Re: [c-nsp] BGP - advertising default route to Branch offices
Thanks Mike for the input. It's BGP end to end (branch switches <-bgp-> core switches <-bgp-> edge devices). Branch switches dual-home to two core switches.

On Wed, Aug 12, 2020 at 9:31 PM Mike wrote:
> On 8/12/20 5:20 PM, Yham wrote:
> > Hello Gentlemen,
> >
> > I have 100+ branch offices peering BGP with Core and I need to advertise the default route (only) to them. Core switches are receiving the default route via eBGP from upstream devices. I can think of two ways to advertise the default route, as follows:
> >
> > 1- Advertise/pass on the default route that core switches receive from upstream edge devices. Along with that, add a static default route pointing to null0 with a higher administrative distance and redistribute it into BGP. That way, if for any reason the upstream edge devices stop advertising the default route, the static default route will kick in.
> > 2 - default-originate command under every BGP neighborship. I have 100+ neighbors, so configure this command for all.
> >
> > Can anyone please tell which is considered a best practice when it comes to advertising the default route? If any vendor documentation addresses this, please feel free to share.
>
> Hello
>
> This really sounds like OSPF may have been a better choice, IMHO.
>
> Do you have more than one link back to core from each site? If not, then why not just stick with/use a static default? Easier to configure and nearly goof-proof.
>
> Otherwise, I would think that 'default-originate' would be the better choice under each neighborship.
>
> Mike-

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] BGP - advertising default route to Branch offices
Hello Gentlemen,

I have 100+ branch offices peering BGP with Core and I need to advertise the default route (only) to them. Core switches are receiving the default route via eBGP from upstream devices. I can think of two ways to advertise the default route, as follows:

1- Advertise/pass on the default route that core switches receive from upstream edge devices. Along with that, add a static default route pointing to null0 with a higher administrative distance and redistribute it into BGP. That way, if for any reason the upstream edge devices stop advertising the default route, the static default route will kick in.
2 - default-originate command under every BGP neighborship. I have 100+ neighbors, so configure this command for all.

Can anyone please tell which is considered a best practice when it comes to advertising the default route? If any vendor documentation addresses this, please feel free to share.

Regards
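An added configuration example for the thread above (editor-supplied, not from any of the posters): an IOS-style BGP stanza for one core switch that implements option 1 (a floating Null0 static plus a network statement) and, as a second stanza, option 2 (default-originate applied once to a peer-group instead of once per neighbor). Every name and number is an assumption: AS 65000 for the core, AS 65100 for the branches, the two branch peer addresses, the peer-group and prefix-list names. The syntax is IOS/IOS-XE; NX-OS core switches use slightly different keywords.

```cisco
! Added example, not from the thread. Assumed: core AS 65000, branch
! AS 65100, branch peers 10.255.1.1 and 10.255.1.2, peer-group BRANCH.
!
! The only prefix a branch is allowed to receive from this core
ip prefix-list PL-DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! Option 1: floating fallback default. While the eBGP default (AD 20)
! from the edge is present, the AD 250 static stays out of the RIB.
! When the edge stops sending 0/0, the static takes over, the branches
! keep a stable default, and the core drops (rather than loops) what it
! has no upstream for.
ip route 0.0.0.0 0.0.0.0 Null0 250
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor BRANCH peer-group
 neighbor BRANCH remote-as 65100
 neighbor 10.255.1.1 peer-group BRANCH
 neighbor 10.255.1.2 peer-group BRANCH
 !
 address-family ipv4
  ! Originate 0/0 whenever it is in the RIB (eBGP-learned or the Null0 static)
  network 0.0.0.0
  ! Branches get the default and nothing else, whatever else this core holds
  neighbor BRANCH prefix-list PL-DEFAULT-ONLY out
  neighbor BRANCH activate
 exit-address-family
!
! Option 2: replace the 'network 0.0.0.0' line above with a per-peer-group
! default-originate. The route-map makes it conditional: 0/0 is sent only
! while a route matching the route-map's match clause exists. One line
! covers all 100+ neighbors because they share the peer-group.
route-map RM-DEFAULT-COND permit 10
 match ip address prefix-list PL-DEFAULT-ONLY
!
router bgp 65000
 address-family ipv4
  neighbor BRANCH default-originate route-map RM-DEFAULT-COND
  neighbor BRANCH prefix-list PL-DEFAULT-ONLY out
 exit-address-family
!
! Checks, to be run on both cores:
!  show ip route 0.0.0.0 0.0.0.0
!  show ip bgp 0.0.0.0/0
!  show ip bgp neighbors 10.255.1.1 advertised-routes
```

The outbound prefix-list is what enforces "default only"; the three show commands confirm which default each core currently holds in its RIB, which paths are in its BGP table, and what it actually sends to a branch. On a dual-homed branch, check both cores, since the branch follows whichever advertisement wins its best-path selection.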
[c-nsp] BGP Multipath
Hello Gentlemen,

I wanted to confirm whether the BGP multipath feature works for/installs a route learned from the same AS but from eBGP and iBGP neighbors. For example, I have four routers A, B, C & D. Router A and B are iBGP neighbors in ASN100 and a prefix 10.0.0.0/8 is attached to both. Router C and D are iBGP neighbors in ASN100. Router A has an eBGP neighborship with Router C and Router B has an eBGP neighborship with Router D.

Now Router A receives prefix 10.0.0.0/8 from Router C via eBGP and from Router B via iBGP. In this scenario, Router A installs the prefix learned from Router C in the routing table because it was learned via eBGP. So the question is: can I have both the eBGP and iBGP paths installed in the routing table with the help of the multipath feature? I tried but it didn't work.

In a nutshell, I wanted to ask if multipath works for a prefix that is being learned from eBGP and iBGP? From my understanding, all the best path criteria have to tie before multipath comes into the picture.

Regards
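An added example for the question above (editor-supplied, not from the post). On IOS/IOS-XE the knob that installs an eBGP and an iBGP path for the same prefix together is maximum-paths eibgp, and it is accepted under a VRF address family (the MPLS VPN eiBGP multipath feature); the global IPv4 table offers only eBGP-only (maximum-paths) or iBGP-only (maximum-paths ibgp) multipath. The configuration below therefore places router A's prefix in a VRF. Assumptions: AS 65001 for A and B, AS 65002 for C and D, VRF name CUST with RD/RT 65001:100, the loopback and link addresses, and an MPLS core between A and B. The two paths must still tie on weight, local preference, AS-path length, origin and MED; if they do not, best-path selection decides and multipath never applies.

```cisco
! Added example, not from the thread. Router A, AS 65001. Assumed:
! B = 192.0.2.2 (iBGP over loopbacks, VPNv4), C = 198.51.100.3 (eBGP,
! AS 65002, VRF-facing link), VRF CUST, RD/RT 65001:100.
vrf definition CUST
 rd 65001:100
 address-family ipv4
  route-target both 65001:100
 exit-address-family
!
router bgp 65001
 bgp log-neighbor-changes
 ! B: iBGP, carries the VRF prefix as a VPNv4 route with its label
 neighbor 192.0.2.2 remote-as 65001
 neighbor 192.0.2.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUST
  ! C: eBGP on the VRF-facing interface
  neighbor 198.51.100.3 remote-as 65002
  neighbor 198.51.100.3 activate
  ! Keep both the eBGP path (via C) and the iBGP path (via B) for
  ! 10.0.0.0/8. Without this line the eBGP path wins and the iBGP path
  ! is only a backup in the BGP table.
  maximum-paths eibgp 2
 exit-address-family
!
! Checks: both paths should be flagged multipath in the VRF BGP table,
! and the VRF RIB should show two next hops for the prefix
!  show bgp vpnv4 unicast vrf CUST 10.0.0.0/8
!  show ip route vrf CUST 10.0.0.0 255.0.0.0
```

If only one path shows up after this, compare the two paths' attributes in the first show command: a different AS-path length or MED from C versus D is the usual reason the tie-breaker, not multipath, is deciding.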
[c-nsp] BGP Maximum Prefix limit on Edge routers
Hello Gentlemen,

I wanted to ask if it is common practice to apply a maximum prefix limit on BGP neighborships with Internet providers from which you are getting the entire routing table. I know it's considered a best practice but want to know if it's also common. If yes, what would be the max limit of routes? A Google search tells me that the size of the routing table today is approx 800K prefixes.

Thanks
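An added example for the question above (editor-supplied, not from the post): an IOS-style per-neighbor prefix limit on full-table transit sessions, with a warning threshold and an automatic restart so a leak does not leave the session down until someone clears it by hand. The AS numbers, peer addresses and limits are assumptions; the limits are sized against the ~800K IPv4 table mentioned in the post, with headroom for growth, and a separate IPv6 limit, since the two address families are counted separately.

```cisco
! Added example, not from the thread. Assumed: local AS 65000, transit
! AS 64500 at 203.0.113.1 (IPv4 full table) and 2001:db8:1::1 (IPv6
! full table). Limits are illustrative: well above today's table so
! normal growth never trips them, far below a leak of a second full table.
router bgp 65000
 bgp log-neighbor-changes
 neighbor 203.0.113.1 remote-as 64500
 neighbor 2001:db8:1::1 remote-as 64500
 !
 address-family ipv4
  neighbor 203.0.113.1 activate
  ! Log at 85% of the limit; at the limit tear the session down and
  ! retry automatically after 15 minutes
  neighbor 203.0.113.1 maximum-prefix 1000000 85 restart 15
 exit-address-family
 !
 address-family ipv6
  neighbor 2001:db8:1::1 activate
  neighbor 2001:db8:1::1 maximum-prefix 150000 85 restart 15
 exit-address-family
!
! 'warning-only' instead of 'restart' logs but never drops the session;
! use it only where a leak is less harmful than losing the transit path:
!  neighbor 203.0.113.1 maximum-prefix 1000000 85 warning-only
!
! Checks: current count against the limit, and the syslogs to alert on
! (%BGP-4-MAXPFX at the threshold, %BGP-3-MAXPFXEXCEED at the limit)
!  show bgp ipv4 unicast summary
!  show bgp ipv4 unicast neighbors 203.0.113.1 | include [Pp]refix
!  show bgp ipv6 unicast neighbors 2001:db8:1::1 | include [Pp]refix
```

Review the limits on a schedule rather than once: a limit set in 2020 against 800K prefixes needs raising before table growth reaches the 85% warning, otherwise the warning becomes noise and the eventual restart is self-inflicted.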
Re: [c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
Hello Nick,

Thanks for your comments. I kinda agree with you on avoiding transparent mode; however, it's not clear why you wouldn't want your north-south traffic to pass through perimeter security devices (FWs). How would you protect your network from outside if you don't have firewalls in the traffic path? I have seen some enterprises use bypass switches to go around the firewalls in case of an unexpected failure from which the firewalls can't recover.

Thanks

On Mon, Aug 10, 2020 at 3:41 PM Nick Hilliard wrote:
> Yham wrote on 10/08/2020 19:53:
> > Hello Gentlemen,
> >
> > We are redesigning the core network where we have
> > - Edge routers peering BGP with internet providers and partners
> > - Perimeter firewalls to secure north-south traffic
>
> Unless there's a specific policy objective which overrides any technical consideration, you may want to consider not putting firewalls inline like this, as they often introduce serious failure modes which are difficult to work around. Best case in a service provider environment, they should service only the addresses which need to be firewalled and should not be used as the default configuration for all traffic.
>
> > I wanted to ask if there are best practices when deploying the perimeter firewalls?
> > Is Active/Active better than an Active/Standby HA model?
>
> No, active/active is troublesome - you end up sharing state between multiple systems, which introduces complexity and potential for failure. Active/standby also keeps you honest by ensuring that you end up with resiliency.
>
> > Does a pair of Firewalls in Routed mode perform better than in Transparent/Layer2 mode?
>
> you lose features in transparent mode, e.g. routing and a bunch of others. There's no compelling reason to use it for most situations.
>
> > Regarding firewall mode, I know you can't use some firewall features (such as VPN, NAT etc.) when in layer2 mode; however, in some Next-Gen firewalls you can make a certain pair of interfaces transparent to your upstream and downstream and another pair of interfaces in layer3 mode for VPN, NAT etc.
> >
> > Any comments, please?
>
> Keep as much traffic away from firewalls as possible. Keep your configuration as simple as possible (this takes time and effort). If you're using Juniper firewalls, keep each customer in an apply-group.
>
> Nick
[c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
Hello Gentlemen,

We are redesigning the core network where we have
- Edge routers peering BGP with internet providers and partners
- Perimeter firewalls to secure north-south traffic
- High-end core switches where all distribution switches connect.

Logical diagram: Internet providers/partners -> Edge routers -> Firewalls -> Core switches -> Distribution/Access switches

We plan to use BGP (with BFD) from distribution all the way up to the Edge routers, and the core network has to be highly available.

I wanted to ask if there are best practices when deploying the perimeter firewalls?
- Is Active/Active better than an Active/Standby HA model?
- Does a pair of Firewalls in Routed mode perform better than in Transparent/Layer2 mode?

My thoughts on a pair of firewalls in Active/Active mode:
1) Both uplinks/downlinks can be utilized with ECMP, but I don't understand why it's considered an advantage, because regardless of having both links active you can't oversubscribe: you want to make sure there is no impact when one of the firewalls goes down.
2) In fact, I could be wrong, but I think A/A creates asymmetric flows that are difficult to troubleshoot.
3) However with A/A, I think the convergence can be faster depending on the underlying routing.

Regarding firewall mode, I know you can't use some firewall features (such as VPN, NAT etc.) when in layer2 mode; however, in some Next-Gen firewalls you can make a certain pair of interfaces transparent to your upstream and downstream and another pair of interfaces in layer3 mode for VPN, NAT etc.

Any comments, please? If you know of any good document on this very topic, please share it with me.

Thanks
Yham
[c-nsp] BGP-EVPN vs Traditional Nexus 7k/5k Design
Hi Gentlemen,

We are planning to upgrade our data centers, which were built on Cisco's traditional design at that time, i.e. Nexus 7Ks as core and Nexus 5Ks and 2Ks as distribution and access layer (TOR). In this design, 7Ks run layer-3 and extend layer 2 via vPC down to the 5Ks. We have a multi-tenant environment (VDCs and VRFs) and host customers' critical services.

For the upgrade, we are exploring the BGP-EVPN with VXLAN option. Can someone please give me the pros and cons when compared with the traditional 7Ks/5Ks vPC design? I read about Cisco's BGP-EVPN design but am not sure yet what the real value is. Are there real benefits, or is it just marketing fluff to sell Nexus 9Ks and part of the SDN buzz? Cisco also offers ACI and we may want to try it in a greenfield deployment, but I don't think it is mature enough and ready for us to migrate the critical customer services over to it now.

Regards
[c-nsp] Multicast within VLAN on Nexus7K over vPC
Hi All,

I have two Cisco Nexus 7Ks as core switches and two Cisco 4500s as distribution/access switches. The Nexus switches have a vPC with each downstream 4500 switch and there is no connection between the 4500 switches. Vlan100 exists on all four switches and all devices that are part of this VLAN are connected to the 4500 switches. I believe this is a pretty standard design.

Though VLAN 100 has regular users and services that communicate over unicast, there are some devices that need to send and receive multicast. Both the multicast sender and the receivers are in the same VLAN, but receivers are spread across both 4500 switches. In the diagram (link below), receivers connected to switch 4K-1 (where the source is connected) can receive the multicast stream, but receivers connected to 4K-2 don't see anything. I believe it's expected behavior due to IGMP snooping being enabled on the switches by default, but I am trying to figure out how to make receivers on the other switch able to get the multicast stream.

I did some research and found different ways, but unfortunately I don't have non-production devices to test which one actually works. Here is what I found:
1) configuring an IGMP querier for VLAN 100 on all four switches
2) only enabling 'ip pim sparse-mode' under the SVIs (interface vlan100) at N7K-01 & N7K-02
3) disabling IGMP snooping for VLAN 100 on all four switches (which I don't think is the right solution)

Topology Diagram
https://s22.postimg.org/3tsnta4s1/topology.png

Any help will be highly appreciated.

Thanks
YH
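An added example for the post above (editor-supplied, not from the poster): NX-OS configuration for the two N7Ks showing option 1 (an IGMP snooping querier for VLAN 100) and option 2 (PIM sparse mode on the SVI) from the post's list, with the checks that tell you whether the 4500s have learned a multicast-router port toward the vPC. Assumptions: the VLAN 100 SVI subnet is 10.100.0.0/24 with N7K-01 at .2 and N7K-02 at .3, the 4500s keep their default IGMP snooping, and the N7Ks already run feature interface-vlan and vPC.

```cisco
! Added example, not from the thread. N7K-01 shown; on N7K-02 use
! 10.100.0.3 as the querier address so the two queriers are distinct
! (the lower address wins the per-VLAN querier election, the other
! stays silent until it stops hearing queries).
!
! Option 1: snooping querier on VLAN 100, no multicast routing needed.
! Periodic general queries make every receiver report its groups, so
! each 4500 learns the vPC-facing port-channel as its mrouter port and
! forwards the group toward the N7Ks, which relay it to the other 4500.
vlan configuration 100
 ip igmp snooping querier 10.100.0.2
!
! Option 2 (instead of option 1): make the SVI a PIM router. A PIM-enabled
! SVI issues IGMP queries itself, with the same effect on the 4500s, and
! additionally lets the group be routed off the VLAN later.
feature pim
interface Vlan100
 ip pim sparse-mode
!
! Checks on each N7K: a querier must be present for the VLAN, the vPC
! port-channels must appear as mrouter ports, and the group must list the
! receivers' ports on both 4500-facing port-channels
!  show ip igmp snooping querier vlan 100
!  show ip igmp snooping mrouter vlan 100
!  show ip igmp snooping groups vlan 100
! On the 4500s the equivalent check is that the uplink toward the N7Ks
! shows up as the mrouter port:
!  show ip igmp snooping mrouter vlan 100
```

Either option fixes the symptom without disabling snooping (the post's option 3), which would flood every multicast group to every port in the VLAN on all four switches.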
[c-nsp] Nexus 7710 BGP hold timer and ISSU
Hi All,

As the Nexus 7K platform doesn't support multihop BFD, I have to use faster BGP hello and hold timers. When I try to configure BGP timers to "timers 2 6" (hold time = 6), I get a warning message as below:

"% ISSU will be affected if hold time is less than system switchover time (8 seconds)"

Does it mean that if the hold time is higher than 8 seconds (e.g. timers 3 10 or timers 5 15), ISSU can be performed in future? I was under the impression that if I make any change to the default timers (keepalive 60 sec & hold 180 sec), ISSU is no longer an option. Moreover, the statements highlighted in red below seem contrary. Can someone please clarify?

ISSU
Cisco NX-OS supports in-service software upgrades (ISSU). ISSU allows you to upgrade software without impacting forwarding. The following conditions are required to support ISSU:
- Graceful restart must be enabled (default)
- *Keepalive and hold timers must not be smaller than their default values*
If either of these requirements is not met, Cisco NX-OS issues a warning. You can proceed with the upgrade or downgrade, but service might be disrupted.
Note -- *Cisco NX-OS cannot guarantee ISSU for non-default timer values if the negotiated hold time between BGP peers is less than the system switchover time.*

Source: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/unicast/configuration/guide/b-7k-Cisco-Nexus-7000-Series-NX-OS-Unicast-Routing-Configuration-Guide-Release-6x/n7k_unicast_config_adv_bgp.html#concept_3126984786C2406680150E527351AA2D

Thanks
YH
[c-nsp] Nexus 7K - Routing over vPC Peer-link between chassis
Hi All,

Could you please tell me what the disadvantage is of running routing protocols, e.g. iBGP, between SVIs of two chassis over the vPC peer-link? I have heard a lot that Cisco recommends using a separate link for layer-3, but why? Logically the peer-link should be more reliable, as generally it is bundled from multiple physical links.

Thanks in advance.

Regards
YH
[c-nsp] Nexus 7K vPC with Object Tracking
Hi Folks,

The topology is something like: two N7Ks with two downstream N5Ks running dual vPC. Each N7K is single-homed to the core. Since each N7K learns remote networks only over that one core link, if the link goes down the traffic black-holes, because the two N7Ks do not exchange routes. I want to configure object tracking under vPC so that if the core uplink goes down, tracking brings down the downlinks toward the N5Ks. Is anybody using object tracking? Are there any drawbacks/limitations or any design considerations? Please share your thoughts.

Thanks
Regards
Re: [c-nsp] Nexus 7K vPC with Object Tracking
Thank you Oliver,

If the N7K switches have more than 100 VRFs and each VRF has more than one VLAN, then that means it is required to run an equal number of routing processes. In this case, which do you think is the best take: a routing protocol per VRF, or enabling tracking? There may be a better option other than these.

Regards

On Fri, Jan 17, 2014 at 1:55 PM, Oliver Garraux oli...@g.garraux.net wrote:
> You might consider putting a L3 network in place between the two N7K's for routing, so that they can re-route upstream traffic through the core link on the other N7K during a failure rather than bringing the physical links down. It can just be a VLAN w/ SVI's trunked over the VPC peer link.
>
> - Oliver Garraux
> Check out my blog: blog.garraux.net
> Follow me on Twitter: twitter.com/olivergarraux
>
> On Fri, Jan 17, 2014 at 7:48 AM, Yham yhamee...@gmail.com wrote:
> > Hi Folks,
> >
> > The topology is something like: two N7Ks with two downstream N5Ks running dual vPC. Each N7K is single-homed to the core. Since each N7K learns remote networks only over that one core link, if the link goes down the traffic black-holes, because the two N7Ks do not exchange routes. I want to configure object tracking under vPC so that if the core uplink goes down, tracking brings down the downlinks toward the N5Ks. Is anybody using object tracking? Are there any drawbacks/limitations or any design considerations? Please share your thoughts.
> >
> > Thanks
> > Regards
[c-nsp] MPLS-TP OAM
Hi Friends,

I am trying to read about the MPLS-TP OAM features, which look like probably the key reason that leads service providers to deploy it. Can someone please tell me what the key OAM features in MPLS-TP are that cannot be deployed in an MPLS/IP network, with or without traffic engineering? As a network guy, unfortunately I don't have much idea of what OAM features/attributes are used in DWDM-based transport.

Thanks
Rameez
[c-nsp] MPLS-TP on CPT platform vs IP/MPLS core on ASR with TE
Hi Guys,

If a provider already has Ciena as transport with an IP/MPLS core on Cisco ASR, why would they want to deploy CPT with MPLS-TP? Can we compare MPLS-TE vs MPLS-TP, or is this a comparison of apples and oranges? I am new to MPLS-TP and trying to understand in which area MPLS-TP really helps. It is said that MPLS-TP has better OAM features and is IP-less, but what's wrong if I have an IP/MPLS core? I have TE that provides all the redundancy; I can configure diverse paths, reserve bandwidth, and all the maintenance features like local repair.

I will be thankful if you share your thoughts.

Regards
Re: [c-nsp] [j-nsp] NTP Sources placement in MPLS network
Thanks Jared. I am planning to deploy an NTP source that will point to global NTP. I am curious to know where service providers with MPLS networks position the NTP. Any best practices?

Regards

On Mon, Nov 18, 2013 at 5:57 PM, Jared Mauch ja...@puck.nether.net wrote:
> In this case you can sync to any other device or devices that are globally reachable. Typically you can just use some IP that doesn't often change, e.g.: loopback.
>
> If you are running 100% of the network, you can also use the 'ntp broadcast' and similar interface commands to listen/send this data hop-by-hop.
>
> There's lots of ways to do this, and not necessarily a 'wrong' way.
>
> - Jared
>
> On Nov 18, 2013, at 5:54 PM, Yham yhamee...@gmail.com wrote:
> > Thank Jared, NTP is only needed to synchronize the logs so in the event of a failure, logs from related devices can be correlated.
> >
> > Thanks
> >
> > On Mon, Nov 18, 2013 at 2:52 PM, Jared Mauch ja...@puck.nether.net wrote:
> > > This all depends on what you need the clocking for. If you want just generic time for accurate logs?
> > >
> > > Depending on what you want to do, there's cheap NTP clocks like this: http://www.netburnerstore.com/product_p/pk70ex-ntp.htm
> > >
> > > For about $350 (including S/H in the US) you get a GPS clock. With the right location/antenna you can get signal through some roofs.
> > >
> > > There's a variety of higher-end timing options depending on what you need.
> > >
> > > - Jared
> > >
> > > On Nov 18, 2013, at 2:33 PM, Yham yhamee...@gmail.com wrote:
> > > > Hi Guys,
> > > >
> > > > In an SP environment where there are hundreds of PEs and P devices that have hundreds of customer VRFs, what is the best place to connect NTP sources? The place I can think of is connecting them to the VPNv4 Route Reflectors, because they sit at the top of the hierarchy, so the clock can travel downward from RR to PEs and P, and from PEs to CEs and further down if required.
> > > >
> > > > Any thoughts on this please.
> > > >
> > > > Regards

___
juniper-nsp mailing list
juniper-...@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [c-nsp] [j-nsp] NTP Sources placement in MPLS network
Hi Mark, Jared,

Do you really think enabling the NTP service on routers can burden them? I mean in a hierarchical way, where the RRs are directly connected with the NTP sources, then all PEs use the RRs as NTP master, and CEs further down use PEs as NTP master?

Jared, quick question: why do you think an anycast IP on the NTP servers is better than configuring multiple individual servers on devices? One advantage of anycast I can think of is that since (I believe) a device chooses the NTP server that has the better stratum, and if it's the same it chooses the NTP server that responds first when multiple NTP servers are configured, so if an anycast IP is used the device will reach only the closest server. I tried to read about NTP with an anycast IP and found a doc that talks about some risk that I couldn't understand. Below is the snippet and source. Can you please comment on this?

"NTP will also normally work with Anycast. A small risk with NTP is that it generally requires at least two packets from both server and client to get a proper synchronization. If the server fails after the first packet, it will take an extra packet to synchronize with the next available NTP server. The Simple Network Time Protocol (SNTP) does not have this problem."
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.116.6367&rep=rep1&type=pdf page-8

Regards

On Tue, Nov 19, 2013 at 10:31 AM, Mark Tinka mark.ti...@seacom.mu wrote:
> On Tuesday, November 19, 2013 02:02:43 PM Jared Mauch wrote:
> > We have servers in each location with NTP synced to local stratum 1 or 2 clocks. Customers are given an anycast ip that points to these for time sources. We configure routers to point at these local sources.
>
> Agree - better to put that on servers running than burdening routers with NTP functionality in addition to other daily tasks.
>
> Mark.
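An added example for the design discussed in this thread (editor-supplied, not from any of the posters): the NTP client and server side of an IOS PE that syncs from the in-house anycast address, keeps one real unicast server as a fallback for the anycast failure case quoted above, authenticates its sources, and limits who may use it as a time source. All addresses, the key, and the customer range are assumptions: anycast 192.0.2.123, unicast servers 192.0.2.10 and 192.0.2.11, a constructed key string, and 10.0.0.0/8 as the CE space allowed to sync from the PE.

```cisco
! Added example, not from the thread. Assumed: IOS PE with Loopback0 as
! its stable address, anycast NTP 192.0.2.123, unicast servers
! 192.0.2.10/.11, key 1 (constructed sample string), CE space 10.0.0.0/8.
!
! Source all NTP from the loopback so the servers' ACLs and the CEs'
! server lines see one address that never changes with a link failure
ntp source Loopback0
!
! Authenticate the servers: an unauthenticated NTP client will step its
! clock for any responder that answers first, and every log timestamp on
! this PE (the reason for NTP in this thread) follows that clock
ntp authentication-key 1 md5 Ex4mpleNtpK3y
ntp authenticate
ntp trusted-key 1
!
! Anycast address reaches the nearest instance; the unicast line keeps a
! second association alive so that an instance dying between the first
! and second packet of an exchange still leaves a synced fallback
ntp server 192.0.2.123 key 1 prefer
ntp server 192.0.2.10 key 1
!
! Who may do what with this PE's NTP:
!  peer       -> full access, and this PE may sync to them (our servers)
!  serve-only -> time requests only, no control queries (customer CEs)
! Everything else is refused, which also stops the PE answering NTP
! mode-6/7 queries from arbitrary sources
ip access-list standard ACL-NTP-PEERS
 permit 192.0.2.123
 permit 192.0.2.10
 permit 192.0.2.11
ip access-list standard ACL-NTP-CLIENTS
 permit 10.0.0.0 0.255.255.255
ntp access-group peer ACL-NTP-PEERS
ntp access-group serve-only ACL-NTP-CLIENTS
!
! Checks: sync state and stratum, which association is selected (*),
! and whether authentication succeeded for each server
!  show ntp status
!  show ntp associations
!  show ntp associations detail
```

The same stanza applies one layer down with the PE's loopback in place of the server addresses, which is the RR-to-PE-to-CE hierarchy the post describes; the access-group lines are what keep a PE from becoming a public time server for whatever can reach its loopback.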
[c-nsp] NTP Sources placement in MPLS network
Hi Guys,

In an SP environment where there are hundreds of PEs and P devices that have hundreds of customer VRFs, what is the best place to connect NTP sources? The place I can think of is connecting them to the VPNv4 Route Reflectors, because they sit at the top of the hierarchy, so the clock can travel downward from RR to PEs and P, and from PEs to CEs and further down if required.

Any thoughts on this please.

Regards
Re: [c-nsp] [j-nsp] NTP Sources placement in MPLS network
Thank Jared, NTP is only needed to synchronize the logs so in the event of a failure, logs from related devices can be correlated.

Thanks

On Mon, Nov 18, 2013 at 2:52 PM, Jared Mauch ja...@puck.nether.net wrote:
> This all depends on what you need the clocking for. If you want just generic time for accurate logs?
>
> Depending on what you want to do, there's cheap NTP clocks like this: http://www.netburnerstore.com/product_p/pk70ex-ntp.htm
>
> For about $350 (including S/H in the US) you get a GPS clock. With the right location/antenna you can get signal through some roofs.
>
> There's a variety of higher-end timing options depending on what you need.
>
> - Jared
>
> On Nov 18, 2013, at 2:33 PM, Yham yhamee...@gmail.com wrote:
> > Hi Guys,
> >
> > In an SP environment where there are hundreds of PEs and P devices that have hundreds of customer VRFs, what is the best place to connect NTP sources? The place I can think of is connecting them to the VPNv4 Route Reflectors, because they sit at the top of the hierarchy, so the clock can travel downward from RR to PEs and P, and from PEs to CEs and further down if required.
> >
> > Any thoughts on this please.
> >
> > Regards
[c-nsp] eBGP with internet provider from DataCenters
Hi Guys,

If we have two active/active data centers in different geographical locations and are going to peer with the same provider for internet, what are the pros and cons of having the same Autonomous System Number on both data centers? In other words, which is more scalable and practical: having both data centers on a single public ASN, or two different ones, when peering with the same internet providers?

Can you please share your thoughts on it.

Regards