Internet Multihoming TechniquesAPNIC Technical Tutorial

03 April, 2017

Iloilo City, Philippines

27th PCTA Convention

Tashi Phuntsho

Senior Training Officer, APNIC

Tashi has experience in network design, operation, and maintenance havingworked for more than 10 years as a core network engineer. He has been involvedin capacity development in the APNIC community by providing training in numberof technical areas, such as Routing & Switching, Network Design and Architecture,Network Security, IPv6, DNSSEC, and so on.

Tashi completed his undergraduate degree in electrical and electronics engineeringfrom India, and postgraduate (research) in Network Security from Japan,complemented by a Masters degree in Network Systems from Australia.

Areas of Interest:

BGP, IS-IS/OSPF, IPv6, Blockchain Technology, Securing Internet Routing (RPKI),DWDM, Network Security, Next Generation Networks (SDN, Internet of Things),DNS and DNSSEC.

Contact:Email: tashi@apnic.net

Presenter

Bani Lara

Science Research Specialist, ASTI

Bani Lara, a science research specialist at the Advanced Science and TechnologyInstitute (ASTI), has 13 years of experience leading the network operations groupof the Philippine Research Education and Government Information Network. Healso takes care of the routing infrastructure of the Philippine Open InternetExchange, as well as the core network of the Philipping Government broadbandnetwork. He earned his degree in Computer Science at the University of thePhilippines in Los Banos.

Areas of Interest:

BGP, IS-IS/OSPF, IPv6, DWDM, Network Security, Next Generation Networks (SDN,Internet of Things), DNS and DNSSEC.

Contact:Email: bani@asti.dost.gov.ph

Presenter

4

References:

• Philip Smith (www.bgp4all.com.au)

• Cisco (www.cisco.com)

Agenda

• TCP/IP communication and IP Routing• Internet Routing and Routing Protocols

• BGP operation and attributes

• Multihoming & BGP path control

• APNIC multihoming resource policy

• Live demo - APNIC Training ISP

5

6

TCP/IP Communication

Device to device– IPv4/IPv6 address

E2E connectivity (app-to-app)– Port numbers (sockets)

Media access control

– MAC address

Addressing is the key!

Application

Presentation

Session

Transport

Network

Data Link

Physical

Application (HTTP, DNS, FTP)

Transport (TCP/UDP)

Internet (IPv4/IPv6)

Network Access

(Ethernet, PPP)

DataTransport Header

IP Header

DataTransport Header

Data

DataTransport Header

IP Header

Frame Header

0011010100000111

Transport (TCP/UDP)

Internet (IPv4/IPv6)

Network Access

(Ethernet, PPP)

Application (HTTP, DNS, FTP)

Internet/Network Layer

7

• Host to host communication across networks– Addressing

• unique and hierarchical network-wide address

– Routing• the best path to the destination

• Current protocols– IPv4 and IPv6

L3 Device/Router

• L3 device gets the packet one step closer – The next hop to reach the destination!

• Router– Finds the best path to the destination, and– Forwards the packet to the next hop (a step closer) to reach

the destination

8

Best path lookup – Routing Decision

• Inspects the destination address of the packet– Network portion

• Looks up its routing table for a “best match”– Longest matching left-most bits

• If no match, checks for default route– If no default route, drop the packet!

9

Best path (route) lookup

10

R2#sh ip route

10.0.0.0/8 via R310.1.0.0/16 via R4………………………

R1 R2

R3

R4

Dest IP: 10.1.1.110.0.0.0/8

10.1.0.0/16

GE 1/0

GE 1/1GE 0/0

10.0.0.0/8 255.0.0.0 00001010.00000000.00000000.00000000

10.1.0.0/16 255.255.0.0 00001010.00000001.00000000.00000000

Best path – longest match

11

R2#sh ip route

10.0.0.0/8 via R310.1.0.0/16 via R4………………………

R1 R2

R3

R4

Dest IP: 10.1.1.110.0.0.0/8

10.1.0.0/16

GE 1/0

GE 1/1GE 0/0

10.1.1.1 = 00001010.00000001.00000001.00000001AND

255.0.0.0 = 11111111.00000000.00000000.00000000

= 00001010.00000000.00000000.00000000

Match!

Best path – longest match

12

R2#sh ip route

10.0.0.0/8 via R310.1.0.0/16 via R4………………………

R1 R2

R3

R4

Dest IP: 10.1.1.110.0.0.0/8

10.1.0.0/16

GE 1/0

GE 1/1GE 0/0

10.1.1.1 = 00001010.00000001.00000001.00000001AND

255.255.0.0 = 11111111.11111111.00000000.00000000

= 00001010.00000001.00000000.00000000

LongestMatch!

Forwarding Decision

• If a best match is found, the router determines – the correct exit interface to reach the next-hop/destination

13

Is the best match a subnet of ….

Directly connected interface?

Remote Network?

Is there a gateway of last resort?

Forward to host on local subnet

Forward out the exit interface to

the next-hop

Forward out the exit interface to

the next-hop

NO

YES

NO

YES

YESNODrop the packet!

Process vs Hardware Switching

• Incoming packet forwarded to the control plane (CPU) – routing table (RIB) lookup, frame re-write (next-hop MAC),

and forwarded to the exit interface

14

Control PlaneRIB

Data PlaneIncoming Packets Outgoing Packets

Process vs Hardware Switching

• Instead two hardware(data plane) based tables– FIB derived from the RIB- all destinations and next-hops– Adjacency table from the ARP table- L2 header info for each

next-hop in the FIB

15

Control PlaneRIB

Data PlaneIncoming Packets Outgoing PacketsFIB & Adjacency Table

Questions?

Agenda

• TCP/IP communication and IP Routing

• Internet Routing and Routing Protocols• BGP operation and attributes

• Multihoming & BGP path control

• APNIC multihoming resource policy

• Live demo - APNIC Training ISP

17

Internet Routing

• How does a user in PH access a service hosted in the US?

– The ISP in PH could directly connect to the ISP in US• Neither scalable nor economical

– Instead, the PH ISP shares its network information with its neighbor ISPs

– The ISP in US does the same with its own neighbors• Neighbor ISPs propagate the information to their neighbors, and so on…• Eventually, they both learn about each other’s network!

18

19

Exchange of network information – RoutingNetworks (ASes) connected together – Internet

Internet Routing

AS100

PH

Routing flow Traffic flow

AS700US

AS300

SGAS500

DE

Autonomous System (AS)

• A group of networks with the same routing policy– Usually under single administrative control

20

AS 999

Routing Flow & Traffic Flow

• Traffic and network info always flow in opposite direction!– network info exchanged in both directions for bi-directional

traffic flow

– manipulate inbound/outbound routing info to influence outgoing/incoming traffic

21

AS 1 AS 2

Packet Flow

Routing Flow

Packet Flow

Routing Flow

AS 1

Advertise

Accept

Receive

SendR1 R2

22

Routing & Traffic Flow: Internet

AS1PH

Routing flow Traffic flow

AS7US

AS3SG

AS5DE

• For user (N1) in AS1 to send traffic to user (N7) in AS7:– AS7 must originate and announce N7 to AS5.– AS5 must accept N7 from AS7, and advertise to AS3.– AS3 must accept and forward N7 to AS1– AS1 must accept N7 from AS3

23

Routing Policy Limitations

• For the above policy, AS1– Needs to accept routes originating from Red AS over Red

link, and Green AS over Green link

• But any intermediate AS (AS2) needs to cooperate

Red

Green

AS 1Internet(other ASes)

AS2

Packet Flow

24

Routing Protocols

• How do routers exchange network information with each other?– Routing Protocols!– IGP & EGP

25

Interior Gateway Protocol (IGP)

• To exchange network info within an AS– To carry infrastructure info (loopbacks & ptp)

• No customer routes!

– Allows all routers within an AS to learn about each other

• Two most widely used IGPs in operator networks– OSPF & IS-IS

• Uses the SPF algorithm• Best path selection based on lowest cost/metric• Supports hierarchical routing – scalability!

26

Exterior Gateway Protocol (EGP - BGP)

• To exchange network info between ASes– Implement routing policies (manipulate traffic path)– Define administrative boundary

• BGP is the de facto EGP!

27

Routing Protocols Hierarchy

eBGP

iBGP &OSPF/IS-IS

Other ISPs

CustomersIX or direct Peers

Static/eBGP

eBGP

Questions?

Agenda

• TCP/IP communication and IP Routing

• Internet Routing and Routing Protocols

• BGP – operation and attributes• Multihoming & BGP path control

• APNIC multihoming resource policy

• Live demo - APNIC Training ISP

29

Border Gateway Protocol - BGP

• Runs over TCP (port 179)– TCP connection required before BGP session– Need to be reachable!

• Path vector routing protocol– Best path selection based on path attributes– Route: destination and the attributes of the path to reach

the destination

• Incremental BGP updates

30

Internal & External BGP

• eBGP used to:– Exchange networks/routes between ASes

• Aggregates and sub-aggregates

– Implement routing policies• To manipulate inbound and outbound traffic

• iBGP is used to:– Carry customer networks/prefixes– Internet routes (some or all) across the AS backbone

31

BGP Message Types

• Open:– After a TCP connection has been established between two

BGP routers, an Open message is sent• Once the open message is confirmed (keepalive), the BGP session is

established – become BGP peers/neigbors!

– Contains:• Sender’s ASN• BGP version• BGP router ID• Hold-time (3 x keepalive interval)

32

BGP Message Types• Keepalive:

– Exchanged initially to acknowledge Open messages– Exchanged periodically (60 secs) to maintain BGP session

• Dataless packet

• Update:– BGP peers exchange network information through Update

messages• One update for each path!

– Contains:• Withdrawn routes – no more reachable• Path attributes – attributes for this path to reach the destinations

specified by the NLRI• NLRI – list of networks reachable through this path <prefix, length>

33

BGP Message Types

• Notification:– Sent when an error condition is detected– The BGP session is torn down immediately!– Contains:

• Error code• Error sub-code• Data related to error

34

BGP Neighbor States• A BGP router goes through six different states

– Idle• The router is looking for a route to its neighbor

– Connect• BGP router moves from Idle to Connect state if it has found a route to its

neighbor, and has started the 3-way TCP handshake• If the 3-way handshake is complete, sends an Open message

– Active• A router transitions to Active state if the initial 3-way handshake was not

successful• Initiates a new 3-way handshake• If the 3-way handshake is complete, sends an Open message• Else, falls back to Idle

35

BGP Neighbor States• A BGP router goes through six different states

– Open Sent• An Open message has been sent to the neighbor• If it receives a keepalive, moves to Open Confirm, else back to Active

– Open Confirm• Has received an acknowledgment for its Open message, and is waiting

for the initial keepalive• If it receives the intial keepalive, transitions to Established

– Established• The BGP neighbor relationship (session) is established!• Routing information can now be exchanged

36

BGP Neighbor Relationship• eBGP neighbors/peers

– BGP session established between routers in different ASes– Generally directly connected!

• Session established using directly connected intf IP• Peering address must match the TCP session!

– Else, we need a static route to reach the neighbor and change the eBGP TTL value (default 1)

37

AS 1 AS 2

router bgp 1neighbor 172.16.12.2 remote-as 2

!address-family ipv4neighbor 172.16.12.2 activate

!

172.16.12.0/30

.1 .2

BGP Neighbor Relationship

• iBGP neighbors/peers– BGP session established between routers within the same AS

– Does not need to be directly connected• IGP ensure reachability (TCP connection)

– Generally using loopback addresses

38

AS 100 router bgp 100neighbor 10.10.10.2 remote-as 100

!

iBGP Operation

• iBGP routers must:– Originate directly connected routes

– Carry routes learned from outside the AS to all routers within the AS• Fully-meshed instead of redistributing!• Advertise routes learned from eBGP peers to all iBGP peers!

– To prevent routing loops (in a fully-meshed network)• iBGP routers are not allowed to advertise iBGP learned routes to other

iBGP peers!

39

iBGP full-mesh

40

router bgp 100neighbor 10.10.10.2 remote-as 100neighbor 10.10.10.3 remote-as 100neighbor 10.10.10.4 remote-as 100!

AS100

R1

R2

R3

R4

Sourcing iBGP from Loopback

41

• By default, routers use the exit-interface address as the source address for locally originated packets (updates)– If the BGP TCP session was established using any other

interface (loopbacks) addresses, the source address for BGP updates must match!

• The update-source loopback command achieves this

router bgp 100neighbor 10.10.10.1 remote-as 100neighbor 10.10.10.1 update-source loopback 0

!

42

AS 111 AS 222 AS 333

iBGP iBGP iBGP

IGP IGP IGP

eBGP eBGP

How it all works?

BGP Path Attributes

• Attributes describe the path to a network(s)/NLRI– Used to enforce routing policies for path control!

43

Well-known Mandatory

Well-known Discretionary

Optional Transitive

Optional Non-transitive

AS_PATHNEXT_HOP

ORIGIN

LOCAL_PREFATOMIC_AGGREGATE

COMMUNITYAGGREGATOR

MED

Always included in BGP updates Can be included (for path control)!

AS_PATH

• Indicates the list of ASes a route has passed through to reach the local AS– the list of ASes to reach a destination– can influence path selection!

44

AS100100.10.0.0/16

AS200130.10.0.0/16

AS300 AS900

100.10.0.0/16 300 200 100130.10.0.0/16 300 200

100.10.0.0/16 200 100 130.10.0.0/16 200

AS_PATH

• Used to ensure a loop-free exchange of routing info between ASes – If own AS is seen in an update from an eBGP peer, loop is

detected (Update is dropped)!

45

AS100100.10.0.0/16

AS200130.10.0.0/16

100.10.0.0/16 300 200 100130.10.0.0/16 300 200160.10.0.0/16 300AS300

160.10.0.0/16

X

NEXT_HOP

• Indicates the next hop address to reach the destination– Source of the update packet!

• For eBGP– eBGP neighbor address (to reach the next AS)

• For iBGP– Generally the loopback address

46

NEXT_HOP• eBGP learned routes are advertised to iBGP peers

without changing the next hop

– Routers within the AS need to be able to reach the next hop (IGP or static)

– Else, external routes not installed in the routing table!

47

AS 200130.10.0.0/16

AS 300160.10.0.0/16

130.10.0.0/30

.1 .2AS 100eBGP

iBGP

R1 R2

R3R3:160.10.0.0/16 130.10.0.1130.10.0.0/16 130.10.0.1

NEXT-HOP-SELF• Override the eBGP next hop default behavior with next-hop-self command– Advertises itself as the next hop for external routes

• Reachable through IGP

48

AS 200130.10.0.0/16

AS 300160.10.0.0/16

130.10.0.0/30.1 .2AS 100eBGP

iBGP

R1 R2

R3

100.10.0.10

100.10.0.11

R2:router bgp 100neighbor 100.10.0.11 remote-as 100neighbor 100.10.0.11 next-hop-self

!

R3:160.10.0.0/16 100.10.0.10130.10.0.0/16 100.10.0.10

ORIGIN• Indicates the origin of the route

– IGP (i)• Interior to the originating AS (advertised with the network command)

– EGP (e)• Generated by EGP (obsolete!)

– Incomplete (?)• Route’s origin is unknown (usually redistributed)

49

ORIGIN

50

LOCAL_PREF• Local preference tells routers within the AS (local)

the preferred path to exit the AS– Path with highest local_pref wins

• Outbound traffic!

• Local to the AS– Advertised only to iBGP peers!

51

AS 200130.10.0.0/16

AS 300

AS 100

R1

R2AS 500

LP-200

LP-500

R3

COMMUNITY• Used to group prefixes (incoming/outgoing) and

apply policies to the communities– A prefix can belong to more than one community

• Is (was?) a 32-bit integer – Represented as two 16-bit integers [ASN:number]

• Works well for 2-byte ASN

• With 4-byte ASNs– Common to see [private-ASN:number]– RFC 8092 (BGP Large Communities): 96-bit integer

• [32-bit ASN:32-bit:32-bit]

52

MED• Multi-exit discriminator is inter-AS non-transitive

– Indicates to neighbor AS about the preferred entry points into the local AS (incoming traffic)

• The path with lowest MED wins!

53

AS 200

160.10.0.0/16R1

R2

MED-10

MED-200

MED-10

MED-200R4

R3AS 300

R5

BGP Operation

• BGP learns routes from iBGP and eBGP peers

– Selects best path based on the attributes

– Installs best path in the routing table

– Advertises the best paths to its other BGP peers• eBGP learned routes to iBGP peers• iBGP learned routes to eBGP peers

54

Advertising Networks in BGP

• The network statement– allows BGP to inject routes into BGP table and advertise to

neighbors only if it already exists in the routing table!

• BGP “Synchronization Rule”:– iBGP learned routes should not be installed in the routing

table nor advertised to eBGP peers unless the route was learned through an IGP first!• Prevents black-hole routes!

55

router bgp 100address-family ipv4 unicastnetwork <prefix> mask <subnet-mask>address-family ipv6 unicastnetwork <prefix/length>

BGP Tables

• Neighbor Table– List of all BGP neighbors

• BGP Table– List of routes learned from all BGP neighbors– (And locally originated routes!)

• Routing (Forwarding) Table– All best paths

• selected based on attributes and whose next-hops are reachable!

56

BGP Best Path Selection

57

Highest Local Preference

Locally originated routes

Shortest AS Path

Lowest Origin Code (i<e<?)

Lowest MED/metric

eBGP over iBGP

Lowest IGP cost to next-hop

Oldest eBGP route

Lowest neighbor router-ID

Lowest neighbor IP address

Questions?

Agenda

• TCP/IP communication and IP Routing

• Internet Routing and Routing Protocols

• BGP – operation and attributes

• Multihoming & BGP path control• APNIC multihoming resource policy

• Live demo - APNIC Training ISP

59

60

ISP Hierarchy• Default free zone

– Made of Tier-1 ISPs who have explicit routes to every network on the Internet• No need for default routes!

61

Exchanging Routes

• Pay someone to advertise your networks– TRANSIT– Make sure they have good onward peering/transit!

• Interconnect with as other ASes to exchange locally originated routes and traffic– PEERING– Private Peering

• Between two ASes

– Public Peering• at an IXP (domestic/global)

62

Achieving Redundancy • More than one path to the same ISP

– Dual-homed

YOU

YOU ISP

ISPYOU

ISP

Single-homed

Dual-homed

63

Achieving Redundancy –Multihoming

• More than one upstream ISP– Multi-homed

ISP2

ISP1

YOU

YOU

ISP2

ISP1

64

Multihoming

• One upstream and local peering

You

ISP-A

Internet

Transit

Local PeerPeering

65

Multihoming

• More than one upstream ISP and local peering

You

ISP-BISP-A

Internet

Transit

Local PeerPeering

66

Multihoming

• More than one upstream ISP with local and public peering

You

ISP-BISP-A

Internet

Transit

Local PeerPeering

IXP

Peering

Influence Path Selection –Policy

67

Routing Table

Local Router

PeerPeer

Inbound updates

Outbound updates

(best paths)BGP Table

Prefix-list

Filter-list

Route-maps

Best Paths

Policy Tools

• Prefix-list– To filter routes/prefixes

• Filter-list– To filter based on AS-path– To apply AS-path ACLs

• Route-map– modify attributes based on condition matches

68

Prefix List

• Allows any prefix with prefix length between 8 and 24– Implicit DENY at the end!

69

ip prefix-list name/num [permit | deny] prefix/length [ge value][le value]

ip prefix-list TEST permit 0.0.0.0/0 ge 8 le 24

AS-path ACL

• AS-path access list use regular expressions

. Matches any one character* Matches any sequence of pattern before *+ match at least one preceding expression^ beginning with$ ending with_ matches start, end, space, comma, braces

70

ip as-path access-list num [permit|deny] regex

AS-path ACL

• Example regular expressions:

^$ locally originated routes_100$ originated by AS 100_100_200_ passing through 100 and 200^(_100)+$ originated by 100, multiple occurrence

71

ip as-path access-list 10 permit ^100$

Route Map

72

route-map name [permit | deny] [sequence]

If {(A or B or C)and D} matchThen {set X and Y}

ElseIf E matchesThen set Z

Else (for everything else)Do/set nothing

route-map TEST permit 20match Eset Z

route-map TEST permit 30

route-map TEST permit 10match A B Cmatch Dset Xset Y

• Default is permit– Implicit DENY at the end!

Match (conditions) &Set (actions)

Command Descriptionmatch community BGP community tagmatch as-path AS-path access listmatch ip address Access list or prefix-list

73

Command Descriptionset as-path <prepend> Modify AS-pathset community Apply BGP community tagset metric Modify MEDset local-preference Modify local preference

Path control - Attributes

• Inbound Traffic:– AS-Path, MED, Community

• Outbound Traffic:– Local Preference

74

Two Upstream – One backup

75

• Both incoming and outgoing traffic via R1

• R2 path to be used only if the path via R1 fails

– AS-PATH to control inbound traffic

– LOCAL-PREF for outbound

AS 100

AS 30AS 20

Internet

Primary Backup

R1 R2

• Always announce the aggregate on both!

• R1 (main link) config:

76

Two Upstream – One backup

router bgp 100network 100.100.0.0 mask 255.255.224.0neighbor 20.20.20.1 remote-as 20neighbor 20.20.20.1 prefix-list AGGR outneighbor 20.20.20.1 prefix-list DEF in!ip prefix-list AGGR permit 100.100.0.0/19ip prefix-list DEF permit 0.0.0.0/0!ip route 100.100.0.0 255.255.224.0 null0

Prefix-list applied to outbound routes

Prefix-list applied to inbound routes

Advertise aggregate in BGP

Define the prefix-lists

Aggregate should exist in the routing table

(pull-up route)

• R2 (backup) config:

77

router bgp 100network 100.100.0.0 mask 255.255.224.0neighbor 30.30.30.1 remote-as 30neighbor 30.30.30.1 prefix-list AGGR outneighbor 30.30.30.1 route-map BACKUP-OUT outneighbor 30.30.30.1 prefix-list DEF inneighbor 30.30.30.1 route-map BACKUP-IN in!ip prefix-list AGGR permit 121.10.0.0/19ip prefix-list DEF permit 0.0.0.0/0!ip route 100.100.0.0 255.255.224.0 null0route-map BACKUP-OUT permit 10set as-path prepend 100 100 100!route-map BACKUP-IN permit 10set local-preference 80

Route-map applied to outbound routes

Advertise aggregate in BGP

Define the prefix-lists

BACKUP-OUT prepends the AS-PATH for all outbound

BGP updates

Route-map applied to inbound routes

BACKUP-in sets lowers local-pref for all inbound

BGP updates

Two Upstream – One backup

Two Upstream – Load Sharing (Inbound Traffic)

78

• Always announce aggregate on both!– Announce one sub-aggregate on

first, and the other on the second link.

• Requires good address planning– Customers need to be assigned

from both address blocksAS 100

AS 30AS 20

Internet

Load Share

R1 R2

79

Two Upstream – Load Sharing (Inbound Traffic)

router bgp 100network 100.100.0.0 mask 255.255.224.0network 100.100.0.0 mask 255.255.240.0neighbor 20.20.20.1 remote-as 20neighbor 20.20.20.1 prefix-list SUB-A outneighbor 20.20.20.1 prefix-list DEF in!ip prefix-list SUB-A permit 100.100.0.0/19ip prefix-list SUB-A permit 100.100.0.0/20ip prefix-list DEF permit 0.0.0.0/0!ip route 100.100.0.0 255.255.224.0 null0ip route 100.100.0.0 255.255.240.0 null0

Advertise sub-aggregate along with

the aggregate

Advertise both aggregate and first sub-prefix in BGP

Sub-aggregate should exist in the routing

table (pull-up route)

• R1 config:

80

Two Upstream – Load Sharing (Inbound Traffic)

• R2 config:

router bgp 100network 100.100.0.0 mask 255.255.224.0network 100.100.16.0 mask 255.255.240.0neighbor 30.30.30.1 remote-as 30neighbor 30.30.30.1 prefix-list SUB-B outneighbor 30.30.30.1 prefix-list DEF in!ip prefix-list SUB-B permit 100.100.0.0/19ip prefix-list SUB-B permit 100.100.16.0/20ip prefix-list DEF permit 0.0.0.0/0!ip route 100.100.0.0 255.255.224.0 null0ip route 100.100.16.0 255.255.240.0 null0

Advertise sub-aggregate along with

the aggregate

Advertise both aggregate and second

sub-prefix in BGP

Sub-aggregate should exist in the routing

table (pull-up route)

Load Sharing – Outbound(Full)

81

• What about outbound traffic load balancing?

• Case I: Full Internet routes (more memory/CPU)– Accept default route from one (AS20)

– Full routes from the other (AS30)• Higher local-pref prefixes originated by AS30 and its immediate

neighbors (one AS hop away) – traffic goes via AS30

• Lower local-pref all other routes (lower than 100) – traffic to these goes via AS20

Load Sharing – Outbound (Partial)

82

• Partial Routes – less HW resources!

• Case II: Partial Internet routes– Accept default from AS20– Default and full from AS30 (well-connected than AS20)– filter to only accept prefixes originated by AS30 and its

neighbor ASes (AS-Path ACLs)• Higher pref those routes• Low pref the default route• so that traffic to these goes via AS20

– Traffic to rest of Internet via AS 20

83

AS 100

AS 30

AS 20

Internet

Rest of the Internet

R1 R2

AS X

Load Sharing – Outbound (Partial)

84

router bgp 100neighbor 20.20.20.1 remote-as 20neighbor 20.20.20.1 prefix-list DEF in!ip prefix-list DEF permit 0.0.0.0/0!

• R1 configuration:

Load Sharing – Outbound (Partial)

85

• R2 config:

Load Sharing – Outbound (Partial)

router bgp 100neighbor 30.30.30.1 remote-as 30neighbor 30.30.30.1 filter-list 30 inneighbor 20.20.20.1 prefix-list ALL inneighbor 30.30.30.1 route-map DEF-LOW in!ip prefix-list DEF permit 0.0.0.0/0prefix-!ip prefix-list ALL deny <bogons-rfc1918>ip prefix-list ALL permit 0.0.0.0/0 le 32!ip as-path access-list 30 permit ^(30_)+$ip as-path access-list 30 permit ^(30_)+_[0-9]+$!route-map DEF-LOW permit 10match ip address prefix-list DEFset local-preference 90route-map DEF-LOW permit 20

Accept full internet feed except bogon routes and

RFC 1918 routes

Filter inbound routes with AS-PATH ACL using filter-list

Purely for redundancy (if path via AS 20 fails)

Accept routes local to and received from AS30

(AS-path prepend included)

Received from AS30 but AS-PATH length of two

(its neighbor ASes)

Low-pref default route

Using Communities

86

• Community attribute provides greater flexibility for traffic shaping than prefix-list– Simplifies BGP configuration– Greater policy control

• Not sent by default to BGP peers– Need to explicitly send (neighbor x.x.x.x send-community)

• Can carry policy information– Example:

• ASN:80 (set local-pref 80)• ASN:1 (set as-path prepend ASN)• ASN:888 (set ip next-hop 192.0.2.1 – Cymru bogons)

Setting Communities

87

router bgp 100neighbor 20.20.20.1 remote-as 20neighbor 20.20.20.1 send-community!address-family ipv4 unicastnetwork 100.100.0.0 mask 255.255.224.0 route-map SET-COMM-AGGnetwork 100.100.0.0 mask 255.255.248.0 route-map SET-COMM-3Gnetwork 100.100.8.0 mask 255.255.248.0 route-map SET-COMM-BBnetwork 100.100.16.0 mask 255.255.248.0 route-map SET-COMM-ENTnetwork 100.100.24.0 mask 255.255.248.0 route-map SET-COMM-CORP

!ip route 100.100.0.0 255.255.224.0 null0ip route 100.100.0.0 255.255.248.0 null0 254ip route 100.100.8.0 255.255.248.0 null0 254ip route 100.100.16.0 255.255.248.0 null0 254ip route 100.100.24.0 255.255.248.0 null0 254!

Setting Communities

88

!route-map SET-COMM-AGG permit 10set community 100:1000

!route-map SET-COMM-3G permit 10set community 100:1101

!route-map SET-COMM-BB permit 10set community 100:1102

!route-map SET-COMM-ENT permit 10set community 100:1103

!route-map SET-COMM-CORP permit 10set community 100:1104

!

Grouping Communities

89

!ip community-list 20 permit 100:1000ip community-list 21 permit 100:1101ip community-list 22 permit 100:1102ip community-list 23 permit 100:1103ip community-list 24 permit 100:1104!

• We can group communities together using community-list:

Two Upstream and IXP –Communities

90

AS 100

AS 30AS 20

Internet

Transit

IXP

Peering

AS111 AS222

R1 R2

R3

Two Upstream and IXP• R3 (IXP) configuration:

– both incoming and outgoing traffic, IXP should be the preferred path!

91

router bgp 100neighbor IX-PEERS peer-groupneighbor 12.12.12.111 remote-as 111neighbor 12.12.12.111 peer-group IX-PEERSneighbor 12.12.12.222 remote-as 222neighbor 12.12.12.222 peer-group IX-PEERS

!address-family ipv4neighbor IX-PEERS send-communityneighbor IX-PEERS remove-private-asneighbor IX-PEERS route-map IX-IN inneighbor IX-PEERS route-map IX-OUT out

Add neighbors to the peer group

Define peer-groups for all IX peers

Define common policies applied to all neighbors on the peer-group- Send communities- Remove private

ASNs

Apply inbound and outbound routing policies

Two Upstream and IXP

• R3 (IXP) configuration (contd..):

92

!ip community-list 20 permit 100:1000ip community-list 21 permit 100:1101ip community-list 22 permit 100:1102ip community-list 23 permit 100:1103ip community-list 24 permit 100:1104!route-map IX-IN permit 10set local-preference 250set community 100:1212 add !(IX ASN)

!route-map IX-OUT permit 10match community 20 21 22 23 24set metric 10

!

Define the communities

High local-pref for routes received from IX peers (outbound traffic via IX)

Send all our prefixes (aggregates and sub-

aggregates)

Define a community for all routes learned via IXP

Set lower MED for all routes sent to IX peers (inbound traffic via IX)

Two Upstream and IXP

• For Transit/Upstream:– Tier-1 ISPs (or ISPs who are run properly) use communities

to group their regional prefixes– Filter based on those to shape outbound traffic to Internet!

• Ex: receive US routes from one ISP, and Europe routes from the other

– Example:• NTT US – 2914:3000• NTT Europe – 2914:3200• NTT Asia – 2914:3400• NTT South America – 2914:3600

93

Two Upstream and IXP

• For Inbound traffic:– We can use our sub-prefixes to balance incoming traffic

– Advertise half of our routes to one, and the other half to the other • keep playing until we reach symmetry!

– But remember to announce the aggregate to both (REDUNDANCY!)

94

Two Upstream and IXP• R1 configuration:

– Let us assume NTT (AS2914) as transit here

95

router bgp 100neighbor 29.29.29.1 remote-as 2914neighbor 29.29.29.1 description eBGP with NTT

!address-family ipv4neighbor 29.29.29.1 send-communityneighbor 29.29.29.1 route-map NTT-IN inneighbor 29.29.29.1 route-map NTT-OUT out

!! We want Asia, US and SA routesip community-list 1 permit 2914:3000 !USip community-list 1 permit 2914:3400 !ASip community-list 1 permit 2914:3600 !SAip community-list 2 permit 2914:3200 !EU

- Send communities- Apply inbound and

outbound routing policies

Define communities for NTT global routes- In this example, we

will source US and Asia routes from NTT

Two Upstream and IXP• R1 configuration (contd..):

96

!route-map NTT-IN permit 10match community 1set local-preference 210

route-map NTT-IN permit 20match community 2set local-preference 50

route-map NTT-IN permit 40!route-map NTT-OUT permit 10match community 20match community 21match community 22

!

Route-map to influence outbound traffic- Set higher local-pref for US,

Asia, and SA routes (outbound traffic)

- Still lower than IX!

Lower local-pref for EU routes (will prefer the second ISP, but available if that link fails)

Route-map to influence inbound traffic- Send our aggregate (in case

ISP2 fails)- And half of our sub-prefixes

Two Upstream and IXP• R2 configuration:

– Let us assume Zayo/AboveNet (AS6461) as transit here

97

router bgp 100neighbor 64.64.64.1 remote-as 6461neighbor 64.64.64.1 description eBGP with Zayo

!address-family ipv4neighbor 64.64.64.1 send-communityneighbor 64.64.64.1 route-map ZAYO-IN inneighbor 64.64.64.1 route-map ZAYO-OUT out

!! Zayo Europe routesip community-list 3 permit 6461:5996ip community-list 3 permit 6461:5998ip community-list 3 permit 6461:5999! Zayo Global routesip community-list 4 permit 6461:5997

- Send communities- Apply inbound and

outbound routing policies

Define communities for Zayo global routes- In this example, we

will source EU routes from Zayo

Two Upstream and IXP• R2 configuration (contd..):

98

!route-map ZAYO-IN permit 10match community 3set local-preference 210

route-map ZAYO-IN permit 20match community 4set local-preference 50

route-map ZAYO-IN permit 40!route-map ZAYO-OUT permit 10match community 20match community 23match community 24

!

Route-map to influence outbound traffic- Set higher local-pref for EU

routes (outbound traffic)- Still lower than IX!

Lower local-pref for global routes (NTT is preferred, but will work if that link fails)

Route-map to influence inbound traffic- Send our aggregate (in case

ISP1 fails), and- other second-half of our sub-

prefixes

Questions?

Agenda

• TCP/IP communication and IP Routing

• Internet Routing and Routing Protocols

• BGP – operation and attributes

• Multihoming & BGP path control

• APNIC multihoming resource policy• Live demo - APNIC Training ISP

100

101

Get your IP address

• Ask your ISP– Non-portable address space– Requires renumbering of your infra when changing upstream

• Ask your RIR (APNIC)– Portable address space– No need for renumbering– Traffic engineering flexibility

• Eligibility??

102

Resources Hierarchy

ARIN

IANA

RIPELACNICAPNICAFRINIC

ISPs

EU EU

103

Get your IP address (contd.)

• APNIC’s eligibility criteria

– Service Provider• Demonstrate immediate /24 need, and• Demonstrate utilization plan for /23 within a year

– Multihoming• Currently multihomed, or• Intention to multihome• Demonstrate immediate utilization of 25%, and 50% within a year

Questions?

Agenda

• TCP/IP communication and IP Routing

• Internet Routing and Routing Protocols

• BGP – operation and attributes

• Multihoming & BGP path control

• APNIC multihoming resource policy

• Live demo - APNIC Training ISP

105

Thank you