BGP filter with mikrotik
4 likes6,247 views
The document outlines a webinar hosted by GLC Networks on August 10, 2017, focusing on BGP (Border Gateway Protocol) filtering. It provides an overview of GLC Networks, introduces the trainer, Achmad Mardiansyah, and explains the concept of BGP, including types of peering and potential issues with routing. The training aims to educate participants on effectively setting up BGP filters to manage routing information and prevent traffic problems.
BGP filter with mikrotik
- 1. www.glcnetworks.com BGP filter GLC webinar, 10 august 2017 Achmad Mardiansyah achmad@glcnetworks.com GLC Networks, Indonesia 1
- 2. www.glcnetworks.com Agenda β Introduction β BGP β BGP filter β Demo β Q & A 2
- 3. www.glcnetworks.com What is GLC? β Garda Lintas Cakrawala (www.glcnetworks.com) β An Indonesian company β Located in Bandung β Areas: Training, IT Consulting β Mikrotik Certified Training Partner/Consultant/Distributor β Ubiquiti Certified Trainer/Consultant β RedHat Certified Trainer 3
- 4. www.glcnetworks.com About GLC webinar? β First webinar: january 1, 2010 (title: tahun baru bersama solaris - new year with solaris OS) β As a sharing event with various topics: linux, networking, wireless, database, programming, etc β Regular schedule: every 2 weeks β Irregular schedule: as needed β Checking schedule: http://www.glcnetworks.com/main/sc hedule β You are invited to be a presenter β No need to be an expert β This is a forum for sharing: knowledge, experiences, information 4
- 5. www.glcnetworks.com Trainer Introduction β Name: Achmad Mardiansyah β Base: bandung, Indonesia β Linux user (since 1999), Mikrotik user (since 2007), ubnt user (since 2011) β Certified Trainer (Mikrotik, Ubiquiti, Redhat) β Certified Consultant β Work: Telco engineer, Sysadmin, PHP programmer, and Lecturer β Personal website: http://achmadjournal.com β More info: http://au.linkedin.com/in/achmadmardiansyah 5
- 6. www.glcnetworks.com Please introduce yourself β Your name β Your company/university? β Your networking experience? β Your mikrotik experience? β Your expectation from this course? 6
- 8. www.glcnetworks.com AS and BGP β AS (Autonomous System) β Collection of routers and prefixes under single administration (can be an organisation) which also apply single routing policy β AS is identified by AS number, given by IANA via Regional Registry β BGP (Border Gateway Protocol) β A protocol that is used between AS for exchanging routing information (prefixes) β BGP see an AS as a (big) node which can forward packet based on layer 3 β 8
- 9. www.glcnetworks.com β Traditional routing: based on router HOP count β BGP routing: based on AS HOP count Traditional routing VS. BGP routing 9
- 10. www.glcnetworks.com BGP peering types: β Internal (iBGP) β peering inside AS β usually is backed-up by IGP (Interior Gateway Protocol). E.g. OSPF, RIP, EIGRP, etc β Unless route-reflector is used, every router inside AS need to setup peering each other (full-mesh peering). β External (eBGP) β Peering between AS border router During ebgp peering, each router will exchange: β Outgoing: inform own prefix to the world β Incoming: receive prefixes from other AS BGP peering 10 Other AS
- 11. www.glcnetworks.com β Announce wrong prefix β Example: AS2 announcing wrong prefix (e.g. 8.8.8.0/24) to AS5 and AS3 β Receiving wrong prefix β Example: AS3 and AS5 receiving wrong prefix (8.8.8.0/24) from AS 2 BGP peering problem (example) 11 Wrong prefix Wrong prefix Other AS
- 12. www.glcnetworks.com β Other AS (AS5, AS3, AS4, AS1) will see prefix 8.8.8.0/24 is very close to them, compared to the real AS that own that ip block β Traffic goes to 8.8.8.0/24 will be forwarded to AS2 β AS2 will receive flood of traffic β packets never reach the destination (because its landed in wrong AS) β Packets will moving around in AS2 until TTL expired -> causing congestion β Customers complain internet is slow BGP peering problem (effect) 12 Wrong prefix Wrong prefix Other AS
- 13. www.glcnetworks.com β Setup outgoing filter on AS2 β Only allow prefix that AS2 really own β Setup incoming filter on AS3 and AS5 β Only allow prefix that AS2 really own BGP FILTER is used to protect YOU from INTERNET and to protect INTERNET from YOU BGP peering problem (solution) 13 filter filter Other AS
- 14. www.glcnetworks.com BGP filter on Mikrotik 14
- 15. www.glcnetworks.com Filter on BGP peering Filter can be applied on BGP peering: - In-filter - Out-filter This is just an example only, not taken from real environment 15
- 16. www.glcnetworks.com /routing filter (outgoing) β Outgoing filter β In this example we only allow our own prefix (20.0.0.0/24) to announce it to moratel peer /routing filter add action=accept chain=moratel-out prefix=20.0.0.0/24 prefix-length=23-24 β Reject anything else /routing filter add action=reject chain=moratel-out 16
- 17. www.glcnetworks.com /routing filter (incoming) β Incoming filter β In this example: we only allow prefix 50.0.0.0/8 from moratel to enter our routing table /routing filter add action=accept chain=moratel-in prefix=50.0.0.0/8 prefix-length=8-24 β Reject anything else /routing filter add action=reject chain=moratel-in 17
- 18. www.glcnetworks.com Interested? Just come to our training... Special price for webinar attendees⦠http://www.glcnetworks.c om/main/schedule 18
- 19. www.glcnetworks.com End of slides β Thank you for your attention β Please submit your feedback: http://bit.ly/glcfeedback β Like our facebook page: βGLC networksβ β Slide: http://www.slideshare.net/r41nbuw β Recording: https://www.youtube.com/channel/UCI611_IIkQC0rsLWIFIx_yg β Stay tune with our schedule 19