On 20-Nov-2006, at 09:03, Mikael Abrahamsson wrote:
> On Mon, 20 Nov 2006, Alexander Koch wrote:
>> ehm, when you have filter lists, why max-prefix? do you really use
>> filters, if so what kind of? i would be really curious to know
>> what other ISPs do.
> Security in depth is actually a very good concept.
There's a more direct reason to implement for some networks, too.
If you have loose filters which allow your customers to deaggregate,
you can add a maximum-prefix filter to stop ridiculous deaggregation
which might blow maximum-prefix limits in your peers' routers, or
cause devices in your own network to run out of RAM, etc.
router bgp 9327
 ! customer session; the peer-group carries the shared settings (defined elsewhere)
 neighbor 4.1.2.3 remote-as 3356
 neighbor 4.1.2.3 peer-group hypothetical-customers
 ! which routes we accept: only those matching prefix-list AS3356
 neighbor 4.1.2.3 prefix-list AS3356 in
 ! how many routes we accept: past 200 the session is reset (IOS default, no warning-only)
 neighbor 4.1.2.3 maximum-prefix 200
!
ip prefix-list AS3356 permit 8.0.0.0/8 le 24
In this case the prefix filter controls the kind of routes you're
willing to accept from your customer (anything covered by 8.0.0.0/8
with a prefix length of 24 bits or less), and the maximum-prefix
limit controls the number of routes you're prepared to accept (200).
Joe
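As an added illustration of the policy in Joe's message (this is not code from the thread, and the announcements it feeds in are constructed): a small Python model of an IOS-style prefix-list evaluated first, then a maximum-prefix count applied to whatever survives. Running it shows the point directly: a customer who chops 8.0.0.0/8 into all 65536 /24s passes the prefix-list `permit 8.0.0.0/8 le 24` on every single route, and only the `maximum-prefix 200` limit stops the flood. The `ge`/`le` handling follows IOS semantics (no keyword means exact match only; `ge` alone means up to /32).

```python
"""Toy model of the inbound BGP policy in the message above: an IOS-style
prefix-list (permit 8.0.0.0/8 le 24) plus a maximum-prefix limit (200).
Added example, not code from the original thread; the sample announcements
below are constructed, not real routing data."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple, Union

Net = Union[str, ipaddress.IPv4Network]


def to_net(p: Net) -> ipaddress.IPv4Network:
    """Accept either a string like "8.0.0.0/8" or an IPv4Network."""
    return p if isinstance(p, ipaddress.IPv4Network) else ipaddress.IPv4Network(p)


@dataclass(frozen=True)
class PrefixListEntry:
    """One line of an IOS-style prefix-list, e.g. `permit 8.0.0.0/8 le 24`."""
    action: str                 # "permit" or "deny"
    network: str                # covering prefix, e.g. "8.0.0.0/8"
    ge: Optional[int] = None    # minimum prefix length, inclusive
    le: Optional[int] = None    # maximum prefix length, inclusive

    def matches(self, prefix: Net) -> bool:
        # IOS semantics: the candidate must lie inside `network` and its length
        # must fall within [ge, le]. With neither keyword only an exact match
        # hits; with only `ge`, anything from ge up to /32 hits.
        net, cand = to_net(self.network), to_net(prefix)
        if not cand.subnet_of(net):
            return False
        lo = self.ge if self.ge is not None else net.prefixlen
        hi = self.le if self.le is not None else (32 if self.ge is not None else net.prefixlen)
        return lo <= cand.prefixlen <= hi


def prefix_list_permits(entries: List[PrefixListEntry], prefix: Net) -> bool:
    """First matching entry wins; a prefix matching no entry is denied (implicit deny)."""
    for entry in entries:
        if entry.matches(prefix):
            return entry.action == "permit"
    return False


def count_permitted(received: Iterable[str], prefix_list: List[PrefixListEntry]) -> int:
    """How many routes the prefix-list alone would let through, with no count limit."""
    return sum(prefix_list_permits(prefix_list, p) for p in received)


def apply_inbound_policy(received: Iterable[str], prefix_list: List[PrefixListEntry],
                         maximum_prefix: int) -> Tuple[List[str], List[str], bool]:
    """Return (installed, rejected, session_up).

    Each route is checked against the prefix-list first; survivors count toward
    maximum-prefix. Exceeding the limit mirrors the IOS default (no
    `warning-only`): the session is reset, which withdraws everything learned
    from it, so nothing stays installed.
    """
    installed: List[str] = []
    rejected: List[str] = []
    for p in received:
        if not prefix_list_permits(prefix_list, p):
            rejected.append(p)
            continue
        if len(installed) >= maximum_prefix:
            return [], rejected, False   # limit exceeded: session torn down
        installed.append(p)
    return installed, rejected, True


# The policy from the message above.
AS3356_IN = [PrefixListEntry("permit", "8.0.0.0/8", le=24)]
MAXIMUM_PREFIX = 200

# Constructed sample announcements from the hypothetical customer.
WELL_BEHAVED = ["8.0.0.0/8", "8.1.0.0/16", "8.2.0.0/16", "8.3.4.0/24",  # all permitted
                "8.9.9.128/25",   # longer than le 24: no entry matches, implicit deny
                "9.0.0.0/8"]      # outside 8.0.0.0/8: implicit deny

# A deaggregation storm: the whole /8 chopped into every one of its 65536 /24s.
DEAGGREGATED = [str(n) for n in ipaddress.IPv4Network("8.0.0.0/8").subnets(new_prefix=24)]


if __name__ == "__main__":
    inst, rej, up = apply_inbound_policy(WELL_BEHAVED, AS3356_IN, MAXIMUM_PREFIX)
    print(f"well-behaved: installed={len(inst)} rejected={rej} session_up={up}")
    print(f"deaggregated: prefix-list alone permits {count_permitted(DEAGGREGATED, AS3356_IN)} routes")
    inst, rej, up = apply_inbound_policy(DEAGGREGATED, AS3356_IN, MAXIMUM_PREFIX)
    print(f"deaggregated: installed={len(inst)} rejected={len(rej)} session_up={up}")
```

The two numbers worth comparing are the 65536 routes the prefix-list alone permits and the 200 the maximum-prefix limit caps the session at: the filter answers "which", the limit answers "how many", and the second question is the one that protects your peers' routers and your own RAM from a customer who deaggregates inside a range you legitimately accept.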