Get IPv4 BGP best practices right and you sleep better. Get them wrong and you know the drill: outages, route leaks, the works. For network engineers and IT managers, the Border Gateway Protocol is essentially the glue holding the internet together. But it’s fragile. This guide cuts through the theory to give you actionable advice on optimizing your configuration for IPv4 blocks, keeping your enterprise network from becoming a case study.

Planning and Preparation

Don’t touch a command line yet. Proper planning comes first. It starts with your IP space—how you acquire it and how you manage it. Maybe you’re bringing your own addresses (BYOIP) to a cloud setup, or perhaps you’re establishing multi-homing with different ISPs. Either way, the cleanliness of your IPv4 block is non-negotiable.

Tip: Check your registration. Make sure your IPv4 addresses are correctly registered in regional internet registries (RIRs) like ARIN, RIPE, or APNIC. Bad WHOIS data? Upstream providers will filter you, and it’s a headache to fix.

Expanding the network often means acquiring more blocks. It’s a messy market. Working with a trusted marketplace like IP4 Market simplifies this. You get verified blocks from reputable sellers, which streamlines the transfer process and, honestly, saves you from the nightmare of administrative rejection during the RIR transfer.

Security and Authentication

Security is the bedrock of IPv4 BGP Best Practices. Let’s be honest: BGP was designed in a trusting era. The internet isn’t like that anymore. You need rigid controls to stop route hijacking and unauthorized peering before they start.

TTL Security and MD5

Some of the best fixes are the oldest ones. Enable TCP MD5 signatures for your BGP sessions. It adds a cryptographic checksum to the segments. Spoofed TCP packets can’t tear down a session if they don’t have the key.

Then, turn on TTL Security (BGP TTL Security Check). Standard EBGP sends packets with a TTL of 1. With TTL Security, both peers send with a TTL of 255, the maximum, and drop anything that arrives with less. Every router hop decrements the TTL, so a packet that still reads 255 must have originated from a directly connected neighbor. It shuts down remote attackers trying to inject routes.

Warning: Don’t get lazy with security. Plain BGP communities aren’t enough. Implement MD5 passwords and, if your hardware supports it, use TCP-AO (TCP Authentication Option) key chains. It’s worth the extra config time.

Route Filtering and Policy

You have to filter. It’s that simple. Otherwise, you risk becoming a transit for traffic you shouldn’t carry, or worse, accepting bogus routes from the wild west of the internet.

Inbound Filtering

Be strict about what you accept from peers. Use prefix-lists to force your ISP to send only what they’re supposed to.

  • Max-length: If you own a /24, don’t let your ISP send you a /23 or a /25 of that space. It breaks things.
  • RFC 1918 Filtering: Explicitly deny private ranges (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12) from external peers. They shouldn’t be there.
  • Bogon Filtering: Drop routes that have no business on the internet (martian addresses).
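
The three inbound rules above, written out as a check you can run over a list of received prefixes. This is an added example, not a vendor configuration from the original article; the own prefix, the bogon subset, the /24 length limit, the rejection of the exact own prefix and the name check_inbound are assumptions made for illustration.

```python
import ipaddress

Net = ipaddress.IPv4Network

# RFC 1918 ranges listed above.
RFC1918 = [Net(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Illustrative subset of martian space, not a complete bogon list. Documentation
# ranges are left out because they stand in for public prefixes in this example.
BOGONS = [Net(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                           "224.0.0.0/4", "240.0.0.0/4")]
# Constructed: the /24 this AS originates.
OWN_PREFIXES = [Net("203.0.113.0/24")]
# Assumption: /24 is the longest IPv4 prefix accepted from a peer.
MAX_LEN = 24


def check_inbound(prefix, accept_default=False):
    """Return (accepted, reason) for one prefix received from an external peer."""
    net = Net(prefix)
    if net.prefixlen == 0:
        # A default route covers everything, so decide on it explicitly.
        return accept_default, "default-route"
    if any(net.subnet_of(block) for block in RFC1918):
        return False, "rfc1918"
    if any(net.subnet_of(block) for block in BOGONS):
        return False, "bogon"
    # Own space should not come back from a peer: a covering /23 and a more
    # specific /25 both overlap it. Assumption: the exact /24 is refused too.
    if any(net.overlaps(own) for own in OWN_PREFIXES):
        return False, "own-space"
    if net.prefixlen > MAX_LEN:
        return False, "too-specific"
    return True, "ok"


# Constructed sample of prefixes received from an upstream.
RECEIVED = ["198.51.100.0/24", "10.1.0.0/16", "127.0.0.0/8",
            "203.0.112.0/23", "203.0.113.0/25", "198.51.100.128/25"]

if __name__ == "__main__":
    for received in RECEIVED:
        print(received, check_inbound(received))
```
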

Outbound Filtering

Be a good neighbor. Advertise only the prefixes you actually own.

  • Prefix Summarization: Advertise aggregates where possible. It keeps the global routing tables manageable.
  • No Export: Make sure your customers aren’t using your network as a free ride to your other upstream providers, unless they paid for transit.

Filter Type    | Purpose                               | Recommendation
Prefix-list    | Permits/Denies specific IP prefixes   | Use for both inbound and outbound prefix limits.
Route-map      | Modifies attributes (Local Pref, MED) | Use for influencing path selection and tagging routes.
AS-path Filter | Filtering based on AS number path     | Use to prevent accepting routes containing your own ASN.

Optimizing Route Selection

BGP path selection is a beast. It uses a complex algorithm of attributes. If you’re multi-homed, you need to ensure your traffic is actually using the most efficient exit point, not just the first one it sees.

Local Preference

The Local Preference (Local Pref) is the heavy hitter for outbound traffic inside your Autonomous System (AS). It’s standard IPv4 BGP Best Practice to use Local Pref to dictate which ISP handles your traffic.

Here’s a common setup: set a higher Local Pref (say, 100) on routes from your primary ISP—the cheaper or faster one. Set a lower one (like 50) on the backup. Traffic flows out the primary pipe. If that fails, you flip to the backup.

MED and AS-Path Prepending

Local Pref controls how you leave. MED (Multi-Exit Discriminator) and AS-Path Prepending? Those control how you come in.

  • MED: This suggests to a neighbor how to enter your AS. Use it when you have multiple connections to the same ISP.
  • AS-Path Prepending: You make your route look “longer” by adding your own ASN multiple times. It’s a hack, but it works to de-prioritize a link for inbound traffic from a different ISP.

Tip: When you grab new IPv4 blocks from a place like IP4 Market, check the reputation. You don’t want blacklisted IPs. Clean reputation means other ISPs will accept your routes without filtering them out due to past abuse.

Monitoring and Validation

Configuration isn’t a “set it and forget it” task. Anyone who tells you otherwise is selling something. You need continuous monitoring to keep things honest.

RPKI (Resource Public Key Infrastructure)

RPKI is quickly becoming the industry standard. It cryptographically signs route origins so routers can validate that an ISP is actually authorized to advertise a specific prefix.

Deploy RPKI validation on your edge routers. Configure the network to drop “Invalid” routes. It’s one of the most effective shields against route hijacks targeting your IPv4 blocks.
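
How a validating router classifies a route before the drop policy applies, following the origin validation procedure of RFC 6811. This is an added example, not code from the original article; the ROA entries, prefixes, ASNs and function names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str      # prefix the holder authorised
    max_length: int  # longest announcement the holder allows
    asn: int         # origin AS authorised to announce it


def validate_origin(route_prefix, origin_asn, roas):
    """Classify a route as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.IPv4Network(route_prefix)
    covered = False
    for roa in roas:
        if not route.subnet_of(ipaddress.IPv4Network(roa.prefix)):
            continue  # this ROA says nothing about the route
        covered = True
        # AS 0 in a ROA means "nobody may originate this", so it never matches.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA but matched by none: wrong origin or too specific.
    return "invalid" if covered else "not-found"


def accepted_routes(routes, roas):
    """Apply the policy from the text: drop 'invalid', keep everything else."""
    return [r for r in routes if validate_origin(r[0], r[1], roas) != "invalid"]


# Constructed ROA set and received routes (documentation prefixes and ASNs).
ROAS = [ROA("203.0.113.0/24", 24, 64500),
        ROA("198.51.100.0/24", 24, 64501)]
ROUTES = [("203.0.113.0/24", 64500),   # matches its ROA
          ("203.0.113.0/24", 64511),   # wrong origin AS
          ("203.0.113.0/25", 64500),   # more specific than max_length
          ("192.0.2.0/24", 64502)]     # no covering ROA

if __name__ == "__main__":
    for prefix, asn in ROUTES:
        print(prefix, asn, validate_origin(prefix, asn, ROAS))
```

The /25 from the correct origin AS is still Invalid because it exceeds the ROA's maximum length, which is why a tight max length also protects against more-specific hijacks.
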

Looking Glasses and Route Collectors

Get into the habit of checking external looking glass servers. See how the internet views your prefixes. Ensure your announcements are propagating globally and aren’t getting filtered because of malformed attributes.

Frequently Asked Questions

Q: Do I need a Public ASN to configure BGP?
A: Yes. For direct public internet peering, you need a Public ASN (2-byte or 4-byte) and provider-independent (PI) IP space. Or, provider-aggregable (PA) space, but only with your ISP’s permission.

Q: Can I use BGP for internal routing?
A: You can. iBGP is used within an AS, often in large enterprises or MPLS VPNs. That said, OSPF or IS-IS usually wins out for internal topology because they converge faster.

Conclusion

Mastering IPv4 BGP Best Practices isn’t a destination; it’s an ongoing process. It takes rigorous security, precise filtering, and smart traffic engineering. As the IPv4 space dries up and the value of clean blocks goes up, keeping your routing environment stable is more critical than ever.

Whether you’re expanding or swapping out hardware, sourcing your infrastructure from verified partners like IP4 Market gives you a solid foundation. Stick to these guidelines, and you keep your network resilient, secure, and running fast.

ip4.market Team

Expert content on IPv4 leasing, IP address management, and network infrastructure from the ip4.market team.