[c-nsp] prefix lists updates and max prefix filters

Pete Templin petelists at templin.org
Thu Dec 8 12:47:10 EST 2011

On 12/8/2011 11:37 AM, Mack McBride wrote:
> Not filtering announcements isn't really an answer.
> You run into the same problems with a route-map.
> The best solution is to use both a route-map and a prefix-filter.
> Your upstream should also be using a filter.

Say what?  Nobody's recommending that the OP not filter.  They're 
recommending that they filter on the way into their network, where the 
filtering can be done at a very granular level (this customer can send 
me this, that customer can send me that).  Any routes that meet said 
criteria are given a certificate (in the form of a 32-bit BGP community) 
indicating it's allowed to exist and allowed to leave.  At egress 
points, the only routes allowed to leave are those that possess the 
magic certificate.  Easy (in the grand scheme of things), scalable (new 
customer only requires provisioning at the ingress router), done.


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Blake Dunlap
> Sent: Monday, December 05, 2011 11:35 AM
> To: James Ashton
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] prefix lists updates and max prefix filters
> This is straight up a design problem. Don't filter what you announce, filter what you accept, and allow what you specify via route map community matching out.

(And Gert posted a more-detailed version of this.)

More information about the cisco-nsp mailing list