[c-nsp] BGP peer/customer routes

Keegan Holley keegan.holley at sungard.com
Tue May 31 07:17:03 EDT 2011


2011/5/31 vince anton <mvanton at gmail.com>

> Hello everyone,
>
> need some insight from the list as to how to best approach a bgp
> routing/policy issue, and what's generally done and considered good
> practise and good policy.
>

Not to be rude but this might actually be the least specific question I've
ever heard.  A good routing policy takes a lot.  It also ties into the
business model of your company.  You should be able to find some basic do's
and don'ts via google though.  Cisco.com/Juniper.net should have some
implementation guides.  Then there are third parties like cymru, nanog,
etc...

>
> I operate a transit AS (say AS10), and I have a customer (AS 5) who buys
> transit from me.
>
> I also peer with AS11 - no transit either way on this, just peering, ie
> sending my networks to AS11, and receiving AS11's networks
>
> Now AS5 also becomes a transit customer of AS11, and so on the peering link
> with AS11, I now can see the IP Blocks of my customer AS 5
>

Until you're allowed to fire customers you should block these routes.

>
> AS Path length, and Localpref sorts out most routing issues here, except
> for the case where AS5 advertises a more specific route to AS11, than to me
> (AS10).
>

Not good.. Block them using prefix lists based on your ARIN assignments and
what your other customers are advertising.  This will also require you to
keep some kind of routing database so you can keep the filters up to date.
Your prefix lists should look something like "ip prefix-list ARIN#/20 le 32"
that should cover the more specifics.  You should also track exactly what
your customers can and cannot advertise to you and make them call you to add
blocks to that list.  What happens if the geniuses in AS5 advertise you a
default or a misconfigured /8?

>
> So what happens now is that for this more specific customer prefix, I have
> a specific route saying some AS5 nets are preferable via the peering link
> than via the direct customer link,  and if I want to deliver transit
> traffic to my customer, my router would choose the peering link.  This is
> not desirable behaviour.
>

yep.  bad and potentially expensive.


>
>
> Is the solution here, filtering any customer prefixes from any other links
> (ie filtering AS5 nets on link to AS11), or is there any other way of going
> about this ?
>

The only safe thing to do is to control specifically what comes in and out
of your AS using specifically designed prefix lists at all peering points.


>
>
>
> Thanks,
>
> anton
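The filtering described in this reply, sketched in Python as an added example that is not part of the original thread: registered customer blocks are permitted (including more specifics) on the customer session and denied on the peering session, and the peer-side entries are rendered as IOS prefix-list lines. AS5 is taken from the question; the prefixes are constructed documentation ranges, and the list name and function names are assumptions.

```python
import ipaddress

# Constructed routing database: the blocks each customer AS may announce.
# AS5 comes from the thread; the prefixes are RFC 5737 documentation ranges.
CUSTOMER_BLOCKS = {
    5: ["198.51.100.0/24", "203.0.113.0/24"],
}

def covered(prefix, block):
    """True if prefix equals block or is a more specific of it ('le 32')."""
    return prefix.version == block.version and prefix.subnet_of(block)

def customer_in(asn, prefix):
    """Customer session, inbound: permit only that customer's registered space.
    A default route or an oversized aggregate is not inside any block, so it
    is rejected."""
    p = ipaddress.ip_network(prefix)
    blocks = [ipaddress.ip_network(b) for b in CUSTOMER_BLOCKS.get(asn, [])]
    return any(covered(p, b) for b in blocks)

def peer_in(prefix):
    """Peering session, inbound: deny anything inside customer space, so a
    more specific learned from the peer can never win on longest match."""
    p = ipaddress.ip_network(prefix)
    for blocks in CUSTOMER_BLOCKS.values():
        if any(covered(p, ipaddress.ip_network(b)) for b in blocks):
            return False
    return True

def ios_peer_filter(name):
    """Render the peer-side policy as IOS prefix-list lines."""
    lines, seq = [], 5
    for asn in sorted(CUSTOMER_BLOCKS):
        for block in CUSTOMER_BLOCKS[asn]:
            lines.append(f"ip prefix-list {name} seq {seq} deny {block} le 32")
            seq += 5
    # Everything outside customer space is permitted by the final entry.
    lines.append(f"ip prefix-list {name} seq {seq} permit 0.0.0.0/0 le 32")
    return lines

if __name__ == "__main__":
    # Constructed announcements as they would arrive on each session.
    for pfx in ["198.51.100.128/25", "0.0.0.0/0", "198.0.0.0/8"]:
        print("customer AS5", pfx, "permit" if customer_in(5, pfx) else "deny")
    for pfx in ["198.51.100.128/25", "192.0.2.0/24"]:
        print("peer AS11   ", pfx, "permit" if peer_in(pfx) else "deny")
    print("\n".join(ios_peer_filter("PEER-AS11-IN")))
```
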