[j-nsp] Dealing with multihomed customer BGP primary/backup links

Cydon Satyr cydonsatyr at gmail.com
Thu Jul 14 09:14:46 EDT 2016


Hi,

I understand, but if you are forcing the customer to always use the primary
link if it is up, and the customer advertises his routes over the backup link
ONLY, then he can go around the uRPF restriction.
With uRPF you are assuming he advertises all of his routes over the primary
link, where the router can prioritize them. Correct?

@Alan

I'll have a look at MC-LAG. Looks like this might work (customer must
not enable LACP).

And yes, I agree 95th percentile metering both primary/backup works best.
What we have here is an unfortunate case of trying to put a band-aid over
something which is supposed to work differently.

Regards

On Thu, Jul 14, 2016 at 9:48 AM, Harald F. Karlsen <elfkin at gmail.com> wrote:

> On 14.07.2016 01:43, Cydon Satyr wrote:
>
>> uRPF check doesn't work since the customer can just advertise his routes
>> over the backup link.
>> I had some hopes for conditional BGP advertisement and SCU/DCU, but I don't
>> think it works, not to mention it's like trying to kill a bee with a
>> hammer.
>>
>> I'm talking about uRPF *strict* mode, not loose.
>
> uRPF strict should work. The customer will advertise his routes over both
> the primary and the backup link, but you will decide to use only the
> primary (using local pref) and with no active route in the forwarding table
> toward the customer's backup link, uRPF strict will deny any traffic on that
> link.
>
> If the primary link goes down, the routes in the forwarding table are
> moved to the backup link and uRPF strict will start accepting traffic on
> that link.
>
> To me this seems like the simplest and most secure solution.
>
> --
> Harald
>
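
Added example (not part of the original thread and not any poster's code): a small Python model of the strict uRPF check discussed above, run against the three cases the thread raises: routes advertised on both links, primary link down, and routes advertised on the backup link only. The link names, local-pref values and the 198.51.100.0/24 prefix are assumed sample values, and the check models active routes only, as Harald describes.

```python
import ipaddress

# Constructed sample values: documentation prefix and assumed local-pref numbers.
CUSTOMER_NET = ipaddress.ip_network("198.51.100.0/24")
LOCAL_PREF = {"primary": 200, "backup": 100}  # provider import policy prefers primary


def build_fib(adverts, links_up):
    """Return {prefix: link} holding only the active route per prefix.

    adverts maps link name -> set of prefixes the customer announces there.
    Routes learned over a down link are withdrawn; highest local-pref wins.
    """
    fib = {}
    for link, prefixes in adverts.items():
        if link not in links_up:
            continue
        for prefix in prefixes:
            current = fib.get(prefix)
            if current is None or LOCAL_PREF[link] > LOCAL_PREF[current]:
                fib[prefix] = link
    return fib


def urpf_strict(fib, src_ip, in_link):
    """Accept a packet only if the active route to its source points at in_link."""
    src = ipaddress.ip_address(src_ip)
    matches = [net for net in fib if src in net]
    if not matches:
        return False  # no route back to the source at all
    best = max(matches, key=lambda net: net.prefixlen)  # longest-prefix match
    return fib[best] == in_link


def run_cases():
    """Evaluate ingress on the backup link for each case raised in the thread."""
    both = {"primary": {CUSTOMER_NET}, "backup": {CUSTOMER_NET}}
    backup_only = {"primary": set(), "backup": {CUSTOMER_NET}}
    all_up, src = {"primary", "backup"}, "198.51.100.10"
    return {
        "both advertised, both up": urpf_strict(build_fib(both, all_up), src, "backup"),
        "both advertised, primary down": urpf_strict(build_fib(both, {"backup"}), src, "backup"),
        "backup-only advertisement": urpf_strict(build_fib(backup_only, all_up), src, "backup"),
    }


if __name__ == "__main__":
    for name, accepted in run_cases().items():
        print(f"{name:32} backup ingress: {'accept' if accepted else 'drop'}")
```

The first two cases match Harald's description; the third shows why the check alone depends on the customer actually announcing the prefix on the primary session.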

