgp neighbors
show ip bgp
Neighbor Configuration
Basic neighbor
IPv4:
set protocols bgp neighbor 203.0.113.1 remote-as 65000
set protocols bgp neighbor 203.0.113.1 address-family ipv4-unicast
commit
IPv6:
set protocols bgp neighbor 2001:db8::1 remote-as 65000
set protocols bgp neighbor 2001:db8::1 address-family ipv6-unicast
commit
Remote AS
eBGP (different ASes):
set protocols bgp system-as 65001
set protocols bgp neighbor 203.0.113.1 remote-as 65000
iBGP (same AS):
set protocols bgp system-as 65001
set protocols bgp neighbor 10.0.0.2 remote-as 65001
Update Source
Use a specific interface/IP address for the BGP session:
set protocols bgp neighbor 10.0.0.2 update-source 10.0.0.1
commit
Useful for iBGP over loopback interfaces.
eBGP Multihop
For eBGP with neighbors that are not directly connected:
set protocols bgp neighbor 203.0.113.10 ebgp-multihop 2
commit
The value is the maximum number of hops (by default eBGP only works with directly connected neighbors).
Password Authentication
MD5 authentication for the BGP session:
set protocols bgp neighbor 203.0.113.1 password 'SecurePassword123!'
commit
The password must match on both sides.
TTL Security
Protection against spoofing attacks:
set protocols bgp neighbor 203.0.113.1 ttl-security hops 1
commit
Checks the TTL of incoming packets (expected value: 255 - hops).
Description
set protocols bgp neighbor 203.0.113.1 description 'ISP1 - AS65000'
commit
Peer Groups
Grouping of neighbors that share common parameters.
Creating a peer group
set protocols bgp peer-group ISP-PEERS remote-as 65000
set protocols bgp peer-group ISP-PEERS address-family ipv4-unicast
set protocols bgp peer-group ISP-PEERS password 'SharedSecret!'
commit
Adding neighbors to the group
set protocols bgp neighbor 203.0.113.1 peer-group ISP-PEERS
set protocols bgp neighbor 203.0.113.2 peer-group ISP-PEERS
commit
Neighbors inherit the parameters of the peer-group.
Overriding parameters
set protocols bgp neighbor 203.0.113.1 peer-group ISP-PEERS
set protocols bgp neighbor 203.0.113.1 password 'DifferentPassword!'
commit
Per-neighbor parameters take precedence over the peer-group.
Address Families
BGP supports multiple protocols via Multiprotocol Extensions (RFC 4760).
IPv4 Unicast
set protocols bgp neighbor 203.0.113.1 address-family ipv4-unicast
commit
Enabled by default for IPv4 neighbors.
IPv6 Unicast
set protocols bgp neighbor 2001:db8::1 address-family ipv6-unicast
commit
Multiprotocol BGP
Advertising IPv4 prefixes over an IPv6 session:
set protocols bgp neighbor 2001:db8::1 address-family ipv4-unicast
set protocols bgp neighbor 2001:db8::1 address-family ipv6-unicast
commit
Network Advertisement
Network Statement
Advertising a specific network:
set protocols bgp address-family ipv4-unicast network 192.0.2.0/24
commit
Requirement: the network must exist in the routing table (via connected, static, or another protocol).
Adding a static route:
set protocols static route 192.0.2.0/24 blackhole distance 254
set protocols bgp address-family ipv4-unicast network 192.0.2.0/24
commit
Aggregate Address
Summarizing several networks:
set protocols bgp address-family ipv4-unicast aggregate-address 192.0.2.0/23
commit
Advertises the summary prefix (the more specific prefixes continue to be advertised unless summary-only is set).
Summary-only
Advertise only the summary prefix:
set protocols bgp address-family ipv4-unicast aggregate-address 192.0.2.0/23 summary-only
commit
Suppresses the more specific prefixes.
Route Redistribution
Importing routes from other sources into BGP.
Redistribution sources
Connected interfaces:
set protocols bgp address-family ipv4-unicast redistribute connected
commit
Static routes:
set protocols bgp address-family ipv4-unicast redistribute static
commit
OSPF:
set protocols bgp address-family ipv4-unicast redistribute ospf
commit
Kernel routes:
set protocols bgp address-family ipv4-unicast redistribute kernel
commit
Selective Redistribution
With a route-map for filtering:
set protocols bgp address-family ipv4-unicast redistribute connected route-map CONN-TO-BGP
commit
Route Filtering
Prefix Lists
Creating a prefix-list:
set policy prefix-list ALLOW-CUSTOMER rule 10 action permit
set policy prefix-list ALLOW-CUSTOMER rule 10 prefix 192.0.2.0/24
set policy prefix-list ALLOW-CUSTOMER rule 20 action permit
set policy prefix-list ALLOW-CUSTOMER rule 20 prefix 198.51.100.0/24
commit
With a prefix length range:
set policy prefix-list FILTER-SMALL rule 10 action deny
set policy prefix-list FILTER-SMALL rule 10 prefix 0.0.0.0/0
set policy prefix-list FILTER-SMALL rule 10 le 24
set policy prefix-list FILTER-SMALL rule 20 action permit
set policy prefix-list FILTER-SMALL rule 20 prefix 0.0.0.0/0
set policy prefix-list FILTER-SMALL rule 20 le 32
commit
- le (less or equal) - maximum prefix length
- ge (greater or equal) - minimum prefix length
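To make the le/ge semantics concrete, here is an added example (not part of the original page or of VyOS itself) that parses prefix-list "set" commands and evaluates a candidate prefix against them the way the router does: first matching rule wins, a rule without le/ge matches only the exact length, and an unmatched prefix is denied. The embedded commands are the ALLOW-CUSTOMER list above and a subset of the BOGONS list from the Bogon Filtering section further down.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed input: the ALLOW-CUSTOMER list from this section plus a subset of
# the BOGONS list from the Bogon Filtering section, as VyOS 'set' commands.
CONFIG = """
set policy prefix-list ALLOW-CUSTOMER rule 10 action permit
set policy prefix-list ALLOW-CUSTOMER rule 10 prefix 192.0.2.0/24
set policy prefix-list ALLOW-CUSTOMER rule 20 action permit
set policy prefix-list ALLOW-CUSTOMER rule 20 prefix 198.51.100.0/24
set policy prefix-list BOGONS rule 10 action deny
set policy prefix-list BOGONS rule 10 prefix 0.0.0.0/8 le 32
set policy prefix-list BOGONS rule 20 action deny
set policy prefix-list BOGONS rule 20 prefix 10.0.0.0/8 le 32
set policy prefix-list BOGONS rule 40 action deny
set policy prefix-list BOGONS rule 40 prefix 192.168.0.0/16 le 32
set policy prefix-list BOGONS rule 100 action permit
set policy prefix-list BOGONS rule 100 prefix 0.0.0.0/0 le 32
"""

RULE_RE = re.compile(r"set policy prefix-list (\S+) rule (\d+) (.+)")


def parse_prefix_lists(config_text):
    """Return {list_name: [rule, ...]} ordered by rule number; a rule is a dict
    with 'action', 'prefix' and optional 'le'/'ge' (given on the prefix line or
    on a separate 'rule N le ...' line; both forms appear on this page)."""
    lists = defaultdict(dict)
    for line in config_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        name, num, tokens = m.group(1), int(m.group(2)), m.group(3).split()
        rule = lists[name].setdefault(num, {})
        for key, val in zip(tokens[0::2], tokens[1::2]):
            rule[key] = int(val) if key in ("le", "ge") else val
    return {n: [r[k] for k in sorted(r)] for n, r in lists.items()}


def rule_matches(rule, cand):
    """cand must lie inside the rule prefix and its length must be within
    [ge, le]; without ge/le only the exact prefix length matches."""
    base = ipaddress.ip_network(rule["prefix"])
    if cand.version != base.version or not cand.subnet_of(base):
        return False
    lo = rule.get("ge", base.prefixlen)
    hi = rule.get("le", base.max_prefixlen if "ge" in rule else base.prefixlen)
    return lo <= cand.prefixlen <= hi


def evaluate(rules, prefix):
    """First matching rule decides; every prefix-list ends in an implicit deny."""
    cand = ipaddress.ip_network(prefix)
    for rule in rules:
        if "prefix" in rule and rule_matches(rule, cand):
            return rule["action"]
    return "deny"


if __name__ == "__main__":
    lists = parse_prefix_lists(CONFIG)
    for name, prefix in [("ALLOW-CUSTOMER", "192.0.2.0/24"),
                         ("ALLOW-CUSTOMER", "192.0.2.0/25"),
                         ("BOGONS", "10.1.0.0/16"),
                         ("BOGONS", "203.0.113.0/24")]:
        print(f"{name:15} {prefix:16} -> {evaluate(lists[name], prefix)}")
```

Note that 192.0.2.0/25 is denied by ALLOW-CUSTOMER: without le the rule for 192.0.2.0/24 accepts only the /24 itself, which is exactly the behaviour you want when a customer is allowed to announce one aggregate and nothing more specific.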
Applying a prefix-list to a neighbor
Incoming (import):
set protocols bgp neighbor 203.0.113.1 address-family ipv4-unicast prefix-list import ALLOW-CUSTOMER
commit
Outgoing (export):
set protocols bgp neighbor 203.0.113.1 address-family ipv4-unicast prefix-list export MY-NETWORKS
commit
Route Maps
More flexible filtering and attribute manipulation.
Basic route-map
set policy route-map BGP-IN rule 10 action permit
set policy route-map BGP-IN rule 10 match ip address prefix-list ALLOWED-PREFIXES
set policy route-map BGP-IN rule 20 action deny
commit
Changing attributes
Local Preference:
set policy route-map PREFER-ISP1 rule 10 action permit
set policy route-map PREFER-ISP1 rule 10 set local-preference 150
commit
MED (Multi-Exit Discriminator):
set policy route-map SET-MED rule 10 action permit
set policy route-map SET-MED rule 10 set metric 100
commit
AS-path prepend:
set policy route-map PREPEND-PATH rule 10 action permit
set policy route-map PREPEND-PATH rule 10 set as-path prepend '65001 65001'
commit
Community:
set policy route-map TAG-ROUTES rule 10 action permit
set policy route-map TAG-ROUTES rule 10 set community '65001:100'
commit
Applying a route-map
Import:
set protocols bgp neighbor 203.0.113.1 address-family ipv4-unicast route-map import BGP-IN
commit
Export:
set protocols bgp neighbor 203.0.113.1 address-family ipv4-unicast route-map export BGP-OUT
commit
BGP Attributes
Local Preference
Route preference propagated within the AS over iBGP (higher = better).
set protocols bgp neighbor 10.0.0.2 address-family ipv4-unicast route-map import SET-LOCAL-PREF
set policy route-map SET-LOCAL-PREF rule 10 action permit
set policy route-map SET-LOCAL-PREF rule 10 set local-preference 200
commit
Default: 100.
Use: influence outbound traffic (exit selection).
MED (Multi-Exit Discriminator)
A hint to the neighboring AS about the preferred entry point (lower = better).
set protocols bgp neighbor 203.0.113.1 address-family ipv4-unicast route-map export SET-MED
set policy route-map SET-MED rule 10 action permit
set policy route-map SET-MED rule 10 set metric 50
commit
Default: 0.
Use: influence inbound traffic from the peer.
AS Path
The list of ASes the route has traversed.
Prepend (adding your own AS several times):
set policy route-map PREPEND rule 10 action permit
set policy route-map PREPEND rule 10 set as-path prepend '65001 65001 65001'
commit
Used to depreference a route (a longer path is less preferred).
Weight
Cisco-specific attribute (in VyOS it is set via a route-map).
Setting the weight:
set policy route-map SET-WEIGHT rule 10 action permit
set policy route-map SET-WEIGHT rule 10 set weight 100
commit
Higher = more preferred. Local to the router (not propagated to neighbors).
BGP Communities
Tags used to group and filter routes.
Standard Communities
Format: AS:VALUE (32-bit)
Adding a community:
set policy route-map TAG rule 10 action permit
set policy route-map TAG rule 10 set community '65001:100'
commit
Multiple communities:
set policy route-map TAG rule 10 set community '65001:100'
set policy route-map TAG rule 10 set community '65001:200' additive
commit
Well-known Communities
- no-export (65535:65281) - do not advertise to eBGP peers
- no-advertise (65535:65282) - do not advertise to anyone
- local-as (65535:65283) - do not advertise outside the confederation
set policy route-map NO-EXPORT rule 10 action permit
set policy route-map NO-EXPORT rule 10 set community 'no-export'
commit
Community Lists
Filtering by community:
set policy community-list CUSTOMER-A rule 10 action permit
set policy community-list CUSTOMER-A rule 10 regex '65001:1.*'
set policy route-map FILTER-COMMUNITY rule 10 action permit
set policy route-map FILTER-COMMUNITY rule 10 match community community-list CUSTOMER-A
commit
Large Communities
RFC 8092 - format: AS:VALUE1:VALUE2 (96-bit)
set policy route-map TAG-LARGE rule 10 action permit
set policy route-map TAG-LARGE rule 10 set large-community '65001:100:1'
commit
AS Path Filtering
Filtering based on the AS path.
AS Path List
set policy as-path-list ALLOW-DIRECT rule 10 action permit
set policy as-path-list ALLOW-DIRECT rule 10 regex '^65000_'
set policy as-path-list DENY-TRANSIT rule 10 action deny
set policy as-path-list DENY-TRANSIT rule 10 regex '_65123_'
commit
Regex patterns:
- ^ - start of the path
- $ - end of the path
- _ - separator (a space, the start, or the end of the path)
- .* - any characters
- [0-9]+ - one or more digits
Applying an AS Path Filter
set policy route-map FILTER-AS rule 10 action permit
set policy route-map FILTER-AS rule 10 match as-path as-path-list ALLOW-DIRECT
set protocols bgp neighbor 203.0.113.1 address-family ipv4-unicast route-map import FILTER-AS
commit
iBGP
Internal BGP within a single AS.
Basic iBGP configuration
Router 1:
set protocols bgp system-as 65001
set protocols bgp parameters router-id 10.0.0.1
set protocols bgp neighbor 10.0.0.2 remote-as 65001
set protocols bgp neighbor 10.0.0.2 update-source 10.0.0.1
set protocols bgp neighbor 10.0.0.2 address-family ipv4-unicast
commit
Router 2:
set protocols bgp system-as 65001
set protocols bgp parameters router-id 10.0.0.2
set protocols bgp neighbor 10.0.0.1 remote-as 65001
set protocols bgp neighbor 10.0.0.1 update-source 10.0.0.2
set protocols bgp neighbor 10.0.0.1 address-family ipv4-unicast
commit
iBGP Full Mesh
N routers require N(N-1)/2 sessions.
Scaling problem:
- 3 routers = 3 sessions
- 10 routers = 45 sessions
- 100 routers = 4950 sessions
Solutions: Route Reflector or Confederation.
Route Reflector
Reduces the number of iBGP sessions.
Route Reflector configuration
Route Reflector (RR):
set protocols bgp system-as 65001
set protocols bgp parameters router-id 10.0.0.1
set protocols bgp parameters cluster-id 10.0.0.1
# RR clients
set protocols bgp neighbor 10.0.0.10 remote-as 65001
set protocols bgp neighbor 10.0.0.10 address-family ipv4-unicast route-reflector-client
set protocols bgp neighbor 10.0.0.11 remote-as 65001
set protocols bgp neighbor 10.0.0.11 address-family ipv4-unicast route-reflector-client
commit
RR Client:
set protocols bgp system-as 65001
set protocols bgp parameters router-id 10.0.0.10
set protocols bgp neighbor 10.0.0.1 remote-as 65001
set protocols bgp neighbor 10.0.0.1 address-family ipv4-unicast
commit
Clients do not need a full mesh, only a session to the RR.
Multiple Route Reflectors
For redundancy:
# Client
set protocols bgp neighbor 10.0.0.1 remote-as 65001
set protocols bgp neighbor 10.0.0.2 remote-as 65001
commit
Both RRs must have the same cluster-id.
BGP Confederation
An alternative to Route Reflectors: the AS is split into sub-ASes.
Configuration
AS 65001 (public AS):
- Sub-AS 65001.1 (private, configured as 65101)
- Sub-AS 65001.2 (private, configured as 65102)
Router in Sub-AS 65001.1:
set protocols bgp system-as 65101
set protocols bgp parameters router-id 10.0.1.1
set protocols bgp parameters confederation identifier 65001
set protocols bgp parameters confederation peers 65102
# iBGP inside the sub-AS
set protocols bgp neighbor 10.0.1.2 remote-as 65101
# eBGP to the other sub-AS
set protocols bgp neighbor 10.0.2.1 remote-as 65102
commit
Router in Sub-AS 65001.2:
set protocols bgp system-as 65102
set protocols bgp parameters router-id 10.0.2.1
set protocols bgp parameters confederation identifier 65001
set protocols bgp parameters confederation peers 65101
set protocols bgp neighbor 10.0.1.1 remote-as 65101
commit
BFD Integration
Bidirectional Forwarding Detection for fast failure detection.
Enabling BFD
set protocols bgp neighbor 203.0.113.1 bfd
commit
Configuring a BFD profile
set protocols bfd profile bgp-peers interval transmit 300
set protocols bfd profile bgp-peers interval receive 300
set protocols bfd profile bgp-peers interval multiplier 3
set protocols bgp neighbor 203.0.113.1 bfd profile bgp-peers
commit
BFD detects a failure in seconds instead of minutes (BGP keepalive).
Timers
Keepalive and Hold Time
set protocols bgp neighbor 203.0.113.1 timers keepalive 30
set protocols bgp neighbor 203.0.113.1 timers holdtime 90
commit
Defaults:
- Keepalive: 60 seconds
- Hold time: 180 seconds
Recommendation: set the hold time to at least 3 times the keepalive.
Advertisement Interval
set protocols bgp neighbor 203.0.113.1 advertisement-interval 30
commit
Minimum interval between update messages.
Graceful Restart
Preserves forwarding while the BGP process restarts.
set protocols bgp parameters graceful-restart
commit
Restart time:
set protocols bgp parameters graceful-restart restart-time 120
commit
Configuration Examples
Dual-homed to two ISPs
# Local AS
set protocols bgp system-as 65001
set protocols bgp parameters router-id 10.0.0.1
# ISP1 (primary)
set protocols bgp neighbor 203.0.113.1 remote-as 65000
set protocols bgp neighbor 203.0.113.1 description 'ISP1 Primary'
set protocols bgp neighbor 203.0.113.1 address-family ipv4-unicast
set protocols bgp neighbor 203.0.113.1 address-family ipv4-unicast route-map import ISP1-IN
set protocols bgp neighbor 203.0.113.1 address-family ipv4-unicast route-map export MY-NETWORKS
# ISP2 (backup)
set protocols bgp neighbor 198.51.100.1 remote-as 65002
set protocols bgp neighbor 198.51.100.1 description 'ISP2 Backup'
set protocols bgp neighbor 198.51.100.1 address-family ipv4-unicast
set protocols bgp neighbor 198.51.100.1 address-family ipv4-unicast route-map import ISP2-IN
set protocols bgp neighbor 198.51.100.1 address-family ipv4-unicast route-map export MY-NETWORKS-PREPEND
# Announce networks
set protocols bgp address-family ipv4-unicast network 192.0.2.0/24
# Route-maps
set policy route-map ISP1-IN rule 10 action permit
set policy route-map ISP1-IN rule 10 set local-preference 200
set policy route-map ISP2-IN rule 10 action permit
set policy route-map ISP2-IN rule 10 set local-preference 100
set policy route-map MY-NETWORKS rule 10 action permit
set policy route-map MY-NETWORKS rule 10 match ip address prefix-list MY-PREFIXES
set policy route-map MY-NETWORKS-PREPEND rule 10 action permit
set policy route-map MY-NETWORKS-PREPEND rule 10 match ip address prefix-list MY-PREFIXES
set policy route-map MY-NETWORKS-PREPEND rule 10 set as-path prepend '65001 65001'
set policy prefix-list MY-PREFIXES rule 10 action permit
set policy prefix-list MY-PREFIXES rule 10 prefix 192.0.2.0/24
commit
save
iBGP with a Route Reflector
Route Reflector:
set protocols bgp system-as 65001
set protocols bgp parameters router-id 10.255.255.1
set protocols bgp parameters cluster-id 10.255.255.1
# RR Clients
set protocols bgp neighbor 10.0.1.1 remote-as 65001
set protocols bgp neighbor 10.0.1.1 update-source 10.255.255.1
set protocols bgp neighbor 10.0.1.1 address-family ipv4-unicast route-reflector-client
set protocols bgp neighbor 10.0.1.2 remote-as 65001
set protocols bgp neighbor 10.0.1.2 update-source 10.255.255.1
set protocols bgp neighbor 10.0.1.2 address-family ipv4-unicast route-reflector-client
set protocols bgp neighbor 10.0.1.3 remote-as 65001
set protocols bgp neighbor 10.0.1.3 update-source 10.255.255.1
set protocols bgp neighbor 10.0.1.3 address-family ipv4-unicast route-reflector-client
commit
save
Client:
set protocols bgp system-as 65001
set protocols bgp parameters router-id 10.0.1.1
set protocols bgp neighbor 10.255.255.1 remote-as 65001
set protocols bgp neighbor 10.255.255.1 update-source 10.0.1.1
set protocols bgp neighbor 10.255.255.1 address-family ipv4-unicast
commit
save
BGP over IPsec VTI
# IPsec VTI
set interfaces vti vti0 address 172.16.0.1/30
# BGP over the VTI
set protocols bgp system-as 65001
set protocols bgp parameters router-id 10.0.0.1
set protocols bgp neighbor 172.16.0.2 remote-as 65002
set protocols bgp neighbor 172.16.0.2 address-family ipv4-unicast
set protocols bgp address-family ipv4-unicast network 192.168.1.0/24
commit
save
Enterprise with branch offices
HQ:
set protocols bgp system-as 65001
set protocols bgp parameters router-id 10.0.0.1
# ISP
set protocols bgp neighbor 203.0.113.1 remote-as 65000
set protocols bgp neighbor 203.0.113.1 address-family ipv4-unicast
# Branch offices (iBGP)
set protocols bgp neighbor 10.0.1.1 remote-as 65001
set protocols bgp neighbor 10.0.1.1 update-source 10.0.0.1
set protocols bgp neighbor 10.0.1.1 address-family ipv4-unicast
set protocols bgp neighbor 10.0.2.1 remote-as 65001
set protocols bgp neighbor 10.0.2.1 update-source 10.0.0.1
set protocols bgp neighbor 10.0.2.1 address-family ipv4-unicast
# Announce HQ network
set protocols bgp address-family ipv4-unicast network 192.168.1.0/24
# Redistribute connected branches
set protocols bgp address-family ipv4-unicast redistribute connected route-map BRANCHES
set policy route-map BRANCHES rule 10 action permit
set policy route-map BRANCHES rule 10 match interface vti0
set policy route-map BRANCHES rule 10 match interface vti1
commit
save
Operational Commands
BGP Summary
show ip bgp summary
Output:
BGP router identifier 10.0.0.1, local AS number 65001
IPv4 Unicast Summary:
Neighbor V AS MsgRcvd MsgSent Up/Down State/PfxRcd
203.0.113.1 4 65000 1234 1456 01:23:45 12345
BGP Neighbors
show ip bgp neighbors
Details of a specific neighbor:
show ip bgp neighbors 203.0.113.1
BGP Routes
All BGP routes:
show ip bgp
A specific prefix:
show ip bgp 192.0.2.0/24
Received routes (before filtering):
show ip bgp neighbors 203.0.113.1 received-routes
Advertised routes:
show ip bgp neighbors 203.0.113.1 advertised-routes
BGP Statistics
show ip bgp statistics
Clear BGP Session
Soft reset (without tearing down the TCP session):
clear ip bgp 203.0.113.1 soft
Hard reset:
clear ip bgp 203.0.113.1
All sessions:
clear ip bgp *
Troubleshooting
BGP session does not come up
Check:
TCP connectivity:
ping 203.0.113.1
telnet 203.0.113.1 179
Firewall:
set firewall ipv4 input filter rule 100 action accept
set firewall ipv4 input filter rule 100 destination port 179
set firewall ipv4 input filter rule 100 protocol tcp
commit
ASN matches:
show configuration commands | grep "remote-as"
Password (if configured):
show ip bgp neighbors 203.0.113.1
Logs:
show log | grep bgp
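Session state is also what a monitoring job should watch, and the State/PfxRcd column of "show ip bgp summary" (see the BGP Summary section) carries it: a number means Established with that many prefixes received, anything else is the FSM state the session is stuck in. This added example (not from the original page) parses that output and raises the alerts a defender wants: session down, remote AS different from what was expected, and prefix count above the maximum-prefix limit. The sample output is constructed in the page's layout, with a second neighbor added in the Active state; the 1000-prefix limit is the one from the Security section.

```python
import re

# Constructed sample in the layout shown in the BGP Summary section; the second
# neighbor (ISP2 from the dual-homed example) is added here and is stuck in Active.
SUMMARY = """\
BGP router identifier 10.0.0.1, local AS number 65001
IPv4 Unicast Summary:
Neighbor V AS MsgRcvd MsgSent Up/Down State/PfxRcd
203.0.113.1 4 65000 1234 1456 01:23:45 12345
198.51.100.1 4 65002 0 0 never Active
"""

# neighbor, BGP version 4, remote AS, ..., last column (state or prefix count)
NEIGHBOR_RE = re.compile(r"^(\S+)\s+4\s+(\d+)\s+.*\s(\S+)$")


def parse_summary(text):
    """Return {neighbor: {'as': int, 'state': str, 'prefixes': int or None}}.
    A numeric last column means Established with that many prefixes received;
    otherwise the column is the FSM state (Idle, Connect, Active, ...)."""
    peers = {}
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if not m:
            continue
        neighbor, asn, last = m.groups()
        if last.isdigit():
            peers[neighbor] = {"as": int(asn), "state": "Established", "prefixes": int(last)}
        else:
            peers[neighbor] = {"as": int(asn), "state": last, "prefixes": None}
    return peers


def check_peers(peers, expected_as, max_prefix):
    """Alerts a monitoring job would raise: session not established, remote AS
    not the one documented for the neighbor, or prefix count over the
    configured maximum-prefix limit (a route leak indicator)."""
    alerts = []
    for neighbor, info in sorted(peers.items()):
        if info["state"] != "Established":
            alerts.append(f"{neighbor}: session not established (state {info['state']})")
            continue
        if expected_as.get(neighbor) not in (None, info["as"]):
            alerts.append(f"{neighbor}: remote AS {info['as']} != expected {expected_as[neighbor]}")
        if info["prefixes"] > max_prefix.get(neighbor, info["prefixes"]):
            alerts.append(f"{neighbor}: {info['prefixes']} prefixes exceeds limit {max_prefix[neighbor]}")
    return alerts


if __name__ == "__main__":
    peers = parse_summary(SUMMARY)
    expected = {"203.0.113.1": 65000, "198.51.100.1": 65002}
    limits = {"203.0.113.1": 1000}
    for alert in check_peers(peers, expected, limits):
        print("ALERT", alert)
```

In production the text would come from "show ip bgp summary" (or "vtysh -c" from a cron job) rather than the embedded string, and the alerts would go to the monitoring system.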
Routes are not received
Check:
The address family is activated:
show protocols bgp neighbor 203.0.113.1
Prefix filters are not blocking them:
show ip bgp neighbors 203.0.113.1 received-routes
Route-maps:
show policy route-map
Routes are not advertised
Check:
The network exists in the routing table:
show ip route 192.0.2.0/24
Outbound filters:
show ip bgp neighbors 203.0.113.1 advertised-routes
Export route-map:
show configuration commands | grep export
Suboptimal routing
Check:
BGP attributes:
show ip bgp 192.0.2.0/24
- Local Preference (for iBGP)
- MED (from the peer)
- AS-path length
Use route-maps to change the attributes.
Best Practices
- Always configure the router-id explicitly
- Use prefix-lists for filtering
- Password authentication for eBGP
- BFD for fast failover
- Route Reflector instead of full-mesh iBGP (with more than 5 routers)
- Loopback interfaces as the iBGP update-source
- Maximum-prefix to protect against route leaks:
set protocols bgp neighbor 203.0.113.1 address-family ipv4-unicast maximum-prefix 100000
- Document every neighbor (description)
- Monitor the state of BGP sessions
- Graceful restart for planned maintenance
Security
Recommendations
TTL Security:
set protocols bgp neighbor 203.0.113.1 ttl-security hops 1
Password Authentication:
set protocols bgp neighbor 203.0.113.1 password 'StrongPassword123!'
Prefix Filtering:
- Filter bogon prefixes
- Filter your own prefixes on import
- Advertise only your own prefixes
Maximum Prefix Limit:
set protocols bgp neighbor 203.0.113.1 address-family ipv4-unicast maximum-prefix 1000
AS Path Filtering:
- Block private ASNs on eBGP
- Block unexpected AS paths
Firewall:
set firewall ipv4 input filter rule 100 action accept
set firewall ipv4 input filter rule 100 source address 203.0.113.1
set firewall ipv4 input filter rule 100 destination port 179
set firewall ipv4 input filter rule 100 protocol tcp
Logging:
set protocols bgp parameters log-neighbor-changes
RPKI (Resource Public Key Infrastructure) for origin AS validation
Bogon Filtering
Block reserved/private IP ranges:
set policy prefix-list BOGONS rule 10 action deny
set policy prefix-list BOGONS rule 10 prefix 0.0.0.0/8 le 32
set policy prefix-list BOGONS rule 20 action deny
set policy prefix-list BOGONS rule 20 prefix 10.0.0.0/8 le 32
set policy prefix-list BOGONS rule 30 action deny
set policy prefix-list BOGONS rule 30 prefix 172.16.0.0/12 le 32
set policy prefix-list BOGONS rule 40 action deny
set policy prefix-list BOGONS rule 40 prefix 192.168.0.0/16 le 32
set policy prefix-list BOGONS rule 50 action deny
set policy prefix-list BOGONS rule 50 prefix 224.0.0.0/4 le 32
set policy prefix-list BOGONS rule 100 action permit
set policy prefix-list BOGONS rule 100 prefix 0.0.0.0/0 le 32
set protocols bgp neighbor 203.0.113.1 address-family ipv4-unicast prefix-list import BOGONS
commit
Next Steps
- OSPF - for enterprise internal routing
- Static Routes - backup for BGP
- Route-maps - detailed filtering
- BFD - fast failure detection
- VRF - routing table isolation