Traffic destined for 100.114.128.0/24

Mark Tinka mark.tinka at seacom.mu
Thu Apr 9 13:34:59 UTC 2020


On 9/Apr/20 15:24, Tom Hill wrote:

> Short answer: filter 100.64.0.0/10 from your upstreams, as you would
> 192.168.0.0/16 or 10.0.0.0/8.

I was trying to remind myself what we did back in the day. Looks like
that's been in on our end for yonks:

tinka at all.boxes-re0# show firewall family inet filter filter-incoming
term 10 {
    from {
        source-address {
            10.0.0.0/8;
            100.64.0.0/10;
            127.0.0.0/8;
            169.254.0.0/16;
            172.16.0.0/12;
            192.0.2.0/24;
            192.42.172.0/24;
            192.168.0.0/16;
            198.18.0.0/15;
            198.51.100.0/24;
            203.0.113.0/24;
            41.87.96.0/19;
            41.206.96.0/19;
            41.217.212.0/22;
            105.16.0.0/12;
        }
        destination-address {
            0.0.0.0/0;
        }
    }
    then {
        count filter-incoming-anti-spoofing-counter;
        syslog;
        discard;
    }
}
term 65535 {
    then {
        policy-map UPSTREAM-TRAFFIC-INBOUND;
        forwarding-class best-effort;
        accept;
    }
}

{master}[edit]
tinka at all.boxes-re0#


>
> Longer answers will no doubt be available. :)

As the Afrikaners say, "Finish & Klaar" :-).

Mark.
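
The following is an added example, not part of the original message or of the poster's tooling: a Python sketch that loads the source-address entries of term 10 from the filter quoted above and checks that the prefix in the subject line, 100.114.128.0/24, falls inside 100.64.0.0/10. The function names and the sample source addresses are assumptions made for illustration.

```python
import ipaddress
import re

# source-address entries of term 10, copied from the filter quoted above
# (whitespace reflowed; the prefixes themselves are unchanged).
TERM_10_SOURCES = """
    10.0.0.0/8; 100.64.0.0/10; 127.0.0.0/8; 169.254.0.0/16;
    172.16.0.0/12; 192.0.2.0/24; 192.42.172.0/24; 192.168.0.0/16;
    198.18.0.0/15; 198.51.100.0/24; 203.0.113.0/24; 41.87.96.0/19;
    41.206.96.0/19; 41.217.212.0/22; 105.16.0.0/12;
"""

def parse_prefixes(text):
    """Pull every 'a.b.c.d/len;' entry out of a Junos address block."""
    found = re.findall(r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2});", text)
    return [ipaddress.ip_network(p) for p in found]

PREFIXES = parse_prefixes(TERM_10_SOURCES)

def covering_prefix(net):
    """Most specific filter prefix that fully contains `net`, or None."""
    net = ipaddress.ip_network(net)
    hits = [p for p in PREFIXES if net.subnet_of(p)]
    return max(hits, key=lambda p: p.prefixlen, default=None)

def evaluate(src):
    """Model the two terms: term 10 discards on a source match
    (destination 0.0.0.0/0 matches everything), term 65535 accepts."""
    addr = ipaddress.ip_address(src)
    for p in PREFIXES:
        if addr in p:
            return ("discard", str(p))
    return ("accept", None)

if __name__ == "__main__":
    print("100.114.128.0/24 covered by:", covering_prefix("100.114.128.0/24"))
    # Constructed source addresses, chosen to sit on both sides of the
    # 100.64.0.0/10 boundary (100.64.0.0 - 100.127.255.255).
    for src in ["100.114.128.7", "100.127.255.255", "100.128.0.1", "192.0.2.55"]:
        print(src, evaluate(src))
```
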


