On Fri, Oct 30, 2015 at 06:31:35PM +0100, Job Snijders wrote:
> On Fri, Oct 30, 2015 at 05:27:22PM +0000, Nick Hilliard wrote:
> > On 30/10/2015 16:57, James Bensley wrote:
> > > What do others have, what have I missed?
> >
> > the asn32 filter can be written as "_42........_", or perhaps "_42[0-9]{8}_"
> >
> > TBH, I'd question the value of filtering weird asns. What matters is
> > filtering out weird prefixes. If you filter out weird ASNs, all you're
> > doing is chewing up the CPU on your RP.
>
> My take: private ASNs have no place in the DFZ, I consider it healthy to
> ignore any and all prefixes which have a private ASN anywhere in the
> AS_PATH.
>
> I'd also drop anything that has _23456_ in the AS_PATH if you know all
> your equipment supports 4-byte ASNs

I do agree with Nick's sentiment that you should consider CPU power a
scarce resource which should not be spent lightly. Avoiding complex
regular expressions might make it easier to maintain the filters.

On JunOS you can block ranges of ASNs like this:

    set policy-options as-path AS_MARTIAN_ASNS ".*[64496-65551].*"

On IOS XR:

    as-path-set AS_MARTIAN_ASNS
      passes-through '[64496..65551]'
    end-set

What platform are you working on?

Kind regards,
Job
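
Added example, not part of the original thread: the numeric-range form of the filters discussed above (AS 23456, the 64496-65551 block, and the 10-digit "42........" ASNs), written as an offline check over AS_PATH strings. The function names, the asplain input format and the sample paths are assumptions made for illustration.

```python
import re

# Ranges taken from the thread. The upper bound 4294967295 is the 32-bit
# maximum (assumption: "_42[0-9]{8}_" cannot match a real ASN above it).
MARTIAN_RANGES = (
    (23456, 23456, "AS_TRANS"),
    (64496, 65551, "martian 64496-65551"),
    (4200000000, 4294967295, "martian 42xxxxxxxx"),
)
_ASN_TOKEN = re.compile(r"\d+")

# Constructed sample paths (asplain notation), not taken from any real feed.
SAMPLE_PATHS = [
    "3356 2914 15169",
    "3356 2914 64512 64512 15169",
    "3356 23456 15169",
    "3356 {64496,4200000001}",
]


def martian_asns(as_path):
    """Return [(asn, label), ...] for each distinct martian ASN in as_path.

    AS_SET members written as "{a,b}" are checked too; prepends count once.
    """
    hits, seen = [], set()
    for token in _ASN_TOKEN.findall(as_path):
        asn = int(token)
        if asn in seen:
            continue
        seen.add(asn)
        for low, high, label in MARTIAN_RANGES:
            if low <= asn <= high:
                hits.append((asn, label))
                break
    return hits


def accept_route(as_path, four_byte_capable=True):
    """Reject the route if a martian ASN appears anywhere in the path.

    AS 23456 only counts when all equipment supports 4-byte ASNs.
    """
    for asn, _ in martian_asns(as_path):
        if asn == 23456 and not four_byte_capable:
            continue
        return False
    return True


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(path, "->", "accept" if accept_route(path) else "drop", martian_asns(path))
```

Comparing integers against ranges avoids the regex backtracking cost raised in the thread and makes the range boundaries explicit.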