Re: Bogon filtering (don't ban me)

[Ian Dickinson <ian.dickinson () pipex net>]

Cliff Albert wrote:
> On Sun, Dec 05, 2004 at 12:41:32PM -0500, Joe Abley wrote:
>>
> > > I have one question regarding the CYMRU bogon route-server. What good 
> > > is it if more-specific bogons are going around in the BGP table ?
> >
> > With OpenBSD 3.6 running pf and bgpd, you can apply a filter rule to 
> > BGP updates received from individual peers which updates a pf radix 
> > table with the network received:

Nice - anyone know of anything equivalent for ipf/pfil on Solaris?

> Interesting, but no option on Juniper/IOS boxes/foundry boxen. 

Since 12.0(29)S and 12.2(25)S, this feature:

BGP Support for IP Prefix Import from Global Table into a VRF Table
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s29/cs_bgivt.htm

does the trick nicely, as long as you trust builds that new,
and your linecards are new enough.  Worked fine in my testing.

This is effectively a way of populating a VRF and then pointing uRPF at
it.  I think it was aimed at feasible path uRPF, but can do the bogon
stuff as well.
--
Ian Dickinson
Development Engineer
PIPEX
ian.dickinson () pipex net
http://www.pipex.net

This e-mail is subject to: http://www.pipex.net/disclaimer.html