I have changed the permalink structure to make the pages more friendly and more SEO friendly. Let me know if you see any issues or can’t reach things.
BGP communities can be powerful, but to many people they are an almost mystical thing. If you aren’t familiar with communities, start here at Wikipedia. For part one of this article we will talk about communities and how they can be used to classify traffic coming into your network. Part two will talk about applying what you have classified to your peers.
So let’s jump into it. Let’s start with XYZ ISP. They have the following BGP peers:
-Peer one is Typhoon Electric. XYZ ISP buys an internet connection from Typhoon.
-Peer two is Basement3. XYZ ISP also buys an internet connection from Basement3.
-Peer three is Mauler Automotive. XYZ ISP sells internet to Mauler Automotive.
-Peer four is HopOffACloud web hosting. XYZ ISP and HopOffACloud are in the same data center and have determined they exchange enough traffic between their ASNs to justify a dedicated connection.
-Peer five is the local Internet exchange (IX) in the data center.
So now that we know who our peers are, we need to assign some communities and classify who goes in which community. The thing to keep in mind here is that communities are something you come up with yourself. There are common numbers people use for communities, but there is no rule about what you have to number your communities as. Before we proceed we also need to know what our own ASN is. For XYZ we will say they were assigned AS64512. Those familiar with BGP will notice this is a private ASN; I used it only to lessen any confusion. If you are following along at home, replace 64512 with your own ASN.
So we will create four communities.
64512:100 = transit
64512:200 = peers
64512:300 = customers
64512:400 = my routes
Where did we create these? For now on paper.
So let’s break down each of these and how they apply to XYZ network. If you need some help with the terminology see this previous post.
64512:100 – Transit
Transit will apply to Typhoon Electric and Basement3. These are companies you are buying internet transit from.
64512:200 – Peers
Peers apply to HopOffACloud and the IX. These are folks you are just exchanging your own and your customer’s routes with.
64512:300 – Customers
This applies to Mauler Automotive. This is a customer buying Internet from you. They transit your network to get to the Internet.
64512:400 – Local
This applies to your own prefixes. These are routes within your own network or this particular ASN.
Our next step is to take the incoming routes and classify each one into one of these communities. Once they are classified we can act on them.
If we wanted to classify the Typhoon Electric traffic we would do the following in Mikrotik land:
/routing filter add action=passthrough chain=TYPHOON-IN prefix=0.0.0.0/0 prefix-length=0-32 set-bgp-communities=64512:100 comment="Tag incoming prefixes with :100"
This would go at the top of your filter chain for the Typhoon Electric peer. This simply applies 64512:100 to the prefixes learned from Typhoon.
In Cisco Land our configuration would look like this:
route-map Typhoon-in permit 20
 match ip address 102
 set community 64512:100
The above Cisco configuration creates a route map, matches a pre-existing access list numbered 102, and applies community 64512:100 to the prefixes learned. Note that a plain set community replaces any communities already on the route; add the additive keyword if you want to keep what the neighbor sent.
For Juniper you can add the following command to an incoming peer in policy-options:
set community Typhoon-in members 64512:100
In Junos this only defines the community; to apply it you reference it from a term in the policy-statement used as that peer’s import policy (for example then community add Typhoon-in).
So what have we done so far? We have taken the prefixes received from Typhoon Electric and applied community 64512:100 to them. This simply puts a classifier on everything learned from that peer. We can repeat the same rule for each of our other peers, tagging each one with the community we decided on for it.
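Here is an added example, not the post’s own code, that models the inbound tagging above in Python: the peer names and community values are the post’s, while the function names and the Route class are hypothetical. It adds one check the post does not show, stripping any 64512:* community a neighbor sent before tagging, so a peer cannot hand you a route already marked as one of your own.

```python
from dataclasses import dataclass, field

MY_ASN = 64512
# Classification plan from the post: which peer gets which tag on the way in.
PEER_CLASS = {
    "Typhoon Electric": "transit",
    "Basement3": "transit",
    "HopOffACloud": "peers",
    "IX": "peers",
    "Mauler Automotive": "customers",
}
COMMUNITY = {"transit": f"{MY_ASN}:100", "peers": f"{MY_ASN}:200",
             "customers": f"{MY_ASN}:300", "local": f"{MY_ASN}:400"}


@dataclass
class Route:
    prefix: str
    peer: str                       # hypothetical: which neighbour sent it
    communities: set = field(default_factory=set)


def strip_own_communities(route):
    """Drop any 64512:* community a neighbour attached before we tag.
    Left in place, a peer could hand us a route already marked 64512:400
    and have our later policy treat it as one of our own prefixes."""
    route.communities = {c for c in route.communities
                         if not c.startswith(f"{MY_ASN}:")}
    return route


def tag_inbound(route, additive=True):
    """The rule at the top of each inbound filter chain: classify by peer.
    additive=False mirrors a plain Cisco 'set community X', which replaces
    whatever communities the route carried; additive=True keeps them."""
    tag = COMMUNITY[PEER_CLASS[route.peer]]
    route = strip_own_communities(route)
    route.communities = (route.communities | {tag}) if additive else {tag}
    return route


def classify(routes):
    """Apply the inbound rule to every route in a received table."""
    return [tag_inbound(r) for r in routes]


if __name__ == "__main__":
    # Constructed sample routes (documentation prefixes and ASN, not real data).
    table = [Route("203.0.113.0/24", "Typhoon Electric", {"64496:10", "64512:400"}),
             Route("198.51.100.0/24", "Mauler Automotive")]
    for r in classify(table):
        print(r.prefix, r.peer, sorted(r.communities))
```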
In our next segment we will learn what we can do with these communities.
As a service provider you have a mountain of terms to deal with. As you dive into the realm of BGP, you will hear many terms in regards to peers. Knowing their names AND your definition of them will serve you well. I emphasized the "and" in the last sentence because many people have different definitions of what these terms mean. This can be due to how long they have been dealing with networks, what they do with them, and other such things. For example, many content providers use the term transit differently than an ISP does. So, let’s get on to it.
Transit or upstream
This is what you will hear most often. A transit peer is someone who you go “through” in order to reach the internet. You transit their network to reach other networks. Many folks use the term “upstream provider” when talking about someone they buy their internet from.
Someone who is “downstream” is someone you are providing Internet to. They are “transiting” your network to reach the Internet. This is typically someone you are selling Internet to.
Peer
This is the term which probably needs the most clarification when communicating with others about how your BGP is set up. "Peer" is most often used as a generic term, much like soda (or pop, depending on where you are from). For example someone could say:
“I have a peer set up with my upstream provider, who is Cogent.” This is perfectly acceptable when used with the addition of “my upstream provider”. Peers are often referred to as “neighbors” or “BGP neighbors”.
Local or Private Peer
So what is a local peer? A local peer is a network you are “peering” with where you are only exchanging routes which are their own or their downstream networks’. Local peering most often happens at an Internet Exchange (IX) but can happen at any common point where networks meet. The most important thing that defines a local peer is that you are not using them to reach IP space which is not being advertised from their ASN. Your peering relationship is just between the two of you. This gets a little muddy when you are peering on an IX, but that’s being picky.
I have trained myself to qualify what I mean by a peer when talking about them. I will often say a “transit peer” or a “local peer”. This helps add a little bit of clarity to what I mean.
Why is this all important? For one, it helps with keeping everyone on the same page when talking about peering. I had a case a few weeks ago where a content provider and I wasted configuration time because our definitions of transit were different. Secondly, you want to be able to classify your peers so you can apply different filter rules to them. For example, with a downstream peer you only want to accept the IP space they have shown you is their own. That way you are not sending your own transit traffic over their network. This would be bad. However, if you are accepting full routes from your transit provider, you want your filters to accept much more IP space than from a downstream provider. So if you have a team, being able to be on the same page about peers will help when it comes to writing filters, and how your routers “treat” the peer in terms of access lists, route filters, etc.
Are you signing your domains with dnssec? You should be.
Do you use a wifi finder app on your Android device? If so, your username and password may have been compromised. The above article identifies the apps which “leak” passwords.