[c-nsp] Best way to filter local traffic from Internet traffic

Deepak Jain deepak at ai.net
Mon Jun 9 18:02:54 EDT 2008

Justin M. Streiner wrote:
> On Mon, 9 Jun 2008, root net wrote:
> 
>> I have a customer that wants a 100/1000 Mb/s pipe into our network for
>> our local customers.  This customer is also a customer but he has a
>> dedicated 10 Mb/s circuit to the Internet and is maxing out on bandwidth.
>> Wishes to buy the 100/1000 Mb/s pipe for our local network access only,
>> not Internet.  What is the best way to filter this?
> 
> If you're running BGP with this customer, or can do so, you can feed them
> your local and customer routes and you can have them announce their 
> blocks to you over that pipe.  Use the knobs that BGP provides, such as 
> local preference or MED to make the prefixes sent and received over the 
> 100/1000 Mb/s pipe preferred over their normal transit pipe.  This will 
> push traffic between your network and theirs over the higher bandwidth 
> link, and only use the 10 Mb/s pipe if the larger one is down.
> 
> That's a pretty simplistic view of it and doesn't take into account any 
> other connectivity the customer might have.

If you know your list of customer prefixes (whether by BGP community, or 
some other knowable means, like a prefix list) you can set all traffic 
over the 1000/100 Mb/s pipe to drop (by ACL) all packets not destined for 
your customers at the input interface. This is ideal if he is mostly 
pushing bytes into your network.

Internally to your network, you can use MEDs to pref the 100/1000 Mb/s 
interface for traffic to him, but once the packets get into your network 
(either from your customers or from the internet) you get into much more 
complicated issues about what constitutes "local" vs "internet" traffic, 
and MPLS or PBR are probably unavoidable.

Deepak Jain
AiNET
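The two pieces suggested in this thread (the BGP session with route-maps that prefer the large link, and the inbound ACL that drops anything on that link not destined for local customer space) fit together in one IOS configuration. The following is an added illustration, not configuration from either poster; the AS numbers, interface names, the 10.0.0.0/30 link addressing and the documentation prefixes (192.0.2.0/24 and 198.51.100.0/24 as "your" customer space, 203.0.113.0/24 as the customer's own block) are all constructed placeholders.

```cisco
! --- Prefix lists (constructed placeholder prefixes) ---
! Your local customer space that the big link is allowed to reach
ip prefix-list LOCAL-CUSTOMERS seq 5 permit 192.0.2.0/24
ip prefix-list LOCAL-CUSTOMERS seq 10 permit 198.51.100.0/24
! The customer's own block, the only source you accept on this link
ip prefix-list CUSTX-BLOCKS seq 5 permit 203.0.113.0/24
!
! --- Inbound ACL on the 100/1000 link ---
! An inbound interface ACL on IOS also sees packets addressed to the
! router itself, so the BGP session must be permitted explicitly.
ip access-list extended LOCAL-ONLY-IN
 permit tcp host 10.0.0.2 host 10.0.0.1 eq bgp
 permit tcp host 10.0.0.2 eq bgp host 10.0.0.1
 ! Customer block -> your local customers only (also anti-spoofs the source)
 permit ip 203.0.113.0 0.0.0.255 192.0.2.0 0.0.0.255
 permit ip 203.0.113.0 0.0.0.255 198.51.100.0 0.0.0.255
 ! Everything else (Internet-bound, spoofed sources) is dropped at ingress.
 ! Keep "log" off a line-rate link in production; it is here for testing.
 deny ip any any log
!
interface GigabitEthernet0/1
 description Customer X - local-only 100/1000 Mb/s link (assumed interface)
 ip address 10.0.0.1 255.255.255.252
 ip access-group LOCAL-ONLY-IN in
!
! --- BGP policy ---
! Routes learned from the customer on this link win inside your network,
! so traffic toward him leaves over the big pipe rather than transit.
route-map FROM-CUSTX-LOCAL permit 10
 match ip address prefix-list CUSTX-BLOCKS
 set local-preference 200
!
! Send him only your local/customer routes with a low MED, so his side
! prefers this link for traffic to you; no default or transit routes here.
route-map TO-CUSTX-LOCAL permit 10
 match ip address prefix-list LOCAL-CUSTOMERS
 set metric 10
!
router bgp 64496
 neighbor 10.0.0.2 remote-as 64497
 neighbor 10.0.0.2 description Customer X (local-only link)
 neighbor 10.0.0.2 route-map FROM-CUSTX-LOCAL in
 neighbor 10.0.0.2 route-map TO-CUSTX-LOCAL out
 neighbor 10.0.0.2 maximum-prefix 100
```

The ACL is the hard guarantee: even if the customer's routing sends Internet-bound packets down the big link, they are dropped at the input interface before they consume any transit capacity. The route-maps only shape what each side prefers. Note that the deny counters (`show ip access-lists LOCAL-ONLY-IN`) are also a useful check that the customer's side is really steering only local traffic onto the link.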

