Recommended
More Related Content
What's hot
What's hot (20)
Similar to AWS Advanced Networking: BGP
Similar to AWS Advanced Networking: BGP (20)
Recently uploaded
Recently uploaded (20)
AWS Advanced Networking: BGP
- 1. 1 Advanced Networking Part 3: Border Gateway Protocol September 27, 2019
- 2. 2 Today’s Agenda • Recap: IP, Routing • Multiple Route • Examples: Using AWS DirectConnect
- 3. 3 Haftungsausschluss Negante Take Notice • Adv Networking • Prerequisite: Basic understanding of networking, IP addressing, subnetting, routing • Big topic
- 4. 4 Recap What we’ve discussed previously
- 5. 5 Routing Quick Overview: Transitive Routing 192.168.0.0/24 Network A Network B 192.168.1.1192.168.0.1 Destination Gateway 192.168.1.0/24 192.168.1.1 Destination Gateway 192.168.0.0/24 192.168.0.1 Network C 192.168.2.1 Destination Gateway 192.168.1.0/24 192.168.2.0/24 Destination Gateway 192.168.1.0/24 192.168.1.1 Destination Gateway 192.168.0.0/24 192.168.0.1 192.168.2.0/24 192.168.2.1 Destination Gateway 192.168.1.0/24 192.168.1.1 192.168.2.0/24 192.168.1.1 Destination Gateway 192.168.1.0/24 192.168.1.1 192.168.0.0/24 192.168.1.1 RECAP
- 6. 6 Multiple Paths! Eek 192.168.0.0/24 Network A Network B 192.168.1.1192.168.0.1 Network C 192.168.2.1 192.168.1.0/24 192.168.2.0/24 192.168.4.0/24 Network E 192.168.4.1 Destination Gateway 192.168.0.0/24 192.168.0.1 192.168.1.0/24 ???? 192.168.2.0/24 ???? 192.168.3.0/24 192.168.3.1 192.168.3.0/24 Network D 192.168.3.1 Destination Gateway 192.168.4.0/24 192.168.4.1 192.168.1.0/24 192.168.1.1 192.168.2.0/24 ???? 192.168.3.0/24 ????
- 7. 7 Many, Multiple Paths How do we get there? • How do we figure out all these routes? • How can we further simplify route discovery? • How do we handle multiple paths to the same network?
- 8. 8 Multiple Route Problems, but a path ain’t one How do I get there?
- 9. 9 Route discovery Routing Protocols • Distance Vector Protocols • Track hop count • Sends its neighbor copies of its routes • Ex: RIP, RIP2 • Link State Protocols • Stitches a complete picture of its topology • Knows what node is connected to what other node • Each node independently calculates a best path to another • Ex: OSPF • Internal Routing Protocols
- 10. 10 Route discovery Routing Protocols • Path Vector Protocol – BGP • Understands that there are multiple paths to a destination • Think “GPS maps” • What’s the best path to get to where I want to go? • Considers nodes as autonomous systems to determine path
- 11. 11 What is BGP “Border Gateway Protocol is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems on the Internet”
- 12. 12 What is an AS(N) “An autonomous system (AS) is a network or a collection of networks that are all managed and supervised by a single entity or organization.” • Internet: Network of networks • These networks are numbered, e.g. 64514 (16bit) • BGP manipulates its route or determines its path by tracking ASN’s
- 13. 13 BGP Multiple paths 192.168.0.0/24 Network A Network B 192.168.1.1192.168.0.1 Network C 192.168.2.1 192.168.1.0/24 192.168.2.0/24 192.168.4.0/24 Network E 192.168.4.1 192.168.3.0/24 Network D 192.168.3.1 A A, B A, B, C A, B, C, D A, E A, E, D 1 Mbps 100 Mbps 100 Mbps 100 Mbps 100 Mbps
- 14. 14 AS_PATH prepending Manipulating Paths • Several methods by which paths can be weighted or manipulated • AS_Path prepending • Artificially increase route cost • Shared with neighbors • Add additional AS paths to create the illusion of a less desirable route • Propagated to neighbors
- 15. 15 BGP Path manipulation 192.168.0.0/24 Network A Network B 192.168.1.1192.168.0.1 Network C 192.168.2.1 192.168.1.0/24 192.168.2.0/24 192.168.4.0/24 Network E 192.168.4.1 192.168.3.0/24 Network D 192.168.3.1 A A, B A, B, C A, B, C, D A, E A, E, D 1 Mbps 100 Mbps 100 Mbps 100 Mbps 100 Mbps A, E, E, E A, E, E, E, D
- 16. 16 Overarching inbound and outbound traffic BGP Path Decision Process Weight (highest) LOCAL_PREF Locally generated route (aggregated) Shortest AS_PATH Lowest ORIGINLowest MED eBGP over iBGP Closest IGP neighbor Oldest eBGP route Lowest neighbor BGP Lowest neighbor IP address
- 17. 17 Examples Practical Examples Route Advertisements and AWS DirectConnect
- 18. 18 Public virtual interface vs Private virtual interface for AWS Direct Connect Public Virtual Interface • Connect to AWS public endpoints such as S3 or EC2 • Connect to all AWS public IP spaces globally. • Access Amazon services in any region Private Virtual Interface • Private services such as VPC • Connect on your private IP addresses or endpoint.
- 19. 19 Controlling routes advertised and received to specific scope • Control routes over AWS public virtual interface with Direct Connect. • DC supports a range of BGP community tags • Control scope to regional, continent or global • Use combination of community tags to control routes over public VIF
- 20. 20 Public VIF—Global Public Access AWS Direct Connect applies the following BGP communities to its advertised routes: • 7224:8100 Routes that originate from the same AWS Region in which the AWS Direct Connect point of presence is associated • 7224:8200 Routes that originate from the same continent with which the AWS Direct Connect point of presence is associated • No tag Global (all public AWS Regions)
- 21. 21 Public VIF – Same Region (Ireland)
- 22. 22 Public VIF – Same Continent (Frankfurt)
- 23. 23 Public VIF – Global (Canada)
- 24. 24 Public VIF— Global Public Access You can use the following BGP communities for your prefixes: • 7224:9100 Local AWS Region • 7224:9200 All AWS regions for a continent (for example, North America–wide) • 7224:9300 Global (all public AWS Regions)
- 25. 25 Private VIF – Egress local-pref • 7224:7100 Low Preference • 7224:7200 Medium Preference • 7224:7300 High Preference
- 26. 26 Active / Passive Direct Connect
- 27. 27 Active / Passive Direct Connect • Two routers to terminate primary and secondary DX connections • Private virtual interface on each DX routers terminate to same VPC • HA routing protocols on two routers – allow local servers to use multiple routers that act as a single virtual router. • Active/Passive or Failover – AS path prepend
- 28. 28 Active / Active Direct Connect
- 29. 29 Active / Active Direct Connect • DX connections to separate DX routers in two locations from two independently configured customer devices. • VGW will prefer to send to 10.0.0.0/16 traffic to Data Center 1 • VGW will prefer to send 10.1.0.0/16 to Data Center 2 • Only reroute traffic if connectivity is down.
- 30. © 2018 Slalom, LLC. All rights reserved. The information herein is for informational purposes only and represents the current view of Slalom, LLC. as of the date of this presentation. SLALOM MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Editor's Notes
- Big topic: not CCNA CCIP, or CCIE, not comprehensive
- In Part 1, Network Fundamentals, we discussed IP’s and subnetting In Part 2, Transit Gateway, we discussed routing and how networks talk to each other You might remember this nugget
- Pl-id = logical representation of IP’s for server (S3)
- To use the GPS analogy, the nodes are considered autonomous systems
- Pl-id = logical representation of IP’s for server (S3)
- Notice routers, moving them to the edge Let’s look at the world from Network A’s perspective A wants to talk to D
- Up to now Route Discovery and Management Next Zubin: practical examples and WHAT we propagate
- https://aws.amazon.com/premiumsupport/knowledge-center/control-routes-direct-connect/ Direct Connect supports a range of Border Gateway Protocol (BGP) community tags to help control the scope of routes advertised and received over a public VIF. And the scope options being regional, continent, or global. AWS has something called Scope BGP communities to allow you to achieve the scope. A community is piece of metadata attached to a route when its being advertised. Show an example of this in the following slides. You can use any combination of the community tags to control the routes advertised and received over an AWS public VIF. There is also something called Local Preference BGP Communities which you can use to achieve load balancing and route preference for incoming traffic to your network on a private virtual interface.
- These tags are set by the AWS, and are not managed by you. They are attached on routes AWS advertises to you over the public vif. This is so you can filter based on geographies. -- Review PowerPoint So for example If you connect to AWS North America and only use north America based resources you have the ability to filter routes that you learn from direct connect with the 7224:8200 route. Based on the filter you can accept or deny these routes into your route table. So for example accept all routes that are tagged with 7224:8200.
- 52.218.48.0/24 (CIDR used for S3) is in Dublin So this gives you the community tag of 8100 and 8200 since it is in the same region and contintent
- 52.219.73.0/24 (CIDR used for S3) is in Frankfurt So this gives you the community tag of 8200 since Frankfurt it is in the same region and contintent
- 52.95.147.0/24 (CIDR used for S3) is in Canada So this gives you the community tag of no-export, or no tag since you are outside the region or continent and at a global level.
- These are AWS route scoping tags that are applied by you and sent to AWS. These are how far customer accouncements propagate within aws. -- powerpoint For example: if you attach 7224:9100 to the routes you advertise AWS contain that announcement and only use it within that region.
- No community tags attached from AWS towards the customer gateway or you. These are attached to routes being sent by you to AWS. The route with the highest preference is preferred, if all paths are equal including this local preference then the shortest AS_path will be chosen. However, if you applied the High Preference to the longer AS_Path then you can engineer the traffic to the longer path without adding more specific routes.
- https://aws.amazon.com/premiumsupport/knowledge-center/active-passive-direct-connect/ Active Passive or failover, One connection is handling traffic and other is on standby. If the active connection becomes unavailable, all traffic is routed through the passive connection.
- https://aws.amazon.com/answers/networking/aws-multiple-data-center-ha-network-connectivity/ Avoids a single point of device failure This maintains connectivity even if the primary router fails. The secondary router will take over and become active. It can run an internal routing protocol such as iBGP (explain iBGP) which will learn routes from DX EBGP (explain) and distribute prefixes to internal iBGP gateways. To achieve Active/Passive or Failover you will need to AS path prepend the routes on one of your links for it to be the passive link. This related to the The BGP Best Path Algorithm which decides how the best path to an autonomous system is selected. Common value is the AS Path length. When two or more routes exist to reach a particular prefix the default in BGP is to prefer the route with the shortest AS Path. The secondary router will advertise a longer AS path so traffic from VPC to network will
- https://aws.amazon.com/answers/networking/aws-multiple-data-center-ha-network-connectivity/ Active / Active or BGP multipath is the default configuration where both connections are active. AWS DX supports multipathing to multiple virtual interfaces within the same location. Traffic is load shared between interfaces based on flow. If one connection becomes unavailable, all traffic is routed through the other connection.
- https://aws.amazon.com/answers/networking/aws-multiple-data-center-ha-network-connectivity/ More specific routes: With this approach, both Customer Device 1 and Customer Device 2 advertise a summary route of 10.0.0.0/15. In addition, Customer Device 1 advertises 10.0.0.0/16 and Customer Device 2 advertises 10.1.0.0/16. AWS will use the more specific routes to send traffic to the appropriate data center, and will fail back to the other data center following the summarized route if the more specific route becomes temporarily unavailable. AS-path prepending: With this approach, both Customer Device 1 and Customer Device 2 advertise 10.0.0.0/16 and 10.1.0.0/16. However, Customer Device 1 uses AS-path prepending when advertising the 10.1.0.0/16 network to make this route less preferred. Likewise, Customer Device 2 uses AS-path prepending when advertising the 10.0.0.0/16 network to make this route less preferred. AWS will use the preferred routes to send traffic to the appropriate data center, and will fail back to the other data center following the less preferred routes when necessary. If your organization already leverages AS-path prepending for influencing route preferences, then the latter approach will likely align more closely with your existing routing policies. Otherwise, the approach using more specific routes is a great place to start.