Location of upstream connections & BGP templates

• Previous message (by thread): Location of upstream connections & BGP templates
• Next message (by thread): Location of upstream connections & BGP templates
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2010.02.17 19:38, Scott Weeks wrote:
> --- steve at ibctech.ca wrote:

> 
> layered. My thinking is that my 'upstream' connections should be moved
> out of the core, and onto the edge. My reasoning for this is so that I
> 
> What do other providers do? Are your transit peers connected directly to
> the core? I can understand such a setup for transit-only providers, but
> --------------------------------------------
> 
> 
> Border, core, access.  
> 
> Border routers only connect the core to the upstreams.  They do nothing else.  No acls, just prefix filters.  For example, block 1918 space from leaving your network.  Block other bad stuff from leaving your network too.  Allow in only what you're expecting from the upstream; again 1918 space, etc.  They can fat finger like anyone else.

This was my thought. However... no fat-finger accidents using Team Cymru
in conjunction with my internal RTBH triggers with uRPF enabled on every
single 'edge' interface ;)

This was the basis of my original question. I want to keep this setup at
edge-only, and don't want to have to apply it within the core gear.

> Core is for moving bits as efficiently as possible: no acls; no filters.

...which is what I visualize, and essentially want.

> Connect downstream BGP customers to access routers that participate in the iBGP mesh.  Filter them only allowing what they're supposed to advertise.  They'll mess it up a lot if they're like my customers by announcing everything under the sun.  Filter what you're announcing to them.  You can fat finger just as well as anyone else.  ;-)

I guess I see 'border' and 'access' as the same. Fat-fingering is
important to me. My pref-list is created long before I turn up a BGP
session to a client, and the peering is tested internally before I allow
them to advertise anything (or I advertise anything to them).

At this point, I only have one _true_ peer that advertises their space
directly to me, and it is tied down to the last bit. I even informed
them that I will perform max path, so they will drop if they break it.
Not scalable for multiple clients, but I've learnt a lot. I need to
learn now how to scale, which is why the second half of my question
dealt with templates.

One template, less chance for me to fat-finger :)

Cheers,

STeve

• Previous message (by thread): Location of upstream connections & BGP templates
• Next message (by thread): Location of upstream connections & BGP templates
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]