In our case, we do the following setup:

1. Allow up to /32 within the customer's prefix(es).
2. Check for 27552:666 (null comm); if matched, set to null'd nexthop.
3. Now match any prefixes that are longer than /22 on 0.0.0.0/1, that are longer than /22 on 128.0.0.0/2, and that are longer than /24 on 192.0.0.0/3. If any of these longer prefixes are matched, tag them with 27552:31337 (which is our equivalent of no-export).
   If a customer has a legitimate reason to send a /24 within, say, 0.0.0.0/1, then we can always override it by adding a deny rule to the matching prefix-list used by the route-map.
4. Finally, add a maximum-prefix limit of 500.

I'll be more than glad to provide a config template if anyone is interested. Also have an ipv6 version of it as well if interested.

-J

On Wed, Mar 03, 2004 at 10:22:16PM +0000, Stephen J. Wilcox wrote:
> 
> > > I'm puzzled by one aspect on the implementation.. how to build your customer
> > > prefix filters.. that is, we have prefix-lists for prefix and length.
> > > Therefore at present we can only accept a tagged route for a whole block..
> > > not good if the announcement is a /16 etc !
> > 
> > MCI handles this by only filtering on prefix, not length. Well,
> > allowing you to only announce up to your length, not shorter, but
> > longer is allowed.
> 
> Hmm not keen, have moved acl->prefix w/len to stop folks from doing this, in
> addition we have an extra filter which overrides anything that would deny
> anything longer than a /24. I'm not keen to change that.. LART appears to have
> little or no effect with my customers, preemption appears to be the only way!
> 
> Steve
> 
> > > Now, I could do as per the website at secsup.org which means we have a
> > > route-map
> > > entry to match the community before the filtering .. but that would
> > > allow the
> > > customer to null route any ip.
> > > 
> > > What we need is one to allow them to announce any route including more
> > > specifics of the prefix list - how are folks doing this?
> > 
> > It's not hard. I think the old UUNET just used standard ACLs (1->99).
> > :) But with prefix filters, you can set gt & lt prefix lengths on the
> > filters trivially.
> > 
> > Of course, your customers can then deaggregate to their hearts content.
> > If they do, you should hunt them down and LART them. But it is useful
> > for some things, especially when combined with no_export, the
> > black-hole communities, or other communities.
> 

-- 
James Jun                                    TowardEX Technologies, Inc.
Technical Lead                               Network Design, Consulting, IT Outsourcing
[EMAIL PROTECTED]                            Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867   web: http://www.towardex.com , noc: www.twdx.net
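The four-step customer policy James describes above (allow up to /32 inside the customer's blocks, black-hole on 27552:666, tag over-long more-specifics with 27552:31337, cap at 500 prefixes) is easy to get subtly wrong at the prefix-length thresholds. The following Python model is an added example, not TowardEX's config template and not code from the thread: it replays the policy over a constructed set of announcements so the outcome of each step can be checked before the equivalent route-map and prefix-lists go on a router. The community values come from the mail; the customer blocks, the discard next-hop address, and the sample announcements are assumed for the demonstration, and the ordering (prefix-list filter first, then community match, then the length-based tagging) is my reading of the mail.

```python
# Added example modelling the customer route-map described in the mail.
# Communities 27552:666 / 27552:31337 are from the mail; everything else
# (customer blocks, discard next-hop, sample announcements) is constructed.
import ipaddress

NULL_COMM = "27552:666"         # customer-requested black-hole (from the mail)
NO_EXPORT_COMM = "27552:31337"  # provider's equivalent of no-export (from the mail)
NULL_NEXTHOP = "192.0.2.1"      # assumed discard next-hop (RFC 5737 documentation address)
MAX_PREFIXES = 500              # maximum-prefix limit from step 4 of the mail

# Step 3: inside each range, prefixes longer than the given length get the no-export tag.
NO_EXPORT_RANGES = [
    (ipaddress.ip_network("0.0.0.0/1"), 22),
    (ipaddress.ip_network("128.0.0.0/2"), 22),
    (ipaddress.ip_network("192.0.0.0/3"), 24),
]


def evaluate(prefix, communities, customer_prefixes, override_deny=()):
    """Classify one announcement as 'deny', 'null-route', 'accept-no-export' or 'accept'.

    customer_prefixes: the customer's allocated blocks; step 1 admits anything up to /32
    inside them.  override_deny: prefixes exempted from the step-3 tag, which is what the
    mail's 'deny rule in the matching prefix-list' achieves for a legitimate /24.
    Returns (action, communities_after_policy, next_hop_or_None).
    """
    net = ipaddress.ip_network(prefix)
    customer = [ipaddress.ip_network(c) for c in customer_prefixes]
    comms = set(communities)

    # Step 1: anything outside the customer's blocks is dropped, any length inside is allowed.
    if not any(net.subnet_of(c) for c in customer):
        return "deny", comms, None

    # Step 2: the null community rewrites the next-hop to the discard address.
    if NULL_COMM in comms:
        return "null-route", comms, NULL_NEXTHOP

    # Step 3: over-long more-specifics are tagged so they stay inside the AS,
    # unless an explicit deny entry takes the prefix out of the prefix-list match.
    for rng, longer_than in NO_EXPORT_RANGES:
        if net.subnet_of(rng) and net.prefixlen > longer_than:
            if any(net == ipaddress.ip_network(o) for o in override_deny):
                break  # ranges are disjoint, so no other range can match
            comms.add(NO_EXPORT_COMM)
            return "accept-no-export", comms, None

    return "accept", comms, None


def apply_policy(announcements, customer_prefixes, override_deny=()):
    """Run the policy over a whole session.  Step 4: if more than MAX_PREFIXES survive
    the filter the session would be torn down, modelled here by returning None."""
    results = {}
    for prefix, comms in announcements:
        action, out, nh = evaluate(prefix, comms, customer_prefixes, override_deny)
        results[prefix] = (action, sorted(out), nh)
    accepted = sum(1 for action, _, _ in results.values() if action != "deny")
    if accepted > MAX_PREFIXES:
        return None
    return results


# Constructed sample: two customer blocks, one in each of the 0/1 and 192/3 ranges.
CUSTOMER_PREFIXES = ["10.0.0.0/16", "203.0.113.0/24"]
SAMPLE_ANNOUNCEMENTS = [
    ("10.0.0.0/16", []),                 # the aggregate: accept
    ("10.0.4.0/22", []),                 # exactly /22 in 0/1: not "longer than", accept
    ("10.0.1.0/24", []),                 # /24 in 0/1: tagged 27552:31337
    ("10.0.3.7/32", ["27552:666"]),      # black-hole request: next-hop rewritten
    ("172.16.0.0/16", []),               # not the customer's block: deny
    ("203.0.113.0/24", []),              # /24 in 192/3: accept
    ("203.0.113.128/25", []),            # /25 in 192/3: tagged 27552:31337
]

if __name__ == "__main__":
    for pfx, (action, comms, nh) in apply_policy(SAMPLE_ANNOUNCEMENTS, CUSTOMER_PREFIXES).items():
        print(f"{pfx:20} {action:17} comms={comms} next-hop={nh}")
```

The `override_deny` argument is the model of the escape hatch James mentions: a deny entry in the prefix-list referenced by the step-3 route-map clause stops that clause from matching, so the prefix falls through to plain acceptance rather than being tagged. The maximum-prefix check counts everything that is not denied, including black-holed /32s, which is worth keeping in mind when sizing the limit for a customer that uses the null community heavily.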