[j-nsp] Transit only to some ISPs

Rafał Szarecki rszarecki at gmail.com
Fri Mar 31 09:19:12 EST 2006


Hi,

This is a common issue around the world...
First of all, you have to solve two cases:

1. How to play with traffic coming from the Internet to the customer.
This is the simplest to do - just do not announce the customer's prefixes to the COM
peer, and announce them to the ACAD peer.

2. How to play with egress traffic (customer to any IP except AS A and
prefixes from ACAD).
The best solution will be, on the router where the customer is connected, to check
the destination IP and, if it does not belong to AS A and is not announced by ACAD,
then drop the packet.
Of course you need some clever way to generate the filter. The general
concept is to use DCU.
a) Based on information in inet.0 (as-path is empty or first (not
originating, which is last) AS on path is ACAD), set the destination-class
flag. This has to be done on the router where the customer is connected.
b) Write a firewall filter which, in the 1st term, matches the destination class and
accepts. (The implicit last term is drop all.)
c) Apply the filter on the customer interface for incoming traffic.

Known limitations of this solution:
- Only 256 DCU are supported in the latest JUNOS.
- If some prefix is announced by COM and ACAD, and the path via COM is
better, then traffic will be dropped (it has to be dropped, because otherwise
it would be forwarded to COM). To overcome this you have to go for a VPN
solution, policy routing, or policy routing + MPLS-TE.

Rafal Szarecki JNCIE

 


Raniery Pontes wrote:
> Hello,
>
>    I'm looking for hints on what to do in the following situation.
> Suppose you're an AS "A" with two upstream providers "COM" and "ACAD",
> running only J boxes. Upstream COM announces full routes but upstream
> ACAD sends you only some "special" prefixes.
>
> Most customers in AS A have full transit to both providers COM and ACAD,
> besides common transit to other customers inside AS A.
>
> Now, suppose some new customers (inside AS A, no BGP with them) should 
> get transit inside AS A *and* to upstream ACAD *only*.
>
> What would be a scalable and elegant way of doing this? MPLS/VPNs?
> Source-routing? Anything else?
>
> I'm more concerned with finding what to do instead of how to do it.
> But full config examples would be accepted ;)
>
> Thanks
>
> Raniery Pontes
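
The egress rule from steps a) to c) of the reply and its second known limitation, modelled in Python as an added example (not code from the thread or from Juniper). The AS numbers, prefixes, table contents and function names are constructed for illustration; the table stands in for the best paths in inet.0.

```python
import ipaddress

ACAD_AS, COM_AS = 64511, 64510  # constructed AS numbers, not from the thread

# Constructed stand-in for the best paths in inet.0: prefix -> AS path of the
# selected route. An empty path means the prefix originates inside AS A.
BEST_PATHS = {
    "203.0.113.0/24": [],                   # AS A customer space
    "192.0.2.0/24": [ACAD_AS, 64496],       # learned via ACAD only
    "198.51.100.0/24": [COM_AS, 64497],     # announced by both, COM path is best
    "0.0.0.0/0": [COM_AS],                  # everything else goes via COM
}
# Constructed list of what ACAD announces, whether or not its path was selected.
ACAD_ANNOUNCED = {"192.0.2.0/24", "198.51.100.0/24"}


def destination_class(as_path):
    """Step a): tag the route when the AS path is empty or its first AS is ACAD."""
    if not as_path or as_path[0] == ACAD_AS:
        return "acad-ok"
    return None


def lookup(dst, table):
    """Longest-prefix match of dst against the table; returns the prefix or None."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in table]
    hits = [n for n in nets if addr in n]
    return str(max(hits, key=lambda n: n.prefixlen)) if hits else None


def filter_decision(dst, table=BEST_PATHS):
    """Steps b) and c): accept a tagged destination, otherwise the implicit drop."""
    prefix = lookup(dst, table)
    if prefix is not None and destination_class(table[prefix]):
        return "accept"
    return "discard"


def dropped_despite_acad(table=BEST_PATHS, announced=ACAD_ANNOUNCED):
    """Second limitation: ACAD announces the prefix but the best path is not via ACAD."""
    return sorted(p for p in announced
                  if p in table and destination_class(table[p]) is None)


if __name__ == "__main__":
    for dst in ("203.0.113.5", "192.0.2.1", "198.51.100.9", "198.18.0.1"):
        print(dst, filter_decision(dst))
    print("dropped although ACAD announces them:", dropped_despite_acad())
```

Running the same check against a real route dump before deploying the filter shows which ACAD-announced prefixes the customer would lose because the COM path is preferred.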