[c-nsp] prefix lists updates and max prefix filters
Pete Templin
petelists at templin.org
Thu Dec 8 12:47:10 EST 2011
On 12/8/2011 11:37 AM, Mack McBride wrote:
> Not filtering announcements isn't really an answer.
> You run into the same problems with a route-map.
> The best solution is to use both a route-map and a prefix-filter.
> Your upstream should also be using a filter.
Say what? Nobody's recommending that the OP not filter. They're
recommending that they filter on the way into their network, where the
filtering can be done at a very granular level (this customer can send
me this, that customer can send me that). Any routes that meet said
criteria are given a certificate (in the form of a 32-bit BGP community)
indicating they're allowed to exist and allowed to leave. At egress
points, the only routes allowed to leave are those that possess the
magic certificate. Easy (in the grand scheme of things), scalable (new
customer only requires provisioning at the ingress router), done.
pt
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Blake Dunlap
> Sent: Monday, December 05, 2011 11:35 AM
> To: James Ashton
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] prefix lists updates and max prefix filters
>
> This is straight up a design problem. Don't filter what you announce, filter what you accept, and allow what you specify via route map community matching out.
(And Gert posted a more-detailed version of this.)
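
The ingress-tag and egress-match design described in this message, sketched as Cisco IOS configuration. This is an added example, not configuration posted in the thread; the AS numbers, addresses, community value 64500:100 and all list and route-map names are constructed assumptions.

```cisco
! Constructed example: AS 64500, export tag 64500:100.
! All names, AS numbers and addresses are assumptions.
ip bgp-community new-format
!
! --- Ingress router: per-customer filter, then tag what passes ---
ip prefix-list CUST-A-PFX seq 5 permit 203.0.113.0/24
!
! "set community" without "additive" replaces whatever communities
! the customer sent, so a customer cannot attach the export tag itself.
! Routes outside CUST-A-PFX hit the route-map's implicit deny.
route-map CUST-A-IN permit 10
 match ip address prefix-list CUST-A-PFX
 set community 64500:100
!
router bgp 64500
 neighbor 198.51.100.2 remote-as 64510
 neighbor 198.51.100.2 route-map CUST-A-IN in
 neighbor 10.255.0.2 remote-as 64500
 neighbor 10.255.0.2 send-community
!
! --- Egress router: only tagged routes may leave ---
ip community-list standard EXPORT-OK permit 64500:100
!
! Anything without the tag hits the implicit deny and is not announced.
route-map UPSTREAM-OUT permit 10
 match community EXPORT-OK
!
router bgp 64500
 neighbor 198.51.100.6 remote-as 64511
 neighbor 198.51.100.6 route-map UPSTREAM-OUT out
```

The iBGP session toward the egress router needs `send-community`, otherwise the tag is stripped before the egress route-map sees it. Adding a customer only touches the ingress router's prefix list and inbound route-map; the egress policy stays unchanged.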