AS-Override feature and configuration example

In this post we demonstrate the use of as-override and show how to configure it in MPLS Layer 3 VPN scenarios on Cisco, Juniper and Alcatel-Lucent.

BGP avoids routing loops by checking the AS numbers in the AS_PATH attribute. If the receiving router sees its own AS number in the AS path of a received BGP update, the update is dropped.

Topology:

For example, in the above topology cisco-rtr receives routes 2.2.2.2/32 and 3.3.3.3/32 from site-2 and site-3 respectively. When 2.2.2.2/32 and 3.3.3.3/32 are advertised to the CPE at site-1, they are denied because the CPE sees its own AS number in the AS path.

Debug messages on the CPE at site-1 show that the routes are denied because the router sees its own AS number in the AS path.

*Jul 21 11:28:03.216: BGP(0): 192.168.2.2 rcv UPDATE w/ attr: nexthop 192.168.2.2, origin i, originator 0.0.0.0, merged path 100 64512, AS_PATH 100 64512, community , extended community , SSA attribute

*Jul 21 11:28:03.216: BGP(0): 192.168.2.2 rcv UPDATE about 3.3.3.3/32 -- DENIED due to: AS-PATH contains our own AS;

*Jul 21 11:28:03.216: BGP(0): 192.168.2.2 rcv UPDATE w/ attr: nexthop 192.168.2.2, origin ?, originator 0.0.0.0, merged path 100 64512, AS_PATH 100 64512, community , extended community , SSA attribute

*Jul 21 11:28:03.216: BGP(0): 192.168.2.2 rcv UPDATE about 2.2.2.2/32 -- DENIED due to: AS-PATH contains our own AS;

 

In an L3VPN where the customer sites share an AS number, routing updates from one site are dropped when another site receives them. To overcome this we configure the as-override statement on the PE devices. The as-override statement replaces the site-2 device's AS number in the AS path with the AS number of the cisco-rtr device.

After configuring as-override on cisco-rtr, we can see that the AS_PATH changes from 100 64512 to 100 100.

*Jul 21 11:37:41.904: BGP(0): 192.168.2.2 rcvd UPDATE w/ attr: nexthop 192.168.2.2, origin i, merged path 100, AS_PATH 100

*Jul 21 11:37:41.908: BGP(0): 192.168.2.2 rcvd UPDATE w/ attr: nexthop 192.168.2.2, origin ?, metric 0, merged path 100, AS_PATH 100

*Jul 21 11:37:41.908: BGP(0): 192.168.2.2 rcvd UPDATE w/ attr: nexthop 192.168.2.2, origin i, merged path 100 100, AS_PATH 100 100

*Jul 21 11:37:41.908: BGP(0): 192.168.2.2 rcvd 3.3.3.3/32

*Jul 21 11:37:41.908: BGP(0): 192.168.2.2 rcvd UPDATE w/ attr: nexthop 192.168.2.2, origin ?, merged path 100 100, AS_PATH 100 100

*Jul 21 11:37:41.908: BGP(0): 192.168.2.2 rcvd 2.2.2.2/32

*Jul 21 11:37:41.908: BGP(0): Revise route installing 1 of 1 routes for 2.2.2.2/32 -> 192.168.2.2(global) to main IP table

*Jul 21 11:37:41.908: BGP(0): Revise route installing 1 of 1 routes for 3.3.3.3/32 -> 192.168.2.2(global) to main IP table
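
The loop check and the as-override rewrite described above, as an added example that is not part of the original post. It is a simplified model: the function names are hypothetical, the AS numbers and the two DENIED lines come from this page, and it assumes every occurrence of the CE's AS is rewritten (vendors differ in detail).

```python
import re

# AS numbers from the page's topology: provider AS 100, every customer site AS 64512.
PE_AS, CE_AS = 100, 64512

# The two DENIED lines, copied from the CPE debug output shown earlier on the page.
DEBUG_LINES = [
    "*Jul 21 11:28:03.216: BGP(0): 192.168.2.2 rcv UPDATE about 3.3.3.3/32 -- DENIED due to: AS-PATH contains our own AS;",
    "*Jul 21 11:28:03.216: BGP(0): 192.168.2.2 rcv UPDATE about 2.2.2.2/32 -- DENIED due to: AS-PATH contains our own AS;",
]
DENIED = re.compile(r"rcv UPDATE about (\S+) -- DENIED due to: AS-PATH contains our own AS")

def denied_prefixes(lines):
    """Prefixes the receiver rejected because of the AS-path loop check."""
    return [m.group(1) for line in lines if (m := DENIED.search(line))]

def advertise_to_ce(as_path, local_as, peer_as, as_override=False):
    """AS_PATH a PE sends to its CE for a route learned across the VPN."""
    if as_override:
        # Assumption (simplified model): each occurrence of the CE's AS is
        # rewritten to the PE's AS, so the path length is preserved.
        as_path = [local_as if asn == peer_as else asn for asn in as_path]
    return [local_as] + as_path  # ordinary eBGP prepend of the local AS

def ce_accepts(as_path, own_as):
    """Receiver-side loop check: a path containing our own AS is denied."""
    return own_as not in as_path

def demo():
    site2_route = [CE_AS]  # 2.2.2.2/32 as originated by the site-2 CPE
    before = advertise_to_ce(site2_route, PE_AS, CE_AS)
    after = advertise_to_ce(site2_route, PE_AS, CE_AS, as_override=True)
    return {
        "denied_in_debug": denied_prefixes(DEBUG_LINES),
        "before": (before, ce_accepts(before, CE_AS)),
        "after": (after, ce_accepts(after, CE_AS)),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The "after" result is also the caveat: with as-override the CE can no longer recognise a route that originated in its own AS, so a site with more than one PE connection needs another loop-prevention mechanism such as the BGP Site of Origin (SoO) extended community.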

Prerequisites:

MP-BGP is established between the PE routers.

MPLS is enabled throughout the network.

A hub-and-spoke topology is used in this example.

The Cisco router is configured as the hub; the Juniper and Alcatel routers are configured as spokes.

The hub exports routes with route-target 100:601075 and the spokes import routes with route-target 100:601075.

The spokes export routes with route-target 100:601074 and the hub imports routes with route-target 100:601074.

 

Cisco configuration:

 

ip vrf l3vpn-alu-cisco

 rd 100:601074

 route-target export 100:601075

 route-target import 100:601074

!

!

interface GigabitEthernet2/28.1

 encapsulation dot1Q 8

 ip vrf forwarding l3vpn-alu-cisco

 ip address 192.168.2.2 255.255.255.252

!

router bgp 100

 !

address-family ipv4 vrf l3vpn-alu-cisco

  no synchronization

  redistribute connected

  neighbor 192.168.2.1 remote-as 64512

  neighbor 192.168.2.1 activate

  neighbor 192.168.2.1 as-override

 exit-address-family

!

end

 

cisco-rtr#sh ip route vrf l3vpn-alu-cisco

 

Routing Table: l3vpn-alu-cisco

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route, + - replicated route

 

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

 

      1.0.0.0/32 is subnetted, 1 subnets

B        1.1.1.1 [20/0] via 192.168.2.1, 00:36:07

      2.0.0.0/32 is subnetted, 1 subnets

B        2.2.2.2 [200/0] via 100.64.0.3, 21:35:41

      3.0.0.0/32 is subnetted, 1 subnets

B        3.3.3.3 [200/0] via 100.64.0.102, 01:01:41

      192.168.1.0/30 is subnetted, 1 subnets

B        192.168.1.0 [200/0] via 100.64.0.3, 1d03h

      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.2.0/30 is directly connected, GigabitEthernet2/28.1

L        192.168.2.2/32 is directly connected, GigabitEthernet2/28.1

      192.168.3.0/30 is subnetted, 1 subnets

B        192.168.3.0 [200/0] via 100.64.0.102, 2d21h

cisco-rtr#

 

cisco-rtr#sh mpls forwarding-table vrf l3vpn-alu-cisco 192.168.1.0        

Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop   

Label  Label or VC   or Tunnel Id      Switched      interface             

None   18            192.168.1.0/30[V] 0             Gi2/16     172.31.22.90

cisco-rtr#

 

cisco-rtr#sh mpls forwarding-table vrf l3vpn-alu-cisco 192.168.3.0        

Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop   

Label  Label or VC   or Tunnel Id      Switched      interface             

None   261354        192.168.3.0/30[V] 0             Gi8/1/0    172.31.22.42

cisco-rtr#

 

Site-1 CPE Configuration:

 

!

interface Loopback100

 ip address 1.1.1.1 255.255.255.255

!

interface FastEthernet0/0.1

 encapsulation dot1Q 8

 ip address 192.168.2.1 255.255.255.252

end

 

router bgp 64512

 bgp log-neighbor-changes

 neighbor 192.168.2.2 remote-as 100

 !

 address-family ipv4

  redistribute connected

  neighbor 192.168.2.2 activate

  neighbor 192.168.2.2 soft-reconfiguration inbound

 exit-address-family

 !

 

CPE-1#sh bgp ipv4 unicast neighbors 192.168.2.2 routes

BGP table version is 3742, local router ID is 200.200.200.200

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter

Origin codes: i - IGP, e - EGP, ? - incomplete

 

   Network          Next Hop            Metric LocPrf Weight Path

*> 2.2.2.2/32       192.168.2.2                            0 100 100 ?

*> 3.3.3.3/32       192.168.2.2                            0 100 100 i

*> 192.168.1.0/30   192.168.2.2                            0 100 i

*  192.168.2.0/30   192.168.2.2              0             0 100 ?

*> 192.168.3.0/30   192.168.2.2                            0 100 i

 

Total number of prefixes 5

CPE-1#

 

Ping CPE at Site-2:

 

CPE-1# ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

 

Ping CPE at Site-3:

 

CPE-1# ping 3.3.3.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

CPE-1#

 

Juniper Configuration:

 

jpr-rtr> show configuration interfaces ge-1/1/2.1

vlan-id 46;

family inet {

    address 192.168.1.1/30;

}

 

jpr-rtr# show routing-instances L3-vpn-Lab-38xx01

instance-type vrf;

interface ge-1/1/2.1;

route-distinguisher 100:6010175;

vrf-target {

    import target:100:601075;

    export target:100:601074;

}

vrf-table-label;

protocols {

    bgp {

        group PE-CE {

            type external;

            neighbor 192.168.1.2 {

                peer-as 64512;

                local-as 100;

                as-override;

            }

        }

    }

}              

Verification:

 

jpr-rtr> show route table L3-vpn-Lab-38xx01.inet.0

 

L3-vpn-Lab-38xx01.inet.0: 5 destinations, 7 routes (5 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

 

1.1.1.1/32         *[BGP/170] 00:42:19, MED 0, localpref 100, from 100.64.0.6

                      AS path: 64512 ?, validation-state: unverified

                    > to 100.64.169.50 via ae10.316, Push 11895, Push 401396(top)  //11895 is VPN label

2.2.2.2/32         *[BGP/170] 00:00:36, MED 0, localpref 100

                      AS path: 64512 ?, validation-state: unverified

                    > to 192.168.1.2 via ge-1/1/2.1

192.168.1.0/30     *[Direct/0] 2w0d 00:09:58

                    > via ge-1/1/2.1

192.168.1.1/32     *[Local/0] 2w0d 00:09:58

                      Local via ge-1/1/2.1

192.168.2.0/30     *[BGP/170] 21:38:51, MED 0, localpref 100, from 100.64.0.6

                      AS path: ?, validation-state: unverified

                    > to 100.64.169.50 via ae10.316, Push 340, Push 401396(top)

{master}

jpr-rtr>

Site-2 CPE Configuration:

interface GigabitEthernet0/1.46

 encapsulation dot1Q 46

 ip address 192.168.1.2 255.255.255.252

!

interface Loopback10

 ip address 2.2.2.2 255.255.255.255

end

 

router bgp 64512

 neighbor 192.168.1.1 remote-as 100

 !

 address-family ipv4

 redistribute connected

 neighbor 192.168.1.1 activate

 exit-address-family

 

CPE-2#sh bgp ipv4 unicast neighbors 192.168.1.1 routes

BGP table version is 19, local router ID is 192.168.200.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

 

   Network          Next Hop            Metric LocPrf Weight Path

*> 1.1.1.1/32       192.168.1.1                            0 100 100 ?

r> 192.168.2.0/30   192.168.1.1                            0 100 ?

 

Total number of prefixes 2

CPE-2#

 

Site-1 reachability

 

CPE-2# ping 1.1.1.1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

CPE-2#

Alcatel Configuration:

In Alcatel-Lucent terminology, a Virtual Private Routed Network (VPRN) is a Layer 3 Virtual Private Network (VPN) service.

alu-rtr#configure service customer 6010174 create

alu-rtr>config>service>cust# description "l3vpn-alu-cisco-juniper"

alu-rtr>config>service>cust# exit  

 

alu-rtr# configure  router policy-options

alu-rtr>config>router>policy-options# begin

alu-rtr>config>router>policy-options# community "6010174_IMP_RT" members "target:100:601075"

alu-rtr>config>router>policy-options# community "6010174_EXP_RT" members "target:100:601074"

alu-rtr>config>router>policy-options# policy-statement "6010174_VRF_IMP"

alu-rtr>config>router>policy-options>policy-statement# info

----------------------------------------------

                entry 10

                    from

                        community "6010174_IMP_RT"

                    exit

                    action accept

                    exit

                exit

                default-action reject

----------------------------------------------

alu-rtr>config>router>policy-options>policy-statement# exit

alu-rtr>config>router>policy-options# policy-statement "6010174_VRF_EXP"

alu-rtr>config>router>policy-options>policy-statement# info

----------------------------------------------

                entry 10

                    action accept

                        community add "6010174_EXP_RT"

                    exit

                exit

----------------------------------------------

alu-rtr>config>router>policy-options>policy-statement# exit

alu-rtr>config>router>policy-options# policy-statement "PE-CE-EXPORt"

alu-rtr>config>router>policy-options>policy-statement# info

----------------------------------------------

               description "To advertise routes to CPE"

                entry 10

                    action accept

                    exit

                exit

----------------------------------------------

alu-rtr>config>router>policy-options>policy-statement# exit

alu-rtr>config>router>policy-options# commit

alu-rtr>config>router>policy-options# exit

 

 

alu-rtr# configure service vprn 6010174 customer 6010174 create

alu-rtr>config>service>vprn# info

----------------------------------------------

            vrf-import "6010174_VRF_IMP"

            vrf-export "6010174_VRF_EXP"

            route-distinguisher 100:6010176

            auto-bind mpls

            interface "gi-7/1/5:30" create

                address 192.168.3.1/30

                sap 7/1/5:30 create

                exit

            exit

            bgp

                group "l3-vpn-PE-CE"

                    type external

                    export "PE-CE-EXPORt"

                    neighbor 192.168.3.2

                        family ipv4

                        as-override

                        local-as 100

                        peer-as 64512

                    exit

                exit

                no shutdown

            exit

            no shutdown

----------------------------------------------

alu-rtr>config>service>vprn# exit

alu-rtr#

 

Verification on alu-rtr:

alu-rtr# show router 6010174 route-table

 

===============================================================================

Route Table (Service: 6010174)

===============================================================================

Dest Prefix[Flags]                            Type    Proto     Age        Pref

      Next Hop[Interface Name]                                    Metric  

-------------------------------------------------------------------------------

1.1.1.1/32                                    Remote  BGP VPN   00h14m11s  170

       100.64.0.6 (tunneled)                                        0

3.3.3.3/32                                    Remote  BGP       01h38m17s  170

       192.168.3.2                                                  0

192.168.2.0/30                                Remote  BGP VPN   00h14m11s  170

       100.64.0.6 (tunneled)                                        0

192.168.3.0/30                                Local   Local     08d04h21m  0

       gi-7/1/5:30                                                  0

-------------------------------------------------------------------------------

No. of Routes: 4

Flags: n = Number of times nexthop is repeated

       B = BGP backup route available

       L = LFA nexthop available

       S = Sticky ECMP requested

===============================================================================

alu-rtr#

 

Customer Site-3 Configuration:

interface Loopback100

 ip address 3.3.3.3 255.255.255.255

!

interface FastEthernet0/0.30

 encapsulation dot1Q 30

 ip address 192.168.3.2 255.255.255.252

end

 

router bgp 64512

 neighbor 192.168.3.1 remote-as 100

 !

 address-family ipv4

 redistribute connected

 neighbor 192.168.3.1 activate

 exit-address-family

 

Verification:

 

CPE-3#sh bgp ipv4 unicast neighbors 192.168.3.1 routes

BGP table version is 1319, local router ID is 172.168.30.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

 

   Network          Next Hop            Metric LocPrf Weight Path

*> 1.1.1.1/32       192.168.3.1                            0 100 100 ?

*> 192.168.2.0/30   192.168.3.1                            0 100 ?

 

Total number of prefixes 4

CPE-3#

 

Site-1 reachability

 

CPE-3# ping 1.1.1.1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

CPE-3#