Kaj,

However (and I'm sorry for the spam), I don't fully understand how URPF
or interface ACL is relevant on an interface used for inter-AS VPN. URPF
will just do a lookup for IPv4 packets, which would be the directly
connected neighbour and not any VPN prefixes as they are essentially
label switched by CEF.

To be clear, we are talking here about option-B where there is a VPNv4
BGP session on a link between two SPs. NHS option sends traffic across
the path with one label (VPN) and send-label option uses two labels
(IPv4, VPN).

Are you saying that you can configure an iACL permitting the VPN routes
and the ACL will filter labelled packets? This isn't something I've
tried before, I've only filtered in the control-plane.

Obviously, there is no LDP here so label filtering there isn't an
option.


--Dan 
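
Added example, not part of the original message: a Python sketch of the three frame layouts this thread distinguishes on the inter-AS link (unlabelled IPv4 between the directly connected neighbours, one VPN label, and IPv4 plus VPN labels), showing where the customer IPv4 header sits relative to the label stack. Label values, addresses and helper names are constructed, and the payload under the stack is assumed to be IPv4.

```python
import ipaddress
import struct

ETH_IPV4, ETH_MPLS = 0x0800, 0x8847  # IPv4 and MPLS-unicast EtherTypes

def parse_label_stack(payload):
    """Walk 4-byte label stack entries (RFC 3032) until the bottom-of-stack bit."""
    labels, off = [], 0
    while True:
        if off + 4 > len(payload):
            raise ValueError("label stack truncated before bottom-of-stack")
        (word,) = struct.unpack_from("!I", payload, off)
        labels.append(word >> 12)      # top 20 bits carry the label value
        off += 4
        if (word >> 8) & 1:            # S bit set: this was the last entry
            return labels, off

def ipv4_src(header):
    if len(header) < 20:
        raise ValueError("short IPv4 header")
    return str(ipaddress.ip_address(header[12:16]))

def classify(frame):
    """Report EtherType class, label stack and IPv4 source of an untagged frame."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    payload = frame[14:]
    if ethertype == ETH_IPV4:
        return {"kind": "ipv4", "labels": [], "src": ipv4_src(payload)}
    if ethertype == ETH_MPLS:
        labels, off = parse_label_stack(payload)
        # Assumption: VPNv4 traffic, so IPv4 follows the bottom label.
        return {"kind": "mpls", "labels": labels, "src": ipv4_src(payload[off:])}
    return {"kind": "other", "labels": [], "src": None}

# Constructed sample frames (all values are illustrative, not from the thread).
def eth(ethertype):
    return b"\x00" * 12 + struct.pack("!H", ethertype)

def lse(label, bottom):
    return struct.pack("!I", (label << 12) | (bottom << 8) | 64)

def ipv4(src, dst="198.51.100.9"):
    pack = lambda a: ipaddress.ip_address(a).packed
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, pack(src), pack(dst))

NEIGHBOUR_IPV4 = eth(ETH_IPV4) + ipv4("192.0.2.1")                      # unlabelled
ONE_LABEL = eth(ETH_MPLS) + lse(24, 1) + ipv4("10.1.1.1")               # VPN label only
TWO_LABELS = eth(ETH_MPLS) + lse(17, 0) + lse(24, 1) + ipv4("10.1.1.1") # IPv4 + VPN labels
```

Only the first frame carries the IPv4 EtherType; in the other two the same customer source address sits 4 or 8 bytes deeper, behind a stack that has to be walked to its bottom-of-stack bit first.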

> -----Original Message-----
> From: [email protected] [mailto:ccie_sp-
> [email protected]] On Behalf Of Daniel Holme
> Sent: 10 September 2009 10:25
> To: Kaj Niemi
> Cc: [email protected]; Francisco; [email protected]
> Subject: Re: [OSL | CCIE_SP] Inter-AS VPN Option B and send-label
> 
> Ah, when you filter the label you filter them based on the IP prefix
> right?
> 
> I thought you were talking about filtering the actual label value (I
> wasn't sure how you would achieve that tbh), which would have changed
> upon reload.
> 
> In that case, sure! :-)
> 
> 
> --Dan
> 
> > -----Original Message-----
> > From: Kaj Niemi [mailto:[email protected]]
> > Sent: 10 September 2009 10:21
> > To: Daniel Holme
> > Cc: [email protected]; Francisco; [email protected]; Jo Knight;
> > Bryan Bartik
> > Subject: Re: [OSL | CCIE_SP] Inter-AS VPN Option B and send-label
> >
> > I would prefer to.
> >
> > For quite a while ago people did ingress spoof acls by hand (or by script) -
> > those that did them at all. Once urpf came along people kind of stopped
> > doing that because the way urpf is implemented is that it's automatic. Still
> > doesn't mean the whole world uses urpf or even spoof acls in 2009 but those
> > that use them tend to believe that they're effective. Similarly iACLs
> > protect your network if you bother to implement them. Why wouldn't I want to
> > filter on labels if I had the choice? IF implemented properly it should be
> > one more option under the interface config and that's that.
> >
> > The other side reloading their box isn't a problem as I'd filter on ingress
> > ;-)
> >
> >
> >
> > Kaj
> >
> >
> >
> > > From: Daniel Holme <[email protected]>
> > > Date: Thu, 10 Sep 2009 01:59:38 -0700
> > > To: Kaj Niemi <[email protected]>
> > > Cc: <[email protected]>, Francisco <[email protected]>,
> > > <[email protected]>, Jo Knight <[email protected]>, Bryan Bartik
> > > <[email protected]>
> > > Subject: RE: [OSL | CCIE_SP] Inter-AS VPN Option B and send-label
> > >
> > > Would you perform label filtering from a foreign AS with which you were
> > > doing inter-AS VPN option B.
> > >
> > > What if they reloaded their box and changed all their labels?
> This email has been scanned for all viruses.
> 
> Please consider the environment before printing this email.
> 
> The content of this email and any attachment is private and may be
> privileged. If you are not the intended recipient, any use, disclosure,
> copying or forwarding of this email and/or its attachments is unauthorised.
> If you have received this email in error please notify the sender by email
> and delete this message and any attachments immediately. Nothing in this
> email shall bind the Company or any of its subsidiaries or businesses in any
> contract or obligation, unless we have specifically agreed to be bound.
>
> KCOM Group PLC is a public limited company incorporated in England and
> Wales, company number 02150618 and whose registered office is at 37 Carr
> Lane, Hull, HU1 3RE.
>
> 118288 - KCOM UK Directory Enquiries. Calls will cost no more than 49p
> connection + 14p per minute including VAT from a KC or BT landline. Call
> charges from mobiles and other networks may vary. If you are calling from a
> mobile you will now receive your requested number via text message. You will
> not be charged for the text message.
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com