[106925] in North American Network Operators' Group
Re: Is it time to abandon bogon prefix filters?
daemon@ATHENA.MIT.EDU (Jared Mauch)
Mon Aug 18 08:33:17 2008
Date: Mon, 18 Aug 2008 08:33:08 -0400
From: Jared Mauch <jared@puck.nether.net>
To: Pete Templin <petelists@templin.org>
In-Reply-To: <48A8C8F5.7080102@templin.org>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Sun, Aug 17, 2008 at 07:57:25PM -0500, Pete Templin wrote:
> Tomas L. Byrnes wrote:
>> Since there are ways to dynamically filter the bogons, using BGP or DNS,
>> I don't really see the need to stop doing so. If you're managing your
>> routing and firewall filters manually, you have bigger problems than the
>> release of Bogon space.
>
> Can you share the Cisco configuration snippet you recommend to
> dynamically FILTER bogons using BGP or DNS?
On a router with full routes (ie: no default) the command is:
Router(config-if)#ip verify unicast source reachable-via any
Go ahead and try it out. You can view the resulting drop counter via the 'show ip int <x/y>' command.
While you're at it, you also placed the reachable-via rx on
all your customer interfaces. If you're paranoid, start with the 'any'
rpf and then move to the strict rpf. The strict rpf also helps with
routing loops.
- Jared
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
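Added illustration, not part of the thread and not Cisco's implementation: a toy model of the loose ("reachable-via any") and strict ("reachable-via rx") unicast RPF checks Jared describes, run over a constructed three-entry FIB with no default route, so that a source address with no route at all (the bogon case) is dropped without any static bogon list. Interface names, prefixes and sample packets are all made up for the example.

```python
import ipaddress

# Constructed sample FIB (prefix -> egress interface). A router carrying a
# full table and no default route has no entry for unallocated space, which
# is exactly what loose uRPF relies on. (On Cisco IOS a default route is
# ignored by uRPF unless 'allow-default' is configured.)
FIB = {
    "192.0.2.0/24": "Gi0/1",     # customer A, single-homed behind Gi0/1
    "198.51.100.0/24": "Gi0/2",  # customer B, single-homed behind Gi0/2
    "203.0.113.0/24": "Gi0/0",   # everything else, via upstream Gi0/0
}

def best_route(src):
    """Longest-prefix match for a source address; None if no route exists."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_loose(src):
    """'reachable-via any': accept if any route to the source exists."""
    return best_route(src) is not None

def urpf_strict(src, ingress):
    """'reachable-via rx': accept only if the best route back to the source
    points out the interface the packet arrived on."""
    route = best_route(src)
    return route is not None and route[1] == ingress

def check(src, ingress, mode):
    """Return 'forward' or 'drop'; each 'drop' is what increments the
    per-interface counter seen with 'show ip int <x/y>'."""
    ok = urpf_loose(src) if mode == "loose" else urpf_strict(src, ingress)
    return "forward" if ok else "drop"

if __name__ == "__main__":
    # Constructed sample packets: (source address, ingress interface)
    packets = [
        ("192.0.2.10", "Gi0/1"),    # customer A's own address on its own port
        ("192.0.2.10", "Gi0/0"),    # customer A's address arriving from upstream
        ("198.51.100.7", "Gi0/1"),  # customer B's address on customer A's port
        ("10.5.5.5", "Gi0/0"),      # source with no route at all (bogon case)
    ]
    for src, ifname in packets:
        print(f"{src:14} in {ifname}: loose={check(src, ifname, 'loose'):7} "
              f"strict={check(src, ifname, 'strict')}")
```

Strict mode assumes the forward and reverse paths agree; on a multihomed or asymmetrically routed customer link the best route may point elsewhere and legitimate traffic is dropped, which is why the reply suggests starting with loose mode and moving to strict once the interfaces involved are known to be single-homed.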