mark.tees at digitalpacific.com.au
Thu Sep 27 18:13:05 EST 2012
This one has been bugging me for a while now given the commonplace problem of someone storming on one of the peering networks. Trying to work out if it is just an old school train of thought or if there are real life limitations or advantages on using layer 3 in multilateral peering setups.
The points Ivan raises for layer-2 in that article appear to be along the lines of:
* Scenarios where participants want to run BGP directly between themselves.
* Hardware costs (in the past maybe?).
* All points towards bilateral peering.
I only have experience with Pipe NSW IX and Equinix Peering. Read a little bit about LINX and AMS-IX.
Judging from what I have read peering points like LINX moving to VPLS setups has not really helped the problem.
Do the majority of people who connect to the peering fabrics in Australia just connect to the route servers in an MLP fashion?
The people who use the IX ports for private connections could possibly have a second port provisioned or a single port VLAN'd or MPLS CCC'd? Cross connect costs might be a problem.
So, for MLP type setups is it feasible to use layer 3 switching between participants?
Participants' ports would ideally be routed interfaces on layer 3 switches with a BGP session to the switch they connect to. You could then limit a switch to only X number of members and each switch exchanges routes via iBGP either in a mesh or RR setup.
If a customer then goes nuts and starts flooding their port it should be contained to the device they connect to. Hopefully, ACLs in place prevent problem traffic from getting to the control plane.
There are other things that could be done on layer 2 in terms of ACLs for customer ports and monitoring that could prevent some of these problems we see. My first thought towards that would be as soon as customer port X multicast/broadcast counters start exceeding the average in a big way then shut it down.