Protecting your peering edge.
Graham Beneke AfPIF 2015
#include std-disclaimer
[Diagram: IXP, Peer 1, Peer 2, Peer 3, ISP]
Expect to receive traffic not destined to your network.
You will need to protect your network!
[Diagram: IX. FIB: NET_GREEN, NET_BLUE, NET_RED. FIB: NET_GREEN, NET_RED.]
[Diagram: Route Reflector Client, Route Reflector, Peering Router, IXP]
route-map filter-to-my-peering-router
 match criteria only_my_customers
 permit only_my_customers
Whom are you protecting against?
[Diagram: IX. FIB: NET_GREEN, NET_BLUE, NET_RED. FIB: NET_GREEN, NET_RED.]
• No valid 0/0
• Partial Routes
• iACLs
• BGP advertisement classification
• QoS Policy Propagation via BGP (QPPB).
Step 1: Tag peer prefixes uniquely within BGP and FIB tables
- peer prefixes are set with community attribute (P) and tag (P)
- customer prefixes are set with community attribute (C) and tag (C)

route-policy qosgroup_map
  if community matches-any (C1) then
    set qos-group 7
  elseif community matches-any (C2) then
    set qos-group 2
  else
    set qos-group 1
  endif
end-policy
router bgp <your ASN>
 address-family ipv4 unicast
  table-policy qosgroup_map
Step 2: Tag external packets at peering locations based upon longest prefix match within FIB:
- tag (P) for packets received from peer and destined to a prefix in the FIB with tag (P),
- tag (C) for packets received from peer and destined to a prefix in the FIB with tag (C).

int Gig 0/0
 ipv4 bgp policy propagation input qos-group destination
ISP forwards or discards packets that ingress peering interconnects based upon associated packet tag value:
- Packets with tag (P) are discarded
- Packets with tag (C) are forwarded

Step 3 (Packet classification via MQC):

 match qos-group 2
end-class-map
!
class-map match-any EXT
 match qos-group 7
end-class-map
!
policy-map qppb_set_dscp
 class TWO
  set dscp af21
 !
 class EXT
  police rate 1000000 bps burst 31250 bytes peak-burst 31250 bytes
   conform-action drop

int Gig 0/0
 ipv4 bgp policy propagation input qos-group destination
 service-policy input qppb_set_dscp
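
The three steps above, modelled in Python to show how a destination lookup turns into a forward or drop decision at the peering interface. This is an added example, not part of the original slides; the community values and prefixes are constructed, with 64500:100 assumed to play the role of (C1) on peer prefixes and 64500:200 the role of (C2) on customer prefixes.

```python
import ipaddress

# Constructed values: 64500:100 is assumed to play the role of (C1) on peer
# prefixes, 64500:200 the role of (C2) on customer prefixes.
PEER, CUSTOMER = "64500:100", "64500:200"

def qosgroup_map(communities):
    """Step 1: same branches as route-policy qosgroup_map."""
    if PEER in communities:
        return 7
    if CUSTOMER in communities:
        return 2
    return 1

def build_fib(bgp_routes):
    """table-policy: install every prefix together with its qos-group."""
    return [(ipaddress.ip_network(p), qosgroup_map(c)) for p, c in bgp_routes]

def lookup_qos_group(fib, dst):
    """Step 2: longest prefix match on the packet's destination address."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, group) for net, group in fib if addr in net]
    return max(hits)[1] if hits else None

def ingress_action(fib, dst):
    """Step 3: what the input service-policy does on the peering interface."""
    group = lookup_qos_group(fib, dst)
    if group is None:
        return "no-route"        # no FIB entry for this destination
    if group == 7:
        return "drop"            # class EXT: police ... conform-action drop
    if group == 2:
        return "forward-af21"    # class TWO: set dscp af21
    return "forward"             # matched by neither class, left unchanged

# Constructed BGP table (documentation prefixes).
FIB = build_fib([
    ("198.51.100.0/24", {PEER}),        # learned from a peer
    ("198.51.100.128/25", {CUSTOMER}),  # customer more-specific
    ("192.0.2.0/24", {CUSTOMER}),
    ("203.0.113.0/24", set()),          # no matching community
])

if __name__ == "__main__":
    for dst in ("198.51.100.10", "198.51.100.200", "192.0.2.5", "203.0.113.9"):
        print(dst, ingress_action(FIB, dst))
```

The 198.51.100.128/25 entry shows why the classification follows the longest match: a customer more-specific inside a peer-tagged aggregate is still forwarded.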
Handouts available for IOS, IOS-XR and JunOS
• Hardware forwarding platform.
• Classification is a key requirement.