nanog mailing list archives

Re: "Neighbor maximum-prefix" option on routers


From: Joe Abley <jabley () ca afilias info>
Date: Mon, 20 Nov 2006 09:32:12 +0100



On 20-Nov-2006, at 09:03, Mikael Abrahamsson wrote:

> On Mon, 20 Nov 2006, Alexander Koch wrote:
>
>> Ehm, when you have filter lists, why max-prefix? Do you really use filters, if so what kind of? I would be really curious to know what other ISPs do.
>
> Security in depth is actually a very good concept.

There's a more direct reason to implement for some networks, too.

If you have loose filters which allow your customers to deaggregate, you can add a maximum-prefix filter to stop ridiculous deaggregation which might blow maximum-prefix limits in your peers' routers, or cause devices in your own network to run out of RAM, etc.

router bgp 9327
 neighbor 4.1.2.3 remote-as 3356
 neighbor 4.1.2.3 peer-group hypothetical-customers
 neighbor 4.1.2.3 prefix-list AS3356 in
 neighbor 4.1.2.3 maximum-prefix 200
!
ip prefix-list AS3356 permit 8.0.0.0/8 le 24

In this case the prefix filter controls the kind of routes you're willing to accept from your customer (anything covered by 8.0.0.0/8 with a prefix length of 24 bits or less), and the maximum-prefix limit controls the number of routes you're prepared to accept (200).


Joe
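The two-layer inbound policy Joe describes, modelled in Python as an added example (this is not code from the thread or from any router vendor): a prefix-list entry decides *which* routes are acceptable, a maximum-prefix counter decides *how many*, and a customer that deaggregates a /16 into /24s passes the first check on every route but trips the second. The classes, the constructed sample announcements and the counting model are assumptions; the 75 % warning threshold follows the IOS default.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PrefixListEntry:
    """One 'ip prefix-list NAME permit A.B.C.D/L le N' line (IOS-style, modelled here)."""
    network: ipaddress.IPv4Network
    le: int  # longest prefix length still accepted; 'le 24' in the thread's config

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        # Must lie inside the covering block AND be no more specific than 'le'.
        # A shorter-than-block prefix (e.g. 0.0.0.0/0) fails subnet_of().
        return prefix.subnet_of(self.network) and prefix.prefixlen <= self.le


@dataclass
class BgpNeighbor:
    """Inbound policy for one customer eBGP session: prefix-list, then maximum-prefix."""
    prefix_list: List[PrefixListEntry]
    maximum_prefix: int
    threshold_pct: int = 75            # IOS default: warn when 75 % of the limit is reached
    accepted: List[str] = field(default_factory=list)
    rejected_by_filter: List[str] = field(default_factory=list)
    warning_at: Optional[int] = None   # accepted-route count at which the warning fired
    session_up: bool = True

    def receive(self, announced: List[str]) -> "BgpNeighbor":
        warn_level = -(-self.maximum_prefix * self.threshold_pct // 100)  # ceil
        for text in announced:
            if not self.session_up:
                break  # modelled default action: session torn down once the limit is exceeded
            pfx = ipaddress.ip_network(text, strict=False)
            # First line of defence: what kind of route is acceptable.
            if not any(entry.matches(pfx) for entry in self.prefix_list):
                self.rejected_by_filter.append(text)
                continue
            self.accepted.append(text)
            # Second line of defence: how many routes are acceptable. This model
            # counts routes that survived the filter, as the post describes;
            # platforms differ on whether they count before or after inbound policy.
            if self.warning_at is None and len(self.accepted) >= warn_level:
                self.warning_at = len(self.accepted)
            if len(self.accepted) > self.maximum_prefix:
                self.session_up = False
        return self


# The thread's configuration: permit 8.0.0.0/8 le 24, maximum-prefix 200.
THREAD_PREFIX_LIST = [PrefixListEntry(ipaddress.IPv4Network("8.0.0.0/8"), le=24)]
THREAD_MAX_PREFIX = 200


def normal_announcement() -> List[str]:
    # Constructed sample: a well-behaved customer plus a few routes the filter must drop.
    return [
        "8.0.0.0/8", "8.10.0.0/16", "8.20.0.0/20", "8.30.40.0/24",  # accepted
        "9.0.0.0/16",   # outside the customer's block
        "8.1.0.0/25",   # more specific than 'le 24'
        "0.0.0.0/0",    # a default route is not a subnet of 8.0.0.0/8
    ]


def deaggregated_announcement() -> List[str]:
    # Constructed sample: 8.10.0.0/16 blown up into all 256 of its /24s.
    # Every one passes the prefix-list; only maximum-prefix can stop it.
    return [str(n) for n in ipaddress.IPv4Network("8.10.0.0/16").subnets(new_prefix=24)]


def run(announced: List[str]) -> BgpNeighbor:
    return BgpNeighbor(THREAD_PREFIX_LIST, THREAD_MAX_PREFIX).receive(announced)


if __name__ == "__main__":
    for label, batch in (("normal", normal_announcement()),
                         ("deaggregated", deaggregated_announcement())):
        r = run(batch)
        print(f"{label}: accepted={len(r.accepted)} filtered={len(r.rejected_by_filter)} "
              f"warning_at={r.warning_at} session_up={r.session_up}")
```

With the limit set, the deaggregation burst is rejected by the filter zero times, yet the session is shut after the 201st accepted route, with the threshold warning already logged at 150; that is the gap between the two controls that the post is pointing at.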

