Protecting your Peering Edge
Protecting your peering edge.
Graham Beneke AfPIF 2015
#include std-disclaimer
[Diagram: IXP fabric connecting Peer 1, Peer 2, Peer 3 and the ISP]
Expect to receive traffic not destined to your network. You will need to protect your network!
[Diagram: two FIBs across the IX, one holding NET_GREEN, NET_BLUE and NET_RED, the other holding only NET_GREEN and NET_RED]
[Diagram: Route Reflector Client, Route Reflector, Peering Router, IXP]

Pseudo-configuration applied on the route reflector towards the peering router, so that only customer prefixes reach it:

route-map filter-to-my-peering-router
 match criteria only_my_customers
 permit only_my_customers
Whom are you protecting against?
[Diagram: two FIBs across the IX, one holding NET_GREEN, NET_BLUE and NET_RED, the other holding only NET_GREEN and NET_RED]
• No valid 0/0
• Partial routes
• iACLs
• BGP advertisement classification
• QoS Policy Propagation via BGP (QPPB).
Step 1: Tag peer prefixes uniquely within BGP and FIB tables
- peer prefixes are set with community attribute (P) and tag (P)
- customer prefixes are set with community attribute (C) and tag (C)

route-policy qosgroup_map
  if community matches-any (C1) then
    set qos-group 7
  elseif community matches-any (C2) then
    set qos-group 2
  else
    set qos-group 1
  endif
end-policy

router bgp <your ASN>
  address-family ipv4 unicast
    table-policy qosgroup_map
Step 2: Tag external packets at peering locations based upon longest prefix match within the FIB:
- tag (P) for packets received from a peer and destined to a prefix in the FIB with tag (P)
- tag (C) for packets received from a peer and destined to a prefix in the FIB with tag (C)

interface Gig 0/0
  ipv4 bgp policy propagation input qos-group destination
Step 3 (Packet classification via MQC):
The ISP forwards or discards packets that ingress peering interconnects based upon the associated packet tag value:
- packets with tag (P) are discarded
- packets with tag (C) are forwarded

class-map match-any TWO
  match qos-group 2
end-class-map
!
class-map match-any EXT
  match qos-group 7
end-class-map
!
policy-map qppb_set_dscp
  class TWO
    set dscp af21
  !
  class EXT
    police rate 1000000 bps burst 31250 bytes peak-burst 31250 bytes
      conform-action drop
end-policy-map

interface Gig 0/0
  ipv4 bgp policy propagation input qos-group destination
  service-policy input qppb_set_dscp
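To make the three QPPB steps concrete, here is an added Python model of the mechanism, written for this transcript; it is not part of the presentation and not any vendor's code. It assumes constructed community values (64500:100 standing in for (C), 64500:200 for (P)), mirrors the route-policy's qos-group assignments (7 for the peer class, 2 for customers, 1 otherwise), performs the FIB longest-prefix match on the destination that the bgp policy propagation command relies on, and applies the policy-map's actions (class EXT dropped, class TWO forwarded with af21). It goes one step beyond the slides by also showing the effect of an installed default route, which is how I read the "No valid 0/0" item: with 0/0 in the FIB, a packet for a destination you have no specific route for still matches, is tagged with the default qos-group and is forwarded.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed community values standing in for the slides' (C) and (P).
COMMUNITY_CUSTOMER = "64500:100"   # (C): prefixes originated by our customers
COMMUNITY_PEER = "64500:200"       # (P): prefixes learned from peers

# qos-group values from the slides' route-policy qosgroup_map.
QOS_PEER = 7       # class EXT     -> policed, conform-action drop
QOS_CUSTOMER = 2   # class TWO     -> set dscp af21, forwarded
QOS_OTHER = 1      # class-default -> forwarded unchanged


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    communities: Tuple[str, ...]


def qosgroup_map(route: BgpRoute) -> int:
    """Step 1: the table-policy maps communities to a qos-group on every BGP route."""
    if COMMUNITY_PEER in route.communities:
        return QOS_PEER
    if COMMUNITY_CUSTOMER in route.communities:
        return QOS_CUSTOMER
    return QOS_OTHER


def build_fib(routes) -> Dict[ipaddress.IPv4Network, int]:
    """Install each route in a FIB keyed by prefix, carrying its qos-group tag."""
    return {ipaddress.ip_network(r.prefix): qosgroup_map(r) for r in routes}


def longest_match(fib, dst: str) -> Optional[Tuple[ipaddress.IPv4Network, int]]:
    """Longest-prefix match on the destination address, as the forwarding lookup does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, tag in fib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, tag)
    return best


def ingress_decision(fib, dst: str) -> str:
    """Steps 2 and 3: tag the packet from the matched route, then apply policy-map qppb_set_dscp."""
    match = longest_match(fib, dst)
    if match is None:
        return "drop (no route)"           # nothing in the FIB covers this destination
    tag = match[1]
    if tag == QOS_PEER:
        return "drop"                      # class EXT: transit towards another peer, discarded
    if tag == QOS_CUSTOMER:
        return "forward dscp af21"         # class TWO: legitimate traffic to our customer
    return "forward"                       # class-default, e.g. a default route


def sample_tables():
    """Constructed BGP table: one customer prefix, one peer prefix, and the same with 0/0 added."""
    customer = BgpRoute("198.51.100.0/24", (COMMUNITY_CUSTOMER,))
    peer = BgpRoute("203.0.113.0/24", (COMMUNITY_PEER,))
    default = BgpRoute("0.0.0.0/0", ())     # a default route carrying no community
    return build_fib([customer, peer]), build_fib([customer, peer, default])


if __name__ == "__main__":
    fib_no_default, fib_with_default = sample_tables()
    for dst in ("198.51.100.7", "203.0.113.9", "192.0.2.5"):
        print(dst, "| no 0/0:", ingress_decision(fib_no_default, dst),
              "| with 0/0:", ingress_decision(fib_with_default, dst))
```

Running it shows the customer destination forwarded with af21 and the peer-learned destination dropped in both tables, while the destination covered by no specific route is dropped only in the table without 0/0; with a default route installed it is tagged qos-group 1 and forwarded, which is the leak the "No valid 0/0" protection closes.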
Handouts available for IOS, IOS-XR and JunOS.
• Hardware forwarding platform.
• Classification is a key requirement.