MPLS VPN – Part 4

This is the second part of the “MPLS VPN – Part 3” topic. In the previous post I discussed building an MPLS VPN network with BGP as the PE-CE protocol, and this one is the remaining portion of that document. If you want to follow this guide, it is better to start with the previous one.
Now we have reachability from each PE router to its clients, and the only remaining part is establishing full connectivity. For this, we must enable MP-BGP between R3 and R5.

R3(config-router)#do sh run | sec bgp
router bgp 345
 bgp log-neighbor-changes
 neighbor 5.5.5.5 remote-as 345
 neighbor 5.5.5.5 update-source Loopback0
 address-family ipv4
  no neighbor 5.5.5.5 activate
 address-family vpnv4
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community both
 exit-address-family
R5(config-router)#do sh run | sec bgp
router bgp 345
 bgp log-neighbor-changes
 neighbor 3.3.3.3 remote-as 345
 neighbor 3.3.3.3 update-source Loopback0
 address-family ipv4
  no neighbor 3.3.3.3 activate
 exit-address-family
 address-family vpnv4
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community both
 exit-address-family

We don’t need an IPv4 BGP relationship between R3 and R5, so I deactivated the IPv4 address family between them. This causes no damage to the network, because R3 can still get those prefixes through R4, which acts as the route reflector, and vice versa.
After configuring the VPNv4 relationship, we must take care of some small but important tricks too. Considering the topology, we have customers that use the same AS number throughout their network. Because of BGP's loop prevention mechanism, prefixes coming from the HQ network will be blocked by the other CE router inside each customer, because that router will see its own AS number inside the AS-PATH list. This is a good built-in mechanism of BGP, but in our scenario it is harmful. With this mechanism in effect, R1 doesn't get R7's networks and vice versa. The same is true for R2 and R6. There are two solutions for this: using the as-override feature on the PE routers, or allowas-in on the CE routers. Let's examine the first one.

R3(config-router)#do sh run | sec bgp
 address-family ipv4 vrf B
  neighbor 123.123.123.2 as-override
 exit-address-family
 !
 address-family ipv4 vrf A
  neighbor 133.133.133.1 as-override
 exit-address-family

This causes the customer AS numbers inserted into the AS-PATH list to be replaced by the SP AS number, which eliminates the loop prevention performed by the CE routers. One thing worth remembering is that the “as-override” feature is available only at the VRF address-family level. The unavailability of this command under global BGP or the IPv4 address family leaves us with another problem: our global BGP prefixes are blocked by the CE routers due to the same loop prevention mechanism. The “as-override” command is written for VPN networks, not global prefixes, and we need to resolve the same problem for global networks too. This can be done with the “allowas-in” command on the CE routers. This feature makes routers accept multiple occurrences of their own AS number in the AS-PATH list.

R1(config-router)#do sh run | sec bgp
router bgp 1
 address-family ipv4
  neighbor 13.13.13.3 allowas-in 2
R2(config-router)#do sh run | sec bgp
router bgp 2
 neighbor 23.23.23.3 allowas-in 2
 no auto-summary
R6(config-router)#do sh run | sec bgp
router bgp 2
 neighbor 56.56.56.5 allowas-in 2
 no auto-summary
R7(config-router)#do sh run | sec bgp
router bgp 1
 neighbor 57.57.57.5 allowas-in 2
 no auto-summary

One last thing remains to be considered before final verification. If you look at the BGP table on the CE routers you will see that local networks originated by the router itself are re-advertised back to the router by the PE router. This is because of the “allowas-in” feature, since we made the routers accept multiple occurrences of their own AS number inside the AS-PATH list. These BGP table entries will not affect the routing process, but if a router handles thousands or more BGP prefixes, these useless additional entries will consume the router’s memory, and that can become a problem. To eliminate these prefixes we can use a special BGP feature named SOO (Site of Origin). This feature marks BGP prefixes coming from one customer site and prevents the same prefixes from entering that site again. There are several ways to implement SOO, and here I’m going to use a route-map on both R3 and R5:

route-map SOO, permit, sequence 10
  Match clauses:
  Set clauses:
    extended community SoO:1:1
  Policy routing matches: 0 packets, 0 bytes
route-map SOO2, permit, sequence 10
  Match clauses:
  Set clauses:
    extended community SoO:2:2
  Policy routing matches: 0 packets, 0 bytes

And applying the route-maps to BGP routes coming from CE routers.

R5(config-router)#do sh run | sec bgp
router bgp 345
address-family ipv4
  neighbor 56.56.56.6 route-map SOO2 in
  neighbor 57.57.57.7 route-map SOO in
R3(config-router)#do sh run | sec bgp
router bgp 345
address-family ipv4
  neighbor 13.13.13.1 route-map SOO in
  neighbor 23.23.23.2 route-map SOO2 in

For these route-maps to take effect we must reset the BGP relationships. You can do this with the “clear ip bgp *” command or its soft versions.
If everything was right, the PE routers should have full knowledge of the customer networks, so a simple verification will reveal the truth.
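To make the three knobs used above concrete, here is an added Python model (not from the original post, and not IOS code) of the CE's AS-PATH loop check, PE-side as-override, CE-side allowas-in and the SOO check, replayed with the lab's AS numbers and prefixes. It assumes one constructed SoO value per customer site (1:1 for R1's site, 1:2 for R7's site), because a matching SoO on the outbound neighbor is what stops a route from re-entering its site.

```python
from dataclasses import dataclass, field

SP_AS, CUST_AS = 345, 1   # lab values: provider AS 345, customer A = AS 1

@dataclass
class Route:
    prefix: str
    as_path: list              # leftmost entry = most recently prepended AS
    ext_comm: set = field(default_factory=set)   # e.g. {"SoO:1:1"}

def pe_ingress(prefix, ce_as, site_soo):
    """CE -> PE: eBGP prepends the CE's AS; the inbound route-map tags the SoO."""
    return Route(prefix, [ce_as], {site_soo})

def pe_egress(route, ce_as, as_override=False, neighbor_soo=None):
    """PE -> CE: SOO check first (never back into the originating site), then
    prepend the provider AS, then as-override rewrites the CE's AS to SP_AS."""
    if neighbor_soo is not None and neighbor_soo in route.ext_comm:
        return None
    path = [SP_AS] + route.as_path
    if as_override:
        path = [SP_AS if asn == ce_as else asn for asn in path]
    return Route(route.prefix, path, set(route.ext_comm))

def ce_accept(route, ce_as, allowas_in=0):
    """CE loop check: own AS may appear at most allowas_in times (default 0)."""
    return route is not None and route.as_path.count(ce_as) <= allowas_in

def lab():
    """Replays the post: R7's prefix reaching R1 (both AS 1) via R5/R3, and R1's own prefix reflected back by R3."""
    # Constructed SoO values, one per site: 1:1 for R1's site, 1:2 for R7's.
    hq = pe_ingress("7.7.7.9/32", CUST_AS, "SoO:1:2")    # R7 -> R5 -> R3
    own = pe_ingress("1.1.1.4/32", CUST_AS, "SoO:1:1")   # R1 -> R3
    return {
        # default: AS 1 already in [345, 1] -> R1 drops the HQ prefix
        "hq_default": ce_accept(pe_egress(hq, CUST_AS), CUST_AS),
        # as-override on the PE: path becomes [345, 345] -> accepted
        "hq_as_override": ce_accept(pe_egress(hq, CUST_AS, as_override=True), CUST_AS),
        # allowas-in 2 on the CE: [345, 1] accepted despite the own AS
        "hq_allowas_in": ce_accept(pe_egress(hq, CUST_AS), CUST_AS, allowas_in=2),
        # side effect of allowas-in: R1's own prefix comes back as [345, 1]
        "own_reflected": ce_accept(pe_egress(own, CUST_AS), CUST_AS, allowas_in=2),
        # SOO on the PE: matching site tag -> never advertised back to R1
        "own_with_soo": ce_accept(pe_egress(own, CUST_AS, neighbor_soo="SoO:1:1"),
                                  CUST_AS, allowas_in=2),
        # SOO leaves the HQ prefix alone: it carries the other site's tag
        "hq_with_soo": ce_accept(pe_egress(hq, CUST_AS, neighbor_soo="SoO:1:1"),
                                 CUST_AS, allowas_in=2),
    }
```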

R5(config-router)#do sh ip bgp vpnv4 all | beg Net    
   Network          Next Hop            Metric LocPrf Path
Route Distinguisher: 1:1 (default for vrf A)
*>i1.1.1.0/30       3.3.3.3                  0    100 1 i
*> 7.7.7.7/32       157.157.157.7        0        1 i
*> 7.7.7.8/32       157.157.157.7        0        1 i
Route Distinguisher: 2:2 (default for vrf B)
*>i2.2.2.2/32       3.3.3.3                  0    100 2 i
*>i2.2.2.3/32       3.3.3.3                  0    1   2 i
*> 6.6.6.6/32       156.156.156.6        0        2 i
*> 6.6.6.7/32       156.156.156.6        0        2 i
R3(config-router)#do sh ip bgp vpnv4 all | beg Net    
   Network          Next Hop            Metric LocPrf Path
Route Distinguisher: 1:1 (default for vrf A)
*> 1.1.1.0/30       133.133.133.1        0        1 i
*>i7.7.7.7/32       5.5.5.5                  0    100 1 i
*>i7.7.7.8/32       5.5.5.5                  0    100 1 i
Route Distinguisher: 2:2 (default for vrf B)
*> 2.2.2.2/32       123.123.123.2        0        2 i
*> 2.2.2.3/32       123.123.123.2        0        2 i
*>i6.6.6.6/32       5.5.5.5                  0    100 2 i
*>i6.6.6.7/32       5.5.5.5                  0    100 2 i

And customers:

R1(config-router)#do sh ip route  
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.4 is directly connected, Loopback2
     2.0.0.0/32 is subnetted, 2 subnets
B       2.2.2.4 [20/0] via 13.13.13.3, 05:48:49
B       2.2.2.5 [20/0] via 13.13.13.3, 05:48:49
     4.0.0.0/32 is subnetted, 1 subnets
B       4.4.4.4 [20/0] via 13.13.13.3, 05:48:49
     6.0.0.0/32 is subnetted, 2 subnets
B       6.6.6.8 [20/0] via 13.13.13.3, 05:48:49
B       6.6.6.9 [20/0] via 13.13.13.3, 05:48:49
     7.0.0.0/32 is subnetted, 1 subnets
B       7.7.7.9 [20/0] via 13.13.13.3, 05:44:11
     13.0.0.0/24 is subnetted, 1 subnets
C       13.13.13.0 is directly connected, Serial0/0.1
R2(config-router)#do sh ip route  
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
B       1.1.1.4 [20/0] via 23.23.23.3, 05:49:07
     2.0.0.0/32 is subnetted, 2 subnets
C       2.2.2.4 is directly connected, Loopback2
C       2.2.2.5 is directly connected, Loopback3
     4.0.0.0/32 is subnetted, 1 subnets
B       4.4.4.4 [20/0] via 23.23.23.3, 05:49:07
     6.0.0.0/32 is subnetted, 2 subnets
B       6.6.6.8 [20/0] via 23.23.23.3, 05:43:57
B       6.6.6.9 [20/0] via 23.23.23.3, 05:43:57
     23.0.0.0/24 is subnetted, 1 subnets
C       23.23.23.0 is directly connected, FastEthernet0/0.1
     7.0.0.0/32 is subnetted, 1 subnets
B       7.7.7.9 [20/0] via 23.23.23.3, 05:49:09
R6(config-router)#do sh ip route  
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
B       1.1.1.4 [20/0] via 56.56.56.5, 05:48:33
     2.0.0.0/32 is subnetted, 2 subnets
B       2.2.2.4 [20/0] via 56.56.56.5, 05:44:10
B       2.2.2.5 [20/0] via 56.56.56.5, 05:44:10
     4.0.0.0/32 is subnetted, 1 subnets
B       4.4.4.4 [20/0] via 56.56.56.5, 05:49:04
     6.0.0.0/32 is subnetted, 2 subnets
C       6.6.6.8 is directly connected, Loopback2
C       6.6.6.9 is directly connected, Loopback3
     7.0.0.0/32 is subnetted, 1 subnets
B       7.7.7.9 [20/0] via 56.56.56.5, 05:49:06
     56.0.0.0/24 is subnetted, 1 subnets
C       56.56.56.0 is directly connected, FastEthernet0/1.1
R7(config-router)#do sh ip route  
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
B       1.1.1.4 [20/0] via 57.57.57.5, 05:45:05
     2.0.0.0/32 is subnetted, 2 subnets
B       2.2.2.4 [20/0] via 57.57.57.5, 05:48:41
B       2.2.2.5 [20/0] via 57.57.57.5, 05:48:41
     4.0.0.0/32 is subnetted, 1 subnets
B       4.4.4.4 [20/0] via 57.57.57.5, 05:49:12
     6.0.0.0/32 is subnetted, 2 subnets
B       6.6.6.8 [20/0] via 57.57.57.5, 05:49:12
B       6.6.6.9 [20/0] via 57.57.57.5, 05:49:12
     7.0.0.0/32 is subnetted, 1 subnets
C       7.7.7.9 is directly connected, Loopback2
     57.0.0.0/24 is subnetted, 1 subnets
C       57.57.57.0 is directly connected, Serial0/0.1

As you might have noticed, I did summarization on R1 to show you different things we can do with VPN routes. I did this summarization with the “aggregate-address” command as follows:

R1(config-router)#do sh run | sec bgp
router bgp 1
 address-family ipv4 vrf A
  aggregate-address 1.1.1.0 255.255.255.252 summary-only

This causes the 1.1.1.1/32 and 1.1.1.2/32 networks to be summarized into one network, 1.1.1.0/30, which can be seen in our VRF routing table.
And the final ping test:

R1(config-router)#do ping 2.2.2.5 so lo2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.5, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.4 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/45/108 ms
R1(config-router)#do ping 7.7.7.9 so lo2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.9, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.4 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/70/100 ms
R1(config-router)#do ping vrf A 7.7.7.8 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.8, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/56/100 ms
R2(config-router)#do ping 6.6.6.8 so lo2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.8, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.4 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/79/96 ms
R2(config-router)#do ping vrf B 6.6.6.6 so lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.3 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/100/116 ms
