Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: URPF on small BGP-enabled customers?

  • From: Andre Oppermann
  • Date: Fri Jun 03 09:59:52 2005

christian.macnevin@uk.bnpparibas.com wrote:
At an old transit provider I was at, we had a pig of a time dealing with
uRPF. It doesn't like asymmetric routing at all, which is commonplace when
you've got customers homed at exchange points for one.
This is why I say there should be a feature that will work like a dynamic
ACL but is fed from BGP.  All the prefixes you learn from customer A via
BGP are put into an automatic ACL, default is deny.  Then you apply this
dynamic ACL to the interface the customer is connected to.  Of course it
still doesn't work if you send traffic from prefixes you don't announce but
for 70-80% of the cases it's a big step forward in automation.  This also
gets rid of any differences between ACL on the forwarding plane and on the
routing protocol plane.  All prefix filters are defined in BGP configuration.
Forwarding layer follows and never gets out of sync again.

Random example syntax:

 router bgp 65500
   neighbor 192.168.2.2 remote-as 65501
   neighbor 192.168.2.2 dynamic ACL 10001 receive  #put received prefixes here
   neighbor 192.168.2.2 prefix-list CUST65501
   ... #usual stuff

 #only this one is controlled
 ip prefix-list extended CUST65501
   permit ip 172.16.0.0/16 any
   permit ip 10.0.0.0/8 any

 #ACL on interface follows BGP received prefixes
 interface f0/0/0
   ip access-group 10001 in  #same as in BGP neighbor config


And Voila!  Problem automagically solved.

--
Andre




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.