On Thu, 28 Feb 2013, Jerry Bacon wrote:
On 2/27/2013 7:45 PM, Jon Lewis wrote:
On Wed, 27 Feb 2013, Jay Hennigan wrote:
You could simplify that to:
ip as-path access-list 10 deny _11xx1_
ip as-path access-list 10 permit .* <- Dangerous outbound to transit
connections.
Or simplify things more by using prefix filters / route-maps on the
customer BGP sessions to deny/accept+tag routes with communities that tell
the rest of your network what to do with the routes (i.e. whether a route
gets advertised to your transit providers, etc.). That ends up being much
saner as you have smaller filters in more places rather than monster
filters at the border where you'll lose track of why things are there.
I do have filters on the customer BGP sessions, but I have to disallow his AS
from my upstreams, or I become a transit for those routes.
So this is a BGP peering...but you're not providing transit? We have a
cummunity string for that. The above advice still stands.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
