On a cisco 6509 sup720, that has peerroutes and transit routes, is their a way to limit a customer to only the peerroutes. I've seen issues with a customer still sending me traffic that's not destined for any network in his bgp peer routes that I sent him. and as such, the router still routes it out.
Is their a way to limit the inbound traffic from a client, to only accept traffic that is destined to the routes that I have sent him via bgp. ie, denying him using me as a default route.
EDIT: Try policy based routing, since they can use route-map, you may be able to use the route-map you use to advertise to your client thru BGP. But it may not be the best and 100% solutions.
Some client advertise their prefixes thru BGP to their upstream ISP so that the internet can reach them but because their router don't have enough RAM to received full internet route, they block your advetisement and replace it with default route.
As an ISP, you have access to virtually all valid IP address (allocated by IANA and routable). But since your client make you their default route/gateway (which includes RFC 1918, IANA unallocated IP Addresses), I suggest you route BOGONS to NULL, filter multicast.
Check this link how to route BOGONS to NULL and filter multicast http://www.cymru.com/Documents/secure-ios-template.html
Even still, they can add a static default route and dump the traffic to me for legitmate traffic.
I'm not talking about bogons.
I'm talking about them reaching destinations through me that they should not be.
ie, i'm not sending them att routes, but they are using a static default route on their end to force traffic to me, which my router knows how to go to, even tho I am not sending them those routes via bgp. So the router then forwards it across instead of dropping it.
Is their a way to drop traffic that is not in the bgp route table that I am sending them?
Does this means you don't resell internet bandwidth to them 100% and the client have other upstream to reach other prefixes that you don't advertise to them (i.e. AT&T)?
If I am understanding correctly your post and its description of your situation you have a customer to whom you advertise certain external routes via BGP. That customer is apparently using you as their default route even though you are not advertising a default route to them. You want to accept all traffic from them that is to destination networks that you advertise to them and you want to drop all other traffic from them.
If this is a correct understanding then I would suggest that you could use policy based routing to accomplish this. Configure PBR on the interface that receives traffic from them. In the route map have the first statement refer to an extended access list and in the extended access list permit all traffic that has their network as source and the networks that you advertise as destination. Then have a second statement in the route map which will set the next hop as null0. This should drop all traffic from them to destinations that you have not advertised.
If this was not a correct understanding of your situation then please clarify.
Your correct, however, My problem is, with using an acl, your saying to manually edit each and every peer network that we connect to? I have like 80,000 routes directly connected to my network, and to add that to an acl would proboly kill the router, not to mention it's not dynamic.
Is their any way to have a policy/routemap be checked against a bgp advertisements? or possibly based on as#'s?
Thanks for the help.. I guess if not, then I'll have to buy another router, but that's not an option right now at every location.
Correct, we are only sending them peer routes (networks that we are directly connected to) not global routes that we receive from our providers.
PBR uses "route-map", i.e.
route-map CLIENT-1 permit 1
Route-map can match "as-path", i.e.
match as-path 1
As-path can define regular expression, i.e.
ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny .*
You can fine tune the "as-path" and "route-map" to what you are trying to achieve.
I'm sending the routes using communities, any way to use PBR to match based on community? Would be easier then adding so many AS permits.
Yes, in the "route-map" you can replace "as-path" with "community". i.e.
route-map CLIENT-1 permit 1
match community whatever