Route Summarization: Theory and Practice

Started by deanwebb, May 08, 2020, 10:33:37 AM


deanwebb

Question for discussion... I know that being able to do route summarization is important, as it allows for cleaner routing tables. That's the theory part. My question is for those with experience in larger networks or ISP environments - is that something that can be maintained at scale? Or do you eventually get to where a range intended for region X has to be split up and assigned to regions A, B, and C and cases like that?

And, once broken up in that way, have you ever gone back and tried to straighten things out? Or does it just stay that way, forever?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

Not a super large org, but the summaries stay, and the other sites will just advertise more specifics. It does not happen too often. When you use 10/8 you have plenty to work with so no reason to split up normally. Even then we tend not to summarize anymore. Routers are powerful enough they can handle the table sizes, and with automation engineers are not looking at route tables as often.

-Otanx

deanwebb

Interesting. I've got some customers that break out in a rash when I suggest splitting a /24 into two /25s in different geographic locations. While it makes access lists easy to set up (just one /24 to define), they give me a 5-minute briefing on how important route summarization is in that environment.

Otanx

Is it an issue with route summarization, or is it an "I know if I see 10.10.anything it is site A, if I see 10.20.anything it is site B" issue? Then you saying to use 10.10.20.0/25 at site A and 10.20.20.128/25 at site B means I won't know where it is. Then this is why people write weird ACLs that look like:
permit 10.0.200.0 0.255.0.255 any

Then I can use 10.X.200.0/24 with X being a site ID and my ACLs just work, and I still can identify the site the IP belongs to.

-Otanx

deanwebb

These guys were saying route summarization. 10.1.0.0 is everything in Datacenter A and 10.2.0.0 is Datacenter B. I can't have a little bit of 10.1.0.0 in DC B or it screws up all their summarization that's supposed to let them have good performance on handling traffic bound to the DC.

Otanx

Eh, I am curious what their performance benefit is from route summarization. I wouldn't want you to split a /24 like that in my environment, but it is so I can identify where a system is by IP easily, not for any kind of performance benefit. I expect this is the real reason, but they don't want to say "because I don't like it". We would just set you up to use an ACL like I had in my previous post. Then we are both happy. My IPs are the way I want them, and there is only one ACL line. This is actually how we do this where I work. We have a /16 reserved for "nodes". A node is basically a small office. Each node gets a /24 out of that /16. Then the servers get an IP based on their role. So .50 at a node is say a file server. Then all my ACLs match 0.0.255.0 mask.

-Otanx
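
Added example, not part of the original posts: a small Python audit helper that evaluates the discontiguous wildcard masks described above (`10.0.200.0 0.255.0.255` and the `0.0.255.0` role mask) so you can see exactly which addresses one ACL line covers. The `10.50.0.0/16` node range, the sample addresses and the function names are constructed for illustration.

```python
import ipaddress

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(address, base, wildcard):
    """Cisco-style wildcard match: bits set to 1 in the wildcard are ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) & care) == (_to_int(base) & care)

def is_contiguous(wildcard):
    """True when the wildcard is the inverse of a normal prefix mask (a plain CIDR block)."""
    w = _to_int(wildcard)
    return (w & (w + 1)) == 0

def matched_count(wildcard):
    """Number of addresses a single entry with this wildcard covers."""
    return 2 ** bin(_to_int(wildcard)).count("1")

def site_id(address):
    """Under the 10.X.200.0/24 scheme the second octet is the site ID."""
    return ipaddress.IPv4Address(address).packed[1]

# The entry from the thread: any site (second octet), any host, VLAN 200 only.
SITE_ENTRY = ("10.0.200.0", "0.255.0.255")
# Role-based entry: host .50 at every node /24 inside an assumed 10.50.0.0/16.
ROLE_ENTRY = ("10.50.0.50", "0.0.255.0")

# Constructed sample addresses for the audit.
SAMPLES = ["10.10.200.17", "10.20.200.130", "10.10.201.17", "10.50.7.50", "10.50.7.51"]

def audit(samples=SAMPLES):
    """Return {address: (matches SITE_ENTRY, matches ROLE_ENTRY)} for each sample."""
    return {
        a: (wildcard_match(a, *SITE_ENTRY), wildcard_match(a, *ROLE_ENTRY))
        for a in samples
    }

if __name__ == "__main__":
    for name, (base, wc) in (("site", SITE_ENTRY), ("role", ROLE_ENTRY)):
        print(f"{name}: {base} {wc} contiguous={is_contiguous(wc)} "
              f"covers={matched_count(wc)} addresses")
    for addr, (site_hit, role_hit) in audit().items():
        print(f"{addr:15} site-entry={site_hit} role-entry={role_hit}")
```

A non-contiguous wildcard cannot be written as a single CIDR prefix, so the one-line site entry covers 65,536 addresses spread across 256 separate /24s; reviewing such entries by count as well as by pattern helps confirm the line permits only what was intended.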

deanwebb

Yeah, I think it's more keeping it neat than any performance. BUT, keeping it neat means it's easier to wrap my head around what's going on, and that's a very good thing indeed.