Issues with 4-octet BGP AS and Akamai?
Greg Gombas -X (grgombas)
grgombas at cisco.com
Tue Nov 14 19:02:19 UTC 2017
Unfortunately we had a limited window to test so could not check the reverse path.
During our failover testing we stopped advertising out the primary path and only advertised out the secondary path. Routes are advertised out the secondary path through a DDOS prevention company called F5 Silverline which is reached via a GRE tunnel running over the Optimum Lightpath network.
So outgoing traffic would go from NYULH going out the Optimum Lightpath circuit and return traffic coming in on F5 Silverline’s network then tunneled over Optimum Lightpath back to NYULH.
So traffic was definitely routing asymmetrically.
However F5 Silverline assured us they have many customers using a similar setup but have no issues with Akamai.
I would think that many customers using similar DDOS prevention services such as F5 Silverline and Prolexic are routing asymmetrically as well, wouldn’t uRPF be affecting them all?
CCIE# 19649 – R&S
Network Consulting Engineer
grgombas at cisco.com<mailto:grgombas at cisco.com>
Cisco Systems Limited
One Penn Plaza
6th & 9th Floors
New York, NY 10119
[Think before you print.]Think before you print.
This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.
For corporate legal information go to:
From: Tyler Conrad [mailto:tyler at tgconrad.com]
Sent: Tuesday, November 14, 2017 1:30 PM
To: james machado <hvgeekwtrvl at gmail.com>
Cc: Greg Gombas -X (grgombas) <grgombas at cisco.com>; nanog at nanog.org
Subject: Re: Issues with 4-octet BGP AS and Akamai?
Are you advertising out multiple circuits? Check the pathing both directions if you can. A lot of CDNs enforce uRPF strict.
On Tuesday, November 14, 2017, james machado <hvgeekwtrvl at gmail.com<mailto:hvgeekwtrvl at gmail.com>> wrote:
I have a 4 byte ASN and have not had any issues with reach ability,
including the 2 websites you have linked.
More information about the NANOG