
MPLS VPN Implementation






Presentation Transcript


  1. MPLS VPN Implementation Configuring BGP as the Routing Protocol Between PE and CE Routers

  2. Outline
  • Overview
  • Configuring a per-VRF BGP Routing Context
  • What Are the Reasons for Limiting the Number of Routes in a VRF?
  • Limiting the Number of Prefixes Received from a BGP Neighbor
  • Limiting the Total Number of VRF Routes
  • Identifying AS-Override Issues
  • Identifying Allowas-in Issues
  • Implementing SOO for Loop Prevention
  • Summary

  3. Configuring per-VRF BGP Routing Context
  Router(config)#
    router bgp as-number
     address-family ipv4 vrf vrf-name
      ... Per-VRF BGP definitions ...
  • Select the per-VRF BGP context with the address-family command.
  • Configure CE EBGP neighbors in the VRF context, not in the global BGP configuration.
  • CE neighbors have to be activated with the neighbor activate command.

  4. Configuring per-VRF BGP Routing Context (Cont.)

  5. Limiting the Number of Routes in a VRF
  • SPs offering MPLS VPN services are at risk of denial-of-service attacks similar to those aimed at SPs offering BGP connectivity:
    • Any customer can generate any number of routes, using resources in the PE routers.
    • Therefore, resources used by a single customer have to be limited.
  • Cisco IOS software offers two solutions:
    • It can limit the number of routes received from a BGP neighbor.
    • It can limit the total number of routes in a VRF.

  6. Limiting the Number of Prefixes Received from a BGP Neighbor
  Router(config-router-af)# neighbor ip-address maximum-prefix maximum [threshold] [warning-only]
  • Controls how many prefixes can be received from a neighbor
  • Optional threshold parameter specifies the percentage where a warning message is logged (default is 75 percent)
  • Optional warning-only keyword specifies the action on exceeding the maximum number (default is to drop peering)

  7. Limiting the Total Number of VRF Routes
  • The VRF maximum routes limit command limits the number of routes that are imported into a VRF:
    • Routes coming from CE routers
    • Routes coming from other PE routers (imported routes)
  • The route limit is configured for each VRF.
  • If the number of routes exceeds the route limit:
    • A syslog message is generated.
    • The Cisco IOS software can be configured to reject routes (optional).

  8. Limiting the Total Number of VRF Routes (Cont.)
  Router(config-vrf)# maximum routes limit {warn-threshold | warn-only}
  • This command configures the maximum number of routes accepted into a VRF:
    • The limit parameter is the route limit for the VRF.
    • The warn-threshold parameter is the percentage value over which a warning message is sent to syslog.
    • The warn-only option creates a syslog error message when the maximum number of routes exceeds the threshold.
  • Syslog messages generated by this command are rate-limited.

  9. Limiting the Total Number of VRF Routes (Cont.)

  10. AS-Override: The Issue
  • The customer wants to reuse the same AS number on several sites:
    • CE-BGP-A1 announces network 10.1.0.0/16 to PE-Site-X.
    • The prefix announced by CE-BGP-A1 is propagated to PE-Site-Y as an internal route through MP-BGP.
    • PE-Site-Y prepends AS 65115 to the AS path and propagates the prefix to CE-BGP-A2.
    • CE-BGP-A2 drops the update because AS 65213 is already in the AS path.

  11. AS-Override: Implementation
  • New AS path update procedures have been implemented to reuse the same AS number on all VPN sites.
  • The procedures allow the use of private and public AS numbers.
  • The same AS number may be used for all sites.

  12. AS-Override: Implementation (Cont.)
  • With AS-override configured, the AS path update procedure on the PE router is as follows:
    • If the first AS number in the AS path is equal to the neighboring AS, it is replaced with the provider AS number.
    • If the first AS number has multiple occurrences (because of AS path prepend), all occurrences are replaced with the provider AS number.
    • After this operation, the provider AS number is prepended to the AS path.

  13. AS-Override: Command
  Router(config-router-af)# neighbor ip-address as-override
  • This command configures the AS-override AS path update procedure for the specified neighbor.
  • AS-override is configured for CE EBGP neighbors in the VRF address family of the BGP process.

  14. AS-Override: Example
  PE-Site-Y replaces AS 65213 with AS 65115 in the AS path, prepends another copy of AS 65115 to the AS path, and propagates the prefix.

  15. AS-Override: AS-Path Prepending
  PE-Site-Y replaces all occurrences of AS 65213 with AS 65115 in the AS path, prepends another copy of AS 65115 to the AS path, and propagates the prefix.

  16. Allowas-in: The Issue
  • Customer site links two VPNs
  • Not a usual setup (traffic between VPNs should not flow over the customer site)
  • Sometimes used for enhanced security

  17. Allowas-in: The Issue (Cont.)
  • VPN perspective: VPN-A is connected to VPN-B via CE-AB.
  • Physical topology: The CE-AB router is dual-connected to the PE routers.
  • MPLS VPN perspective: The CE-AB router has two links into the P-network.
  • BGP perspective shows the issue: The CE-AB router has two connections to AS 65115.

  18. Allowas-in: The Issue (Cont.)
  • PE-1 announces network 10.1.0.0/16 to CE-AB.
  • CE-AB prepends its AS number to the AS path and propagates the prefix to PE-2.
  • PE-2 drops the update because its AS number is already in the AS path.
  • AS-override would be needed on CE-AB, which may require a Cisco IOS software upgrade on the CE router.

  19. Allowas-in: Implementation
  • The allowas-in BGP option disables the AS path check on the PE router:
    • The number of occurrences of the PE router AS number is limited to suppress real routing loops.
    • The limit has to be configured.
    • The PE router will reject the update only if its AS number appears in the AS path more often than the configured limit.

  20. Allowas-in: Command
  Router(config-router)# neighbor ip-address allowas-in number
  • This command disables the traditional BGP AS path check.
  • An incoming update is rejected only if the AS number of the PE router appears in the AS path more often than the configured limit.
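The AS path procedures of slides 10 to 20 (AS-override rewriting on the PE, the receiver's loop check with and without allowas-in) as an added model in Python; this is an illustration written for this transcript, not Cisco code. AS numbers 65115 and 65213 come from the slides; CE-AB's AS 65001 and the second AS path values are constructed.

```python
"""AS-override and allowas-in modelled as operations on a BGP AS path."""
from typing import List

PROVIDER_AS = 65115   # PE routers' AS (from the slides)
CUSTOMER_AS = 65213   # AS reused on every customer site (from the slides)


def pe_to_ce_update(as_path: List[int], neighbor_as: int,
                    provider_as: int = PROVIDER_AS,
                    as_override: bool = False) -> List[int]:
    """AS path a PE sends to a CE EBGP neighbour.

    With AS-override (slide 12) the leading run of the neighbour's AS,
    including copies added by AS path prepend, is rewritten to the provider
    AS; the provider AS is then prepended as in any EBGP update.
    """
    path = list(as_path)
    if as_override:
        i = 0
        while i < len(path) and path[i] == neighbor_as:
            path[i] = provider_as
            i += 1
    return [provider_as] + path


def accepts_update(as_path: List[int], local_as: int,
                   allowas_in: int = 0) -> bool:
    """Receiver-side loop check (slide 19).

    With allowas_in = 0 (default BGP behaviour) any occurrence of the local
    AS rejects the update; with 'allowas-in N' the update is rejected only
    when the local AS appears more than N times, so real loops are still
    suppressed.
    """
    return as_path.count(local_as) <= allowas_in


def site_reuse_scenario(as_override: bool) -> bool:
    """Slides 10 and 14: CE-BGP-A1 (AS 65213) -> PE-Site-X -> MP-BGP ->
    PE-Site-Y -> CE-BGP-A2 (also AS 65213).
    Returns True if CE-BGP-A2 accepts 10.1.0.0/16."""
    learned_at_pe = [CUSTOMER_AS]            # path as received by PE-Site-X
    sent = pe_to_ce_update(learned_at_pe, CUSTOMER_AS, as_override=as_override)
    return accepts_update(sent, CUSTOMER_AS)
```

Calling `site_reuse_scenario(False)` reproduces the drop on slide 10; with `True` the path becomes `[65115, 65115]` and CE-BGP-A2 accepts it.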

  21. Implementing SOO for Loop Prevention
  • AS path-based BGP loop prevention is bypassed with the AS-override and allowas-in features.

  22. Implementing SOO for Loop Prevention (Cont.)
  • The SOO attribute (extended BGP community) can be used to prevent loops in these scenarios.
  • The SOO attribute is needed only for multihomed sites.
  • When EBGP is run between PE and CE routers, the SOO attribute is configured through a route-map command.
  • For other routing protocols, the SOO attribute can be applied to routes learned through a particular VRF interface during the redistribution into BGP.

  23. Implementing SOO for Loop Prevention (Cont.)
  Inbound EBGP Update
  Router(config)#
    route-map name permit seq
     match conditions
     set extcommunity soo extended-community-value
  • Creates a route map that sets the SOO attribute
  Router(config-router-af)# neighbor ip-address route-map name in
  • Applies an inbound route map to the CE EBGP neighbor

  24. Implementing SOO for Loop Prevention (Cont.)
  Other Inbound Routing Updates
  Router(config-if)# ip vrf sitemap route-map-name
  • Applies a route map that sets the SOO extended community attribute to inbound routing updates received from this interface

  25. Implementing SOO for Loop Prevention (Cont.)
  Router(config)#
    ip extcommunity-list number permit soo value
    !
    route-map name deny seq
     match extcommunity number
    !
    route-map name permit 9999
  • Defines a route map that discards routes with the desired SOO value
  Router(config-router-af)# neighbor ip-address route-map name out
  • Applies the route map to outbound updates sent to the EBGP CE neighbor
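The SOO mechanism of slides 22 to 25 as an added Python model, not Cisco code: the inbound route map (or ip vrf sitemap) stamps routes from a site with that site's SOO, and the outbound route map toward the same site denies anything carrying it, which is what stops a route from being re-advertised into the multihomed site it came from once the AS path check has been relaxed. AS 65115 is from the slides; the SOO values 65115:100 and 65115:200, the prefixes and the "rt" community are constructed.

```python
"""Site-of-origin (SOO) tagging and filtering for a multihomed site."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Route:
    prefix: str
    as_path: List[int]
    extcommunities: Set[str] = field(default_factory=set)

    @property
    def soo(self) -> Optional[str]:
        # The SOO extended community is modelled as the string 'soo <asn>:<nn>'
        for c in self.extcommunities:
            if c.startswith("soo "):
                return c[4:]
        return None


def inbound_set_soo(route: Route, site_soo: str) -> Route:
    """'set extcommunity soo' in the inbound route map (slide 23), or the
    'ip vrf sitemap' route map on a VRF interface (slide 24).
    The set replaces an existing SOO; other extended communities stay."""
    keep = {c for c in route.extcommunities if not c.startswith("soo ")}
    return Route(route.prefix, route.as_path, keep | {f"soo {site_soo}"})


def outbound_permits(route: Route, site_soo: str) -> bool:
    """Outbound route map of slide 25: the 'deny' entry matches the
    extcommunity-list holding this site's SOO, 'permit 9999' passes the rest."""
    return route.soo != site_soo


def multihomed_site(site_soo: str, other_soo: str) -> Dict[str, bool]:
    """Site attached to PE-1 and PE-2. PE-1 learns 10.1.0.0/16 from the site's
    CE and tags it; MP-BGP carries it to PE-2, whose outbound map toward the
    same site must drop it. A route from another site (other_soo) must pass.
    Returns prefix -> whether PE-2 advertises it to the site's CE."""
    from_this_site = inbound_set_soo(Route("10.1.0.0/16", [65213]), site_soo)
    from_other_site = inbound_set_soo(Route("10.2.0.0/16", [65213]), other_soo)
    return {r.prefix: outbound_permits(r, site_soo)
            for r in (from_this_site, from_other_site)}
```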

  26. Summary
  • Use the address-family ipv4 vrf vrf-name command in the BGP routing process to configure a per-VRF BGP routing context.
  • SPs offering MPLS VPN services are at risk of denial-of-service attacks. Limiting VRF tables is one method to prevent such attacks.
  • Use the neighbor maximum-prefix command to limit the number of prefixes received from a BGP neighbor.
  • Use the maximum routes command to limit the total number of VRF routes.

  27. Summary (Cont.)
  • BGP loop detection prevents customers from reusing their AS number. The neighbor ip-address as-override command prevents this issue by replacing the customer AS number with the ISP AS number.
  • By default, a customer site cannot link two VPN sites of the same AS number because of BGP loop detection. The neighbor allowas-in number command disables the BGP AS path check and permits routing updates.
  • The SOO extended BGP community is used as a loop prevention mechanism for multihomed customer sites.
