Inter-AS L3VPN Pt. 1, Overview

This series will explore the various options available for interconnecting two different service providers to provide a customer L3VPN service.

With Option A/B/C, two SPs provide L3VPN service to a single customer. The CEs peer with a PE in either service provider network. The two SPs must exchange routes to give the customer a single L3VPN service.

Typically service providers will use L2 NNIs, and there will be no need to peer over L3. Let’s say SP1 is offering L3VPN to a customer, and SP2 provides the last mile. SP2 may hand off the service to SP1 with a VLAN using Q-in-Q. This way, the CPE will peer with SP1 as if SP1 itself provided the last mile. SP2 is just offering L2VPN pseudowire service.

However sometimes service providers may want to handoff L3 instead of L2 (Q-in-Q). Now the service providers need to peer over BGP and figure out how they will coherently provide L3VPN to the customer. This series of articles will explore the common options, which are called Option A, B, and C.

Option A

This is the most straight-forward option, and the one I have personally seen deployed the most. In this case, each SP runs its own L3VPN for the customer as normal. At the interconnection between the two SPs, each SP treats the other SP as a CE. You must configure the VRF on the routers connecting to the L3 NNI, and configure a sub-interface per VRF on the L3 NNI. We will call the routers that connect at the L3 NNI ASBRs (Autonomous System Boundry Routers).

Option B

In Option B, the two ASBRs will run vpnv4 unicast instead of one ipv4 unicast session per VRF. The vpnv4 unicast table now spans end-to-end between the two SPs. This allows for flexibility, as you no longer need the VRF on each router, and you don’t need a sub-interface per VRF on the L3 NNI. The traffic over the L3 NNI will have a single VPN label, which is learned via vpnv4 unicast. The end-to-end traffic from ingress PE to egress PE has separate three VPN labels. (Not a stack of three labels, but the service label changes as it goes from SP to NNI to SP).

Option C

In Option C, the LSP is end-to-end. The VPN label is carried all the way from the ingress PE to the egress PE at the other SP. The two ASBRs run BGP-LU, and each SP learns the loopbacks of PEs in the other SP. The two SP RRs form a vpvn4 peering session. This option is the least secure and you would be hard pressed to find this in the real world in my opinion.

Summary

In Option A, the ASBRs run a normal ipv4 unicast session. The ASBRs treat each other as a CE in the L3VPN.

In Option B, the ASBRs run vpnv4 unicast and share the entire vpnv4 table.

In Option C, the ASBRs run BGP-LU and expose their own PE loopback IPs. The RRs in each SP peer over vpnv4 unicast.

Read on as we lab up each scenario!