Level: ★★☆ Intermediate · Category: Routing & Switching
Tags: BGP, Routing, Security, Enterprise

BGP Route Filtering Best Practices for Enterprise Networks

June 15, 2024 · 3 min read

Introduction

Border Gateway Protocol (BGP) is the routing protocol that powers the internet. In enterprise environments, BGP is commonly used for ISP peering, data center interconnects, and SD-WAN overlays. However, improper BGP configuration can lead to route leaks, suboptimal routing, or even full network outages affecting thousands of users.

In this article, I'll share battle-tested BGP route filtering practices based on 8+ years managing global enterprise networks across 40+ countries.

Why BGP Route Filtering Matters

BGP accepts and redistributes routes by default. Without proper filtering:

  • Route leaks can accidentally advertise internal prefixes to the internet
  • Accepting every route a peer sends exposes you to deaggregated (overly specific) or bogon prefixes
  • Without maximum-prefix limits, a misconfigured or malicious peer can exhaust your RIB

I've personally resolved two Severity-1 outages caused by route leaks in ISP peering sessions. Both were preventable with proper filtering.

Core Filtering Strategies

1. Prefix Lists Over Route Maps

Always use prefix-lists for prefix matching; they are significantly more efficient than route-maps for this purpose, and they support length ranges with ge/le:

ip prefix-list PEER-IN seq 10 deny 0.0.0.0/8 le 32
ip prefix-list PEER-IN seq 20 deny 10.0.0.0/8 le 32
ip prefix-list PEER-IN seq 30 deny 172.16.0.0/12 le 32
ip prefix-list PEER-IN seq 40 deny 192.168.0.0/16 le 32
ip prefix-list PEER-IN seq 50 deny 0.0.0.0/0
ip prefix-list PEER-IN seq 60 permit 0.0.0.0/0 le 24
!
router bgp 65000
 neighbor 203.0.113.1 prefix-list PEER-IN in

Entries are evaluated in sequence order and the list ends with an implicit deny, so besides the RFC 1918 space and the default route, anything longer than a /24 is also dropped by this list.

2. Maximum Prefix Limits

Always configure maximum-prefix on all BGP peers:

router bgp 65000
 neighbor 203.0.113.1 maximum-prefix 1000 80 warning-only

This provides early warning when a peer starts advertising unexpectedly: the router logs a message once the peer reaches 80% of the 1000-prefix threshold and again when it crosses it. Note that with warning-only the session stays up; to actually prevent route table overflow, omit warning-only so the session is torn down when the limit is exceeded, optionally with restart <minutes> to bring it back automatically.

3. RPKI for Route Origin Validation

Resource Public Key Infrastructure (RPKI) allows you to validate that a BGP route originated from an authorized AS. On Cisco IOS-XE:

router bgp 65000
 bgp rpki server tcp 192.0.2.1 port 3323 refresh 60
 !
 neighbor 203.0.113.1 route-map RPKI-VALIDATE in
!
! Route-map referenced above (not shown in the original snippet): drop RPKI-invalid routes, accept the rest
route-map RPKI-VALIDATE deny 10
 match rpki invalid
route-map RPKI-VALIDATE permit 20

Outbound Filtering

Never forget outbound filtering. Only advertise what you own:

ip prefix-list OUR-PREFIXES seq 10 permit 198.51.100.0/22 le 24
!
route-map ADVERTISE-OUT permit 10
 match ip address prefix-list OUR-PREFIXES
!
router bgp 65000
 neighbor 203.0.113.1 route-map ADVERTISE-OUT out

Because the route-map ends with an implicit deny, anything not covered by OUR-PREFIXES (including routes learned from another peer or redistributed from an IGP) is never sent to the neighbor.

Conclusion

BGP filtering is not optional in production environments. A few lines of configuration can prevent catastrophic route leaks and protect your network's stability. Combined with RPKI and strict peer policies, you'll dramatically reduce your blast radius in case of upstream issues.

In my next post, I'll cover BGP communities and traffic engineering for multi-homed enterprises.