
0.0.0.0 in prefix-list filter (Why?)
Can anyone think of a reason to have the 0.0.0.0 filters in an inbound BGP connection prefix-list?
ip prefix-list RFC1918 seq 10 deny 0.0.0.0/0
ip prefix-list RFC1918 seq 20 deny 0.0.0.0/8 le 32
ip prefix-list RFC1918 seq 30 deny 10.0.0.0/8 le 32
ip prefix-list RFC1918 seq 40 deny 127.0.0.0/8 le 32
ip prefix-list RFC1918 seq 50 deny 169.254.0.0/16 le 32
ip prefix-list RFC1918 seq 60 deny 172.16.0.0/12 le 32
ip prefix-list RFC1918 seq 70 deny 192.0.2.0/24 le 32
ip prefix-list RFC1918 seq 80 deny 192.168.0.0/16 le 32
ip prefix-list RFC1918 seq 90 deny 224.0.0.0/3 le 32
ip prefix-list RFC1918 seq 100 deny 0.0.0.0/0 ge 25
ip prefix-list RFC1918 seq 110 permit 0.0.0.0/0 le 32
Thanks
Rich
Comments
Yes, because you don't want to receive a default route. If somebody fat-fingers the BGP configuration, you want to protect yourself from receiving the route in. The 0.0.0.0/8 entry is to protect from somebody announcing that network; it should only be used as a source IP, not a destination.
Then you have the RFC1918 addresses, loopback range, multicast range, etc., and you deny routes that have a /25 mask or longer. This is common practice; there is no guarantee that even a /24 will be announced.
Sequence 10 denies a default route. Sequence 100 denies all routes with a mask greater than or equal to 25. Sequence 110 permits all other routes.
Brian McGahan, CCIE #8593 (R&S/SP/Security)
[email protected]
Internetwork Expert, Inc.
http://www.INE.com
Online Community: http://www.IEOC.com
CCIE Blog: http://blog.INE.com
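To see exactly which sequence catches a given route, here is an added example (not from the thread) that reimplements IOS prefix-list first-match semantics in Python, using the list quoted above and Python's ipaddress module. The ge/le defaulting rules (no ge/le means exact length, ge alone means up to /32, le alone starts at the entry's own length) are the assumptions being modelled.

```python
import ipaddress
import re

# Constructed copy of the prefix-list quoted in the thread (Cisco IOS syntax).
RFC1918_LIST = """
ip prefix-list RFC1918 seq 10 deny 0.0.0.0/0
ip prefix-list RFC1918 seq 20 deny 0.0.0.0/8 le 32
ip prefix-list RFC1918 seq 30 deny 10.0.0.0/8 le 32
ip prefix-list RFC1918 seq 40 deny 127.0.0.0/8 le 32
ip prefix-list RFC1918 seq 50 deny 169.254.0.0/16 le 32
ip prefix-list RFC1918 seq 60 deny 172.16.0.0/12 le 32
ip prefix-list RFC1918 seq 70 deny 192.0.2.0/24 le 32
ip prefix-list RFC1918 seq 80 deny 192.168.0.0/16 le 32
ip prefix-list RFC1918 seq 90 deny 224.0.0.0/3 le 32
ip prefix-list RFC1918 seq 100 deny 0.0.0.0/0 ge 25
ip prefix-list RFC1918 seq 110 permit 0.0.0.0/0 le 32
"""
ENTRY_RE = re.compile(
    r"ip prefix-list \S+ seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$"
)

def parse_prefix_list(text):
    """Return [(seq, action, network, min_len, max_len)] in config order."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable entry: {line!r}")
        seq, action, prefix, ge, le = m.groups()
        net = ipaddress.ip_network(prefix, strict=False)
        # IOS semantics: no ge/le -> exact length; ge alone -> ge..32;
        # le alone -> prefixlen..le; both -> ge..le.
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (net.max_prefixlen if ge else net.prefixlen)
        entries.append((int(seq), action, net, lo, hi))
    return entries

def match_route(entries, route):
    """First match wins; (None, 'deny') models the implicit deny at the end."""
    net = ipaddress.ip_network(route, strict=False)
    for seq, action, prefix, lo, hi in entries:
        # Bits are compared only up to the entry's own length (so a /0 entry
        # covers every route); the route's mask must then fall inside [lo, hi].
        if net.subnet_of(prefix) and lo <= net.prefixlen <= hi:
            return seq, action
    return None, "deny"

if __name__ == "__main__":
    pl = parse_prefix_list(RFC1918_LIST)
    for r in ("0.0.0.0/0", "10.1.1.0/24", "203.0.113.0/25", "203.0.113.0/24"):
        print(r, "->", match_route(pl, r))
```

Running it shows the default route stopped by seq 10, 10.1.1.0/24 by seq 30, a /25 by seq 100, and a public /24 reaching the seq 110 permit.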
From: [email protected] [mailto:[email protected]] On Behalf Of omagico
Sent: Tuesday, August 30, 2011 2:01 PM
To: Brian McGahan
Subject: [CCIE R&S] 0.0.0.0 in prefix-list filter (Why?)