The folks over at Qrator have proposed some additions to BGP. At the heart of this is the addition of roles in a BGP session. You would have four possible roles: customer, provider, peer, and internal.
Below are some basic Filter Rules for Mikrotik BGP filtering. These are not complex and can be very easily implemented on your BGP peers.
Before we get to the code there are a few assumptions
1. Your own IP space in this example is 1.1.1.0/22
2. These filters are not fancy and are geared toward upstream ISPs, not your own internal routers or clients.
3. If you copy and paste the below code make sure there is one command per line. Some browsers will cut the line off and then it won’t paste right. If in doubt paste it into notepad, textedit, etc. and clean it up.
So what does this do?
-The first 6 lines filter out non-routable IP space. There should be no reason these are being advertised to you from the public internet.
-Next we are saying if we see our own IP space being advertised to us (in this case 1.1.1.0/22), discard it. There should be no reason we see our own IP space on a public peer.
-The next line filters out prefixes that are a /25 and smaller. Just about every provider out there has a minimum size of a /24 they will accept as an advertisement. If you are getting anything smaller it’s a good practice to drop it. If there happen to be smaller prefixes, they can be reached through a default route to the provider. This helps trim your routing table, which makes lookups and convergence time quicker.
Under the INET-OUT rules we are advertising our IP space to our upstream.
Pretty simple eh? We could get complicated and add in chains, and more rules. But, this is a start. We will do some more advanced rules in a later post.
OSPF areas are one of the more common topics I am asked about as networks grow. Before we dig into this, we need to understand the reasons why OSPF areas were created in the first place. Next, we will go into how to apply areas to modern network designs.
Why did areas come into being?
Let’s rewind to a time when RAM in routers was very expensive. Processors were expensive. One of the biggest reasons OSPF areas came into play was RAM limitations. Every route in your routing table takes up RAM. The more routes you have, the more RAM is taken up in each router to hold that table. Also, processor power is used up calculating these routes.
So what do areas do for me?
OSPF areas have many advantages. However, in most WISP and ISP networks they serve two purposes.
The first purpose is they group similar devices into logical groups. These groups can have filtering policies applied to them.
The second purpose is more important. Implementing areas reduces the size of the routing table. By doing this your routers spend less time calculating routes, and less time updating the database during a topology change. By reducing the routing table you also speed up what is called convergence time. This is the time the entire network needs to agree on the current routing topology. If a major backbone link is flapping your routers could be spending a fair amount of their resources calculating routing tables.
An important thing to note with implementing areas is you must have a good IP network design. This means your sites/pops/towers should have a logical design which allows for easy route summarization and consolidation. If you are looking into areas make sure you can summarize your routes in that area easily. The following examples illustrate why this is important.
In the above example we have created “Area1”. Since we have a good IP network design we can summarize our routing table in and out of Area1 in a few different ways. If we want to reserve the whole 10.5.0.0/16 for future expansion then we can. Or if we want to break this down into 10.5.0.0/20 or even smaller we can. Part of this depends on growth plans. With areas you have to keep in mind every area needs to touch the backbone (area 0.0.0.0) directly. Now, you can use Virtual Links to have one non-backbone area traverse another non-backbone area. However, even though it is a standard, it is a workaround at best. There are many disadvantages to virtual links.
Now, back to our example. If we create an area, the 10.6.1.0/24 and 10.6.2.0/24 routers are the “in roads” to Area1. These are known as area border routers (ABR). The main function of ABRs is to summarize sub networks found throughout the OSPF network. An ABR keeps a separate copy of the link-state database in memory for each area it is connected to, so it holds a minimum of two copies: one for the backbone area, and one for each other area it is connected to.
But, I thought areas were supposed to cut down on RAM and CPU usage? Well, everything has a tradeoff. This is where the philosophy side of things comes into play, and probably the reason you have read this far.
When, how, and should I implement areas?
In today’s modern world with fast RAM, fast links, and fast processors OSPF areas are needed less and less. Routers today have more RAM than even 5 years ago. This means they can hold larger routing tables and do more calculations.
If you are thinking about implementing areas the first thing to look at is your IP design. In order to take the best advantage of areas you should have a logical and congruent design. What I mean by this is your towers should be able to be summarized as much as possible. If you can fit 20 towers into a single route statement, that is one good place an area would make sense. If those 20 towers are not able to be summarized then adding an area is not going to be much of a benefit to you.
Network size does not necessarily dictate the need for OSPF areas. If you have a neatly summarized IP network the need for areas is lessened.
What about if you are trying to join two different networks?
Say you purchased a neighboring ISP and want to join the new network with your own. If you have overlapping IP space then things might not mesh together well, even with areas. Most times you are better off running BGP between the two separate networks. This allows each network to have its own space and its own routing policies, but still be able to share bandwidth and other resources. You simply don’t announce any overlapping space to each network until things are re-numbered.
One question I get in this scenario is “my router can’t handle BGP.” BGP is a fairly lightweight protocol. The issues arise when you start pulling in full or partial internet routing tables. This is the same concept as mentioned above with the OSPF routes.
As I am preparing talks for the upcoming WISPAPALOOZA 2014 in Las Vegas I am making some notes on advanced BGP. If you are running BGP, and want to lock it down a little, here are some general hints. If you want more, attend my session in Vegas or look here afterwards for the full rundown.
General hints for BGP filtering.
1. Filter all the bogon addresses unless you have a specific need. If you have to ask, you probably don’t have a need, so filter them. Bogons are: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16
2. Don’t accept your own IP space from upstreams. There should be no reason someone who is not a downstream customer is advertising your own IP space back to you. By downstream I mean someone you have assigned your own IP space to.
3. Limit the maximum number of prefixes your router will accept.
4. Most ISPs don’t announce anything less than a /24. Configure your filters to not accept anything smaller than a /24 unless you have a specific need to do so.
5. Separate iBGP from eBGP.
6. Understand the defaults for the platform you are using.
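As an added example that is not the MikroTik configuration from the Filter Rules post above, the inbound policy described there (bogons, own space, nothing longer than a /24) and hints 1 through 4 of this list are expressed as a small Python evaluator run over a constructed set of received prefixes. The prefix limit value and the sample prefixes are assumptions made for the demo.

```python
# Added example: an inbound BGP prefix policy mirroring the page's rules
# (bogons, own space, minimum /24, prefix limit). Not the page's MikroTik
# configuration; the prefix limit and the sample update are constructed here.
from ipaddress import ip_network

# Bogons exactly as listed on the page (a production list would be longer).
BOGONS = [ip_network(p) for p in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
# The page's own space. 1.1.1.0/22 has host bits set, so strict=False
# normalizes it to the covering network 1.1.0.0/22.
OWN_SPACE = ip_network("1.1.1.0/22", strict=False)
MAX_PREFIX_LEN = 24   # /25 and longer are discarded
MAX_PREFIXES = 5      # hypothetical per-session limit, chosen for the demo


def check_prefix(prefix):
    """Return (accepted, reason) for a single received prefix."""
    net = ip_network(prefix, strict=False)
    for bogon in BOGONS:
        if net.version == bogon.version and net.subnet_of(bogon):
            return False, "bogon %s" % bogon
    # Our own space, or any more-specific of it, must never come from an upstream.
    if net.version == OWN_SPACE.version and net.subnet_of(OWN_SPACE):
        return False, "own space %s" % OWN_SPACE
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, "longer than /%d" % MAX_PREFIX_LEN
    return True, "ok"


def filter_session(prefixes):
    """Apply check_prefix() to every prefix received in one session.

    Returns (accepted, rejected, over_limit): rejected maps prefix -> reason,
    and over_limit is True once the accepted count exceeds MAX_PREFIXES, the
    point at which a router would normally tear the session down.
    """
    accepted, rejected = [], {}
    for prefix in prefixes:
        ok, reason = check_prefix(prefix)
        if ok:
            accepted.append(prefix)
        else:
            rejected[prefix] = reason
    return accepted, rejected, len(accepted) > MAX_PREFIXES


# Constructed sample of prefixes received from an upstream.
SAMPLE_UPDATE = ["8.8.8.0/24", "10.1.0.0/16", "1.1.1.0/24", "203.0.113.0/25",
                 "172.16.0.0/12", "192.0.2.0/24", "1.1.0.0/16"]

if __name__ == "__main__":
    acc, rej, over = filter_session(SAMPLE_UPDATE)
    print("accepted:", acc)
    for p, why in rej.items():
        print("discard %-16s %s" % (p, why))
    print("over prefix limit:", over)
```

Note that 1.1.0.0/16 is accepted: it covers our space but is not our space, so the own-space rule does not match it.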
MTIN is happy to announce free IPv6 peering in Indianapolis. If you are a provider with a presence at 733 Henry Street Indianapolis, Indiana we will peer on the IPv6 backbone with you for free. All you have to do is make it to us via a cross connect. If you want to peer on IPv4, and are not already, we might be able to assume the cost of that cross-connect.
A looking glass can help you see how certain parts of the Internet view your advertisements. This can be very helpful in troubleshooting. Is someone in Europe seeing your advertisement? How about the guy next door?