Bogon IPv4 Ingress and Egress Filtering in Cisco IOS-XR

As mentioned from the previous post, Bogon prefixes or routes should never appear in the Internet routing table. Network Engineers should implement “Best Practices” in their network, that includes filtering of bogons as it maybe used in DDoS attacks or Spams. Refer to https://freenetworktutorials.com/ipv4-and-ipv6-bogon-address-list  for more info.
“Martians” bogons may changed occasionally so at least make sure private address mentioned in https://freenetworktutorials.com/ipv4-classful-and-reserved-addresses are filtered so it wont leak out into the Internet.

Here is sample steps and configuration.

1. Create the Ingress and Egress ACL
Example list of Bogon IPs to filter:
0.0.0.0/8 “This” network
127.0.0.0/8 Loopback
169.254.0.0/16 Link local
192.0.2.0/24 TEST-NET-1
192.168.0.0/16 Private-use networks
224.0.0.0/4 Multicast
10.0.0.0/8 Private-use networks
172.16.0.0/12 Private-use networks

RP/0/RP0/CPU0:ASR9K#configure
RP/0/RP0/CPU0:ASR9K(config)#

ipv4 access-list ACL_IN
10 deny ipv4 0.0.0.0 0.255.255.255 any
20 deny ipv4 127.0.0.0 0.255.255.255 any
30 deny ipv4 any 127.0.0.0 0.255.255.255
40 deny ipv4 169.254.0.0 0.0.255.255 any
50 deny ipv4 any 169.254.0.0 0.0.255.255
60 deny ipv4 192.0.2.0 0.0.0.255 any
70 deny ipv4 any 192.0.2.0 0.0.0.255
80 deny ipv4 192.168.0.0 0.0.255.255 any
90 deny ipv4 any 192.168.0.0 0.0.255.255
100 deny ipv4 224.0.0.0 31.255.255.255 any
110 deny ipv4 10.0.0.0 0.255.255.255 any
120 deny ipv4 any 10.0.0.0 0.255.255.255
130 deny ipv4 172.16.0.0 0.15.255.255 any
140 deny ipv4 any 172.16.0.0 0.15.255.255
150 permit ipv4 any any

Note: For ACL Ingress, the idea is deny all the bogons (also those ports you want to block) and permit everything

Example:  own network prefix to advertise (111.111.111.0/24)
RP/0/RP0/CPU0:ASR9k(config)#

ipv4 access-list ACL_OUT
10 deny ipv4 0.0.0.0 0.255.255.255 any
20 deny ipv4 127.0.0.0 0.255.255.255 any
30 deny ipv4 any 127.0.0.0 0.255.255.255
40 deny ipv4 169.254.0.0 0.0.255.255 any
50 deny ipv4 any 169.254.0.0 0.0.255.255
60 deny ipv4 192.0.2.0 0.0.0.255 any
70 deny ipv4 any 192.0.2.0 0.0.0.255
80 deny ipv4 192.168.0.0 0.0.255.255 any
90 deny ipv4 any 192.168.0.0 0.0.255.255
100 deny ipv4 224.0.0.0 31.255.255.255 any
110 deny ipv4 10.0.0.0 0.255.255.255 any
120 deny ipv4 any 10.0.0.0 0.255.255.255
130 deny ipv4 172.16.0.0 0.15.255.255 any
140 deny ipv4 any 172.16.0.0 0.15.255.255
150 permit ipv4 111.111.111.0 0.0.0.255 any
160 deny ipv4 any any

Note: For ACL Egress, the idea is deny all the bogons (also those ports you want to block) ,allow your own networks to advertise in your BGP peering (e.g.111.111.111.0/24) and deny everything

RP/0/RP0/CPU0:ASR9k(config)#commit

2.Apply the ACL
RP/0/RP0/CPU0:ASR9K(config)#

interface Bundle-Ether111
ipv4 access-group ACL_IN ingress
ipv4 access-group ACL_OUT egress

RP/0/RP0/CPU0:ASR9k(config)#commit

3. Verify:

show access-lists ACL_IN
show access-lists ACL_OUT

One Comment

Leave a Reply