how to multi-home avi freedman vp engineering abovenet communications
TRANSCRIPT
How to Multi-Home
Avi Freedman
VP Engineering
AboveNet Communications
What is Multi-Homing?
• Multi-homing is the process of selecting, provisioning, and installing a redundant connection to the Internet.
• Could be the same provider, or a different provider.
Why Multi-Home?
• Slow is 1,000,000% better than dead.
• You may be out of bandwidth.
• And– Telco circuits die.– Routers die.– Providers’ networks fail.– Different networks have better performance to
different sites.
A Multi-Homed Architecture
• Ideally, take advantage of the opportunity to multi-home to remove all single points of failure in your network.
• Use -– Multiple providers, unless your current
provider will let you have cheap backup– Multiple routers– Multiple telco vendors
Multi-Homed Architecture
• Two routers, each with a different WAN connection from a different telco vendor.
• Use HSRP or VRRP internally to make both routers look like one “virtual” router.
• Eventually, multiple providers.
• Upcoming Boardwatch article with configs.
How the Internet Works• Well, it breaks more than it works but when it
does work -
• The Internet is a network of networks.
• Each network (called Autonomous System) on the Internet announces “routes”, which are lists of the IP addresses of the boxes on their network.
• You need to be able to send packets *to*, and get packets *from*, everywhere.
Inbound Traffic - Routes• Routes are announced via BGP4 (the Border
Gateway Protocol)
• Routers are announced to BGP peers.
• Each “BGP peer” can be a “network peer” or a “transit peer”.
• Network peers exchange just lists of customer routes.
• Each route is tagged by the ASNs it passes through.
Inbound Traffic - Routes
• So when AboveNet and UUNET peer, only AboveNet and UUNET routes are exchanged. No Sprint, PSI, etc...
• Transit peers -– Announce to their customers all of the routes on
the ‘net (AboveNet, UUNET, Sprint, PSI, and the 60,000+ routes on the ‘net).
– Announce to their peers all routes heard via transit.
Inbound Traffic - Routes
• So if you advertise 207.106.96.0/19 to AboveNet, -– If you’re a network peer, they only re-announce
207.106.96.0/19 to customers (and use it internally);
– If you’re a transit peer/customer, they announce 207.106.96.0/19 to all of their network peers.
• That’s how you get global *inbound* reachability.
Address Space Issues
• Noone wants to hear a route for you unless -– You are multi-homed (even then, some people
don’t want to hear routers), or– You have your own direct IP space allocation from
ARIN, RIPE, or APNIC.
• So, when you’re single-homed without your own space, your IPs are reachable because they’re part of your provider’s “aggregate” block.
Address Space Issues
• For example, your provider has 207.8.128.0/17.
• You have 27.8.197.0/24 from them.
• You’re single-homed.
• The only route on the ‘net for you is the 207.8.128.0/17 route, “originated” by your provider’s ASN (and you don’t have to do anything special).
Address Space Issues
• If you have your own CIDR block and are single-homed, your provider will originate it.
• So, if you have 219.190.64.0/19, it’ll be visible as an announcement by your provider, originated into the BGP mesh with your provider’s ASN as the “origin”.
Address Space Issues
• If you have your own IP space and want to multi-home, addressing issues are simple.
• Your other provider will start also originating your IP blocks.
• Or you’ll start speaking BGP, originate your IP blocks, and your providers will re-advertise them to the world.
Address Space Issues
• If you don’t have your own IP space, it’s a bit more complicated.
• So, normally your ISP will only be advertising 207.8.128.0/17 if you have 207.8.200.0/23.
• If you’re multi-homed, your other provider will have to advertise 207.8.200.0/23.
• But *so will your first provider*.
• Why?
Address Space Issues
• Routes are chosen first by specificity.
• That is, to how many IP addresses they refer.
• The route “covering” the fewest IP is the most specific, and wins.
• (Otherwise default would always win and nothing would work.)
Address Space Issues
• So, if ISP 1 advertises only 207.8.128.0/17 and ISP 2 advertises only 207.8.200.0/23, all inbound traffic from the ‘net will come in on ISP2.
• So, ISP 1 needs to “blow a hole in their filters” to “leak” the more specific 207.8.200.0/23 route.
Address Space: Filtering
• Some ISPs do or did filter on routes smaller than (more specific than) /19s in > 205.0.0.0 space.
• But it doesn’t matter as long as your two upstreams have good connectivity.
• Why?
Address Space: Filtering
• If Sprint doesn’t see 207.8.200.0/23 from ISP1 or ISP2, they’ll still see your provider’s 207.8.128.0/17 route.
• So if your connectivity to ISP1 (the owner of 207.8.128.0/17) goes down, all will be well as long as ISP1 still sees 207.8.200.0/23 from ISP2.
• Sprint -> ISP1 -> ISP2
• This is why people don’t let you take IPs...
Load-Balancing Outbound
• You can use static default routes to control outbound packets. – ip route 0.0.0.0 0.0.0.0 serial0/0– ip route 0.0.0.0 0.0.0.0 serial1/0
• If they’re equal-cost (no metric at the end), it’ll load-balance based on *destination*, by default.
Load-Balancing Outbound
• Why load-balance based on destination?
• For internal networking, sometimes per-packet-load balancing makes sense.
• But if you’re trying to talk to England and one provider has a 60ms path and the other has a 150ms path, packets will arrive out of order and TCP and UDP apps get unhappy and slow.
How it works, Single-Homed
• Outbound (easy):– Use a default route to your provider.
• Inbound:– Your provider originates a large (aggregate)
BGP route, and gives you some space from inside it; and/or
– Your provider originates BGP routes for your ARIN/RIPE/APNIC CIDR blocks as well.
How it Works, Multi-Homed, Static• Outbound (easy):
– Load-balance default routes to deal with outbound packets.
• Inbound:– Your providers both originate BGP routes for just
the address space you’re using, even if it’s out of one provider’s space; and/or
– Your providers both originate BGP routes for your ARIN/RIPE/APNIC CIDR blocks as well.
How it Works, Multi-Homed, Static• Special note:
– When providers configure BGP for single-homed customers, they will generally “nail up” your routes (even your directly-issued) CIDR blocks, so that if your connection goes down and up and down and ..., they don’t have to flap that route out to the whole Internet. This is a good thing.
How it Works, Multi-Homed, Static• Special note (ctd):
– But you NEED to make sure, when you’re multi-homed, that the providers are NOT nailing your routes up.
– Why?– Because if they do, when one T1 goes down,
that provider will still advertise you to the world, thus “blackholing” you.
How it Works, Multi-Homed, BGP
• Topic of next talk.
• You either load-balance outbound with statics, or take full routes from your providers (if you can).
• You originate advertisements under your ASN for your directly-issued CIDR blocks, AND for the parts of your providers’ space that you’re using (with their permission).
The Transition: Static Routing
• To transition:– Turn up the other T1/T3/Ethernet.– Put IPs on the interface. – Run tests end-end.– Start load-balancing default to the new T1.– Then, in the middle of the night, have the new
provider start advertising your IP space. Make sure you have reachability to every other ISP you can think of afterwards.
The Transition: Static Routing
• To transition (ctd):– After testing it live, turn off your other transit
pipes and make sure that, after a few minutes, you still have connectivity.
The Transition: BGP Routing
• To transition:– Turn up the other T1/T3/Ethernet.– Put IPs on the interface. – Run tests end-end.– Start load-balancing default to the new T1.– Then, undo that and bring up a BGP session that
permits no routes either way.– Then start taking routes, and watch outbound
traffic.
The Transition: BGP Routing
• To transition (ctd):– Then, start announcing your routes.– Then, in the middle of the night, have your ISP take
out the static route and BGP announcement they were making.
– Make sure your route is propagating.– Test reachability.– Turn off your other pipes.– Test reachability.
BGP or no?• Advantages of doing static -
– Cheaper/smaller routers (less true nowadays)
– Simpler to configure
• Advantages of doing BGP -– More control of your destiny (have providers stop
announcing you)
– Faster/more intelligent selection of where to send outbound packets.
– Better debugging of net problems (you can see the Internet topology now)
Same Provider or Multiple?
• If your provider is reliable and fast, and affordably, and offers good tech-support, you may want to multi-home initially to them via Frame, SMDS, or some backup path (slow is 1,000,000% better than dead).
• Eventually you’ll want t multi-home to different providers, to avoid failure modes due to one provider’s architecture decisions.
• Nailing routes