[56759] in North American Network Operators' Group


Re: route filtering in large networks

daemon@ATHENA.MIT.EDU (Lars Erik Gullerud)
Thu Mar 13 12:50:13 2003

From: Lars Erik Gullerud <lerik@nolink.net>
To: Richard A Steenbergen <ras@e-gerbil.net>
Cc: nanog@merit.edu
In-Reply-To: <20030313034721.GY8839@overlord.e-gerbil.net>
Date: 13 Mar 2003 18:45:36 +0100
Errors-To: owner-nanog-outgoing@merit.edu


On Thu, 2003-03-13 at 04:47, Richard A Steenbergen wrote:

> Personally I don't think it's "too" hard to set up some scripts
> which can apply updated bogon and other important prefix-list updates
> globally. Rancid and about 15 lines of shell script should do you just
> fine. If you're lucky enough to have Junipers, you can use the same
> prefix-list to filter both routes and packets.

Sorry to break in here with something as inappropriate as a technical
comment but... Actually, you can't. But it is a common error people make
on J boxes. If you use prefix-lists in your routing policy on the Js,
they will only match the exact prefix-length specified, not longer
prefixes from within it. If you want to match prefixes of any given
length within, say, a /8 (a typical entry in a bogon list), you have to
use route-lists (route-filter statements), which cannot be used in your
packet filters (firewall config)...

/leg
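As an added illustration of the distinction Lars describes (this fragment is not from the thread or from Juniper), the Junos configuration below contrasts a routing policy that uses the prefix-list (exact-length match only) with one that uses route-filter orlonger, and reuses the same prefix-list in a firewall filter, where route-filter is not available. The prefix-list, policy and filter names and the 10.0.0.0/8 and 192.168.0.0/16 entries are constructed sample values.

```junos
policy-options {
    /* Constructed sample bogon list; reusable in firewall filters */
    prefix-list bogons {
        10.0.0.0/8;
        192.168.0.0/16;
    }
    /* The common mistake: in a routing policy a prefix-list matches only
       the exact lengths listed, so 10.1.0.0/16 slips through this term */
    policy-statement reject-bogons-exact-only {
        term bogons {
            from {
                prefix-list bogons;
            }
            then reject;
        }
        term rest {
            then accept;
        }
    }
    /* What actually rejects anything inside the /8 or /16: route-filter
       with orlonger, which cannot be reused in a firewall filter */
    policy-statement reject-bogons {
        term bogons {
            from {
                route-filter 10.0.0.0/8 orlonger;
                route-filter 192.168.0.0/16 orlonger;
            }
            then reject;
        }
        term rest {
            then accept;
        }
    }
}
firewall {
    family inet {
        /* Packet filter: here the prefix-list does match any source
           address within the listed prefixes */
        filter drop-bogon-sources {
            term bogons {
                from {
                    source-prefix-list {
                        bogons;
                    }
                }
                then discard;
            }
            term rest {
                then accept;
            }
        }
    }
}
```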
