© 2006 Cisco Systems, Inc. All rights reserved. MPLS v
MPLS VPN Implementation: Configuring BGP as the Routing Protocol Between PE and CE Routers
Outline
Overview
Configuring a per-VRF BGP Routing Context
What Are the Reasons for Limiting the Number of Routes in a VRF?
Limiting the Number of Prefixes Received from a BGP Neighbor
Limiting the Total Number of VRF Routes
Identifying AS-Override Issues
Identifying Allowas-in Issues
Implementing SOO for Loop Prevention
Summary
Configuring per-VRF BGP Routing Context
Router(config)#
router bgp as-number
address-family ipv4 vrf vrf-name
 ... per-VRF BGP definitions ...
Select the per-VRF BGP context with the address-family command.
Configure CE EBGP neighbors in the VRF context, not in the global BGP configuration; a CE neighbor defined globally would peer in the global routing table instead of the VRF.
CE neighbors have to be activated with the neighbor activate command before any prefixes are exchanged.
Configuring per-VRF BGP Routing Context (Cont.)
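The per-VRF context described above, written out as a complete PE configuration. This is an added example, not a configuration from the course; every name and number in it is an assumption: provider AS 65000, VRF CustA with RD and route target 65000:1, CE AS 65001, PE loopback 10.0.0.1, remote PE 10.0.0.2 and PE-CE link 192.168.1.0/30.

```cisco
! Added example; all names, AS numbers and addresses are assumptions.
!
! 1. The VRF the customer site belongs to
ip vrf CustA
 rd 65000:1
 route-target both 65000:1
!
! 2. The PE-CE interface is placed in the VRF
interface GigabitEthernet0/1
 description Link to CE-BGP-A1
 ip vrf forwarding CustA
 ip address 192.168.1.1 255.255.255.252
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
router bgp 65000
 no bgp default ipv4-unicast
 ! Global context: only the MP-BGP session to the other PE is defined here
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 send-community extended
 exit-address-family
 !
 ! Per-VRF context: the CE EBGP neighbor is defined AND activated here,
 ! never in the global IPv4 configuration
 address-family ipv4 vrf CustA
  neighbor 192.168.1.2 remote-as 65001
  neighbor 192.168.1.2 activate
 exit-address-family
```

To check that the CE session is up inside the VRF rather than in the global table, use show ip bgp vpnv4 vrf CustA summary; the neighbor must appear there with a prefix count instead of a state such as Idle or Active, and show ip bgp vpnv4 vrf CustA lists the routes learned from it.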
Limiting the Number of Routes in a VRF
SPs offering MPLS VPN services are at risk of denial-of-service attacks similar to those aimed at SPs offering plain BGP connectivity:
– Any customer can announce any number of routes, consuming memory and CPU on PE routers that are shared by every customer attached to that PE.
Therefore, the resources used by a single customer have to be limited.
Cisco IOS software offers two complementary solutions:
– It can limit the number of prefixes received from a single BGP neighbor.
– It can limit the total number of routes in a VRF, whatever their source.
Limiting the Number of Prefixes Received from a BGP Neighbor
Router(config-router-af)#
neighbor ip-address maximum-prefix maximum [threshold] [warning-only]
Controls how many prefixes can be received from a neighbor.
The optional threshold parameter specifies the percentage of the maximum at which a warning message is logged (default is 75 percent).
The optional warning-only keyword specifies the action on exceeding the maximum: the default is to tear down the BGP session, whereas with warning-only only a syslog message is generated and the excess prefixes are still accepted.
A session torn down this way stays down until it is cleared manually, unless the restart option of the same command is configured to bring it back after a number of minutes.
Limiting the Total Number of VRF Routes
The maximum routes command in VRF configuration limits the number of routes installed in a VRF, regardless of their source:
– Routes coming from CE routers (over BGP or any other PE-CE routing protocol)
– Routes coming from other PE routers (routes imported through MP-BGP)
The route limit is configured for each VRF.
If the number of routes exceeds the route limit:
– A syslog message is generated.
– Routes above the limit are rejected, unless the warn-only form of the command is used.
Limiting the Total Number of VRF Routes (Cont.)
Router(config-vrf)#
maximum routes limit {warn-threshold | warn-only}
This command configures the maximum number of routes accepted into a VRF:
– The limit parameter is the route limit for the VRF.
– The warn-threshold parameter is the percentage of the limit above which a warning message is sent to syslog; once the limit itself is reached, additional routes are rejected.
– The warn-only option only generates a syslog error message when the number of routes exceeds the limit; no routes are rejected.
Syslog messages generated by this command are rate-limited, so a single message may stand for many rejected routes.
Limiting the Total Number of VRF Routes (Cont.)
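Both limits from the preceding slides applied to one VRF, with the hard-limiting form beside the log-only form. This is an added example rather than the course's own configuration; the VRF CustA, the CE neighbor 192.168.1.2 in AS 65001, the contracted maximum of 100 customer prefixes and the VRF size of 1000 routes are all assumptions.

```cisco
! Added example; VRF name, addresses, AS numbers and limits are assumptions.
!
ip vrf CustA
 rd 65000:1
 route-target both 65000:1
 ! Hard limit on everything that lands in this VRF's table, including routes
 ! imported over MP-BGP from other PEs. Warn at 80 percent of 1000; above
 ! 1000 routes, further routes are rejected.
 maximum routes 1000 80
!
router bgp 65000
 address-family ipv4 vrf CustA
  neighbor 192.168.1.2 remote-as 65001
  neighbor 192.168.1.2 activate
  ! Per-neighbor limit: warn at 80 percent, tear the session down when the
  ! CE sends more than 100 prefixes. The restart value (minutes) re-establishes
  ! the session automatically instead of waiting for a manual clear.
  neighbor 192.168.1.2 maximum-prefix 100 80 restart 30
 exit-address-family
!
! Log-only variants. They give visibility but no protection: a CE can still fill
! the PE's memory. Use them only while measuring a customer's real prefix count
! before settling on a hard limit.
!
! ip vrf CustA
!  maximum routes 1000 warn-only
! router bgp 65000
!  address-family ipv4 vrf CustA
!   neighbor 192.168.1.2 maximum-prefix 100 80 warning-only
```

The per-neighbor limit should always be lower than the VRF limit, otherwise a single CE can exhaust the VRF and starve routes imported from other sites of the same customer. Current counts against both limits are visible with show ip bgp vpnv4 vrf CustA neighbors 192.168.1.2 (prefix counters and the configured maximum) and show ip vrf detail CustA.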
AS-Override: The Issue
The customer wants to reuse the same AS number on several sites:
CE-BGP-A1 announces its /16 prefix to PE-Site-X; the AS path contains only the customer AS.
The prefix announced by CE-BGP-A1 is propagated to PE-Site-Y as an internal route through MP-BGP; the AS path is unchanged.
PE-Site-Y prepends the provider AS to the AS path and propagates the prefix to CE-BGP-A2.
CE-BGP-A2 drops the update because its own AS number is already in the AS path: standard BGP loop detection cannot tell a reused AS number from a real loop.
AS-Override: Implementation
New AS path update procedures have been implemented so that the same AS number can be reused on all VPN sites.
The procedures allow the use of private and public AS numbers.
The same AS number may be used for all sites.
AS-Override: Implementation (Cont.)
With AS-override configured, the AS path update procedure on the PE router is as follows:
– If the first AS number in the AS path is equal to the neighboring AS, it is replaced with the provider AS number.
– If the first AS number has multiple occurrences (because of AS path prepend), all occurrences are replaced with the provider AS number, so the path length is preserved.
– After this operation, the provider AS number is prepended to the AS path, as for any EBGP update.
Only the leading AS numbers are rewritten; the rest of the path is untouched. Because the CE can no longer recognize its own AS in the path, AS-override removes the only loop check between customer sites, which is why multihomed sites also need the SOO attribute.
AS-Override: Command
Router(config-router-af)#
neighbor ip-address as-override
This command configures the AS-override AS path update procedure for the specified neighbor.
AS-override is configured on the PE router for CE EBGP neighbors in the VRF address family of the BGP process; nothing changes on the CE.
AS-Override: Example
PE-Site-Y replaces the customer AS with the provider AS in the AS path, prepends another copy of the provider AS to the AS path, and propagates the prefix to CE-BGP-A2, which now accepts it.
AS-Override: AS-Path Prepending
When CE-BGP-A1 has prepended its AS number several times, PE-Site-Y replaces all leading occurrences of the customer AS with the provider AS in the AS path, prepends another copy of the provider AS, and propagates the prefix; the path length, and therefore the effect of the prepend, is preserved.
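The AS-override configuration on PE-Site-Y, with the resulting AS paths traced through the procedure described above. This is an added example, not part of the course material; provider AS 65000, the reused customer AS 65001, VRF CustA and the CE-BGP-A2 address 192.168.2.2 are assumptions.

```cisco
! Added example; AS numbers, VRF name and addresses are assumptions.
!
router bgp 65000
 address-family ipv4 vrf CustA
  neighbor 192.168.2.2 remote-as 65001
  neighbor 192.168.2.2 activate
  ! Rewrite every leading 65001 in the path to 65000, then prepend 65000
  neighbor 192.168.2.2 as-override
 exit-address-family
!
! AS path of CE-BGP-A1's prefix at each hop (the provider's iBGP/MP-BGP hop does
! not change the path):
!
!   CE-BGP-A1 -> PE-Site-X ............ 65001
!   PE-Site-Y -> CE-BGP-A2, no override 65000 65001        dropped: 65001 is CE-A2's own AS
!   PE-Site-Y -> CE-BGP-A2, override .. 65000 65000        accepted
!
! With CE-BGP-A1 prepending its AS twice more:
!
!   CE-BGP-A1 -> PE-Site-X ............ 65001 65001 65001
!   PE-Site-Y -> CE-BGP-A2, override .. 65000 65000 65000 65000
!                                       (all three replaced, then one prepended)
```

Verify on PE-Site-Y with show ip bgp vpnv4 vrf CustA (the path still shows 65001 there, because the rewrite happens only when the update is sent to the CE) and on CE-BGP-A2 with show ip bgp, where the path must consist of the provider AS only. If the site behind CE-BGP-A2 is multihomed to a second PE, add the SOO filtering shown later in this lesson, since the CE can no longer detect its own routes coming back.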
Allowas-in: The Issue
A customer site links two VPNs.
This is not a usual setup (traffic between VPNs should not normally flow over a customer site).
It is sometimes used for enhanced security, for example to force all traffic between the two VPNs through a device the customer controls at that site.
Allowas-in: The Issue (Cont.)
VPN perspective: VPN-A is connected to VPN-B via CE-AB.
Physical topology: The CE-AB router is dual-connected to the PE routers.
MPLS VPN perspective: The CE-AB router has two links into the P-network, one in each VRF.
BGP perspective, where the issue shows: The CE-AB router has two EBGP connections to the same provider AS.
Allowas-in: The Issue (Cont.)
PE-1 announces its /16 prefix to CE-AB, with the provider AS in the AS path.
CE-AB prepends its AS number to the AS path and propagates the prefix to PE-2.
PE-2 drops the update because its own AS number (the provider AS) is already in the AS path.
One fix is AS-override on CE-AB, so that CE-AB replaces the provider AS before re-advertising the prefix, but that requires a CE platform and Cisco IOS software release that support the feature and may mean an upgrade on a customer-managed router. The allowas-in feature solves the problem on the PE instead.
Allowas-in: Implementation
The allowas-in BGP option relaxes the AS path loop check on the PE router:
– The number of occurrences of the PE router's AS number is limited to suppress real routing loops.
– The limit has to be configured deliberately; pick the smallest value the topology needs (one, for a CE that simply relays routes between two PEs).
– The PE router rejects an update only if its AS number appears in the AS path more often than the configured limit.
Allowas-in: Command
Router(config-router-af)#
neighbor ip-address allowas-in number
This command disables the traditional BGP AS path check for the specified neighbor; like as-override, it is applied to the CE EBGP neighbor in the VRF address family.
An incoming update is rejected only if the AS number of the PE router appears in the AS path more often than the configured limit.
If number is omitted, Cisco IOS software applies a default of 3 occurrences, which is more permissive than this topology needs.
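The allowas-in configuration for the CE-AB topology, as an added example that is not part of the course material. Provider AS 65000, customer AS 65001, VRF names VPN-A and VPN-B, and the CE-AB addresses 192.168.3.2 (toward PE-2) and 192.168.6.2 (toward PE-1) are assumptions.

```cisco
! Added example; AS numbers, VRF names and addresses are assumptions.
!
! PE-2: CE-AB is attached in VRF VPN-B
router bgp 65000
 address-family ipv4 vrf VPN-B
  neighbor 192.168.3.2 remote-as 65001
  neighbor 192.168.3.2 activate
  ! PE-1 sends VPN-A routes to CE-AB with path "65000"; CE-AB relays them with
  ! path "65001 65000". 65000 appears once, so a limit of 1 is sufficient and
  ! still rejects paths such as "65001 65000 65001 65000" that indicate a loop.
  neighbor 192.168.3.2 allowas-in 1
 exit-address-family
!
! PE-1: the mirror image, so that VPN-B routes relayed by CE-AB are accepted
! into VRF VPN-A
router bgp 65000
 address-family ipv4 vrf VPN-A
  neighbor 192.168.6.2 remote-as 65001
  neighbor 192.168.6.2 activate
  neighbor 192.168.6.2 allowas-in 1
 exit-address-family
```

Routes flow in both directions through CE-AB, so the option is needed on both PEs, each in the VRF that holds its CE-AB link. Check acceptance with show ip bgp vpnv4 vrf VPN-B on PE-2: the relayed prefixes must appear with the path 65001 65000. Anything else the CE-AB site should not be allowed to inject is still subject to the maximum-prefix limit on the same neighbor.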
Implementing SOO for Loop Prevention
AS path-based BGP loop prevention is bypassed with the AS-override and allowas-in features; with either configured, a multihomed site can receive its own routes back from the provider network and re-advertise them, creating a routing loop.
Implementing SOO for Loop Prevention (Cont.)
The SOO attribute (a BGP extended community) can be used to prevent loops in these scenarios: routes are tagged with the site they were learned from, and the PE refuses to send a route back into the site it came from.
The SOO attribute is needed only for multihomed sites.
When EBGP is run between PE and CE routers, the SOO attribute is configured through a route-map command applied to the CE neighbor.
For other routing protocols, the SOO attribute is applied to routes learned through a particular VRF interface during their redistribution into BGP.
Implementing SOO for Loop Prevention (Cont.): Inbound EBGP Update
Router(config)#
route-map name permit seq
 match conditions
 set extcommunity soo extended-community-value
Creates a route map that sets the SOO attribute.
Router(config-router-af)#
neighbor ip-address route-map name in
Applies the route map inbound to the CE EBGP neighbor, so that every route learned from that site carries the site's SOO.
Implementing SOO for Loop Prevention (Cont.): Other Inbound Routing Updates
Router(config-if)#
ip vrf sitemap route-map-name
Applies a route map that sets the SOO extended community attribute to routing updates received from this interface, for PE-CE routing protocols other than BGP.
Implementing SOO for Loop Prevention (Cont.)
Router(config)#
ip extcommunity-list number permit soo value
!
route-map name deny seq
 match extcommunity number
!
route-map name permit 9999
Defines a route map that discards routes carrying the site's SOO value and permits everything else.
Router(config-router-af)#
neighbor ip-address route-map name out
Applies the route map to outbound updates sent to the EBGP CE neighbor, so the site never receives its own routes back. Every PE that attaches the same site must use the same SOO value, otherwise routes entering through one PE are not recognized at the other.
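The complete SOO configuration on one PE, covering both the EBGP case and the sitemap case from the preceding slides. This is an added example, not the course's own configuration; provider AS 65000, VRF CustA, a multihomed EBGP site with SOO 65000:100 behind CE 192.168.4.2 (AS 65001, with as-override), an OSPF-attached site with SOO 65000:200 on GigabitEthernet0/2, and all route-map and list names are assumptions.

```cisco
! Added example; AS numbers, VRF, addresses, SOO values and names are assumptions.
!
! --- Site 100: EBGP CE, multihomed, as-override in use ---
!
! Tag everything learned from this CE with the site's SOO
route-map SET-SOO-SITE100 permit 10
 set extcommunity soo 65000:100
!
! Recognize routes that already carry this site's SOO ...
ip extcommunity-list 10 permit soo 65000:100
!
! ... and refuse to send them back into the site
route-map FILTER-SOO-SITE100 deny 10
 match extcommunity 10
route-map FILTER-SOO-SITE100 permit 9999
!
router bgp 65000
 address-family ipv4 vrf CustA
  neighbor 192.168.4.2 remote-as 65001
  neighbor 192.168.4.2 activate
  neighbor 192.168.4.2 as-override
  neighbor 192.168.4.2 route-map SET-SOO-SITE100 in
  neighbor 192.168.4.2 route-map FILTER-SOO-SITE100 out
 exit-address-family
!
! --- Site 200: OSPF CE, multihomed ---
!
! The SOO is attached when routes learned on this interface are redistributed
! into BGP; the other PE serving site 200 must apply the same value
route-map SET-SOO-SITE200 permit 10
 set extcommunity soo 65000:200
!
interface GigabitEthernet0/2
 ip vrf forwarding CustA
 ip address 192.168.5.1 255.255.255.252
 ip vrf sitemap SET-SOO-SITE200
```

The second PE serving site 100 needs an identical SET-SOO-SITE100 and FILTER-SOO-SITE100 pair on its own CE neighbor, since the whole point is that a route entering through one PE is recognized and dropped at the other. Confirm the tag with show ip bgp vpnv4 vrf CustA followed by a prefix learned from the site, which lists the extended communities including SoO:65000:100, and confirm the filter with show ip bgp vpnv4 vrf CustA neighbors 192.168.4.2 advertised-routes, where no route carrying that SOO may appear.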
Summary
Use the address-family ipv4 vrf vrf-name command in the BGP routing process to configure a per-VRF BGP routing context.
SPs offering MPLS VPN services are at risk of denial-of-service attacks; limiting VRF tables is one method to mitigate them.
Use the neighbor maximum-prefix command to limit the number of prefixes received from a BGP neighbor.
Use the maximum routes command to limit the total number of VRF routes.
Summary (Cont.)
BGP loop detection prevents customers from reusing their AS number on several sites.
The neighbor ip-address as-override command prevents this issue by replacing the customer AS number with the provider AS number.
By default, a customer site cannot link two VPNs because of BGP loop detection.
The neighbor ip-address allowas-in number command relaxes the BGP AS path check and permits such routing updates.
The SOO extended BGP community restores loop prevention for multihomed customer sites when as-override or allowas-in is in use.