Sunday, August 18, 2019

Internet Edge Redesign

I have been given a rare opportunity to basically start from scratch with our BGP peering configuration to our Internet providers. Don't downgoat yet, this is not a "how do I?" post. I just want your thoughts.

If you are a service provider, I'd like to have a candid perspective. What do your customers do that you absolutely hate? What do your "model" customers do that most do not? You see where I'm going with this.

Whether or not you are an ISP, what are some best practices? While BCP 194 is full of great advice, it is not the be-all, end-all, and is generally SP-oriented.

Our setup: We peer with two ISPs from both of our centralized data centers. That is, ISP1 terminates on DC1-Edge1 and DC2-Edge1, and ISP2 terminates on DC1-Edge2 and DC2-Edge2. Our circuits into the secondary DC are low bandwidth / burstable; they are low-cost DR connections unless we mess up and use them in non-DR situations.

ASN: We have one ARIN-assigned ASN. If I need to push for a second one, now is the time.

IPv4: We actually have an ARIN-assigned Class B. It rarely sees the light of day on the Internet, but our firewalls use addresses from the upper-most /21 for NAT. In particular, DC1 will use addresses from anywhere in the 252.0 - 255.255 range, and DC2 will use addresses from the 248.0 - 251.255 range.

Our DMZ and most other public-facing services use address space from a /21 allocated from ISP1. Not really sure why we did that, but it's deeply embedded at this point. We do announce that /21 to both providers.

The current plan is to announce the aggregate /16 and /21 from both data centers, to both ISPs, with 3x prepend out of DC2. Out of DC2, I was also going to announce the longer 248.0/22 with no prepending.

IPv6: We have an ARIN-assigned /36, but we're not as cool as you because we don't use ours in any real capacity at this time. I was going to simply announce the /36 from both DCs, with 3x prepending out of DC2.

Thoughts? Either on the design or in general?
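The announcement plan above, modelled as an added example (not part of the original post), to show which data center a remote network would deliver inbound traffic to in normal and failure states. The prefixes and ASN are constructed placeholders, and route selection is simplified to longest-prefix match followed by AS-path length; provider local-preference, which can override prepending, is not modelled.

```python
import ipaddress

# Constructed placeholders: the post does not give its real prefixes or ASN.
AGG16 = ipaddress.ip_network("198.18.0.0/16")        # stands in for the ARIN /16
PA21 = ipaddress.ip_network("198.19.8.0/21")         # stands in for the ISP1-assigned /21
DC2_NAT22 = ipaddress.ip_network("198.18.248.0/22")  # the 248.0/22 used for DC2 NAT
ASN = 64500   # documentation-range ASN, hypothetical
PREPEND = 3   # extra copies of the ASN added out of DC2


def announcements():
    """Return (prefix, origin DC, AS path) for every route in the plan."""
    routes = []
    for prefix in (AGG16, PA21):
        routes.append((prefix, "DC1", [ASN]))
        routes.append((prefix, "DC2", [ASN] * (1 + PREPEND)))
    # The more-specific /22 leaves DC2 only, with no prepending.
    routes.append((DC2_NAT22, "DC2", [ASN]))
    return routes


def inbound_dc(address, routes, withdrawn=()):
    """Pick the DC that receives traffic for address.

    Longest matching prefix wins first; AS-path length only breaks ties
    between routes for the same prefix. DCs listed in withdrawn have
    stopped announcing (simulated outage).
    """
    addr = ipaddress.ip_address(address)
    candidates = [r for r in routes if addr in r[0] and r[1] not in withdrawn]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (-r[0].prefixlen, len(r[2])))
    return best[1]


if __name__ == "__main__":
    routes = announcements()
    samples = {
        "DC1 NAT range": "198.18.252.10",
        "DC2 NAT range": "198.18.250.10",
        "ISP1-assigned /21": "198.19.9.1",
    }
    for label, ip in samples.items():
        print(f"{label:18} normal={inbound_dc(ip, routes)} "
              f"DC1-down={inbound_dc(ip, routes, withdrawn=('DC1',))} "
              f"DC2-down={inbound_dc(ip, routes, withdrawn=('DC2',))}")
```

In this model the /22 pulls DC2's NAT range to DC2 regardless of prepending, and with DC2 withdrawn that range falls back to DC1 through the aggregate /16.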


