On Wed, 27 Feb 2013, Jay Hennigan wrote:

On 2/27/13 4:07 PM, Jerry Bacon wrote:

I've tried with and without next-hop-self on R3, it doesn't seem to make
any difference.

ip as-path access-list 10 permit ^11xx1
ip as-path access-list 10 deny _11xx1_
ip as-path access-list 10 permit .*

You could simplify that to:

ip as-path access-list 10 deny _11xx1_
ip as-path access-list 10 permit .*   <- Dangerous outbound to transit connections.

Or simplify things more by using prefix filters / route-maps on the customer BGP sessions to deny/accept+tag routes with communities that tell the rest of your network what to do with the routes (i.e. whether a route gets advertised to your transit providers, etc.). That ends up being much saner as you have smaller filters in more places rather than monster filters at the border where you'll lose track of why things are there.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
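The following is an added example and not code from the thread or from anyone on it. It models the two export-policy styles discussed above in Python: a single as-path access-list with a trailing `permit .*` applied outbound to transit, versus a per-customer prefix filter that tags accepted routes with a community which the transit egress policy then matches. The customer ASN (64500, standing in for the redacted 11xx1), the community value 64496:100, the prefixes and the route sources are all constructed for the illustration. The `_` translation follows the IOS as-path regex rule that `_` matches a space, comma, brace, parenthesis, or the start or end of the path.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Hypothetical stand-in for the thread's redacted customer ASN (11xx1).
CUSTOMER_AS = "64500"
# Hypothetical "ok to advertise to transit" community.
EXPORT_TO_TRANSIT = "64496:100"


@dataclass
class Route:
    prefix: str
    as_path: str                 # space-separated, IOS display order
    source: str                  # "customer" or "transit" (hypothetical labels)
    communities: Set[str] = field(default_factory=set)


# Constructed sample announcements (not from the thread).
ANNOUNCEMENTS = [
    Route("192.0.2.0/24",     f"{CUSTOMER_AS}", "customer"),   # customer's own prefix
    Route("198.51.100.0/24",  f"{CUSTOMER_AS}", "customer"),   # prefix the customer is not allowed to send us
    Route("203.0.113.0/24",   "64501 64502",    "transit"),    # learned from a transit provider
    Route("203.0.113.128/25", "64501 64500",    "transit"),    # customer AS reached via another transit
]

# Prefixes this customer is contracted to announce to us (hypothetical).
CUSTOMER_PREFIX_LIST = {"192.0.2.0/24"}


# ---- Style 1: one as-path access-list applied outbound to transit ----

def cisco_aspath_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an IOS as-path regex: '_' matches a space, comma, brace,
    parenthesis, or the start/end of the AS path. Other metacharacters
    (^, $, ., *) mean the same thing in both dialects."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))


def aspath_list_permits(entries: List[Tuple[str, str]], as_path: str) -> bool:
    """Ordered evaluation, first match wins, implicit deny at the end (IOS semantics)."""
    for action, pattern in entries:
        if cisco_aspath_regex(pattern).search(as_path):
            return action == "permit"
    return False


TRANSIT_EXPORT_ACL = [
    ("permit", f"^{CUSTOMER_AS}"),
    ("deny",   f"_{CUSTOMER_AS}_"),
    ("permit", ".*"),        # catch-all: anything not matched above is exported
]


def export_with_aspath_acl(announcements: List[Route]) -> List[str]:
    """No per-session ingress policy; the border as-path list is the only control."""
    return [r.prefix for r in announcements
            if aspath_list_permits(TRANSIT_EXPORT_ACL, r.as_path)]


# ---- Style 2: prefix-filter and tag at customer ingress, match the tag at egress ----

def customer_ingress(route: Route, allowed: Set[str]) -> Optional[Route]:
    """Per-customer inbound route-map: drop unexpected prefixes, tag the rest."""
    if route.prefix not in allowed:
        return None
    route.communities.add(EXPORT_TO_TRANSIT)
    return route


def transit_egress_permits(route: Route) -> bool:
    """Outbound to transit: permit only tagged routes; anything else hits the implicit deny."""
    return EXPORT_TO_TRANSIT in route.communities


def export_with_communities(announcements: List[Route]) -> List[str]:
    rib: List[Route] = []
    for r in announcements:
        # copy so both styles evaluate the same untouched input
        r = Route(r.prefix, r.as_path, r.source, set(r.communities))
        if r.source == "customer":
            r = customer_ingress(r, CUSTOMER_PREFIX_LIST)
        # transit-learned routes are accepted but never tagged for re-export
        if r is not None:
            rib.append(r)
    return [r.prefix for r in rib if transit_egress_permits(r)]


if __name__ == "__main__":
    print("as-path ACL exports:      ", export_with_aspath_acl(ANNOUNCEMENTS))
    print("community policy exports: ", export_with_communities(ANNOUNCEMENTS))
```

Run stand-alone, the as-path style exports the customer's unauthorised prefix and the other transit's route (the `permit .*` catch-all lets both through), while the community style exports only the prefix the customer is entitled to announce, because nothing reaches the transit session without having been tagged on a customer session.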