MPLS Intro Series – Customer Connection with BGP

In the last article, we performed a packet walk of a simple VPNv4 network. This article will expand our deployment by allowing the CE_Sites to advertise their own routes via BGP. For this configuration, we will use some overlapping and some unique private AS numbers.

One thing that must be considered is whether or not the same BGP AS is used throughout a given VRF. For example, if we use 64512 at both CE_Site_1 and CE_Site_2, the BGP routes will be dropped as they are advertised toward the customer site, because the receiving site's own AS is already in the AS path. This is demonstrated with a simple configuration that advertises 1.1.1.1 from CE_Site_1.

CE_Site_1 BGP Configuration

interface Loopback0
 description Loopback
 ip address 1.1.1.1 255.255.255.255
!
router bgp 64512
 bgp log-neighbor-changes
 network 1.1.1.1 mask 255.255.255.255
 neighbor 10.1.1.1 remote-as 1

PE1 vrf RED – BGP Configuration and Verification (success)

router bgp 1
!
 no bgp default ipv4-unicast
 neighbor 20.20.20.20 remote-as 1
 neighbor 20.20.20.20 update-source Loopback0
!
 address-family vpnv4
  neighbor 20.20.20.20 activate
  neighbor 20.20.20.20 send-community both
 exit-address-family
!
 address-family ipv4 vrf RED
  redistribute connected
  neighbor 10.1.1.2 remote-as 64512
  neighbor 10.1.1.2 activate
 exit-address-family

//routes in BGP RIB
PE1#show bgp vpnv4 unicast vrf RED
BGP table version is 46, local router ID is 10.10.10.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:200 (default for vrf RED)
 *>   1.1.1.1/32       10.1.1.2                 0             0 64512 i
 *>   10.1.1.0/24      0.0.0.0                  0         32768 ?
 *>i  20.2.2.0/24      20.20.20.20              0    100      0 ?

PE2 vrf RED BGP Configuration and Verification (success)

router bgp 1
 no bgp default ipv4-unicast
 neighbor 10.10.10.10 remote-as 1
 neighbor 10.10.10.10 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.10.10.10 activate
  neighbor 10.10.10.10 send-community both
 exit-address-family
 !
 address-family ipv4 vrf RED
  redistribute connected
  neighbor 20.2.2.2 remote-as 64512
  neighbor 20.2.2.2 activate
 exit-address-family

//routes in BGP RIB
PE2#show bgp vpnv4 unicast vrf RED
BGP table version is 26, local router ID is 20.20.20.20
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:200 (default for vrf RED)
 *>i  1.1.1.1/32       10.10.10.10              0    100      0 64512 i
 *>i  10.1.1.0/24      10.10.10.10              0    100      0 ?
 *>   20.2.2.0/24      0.0.0.0                  0         32768 ?

//notice that 1.1.1.1 is in the BGP RIB and even reachable from PE2
PE2#ping vrf RED 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/31/79 ms

CE_Site_2 Configuration and Validation (failure – 1.1.1.1/32 is missing)

router bgp 64512
 bgp log-neighbor-changes
 neighbor 20.2.2.1 remote-as 1

//routes in BGP RIB
CE_Site2#show ip bgp
BGP table version is 3, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>   10.1.1.0/24      20.2.2.1                               0 1 ?
 r>   20.2.2.0/24      20.2.2.1                 0             0 1 ?

Notice that PE2 isn’t advertising 1.1.1.1/32 to CE_Site_2 (we only see routes that originated in AS 1). The reason is that AS 64512, CE_Site_2's own AS, is already in the route's AS_PATH attribute. We can work around this by configuring as-override on PE2.

PE2 Path Override

router bgp 1
 address-family ipv4 vrf RED
  neighbor 20.2.2.2 as-override
!
clear ip bgp vrf RED ipv4 unicast 64512

Now the route will appear on CE_Site_2 as a route belonging to AS 1: PE2 replaces 64512 with its own AS and then prepends AS 1 as usual, so the AS path is 1 1. It is also reachable.

CE_Site2#show ip bgp
BGP table version is 10, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>   1.1.1.1/32       20.2.2.1                               0 1 1 i
 *>   10.1.1.0/24      20.2.2.1                               0 1 ?
 r>   20.2.2.0/24      20.2.2.1                 0             0 1 ?
CE_Site2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 47/68/107 ms

Another way to address this is using unique AS numbers per site. In the case of CE_Site_3 and CE_Site_4 using VRF BLUE, we can use 64512 and 64513 to illustrate this. Some may jump to the conclusion that we already used 64512. While that is correct, it is in a different VRF and that makes it unique.

CE_Site_3 Configuration

interface Loopback0
 description Loopback
 ip address 3.3.3.3 255.255.255.255
!
router bgp 64512
 bgp log-neighbor-changes
 network 3.3.3.3 mask 255.255.255.255
 neighbor 10.3.3.1 remote-as 1

PE1 Configuration and Validation (success)

router bgp 1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 20.20.20.20 remote-as 1
 neighbor 20.20.20.20 update-source Loopback0
 !
 address-family vpnv4
  neighbor 20.20.20.20 activate
  neighbor 20.20.20.20 send-community both
 exit-address-family
 !
 address-family ipv4 vrf BLUE
  redistribute connected
  neighbor 10.3.3.2 remote-as 64512
  neighbor 10.3.3.2 activate
 exit-address-family
!
//validation
PE1#show bgp vpnv4 unicast vrf BLUE
BGP table version is 47, local router ID is 10.10.10.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 110:210 (default for vrf BLUE)
 *>   3.3.3.3/32       10.3.3.2                 0             0 64512 i
 *>   10.3.3.0/24      0.0.0.0                  0         32768 ?
 *>i  20.4.4.0/24      20.20.20.20              0    100      0 ?

PE2 Configuration and Validation (success)

router bgp 1
 no bgp default ipv4-unicast
 neighbor 10.10.10.10 remote-as 1
 neighbor 10.10.10.10 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.10.10.10 activate
  neighbor 10.10.10.10 send-community both
 exit-address-family
 !
 address-family ipv4 vrf BLUE
  redistribute connected
  neighbor 20.4.4.2 remote-as 64513
  neighbor 20.4.4.2 activate
 exit-address-family
 !

//validation
PE2#show bgp vpnv4 unicast vrf BLUE
BGP table version is 28, local router ID is 20.20.20.20
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 110:210 (default for vrf BLUE)
 *>i  3.3.3.3/32       10.10.10.10              0    100      0 64512 i
 *>i  10.3.3.0/24      10.10.10.10              0    100      0 ?
 *>   20.4.4.0/24      0.0.0.0                  0         32768 ?

CE_Site_4 Configuration and Validation (success)

router bgp 64513
 bgp log-neighbor-changes
 neighbor 20.4.4.1 remote-as 1
!
CE_Site4#show ip bgp
BGP table version is 4, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>   3.3.3.3/32       20.4.4.1                               0 1 64512 i
 *>   10.3.3.0/24      20.4.4.1                               0 1 ?
 r>   20.4.4.0/24      20.4.4.1                 0             0 1 ?

CE_Site4#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/27/45 ms

Notice in the validation at CE_Site_4, the AS path is ‘1 64512’.
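The AS_PATH behaviour behind both approaches (as-override in VRF RED, unique AS numbers in VRF BLUE), as an added example that is not part of the original article: a simplified Python model of eBGP prepend, as-override and the CE loop check, not router code. The function names are hypothetical; the AS numbers are the ones used above.

```python
"""Simplified model of AS_PATH handling on the PE-CE eBGP session."""

PE_AS = 1  # provider AS used throughout the article


def pe_advertise(as_path, ce_as, as_override=False):
    """Return the AS_PATH a PE sends to a CE neighbor in AS `ce_as`.

    With as-override, every occurrence of the neighbor's AS is replaced
    by the PE's own AS before the normal eBGP prepend.
    """
    if as_override:
        as_path = [PE_AS if asn == ce_as else asn for asn in as_path]
    return [PE_AS] + as_path


def ce_accepts(as_path, ce_as):
    """eBGP loop prevention: a path containing our own AS is rejected."""
    return ce_as not in as_path


def walk(origin_as, dest_as, as_override=False):
    """Carry a route from the originating CE across the VPN to another CE.

    The ingress PE learns the path [origin_as]; the iBGP/VPNv4 hop between
    the PEs adds no AS, so the egress PE starts from the same path.
    """
    sent = pe_advertise([origin_as], dest_as, as_override)
    return sent, ce_accepts(sent, dest_as)


# Scenarios mirror the article's three cases (labels are constructed).
SCENARIOS = [
    ("VRF RED, same AS, no override", 64512, 64512, False),
    ("VRF RED, same AS, as-override", 64512, 64512, True),
    ("VRF BLUE, unique AS per site", 64512, 64513, False),
]

if __name__ == "__main__":
    for label, origin, dest, override in SCENARIOS:
        path, accepted = walk(origin, dest, override)
        verdict = "accepted" if accepted else "rejected (own AS in path)"
        print(f"{label}: path {' '.join(map(str, path))} -> {verdict}")
```

The second scenario also shows what as-override costs: the CE can no longer use the AS path to recognise a route that originated in its own AS. On multihomed sites that protection is usually restored with the Site of Origin (SoO) extended community.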

This article has demonstrated a couple of methods of using BGP as a CE-PE protocol. In an upcoming article, we will conclude the series by sharing information about route reflectors.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.