Inter-AS VPRN Model B

This chapter describes the Inter-AS VPRN Model B.

Applicability

This chapter was initially written for SR OS Release 15.0.R8, but the MD-CLI in the current edition is based on SR OS Release 22.2.R1.

Overview

An inter-AS Virtual Private Routed Network (VPRN) contains sites that are connected to different Autonomous Systems (ASs). Inter-AS is typically used either to provide extended reach through a partnership/trust agreement, as an interim means to interconnect ASs following acquisition, or because of the internal organization of a single Service Provider (SP). Three models for interconnecting ASs are defined in RFC 4364, labeled model A, B, and C. This chapter describes model B.

Inter-AS VPRN model B encompasses EBGP redistributing VPN-IPv4 and VPN-IPv6 routes between neighboring ASs. An Autonomous System Border Router (ASBR) learns VPN routes from within its AS using IBGP, potentially as a client of a Route Reflector (RR), then uses EBGP to redistribute those labeled VPN routes to its adjacent ASBR.

When redistributing the routes into EBGP, the ASBR imposes next-hop-self on the VPN-IPv4 and VPN-IPv6 update messages and generates its own label value when it advertises the update message upstream. Therefore, the ASBR programs a label-swap entry in its FIB and forwards traffic to the neighboring ASBR using a single-level label stack (the VPN label).

A key property of model B is that it eliminates the need for per-VPRN configuration on the ASBRs. However, both ASBRs must have a mechanism to implicitly learn all VPN prefixes within their local AS and selectively advertise some of those prefixes to the neighboring ASBR.

Figure 1 (Inter-AS VPRN Model B control and data plane example) shows the control plane and corresponding data plane used in model B, where MPLS is used for transport in both ASs. CE-1 is attached to PE-1 in AS 64496 and advertises prefix 172.31.100.0/24, which is propagated between neighboring ASBRs to PE-2 in AS 64510 and upstream to CE-2.

The IP traffic originating from CE-2 and received by PE-2 is received on the VRF interface of VPRN 100 and encapsulated using a two-level label stack; the inner label is the VPN label (300) and the outer label is the LDP transport label used for reaching the local ASBR-2.

ASBR-2 passes the traffic to ASBR-1, removing the LDP transport label and swapping the VPN label (300) with its VPN label (200), resulting in a single-level label stack.

In turn, ASBR-1 swaps the received VPN label (200) with another VPN label (100) and adds an LDP transport label to reach PE-1.

Finally, PE-1 removes the VPN label and delivers the unlabeled IP traffic to CE-1.

Figure 1. Inter-AS VPRN Model B control and data plane example
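
The walkthrough above can be traced hop by hop with a small model; this is an added example, not part of the original chapter. VPN labels 300, 200, and 100 come from the text, while the transport label values 501 and 502, the node table, and the no-PHP simplification are assumptions made for the illustration.

```python
"""Trace the model B label stack from PE-2 to CE-1 (added illustration)."""

# VPN labels 300/200/100 are the ones used in the walkthrough above. The LDP
# transport labels 501 and 502 are constructed; the text does not give them.
# Assumption: each hop is directly connected and the receiving node pops the
# transport label itself (no penultimate-hop popping).
NODES = {
    # node: transport label it expects on top, and its VPN label table:
    #   incoming VPN label -> (swap to, transport label to push, next node)
    "ASBR-2": {"transport_in": 501, "ilm": {300: (200, None, "ASBR-1")}},
    "ASBR-1": {"transport_in": None, "ilm": {200: (100, 502, "PE-1")}},
    "PE-1": {"transport_in": 502, "ilm": {100: (None, None, "CE-1")}},
}


def forward(node, stack):
    """Apply one node's label operations; stack is ordered bottom to top."""
    entry = NODES[node]
    stack = list(stack)
    if stack and stack[-1] == entry["transport_in"]:
        stack.pop()                      # remove the transport label
    if not stack or stack[-1] not in entry["ilm"]:
        return "DROP", stack             # no entry for this VPN label
    swap_to, push, next_node = entry["ilm"][stack.pop()]
    if swap_to is not None:
        stack.append(swap_to)            # swap the VPN label
    if push is not None:
        stack.append(push)               # add a transport label
    return next_node, stack


def trace(sender, first_node, stack):
    """Return (from, to, stack on the wire) per hop until delivery or drop."""
    hops = [(sender, first_node, tuple(stack))]
    node = first_node
    while node in NODES:
        next_node, stack = forward(node, stack)
        hops.append((node, next_node, tuple(stack)))
        node = next_node
    return hops


if __name__ == "__main__":
    # PE-2 pushes VPN label 300 and then the transport label toward ASBR-2.
    for sender, receiver, stack in trace("PE-2", "ASBR-2", [300, 501]):
        print(f"{sender:7} -> {receiver:7} stack (bottom to top): {list(stack)}")
    # A label for which ASBR-1 has no swap entry is dropped.
    print(trace("ASBR-2", "ASBR-1", [999])[-1])
```

On the inter-AS link the stack holds only the VPN label, so the ASBR's swap table is the only state that decides which labeled packets from the neighboring AS are forwarded.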

Configuration

In the example shown in Figure 2 (Inter-AS VPRN Model B topology), IS-IS is configured in each AS, and MP-IBGP sessions are established between the PEs and the RRs in AS 64496 and 64510, PE-3 and PE-7, respectively. LDP and RSVP-TE are used for transport in AS 64496, whereas AS 64510 uses LDP for its transport. An MP-EBGP session is established between ASBR PE-4 and ASBR PE-8.

Figure 2. Inter-AS VPRN Model B topology

The initial configuration includes:

  • Cards, MDAs, and ports

  • Router interfaces

  • IS-IS as IGP on all interfaces (alternatively, OSPF can be used), with traffic engineering enabled

  • LDP and RSVP-TE configured in AS 64496, LDP configured in AS 64510

  • IBGP configured in AS 64496, with PE-3 as RR for clients PE-1, PE-2, and PE-4

  • IBGP configured in AS 64510, with PE-7 as RR for clients PE-5, PE-6, and PE-8

Model B configuration

There are no specific requirements on PE routers or RRs for enabling inter-AS VPRN model B; only specific configurations are required on the ASBRs.

First, an ASBR must learn the VPN-IPv4 and VPN-IPv6 routes from the local AS and export these routes to the neighbor AS over an MP-EBGP session. This is achieved on each ASBR by declaring an IBGP group for peering with the local RR, and declaring an EBGP group for peering with the neighboring AS. The IBGP and EBGP groups include the address family vpn-ipv4, vpn-ipv6, or both.

Additionally, import and export policies can be used to control the VPN-IPv4 and VPN-IPv6 routes exchanged. Using such policies requires the vpn-apply-import and vpn-apply-export commands for SR OS to match the prefixes of the VPN-IPv4 and VPN-IPv6 address families.

The use of the next-hop-resolution command is described in the Service configuration section. The BGP configuration on ASBR PE-4 is as follows:

# on ASBR PE-4:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            loop-detect discard-route
            inter-as-vpn true                   # required for inter-as VPRN model B
            split-horizon true
            next-hop-resolution {
                labeled-routes {
                    transport-tunnel {
                        family vpn {
                            resolution filter
                            resolution-filter {
                                ldp true        # by default enabled for VPN routes
                                rsvp true
                            }
                        }
                    }
                }
            }
            group "vpn-eBGP" {
            }
            group "vpn-iBGP" {
                peer-as 64496
            }
            neighbor "192.0.2.3" {              # RR PE-3
                group "vpn-iBGP"
                family {
                    vpn-ipv4 true
                    vpn-ipv6 true
                }
            }
            neighbor "192.168.48.2" {           # EBGP peer in AS 64510
                group "vpn-eBGP"
                peer-as 64510
                family {
                    vpn-ipv4 true
                    vpn-ipv6 true
                }
                # default reject disabled: without import/export policies,
                # routes are accepted from and advertised to this EBGP peer
                ebgp-default-reject-policy {
                    import false
                    export false
                }
            }
        }
    }
}

The configuration on ASBR PE-8 is similar.

Second, the inter-as-vpn true command enables the inter-AS functionality and causes the ASBR to store the received VPN-IPv4 routes in its RIB-In, even though it has no VRF that imports these routes. For a route to be considered valid, the ASBR still needs to resolve the next-hop of this route to a tunnel. The inter-as-vpn true command also changes the BGP next-hop of advertised and received VPN-IPv4/VPN-IPv6 routes. When a route is advertised to an EBGP peer, the BGP next-hop is changed to the local-address used for communicating with the EBGP peer. When a route is received from an EBGP peer and advertised to an IBGP peer, the BGP next-hop is changed to the local-address used for communicating with the IBGP peer.

The configuration of the MP-EBGP session between the ASBRs in the EBGP group allows the ASBR to forward labeled packets over its connection with its peer ASBR.
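
As an added illustration (not Nokia code and not a full model of SR OS), the sketch below follows the control-plane steps described in this section: the ASBR keeps VPN routes without a VRF, optionally filters them by route target on export, sets its own address as next hop, and advertises its own label while recording a swap entry. The local EBGP address 192.168.48.1, all label values except 524283, the route-target allow-list, and the one-label-per-(label, next hop) allocation are assumptions.

```python
"""Model what a model B ASBR re-advertises over MP-EBGP (added illustration)."""
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class VpnRoute:
    rd: str
    prefix: str
    route_targets: frozenset
    next_hop: str
    label: int


class Asbr:
    def __init__(self, ebgp_local_address, first_label, export_rts=None):
        self.ebgp_local_address = ebgp_local_address
        # None models "no export policy": every VPN route is re-advertised.
        self.export_rts = None if export_rts is None else frozenset(export_rts)
        self.rib_in = []        # kept without any local VRF (inter-as-vpn)
        self.swap_table = {}    # advertised label -> (downstream label, next hop)
        self._allocated = {}
        self._labels = count(first_label)

    def learn_from_ibgp(self, route):
        self.rib_in.append(route)

    def advertise_to_ebgp(self):
        advertised = []
        for route in self.rib_in:
            if self.export_rts is not None and not (route.route_targets & self.export_rts):
                continue        # filtered by the route-target allow-list
            downstream = (route.label, route.next_hop)
            if downstream not in self._allocated:
                # Assumption: one new label per (received label, next hop) pair.
                self._allocated[downstream] = next(self._labels)
                self.swap_table[self._allocated[downstream]] = downstream
            # Next-hop-self toward the EBGP peer, with the ASBR's own label.
            advertised.append(replace(route, next_hop=self.ebgp_local_address,
                                      label=self._allocated[downstream]))
        return advertised


def outside_agreement(routes, agreed_rts):
    """Routes carrying none of the route targets agreed with the peer AS."""
    return [r for r in routes if not (r.route_targets & frozenset(agreed_rts))]


def build_pe4(export_rts=None):
    """ASBR PE-4 loaded with constructed routes for VPRN 1 and VPRN 33."""
    asbr = Asbr("192.168.48.1", 524270, export_rts)   # constructed values
    vprn1 = frozenset({"target:64496:1"})
    vprn33 = frozenset({"target:64496:33"})
    for route in (
        VpnRoute("64496:1", "10.1.10.0/24", vprn1, "192.0.2.1", 524280),
        VpnRoute("64496:1", "10.1.11.0/24", vprn1, "192.0.2.1", 524280),
        VpnRoute("64496:33", "10.33.1.0/24", vprn33, "192.0.2.1", 524281),
        VpnRoute("64496:33", "10.33.2.0/24", vprn33, "192.0.2.2", 524283),
    ):
        asbr.learn_from_ibgp(route)
    return asbr


if __name__ == "__main__":
    for name, rts in (("no export policy", None),
                      ("RT allow-list", {"target:64496:1"})):
        asbr = build_pe4(rts)
        sent = asbr.advertise_to_ebgp()
        print(name)
        for r in sent:
            print(f"  {r.rd}:{r.prefix} nh={r.next_hop} label={r.label}")
        extra = outside_agreement(sent, {"target:64496:1"})
        print("  outside agreement:", [r.prefix for r in extra])
        print("  swap table:", asbr.swap_table)
```

With no export policy, the VPRN 33 routes, which this chapter describes as intra-AS, are part of what the model sends to the neighboring AS; the allow-list restricts the advertisement to the VPRN 1 route target.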

MPLS LSP configuration

Two LSPs are needed between the end-to-end PEs (PE-1 and PE-5) to exchange service traffic bidirectionally, because LSPs are unidirectional. In AS 64496, this is achieved by configuring a first LSP from the service PE (PE-1) to the local ASBR (PE-4), and a second LSP back from the local ASBR (PE-4) toward the service PE (PE-1). In AS 64510, LDP is enabled on all interfaces; no RSVP LSPs are used.

In AS 64496, both LDP and RSVP are enabled. The LSP (and path) from PE-1 to PE-4 runs via PE-3, as follows:

# on PE-1:
configure {
    router "Base" {
        ldp {
            interface-parameters {
                interface "int-PE-1-PE-2" {
                    ipv4 {
                    }
                }
                interface "int-PE-1-PE-3" {
                    ipv4 {
                    }
                }
            }
        }
        mpls {
            admin-state enable
            interface "int-PE-1-PE-2" {
            }
            interface "int-PE-1-PE-3" {
            }
            interface "system" {
            }
            path "path-PE-1-PE-3-PE-4" {
                admin-state enable
                hop 10 {
                    ip-address 192.168.13.2
                    type strict
                }
                hop 20 {
                    ip-address 192.168.34.2
                    type strict
                }
            }
            lsp "lsp-PE-1-PE-4" {
                admin-state enable
                type p2p-rsvp
                to 192.0.2.4
                primary "path-PE-1-PE-3-PE-4" {
                }
            }
        }
        rsvp {
            admin-state enable
            interface "int-PE-1-PE-2" {
            }
            interface "int-PE-1-PE-3" {
            }
        }
    }
}

The LSP (and path) from PE-4 to PE-1 also runs via PE-3, as follows:

# on ASBR PE-4:
configure {
    router "Base" {
        ldp {
            interface-parameters {
                interface "int-PE-4-PE-2" {
                    ipv4 {
                    }
                }
                interface "int-PE-4-PE-3" {
                    ipv4 {
                    }
                }
            }
        }
        mpls {
            admin-state enable
            interface "int-PE-4-PE-2" {
            }
            interface "int-PE-4-PE-3" {
            }
            interface "system" {
            }
            path "path-PE-4-PE-3-PE-1" {
                admin-state enable
                hop 10 {
                    ip-address 192.168.34.1
                    type strict
                }
                hop 20 {
                    ip-address 192.168.13.1
                    type strict
                }
            }
            lsp "lsp-PE-4-PE-1" {
                admin-state enable
                type p2p-rsvp
                to 192.0.2.1
                primary "path-PE-4-PE-3-PE-1" {
                }
            }
        }
        rsvp {
            admin-state enable
            interface "int-PE-4-PE-2" {
            }
            interface "int-PE-4-PE-3" {
            }
        }
    }
}

Service configuration

VPRN 1 is configured on PE-1 and PE-5. Although the VPRN service IDs used in both ASs do not need to match, in an inter-AS VPRN model B context, the route targets (RTs) used in both ASs must be coordinated. The RT exported by the PE-1 VPRN 1 must be imported by the PE-5 VPRN 1, and vice versa. In this example, specific import-community and export-community values are used for VPRN 1; the simplified method using a single vrf-target community is used for VPRN 33.

To carry the customer data across AS 64496, tunnels must bind to a VPRN service with the auto-bind-tunnel command. Resolution is set to filter, indicating that SR OS must select a tunnel using the information defined in the resolution-filter context. The keywords ldp true and rsvp true in the resolution-filter context indicate that LDP or RSVP tunnels can be used, but SR OS prefers the RSVP tunnels because the preference for RSVP (7) is lower than the preference for LDP (9).

In AS 64496, the VPRN service on PE-1 is defined as follows:

# on PE-1:
configure {
    service {
        vprn "VPRN1" {
            admin-state enable
            service-id 1
            customer "1"
            bgp-ipvpn {
                mpls {
                    admin-state enable
                    route-distinguisher "64496:1"
                    vrf-target {
                        import-community "target:64510:1"
                        export-community "target:64496:1"
                    }
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            ldp true
                            rsvp true
                        }
                    }
                }
            }
            interface "int-S1-1" {
                ipv4 {
                    primary {
                        address 10.1.10.1
                        prefix-length 24
                    }
                }
                sap 1/2/1:1 {
                }
                ipv6 {
                    primary {
                        address 2001:db8:1::1:1
                        prefix-length 120
                    }
                }
            }
            interface "int-S1-2" {
                loopback true
                ipv4 {
                    primary {
                        address 10.1.11.1
                        prefix-length 24
                    }
                }
            }
        }
    }
}

In AS 64510, the transport technology is LDP only, so the VPRN service in PE-5 auto-binds using LDP LSPs in the tunnel table to resolve VPN-IPv4 and VPN-IPv6 routes for which the vrf-target import-community matches the vrf-target export-community value configured in PE-1 and vice versa, as follows:

# on PE-5 in AS 64510:
configure {
    service {
        vprn "VPRN1" {
            admin-state enable
            service-id 1
            customer "1"
            bgp-ipvpn {
                mpls {
                    admin-state enable
                    route-distinguisher "64510:1"
                    vrf-target {
                        import-community "target:64496:1"
                        export-community "target:64510:1"
                    }
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            ldp true
                        }
                    }
                }
            }
            interface "int-S1-1" {
                ipv4 {
                    primary {
                        address 10.1.50.1
                        prefix-length 24
                    }
                }
                sap 1/2/1:1 {
                }
                ipv6 {
                    primary {
                        address 2001:db8:1::5:1
                        prefix-length 120
                    }
                }
            }
            interface "int-S1-2" {
                loopback true
                ipv4 {
                    primary {
                        address 10.1.51.1
                        prefix-length 24
                    }
                }
            }
        }
    }
}

A second service is defined on PE-1 and PE-2 (VPRN 33), using loopback addresses 10.33.1.1/32 and 10.33.2.1/32 in PE-1 and PE-2, respectively. These addresses might appear in traces and commands later, but are of no concern because these are used for transporting intra-AS traffic. On PE-1, VPRN 33 is configured as follows:

# on PE-1:
configure {
    service {
        vprn "VPRN33" {
            admin-state enable
            service-id 33
            customer "1"
            bgp-ipvpn {
                mpls {
                    admin-state enable
                    route-distinguisher "64496:33"
                    vrf-target {
                        community "target:64496:33"
                    }
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            ldp true
                        }
                    }
                }
            }
            interface "int-S1-1" {
                loopback true
                ipv4 {
                    primary {
                        address 10.33.1.1
                        prefix-length 24
                    }
                }
            }
        }
    }
}

For VPRN 1 service traffic to flow in the direction from PE-5 to PE-1, ASBR PE-4 in AS 64496 must offer the possibility to use RSVP-TE tunnels when resolving a BGP next-hop for VPN services. Therefore, ASBR PE-4 must be explicitly configured, as follows:

# on ASBR PE-4:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            next-hop-resolution {
                labeled-routes {
                    transport-tunnel {
                        family vpn {
                            resolution filter
                            resolution-filter {
                                # ldp true    # LDP by default enabled
                                rsvp true
                            }
                        }
                    }
                }
            }
        }
    }
}

On ASBR PE-8 in AS 64510, no explicit configuration is required because resolving a BGP next-hop for VPN service to LDP tunnels is the default behavior.

Verification

With the configurations from previous sections applied, PE-1 receives three VPN-IPv4 routes and one VPN-IPv6 route, as follows:

[/]
A:admin@PE-1# show router bgp summary all
 
===============================================================================
BGP Summary
===============================================================================
Legend : D - Dynamic Neighbor
===============================================================================
Neighbor
Description
ServiceId          AS PktRcvd InQ  Up/Down   State|Rcv/Act/Sent (Addr Family)
                      PktSent OutQ
-------------------------------------------------------------------------------
192.0.2.3
Def. Inst       64496     421    0 03h27m16s 3/3/3 (VpnIPv4)
                          424    0           1/1/1 (VpnIPv6)
-------------------------------------------------------------------------------

PE-1 received the following three VPN-IPv4 routes:

[/]
A:admin@PE-1# show router bgp routes vpn-ipv4
===============================================================================
 BGP Router ID:192.0.2.1        AS:64496       Local AS:64496
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
u*>i  64496:33:10.33.2.0/24                              100         None
      192.0.2.2                                          None        10
      No As-Path                                                     524283
u*>i  64510:1:10.1.50.0/24                               100         None
      192.0.2.4                                          None        20
      64510                                                          524279
u*>i  64510:1:10.1.51.0/24                               100         None
      192.0.2.4                                          None        20
      64510                                                          524279
-------------------------------------------------------------------------------
Routes : 3
===============================================================================

PE-1 received the following VPN-IPv6 route:

[/]
A:admin@PE-1# show router bgp routes vpn-ipv6
===============================================================================
 BGP Router ID:192.0.2.1        AS:64496       Local AS:64496
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP VPN-IPv6 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
u*>i  64510:1:2001:db8:1::5:0/120                        100         None
      ::ffff:192.0.2.4                                   None        20
      64510                                                          524278
-------------------------------------------------------------------------------
Routes : 1
===============================================================================

PE-1 has three LDP tunnels and one RSVP tunnel, and its tunnel table looks as follows:

[/]
A:admin@PE-1# show router tunnel-table

===============================================================================
IPv4 Tunnel Table (Router: Base)
===============================================================================
Destination           Owner     Encap TunnelId  Pref   Nexthop        Metric
   Color
-------------------------------------------------------------------------------
192.0.2.2/32          ldp       MPLS  65537     9      192.168.12.2   10
192.0.2.3/32          ldp       MPLS  65538     9      192.168.13.2   10
192.0.2.4/32          rsvp      MPLS  1         7      192.168.13.2   16777215
192.0.2.4/32          ldp       MPLS  65539     9      192.168.12.2   20
-------------------------------------------------------------------------------
Flags: B = BGP or MPLS backup hop available
       L = Loop-Free Alternate (LFA) hop available
       E = Inactive best-external BGP route
       k = RIB-API or Forwarding Policy backup hop
===============================================================================
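
The choice between the two tunnels to 192.0.2.4 follows the resolution-filter and preference rules described in the Service configuration section. The added example below (not part of the original chapter) parses the tunnel-table output shown above and resolves a BGP next hop against it; the function names and the metric tie-break are assumptions.

```python
"""Resolve a BGP next hop against a tunnel table (added illustration)."""
import ipaddress
from typing import NamedTuple

# Output copied from `show router tunnel-table` on PE-1, as shown above.
TUNNEL_TABLE = """\
===============================================================================
IPv4 Tunnel Table (Router: Base)
===============================================================================
Destination           Owner     Encap TunnelId  Pref   Nexthop        Metric
   Color
-------------------------------------------------------------------------------
192.0.2.2/32          ldp       MPLS  65537     9      192.168.12.2   10
192.0.2.3/32          ldp       MPLS  65538     9      192.168.13.2   10
192.0.2.4/32          rsvp      MPLS  1         7      192.168.13.2   16777215
192.0.2.4/32          ldp       MPLS  65539     9      192.168.12.2   20
-------------------------------------------------------------------------------
Flags: B = BGP or MPLS backup hop available
       L = Loop-Free Alternate (LFA) hop available
===============================================================================
"""


class Tunnel(NamedTuple):
    destination: ipaddress.IPv4Network
    owner: str
    tunnel_id: int
    preference: int
    next_hop: str
    metric: int


def parse_tunnel_table(text):
    """Extract tunnel rows and ignore titles, rulers and the flag legend."""
    tunnels = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue                      # rulers, titles, "Color" line
        try:
            destination = ipaddress.ip_network(fields[0])
            tunnel_id, preference, metric = (int(fields[3]), int(fields[4]),
                                             int(fields[6]))
        except ValueError:
            continue                      # column header and legend lines
        tunnels.append(Tunnel(destination, fields[1], tunnel_id, preference,
                              fields[5], metric))
    return tunnels


def resolve(tunnels, next_hop, allowed_owners):
    """Pick the tunnel for a next hop, or None if the filter leaves nothing."""
    address = ipaddress.ip_address(next_hop)
    if address.version == 6 and address.ipv4_mapped is not None:
        address = address.ipv4_mapped     # VPN-IPv6 next hop ::ffff:a.b.c.d
    candidates = [t for t in tunnels
                  if t.owner in allowed_owners and address in t.destination]
    # Lowest preference wins; breaking ties on metric is an assumption here.
    return min(candidates, key=lambda t: (t.preference, t.metric), default=None)


if __name__ == "__main__":
    table = parse_tunnel_table(TUNNEL_TABLE)
    for nh, owners in (("192.0.2.4", {"ldp", "rsvp"}),
                       ("192.0.2.4", {"ldp"}),
                       ("::ffff:192.0.2.4", {"ldp", "rsvp"}),
                       ("192.0.2.2", {"rsvp"})):
        best = resolve(table, nh, owners)
        result = "unresolved" if best is None else f"{best.owner}:{best.tunnel_id}"
        print(f"{nh:18} filter={sorted(owners)} -> {result}")
```

The RSVP tunnel is selected for 192.0.2.4 despite its metric of 16777215 because preference is compared first, and a filter that excludes every available tunnel leaves the next hop unresolved.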

The IPv4 routing table for VPRN 1 is as follows:

[/]
A:admin@PE-1# show router 1 route-table

===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
10.1.10.0/24                                  Local   Local     00h02m15s  0
       int-S1-1                                                     0
10.1.11.0/24                                  Local   Local     00h02m15s  0
       int-S1-2                                                     0
10.1.50.0/24                                  Remote  BGP VPN   00h01m01s  170
       192.0.2.4 (tunneled:RSVP:1)                                  16777215
10.1.51.0/24                                  Remote  BGP VPN   00h01m01s  170
       192.0.2.4 (tunneled:RSVP:1)                                  16777215
-------------------------------------------------------------------------------
No. of Routes: 4
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

The IPv4 addresses for VPRN 1 on PE-8 are 10.1.50.0/24 and 10.1.51.0/24, and are reachable through RSVP-TE tunnel 1 (tunneled:RSVP:1). The VPN label value for these prefixes is assigned and advertised by ASBR PE-4 and gets to PE-1 via the RR PE-3 in an MP-BGP update message. The 10.33.2.0/24 prefix belongs to a different service and is not relevant for model B because it is used for intra-AS traffic. The VPN-IPv4 routes received on PE-1 are as follows:

[/]
A:admin@PE-1# show router bgp neighbor 192.0.2.3 received-routes vpn-ipv4
===============================================================================
 BGP Router ID:192.0.2.1        AS:64496       Local AS:64496
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
u*>i  64496:33:10.33.2.0/24                              100         None
      192.0.2.2                                          None        10
      No As-Path                                                     524283
u*>i  64510:1:10.1.50.0/24                               100         None
      192.0.2.4                                          None        20
      64510                                                          524279
u*>i  64510:1:10.1.51.0/24                               100         None
      192.0.2.4                                          None        20
      64510                                                          524279
-------------------------------------------------------------------------------
Routes : 3
===============================================================================

The BGP next-hops for the VPN-IPv4 BGP address family are as follows. Service traffic for VPRN 33 uses the LDP tunnel to PE-2 carrying the intra-AS traffic, and service traffic for VPRN 1 uses the RSVP tunnel to ASBR PE-4 carrying the inter-AS traffic.

[/]
A:admin@PE-1# show router bgp next-hop vpn-ipv4
===============================================================================
 BGP Router ID:192.0.2.1        AS:64496       Local AS:64496
===============================================================================

===============================================================================
BGP VPN Next Hop
===============================================================================
VPN Next Hop                                                Owner
   Autobind                                        FibProg  Reason
   Labels (User-labels)                            FlexAlgo Metric
   Admin-tag-policy (strict-tunnel-tagging)
-------------------------------------------------------------------------------
192.0.2.2                                                   LDP
   ldp bgp                                            Y
   -- (2)                                          --       10
   -- (-)
192.0.2.4                                                   RSVP
   ldp rsvp bgp                                       Y
   -- (2)                                          --       16777215
   -- (-)
-------------------------------------------------------------------------------
Next Hops : 2
===============================================================================

The IPv6 routing table for VPRN 1 is as follows:

[/]
A:admin@PE-1# show router 1 route-table ipv6

===============================================================================
IPv6 Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
2001:db8:1::1:0/120                           Local   Local     00h03m54s  0
       int-S1-1                                                     0
2001:db8:1::5:0/120                           Remote  BGP VPN   00h02m40s  170
       192.0.2.4 (tunneled:RSVP:1)                                  16777215
-------------------------------------------------------------------------------
No. of Routes: 2
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

The VPN-IPv6 routes received on PE-1 are as follows:

[/]
A:admin@PE-1# show router bgp neighbor 192.0.2.3 received-routes vpn-ipv6
===============================================================================
 BGP Router ID:192.0.2.1        AS:64496       Local AS:64496
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP VPN-IPv6 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
u*>i  64510:1:2001:db8:1::5:0/120                        100         None
      ::ffff:192.0.2.4                                   None        20
      64510                                                          524278
-------------------------------------------------------------------------------
Routes : 1
===============================================================================

The BGP next-hop for the VPN-IPv6 address family is as follows:

[/]
A:admin@PE-1# show router bgp next-hop vpn-ipv6
===============================================================================
 BGP Router ID:192.0.2.1        AS:64496       Local AS:64496
===============================================================================

===============================================================================
BGP VPN Next Hop
===============================================================================
VPN Next Hop                                                Owner
   Autobind                                        FibProg  Reason
   Labels (User-labels)                            FlexAlgo Metric
   Admin-tag-policy (strict-tunnel-tagging)
-------------------------------------------------------------------------------
::ffff:192.0.2.4                                            RSVP
   ldp rsvp bgp                                       Y
   -- (2)                                          --       16777215
   -- (-)
-------------------------------------------------------------------------------
Next Hops : 1
===============================================================================

The forwarding plane is programmed accordingly, as follows:

[/]
A:admin@PE-1# show router 1 fib 1 ipv4

===============================================================================
FIB Display
===============================================================================
Prefix [Flags]                                              Protocol
  NextHop
-------------------------------------------------------------------------------
10.1.10.0/24                                                LOCAL
  10.1.10.0 (int-S1-1)
10.1.11.0/24                                                LOCAL
  10.1.11.0 (int-S1-2)
10.1.50.0/24                                                BGP_VPN
  192.0.2.4 (VPRN Label:524279 Transport:RSVP LSP:1)
10.1.51.0/24                                                BGP_VPN
  192.0.2.4 (VPRN Label:524279 Transport:RSVP LSP:1)
-------------------------------------------------------------------------------
Total Entries : 4
-------------------------------------------------------------------------------
===============================================================================
[/]
A:admin@PE-1# show router 1 fib 1 ipv6

===============================================================================
FIB Display
===============================================================================
Prefix [Flags]                                              Protocol
  NextHop
-------------------------------------------------------------------------------
2001:db8:1::1:0/120                                         LOCAL
  2001:db8:1::1:0 (int-S1-1)
2001:db8:1::5:0/120                                         BGP_VPN
  192.0.2.4 (VPRN Label:524278 Transport:RSVP LSP:1)
-------------------------------------------------------------------------------
Total Entries : 2
-------------------------------------------------------------------------------
===============================================================================

SR OS uses a label-per-VRF mode of label distribution, meaning that the same label is used for different VPN-IPv4 and different VPN-IPv6 prefixes from the same VRF, which saves on MPLS label resources. In this example, the VPRN service label is 524279 for the VPN-IPv4 prefixes 10.1.50.0/24 and 10.1.51.0/24, and 524278 for VPN-IPv6 prefix 2001:db8:1::5:0/120.

The forwarding plane is also programmed with the outer label to be used for transport purposes. Two labels are present: 524282 assigned through RSVP, and 524284 assigned through LDP. Because RSVP takes precedence over LDP, the RSVP label is actively used, as follows:

[/]
A:admin@PE-1# show router fp-tunnel-table 1 192.0.2.4/32

===============================================================================
IPv4 Tunnel Table Display

Legend:
label stack is ordered from bottom-most to top-most
B - FRR Backup
===============================================================================
Destination                                  Protocol         Tunnel-ID
  Lbl/SID
    NextHop                                                   Intf/Tunnel
  Lbl/SID (backup)
    NextHop   (backup)
-------------------------------------------------------------------------------
192.0.2.4/32                                 LDP               -
  524284
    192.168.12.2                                               1/1/1:1000
192.0.2.4/32                                 RSVP              1
  524282
    192.168.13.2                                               1/1/2:1000
-------------------------------------------------------------------------------
Total Entries : 2
-------------------------------------------------------------------------------
===============================================================================

Traffic over VPRN 1 is generated using a ping command on PE-1 to the remote loopback address, as follows:

[/]
A:admin@PE-1# ping 10.1.50.1 router-instance "VPRN1"
PING 10.1.50.1 56 data bytes
64 bytes from 10.1.50.1: icmp_seq=1 ttl=64 time=5.55ms.
64 bytes from 10.1.50.1: icmp_seq=2 ttl=64 time=6.38ms.
64 bytes from 10.1.50.1: icmp_seq=3 ttl=64 time=5.91ms.
64 bytes from 10.1.50.1: icmp_seq=4 ttl=64 time=5.75ms.
64 bytes from 10.1.50.1: icmp_seq=5 ttl=64 time=5.43ms.

---- 10.1.50.1 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 5.43ms, avg = 5.80ms, max = 6.38ms, stddev = 0.331ms

On PE-1, the IPv4 VPRN 1 traffic is pushed with VPN label 524279, followed by RSVP-TE transport label 524282. ASBR PE-4 removes the RSVP-TE transport label and swaps the internal (advertised) VPN label 524279 with the external VPN label 524280 received from ASBR PE-8. For IPv6 VPRN 1 traffic, VPN label 524278 is swapped with VPN label 524279. The inter-AS BGP labels stored by ASBR PE-4 are as follows:

[/]
A:admin@PE-4# show router bgp inter-as-label

===============================================================================
BGP Inter-AS labels
Flags: B - entry has backup, P - entry is promoted
===============================================================================
NextHop                       Received       Advertised     Label
                              Label          Label          Origin
-------------------------------------------------------------------------------
192.0.2.1                     524281         524282         Internal
192.0.2.1                     524282         524281         Internal
192.0.2.1                     524282         524280         Internal
192.0.2.2                     524283         524277         Internal
192.168.48.2                  524279         524278         External
192.168.48.2                  524280         524279         External
-------------------------------------------------------------------------------
Total Labels allocated:   6
===============================================================================

The forward data flow (from AS 64496 to AS 64510) for VPRN 1 uses the labels for which the label origin is external. The backward data flow (from AS 64510 to AS 64496) uses the labels for which the label origin is internal.

For brevity, the commands to display and check VPN prefixes and labels used in AS 64510 are omitted.

When both RSVP LSPs between PE-1 and ASBR PE-4 in AS 64496 are disabled (admin-state disable), both PE-1 and PE-4 select LDP tunnels for resolving VPN BGP next-hops. The route table for VPRN 1 is then as follows, where tunneled indicates that an LDP tunnel is used to reach the next hop:

[/]
A:admin@PE-1# show router 1 route-table
 
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
10.1.10.0/24                                  Local   Local     04h29m37s  0
       int-S1-1                                                     0
10.1.11.0/24                                  Local   Local     04h29m37s  0
       int-S1-2                                                     0
10.1.50.0/24                                  Remote  BGP VPN   00h00m08s  170
       192.0.2.4 (tunneled)                                         20
10.1.51.0/24                                  Remote  BGP VPN   00h00m08s  170
       192.0.2.4 (tunneled)                                         20
-------------------------------------------------------------------------------
No. of Routes: 4
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

Only LDP tunnels are available in PE-1 and ASBR PE-4, as follows:

[/]
A:admin@PE-1# show router tunnel-table

===============================================================================
IPv4 Tunnel Table (Router: Base)
===============================================================================
Destination           Owner     Encap TunnelId  Pref   Nexthop        Metric
   Color
-------------------------------------------------------------------------------
192.0.2.2/32          ldp       MPLS  65537     9      192.168.12.2   10
192.0.2.3/32          ldp       MPLS  65538     9      192.168.13.2   10
192.0.2.4/32          ldp       MPLS  65539     9      192.168.12.2   20
-------------------------------------------------------------------------------
Flags: B = BGP or MPLS backup hop available
       L = Loop-Free Alternate (LFA) hop available
       E = Inactive best-external BGP route
       k = RIB-API or Forwarding Policy backup hop
===============================================================================
[/]
A:admin@PE-4# show router tunnel-table

===============================================================================
IPv4 Tunnel Table (Router: Base)
===============================================================================
Destination           Owner     Encap TunnelId  Pref   Nexthop        Metric
   Color
-------------------------------------------------------------------------------
192.0.2.1/32          ldp       MPLS  65538     9      192.168.24.1   20
192.0.2.2/32          ldp       MPLS  65539     9      192.168.24.1   10
192.0.2.3/32          ldp       MPLS  65537     9      192.168.34.1   10
-------------------------------------------------------------------------------
Flags: B = BGP or MPLS backup hop available
       L = Loop-Free Alternate (LFA) hop available
       E = Inactive best-external BGP route
       k = RIB-API or Forwarding Policy backup hop
===============================================================================

The BGP next-hop for VPN-IPv4 traffic in PE-1 also indicates that, to reach PE-5 via PE-4, an LDP tunnel is used, as follows:

[/]
A:admin@PE-1# show router bgp next-hop vpn-ipv4
===============================================================================
 BGP Router ID:192.0.2.1        AS:64496       Local AS:64496
===============================================================================

===============================================================================
BGP VPN Next Hop
===============================================================================
VPN Next Hop                                                Owner
   Autobind                                        FibProg  Reason
   Labels (User-labels)                            FlexAlgo Metric
   Admin-tag-policy (strict-tunnel-tagging)
-------------------------------------------------------------------------------
192.0.2.2                                                   LDP
   ldp bgp                                            Y
   -- (2)                                          --       10
   -- (-)
192.0.2.4                                                   LDP
   ldp rsvp bgp                                       Y
   -- (2)                                          --       20
   -- (-)
-------------------------------------------------------------------------------
Next Hops : 2
===============================================================================

The forwarding plane is programmed accordingly, as follows:

[/]
A:admin@PE-1# show router 1 fib 1 ipv4

===============================================================================
FIB Display
===============================================================================
Prefix [Flags]                                              Protocol
  NextHop
-------------------------------------------------------------------------------
10.1.10.0/24                                                LOCAL
  10.1.10.0 (int-S1-1)
10.1.11.0/24                                                LOCAL
  10.1.11.0 (int-S1-2)
10.1.50.0/24                                                BGP_VPN
  192.0.2.4 (VPRN Label:524279 Transport:LDP)
10.1.51.0/24                                                BGP_VPN
  192.0.2.4 (VPRN Label:524279 Transport:LDP)
-------------------------------------------------------------------------------
Total Entries : 4
-------------------------------------------------------------------------------
===============================================================================
[/]
A:admin@PE-1# show router fp-tunnel-table 1

===============================================================================
IPv4 Tunnel Table Display

Legend:
label stack is ordered from bottom-most to top-most
B - FRR Backup
===============================================================================
Destination                                  Protocol         Tunnel-ID
  Lbl/SID
    NextHop                                                   Intf/Tunnel
  Lbl/SID (backup)
    NextHop   (backup)
-------------------------------------------------------------------------------
192.0.2.2/32                                 LDP               -
  524287
    192.168.12.2                                               1/1/1:1000
192.0.2.3/32                                 LDP               -
  524287
    192.168.13.2                                               1/1/2:1000
192.0.2.4/32                                 LDP               -
  524284
    192.168.12.2                                               1/1/1:1000
-------------------------------------------------------------------------------
Total Entries : 3
-------------------------------------------------------------------------------
===============================================================================

The details for the LDP tunnel from PE-1 to PE-4 are as follows:

[/]
A:admin@PE-1# show router tunnel-table 192.0.2.4/32 detail

===============================================================================
Tunnel Table (Router: Base)
===============================================================================
Destination      : 192.0.2.4/32
NextHop          : 192.168.12.2
Tunnel Flags     : (Not Specified)
Age              : 00h12m46s
CBF Classes      : (Not Specified)
Owner            : ldp                  Encap            : MPLS
Tunnel ID        : 65539                Preference       : 9
Tunnel Label     : 524284               Tunnel Metric    : 20
Tunnel MTU       : 1556                 Max Label Stack  : 1
-------------------------------------------------------------------------------
Number of tunnel-table entries          : 1
Number of tunnel-table entries with LFA : 0
===============================================================================

On PE-1, the IPv4 traffic in VPRN 1 is pushed with VPN label 524279, followed by LDP transport label 524284. ASBR PE-4 removes the LDP transport label and swaps the internal (advertised) VPN label 524279 with the external VPN label 524280 received from ASBR PE-8. The inter-AS label mapping between the ASBRs remains unchanged.

On the directly connected interface between the ASBRs, nothing has changed; only a single MPLS label is used to carry the VPN data, as shown in the following capture:

With this configuration, all the VPN-IPv4 and VPN-IPv6 routes known to AS 64496 are advertised by ASBR PE-4 to AS 64510, even the VPN-IPv4 and VPN-IPv6 routes from other AS 64496 VPRN services that do not need to be distributed:

[/]
A:admin@PE-4# show router bgp neighbor 192.168.48.2 advertised-routes vpn-ipv4 brief
===============================================================================
 BGP Router ID:192.0.2.4        AS:64496       Local AS:64496
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag  Network
-------------------------------------------------------------------------------
i     64496:1:10.1.10.0/24
i     64496:1:10.1.11.0/24
i     64496:33:10.33.1.0/24
i     64496:33:10.33.2.0/24
-------------------------------------------------------------------------------
Routes : 4
===============================================================================

As already indicated, the 10.33.1.0/24 and 10.33.2.0/24 prefixes belong to VPRN 33. This service exists on PE-1 and PE-2 only, and the corresponding customer traffic must be kept within AS 64496, so there is no need to advertise these prefixes to the peer AS. The "exp-SVC-1" policy is defined at ASBR PE-4 to achieve this, as follows:

# on ASBR PE-4:
configure {
    policy-options {
        prefix-list "pfx-SVC-1" {
            prefix 10.1.10.0/24 type longer {
            }
            prefix 10.1.11.0/24 type longer {
            }
            prefix 2001:db8:1::/96 type longer {
            }
        }
        policy-statement "exp-SVC-1" {
            entry 10 {
                from {
                    prefix-list "pfx-SVC-1"
                }
                action {
                    action-type accept
                }
            }
            default-action {
                action-type reject
            }
        }

The "exp-SVC-1" policy is applied to ASBR PE-4 as an export policy, but import policies can also be used to control which prefixes are exchanged. This additionally requires the vpn-apply-export true command (and vpn-apply-import true for import policies); the change required at ASBR PE-4 is as follows:

# on ASBR PE-4:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            group "vpn-eBGP" {
                vpn-apply-export true
                export {
                    policy ["exp-SVC-1"]
                }
            }
            neighbor "192.168.48.2" {
                group "vpn-eBGP"
                peer-as 64510
                family {
                    vpn-ipv4 true
                    vpn-ipv6 true
                }
                ebgp-default-reject-policy {
                    import false
                    delete export
                }
            }

As a result, ASBR PE-4 advertises only the VPN-IPv4 and VPN-IPv6 prefixes for VPRN 1, as follows:

[/]
A:admin@PE-4# show router bgp neighbor 192.168.48.2 advertised-routes vpn-ipv4 brief
===============================================================================
 BGP Router ID:192.0.2.4        AS:64496       Local AS:64496
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag  Network
-------------------------------------------------------------------------------
i     64496:1:10.1.10.0/24
i     64496:1:10.1.11.0/24
-------------------------------------------------------------------------------
Routes : 2
===============================================================================
[/]
A:admin@PE-4# show router bgp neighbor 192.168.48.2 advertised-routes vpn-ipv6 brief
===============================================================================
 BGP Router ID:192.0.2.4        AS:64496       Local AS:64496
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP VPN-IPv6 Routes
===============================================================================
Flag  Network
-------------------------------------------------------------------------------
i     64496:1:2001:db8:1::1:0/120
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
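
The before-and-after comparison above can be automated as a recurring check on the ASBR. The following Python script is an added example, not part of the original documentation: it parses the advertised-routes brief output shown in this chapter and flags any route whose route distinguisher or prefix falls outside what "exp-SVC-1" is meant to allow. The RD allow-list and the reading of type longer as "this prefix or any more specific one" are assumptions, and the overlap sample is constructed.

```python
import ipaddress
import re

# Mirrors prefix-list "pfx-SVC-1" from the page.
ALLOWED_PREFIXES = ["10.1.10.0/24", "10.1.11.0/24", "2001:db8:1::/96"]
# Assumption: VPRN 1 is the only service using RD 64496:1 (as in the page's output).
ALLOWED_RDS = {"64496:1"}

# "<flags>  <RD>:<prefix>/<len>", RD being ASN:number or IPv4-address:number.
ROUTE_LINE = re.compile(r"^\S+\s+((?:\d+\.\d+\.\d+\.\d+|\d+):\d+):(\S+/\d+)$")

# Route lines copied from the page: before and after "exp-SVC-1" is applied.
BEFORE = """\
Flag  Network
-------------------------------------------------------------------------------
i     64496:1:10.1.10.0/24
i     64496:1:10.1.11.0/24
i     64496:33:10.33.1.0/24
i     64496:33:10.33.2.0/24
-------------------------------------------------------------------------------
Routes : 4
"""
AFTER = """\
i     64496:1:10.1.10.0/24
i     64496:1:10.1.11.0/24
i     64496:1:2001:db8:1::1:0/120
"""
# Constructed sample: another VPRN reusing address space inside the allow-list.
OVERLAP = "i     64496:33:10.1.10.128/25\n"


def parse_advertised(output):
    """Return (rd, network) pairs found in 'advertised-routes ... brief' output."""
    routes = []
    for line in output.splitlines():
        m = ROUTE_LINE.match(line.strip())
        if m:
            routes.append((m.group(1), ipaddress.ip_network(m.group(2), strict=False)))
    return routes


def permitted(network, allowed):
    # Assumption: "type longer" accepts the listed prefix and any more specific one.
    return any(network.version == a.version and network.subnet_of(a) for a in allowed)


def audit(output, allowed_prefixes=ALLOWED_PREFIXES, allowed_rds=ALLOWED_RDS):
    """Return [(route, [reasons])] for each advertised route that should stay in the AS."""
    allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
    findings = []
    for rd, net in parse_advertised(output):
        reasons = []
        if rd not in allowed_rds:
            reasons.append("unexpected RD")
        if not permitted(net, allowed):
            reasons.append("prefix outside allow-list")
        if reasons:
            findings.append((f"{rd}:{net}", reasons))
    return findings


if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER), ("overlap", OVERLAP)):
        print(name, audit(sample) or "clean")
```

The constructed overlap sample falls inside the prefix allow-list and is flagged only by the RD check, which is why the audit looks at both fields.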

Conclusion

Inter-AS VPRN model B offers service providers a way to interconnect IPv4 and IPv6 VPN sites across different ASs, avoiding the need for dedicated services in the ASBR, which would otherwise consume valuable resources in the ASBR. Model B is useful for scenarios where model C does not apply; for example, when there is no trust agreement with the peer AS, so that exchanging PE system addresses with that peer is not permitted or does not make sense.