Meddane

eBGP can be used on the PE-CE links. Under the address-family ipv4 vrf section of the router bgp command on the PE router, we need to configure the CE router as the eBGP neighbor and activate it. In this example the CE routers are in autonomous system 65000 in VRF CCIE and the PE routers are in autonomous system 10.

The issue is that if the customer uses the same ASN at different sites, the CE routers drop the BGP routes because of the default behavior of BGP, which is a prevention mechanism against loops.

 

Here is the complete configuration of all routers, before the verification and before configuring the two features that solve this issue, Autonomous System Override (as-override) and allowas-in:

 

CE-A1:

interface Loopback0

 ip address 172.16.1.1 255.255.255.0

!

interface FastEthernet0/0

 ip address 10.1.1.2 255.255.255.0

!

router bgp 65000

 no synchronization

 bgp log-neighbor-changes

 network 10.1.1.0 mask 255.255.255.0

 network 172.16.1.0 mask 255.255.255.0

 neighbor 10.1.1.1 remote-as 10

 no auto-summary

 

CE-A2:

interface Loopback0

 ip address 172.16.2.1 255.255.255.0

!

interface FastEthernet0/0

 ip address 10.2.2.2 255.255.255.0

!

router bgp 65000

 no synchronization

 bgp log-neighbor-changes

 network 10.2.2.0 mask 255.255.255.0

 network 172.16.2.0 mask 255.255.255.0

 neighbor 10.2.2.1 remote-as 10

 no auto-summary

 

PE1:

ip vrf CCIE

 rd 1:111

 route-target export 1:100

 route-target import 1:100

!

interface Loopback0

 ip address 1.1.1.1 255.255.255.255

!

interface FastEthernet0/0

 ip vrf forwarding CCIE

 ip address 10.1.1.1 255.255.255.0

!

interface s1/0

 ip address 192.168.1.1 255.255.255.0

 mpls ip

!

router ospf 1

 network 1.1.1.1 0.0.0.0 area 0

 network 192.168.1.0 0.0.0.255 area 0

!

router bgp 10

 no synchronization

 bgp log-neighbor-changes

 neighbor 2.2.2.2 remote-as 10

 neighbor 2.2.2.2 update-source Loopback0

 neighbor 2.2.2.2 next-hop-self

 no auto-summary

 !

 address-family vpnv4

  neighbor 2.2.2.2 activate

  neighbor 2.2.2.2 send-community extended

 exit-address-family

 !

 address-family ipv4 vrf CCIE

  neighbor 10.1.1.2 remote-as 65000

  neighbor 10.1.1.2 activate

  no synchronization

 exit-address-family

 

PE2:

ip vrf CCIE

 rd 1:111

 route-target export 1:100

 route-target import 1:100

!

interface Loopback0

 ip address 2.2.2.2 255.255.255.255

!

interface FastEthernet0/0

 ip vrf forwarding CCIE

 ip address 10.2.2.1 255.255.255.0

!

interface s1/0

 ip address 192.168.2.1 255.255.255.0

 mpls ip

!

router ospf 1

 network 2.2.2.2 0.0.0.0 area 0

 network 192.168.2.0 0.0.0.255 area 0

!

router bgp 10

 no synchronization

 bgp log-neighbor-changes

 neighbor 1.1.1.1 remote-as 10

 neighbor 1.1.1.1 update-source Loopback0

 neighbor 1.1.1.1 next-hop-self

 no auto-summary

 !

 address-family vpnv4

  neighbor 1.1.1.1 activate

  neighbor 1.1.1.1 send-community extended

 exit-address-family

 !

 address-family ipv4 vrf CCIE

  neighbor 10.2.2.2 remote-as 65000

  neighbor 10.2.2.2 activate

  no synchronization

 exit-address-family

 

P:

Int loopback 0

 ip address 3.3.3.3 255.255.255.255

!

interface s1/0

 ip address 192.168.1.2 255.255.255.0

 mpls ip

!

interface s1/1

 ip address 192.168.2.2 255.255.255.0

 mpls ip

!

router ospf 1

 network 192.168.1.0 0.0.0.255 area 0

 network 192.168.2.0 0.0.0.255 area 0

 network 3.3.3.3 0.0.0.0 area 0

 

Let's verify the BGP tables of the PE1 and PE2 routers; they have learned all BGP routes:

 

PE1#show ip bgp vpnv4 all

BGP table version is 7, local router ID is 1.1.1.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,

              x best-external, a additional-path, c RIB-compressed,

Origin codes: i - IGP, e - EGP, ? - incomplete

RPKI validation codes: V valid, I invalid, N Not found

 

     Network          Next Hop            Metric LocPrf Weight Path

Route Distinguisher: 1:111 (default for vrf CCIE)

 r>  10.1.1.0/24      10.1.1.2                 0             0 65000 i

 *>i 10.2.2.0/24      2.2.2.2                  0    100      0 65000 i

 *>  172.16.1.0/24    10.1.1.2                 0             0 65000 i

 *>i 172.16.2.0/24    2.2.2.2                  0    100      0 65000 i

PE1#

 

PE1#show ip route vrf CCIE | beg Gate

Gateway of last resort is not set

 

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

C        10.1.1.0/24 is directly connected, FastEthernet0/0

L        10.1.1.1/32 is directly connected, FastEthernet0/0

B        10.2.2.0/24 [200/0] via 2.2.2.2, 00:07:20

      172.16.0.0/24 is subnetted, 2 subnets

B        172.16.1.0 [20/0] via 10.1.1.2, 00:07:20

B        172.16.2.0 [200/0] via 2.2.2.2, 00:07:20

PE1#

 

PE2#show ip bgp vpnv4 all

BGP table version is 13, local router ID is 2.2.2.2

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,

              x best-external, a additional-path, c RIB-compressed,

Origin codes: i - IGP, e - EGP, ? - incomplete

RPKI validation codes: V valid, I invalid, N Not found

 

     Network          Next Hop            Metric LocPrf Weight Path

Route Distinguisher: 1:111 (default for vrf CCIE)

 *>i 10.1.1.0/24      1.1.1.1                  0    100      0 65000 i

 r>  10.2.2.0/24      10.2.2.2                 0             0 65000 i

 *>i 172.16.1.0/24    1.1.1.1                  0    100      0 65000 i

 *>  172.16.2.0/24    10.2.2.2                 0             0 65000 i

PE2#

 

PE2#show ip route vrf CCIE | beg Gate

Gateway of last resort is not set

 

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

B        10.1.1.0/24 [200/0] via 1.1.1.1, 00:09:15

C        10.2.2.0/24 is directly connected, FastEthernet0/0

L        10.2.2.1/32 is directly connected, FastEthernet0/0

      172.16.0.0/24 is subnetted, 2 subnets

B        172.16.1.0 [200/0] via 1.1.1.1, 00:09:15

B        172.16.2.0 [20/0] via 10.2.2.2, 00:14:54

PE2#

 

Now let's verify the BGP tables of the CE-A1 and CE-A2 routers. We can see that they do not install the prefixes 172.16.2.0/24 and 172.16.1.0/24 respectively:

 

CE-A1#show ip bgp

BGP table version is 3, local router ID is 172.16.1.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,

              x best-external, a additional-path, c RIB-compressed,

Origin codes: i - IGP, e - EGP, ? - incomplete

RPKI validation codes: V valid, I invalid, N Not found

 

     Network          Next Hop            Metric LocPrf Weight Path

 *>  10.1.1.0/24      0.0.0.0                  0         32768 i

 *>  172.16.1.0/24    0.0.0.0                  0         32768 i

CE-A1#

 

CE-A2#show ip bgp

BGP table version is 3, local router ID is 172.16.2.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,

              x best-external, a additional-path, c RIB-compressed,

Origin codes: i - IGP, e - EGP, ? - incomplete

RPKI validation codes: V valid, I invalid, N Not found

 

     Network          Next Hop            Metric LocPrf Weight Path

 *>  10.2.2.0/24      0.0.0.0                  0         32768 i

 *>  172.16.2.0/24    0.0.0.0                  0         32768 i

CE-A2#

 

The debug ip bgp updates output on CE-A1 below shows why the CE-A1 router does not accept the prefix 172.16.2.0/24:

 

CE-A1#debug ip bgp updates

BGP updates debugging is on for address family: IPv4 Unicast

CE-A1#

*Jun 25 18:31:02.703: %BGP-5-NBR_RESET: Neighbor 10.1.1.1 reset (Peer closed the session)

*Jun 25 18:31:02.711: %BGP-5-ADJCHANGE: neighbor 10.1.1.1 Down Peer closed the session

*Jun 25 18:31:02.711: %BGP_SESSION-5-ADJCHANGE: neighbor 10.1.1.1 IPv4 Unicast topology base removed from session  Peer closed the session

*Jun 25 18:31:03.791: %BGP-5-ADJCHANGE: neighbor 10.1.1.1 Up

CE-A1#

*Jun 25 18:31:03.843: BGP(0): (base) 10.1.1.1 send UPDATE (format) 10.1.1.0/24, next 10.1.1.2, metric 0, path Local

*Jun 25 18:31:04.739: BGP(0): 10.1.1.1 rcv UPDATE w/ attr: nexthop 10.1.1.1, origin i, originator 0.0.0.0, merged path 10 65000, AS_PATH , community , extended community , SSA attribute

*Jun 25 18:31:04.747: BGPSSA ssacount is 0

*Jun 25 18:31:04.747: BGP(0): 10.1.1.1 rcv UPDATE about 10.2.2.0/24 -- DENIED due to: AS-PATH contains our own AS;

*Jun 25 18:31:04.751: BGP(0): 10.1.1.1 rcv UPDATE about 172.16.2.0/24 -- DENIED due to: AS-PATH contains our own AS;

CE-A1#

 

Each PE router sends the VRF CCIE routes with an as-path of [65000] in the vpnv4 update to the other PE routers. The BGP route that is sent to the remote CE router is the vpnv4 route that is converted to an IPv4 route when the RD is stripped off. The route is sent to the CE router via eBGP with an as-path of [10 65000]. The CE router drops the BGP update as it sees that its own ASN 65000 is in the update. This behavior is the default behavior of BGP and is a prevention mechanism against loops in BGP.

 

An easier solution is to have the PE router send the BGP prefix to the remote CE router with the as-path [10 10] instead of [10 65000]. The PE router simply checks the ASN of the CE router against the ASNs in the as-path. If there is a match, all occurrences of this ASN in the as-path are replaced with the ASN of the service provider, AS 10 in this case.

The neighbor 10.2.2.2 as-override and neighbor 10.1.1.2 as-override commands on PE2 and PE1 respectively are needed to override the ASN.

 

PE2(config)#router bgp 10

PE2(config-router)#address-family ipv4 unicast vrf CCIE

PE2(config-router-af)#neighbor 10.2.2.2 as-override

 

PE1(config)#router bgp 10

PE1(config-router)#address-family ipv4 unicast vrf CCIE

PE1(config-router-af)#neighbor 10.1.1.2 as-override

 

The debug shows that the prefix 172.16.2.0/24 is added to the BGP table:

 

CE-A1#

*Jun 25 18:48:59.699: BGP(0): 10.1.1.1 rcvd UPDATE w/ attr: nexthop 10.1.1.1, origin i, merged path 10 10, AS_PATH

*Jun 25 18:48:59.707: BGP(0): 10.1.1.1 rcvd 10.2.2.0/24

*Jun 25 18:48:59.711: BGP(0): 10.1.1.1 rcvd 172.16.2.0/24

*Jun 25 18:48:59.711: BGP(0): 10.1.1.1 rcv UPDATE about 10.1.1.0/24 -- withdrawn

*Jun 25 18:48:59.715: BGP(0): 10.1.1.1 rcv UPDATE about 172.16.1.0/24 -- withdrawn

*Jun 25 18:48:59.715: BGP(0): Revise route installing 1 of 1 routes for 10.2.2.0/24 -> 10.1.1.1(global) to main IP table

*Jun 25 18:48:59.719: BGP(0): Revise route installing 1 of 1 routes for 172.16.2.0/24 -> 10.1.1.1(global) to main IP table

CE-A1#

 

The show ip bgp command shows that as-override caused the PE routers to modify the AS_PATH. The AS_PATH is now [10 10]:

 

CE-A1#sh ip bgp

BGP table version is 5, local router ID is 172.16.1.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,

              x best-external, a additional-path, c RIB-compressed,

Origin codes: i - IGP, e - EGP, ? - incomplete

RPKI validation codes: V valid, I invalid, N Not found

 

     Network          Next Hop            Metric LocPrf Weight Path

 *>  10.1.1.0/24      0.0.0.0                  0         32768 i

 *>  10.2.2.0/24      10.1.1.1                               0 10 10 i

 *>  172.16.1.0/24    0.0.0.0                  0         32768 i

 *>  172.16.2.0/24    10.1.1.1                               0 10 10 i

CE-A1#

 

Same conclusion for CE-A2 router:

 

CE-A2#sh ip bgp

BGP table version is 5, local router ID is 172.16.2.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,

              x best-external, a additional-path, c RIB-compressed,

Origin codes: i - IGP, e - EGP, ? - incomplete

RPKI validation codes: V valid, I invalid, N Not found

 

     Network          Next Hop            Metric LocPrf Weight Path

 *>  10.1.1.0/24      10.2.2.1                               0 10 10 i

 *>  10.2.2.0/24      0.0.0.0                  0         32768 i

 *>  172.16.1.0/24    10.2.2.1                               0 10 10 i

 *>  172.16.2.0/24    0.0.0.0                  0         32768 i

CE-A2#

 

Now the ping passes successfully:

 

CE-A1#ping 172.16.2.1 sou lo0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:

Packet sent with a source address of 172.16.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 108/134/148 ms

CE-A1#

 

As another solution, instead of overriding autonomous system numbers in the as-path, you can instruct the CE router to loosen the check of the as-path.

 

CE-A1(config)#router bgp 65000

CE-A1(config-router)#neighbor 10.1.1.1 allowas-in 10

 

CE-A2(config)#router bgp 65000

CE-A2(config-router)#neighbor 10.2.2.1 allowas-in 10

 

The debug tells us that the prefix 172.16.2.0/24 is added into the BGP table:

 

CE-A1(config-router)#

*Jun 25 18:58:10.375: BGP: nbr_topo global 10.1.1.1 IPv4 Unicast:base (0x68ED4568:1) rcvd Refresh Start-of-RIB

*Jun 25 18:58:10.379: BGP: nbr_topo global 10.1.1.1 IPv4 Unicast:base (0x68ED4568:1) refresh_epoch is 2

*Jun 25 18:58:10.463: BGP(0): 10.1.1.1 rcvd UPDATE w/ attr: nexthop 10.1.1.1, origin i, merged path 10 65000, AS_PATH

*Jun 25 18:58:10.467: BGP(0): 10.1.1.1 rcvd 10.2.2.0/24

*Jun 25 18:58:10.471: BGP(0): 10.1.1.1 rcvd 172.16.2.0/24

*Jun 25 18:58:10.471: BGP: nbr_topo global 10.1.1.1 IPv4 Unicast:base (0x68ED4568:1) rcvd Refresh End-of-RIB

*Jun 25 18:58:10.483: BGP(0): Revise route installing 1 of 1 routes for 10.2.2.0/24 -> 10.1.1.1(global) to main IP table

CE-A1(config-router)#

*Jun 25 18:58:10.487: BGP(0): Revise route installing 1 of 1 routes for 172.16.2.0/24 -> 10.1.1.1(global) to main IP table

CE-A1(config-router)#end

 

We can see on CE-A1 that the AS_PATH is [10 65000] for the prefix 172.16.2.0/24, and the AS_PATH is [10 65000] for the prefix 172.16.1.0/24 on CE-A2.

Therefore, with the allowas-in feature, the PE1 and PE2 routers keep all the AS_PATH information:

 

CE-A1#sh ip bgp

BGP table version is 9, local router ID is 172.16.1.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,

              x best-external, a additional-path, c RIB-compressed,

Origin codes: i - IGP, e - EGP, ? - incomplete

RPKI validation codes: V valid, I invalid, N Not found

 

     Network          Next Hop            Metric LocPrf Weight Path

 *>  10.1.1.0/24      0.0.0.0                  0         32768 i

 *>  10.2.2.0/24      10.1.1.1                               0 10 65000 i

 *>  172.16.1.0/24    0.0.0.0                  0         32768 i

 *>  172.16.2.0/24    10.1.1.1                               0 10 65000 i

CE-A1#

 

CE-A2#sh ip bgp

BGP table version is 9, local router ID is 172.16.2.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,

              x best-external, a additional-path, c RIB-compressed,

Origin codes: i - IGP, e - EGP, ? - incomplete

RPKI validation codes: V valid, I invalid, N Not found

 

     Network          Next Hop            Metric LocPrf Weight Path

 *>  10.1.1.0/24      10.2.2.1                               0 10 65000 i

 *>  10.2.2.0/24      0.0.0.0                  0         32768 i

 *>  172.16.1.0/24    10.2.2.1                               0 10 65000 i

 *>  172.16.2.0/24    0.0.0.0                  0         32768 i

CE-A2#
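
The two relaxations of the loop check described above can be compared side by side with a small Python model, added here as an illustration (it is not code from the original article). It is a simplification: the function names are hypothetical, the prepended path is a constructed input, and the allowas-in argument is modelled as the number of local-AS occurrences the CE tolerates.

```python
# Added illustration: simplified model of the AS_PATH handling described above.
# ASNs and paths come from the article; function names are hypothetical.

PROVIDER_AS = 10      # PE1 / PE2
CUSTOMER_AS = 65000   # CE-A1 / CE-A2


def pe_advertise(vpn_path, pe_as, ce_as, as_override=False):
    """Build the AS_PATH a PE sends to its CE over eBGP.

    With as-override, every occurrence of the CE's ASN is replaced by the
    PE's ASN; the PE then prepends its own ASN as on any eBGP session.
    """
    path = list(vpn_path)
    if as_override:
        path = [pe_as if asn == ce_as else asn for asn in path]
    return [pe_as] + path


def ce_accepts(as_path, local_as, allowas_in=0):
    """Inbound loop check on the CE.

    By default (allowas_in=0) any occurrence of the local ASN denies the
    update; allowas-in N tolerates up to N occurrences of the local ASN.
    """
    return as_path.count(local_as) <= allowas_in


def scenario(vpn_path, as_override=False, allowas_in=0):
    """Return (AS_PATH seen by the remote CE, whether the CE accepts it)."""
    path = pe_advertise(vpn_path, PROVIDER_AS, CUSTOMER_AS, as_override)
    return path, ce_accepts(path, CUSTOMER_AS, allowas_in)


if __name__ == "__main__":
    site_route = [CUSTOMER_AS]               # 172.16.2.0/24 as carried in vpnv4
    prepended = [CUSTOMER_AS, CUSTOMER_AS]   # constructed: remote CE prepends once
    for label, args in [
        ("default", {}),
        ("as-override", {"as_override": True}),
        ("allowas-in 1", {"allowas_in": 1}),
    ]:
        for vpn_path in (site_route, prepended):
            path, ok = scenario(vpn_path, **args)
            print(f"{label:13} {vpn_path} -> {path} accepted={ok}")
```

The argument to allowas-in is an occurrence count (1 to 10), not an ASN, so the value 10 used in the configuration above is the widest setting. A lower value keeps more of the loop check in place, as the prepended path in the model shows.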
