Previous route isolation does not work after adding a VPN configuration in inter-AS VPN Option A

Publication Date:  2014-12-01 Views:  47 Downloads:  0
Issue Description

The customer network has three L3VPN instances, vpna, vpnb and vpnc, which are forbidden from accessing one another. The route distinguishers and VPN targets are as follows:

vpna: route-distinguisher 1:1, vpn-target 1:1

vpnb: route-distinguisher 1:2, vpn-target 1:2

vpnc: route-distinguisher 1:3, vpn-target 1:3

As shown in Figure,

ASBR1

CE-A1 belongs to vpna, CE-B1 belongs to vpnb and CE-C1 belongs to vpnc

ASBR2

CE-A2 belongs to vpna, CE-B2 belongs to vpnb and CE-C2 belongs to vpnc

Create the VPN instances on the two ASBRs and bind each instance to the interface connected to the other ASBR. Set up EBGP peer relationships between the ASBRs to implement inter-AS VPN Option A. CE-A1 and CE-A2 learn only each other's routes; CE-A1 does not learn the routes of CE-B2 and CE-C2. The three VPN instances are isolated from one another.



To meet a service requirement, a new VPN instance, vpnd, is created. It needs to learn the routes of vpna, vpnb and vpnc, while the three existing VPN instances must remain isolated from one another.

vpnd: route-distinguisher 1:1, vpn-target 1:1 1:2 1:3 1:4

We found that the previous private route isolation design no longer works once the vpnd configuration is added.



Handling Process

【 Analysis 】

1. Select one wrongly learned route and check how it is locally crossed on ASBR1.

2. Determine through which Option A peer ASBR1 advertises the route to ASBR2, and whether ASBR1 should advertise it.

3. Check whether local crossing on ASBR2 is correct after it receives the route.

4. Analyze the results and find the root cause.
【Fault analysis】
1. Select the route 123.1.1.1/32 from CE-A1.

2. On ASBR1, the private route 123.1.1.1/32 of vpna is learned from CE-A1 and advertised to ASBR2 through the vpna Option A peer 12.1.1.2. At the same time, the private route 123.1.1.1/32 is locally crossed into vpnd and advertised to ASBR2 through the vpnd Option A peer 12.4.4.2.


<ASBR1>display bgp vpnv4 all routing-table 123.1.1.1 32
BGP local router ID : 1.1.1.1
Local AS number : 100

Total routes of Route Distinguisher(1:1): 1
BGP routing table entry information of 123.1.1.1/32:
From: 14.1.1.4 (1.1.1.4)
Route Duration: 00h21m57s
Direct Out-interface: Ethernet0/0/2.1
Original nexthop: 14.1.1.4
Qos information : 0x0
Ext-Community:RT <1 : 1>
AS-path 65001, origin igp, MED 0, pref-val 0, valid, external, best, select, pre 255
Not advertised to any peer yet


VPN-Instance vpna, Router ID 1.1.1.1:
Total Number of Routes: 1
BGP routing table entry information of 123.1.1.1/32:
From: 14.1.1.4 (1.1.1.4)
Route Duration: 23h37m42s
Direct Out-interface: Ethernet0/0/2.1
Original nexthop: 14.1.1.4
Qos information : 0x0
AS-path 65001, origin igp, MED 0, pref-val 0, valid, external, best, select, active, pre 255
Advertised to such 2 peers:

14.1.1.4
12.1.1.2  // route advertised to ASBR2 through the vpna Option A peer 12.1.1.2


VPN-Instance vpnd, Router ID 1.1.1.1:
Total Number of Routes: 1
BGP routing table entry information of 123.1.1.1/32:
From: 14.1.1.4 (1.1.1.4)
Route Duration: 00h21m57s
Direct Out-interface: Ethernet0/0/2.1
Original nexthop: 14.1.1.4
Qos information : 0x0
Ext-Community:RT <1 : 1> // route of vpna locally crossed to vpnd
AS-path 65001, origin igp, MED 0, pref-val 0, valid, external, best, select, active, pre 255
Advertised to such 2 peers:
14.4.4.4
12.4.4.2  // route advertised to ASBR2 through the vpnd Option A peer 12.4.4.2

Analysis:

The ERT (export vpn-target) of vpna is 1:1 and the IRT (import vpn-target) of vpnd includes 1:1, so locally crossing the private route 123.1.1.1/32 into vpnd is correct.

For ASBR1, CE-A1 is an Option A peer. Advertising the locally crossed vpnd route to peer 12.4.4.2 is also correct.



3. On ASBR2, the private route 123.1.1.1/32 of vpna is learned through the vpna peer 12.1.1.1 and advertised to CE-A2.
At the same time, ASBR2 learns the private route 123.1.1.1/32 of vpnd through the vpnd peer 12.4.4.1. This route is locally crossed into vpna (where it has lower priority), vpnb and vpnc, and is advertised to CE-B2, CE-C2 and CE-D2. That is why all four VPN instances learn the private route 123.1.1.1/32.

<ASBR2>display bgp vpnv4 all routing-table 123.1.1.1 32
BGP local router ID : 1.1.1.2
Local AS number : 200

Total routes of Route Distinguisher(1:1): 1
BGP routing table entry information of 123.1.1.1/32:
From: 12.1.1.1 (1.1.1.1)
Route Duration: 23h39m00s
Direct Out-interface: Ethernet0/0/0.1
Original nexthop: 12.1.1.1
Qos information : 0x0
Ext-Community:RT <1 : 1>
AS-path 100 65001, origin igp, pref-val 0, valid, external, best, select, pre 255
Not advertised to any peer yet

Total routes of Route Distinguisher(1:4): 1
BGP routing table entry information of 123.1.1.1/32:
From: 12.4.4.1 (1.1.1.1)
Route Duration: 00h23m15s
Direct Out-interface: Ethernet0/0/0.4
Original nexthop: 12.4.4.1
Qos information : 0x0
Ext-Community:RT <1 : 1>, RT <1 : 2>,
RT <1 : 3>, RT <1 : 4>
AS-path 100 65001, origin igp, pref-val 0, valid, external, best, select, pre 255
Not advertised to any peer yet

VPN-Instance vpna, Router ID 1.1.1.2:
Total Number of Routes: 2
BGP routing table entry information of 123.1.1.1/32:
From: 12.1.1.1 (1.1.1.1)
Route Duration: 23h39m00s
Direct Out-interface: Ethernet0/0/0.1
Original nexthop: 12.1.1.1
Qos information : 0x0
AS-path 100 65001, origin igp, pref-val 0, valid, external, best, select, active, pre 255
Advertised to such 2 peers:
12.1.1.1
23.1.1.3  // route advertised to CE-A2
BGP routing table entry information of 123.1.1.1/32:
From: 12.4.4.1 (1.1.1.1)
Route Duration: 00h23m15s
Direct Out-interface: Ethernet0/0/0.4
Original nexthop: 12.4.4.1
Qos information : 0x0
Ext-Community:RT <1 : 1>, RT <1 : 2>,
RT <1 : 3>, RT <1 : 4> // route of vpnd locally crossed to vpna

AS-path 100 65001, origin igp, pref-val 0, valid, external, pre 255, not preferred for peer type
Not advertised to any peer yet

VPN-Instance vpnb, Router ID 1.1.1.2:
Total Number of Routes: 1
BGP routing table entry information of 123.1.1.1/32:
From: 12.4.4.1 (1.1.1.1)
Route Duration: 00h23m15s
Direct Out-interface: Ethernet0/0/0.4
Original nexthop: 12.4.4.1
Qos information : 0x0
Ext-Community:RT <1 : 1>, RT <1 : 2>,

AS-path 100 65001, origin igp, pref-val 0, valid, external, best, select, active, pre 255
Advertised to such 2 peers:
12.2.2.1
23.2.2.3  // route advertised to CE-B2

 

VPN-Instance vpnc, Router ID 1.1.1.2:
Total Number of Routes: 1
BGP routing table entry information of 123.1.1.1/32:
From: 12.4.4.1 (1.1.1.1)
Route Duration: 00h23m15s
Direct Out-interface: Ethernet0/0/0.4
Original nexthop: 12.4.4.1
Qos information : 0x0
Ext-Community:RT <1 : 1>, RT <1 : 2>,
RT <1 : 3>, RT <1 : 4> // route of vpnd locally crossed to vpnc

AS-path 100 65001, origin igp, pref-val 0, valid, external, best, select, active, pre 255
Advertised to such 2 peers:
12.3.3.1
23.3.3.3  // route advertised to CE-C2

VPN-Instance vpnd, Router ID 1.1.1.2:
Total Number of Routes: 2
BGP routing table entry information of 123.1.1.1/32:
From: 12.4.4.1 (1.1.1.1)
Route Duration: 00h23m15s
Direct Out-interface: Ethernet0/0/0.4
Original nexthop: 12.4.4.1
Qos information : 0x0
AS-path 100 65001, origin igp, pref-val 0, valid, external, best, select, active, pre 255
Advertised to such 2 peers:
12.4.4.1
23.4.4.3  // route advertised to CE-D2
BGP routing table entry information of 123.1.1.1/32:
From: 12.1.1.1 (1.1.1.1)
Route Duration: 23h39m00s
Direct Out-interface: Ethernet0/0/0.1
Original nexthop: 12.1.1.1
Qos information : 0x0
Ext-Community:RT <1 : 1>
AS-path 100 65001, origin igp, pref-val 0, valid, external, pre 255, not preferred for peer type
Not advertised to any peer yet

Analysis:
The ERT (export vpn-target) of vpnd is 1:1, 1:2, 1:3 and 1:4, while the IRT (import vpn-target) of vpna is 1:1, of vpnb is 1:2 and of vpnc is 1:3. Locally crossing the private route 123.1.1.1/32 is therefore correct. Crossing the route into vpnb and vpnc and advertising it to CE-B2 and CE-C2 is also correct.

4. As described above, local crossing and route advertisement are both correct on ASBR1 and ASBR2. The key point is that vpnd crosses routes into the other VPN instances: ASBR2 learns the route through vpnd and then crosses it from vpnd into the other VPN instances.
Other private routes cross into the other VPN instances in the same way, so the VPN instances can learn one another's routes.

 

Root Cause
The new vpnd locally crosses routes with the other VPN instances. As a result, ASBR2 learns routes through vpnd and crosses them into the other VPN instances.
Solution

【 solution 1 】

On ASBR1, configure an export policy on the vpnd Option A peer. The rules of the policy are:
(1) Advertise only the routes that belong to vpnd, which include, among others, VPNv4 routes crossed into vpnd through IRT 1:4.
(2) Do not advertise routes that come from the other VPN instances, that is, VPNv4 routes crossed into vpnd through IRT 1:1, 1:2 or 1:3, and routes of the other VPN instances locally crossed into vpnd.
With these rules in place, ASBR2 does not receive the routes from CE-A1 through the vpnd Option A peer.

The routes that belong to vpnd on ASBR1 come from two sources:
1. VPNv4 routes with extcommunity <1:4> crossed into vpnd through IRT 1:4
2. VPNv4 routes without an extcommunity learned through the other peers of vpnd
The policy can be configured on ASBR1 as follows:


ip extcommunity-filter 1 permit 1:4
ip extcommunity-filter 200 permit [0-9]
#
route-policy rp-asbr2-vpnd permit node 10
 if-match extcommunity-filter 1
route-policy rp-asbr2-vpnd deny node 20
 if-match extcommunity-filter 200
route-policy rp-asbr2-vpnd permit node 100
#
bgp 100
 ipv4-family vpn-instance vpnd
  peer 12.4.4.2 route-policy rp-asbr2-vpnd export

 

Control the routes advertised to ASBR1 in the same way.

Note: In a scenario with local crossing only (no PE), "route-policy rp-asbr2-vpnd node 10" and "extcommunity-filter 1" do not need to be configured.
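
The leak analysed above and the effect of the export policy in solution 1 can be reproduced with a small model of vpn-target matching. This is an added example, not part of the original case or of any vendor tool. It assumes each instance uses the same vpn-target values for import and export, as listed in the issue description, and the function names are hypothetical.

```python
# Added illustration: simplified model of RT-based local crossing on two
# Option A ASBRs. Assumption: import RT set == export RT set per instance.
VPN_TARGETS = {
    "vpna": {"1:1"},
    "vpnb": {"1:2"},
    "vpnc": {"1:3"},
    "vpnd": {"1:1", "1:2", "1:3", "1:4"},
}

def local_cross(src_vrf):
    """Return {vrf: extcommunities on its copy} for a route learned in src_vrf."""
    export_rts = VPN_TARGETS[src_vrf]
    copies = {src_vrf: set()}  # the native copy shows no Ext-Community
    for vrf, import_rts in VPN_TARGETS.items():
        if vrf != src_vrf and import_rts & export_rts:
            copies[vrf] = set(export_rts)  # crossed copy keeps the exporter's RTs
    return copies

def rp_asbr2_vpnd(rts):
    """Model of route-policy rp-asbr2-vpnd, nodes evaluated in order."""
    if "1:4" in rts:   # node 10: permit, extcommunity-filter 1 (1:4)
        return True
    if rts:            # node 20: deny, extcommunity-filter 200 (any RT)
        return False
    return True        # node 100: permit routes without an extcommunity

def vrfs_on_asbr2(src_vrf, policy_on_vpnd_peer):
    """VRFs on ASBR2 that hold a route ASBR1 learned from a CE in src_vrf."""
    holders = set()
    for vrf, rts in local_cross(src_vrf).items():      # crossing on ASBR1
        if policy_on_vpnd_peer and vrf == "vpnd" and not rp_asbr2_vpnd(rts):
            continue  # filtered on the vpnd session towards 12.4.4.2
        # Option A: the per-VRF EBGP session carries a plain IPv4 route, so
        # ASBR2 re-exports it with the RTs of the VRF it arrived in.
        holders |= set(local_cross(vrf))               # crossing on ASBR2
    return holders

if __name__ == "__main__":
    for src in ("vpna", "vpnd"):
        for policy in (False, True):
            print(src, "policy" if policy else "no policy",
                  sorted(vrfs_on_asbr2(src, policy)))
```

Without the policy, a vpna route ends up in all four instances on ASBR2. With it, the route stays in vpna and vpnd, while routes native to vpnd are still advertised.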

【 solution 2 】

Use inter-AS VPN Option B, in which the ASBRs advertise routes to each other through a VPNv4 peer relationship. When ASBR1 receives routes from CE-A1, it advertises only VPNv4 routes with extcommunity 1:1 to ASBR2. ASBR1 does not advertise routes through a vpnd peer, so ASBR2 does not receive private routes from vpnd and receives only the VPNv4 routes with extcommunity 1:1.

Matching is based on the IRT, so the routes are locally crossed only into vpna and vpnd, not into vpnb and vpnc.
For configuration details, refer to the BGP MPLS IP VPN configuration chapter of the configuration guide.
