mpls based traffic shunt n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
MPLS-based Traffic Shunt PowerPoint Presentation
Download Presentation
MPLS-based Traffic Shunt

Loading in 2 Seconds...

play fullscreen
1 / 25

MPLS-based Traffic Shunt - PowerPoint PPT Presentation


  • 127 Views
  • Uploaded on

MPLS-based Traffic Shunt. NANOG28 Salt Lake City June 2003. Yehuda Afek – Riverhead Networks Roy Brooks – Cisco Systems Nicolas Fischbach – COLT Telecom. Credits. Cisco Systems: Paul Quinn COLT Telecom: Andreas Friedrich, Marc Binderberger Riverhead Networks:

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'MPLS-based Traffic Shunt' - urban


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
mpls based traffic shunt

MPLS-based Traffic Shunt

NANOG28

Salt Lake City

June 2003

Yehuda Afek – Riverhead Networks

Roy Brooks – Cisco Systems

Nicolas Fischbach – COLT Telecom

credits
Credits
  • Cisco Systems:

Paul Quinn

  • COLT Telecom:

Andreas Friedrich, Marc Binderberger

  • Riverhead Networks:

Anat Bremler-Barr, Boaz Elgar, Roi Hermoni

sink hole

Announce:

61.1.1.1 -> Sink Hole

Sink Hole

61.1.1.1

Sink hole server

traffic shunt
Traffic Shunt

61.1.1.1

Sink hole server

applications
Applications
  • Cleaning DDoS traffic
  • Reverse proxy
  • On-demand traffic analysis
sink hole shunt
Unidirectional: Data in & not out

IP-based

Blackholing DDoS, forensic

CenterTrack [Stone NANOG 17]

Bidirectional: Data in, processed and out

Tunnels: GRE, IPIP, MPLS, L2TPv3

DDoS cleaning

Reverse proxy, traffic analysis

Bellwether [Hardie Wessels NANOG 19]

Sink Hole Shunt
traffic shunt1
Traffic Shunt

61.1.1.1

Careful setup required to prevent infinite loops

traffic shunt2
Traffic Shunt

Tunnels: Peering - Sink

61.1.1.1

Returned traffic must not pass through a peering router

traffic shunt3
Traffic Shunt

Tunnels: Sink – CPE router

61.1.1.1

tunnels
Tunnels
  • GRE/IPIP
    • Cisco GSRs and Juniper routers require special interface cards
    • Processing overhead
  • MPLS
    • Supported without any special interface
    • No extra H/W
    • From IOS-12.0(7)S and JunOS 5.3 and up
mpls shunt requirements
MPLS Shunt: Requirements
  • No dynamic configuration
      • Only one-time set-up
  • Minimum initial (static) configuration
  • No need for sink hole router/device to speak MPLS
      • But could!
two mpls methods
Two MPLS methods
  • Method #1: Pure MPLS using Proxy Egress LSP
    • Penultimate hop popping
    • RFC3031
  • Method #2: MPLS VPN
method 1 mpls lsp proxy egress

iBGP

Penultimate Router

2

5

6

5

4

2

2

IP

IP

IP Lookup

MPLS Table

MPLS Table

MPLS Table

In

In

Out

Out

In

Out

(5, 42)

(2, 3)

(5, 25 )

(6, 3 )

IP: a Loop back

(2, 42)

25

42

3

IP

IP

IP

Method 1: MPLS LSP Proxy Egress

Loopback

LSP

IP:

a

Sink router

MPLS Table

In

Out

(4, 25)

(2, untagged)

LSP Proxy Egress

method 1 mpls lsp proxy egress1

iBGP

Method 1: MPLS LSP Proxy Egress

61.1.1.1

Penultimate Router

actual deployment
Actual Deployment

LONDON#show mpls forwarding-table 61.222.65.77

Local Outgoing Prefix Bytes tag Outgoing Next Hop

tag tag or VC or Tunnel Id switched interface

503 560 61.222.65.77/32 0 PO11/0 point2point

FRANKFURT#show mpls forwarding-table labels 16

Local Outgoing Prefix Bytes tag Outgoing Next Hop

tag tag or VC or Tunnel Id switched interface

16 Untagged 61.222.65.77/32 24831266 Gi6/0 61.44.88.111

method 2 mpls vpn vrf

Advertise 61.1.1.1

iBGP IPv4

Method 2: MPLS VPN - VRF

Sink  CPE router

MP-BGP VPNv4

61.1.1.1

VRF interface to MPLS VPN

method 2 mpls vpn vrf1

iBGP IPv4

Method 2: MPLS VPN - VRF

Sink  CPE router

61.1.1.1

CORE-2#sh ip route vrf rx-monitor

B 61.1.1.1 [200/0] via 11.61.128.7, 00:00:53

CORE-2#sh ip cef vrf rx-monitor 61.1.1.1

fast tag rewrite with PO0/0, point2point, tags imposed {45 118}

via 11.61.128.7, 0 dependencies, recursive

method 2 mpls vpn vrf2

iBGP IPv4

Method 2: MPLS VPN - VRF

Sink  CPE router

61.1.1.1

ip route vrf rx-monitor 61.1.1.1 255.255.255.255 14.0.1.2 global

core-as#sh ip cef vrf rx-monitor 61.1.1.1

via 14.0.1.2, 0 dependencies, recursive

next hop 14.0.1.2, FastEthernet1/0 via 14.0.1.2/32 (Default)

tag rewrite with Fa1/0, 14.0.1.2, tags imposed {}

method 2 mpls vpn vrf select

ip vrf receive tx-monitor

vrf selection source 61.1.1.1 255.255.255.255 vrf tx-monitor

!

interface GigabitEthernet5/0

ip vrf select source

ip address 14.0.1.2 255.255.255.252

Method 2: MPLS VPN - VRF SELECT

Monitor the outgoing traffic

VRF SELECT interface to MPLS VPN

61.1.1.1

Sink

Server

methods requirements
Methods Requirements
  • Method #1: Pure MPLS Using Proxy Egress LSP
    • IOS 12.0(17)ST
    • JunOS 5.4
  • Method #2: MPLS VPN
    • VRF – IOS12.0(11)ST
    • VRF Select – IOS12.0(22)S
    • JunOS 5.3
caveats
MPLS VPN

Support & availability

Proxy Egress LSP

Peering router which is also an access router

Caveats

Shunt:

  • DDoS or other traffic thru the backbone
  • Latency (few extra hops)
advantages
Advantages
  • Not on the critical path
  • Does not effect normal traffic
  • No additional load on the routers
  • LDP need to advertise only sink-hole loop-back
  • Simple to deploy & Scalable
thank you
Thank you!

afek@riverhead.com

rbrooks@cisco.com

nicolas.fischbach@colt.ch