Routers / external connectivity (HSRP) Web farm, mail servers

Similar documents
Unit 3: Dynamic Routing

BGP Multihoming ISP/IXP Workshops

BGP and the Internet. Why Multihome? Why Multihome? Why Multihome? Why Multihome? Why Multihome? Redundancy. Reliability

IPv6 Module 6x ibgp and Basic ebgp

IPv6 Module 6 ibgp and Basic ebgp

Module 12 Multihoming to the Same ISP

BGP Multihoming. ISP/IXP Workshops

IPv6 Address Planning

Introduction to BGP. ISP/IXP Workshops

Multihoming with BGP and NAT

Introduction to BGP. ISP Workshops. Last updated 30 October 2013

IPv6 Switching: Provider Edge Router over MPLS

The Loopback Interface

Lab 3 Multihoming to the Same ISP

Introduction to BGP ISP/IXP Workshops

BGP in the Internet Best Current Practices

Advanced Multihoming. BGP Traffic Engineering

Service Provider Multihoming

Introduction to IP Routing. Geoff Huston

3/10/2011. Copyright Link Technologies, Inc.

Module 6 Implementing BGP

Module 6 IPv6 ibgp and Basic ebgp

IPv6 Module 4 OSPF to IS-IS for IPv6

Module 16 An Internet Exchange Point

Configuring BGP. Cisco s BGP Implementation

IPv6 Module 16 An IPv6 Internet Exchange Point

Service Provider Multihoming

The Loopback Interface

Inter-Domain Routing: BGP

Module 1b IS-IS. Prerequisites: The setup section of Module 1. The following will be the common topology used for the first series of labs.

Routing Basics. Campus Network Design & Operations Workshop

MPLS VPN Carrier Supporting Carrier

Module 13 Multihoming to Different ISPs

Routing Basics. ISP Workshops. Last updated 10 th December 2015

FlexVPN HA Dual Hub Configuration Example

CS 43: Computer Networks. 24: Internet Routing November 19, 2018

Connecting to a Service Provider Using External BGP

IPv6 Switching: Provider Edge Router over MPLS

Module 6 More ibgp, and Basic ebgp Configuration

MPLS VPN Carrier Supporting Carrier Using LDP and an IGP

Top-Down Network Design

Configuring BGP on Cisco Routers Volume 1

Introduction. Keith Barker, CCIE #6783. YouTube - Keith6783.

Choosing Routers for the Campus

Border Gateway Protocol - BGP

Module 6 ibgp and Basic ebgp

IPv6 Module 11 Advanced Router Configuration

BGP. Daniel Zappala. CS 460 Computer Networking Brigham Young University

BGP Attributes and Path Selection

COMP/ELEC 429 Introduction to Computer Networks

IPv6 Module 1a OSPF. Prerequisites: IPv4 Lab Module 1, knowledge of Cisco router CLI, and previous hands on experience.

Ravi Chandra cisco Systems Cisco Systems Confidential

MPLS VPN Multipath Support for Inter-AS VPNs

CS4700/CS5700 Fundamentals of Computer Networks

Module 8 Multihoming Strategies Lab

MPLS VPN Carrier Supporting Carrier Using LDP and an IGP

BTnet Resilient Extra White Paper for BT People and Prospective Customers

Unicast Routing. Information About Layer 3 Unicast Routing CHAPTER

Network Security - ISA 656 Routing Security

BTEC Level 3 Extended Diploma

ISP and IXP Design. Point of Presence Topologies. ISP Network Design. PoP Topologies. Modular PoP Design. PoP Design INET 2000 NTW

BGP for Internet Service Providers

CS 43: Computer Networks Internet Routing. Kevin Webb Swarthmore College November 16, 2017

Asymmetric Satellite Services. Introduction and Background. Transmit Interface Command. Agenda. Asymmetric Satellite Services

Implementing Cisco IP Routing

LARGE SCALE IP ROUTING

BGP101. Howard C. Berkowitz. (703)

MPLS VPN C H A P T E R S U P P L E M E N T. BGP Advertising IPv4 Prefixes with a Label

Service Provider Multihoming

An Operational Perspective on BGP Security. Geoff Huston February 2005

Steven M. Bellovin AT&T Labs Research Florham Park, NJ 07932

Module 2 More ibgp, and Basic ebgp Configuration

Scaling IGPs in ISP Networks. Philip Smith SANOG 8, Karachi 3rd August 2006

Routing Basics. ISP Workshops

BGP Multihoming Techniques

BGP Multihoming Techniques

Simple Multihoming. ISP Workshops. Last updated 9 th December 2015

MPLS VPN Half-Duplex VRF

Setup a Professional ISP Using MikroTik and Bandwidth Control in Bridge mode

Simple Multihoming. ISP Workshops. Last updated 25 September 2013

Connecting to a Service Provider Using External BGP

BGP Case Studies. ISP Workshops

Choosing Switches and Routers for the Campus

Module: Routing Security. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

MPLS VPN--Inter-AS Option AB

2015/07/23 23:32 1/8 More ibgp and Basic ebgp

Routing Concepts. IPv4 Routing Forwarding Some definitions Policy options Routing Protocols

Module 14 Transit. Objective: To investigate methods for providing transit services. Prerequisites: Modules 12 and 13, and the Transit Presentation

BGP and the Internet

CS 43: Computer Networks Internet Routing. Kevin Webb Swarthmore College November 14, 2013

BGP and the Internet

FAQ. Version: Copyright ImageStream Internet Solutions, Inc., All rights Reserved.

ISP Workshop Lab. Module 2 OSPF Areas

Routing Security* CSE598K/CSE545 - Advanced Network Security Prof. McDaniel - Spring * Thanks to Steve Bellovin for slide source material.

Service Provider Multihoming

MPLS in the DCN. Introduction CHAPTER

Multihoming Complex Cases & Caveats

Topology for: EIGRP, BGP, Redistribution


DE-CIX Academy: BGP Introduction. Notice of Liability. BGP Configuration Examples. Network Diagram for all examples. Links and Examples

Transcription:

Routers / external connectivity (HSRP) hubs/switches Office network!#"%$'&)(+*-,/.10#23*-&4$5!6$5!7&)(6879:(;&<2107= Web farm, mail servers Customer hosted servers

It s better to have part of your network fail than your whole network fail Keep different types of traffic - especially different levels of trust - on PHYSICALLY SEPARATE NETWORKS (not just separate subnets on secondary addresses on the same cable) - separated at layer 3 If you have anything redundant (e.g. power supplies, fans, network links), make sure they are continually monitored 7 7 (1) Buy components which are inherently resilient (2) Build your network so it can withstand failures (3) Do both

External connectivity (upstream ISPs, peers, links to other sites)!"# $% &' Single-attached networks Dual-attached networks.0/1/32 &54:"767&2 & $98;: Network within a single site. If you have multiple sites, replicate this design at each site

4:" 2)" 6 & 2 &4$98 Links (switch ports) can be 10M, 100M, gigabit, or any combination Whenever you run out of router ports, just plug another router (or pair) into the core Core switches give you very high aggregate bandwidth: e.g. 5 routers, each with two 100M interfaces = 1000M total bandwidth 9 ( &2 &)9 0 4 9 All routers are dual-attached; can withstand a failure of any single interface, cable, or core switch OSPF provides end-to-end test of each link Traffic is always active down both paths, so you have confidence that they are working " (:9-. 3" & 0:$ 9#0#" 0 4 9 Can power down and exchange core switches one at a time, with minimal disruption to network Flexibility to mix and match routers; outages limited to part of network Observation: all packets go through no more than 2 routers to reach their destination. P.S. There is no magic in this design. An alternative way of thinking about it is that you have a bunch of routers which exchange data via a private network (two of them, for resilience)

External connectivity (upstream ISPs, peers, links to other sites) 9#, & 0#.;2). 2 8 Border routers connect to your upstream providers or peers. Backbone routers connect to WAN links between your sites. As far as this design is concerned, they are the same. Each router is dual-homed: one ethernet interface into each core. If you only have a single border router that s fine, there will be no BGP, just a static default to your upstream provider. It s a single point of failure of course. If you have multiple border/backbone routers, they will ibgp peer with each other. Your ibgp peering sessions should be between loopback interfaces on your routers. This is so that if connectivity into the core switches changes, it does not affect any ibgp sessions. neighbor x.x.x.x remote-as yyyy neighbor x.x.x.x update-source Loopback0

9#0 9#,/" 2 Thanks to equal-cost multipath, a router with 2x10M connections has 20M of bandwidth available; a router with 2x100M connections has 200M available Border routers only should originate defaultroute into the OSPF cloud. Never attempt to redistribute BGP into OSPF! Originate defaultroute with a different metric from each border router (If you follow these recommendations, the router with the lowest defaultroute metric will be the "preferred" router for outgoing traffic from the access routers. Routing of outgoing traffic may not be optimal - it may hit the wrong router first and be bounced to the right one - but this is typically not a problem) Use MD5 authentication. Disable OSPF except on necessary interfaces. For ease of maintenance: use hellointerval 2 secs, routerdeadinterval 8 secs Choose appropriate costs, so that 10M is more expensive than 100M, and 100M more expensive than gigabit Try to keep routes within one site within larger netblocks. This will allow you to use multi-area OSPF and aggregation later. (Often not possible with customer netblocks) Notice that the same routers are visible as neighbors by multiple paths. Some older versions of IOS, e.g. 11.3(8), had problems with this; if you lost one connection, they would think that the neighbor was not reachable via the other. Use a recent 12.0 release.!#. & 4 96. ( *-&4$ 4!#9:( :0#.#$ 9 #(%$ 6#9-(%* & $ 4#!#9 ( 0#.#$! 16 ( The key feature to look for is non-blocking. performance The scalability depends on being able to pump more and more traffic through the switch without it losing packets. Appropriate number and speed of ports for the types of routers you want to connect For extra reliability, choose switches with redundant power supplies and fans if you can afford them SNMP management (allocate one IP address on each core to the switch itself)

Single-attached networks & 0 2;2<9 " $ $/" 4#!#9 8 0#9%$ *+.1, ( Dual-attached networks switch.1070#9 4 $ & 0#28 &)"72 & 03( 9#, 9,/(. Single router connects into both cores. Where resilience is less important, or cannot be provided anyway (e.g. serial ports to leased lined customers) #" 2 " $ $/" 4#!#9 8 0#9%$ *+.1, ( Two routers, using HSRP/VRRP or equivalent Use for essential services such as mail and dial-in servers Note that the two routers will still have to connect to a common switch, which is a single point of failure. So it s still worth putting servers on separate IP subnets where you can: especially radius servers, DNS servers. In theory, you could connect them directly into the core switches, IF they have two ethernet ports, AND they have an OSPF implementation that you trust, AND you are sure they will not flap routes (e.g. announce a separate /32 for each dial-in user!) Safer bet to connect them downstream of access router(s), with defaultroute/hsrp. Use static routes on the access routers to point to their dial-in IP pool. These routers will then "redistribute static" to let the other routers know about it. Gives you more control and less reliance on possibly unreliable OSPF implementations.!#. &54 96.,/. :$ 9#, Enough ports, including 2 ethernet ports to link into core. A 5-port ethernet router will only give you 3 ports usable for networks, since the other 2 are for linking into the core. Enough performance to handle the full load of traffic to/from the core. Robust OSPF implementation with equal-cost multipath support. On large Ciscos: remember to enable Cisco Express Forwarding (ip cef [distributed]). Redundant PSUs and fans are nice, especially for single-attached networks

Redistribute static into OSPF Static route:.192/26 via.7.7. Static route:.192/26 via.7.192/26 Dial-in pool NAS does not need to participate in OSPF Single netblock for dial-in pool announced to rest of network!! You will break static IP accounts unless all static IP users hit the same NAS!!

'. 8. /,/. &)8 9-"6( $/"%$ &54 8 &)"72 & 03( 9#, &54 9#= IT DOESN T SCALE The last thing you want is flapping /32 routes throughout your network whenever customers dial in or hang up. They will kill your routers. It might work now, but you will have severe problems in the future Supporting it will become very expensive #2 2 9:( $/9 8(:.;2 :$ &).10 1. Make sure that all static IP addresses are within the same netblock(s) 2. Make sure your existing static IP users all hit ONE NAS. You may have to set up a separate telephone number (hunt group) and get them to use this number. 3. Static route this netblock to this NAS 4. DON T SELL ANY MORE STATIC IP ACCOUNTS '. 8.,+4 #(%$. 9,/( 0 9:9 8(%$ "%$ &54 "#0 8 *+" 87= In many cases, what they really want is SMTP mail delivery. There are other ways of providing this. Set up a mailserver which can kick out mail via SMTP to their dynamic IP address. (Tools you can use include fetchmail and serialmail ). It can be triggered by dialling in (in your radius server), or by ETRN. Unfortunately this requires some scripting or coding. Usually this is for NT Exchange servers, and there is now a module available which can pull mail using POP3 instead. If there is a big financial disincentive to using static IP, customers will be more creative in finding alternative solutions.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback