This is an old revision of the document!
BGP Filter
- Everyone is free to filter on his AS as he wishes, however it is recommended to deny the default route1), inbound and outbound.
- It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 60 bits. Of course there are exceptions:
- Non-RFC1918 addresses reachable via GLaNET.
- GLaNET services addresses (192.168.248.0/22 and
fd00:6b64:f3b0::/48
).
Example prefix lists
IPv4
ip prefix-list glanet-in description BGP IPv4 import filter ! Deny default route ip prefix-list glanet-in seq 10 deny 0.0.0.0/0 ! Deny prefixes with high risk of collision within GLaNET range ip prefix-list glanet-in seq 20 deny 192.168.0.0/22 le 32 ip prefix-list glanet-in seq 21 deny 192.168.8.0/22 le 32 ip prefix-list glanet-in seq 22 deny 192.168.100.0/22 le 32 ip prefix-list glanet-in seq 23 deny 192.168.200.0/22 le 32 ip prefix-list glanet-in seq 24 deny 192.168.252.0/22 le 32 ! Deny other RFC1918 prefixes ip prefix-list glanet-in seq 30 deny 10.0.0.0/8 le 32 ip prefix-list glanet-in seq 31 deny 172.16.0.0/12 le 32 ! Deny shared address space ip prefix-list glanet-in seq 40 deny 100.64.0.0/10 le 32 ! Allow everything ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32
IPv6
! Deny default route ipv6 prefix-list glanet6-in deny 0::/0 ! Deny 6bone prefix (not used anymore) ipv6 prefix-list glanet6-in deny 3ffe::/16 le 128 ! Deny documentation prefix ipv6 prefix-list glanet6-in deny 2001:db8::/32 le 128 ! Teredo prefix must be exactly 32-bit long ipv6 prefix-list glanet6-in permit 2001::/32 ipv6 prefix-list glanet6-in deny 2001::/32 le 128 ! 6to4 prefix must be exactly 16-bit long ipv6 prefix-list glanet6-in permit 2002::/16 ipv6 prefix-list glanet6-in deny 2002::/16 le 128 ! Deny loopback/unspecified/v4-mapped prefix ipv6 prefix-list glanet6-in deny 0000::/8 le 128 ! Deny multicast prefixes ipv6 prefix-list glanet6-in deny fe00::/9 le 128 ipv6 prefix-list glanet6-in deny ff00::/8 le 128 ! Permit everything else ipv6 prefix-list glanet6-in permit 0::/0 le 128
1)
IPv4:
0.0.0.0/0
| IPv6: ::0/0