On Tue, 23 Sep 1997, Todd R. Stroup wrote:
You want to filter on an interface for this? If you get the route into your routing table that's where the problem starts. Attaching the filter to the peer session will at least get rid of the bad routes from the start. I would rather use CPU on keeping the BGP sessions clean than wasting it on checking the interface for packets with 10/8. If anyone has any better suggestions, I would love to hear them.
Maybe I am missing something, but we use an inbound access list on all external links that eliminates IP address spoofing, as well as some basic security issues (blocking NFS, r* commands, etc just in case some machine inside is misconfigured). If you have an inbound access list that filters based on the source address already, why would you not add the private addresses to that?

John Tamplin                 Traveller Information Services
jat@Traveller.COM            2104 West Ferry Way
205/883-4233x7007            Huntsville, AL 35801
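An inbound access list of the kind described in the message above, as an added illustration that is not configuration from either poster. Cisco IOS-style syntax is assumed; the list name, the interface name and the internal prefix 192.0.2.0/24 are placeholders.

```cisco
! Added example. EXTERNAL-IN, Serial0 and 192.0.2.0/24 are placeholders.
ip access-list extended EXTERNAL-IN
 ! Anti-spoofing: packets arriving from outside must not claim
 ! a source address inside our own network (placeholder prefix).
 deny   ip 192.0.2.0 0.0.0.255 any
 ! Private address space added to the same source-address filter.
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 ! Basic service blocks in case an inside machine is misconfigured:
 ! NFS (2049) and the r* commands (exec 512, login 513, shell 514).
 deny   tcp any any eq 2049
 deny   udp any any eq 2049
 deny   tcp any any range 512 514
 ! Everything else is passed on to normal forwarding.
 permit ip any any
!
interface Serial0
 description external link (placeholder interface)
 ip access-group EXTERNAL-IN in
```

The list filters packets by source address on the interface; it does not stop a route for 10/8 from being accepted over a BGP session, which is the separate peer-session filter the quoted message refers to.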