In this post, we are going to go through the implementation and verification steps of Inter-AS Option B (defined in RFC 4364, http://tools.ietf.org/html/rfc4364#page-32). Please refer to the previous post, Inter-AS Options, for the definitions and differences of the three options.
In an Option B implementation, the ASBRs themselves are PE routers. They learn VPN-IPv4 routes from other PEs in the same AS via MP-iBGP (either directly or via route reflectors). The ASBR in one AS then has one or more eBGP sessions with the ASBR of the other AS to redistribute the VPN-IPv4 routes to that AS. The latter ASBR then redistributes those labeled VPN-IPv4 routes to the rest of the PEs in its own AS.
Topology
In this topology, we use Cisco IOS routers (R1 – R3) in AS100 and Juniper routers (R4 – R6) in AS200, to demonstrate configuration and verification on both platforms. Typically, for connectivity between ASes, one eBGP session between ASBRs is sufficient. In this example, however, we set up two eBGP sessions between ASBRs R3 and R4 to demonstrate VPN-based policy routing, by filtering routes based on VPN route targets. We would like to route traffic for VPN1 via the first connection, and VPN2 via the other.
Configuration
R3-ASBR#

    interface Loopback0
     description Management Loopback
     ip address 3.3.3.3 255.255.255.255
    !
    interface GigabitEthernet1.23
     description R3 -> R2-P
     encapsulation dot1Q 23
     ip address 20.2.3.3 255.255.255.0
     mpls ip
    !
    interface GigabitEthernet1.34
     description R3 -> R4 | First eBGP
     encapsulation dot1Q 34
     ip address 20.3.4.3 255.255.255.0
     mpls bgp forwarding
    !
    interface GigabitEthernet1.342
     description R3 -> R4 | Second eBGP
     encapsulation dot1Q 342
     ip address 20.3.42.3 255.255.255.0
     mpls bgp forwarding
    !
    ! Enable OSPF
    router ospf 1
     network 3.3.3.3 0.0.0.0 area 0
     network 20.2.3.3 0.0.0.0 area 0
    !
    ! Enable MP-iBGP to the other PE, and MP-eBGP to the other ASBR
    router bgp 100
     bgp log-neighbor-changes
     ! By default, a PE does not accept VPNv4 routes
     ! that do not belong to one of its VRFs.
     ! This command forces it to learn and propagate all routes to other PEs.
     no bgp default route-target filter
     neighbor 1.1.1.1 remote-as 100
     neighbor 1.1.1.1 update-source Loopback0
     neighbor 20.3.4.4 remote-as 200
     neighbor 20.3.42.4 remote-as 200
     !
     address-family ipv4
      no neighbor 1.1.1.1 activate
      no neighbor 20.3.4.4 activate
      no neighbor 20.3.42.4 activate
     exit-address-family
     !
     address-family vpnv4
      neighbor 1.1.1.1 activate
      neighbor 1.1.1.1 send-community extended
      neighbor 1.1.1.1 next-hop-self
      neighbor 20.3.4.4 activate
      neighbor 20.3.4.4 send-community extended
      neighbor 20.3.42.4 activate
      neighbor 20.3.42.4 send-community extended
     exit-address-family
    !
    ! Policy to only import and export VPN2 routes via the second eBGP connection.
    ! We could apply a similar policy on the first eBGP connection on R3,
    ! but for demonstration purposes we choose to apply that policy on R4 (Junos).
    ip extcommunity-list standard Community_VPN2 permit rt 100:2
    ip extcommunity-list standard Community_VPN2 permit rt 200:2
    !
    route-map VPN2-EXPORT-ONLY permit 10
     match extcommunity Community_VPN2
    !
    route-map VPN2-EXPORT-ONLY deny 1000
     description Deny all else
    !
    route-map VPN2-IMPORT-ONLY permit 10
     match extcommunity Community_VPN2
     set local-preference 200
    !
    route-map VPN2-IMPORT-ONLY deny 1000
     description Deny all else
    !
    router bgp 100
     address-family vpnv4
      neighbor 20.3.42.4 route-map VPN2-IMPORT-ONLY in
      neighbor 20.3.42.4 route-map VPN2-EXPORT-ONLY out
     exit-address-family

R4-ASBR#

    interfaces {
        ge-0/0/1 {
            vlan-tagging;
            unit 34 {
                description "R4 -> R3 | First eBGP";
                vlan-id 34;
                family inet {
                    address 20.3.4.4/24;
                }
                family mpls;
            }
            unit 45 {
                description "R4 -> R5";
                vlan-id 45;
                family inet {
                    address 20.4.5.4/24;
                }
                family mpls;
            }
            unit 342 {
                description "R4 -> R3 | Second eBGP";
                vlan-id 342;
                family inet {
                    address 20.3.42.4/24;
                }
                family mpls;
            }
        }
        lo0 {
            unit 0 {
                description "Management Loopback";
                family inet {
                    address 4.4.4.4/32;
                }
                family mpls;
            }
        }
    }
    routing-options {
        router-id 4.4.4.4;
        autonomous-system 200;
    }
    protocols {
        mpls {
            interface ge-0/0/1.45;
            interface ge-0/0/1.34;
            interface ge-0/0/1.342;
        }
        bgp {
            group IBGP {
                type internal;
                local-address 4.4.4.4;
                family inet-vpn {
                    unicast;
                }
                export next-hop-self;
                neighbor 6.6.6.6;
            }
            group EBGP1 {
                type external;
                description "L3VPN Inter-AS";
                import VPN1-IMPORT-ONLY;
                family inet-vpn {
                    unicast;
                }
                export VPN1-EXPORT-ONLY;
                neighbor 20.3.4.3 {
                    peer-as 100;
                }
            }
            group EBGP2 {
                type external;
                description "2nd L3VPN Inter-AS";
                family inet-vpn {
                    unicast;
                }
                neighbor 20.3.42.3 {
                    peer-as 100;
                }
            }
        }
        ospf {
            area 0.0.0.0 {
                interface ge-0/0/1.45;
                interface lo0.0;
            }
        }
        ldp {
            interface ge-0/0/1.45;
            interface lo0.0;
        }
    }
    policy-options {
        policy-statement VPN1-EXPORT-ONLY {
            term VPN1 {
                from community [ Community_100_1 Community_200_1 ];
                then accept;
            }
            term Reject-All {
                then reject;
            }
        }
        policy-statement VPN1-IMPORT-ONLY {
            term VPN1 {
                from community Community_100_1;
                then {
                    local-preference 200;
                    accept;
                }
            }
            term Reject-All {
                then reject;
            }
        }
        policy-statement next-hop-self {
            then {
                next-hop self;
            }
        }
        community Community_100_1 members target:100:1;
        community Community_100_2 members target:100:2;
        community Community_200_1 members target:200:1;
        community Community_200_2 members target:200:2;
    }

Other router configuration

R1-PE#

    !
    hostname R1-PE
    !
    ip vrf VPN1
     rd 1.1.1.1:1
     route-target export 100:1
     route-target import 100:1
     route-target import 200:1
    !
    ip vrf VPN2
     rd 1.1.1.1:2
     route-target export 100:2
     route-target import 100:2
     route-target import 200:2
    interface Loopback0
     ip address 1.1.1.1 255.255.255.255
    !
    interface Loopback1
     ip vrf forwarding VPN1
     ip address 10.1.1.1 255.255.255.0
    !
    interface Loopback2
     ip vrf forwarding VPN2
     ip address 10.1.2.1 255.255.255.0
    !
    interface GigabitEthernet1.12
     encapsulation dot1Q 12
     ip address 20.1.2.1 255.255.255.0
     mpls ip
    !
    router ospf 1
     network 1.1.1.1 0.0.0.0 area 0
     network 20.1.2.1 0.0.0.0 area 0
    !
    router bgp 100
     bgp log-neighbor-changes
     neighbor 3.3.3.3 remote-as 100
     neighbor 3.3.3.3 update-source Loopback0
     !
     address-family vpnv4
      neighbor 3.3.3.3 activate
      neighbor 3.3.3.3 send-community extended
     exit-address-family
     !
     address-family ipv4 vrf VPN1
      redistribute connected
     exit-address-family
     !
     address-family ipv4 vrf VPN2
      redistribute connected
     exit-address-family
    !

R2-P#

    interface Loopback0
     ip address 2.2.2.2 255.255.255.255
    !
    interface GigabitEthernet1.12
     encapsulation dot1Q 12
     ip address 20.1.2.2 255.255.255.0
     mpls ip
    !
    interface GigabitEthernet1.23
     encapsulation dot1Q 23
     ip address 20.2.3.2 255.255.255.0
     mpls ip
    !
    router ospf 1
     network 2.2.2.2 0.0.0.0 area 0
     network 20.1.2.2 0.0.0.0 area 0
     network 20.2.3.2 0.0.0.0 area 0

lab@R5-P> show configuration

    interfaces {
        ge-0/0/1 {
            vlan-tagging;
            unit 45 {
                vlan-id 45;
                family inet {
                    address 20.4.5.5/24;
                }
                family mpls;
            }
            unit 56 {
                vlan-id 56;
                family inet {
                    address 20.5.6.5/24;
                }
                family mpls;
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 5.5.5.5/32;
                }
                family mpls;
            }
        }
    }
    routing-options {
        router-id 5.5.5.5;
        autonomous-system 200;
    }
    protocols {
        mpls {
            interface ge-0/0/1.45;
            interface ge-0/0/1.56;
        }
        ospf {
            area 0.0.0.0 {
                interface lo0.0;
                interface ge-0/0/1.45;
                interface ge-0/0/1.56;
            }
        }
        ldp {
            interface ge-0/0/1.45;
            interface ge-0/0/1.56;
            interface lo0.0;
        }
    }

lab@R6-PE> show configuration

    interfaces {
        ge-0/0/1 {
            vlan-tagging;
            unit 56 {
                vlan-id 56;
                family inet {
                    address 20.5.6.6/24;
                }
                family mpls;
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 6.6.6.6/32;
                }
                family mpls;
            }
            unit 1 {
                family inet {
                    address 10.6.1.1/24;
                }
            }
            unit 2 {
                family inet {
                    address 10.6.2.1/24;
                }
            }
        }
    }
    routing-options {
        router-id 6.6.6.6;
        autonomous-system 200;
    }
    protocols {
        mpls {
            interface ge-0/0/1.56;
        }
        bgp {
            group IBGP {
                type internal;
                local-address 6.6.6.6;
                family inet-vpn {
                    unicast;
                }
                neighbor 4.4.4.4;
            }
        }
        ospf {
            area 0.0.0.0 {
                interface lo0.0;
                interface ge-0/0/1.56;
            }
        }
        ldp {
            interface ge-0/0/1.56;
            interface lo0.0;
        }
    }
    policy-options {
        policy-statement VPN1-EXPORT {
            then {
                community add Community_200_1;
                accept;
            }
        }
        policy-statement VPN1-IMPORT {
            term Import {
                from community [ Community_200_1 Community_100_1 ];
                then accept;
            }
        }
        policy-statement VPN2-EXPORT {
            then {
                community add Community_200_2;
                accept;
            }
        }
        policy-statement VPN2-IMPORT {
            term Import {
                from community [ Community_200_2 Community_100_2 ];
                then accept;
            }
        }
        community Community_100_1 members target:100:1;
        community Community_100_2 members target:100:2;
        community Community_200_1 members target:200:1;
        community Community_200_2 members target:200:2;
    }
    routing-instances {
        VPN1 {
            instance-type vrf;
            interface lo0.1;
            route-distinguisher 6.6.6.6:1;
            vrf-import VPN1-IMPORT;
            vrf-export VPN1-EXPORT;
        }
        VPN2 {
            instance-type vrf;
            interface lo0.2;
            route-distinguisher 6.6.6.6:2;
            vrf-import VPN2-IMPORT;
            vrf-export VPN2-EXPORT;
        }
    }
Verification
    R3-ASBR#show ip bgp vpnv4 all
    BGP table version is 31, local router ID is 3.3.3.3
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found

         Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 1.1.1.1:1
     *>i 10.1.1.0/24      1.1.1.1                  0    100      0 ?
    Route Distinguisher: 1.1.1.1:2
     *>i 10.1.2.0/24      1.1.1.1                  0    100      0 ?
    Route Distinguisher: 6.6.6.6:1
     *>  10.6.1.0/24      20.3.4.4                               0 200 i
     *>  10.6.1.1/32      20.3.4.4                               0 200 i
    Route Distinguisher: 6.6.6.6:2
     *>  10.6.2.0/24      20.3.42.4                     200      0 200 i
     *>  10.6.2.1/32      20.3.42.4                     200      0 200 i

    R3-ASBR#show mpls forwarding-table
    Local      Outgoing   Prefix                  Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id            Switched      interface
    16         Pop Label  20.3.4.4/32             0             Gi1.34     20.3.4.4
    17         Pop Label  20.3.42.4/32            0             Gi1.342    20.3.42.4
    18         Pop Label  2.2.2.2/32              0             Gi1.23     20.2.3.2
    19         Pop Label  20.1.2.0/24             0             Gi1.23     20.2.3.2
    20         16         1.1.1.1/32              0             Gi1.23     20.2.3.2
    27         300976     6.6.6.6:1:10.6.1.0/24   \
                                                  0             Gi1.34     20.3.4.4
    28         300992     6.6.6.6:1:10.6.1.1/32   \
                                                  0             Gi1.34     20.3.4.4
    29         301008     6.6.6.6:2:10.6.2.0/24   \
                                                  0             Gi1.342    20.3.42.4
    30         301024     6.6.6.6:2:10.6.2.1/32   \
                                                  0             Gi1.342    20.3.42.4
    31         18         1.1.1.1:1:10.1.1.0/24   \
                                                  0             Gi1.23     20.2.3.2
    32         19         1.1.1.1:2:10.1.2.0/24   \
                                                  0             Gi1.23     20.2.3.2

    lab@R4-ASBR> show route

    inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
    ...

    inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    5.5.5.5/32         *[LDP/9] 02:27:16, metric 1
                        > to 20.4.5.5 via ge-0/0/1.45
    6.6.6.6/32         *[LDP/9] 02:27:16, metric 1
                        > to 20.4.5.5 via ge-0/0/1.45, Push 301040

    mpls.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0                  *[MPLS/0] 06:09:45, metric 1
                          Receive
    1                  *[MPLS/0] 06:09:45, metric 1
                          Receive
    2                  *[MPLS/0] 06:09:45, metric 1
                          Receive
    13                 *[MPLS/0] 06:09:45, metric 1
                          Receive
    300944             *[LDP/9] 02:27:16, metric 1
                        > to 20.4.5.5 via ge-0/0/1.45, Pop
    300944(S=0)        *[LDP/9] 02:27:16, metric 1
                        > to 20.4.5.5 via ge-0/0/1.45, Pop
    300960             *[LDP/9] 02:27:16, metric 1
                        > to 20.4.5.5 via ge-0/0/1.45, Swap 301040
    300976             *[VPN/170] 02:27:08, metric2 1, from 6.6.6.6
                        > to 20.4.5.5 via ge-0/0/1.45, Swap 300080, Push 301040(top)
    300992             *[VPN/170] 02:27:08, metric2 1, from 6.6.6.6
                        > to 20.4.5.5 via ge-0/0/1.45, Swap 300096, Push 301040(top)
    301008             *[VPN/170] 02:27:08, metric2 1, from 6.6.6.6
                        > to 20.4.5.5 via ge-0/0/1.45, Swap 300112, Push 301040(top)
    301024             *[VPN/170] 02:27:08, metric2 1, from 6.6.6.6
                        > to 20.4.5.5 via ge-0/0/1.45, Swap 300128, Push 301040(top)
    301040             *[VPN/170] 02:26:38
                        > to 20.3.4.3 via ge-0/0/1.34, Swap 31
    301056             *[VPN/170] 02:26:38
                        > to 20.3.42.3 via ge-0/0/1.342, Swap 32

    bgp.l3vpn.0: 6 destinations, 7 routes (6 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both

    1.1.1.1:1:10.1.1.0/24
                       *[BGP/170] 02:26:38, localpref 200
                          AS path: 100 ?
                        > to 20.3.4.3 via ge-0/0/1.34, Push 31
    1.1.1.1:2:10.1.2.0/24
                       *[BGP/170] 02:26:38, localpref 100
                          AS path: 100 ?
                        > to 20.3.42.3 via ge-0/0/1.342, Push 32
    6.6.6.6:1:10.6.1.0/24
                       *[BGP/170] 02:27:08, localpref 100, from 6.6.6.6
                          AS path: I
                        > to 20.4.5.5 via ge-0/0/1.45, Push 300080, Push 301040(top)
    6.6.6.6:1:10.6.1.1/32
                       *[BGP/170] 02:27:08, localpref 100, from 6.6.6.6
                          AS path: I
                        > to 20.4.5.5 via ge-0/0/1.45, Push 300096, Push 301040(top)
    6.6.6.6:2:10.6.2.0/24
                       *[BGP/170] 02:27:08, localpref 100, from 6.6.6.6
                          AS path: I
                        > to 20.4.5.5 via ge-0/0/1.45, Push 300112, Push 301040(top)
    6.6.6.6:2:10.6.2.1/32
                       *[BGP/170] 02:27:08, localpref 100, from 6.6.6.6
                          AS path: I
                        > to 20.4.5.5 via ge-0/0/1.45, Push 300128, Push 301040(top)

Verification on PE routers

    R1-PE#sh ip route vrf VPN1
          10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
    C        10.1.1.0/24 is directly connected, Loopback1
    L        10.1.1.1/32 is directly connected, Loopback1
    B        10.6.1.0/24 [200/0] via 3.3.3.3, 02:30:47
    B        10.6.1.1/32 [200/0] via 3.3.3.3, 02:30:47

    R1-PE#sh ip bgp vpnv4 vrf VPN1 10.6.1.0/24
    BGP routing table entry for 1.1.1.1:1:10.6.1.0/24, version 20
    Paths: (1 available, best #1, table VPN1)
      Not advertised to any peer
      Refresh Epoch 1
      200, imported path from 6.6.6.6:1:10.6.1.0/24 (global)
        3.3.3.3 (metric 3) from 3.3.3.3 (3.3.3.3)
          Origin IGP, metric 0, localpref 100, valid, internal, best
          Extended Community: RT:200:1
          mpls labels in/out nolabel/27
          rx pathid: 0, tx pathid: 0x0

    lab@R6-PE> show route

    inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
    ...

    inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    4.4.4.4/32         *[LDP/9] 02:33:44, metric 1
                        > to 20.5.6.5 via ge-0/0/1.56, Push 301056
    5.5.5.5/32         *[LDP/9] 02:33:46, metric 1
                        > to 20.5.6.5 via ge-0/0/1.56

    VPN1.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.1.1.0/24        *[BGP/170] 02:33:06, localpref 200, from 4.4.4.4
                          AS path: 100 ?
                        > to 20.5.6.5 via ge-0/0/1.56, Push 301040, Push 301056(top)
    10.6.1.0/24        *[Direct/0] 03:58:06
                        > via lo0.1
    10.6.1.1/32        *[Local/0] 03:58:06
                          Local via lo0.1

    VPN2.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.1.2.0/24        *[BGP/170] 02:33:06, localpref 100, from 4.4.4.4
                          AS path: 100 ?
                        > to 20.5.6.5 via ge-0/0/1.56, Push 301056, Push 301056(top)
    10.6.2.0/24        *[Direct/0] 03:58:06
                        > via lo0.2
    10.6.2.1/32        *[Local/0] 03:58:06
                          Local via lo0.2

    mpls.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0                  *[MPLS/0] 04:35:27, metric 1
                          Receive
    1                  *[MPLS/0] 04:35:27, metric 1
                          Receive
    2                  *[MPLS/0] 04:35:27, metric 1
                          Receive
    13                 *[MPLS/0] 04:35:27, metric 1
                          Receive
    300048             *[LDP/9] 02:33:46, metric 1
                        > to 20.5.6.5 via ge-0/0/1.56, Pop
    300048(S=0)        *[LDP/9] 02:33:46, metric 1
                        > to 20.5.6.5 via ge-0/0/1.56, Pop
    300064             *[LDP/9] 02:33:44, metric 1
                        > to 20.5.6.5 via ge-0/0/1.56, Swap 301056
    300080             *[VPN/170] 02:33:36
                          receive table VPN1.inet.0, Pop
    300096             *[VPN/170] 02:33:36
                          receive table VPN1.inet.0, Pop
    300112             *[VPN/170] 02:33:36
                          receive table VPN2.inet.0, Pop
    300128             *[VPN/170] 02:33:36
                          receive table VPN2.inet.0, Pop

    bgp.l3vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    1.1.1.1:1:10.1.1.0/24
                       *[BGP/170] 02:33:06, localpref 200, from 4.4.4.4
                          AS path: 100 ?
                        > to 20.5.6.5 via ge-0/0/1.56, Push 301040, Push 301056(top)
    1.1.1.1:2:10.1.2.0/24
                       *[BGP/170] 02:33:06, localpref 100, from 4.4.4.4
                          AS path: 100 ?
                        > to 20.5.6.5 via ge-0/0/1.56, Push 301056, Push 301056(top)
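
The split of route-target filtering between R3 and R4 can be checked by modeling both ASBRs' eBGP policies and evaluating a route's targets against them. The Python sketch below is an added example, not part of the original post: the policy tables are transcribed from the configurations above, the function names are hypothetical, the session names follow R4's group names (EBGP1 is the 20.3.4.x link, EBGP2 the 20.3.42.x link), and 100 is assumed as the local preference of a route that no policy modifies.

```python
# Added example: models the eBGP route-target policies from the R3 (IOS) and
# R4 (Junos) configs on this page. A policy is an ordered list of
# (matched_rts, permit, local_pref) terms; None means "no policy applied".
VPN1 = {"100:1", "200:1"}
VPN2 = {"100:2", "200:2"}
ANY = None                      # term with no match condition (catch-all)
DEFAULT_LP = 100                # assumption: local-pref when no policy sets it

POLICY = {
    ("R3", "EBGP1", "out"): None,
    ("R3", "EBGP1", "in"):  None,
    ("R3", "EBGP2", "out"): [(VPN2, True, None), (ANY, False, None)],
    ("R3", "EBGP2", "in"):  [(VPN2, True, 200), (ANY, False, None)],
    ("R4", "EBGP1", "out"): [(VPN1, True, None), (ANY, False, None)],
    ("R4", "EBGP1", "in"):  [({"100:1"}, True, 200), (ANY, False, None)],
    ("R4", "EBGP2", "out"): None,
    ("R4", "EBGP2", "in"):  None,
}


def evaluate(policy, rts):
    """First-match evaluation. Returns (accepted, local_pref)."""
    if policy is None:
        return True, DEFAULT_LP
    for match, permit, lpref in policy:
        if match is ANY or rts & match:
            return permit, (lpref or DEFAULT_LP) if permit else None
    return False, None          # nothing matched: treated as a deny


def advertise(rts, sender, session):
    """Outcome of one ASBR advertising a route carrying `rts` to the other."""
    receiver = "R4" if sender == "R3" else "R3"
    sent, _ = evaluate(POLICY[(sender, session, "out")], set(rts))
    if not sent:
        return "not sent"
    ok, lpref = evaluate(POLICY[(receiver, session, "in")], set(rts))
    return f"accepted lp={lpref}" if ok else "rejected on import"


if __name__ == "__main__":
    for sender, rts in [("R3", ["100:1"]), ("R3", ["100:2"]),
                        ("R4", ["200:1"]), ("R4", ["200:2"]),
                        ("R3", ["100:1", "100:2"])]:  # constructed: both RTs
        for session in ("EBGP1", "EBGP2"):
            print(sender, rts, session, "->", advertise(rts, sender, session))
```

The "rejected on import" result for rt 100:2 on EBGP1 is consistent with the single hidden route in R4's bgp.l3vpn.0 table, and it shows that each session is filtered on one side only. The constructed route carrying both 100:1 and 100:2 is accepted on both sessions, so the separation depends on each VRF exporting exactly one of these targets.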