James, I get what you are saying! You have a point there.
On Tue, Nov 29, 2011 at 7:14 AM, James Roc <[email protected]> wrote:
> There is no loop in the topology, so there would be no reason for routes
> not to be accepted.
>
> AS101 - AS50 - AS102 - ASXXX - AS300
>
> In this scenario, AS300 would have routes to AS101 but due to the as-path
> filtering, AS101 would not have routes to AS300.
>
> So, in theory, AS300 could still send packets to AS101, thus transiting
> AS50.
>
> On Mon, Nov 28, 2011 at 11:17 PM, Oluwagbenga Oyebande <[email protected]> wrote:
>
>> Saleh,
>>
>> It seems ip as-path access-list 1 permit ^102_[0-9]*$ will not meet the
>> requirements because it will also permit AS300 to transit AS50
>>
>> James,
>>
>> I thought BGP's inherent loop prevention mechanism takes care of that
>> path you are looking at. If my AS is in the AS path I wouldn't accept such
>> a route. That would be a loop.
>>
>> On Mon, Nov 28, 2011 at 1:55 AM, James Roc <[email protected]> wrote:
>>
>>> yep, I missed the ) that's a typo
>>>
>>> although it's the lack of outbound route filtering that I'm interested in.
>>>
>>> It looks like the DSG solution doesn't completely prevent AS50 from being
>>> a transit AS.
>>>
>>> On Mon, Nov 28, 2011 at 9:16 AM, Oluwagbenga Oyebande <[email protected]> wrote:
>>>
>>>> did you mean to type ip as-path access-list 73 permit ^102(_[0-9]+*)*
>>>> ?$
>>>>
>>>> On Sun, Nov 27, 2011 at 12:30 PM, James Roc <[email protected]> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> This question asks to 'ensure that only directly connected clients of
>>>>> AS102 can transit AS50'.
>>>>>
>>>>> AS101 - AS50 - AS102 - ASXXX
>>>>>
>>>>> The DSG uses the following inbound as-path acl on the AS50 router
>>>>> peering to AS102:
>>>>>
>>>>> ip as-path access-list 73 permit ^102(_[0-9]+?$
>>>>>
>>>>> This filters the required routes entering AS50 from AS102 but there
>>>>> are no outbound filters.
>>>>>
>>>>> In the following topology, routes from AS101 could pass through AS50 to
>>>>> AS102 and beyond.
>>>>>
>>>>> AS101 - AS50 - AS102 - ASXXX - AS300
>>>>>
>>>>> So while AS101 would not have a synchronous return route, AS300 could
>>>>> still transit AS50 to reach AS101.
>>>>>
>>>>> Given that changes can only be done on AS50, what's the best way to
>>>>> prevent this?
>>>>>
>>>>> Cheers
>>>>> James
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
>>>>>
>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>> www.PlatinumPlacement.com
>>>>>
>>>>> To Unsubscribe from this list please visit the following link and
>>>>> follow the directions to unsubscribe.
>>>>> http://onlinestudylist.com/mailman/listinfo/ccie_rs
>>>>
>>>> --
>>>> Olugbenga Oyebande
>>>> MD, DAIT
>>>> 234-803-302-5287
>>>> http://www.dait-ng.com
>>>> Cisco Unified Network, VPN
>>>> DAIT Enterprise Network Servers
>>>> Broadband Internet Deployment & ISP Consultancy

--
Olugbenga Oyebande
MD, DAIT
234-803-302-5287
http://www.dait-ng.com
Cisco Unified Network, VPN
DAIT Enterprise Network Servers
Broadband Internet Deployment & ISP Consultancy
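
Added example (not part of the original thread or of the DSG): a Python check of the two as-path expressions quoted above against constructed AS paths, together with the route asymmetry James describes. It assumes the DSG line with the missing ")" restored is ^102(_[0-9]+)?$, uses AS200 as a stand-in for ASXXX, and translates only the Cisco "_" token; the function names and the has_outbound_filter flag are hypothetical.

```python
import re

# Cisco as-path regex: "_" matches a delimiter (space, comma, braces,
# parentheses) or the start/end of the path. The other tokens used in the
# thread (^ $ [0-9] * + ? and grouping) mean the same in Python's re module.
def cisco_to_python(pattern):
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))

def permitted(pattern, as_path):
    """True if a one-line 'permit' as-path access-list matches as_path."""
    return cisco_to_python(pattern).search(as_path) is not None

LIST_1 = r"^102_[0-9]*$"      # access-list 1 as quoted in the thread
LIST_73 = r"^102(_[0-9]+)?$"  # ASSUMPTION: DSG list 73 with the ")" restored

XXX = "200"  # constructed stand-in for ASXXX

# Constructed AS paths as AS50 would receive them from its AS102 peer.
INBOUND = {
    "AS102": "102",
    "ASXXX": f"102 {XXX}",
    "AS300": f"102 {XXX} 300",
}

def inbound_view(pattern):
    """Which origins AS50 accepts from AS102 under the inbound filter."""
    return {origin: permitted(pattern, path) for origin, path in INBOUND.items()}

def reachability(pattern, has_outbound_filter=False):
    """Who learns whose routes when only the inbound filter is applied.

    has_outbound_filter is a hypothetical switch: False models the DSG
    solution, where AS50 advertises AS101's routes to AS102 unfiltered.
    """
    return {
        # AS101's prefixes leave AS50 unless something outbound stops them,
        # so AS300 ends up with a path such as "200 102 50 101".
        "as300_learns_as101": not has_outbound_filter,
        # AS300's prefixes reach AS50 (and AS101) only if the filter permits.
        "as101_learns_as300": permitted(pattern, INBOUND["AS300"]),
    }

if __name__ == "__main__":
    for name, pattern in (("list 1", LIST_1), ("list 73", LIST_73)):
        print(name, pattern, inbound_view(pattern), reachability(pattern))
```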
