0.0.0.0/8 addressing: The 0.0.0.0 through 0.255.255.255 address space is used
internally by some systems. It is not assigned and should not be used. This does not
include the default route 0.0.0.0/0.
Test network addressing: The 192.0.2.0/24 address space is reserved for test
networks. This prefix is intended for use in documentation and sample code.
Class D and E address space: Class D addresses are not actual host addresses;
they represent IP multicast groups. These groups are not advertised by unicast routing
protocols and should not be received via BGP. The Class D address space is 224.0.0.0/4.
The Class E address space, 240.0.0.0/4, is reserved and not in use.
The other block of address space that you should never receive an advertisement for is your
own address space. This includes prefix advertisements that are equal to or longer than your
netblock. This does not include advertisements that are shorter than your netblock, because
this could represent an aggregate of which your netblock is a component. Example 6-1
shows a sample filter. Note that the last statement permits any prefixes that have not been
explicitly denied.
Example 6-1 Inbound Martian Prefix Filtering
Router#show running-config | begin prefix
ip prefix-list MARTIAN seq 5 deny 0.0.0.0/8 le 32
ip prefix-list MARTIAN seq 10 deny 10.0.0.0/8 le 32
ip prefix-list MARTIAN seq 15 deny 172.16.0.0/12 le 32
ip prefix-list MARTIAN seq 20 deny 192.168.0.0/16 le 32
ip prefix-list MARTIAN seq 25 deny 127.0.0.0/8 le 32
ip prefix-list MARTIAN seq 30 deny 169.254.0.0/16 le 32
ip prefix-list MARTIAN seq 35 deny 192.0.2.0/24 le 32
ip prefix-list MARTIAN seq 40 deny 224.0.0.0/4 le 32
ip prefix-list MARTIAN seq 50 deny 240.0.0.0/4 le 32
ip prefix-list MARTIAN seq 55 permit 0.0.0.0/0 le 32
!
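The following Python code is an added example, not part of the original text or of any router software. It models first-match evaluation of the MARTIAN prefix list and adds the own-address-space deny described above, which Example 6-1 itself does not contain. The netblock 198.51.100.0/24 and the received prefixes are constructed values chosen for illustration.

```python
import ipaddress

# The page's MARTIAN list as (action, prefix, le) entries, in sequence order.
MARTIAN = [
    ("deny", "0.0.0.0/8", 32),
    ("deny", "10.0.0.0/8", 32),
    ("deny", "172.16.0.0/12", 32),
    ("deny", "192.168.0.0/16", 32),
    ("deny", "127.0.0.0/8", 32),
    ("deny", "169.254.0.0/16", 32),
    ("deny", "192.0.2.0/24", 32),
    ("deny", "224.0.0.0/4", 32),
    ("deny", "240.0.0.0/4", 32),
    ("permit", "0.0.0.0/0", 32),
]

# Assumption: a constructed enterprise netblock, not taken from the page.
OWN_NETBLOCK = "198.51.100.0/24"


def build_filter(own_netblock=OWN_NETBLOCK):
    """Place the own-netblock deny ahead of the final permit-any entry."""
    return MARTIAN[:-1] + [("deny", own_netblock, 32), MARTIAN[-1]]


def evaluate(prefix, entries):
    """Return the action of the first matching entry (implicit deny if none).

    An entry 'P/len le N' matches a route whose network falls inside P and
    whose mask length is between len and N inclusive.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    for action, base, le in entries:
        net = ipaddress.ip_network(base)
        if route.subnet_of(net) and net.prefixlen <= route.prefixlen <= le:
            return action
    return "deny"


if __name__ == "__main__":
    # Constructed sample of received advertisements.
    received = ["0.0.0.0/0", "10.1.2.0/24", "198.51.100.0/24",
                "198.51.100.128/25", "198.51.0.0/16", "203.0.113.0/24"]
    flt = build_filter()
    for p in received:
        print(f"{p:20} {evaluate(p, flt)}")
```

The default route and the shorter aggregate 198.51.0.0/16 are permitted, while the netblock itself and its more-specific /25 are denied, matching the equal-or-longer rule in the text.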
Outbound Filtering
The prefix information that is sent to your upstream providers should also be carefully
filtered to ensure that only the enterprise networks are advertised to the upstream providers.
If the enterprise network is multihomed to different providers, it could provide transit for
the two providers if outbound filters are not applied.
It is typically advised that you provide multiple layers of outbound filtering to protect
against misconfiguration. The first layer is prefix filtering using either prefix lists or
distribute lists. The second layer of filtering uses a filter list to filter on AS_PATH so that
only prefixes originated by the enterprise AS are sent to the upstream provider.