nanog mailing list archives

Re: algorithm used by (RIPE region) ISPs to generate automatic BGP prefix filters


From: Jared Mauch <jared () puck Nether net>
Date: Thu, 4 Feb 2016 11:58:42 -0500

On Thu, Feb 04, 2016 at 05:52:54PM +0100, Randy Bush wrote:
> > We record the customer ASN and the AS-SET for each AFI (v4|v6) and
> > expand these and push updated lists to devices daily or on demand
> > based on customer need.
>
> do you trust the state of the acl on the router and only send a delta,
> or do you send the whole acl?
>
> > We send the whole ACL.
> >
> > (in fact, we send the full router config each time).
>
> i bet that scales well.  though i would not trust the router either.

        it works well enough, software bugs aside.  much better than
wondering what state a device is in.  our customer migration team
was able to use this toolization to move over 200 discrete interfaces
in one night without error recently.

        having the proper tooling and inventory of customers is
key here.  when turning up the first few customers, i get having
a manual process but the ROI on automation is well worth it.

        there are many variations of this graphic out there but
it's important when justifying why you have a network engineer
who can also code and do more than one thing:

http://www.geeksaresexy.net/2012/01/05/geeks-vs-non-geeks-picture/

there's also this related item, you do have to maintain it:

https://xkcd.com/1319/

if you avoid feature creep the tools can be done properly.  I've
seen many a project delayed by someone trying to wedge something
in, or alter a schema from one that works to one that is more
technically pure and make it harder to do work.

you must also have the culture that works with the tools; it can't
be the one tool that $powerUser operates, it has to be part
of the business process.

        - Jared

-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
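The workflow Jared describes (record the customer's AS-SET per AFI, expand it, render the complete prefix-list and push the whole thing rather than a delta) is sketched below as an added example. It is not Jared's or his employer's tooling; the IRR snapshot (`AS_SETS`, `ROUTES`), the customer name, the `/24` and `/48` maximum lengths and the IOS-style `prefix-list` syntax are all assumptions made for the example, and the data is constructed, not real registry content. The rendering is deterministic, so the delta between two pushes is computed from what was generated rather than from whatever state the router reports:

```python
"""Expand a customer AS-SET into per-AFI prefix lists and render the
complete filter configuration (the "push the whole ACL" approach).
All IRR data here is constructed for the example; nothing is queried."""
import difflib
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Constructed, hypothetical IRR snapshot (not real registry objects).
AS_SETS: Dict[str, List[str]] = {
    "AS-CUSTOMER": ["AS64500", "AS-CUSTOMER-DOWNSTREAM"],
    "AS-CUSTOMER-DOWNSTREAM": ["AS64501", "AS-CUSTOMER"],  # circular reference
}
ROUTES: Dict[str, List[str]] = {  # route/route6 objects keyed by origin ASN
    "AS64500": ["192.0.2.0/24", "198.51.100.0/22", "2001:db8:1::/48"],
    "AS64501": ["203.0.113.0/24", "2001:db8:1::/48", "2001:db8:2::/48"],
}
MAX_LEN = {4: 24, 6: 48}  # assumed policy: longest prefix accepted per AFI
ASN_RE = re.compile(r"AS\d+$")


def expand_as_set(name: str, as_sets: Dict[str, List[str]]) -> Set[str]:
    """Resolve an AS-SET (recursively) to the set of origin ASNs it names.

    The 'seen' set stops circular references; an unknown AS-SET name
    contributes no members rather than raising.
    """
    asns: Set[str] = set()
    seen: Set[str] = set()
    stack = [name]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        if ASN_RE.match(cur):
            asns.add(cur)
        else:
            stack.extend(as_sets.get(cur, []))
    return asns


def prefixes_for(asns: Iterable[str], routes: Dict[str, List[str]], afi: int):
    """Collect the route(6) objects of the given ASNs for one AFI (4 or 6),
    de-duplicated and in a deterministic order so renders are comparable."""
    nets = set()
    for asn in asns:
        for p in routes.get(asn, []):
            net = ipaddress.ip_network(p, strict=True)
            if net.version == afi:
                nets.add(net)
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))


def render_prefix_list(name: str, nets, afi: int) -> str:
    """Render a complete IOS-style prefix-list (syntax assumed for the
    example): each prefix plus its more-specifics up to the AFI's maximum
    length, then an explicit deny-all."""
    kw = "ip" if afi == 4 else "ipv6"
    max_len = MAX_LEN[afi]
    lines = []
    seq = 5
    for net in nets:
        if net.prefixlen > max_len:
            continue  # more specific than policy allows; do not permit it
        rule = f"{kw} prefix-list {name} seq {seq} permit {net}"
        if net.prefixlen < max_len:
            rule += f" le {max_len}"
        lines.append(rule)
        seq += 5
    default = "0.0.0.0/0 le 32" if afi == 4 else "::/0 le 128"
    lines.append(f"{kw} prefix-list {name} seq {seq} deny {default}")
    return "\n".join(lines)


def build_customer_filters(customer: str, as_set: str,
                           as_sets=AS_SETS, routes=ROUTES) -> Dict[int, str]:
    """Full per-AFI filter text for one customer, regenerated from scratch."""
    asns = expand_as_set(as_set, as_sets)
    return {afi: render_prefix_list(f"{customer}-IN-V{afi}",
                                    prefixes_for(asns, routes, afi), afi)
            for afi in (4, 6)}


def config_delta(previous: str, current: str) -> List[str]:
    """Diff the last rendering against the new one. The delta is derived
    from what we generated, not from what the router claims it has."""
    return list(difflib.unified_diff(previous.splitlines(), current.splitlines(),
                                     fromfile="previous", tofile="current",
                                     lineterm="", n=0))


if __name__ == "__main__":
    filters = build_customer_filters("CUST1", "AS-CUSTOMER")
    for afi in (4, 6):
        print(filters[afi])
```

Two details matter in practice: the cycle guard in `expand_as_set`, because AS-SETs in the wild do reference each other, and the sorted, fully regenerated output, which is what makes "send the whole ACL" safe to repeat and lets `config_delta` show exactly what a push changes without ever reading state back from the device.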

