Beruflich Dokumente
Kultur Dokumente
1300_05_2000_c2
ISP Essentials
Best Practice
Cisco IOS Techniques
to Scale the Internet
Session XXXX
Version 4
I3302
1300_05_2000_c2
General Features
ISP Security
Routing Configuration Guidelines and
Updates
Operations Essentials
3302
1300_05_2000_c2
I3302
1300_05_2000_c2
Agenda
3302
1300_05_2000_c2
I3302
ISP/IXP
Workshops
1300_05_2000_c2
1999,
2000, Cisco Systems, Inc.
www.cisco.com
What Is an IGP?
infrastructure construction
3 Limiting
scope of failure
3 Healing
3302
1300_05_2000_c2
What Is an EGP?
scope of failure
Policy
3 Control
3 Merge
reachability to prefixes
separate organizations
3 Connect
3302
1300_05_2000_c2
multiple IGPs
10
3
3302
1300_05_2000_c2
automatic
neighbour
discovery
generally trust
your IGP routers
prefixes go to all
IGP routers
binds routers in
one AS together
Exterior
3
specifically
configured peers
connecting with
outside networks
set administrative
boundaries
binds ASs
together
11
3302
1300_05_2000_c2
Carries ISP
infrastructure
addresses only
ISPs aim to keep
the IGP small for
efficiency and
scalability
Exterior
3
Carries customer
prefixes
Carries Internet
prefixes
EGPs are
independent of ISP
network topology
12
13
Definition of terms
Neighbours - ASs which directly exchange routing
information
Announce - send routing information to a
neighbour
Accept - receive and use routing information sent
by a neighbour
Originate - insert routing information into external
announcements (usually as a result of the IGP)
Peers - routers in neighbouring ASs or within one
AS which exchange routing and policy information
3302
1300_05_2000_c2
14
AS 1
accep
routing flow
t
announce
announce
accept
AS 2
packet flow
15
3 filtering
3302
1300_05_2000_c2
16
Forward Table
Static Routes
3302
1300_05_2000_c2
17
Default Administrative
Distances
Route Source
Default Distance
Connected Interface
Static Route
Enhanced IGRP Summary Route
External BGP
Internal Enhanced IGRP
IGRP
OSPF
IS-IS
RIP
EGP
External Enhanced IGRP
Internal BGP
Unknown
3302
1300_05_2000_c2
0
1
5
20
90
100
110
115
120
140
170
200
255
18
CIDR Features
The Internet is a classless world. All
routers connect to the Internet must be
CIDR compliant, else there will be
problems with the network connection to
the Internet.
All Cisco routers should have the
following commands configured for CIDR:
3
ip subnet-zero
ip classless
3302
1300_05_2000_c2
19
Introduction to
IGPs
OSPF and ISIS
I3302
1300_05_2000_c2
APRICOT 2001
2000,Cisco
Cisco Systems,
Systems, Inc.
2001,
Inc.
www.cisco.com
20
Route summarisation
3302
1300_05_2000_c2
21
22
Backbone
Area #0
Area #1
Area #2
Area #3
23
OSPF
3Implement
3Enforces
area hierarchy
24
I3302
1300_05_2000_c2
25
I3302
ISP/IXP
Workshops
1300_05_2000_c2
1999,
2000, Cisco Systems, Inc.
www.cisco.com
26
OSPF
Open Shortest
Path First
Link state or SPF
technology
Fast convergence
Variable-length
subnet masks
Discontiguous
subnets
Developed by OSPF
working group of IETF
environment
3302
1300_05_2000_c2
No periodic updates
Route authentication
Delivered two years
after IGRP
27
Area 2
Area 0
Area 4
Area 1
Do not partition
area (0)
Internet
Internal
Router
Backbone
Router
Backbone must
be contiguous
3302
1300_05_2000_c2
Area 3
Autonomous
System (AS)
Border Router
28
OSPF Hierarchy
External links
ASBR
Backbone
Area #0
1.A
1.B
1.C
1.D
3.A
3.B
3.C
3.D
2.A
2.B
2.C
1.B
3.B
1.A
POP
POP
POP
2.B
POP
1.C
3.A
POP
3.C
1.D
3.D
2.A
POP
2.C
3302
1300_05_2000_c2
29
OSPF Design
Attack addressing first - OSPF and
Addressing go together.
3 Objective
3 Create
3 Separate
3302
1300_05_2000_c2
30
OSPF Design
Examine physical topology
3 Is
it meshed or hub-and-spoke?
OSPF Design
One SPF per area, flooding done
per area
3Watch
areas
3Stub areas
3Totally stubby (stub no-summary)
3Not so stubby areas (NSSA)
3302
1300_05_2000_c2
32
OSPF Design
Redundancy
3 Dual
3 Too
much redundancy
33
3302
1300_05_2000_c2
3 OSPF
Router ID Command
3 OSPF
Process Clear/Restart
34
OSPF BCP
Adding Networks
I3302
ISP/IXP
Workshops
1300_05_2000_c2
1999,
2000, Cisco Systems, Inc.
www.cisco.com
35
3302
1300_05_2000_c2
ISP Backbone
OC12c
OC48
Use IP Unnumbered
Interfaces or BGP to carry
/30s to customers
OSPF should only carry
infrastructure routes in an
ISPs network.
2000, Cisco Systems, Inc.
OC12c
Customer Connections
36
Three Techniques
3 redistributed
connect subnets
3302
1300_05_2000_c2
37
statements - specific
38
39
Stability
3 Reduces
3 Speeds
3302
1300_05_2000_c2
Convergence Time
40
I3302
ISP/IXP
Workshops
1300_05_2000_c2
1999,
2000, Cisco Systems, Inc.
www.cisco.com
41
3302
1300_05_2000_c2
42
3302
1300_05_2000_c2
43
44
= 10^8/BW
Syntax:
3ospf
45
OSPF Router ID
If the loopback interface exists and has an
IP address, that is used as the router ID in
routing protocols - stability!
If the loopback interface does not exist, or
has no IP address, the router ID is the
highest IP address configured - danger!
New sub command to manually set the
OSPF Router ID:
router-id <ip address>
3302
1300_05_2000_c2
46
OSPF Clear/Restart
clear ip ospf [pid] redistribution
This command can now clear redistribution based on OSPF routing process
ID. If no pid is given, it assumes all OSPF processes.
47
I3302
ISP/IXP
Workshops
1300_05_2000_c2
1999,
2000, Cisco Systems, Inc.
www.cisco.com
48
BGP
RFC 1771
Border Gateway
Protocol
Classless Inter
Domain Routing
Version 4 is current
(CIDR)
Exterior routing
Widely used for
protocol (vs.
Internet backbone
interior)
Autonomous
Uses TCP for
systems
transport
3302
1300_05_2000_c2
49
BGP Basics
Peering
A
AS 100
AS 101
B
AS 102
Path vector
protocol
Incremental update
3302
1300_05_2000_c2
50
12.6.126.0/24 207.126.96.43
1021
3302
1300_05_2000_c2
51
AS11268
AS7018
AS500
AS6461
AS600
3302
1300_05_2000_c2
52
3302
1300_05_2000_c2
53
AS 100
AS 101
C
B
54
Policy Drives
BGP Requirements
Static
Route
AS 200
BGP
AS 100
BGP
AS 400
BGP
AS 300
55
3 used
3 NOT
3302
1300_05_2000_c2
56
customer prefixes
eBGP used to
3
3302
1300_05_2000_c2
57
DO NOT:
3 distribute
3 distribute
3 use
58
I3302
ISP/IXP
Workshops
1300_05_2000_c2
1999,
2000, Cisco Systems, Inc.
www.cisco.com
59
BGP
There are key BGP features that should be
configured by ISPs:
3302
1300_05_2000_c2
update-source loopback 0
ip bgp-community new-format
no synchronization
bgp dampening
no auto-summary
60
iBGP configuration
Use loopback interface
3
3302
1300_05_2000_c2
61
eg 13107210
eg 200:10
3302
1300_05_2000_c2
Format AS:xxxx
ip bgp-community new-format
62
BGP Synchronization
BGP does not advertise a route before all
routers in the AS have learned it via an
IGP
Disable synchronization if:
3302
1300_05_2000_c2
no synchronization
63
Configuration example:
3
64
BGP Dampening
Route flap dampening to minimise
instability in local network and Internet
4000
Suppress limit
3000
Penalty
2000
Reuse limit
1000
0
0 1 2 3 4 5 6 7 8 9 101112131415 161718 19202122232425
Time
Network
Announced
3302
1300_05_2000_c2
Network
Not Announced
Network
Re-announced
65
BGP Dampening
Recommended values and sample
configurations for ISPs at:
3 http://www.ripe.net/docs/ripe-210.html
Example techniques:
3 Internet
Halabi
3 bgp
3302
1300_05_2000_c2
dampening
66
auto-summary
67
BGP Neighbour
Authentication
MD5 authentication between two peers
3 password
3302
1300_05_2000_c2
68
message
3 Maximum:
3302
1300_05_2000_c2
69
70
Sample logs:
3
3302
1300_05_2000_c2
71
BGP log-neighbor-changes
Log neighbour up/down events, and the
reason for the last neighbour peering reset
In 11.1 CC and 12.0 releases
Syntax (router subcommand):
[no] log-neighbor-changes
3302
1300_05_2000_c2
72
BGP Peering
this
3302
1300_05_2000_c2
no bgp fast-external-fallover
73
configuration simplified
74
Prefix Lists
High performing access-list
Faster loading of large lists
Incremental configuration
3
no ip prefix-list sequence-number
ip prefix-list <list-name>
75
Prefix-list Command
[no] ip prefix-list <list-name> [seq <seq-value>] deny |
permit <network>/<len> [ge <ge-value>] [le <le-value>]
<network>/<len>: The prefix and its length
ge <ge-value>: "greater than or equal to"
le <le-value>: "less than or equal to"
Both "ge" and "le" are optional. Used to specify the range
of the prefix length to be matched for prefixes that are
more specific than <network>/<len>
3302
1300_05_2000_c2
76
Permit all
3
3302
1300_05_2000_c2
77
3302
1300_05_2000_c2
78
Prefix-list route-map
command
route-map <name> permit|deny <seq-num>
match ip address | prefix-list <name>
[<name> ...]
79
BGP BCPs
Generating an
Aggregate
I3302
ISP/IXP
Workshops
1300_05_2000_c2
1999,
2000, Cisco Systems, Inc.
www.cisco.com
80
Aggregation
ISPs receive address block from
Regional Registry or upstream
provider
Aggregation means announcing the
address block only, not subprefixes
Aggregate should be generated
internally
3302
1300_05_2000_c2
81
3302
1300_05_2000_c2
82
BGP BCPs
Announcing Aggregate
I3302
ISP/IXP
Workshops
1300_05_2000_c2
1999,
2000, Cisco Systems, Inc.
www.cisco.com
83
Aggregation
3302
1300_05_2000_c2
84
85
Announcing an Aggregate
ISPs who dont and wont aggregate
are held in poor regard by community
Registries minimum allocation sizes
are /19s or /20s now
3 no
3 BUT
3302
1300_05_2000_c2
BGP BCPs
Receiving Prefixes
I3302
ISP/IXP
Workshops
1300_05_2000_c2
1999,
2000, Cisco Systems, Inc.
www.cisco.com
87
3302
1300_05_2000_c2
89
circumstances
a default-route
3 announce
default
3302
1300_05_2000_c2
90
91
92
3302
1300_05_2000_c2
93
! Block default
3302
1300_05_2000_c2
94
http://www.ietf.org/internet-drafts/draft-manning-dsua-01.txt
3302
1300_05_2000_c2
95
BGP BCPs
Prefixes into BGP
I3302
ISP/IXP
Workshops
1300_05_2000_c2
1999,
2000, Cisco Systems, Inc.
www.cisco.com
96
use IGP
97
Router Configuration
Example:
interface loopback 0
ip address 215.17.3.1 255.255.255.255
!
interface Serial 5/0
ip unnumbered loopback 0
ip verify unicast reverse-path
!
ip route 215.34.10.0 255.255.252.0 Serial 5/0
!
router bgp 100
network 215.34.10.0 mask 255.255.252.0
3302
1300_05_2000_c2
98
ip routepermanent
Router Configuration
Example:
ip route 215.34.10.0 255.255.252.0 Serial 5/0
!
router bgp 100
redistribute static route-map static-to-bgp
<snip>
!
route-map static-to-bgp permit 10
match ip address prefix-list ISP-block
set origin igp
<snip>
!
ip prefix-list ISP-block permit 215.34.10.0/22 le 30
!
3302
1300_05_2000_c2
100
3 setting
3302
1300_05_2000_c2
101
Dynamic
Reconfiguration
Soft Reconfiguration and Route
Refresh
I3302
Presentation_ID
1300_05_2000_c2
2000,
1999, Cisco Systems, Inc.
www.cisco.com
102
Dynamic Reconfiguration
packet flow
accept
AS 1 announce
routing flow
announce
accept
AS 2
packet flow
103
Soft Reconfiguration
Problem:
Hard BGP peer clear required after every
policy change because the router does
not store prefixes that are denied by a
filter
Hard BGP peer clearing consumes CPU
and affects connectivity for all networks
Solution:
Soft-reconfiguration
3302
1300_05_2000_c2
104
Soft Reconfiguration
discarded
peer
normal
soft
3302
1300_05_2000_c2
accepted
BGP in
table
received
peer
BGP in
process
received
and used
BGP
table
BGP out
process
105
Soft Reconfiguration
106
107
3x.x.x.x
IP address of a peer
3*
all peers
3ASN
all peers in an AS
3external
3peer-group
3302
1300_05_2000_c2
<name>
109
3302
1300_05_2000_c2
110
AS 321
192.168.100.0/24
BGP:
BGP: 192.168.100.2
192.168.100.2 open
open active,
active, local
local address
address 192.168.100.1
192.168.100.1
BGP:
BGP: 192.168.100.2
192.168.100.2 went
went from
from Active
Active to
to OpenSent
OpenSent
BGP:
BGP: 192.168.100.2
192.168.100.2 sending
sending OPEN,
OPEN, version
version 44
BGP:
BGP: 192.168.100.2
192.168.100.2 OPEN
OPEN rcvd,
rcvd, version
version 44
BGP:
BGP: 192.168.100.2
192.168.100.2 rcv
rcv OPEN
OPEN w/
w/ option
option parameter
parameter type:
type: 2,
2, len:
len:
66
BGP:
BGP: 192.168.100.2
192.168.100.2 OPEN
OPEN has
has CAPABILITY
CAPABILITY code:
code: 1,
1, length
length 44
BGP:
BGP: 192.168.100.2
192.168.100.2 OPEN
OPEN has
has MP_EXT
MP_EXT CAP
CAP for
for afi/safi:
afi/safi: 1/1
1/1
BGP:
BGP: 192.168.100.2
192.168.100.2 rcv
rcv OPEN
OPEN w/
w/ option
option parameter
parameter type:
type: 2,
2, len:
len:
66
BGP:
BGP: 192.168.100.2
192.168.100.2 OPEN
OPEN has
has CAPABILITY
CAPABILITY code:
code: 1,
1, length
length 44
BGP:
BGP: 192.168.100.2
192.168.100.2 OPEN
OPEN has
has MP_EXT
MP_EXT CAP
CAP for
for afi/safi:
afi/safi: 1/2
1/2
BGP:
BGP: 192.168.100.2
192.168.100.2 went
went from
from OpenSent
OpenSent to
to OpenConfirm
OpenConfirm
BGP:
BGP: 192.168.100.2
192.168.100.2 went
went from
from OpenConfirm
OpenConfirmto
to Established
Established
3302
1300_05_2000_c2
111
112
3302
1300_05_2000_c2
113
Dynamic Reconfiguration
packet flow
accept
AS 1 announce
routing flow
announce
accept
AS 2
packet flow
clear ip bgp <addr> - Hard reset of the peer. Clears tables on both
sides - traffic flow stops.
clear ip bgp <addr> [soft] out - Resents the outbound advertisements.
Traffic flow does not stop.
clear ip bgp <addr> [soft] in - The soft-reconfiguration is required keeps a copy of all inbound advertisements - takes up more memory.
Traffic flow does not stop.
clear ip bgp <addr> soft - Tells peer to resend data - both peers
resend. Traffic flow does not stop. If capability not negotiated, then it is
ignored.
3302
1300_05_2000_c2
114
http://www.cisco.com/public/cons/isp/documents/IO
SEssentialsPDF.zip
http://www.cisco.com/public/cons/isp/
3302
1300_05_2000_c2
115
116
3302
1300_05_2000_c2
117
118