[lacnog] BGP Filtering

Chriztoffer Hansen chriztoffer at netravnen.de
Tue Mar 3 09:00:00 GMT+3 2020


On Tue, 3 Mar 2020 at 12:54, Chriztoffer wrote:
> On Tue, 3 Mar 2020 at 01:15, Diego Aguilar Rosado
> <diegoaguilar9661 at gmail.com> wrote:
> > Applying access lists as security for my ASN is a given, but my question is: what is the recommended place to apply ACLs, on the interface or as a distributed-list in the router bgp process?
>
> Applying prefix-list(s) inside route-maps (MT calls it routeing filter
> [2]) - and route-maps to your eBGP peer session(s) - is most often the
> recommendation.
>
> E.g. using /routing bgp peer set [id] in-filter=[in-filter-name]
> out-filter=[out-filter-name] -- [0][1]
>
> [0]: https://wiki.mikrotik.com/wiki/Manual:Routing/BGP#Peer
> [1]: https://wiki.mikrotik.com/wiki/Manual:Simple_BGP_Multihoming#Network_Advertisements_and_Routing_Filters
> [2]: https://wiki.mikrotik.com/wiki/Manual:Routing/Routing_filters

For restricting management access, using the inbound prefix-list
available to be configured under /ip services could be an option.
[3][4]

[3]: https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
[4]: https://www.manitonetworks.com/networking/2017/7/25/mikrotik-router-hardening#services

NB: The above assumes the use of MT. If not, please use input only for
reference reading.
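
The recommendation in this message, written out as an added example (not part of the original post): routing filter chains attached to an eBGP peer, plus a per-service source restriction under /ip service. It assumes RouterOS v6 syntax as in the linked wiki pages; the peer name, chain names and all prefixes (documentation ranges) are constructed placeholders.

```routeros
# Constructed example, RouterOS v6 syntax. Peer name "upstream1", the chain
# names and the prefixes 203.0.113.0/24 (own space) and 198.51.100.0/24
# (management network) are placeholders, not values from the thread.

/routing filter
# Inbound from the eBGP peer: drop default, private space, our own prefix
# and anything more specific than /24, then accept the rest.
add chain=upstream1-in prefix=0.0.0.0/0 prefix-length=0 action=discard comment="no default route"
add chain=upstream1-in prefix=10.0.0.0/8 prefix-length=8-32 action=discard comment="RFC 1918"
add chain=upstream1-in prefix=172.16.0.0/12 prefix-length=12-32 action=discard comment="RFC 1918"
add chain=upstream1-in prefix=192.168.0.0/16 prefix-length=16-32 action=discard comment="RFC 1918"
add chain=upstream1-in prefix=203.0.113.0/24 prefix-length=24-32 action=discard comment="own prefix must not come back in"
add chain=upstream1-in prefix=0.0.0.0/0 prefix-length=25-32 action=discard comment="longer than /24"
add chain=upstream1-in action=accept

# Outbound: announce only our own prefix, discard everything else so a
# full table or customer routes are never leaked to the peer.
add chain=upstream1-out prefix=203.0.113.0/24 prefix-length=24 action=accept
add chain=upstream1-out action=discard

# Attach the chains to the peer session.
/routing bgp peer
set [find name=upstream1] in-filter=upstream1-in out-filter=upstream1-out

# Management plane: "address" is the list of source prefixes allowed to
# reach each service; unused services are disabled outright.
/ip service
set ssh address=198.51.100.0/24
set winbox address=198.51.100.0/24
set telnet disabled=yes
```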

