CCIE in 2 months - Is it possible?: VRF

Showing posts with label VRF. Show all posts

Thursday, February 6, 2014

NTS: L3VPN Redistribution

L3VPN Redistribution

Configuration Steps

Configure the VRFs
Configure the RDs
Configure the import/export RTs
Assign the PE=>CE interfaces to VRFs
Configure IGP/BGP between PE-CE
Configure MP-BGP between PEs
Mutually redistribute between MP-BGP and the PE-CE IGP

BGP<=>RIP

RIP=>BGP
RIP metric => BGP MED (auto)

RIP=>BGP=>RIP
RIP metric => BGP MED => RIP metric (auto)

OTHER=>BGP=>RIP
BGP X => RIP metric (manual)

If "auto" doesn't work (for whatever reason), you can trying clearing the vrf routing table on the PE or you can use the following to set manually the RIP metric:

redistribute bgp 100 metric transparent
redistribute bgp 100 metric X
redistribute bgp 100 route-map X

Clearing of vrf routing table might be needed every time a new prefix is redistributed.

If version 2 is to be used, then it must be defined under the ipv4 vrf address-family on the PE.

RIP metric = hops (0-16)

Configuration

IOS
router rip
address-family ipv4 vrf VPN
redistribute bgp 200
!
router bgp 100
address-family ipv4 vrf VPN
redistribute rip

IOS-XR
router rip
vrf VPN
redistribute bgp 200
!
router bgp 200
vrf VPN
address-family ipv4 unicast
redistribute rip

BGP<=>EIGRP

EIGRP=>BGP
EIGRP composite metric => BGP MED (auto)
EIGRP vector metrics => BGP Extended Cost Community (auto)

EIGRP=>BGP=>EIGRP
EIGRP composite metric => BGP MED => EIGRP composite metric (auto)
EIGRP vector metrics => BGP Extended Cost Community => EIGRP vector metrics (auto)
original internal EIGRP routes appear as internal EIGRP routes when redistributed
original external EIGRP routes appear as external EIGRP routes when redistributed

OTHER=>BGP=>EIGRP
BGP X => EIGRP metrics (manual)
original routes appear as external EIGRP routes when redistributed

If "auto" doesn't work (for whatever reason), you can trying clearing the vrf routing table on the PE or you can use the following to set manually the EIGRP metrics:

redistribute bgp 100 metric K1 K2 K3 K4 K5
redistribute bgp 100 route-map X
redistribute bgp 100 route-policy X
redistribute bgp 100 & default-metric K1 K2 K3 K4 K5

Clearing of vrf routing table might be needed every time a new prefix is redistributed.

EIGRP vector metrics = K1 K2 K3 K4 K5 (i.e. 1000 10 255 1 1500)

Configuration

IOS
router eigrp 100
address-family ipv4 vrf VPN autonomous-system 1
redistribute bgp 200
exit-address-family
!
router bgp 200
address-family ipv4 vrf VPN
redistribute eigrp 1

IOS-XR
router eigrp 100
vrf VPN
address-family ipv4
   autonomous-system 1
   redistribute bgp 200
!
router bgp 200
vrf VPN
address-family ipv4 unicast
   redistribute eigrp 1

Redistribution of EIGRP into the BGP vrf requires the EIGRP autonomous-system number to be redistributed. Some software releases may accept the global EIGRP process too.

You can use the SoO extended community to prevent any possible loops.

BGP<=>ISIS

ISIS=>BGP
ISIS metric => BGP MED (auto)

ISIS=>BGP=>ISIS
ISIS metric => BGP MED => ISIS metric (auto)

OTHER=>BGP=>ISIS
BGP X => ISIS metric (manual)

You can use the following to set manually the ISIS metric:

redistribute bgp 100 metric X
redistribute bgp 100 route-map X

Clearing of vrf routing table might be needed every time a new prefix is redistributed.

ISIS metric = hops (10)

Configuration

IOS
router isis 100
address-family ipv4 vrf VPN
redistribute bgp 200
!
router bgp 200
address-family ipv4 vrf VPN
redistribute isis 100

IOS-XR
router isis 100
vrf VPN
redistribute bgp 200
!
router bgp 200
vrf VPN
address-family ipv4 unicast
redistribute isis 100

Redistribution doesn't take into account the IS-IS connected routes. You have to explicitly define them.

In order to void a possible loop while doing redistribution (when L1 is involved), you can change the distance of the ISIS advertised routes (excluding connected) on the PE to be higher than BGP's.

IOS
router isis 100
vrf VPN
distance 201 0.0.0.0 255.255.255.255 ISIS-NOT-CONNECTED-ACL

BGP<=>OSPF

OSPF=>BGP
OSPF metric => BGP MED + 1 (auto)
OSPF Area/LSA => BGP extended community "OSPF RT" (auto)

OSPF=>BGP=>OSPF
OSPF metric => BGP MED + 1 => OSPF metric (auto)

original intra-area routes appear as inter-area routes when redistributed (if same OSPF Domain-ID)
original intra-area routes appear as external-2 routes when redistributed (if different OSPF Domain-ID)
type-4 LSAs are not redistributed into BGP
original external routes appear as external-2 routes when redistributed (requires "match external" in redistribution from OSPF to BGP)

OTHER=>BGP=>OSPF
BGP X => OSPF metric (manual)

You can always use the following to manually set the OSPF metric:

redistribute bgp 200 metric X
redistribute bgp 200 route-map X

Clearing of vrf routing table might be needed every time a new prefix is redistributed.

OSPF metric = interface cost (0-65535)

"OSPF RT" Extended Community

"OSPF RT" format is "Area:LSA-Type:External-Type"

LSA Type to OSPF RT conversion

Type-1/2 => RT 2
Type-3 => RT 3
Type-5 => RT 5
Type-7 => RT 7
Sham-links => RT 129

Examples

OSPF RT:0.0.0.0:2:0

area 0.0.0.0
LSA-Type 1/2

OSPF RT:0.0.0.0:5:0

LSA-Type 5
External 1

OSPF RT:0.0.0.0:5:1

LSA-Type 5
External 2

Configuration

IOS
router ospf 100 vrf VPN
redistribute bgp 200 subnets
!
router bgp 200
address-family ipv4 vrf VPN
redistribute ospf 100 vrf VPN

IOS-XR
router ospf 100
vrf VPN
redistribute bgp 200
!
router bgp 200
vrf VPN
address-family ipv4 unicast
redistribute ospf 100

In IOS, if you don't include the vrf name in the redistribution of OSPF into BGP, it gets automatically added to the configuration.

The DN Bit and the VPN Route Tag

For a PE it is necessary to know if a particular prefix has been learned from another PE router, in order to avoid re-advertisement of it into BGP and cause a loop.

Two mechanisms are mainly used for loop prevention when OSPF is used as PE-CE protocol.

the DN bit
the VPN Route (or OSPF Domain) tag

By default, when a type 3, 5, 7 LSA is sent from a PE to a CE, the DN bit is set by the PE.

When another PE receives from a CE router, a type 3, 5, 7 LSA with the DN bit set, the prefix information from that LSA is not used during the OSPF route calculation, which means that the prefix doesn't get installed into the PE's BGP table.

Almost all Cisco software releases support the setting of DN bit only for Type-3 LSAs and they use a 32-bit VPN Route tag for Type-5/7 LSAs. The configuration and inclusion of the VPN Route Tag is required by all implementations for backward compatibility with older implementations that do not set the DN bit in type 5/7 LSAs.

If a PE router receives an LSA that contains the same VPN Route Tag as the locally configured tag, then the local PE router knows that another PE router (from the same domain) generated this route and the LSA is ignored.

16bit ASNs

VPN Route tag Format: 1101 000000000000 ASN_of_VPN_Backbone

32bit ASNs

VPN Route tag must be defined manually

You can change this default value by using the "domain-tag" command within the OSPF VRF process configuration.

IOS
router ospf 100 vrf VPN
domain-tag 12345

IOS-XR
router ospf 100
vrf TEST
domain-tag 12345

In case of Multi-VRF (VRF-Lite), the router that is accepting the LSA with the DN bit is actually a CE router with no BGP VPNv4 functionality, so there is no danger of redistributing this prefix into BGP. In order to bypass this DN bit check, the following configuration can be enabled.

IOS
router ospf 100 vrf VPN
capability vrf-lite

IOS-XR
router ospf 100
vrf VPN
disable-dn-bit-check

Verification

IOS
R1#sh ip ospf 100 database summary 10.7.7.7

            OSPF Router with ID (10.1.3.1) (Process ID 100)

                Summary Net Link States (Area 0)

Routing Bit Set on this LSA in topology Base with MTID 0
LS age: 1196
Options: (No TOS-capability, DC, Downward)
LS Type: Summary Links(Network)
Link State ID: 10.7.7.7 (summary Network Number)
Advertising Router: 10.1.2.2
LS Seq Number: 80000005
Checksum: 0x2761
Length: 28
Network Mask: /32
        MTID: 0         Metric: 2

R1#sh ip ospf 100 database external 7.7.7.7

            OSPF Router with ID (10.1.3.1) (Process ID 100)

                Type-5 AS External Link States

Routing Bit Set on this LSA in topology Base with MTID 0
LS age: 1302
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 7.7.7.7 (External Network Number )
Advertising Router: 10.1.2.2
LS Seq Number: 80000004
Checksum: 0x6DCF
Length: 36
Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 3489661028

Links

IETF - RFC 4576 (the DN-bit)

OSPF Domain-ID

OSPF Domain-ID is an attribute that defines how (internal, external) the OSPF routes will be transferred from one CE to another CE over their PEs BGP VPNv4 session.

On a PE, if the OSPF Domain-ID of the received BGP prefixes (encoded as extended community) is the same as the OSPF Domain-ID of the local OSPF process, then:

the MPLS core is treated like a SuperBackbone area (which is considered higher than area 0)
the PE is treated like an ABR (instead of an ASBR)
internal routes are being redistributed as Type-3 LSAs (instead of Type-5)

IOS-XR uses a null Domain-ID by default, so this needs to be changed if the other PE is running IOS (which is encoding the OSPF process-id as domain-id). OSPF Domain-ID needs to be changed on the PEs (where redistribution between BGP and OSPF takes place), not on the CEs.

The "type" value can be different is some cases for backwards compatibility (like in 0005 vs 8005).

Detailed Steps

OSPF=>BGP redistribution on PE1

if the OSPF Domain tag of the local OSPF process is the same as the VPN Route tag of the prefix, then that route isn't installed into BGP
if the OSPF DN bit check is enabled in the local OSPF process and the OSPF route has this bit set, then that route isn't installed into BGP
if the route is installed into BGP

the Domain-ID of the local OSPF process is encoded into OSPF DOMAIN ID community on the prefix

the area and the LSA type of the OSPF prefix is encoded into OSPF RT community on the prefix

the Router-ID of the local OSPF process is encoded into OSPF ROUTER ID community on the prefix

BGP=>OSPF redistribution on PE2

if the Domain-ID of the local OSPF process is the same as the OSPF DOMAIN ID community of the prefix, then that route is passed to the CE as internal else as external

Configuration

IOS
router ospf 100 vrf VPN
domain-id type 0005 value 000000440101

IOS-XR
router ospf 100
vrf VPN
domain-id type 0005 value 000000440101

Verification

You can use "sh ip ospf" to see the Domain-ID of the local OSPF process.

You can use "sh bgp vpn4 unicast" to see the Domain-ID encoded as extended community in the BGP prefixes (OSPF RT is included too).

R2#sh ip ospf 100
Routing Process "ospf 100" with ID 10.1.2.2
   Domain ID type 0x0005, value 0x000000440101
Start time: 00:13:37.092, Time elapsed: 00:36:17.144
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
Connected to MPLS VPN Superbackbone, VRF VPN
Event-log disabled
It is an area border and autonomous system boundary router
Redistributing External Routes from,
    bgp 100, includes subnets in redistribution

R2#sh bgp vpnv4 unicast vrf VPN 1.1.1.1/32
BGP routing table entry for 100:1:1.1.1.1/32, version 2
Paths: (1 available, best #1, table VPN)
Advertised to update-groups:
     1
Local
    10.1.2.1 from 0.0.0.0 (2.2.2.2)
      Origin incomplete, metric 2, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:100:1 OSPF DOMAIN ID:0x0005:0x000000440101
        OSPF RT:0.0.0.0:3:0 OSPF ROUTER ID:10.1.2.2:0
      mpls labels in/out 28/nolabel

R2#sh ip ospf 100 database

            OSPF Router with ID (10.1.2.2) (Process ID 100)
...
                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.1         10.1.1.1        980         0x80000002 0x00F336
...

LSA Type-3 (Summary) in local OSPF table is encoded as "OSPF RT:0.0.0.0:3:0" in local BGP table.

Propagation of OSPF routes between CE1 and CE2

same domain-id

CE1 O => CE2 IA

different domain-id

CE1 O => CE2 E2

sham-link (regardless of domain-id)

CE1 O => CE2 O

Extra care needs to be taken if route tags are changed manually on OSPF=>BGP redistribution, because external OSPF routes are tagged by the BGP ASN when BGP=>OSPF redistribution takes place, which means that the original tag is lost (which could lead to a loop)

IOS
R6#sh ip route 1.1.1.1
Routing entry for 1.1.1.1/32
Known via "ospf 100", distance 110, metric 2
Tag Complete, Path Length == 1, AS 100, , type extern 2, forward metric 1
Last update from 10.10.10.5 on POS4/0, 00:00:03 ago
Routing Descriptor Blocks:
* 10.10.10.5, from 10.10.10.5, 00:00:03 ago, via POS4/0
Route metric is 2, traffic share count is 1
Route tag 3489661028

If a BGP VPNv4 route is redistributed into OSPF, then redistributed into another IGP like RIP (where all the information (DN bit, VPN Route-Tag) needed to prevent looping is lost), and then redistributed back into OSPF, then it is possible that it could be redistributed back into BGP as a VPNv4 route, thereby causing a loop.

You can use route tags at every step of redistribution in order to avoid possible routing loops, either caused by the above scenario or by mutual redistribution in two places.

NTS: VRF

VRF

VRF Basic Configuration

IOS
ip vrf VPN-A
rd 100:1
route-target export 100:1
route-target import 100:1
!
vrf definition VPN-B
rd 100:2
address-family ipv4
route-target export 100:2
route-target import 100:2
exit-address-family
address-family ipv6
route-target export 100:2
route-target import 100:2
exit-address-family

IOS-XR
vrf VPN-C
address-family ipv4 unicast
import route-target
   100:3
export route-target
   100:3
address-family ipv6 unicast
import route-target
   100:3
export route-target
   100:3
!
router bgp 100
vrf VPN-C
rd 100:3

Prefer to use the "vrf definition" command to configure VRFs. Always include an address-family, most probably the ipv4 one.

You can have different import/export RTs per address family. If you have common ones, then you can define them directly under the vrf definition.

IOS-XR requires the VRF RD config under the BGP process.

You can use the "rd auto" command in IOS -XR in order to automatically create unique RDs per VRF.

IOS-XR
router bgp 100
vrf VPN
rd auto

If you don't define any export RTs for a VRF on the local PE, then the prefixes will by default get dropped when they are transferred to the remote PE.

You can view all routing tables (global and VRF ones) by using the command "sh ip route vrf *".

On a router that acts as a default gateway, the following can be configured if the next-hop is in the global routing table and you want to have the static route inside the VRF but pointing to the global routing table.

IOS
ip route vrf VPN 0.0.0.0 0.0.0.0 1.1.1.1 global

You can change the default label allocation (if you want to decrease label usage) for all VRFs or a specific VRF using the following command:

IOS
R1(config)#mpls label mode vrf VPN protocol bgp-vpnv4 ?
per-prefix     Per prefix label (default)
per-vrf        Per VRF label for entire VRF
vrf-conn-aggr Per VRF label for connected and BGP aggregates in VRF

Export RT per Prefix

You can use an export map in order to set different export RTs per prefix.

IOS
vrf definition VPN-A
rd 100:1
!
address-family ipv4
export map R1-MAP
exit-address-family
!
route-map R1-MAP permit 10
match ip address R1-ACL
set extcommunity rt 2.2.2.2:11 2.2.2.2:111
!
ip access-list standard R1-ACL
permit 1.1.1.1
!

IOS-XR
vrf VPN-A
address-family ipv4 unicast
export route-policy R1-RPOLICY
!
route-policy R1-RPOLICY
if destination in (1.1.1.1/32) then
set extcommunity rt (2.2.2.2:11, 2.2.2.2:111)
endif
end-policy

In the IOS-XR route-policy you must use destination in order to match the required prefix. Also you can use parenthesis whenever you need to group parameters, like the multiple RTs.

If you initially have no export RTs and later decide to add some through an export map, then you must reset the VPNv4 BGP sessions in order to have the BGP routes get the new RTs immediately.

Import global routes into VRF

You have the option of importing various global routes into a specific VRF, while at the same time limiting the number of them.

IOS
vrf definition VPN_A
rd 100:1
route-target export 100:1
route-target import 100:1
!
address-family ipv4
import ipv4 unicast 5 map GLOBAL-TABLE-ROUTEMAP
exit-address-family
!
route-map GLOBAL-TABLE-ROUTEMAP permit 10
match ip address prefix-list PREFIX-LIST
!
ip prefix-list PREFIX-LIST seq 5 permit 4.4.4.4/32
match ip address prefix-list PREFIX-LIST

IOS
R2#sh bgp vpnv4 unicast all
BGP table version is 8, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf VPN_A)
Import Map: GLOBAL-TABLE-ROUTEMAP, Address-Family: IPv4 Unicast, Pfx Count/Limit: 1/5
*> 1.1.1.1/32       10.1.2.1                 0         32768 i
*> 4.4.4.4/32       20.2.4.4                10         32768 i
*> 10.1.2.0/24      0.0.0.0                  0         32768 i
*>i10.19.20.0/24    19.19.19.19              0    100      0 i
*>i20.20.20.20/32   19.19.19.19              0    100      0 i

R2#sh bgp vpnv4 unicast all 4.4.4.4/32
BGP routing table entry for 100:1:4.4.4.4/32, version 8
Paths: (1 available, best #1, table VPN_A)
Not advertised to any peer
Local, imported path from 4.4.4.4/32
    20.2.4.4 from 0.0.0.0 (2.2.2.2)
      Origin IGP, metric 10, localpref 100, weight 32768, valid, external, no-import, best

The global route to be imported must exist in the global BGP table (existence in RIB doesn't matter).

No RTs or other attributes will be assigned to the imported prefixes. Use the route-map set commands to configure those.

In latest IOS releases (>15.x) you have to option of doing the opposite too, export prefixes from a VRF into the global BGP table.

The commands "import/export map" (which are different from the above) are used to filter the VRF <=> MP-BGP prefixes, while the commands "import/export ipv4 unicast" are used to leak routes between the VRF and the global BGP table.

Inbound VPN Prefix Filtering due to RTs

In VPNv4/v6 BGP setups, all BGP VPN prefixes are checked against the local RT import policies and if there is no match found, then the prefix is discarded (in order to keep the BGP table small).

Route-Reflectors have this filter disabled by default, because they need all the prefixes to accommodate all possible PEs. In order to disable it manually on other routers, you can use the following commands.

IOS
router bgp 100
no bgp default route-target filter

IOS-XR
router bgp 100
address-family vpnv4 unicast
retain route-target all

IOS-XR supports also the selective filtering of RTs by using a policy that matches specific RTs.

IOS-XR
router bgp 100
address-family vpnv4 unicast
retain route-target route-policy RT-POLICY
!
route-policy RT-POLICY
if extcommunity rt matches-any (100:1, 100:2) then
pass
else
drop
endif

Multi-VRF (VRF-Lite)

It allows a logical separation of a CE router into multiple VRFs, without the need for MPLS/MP-BGP. Using MPLS Multi-VRF you can extend the LSPs to the CE and all routing domains that the CE supports.

Usually, a router with Multi-VRF is shared by several customers and each customer has their own routing table.

Characteristics

one or more VRFs configured and assigned to interfaces
no MPLS configured
no BGP VPNv4 configured
no RTs under "vrf definition" required on IOS
no RDs under "bgp vrf" required on IOS-XR

Configuration Steps

Configure VRFs on the PE and the CE
Configure the routing protocol for each VRF on the CE towards each customer
Configure BGP or IGP as PE-CE protocol for each VRF
Configure labeling either with BGP+Label or IGP+LDP (if required)

Special care must be taken in case of using OSPF as PE-CE protocol, because due to setting the DN bit by default on specific routes advertised from PE to CE, these routes wouldn't be installed in the Multi-VRF CE's routing table.

Always prefer to use BGP as PE-CE, due to its simpler configuration and better filtering.

Traffic classification into a VRF

One VRF per interface

Classic method (IOS, IOS-XR)

Multiple VRFs per interface

Multi-VRF Selection Using Policy-Based Routing (IOS)

match an ip access-list

VRF Selection Based on Source IP Address (IOS)

match the source ip address

VRF-Autoclassify (IOS)

match the directly connected prefix

ACL Based Forwarding with VRF Next-Hop (IOS-XR)

match an ip access-list

Classic Method

IOS
interface X
ip vrf forwarding VPN-A
!
interface X
vrf forwarding VPN-B

IOS-XR
interface X
vrf VPN-C

Multi-VRF Selection Using Policy-Based Routing

It allows a specific interface on a PE router to route packets to different VPNs based on various match criteria defined in an ip access list or on packet length.

IOS
interface X
ip vrf receive VPN-A
ip vrf receive VPN-B
ip vrf receive VPN-C
ip address 1.1.1.1 255.255.255.0
ip policy route-map VRF-SELECTION-PBR

ip access-list standard VPN-A-ACL
permit 1.1.2.2
ip access-list standard VPN-B-ACL
permit 1.1.3.3
ip access-list standard VPN-C-ACL
permit 1.1.4.4
!
route-map VRF-SELECTION-PBR permit 10
match ip address VPN-A-ACL
set vrf VPN-A
!
route-map VRF-SELECTION-PBR permit 20
match ip address VPN-B-ACL
set vrf VPN-B
!
route-map VRF-SELECTION-PBR permit 30
match ip address VPN-C-ACL
set vrf VPN-C

Limitations

multicast is not usually supported by PBR

VRF Selection Based on Source IP Address

It allows a specific interface on a PE router to route packets to different VPNs based upon the source IP address of the packets. It's supported only on very specific hardware.

IOS
vrf selection source 1.1.1.0 255.255.255.0 vrf VPN-A
vrf selection source 2.2.2.0 255.255.255.0 vrf VPN-B
!
int X
ip vrf select source
ip vrf receive VPN-A
ip vrf receive VPN-B

Limitations

supported by limited hardware
performance can degrade with longer subnet masks

If it's not supported by the router, you'll get the following output:

R1(config)#vrf selection source 1.1.1.0 255.255.255.0 vrf VPN-A
% VRF Select: failed to add config

VRF-Autoclassify

It allows a specific interface on a PE router to route packets to different VPNs based on the ip addresses assigned to directly connected hosts.

At the same time it also enables certain types of Policy Based Routing (PBR) to be created dynamically without configuring all the related route maps and access lists. More specifically it enables the dynamic configuration of policies that are required for the mapping of packets to the VRFs, depending on whether the source address of the packet belongs to those connected routes.

IOS
interface X
ip address 1.1.1.1 255.255.255.0 secondary vrf VPN-A
ip address 1.1.2.1 255.255.255.0 secondary vrf VPN-B
ip address 2.2.2.2 255.255.255.0
ip vrf autoclassify source
!
interface Y
ip vrf forwarding VPN-A
ip address 10.10.10.1 255.255.255.0
!
interface Z
ip vrf forwarding VPN-B
ip address 20.20.20.1 255.255.255.0

Limitations

any directly connected hosts must not run routing protocols
the router that is enabled with the VRF-Autoclassify feature must not run routing protocols
applies only to unicast packets

ACL Based Forwarding (ABF) with VRF Next-Hop

It allows packet arriving on ingress VRF to get routed on an egress interface which is in a different VRF based on various match criteria defined in an ip access list.

So you actually specify a nexthop VRF instead of a specific IP address for the nexthop. When this config is enabled, packet destination lookup will be performed in the ABF Nexthop VRF.

IOS-XR
interface X
ipv4 address 10.10.10.10 255.255.255.0
vrf VPN-A
ipv4 access-group ABF-ACL ingress
!
ipv4 access-list ABF-ACL
permit ipv4 1.1.2.2 0.0.0.0 any nexthop1 vrf VPN-A
permit ipv4 1.1.3.3 0.0.0.0 any nexthop1 vrf VPN-B
permit ipv4 1.1.4.4 0.0.0.0 any nexthop1 vrf VPN-C

Limitations

applies only to ASR9k and CRS running IOS-XR

NTS: EIGRP

EIGRP

EIGRP (Enhanced Interior Gateway Routing Protocol) is described in draft-savage-eigrp.

EIGRP is protocol number 88.

Packets are sent to multicast 224.0.0.10 (IPv4) or FF02::A (IPv6).

Metrics

bandwidth

minimum bandwidth (kbps) => 10^7 / bandwidth

delay

total route delay (tens of microseconds) => delay/10

reliability

likelihood of successful packet transmission (0-255)

load

effective load of the route (0-255)

mtu

minimum MTU size (bytes)

All metrics are calculated from the outgoing interface towards the destination.

metric = [K1 * bandwidth + (K2 * bandwidth) / (256 - load) + K3 * delay] * [K5 / (reliability + K4)]

Default

K1=K3=1
K2=K4=K5=0

Bandwidth and Delay are the ones used by default.

metric = (10^7/bandwidth + delay/10) x 256

Example

minimum bandwidth = 100 Kbps
total delay = 20000 + 5000 = 25000 usec
metric = (10^7/100 + 25000/10 ) x 256 = 26240000

Mismatched K values (weights for EIGRP metrics) can prevent neighbor relationships.

IOS
router eigrp 1
metric weights 0 1 0 1 0 0

IOS-XR
router eigrp 1
address-family ipv4
metric weights 0 1 0 1 0 0

Route Selection

The lowest calculated metric from a router to a destination is called the feasible distance (FD) of that destination
If a neighbor's advertised distance to a destination is lower than router's FD, then that neighbor becomes a feasible successor (FS) to the specific destination
Every destination for which there is at least one FS, will be installed in the router's EIGRP topology
For every destination in the router's EIGRP topology, the route with the lowest metric will be installed in the RIB
The neighbor advertising that route will be successor for that destination

Load Balancing

By default traffic to equal cost paths (up to 4) is load balanced.

Unequal-Cost Load Balancing

You can use a variance as a multiplier to determine which routes are feasible for unequal-cost load balancing, according to the following condition:

route metric < lowest cost metric * variance

Routes that follow the above rule are installed into RIB as long as maximum-paths (default=4) is not exceeded.

Traffic Sharing

balanced (default)

traffic is distributed proportionately to the ratios of the route metrics

minimum

traffic is distributed equally across all paths that have a cost equal to the minimum cost path

In general:

variance

affects what non-lowest cost routes are installed into RIB

traffic-share

affects how traffic is distributed across best routes

In order to use only one path for traffic forwarding, but install more different-cost paths into RIB (for faster convergence), you can use a combination of both features.

IOS
router eigrp 1
traffic-share min across-interfaces
variance x

IOS-XR
router eigrp 1
address-family ipv4
variance x

Traffic-share is not supported in IOS-XR.

Stub Routing

A router that is configured as a stub with the "eigrp stub" command cannot be used as transit and shares connected and summary routing information with all neighbor routers by default. Generally, the following can be permitted/denied explicitly :

connected
static
summary
redistributed
leak-map
receive-only

Stub routing also minimizes the exchange of queries.

Route Summarization

IOS
interface X
ip summary-address eigrp 100 x.x.x.x y.y.y.y

IOS-XR
router eigrp 100
address-family ipv4
interface X
summary-address x.x.x.x/y

Default route can be originated the same way

Split-horizon

Split horizon blocks route information from being advertised by a router out of any interface from which that information originated. With non-broadcast networks (such as Frame Relay multipoint), you may want to disable it with "no ip split-horizon eigrp x".

An alternative is poison-reverse: Once you learn of a route through an interface, advertise it as unreachable back through that same interface.

Configuration

IOS
router eigrp 1
network 1.1.1.0 0.0.0.255
!
ipv6 router eigrp 1
!
interface X
ipv6 eigrp 1

IOS-XR
router eigrp 1
address-family ipv4
interface X
!
address-family ipv6
interface X

"ip hello-interval eigrp x" and "ip hold-time eigrp x" under an interface can be used to tune the convergence time.

Authentication

IOS
interface X
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 KEYCHAIN
!
key chain KEYCHAIN
key 1
key-string TESTPASS

IOS-XR
router eigrp 1
address-family ipv4
interface X
authentication keychain KEYCHAIN
!
key chain KEYCHAIN
key 1
key-string TESTPASS
send-lifetime 1:00:00 february 01 2014 infinite
accept-lifetime 1:00:00 february 01 2014 infinite

Only MD5 is supported.

Key-chains in IOS-XR might require the use of lifetimes.

PE-CE

R1 (CE)

IOS
router eigrp 1
network 1.1.1.0 0.0.0.255

IOS-XR
router eigrp 1
address-family ipv4
interface X

R2 (PE)

IOS
router eigrp 100
address-family ipv4 vrf VPN autonomous-system 1
network 1.1.1.0 0.0.0.255
exit-address-family

IOS-XR
router eigrp 100
vrf VPN
address-family ipv4
autonomous-system 1
interface X

CE EIGRP process number and PE EIGRP autonomous-system must match.

Some software releases require the manual addition of "no auto-summary" under the EIGRP process.

EIGRP adjacency might not get established in IOS devices if you initially forget to add the autonomous-system number and add it later. Try to remove the whole EIGRP config and then reapply it if this is the case.

For IPv6 VRFs you have to use the named configuration on IOS (see below).

Verification

IOS
R1#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO Q Seq
                                            (sec)         (ms)       Cnt Num
0   10.1.2.2                Fa0/0             14 00:32:28 1280 5000 0 4

R2#sh ip eigrp vrf VPN_A neighbors
EIGRP-IPv4 Neighbors for AS(1) VRF(VPN)
H   Address                 Interface       Hold Uptime   SRTT   RTO Q Seq
                                            (sec)         (ms)       Cnt Num
0   10.1.2.1                Fa1/0             13 00:32:47   54   324 0 4

IOS-XR
GSR#sh eigrp vrf VNP neighbors

Sun Jan 12 19:23:12.845 UTC

IPv4-EIGRP neighbors for AS(1) vrf VPN

H   Address                 Interface       Hold Uptime   SRTT   RTO Q Seq
                                            (sec)         (ms)       Cnt Num
0   10.1.0.10               Gi0/1/0/1.1019    13 00:01:10    8   200 0 4

IOS
R1#sh ip eigrp topology
EIGRP-IPv4 Topology Table for AS(1)/ID(1.1.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 10.5.8.0/24, 1 successors, FD is 30720
        via 10.1.2.2 (30720/28160), FastEthernet0/0
P 8.8.8.8/32, 1 successors, FD is 158720
        via 10.1.2.2 (158720/156160), FastEthernet0/0
P 10.1.2.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/0
P 1.1.1.1/32, 1 successors, FD is 128256
        via Connected, Loopback0

R2#sh ip eigrp vrf VPN topology
EIGRP-IPv4 Topology Table for AS(1)/ID(10.1.2.2) VRF(VPN)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 10.5.8.0/24, 1 successors, FD is 28160
        via VPNv4 Sourced (28160/0)
P 8.8.8.8/32, 1 successors, FD is 156160
        via VPNv4 Sourced (156160/0)
P 10.1.2.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet1/0
P 1.1.1.1/32, 1 successors, FD is 156160
        via 10.1.2.1 (156160/128256), FastEthernet1/0

IOS-XR
GSR#sh eigrp vrf VPN topology

Sun Jan 12 19:30:02.425 UTC

IPv4-EIGRP Topology Table for AS(1)/ID(19.19.19.19) VRF: VPN

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 10.10.10.10/32, 1 successors, FD is 130816
        via 10.1.0.10 (130816/128256), GigabitEthernet0/1/0/1.1019
P 10.9.9.9/32, 1 successors, FD is 130816
        via VPNv4 Sourced (130816/0)
P 10.0.0.0/24, 1 successors, FD is 2816
        via VPNv4 Sourced (2816/0)
P 10.1.0.0/24, 1 successors, FD is 2816
        via Connected, GigabitEthernet0/1/0/1.1019

EIGRP route attributes are transferred as extended communities, EIGRP metric is transferred as BGP MED.

IOS
R2#sh bgp vpnv4 unicast vrf VPN 8.8.8.8/32
BGP routing table entry for 100:1:8.8.8.8/32, version 10
Paths: (1 available, best #1, table VPN)
Not advertised to any peer
Local
    5.5.5.5 (metric 3) from 3.3.3.3 (3.3.3.3)
      Origin incomplete, metric 156160, localpref 100, valid, internal, best
      Extended Community: RT:100:1 Cost:pre-bestpath:128:156160
        0x8800:32768:0 0x8801:1:130560 0x8802:65281:25600 0x8803:65281:1500
        0x8806:0:0
      Originator: 5.5.5.5, Cluster list: 3.3.3.3
      mpls labels in/out nolabel/23

Named vs AS

The following is applicable only to IOS.

Named (new)

supports VRFs under IPv4 and IPv6
supports IPv6 VRF-Lite
interface configuration goes under the af-interface under the address-family

AS (old)

supports VRFs under IPv4 only
interface configuration goes under the physical interface

Named Configuration (new)

IOS
interface POS2/0
ip address 10.10.10.1 255.255.255.0
ipv6 address 2001:20:20:20::1/64
ipv6 eigrp 2
!
router eigrp EIGRP1
!
address-family ipv4 unicast autonomous-system 1
!
af-interface POS2/0
   hello-interval 20
   hold-time 60
exit-af-interface
!
network 10.10.10.0 0.0.0.255
exit-address-family
!
address-family ipv6 unicast autonomous-system 2
!
af-interface POS2/0
   authentication mode md5
   authentication key-chain KEYCHAIN
exit-af-interface
!
exit-address-family

AS Configuration (old)

IOS
interface POS2/0
ip address 10.10.10.2 255.255.255.0
ip hello-interval eigrp 1 20
ip hold-time eigrp 1 60
ipv6 address 2001:20:20:20::2/64
ipv6 eigrp 2
ipv6 authentication mode eigrp 2 md5
ipv6 authentication key-chain eigrp 2 KEYCHAIN
!
router eigrp 1
network 10.10.10.0 0.0.0.255
!
ipv6 router eigrp 2

IOS
R1#sh eigrp address-family ipv4 neighbors
EIGRP-IPv4 VR(EIGRP1) Address-Family Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO Q Seq
                                            (sec)         (ms)       Cnt Num
0   10.10.10.2              PO2/0             45 00:56:05   46   276 0 30

R2#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO Q Seq
                                            (sec)         (ms)       Cnt Num
0   10.10.10.1              PO2/0             43 00:56:23   42   252 0 29

R1#sh eigrp address-family ipv6 int det
EIGRP-IPv6 VR(EIGRP1) Address-Family Interfaces for AS(2)
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers Un/Reliable SRTT   Un/Reliable   Flow Timer   Routes
PO2/0              1        0/0      1601       0/1         7969           0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Un/reliable mcasts: 0/0 Un/reliable ucasts: 4/8
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 3 Out-of-sequence rcvd: 2
Topology-ids on interface - 0
Authentication mode is md5, key-chain is "KEYCHAIN"

R2#sh ipv6 eigrp int det
EIGRP-IPv6 Interfaces for AS(2)
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers Un/Reliable SRTT   Un/Reliable   Flow Timer   Routes
PO2/0              1        0/0        32       0/1           50           0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Un/reliable mcasts: 0/0 Un/reliable ucasts: 3/6
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 2 Out-of-sequence rcvd: 1
Topology-ids on interface - 0
Authentication mode is md5, key-chain is "KEYCHAIN"

NTS: Inter-AS MPLS L3VPN

Inter-AS MPLS L3VPN

Inter-AS MPLS L3VPN Options are defined in RFC 4364.

Inter-AS Options

Inter-AS Option A (Back-to-Back VRF)

one logical/physical interface per VRF in the interconnection
one PE-CE eBGP/IGP session per VRF between ASBRs
IP traffic between ASBRs
no need for common RDs/RTs between ASNs
2 LSPs and 1 IP path from one PE to the other PE

Inter-AS Option B (MP-eBGP between ASBRs)

one physical/logical interface for all VRFs in the interconnection
eBGP VPNv4 between ASBRs
MPLS traffic between ASBRs
common RDs/RTs between ASNs (unless RT rewrite is used)
next-hop-self on each ASBR for iBGP

3 LSPs from one PE to the other PE

redistribute connected/static on each ASBR for the interconnection

2 LSPs from one PE to the other PE
filter to redistribute only the peer's address

multihop (loopback) peering between ASBRs

2 LSPs from one PE to the other PE
static routes for peer's loopback on each ASBR
LDP between ASBRs
MPLS static label binding for peer's loopback pointing to interconnection on each ASBR

Inter-AS Option C (Multihop MP-eBGP between RRs/PEs)

one physical/logical interface for all VRFs in the interconnection
labeled eBGP session between ASBRs for next-hop exchange
multihop eBGP VPNv4 session between RRs
MPLS traffic between ASBRs
common RDs/RTs between ASNs (unless RT rewrite is used)
change next-hop on each VPNv4 RR for the eBGP session (default)

2 LSPs from one PE to the other PE

next-hop-unchanged on each VPNv4 RR for the eBGP session

1 LSP from one PE to the other PE

eBGP session between ASBRs with directly connected interfaces

next-hop-self on each ASBR for the iBGP sessions

multihop (loopback) eBGP session between ASBRs with loopbacks

static routes for peer's loopback on each ASBR
LDP between ASBRs
MPLS static label binding for peer's loopback pointing to interconnection on each ASBR

The transport label changes whenever the next-hop changes.

Inter-AS Option A

ASBR-1

IOS
ip vrf VPN1
rd 1:100
route-target 1:100
!
ip vrf VPN2
rd 1:200
route-target 1:200
!
interface FastEthernet0/0
description ** Inter-AS NNI **
!
interface FastEthernet0/0.10
description ** Customer VPN1 **
encapsulation dot1q 10
ip vrf forwarding VPN1
ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0.20
description ** Customer VPN2 **
encapsulation dot1q 20
ip vrf forwarding VPN2
ip address 20.20.20.1 255.255.255.0
!
router bgp 1
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 update-source Loopback0
neighbor 1.1.1.1 description iBGP-VPNv4
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
neighbor 1.1.1.1 next-hop-self
exit-address-family
!
address-family ipv4 vrf VPN1
neighbor 10.10.10.2 remote-as 2
neighbor 10.10.10.2 activate
exit-address-family
!
address-family ipv4 vrf VPN2
neighbor 20.20.20.2 remote-as 2
neighbor 20.20.20.2 activate
exit-address-family

ASBR-2

IOS
ip vrf test1
rd 2:100
route-target 2:100
!
ip vrf test2
rd 2:200
route-target 2:200
!
interface FastEthernet0/0
description ** Inter-AS NNI **
!
interface FastEthernet0/0.10
description ** Customer VPN1 **
encapsulation dot1q 10
ip vrf forwarding VPN1
ip address 10.10.10.2 255.255.255.0
!
interface FastEthernet0/0.20
description ** Customer VPN2 **
encapsulation dot1q 20
ip vrf forwarding VPN2
ip address 20.20.20.2 255.255.255.0
!
router bgp 2
neighbor 2.2.2.2 remote-as 2
neighbor 2.2.2.2 update-source Loopback0
neighbor 2.2.2.2 description iBGP-VPNv4
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
neighbor 2.2.2.2 next-hop-self
exit-address-family
!
address-family ipv4 vrf VPN1
neighbor 10.10.10.1 remote-as 1
neighbor 10.10.10.1 activate
exit-address-family
!
address-family ipv4 vrf VPN2
neighbor 20.20.20.1 remote-as 1
neighbor 20.20.20.1 activate
exit-address-family

You can also use a different router-id per VRF, using the "bgp router-id" under each vrf address-family.

Inter-AS Option B

ASBR-1

IOS
interface FastEthernet0/0
description ** Inter-AS NNI **
ip address x.x.x.x
mpls bgp forwarding
!
router bgp 1
no bgp default route-target filter
neighbor PE-1 remote-as 1
neighbor PE-1 update-source Loopback0
neighbor PE-1 description MP-iBGP with PE-1
neighbor ASBR-2 remote-as 2
neighbor ASBR-2 description MP-eBGP with ASBR-2
no auto-summary
!
address-family vpnv4
neighbor PE-1 activate
neighbor PE-1 send-community extended
neighbor PE-1 next-hop-self
neighbor ASBR-2 activate
neighbor ASBR-2 send-community extended
exit-address-family

ASBR-2

IOS
interface FastEthernet0/0
description ** Inter-AS NNI **
ip address x.x.x.x
mpls bgp forwarding
!
router bgp 2
no bgp default route-target filter
neighbor PE-2 remote-as 2
neighbor PE-2 update-source Loopback0
neighbor PE-2 description MP-iBGP with PE-2
neighbor ASBR-1 remote-as 1
neighbor ASBR-1 description MP-eBGP with ASBR-1
!
address-family vpnv4
neighbor PE-2 activate
neighbor PE-2 send-community extended
neighbor PE-2 next-hop-self
neighbor ASBR-1 activate
neighbor ASBR-1 send-community extended
exit-address-family

Inter-AS Option C

RR-1

IOS
router bgp 1
no synchronization
neighbor PE-1 remote-as 1
neighbor PE-1 update-source Loopback0
neighbor PE-1 description MP-iBGP with PE-1
neighbor ASBR-1 remote-as 1
neighbor ASBR-1 update-source Loopback0
neighbor ASBR-1 description MP-iBGP with ASBR-1
neighbor RR-2 remote-as 2
neighbor RR-2 ebgp-multihop 255
neighbor RR-2 update-source Loopback0
neighbor RR-2 description MP-eBGP with RR-2
no auto-summary
!
address-family vpnv4
neighbor PE-1 activate
neighbor PE-1 send-community extended
neighbor PE-1 route-reflector-client
neighbor ASBR-1 activate
neighbor ASBR-1 send-community extended
neighbor ASBR-1 route-reflector-client
neighbor RR-2 activate
neighbor RR-2 send-community extended
neighbor RR-2 next-hop-unchanged
exit-address-family

ASBR-1

IOS
interface FastEthernet0/0
description ** Inter-AS NNI **
ip address x.x.x.x
mpls bgp forwarding
!
route-map PE2-TO-IGP permit 10
match ip address PE-2
!
router IGP 100
redistribute bgp 1 route-map PE2-TO-IGP
!
router bgp 1
no synchronization
network PE-1 mask 255.255.255.255
!
neighbor RR-1 remote-as 1
neighbor RR-1 update-source Loopback0
neighbor RR-1 description MP-iBGP to RR-1
neighbor ASBR-2 remote-as 2
neighbor ASBR-2 send-label
νeighbor ASBR-2 description MP-eBGP to ASBR-2
no auto-summary
!
address-family vpnv4
neighbor RR-1 activate
neighbor RR-1 send-community extended
exit-address-family

ASBR-2

IOS
interface FastEthernet0/0
description ** Inter-AS NNI **
ip address x.x.x.x
mpls bgp forwarding
!
route-map PE1-TO-IGP permit 10
match ip address PE-1
!
router IGP 200
redistribute bgp 2 route-map PE1-TO-IGP
!
router bgp 2
network PE-2 mask 255.255.255.255
!
neighbor RR-2 remote-as 2
neighbor RR-2 update-source Loopback0
neighbor RR-2 description MP-iBGP to RR-2
neighbor ASBR-1 remote-as 1
neighbor ASBR-1 send-label
neighbor ASBR-1 description MP-eBGP to ASBR-1
!
address-family vpnv4
neighbor RR-2 activate
neighbor RR-2 send-community extended
exit-address-family

RR-2

IOS
router bgp 2
neighbor PE-2 remote-as 2
neighbor PE-2 update-source Loopback0
neighbor PE-2 description MP-iBGP with PE-2
neighbor ASBR-2 remote-as 2
neighbor ASBR-2 update-source Loopback0
neighbor ASBR-2 description MP-iBGP with ASBR-2
neighbor RR-1 remote-as 1
neighbor RR-1 ebgp-multihop 255
neighbor RR-1 update-source Loopback0
neighbor RR-1 description MP-eBGP with RR-1
!
address-family vpnv4
neighbor PE-2 activate
neighbor PE-2 send-community extended
neighbor PE-2 route-reflector-client
neighbor ASBR-2 activate
neighbor ASBR-2 send-community extended
neighbor ASBR-2 route-reflector-client
neighbor RR-1 activate
neighbor RR-1 send-community extended
neighbor RR-1 next-hop-unchanged
exit-address-family

In IOS-XR, in order to send IPv4 prefixes with labels over a labeled BGP session, the IOS-XR router must be the originator of the prefixes. On the other hand, an IOS router can send labeled IPv4 prefixes over a labeled BGP session whether it's the originator or not of those prefixes.

If an output route-map is applied on a labeled BGP session, then labels will be added only to those prefixes that have the command "set mpls-label" under the relevant statement in the route-map. Generally, if a router is advertising IPv4 prefixes with labels, then you can use an output route-map (with the "set mpls-label" command) to specify which prefixes will be sent with a label.

You need to disable the default RT filter from the ASBRs, unless they have all the VRFs locally configured or they are VPNv4 RRs.

In most IOS software releases, the command "mpls bgp forwarding" is added automatically under the eBGP peering interface when a VPNv4 or labeled BGP session is configured between directly connected peers. If you use loopbacks for peering, then you must manually configure it. Always verify its existence, together with the interface's mpls operational state.

IOS
R1#sh mpls int
Interface              IP            Tunnel   BGP Static Operational
FastEthernet0/0.13     Yes (ldp)     No       No No     Yes
FastEthernet0/0.30     No            No       Yes No     Yes

Generally, Cisco software requires a /32 route for each next-hop that should be label switched. In the Inter-AS B/C options, in IOS-XR you must add manually a /32 static route for the peer address of the interconnection in order to create a label for that. IOS creates automatically a /32 connected route when the relevant VPNv4 or labeled BGP session comes up.

IOS-XR
router static
address-family ipv4 unicast
10.10.10.2/32 GigabitEthernet0/2/1/2

IOS
Dec 29 15:45:30.703: %BGP-5-ADJCHANGE: neighbor 10.10.10.2 Up
Dec 29 15:45:30.707: CONN: add connected route, idb: FastEthernet0/0.30, addr: 10.10.10.2, mask: 255.255.255.255

If you want to achieve load-sharing in a MPLS L3VPN environment with RRs, you can use a different RD per PE in combination with BGP multipath.

Inter-AS scenarios emulated in GNS3 might sometimes cause very large delays in data forwarding. Increase the ping/traceroute timeout in order to verify connectivity.

Static Label Bindings

In some cases you don't have the option of enabling LDP or having a VPNv4 or labeled BGP session between directly connected peers, but you still need to have the label switching functionality on their interconnection.

i.e. if you configure the following static route in order to reach peer's loopback:

IOS
ip route 19.19.19.19 255.255.255.255 12.1.19.19

IOS
R1#sh mpls forwarding-table 19.19.19.19 detail
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
24         No Label   19.19.19.19/32   0             Fa0/0 12.1.19.19
        MAC/Encaps=18/18, MRU=1504, Label Stack{}
        CA02141C0008CA0417EC0000810000770800
        No output feature configured

then you need to also add a static (outgoing) label binding for that:

IOS
mpls static binding ipv4 19.19.19.19 255.255.255.255 output 12.1.19.19 implicit-null

IOS
R1#sh mpls static binding
19.19.19.19/32: Incoming label: none;
Outgoing labels:
     12.1.19.19           implicit-null

R1#sh mpls forwarding-table 19.19.19.19 detail
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
24         Pop Label 19.19.19.19/32   0             Fa0/0 12.1.19.19
        MAC/Encaps=18/18, MRU=1504, Label Stack{}
        CA02141C0008CA0417EC0000810000770800
        No output feature configured

At the same time, you must enable MPLS on this interface without using LDP:

IOS
R1#sh mpls int FastEthernet0/0
Interface              IP            Tunnel   BGP Static Operational

IOS
interface FastEthernet0/0
mpls bgp forwarding

IOS
R1#sh mpls int FastEthernet0/0
Interface              IP            Tunnel   BGP Static Operational
FastEthernet0/0    No            No       Yes No     Yes

Static Label Bindings per Interface

multiaccess interfaces

next-hop ip address required
label required

point-to-point interfaces

interface required

The above differentiation per interface is applicable only on specific software releases. The multiaccess interface is the common one.

If you must configure specific static labels, then you must first define the label range (which will sometimes require a reload).

Implicit-null is used in the above example due to PHP (pop label) that must happen for the directly connected peer.

Inter-AS L3VPN

If you want to follow a Inter-AS L3VPN path (assuming control-plane has been setup correctly), then you can execute the following algorithm:

first router (start PE)

Find the VPN label for the prefix
Find the Transport label(s) for the prefix's next-hop

n router

Follow the Transport top label swaps until there is a "Pop Label" for next router

n+1 router

Find the local VPN label for the prefix

If VPN label is "nolabel", then

router is the end PE
VPN is locally attached

If VPN label is other, then

router is an RR/ASBR
find the Transport label(s) for the prefix's new next-hop
go to "n router"

If VPN label doesn't exist, then

multiple Transport labels exist
go to "n router"

If the route is learned from IGP, the Transport label must be allocated through LDP/RSVP.
If the route is learned from BGP, the Transport label must be allocated through BGP.

Example

R6(PE1)=>R4(P1)=>XR1(ASBR1)=>R1(ASBR2)=>R3(P2)=>R2(PE3)

Start PE

IOS
R6#sh bgp vpnv4 unicast all 7.7.7.7/32
BGP routing table entry for 102:202:7.7.7.7/32, version 36
Paths: (1 available, best #1, table VPN_B)
Not advertised to any peer
100
    2.2.2.2 (metric 20) from 20.20.20.20 (20.20.20.20)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:102:202 0x8800:32768:0 0x8801:1:130560
        0x8802:65281:25600 0x8803:65281:1500 0x8806:0:0
      mpls labels in/out nolabel/26

VPN label is 26

IOS
R6#sh mpls forwarding-table 2.2.2.2 detail
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
None       23         2.2.2.2/32       0             Fa0/0.46   20.4.6.4
        MAC/Encaps=18/26, MRU=1496, Label Stack{16 23}
        CA0611100000CA0115B000008100002E8847 0001000000017000
        No output feature configured

Transport label is 16/23, VPN label is 26

IOS
R4#sh mpls forwarding-table labels 16 detail
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
16         Pop Label 19.19.19.19/32   18896         Fa0/0.419 20.4.19.19
        MAC/Encaps=18/18, MRU=1504, Label Stack{}
        CA02141C0008CA0611100000810001A38847
        No output feature configured

Transport label is 23, VPN label is 26

IOS

XR1#sh mpls forwarding-table labels 23 detail
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
23         20         2.2.2.2/32       22628         Fa0/0.119 12.1.19.1
        MAC/Encaps=18/22, MRU=1500, Label Stack{20}
        CA0417EC0000CA02141C0008810000778847 00014000
        No output feature configured

Transport label is 20, VPN label is 26

IOS

R1#sh mpls forwarding-table labels 20 detail
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
20         19         2.2.2.2/32       24518         Fa0/0.13   10.1.3.3
        MAC/Encaps=18/22, MRU=1500, Label Stack{19}
        CA0711100000CA0417EC00008100000D8847 00013000
        No output feature configured

Transport label is 19, VPN label is 26

IOS

R3#sh mpls forwarding-table labels 19 detail
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
19         Pop Label 2.2.2.2/32       85693         Fa0/0.23   10.2.3.2
        MAC/Encaps=18/18, MRU=1504, Label Stack{}
        CA0517EC0000CA0711100000810000178847
        No output feature configured

VPN label is 26

IOS

R2#sh bgp vpnv4 unicast all 7.7.7.7/32
BGP routing table entry for 102:202:7.7.7.7/32, version 4
Paths: (1 available, best #1, table VPN_B)
Advertised to update-groups:
     1
Local
    40.2.7.7 from 0.0.0.0 (2.2.2.2)
      Origin incomplete, metric 156160, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:102:202 Cost:pre-bestpath:128:156160
        0x8800:32768:0 0x8801:1:130560 0x8802:65281:25600 0x8803:65281:1500
        0x8806:0:0
      mpls labels in/out 26/nolabel

End PE found

RT Rewrite

It is used mainly in Inter-AS topologies, when there is a need to keep different RTs between the ASes. It allows the ASBR (or any other router that's involved) to replace the peer ASN's RTs with their own.

Configuration Steps

define the RTs to be replaced
configure a route-map that matches the above RTs, deletes them and then adds the new RTs
apply the route-map to the bgp neighbor session

IOS
ip extcommunity-list 1 permit rt 200:1
ip extcommunity-list 2 permit rt 200:2
!
route-map RT-REWRITE-ROUTEMAP permit 10
match extcommunity 1
set extcomm-list 1 delete
set extcommunity rt 100:1 additive
continue 20
!
route-map RT-REWRITE-ROUTEMAP permit 20
match extcommunity 2
set extcomm-list 2 delete
set extcommunity rt 100:2 additive
!
route-map RT-REWRITE-ROUTEMAP permit 30
!
router bgp 100
neighbor 10.10.10.2 remote-as 200
!
address family vpnv4
neighbor 10.10.10.2 activate
neighbor 10.10.10.2 send-community extended
neighbor 10.10.10.2 route-map RT-REWRITE-ROUTEMAP in

Use the "additive" keyword when setting the new RT in order to not erase all other extended communities.

Use the "continue" statement (in ingress route-maps) when you need to rewrite more than one RTs in the same prefix.

Pages