Chap4 MPLS VPN--Inter-AS Option AB
Configuration Guides(IOS XE Everest 16.6)
Multiprotocol Label Switching (MPLS)
MPLS Layer 3 VPNs Inter-AS and CSC Configuration Guide
Chap4 MPLS VPN--Inter-AS Option AB
■ 1 ■ Configuration Guides
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_ias_and_csc/configuration/xe-16-6/mp-ias-and-csc-xe-16-6-book/mpls-vpn-inter-as-option-ab.html
Inter-AS VPN options 【Option 1: Back-to-back VRF】
This may also be what is called Option A.
RFC4364
BGP/MPLS IP Virtual Private Networks (VPNs)
https://tools.ietf.org/html/rfc4364#page-32
10. Multi-AS Backbones
a) VRF-to-VRF connections at the AS ~
So is that why it is called Option A?
■ 2 ■ Roughly speaking...
An MPLS VPN method that connects VRFs directly between different ASes.
Complexity : Low
Scalability : Low
----- ASBR Point -----
Gi1 between ASBR1 and ASBR2 connects vrf CX_A directly (back-to-back).
Gi2 between ASBR1 and ASBR2 connects vrf CX_B directly (back-to-back).
Between ASBR1 and ASBR2, each VRF is defined in BGP
with address-family ipv4 vrf.
----- PE1,PE2 Point -----
CX_A uses different ASes at VPN site 1 (left) and VPN site 2 (right),
but CX_B uses the same AS at VPN site 1 (left) and VPN site 2 (right),
so AS Override must be used for CX_B.
---
Nothing else special is done.
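The effect of as-override on CX_B, as an added example that is not part of the original post: it models eBGP AS_PATH prepending and the receiving CE's loop check, using the AS numbers from the config in section 3. The function names are illustrative.

```python
# Added example (not from the original post): why CX_B needs as-override.
# AS numbers are the ones in the section 3 config; function names are illustrative.

def advertise(as_path, local_as, neighbor_as, as_override=False):
    """AS_PATH that a router in local_as sends to an eBGP neighbor."""
    if as_override:
        # as-override: the neighbor's AS in the path is replaced by our own AS
        as_path = [local_as if asn == neighbor_as else asn for asn in as_path]
    return [local_as] + as_path  # normal eBGP prepend

def accepts(as_path, own_as):
    """eBGP loop prevention: reject an update whose AS_PATH contains our AS."""
    return own_as not in as_path

def site2_prefix_at_site1_ce(site2_ce_as, site1_ce_as, as_override):
    """Follow a site-2 prefix: CE -> AS 2 -> (Option A eBGP in the VRF) -> AS 1 -> CE."""
    path = [site2_ce_as]                      # as learned by PE2 from the CE
    path = advertise(path, 2, 1)              # ASBR2 -> ASBR1, per-VRF eBGP
    path = advertise(path, 1, site1_ce_as, as_override)  # PE1 -> site-1 CE
    return path, accepts(path, site1_ce_as)

if __name__ == "__main__":
    cases = [("CX_A", 65002, 65001, False),
             ("CX_B without as-override", 65001, 65001, False),
             ("CX_B with as-override", 65001, 65001, True)]
    for name, ce2, ce1, override in cases:
        path, ok = site2_prefix_at_site1_ce(ce2, ce1, override)
        print(f"{name}: AS_PATH {path} -> {'accepted' if ok else 'dropped (loop check)'}")
```

With as-override the customer AS no longer appears in the path, so the CE's AS_PATH loop check cannot catch a route returning to a multihomed site; Site of Origin (SoO) is the usual safeguard in that case.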
Tested topology ↓↓↓
■ 3 ■ config
----- CE_A1 --------------------------------
router bgp 65001
bgp log-neighbor-changes
network 172.16.100.0 mask 255.255.255.0
neighbor 172.16.10.1 remote-as 1
----- CE_B1 --------------------------------
router bgp 65001
bgp log-neighbor-changes
network 192.168.100.0
neighbor 192.168.10.1 remote-as 1
----- PE1 ----------------------------------
ip vrf CX_A
rd 1:100
route-target export 1:100
route-target import 1:100
ip vrf CX_B
rd 1:101
route-target export 1:101
route-target import 1:101
!
interface GigabitEthernet1
ip vrf forwarding CX_A
ip address 172.16.10.1 255.255.255.252
!
interface GigabitEthernet2
ip vrf forwarding CX_B
ip address 192.168.10.1 255.255.255.252
!
!
router ospf 1
router-id 10.10.10.101
network 10.10.10.0 0.0.0.255 area 0
!
router bgp 1
bgp router-id 10.10.10.101
bgp log-neighbor-changes
neighbor 10.10.10.200 remote-as 1
neighbor 10.10.10.200 update-source Loopback0
!
address-family vpnv4
neighbor 10.10.10.200 activate
neighbor 10.10.10.200 send-community extended
exit-address-family
!
address-family ipv4 vrf CX_A
neighbor 172.16.10.2 remote-as 65001
neighbor 172.16.10.2 activate
exit-address-family
!
address-family ipv4 vrf CX_B
neighbor 192.168.10.2 remote-as 65001
neighbor 192.168.10.2 activate
neighbor 192.168.10.2 as-override
exit-address-family
!
mpls ldp router-id Loopback0 force
!
interface GigabitEthernet3
mpls ip
----- P1 -----------------------------------
router ospf 1
router-id 10.10.10.200
network 10.10.10.0 0.0.0.255 area 0
!
router bgp 1
bgp router-id 10.10.10.200
bgp log-neighbor-changes
neighbor 10.10.10.101 remote-as 1
neighbor 10.10.10.101 update-source Loopback0
neighbor 10.10.10.102 remote-as 1
neighbor 10.10.10.102 update-source Loopback0
!
address-family vpnv4
neighbor 10.10.10.101 activate
neighbor 10.10.10.101 send-community extended
neighbor 10.10.10.101 route-reflector-client
neighbor 10.10.10.102 activate
neighbor 10.10.10.102 send-community extended
neighbor 10.10.10.102 route-reflector-client
exit-address-family
!
!
mpls ldp router-id Loopback0 force
!
interface GigabitEthernet3
mpls ip
!
interface GigabitEthernet4
mpls ip
----- ASBR1 --------------------------------
ip vrf CX_A
rd 1:100
route-target export 1:100
route-target import 1:100
ip vrf CX_B
rd 1:101
route-target export 1:101
route-target import 1:101
!
interface GigabitEthernet1
ip vrf forwarding CX_A
ip address 172.16.30.1 255.255.255.252
!
interface GigabitEthernet2
ip vrf forwarding CX_B
ip address 192.168.30.1 255.255.255.252
!
!
router ospf 1
router-id 10.10.10.102
network 10.10.10.0 0.0.0.255 area 0
!
router bgp 1
bgp router-id 10.10.10.102
bgp log-neighbor-changes
neighbor 10.10.10.200 remote-as 1
neighbor 10.10.10.200 update-source Loopback0
!
address-family vpnv4
neighbor 10.10.10.200 activate
neighbor 10.10.10.200 send-community extended
exit-address-family
!
address-family ipv4 vrf CX_A
neighbor 172.16.30.2 remote-as 2
neighbor 172.16.30.2 activate
exit-address-family
!
address-family ipv4 vrf CX_B
neighbor 192.168.30.2 remote-as 2
neighbor 192.168.30.2 activate
exit-address-family
!
!
!
mpls ldp router-id Loopback0 force
!
interface GigabitEthernet4
mpls ip
----- ASBR2 --------------------------------
ip vrf CX_A
rd 2:100
route-target export 2:100
route-target import 2:100
ip vrf CX_B
rd 2:101
route-target export 2:101
route-target import 2:101
!
interface GigabitEthernet1
ip vrf forwarding CX_A
ip address 172.16.30.2 255.255.255.252
!
interface GigabitEthernet2
ip vrf forwarding CX_B
ip address 192.168.30.2 255.255.255.252
!
!
router ospf 2
router-id 10.20.20.102
network 10.20.20.0 0.0.0.255 area 0
!
router bgp 2
bgp router-id 10.20.20.102
bgp log-neighbor-changes
neighbor 10.20.20.200 remote-as 2
neighbor 10.20.20.200 update-source Loopback0
!
address-family vpnv4
neighbor 10.20.20.200 activate
neighbor 10.20.20.200 send-community extended
exit-address-family
!
address-family ipv4 vrf CX_A
neighbor 172.16.30.1 remote-as 1
neighbor 172.16.30.1 activate
exit-address-family
!
address-family ipv4 vrf CX_B
neighbor 192.168.30.1 remote-as 1
neighbor 192.168.30.1 activate
exit-address-family
!
!
mpls ldp router-id Loopback0 force
!
interface GigabitEthernet4
mpls ip
----- P2 --------------------------------
router ospf 2
router-id 10.20.20.200
network 10.20.20.0 0.0.0.255 area 0
!
router bgp 2
bgp router-id 10.20.20.200
bgp log-neighbor-changes
neighbor 10.20.20.101 remote-as 2
neighbor 10.20.20.101 update-source Loopback0
neighbor 10.20.20.102 remote-as 2
neighbor 10.20.20.102 update-source Loopback0
!
address-family vpnv4
neighbor 10.20.20.101 activate
neighbor 10.20.20.101 send-community extended
neighbor 10.20.20.101 route-reflector-client
neighbor 10.20.20.102 activate
neighbor 10.20.20.102 send-community extended
neighbor 10.20.20.102 route-reflector-client
exit-address-family
!
!
mpls ldp router-id Loopback0 force
!
interface GigabitEthernet3
mpls ip
!
interface GigabitEthernet4
mpls ip
----- PE2 --------------------------------
ip vrf CX_A
rd 2:100
route-target export 2:100
route-target import 2:100
ip vrf CX_B
rd 2:101
route-target export 2:101
route-target import 2:101
!
interface GigabitEthernet1
ip vrf forwarding CX_A
ip address 172.16.20.1 255.255.255.252
!
interface GigabitEthernet2
ip vrf forwarding CX_B
ip address 192.168.20.1 255.255.255.252
!
!
router ospf 2
router-id 10.20.20.101
network 10.20.20.0 0.0.0.255 area 0
!
router bgp 2
bgp router-id 10.20.20.101
bgp log-neighbor-changes
neighbor 10.20.20.200 remote-as 2
neighbor 10.20.20.200 update-source Loopback0
!
address-family vpnv4
neighbor 10.20.20.200 activate
neighbor 10.20.20.200 send-community extended
exit-address-family
!
address-family ipv4 vrf CX_A
neighbor 172.16.20.2 remote-as 65002
neighbor 172.16.20.2 activate
exit-address-family
!
address-family ipv4 vrf CX_B
neighbor 192.168.20.2 remote-as 65001
neighbor 192.168.20.2 activate
neighbor 192.168.20.2 as-override
exit-address-family
!
mpls ldp router-id Loopback0 force
!
interface GigabitEthernet3
mpls ip
----- CE_A2 --------------------------------
router bgp 65002
bgp log-neighbor-changes
network 172.16.200.0 mask 255.255.255.0
neighbor 172.16.20.1 remote-as 2
----- CE_B2 --------------------------------
router bgp 65001
bgp log-neighbor-changes
network 192.168.200.0
neighbor 192.168.20.1 remote-as 2
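A check for the Option A property that each customer's eBGP session runs over its own VRF-bound link, as an added example that is not part of the original post: it parses the ASBR1 lines from the config above and flags any per-VRF neighbor whose address is not on an interface in the same VRF. The `audit` function and the `CROSSED` fault case are assumptions made for illustration.

```python
import ipaddress
import re

# ASBR1 lines copied from the page (interface and per-VRF BGP parts only).
ASBR1 = """\
interface GigabitEthernet1
ip vrf forwarding CX_A
ip address 172.16.30.1 255.255.255.252
interface GigabitEthernet2
ip vrf forwarding CX_B
ip address 192.168.30.1 255.255.255.252
router bgp 1
address-family ipv4 vrf CX_A
neighbor 172.16.30.2 remote-as 2
exit-address-family
address-family ipv4 vrf CX_B
neighbor 192.168.30.2 remote-as 2
exit-address-family
"""

def audit(config):
    """Return (vrf, neighbor) pairs whose peer address is not on a link in that VRF."""
    links, neighbors = {}, []   # vrf -> [connected subnets], [(vrf, peer address)]
    if_vrf = af_vrf = None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            if_vrf = None       # a new interface is in the global table until bound
        elif m := re.fullmatch(r"ip vrf forwarding (\S+)", line):
            if_vrf = m.group(1)
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)) and if_vrf:
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            links.setdefault(if_vrf, []).append(net)
        elif m := re.fullmatch(r"address-family ipv4 vrf (\S+)", line):
            af_vrf = m.group(1)
        elif line == "exit-address-family":
            af_vrf = None
        elif (m := re.fullmatch(r"neighbor (\S+) remote-as \d+", line)) and af_vrf:
            neighbors.append((af_vrf, ipaddress.ip_address(m.group(1))))
    return [(vrf, str(ip)) for vrf, ip in neighbors
            if not any(ip in net for net in links.get(vrf, []))]

# Constructed fault: the two peer addresses swapped between the customer VRFs.
CROSSED = (ASBR1.replace("172.16.30.2", "TMP")
                .replace("192.168.30.2", "172.16.30.2")
                .replace("TMP", "192.168.30.2"))

if __name__ == "__main__":
    print("as on the page:", audit(ASBR1))
    print("crossed peers :", audit(CROSSED))
```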
■ 4 ■ Verification
----- CE_A1 Routing ------------------------
CE_A1#sh ip rou bgp | b Gate
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
B 172.16.200.0/24 [20/0] via 172.16.10.1, 02:06:19
CE_A1#
CE_A1#ping 172.16.200.1 sou 172.16.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
CE_A1#
CE_A1#traceroute 172.16.200.1 sou 172.16.100.1
Type escape sequence to abort.
Tracing the route to 172.16.200.1
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.10.1 1 msec 1 msec 1 msec
2 10.10.10.2 [MPLS: Labels 16/19 Exp 0] 3 msec 3 msec 3 msec
3 172.16.30.1 [MPLS: Label 19 Exp 0] 3 msec 2 msec 2 msec
4 172.16.30.2 2 msec 3 msec 3 msec
5 10.20.20.6 [MPLS: Labels 17/19 Exp 0] 15 msec 6 msec 4 msec
6 172.16.20.1 [MPLS: Label 19 Exp 0] 4 msec 5 msec 3 msec
7 172.16.20.2 4 msec * 4 msec
CE_A1#
----- CE_B1 Routing ------------------------
CE_B1#sh ip rou bgp | b Gate
Gateway of last resort is not set
B 192.168.200.0/24 [20/0] via 192.168.10.1, 01:45:14
CE_B1#
CE_B1#ping 192.168.200.1 sou 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/6/13 ms
CE_B1#
CE_B1#traceroute 192.168.200.1 sou 192.168.100.1
Type escape sequence to abort.
Tracing the route to 192.168.200.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.10.1 6 msec 8 msec 1 msec
2 10.10.10.2 [MPLS: Labels 16/20 Exp 0] 3 msec 2 msec 5 msec
3 192.168.30.1 [MPLS: Label 20 Exp 0] 2 msec 2 msec 2 msec
4 192.168.30.2 2 msec 13 msec 9 msec
5 10.20.20.6 [MPLS: Labels 17/20 Exp 0] 4 msec 3 msec 4 msec
6 192.168.20.1 [MPLS: Label 20 Exp 0] 4 msec 6 msec 4 msec
7 192.168.20.2 5 msec * 4 msec
CE_B1#
VPN site 1 (left) and VPN site 2 (right) can reach each other.
Results of checks focused on labels
===== PE1 ============================
----- PE1 LFIB -----------------------
PE1#sh mpls forwarding-table
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
16 Pop Label 10.10.10.200/32 0 Gi3 10.10.10.2
17 16 10.10.10.102/32 0 Gi3 10.10.10.2
18 Pop Label 10.10.10.4/30 0 Gi3 10.10.10.2
19 No Label 172.16.100.0/24[V] \
6572 Gi1 172.16.10.2
20 No Label 192.168.100.0/24[V] \
5686 Gi2 192.168.10.2
PE1#
----- PE1 Routing vrf CX_A and CX_B ----------
PE1#sh ip rou vrf CX_A bgp | b Gate
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 4 subnets, 3 masks
B 172.16.100.0/24 [20/0] via 172.16.10.2, 02:38:34
B 172.16.200.0/24 [200/0] via 10.10.10.102, 02:21:25
PE1#
PE1#sh ip rou vrf CX_B bgp | b Gate
Gateway of last resort is not set
B 192.168.100.0/24 [20/0] via 192.168.10.2, 03:08:30
B 192.168.200.0/24 [200/0] via 10.10.10.102, 02:53:19
PE1#
--- PE1 Display information about all VPN NLRIs ---
PE1#sh ip bgp vpnv4 all
BGP table version is 7, local router ID is 10.10.10.101
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:100 (default for vrf CX_A)
*> 172.16.100.0/24 172.16.10.2 0 0 65001 i
*>i 172.16.200.0/24 10.10.10.102 0 100 0 2 65002 i
Route Distinguisher: 1:101 (default for vrf CX_B)
*> 192.168.100.0 192.168.10.2 0 0 65001 i
*>i 192.168.200.0 10.10.10.102 0 100 0 2 65001 i
PE1#
--- PE1 all VPN NLRIs and BGP labels for prefixes ---
PE1#sh ip bgp vpnv4 all labels
Network Next Hop In label/Out label
Route Distinguisher: 1:100 (CX_A)
172.16.100.0/24 172.16.10.2 19/nolabel
172.16.200.0/24 10.10.10.102 nolabel/19
Route Distinguisher: 1:101 (CX_B)
192.168.100.0 192.168.10.2 20/nolabel
192.168.200.0 10.10.10.102 nolabel/20
----- PE1 LIB table -----------
PE1#sh mpls ldp bindings 10.10.10.101 32
lib entry: 10.10.10.101/32, rev 4
local binding: label: imp-null
remote binding: lsr: 10.10.10.200:0, label: 17
PE1#
===== P1 =============================
----- P1 LFIB ------------------------
P1#sh mpls forwarding-table
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
16 Pop Label 10.10.10.102/32 5258 Gi4 10.10.10.5
17 Pop Label 10.10.10.101/32 12254 Gi3 10.10.10.1
P1#
===== ASBR1 ==========================
----- ASBR1 LFIB ---------------------
ASBR1#sh mpls forwarding-table
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
16 Pop Label 10.10.10.200/32 0 Gi4 10.10.10.6
17 Pop Label 10.10.10.0/30 0 Gi4 10.10.10.6
18 17 10.10.10.101/32 0 Gi4 10.10.10.6
19 No Label 172.16.200.0/24[V] \
3960 Gi1 172.16.30.2
20 No Label 192.168.200.0/24[V] \
2694 Gi2 192.168.30.2
ASBR1#
--- ASBR1 Routing vrf CX_A and CX_B ---
ASBR1#sh ip rou vrf CX_A bgp | b Gate
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 4 subnets, 3 masks
B 172.16.100.0/24 [200/0] via 10.10.10.101, 02:57:30
B 172.16.200.0/24 [20/0] via 172.16.30.2, 02:40:22
ASBR1#
ASBR1#sh ip rou vrf CX_B bgp | b Gate
Gateway of last resort is not set
B 192.168.100.0/24 [200/0] via 10.10.10.101, 02:55:13
B 192.168.200.0/24 [20/0] via 192.168.30.2, 02:40:01
ASBR1#
===== ASBR2 ==========================
----- ASBR2 LFIB ---------------------
ASBR2#sh mpls forwarding-table
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
16 Pop Label 10.20.20.200/32 0 Gi4 10.20.20.6
17 Pop Label 10.20.20.0/30 0 Gi4 10.20.20.6
18 No Label 172.16.100.0/24[V] \
5636 Gi1 172.16.30.1
19 No Label 192.168.100.0/24[V] \
3058 Gi2 192.168.30.1
20 17 10.20.20.101/32 0 Gi4 10.20.20.6
ASBR2#
--- ASBR2 Routing vrf CX_A and CX_B ---
ASBR2#sh ip rou vrf CX_A bgp | b Gate
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 4 subnets, 3 masks
B 172.16.100.0/24 [20/0] via 172.16.30.1, 03:00:17
B 172.16.200.0/24 [200/0] via 10.20.20.101, 02:43:09
ASBR2#
ASBR2#sh ip rou vrf CX_B bgp | b Gate
Gateway of last resort is not set
B 192.168.100.0/24 [20/0] via 192.168.30.1, 02:57:12
B 192.168.200.0/24 [200/0] via 10.20.20.101, 02:42:00
ASBR2#
-- ASBR2 Display information about all VPN NLRIs --
ASBR2#sh ip bgp vpnv4 all
BGP table version is 7, local router ID is 10.20.20.102
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 2:100 (default for vrf CX_A)
*> 172.16.100.0/24 172.16.30.1 0 1 65001 i
*>i 172.16.200.0/24 10.20.20.101 0 100 0 65002 i
Route Distinguisher: 2:101 (default for vrf CX_B)
*> 192.168.100.0 192.168.30.1 0 1 65001 i
*>i 192.168.200.0 10.20.20.101 0 100 0 65001 i
ASBR2#
-- ASBR2 all VPN NLRIs and BGP labels for prefixes --
ASBR2#sh ip bgp vpnv4 all labels
Network Next Hop In label/Out label
Route Distinguisher: 2:100 (CX_A)
172.16.100.0/24 172.16.30.1 18/nolabel
172.16.200.0/24 10.20.20.101 nolabel/19
Route Distinguisher: 2:101 (CX_B)
192.168.100.0 192.168.30.1 19/nolabel
192.168.200.0 10.20.20.101 nolabel/20
ASBR2#
----- ASBR2 LIB table -----------
ASBR2#sh mpls ldp bindings 10.20.20.102 32
lib entry: 10.20.20.102/32, rev 4
local binding: label: imp-null
remote binding: lsr: 10.20.20.200:0, label: 16
ASBR2#
===== P2 ==========================
----- P2 LFIB ------------------------
P2#sh mpls forwarding-table
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
16 Pop Label 10.20.20.102/32 8618 Gi4 10.20.20.5
17 Pop Label 10.20.20.101/32 3602 Gi3 10.20.20.1
P2#
===== PE2 ============================
----- PE2 LFIB -----------------------
PE2#sh mpls forwarding-table
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
16 Pop Label 10.20.20.200/32 0 Gi3 10.20.20.2
17 16 10.20.20.102/32 0 Gi3 10.20.20.2
18 Pop Label 10.20.20.4/30 0 Gi3 10.20.20.2
19 No Label 172.16.200.0/24[V] \
3204 Gi1 172.16.20.2
20 No Label 192.168.200.0/24[V] \
1938 Gi2 192.168.20.2
PE2#
----- PE2 Routing vrf CX_A and CX_B ----------
PE2#sh ip rou vrf CX_A bgp | b Gate
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 4 subnets, 3 masks
B 172.16.100.0/24 [200/0] via 10.20.20.102, 02:59:22
B 172.16.200.0/24 [20/0] via 172.16.20.2, 02:55:14
PE2#
PE2#sh ip rou vrf CX_B bgp | b Gate
Gateway of last resort is not set
B 192.168.100.0/24 [200/0] via 10.20.20.102, 02:59:05
B 192.168.200.0/24 [20/0] via 192.168.20.2, 02:54:06
PE2#
■ 5 ■ Command References
Cisco IOS IP Routing: BGP Command Reference
neighbor as-override split-horizon
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/command/irg-cr-book/bgp-m1.html#wp2080622590
--- Reference books ---
MPLS Configuration on Cisco IOS Software(CiscoPress)
Chap.7 Inter-Provider VPNs
Chap.8 Carrier Supporting Carriers
BGP Design and Implementation
Chap.10 Multiprotocol BGP and MPLS VPN
--- Reference blog ---
Inter-AS Option A
https://gemunopedy.hatenadiary.com/entry/2017/05/08/124253