MPLS VPN – Option C – using BGP label exchange with Cisco and Junos – part 1

It has been a while since I have done any labs after getting a new job. This time, I will be building an NNI option C using both Cisco IOS and Juniper MX. The reason I write this is because I do not find many resources on the internet about the inter-AS connection using 2 different software at the same time. Hope this can be useful for anyone who is having the same struggle as I do.
(the AS# below are randomly picked!!)
lab-testing-mpls
Based on the lab diagram (don't feel like copping it up), as the internal VPN service is already running and the intra-AS is running OSPF and LDP for MPLS, I will be connecting AS5052 (the green area in the middle) and AS7077 (the orange area at the bottom) together over NNIs to extend the MPLS VPN services.
Since the NNIs in this lab will not be running LDP between the ASBRs of AS5052 and AS7077, we will be using BGP to exchange IPv4 plus label information between AS7077 and AS5052 for building an end-to-end LSP as a second option.
Also, we will have the route reflectors exchange the MPLS VPN route entries between both autonomous systems to extend MPLS VPN services.
The objective of this lab would be the following:
1. R04 (AS5052 ASBR) has eBGP peering with R25 (AS7077 ASBR) for IPv4 entries plus labelling.
2. R06 (AS5052 ASBR) has eBGP peering with R24 (AS7077 ASBR) for IPv4 entries plus labelling.
3. R26 (AS7077 RR) has eBGP peering with R08 and R09 (AS5052 RR) for MPLS VPN route entries.
4. Route reflector(s) within the AS will have iBGP peering to every PE router for giving out the peering AS loopback addresses as well as the VPN route entries.
First of all, the ASBRs from both ASes have to advertise their internal loopback addresses to their peers. This allows the PE routers in the peering AS to recognize the next hop of the VPN traffic, and it also allows the peering between route reflectors. To do so, each ASBR redistributes all of the loopback addresses from its OSPF database to its peer via eBGP.

R04:
In the attached route table below, we can tell the routes are stored in the inet.0 table, which is the IPv4 table. But why would the good old IPv4 routes have a label attached at the end? That is because the label is used to form an end-to-end label-switched path that carries the MPLS-encapsulated packets from one AS to another. Some of you might have spotted that some route entries do not have an MPLS label. That is because R04 is the penultimate router of R25.
 
 

Route entries
netuser@net-AS5052-vMX-R04> show route protocol bgp next-hop 9.9.9.5
inet.0: 42 destinations, 62 routes (42 active, 0 holddown, 0 hidden)
+ = Active Route, – = Last Active, * = Both
10.70.0.24/32 [BGP/170] 01:14:47, MED 2, localpref 100
AS path: 7077 ?, validation-state: unverified
> to 9.9.9.5 via ge-0/0/2.3969, Push 19
10.70.0.25/32 *[BGP/170] 01:14:47, MED 0, localpref 100
AS path: 7077 ?, validation-state: unverified
> to 9.9.9.5 via ge-0/0/2.3969
10.70.0.26/32 [BGP/170] 01:14:47, MED 2, localpref 100
AS path: 7077 ?, validation-state: unverified
> to 9.9.9.5 via ge-0/0/2.3969, Push 17
10.70.1.0/31 [BGP/170] 01:14:47, MED 501, localpref 100
AS path: 7077 ?, validation-state: unverified
> to 9.9.9.5 via ge-0/0/2.3969, Push 18
10.70.1.2/31 *[BGP/170] 01:14:47, MED 0, localpref 100
AS path: 7077 ?, validation-state: unverified
> to 9.9.9.5 via ge-0/0/2.3969
10.70.1.4/31 *[BGP/170] 01:14:47, MED 0, localpref 100
AS path: 7077 ?, validation-state: unverified
> to 9.9.9.5 via ge-0/0/2.3969
10.70.1.6/31 *[BGP/170] 01:14:47, MED 0, localpref 100
AS path: 7077 ?, validation-state: unverified
> to 9.9.9.5 via ge-0/0/2.3969
The syntax for R04 is listed below:
– it is to build an LSP using BGP.
– also it exchanges the loopback addresses of the route reflectors and other P and PE routers to AS7077.
set interfaces ge-0/0/2 unit 3969 description "Connect to NNI-C AS7077 R25"
set interfaces ge-0/0/2 unit 3969 vlan-id 3969
set interfaces ge-0/0/2 unit 3969 family inet mtu 1982
set interfaces ge-0/0/2 unit 3969 family inet address 9.9.9.4/31
set interfaces ge-0/0/2 unit 3969 family mpls mtu 1962
set interfaces ge-0/0/2 unit 3969 family mpls maximum-labels 5
!!! it is always a good practice to set interfaces to take as many labels as possible. In this case, it will pass 3 layers of encapsulation (1 for MPLS VPN, 1 for internal AS LSP, and 1 for LSP over NNI) to AS7077 !!!
set policy-options policy-statement ebgp-AS7077-export term 01-route_reflector from route-filter 10.50.0.8/32 exact
set policy-options policy-statement ebgp-AS7077-export term 01-route_reflector from route-filter 10.50.0.9/32 exact
set policy-options policy-statement ebgp-AS7077-export term 01-route_reflector then accept
set policy-options policy-statement ebgp-AS7077-export term 02-loopback from route-filter 10.50.0.0/24 prefix-length-range /32-/32
set policy-options policy-statement ebgp-AS7077-export term 02-loopback then accept
set policy-options policy-statement ebgp-AS7077-export then reject
set protocols bgp group ebgp-AS7077-NNI-C type external
set protocols bgp group ebgp-AS7077-NNI-C family inet labeled-unicast
!!! the magic of building an LSP using BGP is “labeled-unicast” !!!
set protocols bgp group ebgp-AS7077-NNI-C export ebgp-AS7077-export
set protocols bgp group ebgp-AS7077-NNI-C peer-as 7077
set protocols bgp group ebgp-AS7077-NNI-C neighbor 9.9.9.5
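
To check what this export policy lets across the NNI, the sketch below models `ebgp-AS7077-export` in Python and evaluates candidate prefixes against it. It is an added example, not part of the original lab; the `CONSTRUCTED` prefixes are made up for illustration, and the evaluator covers only the two route-filter match types used in this policy.

```python
import ipaddress

# ebgp-AS7077-export as configured on R04 above.
# Each route-filter: (prefix, match type, min length, max length).
POLICY = [
    ("01-route_reflector", [("10.50.0.8/32", "exact", 32, 32),
                            ("10.50.0.9/32", "exact", 32, 32)], "accept"),
    ("02-loopback", [("10.50.0.0/24", "prefix-length-range", 32, 32)], "accept"),
]
DEFAULT = ("reject", "final then reject")


def term_matches(route, filters):
    """Junos picks the longest covering route-filter in a term, then tests
    only that filter's match type."""
    covering = [f for f in filters
                if route.subnet_of(ipaddress.ip_network(f[0]))]
    if not covering:
        return False
    prefix, kind, lo, hi = max(
        covering, key=lambda f: ipaddress.ip_network(f[0]).prefixlen)
    if kind == "exact":
        return route == ipaddress.ip_network(prefix)
    return lo <= route.prefixlen <= hi


def evaluate(prefix):
    """Return (action, term name) for one candidate route."""
    route = ipaddress.ip_network(prefix)
    for name, filters, action in POLICY:
        if term_matches(route, filters):
            return action, name
    return DEFAULT


# Prefixes R25 shows as learned via 9.9.9.4 in the output on this page.
SEEN_ON_R25 = ["10.50.0.1/32", "10.50.0.4/32", "10.50.0.5/32", "10.50.0.8/32"]
# Constructed candidates that should never cross the NNI.
CONSTRUCTED = ["10.50.1.24/31", "10.50.0.0/24", "10.50.0.64/26", "0.0.0.0/0"]

if __name__ == "__main__":
    for p in SEEN_ON_R25 + CONSTRUCTED:
        print(f"{p:16} {evaluate(p)}")
```

Only /32 loopbacks inside 10.50.0.0/24 are accepted; link subnets, aggregates and a default route fall through to the final reject.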


R25:
 

Route entries
net-AS7077-vIOS-R25#sho ip route bgp | in 9.9.9.4
B 10.50.0.1/32 [20/1] via 9.9.9.4, 00:11:10
B 10.50.0.4/32 [20/0] via 9.9.9.4, 00:11:10
B 10.50.0.5/32 [20/1] via 9.9.9.4, 00:11:10
B 10.50.0.8/32 [20/1] via 9.9.9.4, 00:11:10
net-AS7077-vIOS-R25#sho mpls forwarding-table | in 10.50
20 320705 10.50.0.1/32 0 Gi0/2.3969 9.9.9.4
21 320753 10.50.0.5/32 0 Gi0/2.3969 9.9.9.4
22 320785 10.50.0.8/32 222125 Gi0/2.3969 9.9.9.4
23 23 10.50.0.2/32 0 Gi0/1.3973 10.70.1.7
24 24 10.50.0.3/32 0 Gi0/1.3973 10.70.1.7
25 27 10.50.0.6/32 0 Gi0/1.3973 10.70.1.7
26 Pop Label 10.50.0.4/32 0 Gi0/2.3969 9.9.9.4
27 26 10.50.0.9/32 0 Gi0/1.3973 10.70.1.7
28 29 10.50.0.11/32 0 Gi0/1.3973 10.70.1.7
The syntax for R25 is listed below:
– to exchange route entries including
interface GigabitEthernet0/2.3969
encapsulation dot1Q 3969
ip address 9.9.9.5 255.255.255.254
mpls mtu 1980
mpls traffic-eng tunnels
mpls bgp forwarding
mpls ip
ip rsvp bandwidth 1500
router bgp 7077
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 9.9.9.4 remote-as 5052
neighbor 10.70.0.26 remote-as 7077
neighbor 10.70.0.26 update-source Loopback0
!
address-family ipv4
redistribute ospf 1
neighbor 9.9.9.4 activate
neighbor 9.9.9.4 send-community extended
neighbor 9.9.9.4 route-map bgp-in in
neighbor 9.9.9.4 route-map bgp-out out
neighbor 9.9.9.4 send-label
exit-address-family
!
route-map bgp-out permit 10
set mpls-label
!
route-map bgp-in permit 10
match mpls-label
!


After both sides have the route info for the routers' loopback addresses and the route reflectors, we can build the eBGP peering between both route reflectors (R8 and R26). R8 is a logical router.
 

Syntax for R8
– applying all of the route types in the same group is not really a good practice, but who cares, it's a lab only eh !!!
set logical-systems LS-RR1 protocols bgp group ebgp-NNI-C type external
set logical-systems LS-RR1 protocols bgp group ebgp-NNI-C multihop ttl 200
!!! since this eBGP connection is not a direct peering and the default eBGP time-to-live value is 1, we have to increase the TTL for this connection. !!!

set logical-systems LS-RR1 protocols bgp group ebgp-NNI-C local-address 10.50.0.8
set logical-systems LS-RR1 protocols bgp group ebgp-NNI-C neighbor 10.70.0.26 multihop no-nexthop-change
!!! also we need to advertise the route entries to AS7077 without changing the next hop at their end. otherwise, all of the traffic from AS7077 to AS5052 will be routed via the route reflector. !!!

set logical-systems LS-RR1 protocols bgp group ebgp-NNI-C neighbor 10.70.0.26 family inet-vpn unicast
set logical-systems LS-RR1 protocols bgp group ebgp-NNI-C neighbor 10.70.0.26 family inet6-vpn unicast
set logical-systems LS-RR1 protocols bgp group ebgp-NNI-C neighbor 10.70.0.26 family l2vpn signaling
set logical-systems LS-RR1 protocols bgp group ebgp-NNI-C neighbor 10.70.0.26 family evpn signaling
set logical-systems LS-RR1 protocols bgp group ebgp-NNI-C neighbor 10.70.0.26 family inet-mvpn signaling
set logical-systems LS-RR1 protocols bgp group ebgp-NNI-C neighbor 10.70.0.26 family inet6-mvpn signaling
set logical-systems LS-RR1 protocols bgp group ebgp-NNI-C neighbor 10.70.0.26 peer-as 7077
Syntax for R26:
router bgp 7077
neighbor 10.50.0.8 remote-as 5052
neighbor 10.50.0.8 ebgp-multihop 200
!!!! the multi hop here is the same as ttl in junos.
neighbor 10.50.0.8 update-source Loopback0
neighbor 10.50.0.9 remote-as 5052
neighbor 10.50.0.9 ebgp-multihop 200
!!!! the multi hop here is the same as ttl in junos.
neighbor 10.50.0.9 update-source Loopback0
!
address-family vpnv4
neighbor 10.50.0.8 activate
neighbor 10.50.0.8 send-community both
neighbor 10.50.0.8 next-hop-unchanged
!!! also we need to advertise the route entries to AS5052 without changing the next hop at their end. otherwise, all of the traffic from AS5052 to AS7077 will be routed via the route reflector. !!!
neighbor 10.50.0.9 activate
neighbor 10.50.0.9 send-community both
neighbor 10.50.0.9 next-hop-unchanged
exit-address-family
!
address-family vpnv4 multicast
neighbor 10.50.0.8 activate
neighbor 10.50.0.8 send-community extended
neighbor 10.50.0.8 next-hop-unchanged
neighbor 10.50.0.9 activate
neighbor 10.50.0.9 send-community extended
neighbor 10.50.0.9 next-hop-unchanged
exit-address-family
address-family vpnv6
neighbor 10.50.0.8 activate
neighbor 10.50.0.8 send-community extended
neighbor 10.50.0.8 next-hop-unchanged
neighbor 10.50.0.9 activate
neighbor 10.50.0.9 send-community extended
neighbor 10.50.0.9 next-hop-unchanged
exit-address-family
address-family vpnv6 multicast
neighbor 10.50.0.8 activate
neighbor 10.50.0.8 send-community extended
neighbor 10.50.0.8 next-hop-unchanged
neighbor 10.50.0.9 activate
neighbor 10.50.0.9 send-community extended
neighbor 10.50.0.9 next-hop-unchanged
exit-address-family
address-family l2vpn evpn
neighbor 10.50.0.8 activate
neighbor 10.50.0.8 send-community both
neighbor 10.50.0.8 next-hop-unchanged
neighbor 10.50.0.9 activate
neighbor 10.50.0.9 send-community both
neighbor 10.50.0.9 next-hop-unchanged
exit-address-family

Once we have the eBGP connection set up in both ASes, we will be able to see the route entries that R08 receives from R26, and R08 will redistribute the eBGP routes to the other PE nodes within the AS.
 

Route entries at R08:
– From the routes below, routes 8.8.8.8/32 and 10.70.2.0/30 (located in the R25 VRF) each have 2 MPLS labels.
If R08 is the ingress router and needs to pass a packet to 10.70.2.0/30, the traffic flow is as listed below:

| Device | Sender | R08 | R04 | R25 | Recipient |
| --- | --- | --- | --- | --- | --- |
| Router type | | Ingress router | Penultimate router | Egress router | |
| Label header | N/A | Insert the following labels. lv1 – 320881; lv2 – 29; lv3 – IPv4 | Pop the outer label. lv1 – 29; lv2 – IPv4 | Pop the outer label. lv1 – IPv4 | It will not receive any labeled packets. lv1 – IPv4 |

If R08 is the ingress router and needs to pass a packet to 10.70.90.26/32, the traffic flow is as listed below:

| Device | Sender | R08 | R04 | R25 | R26 | Recipient |
| --- | --- | --- | --- | --- | --- | --- |
| Router type | | Ingress router | Intermediate router | Penultimate router | Egress router | |
| Label header | Sending a regular IPv4 packet. IPv4 | Insert the following labels. lv1 – 402033; lv2 – 74; lv3 – IPv4 | Swap the outer label. lv1 – 17; lv2 – 74; lv3 – IPv4 | Pop the outer label. lv1 – 74; lv2 – IPv4 | Pop the outer label. lv1 – IPv4 | Receive a regular IPv4 packet. lv1 – IPv4 |

netuser@net-AS5052-vMX-R04> show route logical-system LS-RR1 table bgp.l3vpn.0
bgp.l3vpn.0: 30 destinations, 30 routes (30 active, 0 holddown, 0 hidden)
+ = Active Route, – = Last Active, * = Both
7077:1025:8.8.8.8/32
*[BGP/170] 00:42:59, localpref 100, from 10.70.0.26
AS path: 7077 ?, validation-state: unverified
> to 10.50.1.24 via lt-0/0/0.25, Push 29, Push 320881(top)
!!!

7077:1025:10.70.2.0/30
*[BGP/170] 00:42:59, localpref 100, from 10.70.0.26
AS path: 7077 ?, validation-state: unverified
> to 10.50.1.24 via lt-0/0/0.25, Push 30, Push 320881(top)
7077:1026:10.70.90.26/32
*[BGP/170] 04:13:07, MED 0, localpref 100, from 10.70.0.26
AS path: 7077 ?, validation-state: unverified
> to 10.50.1.24 via lt-0/0/0.25, Push 74, Push 402033(top)
netuser@net-AS5052-vMX-R04> show route label 402033
mpls.0: 33 destinations, 33 routes (33 active, 0 holddown, 0 hidden)
+ = Active Route, – = Last Active, * = Both
402033 *[VPN/170] 00:37:58
> to 9.9.9.5 via ge-0/0/2.3969, Swap 17
net-AS7077-vIOS-R25#sho mpls forwarding-table labels 17
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
17 Pop Label 10.70.0.26/32 747812 Gi0/1.3972 10.70.1.3
Pop Label 10.70.0.26/32 377223 Gi0/1.3971 10.70.1.5
net-AS7077-vIOS-R26#sho mpls forwarding-table labels 74
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
74 Pop Label 10.70.90.26/32[V] \
0 aggregate/cust-A
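
The forwarding entries above can be chained to confirm the second flow table hop by hop. The following Python sketch is an added example, not part of the original lab: it walks a packet for 10.70.90.26/32 through the label operations shown in the CLI output, and also shows what happens when one router has no entry for the top label (a constructed failure case).

```python
# Forwarding entries copied from the CLI output above:
# router -> {incoming top label: (operation, outgoing label, next router)}
LFIB = {
    "R04": {402033: ("swap", 17, "R25")},   # show route label 402033
    "R25": {17: ("pop", None, "R26")},      # Pop Label towards 10.70.0.26/32
    "R26": {74: ("pop", None, None)},       # aggregate/cust-A, VRF IP lookup
}
# Labels R08 pushes for 7077:1026:10.70.90.26/32, top label first.
# The next router (R04) follows the flow table in the post.
INGRESS = {"10.70.90.26/32": ((402033, 74), "R04")}


def walk(prefix, lfib=LFIB):
    """Return [(router, operation, stack after operation)] for one packet."""
    labels, router = INGRESS[prefix]
    stack = list(labels)
    trace = [("R08", "push", tuple(stack))]
    while router is not None and stack:
        entry = lfib.get(router, {}).get(stack[0])
        if entry is None:
            # No entry for the top label: the packet is dropped here.
            trace.append((router, "drop", tuple(stack)))
            return trace
        op, out_label, router_next = entry
        if op == "swap":
            stack[0] = out_label
        else:
            stack.pop(0)
        trace.append((router, op, tuple(stack)))
        router = router_next
    return trace


def max_depth(trace):
    """Deepest label stack seen, to compare with family mpls maximum-labels."""
    return max(len(stack) for _, _, stack in trace)


if __name__ == "__main__":
    for hop in walk("10.70.90.26/32"):
        print(hop)
    broken = {**LFIB, "R25": {}}   # constructed failure: R25 lacks label 17
    print(walk("10.70.90.26/32", broken)[-1])
```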

 
I think I will stop here for a while. Also this post should cover the basic NNI option C setup for both Cisco IOS and Juniper Junos already. But do let me know what else can be put into this post to make it better.
 
 
