On Wed, Mar 12, 2003 at 10:22:53PM -0500, Andy Dills wrote:
> Randy, you've run a huge network. I have not had that opportunity, and I don't have "banana eaters" working for me (and I'm not sure what that phrase means exactly, but I'll assume it isn't racial).
I believe he is referring to the class of people who do stuff without understanding why that we sometimes call monkeys... Leave it to Randy to defend and offend in the same e-mail, but fortunately I don't think anyone is going to complain about species-ism. :)
> I must not understand something. How would the banana eaters screw up applying the same prefix-list outbound to all neighbors? Seems like an easy protocol to follow. I could understand the problems with applying inbound filters (unique huge filter for each neighbor), but if you're willing to localize bogon routes to the border router, without redistributing them, you get the job done. So filter announcements to every neighbor.
Simple, apply a bogon list and then fail to update it. If you are not ready, willing and able to keep your lists updated, you probably shouldn't have applied them in the first place.

I routinely see people doing absurd things like applying ipfw bogon filters on individual servers to "protect against DoS" that end up costing them way more in performance than they could possibly gain from filtering the bogons. Let's keep it real, folks, these filters aren't needed everywhere.

Personally I don't think it's "too" hard to set up some scripts which can apply updated bogon and other important prefix-list updates globally. Rancid and about 15 lines of shell script should do you just fine. If you're lucky enough to have Junipers, you can use the same prefix-list to filter both routes and packets.

That said, I'm sure we would all LOVE a protocol which can dynamically supply routes for various route and packet filter operations throughout a large network.

-- 
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
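The stale-list failure described above, as an added example that is not from the original message or its author: it renders one outbound prefix-list from a bogon file and refuses when the file is older than a limit or contains a malformed entry. The list name, the 30-day limit, the one-prefix-per-line file layout and the sample prefixes are assumptions; pushing the result to routers is left to whatever tooling is in use.

```shell
#!/bin/sh
# Added example. MAX_AGE_DAYS, LIST_NAME and the file layout are assumptions.
MAX_AGE_DAYS=30        # refuse to render from a list older than this
LIST_NAME=BOGONS-OUT   # hypothetical prefix-list name

# is_cidr PREFIX: succeed only for a.b.c.d/len with octets <= 255, len <= 32
is_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '{
        if (NF != 5) exit 1
        for (i = 1; i <= 5; i++) if ($i !~ /^[0-9]+$/) exit 1
        for (i = 1; i <= 4; i++) if ($i > 255) exit 1
        if ($5 > 32) exit 1
        exit 0 }'
}

# render_prefix_list FILE: print IOS-style prefix-list lines on stdout.
# Returns 2 unreadable, 3 stale, 4 malformed entry; prints nothing on error.
render_prefix_list() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    if [ -n "$(find "$file" -mtime +"$MAX_AGE_DAYS")" ]; then
        echo "$file is older than $MAX_AGE_DAYS days, not rendering" >&2
        return 3
    fi
    seq=5 lines=""
    while read -r prefix rest || [ -n "$prefix" ]; do
        case $prefix in ''|'#'*) continue ;; esac
        is_cidr "$prefix" || { echo "bad entry: $prefix" >&2; return 4; }
        lines="${lines}ip prefix-list $LIST_NAME seq $seq deny $prefix le 32
"
        seq=$((seq + 5))
    done < "$file"
    # Everything not listed is permitted (assumed policy for this example).
    printf '%sip prefix-list %s seq %s permit 0.0.0.0/0 le 32\n' \
        "$lines" "$LIST_NAME" "$seq"
}

# Constructed sample input: RFC 1918 and documentation ranges only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample bogon file, one prefix per line
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
192.0.2.0/24
EOF
render_prefix_list "$sample"
```

Because the same rendered list goes to every neighbor, a non-zero return is the point at which an update job should stop and alert rather than push anything.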