Inter-AS Model A VPRN in Nokia SROS – VPN Layer 3 Option A

Inter-AS Model A VPRN, also known as Layer 3 VPN Option A, is a first design for inter-AS information exchange. This article investigates how an Inter-AS Model A VPRN can be used to connect two VPN sites attached to different ASes, using Nokia SROS routers (7750 SR).

Topology and Prepare

We will configure an Inter-AS Model A VPRN to provide Layer 3 connectivity between VPN site 1 and VPN site 2, which are connected to different ASes. This article does not cover the basic configuration (ports, interfaces, LDP, OSPF, BGP…). The overall configuration can be downloaded from the link at the end of the article.

Figure: detailed topology for the Inter-AS Model A VPRN

CE:

  • Configure BGP family ipv4 with the PE
  • Advertise the system IP address into BGP

PE:

  • Configure OSPF and LDP within the AS
  • Configure BGP family vpn-ipv4 with the ASBR
  • Create VPRN 10: PE1 using RT and RD 64501:10, PE2 using RT and RD 64502:10. Ensure that the VPRN has an IP interface and a BGP session to CE5 and CE6.

ASBR:

  • Configure OSPF and LDP within the AS
  • Configure BGP family vpn-ipv4 with the PE

Configuration on the ASBRs to advertise VPN routes

1. Configure VPRN 10 on ASBR3

On PE1, examine the VPN routes advertised to ASBR3.

A:PE1# show router bgp neighbor 10.10.10.3 advertised-routes vpn-ipv4 
===============================================================================
 BGP Router ID:10.10.10.1       AS:64501       Local AS:64501      
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
i     64501:10:192.168.0.5/32                            100         None
      10.10.10.1                                         None        n/a
      64496                                                          524286
i     64501:10:192.168.5.0/24                            100         None
      10.10.10.1                                         None        n/a
      No As-Path                                                     524286
-------------------------------------------------------------------------------
Routes : 2                            
===============================================================================

ASBR3 is discarding the VPN routes because it does not have a configured VPRN that accepts these routes. Configure VPRN 10 on ASBR3 using RD and RT 64501:10.

##Configure VPRN 10 on ASBR3. Use RD and RT 64501:10
/configure service vprn 10 customer 1 create
autonomous-system 64501
route-distinguisher 64501:10
auto-bind-tunnel resolution filter
auto-bind-tunnel resolution-filter ldp
vrf-target target:64501:10
no shutdown

VRF 10 contains two routes: the system address of CE5 and the address of the VRF interface toward CE5.

A:ASBR3# show router 10 route-table 

===============================================================================
Route Table (Service: 10)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric   
-------------------------------------------------------------------------------
192.168.0.5/32                                Remote  BGP VPN   00h08m38s  170
       10.10.10.1 (tunneled)                                        2
192.168.5.0/24                                Remote  BGP VPN   00h08m38s  170
       10.10.10.1 (tunneled)                                        2
-------------------------------------------------------------------------------
No. of Routes: 4
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

2. Configure a SAP toward ASBR4 on ASBR3’s VPRN

Use a VLAN tag of 10 and an IP address of 172.16.4.3/29.

/configure port 1/1/1
ethernet mode access
ethernet encap-type dot1q
no shutdown

/configure service vprn 10
interface to-ASBR4 create
address 172.16.4.3/29
sap 1/1/1:10 create

3. Configure VPRN 10 on ASBR4

Use RD and RT 64502:10.

/configure service vprn 10 customer 1 create
autonomous-system 64502
route-distinguisher 64502:10
auto-bind-tunnel resolution filter
auto-bind-tunnel resolution-filter ldp
vrf-target target:64502:10
no shutdown

4. Configure a SAP toward ASBR3 on ASBR4’s VPRN

Use a VLAN tag of 10 and an IP address of 172.16.4.4/29.

/configure port 1/1/1
ethernet mode access
ethernet encap-type dot1q
no shutdown

/configure service vprn 10
interface to-ASBR3 create
address 172.16.4.4/29
sap 1/1/1:10 create

5. Configure an eBGP session between ASBR3 and ASBR4 over the VPRN 10 interface

ASBR3 must advertise only the system address of CE5 to ASBR4. ASBR4 must advertise only the system address of CE6 to ASBR3.

##ASBR3##
/configure router policy-options
begin
prefix-list "VPN10_LOCAL_CE" prefix 192.168.0.5/32 exact
policy-statement "VPN10_EXPORT"
entry 10
from protocol bgp-vpn
from prefix-list "VPN10_LOCAL_CE"
action accept
exit
exit
default-action reject
exit
commit

/configure service vprn 10 bgp
group "to-ASBR4"
neighbor 172.16.4.4
export "VPN10_EXPORT"
peer-as 64502

##ASBR4##
/configure router policy-options
begin
prefix-list "VPN10_LOCAL_CE" prefix 192.168.0.6/32 exact
policy-statement "VPN10_EXPORT"
entry 10
from protocol bgp-vpn
from prefix-list "VPN10_LOCAL_CE"
action accept
exit
exit
default-action reject
exit
commit

/configure service vprn 10 bgp
group "to-ASBR3"
neighbor 172.16.4.3
export "VPN10_EXPORT"
peer-as 64501

6. Verify that the VPRN 10 BGP session is successfully established between the ASBRs.

A:ASBR3# show router 10 bgp summary all 

===============================================================================
BGP Summary
===============================================================================
Legend : D - Dynamic Neighbor
===============================================================================
Neighbor
Description
ServiceId          AS PktRcvd InQ  Up/Down   State|Rcv/Act/Sent (Addr Family)
                      PktSent OutQ
-------------------------------------------------------------------------------
10.10.10.1
Def. Instance  64501       58    0 00h26m48s 2/2/2 (VpnIPv4)
                           58    0           

172.16.4.4
Svc: 10        64502       59    0 00h27m30s 1/1/1 (IPv4)
                           59    0           
-------------------------------------------------------------------------------

7. Examine the routes exchanged between the ASBRs.

The ASBRs treat each other as CE routers and exchange IPv4 routes with no labels.

A:ASBR3#  show router 10 bgp neighbor 172.16.4.4 advertised-routes 
===============================================================================
 BGP Router ID:10.10.10.3       AS:64501       Local AS:64501      
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
i     192.168.0.5/32                                     n/a         None
      172.16.4.3                                         None        n/a
      64501 64496                                                    -
-------------------------------------------------------------------------------
Routes : 1
===============================================================================

A:ASBR4# show router 10 bgp neighbor 172.16.4.3 advertised-routes
...
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
i     192.168.0.6/32                                     n/a         None
      172.16.4.4                                         None        n/a
      64502 64497                                                    -
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
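
A check for step 5's requirement that each ASBR advertises only its local CE system address, unlabeled, run over `advertised-routes` output like that in step 7. This is an added example, not part of the original article; the function names, the allow-list and the constructed sample (which adds 192.168.5.0/24 to show a violation) are assumptions, and the parser handles IPv4 and VPN-IPv4 rows only.

```python
import ipaddress
import re

# Constructed sample in the layout of the step 7 output. The second route (the
# PE1-CE5 subnet held in ASBR3's VRF) is added to show an export-policy gap.
SAMPLE = """\
BGP IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
i     192.168.0.5/32                                     n/a         None
      172.16.4.3                                         None        n/a
      64501 64496                                                    -
i     192.168.5.0/24                                     n/a         None
      172.16.4.3                                         None        n/a
      64501                                                          -
-------------------------------------------------------------------------------
Routes : 2
"""

RULE = re.compile(r"^-{20,}\s*$")          # dashed separator around the route rows
COUNT = re.compile(r"^Routes\s*:\s*(\d+)", re.MULTILINE)


def parse_advertised_routes(text):
    """Parse the three-line route records between the two dashed separators."""
    lines = text.splitlines()
    rules = [i for i, line in enumerate(lines) if RULE.match(line)]
    if len(rules) < 2:
        return []
    body = [ln for ln in lines[rules[0] + 1:rules[1]] if ln.strip()]
    routes = []
    for i in range(0, len(body) - 2, 3):
        net_row, hop_row, path_row = (row.split() for row in body[i:i + 3])
        as_path = path_row[:-1]
        routes.append({
            "flags": net_row[0],
            "network": net_row[1],           # may carry an RD prefix (VPN-IPv4)
            "nexthop": hop_row[0],
            "as_path": [] if as_path == ["No", "As-Path"] else as_path,
            "label": path_row[-1],           # "-" means no label
        })
    return routes


def audit(text, allowed, expect_unlabeled=True):
    """Return findings for routes outside `allowed` or, optionally, labeled."""
    allowed_nets = {ipaddress.ip_network(p) for p in allowed}
    routes = parse_advertised_routes(text)
    findings = []
    stated = COUNT.search(text)
    if stated and int(stated.group(1)) != len(routes):
        findings.append(f"parsed {len(routes)} routes, output states {stated.group(1)}")
    for r in routes:
        # Drop the RD ("64501:10:") if present; IPv4 prefixes only.
        prefix = ipaddress.ip_network(r["network"].rsplit(":", 1)[-1])
        if prefix not in allowed_nets:
            findings.append(f"{prefix}: not in allow-list")
        if expect_unlabeled and r["label"] != "-":
            findings.append(f"{prefix}: advertised with label {r['label']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, ["192.168.0.5/32"]):
        print("VIOLATION", finding)
```

Run with `expect_unlabeled=False` and an allow-list of the CE system addresses against the step 8 VPN-IPv4 output, the same check reports `172.16.4.0/29`, the inter-ASBR link subnet that ASBR4 also advertises to PE2.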

8. Examine the routes advertised by ASBR4 to PE2.

ASBR4 learns CE5’s system address from ASBR3 over its VPRN 10 interface and places the route in its VRF. It adds the configured RD and RT 64502:10, allocates VPN label 524286, and automatically advertises the route to its MP-iBGP peers.

A:ASBR4# show router bgp neighbor 10.10.10.2 advertised-routes vpn-ipv4 
===============================================================================
 BGP Router ID:10.10.10.4       AS:64502       Local AS:64502      
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag  Network                                            LocalPref   MED
      Nexthop (Router)                                   Path-Id     IGP Cost
      As-Path                                                        Label
-------------------------------------------------------------------------------
i     64502:10:172.16.4.0/29                             100         None
      10.10.10.4                                         None        n/a
      No As-Path                                                     524286
i     64502:10:192.168.0.5/32                            100         None
      10.10.10.4                                         None        n/a
      64501 64496                                                    524286
-------------------------------------------------------------------------------
Routes : 2                            
===============================================================================

9. Examine in detail the route received by PE2 for CE5’s system address.

The Next-Hop for the route is the system address of the local ASBR4. PE2 needs to have a tunnel to ASBR4 and does not need to learn PE1’s system address.

A:PE2# show router bgp routes 192.168.0.5/32 vpn-ipv4 detail 
===============================================================================
 BGP Router ID:10.10.10.2       AS:64502       Local AS:64502      
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Original Attributes
 
Network        : 192.168.0.5/32
Nexthop        : 10.10.10.4
Route Dist.    : 64502:10               VPN Label      : 524286
Path Id        : None                   
From           : 10.10.10.4
Res. Nexthop   : n/a
Local Pref.    : 100                    Interface Name : to-ASBR4
Aggregator AS  : None                   Aggregator     : None
Atomic Aggr.   : Not Atomic             MED            : None
AIGP Metric    : None                   IGP Cost       : 2
Connector      : None
Community      : target:64502:10
Cluster        : No Cluster Members
Originator Id  : None                   Peer Router Id : 10.10.10.4
Flags          : Used Valid Best IGP 
Route Source   : Internal
AS-Path        : 64501 64496 
Route Tag      : 0                      
Neighbor-AS    : 64501
Orig Validation: N/A                    
Add Paths Send : Default                
Last Modified  : 00h39m47s              
VPRN Imported  :  10

Export BGP-VPN to BGP in PE

For the CE to receive the routes learned through the BGP-VPN family, an export policy must be configured on the PE router.

##PE1 and PE2##
/configure router policy-options
begin
policy-statement "EXPORT-TO-CE"
entry 10
from protocol bgp-vpn
to protocol bgp
action accept
exit
exit
exit
commit

/configure service vprn 10 bgp group "PE-CE" export "EXPORT-TO-CE"

Verify the route table of CE6:

A:CE6# show router route-table 

===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric   
-------------------------------------------------------------------------------
172.16.4.0/29                                 Remote  BGP       00h47m42s  170
       192.168.6.2                                                  0
192.168.0.5/32                                Remote  BGP       00h47m42s  170
       192.168.6.2                                                  0
192.168.0.6/32                                Local   Local     00h50m40s  0
       system                                                       0
192.168.6.0/24                                Local   Local     00h50m05s  0
       to-PE2                                                       0
-------------------------------------------------------------------------------
No. of Routes: 4
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

PE2 receives CE5’s system address from ASBR4 as a VPN-IPv4 route and imports it to VRF 10 based on RT 64502:10. The route is then advertised to CE6 based on the export policy applied on the VPRN 10 BGP session.

Verify that CE6 can ping CE5’s system address.

A:CE6# ping 192.168.0.5 source 192.168.0.6 
PING 192.168.0.5 56 data bytes
64 bytes from 192.168.0.5: icmp_seq=1 ttl=60 time=63.2ms.
64 bytes from 192.168.0.5: icmp_seq=2 ttl=60 time=34.5ms.
64 bytes from 192.168.0.5: icmp_seq=3 ttl=60 time=8.27ms.
64 bytes from 192.168.0.5: icmp_seq=4 ttl=60 time=50.7ms.
64 bytes from 192.168.0.5: icmp_seq=5 ttl=60 time=3.05ms.

---- 192.168.0.5 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 3.05ms, avg = 31.9ms, max = 63.2ms, stddev = 23.4ms
A:CE6# 

Describe the label forwarding

Consider the labels that PE2 pushes on a data packet destined for CE5. PE2 pushes two labels: the inner label is the VPN label advertised by ASBR4 for the VPN-IPv4 route, and the outer label is the transport label for the LDP tunnel toward the Next-Hop ASBR4. In this example, the VPN label is 524286, and the LDP label is 524287.

A:PE2# show router 10 fib 1 192.168.0.5/32 

===============================================================================
FIB Display
===============================================================================
Prefix [Flags]                                              Protocol
  NextHop                                                   
-------------------------------------------------------------------------------
192.168.0.5/32                                              BGP_VPN
  10.10.10.4 (VPRN Label:524286 Transport:LDP)
-------------------------------------------------------------------------------
Total Entries : 1
-------------------------------------------------------------------------------
===============================================================================

A:PE2# show router ldp bindings prefixes ipv4 session 10.10.10.4:0 

===============================================================================
LDP Bindings (IPv4 LSR ID 10.10.10.2)
             (IPv6 LSR ID ::)
===============================================================================
Label Status:
        U - Label In Use, N - Label Not In Use, W - Label Withdrawn
        WP - Label Withdraw Pending, BU - Alternate For Fast Re-Route
        e - Label ELC
FEC Flags:
        LF - Lower FEC, UF - Upper FEC, M - Community Mismatch,
        BA - ASBR Backup FEC
===============================================================================
LDP IPv4 Prefix Bindings
===============================================================================
Prefix                                       
Peer                                        FEC-Flags
IgrLbl                                      EgrLbl
EgrNextHop                                  EgrIntf/LspId
-------------------------------------------------------------------------------
10.10.10.2/32                               
10.10.10.4:0                                
524287U                                       --
  --                                          --
                                             
10.10.10.4/32                               
10.10.10.4:0                                
  --                                        524287
10.2.4.4                                    1/1/1
                                             
-------------------------------------------------------------------------------
No. of IPv4 Prefix Bindings: 2
===============================================================================

ASBR4 pops both labels and examines its VRF 10. It forwards the packet unlabeled to its BGP peer ASBR3.

A:ASBR4# show router 10 fib 1 192.168.0.5/32 

===============================================================================
FIB Display
===============================================================================
Prefix [Flags]                                              Protocol
  NextHop                                                   
-------------------------------------------------------------------------------
192.168.0.5/32                                              BGP
  172.16.4.3 (to-ASBR3) 
-------------------------------------------------------------------------------
Total Entries : 1
-------------------------------------------------------------------------------
===============================================================================

ASBR3 pushes two labels: the inner label is the VPN label allocated and advertised by PE1, and the outer label is the transport label for the LDP tunnel toward the Next-Hop PE1. In this example, the VPN label is 524286 and the LDP label is 524287.

A:ASBR3# show router 10 fib 1 192.168.0.5/32 

===============================================================================
FIB Display
===============================================================================
Prefix [Flags]                                              Protocol
  NextHop                                                   
-------------------------------------------------------------------------------
192.168.0.5/32                                              BGP_VPN
  10.10.10.1 (VPRN Label:524286 Transport:LDP)
-------------------------------------------------------------------------------
Total Entries : 1
-------------------------------------------------------------------------------
===============================================================================

A:ASBR3# show router ldp bindings prefixes ipv4 session 10.10.10.1:0 

===============================================================================
LDP Bindings (IPv4 LSR ID 10.10.10.3)
             (IPv6 LSR ID ::)
===============================================================================
Label Status:
        U - Label In Use, N - Label Not In Use, W - Label Withdrawn
        WP - Label Withdraw Pending, BU - Alternate For Fast Re-Route
        e - Label ELC
FEC Flags:
        LF - Lower FEC, UF - Upper FEC, M - Community Mismatch,
        BA - ASBR Backup FEC
===============================================================================
LDP IPv4 Prefix Bindings
===============================================================================
Prefix                                       
Peer                                        FEC-Flags
IgrLbl                                      EgrLbl
EgrNextHop                                  EgrIntf/LspId
-------------------------------------------------------------------------------
10.10.10.1/32                               
10.10.10.1:0                                
  --                                        524287
10.1.3.1                                    1/1/2
                                             
10.10.10.3/32                               
10.10.10.1:0                                
524287U                                       --
  --                                          --
                                             
-------------------------------------------------------------------------------
No. of IPv4 Prefix Bindings: 2
===============================================================================

The data packet is label-switched across AS 64501 to PE1, which pops both labels and forwards the unlabeled packet to its destination CE5.

A:PE1# show router 10 fib 1 192.168.0.5/32 

===============================================================================
FIB Display
===============================================================================
Prefix [Flags]                                              Protocol
  NextHop                                                   
-------------------------------------------------------------------------------
192.168.0.5/32                                              BGP
  192.168.5.5 (to-CE5) 
-------------------------------------------------------------------------------
Total Entries : 1
-------------------------------------------------------------------------------
===============================================================================

You can download the documents, including the configuration files and the unl file for EVE-NG, at the following link:

Do not hesitate to leave questions or discuss in the comments section. Good luck.
