[c-nsp] Peer pointing default route to us

Lukas Tribus luky-37 at hotmail.com
Tue Sep 30 04:49:11 EDT 2014


> But most importantly.
> Even though the above is not implemented they should not be able
> to exit your network via your upstream or peering links if you
> have the BCP 38 filtering implemented.

BCP 38 is about ingress filtering on customer links, not egress
filtering on peers/upstream links, or am I missing something?

> Would you please consider implementing filters on your upstream
> links to only allow prefixes that you actually advertise to your
> upstreams to exit your network?
> It is really easy.
> Just check the routes you advertise via BGP to your upstreams and
> create filters based on the outputs.
> Apply the filters in the out direction.

Are you talking about static ACLs matching source IPs and applying
it in the egress direction on peers/upstreams?

I don't see how that is supposed to scale.

BCP38 (ingress filtering) sure, but egress filtering will just break
your network, imho.



More information about the cisco-nsp mailing list