In this article we will cover Inter-AS L3VPN Option A.
SP1 and SP2 peer directly over a L3 NNI, as following. These are the ASBRs.
SP1 provides Customer A service at location A (CE1). SP2 provides Customer A service at location B (CE2).
We’ll setup Inter-AS Option A, in which SP1_R3 will treat SP2_XR1 as another CE. SP2_XR1 will also treat SP1_R3 as a CE.
Lab
Here are the sartup configs. SP1 runs OSPF and SP2 runs ISIS. R2 for each SP is a RR. Intra-AS L3VPN is setup, but CE1 cannot reach CE2 yet.
#CE1
hostname CE1
!
line con 0
logging sync
!
int Gi1
ip address 100.64.0.2 255.255.255.252
no shut
!
int lo0
ip address 10.1.1.1 255.255.255.0
!
router bgp 65000
neighbor 100.64.0.1 remote-as 100
network 10.1.1.0 mask 255.255.255.0
#SP1_XR1
hostname SP1_XR1
!
vrf CUSTOMER
address-family ipv4 unicast
import route-target 100:1
export route-target 100:1
!
int Gi0/0/0/0
vrf CUSTOMER
ip add 100.64.0.1/30
no shut
!
int Gi0/0/0/1
ip address 10.1.2.1/24
no shut
!
int Lo0
ip address 10.1.1.1/32
!
router ospf 1
area 0
int Gi0/0/0/1
network point-to-point
int Lo0
!
mpls ldp
int Gi0/0/0/1
!
router bgp 100
bgp router-id 100.100.100.1
address-family ipv4 unicast
address-family vpnv4 unicast
neighbor 10.2.2.2
remote-as 100
update-source lo0
address-family vpnv4 unicast
!
vrf CUSTOMER
rd 100:1
address-family ipv4 unicast
neighbor 100.64.0.2
remote-as 65000
address-family ipv4 unicast
route-policy PASS in
route-policy PASS out
!
route-policy PASS
pass
end-policy
#SP1_R2
hostname SP1_R2
!
line con 0
logging sync
!
int Gi1
ip address 10.1.2.2 255.255.255.0
no shut
mpls ip
ip ospf network point-to-point
!
int Gi2
ip address 10.2.3.2 255.255.255.0
no shut
mpls ip
ip ospf network point-to-point
!
int lo0
ip address 10.2.2.2 255.255.255.255
!
router ospf 1
network 10.0.0.0 0.255.255.255 area 0
!
router bgp 100
neighbor 10.1.1.1 remote-as 100
neighbor 10.1.1.1 update-source lo0
neighbor 10.3.3.3 remote-as 100
neighbor 10.3.3.3 update-source lo0
address-family vpnv4 unicast
neighbor 10.1.1.1 activate
neighbor 10.1.1.1 route-reflector-client
neighbor 10.3.3.3 activate
neighbor 10.3.3.3 route-reflector-client
#SP1_R3
hostname SP1_R3
!
line con 0
logging sync
!
int Gi1
ip address 10.2.3.3 255.255.255.0
no shut
mpls ip
ip ospf network point-to-point
!
int Gi2
ip address 100.1.1.1 255.255.255.252
no shut
!
int lo0
ip address 10.3.3.3 255.255.255.255
!
router ospf 1
network 10.0.0.0 0.255.255.255 area 0
!
router bgp 100
bgp router-id 100.100.100.3
neighbor 10.2.2.2 remote-as 100
neighbor 10.2.2.2 update-source lo0
address-family vpnv4 unicast
neighbor 10.2.2.2 activate
#SP2_XR1
hostname SP2_XR1
!
int Gi0/0/0/0
ip address 100.1.1.2/30
no shut
!
int Gi0/0/0/1
ip address 10.1.2.1/24
no shut
!
int lo0
ip address 10.1.1.1/32
!
router isis 1
net 49.0001.0000.0000.0001.00
is-type level-2-only
int Gi0/0/0/1
address-family ipv4 unicast
point-to-point
!
int lo0
address-family ipv4 unicast
!
mpls ldp
int Gi0/0/0/1
!
router bgp 200
bgp router-id 200.200.200.1
address-family vpnv4 unicast
neighbor 10.2.2.2
remote-as 200
update-source lo0
address-family vpnv4 unicast
#SP2_R2
hostname SP2_R2
!
line con 0
logging sync
!
int Gi1
ip address 10.1.2.2 255.255.255.0
no shut
mpls ip
isis network point-to-point
ip router isis
!
int Gi2
ip address 10.2.3.2 255.255.255.0
no shut
mpls ip
isis network point-to-point
ip router isis
!
int lo0
ip address 10.2.2.2 255.255.255.255
ip router isis
!
router isis
net 49.0001.0000.0000.0002.00
is-type level-2-only
!
mpls ldp
int Gi0/0/0/1
!
router bgp 200
neighbor 10.1.1.1 remote-as 200
neighbor 10.1.1.1 update-source lo0
neighbor 10.3.3.3 remote-as 200
neighbor 10.3.3.3 update-source lo0
address-family vpnv4 unicast
neighbor 10.1.1.1 activate
neighbor 10.1.1.1 route-reflector-client
neighbor 10.3.3.3 activate
neighbor 10.3.3.3 route-reflector-client
#SP2_R3
hostname SP2_R3
!
line con 0
logging sync
!
vrf definition CUSTOMER
rd 200:1
route-target both 200:1
address-family ipv4
!
int Gi1
ip address 10.2.3.3 255.255.255.0
no shut
mpls ip
isis network point-to-point
ip router isis
!
int Gi2
vrf forwarding CUSTOMER
ip address 100.64.1.1 255.255.255.252
no shut
!
int lo0
ip address 10.3.3.3 255.255.255.255
ip router isis
!
router isis
net 49.0001.0000.0000.0003.00
is-type level-2-only
!
router bgp 200
bgp router-id 200.200.200.3
neighbor 10.2.2.2 remote-as 200
neighbor 10.2.2.2 update-source lo0
address-family ipv4 unicast vrf CUSTOMER
neighbor 100.64.1.2 remote-as 65001
address-family vpnv4 unicast
neighbor 10.2.2.2 activate
#CE2
hostname CE2
!
line con 0
logging sync
!
int Gi1
ip address 100.64.1.2 255.255.255.252
no shut
!
int lo0
ip address 10.1.2.1 255.255.255.0
!
router bgp 65001
neighbor 100.64.1.1 remote-as 200
network 10.1.2.0 mask 255.255.255.0
Notice that the PE of each SP is learning the customer’s route via the local CE, but the customer does not have end-to-end reachability yet.
RP/0/0/CPU0:SP1_XR1#show bgp vrf CUSTOMER | beg Network
Wed Aug 3 21:29:09.478 UTC
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf CUSTOMER)
*> 10.1.1.0/24 100.64.0.2 0 0 65000 i
SP2_R3#show bgp vrf CUSTOMER | be Network
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 200:1 (default for vrf CUSTOMER)
*> 10.1.2.0/24 100.64.1.2 0 0 65001 i
Configuring the L3 NNI
We’ll now configure the ASBRs. This involves each router simulanteouly acting as a PE and CE. From its own perspective, it is a PE. From the other service provider’s perspective, it is a CE.
You’ll see that the drawback to Option A is that you must configure every VRF on the router where the L3 NNI is terminated, since the other end is treated as a CE in the VRF. We must import the routes learned from the CE into the vpnv4 unicast table.
Additionally, we must create a subinterface for every VRF, as we cannot “re-use” a single interface for multiple VRFs.
Note: You may run into a bug on the CSR1000v with sub interfaces. To work around it, you can try creating a service instance for encapsulation untagged under the physical interface:
CE1#ping 10.1.2.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/43/169 ms
Try to write down the AS paths seen on CE1 for 10.1.2.0/24 and CE2 for 10.1.1.0/24, and then check your work on the devices.
CE1#show bgp ipv4 uni | in 10.1.2.0
*> 10.1.2.0/24 100.64.0.1 0 100 200 65001 i
CE2#show bgp ipv4 uni | in 10.1.1.0
*> 10.1.1.0/24 100.64.1.1 0 200 100 65000 i
Notice that each SP can use its own RT values for the vpnv4 routes. Each SP runs a completely separate VPN, and they share routes at the L3 NNI as if each other were CEs.
RP/0/0/CPU0:SP1_XR1#show bgp vrf CUSTOMER 10.1.1.0/24 | in RT
Thu Aug 4 11:19:14.177 UTC
Extended community: RT:100:1
RP/0/0/CPU0:SP1_XR1#show bgp vrf CUSTOMER 10.1.2.0/24 | in RT
Thu Aug 4 11:19:17.056 UTC
Extended community: RT:100:1
SP2_R3#show bgp vpnv4 unicast vrf CUSTOMER detail | in RT
Extended Community: RT:200:1
Extended Community: RT:200:1
Traffic is unlabeled at the L3 NNI. It simply has a dot1q tag, no MPLS label.
Conclusion
Inter-AS Option A is the simplest solution for providing L3VPN service for a customer through an L3 NNI. From each service provider’s perspective, the other service provider is treated as a CE.
While easy and intuitive to configure, the drawback is lack of scalability. If there are 200 L3VPNs that need to span this L3 NNI, there are 200 subinterfaces, 200 VRFs, and 200 BGP peering sessions that need to be configured on each ASBR.
In Option B and C we will see solutions that allow for greater scale. However this will come at the cost of needing to share more information between SPs. Option A is the most secure because SPs do not have to share information such as RT values, etc.
