MPLS Layer 3 VPN BGP AS Override

BGP has a simple loop prevention mechanism for external BGP: when a router sees its own AS number in the AS path of an update, it does not accept the prefix. This mechanism is fine for Internet routing, but there are other scenarios where it can be an issue. Take a look at the following topology:

[Figure: BGP AS 234 / AS 12 topology]

Above we have a small MPLS VPN network with two customer sites. The customer is using the same AS number (12) for both sites. When CE1 or CE2 receives an update from the other, it will not accept it since its own AS number will be in the AS path.


Let’s find out if this is true. Here are the configurations of all routers:

Configurations

Here you will find the startup configurations of each device.

CE1

hostname CE1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router bgp 12
 bgp log-neighbor-changes
 network 1.1.1.1 mask 255.255.255.255
 neighbor 192.168.12.2 remote-as 234
!
end

PE1

hostname PE1
!
ip vrf CUSTOMER
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip cef
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/1
 ip vrf forwarding CUSTOMER
 ip address 192.168.12.2 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 192.168.23.2 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router ospf 1
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.23.0 0.0.0.255 area 0
!         
router bgp 234
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 234
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family ipv4
  no neighbor 4.4.4.4 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUSTOMER
  neighbor 192.168.12.1 remote-as 12
  neighbor 192.168.12.1 activate
 exit-address-family
!
end

P

hostname P
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.23.3 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface GigabitEthernet0/2
 ip address 192.168.34.3 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router ospf 1
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.23.0 0.0.0.255 area 0
 network 192.168.34.0 0.0.0.255 area 0
!
end       

PE2

hostname PE2
!
ip vrf CUSTOMER
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip cef
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface GigabitEthernet0/1
 ip vrf forwarding CUSTOMER
 ip address 192.168.45.4 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 192.168.34.4 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router ospf 1
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.34.0 0.0.0.255 area 0
!         
router bgp 234
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 234
 neighbor 2.2.2.2 update-source Loopback0
 !
 address-family ipv4
  no neighbor 2.2.2.2 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUSTOMER
  neighbor 192.168.45.5 remote-as 12
  neighbor 192.168.45.5 activate
 exit-address-family
!
end

CE2

hostname CE2
!
ip cef
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.45.5 255.255.255.0
 duplex auto
 speed auto
!
router bgp 12
 bgp log-neighbor-changes
 network 5.5.5.5 mask 255.255.255.255
 neighbor 192.168.45.4 remote-as 234
!
end

Let’s find out what is going on. First we’ll check if the PE routers have a VPN route for the prefixes from the CE routers:

PE1#show ip bgp vpnv4 all

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CUSTOMER)
 *>  1.1.1.1/32       192.168.12.1             0             0 12 i
 *>i 5.5.5.5/32       4.4.4.4                  0    100      0 12 i

PE2#show ip bgp vpnv4 all

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CUSTOMER)
 *>i 1.1.1.1/32       2.2.2.2                  0    100      0 12 i
 *>  5.5.5.5/32       192.168.45.5             0             0 12 i

The PE routers have an entry for the loopback interfaces of the CE routers. Are they advertising these to the CE routers?

PE1#show ip bgp vpnv4 all neighbors 192.168.12.1 advertised-routes 
BGP table version is 16, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CUSTOMER)
 *>i 5.5.5.5/32       4.4.4.4                  0    100      0 12 i

Total number of prefixes 1

PE2#show ip bgp vpnv4 all neighbors 192.168.45.5 advertised-routes
BGP table version is 18, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CUSTOMER)
 *>i 1.1.1.1/32       2.2.2.2                  0    100      0 12 i

Total number of prefixes 1

The PE routers are advertising these to the CE routers. Let’s check the CE routers:

CE1#show ip bgp      

     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.1/32       0.0.0.0                  0         32768 i

CE2#show ip bgp

     Network          Next Hop            Metric LocPrf Weight Path
 *>  5.5.5.5/32       0.0.0.0                  0         32768 i

There’s nothing there: each CE router only has the prefix of its own loopback interface in the BGP table. Let’s enable a debug on CE1 to figure out why it’s not accepting anything from PE1:

CE1#debug ip bgp all updates 
BGP updates debugging is on for all address families

Let’s reset the neighbor adjacency:

CE1#clear ip bgp *

Here’s what you will see:

CE1#
BGP(0): 192.168.12.2 rcv UPDATE about 5.5.5.5/32 -- DENIED due to: AS-PATH contains our own AS;

No surprises here: CE1 is denying the update since it sees its own AS number in the AS path. If we want to keep the same AS number on CE1 and CE2, there are two possible solutions for this issue:

  • Allow-AS in: this is configured on the CE routers and tells them to accept prefixes with their own AS number in the AS path.
  • AS override: this is configured on the PE routers; the customer's AS number in the AS path is replaced with the AS number of the service provider.
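The loop check and the two workarounds listed above, modelled in Python as an added example (not part of the original lesson and not router code). The function names are hypothetical; the AS numbers and the 5.5.5.5/32 path come from the lab output, and `allowas_in` is modelled as the number of times the local AS may appear in a received path.

```python
# Added illustration: a small model of the eBGP AS-path loop check and of
# what AS override / allowas-in change. Names are hypothetical.
PROVIDER_AS = 234   # PE1 and PE2 in the lab
CUSTOMER_AS = 12    # CE1 and CE2 in the lab


def pe_advertise(as_path, neighbor_as, local_as=PROVIDER_AS, as_override=False):
    """Return the AS path a PE sends to an eBGP CE neighbor.

    With as_override, every occurrence of the neighbor's AS in the path is
    replaced by the PE's own AS; the PE then prepends its AS as usual.
    """
    if as_override:
        as_path = [local_as if asn == neighbor_as else asn for asn in as_path]
    return [local_as] + as_path


def ce_accepts(as_path, local_as=CUSTOMER_AS, allowas_in=0):
    """eBGP receive check on the CE.

    The update is denied when the local AS appears in the path more often
    than allowas_in permits (0 models the default loop prevention).
    """
    return as_path.count(local_as) <= allowas_in


def simulate(as_override=False, allowas_in=0):
    """CE2's 5.5.5.5/32 as PE1 advertises it to CE1.

    Returns (AS path received by CE1, whether CE1 accepts it).
    """
    vpnv4_path = [CUSTOMER_AS]  # "12 i" in PE1's VPNv4 table
    received = pe_advertise(vpnv4_path, neighbor_as=CUSTOMER_AS,
                            as_override=as_override)
    return received, ce_accepts(received, allowas_in=allowas_in)


if __name__ == "__main__":
    for label, kwargs in [("default", {}),
                          ("AS override on PE", {"as_override": True}),
                          ("allowas-in on CE", {"allowas_in": 1})]:
        path, accepted = simulate(**kwargs)
        print(f"{label:18} path={path} accepted={accepted}")
```

Because the override rewrites every occurrence of AS 12, a site's own prefix returning through a second PE would also pass `ce_accepts`; both options trade away AS-path loop detection for the customer AS.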

This lesson is about AS override so that’s what we will do. Let’s configure the PE routers:

Content created by Rene Molenaar (CCIE #41726)

Forum Replies

  1. Hi Rene,

    I want to know the configuration where the customer will be using the BGP protocol.

    What will be the steps for CE1 to PE1, PE1-P-PE2, CE2 to PE2?

    Kindly reply.

    S Alladi

  2. Hi Rene,

    You mentioned two methods to solve the issue of two sites with the same AS.

    Use Allow-AS in to overrule the loop prevention mechanism of external BGP.
    Use AS override to change the AS number on the PE routers.

    My question is: of the two methods, which one should I use in which situation?

    Thanks,
    Nyi Nyi.

  3. Hi Rene,
    Everything was clear about this lesson, but I am confused: why did you configure AS 12 on router CE1? It should have been AS1. If we configure a different AS then we don't have to use the allowas-in command, right?

    hostname CE1
    !
    interface Loopback0
     ip address 1.1.1.1 255.255.255.255
    !
    interface GigabitEthernet0/1
     ip address 192.168.12.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    !
    router bgp 12
     bgp log-neighbor-changes
     network 1.1.1.1 mask 255.255.255.255
     neighbor 192.168.12.2 remote-as 234
     neighbor 192.168.12.2 allowas-in
    !
    end

  4. Hi Eleever,

    You mean this part?

     address-family ipv4
      no neighbor 4.4.4.4 activate
     exit-address-family
     !
     address-family vpnv4
      neighbor 4.4.4.4 activate
      neighbor 4.4.4.4 send-community extended
     exit-address-family
    

    What it does is that we don’t exchange IPv4 unicast routes but only VPNv4 routes with our neighbor.

    Rene
