BGP Bogon Prefix Filtering IPv4
Overview
Bogon filters block invalid or reserved IP address ranges, known as bogon prefixes, from propagating through a network. These prefixes are typically ranges not allocated by IANA and should never appear in the global routing table. In BGP, bogon filtering rejects such invalid routes when they arrive in updates. By default in OcNOS, BGP does not filter bogon prefixes in incoming route updates, except for Class-E experimental IPv4 addresses (240.0.0.0/4) and multicast addresses (224.0.0.0/4 and 224.0.0.0/24). The new CLI command bgp enable-bogon-filtering lets users turn this filtering on or off, adding flexibility to network security.
Feature Characteristics
OcNOS treats the following prefixes as bogons; they should not be routed on the Internet:
• 0.0.0.0/8: Reserves addresses for special use, typically for traffic from hosts without an assigned IP address.
• 127.0.0.0/8: Reserves addresses for loopback, used for internal host communication.
• 192.0.0.0/24: Reserves addresses for IETF Protocol Assignments.
• 192.0.2.0/24: Reserves addresses for documentation and examples.
BOGON and Class-E Experimental Address Range
240.0.0.0/4: Class-E addresses, reserved for experimental purposes. Avoid using them in production environments.
Note:
• Changes to the BGP bogon filtering policy (filtering or allowing prefixes) apply only to new incoming updates. The system does not re-evaluate prefixes it previously filtered or allowed. After changing the BGP bogon filtering configuration, it is recommended to perform a hard reset of BGP or reboot the device.
• No filtering applies to IPv6 prefixes, as BGP allows all IPv6 prefixes by default.
Benefits
Security: Enabling bogon prefix filtering improves network security by preventing the propagation of invalid or reserved IP addresses.
Flexibility: The option to enable or disable filtering provides network administrators control over BGP route updates.
Compliance: Ensures adherence to best practices by allowing for the exclusion of non-routable IP address ranges.
Prerequisites
Based on the running configuration provided for R1 and R2, configure BGP between two routers (R1 and R2) with the same Autonomous System (AS) number and IPv4 unicast address family. This configuration allows both routers to establish a BGP session and exchange routes.
R1#show running-config
!
hostname R1
!
ip vrf management
!
interface eth0
ip vrf forwarding management
ip address dhcp
!
interface lo
ip address 127.0.0.1/8
ipv6 address ::1/128
!
interface lo.management
ip vrf forwarding management
ip address 127.0.0.1/8
ipv6 address ::1/128
!
interface xe27
ip address 100.1.1.1/24
!
router bgp 100
neighbor 100.1.1.2 remote-as 100
!
address-family ipv4 unicast
redistribute static
neighbor 100.1.1.2 activate
exit-address-family
!
exit
!
!
end
R2#show running-config
!
hostname R2
!
ip vrf management
!
interface eth0
ip vrf forwarding management
ip address dhcp
!
interface lo
ip address 127.0.0.1/8
ipv6 address ::1/128
!
interface lo.management
ip vrf forwarding management
ip address 127.0.0.1/8
ipv6 address ::1/128
!
interface xe27
ip address 100.1.1.2/24
!
router bgp 100
neighbor 100.1.1.1 remote-as 100
!
address-family ipv4 unicast
neighbor 100.1.1.1 activate
exit-address-family
!
exit
!
!
end
Configuration
Use the configuration below to make the OcNOS routers filter out bogon prefixes, preventing the routing of invalid or reserved IP addresses.
Topology
Two routers (R1 and R2) connect via interface xe27, using the same AS number (AS 100), to establish a BGP session and exchange routes within the IPv4 unicast address family.
BGP Bogon Filter
Configure Invalid IP Addresses on R1 and R2
• Configure the invalid (bogon) routes before enabling BGP bogon filtering:
R2(config)#ip route 12.0.0.0/8 xe27
R2(config)#ip route 192.0.0.0/24 xe27 << Bogon prefixes
• Verify the injected routes (12.0.0.0/8 and 192.0.0.0/24) in the BGP table.
R2#show ip bgp
BGP table version is 6, local router ID is 100.1.1.2
Status codes: s suppressed, d damped, h history, a add-path, b back-up, * valid, > best, i - internal,
l - labeled, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 12.0.0.0 0.0.0.0 0 100 32768 ?
*> 192.0.0.0 0.0.0.0 0 100 32768 ?
Total number of prefixes 2
R2#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2,
ia - IS-IS inter area, E - EVPN,
v - vrf leaked
* - candidate default
IP Route Table for VRF "default"
S 12.0.0.0/8 [1/0] is directly connected, xe27, installed 00:07:25, last update 00:07:25 ago
C 100.1.1.0/24 is directly connected, xe27, installed 00:10:25, last update 00:10:25 ago
C 127.0.0.0/8 is directly connected, lo, installed 00:57:51, last update 00:57:51 ago
S 192.0.0.0/24 [1/0] is directly connected, xe27, installed 00:07:25, last update 00:07:25 ago
Gateway of last resort is not set
Enable BGP Bogon Filtering on R1 and R2
Enable the bogon filtering command to block invalid prefixes. This command automatically removes invalid or reserved prefixes from the BGP table.
R2(config)#bgp enable-bogon-filtering
Validation
Verify the 192.0.0.0/24 bogon prefix is removed from the BGP table.
R2#show ip bgp
BGP table version is 7, local router ID is 100.1.1.2
Status codes: s suppressed, d damped, h history, a add-path, b back-up, * valid, > best, i - internal,
l - labeled, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 12.0.0.0 0.0.0.0 0 100 32768 ?
Total number of prefixes 1
R2#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2,
ia - IS-IS inter area, E - EVPN,
v - vrf leaked
* - candidate default
IP Route Table for VRF "default"
S 12.0.0.0/8 [1/0] is directly connected, xe27, installed 00:07:25, last update 00:07:25 ago
C 100.1.1.0/24 is directly connected, xe27, installed 00:10:25, last update 00:10:25 ago
C 127.0.0.0/8 is directly connected, lo, installed 00:57:51, last update 00:57:51 ago
Gateway of last resort is not set
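To make the filtering decision concrete, the following is an added Python example (not OcNOS code) that classifies the static prefixes from the R2 show ip route output above against the bogon list from Feature Characteristics. The match rule (a prefix is rejected when it is equal to or more specific than a bogon range) and the parsing of the route lines are assumptions, since the page does not describe how OcNOS matches internally.

```python
import ipaddress
import re

# Bogon ranges listed on this page, plus the Class-E and multicast ranges
# the page says OcNOS filters even with the feature disabled.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "127.0.0.0/8", "192.0.0.0/24", "192.0.2.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Assumed layout of a 'show ip route' entry: route code, then prefix/len,
# e.g. 'S    12.0.0.0/8 [1/0] is directly connected, xe27, ...'
ROUTE_LINE = re.compile(r"^([A-Z]\*?|\*)\s+(\d+\.\d+\.\d+\.\d+/\d+)")


def matching_bogon(prefix):
    """Return the bogon range covering `prefix`, or None if it is routable.

    Assumption (not stated on the page): a prefix is filtered when it is
    equal to or more specific than a bogon range, like a prefix-list 'le 32'.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:          # page: no filtering applies to IPv6
        return None
    return next((b for b in BOGON_PREFIXES if net.subnet_of(b)), None)


def static_prefixes(show_ip_route):
    """Pull the static ('S') prefixes out of 'show ip route' output."""
    found = []
    for line in show_ip_route.splitlines():
        m = ROUTE_LINE.match(line.strip())
        if m and m.group(1) == "S":
            found.append(m.group(2))
    return found


def apply_bogon_filter(prefixes):
    """Split prefixes into (accepted, rejected) as bogon filtering would."""
    accepted, rejected = [], []
    for p in prefixes:
        (rejected if matching_bogon(p) else accepted).append(p)
    return accepted, rejected


# Constructed sample, copied from the R2 output shown on this page.
SAMPLE_SHOW_IP_ROUTE = """\
S    12.0.0.0/8 [1/0] is directly connected, xe27, installed 00:07:25
C    100.1.1.0/24 is directly connected, xe27, installed 00:10:25
C    127.0.0.0/8 is directly connected, lo, installed 00:57:51
S    192.0.0.0/24 [1/0] is directly connected, xe27, installed 00:07:25
"""

if __name__ == "__main__":
    kept, dropped = apply_bogon_filter(static_prefixes(SAMPLE_SHOW_IP_ROUTE))
    print("accepted:", kept, "rejected:", dropped)
```

Running it reproduces the validation result above: 12.0.0.0/8 stays and 192.0.0.0/24 is rejected because it falls inside the 192.0.0.0/24 bogon range.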
BGP Bogon Prefix Filtering Command
The bogon prefix filtering feature introduces the following configuration command:
bgp enable-bogon-filtering
Use this command to enable or disable the filtering of bogon prefixes from NLRIs in incoming BGP updates.
Command Syntax
bgp enable-bogon-filtering
Parameters
None
Default
Disabled.
Command Mode
Configure mode
Applicability
Introduced in OcNOS version 6.5.3.
Example
In OcNOS, enable BGP bogon filtering and perform a hard reset or device reboot as recommended.
OcNOS#configure terminal
OcNOS(config)#bgp enable-bogon-filtering
OcNOS(config)#commit
2098 Apr 24 21:11:07.665 : OcNOS : BGP : CRITI : % Changing the bogon filter does not automatically refresh the permitted/filtered routes. A hard reset or device reboot is recommended.
Glossary
The following provides definitions for key terms or abbreviations and their meanings used throughout this document:
Key Terms/Acronym | Description |
Bogon Filter | A mechanism that blocks invalid or reserved IP addresses, known as Bogon prefixes, from entering a network through routing updates. |
Bogon Prefix | IP address ranges that are not allocated by IANA and should not appear in the global routing table. |
Internet Assigned Numbers Authority (IANA) | The organization responsible for allocating global IP addresses and managing other critical Internet resources. |
Autonomous System (AS) | A collection of IP networks managed by a single entity that presents a unified routing policy to the Internet. |