MPLS Layer 3 VPN BGP AS Override

BGP has a simple loop prevention mechanism for external BGP. When you see your own AS number in the AS path, we do not accept the prefix. This mechanism is fine for Internet routing but there are some other scenarios where this might be an issue. Take a look at the following topology:

Bgp As234 As12 Topology

Above we have a small MPLS VPN network with two customer sites. The customer is using the same AS number (12) for both sites. When CE1 or CE2 receive an update from each other they will not accept it since their own AS number will be in the AS path.

BGP has a simple loop prevention mechanism for external BGP. When you see your own AS number in the AS path, we do not accept the prefix. This mechanism is fine for Internet routing but there are some other scenarios where this might be an issue. Take a look at the following topology: Above we have


Let’s find out if this is true. Here are the configurations of all routers:

Configurations

Here you will find the startup configurations of each device.

CE1

hostname CE1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router bgp 12
 bgp log-neighbor-changes
 network 1.1.1.1 mask 255.255.255.255
 neighbor 192.168.12.2 remote-as 234
!
end

PE1

hostname PE1
!
ip vrf CUSTOMER
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip cef
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/1
 ip vrf forwarding CUSTOMER
 ip address 192.168.12.2 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 192.168.23.2 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router ospf 1
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.23.0 0.0.0.255 area 0
!         
router bgp 234
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 234
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family ipv4
  no neighbor 4.4.4.4 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUSTOMER
  neighbor 192.168.12.1 remote-as 12
  neighbor 192.168.12.1 activate
 exit-address-family
!
end

P

hostname P
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.23.3 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface GigabitEthernet0/2
 ip address 192.168.34.3 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router ospf 1
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.23.0 0.0.0.255 area 0
 network 192.168.34.0 0.0.0.255 area 0
!
end       

PE2

hostname PE2
!
ip vrf CUSTOMER
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip cef
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface GigabitEthernet0/1
 ip vrf forwarding CUSTOMER
 ip address 192.168.45.4 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 192.168.34.4 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router ospf 1
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.34.0 0.0.0.255 area 0
!         
router bgp 234
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 234
 neighbor 2.2.2.2 update-source Loopback0
 !
 address-family ipv4
  no neighbor 2.2.2.2 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUSTOMER
  neighbor 192.168.45.5 remote-as 12
  neighbor 192.168.45.5 activate
 exit-address-family
!
end

CE2

hostname CE2
!
ip cef
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.45.5 255.255.255.0
 duplex auto
 speed auto
!
router bgp 12
 bgp log-neighbor-changes
 network 5.5.5.5 mask 255.255.255.255
 neighbor 192.168.45.4 remote-as 234
!
end

Let’s find out what is going on. First we’ll check if the PE routers have a VPN route for the prefixes from the CE routers:

PE1#show ip bgp vpnv4 all

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CUSTOMER)
 *>  1.1.1.1/32       192.168.12.1             0             0 12 i
 *>i 5.5.5.5/32       4.4.4.4                  0    100      0 12 i
PE2#show ip bgp vpnv4 all 

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CUSTOMER)
 *>i 1.1.1.1/32       2.2.2.2                  0    100      0 12 i
 *>  5.5.5.5/32       192.168.45.5             0             0 12 i

The PE routers have an entry for the loopback interfaces of the CE routers. Are they advertising these to the CE routers?

PE1#show ip bgp vpnv4 all neighbors 192.168.12.1 advertised-routes 
BGP table version is 16, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CUSTOMER)
 *>i 5.5.5.5/32       4.4.4.4                  0    100      0 12 i

Total number of prefixes 1 
PE2#show ip bgp vpnv4 all neighbors 192.168.45.5 advertised-routes
BGP table version is 18, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CUSTOMER)
 *>i 1.1.1.1/32       2.2.2.2                  0    100      0 12 i

Total number of prefixes 1

The PE routers are advertising these to the CE routers. Let’s check the CE routers:

CE1#show ip bgp      

     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.1/32       0.0.0.0                  0         32768 i
CE2#show ip bgp 

     Network          Next Hop            Metric LocPrf Weight Path
 *>  5.5.5.5/32       0.0.0.0                  0         32768 i

There’s nothing there…they only have the prefix on their own loopback interface in the BGP table. Let’s enable a debug on CE1 to figure out why it’s not accepting anything from PE1:

CE1#debug ip bgp all updates 
BGP updates debugging is on for all address families

Let’s reset the neighbor adjacency:

CE1#clear ip bgp *

Here’s what you will see:

CE1#
BGP(0): 192.168.12.2 rcv UPDATE about 5.5.5.5/32 -- DENIED due to: AS-PATH contains our own AS;

No surprises here…CE1 is denying the update since it sees its own AS number in the AS path. If we want to keep the same AS number on CE1 and CE2 then there are two possible solutions for this issue:

  • Allow-AS in: this can be configured on the CE routers which tells them to accept prefixes with their own AS number in the AS path.
  • AS override: this can be configured on the PE routers, the AS number will be replaced with the AS number from the service provider.

This lesson is about AS override so that’s what we will do. Let’s configure the PE routers:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 655 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

561 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Forum Replies

  1. Shannon,
    This is a good question, and there is a lot going on behind the scene to answer it. As you know, AllowAS-In and AS-Override are both essentially tricks that can be used to deal with what would normally be considered a BGP looped route (since the ASN number will appear in the AS Path).

    The important consideration is whether the BGP “loop” route will actually be filtered on the PE side or the CE side. AllowAS-In assumes the filtering is being done on the CE side, but in reality, most PEs would have already filtered the route before it got to the CE.

    Fo

    ... Continue reading in our forum

  2. Hi Rene,
    Thanks for your nice article !
    Is AS Override only support on MPLS environment ??

    br//
    zaman

  3. Hi Rene,

    Thanks for the Great explanation. I was wondering how does MPLS work & configured between different autonomous systems. Like when there are more than 2 Service providers involved. I checked in google but couldn’t find any article in simple terms… Could you please help ?

    Thank you

  4. Just being picky :smile: , I believe that “If you take a closer look, you can see that AS number 1 has been replaced with AS number 234.” should be replaced with “If you take a closer look, you can see that AS number 12 has been replaced with AS number 234.” Also the picture and interfaces from Configurations files are not the same (in this lesson and also the previous one).

    A question would be why the PE routers are not configured as BGP neighbors with P router? I guess the MPLS VPN does the trick (haven’t read the MPLS lessons yet).

    You make great lessons and comments! Thank you all,
    Stefanita

  5. Hi Stefanita,

    Thanks for letting me know about this error, I just fixed it.

    About your question, it’s indeed MPLS VPN that does the trick. The P routers only do label switching, they only need to know how to reach the PE routers. The PE routers require iBGP to exchange VPN routes. If you haven’t seen it before, take a look at this explanation:

    ... Continue reading in our forum

10 more replies! Ask a question or join the discussion by visiting our Community Forum