Thanks for the advice. Filtering and route manipulation hasn't been a problem for me. I'm very careful to prevent leakage, etc. My current issue is scaling my management of our prefix announcements. Every time I add a new block, I need to modify all of my edge routers, etc. I understand I can use IRR, etc. to automate prefix-list deployments, but the blocks still need to be injected into the network? So my thought was to use a route server (Quagga or a 7200) to do this.
I'm looking to understand how others handle this.

On Tue, Jan 31, 2012 at 2:59 PM, Tony Tauber <ttau...@1-4-5.net> wrote:

> To elaborate slightly on what others have said in terms of protecting
> against leaks; it's a good idea to filter outbound in a conservative way
> such that you only send what you "expect" in terms of community values
> and/or prefixes and/or AS-paths.
>
> For instance, if something gets into your BGP that isn't tagged with one
> of your expected communities (e.g. applied where you inject your aggs),
> don't re-advertise it. If something has the right community, but not an
> expected AS-path (e.g. contains the AS of one of your transit providers),
> don't re-advertise. Implicitly deny all unexpected cases.
>
> Building that kind of restrictive logic will make it less likely that you
> become a path for traffic you didn't expect (and might swamp you), and
> you'll also be a better citizen in general.
>
> Cheers,
> Tony
>
> On Tue, Jan 31, 2012 at 1:52 PM, Joe Marr <jimmy.changa...@gmail.com> wrote:
>
>> Thanks Mark,
>>
>> This helps and definitely shows I'm heading in the right direction.
>>
>> Thanks,
>>
>> On Tue, Jan 31, 2012 at 2:17 AM, Mark Tinka <mti...@globaltransit.net> wrote:
>>
>>> On Tuesday, January 31, 2012 03:04:15 PM Joe Marr wrote:
>>>
>>>> What do you use for reflectors, hardware (Cisco/Juniper)
>>>> or software daemons (Quagga)?
>>>
>>> We operate 2x networks.
>>>
>>> One of them runs Cisco 7201 routers as route reflectors,
>>> while the other runs Juniper M120 routers.
>>>
>>> The large Juniper routers were due to particular BGP AFIs
>>> that Cisco IOS does not support (yet).
>>>
>>>> I've been toying with the idea of using Quagga route
>>>> servers to announce our prefixes to our edge routers and
>>>> redistribute BGP announcements learned from downstream
>>>> customers.
>>>
>>> You can certainly use any device in your network to
>>> originate your allocations. We just use the route reflectors
>>> because it is a natural fit, but you can use any device
>>> provided it would be as stable and independent as a route
>>> reflector.
>>>
>>> The last thing you want is a blackhole or a route going away
>>> because your backhaul failed or your customer DoS'ed your
>>> edge router :-).
>>>
>>>> Only drawback is the lack of support for
>>>> tagged static routes, so it looks like I'm going to have
>>>> to use a network statement w/ route-map to set the
>>>> attributes.
>>>
>>> There was a time when networks were run without prefix
>>> lists, BGP communities or even route maps. I'm too young to
>>> have ever experienced those times, but I always joke with a
>>> friend (from those times) about how good we have it today,
>>> and how hard life must have been for Internet engineers of
>>> old :-).
>>>
>>> If you have the opportunity, I'd advise against operating
>>> without these very useful tools.
>>>
>>>> Has anyone tried this, or is it suicide?
>>>
>>> I'm sure there are several networks out there that are
>>> intimidated by additional BGP features such as communities,
>>> advanced routing policy, etc. They do survive without
>>> having to deal with this, probably because their networks
>>> are small and the pain is better than trying something new.
>>> But I certainly wouldn't recommend it to anyone (except, as
>>> Randy would say, my competitors).
>>>
>>> Mark.
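Nobody in the thread posted a configuration, so the following is an added example of the arrangement Mark and Tony describe, written in Quagga bgpd/zebra syntax (Cisco-like, so it maps onto a 7200 with minor changes). It is not from the thread or from either poster. Every number in it is an assumption drawn from the documentation ranges: AS 64496 is the local network, 64497 the transit provider, 64498 a customer; 192.0.2.0/24 and 198.51.100.0/24 are the aggregates being originated; 203.0.113.0/24 is the customer's prefix; 192.0.2.1/.2 are loopbacks and 10.255.x.x are peering-link addresses; 64496:100 (our origination) and 64496:200 (customer-learned) are community values chosen for this example. The route reflector originates the aggregates with a `network` statement plus a route-map, the workaround Joe mentions for the lack of tagged statics, and tags them with the origination community. The edge router's outbound policy toward transit permits only routes that carry one of the expected communities together with a matching AS-path, and implicitly denies everything else, as Tony suggests.

```quagga
!
! --- Route reflector / route server (originates the aggregates) ---
!
! Null0 statics in zebra keep the aggregates in the RIB independently of
! any edge router, so the announcement does not depend on backhaul state.
ip route 192.0.2.0/24 Null0
ip route 198.51.100.0/24 Null0
!
! Tag everything we originate with the origination community (assumed value).
route-map ORIGINATE permit 10
 set community 64496:100
 set local-preference 200
!
router bgp 64496
 bgp router-id 192.0.2.1
 bgp log-neighbor-changes
 ! Adding a new block means adding one Null0 static above and one line here;
 ! the edge routers' policy keys on the community, not on the prefix.
 network 192.0.2.0/24 route-map ORIGINATE
 network 198.51.100.0/24 route-map ORIGINATE
 neighbor IBGP peer-group
 neighbor IBGP remote-as 64496
 neighbor IBGP update-source lo
 neighbor IBGP send-community
 neighbor IBGP route-reflector-client
 neighbor 192.0.2.2 peer-group IBGP
!
! --- Edge router (iBGP to the reflector, eBGP to transit and a customer) ---
!
! Community lists: what we originate and what we learned from customers.
ip community-list standard OUR-ORIGIN permit 64496:100
ip community-list standard CUST-ROUTES permit 64496:200
!
! AS-path lists: locally originated (empty path), customer paths (prepends
! allowed), and anything that has passed through the transit AS.
ip as-path access-list LOCAL-ONLY permit ^$
ip as-path access-list CUSTOMER permit ^64498(_64498)*$
ip as-path access-list VIA-TRANSIT permit _64497_
!
! Only the customer's registered prefix is accepted and tagged on ingress.
ip prefix-list CUST-64498 seq 5 permit 203.0.113.0/24
!
route-map FROM-CUST permit 10
 match ip address prefix-list CUST-64498
 set community 64496:200
! no final permit: anything else the customer sends is dropped
!
! Outbound to transit: explicit deny of transit-learned paths, then only
! expected community AND expected AS-path; everything else implicitly denied.
route-map TO-TRANSIT deny 5
 match as-path VIA-TRANSIT
route-map TO-TRANSIT permit 10
 match community OUR-ORIGIN
 match as-path LOCAL-ONLY
route-map TO-TRANSIT permit 20
 match community CUST-ROUTES
 match as-path CUSTOMER
!
router bgp 64496
 bgp router-id 192.0.2.2
 bgp log-neighbor-changes
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 update-source lo
 neighbor 192.0.2.1 send-community
 neighbor 10.255.0.1 remote-as 64497
 neighbor 10.255.0.1 description transit
 neighbor 10.255.0.1 route-map TO-TRANSIT out
 neighbor 10.255.1.1 remote-as 64498
 neighbor 10.255.1.1 description customer
 neighbor 10.255.1.1 route-map FROM-CUST in
```

Two points to check before relying on this: the reflector must be running zebra alongside bgpd so the Null0 statics exist for the `network` statements to pick up, and the `match community` and `match as-path` lines in one route-map clause are ANDed, which is what makes a route with the right community but a wrong AS-path fall through to the implicit deny.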