MPLSLayer3VPNBGPASOverride

1vote
BGPhasasimplelooppreventionmechanismforexternalBGP.WhenyouseeyourownASnumberinthe
ASpath,wedonotaccepttheprefix.ThismechanismisfineforInternetroutingbuttherearesomeother
scenarioswherethismightbeanissue.Takealookatthefollowingtopology:

AbovewehaveasmallMPLSVPNnetworkwithtwocustomersites.ThecustomerisusingthesameAS
number(1)forbothsites.WhenCE1orCE2receiveanupdatefromeachothertheywillnotacceptitsince
theirownASnumberwillbeintheASpath.Letsfindoutifthisistrue.Herearetheconfigurationsofall
routers:

Configurations CE1 PE1 P PE2 CE2

Hereyouwillfindthestartupconfigurationsofeachdevice.

Letsfindoutwhatisgoingon.FirstwellcheckifthePEroutershaveaVPNroutefortheprefixesfromthe
CErouters:

PE1#showipbgpvpnv4all

NetworkNextHopMetricLocPrfWeightPath
RouteDistinguisher:1:1(defaultforvrfCUSTOMER)
*>1.1.1.1/32192.168.12.10012i
*>i5.5.5.5/324.4.4.40100012i

PE2#showipbgpvpnv4all

NetworkNextHopMetricLocPrfWeightPath
RouteDistinguisher:1:1(defaultforvrfCUSTOMER)
*>i1.1.1.1/322.2.2.20100012i
 *>5.5.5.5/32192.168.45.50012i

ThePEroutershaveanentryfortheloopbackinterfacesoftheCErouters.Aretheyadvertisingthesetothe
CErouters?

PE1#showipbgpvpnv4allneighbors192.168.12.1advertised-routes
BGPtableversionis16,localrouterIDis2.2.2.2
Statuscodes:ssuppressed,ddamped,hhistory,*valid,>best,i-
internal,
rRIB-failure,SStale,mmultipath,bbackup-path,fRT-
Filter,
xbest-external,aadditional-path,cRIB-compressed,
Origincodes:i-IGP,e-EGP,?-incomplete
RPKIvalidationcodes:Vvalid,Iinvalid,NNotfound

NetworkNextHopMetricLocPrfWeightPath
RouteDistinguisher:1:1(defaultforvrfCUSTOMER)
*>i5.5.5.5/324.4.4.40100012i

Totalnumberofprefixes1

PE2#showipbgpvpnv4allneighbors192.168.45.5advertised-routes
BGPtableversionis18,localrouterIDis4.4.4.4
Statuscodes:ssuppressed,ddamped,hhistory,*valid,>best,i-
internal,
rRIB-failure,SStale,mmultipath,bbackup-path,fRT-
Filter,
xbest-external,aadditional-path,cRIB-compressed,
Origincodes:i-IGP,e-EGP,?-incomplete
RPKIvalidationcodes:Vvalid,Iinvalid,NNotfound

NetworkNextHopMetricLocPrfWeightPath
RouteDistinguisher:1:1(defaultforvrfCUSTOMER)
*>i1.1.1.1/322.2.2.20100012i

Totalnumberofprefixes1

ThePEroutersareadvertisingthesetotheCErouters.LetschecktheCErouters:

CE1#showipbgp

NetworkNextHopMetricLocPrfWeightPath
*>1.1.1.1/320.0.0.0032768i

CE2#showipbgp

NetworkNextHopMetricLocPrfWeightPath
*>5.5.5.5/320.0.0.0032768i

TheresnothingtheretheyonlyhavetheprefixontheirownloopbackinterfaceintheBGPtable.Letsenable
adebugonCE1tofigureoutwhyitsnotacceptinganythingfromPE1:

CE1#debugipbgpallupdates
BGPupdatesdebuggingisonforalladdressfamilies

Letsresettheneighboradjacency:

CE1#clearipbgp*

Hereswhatyouwillsee:
 CE1#
BGP(0):192.168.12.2rcvUPDATEabout5.5.5.5/32--DENIEDdueto:AS-PATH
containsourownAS

NosurpriseshereCE1isdenyingtheupdatesinceitseesitsownASnumberintheASpath.Ifwewantto
keepthesameASnumberonCE1andCE2thentherearetwopossiblesolutionsforthisissue:

Allow-ASin:thiscanbeconfiguredontheCErouterswhichtellsthemtoacceptprefixeswiththeirown
ASnumberintheASpath.
ASoverride:thiscanbeconfiguredonthePErouters,theASnumberwillbereplacedwiththeASnumber
fromtheserviceprovider.

ThislessonisaboutASoverridesothatswhatwewilldo.LetsconfigurethePErouters:

PE1(config)#routerbgp234
PE1(config-router)#address-familyipv4vrfCUSTOMER
PE1(config-router-af)#neighbor192.168.12.1as-override

PE2(config)#routerbgp234
PE2(config-router)#address-familyipv4vrfCUSTOMER
PE2(config-router-af)#neighbor192.168.45.5as-override

Tospeedthingsup,letscleartheBGPneighboradjacenciesonthePErouters:

PE1&PE2#clearipbgp*

LetstakeanotherlookattheCErouters:

CE1#showipbgp5.5.5.5
BGProutingtableentryfor5.5.5.5/32,version7
Paths:(1available,best#1,tabledefault)
Notadvertisedtoanypeer
RefreshEpoch1
234234
192.168.12.2from192.168.12.2(2.2.2.2)
OriginIGP,localpref100,valid,external,best
rxpathid:0,txpathid:0x0

CE2#showipbgp1.1.1.1
BGProutingtableentryfor1.1.1.1/32,version7
Paths:(1available,best#1,tabledefault)
Notadvertisedtoanypeer
RefreshEpoch1
234234
192.168.45.4from192.168.45.4(4.4.4.4)
OriginIGP,localpref100,valid,external,best
rxpathid:0,txpathid:0x0

TheCEroutershavenowlearnedeachothersprefixes.Ifyoutakeacloserlook,youcanseethatASnumber
1hasbeenreplacedwithASnumber234.

Onefinalcheck,letsseeifthereisconnectivitybetween1.1.1.1and5.5.5.5:

CE1#ping5.5.5.5sourceloopback0
Typeescapesequencetoabort.
Sending5,100-byteICMPEchosto5.5.5.5,timeoutis2seconds:
Packetsentwithasourceaddressof1.1.1.1
!!!!!
Successrateis100percent(5/5),round-tripmin/avg/max=6/8/11ms

Excellentthisisworking!Wanttotakealookattheseconfigurationsyourself?
 Configurations CE1 PE1 P PE2 CE2

Hereyouwillfindthestartupconfigurationsofeachdevice.

Conclusion
ASoverrideisasimpletechniquetochangetheASnumberofupdatesthatyouadvertisetoyourexternal
BGPneighbors.AnothersolutionisallowASinbutthisisconfiguredontheCErouters.Sinceweare
overrulingtheexternalBGPlooppreventionmechanismyouhavetomakesurethatyouhavealoop-free
topology.

InthisscenariotherearenoissuessincetheCEroutersarestubs,theyonlyhaveoneexitpath.Whenyour
customersitesaremultihomedorhaveabackdoorlinkthenyouneedtousetheBGPSoO(SiteofOrigin)
communitytoensureyouhavealoopfreetopology.Thisissomethingwellcoverinanotherlesson.