Advanced BGP network design for stability and security
Anyone who knows Border Gateway Protocol (BGP) already knows it's hard, but the secure and stable IP network results make it worth it. You may have worked your way from simple through advanced troubleshooting, but there's more. This essential BGP guide dives deep into BGP IP network design and challenges that present themselves the more you work with it. Check out using BGP in a large network design, getting better scalability with MPLS in the core and BGP on the edge, and upping network security so customers can't accidentally harm your BGP routing data (as well as the Internet at large).
Yes, Border Gateway Protocol (BGP) has the reputation of being the hardest routing protocol to design, configure and maintain. But while this notion has some validity, there are situations where BGP is the only tool available to get the job done, or where deploying BGP throughout your network can increase its security or stability.
BGP's complexity is primarily due to the large number of attributes it can attach to a route, its complex route selection rules, and the manual configuration of neighboring routers (which are discovered automatically in most other routing protocols) needed to ensure the security of the routing information exchange. Having a large number of configuration options and BGP-specific filtering mechanisms available on routers from different major vendors doesn't help either.
http://searchtelecom.techtarget.com/feature/Advanced-BGP-network-design-for-stability-and-security
Five essential reasons for BGP in your network
In this guide, I'll give you five scenarios where BGP is the best match for your network requirements.
1. Internet service advantages
If you're an Internet service provider (ISP), running BGP in your network is almost a must. (I've seen consumer-focused ISPs that tried to get around this recommendation and used BGP solely to peer with their upstream ISPs, but they eventually had to bite the bullet and deploy BGP to increase the stability of their network, provide end-to-end quality-of-service or penetrate enterprise markets. Enterprise-focused ISPs have to run BGP from the start to support their multi-homed customers).
2. Layer 3 VPN services
We've seen a variety of technologies used to implement Layer 3 VPN services in recent years, and MPLS-based VPNs have undoubtedly proven to be the most scalable solution, solely due to using BGP as the underlying routing protocol. Fortunately, you don't have to deploy BGP everywhere in your network if you want to deploy MPLS/VPN solutions. It's enough to deploy BGP on the Provider Edge (PE) routers that connect your VPN customers and on a few core devices that act as route servers (these devices should not be expected to forward heavy traffic loads).
3. Increasing network stability
Although I've met networking engineers trying to use BGP as the sole routing protocol in their networks, that's not how you should use it. Any decent BGP design should rely on another faster routing protocol (for example, OSPF, EIGRP or IS-IS) to provide core routing in the network, with BGP responsible for the edge/customer routing.
With the separation of core and edge routing into two routing protocols, your network core becomes more stable, as the edge problems cannot disrupt the core. This design has been used very successfully in large enterprise networks with haphazard addressing schemes that defied attempts at route summarization. It should also be used in almost all service provider environments. You should never carry your customers' routes in your core routing protocol; customers' internal problems could quickly affect the stability of your own network.
I must note that it's amazing what you can see in the field. I saw an ISP running OSPF with its customers a few years ago. In that setup, a rogue or ignorant customer could have easily disrupted the whole service provider network.
4. Automatic response to denial-of-service attacks
Among other peculiarities, BGP allows you to specify any IP address as the next-hop for an IP prefix. This property is most often used to ensure optimum routing across a BGP autonomous system. You can also use it to implement network-wide sinkholes and remote blackholes to quickly stop worms and denial-of-service attacks on your network.
Please note that you don't have to migrate your routing to BGP if you want to use these mechanisms. To implement remote blackholes, it's enough that you deploy BGP on strategic points in your network and link them via BGP sessions with a central router through which you'll insert the IP addresses to block.
5. Large-scale QoS or web caching deployment
Not only does BGP carry a number of attributes describing the IP routes, it allows you to add extra baggage to every IP route advertised in the form of BGP communities that are totally transparent to BGP (unless you're manually configuring route selection rules to use them) but propagated throughout the network.
A few technologies completely unrelated to BGP allow you to use these attributes to implement large-scale designs. For example, Quality-of-Service Policy Propagation with BGP (QPPB) allows you to set QoS bits for specific BGP destinations based on BGP communities and other BGP attributes. Similarly, you can control the Web Cache Communication Protocol (WCCP)-based web caching policy with BGP.
Even though BGP is categorized as a complex and hard-to-configure routing protocol, its deployment in large enterprise networks can bring significant benefits, and it is almost mandatory in a service provider environment.
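The remote blackhole mechanism from scenario 4, modeled in Python as an added example (not code from the original article): a central router advertises a host route whose next hop is a discard address, and every edge router resolves that next hop to its null interface. The discard address 192.0.2.1, the router names, the interface names and the sample prefixes are assumptions made for this sketch.

```python
import ipaddress

# Assumption: 192.0.2.1 (TEST-NET-1) is the discard next hop; every edge router
# is pre-provisioned with a static route for it pointing to Null0.
DISCARD_NEXT_HOP = ipaddress.ip_address("192.0.2.1")

class EdgeRouter:
    """Toy routing table with recursive next-hop resolution."""

    def __init__(self, name):
        self.name = name
        self.routes = {}  # network -> interface name (str) or next-hop address

    def add_route(self, prefix, target):
        self.routes[ipaddress.ip_network(prefix)] = target

    def forward(self, dst, depth=0):
        """Return the outgoing interface for dst ('Null0' means dropped)."""
        dst = ipaddress.ip_address(dst)
        hits = [net for net in self.routes if dst in net]
        if not hits or depth > 4:
            return "unreachable"
        target = self.routes[max(hits, key=lambda net: net.prefixlen)]
        # An interface ends the lookup; a next-hop address is resolved again.
        return target if isinstance(target, str) else self.forward(target, depth + 1)

def build_edges():
    """Constructed sample network: two edge routers with identical tables."""
    edges = []
    for name in ("edge1", "edge2"):
        router = EdgeRouter(name)
        router.add_route("192.0.2.1/32", "Null0")    # discard route
        router.add_route("10.255.0.1/32", "core0")   # IGP route to a PE loopback
        # BGP route for a customer prefix, next hop = that PE loopback
        router.add_route("203.0.113.0/24", ipaddress.ip_address("10.255.0.1"))
        edges.append(router)
    return edges

def trigger_blackhole(edges, blocked_ip):
    """Central router: advertise blocked_ip/32 with the discard next hop to all edges."""
    for router in edges:
        router.add_route(f"{blocked_ip}/32", DISCARD_NEXT_HOP)

def withdraw_blackhole(edges, blocked_ip):
    """Central router: withdraw the host route once the event is over."""
    for router in edges:
        router.routes.pop(ipaddress.ip_network(f"{blocked_ip}/32"), None)
```

Only the blocked host route changes; the covering /24 keeps forwarding normally, which is why the block can be inserted and withdrawn from one place without touching the core routing protocol.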
Designing large-scale BGP networks
Considering the relative complexity of Border Gateway Protocol (BGP), it's not surprising that you would consider various design aspects before rushing head-on into implementing it in your network. If nothing else, a good design and careful planning could save you a few tense troubleshooting sessions.
In this article, I'll try to give you a few generic guidelines that you should follow when designing your BGP network. Don't forget that experience comes only with practice, however. When designing your first few BGP networks, you should get expert help, either in-house, from your vendor or from a qualified professional services organization.
Use a public autonomous system number
BGP uses autonomous system (AS) numbers to track networks through which the traffic would have to pass to reach the final destination. AS numbers visible in the public Internet have to be globally unique and are allocated by various Internet registries. If you want to offer public Internet services, having a public AS number is mandatory. If you are in a hurry and just need BGP to offer other IP-based services (for example, Layer 3 VPN services based on MPLS VPN), you could use a private AS number as specified in RFC 1930 (AS 64512 through AS 65535), but then you might be faced with challenging migration scenarios if you'd ever want to offer public Internet services.
Use BGP only in combination with another routing protocol
BGP was designed to be a robust, conservative routing protocol able to carry hundreds of thousands of IP prefixes. It was never meant to be a fast-converging protocol needed to implement modern IP-based services (for example, Voice-over-IP or Triple Play services). You should always use BGP on top of a modern, fast-converging Interior Routing Protocol (IGP), for example OSPF or IS-IS. In such a design, the IGP provides optimum paths through the network core and BGP provides edge-to-edge routing across these paths.
Run Internal BGP between loopback interfaces
BGP uses TCP as a reliable transport to exchange routing information between manually configured BGP peers (there is no neighbor discovery in BGP). TCP is always tied to a pair of local and remote IP addresses. Should any one of these become unreachable, the TCP session and consequently BGP routing would become disrupted even though the routers are still operational.
Internal BGP sessions (BGP sessions between routers in your network) should thus always be run between loopback interfaces, ensuring that the TCP session stays operational as long as there is at least one path between the BGP neighbors (even though the physical interfaces through which the neighbors are reached might change).
External BGP neighbors are usually directly connected (your BGP router is directly attached to your customer's or peering partner's BGP router). The external BGP sessions are thus commonly run between adjacent IP addresses assigned to physical interfaces.
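To make the loopback guideline concrete, the following added example (not from the original article) models which internal BGP session survives a link failure. The three-router triangle, the addresses, and the simplification that an interface address disappears when its link goes down are assumptions of the sketch.

```python
from collections import deque

# Constructed topology: three routers in a triangle, links named by their ends.
LINKS = frozenset({("r1", "r2"), ("r2", "r3"), ("r1", "r3")})

# address -> (owning router, link it is configured on; None = loopback)
ADDRESSES = {
    "10.0.12.1": ("r1", ("r1", "r2")),
    "10.0.12.2": ("r2", ("r1", "r2")),
    "10.255.0.1": ("r1", None),
    "10.255.0.2": ("r2", None),
}


def has_path(links, src, dst):
    """Breadth-first search standing in for the IGP: any path over live links?"""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for a, b in links:
            if node in (a, b):
                other = b if node == a else a
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
    return False


def session_up(links, local_ip, remote_ip):
    """A TCP session survives only while both of its endpoint addresses exist
    and the routers owning them can still reach each other."""
    for ip in (local_ip, remote_ip):
        link = ADDRESSES[ip][1]
        if link is not None and link not in links:
            return False  # interface address vanished with its link
    return has_path(links, ADDRESSES[local_ip][0], ADDRESSES[remote_ip][0])


def after_failure(failed_links):
    """Status of both session styles between r1 and r2 after links fail."""
    live = LINKS - set(failed_links)
    return {
        "physical": session_up(live, "10.0.12.1", "10.0.12.2"),
        "loopback": session_up(live, "10.255.0.1", "10.255.0.2"),
    }
```

Losing the direct r1-r2 link tears down the session pinned to that link's addresses, while the loopback session stays up over the path through r3.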
Run BGP in the whole network
Historically, some service providers tried to avoid running BGP in the whole network to reduce the memory requirements and CPU utilization of their routers, relying on ingenious designs that inevitably became too complex once their networks started to grow. It's best to accept the fact that BGP is inevitable in a serious service provider network and design the whole network for it from the very start.
Obviously, you don't need to run BGP on every router in your network. For example, dial-up servers or DSL concentrators can rely on default routing supplied by the network core, but the edge routers connecting enterprise customers could already need BGP to cater to the needs of the multi-homed customers.
Statically configure advertised prefixes
If you're offering public Internet services, you have to advertise public IP address space assigned to you via various Internet registries into BGP. Sometimes the engineers try to reach this goal through a complex process of route redistribution from IGP into BGP and subsequent route aggregation within BGP. It's much simpler to advertise the exact prefixes you've been allocated on a few key BGP routers.
When you decide to split the routing of your Internet customers from your core routing (highly recommended) and carry customer IP prefixes in BGP, they could be redistributed from IGP (or from static routes on the edge routers), but tagged with the well-known NO_EXPORT community to prevent their propagation into adjacent autonomous systems.
NOTE: Different rules apply when you run BGP in MPLS VPN environments, where two-way redistribution between BGP and customer's IGP is very
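An export audit covering both the NO_EXPORT tagging above and the earlier private AS number guideline, written as an added example rather than code from the original article. It assumes routes are available as simple dictionaries; holding back any route with a private AS in its path is a policy chosen for this sketch, and the sample table is constructed.

```python
NO_EXPORT = (65535, 65281)         # well-known community 0xFFFFFF01 (RFC 1997)
PRIVATE_AS = range(64512, 65536)   # private AS numbers (RFC 1930)


def parse_community(text):
    """Accept 'NO_EXPORT' or 'high:low' notation."""
    if text.upper().replace("-", "_") == "NO_EXPORT":
        return NO_EXPORT
    high, low = (int(part) for part in text.split(":"))
    return high, low


def export_findings(route):
    """Reasons why this route must not be sent to an external (eBGP) neighbor."""
    findings = []
    if NO_EXPORT in {parse_community(c) for c in route["communities"]}:
        findings.append("tagged NO_EXPORT")
    private = sorted({asn for asn in route["as_path"] if asn in PRIVATE_AS})
    if private:
        findings.append("private AS in path: " + ", ".join(map(str, private)))
    return findings


def audit(routes):
    """Split a route table into prefixes safe to export and prefixes to hold back."""
    exported, held = [], {}
    for route in routes:
        findings = export_findings(route)
        if findings:
            held[route["prefix"]] = findings
        else:
            exported.append(route["prefix"])
    return exported, held


# Constructed sample table (documentation prefixes, hypothetical AS numbers).
SAMPLE_ROUTES = [
    {"prefix": "198.51.100.0/24", "as_path": [], "communities": []},
    {"prefix": "198.51.100.64/28", "as_path": [], "communities": ["NO_EXPORT"]},
    {"prefix": "203.0.113.0/24", "as_path": [64600], "communities": ["64496:100"]},
]
```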
Do not change BGP attributes within your network
Any routing protocol (BGP included) works best if all routers in the network have a consistent view of the network. To ensure consistent routing in your network, do not change any BGP attributes on updates sent to BGP neighbors (most router vendors would allow you to do that). On the other hand, it's OK to change BGP attributes on:
• Routes received from external BGP neighbors. Most commonly, the local preference attribute is set to indicate preferred/backup exit points.
• Routes redistributed into BGP from other sources. Some BGP attributes (for example, Multi-Exit Discriminator) are set automatically, others can be set on the redistributing router.
Redistribute external subnets into your IGP
Each IP prefix carried by BGP has a next hop attribute, specifying the IP address of the next-hop BGP router. It's the job of the IGP to figure out the optimum path toward the next hop.
By default, BGP advertises IP prefixes received from an external neighbor (from your peering partner, for example) with the next hop attribute pointing to the IP address of the external peer. This property allows you to implement perfect load sharing toward those Internet Exchange Points