
Introduction Inter-AS L3VPN

Extending VPN services over Inter-AS networks
• VPN sites attached to different MPLS VPN Service Providers
• How do you distribute and share VPN routes between ASs

[Figure: CE1, AS #1 (ASBR1), AS #2 (ASBR2), CE2. Labels: Back-to-Back VRFs (Option A); MP-eBGP for VPNv4 (Option B); Multihop MP-eBGP between RRs (Option C); MP-eBGP+Labels]
Intra-AS MPLS VPNs Review
Route Distinguisher (RD)
t IPv4 routes to VPNv4
Route Target allows VPN
to be imported/
exported to/from a VPN
PE loopbacks are known
P protocol carries
routes and
communities using BGP
address-families
[Figure: MPLS Core with PE1, P1, P2, PE2; labels VPN/VRF Endpoints and 18.1/16. MP-iBGP Update: BGP VPN-IPv4 Net=RD:16.1/16, NH=PE1, Route Target 100:1, VPN Label=40. MP-iBGP Update: BGP VPN-IPv4 Net=RD:18.1/16, NH=PE1, Route Target 100:1, VPN Label=41. Packet shown as: IP 40 P1 IP]
Inter-AS VPN—Option A
Connecting ASBRs using Back-to-Back VRFs
[Figure: AS1 (P1, PE-ASBR1) and AS2 (PE-ASBR2, P2) joined by a VRF-Lite Configuration. Each ASBR Thinks the Other Is a CE. Unlabeled IP Packets between the ASBRs. BGP VPN-IPv4 update: Net=RD:16.1/16, NH=PE1, Route Target 100:1, VPN Label=40; the second update is cropped. Packet sequence shown: 40 P1 IP 40 IP IP 80 P2 IP 8]
ders prefer not to share MPLS link
al interface per VPN/VRF on directly connected ASBRs;
forwarded as an IP packet between the ASBRs
use any supported PE-CE routing protocol
olicies negotiated and configured manually on the ASBRs
s the most secure and easiest to provision
Inter-AS VPN—Option B
ecting two ASBRs – Two Methods

Redistribute eBGP link into the IGP of both AS
[Figure labels: ASBR1, ASBR2, AS #1, IGP1, IGP2, PE1]

eceiving PE-ASBRs be the next hop
[Figure: ASBR1 and ASBR2, AS #1; callout "I'm the Next Hop to AS2" and a second, cropped callout "I'm the ... Hop to"]
Inter-AS VPN—Option B
Establishing reachability between geographically dispersed VPNs
Next Hop Self on ASBRs
[Figure: Customer-A sites CE1 and CE2 (152.12.4.0/24) attached to AS #1 and AS #2. eBGP for VPNv4: Label Exchange between Gateway PE-ASBR Routers (ASBR1, ASBR2) Using eBGP. VPN-v4 update: RD:1:27:152.12.4.0/24, NH=ASBR1, RT=1:222, Label=(L2). VPNv4 Prefixes/Labels from PEs Distributed to ASBRs. The other updates in the figure are cropped.]


Inter-AS VPN—Option B
Establishing reachability between geographically dispersed VPNs us
Self on ASBRs

Virtual Routing Forwarding tables on ASBRs unless ASBR also supp


ctionality (has VRF interfaces)

OS, Receiving PE-ASBR automatically creates a /32 host route to a


ich must be advertised into receiving IGP if next-hop-self is not in operation to maintain the LSP

XR, must define a static route to the Next Hop of peer ASBR for Opti
ll as all address families (IPv4, IPv6, VPNv4, VPNv6). The CLI is o
tion B configuration example.
XR, must define route-policy to pass or filter selected VPNv4 routes f
and Option C as well as all address families (IPv4, IPv6, VPNv4, V
I is only shown in Option B configuration example.

SBR-ASBR link must be directly connected!!!!!! Could use


Inter-AS VPN—Option B
End-to-end VPN packet forwarding - Next Hop Self on ASBRs
[Figure: packet to 152.12.4.1 forwarded between CE2/VPN-R2 and CE1/VPN-R1 (152.12.4.0/24) across AS #2, ASBR2, ASBR1 and AS #1; labels L1, L2 and L3 shown along the path]

L3 are BGP VPN label.


Inter-AS VPN—Option B
Cisco IOS ASBR eBGP configuration
[Figure: eBGP for VPNv4 between ASBR1 (AS #1) and ASBR2 (AS #2)]
!
router bgp 1
 neighbor <ASBR2> remote-as 2
 neighbor <PE1> remote-as 1
 neighbor <PE1> update-source loopback0
 ! Keep VPNv4 routes whose route targets no local VRF imports
 no bgp default route-target filter
 !
 address-family vpnv4
  ! iBGP session to PE1: ASBR1 sets itself as next hop
  neighbor <PE1> activate
  neighbor <PE1> next-hop-self
  ! eBGP session to ASBR2: carry route targets as extended communities
  neighbor <ASBR2> activate
  neighbor <ASBR2> send-community extended
Inter-AS VPN—Option B
IOS XR ASBR1 Configuration
[Figure: eBGP for VPNv4 between ASBR1 (AS #1, Int gig0/0/1, 50.0.0.1) and ASBR2 (AS #2, Int gig0/0/1, 50.0.0.2); PE1 and PE2 shown]
router bgp 1
 mpls activate
  ! MPLS forwarding on the ASBR-ASBR link
  interface <type & #>
 !
 address-family vpnv4 unicast
 !
 neighbor <ASBR2>
  remote-as 2
  ! VPNv4 address family for the ASBR peer
  address-family vpnv4 unicast
   ! Policies that allow forwarding of VPNv4 routes to the other AS
   route-policy pass-all in
   route-policy pass-all out
 !
 neighbor <PE1>
  remote-as 1
  update-source loopback0
  address-family vpnv4 unicast
   ! Set ASBR1 as next-hop-self
   next-hop-self
!
router static
 address-family ipv4 unicast
  ! Static route for the ASBR-ASBR link must be configured; it is not installed automatically as in IOS
  50.0.0.2/32 interface gig0/0/1
!
route-policy pass-all
  pass
end-policy
Inter-AS VPN—Option C
Multihop eBGP VPNv4 Between RRs for better scale
Route Reflectors exchange VPNv4 routes
Exchange PE loopbacks (IPv4) with labels as these
BGP NH addresses
Eliminates LFIB duplication at ASBRs. ASBRs don’t hold
prefix/label info.

Options for Label Distribution for BGP NH Addresses for
each domain:
BGP IPv4 + Labels (RFC3107) – most preferred & recommended
IGP + LDP Labels

Exchange Label Advertisement Capability - Enables
d LSP Paths

Subsequent Address Family Identifier (SAFI value 4) field is
to indicate that the NLRI contains a label
[Figure labels: RR1, ASBR1, AS #1, PE1; remaining labels are cropped]
Inter-AS VPN—Option C
Establishing reachability between VPNs
[Figure: RR1 and RR2 exchange a BGP VPNv4 update: RD:1:27:152.12.4.0/24, NH=PE1, RT=1:222, Label=(L1). Callout "To ASBR2": Network=PE1, NH=ASBR-1, Label=(L2). Callout "From ASBR1": Network=PE1, NH=ASBR-2, Label=(L3). Also shown: ASBR1, ASBR2, AS #1, CE1/VPN-R1, CE2/VPN-R2, 152.12.4.0/24, and a cropped "BGP, OSPF" label]
tore PE loopbacks & exchange labels for PE Loopback addresses
Inter-AS VPN—Option C
VPN packet forwarding
[Figure: packet to 152.12.4.1 forwarded between CE2/VPN-R2 and CE1/VPN-R1 (152.12.4.0/24) via ASBR2 and ASBR1, with RR1 and RR2 shown; label stacks shown: L3 L1, L1, L2 L1]

L1 is a VPN label. L2 and L3 are IPv4 labels.

Outermost core (IGP labels in an AS) label is not displayed on this slide.
Inter-AS VPN—Option C
IPv4+Label, Cisco IOS Configuration
pv4
 activate   !
 send-label   router bgp 1
neighbor <RR2> ebgp-multihop
RR1   !
address-family ipv4
RR2
neighbor <RR2> activate
ASBR1
AS #1   neighbor <PE1> activate
neighbor <PE1> send-label
  ASBR2
neighbor <ASBR1> activate
  neighbor <ASBR1> send-label
address-family ipv4   !
neighbor <ASBR2> activate   address-family vpnv4
neighbor <ASBR2> send-label   neighbor <RR2> next-hop-unch
exit-address-family
neighbor <RR1> activate   !
Inter-AS VPN—Option C
IPv4+Label, Cisco IOS XR Configuration
! Command towards all peers!
address-family ipv4 labeled-unicast
[Figure labels: RR1, RR2, AS #1, ASBR1, ASBR2]
!
router bgp 1
 address-family vpnv4 unicast
 !
 neighbor <RR2>
  remote-as 2
  ebgp-multihop 255
  address-family vpnv4 unicast
Inter-AS L3VPN Summary
Three models: Option A, B, and C
Option A is the most secure, least invasive. Supports granular QoS.
Option B is more scalable than Option A for high numbers of VRFs. More adoptable
ovider corporations
Less invasive than Option C, more invasive than Option A
More scalable than Option A if there are high numbers of VRFs
Use eBGP for ASBR peering
ASBRs store VPNv4 routes and allocate labels for VPN prefixes
Option C is the most scalable and most invasive, mostly deployed in a single service provider network
Use ASBRs to handle IPv4 PE loopbacks
Route Reflectors exchange VPNv4 routes
