BGP Techniques for Internet Service Provider 101

Captions
Yes, okay. So my name is David Pronto, I'm from Cisco. I'll be presenting BGP Techniques for Service Providers. The main objective is just to cover BGP basics and discuss scaling techniques and best practices. I would like to acknowledge Philip Smith, who originally developed this tutorial; we are just continuing that tutorial. He did most of the work, I just updated it a little bit.

There will be a self-guided practice lab available, and we will give you directions or guides on how to use the practice lab. We'll distribute the guides, so we are not going to do the lab during this session; it is something that you can do over the next one week. I will keep it up for one week and you can practice any time during that week. You'll be assigned a lab pod at the end of these sessions; we'll give you the pod number and a link to the lab guide.

So, the agenda: this is divided into two sessions, the 101 and the 102. The first session, until 3:30, will focus on BGP basics, BGP scaling and communities, and then we'll discuss the lab logistics briefly. The second session will focus on BGP deployment and best practices.

Okay, so the first section will cover what BGP is, BGP attributes, the BGP path selection algorithm, how to apply BGP policy, and BGP capability exchange. We have a lot of topics to cover, so we'll be going quickly through these slides; I apologize for that.

So what's BGP? BGP is a routing protocol used for exchanging routes between different autonomous systems, although it can be used within just a single autonomous system. It's described in RFC 4271 and several related RFCs. The IETF working groups are Inter-Domain Routing (IDR) and SIDR; those are the main working groups, and you have the links there in case you don't have them. The autonomous system is the cornerstone of BGP, so we'll discuss the autonomous system.

So what's an autonomous system? It is a collection of networks within a single technical administration. They have a single interior routing protocol, or IGP, interior gateway routing protocol, and usually they are under a single administration, and it has a consistent policy within that. Typically it will have an autonomous system number, which is two octets or four octets, and we'll discuss that later on.

So autonomous system numbers: the two-octet AS numbers range from zero to 65535, and the 32-bit range goes from there up to 2 to the power of 32, which is about four billion. Zero and 65535 are reserved, and there is also a block reserved for documentation purposes, to avoid confusion, so that people don't just copy and paste a real autonomous system number. There is also a block set aside just for private autonomous system numbers. The autonomous system numbers are distributed by the registries, so you can get AS numbers from the registries as 16-bit or 32-bit autonomous system numbers.

So to come back to BGP basics: the protocol runs over TCP port 179. It's a distance vector protocol. Peering is the cornerstone, so you will have peering within a single autonomous system or between autonomous systems, and we'll discuss that; that's internal and external BGP peering. It uses incremental updates, so it doesn't just dump the entire table every time it does an update. When you start you'll get the full update, depending on the policy, but as things change you get incremental updates, incremental advertisements or withdrawals.

Another term that you need to be familiar with is the DMZ. In the BGP context it means the shared network between different autonomous systems. So in this case the link between A and C is a DMZ, and the broadcast network between B, D and E is also a DMZ, and there are three autonomous systems.

So the general operation is: BGP learns multiple paths via internal and external BGP peering, then it selects the best paths based on the best path algorithm, then installs the best paths into the routing table, and then advertises the best paths to neighbors, to external neighbors as well as internal neighbors. So we have both internal and external peering, or use of BGP internally and externally. iBGP is normally used to carry internal routes, like customer prefixes as well as internal infrastructure prefixes, but eBGP is used to advertise summarized prefixes, essentially, or aggregated prefixes, and to exchange external routes.

So here is a conceptual representation. Here you have four autonomous systems interconnected linearly, and within each one of them there is an interior gateway protocol running within the network. Those are separate; they do not talk to one another. The IGP is within the autonomous system, there is external BGP, eBGP, between the autonomous systems, and there is internal BGP, iBGP, within the autonomous systems. So between BGP speakers of different ASes you will have eBGP, and it is usually used on a directly connected interface, and you don't run any IGP, interior gateway protocol, on that DMZ. So on the DMZ links you don't run the IGP protocol, you only run eBGP.

So iBGP is between routers running in the same autonomous system. iBGP speakers do not have to be directly connected; the reachability between iBGP speakers is taken care of by the IGP, the interior gateway protocol. So they don't have to be directly connected, but there is a requirement to be fully meshed, and we'll discuss later on how to mitigate that scalability issue. It is topology independent, because it runs on top of TCP and it uses the IGP to reach one another between the routers; it doesn't depend on the topology of the internal network.

Okay, the peering between iBGP speakers, or the peering between BGP speakers within the same autonomous system, is typically done using a loopback IP address. You can do it using an interface IP address, but if you do that, whenever the interface flaps then the peering flaps, which is not really necessary and has adverse effects. So BGP peering within an autonomous system is done between loopback IP addresses.

So the key for BGP is that each update, or each route, has attributes, and there are different attributes. Those attributes are used for path selection, policy enforcement, signaling information and so on, and we'll discuss each one of them.

So one of the key attributes is AS path. The AS path is the path traversed by the update to reach this router or this autonomous system, so it is used to decide on the best path: a longer path is less preferred than a shorter path. When it says path here, it's in terms of the number of autonomous systems it travels through, although with BGP there's a lot of policy flexibility, so you can override that; but usually the AS path length is used as a path selection criterion. Second, and very important, is loop detection, and we'll see how that's done. But here you can see that the route received in AS 400, two different routes were received there, and you'll see the AS path: the first one has 300 200 100. Usually the last one is where the route originated and the first one is the immediate autonomous system, so for this case the originating AS is 100, it was received from AS 300, and it has gone through AS 200.

So with the introduction of the four-octet autonomous system number: for a long time, and even today, most service providers use just a two-octet autonomous system number, but that's running out, so a four-octet autonomous system number is being introduced, and has been introduced for quite some time. When you have a four-octet autonomous system number, and if you have a router that doesn't support four-octet autonomous system numbers, then it has to be replaced with a reserved AS, which is 23456. So 23456 signifies an autonomous system that is a four-octet autonomous system but is not understood by the two-octet router, the router that doesn't support four-octet autonomous system numbers.

So, loop detection. The basic principle in loop detection is: if a router receives an update that contains its own autonomous system number in the AS path, then it is considered a loop and the update will be dropped. So if you look at this example, autonomous system 100 is receiving 180.10.0.0/16, which was originated from itself, and the update has its own AS number in it. As soon as it detects its own AS number it drops it, so it will not take that update, and that's how it avoids route looping. So it's used for loop detection.

The other important and mandatory attribute is next hop. Next hop tells BGP what the next hop is to reach this destination. Usually that next hop is known via the IGP, and a recursive lookup will be done: first do a lookup, it gives you another route, then you look that route up in the IGP and it gives you the outgoing interface, and you send the traffic out that way. So next hop is important from that perspective. The next hop, in the case of eBGP, is the peering address. So for example, if you look at this, C has received two updates, and the same with B, B has received two updates. In the case of B the next hop points to 150.10.1.1, which is the peering address, B to the eBGP peer, where the route is received. But when the route is sent over iBGP to a peer, normally by default the next hop is not updated, so the same next hop is propagated. So C also receives the update with the next hop of 150.10.1.1 and keeps the same next hop, which means C has to know about 150.10.1.1 in its routing table, and usually that's not desired; we'll see later on how to override this default behavior.

So in this particular case, this is for iBGP learned routes. When a router, in this case take for example router B, injects routes for 121.1.0/24 and 121.254.2/32, sorry, that one is in the IGP; when it injects 121.1.0/24 it will inject it with the next hop set to itself. Itself means its loopback interface IP address, so when the other routers receive it the next hop will be the loopback IP address of B, which is 121.254.2. So for iBGP learned routes, or routes originated within that autonomous system, the next hop is set to the loopback IP address of the router that originated the route.

Third-party next hop. This is rarely used, but it's important to understand how it works. So in this particular case, three routers A, B and C, which are in three different autonomous systems, even though only two autonomous systems are shown here, are peering with one another with eBGP. Sorry, C is peering with A and B is peering with A. Now, by default it uses the peering IP address, so if B uses the peering IP address for the routes to the 121 prefix, it will first send that traffic to A and then A will send it to C, but this is a waste of bandwidth. So when there is a shared network, when A advertises the route to B, it will change the next hop to be the third-party next hop, which is the next hop of C.

Okay, so best practice for next hop. The default for BGP is not to change the next hop when it's advertised via iBGP, but this means that you have to inject the interface address into the IGP, and this is a lot of overhead for the IGP; it will also create a little bit of instability. So the best option is to change the next hop to the loopback IP address of that router, the peering router.

Okay, so in summary, the IGP is used to carry the next hop for BGP. In some cases it's possible that BGP may be the next hop for BGP, but eventually it has to recurse back to the IGP. So the IGP carries the next hop for BGP; a recursive lookup is used to do the BGP lookup, so the BGP lookup gives a next hop in the IGP and then the IGP lookup will take care of the actual outgoing interface. This behavior delinks BGP from the actual topology of the internal network.

Another BGP attribute is origin. This is historical in nature, in that originally there was EGP, which is another exterior gateway protocol that predates BGP, so if the route was originated from the EGP protocol as opposed to BGP it would have a different origin. So there are three types: IGP, EGP and incomplete. There are still three types, but EGP is not used because there is no route originating from EGP nowadays, so you have two types of origin, IGP and incomplete. IGP is used if the route is injected using a network statement, and incomplete is used if a route is injected into BGP by redistributing the IGP into BGP or by redistributing a static route into BGP instead of using a network statement. The network statement is the preferred one; during route selection, IGP will be preferred over incomplete during path selection.

Another attribute is aggregator. In BGP, when an ISP receives routes from other ISPs, the ISP can aggregate those routes and advertise them. Normally, if there is an agreement between the downstream ISPs and the upstream ISP, the upstream ISP can aggregate multiple ISPs and advertise it, which is good for the Internet, but they have to have an agreement. So in that case, when a BGP router aggregates routes, it has to convey the router that aggregated the route, so it puts its IP address as the aggregator on that route.

Local preference. This is very important; it's used for influencing how traffic exits the network. So let's say a route, let's say 160.10.0.0/16 in this case, is advertised through two different paths, but AS 400 may want to prefer a path through B instead of A. In that case, when AS 400 receives the update through B it will set local preference to 800, in this particular example, and when it receives it from D it sets the local preference to 500. When C receives the route it will pick the path received via B instead of via D, because the route received via B has a higher local preference, and higher local preference is preferred. So it is used to influence how traffic exits the network, and traffic will go that way. It is a non-transitive optional attribute, which means it is used within a single autonomous system; it's not advertised outside that autonomous system. So in the previous example, here B sets the local preference, A also sets a local preference, and that local preference is advertised along with the route to C, but when C sends updates to another router, to another eBGP neighbor, it will not set the local preference; it will remove the local preference. So local preference is transitive, sorry, it's non-transitive, and optional, and used to influence how traffic goes out of the autonomous system.

Okay, so sort of the opposite of local preference is the multi-exit discriminator, or MED. It's used to influence how traffic is received into the network. So if AS 200, in this particular case, prefers receiving traffic through D instead of C, it will send, or sorry, in this case AS 200 prefers receiving traffic destined for 120.68.1.0 coming through B instead of A, then it will set a lower metric for, sorry, AS 200 will set a lower metric for routes advertised through D and a higher metric for routes sent out through C. So the MED is sent on eBGP updates, as opposed to local preference, which is sent only on iBGP updates. MED is also non-transitive, so you send it to the next autonomous system, but the next autonomous system will not send that same MED value to subsequent autonomous systems; it will only use it for itself. It may send another multi-exit discriminator, but its own, not the one received from the upstream service provider or the other service provider.

Okay, and another important thing for MED is that MED is considered a metric, so lower is preferred over higher, as opposed to local preference, where higher is preferred. Watch out for metric confusion: when BGP was first specified it didn't specify the default value for MED. MED is optional, so it doesn't specify what MED value to assume for a route that doesn't have a MED associated with it. So some vendors assumed zero, some vendors assumed the maximum, and that created confusion. Later on it was rectified; there are different RFCs, it's not listed here, but still you can have a router that doesn't adhere to the later RFC, because that's a more recent RFC. So you have to make sure that the right values are followed: the default should be zero if it is assumed, if you don't receive one, default the value to zero. Most vendors give you a knob to force a default behavior, so you can say if it is a missing MED assume zero, or if it is a missing MED assume infinity, or the maximum.

Another very important attribute is community. This simplifies configuration management and application of policy. It is used to classify routes into communities, or into classes essentially. It is a 32-bit integer. It is usually specified in a colon format, where the first part is the local autonomous system number, but it can be anything, though usually it is used with the local autonomous system number, and the second part actually identifies the class or the community to which a route belongs, or a prefix belongs. A prefix can belong to one or more communities, or it may not have any community at all. So it's used to group destinations; once you group destinations then you can apply policy on the group instead of on specific prefixes, and that's where the scalability counts and it simplifies configuration management.

So here, just to demonstrate, it shows you how it works without community and how it works with community. (Trying to find out how much time is left. Okay, okay, I'll just use mine.) Okay, so in this case, without community, let's say first you have this scenario, which means you have 160.10.0.0/16 coming in and you accept it, and on the peering to ISP 400 you want to allow that prefix to go out, so you have a prefix list and you add that prefix to that prefix list. Then you have another customer coming in; when this customer comes you have to update your prefix list on that peer in addition to the actual customer configuration. So you have to make that configuration change, and changing a BGP policy has impacts: whenever you change it, depending on the scenario, you may have to soft clear the BGP peer, which has to update the BGP table, so it has an impact. So you want to avoid, as much as possible, making changes anyway. Now you have a prefix coming in but you don't want to allow that, so you don't add any entry for that.

Now, with a community, what you do is whenever you receive a route you associate a community with it, in this case 300:1, and you will have a configuration on ISP 1 that says any prefix with community 300:1, allow it to go out on this peer. Now when you have another customer coming in you just set the community; you don't need to change the BGP policy going out from E to F. Now when you receive another update, and you don't want that update to go to AS 400, you set it with a different community, in this case 300:1, and that update will not go out of the E-F peer. So you can see that it simplifies the configuration management tremendously.

There are several well-known communities, and (checking the remaining time) the most common ones are: no-export, and we'll see what that means; it means you don't advertise to another autonomous system. No-advertise: don't advertise to any peer. No-export-subconfed: don't advertise to a sub-confederation; we'll discuss that later on. And no-peer means don't advertise to a bilateral peer. So in the case of no-export, in this case, if the route has a no-export community associated with it then it will not be sent from AS 100 to AS 200, or from AS to AS, because it has the no-export. If it is no-advertise, you do not advertise it to any peer at all.

Okay, so what about a four-byte autonomous system number? It's defined in RFC 1998, sorry, RFC 1998 defines how the community is defined, which is a two-octet AS number and a community number, but when you have a four-octet ASN what do you do? Because a community is just a straight 32-bit entity, you cannot split it into two different values. So some just continue with some predefined value as it is, others have started using 23456 as the AS number, and others are waiting for the extended community, generic, to be implemented; for that draft to be implemented. So again, communities are optional attributes, but being careless can create confusion. It's very important to know: some vendors advertise communities to iBGP peers, some vendors advertise communities by default to eBGP peers, so you have to know the implementation. The standard doesn't mandate sending it, so it is configurable; check your vendor's documentation and make sure that if you want to send it, it is being sent, and if you don't want to send it, it's not being sent.

Okay, path selection. This is very important, so to understand how it works: there are some variations between vendors, but the standard also specifies what the preferences are, and in addition to that vendors also add additional features. So here we will just discuss the general path selection algorithm. The key is you do not consider a route whose next hop is not reachable; if a path has a next hop that's not reachable then you just discard it, you don't use it. You do not consider a path that has the highest MED value, which is 2^32 - 1; you also discard that. Then comes the selection algorithm. The first selection criterion is highest weight, and that depends on the vendor, it's not a standard; it's an administrative value. Depending on the vendor, Cisco uses the weight, so if you configure a weight then it will override all other criteria. Most people don't, but if for administrative or migration purposes you need to configure that, then you can configure it.

The next one is local preference; we have already discussed that, so the highest local preference wins. The next one is locally originated route wins; locally originated means locally originated on this router wins, because that's obvious: if it is originated from this router it should have higher preference. The next one is the AS path length: a shorter path is preferred over a longer path. Of course, in most of these cases you will have knobs to tweak the selection algorithm, so in this particular case you can use bgp bestpath as-path ignore and it will ignore the AS path in the algorithm, but that's not that common. The next one is origin code: IGP is preferred over incomplete, and it's preferred over EGP. EGP is not common, so you can ignore that; if you ignore that, then a route that is injected using a network statement is preferred over a route that is redistributed. That's what the origin means.

The next one is... yes?

Question: I don't know if the sound works now. Yeah, my name is Richard Serra Kaya from Hawaii. I am confused about iBGP: IGP and iBGP, are they the same thing?

Answer: No. iBGP is internal BGP; IGP is interior gateway protocol. The interior gateway protocol is like OSPF or IS-IS for service providers; enterprises use RIP, EIGRP and other protocols, but the two main IGP protocols are OSPF and IS-IS, and they are only used within the autonomous system. iBGP is the part of BGP that's used for internal peering, so peering between BGP-speaking routers within a single autonomous system.

Okay, so the next one is a lower MED value is preferred over a higher MED, and MED is only considered for routes received from the same autonomous system. If a route is received from two different autonomous systems the MED will not be considered, unless you override it with a knob, in this case bgp always-compare-med, but there are other knobs as well. By default MED is only considered for routes received from the same autonomous system, otherwise it will defeat the purpose, but some people want to use it for routes received from multiple autonomous systems, and in that case you can use that knob. The next one is prefer eBGP over iBGP paths, so if you receive the same routes over iBGP and over eBGP you would prefer the one received over eBGP. Remember that this is probably for external routes, because for internal routes the AS path length is zero, so that will override the eBGP/iBGP. It's only when the two are the same, when the AS path length is the same, the MED is the same, the local preference is the same, then you prefer eBGP over iBGP. If all that is the same then you look at the next hop and the IGP metric for the next hop, so the lowest wins. If those two are the same then you take the router ID, the lowest router ID of the originator, or of the route reflector. If that's not the case then you go to the shortest cluster list, and we'll come to that; that's for route reflectors again. Then the last one is the lowest neighbor IP address where you received the route, and that's always unique, so you pick that one.

So the key thing is, in a multi-vendor environment you have to know the differences. There are slight variations, so it's very important to know the differences. They all follow the same standard, but they have additional tweaks and additional defaults, so it's good to understand that, and important to avoid the MED confusion.

Okay, so applying policy. Why do we apply policy? One, we want to block some prefixes that we don't want to receive, and we want to block some prefixes that we don't want to advertise. Second, we want to influence how traffic is sent, traffic engineering, how traffic flows. So in the case of ISPs, nobody just plugs in, configures a BGP peering and is done; that's not the case. It is heavily policy oriented, so they need to control when they peer, who they peer with, what routes they receive from which peer, and how to load balance, also for traffic engineering. So we'll see each one of these.

So how do we apply policies? It is usually using some kind of route policy language, and by setting, by manipulating, the attributes: we set MED or the AS path length. You can influence the AS path length; there are ways to increase the path length by prepending multiple AS numbers. By changing the local preference, by changing the weights. Also you can filter based on prefixes, based on community, or on AS paths; you can say if this update is coming through this AS I don't want to receive this path, or I want to have less preference for that route, and so you can change the preference for that route. So it is by setting values as well as by filtering based on different attributes, so the BGP attributes are useful from that perspective. Most implementations, vendor implementations, have tools to achieve this, like prefix lists, AS path lists, AS path manipulation, regular expressions, community attribute setting, community attribute matching mechanisms, and some kind of programmatic language to do the policy as well. Any questions?

BGP capabilities. This is extending BGP. There are different BGP capabilities; when BGP was first introduced it had the bare minimum protocol, and then other features or other capabilities were added. As those capabilities are added, BGP speakers have to understand who supports what, and that's negotiated also. So the capability exchange is documented in RFC 2842. It is used when the session is established: when a BGP session is established they will exchange capabilities, so they will know who supports which capability, and they negotiate and settle on the ones that both of them support. The capability numbers are assigned by IANA: 1 to 63 is by IETF consensus, then 64 to 127 is on a first-come first-served basis, and 128 to 255 is reserved just for vendor-specific use. So these are the different BGP capabilities: 0 is reserved, 1 is multiprotocol extension, and you can see the list; I won't go through each one of them, so I'll go to the next slide.

So the multiprotocol extension. In your case, in this room, BGP is used mostly for IPv4 unicast, but BGP also supports IPv4 multicast, IPv6 unicast; sorry, it's IPv4 and IPv6 unicast typically, but BGP is also used for IPv4 unicast, multicast, for VPLS, for multicast redistribution, for a number of other functionalities, so that is supported in the BGP multiprotocol extension capability. The second one, an important one that we'll cover here, is route refresh; this also reduces the churn required during policy change, and we will see that later on. The third one is four-octet AS number support, so when the two sessions come up they will exchange capabilities and they will know whether both of them support four-octet ASN or not, and we'll also cover that one later on. There are a number of other capabilities being developed, and most of them are implemented even though they are not yet full standards.

So, BGP scaling techniques. We'll discuss different techniques that are used for BGP scalability, including dynamic reconfiguration, which is also route refresh, and you will see how that's used. We'll look at route reflectors, which are very, very important for scaling the number of peers required, BGP configuration, confederations, which are also required for scaling the full mesh peering requirement, and then deploying four-octet ASN. Okay, so I'll skip here.

So current best practice is to use route refresh, and we will cover that shortly. It's very important to use configuration templates, because it reduces errors. Update groups: some vendors do dynamic update groups, so you don't need to do any configuration per se in that case, but if your vendor doesn't support, or your software doesn't support, dynamic update groups then you have to think about that, because that improves scalability a lot. Route reflector is very, very important; we'll discuss that. Route aggregation, that's also very important, not just for a service provider but for the entire Internet, so we'll also discuss that. And deploying four-octet ASN: we're running out of two-octet, so that's important, and being able to support four-octet ASN is important.

So going to route refresh: why do we need route refresh, and what's the problem it is trying to solve? Let's say you have a BGP peering where you say I want to accept this set of prefixes based on different attributes, either community or AS path or other, or prefix lists, and then you say I don't want to accept this set of prefixes, or you may want to say I accept these prefixes with this local preference, these prefixes with this local preference, and so on. Once you apply that policy, for one reason or another at some point you want to change that policy. When you change that policy, remember that BGP is incremental, which means it only advertises new changes. So the ones that you received last time, if you rejected them, are not in your routing table. Now if you want to add them, you cannot add them without bringing down the peer and re-establishing the peer; it's called a hard reset. That's not desirable; it will cause route churn, not just in that autonomous system but across the Internet.

So to counter that, some vendors came up with a soft reset. The soft reset is: when a router receives updates, it keeps the updates received even though they are dropped by policy; it keeps them in a table in memory, and whenever a policy change is applied it will reapply the policy change to those internally stored updates, so that it doesn't require resetting the peer or doing a hard reset. But that requires a lot of memory, because on each peer now you have to keep the routes received from that peer. If you have a thousand peers then you have to have a thousand times the number of routes you receive from each peer; that's a huge amount of memory and CPU. So instead of that, the preferred option is route refresh. Route refresh is: both routers agree that they support route refresh, so once you do that, whenever there's a policy change, the router that is changing the policy will send "please do a soft reset", and the other party will send the full update to this router, and this router will reapply the policy. So it doesn't need to keep the routes in memory; that's basically the main motivation for it.

Okay, scaling the iBGP mesh. Remember we said that within a single autonomous system all routers have to be fully meshed; that means each router has to peer with every other router. The reason for that rule, the reason the rule is important, is to avoid route looping. When you cross multiple ASes you use the AS number to detect loops, but within a single autonomous system the principle is: once you receive a route from eBGP, you advertise it to all your iBGP peers, but if you receive a route via iBGP you don't advertise it back to iBGP, you only advertise it to eBGP. That way you avoid loops, but to do that all BGP speakers within a single autonomous system have to be fully meshed, and that's a huge problem; that's the n times (n minus one) over two scaling problem, right? So if you have a hundred, if we have 1,000 BGP routers, then you will have half a million peerings to manage; that's a huge amount. So there are two ways to scale for this: one is route reflector, which is the most commonly used and probably the most efficient; the second one is confederations, and we'll discuss both of them.

With the route reflector, now the rule on the route reflector is relaxed: if a route reflector receives a route on iBGP from a client, from a route reflector client, then it can send it to any peer, both to another client, to a non-client, as well as to eBGP peers. If it receives a route through a non-client iBGP peer, it will advertise it on to a client iBGP peer, it can advertise it on to a client iBGP peer, and of course to eBGP peers. And then, if a router is not a reflector, the rule still remains the same: that means if it receives iBGP updates it will not send them back out as another iBGP update.

Okay, so basically what will happen is each router will peer with one reflector, or two reflectors for redundancy purposes, and then the route reflectors will have a full mesh between themselves, or you can even have a hierarchy. That way now the scale is reduced: you are subdividing the network. In this particular case you can see it is subdivided into three different clusters; in each cluster each router is connected to one route reflector, the clients, and then the clients are fully meshed, in the triangle in this case. So the topology is: you divide the backbone into multiple clusters, and then you will have one reflector in each cluster, and each client will connect to the route reflector. Usually a client will connect to two route reflectors, which means it belongs to two clusters. You still have one IGP, that doesn't change, so you will have huge scalability.

So now with the route reflector, how do I avoid looping? It uses originator ID and cluster list. Usually, when a route reflector reflects a route and sends an update to another peer, it will set its own cluster ID; it will append its own cluster ID and send it. So if that router receives the same cluster ID then it will drop it, so
it uses the cluster ID in the cluster list to detect loops redundancy is very important obviously so typically you'll have to in some cases three route reflectors for each clan so usually you'll have let's say suppose you have twenty clans and two relative flexors each of the twenty clans will appear whose post with both route reflectors and then you can have a hierarchy or you can have as other clusters and then the clusters will be will have a full mesh so redundancy is very important so here is an example of redundancy so here this example shows three pups each pup has two route reflectors which means two clusters per pod so even though it says here cluster one and two you actually have in effect you have six clusters in this case so two clusters per pub each client connects to two route of Lecter's in each of the two clusters so the benefit is it's always I finish it doesn't impact packet forwarding it has a little bit impact in that that altar collector makes a pass selection and sends the best path to the Klan's so it's not that the clients receive all the paths but still the forwarding the eventual forwarding doesn't get affected it's an easy migration to go from a full mesh to a router flector topology and you can have multiple apps table so proud reflectors so the migration is usually very simple you can start from a small cluster and expand throughout the network so this is showing an example of migration in this particular case it's it's just doing the route reflector within that pub so it creates a router Flixter deep cancel out reflector and everybody e removes all its peers and just piece with a reflector e same thing with F and G but B and C still remains in a finish and you can upgrade them later on to become part of the router flicker topology but the key is it is incremental configuration has the same effects but in a different way it used to deal with to deal with the full mesh problem in this case it is it creates multiple sub Confederations its 
sub configuration becomes its own autonomous system it usually use the private s for the sub Confederation it is still one out on a system but with sub autonomous systems it uses just a single ID PHP doesn't change the sub corporation is not visible to the outside world it's only for internal use within the service provider within within a single zone a system here is an example so here you have s 200 with three Confederations a 65536 5 5 3 1 in 6 5 5 3 2 usually the private case and number used for Confederation and you have a BGP between Confederations and I believe within the Confederation you can have a b2b page mesh within the Confederation or you can even mix the round reflector in the Confederation itself so here is a an example configuration for Confederation so in this case first you say I have to this Confederation which is 6 5 5 3 2 has two sub Confederation peers 3 5 6 5 5 3 0 & 3 1 and then for each one of them and you have the configuration ID the configuration identifier which is the ACE number for the entire autonomous system so the AC pins number this is very important to understand here so if you look at the route received from appear from outside peer from peer 200 s 201 a t-1000 16 when it is advertised to the next Confederation to Confederation 6 5 0 0 4 it has 200 and then 6500 2 which is the Confederation s number and then when it's advertised that to the next Confederation it will add additional Confederation ID but when it hit eventually advertise it to the outside world the Confederation ace number is replaced with actual s number which is 100 and sent so it's only used for internal purposes key for Confederation is so the external pieces still refer to this router as with its honk of the ace number but the internal peering is done with the configuration s number so Pearson a difference is preferred local preference made everything remains the same so external peers refer refers normal to external assets so that key differences between the 
two both of them can be used for Internet connectivity they both support multi level hierarchy they both support policy control the key difference is in terms of scalability router if later scales better arguably and also from a migration perspective route reflector has normai Gration overhead compared to compared Confederations but in some cases where you are absorbing one service problems another service provider Confederation may be a better choice so let me check what I was checking just a slide number okay so for update or ASN it is documented in 48 93 RFC 49th Street and those related RFC's that you see there and it reserves two three four five six in two opted a SN to present a for octet or SN in a two octave SN wallet so a topic SN refers to on to my SN or 16 bits SN refers to the range 0 to 65535 a four octave SN refers from 65,000 to four billion and a four octet is a saint poom refers to the entire range from zero to four billion the key terms you can get a 40 SN from registries so there has been changes but now there is no difference between how you get a four update and I talked to the SN same process so representation now it's very difficult to represent four billion number in a nice way so some people want to change that and use a dot notation so it splits the SN into two octaves to two octaves instead of once for octet number so as a result we have three different formats s plane which is the entire four octet represented as one number s dot which is the SNL present that other two octaves represented separated by a dot but it only represents a for octet SN and then s dot plus representing both a two octave and the four octave SN in a dot notation but when you create both a start and a start plus creates a problem for regular expressions filtering and so on that you have you have to rewrite all your regular expressions and filtering that you use for a s ends and this example shows you why that's the case so how do you go from a two octave to a for 
octet the key is there is no flag day so you can incrementally go from or totally to for updates first thing that you can do is just start upgrading your routers 200 rockets to a version that supports four of it or SN and most do and you will see that later on once you have that then you can start supporting the for update SN and it works fine if you have a totally sane you will continue your tour today SN but you will we still be able to accept and see a four octave SN paths okay so the key is when when you have a router that supports our talked it and another router that supports a for octet and the router that opposed the forked it has a four of it s in then when you configure the router that that doesn't support for of database in has to be configured to talk to s number two three four five six instead of the actual SN number because it doesn't understand for update or a SN that's the key from a configuration perspective but that's if you have a router that doesn't support for updates SN which is very rare nowadays okay so this is a compile compatibility mode so when you have that the takata SN always see stocked 8 SN paths and the four of the SN number E is replaced by two three four five six and this difference is that example and they say in this example you can see that s which one has received updates from s 80,000 but the 80,000 and $70,000 placed both of them are placed with two three four five six so you will see multiple of that in s path because each one it repellants just a random not a random a specific four of the SN so you may see in a sparse multiple two three four five six appearing in the spots doesn't indicate a look and it doesn't fail loop detection new protection is when you see your own SN in received paths so this is not a loop so what has changed so two attributes we used to have s pulse now a new attribute is for paths is introduced in addition s for aggregator is also introduced when you do proud aggregation and also a new s number is 
reserved eight two three four five six as as trance what do they look like so here is s-plane notation in a splint format so the top one is in s plain format and the s-plane format you will see the full ace is pass information in a stud format you will see 2.0 and 3.5 and instead of that long number so it makes the number of shorter so that the reason why some people wanted to use that notation because it simplifies the representation so how does that same path look like in a two octet world just replace those four octet SNS with two three four five six okay so what is the impact of not supporting a four Rockets ASN so one of the problems is you don't really know the exact paths taking because every product that is autonomous system is represented as 2 3 4 5 6 so that's the main problem and it's difficult to deal with and another one is incorrect NetFlow summary when if you use net flow based on a snubber so as you can see most vendors there's a complete list is shown in that link and you have most vendors have have been supporting it for quite some time as you can see from here ok so service providers use of communities how service providers to use communities to make life easier we have already seen that but some additional techniques so usually commas are used at the edge as well at the customer age or at the border age or Internet age so whenever you receive routes you classify the prefix order out into a class or into one or more communities and then you have you assign those communities to that route and then internally a policy is used bid on that community to either block that update to go out somewhere or increase a lot preference or or advertise it or block it into another peer and so on so let's see an example for customer age so in this particular case it tries to demonstrate how an ISP that has three different internet connections I expects be inter exchange connections private peeling with another ISP in the same region and transit provider to the 
entire internet now a customer may have option to buy connectivity to the entire internet or only to two inter exchange carriers within that same network or to some private peers so a customer may may purchase let's say customer has another connection to another peering and they may only prefer the private plane purchase instead of the whole internet so depending on that customers are classified into different classes so customers who buy the whole Internet are not assigned any committee cus customers who buy IXP connections are as and 120 100 community and the hassanis who by private is the privateering are assigned boss so the internet means everybody gets the internet and some some customers come gates in addition to that connection some may get the private connection as well so here when a customer out is received on an aggregation router it is tagged with appropriate community based on what the customer has purchased if the customer has purchased everything they will have all the communities the customer has purchased just the inter exchange then they will have the inter exchange community and so on then based on that when the routers will will be advertised it to the appropriate prefix or they will receive to the appropriate prefixes so it is used both for inbound and outbound traffic in this case this is for inbound traffic so for outbound traffic now you don't need to change as customers are added in this case you only have one policy on the board or router and you don't need to change that policy whenever you add a customer you just classify the customer into a specific community and you will not need to change the policy on the border router which minimizes errors change always as a risk of making an error it also could impact route updates and create charts as well okay so that's what stress here now in this particular case it is for internet age so that is you classify to a prefix received on the Internet age so that outgoing traffic is impacted in this 
case so ISP has four types of BGP peers can have a customer which BPA for some customers only for multihomed customers and we'll discuss about that later on and for inter exchange peer and then private peering so inter exchange and private peeling are similar except that the inter exchange is usually done in a multi-tenant scenario so the inter exchange carriers basically the transit provider that's where you get your full Internet connectivity and the prefix received from each one of this is classified in different communities so that they are advertise it to the customers accordingly based on what the customers has purchased so commute estimate assignments so customers who purchased so in this particular case actually customer prefix are assigned a specific community inter exchange prefix service and another comma state and private people fixed are assigned different communicate and paid on that you can assign different policies so again no need to change caste customized filter for each customer or for each peer you just classify them into classes so as PB GP communities one of the problem is there are no any recommended communities but some service providers document their community setting or what comments they expect from their customers or what community Commons they will advertise to their customers if you are peering with with that particular service provider so that's listed here is an example for a sprint I'll just discuss the one for Sprint and then you can go with the rest of you can look at the rest so in this case for example first one do not advertise so if you don't want sprint know to advertise your prefix you can just target with that particular community you can say string and that and then this is so how so this is for different regions Asia Europe and so on so it shows you the different s is the different advertisements going behind it s so here is another example for an entity and you can go through that and so and for Verizon and others so 
I'll just skip through that they are different it's there for your friends and you can actually go to that to the links the links are already shown there and look for yourself okay so any questions okay so our discuss about the lab and then we'll open up for questions so we have we have a lab and we'll distribute paper where you will have access how to get access and your pad number so the lab is set up in a virtualized environment and it uses IRS X our subscribers XR it has it has a six router topology for each part we have I think about 14 parts so you would have access to one of the paths you can have access to one of the parts you'll get part number and the lab that is also included in the in that documentation and you can go and the practice will open it up for one week and after that you may not be able to log into it but you can continue practicing for one week and the guide tells you how to save your configuration how to start the lab and how to load the page configuration there's already a base configuration where you have the IBPS already established the ebgp is established and the IDP protocol established in the IP address or gasps signed you can't change change those but it's a starting point for you and then you can apply policies as you want and there are suggested exercises there that you can you can do also routes are also injected from different routers you'll have you'll see also different types of routes with different s paths so you can use differential commands also that document includes the document linkage there and I put it in a drop box so that can access it includes information on how what type of exercises to execute and how to save your configurations as well questions it's a quiet crowd hi my name is Paris Robbie I'm a master student at Georgia Tech so I have a question about how BGP and IGP interact so if BP is used to announce prefixes she appears but let us say that I have not been anounced a prefix but I already know that prefixes 
within an autonomous system what prevents me from just sending out a network packet with that destination to that router and just expecting it to be transmitted to that s even without a route being announced to me is this taken care of at the IGP level you mean if you are a different s and you see you don't receive updates but you try to send traffic to that router so you already have a relationship with that autonomous system right normally so if let's say that's in that case it's either a private plane or a vinter exchange peering some of them will also implement a prefix filtering so they will only accept traffic destined for two specific destinations from specific destinations on that pier so they they do that as well so that will prevent it but some of them may not do but if you violate your pinning relationship also also you also have a paper agreement or email agreement if you violate and they found out they they will have tools like net flow and other tools to collect flow information and they can find out what you are sending and they can terminate your peering relationship and probably even seek damage for it right so even though some people from the audience may comment on that but it again against a cooperative scenario there are things that you can do to block it but some of them may not implement filtering because we're telling sometimes it's expensive allows filtering or no trust between traffic filtering sometimes is expensive and has performance here depending on the platform but if you have that support you can filter it's good to implement the filtering the traffic will carry an urgent route filtering which is the common practice may I ask a quick follow-up yeah so what happens if you do not have any kind of peering agreement and the other person does not have a filter set up and you just try to pump packets into the network then you are well I'm not sure what argument you will have so if you have if you have if you have a prenup made usually it 
is settlement fee which means you are sending traffic and they are sending traffic to you and there is a proportion of tract that you have to meet but if you don't have a peering agreements then probably are paying them for a bundles and they're probably measuring it or a receiving flat-rate so you really still have to pay for that thank you questions okay we are bitterly about eight minutes I thought I'll be uh I'll have shorter time but I think we skipped through quickly so the next one is it's at 4-4 right 4:30 okay so we'll meet 4:30 here and we'll continue with the deployment of deploying between IP networks and we'll discuss some of those questions as well okay thank you
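As an added illustration of the four-octet ASN material in the talk (not code from the talk or from the lab), this Python snippet converts between asplain, asdot and asdot+, shows the AS_TRANS (23456) substitution that a two-octet-only speaker sees in a received AS path, checks loop detection against one's own ASN rather than against repeated 23456 entries, and shows why an AS-path regex written for asplain can stop matching once the notation changes. The sample path and the regexes are constructed for the example.

```python
import re

AS_TRANS = 23456        # reserved two-octet placeholder for any four-octet ASN (RFC 4893)
TWO_OCTET_MAX = 65535   # largest ASN that fits in the old 16-bit field


def to_asdot(asn):
    """asplain -> asdot: only four-octet ASNs change form (131072 -> '2.0')."""
    if asn > TWO_OCTET_MAX:
        return f"{asn >> 16}.{asn & 0xFFFF}"
    return str(asn)


def to_asdotplus(asn):
    """asplain -> asdot+: every ASN is written high.low (65000 -> '0.65000')."""
    return f"{asn >> 16}.{asn & 0xFFFF}"


def from_dotted(text):
    """Parse asplain, asdot or asdot+ text back to an integer ASN."""
    if "." in text:
        high, low = text.split(".")
        return (int(high) << 16) | int(low)
    return int(text)


def as_path_for_old_speaker(path):
    """The compatibility-mode view: a speaker that does not understand four-octet
    ASNs sees every four-octet ASN in AS_PATH replaced by AS_TRANS; the real
    values travel in AS4_PATH, which it cannot read."""
    return [AS_TRANS if asn > TWO_OCTET_MAX else asn for asn in path]


def is_loop(path, my_asn):
    """BGP loop detection: only my own ASN in a received path means a loop.
    Several 23456 entries in one path are legitimate and are not a loop."""
    return my_asn in path


def path_regex_matches(pattern, path, fmt):
    """Apply an AS-path regex to the path rendered in a given notation."""
    render = {"asplain": str, "asdot": to_asdot, "asdot+": to_asdotplus}[fmt]
    return re.search(pattern, " ".join(render(a) for a in path)) is not None


# Constructed example: a path through two four-octet ASNs (80000, 70000) and
# two two-octet ASNs (65000, 200), as received by AS 1.
SAMPLE_PATH = [65000, 80000, 70000, 200]
MY_ASN = 1

if __name__ == "__main__":
    print("asplain :", " ".join(str(a) for a in SAMPLE_PATH))
    print("asdot   :", " ".join(to_asdot(a) for a in SAMPLE_PATH))
    print("asdot+  :", " ".join(to_asdotplus(a) for a in SAMPLE_PATH))
    old_view = as_path_for_old_speaker(SAMPLE_PATH)
    print("old speaker sees:", old_view, "loop?", is_loop(old_view, MY_ASN))
    # A filter that matches "path begins with 65000" works in asplain and asdot
    # but silently stops matching in asdot+, where 65000 is written 0.65000.
    for fmt in ("asplain", "asdot", "asdot+"):
        print(f"^65000 match in {fmt}:", path_regex_matches(r"^65000( |$)", SAMPLE_PATH, fmt))
```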
Info
Channel: NANOG
Views: 9,545
Rating: 4.647059 out of 5
Id: cOn0mF25uOU
Length: 83min 35sec (5015 seconds)
Published: Thu May 12 2016