Re: OSPF vs IS-IS vs PrivateAS eBGP
On 19 Aug 2009, at 16:12, Clue Store wrote: I would like to run an IGP (currently OSPF) to our customers that are multi-homed in a non-mpls environment. They are multi-homed with small prefixes that are swipped from my ARIN allocations. [...]

Customers do, err, interesting and creative things, in unexpected ways. Develop a standard filtering/protection layer from them and deploy it however they connect to you - ergo use one routing protocol. Using bgp means you can transit people who aren't pinching your own arin space with the same filtering techniques. The filtering methods and techniques for customer/provider edges are well understood and documented for bgp, so if you need help, then help is out there. With bgp you'd also leave less of a time bomb for whoever succeeds you in the future. This is before we even look at the technical reasons why bgp is more suitable than a flooding RP for this deployment.

Use BGP ;-)

A
Re: Anyone else seeing (invalid or corrupt AS path) 3 bytes E01100 ?
On Tue, Aug 18, 2009 at 09:37:22AM +0200, Ivan Pepelnjak wrote: Anybody have a handy route-map that will deny anything with a as-path longer than say 15-20? ;-) http://wiki.nil.com/Filter_excessively_prepended_BGP_paths

It will still be a while before we see unbroken 4byte AS behavior (that whole 'fix the teardown on anyone sneezing' problem). But like with stale bogon filters, I expect folks inclined to use this to drop it in and forget about it. So it would be wise to adjust the recommended filter to anticipate a 2byteAS view allowing multiple instances of AS-TRANS; there's likely a more elegant approach, but the quick step of explicitly allowing _(23465_)+ before you deny _([0-9]+)_\1_\1_\1_\1_

Cheers, Joe
-- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
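The regex pair in Joe's post, as an added example that is not part of the original message: a Python model of the IOS as-path access-list, with the "permit AS_TRANS first" quick fix beside a tighter variant that collapses AS_TRANS runs before applying the deny and also enforces the path-length cap Ivan asked about. AS_TRANS is 23456 (RFC 4893); the post's 23465 reads as a transposition, and the code uses 23456. The length limit of 20 and the sample AS paths (private ASNs) are constructed for the example.

```python
import re

# AS_TRANS (RFC 4893) is the 16-bit placeholder that a 2-byte-AS speaker sees
# in place of every 4-byte ASN in a path. The post writes 23465; the
# registered value is 23456, which is what the code uses.
AS_TRANS = 23456
# Upper bound on AS_PATH length, in the 15-20 range Ivan asked about (assumption).
MAX_PATH_LENGTH = 20

# The deny from the post: one ASN followed by four identical hops, i.e. a
# five-deep prepend, written exactly as the IOS as-path regex.
EXCESSIVE_PREPEND = re.compile(r"_([0-9]+)_\1_\1_\1_\1_")
# The permit Joe puts in front of it: any run of AS_TRANS hops.
AS_TRANS_RUN = re.compile(rf"_({AS_TRANS}_)+")


def as_path_string(path):
    """Render an AS_PATH as the '_'-delimited string the IOS regexes match
    against; the outer underscores play the role of the start/end anchors."""
    return "_" + "_".join(str(asn) for asn in path) + "_"


def permit_first_filter(path):
    """Joe's quick fix as an ordered as-path access-list: permit any path with
    an AS_TRANS run, then deny excessive prepends, then the implicit permit.
    Returns True when the path is accepted."""
    s = as_path_string(path)
    if AS_TRANS_RUN.search(s):
        return True           # permit _(23456_)+
    if EXCESSIVE_PREPEND.search(s):
        return False          # deny _([0-9]+)_\1_\1_\1_\1_
    return True


def collapsed_filter(path, max_len=MAX_PATH_LENGTH):
    """Tighter variant (my suggestion, not from the post). The length cap is
    applied to the path as received, since AS_TRANS substitution is one hop
    for one hop. Runs of AS_TRANS are then collapsed to a single hop so they
    neither trip the prepend deny nor hide a real prepend of another ASN."""
    if len(path) > max_len:
        return False
    collapsed = []
    for asn in path:
        if asn == AS_TRANS and collapsed and collapsed[-1] == AS_TRANS:
            continue
        collapsed.append(asn)
    return not EXCESSIVE_PREPEND.search(as_path_string(collapsed))


# Constructed sample paths using private ASNs; none comes from the thread.
SAMPLE_PATHS = {
    "clean":          [64500, 64501, 64502],
    "prepend_x4":     [64500, 64501, 64501, 64501, 64501, 64502],
    "prepend_x5":     [64500, 64501, 64501, 64501, 64501, 64501, 64502],
    "as_trans_run":   [64500, 23456, 23456, 23456, 23456, 23456, 64502],
    "masked_prepend": [64500, 23456, 64501, 64501, 64501, 64501, 64501, 64502],
    "too_long":       [64500 + i for i in range(25)],
}


def evaluate(paths=SAMPLE_PATHS):
    """Return {name: (permit_first_result, collapsed_result)} for each path."""
    return {name: (permit_first_filter(p), collapsed_filter(p))
            for name, p in paths.items()}


if __name__ == "__main__":
    for name, (quick, tight) in evaluate().items():
        print(f"{name:15s} permit-first={quick!s:5s} collapsed={tight}")
```

The "masked_prepend" case is the reason for the tighter variant: a permit-first list accepts any path that merely contains one AS_TRANS hop, so a genuine five-deep prepend of some other ASN slips straight past the deny. The cost of collapsing is the one a 2-byte view always pays: a prepend of a 4-byte ASN is invisible, because every copy arrives as 23456.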
Re: OSPF vs IS-IS vs PrivateAS eBGP
Unless you want your customers to have very substantial control over your internal network, don't use an SPF IGP like ospf or is-is.

with your customer

^ i know that's what you meant, but i thought it worth making it very explicit. practice safe routing, do not share blood with customer. is-is in core with ibgp, and well-filtered ebgp (and packet filters a la bcp 38) to customers.

randy
Re: Anyone else seeing (invalid or corrupt AS path) 3 bytes E01100 ?
On 19/08/2009, at 6:58 AM, Ivan Pepelnjak wrote: No. You cannot influence the inbound traffic apart from not advertising some of your prefixes to some of your neighbors or giving them hints with BGP communities or AS-path prepending. Whatever you do with BGP on your routers influences only the paths the outbound traffic is taking. What you'd actually need is remote-triggered black hole. Search the Nanog archives for RTBH, you'll find a number of links in a message from Frank Bulk sent a few days ago.

Or, you can prepend your advertisement with the troublesome ASN. Works for one or two troublesome ASNs as a quick hack at 3am - don't do it unless you understand why it works and why you shouldn't do it.

--
Nathan Ward
RE: OSPF vs IS-IS vs PrivateAS eBGP
Do not EVER run an SPF routing protocol with your customer. They can insert anything they want into it (due to configuration mistake, malicious intent or third-party hijacking) and your whole network (or at least the other customers) will be affected. Just to give you a few examples:

* They could hijack the host route to your DNS server and spoof every other customer of yours that uses your DNS
* They could hijack the host route to your POP3 server and collect the usernames and passwords of your residential users
* Company A could hijack the host route to the web server of company B.
* They could insert a better default route than you do and at least some of your routers will listen to them.
* If they ever make a total mess and start flapping their LSAs, your whole network will be affected and all your routers will burn CPU running the SPF algorithm.

If you absolutely insist on not using BGP (but then BGP is the only currently available routing protocol designed to handle routing in scenarios where the two parties don't necessarily trust each other), use RIP. It's safer than OSPF, at least you can filter the incoming updates.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-Original Message-
From: Clue Store [mailto:cluest...@gmail.com]
Sent: Wednesday, August 19, 2009 5:13 PM
To: nanog@nanog.org
Subject: OSPF vs IS-IS vs PrivateAS eBGP

Hi All,

I know this has been discussed probably many times on this list, but I was looking for some specifics about what others are doing in the following situations. I would like to run an IGP (currently OSPF) to our customers that are multi-homed in a non-mpls environment. They are multi-homed with small prefixes that are swipped from my ARIN allocations. OSPF has been flaky at best under certain conditions and I am thinking of making the move to IS-IS. I have also seen others going to private AS and running eBGP. This seems a bit much, but if it works, I'd make the move to it as I like bgp the most (all of the BGP knobs give me the warm and fuzzies :). I'd also like to see what folks are using in a MPLS network?? OSPFv3 or IS-IS or right to MP-BGP and redist static from the CE to PE??? On and off list are welcome. I'll make a summary after I gather the info.

Thanks,
Clue
Re: OSPF vs IS-IS vs PrivateAS eBGP
On Wed, Aug 19, 2009 at 12:58:01PM -0500, Clue Store wrote: [snip] would like to go with , but I have had some in the industry say this is not as good as running an IGP with the customer.

Name and shame. TTBOMK, no-one who thought walking that road was a Good Idea did so for long after starting down the path.

As far as 'customer choice' goes, the customer is indeed always right when it comes to their *desired goal* in the abstract (multihoming, etc), but rarely if ever in its implementation.

Cheers, Joe
-- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
Re: OSPF vs IS-IS vs PrivateAS eBGP
Clue Store said the following on 20/8/09 01:12 : I know this has been discussed probably many times on this list, but I was looking for some specifics about what others are doing in the following situations.

Discussed on list, presented in tutorials, how much more advice is actually required? ;-)

I would like to run an IGP (currently OSPF) to our customers that are multi-homed

Several have replied saying don't ever do this. The I in IGP stands for interior - which means inside your network, which does not mean outside your network. For the latter, we have BGP - if BGP for some reason seems too hard, check out the NANOG tutorials on the subject.

Good luck!

philip
--
Re: OSPF vs IS-IS vs PrivateAS eBGP
Thanks again for all of the replies on and off list. As I stated earlier, I did not think IGP was the protocol of choice for running to customers, I've just been to many different houses that do actually do this. 99% of all of our customer CPE is not managed by the customer, so that leaves it up to me to decide what to run to them. The only issue with using ebgp is getting enough of my staff that actually understand bgp to the point where they can deploy it themselves without having to get me involved on every install. I think I can make this a pretty cookie-cutter config to start off and then work from there. We are moving to a new NOC so this network will get a fresh start (new 7513-sup720, few m10i's, and a dozen or so 7200vxr's). So my deployment strategy will be ebgp with multi-homed customers. I just had to poke the fire so I had some ammo for upper management when they ask why I decided to go ebgp. And yes Philip, I actually have many of those presentations saved on my drive as they were all for naught ;)

Once again, thanks all for the replies.

Clue

On Thu, Aug 20, 2009 at 8:26 AM, Philip Smith p...@cisco.com wrote:
RE: F5/Cisco catalyst configuration question
Darren,

It's the F5-BIG-LTM-6400, pair of them. Thanks for your info. Got a lot of good, helpful responses.

Best regards,
Scott Spencer
Data Center Asset Recovery/Remarketing Manager
Duane Whitlow Co. Inc.
Nationwide Toll Free: 800.977.7473. Direct: 972.865.1395 Fax: 972.931.3340
sc...@dwc-computer.com
www.dwc-it.com
Cisco/Juniper/F5/Foundry/Brocade/Sun/IBM/Dell/Liebert and more ~

From: packetmon...@gmail.com [mailto:packetmon...@gmail.com] On Behalf Of Darren Bolding
Sent: Wednesday, August 19, 2009 6:58 PM
To: Christopher Greves
Cc: Scott Spencer; nanog@nanog.org
Subject: Re: F5/Cisco catalyst configuration question

What model BIG-IP? On some models I have had to set the BIG-IP's or the 6500 (can't remember which) to specified speed/duplex and the other side to auto. I believe it was auto on the BIG-IP and fixed on the 6500. Setting both sides the same did not work.

On Wed, Aug 19, 2009 at 10:41 AM, Christopher Greves christopher.gre...@mindspark.com wrote:

Scott,

We've had issues in the past with IOS 6500's auto-negotiating uplink ports with an LTM into ISL Trunk mode. This only occurred when we had the port on the LTM configured as a tagged interface. It was easily solved by forcing the port on the 6500 into dot1q encapsulation. I'm not sure this necessarily explains why you aren't seeing a link light on the LTM though. I can't remember what the interface status was on both sides. This does correlate to why it's working on the 2950's as they don't support ISL and would likely negotiate into dot1q.

Chris
Christopher Greves | Senior Systems Engineer
One North Lexington Ave, 9th Floor - White Plains, NY 10601
T 914-826-2067 | C 914.420.8340 | E christopher.gre...@mindspark.com
Mindspark Interactive Network, Inc. is an IAC company.

-Original Message-
From: Scott Spencer [mailto:sc...@dwc-computer.com]
Sent: Wednesday, August 19, 2009 1:13 PM
To: nanog@nanog.org
Subject: F5/Cisco catalyst configuration question

Trying to link an F5 Local Traffic Manager with a Cisco Catalyst 6500, have matched ports (speed, duplex etc.) but no link light at all on the F5. Does link with a Cisco 2950 switch in between but I need a direct connection with the 6500. Any suggestions what to try?

Best regards,
Scott Spencer

--
-- Darren Bolding --
-- dar...@bolding.org --
RE: F5/Cisco catalyst configuration question
This couldn't be something as simple as a crossover cable, could it?

-Original Message-
From: Scott Spencer [mailto:sc...@dwc-computer.com]
Sent: Thursday, August 20, 2009 11:24 AM
To: 'Darren Bolding'; 'Christopher Greves'
Cc: nanog@nanog.org
Subject: RE: F5/Cisco catalyst configuration question

Darren,

It's the F5-BIG-LTM-6400, pair of them. Thanks for your info. Got a lot of good, helpful responses.
RE: F5/Cisco catalyst configuration question
That is what I was thinking when I first read your email. I would agree with Darren.

CL

-Original Message-
From: Dylan Ebner [mailto:dylan.eb...@crlmed.com]
Sent: Thursday, August 20, 2009 10:36 AM
To: Scott Spencer; 'Darren Bolding'; 'Christopher Greves'
Cc: nanog@nanog.org
Subject: RE: F5/Cisco catalyst configuration question

This couldn't be something as simple as a crossover cable, could it?
Re: OSPF vs IS-IS vs PrivateAS eBGP
Am I alone in my view that BGP is _far_ more simple and straight-forward than OSPF

this is a very telling statement in a number of ways. that ospf has become exceedingly complex, and all that results thereof. that both are known for their complexity.

randy
Re: OSPF vs IS-IS vs PrivateAS eBGP
Gary T. Giesen wrote: FWIW, we use BGP to our multihomed customers (even when we manage the CPE), using a private AS. OSPF doesn't have the right toolset to provide protection for inter-network route propagation, and the risk of some customer's CPE screwing up your routing is just too high to go naked. A basic CPE BGP config is not too difficult to template, and you don't necessarily have to use prefix filters on it (although you definitely need them on YOUR side). And once you've got it deployed, you'll find the knobs you can turn to do things like TE (ie. data down one pipe, voice down the other, and failover for both) will have both you and your customers loving it. (What? I can actually use that spare circuit that normally does nothing?!?).

This is pretty much how I do it for our 100Mb fibre clients. Most of them are upgrading from a 2Mbps SDSL circuit (which has been hugely profitable) to 100Mb Ethernet over fibre. Instead of erasing the revenue of the SDSL, I had this bold approach (mgmt speak) whereas I'd make both circuits worthwhile, by making them redundant.

Configure eBGP from your edge to the client edge using private-AS. Since I already have copy/paste templates (thanks to RANCID), I make it a habit to ensure filters are at both ends. Goes without saying that BCP-38 is followed, and strict is deployed everywhere possible. peer-group and regexes are handy.

Even for clients who have a single connection (particularly where we control the CPE), I implement eBGP on it so that if I so have the need, I can move their connection about my network with relative ease, even if I know they will never be multi-homed into us.

Since my upstream doesn't allow me to BGP peer with them (v4) (they statically route my own ARIN block to me), my v4 experience ends within my own network. *sigh*

Either way, even though I'm small and perhaps irrelevant, if in the same sentence you read my network and customer network, use BGP.

Steve
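The provider-side customer policy that Ivan's OSPF examples argue for and that Steve describes (private-AS eBGP, filters at both ends), as an added example that is not code from the thread: a Python model of the inbound policy on the provider edge, with a prefix-list bounded to the customer's SWIP'd block, first-hop and loop checks on the AS path, and a maximum-prefix limit. The loop check is also the mechanism behind the "prepend the troublesome ASN" hack in Nathan Ward's post above. All prefixes, ASNs, the prefix-list bounds and the sample UPDATEs are constructed for the example.

```python
import ipaddress

# All values are constructed for this example (documentation prefixes and
# private ASNs); none is taken from the thread.
PROVIDER_ASN = 64496      # our ASN, used for loop detection
CUSTOMER_ASN = 65001      # private ASN handed to this customer
# Equivalent of "ip prefix-list CUST-IN permit 203.0.113.64/26 le 27":
# the customer's SWIP'd /26, plus more-specifics down to /27 for TE.
CUSTOMER_PREFIX_LIST = [(ipaddress.ip_network("203.0.113.64/26"), 27)]
MAX_PREFIX = 2            # deliberately tiny so the sample session trips it


def check_update(update, customer_asn=CUSTOMER_ASN, own_asn=PROVIDER_ASN,
                 prefix_list=CUSTOMER_PREFIX_LIST):
    """Inbound policy for one customer-originated UPDATE. Returns (True, 'ok')
    or (False, reason). Each check is a knob a flooding IGP does not have."""
    prefix = ipaddress.ip_network(update["prefix"])
    path = list(update["as_path"])
    if prefix.prefixlen == 0:
        return False, "default route from customer"
    if not path or path[0] != customer_asn:
        return False, "first AS is not the peer's ASN"
    if own_asn in path:
        # Standard eBGP loop detection: a path that already contains our own
        # ASN is dropped. It is also why prepending someone else's ASN (the
        # 3am hack in the thread) keeps that network's traffic away.
        return False, "own ASN in path (loop)"
    if set(path) != {customer_asn}:
        return False, "transit/unexpected ASN in path"
    for net, max_len in prefix_list:
        if (prefix.version == net.version and prefix.subnet_of(net)
                and prefix.prefixlen <= max_len):
            return True, "ok"
    return False, "prefix outside customer assignment or too specific"


def process_session(updates, max_prefix=MAX_PREFIX, **policy):
    """Apply the policy to a sequence of UPDATEs and enforce a maximum-prefix
    limit the way 'neighbor ... maximum-prefix N' does: once more than N
    prefixes have been accepted the session is reset and everything learned
    from the peer is withdrawn."""
    accepted, rejected = [], []
    for u in updates:
        ok, reason = check_update(u, **policy)
        if not ok:
            rejected.append((u["prefix"], reason))
            continue
        accepted.append(u["prefix"])
        if len(accepted) > max_prefix:
            return {"installed": [], "rejected": rejected, "session_up": False}
    return {"installed": accepted, "rejected": rejected, "session_up": True}


# Constructed sample session: what a customer CPE might send, including the
# misconfigurations and hijacks Ivan lists for OSPF.
SAMPLE_UPDATES = [
    {"prefix": "203.0.113.64/26", "as_path": [65001]},                # its own /26
    {"prefix": "203.0.113.64/27", "as_path": [65001, 65001, 65001]},  # TE more-specific, prepended
    {"prefix": "0.0.0.0/0",       "as_path": [65001]},                # "a better default route"
    {"prefix": "203.0.113.10/32", "as_path": [65001]},                # host route to a provider server (DNS hijack)
    {"prefix": "203.0.113.64/28", "as_path": [65001]},                # longer than the prefix-list allows
    {"prefix": "203.0.113.64/26", "as_path": [65002]},                # wrong neighbour ASN
    {"prefix": "198.51.100.0/24", "as_path": [65001, 65010]},         # company B's block via another AS
    {"prefix": "203.0.113.64/26", "as_path": [65001, 64496]},         # our own ASN in the path
    {"prefix": "203.0.113.96/27", "as_path": [65001]},                # valid, but pushes the count past MAX_PREFIX
]


def run_sample(max_prefix=MAX_PREFIX):
    return process_session(SAMPLE_UPDATES, max_prefix=max_prefix)


if __name__ == "__main__":
    print("limit 10:", run_sample(10))
    print("limit  2:", run_sample())
```

Run with a limit of 10 to see which check catches each sample update; with the default limit of 2 the ninth, otherwise valid, update resets the session, which is what you want when a CPE starts leaking a full table. As Steve says, the same filters belong on the customer side too, and none of this replaces BCP 38 packet filtering on the interface itself.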
Re: OSPF vs IS-IS vs PrivateAS eBGP
Clue Store wrote: I couldn't agree more. Most of my staff are still under the impression in Cisco land that the network 10.0.0.0 255.255.255.0 statement injects that network into OSPF, when it simply turns on OSPF for the interfaces that are in that network.

I'm really glad to see that Cisco made this change in OSPFv3 for v6. Cisco legacy commands make it hard on those learning fresh. I still get annoyed when I can't use CIDR notation in a config statement. I think, if nothing else, v6 is giving Cisco a fresh start at reimplementing some things. After dealing with Juniper awhile, I shifted some policies to mirror Juniper's method of doing things. At least that sorted out some confusion for others in the routers. Sadly, Cisco specific shortcuts still look cleaner and easier to manage in the config, but they also require more thought and understanding of what is going on.

Jack