Inter-AS L3VPN Pt. 2, Option A

In this article we will cover Inter-AS L3VPN Option A.

SP1 and SP2 peer directly over a L3 NNI, as following. These are the ASBRs.

SP1 provides Customer A service at location A (CE1). SP2 provides Customer A service at location B (CE2).

We’ll setup Inter-AS Option A, in which SP1_R3 will treat SP2_XR1 as another CE. SP2_XR1 will also treat SP1_R3 as a CE.

Lab

Here are the sartup configs. SP1 runs OSPF and SP2 runs ISIS. R2 for each SP is a RR. Intra-AS L3VPN is setup, but CE1 cannot reach CE2 yet.

#CE1
hostname CE1
!
line con 0
 logging sync
!
int Gi1
 ip address 100.64.0.2 255.255.255.252
 no shut
!
int lo0
 ip address 10.1.1.1 255.255.255.0
!
router bgp 65000
 neighbor 100.64.0.1 remote-as 100
 network 10.1.1.0 mask 255.255.255.0

#SP1_XR1
hostname SP1_XR1
!
vrf CUSTOMER
 address-family ipv4 unicast
  import route-target 100:1
  export route-target 100:1
!
int Gi0/0/0/0
 vrf CUSTOMER
 ip add 100.64.0.1/30
 no shut
!
int Gi0/0/0/1
 ip address 10.1.2.1/24
 no shut
!
int Lo0
 ip address 10.1.1.1/32
!
router ospf 1
 area 0 
  int Gi0/0/0/1
   network point-to-point
  int Lo0
!
mpls ldp
 int Gi0/0/0/1
!
router bgp 100
 bgp router-id 100.100.100.1
 address-family ipv4 unicast
 address-family vpnv4 unicast
 neighbor 10.2.2.2
  remote-as 100
  update-source lo0
  address-family vpnv4 unicast
 !
 vrf CUSTOMER
  rd 100:1
  address-family ipv4 unicast
  neighbor 100.64.0.2
   remote-as 65000
   address-family ipv4 unicast
    route-policy PASS in
    route-policy PASS out
!
route-policy PASS
 pass
end-policy

#SP1_R2
hostname SP1_R2
!
line con 0
 logging sync
!
int Gi1
 ip address 10.1.2.2 255.255.255.0
 no shut
 mpls ip
 ip ospf network point-to-point
!
int Gi2
 ip address 10.2.3.2 255.255.255.0
 no shut
 mpls ip
 ip ospf network point-to-point
!
int lo0
 ip address 10.2.2.2 255.255.255.255
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 100
 neighbor 10.1.1.1 remote-as 100
 neighbor 10.1.1.1 update-source lo0
 neighbor 10.3.3.3 remote-as 100
 neighbor 10.3.3.3 update-source lo0
 address-family vpnv4 unicast
  neighbor 10.1.1.1 activate
  neighbor 10.1.1.1 route-reflector-client
  neighbor 10.3.3.3 activate
  neighbor 10.3.3.3 route-reflector-client

#SP1_R3
hostname SP1_R3
!
line con 0
 logging sync
!
int Gi1
 ip address 10.2.3.3 255.255.255.0
 no shut
 mpls ip
 ip ospf network point-to-point
!
int Gi2
 ip address 100.1.1.1 255.255.255.252
 no shut
!
int lo0
 ip address 10.3.3.3 255.255.255.255
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 100
 bgp router-id 100.100.100.3
 neighbor 10.2.2.2 remote-as 100
 neighbor 10.2.2.2 update-source lo0
 address-family vpnv4 unicast
  neighbor 10.2.2.2 activate

#SP2_XR1
hostname SP2_XR1
!
int Gi0/0/0/0
 ip address 100.1.1.2/30
 no shut
!
int Gi0/0/0/1
 ip address 10.1.2.1/24
 no shut
!
int lo0
 ip address 10.1.1.1/32
!
router isis 1
 net 49.0001.0000.0000.0001.00
 is-type level-2-only
 int Gi0/0/0/1
  address-family ipv4 unicast
  point-to-point
 !
 int lo0
  address-family ipv4 unicast
!
mpls ldp
 int Gi0/0/0/1
!
router bgp 200
 bgp router-id 200.200.200.1
 address-family vpnv4 unicast
 neighbor 10.2.2.2
  remote-as 200
  update-source lo0
  address-family vpnv4 unicast

#SP2_R2
hostname SP2_R2
!
line con 0
 logging sync
!
int Gi1
 ip address 10.1.2.2 255.255.255.0
 no shut
 mpls ip
 isis network point-to-point
 ip router isis
!
int Gi2
 ip address 10.2.3.2 255.255.255.0
 no shut
 mpls ip
 isis network point-to-point
 ip router isis
!
int lo0
 ip address 10.2.2.2 255.255.255.255
 ip router isis
!
router isis
 net 49.0001.0000.0000.0002.00
 is-type level-2-only
!
mpls ldp
 int Gi0/0/0/1
!
router bgp 200
 neighbor 10.1.1.1 remote-as 200
 neighbor 10.1.1.1 update-source lo0
 neighbor 10.3.3.3 remote-as 200
 neighbor 10.3.3.3 update-source lo0
 address-family vpnv4 unicast
  neighbor 10.1.1.1 activate
  neighbor 10.1.1.1 route-reflector-client
  neighbor 10.3.3.3 activate
  neighbor 10.3.3.3 route-reflector-client

#SP2_R3
hostname SP2_R3
!
line con 0
 logging sync
!
vrf definition CUSTOMER
 rd 200:1
 route-target both 200:1
 address-family ipv4
!
int Gi1
 ip address 10.2.3.3 255.255.255.0
 no shut
 mpls ip
 isis network point-to-point
 ip router isis
!
int Gi2
 vrf forwarding CUSTOMER
 ip address 100.64.1.1 255.255.255.252
 no shut
!
int lo0
 ip address 10.3.3.3 255.255.255.255
 ip router isis
!
router isis
 net 49.0001.0000.0000.0003.00
 is-type level-2-only
!
router bgp 200
 bgp router-id 200.200.200.3
 neighbor 10.2.2.2 remote-as 200
 neighbor 10.2.2.2 update-source lo0
 address-family ipv4 unicast vrf CUSTOMER
  neighbor 100.64.1.2 remote-as 65001
 address-family vpnv4 unicast
  neighbor 10.2.2.2 activate

#CE2
hostname CE2
!
line con 0
 logging sync
!
int Gi1
 ip address 100.64.1.2 255.255.255.252
 no shut
!
int lo0
 ip address 10.1.2.1 255.255.255.0
!
router bgp 65001
 neighbor 100.64.1.1 remote-as 200
 network 10.1.2.0 mask 255.255.255.0

Notice that the PE of each SP is learning the customer’s route via the local CE, but the customer does not have end-to-end reachability yet.

RP/0/0/CPU0:SP1_XR1#show bgp vrf CUSTOMER | beg Network
Wed Aug  3 21:29:09.478 UTC
   Network            Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf CUSTOMER)
*> 10.1.1.0/24        100.64.0.2               0             0 65000 i


SP2_R3#show bgp vrf CUSTOMER | be Network
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 200:1 (default for vrf CUSTOMER)
 *>   10.1.2.0/24      100.64.1.2               0             0 65001 i

Configuring the L3 NNI

We’ll now configure the ASBRs. This involves each router simulanteouly acting as a PE and CE. From its own perspective, it is a PE. From the other service provider’s perspective, it is a CE.

You’ll see that the drawback to Option A is that you must configure every VRF on the router where the L3 NNI is terminated, since the other end is treated as a CE in the VRF. We must import the routes learned from the CE into the vpnv4 unicast table.

Additionally, we must create a subinterface for every VRF, as we cannot “re-use” a single interface for multiple VRFs.

#SP1_R3
vrf definition CUSTOMER
 rd 100:1
 address-family ipv4 unicast
  route-target both 100:1
!
int Gi2.10
 encapsulation dot1q 10
 vrf forwarding CUSTOMER
 ip address 100.1.1.1 255.255.255.252
!
router bgp 100
 address-family ipv4 unicast vrf CUSTOMER
 neighbor 100.1.1.2 remote-as 200

#SP2_XR1
vrf CUSTOMER
 address-family ipv4 unicast
  import route-target 200:1
  export route-target 200:1
!
int Gi0/0/0/0.10
 encapsulation dot1q 10
 vrf CUSTOMER
 ip address 100.1.1.2 255.255.255.252
!
router bgp 200
 address-family ipv4 unicast
 vrf CUSTOMER
  rd 200:1
  address-family ipv4 unicast
  neighbor 100.1.1.1
   remote-as 100
   address-family ipv4 unicast
    route-policy PASS in
    route-policy PASS out
!
route-policy PASS
 pass
end-policy

Note: You may run into a bug on the CSR1000v with sub interfaces. To work around it, you can try creating a service instance for encapsulation untagged under the physical interface:

interface GigabitEthernet2
 service instance 1 ethernet
  encapsulation untagged
!
interface GigabitEthernet2.10
 encapsulation dot1Q 10
 vrf forwarding CUSTOMER
 ip address 100.1.1.1 255.255.255.252

CE1 now has reachability to CE2.

CE1#ping 10.1.2.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/43/169 ms

Try to write down the AS paths seen on CE1 for 10.1.2.0/24 and CE2 for 10.1.1.0/24, and then check your work on the devices.

CE1#show bgp ipv4 uni | in 10.1.2.0  
 *>   10.1.2.0/24      100.64.0.1                             0 100 200 65001 i

CE2#show bgp ipv4 uni | in 10.1.1.0
 *>   10.1.1.0/24      100.64.1.1                             0 200 100 65000 i

Notice that each SP can use its own RT values for the vpnv4 routes. Each SP runs a completely separate VPN, and they share routes at the L3 NNI as if each other were CEs.

RP/0/0/CPU0:SP1_XR1#show bgp vrf CUSTOMER 10.1.1.0/24 | in RT
Thu Aug  4 11:19:14.177 UTC
      Extended community: RT:100:1 
RP/0/0/CPU0:SP1_XR1#show bgp vrf CUSTOMER 10.1.2.0/24 | in RT
Thu Aug  4 11:19:17.056 UTC
      Extended community: RT:100:1

SP2_R3#show bgp vpnv4 unicast vrf CUSTOMER detail | in RT
      Extended Community: RT:200:1
      Extended Community: RT:200:1

Traffic is unlabeled at the L3 NNI. It simply has a dot1q tag, no MPLS label.

Conclusion

Inter-AS Option A is the simplest solution for providing L3VPN service for a customer through an L3 NNI. From each service provider’s perspective, the other service provider is treated as a CE.

While easy and intuitive to configure, the drawback is lack of scalability. If there are 200 L3VPNs that need to span this L3 NNI, there are 200 subinterfaces, 200 VRFs, and 200 BGP peering sessions that need to be configured on each ASBR.

In Option B and C we will see solutions that allow for greater scale. However this will come at the cost of needing to share more information between SPs. Option A is the most secure because SPs do not have to share information such as RT values, etc.