Next-hop-self route reflector and inter-AS option B

Next-hop-self route reflectors (NHS-RR) are used in BGP networks to reduce the need for fully meshed iBGP connections within a single autonomous system (AS). In a fully meshed AS, iBGP routers do not readvertise routes learned from one iBGP neighbor to other iBGP neighbors, whereas NHS-RR allows a route reflector (RR) to advertise learned iBGP routes to iBGP neighbors with its own address as the next hop. This feature connects different domains within the same AS and improves the overall scale.

Inter-AS option B is a method for interconnecting VPN sites located in different ASes. Using this method, autonomous system border routers (ASBRs) are directly connected and routes are exchanged on a single interface.

EVPN IFL and VPN-IPv4/IPv6 routes both support NHS-RR capability and inter-AS option B.

The following figure shows the configuration of NHS-RR and inter-AS option B:
Figure 1. EVPN and IP-VPN services on inter-AS option B

The preceding figure shows two different ASes that are connected via inter-AS option B ASBRs br4, br5, and br6. This method allows for the extension of EVPN and IP-VPN services across different MPLS or segment routing MPLS domains without providing services on border routers.

Egress PEs advertise EVPN and IP-VPN routes to adjacent border routers.

Border routers carry out the following functions:
  1. Import and redistribute routes to the remote border routers or local PEs where the addresses of the remote border routers are used as the next hops and their own service MPLS labels are used.
  2. Program a label swap operation so that the ingress traffic service label is looked up and packets are forwarded with a new service label.
The following shows the configuration of the default network instance of pe1 in EVPN and IP-VPN services on inter-AS option B, which is similar to the configuration of the other PEs in the figure:
--{ + candidate shared default }--[ network-instance default ]--
A:pe1# info
    type default
    interface ethernet-1/10.0 {
    }
    interface system0.0 {
    }
    protocols {
        bgp {
            admin-state enable
            autonomous-system 65001
            router-id 10.0.0.1
            bgp-label {
                bgp-ipvpn {
                    next-hop-resolution {
                        ipv4-next-hops {
                            tunnel-resolution {
                                allowed-tunnel-types [
                                    ldp
                                    sr-isis
                                ]
                            }
                        }
                    }
                }
            }
            ebgp-default-policy {
                import-reject-all false
                export-reject-all false
            }
            afi-safi evpn {
                admin-state enable
                evpn {
                    keep-all-routes true
                    rapid-update true
                }
            }
            afi-safi l3vpn-ipv4-unicast {
                admin-state enable
                l3vpn-ipv4-unicast {
                    keep-all-routes true
                    rapid-update true
                }
            }
            group overlay-ibgp {
                peer-as 65001
                afi-safi evpn {
                }
                afi-safi l3vpn-ipv4-unicast {
                }
                timers {
                    connect-retry 1
                    minimum-advertisement-interval 1
                }
                trace-options {
                    flag update {
                        modifier detail
                    }
                }
            }
            neighbor 10.0.0.4 {
                peer-group overlay-ibgp
            }
        }
        ldp {
            admin-state enable
            dynamic-label-block range-1-ldp
            discovery {
                interfaces {
                    interface ethernet-1/10.0 {
                        ipv4 {
                            admin-state enable
                        }
                    }
                }
            }
        }
        isis {
            dynamic-label-block range-3-srgb
            instance i14 {
                admin-state enable
                instance-id 1
                level-capability L2
                iid-tlv true
                net [
                    49.0001.0000.0000.0001.00
                ]
                trace-options {
                    trace [
                        adjacencies
                        interfaces
                        packets-all
                    ]
                }
                segment-routing {
                    mpls {
                        dynamic-adjacency-sids {
                            all-interfaces true
                        }
                    }
                }
                interface ethernet-1/10.0 {
                    circuit-type point-to-point
                    ipv4-unicast {
                        admin-state enable
                    }
                }
                interface system0.0 {
                    passive true
                    ipv4-unicast {
                        admin-state enable
                    }
                }
            }
        }
    }
    segment-routing {
        mpls {
            global-block {
                label-range range-2-srgb
            }
            local-prefix-sid 1 {
                interface system0.0
                ipv4-label-index 1
            }
        }
    }
The following shows the configuration of the default network instance of RR pe2 in EVPN and IP-VPN services on inter-AS option B:
--{ + candidate shared default }--[ network-instance default protocols bgp ]--
A:pe2# info
    admin-state enable
    autonomous-system 65023
    router-id 10.0.0.2
    bgp-label {
        bgp-ipvpn {
            next-hop-resolution {
                ipv4-next-hops {
                    tunnel-resolution {
                        allowed-tunnel-types [
                            ldp
                            sr-isis
                        ]
                    }
                }
            }
        }
    }
    ebgp-default-policy {
        import-reject-all false
        export-reject-all false
    }
    afi-safi evpn {
        admin-state enable
        evpn {
            keep-all-routes true
            rapid-update true
        }
    }
    afi-safi l3vpn-ipv4-unicast {
        admin-state enable
        l3vpn-ipv4-unicast {
            keep-all-routes true
            rapid-update true
        }
    }
    group overlay-ibgp {
        peer-as 65023
        afi-safi evpn {
        }
        afi-safi l3vpn-ipv4-unicast {
        }
        route-reflector {
            client true
            cluster-id 2.2.2.2
        }
        timers {
            connect-retry 1
            minimum-advertisement-interval 1
        }
        trace-options {
            flag update {
                modifier detail
            }
        }
    }
    neighbor 10.0.0.3 {
        peer-group overlay-ibgp
    }
    neighbor 10.0.0.5 {
        peer-group overlay-ibgp
    }
    neighbor 10.0.0.6 {
        peer-group overlay-ibgp
    }
The following commands enable NHS-RR and inter-AS option B functionality on SR Linux:
  • inter-as-vpn
  • next-hop-self-route-reflector

These commands affect all EVPN routes and trigger bgp_mgr to swap the service label for all EVPN MPLS routes. These commands also change the next hop to self in all routes with MPLS encapsulation.

For border router configuration, IGP is not enabled on interfaces to other border routers.

The inter-as-vpn true command allows received EVPN/IP-VPN routes to be retained in the BGP RIB and propagated to any eBGP or iBGP peer. To ensure label allocation, a dynamic label block must be configured for border routers. Label allocation re-advertises a received route into the adjacent AS with a local network instance MPLS label and ensures an MPLS label swap operation is completed.

Configure a dynamic label block using the following configuration:
--{ * candidate shared default }--[  ]--
A:srl1# info network-instance mgmt
    network-instance mgmt {
        protocols {
            bgp {
                bgp-label {
                    bgp-vpn {
                        dynamic-label-block 1
                    }
                }
            }
        }
    }

The label block is shared by the EVPN inter-AS model B and EVPN NHS-RR features.

Note:

The inter-as-vpn true command has the same function as the keep-all-routes command for keeping the routes in the RIB.

The following shows the configuration of the default network instance of border router br4 in EVPN and IP-VPN services on inter-AS option B:
--{ + candidate shared default }--[ network-instance default ]--
A:br4# info
    type default
    interface ethernet-1/10.0 {
    }
    interface ethernet-1/11.0 {
    }
    interface ethernet-1/12.0 {
    }
    interface system0.0 {
    }
    protocols {
        bgp {
            autonomous-system 65001
            router-id 10.0.0.4
            bgp-label {
                bgp-vpn {
                    dynamic-label-block range-6-bgp-lu
                }
                bgp-ipvpn {
                    next-hop-resolution {
                        ipv4-next-hops {
                            tunnel-resolution {
                                allowed-tunnel-types [
                                    ldp
                                    sr-isis
                                ]
                            }
                        }
                    }
                }
            }
            ebgp-default-policy {
                import-reject-all false
                export-reject-all false
            }
            afi-safi evpn {
                admin-state enable
                evpn {
                    inter-as-vpn true
                    rapid-update true
                    default-received-encapsulation mpls
                    next-hop-resolution {
                        ipv4-next-hops {
                            tunnel-resolution {
                                allowed-tunnel-types [
                                    bgp
                                    ldp
                                    sr-isis
                                ]
                            }
                        }
                    }
                }
            }
            afi-safi l3vpn-ipv4-unicast {
                admin-state enable
                l3vpn-ipv4-unicast {
                    inter-as-vpn true
                    rapid-update true
                }
            }
            group overlay-ebgp {
                peer-as 65023
                afi-safi evpn {
                }
                timers {
                    connect-retry 1
                    minimum-advertisement-interval 1
                }
                trace-options {
                    flag update {
                        modifier detail
                    }
                }
            }
            group overlay-ibgp {
                peer-as 65001
                afi-safi evpn {
                }
                timers {
                    connect-retry 1
                    minimum-advertisement-interval 1
                }
                trace-options {
                    flag update {
                        modifier detail
                    }
                }
            }
            neighbor 10.4.5.2 {
                peer-group overlay-ebgp
            }
            neighbor 10.4.6.2 {
                peer-group overlay-ebgp
            }
            neighbor 10.0.0.1 {
                peer-group overlay-ibgp
            }
        }
        ldp {
            admin-state enable
            dynamic-label-block range-1-ldp
            discovery {
                interfaces {
                    interface ethernet-1/10.0 {
                        ipv4 {
                            admin-state enable
                        }
                    }
                    interface ethernet-1/11.0 {
                        ipv4 {
                            admin-state enable
                        }
                    }
                    interface ethernet-1/12.0 {
                        ipv4 {
                            admin-state enable
                        }
                    }
                }
            }
        }
        isis {
            dynamic-label-block range-3-srgb
            instance i14 {
                admin-state enable
                instance-id 1
                level-capability L2
                iid-tlv true
                net [
                    49.0001.0000.0000.0004.00
                ]
                segment-routing {
                    mpls {
                        dynamic-adjacency-sids {
                            all-interfaces true
                        }
                    }
                }
                interface ethernet-1/10.0 {
                    circuit-type point-to-point
                    ipv4-unicast {
                        admin-state enable
                    }
                }
                interface system0.0 {
                    passive true
                    ipv4-unicast {
                        admin-state enable
                    }
                }
            }
        }
    }
    segment-routing {
        mpls {
            global-block {
                label-range range-2-srgb
            }
            local-prefix-sid 1 {
                interface system0.0
                ipv4-label-index 4
            }
        }
    }
The following shows the configuration of border router br4's label allocation:
--{ + candidate shared default }--[ system mpls ]--
A:br4# info
    label-ranges {
        static range-2-srgb {
            shared true
            start-label 100001
            end-label 120000
        }
        static range-5-static-services {
            shared false
            start-label 3000
            end-label 4000
        }
        dynamic range-1-ldp {
            start-label 100
            end-label 200
        }
        dynamic range-3-srgb {
            start-label 120001
            end-label 120999
        }
        dynamic range-4-evpn {
            start-label 500
            end-label 699
        }
        dynamic range-5-services {
            start-label 1000
            end-label 2000
        }
        dynamic range-6-bgp-lu {
            start-label 122001
            end-label 122201
        }
    }
    services {
        evpn {
            dynamic-label-block range-4-evpn
        }
        network-instance {
            dynamic-label-block range-5-services
        }
    }
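
The requirement above (a border router with inter-as-vpn true needs a dynamic label block under bgp-label bgp-vpn) can be checked before commit. The following is an added example, not SR Linux or Nokia code: parse_info and lint_inter_as are hypothetical helper names, and the two inputs are constructed excerpts modeled on the br4 configuration on this page.

```python
# Constructed excerpts modeled on the br4 "info" outputs on this page.
BGP_CFG = """\
bgp {
    bgp-label {
        bgp-vpn {
            dynamic-label-block range-6-bgp-lu
        }
    }
    afi-safi evpn {
        admin-state enable
        evpn {
            inter-as-vpn true
        }
    }
    afi-safi l3vpn-ipv4-unicast {
        l3vpn-ipv4-unicast {
            inter-as-vpn true
        }
    }
}
"""
MPLS_CFG = """\
label-ranges {
    static range-2-srgb {
        start-label 100001
        end-label 120000
    }
    dynamic range-6-bgp-lu {
        start-label 122001
        end-label 122201
    }
}
"""

def parse_info(text):
    """Parse brace-delimited 'info' output into nested dicts; [ ... ] becomes a list."""
    root = {}
    stack, items = [root], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line == "]":
            items = None
        elif items is not None:
            items.append(line)
        elif line.endswith("["):
            items = stack[-1].setdefault(line[:-1].strip(), [])
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return root

def lint_inter_as(bgp_cfg, mpls_cfg):
    """Findings for inter-as-vpn families that lack a usable dynamic label block."""
    bgp = parse_info(bgp_cfg).get("bgp", {})
    ranges = parse_info(mpls_cfg).get("label-ranges", {})
    families = [k.split()[1] for k, v in bgp.items()
                if k.startswith("afi-safi ") and isinstance(v, dict)
                and v.get(k.split()[1], {}).get("inter-as-vpn") == "true"]
    block = bgp.get("bgp-label", {}).get("bgp-vpn", {}).get("dynamic-label-block")
    if block is None:
        return [f"{f}: inter-as-vpn true but no bgp-vpn dynamic-label-block" for f in families]
    if f"dynamic {block}" not in ranges:
        return [f"{f}: label block {block!r} is not a dynamic range" for f in families]
    return []

if __name__ == "__main__":
    print(lint_inter_as(BGP_CFG, MPLS_CFG))
```

A missing or unusable block surfaces at run time as label-allocation-failed under invalid-reason in the BGP RIB state, so catching it in the candidate configuration avoids silently unadvertised routes.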

The next-hop-self-route-reflector command requires the configuration of a border router as an RR. The behavior of this command is equivalent to the inter-as-vpn command, with one difference: the use of next-hop-self-route-reflector allows the border router to receive and readvertise routes to RR clients within the same AS.

BGP next-hop resolution for EVPN/IP-VPN routes

NHS-RR and inter-AS option B routes all use the next-hop-resolution grouping. This grouping is only used when the following options are enabled:
  • inter-as-vpn
  • nhsrr-evpn
The next-hop-resolution command allows the disabling of route resolution. By default, routes are not ignored. If a longest prefix match (LPM) FIB lookup provides a route that is not local or static, and there is no tunnel, the route is unresolved. This command also permits the following:
  • resolution of tunnels through a fallback to FIB lookup
  • resolution of local and static routes to the next hop in the absence of resolving tunnels
BGP receives next-hop resolution information from the following contexts:
  • For IP-VPN:
    --{ * candidate shared default }--[  ]--
    A:srl1# info network-instance default
        network-instance default {
            protocols {
                bgp {
                    bgp-label {
                        bgp-ipvpn {
                            next-hop-resolution {
                            }
                        }
                    }
                }
            }
        }
  • For EVPN:
    --{ * candidate shared default }--[  ]--
    A:srl3# info network-instance default
        network-instance default {
            protocols {
                bgp {
                    afi-safi evpn {
                        next-hop-resolution {
                        }
                    }
                }
            }
        }

The next-hop-resolution configuration on the ASBR on the default network instance affects EVPN-MPLS routes but not EVPN-VXLAN routes. EVPN-VXLAN routes also ignore everything under the next-hop-resolution context.

The next-hop-resolution tunnel-resolution allowed-tunnel-types leaf restricts VXLAN and only allows MPLS tunnels.

The following describes the EVPN next-hop resolution logic:
  1. If the EVPN route type is an ES route (route type 4) then the route is resolved to any route in the default network instance route table, regardless of encapsulation type or node type.
  2. If the EVPN route type is different from an ES route, the following logic is followed:
    1. If the route has an encapsulation type of VXLAN or if there is no encapsulation type found and default-received-encapsulation is set to VXLAN then the route is resolved over any RTM route.
    2. If the route has an encapsulation type of MPLS or default-received-encapsulation is set to MPLS then the resolution is selected based on the default network instance ASBR or service configuration.

Displaying next-hop-self route reflector and inter-AS option B information

You can display the service Incoming Label Mapping (ILM) information and the next hop resolution using the info from state command.

Swapped service labels

The following example displays the swapped labels using the info from state command. The BGP-RIB provides the state information for each imported and exported route.

// example for EVPN IFL route on a model B ASBR:
 
--{ candidate shared default }--[  ]--
A:br4# info from state network-instance default bgp-rib evpn rib-in-out rib-in-post ip-prefix-routes 10.0.0.2:3 ethernet-tag-id 0 ip-prefix-length 24 ip-prefix 10.20.20.0/24 neighbor 10.4.5.2
    network-instance default {
        bgp-rib {
            evpn {
                rib-in-out {
                    rib-in-post {
                        ip-prefix-routes 10.0.0.2:3 ethernet-tag-id 0 ip-prefix-length 24 ip-prefix 10.20.20.0/24 neighbor 10.4.5.2 {
                            esi 00:00:00:00:00:00:00:00:00:00
                            gateway-ip 0.0.0.0
                            attr-id 125
                            last-modified "2024-04-10T12:46:50.200Z (2 hours ago)"
                            used-route false
                            valid-route true
                            best-route true
                            stale-route false
                            pending-delete false
                            tie-break-reason none
                            label {
                                value 122010  // received service label
                                value-type mpls-label
                            }
                            invalid-reason {
                                rejected-route false
                                as-loop false
                                next-hop-unresolved false
                                cluster-loop false
                                label-allocation-failed false
                                fib-programming-failed false
                            }
                        }
                    }
                }
            }
        }
    }
--{ candidate shared default }--[  ]--
A:br4# info from state network-instance default bgp-rib evpn rib-in-out rib-out-post ip-prefix-routes 10.0.0.2:3 ethernet-tag-id 0 ip-prefix-length 24 ip-prefix 10.20.20.0/24 neighbor 10.0.0.1
    network-instance default {
        bgp-rib {
            evpn {
                rib-in-out {
                    rib-out-post {
                        ip-prefix-routes 10.0.0.2:3 ethernet-tag-id 0 ip-prefix-length 24 ip-prefix 10.20.20.0/24 neighbor 10.0.0.1 {
                            esi 00:00:00:00:00:00:00:00:00:00
                            gateway-ip 0.0.0.0
                            attr-id 147
                            next-hop 10.0.0.4
                            label {
                                value 122007 // advertised label, 122010 is swapped to 122007
                                value-type mpls-label
                            }
                        }
                    }
                }
            }
        }
    }

Next hop state in VRF for Inter-AS Option B

The swapped label value is used to find the next hop resolution.

// The service label entry 122007 provides the NHG and next hop
 
--{ candidate shared default }--[  ]--
A:br4# info from state network-instance default route-table mpls label-entry 122007
    network-instance default {
        route-table {
            mpls {
                label-entry 122007 {
                    operation swap
                    entry-type bgp
                    last-app-update "2024-04-10T12:46:50.185Z (2 hours ago)"
                    next-hop-group 373030816119
                }
            }
        }
    }

--{ candidate shared default }--[  ]--
A:br4# info from state network-instance default route-table next-hop-group 373030816119
    network-instance default {
        route-table {
            next-hop-group 373030816119 {
                backup-next-hop-group 0
                fib-programming {
                    last-successful-operation-type add
                    last-successful-operation-timestamp 2024-04-10T11:57:16.328Z
                    pending-operation-type none
                    last-failed-operation-type none
                }
                next-hop 0 {
                    next-hop 373030816115
                    resolved true
                }
            }
        }
    }

// In this example, the next hop is resolved to a local route 10.4.5.0 (ASBRs using single hop eBGP session)
 
--{ candidate shared default }--[  ]--
A:br4# info from state network-instance default route-table next-hop 373030816115
    network-instance default {
        route-table {
            next-hop 373030816115 {
                type indirect
                ip-address 10.4.5.2
                resolving-route {
                    ip-prefix 10.4.5.0/30
                    route-type local
                    route-owner net_inst_mgr
                }
                mpls {
                    pushed-mpls-label-stack [
                        122010
                    ]
                }
            }
        }
    }

MPLS route table

The following example displays the MPLS route table, which summarizes the swap operation, incoming label, outgoing label, and associated next hop.

--{ candidate shared default }--[  ]--
A:br4# show network-instance default route-table mpls
+--------+-----------+---------+-----------+----------------------+-----------------+---------------+
| Label  | Operation | Type    | Next      | Next-hop IP          | Next-hop        | Next-hop MPLS |
|        |           |         | Net-Inst  | (Type)               | Subinterface    | labels        |
+========+===========+=========+===========+======================+=================+===============+
| 100    | POP       | ldp     | default   |                      |                 |               |
| 100002 | SWAP      | sr-mpls | N/A       | 10.1.4.1 (mpls)      | ethernet-1/10.0 | 100002        |
| 100005 | POP       | sr-mpls | default   |                      |                 |               |
| 120002 | SWAP      | sr-mpls | N/A       | 10.1.4.1 (mpls)      | ethernet-1/10.0 | IMPLICIT_NULL |
| 122001 | SWAP      | bgp     | N/A       | 10.0.0.1 (indirect)  |                 | 1002          |
| 122002 | SWAP      | bgp     | N/A       | 10.0.0.1 (indirect)  |                 | 1001          |
| 122003 | SWAP      | bgp     | N/A       | 10.0.0.1 (indirect)  |                 | 1003          |
| 122004 | SWAP      | bgp     | N/A       | 10.4.5.2 (indirect)  |                 | 122008        |
| 122005 | SWAP      | bgp     | N/A       | 10.4.5.2 (indirect)  |                 | 122011        |
| 122006 | SWAP      | bgp     | N/A       | 10.4.5.2 (indirect)  |                 | 122007        |
| 122007 | SWAP      | bgp     | N/A       | 10.4.5.2 (indirect)  |                 | 122010        |
| 122008 | SWAP      | bgp     | N/A       | 10.4.5.2 (indirect)  |                 | 122014        |
| 122009 | SWAP      | bgp     | N/A       | 10.4.5.2 (indirect)  |                 | 122009        |
| 122010 | SWAP      | bgp     | N/A       | 10.4.5.2 (indirect)  |                 | 122012        |
| 122011 | SWAP      | bgp     | N/A       | 10.4.5.2 (indirect)  |                 | 122013        |
+--------+-----------+---------+-----------+----------------------+-----------------+---------------+
// 122007 swapped with 122010 with next hop 10.4.5.2
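
The manual walk above (received label, advertised label, ILM entry, next hop) can be automated as a consistency check on a border router, since a swap entry that points at the wrong label or neighbor would deliver one service's traffic into another. The following is an added example, not SR Linux or Nokia code: the function names are hypothetical, the inputs are constructed excerpts of the br4 outputs on this page, and it assumes BGP service labels come from range-6-bgp-lu because br4 binds bgp-label bgp-vpn dynamic-label-block to that range.

```python
import re

# Constructed sample input: excerpts of the br4 outputs shown on this page.
LABEL_RANGES = """\
static range-2-srgb {
    start-label 100001
    end-label 120000
}
dynamic range-1-ldp {
    start-label 100
    end-label 200
}
dynamic range-6-bgp-lu {
    start-label 122001
    end-label 122201
}
"""
MPLS_TABLE = """\
| Label  | Operation | Type    | Next      | Next-hop IP          | Next-hop        | Next-hop MPLS |
+========+===========+=========+===========+======================+=================+===============+
| 100    | POP       | ldp     | default   |                      |                 |               |
| 100002 | SWAP      | sr-mpls | N/A       | 10.1.4.1 (mpls)      | ethernet-1/10.0 | 100002        |
| 122001 | SWAP      | bgp     | N/A       | 10.0.0.1 (indirect)  |                 | 1002          |
| 122007 | SWAP      | bgp     | N/A       | 10.4.5.2 (indirect)  |                 | 122010        |
| 122010 | SWAP      | bgp     | N/A       | 10.4.5.2 (indirect)  |                 | 122012        |
"""

def parse_label_ranges(text):
    """Map range name -> (start, end) from the label-ranges 'info' output."""
    pat = re.compile(r"(?:static|dynamic)\s+(\S+)\s*\{.*?start-label\s+(\d+)\s+end-label\s+(\d+)", re.S)
    return {name: (int(lo), int(hi)) for name, lo, hi in pat.findall(text)}

def parse_mpls_table(text):
    """Map incoming label -> entry for each data row of the MPLS route table."""
    entries = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 7 or not cells[0].isdigit():
            continue  # borders, header rows and comment lines
        out = cells[6]
        entries[int(cells[0])] = {
            "operation": cells[1], "type": cells[2],
            "next_hop": cells[4].split()[0] if cells[4] else None,
            "out_label": int(out) if out.isdigit() else (out or None),
        }
    return entries

def range_of(label, ranges):
    """Name of the configured range containing label, or None."""
    return next((n for n, (lo, hi) in ranges.items() if lo <= label <= hi), None)

def bgp_labels_outside_block(entries, ranges, block):
    """BGP-owned incoming labels that were not allocated from the named block."""
    return sorted(l for l, e in entries.items()
                  if e["type"] == "bgp" and range_of(l, ranges) != block)

def check_swap(entries, advertised, received, neighbor):
    """Problems with the ILM entry that should swap advertised -> received toward neighbor."""
    e = entries.get(advertised)
    if e is None:
        return [f"no ILM entry for advertised label {advertised}"]
    expected = {"operation": "SWAP", "out_label": received, "next_hop": neighbor}
    return [f"label {advertised}: {k} is {e[k]!r}, expected {v!r}"
            for k, v in expected.items() if e[k] != v]

if __name__ == "__main__":
    entries = parse_mpls_table(MPLS_TABLE)
    ranges = parse_label_ranges(LABEL_RANGES)
    print(bgp_labels_outside_block(entries, ranges, "range-6-bgp-lu"))
    print(check_swap(entries, advertised=122007, received=122010, neighbor="10.4.5.2"))
```

Both calls return an empty list for the state shown on this page: every BGP entry sits inside range-6-bgp-lu, and label 122007 swaps to 122010 toward 10.4.5.2.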