On Tuesday, March 25, 2014 06:12:52 PM Gert Doering wrote:

> We use BGP for that.  I just don't trust hosts taking
> part in my IGP...

As this is internal, we can reasonably trust the servers, 
since they are under the management of the Network team.

However, we do have strict routing policies for the IGP 
redistribution between OSPF and IS-IS that permit only the 
Anycast address from the servers, and nothing else.

We don't even allow the server to see the router's Loopback 
address (not that that adds any extra level of security, 
but...).

> (Which, admittedly, needs lots more configuration to do
> anycast for IPv4+IPv6, as opposed to "just turn on
> OSPFv3 multi-af on the interface")

Using the IGP works well for us because we can always be 
sure that cost (which for us is latency + bandwidth) is 
always true, and uninfluenced by any potential BGP factors.

Mark.
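
Added example, not part of the original message and not the poster's configuration: a sketch of a redistribution policy of the kind described above, in Cisco IOS syntax. It assumes the servers speak OSPF/OSPFv3 to the router and the core runs IS-IS; the prefixes, process IDs and policy names are constructed placeholders.

```cisco
! Constructed example: addresses, process IDs and names are placeholders.
! Assumes servers speak OSPF/OSPFv3 to this router and the core runs IS-IS.
!
! Exact-length entries only. No "le 32" / "le 128", so a server cannot
! leak a default route, a covering aggregate or any other host route.
ip prefix-list ANYCAST-V4 seq 10 permit 192.0.2.53/32
ipv6 prefix-list ANYCAST-V6 seq 10 permit 2001:db8::53/128
!
! A route-map ends in an implicit deny, so anything not matched here is
! dropped at the redistribution point.
route-map SRV-OSPF-TO-ISIS-V4 permit 10
 match ip address prefix-list ANYCAST-V4
!
route-map SRV-OSPF-TO-ISIS-V6 permit 10
 match ipv6 address prefix-list ANYCAST-V6
!
router isis
 redistribute ospf 1 route-map SRV-OSPF-TO-ISIS-V4
 address-family ipv6
  redistribute ospf 1 route-map SRV-OSPF-TO-ISIS-V6
 exit-address-family
!
! No "redistribute isis" under the server-facing OSPF process: the servers
! learn nothing from the core IGP, router Loopbacks included.
```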


_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
