Sunday, February 5, 2012

BGP PE-CE Routing Protocol Overview, Configuration, and Verification

BGP PE-CE Routing Protocol Overview, Configuration, and Verification


BGP version 4 (BGP4) is the current de facto Internet standard for inter-domain (AS) exterior routing. In MPLS VPN networks, MP-BGP is used and plays a pivotal role in the transportation of VPNv4 prefixes across the service provider network. In traditional environments, customer networks prefer to use BGP in their networks and, therefore, use BGP as a PE-CE routing protocol when migrating from a non-MPLS based to an MPLS VPN based network. This helps the customer establish a consistent end-to-end routing policy. In an MPLS VPN network, BGP attributes for a VPN site are transparently transported across the service provider backbone to another site in the same VPN. Because there is a single routing protocol used across the VPN between service provider core and customer sites, the concept of redistribution does not apply.

BGP PE-CE peering in an MPLS VPN environment can be performed in two different ways:

  • BGP PE-CE VPN sites implementing unique AS numbers
  • BGP PE-CE VPN sites implementing same AS numbers

In the MPLS VPN network shown in Figure 6-1, an MPLS VPN service provider plans to provision BGP PE-CE routing protocol for two customers, Customers A and B. CE1-A and CE2-A are CE devices belonging to Customer A located at Site 1 and Site 2, respectively. They are part of the same VPN, VPN-A. These CE devices are connected to provider edge devices PE1-AS1 and PE2-AS1 in the service provider network. CE1-A belongs to AS 65001 and CE2-A belongs to AS 65002. For Customer B network, CE1-A and CE2-A are the CE devices located at Site 1 and Site 2, respectively, and are part of the VPN, VPN-B. CE1-A and CE2-A belong to AS 65001 and are connected to PE1-AS1 and PE2-AS1, respectively.

Figure 6-1. MPLS VPN Provider Provisioning BGP PE-CE Routing


Implementing BGP PE-CE routing for the Customer A network is not an issue because the VPN sites use unique AS numbers. However, Customer B plans on using the same AS number on its sites. This causes an issue when migrating from a traditional non-MPLS based network topology, where the customer might use the same AS numbers at all his sites, to an MPLS VPN-based infrastructure due to the BGP loop prevention mechanism. The BGP loop prevention mechanism disallows customer sites having identical AS numbers to be linked by another AS number. In other words, if such a case occurs, routing updates from one site would be dropped when the other site receives them; therefore, connectivity cannot be established between the sites without additional configuration on the SP PE routers.

To explain this further, Figure 6-2 shows an MPLS VPN network provisioned for Customer B. As shown in Figure 6-2, BGP loop prevention mechanism on CE2-B finds 65001 in the AS-PATH; therefore, CE2-B rejects the 192.168.10.0/24 update from PE2-AS1 because it finds its own AS in the update.

Figure 6-2. BGP Loop Prevention Mechanism


To circumvent the BGP loop prevention mechanism, the AS-PATH update procedure in BGP was modified. The current AS-PATH update procedure allows customer topologies to reuse AS numbers at the sites by using the AS Override functionality. The functionality is made active only when the first AS number in the AS-PATH is equal to the AS number of the receiving BGP router. As shown in Figure 6-2, the first AS number in the AS-PATH is 65001, which is the AS number of CE2-B, the receiving router.

Figure 6-3 shows the AS Override functionality when identical AS numbers are used at customer sites. The AS Override function causes all leading occurrences of the AS number of the receiving BGP router to be replaced with the AS number of the sending BGP router. As shown in Step 3 of Figure 6-3, when AS Override is used, AS 65001 in the AS-PATH is replaced with the AS number of the sending BGP router PE2-AS1, which is 1. Any other occurrences (further down the AS-PATH) of the receiving router's AS number are not replaced because they indicate a real routing information loop. In addition, an extra copy of the sending router's AS number is prepended to the AS-PATH (standard AS number prepending procedure that occurs on every eBGP update) to maintain proper AS hop count for proper BGP route selection. Step 3 in Figure 6-3 shows that PE2-AS1 prepends AS 1 to BGP update.

Figure 6-3. AS Override Functionality


Configuration Flowchart to Implement BGP PE-CE Routing for VPN Sites with Unique and Same AS Numbers


Figure 6-4 shows the configuration flowchart to configure BGP PE-CE routing for VPN sites using unique and same BGP AS.

Figure 6-4. Configuration Flowchart for BGP PE-CE VPN Sites Implementing Unique and Similar AS


Implementing BGP PE-CE Routing for VPN Sites With Unique and Same AS Numbers


This configuration scenario demonstrates BGP PE-CE routing for VPN sites using same and different BGP AS numbers. You will use the topology shown in Figure 6-1, in which Customer A is using BGP AS 65001 and 65002 at Sites 1 and 2, respectively, and Customer B uses the same AS 65001 at both the sites. Before configuring, ensure that the provider network is provisioned to deliver MPLS VPN services to Customer A sites. It is also assumed that IP addresses are preconfigured and VRFs defined on PE routers. Example 6-1 provides the configuration steps defining VRF and its attributes on PE routers for BGP PE-CE routing.

Example 6-1. Define VRF Cust_A and Cust_B on PE Routers PE1-AS1 and PE2-AS1

PE1-AS1(config)#ip vrf Cust_A

PE1-AS1(config-vrf)# rd 1:100

PE1-AS1(config-vrf)# route-target both 1:100

PE1-AS1(config)#interface Serial1/0

PE1-AS1(config-if)# description connected to CE1-A

PE1-AS1(config-if)# ip vrf forwarding Cust_A

PE1-AS1(config-if)# ip address 172.16.1.1 255.255.255.252

PE1-AS1(config)#ip vrf Cust_B

PE1-AS1(config-vrf)# rd 1:200

PE1-AS1(config-vrf)# route-target both 1:200

PE1-AS1(config)#interface Serial2/0

PE1-AS1(config-if)# description connected to CE2-B

PE1-AS1(config-if)# ip vrf forwarding Cust_B

PE1-AS1(config-if)# ip address 192.168.1.1 255.255.255.252


The steps to configure BGP PE-CE routing on PE routers are as follows:

Step 1.
Configure per VRF BGP routing context on PE routers�Configure per VRF BGP routing contexts for Cust_A and Cust_B under the BGP routing process on PE1-AS1 and PE2-AS1. Example 6-2 demonstrates the per VRF BGP configuration on PE1-AS1. Repeat the steps on PE2-AS1. Note that the address-family IPv4 VRF contexts are seen by default in a router's configuration when relevant configurations for forming MP-iBGP sessions are configured on PE routers. In that case, address-family ipv4 vrf vrf-name command under the BGP routing process is keyed in to enter a particular VRF's IPv4 address-family context so that further configurations can be performed (as shown in Step 2).


Example 6-2. Configure per VRF BGP Routing Context on PE Routers
PE1-AS1(config)#router bgp 1

PE1-AS1(config-router)#address-family ipv4 vrf Cust_A

PE1-AS1(config)#router bgp 1

PE1-AS1(config-router)#address-family ipv4 vrf Cust_B

Step 2.
Define and activate BGP CE neighbors�In this step, under the BGP VRF routing context created in Step 1, the remote BGP CE neighbors are defined on the PE routers and activated. Example 6-3 shows the configuration to define BGP CE neighbors on the PE routers.


Example 6-3. Define and Activate BGP CE Neighbors
PE1-AS1(config-router-af)#neighbor 172.16.1.2 remote-as 65001

PE1-AS1(config-router-af)#neighbor 172.16.1.2 activate

________________________________________________________________

PE2-AS1(config-router-af)#neighbor 172.16.2.2 remote-as 65002

PE2-AS1(config-router-af)#neighbor 172.16.2.2 activate

________________________________________________________________

PE1-AS1(config-router-af)#neighbor 192.168.1.2 remote-as 65001

PE1-AS1(config-router-af)#neighbor 192.168.1.2 as-override

PE1-AS1(config-router-af)#neighbor 192.168.1.2 activate

________________________________________________________________

PE2-AS1(config-router-af)#neighbor 192.168.2.2 remote-as 65001

PE2-AS1(config-router-af)#neighbor 192.168.2.2 as-override

PE2-AS1(config-router-af)#neighbor 192.168.2.2 activate


CE Router Configuration

Example 6-4 shows the configuration on Routers CE CE1-A, CE2-A, CE1-B, and CE2-B.

Example 6-4. CE1-A, CE2-A, CE1-B, and CE2-B Configuration

hostname CE1-A

!

interface Ethernet0/0

description Customer A Site 1 network

 ip address 172.16.10.1 255.255.255.0

!

interface Serial1/0

description connected to PE1-AS1

 ip address 172.16.1.2 255.255.255.252

!

router bgp 65001

 no synchronization

network 172.16.10.0 mask 255.255.255.0

 neighbor 172.16.1.1 remote-as 1

 no auto-summary

__________________________________________________________________________

hostname CE2-A

!

interface Ethernet0/0

description Customer A Site 2 network

 ip address 172.16.20.1 255.255.255.0

!

interface Serial1/0

description connected to PE2-AS1

ip address 172.16.2.2 255.255.255.252

!

router bgp 65002

 no synchronization

network 172.16.20.0 mask 255.255.255.0

 neighbor 172.16.2.1 remote-as 1

 no auto-summary

__________________________________________________________________________

hostname CE1-B

!

interface Ethernet0/0

 description Customer B Site 1 network

 ip address 192.168.10.1 255.255.255.0

!

interface Serial1/0

description connected to PE1-AS1

 ip address 192.168.1.2 255.255.255.252

!

router bgp 65001

 no synchronization

 network 192.168.10.0

 neighbor 192.168.1.1 remote-as 1

 no auto-summary

__________________________________________________________________________

hostname CE2-B

!

interface Ethernet0/0

 description Customer B Site 2 network

 ip address 192.168.20.1 255.255.255.0

!

interface Serial1/0

 description connected to PE2-AS1

 ip address 192.168.2.2 255.255.255.252

!

router bgp 65001

 no synchronization

 network 192.168.20.0

 neighbor 192.168.2.1 remote-as 1

 no auto-summary


Final Configuration for BGP PE-CE VPN Sites Implementing Unique and Same BGP AS Numbers

Example 6-5 shows the detailed and final configurations on the PE1-AS1, PE2-AS1, and P1-AS1 routers.

Example 6-5. PE1-AS1, PE2-AS1, and P1-AS1 Final Configuration for BGP PE-CE VPN Sites Implementing Unique BGP AS

hostname PE1-AS1

!

ip cef

!

ip vrf Cust_A

 rd 1:100

 route-target export 1:100

 route-target import 1:100

!

ip vrf Cust_B

 rd 1:200

 route-target export 1:200

 route-target import 1:200

!

mpls ldp router-id Loopback0

!

interface Loopback0

 ip address 10.10.10.101 255.255.255.255

!

interface Serial0/0

 description connected to P1-AS1

 ip address 10.10.10.1 255.255.255.252

 mpls ip

!

interface Serial1/0

 description connected to CE1-A

 ip vrf forwarding Cust_A

 ip address 172.16.1.1 255.255.255.252

!

interface Serial2/0

 description connected to CE1-B

 ip vrf forwarding Cust_B

 ip address 192.168.1.1 255.255.255.252

!

router ospf 1

 router-id 10.10.10.101

 network 10.0.0.0 0.255.255.255 area 0

!

router bgp 1

 no synchronization

 neighbor 10.10.10.102 remote-as 1

 neighbor 10.10.10.102 update-source Loopback0

 no auto-summary

 !

 address-family vpnv4

 neighbor 10.10.10.102 activate

 neighbor 10.10.10.102 send-community extended

 exit-address-family

 !

 address-family ipv4 vrf Cust_B

 neighbor 192.168.1.2 remote-as 65001

 neighbor 192.168.1.2 activate

 neighbor 192.168.1.2 as-override

 no auto-summary

 no synchronization

 exit-address-family

 !

 address-family ipv4 vrf Cust_A

 neighbor 172.16.1.2 remote-as 65001

 neighbor 172.16.1.2 activate

 no auto-summary

 no synchronization

 exit-address-family

__________________________________________________________________________

hostname PE2-AS1

!

ip cef

!

ip vrf Cust_A

 rd 1:100

 route-target export 1:100

 route-target import 1:100

!

ip vrf Cust_B

 rd 1:200

 route-target export 1:200

 route-target import 1:200

!

mpls ldp router-id Loopback0

!

interface Loopback0

 ip address 10.10.10.102 255.255.255.255

!

interface Serial0/0

 description connected to P1-AS1

 ip address 10.10.10.5 255.255.255.252

 mpls ip

!

interface Serial1/0

 description connected to CE2-A

 ip vrf forwarding Cust_A

 ip address 172.16.2.1 255.255.255.252

!

interface Serial2/0

 description connected to CE2-B

 ip vrf forwarding Cust_B

 ip address 192.168.2.1 255.255.255.252

!

router ospf 1

 router-id 10.10.10.102

 network 10.0.0.0 0.255.255.255 area 0

!

router bgp 1

 no synchronization

 neighbor 10.10.10.101 remote-as 1

 neighbor 10.10.10.101 update-source Loopback0

 no auto-summary

 !

 address-family vpnv4

 neighbor 10.10.10.101 activate

 neighbor 10.10.10.101 send-community extended

 exit-address-family

 !

 address-family ipv4 vrf Cust_B

 neighbor 192.168.2.2 remote-as 65001

 neighbor 192.168.2.2 activate

 neighbor 192.168.2.2 as-override

 no auto-summary

 no synchronization

 exit-address-family

 !

 address-family ipv4 vrf Cust_A

 neighbor 172.16.2.2 remote-as 65002

 neighbor 172.16.2.2 activate

 no auto-summary

 no synchronization

 exit-address-family

__________________________________________________________________________

hostname P1-AS1

!

ip cef

!

interface Loopback0

 ip address 10.10.10.200 255.255.255.255

!

interface Serial0/0

description connected to PE1-AS1

 ip address 10.10.10.2 255.255.255.252

 mpls ip

!

interface Serial1/0

description connected to PE2-AS1

 ip address 10.10.10.6 255.255.255.252

 mpls ip

!

router ospf 1

 log-adjacency-changes

 network 10.0.0.0 0.255.255.255 area 0


Verifying BGP PE-CE Routing for VPN Sites Implementing Unique and Different BGP AS Numbers

The steps to verify BGP PE-CE routing for VPN sites implementing unique and different BGP AS numbers are

Step 1.
Verify BGP neighbor relationship on PE1-AS1 and PE2-AS1�Verify the BGP neighbor relationship between PE-CE routers. Example 6-6 shows that the BGP neighbor relationship is established 
between PE1-AS1 and CE routers CE1-A and CE2-B. PE1-AS1 has received two prefixes from PE2-AS1 (10.10.10.102) and one from each CE router. The BGP neighbor relationship can also be verified by issuing show ip bgp neighbor ip-address.


Example 6-6. show ip bgp vpnv4 all summary on PE Routers
PE1-AS1#show ip bgp vpnv4 all summary

<output truncated for brevity>

Neighbor        V    AS MsgRcvd MsgSent  TblVer InQ OutQ Up/Down  State/PfxRcd

10.10.10.102    4     1      11      11       9   0    0 00:06:30        2

172.16.1.2      4 65001      11      11       9   0    0 00:06:06        1

192.168.1.2     4 65001      11      11       9   0    0 00:06:05        1

______________________________________________________________________________

PE2-AS1#show ip bgp vpnv4 all summary

<output truncated for brevity>

Neighbor        V    AS MsgRcvd MsgSent  TblVer InQ OutQ Up/Down  State/PfxRcd

10.10.10.101    4     1      12      12       9   0    0 00:07:23        2

172.16.2.2      4 65002      12      12       9   0    0 00:07:30        1

192.168.2.2     4 65001      12      12       9   0    0 00:07:30        1

Step 2.
Verify VRF routing table on PE1-AS1 and PE2-AS1�Check VRFs Cust_A and Cust_B routing table to see if CE networks are received by the connected PE routers. Example 6-7 outlines that PE1-AS1 has received CE2-A network (172.16.20.0/24) from the PE2-AS1 router and 172.16.10.0/24 from the connected CE router, CE1-A.


Example 6-7. VRF Routing Table on PE Routers
PE1-AS1#show ip route vrf Cust_A bgp

     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks

B       172.16.20.0/24 [200/0] via 10.10.10.102, 00:07:10

B       172.16.10.0/24 [20/0] via 172.16.1.2, 00:07:38

________________________________________________________________

PE1-AS1#show ip route vrf Cust_B bgp

B    192.168.10.0/24 [20/0] via 192.168.1.2, 00:07:43

B    192.168.20.0/24 [200/0] via 10.10.10.102, 00:07:15

________________________________________________________________

PE2-AS1#show ip route vrf Cust_A bgp

     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks

B       172.16.20.0/24 [20/0] via 172.16.2.2, 00:08:30

B       172.16.10.0/24 [200/0] via 10.10.10.101, 00:08:15

________________________________________________________________

PE2-AS1#show ip route vrf Cust_B bgp

B    192.168.10.0/24 [200/0] via 10.10.10.101, 00:08:18

B    192.168.20.0/24 [20/0] via 192.168.2.2, 00:08:33

Step 3.
Verify BGP VPNv4 routing table on PE1-AS1 and PE2-AS1�Check the BGP VPNv4 routing table to verify CE networks on the PE routers. Example 6-8 shows PE1-AS1 has 172.16.20.0/24 and 192.168.20.0/24 prefixes in the BGP table from the remote PE router, PE2-AS1, and 172.16.10.0 and 192.168.10.0 from the local CE routers, CE1-A and CE1-B. Similar output is also seen on PE2-AS1.


Example 6-8. VPNv4 Routing Table on PE Routers
PE1-AS1#show ip bgp vpnv4 all

BGP table version is 9, local router ID is 10.10.10.101

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete



   Network          Next Hop             Metric LocPrf Weight Path

Route Distinguisher: 1:100 (default for vrf Cust_A)

*> 172.16.10.0/24   172.16.1.2               0              0 65001 i

*>i172.16.20.0/24   10.10.10.102             0    100       0 65002 i

Route Distinguisher: 1:200 (default for vrf Cust_B)

*> 192.168.10.0     192.168.1.2              0              0 65001 i

*>i192.168.20.0     10.10.10.102             0    100       0 65001 i

_______________________________________________________________________________

PE2-AS1#show ip bgp vpnv4 all

BGP table version is 9, local router ID is 10.10.10.102

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete



   Network          Next Hop            Metric LocPrf Weight Path

Route Distinguisher: 1:100 (default for vrf Cust_A)

*>i172.16.10.0/24   10.10.10.101             0    100       0 65001 i

*> 172.16.20.0/24   172.16.2.2               0              0 65002 i

Route Distinguisher: 1:200 (default for vrf Cust_B)

*>i192.168.10.0     10.10.10.101             0    100       0 65001 i

*> 192.168.20.0     192.168.2.2              0              0 65001 i

Step 4.
Verify end-to-end connectivity via ping�Verify end-to-end connectivity between CE1-A and CE2-A by issuing a ping from CE1-A to network 172.16.20.1/24 on CE2-A and vice versa. Example 6-9 shows the result of the ping operation.


Example 6-9. Verify End-to-End Connectivity on CE Routers
CE1-A#ping 172.16.20.1 source 172.16.10.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.20.1, timeout is 2 seconds:

Packet sent with a source address of 172.16.10.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 76/79/84 ms

_______________________________________________________________________

CE1-B#ping 192.168.20.1 source 192.168.10.1



Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.10.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 80/80/84 ms
Related Posts Plugin for WordPress, Blogger...