Protecting your Peering Edge
0 likes869 views
This document provides a 3-step process for protecting a network peering edge: 1. Tag prefixes received from peers and customers uniquely in BGP and FIB tables. 2. Tag external packets at peering locations based on the longest prefix match to identify packets from peers and customers. 3. Classify packets via MQC based on the tags and apply policies such as dropping packets tagged as coming from peers to protect the network. Hardware support is needed for classification.
Protecting your Peering Edge
- 1. Protecting your peering edge. Graham Beneke AfPIF 2015
- 3. IXP Peer 3 Peer 1 Peer 2ISP
- 4. Expect to receive traffic not destined to your network. You will need to protect your network!
- 6. Route Reflector Client Route Reflector Peering Router IXP
- 7. route-map filter-to-my-peering-router match criteria only_my_customers permit only_my_customers
- 8. Whom are you protecting against?
- 11. • BGP advertisement classification • QoS Policy Propagation via BGP (QPPB).
- 12. Step 1: Tag peer prefixes uniquely within BGP and FIB tables - peer prefixes set with community attribute (P) and tag (P) - customer prefixes are set with community attribute (C) and tag (C) route-policy qosgroup_map if community matches-any set qos-group 7 elseif community matches-a then set qos-group 2 else set qos-group 1 endifend-policy router bgp <your ASN> address-family ipv4 unicast table-policy qosgroup_map
- 13. Step 2: Tag external packets at peering locations based upon longest prefix match within FIB: - tag (P) for packets received from peer and destined to a prefix in the FIB with tag (P), - tag (C) for packets received from peer and destined to a prefix in the FIB with tag (C). int Gig 0/0 ipv4 bgp policy propagation input qos-group destination
- 14. ISP forwards or discards packets that ingress peering interconnects based upon associated packet tag value: - Packets with tag (P) are discarded - Packets with tag (C) are forwarded a end-cla ! class-map match-any match qos-group 7 end-class-map ! policy-map qppb_set_dscp class TWO set dscp af21 ! class EXT police rate 1000000 bps burst 31250 bytes peak-burst 31250 bytes conform-action drop Step 3 (Packet classification via MQC): int Gig 0/0 ipv4 bgp policy propagation input qos-group destination service-policy input qppb_set_dscp
- 15. handouts available for IOS, IOS-XR and JunOS
- 16. • Hardware forwarding platform. • Classification is a key requirement.