[c-nsp] Peer pointing default route to us

redscorpion69 redscorpion69 at gmail.com
Tue Sep 30 05:08:20 EDT 2014


Thanks for all the suggestions.

1. We don't have dedicated routers/VRFs for peering sessions.

2. BCP 38 looks like an OK solution, but it does look like a burden to manage
since it has to be updated every time a new prefix is announced...
So it looks like it would break stuff.

Regards

On Tue, Sep 30, 2014 at 10:49 AM, Lukas Tribus <luky-37 at hotmail.com> wrote:

> Hi,
>
>
> > But most importantly.
> > Even though the above is not implemented they should not be able
> > to exit your network via your upstream or peering links if you
> > have the BCP 38 filtering implemented.
>
> BCP 38 is about ingress filtering on customer links, not egress
> filtering on peers/upstream links, or am I missing something?
>
>
>
> > Would you please consider implementing filters on your upstream
> > links to only allow prefixes that you actually advertise to your
> > upstreams to exit your network?
> >
> > It is really easy.
> > Just check the routes you advertise via BGP to your upstreams and
> > create filters based on the outputs.
> > Apply the filters in the out direction.
>
> Are you talking about static ACLs matching source IPs and applying
> it in the egress direction on peers/upstreams?
>
> I don't see how that is supposed to scale.
>
>
> BCP38 (ingress filtering) sure, but egress filtering will just break
> your network, imho.
>
>
>
> Lukas
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
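
The egress source filter discussed in the thread (built from the prefixes advertised to upstreams and applied outbound) can be generated rather than hand-edited. The sketch below is an added example, not code from any poster: it collapses an advertised-prefix list into IOS extended ACL lines and reports drift against the deployed ACL. The ACL name, prefixes and deployed lines are constructed assumptions.

```python
import ipaddress

# Constructed sample: IPv4 prefixes advertised to upstreams (documentation
# ranges, not taken from the thread). Include customer routes you transit.
ADVERTISED = ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.0/24"]
# Constructed sample: permit lines of the ACL currently on the router.
DEPLOYED = ["permit ip 203.0.113.0 0.0.0.255 any"]


def permit_lines(prefixes):
    """Collapse prefixes; one 'permit ip <net> <wildcard> any' per aggregate."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes)
    # hostmask is the inverse netmask, which is what IOS calls the wildcard.
    return [f"permit ip {n.network_address} {n.hostmask} any" for n in nets]


def render_acl(name, prefixes):
    """Full source-address ACL, meant to be applied outbound on the upstream link."""
    body = [f" {line}" for line in permit_lines(prefixes)]
    return "\n".join([f"ip access-list extended {name}", *body, " deny ip any any"])


def drift(prefixes, deployed):
    """Return (lines to add, lines to remove) relative to the deployed ACL."""
    wanted, have = set(permit_lines(prefixes)), set(deployed)
    return sorted(wanted - have), sorted(have - wanted)


if __name__ == "__main__":
    print(render_acl("EGRESS-SRC", ADVERTISED))  # hypothetical ACL name
    add, remove = drift(ADVERTISED, DEPLOYED)
    print("missing on router:", add)
    print("stale on router:  ", remove)
```

A non-empty "missing" list is the failure mode raised in the thread: a newly announced prefix whose traffic the outbound filter would drop until the ACL is regenerated.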

