Monday, January 9, 2017

CCIE SPv4 - MPLS L3 VPN - BGP Site of Origin

Software versions:
IOS XE 15.5
IOS XR 5.3

The topology for this demo:
In this post we will take a look at BGP Site of Origin (SoO). The problem it addresses here is that a backdoor link to another site isn't the preferred path to the destination. Typically there is a high-speed link directly connecting the two sites, and it is preferred over the L3 VPN circuit. Because eBGP peerings automatically get an AD of 20, from a routing perspective the eBGP route will win unless a more specific route or a static route is used, or SoO is used to stop the advertisement of routes.

From our previous post, we have both IPv4 and IPv6 routes using the MPLS connection. Our customer decided to provision an L2 P2P circuit and use that for other reasons. They have complained to us about the issue and want us to fix it. We could tell the customer to use a static route, which is the most common solution, but they have hundreds of routes and opted to have us fix the issue.

R7#sh bgp vpnv4 unicast vrf BGP
Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 20:50693 (default for vrf BGP)
 *>  10.10.10.0/24    37.0.0.3                               0 50693 10 ?
 *>  13.13.13.0/24    37.0.0.3                               0 50693 134 ?
 *   37.0.0.0/24      37.0.0.3                               0 50693 127 i
 *>                   0.0.0.0                  0         32768 i
 *>  59.0.0.0/24      37.0.0.3                               0 50693 9 i
 *>  83.0.0.0/24      37.0.0.3                               0 50693 8 i
 *>  106.0.0.0/24     37.0.0.3                               0 50693 10 i
 *>  112.0.0.0/24     37.0.0.3                               0 50693 127 i
 *>  113.0.0.0/24     37.0.0.3                               0 50693 143 i
 *>  131.0.0.0/24     37.0.0.3                               0 50693 134 i
 *   192.168.7.0      37.0.0.3                               0 50693 127 i
 *>                   0.0.0.0                  0         32768 i
 *>  192.168.12.0     37.0.0.3                               0 50693 127 i
 *>  192.168.12.0     37.0.0.3                               0 50693 127 i

As you can see, all the routes have the same next hop, R3 which is 37.0.0.3.

R7#sh bgp vpnv4 unicast vrf BGP  summary | b Neighbor
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
12.7.0.12       4          127      37      36       18    0    0 00:20:39        9

This is the new point-to-point circuit that the customer has. Routes have been learned on it, but because this is configured as an iBGP peer, the AD of 200 makes it less preferred.

Now it's time for us to configure Site Of Origin and make use of the backdoor link. This is configured on the PE side under the VRF configuration.

R3
router bgp 50693
address-family ipv4 vrf BGP
  neighbor 37.0.0.7 remote-as 127
  neighbor 37.0.0.7 activate
  neighbor 37.0.0.7 soo 127:50693

XR1
router bgp 50693
neighbor 112.0.0.12
   remote-as 127
   address-family ipv4 unicast
    route-policy PASS in
    route-policy PASS out
    as-override
    site-of-origin 127:50693

The SoO community value is visible in the output below, on the Extended community line of path #1 (SoO:127:50693).

RP/0/0/CPU0:XR1#sh bgp vpnv4 unicast vrf BGP  37.0.0.0/24
Mon Jan  9 23:45:16.336 UTC
BGP routing table entry for 37.0.0.0/24, Route Distinguisher: 20:50693
Versions:
  Process           bRIB/RIB  SendTblVer
  Speaker                254         254
    Local Label: 24013
Last Modified: Jan  9 23:15:14.688 for 00:30:01
Paths: (3 available, best #1)
  Advertised to update-groups (with more than one peer):
    0.2
  Path #1: Received by speaker 0
  Advertised to update-groups (with more than one peer):
    0.2
  127
    112.0.0.12 from 112.0.0.12 (192.168.1.12)
      Origin IGP, localpref 100, valid, external, best, group-best, import-candidate
      Received Path ID 0, Local Path ID 1, version 254
      Extended community: SoO:127:50693 RT:20:50693
  Path #2: Received by speaker 0
  Not advertised to any peer
  127
    192.168.1.3 (metric 3) from 192.168.1.2 (192.168.1.3)
      Received Label 22
      Origin IGP, metric 0, localpref 100, valid, internal, import-candidate, imported
      Received Path ID 0, Local Path ID 0, version 0
      Extended community: RT:20:50693
      Originator: 192.168.1.3, Cluster list: 192.168.1.2
      Source VRF: BGP, Source Route Distinguisher: 20:50693
  Path #3: Received by speaker 0
  Not advertised to any peer
  127
    192.168.1.3 (metric 3) from 192.168.1.14 (192.168.1.3)
      Received Label 22
      Origin IGP, metric 0, localpref 100, valid, internal, import-candidate, imported
      Received Path ID 0, Local Path ID 0, version 0
      Extended community: RT:20:50693
      Originator: 192.168.1.3, Cluster list: 192.168.1.14
      Source VRF: BGP, Source Route Distinguisher: 20:50693

R7 debug output:
BGP(4): (base) 37.0.0.3 send UPDATE (format) 112.0.0.0/24, next 37.0.0.7, metric 0, path Local, extended community RT:20:50693
BGP(0): 37.0.0.3 rcv UPDATE about 112.0.0.0/24 -- withdrawn
BGP: 37.0.0.3 Modifying prefix 112.0.0.0/24 from 0 -> 4 address
BGP(0): 37.0.0.3 rcv UPDATE about 192.168.12.0/24 -- withdrawn
BGP: 37.0.0.3 Modifying prefix 192.168.12.0/24 from 0 -> 4 address
BGP(0): 37.0.0.3 rcv UPDATE about 37.0.0.0/24 -- withdrawn
BGP: 37.0.0.3 Modifying prefix 37.0.0.0/24 from 0 -> 4 address
BGP(0): 37.0.0.3 rcv UPDATE about 192.168.7.0/24 -- withdrawn
BGP: 37.0.0.3 Modifying prefix 192.168.7.0/24 from 0 -> 4 address

The withdrawn messages indicate that those routes from R3 are no longer being used. Instead, R7 will update the BGP table and then the VRF BGP RIB to use the backdoor link.
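
The four withdrawals in the debug output follow from the PE's SoO check: a route tagged with an SoO is not advertised to a CE neighbor configured with the same SoO. The sketch below is an added example, not code from this post or from any router; the `PE` class, `run_demo`, the neighbor 203.0.113.9 and the placement of 59.0.0.0/24 behind XR1 are constructed for illustration.

```python
# Added illustration: models PE-side SoO tagging and filtering, not router code.
from dataclasses import dataclass, field

SOO = "SoO:127:50693"   # value configured on R3 and XR1 in this post
RT = "RT:20:50693"      # route target seen in the XR output

@dataclass
class PE:
    name: str
    ce_soo: dict                               # CE neighbor IP -> SoO or None
    vrf: dict = field(default_factory=dict)    # prefix -> extended communities

    def learn_from_ce(self, neighbor, prefix):
        """Inbound from a CE: attach the RT, plus the neighbor's SoO if set."""
        comms = {RT}
        if self.ce_soo.get(neighbor):
            comms.add(self.ce_soo[neighbor])
        self.vrf[prefix] = comms

    def import_vpnv4(self, other):
        """VPNv4 exchange between PEs: communities travel with the route."""
        for prefix, comms in other.vrf.items():
            self.vrf.setdefault(prefix, set(comms))

    def advertise_to_ce(self, neighbor):
        """Outbound to a CE: suppress routes whose SoO equals the neighbor's."""
        soo = self.ce_soo.get(neighbor)
        sent, suppressed = [], []
        for prefix, comms in sorted(self.vrf.items()):
            (suppressed if soo and soo in comms else sent).append(prefix)
        return sent, suppressed

def run_demo():
    r3 = PE("R3", {"37.0.0.7": SOO})
    # 203.0.113.9 is a constructed CE neighbor with no SoO configured.
    xr1 = PE("XR1", {"112.0.0.12": SOO, "203.0.113.9": None})
    for p in ("37.0.0.0/24", "192.168.7.0/24"):
        r3.learn_from_ce("37.0.0.7", p)
    for p in ("112.0.0.0/24", "192.168.12.0/24"):
        xr1.learn_from_ce("112.0.0.12", p)
    xr1.learn_from_ce("203.0.113.9", "59.0.0.0/24")  # constructed placement
    r3.import_vpnv4(xr1)
    return r3.advertise_to_ce("37.0.0.7")

if __name__ == "__main__":
    sent, suppressed = run_demo()
    print("sent to R7:", sent)
    print("suppressed toward R7:", suppressed)
```
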

R7#sh bgp vpnv4 unicast vrf BGP
Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 20:50693 (default for vrf BGP)
 * i 10.10.10.0/24    12.7.0.12                0    100      0 50693 10 ?
 *>                   37.0.0.3                               0 50693 10 ?
 * i 13.13.13.0/24    12.7.0.12                0    100      0 50693 134 ?
 *>                   37.0.0.3                               0 50693 134 ?
 *>  37.0.0.0/24      0.0.0.0                  0         32768 i
 * i 59.0.0.0/24      12.7.0.12                0    100      0 50693 9 i
 *>                   37.0.0.3                               0 50693 9 i
 * i 83.0.0.0/24      12.7.0.12                0    100      0 50693 8 i
 *>                   37.0.0.3                               0 50693 8 i
 * i 106.0.0.0/24     12.7.0.12                0    100      0 50693 10 i
 *>                   37.0.0.3                               0 50693 10 i
 *>i 112.0.0.0/24     12.7.0.12                0    100      0 i
 * i 113.0.0.0/24     12.7.0.12                0    100      0 50693 143 i
     Network          Next Hop            Metric LocPrf Weight Path
 *>                   37.0.0.3                               0 50693 143 i
 * i 131.0.0.0/24     12.7.0.12                0    100      0 50693 134 i
 *>                   37.0.0.3                               0 50693 134 i
 *>  192.168.7.0      0.0.0.0                  0         32768 i
 *>i 192.168.12.0     12.7.0.12                0    100      0 i

As you can see, 112.0.0.0/24 and 192.168.12.0/24 are both using the backdoor link.

R7#sh ip route vrf BGP | in 12.7.0.12
B        112.0.0.0 [200/0] via 12.7.0.12, 00:07:20
B     192.168.12.0/24 [200/0] via 12.7.0.12, 00:07:20

The AD on both routes is 200, indicating an iBGP-learned route. Due to the SoO configuration, R7 will send any traffic destined to either destination over the backdoor link.

R7#trace vrf BGP 192.168.12.12
Type escape sequence to abort.
Tracing the route to 192.168.12.12
VRF info: (vrf in name/id, vrf out name/id)
  1 12.7.0.12 2 msec 1 msec *

Thanks for stopping by!
Rob Riker, CCIE #50693
