[afnog] Private IP Filters in bgp
Yasini Kilima
ykilima at tra.go.tz
Sun May 27 07:36:19 UTC 2012
Hello Philip,
Thanks very much
Actually I used prefix filters with length boundaries
This was my last test from all the advises I received from folks and I just left this is place,
Therefore by chance I did this and as you explain it is the BCP introduced by Cisco,
Thanks Philip.
Yasini.
-----Original Message-----
From: afnog-bounces at afnog.org [mailto:afnog-bounces at afnog.org] On Behalf Of Philip Smith
Sent: Sunday, May 27, 2012 8:59 AM
To: afnog at afnog.org
Subject: Re: [afnog] Private IP Filters in bgp
Please don't use access-lists for filtering BGP prefix announcements...
Cisco introduced prefix-lists in 1996 for a very good reason... :-)
You can see why when you compare the two ways of doing exactly the same thing (Noah's and Nishal's answers). The prefix-list version is somewhat simpler (and more intuitive) to configure, and is actually significantly faster for the router to process (don't remember how much, but at least an order of magnitude).
In the spirit of Nishal's AfNOG SIE Workshop reply, check the Wednesday morning BGP Policy presentation for the AfNOG Advanced Routing workshop:
http://www.ws.afnog.org/afnog2012/are/detail.html
philip
--
Maina Noah said the following on 25/05/12 22:05 :
>> Message: 3
>> Date: Fri, 25 May 2012 11:14:22 +0000
>> From: Yasini Kilima <ykilima at tra.go.tz>
>> To: "afnog at afnog.org" <afnog at afnog.org>
>> Subject: [afnog] Private IP Filters in bgp
>
>> Hello Gurus,
>
> Hello Yasin,
>
>> I am trying to create an IP prefix filter to filter bogons Private
>> blocks received from one of my peer provider's announcements.
>
> Great.
>
>> I don't want to receive his PRIVATE prefixes what should I do?
>
> Create the access-list like example below that will match the above
> distribute list defined in ur bgp config.
>
> access-list 100 remark RFC1918-Bogon-prefixes
> access-list 100 deny ip host 0.0.0.0 any
> access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
> access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
> access-list 100 deny ip 169.254.0.0 0.0.255.255 255.255.0.0 0.0.255.255
> access-list 100 deny ip 17.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
> access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.255.0 0.0.0.255
> access-list 100 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255
> access-list 100 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
> access-list 100 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
> access-list 100 permit ip any any
>
> Then, under your bgp config mode, define a distribute list like;
>
> router bgp xyz
> neighbor a.b.c.d distribute-list 100 in
>
>> Please help me!
>
> I hope the above will help.
>
>> Yasini.
>>
>
> ./noah maina
>
>
>
> _______________________________________________
> afnog mailing list
> http://afnog.org/mailman/listinfo/afnog
>
_______________________________________________
afnog mailing list
http://afnog.org/mailman/listinfo/afnog
________________________________
DISCLAIMER: This e-mail and any attachments are proprietary to TANZANIA REVENUE AUTHORITY.Any unauthorized use or interception is illegal. The views and opinions expressed are those of the sender, unless clearly stated as being those of TANZANIA REVENUE AUTHORITY. This e-mail is only addressed to the addressee and TANZANIA REVENUE AUTHORITY shall not be responsible for any further publication of the contents of this e-mail. If this e-mail is not addressed to you, you may not copy, print, distribute or disclose the contents to anyone nor act on its contents. If you received this in error, please inform the sender and delete this e-mail from your computer.
More information about the afnog
mailing list