On Tue, 12 Oct 2004, Niels Bakker wrote:
* christopher.morrow@mci.com (Christopher L. Morrow) [Tue 12 Oct 2004, 05:18 CEST]:
a common occurance we've seen is a customer of a customer NOT announcing , nor planning on announcing, their routes to their upstream#1 which they use ONLY for outbound traffic (cheap transit for instance, and perhaps only for some portions of their total sources) though they announce to upstreams#2-N the proper sources to gather the return traffic. These things make uRPF 'difficult'.
You could use uRPF-loose there, or the customer could do:
! route-map outbound-only permit 10 match prefix-list myprefixes set community no-export !
this does not address the problem, the customer's customer isn't announcing routes for this traffic so there is nothing to no-export :( Example: the 'chris.net' network is a customer of MCI, his customer "bakker.net". 'bakker.net' decides 'chris.net' has priced transit cheaply this year/month/day and choses not to accept traffic from 'chris.net' but send all outbound traffic through 'chris.net'. 'chris.net' never seens routes for the sources sending this traffic, yet passes it along to the upstream, which also has no routes for 'bakker.net' via 'chris.net'. Regardless, the point here is: "Things seem like they may be getting better, as 'security' requirements are now firmly being included into new equipment purchases."