[afnog] Private IP Filters in bgp
Mohamed Faye
mohamed.faye at qcell.gm
Sat May 26 06:38:38 UTC 2012
Hello Yasini,
When blocking private address space in BGP you have to use a BGP sanity
filter; this does the job. You always have to do this as a best
practice: they say in BGP that you don't have to trust your upstream
provider, so always do a sanity filter. I have corrected it below for you,
so you can just copy and paste it and it should be fine.
match ip address prefix-list bgp-sanity-filter
ip prefix-list bgp-sanity-filter deny 0.0.0.0/8 le 32
ip prefix-list bgp-sanity-filter deny 10.0.0.0/8 le 32
ip prefix-list bgp-sanity-filter deny 127.0.0.0/8 le 32
ip prefix-list bgp-sanity-filter deny 169.254.0.0/16 le 32
ip prefix-list bgp-sanity-filter deny 172.16.0.0/12 le 32
ip prefix-list bgp-sanity-filter deny 192.0.2.0/24 le 32
ip prefix-list bgp-sanity-filter deny 192.168.0.0/16 le 32
ip prefix-list bgp-sanity-filter deny 240.0.0.0/4 le 32
ip prefix-list bgp-sanity-filter permit 0.0.0.0/0 le 32
Regards,
Mohamed Faye
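A small model of how an IOS-style prefix-list is evaluated, added here as an illustration and not code from either post. It reproduces the three behaviours the thread turns on: the trailing permit written as 0.0.0.0/0 le 32, the implicit deny that drops every route (including public ones) when no permit entry made it into the list, and the difference between a deny with "le 32" and a deny with no length range, which only matches the exact prefix. The sample announcement and the 8.8.8.0/24 public prefix are constructed for the example.

```python
"""Cisco-style ip prefix-list evaluator (added example, not from the thread).

An entry matches a received route when the route lies inside the entry's
prefix and the route's length is within [ge, le]. With neither bound given,
only the exact prefix length matches; 'le 32' makes every more-specific match.
First match wins, and a list with no matching entry denies implicitly.
"""
import ipaddress

def make_entry(action, prefix, ge=None, le=None):
    net = ipaddress.ip_network(prefix, strict=False)
    lo = ge if ge is not None else net.prefixlen
    if le is not None:
        hi = le
    else:  # 'ge' alone extends to the maximum length; no range means exact
        hi = net.max_prefixlen if ge is not None else net.prefixlen
    return (action, net, lo, hi)

def evaluate(entries, route):
    """Return 'permit' or 'deny' for one received route."""
    r = ipaddress.ip_network(route, strict=False)
    for action, net, lo, hi in entries:
        if r.version == net.version and r.subnet_of(net) and lo <= r.prefixlen <= hi:
            return action
    return "deny"  # implicit deny at the end of every prefix-list

# Bogon/private prefixes listed in both posts above
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "240.0.0.0/4"]

# The bgp-sanity-filter from the reply: deny ... le 32, then permit 0.0.0.0/0 le 32
SANITY_FILTER = ([make_entry("deny", p, le=32) for p in BOGONS]
                 + [make_entry("permit", "0.0.0.0/0", le=32)])

# What the router ends up with when the permit line is rejected: denies only
DENY_ONLY = [make_entry("deny", p) for p in BOGONS]

# Denies without 'le 32' plus a working permit: only exact-length bogons match
EXACT_DENY = ([make_entry("deny", p) for p in BOGONS]
              + [make_entry("permit", "0.0.0.0/0", le=32)])

def filter_routes(entries, routes):
    """Return the subset of received routes the prefix-list would permit."""
    return [r for r in routes if evaluate(entries, r) == "permit"]

if __name__ == "__main__":
    # Constructed sample announcement from a peer: two bogons, one public prefix
    received = ["10.1.0.0/16", "192.168.10.0/24", "8.8.8.0/24"]
    for name, plist in [("sanity", SANITY_FILTER), ("deny-only", DENY_ONLY),
                        ("exact-deny", EXACT_DENY)]:
        print(name, filter_routes(plist, received))
```

Running it shows the sanity filter passing only 8.8.8.0/24, the deny-only list passing nothing (the "no BGP routes at all" symptom), and the exact-length list leaking both more-specific private prefixes.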
On 05/25/2012 11:14 AM, Yasini Kilima wrote:
> Hello Gurus,
>
> I am trying to create an IP prefix filter to filter bogons (private blocks) received from one of my peer providers' announcements.
> I know the following filter would help me, but surprisingly the last entry of the list doesn't execute. Is it a problem with the IOS on my ASBR, or what?
>
> ip prefix-list DENY-PRIVATE description Filter bogons
> ip prefix-list DENY-PRIVATE deny 0.0.0.0/8
> ip prefix-list DENY-PRIVATE deny 10.0.0.0/8
> ip prefix-list DENY-PRIVATE deny 127.0.0.0/8
> ip prefix-list DENY-PRIVATE deny 169.254.0.0/16
> ip prefix-list DENY-PRIVATE deny 172.16.0.0/12
> ip prefix-list DENY-PRIVATE deny 192.0.2.0/24
> ip prefix-list DENY-PRIVATE deny 192.168.0.0/16
> ip prefix-list DENY-PRIVATE deny 240.0.0.0/4
> ip prefix-list DENY-PRIVATE permit any
>
> ip prefix-list DENY-PRIVATE permit any (This doesn't execute it gives an error as here below):
>
> INTERNET_LINK(config)#$ist DENY-PRIVATE description Filter bogons
> INTERNET_LINK(config)#ip prefix-list DENY-PRIVATE deny 0.0.0.0/8
> INTERNET_LINK(config)#ip prefix-list DENY-PRIVATE deny 10.0.0.0/8
> INTERNET_LINK(config)#ip prefix-list DENY-PRIVATE deny 127.0.0.0/8
> INTERNET_LINK(config)#ip prefix-list DENY-PRIVATE deny 169.254.0.0/16
> INTERNET_LINK(config)#ip prefix-list DENY-PRIVATE deny 172.16.0.0/12
> INTERNET_LINK(config)#ip prefix-list DENY-PRIVATE deny 192.0.2.0/24
> INTERNET_LINK(config)#ip prefix-list DENY-PRIVATE deny 192.168.0.0/16
> INTERNET_LINK(config)#ip prefix-list DENY-PRIVATE deny 240.0.0.0/4
> INTERNET_LINK(config)#ip prefix-list DENY-PRIVATE permit any
> ^
> % Invalid input detected at '^' marker.
>
> INTERNET_LINK(config)#
>
> I am sure the command is correct; you can correct me if I am wrong.
> How can I permit any, then?
> Is it an IOS issue, or am I not correct? If so, what should I do in order to permit any?
> When I apply the list regardless, I can't get any BGP routes from that provider, even the PUBLIC prefixes, but I can receive the PUBLIC prefixes from other providers as usual.
>
> I don't want to receive his PRIVATE prefixes. What should I do?
>
> Please help me!
>
> Yasini.
>