[j-nsp] Filter created from bgp route tag ?

Thomas Mangin thomas.mangin at exa-networks.co.uk
Fri Aug 26 03:27:24 EDT 2005


a.dhingra at neu.edu wrote:

>Do you really need to check the prefix-list?  By default a route
>will not be sent to the upstream neighbor if it's not in the routing table.
I was looking at those filters to possibly:
1 - make sure one of my customers' servers is not used to send DoS
traffic out using spoofed addresses
2 - prevent customers/peers from sending me traffic which is not from one of
the routes they advertise to me.
3 - prevent traffic whose source address is mine or one of my customers'
from entering my network from transit.

I never deployed "ip verify unicast rpf" on my Cisco routers as I always
relied on hardcoded ACLs before, so I do not have any operational
experience of it, but from my poor understanding of it, it should only do #1
and #2, so I need something to do #3 as well without having to use a
prefix-list.

>1.  If Customer is using our space, then we are aggregating it, and send 
>it to our upstream peers.
It is a good idea to keep peers :p

>2.  If the customer is a BGP customer, then all routes are tagged with x
>community.  On our upstream peers we match on that community, and send it
>upstream.  But if they withdraw the route, then I don't have a route with
>its matching community, so I don't worry about it.
I am now doing a similar thing, allowing prepending or route
withdrawal as well.

>3.  If its a static route customer with their own space then we 
>redistribute the static into bgp.
I was told recently that if you inject a static route into BGP you cannot
then process the route down the BGP export list, but that you have to do
everything in the policy in which you import and accept the route.
Does someone know the reason for it?

Thomas
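
As an added illustration of the three goals listed in the message above and of the community-tagging approach in the quoted reply, here is a Junos configuration sketch. It is not Thomas's or any list member's configuration, and the prefixes (RFC 5737 documentation space), AS numbers (RFC 5398 documentation range), community value, policy names and interface names are all assumed placeholders. Goals #1 and #2 are covered by uRPF on the customer-facing interface, goal #3 by a stateless firewall filter on the transit interface that discards packets sourced from the operator's own aggregate, and the upstream export policy only passes routes that were tagged on import from a BGP customer.

```junos
policy-options {
    /* Community stamped on every route accepted from a BGP customer */
    community CUST-ROUTES members 65000:100;

    /* Import policy for BGP customers: accept only their agreed prefixes
       and tag them so the transit export policy can recognise them */
    policy-statement FROM-CUSTOMER {
        term accept-customer {
            from {
                route-filter 192.0.2.0/24 orlonger;   /* assumed customer block */
            }
            then {
                community add CUST-ROUTES;
                accept;
            }
        }
        term reject-rest {
            then reject;
        }
    }

    /* Export policy towards transit: only tagged customer routes and our
       own aggregate. A withdrawn customer route simply has nothing to match. */
    policy-statement TO-UPSTREAM {
        term customer-routes {
            from community CUST-ROUTES;
            then accept;
        }
        term own-aggregate {
            from {
                route-filter 198.51.100.0/24 exact;   /* assumed own aggregate */
            }
            then accept;
        }
        term reject-rest {
            then reject;
        }
    }
}

firewall {
    family inet {
        /* Goal #3: drop transit-ingress packets claiming to come from our
           own space or from a customer block (anti-spoofing at the edge) */
        filter FROM-TRANSIT {
            term drop-own-sources {
                from {
                    source-address {
                        198.51.100.0/24;
                        192.0.2.0/24;
                    }
                }
                then {
                    count spoofed-own-space;
                    discard;
                }
            }
            term accept-rest {
                then accept;
            }
        }
    }
}

interfaces {
    /* Customer-facing interface: strict uRPF (goals #1 and #2). A packet
       is forwarded only if the best route to its source points back out
       this interface, so spoofed sources and unadvertised blocks are dropped. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                rpf-check;
                address 203.0.113.1/30;    /* assumed customer link */
            }
        }
    }
    /* Transit-facing interface: apply the anti-spoofing filter inbound */
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input FROM-TRANSIT;
                }
                address 203.0.113.5/30;    /* assumed transit link */
            }
        }
    }
}

protocols {
    bgp {
        group CUSTOMERS {
            type external;
            import FROM-CUSTOMER;
            neighbor 203.0.113.2 {
                peer-as 64496;             /* assumed customer AS */
            }
        }
        group TRANSIT {
            type external;
            export TO-UPSTREAM;
            neighbor 203.0.113.6 {
                peer-as 64497;             /* assumed transit AS */
            }
        }
    }
}
```

Strict `rpf-check` is only safe where routing is symmetric, which is normally the case for a single-homed customer; on the transit side, where asymmetry is the norm, a static source-address filter such as FROM-TRANSIT (or `rpf-check mode loose`, which only verifies that some route to the source exists) is the usual choice.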


More information about the juniper-nsp mailing list