{"id":436,"date":"2026-06-27T10:18:17","date_gmt":"2026-06-27T10:18:17","guid":{"rendered":"https:\/\/ip4.market\/blog\/436-2\/"},"modified":"2026-06-27T10:18:18","modified_gmt":"2026-06-27T10:18:18","slug":"ipv4-bgp-best-practices-a-configuration-guide","status":"publish","type":"post","link":"https:\/\/ip4.market\/blog\/ipv4-bgp-best-practices-a-configuration-guide\/","title":{"rendered":"IPv4 BGP Best Practices: A Configuration Guide"},"content":{"rendered":"

Run IPv4 BGP Best Practices<\/strong> right and you sleep better. Get them wrong, and well\u2014you know the drill. Outages, route leaks, the works. For network engineers and IT managers, the Border Gateway Protocol is essentially the glue holding the internet together. But it\u2019s fragile. This guide cuts through the theory to give you actionable advice on optimizing your configuration for IPv4 blocks, keeping your enterprise network from becoming a case study.<\/p>\n

\nIn this article:<\/strong><\/p>\n
    \n
  1. Planning and Preparation<\/a><\/li>\n
  2. Security and Authentication<\/a><\/li>\n
  3. Route Filtering and Policy<\/a><\/li>\n
  4. Optimizing Route Selection<\/a><\/li>\n
  5. Monitoring and Validation<\/a><\/li>\n<\/ol>\n<\/div>\n

    Planning and Preparation<\/h2>\n

    Don’t touch a command line yet. Proper planning comes first. It starts with your IP space\u2014how you acquire it and how you manage it. Maybe you’re bringing your own addresses (BYOIP) to a cloud setup, or perhaps you’re establishing multi-homing with different ISPs. Either way, the cleanliness of your IPv4 block is non-negotiable.<\/p>\n

    \nTip:<\/strong> Check your registration. Make sure your IPv4 addresses are correctly registered in regional internet registries (RIRs) like ARIN, RIPE, or APNIC. Bad WHOIS data? Upstream providers will filter you, and it\u2019s a headache to fix.\n<\/div>\n

    Expanding the network often means acquiring more blocks. It’s a messy market. Working with a trusted marketplace like IP4 Market<\/a> simplifies this. You get verified blocks from reputable sellers, which streamlines the transfer process and, honestly, saves you from the nightmare of administrative rejection during the RIR transfer.<\/p>\n

    Security and Authentication<\/h2>\n

    Security is the bedrock of IPv4 BGP Best Practices<\/strong>. Let’s be honest: BGP was designed in a trusting era. The internet isn’t like that anymore. You need rigid controls to stop route hijacking and unauthorized peering before they start.<\/p>\n

    TTL Security and MD5<\/h3>\n

    Some of the best fixes are the oldest ones. Enable TCP MD5 signatures for your BGP sessions. It adds a cryptographic checksum to the segments. Spoofed TCP packets can’t tear down a session if they don’t have the key.<\/p>\n

    Then, turn on TTL Security (BGP TTL Security Check). Standard EBGP uses a TTL of 1. TTL Security checks for a TTL of 255\u2014the maximum. This means the packet must have originated from a directly connected neighbor. It shuts down remote attackers trying to inject routes.<\/p>\n

    \nWarning:<\/strong> Don’t get lazy with security. Plain BGP communities aren’t enough. Implement MD5 passwords and, if your hardware supports it, use AO (Authentication Option) key chains. It’s worth the extra config time.\n<\/div>\n

    Route Filtering and Policy<\/h2>\n

    You have to filter. It\u2019s that simple. Otherwise, you risk becoming a transit for traffic you shouldn’t carry, or worse, accepting bogus routes from the wild west of the internet.<\/p>\n

    Inbound Filtering<\/h3>\n

    Be strict about what you accept from peers. Use prefix-lists to force your ISP to send only what they’re supposed to.<\/p>\n

      \n
    • Max-length:<\/strong> If you own a \/24, don’t let your ISP send you a \/23 or a \/25 of that space. It breaks things.<\/li>\n
    • RFC 1918 Filtering:<\/strong> Explicitly deny private ranges (10.0.0.0\/8, 192.168.0.0\/16, 172.16.0.0\/12) from external peers. They shouldn’t be there.<\/li>\n
    • Bogon Filtering:<\/strong> Drop routes that have no business on the internet (martian addresses).<\/li>\n<\/ul>\n

      Outbound Filtering<\/h3>\n

      Be a good neighbor. Advertise only the prefixes you actually own.<\/p>\n

        \n
      • Prefix Summarization:<\/strong> Advertise aggregates where possible. It keeps the global routing tables manageable.<\/li>\n
      • No Export:<\/strong> Make sure your customers aren’t using your network as a free ride to your other upstream providers, unless they paid for transit.<\/li>\n<\/ul>\n
        \n\n\n\n\n\n\n\n
        Filter Type<\/th>\nPurpose<\/th>\nRecommendation<\/th>\n<\/tr>\n<\/thead>\n
        Prefix-list<\/td>\nPermits\/Denies specific IP prefixes<\/td>\nUse for both inbound and outbound prefix limits.<\/td>\n<\/tr>\n
        Route-map<\/td>\nModifies attributes (Local Pref, MED)<\/td>\nUse for influencing path selection and tagging routes.<\/td>\n<\/tr>\n
        AS-path Filter<\/td>\nFiltering based on AS number path<\/td>\nUse to prevent accepting routes containing your own ASN.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

        Optimizing Route Selection<\/h2>\n

        BGP path selection is a beast. It uses a complex algorithm of attributes. If you’re multi-homed, you need to ensure your traffic is actually using the most efficient exit point, not just the first one it sees.<\/p>\n

        Local Preference<\/h3>\n

        The Local Preference<\/strong> (Local Pref) is the heavy hitter for outbound traffic inside your Autonomous System (AS). It’s standard IPv4 BGP Best Practice<\/strong> to use Local Pref to dictate which ISP handles your traffic.<\/p>\n

        Here’s a common setup: set a higher Local Pref (say, 100) on routes from your primary ISP\u2014the cheaper or faster one. Set a lower one (like 50) on the backup. Traffic flows out the primary pipe. If that fails, you flip to the backup.<\/p>\n

        MED and AS-Path Prepending<\/h3>\n

        Local Pref controls how you leave. MED (Multi-Exit Discriminator)<\/strong> and AS-Path Prepending<\/strong>? Those control how you come in.<\/p>\n

          \n
        • MED:<\/strong> This suggests to a neighbor how to enter your AS. Use it when you have multiple connections to the same<\/em> ISP.<\/li>\n
        • AS-Path Prepending:<\/strong> You make your route look “longer” by adding your own ASN multiple times. It\u2019s a hack, but it works to de-prioritize a link for inbound traffic from a different ISP.<\/li>\n<\/ul>\n
          \nTip:<\/strong> When you grab new IPv4 blocks from a place like IP4 Market, check the reputation. You don’t want blacklisted IPs. Clean reputation means other ISPs will accept your routes without filtering them out due to past abuse.\n<\/div>\n

          Monitoring and Validation<\/h2>\n

          Configuration isn’t a “set it and forget it” task. Anyone who tells you otherwise is selling something. You need continuous monitoring to keep things honest.<\/p>\n

          RPKI (Resource Public Key Infrastructure)<\/h3>\n

          RPKI is quickly becoming the industry standard. It cryptographically signs route origins so routers can validate that an ISP is actually authorized to advertise a specific prefix.<\/p>\n

          Deploy RPKI validation on your edge routers. Configure the network to drop “Invalid” routes. It’s one of the most effective shields against route hijacks targeting your IPv4 blocks.<\/p>\n

          Looking Glasses and Route Collectors<\/h3>\n

          Get into the habit of checking external looking glass servers. See how the internet views your prefixes. Ensure your announcements are propagating globally and aren’t getting filtered because of malformed attributes.<\/p>\n

          \n

          Frequently Asked Questions<\/h3>\n

          Q: Do I need a Public ASN to configure BGP?<\/strong>
          \nA: Yes. For direct public internet peering, you need a Public ASN (2-byte or 4-byte) and provider-independent (PI) IP space. Or, provider-aggregable (PA) space, but only with your ISP’s permission.<\/p>\n

          Q: Can I use BGP for internal routing?<\/strong>
          \nA: You can. iBGP is used within an AS, often in large enterprises or MPLS VPNs. That said, OSPF or IS-IS usually wins out for internal topology because they converge faster.<\/p>\n<\/div>\n

          Conclusion<\/h2>\n

          Mastering IPv4 BGP Best Practices<\/strong> isn’t a destination; it’s an ongoing process. It takes rigorous security, precise filtering, and smart traffic engineering. As the IPv4 space dries up and the value of clean blocks goes up, keeping your routing environment stable is more critical than ever.<\/p>\n

          Whether you’re expanding or swapping out hardware, sourcing your infrastructure from verified partners like IP4 Market<\/strong> gives you a solid foundation. Stick to these guidelines, and you keep your network resilient, secure, and running fast.<\/p>\n","protected":false},"excerpt":{"rendered":"

          Run IPv4 BGP Best Practices right and you sleep better. Get them wrong, and well\u2014you know the drill. Outages, route leaks, the works. For network engineers and IT managers, the…<\/p>\n","protected":false},"author":1,"featured_media":438,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-436","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-networking"],"_links":{"self":[{"href":"https:\/\/ip4.market\/blog\/wp-json\/wp\/v2\/posts\/436","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ip4.market\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ip4.market\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ip4.market\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ip4.market\/blog\/wp-json\/wp\/v2\/comments?post=436"}],"version-history":[{"count":1,"href":"https:\/\/ip4.market\/blog\/wp-json\/wp\/v2\/posts\/436\/revisions"}],"predecessor-version":[{"id":437,"href":"https:\/\/ip4.market\/blog\/wp-json\/wp\/v2\/posts\/436\/revisions\/437"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ip4.market\/blog\/wp-json\/wp\/v2\/media\/438"}],"wp:attachment":[{"href":"https:\/\/ip4.market\/blog\/wp-json\/wp\/v2\/media?parent=436"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ip4.market\/blog\/wp-json\/wp\/v2\/categories?post=436"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ip4.market\/blog\/wp-json\/wp\/v2\/tags?post=436"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}