CCIE lab対策(2.4.b Inter-AS L3VPN)その3 Inter-AS option C
Inter-AS option C が理解できたので自分のメモ用にアウトプットします。
1. Inter-AS Option C とは
Inter-AS Option C とは、Inter-AS Link で VPN を使って end-to-end の通信を行う方式です。
特徴は、ASBR-ASBR 間で VPN を使わずに、RR-RR 間で VPN の情報をやり取りする点です。
RR で VPN を集約するため最も scalability の高い設計方式と言えます。しかし、双方の AS 間で情報交換が必須な方式であるため、invasibe な方式であると言えます。
雑な一言でまとめると、可用性は高いけどマニアックなので難しいし面倒ということです。
今回は”CCIE Service Provider Training Videos ”にも助けられました。
learningnetwork.cisco.com
動画:MPLS L3VPN and CSC with Cisco IOS and Cisco IOS XR Lizabete Cacic
後に触れますが検証時のラベルの付け方や構築のポイントの多くを動画から学びました。
ポイントとしては、以下の5点です。
① ASBR 間では、BGP-LU を定義すること
② ASBR のBGPで学習した経路を IGP に redistribute すること
③ ASBR-ASBR 間で static route を定義すること
④ PE のみ route-reflector-client の定義をすること
⑤ RR 間は VPN で next-hop-unchanged を定義すること
2. Topology
CE-PE-RR-ASBR-ASBR-RR-PE-CE を含めた構成としました。
IOS-XE を含めた構成も検討したのですが、ASBR で IPv6 ラベルを交換できない等諸々の事情ため IOS-XR の構成としました。
IOS-XR version
RP/0/RP0/CPU0:e_N1#show version Sat Feb 4 08:12:25.415 UTC Cisco IOS XR Software, Version 7.4.1 Copyright (c) 2013-2021 by Cisco Systems, Inc. Build Information: Built By : ingunawa Built On : Wed Aug 4 04:18:28 PDT 2021 Built Host : iox-ucs-012 Workspace : /auto/srcarchive17/prod/7.4.1/xrv9k/ws Version : 7.4.1 Location : /opt/cisco/XR/packages/ Label : 7.4.1-0 cisco IOS-XRv 9000 () processor System uptime is 1 day 19 hours 30 minutes RP/0/RP0/CPU0:e_N1#
IOS-XE version
e_CE1#show version Cisco IOS XE Software, Version 17.03.04a
3. Config
e_N1【IOS-XR】config
hostname e_N1
group CCIE-ISIS
router isis '.*'
is-type level-2-only
address-family ipv4 unicast
metric-style wide
mpls ldp auto-config
!
address-family ipv6 unicast
single-topology
!
interface 'Gi.*'
point-to-point
address-family ipv4 unicast
!
address-family ipv6 unicast
!
!
interface 'Loopback.*'
passive
address-family ipv4 unicast
!
address-family ipv6 unicast
!
!
!
end-group
!
vrf A
rd 1:1
address-family ipv4 unicast
import route-target
200:1
!
export route-target
100:1
!
!
address-family ipv6 unicast
import route-target
400:2
!
export route-target
300:2
!
!
!
address-family ipv6 unicast
!
!
interface Loopback0
ipv4 address 1.1.1.1 255.255.255.255
ipv6 address 1125:1:1:1::1/128
!
interface GigabitEthernet0/0/0/0
ipv4 address 10.1.2.1 255.255.255.0
ipv6 address 1125:1:2::1/64
!
interface GigabitEthernet0/0/0/1
vrf A
ipv4 address 10.10.20.1 255.255.255.0
ipv6 address 1125:1010:20::1/64
!
interface GigabitEthernet0/0/0/2
ipv4 address 10.1.3.1 255.255.255.0
ipv6 address 1125:1:3::1/64
!
!
route-policy PASS
pass
end-policy
!
router isis AS1
apply-group CCIE-ISIS
net 49.0001.0000.0000.0001.00
interface Loopback0
!
interface GigabitEthernet0/0/0/0
!
interface GigabitEthernet0/0/0/2
!
!
router bgp 1
bgp router-id 1.1.1.1
address-family vpnv4 unicast
!
address-family vpnv6 unicast
!
neighbor 3.3.3.3
remote-as 1
update-source Loopback0
address-family vpnv4 unicast
!
!
neighbor 1125:3:3:3::3
remote-as 1
update-source Loopback0
address-family vpnv6 unicast
!
!
vrf A
rd 1:1
address-family ipv4 unicast
redistribute connected
!
address-family ipv6 unicast
redistribute connected
!
neighbor 10.10.20.2
remote-as 100
address-family ipv4 unicast
route-policy PASS in
route-policy PASS out
!
!
neighbor 1125:1010:20::2
remote-as 100
address-family ipv6 unicast
route-policy PASS in
route-policy PASS out
!
!
!
!
mpls ldp
router-id 1.1.1.1
address-family ipv6
!
interface GigabitEthernet0/0/0/0
address-family ipv6
!
!
interface GigabitEthernet0/0/0/2
address-family ipv6
!
!
!
mpls label range table 0 100100 100199
end
e_N2【IOS-XR】config
hostname e_N2
group CCIE-ISIS
router isis '.*'
is-type level-2-only
address-family ipv4 unicast
metric-style wide
mpls ldp auto-config
!
address-family ipv6 unicast
single-topology
!
interface 'Gi.*'
point-to-point
address-family ipv4 unicast
!
address-family ipv6 unicast
!
!
interface 'Loopback.*'
passive
address-family ipv4 unicast
!
address-family ipv6 unicast
!
!
!
end-group
!
interface Loopback0
ipv4 address 2.2.2.2 255.255.255.255
ipv6 address 1125:2:2:2::2/128
!
interface GigabitEthernet0/0/0/0
ipv4 address 10.1.2.2 255.255.255.0
ipv6 address 1125:1:2::2/64
!
interface GigabitEthernet0/0/0/1
ipv4 address 10.2.3.2 255.255.255.0
ipv6 address 1125:2:3::2/64
!
interface GigabitEthernet0/0/0/2
ipv4 address 10.10.30.2 255.255.255.0
ipv6 address 1125:1010:30::2/64
!
prefix-set AS2_PE_RR_LOOPBACK0_IPV4
5.5.5.5/32,
6.6.6.6/32
end-set
!
prefix-set AS2_PE_RR_LOOPBACK0_IPV6
1125:5:5:5::5/128,
1125:6:6:6::6/128
end-set
!
route-policy PASS
pass
end-policy
!
route-policy REDISTRIBUTE_IN_IGP
if destination in AS2_PE_RR_LOOPBACK0_IPV4 then
pass
endif
end-policy
!
route-policy REDISTRIBUTE_IN_IGP_IPV6
if destination in AS2_PE_RR_LOOPBACK0_IPV6 then
pass
endif
end-policy
!
router static
address-family ipv4 unicast
10.10.30.4/32 GigabitEthernet0/0/0/2
!
address-family ipv6 unicast
1125:1010:30::4/128 GigabitEthernet0/0/0/2
!
!
router isis AS1
apply-group CCIE-ISIS
net 49.0001.0000.0000.0002.00
address-family ipv4 unicast
redistribute bgp 1 route-policy REDISTRIBUTE_IN_IGP
!
address-family ipv6 unicast
redistribute bgp 1 route-policy REDISTRIBUTE_IN_IGP_IPV6
!
interface Loopback0
!
interface GigabitEthernet0/0/0/0
!
interface GigabitEthernet0/0/0/1
!
!
router bgp 1
bgp router-id 2.2.2.2
address-family ipv4 unicast
network 1.1.1.1/32
network 3.3.3.3/32
allocate-label all
!
address-family ipv6 unicast
network 1125:1:1:1::1/128
network 1125:3:3:3::3/128
allocate-label all
!
neighbor 10.10.30.4
remote-as 2
address-family ipv4 labeled-unicast
route-policy PASS in
route-policy PASS out
!
!
neighbor 1125:1010:30::4
remote-as 2
address-family ipv6 labeled-unicast
route-policy PASS in
route-policy PASS out
!
!
!
mpls ldp
router-id 2.2.2.2
address-family ipv6
!
interface GigabitEthernet0/0/0/0
address-family ipv6
!
!
interface GigabitEthernet0/0/0/1
address-family ipv6
!
!
!
mpls label range table 0 100200 100299
end
e_N3【IOS-XR】config
hostname e_N3 group CCIE-ISIS router isis '.*' is-type level-2-only address-family ipv4 unicast metric-style wide mpls ldp auto-config ! address-family ipv6 unicast single-topology ! interface 'Gi.*' point-to-point address-family ipv4 unicast ! address-family ipv6 unicast ! ! interface 'Loopback.*' passive address-family ipv4 unicast ! address-family ipv6 unicast ! ! ! end-group ! interface Loopback0 ipv4 address 3.3.3.3 255.255.255.255 ipv6 address 1125:3:3:3::3/128 ! interface GigabitEthernet0/0/0/0 ipv4 address 10.1.3.3 255.255.255.0 ipv6 address 1125:1:3::3/64 ! interface GigabitEthernet0/0/0/1 ipv4 address 10.2.3.3 255.255.255.0 ipv6 address 1125:2:3::3/64 ! route-policy PASS pass end-policy ! router isis AS1 apply-group CCIE-ISIS net 49.0001.0000.0000.0003.00 interface Loopback0 ! interface GigabitEthernet0/0/0/0 ! interface GigabitEthernet0/0/0/1 ! ! router bgp 1 bgp router-id 3.3.3.3 address-family vpnv4 unicast ! address-family vpnv6 unicast ! neighbor 1.1.1.1 remote-as 1 update-source Loopback0 address-family vpnv4 unicast route-reflector-client ! ! neighbor 6.6.6.6 remote-as 2 ebgp-multihop 255 update-source Loopback0 address-family vpnv4 unicast route-policy PASS in route-policy PASS out next-hop-unchanged ! ! neighbor 1125:1:1:1::1 remote-as 1 update-source Loopback0 address-family vpnv6 unicast route-reflector-client ! ! neighbor 1125:6:6:6::6 remote-as 2 ebgp-multihop 255 update-source Loopback0 address-family vpnv6 unicast route-policy PASS in route-policy PASS out next-hop-unchanged ! ! ! mpls ldp router-id 3.3.3.3 address-family ipv6 ! interface GigabitEthernet0/0/0/0 address-family ipv6 ! ! interface GigabitEthernet0/0/0/1 address-family ipv6 ! ! ! mpls label range table 0 100300 100399 end
e_N4【IOS-XR】config
hostname e_N4
group CCIE-ISIS
router isis '.*'
is-type level-2-only
address-family ipv4 unicast
metric-style wide
mpls ldp auto-config
!
address-family ipv6 unicast
single-topology
!
interface 'Gi.*'
point-to-point
address-family ipv4 unicast
!
address-family ipv6 unicast
!
!
interface 'Loopback.*'
passive
address-family ipv4 unicast
!
address-family ipv6 unicast
!
!
!
end-group
!
interface Loopback0
ipv4 address 4.4.4.4 255.255.255.255
ipv6 address 1125:4:4:4::4/128
!
interface GigabitEthernet0/0/0/1
ipv4 address 10.10.30.4 255.255.255.0
ipv6 address 1125:1010:30::4/64
!
interface GigabitEthernet0/0/0/2
ipv4 address 10.4.5.4 255.255.255.0
ipv6 address 1125:4:5::4/64
!
interface GigabitEthernet0/0/0/3
ipv4 address 10.4.6.4 255.255.255.0
ipv6 address 1125:4:6::4/64
!
prefix-set AS1_PE_RR_LOOPBACK0_IPV4
1.1.1.1/32,
3.3.3.3/32
end-set
!
prefix-set AS1_PE_RR_LOOPBACK0_IPV6
1125:1:1:1::1/128,
1125:3:3:3::3/128
end-set
!
route-policy PASS
pass
end-policy
!
route-policy REDISTRIBUTE_IN_IGP
if destination in AS1_PE_RR_LOOPBACK0_IPV4 then
pass
endif
end-policy
!
route-policy REDISTRIBUTE_IN_IGP_IPV6
if destination in AS1_PE_RR_LOOPBACK0_IPV6 then
pass
endif
end-policy
!
router static
address-family ipv4 unicast
10.10.30.2/32 GigabitEthernet0/0/0/1
!
address-family ipv6 unicast
1125:1010:30::2/128 GigabitEthernet0/0/0/1
!
!
router isis AS2
apply-group CCIE-ISIS
net 49.0002.0000.0000.0004.00
address-family ipv4 unicast
redistribute bgp 2 route-policy REDISTRIBUTE_IN_IGP
!
address-family ipv6 unicast
redistribute bgp 2 route-policy REDISTRIBUTE_IN_IGP_IPV6
!
interface Loopback0
!
interface GigabitEthernet0/0/0/2
!
interface GigabitEthernet0/0/0/3
!
!
router bgp 2
bgp router-id 4.4.4.4
address-family ipv4 unicast
network 5.5.5.5/32
network 6.6.6.6/32
allocate-label all
!
address-family ipv6 unicast
network 1125:5:5:5::5/128
network 1125:6:6:6::6/128
allocate-label all
!
neighbor 10.10.30.2
remote-as 1
address-family ipv4 labeled-unicast
route-policy PASS in
route-policy PASS out
!
!
neighbor 1125:1010:30::2
remote-as 1
address-family ipv6 labeled-unicast
route-policy PASS in
route-policy PASS out
!
!
!
mpls ldp
router-id 4.4.4.4
address-family ipv6
!
interface GigabitEthernet0/0/0/2
address-family ipv6
!
!
interface GigabitEthernet0/0/0/3
address-family ipv6
!
!
!
mpls label range table 0 200400 200499
end
e_N5【IOS-XR】config
hostname e_N5
group CCIE-ISIS
router isis '.*'
is-type level-2-only
address-family ipv4 unicast
metric-style wide
mpls ldp auto-config
!
address-family ipv6 unicast
single-topology
!
interface 'Gi.*'
point-to-point
address-family ipv4 unicast
!
address-family ipv6 unicast
!
!
interface 'Loopback.*'
passive
address-family ipv4 unicast
!
address-family ipv6 unicast
!
!
!
end-group
!
vrf B
rd 2:5
address-family ipv4 unicast
import route-target
100:1
!
export route-target
200:1
!
!
address-family ipv6 unicast
import route-target
300:2
!
export route-target
400:2
!
!
!
interface Loopback0
ipv4 address 5.5.5.5 255.255.255.255
ipv6 address 1125:5:5:5::5/128
!
interface GigabitEthernet0/0/0/1
vrf B
ipv4 address 10.10.80.1 255.255.255.0
ipv6 address 1125:1010:80::1/64
!
interface GigabitEthernet0/0/0/2
ipv4 address 10.4.5.5 255.255.255.0
ipv6 address 1125:4:5::5/64
!
interface GigabitEthernet0/0/0/3
ipv4 address 10.5.6.5 255.255.255.0
ipv6 address 1125:5:6::5/64
!
route-policy PASS
pass
end-policy
!
router isis AS2
apply-group CCIE-ISIS
net 49.0002.0000.0000.0005.00
interface Loopback0
!
interface GigabitEthernet0/0/0/2
!
interface GigabitEthernet0/0/0/3
!
!
router bgp 2
bgp router-id 5.5.5.5
address-family vpnv4 unicast
!
address-family vpnv6 unicast
!
neighbor 6.6.6.6
remote-as 2
update-source Loopback0
address-family vpnv4 unicast
!
!
neighbor 1125:6:6:6::6
remote-as 2
update-source Loopback0
address-family vpnv6 unicast
!
!
vrf B
rd 2:5
address-family ipv4 unicast
redistribute connected
!
address-family ipv6 unicast
redistribute connected
!
neighbor 10.10.80.2
remote-as 200
address-family ipv4 unicast
route-policy PASS in
route-policy PASS out
!
!
neighbor 1125:1010:80::2
remote-as 200
address-family ipv6 unicast
route-policy PASS in
route-policy PASS out
!
!
!
!
mpls ldp
router-id 5.5.5.5
address-family ipv6
!
interface GigabitEthernet0/0/0/2
address-family ipv6
!
!
interface GigabitEthernet0/0/0/3
address-family ipv6
!
!
!
mpls label range table 0 200500 200599
end
e_N6【IOS-XR】config
hostname e_N6 group CCIE-ISIS router isis '.*' is-type level-2-only address-family ipv4 unicast metric-style wide mpls ldp auto-config ! address-family ipv6 unicast single-topology ! interface 'Gi.*' point-to-point address-family ipv4 unicast ! address-family ipv6 unicast ! ! interface 'Loopback.*' passive address-family ipv4 unicast ! address-family ipv6 unicast ! ! ! end-group ! interface Loopback0 ipv4 address 6.6.6.6 255.255.255.255 ipv6 address 1125:6:6:6::6/128 ! interface GigabitEthernet0/0/0/1 ipv4 address 10.4.6.6 255.255.255.0 ipv6 address 1125:4:6::6/64 ! interface GigabitEthernet0/0/0/2 ipv4 address 10.5.6.6 255.255.255.0 ipv6 address 1125:5:6::6/64 ! route-policy PASS pass end-policy ! router isis AS2 apply-group CCIE-ISIS net 49.0002.0000.0000.0006.00 interface Loopback0 ! interface GigabitEthernet0/0/0/1 ! interface GigabitEthernet0/0/0/2 ! ! router bgp 2 bgp router-id 6.6.6.6 address-family vpnv4 unicast ! address-family vpnv6 unicast ! neighbor 3.3.3.3 remote-as 1 ebgp-multihop 255 update-source Loopback0 address-family vpnv4 unicast route-policy PASS in route-policy PASS out next-hop-unchanged ! ! neighbor 5.5.5.5 remote-as 2 update-source Loopback0 address-family vpnv4 unicast route-reflector-client ! ! neighbor 1125:3:3:3::3 remote-as 1 ebgp-multihop 255 update-source Loopback0 address-family vpnv6 unicast route-policy PASS in route-policy PASS out next-hop-unchanged ! ! neighbor 1125:5:5:5::5 remote-as 2 update-source Loopback0 address-family vpnv6 unicast route-reflector-client ! ! ! mpls ldp router-id 6.6.6.6 address-family ipv6 ! interface GigabitEthernet0/0/0/1 address-family ipv6 ! ! interface GigabitEthernet0/0/0/2 address-family ipv6 ! ! ! mpls label range table 0 200600 200699 end
e_CE1【IOS-XE】config
hostname e_CE1 ! no ip domain lookup ! ipv6 unicast-routing ! ! interface Loopback0 ip address 100.100.100.100 255.255.255.255 ipv6 address 1125:100:100:100::100/128 ! interface GigabitEthernet1 ip address 10.10.20.2 255.255.255.0 ipv6 address 1125:1010:20::2/64 ! router bgp 100 bgp router-id 100.100.100.100 bgp log-neighbor-changes no bgp default ipv4-unicast neighbor 10.10.20.1 remote-as 1 neighbor 1125:1010:20::1 remote-as 1 ! address-family ipv4 network 100.100.100.100 mask 255.255.255.255 neighbor 10.10.20.1 activate exit-address-family ! address-family ipv6 network 1125:100:100:100::100/128 neighbor 1125:1010:20::1 activate exit-address-family ! end
e_CE2【IOS-XE】config
hostname e_CE2 ! no ip domain lookup ! ipv6 unicast-routing ! ! interface Loopback0 ip address 200.200.200.200 255.255.255.255 ipv6 address 1125:200:200:200::200/128 ! interface GigabitEthernet1 ip address 10.10.80.2 255.255.255.0 ipv6 address 1125:1010:80::2/64 ! router bgp 200 bgp router-id 200.200.200.200 bgp log-neighbor-changes no bgp default ipv4-unicast neighbor 10.10.80.1 remote-as 2 neighbor 1125:1010:80::1 remote-as 2 ! address-family ipv4 network 200.200.200.200 mask 255.255.255.255 neighbor 10.10.80.1 activate exit-address-family ! address-family ipv6 network 1125:200:200:200::200/128 neighbor 1125:1010:80::1 activate exit-address-family ! end
4. 検証の小技
デモの動画を見た時に分かりやすいなと思い今回採用しました。
【IOS-XR】mpls label range table 0 最小ラベル 最大ラベル
RP/0/RP0/CPU0:e_N1(config)#mpls label range table 0 ? <16000-1048575> Minimum label value RP/0/RP0/CPU0:e_N1(config)#mpls label range table 0 100100 ? <16000-1048575> Maximum label value RP/0/RP0/CPU0:e_N1(config)#mpls label range table 0 100100 100199 RP/0/RP0/CPU0:e_N1(config)#
【IOS-XE】mpls label range 最小ラベル 最大ラベル
e_N4(config)#mpls label range ? <16-1048575> Minimum label value for dynamic label range e_N4(config)#mpls label range 200400 ? <200400-1048575> Maximum label value for dynamic label range e_N4(config)#mpls label range 200400 200499 e_N4(config)#
というのも全部 Default 値だと、どこのラベルが付いているのかぱっと見分からないのです。
一つ注意事項があります。このコマンドは一番最初に実行する必要があります。LDP、VRF、BGP-LU などで動的なラベルを構成してからコマンドを実行しても、既に Label Switching Database(LSD) が Default 値で構築された後であるため意図したラベルにすることができません。
これで AS もノード名も特定できるので分かりやすくなります。
5. 構築の要点
5.1 BGP-LU
LSPをend-to-endで確立するために両ASのPEルータとRRルータのLoopback 0をBGP-LUを使ってAdvertiseします。
以下に AS1 のe_N2(ASBRルータ)の定義を示します。
router bgp 1 bgp router-id 2.2.2.2 address-family ipv4 unicast network 1.1.1.1/32 network 3.3.3.3/32 allocate-label all ! address-family ipv6 unicast network 1125:1:1:1::1/128 network 1125:3:3:3::3/128 allocate-label all ! neighbor 10.10.30.4 remote-as 2 address-family ipv4 labeled-unicast route-policy PASS in route-policy PASS out ! ! neighbor 1125:1010:30::4 remote-as 2 address-family ipv6 labeled-unicast route-policy PASS in route-policy PASS out ! ! !
対向 AS2 の e_N4(ASBRルータ)も同様に定義します。
5.2 redistribute
AS1 の e-N2(ASBRルータ)は BGP-LU で 対向AS2 の e_N5(PEルータ)と e_N6(RRルータ)の Loopback を学習していますが、これを IGP で学習するために redistribute が必要です。
RP/0/RP0/CPU0:e_N2#show route bgp Sun Feb 5 10:00:28.284 UTC B 5.5.5.5/32 [20/10] via 10.10.30.4, 10:19:20 B 6.6.6.6/32 [20/10] via 10.10.30.4, 10:19:20 RP/0/RP0/CPU0:e_N2#
redistribute しないと e_N3(RRルータ)にルーティング情報が入ってきません。
RP/0/RP0/CPU0:e_N3#show route | b Gate
Sun Feb 5 01:41:41.748 UTC
Gateway of last resort is not set
i L2 1.1.1.1/32 [115/10] via 10.1.3.1, 11:16:55, GigabitEthernet0/0/0/0
i L2 2.2.2.2/32 [115/10] via 10.2.3.2, 15:08:59, GigabitEthernet0/0/0/1
L 3.3.3.3/32 is directly connected, 1w5d, Loopback0
i L2 10.1.2.0/24 [115/20] via 10.1.3.1, 11:16:55, GigabitEthernet0/0/0/0
[115/20] via 10.2.3.2, 11:16:55, GigabitEthernet0/0/0/1
C 10.1.3.0/24 is directly connected, 1w5d, GigabitEthernet0/0/0/0
L 10.1.3.3/32 is directly connected, 1w5d, GigabitEthernet0/0/0/0
C 10.2.3.0/24 is directly connected, 1w5d, GigabitEthernet0/0/0/1
L 10.2.3.3/32 is directly connected, 1w5d, GigabitEthernet0/0/0/1
RP/0/RP0/CPU0:e_N3#
e-N2(ASBRルータ)で BGP を ISIS に redistribute します。
router isis AS1 apply-group CCIE-ISIS net 49.0001.0000.0000.0002.00 address-family ipv4 unicast redistribute bgp 1 level-2 ! address-family ipv6 unicast redistribute bgp 1 level-2
これで AS1 で、対向AS2 の e_N5(PEルータ)とe-N6(RRルータ)の Loopback を学習することができ LSP を end-to-end で張ることができます。
RP/0/RP0/CPU0:e_N3#show route | b Gate
Sun Feb 5 09:25:10.508 UTC
Gateway of last resort is not set
i L2 1.1.1.1/32 [115/10] via 10.1.3.1, 19:00:24, GigabitEthernet0/0/0/0
i L2 2.2.2.2/32 [115/10] via 10.2.3.2, 22:52:28, GigabitEthernet0/0/0/1
L 3.3.3.3/32 is directly connected, 1w5d, Loopback0
i L2 5.5.5.5/32 [115/10] via 10.2.3.2, 00:00:16, GigabitEthernet0/0/0/1
i L2 6.6.6.6/32 [115/10] via 10.2.3.2, 00:00:16, GigabitEthernet0/0/0/1
i L2 10.1.2.0/24 [115/20] via 10.1.3.1, 19:00:24, GigabitEthernet0/0/0/0
[115/20] via 10.2.3.2, 19:00:24, GigabitEthernet0/0/0/1
C 10.1.3.0/24 is directly connected, 1w5d, GigabitEthernet0/0/0/0
L 10.1.3.3/32 is directly connected, 1w5d, GigabitEthernet0/0/0/0
C 10.2.3.0/24 is directly connected, 1w5d, GigabitEthernet0/0/0/1
L 10.2.3.3/32 is directly connected, 1w5d, GigabitEthernet0/0/0/1
RP/0/RP0/CPU0:e_N3#
ここで大事なことは、セキュリティを考慮して LSP の構築に必要な prefix のみを受信するように定義せねばならないことです。
対向 AS2 の e_N5(PEルータ)とe-N6(RRルータ)の Loopback prefix だけを受信するようにします。
prefix-set AS2_PE_RR_LOOPBACK0_IPV4
5.5.5.5/32,
6.6.6.6/32
end-set
!
route-policy REDISTRIBUTE_IN_IGP
if destination in AS2_PE_RR_LOOPBACK0_IPV4 then
pass
endif
end-policy
!
router isis AS1
address-family ipv4 unicast
redistribute bgp 1 route-policy REDISTRIBUTE_IN_IGP
!
!
同様に IPv6 prefix も定義します。
prefix-set AS2_PE_RR_LOOPBACK0_IPV6
1125:5:5:5::5/128,
1125:6:6:6::6/128
end-set
!
route-policy REDISTRIBUTE_IN_IGP_IPV6
if destination in AS2_PE_RR_LOOPBACK0_IPV6 then
pass
endif
end-policy
!
router isis AS1
address-family ipv6 unicast
redistribute bgp 1 route-policy REDISTRIBUTE_IN_IGP_IPV6
!
対向 AS2 の e_N4(ASBRルータ)も同様に、AS1 の e_N1(PEルータ)とe-N3(RRルータ)の Loopback prefix だけを受信するようにします。
5.3 static route
Inter-AS option B と同様に ASBR 間は /32 の static route が必要です。
www.cisco.com
For IOS-XR over Inter-As link there is a different logic as compared to that of IOS. It is required to configure a static /32 route to ASBR1's interface, so that mpls label is bound for a /32 prefix. If this is not done then control plane will come up but the traffic will not be forwarded.
以下に AS1 のe_N2(ASBRルータ)の定義を示します。
router static address-family ipv4 unicast 10.10.30.4/32 GigabitEthernet0/0/0/2 ! address-family ipv6 unicast 1125:1010:30::4/128 GigabitEthernet0/0/0/2 ! !
対向 AS2 の e_N4(ASBRルータ)も同様の定義をします。
5.4 route-reflector-client
e_N1(PEルータ)の VPNv4/v6 を RR で集約するため、e_N1(PEルータ)だけ route-reflector-client の定義をします。
e_N2(ASBRルータ)を含めない点にご注意ください。
以下に AS1 のe_N3(RRルータ)の定義を示します。
router bgp 1 neighbor 1.1.1.1 remote-as 1 update-source Loopback0 address-family vpnv4 unicast route-reflector-client ! ! neighbor 1125:1:1:1::1 remote-as 1 update-source Loopback0 address-family vpnv6 unicast route-reflector-client ! !
対向AS2 の e_N6(RRルータ)にも同様の定義をします。
5.5 next-hop-unchanged
e_N3(RRルータ)と e_N6(RRルータ)間で MP-eBGP を定義します。
ここで大事なポイントは、eBGP は Default で NEXT_HOP を上書きするということです。
e_N3(RRルータ)と e_N6(RRルータ)間で MP-eBGP を定義すると、以下のようになります。
RP/0/RP0/CPU0:e_N5#show bgp vpnv4 unicast
Sun Feb 5 09:48:59.471 UTC
BGP router identifier 5.5.5.5, local AS number 2
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0x0 RD version: 0
BGP main routing table version 101
BGP NSR Initial initsync version 8 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
BGP scan interval 60 secs
Status codes: s suppressed, d damped, h history, * valid, > best
i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1
*>i10.10.20.0/24 3.3.3.3 100 0 1 ?
*>i100.100.100.100/32 3.3.3.3 100 0 1 100 i
Route Distinguisher: 2:5 (default for vrf B)
*>i10.10.20.0/24 3.3.3.3 100 0 1 ?
*> 10.10.80.0/24 0.0.0.0 0 32768 ?
*>i100.100.100.100/32 3.3.3.3 100 0 1 100 i
*> 200.200.200.200/32 10.10.80.2 0 0 200 i
Processed 6 prefixes, 6 paths
RP/0/RP0/CPU0:e_N5#
prefix:100.100.100.100/32 の NEXT_HOP は 1.1.1.1(e_N1:PEルータ)であるのが正しい情報なのですが、NEXT_HOP が 3.3.3.3(e_N3:RRルータ)に上書きされてしまいます。このままでは対向の AS に間違った情報が伝搬されてしまいます。
ここで必要になるのが NEXT_HOP の上書きを禁止する定義「next-hop-unchanged」です。
オンラインヘルプを参照するとこのような記載があります。
next-hop-unchanged Do not overwrite next hop before advertising to eBGP peers
e_N3(RRルータ)で「next-hop-unchanged」を定義します。
router bgp 1 bgp router-id 3.3.3.3 ! neighbor 6.6.6.6 remote-as 2 ebgp-multihop 255 update-source Loopback0 address-family vpnv4 unicast route-policy PASS in route-policy PASS out next-hop-unchanged ! !
NEXT_HOP が 1.1.1.1(e_N1:PEルータ)となり正しい状態になります。
RP/0/RP0/CPU0:e_N5#show bgp vpnv4 unicast
Sun Feb 5 09:54:19.039 UTC
BGP router identifier 5.5.5.5, local AS number 2
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0x0 RD version: 0
BGP main routing table version 109
BGP NSR Initial initsync version 8 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
BGP scan interval 60 secs
Status codes: s suppressed, d damped, h history, * valid, > best
i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1
*>i10.10.20.0/24 1.1.1.1 100 0 1 ?
*>i100.100.100.100/32 1.1.1.1 100 0 1 100 i
Route Distinguisher: 2:5 (default for vrf B)
*>i10.10.20.0/24 1.1.1.1 100 0 1 ?
*> 10.10.80.0/24 0.0.0.0 0 32768 ?
*>i100.100.100.100/32 1.1.1.1 100 0 1 100 i
*> 200.200.200.200/32 10.10.80.2 0 0 200 i
Processed 6 prefixes, 6 paths
RP/0/RP0/CPU0:e_N5#
対向 AS2 の e_N6(RRルータ)に同様の定義をします。
6. vpnv4 確認
ルーティング情報と疎通確認はこのようになりました。
e_CE1#show ip route bgp | b Gate
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B 10.10.80.0/24 [20/0] via 10.10.20.1, 00:02:15
200.200.200.0/32 is subnetted, 1 subnets
B 200.200.200.200 [20/0] via 10.10.20.1, 00:02:15
e_CE1#
e_CE1#ping 200.200.200.200 source 100.100.100.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:
Packet sent with a source address of 100.100.100.100
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/4/9 ms
e_CE1#
e_CE1#traceroute 200.200.200.200 source 100.100.100.100
Type escape sequence to abort.
Tracing the route to 200.200.200.200
VRF info: (vrf in name/id, vrf out name/id)
1 10.10.20.1 [AS 1] 5 msec 2 msec 1 msec
2 10.1.2.2 [MPLS: Labels 100208/200509 Exp 0] 7 msec 5 msec 6 msec
3 10.10.30.4 [MPLS: Labels 200404/200509 Exp 0] 6 msec 5 msec 3 msec
4 10.4.5.5 [MPLS: Label 200509 Exp 0] 6 msec 3 msec 4 msec
5 10.10.80.2 [AS 2] 4 msec * 19 msec
e_CE1#
e_N1(PEルータ)からCE2’s Loopback0(200.200.200.200/32)に到達するには、
ラベルを2つスタックしていることが分かります。
VRF の情報を見るとRD 1:1 で route-target 200:1 を使う(ソースのRD 2:5)
NEXT_HOP は 5.5.5.5(Label 200509)
BGP-UPDATE パケットも見てみましょう。showコマンドと一致していることが分かります。
e_N2(ASBRルータ)ではこのようになりました。
BGP-UPDATE パケットも見てみましょう。showコマンドと一致していることが分かります。
e_N3(RRルータ)はコントロールプレーンなのでパケットを転送しないのですが、BGP のやり取りをします。
BGP-UPDATE パケットも見てみましょう。showコマンドと一致していることが分かります。
e_N4(ASBRルータ)ではこのようになりました。
e_N5(PEルータ)ではこのようになりました。
e_N6(RRルータ)はコントロールプレーンなのでパケットを転送しないのですが、BGP のやり取りをします。
BGP-UPDATE パケットも見てみましょう。showコマンドと一致していることが分かります。
7. vpnv6 確認
e_CE1#show ipv6 route bgp
IPv6 Routing Table - default - 6 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
NDr - Redirect, RL - RPL, O - OSPF Intra, OI - OSPF Inter
OE1 - OSPF ext 1, OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1
ON2 - OSPF NSSA ext 2, la - LISP alt, lr - LISP site-registrations
ld - LISP dyn-eid, lA - LISP away, le - LISP extranet-policy
lp - LISP publications, a - Application, m - OMP
B 1125:200:200:200::200/128 [20/0], tag 1
via FE80::5200:FF:FE37:4, GigabitEthernet1
B 1125:1010:80::/64 [20/0], tag 1
via FE80::5200:FF:FE37:4, GigabitEthernet1
e_CE1#
e_CE1#ping ipv6 1125:200:200:200::200 source 1125:100:100:100::100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1125:200:200:200::200, timeout is 2 seconds:
Packet sent with a source address of 1125:100:100:100::100
UUUUU
Success rate is 0 percent (0/5)
e_CE1#
e_CE1#traceroute ipv6 1125:200:200:200::200 source 1125:100:100:100::100
Type escape sequence to abort.
Tracing the route to 1125:200:200:200::200
1 1125:1010:20::1 [AS 1] !U !U !U
e_CE1#
設定が間違っているのか?何故かPEでラベルが付いてくれないため疎通はできませんでした。
RP/0/RP0/CPU0:e_N1#show mpls forwarding
Mon Feb 6 04:41:59.267 UTC
Local Outgoing Prefix Outgoing Next Hop Bytes
Label Label or ID Interface Switched
------ ----------- ------------------ ------------ --------------- ------------
100100 Pop 3.3.3.3/32 Gi0/0/0/2 10.1.3.3 236030
100101 100210 6.6.6.6/32 Gi0/0/0/0 10.1.2.2 0
100102 100208 5.5.5.5/32 Gi0/0/0/0 10.1.2.2 3360
100103 Pop 2.2.2.2/32 Gi0/0/0/0 10.1.2.2 0
100104 Pop 10.2.3.0/24 Gi0/0/0/0 10.1.2.2 0
Pop 10.2.3.0/24 Gi0/0/0/2 10.1.3.3 0
100105 Pop 1125:3:3:3::3/128 Gi0/0/0/2 fe80::5200:ff:fe39:3 \
698085
100106 Unlabelled 1125:5:5:5::5/128 Gi0/0/0/0 fe80::5200:ff:fe38:3 \
0
100107 Unlabelled 1125:6:6:6::6/128 Gi0/0/0/0 fe80::5200:ff:fe38:3 \
0
100108 Pop 1125:2:2:2::2/128 Gi0/0/0/0 fe80::5200:ff:fe38:3 \
363539
100109 Pop 1125:2:3::/64 Gi0/0/0/0 fe80::5200:ff:fe38:3 \
880
Pop 1125:2:3::/64 Gi0/0/0/2 fe80::5200:ff:fe39:3 \
0
100110 Unlabelled 1125:100:100:100::100/128[V] \
Gi0/0/0/1 fe80::5200:ff:fe3c:0 \
0
100111 Aggregate A: Per-VRF Aggr[V] A 0
100112 Aggregate A: Per-VRF Aggr[V] A 13184
100113 Unlabelled 100.100.100.100/32[V] \
Gi0/0/0/1 10.10.20.2 0
RP/0/RP0/CPU0:e_N1#
調査して原因が分かったら更新します。
8. 参考URL
① Configure Inter-AS Option C MPLS VPN With Cisco IOS and Cisco IOS-XR
www.cisco.com
② Cisco IOS-XR BGP with MPLS Designs
www.cisco.com
③ Introduction Inter-AS L3VPN
https://nsrc.org/workshops/2015/apricot2015/raw-attachment/wiki/Track3MPLS/9-Apriot_2015_Inter-AS.2.pdf
④ [Multi-AS Segment Routing 検証連載 #2] SR-MPLS L3VPN in Multi-AS
engineers.ntt.com
⑤ Inter-AS Option C
gemunopedy.hatenadiary.com
⑥ Inter AS Option C – Design Considerations and Comparison
orhanergun.net
⑦ MPLS L3VPN Inter-AS Option C
learningnetwork.cisco.com
次回は、Inter-AS Option D について記事を書きます。
最後までお読みいただきありがとうございました!
