Inter-AS Option B
I spent most of Golden Week reading SEGMENT ROUTING Part I and Part II.
SEGMENT ROUTING Part II, p. 137:
> If there are eBGP sessions involved, as typically is the case, they must be configured with next-hop-unchanged under the BGP address-family to ensure the BGP next hop of the service route is not updated when propagating it.
Seeing this note about next-hop-unchanged, I wondered in which situation it applies; going back over Cisco-Press and my past lab notes brought several things back:
① On the RR in Inter-AS Option C, next-hop-unchanged is used.
② I had read about Inter-AS Options A, B, C and D and thought I understood them, but I remembered that Inter-AS Option B had completely beaten me. (Inter-AS Option A had already been verified.)
Half a year later I took on Inter-AS Option B again, and since I finally understood it by working through it hands-on, here is a write-up of the lab results.
- 1. Inter-AS Option B
- 2. Topology (Single-Hop Multiprotocol eBGP for VPNv4)
- 3. config
- 4. Key points of each configuration
- 5. Verification
- 6. Comparison with the other Options
- 7. References
1. Inter-AS Option B
Roughly speaking: a method in which different ASes (Autonomous Systems) exchange labeled routes with each other so that end-to-end communication works across them.
RFC 4364, BGP/MPLS IP Virtual Private Networks (VPNs), section 10 "Multi-AS Backbones" (https://tools.ietf.org/html/rfc4364#page-32):
> b) EBGP redistribution of labeled VPN-IPv4 routes from AS to neighboring AS.
That is probably why it is called Option B.
2. Topology (Single-Hop Multiprotocol eBGP for VPNv4)
Physical topology (figure)
Logical topology (figure)
I used CML-P (Version: 2.1.2-b39).
CSR 1000v (IOS XE 16.11.01b)
3. config
I was blown away by Markdown. Collapsible sections! Amazing!
hero-rin's blog: Markdown syntax you can use on Hatena
R1 (CE1 config)
```
!/// CE1 (CE-Router) ///
!
conf t
!
hostname R1
!
interface loopback0
 ip address 1.1.1.1 255.255.255.255
 no shut
!
interface GigabitEthernet1
 ip address 10.1.2.1 255.255.255.0
 no shut
!
interface GigabitEthernet2
 ip address 192.168.10.1 255.255.255.0
 no shut
!
interface GigabitEthernet6
 ip address 192.168.2.131 255.255.255.0
 no shut
!
router bgp 65001
 bgp log-neighbor-changes
 network 192.168.10.0
 neighbor 10.1.2.2 remote-as 1
!
enable secret admin
!
line vty 0 4
 exec-timeout 300 0
 password admin
 transport input all
!
!
end
```
R2 (PE1 config)
```
!/// PE1 (PE-Router) ///
!
conf t
!
hostname R2
!
!
interface Loopback0
 ip address 1.1.1.2 255.255.255.255
 ip ospf 1 area 0
!
interface GigabitEthernet2
 ip address 10.2.3.2 255.255.255.0
 no shut
!
interface GigabitEthernet6
 ip address 192.168.2.132 255.255.255.0
 no shut
!
ip vrf CX_B
 rd 1:101
 route-target export 1:101
 route-target import 1:101
 route-target export 2:101
 route-target import 2:101
!
interface GigabitEthernet1
 ip vrf forwarding CX_B
 ip address 10.1.2.2 255.255.255.0
!
!
router ospf 1
 router-id 1.1.1.2
 network 10.2.3.0 0.0.0.255 area 0
!
router bgp 1
 bgp router-id 1.1.1.2
 bgp log-neighbor-changes
 neighbor 1.1.1.3 remote-as 1
 neighbor 1.1.1.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 1.1.1.3 activate
  neighbor 1.1.1.3 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CX_B
  neighbor 10.1.2.1 remote-as 65001
  neighbor 10.1.2.1 activate
  neighbor 10.1.2.1 as-override
 exit-address-family
!
mpls ldp router-id Loopback0 force
!
interface GigabitEthernet2
 mpls ip
!
enable secret admin
!
line vty 0 4
 exec-timeout 300 0
 password admin
 transport input all
!
!
end
```
R3 (ASBR1 config)
```
!/// ASBR1 (ASBR) ///
!
conf t
!
hostname R3
!
!
interface Loopback0
 ip address 1.1.1.3 255.255.255.255
 ip ospf 1 area 0
!
interface GigabitEthernet1
 ip address 10.3.4.3 255.255.255.0
 mpls bgp forwarding
 no shut
!
interface GigabitEthernet2
 ip address 10.2.3.3 255.255.255.0
 mpls ip
 no shut
!
interface GigabitEthernet6
 ip address 192.168.2.133 255.255.255.0
 no shut
!
!
ip route 1.1.1.4 255.255.255.255 10.3.4.4
!
router ospf 1
 router-id 1.1.1.3
 network 10.2.3.0 0.0.0.255 area 0
!
router bgp 1
 bgp router-id 1.1.1.3
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 no bgp default route-target filter
 neighbor 1.1.1.2 remote-as 1
 neighbor 1.1.1.2 update-source Loopback0
 neighbor 10.3.4.4 remote-as 2
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 1.1.1.2 activate
  neighbor 1.1.1.2 send-community extended
  neighbor 1.1.1.2 next-hop-self
  neighbor 10.3.4.4 activate
  neighbor 10.3.4.4 send-community extended
 exit-address-family
!
enable secret admin
!
line vty 0 4
 exec-timeout 300 0
 password admin
 transport input all
!
!
end
```
R4 (ASBR2 config)
```
!/// ASBR2 (ASBR) ///
!
conf t
!
hostname R4
!
!
interface Loopback0
 ip address 1.1.1.4 255.255.255.255
 ip ospf 2 area 0
!
interface GigabitEthernet1
 ip address 10.3.4.4 255.255.255.0
 mpls bgp forwarding
 no shut
!
interface GigabitEthernet2
 ip address 10.4.5.4 255.255.255.0
 mpls ip
 no shut
!
interface GigabitEthernet6
 ip address 192.168.2.134 255.255.255.0
 mpls ip
 no shut
!
!
!
router ospf 2
 router-id 1.1.1.4
 network 10.4.5.0 0.0.0.255 area 0
!
router bgp 2
 bgp router-id 1.1.1.4
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 no bgp default route-target filter
 neighbor 1.1.1.5 remote-as 2
 neighbor 1.1.1.5 update-source Loopback0
 neighbor 10.3.4.3 remote-as 1
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 1.1.1.5 activate
  neighbor 1.1.1.5 send-community extended
  neighbor 1.1.1.5 next-hop-self
  neighbor 10.3.4.3 activate
  neighbor 10.3.4.3 send-community extended
 exit-address-family
!
!
enable secret admin
!
line vty 0 4
 exec-timeout 300 0
 password admin
 transport input all
!
!
end
```
R5 (PE2 config)
```
!/// PE2 (PE-Router) ///
!
conf t
!
hostname R5
!
!
interface Loopback0
 ip address 1.1.1.5 255.255.255.255
 ip ospf 2 area 0
!
! The VRF is defined before the interface that references it,
! otherwise "ip vrf forwarding CX_B" is rejected when pasted in order.
ip vrf CX_B
 rd 2:101
 route-target export 2:101
 route-target export 1:101
 route-target import 2:101
 route-target import 1:101
!
interface GigabitEthernet1
 ip vrf forwarding CX_B
 ip address 10.5.6.5 255.255.255.0
!
interface GigabitEthernet2
 ip address 10.4.5.5 255.255.255.0
 mpls ip
 no shut
!
interface GigabitEthernet6
 ip address 192.168.2.135 255.255.255.0
 no shut
!
!
router ospf 2
 router-id 1.1.1.5
 network 10.4.5.0 0.0.0.255 area 0
!
router bgp 2
 bgp router-id 1.1.1.5
 bgp log-neighbor-changes
 neighbor 1.1.1.4 remote-as 2
 neighbor 1.1.1.4 update-source Loopback0
 !
 address-family vpnv4
  neighbor 1.1.1.4 activate
  neighbor 1.1.1.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CX_B
  neighbor 10.5.6.6 remote-as 65001
  neighbor 10.5.6.6 activate
  neighbor 10.5.6.6 as-override
 exit-address-family
!
mpls ldp router-id Loopback0 force
!
enable secret admin
!
line vty 0 4
 exec-timeout 300 0
 password admin
 transport input all
!
!
end
```
R6 (CE2 config)
```
!/// CE2 (CE-Router) ///
!
conf t
!
hostname R6
!
!
interface loopback0
 ip address 1.1.1.6 255.255.255.255
!
interface GigabitEthernet1
 ip address 10.5.6.6 255.255.255.0
 no shut
!
interface GigabitEthernet2
 ip address 192.168.20.6 255.255.255.0
 no shut
!
interface GigabitEthernet6
 ip address 192.168.2.136 255.255.255.0
 no shut
!
router bgp 65001
 bgp log-neighbor-changes
 network 192.168.20.0
 neighbor 10.5.6.5 remote-as 2
!
enable secret admin
!
line vty 0 4
 exec-timeout 300 0
 password admin
 transport input all
!
!
end
```
4. Key points of each configuration
4.1 CE
Nothing special. Assign IP addresses and peer eBGP with the PE.
4.2 PE
Configure a VRF toward the CE and the BGP peering.
Don't forget as-override (both CEs are in the same AS).
Understanding route-target was essential.
vpnv4 inside the Service Provider [BGP AS x]
MPLS inside the Service Provider
4.3 ASBR
Don't forget next-hop-self toward the iBGP peer inside the AS.
vpnv4 inside the Service Provider [BGP AS x]
I changed the OSPF process ID inside the Service Provider on a whim.
MPLS inside the Service Provider
5. Verification
5.1 CE
Reachability check from CE1 to CE2
```
R1#traceroute 192.168.20.6 source 192.168.10.1
Type escape sequence to abort.
Tracing the route to 192.168.20.6
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.2.2 1 msec 1 msec 1 msec
  2 10.2.3.3 [MPLS: Label 21 Exp 0] 3 msec 3 msec 3 msec
  3 10.3.4.4 [MPLS: Label 20 Exp 0] 3 msec 4 msec 3 msec
  4 10.5.6.5 [MPLS: Label 18 Exp 0] 3 msec 2 msec 2 msec
  5 10.5.6.6 3 msec *  4 msec
R1#
```
```
R1#ping 192.168.20.6 source 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.6, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/4 ms
R1#
```
Reachability check from CE2 to CE1
```
R6#traceroute 192.168.10.1 source 192.168.20.6
Type escape sequence to abort.
Tracing the route to 192.168.10.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.5.6.5 2 msec 1 msec 1 msec
  2 10.4.5.4 [MPLS: Label 21 Exp 0] 4 msec 3 msec 3 msec
  3 10.3.4.3 [MPLS: Label 19 Exp 0] 3 msec 3 msec 3 msec
  4 10.1.2.2 [MPLS: Label 17 Exp 0] 3 msec 3 msec 3 msec
  5 10.1.2.1 3 msec *  4 msec
R6#
```
```
R6#ping 192.168.10.1 source 192.168.20.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R6#
```
5.2 PE
5.2.1 route-target
The route-targets are configured under the VRF.
ip vrf (online help, partial excerpt)
```
R2(config)#ip vrf CX_B
R2(config-vrf)#?
VPN Routing/Forwarding instance configuration commands:
  rd  Specify Route Distinguisher
R2(config-vrf)#rd ?
  ASN:nn, IP-address:nn or 4BASN:nn  VPN Route Distinguisher
R2(config-vrf)#
```
(1) On PE1, rd 1:101 is configured for the VRF facing CE1. Deliberately, only the CE1-side route-targets are set.
```
R2(config-vrf)#do sh run vrf
Building configuration...

Current configuration : 414 bytes
ip vrf CX_B
 rd 1:101
 route-target export 1:101
 route-target import 1:101
!
!
```
(rest omitted)
On the opposite side, PE2 is likewise deliberately given only the CE2-side route-targets.
```
R5(config-vrf)#do sh run vrf
Building configuration...

Current configuration : 387 bytes
ip vrf CX_B
 rd 2:101
 route-target export 2:101
 route-target import 2:101
!
!
```
(rest omitted)
In this state, nothing from CE2 comes in.
```
R1#show ip route bgp | begin Gateway
Gateway of last resort is not set

R1#
```
(2) Add route-target import 2:101 to PE1's VRF.
```
R2(config-vrf)#do sh run vrf
Building configuration...

Current configuration : 414 bytes
ip vrf CX_B
 rd 1:101
 route-target export 1:101
 route-target import 1:101
 route-target import 2:101
!
!
```
The CE2-side prefix has come in.
```
R1#show ip route bgp | begin Gateway
Gateway of last resort is not set

B     192.168.20.0/24 [20/0] via 10.1.2.2, 00:00:03
R1#
```
However, CE1's prefix does not appear on the CE2 side.
```
R6#show ip route bgp | begin Gateway
Gateway of last resort is not set

R6#
```
(3) Add route-target export 2:101 to PE1's VRF.
```
R2(config-vrf)#do sh run vrf
Building configuration...

Current configuration : 441 bytes
ip vrf CX_B
 rd 1:101
 route-target export 1:101
 route-target export 2:101
 route-target import 1:101
 route-target import 2:101
!
!
```
(rest omitted)
The CE1-side prefix has come in.
```
R6#show ip route bgp | begin Gateway
Gateway of last resort is not set

B     192.168.10.0/24 [20/0] via 10.5.6.5, 00:00:08
R6#
```
The route-targets in the PE's VRF must be set appropriately for the requirements: a prefix only appears on the far side when the exporting PE tags it with an RT that the importing PE's VRF imports.
5.3 ASBR
5.3.1 no bgp default route-target filter
According to Cisco-Press,
MPLS Configuration on Cisco IOS Software:
> The default behavior is to deny incoming VPNv4 prefixes that are not otherwise imported into any local VRF.
It says to configure no bgp default route-target filter on the ASBR.
With the default, AS2's vpnv4 routes and labels do not enter AS1, and vice versa, because an Option B ASBR has no VRF that imports them. That is why this setting is required.
It was not in the command reference, so I looked at the online help.
bgp default route-target filter (online help, partial excerpt)
```
R3(config-router)#no bgp ?
  default  Configure BGP defaults
R3(config-router)#no bgp default ?
  route-target  Control behavior based on Route-Target attributes
R3(config-router)#no bgp default route-target ?
  filter  Control automatic VPN Route-Target filtering
R3(config-router)#no bgp default route-target filter
```
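To make the route-target matching of 5.2.1 and the ASBR filter of 5.3.1 concrete, here is a small Python model. It is an added illustration, not the lab's own code: the RD/RT values and prefixes are those of the lab, the function names and the step labels are mine, and the ASBR is modelled as holding no VRF at all (the Option B case), so with the default filter it would keep nothing.

```python
"""Model of VPNv4 route-target import/export (5.2.1) and the ASBR's default
route-target filter (5.3.1). Added illustration, not the lab's own code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRoute:
    rd: str            # route distinguisher, e.g. "1:101"
    prefix: str        # customer prefix, e.g. "192.168.10.0/24"
    rts: frozenset     # RT extended communities attached at export
    origin_pe: str


@dataclass
class Vrf:
    rd: str
    export_rts: set = field(default_factory=set)
    import_rts: set = field(default_factory=set)


def export_routes(pe, vrf, prefixes):
    """A PE advertises each VRF prefix into VPNv4 tagged with the VRF's export RTs."""
    return [VpnRoute(vrf.rd, p, frozenset(vrf.export_rts), pe) for p in prefixes]


def imports(vrf, route):
    """RFC 4364 import rule: any attached RT matching one import RT is enough."""
    return bool(vrf.import_rts & route.rts)


def asbr_accepts(route, local_vrfs, rt_filter_on):
    """Default IOS behaviour keeps only VPNv4 routes that some local VRF would
    import. 'no bgp default route-target filter' switches that check off."""
    if not rt_filter_on:
        return True
    return any(imports(v, route) for v in local_vrfs)


def learned_prefixes(pe1_vrf, pe2_vrf, pe1_prefixes, pe2_prefixes, rt_filter_on):
    """Remote prefixes each PE's VRF ends up with after crossing ASBR1/ASBR2."""
    asbr_vrfs = []  # Option B: the ASBRs carry VPNv4 routes but hold no VRF

    def cross_asbrs(routes):
        return [r for r in routes if asbr_accepts(r, asbr_vrfs, rt_filter_on)]

    pe1 = {r.prefix for r in cross_asbrs(export_routes("PE2", pe2_vrf, pe2_prefixes))
           if imports(pe1_vrf, r)}
    pe2 = {r.prefix for r in cross_asbrs(export_routes("PE1", pe1_vrf, pe1_prefixes))
           if imports(pe2_vrf, r)}
    return {"PE1": pe1, "PE2": pe2}


CE1_PREFIXES = ["192.168.10.0/24"]   # behind PE1 (AS 1)
CE2_PREFIXES = ["192.168.20.0/24"]   # behind PE2 (AS 2)


def lab_steps():
    """Replay steps (1)-(3) of 5.2.1 with the ASBR filter disabled, then show
    what step (3) gives if 'no bgp default route-target filter' were missing."""
    pe2 = Vrf(rd="2:101", export_rts={"2:101"}, import_rts={"2:101"})
    pe1 = Vrf(rd="1:101", export_rts={"1:101"}, import_rts={"1:101"})
    steps = {}
    steps["1"] = learned_prefixes(pe1, pe2, CE1_PREFIXES, CE2_PREFIXES, False)
    pe1.import_rts.add("2:101")          # (2) route-target import 2:101 on PE1
    steps["2"] = learned_prefixes(pe1, pe2, CE1_PREFIXES, CE2_PREFIXES, False)
    pe1.export_rts.add("2:101")          # (3) route-target export 2:101 on PE1
    steps["3"] = learned_prefixes(pe1, pe2, CE1_PREFIXES, CE2_PREFIXES, False)
    steps["3-default-filter"] = learned_prefixes(pe1, pe2, CE1_PREFIXES, CE2_PREFIXES, True)
    return steps


if __name__ == "__main__":
    for name, result in lab_steps().items():
        print(name, result)
```

Step "3-default-filter" is the point of 5.3.1: even with the PE route-targets fully correct, an ASBR left at its default filter silently discards every VPNv4 route, because no local VRF imports them.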
5.3.2 mpls bgp forwarding
This setting is needed to carry the vpnv4 label information from AS1 to AS2, and vice versa.
Command reference:
mpls bgp forwarding
(1) ASBR1: Gi1 without "mpls bgp forwarding" configured
```
R3#show mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
17         No Label   1.1.1.4/32       0             Gi1        10.3.4.4
18         Pop Label  1.1.1.2/32       0             Gi2        10.2.3.2
19         17         1:101:192.168.10.0/24   \
                                       0             Gi2        10.2.3.2
20         No Label   10.3.4.4/32      0             Gi1        10.3.4.4
21         20         2:101:192.168.20.0/24   \
                                       0             drop
R3#
```
If you forget this, the prefix is still advertised to the CE via BGP, but that is only for show: traffic does not get through.
∵ label switching between the ASBRs is not established
2:101:192.168.20.0/24 ends up as drop.
```
R1#show ip route bgp | begin Gate
Gateway of last resort is not set

B     192.168.20.0/24 [20/0] via 10.1.2.2, 01:01:09
R1#
R1#traceroute 192.168.20.6 source 192.168.10.1
Type escape sequence to abort.
Tracing the route to 192.168.20.6
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.2.2 1 msec 1 msec 1 msec
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *  *  *
  8  *  *  *
  9  *  *  *
 10  *  *  *
 11  *  *  *
 12  *  *  *
 13  *  *  *
 14  *  *  *
 15  *  *  *
 16  *  *  *
 17  *  *  *
 18  *  *  *
 19  *  *  *
 20  *  *  *
 21  *  *  *
 22  *  *  *
 23  *  *  *
 24  *  *  *
 25  *  *  *
 26  *  *  *
 27  *  *  *
 28  *  *  *
 29  *  *  *
 30  *  *  *
R1#
```
(2) ASBR1: Gi1 with "mpls bgp forwarding" configured
```
R3#show mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
17         No Label   1.1.1.4/32       0             Gi1        10.3.4.4
18         Pop Label  1.1.1.2/32       0             Gi2        10.2.3.2
19         17         1:101:192.168.10.0/24   \
                                       5312          Gi2        10.2.3.2
20         Pop Label  10.3.4.4/32      0             Gi1        10.3.4.4
21         20         2:101:192.168.20.0/24   \
                                       9754          Gi1        10.3.4.4
R3#
```
Label switching between the ASBRs is now normal and end-to-end reachability works.
This was another thing I had been stuck on.
```
R1#show ip route bgp | begin Gate
Gateway of last resort is not set

B     192.168.20.0/24 [20/0] via 10.1.2.2, 01:08:53
R1#
R1#traceroute 192.168.20.6 source 192.168.10.1
Type escape sequence to abort.
Tracing the route to 192.168.20.6
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.2.2 1 msec 1 msec 1 msec
  2 10.2.3.3 [MPLS: Label 21 Exp 0] 3 msec 3 msec 2 msec
  3 10.3.4.4 [MPLS: Label 20 Exp 0] 6 msec 3 msec 3 msec
  4 10.5.6.5 [MPLS: Label 18 Exp 0] 2 msec 2 msec 3 msec
  5 10.5.6.6 3 msec *  4 msec
R1#
```
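The failure in 5.3.2 is visible in the LFIB before any traffic is sent: the VPNv4 entry points at "drop". The following Python parser is an added check for exactly that, not code from the lab. It reads `show mpls forwarding-table` output (the two samples are transcribed from above, including the `\` continuation lines IOS prints for long VPN prefixes) and reports VPNv4 entries that cannot be label-switched. Treating "No Label"/"Untagged" VPN entries as broken in addition to "drop" is my generalisation; the function and field names are mine.

```python
"""Flag VPNv4 LFIB entries that are dropped or would leave without a label.
Added check, not the lab's own code; sample outputs are from section 5.3.2."""
import re
from dataclasses import dataclass
from typing import Optional

# One LFIB row after continuation lines have been joined.
ROW = re.compile(
    r"^(?P<local>\d+)\s+"
    r"(?P<outgoing>\d+|No\s+Label|Pop\s+Label|Untagged|Aggregate)\s+"
    r"(?P<prefix>\S+)\s+"
    r"(?P<bytes>\d+)\s+"
    r"(?P<iface>\S+)"
    r"(?:\s+(?P<nexthop>\S+))?\s*$"
)


@dataclass
class LfibEntry:
    local_label: int
    outgoing_label: str      # a label number, "No Label", "Pop Label", ...
    prefix: str              # plain prefix, or RD:prefix for VPNv4 entries
    bytes_switched: int
    out_iface: str           # "Gi1", "Gi2", or "drop"
    next_hop: Optional[str]


def _join_continuations(text):
    """IOS wraps long prefixes: a line ending in '\\' continues on the next one."""
    rows, pending = [], None
    for raw in text.splitlines():
        s = raw.strip()
        if pending is not None:
            s, pending = pending + " " + s, None
        if s.endswith("\\"):
            pending = s[:-1].rstrip()
            continue
        rows.append(s)
    if pending is not None:
        rows.append(pending)
    return rows


def parse_lfib(text):
    entries = []
    for row in _join_continuations(text):
        m = ROW.match(row)
        if not m:                # header lines and the "R3#" prompt do not match
            continue
        entries.append(LfibEntry(int(m["local"]), re.sub(r"\s+", " ", m["outgoing"]),
                                 m["prefix"], int(m["bytes"]), m["iface"], m["nexthop"]))
    return entries


def is_vpnv4(prefix):
    """VPNv4 entries are shown as RD:prefix, e.g. 2:101:192.168.20.0/24."""
    return prefix.count(":") >= 2


def broken_vpn_entries(text):
    """VPN prefixes that cannot be label-switched: dropped, or sent without a label."""
    return [e.prefix for e in parse_lfib(text)
            if is_vpnv4(e.prefix)
            and (e.out_iface == "drop" or e.outgoing_label in ("No Label", "Untagged"))]


# Constructed from the outputs in 5.3.2 (raw strings keep the '\' continuations).
LFIB_BEFORE = r"""R3#show mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
17         No Label   1.1.1.4/32       0             Gi1        10.3.4.4
18         Pop Label  1.1.1.2/32       0             Gi2        10.2.3.2
19         17         1:101:192.168.10.0/24   \
                                       0             Gi2        10.2.3.2
20         No Label   10.3.4.4/32      0             Gi1        10.3.4.4
21         20         2:101:192.168.20.0/24   \
                                       0             drop
R3#"""

LFIB_AFTER = r"""R3#show mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
17         No Label   1.1.1.4/32       0             Gi1        10.3.4.4
18         Pop Label  1.1.1.2/32       0             Gi2        10.2.3.2
19         17         1:101:192.168.10.0/24   \
                                       5312          Gi2        10.2.3.2
20         Pop Label  10.3.4.4/32      0             Gi1        10.3.4.4
21         20         2:101:192.168.20.0/24   \
                                       9754          Gi1        10.3.4.4
R3#"""

if __name__ == "__main__":
    print("before:", broken_vpn_entries(LFIB_BEFORE))
    print("after: ", broken_vpn_entries(LFIB_AFTER))
```

Run against the "before" output it reports 2:101:192.168.20.0/24; against the "after" output it reports nothing, which is the state to confirm on both ASBRs before declaring the inter-AS link healthy.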
5.3.3 no bgp default ipv4-unicast
The ASBRs in this lab do not use address-family ipv4, so this is used.
The explanation at the link below was very easy to follow.
Logs (Cisco ACI / CCIE study site)
I tried it myself and it made sense.
6. Comparison with the other Options
Cisco-Press
BGP Design and Implementation
Chap. 10 Multiprotocol BGP and MPLS VPN
p. 480 Comparison and Contrast of Four Inter-AS Options

| Inter-AS | Complexity | Scalability |
| --- | --- | --- |
| Option A | Low | Low |
| Option B | Medium | Medium |
| Option C | High | High |

Is the next target going to be even harder...
Since the ASBR needs no VRF configuration, I could clearly feel the scalability benefit.
Option B is already complicated, and it gets even more complicated than that?
Once I have tested and understood Inter-AS Option C as well, I will write it up on the blog.
7. References
7.1 Cisco-Press
① MPLS Configuration on Cisco IOS Software
Chap. 7 Inter-Provider VPNs
② BGP Design and Implementation
Chap. 10 Multiprotocol BGP and MPLS VPN
7.2 Reference URLs
① katorea memo (Inter-AS Option B) https://gemunopedy.hatenadiary.com/entry/2017/05/08/210906
② Configuration and Verification of Layer 3 MPLS VPN Inter-AS Option B with Cisco IOS and IOS XR https://www.cisco.com/c/ja_jp/support/docs/multiprotocol-label-switching-mpls/mpls/200557-Configuration-and-Verification-of-Layer.html
③ Logs (VPN no bgp default ipv4-unicast) https://www.sash.jp/vpn-no-bgp-default-ipv4-unicast
7.3 Command references
① Cisco IOS IP Routing: BGP Command Reference
Command: neighbor as-override split-horizon
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/command/irg-cr-book/bgp-m1.html#wp2080622590
② Cisco IOS Multiprotocol Label Switching Command Reference
Command: mpls bgp forwarding
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mpls/command/mp-cr-book/mp-m1.html#wp4243947304
7.4 Markdown
hero-rin's blog (Markdown syntax you can use on Hatena)
https://hero-rin.hatenablog.com/entry/2019/03/05/022708