MPLS – BGP L3 VPN

image

we will build this lab on previous post MPLS EIGRP L3 VPN 

we will run BGP between CE and PE instead of EIGRP

We will start by configuring BGP on the CEs

R1

R1#show running-config | sec router
router bgp 65011
 no synchronization
 bgp log-neighbor-changes
 network 1.1.1.0 mask 255.255.255.0
 neighbor 10.1.12.2 remote-as 100
 no auto-summary

R5

R5#show running-config | sec router bgp
router bgp 65011
 no synchronization
 bgp log-neighbor-changes
 network 5.5.5.0 mask 255.255.255.0
 neighbor 10.1.45.4 remote-as 100
 no auto-summary

Now let’s run the BGP between the CE and PE

on both router R2 and R4

router bgp 100
 address-family ipv4 vrf CUST_A
  neighbor 10.1.45.5 remote-as 65011
  neighbor 10.1.45.5 activate
  no synchronization
  network 10.1.45.0 mask 255.255.255.0

let’s check BGP on R5

R5#show ip bgp summary  | b Nei
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.45.4       4   100      35      27       10    0    0 00:12:14        2

we see the BGP neighbor is up, but we are receiving only 2 routes while we should be receiving 3

R5(config-router)#do sh ip bgp
BGP table version is 11, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 5.5.5.0/24       0.0.0.0                  0         32768 i
*> 10.1.12.0/24     10.1.45.4                              0 100 i
r> 10.1.45.0/24     10.1.45.4                0             0 100 i

The reason that R5 is not receiving 1.1.1.0/24 prefix is that this prefix is originated

in AS 65011 which is the same AS of R5 as a default behaviour BGP will filter routes with its own AS in the AS_Path to prevent loop

we can override this behaviour using this command

neighbor x.x.x.x allow-as in

R5(config)#router bgp 100
R5(config-router)#neighbor 10.1.45.4 allowas-in
R5(config-router)#do sh ip bgp
BGP table version is 11, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       10.1.45.4                              0 100 65011 i
*> 5.5.5.0/24       0.0.0.0                  0         32768 i
*> 10.1.12.0/24     10.1.45.4                              0 100 i
r> 10.1.45.0/24     10.1.45.4                0             0 100 i

As we can see from the output above R5 has accepted the 1.1.1.0/24 after the command was used under the BGP configuration

Another way of doing this is using this command on the PE

neighbor x.x.x.x as-override

so on R2

R2(config)#router bgp 100
R2(config-router)#address-family ipv4 vrf CUST_A
R2(config-router-af)#neighbor 10.1.12.1 as-override 

Now let’s check the BGP on R1

R1#sh ip bgp
BGP table version is 13, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       0.0.0.0                  0         32768 i
*> 5.5.5.0/24       10.1.12.2                              0 100 100 i
r> 10.1.12.0/24     10.1.12.2                0             0 100 i
*> 10.1.45.0/24     10.1.12.2                              0 100 i

As we can see R2 overrides the original AS_Path and replaced it with its AS number

Comments

Post a Comment

Popular posts from this blog

IPv6 EIGRP

Image
In this post we will try to configure IPv6 EIGRP see the different options for the protocol and how these options are almost identical to the IPv4 version of EIGRP configuration R1 ipv6 unicast-routing interface lo0 ipv6 address 2001:1:1::1/64 interface FastEthernet0/0   ipv6 address FE80::1 link-local   ipv6 address FC00:1:12::1/64 ! interface FastEthernet0/1   ipv6 address FE80::1 link-local   ipv6 address FC00:1:13::1/64 !          R2 ipv6 unicast-routing interface lo0 ipv6 address 2001:2:2::2/64 interface FastEthernet0/0   ipv6 address FE80::2 link-local   ipv6 address FC00:1:12::2/64 ! interface FastEthernet0/1   ipv6 address FE80::2 link-local   ipv6 address FC00:1:23::2/64 R3 ipv6 unicast-routing interface lo0 ipv6 address 2001:3:3::3/64 interface lo1 ipv6 address 2001:3:4::3/64 interface lo2 ipv6 address 2001:3:5::3/64 interface FastEthernet0/0   ipv6 address FE80::3 link-...
Read more

BPDU Filter vs BPDU Guard

        Today we will try to explore the difference between these 2 options, BPDU guard and BPDU filter We know that BPDU are used to communicate between switches in L2 networks  to ensure loop free topology. BPDU Guard is used to protect our access (or trunks incase of servers) ports from receiving undesired BPDU packets, this feature is helpful in enforcing your network boundary in access layer BPDU Guard can be enabled on global configuration as well as under the interface configuration BPDU Filter on the other hand is used to filter BPDU packets outbound when configured  in global configuration (after sending 11 BPDU out ) and will filter BPDU inbound/outbound when configured under the interface level To better understand these two features, let’s use this simple topology R1 is connected to SW1 through F0/0 to have R1 send and receive BPDU we will simple configure bridging group 1 on the router and we will join the bridge group when desired to...
Read more

Private VLANS and protected ports

Image
In this post we will try to learn two layer 2 technologies, private vlans and protected ports Private vlans is used to segregate the layer 2 domain within the same vlan so we don’t waste any IP addresses, think about as sub-vlans within the same vlan that share the same layer 3 address. These sub-vlans can be of two kinds                      1- Community 2- Isolated The difference between community and isolated sub-vlans that hosts within community vlan can communicate together however hosts within isolated vlans con’t communicate to each others, also note that hosts from different community vlans can’t communicate/isolated vlans can’t communicate together. The question is how these hosts in community/isolated vlans communicate to the outside world, and the answer is they communicate through the promiscuous port which is part of parent vlan but this port is allowed to communicat...
Read more