Route Servers

What's a route server and what's it good for?

A route server is a device collecting BGP routes from everybody who peers with it and redistributing those routes to all other peers on the route server.  Thus by peering with a route server you can avoid having to track and configure individual sessions with each peer at SwissIX. Furthermore, you'll get a lot of routes and traffic from day one.

Route Servers at SwissIX

SwissIX runs two OpenBSD/OpenBGPd-based route servers on the peering LAN. All SwissIX participants are strongly encouraged to peer with both route servers. We operate two independent route servers to allow for uninterrupted traffic flow even during maintenance.

Our route servers work transparently, meaning they don't insert their ASN into the AS path of the redistributed routes. On at least some Cisco IOS versions you have to allow this explicitly (the "no bgp enforce-first-as" line in the Cisco example below).

To peer with our route servers, just set up BGP sessions with them as you would for any other peering. Please peer with both of them from all your connections. If you use IPv6, please don't forget to also set up IPv6 sessions. Both route servers use ASN 42476.

 

| Route server | IPv4 | IPv6 |
|---|---|---|
| rs1.swissix.ch | 91.206.52.251 | 2001:7f8:24::fb |
| rs2.swissix.ch | 91.206.52.252 | 2001:7f8:24::fc |

Route Security

SwissIX Route Servers provide route security by filtering announcements. Please find below a list of filters and features available on our route servers.

  • Filters:
    • NEXT_HOP enforcement (strict / same AS - RFC7948 section 4.8)
    • minimum and maximum IPv4/IPv6 prefix length
    • maximum AS_PATH length
    • reject invalid AS_PATHs (containing private/invalid ASNs)
    • reject AS_PATHs containing transit-free ASNs
    • reject bogons
    • max-prefix limit
  • Prefixes and origin ASNs validation:
  • Graceful shutdown support
    • honor the GRACEFUL_SHUTDOWN BGP community received from clients (draft-ietf-grow-bgp-gshut-11)
    • supports a graceful shutdown of the route server itself

 

Configuration Updates

The configuration of the Route Servers is rebuilt at 04:00h (local/CE(S)T) and 16:00h (local/CE(S)T) daily. If you announce new prefixes or change your IRRDB objects please take a possible delay into account.

BGP Communities

The SwissIX Route Server accepts the following communities:

| Function | Standard | Large |
|---|---|---|
| Do not announce to any client | 0:42476 | 42476:0:0 |
| Announce to peer, even if tagged with the previous community | 42476:peer_as | 42476:1:peer_as |
| Do not announce to peer | 0:peer_as | 42476:0:peer_as |
| Prepend the announcing ASN once to peer | 65511:peer_as | 42476:101:peer_as |
| Prepend the announcing ASN twice to peer | 65512:peer_as | 42476:102:peer_as |
| Prepend the announcing ASN thrice to peer | 65513:peer_as | 42476:103:peer_as |
| Prepend the announcing ASN once to any | 65501:42476 | 42476:101:0 |
| Prepend the announcing ASN twice to any | 65502:42476 | 42476:102:0 |
| Prepend the announcing ASN thrice to any | 65502:42476 | 42476:103:0 |
| Add NO_EXPORT to peer | 65281:peer_as | 42476:65281_peer_as |
| Add NO_ADVERTISE to peer | 65282:peer_as | 42476:65282_peer_as |
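
As an added illustration (not SwissIX's or OpenBGPd's own code), the following Python example evaluates the announce and prepend communities from the table above for one route and one client. The precedence between conflicting tags, the "highest prepend wins" rule and the documentation ASNs used as sample peers are assumptions.

```python
RS_AS = 42476  # SwissIX route server ASN, from the page

def parse(comm):
    """'0:42476' -> (0, 42476); '42476:0:0' -> (42476, 0, 0)."""
    parts = tuple(int(p) for p in comm.split(":"))
    if len(parts) not in (2, 3):
        raise ValueError(f"not a standard or large community: {comm!r}")
    # Standard communities carry two 16-bit fields, large ones three 32-bit fields.
    limit = 0xFFFF if len(parts) == 2 else 0xFFFFFFFF
    if any(not 0 <= p <= limit for p in parts):
        raise ValueError(f"field out of range in {comm!r}")
    return parts

def block_tag(peer_as):
    """Community that withholds a route from peer_as; a 4-byte ASN needs the large form."""
    return f"0:{peer_as}" if peer_as <= 0xFFFF else f"{RS_AS}:0:{peer_as}"

def export_decision(communities, peer_as):
    """Return (announce, prepends) for one route towards one route-server client."""
    tags = {parse(c) for c in communities}
    deny_peer = {(0, peer_as), (RS_AS, 0, peer_as)}
    allow_peer = {(RS_AS, peer_as), (RS_AS, 1, peer_as)}
    deny_any = {(0, RS_AS), (RS_AS, 0, 0)}
    # Assumed precedence: per-peer deny, then per-peer allow, then deny-to-any.
    if tags & deny_peer:
        announce = False
    elif tags & allow_peer:
        announce = True
    else:
        announce = not (tags & deny_any)
    prepends = 0
    for n in (1, 2, 3):
        # Per-peer standard and large forms, plus the large "to any" form;
        # when several match, the highest count wins (assumption).
        wanted = {(65510 + n, peer_as), (RS_AS, 100 + n, peer_as), (RS_AS, 100 + n, 0)}
        if tags & wanted:
            prepends = n
    return announce, prepends

if __name__ == "__main__":
    # Constructed sample: documentation ASNs 64496/64497 (2-byte) and 65536 (4-byte).
    route = ["0:42476", "42476:64496", "42476:102:65536"]
    for peer in (64496, 64497, 65536):
        print(peer, export_decision(route, peer))
```
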

 

BGP Reject Community 65520.*

Prefixes that are rejected by the filters are tagged with the community 65520 and the ID listed below, which documents the reject reason. You can use the Looking Glass (rs1.swissix.ch / rs2.swissix.ch) to look up these communities and understand why some of your prefixes have been rejected.

| ID | Reason |
|---|---|
| 0 | Special meaning: the route must be treated as rejected. * |
| 1 | Invalid AS_PATH length |
| 2 | Prefix is bogon |
| 3 | Prefix is in global blacklist |
| 4 | Invalid AFI |
| 5 | Invalid NEXT_HOP |
| 6 | Invalid left-most ASN |
| 7 | Invalid ASN in AS_PATH |
| 8 | Transit-free ASN in AS_PATH |
| 9 | Origin ASN not in IRRDB AS-SETs |
| 10 | IPv6 prefix not in global unicast space |
| 11 | Prefix is in client blacklist |
| 12 | Prefix not in IRRDB AS-SETs |
| 13 | Invalid prefix length |
| 14 | RPKI INVALID route |
| 65535 | Unknown |

 

max-prefix recommendations

We recommend that you set a max-prefix limit on your side of the route server BGP session. At the moment we suggest allowing 280'000 IPv4 prefixes and 160'000 IPv6 prefixes.

On our side we have also implemented max-prefix limits on each peer. We use PeeringDB to calculate these limits.

Configuration Examples

Here are some cookbook examples for configuring your Route Server sessions. (Parts in italics need to be adapted by you. Bear in mind, these are just basic examples.)

 

First, an example for Cisco:

!
router bgp yourASNumber
 ! the route servers do not insert AS 42476 into the AS path, so first-AS enforcement must be off
 no bgp enforce-first-as
 neighbor 2001:7F8:24::FB remote-as 42476
 neighbor 2001:7F8:24::FB description Peer Route Server 1
 neighbor 2001:7F8:24::FC remote-as 42476
 neighbor 2001:7F8:24::FC description Peer Route Server 2
 neighbor 91.206.52.251 remote-as 42476
 neighbor 91.206.52.251 description Peer Route Server 1
 neighbor 91.206.52.252 remote-as 42476
 neighbor 91.206.52.252 description Peer Route Server 2
 !
 address-family ipv4
  no neighbor 2001:7F8:24::FB activate
  no neighbor 2001:7F8:24::FC activate
  neighbor 91.206.52.251 activate
  neighbor 91.206.52.251 prefix-list limit_my_outbound_v4_prefixes out
  neighbor 91.206.52.251 maximum-prefix 280000 restart 60
  neighbor 91.206.52.252 activate
  neighbor 91.206.52.252 prefix-list limit_my_outbound_v4_prefixes out
  neighbor 91.206.52.252 maximum-prefix 280000 restart 60
 exit-address-family
 !
 address-family ipv6
  neighbor 2001:7F8:24::FB activate
  neighbor 2001:7F8:24::FB prefix-list limit_my_outbound_v6_prefixes out
  neighbor 2001:7F8:24::FB maximum-prefix 160000 restart 60
  neighbor 2001:7F8:24::FC activate
  neighbor 2001:7F8:24::FC prefix-list limit_my_outbound_v6_prefixes out
  neighbor 2001:7F8:24::FC maximum-prefix 160000 restart 60
 exit-address-family
!

 

And here is a Juniper example:

protocols {
    bgp {
        group swissix-v4-peers {
            type external;
            local-address mySwissIXv4IP;
            export limit_my_outbound_v4_prefixes;
            remove-private;
            neighbor 91.206.52.251 {
                description "Peer Route Server 1";
                family inet {
                    unicast {
                        prefix-limit {
                            maximum 280000;
                            teardown 75 idle-timeout 60;
                        }
                    }
                }
                peer-as 42476;
            }
            neighbor 91.206.52.252 {
                description "Peer Route Server 2";
                family inet {
                    unicast {
                        prefix-limit {
                            maximum 280000;
                            teardown 75 idle-timeout 60;
                        }
                    }
                }
                peer-as 42476;
            }
        }
        group swissix-v6-peers {
            type external;
            local-address mySwissIXv6IP;
            export limit_my_outbound_v6_prefixes;
            remove-private;
            neighbor 2001:7f8:24::fb {
                description "Peer Route Server 1";
                family inet6 {
                    unicast {
                        prefix-limit {
                            maximum 160000;
                            teardown 75 idle-timeout 60;
                        }
                    }
                }
                peer-as 42476;
            }
            neighbor 2001:7f8:24::fc {
                description "Peer Route Server 2";
                family inet6 {
                    unicast {
                        prefix-limit {
                            maximum 160000;
                            teardown 75 idle-timeout 60;
                        }
                    }
                }
                peer-as 42476;
            }
        }
    }
}