[afnog] Private IP Filters in bgp

Yasini Kilima ykilima at tra.go.tz
Sun May 27 07:36:19 UTC 2012


Hello Philip,

Thanks very much

Actually I used prefix filters with length boundaries

This was my last test from all the advice I received from folks, and I just left this in place.

Therefore, by chance I did this, and as you explain it is the BCP introduced by Cisco.

Thanks Philip.

Yasini.

-----Original Message-----
From: afnog-bounces at afnog.org [mailto:afnog-bounces at afnog.org] On Behalf Of Philip Smith
Sent: Sunday, May 27, 2012 8:59 AM
To: afnog at afnog.org
Subject: Re: [afnog] Private IP Filters in bgp

Please don't use access-lists for filtering BGP prefix announcements...
Cisco introduced prefix-lists in 1996 for a very good reason... :-)

You can see why when you compare the two ways of doing exactly the same thing (Noah's and Nishal's answers). The prefix-list version is somewhat simpler (and more intuitive) to configure, and is actually significantly faster for the router to process (don't remember how much, but at least an order of magnitude).

In the spirit of Nishal's AfNOG SIE Workshop reply, check the Wednesday morning BGP Policy presentation for the AfNOG Advanced Routing workshop:

http://www.ws.afnog.org/afnog2012/are/detail.html

philip
--

Maina Noah said the following on 25/05/12 22:05 :
>> Message: 3
>> Date: Fri, 25 May 2012 11:14:22 +0000
>> From: Yasini Kilima <ykilima at tra.go.tz>
>> To: "afnog at afnog.org" <afnog at afnog.org>
>> Subject: [afnog] Private IP Filters in bgp
>
>> Hello Gurus,
>
> Hello Yasin,
>
>> I am trying to create an IP prefix filter to filter bogons Private
>> blocks received from one of my peer provider's announcements.
>
> Great.
>
>> I don't want to receive his PRIVATE prefixes what should I do?
>
> Create an access-list like the example below that will match the
> distribute list defined in your bgp config.
>
> access-list 100 remark RFC1918-Bogon-prefixes
> access-list 100 deny   ip host 0.0.0.0 any
> access-list 100 deny   ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
> access-list 100 deny   ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
> access-list 100 deny   ip 169.254.0.0 0.0.255.255 255.255.0.0 0.0.255.255
> access-list 100 deny   ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
> access-list 100 deny   ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
> access-list 100 deny   ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255
> access-list 100 deny   ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
> access-list 100 permit ip any any
>
> Then, under your bgp config mode, define a distribute list like:
>
> router bgp xyz
>  neighbor a.b.c.d distribute-list 100 in
>
>> Please help me!
>
> I hope the above will help.
>
>> Yasini.
>>
>
> ./noah maina
>
>
>
> _______________________________________________
> afnog mailing list
> http://afnog.org/mailman/listinfo/afnog
>

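The prefix-list form Philip recommends, as an added example that is not from the thread or from any of the posters: a constructed IOS-style prefix-list (the name BOGONS-IN and the sequence numbers are assumed) that does what the extended ACL above does, plus a conventional "nothing more specific than /24" rule at seq 45 that is an assumption here, not something the thread states. The Python code models how IOS evaluates such a list (first matching sequence wins, `ge`/`le` set the length boundaries, an unmatched prefix hits the implicit deny) so the semantics can be checked offline; the received announcements are made up.

```python
import ipaddress
import re

# Constructed example (not from the thread): an IOS-style prefix-list doing
# what the extended ACL posted earlier does, written with length boundaries.
# seq 45 (reject anything more specific than /24) is a common inbound policy
# choice assumed here; the thread itself does not state it.
BOGONS_IN = """\
ip prefix-list BOGONS-IN seq 5 deny 0.0.0.0/0
ip prefix-list BOGONS-IN seq 10 deny 0.0.0.0/8 le 32
ip prefix-list BOGONS-IN seq 15 deny 10.0.0.0/8 le 32
ip prefix-list BOGONS-IN seq 20 deny 127.0.0.0/8 le 32
ip prefix-list BOGONS-IN seq 25 deny 169.254.0.0/16 le 32
ip prefix-list BOGONS-IN seq 30 deny 172.16.0.0/12 le 32
ip prefix-list BOGONS-IN seq 35 deny 192.168.0.0/16 le 32
ip prefix-list BOGONS-IN seq 40 deny 224.0.0.0/3 le 32
ip prefix-list BOGONS-IN seq 45 deny 0.0.0.0/0 ge 25
ip prefix-list BOGONS-IN seq 50 permit 0.0.0.0/0 le 24
"""

LINE_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+) seq (?P<seq>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<prefix>\S+)(?:\s+ge (?P<ge>\d+))?(?:\s+le (?P<le>\d+))?$"
)


def parse_prefix_list(text):
    """Parse 'ip prefix-list' lines into (seq, action, network, lo, hi) tuples,
    sorted by seq. lo..hi is the range of prefix lengths the entry matches:
    no ge/le -> exactly the entry's length; le N -> length..N;
    ge N -> N..32; ge N le M -> N..M. Like IOS, reject ge/le values that are
    not greater than the entry's own length."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised prefix-list line: %r" % line)
        net = ipaddress.ip_network(m.group("prefix"), strict=True)
        plen, maxlen = net.prefixlen, net.max_prefixlen
        ge = int(m.group("ge")) if m.group("ge") else None
        le = int(m.group("le")) if m.group("le") else None
        lo = ge if ge is not None else plen
        hi = le if le is not None else (maxlen if ge is not None else plen)
        if (ge is not None and ge <= plen) or (le is not None and le <= plen) \
                or not plen <= lo <= hi <= maxlen:
            raise ValueError("bad ge/le range (need len < ge <= le <= %d): %r"
                             % (maxlen, line))
        entries.append((int(m.group("seq")), m.group("action"), net, lo, hi))
    return sorted(entries, key=lambda e: e[0])


def evaluate(entries, prefix):
    """First matching sequence wins: the announced prefix must fall inside the
    entry's network and its length must be within lo..hi. No match means the
    implicit deny at the end of every prefix-list, reported as seq None."""
    net = ipaddress.ip_network(prefix, strict=True)
    for seq, action, entry_net, lo, hi in entries:
        if net.subnet_of(entry_net) and lo <= net.prefixlen <= hi:
            return action, seq
    return "deny", None


def apply_policy(entries, received):
    """Split received announcements into accepted/rejected, each mapped to the
    sequence number that decided it."""
    accepted, rejected = {}, {}
    for prefix in received:
        action, seq = evaluate(entries, prefix)
        (accepted if action == "permit" else rejected)[prefix] = seq
    return accepted, rejected


# Constructed sample of what a peer might send; the addresses are illustrative.
RECEIVED = ["0.0.0.0/0", "10.1.0.0/16", "172.20.8.0/22", "192.168.0.0/16",
            "196.0.0.0/8", "197.255.0.0/20", "203.0.113.128/25"]

if __name__ == "__main__":
    pl = parse_prefix_list(BOGONS_IN)
    ok, bad = apply_policy(pl, RECEIVED)
    for prefix, seq in bad.items():
        print("deny   %-18s seq %s" % (prefix, seq))
    for prefix, seq in ok.items():
        print("permit %-18s seq %s" % (prefix, seq))
```

The point of the length boundary is that `192.168.0.0/16 le 32` says in one place exactly which lengths it covers, whereas the extended-ACL form tests the prefix and the netmask as two separate wildcard matches, and a mistake in the mask half silently leaves some lengths unfiltered. The parser also mirrors the IOS rule that `ge` and `le` must be greater than the entry's own length, so a typo such as `10.0.0.0/8 ge 8` is rejected rather than quietly matching nothing.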

