[c-nsp] Peering module
Howard C. Berkowitz
hcb at gettcomm.com
Fri Apr 29 07:55:18 EDT 2005
Some Cisco presentations recommend replacing conventional
interprovider routers with "peering modules" of two routers
interconnected with an L2/L3 switch. The main rationale is to have a
greater number of central processors and/or line card engines over
which packet inspection and filtering can be distributed, as well as
using the interconnecting switch to provide a place for firewall,
network management, IDS, etc. blades.
What has not been clear in the PPTs I've seen is the BGP
relationship between the two routers, which are meant to be treated
as one subsystem. The ingress router (with respect to the outside)
clearly has to have its BGP isolated from the rest of the AS, so it
can't be part of the iBGP mesh.
My assumption is that the ingress router has to be either a
confederation AS, or route reflector client, talking to the egress
router. The latter is part of the main iBGP mesh, although it could
be a client in the next hierarchical reflection cluster.
Is this a correct architectural assumption? Can anyone point me to,
or provide a representative configuration?
Also, I'm unclear, in the peering module configuration, if static ARP
between the two routers, via the switch, is preferred. I understand
that is the recommended logic in a sinkhole, as a partial guard
against exploits that overwhelm the ingress router.
Howard
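A representative IOS configuration sketch for the route-reflector-client variant Howard describes, added here as an illustration and not taken from the post, a reply, or any Cisco document. The hostnames, AS numbers (65000 local, 64496 external), addresses and interface names are constructed placeholders; the ingress/egress link is assumed to be reachable from the core (for example via the IGP) so that reflected next hops resolve.

```ios
! ---- PM-INGRESS: outside-facing router ----
! Speaks eBGP to the external peer and iBGP ONLY to PM-EGRESS.
! It is a reflector client, so it never joins the AS-wide iBGP mesh.
hostname PM-INGRESS
!
interface GigabitEthernet0/0
 description eBGP link to external peer (constructed addressing)
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description link to PM-EGRESS through the peering-module switch
 ip address 10.0.0.1 255.255.255.252
!
router bgp 65000
 bgp router-id 10.255.0.1
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description External peer
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 description PM-EGRESS (route reflector)
 ! Rewrite next hop so the core never needs the external link subnet
 neighbor 10.0.0.2 next-hop-self
!
! ---- PM-EGRESS: inside-facing router ----
! Reflects PM-INGRESS's routes into the AS and is a normal member of
! the main iBGP mesh (or itself a client of a higher-level cluster).
hostname PM-EGRESS
!
interface GigabitEthernet0/1
 description link to PM-INGRESS through the peering-module switch
 ip address 10.0.0.2 255.255.255.252
!
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
!
router bgp 65000
 bgp router-id 10.255.0.2
 bgp cluster-id 1
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 description PM-INGRESS (reflector client)
 neighbor 10.0.0.1 route-reflector-client
 ! Placeholder for one member of the main iBGP mesh
 neighbor 10.255.0.10 remote-as 65000
 neighbor 10.255.0.10 description core iBGP mesh member
 neighbor 10.255.0.10 update-source Loopback0
```

The confederation alternative Howard mentions would instead place PM-INGRESS in its own sub-AS with `bgp confederation identifier` / `bgp confederation peers` on both routers; the reflector form above keeps a single AS number and is the smaller change.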