12-24-2010 02:41 AM - edited 03-06-2019 02:41 PM
Hi everybody,
I hope everybody is having happy holidays. I have a few questions.
Routers on the Internet are configured to drop packets destined to private IP addresses. How do we accomplish this? By using ACLs?
Let's say an ISP router receives a packet from a home user with source address 192.192.192.192 and destination address 100.100.100.100. The question is: will the ISP router drop this packet, considering the packet is destined to a valid Internet IP address (100.100.100.100), because the source address is a private IP address? I understand that the return packet will be dropped for sure, as it will have source IP address 100.100.100.100 and destination IP address 192.192.192.192.
I just want to know what is usually done in the real world where the source IP address happens to be a private IP address and the destination IP address is a valid Internet IP address, and how ISP routers handle such packets.
Thanks and Merry Christmas to all of you
12-24-2010 03:26 AM
Hi,
I think that depends on the ISP.
But that can be accomplished with Unicast Reverse Path Forwarding (uRPF).
You can read more here:
http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
Merry Christmas to all of you.
Dan
12-24-2010 03:39 AM
Hi,
You can achieve this by putting the prefix-list below in the customer BGP config:
ip prefix-list bgp-cust-deny-in seq 15 deny 10.0.0.0/8 le 32
ip prefix-list bgp-cust-deny-in seq 20 deny 172.16.0.0/12 le 32
ip prefix-list bgp-cust-deny-in seq 25 deny 192.168.0.0/16 le 32
ip prefix-list bgp-cust-deny-in seq 30 deny 0.0.0.0/8 le 32
ip prefix-list bgp-cust-deny-in seq 35 deny 127.0.0.0/8 le 32
This way any packet with a source IP as above will be blocked. For static customers the ISP puts a route-map along with the
redistribute static statement,
like:
router bgp <>
redistribute static route-map STATIC-CUSTOMERS
route-map STATIC-CUSTOMERS deny 10
match ip address prefix-list bgp-cust-deny-in
route-map STATIC-CUSTOMERS permit 10
Regards
Mahesh
12-24-2010 03:29 PM
With this config you don't deny packets with a private IP address as source. You only deny static routes to private IP subnets from being advertised to BGP neighbors. This is the configuration of a PE router, so there shouldn't be static routes to private IP subnets to the customers anyway.
And even this is not going to work with this config.
If you use an access-list or prefix-list in a route-map, you match traffic or deny traffic from being matched. So if you use deny rules in your prefix-list you don't deny these subnets from being advertised but deny them from being matched by the route-map entry.
At the end of a prefix-list is an implicit deny. So with this prefix-list you deny all prefixes from being matched.
Your first route-map entry, which is intended to deny routes from being advertised, as stated above doesn't match any prefix and therefore doesn't deny any subnet from being advertised. Your second route-map entry matches any traffic and therefore all subnets are advertised by this config.
If you want this to work you should change all the denies in the prefix-list to permits. Then the first route-map entry will match these subnets and deny them from being advertised.
To come back to the question: most likely an ISP doesn't only want to block traffic sourced from private IP addresses but only wants to permit traffic with a source address that is assigned to the customer, to prevent IP spoofing. This can be done by using Unicast Reverse Path Forwarding (uRPF) or by placing an access-list inbound on the customer interface with:
permit ip cust_ip any
deny ip any any
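Added example (not from this thread or from any Cisco code) that models the prefix-list and route-map semantics explained in the reply above. It assumes the second route-map entry is a later sequence (20) rather than a duplicate of 10, and the constructed input route 10.1.1.0/24 stands in for a customer static route to a private subnet: with the deny entries the prefix-list matches nothing, so the route is still advertised; with the entries flipped to permit, entry 10 catches it.

```python
import ipaddress

# The prefix-list as posted in the thread (action, prefix, le).
PREFIX_LIST_DENY = [
    ("deny", "10.0.0.0/8", 32),
    ("deny", "172.16.0.0/12", 32),
    ("deny", "192.168.0.0/16", 32),
    ("deny", "0.0.0.0/8", 32),
    ("deny", "127.0.0.0/8", 32),
]
# The corrected version proposed in the reply: same entries, action flipped to permit.
PREFIX_LIST_PERMIT = [("permit", p, le) for _, p, le in PREFIX_LIST_DENY]


def prefix_list_matches(plist, route):
    """IOS prefix-list semantics: the first entry whose prefix covers the route
    (with the route length between the entry length and 'le') decides.
    'permit' means the route IS matched, 'deny' means it is NOT matched,
    and an implicit deny sits at the end of the list."""
    r = ipaddress.ip_network(route)
    for action, prefix, le in plist:
        p = ipaddress.ip_network(prefix)
        if r.subnet_of(p) and p.prefixlen <= r.prefixlen <= le:
            return action == "permit"
    return False  # implicit deny: nothing matched


def route_map_advertises(plist, route):
    """route-map STATIC-CUSTOMERS:
       entry 10 (deny)   -> match ip address prefix-list <plist>
       entry 20 (permit) -> no match clause, so it matches everything
    Returns True if the route is redistributed into BGP."""
    if prefix_list_matches(plist, route):
        return False  # entry 10 matched, route is denied from redistribution
    return True       # falls through to entry 20, route is permitted


if __name__ == "__main__":
    for plist, name in ((PREFIX_LIST_DENY, "deny list"), (PREFIX_LIST_PERMIT, "permit list")):
        for route in ("10.1.1.0/24", "203.0.113.0/24"):
            print(name, route, "advertised:", route_map_advertises(plist, route))
```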
12-24-2010 04:30 PM
Hi Sara,
Here is a good discussion on how to block Martian and Bogon routes:
https://cisco-support.hosted.jivesoftware.com/thread/2028979?decorator=print&displayFullThread=true
HTH
Reza
12-24-2010 08:27 PM
Hello,
uRPF is something which cross-checks the source IP against the routing table.
Say for example: I have permitted every prefix at the PE end coming from the customer. Now the customer is advertising a private IP, say 10.0.0.0/24.
The PE will permit the private one because there is no prefix-list which denies anything. Now the customer sends a packet with source 10.0.0.1, for which uRPF will check for that source IP in the routing table; it finds a matching one and will permit those IPs. So uRPF has no meaning if a prefix-list denying private IPs is not there.
The next option is the access-list on the interface. Let's say it will block packets with a private source IP. But is it really
a scalable option? Well, I have never seen an ISP who puts an access-list on the interface for their Internet customers.
The link shared by Reza is all talking about blocking at the customer end, which I feel is scalable as a customer will not have
more than 3-4 Internet connections.
But for an ISP which has 1000's of connections it is not meaningful for those ISPs who do manual provisioning. (I agree it is OK for those ISPs who use an automatic tool for service delivery config.)
I feel uRPF with a prefix-list (denying private IPs / permitting only customer-owned IPs or provider-assigned IPs) is a very good option.
I really don't mean to criticize anyone but am trying to figure out what the scalable option is for an ISP.
I would appreciate it if people can share more of their views on this.
Regards
Mahesh
12-24-2010 10:06 PM
Many addresses are reserved for private or future use and should not be used on the Internet (bogons). These addresses, such as the ones already mentioned, should not be used on the Internet. Many ISPs and end-user firewalls filter and block bogons, because they have no legitimate use and are usually the result of accidental or malicious misconfiguration.
Bogons can be filtered by using router ACLs, or by BGP blackholing.
For example with BGP, we can avoid routing packets with a bogon destination address simply by adding a route toward bogon prefixes with a null-pointing next-hop;
example:
ip route 192.0.2.1 255.255.255.255 Null0
ip route 1.0.0.0 255.0.0.0 192.0.2.1
We can also drop incoming packets presenting bogon source IP addresses; we can accomplish this using uRPF in a kind of source-based black hole filtering;
example:
interface Serial1/0
 ip verify unicast source reachable-via any
See http://www.team-cymru.org/Services/Bogons/
http://pierky.wordpress.com/2009/10/28/automatically-filter
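Added example (not from this thread or from any Cisco code) modelling the uRPF check behind both the 08:27 PM reply (uRPF passes a private source once the customer's private prefix is in the routing table) and the 10:06 PM reply (loose-mode uRPF plus a null route drops bogon sources). The routing table, interface names and the customer prefix 198.51.100.0/24 are constructed; the model assumes IOS behaviour where a default route does not satisfy uRPF unless allow-default is configured.

```python
import ipaddress

# Constructed PE routing table: (prefix, interface the route resolves to).
# 10.0.0.0/24 is the private prefix the customer advertised and the PE accepted
# because no inbound prefix-list denied it (the 08:27 PM scenario).
RIB = [
    ("0.0.0.0/0",       "Serial1/1"),  # default route toward the upstream
    ("198.51.100.0/24", "Serial1/0"),  # prefix assigned to the customer (constructed)
    ("10.0.0.0/24",     "Serial1/0"),  # private prefix leaked by the customer
    ("1.0.0.0/8",       "Null0"),      # bogon prefix null-routed as in the 10:06 PM reply
]

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(rib, addr):
    """Longest-prefix match. Returns (network, interface) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in rib:
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_allows(rib, src, ingress, mode="any", allow_default=False):
    """Model of 'ip verify unicast source reachable-via {any|rx}'.
    Loose ('any'): the source needs a route that does not point to Null0.
    Strict ('rx'): that route must also point back out the ingress interface.
    Without allow-default, a default route does not count as a valid match."""
    hit = lookup(rib, src)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if iface == "Null0":
        return False           # null-routed bogon source: source-based black hole
    if mode == "rx":
        return iface == ingress
    return True


def without_private_routes(rib):
    """The RIB as it would look once an inbound prefix-list rejects RFC 1918 prefixes."""
    return [(p, i) for p, i in rib
            if not any(ipaddress.ip_network(p).subnet_of(n) for n in RFC1918)]
```

With the leaked 10.0.0.0/24 present, loose uRPF accepts source 10.0.0.1 from the customer; once that prefix is filtered out of the RIB the same packet only resolves to the default route and is dropped.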