BGP prefix filter list

Hello

This morning we apparently had a problem with our routers not handling the full table. So I am looking into culling the least useful prefixes from our tables. I can hardly be the first one to take on that kind of project, and I am wondering if there is a ready made prefix list or similar?

Or maybe we have a list of worst offenders? I am looking for ASNs that announce a lot of unnecessary /24 prefixes and which happen to be far away from us? I would filter those to something like /20 and then just have a default route to catch all.

Thanks,

Baldur

What about these ones?

https://teamarin.net/2019/05/13/taking-a-hard-line-on-fraud/

We recently filtered out >=/24 prefixes since we're impacted by 768k day.
I'm attaching our lightly researched list of exceptions. I'm interested in
what others' operational experience is with filtering in this way.

Filtering /24s cut our table down to around 315K.

punt-768k-day.txt (5.56 KB)

We recently filtered out >=/24 prefixes since we're impacted by 768k day.

What kind of network are you running? Doing such prefix filtering on an eyeball network strikes me as insane - you'd be cutting off customers from huge swathes of the Internet (including small companies like us) that don't have large IPv4 sequential allocations.

If you have multiple transit providers and still want to be able to push traffic to the best path (no default route), then maybe a filter that will accept only AS Path 2/3 or shorter per transit provider, and a default route for the rest. You will get significantly fewer prefixes, and BGP path selection will work “locally”. For far away prefixes though (more than 4 ASes away), you will not (always) pick the best path.
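Added example, not part of the thread: a small Python model of both trimming strategies discussed above (the earlier reply's "drop >= /24 with an exception list plus default" and the per-transit AS-path-length filter with a default for the rest). It builds a constructed two-transit RIB, applies each filter, then checks for a handful of destinations whether they still resolve and whether they still leave via the same transit as with the full table. Every prefix, AS number, destination, and the helper names (`filter_by_length`, `filter_by_path_len`, `best_path`, `compare`) are assumptions made for this illustration; the third scenario removes the default route to show why reachability depends on it.

```python
"""Added example (not from the thread): model a full BGP table, apply the two
trimming strategies discussed here, and check what each one costs.

1. Drop prefixes longer than /23 except a hand-kept exception list, with a
   default route catching the rest.
2. Keep only routes whose AS path is at most N hops per transit session,
   again with a default route for everything else.

All routes, AS numbers and destinations below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # leftmost = the transit neighbour, rightmost = origin AS
    transit: str    # which upstream session (T1 or T2) the route came from


def _r(prefix, *as_path, transit):
    return Route(ipaddress.ip_network(prefix), tuple(as_path), transit)


# Constructed RIB: two transit sessions, each sending a default plus specifics.
SAMPLE_RIB = [
    _r("0.0.0.0/0", 65001, transit="T1"),
    _r("0.0.0.0/0", 65002, transit="T2"),
    _r("198.51.100.0/24", 65001, 64500, transit="T1"),
    _r("198.51.100.0/24", 65002, 64501, 64500, transit="T2"),
    _r("203.0.113.0/24", 65001, 64510, 64511, 64512, transit="T1"),
    _r("203.0.113.0/24", 65002, 64512, transit="T2"),
    _r("192.0.2.0/24", 65001, 64520, transit="T1"),          # think: anycast DNS
    _r("192.0.2.0/24", 65002, 64530, 64520, transit="T2"),
    _r("10.10.0.0/20", 65001, 64540, 64541, transit="T1"),
    _r("10.10.0.0/20", 65002, 64541, transit="T2"),
    _r("10.20.0.0/22", 65001, 64550, 64551, 64552, 64553, transit="T1"),
    _r("10.20.0.0/22", 65002, 64560, 64561, 64553, transit="T2"),
]

# /24s that must survive the length filter (e.g. anycast services); constructed.
EXCEPTIONS = {ipaddress.ip_network("192.0.2.0/24")}

# Constructed test destinations; the last one is covered only by the default.
DESTS = ["198.51.100.5", "203.0.113.5", "192.0.2.5",
         "10.10.1.1", "10.20.1.1", "198.18.0.1"]


def filter_by_length(rib, max_len=23, exceptions=EXCEPTIONS):
    """Strategy 1: drop anything longer than /max_len unless it is an exception."""
    return [r for r in rib if r.prefix.prefixlen <= max_len or r.prefix in exceptions]


def filter_by_path_len(rib, max_hops=2):
    """Strategy 2: keep the default plus routes with an AS path of max_hops or fewer."""
    return [r for r in rib if r.prefix.prefixlen == 0 or len(r.as_path) <= max_hops]


def without_default(rib):
    """Same table but with the default routes removed (to show why they matter)."""
    return [r for r in rib if r.prefix.prefixlen != 0]


def best_path(rib, dest):
    """Longest-prefix match, then shortest AS path; ties keep the first route seen."""
    addr = ipaddress.ip_address(dest)
    cands = [r for r in rib if addr in r.prefix]
    if not cands:
        return None
    longest = max(r.prefix.prefixlen for r in cands)
    return min((r for r in cands if r.prefix.prefixlen == longest),
               key=lambda r: len(r.as_path))


def compare(full, trimmed, dests):
    """For each destination: (still reachable?, same transit as the full table?)."""
    result = {}
    for d in dests:
        f, t = best_path(full, d), best_path(trimmed, d)
        result[d] = (t is not None,
                     t is not None and f is not None and f.transit == t.transit)
    return result


if __name__ == "__main__":
    scenarios = [
        ("length <= /23 + default", filter_by_length(SAMPLE_RIB)),
        ("AS path <= 2 + default", filter_by_path_len(SAMPLE_RIB)),
        ("length <= /23, no default", without_default(filter_by_length(SAMPLE_RIB))),
    ]
    for name, trimmed in scenarios:
        print(f"{name}: {len(trimmed)} of {len(SAMPLE_RIB)} routes kept")
        for d, (ok, same) in compare(SAMPLE_RIB, trimmed, DESTS).items():
            print(f"  {d:15} reachable={ok!s:5} same_exit_as_full={same}")
```

In the constructed table the length filter keeps reachability for everything but sends 203.0.113.0/24 out the "wrong" transit (the default's), which is exactly the geolocation/anycast side effect raised later in the thread; the path-length filter preserves the chosen exit for anything within two hops but loses it for the more distant /22, matching the "more than N ASes away" caveat. Dropping the default turns the length filter into a reachability hole.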

We're an eyeball network. We accept default routes from our transit
providers so in theory there should be no impact on reachability.

I'm pretty concerned about things that I don't know due to inefficient
routing, e.g. customers hitting a public anycast DNS server in the wrong
location resulting in Geolocation issues.

Would also cut out anyone who uses /24s for anycast, or just general traffic control...

Or as you put it, an insane amount of important stuff.

What is the most common platform people are using with such limitations? How long ago was it deprecated?

We're an eyeball network. We accept default routes from our transit providers so in theory there should be no impact on reachability.

I'm pretty concerned about things that I don't know due to inefficient routing, e.g. customers hitting a public anycast DNS server in the wrong location resulting in Geolocation issues.

Ah! Understood. The default route(s) was the bit I missed. Makes a lot of sense if you can't justify buying new routers.

Have you seen issues with Anycast routing thus far? One would assume that routing would still be fairly efficient unless you're picking up transit from non-local providers over extended L2 links.

This may be too old to be terribly useful other than as a starting point, but we went through essentially the same thing a little more than 10 years ago:

http://jonsblog.lewis.org/2008/01/19#bgp

One network's deprecated router is another network's new [bargain priced] core router. :-)

We've had no issues so far but this was a recent change. There was no
noticeable change to outbound traffic levels.

You have no idea how sad and true this is.

Eh… you’ll find it hard to get that past me. I know hundreds of self-funded ISPs that don’t have route table size issues.

Lots of good non-big vendor options these days - times have changed for sure.

I'm running an EdgeRouter Infinity with BGP feeds for v4 and v6 at home - very reasonably priced router with lots of ports and functionality.

Even the old EdgeRouter Lite supported multiple BGP tables - and that was 7 years ago at a ~ $100 price point. But, for sub 200 you can get an ER4 which will do most of the things the $1000+ routers will do.

'Tik, white box Linux/BSD, etc all offer good options at varying price points.

Lots of good non-big vendor options these days - times have changed for
sure.

Indeed.

'Tik, white box Linux/BSD, etc all offer good options at varying price
points.

Any pointers and/or references, when looking into speeds *above* what is
possible with aggregated 10G links?

That's a good question - I've not gotten past 10G yet.

Cheaply, you could get ConnectX-3 40G PCIe cards and throw them in your favorite Dell/HP/Supermicro/other rack mount server with your Linux/BSD distro of choice, or VyOS for that matter.

There are instructions online on converting the IB versions of the Mellanox cards to their Ethernet counterparts, if you want to cut some cost even more.

Hi,

Did you find https://labs.ripe.net/Members/emileaben/768k-day-will-it-happen-did-it-happen ?
It has further links at the end as well.
If you hit the 768k issue for IPv4 you might look at IPv6 as well as
there might be a 64k limit on some TCAM profiles. If there is no IPv6
in use (very sad face) there might be the option to switch to a 1M
IPv4 route profile.

Using a default route might influence Reverse Path Forwarding on the
device. But you can apply outbound ACL on upstream ports as well.

The weekly routing table report has lists of worst offenders when it
comes to de-aggregation, or https://www.cidr-report.org/as2.0/

Karsten

This is very true. I picked up a nicely equipped juniper mx240 - waayyyy
overkill for my current operation - for far, far cheaper than anything I
could have otherwise afforded new. Absolutely killer could not be
happier, and J has won a convert. But, I find this seems to be the thing
- needing capacity/feature sets/etc just to be able to stand still, but
not having the revenue stream to actually pay new for what these vendors
want to charge for their gear/licenses/etc.

Mike-

Hi,

You can start here: http://www.cidr-report.org/as2.0/#Gains
You will have to do some manual work in order to identify how to optimally filter, but you may save some space.

But the more important questions are:
- how long will it last after one round of clean-up?
- can't you afford to use default route?

You can use tools like AS-Stats (or the more expensive and much more powerful alternatives) if your hardware allows it, in order to get the ASes that you have close to no traffic towards and leave those via default.

Or, if you can afford a dedicated internet border router, there are models that start getting to decent pricing level on refurbished market (a thought to ASR9001 that should be pretty cheap these days).
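Added example, not part of the thread and not the CIDR Report's own code: the "worst offenders" idea from the weekly routing table report / cidr-report Gains pages, reduced to a Python script that takes (prefix, origin AS) pairs from a RIB dump, collapses each AS's announcements with `ipaddress.collapse_addresses`, and ranks origins by how many table entries would vanish if they aggregated. This is one straightforward way to compute such a figure, not a reproduction of the report's exact method; the announcements, AS numbers and helper names (`aggregation_gains`, `worst_offenders`, `aggregates_for`) are constructed for the illustration.

```python
"""Added example (not from the thread): rank origin ASes by aggregation gain,
the kind of figure the CIDR Report's "Gains" table shows, and list the
aggregates that would replace an AS's more-specifics.

Announcements below are constructed sample data, not real routing-table content.
"""
import ipaddress
from collections import defaultdict

# Constructed (prefix, origin AS) pairs as one would read them from a RIB dump.
SAMPLE_ANNOUNCEMENTS = (
    # AS 64512: sixteen /24s plus the /20 that already covers them all
    [(f"10.0.{i}.0/24", 64512) for i in range(16)] + [("10.0.0.0/20", 64512)]
    # AS 64513: two adjacent /22s that merge into a single /21
    + [("10.1.0.0/22", 64513), ("10.1.4.0/22", 64513)]
    # AS 64514: two non-adjacent /24s, nothing to gain
    + [("10.2.0.0/24", 64514), ("10.2.5.0/24", 64514)]
)


def prefixes_by_origin(announcements):
    """Group announced prefixes by origin AS."""
    by_as = defaultdict(list)
    for prefix, asn in announcements:
        by_as[asn].append(ipaddress.ip_network(prefix))
    return by_as


def aggregates_for(announcements, asn):
    """Minimal set of prefixes covering everything asn announces.

    collapse_addresses drops prefixes already covered by another and merges
    adjacent siblings, which is the aggregation an origin could do itself.
    """
    return list(ipaddress.collapse_addresses(prefixes_by_origin(announcements)[asn]))


def aggregation_gains(announcements):
    """asn -> (prefixes announced, prefixes after aggregation, gain)."""
    out = {}
    for asn, nets in prefixes_by_origin(announcements).items():
        agg = list(ipaddress.collapse_addresses(nets))
        out[asn] = (len(nets), len(agg), len(nets) - len(agg))
    return out


def worst_offenders(announcements, n=10):
    """Top-n origin ASes by gain, highest first; ties broken by AS number."""
    gains = aggregation_gains(announcements)
    ranked = sorted(gains.items(), key=lambda kv: (-kv[1][2], kv[0]))
    return [(asn, gain) for asn, (_, _, gain) in ranked[:n]]


if __name__ == "__main__":
    print("origin AS  announced  aggregated  gain")
    for asn, (ann, agg, gain) in sorted(aggregation_gains(SAMPLE_ANNOUNCEMENTS).items()):
        print(f"{asn:9}  {ann:9}  {agg:10}  {gain:4}")
    print("worst offenders:", worst_offenders(SAMPLE_ANNOUNCEMENTS, 3))
    print("aggregates for AS64512:", [str(n) for n in aggregates_for(SAMPLE_ANNOUNCEMENTS, 64512)])
```

The gain column answers the "how much space would I save" question for each origin; the aggregates list is what you would keep (or let the default cover) if you decided to drop that AS's more-specifics, which is the manual step the reply above says cidr-report still leaves to you. Feeding it real data just means replacing the constructed list with pairs parsed from a `show ip bgp` or MRT dump.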