TOWARDSAPROGRAMMABLETRAFFICENGINEERINGENGINE

GRNOG9KostasZorbadelos

kzorbaATnixlyDOTnet

1

OUTLINEProblemdescriptionBGProleSolutioncomponentsIP/MPLSReferenceNetworksimulationBGPpolicydesignConfigurationmanagementLABDemo

2

PROBLEMDESCRIPTION

3

TargettedmainlyinISPnetworksDownstreamtrafficisdominantIPNetworkwithmultiplepointsofpresense/geographicallydispersedProvidingcustomertransitservicesHavingmultipleInternettransitprovidersandpeers(inIXesorPNIs)Varyingcostsintransitcapacity,submarinecapacitycanalsobeinvolved

4

NeedtooptimizeincomingtrafficstreamsanddistributethemamongavailablecapacityDoitreliably,withouterrorsDoitquickly,evenrealtime,dependingoncurrenttrafficconditionsAlinkfailure(especiallyinsubmarinecapacity)wouldneedproperactiontobypassthefailureEconomicsarealsoinvolvedintransitservices

5

BGPROLE

6

BGPistheexteriorroutingprotocolbetweenASes

BGPisusedextensivelyfortrafficengineering(whydoyouthinktheFIRTissobig?)

7

BGPTRAFFICENGINEERINGTRICKS

LotsoftricksfortrafficengineeringCommunitiesinannouncementsthataffectmultipleaspectsupstream(LOCAL_PREFERENCE,furtherannouncementstoupstreampeers,evenblackholing)ASPATHprependingMorespecifics(<–quiteeffective)MED(notmuchusedincustomer-transit)ManytimestrialanderrorsinceyouactuallyhavenocontroloutsideofyourAS

8

SOLUTIONCOMPONENTS

9

ManualconfigurationonroutersiscumbersomeInconsistentconfiguration,error-proneRoutersinvolvedcouldbemany,fastreactionnotpossibleConfigurationcouldbeperformedbynetworkoperatorsorevenaprogramwithouthumaninvolvementIdeallyvendorneutral(multiplevendorequipmentinmanynetworks)

10

StandardizedBGPpolicyconfigurationgeneratedbyautomationtoolshighlydesirableTaggingofprefixes(BGPcommunities)affectspolicyCentralizedconfigurationpointConfigurationmanagementtool(salt-sproxy+NAPALM)toenforcestatetoalledgeroutersOnlyneedtothink(orgenerate)thepropertagsintheroutestogetthedesiredoutcomeDesignflexibility,alltrafficengineeringtricksshouldbesupported

11

IP/MPLSREFERENCENETWORKSIMULATION

12

AlabenvironmentwasnecessaryforthedevelopmentCloseemulationoftheproductionIPnetworkMultiplepeerings,transitproviders/peers/customersLabsetupachallengingtaskwithlimitedresourcesThemajorityofthedevelopmenttimewasspentonthenetworkemulationenvironmentTherestwaspolicydesignandautomation

13

LABRESOURCES

Four(4)physicalJuniperrouters(MX240,MX104,2xMX5)One(1)oldserver

EmulationoffullIP/MPLScorewith6routers,3transitproviders,4IXes,PNIs,transitcustomers,totalof21emulatedpeersplusmanagementhostwithSaltinstallation

IBMSystemx3650M3(withdrawnnolongeravailableforordering)Intel(R)Xeon(R)CPUE5640,4cores8threads16GBRAM2x1TBSASdisks

14

Juniperlogicalsystemsanddockertotherescue!EachlabrouterimplementedasalogicalsystemonthephysicalJunipermachinesBGPspeakersaredockercontainerswithGoBGP(triedalsoExaBGP…)Configurationemulatescloselyproductionnetwork(noProuters,onlyPEhavingallthecustomersandpeerings)CompleteIPv4/IPv6addressing,ASnumbersandcommunitiesspecification

15

16

Mainroutingtablecontainsonlyp2plinksandloopbacks(akaIGP)InternetserviceinadedicatedVRFIPv4andIPv6serviceoverMPLStransport(IPv6using6vPE)FullmeshIBGPpeeringsStandardizedBGPOUT-boundpoliciesinEBGPpeerings(forannouncements)Propertaggingofallprefixes

17

BGPPOLICYDESIGN

18

BGPCOMMUNITIES

ABGPcommunityisagroupofdestinationsthatshareacommonpropertyInthebeginningwehadstandardcommunities[rfc1997],32-bit/4octetvalues(as-number:community-value)Networkingenhancements,suchasVPNsbroughtextendedcommunities[rfc4360],64-bit/8-octetvalues(type:administrator:assigned-number)

19

BGPLARGECOMMUNITIES

Bothregularandextendedcommunitiescannotencodetwo32-bitASNvaluesBGPlargecommunities[rfc8092]arecentdevelopment,12octets,three4-byteintegers(example21351:602:6799)toovercomepolicydesignlimitationswith32-bitASNs[rfc8195]UseofBGPLargeCommunitiesinformationalRFCgivingexcellentpolicyexamplesAnIETF“blessed”waytocreatepolicies! 20

LOCATIONCOMMUNITIES(INFORMATIONAL)

Communityvalue

Description

<ASN>:1:<LOC_CODE>

RouteofASNbelongs/originates/wasimportedinlocationwithcodeLOC_CODE

/*locationcommunities*//*codeisISO3166countrycode*/L_LOCATION_FRmemberslarge:65000:1:250L_LOCATION_GFmemberslarge:65000:1:254L_LOCATION_GPmemberslarge:65000:1:312L_LOCATION_MFmemberslarge:65000:1:663L_LOCATION_MQmemberslarge:65000:1:474L_LOCATION_USmemberslarge:65000:1:840

21

DONOTANNOUNCETOPEERAS(ACTION)

Communityvalue

Description

<ASN>:40:<PEER_ASN>

Donotannouncerouteof<ASN>to<PEER_ASN>

L_NO_ANNOUNCE_AS65100memberslarge:65000:40:65100L_NO_ANNOUNCE_AS65101memberslarge:65000:40:65101L_NO_ANNOUNCE_AS65102memberslarge:65000:40:65102L_NO_ANNOUNCE_AS65103memberslarge:65000:40:65103L_NO_ANNOUNCE_AS65200memberslarge:65000:40:65200L_NO_ANNOUNCE_AS65201memberslarge:65000:40:65201L_NO_ANNOUNCE_AS65202memberslarge:65000:40:65202L_NO_ANNOUNCE_AS65203memberslarge:65000:40:65203L_NO_ANNOUNCE_AS65300memberslarge:65000:40:65300L_NO_ANNOUNCE_AS65301memberslarge:65000:40:65301L_NO_ANNOUNCE_AS65302memberslarge:65000:40:65302L_NO_ANNOUNCE_AS65303memberslarge:65000:40:65303

22

ANNOUNCETOPEERAS(ACTION)

Communityvalue

Description

<ASN>:41:<PEER_ASN>

Announcerouteof<ASN>to<PEER_ASN>

/*(tobeusedincombinationwithdonotannouncetolocation)*/L_ANNOUNCE_AS65100memberslarge:65000:41:65100L_ANNOUNCE_AS65101memberslarge:65000:41:65101L_ANNOUNCE_AS65102memberslarge:65000:41:65102L_ANNOUNCE_AS65103memberslarge:65000:41:65103L_ANNOUNCE_AS65200memberslarge:65000:41:65200L_ANNOUNCE_AS65201memberslarge:65000:41:65201L_ANNOUNCE_AS65202memberslarge:65000:41:65202L_ANNOUNCE_AS65203memberslarge:65000:41:65203L_ANNOUNCE_AS65300memberslarge:65000:41:65300L_ANNOUNCE_AS65301memberslarge:65000:41:65301L_ANNOUNCE_AS65302memberslarge:65000:41:65302L_ANNOUNCE_AS65303memberslarge:65000:41:65303

23

PREPENDTOPEERAS(ACTION)

Communityvalue

Description

<ASN>:61:<PEER_ASN>

Prepend<ASN>onceto<PEER_ASN>

<ASN>:62:<PEER_ASN>

Prepend<ASN>twiceto<PEER_ASN>

<ASN>:63:<PEER_ASN>

Prepend<ASN>threetimesto<PEER_ASN>

/*Examples*/L_PREPENDx1_AS65100memberslarge:65000:61:65100L_PREPENDx2_AS65100memberslarge:65000:62:65100L_PREPENDx3_AS65100memberslarge:65000:63:65100 24

DONOTANNOUNCEINLOCATION(ACTION)

Communityvalue

Description

<ASN>:400:<LOC_CODE>

Donotannouncerouteof<ASN>tolocationwithcode<LOC_CODE>

/*<LOC_CODE>isISO3166countrycode*/L_NO_ANNOUNCE_FRmemberslarge:65000:400:250L_NO_ANNOUNCE_GFmemberslarge:65000:400:254L_NO_ANNOUNCE_GPmemberslarge:65000:400:312L_NO_ANNOUNCE_MFmemberslarge:65000:400:663L_NO_ANNOUNCE_MQmemberslarge:65000:400:474L_NO_ANNOUNCE_USmemberslarge:65000:400:840

25

PREPENDINLOCATION(ACTION)

Communityvalue

Description

<ASN>:601:<LOC_CODE>

Prepend<ASN>oncetoallpeersinlocation<LOC_CODE>

<ASN>:602:<LOC_CODE>

twice...

<ASN>:603:<LOC_CODE>

threetimes

26

ROUTETYPES(INFORMATIONAL)

Communityvalue

Description

<ASN>:3:<TYPE_CODE>

RouteofASNisofspecifiedtype

/*Ouraddressspace*/L_ROUTE_INTERNAL_DEFAULTmemberslarge:65000:3:10L_ROUTE_INTERNAL_P2Pmemberslarge:65000:3:101L_ROUTE_INTERNAL_LOOPBACKmemberslarge:65000:3:110L_ROUTE_INTERNAL_AGGREGATEmemberslarge:65000:3:111L_ROUTE_INTERNAL_B2B_CUSTOMERSmemberslarge:65000:3:112L_ROUTE_INTERNAL_RES_CUSTOMERSmemberslarge:65000:3:122L_ROUTE_INTERNAL_PPPmemberslarge:65000:3:132L_ROUTE_ANNOUNCEMENTmemberslarge:65000:3:199

27

ROUTETYPES(CONTINUED)/*Customerroutes*/L_ROUTE_CUSTOMERmemberslarge:65000:3:200/*Peeringpartnerroutes*/L_ROUTE_PEERINGmemberslarge:65000:3:300L_ROUTE_PEERING_LANmemberslarge:65000:3:301L_ROUTE_PEERING_PNImemberslarge:65000:3:302/*Transitroutes*/L_ROUTE_TRANSITmemberslarge:65000:3:400L_ROUTE_TRANSIT_P2Pmemberslarge:65000:3:401

28

STANDARDIZEDEBGPOUTPOLICYPolicyname:<ASN>_<PEER>-V[46]-OUT

cleanRouteTargets/*Part1:handlespecificpeerannouncementsannounceornot*/if(INTERNAL_ANNOUNCEMENT_ROUTEORCUSTOMER_ROUTE)AND(DO_NOT_ANNOUNCE_PEER){reject}if(INTERNAL_ANNOUNCEMENT_ROUTEORCUSTOMER_ROUTE)AND(ANNOUNCE_PEER){accept}...

29

...

/*Part2:handlespecificpeerannouncements*//*prependNtimes*/

if(INTERNAL_ANNOUNCEMENT_ROUTEORCUSTOMER_ROUTE)AND(ROUTE_PREPEND_x_N_PEER){as-path-prepend_x_N<ASN>}

...

30

...

/*Part3:Locationprocessing*/

if(INTERNAL_ANNOUNCEMENT_ROUTEORCUSTOMER_ROUTE)AND(DO_NOT_ANNOUNCE_LOCATION){reject}

if(INTERNAL_ANNOUNCEMENT_ROUTEORCUSTOMER_ROUTE)AND(PREPEND_x_N_LOCATION){as-path-prepend_x_N<ASN>}

...

31

...

/*Final:defaultactions*/

if(INTERNAL_ANNOUNCEMENT_ROUTEORCUSTOMER_ROUTE){accept}

DEFAULT{reject}

32

CONFIGURATIONMANAGEMENT

33

TOOLSSELECTION

AlotofopensourceconfigurationmanagementframeworksSalt(sometimesreferredtoasSaltStack)isanopen-sourcesoftwareforevent-drivenITautomation,remotetaskexecution,andconfigurationmanagementNAPALMisavendorneutral,cross-platformopensourceprojectthatprovidesaunifiedAPItonetworkdevicesAllPythonbased

34

WHYSALTSTACK/SALT?

SaltisaveryflexibleframeworkAnsible++Integratedmodulesfornetworkdeviceconfiguration(NAPALMoneofthem)ScalableandprovenEventdrivenactioncapabilitiesAbitofasteeplearningcurve

35

SALT-ARCHITECTURE

Agentsrunonmanageddevices(minions)InnetworkequipmentproxyminionsareusedOneprocessperdeviceneeded

36

SALT-SPROXY

NewopensourceprojectNotembracedbySaltstack(yet)GivesallSaltframeworkandcapabilities,withouttheneedtorunandhandleminionprocesses(proxy)minionsarestartedon-demandsaltmasternecessarytouseAPIandeventbus

37

LABDEMO

38

39

Terminalrecordeddemo

40

REFERENCES1.

2.3. salt-sproxy

4. :NetworkAutomationandProgrammabilityAbstractionLayerwithMultivendorsupport

5.6.

RFC4364:BGP/MPLSIPVirtualPrivateNetworks(VPNs)JuniperRoutingPoliciesforBGPCommunities

https://github.com/mirceaulinic/salt-sproxyNAPALM

RFC8092:BGPLargeCommunitiesAttributeRFC8195:UseofBGPLargeCommunities

41