[c-nsp] IPv6 filters

Tony Tauber ttauber at 1-4-5.net
Fri Nov 15 07:56:39 EST 2013


Yes, explicitly filtering prefixes outbound if you're an edge site and
inbound if you're a service provider is the right way to do it, whether
it's v4 or v6.
For BGP particularly, IPv6 is really nothing special at all; just mirror
your configurations and policies.

Depending on your OS, you may have to explicitly disable v6 routes being
sent over a v4 session.
That's possible to do but I don't know why one would want to in a truly
dual-stack deployment.
In v6 the only "v4 artifact" will be that the router ID is still a 32-bit
number which is most commonly set to the v4 loopback or some such.

Tony


On Thu, Nov 14, 2013 at 3:25 PM, Gert Doering <gert at greenie.muc.de> wrote:

> Hi,
>
> On Thu, Nov 14, 2013 at 07:58:26AM -0800, Scott Voll wrote:
> > I'm currently using a filter list:
> >
> > ip as-path access-list 1 permit ^$
> > ip as-path access-list 1 deny .*
> >
> > to make sure I'm not a transit provider.
> >
> > In my googling around I'm not seeing that done in IPv6
>
> Besides the CPU impact (what Nick pointed out), this is actually *good*
> practice, both for IPv4 and for IPv6.
>
> Easier on CPU load but more maintenance if prefixes keep being added
> is to filter by prefix-list...  so it depends a bit on how fast your
> router's CPU is, how often prefixes change, etc.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            //
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>
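
The "mirror your configuration" advice from this thread, written out as an IOS-style configuration. This is an added example, not configuration posted by anyone in the thread; the AS numbers, addresses, router ID and the prefix-list name OUR-V6-OUT are constructed documentation values.

```cisco
! AS-path access-lists are not tied to an address family, so the
! list quoted in the thread serves both the IPv4 and IPv6 sessions.
ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny .*
!
! Prefix-list alternative: cheaper than regex matching, but it has to
! be edited whenever a prefix is added. (Constructed prefix.)
ipv6 prefix-list OUR-V6-OUT seq 5 permit 2001:db8:1000::/36
!
router bgp 64500
 ! The router ID stays a 32-bit value even on a v6-only session.
 bgp router-id 192.0.2.1
 ! Neighbors are activated per address family, so v6 routes are not
 ! carried over the v4 session and vice versa.
 no bgp default ipv4-unicast
 neighbor 198.51.100.1 remote-as 64501
 neighbor 2001:db8:ffff::1 remote-as 64501
 !
 address-family ipv4
  neighbor 198.51.100.1 activate
  ! Only locally originated routes (empty AS path) leave this edge site.
  neighbor 198.51.100.1 filter-list 1 out
 exit-address-family
 !
 address-family ipv6
  neighbor 2001:db8:ffff::1 activate
  ! Same policy as IPv4: no transit.
  neighbor 2001:db8:ffff::1 filter-list 1 out
  ! Optional second check: only our own prefixes are announced.
  neighbor 2001:db8:ffff::1 prefix-list OUR-V6-OUT out
 exit-address-family
```

After applying, `show bgp ipv6 unicast neighbors 2001:db8:ffff::1 advertised-routes` should list only locally originated prefixes.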

