Last updated: 14-06-2019 18:34

• Applying Policy with BGP
• Prefix List
• Regular Expressions
• Route maps
  • AS PATH filtering
  • Matching communities
  • Continue
• Order of processing BGP policy
• Managing Policy Changes
• Peering
  • Transit
  • Peering
    • Private Interconnect (PNI)
    • Internet eXchange Point
    • Types of Peering
    • Peering database
    • ISP Goals
    • How it works
    • IXP role
    • Who peers at an IXP?
    • The IXP's role
    • IXP types
    • Which IXP to choose
    • Connectivity decisions
    • Transit Goals
    • Peering or transit
    • Value propositions

Applying Policy with BGP

Policy-based on AS path, community or the prefix for rejecting/accepting selected routes and/or setting attributes to influence path selection.

• Prefix-list (filters prefixes)
• Filter-list (filters ASes)
• Route-maps and communities

Prefix List

Per neighbour prefix filter with incremental configuration can be applied either inbound or outbound. It is based upon network numbers (using familiar IP address/mask format)

Note: Using access-lists in Cisco IOS for filtering prefixes was deprecated long ago and is strongly discouraged.

  ip[v6] prefix-list list-name [seq value] permit|deny network/len [ge value] [le value]
  

• ge value # greater than or equal to
• le value # less than or equal to

Both “ge” and “le” are optional and are used to specify the range of the prefix length to be matched for prefixes that are more specific than network/len. Sequence number is also optional.

Deny default route

  Router(config)# ip prefix-list EG deny 0.0.0.0/0
  

Permit the prefix 35.0.0.0/8

  Router(config)# ip prefix-list EG permit 35.0.0.0/8
  

Deny the prefix 172.16.0.0/12

  Router(config)# ip prefix-list EG deny 172.16.0.0/12
  

In 192/8 allow up to /24

  Router(config)# ip prefix-list EG permit 192.0.0.0/8 le 24
  

This allows all prefix sizes in the 192.0.0.0/8 address block, apart from /25, /26, /27, /28, /29, /30, /31 and /32.

In 192/8 deny /25 and above. This denies all prefix sizes /25, /26, /27, /28, /29, /30, /31 and /32 in the address block 192.0.0.0/8. It has the same effect as the previous example.

  Router(config)# ip prefix-list EG deny 192.0.0.0/8 ge 25
  

In 193/8 permit prefixes between /12 and /20. This denies all prefix sizes /8, /9, /10, /11, /21, /22, ... and higher in the address block 193.0.0.0/8.

  Router(config)# ip prefix-list EG permit 193.0.0.0/8 ge 12 le 20
  

Permit all prefixes, 0.0.0.0 matches all possible addresses, 0 le 32 matches all possible prefix lengths.

  Router(config)# ip prefix-list EG permit 0.0.0.0/0 le 32
  

Example configuration:

  Router(config)# router bgp 100
  Router(config-router)# network 105.7.0.0 mask 255.255.0.0
  Router(config-router)# neighbor 102.10.1.1 remote-as 110
  Router(config-router)# neighbor 102.10.1.1 prefix-list AS110-IN in
  Router(config-router)# neighbor 102.10.1.1 prefix-list AS110-OUT out
  Router(config-router)# exit
  Router(config)# ip prefix-list AS110-IN deny 218.10.0.0/16
  Router(config)# ip prefix-list AS110-IN permit 0.0.0.0/0 le 32
  Router(config)# ip prefix-list AS110-OUT permit 105.7.0.0/16
  Router(config)# ip prefix-list AS110-OUT deny 0.0.0.0/0 le 32
  

Filter routes based on AS path for both inbound or outbound. Example Configuration:

  Router(config)# router bgp 100
  Router(config-router)# network 105.7.0.0 mask 255.255.0.0
  Router(config-router)# neighbor 102.10.1.1 filter-list 5 out
  Router(config-router)# neighbor 102.10.1.1 filter-list 6 in
  Router(config-router)# exit
  Router(config)# ip as-path access-list 5 permit ^200$
  Router(config)# ip as-path access-list 6 permit ^150$
  

Regular Expressions

Like Unix regular expressions

Route maps

A route-map is like a “programme” for IOS Has “line” numbers, like programmes. Each line is a separate condition/action Concept is basically:

• if match then do expression and exit
• else
• if match then do expression and exit
• else etc

Route-map continue lets ISPs apply multiple conditions and actions in one route-map.

There is an implicit deny at the end of the route-map; however, it is good practice for readibility to add a deny at the end of permit statements.

Lines can have multiple set statements. All set statements are implemented

  Router(config)# route-map SAMPLE permit 10
  Router(config-route-map)# set community 300:1
  Router(config-route-map)# set local-preference 120
  

Lines can have multiple match statements, all conditions must match.

  Router(config)# route-map SAMPLE permit 10
  Router(config-route-map)# match community 1
  Router(config-route-map)# match ip address prefix-list MY-LIST
  Router(config-route-map)# set local-preference 300
  

A match statement can have multiple commands, at least one command must match.

  Router(config)# route-map SAMPLE permit 10
  Router(config-route-map)# match ip address prefix-list MY-LIST OTHER-LIST
  Router(config-route-map)# set community 300:10
  

Route-map with only a match statement, only prefixes matching go through, the rest are dropped

  Router(config)# route-map SAMPLE permit 10
  Router(config-route-map)# match ip address prefix-list MY-LIST
  

Line with only a set statement, all prefixes are matched and set and any following lines are ignored.

  Router(config)# route-map SAMPLE permit 10
  Router(config-route-map)# set local-preference 120
  
  Router(config-route-map)# route-map SAMPLE permit 20
  Router(config-route-map)# remark This line is ignored
  Router(config-route-map)# set community 300:5
  

Line with a match/set statement and no following lines. Only prefixes matching the condition are set, the rest are dropped.

  Router(config)# route-map SAMPLE permit 10
  Router(config-route-map)# match ip address prefix-list MY-LIST
  Router(config-route-map)# set local-preference 120
  

Omitting the third line below means that prefixes not matching list-one or list-two are dropped.

  Router(config)# route-map SAMPLE permit 10
  Router(config-route-map)# match ip address prefix-list LIST-ONE
  Router(config-route-map)# set local-preference 120
  
  Router(config-route-map)# route-map SAMPLE permit 20
  Router(config-route-map)# match ip address prefix-list LIST-TWO
  Router(config-route-map)# set local-preference 80
  
  Router(config-route-map)# route-map SAMPLE permit 30
  Router(config-route-map)# remark Don’t forget this
  

Matching prefixes. If address matches HIGH-PREF set local-pref 120, and then exit, otherwise if address matches LOW-PREF, set local-pref 80, and then exit. No other condition, so all other prefixes are dropped.

  Router(config)# router bgp 100
  Router(config-router)# neighbor 1.1.1.1 route-map INFILTER in
  Router(config-router)# exit
  
  route-map INFILTER permit 10
  Router(config-route-map)# match ip address prefix-list HIGH-PREF
  Router(config-route-map)# set local-preference 120
  
  Router(config-route-map)# route-map INFILTER permit 20
  Router(config-route-map)# match ip address prefix-list LOW-PREF
  Router(config-route-map)# set local-preference 80
  Router(config-route-map)# exit
  
  Router(config)# ip prefix-list HIGH-PREF permit 10.0.0.0/8
  Router(config)# ip prefix-list LOW-PREF permit 20.0.0.0/8
  

AS PATH filtering

If prefix originated from AS150, then set local-pref to 80, and exit, otherwise if prefix transited AS210 (ie AS210 appears in the path), then set local-pref to 200, and exit. No other condition, so all other prefixes are dropped.

  Router(config)# router bgp 100
  Router(config-router)# neighbor 102.10.1.2 remote-as 200
  Router(config-router)# neighbor 102.10.1.2 route-map FILTER-ON-ASPATH in
  
  Router(config)# route-map FILTER-ON-ASPATH permit 10
  Router(config-route-map)# match as-path 1
  Router(config-route-map)# set local-preference 80
  
  Router(config)# route-map FILTER-ON-ASPATH permit 20
  Router(config-route-map)# match as-path 2
  Router(config-route-map)# set local-preference 200
  Router(config-route-map)# exit
  
  Router(config)# ip as-path access-list 1 permit _150$
  Router(config)# ip as-path access-list 2 permit _210_
  

Example configuration of AS-PATH prepend. Use your own AS number when prepending. Otherwise BGP loop detection may cause disconnects. Deliberate insertion of other ASNs is called AS PATH poisoning.

  Router(config)# router bgp 100
  Router(config-router)# network 105.7.0.0 mask 255.255.0.0
  Router(config-router)# neighbor 102.10.1.2 remote-as 300
  Router(config-router)# neighbor 102.10.1.2 route-map SETPATH out
  Router(config-router)# exit
  
  Router(config)# route-map SETPATH permit 10
  Router(config-route-map)# set as-path prepend 100 100
  

Matching communities

If prefix belongs to communities 150:3 AND 200:5, then set local-pref to 50, and exit Otherwise if prefix belongs to ONLY community 88:6, then set local-pref to 200, and exit No other condition, so all other prefixes are dropped.

  Router(config)# router bgp 100
  Router(config-router)# neighbor 102.10.1.2 remote-as 200
  Router(config-router)# neighbor 102.10.1.2 route-map FILTER-ON-COMMUNITY in
  
  Router(config)# route-map FILTER-ON-COMMUNITY permit 10
  Router(config-route-map)# match community 1
  Router(config-route-map)# set local-preference 50
  
  Router(config-route-map)# route-map FILTER-ON-COMMUNITY permit 20
  Router(config-route-map)# match community 2 exact-match
  Router(config-route-map)# set local-preference 200
  Router(config-route-map)# exit
  
  Router(config)# ip community-list 1 permit 150:3 200:5
  Router(config)# ip community-list 2 permit 88:6
  

When multiple values are configured in the same community list statement, a logical AND condition is created. All community values must match to satisfy an AND condition.

  Router(config)# ip community-list 1 permit 150:3 200:5
  

When multiple values are configured in separate community list statements, a logical OR condition is created. The first list that matches a condition is processed.

  Router(config)# ip community-list 1 permit 150:3
  Router(config)# ip community-list 1 permit 200:5
  

Setting Communities

  Router(config)# router bgp 100
  Router(config-router)# network 105.7.0.0 mask 255.255.0.0
  Router(config-router)# neighbor 102.10.1.1 remote-as 200
  Router(config-router)# neighbor 102.10.1.1 send-community
  Router(config-router)# neighbor 102.10.1.1 route-map SET-COMMUNITY out
  
  Router(config)# route-map SET-COMMUNITY permit 10
  Router(config-route-map)# match ip address prefix-list NO-ANNOUNCE
  Router(config-route-map)# set community no-export
  
  Router(config-route-map)# route-map SET-COMMUNITY permit 20
  Router(config-route-map)# match ip address prefix-list AGGREGATE
  Router(config-route-map)# exit
  
  Router(config)# ip prefix-list NO-ANNOUNCE permit 105.7.0.0/16 ge 17
  Router(config)# ip prefix-list AGGREGATE permit 105.7.0.0/16
  

Continue

Handling multiple conditions and actions in one route-map (for BGP neighbour relationships only).

  Router(config)# route-map PEER-FILTER permit 10
  Router(config-route-map)# match ip address prefix-list GROUP-ONE
  Router(config-route-map)# continue 30
  Router(config-route-map)# set metric 2000
  
  Router(config-route-map)# route-map PEER-FILTER permit 20
  Router(config-route-map)# match ip address prefix-list GROUP-TWO
  Router(config-route-map)# set community no-export
  
  Router(config-route-map)# route-map PEER-FILTER permit 30
  Router(config-route-map)# match ip address prefix-list GROUP-THREE
  Router(config-route-map)# set as-path prepend 100 100
  

Order of processing BGP policy

For policies applied to a specific BGP neighbour, the following sequence is applied:

For inbound updates, the order is:

1. Route-map
2. Filter-list
3. Prefix-list

For outbound updates, the order is:

1. Prefix-list
2. Filter-list
3. Route-map

Managing Policy Changes

New policies only apply to the updates going through the router AFTER the policy has been introduced or changed. To facilitate policy changes on the entire BGP table the router handles the BGP peerings need to be refreshed. This is done by clearing the BGP session either in or out. Do NOT forget in or out — forgetting results in a hard reset of the BGP session

  Router# clear ip bgp <neighbour-addr> in|out
  

Ability to clear the BGP sessions of groups of neighbours configured according to several criteria.

• <neighbour-addr> may be any of the following
• x.x.x.x # IP address of a peer
• * # All peers
• ASN # All peers in an AS
• external # All external peers
• peer-group <name> # All peers in a peer-group

Peering

Internet is made up of ISPs of all shapes and sizes. Some have local coverage (access providers) while others can provide regional or per country coverage and others are global in scale.

These ISPs interconnect their businesses, they don’t interconnect with every other ISP (over 49500 distinct autonomous networks) – won't scale. They interconnect according to practical and business needs. Some ISPs provide transit to others, they interconnect other ISP networks. Around 6300 autonomous networks provide transit.

Transit

Carrying traffic across a network usually for a fee. An example: Access provider connects to a regional provider.

Peering

Exchanging routing information and traffic usually for no fee. This is sometimes called settlement free peering. Example: Regional provider connects to another regional provider.

Private Interconnect (PNI)

Two ISPs connect their networks over a private link. Can be peering arrangementwith no charge for traffic and share cost of the link or can be transit arrangement where one ISP charges the other for traffic and one ISP (the customer) pays for the link.

Internet eXchange Point

Several ISPs meeting in a common neutral location and interconnect their networks, usually is a peering arrangement between their networks.

Bi-lateral Peering - Very similar to Private Peering, but may take place at a public peering point (IXP).

Multilateral Peering - Takes place at Internet Exchange Points, where operators all peer with each other via a Router Server.

Mandatory Multilateral Peering - Where operators are forced to peer with each other as condition of IXP membership. Strongly discouraged: Has no record of success.

Types of Peering

Open Peering

• Where an ISP publicly states that they will peer with all parties who approach them for peering Commonly found at IXPs where ISP participates via the Route Server.

Selective Peering

• Where an ISP’s peering policy depends on the nature of the operator who requests peering with them At IXPs, operator will not peer with RS but will only peer bilaterally

Closed Peering

• Where an ISP decides who its peering partners are, and is generally not approachable to creating peering opportunities.

Peering database

Peering Database documents ISPs peering policies:

Peering Database

All operators of ASNs should register in the peeringdb. Participation in peering fora is encouraged too.

• Global Peering Forum (GPF)
• Regional Peering Fora (European, Middle Eastern, Asian, Caribbean, Latin American and African Peering Peering and Interconnection Forum (AfPIF))

ISP Goals

Minimise the cost of operating the business:

Transit

• ISP has to pay for circuit (international or domestic)
• ISP has to pay for data (usually per Mbps)
• Repeat for each transit provider
• Significant cost of being a service provider

Peering

• ISP shares circuit cost with peer (private) or runs circuit to public peering point (one off cost)
• No need to pay for data
• Reduces transit data volume, therefore reducing cost.

How it works

• Small access provider provides Internet access for a city’s population
  • Mixture of dial up, wireless and fixed broadband
  • Possibly some business customers
  • Possibly also some Internet cafes.
• How do their customers get access to the rest of the Internet?
• ISP buys access from one, two or more larger ISPs who already have visibility of the rest of the Internet
  • This is transit – they pay for the physical connection to the upstream and for the traffic volume on the link
• If two ISPs are of equivalent sizes, they have:
  • Equivalent network infrastructure coverage
  • Equivalent customer size
  • Similar content volumes to be shared with the Internet
  • Potentially similar traffic flows to each other’s networks
• This makes them good peering partners
• If they don’t peer
  • They both have to pay an upstream provider for access to each other’s network/customers/content
  • Upstream benefits from this arrangement, the two ISPs both have to fund the transit costs.

IXP role

• Private peering makes sense when there are very few equivalent players
  • Connecting to one other ISP costs X
  • Connecting to two other ISPs costs 2 times X
  • Connecting to three other ISPs costs 3 times X
  • Etc... (where X is half the circuit cost plus a port cost)
• The more private peers, the greater the cost
• IXP is a more scalable solution to this problem
• Connecting to an IXP: ISP costs: one router port, one circuit, and one router to locate at the IXP
• Some IXPs charge annual maintenance fees, the maintenance fee has potential to significantly influence the cost balance for an ISP
• Generally connecting to an IXP and peering there becomes cost effective when there are at least three other peers
  • The real $ amount varies from region to region, IXP to IXP

Who peers at an IXP?

Access Providers - Don’t have to pay their regional provider transit fees for local traffic. It keeps latency and costs for local traffic low. There is Unlimited bandwidth through the IXP (compared with costly and limited bandwidth through transit provider).

Regional Providers - Don't have to pay their global provider transit fees for local and regional traffic. It keeps latency and costs for local and regional traffic low Unlimited bandwidth through the IXP (compared with costly and limited bandwidth through global provider).

Content Providers & Content Distribution Services - Don't have to pay their regional provider transit fees for local traffic. Keeps latency and costs for local traffic low Unlimited bandwidth through the IXP (compared with costly and limited bandwidth through transit provider).

Root, ccTLD and gTLD operators - Adds to the resiliency of the global DNS system. Keeps latency and response time for local resolver traffic very low.

The IXP's role

Global Providers can be located close to IXPs attracted by the potential transit business available. This is advantageous for access & regional providers as they can peer with other similar providers at the IXP and in the same facility pay for transit to their regional or global provider (Not across the IXP fabric, but a separate connection).

IXP types

A local IXP is defined as:

"a public peering point serving the local Internet industry"

Local means where it becomes cheaper to interconnect with other ISPs at a common location than it is to pay transit to another ISP to reach the same consumer base.

A Regional ISP is a local IXP that has attracted regional ISPs and ISPs from outside the locality. Regional ISPs peer with each other and show up at several of these Regional IXPs. Local ISPs peer with ISPs from outside the locality but they don't compete in each other's markets. In this way local ISPs don’t have to pay transit costs and ISPs from outside the locality don’t have to pay transit costs. Quite often ISPs of disparate sizes and influences will happily peer to defray transit costs.

Which IXP to choose

• How many routes are available?
• What is the cost of co-lo space?
• What is the cost of running a circuit to the location?
• What is the cost of remote hands/assistance?

Connectivity decisions

Transit

• Almost every ISP needs transit to reach rest of Internet; one provider = no redundancy.
• Two providers: ideal for traffic engineering as well as redundancy
• Three providers = better redundancy, traffic engineering gets harder
• More then three = diminishing returns, rapidly escalating costs and complexity.

Peering

• Means low (or zero) cost access to another network
• Private or Public Peering (or both).

Transit Goals

Minimise number of transit providers while maintaining reduedancy. Aggregate capacity to transit providers to gain better value per Mb/s.

Peering or transit

It comes down to cost of going to an IXP; Free peering or paying for transit from an ISP co-located in same facility, or perhaps close by. THe alternative is not going to an IXP and paying for the cost of transit directly to an upstream provider.

Value propositions

• Peering at a local IXP
  • Reduces latency & transit costs for local traffic
  • Improves Internet quality perception.
• Participating at a Regional IXP
  • A means of offsetting transit costs
  • Managing connection back to home network. -Improving Internet Quality perception for customers.