nanog mailing list archives
Re: Traffic destined for 100.114.128.0/24
From: Mark Tinka <mark.tinka () seacom mu>
Date: Thu, 9 Apr 2020 15:34:59 +0200
On 9/Apr/20 15:24, Tom Hill wrote:
Short answer: filter 100.64.0.0/10 from your upstreams, as you would 192.168.0.0/16 or 10.0.0.0/8.
I was trying to remind myself what we did back in the day. Looks like
that's been in on our end for yonks:
tinka@all.boxes-re0# show firewall family inet filter filter-incoming
term 10 {
    from {
        source-address {
            10.0.0.0/8;
            100.64.0.0/10;
            127.0.0.0/8;
            169.254.0.0/16;
            172.16.0.0/12;
            192.0.2.0/24;
            192.42.172.0/24;
            192.168.0.0/16;
            198.18.0.0/15;
            198.51.100.0/24;
            203.0.113.0/24;
            41.87.96.0/19;
            41.206.96.0/19;
            41.217.212.0/22;
            105.16.0.0/12;
        }
        destination-address {
            0.0.0.0/0;
        }
    }
    then {
        count filter-incoming-anti-spoofing-counter;
        syslog;
        discard;
    }
}
term 65535 {
    then {
        policy-map UPSTREAM-TRAFFIC-INBOUND;
        forwarding-class best-effort;
        accept;
    }
}
{master}[edit]
tinka@all.boxes-re0#
Longer answers will no doubt be available. :)
As the Afrikaners say, "Finish & Klaar" :-).

Mark.
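
Added example, not part of the original post or the poster's configuration: a small Python model of how the quoted filter evaluates a packet, using the prefix list from term 10. The function names and sample packets are constructed for illustration. It shows that term 10 matches on source address only, so a packet from an unlisted source addressed to 100.114.128.0/24 falls through to term 65535.

```python
import ipaddress

# Source prefixes copied from term 10 of the filter quoted above.
DISCARD_SOURCES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.42.172.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "41.87.96.0/19",
    "41.206.96.0/19", "41.217.212.0/22", "105.16.0.0/12",
)]


def evaluate(src, dst):
    """Return (term, action, matched_prefix) for one packet; first match wins."""
    src_ip = ipaddress.ip_address(src)
    # Term 10 lists destination 0.0.0.0/0 (any), so dst is only validated here.
    ipaddress.ip_address(dst)
    hits = [n for n in DISCARD_SOURCES if src_ip in n]
    if hits:
        # Report the most specific listed prefix that covers the source.
        best = max(hits, key=lambda n: n.prefixlen)
        return ("10", "discard", str(best))
    return ("65535", "accept", None)


def summarize(packets):
    """Tally actions over a batch, analogous to reading the term 10 counter."""
    counts = {"discard": 0, "accept": 0}
    for src, dst in packets:
        counts[evaluate(src, dst)[1]] += 1
    return counts


# Constructed sample packets (source, destination); not captured traffic.
SAMPLE = [
    ("100.114.128.7", "203.0.113.10"),   # source inside 100.64.0.0/10
    ("192.168.1.20", "203.0.113.10"),    # RFC 1918 source
    ("8.8.8.8", "100.114.128.7"),        # unlisted source, 100.64.0.0/10 destination
    ("100.63.255.255", "203.0.113.10"),  # one address below 100.64.0.0/10
    ("100.128.0.0", "203.0.113.10"),     # one address above 100.127.255.255
]

if __name__ == "__main__":
    for src, dst in SAMPLE:
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
    print(summarize(SAMPLE))
```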