Inter-AS Option B Label Security for IP-VPN and EVPN Routes
This chapter provides information about inter-AS option B label security for IP-VPN and EVPN routes.
Topics in this chapter include:
Applicability
The information and the configuration in this chapter are based on SR OS Release 24.3.R1. Inter-AS option B label security for IP-VPN routes is supported in SR OS Release 16.0.R4, and later. Inter-AS option B label security for EVPN routes is supported in SR OS Release 23.3.R2, and later.
Overview
In inter-AS option B interconnects, the Autonomous System Border Routers (ASBRs) can filter BGP IP-VPN or BGP EVPN routes based on route target (RT). In addition, BGP neighbor trust prevents label spoofing in inter-AS option B for the VPN-IPv4, VPN-IPv6, and EVPN address families. In networks where ASBRs advertise routes to multiple peer ASBRs, an ASBR may drop packets on IP interfaces that are configured as untrusted with the default-forwarding argument set to the drop command option:
# on ASBR: configure router interface <..> untrusted default-forwarding drop
By default, all IP interfaces between ASBRs are trusted and the datapath allows all packets. A maximum of 15 interfaces can be configured as untrusted. The default-forwarding argument can be set to the forward option (the default) or to the drop option.
When an IP interface is configured as untrusted without the default-forwarding argument, or with the (default) default-forwarding forward option, the datapath allows all packets and the behavior is the same as when the untrusted command is not configured.
Traffic is only dropped when the IP interface is configured with untrusted default-forwarding drop.
The table "Untrusted interfaces with default-forwarding forward option allow all IP-VPN and EVPN routes" shows that the datapath allows all IP-VPN and EVPN traffic when the interface is configured as untrusted with default-forwarding set to forward. There is no need to configure neighbor-trust for VPN-IPv4, VPN-IPv6, or EVPN.
untrusted configuration | neighbor-trust configured: VPN-IPv4 | neighbor-trust configured: VPN-IPv6 | neighbor-trust configured: EVPN | traffic allowed: VPN-IPv4 | traffic allowed: VPN-IPv6 | traffic allowed: EVPN
---|---|---|---|---|---|---
untrusted forward | no | no | no | yes | yes | yes
untrusted forward | no | no | yes | yes | yes | yes
untrusted forward | no | yes | no | yes | yes | yes
untrusted forward | no | yes | yes | yes | yes | yes
untrusted forward | yes | no | no | yes | yes | yes
untrusted forward | yes | no | yes | yes | yes | yes
untrusted forward | yes | yes | no | yes | yes | yes
untrusted forward | yes | yes | yes | yes | yes | yes
In contrast, the datapath drops all labeled packets on untrusted IP interfaces configured with the default-forwarding drop option. For the datapath to make an exception to this default handling for specific Ingress Label Maps (ILMs), BGP must flag those ILMs to the datapath. The following neighbor-trust command enables this exceptional ILM forwarding behavior per VPN address family (VPN-IPv4, VPN-IPv6, and EVPN):
# on ASBR: configure router bgp neighbor-trust { vpn-ipv4 | vpn-ipv6 | evpn }
The table "BGP neighbor-trust defines what traffic is allowed on untrusted interfaces with default-forwarding drop option" shows what traffic is allowed on an untrusted interface configured with the default-forwarding drop option when BGP neighbor-trust is configured for the VPN-IP or EVPN address families.
untrusted configuration | neighbor-trust configured: VPN-IPv4 | neighbor-trust configured: VPN-IPv6 | neighbor-trust configured: EVPN | traffic allowed: VPN-IPv4 | traffic allowed: VPN-IPv6 | traffic allowed: EVPN
---|---|---|---|---|---|---
untrusted drop | no | no | no | no | no | no
untrusted drop | no | no | yes | no | no | yes
untrusted drop | no | yes | no | no | yes | no
untrusted drop | no | yes | yes | no | yes | yes
untrusted drop | yes | no | no | yes | no | no
untrusted drop | yes | no | yes | yes | no | yes
untrusted drop | yes | yes | no | yes | yes | no
untrusted drop | yes | yes | yes | yes | yes | yes
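The decision described by the two tables, written out as an added Python model (this is an illustration added here, not SR OS code or a Nokia tool). It also encodes the 15-interface limit and maps each service of this chapter's topology to the address family that carries its labels, so the outcome of the ping tests in the configuration sections can be predicted; the class and function names are assumptions of the example.

```python
from dataclasses import dataclass
from itertools import product

# Address families whose ILMs BGP neighbor-trust can flag to the datapath.
FAMILIES = ("vpn-ipv4", "vpn-ipv6", "evpn")
MAX_UNTRUSTED_INTERFACES = 15  # limit stated in the chapter


@dataclass
class AsbrInterface:
    """Model of: configure router interface <name> [untrusted [default-forwarding {forward|drop}]]."""
    name: str
    untrusted: bool = False
    default_forwarding: str = "forward"  # the default when 'untrusted' is given without the argument

    def __post_init__(self):
        if self.default_forwarding not in ("forward", "drop"):
            raise ValueError("default-forwarding must be 'forward' or 'drop'")


def ilm_allowed(intf: AsbrInterface, neighbor_trust: set, family: str) -> bool:
    """Does the ASBR datapath forward labelled packets whose ILM was learned via
    `family` when they arrive on `intf`?  Encodes both tables of the chapter."""
    if family not in FAMILIES:
        raise ValueError(f"unknown address family {family!r}")
    # Trusted interface, or untrusted with (default) forward: everything passes
    # and neighbor-trust has no effect.
    if not intf.untrusted or intf.default_forwarding == "forward":
        return True
    # untrusted default-forwarding drop: only ILMs that BGP flagged because
    # their address family is listed under neighbor-trust are forwarded.
    return family in neighbor_trust


def traffic_matrix(intf: AsbrInterface):
    """Regenerate the eight table rows: (neighbor-trust flags) -> (traffic allowed flags),
    each triple ordered VPN-IPv4, VPN-IPv6, EVPN."""
    rows = []
    for flags in product((False, True), repeat=3):
        nt = {fam for fam, on in zip(FAMILIES, flags) if on}
        rows.append((flags, tuple(ilm_allowed(intf, nt, fam) for fam in FAMILIES)))
    return rows


def service_family(service: str, ip_version: int) -> str:
    """Address family carrying the labels of each service in the chapter's topology."""
    if service == "VPRN-1":  # BGP-IPVPN: one family per IP version
        return "vpn-ipv4" if ip_version == 4 else "vpn-ipv6"
    return "evpn"  # VPRN-2 (EVPN-IFL), VPLS-3, Epipe-4 and BD-5 all use EVPN routes


def ping_succeeds(service: str, ip_version: int, intf: AsbrInterface, neighbor_trust: set) -> bool:
    """Predict the outcome of the chapter's 'ping router-instance' tests across the ASBR link."""
    return ilm_allowed(intf, neighbor_trust, service_family(service, ip_version))


def untrusted_count_ok(interfaces) -> bool:
    """Configuration check: no more than MAX_UNTRUSTED_INTERFACES interfaces may be untrusted."""
    return sum(1 for i in interfaces if i.untrusted) <= MAX_UNTRUSTED_INTERFACES


if __name__ == "__main__":
    # Constructed interfaces mirroring the two ASBR configurations of the chapter.
    asbr3 = AsbrInterface("int-ASBR-3-ASBR-2", untrusted=True, default_forwarding="forward")
    asbr2 = AsbrInterface("int-ASBR-2-ASBR-3", untrusted=True, default_forwarding="drop")
    for intf in (asbr3, asbr2):
        print(f"{intf.name} (untrusted {intf.default_forwarding}):")
        for nt_flags, allowed in traffic_matrix(intf):
            print("  neighbor-trust", nt_flags, "-> allowed", allowed)
    # The 'neighbor-trust vpn-ipv4' step: only IPv4 in VPRN-1 reaches PE-4.
    for svc in ("VPRN-1", "VPRN-2", "VPLS-3", "Epipe-4", "BD-5"):
        for v in (4, 6):
            print(f"{svc} IPv{v}:", "!!!!!" if ping_succeeds(svc, v, asbr2, {"vpn-ipv4"}) else ".....")
```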
Configuration
Inter-AS option B label security with services configured on PEs only
- BGP-IPVPN "VPRN-1"
- BGP-EVPN "VPRN-2"
- EVPN VPLS "VPLS-3"
- EVPN VPWS "Epipe-4"
- EVPN R-VPLS "BD-5" in IES "IES-55"
Initial configuration
- cards, MDAs, ports
- router interfaces
- IS-IS between PE-1, RR-5, and ASBR-2 in AS 64496 and between PE-4, RR-6, and ASBR-3 in AS 64511, but not between the ASBRs
- SR-ISIS between PE-1 and ASBR-2 in AS 64496 and between PE-4 and ASBR-3 in AS 64511
- BGP for the VPN-IPv4, VPN-IPv6, and EVPN address families:
- IBGP in AS 64496 with route reflector RR-5 and clients PE-1 and ASBR-2
- IBGP in AS 64511 with route reflector RR-6 and clients PE-4 and ASBR-3
- EBGP between ASBR-2 and ASBR-3
The BGP configuration on PE-1 is as follows:
# on PE-1:
configure
router Base
autonomous-system 64496
bgp
rapid-withdrawal
split-horizon
rapid-update vpn-ipv4 vpn-ipv6 evpn
group "internal"
peer-as 64496
neighbor 192.0.2.5
family vpn-ipv4 vpn-ipv6 evpn
exit
exit
The BGP configuration on RR-5 is as follows:
# on RR-5:
configure
router Base
autonomous-system 64496
bgp
rapid-withdrawal
split-horizon
rapid-update vpn-ipv4 vpn-ipv6 evpn
group "internal"
cluster 192.0.2.5
peer-as 64496
neighbor 192.0.2.1
family vpn-ipv4 vpn-ipv6 evpn
exit
neighbor 192.0.2.2
family vpn-ipv4 vpn-ipv6 evpn
exit
exit
The BGP configuration on ASBR-2 is as follows:
# on ASBR-2:
configure
router Base
autonomous-system 64496
bgp
enable-inter-as-vpn # required for inter-AS VPRN model B
rapid-withdrawal
split-horizon
rapid-update vpn-ipv4 vpn-ipv6 evpn
next-hop-resolution
labeled-routes
transport-tunnel
family vpn
resolution any
exit
exit
exit
exit
group "external"
type external
peer-as 64511
neighbor 192.168.23.2
family vpn-ipv4 vpn-ipv6 evpn
exit
exit
group "internal"
peer-as 64496
neighbor 192.0.2.5
family vpn-ipv4 vpn-ipv6 evpn
exit
exit
The BGP configuration on the nodes in AS 64511 is similar.
Services configuration
The following services are configured on PE-1:
# on PE-1:
configure
service
vprn 1 name "VPRN-1" customer 1 create
interface "int-test-1" create
address 10.1.1.1/24
ipv6
address 2001:db8::10:1:1:1/120
exit
sap 1/1/c10/1:1 create
exit
exit
bgp-ipvpn
mpls
auto-bind-tunnel
resolution any
exit
route-distinguisher 192.0.2.1:1
vrf-target target:64496:1
no shutdown
exit
exit
no shutdown
exit
vprn 2 name "VPRN-2" customer 1 create
interface "int-test-2" create
address 10.2.1.1/24
ipv6
address 2001:db8::10:2:1:1/120
exit
sap 1/1/c10/1:2 create
exit
exit
bgp-evpn
mpls
auto-bind-tunnel
resolution any
exit
route-distinguisher 192.0.2.1:2
vrf-target target:64496:2
no shutdown
exit
exit
no shutdown
exit
vpls 3 name "VPLS-3" customer 1 create
bgp
route-target export target:64496:3 import target:64496:3
exit
bgp-evpn
evi 3
mpls
auto-bind-tunnel
resolution any
exit
no shutdown
exit
exit
sap 1/1/c10/1:3 create
no shutdown
exit
no shutdown
exit
epipe 4 name "Epipe-4" customer 1 create
bgp
route-target export target:64496:4 import target:64496:4
exit
bgp-evpn
local-attachment-circuit PE1 create
eth-tag 1
exit
remote-attachment-circuit PE4 create
eth-tag 4
exit
evi 4
mpls
auto-bind-tunnel
resolution any
exit
no shutdown
exit
exit
sap 1/1/c10/1:4 create
description "SAP to CE-41"
no shutdown
exit
no shutdown
exit
vpls 5 name "BD-5" customer 1 create
allow-ip-int-bind
exit
bgp
route-target export target:64496:5 import target:64496:5
exit
bgp-evpn
evi 5
mpls bgp 1
auto-bind-tunnel
resolution any
exit
no shutdown
exit
exit
stp
shutdown
exit
sap 1/1/c10/1:5 create
no shutdown
exit
no shutdown
exit
ies 55 name "IES-55" customer 1 create
interface "int-BD-5" create
address 172.16.5.1/24
ipv6
address 2001:db8::16:5:1/120
exit
vpls "BD-5"
exit
exit
no shutdown
exit
The configuration of the services on PE-4 in AS 64511 is similar.
Inter-AS option B services using trusted interfaces
By default, IP interfaces are trusted. With trusted interfaces between ASBR-2 and ASBR-3, traffic can be sent from the services or the CEs connected to the services on PE-1 to the corresponding services on PE-4.
Inter-AS option B services using untrusted interfaces with default-forwarding forward option
It is possible to configure the interface from ASBR-3 to ASBR-2 as untrusted with the default-forwarding argument set to the forward option, or even without this default-forwarding argument, because the default option is forward:
# on ASBR-3:
configure
router Base
interface "int-ASBR-3-ASBR-2"
address 192.168.23.2/30
port 1/1/c2/1:1000
untrusted default-forwarding forward # default option forward
no shutdown
exit
With this configuration where packets on the untrusted interfaces are forwarded by default, it is possible to send traffic between the services on PE-1 and the services on PE-4:
*A:PE-1# ping router-instance "VPRN-1" 10.1.4.4 rapid # VPN-IPv4
PING 10.1.4.4 56 data bytes
!!!!!
---- 10.1.4.4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.29ms, avg = 2.59ms, max = 3.27ms, stddev = 0.351ms
*A:PE-1# ping router-instance "VPRN-1" 2001:db8::10:1:4:4 rapid # VPN-IPv6
PING 2001:db8::10:1:4:4 56 data bytes
!!!!!
---- 2001:db8::10:1:4:4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.29ms, avg = 2.57ms, max = 3.18ms, stddev = 0.312ms
*A:PE-1# ping router-instance "VPRN-2" 10.2.4.4 rapid # EVPN IFL
PING 10.2.4.4 56 data bytes
!!!!!
---- 10.2.4.4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.14ms, avg = 2.56ms, max = 3.20ms, stddev = 0.357ms
*A:PE-1# ping router-instance "VPRN-2" 2001:db8::10:2:4:4 rapid # EVPN IFL
PING 2001:db8::10:2:4:4 56 data bytes
!!!!!
---- 2001:db8::10:2:4:4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.19ms, avg = 2.49ms, max = 2.96ms, stddev = 0.259ms
*A:PE-1# ping router-instance "CE-31" 172.16.3.4 rapid # EVPN VPLS
PING 172.16.3.4 56 data bytes
!!!!!
---- 172.16.3.4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.86ms, avg = 3.08ms, max = 3.44ms, stddev = 0.208ms
*A:PE-1# ping router-instance "CE-31" 2001:db8::16:3:4 rapid # EVPN VPLS
PING 2001:db8::16:3:4 56 data bytes
!!!!!
---- 2001:db8::16:3:4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.91ms, avg = 3.19ms, max = 3.60ms, stddev = 0.238ms
*A:PE-1# ping router-instance "CE-41" 172.16.4.4 rapid # EVPN VPWS
PING 172.16.4.4 56 data bytes
!!!!!
---- 172.16.4.4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.84ms, avg = 3.23ms, max = 3.95ms, stddev = 0.381ms
*A:PE-1# ping router-instance "CE-41" 2001:db8::16:4:4 rapid # EVPN VPWS
PING 2001:db8::16:4:4 56 data bytes
!!!!!
---- 2001:db8::16:4:4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.62ms, avg = 2.94ms, max = 3.58ms, stddev = 0.334ms
*A:PE-1# ping router-instance "CE-51" 172.16.5.54 rapid # EVPN R-VPLS
PING 172.16.5.54 56 data bytes
!!!!!
---- 172.16.5.54 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 3.10ms, avg = 3.32ms, max = 3.45ms, stddev = 0.120ms
*A:PE-1# ping router-instance "CE-51" 2001:db8::16:5:54 rapid # EVPN R-VPLS
PING 2001:db8::16:5:54 56 data bytes
!!!!!
---- 2001:db8::16:5:54 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 3.21ms, avg = 3.41ms, max = 3.87ms, stddev = 0.241ms
All traffic is forwarded, so there is no need to configure the neighbor-trust command. If the neighbor-trust command is configured for VPN-IPv4, VPN-IPv6, EVPN, or any combination of these, this command has no effect. As an example, the neighbor-trust command is configured for the VPN-IPv4 and EVPN address families, as follows:
# on ASBR-3:
configure
router Base
bgp
neighbor-trust vpn-ipv4 evpn
The datapath forwards all traffic for the corresponding services, regardless of this neighbor-trust configuration:
*A:PE-1# ping router-instance "VPRN-1" 10.1.4.4 rapid # VPN-IPv4
PING 10.1.4.4 56 data bytes
!!!!!
---- 10.1.4.4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.00ms, avg = 2.32ms, max = 2.98ms, stddev = 0.339ms
*A:PE-1# ping router-instance "VPRN-1" 2001:db8::10:1:4:4 rapid # VPN-IPv6
PING 2001:db8::10:1:4:4 56 data bytes
!!!!!
---- 2001:db8::10:1:4:4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.08ms, avg = 2.49ms, max = 3.21ms, stddev = 0.381ms
*A:PE-1# ping router-instance "VPRN-2" 10.2.4.4 rapid # EVPN IFL
PING 10.2.4.4 56 data bytes
!!!!!
---- 10.2.4.4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.16ms, avg = 2.41ms, max = 2.99ms, stddev = 0.305ms
*A:PE-1# ping router-instance "VPRN-2" 2001:db8::10:2:4:4 rapid # EVPN IFL
PING 2001:db8::10:2:4:4 56 data bytes
!!!!!
---- 2001:db8::10:2:4:4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.14ms, avg = 2.47ms, max = 2.99ms, stddev = 0.308ms
*A:PE-1# ping router-instance "CE-31" 172.16.3.4 rapid # EVPN VPLS
PING 172.16.3.4 56 data bytes
!!!!!
---- 172.16.3.4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.87ms, avg = 3.80ms, max = 5.55ms, stddev = 0.973ms
*A:PE-1# ping router-instance "CE-31" 2001:db8::16:3:4 rapid # EVPN VPLS
PING 2001:db8::16:3:4 56 data bytes
!!!!!
---- 2001:db8::16:3:4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 3.03ms, avg = 3.30ms, max = 3.90ms, stddev = 0.306ms
*A:PE-1# ping router-instance "CE-41" 172.16.4.4 rapid # EVPN VPWS
PING 172.16.4.4 56 data bytes
!!!!!
---- 172.16.4.4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 3.05ms, avg = 3.41ms, max = 4.26ms, stddev = 0.444ms
*A:PE-1# ping router-instance "CE-41" 2001:db8::16:4:4 rapid # EVPN VPWS
PING 2001:db8::16:4:4 56 data bytes
!!!!!
---- 2001:db8::16:4:4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.63ms, avg = 3.17ms, max = 3.67ms, stddev = 0.349ms
*A:PE-1# ping router-instance "CE-51" 172.16.5.54 rapid # EVPN R-VPLS
PING 172.16.5.54 56 data bytes
!!!!!
---- 172.16.5.54 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.89ms, avg = 3.37ms, max = 3.84ms, stddev = 0.338ms
*A:PE-1# ping router-instance "CE-51" 2001:db8::16:5:54 rapid # EVPN R-VPLS
PING 2001:db8::16:5:54 56 data bytes
!!!!!
---- 2001:db8::16:5:54 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.73ms, avg = 3.11ms, max = 3.56ms, stddev = 0.284ms
When untrusted is not configured on the interface, the interface is trusted and connectivity is retained.
Inter-AS option B services using untrusted interfaces with default-forwarding drop option
The following command on ASBR-2 configures the IP interface "int-ASBR-2-ASBR-3" as untrusted with default-forwarding argument set to drop:
# on ASBR-2:
configure
router Base
interface "int-ASBR-2-ASBR-3"
address 192.168.23.1/30
port 1/1/c1/1:1000
untrusted default-forwarding drop
no shutdown
When no neighbor-trust command is configured, the datapath drops all traffic for the configured services, as follows:
*A:PE-1# ping router-instance "VPRN-1" 10.1.4.4 rapid # VPN-IPv4
PING 10.1.4.4 56 data bytes
.....
---- 10.1.4.4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "VPRN-1" 2001:db8::10:1:4:4 rapid # VPN-IPv6
PING 2001:db8::10:1:4:4 56 data bytes
.....
---- 2001:db8::10:1:4:4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "VPRN-2" 10.2.4.4 rapid # EVPN IFL
PING 10.2.4.4 56 data bytes
.....
---- 10.2.4.4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "VPRN-2" 2001:db8::10:2:4:4 rapid # EVPN IFL
PING 2001:db8::10:2:4:4 56 data bytes
.....
---- 2001:db8::10:2:4:4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "CE-31" 172.16.3.4 rapid # EVPN VPLS
PING 172.16.3.4 56 data bytes
.....
---- 172.16.3.4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "CE-31" 2001:db8::16:3:4 rapid # EVPN VPLS
PING 2001:db8::16:3:4 56 data bytes
.....
---- 2001:db8::16:3:4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "CE-41" 172.16.4.4 rapid # EVPN VPWS
PING 172.16.4.4 56 data bytes
.....
---- 172.16.4.4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "CE-41" 2001:db8::16:4:4 rapid # EVPN VPWS
PING 2001:db8::16:4:4 56 data bytes
.....
---- 2001:db8::16:4:4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "CE-51" 172.16.5.54 rapid # EVPN R-VPLS
PING 172.16.5.54 56 data bytes
.....
---- 172.16.5.54 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "CE-51" 2001:db8::16:5:54 rapid # EVPN R-VPLS
PING 2001:db8::16:5:54 56 data bytes
.....
---- 2001:db8::16:5:54 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
When neighbor-trust is configured for the VPN-IPv4 address family, the datapath allows IPv4 traffic in VPRN-1 between PE-1 and PE-4 (but not traffic for services using the other address families):
# on ASBR-2:
configure
router Base
bgp
neighbor-trust vpn-ipv4
*A:PE-1# ping router-instance "VPRN-1" 10.1.4.4 rapid # VPN-IPv4
PING 10.1.4.4 56 data bytes
!!!!!
---- 10.1.4.4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.34ms, avg = 2.57ms, max = 3.10ms, stddev = 0.274ms
*A:PE-1# ping router-instance "VPRN-1" 2001:db8::10:1:4:4 rapid # VPN-IPv6
PING 2001:db8::10:1:4:4 56 data bytes
.....
---- 2001:db8::10:1:4:4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "VPRN-2" 10.2.4.4 rapid # EVPN IFL
PING 10.2.4.4 56 data bytes
.....
---- 10.2.4.4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "VPRN-2" 2001:db8::10:2:4:4 rapid # EVPN IFL
PING 2001:db8::10:2:4:4 56 data bytes
.....
---- 2001:db8::10:2:4:4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "CE-31" 172.16.3.4 rapid # EVPN VPLS
PING 172.16.3.4 56 data bytes
.....
---- 172.16.3.4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "CE-31" 2001:db8::16:3:4 rapid # EVPN VPLS
PING 2001:db8::16:3:4 56 data bytes
---- 2001:db8::16:3:4 PING Statistics ----
5 packets transmitted, 5 packets bounced, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "CE-41" 172.16.4.4 rapid # EVPN VPWS
PING 172.16.4.4 56 data bytes
.....
---- 172.16.4.4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "CE-41" 2001:db8::16:4:4 rapid # EVPN VPWS
PING 2001:db8::16:4:4 56 data bytes
---- 2001:db8::16:4:4 PING Statistics ----
5 packets transmitted, 5 packets bounced, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "CE-51" 172.16.5.54 rapid # EVPN R-VPLS
PING 172.16.5.54 56 data bytes
.....
---- 172.16.5.54 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "CE-51" 2001:db8::16:5:54 rapid # EVPN R-VPLS
PING 2001:db8::16:5:54 56 data bytes
---- 2001:db8::16:5:54 PING Statistics ----
5 packets transmitted, 5 packets bounced, 0 packets received, 100% packet loss
When neighbor-trust is configured for the VPN-IPv4 and VPN-IPv6 address families, the datapath allows IPv4 and IPv6 traffic in VPRN-1 between PE-1 and PE-4 (but not traffic for services using the EVPN address family):
# on ASBR-2:
configure
router Base
bgp
neighbor-trust vpn-ipv4 vpn-ipv6
*A:PE-1# ping router-instance "VPRN-1" 10.1.4.4 rapid # VPN-IPv4
PING 10.1.4.4 56 data bytes
!!!!!
---- 10.1.4.4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.72ms, avg = 2.98ms, max = 3.58ms, stddev = 0.306ms
*A:PE-1# ping router-instance "VPRN-1" 2001:db8::10:1:4:4 rapid # VPN-IPv6
PING 2001:db8::10:1:4:4 56 data bytes
!!!!!
---- 2001:db8::10:1:4:4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.54ms, avg = 2.79ms, max = 3.37ms, stddev = 0.294ms
*A:PE-1# ping router-instance "VPRN-2" 10.2.4.4 rapid # EVPN IFL
PING 10.2.4.4 56 data bytes
.....
---- 10.2.4.4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "VPRN-2" 2001:db8::10:2:4:4 rapid # EVPN IFL
PING 2001:db8::10:2:4:4 56 data bytes
.....
---- 2001:db8::10:2:4:4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "CE-31" 172.16.3.4 rapid # EVPN VPLS
PING 172.16.3.4 56 data bytes
.....
---- 172.16.3.4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "CE-31" 2001:db8::16:3:4 rapid # EVPN VPLS
PING 2001:db8::16:3:4 56 data bytes
---- 2001:db8::16:3:4 PING Statistics ----
5 packets transmitted, 5 packets bounced, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "CE-41" 172.16.4.4 rapid # EVPN VPWS
PING 172.16.4.4 56 data bytes
.....
---- 172.16.4.4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "CE-41" 2001:db8::16:4:4 rapid # EVPN VPWS
PING 2001:db8::16:4:4 56 data bytes
---- 2001:db8::16:4:4 PING Statistics ----
5 packets transmitted, 5 packets bounced, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "CE-51" 172.16.5.54 rapid # EVPN R-VPLS
PING 172.16.5.54 56 data bytes
.....
---- 172.16.5.54 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "CE-51" 2001:db8::16:5:54 rapid # EVPN R-VPLS
PING 2001:db8::16:5:54 56 data bytes
---- 2001:db8::16:5:54 PING Statistics ----
5 packets transmitted, 5 packets bounced, 0 packets received, 100% packet loss
When neighbor-trust is configured for the EVPN address family only, the datapath allows traffic in VPRN-2, VPLS-3, Epipe-4, and EVPN R-VPLS BD-5 between PE-1 and PE-4, but not in IP-VPN VPRN-1 (which does not use the EVPN address family):
# on ASBR-2:
configure
router Base
bgp
neighbor-trust evpn
*A:PE-1# ping router-instance "VPRN-1" 10.1.4.4 rapid # VPN-IPv4
PING 10.1.4.4 56 data bytes
.....
---- 10.1.4.4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "VPRN-1" 2001:db8::10:1:4:4 rapid # VPN-IPv6
PING 2001:db8::10:1:4:4 56 data bytes
.....
---- 2001:db8::10:1:4:4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:PE-1# ping router-instance "VPRN-2" 10.2.4.4 rapid # EVPN IFL
PING 10.2.4.4 56 data bytes
!!!!!
---- 10.2.4.4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 1.98ms, avg = 2.35ms, max = 2.89ms, stddev = 0.343ms
*A:PE-1# ping router-instance "VPRN-2" 2001:db8::10:2:4:4 rapid # EVPN IFL
PING 2001:db8::10:2:4:4 56 data bytes
!!!!!
---- 2001:db8::10:2:4:4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.16ms, avg = 2.30ms, max = 2.78ms, stddev = 0.239ms
*A:PE-1# ping router-instance "CE-31" 172.16.3.4 rapid # EVPN VPLS
PING 172.16.3.4 56 data bytes
!!!!!
---- 172.16.3.4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.56ms, avg = 2.93ms, max = 3.52ms, stddev = 0.332ms
*A:PE-1# ping router-instance "CE-31" 2001:db8::16:3:4 rapid # EVPN VPLS
PING 2001:db8::16:3:4 56 data bytes
!!!!!
---- 2001:db8::16:3:4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.53ms, avg = 3.64ms, max = 7.28ms, stddev = 1.83ms
*A:PE-1# ping router-instance "CE-41" 172.16.4.4 rapid # EVPN VPWS
PING 172.16.4.4 56 data bytes
!!!!!
---- 172.16.4.4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.77ms, avg = 3.02ms, max = 3.48ms, stddev = 0.279ms
*A:PE-1# ping router-instance "CE-41" 2001:db8::16:4:4 rapid # EVPN VPWS
PING 2001:db8::16:4:4 56 data bytes
!!!!!
---- 2001:db8::16:4:4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.55ms, avg = 3.74ms, max = 8.13ms, stddev = 2.20ms
*A:PE-1# ping router-instance "CE-51" 172.16.5.54 rapid # EVPN R-VPLS
PING 172.16.5.54 56 data bytes
!!!!!
---- 172.16.5.54 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.82ms, avg = 3.14ms, max = 3.77ms, stddev = 0.330ms
*A:PE-1# ping router-instance "CE-51" 2001:db8::16:5:54 rapid # EVPN R-VPLS
PING 2001:db8::16:5:54 56 data bytes
!!!!!
---- 2001:db8::16:5:54 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 2.38ms, avg = 3.69ms, max = 7.19ms, stddev = 1.77ms
Inter-AS option B label security with services configured on PEs and on ASBR
BGP neighbor trust is not supported on PE-ASBRs for VPLS or Epipe services, as shown for ASBR-2 in the following example. The figure "Example topology with services on PEs and on ASBR-2" shows the topology with services on ASBR-2 as well as on the PEs.
The service configuration on ASBR-2 is similar to the service configuration on PE-1 and PE-4. Epipe-44 is an Epipe between ASBR-2 and PE-4, but the other services are the same as in the PEs. The interface between ASBR-2 and ASBR-3 remains untrusted with default-forwarding set to drop. The neighbor-trust command on ASBR-2 is configured for VPN-IPv4, VPN-IPv6, and EVPN, as follows:
# on ASBR-2:
configure
router Base
bgp
neighbor-trust vpn-ipv4 vpn-ipv6 evpn
The datapath allows traffic for the VPRN services on ASBR-2 and PE-4 (using VPN-IPv4, VPN-IPv6, or EVPN-IFL), but the traffic between the EVPN VPLS and EVPN VPWS services on ASBR-2 and PE-4 is dropped, as follows:
*A:ASBR-2# ping router-instance "VPRN-1" 10.1.4.4 rapid # VPN-IPv4
PING 10.1.4.4 56 data bytes
!!!!!
---- 10.1.4.4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 1.56ms, avg = 1.93ms, max = 2.32ms, stddev = 0.260ms
*A:ASBR-2# ping router-instance "VPRN-1" 2001:db8::10:1:4:4 rapid # VPN-IPv6
PING 2001:db8::10:1:4:4 56 data bytes
!!!!!
---- 2001:db8::10:1:4:4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 1.75ms, avg = 2.00ms, max = 2.44ms, stddev = 0.238ms
*A:ASBR-2# ping router-instance "VPRN-2" 10.2.4.4 rapid # EVPN IFL
PING 10.2.4.4 56 data bytes
!!!!!
---- 10.2.4.4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 1.79ms, avg = 2.00ms, max = 2.22ms, stddev = 0.152ms
*A:ASBR-2# ping router-instance "VPRN-2" 2001:db8::10:2:4:4 rapid # EVPN IFL
PING 2001:db8::10:2:4:4 56 data bytes
!!!!!
---- 2001:db8::10:2:4:4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 1.51ms, avg = 1.96ms, max = 2.41ms, stddev = 0.291ms
*A:ASBR-2# ping router-instance "CE-32" 172.16.3.4 rapid # EVPN VPLS
PING 172.16.3.4 56 data bytes
.....
---- 172.16.3.4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:ASBR-2# ping router-instance "CE-32" 2001:db8::16:3:4 rapid # EVPN VPLS
PING 2001:db8::16:3:4 56 data bytes
---- 2001:db8::16:3:4 PING Statistics ----
5 packets transmitted, 5 packets bounced, 0 packets received, 100% packet loss
*A:ASBR-2# ping router-instance "CE-442" 172.16.44.4 rapid # EVPN VPWS
PING 172.16.44.4 56 data bytes
.....
---- 172.16.44.4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:ASBR-2# ping router-instance "CE-442" 2001:db8::16:44:4 rapid # EVPN VPWS
PING 2001:db8::16:44:4 56 data bytes
---- 2001:db8::16:44:4 PING Statistics ----
5 packets transmitted, 5 packets bounced, 0 packets received, 100% packet loss
*A:ASBR-2# ping router-instance "CE-52" 172.16.5.54 rapid # EVPN R-VPLS
PING 172.16.5.54 56 data bytes
.....
---- 172.16.5.54 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss
*A:ASBR-2# ping router-instance "CE-52" 2001:db8::16:5:54 rapid # EVPN R-VPLS
PING 2001:db8::16:5:54 56 data bytes
---- 2001:db8::16:5:54 PING Statistics ----
5 packets transmitted, 5 packets bounced, 0 packets received, 100% packet loss
The datapath allows traffic between PE-1 and PE-4 for all services, but drops the traffic to and from the local EVPN VPLS and EVPN VPWS on the ASBR. BGP neighbor trust is not supported for EVPN-IFF routes on a PE-ASBR.
Conclusion
BGP neighbor trust prevents label spoofing in inter-AS option B for the VPN-IPv4, VPN-IPv6, and EVPN address families.