Protect your peering edge - review - AfPIF
Internet Solutions is a division of Dimension Data
TABLE OF CONTENTS
SECTION 1: Review of why to protect the peering edge.
SECTION 2: Options to protect the peering edge.
SECTION 3: Summary.
Why?
• To limit the risk of becoming an unintended transit provider.
• You will receive traffic not destined for you or your clients.
Option 1: “First steps”
• No valid 0/0.
• Partial advertisements from RRs.
• iACLs.
• Split transit and peering layers.
Advantages of this approach?
✓ Easy to implement.
✓ Covering the majority of cases.
Disadvantages of this approach?
• Manual approach.
• Error prone.
• No multiservice edge approach.
• “Trickier” relationships.
Option 2: QPPB (QoS Policy Propagation via BGP)
• Cisco, Huawei: QPPB.
• Juniper: SCU/DCU.
• Alcatel, Nokia: QPPB.
What is QPPB?
• QPPB: QoS Policy Propagation via BGP.
• BGP advertisement classification.
• The BGP advertisement inherits the classification of the associated BGP session.
• Any ingress packet will get the same classification as the destination.
What is QPPB? (2)
How does QPPB work?
Step 1: Tag peer prefixes uniquely within BGP and FIB tables.
• Mark peer prefixes with community attribute (P) and tag (P).
• Mark transit prefixes with community attribute (P) and tag (P).
• Mark client prefixes with community attribute (C) and tag (C).

    route-policy qosgroup_map
      if community matches-any P-comm then
        set qos-group 7
      else
        set qos-group 1
      endif
    end-policy
    !
    router bgp <your ASN>
     address-family ipv4 unicast
      table-policy qosgroup_map
How does QPPB work? (2)
Step 2: Tag external packets at peering locations based upon longest prefix matching within FIB.
• Received from peer/transit and destined to peer/transit: tag as (P).
• Received from peer/transit and destined to client: tag as (C).

    int gi0/0/0
     ipv4 bgp policy propagation input qos-group destination
How does QPPB work? (3)
Step 3: Packet classification via MQC.

    class-map match-any EXT
     match qos-group 7
     end-class-map
    !
    policy-map qppb_set_dscp
     class EXT
      police rate percent 1
       conform-action drop
     !
     class class-default
      set dscp af11
     end-policy-map
    !
    int gi0/0/0
     service-policy input qppb_set_dscp
Advantages of QPPB?
✓ Sustainable option.
✓ Multiservice functionality can be done.
✓ No need to do filtering on RRs.
Disadvantages of QPPB?
• Difficult to understand.
• Still prone to configuration errors (“human factor”):
  • Blackholing.
  • Missing enforcement.
• Only granular to a BGP level.
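
QPPB steps 1 to 3 and the two configuration errors listed above (blackholing, missing enforcement), modelled as an added Python example that is not part of the original slides. The community value, prefixes and neighbor roles are constructed, and class EXT is treated as a plain drop.

```python
import ipaddress

P_COMM = "65000:100"  # constructed value standing in for P-comm

# Constructed RIB: (prefix, role of the BGP session it came from, communities)
RIB = [
    ("198.51.100.0/24",   "client",  set()),      # client route, tag (C)
    ("203.0.113.0/24",    "peer",    {P_COMM}),   # peer route, tag (P)
    ("192.0.2.0/24",      "transit", {P_COMM}),   # transit route, tag (P)
    ("192.0.2.128/25",    "peer",    set()),      # error: peer route without P-comm
    ("198.51.100.64/26",  "client",  {P_COMM}),   # error: client route marked P
]

def build_fib(rib):
    """Step 1: like the table-policy, qos-group 7 if P-comm is set, else 1."""
    return [(ipaddress.ip_network(p), 7 if P_COMM in comms else 1)
            for p, _role, comms in rib]

def classify(fib, dst):
    """Step 2: longest-prefix match on the destination gives the qos-group."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, grp) for net, grp in fib if addr in net]
    return max(matches)[1] if matches else None  # None: no route, no 0/0

def forward_from_peering_port(fib, dst):
    """Step 3: packets in class EXT (qos-group 7) are dropped on ingress."""
    grp = classify(fib, dst)
    if grp is None:
        return "drop-no-route"
    return "drop-ext" if grp == 7 else "forward"

def audit(rib):
    """Compare each route's marking with the role of its BGP session."""
    findings = []
    for prefix, role, comms in rib:
        if role in ("peer", "transit") and P_COMM not in comms:
            findings.append((prefix, "missing-enforcement"))
        if role == "client" and P_COMM in comms:
            findings.append((prefix, "blackholing"))
    return findings

if __name__ == "__main__":
    fib = build_fib(RIB)
    for dst in ("198.51.100.10", "203.0.113.5", "192.0.2.200", "198.51.100.70"):
        print(dst, forward_from_peering_port(fib, dst))
    print(audit(RIB))
```

The last two destinations show why the audit matters: the unmarked peer /25 is forwarded as if it were a client, and the wrongly marked client /26 is dropped.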
Option 3: BGP EPE
• Based on a Segment Routing (SR) implementation.
• SR will bring you benefits such as the following:
  • Fewer protocols.
  • Programmability.
  • Scaling.
  • Better granular control.
• Tutorials on SR: http://www.segment-routing.net/tutorials/
BGP EPE (Egress Peer Engineering)
• Problem statement (RFC7855): “A centralized controller should instruct ingress PE to use a specific egress PE.”
• “How To”: draft-ietf-spring-segment-routing-central-epe.
BGP EPE (2)
• BGP Peering SIDs.
• Locally assigned labels to identify eBGP peers.
BGP EPE (3)
• BGP EPE enabled border routers.
• Border device compiling the BGP Peering SIDs.
BGP EPE (4)
• BGP EPE ingress policy.
• Program path to BGP EPE edge router.
BGP EPE (5)
• BGP EPE Controller.
• PCE based.
BGP EPE (6)
• Example 1: Traffic from A to D.
BGP EPE (7)
• Example 2: Traffic from D to F.
Advantages of BGP EPE
✓ No longer solely dependent on the classification of BGP.
✓ Controller is responsible for classification.
✓ Flexibility to override general rules.
Disadvantages of BGP EPE
• Does need a controller.
• Complexity is moved from network to a controller.
• SR needs to be in use by operator.
• Only limited efficiency (i.e. when labels can be imposed).
Summary
• BGP EPE:
  • More suitable for typical traffic steering implementation.
• QPPB:
  • Currently the best option for protecting your peering edge.
Contact Us
We want to hear from you. Get in touch with us: www.is.co.za/contact-us/
Phone: +27 11 575 1000
Email: riaan.vos@is.co.za
Website: www.is.co.za