Creating Communities to apply to BGP

Posted: Fri May 04, 2018 4:44 pm
by webix
Hello all.

Before I start describing my problem, I will try to explain as well as I can the configuration I have (picture below for a better view).
- I have my own range of IP addresses that I am announcing with my own ASN.
- I have only one internet provider, which I connect to directly.
- The above internet provider doesn't have communities.
- I have a GRE tunnel established with a 2nd provider.
- I am announcing the IPs on both providers with BGP.
- I am very new to BGP and routing, and I've been reading about BGP and Mikrotik configurations for some time now; the configuration I made so far is very basic (even the filters).

Now, here's the complicated part: My problem.
I want to split the incoming traffic between national and international. I want all my national traffic to come directly through ISP Provider 1 and the rest over ISP Provider 2.

I've been reading several posts here and over the internet. Some say it's not possible to control the incoming traffic, others say it's possible to control the traffic incoming to my ASN. So, I am really a bit confused about it.

What I know is that I can control the incoming traffic with communities. But my provider doesn't have communities.
So... I came up with this idea: Since the IP space in my country doesn't change too much, is it possible that I create myself a list with the ranges in my country and set them on a community which I will then apply to BGP? Will that work?

If anybody has a better suggestion, I am all ears.

Note: I've already seen someone controlling this the way I wanted. He doesn't have communities either. But, for obvious reasons, he doesn't want to help on this.

Regards

Re: Creating Communities to apply to BGP

Posted: Sun May 06, 2018 2:28 pm
by Vooray
The only way to control your announce propagation on the upstream side is communities (yes, you can ask your ISP to change the announcement scheme for you personally, but it is not desired). If your ISP does not support them, you cannot do anything on your side.
Splitting traffic into national and international does not make sense to me, cos your national networks could come to your network from international sources.
Using GRE for border routing does not make sense to me either. There are some specific cases where you have to do so, but it should not be used on a regular basis.

Re: Creating Communities to apply to BGP

Posted: Mon May 07, 2018 4:07 pm
by sri2007
Hi... that's correct: if your provider doesn't support communities, then you don't have too much work. However, have you tried to use prepends? If your provider doesn't support communities, I think its local preference values are default for everything (100); you'll need to double-check this with a looking glass. The second idea: is the second provider an IXP or maybe a NAP? Those are really common, and you don't need to do any weird stuff, just advertise them the same prefixes as to your international provider, then this path will always be preferred within the national network.

Where are you trying to implement this? I have some particular cases in Chile where the IXPs do support communities.

Re: Creating Communities to apply to BGP

Posted: Tue May 08, 2018 3:22 pm
by webix
> Splitting traffic into national and international does not make sense to me, cos your national networks could come to your network from international sources.
> Using GRE for border routing does not make sense to me either. There are some specific cases where you have to do so, but it should not be used on a regular basis.

Our network is many times the destination of DDoS attacks, which come 98% from international sources. The GRE tunnel is established with an ISP that can block a very high volume of DDoS attacks. The downside is that the latency is high.
On the national side, the attacks are very low because the network doesn't have enough power to provide an attack that can make the router unavailable.

This is why we want to split the traffic into national and international.

> Hi... that's correct: if your provider doesn't support communities, then you don't have too much work. However, have you tried to use prepends? If your provider doesn't support communities, I think its local preference values are default for everything (100); you'll need to double-check this with a looking glass. The second idea: is the second provider an IXP or maybe a NAP? Those are really common, and you don't need to do any weird stuff, just advertise them the same prefixes as to your international provider, then this path will always be preferred within the national network.
> Where are you trying to implement this? I have some particular cases in Chile where the IXPs do support communities.

I already configured the prepends to the max (16). All national traffic comes from ISP1, but the traffic from Cogentco is still coming too. Everything else is coming through ISP2 as intended.
About the local preference, I tried to set a value of 99 to ISP1 and 101 to ISP2, but I got everything down... Maybe I am making some mistakes here...

Regards
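An added illustration (not from any poster in this thread) of the BGP best-path behaviour behind the result above: LOCAL_PREF is chosen by the receiving AS's import policy and is compared before AS_PATH length, so a transit network such as Cogent that prefers routes learned from its customer ISP1 will keep sending traffic via ISP1 no matter how many prepends are added; likewise, local preference set on the poster's own router only influences his outbound path choice. All AS numbers, the prefix and the preference values are constructed.

```python
# Minimal model of the two BGP decision steps relevant to the thread:
# highest LOCAL_PREF wins, ties go to the shortest AS_PATH.
# Constructed values: none of these ASNs or prefixes belong to anyone here.
from dataclasses import dataclass

MY_ASN = 65000     # stand-in for the poster's own ASN
ISP1_ASN = 65001   # direct national upstream
ISP2_ASN = 65002   # GRE-tunnelled upstream with DDoS filtering
PREFIX = "198.51.100.0/24"


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple   # leftmost AS is the neighbor the route was heard from
    local_pref: int  # assigned by the RECEIVING AS; never carried between ASes


def prepend(path, asn, count):
    """Model an outbound filter that prepends `asn` `count` extra times."""
    return (asn,) * count + path


def best_path(candidates):
    """Best-path selection reduced to LOCAL_PREF, then AS_PATH length."""
    return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path)))


def announcements(prepends_to_isp1):
    """AS_PATH each upstream hears from us; only the ISP1 side is padded."""
    origin = (MY_ASN,)
    return {ISP1_ASN: prepend(origin, MY_ASN, prepends_to_isp1),
            ISP2_ASN: origin}


def third_party_choice(prepends_to_isp1, pref_via_isp1, pref_via_isp2):
    """Which upstream a network beyond both ISPs (e.g. ISP1's transit) uses.
    pref_via_* are that network's own local-pref values for routes learned
    from ISP1 and ISP2; nothing we announce can change them."""
    ann = announcements(prepends_to_isp1)
    via_isp1 = Route(PREFIX, (ISP1_ASN,) + ann[ISP1_ASN], pref_via_isp1)
    via_isp2 = Route(PREFIX, (ISP2_ASN,) + ann[ISP2_ASN], pref_via_isp2)
    return best_path([via_isp1, via_isp2]).as_path[0]


if __name__ == "__main__":
    # Equal local-pref on both routes: 16 prepends shift traffic to ISP2.
    print(third_party_choice(16, 100, 100))
    # Customer route preferred (a common transit policy): prepends are ignored.
    print(third_party_choice(16, 200, 100))
```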

Re: Creating Communities to apply to BGP

Posted: Wed May 09, 2018 2:47 pm
by Vooray
Hey. The DDoS protection topic is more complicated than BGP communities. And I don't think that you can solve it by splitting traffic into national for unfiltered and international for filtered. More to say, this international DDoS traffic can be originated in your country but with spoofed sources. Do you use uRPF in your AS? Not everyone does so, and it leads to such spoofed DDoS attacks.

Re: Creating Communities to apply to BGP

Posted: Tue May 15, 2018 10:59 pm
by webix
> Hey. The DDoS protection topic is more complicated than BGP communities. And I don't think that you can solve it by splitting traffic into national for unfiltered and international for filtered. More to say, this international DDoS traffic can be originated in your country but with spoofed sources. Do you use uRPF in your AS? Not everyone does so, and it leads to such spoofed DDoS attacks.

Hey Vooray.

I use loose source validation on my AS. I understand that DDoS is a complicated topic and I need to build up some mixed setup with sFlow to complement the Cymru config I already have.
I already tried to change the import entries in the RIPE database, but I still can't get things split correctly.

Only the BGP Prepend effectively does something... but not enough.

Cheers