[nsp] ACL based on BGP community tag
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Sun Jun 22 12:37:51 EDT 2003
Sean,
> In the same router, can anyone think of a way to set up the
> equivalent of an interface ACL based on a BGP community tag?
>
> What I would like to do is permit (or deny) traffic
> from certain networks by tagging the routes in BGP, such
> as only allowing "customer tagged" BGP routes to send
> packets through a particular interface. But I don't want
> to change how the router passes traffic to/from other
> interfaces.
>
> In cisco-speak do I want to use BGP QOS Policy Propagation,
> with a QOS policy of null routing the traffic? Or is there
> a better/simpler method?
You can use a technique referred to as "shunning". It uses loose uRPF on
the interface and a static Null route for a fake/unused address on the
router (i.e. 192.168.1.1/32 -> Null0). Then you configure an ingress BGP
route-map to set the next-hop of all the networks you want to deny
traffic from to 192.168.1.1.
As loose uRPF drops packets from networks which a) have no FIB entry or b)
have a Null0 route, traffic from those networks is effectively dropped.
This technique is commonly used in mitigating DoS attacks where you want
traffic from a given network to be dropped on all your
gateway/border routers. Here you use iBGP to distribute a BGP path with
the next-hop set to the fake address to all border routers, which
activates the "filter" on all those routers. More details can be found
at http://www.cisco.com/global/EMEA/networkers/presentations/SEC-301_Michael_Behringer.pdf.gz
oli
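A constructed IOS configuration fragment sketching the shunning setup described above (added example, not from the post or from Cisco; the community value 65000:666, AS numbers, neighbor address and interface name are placeholders). Only the interface carrying `ip verify unicast` enforces the drop, so forwarding on the other interfaces is unchanged, which is what the question asked for.

```ios
! uRPF needs CEF
ip cef
!
! 1. Sink route: the fake/unused next-hop from the post, pointed at Null0
ip route 192.168.1.1 255.255.255.255 Null0
!
! 2. Community that marks routes whose sources must be dropped
!    (65000:666 is a constructed placeholder, pick your own)
ip bgp-community new-format
ip community-list standard SHUN-SOURCES permit 65000:666
!
! 3. Inbound route-map: rewrite the next-hop of tagged routes to the sink
!    address; sequence 20 passes everything else through unchanged
route-map SHUN-IN permit 10
 match community SHUN-SOURCES
 set ip next-hop 192.168.1.1
route-map SHUN-IN permit 20
!
router bgp 65000
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 route-map SHUN-IN in
!
! 4. Loose-mode uRPF only on the interface that should enforce the filter.
!    Sources whose BGP next-hop resolves to Null0 fail the check and are dropped.
!    Caveat: sources covered only by a default route are not considered
!    reachable unless "allow-default" is appended to this command.
interface GigabitEthernet0/1
 ip verify unicast source reachable-via any
```

Verify with `show ip route 192.168.1.1` (must show Null0) and `show ip cef <shunned prefix>` to confirm the prefix now resolves via the sink address before relying on the drop.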