Interconnection Quarterly

https://static1.squarespace.com/static/5e013aba1c79407e08cf53bc/t/60610a0a5517c019d36a2083/1616972299607/Foundations+-+Interconnection+Quarterly+%284Q2020%29+.pdf

From Christian Koch from Foundations

I am excited to reveal that my quarterly interconnection update has
transformed into the Interconnection Quarterly, a hand-tailored,
independent briefing on the interconnection industry. Right now, my plans
are to publish the Interconnection Quarterly shortly after the last public
companies report earnings, as I’ve done with the previous updates. This
may change in the future, but for now, this is the plan.
In this inaugural issue, you’ll find the latest financial and business metrics
for select data center operators and interconnection platforms, as well as
insights into key developments and newsworthy events that occurred
within the fourth quarter of 2020.
We’re at an important juncture for interconnection, and while it still may
be seen by some as just a basic service that a data center or colocation
provider must offer, the truth is, that interconnection is much more
important.
From cross-connects to cloud networks, the constant here is in the
connection. How that connection is established and what you can do
with it is what’s changing as we adapt to a world powered by software in
the cloud.

Preseem now supports IPv6

https://docs.preseem.com/changes

Features

IPv6

Preseem now supports IPv6 for all use cases. This includes the ability to assign subscribers a prefix of arbitrary length.

IPv4 with Prefixes of Arbitrary Length

Previously Preseem modelled subnet assignments to customers as a number of /32 assignments. For example a subscriber who was assigned a /30 would result in four internal /32 mappings. Preseem now supports assigning any prefix length to a subscriber without expanding these into /32 entries internally.

OpenGear Resilience gateway for ISPs

Some quick notes and screenshots from the OpenGear Resilience Gateway https://opengear.com/products/acm7000-resilience-gateway . The model I am working with is the ACM7004-2-L. It has 4 serial Cisco Straight pinout, Dual 1 GbE Ethernet, Global 4G LTE-A Pro cellular, 2 DIO, and 2 output ports.

So what does this thing do and what can it do for you as an ISP? At the basic level, this is a console server with multi wan capability. What this means is when the crap hits the fan you should be able to login to this device across the internet and see what your switches and routers are doing across a console connection. In most ISP scenarios they are bringing in their internet connections from another provider and landing it on a switch or a router. As most followers of this blog know I am a fan of switch-centric based setups. this means your transport and internet connections are landed on a switch or switches and then a router on a stick attaches to these switches.

So why would you need this setup? Not every POP site justifies, or has available multiple transport or internet connections. Imagine you have a switch plugged in and that switch doesn’t come back from a reboot or power event? Without a console server such as this you are driving to the site and plugging in a console cable to see what is going on. With this you can access the device over on of the multiple wan connections, including a cellular connection to gain console access.

Even in redundant setups, a console server can give you insight into what is going on with a router or switch. You can access the console port without ever having to drive. Is the switch booting? Is it getting stuck on a bootloader somewhere? This is all information you can gain from the console port.

Some Screenshots of the Gui. One of the things I like is the dashboard. I am a sucker for dashboards. One reason I am is on any new piece of gear I am reviewing or learning a well thought out dashboard will give me much of the information I need to know. Are my interfaces up? Have VPN connections established? These can help me learn as well as save time troubleshooting

Some interesting notes about the features of this device. It does have environmental status indicators. If you have a device that you can plug into one of the console ports either via USB or rj45 console you can use the gateway to monitor this. Couple this with the Nagios and/or SNMP integration you now have a temperature, door alarm, or other sensors for your remote sites.

View of the back of the unit.

Other notable features include Digital Input and output, remote syslog monitoring, IPSec and OpenVPN, and many other features. If you are deploying lots of these Opengear has a Lighthouse Server for centralized management.

One of the best things I like about this is you are able to access the console server via the web interface. And the best thing? No Java required. This saves from remembering complicated port numbers, for when you ssh and want to access a specific device.

So how am I using this in a network? this device is going at a data center. The client has two cisco switches and two mikrotik routers which will plug into this. It will have an in-band wan connection on a management vlan directly into both routers. If both of these routers are down the gateway has a cellular backup with a IPSEC VPN to a router in a remote data center. You could always switch this up by connecting your second ethernet port into a secondary ISP in the data center. Some networks have a management router where management devices such as this plug into. I have done this with Mikrotik 4011s and it works just fine. I can plug an in-band connection into the mikrotik and a secondary ISP such as a cable or other ISP in the data center.

The cost may discourage some folks. On Amazon, these are just under a thousand dollars. If you need more console ports the price goes up from there. To them, I say what are the costs of downtime and your time. For this client, the closest tech is an hour away. I am two hours away. If a simple firmware or bootloader command fixes a switch not booting and turns 2 hours of minimum downtime into 5 minutes that is a huge win.

Look for a video overview soon.

Cisco High Availability design

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.
To view this content, you must be a member of Justin Wilson's Patreon
Already a qualifying Patreon member? Refresh to access this content.

Hurricane Electric now requires IRR and filters invalid RPKI

If you are a Hurricane Electric customer you may be receiving e-mails like the following:

Dear ASXXX,

Routing Security Report for ASXXX

Hurricane Electric cares about your routing security.  We filter all BGP sessions using prefix filters based on IRR and RPKI.

This report is being sent to help you identify prefixes which may need either their IRR or RPKI information created or updated 
and to also help you identify possibly hijacked routes you may be accepting and reannouncing.  

Routes with RPKI status INVALID_ASN strongly indicate a serious problem.

IPv4 SUMMARY

Routes accepted: 3
Routes rejected: 3
Routes with RPKI status VALID: 0
Routes with RPKI status INVALID: 0

IPv6 SUMMARY

Routes accepted: 1
Routes rejected: 0
Routes with RPKI status VALID: 0
Routes with RPKI status INVALID: 0

We currently do not have a valid as-set name for your network.  Please add an export line to your aut-num ASXXXX 
that references your as-set name.  For example,

export: to AS-ANY announce your-as-set-name

If you do not currently have an as-set, we recommend you create one named ASXXXX:AS-ALL

Your as-set should contain just your ASN and your customers' ASNs and/or as-sets (not your peers or upstream providers).

What does this mean for you as a service provider? If you use Hurricane Electric as transit or peer with them on an exchange you will need to have ROAs for your blocksand have routing registry objects. I did a tutorial based upon Arin which can be found at: https://blog.j2sw.com/networking/routing-registries-and-you/

In short you need to do the following:

  • Create a mntner object (equivalent of a user account) to give you the ability to create IRR objects in your selected IRR database
  • Create an aut-num to represent your autonomous system and describe its contact information (admin and technical) and your routing policy
  • Create an as-set to describe which autonous system numbers your peers should expect to see from you (namely your own and your transit customers)
  • Create a route/route6 object for every prefix originated from your network
  • Update your peeringdb profile to include your IRR peering policy
  • Generate RPKI https://www.arin.net/resources/manage/rpki/roa_request/#creating-a-roa-in-arin-online

Clarification:
Some folks are confusing having valid ROAs with your router supporting RPKI with route origin validation in real-time. These two are separate things. You create ROA records with your RIR, such as ARIN, which has nothing to do with route validation on your router.

Also, HE is filtering any RPKI INVALID routes. Does this mean they are requiring RPKI? You be the judge.