[c-nsp] Peer pointing default route to us
Lukas Tribus
luky-37 at hotmail.com
Tue Sep 30 04:49:11 EDT 2014
Hi,

> But most importantly.
> Even though the above is not implemented they should not be able
> to exit your network via your upstream or peering links if you
> have the BCP 38 filtering implemented.

BCP 38 is about ingress filtering on customer links, not egress
filtering on peers/upstream links, or am I missing something?

> Would you please consider implementing filters on your upstream
> links to only allow prefixes that you actually advertise to your
> upstreams to exit your network?
>
> It is really easy.
> Just check the routes you advertise via BGP to your upstreams and
> create filters based on the outputs.
> Apply the filters in the out direction.

Are you talking about static ACLs matching source IPs and applying
it in the egress direction on peers/upstreams?

I don't see how that is supposed to scale.

BCP38 (ingress filtering) sure, but egress filtering will just break
your network, imho.

Lukas
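
Added example, not part of the original message or thread: a Python sketch of the procedure in the quoted text (build a source-address filter from the prefixes advertised to an upstream, for use in the out direction), plus a check of which source addresses that filter would drop. The prefixes, the ACL name `EGRESS-SRC` and the sample sources are constructed; output is IOS extended ACL syntax, IPv4 only.

```python
import ipaddress

# Constructed sample: prefixes this network advertises to one upstream
# (documentation ranges, not real routing data).
ADVERTISED = ["198.51.100.0/25", "198.51.100.128/25", "192.0.2.0/24"]


def collapse(prefixes):
    """Parse the prefixes and merge adjacent/overlapping ones to keep the ACL short."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def build_acl(prefixes, name="EGRESS-SRC"):
    """Return extended ACL lines permitting only advertised source prefixes."""
    lines = [f"ip access-list extended {name}"]
    for net in collapse(prefixes):
        # hostmask is the wildcard mask IOS expects (e.g. 0.0.0.255 for a /24)
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any")
    return lines


def dropped_sources(prefixes, sources):
    """Return the source addresses the generated filter would drop on egress."""
    allowed = collapse(prefixes)
    return [s for s in sources
            if not any(ipaddress.ip_address(s) in net for net in allowed)]


if __name__ == "__main__":
    print("\n".join(build_acl(ADVERTISED)))
    # Constructed sources seen leaving via this upstream. 203.0.113.5 stands
    # for a prefix the network carries but does not advertise on this link.
    seen = ["192.0.2.10", "203.0.113.5", "198.51.100.200"]
    print("would be dropped:", dropped_sources(ADVERTISED, seen))
```

Running the drop check against sampled flow sources before applying such a filter shows which legitimate traffic, if any, it would break, and the ACL has to be regenerated whenever the advertised prefix set changes.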