[rbak-nsp] Validating RADIUS routes???

David Freedman david.freedman at uk.clara.net
Fri Oct 15 05:56:59 EDT 2010



Matthew S. Crocker wrote:
> 
> I have a SE-400 running Redback Networks SmartEdge OS Version SEOS-5.0.3.1-Release
> 
> I just had a tech screw up a RADIUS entry. When the subscriber connected, the SE-400 happily routed 0.0.0.0 to the PPPoE session.  Is there a way I can put some sanity checks in the SE-400 config so it doesn't happily insert stupid routes into the routing table?
> 
> -Matt
> 
> 

Yes, when you are injecting sub information into your routing protocols,
apply a route-map :)


e.g.

context foonet
!
router bgp 1234
 address-family ipv4 unicast
 redistribute subscriber route-map SANITY-MAP
!
 route-map SANITY-MAP permit 10
  match ip address prefix-list SANITY-LIST
!
 ip prefix-list SANITY-LIST
  description Used to check subscriber routes are sane
  seq 10 deny 0.0.0.0/0
  seq 20 permit 0.0.0.0/0 le 32
!

A better list would permit more specifics from your own netblocks only,
for example

!
 ip prefix-list SANITY-LIST
  description Used to check subscriber routes are sane, only permit our netblocks
  seq 10 permit 192.0.2.0/24 le 32
!


--

David Freedman
Group Network Engineering

david.freedman at uk.clara.net
Tel +44 (0) 20 7685 8000

Claranet Group
21 Southampton Row
London - WC1B 5HA - UK
http://www.claranet.com

Company Registration: 3152737 - Place of registration: England

All the information contained within this electronic message from
Claranet Ltd is covered by the disclaimer at
http://www.claranet.co.uk/disclaimer
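
The two SANITY-LIST variants from the reply, modelled as an added Python example (not part of the original post and not Redback code) so the effect of each list on sample subscriber routes can be checked offline. It assumes the usual prefix-list semantics (first matching seq wins, "le" bounds the prefix length, implicit deny at the end); the function names and the sample routes are constructed for illustration.

```python
import ipaddress

# Entries are (seq, action, prefix, ge, le), copied from the two lists above.
FIRST_LIST = [
    (10, "deny", "0.0.0.0/0", None, None),
    (20, "permit", "0.0.0.0/0", None, 32),
]
NETBLOCK_LIST = [
    (10, "permit", "192.0.2.0/24", None, 32),
]

def entry_matches(route, prefix, ge, le):
    """True if route falls inside prefix and its length is in the ge/le window."""
    net = ipaddress.ip_network(prefix)
    if ge is None and le is None:
        lo = hi = net.prefixlen          # no ge/le: exact-length match only
    else:
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else net.max_prefixlen
    return lo <= route.prefixlen <= hi and route.subnet_of(net)

def evaluate(prefix_list, route_str):
    """Return 'permit' or 'deny' for one route (assumed first-match semantics)."""
    route = ipaddress.ip_network(route_str, strict=True)
    for _seq, action, prefix, ge, le in sorted(prefix_list, key=lambda e: e[0]):
        if entry_matches(route, prefix, ge, le):
            return action
    return "deny"                        # implicit deny when nothing matches

# Constructed sample subscriber routes, as they might arrive from RADIUS.
SAMPLE_ROUTES = [
    "0.0.0.0/0",        # the mistyped default route from the question
    "192.0.0.0/8",      # covering route, shorter than our netblock
    "198.51.100.0/24",  # someone else's address space
    "192.0.2.16/29",    # legitimate more-specific of our netblock
    "192.0.2.1/32",     # legitimate host route
]

if __name__ == "__main__":
    print(f"{'route':<18}{'first list':<12}{'netblock list'}")
    for r in SAMPLE_ROUTES:
        print(f"{r:<18}{evaluate(FIRST_LIST, r):<12}{evaluate(NETBLOCK_LIST, r)}")
```

The first list only stops the exact default route, so the /8 and the foreign /24 still pass; the netblock list rejects all three.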

