CCIE in 2 months - Is it possible?: IOS-XR

Showing posts with label IOS-XR. Show all posts

Thursday, February 6, 2014

NTS: VRF

VRF

VRF Basic Configuration

IOS
ip vrf VPN-A
rd 100:1
route-target export 100:1
route-target import 100:1
!
vrf definition VPN-B
rd 100:2
address-family ipv4
route-target export 100:2
route-target import 100:2
exit-address-family
address-family ipv6
route-target export 100:2
route-target import 100:2
exit-address-family

IOS-XR
vrf VPN-C
address-family ipv4 unicast
import route-target
   100:3
export route-target
   100:3
address-family ipv6 unicast
import route-target
   100:3
export route-target
   100:3
!
router bgp 100
vrf VPN-C
rd 100:3

Prefer to use the "vrf definition" command to configure VRFs. Always include an address-family, most probably the ipv4 one.

You can have different import/export RTs per address family. If you have common ones, then you can define them directly under the vrf definition.

IOS-XR requires the VRF RD config under the BGP process.

You can use the "rd auto" command in IOS -XR in order to automatically create unique RDs per VRF.

IOS-XR
router bgp 100
vrf VPN
rd auto

If you don't define any export RTs for a VRF on the local PE, then the prefixes will by default get dropped when they are transferred to the remote PE.

You can view all routing tables (global and VRF ones) by using the command "sh ip route vrf *".

On a router that acts as a default gateway, the following can be configured if the next-hop is in the global routing table and you want to have the static route inside the VRF but pointing to the global routing table.

IOS
ip route vrf VPN 0.0.0.0 0.0.0.0 1.1.1.1 global

You can change the default label allocation (if you want to decrease label usage) for all VRFs or a specific VRF using the following command:

IOS
R1(config)#mpls label mode vrf VPN protocol bgp-vpnv4 ?
per-prefix     Per prefix label (default)
per-vrf        Per VRF label for entire VRF
vrf-conn-aggr Per VRF label for connected and BGP aggregates in VRF

Export RT per Prefix

You can use an export map in order to set different export RTs per prefix.

IOS
vrf definition VPN-A
rd 100:1
!
address-family ipv4
export map R1-MAP
exit-address-family
!
route-map R1-MAP permit 10
match ip address R1-ACL
set extcommunity rt 2.2.2.2:11 2.2.2.2:111
!
ip access-list standard R1-ACL
permit 1.1.1.1
!

IOS-XR
vrf VPN-A
address-family ipv4 unicast
export route-policy R1-RPOLICY
!
route-policy R1-RPOLICY
if destination in (1.1.1.1/32) then
set extcommunity rt (2.2.2.2:11, 2.2.2.2:111)
endif
end-policy

In the IOS-XR route-policy you must use destination in order to match the required prefix. Also you can use parenthesis whenever you need to group parameters, like the multiple RTs.

If you initially have no export RTs and later decide to add some through an export map, then you must reset the VPNv4 BGP sessions in order to have the BGP routes get the new RTs immediately.

Import global routes into VRF

You have the option of importing various global routes into a specific VRF, while at the same time limiting the number of them.

IOS
vrf definition VPN_A
rd 100:1
route-target export 100:1
route-target import 100:1
!
address-family ipv4
import ipv4 unicast 5 map GLOBAL-TABLE-ROUTEMAP
exit-address-family
!
route-map GLOBAL-TABLE-ROUTEMAP permit 10
match ip address prefix-list PREFIX-LIST
!
ip prefix-list PREFIX-LIST seq 5 permit 4.4.4.4/32
match ip address prefix-list PREFIX-LIST

IOS
R2#sh bgp vpnv4 unicast all
BGP table version is 8, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf VPN_A)
Import Map: GLOBAL-TABLE-ROUTEMAP, Address-Family: IPv4 Unicast, Pfx Count/Limit: 1/5
*> 1.1.1.1/32       10.1.2.1                 0         32768 i
*> 4.4.4.4/32       20.2.4.4                10         32768 i
*> 10.1.2.0/24      0.0.0.0                  0         32768 i
*>i10.19.20.0/24    19.19.19.19              0    100      0 i
*>i20.20.20.20/32   19.19.19.19              0    100      0 i

R2#sh bgp vpnv4 unicast all 4.4.4.4/32
BGP routing table entry for 100:1:4.4.4.4/32, version 8
Paths: (1 available, best #1, table VPN_A)
Not advertised to any peer
Local, imported path from 4.4.4.4/32
    20.2.4.4 from 0.0.0.0 (2.2.2.2)
      Origin IGP, metric 10, localpref 100, weight 32768, valid, external, no-import, best

The global route to be imported must exist in the global BGP table (existence in RIB doesn't matter).

No RTs or other attributes will be assigned to the imported prefixes. Use the route-map set commands to configure those.

In latest IOS releases (>15.x) you have to option of doing the opposite too, export prefixes from a VRF into the global BGP table.

The commands "import/export map" (which are different from the above) are used to filter the VRF <=> MP-BGP prefixes, while the commands "import/export ipv4 unicast" are used to leak routes between the VRF and the global BGP table.

Inbound VPN Prefix Filtering due to RTs

In VPNv4/v6 BGP setups, all BGP VPN prefixes are checked against the local RT import policies and if there is no match found, then the prefix is discarded (in order to keep the BGP table small).

Route-Reflectors have this filter disabled by default, because they need all the prefixes to accommodate all possible PEs. In order to disable it manually on other routers, you can use the following commands.

IOS
router bgp 100
no bgp default route-target filter

IOS-XR
router bgp 100
address-family vpnv4 unicast
retain route-target all

IOS-XR supports also the selective filtering of RTs by using a policy that matches specific RTs.

IOS-XR
router bgp 100
address-family vpnv4 unicast
retain route-target route-policy RT-POLICY
!
route-policy RT-POLICY
if extcommunity rt matches-any (100:1, 100:2) then
pass
else
drop
endif

Multi-VRF (VRF-Lite)

It allows a logical separation of a CE router into multiple VRFs, without the need for MPLS/MP-BGP. Using MPLS Multi-VRF you can extend the LSPs to the CE and all routing domains that the CE supports.

Usually, a router with Multi-VRF is shared by several customers and each customer has their own routing table.

Characteristics

one or more VRFs configured and assigned to interfaces
no MPLS configured
no BGP VPNv4 configured
no RTs under "vrf definition" required on IOS
no RDs under "bgp vrf" required on IOS-XR

Configuration Steps

Configure VRFs on the PE and the CE
Configure the routing protocol for each VRF on the CE towards each customer
Configure BGP or IGP as PE-CE protocol for each VRF
Configure labeling either with BGP+Label or IGP+LDP (if required)

Special care must be taken in case of using OSPF as PE-CE protocol, because due to setting the DN bit by default on specific routes advertised from PE to CE, these routes wouldn't be installed in the Multi-VRF CE's routing table.

Always prefer to use BGP as PE-CE, due to its simpler configuration and better filtering.

Traffic classification into a VRF

One VRF per interface

Classic method (IOS, IOS-XR)

Multiple VRFs per interface

Multi-VRF Selection Using Policy-Based Routing (IOS)

match an ip access-list

VRF Selection Based on Source IP Address (IOS)

match the source ip address

VRF-Autoclassify (IOS)

match the directly connected prefix

ACL Based Forwarding with VRF Next-Hop (IOS-XR)

match an ip access-list

Classic Method

IOS
interface X
ip vrf forwarding VPN-A
!
interface X
vrf forwarding VPN-B

IOS-XR
interface X
vrf VPN-C

Multi-VRF Selection Using Policy-Based Routing

It allows a specific interface on a PE router to route packets to different VPNs based on various match criteria defined in an ip access list or on packet length.

IOS
interface X
ip vrf receive VPN-A
ip vrf receive VPN-B
ip vrf receive VPN-C
ip address 1.1.1.1 255.255.255.0
ip policy route-map VRF-SELECTION-PBR

ip access-list standard VPN-A-ACL
permit 1.1.2.2
ip access-list standard VPN-B-ACL
permit 1.1.3.3
ip access-list standard VPN-C-ACL
permit 1.1.4.4
!
route-map VRF-SELECTION-PBR permit 10
match ip address VPN-A-ACL
set vrf VPN-A
!
route-map VRF-SELECTION-PBR permit 20
match ip address VPN-B-ACL
set vrf VPN-B
!
route-map VRF-SELECTION-PBR permit 30
match ip address VPN-C-ACL
set vrf VPN-C

Limitations

multicast is not usually supported by PBR

VRF Selection Based on Source IP Address

It allows a specific interface on a PE router to route packets to different VPNs based upon the source IP address of the packets. It's supported only on very specific hardware.

IOS
vrf selection source 1.1.1.0 255.255.255.0 vrf VPN-A
vrf selection source 2.2.2.0 255.255.255.0 vrf VPN-B
!
int X
ip vrf select source
ip vrf receive VPN-A
ip vrf receive VPN-B

Limitations

supported by limited hardware
performance can degrade with longer subnet masks

If it's not supported by the router, you'll get the following output:

R1(config)#vrf selection source 1.1.1.0 255.255.255.0 vrf VPN-A
% VRF Select: failed to add config

VRF-Autoclassify

It allows a specific interface on a PE router to route packets to different VPNs based on the ip addresses assigned to directly connected hosts.

At the same time it also enables certain types of Policy Based Routing (PBR) to be created dynamically without configuring all the related route maps and access lists. More specifically it enables the dynamic configuration of policies that are required for the mapping of packets to the VRFs, depending on whether the source address of the packet belongs to those connected routes.

IOS
interface X
ip address 1.1.1.1 255.255.255.0 secondary vrf VPN-A
ip address 1.1.2.1 255.255.255.0 secondary vrf VPN-B
ip address 2.2.2.2 255.255.255.0
ip vrf autoclassify source
!
interface Y
ip vrf forwarding VPN-A
ip address 10.10.10.1 255.255.255.0
!
interface Z
ip vrf forwarding VPN-B
ip address 20.20.20.1 255.255.255.0

Limitations

any directly connected hosts must not run routing protocols
the router that is enabled with the VRF-Autoclassify feature must not run routing protocols
applies only to unicast packets

ACL Based Forwarding (ABF) with VRF Next-Hop

It allows packet arriving on ingress VRF to get routed on an egress interface which is in a different VRF based on various match criteria defined in an ip access list.

So you actually specify a nexthop VRF instead of a specific IP address for the nexthop. When this config is enabled, packet destination lookup will be performed in the ABF Nexthop VRF.

IOS-XR
interface X
ipv4 address 10.10.10.10 255.255.255.0
vrf VPN-A
ipv4 access-group ABF-ACL ingress
!
ipv4 access-list ABF-ACL
permit ipv4 1.1.2.2 0.0.0.0 any nexthop1 vrf VPN-A
permit ipv4 1.1.3.3 0.0.0.0 any nexthop1 vrf VPN-B
permit ipv4 1.1.4.4 0.0.0.0 any nexthop1 vrf VPN-C

Limitations

applies only to ASR9k and CRS running IOS-XR

NTS: BFD

BFD

BFD (Bidirectional Forwarding Detection) is defined in RFC 5880.
BFD for one-hop IPv4/IPv6 is defined in RFC 5881.
BFD for multi-hop is defined in RFC 5883.
BFD for MPLS LSPs is defined in RFC 5884.

Common BFD applications

Control plane liveliness detection
Tunnel endpoint liveliness detection
Trigger mechanism for IP/MPLS FRR
MPLS date plane failure detection

BFD advantages

failure detection in sub-sec
generic/consistent failure detection mechanism for all protocols
less CPU intensive if distributed to the data plane

BFD modes

Asynchronous mode

continuous and periodic BFD packets

Demand mode

BFD packets only after a demand

BFD echo (where a stream of echo packets is sent and received) is the most common function for both modes.

Cisco supports the asynchronous mode and the echo function by default.

BFD payload control packets are encapsulated in UDP packets

destination port 3784
source port 49152

Echo packets are also encapsulated in UDP packets

destination port 3785
source port 3785

BFD control packets are always sent as unicast packets to the BFD peer.

The encapsulation of BFD Control packets for multihop application in IPv4 and IPv6 is identical to that above, except that the UDP destination port is 4784.

Each system reports in the BFD Control packet how rapidly it would like to transmit BFD packets, as well as how rapidly it is prepared to receive them. This allows either system to determine the max packet rate (minimum interval) in both directions.

To establish a BFD neighbor in IOS-XR, BFD must either be configured under an IGP or as a static route.

BFD Configuration

BFD can be configured

under an interface for a specific protocol (IOS)
under the protocol process for a specific interface (IOS-XR)
under the protocol process for all interfaces (IOS)
under the protocol process for all neighbors (IOS-XR)
under the protocol process for a specific neighbor (IOS,IOS-XR)

In all cases, BFD timers (interval, min_rx, multiplier) must be defined under the relevant interfaces too. BFD and BGP in IOS-XR is the exception, as show below.

If you are using BFD with uRPF on a particular interface, then you need to use the "echo disable" command to disable the echo mode on that interface, otherwise echo packets are rejected. You can disable echo mode for the entire router, or for an individual interface.

BFD can be combined with "carrier-delay 0" for quicker protocol reaction.

In IOS-XR, "bfd fast-detect" is required in order to start the BFD process.

BFD might cause crashes and malfunctions when enabled on GNS3 emulated routers.

Instead of running BFD at the link-level, you can also run BFD at the LSP level (aka across the LSP), something that offers faster detection in case of path protection.

BFD & BGP

IOS
interface X
bfd interval 300 min_rx 300 multiplier 3
!
router bgp 100
neighbor 2.2.2.2 fall-over bfd

IOS-XR
router bgp 100
neighbor 2.2.2.2
bfd fast-detect
bfd multiplier 3
bfd minimum-interval 300

In IOS-XR, BFD parameters (multiplier, min-interval) can be configured for all BGP neighbors (under the BGP process) or for a specific BGP neighbor. BFD activation is always per neighbor.

It is generally not recommended to use BFD for iBGP, when the underlying IGP is already doing so.

BFD & ISIS

IOS
interface X
bfd interval 150 min_rx 150 multiplier 3
isis bfd

or

IOS
router isis 1
bfd all-interfaces
!
interface X
bfd disable

IOS-XR
router isis 1
interface X
bfd minimum-interval 150
bfd multiplier 3
bfd fast-detect ipv4

BFD & OSPF

IOS
interface X
bfd interval 150 min_rx 150 multiplier 3
ip ospf bfd

or

IOS
router ospf 1
bfd all-interfaces
!
interface X
bfd disable

IOS-XR
router ospf 1
area 0
interface X
bfd minimum-interval 150
bfd multiplier 3
bfd fast-detect ipv4

BFD parameters can also be configured directly under the ospf process.

BFD establishes sessions from a neighbor to a DR or BDR, only when the neighbor state is full.

BFD does not establish sessions between DR-Other neighbors (for example, when their OSPF states are both 2-way)

BFD & RSVP-TE/FRR

IOS
ip rsvp signalling hello bfd
!
interface X
bfd interval 300 min_rx 300 multiplier 3
ip rsvp signalling hello bfd

IOS-XR
mpls traffic-eng
interface TenGigE0/0/0/0
bfd fast-detect
!
bfd minimum-interval 150
bfd multiplier 3

IOS relates the BFD configuration to RSVP configuration, while IOS-XR relates it to MPLS TE configuration.

IOS
R3#sh bfd neighbors detail

NeighAddr                         LD/RD    RH/RS     State     Int
12.3.4.4                           1/1     Up        Up        Fa0/0.34
Session state is UP and using echo function with 300 ms interval.
OurAddr: 12.3.4.3
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
Received MinRxInt: 1000000, Received Multiplier: 3
Holddown (hits): 0(0), Hello (hits): 1000(17)
Rx Count: 15, Rx Interval (ms) min/max/avg: 1/996/834 last: 312 ms ago
Tx Count: 18, Tx Interval (ms) min/max/avg: 1/1000/845 last: 344 ms ago
Elapsed time watermarks: 0 0 (last: 0)
Registered protocols: CEF TE/FRR
Uptime: 00:00:11
Last packet: Version: 1                  - Diagnostic: 0
             State bit: Up               - Demand bit: 0
             Poll bit: 0                 - Final bit: 0
             Multiplier: 3               - Length: 24
             My Discr.: 1                - Your Discr.: 1
             Min tx interval: 1000000    - Min rx interval: 1000000
             Min Echo interval: 300000

BFD & IPv6

BFD for IPv6 (BFDv6) is not supported in IOS-XR < 4.1.

BFDv6 supports both global and link-local IPv6 addresses for neighbor session creation. BFDv6 sessions select automatically source addresses to match the neighbor address types. Each type of IPv6 address on the local router must be paired with the same type on the peer router.

You can have an IPv6 static route (2001:DB8::/64) pointing to a peer router associated with a BFD neighbor (2001::1). In order to remove this IPv6 static route from the RIB if the BFD neighbor goes down, you must associate the static route with the BFD neighbor

IOS
ipv6 route 2001:DB8::/64 Ethernet0/0 2001::1
ipv6 route static bfd Ethernet0/0 2001::1

In BFD associated mode (default), an IPv6 static route is automatically associated with an IPv6 BFD neighbor, if the static route next-hop matches exactly the static BFD neighbor. If you want to avoid this, you can configure the static route as "unassociated".

NTS: Inter-AS MPLS L3VPN

Inter-AS MPLS L3VPN

Inter-AS MPLS L3VPN Options are defined in RFC 4364.

Inter-AS Options

Inter-AS Option A (Back-to-Back VRF)

one logical/physical interface per VRF in the interconnection
one PE-CE eBGP/IGP session per VRF between ASBRs
IP traffic between ASBRs
no need for common RDs/RTs between ASNs
2 LSPs and 1 IP path from one PE to the other PE

Inter-AS Option B (MP-eBGP between ASBRs)

one physical/logical interface for all VRFs in the interconnection
eBGP VPNv4 between ASBRs
MPLS traffic between ASBRs
common RDs/RTs between ASNs (unless RT rewrite is used)
next-hop-self on each ASBR for iBGP

3 LSPs from one PE to the other PE

redistribute connected/static on each ASBR for the interconnection

2 LSPs from one PE to the other PE
filter to redistribute only the peer's address

multihop (loopback) peering between ASBRs

2 LSPs from one PE to the other PE
static routes for peer's loopback on each ASBR
LDP between ASBRs
MPLS static label binding for peer's loopback pointing to interconnection on each ASBR

Inter-AS Option C (Multihop MP-eBGP between RRs/PEs)

one physical/logical interface for all VRFs in the interconnection
labeled eBGP session between ASBRs for next-hop exchange
multihop eBGP VPNv4 session between RRs
MPLS traffic between ASBRs
common RDs/RTs between ASNs (unless RT rewrite is used)
change next-hop on each VPNv4 RR for the eBGP session (default)

2 LSPs from one PE to the other PE

next-hop-unchanged on each VPNv4 RR for the eBGP session

1 LSP from one PE to the other PE

eBGP session between ASBRs with directly connected interfaces

next-hop-self on each ASBR for the iBGP sessions

multihop (loopback) eBGP session between ASBRs with loopbacks

static routes for peer's loopback on each ASBR
LDP between ASBRs
MPLS static label binding for peer's loopback pointing to interconnection on each ASBR

The transport label changes whenever the next-hop changes.

Inter-AS Option A

ASBR-1

IOS
ip vrf VPN1
rd 1:100
route-target 1:100
!
ip vrf VPN2
rd 1:200
route-target 1:200
!
interface FastEthernet0/0
description ** Inter-AS NNI **
!
interface FastEthernet0/0.10
description ** Customer VPN1 **
encapsulation dot1q 10
ip vrf forwarding VPN1
ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0.20
description ** Customer VPN2 **
encapsulation dot1q 20
ip vrf forwarding VPN2
ip address 20.20.20.1 255.255.255.0
!
router bgp 1
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 update-source Loopback0
neighbor 1.1.1.1 description iBGP-VPNv4
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
neighbor 1.1.1.1 next-hop-self
exit-address-family
!
address-family ipv4 vrf VPN1
neighbor 10.10.10.2 remote-as 2
neighbor 10.10.10.2 activate
exit-address-family
!
address-family ipv4 vrf VPN2
neighbor 20.20.20.2 remote-as 2
neighbor 20.20.20.2 activate
exit-address-family

ASBR-2

IOS
ip vrf test1
rd 2:100
route-target 2:100
!
ip vrf test2
rd 2:200
route-target 2:200
!
interface FastEthernet0/0
description ** Inter-AS NNI **
!
interface FastEthernet0/0.10
description ** Customer VPN1 **
encapsulation dot1q 10
ip vrf forwarding VPN1
ip address 10.10.10.2 255.255.255.0
!
interface FastEthernet0/0.20
description ** Customer VPN2 **
encapsulation dot1q 20
ip vrf forwarding VPN2
ip address 20.20.20.2 255.255.255.0
!
router bgp 2
neighbor 2.2.2.2 remote-as 2
neighbor 2.2.2.2 update-source Loopback0
neighbor 2.2.2.2 description iBGP-VPNv4
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
neighbor 2.2.2.2 next-hop-self
exit-address-family
!
address-family ipv4 vrf VPN1
neighbor 10.10.10.1 remote-as 1
neighbor 10.10.10.1 activate
exit-address-family
!
address-family ipv4 vrf VPN2
neighbor 20.20.20.1 remote-as 1
neighbor 20.20.20.1 activate
exit-address-family

You can also use a different router-id per VRF, using the "bgp router-id" under each vrf address-family.

Inter-AS Option B

ASBR-1

IOS
interface FastEthernet0/0
description ** Inter-AS NNI **
ip address x.x.x.x
mpls bgp forwarding
!
router bgp 1
no bgp default route-target filter
neighbor PE-1 remote-as 1
neighbor PE-1 update-source Loopback0
neighbor PE-1 description MP-iBGP with PE-1
neighbor ASBR-2 remote-as 2
neighbor ASBR-2 description MP-eBGP with ASBR-2
no auto-summary
!
address-family vpnv4
neighbor PE-1 activate
neighbor PE-1 send-community extended
neighbor PE-1 next-hop-self
neighbor ASBR-2 activate
neighbor ASBR-2 send-community extended
exit-address-family

ASBR-2

IOS
interface FastEthernet0/0
description ** Inter-AS NNI **
ip address x.x.x.x
mpls bgp forwarding
!
router bgp 2
no bgp default route-target filter
neighbor PE-2 remote-as 2
neighbor PE-2 update-source Loopback0
neighbor PE-2 description MP-iBGP with PE-2
neighbor ASBR-1 remote-as 1
neighbor ASBR-1 description MP-eBGP with ASBR-1
!
address-family vpnv4
neighbor PE-2 activate
neighbor PE-2 send-community extended
neighbor PE-2 next-hop-self
neighbor ASBR-1 activate
neighbor ASBR-1 send-community extended
exit-address-family

Inter-AS Option C

RR-1

IOS
router bgp 1
no synchronization
neighbor PE-1 remote-as 1
neighbor PE-1 update-source Loopback0
neighbor PE-1 description MP-iBGP with PE-1
neighbor ASBR-1 remote-as 1
neighbor ASBR-1 update-source Loopback0
neighbor ASBR-1 description MP-iBGP with ASBR-1
neighbor RR-2 remote-as 2
neighbor RR-2 ebgp-multihop 255
neighbor RR-2 update-source Loopback0
neighbor RR-2 description MP-eBGP with RR-2
no auto-summary
!
address-family vpnv4
neighbor PE-1 activate
neighbor PE-1 send-community extended
neighbor PE-1 route-reflector-client
neighbor ASBR-1 activate
neighbor ASBR-1 send-community extended
neighbor ASBR-1 route-reflector-client
neighbor RR-2 activate
neighbor RR-2 send-community extended
neighbor RR-2 next-hop-unchanged
exit-address-family

ASBR-1

IOS
interface FastEthernet0/0
description ** Inter-AS NNI **
ip address x.x.x.x
mpls bgp forwarding
!
route-map PE2-TO-IGP permit 10
match ip address PE-2
!
router IGP 100
redistribute bgp 1 route-map PE2-TO-IGP
!
router bgp 1
no synchronization
network PE-1 mask 255.255.255.255
!
neighbor RR-1 remote-as 1
neighbor RR-1 update-source Loopback0
neighbor RR-1 description MP-iBGP to RR-1
neighbor ASBR-2 remote-as 2
neighbor ASBR-2 send-label
νeighbor ASBR-2 description MP-eBGP to ASBR-2
no auto-summary
!
address-family vpnv4
neighbor RR-1 activate
neighbor RR-1 send-community extended
exit-address-family

ASBR-2

IOS
interface FastEthernet0/0
description ** Inter-AS NNI **
ip address x.x.x.x
mpls bgp forwarding
!
route-map PE1-TO-IGP permit 10
match ip address PE-1
!
router IGP 200
redistribute bgp 2 route-map PE1-TO-IGP
!
router bgp 2
network PE-2 mask 255.255.255.255
!
neighbor RR-2 remote-as 2
neighbor RR-2 update-source Loopback0
neighbor RR-2 description MP-iBGP to RR-2
neighbor ASBR-1 remote-as 1
neighbor ASBR-1 send-label
neighbor ASBR-1 description MP-eBGP to ASBR-1
!
address-family vpnv4
neighbor RR-2 activate
neighbor RR-2 send-community extended
exit-address-family

RR-2

IOS
router bgp 2
neighbor PE-2 remote-as 2
neighbor PE-2 update-source Loopback0
neighbor PE-2 description MP-iBGP with PE-2
neighbor ASBR-2 remote-as 2
neighbor ASBR-2 update-source Loopback0
neighbor ASBR-2 description MP-iBGP with ASBR-2
neighbor RR-1 remote-as 1
neighbor RR-1 ebgp-multihop 255
neighbor RR-1 update-source Loopback0
neighbor RR-1 description MP-eBGP with RR-1
!
address-family vpnv4
neighbor PE-2 activate
neighbor PE-2 send-community extended
neighbor PE-2 route-reflector-client
neighbor ASBR-2 activate
neighbor ASBR-2 send-community extended
neighbor ASBR-2 route-reflector-client
neighbor RR-1 activate
neighbor RR-1 send-community extended
neighbor RR-1 next-hop-unchanged
exit-address-family

In IOS-XR, in order to send IPv4 prefixes with labels over a labeled BGP session, the IOS-XR router must be the originator of the prefixes. On the other hand, an IOS router can send labeled IPv4 prefixes over a labeled BGP session whether it's the originator or not of those prefixes.

If an output route-map is applied on a labeled BGP session, then labels will be added only to those prefixes that have the command "set mpls-label" under the relevant statement in the route-map. Generally, if a router is advertising IPv4 prefixes with labels, then you can use an output route-map (with the "set mpls-label" command) to specify which prefixes will be sent with a label.

You need to disable the default RT filter from the ASBRs, unless they have all the VRFs locally configured or they are VPNv4 RRs.

In most IOS software releases, the command "mpls bgp forwarding" is added automatically under the eBGP peering interface when a VPNv4 or labeled BGP session is configured between directly connected peers. If you use loopbacks for peering, then you must manually configure it. Always verify its existence, together with the interface's mpls operational state.

IOS
R1#sh mpls int
Interface              IP            Tunnel   BGP Static Operational
FastEthernet0/0.13     Yes (ldp)     No       No No     Yes
FastEthernet0/0.30     No            No       Yes No     Yes

Generally, Cisco software requires a /32 route for each next-hop that should be label switched. In the Inter-AS B/C options, in IOS-XR you must add manually a /32 static route for the peer address of the interconnection in order to create a label for that. IOS creates automatically a /32 connected route when the relevant VPNv4 or labeled BGP session comes up.

IOS-XR
router static
address-family ipv4 unicast
10.10.10.2/32 GigabitEthernet0/2/1/2

IOS
Dec 29 15:45:30.703: %BGP-5-ADJCHANGE: neighbor 10.10.10.2 Up
Dec 29 15:45:30.707: CONN: add connected route, idb: FastEthernet0/0.30, addr: 10.10.10.2, mask: 255.255.255.255

If you want to achieve load-sharing in a MPLS L3VPN environment with RRs, you can use a different RD per PE in combination with BGP multipath.

Inter-AS scenarios emulated in GNS3 might sometimes cause very large delays in data forwarding. Increase the ping/traceroute timeout in order to verify connectivity.

Static Label Bindings

In some cases you don't have the option of enabling LDP or having a VPNv4 or labeled BGP session between directly connected peers, but you still need to have the label switching functionality on their interconnection.

i.e. if you configure the following static route in order to reach peer's loopback:

IOS
ip route 19.19.19.19 255.255.255.255 12.1.19.19

IOS
R1#sh mpls forwarding-table 19.19.19.19 detail
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
24         No Label   19.19.19.19/32   0             Fa0/0 12.1.19.19
        MAC/Encaps=18/18, MRU=1504, Label Stack{}
        CA02141C0008CA0417EC0000810000770800
        No output feature configured

then you need to also add a static (outgoing) label binding for that:

IOS
mpls static binding ipv4 19.19.19.19 255.255.255.255 output 12.1.19.19 implicit-null

IOS
R1#sh mpls static binding
19.19.19.19/32: Incoming label: none;
Outgoing labels:
     12.1.19.19           implicit-null

R1#sh mpls forwarding-table 19.19.19.19 detail
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
24         Pop Label 19.19.19.19/32   0             Fa0/0 12.1.19.19
        MAC/Encaps=18/18, MRU=1504, Label Stack{}
        CA02141C0008CA0417EC0000810000770800
        No output feature configured

At the same time, you must enable MPLS on this interface without using LDP:

IOS
R1#sh mpls int FastEthernet0/0
Interface              IP            Tunnel   BGP Static Operational

IOS
interface FastEthernet0/0
mpls bgp forwarding

IOS
R1#sh mpls int FastEthernet0/0
Interface              IP            Tunnel   BGP Static Operational
FastEthernet0/0    No            No       Yes No     Yes

Static Label Bindings per Interface

multiaccess interfaces

next-hop ip address required
label required

point-to-point interfaces

interface required

The above differentiation per interface is applicable only on specific software releases. The multiaccess interface is the common one.

If you must configure specific static labels, then you must first define the label range (which will sometimes require a reload).

Implicit-null is used in the above example due to PHP (pop label) that must happen for the directly connected peer.

Inter-AS L3VPN

If you want to follow a Inter-AS L3VPN path (assuming control-plane has been setup correctly), then you can execute the following algorithm:

first router (start PE)

Find the VPN label for the prefix
Find the Transport label(s) for the prefix's next-hop

n router

Follow the Transport top label swaps until there is a "Pop Label" for next router

n+1 router

Find the local VPN label for the prefix

If VPN label is "nolabel", then

router is the end PE
VPN is locally attached

If VPN label is other, then

router is an RR/ASBR
find the Transport label(s) for the prefix's new next-hop
go to "n router"

If VPN label doesn't exist, then

multiple Transport labels exist
go to "n router"

If the route is learned from IGP, the Transport label must be allocated through LDP/RSVP.
If the route is learned from BGP, the Transport label must be allocated through BGP.

Example

R6(PE1)=>R4(P1)=>XR1(ASBR1)=>R1(ASBR2)=>R3(P2)=>R2(PE3)

Start PE

IOS
R6#sh bgp vpnv4 unicast all 7.7.7.7/32
BGP routing table entry for 102:202:7.7.7.7/32, version 36
Paths: (1 available, best #1, table VPN_B)
Not advertised to any peer
100
    2.2.2.2 (metric 20) from 20.20.20.20 (20.20.20.20)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:102:202 0x8800:32768:0 0x8801:1:130560
        0x8802:65281:25600 0x8803:65281:1500 0x8806:0:0
      mpls labels in/out nolabel/26

VPN label is 26

IOS
R6#sh mpls forwarding-table 2.2.2.2 detail
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
None       23         2.2.2.2/32       0             Fa0/0.46   20.4.6.4
        MAC/Encaps=18/26, MRU=1496, Label Stack{16 23}
        CA0611100000CA0115B000008100002E8847 0001000000017000
        No output feature configured

Transport label is 16/23, VPN label is 26

IOS
R4#sh mpls forwarding-table labels 16 detail
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
16         Pop Label 19.19.19.19/32   18896         Fa0/0.419 20.4.19.19
        MAC/Encaps=18/18, MRU=1504, Label Stack{}
        CA02141C0008CA0611100000810001A38847
        No output feature configured

Transport label is 23, VPN label is 26

IOS

XR1#sh mpls forwarding-table labels 23 detail
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
23         20         2.2.2.2/32       22628         Fa0/0.119 12.1.19.1
        MAC/Encaps=18/22, MRU=1500, Label Stack{20}
        CA0417EC0000CA02141C0008810000778847 00014000
        No output feature configured

Transport label is 20, VPN label is 26

IOS

R1#sh mpls forwarding-table labels 20 detail
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
20         19         2.2.2.2/32       24518         Fa0/0.13   10.1.3.3
        MAC/Encaps=18/22, MRU=1500, Label Stack{19}
        CA0711100000CA0417EC00008100000D8847 00013000
        No output feature configured

Transport label is 19, VPN label is 26

IOS

R3#sh mpls forwarding-table labels 19 detail
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
19         Pop Label 2.2.2.2/32       85693         Fa0/0.23   10.2.3.2
        MAC/Encaps=18/18, MRU=1504, Label Stack{}
        CA0517EC0000CA0711100000810000178847
        No output feature configured

VPN label is 26

IOS

R2#sh bgp vpnv4 unicast all 7.7.7.7/32
BGP routing table entry for 102:202:7.7.7.7/32, version 4
Paths: (1 available, best #1, table VPN_B)
Advertised to update-groups:
     1
Local
    40.2.7.7 from 0.0.0.0 (2.2.2.2)
      Origin incomplete, metric 156160, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:102:202 Cost:pre-bestpath:128:156160
        0x8800:32768:0 0x8801:1:130560 0x8802:65281:25600 0x8803:65281:1500
        0x8806:0:0
      mpls labels in/out 26/nolabel

End PE found

RT Rewrite

It is used mainly in Inter-AS topologies, when there is a need to keep different RTs between the ASes. It allows the ASBR (or any other router that's involved) to replace the peer ASN's RTs with their own.

Configuration Steps

define the RTs to be replaced
configure a route-map that matches the above RTs, deletes them and then adds the new RTs
apply the route-map to the bgp neighbor session

IOS
ip extcommunity-list 1 permit rt 200:1
ip extcommunity-list 2 permit rt 200:2
!
route-map RT-REWRITE-ROUTEMAP permit 10
match extcommunity 1
set extcomm-list 1 delete
set extcommunity rt 100:1 additive
continue 20
!
route-map RT-REWRITE-ROUTEMAP permit 20
match extcommunity 2
set extcomm-list 2 delete
set extcommunity rt 100:2 additive
!
route-map RT-REWRITE-ROUTEMAP permit 30
!
router bgp 100
neighbor 10.10.10.2 remote-as 200
!
address family vpnv4
neighbor 10.10.10.2 activate
neighbor 10.10.10.2 send-community extended
neighbor 10.10.10.2 route-map RT-REWRITE-ROUTEMAP in

Use the "additive" keyword when setting the new RT in order to not erase all other extended communities.

Use the "continue" statement (in ingress route-maps) when you need to rewrite more than one RTs in the same prefix.

Pages

Thursday, February 6, 2014

NTS: VRF

VRF

NTS: BFD

BFD

NTS: Inter-AS MPLS L3VPN

Inter-AS MPLS L3VPN