Is it time to abandon bogon prefix filters?
jared at puck.nether.net
Mon Aug 18 07:33:08 CDT 2008
On Sun, Aug 17, 2008 at 07:57:25PM -0500, Pete Templin wrote:
> Tomas L. Byrnes wrote:
>> Since there are ways to dynamically filter the bogons, using BGP or DNS,
>> I don't really see the need to stop doing so. If you're managing your
>> routing and firewall filters manually, you have bigger problems than the
>> release of Bogon space.
> Can you share the Cisco configuration snippet you recommend to
> dynamically FILTER bogons using BGP or DNS?
On a router with full routes (ie: no default) the command
Router(config-if)#ip verify unicast source reachable-via any
Go ahead and try it out. you can view the resulting
drop counter via the 'show ip int <x/y>' command.
While you're at it, you also placed the reachable-via rx on
all your customer interfaces. If you're paranoid, start with the 'any'
rpf and then move to the strict rpf. The strict rpf also helps with
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
More information about the NANOG