On 2/27/2013 7:45 PM, Jon Lewis wrote:
On Wed, 27 Feb 2013, Jay Hennigan wrote:
You could simplify that to:
ip as-path access-list 10 deny _11xx1_
ip as-path access-list 10 permit .* <- Dangerous outbound to transit connections.
Or simplify things more by using prefix filters / route-maps on the
customer BGP sessions to deny/accept+tag routes with communities that
tell the rest of your network what to do with the routes (i.e. whether
a route gets advertised to your transit providers, etc.). That ends
up being much saner as you have smaller filters in more places rather
than monster filters at the border where you'll lose track of why
things are there.
I do have filters on the customer BGP sessions, but I have to disallow
his AS from my upstreams, or I become a transit for those routes.
--
Jerry Bacon
Senior Network Engineer
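The community-tagging approach Jon describes, written out as an added Cisco IOS example for this thread (it is not configuration posted by any of the participants). All AS numbers, prefixes, neighbor addresses and community values below are assumed placeholders: 65001 is the local AS, 65002 the customer, 65003 the transit provider. Routes are tagged on ingress from the customer and only tagged routes are allowed out to transit, so prefixes learned from peers or other non-customer sessions never reach the upstream and the local AS cannot become transit for them.

```ios
! --- Customer session: accept only the customer's own prefixes and tag them ---
! Assumed: customer AS 65002 announces 192.0.2.0/24 (placeholder values)
ip prefix-list CUST-A-IN seq 5 permit 192.0.2.0/24
!
route-map CUST-A-IN permit 10
 match ip address prefix-list CUST-A-IN
 set community 65001:100 additive
! Implicit deny at the end of the route-map drops anything else the customer sends
!
! --- Transit session: only routes carrying a "customer" or "own" tag go out ---
ip community-list standard CUST-ROUTES permit 65001:100
ip community-list standard OWN-ROUTES permit 65001:1
!
route-map TRANSIT-OUT permit 10
 match community CUST-ROUTES OWN-ROUTES
! Explicit final deny documents the intent: nothing untagged leaks to transit
route-map TRANSIT-OUT deny 20
!
router bgp 65001
 ! locally originated space is tagged with the "own" community (placeholder prefix)
 network 198.18.0.0 mask 255.255.0.0 route-map SET-OWN
 neighbor 198.51.100.2 remote-as 65002
 neighbor 198.51.100.2 description customer-A
 neighbor 198.51.100.2 route-map CUST-A-IN in
 neighbor 203.0.113.1 remote-as 65003
 neighbor 203.0.113.1 description transit
 neighbor 203.0.113.1 route-map TRANSIT-OUT out
 ! iBGP neighbors must carry the tags across the network for this to work
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 send-community
!
route-map SET-OWN permit 10
 set community 65001:1 additive
```

A quick check after applying it is `show ip bgp neighbors 203.0.113.1 advertised-routes`: every prefix listed should also appear in `show ip bgp community 65001:100` or `show ip bgp community 65001:1`. The per-session filters stay short, and the border route-map never needs editing when a customer is added; the `permit .*` catch-all that Jay flagged as dangerous on a transit session is replaced by an explicit deny.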
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/