[afnog] Private IP Filters in bgp

Shake Righa shake.righa at gmail.com
Fri May 25 14:21:42 UTC 2012


Yasini,

You could try and instead of using prefixes for the filters only make the
use of a route-map. This would add more flexibility such as adding of
local-pref or communities to the incoming routes.

Sample route-map could be

route-map PEER_PERMIT deny 10
 match ip address prefix-list PRIVATE_IPS_PREFIX_LIST
route-map PEER_PERMIT permit 20

The route-map would be applied as your incoming filter with your peer.

What the route-map does is deny any private IPs and then permit anything
else.

Hope this answers your question.

Regards,
Shake Righa


On Fri, May 25, 2012 at 2:14 PM, Yasini Kilima <ykilima at tra.go.tz> wrote:

> Hello Gurus,
>
> I am trying to create an IP prefix filter to filter bogons Private blocks
> received from one of my peer provider's announcements.
> I know the following filter would help me but surprisingly the last entry
> of the list doesn't execute, is it the problem of my IOS for my ASBR or
> what?
>
> ip prefix-list DENY-PRIVATE description Filter bogons
> ip prefix-list DENY-PRIVATE deny 0.0.0.0/8
> ip prefix-list DENY-PRIVATE deny 10.0.0.0/8
> ip prefix-list DENY-PRIVATE deny 127.0.0.0/8
> ip prefix-list DENY-PRIVATE deny 169.254.0.0/16
> ip prefix-list DENY-PRIVATE deny 172.16.0.0/12
> ip prefix-list DENY-PRIVATE deny 192.0.2.0/24
> ip prefix-list DENY-PRIVATE deny 192.168.0.0/16
> ip prefix-list DENY-PRIVATE deny 240.0.0.0/4
> ip prefix-list DENY-PRIVATE permit any
>
> ip prefix-list DENY-PRIVATE permit any (This doesn't execute it gives an
> error as here below):
>
> INTERNET_LINK(config)#$ist DENY-PRIVATE description Filter bogons
> INTERNET_LINK(config)#ip prefix-list DENY-PRIVATE deny 0.0.0.0/8
> INTERNET_LINK(config)#ip prefix-list DENY-PRIVATE deny 10.0.0.0/8
> INTERNET_LINK(config)#ip prefix-list DENY-PRIVATE deny 127.0.0.0/8
> INTERNET_LINK(config)#ip prefix-list DENY-PRIVATE deny 169.254.0.0/16
> INTERNET_LINK(config)#ip prefix-list DENY-PRIVATE deny 172.16.0.0/12
> INTERNET_LINK(config)#ip prefix-list DENY-PRIVATE deny 192.0.2.0/24
> INTERNET_LINK(config)#ip prefix-list DENY-PRIVATE deny 192.168.0.0/16
> INTERNET_LINK(config)#ip prefix-list DENY-PRIVATE deny 240.0.0.0/4
> INTERNET_LINK(config)#ip prefix-list DENY-PRIVATE permit any
>                                                             ^
> % Invalid input detected at '^' marker.
>
> INTERNET_LINK(config)#
>
> I am sure the command is correct; you can correct me if I am wrong.
> How can I permit any, then?
> Is it an IOS issue or am I not correct? If so, what should I do in
> order to permit any?
> When I apply the list regardless, I can't get any BGP routes from that
> provider, even the PUBLIC prefixes, but I can receive the PUBLIC prefixes
> from other providers as usual.
>
> I don't want to receive his PRIVATE prefixes what should I do?
>
> Please help me!
>
> Yasini.
>
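The configuration below is an added example, not part of either message in the thread: it spells out the prefix-list that the PEER_PERMIT route-map refers to, built from the blocks in the original question, and then shows the standalone prefix-list form with a working final entry. The local AS 64500 and the peer address 198.51.100.1 are placeholders, and the sequence numbers are arbitrary.

```cisco
! Added example. Placeholders: local AS 64500, peer 198.51.100.1.
!
! Entries are "permit" because the prefix-list only selects routes here;
! the route-map clause that references it (deny 10) decides their fate.
! "le 32" makes each entry match the block and every more-specific
! prefix inside it. Without it only the exact prefix length matches.
ip prefix-list PRIVATE_IPS_PREFIX_LIST description Bogon and private blocks
ip prefix-list PRIVATE_IPS_PREFIX_LIST seq 5 permit 0.0.0.0/8 le 32
ip prefix-list PRIVATE_IPS_PREFIX_LIST seq 10 permit 10.0.0.0/8 le 32
ip prefix-list PRIVATE_IPS_PREFIX_LIST seq 15 permit 127.0.0.0/8 le 32
ip prefix-list PRIVATE_IPS_PREFIX_LIST seq 20 permit 169.254.0.0/16 le 32
ip prefix-list PRIVATE_IPS_PREFIX_LIST seq 25 permit 172.16.0.0/12 le 32
ip prefix-list PRIVATE_IPS_PREFIX_LIST seq 30 permit 192.0.2.0/24 le 32
ip prefix-list PRIVATE_IPS_PREFIX_LIST seq 35 permit 192.168.0.0/16 le 32
ip prefix-list PRIVATE_IPS_PREFIX_LIST seq 40 permit 240.0.0.0/4 le 32
!
route-map PEER_PERMIT deny 10
 match ip address prefix-list PRIVATE_IPS_PREFIX_LIST
route-map PEER_PERMIT permit 20
!
router bgp 64500
 neighbor 198.51.100.1 route-map PEER_PERMIT in
!
! Standalone alternative without a route-map. IOS prefix-list syntax
! has no "any" keyword, which is what the '^' marker in the error points
! at; "match everything" is written 0.0.0.0/0 le 32. A prefix-list ends
! with an implicit deny, so without this last entry every route from the
! peer is dropped.
ip prefix-list DENY-PRIVATE description Filter bogons
ip prefix-list DENY-PRIVATE seq 5 deny 0.0.0.0/8 le 32
ip prefix-list DENY-PRIVATE seq 10 deny 10.0.0.0/8 le 32
ip prefix-list DENY-PRIVATE seq 15 deny 127.0.0.0/8 le 32
ip prefix-list DENY-PRIVATE seq 20 deny 169.254.0.0/16 le 32
ip prefix-list DENY-PRIVATE seq 25 deny 172.16.0.0/12 le 32
ip prefix-list DENY-PRIVATE seq 30 deny 192.0.2.0/24 le 32
ip prefix-list DENY-PRIVATE seq 35 deny 192.168.0.0/16 le 32
ip prefix-list DENY-PRIVATE seq 40 deny 240.0.0.0/4 le 32
ip prefix-list DENY-PRIVATE seq 100 permit 0.0.0.0/0 le 32
!
router bgp 64500
 neighbor 198.51.100.1 prefix-list DENY-PRIVATE in
```

Use one of the two inbound filters on the neighbor, not both. After a soft inbound refresh of the session, `show ip prefix-list detail` reports per-entry hit counts, which confirms whether the peer is actually sending any of these blocks.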