[afnog] Private IP Filters in bgp
Patrick Okui
pokui at psg.com
Fri May 25 19:19:29 UTC 2012
Hi Yasini,
In addition to the excellent advice you've already received, I'd add one
more bit:
On 25/05/2012 2:14 PM, Yasini Kilima wrote:
[snip]
> ip prefix-list DENY-PRIVATE description Filter bogons
> ip prefix-list DENY-PRIVATE deny 0.0.0.0/8
> ip prefix-list DENY-PRIVATE deny 10.0.0.0/8
> ip prefix-list DENY-PRIVATE deny 127.0.0.0/8
> ip prefix-list DENY-PRIVATE deny 169.254.0.0/16
> ip prefix-list DENY-PRIVATE deny 172.16.0.0/12
> ip prefix-list DENY-PRIVATE deny 192.0.2.0/24
> ip prefix-list DENY-PRIVATE deny 192.168.0.0/16
> ip prefix-list DENY-PRIVATE deny 240.0.0.0/4
On 25/05/2012 2:58 PM, Nishal Goburdhan wrote:
> try:
> ip prefix-list DENY-PRIVATE permit 0.0.0.0/0 le 32
as configured, each of these terms except Nishal's addition match
specific advertisments. e.g your list will drop an advertisment for the
network 10.0.0.0/8 but will permit an advertisment for 10.0.0.0/24 or
10.10.0.0/16 (because 10/24 != 10/8).
you may want to modify your prefix list to:
ip prefix-list DENY-PRIVATE deny 0.0.0.0/8 le 32
ip prefix-list DENY-PRIVATE deny 10.0.0.0/8 le 32
ip prefix-list DENY-PRIVATE deny 127.0.0.0/8 le 32
ip prefix-list DENY-PRIVATE deny 169.254.0.0/16 le 32
ip prefix-list DENY-PRIVATE deny 172.16.0.0/12 le 32
ip prefix-list DENY-PRIVATE deny 192.0.2.0/24 le 32
ip prefix-list DENY-PRIVATE deny 192.168.0.0/16 le 32
ip prefix-list DENY-PRIVATE deny 240.0.0.0/4 le 32
ip prefix-list DENY-PRIVATE permit 0.0.0.0/0 le 32
you could also chose to drop any advertisment longer than a /24 but
that's left as an exercise for the original poster.
--
patrick
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
URL: <http://afnog.org/pipermail/afnog/attachments/20120525/26030cd9/attachment.sig>
More information about the afnog
mailing list