Inter-AS Option B Label Security for IP-VPN and EVPN Routes

This chapter provides information about inter-AS option B label security for IP-VPN and EVPN routes.

Topics in this chapter include:

Applicability

The information and the configuration in this chapter are based on SR OS Release 24.3.R1. Inter-AS option B label security for IP-VPN routes is supported in SR OS Release 16.0.R4, and later. Inter-AS option B label security for EVPN routes is supported in SR OS Release 23.3.R2, and later.

Overview

In inter-AS option B interconnects, the Autonomous System Border Routers (ASBRs) can filter BGP IP-VPN or BGP EVPN routes based on route target (RT). In addition, BGP neighbor trust prevents label spoofing in inter-AS option B for the VPN-IPv4, VPN-IPv6, and EVPN address families. In networks where ASBRs advertise routes to multiple peer ASBRs, an ASBR can drop packets received on IP interfaces that are configured as untrusted with the default-forwarding argument set to drop:

# on ASBR: configure router interface <..> untrusted default-forwarding drop

By default, all IP interfaces between ASBRs are trusted and the datapath allows all packets. A maximum of 15 interfaces can be configured as untrusted. The default-forwarding argument can be set to forward (the default) or to drop.

Note:

When an IP interface is configured as untrusted without the default-forwarding drop option or when the untrusted IP interface is configured with the (default) default-forwarding forward option, the datapath allows all packets and the behavior is the same as when the untrusted command is not configured.

Traffic is only dropped when the IP interface is configured with untrusted default-forwarding drop.

Table 1 (Untrusted interfaces with default-forwarding forward option allow all IP-VPN and EVPN routes) shows that the datapath allows all IP-VPN and EVPN traffic when the interface is configured as untrusted with default-forwarding set to forward. In that case, there is no need to configure neighbor-trust for VPN-IPv4, VPN-IPv6, or EVPN.

Table 1. Untrusted interfaces with default-forwarding forward option allow all IP-VPN and EVPN routes

untrusted            neighbor-trust configured        traffic allowed
configuration        VPN-IPv4  VPN-IPv6  EVPN         VPN-IPv4  VPN-IPv6  EVPN
untrusted forward    no        no        no           yes       yes       yes
untrusted forward    no        no        yes          yes       yes       yes
untrusted forward    no        yes       no           yes       yes       yes
untrusted forward    no        yes       yes          yes       yes       yes
untrusted forward    yes       no        no           yes       yes       yes
untrusted forward    yes       no        yes          yes       yes       yes
untrusted forward    yes       yes       no           yes       yes       yes
untrusted forward    yes       yes       yes          yes       yes       yes

In contrast, the datapath drops all labeled packets on untrusted IP interfaces configured with the default-forwarding drop option. To let the datapath make an exception to this default drop handling for specific Ingress Label Maps (ILMs), BGP must flag those ILMs to the datapath. The following neighbor-trust command enables this ILM forwarding exception for the VPN address families VPN-IPv4, VPN-IPv6, and EVPN:

# on ASBR: 
configure {
    router "Base" {
        bgp {
            neighbor-trust {
                vpn-ipv4 true
                vpn-ipv6 true
                evpn true

Table 2 (BGP neighbor-trust defines what traffic is allowed on untrusted interfaces with default-forwarding drop option) shows what traffic is allowed on an untrusted interface configured with the default-forwarding drop option when BGP neighbor-trust is configured for the VPN-IPv4, VPN-IPv6, or EVPN address families.

Table 2. BGP neighbor-trust defines what traffic is allowed on untrusted interfaces with default-forwarding drop option

untrusted            neighbor-trust configured        traffic allowed
configuration        VPN-IPv4  VPN-IPv6  EVPN         VPN-IPv4  VPN-IPv6  EVPN
untrusted drop       no        no        no           no        no        no
untrusted drop       no        no        yes          no        no        yes
untrusted drop       no        yes       no           no        yes       no
untrusted drop       no        yes       yes          no        yes       yes
untrusted drop       yes       no        no           yes       no        no
untrusted drop       yes       no        yes          yes       no        yes
untrusted drop       yes       yes       no           yes       yes       no
untrusted drop       yes       yes       yes          yes       yes       yes
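The rule captured by Table 1 and Table 2 can be checked against an ASBR configuration before it is committed. The following script is an added example (not Nokia's code, not part of this chapter): it parses the brace-style MD-CLI text used in the snippets on this page and reports, for every untrusted interface in router "Base", which of the VPN address families enabled on external BGP neighbors the datapath will forward or drop. The function and sample names are assumptions; the sample configuration is constructed from the ASBR-2 snippets in this chapter.

```python
# Added example (not Nokia's code): audit an SR OS MD-CLI snippet for inter-AS
# option B label security by applying the neighbor-trust rule of Table 1/Table 2.


def parse_mdcli(text):
    """Parse MD-CLI brace syntax into nested dicts.

    A block header such as 'neighbor "192.168.23.2" {' becomes a key holding a
    dict; a leaf such as 'vpn-ipv4 true' becomes key -> "true". Trailing '#'
    comments are ignored, and missing closing braces (as in the chapter's
    truncated snippets) are tolerated.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
        elif line.endswith("{"):
            header = line[:-1].strip()
            stack.append(stack[-1].setdefault(header, {}))
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    return root


def untrusted_mode(iface):
    """Return 'trusted', 'forward' or 'drop' for one router interface block."""
    untrusted = iface.get("untrusted")
    if untrusted is None:
        return "trusted"
    if not isinstance(untrusted, dict):  # 'untrusted' given without a block
        return "forward"
    return untrusted.get("default-forwarding", "forward")  # forward is the default


def external_families(bgp):
    """Address families enabled on neighbors whose group has 'type external'."""
    groups = {k.split(" ", 1)[1].strip('"'): v
              for k, v in bgp.items() if k.startswith("group ")}
    families = set()
    for key, nbr in bgp.items():
        if not key.startswith("neighbor "):
            continue
        group = groups.get(nbr.get("group", "").strip('"'), {})
        if group.get("type") == "external":
            families |= {f for f, v in nbr.get("family", {}).items() if v == "true"}
    return families


def audit(config_text):
    """Map each untrusted interface to {family: 'forward' | 'drop'}.

    Table 2 rule: with default-forwarding drop, labeled packets of a family pass
    only if neighbor-trust is true for that family. Table 1 rule: with
    default-forwarding forward, everything passes regardless of neighbor-trust.
    """
    base = parse_mdcli(config_text)["configure"]['router "Base"']
    bgp = base.get("bgp", {})
    trust = bgp.get("neighbor-trust", {})
    report = {}
    for key, iface in base.items():
        if not key.startswith("interface "):
            continue
        mode = untrusted_mode(iface)
        if mode == "trusted":
            continue
        name = key.split(" ", 1)[1].strip('"')
        report[name] = {
            fam: "forward" if mode == "forward" or trust.get(fam) == "true" else "drop"
            for fam in sorted(external_families(bgp))
        }
    return report


# Constructed sample, assembled from the ASBR-2 snippets in this chapter:
# untrusted drop on the inter-ASBR link, neighbor-trust for VPN-IPv4 only.
SAMPLE_ASBR2 = """\
configure {
    router "Base" {
        interface "int-ASBR-2-ASBR-3" {
            untrusted {
                default-forwarding drop
            }
        }
        bgp {
            inter-as-vpn true     # required for inter-AS VPRN model B
            neighbor-trust {
                vpn-ipv4 true
            }
            group "external" {
                type external
                peer-as 64511
            }
            neighbor "192.168.23.2" {
                group "external"
                family {
                    vpn-ipv4 true
                    vpn-ipv6 true
                    evpn true
                }
            }
        }
    }
}
"""

if __name__ == "__main__":
    for iface, verdict in audit(SAMPLE_ASBR2).items():
        print(iface, verdict)
```

For the sample, the report flags VPN-IPv6 and EVPN as dropped on "int-ASBR-2-ASBR-3", which is the outcome the VPN-IPv4-only neighbor-trust step in the Configuration section demonstrates with ping.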

Configuration

Inter-AS option B label security with services configured on PEs only

Figure 1 (Example topology with services on PEs) shows the example topology with the following services configured on PE-1 and PE-4:
  • BGP-IPVPN "VPRN-1"
  • BGP-EVPN "VPRN-2"
  • EVPN VPLS "VPLS-3"
  • EVPN VPWS "Epipe-4"
  • EVPN R-VPLS "BD-5" in IES "IES-55"
Figure 1. Example topology with services on PEs

Initial configuration

The initial configuration on the nodes in the example topology includes the following:
  • cards, MDAs, ports
  • router interfaces
  • IS-IS between PE-1, RR-5, and ASBR-2 in AS 64496 and between PE-4, RR-6, and ASBR-3 in AS 64511, but not between the ASBRs
  • SR-ISIS between PE-1 and ASBR-2 in AS 64496 and between PE-4 and ASBR-3 in AS 64511
  • BGP for the VPN-IPv4, VPN-IPv6, and EVPN address families:
    • IBGP in AS 64496 with route reflector RR-5 and clients PE-1 and ASBR-2
    • IBGP in AS 64511 with route reflector RR-6 and clients PE-4 and ASBR-3
    • EBGP between ASBR-2 and ASBR-3

The BGP configuration on PE-1 is as follows:

# on PE-1:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            rapid-withdrawal true
            split-horizon true
            rapid-update {
                vpn-ipv4 true
                vpn-ipv6 true
                evpn true
            }
            group "internal" {
                peer-as 64496
            }
            neighbor "192.0.2.5" {
                group "internal"
                family {
                    vpn-ipv4 true
                    vpn-ipv6 true
                    evpn true
                }
            }

The BGP configuration on RR-5 is as follows:

# on RR-5:
configure {
     router "Base" {
        autonomous-system 64496
        bgp {
            rapid-withdrawal true
            split-horizon true
            rapid-update {
                vpn-ipv4 true
                vpn-ipv6 true
                evpn true
            }
            group "internal" {
                peer-as 64496
                cluster {
                    cluster-id 192.0.2.5
                }
            }
            neighbor "192.0.2.1" {
                group "internal"
                family {
                    vpn-ipv4 true
                    vpn-ipv6 true
                    evpn true
                }
            }
            neighbor "192.0.2.2" {
                group "internal"
                family {
                    vpn-ipv4 true
                    vpn-ipv6 true
                    evpn true
                }
            }

The BGP configuration on ASBR-2 is as follows:

# on ASBR-2:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            inter-as-vpn true     # required for inter-AS VPRN model B
            rapid-withdrawal true
            split-horizon true
            rapid-update {
                vpn-ipv4 true
                vpn-ipv6 true
                evpn true
            }
            next-hop-resolution {
                labeled-routes {
                    transport-tunnel {
                        family vpn {
                            resolution any
                        }
                    }
                }
            }
            group "external" {
                ebgp-default-reject-policy {
                    import false
                    export false
                }
                type external
                peer-as 64511
            }
            group "internal" {
                peer-as 64496
            }
            neighbor "192.0.2.5" {
                group "internal"
                family {
                    vpn-ipv4 true
                    vpn-ipv6 true
                    evpn true
                }
            }
            neighbor "192.168.23.2" {
                group "external"
                family {
                    vpn-ipv4 true
                    vpn-ipv6 true
                    evpn true
                }
            }

The BGP configuration on the nodes in AS 64511 is similar.

Services configuration

The following services are configured on PE-1:

# on PE-1:
configure {
    service {
        vprn "VPRN-1" {
            admin-state enable
            service-id 1
            customer "1"
            bgp-ipvpn {
                mpls {
                    admin-state enable
                    route-distinguisher "192.0.2.1:1"
                    vrf-target {
                        community "target:64496:1"
                    }
                    auto-bind-tunnel {
                        resolution any
                    }
                }
            }
            interface "int-test-1" {
                ipv4 {
                    primary {
                        address 10.1.1.1
                        prefix-length 24
                    }
                }
                sap 1/1/c10/1:1 {
                }
                ipv6 {
                    address 2001:db8::10:1:1:1 {
                        prefix-length 120
                    }
                }
            }
        }
        vprn "VPRN-2" {
            admin-state enable
            service-id 2
            customer "1"
            bgp-evpn {
                mpls 1 {
                    admin-state enable
                    route-distinguisher "192.0.2.1:2"
                    vrf-target {
                        community "target:64496:2"
                    }
                    auto-bind-tunnel {
                        resolution any
                    }
                }
            }
            interface "int-test-2" {
                ipv4 {
                    primary {
                        address 10.2.1.1
                        prefix-length 24
                    }
                }
                sap 1/1/c10/1:2 {
                }
                ipv6 {
                    address 2001:db8::10:2:1:1 {
                        prefix-length 120
                    }
                }
            }
        }
        vpls "VPLS-3" {
            admin-state enable
            service-id 3
            customer "1"
            bgp 1 {
                route-target {
                    export "target:64496:3"
                    import "target:64496:3"
                }
            }
            bgp-evpn {
                evi 3
                mpls 1 {
                    admin-state enable
                    auto-bind-tunnel {
                        resolution any
                    }
                }
            }
            sap 1/1/c10/1:3 {
            }
        }
        epipe "Epipe-4" {
            admin-state enable
            service-id 4
            customer "1"
            bgp 1 {
                route-target {
                    export "target:64496:4"
                    import "target:64496:4"
                }
            }
            sap 1/1/c10/1:4 {
                description "SAP to CE-41"
            }
            bgp-evpn {
                evi 4
                local-attachment-circuit "PE1" {
                    eth-tag 1
                }
                remote-attachment-circuit "PE4" {
                    eth-tag 4
                }
                mpls 1 {
                    admin-state enable
                    auto-bind-tunnel {
                        resolution any
                    }
                }
            }
        }
        vpls "BD-5" {
            admin-state enable
            service-id 5
            customer "1"
            routed-vpls {
            }
            bgp 1 {
                route-target {
                    export "target:64496:5"
                    import "target:64496:5"
                }
            }
            bgp-evpn {
                evi 5
                mpls 1 {
                    admin-state enable
                    auto-bind-tunnel {
                        resolution any
                    }
                }
            }
            sap 1/1/c10/1:5 {
            }
        }
        ies "IES-55" {
            admin-state enable
            service-id 55
            customer "1"
            interface "int-BD-5" {
                vpls "BD-5" {
                }
                ipv4 {
                    primary {
                        address 172.16.5.1
                        prefix-length 24
                    }
                }
                ipv6 {
                    address 2001:db8::16:5:1 {
                        prefix-length 120
                    }
                }
            }
        }

The configuration of the services on PE-4 in AS 64511 is similar.

Inter-AS option B services using trusted interfaces

By default, IP interfaces are trusted. With trusted interfaces between ASBR-2 and ASBR-3, traffic can be sent from the services or the CEs connected to the services on PE-1 to the corresponding services on PE-4.

Inter-AS option B services using untrusted interfaces with default-forwarding forward option

It is possible to configure the interface from ASBR-3 to ASBR-2 as untrusted with the default-forwarding argument set to the forward option, or even without this default-forwarding argument, because the default option is forward:

# on ASBR-3:
configure {
    router "Base" {
        interface "int-ASBR-3-ASBR-2" {
            port 1/1/c2/1:1000
            ipv4 {
                primary {
                    address 192.168.23.2
                    prefix-length 30
                }
            }
            untrusted {
                default-forwarding forward
            }

With this configuration where packets on the untrusted interfaces are forwarded by default, it is possible to send traffic between the services on PE-1 and the services on PE-4:

[/]
A:admin@PE-1# ping 10.1.4.4 router-instance "VPRN-1" count 1
PING 10.1.4.4 56 data bytes
64 bytes from 10.1.4.4: icmp_seq=1 ttl=64 time=2.84ms.

---- 10.1.4.4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 2.84ms, avg = 2.84ms, max = 2.84ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 2001:db8::10:1:4:4 router-instance "VPRN-1" count 1
PING 2001:db8::10:1:4:4 56 data bytes
64 bytes from 2001:db8::10:1:4:4 icmp_seq=1 hlim=64 time=2.85ms.

---- 2001:db8::10:1:4:4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 2.85ms, avg = 2.85ms, max = 2.85ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 10.2.4.4 router-instance "VPRN-2" count 1
PING 10.2.4.4 56 data bytes
64 bytes from 10.2.4.4: icmp_seq=1 ttl=64 time=2.72ms.

---- 10.2.4.4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 2.72ms, avg = 2.72ms, max = 2.72ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 2001:db8::10:2:4:4 router-instance "VPRN-2" count 1
PING 2001:db8::10:2:4:4 56 data bytes
64 bytes from 2001:db8::10:2:4:4 icmp_seq=1 hlim=64 time=2.96ms.

---- 2001:db8::10:2:4:4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 2.96ms, avg = 2.96ms, max = 2.96ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 172.16.3.4 router-instance "CE-31" count 1
PING 172.16.3.4 56 data bytes
64 bytes from 172.16.3.4: icmp_seq=1 ttl=64 time=4.09ms.

---- 172.16.3.4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 4.09ms, avg = 4.09ms, max = 4.09ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 2001:db8::16:3:4 router-instance "CE-31" count 1
PING 2001:db8::16:3:4 56 data bytes
64 bytes from 2001:db8::16:3:4 icmp_seq=1 hlim=64 time=3.81ms.

---- 2001:db8::16:3:4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.81ms, avg = 3.81ms, max = 3.81ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 172.16.4.4 router-instance "CE-41" count 1
PING 172.16.4.4 56 data bytes
64 bytes from 172.16.4.4: icmp_seq=1 ttl=64 time=3.67ms.

---- 172.16.4.4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.67ms, avg = 3.67ms, max = 3.67ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 2001:db8::16:4:4 router-instance "CE-41" count 1
PING 2001:db8::16:4:4 56 data bytes
64 bytes from 2001:db8::16:4:4 icmp_seq=1 hlim=64 time=3.62ms.

---- 2001:db8::16:4:4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.62ms, avg = 3.62ms, max = 3.62ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 172.16.5.54 router-instance "CE-51" count 1
PING 172.16.5.54 56 data bytes
64 bytes from 172.16.5.54: icmp_seq=1 ttl=64 time=4.04ms.

---- 172.16.5.54 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 4.04ms, avg = 4.04ms, max = 4.04ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 2001:db8::16:5:54 router-instance "CE-51" count 1
PING 2001:db8::16:5:54 56 data bytes
64 bytes from 2001:db8::16:5:54 icmp_seq=1 hlim=64 time=3.91ms.

---- 2001:db8::16:5:54 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.91ms, avg = 3.91ms, max = 3.91ms, stddev = 0.000ms

All traffic is forwarded, so there is no need to configure the neighbor-trust command. If the neighbor-trust command is configured for VPN-IPv4, VPN-IPv6, EVPN, or any combination of these, this command has no effect. As an example, the neighbor-trust command is configured for the VPN-IPv4 and EVPN address families, as follows:

# on ASBR-3:
configure {
    router "Base" {
        bgp {
            neighbor-trust {
                vpn-ipv4 true
                vpn-ipv6 false
                evpn true
 

The datapath forwards all traffic for the corresponding services, regardless of this neighbor-trust configuration:

[/]
A:admin@PE-1# ping 10.1.4.4 router-instance "VPRN-1" count 1      # VPN-IPv4
PING 10.1.4.4 56 data bytes
64 bytes from 10.1.4.4: icmp_seq=1 ttl=64 time=2.84ms.

---- 10.1.4.4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 2.84ms, avg = 2.84ms, max = 2.84ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 2001:db8::10:1:4:4 router-instance "VPRN-1" count 1
PING 2001:db8::10:1:4:4 56 data bytes
64 bytes from 2001:db8::10:1:4:4 icmp_seq=1 hlim=64 time=3.13ms.

---- 2001:db8::10:1:4:4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.13ms, avg = 3.13ms, max = 3.13ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 10.2.4.4 router-instance "VPRN-2" count 1     # EVPN IFL
PING 10.2.4.4 56 data bytes
64 bytes from 10.2.4.4: icmp_seq=1 ttl=64 time=2.54ms.

---- 10.2.4.4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 2.54ms, avg = 2.54ms, max = 2.54ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 2001:db8::10:2:4:4 router-instance "VPRN-2" count 1
PING 2001:db8::10:2:4:4 56 data bytes
64 bytes from 2001:db8::10:2:4:4 icmp_seq=1 hlim=64 time=2.78ms.

---- 2001:db8::10:2:4:4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 2.78ms, avg = 2.78ms, max = 2.78ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 172.16.3.4 router-instance "CE-31" count 1   # EVPN VPLS
PING 172.16.3.4 56 data bytes
64 bytes from 172.16.3.4: icmp_seq=1 ttl=64 time=3.75ms.

---- 172.16.3.4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.75ms, avg = 3.75ms, max = 3.75ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 2001:db8::16:3:4 router-instance "CE-31" count 1
PING 2001:db8::16:3:4 56 data bytes
64 bytes from 2001:db8::16:3:4 icmp_seq=1 hlim=64 time=3.68ms.

---- 2001:db8::16:3:4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.68ms, avg = 3.68ms, max = 3.68ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 172.16.4.4 router-instance "CE-41" count 1   # EVPN VPWS
PING 172.16.4.4 56 data bytes
64 bytes from 172.16.4.4: icmp_seq=1 ttl=64 time=3.69ms.

---- 172.16.4.4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.69ms, avg = 3.69ms, max = 3.69ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 2001:db8::16:4:4 router-instance "CE-41" count 1
PING 2001:db8::16:4:4 56 data bytes
64 bytes from 2001:db8::16:4:4 icmp_seq=1 hlim=64 time=3.50ms.

---- 2001:db8::16:4:4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.50ms, avg = 3.50ms, max = 3.50ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 172.16.5.54 router-instance "CE-51" count 1  # EVPN R-VPLS
PING 172.16.5.54 56 data bytes
64 bytes from 172.16.5.54: icmp_seq=1 ttl=64 time=3.63ms.

---- 172.16.5.54 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.63ms, avg = 3.63ms, max = 3.63ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 2001:db8::16:5:54 router-instance "CE-51" count 1
PING 2001:db8::16:5:54 56 data bytes
64 bytes from 2001:db8::16:5:54 icmp_seq=1 hlim=64 time=3.68ms.

---- 2001:db8::16:5:54 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.68ms, avg = 3.68ms, max = 3.68ms, stddev = 0.000ms

When untrusted is deleted from the interface (delete untrusted), the interface is trusted again and connectivity remains.

Inter-AS option B services using untrusted interfaces with default-forwarding drop option

The following command on ASBR-2 configures the IP interface "int-ASBR-2-ASBR-3" as untrusted with the default-forwarding argument set to drop:

# on ASBR-2:
configure {
    router "Base" {
        interface "int-ASBR-2-ASBR-3" {
            port 1/1/c1/1:1000
            ipv4 {
                primary {
                    address 192.168.23.1
                    prefix-length 30
                }
            }
            untrusted {
                default-forwarding drop
            }

When no neighbor-trust command is configured, the datapath drops all traffic for the configured services, as follows:

[/]
A:admin@PE-1# ping 10.1.4.4 router-instance "VPRN-1" count 1       # VPN-IPv4
PING 10.1.4.4 56 data bytes
Request timed out. icmp_seq=1.

---- 10.1.4.4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 2001:db8::10:1:4:4 router-instance "VPRN-1" count 1
PING 2001:db8::10:1:4:4 56 data bytes
Request timed out. icmp_seq=1.

---- 2001:db8::10:1:4:4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 10.2.4.4 router-instance "VPRN-2" count 1       # EVPN IFL
PING 10.2.4.4 56 data bytes
Request timed out. icmp_seq=1.

---- 10.2.4.4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 2001:db8::10:2:4:4 router-instance "VPRN-2" count 1
PING 2001:db8::10:2:4:4 56 data bytes
Request timed out. icmp_seq=1.

---- 2001:db8::10:2:4:4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 172.16.3.4 router-instance "CE-31" count 1     # EVPN VPLS
PING 172.16.3.4 56 data bytes
Request timed out. icmp_seq=1.

---- 172.16.3.4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 2001:db8::16:3:4 router-instance "CE-31" count 1
PING 2001:db8::16:3:4 56 data bytes
112 bytes from 2001:db8::16:3:1 Address unreachable
VR CLS   LEN NXT HLIM SRC
 6  00    64  58   64 2001:db8::16:3:1
                      DST
                      2001:db8::16:3:4
ICMP6: Echo request

---- 2001:db8::16:3:4 PING Statistics ----
1 packet transmitted, 1 packet bounced, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 172.16.4.4 router-instance "CE-41" count 1     # EVPN VPWS
PING 172.16.4.4 56 data bytes
Request timed out. icmp_seq=1.

---- 172.16.4.4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 2001:db8::16:4:4 router-instance "CE-41" count 1
PING 2001:db8::16:4:4 56 data bytes
112 bytes from 2001:db8::16:4:1 Address unreachable
VR CLS   LEN NXT HLIM SRC
 6  00    64  58   64 2001:db8::16:4:1
                      DST
                      2001:db8::16:4:4
ICMP6: Echo request

---- 2001:db8::16:4:4 PING Statistics ----
1 packet transmitted, 1 packet bounced, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 172.16.5.54 router-instance "CE-51" count 1  # EVPN R-VPLS
PING 172.16.5.54 56 data bytes
Request timed out. icmp_seq=1.

---- 172.16.5.54 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 2001:db8::16:5:54 router-instance "CE-51" count 1
PING 2001:db8::16:5:54 56 data bytes
112 bytes from 2001:db8::16:5:51 Address unreachable
VR CLS   LEN NXT HLIM SRC
 6  00    64  58   64 2001:db8::16:5:51
                      DST
                      2001:db8::16:5:54
ICMP6: Echo request

---- 2001:db8::16:5:54 PING Statistics ----
1 packet transmitted, 1 packet bounced, 0 packets received, 100% packet loss

When neighbor-trust is configured for the VPN-IPv4 address family, the datapath allows IPv4 traffic in VPRN-1 between PE-1 and PE-4 (but not traffic for services using the other address families):

# on ASBR-2:
configure {
    router "Base" {
        bgp {
            neighbor-trust {
                vpn-ipv4 true
            }

[/]
A:admin@PE-1# ping 10.1.4.4 router-instance "VPRN-1" count 1       # VPN-IPv4
PING 10.1.4.4 56 data bytes
64 bytes from 10.1.4.4: icmp_seq=1 ttl=64 time=2.77ms.

---- 10.1.4.4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 2.77ms, avg = 2.77ms, max = 2.77ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 2001:db8::10:1:4:4 router-instance "VPRN-1" count 1
PING 2001:db8::10:1:4:4 56 data bytes
Request timed out. icmp_seq=1.

---- 2001:db8::10:1:4:4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 10.2.4.4 router-instance "VPRN-2" count 1       # EVPN IFL
PING 10.2.4.4 56 data bytes
Request timed out. icmp_seq=1.

---- 10.2.4.4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 2001:db8::10:2:4:4 router-instance "VPRN-2" count 1
PING 2001:db8::10:2:4:4 56 data bytes
Request timed out. icmp_seq=1.

---- 2001:db8::10:2:4:4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 172.16.3.4 router-instance "CE-31" count 1     # EVPN VPLS
PING 172.16.3.4 56 data bytes
Request timed out. icmp_seq=1.

---- 172.16.3.4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 2001:db8::16:3:4 router-instance "CE-31" count 1
PING 2001:db8::16:3:4 56 data bytes
112 bytes from 2001:db8::16:3:1 Address unreachable
VR CLS   LEN NXT HLIM SRC
 6  00    64  58   64 2001:db8::16:3:1
                      DST
                      2001:db8::16:3:4
ICMP6: Echo request

---- 2001:db8::16:3:4 PING Statistics ----
1 packet transmitted, 1 packet bounced, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 172.16.4.4 router-instance "CE-41" count 1     # EVPN VPWS
PING 172.16.4.4 56 data bytes
Request timed out. icmp_seq=1.

---- 172.16.4.4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 172.16.5.54 router-instance "CE-51" count 1  # EVPN R-VPLS
PING 172.16.5.54 56 data bytes
Request timed out. icmp_seq=1.

---- 172.16.5.54 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 2001:db8::16:5:54 router-instance "CE-51" count 1
PING 2001:db8::16:5:54 56 data bytes
112 bytes from 2001:db8::16:5:51 Address unreachable
VR CLS   LEN NXT HLIM SRC
 6  00    64  58   64 2001:db8::16:5:51
                      DST
                      2001:db8::16:5:54
ICMP6: Echo request

---- 2001:db8::16:5:54 PING Statistics ----
1 packet transmitted, 1 packet bounced, 0 packets received, 100% packet loss

When neighbor-trust is configured for the VPN-IPv4 and VPN-IPv6 address families, the datapath allows IPv4 and IPv6 traffic in VPRN-1 between PE-1 and PE-4 (but not traffic for services using the EVPN address family):

# on ASBR-2:
configure {
    router "Base" {
        bgp {
            neighbor-trust {
                vpn-ipv4 true
                vpn-ipv6 true
            }

[/]
A:admin@PE-1# ping 10.1.4.4 router-instance "VPRN-1" count 1       # VPN-IPv4
PING 10.1.4.4 56 data bytes
64 bytes from 10.1.4.4: icmp_seq=1 ttl=64 time=2.78ms.

---- 10.1.4.4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 2.78ms, avg = 2.78ms, max = 2.78ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 2001:db8::10:1:4:4 router-instance "VPRN-1" count 1
PING 2001:db8::10:1:4:4 56 data bytes
64 bytes from 2001:db8::10:1:4:4 icmp_seq=1 hlim=64 time=2.92ms.

---- 2001:db8::10:1:4:4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 2.92ms, avg = 2.92ms, max = 2.92ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 10.2.4.4 router-instance "VPRN-2" count 1       # EVPN IFL
PING 10.2.4.4 56 data bytes
Request timed out. icmp_seq=1.

---- 10.2.4.4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 2001:db8::10:2:4:4 router-instance "VPRN-2" count 1
PING 2001:db8::10:2:4:4 56 data bytes
Request timed out. icmp_seq=1.

---- 2001:db8::10:2:4:4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 172.16.3.4 router-instance "CE-31" count 1     # EVPN VPLS
PING 172.16.3.4 56 data bytes
Request timed out. icmp_seq=1.

---- 172.16.3.4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 2001:db8::16:3:4 router-instance "CE-31" count 1    
PING 2001:db8::16:3:4 56 data bytes
112 bytes from 2001:db8::16:3:1 Address unreachable
VR CLS   LEN NXT HLIM SRC
 6  00    64  58   64 2001:db8::16:3:1
                      DST
                      2001:db8::16:3:4
ICMP6: Echo request

---- 2001:db8::16:3:4 PING Statistics ----
1 packet transmitted, 1 packet bounced, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 172.16.4.4 router-instance "CE-41" count 1     # EVPN VPWS
PING 172.16.4.4 56 data bytes
Request timed out. icmp_seq=1.

---- 172.16.4.4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 2001:db8::16:4:4 router-instance "CE-41" count 1
PING 2001:db8::16:4:4 56 data bytes
112 bytes from 2001:db8::16:4:1 Address unreachable
VR CLS   LEN NXT HLIM SRC
 6  00    64  58   64 2001:db8::16:4:1
                      DST
                      2001:db8::16:4:4
ICMP6: Echo request

---- 2001:db8::16:4:4 PING Statistics ----
1 packet transmitted, 1 packet bounced, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 172.16.5.54 router-instance "CE-51" count 1  # EVPN R-VPLS
PING 172.16.5.54 56 data bytes
Request timed out. icmp_seq=1.

---- 172.16.5.54 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 2001:db8::16:5:54 router-instance "CE-51" count 1
PING 2001:db8::16:5:54 56 data bytes
112 bytes from 2001:db8::16:5:51 Address unreachable
VR CLS   LEN NXT HLIM SRC
 6  00    64  58   64 2001:db8::16:5:51
                      DST
                      2001:db8::16:5:54
ICMP6: Echo request

---- 2001:db8::16:5:54 PING Statistics ----
1 packet transmitted, 1 packet bounced, 0 packets received, 100% packet loss

When neighbor-trust is configured for the EVPN address family only, the datapath allows traffic in VPRN-2, VPLS-3, Epipe-4, and EVPN R-VPLS BD-5 between PE-1 and PE-4, but not in IP-VPN VPRN-1 (which does not use the EVPN address family):

# on ASBR-2:
configure {
    router "Base" {
        bgp {
            neighbor-trust {
                vpn-ipv4 false
                vpn-ipv6 false
                evpn true
            }

[/]
A:admin@PE-1# ping 10.1.4.4 router-instance "VPRN-1" count 1       # VPN-IPv4
PING 10.1.4.4 56 data bytes
Request timed out. icmp_seq=1.

---- 10.1.4.4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 2001:db8::10:1:4:4 router-instance "VPRN-1" count 1
PING 2001:db8::10:1:4:4 56 data bytes
Request timed out. icmp_seq=1.

---- 2001:db8::10:1:4:4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 10.2.4.4 router-instance "VPRN-2" count 1       # EVPN IFL
PING 10.2.4.4 56 data bytes
64 bytes from 10.2.4.4: icmp_seq=1 ttl=64 time=3.00ms.

---- 10.2.4.4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.00ms, avg = 3.00ms, max = 3.00ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 2001:db8::10:2:4:4 router-instance "VPRN-2" count 1
PING 2001:db8::10:2:4:4 56 data bytes
64 bytes from 2001:db8::10:2:4:4 icmp_seq=1 hlim=64 time=2.75ms.

---- 2001:db8::10:2:4:4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 2.75ms, avg = 2.75ms, max = 2.75ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 172.16.3.4 router-instance "CE-31" count 1     # EVPN VPLS
PING 172.16.3.4 56 data bytes
64 bytes from 172.16.3.4: icmp_seq=1 ttl=64 time=3.89ms.

---- 172.16.3.4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.89ms, avg = 3.89ms, max = 3.89ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 2001:db8::16:3:4 router-instance "CE-31" count 1 
PING 2001:db8::16:3:4 56 data bytes
64 bytes from 2001:db8::16:3:4 icmp_seq=1 hlim=64 time=3.95ms.

---- 2001:db8::16:3:4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.95ms, avg = 3.95ms, max = 3.95ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 172.16.4.4 router-instance "CE-41" count 1     # EVPN VPWS
PING 172.16.4.4 56 data bytes
64 bytes from 172.16.4.4: icmp_seq=1 ttl=64 time=3.87ms.

---- 172.16.4.4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.87ms, avg = 3.87ms, max = 3.87ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 2001:db8::16:4:4 router-instance "CE-41" count 1  
PING 2001:db8::16:4:4 56 data bytes
64 bytes from 2001:db8::16:4:4 icmp_seq=1 hlim=64 time=3.86ms.

---- 2001:db8::16:4:4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.86ms, avg = 3.86ms, max = 3.86ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 172.16.5.54 router-instance "CE-51" count 1  # EVPN R-VPLS
PING 172.16.5.54 56 data bytes
64 bytes from 172.16.5.54: icmp_seq=1 ttl=64 time=3.88ms.

---- 172.16.5.54 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.88ms, avg = 3.88ms, max = 3.88ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 2001:db8::16:5:54 router-instance "CE-51" count 1
PING 2001:db8::16:5:54 56 data bytes
64 bytes from 2001:db8::16:5:54 icmp_seq=1 hlim=64 time=3.70ms.

---- 2001:db8::16:5:54 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.70ms, avg = 3.70ms, max = 3.70ms, stddev = 0.000ms

Inter-AS option B label security with services configured on PEs and on ASBR

BGP neighbor trust is not supported on PE-ASBRs for VPLS or Epipe services, as shown for ASBR-2 in the following example. Figure 2 (Example topology with services on PEs and on ASBR-2) shows the topology with services on ASBR-2 as well as on the PEs.

Figure 2. Example topology with services on PEs and on ASBR-2

The service configuration on ASBR-2 is similar to the service configuration on PE-1 and PE-4. Epipe-44 is an Epipe between ASBR-2 and PE-4, but the other services are the same as in the PEs. The interface between ASBR-2 and ASBR-3 remains untrusted with default-forwarding set to drop. The neighbor-trust command on ASBR-2 is configured for VPN-IPv4, VPN-IPv6, and EVPN, as follows:

# on ASBR-2:
configure {
    router "Base" {
        bgp {
            neighbor-trust {
                vpn-ipv4 true
                vpn-ipv6 true
                evpn true
            }

The datapath allows traffic for the VPRN services on ASBR-2 and PE-4 (using VPN-IPv4, VPN-IPv6, or EVPN-IFL), but the traffic between the EVPN VPLS, EVPN VPWS, and EVPN R-VPLS services on ASBR-2 and PE-4 is dropped, as the following pings from ASBR-2 show:

[/]
A:admin@ASBR-2# ping 10.1.4.4 router-instance "VPRN-1" count 1       # VPN-IPv4
PING 10.1.4.4 56 data bytes
64 bytes from 10.1.4.4: icmp_seq=1 ttl=64 time=2.66ms.

---- 10.1.4.4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 2.66ms, avg = 2.66ms, max = 2.66ms, stddev = 0.000ms

[/]
A:admin@ASBR-2# ping 2001:db8::10:1:4:4 router-instance "VPRN-1" count 1
PING 2001:db8::10:1:4:4 56 data bytes
64 bytes from 2001:db8::10:1:4:4 icmp_seq=1 hlim=64 time=2.27ms.

---- 2001:db8::10:1:4:4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 2.27ms, avg = 2.27ms, max = 2.27ms, stddev = 0.000ms

[/]
A:admin@ASBR-2# ping 10.2.4.4 router-instance "VPRN-2" count 1        # EVPN IFL
PING 10.2.4.4 56 data bytes
64 bytes from 10.2.4.4: icmp_seq=1 ttl=64 time=2.42ms.

---- 10.2.4.4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 2.42ms, avg = 2.42ms, max = 2.42ms, stddev = 0.000ms

[/]
A:admin@ASBR-2# ping 2001:db8::10:2:4:4 router-instance "VPRN-2" count 1
PING 2001:db8::10:2:4:4 56 data bytes
64 bytes from 2001:db8::10:2:4:4 icmp_seq=1 hlim=64 time=2.31ms.

---- 2001:db8::10:2:4:4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 2.31ms, avg = 2.31ms, max = 2.31ms, stddev = 0.000ms

[/]
A:admin@ASBR-2# ping 172.16.3.4 router-instance "CE-32" count 1      # EVPN VPLS
PING 172.16.3.4 56 data bytes
Request timed out. icmp_seq=1.

---- 172.16.3.4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@ASBR-2# ping 2001:db8::16:3:4 router-instance "CE-32" count 1     
PING 2001:db8::16:3:4 56 data bytes
112 bytes from 2001:db8::16:3:2 Address unreachable
VR CLS   LEN NXT HLIM SRC
 6  00    64  58   64 2001:db8::16:3:2
                      DST
                      2001:db8::16:3:4
ICMP6: Echo request

---- 2001:db8::16:3:4 PING Statistics ----
1 packet transmitted, 1 packet bounced, 0 packets received, 100% packet loss

[/]
A:admin@ASBR-2# ping 172.16.44.4 router-instance "CE-442" count 1    # EVPN VPWS
PING 172.16.44.4 56 data bytes
Request timed out. icmp_seq=1.

---- 172.16.44.4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@ASBR-2# ping 2001:db8::16:44:4 router-instance "CE-442" count 1
PING 2001:db8::16:44:4 56 data bytes
112 bytes from 2001:db8::16:44:2 Address unreachable
VR CLS   LEN NXT HLIM SRC
 6  00    64  58   64 2001:db8::16:44:2
                      DST
                      2001:db8::16:44:4
ICMP6: Echo request

---- 2001:db8::16:44:4 PING Statistics ----
1 packet transmitted, 1 packet bounced, 0 packets received, 100% packet loss

[/]
A:admin@ASBR-2# ping 172.16.5.54 router-instance "CE-52" count 1   # EVPN R-VPLS
PING 172.16.5.54 56 data bytes
Request timed out. icmp_seq=1.

---- 172.16.5.54 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@ASBR-2# ping 2001:db8::16:5:54 router-instance "CE-52" count 1
PING 2001:db8::16:5:54 56 data bytes
112 bytes from 2001:db8::16:5:52 Address unreachable
VR CLS   LEN NXT HLIM SRC
 6  00    64  58   64 2001:db8::16:5:52
                      DST
                      2001:db8::16:5:54
ICMP6: Echo request

---- 2001:db8::16:5:54 PING Statistics ----
1 packet transmitted, 1 packet bounced, 0 packets received, 100% packet loss

The datapath allows traffic between PE-1 and PE-4 for all services, but drops the traffic to and from the EVPN VPLS, EVPN VPWS, and EVPN R-VPLS services that are local to the ASBR. BGP neighbor trust is not supported for EVPN-IFF routes on a PE-ASBR.
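As an added example (not SR OS code or configuration from this chapter), the following Python script parses ping output in the format shown on this page and checks it against a small model of the neighbor-trust behavior shown in the two preceding sections: with neighbor-trust enabled for EVPN only, only the EVPN-based services between the PEs pass, and with services on the PE-ASBR, the local VPLS, VPWS, and R-VPLS services are dropped even when all three address families are trusted. The service-to-family table, the function names, and the sample output are assumptions constructed for this example; the decision model is derived from the text of this page, not from SR OS internals.

```python
import re

# Constructed sample in the format of the SR OS "ping ... router-instance" output on this
# page, taken from the scenario where neighbor-trust is enabled for the EVPN family only.
SAMPLE_OUTPUT = """\
[/]
A:admin@PE-1# ping 10.1.4.4 router-instance "VPRN-1" count 1       # VPN-IPv4
PING 10.1.4.4 56 data bytes
Request timed out. icmp_seq=1.

---- 10.1.4.4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 2001:db8::10:1:4:4 router-instance "VPRN-1" count 1
PING 2001:db8::10:1:4:4 56 data bytes
Request timed out. icmp_seq=1.

---- 2001:db8::10:1:4:4 PING Statistics ----
1 packet transmitted, 0 packets received, 100% packet loss

[/]
A:admin@PE-1# ping 10.2.4.4 router-instance "VPRN-2" count 1       # EVPN IFL
PING 10.2.4.4 56 data bytes
64 bytes from 10.2.4.4: icmp_seq=1 ttl=64 time=3.00ms.

---- 10.2.4.4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
round-trip min = 3.00ms, avg = 3.00ms, max = 3.00ms, stddev = 0.000ms

[/]
A:admin@PE-1# ping 2001:db8::16:3:4 router-instance "CE-31" count 1
PING 2001:db8::16:3:4 56 data bytes
64 bytes from 2001:db8::16:3:4 icmp_seq=1 hlim=64 time=3.95ms.

---- 2001:db8::16:3:4 PING Statistics ----
1 packet transmitted, 1 packet received, 0.00% packet loss
"""

PING_CMD = re.compile(r'# ping (\S+) router-instance "([^"]+)"')
STATS = re.compile(r"(\d+) packets? transmitted, .*?(\d+) packets? received")


def parse_ping_results(text):
    """Return {(router_instance, target): packets_received} from SR OS ping output."""
    results = {}
    current = None
    for line in text.splitlines():
        cmd = PING_CMD.search(line)
        if cmd:
            current = (cmd.group(2), cmd.group(1))  # (instance, target) of the running ping
            continue
        stats = STATS.search(line)
        if stats and current:
            results[current] = int(stats.group(2))
            current = None
    return results


# Which BGP address family carries each service's routes, and the service kind.
# Assumption: names follow the topology used in this chapter's examples.
SERVICES = {
    "VPRN-1": ("vpn-ip", "vprn"),   # IP-VPN: VPN-IPv4 for IPv4 targets, VPN-IPv6 for IPv6
    "VPRN-2": ("evpn", "vprn"),     # EVPN-IFL
    "CE-31": ("evpn", "vpls"),
    "CE-41": ("evpn", "vpws"),
    "CE-51": ("evpn", "r-vpls"),
}


def route_family(instance, target):
    family, _kind = SERVICES[instance]
    if family == "vpn-ip":
        return "vpn-ipv6" if ":" in target else "vpn-ipv4"
    return family


def expected_forwarding(neighbor_trust, instance, target,
                        untrusted_drop=True, service_on_asbr=False):
    """Model of the ASBR datapath decision described on this page (an assumption).

    neighbor_trust:  {"vpn-ipv4": bool, "vpn-ipv6": bool, "evpn": bool} as on the ASBR
    untrusted_drop:  the ASBR-ASBR interface is 'untrusted default-forwarding drop'
    service_on_asbr: the service terminates on the PE-ASBR itself
    """
    if not untrusted_drop:
        return True   # trusted, or untrusted with default-forwarding forward: all traffic passes
    family = route_family(instance, target)
    if not neighbor_trust.get(family, False):
        return False  # labels learned via an untrusted family from this neighbor are dropped
    _family, kind = SERVICES[instance]
    if service_on_asbr and family == "evpn" and kind != "vprn":
        return False  # page caveat: no neighbor trust for VPLS/VPWS/R-VPLS local to a PE-ASBR
    return True


def verify(neighbor_trust, ping_results, **model_kw):
    """List (instance, target, expected, observed) where a ping contradicts the model."""
    mismatches = []
    for (instance, target), received in ping_results.items():
        expected = expected_forwarding(neighbor_trust, instance, target, **model_kw)
        observed = received > 0
        if expected != observed:
            mismatches.append((instance, target, expected, observed))
    return mismatches


if __name__ == "__main__":
    evpn_only = {"vpn-ipv4": False, "vpn-ipv6": False, "evpn": True}
    print(verify(evpn_only, parse_ping_results(SAMPLE_OUTPUT)))  # [] when output matches
```

Feeding the collected ping output of each scenario to verify() with the neighbor-trust settings of the ASBR turns the manual reading of the statistics lines into an automated check; a non-empty mismatch list points at a service whose labels are being forwarded or dropped contrary to the configured trust.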

Conclusion

BGP neighbor trust prevents label spoofing in inter-AS option B for the VPN-IPv4, VPN-IPv6, and EVPN address families.