Managing CE eBGP details & common/accepted CE-facing BGP practices

Justin Shore justin at
Sun Dec 21 01:22:41 UTC 2008

Does anyone have any preferred ways to manage their customer-facing BGP 
details?  I'm thinking about the customer's ASN (SP assigned private ASN 
or RIR assigned ASN), permitted prefixes, etc?  While I'm sure this 
could be easily stored in a spreadsheet I'm not sure if there is any 
merit to storing some of these details outside of the configuration on 
the PE (assuming of course that the PE's config is regularly archived). 
Now if the PE's BGP config was auto-generated via a script then it 
would make sense for all the details to be stored off in a DB in the 
NOC.  Beyond that, is there a good reason to archive it in a textual 
format off of the PE, and if there is a sound reason to do it, is there a 
good or preferred way to accomplish this?

We're moving beyond our typical residential and very small SMB service 
to larger customers over the next few months.  These areas have larger, 
more advanced customers and I'm sure we'll run into multi-homed 
environments and customers who will expect BGP peering options.  I would 
like to be prepared with sound practices before we get our first 
customer that wants to get a default route via BGP, wants full tables, 
or has their own ASN and is bringing their own PI space with them.  Some 
of this of course implies multiple processes to confirm that the ASN 
belongs to the customer in question, that the PI space belongs to the 
customer in question, notifying our upstreams to accept the customer's 
PI space, etc.  It's hammering out the scalable and best practice config 
details that I'm concerned with at the moment.

When assigning private ASNs to customers, are there any gotchas to be 
aware of?  Is it possible to use the same private ASN for more than one 
customer on the same PE?

What are common and accepted CE-facing BGP practices?  MD5 AUTH, GTSM, 
max prefix limits?  Which is preferred, route-maps or prefix-lists for 
controlling advertised and/or received routes?  Do any SPs utilize 
AS-Path ACLs to check that prefixes from a customer's ASN are claimed 
to originate from there?  Are there any SPs out there offering BFD 
support for BGP or CE-facing peering sessions?

Should we have the customer announce their PA space to us or do we 
advertise it for them (redist a static)?  Do SPs restrict access to 
tcp/179 on the CE from the Internet in the CE-facing ACL?  Do SPs block 
access to the PE-CE subnet from the outside world like what was 
described in the Router Security Strategies book (pages 189-193)?  What 
about dropping incoming traffic to everything but the CE IP?

While I don't predict our CE-facing BGP load to be terribly significant 
at this point, I would like to establish sound practices now rather than 
down the road once we're neck deep in temporary production workarounds.

Is there any consensus on what's best practice for CE-facing BGP?  I 
imagine most SP engineers' BGP practices could be better equated to a 
religious holy war on par with Chevy vs Ford or Mac vs PC.  I would be 
interested in hearing what they are though and learning from the group's 

