Sanity Check on Route Filters
Hey all,

Just looking to get a sanity check done on a route filter. If an AS is receiving routes from an IX route server, will this allow routes from the RS to be received? I'm confident it will, however just looking for validation before we test it.

/routing filter rule
add chain=AS64496-V4-IN disabled=no rule="if ( bgp-input-remote-as 64496) { set bgp-local-pref 200; accept }"

Regards,
Christopher Hawker
Hi Chris,

That will work, however I'm wondering what the point of " bgp-input-remote-as 64496" is when you're applying the filter to that bgp peer connection anyway? What scenario would arise where that would actually filter anything, unless you accidentally applied that filter to another connection?

My filter from IX Route servers is simply:

jump validate_route;   (this filters bogons, rejects our prefixes, validates rpki, adds pref-src IP and returns)
set bgp-local-pref 150;
accept;

Regards,
Dirk Bermingham

-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Christopher Hawker via Public
Sent: Monday, November 6, 2023 10:10 AM
To: public@talk.mikrotik.com.au
Cc: Christopher Hawker <chris@thesysadmin.dev>
Subject: [MT-AU Public] Sanity Check on Route Filters

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Hi Dirk,

It was more or less intended to confirm that the actual route learnt originates from the AS it's supposed to. I've re-worked it as below. Still need to incorporate RPKI into the mix.

/routing filter rule
add chain=AS64496-V4-IN disabled=no rule="if ( dst in 0.0.0.0/0 && afi ipv4 ) { jump validate_route4 }" comment="AS64496 - Peering RS"
add chain=AS64496-V4-IN disabled=no rule="{ set bgp-local-pref 200; accept }"
add chain=validate_route4 disabled=no rule="if ( dst in 10.0.0.0/8 && dst-len >= 8 ) { reject }" comment="v4 Bogons"
add chain=validate_route4 disabled=no rule="if ( dst in 192.168.0.0/16 && dst-len >= 16 ) { reject }"
add chain=validate_route4 disabled=no rule="if ( dst in 127.0.0.0/8 && dst-len >= 8 ) { reject }"
add chain=validate_route4 disabled=no rule="if ( dst in 169.254.0.0/16 && dst-len >= 16 ) { reject }"
add chain=validate_route4 disabled=no rule="if ( dst in 172.16.0.0/12 && dst-len >= 12 ) { reject }"
add chain=validate_route4 disabled=no rule="if ( dst in 224.0.0.0/4 && dst-len >= 4 ) { reject }"
add chain=validate_route4 disabled=no rule="if ( dst in 240.0.0.0/4 && dst-len >= 4 ) { reject }"
add chain=validate_route4 disabled=no rule="if ( dst in 192.0.2.0/24 && afi ipv4 ) { reject }" comment="v4 Reject Own"
add chain=validate_route4 disabled=no rule="{ return }"

Regards,
Christopher Hawker

________________________________
From: Two Fat Monkeys - Dirk Bermingham <dirk@twofatmonkeys.com>
Sent: Monday, November 6, 2023 10:26 AM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Cc: Christopher Hawker <chris@thesysadmin.dev>
Subject: RE: Sanity Check on Route Filters
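A small offline emulator of the two chains in the reworked filter above (AS64496-V4-IN jumping into validate_route4), added here as an example to check the rule logic against sample prefixes before it goes on a router; it is not code from the thread or from RouterOS, and the prefix lists are copied from the posted rules.

```python
import ipaddress

# Constructed from the posted validate_route4 chain: (prefix, minimum dst-len).
# A route is rejected when its destination lies inside the prefix and its
# length is at least the minimum (the dst-len test is always true for a
# subnet of the prefix, so it is kept only for fidelity with the rules).
BOGONS_V4 = [
    ("10.0.0.0/8", 8), ("192.168.0.0/16", 16), ("127.0.0.0/8", 8),
    ("169.254.0.0/16", 16), ("172.16.0.0/12", 12), ("224.0.0.0/4", 4),
    ("240.0.0.0/4", 4),
]
# "v4 Reject Own" rule; 192.0.2.0/24 is the placeholder used in the thread.
OWN_V4 = ["192.0.2.0/24"]


def validate_route4(prefix: str) -> str:
    """Emulate chain=validate_route4: returns 'reject' or 'return'."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        return "return"  # every rule in the chain is IPv4-only
    for bogon, min_len in BOGONS_V4:
        if net.subnet_of(ipaddress.ip_network(bogon)) and net.prefixlen >= min_len:
            return "reject"
    for own in OWN_V4:
        if net.subnet_of(ipaddress.ip_network(own)):
            return "reject"
    return "return"  # final rule: "{ return }"


def as64496_v4_in(prefix: str) -> dict:
    """Emulate chain=AS64496-V4-IN for a route received from the route server."""
    net = ipaddress.ip_network(prefix, strict=False)
    # Rule 1: if ( dst in 0.0.0.0/0 && afi ipv4 ) { jump validate_route4 }
    if net.version == 4 and validate_route4(prefix) == "reject":
        return {"action": "reject"}
    # Rule 2: { set bgp-local-pref 200; accept } -- reached once validate_route4 returns
    return {"action": "accept", "bgp-local-pref": 200}


if __name__ == "__main__":
    # Constructed sample routes: RFC 1918, own prefix, a normal IX-learnt prefix,
    # a near-miss outside 172.16.0.0/12, and a default route.
    for p in ["10.1.0.0/24", "192.0.2.0/25", "203.0.113.0/24", "172.32.0.0/16", "0.0.0.0/0"]:
        print(f"{p:18} -> {as64496_v4_in(p)}")
```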