Cisco CCIP MPLS Study Guide - James Reagan.pdf

E-BGP and MPLS VPNs 349

no auto-summary

exit-address-family

!

ip classless

no ip http server

!

!

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

transport input none

ip netmask-format decimal

line aux 0

line vty 0 4

privilege level 15

password cisco

logging synchronous

login

ip netmask-format decimal

!

E-BGP Operation

Before getting started with any configuration, let’s talk about E-BGP operation. E-BGP is supported between PE and CE routers. E-BGP will be configured under the address-family ipv4 section for a particular VPN. All the standard BGP rules, filters, and assorted bells and whistles still work. Remember to use the ? and CCO (www.cisco.com) to get more information on how to configure advanced BGP features in an MPLS VPN E-BGP environment. The new BGP feature that you should know about is AS-override.

AS-Override

In Figure 8.5, a customer has a simple MPLS VPN and is using the same AS number at each site.

Copyright ©2002 SYBEX, Inc., Alameda, CA

www.sybex.com

350 Chapter 8 Advanced MPLS Topics

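FIGURE 8.5 A customer VPN using a single AS number

[Figure: Peer 1 (AS 65001) connects to the Atlanta POP router and Peer 2 (AS 65001) connects to the Raleigh POP router; Atlanta and Raleigh are in AS 65000. The update is shown as Prefix | 65001 from Peer 1 and across the provider network, and as Prefix | 65000 | 65001 from Raleigh to Peer 2.]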

In the VPN in Figure 8.5, a prefix from the Peer 1 router is sent to the Atlanta POP router through an E-BGP connection. The originating AS number (65001) is in the AS path. The prefix is propagated across the service provider network and arrives at the Raleigh POP router. The Raleigh POP router forwards the update to the Peer 2 router and attaches its AS number (65000) to the update. When the Peer 2 router receives the update, it sees its own AS number (65001) in the AS path (65000|65001) and discards the route. In reality, there is no loop, but the default operation of BGP is to drop the route.

Since customers don’t need an IOS upgrade to fix MPLS VPN problems, the service provider PE routers need some way to remedy this situation. The neighbor ip_address as-override command is used to replace all copies of the originating AS in an update.

In Figure 8.6, a route originates from the Peer 1 router in AS 65001. The update is propagated through the service provider network with the original AS number. When the update is sent to the Peer 2 router through an E-BGP connection, assuming AS-override has been configured, all instances of the originating AS (65001) are replaced with the service provider’s AS number (65000).

FIGURE 8.6 A network with AS-override in operation

[Figure: the same topology as Figure 8.5. The update is shown as Prefix | 65001 from Peer 1 and across the provider network, and as Prefix | 65000 | 65000 from Raleigh to Peer 2.]
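The two figures can be reproduced with a short model of the AS-path handling. This is an added example, not code from the book: the function names are hypothetical, AS 65010 is a constructed value, and the last two cases go beyond the figures to show that every copy of the customer AS is replaced while other AS numbers are left alone.

```python
# Added illustration: models E-BGP AS-path loop detection and the PE's
# as-override rewrite, using the AS numbers from Figures 8.5 and 8.6.
# Function names are hypothetical; this is not router code.

PROVIDER_AS = 65000   # service provider (Atlanta and Raleigh POP routers)
CUSTOMER_AS = 65001   # used at both customer sites (Peer 1 and Peer 2)


def pe_advertise(as_path, local_as, neighbor_as, as_override=False):
    """AS path a PE sends to an E-BGP neighbor in a VRF.

    With as_override, every occurrence of the neighbor's AS is replaced by
    the PE's own AS before the PE prepends itself, so the path length (and
    any prepending the customer did) is preserved.
    """
    path = list(as_path)
    if as_override:
        path = [local_as if asn == neighbor_as else asn for asn in path]
    return [local_as] + path


def ce_accepts(as_path, local_as):
    """Default BGP loop prevention: reject a path containing our own AS."""
    return local_as not in as_path


def deliver(origin_path, as_override):
    """Carry a Peer 1 route across the provider and offer it to Peer 2."""
    sent = pe_advertise(origin_path, PROVIDER_AS, CUSTOMER_AS, as_override)
    return sent, ce_accepts(sent, CUSTOMER_AS)


if __name__ == "__main__":
    cases = [
        ("Figure 8.5, no as-override", [CUSTOMER_AS], False),
        ("Figure 8.6, as-override", [CUSTOMER_AS], True),
        ("customer prepended 3x", [CUSTOMER_AS] * 3, True),
        ("other AS behind the site", [CUSTOMER_AS, 65010], True),  # 65010 is constructed
    ]
    for label, path, override in cases:
        sent, ok = deliver(path, override)
        verdict = "accepted" if ok else "dropped (own AS in path)"
        print(f"{label:28} {' '.join(map(str, sent)):26} {verdict}")
```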

Enough of that, back to configuration.


VPN Configuration

So the service provider network is all set up, and you need to configure an MPLS VPN. From a business case standpoint, the Peer 1 and Peer 2 routers require a simple MPLS-based VPN. E-BGP will be used between the POP routers and the peer routers.

The first thing to configure on the Atlanta POP router is a VRF with a route distinguisher and a route target:

Atlanta#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Atlanta(config)#ip vrf vpn_1

Atlanta(config-vrf)#rd 65000:1

Atlanta(config-vrf)#route-target both 65000:1

Next, you need to associate the interface that connects to Peer 1 with the VRF:

Atlanta(config)#int s 0/1

Atlanta(config-if)#ip vrf forwarding vpn_1

%Interface Serial0/1 IP address 192.168.3.6 removed due to enabling VRF vpn_1

Atlanta(config-if)#ip address 192.168.3.6 255.255.255.252

Now you need to configure an E-BGP session between the Atlanta POP router and the Peer 1 router:

Atlanta(config)#router bgp 65000

Atlanta(config-router)#address-family ipv4 vrf vpn_1

Atlanta(config-router-af)#neighbor 192.168.3.5 remote-as 65001

Atlanta(config-router-af)#neighbor 192.168.3.5 activate

Atlanta(config-router-af)#neighbor 192.168.3.5 as-override

Atlanta(config-router-af)#redistribute connected

Atlanta(config-router-af)#^Z

Atlanta#

Now on to the Raleigh POP router. You need to configure an E-BGP session between the Raleigh POP router and the Peer 2 router:

Raleigh(config)#router bgp 65000

Raleigh(config-router)#address-family ipv4 vrf vpn_1

Raleigh(config-router-af)#neighbor 192.168.3.10 remote-as 65001

Raleigh(config-router-af)#neighbor 192.168.3.10 activate

Raleigh(config-router-af)#neighbor 192.168.3.10 as-override

Raleigh(config-router-af)#redistribute connected

Raleigh(config-router-af)#^Z

Raleigh#

The following sections contain the running-configs for the Atlanta and Raleigh POP routers. Try to get in the habit of reading and verifying the configuration.

Limiting Routes

There are many BGP features that allow service providers to filter or limit the number of routes that they may learn from an E-BGP peer. If you do not want to use well-known BGP features, it’s possible to limit the number of routes in a VRF.

For example, suppose a customer is only paying for simple site-to-site connectivity. The service provider, as a function of MPLS VPN operation, is responsible for convergence and carrying customer routes through the service provider backbone. If the customer is paying for only a simple connection, they may get a price break because of the limited overhead (such as the number of routes the service provider must propagate).

To limit the customer to a set number of routes, the maximum-routes command can be used.

Consider another example. Let’s say the customer has two sites and has only a total of six routes that will be in the VRF on the PE router. On the PE router, where the VRF is configured, three of the routes are learned from the other site and three routes are generated by the local CE router.

The maximum-routes command takes two values: the maximum number of routes and the percentage at which a SYSLOG message should be sent. In the configuration example that follows, after the maximum-routes command, the 6 indicates the maximum number of routes and the 75 is the percentage that specifies when SYSLOG messages will be sent. Once the six routes are exceeded, new routes are dropped by the PE.

ip vrf vpn_z

rd 100:100

route-target both 100:100

maximum-routes 6 75
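A PE configuration can be checked for VRFs that carry no such limit. The script below is an added example, not code from the book: the function names are hypothetical, the sample text is constructed from the two VRF definitions on this page (in running-config form, with sub-commands indented by one space), and the pattern matches only the maximum-routes syntax shown above.

```python
# Added illustration: reports which VRFs in a config have a maximum-routes limit.
# SAMPLE_CONFIG is constructed from the vpn_1 and vpn_z definitions on this page.
import re

SAMPLE_CONFIG = """\
ip vrf vpn_1
 rd 65000:1
 route-target both 65000:1
!
ip vrf vpn_z
 rd 100:100
 route-target both 100:100
 maximum-routes 6 75
!
"""

VRF_RE = re.compile(r"^ip vrf (\S+)\s*$")
LIMIT_RE = re.compile(r"^\s+maximum-routes (\d+) (\d+)\s*$")


def audit_vrf_limits(config_text):
    """Return {vrf_name: (limit, warn_percent) or None} for each ip vrf block."""
    results, current = {}, None
    for line in config_text.splitlines():
        m = VRF_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = None
            continue
        if current and not line.startswith(" "):
            current = None  # "!" or a new top-level command ends the VRF block
            continue
        m = LIMIT_RE.match(line) if current else None
        if m:
            results[current] = (int(m.group(1)), int(m.group(2)))
    return results


def unlimited_vrfs(config_text):
    """Names of VRFs with no cap on the number of routes they will hold."""
    return sorted(n for n, lim in audit_vrf_limits(config_text).items() if lim is None)


if __name__ == "__main__":
    for name, limit in audit_vrf_limits(SAMPLE_CONFIG).items():
        print(name, limit if limit else "NO LIMIT")
```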
