[c-nsp] Peer pointing default route to us

Vitkovský Adam adam.vitkovsky at swan.sk
Tue Sep 30 04:20:05 EDT 2014


As Saku and Mark mentioned already, peering boxes should not have a default route or full BGP table.
You could either use a dedicated box or a vrf that carries only customer prefixes.  

But most importantly. 
Even though the above is not implemented, they should not be able to exit your network via your upstream or peering links if you have the BCP 38 filtering implemented.
Would you please consider implementing filters on your upstream links to only allow prefixes that you actually advertise to your upstreams to exit your network? 

It is really easy. 
Just check the routes you advertise via BGP to your upstreams and create filters based on the outputs. 
Apply the filters in the out direction. 
If someone starts to complain, they are definitely doing something fishy.


adam
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> redscorpion69
> Sent: Monday, September 29, 2014 3:12 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Peer pointing default route to us
> 
> This is not a Cisco-centric question, but maybe you could help me out.
> 
> What is the best way to filter traffic coming in from one of our peers and
> going upstream. Basically we see the peer is sending traffic to IPs we're not
> announcing to them. They may very well have a default route pointing to us
> as well.
> 
> Not going into the fact that this is breaking peering policy rules, is there a
> dynamic way to filter this on (Juniper/Cisco)?
> 
> Regards
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
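
The procedure described in the reply above (list what you advertise to the upstream, build a filter from it, apply it outbound), as an added example that is not part of the original post. It assumes the filter is a Cisco IOS source-address ACL in the BCP 38 sense; the prefix list, the ACL name and the interface name are constructed placeholders.

```python
import ipaddress

# Constructed sample: prefixes we advertise to the upstream (documentation ranges).
# In practice this list comes from the router's advertised-routes output.
ADVERTISED = [
    "198.51.100.0/25",
    "198.51.100.128/25",
    "203.0.113.0/24",
    "203.0.113.64/26",   # more-specific already covered by the /24
]

def collapse(prefixes):
    """Validate the prefixes and merge adjacent or overlapping ones."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))

def egress_acl(prefixes, name="UPSTREAM-OUT", iface="GigabitEthernet0/0"):
    """Render an IOS extended ACL that lets only our advertised source
    space leave on the upstream link (name and iface are hypothetical)."""
    lines = [f"ip access-list extended {name}"]
    for net in collapse(prefixes):
        # IOS ACLs take a wildcard mask, which is the network's host mask.
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")
    # Apply in the out direction on the upstream-facing interface.
    lines += [f"interface {iface}", f" ip access-group {name} out"]
    return lines

def may_exit(src, prefixes):
    """True if a packet with this source address would pass the ACL."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in collapse(prefixes))

if __name__ == "__main__":
    print("\n".join(egress_acl(ADVERTISED)))
    # A peer's own address (not in our advertised space) is dropped at the
    # upstream edge; a customer address inside our space passes.
    for src in ("192.0.2.10", "203.0.113.70"):
        print(src, "permit" if may_exit(src, ADVERTISED) else "deny")
```

The ACL has to be regenerated whenever the set of prefixes advertised to the upstream changes, otherwise newly announced space is dropped on the way out.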


