Total 286 Blogs

Created by - Orhan Ergun

Settlement-Free Peering Requirements

Settlement-Free Peering Requirements. I am explaining this topic in deep detail in my  “BGP Zero to Hero”  Course.   I explained the Peering , Types of Peering basics in one of the previous posts. When we talk about peering, we generally mean settlement-free peering. But what are the common requirements for companies to peer with each other ?   Settlement-free peering is called as Internet Peering as well.   So, companies setup BGP neighborship, advertise each others their infrastructure and the customer prefixes, nothing more.And of course, they do settlement-free peering , because it is free. They don’t exchange money. If my customer sends a packet to your customer, I don’t pay you. You don’t pay me.   In this post, I will mention the generic requirements, which might be requested by most of the companies during peering negotiations.   Settlement-Free Peering Requirements :   Backbone capacity and Diversity: Peer can ask from the other specific amount of backbone capacity and redundant paths for reliability. Companies advertise their backbone capacity and many other parameters in peeringdb. POP Locations: It is important to have POP locations where there are maximum amount of traffic or closer to the eyeballs. Number of POP can be a peering requirement as well Traffic Requirement: Traffic requirement is important factor for Internet peering , it is economically make sense to peer with someone which you have a good amount of traffic, otherwise having an IP Transit might be cheaper. Operational Requirement: is also important, for example peer should have a 24/7 NOC team which can response when failure or attack happens. Traffic Requirement , POP Locations and Backbone capacity may not be important for the companies which have Open Peering Policy. But Operational requirements are important for every company. Nobody wants to peer with someone who don’t response to their calls, in case of failure or when their peering links are utilised. Also generally companies don’t want to peer with their existing customers so simultaneous peering and customer relationship cannot happen, though a network become larger in backbone size , number of customers and so on and by the time can become a peer of their provider

Published - Tue, 26 Nov 2019

Created by - Orhan Ergun

What is IPv6 Dual stack? What does IPv6 dual stack exactly mean?

What is IPv6 dual stack ? From some questions and comments on the website, I understand that there is a confusion about it. So, what does exactly dual stack IPv6 mean ? IPv6 is not a luxury anymore. It is not avoidable for the Service Providers especially. The biggest problem for the Service Providers is IPv4 address exhaustion. If a provider requests an IPv4 public address, RIRs (Regional Internet Registries) cannot provide anymore an IPv4 public addresses. All available addresses are allocated. Does it mean, operators have to deploy IPv6 ? Of course not ! Still there are many methods to postpone the deployment of IPv6. These are; Buying an IPv4 public addresses from the other companies – This is real, in fact, some of my customers purchased public IPv4 address blocks. They are in Middle East and currently they don’t have any problem with their new address blocks. I see many companies doing LSN (Large Scale NAT) or it is more commonly known as CGN (Carrier Grade NAT). There are more problems with LSN than purchasing an IPv4 address blocks from market space. I won’t go to details of alternatives of IPv6 in this post but will continue with the definition of IPv6 dual stack. If you say that we have IPv6 dual stack, it means , the customer access network device (Modems, ONUs, Phones) , provider network devices , applications inside the operator network, Internet peering and transit links , everything are running both IPv4 and IPv6. I see many different deployment models on my customer and the students networks, and those who have deployed IPv6 only on their networking devices and the transit links are saying that they have an IPv6 dual stack deployment. This is not true. They just deployed IPv6 on the operator network and the upstream operator connections. But most of their users are not using IPv6, since they don’t provide an IPv6 addresses to their customers. Having IPv6 ready core network doesn’t mean , your users are using IPv6 path to reach destinations. Destination can be Internet , Customer VPN sites , SP Datacenter and so on. IPv6 have to be deployed on all these locations. Of course IPv4, alongside with IPv6 need to be deployed for dual stack. But this is not always possible. Do you know why ? Read my ‘ Is IPv6 dual stack really a best approach for IPv6 deployment ‘ post.

Published - Tue, 26 Nov 2019

Created by - Orhan Ergun

Is IPV6 Dual-Stack really a best method for IPv6 design ?

There are mainly three IPv6 transition methods; Dual-Stack, Tunnelling, and Translation. Careful engineers can understand the difference between IPv6 migration and IPv6 transition. All of these three technologies are used to bring IPv6 protocol capabilities in addition to IPv4, they are not migration mechanisms. Migration means removing IPv4 completely and running only IPv6 only in the network which might not be the case at least for the next decade. In this post, I will explain why IPv6 dual-stack unlike most people believe is not the best transition approach.   There is a saying, Dual-stack where you can, tunnel when you must, translate if you have a gun in your head.Vendor materials and many industry experts also recommend dual-stack as the best approach, but it is definitely misleading. They shouldn’t do this and you should think at least three times when you listen to vendor engineers! In order to understand why the above statement is not true (dual-stack is not the best approach for IPv6 design), we have to understand what is IPv6 dual-stack in the first place.   What does IPv6 Dual-stack mean? Dual stack refers to running IPv6 and IPv4 in the network together. But not only on the routers and switches but also on all the links, host operating systems and most importantly on the applications. In the Enterprise networks, this can be local area network, wide area network, and the datacenters but in the service provider networks, it will be access nodes, pre-aggregation, aggregation, edge, and core networks, also datacenters, and the RAN (Radio Access Network) network, mobile handset and the applications inside the handset, CPE modem and many other devices. As you can see, it is not just about network routers that are IPv6 capable but everything in the network that needs to support IPv6. Actually, the easiest part is to enable IPv6 dual-stack on the routers. The hardest two parts of the IPv6 dual-stack deployment are the applications and the CPEs. CPE is a term used in the Service Provider networks which define the devices in the customer location. For example, an ADSL modem is a CPE for broadband service. Since there might be millions of ADSL modems that need to support IPv6, imagine the size of the deployment, and the time to complete these types of deployments, especially if the hardware needs to be replaced. Also with Dual-Stack, in addition to IPv4, you will have IPv6 as well, memory and CPU requirements will be much more compared to IPv6-only networks or other IPv6 transition technologies. Thus you change the routers with the bigger ones (Scale-UP) generally which is good for the networking vendors (Juniper, Alcatel, Cisco, etc). It wouldn’t be wrong if I say that this is one of the reasons they are advertising that dual-stack is the best approach for IPv6 design. If you think that dual-stack is hard if not impossible for many of these networks just because of the scale of the deployment, you are wrong. There are other things.   IPv4 addresses exhaustion and common solutions: As you know public IPv4 addresses have been exhausted. Most of the RIRs (Regional Internet Registry) already assigned their last IPv4 address blocks to the Service Providers. So if you go to the RIPE, ARIN, or any other RIR today and ask IPv4 address, you might not get anything. IPv4 is done. This doesn’t mean Service Providers ran out of IPv4 addresses as well.So as an Enterprise customer, if you ask your Service Provider to assign an IPv4 address, you might still get a small block, but many of my customers recently tried to get a new address block (Very small, /25, /26) and their service providers asked justifications and wanted the customer to pay them a lot of money. But how can service providers solve their IPv4 issue if they cannot receive an IPv4 address from the Regional Registries? The very common answer is CGN (Carrier Grade NAT). Most of the Service Providers today implement Carrier Grade NAT. CGN is also known as LSN (Large Scale NAT). And in my opinion, it should be called LSN since there is nothing for CGN to be a carrier grade. It is just a NAT. CGN Double NAT With CGN, Service Providers do NAT44 on the CPE from private address to another private address (Well known /10 prefix which is allocated by IANA) and another NAT44 on the Service Provider network. That’s why you can hear CGN, LSN, Double NAT or NAT444. All of them refer to the same thing.But with CGN you are not enabling IPv6. You are just trying to solve the IPv4 depletion problem in a very problematic way. I won’t talk about the problems of NAT in this post though. Companies are also using trade-market to purchase IPv4 public addresses. Average cost per IPv4 address is around 8-10$ currently. This might increase by the time. And it would be wise to expect to see much bigger DFZ space by the time because of de-aggregation. With CGN, IPv4 private addresses are shared among many customers and those shared addresses are NATed at the CGN node twice.So far in the post the size of the deployment and IPv4 exhaustion problems are mentioned to explain why dual-stack is very hard to deploy. But wait there are others. There will be always some applications which run IPv4 only, in this case you have to use a Translator. I am talking about IPv6 to IPv4 translator and vice versa. So dual-stack may not be possible because fancy – free a lot of applications don’t support IPv6 today. (Most common example is Skype and some VOIP applications) Common solution for translating IPv6 to IPv4 is NAT 64 + DNS 64. NAT-PT was the early version of Ipv6 to IPv4 translator but there were security problems such as DNSSEC thus NAT-PT is obsolete now.   NAT 64 + DNS 64 is good for translating v6 to v4 so IPv6 only host can reach IPv4 only host but wait, that’s not all yet either. How you will support an application which doesn’t rely on DNS? For example, Skype? Skype is very common applications which uses hard coded IPv4 addresses and doesn’t rely on DNS. NAT 64 + DNS 64 cannot be a solution for that. Just because of these type of applications, companies which enabled dual-stack everywhere place a translation at the host device. For example, Mobile operators uses 464XLAT on the handheld devices to support IPv4 application.   NAT46 is performed at the handset (Smart phone, tablet, etc.) by providing dummy IPv4 address to the application, and performing 4 to 6 NAT at the handset.For example T-Mobile in U.S deployed 464XLAT to support IPv6 only devices to run over IPv6 only network. What about IPv6 tunneling? When it might be needed? Tunneling is necessary if the company cannot enable IPv6 on some part of the network. For example if Broadband Service Providers DSLAM doesn’t support IPv6, it is hard if not impossible to replace those until the hardware refresh cycle. Most common tunnelling technology by these type of companies is 6rd (6 Rapid Deployment). Or Enterprise network which wants to enable IPv6 in their LAB environment, need tunnelling over the IPv4 network until all the links and routers support dual-stack. IPv6 6rd can be used as a router to router IPv6 over IPv4 environment for this type of deployment, as well as host to host or host to router tunnelling technologies such as ISATAP can be used. Conclusion: There will always be a need to use all these transition mechanisms together in the network. Dual-Stack is the hardest to support IPv6 transition method among all the other by the large scale companies and the IPv6 to IPv4 translation technologies breaks most of the applications. Tunnelling is a solution to support IPv6 over IPv4 network and can be the interim solution until dual-stack is enabled on all the nodes and links. Our end goal shouldn’t be IPv6 dual-stack! Our goal is to have an IPv6 only network and remove IPv4 completely. This can be only achieved with networking vendors, Service Providers, Operating System manufacturer, application developers, website owners, CDN companies and many others. Otherwise CGN or Trade-market (Buying IPv4 public address from the other companies) type of interim solution only buy a time and those solutions will be expensive for the companies day by day without IPv6. There are companies who has IPv6 only network today!

Published - Tue, 26 Nov 2019

Created by - Orhan Ergun

CCDE Real Labs/Scenarios

CCDE Real Lab Scenarios - I think it is time to write otherwise people will loose their money for nothing.   Today I got a whatsapp message from someone who says ‘ I can’t join your Onsite CCDE training, is there a way to buy REAL scenarios Online ‘. I didn’t understand initially. I thought someone is asking whether I sell real CCDE scenarios. Then in an hour 4 5 of my students showed me a message through Skype ( my study group is on Skype ).In the message it says ‘ I am going to conduct an Onsite bootcamp , I will teach real CCDE scenarios , it will be most successful bootcamp, challenge to all my competitors and so on ‘. We laughed ? But situation was really serious and I realized that I should have stopped laughing and share some information with everyone. There are many problems with this message. First, I don’t have scheduled bootcamp in Qatar and in fact I never opened a bootcamp in Qatar. Only conducted one session in Qatar University during my Online 11 days bootcamp. Second wrong thing is, talking on the real scenario is not teaching. You should say I don’t know anything about design thus I can only talk if there is question and answer in front of me. Third problem with this message , When you share with someone the real scenarios and if they pass, you don’t see this as a success, students shouldn’t see too. Can you tell them students ? Thats another point ! Last but not least, challenge to all my competitors. This was I laughed mostly. These guys seriously think that they are competitor. ?? What the heck is happening ? People who are in this field know that there are only two serious CCDE providers currently which mean I have only one competitor and I hear good things about him and I respect. We have different methods of doing trainings but at the end He knows and teaches network design as well. By the way I forgot to say, important point is, these guys are using my name in their advertisement. They use my personal phone number which is accessible publicly (On almost all my social media accounts) but they give you a fake email address. Students showed me some forums and it was weird to see my name and my never scheduled training there ? So , I will use my name and will say I will sell real scenarios. Hmmm, I am sure anymore, these guys are sick or they think people don’t know me. After I got message from the students I understood what the guy who sent me a whatsapp message was trying to say. He got the email and my phone number. Email is fake and whoever is doing this probably believe that people will send an email but not verify with the phone call etc. Probably this is true and they are selling the piece of shit (At least it will be shortly) but not after this post I believe. I started to talk about paper CCDE months before and suggested something on ‘Keeping the CCDE exam Secure‘. Unfortunately Cisco couldn’t keep it secure in my opinion for Feb exam, as even the newly graduate people passed the CCDE exam as I heard. But Cisco made a statement on this and they said, They are seriously considering and following these guys. Which mean they are aware and they will take an action. I am sure good things will be on May exam and hope CCDE will continue to be the most valuable certificate. But please be aware, I always advertise my training through my website. You can check my CCDE Training schedule from here. And I use [email protected] as business email. Don’t pay anyone even 1 dollar for the real scenarios. When the scenarios change without understanding, without knowledge you will definitely fail. And scenarios will change very soon trust me.I don’t share these guys name here, no need for marketing, maybe whole point of them is this. You should just know, Cisco is going to keep the exam secure and If you pay money for the scenario, you will be sorry later on.

Published - Tue, 26 Nov 2019

Created by - Orhan Ergun

MPLS Traffic Engineering – What are the alternatives ?

There are many posts about MPLS Traffic Engineering with RSVP on the Website, in this post we will look at the alternative approaches to the MPLS TE with RSVP.   MPLS Traffic Engineering has some drawbacks as well. IP Fast Reroute Mechanisms can be seen as successful alternative to MPLS Traffic Engineering if you are using MPLS TE for only fast convergence purpose. One of the main drivers for the MPLS Traffic Engineering is explicit path routing.   We can define the desired path from Ingress tunnel router explicitly.If packet needs to go from New York to Seattle , you can send it to Amsterdam even :).   RSVP ( Resource Reservation Protocol ) is used to allocate label and Link-state routing protocols ( OSPF and IS-IS ) are used to advertise link attributes such as metric, available, used and unreserved bandwidth or link colouring in the context of MPLS Traffic Engineering.   In 2013 Cisco,Ericsson, Google and couple other big companies published a draft about Segment Routing which is alternative method to established explicit path without using RSVP or any separate label distribution protocol. Conclusion : Segment routing is an alternative method to MPLS Traffic Engineering for creating explicit path routing, IP Fast Reroute mechanisms are alternative methods to MPLS TE for fast rerouting.   It’s Your Turn Do you think that Segment Routing is a revolution?. Or did you hear it first time here ? Share your insights and feelings about it in the comments box below.

Published - Tue, 26 Nov 2019

Created by - Orhan Ergun

Is MPLS mandatory for Traffic Engineering?

Is MPLS mandatory for Traffic Engineering? What is Traffic Engineering in the first place ?   Wikipedia defines traffic engineering as below. ” Internet traffic engineering is defined as that aspect of Internet network engineering dealing with the issue of performance evaluation and performance optimization of operational IP networks.” So we are managing the performance with traffic engineering. We divert network traffic when it is necessary. Maybe there are some idle links, maybe there are over provisioned capacity which we would like to use, maybe some applications require low latency links and maybe some applications are okay with higher latency links but require higher bandwidth for the operations. Okay, based on our applications and required traffic demand we should be able to use any of our available link in the network. For very small scale network, maybe you don’t have any alternative but you have to use all available links. But in large scale networks, there are always optimal paths for different traffic demand and with traffic engineering we exactly manage the traffic demands. But, If I ask you , why you do traffic engineering ? What is the overall purpose ? Probably you jumped immediately and think about sending different applications traffic through different paths, creating LSPs over different physical paths maybe and how to send traffic though available unused paths. If you do that, you don’t ask correct questions and as I always say, asking correct questions show your intelligence. And asking the correct questions teach you how to be a master in ant technology. Well, you do traffic engineering to save the cost. Main reason is cost reduction, avoidance or savings. I talked as a finance guy I know but I learned that they are different things ? Is MPLS only way to do traffic engineering ? This is the topic of this post. What do you think ? Let me tell you something. Think always out of the box. What I told you before , how would you do the traffic engineering ? You will send different traffic flows through different paths based on some criteria. For this you don’t need MPLS Traffic Engineering of course. You can do it with PBR , IGP , BGP , anything. Actually you are doing traffic engineering everyday. Even with static routing. Just different technologies use different approach for traffic engineering. You do MPLS Traffic Engineering by creating tunnels, with IGP by using metric and with BGP by using communities. Ultimately, you manage to send different traffic demands through available paths by keeping your constraints in mind. Low latency path , higher bandwidth links, SRLG disjoint paths and so on. I wrote an article to illustrate IGP Traffic Engineering as an MPLS Traffic Engineering Alternatives If you have any question or comment please share in the comment box below.

Published - Tue, 26 Nov 2019

Created by - Orhan Ergun

What is VPWS, VLL, EoMPLS?

Actually all are the same thing. VPWS stands for virtual private wire service , VLL stands for virtual leased line and EoMPLS stands for Ethernet over MPLS. MPLS Technologies and Design are explained in great detail in my Instructor Led CCDE and Self Paced CCDE course. All are MPLS Layer 2 VPN service and terms are used to define point to point layer 2 circuit. In this post I will not mention about design best practices , deployment options or scenarios but will keep it simple and only explain the definitions. For MPLS Layer 2 VPN, you can even hear ATOM from Cisco engineers. ATOM stands for Any Transport over MPLS. But it is weird though. MPLS stands for Multi Protocol Label Switching which mean you can carry any protocol through MPLS. So ATOM is just another version of saying ‘ MPLS ‘. There are different standard bodies probably you heard IETF , IEEE , ITU , MEF (Metro Ethernet Forum) and so on. VPWS is an IETF term. MEF also defined MPLS Layer 2 VPN point to point service and they call it E-Line. Essentially all are same thing. They are the most common MPLS Layer 2 VPN application. In this post I just covered the definition and the different alternative keywords for VPWS. You can check from the right sidebar many MPLS related posts. To have a great understanding of SP Networks, you can check my new published “Service Provider Networks Design and Perspective” Book. It covers the SP network Technologies with also explaining in detail a factious SP network. Click here

Published - Tue, 26 Nov 2019

Created by - Orhan Ergun

OSPF and IS-IS for MPLS Traffic Engineering!

OSPF and IS-IS for MPLS TE- You need OSPF or IS-IS to distribute link information such as reserved, unreserved and used bandwidth, metric, link colouring information.These informations are used by CSPT ( Constraint based shortest path first ) algorithm.   For those who are familiar with MPLS-Traffic Engineering, path is calculated either at each and every device or with the offline computation tools such as NMS from the central place.   For the distributed computation, CSPF which is one of the flavour of Shortest Path First (SPF) algorithm is used.   CSPF computes a dynamic unidirectional MPLS TE LSP ( Label Switch Path ) by reaching the Traffic Engineering Database (TED). TED database has different attributes than regular link state database which is created such as reserved , used , unreserved bandwidth on the interfaces, link colouring attributes and so on.Link colouring information is used to avoid SRLG ( Shared Risk Link Group ) path at the transport network. These information can only be provided by the link state protocols. Thus if you want to calculate the MPLS TE LSP without helping the NMS ( Network Management System ) but on each and every LSR as distributed, you need to use link state routing protocols which are OSPF and IS-IS currently.

Published - Tue, 26 Nov 2019

Created by - Orhan Ergun

Route Redistribution Best Practices

Route Redistribution Best Practices - You need route redistribution for many reasons. In this post,the drivers for the route redistribution but more importantly the best practices for applying route redistribution will be explained in great detail. I am explaining this topic in deep detail in my  “BGP Zero to Hero” course. Click here for our Special Offer. Redistribution allows one domain information to be leaked to another one. This can be between the companies, same company but different routing protocol but in IS-IS case same routing protocol but different level. Redistribution comes with its cost, in this article I will explain the drivers for route redistribution. How really it works and best practices from the network design point of view will be covered. You may have partner network which uses different routing protocol than your network, although it doesn’t have to be different protocol. Better practice is to create a BGP neighborship between the two companies and provide the reachability to each other. By doing this, you continue to use separate IGP protocols in each site and start to use BGP for partner network routes. Biggest advantage of doing this; link flaps, route flaps, intentional or unintentional operator mistakes will not cause routing protocol convergence in your network. Best Practice : If you have multiple points where you redistribute routes, be aware of routing loops. You should use route-map, distribute-list, route-tag, some sort of filtering mechanisms. Best Practice : If you are running link state protocol as your IGP and you have broadcast segment, it is better to use Designated router and redistribution point ( ASBR ) as same router. In this way, you will reduce the amount of flooding. You may want to redistribute default route at the Internet edge into your IGP protocol. You need to be really careful while doing this.Use filtering mechanisms to allow only default route. If company is using IS-IS as an IGP and multi level of IS-IS is deployed , you may need to leak some routes from level 2 domain into level 1 domain.This operation is done by redistributing selective addresses from level 2 domain into level 1 domain.Why would I want to leak prefixes into level 1 ?   You have to leak loopback addresses of all PE devices from level 2 into level 1 domain if MPLS is enabled in the network. ( Seamless or Unified MPLS is exception ).In that case you learn remote PE addresses and label binding through BGP.   Enterprise might be receiving MPLS VPN service from Service Provider and they maybe using different PE-CE routing protocol than their IGP. In this case, redistribution is necessary. All above best practices applies in this case. VPN service providers need to redistribute customers routing protocol into Multi Protocol BGP if the customers is not using BGP as their PE-CE routing protocol.In this case Service Provider takes the routes from VRF, make them VPN route by adding RD and RT values and send over the SP network. Conclusion: Avoid redistribution if you can. It is easy to create routing loops and to manage it to avoid loop, might be too complex to configure. It’s Your Turn Do you have any bad experience with route redistribution? Share your experience and suggestions in the comments box below.

Published - Tue, 26 Nov 2019