APRICOT II

APRICOT II

Internet Exchange Point

A Case Study and Commentary

(Draft Version 1.0)

By Praveen Akarraju, Cisco Systems

Introduction

The APRICOT Internet eXchange Point (IXP) was conceived as a way to demonstrate how Internet service providers can work with each other while demonstrating some of the basic principles of how to configure an IXP.

Many thanks to the group of people who put in extra time and effort in the early morning hours to make this a success.

IXP Configuration Case Study :

Network Description :

The APRICOT IXP network consists of 7 routers (A - K) each in its own AS connected via an FDDI ring. Router K connects to the Hong Kong Internet Exchange (HKIX) AS4635 and 2 other commercial ISP’s. The traffic from the APRICOT IXP is routed out to the Internet via. A T-1 circuit from Globalone (AS4000).

The routing configuration is setup such that the central router, Router K and an edge router, Router A carry full routes while the rest of the routers carry local routes and routes from ISP’s directly connected to them. One such setup is Router B which is connected to the commercial ISP HongKong Star AS4515. Most of the 7 routers are grouped together in a Peer-Group which optimizes and allows for easy enforcement of common policies. There are also inbound and outbound policy rules applied to routing updates using Route Maps, Filter Lists and Distribute Lists. Route Flap Dampening is enabled on Router B such that an external flap doesn’t adversely affect the stability of routers in the IXP. Router K also has Netflow switching enabled which allows for very good traffic analysis.

One interesting case is that of AS4515 which is Multihomed into the IXP. It connects directly to AS7712 (Router B) and via. AS4635, the HKIX to AS7722 (Router K). This case study contains configurations from 2 typical routers and some "show" outputs which give information on the state of the protocols, interfaces etc.

Some of the router commands displayed are :

- write term -> Displays the running configurations

- sh ip bgp summary -> Displays a list of BGP neighbors

- sh ip bgp neighbor -> Specific information on a neighbor

- sh ip bgp <network> -> Displays the BGP table entry for the network

- sh ip bgp regexp _4515$ -> BGP table entries for routes originating

in AS 4515

- sh ip route <network> -> Displays routing table entries for the network

- traceroute <network> -> Performs a traceroute to specified network

The configurations and the outputs are explained in detail below.

K#wr t

Current configuration:

version 11.1

hostname K

ip subnet-zero

interface Fddi1/0

description Apricot Test GIX Backbone

ip address 169.223.0.15 255.255.255.0

no ip redirects

no ip directed-broadcast

no ip proxy-arp

ip route-cache same-interface

ip route-cache flow

no keepalive

interface Serial6/0

description T1 to HKT NetPlus network

ip address 169.223.1.21 255.255.255.252

no ip redirects

no ip directed-broadcast

no ip proxy-arp

ip route-cache flow

interface Serial6/1

description T1 to HKIX exchange

ip address 169.223.1.25 255.255.255.252

no ip redirects

no ip directed-broadcast

no ip proxy-arp

ip route-cache flow

no fair-queue

autonomous-system 7722

router bgp 7722

no synchronization

bgp dampening

aggregate-address 169.222.0.0 255.254.0.0

aggregate-address 169.222.0.0 255.255.0.0

aggregate-address 169.223.0.0 255.255.0.0

aggregate-address 169.223.0.0 255.255.128.0

aggregate-address 169.223.128.0 255.255.128.0

redistribute connected route-map connected-to-bgp

redistribute static route-map connected-to-bgp

Routers (A - F) can be combined into the Peer Group "External" since router K has the same outbound routing policy to all of them. Using the Peer Group allows for all the policy statements to be defined just one time. The configuration is hence simpler, the other advantage is the reduction in CPU utilization due to optimization of the routing update process in the router.

This peer-group basically groups together all the router who are a part of the IXP setup.

neighbor external peer-group

neighbor external send-community

neighbor external version 4

neighbor external distribute-list 180 in

neighbor external distribute-list 180 out

neighbor external route-map in-peer in

neighbor external filter-list 198 out

Routers in the Peer Group "External" have the Access-List 180 applied to Routing Updates being received from and sent to them. Also, the Route-Map "in-peer" is applied to received updates and filter-list 198 is applied to updates being sent out.

Distribute-List 180 : This policy rule applied in the inbound and outbound routing updates ensures that the RFC1918 private addresses are no sent out or received in.

Filter-List 198 : This when applied to updates in the outbound direction ensures that only routes originating in AS4000, AS4635, AS4637 are sent to members of the IXP peer group "external".

Route-Map In-Peer : This policy rule applied in the inbound direction is used to set the Multi-Exit-Discriminator field on all incoming routes to 10.

neighbor oddball peer-group

neighbor oddball version 4

neighbor oddball distribute-list 180 in

neighbor oddball distribute-list 180 out

neighbor oddball route-map in-peer in

neighbor full peer-group

neighbor full version 4

neighbor full distribute-list 180 in

neighbor full distribute-list 180 out

neighbor full route-map in-peer in

This part of the configuration lists the BGP neighbors of router K

neighbor 169.223.0.3 remote-as 7717

neighbor 169.223.0.3 peer-group oddball

neighbor 169.223.0.4 remote-as 7717

neighbor 169.223.0.4 peer-group oddball

neighbor 169.223.0.10 remote-as 7711

neighbor 169.223.0.10 peer-group full

neighbor 169.223.0.11 remote-as 7712

neighbor 169.223.0.11 peer-group external

neighbor 169.223.0.12 remote-as 7713

neighbor 169.223.0.12 peer-group external

neighbor 169.223.0.13 remote-as 7714

neighbor 169.223.0.13 peer-group external

neighbor 169.223.0.14 remote-as 7715

neighbor 169.223.0.14 peer-group external

neighbor 169.223.0.20 remote-as 7716

neighbor 169.223.0.20 peer-group external

neighbor 202.40.161.1 remote-as 4635

neighbor 202.40.161.1 version 4

neighbor 202.40.161.1 distribute-list 190 in

neighbor 202.40.161.1 distribute-list 191 out

neighbor 202.40.161.1 route-map from-transit in

neighbor 204.59.88.29 remote-as 4000

neighbor 204.59.88.29 version 4

neighbor 204.59.88.29 distribute-list 190 in

neighbor 204.59.88.29 distribute-list 191 out

neighbor 204.59.88.29 route-map from-transit in

neighbor 205.252.130.169 remote-as 4637

neighbor 205.252.130.169 version 4

neighbor 205.252.130.169 distribute-list 190 in

neighbor 205.252.130.169 distribute-list 191 out

neighbor 205.252.130.169 route-map from-transit in

no auto-summary

ip classless

ip route 169.222.0.0 255.254.0.0 Null0

ip route 169.222.31.0 255.255.255.128 169.222.47.1

ip route 169.223.128.0 255.255.128.0 Null0

ip route 202.40.161.1 255.255.255.255 169.223.1.26

ip route 205.252.130.169 255.255.255.255 169.223.1.22

ip as-path access-list 198 permit ^$

ip as-path access-list 198 permit ^(4000|4635|4637)$

Listed here are the Access Lists which are applied to the incoming and outgoing routing updates. (The function of each of these lists is described in more detail below)

access-list 100 deny ip any any

access-list 101 deny ip any any

access-list 180 deny ip host 0.0.0.0 any

access-list 180 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255

access-list 180 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255

access-list 180 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255

access-list 180 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255

access-list 180 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255

access-list 180 deny ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255

access-list 180 deny ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255

access-list 180 deny ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255

access-list 180 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255

access-list 180 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255

access-list 180 permit ip any any

access-list 190 deny ip host 0.0.0.0 any

access-list 190 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255

access-list 190 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255

access-list 190 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255

access-list 190 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255

access-list 190 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255

access-list 190 deny ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255

access-list 190 deny ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255

access-list 190 deny ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255

access-list 190 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255

access-list 190 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255

access-list 190 deny ip any 255.255.255.128 0.0.0.127

access-list 190 permit ip any any

access-list 191 permit ip host 169.222.0.0 host 255.254.0.0

access-list 191 permit ip host 169.222.0.0 host 255.255.0.0

access-list 191 permit ip host 169.223.0.0 host 255.255.0.0

access-list 191 permit ip host 169.223.0.0 host 255.255.128.0

access-list 191 permit ip host 169.223.128.0 host 255.255.128.0

access-list 191 deny ip any any

This section contains the Route Maps which enforce policy rules

route-map connected-to-bgp permit 10

set origin igp

route-map in-peer permit 10

set metric 10

set community 7722:6 additive

Apricot GIX Hong Kong

K.ix.hk.apricot.net

end

The output of a sh ip bgp summary provides the following information :

- List of BGP neighbors.

- Number of entries in the BGP table and the associated memory usage.

- Number of routes affected by Flap Dampening

Note the AS number associated with each Neighbor. In this case all the routers in the IXP (Routers A- F) are EBGP peered with each other.

K#sh ip bgp summary

BGP table version is 274609, main routing table version 274609

42593 network entries (43712/87144 paths) using 7565272 bytes of memory

7705 BGP path attribute entries using 981356 bytes of memory

3776 BGP route-map cache entries using 60416 bytes of memory

3776 BGP filter-list cache entries using 60416 bytes of memory

Dampening enabled. 167 history paths, 85 dampened paths

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State

169.223.0.3 4 7717 1234 210478 274609 0 0 00:03:39

169.223.0.4 4 7717 1622 167227 274609 0 0 15:53:43

169.223.0.10 4 7711 2471 54753 274609 0 0 19:53:21

169.223.0.11 4 7712 2263 2143 274609 0 0 18:53:43

169.223.0.12 4 7713 2023 2072 274609 0 0 18:44:11

169.223.0.13 4 7714 2040 2073 274609 0 0 18:42:55

169.223.0.14 4 7715 2009 2069 274609 0 0 18:41:31

169.223.0.20 4 7716 2268 2076 274609 0 0 18:40:01

202.40.161.1 4 4635 7246 1472 274598 0 0 18:17:11

204.59.88.29 4 4000 17570 1450 274598 0 0 1d00h

205.252.130.169 4 4637 96694 2005 274598 0 0 1d07h

The output of a "sh ip bgp neighbor" give detailed information on the associated EBGP neighbor. This includes the policy rules applied to updates coming from and going to this neighbor, traffic information as well as information on the BGP state machine.

K#sh ip bgp neighbor 169.223.0.11

BGP neighbor is 169.223.0.11, remote AS 7712, external link

Index 1, Offset 0, Mask 0x2

external peer-group member

Community attribute sent to this neighbor

BGP version 4, remote router ID 169.223.1.5

BGP state = Established, table version = 274610, up for 18:54:07

Last read 00:00:08, hold time is 180, keepalive interval is 60 seconds

Minimum time between advertisement runs is 5 seconds

Received 2264 messages, 0 notifications, 0 in queue

Sent 2144 messages, 0 notifications, 0 in queue

Inbound path policy configured

Outbound path policy configured

Incoming update network filter list is 180

Outgoing update network filter list is 180

Outgoing update AS path filter list is 198

Route map for incoming advertisements is in-peer

Route map for outgoing advertisements is out-peer

Connections established 15; dropped 14

Connection state is ESTAB, I/O status: 1, unread input bytes: 0

Local host: 169.223.0.15, Local port: 179

Foreign host: 169.223.0.11, Foreign port: 12808

Enqueued packets for retransmit: 0, input: 0, saved: 0

Event Timers (current time is 0x71B0228):

Timer Starts Wakeups Next

Retrans 1154 0 0x0

TimeWait 0 0 0x0

AckHold 1140 782 0x0

SendWnd 0 0 0x0

KeepAlive 0 0 0x0

GiveUp 0 0 0x0

PmtuAger 0 0 0x0

iss: 491726530 snduna: 491749646 sndnxt: 491749646 sndwnd: 14864

irs: 491733038 rcvnxt: 491754960 rcvwnd: 16042 delrcvwnd: 342

SRTT: 300 ms, RTTO: 607 ms, RTV: 3 ms, KRTT: 0 ms

minRTT: 0 ms, maxRTT: 500 ms, ACK hold: 300 ms

Flags: passive open, nagle, gen tcbs

Datagrams (max data segment is 4312 bytes):

Rcvd: 2293 (out of order: 0), with data: 1140, total data bytes: 21921

Sent: 1942 (retransmit: 0), with data: 1153, total data bytes: 23115

Using the command "sh ip bgp regexp _4515$" we can view the list of routes that originated in the AS 4515. The output shown here is the BGP table entries of routes from AS 4515 along with metric, local preference and AS path info.

K#sh ip bgp regexp _4515$

BGP table version is 274639, local router ID is 169.223.1.29

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

* 165.202.0.0 202.40.161.1 0 4635 4515 i

* 169.223.0.11 10 0 7716 7712 4515 i