[nsp] community-based ip filtering
Matt Ryan
Matt.Ryan at telewest.co.uk
Thu Feb 27 10:00:49 EST 2003
Glitch in The Matrix?
<http://www.cctec.com/maillists/nanog/historical/9801/msg00149.html>
Matt.
-----Original Message-----
From: Alexandre Snarskii [mailto:snar at paranoia.ru]
Sent: 27 February 2003 07:57
To: Niklas at hoglund.pp.se
Cc: cisco-nsp at puck.nether.net
Subject: Re: [nsp] community-based ip filtering
On Wed, Feb 26, 2003 at 08:46:41AM +0100, Niklas at hoglund.pp.se wrote:
> Hi,
>
> does cisco do community-based ip filtering?
> e.g.
> int fddi0
> ip access-group community-list 10 in
> !
> ip community-list 10 permit AA:BB
> ip community-list 10 permit CC:DD
> !
>
> Can I do it? =)
What should you filter with these sentences? IP packets with
communities set? :)))
The short answer is: no, you can't filter IP packets based on community,
because of the fact that IP packets do not contain any information about
communities.
The longer answer is: yes, in some situations you can.
Just filter the BGP announcements from some router on this interface,
route-map COMM-IN
 match community 1
router bgp XXXX
 neighbor Y.Y.Y.Y route-map COMM-IN in
then add
interface fddi0
 ip verify unicast reverse-path
into your configuration, and only packets sourced from networks
whose routes point back to that interface will be accepted.
Be very careful using this!
Assume your upstream announces a.b.c.0/19 with community AA:BB
via fddi0, but you have some route to a.b.c.0/20 known via another
interface. If a packet from a.b.c.0/20 comes to you via fddi0,
it will be dropped.
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
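The following is an added example, not code from anyone in the thread: a small Python model of the workaround Alexandre describes, and of its caveat. Routes learned from the fddi0 neighbour pass through a route-map that keeps only routes carrying a permitted community, all accepted routes form the FIB, and strict uRPF then accepts a packet only if the longest-prefix-match route for its source points back out the ingress interface. The interface names, prefixes and community values (10.0.0.0/19, 10.0.0.0/20, 65000:100, Ethernet1) are constructed stand-ins for the thread's fddi0, a.b.c.0/19, a.b.c.0/20 and AA:BB; the route-map and uRPF behaviour are simplified (single best path, no equal-cost paths).

```python
# Added example (not from the thread): model of community-based route
# filtering on the fddi0 neighbour followed by strict uRPF on fddi0.
# All prefixes, communities and interface names are constructed stand-ins.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    communities: frozenset     # BGP standard communities as "ASN:value" strings
    interface: str             # interface the next hop is reached through


def make_route(prefix, communities, interface):
    return Route(ipaddress.ip_network(prefix), frozenset(communities), interface)


def route_map_comm_in(routes, permitted):
    """Emulate 'route-map COMM-IN / match community 1' applied inbound on
    the neighbour: keep a route only if it carries a permitted community."""
    return [r for r in routes if r.communities & permitted]


def lookup(fib, src):
    """Longest-prefix match for a source address; None if there is no route."""
    addr = ipaddress.ip_address(src)
    best = None
    for r in fib:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_strict_accepts(fib, src, ingress):
    """Strict uRPF ('ip verify unicast reverse-path'): accept the packet only
    when the best route back to its source uses the ingress interface."""
    r = lookup(fib, src)
    return r is not None and r.interface == ingress


# Constructed sample routing state.
PERMITTED = {"65000:100"}                       # stands in for AA:BB
UPSTREAM_RAW = [                                # learned from the fddi0 neighbour
    make_route("10.0.0.0/19", {"65000:100"}, "fddi0"),        # a.b.c.0/19 with AA:BB
    make_route("198.51.100.0/24", {"65000:999"}, "fddi0"),    # community not permitted
]
OTHER_ROUTES = [                                # learned via another interface, unfiltered
    make_route("10.0.0.0/20", {"65000:200"}, "Ethernet1"),    # the more specific a.b.c.0/20
]
FIB = route_map_comm_in(UPSTREAM_RAW, PERMITTED) + OTHER_ROUTES


def demo():
    """Return accept/drop verdicts for a few constructed packets."""
    return {
        # covered only by the /19 via fddi0: accepted on fddi0
        "10.0.20.5@fddi0": urpf_strict_accepts(FIB, "10.0.20.5", "fddi0"),
        # its route was dropped by the community filter: no route, so dropped
        "198.51.100.7@fddi0": urpf_strict_accepts(FIB, "198.51.100.7", "fddi0"),
        # the caveat: the /20 wins longest match and points to Ethernet1,
        # so the same source is dropped on fddi0 but accepted on Ethernet1
        "10.0.5.5@fddi0": urpf_strict_accepts(FIB, "10.0.5.5", "fddi0"),
        "10.0.5.5@Ethernet1": urpf_strict_accepts(FIB, "10.0.5.5", "Ethernet1"),
    }


if __name__ == "__main__":
    for packet, accepted in demo().items():
        print(f"{packet}: {'accept' if accepted else 'drop'}")
```

The last two verdicts are the point of the warning in the thread: the community filter never touches packets, it only shapes the FIB, and strict uRPF then judges every packet by whatever route happens to win longest-prefix match, including more-specific routes learned elsewhere.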