Inter-AS VPRN Model B
This chapter describes the Inter-AS VPRN Model B.
Topics in this chapter include:
Applicability
This chapter was initially written for SR OS Release 15.0.R8, but the CLI in the current edition is based on SR OS Release 22.2.R1.
Overview
An inter-AS Virtual Private Routed Network (VPRN) contains sites that are connected to different Autonomous Systems (ASs). Inter-AS is typically used either to provide extended reach through a partnership/trust agreement, as an interim means to interconnect ASs following acquisition, or because of the internal organization of a single Service Provider (SP). Three models for interconnecting ASs are defined in RFC 4364, labeled model A, B, and C. This chapter describes model B.
Inter-AS VPRN model B encompasses EBGP redistributing VPN-IPv4 and VPN-IPv6 routes between neighboring ASs. An Autonomous System Border Router (ASBR) learns VPN routes from within its AS using IBGP, potentially as a client of a Route Reflector (RR), then uses EBGP to redistribute those labeled VPN routes to its adjacent ASBR.
When redistributing the routes into EBGP, the ASBR imposes next-hop-self on the VPN-IPv4 and VPN-IPv6 update messages and generates its own label value when it advertises the update message upstream. Therefore, the ASBR programs a label-swap entry in its FIB and forwards traffic to the neighboring ASBR using a single-level label stack (the VPN label).
A key property of model B is that it eliminates the need for per-VPRN configuration on the ASBRs. However, both ASBRs must have a mechanism to implicitly learn all VPN prefixes within their local AS and selectively advertise some of those prefixes to the neighboring ASBR.
Inter-AS VPRN Model B control and data plane example shows an example of the control plane and corresponding data plane used in model B, where MPLS is used for transport in both ASs. CE-1 is attached to PE-1 in AS 64496 and advertises prefix 172.31.100.0/24, which is propagated between neighboring ASBRs to PE-2 in AS 64510 and upstream to CE-2.
The IP traffic originating from CE-2 and received by PE-2 is received on the VRF interface of VPRN 100 and encapsulated using a two-level label stack; the inner label is the VPN label (300) and the outer label is the LDP transport label used for reaching the local ASBR-2.
ASBR-2 passes the traffic to ASBR-1, removing the LDP transport label and swapping the VPN label (300) with its VPN label (200), resulting in a single-level label stack.
In turn, ASBR-1 swaps the received VPN label (200) with another VPN label (100) and adds an LDP transport label to reach PE-1.
Finally, PE-1 removes the VPN label and delivers the unlabeled IP traffic to CE-1.
Configuration
In the example shown in Inter-AS VPRN Model B topology, IS-IS is configured in each AS, and MP-IBGP sessions are established between the PEs and the RRs in AS 64496 and 64510, PE-3 and PE-7, respectively. LDP and RSVP-TE is used for transport in AS 64496, whereas AS 64510 uses LDP for its transport. An MP-EBGP session is established between ASBR PE-4 and ASBR PE-8.
The initial configuration includes:
Cards, MDAs, and ports
Router interfaces
IS-IS as IGP on all interfaces (alternatively, OSPF can be used), with traffic engineering enabled
LDP and RSVP-TE configured in AS 64496, LDP configured in AS 64510
IBGP configured in AS 64496, with PE-3 as RR for clients PE-1, PE-2, and PE-4
IBGP configured in AS 64510, with PE-7 as RR for clients PE-5, PE-6, and PE-8
Model B configuration
There are no specific requirements on PE routers or RRs for enabling inter-AS VPRN model B; only specific configurations are required on the ASBRs.
First, an ASBR must learn the VPN-IPv4 and VPN-IPv6 routes from the local AS and export these routes to the neighbor AS over an MP-EBGP session. This is achieved on each ASBR by declaring an IBGP group for peering with the local RR, and declaring an EBGP group for peering with the neighboring AS. The IBGP and EBGP groups have included the address family vpn-ipv4, vpn-ipv6, or both.
Additionally, import and export policies can be used to control the VPN-IPv4 and VPN-IPv6 routes exchanged. The latter requires the vpn-apply-import and vpn-apply-export commands for SR OS to match the prefixes of the VPN-IPv4 and VPN-IPv6 address families.
The use of the next-hop-resolution command is explained in the Service configuration section. The BGP configuration on ASBR PE-4 is as follows:
# on ASBR PE-4:
configure
router Base
bgp
loop-detect discard-route
enable-inter-as-vpn
split-horizon
next-hop-resolution
labeled-routes
transport-tunnel
family vpn
resolution-filter
ldp # by default enabled for VPN routes
rsvp
exit
resolution filter
exit
exit
exit
exit
group "vpn-eBGP"
neighbor 192.168.48.2
family vpn-ipv4 vpn-ipv6
peer-as 64510
exit
exit
group "vpn-iBGP"
peer-as 64496
neighbor 192.0.2.3
family vpn-ipv4 vpn-ipv6
exit
exit
no shutdown
exit
exit
exit
The configuration on ASBR PE-8 is similar.
Second, the enable-inter-as-vpn command enables the inter-AS functionality and causes the ASBR to store the received VPN-IPv4 routes in its RIB-In, even though it has no VRF that imports these routes. For a route to be considered valid, the ASBR still needs to resolve the next-hop of this route to a tunnel. The enable-inter-as-vpn command will also change the BGP next-hop of advertised and received VPN-IPv4/VPN-IPv6 routes. When a route is advertised to an EBGP peer, the BGP next-hop is changed to the local-address used for communicating with the EBGP peer. When a route is received from an EBGP peer and advertised to an IBGP peer, the BGP next-hop is changed to the local-address used for communicating with the IBGP peer.
The configuration of the MP-EBGP session between the ASBRs in the EBGP group allows the ASBR to forward labeled packets over its connection with its peer ASBR.
MPLS LSP configuration
Two LSPs are needed between the end-to-end PEs (PE-1 and PE-5) to exchange service traffic bidirectionally, because LSPs are unidirectional. In AS 64496, this is achieved by configuring a first LSP from the service PE (PE-1) to the local ASBR (PE-4), and a second LSP back from the local ASBR (PE-4) toward the service PE (PE-1). In AS 64510, LDP is enabled on all interfaces; no RSVP LSPs are used.
In AS 64496, LDP and RSVP are enabled. The LSP (and path) from PE-1 to PE-4 runs via PE-3, as follows:
# on PE-1
configure
router Base
mpls
path "path-PE-1-PE-3-PE-4"
hop 10 192.168.13.2 strict
hop 20 192.168.34.2 strict
no shutdown
exit
lsp "lsp-PE-1-PE-4"
to 192.0.2.4
primary "path-PE-1-PE-3-PE-4"
exit
no shutdown
exit
no shutdown
exit
exit
exit
The LSP (and path) from PE-4 to PE-3 also runs via PE-3, as follows:
# on ASBR PE-4:
configure
router Base
mpls
path "path-PE-4-PE-3-PE-1"
hop 10 192.168.34.1 strict
hop 20 192.168.13.1 strict
no shutdown
exit
lsp "lsp-PE-4-PE-1"
to 192.0.2.1
primary "path-PE-4-PE-3-PE-1"
exit
no shutdown
exit
no shutdown
exit
exit
exit
Service configuration
VPRN 1 is configured on PE-1 and PE-5. Although the VPRN service IDs used in both ASs do not need to match, in an inter-AS VPRN model B context, the route targets (RTs) used in both ASs must be coordinated. The RT exported by the PE-1 VPRN 1 must be imported by the PE-5 VPRN 1, and vice versa. In this example, no specific vrf-import and vrf-export communities are used; the simplified method using a single vrf-target community is used instead.
To carry the customer data across AS 64496, tunnels must bind to a VPRN service with the auto-bind-tunnel command. Resolution is set to filter, indicating that SR OS must select a tunnel using the information defined in the resolution-filter context. The keywords ldp and rsvp in the resolution-filter context indicate that LDP or RSVP tunnels can be used, but SR OS prefers the RSVP tunnels because the preference for RSVP (7) is lower than the preference for LDP (9).
In AS 64496, the VPRN service on PE-1 is defined as follows:
# on PE-1:
configure
service
vprn 1 name "VPRN1" customer 1 create
interface "int-S1-1" create
address 10.1.10.1/24
ipv6
address 2001:db8:1::1:1/120
exit
sap 1/2/1:1 create
exit
exit
interface "int-S1-2" create
address 10.1.11.1/24
loopback
exit
bgp-ipvpn
mpls
auto-bind-tunnel
resolution-filter
ldp
rsvp
exit
resolution filter
exit
route-distinguisher 64496:1
vrf-target target:64496:1
no shutdown
exit
exit
no shutdown
exit
In AS 64510, the transport technology is LDP only, so the VPRN service in PE-5 auto-binds using LDP LSPs in the tunnel table to resolve VPN-IPv4 and VPN-IPv6 routes for which the vrf-target matches the vrf-target community value configured in PE-1, as follows:
# on PE-5 in AS 64510:
configure
service
vprn 1 name "VPRN1" customer 1 create
description "VPN-1, counterpart is on PE-1"
interface "int-S1-1" create
address 10.1.50.1/24
ipv6
address 2001:db8:1::5:1/120
exit
sap 1/2/1:1 create
exit
exit
interface "int-S1-2" create
address 10.1.51.1/24
loopback
exit
bgp-ipvpn
mpls
auto-bind-tunnel
resolution-filter
ldp
exit
resolution filter
exit
route-distinguisher 64510:1
vrf-target target:64496:1
no shutdown
exit
exit
no shutdown
exit
A second service is defined on PE-1 and PE-2 (VPRN 33), using loopback addresses 10.33.1.1/32 and 10.33.2.1/32 in PE-1 and PE-2, respectively. These addresses might appear in traces and commands later, but are of no concern because these are used for transporting intra-AS traffic.
For service traffic to flow in the PE-5 to PE-1 direction, ASBR PE-4 in AS 64496 must offer the possibility to use RSVP-TE tunnels when resolving a BGP next-hop for VPN services. Therefore, ASBR PE-4 must be explicitly configured, as follows:
# on ASBR PE-4:
configure
router Base
bgp
next-hop-resolution
labeled-routes
transport-tunnel
family vpn
resolution-filter
rsvp
exit
resolution filter
exit
exit
exit
exit
exit
On ASBR PE-8 in AS 64510, no explicit configuration is required because resolving a BGP next-hop for VPN service to LDP tunnels is the default behavior.
Verification
With the configurations from previous sections applied, PE-1 receives three VPN-IPv4 routes and one VPN-IPv6 route, as follows:
*A:PE-1# show router bgp summary all
===============================================================================
BGP Summary
===============================================================================
Legend : D - Dynamic Neighbor
===============================================================================
Neighbor
Description
ServiceId AS PktRcvd InQ Up/Down State|Rcv/Act/Sent (Addr Family)
PktSent OutQ
-------------------------------------------------------------------------------
192.0.2.3
Def. Inst 64496 421 0 03h27m16s 3/3/3 (VpnIPv4)
424 0 1/1/1 (VpnIPv6)
-------------------------------------------------------------------------------
PE-1 received the following three VPN-IPv4 routes:
*A:PE-1# show router bgp routes vpn-ipv4
===============================================================================
BGP Router ID:192.0.2.1 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 64496:33:10.33.2.0/24 100 None
192.0.2.2 None 10
No As-Path 524283
u*>i 64510:1:10.1.50.0/24 100 None
192.0.2.4 None 20
64510 524279
u*>i 64510:1:10.1.51.0/24 100 None
192.0.2.4 None 20
64510 524279
-------------------------------------------------------------------------------
Routes : 3
===============================================================================
PE-1 received the following VPN-IPv6 route:
*A:PE-1# show router bgp routes vpn-ipv6
===============================================================================
BGP Router ID:192.0.2.1 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP VPN-IPv6 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 64510:1:2001:db8:1::5:0/120 100 None
::ffff:192.0.2.4 None 20
64510 524278
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
PE-1 has three LDP tunnels and one RSVP tunnel, and its tunnel table looks as follows:
*A:PE-1# show router tunnel-table
===============================================================================
IPv4 Tunnel Table (Router: Base)
===============================================================================
Destination Owner Encap TunnelId Pref Nexthop Metric
Color
-------------------------------------------------------------------------------
192.0.2.2/32 ldp MPLS 65537 9 192.168.12.2 10
192.0.2.3/32 ldp MPLS 65538 9 192.168.13.2 10
192.0.2.4/32 rsvp MPLS 1 7 192.168.13.2 16777215
192.0.2.4/32 ldp MPLS 65539 9 192.168.12.2 20
-------------------------------------------------------------------------------
Flags: B = BGP or MPLS backup hop available
L = Loop-Free Alternate (LFA) hop available
E = Inactive best-external BGP route
k = RIB-API or Forwarding Policy backup hop
===============================================================================
The IPv4 routing table for VPRN 1 is as follows:
*A:PE-1# show router 1 route-table
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
10.1.10.0/24 Local Local 00h02m15s 0
int-S1-1 0
10.1.11.0/24 Local Local 00h02m15s 0
int-S1-2 0
10.1.50.0/24 Remote BGP VPN 00h01m01s 170
192.0.2.4 (tunneled:RSVP:1) 16777215
10.1.51.0/24 Remote BGP VPN 00h01m01s 170
192.0.2.4 (tunneled:RSVP:1) 16777215
-------------------------------------------------------------------------------
No. of Routes: 4
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
===============================================================================
The IPv4 addresses for VPRN 1 on PE-8 are 10.1.50.0/24 and 10.1.51.0/24, and are reachable through RSVP-TE tunnel 1 (tunneled:RSVP:1). The VPN label value for these prefixes is assigned and advertised by ASBR PE-4 and gets to PE-1 via the RR PE-3 in an MP-BGP update message. The 10.33.2.0/24 prefix belongs to a different service and is not relevant for model B because it is used for intra-AS traffic. The VPN-IPv4 routes received on PE-1 are as follows:
*A:PE-1# show router bgp neighbor 192.0.2.3 received-routes vpn-ipv4
===============================================================================
BGP Router ID:192.0.2.1 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 64496:33:10.33.2.0/24 100 None
192.0.2.2 None 10
No As-Path 524283
u*>i 64510:1:10.1.50.0/24 100 None
192.0.2.4 None 20
64510 524279
u*>i 64510:1:10.1.51.0/24 100 None
192.0.2.4 None 20
64510 524279
-------------------------------------------------------------------------------
Routes : 3
===============================================================================
The BGP next-hops for the VPN-IPv4 BGP address family are as follows. Service traffic for VPRN 33 uses the LDP tunnel to PE-2 carrying the intra-AS traffic, and service traffic for VPRN 1 uses the RSVP tunnel to ASBR PE-4 carrying the inter-AS traffic.
*A:PE-1# show router bgp next-hop vpn-ipv4
===============================================================================
BGP Router ID:192.0.2.1 AS:64496 Local AS:64496
===============================================================================
===============================================================================
BGP VPN Next Hop
===============================================================================
VPN Next Hop Owner
Autobind FibProg Reason
Labels (User-labels) FlexAlgo Metric
Admin-tag-policy (strict-tunnel-tagging)
-------------------------------------------------------------------------------
192.0.2.2 LDP
ldp bgp Y
-- (2) -- 10
-- (-)
192.0.2.4 RSVP
ldp rsvp bgp Y
-- (2) -- 16777215
-- (-)
-------------------------------------------------------------------------------
Next Hops : 2
===============================================================================
The IPv6 routing table for VPRN 1 is as follows:
*A:PE-1# show router 1 route-table ipv6
===============================================================================
IPv6 Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
2001:db8:1::1:0/120 Local Local 00h03m54s 0
int-S1-1 0
2001:db8:1::5:0/120 Remote BGP VPN 00h02m40s 170
192.0.2.4 (tunneled:RSVP:1) 16777215
-------------------------------------------------------------------------------
No. of Routes: 2
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
===============================================================================
The VPN-IPv6 routes received on PE-1 are as follows:
*A:PE-1# show router bgp neighbor 192.0.2.3 received-routes vpn-ipv6
===============================================================================
BGP Router ID:192.0.2.1 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP VPN-IPv6 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 64510:1:2001:db8:1::5:0/120 100 None
::ffff:192.0.2.4 None 20
64510 524278
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
The BGP next-hop for the VPN-IPv6 address family is as follows:
*A:PE-1# show router bgp next-hop vpn-ipv6
===============================================================================
BGP Router ID:192.0.2.1 AS:64496 Local AS:64496
===============================================================================
===============================================================================
BGP VPN Next Hop
===============================================================================
VPN Next Hop Owner
Autobind FibProg Reason
Labels (User-labels) FlexAlgo Metric
Admin-tag-policy (strict-tunnel-tagging)
-------------------------------------------------------------------------------
::ffff:192.0.2.4 RSVP
ldp rsvp bgp Y
-- (2) -- 16777215
-- (-)
-------------------------------------------------------------------------------
Next Hops : 1
===============================================================================
The forwarding plane is programmed accordingly, as follows:
*A:PE-1# show router 1 fib 1 ipv4
===============================================================================
FIB Display
===============================================================================
Prefix [Flags] Protocol
NextHop
-------------------------------------------------------------------------------
10.1.10.0/24 LOCAL
10.1.10.0 (int-S1-1)
10.1.11.0/24 LOCAL
10.1.11.0 (int-S1-2)
10.1.50.0/24 BGP_VPN
192.0.2.4 (VPRN Label:524279 Transport:RSVP LSP:1)
10.1.51.0/24 BGP_VPN
192.0.2.4 (VPRN Label:524279 Transport:RSVP LSP:1)
-------------------------------------------------------------------------------
Total Entries : 4
-------------------------------------------------------------------------------
===============================================================================
*A:PE-1# show router 1 fib 1 ipv6
===============================================================================
FIB Display
===============================================================================
Prefix [Flags] Protocol
NextHop
-------------------------------------------------------------------------------
2001:db8:1::1:0/120 LOCAL
2001:db8:1::1:0 (int-S1-1)
2001:db8:1::5:0/120 BGP_VPN
192.0.2.4 (VPRN Label:524278 Transport:RSVP LSP:1)
-------------------------------------------------------------------------------
Total Entries : 2
-------------------------------------------------------------------------------
===============================================================================
SR OS uses a label-per-VRF mode of label distribution, meaning that the same label is used for different VPN-IPv4 and different VPN-IPv6 prefixes from the same VRF, which saves on MPLS label resources. In this example, the VPRN service label is 524279 for the VPN-IPv4 prefixes 10.1.50.0/24 and 10.1.51.0/24, and 524278 for VPN-IPv6 prefix 2001:db8:1::5:0/120.
The forwarding plane is also programmed with the outer label to be used for transport purposes. Two labels are present: 524282 assigned through RSVP, and 524284 assigned through LDP. Because RSVP takes precedence over LDP, the RSVP label is actively used, as follows:
*A:PE-1# show router fp-tunnel-table 1 192.0.2.4/32
===============================================================================
IPv4 Tunnel Table Display
Legend:
label stack is ordered from bottom-most to top-most
B - FRR Backup
===============================================================================
Destination Protocol Tunnel-ID
Lbl/SID
NextHop Intf/Tunnel
Lbl/SID (backup)
NextHop (backup)
-------------------------------------------------------------------------------
192.0.2.4/32 LDP -
524284
192.168.12.2 1/1/1:1000
192.0.2.4/32 RSVP 1
524282
192.168.13.2 1/1/2:1000
-------------------------------------------------------------------------------
Total Entries : 2
-------------------------------------------------------------------------------
===============================================================================
Traffic over VPRN 1 is generated using a ping command on PE-1 to the remote loopback address, as follows:
*A:PE-1# ping router 1 10.1.50.1
PING 10.1.50.1 56 data bytes
64 bytes from 10.1.50.1: icmp_seq=1 ttl=64 time=6.11ms.
64 bytes from 10.1.50.1: icmp_seq=2 ttl=64 time=6.13ms.
64 bytes from 10.1.50.1: icmp_seq=3 ttl=64 time=6.61ms.
64 bytes from 10.1.50.1: icmp_seq=4 ttl=64 time=6.00ms.
64 bytes from 10.1.50.1: icmp_seq=5 ttl=64 time=6.05ms.
---- 10.1.50.1 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 6.00ms, avg = 6.18ms, max = 6.61ms, stddev = 0.220ms
On PE-1, the IPv4 VPRN 1 service traffic is pushed with VPN label 524279, followed by RSVP-TE transport label 524282. ASBR PE-4 removes the RSVP-TE transport label and swaps the internal (advertised) VPN label 524279 with the external VPN label 524280 received from ASBR PE-8. For IPv6 VPRN 1 traffic, VPN label 524278 is swapped by VPN label 524279. The inter-AS BGP labels stored by ASBR PE-4 are as follows:
*A:PE-4# show router bgp inter-as-label
===============================================================================
BGP Inter-AS labels
Flags: B - entry has backup, P - entry is promoted
===============================================================================
NextHop Received Advertised Label
Label Label Origin
-------------------------------------------------------------------------------
192.0.2.1 524281 524282 Internal
192.0.2.1 524282 524281 Internal
192.0.2.1 524282 524280 Internal
192.0.2.2 524283 524277 Internal
192.168.48.2 524279 524278 External
192.168.48.2 524280 524279 External
-------------------------------------------------------------------------------
Total Labels allocated: 6
===============================================================================
The forward data flow (from AS 64496 to AS 64510) for VPRN 1 uses the labels for which the label origin is external. The VPN labels used for the backward data flow (from AS 64510 to 64496) uses the labels for which the label origin is internal.
For brevity, the commands to display and check VPN prefixes and labels used in AS 64510 are omitted.
By disabling (shutdown) both RSVP LSPs between PE-1 and ASBR PE-4 in AS 64496, both PE-1 and PE-4 will select LDP tunnels for resolving VPN BGP next-hops. Then, the route table for VPRN 1 is as follows, where tunneled indicates an LDP tunnel is used to reach the next hop:
*A:PE-1# show router 1 route-table
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
10.1.10.0/24 Local Local 04h29m37s 0
int-S1-1 0
10.1.11.0/24 Local Local 04h29m37s 0
int-S1-2 0
10.1.50.0/24 Remote BGP VPN 00h00m08s 170
192.0.2.4 (tunneled) 20
10.1.51.0/24 Remote BGP VPN 00h00m08s 170
192.0.2.4 (tunneled) 20
-------------------------------------------------------------------------------
No. of Routes: 4
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
===============================================================================
Only LDP tunnels are available in PE-1 and ASBR PE-4, as follows:
*A:PE-1# show router tunnel-table
===============================================================================
IPv4 Tunnel Table (Router: Base)
===============================================================================
Destination Owner Encap TunnelId Pref Nexthop Metric
Color
-------------------------------------------------------------------------------
192.0.2.2/32 ldp MPLS 65537 9 192.168.12.2 10
192.0.2.3/32 ldp MPLS 65538 9 192.168.13.2 10
192.0.2.4/32 ldp MPLS 65539 9 192.168.12.2 20
-------------------------------------------------------------------------------
Flags: B = BGP or MPLS backup hop available
L = Loop-Free Alternate (LFA) hop available
E = Inactive best-external BGP route
k = RIB-API or Forwarding Policy backup hop
===============================================================================
*A:PE-4# show router tunnel-table
===============================================================================
IPv4 Tunnel Table (Router: Base)
===============================================================================
Destination Owner Encap TunnelId Pref Nexthop Metric
Color
-------------------------------------------------------------------------------
192.0.2.1/32 ldp MPLS 65538 9 192.168.24.1 20
192.0.2.2/32 ldp MPLS 65539 9 192.168.24.1 10
192.0.2.3/32 ldp MPLS 65537 9 192.168.34.1 10
-------------------------------------------------------------------------------
Flags: B = BGP or MPLS backup hop available
L = Loop-Free Alternate (LFA) hop available
E = Inactive best-external BGP route
k = RIB-API or Forwarding Policy backup hop
===============================================================================
The BGP next-hop for VPN-IPv4 traffic in PE-1 also indicates that, to reach PE-5 via PE-4, an LDP tunnel is used, as follows:
*A:PE-1# show router bgp next-hop vpn-ipv4
===============================================================================
BGP Router ID:192.0.2.1 AS:64496 Local AS:64496
===============================================================================
===============================================================================
BGP VPN Next Hop
===============================================================================
VPN Next Hop Owner
Autobind FibProg Reason
Labels (User-labels) FlexAlgo Metric
Admin-tag-policy (strict-tunnel-tagging)
-------------------------------------------------------------------------------
192.0.2.2 LDP
ldp bgp Y
-- (2) -- 10
-- (-)
192.0.2.4 LDP
ldp rsvp bgp Y
-- (2) -- 20
-- (-)
-------------------------------------------------------------------------------
Next Hops : 2
===============================================================================
The forwarding plane is programmed accordingly, as follows:
*A:PE-1# show router 1 fib 1 ipv4
===============================================================================
FIB Display
===============================================================================
Prefix [Flags] Protocol
NextHop
-------------------------------------------------------------------------------
10.1.10.0/24 LOCAL
10.1.10.0 (int-S1-1)
10.1.11.0/24 LOCAL
10.1.11.0 (int-S1-2)
10.1.50.0/24 BGP_VPN
192.0.2.4 (VPRN Label:524279 Transport:LDP)
10.1.51.0/24 BGP_VPN
192.0.2.4 (VPRN Label:524279 Transport:LDP)
-------------------------------------------------------------------------------
Total Entries : 4
-------------------------------------------------------------------------------
===============================================================================
*A:PE-1# show router fp-tunnel-table 1
===============================================================================
IPv4 Tunnel Table Display
Legend:
label stack is ordered from bottom-most to top-most
B - FRR Backup
===============================================================================
Destination Protocol Tunnel-ID
Lbl/SID
NextHop Intf/Tunnel
Lbl/SID (backup)
NextHop (backup)
-------------------------------------------------------------------------------
192.0.2.2/32 LDP -
524287
192.168.12.2 1/1/1:1000
192.0.2.3/32 LDP -
524287
192.168.13.2 1/1/2:1000
192.0.2.4/32 LDP -
524284
192.168.12.2 1/1/1:1000
-------------------------------------------------------------------------------
Total Entries : 3
-------------------------------------------------------------------------------
===============================================================================
The details for the LDP tunnel from PE-1 to PE-4 are as follows:
*A:PE-1# show router tunnel-table 192.0.2.4/32 detail
===============================================================================
Tunnel Table (Router: Base)
===============================================================================
Destination : 192.0.2.4/32
NextHop : 192.168.12.2
Tunnel Flags : (Not Specified)
Age : 00h12m46s
CBF Classes : (Not Specified)
Owner : ldp Encap : MPLS
Tunnel ID : 65539 Preference : 9
Tunnel Label : 524284 Tunnel Metric : 20
Tunnel MTU : 1556 Max Label Stack : 1
-------------------------------------------------------------------------------
Number of tunnel-table entries : 1
Number of tunnel-table entries with LFA : 0
===============================================================================
On PE-1, the IPv4 traffic in VPRN 1 is pushed with VPN label 524279, followed by LDP transport label 524284. ASBR PE-4 removes the LDP transport label and swaps the internal (advertised) VPN label 524279 with the external VPN label 524280 received from ASBR PE-8. The inter-AS label mapping between the ASBRs remains unchanged.
On the directly connected interface between the ASBRs, nothing has changed; only a single MPLS label is used to carry the VPN data, as shown in the following capture:
With this configuration, all the VPN-IPv4 and VPN-IPv6 routes known to AS 64496 are advertised by ASBR PE-4 to AS 64510, even the VPN-IPv4 and VPN-IPv6 routes from other AS 64496 VPRN services that do not need to be distributed:
*A:PE-4# show router bgp neighbor 192.168.48.2 advertised-routes vpn-ipv4 brief
===============================================================================
BGP Router ID:192.0.2.4 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag Network
-------------------------------------------------------------------------------
i 64496:1:10.1.10.0/24
i 64496:1:10.1.11.0/24
i 64496:33:10.33.1.0/24
i 64496:33:10.33.2.0/24
-------------------------------------------------------------------------------
Routes : 4
===============================================================================
As already indicated, the 10.33.1.0/24 and 10.33.2.0/24 prefixes belong to VPRN 33. This service exists on PE-1 and PE-2 only, and the corresponding customer traffic must be kept within AS 64496, so there is no need to advertise these prefixes to the peer AS. The "exp-SVC-1" policy is defined at ASBR PE-4 to achieve this, as follows:
# on ASBR PE-4:
configure
router Base
policy-options
begin
prefix-list "pfx-SVC-1"
prefix 10.1.10.0/24 longer
prefix 10.1.11.0/24 longer
prefix 2001:db8:1::/96 longer
exit
policy-statement "exp-SVC-1"
entry 10
from
prefix-list "pfx-SVC-1"
exit
action accept
exit
exit
default-action drop
exit
exit
commit
exit
exit
exit
The "exp-SVC-1" policy is applied to ASBR PE-4 as an export policy, but also import policies can be used to control which prefixes are exchanged. This additionally requires the vpn-apply-export (and the vpn-apply-import) command, and the change required at ASBR PE-4 is as follows:
# on ASBR PE-4:
configure
router Base
autonomous-system 64496
bgp
group "vpn-eBGP"
vpn-apply-export
export "exp-SVC-1"
neighbor 192.168.48.2
family vpn-ipv4 vpn-ipv6
peer-as 64510
exit
exit
exit
exit
exit
Therefore, the PE-4 ASBR will only advertise the VPN-IPv4 and VPN-IPv6 prefixes for VRPN 1, as follows:
*A:PE-4# show router bgp neighbor 192.168.48.2 advertised-routes vpn-ipv4 brief
===============================================================================
BGP Router ID:192.0.2.4 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag Network
-------------------------------------------------------------------------------
i 64496:1:10.1.10.0/24
i 64496:1:10.1.11.0/24
-------------------------------------------------------------------------------
Routes : 2
===============================================================================
*A:PE-4# show router bgp neighbor 192.168.48.2 advertised-routes vpn-ipv6 brief
===============================================================================
BGP Router ID:192.0.2.4 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP VPN-IPv6 Routes
===============================================================================
Flag Network
-------------------------------------------------------------------------------
i 64496:1:2001:db8:1::1:0/120
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
Conclusion
Inter-AS VPRN model B offers service providers a way to interconnect IPv4 and IPv6 VPN sites across different ASs, avoiding the need for dedicated services in the ASBR, which would otherwise consume valuable resources in the ASBR. Model B is useful for scenarios where model C does not apply; for example, when there is no trust agreement with the peer AS, so that exchanging PE system addresses with that peer is not permitted or does not make sense.