Why not use a standard access-list like:

access-list 50 deny 0.0.0.0 0.0.0.0
access-list 50 deny 127.0.0.0 0.255.255.255
access-list 50 deny 10.0.0.0 0.255.255.255
access-list 50 deny 172.16.0.0 0.15.255.255
access-list 50 deny 192.168.0.0 0.0.255.255
access-list 50 deny 192.0.2.0 0.0.0.255
access-list 50 deny 128.0.0.0 0.0.255.255
access-list 50 deny 191.255.0.0 0.0.255.255
access-list 50 deny 198.32.184.0 0.0.0.255 ! MAE-WEST (could be done)
access-list 50 deny 198.32.136.0 0.0.0.255 ! MAE-WEST (to include all EPs)
access-list 50 deny 198.32.186.0 0.0.0.255 ! MAE-EAST
access-list 50 deny 192.41.177.0 0.0.0.255 ! MAE-EAST
access-list 50 deny 198.32.130.0 0.0.0.255 ! AADS
access-list 50 deny 206.183.224.0 0.0.31.255 ! FNSI
access-list 50 deny 209.41.192.0 0.0.31.255 ! FNSI
access-list 50 deny 209.115.0.0 0.0.31.255 ! FNSI
access-list 50 deny 223.255.255.0 0.0.0.255
access-list 50 deny 224.0.0.0 31.255.255.255
access-list 50 permit any

Then apply this to your peer session on the inbound with the command:

neighbor x.x.x.x distribute-list 50 in

You want to filter on an interface for this? If you get the route into your routing table, that's where the problem starts. Attaching the filter to the peer session will at least get rid of the bad routes from the start. I would rather use CPU on keeping the BGP sessions clean than wasting it on checking the interface for packets with 10/8.

If anyone has any better suggestions, I would love to hear them.

Todd R. Stroup
Fiber Network Solutions, Inc.

On Tue, 23 Sep 1997 bmanning@ISI.EDU wrote:
! Loopback
access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
! RFC 1918 private blocks
access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
! Test Network
access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
! Tiny networks.
access-list 100 deny ip any 255.255.255.128 0.0.0.127
access-list 100 permit ip any any

The operative phrase here is border. That means ASN border, i.e. where you BGP peer with others. At the provider/subscriber interface, within your IGP, using RFC 1918 space is ok.
-- --bill
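
Added example, not part of the original messages: a Python model of how the standard access-list 50 above is evaluated when attached as a distribute-list, where each entry's address and wildcard are compared against the route's network address and the first match wins. The ACL text is a subset of the list in the message; the sample routes and the function names parse_acl and evaluate are constructed for illustration.

```python
import ipaddress

# Subset of access-list 50 from the message above; "!" starts a comment.
ACL_50 = """\
access-list 50 deny 0.0.0.0 0.0.0.0
access-list 50 deny 127.0.0.0 0.255.255.255
access-list 50 deny 10.0.0.0 0.255.255.255
access-list 50 deny 172.16.0.0 0.15.255.255
access-list 50 deny 192.168.0.0 0.0.255.255
access-list 50 deny 192.0.2.0 0.0.0.255
access-list 50 deny 198.32.136.0 0.0.0.255 ! MAE-WEST (to include all EPs)
access-list 50 deny 224.0.0.0 31.255.255.255
access-list 50 permit any
"""

def parse_acl(text):
    """Return ordered (action, address, wildcard) tuples, addresses as ints."""
    entries = []
    for line in text.splitlines():
        fields = line.split("!", 1)[0].split()
        if len(fields) < 4 or fields[0] != "access-list":
            continue
        action, rest = fields[2], fields[3:]
        if rest[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        else:
            addr = int(ipaddress.IPv4Address(rest[0]))
            # A standard ACL entry without a wildcard is an exact match.
            wild = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
        entries.append((action, addr, wild))
    return entries

def evaluate(entries, prefix):
    """First match wins; only the route's network address is compared."""
    net = int(ipaddress.IPv4Network(prefix).network_address)
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
        if (net & care) == (addr & care):
            return action
    return "deny"  # implicit deny at the end of every access-list

if __name__ == "__main__":
    acl = parse_acl(ACL_50)
    # Constructed sample announcements, not taken from the thread.
    for route in ["0.0.0.0/0", "10.20.0.0/16", "172.31.0.0/16",
                  "172.32.0.0/16", "240.0.0.0/4", "198.51.100.0/24"]:
        print(f"{route:18} {evaluate(acl, route)}")
```

Because only the network address is compared, a standard access-list used this way cannot distinguish 10.0.0.0/8 from 10.0.0.0/24; the extended access-list 100 quoted above adds a second address/wildcard pair that is matched against the mask.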