8/9/2019 Advances BGP
1/89
Advances in BGPBRKRST-3371
Gunter Van de Velde
Sr. Technical Leader
© 2013 Cisco and/or its affiliates. All rights reserved. BRKRST-3371 Cisco Public
What is BGP?
Without BGP the Internet would not exist in its current stable and simple form.
It is the plumbing technology of the Internet.
What does a Google search for “bgp abbreviation” find? (Source: http://www.all-acronyms.com/BGP)
Border Gateway Protocol, Bacterial Growth Potential, Battlegroup, Becker, Green and Pearson, Bermuda grass pollen, Berri Gas Plant, beta-glycerophosphate, biliary glycoprotein, blood group, bone gamma-carboxyglutamic acid protein, bone gamma-carboxyglutamic acid-containing protein, bone gla protein, bone Gla-containing protein, Borders Group, Inc., brain-type glycogen phosphorylase, Bridge Gateway Protocol, Broader Gateway Protocol, Bureau de Gestion de Projet, Brain Gain Program
Agenda
Motivation to Enhance BGP
Scale and Performance Enhancements What happened in BGP Landscape?
Some new Cool features that may interest you
BGP started in 1989…
Motivation and development of BGP:
When the Internet grew and moved to an autonomous system (AS) mesh architecture, a stable, non-chatty and low-CPU-consuming protocol was needed to connect all of these ASes together.
In June 1989 the first version of this new routing protocol was formalized with the publishing of RFC 1105, A Border Gateway Protocol (BGP).
Service Provider Routing and Services prog
Multimedia, Mobile Internet and Cloud Services will generate massive bandwidth explosion
Prefix growth is almost a linear curve
Evolution of offered BGP services go from basic technologies to very advanced infrastructur
Control-plane Evolution: most services are progressing towards BGP
Service/transport | Before 2008 | 2013 and future
IDR (Peering) | BGP | BGP (IPv6)
SP L3VPN | BGP | BGP + FRR + Scalability
SP Multicast VPN | PIM | BGP Multicast VPN
DDoS mitigation | CLI | BGP flowspec
Network Monitoring | SNMP | BGP monitoring protocol
Security | Filters | BGP Sec (RPKI), DDoS Mitigation
Proximity | BGP connected app API
SP-L3VPN-DC | BGP Inter-AS, VPN4DC
Business & CE L2VPN | LDP | BGP PW signaling (VPLS)
DC Interconnect L2VPN | BGP MAC signaling (EVPN)
MPLS transport | LDP | BGP+Label (Unified MPLS)
Data Center | OSPF/ISIS | BGP + Multipath
Massive Scale DMVPN | NHRP / EIGRP | BGP + Path Diversity
Campus/Ent L3VPN | BGP (IOS) | BGP (NX-OS)
Why is BGP so successful?
Robustness: runs over TCP
Low overhead protocol: sends an update once and then remains silent
Scalability: path vector protocol, allows full mesh
High Availability: NSR, PIC,…
Well Known : Tons of engineers know BGP
Simplicity: BGP is simple (even if knobs make BGP BIG and sometimes less
Multi-protocol: IPv4, IPv6, L2VPN, L3VPN, Multicast
Incremental: easy to extend: NLRI,Path Attribute, Community
Flexible: Policy
Scale & Performance Enhancements
Update Generation Enhancements
– Update generation is the most important, time-critical task
– It is now a separate process, to provide more CPU quantum
Parallel Route Refresh
– Significant delay (up to 15-30 minutes) was seen in advertising incremental updates while the RR was servicing route refreshes and converging newly established peers
– Refresh and incremental updates now run in parallel
Keepalive Enhancements
– Lost or delayed keepalive messages result in session flaps
– Hence keepalive processing is now placed into a separate process using a priority queuing mechanism
Adaptive Update Cache Size
– Instead of using a fixed cache size, the new code dynamically adapts to the address family used, the available memory and the number of peers in an update group
BGP Scaling
Scale & Performance Enhancements
PE Scaling
– PE-CE Optimization: in old code slow convergence was experienced with large numbers of CEs; improved by intelligently evaluating VPN prefixes based upon the prefixes in the CE's VRF
– VRF-Based Advertise Bits: memory consumption increased when the number of VRFs was scaled on a PE; smart reuse of advertise-bit space per VRF
Route Reflector Scaling
– Selective RIB Download: a Route Reflector needs to receive the full RIB, however not all prefixes MUST be in the Forwarding Information Base (FIB). User policy now allows only selected prefixes to be downloaded into the FIB
More about BGP Performance tuning in BRKRST-3321
BGP Resiliency/HA Enhancement
Issue: slow peers in update groups block convergence of other update group members by filling message queues and transmit buffers
A persistent network issue affecting all BGP routers
Two components to the solution: detection and protection
Detection
– BGP update timestamps
– Peer's TCP connection characteristics
Slow Peer Management
BGP Resiliency/HA Enhancement
Protection
– Move slower peers out of the update group
– A separate slow update group with matching policies is created
– Any slow members are moved to the slow update group
– Detection can be automatic or manual with a CLI command
Automatic recovery
– Slow peers are periodically checked for recovery
– Recovered peers rejoin the main update group
Isolation of slow peers unblocks faster peers and lets them converge as fast as possible
Slow Peer Management
ASR1000 RP2, RP1, ASR1001 and 7200 BGP Route and Scalability Comparison - RR
• Tested with the BGP selective download feature for ipv4/ipv6 for a dedicated RR application. This feature prevents ipv4/ipv6 BGP routes from being installed in RIB and FIB. It reduces memory usage per ipv4/ipv6 prefix and CPU utilization
• ASR 1000 with RP1 allocates ~1.7GB to IOSd, ASR 1001 with 4GB allocates ~1.4GB to IOSd, whereas on the NPE-G2 the entire 2GB is used by IOS
Routes | 7200 NPE-G2 (2GB) | ASR1000 RP1 (4GB) | ASR1001 (4GB) | ASR1001 (8GB) | ASR1001 (16GB) | ASR1000 RP2 (8GB)
ipv4 routes | 4M | 7M* | 2M* | 9M* | 17M* | 12M*
vpnv4 routes | 7M | 6M | 2M | 8M | 16M | 10M
ipv6 routes | 2M | 5M* | 2M* | 8M* | 15M* | 9M*
vpnv6 routes | 6M | 5M | 1.5M | 7.5M | 14.5M | 9M
BGP sessions | | | | | |
ASR 1000 RP1 and RP2 Convergence Performance Comparison
Tested with peer groups (1K RR clients per peer group). The 7200 NPE-G2 cannot converge in the test cases below. ASR1000 RP2 converges about twice as fast as the 7200 NPE-G2 based on RR customer profile testing; CPU utilization is below 5% after convergence.
Link to Isocore report: http://www.cisco.com/en/US/prod/collateral/routers/ps9343/ITD13029-ASR1000-RP2Validationv1_1.pdf
Tested with 1M total unique routes | Total routes reflected by RR to all clients (number of routes x number of clients) | ASR1000 RP1 (4GB) convergence (seconds) | ASR1001 (16GB) convergence (seconds)
ipv4 (1K RR clients) | 1 Billion | 220 | 133
vpnv4 (1K RR clients, 8K RT) | 1 Billion | 680 | 489
ipv6 (1K RR clients) | 1 Billion | 720 | 393
vpnv6 (1K RR clients, 8K RT) | 1 Billion | 877 | 811
ipv4 (2K RR clients) | 2 Billion | 375 | 270
vpnv4 (2K RR clients, 8K RT) | 2 Billion | 1285 | 797
ipv6 (2K RR clients) | 2 Billion | 1126 | 897
vpnv6 (2K RR clients, 8K RT) | 2 Billion | 1766 | 1691
What Happened in the XR Landscape?
Releases 4.0, 4.1, 4.1.1, 4.2, 4.2.1, 4.2.3, 4.2.4, 4.…
• Add-Path support
• Accumulated Interior Gateway Protocol (AIGP) metric attribute
• Unipath PIC for non-VPN address families (6PE/IPv6/IPv4 unicast)
• RT-Constraint
• BGP Accept Own
• Multi-Instance/Multi-AS
• BGP 3107 PIC update for global prefixes
• Prefix origin validation based on RPKI
• PIC for RIB and FIB
• Attribute filtering and error handling
• DMZ Link Bandwidth / Unequal Cost Load Balancing
• Selective VRF Download
• 6PE/6vPE o…
• Next-Generation Multicast VPN
What Happened in the IOS Landscape?
Releases 15.2(1)S, 15.2(2)S, 15.2(4)S, 15.3(1)S, 15.3(2)S
• Origin AS Validation
• Graceful Shutdown
• iBGP NSR
• mVPN BGP SAFI 129
• NSR without Route-Refresh
• Additional Path
• Attribute Filtering and Error Handling
• Diverse Path
• IPv6 client for single-hop BFD
• IPv6 PIC Core and Edge
• RT Constraint
• IP prefix export from a VRF into the global table
• mVPNv6 Extranet support
• Local-AS allow-policy
• RT/VPN-ID attribute rewrite
• VRF-aware conditional announcement
What Happened in the XE Landscape?
Releases 3.8, 3.9
• Multicast VPN BGP Dampening
• Multiple Cluster IDs
• VPN Distinguisher Attribute
• IPv6 NSR
• Local-AS allow-policy
• RT or VPN-ID rewrite wildcard
• VRF-aware conditional advertisement
What Happened in the NX-OS Landscape?
Releases 5.2, 6.0, 6.1, 6.2
• Default-information originate support
• Flexible distance manipulation
• Inject map
• Unsuppress map
• as-format command for AS-plain
• Enhancements for removal of enable route-target import-export
• Inter-AS option B-lite
• BGP authentication for prefix-…
• BGP Add-Path
• BGP send-community both
• BGP neighbor AF weight command
• BGP med confed and AS multipath-relax
• BGP next-hop-self for route reflector
• Prefix Independent Convergence (Core)
• local-as
• AS Override (allowas-in)
• Disable 4-byte AS advertisement
• MP-BGP: MPLS VPNs, 6PE, MDT
PIC Edge Feature Overview
Internet Service Providers provide strict SLAs to their Financial and Business VPN customers, where they need to offer sub-second convergence in the case of core/edge link or node failures in their network
Prefix Independent Convergence (PIC) has been supported in IOS for a while for core link failures as well as edge node failures
BGP Best-External provides support for advertisement of the best external path to the iBGP/RR peers when the locally selected best path is via an internal peer
BGP PIC Unipath provides a capability to install a backup path in the forwarding table to provide prefix independent convergence in case of PE-CE link failure
Figure: VPN1 Site #1 (10.1.1.0/24) – CE1 – PE1/PE2 – MPLS cloud (with RR) – PE3 (primary) / PE4 (backup) – CE2 – VPN1 Site #2 (10.2.2.0/24); traffic flows from Site #1 to Site #2
PIC Edge: PE-CE Link Protection
PE3 configured as primary, PE4 as backup
– PE3 preferred over PE4 by local preference
– CE2 has different RDs in VRFs on PE3 and PE4
– PE4: advertise-best-external, to advertise the route via the PE4-CE2 link
– PE3: additional-paths install, to install primary and backup paths
BGP Resiliency/HA Enhancement
PIC Edge: Link Protection
PE3 has a primary and a backup path
– Primary via the directly connected PE3-CE2 link
– Backup via the PE4 best-external route
What happens when the PE3-CE2 link fails?
BGP Resiliency/HA Enhancement
PIC Edge: Link Protection
CEF (via BFD or a link-layer mechanism) detects the PE3-CE2 link failure
– CEF immediately swaps to the repair-path label
– Traffic is shunted to PE4 and across the PE4-CE2 link
BGP Resiliency/HA Enhancement
PIC Edge: Link Protection
PE3 withdraws the route via the PE3-CE2 link
– The update is propagated to the remote PE routers
BGP Resiliency/HA Enhancement
PIC Edge: Link Protection
BGP on the remote PEs selects a new bestpath
– The new bestpath is via PE4
– Traffic flows directly to PE4 instead of via PE3
BGP Resiliency/HA Enhancement
PIC Edge: Edge Node Protection
PE3 configured as primary, PE4 as backup
– PE3 preferred over PE4 by local preference
– CE2 has different RDs in VRFs on PE3 and PE4
– PE4: advertise-best-external, to advertise the route via the PE4-CE2 link
– PE1: additional-paths install, to install primary and backup paths
BGP Resiliency/HA Enhancement
PIC Edge: Edge Node Protection
PE1 has a primary and a backup path
– Primary via PE3
– Backup via the PE4 best-external route
What happens when node PE3 fails?
BGP Resiliency/HA Enhancement
PIC Edge: Edge Node Protection
PE3 fails: PE3's /32 host route is removed from the IGP
BGP Resiliency/HA Enhancement
PIC Edge: Edge Node Protection
PE1 detects the loss of PE3's /32 host route in the IGP
– CEF immediately swaps the forwarding destination label from PE3 to PE4 using the backup path
BGP on PE1 computes a new bestpath later, choosing PE4
BGP Resiliency/HA Enhancement
Enabling BGP PIC – Enabling IP Routing Fast Convergence
BGP PIC leverages IGP convergence: make sure the IGP converges fast
IOS-XR: IGP timers are pretty much tuned by default
IOS: sample OSPF config:
process-max-time 50
ip routing protocol purge interface
interface …
carrier-delay msec 0
negotiation auto
ip ospf network point-to-point
bfd interval 100 min_rx 100 mul 3
router ospf 1
ispf
timers throttle spf 50 100 5000
timers throttle lsa all 0 20 1000
timers lsa arrival 20
timers pacing flood 15
passive-interface Loopback 0
bfd all-interfaces
Enabling BGP PIC Edge: IOS-XR
Two BGP PIC Edge flavors: BGP PIC Edge Multipath and Unipath
Multipath: the re-routing router load-balances across multiple next hops; backup paths are actively taking traffic and are active in the routing/forwarding plane, as commonly found in active/active redundancy scenarios
– No configuration, apart from enabling BGP multipath (maximum-paths ...)
Unipath: backup path(s) are NOT taking traffic, as found in active/standby scenarios
route-policy backup
  ! Currently, only a single backup path is supported
  set path-selection backup 1 install [multipath-protect] [advertise]
end-policy
router bgp ...
 address-family ipv4 unicast
  additional-paths selection route-policy backup
 !
 address-family vpnv4 unicast
  additional-paths selection route-policy backup
 !
Enabling BGP PIC Edge: IOS
As in IOS-XR, PIC Edge with multipath requires no additional config
PIC Edge unipath needs to be enabled explicitly ...
router bgp ...
 address-family ipv4 [vrf ...]   (or: address-family vpnv4)
  bgp additional-paths install
... or implicitly when enabling best external
router bgp ...
 address-family ipv4 [vrf ...]   (or: address-family vpnv4)
  bgp advertise-best-external
http://www.cisco.com/en/US/docs/ios/iproute_bgp/configuration/guide/irg_bgp_mp_pic.htm
http://www.cisco.com/en/US/docs/ios/ios_xe/iproute_bgp/configuration/guide/irg_best_exte
Question: How will my PEs learn about the alternate paths?
By default my RR only reflects the best route
Figure: PE2 and PE3 both reach prefix Z via their external neighbour E0 and advertise it (NH:PE2, P:Z and NH:PE3, P:Z) to the RR; the RR reflects only its best path (NH:PE2, P:Z) to PE1, so PE1 knows prefix Z via PE2 only
Diverse BGP Path Distribution – Shadow Session
Easy deployment: no upgrade of any existing router is required, just one additional iBGP session per extra path (CLI knob in RR1)
The diverse iBGP session announces the 2nd best path
Figure: RR1 receives NH:PE2, P:Z and NH:PE3, P:Z; it sends the best path (NH:PE2, P:Z) over the normal session and the 2nd best (NH:PE3, P:Z) over the diverse (shadow) session, so PE1 has prefix Z via PE2 and via PE3
BGP Add-Path
Add-Path signals diverse paths, from 2 up to X paths
Requires every Add-Path receiving BGP router to support the Add-Path capability
Figure: RR1 sends both paths for prefix Z to PE1 over a single session, tagged with path identifiers (NH:PE2, P:Z, AP 1 and NH:PE3, P:Z, AP 2)
BGP Add-path flavors
IETF defines 5 flavors of Add-x-Path. 2 are implemented by Cisco:
Add-n-path: with add-n-path the route reflector does best path computation for the prefix and sends the n best paths to the BR/PE.
– Use case: primary + n-1 backup scenario (n is at most 2 for IOS-XR and 3 for IOS).
Add-all-path: with add-all-path the route reflector does the primary best path computation (only for the first path) and then sends all paths to the BR/PE.
– Use case: large DC ECMP load balancing, hot-potato routing scenario
Add-path: selecting second best
1. Select the best path
2. Remove all paths whose next hop == the best's next hop (including the best itself)
3. Run bestpath selection again on the remaining paths to select the backup
Simple rule
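The three-step rule above, as an added Python example that is not code from this deck: a simplified bestpath (the usual Cisco tie-break order of weight, local preference, AS-path length, origin, MED, eBGP over iBGP, IGP metric to next hop, router-id; the other steps are left out) plus the "remove every path that shares the winner's next hop, then select again" rule, generalised here to n paths. The Path class, the ranking helper and the sample paths for prefix Z are assumptions of this example; the contrast with naive_second_best shows why the next-hop rule matters: without it the "backup" can be a second copy of the same next hop and gives no protection.

```python
"""Added example, not code from the Cisco deck: simplified BGP bestpath
plus the Add-path "second best" rule (select best; drop every path whose
next hop equals the best's, the best included; select again), generalised
to n paths. The tie-break order is the usual Cisco sequence; the paths
below are constructed data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str
    as_path: Tuple[int, ...]
    local_pref: int = 100
    weight: int = 0
    origin: str = "igp"
    med: int = 0
    ebgp: bool = False
    igp_metric: int = 0          # IGP cost to reach next_hop
    router_id: str = "0.0.0.0"   # advertising peer's router-id (last tie-break)


def _rank(p: Path) -> tuple:
    """Sort key: the lowest tuple is the preferred path, so attributes
    where higher is better (weight, local_pref) are negated."""
    return (-p.weight, -p.local_pref, len(p.as_path), ORIGIN_RANK[p.origin],
            p.med, 0 if p.ebgp else 1, p.igp_metric,
            tuple(int(o) for o in p.router_id.split(".")))


def bestpath(paths: List[Path]) -> Optional[Path]:
    return min(paths, key=_rank) if paths else None


def naive_second_best(paths: List[Path]) -> Optional[Path]:
    """What you get without the slide's rule: the second-ranked path overall,
    which may share the best path's next hop and so protects nothing."""
    best = bestpath(paths)
    return bestpath([p for p in paths if p is not best])


def addpath_select(paths: List[Path], n: int) -> List[Path]:
    """Best path, then repeated 'second best' selection in which every path
    sharing the previous winner's next hop is removed first, so the paths
    returned all have distinct next hops (fewer than n if there are not
    enough distinct next hops)."""
    remaining = list(paths)
    chosen: List[Path] = []
    while remaining and len(chosen) < n:
        best = bestpath(remaining)
        chosen.append(best)
        remaining = [p for p in remaining if p.next_hop != best.next_hop]
    return chosen


# Constructed sample: prefix Z reachable via PE2 (two copies of the PE2 path,
# e.g. learned from two RRs, the second slightly less preferred) and via PE3
# with a longer AS path.
PATHS_Z = [
    Path("Z", "10.0.0.2", (65002,), local_pref=200, router_id="10.0.0.11"),
    Path("Z", "10.0.0.2", (65002,), local_pref=150, router_id="10.0.0.12"),
    Path("Z", "10.0.0.3", (65003, 65004), local_pref=100, router_id="10.0.0.3"),
]

if __name__ == "__main__":
    for p in addpath_select(PATHS_Z, 2):
        print(p.next_hop, p.local_pref)
    print("naive second best:", naive_second_best(PATHS_Z).next_hop)
```

With the sample data the naive second best is the other PE2 copy (local preference 150), while the Add-path rule returns the PE3 path as backup even though its attributes are worse, because PE3 is the only path that survives a PE2 failure.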
Add-Path Configuration – IOS-XR
Enable in global address-family mode (enables for all iBGP neighbors), or enable/disable in neighbor mode:
router bgp 100
 address-family ipv4 unicast
  additional-paths send
 !
 address-family vpnv4 unicast
  additional-paths send
 !
 neighbor 1.1.1.1
  remote-as 100
  address-family ipv4 unicast
  !
  address-family vpnv4 unicast
  !
 !
 neighbor 2.2.2.2
  remote-as 100
  capability additional-paths send disable
  address-family ipv4 unicast
  !
 !
!
Add-Path Configuration – IOS-XR (receive)
Enable in global address-family mode (enables for all iBGP neighbors), or enable/disable in neighbor mode:
router bgp 100
 address-family ipv4 unicast
  additional-paths receive
 !
 address-family vpnv4 unicast
  additional-paths receive
 !
 neighbor 1.1.1.1
  remote-as 100
  address-family ipv4 unicast
  !
  address-family vpnv4 unicast
  !
 !
 neighbor 2.2.2.2
  remote-as 100
  capability additional-paths receive disable
  address-family ipv4 unicast
  !
 !
!
PIC Edge: Test Results
Test Setup | Node Failure | Link Failure
No PIC Edge, No BFD | 12-14 sec | 8-17 sec
BFD Only | 10-12 sec | 6-12 sec
PIC Edge Only | 8 sec | 4 sec
PIC Edge, BFD | 0 sec | 0 sec
BGP Resiliency/HA Enhancement
Automated Route Target Filtering
Increased VPN service deployment increases the load on VPN routers
– 10% YoY VPN table growth
– Highly desirable to filter unwanted VPN routes
Multiple filtering approaches
– New RT filter address family
– Extended community ORF
BGP Feature
Derive RT filtering information from VPN RT import lists automatically
Exchange filtering info via the RT filter AF or extended community ORF
Translate filter info received from neighbors into outbound filtering
Generate incremental updates for received RT update queries
Incremental deployment possible/desirable
BGP Feature
Figure: PE-1 to PE-4 each hold a subset of VRF-Blue, VRF-Red, VRF-Green and VRF-Purple and advertise an RT-Constraint NLRI listing the RTs they import ({VRF-Blue, VRF-Red}, {VRF-Green, VRF-Purple}, {VRF-Purple, VRF-Blue}, {VRF-Red, VRF-Green}); RR-1 and RR-2 aggregate their clients' filters into {VRF-Blue, VRF-Red, VRF-Green} and {VRF-Green, VRF-Purple, VRF-Blue}
Automated Route Target Filtering
Improves PE and RR scaling and performance by sending only relevant routes
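The RR-side behaviour of the figure, as an added Python example (not Cisco code): a route reflector that keeps the RT-Constraint filter each PE announced, sends only VPN routes carrying a Route Target the PE imports, answers a changed RT list with an incremental advertise/withdraw delta, treats a peer that never sent RT-Constraint as a legacy peer that still gets everything (the incremental-deployment case), and computes the union filter an RR would itself advertise upstream. The RouteRe flector class, the RT names and the VPN table are assumptions of this example.

```python
"""Added example, not Cisco code: a route reflector applying received
RT-Constraint (RT filter address family) NLRI as outbound filters,
with incremental updates when a peer's RT list changes. Routes, RTs and
peer names are constructed sample data."""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

VpnRoute = Tuple[str, FrozenSet[str]]   # ("RD:prefix", {route targets attached})


class RouteReflector:
    def __init__(self, routes: Iterable[VpnRoute]):
        self.routes: Dict[str, FrozenSet[str]] = {key: rts for key, rts in routes}
        self.rt_filter: Dict[str, Set[str]] = {}   # peer -> RTs it asked for
        self.sent: Dict[str, Set[str]] = {}        # peer -> route keys already advertised

    def wanted_by(self, peer: str) -> Set[str]:
        """Route keys the peer should hold: every route for a legacy peer
        (no RT-Constraint received), otherwise only routes that carry at
        least one RT from its filter."""
        if peer not in self.rt_filter:
            return set(self.routes)
        want = self.rt_filter[peer]
        return {key for key, rts in self.routes.items() if rts & want}

    def _sync(self, peer: str) -> Tuple[List[str], List[str]]:
        """Bring the peer up to date and return the (advertise, withdraw) delta."""
        want = self.wanted_by(peer)
        have = self.sent.get(peer, set())
        self.sent[peer] = want
        return sorted(want - have), sorted(have - want)

    def receive_rt_constraint(self, peer: str, rts: Iterable[str]) -> Tuple[List[str], List[str]]:
        """Install or replace the peer's RT filter; only the difference is sent."""
        self.rt_filter[peer] = set(rts)
        return self._sync(peer)

    def peer_up(self, peer: str) -> Tuple[List[str], List[str]]:
        """Initial advertisement to a peer that has not sent RT-Constraint."""
        return self._sync(peer)

    def upstream_rt_constraint(self) -> Set[str]:
        """RT-Constraint NLRI this RR advertises to other RRs: the union of
        its clients' filters, as RR-1 and RR-2 do in the figure."""
        union: Set[str] = set()
        for rts in self.rt_filter.values():
            union |= rts
        return union


# Constructed VPN table on the RR: RD:prefix -> attached Route Targets
ROUTES: List[VpnRoute] = [
    ("1:1:10.1.0.0/24", frozenset({"RT:blue"})),
    ("1:2:10.2.0.0/24", frozenset({"RT:red"})),
    ("1:3:10.3.0.0/24", frozenset({"RT:green"})),
    ("1:4:10.4.0.0/24", frozenset({"RT:purple", "RT:blue"})),
]

if __name__ == "__main__":
    rr = RouteReflector(ROUTES)
    print("PE-1 joins:", rr.receive_rt_constraint("PE-1", {"RT:blue", "RT:red"}))
    print("PE-1 adds green:", rr.receive_rt_constraint("PE-1", {"RT:blue", "RT:red", "RT:green"}))
    print("PE-1 drops red:", rr.receive_rt_constraint("PE-1", {"RT:blue", "RT:green"}))
    print("legacy PE-5:", rr.peer_up("PE-5"))
    print("upstream filter:", sorted(rr.upstream_rt_constraint()))
```

The withdraw half of the delta is what makes the RT filter safe to change at run time: when PE-1 stops importing RT:red, the RR withdraws the red route from PE-1 instead of leaving a stale route behind.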
IOS XR - Accept own
Accept own
This feature allows movement from a PE-based service provisioning model to a centralized route reflector (RR)-based service provisioning model. With this feature, you can define route-to-service-VRF mapping within a centralized route reflector and then propagate this information down to all the PE clients of that RR. Without this feature, you would define the route-to-service-VRF mapping in all PE devices, thereby incurring a high configuration overhead, which could result in more errors.
This feature enables a route reflector to modify the Route Target (RT) list of a VPN route that is distributed by the route reflector, enabling the route reflector to control how a route originated within one VRF is imported into other VRFs.
router#configure
router(config)#router bgp 100
router(config-bgp)#neighbor 10.2.
router(config-bgp-nbr)#address-fa
router(config-bgp-nbr-af)#accept-o
AIGP (Accumulated IGP Metric Attribute for BGP)
http://tools.ietf.org/html/draft-ietf-idr-aigp-09
Optional, non-transitive BGP path attribute
A BGP attribute that gives BGP a way to make its routing decisions based on the IGP metric, to choose the “shortest” path between two nodes in different ASes.
The main driving force for this feature is to solve the IGP scaling problem in some ISP core networks. Mainly to be deployed to carry next-hop prefixes/labels across multiple IGP domains within the same administrative domain.
The remote ingress PE selects its best path using the modified selection process with the AIGP metric.
Overview – AIGP (continued)
Passing the AIGP attribute to non-AIGP-capable neighbors
• Translate AIGP into cost-community
• 2 points of insertion (POI), pre-best-path and igp-cost, are supported
• A transitive keyword makes the cost-community transitive to eBGP neighbors
• Redistribute BGP (with AIGP) into IGP
• Translate the AIGP value into BGP MED
Other software components
• Route installation: for BGP to tag the AIGP metric during route installation
• NH notification: when the AIGP metric changes
– Update generation throttling is not supported in 4.0
– It is highly recommended to deploy BGP best-external and additional-path in conjunction with the AIGP attribute, to effectively achieve the desired routing policy.
AIGP: Originating AIGP
router bgp 1
 address-family ipv4 unicast
  redistribute ospf 1 route-policy set_aigp_1
route-policy set_aigp_1
  if destination in (61.1.1.0/24 le 32) then
    set aigp-metric 111
  elseif destination in (2100::1:0/112, 2100::2:0/112) then
    set aigp-metric igp-cost
  endif
end-policy
AIGP is enabled between iBGP neighbors by default
AIGP between eBGP neighbors needs to be enabled
AIGP can be originated by using redistribute ospf, redistribute isis, redistribute static or the BGP network command. AIGP can also be originated using neighbor address-family inbound or outbound policy to set AIGP to the IGP cost or to a fixed value.
What is Multi-Instance BGP?
A new IOS-XR BGP architecture to support multiple instances, along the lines of OSPF instances
Each BGP instance is a separate process running on the same or a different RP/DRP node
The BGP instances do not share any prefix table between them
No need for a common adj-rib-in (bRIB) as is the case with distributed BGP
The BGP instances do not communicate with each other and do not peer with each other
Each individual instance can set up peering with another router independently
What is Multi-AS BGP?
It is possible to configure each instance of a multi-instance BGP with a different AS number
Global address families, e.g. vpnv4 and vpnv6, can't be configured under more than one AS instance
VPN (VRF) address families may be configured under multiple AS instances as long as those instances do not share any VRFs
Configuration Example
Attribute Filtering and Error Handling
Attribute filtering
– Unwanted optional transitive attributes such as ATTR_SET, CONFED segments and AS4_PATH were causing outages in some equipment
– Prevent unwanted/unknown BGP attributes from hitting legacy equipment: block specific attributes, or block a range of non-mandatory attributes
Error handling – draft-ietf-idr-optional-transitive-04.txt
– The punishment should not exceed the crime
– Gracefully fix or ignore non-severe errors
– Avoid session resets in most cases
– Never silently discard an Update on error, as that can lead to inconsistencies
Architecture
Figure: a received Update passes first through attribute filtering (unwanted attributes, unknown attributes, transitive attributes), then through error handling (invalid attribute contents, wrong attribute length, malformed BGP Updates), and only then reaches NLRI processing
Attribute filtering
First level of inbound filtering
Filtering is configured as a range of attribute codes and a corresponding action to take (Note: never discard the whole Update, as that can lead towards inconsistencies)
Actions
– Discard the attribute
– Treat-as-withdraw
Applied when parsing each attribute in the received Update message
– When an attribute matches the filter, further processing of the attribute is stopped and the corresponding action is taken
Error-handling
Comes into play after attribute filtering is applied
When we detect one or more malformed attributes or NLRIs or other errors in the Update message
Steps
– Classification of errors
– Actions to be taken
– Logging
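The two inbound stages of the architecture above (attribute filtering as each attribute is parsed, then error classification, action and logging), as an added Python example that is not Cisco code. It parses a BGP UPDATE body in RFC 4271 wire format (IPv4 NLRI, 2-octet AS numbers), applies a filter policy of type-code ranges mapped to "discard-attribute" or "treat-as-withdraw", and then classifies what survives (length overrun, duplicate, unrecognised well-known attribute, missing mandatory attribute) into an Update-level action that is never "silently drop the Update". The type codes are the IANA-assigned ones; the filter policy, the sample Updates and the action names are assumptions of this example.

```python
"""Added example, not Cisco code: parse the path-attribute section of a
BGP UPDATE (RFC 4271 wire format, IPv4 NLRI, 2-octet ASNs) with the two
inbound stages the slides describe: attribute filtering by type-code
range, then error handling that classifies what survives into an
Update-level action, never dropping the Update silently. Type codes are
IANA's; policy and sample Updates are constructed here."""
import struct
from typing import Dict, List, Optional, Tuple

ORIGIN, AS_PATH, NEXT_HOP, AS4_PATH, ATTR_SET = 1, 2, 3, 17, 128
FLAG_OPTIONAL, FLAG_TRANSITIVE, FLAG_EXTLEN = 0x80, 0x40, 0x10
MANDATORY = {ORIGIN, AS_PATH, NEXT_HOP}
KNOWN = MANDATORY | {4, 5, 6, 7, 8, 14, 15, 16, AS4_PATH, 18}
SEVERITY = ["accept", "treat-as-withdraw", "session-reset"]  # escalation order
FilterPolicy = List[Tuple[int, int, str]]                    # (low, high, action)


def filter_action(policy: FilterPolicy, code: int) -> Optional[str]:
    return next((act for lo, hi, act in policy if lo <= code <= hi), None)


def parse_nlri(data: bytes) -> List[str]:
    out, i = [], 0
    while i < len(data):
        plen, nbytes = data[i], (data[i] + 7) // 8
        octets = list(data[i + 1:i + 1 + nbytes]) + [0, 0, 0, 0]
        out.append("%d.%d.%d.%d/%d" % (*octets[:4], plen))
        i += 1 + nbytes
    return out


def parse_update(body: bytes, policy: FilterPolicy) -> Dict:
    wlen = struct.unpack("!H", body[:2])[0]
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    attrs_bytes = body[4 + wlen:4 + wlen + alen]
    result = {"action": "accept", "attrs": {}, "log": [],
              "withdrawn": parse_nlri(body[2:2 + wlen]),
              "nlri": parse_nlri(body[4 + wlen + alen:])}

    def escalate(action: str, msg: str) -> None:   # log, never de-escalate
        result["log"].append(msg)
        if SEVERITY.index(action) > SEVERITY.index(result["action"]):
            result["action"] = action

    i = 0
    while i < len(attrs_bytes):
        flags = attrs_bytes[i]
        hdr = 4 if flags & FLAG_EXTLEN else 3
        if i + hdr > len(attrs_bytes):
            escalate("treat-as-withdraw", "truncated attribute header")
            break
        code = attrs_bytes[i + 1]
        length = (struct.unpack("!H", attrs_bytes[i + 2:i + 4])[0] if hdr == 4
                  else attrs_bytes[i + 2])
        if i + hdr + length > len(attrs_bytes):
            escalate("treat-as-withdraw", f"attr {code}: length {length} overruns the Update")
            break
        value = attrs_bytes[i + hdr:i + hdr + length]
        i += hdr + length
        # Stage 1: attribute filtering, before anything else looks at the value.
        action = filter_action(policy, code)
        if action == "discard-attribute":
            result["log"].append(f"attr {code}: discarded by filter")
            continue
        if action == "treat-as-withdraw":
            escalate("treat-as-withdraw", f"attr {code}: filter action treat-as-withdraw")
            continue
        # Stage 2: error handling on the attributes that survived filtering.
        if code not in KNOWN and not flags & FLAG_OPTIONAL:
            escalate("session-reset", f"attr {code}: unrecognised well-known attribute")
            continue
        if code in result["attrs"]:
            escalate("treat-as-withdraw", f"attr {code}: duplicate attribute")
            continue
        result["attrs"][code] = value
    missing = MANDATORY - set(result["attrs"])
    if result["nlri"] and missing and result["action"] == "accept":
        escalate("treat-as-withdraw", f"missing mandatory attributes {sorted(missing)}")
    return result


def attr(flags: int, code: int, value: bytes) -> bytes:
    if len(value) > 255:
        return bytes([flags | FLAG_EXTLEN, code]) + struct.pack("!H", len(value)) + value
    return bytes([flags, code, len(value)]) + value


def build_update(attrs: bytes, nlri: bytes) -> bytes:
    return struct.pack("!HH", 0, len(attrs)) + attrs + nlri   # no withdrawn routes


# Constructed samples for NLRI 10.1.1.0/24 with ORIGIN/AS_PATH/NEXT_HOP present.
MANDATORY_ATTRS = (attr(FLAG_TRANSITIVE, ORIGIN, b"\x00")
                   + attr(FLAG_TRANSITIVE, AS_PATH, bytes([2, 1]) + struct.pack("!H", 65002))
                   + attr(FLAG_TRANSITIVE, NEXT_HOP, bytes([10, 0, 0, 2])))
NLRI = bytes([24, 10, 1, 1])
# Policy in the spirit of the slide: drop ATTR_SET (and any higher code) and AS4_PATH.
POLICY: FilterPolicy = [(ATTR_SET, 255, "discard-attribute"),
                        (AS4_PATH, AS4_PATH, "discard-attribute")]
UPDATE_OK = build_update(
    MANDATORY_ATTRS
    + attr(FLAG_OPTIONAL | FLAG_TRANSITIVE, AS4_PATH, bytes([2, 1]) + struct.pack("!I", 65002))
    + attr(FLAG_OPTIONAL | FLAG_TRANSITIVE, ATTR_SET, b"\x00\x00\xfd\xea"), NLRI)
# Length field claims 50 bytes but only 3 follow: a wrong-attribute-length error.
UPDATE_BAD_LEN = build_update(MANDATORY_ATTRS + bytes([0xC0, 99, 50, 1, 2, 3]), NLRI)
# Code 200 with the Optional bit clear: an unrecognised well-known attribute.
UPDATE_UNKNOWN_WK = build_update(MANDATORY_ATTRS + attr(FLAG_TRANSITIVE, 200, b"\x01"), NLRI)
```

Two points the sample Updates bring out: the filter runs before error handling, so an attribute that would otherwise force a session reset (the unknown well-known code 200) is harmless once the operator discards it by policy; and filtering a mandatory attribute such as NEXT_HOP leaves the NLRI unusable, so the parser downgrades the whole Update to treat-as-withdraw, which is why the slide says to filter only non-mandatory ranges.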
Prefix hijacking
Announce someone else’s prefix
Announce a more specific of someone else’s prefix
Either way, you are trying to “steal” someone else’s traffic by gettinyou – Capture, sniff, redirect, manipulate traffic as you wish
Source: nanog 46 preso
What does the Solution look like?

Multicast VPN Solution Space (complete solution is now available)

(diagram: solution matrix – Service: mVPN IPv4, mVPN IPv6, Native IPv4, Native IPv6; C-Multicast Signaling: PIM, BGP, PORT; Core Tree Signaling: PIM (pt-mpt), P2MP TE (pt-mpt), MLDP (pt-mpt | mpt-mpt); Encapsulation/Forwarding: IP/GRE, LSM)

Multicast VPN – BGP Signaling

BGP customer-multicast signaling and BGP auto-discovery is now added to the multicast VPN solution.
BGP as overlay allows Service Providers to capitalize on a single protocol
Auto-Discovery of PEs and Core tree/tunnel information
(diagram: PE1–PE4 with CE1–CE4, RR, Source, Receivers and RP; BGP Auto-Discovery and BGP C-mroutes between the PEs and the RR; PIM C-Join (*,G) or (S,G) from the CEs; advertisement of Customer Multicast routes over BGP)

BGP Graceful Shutdown

RFC 6198 – April 2011
Old Behaviour
– If session drops then BGP will withdraw all prefixes learned over that session
– BGP has no mechanism to signal that a prefix will soon be unreachable (for maintenance for example)
Historically RR's have worsened the issue as they tend to hide the alternate path as they only forward the best path
BGP Graceful Shutdown allows to do maintenance without service disruption.
This new knob allows a router to notify neighbours to move traffic to other paths and after some time shut down the sessions.
The notification could be done using Local preference or a user community attribute
(diagram: "#Graceful Shutdown – Please wait…"; BGP prefix 10.45… advertised with localpref 10)

Graceful Shutdown

GSHUT well-known community
The GSHUT community attribute is applied to a neighbor specified with the neighbor shutdown graceful command, thereby gracefully shutting down the link in an expected number of seconds
The GSHUT community is specified in a community list, which is referenced by a route map and then used to make policy routing decisions.
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/15-s/irg-15-s-book.pdf
neighbor {ipv4-address | ipv6-address | peer-group-name} shutdown graceful seconds {community value [local-preference value] | local-preference value}

DDoS Mitigation – a stepping-stone approach

Phase I
– ACL
– RTBH
– PBR
– uRPF
Phase II
– Malicious traffic mitigation
– Cleaning of Malicious traffic
– Dirty and clean traffic handling
– Usage of Multi-instance BGP
Phase III
– Dynamic application aware redirection and traffic handling
Release availability shown on the slide: IOS-XR 4.3.1 / IOS-XE partial; IOS-XR 5.2.0 / IOS-XE 3.1.2

DDOS impact on Customer Business

DDoS mitigation architecture 1. Detection (no DDoS)
(diagram: DDOS scrubber, Security Server, DDOS Analyser; sampled Netflow is sent to the analyser, which scans the Netflow data to detect DDOS attacks)

DDoS mitigation architecture 2. Detection (DDOS)
(diagram: same components; the analyser scans the Netflow data and finds a DDOS signature)

DDoS Mitigation: Architecture Considerations

Normal traffic flow when there is no attack
Redirect traffic from any edge PE to any specific DDoS scrubber
– Including the PE that is connected to the host network
Granular (prefix level/network) diversion
– Customers buy DDoS mitigation service for some prefixes
– Pre-provisioned DDoS service for those prefixes (using policy such as a standard community flag)
Centralized controller that injects the diversion route
VPN based labeled return path for the clean traffic
– To prevent routing loops
Solution supports redirection of BGP less/more specific prefixes or locally originated prefixes (… route, redistributed route)
Support for multi-homed customers
– During attack, send clean traffic from the DDOS scrubber to multiple PE's

The concept

Traffic under normal conditions
• Traffic takes the shortest path
• Upstream and downstream follow traditional routing
Pre-provisioned DDoS instrumentation
• Traffic Scrubber: separates clean and malicious traffic
• Security Analyser: analyses Netflow/traffic flows
• Security server: actions upon traffic, communication to …
(diagram: Internet users; ISP with PE1, PE2, PE3, Server, Scrubber, Security analyser and Security server)

BGP based DDoS

Traffic under DDoS condition
• Traffic is redirected to the scrubber
• Scrubber separates out the malicious traffic
• Clean traffic is returned to the destination server
Goal
• Do not drop all traffic
• Collect traffic intelligence
• Operational simplicity
• Easy to remove the redirection once traffic normalizes
(diagram: Internet users; ISP with PE1, PE2, PE3, Server, Scrubber, Security analyser and Security server)

How does it work?

Normal traffic condition
• All PE's peer with the Route-Reflector
• All PE's exchange both Internet and VPN prefixes
• All PE interfaces are in the global table
• Security analyser is doing analyses
(diagram: Internet users; ISP with PE1, PE2 (2.2.2.2) and PE3 (3.3.3.3), Internet and VPN Route-Reflector, Security analyser and Security server; Server 1.1.1.1/32 behind PE2, Scrubber behind PE3; other node addresses 4.4.4.4 and 5.5.5.5)
Routing Table
Destination Next-hop
1.1.1.1/32 2.2.2.2

How does it work?

Server is under DDoS
• Flow is detected at the Security analyser
• Result: Server is under DDoS
• Traffic needs to be redirected to the scrubber to mitigate
Routing Table
Destination Next-hop
1.1.1.1/32 2.2.2.2

How does it work?

Server is under DDoS
• DDoS Route-Reflector is pre-provisioned
• Mitigation route to 1.1.1.1/32 is injected on the DDoS Route-Reflector by the Security server
• Mitigation route to 1.1.1.1/32 pointing to 3.3.3.3 is advertised by the DDoS mitigation RR
(diagram: as above, plus the DDoS Route-Reflector (5.5.5.5) peering with the PEs)
DDoS Route-Reflector
Destination Next-hop
1.1.1.1/32 3.3.3.3

How does it work?

Server is under DDoS
• Mitigation route to 1.1.1.1/32 pointing to 3.3.3.3 is sent to the PE's
• All PE's receive the mitigation route from the DDoS Mitigation RR
• Each PE will now have two routes to reach 1.1.1.1/32
• Which route will win?
DDoS Route-Reflector
Destination Next-hop
1.1.1.1/32 3.3.3.3
BGP Table
Destination Next-hop
1.1.1.1/32 2.2.2.2
1.1.1.1/32 3.3.3.3
Routing Table
Destination Next-hop
1.1.1.1/32 ????????????

How does it work?

Server is under DDoS
Trick #
• The DDoS mitigation route must ALWAYS be preferred
• Both prefix lengths are the same
• DDoS prefix is installed with a better administrative distance than the original prefix
BGP Table
Destination Next-hop
1.1.1.1/32 2.2.2.2
1.1.1.1/32 3.3.3.3
Routing Table
Destination Next-hop
1.1.1.1/32 3.3.3.3

How does it work?

Server is under DDoS
• The mitigated traffic is sent to PE3 (3.3.3.3)
• PE3 is sending the traffic towards the scrubber
• The scrubber will
– Handle and remove the malicious traffic within the flow
– Send the clean traffic towards the original destination (1.1.1.1 at PE2)
BGP Table
Destination Next-hop
1.1.1.1/32 2.2.2.2
1.1.1.1/32 3.3.3.3
Routing Table
Destination Next-hop
1.1.1.1/32 3.3.3.3
(diagram: clean traffic leaves the scrubber back towards PE3)

How does it work?

Server is under DDoS
Problem
• Scrubber sends the clean traffic back to PE3
• PE3 does a routing lookup and finds that it is itself the next hop
• ROUTING LOOP!
• How do we fix this?
• We use a new routing table for the clean traffic
• This routing table is pre-provisioned
BGP Table
Destination Next-hop
1.1.1.1/32 2.2.2.2
1.1.1.1/32 3.3.3.3
Routing Table
Destination Next-hop
1.1.1.1/32 3.3.3.3

How does it work?

Server is under DDoS
• The clean traffic will be received on an interface member of VPN Clean
• PE3 will now do a routing lookup for 1.1.1.1 in VPN Clean
• The matching routing entry is pointing towards PE2
• The clean flow, which arrived in VPN Clean, is sent towards 2.2.2.2
BGP Table
Destination Next-hop
1.1.1.1/32 2.2.2.2
1.1.1.1/32 3.3.3.3
Routing Table
Destination Next-hop
1.1.1.1/32 3.3.3.3 (global)
1.1.1.1/32 2.2.2.2 (VPN Clean)

How does it work?

Server is under DDoS
• PE2 receives the clean traffic within VPN Clean
• PE2 does a routing lookup in VPN Clean
• A matching route is found in VPN Clean
• Flow is forwarded onwards to the server (CE1)
HOLD on a minute: PE2 does not have any interface in VPN Clean
All interfaces on PE2 are global, so how did that clean route for 1.1.1.1/32 end up in VPN Clean?
PE2 Routing Table
Destination Next-hop VPN
1.1.1.1/32 3.3.3.3 Global
1.1.1.1/32 CE1 Clean

How does it work?

Server is under DDoS
Trick
• Copy the local BGP route directly into VPN Clean
• Neighbour details stay those of the global table (i.e. outgoing interface, next-hop)
• Interface pointing to CE1 is NOT VPN aware
• This VPN Clean has no interface of its own in the VPN
• New CLI command: import from default-vrf … advertise-as-vpn
PE2 BGP Table
Destination Next-hop VPN
1.1.1.1/32 CE1 Global
1.1.1.1/32 3.3.3.3 Global
1.1.1.1 CE1 clean
PE2 Routing Table
Destination Next-hop VPN
1.1.1.1/32 3.3.3.3 Global
1.1.1.1/32 CE1 Clean

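As an added example (not code from the deck or from Cisco), a small Python model of the diversion walked through on the "How does it work?" slides: the global table on each PE, the DDoS mitigation route winning on administrative distance although both routes are a /32, the scrubber attached to PE3, and the VPN Clean return path that removes the routing loop. Addresses and table contents are those drawn on the slides; the administrative-distance values and the next-hop-to-PE map are assumptions.

```python
PE_BY_ADDR = {"2.2.2.2": "PE2", "3.3.3.3": "PE3"}   # addresses from the slides
ORIGINAL, MITIGATION = 200, 20   # constructed admin distances; lower wins

def tables(under_attack):
    """Candidate routes per (PE, VRF) as (prefix, next hop, admin distance)."""
    orig = {"PE1": "2.2.2.2", "PE2": "CE1", "PE3": "2.2.2.2"}
    t = {(pe, "global"): [("1.1.1.1/32", nh, ORIGINAL)] for pe, nh in orig.items()}
    if under_attack:  # same /32 from the DDoS RR, next hop PE3 (3.3.3.3)
        for pe in orig:
            t[(pe, "global")].append(("1.1.1.1/32", "3.3.3.3", MITIGATION))
    # VPN Clean: PE3 hands scrubbed traffic to PE2; PE2 carries a copy of its
    # global route towards CE1 (the advertise-as-vpn trick on the slides).
    t[("PE3", "Clean")] = [("1.1.1.1/32", "2.2.2.2", ORIGINAL)]
    t[("PE2", "Clean")] = [("1.1.1.1/32", "CE1", ORIGINAL)]
    return t

def best_next_hop(t, pe, vrf, prefix="1.1.1.1/32"):
    """Longest match is a tie here (both routes are /32), so the lower
    administrative distance decides, as the slides' Trick describes."""
    cands = [r for r in t.get((pe, vrf), []) if r[0] == prefix]
    return min(cands, key=lambda r: r[2])[1] if cands else None

def trace(t, pe, vrf, return_vrf):
    """Follow a packet for 1.1.1.1/32 hop by hop and return the path.
    return_vrf is the VRF of the interface on which the scrubber hands the
    clean traffic back to PE3: 'global' reproduces the loop, 'Clean' the fix."""
    path, seen = [], set()
    while (pe, vrf) not in seen:
        seen.add((pe, vrf))
        path.append(f"{pe}/{vrf}")
        nh = best_next_hop(t, pe, vrf)
        if nh is None:
            return path + ["DROP"]
        if nh == "CE1":
            return path + ["CE1"]       # delivered to the customer server
        if PE_BY_ADDR[nh] == pe:        # next hop is this PE: scrubber is local
            path.append("scrubber")
            vrf = return_vrf
            continue
        pe = PE_BY_ADDR[nh]             # labelled path keeps the VRF context
    return path + ["LOOP"]
```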
Going back to traditional traffic flow

• Remove the route from the DDoS Mitigation RR
• No more route is advertised by the DDoS Mitigation RR
• Traffic flows normally again
(diagram: Internet users; ISP with PE1, PE2, PE3, Internet and VPN Route-Reflector, DDoS Route-Reflector (5.5.5.5), Security server, Server, Scrubber)
DDoS Route-Reflector
Destination Next-hop
1.1.1.1/32 3.3.3.3

Complete Your Online Session Evaluation

Maximize your Cisco Live experience with your free Cisco Live 365 account: download PDFs, view sessions on-demand and follow live activities throughout the year. Click the Cisco Live 365 button and log in.
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Cisco Daily Challenge points for each session evaluation you complete.
Complete your session evaluation online now through either the mobile app or internet kiosk stations.