BGP Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Releases

Martian address checks

Updated: February 28, 2026

Want to summarize with AI?

On this page

Overview

Examples
Restrictions:
Disable the Martian address check in BGP

Overview

Explains Martian address checks for identifying invalid BGP addresses and details procedures to disable Martian address checks in BGP when necessary for specific scenarios.

A Martian address check is a router security feature that

prevents routers from accepting packets with reserved or illogical IP address prefixes
is applied by default in BGP configurations to drop packets originating from Martian addresses, and
can be disabled to allow routers to process routes from specific sites using designated IPv4 or IPv6 prefixes.

Examples

Martian addresses are reserved or undefined IP address ranges that should not appear in legitimate internet routing tables. Filtering these addresses improves network security by helping ensure that only valid, routable addresses are accepted during routing.

Common Martian address prefixes include:

IPv4:
- 0.0.0.0/8
- 127.0.0.0/8
- 224.0.0.0/4
IPv6:
- ::
- ::0002 through ::ffff
- ::ffff:a.b.c.d
- fe80:xxxx
- ffxx:xxxx

Restrictions:

Routers running OSPF or IS-IS protocols cannot access routes with Martian address prefixes, even if the Martian address check is disabled.

Disable the Martian address check in BGP

By default, Cisco routers drop routes and packets with Martian (reserved or unusual) IP prefixes during BGP operations. You may need to override this security check to allow routing for certain special network scenarios.

Before you begin

Make sure you have console or privileged EXEC access to the Cisco 8000 Series Router.

Procedure

Enter router BGP configuration mode, and use the default-martian-check disable command to disable the Martian address check.

Example:

Router# configure
Router(config)# router bgp 100
Router(config-bgp)# address-family ipv4 unicast
Router(config-bgp-af)# default-martian-check disable
Router(config-bgp-af)# commit

Use the show bgp ipv4 unicast command or show bgp ipv6 unicast command to check whether the Martian address check is enabled or disabled in your BGP configuration.

Example:

Router# show bgp ipv6 unicast
BGP router identifier 10.2.2.1, local AS number 1
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0xe0800000 RD version: 29
BGP main routing table version 29
BGP NSR Initial initsync version 4 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
Dampening enabled
BGP scan interval 60 secs

Status codes: s suppressed, d damped, h history, * valid, > best
i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
Network                   Next Hop           Metric   LocPrf     Weight Path
*>i::/0               1:1:1:1:1:1:1:1         100        0            i
* i192:1::/112        1.1.1.1                   0      100            0 ?
*>i                   1:1:1:1:1:1:1:1           0      100            0 ?
* iff11:1123::/64     1.1.1.1                   2      100            0 ?
*>i                   1:1:1:1:1:1:1:1           2      100            0 ?

Need help?

Open a support case

(Requires a Cisco Service Contract)

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.