nanog mailing list archives

Re: Route Management Best Practices


From: Joe Marr <jimmy.changa007 () gmail com>
Date: Tue, 31 Jan 2012 16:02:11 -0500

Thanks for the advice. Filtering and route manipulation hasn’t been a
problem for me. I’m very careful to prevent leakage, etc. My current issue
is scaling my management of our prefix announcements. Every time I add a
new block, I need to modify all of my edge routers etc. I understand I can
use IRR etc. to automate prefix-list deployments, but the blocks need to
still be injected into the network? So my thought was to use a routeserver
(quagga or a 7200) to do this.

I'm looking to understand how others handle this.


On Tue, Jan 31, 2012 at 2:59 PM, Tony Tauber <ttauber () 1-4-5 net> wrote:

To elaborate slightly on what others have said in terms of protecting against leaks: it's a good idea to filter outbound in a conservative way such that you only send what you "expect" in terms of community values and/or prefixes and/or AS-paths.

For instance, if something gets into your BGP that isn't tagged with one of your expected communities (e.g. applied where you inject your aggs), don't re-advertise it. If something has the right community, but not an expected AS-path (e.g. contains the AS of one of your transit providers), don't re-advertise. Implicitly deny all unexpected cases.

Building that kind of restrictive logic will make it less likely that you become a path for traffic you didn't expect (and might swamp you), and you'll also be a better citizen in general.

Cheers,
Tony


On Tue, Jan 31, 2012 at 1:52 PM, Joe Marr <jimmy.changa007 () gmail com> wrote:

Thanks Mark,

This helps and definitely shows I'm heading in the right direction.

Thanks,


On Tue, Jan 31, 2012 at 2:17 AM, Mark Tinka <mtinka () globaltransit net> wrote:

On Tuesday, January 31, 2012 03:04:15 PM Joe Marr wrote:

What do you use for reflectors, hardware(Cisco/Juniper)
or software daemons(Quagga)?

We operate 2x networks.

One of them runs Cisco 7201 routers as route reflectors,
while the other runs Juniper M120 routers.

The large Juniper routers were due to particular BGP AFI's
that Cisco IOS does not support (yet).

I've been toying with the idea of using Quagga route
servers to announce our prefixes to our edge routers and
redistribute BGP announcements learned from downstream
customers.

You can certainly use any device in your network to
originate your allocations. We just use the route reflectors
because it is a natural fit, but you can use any device
provided it would be as stable and independent as a route
reflector.

The last thing you want is a blackhole or a route going away
because your backhaul failed or your customer DoS'ed your
edge router :-).

Only drawback is the lack of support for
tagged static routes, so it looks like I'm going to have
to use a network statement w/ route-map to set the
attributes.

There was a time when networks were run without prefix
lists, BGP communities or even route maps. I'm too young to
have ever experienced those times, but I always joke with a
friend (from those times) about how good we have it today,
and how hard life must have been for Internet engineers of
old :-).

If you have the opportunity, I'd advise against operating
without these very useful tools.

Has anyone tried this, or is it suicide?

I'm sure there are several networks out there that are
intimidated by additional BGP features such as communities,
advanced routing policy, etc. They do survive without
having to deal with this, probably because their networks
are small and the pain is better than trying something new.
But I certainly wouldn't recommend it to anyone (except, as
Randy would say, my competitors).

Mark.
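The two halves of what the thread describes, written out as an added example (not configuration from any of the posters): a route server originating a tagged aggregate via a network statement plus route-map (since tagged statics are not available), and an edge router whose outbound policy toward transit only passes routes carrying that community with a clean AS-path, denying everything else implicitly. Cisco IOS syntax is used (Quagga bgpd is close, but takes `network 198.51.100.0/24 route-map ...` and puts the static in zebra); AS 64500 as the local AS, AS 64496/64497 as transit providers, 198.51.100.0/24 as the aggregate, community 64500:100 as the "our aggregate" tag, and all addresses are assumed values from documentation ranges.

```ios
! ===== Route server (assumed values: AS 64500, aggregate 198.51.100.0/24) =====
! Pull-up route to Null0 so the network statement has something to originate;
! it stays up regardless of backhaul or edge-router state.
ip route 198.51.100.0 255.255.255.0 Null0
!
! Tag the aggregate where it is injected (the community Tony refers to).
route-map ORIGINATE-AGG permit 10
 set community 64500:100
!
router bgp 64500
 network 198.51.100.0 mask 255.255.255.0 route-map ORIGINATE-AGG
 ! Edge router as an iBGP client; send-community so the tag survives the hop.
 neighbor 10.0.0.2 remote-as 64500
 neighbor 10.0.0.2 route-reflector-client
 neighbor 10.0.0.2 send-community
!
! ===== Edge router: conservative outbound policy toward transit AS 64496 =====
! Only routes carrying our injection tag are candidates for re-advertisement.
ip community-list standard OUR-AGGS permit 64500:100
!
! Reject any AS-path that already contains a transit provider's ASN;
! the empty iBGP path of our own aggregate matches the final permit.
ip as-path access-list 10 deny _64496_
ip as-path access-list 10 deny _64497_
ip as-path access-list 10 permit .*
!
! Both match statements in one clause are ANDed: right community AND clean path.
! There is deliberately no "permit" catch-all clause, so anything that does not
! match clause 10 is implicitly denied (the default for a route-map).
route-map TRANSIT-OUT permit 10
 match community OUR-AGGS
 match as-path 10
!
router bgp 64500
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 route-map TRANSIT-OUT out
 neighbor 192.0.2.1 send-community
```

Adding a new block then means one static route and one network statement on the route server; the edge routers' outbound policy needs no change because it matches on the community, not on a per-prefix list.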