[c-nsp] BGP route filtering question about upstreams
Gert Doering
gert at greenie.muc.de
Tue Oct 7 16:28:00 EDT 2014
Hi,
On Tue, Oct 07, 2014 at 11:47:08AM -0400, Justin M. Streiner wrote:
> Better to let BGP do what it does in a relatively unfettered way.
[..]
> Don't make the routing policies any more complicated than they need to be,
> especially if someone who is less familiar with them will be expected to
> troubleshoot connectivity issues at 3 AM.
This is good advice, and cannot be said often enough.
Most important is "filter what you accept from downstream" (ONLY what
is documented in a proper way - RIPE DB over here, reasonable IRRs
if they exist elsewhere), combined with "filter what you announce to
upstream and peers" (only yours + customer).
For all the rest, BGP will usually do the right thing - but can be
tricked into unstable configurations which need lots of time to tweak
and massage, so you really do not want to go there.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
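
Added example, not part of the original post: a minimal Python sketch of the two filters described above, accepting from a downstream only what is registered for it and announcing upstream only own plus customer routes. The ASNs, prefixes, maximum prefix lengths and function names are constructed assumptions standing in for data pulled from the RIPE DB or another IRR.

```python
import ipaddress

# Constructed sample data (documentation prefixes, reserved ASNs); in
# practice this would be generated from route objects in the RIPE DB / IRR.
CUSTOMER_ROUTES = {          # downstream ASN -> prefixes documented for it
    64500: ["192.0.2.0/24", "2001:db8:100::/40"],
    64501: ["198.51.100.0/24"],
}
OWN_PREFIXES = ["203.0.113.0/24"]
MAX_LEN = {4: 24, 6: 48}     # assumed policy: longest prefix taken per family


def covered(prefix, registered):
    """True if prefix equals, or is a more-specific of, a registered route
    and is not longer than the per-family maximum length."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > MAX_LEN[net.version]:
        return False
    for entry in registered:
        reg = ipaddress.ip_network(entry)
        if reg.version == net.version and net.subnet_of(reg):
            return True
    return False


def accept_from_downstream(customer_asn, prefix):
    """Inbound filter on a customer session: only what is documented."""
    return covered(prefix, CUSTOMER_ROUTES.get(customer_asn, []))


def announce_to_upstream(prefix, learned_from):
    """Outbound filter towards upstreams and peers: own + customer only.
    learned_from is "self" or the ASN of the neighbour the route came from."""
    if learned_from == "self":
        return covered(prefix, OWN_PREFIXES)
    if learned_from in CUSTOMER_ROUTES:
        return covered(prefix, CUSTOMER_ROUTES[learned_from])
    return False             # learned from a peer or upstream: never re-announce


if __name__ == "__main__":
    for asn, pfx in [(64500, "192.0.2.0/24"), (64500, "198.51.100.0/24"),
                     (64500, "192.0.2.128/25"), (64500, "2001:db8:101::/48")]:
        print("in ", asn, pfx, accept_from_downstream(asn, pfx))
    for pfx, src in [("203.0.113.0/24", "self"), ("192.0.2.0/24", 64500),
                     ("10.0.0.0/8", 64999), ("0.0.0.0/0", "self")]:
        print("out", pfx, src, announce_to_upstream(pfx, src))
```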