© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—5-1
MPLS VPN Implementation
Configuring BGP as the Routing Protocol Between PE and CE Routers
Outline
• Overview
• Configuring a per-VRF BGP Routing Context
• What Are the Reasons for Limiting the Number of Routes in a VRF?
• Limiting the Number of Prefixes Received from a BGP Neighbor
• Limiting the Total Number of VRF Routes
• Identifying AS-Override Issues
• Identifying Allowas-in Issues
• Implementing SOO for Loop Prevention
• Summary
Configuring per-VRF BGP Routing Context
Router(config)#
router bgp as-number
 address-family ipv4 vrf vrf-name
  ... Per-VRF BGP definitions ...
• Select the per-VRF BGP context with the address-family command.
• Configure CE EBGP neighbors in the VRF context, not in the global BGP configuration.
• CE neighbors have to be activated with the neighbor activate command.
Configuring per-VRF BGP Routing Context (Cont.)
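The following configuration is an added example, not taken from the course slides. It uses the AS numbers that appear in this module (provider AS 65115, customer AS 65213); the VRF name Customer_A, the interface, the route distinguisher and all IP addresses are assumptions chosen for illustration.

```cisco
! Added example (not from the original slides). Provider AS 65115, customer AS 65213.
! VRF name, RD/RT values, interface and addresses are assumptions.
ip vrf Customer_A
 rd 65115:1
 route-target export 65115:1
 route-target import 65115:1
!
interface GigabitEthernet0/1
 ip vrf forwarding Customer_A
 ip address 10.1.1.1 255.255.255.252
!
router bgp 65115
 ! Global context: only the MP-BGP session to the other PE lives here.
 ! The CE neighbor must NOT be defined at this level.
 neighbor 192.168.0.2 remote-as 65115
 neighbor 192.168.0.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 192.168.0.2 activate
  neighbor 192.168.0.2 send-community extended
 exit-address-family
 !
 ! Per-VRF context: the CE EBGP neighbor is defined AND activated here.
 address-family ipv4 vrf Customer_A
  neighbor 10.1.1.2 remote-as 65213
  neighbor 10.1.1.2 activate
 exit-address-family
```

A quick check that the CE session came up in the right context is `show ip bgp vpnv4 vrf Customer_A summary`; a CE neighbor that was mistakenly configured under the global `router bgp` stanza shows up in `show ip bgp summary` instead and its routes land in the global table rather than the VRF.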
Limiting the Number of Routes in a VRF
• SPs offering MPLS VPN services are at risk of denial-of-service attacks similar to those aimed at SPs offering BGP connectivity:
– Any customer can generate any number of routes, consuming memory and CPU resources on the PE routers.
• Therefore, the resources used by a single customer have to be limited.
• Cisco IOS software offers two solutions:
– It can limit the number of routes received from a BGP neighbor.
– It can limit the total number of routes in a VRF.
Limiting the Number of Prefixes Received from a BGP Neighbor
Router(config-router-af)#
neighbor ip-address maximum-prefix maximum [threshold] [warning-only]
• Controls how many prefixes can be received from a neighbor.
• The optional threshold parameter specifies the percentage of the maximum at which a warning message is logged (default is 75 percent).
• The optional warning-only keyword specifies the action on exceeding the maximum: only a warning is logged and the session stays up (default is to drop the peering).
Limiting the Total Number of VRF Routes
• The VRF maximum routes command limits the number of routes that are installed in a VRF:
– Routes coming from CE routers
– Routes coming from other PE routers (imported routes)
• The route limit is configured for each VRF.
• If the number of routes exceeds the route limit:
– A syslog message is generated.
– Unless the warn-only option is used, the Cisco IOS software also rejects routes beyond the limit.
Limiting the Total Number of VRF Routes (Cont.)
Router(config-vrf)#
maximum routes limit {warn-threshold | warn-only}
• This command configures the maximum number of routes accepted into a VRF:
– The limit parameter is the route limit for the VRF.
– The warn-threshold parameter is the percentage of the limit at which a warning message is sent to syslog; routes beyond the limit are rejected.
– The warn-only option only generates a syslog warning message when the route limit is exceeded; routes are not rejected.
• Syslog messages generated by this command are rate-limited.
Limiting the Total Number of VRF Routes (Cont.)
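The configuration below is an added example that combines both limits from the preceding slides (the per-neighbor maximum-prefix and the per-VRF maximum routes); it is not code from the course. Provider AS 65115 and customer AS 65213 are the AS numbers used in this module; the VRF name, addresses and the numeric limits are assumptions.

```cisco
! Added example (not from the original slides). VRF name, addresses and limits are assumptions.
ip vrf Customer_A
 rd 65115:1
 route-target both 65115:1
 ! Hard VRF limit: at most 1000 routes (CE-learned plus routes imported from other PEs).
 ! A warning is logged at 80 percent; routes above 1000 are rejected.
 maximum routes 1000 80
!
router bgp 65115
 address-family ipv4 vrf Customer_A
  neighbor 10.1.1.2 remote-as 65213
  neighbor 10.1.1.2 activate
  ! Per-neighbor limit: at most 500 prefixes from this CE, warning at 75 percent.
  ! Default action when 500 is exceeded: the session is torn down.
  neighbor 10.1.1.2 maximum-prefix 500 75
 exit-address-family
!
! Weaker, monitoring-only variants of the same two limits (log, never reject):
!   maximum routes 1000 warn-only
!   neighbor 10.1.1.2 maximum-prefix 500 75 warning-only
! These protect nothing by themselves; use them only while sizing a limit,
! then switch to the enforcing form above.
```

Note the difference in what the two limits protect: maximum-prefix guards one EBGP session against one CE, while maximum routes caps the whole VRF table, including routes that arrive through MP-BGP from other PEs and therefore from other sites of the same customer. Without the warning-only keyword a neighbor that exceeds its prefix limit stays down until the session is cleared (clear ip bgp ...), so the threshold should be well above the customer's normal prefix count. `show ip bgp vpnv4 vrf Customer_A summary` shows the current prefix count per neighbor, and `show ip route vrf Customer_A summary` the VRF total.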
AS-Override: The Issue
The customer wants to reuse the same AS number (65213) on several sites:
• CE-BGP-A1 announces network 10.1.0.0/16 to PE-Site-X.
• The prefix announced by CE-BGP-A1 is propagated to PE-Site-Y as an internal route through MP-BGP.
• PE-Site-Y prepends the provider AS number (65115) to the AS path and propagates the prefix to CE-BGP-A2.
• CE-BGP-A2 drops the update because its own AS number (65213) is already in the AS path.
AS-Override: Implementation
• New AS path update procedures have been implemented to reuse the same AS number on all VPN sites.
• The procedures allow the use of private and public AS numbers.
• The same AS number may be used for all sites.
AS-Override: Implementation (Cont.)
• With AS-override configured, the AS path update procedure on the PE router is as follows:
– If the first AS number in the AS path is equal to the neighboring AS, it is replaced with the provider AS number.
– If the first AS number has multiple occurrences (because of AS path prepend), all occurrences are replaced with the provider AS number.
– After this operation, the provider AS number is prepended to the AS path.
AS-Override: Command
Router(config-router-af)#
neighbor ip-address as-override
• This command configures the AS-override AS path update procedure for the specified neighbor.
• AS-override is configured for CE EBGP neighbors in the VRF address family of the BGP process.
AS-Override: Example
PE-Site-Y replaces AS 65213 with AS 65115 in the AS path, prepends another copy of AS 65115 to the AS path, and propagates the prefix.
AS-Override: AS-Path Prepending
PE-Site-Y replaces all occurrences of AS 65213 with AS 65115 in the AS path, prepends another copy of AS 65115 to the AS path, and propagates the prefix.
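The configuration below is an added example for the AS-override slides above, not code from the course. It shows PE-Site-Y (provider AS 65115) facing CE-BGP-A2 (customer AS 65213), the AS numbers used in this module, and traces the AS path of 10.1.0.0/16 with and without the feature, including the prepend case. The VRF name and addresses are assumptions.

```cisco
! Added example (not from the original slides). Provider AS 65115, customer AS 65213;
! VRF name and addresses are assumptions.
router bgp 65115
 address-family ipv4 vrf Customer_A
  neighbor 10.2.2.2 remote-as 65213
  neighbor 10.2.2.2 activate
  ! Replace leading occurrences of the neighbor AS (65213) with 65115 before
  ! the update is sent to CE-BGP-A2.
  neighbor 10.2.2.2 as-override
 exit-address-family
!
! AS_PATH of 10.1.0.0/16 (originated by CE-BGP-A1, AS 65213) at each hop:
!   CE-BGP-A1 -> PE-Site-X                 : 65213
!   held in MP-BGP (VPNv4) on PE-Site-Y     : 65213
!   PE-Site-Y -> CE-BGP-A2, no as-override  : 65115 65213        (CE drops: own AS in path)
!   PE-Site-Y -> CE-BGP-A2, as-override     : 65115 65115        (accepted)
!
! Same prefix when CE-BGP-A1 prepends its AS once (AS_PATH 65213 65213):
!   PE-Site-Y -> CE-BGP-A2, as-override     : 65115 65115 65115  (all copies replaced,
!                                                                 then 65115 prepended)
```

`show ip bgp vpnv4 vrf Customer_A 10.1.0.0` on PE-Site-Y still shows the original path with 65213, because the rewrite happens only on the outbound update; the rewritten path is visible with `show ip bgp vpnv4 vrf Customer_A neighbors 10.2.2.2 advertised-routes`. The price of the feature is that CE-BGP-A2 can no longer recognize its own prefixes by AS path, so a multihomed site configured this way needs the SOO check described later in this module.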
Allowas-in: The Issue
• Customer site links two VPNs
• Not a usual setup (traffic between VPNs should not flow over the customer site)
• Sometimes used for enhanced security (for example, to force all traffic between the two VPNs through a customer-controlled device at that site)
Allowas-in: The Issue (Cont.)
• VPN perspective: VPN-A is connected to VPN-B via CE-AB.
• Physical topology: The CE-AB router is dual-connected to the PE routers.
• MPLS VPN perspective: The CE-AB router has two links into the P-network.
• BGP perspective shows issue: The CE-AB router has two connections to AS 65115.
Allowas-in: The Issue (Cont.)
• PE-1 announces network 10.1.0.0/16 to CE-AB.
• CE-AB prepends its AS number to the AS path and propagates the prefix to PE-2.
• PE-2 drops the update because its own AS number (65115) is already in the AS path.
• Fixing this on the customer side would require AS-override on CE-AB, which may require a Cisco IOS software upgrade on the CE router.
Allowas-in: Implementation
The allowas-in BGP option relaxes the AS path loop check on the PE router:
• The number of permitted occurrences of the PE router AS number is limited, so that real routing loops are still suppressed.
• The limit has to be configured.
• The PE router rejects the update only if its AS number appears in the AS path more often than the configured limit.
Allowas-in: Command
Router(config-router-af)#
neighbor ip-address allowas-in [number]
• This command relaxes the traditional BGP AS path loop check for the specified CE neighbor (if number is omitted, the default is 3).
• An incoming update is rejected only if the AS number of the PE router appears in the AS path more often than the configured limit.
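The configuration below is an added example for the allowas-in slides, not code from the course. PE-2 is in provider AS 65115 as in the slides; the customer AS of CE-AB (65213, reused from the AS-override example), the VRF name and the addresses are assumptions. The comment block traces the loop check for a legitimate update and for a genuinely looped one.

```cisco
! Added example (not from the original slides). PE-2 in AS 65115; CE-AB's AS (65213),
! VRF name and addresses are assumptions.
router bgp 65115
 address-family ipv4 vrf VPN_B
  neighbor 10.3.3.2 remote-as 65213
  neighbor 10.3.3.2 activate
  ! Accept updates in which 65115 appears at most ONCE. Use the smallest
  ! value that works for the topology; a larger value weakens loop detection.
  neighbor 10.3.3.2 allowas-in 1
 exit-address-family
!
! AS_PATH of 10.1.0.0/16 as received by PE-2 from CE-AB (PE-1 sent "65115",
! CE-AB prepended its own AS):
!   65213 65115
!   default loop check : 65115 present           -> update rejected
!   allowas-in 1       : 1 occurrence, 1 <= 1    -> update accepted
!
! A path that really looped through the provider twice, for example
!   65213 65115 65213 65115
!   allowas-in 1       : 2 occurrences, 2 > 1    -> update rejected
```

The limit is per neighbor, so it is applied only on the PE-2 side of CE-AB (the session that receives the routes that already carry 65115), not on every CE neighbor in the VRF. Verify with `show ip bgp vpnv4 vrf VPN_B 10.1.0.0`, which shows the accepted path including the provider AS.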
Implementing SOO for Loop Prevention
AS path-based BGP loop prevention is bypassed with the AS-override and allowas-in features, so a prefix can be re-learned by the site that originated it.
Implementing SOO for Loop Prevention (Cont.)
• The SOO attribute (a BGP extended community) can be used to prevent loops in these scenarios.
• The SOO attribute is needed only for multihomed sites.
• When EBGP is run between PE and CE routers, the SOO attribute is set through an inbound route map on the CE neighbor.
• For other routing protocols, the SOO attribute can be applied to routes learned through a particular VRF interface when they are redistributed into BGP.
Implementing SOO for Loop Prevention (Cont.)
Inbound EBGP Update
Router(config)#
route-map name permit seq
 match conditions
 set extcommunity soo extended-community-value
• Creates a route map that sets the SOO attribute.
Router(config-router-af)#
neighbor ip-address route-map name in
• Applies the inbound route map to the CE EBGP neighbor.
Implementing SOO for Loop Prevention (Cont.)
Other Inbound Routing Updates
Router(config-if)#
ip vrf sitemap route-map-name
• Applies a route map that sets the SOO extended community attribute to inbound routing updates received from this interface.
Implementing SOO for Loop Prevention (Cont.)
Router(config)#
ip extcommunity-list number permit soo value
!
route-map name deny seq
 match extcommunity number
!
route-map name permit 9999
• Defines a route map that discards routes carrying the SOO value of the site the update is sent to and permits all other routes.
Router(config-router-af)#
neighbor ip-address route-map name out
• Applies the route map to outbound updates sent to the EBGP CE neighbor.
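The configuration below is an added example that carries the whole SOO procedure from the preceding slides through on one PE: tagging inbound routes from a multihomed site, filtering them on the way back out to that site, and the interface-based variant for a non-BGP PE-CE protocol. It is not code from the course. Provider AS 65115 and customer AS 65213 are the AS numbers used in this module; the SOO value 65115:1 (meaning "site 1"), the VRF name, route-map and list names, interfaces and addresses are assumptions.

```cisco
! Added example (not from the original slides). Provider AS 65115, customer AS 65213.
! SOO value 65115:1, VRF/route-map/list names, interfaces and addresses are assumptions.
!
! (1) Tag every route learned from site 1 with that site's SOO.
route-map SOO-SITE1-IN permit 10
 set extcommunity soo 65115:1
!
! (2) Never send a route carrying site 1's own SOO back to site 1,
!     even though as-override / allowas-in would let the CE accept it.
ip extcommunity-list 1 permit soo 65115:1
!
route-map SOO-SITE1-OUT deny 10
 match extcommunity 1
route-map SOO-SITE1-OUT permit 9999
!
router bgp 65115
 address-family ipv4 vrf Customer_A
  neighbor 10.1.1.2 remote-as 65213
  neighbor 10.1.1.2 activate
  neighbor 10.1.1.2 as-override
  neighbor 10.1.1.2 route-map SOO-SITE1-IN in
  neighbor 10.1.1.2 route-map SOO-SITE1-OUT out
 exit-address-family
!
! (3) The same site attached to this PE over a non-BGP PE-CE protocol:
!     tag the routes on the VRF interface when they are redistributed into BGP.
interface GigabitEthernet0/2
 ip vrf forwarding Customer_A
 ip vrf sitemap SOO-SITE1-IN
```

The SOO value is carried inside MP-BGP with the rest of the extended communities, so the second PE that connects site 1 must use the same value in its own inbound tagging and outbound filter; with two different values the filter on either PE never matches and the loop protection is silently absent. Because SOO travels as an extended community, the VPNv4 sessions between the PEs need `send-community extended`, which is already required for route targets. `show ip bgp vpnv4 vrf Customer_A 10.1.0.0` lists the extended communities of a prefix, and the deny line in SOO-SITE1-OUT can be confirmed with `show route-map SOO-SITE1-OUT`, whose per-clause match counters increase when a looped route is suppressed.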
Summary
• Use the address-family ipv4 vrf vrf-name command in the BGP routing process to configure a per-VRF BGP routing context.
• SPs offering MPLS VPN services are at risk of denial-of-service attacks. Limiting VRF tables is one method to prevent such attacks.
• Use the neighbor maximum-prefix command to limit the number of prefixes received from a BGP neighbor.
• Use the maximum routes command to limit the total number of VRF routes.
Summary (Cont.)
• BGP loop detection prevents customers from reusing their AS number on several sites. The neighbor ip-address as-override command resolves this by replacing the customer AS number with the provider AS number in updates sent to the CE.
• By default, a customer site cannot link two VPNs, because both of its connections lead to the same provider AS and BGP loop detection on the PE rejects the updates. The neighbor ip-address allowas-in number command relaxes the AS path check and permits such routing updates.
• The SOO extended BGP community is used as a loop prevention mechanism for multihomed customer sites.