BGP Best External in a VPRN
This chapter provides information about BGP Best External in a VPRN.
Applicability
The information and configuration in this chapter were originally written for SR OS Release 14.0.R7. In the current edition, the MD-CLI is updated to SR OS Release 22.2.R2.
Overview
By default, BGP speakers only advertise their best route for a destination. The BGP best external feature allows BGP speakers to advertise their best external route for a prefix Network Layer Reachability Information (NLRI) to their IBGP peers when their best overall route for this prefix NLRI is an internal route. This feature provides additional path visibility to the IBGP mesh. When two paths are available to reach a destination, and one is preferred, the availability of an alternate path in the RIB means that only a FIB update is required if the preferred next-hop fails. Also, the presence of two paths can reduce route oscillation.
BGP best external can be enabled in the base router with the following command:
[ex:/configure router "Base" bgp]
A:admin@PE-2# advertise-external ?
advertise-external
ipv4 - Enable support for unlabeled unicast IPv4 routes
ipv6 - Enable support for unlabeled unicast IPv6 routes
label-ipv4 - Enable support for labeled-unicast IPv4 routes
label-ipv6 - Enable support for labeled-unicast IPv6 routes
---snip---
# on PE-2:
configure {
    router "Base" {
        bgp {
            advertise-external {
                ipv4 true
            }
Chapter "BGP Add-Path" in the Unicast Routing Protocols volume of 7450 ESS, 7750 SR, and 7950 XRS Advanced Configuration Guide — Book I describes the use of the add-paths parameter for different address families. Chapter "BGP Fast Reroute" in the Unicast Routing Protocols volume in the 7450 ESS, 7750 SR, and 7950 XRS MD-CLI Advanced Configuration Guide - Part I includes a configuration example with BGP best external enabled in the base router, whereas this chapter focuses on BGP best external in a VPRN context.
VPRN BGP best external can be configured with the following command:
[ex:/configure service]
A:admin@PE-2# vprn "VPRN 1" ?
---snip---
export-inactive-bgp - Export preferred BGP route even if inactive
---snip---
# on PE-2:
configure {
    service {
        vprn "VPRN 1" {
            export-inactive-bgp true
VPRN BGP best external allows the best EBGP IPv4/IPv6 route learned by a VPRN to be exported as a BGP VPN-IPv4/IPv6 route, even when that EBGP IPv4/IPv6 route is inactive due to the presence of a preferred BGP VPN-IPv4/IPv6 route from another PE. This best external route advertisement is useful in active/standby multi-homing scenarios because it can ensure that all PEs have knowledge of the backup path provided by the standby PE, thus reducing convergence times. VPRN BGP best external can also be applied in combination with Equal Cost Multi-Path (ECMP).
The figure "CE-4 advertises prefix 10.0.0.0/8 to its EBGP peers PE-1 and PE-2" shows the example topology with CE-4 in Autonomous System (AS) 64500 advertising prefix 10.0.0.0/8 to VPRN 1 in PE-1 and PE-2 in AS 64496.
PE-1 is the primary PE for this prefix and it creates a corresponding BGP VPN-IPv4 route with a higher local preference (LP) value (for example, 200) compared to the default LP (100). PE-1 advertises this BGP VPN-IPv4 route to its IBGP peers PE-2 and PE-3. PE-2 imports this BGP VPN-IPv4 route into its VRF, which deactivates the EBGP route received from CE-4, because it has the default LP of 100 (by BGP selection rules, the highest LP wins). By default, BGP prevents PE-2 from exporting its inactive BGP IPv4 route from CE-4 and, therefore, PE-1 and PE-3 cannot learn a BGP VPN-IPv4 backup route for prefix 10.0.0.0/8, as shown in the figure "Default BGP behavior: BGP advertises best route only".
VPRN BGP best external allows PE-2 to advertise its best external route as backup on the following conditions:
The option export-inactive-bgp true is configured in VPRN 1 on PE-2 (or on all PEs in the multi-homed site).
The BGP route from CE-4 must match the VRF export policy in PE-2.
The BGP VPN-IPv4 route exported by PE-2 must have a unique NLRI (RD:IP prefix combination) that does not overlap with a BGP VPN-IPv4 route from another PE for the same prefix. Therefore, a different RD can be allocated to the VRF in each PE connected to the multi-homed site. For example, VPRN 1 in PE-1 has RD 64496:11 and VPRN 1 in PE-2 has RD 64496:12.
The figure "VPRN BGP best external enabled: BGP advertises active and standby routes" shows the BGP route advertisements when VPRN BGP best external is enabled. The BGP VPN-IPv4 route from PE-2 carries a per-next-hop label (meaning pop and forward to CE-4) regardless of the configured label mode of the VPRN service in PE-2.
The PEs support BGP Fast Reroute (BGP FRR) using BGP VPN-IPv4 routes; therefore, PE-1 and PE-3 can install the route advertised by PE-2 as a backup path for prefix 10.0.0.0/8 and use that path immediately after detecting that the primary path has failed. When the link between PE-1 and CE-4 fails, PE-1 will detect this link failure typically seconds before the other PEs do. Therefore, PE-3 keeps sending traffic toward the network 10.0.0.0/8 to PE-1 and PE-1 uses the repair path via PE-2, as shown in the figure "BGP FRR on PE-1 after failure of active link to CE".
Even when PE-2 is still unaware of the link failure between PE-1 and CE-4, PE-2 will not loop traffic back to PE-1. The reason is that PE-1 sends traffic to PE-2 with a per-next-hop label so that no FIB lookup occurs in PE-2. Traffic is forwarded correctly to CE-4.
When PE-2 receives the BGP VPN-IPv4 route withdrawal from PE-1 for prefix 10.0.0.0/8, it removes the route from its RIB-IN and reruns the decision process. In this example, the EBGP route to CE-4 becomes the new primary/best path. PE-2 will re-advertise its BGP VPN-IPv4 route for prefix 10.0.0.0/8. The difference is that the BGP VPN-IPv4 route is based on the export of an active/used route and, therefore, the advertised label value is based on the configured label mode of the VPRN service, as shown in the figure "PE-2 re-advertises VPN-IPv4 route with label based on VRF for label mode VRF (default)".
It takes time for this route to reach all ingress routers and for these routers to update their forwarding tables to use the per-VRF label value. For a while, there may still be traffic destined for prefix 10.0.0.0/8 that is received by PE-2 with the per-next-hop label L2. Traffic will be dropped if the per-next-hop label is deleted by the IOM as soon as PE-2 determines there are no more inactive/standby paths with CE-4 as next hop. Traffic loss can be avoided by delaying the deletion of per-next-hop labels in the IOM by configuring label retention for BGP labels with the following command:
*[ex:/configure router "Base" mpls-labels]
A:admin@PE-2# bgp-labels-hold-timer ?
bgp-labels-hold-timer <number>
<number> - <0..255>
Default - 0
BGP labels hold timer for the ingress router
# on PE-2:
configure {
    router "Base" {
        mpls-labels {
            bgp-labels-hold-timer 60
Finally, all ingress routers have updated their forwarding tables based on the BGP update sent by PE-2, and PE-3 sends traffic for prefix 10.0.0.0/8 directly toward PE-2, as shown in the figure "Traffic destined for prefix 10.0.0.0/8 after control plane convergence".
Configuration
The figure "Example topology" shows the example topology with the IP addresses used.
The initial configuration includes the following:
Cards, MDAs, ports
Router interfaces
IS-IS (or OSPF) as IGP within AS 64496
LDP on all interfaces within AS 64496
BGP is configured in the base router context of all PEs for address family VPN-IPv4; for example, for PE-1 as follows:
# on PE-1:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            rapid-withdrawal true
            group "IBGP" {
                peer-as 64496
                family {
                    vpn-ipv4 true
                }
            }
            neighbor "192.0.2.2" {
                group "IBGP"
            }
            neighbor "192.0.2.3" {
                group "IBGP"
            }
The BGP configuration for the base router on the other two PEs is similar and a full mesh is established in AS 64496.
Configure VPRN without BGP best external
VPRN 1 is created on all PEs with the following settings:
Default label mode: label-mode vrf
Ready for BGP FRR: bgp-vpn-backup>ipv4 true
Different RDs in VPRN 1 for each PE: 64496:11 on PE-1, 64496:12 on PE-2, and 64496:13 on PE-3
Auto-bind-tunnel with resolution any. In this example, LDP will be used.
Loopback interface "lo0" with IP address 172.31.2.1/32 on PE-1, which is also defined as the router ID in VPRN 1. The same approach is used on PE-2 and PE-3: 172.31.2.2/32 and 172.31.2.3/32.
IBGP between all PEs (full mesh) for address family IPv4
EBGP between PE-1 and CE-4 and between PE-2 and CE-4
BGP best external is disabled, by default.
The configuration of VPRN 1 on PE-3 is as follows:
# on PE-3:
configure {
    service {
        vprn "VPRN 1" {
            admin-state enable
            service-id 1
            customer "1"
            autonomous-system 64496
            router-id 172.31.2.3
            # label-mode vrf      # default
            bgp-ipvpn {
                mpls {
                    admin-state enable
                    route-distinguisher "64496:13"
                    vrf-target {
                        community "target:64496:1"
                    }
                    auto-bind-tunnel {
                        resolution any
                    }
                }
            }
            bgp {
                rapid-withdrawal true
                group "IBGP" {
                    peer-as 64496
                }
                neighbor "172.31.2.1" {
                    group "IBGP"
                }
                neighbor "172.31.2.2" {
                    group "IBGP"
                }
            }
            interface "lo0" {
                loopback true
                ipv4 {
                    primary {
                        address 172.31.2.3
                        prefix-length 32
                    }
                }
            }
            bgp-vpn-backup {     # enable BGP FRR
                ipv4 true
            }
On PE-1 and PE-2, the VPRN configuration includes an external interface toward CE-4, and EBGP is defined toward peer CE-4. The VPRN 1 configuration on PE-2 is as follows:
# on PE-2:
configure {
    policy-options {
        policy-statement "import-bgp-LP100" {
            default-action {
                action-type accept
                local-preference 100
            }
        }
    }
    service {
        vprn "VPRN 1" {
            admin-state enable
            service-id 1
            customer "1"
            autonomous-system 64496
            router-id 172.31.2.2
            # label-mode vrf      # default
            bgp-ipvpn {
                mpls {
                    admin-state enable
                    route-distinguisher "64496:12"
                    vrf-target {
                        community "target:64496:1"
                    }
                    auto-bind-tunnel {
                        resolution any
                    }
                }
            }
            bgp {
                rapid-withdrawal true
                split-horizon true
                group "EBGP" {
                    peer-as 64500
                    import {
                        policy ["import-bgp-LP100"]
                    }
                }
                group "IBGP" {
                    peer-as 64496
                }
                neighbor "172.16.24.2" {
                    group "EBGP"
                }
                neighbor "172.31.2.1" {
                    group "IBGP"
                }
                neighbor "172.31.2.3" {
                    group "IBGP"
                }
            }
            interface "int-PE-2-CE-4_VPRN1" {
                ipv4 {
                    primary {
                        address 172.16.24.1
                        prefix-length 30
                    }
                }
                sap 1/1/3:1 {
                }
            }
            interface "lo0" {
                loopback true
                ipv4 {
                    primary {
                        address 172.31.2.2
                        prefix-length 32
                    }
                }
            }
            bgp-vpn-backup {     # enable BGP FRR
                ipv4 true
            }
PE-2 has an import policy that sets the LP to 100, which is the default LP. The policy is still needed because, without an import policy, no EBGP routes are accepted by default.
The VPRN 1 configuration on PE-1 looks similar to the configuration on PE-2, but includes an import policy that assigns an LP of 200 to each prefix that is received from CE-4, as follows:
# on PE-1:
configure {
    policy-options {
        policy-statement "import-bgp-LP200" {
            default-action {
                action-type accept
                local-preference 200
            }
        }
    }
    service {
        vprn "VPRN 1" {
            admin-state enable
            service-id 1
            customer "1"
            autonomous-system 64496
            router-id 172.31.2.1
            # label-mode vrf      # default
            bgp-ipvpn {
                mpls {
                    admin-state enable
                    route-distinguisher "64496:11"
                    vrf-target {
                        community "target:64496:1"
                    }
                    auto-bind-tunnel {
                        resolution any
                    }
                }
            }
            bgp {
                rapid-withdrawal true
                split-horizon true
                group "EBGP" {
                    peer-as 64500
                    import {
                        policy ["import-bgp-LP200"]
                    }
                }
                group "IBGP" {
                    peer-as 64496
                }
                neighbor "172.16.14.2" {
                    group "EBGP"
                }
                neighbor "172.31.2.2" {
                    group "IBGP"
                }
                neighbor "172.31.2.3" {
                    group "IBGP"
                }
            }
            interface "int-PE-1-CE-4_VPRN1" {
                ipv4 {
                    primary {
                        address 172.16.14.1
                        prefix-length 30
                    }
                }
                sap 1/1/3:1 {
                }
            }
            interface "lo0" {
                loopback true
                ipv4 {
                    primary {
                        address 172.31.2.1
                        prefix-length 32
                    }
                }
            }
            bgp-vpn-backup {     # enable BGP FRR
                ipv4 true
            }
        }
CE-4 has EBGP configured toward PE-1 and PE-2. CE-4 exports the prefix 10.0.0.0/8, as defined in export policy "export-bgp" that is applied in the bgp context:
# on CE-4:
configure {
    policy-options {
        prefix-list "10.0.0.0/8" {
            prefix 10.0.0.0/8 type longer {
            }
        }
        policy-statement "export-bgp" {
            entry 10 {
                from {
                    prefix-list ["10.0.0.0/8"]
                }
                action {
                    action-type accept
                }
            }
        }
    }
    router "Base" {
        autonomous-system 64500
        interface "int-CE-4-PE-1_VPRN1" {
            port 1/1/1:1
            ipv4 {
                primary {
                    address 172.16.14.2
                    prefix-length 30
                }
            }
        }
        interface "int-CE-4-PE-2_VPRN1" {
            port 1/1/2:1
            ipv4 {
                primary {
                    address 172.16.24.2
                    prefix-length 30
                }
            }
        }
        interface "system" {
            ipv4 {
                primary {
                    address 192.0.2.4
                    prefix-length 32
                }
            }
        }
        interface "test_connectedNW" {
            loopback
            ipv4 {
                primary {
                    address 10.0.0.1
                    prefix-length 8
                }
            }
        }
        bgp {
            rapid-withdrawal true
            split-horizon true
            group "EBGP" {
                peer-as 64496
                export {
                    policy ["export-bgp"]
                }
            }
            neighbor "172.16.14.1" {
                group "EBGP"
            }
            neighbor "172.16.24.1" {
                group "EBGP"
            }
        }
Initially, VPRN BGP best external is disabled, so only the best BGP route will be advertised and IBGP peers will not learn backup paths. The following section shows which routes are exchanged. Afterward, VPRN BGP best external will be enabled and the same show commands will be used.
Verification - VPRN without BGP best external
PE-1 imports prefix 10.0.0.0/8, assigns LP 200 to it, and advertises a corresponding VPN-IPv4 route to its IBGP peers (PE-2 and PE-3). Toward PE-2, this is as follows:
# on PE-1:
15 2022/05/02 11:24:40.478 CEST MINOR: DEBUG #2001 Base Peer 1: 192.0.2.2
"Peer 1: 192.0.2.2: UPDATE
Peer 1: 192.0.2.2 - Send BGP UPDATE:
Withdrawn Length = 0
Total Path Attr Length = 65
Flag: 0x90 Type: 14 Len: 30 Multiprotocol Reachable NLRI:
Address Family VPN_IPV4
NextHop len 12 NextHop 192.0.2.1
10.0.0.0/8 RD 64496:11 Label 524283 (Raw label 0x7fffb1)
Flag: 0x40 Type: 1 Len: 1 Origin: 0
Flag: 0x40 Type: 2 Len: 6 AS Path:
Type: 2 Len: 1 < 64500 >
Flag: 0x40 Type: 5 Len: 4 Local Preference: 200
Flag: 0xc0 Type: 16 Len: 8 Extended Community:
target:64496:1
"
The NLRI includes the prefix 10.0.0.0/8 and the RD 64496:11, and the label is 524283. BGP prevents PE-2 from sending a similar BGP update for prefix 10.0.0.0/8 because that route is not active on PE-2. PE-3 receives a BGP VPN-IPv4 route for network 64496:11:10.0.0.0/8, and this route has PE-1 as next hop and LP 200. No route is received from PE-2 for network 64496:12:10.0.0.0/8; as follows:
[/]
A:admin@PE-3# show router bgp routes vpn-ipv4
===============================================================================
BGP Router ID:192.0.2.3 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 64496:11:10.0.0.0/8 200 None
192.0.2.1 None 10
64500 524283
u*>i 64496:11:172.16.14.0/30 100 None
192.0.2.1 None 10
No As-Path 524283
u*>i 64496:11:172.31.2.1/32 100 None
192.0.2.1 None 10
No As-Path 524283
u*>i 64496:12:172.16.24.0/30 100 None
192.0.2.2 None 10
No As-Path 524283
u*>i 64496:12:172.31.2.2/32 100 None
192.0.2.2 None 10
No As-Path 524283
-------------------------------------------------------------------------------
Routes : 5
===============================================================================
In a similar way, the list of BGP VPN-IPv4 routes on PE-2 includes prefix 64496:11:10.0.0.0/8 with LP 200 and next hop PE-1, as follows:
[/]
A:admin@PE-2# show router bgp routes vpn-ipv4
===============================================================================
BGP Router ID:192.0.2.2 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 64496:11:10.0.0.0/8 200 None
192.0.2.1 None 10
64500 524283
u*>i 64496:11:172.16.14.0/30 100 None
192.0.2.1 None 10
No As-Path 524283
u*>i 64496:11:172.31.2.1/32 100 None
192.0.2.1 None 10
No As-Path 524283
u*>i 64496:13:172.31.2.3/32 100 None
192.0.2.3 None 10
No As-Path 524283
-------------------------------------------------------------------------------
Routes : 4
===============================================================================
The list of BGP IPv4 routes in VPRN 1 on PE-2 has two entries for prefix 10.0.0.0/8, but neither of them is best or used, as follows:
[/]
A:admin@PE-2# show router 1 bgp routes
===============================================================================
BGP Router ID:172.31.2.2 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
*i 10.0.0.0/8 100 None
172.16.24.2 None 0
64500 -
i 10.0.0.0/8 200 None
172.16.14.2 None 0
64500 -
-------------------------------------------------------------------------------
Routes : 2
===============================================================================
The routing table for VPRN 1 on PE-2 and PE-3 for prefix 10.0.0.0/8 shows that the next hop is PE-1 and the protocol is BGP VPN, as follows:
[/]
A:admin@PE-2# show router 1 route-table 10.0.0.0/8
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
10.0.0.0/8 Remote BGP VPN 00h02m00s 170
192.0.2.1 (tunneled) 10
-------------------------------------------------------------------------------
No. of Routes: 1
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
===============================================================================
Instead of using an external route to CE-4, the route for prefix 10.0.0.0/8 is internal (BGP VPN), using an LDP transport tunnel to PE-1. There are no non-active routes, as can be shown by adding the keyword all to the preceding show command, as follows:
[/]
A:admin@PE-2# show router 1 route-table 10.0.0.0/8 all
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Active Metric
-------------------------------------------------------------------------------
10.0.0.0/8 Remote BGP VPN 00h02m23s 170
192.0.2.1 (tunneled) Y 10
-------------------------------------------------------------------------------
No. of Routes: 1
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
E = Inactive best-external BGP route
===============================================================================
There are no standby routes, because BGP only advertises the best used route.
On PE-1, the following BGP IPv4 route with next hop CE-4 is used for prefix 10.0.0.0/8 in VPRN 1:
[/]
A:admin@PE-1# show router 1 bgp routes
===============================================================================
BGP Router ID:172.31.2.1 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 10.0.0.0/8 200 None
172.16.14.2 None 0
64500 -
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
The route for prefix 10.0.0.0/8 in the routing table of VPRN 1 has next hop 172.16.14.2 on CE-4, as follows:
[/]
A:admin@PE-1# show router 1 route-table 10.0.0.0/8 all
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Active Metric
-------------------------------------------------------------------------------
10.0.0.0/8 Remote BGP 00h03m20s 170
172.16.14.2 Y 0
-------------------------------------------------------------------------------
No. of Routes: 1
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
E = Inactive best-external BGP route
===============================================================================
There is no backup route because BGP prevents PE-2 from sending a standby route for prefix 10.0.0.0/8 to its IBGP peers.
PE-2 has advertised two VPN-IPv4 routes in the base router (the last number in Rcv/Act/Sent = Received/Active/Sent), as follows:
*A:PE-2# show router bgp summary family vpn-ipv4
===============================================================================
BGP Router ID:192.0.2.2 AS:64496 Local AS:64496
===============================================================================
BGP Admin State : Up BGP Oper State : Up
---snip---
===============================================================================
BGP VPN-IPv4 Summary
===============================================================================
Legend : D - Dynamic Neighbor
===============================================================================
Neighbor
AS PktRcvd PktSent InQ OutQ Up/Down State|Recv/Actv/Sent
-------------------------------------------------------------------------------
192.0.2.1
64496 24 23 0 0 00h08m42s 3/3/2
192.0.2.3
64496 22 23 0 0 00h08m37s 1/1/2
-------------------------------------------------------------------------------
Enable BGP best external in VPRN
VPRN BGP best external is configured on PE-2 (or on all PEs in the multi-homing site) as follows:
# on PE-2:
configure {
    service {
        vprn "VPRN 1" {
            export-inactive-bgp true
When configured, this command causes all IPv4 and IPv6 VPRN BGP best external routes to be exported in the multi-protocol BGP (MP-BGP) domain. Best external routes are BGP routes for which all the following conditions are met:
The BGP route is matched by the VRF export policy.
The BGP route is inactive because a more preferred BGP VPN route for the same prefix is present in the route table manager (RTM).
This BGP route is best and valid considering only VPRN BGP routes.
PE-2 is advertising a best external route and is called the standby PE for prefix 10.0.0.0/8. PEs can be active for some IP prefixes and standby for other IP prefixes.
Best external routes are advertised to the BGP VPN-IPv4 neighbors. In this example, the BGP VPN-IPv4 neighbors are IBGP neighbors, but they can also be EBGP neighbors. The RD must be unique across the PEs exporting a BGP VPN-IP route for the same prefix; otherwise, the best external route may not be advertised. The advertised VPRN label is based on the next hop IP of the best external route, regardless of the label mode of the VPRN in the standby PE.
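The following Python sketch is an added example, not SR OS code and not part of the original chapter. It models the export conditions listed above and in the Overview for PE-2 and prefix 10.0.0.0/8. The names Route, Export, and vpn_export are hypothetical, only the local-preference step of route selection is modelled, and an overlapping RD is assumed to always suppress the advertisement (the chapter says only that it may).

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str       # "vprn-bgp": learned from a CE by BGP in the VPRN
                      # "bgp-vpn": BGP VPN-IPv4 route imported from another PE
    next_hop: str
    local_pref: int
    rd: str = ""      # RD carried by an imported BGP VPN route


@dataclass(frozen=True)
class Export:
    nlri: str         # RD:prefix advertised as a BGP VPN-IPv4 route
    next_hop: str     # next hop of the exported VPRN BGP route (the CE)
    label: str        # "per-next-hop" or "label-mode"


def preferred(routes: List[Route]) -> Optional[Route]:
    """Highest local preference wins; later tie-breakers are not modelled."""
    return max(routes, key=lambda r: r.local_pref) if routes else None


def vpn_export(local_rd: str, routes: List[Route], export_inactive_bgp: bool,
               vrf_export: Callable[[Route], bool] = lambda r: True) -> Optional[Export]:
    """Decide what one PE exports for a single prefix (all routes share it)."""
    active = preferred(routes)
    # Best route when only VPRN BGP routes are considered.
    best_external = preferred([r for r in routes if r.source == "vprn-bgp"])
    if best_external is None or not vrf_export(best_external):
        return None                      # nothing to export, or export policy rejects it
    nlri = f"{local_rd}:{best_external.prefix}"
    if active is best_external:
        # Active route: normal export, label follows the VPRN label mode.
        return Export(nlri, best_external.next_hop, "label-mode")
    if not export_inactive_bgp:
        return None                      # default: inactive routes are not exported
    if any(r.source == "bgp-vpn" and r.rd == local_rd for r in routes):
        return None                      # assumption: overlapping RD:prefix suppresses export
    # Inactive best external route: exported with a per-next-hop label.
    return Export(nlri, best_external.next_hop, "per-next-hop")


# Routes for 10.0.0.0/8 in VPRN 1 on PE-2, values taken from this chapter.
PREFIX = "10.0.0.0/8"
FROM_CE4 = Route(PREFIX, "vprn-bgp", "172.16.24.2", 100)
FROM_PE1 = Route(PREFIX, "bgp-vpn", "192.0.2.1", 200, rd="64496:11")


def pe2_scenarios():
    both = [FROM_CE4, FROM_PE1]
    return {
        "default": vpn_export("64496:12", both, export_inactive_bgp=False),
        "best-external": vpn_export("64496:12", both, export_inactive_bgp=True),
        "same-rd-as-pe1": vpn_export("64496:11", both, export_inactive_bgp=True),
        "after-withdrawal": vpn_export("64496:12", [FROM_CE4], export_inactive_bgp=True),
    }


if __name__ == "__main__":
    for name, result in pe2_scenarios().items():
        print(f"{name:18} {result}")
```

The last scenario corresponds to PE-2 after it has received the withdrawal from PE-1: the same NLRI is re-advertised, but with a label that follows the label mode of the VPRN.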
Verification - VPRN with BGP best external - BGP FRR
With VPRN BGP best external and BGP FRR, the results are as follows. VPRN BGP best external is enabled (BGP Export Inactv) in VPRN 1 on PE-2:
[/]
A:admin@PE-2# show service id 1 base
===============================================================================
Service Basic Information
===============================================================================
Service Id : 1 Vpn Id : 0
Service Type : VPRN
MACSec enabled : no
Name : VPRN 1
Description : (Not Specified)
Customer Id : 1 Creation Origin : manual
---snip---
Max IPv6 Routes : No Limit
Ignore NH Metric : Disabled
Hash Label : Disabled
Entropy Label : Disabled
Vrf Target : target:64496:1
---snip---
Label mode : vrf
BGP VPN Backup : ipv4
BGP Export Inactv : Enabled
LOG all events : Disabled
SAP Count : 1 SDP Bind Count : 0
VSD Domain : <none>
-------------------------------------------------------------------------------
Service Access & Destination Points
-------------------------------------------------------------------------------
Identifier Type AdmMTU OprMTU Adm Opr
-------------------------------------------------------------------------------
sap:1/1/3:1 q-tag 1578 1578 Up Up
===============================================================================
After VPRN BGP best external is enabled, PE-2 advertises its standby route for prefix 10.0.0.0/8 to its IBGP peers, as follows:
# on PE-2:
15 2022/05/02 11:28:51.976 CEST MINOR: DEBUG #2001 Base Peer 1: 192.0.2.3
"Peer 1: 192.0.2.3: UPDATE
Peer 1: 192.0.2.3 - Send BGP UPDATE:
Withdrawn Length = 0
Total Path Attr Length = 65
Flag: 0x90 Type: 14 Len: 30 Multiprotocol Reachable NLRI:
Address Family VPN_IPV4
NextHop len 12 NextHop 192.0.2.2
10.0.0.0/8 RD 64496:12 Label 524284 (Raw label 0x7fffc1)
Flag: 0x40 Type: 1 Len: 1 Origin: 0
Flag: 0x40 Type: 2 Len: 6 AS Path:
Type: 2 Len: 1 < 64500 >
Flag: 0x40 Type: 5 Len: 4 Local Preference: 100
Flag: 0xc0 Type: 16 Len: 8 Extended Community:
target:64496:1
"
The RD is 64496:12, the LP is 100, and the label is 524284. The BGP update shown is sent by PE-2 toward PE-3; the BGP update sent by PE-2 toward PE-1 is similar.
The number of BGP VPN-IPv4 routes sent by PE-2 to each IBGP peer increased from 2 to 3, as follows:
[/]
A:admin@PE-2# show router bgp summary all
===============================================================================
BGP Summary
===============================================================================
Legend : D - Dynamic Neighbor
===============================================================================
Neighbor
Description
ServiceId AS PktRcvd InQ Up/Down State|Rcv/Act/Sent (Addr Family)
PktSent OutQ
-------------------------------------------------------------------------------
192.0.2.1
Def. Inst 64496 24 0 00h08m42s 3/3/3 (VpnIPv4)
23 0
192.0.2.3
Def. Inst 64496 22 0 00h08m37s 1/1/3 (VpnIPv4)
23 0
---snip---
PE-3 has two BGP VPN-IPv4 routes for prefix 10.0.0.0/8: one for network 64496:11:10.0.0.0/8 with LP 200 and next hop PE-1, and one for network 64496:12:10.0.0.0/8 with LP 100 and next hop PE-2, as follows:
[/]
A:admin@PE-3# show router bgp routes 10.0.0.0/8 vpn-ipv4
===============================================================================
BGP Router ID:192.0.2.3 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 64496:11:10.0.0.0/8 200 None
192.0.2.1 None 10
64500 524283
u*>i 64496:12:10.0.0.0/8 100 None
192.0.2.2 None 10
64500 524284
-------------------------------------------------------------------------------
Routes : 2
===============================================================================
PE-1 has one BGP VPN-IPv4 route for network 64496:12:10.0.0.0/8 with LP 100 and next hop PE-2; PE-2 has one BGP VPN-IPv4 route for network 64496:11:10.0.0.0/8 with LP 200 and next hop PE-1.
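The following check is an added example, not part of the original chapter: a Python parser for the three-line entries of show router bgp routes vpn-ipv4 that reports multi-homed prefixes for which a remote PE such as PE-3 sees fewer than two next hops. The sample text is constructed from the PE-3 outputs in this chapter with assumed column spacing, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# First line of each three-line route entry: flags, RD:prefix, LocalPref, MED.
ROUTE_RE = re.compile(
    r"^(?P<flags>[a-z*>]+)\s+(?P<rd>[\d.]+:\d+):(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"\s+(?P<lp>\S+)\s+(?P<med>\S+)$"
)

# Constructed samples: entries re-typed from the PE-3 outputs, column spacing assumed.
WITHOUT_BEST_EXTERNAL = """\
u*>i  64496:11:10.0.0.0/8          200   None
      192.0.2.1                    None  10
      64500                        524283
u*>i  64496:12:172.16.24.0/30      100   None
      192.0.2.2                    None  10
      No As-Path                   524283
"""
WITH_BEST_EXTERNAL = WITHOUT_BEST_EXTERNAL + """\
u*>i  64496:12:10.0.0.0/8          100   None
      192.0.2.2                    None  10
      64500                        524284
"""


def parse_vpn_ipv4_routes(text):
    """Return one dict per route entry; legend, ruler and summary lines are skipped."""
    lines = [ln.strip() for ln in text.splitlines()]
    routes, i = [], 0
    while i < len(lines):
        m = ROUTE_RE.match(lines[i])
        nh = lines[i + 1].split() if i + 1 < len(lines) else []
        path = lines[i + 2].split() if i + 2 < len(lines) else []
        if not (m and nh and path):
            i += 1
            continue
        routes.append({
            "flags": m["flags"],
            "rd": m["rd"],
            "prefix": m["prefix"],
            "local_pref": int(m["lp"]) if m["lp"].isdigit() else None,
            "next_hop": nh[0],
            "as_path": " ".join(path[:-1]),          # "No As-Path" for local routes
            "label": int(path[-1]) if path[-1].isdigit() else None,
        })
        i += 3
    return routes


def paths_per_prefix(routes):
    """Map prefix -> list of (next_hop, rd, local_pref) for valid ('*') routes."""
    paths = defaultdict(set)
    for r in routes:
        if "*" in r["flags"]:
            paths[r["prefix"]].add((r["next_hop"], r["rd"], r["local_pref"]))
    return {p: sorted(v, key=lambda t: t[:2]) for p, v in paths.items()}


def missing_backup(text, multihomed_prefixes):
    """Return the multi-homed prefixes that are reachable through fewer than two PEs."""
    paths = paths_per_prefix(parse_vpn_ipv4_routes(text))
    return [p for p in multihomed_prefixes
            if len({nh for nh, _, _ in paths.get(p, [])}) < 2]


if __name__ == "__main__":
    for name, sample in (("without best external", WITHOUT_BEST_EXTERNAL),
                         ("with best external", WITH_BEST_EXTERNAL)):
        print(name, "-> no backup path for:", missing_backup(sample, ["10.0.0.0/8"]))
```

The list of multi-homed prefixes is supplied by the operator, because single-homed prefixes such as 172.16.24.0/30 legitimately have one path only.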
All PEs are ready for BGP FRR and the "B" flag indicates that a BGP VPN-IPv4 backup route is available. This flag is present when the VPRN is configured for BGP FRR (bgp-vpn-backup>ipv4 true) and a standby route has been received. The B flag was not present in the routing table output when VPRN BGP best external was disabled, as shown earlier. The routing table on PE-1 is as follows:
[/]
A:admin@PE-1# show router 1 route-table 10.0.0.0/8
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
10.0.0.0/8 [B] Remote BGP 00h06m47s 170
172.16.14.2 0
-------------------------------------------------------------------------------
No. of Routes: 1
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
===============================================================================
The active route on PE-1 has next hop 172.16.14.2 on CE-4.
On PE-3, the active BGP VPN-IPv4 route for prefix 10.0.0.0/8 uses an LDP transport tunnel to PE-1; a BGP VPN-IPv4 backup route is also available, as follows:
[/]
A:admin@PE-3# show router 1 route-table 10.0.0.0/8
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
10.0.0.0/8 [B] Remote BGP VPN 00h06m39s 170
192.0.2.1 (tunneled) 10
-------------------------------------------------------------------------------
No. of Routes: 1
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
===============================================================================
The active BGP VPN-IPv4 route on PE-2 uses an LDP transport tunnel to PE-1, but no BGP backup route is available:
[/]
A:admin@PE-2# show router 1 route-table 10.0.0.0/8
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
10.0.0.0/8 Remote BGP VPN 00h06m34s 170
192.0.2.1 (tunneled) 10
-------------------------------------------------------------------------------
No. of Routes: 1
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
===============================================================================
PE-2 has a standby BGP IPv4 route that is displayed with the following show command:
[/]
A:admin@PE-2# show router 1 route-table 10.0.0.0/8 all
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Active Metric
-------------------------------------------------------------------------------
10.0.0.0/8 [E] Remote BGP 00h03m11s 170
172.16.24.2 N 0
10.0.0.0/8 Remote BGP VPN 00h07m14s 170
192.0.2.1 (tunneled) Y 10
-------------------------------------------------------------------------------
No. of Routes: 2
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
E = Inactive best-external BGP route
===============================================================================
The "E" flag indicates that this route is an inactive best external BGP route.
VPRN 1 on PE-1 and PE-3 is ready for BGP FRR (bgp-vpn-backup>ipv4 true) and PE-2 advertised a standby BGP VPN-IPv4 route for prefix 10.0.0.0/8; therefore, PE-1 and PE-3 can add an alternative route to the routing table of VPRN 1, as follows:
[/]
A:admin@PE-1# show router 1 route-table 10.0.0.0/8 alternative
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
Alt-NextHop Alt-
Metric
-------------------------------------------------------------------------------
10.0.0.0/8 Remote BGP 00h07m47s 170
172.16.14.2 0
10.0.0.0/8 (Backup) Remote BGP VPN 00h07m47s 170
192.0.2.2 (tunneled) 10
-------------------------------------------------------------------------------
No. of Routes: 2
Flags: n = Number of times nexthop is repeated
Backup = BGP backup route
LFA = Loop-Free Alternate nexthop
S = Sticky ECMP requested
===============================================================================
[/]
A:admin@PE-3# show router 1 route-table 10.0.0.0/8 alternative
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
Alt-NextHop Alt-
Metric
-------------------------------------------------------------------------------
10.0.0.0/8 Remote BGP VPN 00h08m05s 170
192.0.2.1 (tunneled) 10
10.0.0.0/8 (Backup) Remote BGP VPN 00h08m05s 170
192.0.2.2 (tunneled) 10
-------------------------------------------------------------------------------
No. of Routes: 2
Flags: n = Number of times nexthop is repeated
Backup = BGP backup route
LFA = Loop-Free Alternate nexthop
S = Sticky ECMP requested
===============================================================================
The alternative BGP VPN-IPv4 route for prefix 10.0.0.0/8 in VPRN 1 uses an LDP transport tunnel toward PE-2.
Configure ECMP
Because BGP best external allows advertising of an alternative path, it can also be used for load-sharing. ECMP is configured with value 2 in VPRN 1 on all PEs, as follows:
# on PE-1, PE-2, PE-3:
configure {
service {
vprn "VPRN 1" {
ecmp 2
Other than the ECMP configuration, the VPRN configuration is the same as in the previous example. When ECMP is configured, BGP FRR is no longer needed:
# on PE-1, PE-2, PE-3:
configure {
service {
vprn "VPRN 1" {
delete bgp-vpn-backup
On PE-3, the BGP decision process will prefer the route with the highest LP and, therefore, only the route via PE-1 with LP 200 will be used and there will be no load-sharing. To ensure that the routes via PE-1 and PE-2 have the same cost, the import policy in VPRN 1 on PE-1 that sets the LP to 200 is replaced by an import policy that sets the LP to 100, as follows:
# on PE-1:
configure {
policy-options {
policy-statement "import-bgp-LP100" {
default-action {
action-type accept
local-preference 100
}
}
}
service {
vprn "VPRN 1" {
bgp {
group "EBGP" {
delete import
import {
policy ["import-bgp-LP100"]
}
}
BGP best external is enabled on (PE-1 and) PE-2, as follows:
# on PE-2:
configure {
service {
vprn "VPRN 1" {
export-inactive-bgp true
Verification - VPRN with BGP best external - ECMP
The VPRN with BGP best external and ECMP gives the following results. With BGP best external enabled on the PEs in the multi-homing site (PE-2 and PE-3), the following two BGP VPN-IPv4 routes are used on PE-3:
[/]
A:admin@PE-3# show router bgp routes 10.0.0.0/8 vpn-ipv4
===============================================================================
BGP Router ID:192.0.2.3 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 64496:11:10.0.0.0/8 100 None
192.0.2.1 None 10
64500 524283
u*>i 64496:12:10.0.0.0/8 100 None
192.0.2.2 None 10
64500 524283
-------------------------------------------------------------------------------
Routes : 2
===============================================================================
The following BGP IPv4 routes are learned in VPRN 1 on PE-3, but they are not used:
[/]
A:admin@PE-3# show router 1 bgp routes 10.0.0.0/8
===============================================================================
BGP Router ID:172.31.2.3 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
i 10.0.0.0/8 100 None
172.16.14.2 None 0
64500 -
i 10.0.0.0/8 100 None
172.16.24.2 None 0
64500 -
-------------------------------------------------------------------------------
Routes : 2
===============================================================================
When ECMP is enabled and the routes have the same LP, the routing table on PE-3 has two active routes for prefix 10.0.0.0/8, each using an LDP transport tunnel, as follows:
[/]
A:admin@PE-3# show router 1 route-table 10.0.0.0/8
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
10.0.0.0/8 Remote BGP VPN 00h02m42s 170
192.0.2.1 (tunneled) 10
10.0.0.0/8 Remote BGP VPN 00h02m42s 170
192.0.2.2 (tunneled) 10
-------------------------------------------------------------------------------
No. of Routes: 2
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
===============================================================================
Figure "Loadsharing for traffic from PE-3 destined to 10.0.0.0/8" shows that traffic from VPRN 1 on PE-3 destined to prefix 10.0.0.0/8 is sprayed over two paths: one via PE-1 and one via PE-2.
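The route-table listings in this chapter can be checked mechanically after a configuration change. The following Python script is an added example, not part of the original guide or of SR OS: it parses `show router 1 route-table <prefix>` output, with or without the `all` keyword, and classifies the redundancy available for a prefix. The function names and the classification labels are assumptions of this example, and the `alternative` output format is not covered.

```python
import re

DEST = re.compile(r"^(?P<prefix>\d+(?:\.\d+){3}/\d+)\s*(?:\[(?P<flags>\w+)\])?\s+"
                  r"(?P<type>\S+)\s+(?P<proto>.+?)\s+(?P<age>\S+)\s+(?P<pref>\d+)$")
HOP = re.compile(r"^(?P<nh>\d+(?:\.\d+){3})(?:\s+\(tunneled\))?"
                 r"(?:\s+(?P<active>[YN]))?\s+(?P<metric>\d+)$")

def parse_route_table(text):
    """Return one dict per route: prefix, proto, flags, next_hop, active."""
    routes, pending = [], None
    for line in map(str.strip, text.splitlines()):
        dest, hop = DEST.match(line), HOP.match(line)
        if dest:
            pending = {"prefix": dest["prefix"], "proto": dest["proto"],
                       "flags": set(dest["flags"] or "")}
        elif hop and pending:
            # Without "all" there is no Active column: every listed route is active.
            pending.update(next_hop=hop["nh"], active=hop["active"] != "N")
            routes.append(pending)
            pending = None
    return routes

def protection(routes, prefix):
    """Classify how traffic to prefix survives the loss of one next hop."""
    mine = [r for r in routes if r["prefix"] == prefix]
    active = {r["next_hop"] for r in mine if r["active"]}
    if len(active) >= 2:
        return "ecmp"                   # two active next hops, load-sharing
    if any("B" in r["flags"] for r in mine if r["active"]):
        return "frr-backup"             # [B]: BGP backup route available
    if any("E" in r["flags"] for r in mine if not r["active"]):
        return "best-external-standby"  # [E]: inactive best-external route
    return "single-path"

# Constructed samples: route entries copied from the listings in this chapter.
SAMPLES = {
    "PE-3 FRR": "10.0.0.0/8 [B] Remote BGP VPN 00h06m39s 170\n192.0.2.1 (tunneled) 10",
    "PE-2 all": "10.0.0.0/8 [E] Remote BGP 00h03m11s 170\n172.16.24.2 N 0\n"
                "10.0.0.0/8 Remote BGP VPN 00h07m14s 170\n192.0.2.1 (tunneled) Y 10",
    "PE-3 ECMP": "10.0.0.0/8 Remote BGP VPN 00h02m42s 170\n192.0.2.1 (tunneled) 10\n"
                 "10.0.0.0/8 Remote BGP VPN 00h02m42s 170\n192.0.2.2 (tunneled) 10",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", protection(parse_route_table(text), "10.0.0.0/8"))
```

Lines that are not route entries (banners, column headers, the flag legend) match neither pattern and are skipped, so complete CLI output can be passed in unchanged.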
Conclusion
VPRNs can be configured with the option export-inactive-bgp true, which allows a BGP speaker to advertise its best external BGP route to its BGP peers even if that route is inactive due to the presence of a more preferred BGP VPN route from another PE. BGP best external in VPRN is useful in active/standby multi-homing scenarios because it allows the standby PE to advertise a backup path. The traffic failover time can be reduced when all PE routers have advance knowledge of the potential backup paths and do not have to wait for BGP route advertisements and/or withdrawals to reprogram their forwarding tables. VPRN BGP best external can also be used in combination with ECMP.