
Thursday, February 6, 2014

NTS: CsC

CsC




CsC (Carrier supporting Carrier) is defined in RFC 4364.



Control-Plane
  • The Customer Carrier PEs run BGP VPNv4 in order to exchange VPN labels
  • The Customer Carrier routers run IGP+LDP (or iBGP+Label) in order to exchange all their internal BGP next-hops and their labels
  • The CsC-PEs and CsC-CEs run eBGP (or IGP) in order to exchange BGP next-hop prefixes
  • The CsC-PEs and CsC-CEs run eBGP+Label (or IGP+LDP) in order to exchange labels for the BGP next-hop prefixes
  • The Backbone Carrier routers run IGP+LDP in order to exchange all their internal BGP next-hops and their labels

The Backbone Carrier offers an MPLS VPN service to the Customer Carrier, which in turn offers an MPLS VPN or Internet service to its customers.

The Backbone Carrier doesn't need to know the final customer prefixes.

Using IGP+LDP in CsC is not as risky as with Inter-AS MPLS VPN Option 3 because:
  • Customer Carrier internal routes are put into a specific VRF in the Backbone Carrier
  • No Backbone Carrier internal routes are distributed into the Customer Carrier network

You can have multiple Backbone Carriers, using Inter-AS MPLS L3VPN for interconnection.

By default a CsC-PE runs PHP towards the CsC-CE. If using an ipv4-labeled PE-CE session, you can change this behavior (in order to keep the QoS consistent across providers) by using the "neighbor x.x.x.x send-label explicit-null" command on the CsC-CE.

IOS-XR supports only the use of Labeled BGP as a PE-CE protocol in CsC topologies. LDP (+IGP) is not supported.



CsC Load Balancing

Load balancing between CsC-PE and CsC-CE can be achieved with:
  • directly connected loopback peering for one pair of PE/CE
    • one eBGP session between neighbors
    • multiple static routes for each other's loopback
    • mpls forwarding on all directly connected physical interfaces
  • eBGP multipath for multiple pairs of PEs/CEs
    • maximum-paths under bgp & vrf address family on PE
    • maximum-paths under bgp on CE

When using static routes, you also need to define the outgoing interface and the next-hop.

"mpls bgp forwarding" is not automatically added, because the BGP session is not between directly connected neighbors. You have to add it yourself.



Configuration


BC = Backbone Carrier (AS10)
CC = Customer Carrier (AS100)
C = Customer (AS200)

Backbone Carrier runs IS-IS or OSPF with MPLS/LDP in its core

Backbone Carrier (CsC-PE1) runs OSPF+LDP with Customer Carrier (CsC-CE1)
Backbone Carrier (CsC-PE2) runs eBGP+Label with Customer Carrier (CsC-CE2)

Customer Site 1 (C-CE1) runs OSPF with Customer Carrier (CC-PE1)
Customer Site 2 (C-CE2) runs ISIS with Customer Carrier (CC-PE2)

CC-PE (Customer Carrier PE serving the final customer site) and CsC-CE (Carrier supporting Carrier CE) functionalities can be collapsed into a single router.

CsC-PE1 and CsC-PE2 run iBGP VPNv4 in order to exchange Customer Carrier prefixes/labels
CsC-CE1 and CsC-CE2 run iBGP VPNv4 in order to exchange Customer prefixes/labels



IGP+LDP between CsC-PE1 and CsC-CE1


CsC-PE1 (IOS)
! for connectivity to BC core (IGP+LDP)
mpls ldp router-id Loopback0
mpls label protocol ldp
!
interface Ethernet0/2
 description ** Link to BC core **
 ip address x.x.x.x

 mpls ip
!
router isis/ospf x
!
! for connectivity to CsC-CE1 (OSPF+LDP)
vrf definition CC-VPN
 rd 10:X

 route-target 10:X
!
 address-family ipv4

 exit-address-family
!
interface Ethernet1/0

 description ** Link to CsC-CE1 **
 vrf forwarding CC-VPN
 ip address x.x.x.x
 mpls ip
!
router ospf 10 vrf CC-VPN
 redistribute bgp 10 subnets
 network x.x.x.x area 0
!

! for connectivity to BC-PE2 (iBGP VPNv4)
router bgp 10

 no bgp default ipv4-unicast
 neighbor BC-PE2 remote-as 10
 neighbor BC-PE2 update-source Loopback0
 !
 address-family vpnv4
  neighbor BC-PE2 activate
  neighbor BC-PE2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CC-VPN
  redistribute ospf 10 vrf CC-VPN
 exit-address-family




CsC-CE1 (IOS)
! for connectivity to CsC-PE1 (OSPF+LDP)
mpls ldp router-id Loopback0
mpls label protocol ldp
!
interface Ethernet1/0
 description ** Link to CsC-PE1 **
 ip address x.x.x.x
 mpls ip
!

router ospf 10
 network x.x.x.x area 0
!


CC-PE1 (IOS)
! for connectivity to C-CE1 (OSPF+VRF)  
vrf definition C-VPN
 rd 100:Y
 route-target 100:Y
 !
 address-family ipv4
 exit-address-family
!

interface Ethernet1/3
 description ** Link to C-CE1 **
 vrf forwarding C-VPN
 ip address y.y.y.y
!

router ospf 200 vrf C-VPN
 redistribute bgp 100 subnets
 network y.y.y.y area 0
!

! for connectivity to CC-PE2 (iBGP VPNv4)  
router bgp 100
 no bgp default ipv4-unicast
 neighbor CC-PE2 remote-as 100
 neighbor CC-PE2 update-source Loopback0
 !
 address-family vpnv4
  neighbor CC-PE2 activate
  neighbor CC-PE2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf C-VPN
  redistribute ospf 200 vrf C-VPN
 exit-address-family
!



BGP+Label between CsC-PE2 and CsC-CE2


CsC-PE2 (IOS-XR)
! for connectivity to BC core (IGP+LDP)
mpls ldp router-id Loopback0
mpls label protocol ldp
!
router isis/ospf x
!

mpls ldp
 router-id x.x.x.x
 interface x
!

! for connectivity to CsC-CE2  (eBGP+Label)
vrf CC-VPN
 address-family ipv4 unicast
  import route-target
   10:X
  export route-target
   10:X
!
interface GigabitEthernet0/2/1/1
 description ** Link to CsC-CE2 **
 vrf CC-VPN
 ipv4 address x.x.x.x
!

router static
 vrf CC-VPN
  address-family ipv4 unicast
   CsC-CE2/32 GigabitEthernet0/2/1/1

!
router bgp 10
 address-family ipv4 unicast
 !

 vrf CC-VPN
  rd 10:X
  address-family ipv4 unicast
   network x.x.x.x
   allocate-label all
  !
  neighbor CsC-CE2
   remote-as 100
   address-family ipv4 unicast
    route-policy PASS-RPL in
    route-policy PASS-RPL out
    as-override
    send-extended-community-ebgp
   !
   address-family ipv4 labeled-unicast
    route-policy PASS-RPL in
    route-policy PASS-RPL out
    as-override
    send-extended-community-ebgp
!

route-policy PASS-RPL 
  pass
end-policy

!
! for connectivity to BC-PE1 (iBGP VPNv4)  
router bgp 10
 address-family vpnv4 unicast
 !
 neighbor BC-PE1
  remote-as 10
  update-source Loopback0
  address-family vpnv4 unicast



CsC-CE2 (IOS)
! for connectivity to CsC-PE2  (eBGP+Label)
interface Ethernet1/0
 description ** Link to CsC-PE2 **
 ip address x.x.x.x
 mpls bgp forwarding
!

router bgp 100
 no bgp default ipv4-unicast
 neighbor CsC-PE2 remote-as 10
 !
 address-family ipv4
  neighbor CsC-PE2 activate
  neighbor CsC-PE2 send-label
 exit-address-family

!
! for connectivity to C-CE2 (ISIS+VRF)
vrf definition C-VPN
 rd 100:Y

 route-target 100:Y
 !
 address-family ipv4
 exit-address-family
!

interface Ethernet1/3
 description ** Link to C-CE2 **
 vrf forwarding C-VPN
 ip address y.y.y.y
 ip router isis 200
!
router isis 200
 vrf C-VPN
  redistribute bgp 100
!

! for connectivity to CC-PE1 (iBGP VPNv4)  
router bgp 100
 neighbor CC-PE1 remote-as 100
 neighbor CC-PE1 update-source Loopback0
 !
 address-family vpnv4
  neighbor CC-PE1 activate
  neighbor CC-PE1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf C-VPN
  redistribute isis 200

 exit-address-family


IOS-XR configuration is similar to IOS, with the major difference of using the labeled unicast address-family instead of the send-label keyword.

Don't forget to create a /32 static route for the CsC-PE/CE next-hop in IOS-XR when using eBGP+Label. Always verify the installation of labels for /32 next-hops.



Verification
  • Customer Carrier PEs must have a BGP VPNv4 route and a label for the VPN prefix
  • Customer Carrier routers must have a label for the VPN prefix's next-hop
  • CsC-PEs must have a BGP VPNv4 route and a label for the VPN prefix's next-hop
  • Backbone Carrier routers must have a label for the next-hop of VPN prefix's next-hop



    Example

    Assume the following network:

    R1-R2-R3-R4-R5-R6-R7-R8-R9-R10

    where

    Customer Carrier Network
    Backbone Carrier Network


    Then the following would happen for a VPN packet originating at R1 and terminating at R10.
    • R1 (1.1.1.1) (Customer Carrier PE router) - vrf VPN
      • Transport label is 18, VPN label is 20
      • next-hop is R10 (10.10.10.10)
    • R2 (2.2.2.2) (Customer Carrier P router)
      • Transport label is 20, VPN label is 20
      • next-hop is R10 (10.10.10.10)
    • R3 (3.3.3.3) (CsC-CE)
      • Transport label is 26, VPN label is 20
      • next-hop is R10 (10.10.10.10)
    • R4 (4.4.4.4) (CsC-PE) - vrf CSC
      • Transport label is 16/21, VPN label is 20
      • next-hop is R7 (7.7.7.7)
    • R5 (5.5.5.5) (Backbone Carrier P router)
      • Transport label is 16/21, VPN label is 20
      • next-hop is R7 (7.7.7.7)
    • R6 (6.6.6.6) (Backbone Carrier P router)
      • Transport label is 21, VPN label is 20
      • next-hop is R7 (7.7.7.7)
    • R7 (7.7.7.7) (CsC-PE) - vrf CSC
      • Transport label is 18, VPN label is 20
      • next-hop is R10 (10.10.10.10)
    • R8 (8.8.8.8) (CsC-CE)
      • Transport label is 17, VPN label is 20
      • next-hop is R10 (10.10.10.10)
    • R9 (9.9.9.9) (Customer Carrier P router)
      • Transport label is removed, VPN label is 20
      • next-hop is R10 (10.10.10.10)
    • R10 (10.10.10.10) (Customer Carrier PE router) - vrf VPN
      • VPN label is removed, destination reached in next-hop


    R1#trace vrf VPN 99.99.99.99

    Type escape sequence to abort.
    Tracing the route to 99.99.99.99

      1 20.1.2.2 [MPLS: Labels 18/20 Exp 0] 10 msec 10 msec 8 msec
      2 20.2.3.3 [MPLS: Labels 20/20 Exp 0] 7 msec 7 msec 7 msec

      3 20.3.4.4 [MPLS: Labels 26/20 Exp 0] 8 msec 8 msec 7 msec
      4 20.4.5.5 [MPLS: Labels 16/21/20 Exp 0] 7 msec 7 msec 8 msec
      5 20.5.6.6 [MPLS: Labels 16/21/20 Exp 0] 6 msec 5 msec 5 msec
      6 20.6.7.7 [MPLS: Labels 21/20 Exp 0] 3 msec 3 msec 3 msec

      7 20.7.8.8 [MPLS: Labels 18/20 Exp 0] 1 msec 1 msec 1 msec
      8 20.8.9.9 [MPLS: Labels 17/20 Exp 0] 1 msec 1 msec 1 msec
      9 20.9.10.10 [MPLS: Label 20 Exp 0] 1 msec 1 msec 1 msec

     10 30.10.10.99 1 msec 2 msec 2 msec



    Verification in every hop


    Customer Carrier PE router
    R1#sh ip route vrf VPN 99.99.99.99

    Routing Table: VPN
    Routing entry for 99.99.99.99/32
      Known via "bgp 100", distance 200, metric 1, type internal
      Redistributing via rip
      Advertised by rip metric transparent
      Last update from 10.10.10.10 00:56:37 ago
      Routing Descriptor Blocks:
      * 10.10.10.10 (default), from 10.10.10.10, 00:56:37 ago
          Route metric is 1, traffic share count is 1
          AS Hops 0
          MPLS label: 20
          MPLS Flags: MPLS Required


    R1#sh bgp vpnv4 unicast vrf VPN 99.99.99.99/32
    BGP routing table entry for 100:1:99.99.99.99/32, version 11
    Paths: (1 available, best #1, table VPN)
      Not advertised to any peer
      Local
        10.10.10.10 (metric 20) from 10.10.10.10 (10.10.10.10)
          Origin incomplete, metric 1, localpref 100, valid, internal, best
          Extended Community: RT:100:1
          mpls labels in/out nolabel/20


    VPN label is 20

    R1#sh mpls forwarding-table 10.10.10.10 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    23         18         10.10.10.10/32   0             Fa0/0.12   20.1.2.2
            MAC/Encaps=18/22, MRU=1500, Label Stack{18}
            CA0113DC0000CA03079400088100026C8847 00012000
            No output feature configured


    R1#sh ip cef vrf VPN 99.99.99.99 det
    99.99.99.99/32, epoch 0, flags rib defined all labels
      recursive via 10.10.10.10 label 20
        nexthop 20.1.2.2 FastEthernet0/0.12 label 18


    Transport label is 18, VPN label is 20


    From here you have 2 options:
    • follow the next-hops
    • follow the labels (I prefer this one)



    Following the next-hops



    Customer Carrier P router
    R2#sh mpls forwarding-table 10.10.10.10 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    18         20         10.10.10.10/32   13707         Fa0/0.23   20.2.3.3
            MAC/Encaps=18/22, MRU=1500, Label Stack{20}
            CA0610240000CA0113DC00008100002E8847 00014000
            No output feature configured


    Transport label is 20, VPN label is 20

    CsC-CE
    R3#sh mpls forwarding-table 10.10.10.10 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    20         26         10.10.10.10/32   15048         Fa0/0.34   20.3.4.4
            MAC/Encaps=18/22, MRU=1500, Label Stack{26}
            CA0207940008CA0610240000810001A38847 0001A000
            No output feature configured


    Transport label is 26, VPN label is 20

    CsC-PE
    R4#sh mpls forwarding-table vrf CSC 10.10.10.10 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    26         21         10.10.10.10/32[V]16033         Fa0/0.45   20.4.5.5
            MAC/Encaps=18/26, MRU=1496, Label Stack{16 21}
            C20911080000CA0207940008810003338847 0001000000015000
            VPN route: CSC
            No output feature configured


    2 Transport labels are used (use "detail" to see them)

    R4#sh bgp vpnv4 unicast vrf CSC 10.10.10.10
    BGP routing table entry for 200:1:10.10.10.10/32, version 12
    Paths: (1 available, best #1, table CSC)
      Advertised to update-groups:
         3
      100
        7.7.7.7 (metric 4) from 7.7.7.7 (7.7.7.7)
          Origin incomplete, metric 20, localpref 100, valid, internal, best
          Extended Community: RT:200:1
          mpls labels in/out 26/21


    VPN label (21) for Backbone Carrier is actually Transport label (21) for Customer Carrier

    R4#sh mpls forwarding-table 7.7.7.7 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    16         16         7.7.7.7/32       0             Fa0/0.45   20.4.5.5
            MAC/Encaps=18/22, MRU=1500, Label Stack{16}
            C20911080000CA0207940008810003338847 00010000
            No output feature configured


    Transport label is 16/21, VPN label is 20

    Backbone Carrier P router
    R5#sh mpls forwarding-table 7.7.7.7 detail
    Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
    tag    tag or VC   or Tunnel Id      switched   interface
    16     16          7.7.7.7/32        44218      Fa0/0.56   20.5.6.6
            MAC/Encaps=18/22, MRU=1500, Tag Stack{16}
            C20811080000C209110800008100004E8847 00010000
            No output feature configured
        Per-packet load-sharing


    Transport label is 16/21, VPN label is 20

    Backbone Carrier P router
    R6#sh mpls forwarding-table 7.7.7.7 detail
    Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
    tag    tag or VC   or Tunnel Id      switched   interface
    16     Pop tag     7.7.7.7/32        42398      Fa0/0.67   20.6.7.7
            MAC/Encaps=18/18, MRU=1504, Tag Stack{}
            CA0415180000C20811080000810000118847
            No output feature configured
        Per-packet load-sharing


    Transport label is 21, VPN label is 20

    CsC-PE
    R7#sh mpls forwarding-table vrf CSC 10.10.10.10 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    21         18         10.10.10.10/32[V]24156         Fa0/0.78   20.7.8.8
            MAC/Encaps=18/22, MRU=1500, Label Stack{18}
            CA0710240000CA04151800008100000D8847 00012000
            VPN route: CSC
            No output feature configured


    Transport label is 18, VPN label is 20

    CsC-CE
    R8#sh mpls forwarding-table 10.10.10.10 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    18         17         10.10.10.10/32   24703         Fa0/0.89   20.8.9.9
            MAC/Encaps=18/22, MRU=1500, Label Stack{17}
            CA0013DC0000CA0710240000810000238847 00011000
            No output feature configured


    Transport label is 17, VPN label is 20

    Customer Carrier P router
    R9#sh mpls forwarding-table 10.10.10.10 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    17         Pop Label  10.10.10.10/32   23892         Fa0/0.910  20.9.10.10
            MAC/Encaps=18/18, MRU=1504, Label Stack{}
            CA0515180000CA0013DC0000810000198847
            No output feature configured


    Transport label is removed, VPN label is 20

    Customer Carrier PE router
    R10#sh mpls forwarding-table vrf VPN 99.99.99.99 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    20         No Label   99.99.99.99/32[V]1770          Fa0/0.1010 30.10.10.99
            MAC/Encaps=18/18, MRU=1504, Label Stack{}
            C20A0F840000CA05151800008100001D0800
            VPN route: VPN
            No output feature configured


    VPN label is removed, destination reached



    Following the labels


    Customer Carrier P router
    R2#sh mpls forwarding-table labels 18 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    18         20         10.10.10.10/32   13852         Fa0/0.23   20.4.6.4
            MAC/Encaps=18/22, MRU=1500, Label Stack{20}
            CA0610240000CA0113DC00008100002E8847 00014000
            No output feature configured



    Transport label is 20, VPN label is 20

    CsC-CE
    R3#sh mpls forwarding-table labels 20 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    20         26         10.10.10.10/32   15338         Fa0/0.34   20.4.19.19
            MAC/Encaps=18/22, MRU=1500, Label Stack{26}
            CA0207940008CA0610240000810001A38847 0001A000
            No output feature configured


    Transport label is 26, VPN label is 20

    CsC-PE
    R4#sh mpls forwarding-table labels 26 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    26         21         10.10.10.10/32[V]16645         Fa0/0.45   20.4.5.5
            MAC/Encaps=18/26, MRU=1496, Label Stack{16 21}
            C20911080000CA0207940008810003338847 0001000000015000
            VPN route: CSC
            No output feature configured


    2 Transport labels are used (use "detail" to see them)

    Transport label is 16/21, VPN label is 20

    Backbone Carrier P router
    R5#sh mpls forwarding-table labels 16 detail
    Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
    tag    tag or VC   or Tunnel Id      switched   interface
    16     16          7.7.7.7/32        30421      Fa0/0.56   20.5.6.6
            MAC/Encaps=18/22, MRU=1500, Tag Stack{16}
            C20811080000C209110800008100004E8847 00010000
            No output feature configured
        Per-packet load-sharing


    Transport label is 16/21, VPN label is 20

    Backbone Carrier P router
    R6#sh mpls forwarding-table labels 16 detail
    Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
    tag    tag or VC   or Tunnel Id      switched   interface
    16     Pop tag     7.7.7.7/32        29337      Fa0/0.67   20.6.7.7
            MAC/Encaps=18/18, MRU=1504, Tag Stack{}
            CA0415180000C20811080000810000118847
            No output feature configured
        Per-packet load-sharing


    Transport label is 21, VPN label is 20

    CsC-PE
    R7#sh mpls forwarding-table labels 21 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    21         18         10.10.10.10/32[V]17260         Fa0/0.78   20.7.8.8
            MAC/Encaps=18/22, MRU=1500, Label Stack{18}
            CA0710240000CA04151800008100000D8847 00012000
            VPN route: CSC
            No output feature configured


    Transport label is 18, VPN label is 20

    CsC-CE
    R8#sh mpls forwarding-table labels 18 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    18         17         10.10.10.10/32   17726         Fa0/0.89   20.8.9.9
            MAC/Encaps=18/22, MRU=1500, Label Stack{17}
            CA0013DC0000CA0710240000810000238847 00011000
            No output feature configured


    Transport label is 17, VPN label is 20

    Customer Carrier P router
    R9#sh mpls forwarding-table labels 17 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    17         Pop Label  10.10.10.10/32   17200         Fa0/0.910  20.9.10.10
            MAC/Encaps=18/18, MRU=1504, Label Stack{}
            CA0515180000CA0013DC0000810000198847
            No output feature configured


    Transport label is removed, VPN label is 20

    Customer Carrier PE router
    R10#sh mpls forwarding-table labels 20 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    20         No Label   99.99.99.99/32[V]1770          Fa0/0.1010 30.10.10.99
            MAC/Encaps=18/18, MRU=1504, Label Stack{}
            C20A0F840000CA05151800008100001D0800
            VPN route: VPN
            No output feature configured


    VPN label is removed, destination reached
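
The "following the labels" walk above, automated as an added example (not part of the original post): the LFIB dictionary is transcribed from the show outputs on this page, router names used as next hops are this example's shorthand for the Next Hop addresses, and the predicted label stacks are compared with the R1 traceroute.

```python
import re

# LFIB entries transcribed from the "sh mpls forwarding-table labels N detail"
# outputs above: router -> {incoming top label: (outgoing stack, next router)}.
# An empty outgoing stack stands for "Pop Label" / "Pop tag" / "No Label".
LFIB = {
    "R2": {18: ([20], "R3")},
    "R3": {20: ([26], "R4")},
    "R4": {26: ([16, 21], "R5")},   # CsC-PE: swap to 21, push backbone label 16
    "R5": {16: ([16], "R6")},
    "R6": {16: ([], "R7")},         # PHP towards R7
    "R7": {21: ([18], "R8")},
    "R8": {18: ([17], "R9")},
    "R9": {17: ([], "R10")},        # PHP towards R10
    "R10": {20: ([], None)},        # VPN label removed, packet leaves as IP
}

# Traceroute from R1, copied from the page.
TRACE = """\
  1 20.1.2.2 [MPLS: Labels 18/20 Exp 0] 10 msec 10 msec 8 msec
  2 20.2.3.3 [MPLS: Labels 20/20 Exp 0] 7 msec 7 msec 7 msec
  3 20.3.4.4 [MPLS: Labels 26/20 Exp 0] 8 msec 8 msec 7 msec
  4 20.4.5.5 [MPLS: Labels 16/21/20 Exp 0] 7 msec 7 msec 8 msec
  5 20.5.6.6 [MPLS: Labels 16/21/20 Exp 0] 6 msec 5 msec 5 msec
  6 20.6.7.7 [MPLS: Labels 21/20 Exp 0] 3 msec 3 msec 3 msec
  7 20.7.8.8 [MPLS: Labels 18/20 Exp 0] 1 msec 1 msec 1 msec
  8 20.8.9.9 [MPLS: Labels 17/20 Exp 0] 1 msec 1 msec 1 msec
  9 20.9.10.10 [MPLS: Label 20 Exp 0] 1 msec 1 msec 1 msec
 10 30.10.10.99 1 msec 2 msec 2 msec
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\[MPLS: Labels? ([\d/]+) Exp \d+\])?")


def parse_trace(text):
    """Return [(address, [labels, top first])] for each traceroute hop."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            labels = [int(x) for x in m.group(3).split("/")] if m.group(3) else []
            hops.append((m.group(2), labels))
    return hops


def walk_lsp(lfib, first_hop, stack, max_hops=32):
    """Follow the labels: return [(router, stack as received)] per hop."""
    path, router, stack = [], first_hop, list(stack)
    for _ in range(max_hops):
        if router is None:
            return path
        path.append((router, list(stack)))
        if not stack:
            return path                      # unlabeled packet: the LSP has ended
        entry = lfib.get(router, {}).get(stack[0])
        if entry is None:
            raise LookupError(f"{router}: no LFIB entry for label {stack[0]}")
        out, router = entry
        stack = list(out) + stack[1:]        # only the top label is rewritten
    raise RuntimeError("label-switching loop: max_hops exceeded")


def compare(path, hops):
    """List the hops where the LFIB prediction and the traceroute disagree."""
    problems = []
    for n, ((router, predicted), (addr, seen)) in enumerate(zip(path, hops), 1):
        if predicted != seen:
            problems.append(f"hop {n} {router} ({addr}): LFIB {predicted}, trace {seen}")
    return problems


if __name__ == "__main__":
    # R1 imposes transport label 18 over VPN label 20 (sh ip cef vrf VPN ... det).
    path = walk_lsp(LFIB, "R2", [18, 20])
    for router, stack in path:
        print(f"{router:4} receives {'/'.join(map(str, stack))}")
    print(compare(path, parse_trace(TRACE)) or "LFIB walk matches the traceroute")
```

A missing LFIB entry raises `LookupError` at the router where the LSP breaks, which is the same place the manual walk would stop.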




    NTS: Inter-AS MPLS L3VPN

    Inter-AS MPLS L3VPN




    Inter-AS MPLS L3VPN Options are defined in RFC 4364.



    Inter-AS Options
    • Inter-AS Option A (Back-to-Back VRF)
      • one logical/physical interface per VRF in the interconnection
      • one PE-CE eBGP/IGP session per VRF between ASBRs
      • IP traffic between ASBRs
      • no need for common RDs/RTs between ASNs 
      • 2 LSPs and 1 IP path from one PE to the other PE
    • Inter-AS Option B (MP-eBGP between ASBRs)
      • one physical/logical interface for all VRFs in the interconnection
      • eBGP VPNv4 between ASBRs
      • MPLS traffic between ASBRs
      • common RDs/RTs between ASNs (unless RT rewrite is used)
      • next-hop-self on each ASBR for iBGP
        • 3 LSPs from one PE to the other PE
      • redistribute connected/static on each ASBR for the interconnection
        • 2 LSPs from one PE to the other PE
        • filter to redistribute only the peer's address
      • multihop (loopback) peering between ASBRs
        • 2 LSPs from one PE to the other PE
        • static routes for peer's loopback on each ASBR
        • LDP between ASBRs
        • MPLS static label binding for peer's loopback pointing to interconnection on each ASBR
    • Inter-AS Option C (Multihop MP-eBGP between RRs/PEs)
      • one physical/logical interface for all VRFs in the interconnection
      • labeled eBGP session between ASBRs for next-hop exchange
      • multihop eBGP VPNv4 session between RRs
      • MPLS traffic between ASBRs
      • common RDs/RTs between ASNs (unless RT rewrite is used) 
      • change next-hop on each VPNv4 RR for the eBGP session (default)
        • 2 LSPs from one PE to the other PE
      • next-hop-unchanged on each VPNv4 RR for the eBGP session
        • 1 LSP from one PE to the other PE
      • eBGP session between ASBRs with directly connected interfaces
        • next-hop-self on each ASBR for the iBGP sessions
      • multihop (loopback) eBGP session between ASBRs with loopbacks
        • static routes for peer's loopback on each ASBR
        • LDP between ASBRs
        • MPLS static label binding for peer's loopback pointing to interconnection on each ASBR

    The transport label changes whenever the next-hop changes.



    Inter-AS Option A

    ASBR-1

    IOS
    ip vrf VPN1
     rd 1:100
     route-target 1:100
    !
    ip vrf VPN2
     rd 1:200
     route-target 1:200
    !
    interface FastEthernet0/0
     description ** Inter-AS NNI **
    !
    interface FastEthernet0/0.10
     description ** Customer VPN1 **
     encapsulation dot1q 10
     ip vrf forwarding VPN1
     ip address 10.10.10.1 255.255.255.0
    !
    interface FastEthernet0/0.20
     description ** Customer VPN2 **
     encapsulation dot1q 20
     ip vrf forwarding VPN2
     ip address 20.20.20.1 255.255.255.0
    !
    router bgp 1
     neighbor 1.1.1.1 remote-as 1

     neighbor 1.1.1.1 update-source Loopback0
     neighbor 1.1.1.1 description iBGP-VPNv4
    !
     address-family vpnv4
      neighbor 1.1.1.1 activate
      neighbor 1.1.1.1 send-community extended
      neighbor 1.1.1.1 next-hop-self
     exit-address-family
    !
     address-family ipv4 vrf VPN1
      neighbor 10.10.10.2 remote-as 2
      neighbor 10.10.10.2 activate
     exit-address-family
    !
     address-family ipv4 vrf VPN2
      neighbor 20.20.20.2 remote-as 2
      neighbor 20.20.20.2 activate
     exit-address-family



    ASBR-2

    IOS
    ip vrf VPN1
     rd 2:100
     route-target 2:100
    !
    ip vrf VPN2
     rd 2:200
     route-target 2:200
    !
    interface FastEthernet0/0
     description ** Inter-AS NNI **
    !
    interface FastEthernet0/0.10
     description ** Customer VPN1 **
     encapsulation dot1q 10
     ip vrf forwarding VPN1
     ip address 10.10.10.2 255.255.255.0
    !
    interface FastEthernet0/0.20
     description ** Customer VPN2 **
     encapsulation dot1q 20
     ip vrf forwarding VPN2
     ip address 20.20.20.2 255.255.255.0
    !
    router bgp 2
     neighbor 2.2.2.2 remote-as 2
     neighbor 2.2.2.2 update-source Loopback0
     neighbor 2.2.2.2 description iBGP-VPNv4
    !
     address-family vpnv4
      neighbor 2.2.2.2 activate
      neighbor 2.2.2.2 send-community extended
      neighbor 2.2.2.2 next-hop-self
     exit-address-family
    !
     address-family ipv4 vrf VPN1
      neighbor 10.10.10.1 remote-as 1
      neighbor 10.10.10.1 activate
     exit-address-family
    !
     address-family ipv4 vrf VPN2
      neighbor 20.20.20.1 remote-as 1
      neighbor 20.20.20.1 activate
     exit-address-family



    You can also use a different router-id per VRF, using the "bgp router-id" under each vrf address-family.



    Inter-AS Option B

    ASBR-1

    IOS
    interface FastEthernet0/0
     description ** Inter-AS NNI **
     ip address x.x.x.x
     mpls bgp forwarding
    !
    router bgp 1
     no bgp default route-target filter
     neighbor PE-1 remote-as 1
     neighbor PE-1 update-source Loopback0
     neighbor PE-1 description MP-iBGP with PE-1
     neighbor ASBR-2 remote-as 2
     neighbor ASBR-2 description MP-eBGP with ASBR-2
     no auto-summary
    !
     address-family vpnv4
      neighbor PE-1 activate
      neighbor PE-1 send-community extended
      neighbor PE-1 next-hop-self
      neighbor ASBR-2 activate
      neighbor ASBR-2 send-community extended
     exit-address-family



    ASBR-2

    IOS
    interface FastEthernet0/0
     description ** Inter-AS NNI **
     ip address x.x.x.x
     mpls bgp forwarding
    !
    router bgp 2
     no bgp default route-target filter
     neighbor PE-2 remote-as 2
     neighbor PE-2 update-source Loopback0
     neighbor PE-2 description MP-iBGP with PE-2
     neighbor ASBR-1 remote-as 1
     neighbor ASBR-1 description MP-eBGP with ASBR-1
    !
     address-family vpnv4
      neighbor PE-2 activate
      neighbor PE-2 send-community extended
      neighbor PE-2 next-hop-self
      neighbor ASBR-1 activate
      neighbor ASBR-1 send-community extended
     exit-address-family





    Inter-AS Option C

    RR-1

    IOS
    router bgp 1
     no synchronization
     neighbor PE-1 remote-as 1
     neighbor PE-1 update-source Loopback0
     neighbor PE-1 description MP-iBGP with PE-1
     neighbor ASBR-1 remote-as 1
     neighbor ASBR-1 update-source Loopback0
     neighbor ASBR-1 description MP-iBGP with ASBR-1
     neighbor RR-2 remote-as 2
     neighbor RR-2 ebgp-multihop 255
     neighbor RR-2 update-source Loopback0
     neighbor RR-2 description MP-eBGP with RR-2
     no auto-summary
    !
     address-family vpnv4
      neighbor PE-1 activate
      neighbor PE-1 send-community extended
      neighbor PE-1 route-reflector-client
      neighbor ASBR-1 activate
      neighbor ASBR-1 send-community extended
      neighbor ASBR-1 route-reflector-client
      neighbor RR-2 activate
      neighbor RR-2 send-community extended
      neighbor RR-2 next-hop-unchanged
     exit-address-family



    ASBR-1

    IOS
    interface FastEthernet0/0
     description ** Inter-AS NNI **
     ip address x.x.x.x
     mpls bgp forwarding
    !

    route-map PE2-TO-IGP permit 10
     match ip address PE-2
    !
    router IGP 100
     redistribute bgp 1 route-map PE2-TO-IGP
    !
    router bgp 1
     no synchronization
     network PE-1 mask 255.255.255.255
    !
     neighbor RR-1 remote-as 1
     neighbor RR-1 update-source Loopback0
     neighbor RR-1 description MP-iBGP to RR-1
     neighbor ASBR-2 remote-as 2
     neighbor ASBR-2 send-label
     neighbor ASBR-2 description MP-eBGP to ASBR-2
     no auto-summary
    !
     address-family vpnv4
      neighbor RR-1 activate
      neighbor RR-1 send-community extended
     exit-address-family




    ASBR-2

    IOS
    interface FastEthernet0/0
     description ** Inter-AS NNI **
     ip address x.x.x.x
     mpls bgp forwarding
    !

    route-map PE1-TO-IGP permit 10
     match ip address PE-1

    !
    router IGP 200
     redistribute bgp 2 route-map PE1-TO-IGP
    !
    router bgp 2
     network PE-2 mask 255.255.255.255
    !
     neighbor RR-2 remote-as 2
     neighbor RR-2 update-source Loopback0
     neighbor RR-2 description MP-iBGP to RR-2
     neighbor ASBR-1 remote-as 1
     neighbor ASBR-1 send-label
     neighbor ASBR-1 description MP-eBGP to ASBR-1
    !
     address-family vpnv4
      neighbor RR-2 activate
      neighbor RR-2 send-community extended
     exit-address-family




    RR-2

    IOS
    router bgp 2
     neighbor PE-2 remote-as 2
     neighbor PE-2 update-source Loopback0
     neighbor PE-2 description MP-iBGP with PE-2
     neighbor ASBR-2 remote-as 2
     neighbor ASBR-2 update-source Loopback0
     neighbor ASBR-2 description MP-iBGP with ASBR-2
     neighbor RR-1 remote-as 1
     neighbor RR-1 ebgp-multihop 255
     neighbor RR-1 update-source Loopback0
     neighbor RR-1 description MP-eBGP with RR-1
    !
     address-family vpnv4
      neighbor PE-2 activate
      neighbor PE-2 send-community extended
      neighbor PE-2 route-reflector-client
      neighbor ASBR-2 activate
      neighbor ASBR-2 send-community extended
      neighbor ASBR-2 route-reflector-client
      neighbor RR-1 activate
      neighbor RR-1 send-community extended
      neighbor RR-1 next-hop-unchanged
     exit-address-family





    In IOS-XR, in order to send IPv4 prefixes with labels over a labeled BGP session, the IOS-XR router must be the originator of the prefixes. On the other hand, an IOS router can send labeled IPv4 prefixes over a labeled BGP session whether or not it is the originator of those prefixes.

    If an output route-map is applied on a labeled BGP session, then labels will be added only to those prefixes that have the command "set mpls-label" under the relevant statement in the route-map. Generally, if a router is advertising IPv4 prefixes with labels, then you can use an output route-map (with the "set mpls-label" command) to specify which prefixes will be sent with a label.

    You need to disable the default RT filter on the ASBRs, unless they have all the VRFs locally configured or they are VPNv4 RRs.

    In most IOS software releases, the command "mpls bgp forwarding" is added automatically under the eBGP peering interface when a VPNv4 or labeled BGP session is configured between directly connected peers. If you use loopbacks for peering, then you must configure it manually. Always verify that it is present, together with the interface's MPLS operational state.

    IOS
    R1#sh mpls int
    Interface              IP            Tunnel   BGP Static Operational
    FastEthernet0/0.13     Yes (ldp)     No       No  No     Yes
    FastEthernet0/0.30     No            No       Yes No     Yes


    Generally, Cisco software requires a /32 route for each next-hop that should be label switched. In the Inter-AS B/C options, in IOS-XR you must manually add a /32 static route for the peer address of the interconnection in order to create a label for it. IOS automatically creates a /32 connected route when the relevant VPNv4 or labeled BGP session comes up.

    IOS-XR
    router static
     address-family ipv4 unicast
      10.10.10.2/32 GigabitEthernet0/2/1/2



    IOS
    Dec 29 15:45:30.703: %BGP-5-ADJCHANGE: neighbor 10.10.10.2 Up
    Dec 29 15:45:30.707: CONN: add connected route, idb: FastEthernet0/0.30, addr: 10.10.10.2, mask: 255.255.255.255



    If you want to achieve load-sharing in an MPLS L3VPN environment with RRs, you can use a different RD per PE in combination with BGP multipath.

    Inter-AS scenarios emulated in GNS3 might sometimes cause very large delays in data forwarding. Increase the ping/traceroute timeout in order to verify connectivity.



    Static Label Bindings

    In some cases you don't have the option of enabling LDP or having a VPNv4 or labeled BGP session between directly connected peers, but you still need to have the label switching functionality on their interconnection.

    For example, if you configure the following static route in order to reach the peer's loopback:

    IOS
    ip route 19.19.19.19 255.255.255.255 12.1.19.19

    IOS
    R1#sh mpls forwarding-table 19.19.19.19 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    24         No Label   19.19.19.19/32   0             Fa0/0  12.1.19.19
            MAC/Encaps=18/18, MRU=1504, Label Stack{}
            CA02141C0008CA0417EC0000810000770800
            No output feature configured


    then you also need to add a static (outgoing) label binding for it:

    IOS
    mpls static binding ipv4 19.19.19.19 255.255.255.255 output 12.1.19.19 implicit-null

    IOS
    R1#sh mpls static binding
    19.19.19.19/32: Incoming label: none;
      Outgoing labels:
         12.1.19.19           implicit-null


    R1#sh mpls forwarding-table 19.19.19.19 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    24         Pop Label  19.19.19.19/32   0             Fa0/0  12.1.19.19
            MAC/Encaps=18/18, MRU=1504, Label Stack{}
            CA02141C0008CA0417EC0000810000770800
            No output feature configured


    At the same time, you must enable MPLS on this interface without using LDP:

    IOS
    R1#sh mpls int FastEthernet0/0
    Interface              IP            Tunnel   BGP Static Operational

    IOS
    interface FastEthernet0/0
     mpls bgp forwarding

    IOS
    R1#sh mpls int FastEthernet0/0
    Interface              IP            Tunnel   BGP Static Operational
    FastEthernet0/0        No            No       Yes No     Yes



    Static Label Bindings per Interface

    • multiaccess interfaces
      • next-hop ip address required
      • label required
    • point-to-point interfaces
      • interface required

    The above differentiation per interface is applicable only on specific software releases. The multiaccess interface is the common one.

    If you must configure specific static labels, then you must first define the label range (which will sometimes require a reload).

    Implicit-null is used in the above example because PHP (pop label) must happen towards the directly connected peer.



    Inter-AS L3VPN

    If you want to follow an Inter-AS L3VPN path (assuming the control plane has been set up correctly), then you can execute the following algorithm:
    • first router (start PE)
      • Find the VPN label for the prefix
      • Find the Transport label(s) for the prefix's next-hop
    • n router
      • Follow the Transport top label swaps until there is a "Pop Label" for next router
    • n+1 router
      • Find the local VPN label for the prefix
        • If VPN label is "nolabel", then
          • router is the end PE
          • VPN is locally attached
        • If VPN label is other, then
          • router is an RR/ASBR
          • find the Transport label(s) for the prefix's new next-hop
          • go to "n router"
        • If VPN label doesn't exist, then 
          • multiple Transport labels exist
          • go to "n router"

    If the route is learned from IGP, the Transport label must be allocated through LDP/RSVP.
    If the route is learned from BGP, the Transport label must be allocated through BGP.


    Example

    R6(PE1)=>R4(P1)=>XR1(ASBR1)=>R1(ASBR2)=>R3(P2)=>R2(PE3)

    Start PE

    IOS
    R6#sh bgp vpnv4 unicast all 7.7.7.7/32
    BGP routing table entry for 102:202:7.7.7.7/32, version 36
    Paths: (1 available, best #1, table VPN_B)
      Not advertised to any peer
      100
        2.2.2.2 (metric 20) from 20.20.20.20 (20.20.20.20)
          Origin incomplete, metric 0, localpref 100, valid, internal, best
          Extended Community: RT:102:202 0x8800:32768:0 0x8801:1:130560
            0x8802:65281:25600 0x8803:65281:1500 0x8806:0:0
          mpls labels in/out nolabel/26


    VPN label is 26


    IOS
    R6#sh mpls forwarding-table 2.2.2.2 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    None       23         2.2.2.2/32       0             Fa0/0.46   20.4.6.4
            MAC/Encaps=18/26, MRU=1496, Label Stack{16 23}
            CA0611100000CA0115B000008100002E8847 0001000000017000
            No output feature configured


    Transport label is 16/23, VPN label is 26



    IOS
    R4#sh mpls forwarding-table labels 16 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    16         Pop Label  19.19.19.19/32   18896         Fa0/0.419  20.4.19.19
            MAC/Encaps=18/18, MRU=1504, Label Stack{}
            CA02141C0008CA0611100000810001A38847
            No output feature configured


    Transport label is 23, VPN label is 26


    IOS

    XR1#sh mpls forwarding-table labels 23 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    23         20         2.2.2.2/32       22628         Fa0/0.119  12.1.19.1
            MAC/Encaps=18/22, MRU=1500, Label Stack{20}
            CA0417EC0000CA02141C0008810000778847 00014000
            No output feature configured



    Transport label is 20, VPN label is 26


    IOS

    R1#sh mpls forwarding-table labels 20 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    20         19         2.2.2.2/32       24518         Fa0/0.13   10.1.3.3
            MAC/Encaps=18/22, MRU=1500, Label Stack{19}
            CA0711100000CA0417EC00008100000D8847 00013000
            No output feature configured



    Transport label is 19, VPN label is 26



    IOS

    R3#sh mpls forwarding-table labels 19 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
    Label      Label      or Tunnel Id     Switched      interface
    19         Pop Label  2.2.2.2/32       85693         Fa0/0.23   10.2.3.2
            MAC/Encaps=18/18, MRU=1504, Label Stack{}
            CA0517EC0000CA0711100000810000178847
            No output feature configured



    VPN label is 26



    IOS

    R2#sh bgp vpnv4 unicast all 7.7.7.7/32
    BGP routing table entry for 102:202:7.7.7.7/32, version 4
    Paths: (1 available, best #1, table VPN_B)
      Advertised to update-groups:
         1
      Local
        40.2.7.7 from 0.0.0.0 (2.2.2.2)
          Origin incomplete, metric 156160, localpref 100, weight 32768, valid, sourced, best
          Extended Community: RT:102:202 Cost:pre-bestpath:128:156160
            0x8800:32768:0 0x8801:1:130560 0x8802:65281:25600 0x8803:65281:1500
            0x8806:0:0
          mpls labels in/out 26/nolabel


    End PE found
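
    The same walk can be replayed in code. The Python below is an added example, not part of the original notes: it rebuilds the per-router tables from the show outputs above and follows the label stack hop by hop, stopping at the end PE or failing at the first router that has no entry for the top label. The table layout and the names LFIB, VPN, INGRESS and trace are assumptions made for this illustration.

```python
# Tables constructed from the show outputs in the example above (layout is hypothetical).
# LFIB: router -> {local label: (action, outgoing label, next router)}
LFIB = {
    "R4":  {16: ("pop", None, "XR1")},
    "XR1": {23: ("swap", 20, "R1")},
    "R1":  {20: ("swap", 19, "R3")},
    "R3":  {19: ("pop", None, "R2")},
}
# VPN: router -> {prefix: (VPN label in, VPN label out)}; None stands for "nolabel"
VPN = {
    "R6": {"7.7.7.7/32": (None, 26)},
    "R2": {"7.7.7.7/32": (26, None)},
}
# INGRESS: router -> {prefix: (transport stack towards the BGP next-hop, next router)}
INGRESS = {"R6": {"7.7.7.7/32": ([16, 23], "R4")}}   # next-hop 2.2.2.2, Label Stack{16 23}


def trace(start, prefix, lfib=LFIB, vpn=VPN, ingress=INGRESS, max_hops=32):
    """Return [(router, label stack it sends)] from the start PE to the end PE."""
    _, vpn_out = vpn[start][prefix]
    transport, router = ingress[start][prefix]
    stack = transport + [vpn_out]                    # top of stack first
    path = [(start, list(stack))]
    for _ in range(max_hops):                        # guards against label loops
        vpn_in, vpn_out = vpn.get(router, {}).get(prefix, (None, None))
        if stack == [vpn_in]:                        # only this router's VPN label is left
            if vpn_out is None:                      # "in/out 26/nolabel": end PE
                return path + [(router, [])]
            # RR/ASBR that re-advertised the route: new VPN label, new transport stack
            transport, nxt = ingress[router][prefix]
            stack = transport + [vpn_out]
        else:                                        # a transport label is still on top
            top = stack[0] if stack else None
            entry = lfib.get(router, {}).get(top)
            if entry is None:
                raise LookupError(f"{router}: no LFIB entry for top label {top}")
            action, out_label, nxt = entry
            stack = stack[1:] if action == "pop" else [out_label] + stack[1:]
        path.append((router, list(stack)))
        router = nxt
    raise RuntimeError("hop limit reached, possible label loop")


if __name__ == "__main__":
    for hop, labels in trace("R6", "7.7.7.7/32"):
        print(f"{hop:4} sends {labels}")
```

    Removing a router's entry from LFIB makes trace raise LookupError naming the router where the LSP breaks.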




    RT Rewrite

    RT Rewrite is used mainly in Inter-AS topologies, when there is a need to keep different RTs between the ASes. It allows the ASBR (or any other router that's involved) to replace the peer AS's RTs with its own.

    Configuration Steps
    • define the RTs to be replaced
    • configure a route-map that matches the above RTs, deletes them and then adds the new RTs
    • apply the route-map to the bgp neighbor session


    IOS
    ip extcommunity-list 1 permit rt 200:1
    ip extcommunity-list 2 permit rt 200:2
    !
    route-map RT-REWRITE-ROUTEMAP permit 10
     match extcommunity 1
     set extcomm-list 1 delete
     set extcommunity rt 100:1 additive
     continue 20
    !
    route-map RT-REWRITE-ROUTEMAP permit 20
     match extcommunity 2
     set extcomm-list 2 delete
     set extcommunity rt 100:2 additive
    !
    route-map RT-REWRITE-ROUTEMAP permit 30
    !
    router bgp 100
     neighbor 10.10.10.2 remote-as 200
     !
     address-family vpnv4
      neighbor 10.10.10.2 activate
      neighbor 10.10.10.2 send-community extended
      neighbor 10.10.10.2 route-map RT-REWRITE-ROUTEMAP in


    Use the "additive" keyword when setting the new RT in order to not erase all other extended communities.

    Use the "continue" statement (in ingress route-maps) when you need to rewrite more than one RT in the same prefix.