BGP Best Practices

ACLs on the Internet facing interface

You should permit BGP (TCP port 179) only with known peers, to prevent malicious entities from attacking your BGP process by spoofing your neighbor's IP.

You should permit inbound traffic only to your prefixes. There’s no sense accepting traffic for networks you don’t own.

You should deny inbound traffic from bogons (reserved or unallocated address space that should never appear as a source on the Internet).

MD5 passphrase with peers
ttl-security with peers (especially if you’re doing MD5)
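The three points above (peer-only BGP in the interface ACL, an MD5 passphrase, and ttl-security) in one Cisco IOS configuration, as an added example that is not part of the original post. The addresses are from the RFC 5737 documentation ranges, the ASNs from the documentation range, and the interface name, passphrase and bogon entries are assumptions; the bogon list is deliberately partial and must be kept current from an authoritative source such as Team Cymru.

```cisco
! Assumed topology: our prefix 192.0.2.0/24, our AS 64496,
! upstream peer 198.51.100.1 (AS 64500) directly connected on Gi0/0,
! our side of the link is 198.51.100.2.
ip access-list extended INTERNET-IN
 ! BGP only to and from the known peer, in either direction
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 ! any other BGP session attempt is dropped before it reaches the process
 deny   tcp any any eq bgp
 deny   tcp any eq bgp any
 ! bogon sources (partial list, assumed; refresh regularly)
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 ! our own prefix arriving from the Internet as a source is spoofed
 deny   ip 192.0.2.0 0.0.0.255 any
 ! accept only traffic destined to our prefix and to the link address
 permit ip any 192.0.2.0 0.0.0.255
 permit ip any host 198.51.100.2
 deny   ip any any
!
interface GigabitEthernet0/0
 description Internet facing (assumed)
 ip address 198.51.100.2 255.255.255.252
 ip access-group INTERNET-IN in
!
router bgp 64496
 neighbor 198.51.100.1 remote-as 64500
 ! MD5 on the TCP session (passphrase is a placeholder)
 neighbor 198.51.100.1 password EXAMPLE-PASSPHRASE
 ! peer is one hop away: packets must arrive with TTL 254 or higher
 neighbor 198.51.100.1 ttl-security hops 1
```

Order matters in the ACL: the known-peer permits come first, the blanket BGP denies follow, and only then is general traffic to our prefix allowed, so a BGP SYN from anywhere else is dropped regardless of the later permits. ttl-security (GTSM) and MD5 complement each other: MD5 makes the router reject forged segments, but it still has to compute the digest, whereas the TTL check discards packets from more than one hop away before any cryptographic work is done.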

Internet good naturedness

Control outbound advertisements:
  Use prefix lists to ensure that you only advertise your prefixes
Control inbound traffic:
  Route RFC1918 traffic to null
  Use uRPF to ensure your outbound traffic isn't spoofed
Disable NTP on the Internet facing interface
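The outbound prefix list, RFC1918 null routes, uRPF and NTP disable as a Cisco IOS configuration, added here as an example that is not part of the original post. It reuses the assumed addresses from above (our prefix 192.0.2.0/24, peer 198.51.100.1, Internet facing interface Gi0/0) and assumes a second, internal interface Gi0/1 behind which our own hosts sit; both interface names are assumptions.

```cisco
! Only our own prefix may be advertised; everything else is denied
! (prefix lists have an implicit deny, the explicit entry documents intent)
ip prefix-list OUR-PREFIXES seq 5 permit 192.0.2.0/24
ip prefix-list OUR-PREFIXES seq 100 deny 0.0.0.0/0 le 32
!
router bgp 64496
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 prefix-list OUR-PREFIXES out
!
! RFC1918 space routed to null so it is never forwarded toward the Internet
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
! uRPF needs CEF
ip cef
!
interface GigabitEthernet0/0
 description Internet facing (assumed)
 ! loose uRPF: drop sources with no route or a route to Null0
 ! (strict mode would break if return paths are asymmetric)
 ip verify unicast source reachable-via any
 ! the edge interface does not need to answer NTP
 ntp disable
!
interface GigabitEthernet0/1
 description Internal / customer side (assumed)
 ip address 192.0.2.1 255.255.255.0
 ! strict uRPF: a packet leaving us must carry a source we route back
 ! through this interface, so our outbound traffic cannot be spoofed
 ip verify unicast source reachable-via rx
```

The null routes and loose uRPF work together: a packet arriving on Gi0/0 with an RFC1918 source is dropped by uRPF because the best route for that source points to Null0, and any RFC1918-destined packet that does get routed is discarded rather than sent to the upstream. Strict mode belongs on the internal side, where the routing is symmetric and every legitimate source is known.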
