nanog mailing list archives
Re: Redundant Routes, BGP with MPLS provider
From: Lee <ler762 () gmail com>
Date: Fri, 31 Aug 2012 18:29:26 -0400
On 8/31/12, Bill.Ingrum () t-systems com <Bill.Ingrum () t-systems com> wrote:
> I work for an MPLS provider, so I guess I tend to trust them ;)

For certain definitions of "trust" I would also.

But.. Monday? I was told that $AGENCY had just completed an audit of our network and we had to change the exec timeout from 15 to 10 minutes on all routers and switches. Apparently that extra 5 minutes is an unacceptable security risk.

But leaving the network wide-open to all sorts of routing hijinks via MPLS? (I don't have route filters & acls on all of the mpls interfaces yet) nada

We can't trust the people in our office area to not take advantage of an unattended terminal but we can trust our MPLS providers to not take advantage of their unrestricted access? Seems backwards to me.

Regards,
Lee

> Bill
>
> -----Original Message-----
> From: Lee [mailto:ler762 () gmail com]
> Sent: Friday, August 31, 2012 11:28 AM
> To: Ingrum, Bill
> Cc: WTribble () sterneagee com; nanog () nanog org
> Subject: Re: Redundant Routes, BGP with MPLS provider
>
> On 8/31/12, Bill.Ingrum () t-systems com <Bill.Ingrum () t-systems com> wrote:
>> I think having a GRE tunnel for the internal routing protocol is unnecessary.
>
> It might be, but we have a requirement for multicast over the wan so the GRE tunnels had to be there.
>
>> Can you explain the reasoning behind this? I understand the technical issue whereby GRE will allow multicast for EIGRP, OSPF, etc, but why not just redistribute into BGP?
>
> I see no reason to trust the provider that much.
>
>> I work on a lot of MPLS CE routers, and in general you can accomplish anything you need by redistributing your internal routing protocol into BGP, and adjusting LP, MED and AS Prepend as needed.
>
> Sure.. but how do you *know* you're not getting anything added/removed by the provider?
>
> Lee
>
>> Thanks,
>> Bill
>>
>> -----Original Message-----
>> From: Lee [mailto:ler762 () gmail com]
>> Sent: Friday, August 31, 2012 11:15 AM
>> To: Tribble, Wesley
>> Cc: nanog () nanog org
>> Subject: Re: Redundant Routes, BGP with MPLS provider
>>
>> On 8/30/12, Tribble, Wesley <WTribble () sterneagee com> wrote:
>>> Hello all,
>>>
>>> I am a Network Operator working in an Enterprise environment with offices all over the country (mostly connected via MPLS). We are currently working towards building a Disaster Recovery Site that will host some of our vendor routers and provide the capability to access these vendors from both our primary and backup data center locations. The routes (as advertised by the vendor's routers) will be the same at both locations. I would like to advertise the routes from multiple locations at the same time, rather than suppress the routes and advertise conditionally.
>>
>> At work, we have our internal routing protocol running on GRE over IPSec tunnels & keep the BGP sessions with the MPLS provider limited to just the MPLS network. And have an ACL on the MPLS network interface that allows only what's expected in... some providers are better than others at not having anything hit the 'deny any any log' line
>>
>> Regards,
>> Lee
>>
>>> What is the best method to Instruct the provider's network to prefer the Primary Data Center routes over the DR site? Keep in mind that I am only peering with the provider over BGP and I have no visibility to the underlying MPLS architecture or configuration. Although if you have specific questions about their architecture, I can work to get answers.
>>>
>>> Discussing in house, we have gone over a few different options:
>>>
>>> - Advertise specific routes from primary site and summary routes from the DR site. Most specific will always be chosen.
>>> - Prepend the routes from the DR site so that they will have a longer AS-path than the Primary location
>>> - Use Community Strings to influence local preference. (Still working to find out if Provider will pass our community strings)
>>>
>>> Just looking for some ideas and best practices. Any thoughts or insight would be much welcomed and appreciated. This is my first message on NANOG, so please be gentle. I apologize in advance if I have done something incorrectly.
>>>
>>> Wes
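
One way to approach the "how do you *know*" question raised in the thread, as an added example that is not part of the original messages: compare the prefixes learned over the provider BGP session with what the sites are expected to originate. All prefixes, AS numbers and names below are constructed for illustration, and the input format (prefix mapped to AS path) is an assumption rather than any router's output.

```python
import ipaddress

# Constructed sample data: what each site should originate (prefix -> origin ASN)
EXPECTED = {"10.10.0.0/16": 65010, "10.20.0.0/16": 65020, "10.30.0.0/24": 65030}
# Address space that only our own sites should ever announce
INTERNAL_SUPERNETS = ["10.0.0.0/8"]
# Constructed sample of routes learned from the provider (prefix -> AS path)
RECEIVED = {
    "10.10.0.0/16": [64999, 65010],   # as expected
    "10.20.0.0/16": [64999, 65099],   # right prefix, wrong origin AS
    "10.10.5.0/24": [64999, 65040],   # more-specific inside our space
    "0.0.0.0/0": [64999],             # route we never asked for
}

def audit_received_routes(received, expected, internal_supernets):
    """Return sorted (finding, prefix) tuples for added, altered or missing routes."""
    exp = {ipaddress.ip_network(p): asn for p, asn in expected.items()}
    supernets = [ipaddress.ip_network(s) for s in internal_supernets]
    findings, seen = [], set()
    for prefix, as_path in received.items():
        net = ipaddress.ip_network(prefix)
        if net in exp:
            seen.add(net)
            # The origin AS is the last hop in the path
            if not as_path or as_path[-1] != exp[net]:
                findings.append(("origin-mismatch", prefix))
        elif any(net.version == s.version and net.subnet_of(s) for s in supernets):
            # Longest-match wins, so an unexpected more-specific of our own
            # space pulls traffic away from the legitimate announcement
            findings.append(("unexpected-internal", prefix))
        else:
            findings.append(("unexpected-external", prefix))
    for net in exp:
        if net not in seen:
            findings.append(("missing", str(net)))
    return sorted(findings)

if __name__ == "__main__":
    for kind, prefix in audit_received_routes(RECEIVED, EXPECTED, INTERNAL_SUPERNETS):
        print(f"{kind:20} {prefix}")
```

The same expected-prefix list is what an inbound route filter on the provider-facing session would enforce; the audit shows what such a filter would have dropped or what is absent.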