[nsp] BGP aggr and cust prefix leakage
Pete Templin
petelists at templin.org
Mon Mar 22 17:54:45 EST 2004
Jeremy Hinton wrote:
> For those of
> you injecting customer prefixes into iBGP (either via network statements
> or redistribute maps), what method are you using to prevent those
> prefixes from leaking to your peers? A couple of possibilities I've come
> up with:

3) Communities. Attach a community (the numeric value doesn't matter;
however, having a cheat sheet so humans can decode the code is
priceless) to each of the customer routes. At appropriate edges, permit
or deny based on the community string.

In my case, it required a re-engineering of my whole architecture, but
if you're doing that anyway, it brings tremendous benefits (filter by
prefix list on customer ingress, tag those routes that pass, filter by
community at provider and peer egress; no need to update customer prefix
lists on every edge device).

pt
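
The ingress-tag, egress-filter design described in the message above, as an added Cisco IOS configuration sketch that is not part of the original post. The AS numbers, neighbor addresses, route-map and list names, and the community value 64496:100 are all constructed for illustration.

```cisco
! Constructed values: AS 64496 = this network, AS 64511 = a customer,
! AS 64500 = a peer; 64496:100 is the cheat-sheet entry "customer route".
ip bgp-community new-format
!
! Customer ingress: accept only the registered prefix and tag what passes.
! "set community" without "additive" replaces any communities the customer
! sent, so the customer cannot choose its own tags.
ip prefix-list CUST-A-PREFIXES seq 5 permit 203.0.113.0/24
!
route-map CUST-A-IN permit 10
 match ip address prefix-list CUST-A-PREFIXES
 set community 64496:100
!
! The implicit deny at the end of CUST-A-IN drops everything else.
!
ip community-list standard CUSTOMER-ROUTES permit 64496:100
!
! Peer/provider ingress: strip the customer tag if a neighbor sends it,
! so only the customer edge can mark a route as a customer route.
route-map PEER-IN permit 10
 set comm-list CUSTOMER-ROUTES delete
!
! Peer/provider egress: announce only routes that carry the customer tag.
! Locally originated aggregates need the same tag (or their own permit
! clause) to pass this filter; that choice is an assumption of this sketch.
route-map PEER-OUT permit 10
 match community CUSTOMER-ROUTES
!
! iBGP sessions need send-community, otherwise the tag is lost between
! the customer edge and the peering edge and PEER-OUT matches nothing.
router bgp 64496
 neighbor 192.0.2.1 remote-as 64511
 neighbor 192.0.2.1 route-map CUST-A-IN in
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 route-map PEER-IN in
 neighbor 198.51.100.1 route-map PEER-OUT out
 neighbor 10.0.0.2 remote-as 64496
 neighbor 10.0.0.2 send-community
```

Only the customer-facing router carries the per-customer prefix list; the peer and provider edges match on the community alone, which is why new customers do not require edits on every edge device.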