© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—5-1

MPLS VPN Implementation

Configuring BGP as the Routing Protocol Between PE and CE Routers

Outline

• Overview

• Configuring a per-VRF BGP Routing Context

• What Are the Reasons for Limiting the Number of Routes in a VRF?

• Limiting the Number of Prefixes Received from a BGP Neighbor

• Limiting the Total Number of VRF Routes

• Identifying AS-Override Issues

• Identifying Allowas-in Issues

• Implementing SOO for Loop Prevention

• Summary


Configuring per-VRF BGP Routing Context

Router(config)#
  router bgp as-number
   address-family ipv4 vrf vrf-name
    ... Per-VRF BGP definitions ...

• Select the per-VRF BGP context with the address-family command.

• Configure CE EBGP neighbors in the VRF context, not in the global BGP configuration.

• CE neighbors have to be activated with the neighbor activate command.


Configuring per-VRF BGP Routing Context (Cont.)


Limiting the Number of Routes in a VRF

• SPs offering MPLS VPN services are at risk of denial-of-service attacks similar to those aimed at SPs offering BGP connectivity:

– Any customer can generate any number of routes, using resources in the PE routers.

• Therefore, resources used by a single customer have to be limited.

• Cisco IOS software offers two solutions:

– It can limit the number of routes received from a BGP neighbor.

– It can limit the total number of routes in a VRF.


Limiting the Number of Prefixes Received from a BGP Neighbor

Router(config-router-af)#
  neighbor ip-address maximum-prefix maximum [threshold] [warning-only]

• Controls how many prefixes can be received from a neighbor

• The optional threshold parameter specifies the percentage of the maximum at which a warning message is logged (default is 75 percent)

• The optional warning-only keyword specifies the action on exceeding the maximum number (default is to drop the peering)


Limiting the Total Number of VRF Routes

• The VRF maximum routes limit command limits the number of routes that are imported into a VRF:

– Routes coming from CE routers

– Routes coming from other PE routers (imported routes)

• The route limit is configured for each VRF.

• If the number of routes exceeds the route limit:

– A syslog message is generated.

– The Cisco IOS software can be configured to reject routes (optional).


Limiting the Total Number of VRF Routes (Cont.)

Router(config-vrf)#
  maximum routes limit {warn-threshold | warn-only}

• This command configures the maximum number of routes accepted into a VRF:

– The limit parameter is the route limit for the VRF.

– The warn-threshold parameter is the percentage of the limit over which a warning message is sent to syslog.

– The warn-only option only generates a syslog error message when the number of routes exceeds the limit; routes are not rejected.

• Syslog messages generated by this command are rate-limited.
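The two limits above are easy to confuse, so here is a small Python model of both, added to this transcript as an illustration (it is not Cisco IOS code and the prefixes are constructed). It follows the slide text: the neighbor limit warns at a percentage of the maximum (default 75 percent) and drops the peering unless warning-only is set; the VRF limit counts CE-learned and PE-imported routes against the same ceiling, warns at warn-threshold, rejects routes above the limit unless warn-only is set, and rate-limits its syslog output (modelled here as suppressing an identical repeated message).

```python
"""Model of the two route-count limits on these slides: the per-neighbor
'neighbor ip-address maximum-prefix maximum [threshold] [warning-only]' check
and the per-VRF 'maximum routes limit {warn-threshold | warn-only}' check.
Added illustration, not Cisco IOS code."""

import math
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class NeighborPrefixLimit:
    """neighbor ip-address maximum-prefix maximum [threshold] [warning-only]"""
    maximum: int
    threshold_pct: int = 75          # slide: warning threshold defaults to 75 percent
    warning_only: bool = False       # slide: default action is to drop the peering
    received: int = 0
    peering_up: bool = True
    log: List[str] = field(default_factory=list)

    def receive(self, prefix: str) -> bool:
        """Return True if the prefix is accepted from this neighbor."""
        if not self.peering_up:
            return False                          # session already torn down
        self.received += 1
        warn_at = math.ceil(self.maximum * self.threshold_pct / 100)
        if self.received == warn_at:
            self.log.append(f"WARN: {self.received}/{self.maximum} prefixes received from neighbor")
        if self.received > self.maximum:
            if self.warning_only:
                self.log.append(f"WARN: prefix limit {self.maximum} exceeded, {prefix} still accepted")
                return True
            self.peering_up = False
            self.log.append(f"ERROR: prefix limit {self.maximum} exceeded, dropping peering")
            return False
        return True


@dataclass
class VrfRouteLimit:
    """maximum routes limit {warn-threshold | warn-only} (ip vrf configuration)"""
    limit: int
    warn_threshold_pct: Optional[int] = None   # warn-threshold form: warn at this %, reject above limit
    warn_only: bool = False                    # warn-only form: log, never reject
    routes: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)
    _last_message: str = ""

    def _syslog(self, msg: str) -> None:
        # Slide: syslog messages from this command are rate-limited; modelled
        # here as not repeating a message identical to the previous one.
        if msg != self._last_message:
            self.log.append(msg)
            self._last_message = msg

    def install(self, prefix: str, source: str) -> bool:
        """source is 'CE' (learned from the local CE) or 'PE' (imported over
        MP-BGP from another PE); both count against the same VRF limit."""
        if prefix in self.routes:
            return True
        if len(self.routes) >= self.limit:
            if self.warn_only:
                self._syslog(f"WARN: VRF route limit {self.limit} exceeded, routes still installed")
                self.routes.add(prefix)
                return True
            self._syslog(f"ERROR: VRF route limit {self.limit} exceeded, rejecting routes")
            return False
        self.routes.add(prefix)
        if (self.warn_threshold_pct is not None
                and len(self.routes) == math.ceil(self.limit * self.warn_threshold_pct / 100)):
            self._syslog(f"WARN: VRF holds {len(self.routes)}/{self.limit} routes")
        return True


def demo():
    """Constructed scenario: a CE floods more prefixes than allowed."""
    nb = NeighborPrefixLimit(maximum=4)            # warns at 3, drops peering on the 5th
    nb_results = [nb.receive(f"10.{i}.0.0/16") for i in range(1, 7)]
    vrf = VrfRouteLimit(limit=3, warn_threshold_pct=50)   # warns at 2, rejects the 4th
    vrf_results = [vrf.install("10.1.0.0/16", "CE"), vrf.install("10.2.0.0/16", "PE"),
                   vrf.install("10.3.0.0/16", "CE"), vrf.install("10.4.0.0/16", "PE"),
                   vrf.install("10.5.0.0/16", "PE")]
    return nb, nb_results, vrf, vrf_results


if __name__ == "__main__":
    nb, nb_results, vrf, vrf_results = demo()
    print("neighbor:", nb_results, nb.log)
    print("vrf:     ", vrf_results, vrf.log)
```

Note that the VRF limit is the only one of the two that also bounds routes imported from other PEs, which is why the slides present both: a neighbor limit alone does not protect a PE from a route flood that enters the VPN at a different site.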


Limiting the Total Number of VRF Routes (Cont.)


AS-Override: The Issue

The customer wants to reuse the same AS number on several sites:

• CE-BGP-A1 announces network 10.1.0.0/16 to PE-Site-X.

• The prefix announced by CE-BGP-A1 is propagated to PE-Site-Y as an internal route through MP-BGP.

• PE-Site-Y prepends AS 65115 to the AS path and propagates the prefix to CE-BGP-A2.

• CE-BGP-A2 drops the update because AS 65213 is already in the AS path.


AS-Override: Implementation

• New AS path update procedures have been implemented to reuse the same AS number on all VPN sites.

• The procedures allow the use of private and public AS numbers.

• The same AS number may be used for all sites.


AS-Override: Implementation (Cont.)

• With AS-override configured, the AS path update procedure on the PE router is as follows:

– If the first AS number in the AS path is equal to the neighboring AS, it is replaced with the provider AS number.

– If the first AS number has multiple occurrences (because of AS path prepend), all occurrences are replaced with the provider AS number.

– After this operation, the provider AS number is prepended to the AS path.


AS-Override: Command

Router(config-router-af)#
  neighbor ip-address as-override

• This command configures the AS-override AS path update procedure for the specified neighbor.

• AS-override is configured for CE EBGP neighbors in the VRF address family of the BGP process.


AS-Override: Example

PE-Site-Y replaces AS 65213 with AS 65115 in the AS path, prepends another copy of AS 65115 to the AS path, and propagates the prefix.


AS-Override: AS-Path Prepending

PE-Site-Y replaces all occurrences of AS 65213 with AS 65115 in the AS path, prepends another copy of AS 65115 to the AS path, and propagates the prefix.
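The following Python simulation, added here as an illustration (it is not Cisco IOS code), walks the AS path update procedure from the preceding slides for both the plain and the prepended case, using the AS numbers the slides use (provider AS 65115, customer AS 65213 on both sites). AS paths are lists with the most recently added AS first, and the procedure is implemented exactly as the slides state it: only the leading run of the neighboring AS is replaced, then the provider AS is prepended.

```python
"""Simulation of the AS-override AS path update procedure described on the
slides, next to the default EBGP behaviour it replaces. Added illustration,
not Cisco IOS code. AS paths are Python lists, most recently added AS first."""

from typing import List, Tuple

PROVIDER_AS = 65115   # SP AS on the slides
CUSTOMER_AS = 65213   # AS reused by both customer sites (CE-BGP-A1 and CE-BGP-A2)


def ebgp_send(as_path: List[int], local_as: int) -> List[int]:
    """Plain EBGP: the sender prepends its own AS before propagating."""
    return [local_as] + list(as_path)


def ebgp_accepts(as_path: List[int], receiver_as: int) -> bool:
    """Default BGP loop check: drop the update if the receiver's own AS is already in the path."""
    return receiver_as not in as_path


def as_override_send(as_path: List[int], neighbor_as: int, provider_as: int) -> List[int]:
    """AS-override procedure on the PE, applied before an update is sent to a
    CE in neighbor_as:
      1. if the first AS in the path equals the neighboring AS, replace it
         with the provider AS;
      2. if that first AS occurs several times in a row (AS path prepending),
         replace every occurrence;
      3. then prepend the provider AS, as plain EBGP does."""
    path = list(as_path)
    i = 0
    while i < len(path) and path[i] == neighbor_as:
        path[i] = provider_as
        i += 1
    return [provider_as] + path


def propagate_to_site_y(path_at_pe_y: List[int], use_override: bool) -> Tuple[List[int], bool]:
    """PE-Site-Y sends 10.1.0.0/16 (learned over MP-BGP from PE-Site-X, so the
    path still holds only what CE-BGP-A1 sent) to CE-BGP-A2.
    Returns (AS path sent, whether CE-BGP-A2 accepts it)."""
    if use_override:
        sent = as_override_send(path_at_pe_y, CUSTOMER_AS, PROVIDER_AS)
    else:
        sent = ebgp_send(path_at_pe_y, PROVIDER_AS)
    return sent, ebgp_accepts(sent, CUSTOMER_AS)


if __name__ == "__main__":
    for received in ([CUSTOMER_AS], [CUSTOMER_AS] * 3):      # plain and prepended by CE-BGP-A1
        for override in (False, True):
            sent, ok = propagate_to_site_y(received, override)
            print(f"as-override={override!s:5} in={received} out={sent} accepted={ok}")
```

The trade-off is visible in the output: after the override the path no longer contains the customer AS at all, so CE-BGP-A2 cannot detect a genuine loop back to its own site through AS path alone. That is the gap the SOO mechanism later in this lesson closes for multihomed sites.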


Allowas-in: The Issue

• Customer site links two VPNs

• Not a usual setup (traffic between VPNs should not flow over the customer site)

• Sometimes used for enhanced security


Allowas-in: The Issue (Cont.)

• VPN perspective: VPN-A is connected to VPN-B via CE-AB.

• Physical topology: The CE-AB router is dual-connected to the PE routers.

• MPLS VPN perspective: The CE-AB router has two links into the P-network.

• BGP perspective shows issue: The CE-AB router has two connections to AS 65115.


Allowas-in: The Issue (Cont.)

• PE-1 announces network 10.1.0.0/16 to CE-AB.

• CE-AB prepends its AS number to the AS path and propagates the prefix to PE-2.

• PE-2 drops the update because its AS number is already in the AS path.

• AS-override is needed on CE-AB, which may require a Cisco IOS software upgrade on the CE router.


Allowas-in: Implementation

The allowas-in BGP option disables the AS path check on the PE router:

• The number of occurrences of the PE router AS number is limited to suppress real routing loops.

• The limit has to be configured.

• The PE router will reject the update only if its AS number appears in the AS path more often than the configured limit.


Allowas-in: Command

Router(config-router)#
  neighbor ip-address allowas-in number

• This command disables the traditional BGP AS path check for the specified neighbor.

• An incoming update is rejected only if the AS number of the PE router appears in the AS path more often than the configured limit.
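A Python simulation of the inbound check just described, added here as an illustration (not Cisco IOS code), applied to the CE-AB scenario: PE-1 and PE-2 are both in AS 65115, and CE-AB forwards PE-1's update to PE-2. The slides do not give CE-AB's own AS number, so 65001 is a constructed value. The second scenario shows why the limit exists: an update that has already crossed AS 65115 twice is still rejected with allowas-in 1.

```python
"""Simulation of the allowas-in AS path check described on the slides, for
the CE-AB scenario (one customer router dual-connected to PE-1 and PE-2,
both in AS 65115). Added illustration, not Cisco IOS code."""

from typing import List, Optional, Tuple

PROVIDER_AS = 65115   # PE-1 and PE-2 (from the slides)
CE_AB_AS = 65001      # constructed: the slides do not state CE-AB's AS number


def pe_accepts(as_path: List[int], pe_as: int, allowas_in: Optional[int] = None) -> bool:
    """Inbound AS path check on a PE.
    allowas_in=None : default behaviour, reject if pe_as appears at all.
    allowas_in=n    : 'neighbor ip-address allowas-in n', reject only if
                      pe_as appears more than n times."""
    occurrences = as_path.count(pe_as)
    if allowas_in is None:
        return occurrences == 0
    return occurrences <= allowas_in


def cross_vpn_update(allowas_in: Optional[int] = None) -> Tuple[List[int], bool]:
    """PE-1 -> CE-AB -> PE-2 as on the slide.
    Returns (AS path as seen by PE-2, whether PE-2 accepts it)."""
    path: List[int] = []
    path = [PROVIDER_AS] + path      # PE-1 announces 10.1.0.0/16 to CE-AB, prepending 65115
    path = [CE_AB_AS] + path         # CE-AB prepends its own AS and propagates to PE-2
    return path, pe_accepts(path, PROVIDER_AS, allowas_in)


def looped_update(allowas_in: int) -> bool:
    """A genuine loop: the prefix has already passed through AS 65115 twice
    (PE-2 accepted it, sent it into the other VPN, and it came back through
    CE-AB a second time). The configured limit must still stop it."""
    path = [CE_AB_AS, PROVIDER_AS, CE_AB_AS, PROVIDER_AS]
    return pe_accepts(path, PROVIDER_AS, allowas_in)


if __name__ == "__main__":
    print("default check:  ", cross_vpn_update())
    print("allowas-in 1:   ", cross_vpn_update(1))
    print("looped, limit 1:", looped_update(1))
    print("looped, limit 2:", looped_update(2))
```

Set the limit to the number of legitimate passes through the provider AS and no higher; every extra unit of headroom is one more lap a mis-advertised prefix can take before the check catches it.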


Implementing SOO for Loop Prevention

AS path-based BGP loop prevention is bypassed with the AS-override and allowas-in features.


Implementing SOO for Loop Prevention (Cont.)

• The SOO attribute (extended BGP community) can be used to prevent loops in these scenarios.

• The SOO attribute is needed only for multihomed sites.

• When EBGP is run between PE and CE routers, the SOO attribute is configured through a route-map command.

• For other routing protocols, the SOO attribute can be applied to routes learned through a particular VRF interface during the redistribution into BGP.


Implementing SOO for Loop Prevention (Cont.)

Inbound EBGP Update

Router(config)#
  route-map name permit seq
   match conditions
   set extcommunity soo extended-community-value

• Creates a route map that sets the SOO attribute

Router(config-router-af)#
  neighbor ip-address route-map name in

• Applies an inbound route map to the CE EBGP neighbor


Implementing SOO for Loop Prevention (Cont.)

Other Inbound Routing Updates

Router(config-if)#
  ip vrf sitemap route-map-name

• Applies a route map that sets the SOO extended community attribute to inbound routing updates received from this interface


Implementing SOO for Loop Prevention (Cont.)

Router(config)#
  ip extcommunity-list number permit soo value
  !
  route-map name deny seq
   match extcommunity number
  !
  route-map name permit 9999

• Defines a route map that discards routes with the desired SOO value

Router(config-router-af)#
  neighbor ip-address route-map name out

• Applies the route map to outbound updates sent to the EBGP CE neighbor
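The inbound and outbound route maps on the last three slides work as a pair, which is easier to see end to end than one command at a time. The Python model below is an added illustration (not Cisco IOS code): the inbound map attaches the site's SOO extended community to routes received from that site, the extended community travels with the route over MP-BGP, and the outbound map toward the same site denies any route carrying it while the final permit passes everything else. The SOO values 65115:100 and 65115:200 and the prefixes are constructed.

```python
"""Model of SOO-based loop prevention as configured on the slides.
Added illustration, not Cisco IOS code; SOO values and prefixes are constructed."""

from typing import Dict, List

SITE_A_SOO = "65115:100"   # constructed: same value on both PEs connected to site A
SITE_B_SOO = "65115:200"   # constructed: a different customer site


def inbound_route_map(route: Dict, soo: str) -> Dict:
    """'route-map name permit seq' + 'set extcommunity soo value', applied with
    'neighbor ip-address route-map name in': returns a copy of the route with
    the SOO extended community attached."""
    tagged = dict(route)
    tagged["extcommunity"] = set(route.get("extcommunity", set())) | {f"soo {soo}"}
    return tagged


def outbound_route_map_permits(route: Dict, site_soo: str) -> bool:
    """'ip extcommunity-list number permit soo value' + 'route-map name deny seq
    / match extcommunity number' + 'route-map name permit 9999', applied with
    'neighbor ip-address route-map name out'. False means the route is
    discarded before being sent to this CE; anything else hits the final permit."""
    return f"soo {site_soo}" not in route.get("extcommunity", set())


def pe_outbound(vpn_routes: List[Dict], site_soo: str) -> List[str]:
    """Prefixes a PE actually sends to a CE of the site identified by site_soo."""
    return [r["prefix"] for r in vpn_routes if outbound_route_map_permits(r, site_soo)]


def simulate_multihomed_site() -> Dict[str, object]:
    """Site A (dual-homed to PE-1 and PE-2) announces 10.1.0.0/16 to PE-1.
    PE-1 tags it with site A's SOO and propagates it over MP-BGP. PE-2 must not
    send it back into site A over the second link, but must still send site B's
    10.2.0.0/16 to site A."""
    from_site_a = {"prefix": "10.1.0.0/16", "as_path": [65213]}   # received by PE-1 from site A
    from_site_b = {"prefix": "10.2.0.0/16", "as_path": [65213]}   # received by another PE from site B
    vpn_table_on_pe2 = [inbound_route_map(from_site_a, SITE_A_SOO),
                        inbound_route_map(from_site_b, SITE_B_SOO)]
    return {
        "sent_to_site_a": pe_outbound(vpn_table_on_pe2, SITE_A_SOO),
        "sent_to_site_b": pe_outbound(vpn_table_on_pe2, SITE_B_SOO),
        "soo_on_site_a_route": sorted(vpn_table_on_pe2[0]["extcommunity"]),
    }


if __name__ == "__main__":
    for key, value in simulate_multihomed_site().items():
        print(f"{key}: {value}")
```

The check depends entirely on every PE attached to the same site using the same SOO value; a mismatch between PE-1 and PE-2 silently reopens the loop that as-override or allowas-in made possible, so the per-site value is worth verifying on both PEs whenever a second link is added.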


Summary

• Use the address-family ipv4 vrf vrf-name command in the BGP routing process to configure a per-VRF BGP routing context.

• SPs offering MPLS VPN services are at risk of denial-of-service attacks. Limiting VRF tables is one method to prevent such attacks.

• Use the neighbor maximum-prefix command to limit the number of prefixes received from a BGP neighbor.

• Use the maximum routes command to limit the total number of VRF routes.


Summary (Cont.)

• BGP loop detection prevents customers from reusing their AS number. The neighbor ip-address as-override command prevents this issue by replacing the customer AS number with the ISP AS number.

• By default, a customer site cannot link two VPN sites of the same AS number because of BGP loop detection. The neighbor ip-address allowas-in number command disables the BGP AS path check and permits such routing updates.

• The SOO extended BGP community is used as a loop prevention mechanism for multihomed customer sites.
