All posts by Amolak

About Amolak

Network Consultant

RIPng for IPv6 Routing

RIPng (Routing Information Protocol Next Generation), defined in RFC 2080, is an extension of RIPv2 that supports IPv6. RIP is a distance vector routing protocol.

We will not go into detail on how RIP and the distance vector algorithm work; instead we will demonstrate how RIPng is configured for IPv6 routing.

RIPng Messaging

There are two basic RIPng message types, RIP Request and RIP Response, which are exchanged using the User Datagram Protocol (UDP) port number 521.

RIP Request messages are sent to UDP destination port 521. They may have a source port of 521 or may use an ephemeral port number.

RIP Response messages sent in reply to a RIP Request are sent with a source port of 521 and a destination port equal to whatever source port the RIP Request used.

Unsolicited RIP Response messages (sent on a routine basis and not in response to a request) are sent with both the source and destination ports set to 521.
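
The packet format and port rules above can be exercised with a small parser. The following Python is an added example written for this page (it is not part of the original post or of any vendor code): it builds and decodes RFC 2080 messages (a 4-byte header of command, version and a must-be-zero field, followed by 20-byte route table entries of IPv6 prefix, route tag, prefix length and metric), rejects malformed datagrams, and applies the port rules from the text plus RFC 2080's requirement that an accepted Response come from a link-local source. The sample routes and addresses are constructed.

```python
import ipaddress
import struct

RIPNG_PORT = 521           # RFC 2080: RIPng runs over UDP port 521
RIPNG_VERSION = 1
CMD_REQUEST, CMD_RESPONSE = 1, 2
METRIC_INFINITY = 16       # 16 means "unreachable"
NEXT_HOP_METRIC = 0xFF     # an RTE with this metric carries a next-hop address, not a route

HEADER = struct.Struct("!BBH")    # command, version, must-be-zero
RTE = struct.Struct("!16sHBB")    # IPv6 prefix, route tag, prefix length, metric


def build_message(command, routes):
    """Serialise a RIPng message from (prefix, route_tag, metric) tuples."""
    body = b""
    for prefix, tag, metric in routes:
        net = ipaddress.IPv6Network(prefix)
        body += RTE.pack(net.network_address.packed, tag, net.prefixlen, metric)
    return HEADER.pack(command, RIPNG_VERSION, 0) + body


def parse_message(data):
    """Decode a RIPng UDP payload; raise ValueError on anything malformed."""
    if len(data) < HEADER.size or (len(data) - HEADER.size) % RTE.size:
        raise ValueError("length is not header + n * 20 bytes")
    command, version, zero = HEADER.unpack_from(data)
    if version != RIPNG_VERSION or zero != 0:
        raise ValueError("unsupported version or non-zero reserved field")
    if command not in (CMD_REQUEST, CMD_RESPONSE):
        raise ValueError("unknown command %d" % command)
    entries = []
    for off in range(HEADER.size, len(data), RTE.size):
        raw, tag, plen, metric = RTE.unpack_from(data, off)
        if metric == NEXT_HOP_METRIC:
            # RFC 2080 next-hop RTE: applies to the RTEs that follow it
            entries.append(("next-hop", ipaddress.IPv6Address(raw)))
            continue
        if plen > 128 or not 1 <= metric <= METRIC_INFINITY:
            raise ValueError("invalid RTE at offset %d" % off)
        net = ipaddress.IPv6Network((raw, plen), strict=False)
        entries.append(("route", net, tag, metric))
    return command, entries


def is_well_formed(data):
    try:
        parse_message(data)
        return True
    except ValueError:
        return False


def classify(command, src_addr, src_port, dst_port):
    """Port rules from the text, plus RFC 2080 s2.4.2's link-local source
    check for Responses. Returns a label, or None if the datagram is to be
    ignored."""
    if command == CMD_REQUEST:
        # Requests go to port 521; the source may be 521 or an ephemeral port
        return "request" if dst_port == RIPNG_PORT else None
    if src_port != RIPNG_PORT:
        return None                      # every Response is sourced from 521
    if not ipaddress.IPv6Address(src_addr).is_link_local:
        return None                      # Responses must come from a neighbour
    return "unsolicited-response" if dst_port == RIPNG_PORT else "solicited-response"


if __name__ == "__main__":
    # A "send me your whole table" Request: one RTE of ::/0 with metric 16
    req = build_message(CMD_REQUEST, [("::/0", 0, METRIC_INFINITY)])
    print(req.hex())
    resp = build_message(CMD_RESPONSE, [("2001::2/128", 0, 3), ("2001:1:2:23::/64", 0, 2)])
    print(parse_message(resp))
```

`classify` is the check a receiver (or a monitoring probe watching port 521) would apply before trusting an update: a Response that does not come from port 521 and a link-local address is dropped rather than installed.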

Here is the network topology for our discussion:

[Figure: ripng network topology diagram]

We will discuss following topics:

  1. RIPng configuration
  2. RIPng Route Metric Manipulation
  3. RIPng Route Aggregation/Summarization
  4. RIPng Default Route
  5. RIPng Route Filter

RIPng Configuration

R1

!! Enable IPv6 Routing globally !!
ipv6 unicast-routing
!
!! Enable RIPng at interface level !!
!! ipv6 rip [pid] enable, RIPV6 is a process ID used here !!
!
interface Loopback0
 ipv6 address 2001::1/128
 ipv6 rip RIPV6 enable
!
interface GigabitEthernet0/0
 ipv6 address 2001:1:2:14::1/64
 ipv6 rip RIPV6 enable
!
interface FastEthernet1/0
 ipv6 address 2001:1:2:13::1/64
 ipv6 rip RIPV6 enable

R4

ipv6 unicast-routing
!
interface Loopback0
 ipv6 address 2001::4/128
 ipv6 rip RIPV6 enable
!
interface GigabitEthernet0/0
 ipv6 address 2001:1:2:14::4/64
 ipv6 rip RIPV6 enable
!
interface GigabitEthernet1/0
 ipv6 address 2001:1:2:34::4/64
 ipv6 rip RIPV6 enable


R3

ipv6 unicast-routing
!
interface Loopback0
 ipv6 address 2001::3/128
 ipv6 rip RIPV6 enable
!
interface GigabitEthernet0/0
 ipv6 address 2001:1:2:34::3/64
 ipv6 rip RIPV6 enable
!
interface FastEthernet1/0
 ipv6 address 2001:1:2:13::3/64
 ipv6 rip RIPV6 enable
!
interface FastEthernet1/1
 ipv6 address 2001:1:2:23::3/64
 ipv6 rip RIPV6 enable
!
 
R2

ipv6 unicast-routing
!
interface Loopback0
 ipv6 address 2001::2/128
 ipv6 rip RIPV6 enable
!
interface FastEthernet0/0
 ipv6 address 2001:1:2:23::2/64
 ipv6 rip RIPV6 enable

Verification & Testing:

R1#sh ipv6 protocols
IPv6 Routing Protocol is "connected"
IPv6 Routing Protocol is "ND"
IPv6 Routing Protocol is "rip RIPV6"
  Interfaces:
    FastEthernet1/0
    GigabitEthernet0/0
    Loopback0
  Redistribution:
    None

R1#show ipv6 rip
RIP process "RIPV6", port 521, multicast-group FF02::9, pid 276
     Administrative distance is 120. Maximum paths is 16
     Updates every 30 seconds, expire after 180
     Holddown lasts 0 seconds, garbage collect after 120
     Split horizon is on; poison reverse is off
     Default routes are not generated
     Periodic updates 45, trigger updates 3
     Full Advertisement 1, Delayed Events 0
  Interfaces:
    FastEthernet1/0
    GigabitEthernet0/0
    Loopback0
  Redistribution:
    None

R1#show ipv6 route rip
IPv6 Routing Table - default - 11 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
       NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
       OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
R   2001::2/128 [120/3]
     via FE80::C803:21FF:FE78:1C, FastEthernet1/0
R   2001::3/128 [120/2]
     via FE80::C803:21FF:FE78:1C, FastEthernet1/0
R   2001::4/128 [120/2]
     via FE80::C802:21FF:FE78:8, GigabitEthernet0/0
R   2001:1:2:23::/64 [120/2]
     via FE80::C803:21FF:FE78:1C, FastEthernet1/0
R   2001:1:2:34::/64 [120/2]
     via FE80::C802:21FF:FE78:8, GigabitEthernet0/0
     via FE80::C803:21FF:FE78:1C, FastEthernet1/0

!! Routing for Loopback interface of R2 !!
R1#show ipv6 route 2001::2
Routing entry for 2001::2/128
  Known via "rip RIPV6", distance 120, metric 3
  Route count is 1/1, share count 0
  Routing paths:
    FE80::C803:21FF:FE78:1C, FastEthernet1/0
      Last updated 00:23:15 ago
!! The routing entry is known via RIP process RIPV6, the administrative distance is 120 and the metric (hop count) is 3. The next hop is the link-local address (FE80::C803:21FF:FE78:1C) of the neighbor router's interface, which is reached via FastEthernet1/0. !!

R3#sh ipv6 int f1/0
FastEthernet1/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C803:21FF:FE78:1C

R1#ping 2001::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/82/136 ms

R1#traceroute 2001::2
Type escape sequence to abort.
Tracing the route to 2001::2

  1 2001:1:2:13::3 32 msec 56 msec 24 msec
  2 2001:1:2:23::2 60 msec 64 msec 84 msec

Similar tests can be run on the other routers to verify IPv6 routing.

R4#sh ipv6 route rip
IPv6 Routing Table - default - 11 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
       NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
       OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
R   2001::1/128 [120/2]
     via FE80::C800:27FF:FE54:8, GigabitEthernet0/0
R   2001::2/128 [120/3]
     via FE80::C803:21FF:FE78:8, GigabitEthernet1/0
R   2001::3/128 [120/2]
     via FE80::C803:21FF:FE78:8, GigabitEthernet1/0
R   2001:1:2:13::/64 [120/2]
     via FE80::C803:21FF:FE78:8, GigabitEthernet1/0
     via FE80::C800:27FF:FE54:8, GigabitEthernet0/0
R   2001:1:2:23::/64 [120/2]
     via FE80::C803:21FF:FE78:8, GigabitEthernet1/0

R3#show ipv6 route rip
IPv6 Routing Table - default - 12 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
       NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
       OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
R   2001::1/128 [120/2]
     via FE80::C800:27FF:FE54:1C, FastEthernet1/0
R   2001::2/128 [120/2]
     via FE80::C801:27FF:FE54:8, FastEthernet1/1
R   2001::4/128 [120/2]
     via FE80::C802:21FF:FE78:1C, GigabitEthernet0/0
R   2001:1:2:14::/64 [120/2]
     via FE80::C802:21FF:FE78:1C, GigabitEthernet0/0
     via FE80::C800:27FF:FE54:1C, FastEthernet1/0


R2#show ipv6 route rip
IPv6 Routing Table - default - 10 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
       NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
       OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
R   2001::1/128 [120/3]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001::3/128 [120/2]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001::4/128 [120/3]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001:1:2:13::/64 [120/2]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001:1:2:14::/64 [120/3]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001:1:2:34::/64 [120/2]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0

R2#ping 2001::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/80/120 ms
R2#ping 2001::3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/41/56 ms
R2#ping 2001::4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/58/80 ms

RIPng Route Metric Manipulation

As we can see in the output above, traffic from R1 to R3 and R2 goes via R3, which offers the lowest metric (hop count). We want it to go via R4 instead (i.e. R1 -> R4 -> R3 -> R2). We can do this by increasing the metric of routes learned over the link between R1 and R3. This feature is called metric-offset.

Routing before metric-offset

R1#show ipv6 route rip
<snip>
R   2001::2/128 [120/3]
     via FE80::C803:21FF:FE78:1C, FastEthernet1/0
R   2001::3/128 [120/2]
     via FE80::C803:21FF:FE78:1C, FastEthernet1/0
R   2001::4/128 [120/2]
     via FE80::C802:21FF:FE78:8, GigabitEthernet0/0
R   2001:1:2:23::/64 [120/2]
     via FE80::C803:21FF:FE78:1C, FastEthernet1/0
R   2001:1:2:34::/64 [120/2]
     via FE80::C802:21FF:FE78:8, GigabitEthernet0/0
     via FE80::C803:21FF:FE78:1C, FastEthernet1/0

R3#show ipv6 route rip
<snip>
R   2001::1/128 [120/2]
     via FE80::C800:27FF:FE54:1C, FastEthernet1/0
R   2001::2/128 [120/2]
     via FE80::C801:27FF:FE54:8, FastEthernet1/1
R   2001::4/128 [120/2]
     via FE80::C802:21FF:FE78:1C, GigabitEthernet0/0
R   2001:1:2:14::/64 [120/2]
     via FE80::C802:21FF:FE78:1C, GigabitEthernet0/0
     via FE80::C800:27FF:FE54:1C, FastEthernet1/0

Metric-offset configuration

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface FastEthernet1/0
R1(config-if)# ipv6 rip RIPV6 metric-offset 3
R1(config-if)#end

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#interface FastEthernet1/0
R3(config-if)#ipv6 rip RIPV6 metric-offset 3
R3(config-if)#end

Routing after metric-offset

!! The metric of every route learned via Fa1/0 has been incremented by 3, so the routes via Gig0/0 now have the lowest metric and are the best paths in the routing table. !!

R1#show ipv6 route rip
<snip>
R   2001::2/128 [120/4]
     via FE80::C802:21FF:FE78:8, GigabitEthernet0/0
R   2001::3/128 [120/3]
     via FE80::C802:21FF:FE78:8, GigabitEthernet0/0
R   2001::4/128 [120/2]
     via FE80::C802:21FF:FE78:8, GigabitEthernet0/0
R   2001:1:2:23::/64 [120/3]
     via FE80::C802:21FF:FE78:8, GigabitEthernet0/0
R   2001:1:2:34::/64 [120/2]
     via FE80::C802:21FF:FE78:8, GigabitEthernet0/0

R1#ping 2001::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/60/80 ms

R1#traceroute 2001::2
Type escape sequence to abort.
Tracing the route to 2001::2

  1 2001:1:2:14::4 28 msec 36 msec 28 msec  <<<< R4
  2 2001:1:2:34::3 16 msec 76 msec 32 msec  <<<< R3
  3 2001:1:2:23::2 76 msec 68 msec 60 msec  <<<< R2


R3#show ipv6 route rip
<snip>
R   2001::1/128 [120/3]
     via FE80::C802:21FF:FE78:1C, GigabitEthernet0/0
R   2001::2/128 [120/2]
     via FE80::C801:27FF:FE54:8, FastEthernet1/1
R   2001::4/128 [120/2]
     via FE80::C802:21FF:FE78:1C, GigabitEthernet0/0
R   2001:1:2:14::/64 [120/2]
     via FE80::C802:21FF:FE78:1C, GigabitEthernet0/0

R3#ping 2001::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/25/32 ms

R3#traceroute 2001::1
Type escape sequence to abort.
Tracing the route to 2001::1

  1 2001:1:2:34::4 24 msec 36 msec 16 msec  <<<< R4
  2 2001:1:2:14::1 60 msec 16 msec 28 msec  <<<< R1

RIPng Route Aggregation/Summarization

We want to aggregate the following routes on R3, which are received from R4 and R1, and advertise a single summary route to R2.

2001:1:2:34::/64
2001:1:2:14::/64
2001:1:2:13::/64

Summary route – these three routes share their first 48 bits (2001:1:2), so we can aggregate them as follows:

2001:1:2::/48

R2 routing table before route aggregation on R3

R2#show ipv6 route rip
<snip>
R   2001::1/128 [120/4]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001::3/128 [120/2]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001::4/128 [120/3]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001:1:2:13::/64 [120/2]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001:1:2:14::/64 [120/3]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001:1:2:34::/64 [120/2]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0

Route aggregation configuration on R3

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#interface FastEthernet1/1
R3(config-if)#ipv6 rip RIPV6 summary-address 2001:1:2::/48
R3(config-if)#end


R2 routing table after route aggregation on R3

R2#show ipv6 route rip
<snip>
R   2001::1/128 [120/4]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001::3/128 [120/2]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001::4/128 [120/3]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001:1:2::/48 [120/2]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0

RIPng Default Route

We want to advertise a default route to R2 from R3 so that R2 can send traffic for any unknown prefix to R3.

R2 Before default route configuration

R2#show ipv6 route ::/0
% Route not found

Default-route configuration on R3

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#interface FastEthernet1/1
R3(config-if)#ipv6 rip RIPV6 default-information originate
R3(config-if)#end

R2 after default route configuration

R2#show ipv6 route ::/0
Routing entry for ::/0
  Known via "rip RIPV6", distance 120, metric 2
  Route count is 1/1, share count 0
  Routing paths:
    FE80::C803:21FF:FE78:1D, FastEthernet0/0
      Last updated 00:02:11 ago

RIPng Route Filter

RIPng uses IPv6 prefix-lists to filter routing updates. You apply prefix-lists either inbound or outbound under the RIPng process configuration mode. You may choose to associate an interface with the distribute-list, or apply it to all interfaces simultaneously by not specifying an interface.

Let’s say we want R2 to filter R4’s Loopback0 IPv6 prefix from entering the local routing table.

R2 routing table before applying route filter

R2#show ipv6 route rip
<snip>
R   ::/0 [120/2]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001::1/128 [120/4]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001::3/128 [120/2]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001::4/128 [120/3]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001:1:2::/48 [120/2]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0

Configuration

!! Configure an ipv6 prefix-list that denies 2001::4/128 (R4's Loopback IP) and permits everything else. This prefix-list is applied under the RIPng process in the inbound direction. !!

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ipv6 prefix-list FILTER deny  2001::4/128
R2(config)#ipv6 prefix-list FILTER permit ::/0 le 128
R2(config)#ipv6 router rip RIPV6
R2(config-rtr)# distribute-list prefix-list FILTER in
R2(config-rtr)#end

R2#show ipv6 route rip
<snip>
R   ::/0 [120/2]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001::1/128 [120/4]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001::3/128 [120/2]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0
R   2001:1:2::/48 [120/2]
     via FE80::C803:21FF:FE78:1D, FastEthernet0/0

After applying the route filter, the routing entry for R4's Loopback IP is gone, but all other routes are still present in the routing table.

R2#ping 2001::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/65/84 ms

 

 

MPLS L3VPN Inter-AS VPN Option A

If two sites of an MPLS L3VPN are connected to different Autonomous Systems (e.g., because the sites are connected to different SPs), the PE routers attached to that VPN will not be able to maintain IBGP connections with each other, or with a common route reflector. Instead, there needs to be some way to use EBGP to distribute VPN-IPv4 addresses.

There are a number of different ways of handling this case; let's discuss the first option, which is called option A or back-to-back VRF exchange.

In this procedure, a PE router in one AS attaches directly to a PE router in another.  The two PE routers will be attached by multiple sub-interfaces, at least one for each of the VPNs whose routes need to be passed from AS to AS.  Each PE will treat the other as if it were a CE router.  That is, the PEs associate each such sub-interface with a VRF, and use EBGP (or any PE/CE IGP) to distribute unlabeled IPv4 addresses to each other.

We will use the following network topology to discuss this feature.

[Figure: mpls-interas-optA network topology diagram]

PE-CE Configuration with ISP-1

R7 (CE Router) - Customer A Site 1

## EIGRP is the PE-CE routing protocol used for this customer ##

interface FastEthernet0/0
 ip address 192.168.47.7 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.7.7 255.255.255.0
!
router eigrp 100
 network 192.168.0.0 0.0.255.255

R8 (CE Router) - Customer B Site 1

## OSPF is the PE-CE routing protocol used for this customer ##

interface FastEthernet0/0
 ip address 172.16.48.8 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 172.16.8.8 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
router ospf 1
 router-id 172.16.8.8

R4 (PE Router) - ISP 1

vrf definition Cust-A
 rd 100:1
 !
 address-family ipv4
  route-target export 100:1
  route-target import 100:1
 exit-address-family
!
vrf definition Cust-B
 rd 100:2
 !        
 address-family ipv4
  route-target export 100:2
  route-target import 100:2
 exit-address-family
!
interface Loopback0
 ip address 1.1.0.4 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 1.1.34.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 vrf forwarding Cust-A
 ip address 192.168.47.4 255.255.255.0
!
interface FastEthernet1/1
 vrf forwarding Cust-B
 ip address 172.16.48.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf 100 area 0
!
router eigrp 1
 !
 address-family ipv4 vrf Cust-A autonomous-system 100
  default-metric 10000 100 255 1 1500
  redistribute bgp 100
  network 192.168.47.0
 exit-address-family
!
router ospf 100 vrf Cust-B
 router-id 172.16.48.4
 redistribute bgp 100 subnets
!
router ospf 1
 router-id 1.1.0.4
!
router bgp 100
 bgp router-id 1.1.0.4
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 1.1.0.1 remote-as 100
 neighbor 1.1.0.1 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 1.1.0.1 activate
  neighbor 1.1.0.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf Cust-A
  redistribute connected
  redistribute eigrp 100
 exit-address-family
 !
 address-family ipv4 vrf Cust-B
  redistribute connected
  redistribute ospf 100 match internal external 1 external 2
 exit-address-family

R3 (P Router) - ISP 1

interface Loopback0
 ip address 1.1.0.3 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 1.1.13.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 ip address 1.1.34.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip  
!
router ospf 1
 router-id 1.1.0.3

R1 (PE Router) - ISP 1 - ASBR connected to ISP 2

vrf definition Cust-A
 rd 100:1
 !
 address-family ipv4
  route-target export 100:1
  route-target import 100:1
 exit-address-family
!
vrf definition Cust-B
 rd 100:2
 !        
 address-family ipv4
  route-target export 100:2
  route-target import 100:2
 exit-address-family
!
interface Loopback0
 ip address 1.1.0.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 1.1.13.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 speed 100
 duplex full
 mpls ip
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.1
 encapsulation dot1Q 12
 vrf forwarding Cust-A
 ip address 12.12.12.1 255.255.255.0
!
interface FastEthernet0/1.2
 encapsulation dot1Q 21
 vrf forwarding Cust-B
 ip address 21.21.21.1 255.255.255.0
!   
router ospf 1
 router-id 1.1.0.1
!
router bgp 100
 bgp router-id 1.1.0.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 1.1.0.4 remote-as 100
 neighbor 1.1.0.4 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 1.1.0.4 activate
  neighbor 1.1.0.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf Cust-A
  neighbor 12.12.12.2 remote-as 200
  neighbor 12.12.12.2 activate
 exit-address-family
 !
 address-family ipv4 vrf Cust-B
  neighbor 21.21.21.2 remote-as 200
  neighbor 21.21.21.2 activate
 exit-address-family
!

PE-CE Configuration with ISP-2

The ASBR routers in ISP1 and ISP2 each see the other as a CE router and treat themselves as the PE router. The RD (Route Distinguisher) value for each customer does not have to match across the two ISP networks; here, the two ISPs use different RDs.

We have used BGP as the PE-CE routing protocol between the ASBRs here. Any IGP can be used as well.

R2 (PE Router) - ISP 2 - ASBR connected to ISP 1

vrf definition Cust-A
 rd 200:1
 !
 address-family ipv4
  route-target export 200:1
  route-target import 200:1
 exit-address-family
!
vrf definition Cust-B
 rd 200:2
 !        
 address-family ipv4
  route-target export 200:2
  route-target import 200:2
 exit-address-family
!
interface Loopback0
 ip address 2.2.0.2 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 2.2.25.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.1
 encapsulation dot1Q 12
 vrf forwarding Cust-A
 ip address 12.12.12.2 255.255.255.0
!
interface FastEthernet0/1.2
 encapsulation dot1Q 21
 vrf forwarding Cust-B
 ip address 21.21.21.2 255.255.255.0
!
router ospf 1
 router-id 2.2.0.2
!
router bgp 200
 bgp router-id 2.2.0.2
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 2.2.0.6 remote-as 200
 neighbor 2.2.0.6 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 2.2.0.6 activate
  neighbor 2.2.0.6 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf Cust-A
  neighbor 12.12.12.1 remote-as 100
  neighbor 12.12.12.1 activate
 exit-address-family
 !
 address-family ipv4 vrf Cust-B
  neighbor 21.21.21.1 remote-as 100
  neighbor 21.21.21.1 activate
 exit-address-family


R5 (P Router) - ISP 2

interface Loopback0
 ip address 2.2.0.5 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 2.2.25.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 ip address 2.2.56.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip  
!
router ospf 1
 router-id 2.2.0.5

R6 (PE Router) - ISP 2

vrf definition Cust-A
 rd 200:1
 !
 address-family ipv4
  route-target export 200:1
  route-target import 200:1
 exit-address-family
!
vrf definition Cust-B
 rd 200:2
 !        
 address-family ipv4
  route-target export 200:2
  route-target import 200:2
 exit-address-family
!
interface Loopback0
 ip address 2.2.0.6 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/1
 ip address 2.2.56.6 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 vrf forwarding Cust-A
 ip address 192.168.69.6 255.255.255.0
!
interface FastEthernet1/1
 vrf forwarding Cust-B
 ip address 172.16.106.6 255.255.255.0
 ip ospf network point-to-point
 ip ospf 200 area 0
!
!
router eigrp 1
 !
 address-family ipv4 vrf Cust-A autonomous-system 100
  default-metric 10000 100 255 1 1500
  redistribute bgp 200
  network 192.168.69.0
 exit-address-family
!
router ospf 200 vrf Cust-B
 router-id 172.16.106.6
 redistribute bgp 200 subnets
!
router ospf 1
 router-id 2.2.0.6
!
router bgp 200
 bgp router-id 2.2.0.6
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 2.2.0.2 remote-as 200
 neighbor 2.2.0.2 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 2.2.0.2 activate
  neighbor 2.2.0.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf Cust-A
  redistribute connected
  redistribute eigrp 100
 exit-address-family
 !
 address-family ipv4 vrf Cust-B
  redistribute connected
  redistribute ospf 200 match internal external 1 external 2
 exit-address-family


R9 (CE Router) - Customer A Site 2

## EIGRP is the PE-CE routing protocol used for this customer ##

interface FastEthernet0/0
 ip address 192.168.69.9 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.9.9 255.255.255.0
!
router eigrp 100
 network 192.168.0.0 0.0.255.255

R10 (CE Router) - Customer B Site 2

## OSPF is the PE-CE routing protocol used for this customer ##

interface FastEthernet0/0
 ip address 172.16.106.10 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 172.16.10.10 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
router ospf 1
 router-id 172.16.10.10

Verification & Testing

R7#sh ip route | beg Gateway
Gateway of last resort is not set

      192.168.7.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.7.0/24 is directly connected, FastEthernet0/1
L        192.168.7.7/32 is directly connected, FastEthernet0/1
D EX  192.168.9.0/24 [170/284160] via 192.168.47.4, 01:04:34, FastEthernet0/0
      192.168.47.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.47.0/24 is directly connected, FastEthernet0/0
L        192.168.47.7/32 is directly connected, FastEthernet0/0
D EX  192.168.69.0/24 [170/284160] via 192.168.47.4, 01:04:34, FastEthernet0/0

Ping Customer-A Site 2 network

R7#ping 192.168.9.9 source 192.168.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.9.9, timeout is 2 seconds:
Packet sent with a source address of 192.168.7.7 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 152/160/172 ms

Traceroute Customer-A Site 2 network

R7#traceroute 192.168.9.9 source 192.168.7.7
Type escape sequence to abort.
Tracing the route to 192.168.9.9
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.47.4 28 msec 36 msec 36 msec
  2 1.1.34.3 [MPLS: Labels 302/104 Exp 0] 88 msec 100 msec 88 msec
  3 12.12.12.1 [MPLS: Label 104 Exp 0] 64 msec 92 msec 60 msec
  4 12.12.12.2 116 msec 120 msec 92 msec
  5 2.2.25.5 [MPLS: Labels 501/604 Exp 0] 176 msec 168 msec 152 msec
  6 192.168.69.6 [MPLS: Label 604 Exp 0] 128 msec 140 msec 140 msec
  7 192.168.69.9 176 msec *  156 msec

We can see from the above output that two different LSPs (Label Switched Paths) are being used to provide end-to-end reachability.
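
The label stacks in that traceroute can be parsed to recover the two LSPs mechanically, which is handy when checking a larger inter-AS deployment than this lab. This is an added Python example, not part of the original post; its input is the R7 traceroute output shown above, and the grouping rule it applies (consecutive labelled hops that share the same bottom-of-stack label belong to one LSP, since the VPN label is constant along an LSP while the transport label changes hop by hop) is an assumption stated here rather than anything the post claims.

```python
import re

# Hop lines from the R7 traceroute above (Customer A, site 1 to site 2).
TRACE = """\
  1 192.168.47.4 28 msec 36 msec 36 msec
  2 1.1.34.3 [MPLS: Labels 302/104 Exp 0] 88 msec 100 msec 88 msec
  3 12.12.12.1 [MPLS: Label 104 Exp 0] 64 msec 92 msec 60 msec
  4 12.12.12.2 116 msec 120 msec 92 msec
  5 2.2.25.5 [MPLS: Labels 501/604 Exp 0] 176 msec 168 msec 152 msec
  6 192.168.69.6 [MPLS: Label 604 Exp 0] 128 msec 140 msec 140 msec
  7 192.168.69.9 176 msec *  156 msec
"""

# hop number, hop address, optional "[MPLS: Label(s) a/b Exp n]" block
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\[MPLS: Labels? ([\d/]+) Exp (\d+)\])?")


def parse_hops(text):
    """Return [(hop, address, [labels top..bottom])]; non-hop lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        labels = [int(x) for x in m.group(3).split("/")] if m.group(3) else []
        hops.append((int(m.group(1)), m.group(2), labels))
    return hops


def lsp_segments(hops):
    """Group consecutive labelled hops by bottom-of-stack (VPN) label.
    Returns [(first_hop, last_hop, vpn_label)]."""
    segments = []
    for hop, _, labels in hops:
        if not labels:
            continue
        vpn = labels[-1]
        if segments and segments[-1][2] == vpn and segments[-1][1] == hop - 1:
            segments[-1][1] = hop
        else:
            segments.append([hop, hop, vpn])
    return [tuple(s) for s in segments]


def unlabelled_hops(hops):
    """Hops forwarded as plain IP: the CE-facing and the inter-AS (option A) hand-offs."""
    return [hop for hop, _, labels in hops if not labels]


if __name__ == "__main__":
    hops = parse_hops(TRACE)
    for first, last, vpn in lsp_segments(hops):
        print("LSP hops %d-%d, VPN label %d" % (first, last, vpn))
    print("unlabelled hops:", unlabelled_hops(hops))
```

On this trace the output is two segments (hops 2-3 with VPN label 104, hops 5-6 with VPN label 604) and unlabelled hops 1, 4 and 7; hop 4 is the option A hand-off between the two ASBRs, where the packet crosses the AS boundary as ordinary IPv4.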

LSP-1: From R4 to R1 using VPN Label 104

R4#sh bgp vpnv4 unicast vrf Cust-A 192.168.9.0
BGP routing table entry for 100:1:192.168.9.0/24, version 10
Paths: (1 available, best #1, table Cust-A)
  Not advertised to any peer
  Refresh Epoch 1
  200
    1.1.0.1 (metric 3) from 1.1.0.1 (1.1.0.1)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:100:1
      mpls labels in/out nolabel/104
      rx pathid: 0, tx pathid: 0x0

The traffic between R1 and R2 is normal, unlabeled IPv4 traffic:

R1#sh bgp vpnv4 unicast vrf Cust-A 192.168.9.0
BGP routing table entry for 100:1:192.168.9.0/24, version 10
Paths: (1 available, best #1, table Cust-A)
  Advertised to update-groups:
     3         
  Refresh Epoch 1
  200
    12.12.12.2 from 12.12.12.2 (2.2.0.2)
      Origin incomplete, localpref 100, valid, external, best
      Extended Community: RT:100:1
      mpls labels in/out 104/nolabel
      rx pathid: 0, tx pathid: 0x0

LSP-2: From R2 to R6 using VPN label 604

R2#sh bgp vpnv4 unicast vrf Cust-A 192.168.9.0
BGP routing table entry for 200:1:192.168.9.0/24, version 10
Paths: (1 available, best #1, table Cust-A)
  Advertised to update-groups:
     1         
  Refresh Epoch 1
  Local
    2.2.0.6 (metric 3) from 2.2.0.6 (2.2.0.6)
      Origin incomplete, metric 30720, localpref 100, valid, internal, best
      Extended Community: RT:200:1 Cost:pre-bestpath:128:30720 0x8800:32768:0 
        0x8801:100:5120 0x8802:65281:25600 0x8803:65281:1500 
        0x8806:0:3232253193
      mpls labels in/out nolabel/604
      rx pathid: 0, tx pathid: 0x0

Finally, unlabelled traffic from the ISP 2 PE router (R6) to the CE router (R9):

R6#sh bgp vpnv4 unicast vrf Cust-A 192.168.9.0
BGP routing table entry for 200:1:192.168.9.0/24, version 3
Paths: (1 available, best #1, table Cust-A)
  Advertised to update-groups:
     1         
  Refresh Epoch 1
  Local
    192.168.69.9 from 0.0.0.0 (2.2.0.6)
      Origin incomplete, metric 30720, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:200:1 Cost:pre-bestpath:128:30720 0x8800:32768:0 
        0x8801:100:5120 0x8802:65281:25600 0x8803:65281:1500 
        0x8806:0:3232253193
      mpls labels in/out 604/nolabel
      rx pathid: 0, tx pathid: 0x0

Similarly, end-to-end reachability can be verified for the Customer B sites.

R8#sh ip route | beg Gateway 
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C        172.16.8.0/24 is directly connected, FastEthernet0/1
L        172.16.8.8/32 is directly connected, FastEthernet0/1
O E2     172.16.10.0/24 [110/1] via 172.16.48.4, 01:33:51, FastEthernet0/0
C        172.16.48.0/24 is directly connected, FastEthernet0/0
L        172.16.48.8/32 is directly connected, FastEthernet0/0
O E2     172.16.106.0/24 [110/1] via 172.16.48.4, 01:33:51, FastEthernet0/0

R8#ping 172.16.10.10 source 172.16.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.10, timeout is 2 seconds:
Packet sent with a source address of 172.16.8.8 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 220/236/248 ms
R8#trace 172.16.10.10 source 172.16.8.8
Type escape sequence to abort.
Tracing the route to 172.16.10.10
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.48.4 32 msec 52 msec 64 msec
  2 1.1.34.3 [MPLS: Labels 302/106 Exp 0] 140 msec 140 msec 136 msec
  3 21.21.21.1 [MPLS: Label 106 Exp 0] 84 msec 104 msec 116 msec
  4 21.21.21.2 136 msec 152 msec 132 msec
  5 2.2.25.5 [MPLS: Labels 501/606 Exp 0] 248 msec 224 msec 232 msec
  6 172.16.106.6 [MPLS: Label 606 Exp 0] 208 msec 196 msec 192 msec
  7 172.16.106.10 236 msec *  240 msec


R4#sh bgp vpnv4 unicast vrf Cust-B 172.16.10.0
BGP routing table entry for 100:2:172.16.10.0/24, version 12
Paths: (1 available, best #1, table Cust-B)
  Not advertised to any peer
  Refresh Epoch 1
  200
    1.1.0.1 (metric 3) from 1.1.0.1 (1.1.0.1)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:100:2
      mpls labels in/out nolabel/106
      rx pathid: 0, tx pathid: 0x0

R1#sh bgp vpnv4 unicast vrf Cust-B 172.16.10.0
BGP routing table entry for 100:2:172.16.10.0/24, version 12
Paths: (1 available, best #1, table Cust-B)
  Advertised to update-groups:
     3         
  Refresh Epoch 1
  200
    21.21.21.2 from 21.21.21.2 (2.2.0.2)
      Origin incomplete, localpref 100, valid, external, best
      Extended Community: RT:100:2
      mpls labels in/out 106/nolabel
      rx pathid: 0, tx pathid: 0x0

R2#sh bgp vpnv4 unicast vrf Cust-B 172.16.10.0
BGP routing table entry for 200:2:172.16.10.0/24, version 12
Paths: (1 available, best #1, table Cust-B)
  Advertised to update-groups:
     2         
  Refresh Epoch 1
  Local
    2.2.0.6 (metric 3) from 2.2.0.6 (2.2.0.6)
      Origin incomplete, metric 2, localpref 100, valid, internal, best
      Extended Community: RT:200:2 OSPF DOMAIN ID:0x0005:0x000000C80200 
        OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:172.16.106.6:0
      mpls labels in/out nolabel/606
      rx pathid: 0, tx pathid: 0x0

R6#sh bgp vpnv4 unicast vrf Cust-B 172.16.10.0
BGP routing table entry for 200:2:172.16.10.0/24, version 7
Paths: (1 available, best #1, table Cust-B)
  Advertised to update-groups:
     1         
  Refresh Epoch 1
  Local
    172.16.106.10 from 0.0.0.0 (2.2.0.6)
      Origin incomplete, metric 2, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:200:2 OSPF DOMAIN ID:0x0005:0x000000C80200 
        OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:172.16.106.6:0
      mpls labels in/out 606/nolabel
      rx pathid: 0, tx pathid: 0x0

The major drawback of this design is scalability: it requires a separate VRF interface for each customer on the ASBR PE routers.

This issue is addressed by MPLS Inter-AS Option B and Option C, which we will discuss later.

VRF Aware IPSEC VPN – Part 2

In part 2 we discuss VRF Aware IPSec VPN when the Internet link is not in the global VRF but belongs to a specific VRF, which is the Front Door VRF (FVRF) in this scenario.

Refer to part 1 of this discussion, http://www.amolak.net/vrf-aware-ipsec-vpn-part-1/, for the terminology used. We will use the same network topology as in part 1.

Configuration:

R1 - PE and VRF Aware IPSec VPN Router

!! -- Create VRF named cust-a for Customer-A --!!
!! -- This is Inside VRF (I-VRF) --!!
vrf definition cust-a
 rd 123:1
 !
 address-family ipv4
  route-target export 123:1
  route-target import 123:1
 exit-address-family
!
!! -- Create VRF named cust-b for Customer-B --!!
!! -- This is Inside VRF (I-VRF) --!!
!
vrf definition cust-b
 rd 123:2
 !
 address-family ipv4
  route-target export 123:2
  route-target import 123:2
 exit-address-family
!
!! -- Create VRF named int-vrf for Internet Link --!!
!! -- This is Front Door VRF (F-VRF) --!!
!
vrf definition int-vrf
 rd 123:123
 !
 address-family ipv4
  route-target export 123:123
  route-target import 123:123
 exit-address-family
!
interface FastEthernet0/1
 vrf forwarding int-vrf
 ip address 1.1.14.1 255.255.255.0
!
!! -- Define ISAKMP Pre-shared key for both VPN Peers --!!
! 
crypto keyring internet-keyring vrf int-vrf 
  pre-shared-key address 1.1.47.7 key vpn1password
  pre-shared-key address 1.1.48.8 key vpn2password
!
!! -- Create ISAKMP Policy --!!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
!! -- Create ISAKMP Profile for both VPNs --!!
!
crypto isakmp profile vpn1
   vrf cust-a
   keyring internet-keyring
   match identity address 1.1.47.7 255.255.255.255 int-vrf
crypto isakmp profile vpn2
   vrf cust-b
   keyring internet-keyring
   match identity address 1.1.48.8 255.255.255.255 int-vrf
!
!
!! -- Create IPSec Transform-set for both VPNs --!!
!
crypto ipsec transform-set vpn1-TS esp-3des esp-sha-hmac 
 mode tunnel
crypto ipsec transform-set vpn2-TS esp-3des esp-sha-hmac 
 mode tunnel
!
!
!! -- Create access-list to define the traffic to pass through --!!
!! -- the VPN tunnel --!!
!! -- access-list 101 is for Customer-1 traffic --!!
!! -- access-list 102 is for Customer-2 traffic --!!
!
access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 102 permit ip 172.16.6.0 0.0.0.255 172.16.8.0 0.0.0.255
!
!! -- Create Crypto MAP for both VPNs --!!
!
crypto map crypmap 1 ipsec-isakmp 
 set peer 1.1.47.7
 set transform-set vpn1-TS 
 set isakmp-profile vpn1
 match address 101
!
crypto map crypmap 2 ipsec-isakmp 
 set peer 1.1.48.8
 set transform-set vpn2-TS 
 set isakmp-profile vpn2
 match address 102
!
!! -- Apply Crypto MAP to Internet facing interface --!!
!
interface FastEthernet0/1
 vrf forwarding int-vrf
 ip address 1.1.14.1 255.255.255.0
 crypto map crypmap
!
!! -- Routing --!!
!! -- We have to import default route from VRF 'int-vrf' --!!
!! -- into Customer VRFs 'cust-a' and 'cust-b'--!!
!! -- Without this route import, neither customer VRF has --!!
!! -- a route to the Internet or to the VPN peers --!!
!
vrf definition cust-a
 address-family ipv4
  route-target import 123:123
 exit-address-family
!
vrf definition cust-b
 address-family ipv4
  route-target import 123:123
 exit-address-family
!
!! -- Static route - VRF 'int-vrf' --!!
ip route vrf int-vrf 0.0.0.0 0.0.0.0 1.1.14.4
!! -- Static route - VRF 'cust-a' --!! 
ip route vrf cust-a 192.168.7.0 255.255.255.0 FastEthernet0/1 1.1.14.4
!! -- Static route - VRF 'cust-b' --!!
ip route vrf cust-b 172.16.8.0 255.255.255.0 FastEthernet0/1 1.1.14.4
!
!
!! -- Redistribute IPSec VPN routes into BGP --!!
!! -- MP-BGP will advertise it to PE-2 Router --!!
!! -- PE-2 Router will advertise those routes to Customers --!!
!
router bgp 123
 bgp router-id 10.1.0.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.1.0.2 remote-as 123
 neighbor 10.1.0.2 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.1.0.2 activate
  neighbor 10.1.0.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf cust-a
  redistribute static
 exit-address-family
 !
 address-family ipv4 vrf cust-b
  redistribute static
 exit-address-family
!
Verification:

R7 (Customer-A Site 1) can ping R5 (Customer-A Site-2) network

R7#ping 192.168.5.5 so 192.168.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.7.7 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/129/140 ms

R8 (Customer-B Site 1) can ping R6 (Customer-B Site-2) network

R8#ping 172.16.6.6 so 172.16.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.6.6, timeout is 2 seconds:
Packet sent with a source address of 172.16.8.8 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/132/144 ms

Verify VPN Status on R1

R1#show crypto session detail 
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection     
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet0/1
Profile: vpn1
Uptime: 00:25:30
Session status: UP-ACTIVE     
Peer: 1.1.47.7 port 500 fvrf: int-vrf ivrf: cust-a
      Phase1_id: 1.1.47.7
      Desc: (none)
  IKEv1 SA: local 1.1.14.1/500 remote 1.1.47.7/500 Active 
          Capabilities:(none) connid:1001 lifetime:23:34:29
  IPSEC FLOW: permit ip 192.168.5.0/255.255.255.0 192.168.7.0/255.255.255.0 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 34 drop 0 life (KB/Sec) 4171386/2069
        Outbound: #pkts enc'ed 34 drop 0 life (KB/Sec) 4171386/2069

Interface: FastEthernet0/1
Profile: vpn2
Uptime: 00:25:07
Session status: UP-ACTIVE     
Peer: 1.1.48.8 port 500 fvrf: int-vrf ivrf: cust-b
      Phase1_id: 1.1.48.8
      Desc: (none)
  IKEv1 SA: local 1.1.14.1/500 remote 1.1.48.8/500 Active 
          Capabilities:(none) connid:1002 lifetime:23:34:52
  IPSEC FLOW: permit ip 172.16.6.0/255.255.255.0 172.16.8.0/255.255.255.0 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 14 drop 0 life (KB/Sec) 4267407/2092
        Outbound: #pkts enc'ed 14 drop 0 life (KB/Sec) 4267407/2092

Here we can see that the Front Door VRF (FVRF) is 'int-vrf' and the Inside VRF (IVRF) is 'cust-a' and 'cust-b' for Customer A and Customer B respectively.
Here is the full configuration of router R1. The configuration of all other devices is unchanged from part 1.

hostname R1
!
vrf definition cust-a
 rd 123:1
 !
 address-family ipv4
  route-target export 123:1
  route-target import 123:1
  route-target import 123:123
 exit-address-family
!
vrf definition cust-b
 rd 123:2
 !
 address-family ipv4
  route-target export 123:2
  route-target import 123:2
  route-target import 123:123
 exit-address-family
!
vrf definition int-vrf
 rd 123:123
 !
 address-family ipv4
  route-target export 123:123
  route-target import 123:123
 exit-address-family
!
crypto keyring internet-keyring vrf int-vrf 
  pre-shared-key address 1.1.47.7 key vpn1password
  pre-shared-key address 1.1.48.8 key vpn2password
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile vpn1
   vrf cust-a
   keyring internet-keyring
   match identity address 1.1.47.7 255.255.255.255 int-vrf
crypto isakmp profile vpn2
   vrf cust-b
   keyring internet-keyring
   match identity address 1.1.48.8 255.255.255.255 int-vrf
!
!
crypto ipsec transform-set vpn1-TS esp-3des esp-sha-hmac 
 mode tunnel
crypto ipsec transform-set vpn2-TS esp-3des esp-sha-hmac 
 mode tunnel
!
!
!
crypto map crypmap 1 ipsec-isakmp 
 set peer 1.1.47.7
 set transform-set vpn1-TS 
 set isakmp-profile vpn1
 match address 101
crypto map crypmap 2 ipsec-isakmp 
 set peer 1.1.48.8
 set transform-set vpn2-TS 
 set isakmp-profile vpn2
 match address 102
!
interface Loopback0
 ip address 10.1.0.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.13.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 speed 100
 duplex full
 mpls ip
!
interface FastEthernet0/1
 vrf forwarding int-vrf
 ip address 1.1.14.1 255.255.255.0
 speed 100
 duplex full
 crypto map crypmap
!
router ospf 1
 router-id 10.1.0.1
!
router bgp 123
 bgp router-id 10.1.0.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.1.0.2 remote-as 123
 neighbor 10.1.0.2 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.1.0.2 activate
  neighbor 10.1.0.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf cust-a
  redistribute static
 exit-address-family
 !
 address-family ipv4 vrf cust-b
  redistribute static
 exit-address-family
 !
 address-family ipv4 vrf int-vrf
  redistribute connected
  redistribute static
 exit-address-family
!
ip route vrf cust-a 192.168.7.0 255.255.255.0 FastEthernet0/1 1.1.14.4
ip route vrf cust-b 172.16.8.0 255.255.255.0 FastEthernet0/1 1.1.14.4
ip route vrf int-vrf 0.0.0.0 0.0.0.0 1.1.14.4
!
access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 102 permit ip 172.16.6.0 0.0.0.255 172.16.8.0 0.0.0.255
!
end


VRF Aware IPSEC VPN – Part 1

The VRF-Aware IPSec feature introduces IPSec tunnel mapping to MPLS VPNs. Using the VRF-Aware IPSec feature, you can map IPSec tunnels to Virtual Routing and Forwarding (VRF) instances using a single public-facing address.

Terminology

VRF – A VRF instance is a per-VPN routing information repository that defines the VPN membership of a customer site attached to the Provider Edge (PE) router. A VRF comprises an IP routing table, a derived Cisco Express Forwarding (CEF) table, a set of interfaces that use the forwarding table, and a set of rules and routing protocol parameters that control the information that is included in the routing table. A separate set of routing and Cisco Express Forwarding (CEF) tables is maintained for each VPN customer.

Inside VRF (IVRF) – The inside VRF contains the clear-text traffic (before encryption for outbound flows and after decryption for inbound flows). Typically each customer link has its own VRF instance configured on the PE routers; routes are exchanged via MP-BGP and traffic is routed over the MPLS network.

Front Door VRF (FVRF) – The front-door VRF (or outside VRF) is the VRF that contains the encrypted traffic. Typically this VRF carries the Internet traffic, and the VPN endpoint IP addresses belong to it.

Global VRF – The routing instance that is used when no specific VRF is defined. An interface with no VRF instance configured belongs to the global VRF.

VRF-Aware IPsec Functional Overview

Front Door VRF (FVRF) and Inside VRF (IVRF) are central to understanding the feature.

Each IPsec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one VRF domain, which we shall call the FVRF, while the inner, protected IP packet belongs to another domain called the IVRF. Another way of stating the same thing is that the local endpoint of the IPsec tunnel belongs to the FVRF while the source and destination addresses of the inside packet belong to the IVRF.

One or more IPsec tunnels can terminate on a single interface. The FVRF of all these tunnels is the same and is set to the VRF that is configured on that interface. The IVRF of these tunnels can be different and depends on the VRF that is defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile that is attached to a crypto map entry.

Packet Flow into the IPsec Tunnel
  • A VPN packet arrives from the Service Provider MPLS backbone network to the PE and is routed through an interface facing the Internet.
  • The packet is matched against the Security Policy Database (SPD), and the packet is IPsec encapsulated. The SPD includes the IVRF and the access control list (ACL).
  • The IPsec encapsulated packet is then forwarded using the FVRF routing table.
Packet Flow from the IPsec Tunnel
  • An IPSec-encapsulated packet arrives at the PE router from the remote IPsec endpoint.
  • IPSec performs the Security Association (SA) lookup for the Security Parameter Index (SPI), destination, and protocol.
  • The packet is decapsulated using the SA and is associated with IVRF.
  • The packet is further forwarded using the IVRF routing table.
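The two lookups described above (SPD on the way into the tunnel, SA by SPI on the way out), as an added example that is not part of the original post: a small Python model using the VRF names, peers and crypto ACLs from R1's configuration. The FVRF is int-vrf as in part 2 (in the part 1 layout it is the global table); the SPI values and the reduced routing tables are constructed for illustration.

```python
"""Model of the VRF-Aware IPsec packet flow: SPD lookup on the way in,
SA lookup by SPI on the way out.  Added example, not the post's own code;
VRF names, peers and crypto ACLs come from R1's configuration, while the
SPI values and the reduced routing tables are constructed."""
from ipaddress import ip_address, ip_network

LOCAL_ENDPOINT = "1.1.14.1"   # R1 FastEthernet0/1, the crypto-map interface
FVRF = "int-vrf"              # VRF on that interface (part 2); global table in part 1

# Crypto map entries: the ACL is the SPD selector, the ISAKMP profile
# attached to the entry supplies the IVRF.
CRYPTO_MAP = [
    {"peer": "1.1.47.7", "ivrf": "cust-a",
     "acl": (ip_network("192.168.5.0/24"), ip_network("192.168.7.0/24"))},
    {"peer": "1.1.48.8", "ivrf": "cust-b",
     "acl": (ip_network("172.16.6.0/24"), ip_network("172.16.8.0/24"))},
]

# Inbound SA table keyed by SPI (constructed values; IKE negotiates real ones).
SA_TABLE = {
    0x1001: {"peer": "1.1.47.7", "ivrf": "cust-a"},
    0x1002: {"peer": "1.1.48.8", "ivrf": "cust-b"},
}

# Reduced routing tables: FVRF default via R4, each IVRF holding the remote
# site route (static, out the Internet link) and the MPLS-side site route
# (learned via MP-BGP from R2, next hop 10.1.0.2).
ROUTES = {
    "int-vrf": {ip_network("0.0.0.0/0"): "1.1.14.4"},
    "cust-a": {ip_network("192.168.7.0/24"): "1.1.14.4",
               ip_network("192.168.5.0/24"): "10.1.0.2"},
    "cust-b": {ip_network("172.16.8.0/24"): "1.1.14.4",
               ip_network("172.16.6.0/24"): "10.1.0.2"},
}


def lookup(vrf, dst):
    """Longest-prefix match inside one VRF; None if the VRF has no route."""
    best = None
    for net, next_hop in ROUTES[vrf].items():
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def outbound(ivrf, src, dst):
    """Clear-text packet from the MPLS side, already in IVRF `ivrf`.
    The SPD match is (IVRF, ACL).  On a hit the packet is ESP-encapsulated
    with the FVRF endpoint addresses and forwarded using the FVRF table."""
    for entry in CRYPTO_MAP:
        src_net, dst_net = entry["acl"]
        if entry["ivrf"] == ivrf and ip_address(src) in src_net and ip_address(dst) in dst_net:
            return {"encrypted": True, "outer_src": LOCAL_ENDPOINT,
                    "outer_dst": entry["peer"], "fvrf": FVRF,
                    "next_hop": lookup(FVRF, entry["peer"])}
    # No SPD hit: the packet stays clear text and is routed within the IVRF.
    return {"encrypted": False, "next_hop": lookup(ivrf, dst)}


def inbound(spi, outer_src, inner_dst):
    """ESP packet from the Internet.  The SA is found by SPI and peer, the
    IVRF comes from that SA (never from the inner addresses), and the inner
    packet is then routed with the IVRF table."""
    sa = SA_TABLE.get(spi)
    if sa is None or sa["peer"] != outer_src:
        return {"accepted": False, "ivrf": None, "next_hop": None}
    return {"accepted": True, "ivrf": sa["ivrf"],
            "next_hop": lookup(sa["ivrf"], inner_dst)}
```

A decrypted packet whose inner destination is not routable in the SA's IVRF ends with next_hop None: customer B's addresses are never reachable through customer A's tunnel, because the IVRF is bound to the SA, not chosen from the inner header.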
Network Topology

VRF Aware IPSEC VPN

IP Addressing

Hostname  Interface  IP Address
R1        Fa0/0      10.1.13.1/24
R1        Fa0/1      1.1.14.1/24
R1        Loopback0  10.1.0.1/32
R2        Fa0/0      10.1.23.2/24
R2        Fa1/0      10.10.25.2/24
R2        Fa1/1      10.10.26.2/24
R2        Loopback0  10.1.0.2/32
R3        Fa0/0      10.1.13.3/24
R3        Fa0/1      10.1.23.3/24
R3        Loopback0  10.1.0.3/32
R4        Fa0/0      1.1.14.4/24
R4        Fa1/0      1.1.47.4/24
R4        Fa1/1      1.1.48.4/24
R5        Fa0/0      10.10.25.5/24
R5        Fa0/1      192.168.5.5/24
R6        Fa0/0      10.10.26.6/24
R6        Fa0/1      172.16.6.6/24
R7        Fa0/0      1.1.47.7/24
R7        Fa0/1      192.168.7.7/24
R8        Fa0/0      1.1.48.8/24
R8        Fa0/1      172.16.8.8/24

Note: We will not discuss MPLS and BGP configuration; it is assumed that you have basic knowledge of MPLS and MP-BGP configuration. This discussion is limited to VRF Aware IPSEC VPN only.

Configuration:

R1 is the PE router; one arm is connected to the internal MPLS network and the other arm is connected to the Internet. The same Internet link is shared by the VRF Aware IPSec VPNs of multiple customers.

Here we will not configure any VRF instance for the Internet link, so it is treated as the global VRF. We will create and discuss a VRF instance for the Internet link in part 2 of this topic.

R1 - PE and VRF Aware IPSec VPN Router

!! -- Create VRF named cust-a for Customer-A --!!
!! -- This is Inside VRF (I-VRF) --!!
vrf definition cust-a
 rd 123:1
 !
 address-family ipv4
  route-target export 123:1
  route-target import 123:1
 exit-address-family
!
!! -- Create VRF named cust-b for Customer-B --!!
!! -- This is Inside VRF (I-VRF) --!!
!
vrf definition cust-b
 rd 123:2
 !
 address-family ipv4
  route-target export 123:2
  route-target import 123:2
 exit-address-family
!
!! -- Define ISAKMP Pre-shared key for both VPNs --!!
! 
crypto keyring vpn1  
  pre-shared-key address 1.1.47.7 key vpn1password
crypto keyring vpn2  
  pre-shared-key address 1.1.48.8 key vpn2password
!
!! -- Create ISAKMP Policy --!!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
!! -- Create ISAKMP Profile for both VPNs --!!
!
crypto isakmp profile vpn1
   vrf cust-a
   keyring vpn1
   match identity address 1.1.47.7 255.255.255.255 
crypto isakmp profile vpn2
   vrf cust-b
   keyring vpn2
   match identity address 1.1.48.8 255.255.255.255 
!
!
!! -- Create IPSec Transform-set for both VPNs --!!
!
crypto ipsec transform-set vpn1-TS esp-3des esp-sha-hmac 
 mode tunnel
crypto ipsec transform-set vpn2-TS esp-3des esp-sha-hmac 
 mode tunnel
!
!
!! -- Create access-list to define the traffic to pass through --!!
!! -- the VPN tunnel --!!
!! -- access-list 101 is for Customer-1 traffic --!!
!! -- access-list 102 is for Customer-2 traffic --!!
!
access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 102 permit ip 172.16.6.0 0.0.0.255 172.16.8.0 0.0.0.255
!
!! -- Create Crypto MAP for both VPNs --!!
!
crypto map crypmap 1 ipsec-isakmp 
 set peer 1.1.47.7
 set transform-set vpn1-TS 
 set isakmp-profile vpn1
 match address 101
!
crypto map crypmap 2 ipsec-isakmp 
 set peer 1.1.48.8
 set transform-set vpn2-TS 
 set isakmp-profile vpn2
 match address 102
!
!! -- Apply Crypto MAP to Internet facing interface --!!
!
interface FastEthernet0/1
 ip address 1.1.14.1 255.255.255.0
 crypto map crypmap
!
!! -- Routing --!!
!! -- Configure a default static route via internet next-hop IP --!!
!! -- There is no VRF defined for Internet link --!!
!! -- By default it belongs to Global VRF --!! 
!
ip route 0.0.0.0 0.0.0.0 1.1.14.4
!
!! -- As VPN Peer IP is reachable via internet link of Global VRF --!!
!! -- We have to define below routes to route traffic --!!
!! -- from customer VRF to Global VRF--!!
!
ip route vrf cust-a 192.168.7.0 255.255.255.0 1.1.14.4 global
ip route vrf cust-b 172.16.8.0 255.255.255.0 1.1.14.4 global
!
!! -- Redistribute IPSec VPN routes into BGP --!!
!! -- MP-BGP will advertise it to PE-2 Router --!!
!! -- PE-2 Router will advertise those routes to Customers --!!
!
router bgp 123
 bgp router-id 10.1.0.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.1.0.2 remote-as 123
 neighbor 10.1.0.2 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.1.0.2 activate
  neighbor 10.1.0.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf cust-a
  redistribute static
 exit-address-family
 !
 address-family ipv4 vrf cust-b
  redistribute static
 exit-address-family
!
Verification:

R7 (Customer-A Site 1) can ping R5 (Customer-A Site-2) network

R7#ping 192.168.5.5 so 192.168.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.7.7 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 172/184/196 ms

R8 (Customer-B Site 1) can ping R6 (Customer-B Site-2) network

R8#ping 172.16.6.6 so 172.16.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.6.6, timeout is 2 seconds:
Packet sent with a source address of 172.16.8.8 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 152/164/188 ms

Verify VPN Status on R1

R1#show crypto session detail 
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection     
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet0/1
Profile: vpn1
Uptime: 00:40:13
Session status: UP-ACTIVE     
Peer: 1.1.47.7 port 500 fvrf: (none) ivrf: cust-a
      Phase1_id: 1.1.47.7
      Desc: (none)
  IKEv1 SA: local 1.1.14.1/500 remote 1.1.47.7/500 Active 
          Capabilities:(none) connid:1001 lifetime:23:19:46
  IPSEC FLOW: permit ip 192.168.5.0/255.255.255.0 192.168.7.0/255.255.255.0 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 24 drop 0 life (KB/Sec) 4175257/1186
        Outbound: #pkts enc'ed 24 drop 0 life (KB/Sec) 4175257/1186

Interface: FastEthernet0/1
Profile: vpn2
Uptime: 00:38:49
Session status: UP-ACTIVE     
Peer: 1.1.48.8 port 500 fvrf: (none) ivrf: cust-b
      Phase1_id: 1.1.48.8
      Desc: (none)
  IKEv1 SA: local 1.1.14.1/500 remote 1.1.48.8/500 Active 
          Capabilities:(none) connid:1002 lifetime:23:21:09
  IPSEC FLOW: permit ip 172.16.6.0/255.255.255.0 172.16.8.0/255.255.255.0 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 14 drop 0 life (KB/Sec) 4190264/1270
        Outbound: #pkts enc'ed 14 drop 0 life (KB/Sec) 4190264/1270
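Turning this output into a check that each peer terminates in the intended FVRF/IVRF with the intended crypto ACL is a useful audit on a PE that shares one Internet interface between customers. The script below is an added example, not from the original post; it runs over R1's part 2 output (fvrf int-vrf) and serves the part 1 output above as well (fvrf '(none)'), with the peer-to-VRF map taken from R1's crypto map and ISAKMP profiles.

```python
"""Audit 'show crypto session detail' against the intended peer/VRF map.
Added example, not from the original post: the sample is R1's part 2
output (trimmed to the lines the parser needs) and the expected mapping
is taken from the crypto map and ISAKMP profiles in R1's configuration."""
import re

# Design intent: which peer must land in which IVRF with which crypto ACL.
EXPECTED = {
    "1.1.47.7": {"ivrf": "cust-a",
                 "flow": ("192.168.5.0/255.255.255.0", "192.168.7.0/255.255.255.0")},
    "1.1.48.8": {"ivrf": "cust-b",
                 "flow": ("172.16.6.0/255.255.255.0", "172.16.8.0/255.255.255.0")},
}

PROFILE_RE = re.compile(r"^Profile: (\S+)")
STATUS_RE = re.compile(r"^Session status: (\S+)")
PEER_RE = re.compile(r"^Peer: (\S+) port \d+ fvrf: (\S+) ivrf: (\S+)")
FLOW_RE = re.compile(r"^\s*IPSEC FLOW: permit ip (\S+) (\S+)")

# R1's part 2 output, trimmed.  Part 1 output differs only in 'fvrf: (none)'.
SAMPLE_PART2 = """\
Interface: FastEthernet0/1
Profile: vpn1
Uptime: 00:25:30
Session status: UP-ACTIVE
Peer: 1.1.47.7 port 500 fvrf: int-vrf ivrf: cust-a
      Phase1_id: 1.1.47.7
  IKEv1 SA: local 1.1.14.1/500 remote 1.1.47.7/500 Active
  IPSEC FLOW: permit ip 192.168.5.0/255.255.255.0 192.168.7.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Interface: FastEthernet0/1
Profile: vpn2
Uptime: 00:25:07
Session status: UP-ACTIVE
Peer: 1.1.48.8 port 500 fvrf: int-vrf ivrf: cust-b
      Phase1_id: 1.1.48.8
  IKEv1 SA: local 1.1.14.1/500 remote 1.1.48.8/500 Active
  IPSEC FLOW: permit ip 172.16.6.0/255.255.255.0 172.16.8.0/255.255.255.0
        Active SAs: 2, origin: crypto map
"""


def parse_sessions(text):
    """One dict per 'Interface:' block: profile, status, peer, fvrf, ivrf
    and the list of (src, dst) IPSEC FLOW selectors."""
    sessions, cur = [], None
    for line in text.splitlines():
        if line.startswith("Interface:"):
            cur = {"interface": line.split(":", 1)[1].strip(), "flows": []}
            sessions.append(cur)
        elif cur is None:
            continue
        elif m := PROFILE_RE.match(line):
            cur["profile"] = m.group(1)
        elif m := STATUS_RE.match(line):
            cur["status"] = m.group(1)
        elif m := PEER_RE.match(line):
            cur["peer"], cur["fvrf"], cur["ivrf"] = m.groups()
        elif m := FLOW_RE.match(line):
            cur["flows"].append((m.group(1), m.group(2)))
    return sessions


def audit(text, expected_fvrf):
    """Return findings as strings; an empty list means every session is up,
    terminates in expected_fvrf and is mapped to the intended IVRF and ACL."""
    findings, seen = [], set()
    for s in parse_sessions(text):
        peer = s.get("peer")
        want = EXPECTED.get(peer)
        if want is None:
            findings.append(f"{peer}: unexpected peer in ivrf {s.get('ivrf')}")
            continue
        seen.add(peer)
        if s.get("status") != "UP-ACTIVE":
            findings.append(f"{peer}: status {s.get('status')}")
        if s["fvrf"] != expected_fvrf:
            findings.append(f"{peer}: fvrf {s['fvrf']} != {expected_fvrf}")
        if s["ivrf"] != want["ivrf"]:
            findings.append(f"{peer}: ivrf {s['ivrf']} != {want['ivrf']}")
        if want["flow"] not in s["flows"]:
            findings.append(f"{peer}: flow {s['flows']} != {want['flow']}")
    for peer in sorted(EXPECTED.keys() - seen):
        findings.append(f"{peer}: no session")
    return findings
```

For the part 1 design, call audit with expected_fvrf "(none)"; a peer that shows up in the wrong IVRF, a missing session or an unexpected peer each produce one finding.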


Here is the configuration of all devices, in case you want to reproduce and test it in your lab.

-----------------------------------------------
R1 - MPLS PE-1 and VRF Aware IPSec VPN Router
-----------------------------------------------

hostname R1
!
vrf definition cust-a
 rd 123:1
 !
 address-family ipv4
  route-target export 123:1
  route-target import 123:1
 exit-address-family
!
vrf definition cust-b
 rd 123:2
 !
 address-family ipv4
  route-target export 123:2
  route-target import 123:2
 exit-address-family
!
crypto keyring vpn1  
  pre-shared-key address 1.1.47.7 key vpn1password
crypto keyring vpn2  
  pre-shared-key address 1.1.48.8 key vpn2password
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile vpn1
   vrf cust-a
   keyring vpn1
   match identity address 1.1.47.7 255.255.255.255 
crypto isakmp profile vpn2
   vrf cust-b
   keyring vpn2
   match identity address 1.1.48.8 255.255.255.255 
!
!
crypto ipsec transform-set vpn1-TS esp-3des esp-sha-hmac 
 mode tunnel
crypto ipsec transform-set vpn2-TS esp-3des esp-sha-hmac 
 mode tunnel
!
!
!
crypto map crypmap 1 ipsec-isakmp 
 set peer 1.1.47.7
 set transform-set vpn1-TS 
 set isakmp-profile vpn1
 match address 101
crypto map crypmap 2 ipsec-isakmp 
 set peer 1.1.48.8
 set transform-set vpn2-TS 
 set isakmp-profile vpn2
 match address 102
!
interface Loopback0
 ip address 10.1.0.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.13.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 speed 100
 duplex full
 mpls ip
!
interface FastEthernet0/1
 ip address 1.1.14.1 255.255.255.0
 speed 100
 duplex full
 crypto map crypmap
!
router ospf 1
 router-id 10.1.0.1
!
router bgp 123
 bgp router-id 10.1.0.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.1.0.2 remote-as 123
 neighbor 10.1.0.2 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.1.0.2 activate
  neighbor 10.1.0.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf cust-a
  redistribute static
 exit-address-family
 !
 address-family ipv4 vrf cust-b
  redistribute static
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 1.1.14.4
ip route vrf cust-a 192.168.7.0 255.255.255.0 1.1.14.4 global
ip route vrf cust-b 172.16.8.0 255.255.255.0 1.1.14.4 global
!
access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 102 permit ip 172.16.6.0 0.0.0.255 172.16.8.0 0.0.0.255
!
end

----------------------
R2 - MPLS PE-2 Router
----------------------

hostname R2
!
vrf definition cust-a
 rd 123:1
 !
 address-family ipv4
  route-target export 123:1
  route-target import 123:1
 exit-address-family
!
vrf definition cust-b
 rd 123:2
 !
 address-family ipv4
  route-target export 123:2
  route-target import 123:2
 exit-address-family
!
interface Loopback0
 ip address 10.1.0.2 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.23.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 speed 100
 duplex full
 mpls ip
!
interface FastEthernet1/0
 vrf forwarding cust-a
 ip address 10.10.25.2 255.255.255.0
 speed 100
 duplex full
!
interface FastEthernet1/1
 vrf forwarding cust-b
 ip address 10.10.26.2 255.255.255.0
 speed 100
 duplex full
!
router ospf 1
 router-id 10.1.0.2
!
router bgp 123
 bgp router-id 10.1.0.2
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.1.0.1 remote-as 123
 neighbor 10.1.0.1 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.1.0.1 activate
  neighbor 10.1.0.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf cust-a
  redistribute connected
  redistribute static
  neighbor 10.10.25.5 remote-as 65005
  neighbor 10.10.25.5 activate
 exit-address-family
 !
 address-family ipv4 vrf cust-b
  redistribute connected
  redistribute static
  neighbor 10.10.26.6 remote-as 65006
  neighbor 10.10.26.6 activate
 exit-address-family
!
end

-------------------
R3 - MPLS P Router
-------------------

hostname R3
!
interface Loopback0
 ip address 10.1.0.3 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.13.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 speed 100
 duplex full
 mpls ip
!
interface FastEthernet0/1
 ip address 10.1.23.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 speed 100
 duplex full
 mpls ip
!
router ospf 1
 router-id 10.1.0.3
!
end

---------------------
R4 - Internet Router
---------------------

hostname R4
!
interface FastEthernet0/0
 ip address 1.1.14.4 255.255.255.0
 speed 100
 duplex full
!
interface FastEthernet1/0
 ip address 1.1.47.4 255.255.255.0
 speed 100
 duplex full
!
interface FastEthernet1/1
 ip address 1.1.48.4 255.255.255.0
 speed 100
 duplex full
!
end

---------------------------------
R5 - Customer A Site 2 CE Router
---------------------------------

hostname R5
!
interface FastEthernet0/0
 ip address 10.10.25.5 255.255.255.0
 speed 100
 duplex full
!
interface FastEthernet0/1
 ip address 192.168.5.5 255.255.255.0
 speed auto
 duplex auto
!
router bgp 65005
 bgp log-neighbor-changes
 network 192.168.5.0
 neighbor 10.10.25.2 remote-as 123
!
end

---------------------------------
R6 - Customer-B Site 2 CE Router
---------------------------------

hostname R6
!
interface FastEthernet0/0
 ip address 10.10.26.6 255.255.255.0
 speed 100
 duplex full
!
interface FastEthernet0/1
 ip address 172.16.6.6 255.255.255.0
 speed auto
 duplex auto
!
router bgp 65006
 bgp log-neighbor-changes
 network 172.16.6.0 mask 255.255.255.0
 neighbor 10.10.26.2 remote-as 123
!
end

--------------------------------------------------------------------
R7 - Customer-A Site 1 Router having Site-to-Site IPSec VPN with R1
--------------------------------------------------------------------

hostname R7
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key vpn1password address 1.1.14.1       
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac 
 mode tunnel
!
crypto map crypmap 1 ipsec-isakmp 
 set peer 1.1.14.1
 set transform-set TS 
 match address 101
!
interface FastEthernet0/0
 ip address 1.1.47.7 255.255.255.0
 speed 100
 duplex full
 crypto map crypmap
!
interface FastEthernet0/1
 ip address 192.168.7.7 255.255.255.0
 speed auto
 duplex auto
!
ip route 0.0.0.0 0.0.0.0 1.1.47.4
!
access-list 101 permit ip 192.168.7.0 0.0.0.255 192.168.5.0 0.0.0.255
!
end

--------------------------------------------------------------------
R8 - Customer-B Site 1 Router having Site-to-Site IPSec VPN with R1
--------------------------------------------------------------------

hostname R8
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key vpn2password address 1.1.14.1       
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac 
 mode tunnel
!
crypto map crypmap 1 ipsec-isakmp 
 set peer 1.1.14.1
 set transform-set TS 
 match address 102
!
interface FastEthernet0/0
 ip address 1.1.48.8 255.255.255.0
 speed 100
 duplex full
 crypto map crypmap
!
interface FastEthernet0/1
 ip address 172.16.8.8 255.255.255.0
 speed auto
 duplex auto
!
ip route 0.0.0.0 0.0.0.0 1.1.48.4
!
access-list 102 permit ip 172.16.8.0 0.0.0.255 172.16.6.0 0.0.0.255
!
end

Part 2: http://www.amolak.net/vrf-aware-ipsec-vpn-part-2/

BGP Outbound Route Filtering – ORF

When a customer connects a CE router to a provider PE router for BGP peering, there are limited options for which routes the CE can receive from the PE via BGP. Usually the service provider gives the customer the option of receiving the full BGP table, just a default route, or some specific prefixes such as the default route plus the service provider's locally originated prefixes. Normally the service provider does not want to implement a complex outbound route filter policy for the customer; instead the customer implements an inbound route filter policy to accept whatever prefixes it requires.

From an administrative point of view the service provider is happy, as it does not have to handle change requests from the customer to add or remove prefixes in the provider-to-customer advertisements.

Similarly, the customer does not have to submit a change request to the service provider and can modify its inbound filter policy as required.

But from a resource usage point of view this is not an optimal design. The provider router still sends the full BGP table (around 500k prefixes), and the customer router processes all of those BGP updates only to accept a few prefixes (sometimes 1-2%) and deny all the others.

Here the BGP Outbound Route Filtering (ORF) capability plays a significant role: it optimizes this design without increasing the administrative overhead for the service provider of making frequent changes to filter prefix advertisements to the customer.

With the BGP ORF capability, the CE router dynamically tells the PE router which outbound filter the PE should apply when advertising prefixes to the CE.

Let's configure this feature and see how it works. We will use the following network topology for this discussion.

orf-topology

Here is the initial BGP configuration and status on both routers:

PE Router

- BGP peering is UP between PE and CE router
- PE is advertising the full BGP table to CE

R2#sh run | s bgp
router bgp 200
 bgp log-neighbor-changes
 network 0.0.0.0
 network 2.2.1.0 mask 255.255.255.0
 network 2.2.2.0 mask 255.255.255.0
 network 2.2.3.0 mask 255.255.255.0
 network 2.2.4.0 mask 255.255.255.0
 network 2.2.5.0 mask 255.255.255.0
 neighbor 1.1.1.1 remote-as 100

R2#sh ip bgp sum | b Nei
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4          100       5       6        7    0    0 00:01:39        0

R2#sh ip bgp
BGP table version is 7, local router ID is 2.2.5.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          0.0.0.0                  0         32768 i
 *>  2.2.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       0.0.0.0                  0         32768 i
 *>  2.2.3.0/24       0.0.0.0                  0         32768 i
 *>  2.2.4.0/24       0.0.0.0                  0         32768 i
 *>  2.2.5.0/24       0.0.0.0                  0         32768 i

R2#sh ip bgp neighbors 1.1.1.1 advertised-routes
BGP table version is 7, local router ID is 2.2.5.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          0.0.0.0                  0         32768 i
 *>  2.2.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       0.0.0.0                  0         32768 i
 *>  2.2.3.0/24       0.0.0.0                  0         32768 i
 *>  2.2.4.0/24       0.0.0.0                  0         32768 i
 *>  2.2.5.0/24       0.0.0.0                  0         32768 i

Total number of prefixes 6

 

CE Router

- BGP peering is UP between CE and PE router
- CE is receiving the full BGP table from PE

R1#sh run | s bgp
router bgp 100
 bgp log-neighbor-changes
 neighbor 1.1.1.2 remote-as 200

R1#sh ip bgp sum | b Nei
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.2         4          200      12      12       19    0    0 00:07:35        6

R1#sh ip bgp
BGP table version is 19, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          1.1.1.2                  0             0 200 i
 *>  2.2.1.0/24       1.1.1.2                  0             0 200 i
 *>  2.2.2.0/24       1.1.1.2                  0             0 200 i
 *>  2.2.3.0/24       1.1.1.2                  0             0 200 i
 *>  2.2.4.0/24       1.1.1.2                  0             0 200 i
 *>  2.2.5.0/24       1.1.1.2                  0             0 200 i

Let’s first apply an inbound filter on the CE router. The CE wants to accept only the prefixes below:

Default route + 2 specific prefixes
0.0.0.0/0
2.2.1.0/24
2.2.2.0/24

R1#
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip prefix-list FILTER permit 0.0.0.0/0
R1(config)#ip prefix-list FILTER permit 2.2.1.0/24
R1(config)#ip prefix-list FILTER permit 2.2.2.0/24
R1(config)#
R1(config)#router bgp 100
R1(config-router)# neighbor 1.1.1.2 prefix-list FILTER in
R1(config-router)#
R1(config-router)#end
R1#
*Apr  8 12:09:58.667: %SYS-5-CONFIG_I: Configured from console by console
R1#clear ip bgp * soft
R1#sh ip bgp
BGP table version is 22, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          1.1.1.2                  0             0 200 i
 *>  2.2.1.0/24       1.1.1.2                  0             0 200 i
 *>  2.2.2.0/24       1.1.1.2                  0             0 200 i


It appears our requirement is fulfilled, but something is not optimal behind the scenes. Let’s debug the BGP advertisements.

The PE is still advertising the full BGP table to the CE.

R2#sh ip bgp neighbors 1.1.1.1 advertised-routes
BGP table version is 7, local router ID is 2.2.5.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          0.0.0.0                  0         32768 i
 *>  2.2.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       0.0.0.0                  0         32768 i
 *>  2.2.3.0/24       0.0.0.0                  0         32768 i
 *>  2.2.4.0/24       0.0.0.0                  0         32768 i
 *>  2.2.5.0/24       0.0.0.0                  0         32768 i

Total number of prefixes 6

We can see that before the required 3 prefixes were accepted into the BGP table, the CE router had to process every prefix received from the PE and deny the ones not permitted by the inbound prefix-list applied to neighbor 1.1.1.2. Just imagine the resource usage if this were a real full BGP table of 500K prefixes.

R1#debug ip bgp updates
BGP updates debugging is on for address family: IPv4 Unicast
R1#
R1#clear ip bgp 1.1.1.2
R1#
*Apr  8 12:15:10.551: BGP(0): no valid path for 0.0.0.0/0
*Apr  8 12:15:10.555: BGP(0): no valid path for 2.2.1.0/24
*Apr  8 12:15:10.559: BGP(0): no valid path for 2.2.2.0/24
*Apr  8 12:15:10.567: %BGP-5-ADJCHANGE: neighbor 1.1.1.2 Down User reset
*Apr  8 12:15:10.571: %BGP_SESSION-5-ADJCHANGE: neighbor 1.1.1.2 IPv4 Unicast topology base removed from session  User reset
*Apr  8 12:15:10.575: BGP: topo global:IPv4 Unicast:base Remove_fwdroute for 0.0.0.0/0
*Apr  8 12:15:10.583: BGP: topo global:IPv4 Unicast:base Remove_fwdroute for 2.2.1.0/24
*Apr  8 12:15:10.591: BGP: topo global:IPv4 Unicast:base Remove_fwdroute for 2.2.2.0/24
*Apr  8 12:15:10.883: %BGP-5-ADJCHANGE: neighbor 1.1.1.2 Up
*Apr  8 12:15:10.979: BGP(0): 1.1.1.2 rcvd UPDATE w/ attr: nexthop 1.1.1.2, origin i, metric 0, merged path 200, AS_PATH
*Apr  8 12:15:10.991: BGP(0): 1.1.1.2 rcvd 0.0.0.0/0
*Apr  8 12:15:10.995: BGP(0): 1.1.1.2 rcvd 2.2.1.0/24
*Apr  8 12:15:10.999: BGP(0): 1.1.1.2 rcvd 2.2.2.0/24
R1#
*Apr  8 12:15:11.003: BGP(0): 1.1.1.2 rcvd 2.2.3.0/24 -- DENIED due to: distribute/prefix-list;
*Apr  8 12:15:11.007: BGP(0): 1.1.1.2 rcvd 2.2.4.0/24 -- DENIED due to: distribute/prefix-list;
*Apr  8 12:15:11.011: BGP(0): 1.1.1.2 rcvd 2.2.5.0/24 -- DENIED due to: distribute/prefix-list;
*Apr  8 12:15:11.015: BGP(0): Revise route installing 1 of 1 routes for 0.0.0.0/0 -> 1.1.1.2(global) to main IP table
*Apr  8 12:15:11.015: BGP(0): Revise route installing 1 of 1 routes for 2.2.1.0/24 -> 1.1.1.2(global) to main IP table
*Apr  8 12:15:11.019: BGP(0): Revise route installing 1 of 1 routes for 2.2.2.0/24 -> 1.1.1.2(global) to main IP table

R1#sh ip bgp
BGP table version is 34, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          1.1.1.2                  0             0 200 i
 *>  2.2.1.0/24       1.1.1.2                  0             0 200 i
 *>  2.2.2.0/24       1.1.1.2                  0             0 200 i

Let’s try the BGP ORF feature now.

CE Router - R1

R1#
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip prefix-list FILTER permit 0.0.0.0/0
R1(config)#ip prefix-list FILTER permit 2.2.1.0/24
R1(config)#ip prefix-list FILTER permit 2.2.2.0/24
R1(config)#
R1(config)#router bgp 100
R1(config-router)#neighbor 1.1.1.2 capability orf prefix-list send
R1(config-router)# neighbor 1.1.1.2 prefix-list FILTER in
R1(config-router)#end
*Apr  8 12:22:38.879: %BGP-5-ADJCHANGE: neighbor 1.1.1.2 Down Capability changed
*Apr  8 12:22:38.883: %BGP_SESSION-5-ADJCHANGE: neighbor 1.1.1.2 IPv4 Unicast topology base removed from session  Capability changed
*Apr  8 12:22:39.391: %BGP-5-ADJCHANGE: neighbor 1.1.1.2 Up


PE Router - R2

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#router bgp 200
R2(config-router)#neighbor 1.1.1.1 capability orf prefix-list receive
R2(config-router)#
*Apr  8 12:26:25.267: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down Capability changed
*Apr  8 12:26:25.271: %BGP_SESSION-5-ADJCHANGE: neighbor 1.1.1.1 IPv4 Unicast topology base removed from session  Capability changed
*Apr  8 12:26:25.955: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
R2(config-router)#
R2(config-router)#end
R2#

Verification:

The CE router (R1) has negotiated the ORF capability with its neighbor (PE R2) and sent the prefix-list ORF to the PE.

R1#sh ip bgp neighbors 1.1.1.2

<snip>

 For address family: IPv4 Unicast
  Session: 1.1.1.2
  BGP table version 46, neighbor version 46/0
  Output queue size : 0
  Index 7, Advertise bit 0
  7 update-group member
  AF-dependant capabilities:
    Outbound Route Filter (ORF) type (128) Prefix-list:
      Send-mode: advertised
      Receive-mode: received
  Outbound Route Filter (ORF): sent;
  Incoming update prefix filter list is FILTER

<snip>

The PE router (R2) has negotiated the ORF capability with its neighbor (CE R1) and received the prefix-list ORF from the CE.

R2#sh ip bgp neighbors 1.1.1.1

<snip>

 For address family: IPv4 Unicast
  Session: 1.1.1.1
  BGP table version 7, neighbor version 7/0
  Output queue size : 0
  Index 7, Advertise bit 0
  7 update-group member
  AF-dependant capabilities:
    Outbound Route Filter (ORF) type (128) Prefix-list:
      Send-mode: received
      Receive-mode: advertised
  Outbound Route Filter (ORF): received (3 entries)

<snip> 


R2#sh ip bgp neighbors 1.1.1.1 received prefix-filter
Address family: IPv4 Unicast
ip prefix-list 1.1.1.1: 3 entries
   seq 5 permit 0.0.0.0/0
   seq 10 permit 2.2.1.0/24
   seq 15 permit 2.2.2.0/24
R2#

!! -- You can see there is no local prefix-list in the running configuration of R2 --!!

R2#sh ip prefix-list
R2#

!! -- Now R2 advertises to the neighbor only those prefixes permitted in the ORF prefix-list --!!

R2#sh ip bgp neighbors 1.1.1.1 advertised-routes
BGP table version is 7, local router ID is 2.2.5.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          0.0.0.0                  0         32768 i
 *>  2.2.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       0.0.0.0                  0         32768 i

Total number of prefixes 3

Let's debug BGP updates on R1 to see what it is receiving.
It receives only the required prefixes from the neighbor, so no extra CPU cycles are spent processing unnecessary updates.

R1#debug ip bgp updates
BGP updates debugging is on for address family: IPv4 Unicast

R1#clear ip bgp 1.1.1.2
R1#
*Apr  8 13:10:36.119: BGP(0): no valid path for 0.0.0.0/0
*Apr  8 13:10:36.123: BGP(0): no valid path for 2.2.1.0/24
*Apr  8 13:10:36.123: BGP(0): no valid path for 2.2.2.0/24
*Apr  8 13:10:36.135: %BGP-5-ADJCHANGE: neighbor 1.1.1.2 Down User reset
*Apr  8 13:10:36.139: %BGP_SESSION-5-ADJCHANGE: neighbor 1.1.1.2 IPv4 Unicast topology base removed from session  User reset
*Apr  8 13:10:36.143: BGP: topo global:IPv4 Unicast:base Remove_fwdroute for 0.0.0.0/0
*Apr  8 13:10:36.147: BGP: topo global:IPv4 Unicast:base Remove_fwdroute for 2.2.1.0/24
*Apr  8 13:10:36.155: BGP: topo global:IPv4 Unicast:base Remove_fwdroute for 2.2.2.0/24
R1#
*Apr  8 13:10:37.291: %BGP-5-ADJCHANGE: neighbor 1.1.1.2 Up
*Apr  8 13:10:38.219: BGP(0): 1.1.1.2 rcvd UPDATE w/ attr: nexthop 1.1.1.2, origin i, metric 0, merged path 200, AS_PATH
*Apr  8 13:10:38.227: BGP(0): 1.1.1.2 rcvd 0.0.0.0/0
*Apr  8 13:10:38.231: BGP(0): 1.1.1.2 rcvd 2.2.1.0/24
*Apr  8 13:10:38.235: BGP(0): 1.1.1.2 rcvd 2.2.2.0/24
*Apr  8 13:10:38.239: BGP(0): Revise route installing 1 of 1 routes for 0.0.0.0/0 -> 1.1.1.2(global) to main IP table
*Apr  8 13:10:38.247: BGP(0): Revise route installing 1 of 1 routes for 2.2.1.0/24 -> 1.1.1.2(global) to main IP table
*Apr  8 13:10:38.247: BGP(0): Revise route installing 1 of 1 routes for 2.2.2.0/24 -> 1.1.1.2(global) to main IP table
R1#
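
To make the two behaviours above concrete (every prefix processed then DENIED without ORF, only the permitted ones received with it), here is an added Python model that is not part of the original post or of IOS. It implements IOS prefix-list evaluation (lowest sequence first, first match wins, implicit deny, exact length unless ge/le is given) and the PE-side application of the CE's list once ORF is negotiated; it goes beyond the lab's bare entries by also handling ge/le length windows. PE_TABLE and CE_FILTER are constructed from the lab output above; the function names are my own.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    """One 'seq N permit|deny A/L [ge G] [le E]' line of an IOS prefix-list."""
    seq: int
    permit: bool
    network: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

def parse_prefix_list(text: str) -> list:
    """Parse 'show ip prefix-list' lines into Entry objects, lowest sequence first."""
    pat = re.compile(r"seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?")
    entries = [Entry(int(s), act == "permit", ipaddress.IPv4Network(net),
                     int(g) if g else None, int(le) if le else None)
               for s, act, net, g, le in pat.findall(text)]
    return sorted(entries, key=lambda e: e.seq)

def entry_matches(e: Entry, prefix: ipaddress.IPv4Network) -> bool:
    """IOS rule: the first L bits must agree and the length must fall in the ge/le
    window; with no ge/le the window is exactly L, so a bare 0.0.0.0/0 matches
    only the default route, not every prefix."""
    lo = e.ge if e.ge is not None else e.network.prefixlen
    hi = e.le if e.le is not None else (32 if e.ge is not None else e.network.prefixlen)
    return prefix.subnet_of(e.network) and lo <= prefix.prefixlen <= hi

def permits(entries: list, prefix: ipaddress.IPv4Network) -> bool:
    """First matching sequence wins; anything unmatched hits the implicit deny."""
    for e in entries:
        if entry_matches(e, prefix):
            return e.permit
    return False

def session(pe_table: list, ce_filter: list, orf: bool) -> tuple:
    """Return (prefixes the PE sends, prefixes the CE installs). Without ORF the
    PE sends its whole table and the CE drops the rest only after processing
    it; with ORF the PE applies the CE's list on its own outbound side."""
    sent = [p for p in pe_table if not orf or permits(ce_filter, p)]
    return sent, [p for p in sent if permits(ce_filter, p)]

# Constructed from the post's lab: R2's six prefixes and R1's FILTER prefix-list.
PE_TABLE = [ipaddress.IPv4Network(p) for p in ("0.0.0.0/0", "2.2.1.0/24",
            "2.2.2.0/24", "2.2.3.0/24", "2.2.4.0/24", "2.2.5.0/24")]
CE_FILTER = parse_prefix_list("""ip prefix-list FILTER: 3 entries
   seq 5 permit 0.0.0.0/0
   seq 10 permit 2.2.1.0/24
   seq 15 permit 2.2.2.0/24""")
```

session(PE_TABLE, CE_FILTER, False) returns six prefixes sent and three installed, matching the six advertised-routes lines and the three DENIED debug lines above; with orf=True the PE sends only the three permitted prefixes.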

In future, if the CE wants to receive one more prefix (2.2.3.0/24) from the PE, it just has to modify its prefix-list.

!!-- Existing prefix-list --!!
R1#sh ip prefix-list
ip prefix-list FILTER: 3 entries
   seq 5 permit 0.0.0.0/0
   seq 10 permit 2.2.1.0/24
   seq 15 permit 2.2.2.0/24
R1#
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip prefix-list FILTER seq 20 permit 2.2.3.0/24
R1(config)#
R1(config)#end
R1#
*Apr  8 13:15:03.579: %SYS-5-CONFIG_I: Configured from console by console

!!-- New prefix-list --!!
R1#sh ip prefix-list
ip prefix-list FILTER: 4 entries
   seq 5 permit 0.0.0.0/0
   seq 10 permit 2.2.1.0/24
   seq 15 permit 2.2.2.0/24
   seq 20 permit 2.2.3.0/24
R1#

R1#clear ip bgp 1.1.1.2 in ?
  prefix-filter  Push out prefix-list ORF and do inbound soft reconfig
  <cr>
R1#clear ip bgp 1.1.1.2 in prefix-filter


R2 has the updated prefix-filter now.

R2#sh ip bgp neighbors 1.1.1.1 received prefix-filter
Address family: IPv4 Unicast
ip prefix-list 1.1.1.1: 4 entries
   seq 5 permit 0.0.0.0/0
   seq 10 permit 2.2.1.0/24
   seq 15 permit 2.2.2.0/24
   seq 20 permit 2.2.3.0/24

R2 now advertises prefixes based on the updated prefix-filter.

R2#sh ip bgp neighbors 1.1.1.1 advertised-routes
BGP table version is 7, local router ID is 2.2.5.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          0.0.0.0                  0         32768 i
 *>  2.2.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       0.0.0.0                  0         32768 i
 *>  2.2.3.0/24       0.0.0.0                  0         32768 i

Total number of prefixes 4

R1 has the required prefixes in its BGP table. 

R1#sh ip bgp
BGP table version is 59, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          1.1.1.2                  0             0 200 i
 *>  2.2.1.0/24       1.1.1.2                  0             0 200 i
 *>  2.2.2.0/24       1.1.1.2                  0             0 200 i
 *>  2.2.3.0/24       1.1.1.2                  0             0 200 i