Preventing private route advertising



How do I prevent a router from advertising a private network (10.0.0.0/8,
172.166.0.0/12, 192.168.0.0/16) on the Internet with RIP, EIGRP and OSPF?

Let's say, to give an example, the topology is:

hostA--switch--R1--R2--R3--switch--hostB

with the following networks:
LAN "hostA--switch--R1" is  172.18.81.0/24
WAN "R1--R2" is                  62.235.14.128/26
WAN "R2--R3" is                  198.133.219.64/27
LAN "R3--switch--hostB" is   10.22.33.0/24

If you configure one routing protocol as EIGRP on the three routers, hostA
is allowed to reach hostB and vice versa.
With real networks, you can't. Routers are not supposed to route packets
with a private destination address through the internet.
How is this prevented? What command is used?

Thanks for throwing light on this point.

Bernard.




Re: Preventing private route advertising


Bernard Herickx wrote:



Keep in mind that there is nothing special about RFC 1918 addresses.
It's only by convention that we block these from propagating into the
world.

So for EIGRP you could use an outbound distribute-list and apply it
under "router eigrp" for the interface in question.

--

hsb


"Somehow I imagined this experience would be more rewarding" Calvin
**************************ROT13 MY ADDRESS*************************
Due to the volume of email that I receive, I may not be able to
reply to emails sent to my account. Please post a followup instead.
********************************************************************
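
The outbound filter suggested in the reply above, modelled as an added example that is not part of the original thread: it applies first-match prefix-list semantics (with `ge`/`le` and an implicit deny) to the four networks from the question. The list name `NO_RFC1918`, the function names and the choice of a prefix-list rather than an access-list are assumptions; the denied ranges are the RFC 1918 blocks 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

```python
import ipaddress

# Assumed filter, written as (action, prefix, ge, le) like prefix-list entries.
# "le 32" makes an entry cover the block and every more-specific subnet of it.
NO_RFC1918 = [
    ("deny",   "10.0.0.0/8",     None, 32),
    ("deny",   "172.16.0.0/12",  None, 32),
    ("deny",   "192.168.0.0/16", None, 32),
    ("permit", "0.0.0.0/0",      None, 32),   # everything else may be advertised
]

# The four networks from the question's topology.
TOPOLOGY_ROUTES = [
    "172.18.81.0/24",     # LAN hostA--switch--R1
    "62.235.14.128/26",   # WAN R1--R2
    "198.133.219.64/27",  # WAN R2--R3
    "10.22.33.0/24",      # LAN R3--switch--hostB
]

def entry_matches(route, prefix, ge=None, le=None):
    """True if `route` falls inside `prefix` and its length is within ge..le."""
    route = ipaddress.ip_network(route)
    prefix = ipaddress.ip_network(prefix)
    lo = ge if ge is not None else prefix.prefixlen
    # Without ge or le, only the exact prefix length matches.
    hi = le if le is not None else (32 if ge is not None else prefix.prefixlen)
    return route.subnet_of(prefix) and lo <= route.prefixlen <= hi

def filter_outbound(routes, prefix_list):
    """Split routes into (advertised, suppressed); first matching entry wins."""
    advertised, suppressed = [], []
    for route in routes:
        for action, prefix, ge, le in prefix_list:
            if entry_matches(route, prefix, ge, le):
                (advertised if action == "permit" else suppressed).append(route)
                break
        else:
            suppressed.append(route)  # implicit deny at the end of the list
    return advertised, suppressed

if __name__ == "__main__":
    sent, blocked = filter_outbound(TOPOLOGY_ROUTES, NO_RFC1918)
    print("advertised:", sent)
    print("suppressed:", blocked)
```

Dropping `le 32` from the final permit entry would match only the default route itself, so the implicit deny would then suppress the public WAN prefixes as well.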


Re: Preventing private route advertising


Bear in mind, most/all peering between entities and their Tier 1 or 2
providers is done via BGP, which is very much policy-friendly. A typical
BGP configuration is locked down to only permit certain advertisements out.
Unless you are redistributing and not filtering, it would be rather
difficult to accidentally leak these routes.

Beyond that, many providers will have route-maps on their end that will only
permit whatever subnets you've told them you want to advertise.

-Jon




