Internet Multihoming Techniques
APNIC Technical Tutorial
03 April, 2017
Iloilo City, Philippines
27th PCTA Convention

Presenter
Tashi Phuntsho
Senior Training Officer, APNIC
Tashi has experience in network design, operation, and maintenance, having worked for more than 10 years as a core network engineer. He has been involved in capacity development in the APNIC community by providing training in a number of technical areas, such as Routing & Switching, Network Design and Architecture, Network Security, IPv6, DNSSEC, and so on.
Tashi completed his undergraduate degree in electrical and electronics engineering in India, and a postgraduate (research) degree in Network Security in Japan, complemented by a Master's degree in Network Systems from Australia.
Areas of Interest:
BGP, IS-IS/OSPF, IPv6, Blockchain Technology, Securing Internet Routing (RPKI), DWDM, Network Security, Next Generation Networks (SDN, Internet of Things), DNS and DNSSEC.
Contact: Email: [email protected]

Presenter
Bani Lara
Science Research Specialist, ASTI
Bani Lara, a science research specialist at the Advanced Science and Technology Institute (ASTI), has 13 years of experience leading the network operations group of the Philippine Research Education and Government Information Network. He also takes care of the routing infrastructure of the Philippine Open Internet Exchange, as well as the core network of the Philippine Government broadband network. He earned his degree in Computer Science at the University of the Philippines in Los Banos.
Areas of Interest:
BGP, IS-IS/OSPF, IPv6, DWDM, Network Security, Next Generation Networks (SDN, Internet of Things), DNS and DNSSEC.
Contact: Email: [email protected]
References:
• Philip Smith (www.bgp4all.com.au)
• Cisco (www.cisco.com)
Agenda
• TCP/IP communication and IP Routing
• Internet Routing and Routing Protocols
• BGP operation and attributes
• Multihoming & BGP path control
• APNIC multihoming resource policy
• Live demo - APNIC Training ISP
TCP/IP Communication
• Device to device – IPv4/IPv6 address
• E2E connectivity (app-to-app) – Port numbers (sockets)
• Media access control – MAC address
• Addressing is the key!
[Figure: the seven OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) beside the four TCP/IP layers (Application: HTTP, DNS, FTP; Transport: TCP/UDP; Internet: IPv4/IPv6; Network Access: Ethernet, PPP), with the encapsulation at each step: Data; Transport Header + Data; IP Header + Transport Header + Data; Frame Header + IP Header + Transport Header + Data; finally the bits on the wire (0011010100000111).]
Internet/Network Layer
• Host to host communication across networks
– Addressing: unique and hierarchical network-wide address
– Routing: the best path to the destination
• Current protocols – IPv4 and IPv6
L3 Device/Router
• An L3 device gets the packet one step closer – the next hop to reach the destination!
• Router
– Finds the best path to the destination, and
– Forwards the packet to the next hop (a step closer) to reach the destination
Best path lookup – Routing Decision
• Inspects the destination address of the packet – network portion
• Looks up its routing table for a “best match” – longest matching left-most bits
• If no match, checks for a default route – if no default route, drop the packet!
Best path (route) lookup – longest match
[Figure: R1 sends a packet with destination IP 10.1.1.1 to R2. R2 reaches R3 (10.0.0.0/8) and R4 (10.1.0.0/16); R2's interfaces GE 0/0, GE 1/0 and GE 1/1 are labelled in the figure.]
R2#sh ip route
10.0.0.0/8 via R3
10.1.0.0/16 via R4
………………………
Routing table entries in binary:
10.0.0.0/8 255.0.0.0 00001010.00000000.00000000.00000000
10.1.0.0/16 255.255.0.0 00001010.00000001.00000000.00000000
Check the /8 entry (destination AND mask):
10.1.1.1 = 00001010.00000001.00000001.00000001
AND 255.0.0.0 = 11111111.00000000.00000000.00000000
= 00001010.00000000.00000000.00000000
Match!
Check the /16 entry:
10.1.1.1 = 00001010.00000001.00000001.00000001
AND 255.255.0.0 = 11111111.11111111.00000000.00000000
= 00001010.00000001.00000000.00000000
Longest match! (16 left-most bits agree instead of 8, so 10.1.0.0/16 via R4 is the best path)
Forwarding Decision
• If a best match is found, the router determines the correct exit interface to reach the next-hop/destination
[Flowchart: Is the best match a subnet of a directly connected interface? YES: forward to the host on the local subnet. NO: is it a remote network? YES: forward out the exit interface to the next-hop. NO: is there a gateway of last resort? YES: forward out the exit interface to the next-hop. NO: drop the packet!]
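Added example (not from the tutorial): a small Python model of the lookup and forwarding decision described above. The routing table mirrors R2's two entries from the slides, the check is the slide's destination-AND-mask comparison, the longest prefix length wins, and the default route / drop handling follows the flowchart. The extra "0.0.0.0/0 via R1" entry used to show the gateway of last resort is constructed for this example.

```python
import ipaddress

# Constructed routing table modelled on R2's "sh ip route" in the slides:
# prefix -> next hop. Add "0.0.0.0/0" to model a gateway of last resort.
ROUTES = {
    "10.0.0.0/8": "R3",
    "10.1.0.0/16": "R4",
}

def entry_matches(dest, prefix):
    """The slide's check: (destination AND mask) == network address of the entry."""
    net = ipaddress.ip_network(prefix, strict=True)
    d = ipaddress.ip_address(dest)
    if d.version != net.version:
        return False
    return (int(d) & int(net.netmask)) == int(net.network_address)

def best_match(dest, routes):
    """Longest-match lookup: among all matching entries, the one with the most
    left-most bits in common (largest prefix length) wins. A default route (/0)
    matches everything but agrees on 0 bits, so it only wins when no more
    specific entry matches. Returns (prefix, next_hop) or None."""
    best = None
    for prefix, next_hop in routes.items():
        if not entry_matches(dest, prefix):
            continue
        plen = ipaddress.ip_network(prefix).prefixlen
        if best is None or plen > best[0]:
            best = (plen, prefix, next_hop)
    return None if best is None else (best[1], best[2])

def forward(dest, routes):
    """Routing decision from the slides: best match, else default route, else drop."""
    match = best_match(dest, routes)
    if match is None:
        return "drop"
    prefix, next_hop = match
    return f"forward to {next_hop} via {prefix}"

if __name__ == "__main__":
    print(forward("10.1.1.1", ROUTES))                            # R4 via 10.1.0.0/16
    print(forward("10.2.3.4", ROUTES))                            # R3 via 10.0.0.0/8
    print(forward("192.0.2.1", ROUTES))                           # no match, no default: drop
    print(forward("192.0.2.1", {**ROUTES, "0.0.0.0/0": "R1"}))   # gateway of last resort
```

The destination 10.1.1.1 matches both entries, and the /16 wins only because its prefix length is larger; a lookup that stopped at the first matching entry would send the packet to R3.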
Process vs Hardware Switching
• Process switching: the incoming packet is forwarded to the control plane (CPU) – routing table (RIB) lookup, frame re-write (next-hop MAC), and forwarded to the exit interface
[Figure: control plane holding the RIB; data plane with incoming packets and outgoing packets.]
• Hardware switching: instead, two hardware (data plane) based tables
– FIB derived from the RIB – all destinations and next-hops
– Adjacency table from the ARP table – L2 header info for each next-hop in the FIB
[Figure: control plane holding the RIB; data plane holding the FIB & adjacency table, with incoming and outgoing packets.]
Questions?
Internet Routing
• How does a user in PH access a service hosted in the US?
– The ISP in PH could directly connect to the ISP in US
• Neither scalable nor economical
– Instead, the PH ISP shares its network information with its neighbor ISPs
– The ISP in US does the same with its own neighbors
• Neighbor ISPs propagate the information to their neighbors, and so on…
• Eventually, they both learn about each other’s network!
• Exchange of network information – Routing
• Networks (ASes) connected together – Internet
[Figure: AS100 (PH), AS300 (SG), AS500 (DE) and AS700 (US) connected together, with routing flow and traffic flow arrows in opposite directions.]
Autonomous System (AS)
• A group of networks with the same routing policy – usually under single administrative control
[Figure: a cloud labelled AS 999.]
Routing Flow & Traffic Flow
• Traffic and network info always flow in opposite directions!
– network info exchanged in both directions for bi-directional traffic flow
– manipulate inbound/outbound routing info to influence outgoing/incoming traffic
[Figure: AS 1 (R1) and AS 2 (R2); on each side the packet flow and the routing flow point in opposite directions. From AS 1's view routing information is advertised and accepted, traffic is sent and received.]
Routing & Traffic Flow: Internet
[Figure: AS1 (PH), AS3 (SG), AS5 (DE) and AS7 (US); routing flow and traffic flow in opposite directions.]
• For user (N1) in AS1 to send traffic to user (N7) in AS7:
– AS7 must originate and announce N7 to AS5.
– AS5 must accept N7 from AS7, and advertise to AS3.
– AS3 must accept and forward N7 to AS1.
– AS1 must accept N7 from AS3.
Routing Policy Limitations
• For the above policy, AS1
– Needs to accept routes originating from the Red AS over the Red link, and from the Green AS over the Green link
• But any intermediate AS (AS2) needs to cooperate
[Figure: AS 1 connected through AS2 to the Internet (other ASes) over a Red link and a Green link; packet flow shown.]
Routing Protocols
• How do routers exchange network information with each other?
– Routing Protocols!
– IGP & EGP
Interior Gateway Protocol (IGP)
• To exchange network info within an AS
– To carry infrastructure info (loopbacks & ptp)
• No customer routes!
– Allows all routers within an AS to learn about each other
• Two most widely used IGPs in operator networks – OSPF & IS-IS
• Both use the SPF algorithm
• Best path selection based on lowest cost/metric
• Support hierarchical routing – scalability!
Exterior Gateway Protocol (EGP - BGP)
• To exchange network info between ASes
– Implement routing policies (manipulate traffic path)
– Define administrative boundary
• BGP is the de facto EGP!
Routing Protocols Hierarchy
[Figure: inside the ISP, iBGP & OSPF/IS-IS; eBGP towards other ISPs and towards IX or direct peers; static/eBGP towards customers.]
Questions?
Border Gateway Protocol - BGP
• Runs over TCP (port 179)
– TCP connection required before the BGP session
– Need to be reachable!
• Path vector routing protocol
– Best path selection based on path attributes
– Route: destination and the attributes of the path to reach the destination
• Incremental BGP updates
Internal & External BGP
• eBGP is used to:
– Exchange networks/routes between ASes
• Aggregates and sub-aggregates
– Implement routing policies
• To manipulate inbound and outbound traffic
• iBGP is used to:
– Carry customer networks/prefixes
– Carry Internet routes (some or all) across the AS backbone
BGP Message Types
• Open:
– After a TCP connection has been established between two BGP routers, an Open message is sent
• Once the Open message is confirmed (keepalive), the BGP session is established – the routers become BGP peers/neighbors!
– Contains:
• Sender’s ASN
• BGP version
• BGP router ID
• Hold-time (3 x keepalive interval)
BGP Message Types
• Keepalive:
– Exchanged initially to acknowledge Open messages
– Exchanged periodically (60 secs) to maintain the BGP session
• Dataless packet
• Update:
– BGP peers exchange network information through Update messages
• One update for each path!
– Contains:
• Withdrawn routes – no longer reachable
• Path attributes – attributes for this path to reach the destinations specified by the NLRI
• NLRI – list of networks reachable through this path <prefix, length>
BGP Message Types
• Notification:
– Sent when an error condition is detected
– The BGP session is torn down immediately!
– Contains:
• Error code
• Error sub-code
• Data related to the error
BGP Neighbor States
• A BGP router goes through six different states
– Idle
• The router is looking for a route to its neighbor
– Connect
• The BGP router moves from Idle to Connect state if it has found a route to its neighbor, and has started the 3-way TCP handshake
• If the 3-way handshake is complete, sends an Open message
– Active
• A router transitions to Active state if the initial 3-way handshake was not successful
• Initiates a new 3-way handshake
• If the 3-way handshake is complete, sends an Open message
• Else, falls back to Idle
– Open Sent
• An Open message has been sent to the neighbor
• If it receives a keepalive, moves to Open Confirm, else back to Active
– Open Confirm
• Has received an acknowledgment for its Open message, and is waiting for the initial keepalive
• If it receives the initial keepalive, transitions to Established
– Established
• The BGP neighbor relationship (session) is established!
• Routing information can now be exchanged
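Added example (not from the tutorial): the six neighbor states above written as a small state machine in Python, so the Active fallback and the teardown on a Notification can be traced. The event names (route_to_neighbor, tcp_ok, tcp_fail, open_ack, keepalive, notification) and the transition table are this example's constructed simplification of the slide's description, not IOS terms or the full RFC 4271 FSM.

```python
# Simplified BGP neighbor finite-state machine following the six states on the
# slides. Event names are constructed for this example (not IOS terms):
#   route_to_neighbor  a route to the neighbor exists, start the TCP handshake
#   tcp_ok / tcp_fail  3-way handshake completed / failed
#   open_ack           acknowledgment (keepalive) of our Open message received
#   keepalive          initial keepalive received after the Open exchange
#   notification       error condition: the session is torn down
STATES = ("Idle", "Connect", "Active", "OpenSent", "OpenConfirm", "Established")

TRANSITIONS = {
    ("Idle", "route_to_neighbor"): "Connect",
    ("Connect", "tcp_ok"): "OpenSent",        # handshake complete: send Open
    ("Connect", "tcp_fail"): "Active",        # retry the handshake from Active
    ("Active", "tcp_ok"): "OpenSent",
    ("Active", "tcp_fail"): "Idle",           # give up and fall back to Idle
    ("OpenSent", "open_ack"): "OpenConfirm",  # Open acknowledged
    ("OpenSent", "tcp_fail"): "Active",       # no acknowledgment: back to Active
    ("OpenConfirm", "keepalive"): "Established",
}

class BgpNeighbor:
    def __init__(self):
        self.state = "Idle"
        self.history = ["Idle"]

    def event(self, ev):
        """Apply one event; a Notification tears the session down from any state."""
        if ev == "notification":
            new = "Idle"
        else:
            new = TRANSITIONS.get((self.state, ev))
            if new is None:
                raise ValueError(f"event {ev!r} is not valid in state {self.state}")
        self.state = new
        self.history.append(new)
        return new

    def can_exchange_routes(self):
        """Routing information is exchanged only once the session is Established."""
        return self.state == "Established"

def run(events):
    """Drive a fresh neighbor through a list of events; returns the visited states."""
    n = BgpNeighbor()
    for ev in events:
        n.event(ev)
    return n.history

if __name__ == "__main__":
    # A first handshake that fails, a retry from Active, then a normal session bring-up.
    print(run(["route_to_neighbor", "tcp_fail", "tcp_ok", "open_ack", "keepalive"]))
```

A neighbor stuck alternating between Connect and Active is the classic sign that the TCP session itself (reachability, port 179 filtering, or the peering address not matching) is the problem rather than the BGP configuration.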
BGP Neighbor Relationship
• eBGP neighbors/peers
– BGP session established between routers in different ASes
– Generally directly connected!
• Session established using the directly connected interface IP
• Peering address must match the TCP session!
– Else, we need a static route to reach the neighbor and change the eBGP TTL value (default 1)
[Figure: AS 1 and AS 2 connected over 172.16.12.0/30 (.1 in AS 1, .2 in AS 2).]
router bgp 1
 neighbor 172.16.12.2 remote-as 2
 !
 address-family ipv4
  neighbor 172.16.12.2 activate
!
BGP Neighbor Relationship
• iBGP neighbors/peers
– BGP session established between routers within the same AS
– Does not need to be directly connected
• IGP ensures reachability (TCP connection)
– Generally using loopback addresses
[Figure: two routers inside AS 100.]
router bgp 100
 neighbor 10.10.10.2 remote-as 100
!
iBGP Operation
• iBGP routers must:
– Originate directly connected routes
– Carry routes learned from outside the AS to all routers within the AS
• Fully-meshed instead of redistributing!
• Advertise routes learned from eBGP peers to all iBGP peers!
– To prevent routing loops (in a fully-meshed network)
• iBGP routers are not allowed to advertise iBGP learned routes to other iBGP peers!
iBGP full-mesh
[Figure: AS100 with R1, R2, R3 and R4 in an iBGP full mesh.]
router bgp 100
 neighbor 10.10.10.2 remote-as 100
 neighbor 10.10.10.3 remote-as 100
 neighbor 10.10.10.4 remote-as 100
!
Sourcing iBGP from Loopback
• By default, routers use the exit-interface address as the source address for locally originated packets (updates)
– If the BGP TCP session was established using any other interface (loopback) address, the source address for BGP updates must match!
• The update-source loopback command achieves this
router bgp 100
 neighbor 10.10.10.1 remote-as 100
 neighbor 10.10.10.1 update-source loopback 0
!
How it all works?
[Figure: AS 111, AS 222 and AS 333, each running an IGP and iBGP internally, connected to each other by eBGP sessions.]
BGP Path Attributes
• Attributes describe the path to a network(s)/NLRI
– Used to enforce routing policies for path control!
• Well-known Mandatory (always included in BGP updates): AS_PATH, NEXT_HOP, ORIGIN
• Well-known Discretionary: LOCAL_PREF, ATOMIC_AGGREGATE
• Optional Transitive: COMMUNITY, AGGREGATOR
• Optional Non-transitive: MED
– The discretionary and optional attributes can be included (for path control)!
AS_PATH
• Indicates the list of ASes a route has passed through to reach the local AS
– the list of ASes to reach a destination
– can influence path selection!
[Figure: AS100 originates 100.10.0.0/16 and AS200 originates 130.10.0.0/16. AS300 receives 100.10.0.0/16 with AS_PATH 200 100 and 130.10.0.0/16 with AS_PATH 200; AS900 receives 100.10.0.0/16 with AS_PATH 300 200 100 and 130.10.0.0/16 with AS_PATH 300 200.]
AS_PATH
• Used to ensure a loop-free exchange of routing info between ASes
– If own AS is seen in an update from an eBGP peer, a loop is detected (the Update is dropped)!
[Figure: AS300 originates 160.10.0.0/16. An update arriving at AS300 carrying 100.10.0.0/16 300 200 100, 130.10.0.0/16 300 200 and 160.10.0.0/16 300 already contains AS300 in the AS_PATH and is dropped (X).]
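Added example (not from the tutorial): a toy path-vector model in Python that reproduces the two AS_PATH figures (the chain AS100, AS200, AS300, AS900; the prefixes 100.10.0.0/16, 130.10.0.0/16 and 160.10.0.0/16) and the loop-detection drop at AS300. It also plays out the propagation chain of the earlier "Routing & Traffic Flow: Internet" slide: a prefix only reaches the far end when every AS along the way accepts it and re-advertises it with its own ASN prepended. The AsRouter class and its rules (own ASN in the path means drop; shorter AS_PATH replaces longer) are this example's constructed simplification, not a BGP implementation.

```python
# Toy path-vector model (constructed for this example; not a real BGP implementation).
# Each AS is one speaker that keeps the best known AS_PATH per prefix, advertises it
# to every peer with its own ASN prepended, and drops any update that already
# carries its own ASN in the AS_PATH (loop detection).

class AsRouter:
    def __init__(self, asn):
        self.asn = asn
        self.peers = []
        self.table = {}      # prefix -> AS_PATH as a list, nearest AS first
        self.dropped = []    # (prefix, AS_PATH) updates rejected by loop detection

    def originate(self, prefix):
        self.table[prefix] = []          # locally originated: empty AS_PATH (^$)

    def receive(self, prefix, as_path):
        if self.asn in as_path:          # own AS seen in an update: loop, drop it
            self.dropped.append((prefix, tuple(as_path)))
            return False
        current = self.table.get(prefix)
        if current is None or len(as_path) < len(current):   # shortest AS_PATH wins
            self.table[prefix] = list(as_path)
            return True
        return False

    def advertise(self):
        """Send every route to every peer, prepending our own ASN."""
        for peer in self.peers:
            for prefix, path in list(self.table.items()):
                peer.receive(prefix, [self.asn] + path)

def link(a, b):
    a.peers.append(b)
    b.peers.append(a)

def converge(routers, rounds=4):
    """Advertise round-robin until the chain has had time to propagate end to end."""
    for _ in range(rounds):
        for r in routers:
            r.advertise()

def build_example():
    """Topology from the AS_PATH figures: AS100 - AS200 - AS300 - AS900."""
    net = {asn: AsRouter(asn) for asn in (100, 200, 300, 900)}
    net[100].originate("100.10.0.0/16")
    net[200].originate("130.10.0.0/16")
    net[300].originate("160.10.0.0/16")
    link(net[100], net[200])
    link(net[200], net[300])
    link(net[300], net[900])
    converge(list(net.values()))
    return net

def as_path_str(path):
    """String form as shown in 'sh ip bgp', e.g. '300 200 100'."""
    return " ".join(str(a) for a in path)

if __name__ == "__main__":
    net = build_example()
    for prefix, path in sorted(net[900].table.items()):
        print(f"AS900: {prefix:16} AS_PATH {as_path_str(path) or '(local)'}")
    print("dropped at AS300:", net[300].dropped)
```

The dropped list at AS300 shows its own 160.10.0.0/16 coming back from AS200 with AS_PATH 200 300, which is exactly the update marked with an X in the figure.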
NEXT_HOP
• Indicates the next hop address to reach the destination
– Source of the update packet!
• For eBGP – the eBGP neighbor address (to reach the next AS)
• For iBGP – generally the loopback address
NEXT_HOP
• eBGP learned routes are advertised to iBGP peers without changing the next hop
– Routers within the AS need to be able to reach the next hop (IGP or static)
– Else, external routes are not installed in the routing table!
[Figure: AS 200 (130.10.0.0/16) and AS 300 (160.10.0.0/16) outside AS 100. R2 in AS 100 has an eBGP session over 130.10.0.0/30 (.1 on the AS 200 side, .2 on R2) and an iBGP session to R3.]
R3's BGP table:
160.10.0.0/16 next hop 130.10.0.1
130.10.0.0/16 next hop 130.10.0.1
NEXT-HOP-SELF
• Override the eBGP next hop default behavior with the next-hop-self command
– Advertises itself as the next hop for external routes
• Reachable through IGP
[Figure: as before, AS 200 (130.10.0.0/16) and AS 300 (160.10.0.0/16) outside AS 100; R2 (100.10.0.10) has the eBGP session over 130.10.0.0/30 and an iBGP session to R3 (100.10.0.11).]
R2:
router bgp 100
 neighbor 100.10.0.11 remote-as 100
 neighbor 100.10.0.11 next-hop-self
!
R3's BGP table:
160.10.0.0/16 next hop 100.10.0.10
130.10.0.0/16 next hop 100.10.0.10
ORIGIN
• Indicates the origin of the route
– IGP (i): interior to the originating AS (advertised with the network command)
– EGP (e): generated by EGP (obsolete!)
– Incomplete (?): route’s origin is unknown (usually redistributed)
LOCAL_PREF
• Local preference tells routers within the AS (local) the preferred path to exit the AS
– Path with the highest local_pref wins
• Outbound traffic!
• Local to the AS – advertised only to iBGP peers!
[Figure: AS 100 (R1, R2, R3) learns 130.10.0.0/16 from AS 200 via two exits, one through AS 300 and one through AS 500, with local preference 200 set on one path and 500 on the other; the path with local_pref 500 wins.]
COMMUNITY
• Used to group prefixes (incoming/outgoing) and apply policies to the communities
– A prefix can belong to more than one community
• Is (was?) a 32-bit integer
– Represented as two 16-bit integers [ASN:number]
• Works well for 2-byte ASNs
• With 4-byte ASNs
– Common to see [private-ASN:number]
– RFC 8092 (BGP Large Communities): 96-bit integer
• [32-bit ASN:32-bit:32-bit]
MED
• Multi-exit discriminator is inter-AS non-transitive
– Indicates to the neighbor AS the preferred entry points into the local AS (incoming traffic)
• The path with the lowest MED wins!
[Figure: AS 200 (R1, R2) originates 160.10.0.0/16 and advertises it to AS 300 (R3, R4, R5) over two links, one with MED 10 and one with MED 200; AS 300 prefers the MED 10 entry point.]
BGP Operation
• BGP learns routes from iBGP and eBGP peers
– Selects the best path based on the attributes
– Installs the best path in the routing table
– Advertises the best paths to its other BGP peers
• eBGP learned routes to iBGP peers
• iBGP learned routes to eBGP peers
Advertising Networks in BGP
• The network statement
– allows BGP to inject routes into the BGP table and advertise them to neighbors only if the route already exists in the routing table!
• BGP “Synchronization Rule”:
– iBGP learned routes should not be installed in the routing table nor advertised to eBGP peers unless the route was learned through an IGP first!
• Prevents black-hole routes!
router bgp 100
 address-family ipv4 unicast
  network <prefix> mask <subnet-mask>
 address-family ipv6 unicast
  network <prefix/length>
BGP Tables
• Neighbor Table – list of all BGP neighbors
• BGP Table – list of routes learned from all BGP neighbors (and locally originated routes!)
• Routing (Forwarding) Table – all best paths
• selected based on attributes and whose next-hops are reachable!
BGP Best Path Selection
(evaluated top to bottom; the first rule on which the candidate paths differ decides)
• Highest Local Preference
• Locally originated routes
• Shortest AS Path
• Lowest Origin Code (i<e<?)
• Lowest MED/metric
• eBGP over iBGP
• Lowest IGP cost to next-hop
• Oldest eBGP route
• Lowest neighbor router-ID
• Lowest neighbor IP address
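Added example (not from the tutorial): the ladder above as a sort key in Python, so that several candidate paths for one prefix can be ranked and the rule that decided can be named. The Candidate fields, the sample paths and the ASNs 64500 and 64501 are constructed; the real IOS rules have further conditions this model leaves out (for instance MED is only compared between paths from the same neighbor AS unless configured otherwise, and route age is only considered for eBGP paths).

```python
from dataclasses import dataclass

@dataclass
class Candidate:
    """One path to the same prefix as seen in the BGP table (constructed fields)."""
    neighbor_ip: str
    local_pref: int = 100
    locally_originated: bool = False
    as_path: tuple = ()
    origin: str = "i"              # i (IGP) < e (EGP) < ? (incomplete)
    med: int = 0
    ebgp: bool = True
    igp_cost: int = 0
    received_order: int = 0        # lower = received earlier = older route
    router_id: str = "0.0.0.0"

RULES = [
    "Highest Local Preference", "Locally originated routes", "Shortest AS Path",
    "Lowest Origin Code", "Lowest MED", "eBGP over iBGP", "Lowest IGP cost to next-hop",
    "Oldest eBGP route", "Lowest neighbor router-ID", "Lowest neighbor IP address",
]
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}

def ip_key(ip):
    """Compare dotted-quad addresses numerically, octet by octet."""
    return tuple(int(o) for o in ip.split("."))

def ladder_key(c):
    """One tuple element per rung of the ladder, in the slide's order, each oriented
    so that the smaller value is the better one; min() then picks the best path."""
    return (
        -c.local_pref,                      # highest local preference
        0 if c.locally_originated else 1,   # locally originated first
        len(c.as_path),                     # shortest AS_PATH
        ORIGIN_RANK[c.origin],              # i < e < ?
        c.med,                              # lowest MED
        0 if c.ebgp else 1,                 # eBGP over iBGP
        c.igp_cost,                         # lowest IGP cost to next hop
        c.received_order,                   # oldest route
        ip_key(c.router_id),                # lowest neighbor router-ID
        ip_key(c.neighbor_ip),              # lowest neighbor IP address
    )

def best_path(candidates):
    return min(candidates, key=ladder_key)

def deciding_rule(candidates):
    """Name of the first rung on which the candidates differ, i.e. the rule that decided."""
    keys = [ladder_key(c) for c in candidates]
    for i, name in enumerate(RULES):
        if len({k[i] for k in keys}) > 1:
            return name
    return None

if __name__ == "__main__":
    # The "two upstream, one backup" case: the route-map on the backup link lowers
    # local-pref to 80, so the AS 20 path wins before AS_PATH is even looked at.
    via_as20 = Candidate("20.20.20.1", as_path=(20, 64500), router_id="20.0.0.1")
    via_as30 = Candidate("30.30.30.1", local_pref=80, as_path=(30, 64500), router_id="30.0.0.1")
    print(best_path([via_as20, via_as30]).neighbor_ip, "decided by", deciding_rule([via_as20, via_as30]))
```

Because local preference sits on the top rung, an inbound route-map that sets it makes every later attribute irrelevant for that comparison; that is why the slides use LOCAL_PREF for outbound control and leave AS_PATH prepending for influencing other ASes.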
Questions?
ISP Hierarchy
• Default free zone
– Made of Tier-1 ISPs who have explicit routes to every network on the Internet
• No need for default routes!
Exchanging Routes
• Pay someone to advertise your networks – TRANSIT
– Make sure they have good onward peering/transit!
• Interconnect with other ASes to exchange locally originated routes and traffic – PEERING
– Private Peering: between two ASes
– Public Peering: at an IXP (domestic/global)
Achieving Redundancy
• More than one path to the same ISP – Dual-homed
[Figure: single-homed (YOU connected to the ISP over one link) versus dual-homed (YOU connected to the same ISP over two links).]
Achieving Redundancy – Multihoming
• More than one upstream ISP – Multi-homed
[Figure: two multihomed layouts, YOU connected to both ISP1 and ISP2.]
Multihoming
• One upstream and local peering
[Figure: You connected to ISP-A (transit to the Internet) and to a local peer (peering).]
• More than one upstream ISP and local peering
[Figure: You connected to ISP-A and ISP-B (transit to the Internet) and to a local peer (peering).]
• More than one upstream ISP with local and public peering
[Figure: You connected to ISP-A and ISP-B (transit to the Internet), to a local peer (peering) and to an IXP (peering).]
Influence Path Selection – Policy
[Figure: on the local router, inbound updates from peers pass through the policy tools (prefix-list, filter-list, route-maps) into the BGP table; the best paths go to the routing table and, through the same tools applied outbound, become the outbound updates (best paths) sent to peers.]
Policy Tools
• Prefix-list – to filter routes/prefixes
• Filter-list – to filter based on AS-path; applies AS-path ACLs
• Route-map – modify attributes based on condition matches
Prefix List
ip prefix-list name/num [permit | deny] prefix/length [ge value] [le value]
• Example – allows any prefix with a prefix length between 8 and 24:
ip prefix-list TEST permit 0.0.0.0/0 ge 8 le 24
– Implicit DENY at the end!
AS-path ACL
• AS-path access lists use regular expressions
ip as-path access-list num [permit|deny] regex
.   Matches any one character
*   Matches any sequence of the pattern before *
+   Matches at least one occurrence of the preceding expression
^   Beginning with
$   Ending with
_   Matches start, end, space, comma, braces
AS-path ACL
• Example regular expressions:
^$             locally originated routes
_100$          originated by AS 100
_100_200_      passing through 100 and 200
^(_100)+$      originated by 100, multiple occurrence
ip as-path access-list 10 permit ^100$
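Added example (not from the tutorial): IOS AS-path regular expressions are ordinary regular expressions except for `_`, so this Python helper rewrites `_` into an equivalent alternation (start or end of string, space, comma, brace, as the table on the previous slide defines it) and checks the slide's example patterns against constructed AS-path strings. The translation of `_` is this example's own assumption about the IOS matcher; the first-match, implicit-deny evaluation of an as-path access-list is the same rule the slides give for prefix-lists.

```python
import re

# IOS AS-path regex: every metacharacter except "_" has its usual meaning. "_" is
# IOS-specific and, per the slide, matches the start or end of the string, a space,
# a comma or a brace. This translation is the example's own assumption about that
# behaviour; everything else is passed to Python's re module unchanged.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}])"

def ios_to_python(pattern):
    return pattern.replace("_", IOS_UNDERSCORE)

def as_path_matches(pattern, as_path):
    """as_path is the string form shown by 'sh ip bgp', e.g. '300 200 100';
    an empty string is a locally originated route."""
    return re.search(ios_to_python(pattern), as_path) is not None

def apply_as_path_acl(entries, as_path):
    """Evaluate an as-path access-list: ordered (action, regex) entries, first match
    wins, implicit deny when nothing matches."""
    for action, pattern in entries:
        if as_path_matches(pattern, as_path):
            return action == "permit"
    return False

# Constructed AS paths to exercise the slide's example expressions.
SAMPLE_PATHS = ["", "100", "300 200 100", "300 1100", "300 100 200 50", "100 100", "200 100"]

SLIDE_PATTERNS = {
    "^$": "locally originated routes",
    "_100$": "originated by AS 100",
    "_100_200_": "passing through 100 and 200",
    "^(_100)+$": "originated by 100, multiple occurrence",
}

def report(patterns=SLIDE_PATTERNS, paths=SAMPLE_PATHS):
    """Which sample paths each pattern matches: {pattern: [matching paths]}."""
    return {p: [ap for ap in paths if as_path_matches(p, ap)] for p in patterns}

if __name__ == "__main__":
    matches = report()
    for pattern, meaning in SLIDE_PATTERNS.items():
        print(f"{pattern:12} {meaning}: {matches[pattern]}")
```

The "300 1100" sample shows why `_100$` rather than `100$` is used: without the `_` boundary the pattern would also accept routes originated by AS 1100.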
Route Map
route-map name [permit | deny] [sequence]
• Logic of a route-map:
– If {(A or B or C) and D} match, then {set X and Y}
– Else if E matches, then set Z
– Else (for everything else) do/set nothing
route-map TEST permit 10
 match A B C
 match D
 set X
 set Y
route-map TEST permit 20
 match E
 set Z
route-map TEST permit 30
• Default is permit – implicit DENY at the end!
Match (conditions) & Set (actions)
Command – Description
match community – BGP community tag
match as-path – AS-path access list
match ip address – Access list or prefix-list
set as-path <prepend> – Modify AS-path
set community – Apply BGP community tag
set metric – Modify MED
set local-preference – Modify local preference
Path control - Attributes
• Inbound Traffic: AS-Path, MED, Community
• Outbound Traffic: Local Preference
Two Upstream – One backup
• Both incoming and outgoing traffic via R1
• R2 path to be used only if the path via R1 fails
– AS-PATH to control inbound traffic
– LOCAL-PREF for outbound
• Always announce the aggregate on both!
[Figure: AS 100 with R1 (primary) connected to AS 20 and R2 (backup) connected to AS 30, both reaching the Internet.]
• R1 (main link) config:
router bgp 100
 network 100.100.0.0 mask 255.255.224.0
 neighbor 20.20.20.1 remote-as 20
 neighbor 20.20.20.1 prefix-list AGGR out
 neighbor 20.20.20.1 prefix-list DEF in
!
ip prefix-list AGGR permit 100.100.0.0/19
ip prefix-list DEF permit 0.0.0.0/0
!
ip route 100.100.0.0 255.255.224.0 null0
– network: advertise the aggregate in BGP
– prefix-list AGGR out: prefix-list applied to outbound routes
– prefix-list DEF in: prefix-list applied to inbound routes
– ip prefix-list: define the prefix-lists
– ip route … null0: the aggregate should exist in the routing table (pull-up route)
• R2 (backup) config:
router bgp 100
 network 100.100.0.0 mask 255.255.224.0
 neighbor 30.30.30.1 remote-as 30
 neighbor 30.30.30.1 prefix-list AGGR out
 neighbor 30.30.30.1 route-map BACKUP-OUT out
 neighbor 30.30.30.1 prefix-list DEF in
 neighbor 30.30.30.1 route-map BACKUP-IN in
!
ip prefix-list AGGR permit 100.100.0.0/19
ip prefix-list DEF permit 0.0.0.0/0
!
ip route 100.100.0.0 255.255.224.0 null0
!
route-map BACKUP-OUT permit 10
 set as-path prepend 100 100 100
!
route-map BACKUP-IN permit 10
 set local-preference 80
– network: advertise the aggregate in BGP
– ip prefix-list: define the prefix-lists (AGGR must permit the same 100.100.0.0/19 aggregate that the network statement announces, otherwise nothing is advertised on the backup link)
– route-map BACKUP-OUT out: route-map applied to outbound routes; BACKUP-OUT prepends the AS-PATH for all outbound BGP updates
– route-map BACKUP-IN in: route-map applied to inbound routes; BACKUP-IN sets a lower local-pref (80) for all inbound BGP updates
Two Upstream – Load Sharing (Inbound Traffic)
• Always announce the aggregate on both!
– Announce one sub-aggregate on the first, and the other on the second link.
• Requires good address planning
– Customers need to be assigned from both address blocks
[Figure: AS 100 with R1 connected to AS 20 and R2 connected to AS 30, both reaching the Internet (load share).]
• R1 config:
router bgp 100
 network 100.100.0.0 mask 255.255.224.0
 network 100.100.0.0 mask 255.255.240.0
 neighbor 20.20.20.1 remote-as 20
 neighbor 20.20.20.1 prefix-list SUB-A out
 neighbor 20.20.20.1 prefix-list DEF in
!
ip prefix-list SUB-A permit 100.100.0.0/19
ip prefix-list SUB-A permit 100.100.0.0/20
ip prefix-list DEF permit 0.0.0.0/0
!
ip route 100.100.0.0 255.255.224.0 null0
ip route 100.100.0.0 255.255.240.0 null0
– network statements: advertise both the aggregate and the first sub-prefix in BGP
– prefix-list SUB-A: advertise the sub-aggregate along with the aggregate
– ip route … null0: the sub-aggregate should exist in the routing table (pull-up route)
• R2 config:
router bgp 100
 network 100.100.0.0 mask 255.255.224.0
 network 100.100.16.0 mask 255.255.240.0
 neighbor 30.30.30.1 remote-as 30
 neighbor 30.30.30.1 prefix-list SUB-B out
 neighbor 30.30.30.1 prefix-list DEF in
!
ip prefix-list SUB-B permit 100.100.0.0/19
ip prefix-list SUB-B permit 100.100.16.0/20
ip prefix-list DEF permit 0.0.0.0/0
!
ip route 100.100.0.0 255.255.224.0 null0
ip route 100.100.16.0 255.255.240.0 null0
– network statements: advertise both the aggregate and the second sub-prefix in BGP
– prefix-list SUB-B: advertise the sub-aggregate along with the aggregate
– ip route … null0: the sub-aggregate should exist in the routing table (pull-up route)
Load Sharing – Outbound (Full)
• What about outbound traffic load balancing?
• Case I: Full Internet routes (more memory/CPU)
– Accept the default route from one (AS20)
– Full routes from the other (AS30)
• Higher local-pref for prefixes originated by AS30 and its immediate neighbors (one AS hop away) – traffic goes via AS30
• Lower local-pref for all other routes (lower than 100) – traffic to these goes via AS20
Load Sharing – Outbound (Partial)
• Partial Routes – less HW resources!
• Case II: Partial Internet routes
– Accept default from AS20
– Default and full routes from AS30 (better connected than AS20)
– filter to only accept prefixes originated by AS30 and its neighbor ASes (AS-Path ACLs)
• Higher pref those routes
• Low pref the default route from AS30, so that traffic to everything else goes via AS20
– Traffic to the rest of the Internet via AS 20
[Figure: AS 100 with R1 connected to AS 20 and R2 connected to AS 30; AS 30 connects to its neighbor AS X and to the rest of the Internet.]
• R1 configuration:
router bgp 100
 neighbor 20.20.20.1 remote-as 20
 neighbor 20.20.20.1 prefix-list DEF in
!
ip prefix-list DEF permit 0.0.0.0/0
!
• R2 config:
router bgp 100
 neighbor 30.30.30.1 remote-as 30
 neighbor 30.30.30.1 filter-list 30 in
 neighbor 30.30.30.1 prefix-list ALL in
 neighbor 30.30.30.1 route-map DEF-LOW in
!
ip prefix-list DEF permit 0.0.0.0/0
!
ip prefix-list ALL deny <bogons-rfc1918>
ip prefix-list ALL permit 0.0.0.0/0 le 32
!
ip as-path access-list 30 permit ^(30_)+$
ip as-path access-list 30 permit ^(30_)+_[0-9]+$
!
route-map DEF-LOW permit 10
 match ip address prefix-list DEF
 set local-preference 90
route-map DEF-LOW permit 20
– prefix-list ALL in (on the AS30 neighbor, the only peer on R2): accept the full internet feed except bogon routes and RFC 1918 routes
– filter-list 30 in: filter inbound routes with the AS-PATH ACL using filter-list
– as-path access-list 30, first entry: accept routes local to and received from AS30 (AS-path prepend included)
– as-path access-list 30, second entry: received from AS30 but with an AS-PATH length of two (its neighbor ASes)
– route-map DEF-LOW: low-pref the default route – purely for redundancy (if the path via AS 20 fails)
Using Communities
• The community attribute provides greater flexibility for traffic shaping than a prefix-list
– Simplifies BGP configuration
– Greater policy control
• Not sent by default to BGP peers
– Need to explicitly send (neighbor x.x.x.x send-community)
• Can carry policy information – example:
• ASN:80 (set local-pref 80)
• ASN:1 (set as-path prepend ASN)
• ASN:888 (set ip next-hop 192.0.2.1 – Cymru bogons)
Setting Communities
router bgp 100
 neighbor 20.20.20.1 remote-as 20
 neighbor 20.20.20.1 send-community
 !
 address-family ipv4 unicast
  network 100.100.0.0 mask 255.255.224.0 route-map SET-COMM-AGG
  network 100.100.0.0 mask 255.255.248.0 route-map SET-COMM-3G
  network 100.100.8.0 mask 255.255.248.0 route-map SET-COMM-BB
  network 100.100.16.0 mask 255.255.248.0 route-map SET-COMM-ENT
  network 100.100.24.0 mask 255.255.248.0 route-map SET-COMM-CORP
!
ip route 100.100.0.0 255.255.224.0 null0
ip route 100.100.0.0 255.255.248.0 null0 254
ip route 100.100.8.0 255.255.248.0 null0 254
ip route 100.100.16.0 255.255.248.0 null0 254
ip route 100.100.24.0 255.255.248.0 null0 254
!
route-map SET-COMM-AGG permit 10
 set community 100:1000
!
route-map SET-COMM-3G permit 10
 set community 100:1101
!
route-map SET-COMM-BB permit 10
 set community 100:1102
!
route-map SET-COMM-ENT permit 10
 set community 100:1103
!
route-map SET-COMM-CORP permit 10
 set community 100:1104
!
Grouping Communities
• We can group communities together using community-list:
!
ip community-list 20 permit 100:1000
ip community-list 21 permit 100:1101
ip community-list 22 permit 100:1102
ip community-list 23 permit 100:1103
ip community-list 24 permit 100:1104
!
Two Upstream and IXP – Communities
[Figure: AS 100 with R1 connected to AS 20 and R2 connected to AS 30 (transit to the Internet), and R3 connected to an IXP where it peers with AS111 and AS222.]
Two Upstream and IXP
• R3 (IXP) configuration:
– For both incoming and outgoing traffic, the IXP should be the preferred path!
router bgp 100
 neighbor IX-PEERS peer-group
 neighbor 12.12.12.111 remote-as 111
 neighbor 12.12.12.111 peer-group IX-PEERS
 neighbor 12.12.12.222 remote-as 222
 neighbor 12.12.12.222 peer-group IX-PEERS
 !
 address-family ipv4
  neighbor IX-PEERS send-community
  neighbor IX-PEERS remove-private-as
  neighbor IX-PEERS route-map IX-IN in
  neighbor IX-PEERS route-map IX-OUT out
– neighbor IX-PEERS peer-group: define a peer-group for all IX peers
– neighbor … peer-group IX-PEERS: add neighbors to the peer group
– send-community, remove-private-as: common policies applied to all neighbors in the peer-group – send communities, remove private ASNs
– route-map IX-IN / IX-OUT: apply inbound and outbound routing policies
Two Upstream and IXP
• R3 (IXP) configuration (contd.):
!
ip community-list 20 permit 100:1000
ip community-list 21 permit 100:1101
ip community-list 22 permit 100:1102
ip community-list 23 permit 100:1103
ip community-list 24 permit 100:1104
!
route-map IX-IN permit 10
 set local-preference 250
 set community 100:1212 additive
!
route-map IX-OUT permit 10
 match community 20 21 22 23 24
 set metric 10
!
– community-lists: define the communities
– IX-IN set local-preference 250: high local-pref for routes received from IX peers (outbound traffic via IX)
– IX-IN set community 100:1212 additive: define a community (1212 being the IX ASN) for all routes learned via the IXP
– IX-OUT match community 20 21 22 23 24: send all our prefixes (aggregates and sub-aggregates)
– IX-OUT set metric 10: set a lower MED for all routes sent to IX peers (inbound traffic via IX)
Two Upstream and IXP
• For Transit/Upstream:
– Tier-1 ISPs (or ISPs who are run properly) use communities to group their regional prefixes
– Filter based on those to shape outbound traffic to the Internet!
• Ex: receive US routes from one ISP, and Europe routes from the other
– Example:
• NTT US – 2914:3000
• NTT Europe – 2914:3200
• NTT Asia – 2914:3400
• NTT South America – 2914:3600
Two Upstream and IXP
• For Inbound traffic:
– We can use our sub-prefixes to balance incoming traffic
– Advertise half of our routes to one, and the other half to the other
• keep playing until we reach symmetry!
– But remember to announce the aggregate to both (REDUNDANCY!)
Two Upstream and IXP
• R1 configuration:
– Let us assume NTT (AS2914) as transit here
router bgp 100
 neighbor 29.29.29.1 remote-as 2914
 neighbor 29.29.29.1 description eBGP with NTT
 !
 address-family ipv4
  neighbor 29.29.29.1 send-community
  neighbor 29.29.29.1 route-map NTT-IN in
  neighbor 29.29.29.1 route-map NTT-OUT out
!
! We want Asia, US and SA routes
ip community-list 1 permit 2914:3000 !US
ip community-list 1 permit 2914:3400 !AS
ip community-list 1 permit 2914:3600 !SA
ip community-list 2 permit 2914:3200 !EU
– send-community, route-maps: send communities; apply inbound and outbound routing policies
– community-lists: define communities for NTT global routes; in this example, we will source US and Asia routes from NTT
Two Upstream and IXP
• R1 configuration (contd.):
!
route-map NTT-IN permit 10
 match community 1
 set local-preference 210
route-map NTT-IN permit 20
 match community 2
 set local-preference 50
route-map NTT-IN permit 40
!
route-map NTT-OUT permit 10
 match community 20
 match community 21
 match community 22
!
– NTT-IN: route-map to influence outbound traffic; set a higher local-pref for US, Asia, and SA routes (outbound traffic) – still lower than IX!
– NTT-IN permit 20: lower local-pref for EU routes (will prefer the second ISP, but available if that link fails)
– NTT-OUT: route-map to influence inbound traffic; send our aggregate (in case ISP2 fails) and half of our sub-prefixes
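Added example (not from the tutorial): a small route-map evaluator in Python that applies the semantics from the "Route Map" slide (sequences evaluated in order, match lines within a sequence ANDed, values on one match line ORed, first match wins, implicit deny at the end) to the NTT-IN policy above. The route representation, the prefix-list simplification (exact-match entries only) and the sample prefixes 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 with ASNs 64500 to 64502 are constructed for this example; the community values and local-preference numbers are the ones on the slide.

```python
import copy

def make_route(prefix, as_path, communities=(), local_pref=100, med=0):
    """A BGP route holding the attributes the slides' match/set commands touch (constructed)."""
    return {"prefix": prefix, "as_path": list(as_path),
            "communities": set(communities), "local_pref": local_pref, "med": med}

def prefix_list_permits(prefix_list, prefix):
    """Simplified prefix-list: ordered (action, prefix) entries, exact match, implicit deny."""
    for action, p in prefix_list:
        if p == prefix:
            return action == "permit"
    return False

def clause_matches(route, kind, values, community_lists, prefix_lists):
    """One match line; the values on one line are ORed."""
    if kind == "community":
        return any(community_lists[n] & route["communities"] for n in values)
    if kind == "ip address prefix-list":
        return any(prefix_list_permits(prefix_lists[n], route["prefix"]) for n in values)
    raise ValueError(f"unsupported match type {kind!r}")

def apply_route_map(route_map, route, community_lists, prefix_lists):
    """Evaluate sequences in order; the first sequence whose match lines all hold
    (different match lines are ANDed) decides: permit applies the set actions and
    passes the route, deny rejects it. No matching sequence: implicit deny (None)."""
    for seq in sorted(route_map, key=lambda s: s["seq"]):
        if all(clause_matches(route, kind, values, community_lists, prefix_lists)
               for kind, values in seq.get("match", {}).items()):
            if seq["action"] == "deny":
                return None
            r = copy.deepcopy(route)            # never modify the peer's original copy
            for what, value in seq.get("set", {}).items():
                if what == "local-preference":
                    r["local_pref"] = value
                elif what == "metric":
                    r["med"] = value
                elif what == "community":
                    r["communities"] = set(value)       # replaces unless additive
                elif what == "community additive":
                    r["communities"] |= set(value)
                elif what == "as-path prepend":
                    r["as_path"] = list(value) + r["as_path"]
                else:
                    raise ValueError(f"unsupported set type {what!r}")
            return r
    return None

# The NTT-IN policy from the slides: community-list 1 (US, Asia, SA) and 2 (EU).
NTT_COMMUNITY_LISTS = {
    "1": {"2914:3000", "2914:3400", "2914:3600"},
    "2": {"2914:3200"},
}
NTT_IN = [
    {"seq": 10, "action": "permit", "match": {"community": ["1"]}, "set": {"local-preference": 210}},
    {"seq": 20, "action": "permit", "match": {"community": ["2"]}, "set": {"local-preference": 50}},
    {"seq": 40, "action": "permit"},          # everything else: accept unchanged
]

if __name__ == "__main__":
    # Constructed routes as NTT (AS2914) might send them, tagged with its regional communities.
    samples = [
        make_route("192.0.2.0/24", [2914, 64500], ["2914:3000"]),      # US
        make_route("198.51.100.0/24", [2914, 64501], ["2914:3200"]),   # EU
        make_route("203.0.113.0/24", [2914, 64502]),                   # no regional tag
    ]
    for r in samples:
        out = apply_route_map(NTT_IN, r, NTT_COMMUNITY_LISTS, {})
        print(r["prefix"], "->", "dropped" if out is None else f"local_pref {out['local_pref']}")
```

Removing the empty `permit 40` sequence from NTT_IN turns the policy into "accept only tagged routes": untagged routes then hit the implicit deny and never enter the BGP table, which is the behaviour the "Route Map" slide warns about.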
Two Upstream and IXP
• R2 configuration:
– Let us assume Zayo/AboveNet (AS6461) as transit here
router bgp 100
 neighbor 64.64.64.1 remote-as 6461
 neighbor 64.64.64.1 description eBGP with Zayo
 !
 address-family ipv4
  neighbor 64.64.64.1 send-community
  neighbor 64.64.64.1 route-map ZAYO-IN in
  neighbor 64.64.64.1 route-map ZAYO-OUT out
!
! Zayo Europe routes
ip community-list 3 permit 6461:5996
ip community-list 3 permit 6461:5998
ip community-list 3 permit 6461:5999
! Zayo Global routes
ip community-list 4 permit 6461:5997
– send-community, route-maps: send communities; apply inbound and outbound routing policies
– community-lists: define communities for Zayo global routes; in this example, we will source EU routes from Zayo
Two Upstream and IXP
• R2 configuration (contd.):
!
route-map ZAYO-IN permit 10
 match community 3
 set local-preference 210
route-map ZAYO-IN permit 20
 match community 4
 set local-preference 50
route-map ZAYO-IN permit 40
!
route-map ZAYO-OUT permit 10
 match community 20
 match community 23
 match community 24
!
– ZAYO-IN: route-map to influence outbound traffic; set a higher local-pref for EU routes (outbound traffic) – still lower than IX!
– ZAYO-IN permit 20: lower local-pref for global routes (NTT is preferred, but will work if that link fails)
– ZAYO-OUT: route-map to influence inbound traffic; send our aggregate (in case ISP1 fails), and the other half of our sub-prefixes
Questions?
Get your IP address
• Ask your ISP
– Non-portable address space
– Requires renumbering of your infrastructure when changing upstream
• Ask your RIR (APNIC)
– Portable address space
– No need for renumbering
– Traffic engineering flexibility
• Eligibility??
Resources Hierarchy
[Figure: IANA at the top; the five RIRs (AFRINIC, APNIC, ARIN, LACNIC, RIPE) below it; ISPs below the RIRs; end users (EU) below the ISPs.]
Get your IP address (contd.)
• APNIC’s eligibility criteria
– Service Provider
• Demonstrate immediate /24 need, and
• Demonstrate a utilization plan for a /23 within a year
– Multihoming
• Currently multihomed, or
• Intention to multihome
• Demonstrate immediate utilization of 25%, and 50% within a year
Questions?
Thank you