MPLS VPN Implementation
Configuring BGP as the Routing Protocol Between PE and CE Routers
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—5-1
Outline
• Overview
• Configuring a per-VRF BGP Routing Context
• What Are the Reasons for Limiting the Number of Routes in a VRF?
• Limiting the Number of Prefixes Received from a BGP Neighbor
• Limiting the Total Number of VRF Routes
• Identifying AS-Override Issues
• Identifying Allowas-in Issues
• Implementing SOO for Loop Prevention
• Summary
Configuring per-VRF BGP Routing Context
Router(config)# router bgp as-number
Router(config-router)# address-family ipv4 vrf vrf-name
Router(config-router-af)# . . . per-VRF BGP definitions . . .
• Select the per-VRF BGP context with the address-family ipv4 vrf command.
• Configure CE EBGP neighbors (neighbor ip-address remote-as) in the VRF context, not in the global BGP configuration. A neighbor defined globally is reached through the global routing table, where the VRF interface address is not visible, so the session never comes up.
• CE neighbors have to be activated with the neighbor activate command; without it the session may establish but no IPv4 prefixes are exchanged.
Configuring per-VRF BGP Routing Context (Cont.)
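The configuration figure on this slide did not survive extraction. What follows is an added example, not the original slide's figure, of a complete per-VRF BGP context on a PE router together with the matching CE configuration. The VRF name CustA, the RD and route target 65115:10, the provider AS 65115, the customer AS 65213, the remote PE loopback 10.0.0.2 and the PE-CE link 192.168.1.0/30 are all assumed values chosen for illustration:

```ios
! PE router, provider AS 65115 (added example; all values are assumed)
ip vrf CustA
 rd 65115:10
 route-target both 65115:10
!
interface GigabitEthernet0/1
 description Link to CE-BGP-A1 (customer AS 65213)
 ip vrf forwarding CustA
 ip address 192.168.1.1 255.255.255.252
!
router bgp 65115
 no bgp default ipv4-unicast
 ! MP-BGP session to the other PE stays in the global configuration
 neighbor 10.0.0.2 remote-as 65115
 neighbor 10.0.0.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 send-community extended
 exit-address-family
 !
 ! The CE EBGP neighbor is defined and activated inside the VRF context
 address-family ipv4 vrf CustA
  neighbor 192.168.1.2 remote-as 65213
  neighbor 192.168.1.2 activate
 exit-address-family
!
! CE router, customer AS 65213: plain EBGP towards the PE
router bgp 65213
 neighbor 192.168.1.1 remote-as 65115
 network 10.1.0.0 mask 255.255.0.0
```

On the PE, show ip bgp vpnv4 vrf CustA summary should list 192.168.1.2 as an established neighbor with a prefix count, and show ip bgp vpnv4 vrf CustA 10.1.0.0 should show the customer prefix with AS path 65213. Had the neighbor 192.168.1.2 lines been placed directly under router bgp 65115 instead of under the VRF address family, the PE would try to open the TCP session through the global routing table and the neighbor would stay in Idle or Active state.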
Limiting the Number of Routes in a VRF
• SPs offering MPLS VPN services are at risk of denial-of-service attacks similar to those aimed at SPs offering BGP connectivity:
– Any customer can generate any number of routes, by mistake or on purpose, and every route consumes memory and CPU on the PE router, which is shared by all customers attached to it.
• Therefore, the resources used by a single customer have to be limited so that one VPN cannot exhaust a PE that serves many VPNs.
• Cisco IOS software offers two solutions:
– It can limit the number of prefixes received from a BGP neighbor (a per-neighbor limit).
– It can limit the total number of routes in a VRF (a per-VRF limit, which also counts routes imported from other PE routers).
Limiting the Number of Prefixes Received from a BGP Neighbor
Router(config-router-af)# neighbor ip-address maximum-prefix maximum [threshold] [warning-only]
• Controls how many prefixes can be received from a neighbor.
• The optional threshold parameter specifies the percentage of the maximum at which a warning message is logged (default is 75 percent).
• The optional warning-only keyword specifies the action when the maximum is exceeded: with it, only a warning is logged and the prefixes are kept; without it (the default), the peering is dropped and stays down until it is cleared manually, or, with the optional restart minutes keyword of the same command, until the configured interval has elapsed.
Limiting the Total Number of VRF Routes
• The VRF maximum routes limit command limits the number of routes installed in a VRF routing table, whatever their origin:
– Routes coming from CE routers (over any PE-CE routing protocol, not only BGP)
– Routes coming from other PE routers (imported routes)
• The route limit is configured for each VRF.
• If the number of routes exceeds the route limit:
– A syslog message is generated.
– Routes beyond the limit are rejected, unless the command is configured with warn-only, in which case the routes are still installed and only the syslog message is produced.
Limiting the Total Number of VRF Routes (Cont.)
Router(config-vrf)# maximum routes limit {warn-threshold | warn-only}
• This command configures the maximum number of routes accepted into a VRF:
– The limit parameter is the route limit for the VRF.
– The warn-threshold parameter is the percentage of the limit above which a warning message is sent to syslog; routes beyond the limit itself are rejected.
– The warn-only option only generates a syslog error message when the number of routes exceeds the limit; no routes are rejected.
• Syslog messages generated by this command are rate-limited, so a burst of excess routes does not turn into a logging flood.
Limiting the Total Number of VRF Routes (Cont.)
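The example figure on this slide is missing from the extraction. The following added example (not the original slide's figure) combines both limits on one PE, showing the rejecting form of maximum routes beside the warn-only form, and a hard maximum-prefix beside a warning-only one. VRF names CustA and CustB, the RDs, the neighbor addresses, the customer AS numbers 65213 and 65214 and all numeric limits are assumed values:

```ios
! PE router, provider AS 65115 (added example; all values are assumed)
ip vrf CustA
 rd 65115:10
 route-target both 65115:10
 ! Hard limit: warn at 80 percent of 1000, reject routes beyond 1000.
 ! The count includes routes imported from other PEs, not only CE routes.
 maximum routes 1000 80
!
ip vrf CustB
 rd 65115:20
 route-target both 65115:20
 ! Soft limit: log when 500 is exceeded, never reject
 maximum routes 500 warn-only
!
router bgp 65115
 address-family ipv4 vrf CustA
  neighbor 192.168.1.2 remote-as 65213
  neighbor 192.168.1.2 activate
  ! Warn at the default 75 percent; tear the session down above 200
  ! prefixes and keep it down until cleared (clear ip bgp vrf CustA ...)
  neighbor 192.168.1.2 maximum-prefix 200
 exit-address-family
 !
 address-family ipv4 vrf CustB
  neighbor 192.168.2.2 remote-as 65214
  neighbor 192.168.2.2 activate
  ! Warn at 90 percent of 300 and keep the session up when exceeded
  neighbor 192.168.2.2 maximum-prefix 300 90 warning-only
 exit-address-family
```

Keep the per-neighbor maximum-prefix below the VRF maximum routes: the VRF limit also counts routes imported from the rest of the VPN, so a CE allowed up to the VRF limit on its own could push the table over it. Check the configured values with show ip vrf detail CustA (route limit) and show ip bgp vpnv4 vrf CustA neighbors 192.168.1.2 (maximum prefix and the current count).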
AS-Override: The Issue
The customer wants to reuse the same AS number (AS 65213) on several sites, while the provider runs AS 65115:
• CE-BGP-A1 announces network 10.1.0.0/16 to PE-Site-X.
• The prefix announced by CE-BGP-A1 is propagated to PE-Site-Y as an internal route through MP-BGP; its AS path still contains 65213.
• PE-Site-Y prepends AS 65115 to the AS path (65115 65213) and propagates the prefix to CE-BGP-A2.
• CE-BGP-A2 drops the update because its own AS 65213 is already in the AS path. Standard EBGP loop detection cannot distinguish another site in the same AS from a real loop.
AS-Override: Implementation
• New AS path update procedures have been implemented to reuse the same AS number on all VPN sites.
• The procedures allow the use of private and public AS numbers.
• The same AS number may be used for all sites.
AS-Override: Implementation (Cont.)
• With AS-override configured, the AS path update procedure on the PE router is as follows:
– If the first AS number in the AS path is equal to the neighboring AS, it is replaced with the provider AS number.
– If the first AS number has multiple occurrences (because of AS path prepend), all occurrences are replaced with the provider AS number.
– After this operation, the provider AS number is prepended to the AS path, as for any EBGP update.
• The CE never sees its own AS number in the path, so AS path-based loop detection is bypassed for that neighbor; at multihomed sites an additional mechanism (SOO) is needed to stop a site's own routes from coming back to it.
AS-Override: Command
Router(config-router-af)# neighbor ip-address as-override
• This command configures the AS-override AS path update procedure for the specified neighbor.
• AS-override is configured for CE EBGP neighbors in the VRF address family of the BGP process, on every PE router that has a CE in the reused AS.
AS-Override: Example
PE-Site-Y replaces AS 65213 with AS 65115 in the AS path, prepends another copy of AS 65115 to the AS path, and propagates the prefix: the AS path 65213 received through MP-BGP reaches CE-BGP-A2 as 65115 65115.
AS-Override: AS-Path Prepending
When CE-BGP-A1 prepends its AS number (AS path 65213 65213 65213), PE-Site-Y replaces all occurrences of AS 65213 with AS 65115 in the AS path, prepends another copy of AS 65115, and propagates the prefix: CE-BGP-A2 receives 65115 65115 65115 65115. The path length, and with it the effect of the customer's prepending, is preserved.
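The PE-Site-Y side of this scenario, as an added example that is not the original slide's figure. The VRF name CustA, the PE-CE link 192.168.3.0/30 and the prefix are assumed; the AS path transformations in the comments follow the update procedure described on the preceding slides:

```ios
! PE-Site-Y, provider AS 65115 (added example; addresses are assumed)
router bgp 65115
 address-family ipv4 vrf CustA
  neighbor 192.168.3.2 remote-as 65213
  neighbor 192.168.3.2 activate
  ! Replace the customer's AS in the path before sending to CE-BGP-A2
  neighbor 192.168.3.2 as-override
 exit-address-family
!
! AS path of 10.1.0.0/16, learned from CE-BGP-A1 (AS 65213) via PE-Site-X:
!   received through MP-BGP:                 65213
!   sent to CE-BGP-A2 without as-override:   65115 65213  (CE drops it)
!   sent to CE-BGP-A2 with as-override:      65115 65115  (CE accepts it)
!
! Same prefix when CE-BGP-A1 prepends its AS twice:
!   received through MP-BGP:                 65213 65213 65213
!   sent to CE-BGP-A2 with as-override:      65115 65115 65115 65115
```

The matching command must be present on PE-Site-X for CE-BGP-A1 as well, otherwise routes in the opposite direction are still dropped. Verify what the CE actually receives with show ip bgp 10.1.0.0 on CE-BGP-A2, or on the PE with show ip bgp vpnv4 vrf CustA neighbors 192.168.3.2 advertised-routes.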
Allowas-in: The Issue
• A customer site links two VPNs.
• This is not a usual setup (traffic between VPNs should not normally flow over a customer site).
• It is sometimes used for enhanced security, for example so that all traffic between the two VPNs passes through a device the customer controls.
Allowas-in: The Issue (Cont.)
• VPN perspective: VPN-A is connected to VPN-B via CE-AB.
• Physical topology: The CE-AB router is dual-connected to the PE routers.
• MPLS VPN perspective: The CE-AB router has two links into the P-network, one in each VRF.
• BGP perspective shows the issue: The CE-AB router has two connections to AS 65115.
Allowas-in: The Issue (Cont.)
• PE-1 announces network 10.1.0.0/16 to CE-AB; the AS path now starts with AS 65115.
• CE-AB prepends its AS number to the AS path and propagates the prefix to PE-2.
• PE-2 drops the update because its own AS number, 65115, is already in the AS path.
• Solving this with AS-override on CE-AB would require configuring the CE router and may require a Cisco IOS software upgrade on it; the allowas-in option described next is applied on the PE instead.
Allowas-in: Implementation
The allowas-in BGP option relaxes the AS path check on the PE router:
• The PE accepts updates that contain its own AS number, up to a configured number of occurrences, so that real routing loops (which keep adding the provider AS number on every pass) are still suppressed.
• The limit has to be configured; keep it as small as the topology allows.
• The PE router will reject the update only if its AS number appears in the AS path more often than the configured limit.
Allowas-in: Command
Router(config-router-af)# neighbor ip-address allowas-in number
• This command disables the traditional BGP AS path check for the specified CE neighbor in the VRF address family.
• An incoming update is rejected only if the AS number of the PE router appears in the AS path more often than the configured limit. If number is omitted, Cisco IOS software uses a default of 3; state the value explicitly so that the check stays as strict as the design permits.
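The PE-2 side of the CE-AB scenario, as an added example rather than the original slide's figure. The VRF name VPN-B, the PE-CE link 192.168.5.0/30 and the customer AS 65213 for CE-AB are assumed; the AS path walk-through in the comments follows the preceding slides:

```ios
! PE-2, provider AS 65115, VRF facing the VPN-B side of CE-AB
! (added example; addresses and the VRF name are assumed)
router bgp 65115
 address-family ipv4 vrf VPN-B
  neighbor 192.168.5.2 remote-as 65213
  neighbor 192.168.5.2 activate
  ! Accept paths in which 65115 appears at most once; a path carrying it
  ! twice or more is still treated as a loop and rejected
  neighbor 192.168.5.2 allowas-in 1
 exit-address-family
!
! AS path of 10.1.0.0/16 on its way from VPN-A to VPN-B
! (anything the originating site contributed follows on the right):
!   PE-1 -> CE-AB (EBGP):   65115
!   CE-AB -> PE-2 (EBGP):   65213 65115
!   PE-2, default check:    rejected, own AS 65115 is in the path
!   PE-2, allowas-in 1:     accepted, 65115 occurs once
!   PE-2, allowas-in 1:     65213 65115 65213 65115 is rejected (twice)
```

One occurrence is all a single CE-to-PE hop can add, so 1 is the right value for this topology; leaving the number off would silently allow up to three occurrences. Check acceptance with show ip bgp vpnv4 vrf VPN-B 10.1.0.0 on PE-2, which should show the path 65213 65115.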
Implementing SOO for Loop Prevention
AS path-based BGP loop prevention is bypassed with the AS-override and allowas-in features. A multihomed site's own routes can then be handed back to it by the other PE router without either side noticing, so a different marker is needed to recognize them.
Implementing SOO for Loop Prevention (Cont.)
• The SOO attribute (extended BGP community) can be used to prevent loops in these scenarios.
• The SOO attribute is needed only for multihomed sites, and the same value must be configured on every PE router that connects to the site.
• When EBGP is run between PE and CE routers, the SOO attribute is configured through a route-map command.
• For other routing protocols, the SOO attribute can be applied to routes learned through a particular VRF interface during the redistribution into BGP.
Implementing SOO for Loop Prevention (Cont.)
Inbound EBGP Update
Router(config)# route-map name permit seq
Router(config-route-map)# match conditions
Router(config-route-map)# set extcommunity soo extended-community-value
• Creates a route map that sets the SOO attribute
Router(config-router-af)# neighbor ip-address route-map name in
• Applies an inbound route map to the CE EBGP neighbor
Implementing SOO for Loop Prevention (Cont.)
Other Inbound Routing Updates
Router(config-if)# ip vrf sitemap route-map-name
• Applies a route map that sets the SOO extended community attribute to inbound routing updates received from this interface
Implementing SOO for Loop Prevention (Cont.)
Router(config)# ip extcommunity-list number permit soo value
!
Router(config)# route-map name deny seq
Router(config-route-map)# match extcommunity number
!
Router(config)# route-map name permit 9999
• Defines a route map that discards routes with the desired SOO value
Router(config-router-af)# neighbor ip-address route-map name out
• Applies the route map to outbound updates sent to the EBGP CE neighbor
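The three SOO slides above describe one procedure; this added example (not the original slides' figures) puts it together for a site that is dual-homed to two PE routers and uses AS-override, covering both the EBGP route-map form and the ip vrf sitemap form for non-BGP PE-CE protocols. The VRF name CustA, the SOO value 65115:100, the route-map and extcommunity-list names, the PE-CE link 192.168.1.0/30 and the customer AS 65213 are assumed:

```ios
! Configured identically on both PE routers attached to site 1
! (added example; names and values are assumed)
!
! Site 1 (CE-BGP-A1, AS 65213) is dual-homed and as-override is in use, so
! the CE can no longer see its own AS when its routes come back from the
! other PE. SOO 65115:100 marks everything learned from site 1.
ip extcommunity-list 1 permit soo 65115:100
!
! Inbound: stamp every route learned from site 1 with its SOO
route-map SOO-SITE1-IN permit 10
 set extcommunity soo 65115:100
!
! Outbound: drop anything carrying site 1's SOO, pass the rest
route-map SOO-SITE1-OUT deny 10
 match extcommunity 1
route-map SOO-SITE1-OUT permit 9999
!
router bgp 65115
 address-family ipv4 vrf CustA
  neighbor 192.168.1.2 remote-as 65213
  neighbor 192.168.1.2 activate
  neighbor 192.168.1.2 as-override
  neighbor 192.168.1.2 route-map SOO-SITE1-IN in
  neighbor 192.168.1.2 route-map SOO-SITE1-OUT out
 exit-address-family
!
! If site 1 ran OSPF or EIGRP to the PE instead of EBGP, the SOO would be
! attached at the VRF interface and carried into MP-BGP on redistribution;
! the outbound BGP filter above is unchanged
interface GigabitEthernet0/1
 ip vrf forwarding CustA
 ip address 192.168.1.1 255.255.255.252
 ip vrf sitemap SOO-SITE1-IN
```

With this in place, 10.1.0.0/16 learned from the CE on one PE is exported with SoO 65115:100, imported by the other PE, and then rejected by SOO-SITE1-OUT before it can be advertised back to the same site, while routes from other sites (no matching SOO) pass through the permit 9999 entry untouched. Confirm the tag with show ip bgp vpnv4 vrf CustA 10.1.0.0, which lists the SoO extended community on the path. Applying the filter on only one of the two PE routers leaves the other free to send the route back, so the configuration must be present on both.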
Summary
• Use the address-family ipv4 vrf vrf-name command in the BGP routing process to configure a per-VRF BGP routing context.
• SPs offering MPLS VPN services are at risk of denial-of-service attacks. Limiting VRF tables is one method to prevent such attacks.
• Use the neighbor maximum-prefix command to limit the number of prefixes received from a BGP neighbor.
• Use the maximum routes command to limit the total number of VRF routes.
Summary (Cont.)
• BGP loop detection prevents customers from reusing their AS number at several sites. The neighbor ip-address as-override command prevents this issue by replacing the customer AS number with the ISP AS number.
• By default, a customer site cannot link two VPNs, because the provider AS number is already in the AS path when the update returns to the PE. The neighbor ip-address allowas-in number command relaxes the BGP AS path check and permits such routing updates, up to the configured number of occurrences.
• Both features bypass AS path-based loop detection, so the SOO extended BGP community is used as the loop prevention mechanism for multihomed customer sites.