[93454] in North American Network Operators' Group
Re: "Neighbor maximum-prefix" option on routers
daemon@ATHENA.MIT.EDU (Joe Abley)
Mon Nov 20 03:33:17 2006
In-Reply-To: <Pine.LNX.4.64.0611200901570.4972@uplift.swm.pp.se>
Cc: nanog@nanog.org
From: Joe Abley <jabley@ca.afilias.info>
Date: Mon, 20 Nov 2006 09:32:12 +0100
To: Mikael Abrahamsson <swmike@swm.pp.se>
Errors-To: owner-nanog@merit.edu
On 20-Nov-2006, at 09:03, Mikael Abrahamsson wrote:
> On Mon, 20 Nov 2006, Alexander Koch wrote:
>
>> ehm, when you have filter lists, why max-prefix? do you really use
>> filters, if so what kind of? i would be really curious to know
>> what other ISPs do.
>
> Security in depth is actually a very good concept.
There's a more direct reason to implement it for some networks, too.
If you have loose filters which allow your customers to deaggregate,
you can add a maximum-prefix filter to stop ridiculous deaggregation
which might blow maximum-prefix limits in your peers' routers, or
cause devices in your own network to run out of RAM, etc.
router bgp 9327
 ! peer-group the customer session belongs to (definition implied by the rest of the config)
 neighbor hypothetical-customers peer-group
 neighbor 4.1.2.3 remote-as 3356
 neighbor 4.1.2.3 peer-group hypothetical-customers
 ! what kind of routes are accepted: inbound prefix-list
 neighbor 4.1.2.3 prefix-list AS3356 in
 ! how many routes are accepted: above 200 the session is shut down (IOS default without warning-only)
 neighbor 4.1.2.3 maximum-prefix 200
!
! anything inside 8.0.0.0/8 with a prefix length between 8 and 24 bits
ip prefix-list AS3356 permit 8.0.0.0/8 le 24
In this case the prefix filter controls the kind of routes you're
willing to accept from your customer (anything covered by 8.0.0.0/8
with a prefix length of 24 bits or less), and the maximum-prefix
limit controls the number of routes you're prepared to accept (200).
Joe