nanog mailing list archives

Re: Packets from net 10 (no, not the lyrics)


From: "Todd R. Stroup" <tstroup () fibernet net>
Date: Tue, 23 Sep 1997 12:43:29 -0400 (EDT)


Why not use a standard access-list like:

access-list 50 deny 0.0.0.0 0.0.0.0
access-list 50 deny 127.0.0.0 0.255.255.255
access-list 50 deny 10.0.0.0 0.255.255.255
access-list 50 deny 172.16.0.0 0.15.255.255
access-list 50 deny 192.168.0.0 0.0.255.255
access-list 50 deny 192.0.2.0 0.0.0.255
access-list 50 deny 128.0.0.0 0.0.255.255
access-list 50 deny 191.255.0.0 0.0.255.255 
access-list 50 deny 198.32.184.0 0.0.0.255 ! MAE-WEST  (could be done)
access-list 50 deny 198.32.136.0 0.0.0.255 ! MAE-WEST  (to include all EPs)
access-list 50 deny 198.32.186.0 0.0.0.255 ! MAE-EAST
access-list 50 deny 192.41.177.0 0.0.0.255 ! MAE-EAST
access-list 50 deny 198.32.130.0 0.0.0.255 ! AADS
access-list 50 deny 206.183.224.0 0.0.31.255  ! FNSI
access-list 50 deny 209.41.192.0 0.0.31.255   ! FNSI
access-list 50 deny 209.115.0.0 0.0.31.255    ! FNSI
access-list 50 deny 223.255.255.0 0.0.0.255
access-list 50 deny 224.0.0.0 31.255.255.255
access-list 50 permit any

Then apply this to your peer session on the inbound with the command:

 neighbor x.x.x.x distribute-list 50 in

You want to filter on an interface for this?  If you get the route into
your routing table that's where the problem starts.  Attaching the filter
to the peer session will at least get rid of the bad routes from the
start.  I would rather use CPU on keeping the BGP sessions clean than
wasting it on checking the interface for packets with 10/8.  If anyone
has any better suggestions, I would love to hear them. 

Todd R. Stroup
Fiber Network Solutions, Inc.

On Tue, 23 Sep 1997 bmanning () ISI EDU wrote:
! Loopback
access-list 100 deny   ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
! RFC 1918 private blocks
access-list 100 deny   ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny   ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 100 deny   ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
! Test Network
access-list 100 deny   ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
! Tiny networks.
access-list 100 deny   ip any 255.255.255.128 0.0.0.127
access-list 100 permit ip any any


      The operative phrase here is border. 
      That means ASN border, i.e. where you BGP
      peer with others.  At the provider/subscriber
      interface, within your IGP, using RFC 1918 space
      is ok.

-- 
--bill


