[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?
Justin M. Streiner
streiner at cluebyfour.org
Fri Jun 10 09:44:31 EDT 2005
On Fri, 10 Jun 2005, Sam Crooks wrote:
> So... given this type of arrangement (Ethernet physical connectivity)...
> being an end-user to 2+ SPs, but no peering (ISP business-sense... I have no
> customers to provide transit for) with regional or global AS's, I need
> either BGP with default route only or partial with default routes?
Default-only is only useful if you want to run in an active-standby mode.
If you want to do active-active, you need more than that. If you have a
platform that can handle multiple full route feeds, it doesn't hurt to
take them. That gives you the most control over how you choose to route
your traffic.
> Would full routes with default be wasted on me, since I have 2+ exits, and
> am peering (BGP sense) for access (transit), not peering to provide transit
> for my customers?
See above.
> Given Ethernet physical connectivity ... would a 3750, 4948, 6500, etc. make
> more sense as a "border router" than, say, a 7200, 7600 etc.? DDoS is the
> primary concern, followed closely by cost... if a 3750 switch used as the
> border router/switch to a BGP peer will fall over under a moderate to
> medium DDoS attack vs. a 7200 vs. a 6500/7600 ... better to buy the 7200
> router or 7600 router.... The difference in price seems to be at least an order
> of magnitude for a 3750 or 4948 or 7200 vs. a 6500/7600, given my performance
> needs are near the low end of the 6500/7600 (not to mention 12000) spectrum...
The 6500 is a fine option, but you will pay for it. If you choose to
take full routes, you need to use a supervisor engine that can take at a
minimum 256 MB of RAM and can handle the CPU load of managing full feeds.
6500s are also good because you can add flexwan modules if you have to
handle a traditional WAN circuit for some reason. While the 3750 can do
layer 3 routing, I don't think it would make a good choice for a border
router. I don't have any experience with the 4948, so I really couldn't
comment on that.
> My understanding is:
>
> I colo in a particular facility
>
> As part of the colo bundle, I get 10 Mbps (burstable to 100Mbps) to the
> layer 2 LAN where the 42+ carriers peer with customers and each other.
>
> I have to separately arrange paid transit with whatever 2+ carriers are
> ultimately decided upon as the SPs.
>
> Get an AS (maybe before previous step)
You will need an AS before you can speak BGP with multiple providers.
> I have to either have my own /24 CIDR block (ARIN assigned, maybe difficult
> to get) OR get a /24+ from an SP, and get the other N+ carriers to announce
> it for me
Once you are speaking BGP with your upstreams, or as a part of establishing
service, you will announce your own >=/24 routes and your upstreams will
propagate that announcement into the global Internet routing table. The
/24 can come from one of your providers, and once you get enough space to
justify a block of provider independent space from ARIN, then that's the way
to go. I believe multi-homed networks need to have at least a /22 of space
before they can request space from ARIN.
> ....Something similar for a backup colo facility, ie: connectivity, and
> transit agreement for announcing a small CIDR block of another SP, as going
> to my AS.
> Arrange whatever connectivity (metro Ethernet, DS-x, whatever) from coloA
> and coloB to my office for my management/maintenance purposes, as well as
> whatever point-to-point connection services between coloA and coloB I need.
Correct.
jms
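As an added illustration of the arrangement discussed in this thread (it is not configuration from either poster), here is a minimal Cisco IOS BGP setup for a site that takes full routes from two upstreams over Ethernet and announces its own /24. The AS numbers (64496, 64500, 64501), the /24 (192.0.2.0/24) and the peer addresses are documentation/placeholder values and must be replaced; the inbound filter drops RFC 1918 space and the site's own block so that a bogus or leaked copy of the /24 cannot be learned from the outside, and the outbound filter guarantees that only the /24 ever leaves the router, even if a full table is accidentally redistributed.

```ios
! Assumed values: our ASN 64496, our block 192.0.2.0/24, upstream A in AS 64500,
! upstream B in AS 64501. All are placeholders from the documentation ranges.
ip prefix-list OUR-PREFIXES seq 5 permit 192.0.2.0/24
!
! Prefixes that must never be accepted from an upstream
ip prefix-list INBOUND-BOGONS seq 5 permit 0.0.0.0/8 le 32
ip prefix-list INBOUND-BOGONS seq 10 permit 10.0.0.0/8 le 32
ip prefix-list INBOUND-BOGONS seq 15 permit 172.16.0.0/12 le 32
ip prefix-list INBOUND-BOGONS seq 20 permit 192.168.0.0/16 le 32
ip prefix-list INBOUND-BOGONS seq 25 permit 192.0.2.0/24 le 32
!
route-map FROM-UPSTREAM deny 10
 match ip address prefix-list INBOUND-BOGONS
route-map FROM-UPSTREAM permit 20
!
! Only our own block may be announced; the implicit deny blocks everything else
route-map TO-UPSTREAM permit 10
 match ip address prefix-list OUR-PREFIXES
!
router bgp 64496
 bgp log-neighbor-changes
 ! Originate the /24; the Null0 route below keeps the network statement active
 network 192.0.2.0 mask 255.255.255.0
 !
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 description Upstream A - full routes
 neighbor 198.51.100.1 password <SESSION-KEY-A>
 neighbor 198.51.100.1 route-map FROM-UPSTREAM in
 neighbor 198.51.100.1 route-map TO-UPSTREAM out
 ! Tear the session down rather than exhaust memory if the feed balloons
 neighbor 198.51.100.1 maximum-prefix 250000 90
 !
 neighbor 203.0.113.1 remote-as 64501
 neighbor 203.0.113.1 description Upstream B - full routes
 neighbor 203.0.113.1 password <SESSION-KEY-B>
 neighbor 203.0.113.1 route-map FROM-UPSTREAM in
 neighbor 203.0.113.1 route-map TO-UPSTREAM out
 neighbor 203.0.113.1 maximum-prefix 250000 90
!
ip route 192.0.2.0 255.255.255.0 Null0
```

With both full feeds accepted, the router chooses the best path per destination, which is the active-active behaviour described above; with default routes only, the choice collapses to whichever default is preferred.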