IXP Best Practices
Tay Chee Yong
MyNOG 3
28 November 2013

1
IXP Essentials

•  Layer 2 Ethernet network consisting of one or more switches
•  Members connect to the network using an IP address assigned by the IXP
•  Only BGP is allowed
–  Bi-lateral (BGP between members)
–  Multi-lateral (BGP with route servers)
2
IXP Essentials
•  Announce your own origin and customer routes
•  Exchange traffic with all other members to improve traffic gravity and performance
–  Members save cost on Internet transit
–  Better user experience (reduced latency)

•  One port with many peers
–  Allows exchange of routes/traffic among all IXP members

3
IXP Benefits
•  Keep the local traffic local!
–  ISPs within the country/region peer with each other
–  Traffic doesn’t need to take a long route out and back again
–  Improved latency and efficiency

•  Save money!
–  Traffic that stays local saves transit bandwidth, which saves money

•  Improve network performance
–  Better RTT between end points
–  Direct traffic forwarding instead of sub-optimal routing

4
Be responsible!
•  The IXP operator is responsible for ensuring the infrastructure is stable and secure
–  Choice of hardware/software
–  Stability of the route server daemon
–  Security measures
–  Competent operational staff

•  The usual BGP best practices still apply to all members
•  IXP best practices and etiquette should be adhered to

5
Leaking of IX prefix to Internet
•  Announcing the IXP prefix outside your AS boundary is not a good idea
•  You end up providing free transit for the IXP prefix
•  The peering LAN becomes vulnerable to DDoS attacks

•  Common cause: redistribute connected into BGP
•  Use prefix lists/route maps to deny announcement of the IXP prefix

6
Routing control discipline
•  The same set of routes should be announced over both transit links and the IX port
•  Consistent routing policy across different IXPs
•  Members announcing more specific routes may cause transit traffic to flow over the IXP
•  No static or default routes pointing at the IXP!
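As an added example (not code from the deck), a small Python audit that applies the two slides above to a member's announcement sets: it flags the IXP LAN prefix (or any subnet of it) leaking over transit or back into the IX, and reports routes announced on only one side or more specific at the IX than over transit. The IXP LAN and the announcement lists are constructed sample values.

```python
"""Audit a member's BGP announcements for the two routing-discipline
problems on these slides: leaking the IXP peering LAN prefix, and
announcing a different (or more specific) set of routes at the IX than
over transit.  Added example, not part of the original deck.  All
prefixes are constructed sample values (RFC 5737 documentation ranges)."""
import ipaddress

# Constructed sample: the IXP's peering LAN (which a member must never
# announce to anyone) and what one member announces over each link.
IXP_LAN = ipaddress.ip_network("203.0.113.0/24")
TRANSIT_ANNOUNCED = ["198.51.100.0/24", "192.0.2.0/24"]
IX_ANNOUNCED = ["198.51.100.0/24", "192.0.2.0/25", "203.0.113.0/24"]


def ixp_prefix_leaks(announced, ixp_lan=IXP_LAN):
    """Return the announced prefixes that are the IXP LAN or a subnet of it.
    'redistribute connected' into BGP is the usual way these get in; a
    prefix-list that denies them on every outbound policy is the fix."""
    leaks = []
    for p in announced:
        net = ipaddress.ip_network(p)
        if net.version == ixp_lan.version and net.subnet_of(ixp_lan):
            leaks.append(str(net))
    return leaks


def inconsistent_announcements(transit, ix):
    """Compare the route sets announced over transit and over the IX port.
    Returns (only_on_transit, only_on_ix, more_specific_on_ix): routes that
    appear on only one side, and IX-only routes that are more specific than
    something announced over transit (these pull traffic over the IXP that
    would otherwise follow the transit-announced aggregate)."""
    t = {ipaddress.ip_network(p) for p in transit}
    i = {ipaddress.ip_network(p) for p in ix}
    only_t = sorted(str(p) for p in t - i)
    only_i = sorted(str(p) for p in i - t)
    more_specific = sorted(
        str(p) for p in i - t
        if any(p.version == q.version and p != q and p.subnet_of(q) for q in t)
    )
    return only_t, only_i, more_specific


def audit(transit, ix, ixp_lan=IXP_LAN):
    """Run both checks and return a list of human-readable findings."""
    findings = []
    for p in ixp_prefix_leaks(transit, ixp_lan):
        findings.append(f"IXP prefix {p} leaked over transit")
    for p in ixp_prefix_leaks(ix, ixp_lan):
        findings.append(f"IXP prefix {p} announced back to the IX")
    only_t, only_i, more_specific = inconsistent_announcements(transit, ix)
    for p in only_t:
        findings.append(f"{p} announced over transit but not at the IX")
    for p in only_i:
        findings.append(f"{p} announced at the IX but not over transit")
    for p in more_specific:
        findings.append(f"{p} at the IX is more specific than the transit announcement")
    return findings


if __name__ == "__main__":
    for line in audit(TRANSIT_ANNOUNCED, IX_ANNOUNCED):
        print(line)
```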

7
Unwanted protocols towards IXP
•  Interior routing protocols : OSPF, IS-IS, EIGRP, RIP
-  Generates unwanted broadcast/multicast traffic

•  Layer 2 protocols :
-  STP, VTP, Proxy Arp

•  Network discovery :
-  CDP, LLDP, EDP

8
Proxy ARP
•  Members acting as an ARP relay are potentially very dangerous
•  Leads to hijacking of packets destined for other members
•  The usual culprits are Cisco equipment
–  IOS : enabled by default
–  IOS-XR : disabled by default
–  JUNOS : disabled by default
#sh arp
219  202.yyy.yyy.yyy  0012.7fxx.xxxx  Dynamic  0  15/20
225  202.yyy.yyy.yyy  0012.7fxx.xxxx  Dynamic  0  15/20
242  202.yyy.yyy.yyy  0012.7fxx.xxxx  Dynamic  0  15/20
316  202.yyy.yyy.yyy  0012.7fxx.xxxx  Dynamic  0  15/20

9
Proxy ARP
•  Tools to detect members with proxy ARP enabled
•  Violation logs to be sent to NMS monitoring
•  Enhance internal monitoring and operational processes
•  Follow up, follow up
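As an added example (not a tool from the deck), a Python detector that reads a captured `show arp` table in the column layout of slide 9 and reports the two symptoms of proxy ARP: one MAC answering for several peering-LAN addresses, and an address learned on a port other than the one it was provisioned on. The capture, the address-to-port assignments and the MACs are all constructed.

```python
"""Detect IXP members running proxy ARP from the peering switch's ARP
table, as the Proxy ARP slides describe.  Added example, not a tool from
the original deck.  The ARP output layout (No./IP/MAC/Type/Age/Port, as on
slide 9) is reproduced; all addresses, MACs and ports are constructed."""
import re
from collections import defaultdict

# Constructed 'show arp' capture from the peering switch.  Port 15/20 is
# answering ARP for four different member addresses with one MAC: the
# signature of a member router with proxy ARP enabled.
SHOW_ARP = """\
No.   IP Address       MAC Address     Type     Age  Port
219   203.0.113.19     0000.5e00.5319  Dynamic  0    15/20
225   203.0.113.25     0000.5e00.5319  Dynamic  0    15/20
242   203.0.113.42     0000.5e00.5319  Dynamic  0    15/20
316   203.0.113.116    0000.5e00.5319  Dynamic  0    15/20
17    203.0.113.17     0000.5e00.5317  Dynamic  3    15/17
33    203.0.113.33     0000.5e00.5333  Dynamic  1    15/18
"""

# Constructed IXP provisioning record: the switch port each member's
# assigned peering-LAN address is supposed to live on.
ASSIGNED_PORT = {
    "203.0.113.17": "15/17",
    "203.0.113.19": "15/19",
    "203.0.113.25": "15/25",
    "203.0.113.33": "15/18",
    "203.0.113.42": "15/42",
    "203.0.113.116": "15/20",
}

ARP_LINE = re.compile(
    r"^\s*\d+\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"\S+\s+\d+\s+(?P<port>\S+)"
)


def parse_arp(text):
    """Return (ip, mac, port) for every data row; the header row is skipped
    because 'No.' does not match the leading numeric index."""
    rows = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            rows.append((m.group("ip"), m.group("mac").lower(), m.group("port")))
    return rows


def proxy_arp_suspects(rows):
    """Map each MAC that answers for more than one IP to the sorted list of
    IPs it claims.  On a peering LAN a member router should answer ARP for
    exactly one address, so any such MAC is almost certainly proxy-ARPing."""
    ips_by_mac = defaultdict(set)
    for ip, mac, _port in rows:
        ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


def hijacked_addresses(rows, assigned=ASSIGNED_PORT):
    """Return (ip, learned_port, assigned_port) for every ARP entry learned
    on a port other than the one the address was provisioned on: frames for
    that member are being pulled to the wrong port."""
    hits = []
    for ip, _mac, port in rows:
        expected = assigned.get(ip)
        if expected is not None and expected != port:
            hits.append((ip, port, expected))
    return hits


def violations(text=SHOW_ARP, assigned=ASSIGNED_PORT):
    """Produce the log lines an NMS would receive for follow-up."""
    rows = parse_arp(text)
    out = []
    for mac, ips in sorted(proxy_arp_suspects(rows).items()):
        out.append(f"PROXY-ARP {mac} answers for {len(ips)} addresses: {', '.join(ips)}")
    for ip, port, expected in hijacked_addresses(rows, assigned):
        out.append(f"HIJACK {ip} learned on port {port}, assigned port {expected}")
    return out


if __name__ == "__main__":
    print("\n".join(violations()))
```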

10
Looping back an Ethernet Port…
•  Looping back an IXP port is never a good idea
•  Result : a broadcast storm towards all other members
•  Cripples the IXP and disrupts traffic

11
Peering with route servers
•  Facilitates implementation of peering arrangements
•  Allows new members to join the community easily
•  Generally there are 2 route servers for redundancy
–  Single routing daemon
–  Dual routing daemon

•  Reduces the number of peering sessions
–  Just peer with the 2 route servers to get all routes from all members

•  Ability to manipulate routing policy via BGP communities

12
Port Security
•  MAC address filtering
•  Only permit specific Ethertypes
–  IPv4, ARP, IPv6
–  Drop everything else

•  Enforce a one-MAC-address-per-port rule
–  No additional devices are permitted
–  Prevents noise from any intermediate L2 devices (e.g. STP)

•  Inform your IXP if you are doing any migration or change of device
–  MAC address change
13
Prefix Filtering
•  Applied on route servers
•  Per-neighbor prefix filtering
•  Pros
–  Prevents unintentional route hijacks or route leaks by members
–  Members treat the IXP like a normal upstream provider when updating their prefix list

•  Cons
–  Accidental denial of routes, causing a reduction in traffic
–  Solution : build filters from IRR data where possible
–  Challenge : route objects must be kept up to date

14
Configuration Automation
•  Fat fingers and human nature at times cause issues at an IXP
-  Applying incorrect switch configuration
-  Forgetting to apply port security
-  Typos
-  etc.

•  Automation reduces errors during provisioning of switches or route servers
•  Increases IXP productivity and efficiency
•  Standardizes configuration across the IXP platform

15
Transparent AS
•  AS-PATH transparency : route servers do not insert their own AS number into the AS-PATH of updates sent to members
•  On route servers, well-known BGP attributes (AS-PATH, MED, next-hop, communities) are not modified before redistribution to other members
•  Peering sessions appear to be directly between members, but the RS is mediating the session
•  A common problem is seen with Cisco routers due to their default behaviour: enforce-first-as drops any eBGP update whose first AS in the AS-PATH is not the neighbour's AS, which is exactly what a transparent route server sends. Disable the check on the route server session:
–  IOS : no bgp enforce-first-as
–  IOS XR : bgp enforce-first-as disable
16
Transparent AS
•  Non route server setup
AS10 originates 10.10.0.0/16 and AS20 originates 20.20.0.0/16; both peer with AS100, which relays the routes as an ordinary eBGP speaker and prepends its own AS:
–  AS10 receives prefix 20.20.0.0/16 with AS-PATH 100 20
–  AS20 receives prefix 10.10.0.0/16 with AS-PATH 100 10

17
Transparent AS
•  With route server setup
AS10 and AS20 peer with the route server of IXP A (AS 100), which does not insert its own AS:
–  AS10 receives prefix 20.20.0.0/16 with AS-PATH 20
–  AS20 receives prefix 10.10.0.0/16 with AS-PATH 10
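As an added example (not from the deck), a Python model of the two diagrams above and of the enforce-first-as check: it builds the AS-PATH each member receives with an ordinary eBGP relay versus a transparent route server, and shows that a member left at the Cisco default drops every update from the transparent RS. The ASNs and prefixes are the slides' own; the function names are the example's.

```python
"""Model the AS-PATH a member sees with and without a transparent route
server, and the enforce-first-as check that breaks RS peering on Cisco
routers at their default setting.  Added example, not from the deck; the
ASNs and prefixes are the ones used on slides 17-18."""

RS_ASN = 100  # the IXP route server (or middle router) on these slides
# Originations from the slides: {member ASN: [prefixes it announces]}
ORIGINATIONS = {10: ["10.10.0.0/16"], 20: ["20.20.0.0/16"]}


def route_server_updates(originations, rs_asn, transparent):
    """Return {receiver ASN: [(prefix, as_path)]} as relayed by AS rs_asn.
    A transparent RS passes the originator's AS-PATH untouched; a router
    doing ordinary eBGP (the 'non route server' slide) prepends its own
    ASN, so every path becomes [rs_asn, origin]."""
    updates = {asn: [] for asn in originations}
    for origin, prefixes in originations.items():
        for receiver in originations:
            if receiver == origin:
                continue
            for prefix in prefixes:
                path = [origin] if transparent else [rs_asn, origin]
                updates[receiver].append((prefix, path))
    return updates


def enforce_first_as_accepts(peer_asn, as_path):
    """Cisco IOS 'bgp enforce-first-as' (on by default): an eBGP update is
    dropped unless the first ASN in AS-PATH is the neighbour's own ASN."""
    return bool(as_path) and as_path[0] == peer_asn


def member_accepts(peer_asn, as_path, enforce_first_as=True):
    """Decide whether a member router keeps an update from the RS session.
    With the check disabled ('no bgp enforce-first-as') every update is
    accepted; with it enabled, a transparent RS's updates are all dropped."""
    if enforce_first_as:
        return enforce_first_as_accepts(peer_asn, as_path)
    return True


def accepted_prefixes(receiver, transparent, enforce_first_as):
    """Prefixes AS `receiver` ends up with on its session to AS RS_ASN."""
    updates = route_server_updates(ORIGINATIONS, RS_ASN, transparent)
    return [p for p, path in updates[receiver]
            if member_accepts(RS_ASN, path, enforce_first_as)]


if __name__ == "__main__":
    for transparent in (False, True):
        updates = route_server_updates(ORIGINATIONS, RS_ASN, transparent)
        print("transparent route server" if transparent else "non route server setup")
        for asn, upd in updates.items():
            for prefix, path in upd:
                print(f"  AS{asn} receives {prefix} AS-PATH {' '.join(map(str, path))}")
    # AS10 at the Cisco default on a transparent RS session receives nothing.
    print("AS10 with enforce-first-as:", accepted_prefixes(10, True, True))
    print("AS10 with it disabled:", accepted_prefixes(10, True, False))
```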

18
Storm Control
•  A broadcast storm into an IXP is a major challenge for the operator, as its source is beyond their control
•  IXP hardware should have better storm control capabilities or features to counter it
•  Various hardware vendors have implemented some level of storm control detection and mitigation features:

Vendor        Mechanism/Capability
Cisco Nexus   •  Interface level (threshold : interface bandwidth)
Brocade MLX   •  Interface level ACL/rate-limit
              •  Global level / VPLS level (threshold : number of packets)
Extreme       •  Interface level ACL/rate-limit
              •  Global/CPU level (threshold : number of packets)
19
Summary of Best Practices
Members
•  Disable unwanted traffic towards IXP
•  Do not loop towards IXP
•  Do not leak IXP prefix to Internet
•  Peering with route servers
•  Consistent route announcement

Operator
•  Port Security
•  Prefix Filtering
•  Configuration Automation
•  Transparent AS
•  Storm Control

20
Reference
•  AMS-IX
–  https://www.ams-ix.net/technical/specifications-descriptions/config-guide

•  Euro-IX
–  https://www.euro-ix.net/ixp-bcp

21
chee-yong.tay@ap.equinix.com

22

 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 

IX Best Practices by Tay Chee Yong

IXP Best Practices
Tay Chee Yong
MyNOG 3
28 November 2013

1
IXP Essentials

•  Layer 2 Ethernet network consisting of one or more switches
•  Members connect to the network with an assigned IP address
•  Only BGP is allowed
–  Bi-lateral (BGP between members)
–  Multi-lateral (BGP with route servers)

2
IXP Essentials

•  Announce own origin and customer routes
•  Exchange traffic with all other members to improve traffic gravity and performance
–  Members save cost on Internet transit
–  Better user experience (reduced latency)
•  One port with many peers
–  Allows exchange of routes/traffic among all IXP members

3
IXP Benefits

•  Keep the local traffic local!
–  ISPs within the country/region peer with each other
–  Traffic doesn't need to take a long route out and back
–  Improved latency and efficiency
•  Save money!
–  Traffic staying local saves transit bandwidth = saves money
•  Improve network performance
–  Better RTT between end points
–  Direct traffic forwarding instead of sub-optimal routing

4
Be responsible!

•  The IXP operator is responsible for ensuring the infrastructure is stable and secure
–  Choice of hardware/software
–  Stability of route server daemon
–  Security measures
–  Competent operational staff
•  Usual BGP best practices still apply to all members
•  IXP best practices and etiquette are to be adhered to

5
Leaking of IX prefix to Internet

•  Announcing the IXP prefix outside of the AS boundary is not a good idea
•  It provides free transit for the IXP prefix
•  It leaves the IXP prefix vulnerable to DDoS attacks
•  Common reason: redistribute connected into BGP
•  Use prefix lists/route maps to deny the IXP prefix announcement

6
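As an added illustration of the slide above (not code from the presentation), this models how "redistribute connected" drags the IXP peering LAN into BGP and how a deny prefix-list stops it leaving the AS; all prefixes are constructed RFC 5737 documentation ranges.

```python
# Added example, not part of the original slides: a model of the IX prefix
# leak. "redistribute connected" turns every interface subnet, including the
# IXP peering LAN, into a BGP route; the deny prefix-list in front of the
# outbound policy drops the IXP LAN and any more specific of it.
# All prefixes here are constructed (RFC 5737 documentation ranges).
import ipaddress

IXP_LAN = ipaddress.ip_network("203.0.113.0/24")   # constructed IXP peering LAN


def leaks_ixp_prefix(prefix, ixp_lan=IXP_LAN):
    """True if `prefix` is the IXP LAN itself or a more specific of it.

    Either case pulls Internet traffic for the peering LAN through this
    member (free transit) and exposes the LAN to DDoS from outside."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != ixp_lan.version:      # subnet_of() refuses mixed families
        return False
    return net.subnet_of(ixp_lan)


def connected_to_bgp(connected_interfaces):
    """Model 'redistribute connected': each interface subnet becomes a route."""
    return {ipaddress.ip_interface(addr).network.with_prefixlen
            for addr in connected_interfaces}


def outbound_announcements(connected_interfaces, origin_prefixes, ixp_lan=IXP_LAN):
    """What leaves the AS after the deny prefix-list: own/customer routes only."""
    candidates = connected_to_bgp(connected_interfaces) | set(origin_prefixes)
    return sorted(p for p in candidates if not leaks_ixp_prefix(p, ixp_lan))


if __name__ == "__main__":
    # Constructed member: IXP-facing interface plus a link net and a customer block.
    print(outbound_announcements(["203.0.113.10/24", "192.0.2.1/30"],
                                 ["198.51.100.0/22"]))
```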
Routing control discipline

•  The same set of routes should be announced over both transit links and the IX port
•  Consistent routing policy over different IXPs
•  Members announcing more specific routes may result in unintended transit over the IXP
•  No static/default route!

7
Unwanted protocols towards IXP

•  Interior routing protocols: OSPF, IS-IS, EIGRP, RIP
–  Generate unwanted broadcast/multicast traffic
•  Layer 2 protocols:
–  STP, VTP, Proxy ARP
•  Network discovery:
–  CDP, LLDP, EDP

8
Proxy ARP

•  Members acting as an ARP relay, potentially very dangerous
•  Leads to hijacking of packets destined to other members
•  Usual culprits are Cisco equipment
–  IOS: enabled by default
–  IOS-XR: disabled by default
–  JUNOS: disabled by default

Example ARP table (addresses masked), showing a single MAC on one port answering for several members' IPs:

#sh arp
No.  IP Address        MAC Address      Type     Age  Port
219  202.yyy.yyy.yyy   0012.7fxx.xxxx   Dynamic  0    15/20
225  202.yyy.yyy.yyy   0012.7fxx.xxxx   Dynamic  0    15/20
242  202.yyy.yyy.yyy   0012.7fxx.xxxx   Dynamic  0    15/20
316  202.yyy.yyy.yyy   0012.7fxx.xxxx   Dynamic  0    15/20

9
Proxy ARP

•  Tools to detect members with proxy ARP enabled
•  Violation logs to be sent to NMS monitoring
•  Enhance internal monitoring & operational process
•  Follow up, follow up

10
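One way to build the detection tool the two Proxy ARP slides call for, as an added example rather than the presenter's own tooling: it reads the switch ARP table in the column layout shown on slide 9 and flags any MAC that answers for more than one IP on the same port, then emits log lines for the NMS. The sample table and all addresses are constructed.

```python
# Added example, not from the original slides: detect the proxy-ARP signature
# on slide 9 (one member MAC appearing as the ARP entry for several other
# members' IPs) and produce NMS log lines as slide 10 asks for.
# Row layout follows the slide: No. / IP / MAC / Type / Age / Port.
from collections import defaultdict

# Constructed sample: the router on port 15/20 answers for four addresses,
# while the member on port 3/1 answers only for its own.
SAMPLE_ARP = """\
#sh arp
No.  IP Address     MAC Address     Type     Age  Port
219  203.0.113.19   0012.7f00.0001  Dynamic  0    15/20
225  203.0.113.25   0012.7f00.0001  Dynamic  0    15/20
242  203.0.113.42   0012.7f00.0001  Dynamic  0    15/20
316  203.0.113.116  0012.7f00.0001  Dynamic  0    15/20
17   203.0.113.7    0012.7f00.0002  Dynamic  3    3/1
"""


def parse_arp(text):
    """Yield (ip, mac, port) per data row; header/prompt lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].isdigit():
            continue
        yield fields[1], fields[2].lower(), fields[5]


def find_proxy_arp(text, max_ips_per_mac=1):
    """Return {(port, mac): [ips]} for MACs answering for more than
    max_ips_per_mac addresses on one port. Raise the threshold for members
    that legitimately run several addresses on a single interface."""
    seen = defaultdict(list)
    for ip, mac, port in parse_arp(text):
        seen[(port, mac)].append(ip)
    return {k: v for k, v in seen.items() if len(v) > max_ips_per_mac}


def violation_lines(text, max_ips_per_mac=1):
    """Syslog-style lines for the NMS, one per offending (port, MAC)."""
    hits = find_proxy_arp(text, max_ips_per_mac)
    return [f"PROXY-ARP port={port} mac={mac} answers_for={len(ips)} ips"
            for (port, mac), ips in sorted(hits.items())]


if __name__ == "__main__":
    for line in violation_lines(SAMPLE_ARP):
        print(line)
```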
Looping back an Ethernet Port…

•  A loopback on an IXP port is never a good idea
•  Result: broadcast storm towards all other members
•  Cripples the IXP and disrupts traffic

11
Peering with route servers

•  Facilitate implementation of peering arrangements
•  Allow new members to join the community easily
•  Generally have 2 route servers for redundancy
–  Single routing daemon
–  Dual routing daemon
•  Reduces the number of peering sessions
–  Just peer with 2 to get all routes from all members
•  Ability to manipulate routing policy via BGP communities

12
Port Security

•  MAC address filtering
•  Only permit specific ethertypes
–  IPv4, ARP, IPv6
–  Drop everything else
•  Enforce one-MAC-address-per-port rule
–  No additional devices are permitted
–  Prevent noise from any intermediate L2 devices (e.g. STP)
•  Inform your IXP if you are doing any migration or change of device
–  MAC address change

13
Prefix Filtering

•  Applied on route servers
•  Per-neighbor prefix filtering
•  Pros
–  Prevents unintentional route hijack or route leak by members
–  Treat the IXP as a normal upstream provider when updating your prefix list
•  Cons
–  Accidental route denial – reduction in traffic
•  Solution: route updates using IRR where possible
•  Challenge: route objects should be updated regularly

14
Configuration Automation

•  Fat fingers and human nature at times cause issues in an IXP
–  Applying incorrect switch configuration
–  Forgetting to apply port security
–  Typos
–  etc.
•  Reduce errors during provisioning of switches or route servers
•  Increase IXP productivity and efficiency
•  Standardize configuration across the IXP platform

15
Transparent AS

•  AS-PATH transparency: route servers do not insert their own AS number into the AS-PATH of updates sent to members
•  In route servers, well-known BGP attributes (AS-Path, MED, next-hop, communities) are not modified before redistribution to other members
•  Peering sessions appear to be directly between members, but the RS is mediating the session
•  Common problem seen with Cisco routers due to default behavior
–  IOS: no bgp enforce-first-as
–  IOS XR: bgp enforce-first-as disable

16
Transparent AS

•  Non route server setup

[Diagram: AS10 (10.10.0.0/16) and AS20 (20.20.0.0/16) exchange routes through AS100. AS10 receives prefix 20.20.0.0/16 with AS-PATH 100 20; AS20 receives prefix 10.10.0.0/16 with AS-PATH 100 10.]

17
Transparent AS

•  With route server setup

[Diagram: AS10 (10.10.0.0/16) and AS20 (20.20.0.0/16) peer via the route server of IXP A (AS 100). AS10 receives prefix 20.20.0.0/16 with AS-PATH 20; AS20 receives prefix 10.10.0.0/16 with AS-PATH 10.]

18
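To make the three Transparent AS slides concrete, here is an added model (not code from the presentation) of the two AS-PATH outcomes and of the member-side enforce-first-as check that rejects route-server updates when left at its Cisco default; the ASNs and prefixes are the ones on slides 17 and 18.

```python
# Added example, not from the original slides: a small model of AS-PATH
# handling with and without a transparent route server, and of why a
# member that still has enforce-first-as active drops every RS update.
# ASNs and prefixes are taken from slides 17/18.

def propagate(update, local_asn, transparent):
    """Relay a BGP update. A transit router prepends local_asn; a transparent
    route server leaves AS-PATH (and MED, next-hop, communities) untouched."""
    out = dict(update)
    if not transparent:
        out["as_path"] = [local_asn] + update["as_path"]
    return out


def member_accepts(update, peer_asn, enforce_first_as=True):
    """Receiving member's check: with enforce-first-as the update is accepted
    only when the leftmost AS equals the ASN of the session peer."""
    if not enforce_first_as:
        return True
    return update["as_path"][:1] == [peer_asn]


# Origin announcements from the slides.
AS20_ROUTE = {"prefix": "20.20.0.0/16", "as_path": [20]}
AS10_ROUTE = {"prefix": "10.10.0.0/16", "as_path": [10]}


def via_transit():
    """Slide 17: AS100 is an ordinary transit AS; AS10 sees AS-PATH 100 20."""
    return propagate(AS20_ROUTE, 100, transparent=False)


def via_route_server():
    """Slide 18: IXP A (AS 100) runs a transparent RS; AS10 sees AS-PATH 20."""
    return propagate(AS20_ROUTE, 100, transparent=True)


if __name__ == "__main__":
    # AS10's session peer is AS100 in both cases.
    print("transit  :", via_transit()["as_path"], member_accepts(via_transit(), 100))
    print("RS (IOS default):", via_route_server()["as_path"],
          member_accepts(via_route_server(), 100))
    print("RS (enforce-first-as disabled):",
          member_accepts(via_route_server(), 100, enforce_first_as=False))
```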
Storm Control

•  A broadcast storm into an IXP is a major challenge for the operator – beyond their control
•  IXP hardware should have better storm control capabilities or features to counter it
•  Various hardware vendors have employed some level of storm control detection and mitigation features

Vendor        Mechanism/Capability
Cisco Nexus   •  Interface level (Threshold: interface bandwidth)
Brocade MLX   •  Interface level ACL/rate-limit
              •  Global level / VPLS level (Threshold: # of packets)
Extreme       •  Interface level ACL/rate-limit
              •  Global/CPU level (Threshold: # of packets)

19
Summary of Best Practices

Members
•  Disable unwanted traffic towards IXP
•  Do not loop towards IXP
•  Do not leak IXP prefix to Internet
•  Peering with route servers
•  Consistent route announcement

Operator
•  Port Security
•  Prefix Filtering
•  Configuration Automation
•  Transparent AS
•  Storm Control

20