On 30 Oct 2015 19:00, "Job Snijders" <[email protected]> wrote:
>
> On Fri, Oct 30, 2015 at 06:31:35PM +0100, Job Snijders wrote:
> > On Fri, Oct 30, 2015 at 05:27:22PM +0000, Nick Hilliard wrote:
> > > On 30/10/2015 16:57, James Bensley wrote:
> > > > What do others have, what have I missed?
> > >
> > > the asn32 filter can be written as "_42........_", or perhaps "_42[0-9]{8}_"
> > >
> > > TBH, I'd question the value of filtering weird asns. What matters is
> > > filtering out weird prefixes. If you filter out weird ASNs, all you're
> > > doing is chewing up the CPU on your RP.
> >
> > My take: private ASNs have no place in the DFZ, I consider it healthy to
> > ignore any and all prefixes which have a private ASN anywhere in the
> > AS_PATH.
> >
> > I'd also drop anything that has _23456_ in the AS_PATH if you know all
> > your equipment supports 4-byte ASNs
>
> I do agree with Nick's sentiment that you should consider CPU power a
> scarce resource which should not be spent lightly. Avoiding complex
> regular expressions might make it easier to maintain the filters.
>
> On JunOS you can block ranges of ASNs like this:
>
>     set policy-options as-path AS_MARTIAN_ASNS ".*[64496-65551].*"
>
> On IOS XR:
>
>     as-path-set AS_MARTIAN_ASNS
>         passes-through '[64496..65551]'
>     end-set
>
> What platform are you working on?
>
> Kind regards,
>
> Job

Again, thanks for the info!

As per my other email I'm trying to condense my IOS regex first because it's the most cumbersome, and as you know it doesn't support number ranges. I expect the JunOS and IOS-XR to be much more straightforward.

Whatever I come up with, I'll post all the final syntaxes back to the list so they get archived; a quick search with Google hasn't revealed any real-world working examples, which I'm surprised by.

Cheers,
James.
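
An added example, not part of the original thread: one way to expand a numeric ASN range such as the 64496-65551 range quoted above into an AS_PATH regex for a platform without number-range support. All function names are hypothetical, the output uses only digit classes, alternation and grouping, and `matches()` only emulates the `_` delimiter in Python for offline checking. The result is correct but not guaranteed to be the shortest possible expression.

```python
import re

def split_stops(lo, hi):
    """Upper bounds of sub-ranges in which every digit position is one class."""
    stops = {hi}
    n = 1
    # Walk up from lo: set its last n digits to 9 while that stays below hi.
    while lo <= (stop := lo - lo % 10**n + 10**n - 1) < hi:
        stops.add(stop)
        n += 1
    n = 1
    # Walk down from hi: largest value below (hi + 1) rounded down to n zeros.
    while lo < (stop := (hi + 1) - (hi + 1) % 10**n - 1) <= hi:
        stops.add(stop)
        n += 1
    return sorted(stops)

def asn_range_alternatives(lo, hi):
    """One digit-class pattern per sub-range, e.g. 64500-64999 -> 64[5-9][0-9][0-9]."""
    alts, start = [], lo
    for stop in split_stops(lo, hi):
        alts.append("".join(a if a == b else f"[{a}-{b}]"
                            for a, b in zip(str(start), str(stop))))
        start = stop + 1
    return alts

def ios_as_path_regex(lo, hi):
    """Wrap the alternatives in _(...)_ so only whole ASNs in the path match."""
    return "_(" + "|".join(asn_range_alternatives(lo, hi)) + ")_"

def matches(ios_regex, as_path):
    """Assumption: '_' means start, end, space, comma, brace or parenthesis."""
    py = ios_regex.replace("_", r"(?:^|$|[ ,{}()])")
    return re.search(py, as_path) is not None

MARTIAN = ios_as_path_regex(64496, 65551)

# Constructed sample AS_PATHs, not taken from any real routing table.
SAMPLE_PATHS = ["3356 1299 15169", "3356 64512 15169", "3356 {65551}", "3356 164496"]

if __name__ == "__main__":
    print(MARTIAN)
    for path in SAMPLE_PATHS:
        print(f"{path!r:24} -> {'drop' if matches(MARTIAN, path) else 'keep'}")
```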
