Inter-AS Option B

I spent most of Golden Week reading SEGMENT ROUTING Part I and Part II.

SEGMENT ROUTING Part II, p.137
If there are eBGP sessions involved, as typically is the case, they must be configured with next-hop-unchanged under the BGP address-family to ensure the BGP next hop of the service route is not updated when propagating it.

Seeing that note about next-hop-unchanged made me wonder in what situation it applies, and going back through Cisco Press and my old lab notes brought a few things back.
(1) On the RR in Inter-AS Option C, you use next-hop-unchanged.
(2) I had read about Inter-AS Options A, B, C and D and thought I understood them, but I remembered that Inter-AS Option B had completely beaten me. (Inter-AS Option A was already verified in the lab.)

After half a year I took on Inter-AS Option B again, got it working by hand and understood it, so here is a summary of the lab results.

1. Inter-AS Option B

Roughly speaking: a way of getting end-to-end connectivity by exchanging labeled traffic between different ASes (Autonomous Systems). The ASBRs of the two ASes exchange labeled VPNv4 routes directly over eBGP, so the VPN traffic stays label-switched across the AS boundary.

RFC 4364, BGP/MPLS IP Virtual Private Networks (VPNs), section 10 "Multi-AS Backbones" (https://tools.ietf.org/html/rfc4364#page-32):
b) EBGP redistribution of labeled VPN-IPv4 routes from AS to neighboring AS.

Which is probably why it is called Option B.

2. Topology (Single-Hop Multiprotocol eBGP for VPNv4)

Physical topology: (figure)
Logical topology: (figure)
I used CML-P (Version: 2.1.2-b39).
CSR 1000v (IOS XE 16.11.01b)

3. Configs

The enable/vty passwords and transport input all in the configs below are lab-only settings.

Markdown is amazing, I was impressed. Collapsible sections! Wow!
hero-rin's blog: Markdown syntax usable on Hatena

R1 (CE1 config)

!/// CE1 (CE-Router) ///
!
conf t
!
hostname R1
!
interface loopback0
 ip address 1.1.1.1 255.255.255.255
 no shut
!
interface GigabitEthernet1
 ip address 10.1.2.1 255.255.255.0
 no shut
!
interface GigabitEthernet2
 ip address 192.168.10.1 255.255.255.0
 no shut
!
interface GigabitEthernet6
 ip address 192.168.2.131 255.255.255.0
 no shut
!
router bgp 65001
 bgp log-neighbor-changes
 network 192.168.10.0
 neighbor 10.1.2.2 remote-as 1
!
enable secret admin
!
line vty 0 4
 exec-timeout 300 0
 password admin
 transport input all
!
!
end

R2 (PE1 config)

!/// PE1 (PE-Router) ///
!
conf t
!
hostname R2
!
!
interface Loopback0
 ip address 1.1.1.2 255.255.255.255
 ip ospf 1 area 0
!
interface GigabitEthernet2
 ip address 10.2.3.2 255.255.255.0
 no shut
!
interface GigabitEthernet6
 ip address 192.168.2.132 255.255.255.0
 no shut
!
ip vrf CX_B
 rd 1:101
 route-target export 1:101
 route-target import 1:101
 route-target export 2:101
 route-target import 2:101
!
interface GigabitEthernet1
 ip vrf forwarding CX_B
 ip address 10.1.2.2 255.255.255.0
!
!
router ospf 1
 router-id 1.1.1.2
 network 10.2.3.0 0.0.0.255 area 0
!
router bgp 1
 bgp router-id 1.1.1.2
 bgp log-neighbor-changes
 neighbor 1.1.1.3 remote-as 1
 neighbor 1.1.1.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 1.1.1.3 activate
  neighbor 1.1.1.3 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CX_B
  neighbor 10.1.2.1 remote-as 65001
  neighbor 10.1.2.1 activate
  neighbor 10.1.2.1 as-override
 exit-address-family
!
mpls ldp router-id Loopback0 force
!
interface GigabitEthernet2
 mpls ip
!
enable secret admin
!
line vty 0 4
 exec-timeout 300 0
 password admin
 transport input all
!
!
end

R3 (ASBR1 config)

!/// ASBR1 (ASBR) ///
!
conf t
!
hostname R3
!
!
interface Loopback0
 ip address 1.1.1.3 255.255.255.255
 ip ospf 1 area 0
!
interface GigabitEthernet1
 ip address 10.3.4.3 255.255.255.0
 mpls bgp forwarding
 no shut
!
interface GigabitEthernet2
 ip address 10.2.3.3 255.255.255.0
 mpls ip
 no shut
!
interface GigabitEthernet6
 ip address 192.168.2.133 255.255.255.0
 no shut
!
!
ip route 1.1.1.4 255.255.255.255 10.3.4.4
!
router ospf 1
 router-id 1.1.1.3
 network 10.2.3.0 0.0.0.255 area 0
!
router bgp 1
 bgp router-id 1.1.1.3
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 no bgp default route-target filter
 neighbor 1.1.1.2 remote-as 1
 neighbor 1.1.1.2 update-source Loopback0
 neighbor 10.3.4.4 remote-as 2
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 1.1.1.2 activate
  neighbor 1.1.1.2 send-community extended
  neighbor 1.1.1.2 next-hop-self
  neighbor 10.3.4.4 activate
  neighbor 10.3.4.4 send-community extended
 exit-address-family
!
enable secret admin
!
line vty 0 4
 exec-timeout 300 0
 password admin
 transport input all
!
!
end

R4 (ASBR2 config)

!/// ASBR2 (ASBR) ///
!
conf t
!
hostname R4
!
!
interface Loopback0
 ip address 1.1.1.4 255.255.255.255
 ip ospf 2 area 0
!
interface GigabitEthernet1
 ip address 10.3.4.4 255.255.255.0
 mpls bgp forwarding 
 no shut
!
interface GigabitEthernet2
 ip address 10.4.5.4 255.255.255.0
 mpls ip
 no shut
!
interface GigabitEthernet6
 ip address 192.168.2.134 255.255.255.0
 mpls ip
 no shut
!
!
!
router ospf 2
 router-id 1.1.1.4
 network 10.4.5.0 0.0.0.255 area 0
!
router bgp 2
 bgp router-id 1.1.1.4
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 no bgp default route-target filter
 neighbor 1.1.1.5 remote-as 2
 neighbor 1.1.1.5 update-source Loopback0
 neighbor 10.3.4.3 remote-as 1
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 1.1.1.5 activate
  neighbor 1.1.1.5 send-community extended
  neighbor 1.1.1.5 next-hop-self
  neighbor 10.3.4.3 activate
  neighbor 10.3.4.3 send-community extended
 exit-address-family
!
!
enable secret admin
!
line vty 0 4
 exec-timeout 300 0
 password admin
 transport input all
!
!
end

R5 (PE2 config)

!/// PE2 (PE-Router) ///
!
conf t
!
hostname R5
!
!
interface Loopback0
 ip address 1.1.1.5 255.255.255.255
 ip ospf 2 area 0
!
interface GigabitEthernet1
 ip vrf forwarding CX_B
 ip address 10.5.6.5 255.255.255.0
!
interface GigabitEthernet2
 ip address 10.4.5.5 255.255.255.0
 mpls ip
 no shut
!
interface GigabitEthernet6
 ip address 192.168.2.135 255.255.255.0
 no shut
!
ip vrf CX_B
 rd 2:101
 route-target export 2:101
 route-target export 1:101
 route-target import 2:101
 route-target import 1:101
!
!
router ospf 2
 router-id 1.1.1.5
 network 10.4.5.0 0.0.0.255 area 0
!
router bgp 2
 bgp router-id 1.1.1.5
 bgp log-neighbor-changes
 neighbor 1.1.1.4 remote-as 2
 neighbor 1.1.1.4 update-source Loopback0
 !
 address-family vpnv4
  neighbor 1.1.1.4 activate
  neighbor 1.1.1.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CX_B
  neighbor 10.5.6.6 remote-as 65001
  neighbor 10.5.6.6 activate
  neighbor 10.5.6.6 as-override
 exit-address-family
!
mpls ldp router-id Loopback0 force
!
enable secret admin
!
line vty 0 4
 exec-timeout 300 0
 password admin
 transport input all
!
!
end

R6 (CE2 config)

!/// CE2 (CE-Router) ///
!
conf t
!
hostname R6
!
!
interface loopback0
 ip address 1.1.1.6 255.255.255.255
!
interface GigabitEthernet1
 ip address 10.5.6.6 255.255.255.0
 no shut
!
interface GigabitEthernet2
 ip address 192.168.20.6 255.255.255.0
 no shut
!
interface GigabitEthernet6
 ip address 192.168.2.136 255.255.255.0
 no shut
!
router bgp 65001
 bgp log-neighbor-changes
 network 192.168.20.0
 neighbor 10.5.6.5 remote-as 2
!
enable secret admin
!
line vty 0 4
 exec-timeout 300 0
 password admin
 transport input all
!
!
end

4. Key points of each config

4.1 CE

Nothing special. Assign the IP addresses and peer eBGP with the PE.

4.2 PE

Configure a VRF facing the CE and peer BGP inside it.
Don't forget as-override (both CEs use the same AS number, so without it the remote CE would reject its own AS in the AS_PATH).
Understanding route-target was required. VPNv4 inside the service provider [BGP AS x].
Inside the service provider it is MPLS.

4.3 ASBR

Don't forget next-hop-self toward the iBGP peer inside the AS.
VPNv4 inside the service provider [BGP AS x]
I changed the OSPF process ID inside the second service provider on a whim.
Inside the service provider it is MPLS.
Note that no bgp default route-target filter makes the ASBR accept every VPNv4 route the neighbouring AS offers, whatever its route target. In a lab that is fine, but between real providers the ASBR-to-ASBR eBGP session is the trust boundary, so you would add an inbound route-target based filter there (and authenticate the session).

5. Verification

5.1 CE

Connectivity check from CE1 to CE2

R1#traceroute 192.168.20.6 source 192.168.10.1
Type escape sequence to abort.
Tracing the route to 192.168.20.6
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.2.2 1 msec 1 msec 1 msec
  2 10.2.3.3 [MPLS: Label 21 Exp 0] 3 msec 3 msec 3 msec
  3 10.3.4.4 [MPLS: Label 20 Exp 0] 3 msec 4 msec 3 msec
  4 10.5.6.5 [MPLS: Label 18 Exp 0] 3 msec 2 msec 2 msec
  5 10.5.6.6 3 msec *  4 msec
R1#
R1#ping 192.168.20.6 source 192.168.10.1      
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.6, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/4 ms
R1#

Connectivity check from CE2 to CE1

R6#traceroute 192.168.10.1 source 192.168.20.6
Type escape sequence to abort.
Tracing the route to 192.168.10.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.5.6.5 2 msec 1 msec 1 msec
  2 10.4.5.4 [MPLS: Label 21 Exp 0] 4 msec 3 msec 3 msec
  3 10.3.4.3 [MPLS: Label 19 Exp 0] 3 msec 3 msec 3 msec
  4 10.1.2.2 [MPLS: Label 17 Exp 0] 3 msec 3 msec 3 msec
  5 10.1.2.1 3 msec *  4 msec
R6#
R6#ping 192.168.10.1 source 192.168.20.6      
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.6 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R6#

5.2 PE

5.2.1 route-target

The route-targets are configured under the VRF.

ip vrf (online help; excerpt)
R2(config)#ip vrf CX_B
R2(config-vrf)#?
VPN Routing/Forwarding instance configuration commands:
  rd               Specify Route Distinguisher

R2(config-vrf)#rd ?
  ASN:nn, IP-address:nn or 4BASN:nn  VPN Route Distinguisher

R2(config-vrf)#   

(1) On PE1, the VRF facing CE1 is configured with rd 1:101. Deliberately, only CE1's own route target (1:101) is configured for now.

R2(config-vrf)#do sh run vrf
Building configuration...

Current configuration : 414 bytes
ip vrf CX_B
 rd 1:101
 route-target export 1:101
 route-target import 1:101
!
!
(rest omitted)

On PE2 on the far side, likewise deliberately only CE2's own route target (2:101).

R5(config-vrf)#do sh run vrf
Building configuration...

Current configuration : 387 bytes
ip vrf CX_B
 rd 2:101
 route-target export 2:101
 route-target import 2:101
!
!
(rest omitted)

As it stands, CE2's prefix does not reach CE1: PE2 exports only 2:101 and PE1 imports only 1:101, so nothing matches.

R1#show ip route bgp | begin Gateway
Gateway of last resort is not set

R1#

(2) Add route-target import 2:101 to PE1's VRF.

R2(config-vrf)#do sh run vrf
Building configuration...

Current configuration : 414 bytes
ip vrf CX_B
 rd 1:101
 route-target export 1:101
 route-target import 1:101
 route-target import 2:101
!
!

CE2's prefix has come in.

R1#show ip route bgp | begin Gateway
Gateway of last resort is not set

B     192.168.20.0/24 [20/0] via 10.1.2.2, 00:00:03
R1#

But CE1's prefix does not reach CE2, because PE1 still exports only 1:101 and PE2 imports only 2:101.

R6#show ip route bgp | begin Gateway
Gateway of last resort is not set

R6#

(3) Add route-target export 2:101 to PE1's VRF.

R2(config-vrf)#do sh run vrf
Building configuration...

Current configuration : 441 bytes
ip vrf CX_B
 rd 1:101
 route-target export 1:101
 route-target export 2:101
 route-target import 1:101
 route-target import 2:101
!
!
(rest omitted)

CE1's prefix has come in.

R6#show ip route bgp | begin Gateway
Gateway of last resort is not set

B     192.168.10.0/24 [20/0] via 10.5.6.5, 00:00:08
R6#

A VPNv4 route is installed into a VRF only when one of the route targets it carries matches one of that VRF's import route targets, so the PE VRFs must export and import the right route targets for the requirement.

5.3 ASBR

5.3.1 no bgp default route-target filter

According to Cisco Press, MPLS Configuration on Cisco IOS Software:
The default behavior is to deny incoming VPNv4 prefixes that are not otherwise imported into any local VRF.

It says to configure no bgp default route-target filter on the ASBR.
With the default in place, AS2's VPNv4 routes (and the labels that come with them) never get into AS1, and vice versa: the ASBR has no VRF that imports their route targets, so it silently discards them. That is why this setting is needed.
It was not in the command reference, so I looked at the online help.

bgp default route-target filter (online help; excerpt)

R3(config-router)#no bgp ?
  default                  Configure BGP defaults

R3(config-router)#no bgp default ?
  route-target      Control behavior based on Route-Target attributes

R3(config-router)#no bgp default route-target ?
  filter  Control automatic VPN Route-Target filtering

R3(config-router)#no bgp default route-target filter 
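
The behaviour in 5.2.1 and 5.3.1 comes down to one rule, route-target matching, so here is a small Python model of it. This is an added example written for this page, not code from the original post. It replays the three route-target steps of 5.2.1 for the two PE VRFs, and also shows what happens when an ASBR that has no VRF is left at the IOS default (route-target filter on). The RDs, RTs and the two prefixes are taken from the configs on this page; the class and function names are my own.

```python
"""Model of route-target (RT) matching at the PE VRFs (section 5.2.1) and of
the ASBR's default route-target filter (section 5.3.1).

Added example, not code from the original post. The RDs and RTs come from
the page's configs and the two prefixes are the CE prefixes shown on the
page; the class and function names are my own."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRoute:
    rd: str                  # route distinguisher prepended by the exporting PE
    prefix: str              # IPv4 prefix learned from the CE
    export_rts: frozenset    # RT extended communities attached on export


@dataclass
class Vrf:
    rd: str
    export_rts: set = field(default_factory=set)
    import_rts: set = field(default_factory=set)

    def export(self, prefix: str) -> VpnRoute:
        """A CE prefix leaves the PE as a VPNv4 route tagged with the export RTs."""
        return VpnRoute(self.rd, prefix, frozenset(self.export_rts))

    def imports(self, route: VpnRoute) -> bool:
        """A VPNv4 route lands in this VRF only if one of its RTs is an import RT."""
        return bool(route.export_rts & self.import_rts)


def asbr_accepts(route: VpnRoute, local_import_rts: set, rt_filter_enabled: bool) -> bool:
    """IOS ASBR behaviour: with the default route-target filter enabled, a
    received VPNv4 route is dropped unless a local VRF imports one of its RTs.
    The ASBRs on this page have no VRF, so the filter has to be turned off
    (no bgp default route-target filter) for any route to get through."""
    if not rt_filter_enabled:
        return True
    return bool(route.export_rts & local_import_rts)


def ce_routes(pe1: Vrf, pe2: Vrf, asbr_rt_filter: bool = False) -> dict:
    """Remote prefix each CE ends up with: PE export -> ASBR1 -> ASBR2 -> PE import.
    asbr_rt_filter=False models the page's ASBRs; True models the IOS default."""
    from_ce1 = pe1.export("192.168.10.0/24")   # behind CE1 in AS 1
    from_ce2 = pe2.export("192.168.20.0/24")   # behind CE2 in AS 2
    asbr_vrf_import_rts: set = set()           # the ASBRs carry no VRF
    seen = {"CE1": [], "CE2": []}
    if asbr_accepts(from_ce2, asbr_vrf_import_rts, asbr_rt_filter) and pe1.imports(from_ce2):
        seen["CE1"].append(from_ce2.prefix)
    if asbr_accepts(from_ce1, asbr_vrf_import_rts, asbr_rt_filter) and pe2.imports(from_ce1):
        seen["CE2"].append(from_ce1.prefix)
    return seen


def walk_through() -> list:
    """Replays steps (1) to (3) of section 5.2.1; returns one result per step."""
    pe1 = Vrf("1:101", {"1:101"}, {"1:101"})
    pe2 = Vrf("2:101", {"2:101"}, {"2:101"})
    steps = [ce_routes(pe1, pe2)]        # (1) each PE only its own RT: nothing crosses
    pe1.import_rts.add("2:101")
    steps.append(ce_routes(pe1, pe2))    # (2) PE1 imports 2:101: CE1 sees CE2's prefix
    pe1.export_rts.add("2:101")
    steps.append(ce_routes(pe1, pe2))    # (3) PE1 exports 2:101: CE2 sees CE1's prefix
    return steps


if __name__ == "__main__":
    for n, result in enumerate(walk_through(), start=1):
        print(f"step ({n}): {result}")
    # Same VRFs as step (3), but ASBRs left at the IOS default: everything is filtered.
    pe1 = Vrf("1:101", {"1:101", "2:101"}, {"1:101", "2:101"})
    pe2 = Vrf("2:101", {"2:101"}, {"2:101"})
    print("ASBR default RT filter:", ce_routes(pe1, pe2, asbr_rt_filter=True))
```

Running it prints one line per step, matching the three show ip route bgp results above; the last line shows that with the filter left on, the ASBR discards both VPNv4 routes even though the PE VRFs are correct, which is exactly the silent failure no bgp default route-target filter avoids.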

5.3.2 mpls bgp forwarding

This is needed for labeled VPNv4 traffic to be forwarded from AS1 to AS2, and vice versa. There is no LDP on the ASBR-to-ASBR link; the labels on that link come from the eBGP VPNv4 session, and mpls bgp forwarding is what enables MPLS forwarding on that interface.
Command reference:
mpls bgp forwarding (see 7.3)

(1) ASBR1: Gi1 without "mpls bgp forwarding"

R3#show mpls forwarding-table 
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop    
Label      Label      or Tunnel Id     Switched      interface              
17         No Label   1.1.1.4/32       0             Gi1        10.3.4.4    
18         Pop Label  1.1.1.2/32       0             Gi2        10.2.3.2    
19         17         1:101:192.168.10.0/24   \
                                       0             Gi2        10.2.3.2    
20         No Label   10.3.4.4/32      0             Gi1        10.3.4.4    
21         20         2:101:192.168.20.0/24   \
                                       0             drop
R3#

If you forget this, the prefix still reaches the CE via BGP, but only in appearance; traffic does not get through,
because label forwarding between the ASBRs is not in place:
the entry for 2:101:192.168.20.0/24 is dropped.

R1#show ip route bgp | begin Gate
Gateway of last resort is not set

B     192.168.20.0/24 [20/0] via 10.1.2.2, 01:01:09
R1#
R1#traceroute 192.168.20.6 source 192.168.10.1
Type escape sequence to abort.
Tracing the route to 192.168.20.6
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.2.2 1 msec 1 msec 1 msec
  2  *  *  * 
  3  *  *  * 
  4  *  *  * 
  5  *  *  * 
  6  *  *  * 
  7  *  *  * 
  8  *  *  * 
  9  *  *  * 
 10  *  *  * 
 11  *  *  * 
 12  *  *  * 
 13  *  *  * 
 14  *  *  * 
 15  *  *  * 
 16  *  *  * 
 17  *  *  * 
 18  *  *  * 
 19  *  *  * 
 20  *  *  * 
 21  *  *  * 
 22  *  *  * 
 23  *  *  * 
 24  *  *  * 
 25  *  *  * 
 26  *  *  * 
 27  *  *  * 
 28  *  *  * 
 29  *  *  * 
 30  *  *  * 
R1#

(2) ASBR1: Gi1 with "mpls bgp forwarding" configured

R3#show mpls forwarding-table 
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop    
Label      Label      or Tunnel Id     Switched      interface              
17         No Label   1.1.1.4/32       0             Gi1        10.3.4.4    
18         Pop Label  1.1.1.2/32       0             Gi2        10.2.3.2    
19         17         1:101:192.168.10.0/24   \
                                       5312          Gi2        10.2.3.2    
20         Pop Label  10.3.4.4/32      0             Gi1        10.3.4.4    
21         20         2:101:192.168.20.0/24   \
                                       9754          Gi1        10.3.4.4    
R3#

Label forwarding between the ASBRs is now correct and end-to-end connectivity works.
This was another thing I had been stuck on.

R1#show ip route bgp | begin Gate             
Gateway of last resort is not set

B     192.168.20.0/24 [20/0] via 10.1.2.2, 01:08:53
R1#
R1#traceroute 192.168.20.6 source 192.168.10.1
Type escape sequence to abort.
Tracing the route to 192.168.20.6
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.2.2 1 msec 1 msec 1 msec
  2 10.2.3.3 [MPLS: Label 21 Exp 0] 3 msec 3 msec 2 msec
  3 10.3.4.4 [MPLS: Label 20 Exp 0] 6 msec 3 msec 3 msec
  4 10.5.6.5 [MPLS: Label 18 Exp 0] 2 msec 2 msec 3 msec
  5 10.5.6.6 3 msec *  4 msec
R1#
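
As an added check (my own code, not from the original post), here is a parser for the show mpls forwarding-table output above that re-joins the rows IOS wraps with a trailing backslash and flags any VPN prefix whose outgoing interface is drop. The two embedded listings are constructed copies of the R3 output before and after mpls bgp forwarding was added; the function names are my own.

```python
"""Parser for IOS `show mpls forwarding-table` output that flags VPN
prefixes whose outgoing interface is "drop", the symptom shown above when
mpls bgp forwarding is missing on the ASBR-to-ASBR link.

Added example, not code from the original post. BEFORE_FIX and AFTER_FIX
are constructed copies of the R3 output on this page; names are my own."""
import re

# One LFIB row after any wrapped continuation line has been re-joined.
_ROW = re.compile(
    r"^(?P<local>\d+)\s+"
    r"(?P<outgoing>No Label|Pop Label|Aggregate|\d+)\s+"
    r"(?P<prefix>\S+)\s+"
    r"(?P<bytes>\d+)\s+"
    r"(?P<interface>\S+)"
    r"(?:\s+(?P<nexthop>\S+))?\s*$"
)
# VPN entries carry the RD in front of the prefix, e.g. 1:101:192.168.10.0/24
_VPN_PREFIX = re.compile(r"^\S+:\S+:\d+\.\d+\.\d+\.\d+/\d+$")

BEFORE_FIX = r"""
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
17         No Label   1.1.1.4/32       0             Gi1        10.3.4.4
18         Pop Label  1.1.1.2/32       0             Gi2        10.2.3.2
19         17         1:101:192.168.10.0/24   \
                                       0             Gi2        10.2.3.2
20         No Label   10.3.4.4/32      0             Gi1        10.3.4.4
21         20         2:101:192.168.20.0/24   \
                                       0             drop
"""

AFTER_FIX = r"""
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
17         No Label   1.1.1.4/32       0             Gi1        10.3.4.4
18         Pop Label  1.1.1.2/32       0             Gi2        10.2.3.2
19         17         1:101:192.168.10.0/24   \
                                       5312          Gi2        10.2.3.2
20         Pop Label  10.3.4.4/32      0             Gi1        10.3.4.4
21         20         2:101:192.168.20.0/24   \
                                       9754          Gi1        10.3.4.4
"""


def parse_lfib(text: str) -> list:
    """Returns one dict per LFIB row. IOS wraps a row with a trailing backslash
    when the prefix column is too wide; those halves are joined back first."""
    rows, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):                 # first half of a wrapped row
            pending = line[:-1].rstrip() + " "
            continue
        line, pending = pending + line.lstrip(), ""
        match = _ROW.match(line)
        if match:                               # headers and prompts never match
            row = match.groupdict()
            row["vpn"] = bool(_VPN_PREFIX.match(row["prefix"]))
            rows.append(row)
    return rows


def broken_vpn_entries(rows: list) -> list:
    """VPN prefixes the router advertised a label for but cannot forward."""
    return [r["prefix"] for r in rows if r["vpn"] and r["interface"] == "drop"]


if __name__ == "__main__":
    for name, text in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        rows = parse_lfib(text)
        print(f"{name}: {len(rows)} rows, broken VPN entries: {broken_vpn_entries(rows)}")
```

A non-empty result from broken_vpn_entries is the condition to alert on: the route has been advertised to the far CE, so traffic will be attracted and then dropped, which is the state the failed traceroute above shows.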

5.3.3 no bgp default ipv4-unicast

By default IOS activates every configured BGP neighbor in the IPv4 unicast address family. The ASBRs in this lab exchange only VPNv4 with their neighbors and don't use address-family ipv4 for them, so this command turns that default off.
The explanation at the link below was very easy to understand.
Logs Cisco ACI / CCIE study site
I tried it myself and it made sense.

6. Comparison with the other options

Cisco Press
BGP Design and Implementation
Chap.10 Multiprotocol BGP and MPLS VPN
P480 Comparison and Contrast of Four Inter-AS Options

Inter-AS
Option A: Complexity / Scalability = Low / Low
Option B: Complexity / Scalability = Medium / Medium

Is the next target even harder...
Option C: Complexity / Scalability = High / High

I could really feel the scalability gain that comes from the ASBRs needing no VRF configuration.
Option B is already complicated, and C is even more so?

Once I have labbed and understood Inter-AS Option C, I will write it up on this blog.

7. References

7.1 Cisco Press

① MPLS Configuration on Cisco IOS Software
   Chap.7 Inter-Provider VPNs
② BGP Design and Implementation
   Chap.10 Multiprotocol BGP and MPLS VPN

7.2 Reference URLs

① katorea memo (Inter-AS Option B) https://gemunopedy.hatenadiary.com/entry/2017/05/08/210906

② Configuration and Verification of Layer 3 MPLS VPN Inter-AS Option B using Cisco IOS and IOS XR https://www.cisco.com/c/ja_jp/support/docs/multiprotocol-label-switching-mpls/mpls/200557-Configuration-and-Verification-of-Layer.html

③ Logs (VPN: no bgp default ipv4-unicast) https://www.sash.jp/vpn-no-bgp-default-ipv4-unicast

7.3 Command references

Cisco IOS IP Routing: BGP Command Reference
Command: neighbor as-override split-horizon
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/command/irg-cr-book/bgp-m1.html#wp2080622590

Cisco IOS Multiprotocol Label Switching Command Reference
Command: mpls bgp forwarding
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mpls/command/mp-cr-book/mp-m1.html#wp4243947304

7.4 Markdown

hero-rin's blog (Markdown syntax usable on Hatena)
https://hero-rin.hatenablog.com/entry/2019/03/05/022708