In this post, we are going to go through the implementation and verification steps of Inter-AS Option B (defined in RFC4364 http://tools.ietf.org/html/rfc4364#page-32 ). Please refer to previous post Inter-AS Options to for the definitions, and differences of the three.
In option B implementation, ASBRs themselves are PE routers. They learn VPN-IPv4 routes from other PEs from the same AS via MP-iBGP (either directly or via Route Reflectors). The ASBR from one AS then have an eBGP session(s) with other AS ASBR to redistribute the VPN-IPv4 routes to the other AS. The later ASBR then redistributes those VPN-IPv4 labeled routes to the rest of the PEs belonging to that AS.
Topology
In this topology, we use Cisco IOS routers (R1 – R3) in AS100, as well as Juniper routers (R4 – R6) in AS200, just for demonstration of configuration and verification on both platforms. Typically for connectivity beween ASes, one eBGP session between ASBRs is sufficient. In this example, however, we set up two eBGP sessions between ASBR R3 and R4 to demonstrate VPN-based policy routing, by route filtering based on VPN route targets. We would like to route traffic for VPN1 via the first connection, and VPN2 via the other.
Configuration
R3-ASBR#
interface Loopback0
description Management Loopback
ip address 3.3.3.3 255.255.255.255
!
interface GigabitEthernet1.23
description R3 -> R2-P
encapsulation dot1Q 23
ip address 20.2.3.3 255.255.255.0
mpls ip
!
interface GigabitEthernet1.34
description R3 -> R4 | First eBGP
encapsulation dot1Q 34
ip address 20.3.4.3 255.255.255.0
mpls bgp forwarding
!
interface GigabitEthernet1.342
description R3 -> R4 | Second eBGP
encapsulation dot1Q 342
ip address 20.3.42.3 255.255.255.0
mpls bgp forwarding
! Enable OSPF
router ospf 1
network 3.3.3.3 0.0.0.0 area 0
network 20.2.3.3 0.0.0.0 area 0
!
! Enable MP-iBGP to other PE, and MP-eBGP to other ASBR
router bgp 100
bgp log-neighbor-changes
! By default, PE do not accept VPNv4 routes
! that do not belong to one of its VRF
! This command force it to learn & propagate all routes to other PEs.
no bgp default route-target filter
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source Loopback0
neighbor 20.3.4.4 remote-as 200
neighbor 20.3.42.4 remote-as 200
!
address-family ipv4
no neighbor 1.1.1.1 activate
no neighbor 20.3.4.4 activate
no neighbor 20.3.42.4 activate
exit-address-family
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
neighbor 1.1.1.1 next-hop-self
neighbor 20.3.4.4 activate
neighbor 20.3.4.4 send-community extended
neighbor 20.3.42.4 activate
neighbor 20.3.42.4 send-community extended
exit-address-family
! Policy to only import and export VPN2 routes via the second eBGP connection
! We can apply a similar policy on the first eBGP connection on R3
! But for demonstration purpose, we choose to apply that policy on R4 (Junos)
ip extcommunity-list standard Community_VPN2 permit rt 100:2
ip extcommunity-list standard Community_VPN2 permit rt 200:2
!
route-map VPN2-EXPORT-ONLY permit 10
match extcommunity Community_VPN2
!
route-map VPN2-EXPORT-ONLY deny 1000
description Deny all else
!
route-map VPN2-IMPORT-ONLY permit 10
match extcommunity Community_VPN2
set local-preference 200
!
route-map VPN2-IMPORT-ONLY deny 1000
description Deny all else
!
router bgp 100
address-family vpnv4
neighbor 20.3.42.4 route-map VPN2-IMPORT-ONLY in
neighbor 20.3.42.4 route-map VPN2-EXPORT-ONLY out
exit-address-family
R4-ASBR#
interfaces {
ge-0/0/1 {
vlan-tagging;
unit 34 {
description "R4 -> R3 | First eBGP";
vlan-id 34;
family inet {
address 20.3.4.4/24;
}
family mpls;
}
unit 45 {
description "R4 -> R5";
vlan-id 45;
family inet {
address 20.4.5.4/24;
}
family mpls;
}
unit 342 {
description "R4 -> R3 | Second eBGP";
vlan-id 342;
family inet {
address 20.3.42.4/24;
}
family mpls;
}
}
lo0 {
unit 0 {
description "Management Loopback";
family inet {
address 4.4.4.4/32;
}
family mpls;
}
}
}
routing-options {
router-id 4.4.4.4;
autonomous-system 200;
}
protocols {
mpls {
interface ge-0/0/1.45;
interface ge-0/0/1.34;
interface ge-0/0/1.342;
}
bgp {
group IBGP {
type internal;
local-address 4.4.4.4;
family inet-vpn {
unicast;
}
export next-hop-self;
neighbor 6.6.6.6;
}
group EBGP1 {
type external;
description "L3VPN Inter-AS";
import VPN1-IMPORT-ONLY;
family inet-vpn {
unicast;
}
export VPN1-EXPORT-ONLY;
neighbor 20.3.4.3 {
peer-as 100;
}
}
group EBGP2 {
type external;
description "2nd L3VPN Inter-AS";
family inet-vpn {
unicast;
}
neighbor 20.3.42.3 {
peer-as 100;
}
}
}
ospf {
area 0.0.0.0 {
interface ge-0/0/1.45;
interface lo0.0;
}
}
ldp {
interface ge-0/0/1.45;
interface lo0.0;
}
}
policy-options {
policy-statement VPN1-EXPORT-ONLY {
term VPN1 {
from community [ Community_100_1 Community_200_1 ];
then accept;
}
term Reject-All {
then reject;
}
}
policy-statement VPN1-IMPORT-ONLY {
term VPN1 {
from community Community_100_1;
then {
local-preference 200;
accept;
}
}
term Reject-All {
then reject;
}
}
policy-statement next-hop-self {
then {
next-hop self;
}
}
community Community_100_1 members target:100:1;
community Community_100_2 members target:100:2;
community Community_200_1 members target:200:1;
community Community_200_2 members target:200:2;
}
/// Other router configuration
R1-PE#
!
hostname R1-PE
!
ip vrf VPN1
rd 1.1.1.1:1
route-target export 100:1
route-target import 100:1
route-target import 200:1
!
ip vrf VPN2
rd 1.1.1.1:2
route-target export 100:2
route-target import 100:2
route-target import 200:2
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
ip vrf forwarding VPN1
ip address 10.1.1.1 255.255.255.0
!
interface Loopback2
ip vrf forwarding VPN2
ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet1.12
encapsulation dot1Q 12
ip address 20.1.2.1 255.255.255.0
mpls ip
!
router ospf 1
network 1.1.1.1 0.0.0.0 area 0
network 20.1.2.1 0.0.0.0 area 0
!
router bgp 100
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback0
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf VPN1
redistribute connected
exit-address-family
!
address-family ipv4 vrf VPN2
redistribute connected
exit-address-family
!
R2-P#
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet1.12
encapsulation dot1Q 12
ip address 20.1.2.2 255.255.255.0
mpls ip
!
interface GigabitEthernet1.23
encapsulation dot1Q 23
ip address 20.2.3.2 255.255.255.0
mpls ip
!
router ospf 1
network 2.2.2.2 0.0.0.0 area 0
network 20.1.2.2 0.0.0.0 area 0
network 20.2.3.2 0.0.0.0 area 0
lab@R5-P> show configuration
interfaces {
ge-0/0/1 {
vlan-tagging;
unit 45 {
vlan-id 45;
family inet {
address 20.4.5.5/24;
}
family mpls;
}
unit 56 {
vlan-id 56;
family inet {
address 20.5.6.5/24;
}
family mpls;
}
}
lo0 {
unit 0 {
family inet {
address 5.5.5.5/32;
}
family mpls;
}
}
}
routing-options {
router-id 5.5.5.5;
autonomous-system 200;
}
protocols {
mpls {
interface ge-0/0/1.45;
interface ge-0/0/1.56;
}
ospf {
area 0.0.0.0 {
interface lo0.0;
interface ge-0/0/1.45;
interface ge-0/0/1.56;
}
}
ldp {
interface ge-0/0/1.45;
interface ge-0/0/1.56;
interface lo0.0;
}
}
lab@R6-PE> show configuration
interfaces {
ge-0/0/1 {
vlan-tagging;
unit 56 {
vlan-id 56;
family inet {
address 20.5.6.6/24;
}
family mpls;
}
}
lo0 {
unit 0 {
family inet {
address 6.6.6.6/32;
}
family mpls;
}
unit 1 {
family inet {
address 10.6.1.1/24;
}
}
unit 2 {
family inet {
address 10.6.2.1/24;
}
}
}
}
routing-options {
router-id 6.6.6.6;
autonomous-system 200;
}
protocols {
mpls {
interface ge-0/0/1.56;
}
bgp {
group IBGP {
type internal;
local-address 6.6.6.6;
family inet-vpn {
unicast;
}
neighbor 4.4.4.4;
}
}
ospf {
area 0.0.0.0 {
interface lo0.0;
interface ge-0/0/1.56;
}
}
ldp {
interface ge-0/0/1.56;
interface lo0.0;
}
}
policy-options {
policy-statement VPN1-EXPORT {
then {
community add Community_200_1;
accept;
}
}
policy-statement VPN1-IMPORT {
term Import {
from community [ Community_200_1 Community_100_1 ];
then accept;
}
}
policy-statement VPN2-EXPORT {
then {
community add Community_200_2;
accept;
}
}
policy-statement VPN2-IMPORT {
term Import {
from community [ Community_200_2 Community_100_2 ];
then accept;
}
}
community Community_100_1 members target:100:1;
community Community_100_2 members target:100:2;
community Community_200_1 members target:200:1;
community Community_200_2 members target:200:2;
}
routing-instances {
VPN1 {
instance-type vrf;
interface lo0.1;
route-distinguisher 6.6.6.6:1;
vrf-import VPN1-IMPORT;
vrf-export VPN1-EXPORT;
}
VPN2 {
instance-type vrf;
interface lo0.2;
route-distinguisher 6.6.6.6:2;
vrf-import VPN2-IMPORT;
vrf-export VPN2-EXPORT;
}
}
Verification
R3-ASBR#show ip bgp vpnv4 all
BGP table version is 31, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1.1.1.1:1
*>i 10.1.1.0/24 1.1.1.1 0 100 0 ?
Route Distinguisher: 1.1.1.1:2
*>i 10.1.2.0/24 1.1.1.1 0 100 0 ?
Route Distinguisher: 6.6.6.6:1
*> 10.6.1.0/24 20.3.4.4 0 200 i
*> 10.6.1.1/32 20.3.4.4 0 200 i
Route Distinguisher: 6.6.6.6:2
*> 10.6.2.0/24 20.3.42.4 200 0 200 i
*> 10.6.2.1/32 20.3.42.4 200 0 200 i
R3-ASBR#show mpls forwarding-table
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
16 Pop Label 20.3.4.4/32 0 Gi1.34 20.3.4.4
17 Pop Label 20.3.42.4/32 0 Gi1.342 20.3.42.4
18 Pop Label 2.2.2.2/32 0 Gi1.23 20.2.3.2
19 Pop Label 20.1.2.0/24 0 Gi1.23 20.2.3.2
20 16 1.1.1.1/32 0 Gi1.23 20.2.3.2
27 300976 6.6.6.6:1:10.6.1.0/24 \
0 Gi1.34 20.3.4.4
28 300992 6.6.6.6:1:10.6.1.1/32 \
0 Gi1.34 20.3.4.4
29 301008 6.6.6.6:2:10.6.2.0/24 \
0 Gi1.342 20.3.42.4
30 301024 6.6.6.6:2:10.6.2.1/32 \
0 Gi1.342 20.3.42.4
31 18 1.1.1.1:1:10.1.1.0/24 \
0 Gi1.23 20.2.3.2
32 19 1.1.1.1:2:10.1.2.0/24 \
0 Gi1.23 20.2.3.2
lab@R4-ASBR> show route
inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
...
inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
5.5.5.5/32 *[LDP/9] 02:27:16, metric 1
> to 20.4.5.5 via ge-0/0/1.45
6.6.6.6/32 *[LDP/9] 02:27:16, metric 1
> to 20.4.5.5 via ge-0/0/1.45, Push 301040
mpls.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0 *[MPLS/0] 06:09:45, metric 1
Receive
1 *[MPLS/0] 06:09:45, metric 1
Receive
2 *[MPLS/0] 06:09:45, metric 1
Receive
13 *[MPLS/0] 06:09:45, metric 1
Receive
300944 *[LDP/9] 02:27:16, metric 1
> to 20.4.5.5 via ge-0/0/1.45, Pop
300944(S=0) *[LDP/9] 02:27:16, metric 1
> to 20.4.5.5 via ge-0/0/1.45, Pop
300960 *[LDP/9] 02:27:16, metric 1
> to 20.4.5.5 via ge-0/0/1.45, Swap 301040
300976 *[VPN/170] 02:27:08, metric2 1, from 6.6.6.6
> to 20.4.5.5 via ge-0/0/1.45, Swap 300080, Push 301040(top)
300992 *[VPN/170] 02:27:08, metric2 1, from 6.6.6.6
> to 20.4.5.5 via ge-0/0/1.45, Swap 300096, Push 301040(top)
301008 *[VPN/170] 02:27:08, metric2 1, from 6.6.6.6
> to 20.4.5.5 via ge-0/0/1.45, Swap 300112, Push 301040(top)
301024 *[VPN/170] 02:27:08, metric2 1, from 6.6.6.6
> to 20.4.5.5 via ge-0/0/1.45, Swap 300128, Push 301040(top)
301040 *[VPN/170] 02:26:38
> to 20.3.4.3 via ge-0/0/1.34, Swap 31
301056 *[VPN/170] 02:26:38
> to 20.3.42.3 via ge-0/0/1.342, Swap 32
bgp.l3vpn.0: 6 destinations, 7 routes (6 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
1.1.1.1:1:10.1.1.0/24
*[BGP/170] 02:26:38, localpref 200
AS path: 100 ?
> to 20.3.4.3 via ge-0/0/1.34, Push 31
1.1.1.1:2:10.1.2.0/24
*[BGP/170] 02:26:38, localpref 100
AS path: 100 ?
> to 20.3.42.3 via ge-0/0/1.342, Push 32
6.6.6.6:1:10.6.1.0/24
*[BGP/170] 02:27:08, localpref 100, from 6.6.6.6
AS path: I
> to 20.4.5.5 via ge-0/0/1.45, Push 300080, Push 301040(top)
6.6.6.6:1:10.6.1.1/32
*[BGP/170] 02:27:08, localpref 100, from 6.6.6.6
AS path: I
> to 20.4.5.5 via ge-0/0/1.45, Push 300096, Push 301040(top)
6.6.6.6:2:10.6.2.0/24
*[BGP/170] 02:27:08, localpref 100, from 6.6.6.6
AS path: I
> to 20.4.5.5 via ge-0/0/1.45, Push 300112, Push 301040(top)
6.6.6.6:2:10.6.2.1/32
*[BGP/170] 02:27:08, localpref 100, from 6.6.6.6
AS path: I
> to 20.4.5.5 via ge-0/0/1.45, Push 300128, Push 301040(top)
Verification on PE routers
R1-PE#sh ip route vrf VPN1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.1.1.0/24 is directly connected, Loopback1
L 10.1.1.1/32 is directly connected, Loopback1
B 10.6.1.0/24 [200/0] via 3.3.3.3, 02:30:47
B 10.6.1.1/32 [200/0] via 3.3.3.3, 02:30:47
R1-PE#sh ip bgp vpnv4 vrf VPN1 10.6.1.0/24
BGP routing table entry for 1.1.1.1:1:10.6.1.0/24, version 20
Paths: (1 available, best #1, table VPN1)
Not advertised to any peer
Refresh Epoch 1
200, imported path from 6.6.6.6:1:10.6.1.0/24 (global)
3.3.3.3 (metric 3) from 3.3.3.3 (3.3.3.3)
Origin IGP, metric 0, localpref 100, valid, internal, best
Extended Community: RT:200:1
mpls labels in/out nolabel/27
rx pathid: 0, tx pathid: 0x0
lab@R6-PE> show route
inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
...
inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
4.4.4.4/32 *[LDP/9] 02:33:44, metric 1
> to 20.5.6.5 via ge-0/0/1.56, Push 301056
5.5.5.5/32 *[LDP/9] 02:33:46, metric 1
> to 20.5.6.5 via ge-0/0/1.56
VPN1.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.1.1.0/24 *[BGP/170] 02:33:06, localpref 200, from 4.4.4.4
AS path: 100 ?
> to 20.5.6.5 via ge-0/0/1.56, Push 301040, Push 301056(top)
10.6.1.0/24 *[Direct/0] 03:58:06
> via lo0.1
10.6.1.1/32 *[Local/0] 03:58:06
Local via lo0.1
VPN2.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.1.2.0/24 *[BGP/170] 02:33:06, localpref 100, from 4.4.4.4
AS path: 100 ?
> to 20.5.6.5 via ge-0/0/1.56, Push 301056, Push 301056(top)
10.6.2.0/24 *[Direct/0] 03:58:06
> via lo0.2
10.6.2.1/32 *[Local/0] 03:58:06
Local via lo0.2
mpls.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0 *[MPLS/0] 04:35:27, metric 1
Receive
1 *[MPLS/0] 04:35:27, metric 1
Receive
2 *[MPLS/0] 04:35:27, metric 1
Receive
13 *[MPLS/0] 04:35:27, metric 1
Receive
300048 *[LDP/9] 02:33:46, metric 1
> to 20.5.6.5 via ge-0/0/1.56, Pop
300048(S=0) *[LDP/9] 02:33:46, metric 1
> to 20.5.6.5 via ge-0/0/1.56, Pop
300064 *[LDP/9] 02:33:44, metric 1
> to 20.5.6.5 via ge-0/0/1.56, Swap 301056
300080 *[VPN/170] 02:33:36
receive table VPN1.inet.0, Pop
300096 *[VPN/170] 02:33:36
receive table VPN1.inet.0, Pop
300112 *[VPN/170] 02:33:36
receive table VPN2.inet.0, Pop
300128 *[VPN/170] 02:33:36
receive table VPN2.inet.0, Pop
bgp.l3vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1.1.1.1:1:10.1.1.0/24
*[BGP/170] 02:33:06, localpref 200, from 4.4.4.4
AS path: 100 ?
> to 20.5.6.5 via ge-0/0/1.56, Push 301040, Push 301056(top)
1.1.1.1:2:10.1.2.0/24
*[BGP/170] 02:33:06, localpref 100, from 4.4.4.4
AS path: 100 ?
> to 20.5.6.5 via ge-0/0/1.56, Push 301056, Push 301056(top)
Packet Corner 