[afnog] Private IP Filters in bgp

Philip Smith pfsinoz at gmail.com
Sun May 27 05:58:58 UTC 2012


Please don't use access-lists for filtering BGP prefix announcements...
Cisco introduced prefix-lists in 1996 for a very good reason... :-)

You can see why when you compare the two ways of doing exactly the same
thing (Noah's and Nishal's answers). The prefix-list version is somewhat
simpler (and more intuitive) to configure, and is actually significantly
faster for the router to process (don't remember how much, but at least
an order of magnitude).

In the spirit of Nishal's AfNOG SIE Workshop reply, check the Wednesday
morning BGP Policy presentation for the AfNOG Advanced Routing workshop:

http://www.ws.afnog.org/afnog2012/are/detail.html

philip
--

Maina Noah said the following on 25/05/12 22:05 :
>> Message: 3
>> Date: Fri, 25 May 2012 11:14:22 +0000
>> From: Yasini Kilima <ykilima at tra.go.tz>
>> To: "afnog at afnog.org" <afnog at afnog.org>
>> Subject: [afnog] Private IP Filters in bgp
> 
>> Hello Gurus,
> 
> Hello Yasin,
> 
>> I am trying to create an IP prefix filter to filter bogons Private blocks
>> received from one of my peer provider's announcements.
> 
> Great.
> 
>> I don't want to receive his PRIVATE prefixes what should I do?
> 
> Create an access-list like the example below that will match the above
> distribute list defined in your bgp config.
> 
> access-list 100 remark RFC1918-Bogon-prefixes
> access-list 100 deny   ip host 0.0.0.0 any
> access-list 100 deny   ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
> access-list 100 deny   ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
> access-list 100 deny   ip 169.254.0.0 0.0.255.255 255.255.0.0 0.0.255.255
> access-list 100 deny   ip 192.168.0.0 0.0.255.255 255.255.255.0 0.0.0.255
> access-list 100 deny   ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255
> access-list 100 deny   ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
> access-list 100 deny   ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
> access-list 100 permit ip any any
> 
> Then, under your bgp config mode, define a distribute list like;
> 
> router bgp xyz
>  neighbor a.b.c.d distribute-list 100 in
> 
>> Please help me!
> 
> I hope the above will help.
> 
>> Yasini.
>>
> 
> ./noah maina
> 
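To make Philip's comparison concrete, here is an added example (not from the thread or from any of the posters) that models Cisco IOS prefix-list matching in Python and applies a prefix-list equivalent of Noah's access-list 100 to constructed announcements. The entries, the `le 24` bound on the final permit, and the sample routes are assumptions for illustration.

```python
import ipaddress

# Constructed prefix-list in the shape of IOS "ip prefix-list" entries:
# (action, prefix, ge, le). ge/le bound the matched prefix length; None
# means "no bound given". First match wins; an implicit deny ends the list.
BOGON_PREFIX_LIST = [
    ("deny",   "0.0.0.0/8",      None, 32),
    ("deny",   "10.0.0.0/8",     None, 32),
    ("deny",   "127.0.0.0/8",    None, 32),
    ("deny",   "169.254.0.0/16", None, 32),
    ("deny",   "172.16.0.0/12",  None, 32),
    ("deny",   "192.168.0.0/16", None, 32),
    ("deny",   "224.0.0.0/3",    None, 32),
    # Everything else is accepted, but nothing more specific than a /24
    ("permit", "0.0.0.0/0",      None, 24),
]


def entry_matches(entry, route):
    """IOS semantics: route must lie inside the entry's block, and its
    length must fall in the range implied by ge/le (exact when neither)."""
    _action, prefix, ge, le = entry
    base = ipaddress.ip_network(prefix)
    if not route.subnet_of(base):
        return False
    if ge is None and le is None:
        return route.prefixlen == base.prefixlen
    lo = ge if ge is not None else base.prefixlen
    hi = le if le is not None else route.max_prefixlen
    return lo <= route.prefixlen <= hi


def evaluate(route_str, prefix_list=BOGON_PREFIX_LIST):
    """Return 'permit' or 'deny' for a received announcement."""
    route = ipaddress.ip_network(route_str)
    for entry in prefix_list:
        if entry_matches(entry, route):
            return entry[0]
    return "deny"  # implicit deny at the end of every prefix-list


if __name__ == "__main__":
    # Constructed sample announcements from a peer
    for r in ["10.1.0.0/16", "172.20.0.0/14", "203.0.113.0/24",
              "203.0.113.0/25", "224.0.0.0/4"]:
        print(f"{r:16} -> {evaluate(r)}")
```

Note that a single `10.0.0.0/8 le 32` entry covers every more-specific of the block, which is what the extended access-list expresses with the paired address/mask wildcards.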