[afnog] Private IP Filters in bgp

Patrick Okui pokui at psg.com
Fri May 25 19:19:29 UTC 2012


Hi Yasini,

In addition to the excellent advice you've already received, I'd add one
more bit:

On 25/05/2012 2:14 PM, Yasini Kilima wrote:
[snip]
> ip prefix-list DENY-PRIVATE description Filter bogons
> ip prefix-list DENY-PRIVATE deny 0.0.0.0/8
> ip prefix-list DENY-PRIVATE deny 10.0.0.0/8
> ip prefix-list DENY-PRIVATE deny 127.0.0.0/8
> ip prefix-list DENY-PRIVATE deny 169.254.0.0/16
> ip prefix-list DENY-PRIVATE deny 172.16.0.0/12
> ip prefix-list DENY-PRIVATE deny 192.0.2.0/24
> ip prefix-list DENY-PRIVATE deny 192.168.0.0/16
> ip prefix-list DENY-PRIVATE deny 240.0.0.0/4

On 25/05/2012 2:58 PM, Nishal Goburdhan wrote:
> try:
> ip prefix-list DENY-PRIVATE permit 0.0.0.0/0 le 32


as configured, each of these terms except Nishal's addition matches
specific advertisements. e.g. your list will drop an advertisement for the
network 10.0.0.0/8 but will permit an advertisement for 10.0.0.0/24 or
10.10.0.0/16 (because 10/24 != 10/8).

you may want to modify your prefix list to:

ip prefix-list DENY-PRIVATE deny 0.0.0.0/8 le 32
ip prefix-list DENY-PRIVATE deny 10.0.0.0/8 le 32
ip prefix-list DENY-PRIVATE deny 127.0.0.0/8 le 32
ip prefix-list DENY-PRIVATE deny 169.254.0.0/16 le 32
ip prefix-list DENY-PRIVATE deny 172.16.0.0/12 le 32
ip prefix-list DENY-PRIVATE deny 192.0.2.0/24 le 32
ip prefix-list DENY-PRIVATE deny 192.168.0.0/16 le 32
ip prefix-list DENY-PRIVATE deny 240.0.0.0/4 le 32
ip prefix-list DENY-PRIVATE permit 0.0.0.0/0 le 32

you could also choose to drop any advertisement longer than a /24 but
that's left as an exercise for the original poster.

--
patrick
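Patrick's point about exact matching versus `le 32`, worked through in an added Python model of IOS prefix-list matching (my illustration, not code from anyone in the thread). The sample routes, the `41.0.0.0/16` test prefix and the `ge 25` term for his "/24 exercise" are constructed for the example.

```python
import ipaddress

# IOS prefix-list semantics (added model, not from the thread): a term matches
# a route when the route lies inside the term's prefix AND its length satisfies
# the optional ge/le bounds; with no ge/le only an exact-length match counts.
# First matching term wins; a route matching no term is implicitly denied.

def parse_term(line):
    """Parse 'ip prefix-list NAME permit|deny PREFIX [ge N] [le M]'."""
    t = line.split()
    action, prefix, ge, le = t[3], ipaddress.ip_network(t[4]), None, None
    for kw, val in zip(t[5::2], t[6::2]):
        if kw == "ge":
            ge = int(val)
        elif kw == "le":
            le = int(val)
    return action, prefix, ge, le

def term_matches(term, route):
    _, prefix, ge, le = term
    if not route.subnet_of(prefix):
        return False
    if ge is None and le is None:           # no range given: exact length only
        return route.prefixlen == prefix.prefixlen
    lo = ge if ge is not None else prefix.prefixlen
    hi = le if le is not None else route.max_prefixlen
    return lo <= route.prefixlen <= hi

def evaluate(prefix_list, route):
    """Return 'permit' or 'deny' for one route against a list of IOS lines."""
    route = ipaddress.ip_network(route)
    for line in prefix_list:
        if line.split()[3] == "description":
            continue
        term = parse_term(line)
        if term_matches(term, route):
            return term[0]
    return "deny"                           # implicit deny at end of list

BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "240.0.0.0/4"]
PERMIT_ANY = "ip prefix-list DENY-PRIVATE permit 0.0.0.0/0 le 32"
# Yasini's exact-match terms plus Nishal's permit-any: more-specifics leak through.
LOOSE = [f"ip prefix-list DENY-PRIVATE deny {p}" for p in BOGONS] + [PERMIT_ANY]
# Patrick's version: 'le 32' also catches every more-specific route.
FIXED = [f"ip prefix-list DENY-PRIVATE deny {p} le 32" for p in BOGONS] + [PERMIT_ANY]
# The exercise Patrick leaves: additionally drop anything longer than a /24 (constructed term).
STRICT = FIXED[:-1] + ["ip prefix-list DENY-PRIVATE deny 0.0.0.0/0 ge 25", PERMIT_ANY]

if __name__ == "__main__":
    for r in ["10.0.0.0/8", "10.0.0.0/24", "10.10.0.0/16", "41.0.0.0/16", "41.0.0.0/28"]:
        print(r, evaluate(LOOSE, r), evaluate(FIXED, r), evaluate(STRICT, r))
```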


