MPLS / BGP Inter-AS route exchange

Istvan kelemen (Level 1)

Hi everyone,

I am trying to build a real-life topology. My goal is to exchange private routes between 2 MPLS providers via the public internet without leaking the private routes to the public internet. So the router in the top right corner should be able to ping the router below, and the ISP routers should not know about the private routes.

(attached topology diagram: mplsvpn.png)

The interfaces of ATnT_PE_PE and SWC_PE_PE toward the ISP are in VRF INET. I established a BGP ipv4 VRF INET session between the two MPLS providers; the connectivity is fine, however when I filter the private routes on the ISP, this breaks the connectivity.

How can I get it working?

I will post the configs of the two service provider edge routers:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
ip vrf INET
 rd 100:100
 route-target export 100:100
 route-target import 100:100
 route-target import 1:1
!
ip vrf OCH
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 route-target import 100:100
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface Tunnel0
 no ip address
 tunnel source Serial1/0
 tunnel destination 20.0.0.1
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip vrf forwarding INET
 ip address 40.0.0.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 serial restart-delay 0
!
interface Serial1/1
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 mpls ip
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.1 0.0.0.0 area 0
 network 10.1.1.1 0.0.0.0 area 0
!
router bgp 200
 bgp router-id 40.0.0.2
 bgp log-neighbor-changes
 neighbor 10.3.3.3 remote-as 200
 neighbor 10.3.3.3 update-source Loopback0
 !
 address-family ipv4
  neighbor 10.3.3.3 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.3.3.3 activate
  neighbor 10.3.3.3 send-community both
 exit-address-family
 !
 address-family ipv4 vrf OCH
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf INET
  neighbor 20.0.0.1 remote-as 100
  neighbor 20.0.0.1 ebgp-multihop 10
  neighbor 20.0.0.1 activate
  neighbor 20.0.0.1 send-community both
  neighbor 40.0.0.1 remote-as 1
  neighbor 40.0.0.1 activate
  no synchronization
  network 40.0.0.0 mask 255.255.255.252
 exit-address-family
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 10 permit 172.17.0.0 0.0.255.255
access-list 10 permit 172.18.0.0 0.0.255.255
access-list 10 permit 172.19.0.0 0.0.255.255
access-list 10 permit 172.20.0.0 0.0.255.255
access-list 10 permit 172.21.0.0 0.0.255.255
access-list 10 permit 172.22.0.0 0.0.255.255
access-list 10 permit 172.23.0.0 0.0.255.255
access-list 10 permit 172.24.0.0 0.0.255.255
access-list 10 permit 172.25.0.0 0.0.255.255
access-list 10 permit 172.26.0.0 0.0.255.255
access-list 10 permit 172.27.0.0 0.0.255.255
access-list 10 permit 172.28.0.0 0.0.255.255
access-list 10 permit 172.29.0.0 0.0.255.255
access-list 10 permit 172.30.0.0 0.0.255.255
access-list 10 permit 172.31.0.0 0.0.255.255
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 10 permit any
!
mpls ldp router-id Loopback0
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ATnT_PE_PE
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
ip vrf INET
 rd 100:100
 route-target export 100:100
 route-target import 100:100
 route-target import 1:1
!
ip vrf OCH
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 route-target import 100:100
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
ip tcp synwait-time 5
!
interface Loopback0
 ip address 10.4.4.4 255.255.255.255
!
interface Tunnel0
 no ip address
 tunnel source Serial1/2
 tunnel destination 40.0.0.2
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 10.0.14.4 255.255.255.0
 ip router isis
 ip nat inside
 ip virtual-reassembly
 mpls ip
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 ip vrf forwarding INET
 ip address 20.0.0.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router isis
 net 00.0000.0000.0004.00
 passive-interface Loopback0
!
router bgp 100
 bgp log-neighbor-changes
 neighbor 10.3.3.3 remote-as 100
 neighbor 10.3.3.3 update-source Loopback0
 neighbor 10.11.11.11 remote-as 100
 neighbor 10.11.11.11 update-source Loopback0
 neighbor 10.22.22.22 remote-as 100
 neighbor 10.22.22.22 update-source Loopback0
 !
 address-family ipv4
  neighbor 10.3.3.3 activate
  neighbor 10.11.11.11 activate
  neighbor 10.22.22.22 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.3.3.3 activate
  neighbor 10.3.3.3 send-community both
  neighbor 10.3.3.3 route-reflector-client
  neighbor 10.11.11.11 activate
  neighbor 10.11.11.11 send-community both
  neighbor 10.11.11.11 route-reflector-client
  neighbor 10.22.22.22 activate
  neighbor 10.22.22.22 send-community both
  neighbor 10.22.22.22 route-reflector-client
 exit-address-family
 !
 address-family ipv4 vrf OCH
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf INET
  neighbor 20.0.0.2 remote-as 1
  neighbor 20.0.0.2 activate
  neighbor 40.0.0.2 remote-as 200
  neighbor 40.0.0.2 ebgp-multihop 10
  neighbor 40.0.0.2 activate
  neighbor 40.0.0.2 send-community both
  no synchronization
  network 20.0.0.0 mask 255.255.255.252
 exit-address-family
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 10 permit 172.17.0.0 0.0.255.255
access-list 10 permit 172.18.0.0 0.0.255.255
access-list 10 permit 172.19.0.0 0.0.255.255
access-list 10 permit 172.20.0.0 0.0.255.255
access-list 10 permit 172.21.0.0 0.0.255.255
access-list 10 permit 172.22.0.0 0.0.255.255
access-list 10 permit 172.23.0.0 0.0.255.255
access-list 10 permit 172.24.0.0 0.0.255.255
access-list 10 permit 172.25.0.0 0.0.255.255
access-list 10 permit 172.26.0.0 0.0.255.255
access-list 10 permit 172.27.0.0 0.0.255.255
access-list 10 permit 172.28.0.0 0.0.255.255
access-list 10 permit 172.29.0.0 0.0.255.255
access-list 10 permit 172.30.0.0 0.0.255.255
access-list 10 permit 172.31.0.0 0.0.255.255
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 10 permit any
!
route-map FILTER deny 10
 match ip address 10
!
route-map FILTER permit 20
!
mpls ldp router-id Loopback0
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
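A small audit of the route-target cross-import that both configs above share, added here as an example for this thread (it is not code from the poster or from Cisco). In both PE configs, VRF INET, which holds the serial interface toward the ISP, imports route-target 1:1, the export RT of the private VRF OCH, so OCH prefixes land in the INET table and, with no outbound policy on the eBGP neighbors under "address-family ipv4 vrf INET", are eligible for advertisement to the ISP peer. The script parses an IOS config for exactly that pattern; SAMPLE is a constructed excerpt of the ATnT_PE_PE config, and the "route-map TO-SWC out" line on 40.0.0.2 is an assumption added to show a peer that does carry a filter.

```python
import re
# Constructed excerpt of the ATnT_PE_PE config; "route-map TO-SWC out" on 40.0.0.2 is assumed.
SAMPLE = """\
ip vrf INET
 route-target export 100:100
 route-target import 1:1
!
ip vrf OCH
 route-target export 1:1
 route-target import 100:100
!
router bgp 100
 address-family ipv4 vrf INET
  neighbor 20.0.0.2 remote-as 1
  neighbor 40.0.0.2 remote-as 200
  neighbor 40.0.0.2 route-map TO-SWC out
 exit-address-family
"""

def parse(cfg):
    """One pass: VRF route-targets, and per-VRF BGP neighbors with their outbound policies."""
    vrfs, nbrs, vrf, af = {}, {}, None, None
    for line in cfg.splitlines():
        if m := re.match(r"ip vrf (?!forwarding)(\S+)", line):
            vrf = vrfs.setdefault(m.group(1), {"export": set(), "import": set()})
        elif m := re.match(r"\s+route-target (export|import) (\S+)", line):
            if vrf is not None:
                vrf[m.group(1)].add(m.group(2))
        elif m := re.match(r"\s*address-family ipv4 vrf (\S+)", line):
            af = m.group(1)
        elif m := re.match(r"\s*neighbor (\S+) (\S+) (\S+)( out)?", line):
            if af:
                pol = nbrs.setdefault(af, {}).setdefault(m.group(1), set())
                if m.group(4):          # only an outbound policy limits what this peer receives
                    pol.add(f"{m.group(2)} {m.group(3)}")
        elif "exit-address-family" in line:
            af = None
        elif not line.startswith(" "):  # any unindented line ends an 'ip vrf' block
            vrf = None
    return vrfs, nbrs
def leak_findings(cfg):
    """Neighbors in a VRF that imports another VRF's export RT but have no outbound policy."""
    vrfs, nbrs = parse(cfg)
    findings = []
    for name, v in vrfs.items():
        foreign = sorted(rt for rt in v["import"]
                         for other, o in vrfs.items() if other != name and rt in o["export"])
        findings += [(name, ip, foreign) for ip, pol in nbrs.get(name, {}).items()
                     if foreign and not pol]
    return findings
```

Run against the full configs above, the same check reports the ISP-facing neighbors (20.0.0.2 and 40.0.0.1) on both PEs, since neither applies a route-map or prefix-list outbound in VRF INET.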

3 Replies

blau grana (Level 7)

Hi Istvan,

I see that ISP RED and ISP PURPLE are using different AS numbers. Are they two different ISPs, or are they one ISP divided by the public internet in your scenario?

If they are two different ISPs, you should consider using one of the Inter-AS MPLS VPN solutions.

If they are one ISP, why don't you use the same AS number?

Also, let's say that the green area is the third ISP, a big one. I would purchase a Layer 2 link between both edge routers in the RED and PURPLE areas.

It is hard to help you any further, because you did not provide enough information.

Best Regards

Please rate all helpful posts and close solved questions


Hi,

The ISPs are 2 different ones in the green area. I will implement either an L2 VPN solution or CSC (B2B VRF or so on).

Thanks anyway!

Hi Istvan

Looking at your design, it looks like you are trying to have LAN-based connectivity between sites, since you have installed switches. An L2VPN-based solution like EoMPLS or VPLS would be a good option. If the switches are acting as L3 devices, then you can go for CSC.

Thanks
--Vinit