First, I would like to show the MP-BGP RD and RT parameters in a BGP update message.
R1 is sending a BGP update message to R4:
Address family <AFI 1, SAFI 128> indicates that each NLRI in an MP-REACH-NLRI or MP-UNREACH-NLRI attribute consists of three parts:
a) An MPLS label stack
b) A route distinguisher
c) An IPv4 prefix
The message includes (among other things) an extended community with the route-target value:
And the VPNv4 prefix along with the RD and MPLS label (R4 will use this label as the outgoing label):
Using this information, R4 knows the originator of the VPNv4 prefix and which routing table to add this route to, in this case VRF ABC.
This is the network topology:
And the network information:

Name | Administrative | Role
--- | --- | ---
R1 | Service provider | P router, route-reflector
R2 | Service provider | PE router
R3 | Service provider | PE router
R4 | Service provider | PE router
R5 | Service provider | PE router
R6 | ABC | CE
R7 | ABC | CE
R8 | CNN | CE

- The SP network is running OSPF as IGP, LDP, BGP and MP-BGP.
- R6 and R7 are using EIGRP as the CE-to-PE protocol.
- R8 is using OSPF as the CE-to-PE protocol.
- Each CE is advertising its directly connected interfaces into the routing domain.

*Full configuration can be found below.
First task: Customer ABC wants to allow its site (R6) to communicate with customer CNN (R8), but only through the backup link and only from a specific subnet (192.168.63.0/24).
So let’s start with R5 which is the PE router for R8:
ip vrf CNN
 rd 5:200
 route-target export 200:200
 route-target export 400:400
 route-target import 200:200
 route-target import 300:300

I’m using RT 300:300 to import R6 prefixes and RT 400:400 to advertise R8 prefixes.
Now on R3, which is the PE for R6 on the backup link:
ip vrf ABC
 rd 3:100
 export map RM_VRF_EXPORT_MAP
 route-target export 100:100
 route-target import 100:100
 route-target import 400:400
!
ip prefix-list PL_NET63 seq 5 permit 192.168.63.0/24
!
route-map RM_VRF_EXPORT_MAP permit 10
 match ip address prefix-list PL_NET63
 set extcommunity rt 300:300 additive
!
route-map RM_VRF_EXPORT_MAP permit 20

Note that I’m using an export map on the VRF to attach the additional extended community (RT 300:300) only to subnet 192.168.63.0/24.
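
The route-target matching configured on R5 and R3 above, modelled as an added example (not part of the original post or its lab configuration) that lists which prefixes cross between VRFs. It covers only the MP-BGP import/export step; the ABC@R2 entry and every "routes" list are assumptions, and exported_rts and leaks are hypothetical helper names.

```python
from ipaddress import ip_network

# Constructed model of the route-target policy on this page. ABC@R3 and CNN@R5
# follow the configs shown; ABC@R2 and every "routes" list are assumptions.
VRFS = {
    "ABC@R3": {"export": {"100:100"}, "import": {"100:100", "400:400"},
               # (prefix-list entry, RT to set, additive?) from RM_VRF_EXPORT_MAP
               "export_map": [("192.168.63.0/24", "300:300", True)],
               "routes": ["10.1.36.0/24", "192.168.61.0/24",
                          "192.168.62.0/24", "192.168.63.0/24"]},
    "CNN@R5": {"export": {"200:200", "400:400"}, "import": {"200:200", "300:300"},
               "export_map": [],
               "routes": ["10.1.58.0/24", "192.168.81.0/24", "192.168.82.0/24"]},
    "ABC@R2": {"export": {"100:100"}, "import": {"100:100"},
               "export_map": [],
               "routes": ["10.1.26.0/24", "192.168.61.0/24"]},
}

def exported_rts(vrf, prefix):
    """Route targets attached to `prefix` when `vrf` exports it into VPNv4."""
    rts = set(vrf["export"])
    for entry, rt, additive in vrf["export_map"]:
        # A prefix-list entry without ge/le matches that exact prefix only.
        if ip_network(prefix) == ip_network(entry):
            # Without "additive" the set replaces the configured export RTs.
            return rts | {rt} if additive else {rt}
    return rts  # empty permit clause: route keeps the VRF's export RTs

def leaks(vrfs):
    """Map (source VRF, importing VRF) -> prefixes that cross between them."""
    found = {}
    for src, s in vrfs.items():
        for dst, d in vrfs.items():
            if src == dst:
                continue
            hit = [p for p in s["routes"] if exported_rts(s, p) & d["import"]]
            if hit:
                found[(src, dst)] = hit
    return found

if __name__ == "__main__":
    for (src, dst), prefixes in sorted(leaks(VRFS).items()):
        print(f"{src} -> {dst}: {', '.join(prefixes)}")
```

Setting the last field of the export_map tuple to False models the same route-map without "additive": 192.168.63.0/24 then carries only RT 300:300 and is no longer imported by VRFs that import 100:100.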
A few more things should be done. Block R2 from learning R8 prefixes:
router eigrp 1
 no auto-summary
 !
 address-family ipv4 vrf ABC
  redistribute bgp 65000 metric 100000 10 255 1 1500
  network 10.1.26.2 0.0.0.0
  distribute-list 6 in
  no auto-summary
  autonomous-system 236
 exit-address-family
!
access-list 6 permit 192.168.61.0 0.0.0.255
access-list 6 permit 192.168.62.0 0.0.0.255
access-list 6 permit 192.168.63.0 0.0.0.255

And configure BGP to ignore cost-community on all SP routers:
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 bgp bestpath cost-community ignore
 neighbor 1.1.1.1 remote-as 65000
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 1.1.1.1 send-community both
 neighbor 1.1.1.1 soft-reconfiguration inbound
 no auto-summary
!

Otherwise the PE router may prefer the BGP path as the best path to R6 prefixes, as shown below:
R3#sh ip eigrp vrf ABC topology
IP-EIGRP Topology Table for AS(236)/ID(3.3.3.3) Routing Table: ABC
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 10.1.26.0/24, 1 successors, FD is 28160
        via VPNv4 Sourced (28160/0)
P 192.168.72.0/24, 1 successors, FD is 28160
        via Redistributed (28160/0)
P 10.1.47.0/24, 1 successors, FD is 28160
        via Redistributed (28160/0)
P 192.168.71.0/24, 1 successors, FD is 28160
        via Redistributed (28160/0)
P 10.1.36.0/24, 1 successors, FD is 2816000
        via Connected, FastEthernet1/1
P 10.1.58.0/24, 1 successors, FD is 28160
        via Redistributed (28160/0)
P 192.168.81.0/24, 1 successors, FD is 28160
        via Redistributed (28160/0)
P 192.168.82.0/24, 1 successors, FD is 28160
        via Redistributed (28160/0)
P 192.168.61.0/24, 1 successors, FD is 156160
        via VPNv4 Sourced (156160/0)
        via 10.1.36.6 (2944000/128256), FastEthernet1/1
P 192.168.62.0/24, 1 successors, FD is 156160
        via VPNv4 Sourced (156160/0)
        via 10.1.36.6 (2944000/128256), FastEthernet1/1
P 192.168.63.0/24, 1 successors, FD is 156160
        via VPNv4 Sourced (156160/0)
        via 10.1.36.6 (2944000/128256), FastEthernet1/1

R3#show ip bgp vpnv4 vrf ABC 192.168.61.0/24
BGP routing table entry for 3:100:192.168.61.0/24, version 139
Paths: (1 available, best #1, table ABC)
  Not advertised to any peer
  Local, imported path from 2:100:192.168.61.0/24
    2.2.2.2 (metric 3) from 1.1.1.1 (1.1.1.1)
      Origin incomplete, metric 156160, localpref 100, valid, internal, best
      Extended Community: RT:100:100 Cost:pre-bestpath:128:156160
        0x8800:32768:0 0x8801:236:130560 0x8802:65281:25600 0x8803:65281:1500
      Originator: 2.2.2.2, Cluster list: 1.1.1.1
      mpls labels in/out nolabel/30

Now let’s look at R8’s routing table:
R8#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

O E2 192.168.63.0/24 [110/20] via 10.1.58.5, 00:06:39, FastEthernet0/0
C    192.168.81.0/24 is directly connected, Loopback1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.58.0 is directly connected, FastEthernet0/0
C    192.168.82.0/24 is directly connected, Loopback2

And check with ping and trace:
R8#ping 192.168.63.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.63.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/56/96 ms

R8#traceroute 192.168.63.1
Type escape sequence to abort.
Tracing the route to 192.168.63.1
  1 10.1.58.5 52 msec 36 msec 16 msec
  2 10.1.15.1 [MPLS: Labels 17/16 Exp 0] 60 msec 72 msec 88 msec
  3 10.1.36.3 [MPLS: Label 16 Exp 0] 76 msec 56 msec 48 msec
  4 10.1.36.6 64 msec * 96 msec

And R6 routing table:
R6# sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

D EX 192.168.72.0/24 [170/30720] via 10.1.26.2, 00:08:19, FastEthernet0/0
C    192.168.63.0/24 is directly connected, Loopback3
C    192.168.62.0/24 is directly connected, Loopback2
C    192.168.61.0/24 is directly connected, Loopback1
D EX 192.168.81.0/24 [170/2818560] via 10.1.36.3, 00:08:14, FastEthernet0/1
     10.0.0.0/24 is subnetted, 4 subnets
C       10.1.26.0 is directly connected, FastEthernet0/0
D EX    10.1.47.0 [170/30720] via 10.1.26.2, 00:08:19, FastEthernet0/0
C       10.1.36.0 is directly connected, FastEthernet0/1
D EX    10.1.58.0 [170/2818560] via 10.1.36.3, 00:08:15, FastEthernet0/1
D EX 192.168.82.0/24 [170/2818560] via 10.1.36.3, 00:08:15, FastEthernet0/1
D EX 192.168.71.0/24 [170/30720] via 10.1.26.2, 00:08:21, FastEthernet0/0

And ping and trace:
R6#ping 192.168.81.1 source lo3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.81.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.63.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/67/108 ms

R6#traceroute 192.168.82.1 source lo3
Type escape sequence to abort.
Tracing the route to 192.168.82.1
  1 10.1.36.3 12 msec 56 msec 8 msec
  2 10.1.13.1 [MPLS: Labels 19/23 Exp 0] 56 msec 60 msec 52 msec
  3 10.1.58.5 [MPLS: Label 23 Exp 0] 40 msec 68 msec 20 msec
  4 10.1.58.8 56 msec * 80 msec

Using RTs, which are basically extended communities in MP-BGP, we can alter and manipulate routes through our SP backbone.