MPLS Layer 3 VPN BGP Allow-AS-In

External BGP uses a simple loop prevention mechanism: when you see your own AS number in the AS path, we don’t accept the prefix. There are some scenarios where this might be an issue. Take a look at the following topology:

Bgp As234 As12 Topology

Above we have a MPLS VPN network where the customer is using the same AS number (12) on both sites. CE1 and CE2 will be unable to learn each others prefixes since they are using the same AS number.




Let’s see if this is true, here are the configurations of all routers if you want to test this yourself:

Configurations

Here you will find the startup configurations of each device.

CE1

hostname CE1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router bgp 12
 bgp log-neighbor-changes
 network 1.1.1.1 mask 255.255.255.255
 neighbor 192.168.12.2 remote-as 234
!
end

PE1

hostname PE1
!
ip vrf CUSTOMER
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip cef
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/1
 ip vrf forwarding CUSTOMER
 ip address 192.168.12.2 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 192.168.23.2 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router ospf 1
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.23.0 0.0.0.255 area 0
!         
router bgp 234
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 234
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family ipv4
  no neighbor 4.4.4.4 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUSTOMER
  neighbor 192.168.12.1 remote-as 12
  neighbor 192.168.12.1 activate
 exit-address-family
!
end

P

hostname P
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.23.3 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface GigabitEthernet0/2
 ip address 192.168.34.3 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router ospf 1
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.23.0 0.0.0.255 area 0
 network 192.168.34.0 0.0.0.255 area 0
!
end       

PE2

hostname PE2
!
ip vrf CUSTOMER
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip cef
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface GigabitEthernet0/1
 ip vrf forwarding CUSTOMER
 ip address 192.168.45.4 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 192.168.34.4 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
router ospf 1
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.34.0 0.0.0.255 area 0
!         
router bgp 234
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 234
 neighbor 2.2.2.2 update-source Loopback0
 !
 address-family ipv4
  no neighbor 2.2.2.2 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUSTOMER
  neighbor 192.168.45.5 remote-as 12
  neighbor 192.168.45.5 activate
 exit-address-family
!
end

CE2

hostname CE2
!
ip cef
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.45.5 255.255.255.0
 duplex auto
 speed auto
!
router bgp 12
 bgp log-neighbor-changes
 network 5.5.5.5 mask 255.255.255.255
 neighbor 192.168.45.4 remote-as 234
!
end

Each CE router has a loopback interface that was advertised in BGP (1.1.1.1/32 and 5.5.5.5/32). The first thing to check is to see if the PE routers have learned the prefixes from our CE routers:

PE1#show ip bgp vpnv4 all

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CUSTOMER)
 *>  1.1.1.1/32       192.168.12.1             0             0 12 i
 *>i 5.5.5.5/32       4.4.4.4                  0    100      0 12 i
PE2#show ip bgp vpnv4 all 

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CUSTOMER)
 *>i 1.1.1.1/32       2.2.2.2                  0    100      0 12 i
 *>  5.5.5.5/32       192.168.45.5             0             0 12 i

Above you can see that both PE routers have a VPN route for these prefixes. Did they advertise these prefixes to our CE routers?

PE1#show ip bgp vpnv4 all neighbors 192.168.12.1 advertised-routes 
BGP table version is 16, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CUSTOMER)
 *>i 5.5.5.5/32       4.4.4.4                  0    100      0 12 i

Total number of prefixes 1 
PE2#show ip bgp vpnv4 all neighbors 192.168.45.5 advertised-routes
BGP table version is 18, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CUSTOMER)
 *>i 1.1.1.1/32       2.2.2.2                  0    100      0 12 i

Total number of prefixes 1

No issues there, our PE routers are advertising these prefixes to the CE routers. Let’s see what we find in the BGP tables of the CE routers:

CE1#show ip bgp      

     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.1/32       0.0.0.0                  0         32768 i
CE2#show ip bgp 

     Network          Next Hop            Metric LocPrf Weight Path
 *>  5.5.5.5/32       0.0.0.0                  0         32768 i

The CE routers only have their own prefixes in their BGP tables. Why did they refuse the updates from the PE routers? Time for a debug:

CE1#debug ip bgp all updates 
BGP updates debugging is on for all address families

Let’s reset the BGP neighbor adjacency:

CE1#clear ip bgp *

Here’s what you will see on the CE1 router:

CE1# BGP(0): 192.168.12.2 rcv UPDATE about 5.5.5.5/32 -- DENIED due to: AS-PATH contains our own AS;

As expected, the CE1 router denies the update since it sees its own AS number in the AS path. If we don’t want to change our AS numbers then there’s two ways to deal with this:

  • Use Allow-AS in to overrule the loop prevention mechanism of external BGP.
  • Use AS override to change the AS number on the PE routers.

This lesson is about allow-AS in so that’s what we will do this time:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now!

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 799 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
541 Sign Ups in the last 30 days
satisfaction-guaranteed

  • 100% Satisfaction Guaranteed!
  • You may cancel your monthly membership at any time.
  • No Questions Asked!

Tags:


Forum Replies

  1. Hi Rene,

    I want to know the configuration, where the customer will be using bgp protocol.

    what will be the steps for CE1 to PE1, PE1-P-PE2, CE2to PE2.

    kindly reply.

    S Alladi

  2. Hi Rene,

    Thanks! Very Good explanation.

    Davis

  3. HI Rene,

    you mentioned two methods to solve the two same AS issue.

    Use Allow-AS in to overrule the loop prevention mechanism of external BGP.
    Use AS override to change the AS number on the PE routers.

    my question is that among both method which method should I use for which situation?

    thanks,
    Nyi Nyi.

  4. Hi Nyi Nyi,

    Both will get the job done, the main difference is that allow AS in is configured on the customer routers and AS override is done on the SP routers. In the real world you probably don’t have access to both the customer and SP routers so it’s possible that only one of the two options is available to you.

    Rene

20 more replies! Ask a question or join the discussion by visiting our Community Forum