We use community-based routing for our internet customers in that any static routes or accepted BGP routes are tagged with a community, such that we'll know what we should and should not export to our upstreams. This helps to avoid having to maintain large prefix-lists on each node. I'm now struggling to find another way to prevent our customers from spoofing. The previous method relied on a firewall filter which indeed references a prefix-list of all our customers' space. I'm having a hard time getting away from this, as I can't create a firewall filter which will look up the community assigned to a source-address (to see if it's legitimately a customer). How have others gotten around this? Am I overlooking something? Or is maintaining large lists the only way to go?
David

_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
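As an added illustration, not part of David's post or any vendor tooling: one way to keep the anti-spoofing prefix-list from becoming a hand-maintained burden is to derive it from the same community tags, by collecting the routes that carry the customer community and rendering them into the Junos `prefix-list` and `firewall` stanzas the filter references. The route sample, the community value `64500:100` and the list/filter names are constructed assumptions.

```python
import ipaddress

# Constructed sample of (prefix, communities) pairs, standing in for
# routes exported from the node's routing table (format is an assumption).
SAMPLE_ROUTES = [
    ("192.0.2.0/24", ["64500:100"]),       # customer static route
    ("192.0.2.0/25", ["64500:100"]),       # more-specific of the above
    ("198.51.100.0/24", ["64500:100"]),    # customer BGP route
    ("203.0.113.0/24", ["64500:200"]),     # peer route, not a customer
    ("2001:db8:1::/48", ["64500:100"]),    # customer IPv6 route
]

CUSTOMER_COMMUNITY = "64500:100"  # assumed value of the "customer" community


def customer_prefixes(routes, community):
    """Collect prefixes tagged with `community`, collapsed per address family.

    Returns {4: [...], 6: [...]} with more-specifics absorbed by covering
    prefixes, so the generated list stays as short as the tagging allows.
    """
    nets = [ipaddress.ip_network(p) for p, comms in routes if community in comms]
    out = {}
    for version in (4, 6):
        fam = [n for n in nets if n.version == version]
        out[version] = [str(n) for n in ipaddress.collapse_addresses(fam)]
    return out


def render_prefix_list(name, prefixes):
    """Render a Junos policy-options prefix-list stanza from a prefix list."""
    lines = [f"prefix-list {name} {{"]
    lines += [f"    {p};" for p in prefixes]
    lines.append("}")
    return "\n".join(lines)


def render_antispoof_filter(filter_name, list_name):
    """Render a family inet filter that accepts only customer source addresses."""
    return "\n".join([
        f"filter {filter_name} {{",
        "    term allow-customer-sources {",
        f"        from {{ source-prefix-list {{ {list_name}; }} }}",
        "        then accept;",
        "    }",
        "    term drop-spoofed { then discard; }",
        "}",
    ])


if __name__ == "__main__":
    lists = customer_prefixes(SAMPLE_ROUTES, CUSTOMER_COMMUNITY)
    print(render_prefix_list("CUSTOMERS-V4", lists[4]))
    print(render_antispoof_filter("CUSTOMER-ANTISPOOF", "CUSTOMERS-V4"))
```

Re-running this whenever customer routes change regenerates the list from the tags, so the filter stays in step with the routing policy rather than with a separately edited prefix-list.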

