The loss of some relationships might sadden us, but some of them raise interesting questions regarding Border Gateway Protocol (BGP)…
Network Separation of Two Companies
Imagine this: two companies that were once a single entity have decided to part ways.
Employees will be split between the companies, and there are financial and other matters to address. As network engineers, however, we are mostly interested in who keeps the network the two once shared.
A few months ago we faced exactly this question, when one of our customers decided to split its network in two as part of the separation of its company.
From a single network, two networks needed to be born: one an ISP (Internet Service Provider), the other a Mobile SP (Service Provider).
Both networks shared a variety of services, including RADIUS, SBC, DNS, and more. They also shared public IP addresses and a public AS (Autonomous System) number.
A Mobile Service Provider needed a new network
This blog focuses on a Mobile SP network — specifically, a standard MPLS network connecting two sites in different cities, each capable of backing up the other. For this network, a new AS number was acquired along with new Public IP addresses for subscribers.
Allow me to share with you some of the technical challenges that needed to be addressed before the separation:
The Power of POC
A POC is a great way to explore all the dilemmas we mentioned above without disrupting the network’s functionality.
We were able to replicate the customer’s network on a single Juniper router (thanks, Juniper, for creating logical-systems) and ran our tests on that replica. Now let’s answer some questions:
3. To understand the answer to this question, you first need to understand the problem we faced. A large number of providers connect to the routers at each site, and we could not schedule all of them to work with us in the same MW (maintenance window). To get around this, the BGP groups toward our providers were configured with the ‘local-as 200 loops 2 alias’ command: the sessions toward the providers keep peering with AS 200 while the router’s global AS is 100, so providers can be migrated one at a time. You also need to be aware of the as-path-domain concept that Juniper implemented in Junos OS. Each ‘domain’ contains the AS numbers configured on the router (the global AS plus any local-as and alias values), across all routing instances; a routing instance configured with independent-domain gets a domain of its own.
Take a look at the following output from the router:
oasis@PE-Mobile-SP-A-1> show as-path domain
Domain: 2 Primary: 65301
References: 1 Paths: 8
Local AS: 65301 Loops: 1
Domain: 3 Primary: 100
References: 18 Paths: 9945
Flags: Master
Local AS: 200 Loops: 2
Local AS: 100 Loops: 1
The output above tells us that domain 3 (flagged Master) contains AS 100 and AS 200, so routes coming into the router are loop-checked against both AS 200 and AS 100, no matter which VRF in that domain the routes enter. AS 65301 is configured in a routing instance with independent-domain and therefore sits in its own domain (domain 2) with its own loop check.
If, for example, the router PE-Mobile-SP-A-1 receives a route that looks like this:
10.10.10.10/32 *[BGP/170] 00:00:01, localpref 100, from 1.1.1.2
AS path: 200 I, validation-state: unverified
> to 10.11.12.13 via lt-0/0/0.3108, label-switched-path PE-Mobile-SP-A-1_TO_PE-Mobile-SP-B-2
It will be accepted. Note that the trailing ‘I’ is the origin code (IGP), not an AS number, so AS 200 appears only once in the received path. With ‘loops 2’, Junos hides a route only when the AS is found in the AS path two or more times, so a single occurrence passes the loop check.
Another example:
10.10.10.10/32 [BGP ] 00:00:21, from 1.1.1.1
AS path: 200 200 I, validation-state: unverified
> to 10.11.12.13 via lt-0/0/0.3108, label-switched-path PE-Mobile-SP-A-1_TO_PE-Mobile-SP-B-1
In this case, the route is rejected as an AS loop: AS 200 appears twice in the received path (the ‘I’ again being the origin code), which reaches the ‘loops 2’ threshold we configured.
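The two outputs above are exactly the cases a loop check must distinguish. The following is an added example, my own model and not code from the original post or Juniper’s implementation, of the documented ‘loops N’ semantics (a route is hidden when a local AS appears N or more times in the received AS path) applied per as-path domain. The domain table is an assumption that mirrors the ‘show as-path domain’ output on this page, and the parser deliberately drops the trailing origin code so that the ‘I’ is never counted as an AS.

```python
"""Junos-style AS-path loop detection with as-path domains.

Added example (not code from the original post and not Juniper's implementation).
It models the documented 'loops N' semantics: a route is hidden when the local
AS appears N or more times in the received AS_PATH. The domain table is an
assumption mirroring the page's 'show as-path domain' output.
"""

# Constructed domain table: domain id -> {local AS: loops threshold}
DOMAINS = {
    3: {100: 1, 200: 2},  # master domain: global AS 100, alias AS 200 (loops 2)
    2: {65301: 1},        # routing instance configured with independent-domain
}

# Trailing origin code in Junos 'AS path:' output; it is not an AS number.
ORIGIN_CODES = {"I": "IGP", "E": "EGP", "?": "incomplete"}


def parse_as_path(text):
    """Parse a Junos 'AS path' string such as '200 200 I' or '3356 {64512 64513} ?'.

    Returns (asns, origin). AS_SET members shown in braces are kept because
    loop detection counts them too.
    """
    tokens = text.split()
    if not tokens or tokens[-1] not in ORIGIN_CODES:
        raise ValueError(f"missing origin code in {text!r}")
    asns = [int(tok.strip("{}")) for tok in tokens[:-1]]
    return asns, ORIGIN_CODES[tokens[-1]]


def loop_check(as_path_text, domain_id, domains=DOMAINS):
    """Evaluate a received AS path in one as-path domain.

    Returns (accepted, reason). Every local AS of the domain is checked,
    regardless of which routing instance inside the domain the route enters.
    """
    asns, origin = parse_as_path(as_path_text)
    for local_as, loops in domains[domain_id].items():
        count = asns.count(local_as)
        if count >= loops:
            return False, f"AS{local_as} seen {count}x, loops {loops}: hidden as AS loop"
    return True, f"accepted (origin {origin})"


if __name__ == "__main__":
    # The page's two routes in the master domain, then the same path in domain 2,
    # where AS 200 is not a local AS and therefore is not checked at all.
    for path, domain in [("200 I", 3), ("200 200 I", 3), ("200 200 I", 2), ("65301 I", 2)]:
        ok, why = loop_check(path, domain)
        print(f"domain {domain}: '{path}' -> {'accept' if ok else 'reject'}: {why}")
```

Running it reproduces the page’s outcome for ‘200 I’ and ‘200 200 I’ in the master domain, and shows why the independent domain matters: the same ‘200 200 I’ path is accepted in domain 2, because AS 200 is simply not one of that domain’s local AS numbers.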
4. ISPs around the world rely on the RIPE Database (and the other RIR/IRR databases) to build their routing policies: import and export prefix filters are generated from the route objects registered there, which bind a prefix to its origin AS. The Mobile Operator acquired IP addresses previously assigned to a different company (and ASN) and location, so these addresses had to be re-registered under the Operator’s new ASN before peers would accept them. The same care applies to RPKI ROAs where they exist: the ‘validation-state’ field in the outputs above is what Junos reports from RPKI origin validation (‘unverified’ meaning no covering ROA was found or validation is not configured), and a ROA still naming the previous ASN would make the new announcements invalid even with the route objects fixed.
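To make the point concrete, here is an added example, my own model and not code from the original post or any ISP’s policy generator, of how a peer’s import filter built from IRR route objects, combined with RPKI origin validation in the Junos ‘validation-state’ vocabulary, treats the operator’s prefix before, halfway through, and after re-registration. The prefix 203.0.113.0/24, the previous holder AS 64496 and the operator’s new AS 64500 are constructed from the documentation ranges; the RPKI side is an added point, since the page itself only names the RIPE Database.

```python
"""Why re-registering routing data matters: a model of a peer's import decision.

Added example, not from the original post. It assumes the peer generates its
prefix filter from RIR/IRR route objects (prefix -> origin AS) and also runs
RPKI origin validation against ROAs. All prefixes, ASNs and objects below are
constructed from the documentation ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteObject:
    """IRR 'route' object: a prefix and the origin AS registered for it."""
    prefix: str
    origin: int


@dataclass(frozen=True)
class Roa:
    """RPKI ROA: prefix, maximum length, authorised origin AS."""
    prefix: str
    max_length: int
    origin: int


def irr_filter_accepts(prefix, origin, route_objects):
    """Import policy generated from route objects: accept only an exact
    (prefix, origin) pair that is registered."""
    return any(ro.prefix == prefix and ro.origin == origin for ro in route_objects)


def rpki_state(prefix, origin, roas):
    """Junos-style validation state: 'valid', 'invalid' or 'unverified'
    (unverified = no ROA covers the prefix at all)."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "unverified"
    for r in covering:
        if r.origin == origin and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def evaluate(prefix, origin, route_objects, roas):
    """Decision of a conservative peer: the IRR filter must match and RPKI
    must not say invalid ('unverified' is tolerated)."""
    irr_ok = irr_filter_accepts(prefix, origin, route_objects)
    state = rpki_state(prefix, origin, roas)
    return {"irr": irr_ok, "rpki": state, "accepted": irr_ok and state != "invalid"}


# Constructed data: the prefix was registered by its previous holder under
# AS 64496; the Mobile SP now announces it from its new AS 64500.
PREFIX = "203.0.113.0/24"
OLD_AS, NEW_AS = 64496, 64500
OLD_ROUTE_OBJECTS = [RouteObject(PREFIX, OLD_AS)]
OLD_ROAS = [Roa(PREFIX, 24, OLD_AS)]
NEW_ROUTE_OBJECTS = [RouteObject(PREFIX, NEW_AS)]
NEW_ROAS = [Roa(PREFIX, 24, NEW_AS)]


def before_reregistration():
    """Nothing updated yet: filtered by IRR and RPKI-invalid."""
    return evaluate(PREFIX, NEW_AS, OLD_ROUTE_OBJECTS, OLD_ROAS)


def route_object_only():
    """Route object moved to the new ASN, ROA still names the old one."""
    return evaluate(PREFIX, NEW_AS, NEW_ROUTE_OBJECTS, OLD_ROAS)


def after_reregistration():
    """Route object and ROA both updated: accepted."""
    return evaluate(PREFIX, NEW_AS, NEW_ROUTE_OBJECTS, NEW_ROAS)


if __name__ == "__main__":
    for name, fn in [("before", before_reregistration),
                     ("route object only", route_object_only),
                     ("after", after_reregistration)]:
        print(f"{name:>18}: {fn()}")
```

The middle case is the one that bites in practice: once the route object is fixed, IRR-generated filters let the prefix through, but a peer that drops RPKI-invalid routes still rejects it until the ROA is re-issued for the new ASN.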
Summary
Performing a network separation in a service provider network is a complex project, mainly because it has to be done on a live network: you need to know the network, the relevant protocols, and how far they can be bent a little.
Despite the challenges, the network migration went smoothly, leaving both entities as distinct networks in the internet landscape. This achievement marked a crucial step in the complex separation process.
Join Our Team:
If you find these networking challenges exciting, we’re hiring talented network engineers at Oasis. *Contact us* to be part of our passionate team.
Nir Gal
Net&Sec Solution Architect