Inter-AS L3VPN Pt. 3, Option B

In Option B, we will exchange the vpnv4 unicast table with the remote ASBR over the L3 NNI. We no longer need to define the VRF and create a sub-interface for each L3 VPN service we want to transport over this L3 NNI. We only need a single interface to run BGP vpnv4 unicast with the remote SP’s ASBR.

This allows for much greater scalability, but requires the SPs to trust each other and exchange their individual vpnv4 unicast tables. Route filters can be used to only export the necessary routes to the vpnv4 peer. However, you’d need the remote SP to tell you their RT values in order to filter incoming routes from them.

Let’s convert our Option A Inter-AS setup to Option B.

Lab

First we’ll remove the Option A config on SP1_R3 and SP2_XR1.

#SP1_R3
no vrf definition CUSTOMER
no int Gi2.10

#SP2_XR1
no vrf CUSTOMER
no router bgp 200 vrf CUSTOMER
no int gi0/0/0/0.10

Next, ensure the L3 addresses for the NNI are on the physical interfaces.

#SP1_R3
int Gi2
 ip address 100.1.1.1 255.255.255.252

#SP2_XR1
int Gi0/0/0/0
 ip address 100.1.1.2/30

Now we’ll configure a vpnv4 session between the two SP routers.

#SP1_R3
router bgp 100
 neighbor 100.1.1.2 remote-as 200
 address-family vpnv4
  neighbor 100.1.1.2 activate

#SP2_XR1
router bgp 200
 neighbor 100.1.1.1
  remote-as 100
  address-family vpnv4 unicast
   route-policy PASS in
   route-policy L3NNI out
!
route-policy L3NNI
 if extcommunity rt matches-any ( 200:1 ) then pass endif
end-policy

First, notice that IOS-XE has automatically added a command under the Gi2 interface:

*Aug  4 11:51:10.470: %BGP_LMM-6-AUTOGEN1: The mpls bgp forwarding command has been configured on interface: GigabitEthernet2
SP1_R3#show run int gi2
Building configuration...

Current configuration : 141 bytes
!
interface GigabitEthernet2
 ip address 100.1.1.1 255.255.255.252
 negotiation auto
 mpls bgp forwarding
 no mop enabled
 no mop sysid
end

Gi2 is not enabled for MPLS explicity, but it will need to send labeled traffic using the VPN label learned from SP2_XR1. IOS-XE automatically adds the mpls bgp forwarding command under the interface when you configure an eBGP neighbor for vpnv4 unicast.

Also look at the route-policy used on SP2_XR1. eBGP neighbors need a route-policy, so I decided to demonstrate a route-policy used to limit vpnv4 routes to only customer RTs that span this L3 NNI. This is not necessary, but is good practice.

Why aren’t the two routers learning any routes via the vpnv4 unicast address-family yet?

SP1_R3#show bgp vpnv4 uni all sum | be Neighbor
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.2.2.2        4          100       9       6        3    0    0 00:01:42        0
100.1.1.2       4          200       6       7        3    0    0 00:03:18        0

RP/0/0/CPU0:SP2_XR1#show bgp vpnv4 uni sum | be Neighbor
Thu Aug  4 11:57:07.952 UTC
Neighbor        Spk    AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down  St/PfxRcd
10.2.2.2          0   200    1017     922       14    0    0 15:13:05          0
100.1.1.1         0   100      12      10       14    0    0 00:05:54          0

The answer is due to the bgp route target filter, which you saw in “An In-Depth Look at RD and RT, Pt. 1.” A router will automatically filter received vpnv4 routes if they do not contain an RT value that is configured locally on the router. In other words, if they router doesn’t think it “needs” the vpnv4 routes, it ignores them. Let’s disable this filter on both routers.

#SP1_R3
router bgp 100
 no bgp default route-target filter
!
clear bgp vpnv4 uni * soft in

#SP2_XR1
router bgp 200
 address-family vpnv4 unicast
  retain route-target all

Both routers are now accepting the vpnv4 routes from their local RR, and advertising the routes to each other.

SP1_R3#show bgp vpnv4 uni all sum | be Nei                    
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.2.2.2        4          100      15      10        3    0    0 00:04:33        1
100.1.1.2       4          200       9      10        3    0    0 00:04:21        1

SP1_R3#show bgp vpnv4 uni all neigh 100.1.1.2 routes | be Network
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 200:1
 *>   10.1.2.0/24      100.1.1.2                              0 200 65001 i

Total number of prefixes 1 
SP1_R3#

RP/0/0/CPU0:SP2_XR1#show bgp vpnv4 uni sum | be Neighbor
Thu Aug  4 12:11:25.023 UTC
Neighbor        Spk    AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down  St/PfxRcd
10.2.2.2          0   200    1034     938       16    0    0 15:27:22          1
100.1.1.1         0   100      40      34       16    0    0 00:04:43          1

RP/0/0/CPU0:SP2_XR1#show bgp vpnv4 uni neighbors 100.1.1.1 routes | be Network
Thu Aug  4 12:11:33.813 UTC
   Network            Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1
*> 10.1.1.0/24        100.1.1.1                              0 100 65000 i

Processed 1 prefixes, 1 paths
RP/0/0/CPU0:SP2_XR1#

Is traffic working now between CE1 and CE2?

The answer is no. The PEs do not have the routes from the other SP in the table. Why is this?

RP/0/0/CPU0:SP1_XR1#show bgp vrf CUSTOMER | be Network
Thu Aug  4 12:13:19.084 UTC
   Network            Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf CUSTOMER)
*> 10.1.1.0/24        100.64.0.2               0             0 65000 i

Processed 1 prefixes, 1 paths

SP2_R3#show bgp vpnv4 uni all | be Network
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 200:1 (default for vrf CUSTOMER)
 *>   10.1.2.0/24      100.64.1.2               0             0 65001 i

Think back to the series on RD and RT. The reason both PEs do not import the routes into the VRF is because of the RT value. SP1 is importing and exporting 100:1. SP2 is importing and exporting 200:1.

In order to solve this, we’ll need to import the other SP’s RT on the VRF. You could say that in Option A, the RT is locally significant. Each SP does not care what the other SP is using for RT values. However, in Option B, the RT is now globally significant, as the SPs either need to coordinate on the RT to use, or they need to import the remote SP’s RT value into the local VRF.

#SP1_XR1
vrf CUSTOMER
 address-family ipv4 unicast
  import route-target 200:1

#SP2_R3
vrf definition CUSTOMER
 route-target import 100:1

Hmm, still no luck. We still don’t see the routes on the PEs. Can you figure out the issue?

Look route received at the local RRs from the routers connecting to the L3 NNI.

SP1_R2#show bgp vpnv4 uni all | be Network
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1
 *>i  10.1.1.0/24      10.1.1.1                 0    100      0 65000 i
Route Distinguisher: 200:1
 * i  10.1.2.0/24      100.1.1.2                0    100      0 200 65001 i

SP2_R2#show bgp vpnv4 uni all | be Network
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1
 * i  10.1.1.0/24      100.1.1.1                     100      0 100 65000 i
Route Distinguisher: 200:1
 *>i  10.1.2.0/24      10.3.3.3                 0    100      0 65001 i

The next-hop is the public IP of the other router on the L3 NNI. Let’s implement next-hop-self on the two routers on the L3 NNI. By default, routers will set next-hop-self on vpnv4 routes when they themselves inject the route from a VRF. However, when learning a vpnv4 route from another eBGP router, the regular BGP rules apply, and the nexthop is unchanged.

#SP1_R3
router bgp 100
 address-family vpnv4
  neighbor 10.2.2.2 next-hop-self
!
clear bgp vpnv4 uni 10.2.2.2 soft out

#SP2_XR1
router bgp 200
 neighbor 10.2.2.2
  address-family vpnv4 unicast
   next-hop-self
!
clear bgp vpnv4 uni 10.2.2.2 soft out

Great, both PEs have the routes. The CEs have the routes as well.

CE1#show bgp | be Network
     Network          Next Hop            Metric LocPrf Weight Path
 *>   10.1.1.0/24      0.0.0.0                  0         32768 i
 *>   10.1.2.0/24      100.64.0.1                             0 100 200 65001 i

CE2#show bgp | be Network
     Network          Next Hop            Metric LocPrf Weight Path
 *>   10.1.1.0/24      100.64.1.1                             0 200 100 65000 i
 *>   10.1.2.0/24      0.0.0.0                  0         32768 i

However, pings end to end still are not working.

CE1#ping 10.1.2.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1 
.....
Success rate is 0 percent (0/5)

There is one final configuration we are missing. On IOS-XR, the router does not send labeled traffic to a next-hop learned via BGP unless it is a /32 route. Right now, the next-hop 100.1.1.1 is known via a connected /30. The router will not deliver labeled traffic to this IP. To work around this, we’ll configure a static /32 pointing out the connected interface. This might seem a bit silly, but it is necessary.

#SP2_XR1
router static address-family ipv4 unicast
 100.1.1.1/32 Gi0/0/0/0

Pings are working now!

CE1#ping 10.1.2.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/12 ms

A traceroute shows three different service labels (24, 24008, 18):

CE1#traceroute 10.1.2.1 source lo0 probe 1
Type escape sequence to abort.
Tracing the route to 10.1.2.1
VRF info: (vrf in name/id, vrf out name/id)
  1 100.64.0.1 2 msec
  2 10.1.2.2 [AS 65001] [MPLS: Labels 18/24 Exp 0] 33 msec
  3 10.2.3.3 [MPLS: Label 24 Exp 0] 34 msec
  4 100.1.1.2 [MPLS: Label 24008 Exp 0] 15 msec
  5 10.1.2.2 [AS 65001] [MPLS: Labels 16/18 Exp 0] 51 msec
  6 100.64.1.1 [MPLS: Label 18 Exp 0] 13 msec
  7 100.64.1.2 15 msec

Conclusion

Option B allows for greater flexibility compared to Option A. You do not need to configure the VRFs on the ASBRs, nor do you need a sub-interface for every single L3VPN VRF you are spanning across this L3 NNI.

Option B requires a bit more configuration to setup. You need to take the following items into account:

  • You must disable the RT filter on the router connecting to the L3 NNI, unless it happens to be acting as PE and already has the VRF defined.

    • no bgp default route-target filter on IOS-XE

    • address-family vpnv4 unicast retain route-target all on IOS-XR

  • You must import the remote SP’s RT into your VRF on the PEs. You could alternatively coordinate with the remote SP on the RT values but this is likely too much effort.

  • You must set next-hop-self on the routes advertised from the router on the L3 NNI edge to the internal RR.

  • mpls bgp forwarding is automatically added to the interface on XE.

  • On IOS-XR you must have a /32 route to the next-hop.

With Option B, the traffic between the two routers on the L3 NNI is now label switched instead of IP routed (as it is in Option A). There are three total VPN labels end-to-end.

  • The VPN label from the originating PE to the local ASBR

  • The VPN label from the local ASBR to the remote ASBR

  • The VPN label from the remote ASBR to the remote PE

PreviousInter-AS L3VPN Pt. 2, Option ANextInter-AS L3VPN Pt. 4, Option C

Last updated