The purpose of this part of the lab is to introduce an Internet Exchange Point into our lab. IXPs are a very important, if not critical, component of today’s Internet architecture, and it is vitally important to ensure the correct configuration so that network operators gain maximum advantage from their participation at an IXP.
The lab topology has been further enhanced according to the diagram below. An Internet Exchange Point and its route server are now installed.
Each group should now configure their link to the IXP according to the above diagram.
Consult the Address Plan document for the address space used by the IXP. Following the document, configure the interface on the router accordingly.
    interface GigabitEthernet 3/0
     description Link to IXP
     ip address 100.127.1.5 255.255.255.0
     ipv6 address 2001:DB8:FFFF:1::5/64
    !

Note the subnet masks - this time the ethernet is NOT a point-to-point link but a shared LAN media. Once the interfaces have been configured, see if you can ping any of the other groups on their IXP addresses (both IPv4 and IPv6). Are you able to ping the Route Server too?
Do not configure IS-IS towards any IXP peer! They are not part of your autonomous system.
However, so that traceroutes across the IXP do not break, we might wish to carry the IXP LAN address block within our IS-IS (not iBGP). To do this, we simply mark the IXP facing interface as passive in the IS-IS configuration. Here is an example for AS106:
    router isis as106
     passive-interface GigabitEthernet 3/0
If you recall from the IS-IS presentation, this will tell IS-IS to announce the subnet attached to this interface.
Now all routers in your AS will see the IXP LAN address - check from your Core and Border routers, just to make sure.
We now configure eBGP with the Exchange Point’s Route Server (we might add in bi-lateral BGP peering later, but for now we will just peer with the Route Server).
The Route Server sits in AS 65534 - this is a private AS, and is not visible on the public Internet. In fact, we don’t want this AS to be visible inside our own AS either, and that’s one of the unique features of a Route Server - it does not add its AS into the AS path when distributing prefixes to its eBGP neighbours.
DO NOT forget to filter what you hear from the Route Server, and what you send to the Route Server. You should only accept their address blocks from the other IXP participants (they may send you more by mistake!), and you should only send prefixes you originated!
Here is a configuration example for AS104 - note that we are reusing some configuration we have set up earlier:
    ip prefix-list AS104-block permit 100.68.40.0/24
    ipv6 prefix-list AS104-v6block permit 2001:DB8:40::/48
    !
    ip prefix-list IXP-RS permit 100.68.10.0/24
    ip prefix-list IXP-RS permit 100.68.20.0/24
    ip prefix-list IXP-RS permit 100.68.30.0/24
    ip prefix-list IXP-RS permit 100.68.40.0/24
    ip prefix-list IXP-RS permit 100.68.50.0/24
    ip prefix-list IXP-RS permit 100.68.60.0/24
    !
    ipv6 prefix-list IXP-v6RS permit 2001:DB8:10::/48
    ipv6 prefix-list IXP-v6RS permit 2001:DB8:20::/48
    ipv6 prefix-list IXP-v6RS permit 2001:DB8:30::/48
    ipv6 prefix-list IXP-v6RS permit 2001:DB8:40::/48
    ipv6 prefix-list IXP-v6RS permit 2001:DB8:50::/48
    ipv6 prefix-list IXP-v6RS permit 2001:DB8:60::/48
    !
    router bgp 104
     address-family ipv4
      neighbor 100.127.1.254 remote-as 65534
      neighbor 100.127.1.254 description eBGP with IXP RS
      neighbor 100.127.1.254 password ixp-rs
      neighbor 100.127.1.254 prefix-list AS104-block out
      neighbor 100.127.1.254 prefix-list IXP-RS in
     !
     address-family ipv6
      neighbor 2001:DB8:FFFF:1::FE remote-as 65534
      neighbor 2001:DB8:FFFF:1::FE description eBGP with IXP RS
      neighbor 2001:DB8:FFFF:1::FE password ixp-rs
      neighbor 2001:DB8:FFFF:1::FE prefix-list AS104-v6block out
      neighbor 2001:DB8:FFFF:1::FE prefix-list IXP-v6RS in
     !
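One way to check the filtering rule above mechanically, as an added Python example (not part of the lab material): it scans a BGP configuration and reports eBGP neighbours that lack a prefix-list in either direction. The sample configuration is constructed from the AS104 example, with a hypothetical neighbour 100.127.1.3 left without an inbound filter; peer-groups and route-map based filters are not resolved.

```python
import re

# Constructed sample: the AS104 Route Server peering from the lab, plus a
# hypothetical bilateral neighbour (100.127.1.3) with no inbound prefix-list.
SAMPLE_CONFIG = """\
router bgp 104
 address-family ipv4
  neighbor 100.127.1.254 remote-as 65534
  neighbor 100.127.1.254 prefix-list AS104-block out
  neighbor 100.127.1.254 prefix-list IXP-RS in
  neighbor 100.127.1.3 remote-as 103
  neighbor 100.127.1.3 prefix-list AS104-block out
 !
 address-family ipv6
  neighbor 2001:DB8:FFFF:1::FE remote-as 65534
  neighbor 2001:DB8:FFFF:1::FE prefix-list AS104-v6block out
  neighbor 2001:DB8:FFFF:1::FE prefix-list IXP-v6RS in
 !
"""

NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+(.*)$")

def audit_bgp_filters(config, local_as):
    """Return {neighbour: [missing directions]} for eBGP neighbours."""
    remote_as = {}   # neighbour address -> remote AS number
    filters = {}     # neighbour address -> set of filtered directions
    for line in config.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        peer, rest = m.group(1), m.group(2).split()
        if rest[:1] == ["remote-as"] and len(rest) >= 2:
            remote_as[peer] = int(rest[1])
        elif rest[:1] == ["prefix-list"] and len(rest) == 3:
            filters.setdefault(peer, set()).add(rest[2])
    findings = {}
    for peer, asn in remote_as.items():
        if asn == local_as:
            continue  # iBGP neighbour: the rule concerns external peers
        missing = sorted({"in", "out"} - filters.get(peer, set()))
        if missing:
            findings[peer] = missing
    return findings

if __name__ == "__main__":
    for peer, missing in audit_bgp_filters(SAMPLE_CONFIG, 104).items():
        print(f"{peer}: no prefix-list for direction(s) {', '.join(missing)}")
```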
Once this has been configured, has the BGP session with the Route Server established? If not, why not? What do the router logs tell you?
You will notice from the logs that the router is complaining about a BGP peer AS not being in the announced AS path - this is Cisco IOS protecting against improper BGP announcements, as according to the BGP RFC, the AS of the neighbouring router must appear as the adjacent AS in the AS PATH. And if you recall from earlier in the notes, that was a special feature of the Route Server: its AS does not appear in the path.
So we need to turn this safety check off in IOS. The command is configured under the BGP process, so the check is turned off for every eBGP neighbour of this router, not only the Route Server, which makes the inbound prefix filters all the more important:

    router bgp 105
     no bgp enforce-first-as

Once this has been done, you will see that the eBGP session with the Route Server has established.
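Why the check fails for routes heard from the Route Server, and what still guards the session once it is disabled, as an added Python model (not part of the lab material). The routes are constructed, the function names are hypothetical, and the model treats the first-AS check as a per-route decision, which is a simplification of what the router does.

```python
import ipaddress

RS_AS = 65534  # Route Server AS used in this lab

# The IXP-RS prefix-list from the AS104 example: entries without ge/le.
IXP_RS = [ipaddress.ip_network(f"100.68.{n}.0/24") for n in (10, 20, 30, 40, 50, 60)]

def first_as_ok(peer_as, as_path):
    """enforce-first-as: the leftmost AS in the AS path must be the peer's AS."""
    return bool(as_path) and as_path[0] == peer_as

def prefix_list_permits(prefix, entries):
    """Without ge/le an entry matches only the identical network and length."""
    return ipaddress.ip_network(prefix) in entries

def accept_from_rs(prefix, as_path, enforce_first_as):
    """Return (accepted, reason) for one route heard from the Route Server."""
    if enforce_first_as and not first_as_ok(RS_AS, as_path):
        return False, "first AS in path is not the peer AS"
    if not prefix_list_permits(prefix, IXP_RS):
        return False, "denied by prefix-list IXP-RS"
    return True, "accepted"

# Constructed routes as AS104 would hear them from the Route Server. The path
# starts with the originating member because the RS does not add AS 65534.
ROUTES = [
    ("100.68.10.0/24", [101]),   # AS101's block
    ("100.68.10.0/25", [101]),   # more-specific sent by mistake
    ("0.0.0.0/0", [101]),        # default route sent by mistake
]

if __name__ == "__main__":
    for enforce in (True, False):
        print(f"enforce-first-as {'on' if enforce else 'off'}")
        for prefix, path in ROUTES:
            ok, reason = accept_from_rs(prefix, path, enforce)
            print(f"  {prefix:<16} path {path}: {reason}")
```

With the check on, even the legitimate /24 is refused; with it off, the exact-length prefix-list is what keeps the more-specific and the default route out.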
What do you now see in the BGP table?
What about the routes between you and your private peer that you set up earlier? Which is the best path now? Through the IXP, or over the private peering link?
We are now going to deal with the issue where we see two paths between us and our private peer. One is via our private peering link, the other is via our peering with them across the IXP.
In day to day Internet operations, network operators prioritise links according to the value they attach to them - the list goes something like this:
|Type of Link||Priority (local preference)|
Obviously there will be many variations on this theme, but the principle remains the same. Peering links have no operational cost, so are highly preferred over links which have an operational cost (transit). Private peering links are preferred over IXP links as the former is brokered directly with the partner, while the IXP links are via a third party infrastructure. It is not physically possible to peer privately with every operator, and this is the function that the IXP then provides (as was covered in the course presentations).
We will now attach local preference to the routes we hear from our private peer and from the IXP Route Server, according to the table above.
To do this we will create two route-maps, one for the private peer, the other for the RS peering. Here is an example for AS101:
    route-map private-peer-in permit 10
     set local-preference 200
    !
    route-map IXP-RS-peer-in permit 10
     set local-preference 170
    !
    router bgp 101
     address-family ipv4
      neighbor 100.68.10.26 route-map private-peer-in in
      neighbor 100.127.1.254 route-map IXP-RS-peer-in in
     !
     address-family ipv6
      neighbor 2001:DB8:10:12::1 route-map private-peer-in in
      neighbor 2001:DB8:FFFF:1::FE route-map IXP-RS-peer-in in
     !

Once this is configured, do a route-refresh inbound on the two peerings, and you should now see the local preferences attached to the routes from the IXP and from the private peer. What has happened now?
Check on the Border, Core, Access and Peering Routers for what you now see in the BGP table.
What is the best path to your private peer? What does traceroute tell you?
Hopefully you will see that the best path to your private peer will be via the private peering link. And the routes to the rest of the class will be via the Internet Exchange Point. The only traffic going via the Upstream Provider now will be traffic out to the Internet itself. If this is not the case, you will need to start doing some troubleshooting!
The final part of this workshop lab is to investigate how to set up peering directly with IXP Peers. There are three types of peering policies adopted by network operators today:
|Open||Network Operator will peer with all comers, no questions asked. At an IXP this means they will peer with the Route Server.|
|Selective||Network Operator will usually peer with most operators, but enters a conversation with the peering partner first before establishing the link. At an IXP this means they will set up a direct peering across the IX fabric.|
|Restricted||Network Operator will choose who they peer with, under very stringent conditions. They rarely show up at an IXP, and if they do, peering will be directly across the IX fabric.|
We have set up our peering at the moment to assume that all groups have an Open peering policy. But what if they had a Selective policy instead? How do we configure that?
What we will do now is modify our eBGP at the IXP so that we also include a direct eBGP session with our IXP peers. We’ll set this up to supplement the Route Server (or we could simply remove the Route Server peering once we have peered with all members of the IXP).
Here is a configuration example for AS102, peering with AS103 (again noting that we are re-using configuration created earlier on):
    ip prefix-list AS102-block permit 100.68.20.0/24
    ipv6 prefix-list AS102-v6block permit 2001:DB8:20::/48
    !
    ip prefix-list AS103-block permit 100.68.30.0/24
    ipv6 prefix-list AS103-v6block permit 2001:DB8:30::/48
    !
    route-map IXP-bilateral-in permit 10
     set local-preference 170
    !
    router bgp 102
     address-family ipv4
      neighbor 100.127.1.3 remote-as 103
      neighbor 100.127.1.3 description eBGP with AS103
      neighbor 100.127.1.3 password cisco
      neighbor 100.127.1.3 prefix-list AS102-block out
      neighbor 100.127.1.3 prefix-list AS103-block in
      neighbor 100.127.1.3 route-map IXP-bilateral-in in
     !
     address-family ipv6
      neighbor 2001:DB8:FFFF:1::3 remote-as 103
      neighbor 2001:DB8:FFFF:1::3 description eBGP with AS103
      neighbor 2001:DB8:FFFF:1::3 password cisco
      neighbor 2001:DB8:FFFF:1::3 prefix-list AS102-v6block out
      neighbor 2001:DB8:FFFF:1::3 prefix-list AS103-v6block in
      neighbor 2001:DB8:FFFF:1::3 route-map IXP-bilateral-in in
     !
What do you see now?
You should see two paths to your IXP peers - they are almost indistinguishable apart from the router-id of the neighbouring router - one will be of the route-server, the other will be of the direct eBGP peer.
Repeat the above for all the members of the IXP.
Once you are peering with all of the members of the IXP, you can remove your peering with the Route Server if you wish:
This appendix shows the configuration of the route server used for this workshop. It is Cisco IOS based - most route servers today run either on BIRD or a modified version of Quagga.
    interface FastEthernet0/0
     description IXP LAN
     ip address 100.127.1.254 255.255.255.0
     ipv6 address 2001:DB8:FFFF:1::FE/64
    !
    router bgp 65534
     bgp log-neighbor-changes
     bgp deterministic-med
     no bgp default ipv4-unicast
     neighbor ixp-peers peer-group
     neighbor ixp-peers password ixp-rs
     neighbor v6ixp-peers peer-group
     neighbor v6ixp-peers password ixp-rs
     neighbor 100.127.1.1 remote-as 101
     neighbor 100.127.1.1 peer-group ixp-peers
     neighbor 100.127.1.1 description AS101 peer
     neighbor 100.127.1.2 remote-as 102
     neighbor 100.127.1.2 peer-group ixp-peers
     neighbor 100.127.1.2 description AS102 peer
     neighbor 100.127.1.3 remote-as 103
     neighbor 100.127.1.3 peer-group ixp-peers
     neighbor 100.127.1.3 description AS103 peer
     neighbor 100.127.1.4 remote-as 104
     neighbor 100.127.1.4 peer-group ixp-peers
     neighbor 100.127.1.4 description AS104 peer
     neighbor 100.127.1.5 remote-as 105
     neighbor 100.127.1.5 peer-group ixp-peers
     neighbor 100.127.1.5 description AS105 peer
     neighbor 100.127.1.6 remote-as 106
     neighbor 100.127.1.6 peer-group ixp-peers
     neighbor 100.127.1.6 description AS106 peer
     neighbor 2001:DB8:FFFF:1::1 remote-as 101
     neighbor 2001:DB8:FFFF:1::1 peer-group v6ixp-peers
     neighbor 2001:DB8:FFFF:1::1 description AS101 peer
     neighbor 2001:DB8:FFFF:1::2 remote-as 102
     neighbor 2001:DB8:FFFF:1::2 peer-group v6ixp-peers
     neighbor 2001:DB8:FFFF:1::2 description AS102 peer
     neighbor 2001:DB8:FFFF:1::3 remote-as 103
     neighbor 2001:DB8:FFFF:1::3 peer-group v6ixp-peers
     neighbor 2001:DB8:FFFF:1::3 description AS103 peer
     neighbor 2001:DB8:FFFF:1::4 remote-as 104
     neighbor 2001:DB8:FFFF:1::4 peer-group v6ixp-peers
     neighbor 2001:DB8:FFFF:1::4 description AS104 peer
     neighbor 2001:DB8:FFFF:1::5 remote-as 105
     neighbor 2001:DB8:FFFF:1::5 peer-group v6ixp-peers
     neighbor 2001:DB8:FFFF:1::5 description AS105 peer
     neighbor 2001:DB8:FFFF:1::6 remote-as 106
     neighbor 2001:DB8:FFFF:1::6 peer-group v6ixp-peers
     neighbor 2001:DB8:FFFF:1::6 description AS106 peer
     !
     address-family ipv4
      neighbor ixp-peers route-server-client
      neighbor 100.127.1.1 activate
      neighbor 100.127.1.2 activate
      neighbor 100.127.1.3 activate
      neighbor 100.127.1.4 activate
      neighbor 100.127.1.5 activate
      neighbor 100.127.1.6 activate
      distance bgp 200 200 200
     exit-address-family
     !
     address-family ipv6
      neighbor v6ixp-peers route-server-client
      neighbor 2001:DB8:FFFF:1::1 activate
      neighbor 2001:DB8:FFFF:1::2 activate
      neighbor 2001:DB8:FFFF:1::3 activate
      neighbor 2001:DB8:FFFF:1::4 activate
      neighbor 2001:DB8:FFFF:1::5 activate
      neighbor 2001:DB8:FFFF:1::6 activate
      distance bgp 200 200 200
     exit-address-family
    !
    ip route 0.0.0.0 0.0.0.0 Null0
    ipv6 route ::/0 Null0