[c-nsp] Peer pointing default route to us

Vitkovský Adam adam.vitkovsky at swan.sk
Tue Sep 30 08:33:51 EDT 2014


Hi Gert, 

> From: Gert Doering [mailto:gert at greenie.muc.de]
> Sent: Tuesday, September 30, 2014 1:39 PM
> > It is really easy.
> > Just check the routes you advertise via BGP to your upstreams and create
> > filters based on the outputs.
> > Apply the filters in the out direction.
> > If someone starts to complain they are definitely doing something fishy.
> 
> This is actually pretty poor advice if you have downstream BGP that
> frequently (for whatever reasons) changes the prefix set they announce to
> you.

Of course there are corner cases, and this should not be performed during busy hours.
Also, customers as well as network ops should be informed in advance what to look for if things break.

> 
> BCP38 should be applied on ingress to your network (so you can see *who*
> is sending you garbage), not on egress - and for BGP customers, it should not
> be done by "looking at routes" but be integrated into the tool set that
> updates your BGP ingress filters to update the ingress ACL right away.
> 
Agreed, it is an ideal solution.
Though it's not so appealing for a busy network engineer who needs to deal with the problem ASAP.
Anyway, so the above is how you guys have implemented BCP 38 network-wide, right?


adam
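
The approach in the quoted text, driving the BCP38 ingress ACL from the same prefix data as the BGP ingress filter, as an added example (not code from this thread or from any poster's tooling). The function name, the filter names, the sample prefixes and the PE-CE link subnet are constructed assumptions.

```python
import ipaddress

# Constructed sample: prefixes registered for one BGP customer (documentation ranges).
SAMPLE_ANNOUNCED = ["198.51.100.0/25", "198.51.100.128/25",
                    "192.0.2.0/24", "203.0.113.0/24"]
SAMPLE_LINK = "10.255.0.0/30"  # constructed PE-CE link subnet


def render_filters(name, announced, link_net):
    """Build the BGP prefix-list and the interface source ACL from one prefix set."""
    # IPv4Network() raises ValueError on host bits set, catching typos early.
    nets = sorted({ipaddress.IPv4Network(p) for p in announced})
    if not nets:
        # An empty input would otherwise render an ACL that drops the customer.
        raise ValueError("empty prefix set: refusing to emit a deny-all ACL")

    # BGP side: one exact-match entry per registered prefix.
    plist = [f"ip prefix-list {name}-IN seq {5 * i} permit {n}"
             for i, n in enumerate(nets, start=1)]

    # Data-plane side: source checks ignore announcement boundaries, so adjacent
    # prefixes are merged. The link subnet is included so that the customer's
    # own BGP session (sourced from the link address) is not dropped.
    sources = ipaddress.collapse_addresses(nets + [ipaddress.IPv4Network(link_net)])
    acl = [f"ip access-list extended {name}-SRC-IN"]
    acl += [f" permit ip {n.network_address} {n.hostmask} any" for n in sources]
    # Logged deny on the customer-facing interface shows *who* sends the garbage.
    acl.append(" deny ip any any log")
    return plist, acl


if __name__ == "__main__":
    for block in render_filters("CUST-EXAMPLE", SAMPLE_ANNOUNCED, SAMPLE_LINK):
        print("\n".join(block))
        print("!")
```

Because both outputs come from one call, a change to the customer's registered prefixes updates the BGP filter and the ingress ACL in the same run.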


