mpls vpn implementation n.
Skip this Video
Loading SlideShow in 5 Seconds..
MPLS VPN Implementation PowerPoint Presentation
Download Presentation
MPLS VPN Implementation

play fullscreen
1 / 28
Download Presentation

MPLS VPN Implementation - PowerPoint PPT Presentation

zuriel
160 Views
Download Presentation

MPLS VPN Implementation

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. MPLS VPN Implementation Configuring BGP as the Routing Protocol Between PE and CE Routers

  2. Outline • Overview • Configuring a per-VRF BGP Routing Context • What Are the Reasons for Limiting the Number of Routes in a VRF? • Limiting the Number of Prefixes Received from a BGP Neighbor • Limiting the Total Number of VRF Routes • Identifying AS-Override Issues • Identifying Allowas-in Issues • Implementing SOO for Loop Prevention • Summary

  3. Configuring per-VRF BGP Routing Context Router(config)# router bgp as-number address-family ipv4 vrf vrf-name ... Per-VRF BGP definitions ... • Select per-VRF BGP context with theaddress-familycommand. • Configure CE EBGP neighbors in the VRF context, not in the global BGP configuration. • CE neighbors have to be activated with the neighbor activate command.

  4. Configuring per-VRF BGP Routing Context (Cont.)

  5. Limiting the Number of Routes in a VRF • SPs offering MPLS VPN services are at risk of denial-of-service attacks similar to those aimed at SPs offering BGP connectivity: • Any customer can generate any number of routes, using resources in the PE routers. • Therefore, resources used by a single customer have to be limited. • Cisco IOS software offers two solutions: • It can limit the number of routes received from a BGP neighbor. • It can limit the total number of routes in a VRF.

  6. Limiting the Number of Prefixes Received from a BGP Neighbor Router(config-router-af)# neighbor ip-address maximum-prefix maximum [threshold] [warning-only] • Controls how many prefixes can be received from a neighbor • Optional threshold parameter specifies the percentage where a warning message is logged (default is 75 percent) • Optional warning-only keyword specifies the action on exceeding the maximum number (default is to drop peering)

  7. Limiting the Total Number of VRF Routes • TheVRF maximum routes limitcommand limits the number of routes that are imported into a VRF: • Routes coming from CE routers • Routes coming from other PE routers (imported routes) • The route limit is configured for each VRF. • If the number of routes exceeds the route limit: • A syslog message is generated. • The Cisco IOS software can be configured to reject routes (optional).

  8. Limiting the Total Number of VRF Routes (Cont.) • This command configures the maximum number of routes accepted into a VRF: • The limitparameteris the route limit for the VRF. • The warn-threshold parameteris the percentage value over which a warning message is sent to syslog. • The warn-only option creates a syslog error message when the maximum number of routes exceeds the threshold. • Syslog messages generated by this command are rate-limited. Router(config-vrf)# maximum routes limit{warn-threshold | warn-only}

  9. Limiting the Total Number of VRF Routes (Cont.)

  10. AS-Override:The Issue • The customer wants to reuse the same AS number on several sites: • CE-BGP-A1 announces network 10.1.0.0/16 to PE-Site-X. • The prefix announced by CE-BGP-A1 is propagated to PE-Site-Y as an internal route through MP-BGP. • PE-Site-Y prepends AS 65115 to the AS path and propagates the prefix to CE-BGP-A2. • CE-BGP-A2 drops the update because AS 65213 is already in the AS path.

  11. AS-Override:Implementation • New AS path update procedures have been implemented to reuse the same AS number on all VPN sites. • The procedures allow the use of private and public AS numbers. • The same AS number may be used for all sites.

  12. AS-Override:Implementation (Cont.) • With AS-override configured, the AS path update procedure on the PE router is as follows: • If the first AS number in the AS path is equal to the neighboring AS, it is replaced with the provider AS number. • If the first AS number has multiple occurrences (because of AS path prepend), all occurrences are replaced with the provider AS number. • After this operation, the provider AS number is prepended to the AS path.

  13. AS-Override:Command Router(config-router-af)# neighbor ip-address as-override • This command configures the AS-override AS path update procedure for the specified neighbor. • AS-override is configured for CE EBGP neighbors in the VRF address family of the BGP process.

  14. AS-Override:Example PE-Site-Y replaces AS 65213 with AS 65115 in the AS path, prepends another copy of AS 65115 to the AS path, and propagates the prefix.

  15. AS-Override:AS-Path Prepending PE-Site-Y replaces all occurrences of AS 65213 with AS 65115 in the AS path, prepends another copy of AS 65115 to the AS path, and propagates the prefix.

  16. Allowas-in: The Issue • Customer site links two VPNs • Not a usual setup (traffic between VPNs should not flow over the customer site) • Sometimes used for enhanced security

  17. Allowas-in:The Issue (Cont.) • VPN perspective: VPN-A is connected to VPN-B via CE-AB. • Physical topology: The CE-AB router is dual-connected to the PE routers. • MPLS VPN perspective: The CE-AB router has two links into the P-network. • BGP perspective shows issue: The CE-AB router has two connections to AS 65115.

  18. Allowas-in:The Issue (Cont.) • PE-1 announces network 10.1.0.0/16 to CE-AB. • CE-AB prepends its AS number to the AS path and propagatesthe prefix to PE-2. • PE-2 drops the update because its AS number is already in the AS path. • AS-override is needed on CE-AB, which may require a Cisco IOS software upgrade on the CE router.

  19. Allowas-in:Implementation • Theallowas-in BGP option disables the AS path check on the PE router: • The number of occurrences of the PE router AS number is limited to suppress real routing loops. • The limit has to be configured. • The PE router willreject the update only if its AS number appears in the AS pathmore often than the configured limit.

  20. Allowas-in:Command Router(config-router)# neighbor allowas-in number • This command disables the traditional BGP ASpath check. • An incoming update is rejected only if the AS number of the PE router appears in the AS path more often than the configured limit.

  21. Implementing SOO for Loop Prevention • AS path-based BGP loop prevention is bypassed with the AS‑override and allowas-in features.

  22. Implementing SOO for Loop Prevention (Cont.) • The SOO attribute (extended BGP community) can be used to prevent loops in these scenarios. • The SOO attribute is needed only for multihomed sites. • When EBGP is run between PE and CE routers, the SOO attribute is configured through a route-map command. • For other routing protocols, the SOO attribute can be applied to routes learned through a particular VRF interface during the redistribution into BGP.

  23. Implementing SOO for Loop Prevention (Cont.) Inbound EBGP Update Router(config)# route-map name permit seq match conditions set extcommunity soo extended-community-value • Creates a route map that sets the SOO attribute Router(config-router-af)# neighbor ip-address route-map name in • Applies an inbound routemap to the CE EBGP neighbor

  24. Implementing SOO for Loop Prevention (Cont.) Other Inbound Routing Updates Router(config-if)# ip vrf sitemap route-map-name • Applies a routemap that sets the SOO extended community attribute to inbound routing updates received from this interface

  25. Implementing SOO for Loop Prevention (Cont.) Router(config)# ip extcommunity-list number permit soo value ! route-map name deny seq match extcommunity number ! route-map name permit 9999 • Defines a route map that discards routes with the desired SOO value Router(config-router-af)# neighbor ip-address route-map name out • Applies the routemap to outbound updates sent to the EBGP CE neighbor

  26. Summary • Use the address-family ipv4 vrf vrf-name command in the BGP routing process to configure a per-VRF BGP routing context. • SPs offering MPLS VPN services are at risk of denial-of-service attacks. Limiting VRF tables is one method to prevent such attacks. • Use the neighbor maximum-prefix command to limit the number of prefixes received from a BGP neighbor. • Use the maximum routes command to limit the total number of VRF routes.

  27. Summary (Cont.) • BGP loop detection prevents customers from reusing their AS number. The neighbor ip-address as-overide command prevents this issue by replacing the customer AS number with the ISP AS number. • By default, a customer site cannot link two VPN sites of the same AS number because of BGP loop detection. The neighbor allowas-in number command disables the BGP path check and permits routing updates. • The SOO extended BGP community is used as a loop prevention mechanism for multihomed customer sites.