[NCLUG] Egress Filtering
Sean Reifschneider
jafo-nclug at tummy.com
Fri Aug 10 21:31:48 MDT 2001
On Fri, Aug 10, 2001 at 11:39:51AM -0600, mike cullerton wrote:
>well, perhaps it's time for them to get a bigger router :)
Do you now, or have you ever been a shareholder in Cisco?
>um, you should always know what ip's are valid for your network. anything
>else is bad (tm).
If you are routing traffic for someone else's AS, and they add some IPs, you
probably won't find out *UNLESS* you are doing filtering. ;-/
>they will announce over bgp and you should be filtering those announcements.
>you can then create an access-list based on those announcements and apply it
>to the traffic coming in over that interface.
Really? Automatically? Cool...
>however, if everyone who isn't in this boat did filter, the world would be a
>better place.
Agreed. I didn't say that people SHOULDN'T filter, I just was giving some
explanations as to why they don't. I think it's a very good idea.
Sean
--
A computer is like an Old Testament god, with a lot of rules and no mercy.
-- Joseph Campbell
Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
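
The approach discussed in this thread (turn the prefixes accepted over a BGP session into a source-address access list for that interface, and notice when the announcements change) can be sketched as follows. This is an added example, not part of the original message; the prefixes are constructed documentation ranges, and the IOS-style ACL syntax, the ACL number and the function names are assumptions.

```python
import ipaddress

# Constructed sample: prefixes accepted from one peer's BGP session
# (documentation ranges, not taken from the thread).
ANNOUNCED = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24", "203.0.113.64/26"]

def aggregate(prefixes):
    """Parse prefixes (rejecting host bits) and collapse adjacent ones."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))

def build_acl(prefixes, acl_id=101):
    """Emit IOS-style extended ACL lines: permit announced sources, deny the rest."""
    lines = [
        f"access-list {acl_id} permit ip {n.network_address} {n.hostmask} any"
        for n in aggregate(prefixes)
    ]
    lines.append(f"access-list {acl_id} deny ip any any log")
    return lines

def source_allowed(src, prefixes):
    """True if a packet's source address falls inside an announced prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in aggregate(prefixes))

def drift(installed, announced):
    """Compare the prefixes the ACL was built from with the current
    announcements; returns (to_add, to_remove) so a change is not missed."""
    old, new = set(aggregate(installed)), set(aggregate(announced))
    return sorted(new - old), sorted(old - new)

if __name__ == "__main__":
    print("\n".join(build_acl(ANNOUNCED)))
    to_add, to_remove = drift(ANNOUNCED[:3], ANNOUNCED)
    print("new prefixes needing an ACL update:", [str(n) for n in to_add])
```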