DOs and DONTs for small ISP

Brandon Martin lists.nanog at monmotha.net
Tue Jun 4 03:33:13 UTC 2019


On 6/3/19 9:56 AM, Jon Lewis wrote:
> 3) Don't advertise one transit provider's routes to another.  Each should
>     be filtering your routes, but you never know.  Come up with, and use
>     BGP communities to control route propagation.  As you grow, it sucks
>     having to update prefix-list filters in multiple places every time
>     something changes...like a new customer with their own IPs.

To reiterate all this, FILTER EVERYTHING.

To start with, explicitly specify in a route-map or similar everything 
you want to advertise.  I usually create a separate route-map for each 
transit/peer and include what I want to advertise via prefix lists (for 
my IP space) and/or communities (for downstream BGP-speaking customers 
if anticipated).

When you turn on the session, check what you're squawking AND WHAT 
YOU'RE FILTERING.  You shouldn't be filtering anything you don't expect. 
Belt + suspenders.

The same goes for anything you accept.  Obviously for a blended full 
transit BGP edge router, you're probably going to accept almost 
everything.  But if you only want default + on-net, try to filter using 
communities from the peer, etc.  Again, right when you turn on the 
session, "sh ip bgp ... filtered" or whatever's equivalent on your 
platform.  If you're filtering something you don't expect to be 
receiving at all, figure out where the misunderstanding or 
misconfiguration lies.

And of course it goes without saying that, if you've got BGP speaking 
customers, you filter the heck out of them.  Use ROAs and/or RPKI if you 
can to automatically generate filter lists.  Encourage your upstreams to 
do the same if they're filtering you (and they probably are, or at least 
should be, if you're new).  Remember that you are responsible for every 
route you advertise, at the end of the day, even if you only advertised 
it because a downstream network made a boo-boo and you didn't filter it.

Filters are useful on your IGP, too, but there are so many ways to set all 
that up that it's a bit more difficult to come up with nearly universal 
best practices.  Generally speaking, be careful with redistribution, 
never distribute BGP into IGP or vice versa unless you have a really, 
really good reason to, and consider filters between both IGP 
areas/regions or protocols (e.g. RIP coming into OSPF) as well as on 
redistributions of static/connected to prevent simple typos on a static 
route or interface configuration from taking down more than just local 
stuff.

It's way, way easier to remove or relax filters later if they prove more 
of an operational hazard than asset than it is to add or tighten them if 
they prove insufficient.
-- 
Brandon Martin
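As an added illustration (not from Brandon's or Jon's posts), this is roughly what the per-peer "filter everything" policy above looks like in Cisco IOS-style syntax. The ASNs, prefixes and neighbor addresses are constructed from the documentation ranges, and the community plan (64496:100 for customer-learned, 64496:200 for transit-learned routes) is an assumption.

```cisco
! Constructed example, Cisco IOS-style syntax. We are AS 64496, buy transit
! from AS 64500 and have a BGP customer AS 64520 (documentation ASNs and
! RFC 5737 addresses throughout).
!
! Our own space: the only thing we originate.
ip prefix-list MY-SPACE seq 5 permit 192.0.2.0/24
!
! What the customer is allowed to announce to us.
ip prefix-list CUST-64520 seq 5 permit 198.51.100.0/24
!
! Assumed community plan: 64496:100 = learned from a customer,
! 64496:200 = learned from transit.
ip community-list standard FROM-CUSTOMER permit 64496:100
!
! Inbound from the customer: only their registered prefixes, tagged as
! customer routes. The route-map's implicit deny drops everything else.
route-map CUST-64520-IN permit 10
 match ip address prefix-list CUST-64520
 set community 64496:100 additive
!
! Inbound from transit: tag so these can never leak to another transit.
route-map TRANSIT-IN permit 10
 set community 64496:200 additive
!
! Outbound to Transit-A (one route-map per transit/peer): our space plus
! customer-tagged routes; transit-learned routes hit the implicit deny.
route-map TRANSIT-A-OUT permit 10
 match ip address prefix-list MY-SPACE
route-map TRANSIT-A-OUT permit 20
 match community FROM-CUSTOMER
!
router bgp 64496
 neighbor 203.0.113.1 remote-as 64500
 neighbor 203.0.113.1 description Transit-A
 neighbor 203.0.113.1 send-community
 neighbor 203.0.113.1 soft-reconfiguration inbound
 neighbor 203.0.113.1 route-map TRANSIT-IN in
 neighbor 203.0.113.1 route-map TRANSIT-A-OUT out
 neighbor 203.0.113.9 remote-as 64520
 neighbor 203.0.113.9 description Customer-64520
 neighbor 203.0.113.9 soft-reconfiguration inbound
 neighbor 203.0.113.9 maximum-prefix 10
 neighbor 203.0.113.9 route-map CUST-64520-IN in
!
! Belt and suspenders once the sessions are up: anything present in
! received-routes but absent from routes was filtered; confirm you expected it.
!   show ip bgp neighbors 203.0.113.1 advertised-routes
!   show ip bgp neighbors 203.0.113.9 received-routes
!   show ip bgp neighbors 203.0.113.9 routes
```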


