Friday, October 19, 2012

MPLS L3 VPN 6PE eBGP PE-CE Routing Protocol (Filtering)

Following up on the post at http://eng-mssk.blogspot.com/2012/10/mpls-l3-vpn-6pe-ebgp-pe-ce-routing.html

Now, let us assume that we want to filter the BGP updates sent from neighbor to neighbor.

We will create another loopback interface on CE2

CE2(config)#interface loopback 2
CE2(config-if)#ipv6 address 2002:db8::5/128
CE2(config-if)#end

CE2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CE2(config)#router bgp 5
CE2(config-router)# address-family ipv6
CE2(config-router-af)#network 2002:DB8::5/128

PE2#sh bgp vpnv6 unicast vrf MSSK neighbors 2001:DB8:45::5 routes
BGP table version is 5, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf MSSK)
*> 2001:DB8::5/128  2001:DB8:45::5           0             0 5 i
*> 2002:DB8::5/128  2001:DB8:45::5           0             0 5 i

We want PE2 to accept only the 2001 prefix (2001:DB8::5/128) from CE2

PE2(config)#ipv6 access-list MSSK_ACL
PE2(config-ipv6-acl)#permit 2001:DB8::5/128 any

PE2(config-router)#route-map MSSK_MAP permit 10
PE2(config-route-map)#match ipv6 address MSSK_ACL

PE2(config)#router bgp 100
PE2(config-router)#address-family ipv6 vrf MSSK
PE2(config-router-af)#neighbor 2001:DB8:45::5 route-map MSSK_MAP in


PE2#clear bgp all 5 (this clears the BGP peering with AS 5 for all address families)

PE2#sh bgp vpnv6 unicast vrf MSSK neighbors 2001:DB8:45::5 routes
BGP table version is 12, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf MSSK)
*> 2001:DB8::5/128  2001:DB8:45::5           0             0 5 i

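2002:DB8::5/128 is no longer accepted: it does not match MSSK_ACL, and a route-map ends with an implicit deny.

Now, let us try another method: prefix-lists.
We create two more loopbacks on CE2 and remove the configuration from the previous example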

CE2(config)#int lo2
CE2(config-if)#ipv6 address 2003:db8::5/96
CE2(config)#int lo3
CE2(config-if)#ipv6 address 2004:db8::5/64

CE2(config)#router bgp 5
CE2(config-router)#address-family ipv6
CE2(config-router-af)#network 2003:DB8::5/96
CE2(config-router-af)#network 2004:DB8::5/64

PE2#sh bgp vpnv6 unicast vrf MSSK neighbors 2001:DB8:45::5 routes
BGP table version is 17, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf MSSK)
*> 2001:DB8::5/128  2001:DB8:45::5           0             0 5 i
*> 2002:DB8::5/128  2001:DB8:45::5           0             0 5 i
*> 2003:DB8::/96    2001:DB8:45::5           0             0 5 i
*> 2004:DB8::/64    2001:DB8:45::5           0             0 5 i

Total number of prefixes 4

We have three prefix lengths (/128, /96 and /64), and we want to allow only routes with a prefix length greater than or equal to 96

PE2(config)#ipv6 prefix-list MSSK_PL seq 5 permit 0::0/0 ge 96

PE2(config)#router bgp 100
PE2(config-router)#address-family ipv6 vrf MSSK
PE2(config-router-af)#neighbor 2001:DB8:45::5 prefix-list MSSK_PL in

PE2#clear bgp all 5

PE2#sh bgp vpnv6 unicast vrf MSSK neighbors 2001:DB8:45::5 routes
BGP table version is 24, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf MSSK)
*> 2001:DB8::5/128  2001:DB8:45::5           0             0 5 i
*> 2002:DB8::5/128  2001:DB8:45::5           0             0 5 i
*> 2003:DB8::/96    2001:DB8:45::5           0             0 5 i

Total number of prefixes 3

Now, let us suppose that we want to export all of the prefixes from PE2 towards PE1 (i.e. they will reach CE1) except for the CE2 loopback3 interface: 2004:DB8::5/64.
We will use an export map to influence which prefixes are transported

Note: all the previous configurations have been removed

First, we will configure a prefix-list that matches CE2 loopback3 interface

PE2(config)#ipv6 prefix-list MSSK_PL seq 5 permit 2004:DB8::/64

Then we will create a route-map that matches that prefix and changes its route-target value (without the additive keyword, set extcommunity rt replaces the existing route-target instead of adding to it)

route-map EXPORT_MAP permit 10
 match ipv6 address prefix-list MSSK_PL
 set extcommunity rt  100:2

Recall that the import route-target configured on the PE1 side is 100:1

PE1#sh vrf detail
VRF MSSK; default RD 100:1; default VPNID <not set>
  Interfaces:
    Fa1/0                  
Address family ipv4 (Table ID = 0x1):
  Export VPN route-target communities
    RT:100:1               
  Import VPN route-target communities
    RT:100:1               
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix
Address family ipv6 (Table ID = 0x1E000001):
  Export VPN route-target communities
    RT:100:1               
  Import VPN route-target communities
    RT:100:1                
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix

So, when PE1 receives a route with a route-target extended community of 100:2, it will neither install that route in the VRF nor advertise it to CE1

In our case, never forget to add another sequence to the configured route-map to permit the rest of the routes; otherwise all routes will be dropped

PE2(config)#route-map EXPORT_MAP permit 20

Next, we will apply that route-map as an export map under the VRF definition, in the address family concerned: the IPv6 address family

PE2(config)#vrf definition MSSK
PE2(config-vrf)# address-family ipv6
PE2(config-vrf-af)# export map EXPORT_MAP
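
The export-map procedure above, as an added example that is not part of the original post: a small Python model of EXPORT_MAP on PE2 followed by the route-target import check on PE1, run once with both sequences and once without sequence 20. It models the behaviour the post describes; the function and constant names are assumptions made for this sketch.

```python
import ipaddress

PE2_EXPORT_RT = {"100:1"}   # RT the page shows on PE2's unmodified routes
PE1_IMPORT_RT = {"100:1"}   # import RT from "sh vrf detail" on PE1


def net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


# Each clause: (seq, action, prefixes to match or None for "match all",
#               route-targets to set or None to leave them unchanged).
SEQ_10 = (10, "permit", {net("2004:DB8::/64")}, {"100:2"})
SEQ_20 = (20, "permit", None, None)


def export_rts(route_map, prefix):
    """RT set attached on export, or None when the route is not exported."""
    for _seq, action, match, set_rt in sorted(route_map, key=lambda c: c[0]):
        if match is None or net(prefix) in match:
            if action != "permit":
                return None
            # "set extcommunity rt" without "additive" replaces the RTs.
            return set(set_rt) if set_rt else set(PE2_EXPORT_RT)
    return None                      # implicit deny at the end of a route-map


def imported_by_pe1(route_map, prefixes):
    """Prefixes whose exported RT set intersects PE1's import RT set."""
    result = []
    for prefix in prefixes:
        rts = export_rts(route_map, prefix)
        if rts is not None and rts & PE1_IMPORT_RT:
            result.append(prefix)
    return result


CE2_ROUTES = ["2001:DB8::5/128", "2002:DB8::5/128",
              "2003:DB8::/96", "2004:DB8::/64"]

if __name__ == "__main__":
    print("seq 10 + 20:", imported_by_pe1([SEQ_10, SEQ_20], CE2_ROUTES))
    print("seq 10 only:", imported_by_pe1([SEQ_10], CE2_ROUTES))
```
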

After clearing the BGP processes, we check the results

CE1#sh ipv6 route bgp
IPv6 Routing Table - Default - 7 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
B   2001:DB8::5/128 [20/0]
     via FE80::C801:18FF:FE0C:1C, FastEthernet1/0
B   2002:DB8::5/128 [20/0]
     via FE80::C801:18FF:FE0C:1C, FastEthernet1/0
B   2003:DB8::/96 [20/0]
     via FE80::C801:18FF:FE0C:1C, FastEthernet1/0

PE1#sh bgp vpnv6 unicast all
BGP table version is 97, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf MSSK)
*> 2001:DB8::1/128  2001:DB8:12::1           0             0 1 i
*>i2001:DB8::5/128  ::FFFF:4.4.4.4           0    100      0 5 i
*>i2002:DB8::5/128  ::FFFF:4.4.4.4           0    100      0 5 i
*>i2003:DB8::/96    ::FFFF:4.4.4.4           0    100      0 5 i

PE1#sh bgp vpnv6 unicast all neighbors 4.4.4.4 routes
BGP table version is 97, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf MSSK)
*>i2001:DB8::5/128  ::FFFF:4.4.4.4           0    100      0 5 i
*>i2002:DB8::5/128  ::FFFF:4.4.4.4           0    100      0 5 i
*>i2003:DB8::/96    ::FFFF:4.4.4.4           0    100      0 5 i

Total number of prefixes 3

PE2#sh bgp vpnv6 unicast vrf MSSK 2004:DB8::/64
BGP routing table entry for [100:1]2004:DB8::/64, version 50
Paths: (1 available, best #1, table MSSK)
  Advertised to update-groups:
        1
  5
    2001:DB8:45::5 (FE80::C804:18FF:FE0C:1C) from 2001:DB8:45::5 (5.5.5.5)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Extended Community: RT:100:2
      mpls labels in/out 25/nolabel

If we look at another route

PE2#sh bgp vpnv6 unicast vrf MSSK 2003:DB8::/96
BGP routing table entry for [100:1]2003:DB8::/96, version 66
Paths: (1 available, best #1, table MSSK)
  Advertised to update-groups:
        1
  5
    2001:DB8:45::5 (FE80::C804:18FF:FE0C:1C) from 2001:DB8:45::5 (5.5.5.5)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Extended Community: RT:100:1
      mpls labels in/out 26/nolabel

If we turn on debugging on PE1

PE1#debug bgp vpnv6 unicast updates

*Oct 19 18:35:06.959: %BGP-5-ADJCHANGE: neighbor 4.4.4.4 Up
*Oct 19 18:35:06.963: BGP(5): 4.4.4.4 send UPDATE (format) [100:1]2001:DB8::1/128, next ::FFFF:2.2.2.2, label 22, metric 0, path 1, extended community RT:100:1
*Oct 19 18:35:06.983: BGP(5): 4.4.4.4 rcvd UPDATE w/ attr: nexthop ::FFFF:4.4.4.4, origin i, localpref 100, metric 0, path 5, extended community RT:100:2
*Oct 19 18:35:06.983: BGP(5): 4.4.4.4 rcvd [100:1]2004:DB8::/64, label 25 -- DENIED due to:  extended community not supported;
*Oct 19 18:35:06.983: BGP(5): 4.4.4.4 rcvd UPDATE w/ attr: nexthop ::FFFF:4.4.4.4, origin i, localpref 100, metric 0, path 5, extended community RT:100:1
*Oct 19 18:35:06.983: BGP(5): 4.4.4.4 rcvd [100:1]2001:DB8::5/128, label 28
*Oct 19 18:35:06.983: BGP(5): 4.4.4.4 rcvd [100:1]2002:DB8::5/128, label 27
*Oct 19 18:35:06.983: BGP(5): 4.4.4.4 rcvd [100:1]2003:DB8::/96, label 26
*Oct 19 18:35:06.983: BGP(5): Revise route installing [100:1]2001:DB8::5/128 -> ::FFFF:4.4.4.4 (::) to main IPv6 table
*Oct 19 18:35:06.983: BGP(5): Revise route installing [100:1]2002:DB8::5/128 -> ::FFFF:4.4.4.4 (::) to main IPv6 table
*Oct 19 18:35:06.983: BGP(5): Revise route installing [100:1]2003:DB8::/96 -> ::FFFF:4.4.4.4 (::) to main IPv6 table
