CDQ: Basic BGP prefix ingress filtering

I’ve been doing a lot of BGP lately. I’ve seen some config that has made me cringe. I’ve also seen a bunch of routing loops and other tomfoolery because people weren’t filtering the prefixes they accept from their peers properly.

This is a very quick inbound prefix list that should be the minimum you apply to every peer. It is a basic sanity check and is in no way exhaustive: it only drops address space nobody should ever announce, so it does not replace a per-peer list of the prefixes that peer is actually entitled to send you, and it does not stop anyone from announcing your own address space back at you.

! Special-use space first: a match here is dropped whatever its length
! 0/8 "this network", 127/8 loopback, 169.254/16 link-local
ip prefix-list BasicPrefixFilterIn deny 0.0.0.0/8 le 32
ip prefix-list BasicPrefixFilterIn deny 127.0.0.0/8 le 32
ip prefix-list BasicPrefixFilterIn deny 169.254.0.0/16 le 32
! RFC 1918 private space and RFC 6598 shared (CGN) space
ip prefix-list BasicPrefixFilterIn deny 10.0.0.0/8 le 32
ip prefix-list BasicPrefixFilterIn deny 172.16.0.0/12 le 32
ip prefix-list BasicPrefixFilterIn deny 192.168.0.0/16 le 32
ip prefix-list BasicPrefixFilterIn deny 100.64.0.0/10 le 32
! Documentation (TEST-NET-1/2/3) and benchmarking space
! "le 32" added so more-specifics are caught here rather than by the final deny
ip prefix-list BasicPrefixFilterIn deny 192.0.2.0/24 le 32
ip prefix-list BasicPrefixFilterIn deny 198.51.100.0/24 le 32
ip prefix-list BasicPrefixFilterIn deny 203.0.113.0/24 le 32
ip prefix-list BasicPrefixFilterIn deny 198.18.0.0/15 le 32
! Multicast and reserved (class E) space
ip prefix-list BasicPrefixFilterIn deny 224.0.0.0/4 le 32
ip prefix-list BasicPrefixFilterIn deny 240.0.0.0/4 le 32
! Whatever is left is accepted only if its length is between /8 and /24 inclusive
ip prefix-list BasicPrefixFilterIn permit 0.0.0.0/0 ge 8 le 24
! Everything else (the default route, anything longer than /24) is dropped
ip prefix-list BasicPrefixFilterIn deny 0.0.0.0/0 le 32

The list starts by denying the RFC 5735 special-use address space (plus 100.64.0.0/10, the shared address space from RFC 6598). Anything that survives those entries is permitted if its prefix length is between /8 and /24 inclusive. Everything else is denied, which includes anything more specific than a /24. Remember that a prefix-list is evaluated top to bottom, first match wins, and there is an implicit deny at the end; the explicit final deny just makes that visible in the config.

NOTE: this list also blocks the default route (0.0.0.0/0), because a /0 is shorter than the /8 minimum on the permit line. Be warned.
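To see exactly what the list accepts and drops without a router to hand, here is an added example (not code from the original post) that evaluates the list above with IOS prefix-list semantics: top to bottom, first match wins, ge/le bounds on the received length, implicit deny at the end. The list text is a copy of the post's BasicPrefixFilterIn; the sample prefixes fed through it are constructed for illustration and are not taken from any real routing table. The parser also accepts the optional "seq N" keyword, which the post's list does not use.

```python
"""Evaluate an IOS-style prefix-list the way the router does.

Added example, not part of the original post. The prefix-list text below is a
copy of the post's BasicPrefixFilterIn; the sample prefixes are constructed.
"""
import ipaddress

# Constructed copy of the post's list in IOS syntax. Lines starting with '!'
# are comments and are skipped, as on the router.
PREFIX_LIST_CONFIG = """
! deny special-use / bogon space
ip prefix-list BasicPrefixFilterIn deny 0.0.0.0/8 le 32
ip prefix-list BasicPrefixFilterIn deny 10.0.0.0/8 le 32
ip prefix-list BasicPrefixFilterIn deny 100.64.0.0/10 le 32
ip prefix-list BasicPrefixFilterIn deny 127.0.0.0/8 le 32
ip prefix-list BasicPrefixFilterIn deny 169.254.0.0/16 le 32
ip prefix-list BasicPrefixFilterIn deny 172.16.0.0/12 le 32
ip prefix-list BasicPrefixFilterIn deny 192.0.2.0/24
ip prefix-list BasicPrefixFilterIn deny 192.168.0.0/16 le 32
ip prefix-list BasicPrefixFilterIn deny 198.18.0.0/15 le 32
ip prefix-list BasicPrefixFilterIn deny 198.51.100.0/24
ip prefix-list BasicPrefixFilterIn deny 203.0.113.0/24
ip prefix-list BasicPrefixFilterIn deny 224.0.0.0/4 le 32
ip prefix-list BasicPrefixFilterIn deny 240.0.0.0/4 le 32
ip prefix-list BasicPrefixFilterIn permit 0.0.0.0/0 ge 8 le 24
ip prefix-list BasicPrefixFilterIn deny 0.0.0.0/0 le 32
"""


def parse_prefix_list(text, name="BasicPrefixFilterIn"):
    """Return [(action, network, lo, hi), ...] in configuration order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["ip", "prefix-list"] or len(tokens) < 3 or tokens[2] != name:
            continue  # blank lines, '!' comments, other lists
        if len(tokens) > 3 and tokens[3] == "seq":
            del tokens[3:5]  # optional sequence number, irrelevant for matching
        if len(tokens) < 5:
            continue
        action, prefix = tokens[3], tokens[4]
        net = ipaddress.IPv4Network(prefix, strict=False)
        ge = le = None
        for keyword, value in zip(tokens[5::2], tokens[6::2]):
            if keyword == "ge":
                ge = int(value)
            elif keyword == "le":
                le = int(value)
        # IOS semantics: no ge/le means exact length only; "ge X" alone means
        # X..32; "le Y" alone means prefixlen..Y.
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else (32 if ge is not None else net.prefixlen)
        entries.append((action, net, lo, hi))
    return entries


def evaluate(entries, prefix):
    """First matching entry decides; an IOS prefix-list ends with an implicit deny."""
    candidate = ipaddress.IPv4Network(prefix, strict=False)
    for action, net, lo, hi in entries:
        # An entry matches when the received length is within [lo, hi] and the
        # received prefix lies inside the entry's network.
        if lo <= candidate.prefixlen <= hi and candidate.subnet_of(net):
            return action
    return "deny"


ENTRIES = parse_prefix_list(PREFIX_LIST_CONFIG)


def check(prefix):
    """'permit' or 'deny' for one received prefix, against the post's list."""
    return evaluate(ENTRIES, prefix)


if __name__ == "__main__":
    # Constructed sample announcements covering the edge cases the post calls out.
    samples = [
        "8.8.8.0/24",     # ordinary /24 -> permit
        "8.0.0.0/8",      # ordinary /8 -> permit
        "8.8.8.0/25",     # more specific than /24 -> deny
        "0.0.0.0/0",      # default route -> deny (shorter than /8)
        "10.1.0.0/16",    # RFC 1918 -> deny
        "192.0.2.0/25",   # more-specific of TEST-NET-1 -> deny (by the final entry)
        "172.32.0.0/16",  # just outside 172.16.0.0/12 -> permit
    ]
    for p in samples:
        print(f"{p:16} {check(p)}")
```

The 192.0.2.0/25 case shows why the three documentation entries work without "le 32" in the post's version: the exact-match entry does not catch the more-specific, but the permit line only allows up to /24, so the final deny drops it anyway. If you ever relax that permit line (for example to accept /25s from a customer), those entries stop being safe, which is why adding "le 32" to them is cheap insurance.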

This post was inspired by the sample config file that the folks over at OpenBGPd distribute. You guys rock!