Using non-world routable space on interfaces makes for difficulties in some situations with PMTU-D and with troubleshooting (useless information in traceroutes for example).

Owen

On Jan 19, 2011, at 6:04 PM, jim deleskie wrote:

> Never put a firewall in front of a router, it will die first. The team
> CYMRU stuff is great make sure you have ACL's on your VTY and allow access
> only from trusted internal IPs. I also like using non world routable space
> on any interface I can.
>
> On Wed, Jan 19, 2011 at 9:38 PM, Brandon Kim
> <brandon....@brandontek.com> wrote:
>
>> What an insightful link! Thank you, I am reading it now.....
>>
>>> From: bryan.we...@arrisi.com
>>> To: nanog@nanog.org
>>> Date: Wed, 19 Jan 2011 16:38:43 -0800
>>> Subject: RE: Securing Border Routers
>>>
>>> I ALWAYS start with the CYMRU secure bgp templates, found here:
>>> http://www.team-cymru.org/ReadingRoom/Templates/secure-bgp-template.html
>>>
>>> I personally would not recommend a firewall in front of your router,
>>> sufficient ACL'ing should be enough for securing the router itself.
>>>
>>> Bryan
>>>
>>> -----Original Message-----
>>> From: Brandon Kim [mailto:brandon....@brandontek.com]
>>> Sent: Wednesday, January 19, 2011 4:36 PM
>>> To: nanog group
>>> Subject: Securing Border Routers
>>>
>>> Gents:
>>>
>>> What measures do you take to protect your border routers? Our routers are
>>> running BGP so I'm interested if there is any way to secure them without
>>> interfering with BGP? Is it normal to put a firewall in front of the border
>>> routers?
>>>
>>> I'm concerned about DDOS attacks mainly....although we haven't had any, I
>>> don't welcome them.....
>>>
>>> Brandon