Monday, April 13, 2020

Advice on Private Peering with Customers

I'm going to be setting up some peering with multiple (maybe 20) customers/vendors we work with over private circuits, either with direct cross-connects or virtual ones using Equinix ECX. They need to be able to send traffic to our datacenter and we want return traffic to go back over the same link.

My thoughts were to set up a VRF per customer and assign a /29 subnet in the 10/8 network for the link. On our end we would use our main ASN, and on their end they can use a real ASN if they have one; otherwise they can just use a private ASN. BGP between us and them, with prefix lists filtering everything inbound/outbound to the IPs we agree on. Some customers may not own their own IP blocks/ASN, so we would want to be careful what we allow.

On our end we advertise the same public IPs we also advertise over the internet. We accept public IPs from the customer.

Once the routes are advertised between them and our VRF we leak their routes from the VRF into our default routing table and let it propagate to the rest of our network. Same story in reverse for some routes in our default VRF to them.

The reason I am looking at VRFs is so they can't route anything to us but traffic destined for our datacenter. We don't want them to advertise our IP blocks to their upstream carriers, and we won't advertise their IPs to ours. Neither of us wants to be used as a transit ASN for the other.
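As an added illustration (not from the post), here is what that design looks like for one customer in Cisco IOS-style syntax: a per-customer VRF, a /29 link from 10/8, neighbor prefix-lists in both directions, NO_EXPORT on what we send, and route-maps that leak only the agreed prefixes between the VRF and the global table. Our ASN 65000, the customer's private ASN 64512, VLAN 101, and the RFC 5737 documentation prefixes (192.0.2.0/24 as our datacenter block, 203.0.113.0/24 and 198.51.100.0/24 as the customer's) are all assumptions.

```cisco
! Hypothetical config for one private peer; all names, ASNs and prefixes are assumed.
vrf definition CUST-A
 rd 65000:101
 address-family ipv4
  ! Leak only the agreed customer prefixes from this VRF into the global table
  export ipv4 unicast map CUST-A-TO-GLOBAL
  ! ...and only our datacenter block from the global table into this VRF
  import ipv4 unicast map GLOBAL-TO-CUST-A
 exit-address-family
!
interface GigabitEthernet0/1.101
 description Private peering to Customer A (ECX virtual circuit, VLAN 101)
 encapsulation dot1Q 101
 vrf forwarding CUST-A
 ip address 10.255.0.1 255.255.255.248
!
! Inbound: exactly the blocks Customer A is agreed to originate; the "le 26"
! allows their deaggregation down to /26 but nothing more specific.
ip prefix-list CUST-A-IN seq 10 permit 203.0.113.0/24
ip prefix-list CUST-A-IN seq 20 permit 198.51.100.0/24 le 26
! Outbound: only our own datacenter block, so we are never their transit.
ip prefix-list CUST-A-OUT seq 10 permit 192.0.2.0/24
!
route-map CUST-A-TO-GLOBAL permit 10
 match ip address prefix-list CUST-A-IN
!
route-map GLOBAL-TO-CUST-A permit 10
 match ip address prefix-list CUST-A-OUT
!
! Tag what we send with NO_EXPORT so the customer's routers will not
! re-advertise our block to their upstream carriers.
route-map CUST-A-NO-EXPORT permit 10
 set community no-export
!
router bgp 65000
 address-family ipv4 vrf CUST-A
  neighbor 10.255.0.2 remote-as 64512
  neighbor 10.255.0.2 description Customer A (private ASN)
  neighbor 10.255.0.2 activate
  neighbor 10.255.0.2 send-community
  neighbor 10.255.0.2 prefix-list CUST-A-IN in
  neighbor 10.255.0.2 prefix-list CUST-A-OUT out
  neighbor 10.255.0.2 route-map CUST-A-NO-EXPORT out
  ! Tear the session down if they ever send far more than agreed
  neighbor 10.255.0.2 maximum-prefix 20
 exit-address-family
```

The inbound prefix-list and the export map both have to agree before a customer route reaches the global table, so a mistake in one is still caught by the other; a customer with its own public ASN gets the same template with only `remote-as` changed.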

Is this a good approach or is there something else I should be doing?


