Tuesday, December 8, 2020

BGP Filtering Question

Novice BGP question --

I've only been doing BGP for the last year on my internal network, no WAN. I'm going to begin advertising our first ARIN assigned subnet to our ISPs which will require BGP peering with them. Up until now I've had no Import/Export rules in place since it was all internal. Obviously I'll want to fix that before peering with our ISPs.

1a) On my (edge) Palo Alto firewalls to my core switches, is there any reason I shouldn't just write an export rule that limits the advertisement to my core to only the three RFC1918 blocks? Since my default route from the core is my firewall anyway, I don't see any reason why any explicit WAN routes would need to be on my core -- including even just the ISPs' default.

1b) To my ISPs, I'm assuming I'll want to limit my export rule to include nothing but my ARIN assigned subnet... Nothing else?

2a) In the opposite direction, as for import rules, I'm assuming coming from the core to my firewall, it'd be fine to do the same and just write an import rule that limits the advertisement from my core to only the three RFC1918 blocks?

2b) For my import rules from my ISPs, they're supposed to only be sending me a default route (not the entire table), so I assume I should be able to write a rule matching only the IP block they're routing from and nothing else.

Does all of this sound correct? Anything I'm missing?

Thank you!
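As an added example (not from the post and not Palo Alto configuration), here is a small Python model of the four filters the question describes, using the usual prefix-list semantics of a covering network with ge/le length bounds and an implicit deny. The policy names and the ARIN block (203.0.113.0/24, a documentation range standing in for the real assignment) are assumptions.

```python
"""Model of the four BGP prefix filters described in the post (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
ARIN_BLOCK = "203.0.113.0/24"   # placeholder for the assigned block (TEST-NET-3)

@dataclass(frozen=True)
class PrefixEntry:
    """One prefix-list line: covering network plus ge/le length bounds (inclusive)."""
    network: IPv4Network
    ge: int
    le: int

    def matches(self, prefix: IPv4Network) -> bool:
        return (prefix.subnet_of(self.network)
                and self.ge <= prefix.prefixlen <= self.le)

def exact(cidr: str) -> PrefixEntry:
    """Match exactly this prefix and nothing more specific."""
    n = IPv4Network(cidr)
    return PrefixEntry(n, n.prefixlen, n.prefixlen)

def covering(cidr: str, le: int = 32) -> PrefixEntry:
    """Match this prefix and any subnet of it down to /le."""
    n = IPv4Network(cidr)
    return PrefixEntry(n, n.prefixlen, le)

# Permit-only prefix lists; anything unmatched is implicitly denied.
POLICIES = {
    "export_to_core":   [covering(c) for c in RFC1918],  # RFC1918 and subnets only
    "export_to_isp":    [exact(ARIN_BLOCK)],             # only the ARIN block as assigned
    "import_from_core": [covering(c) for c in RFC1918],
    "import_from_isp":  [exact("0.0.0.0/0")],            # the default route, nothing else
}

def permitted(policy: str, cidr: str) -> bool:
    prefix = IPv4Network(cidr, strict=False)
    return any(e.matches(prefix) for e in POLICIES[policy])

def filter_update(policy: str, cidrs):
    """Split a list of prefixes into (accepted, rejected) under the policy."""
    accepted = [c for c in cidrs if permitted(policy, c)]
    rejected = [c for c in cidrs if not permitted(policy, c)]
    return accepted, rejected

if __name__ == "__main__":
    # Constructed sample of what an ISP session might try to send us.
    isp_update = ["0.0.0.0/0", "198.51.100.0/24", "10.0.0.0/8"]
    print(filter_update("import_from_isp", isp_update))
```

Note that `exact()` on the ARIN block also rejects more-specifics of it, so a /25 carved from the assignment would not leak to the ISP unless deliberately added.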
