MPLS L3VPN: Inter-AS - Option C
The previous posts explained Inter-AS L3VPN Option A and Option B. Inter-AS Option C uses a multihop eBGP VPNv4 session between the Route Reflectors (RRs) of each Service Provider. The ASBRs only exchange the PE loopback routes over an eBGP IPv4 session, and that same session also carries labels, which creates a transport label between the ASes. As a result, the LSP (Label Switched Path) is not broken and the original MPLS VPN label is used all the way, since the next hop of the VPNv4 routes is not changed along the path. Option C has the following defining characteristics:
- Route Reflectors exchange VPNv4 routes + next-hop-unchanged.
- Labelled eBGP IPv4 between ASBRs.
- ASBRs only contain the addresses of remote PEs for BGP next-hop reachability of VPN routes.
- The loopback prefixes received from eBGP must be redistributed into the IGP (in each Service Provider) so that the other PEs can resolve the VPNv4 next hop between ASes.
- End-to-end LSP.
- More scalable than Option B.
- More invasive than Option B, because each domain of the Service Provider will be exposed.
When RFC 3107 is used in networks configured with multihop MP-eBGP, there must be an LSP between the nonadjacent routers.
The neighbor <address> send-label command is needed under the eBGP configuration between the ASBRs to enable the exchange of IPv4 labels between the two peers, together with the mpls bgp forwarding command on the ASBR-to-ASBR interface (this one is configured automatically under the interface) to maintain MPLS forwarding for directly connected BGP peers.
The next-hop addresses of the remote AS PEs learned via eBGP between the ASBRs must be redistributed into the IGP of both ASes with the redistribute bgp command so that the next hops in the remote AS are reachable.
Finally, when the MP-eBGP peering between the RRs of the different ASes is configured, one command is essential on both RRs: neighbor <address> next-hop-unchanged. It keeps the next hop of the original PE and preserves a single LSP; in other words, the next hop is not changed when the VPNv4 routes are exchanged between the RRs.
Inter-AS L3VPN Option C is somewhat controversial in terms of security, so it is recommended to deploy it when both ASes belong to the same overall authority, such as a Service Provider with ASes in different regions of a country or the world.
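Because Option C exposes each provider's internal addressing to the other, the ASBR is where that exposure is bounded. The following audit is an added example, not part of the original post: it checks the ASBR requirements described above and verifies that redistribution of BGP into the IGP is filtered to /32 loopbacks only. The function name audit_asbr and the sample (the relevant lines of the AS8048 ASBR configuration shown later in this post) are constructed for illustration.

```python
import re

# Constructed sample: relevant lines of the AS8048 ASBR configuration from this post.
ASBR_CONFIG = """
interface Ethernet0/3
 mpls bgp forwarding
router ospf 65500
 redistribute bgp 8048 subnets route-map REDISTRIBUTE_IN_OSPF
router bgp 8048
 neighbor 190.40.14.2 remote-as 6306
 neighbor 190.40.14.2 send-label
ip prefix-list FOREIGN_PREFIXES seq 10 permit 16.16.16.16/32
ip prefix-list FOREIGN_PREFIXES seq 20 permit 11.11.11.11/32
route-map REDISTRIBUTE_IN_OSPF permit 10
 match ip address prefix-list FOREIGN_PREFIXES
"""

def audit_asbr(config):
    """Return findings for an Option C ASBR; an empty list means it passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    text, findings = "\n".join(lines), []
    local_as = re.search(r"^router bgp (\d+)$", text, re.M).group(1)
    # eBGP peers are the neighbors whose remote-as differs from the local AS.
    for peer, asn in re.findall(r"^neighbor (\S+) remote-as (\d+)$", text, re.M):
        if asn != local_as and f"neighbor {peer} send-label" not in lines:
            findings.append(f"{peer}: send-label missing")
    if "mpls bgp forwarding" not in lines:
        findings.append("mpls bgp forwarding missing on the ASBR link")
    # Map each route-map to the prefix-lists it matches on.
    rmaps, current = {}, None
    for l in lines:
        if m := re.match(r"route-map (\S+) permit", l):
            current = m.group(1)
        elif (m := re.match(r"match ip address prefix-list (\S+)", l)) and current:
            rmaps.setdefault(current, []).append(m.group(1))
        else:
            current = None
    # Every redistribution of BGP into the IGP must be limited to /32 loopbacks.
    for l in (x for x in lines if x.startswith("redistribute bgp")):
        m = re.search(r"route-map (\S+)", l)
        plists = rmaps.get(m.group(1), []) if m else []
        if not plists:
            findings.append("redistribute bgp into the IGP is not prefix-filtered")
        for pl in plists:
            pat = rf"^ip prefix-list {re.escape(pl)} seq \d+ permit (\S+)"
            for pfx in re.findall(pat, text, re.M):
                if not pfx.endswith("/32"):
                    findings.append(f"{pl} permits non-host route {pfx}")
    return findings
```

An unfiltered redistribute bgp on the ASBR would place every prefix the neighbouring AS advertises into the local IGP, which is why the route-map and prefix-list are checked together.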
Demonstrating: Inter-AS L3VPN Option C
The following commands demonstrate the basic configuration needed to establish Inter-AS L3VPN Option C, assuming that the MPLS backbone of each Service Provider is already configured.
PEs in both Service Providers are configured with the same Route Distinguisher (RD) and Route Target (RT) for the customer FARMA.
On AS8048
hostname CE1
!
interface Loopback0
ip address 7.7.7.7 255.255.255.255
!
interface Ethernet0/3
description CE-PE
ip address 192.168.57.2 255.255.255.252
!
!
router eigrp 101
network 0.0.0.0
eigrp router-id 7.7.7.7
!
hostname PE1
!
vrf definition FARMA
rd 6306:8048
!
address-family ipv4
route-target export 6306:8048
route-target import 6306:8048
exit-address-family
!
!
interface Ethernet0/3
vrf forwarding FARMA
description PE-CE1
ip address 192.168.57.1 255.255.255.252
!
!
router eigrp AS8048
!
address-family ipv4 unicast vrf FARMA autonomous-system 101
!
topology base
redistribute bgp 8048 metric 1000 10 255 1 1500
exit-af-topology
network 192.168.57.0 0.0.0.3
exit-address-family
!
router bgp 8048
!
address-family ipv4 vrf FARMA
redistribute eigrp 101
exit-address-family
!
hostname ASBR
!
interface Ethernet0/3
description ASBR8048-ASBR6306
ip address 190.40.14.1 255.255.255.252
mpls bgp forwarding
!
!
router ospf 65500
mpls ldp autoconfig
redistribute bgp 8048 subnets route-map REDISTRIBUTE_IN_OSPF
!
!
router bgp 8048
bgp log-neighbor-changes
no bgp default ipv4-unicast
no bgp default route-target filter
neighbor 190.40.14.2 remote-as 6306
!
address-family ipv4
network 1.1.1.1 mask 255.255.255.255
network 2.2.2.2 mask 255.255.255.255
network 5.5.5.5 mask 255.255.255.255
neighbor 190.40.14.2 activate
neighbor 190.40.14.2 send-label
exit-address-family
!
ip prefix-list FOREIGN_PREFIXES seq 10 permit 16.16.16.16/32
ip prefix-list FOREIGN_PREFIXES seq 20 permit 11.11.11.11/32
!
route-map REDISTRIBUTE_IN_OSPF permit 10
match ip address prefix-list FOREIGN_PREFIXES
!
hostname RR1
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
!
router bgp 8048
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 2.2.2.2 remote-as 8048
neighbor 2.2.2.2 update-source Loopback0
neighbor 3.3.3.3 remote-as 8048
neighbor 3.3.3.3 update-source Loopback0
neighbor 5.5.5.5 remote-as 8048
neighbor 5.5.5.5 update-source Loopback0
neighbor 6.6.6.6 remote-as 8048
neighbor 6.6.6.6 update-source Loopback0
neighbor 11.11.11.11 remote-as 6306
neighbor 11.11.11.11 ebgp-multihop 255
neighbor 11.11.11.11 update-source Loopback0
!
address-family ipv4
exit-address-family
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community both
neighbor 2.2.2.2 route-reflector-client
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community both
neighbor 3.3.3.3 route-reflector-client
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community both
neighbor 5.5.5.5 route-reflector-client
neighbor 6.6.6.6 activate
neighbor 6.6.6.6 send-community both
neighbor 6.6.6.6 route-reflector-client
neighbor 11.11.11.11 activate
neighbor 11.11.11.11 send-community both
neighbor 11.11.11.11 next-hop-unchanged
exit-address-family
!
On AS6306
hostname CE2
!
interface Loopback0
ip address 17.17.17.17 255.255.255.255
!
interface Ethernet0/1
description CE-PE
ip address 192.168.167.2 255.255.255.0
!
!
router eigrp 101
network 0.0.0.0
eigrp router-id 17.17.17.17
!
hostname PE2
!
vrf definition FARMA
rd 6306:8048
!
address-family ipv4
route-target export 6306:8048
route-target import 6306:8048
exit-address-family
!
!
interface Ethernet0/1
vrf forwarding FARMA
description PE-CE2
ip address 192.168.167.1 255.255.255.0
!
!
router eigrp AS6306
!
address-family ipv4 unicast vrf FARMA autonomous-system 101
!
topology base
redistribute bgp 6306 metric 1000 10 255 1 1500
exit-af-topology
network 192.168.167.0
exit-address-family
!
router bgp 6306
!
address-family ipv4 vrf FARMA
redistribute eigrp 101
exit-address-family
!
hostname ASBR
!
interface Ethernet0/3
description AS6306-AS8048
ip address 190.40.14.2 255.255.255.252
mpls bgp forwarding
!
!
router ospf 65501
mpls ldp autoconfig
redistribute bgp 6306 subnets route-map REDISTRIBUTE_IN_OSPF
!
!
router bgp 6306
bgp log-neighbor-changes
no bgp default ipv4-unicast
no bgp default route-target filter
neighbor 190.40.14.1 remote-as 8048
!
address-family ipv4
network 11.11.11.11 mask 255.255.255.255
network 16.16.16.16 mask 255.255.255.255
neighbor 190.40.14.1 activate
neighbor 190.40.14.1 send-label
exit-address-family
!
ip prefix-list FOREIGN_PREFIXES seq 10 permit 1.1.1.1/32
ip prefix-list FOREIGN_PREFIXES seq 20 permit 2.2.2.2/32
ip prefix-list FOREIGN_PREFIXES seq 30 permit 5.5.5.5/32
!
route-map REDISTRIBUTE_IN_OSPF permit 10
match ip address prefix-list FOREIGN_PREFIXES
!
hostname RR2
!
interface Loopback0
ip address 11.11.11.11 255.255.255.255
!
!
router bgp 6306
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 1.1.1.1 remote-as 8048
neighbor 1.1.1.1 ebgp-multihop 255
neighbor 1.1.1.1 update-source Loopback0
neighbor 12.12.12.12 remote-as 6306
neighbor 12.12.12.12 update-source Loopback0
neighbor 13.13.13.13 remote-as 6306
neighbor 13.13.13.13 update-source Loopback0
neighbor 15.15.15.15 remote-as 6306
neighbor 15.15.15.15 update-source Loopback0
neighbor 16.16.16.16 remote-as 6306
neighbor 16.16.16.16 update-source Loopback0
!
address-family ipv4
exit-address-family
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community both
neighbor 1.1.1.1 next-hop-unchanged
neighbor 12.12.12.12 activate
neighbor 12.12.12.12 send-community both
neighbor 12.12.12.12 route-reflector-client
neighbor 13.13.13.13 activate
neighbor 13.13.13.13 send-community both
neighbor 13.13.13.13 route-reflector-client
neighbor 15.15.15.15 activate
neighbor 15.15.15.15 send-community both
neighbor 15.15.15.15 route-reflector-client
neighbor 16.16.16.16 activate
neighbor 16.16.16.16 send-community both
neighbor 16.16.16.16 route-reflector-client
exit-address-family
!
Verifying end-to-end reachability between CEs
CE1# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
7.0.0.0/32 is subnetted, 1 subnets
C 7.7.7.7 is directly connected, Loopback0
17.0.0.0/32 is subnetted, 1 subnets
D 17.17.17.17 [90/435200] via 192.168.57.1, 00:22:30, Ethernet0/3
192.168.57.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.57.0/30 is directly connected, Ethernet0/3
L 192.168.57.2/32 is directly connected, Ethernet0/3
D 192.168.167.0/24 [90/307200] via 192.168.57.1, 00:22:30, Ethernet0/3
CE1# ping 17.17.17.17 source 7.7.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 17.17.17.17, timeout is 2 seconds:
Packet sent with a source address of 7.7.7.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/5/10 ms
CE1# traceroute 17.17.17.17 source 7.7.7.7
Type escape sequence to abort.
Tracing the route to 17.17.17.17
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.57.1 5 msec 2 msec 1 msec
2 10.3.5.3 [MPLS: Labels 28/35 Exp 0] 4 msec 3 msec 5 msec
3 10.2.3.2 [MPLS: Labels 30/35 Exp 0] 3 msec 3 msec 4 msec
4 10.2.4.4 [MPLS: Labels 29/35 Exp 0] 3 msec 3 msec 4 msec
5 190.40.14.2 [MPLS: Labels 22/35 Exp 0] 6 msec 10 msec 11 msec
6 10.11.14.11 [MPLS: Labels 25/35 Exp 0] 13 msec 8 msec 9 msec
7 10.11.13.13 [MPLS: Labels 23/35 Exp 0] 6 msec 3 msec 2 msec
8 192.168.167.1 [MPLS: Label 35 Exp 0] 4 msec 3 msec 4 msec
9 192.168.167.2 2 msec * 4 msec
A simple traceroute between the CEs shows that a single LSP (Label Switched Path) provides end-to-end reachability, and this LSP uses label 35.
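The same check done mechanically, as an added example that is not part of the original post: it parses the label stacks from the traceroute and confirms that the bottom (VPN) label never changes and equals the in-label PE2 allocated for the prefix, while only the top (transport) label is swapped hop by hop. The function names are hypothetical, and the sample text is constructed from the labeled traceroute hops above and PE2's label table shown later in this post.

```python
import re

# Constructed from this post: labeled hops of the CE1 traceroute and two
# rows of PE2's "show bgp vpnv4 unicast all labels" output.
TRACEROUTE = """\
2 10.3.5.3 [MPLS: Labels 28/35 Exp 0] 4 msec 3 msec 5 msec
3 10.2.3.2 [MPLS: Labels 30/35 Exp 0] 3 msec 3 msec 4 msec
4 10.2.4.4 [MPLS: Labels 29/35 Exp 0] 3 msec 3 msec 4 msec
5 190.40.14.2 [MPLS: Labels 22/35 Exp 0] 6 msec 10 msec 11 msec
6 10.11.14.11 [MPLS: Labels 25/35 Exp 0] 13 msec 8 msec 9 msec
7 10.11.13.13 [MPLS: Labels 23/35 Exp 0] 6 msec 3 msec 2 msec
8 192.168.167.1 [MPLS: Label 35 Exp 0] 4 msec 3 msec 4 msec
"""
PE2_LABELS = """\
7.7.7.7/32 5.5.5.5 nolabel/31
17.17.17.17/32 192.168.167.2 35/nolabel
"""

def label_stacks(traceroute):
    """Return [(hop_address, [labels, top first])] for the labeled hops."""
    pat = re.compile(r"(\d+(?:\.\d+){3}) \[MPLS: Labels? ([\d/]+) Exp")
    return [(m.group(1), [int(x) for x in m.group(2).split("/")])
            for m in map(pat.search, traceroute.splitlines()) if m]

def egress_in_label(labels_output, prefix):
    """In-label the egress PE allocated for a VPN prefix, or None."""
    for line in labels_output.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0] == prefix:
            in_label = fields[2].split("/")[0]
            return None if in_label == "nolabel" else int(in_label)
    return None

def check_lsp(traceroute, labels_output, prefix):
    """Return (ok, vpn_labels_seen, transport_labels) for the traced path."""
    stacks = [stack for _, stack in label_stacks(traceroute)]
    vpn = {s[-1] for s in stacks}                     # bottom of stack per hop
    transport = [s[0] for s in stacks if len(s) > 1]  # top label where present
    # One unbroken LSP: a single VPN label, equal to the egress PE's in-label.
    ok = bool(stacks) and vpn == {egress_in_label(labels_output, prefix)}
    return ok, vpn, transport
```

A path where the ASBR rewrites the VPN label would show more than one value in the set of bottom labels, and the check would fail.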
Verifying LSP from PE1 within AS8048
PE1# show ip bgp vpnv4 all 17.17.17.17
BGP routing table entry for 6306:8048:17.17.17.17/32, version 14
Paths: (1 available, best #1, table FARMA)
Not advertised to any peer
Refresh Epoch 3
6306
16.16.16.16 (metric 1) from 1.1.1.1 (1.1.1.1)
Origin incomplete, metric 0, localpref 100, valid, internal, best
Extended Community: RT:6306:8048 0x8800:32768:0 0x8801:101:153600
0x8802:65281:256000 0x8803:65281:1500 0x8806:0:286331153
mpls labels in/out nolabel/35
rx pathid: 0, tx pathid: 0x0
PE1# show bgp vpnv4 unicast all labels
Network Next Hop In label/Out label
Route Distinguisher: 6306:8048 (FARMA)
7.7.7.7/32 192.168.57.2 31/nolabel
17.17.17.17/32 16.16.16.16 nolabel/35
192.168.57.0/30 0.0.0.0 33/nolabel(FARMA)
192.168.167.0 16.16.16.16 nolabel/34
PE1# show ip route vrf FARMA 17.17.17.17
Routing Table: FARMA
Routing entry for 17.17.17.17/32
Known via "bgp 8048", distance 200, metric 0
Tag 6306, type internal
Redistributing via eigrp 101
Advertised by eigrp 101 metric 1000 10 255 1 1500
Last update from 16.16.16.16 00:48:48 ago
Routing Descriptor Blocks:
* 16.16.16.16 (default), from 1.1.1.1, 00:48:48 ago
Route metric is 0, traffic share count is 1
AS Hops 1
Route tag 6306
MPLS label: 35
MPLS Flags: MPLS Required
Verifying LSP from RR1 within AS8048
RR1# show ip bgp vpnv4 all summary | b Neighbor
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
2.2.2.2 4 8048 78 86 13 0 0 01:07:42 0
3.3.3.3 4 8048 78 84 13 0 0 01:07:47 0
5.5.5.5 4 8048 80 91 13 0 0 01:07:49 2
11.11.11.11 4 6306 81 79 13 0 0 01:07:03 2
RR1# show ip bgp vpnv4 all 17.17.17.17
BGP routing table entry for 6306:8048:17.17.17.17/32, version 9
Paths: (1 available, best #1, no table)
Advertised to update-groups:
1
Refresh Epoch 1
6306
16.16.16.16 (metric 1) from 11.11.11.11 (11.11.11.11)
Origin incomplete, localpref 100, valid, external, best
Extended Community: RT:6306:8048 0x8800:32768:0 0x8801:101:153600
0x8802:65281:256000 0x8803:65281:1500 0x8806:0:286331153
mpls labels in/out nolabel/35
rx pathid: 0, tx pathid: 0x0
Verifying the transport labels between ASBRs
ASBR8048# show mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
29         22         16.16.16.16/32   7420          Et0/3      190.40.14.2
ASBR6306# show mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
22         25         16.16.16.16/32   8983          Et0/1      10.11.14.11
Verifying LSP on PE2 within AS6306
PE2# show ip bgp vpnv4 all 17.17.17.17
BGP routing table entry for 6306:8048:17.17.17.17/32, version 13
Paths: (1 available, best #1, table FARMA)
Advertised to update-groups:
1
Refresh Epoch 1
Local
192.168.167.2 from 0.0.0.0 (16.16.16.16)
Origin incomplete, metric 3584000, localpref 100, weight 32768, valid, sourced, best
Extended Community: RT:6306:8048
Cost:pre-bestpath:128:3584000 (default-2143899647) 0x8800:32768:0
0x8801:101:153600 0x8802:65281:256000 0x8803:65281:1500
0x8806:0:286331153
mpls labels in/out 35/nolabel
rx pathid: 0, tx pathid: 0x0
PE2# show bgp vpnv4 unicast all labels
Network Next Hop In label/Out label
Route Distinguisher: 6306:8048 (FARMA)
7.7.7.7/32 5.5.5.5 nolabel/31
17.17.17.17/32 192.168.167.2 35/nolabel
192.168.57.0/30 5.5.5.5 nolabel/33
192.168.167.0 0.0.0.0 34/nolabel(FARMA)
Besides these options for interconnecting two ASes for a customer that wants an L3VPN between two different locations, there is another technology that takes inter-AS L3VPN to another level, called Carrier Supporting Carrier (CSC), which could be discussed later.