CCIE SPv5.1 Labs

Inter-AS Option B


Last updated 2 months ago

Load inter.as.l3vpn.option.b.init.cfg

#IOS-XE (R1-R4, R7-R10)
config replace flash:inter.as.l3vpn.option.b.init.cfg
 
#IOS-XR
configure
load bootflash:inter.as.l3vpn.option.b.init.cfg
commit replace
y

RIP, EIGRP, LDP, and VPNv4 are already pre-configured. The route targets for the VRFs have been changed to match between each provider. The ASBR-ASBR link is now only a single subinterface (VLAN 30).

Configure option B so that R9/10 and R7/R8 have reachability.

Answer

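#R1
router bgp 100
 ! May need to refresh vpnv4 routes inbound after the below command
 !
 no bgp default route-target filter
 ! eBGP VPNv4 peering to the remote ASBR (XR1)
 neighbor 30.1.19.19 remote-as 200
 address-family vpnv4
  neighbor 30.1.19.19 activate
  ! Reset the nexthop on routes sent to the local RR
  neighbor 2.2.2.2 next-hop-self

#XR1
router bgp 200
 address-family vpnv4 unicast
  retain route-target all
 !
 ! eBGP VPNv4 peering to the remote ASBR (R1); IOS-XR needs an explicit policy on eBGP sessions
 neighbor 30.1.19.1
  remote-as 100
  address-family vpnv4 unicast
   route-policy PASS in
   route-policy PASS out
 ! Reset the nexthop on routes sent to the local RR
 neighbor 20.20.20.20
  address-family vpnv4 unicast
   next-hop-self
!
route-policy PASS
 pass
end-policy
!
! /32 route to the eBGP peer so that labeled traffic works
router static
 address-family ipv4 unicast
  30.1.19.1/32 gi0/0/0/0.30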

Explanation

Inter-AS option B is more scalable than option A. In option B, only a single link exists between the ASBRs. This link is in the global table. The ASBRs run BGP VPNv4, and exchange VPNv4 routes between each other. The ASBRs no longer need to have the VRFs locally defined.

A few configurations are needed to allow this to work:

  1. Each ASBR must disable the VPNv4 RT filter. By default, a router will only accept VPNv4 routes for which it has a VRF that imports the RT. This filter is disabled when the router is an RR. But in this case, the ASBRs are neither RRs nor have the VRFs locally defined.

#R1
router bgp 100
 no bgp default route-target filter

#XR1
router bgp 200
 address-family vpnv4 unicast
  retain route-target all

  2. The ASBR should set next-hop-self on routes advertised to the local RR. Otherwise, the nexthop is left unchanged and will be the remote ASBR’s address. The nexthop is set to self by default when VRF IPv4 routes (learned from a CE) are imported into VPNv4. But in this case we are learning VPNv4 routes from an eBGP peer and advertising them as VPNv4 to the RR, so the default rule of leaving the nexthop unchanged applies. (Alternatively, you could redistribute the NNI link into the IGP.)

#R1
router bgp 100
  neighbor 2.2.2.2 next-hop-self

#XR1
router bgp 200
 neighbor 20.20.20.20
  address-family vpnv4 unicast
   next-hop-self

  3. Lastly, we must have a /32 route for the eBGP peer in order to do label switching based on the VPNv4 label learned over the eBGP VPNv4 session. IOS-XE installs this route automatically when you activate the peer. IOS-XR does not, so we must use a static route instead.

#R1
R1(config-router)#router bgp 100
R1(config-router)# no bgp default route-target filter
R1(config-router)# neighbor 30.1.19.19 remote-as 200
R1(config-router)# add vpnv4
R1(config-router-af)#  neighbor 30.1.19.19 activate
R1(config-router-af)#
%BGP-5-ADJCHANGE: neighbor 30.1.19.19 Up
%BGP_LMM-6-AUTOGEN1: The mpls bgp forwarding command has been configured on interface: GigabitEthernet1.30

#XR1
router static
 address-family ipv4 unicast
  30.1.19.1/32 gi0/0/0/0.30

On R1 we can see that a /32 route has automatically been added to the routing table, and a local label has been reserved. As far as I can see, this local label is not actually used; it seems to be an internal mechanism to allow label switching to VPNv4 routes learned from this peer. I believe there is an internal check that verifies there is an LSP to the /32 nexthop address for a VPNv4 route. (If you are leaving the nexthop unchanged, the local label is used, because you will need to redistribute this /32 into the IGP.)

IOS-XE automatically adds the command mpls bgp forwarding to the interface used for the eBGP VPNv4 peering.

Once the static route is added on IOS-XR, the router also allocates a local label in the LFIB.

  4. The providers must collaborate on the RT values. Either they need to import each other’s RT values in addition to their local RT, or they must use the same RTs. In this lab, the init config already had the VRFs using the same RTs in each AS. This requirement makes option B less attractive in the real world.

Verification

Traceroute between two CEs in either AS. Notice that there are now three LSPs. There is one PE-ASBR LSP in each AS, plus a single hop LSP between the two ASBRs. The single hop LSP uses the VPNv4 label.

Three LSPs:

What is nice about option B is that extcommunity values from OSPF or EIGRP are retained. On R7, the 8.8.8.8/32 route is learned as an internal EIGRP route. In option A, it was an external route (unless you run EIGRP at the ASBR-ASBR link, which is ugly).

The downside to option B is that while routes are no longer installed in the ASBR’s FIB (because the VRFs don’t actually exist on the ASBRs), a single label is used up for every VPNv4 prefix. If there are a large number of routes learned over the eBGP VPNv4 session, this could quickly use up the local ASBR’s label space.

There is no option for a “per-vrf” label space, because these VPNv4 routes are not being imported into a VRF. On R1, notice that there is one label for every single VPNv4 route learned via the ASBR, and learned via the local PE.

Advertising the remote ASBR’s /32 into the IGP

Instead of using next-hop-self on the ASBR’s VPNv4 session with the local RR, we could advertise the remote ASBR’s /32 into the IGP, and leave the nexthop unchanged. This results in only two LSPs, one LSP from the PE to the remote ASBR, and one from the remote ASBR to its local PE.

#R1
router bgp 100
 address-family vpnv4
  no neighbor 2.2.2.2 next-hop-self
!
router ospf 1
 ! Remember that the /32 is installed as a connected route automatically on IOS-XE
 !
 redistribute connected

#XR1
router bgp 200
 neighbor 20.20.20.20
  address-family vpnv4 unicast
   no next-hop-self
!
router isis 1
 address-family ipv4 unicast
  ! Remember that we had to add a /32 static route on IOS-XR
  !
  redistribute static

This produces a traceroute with only two VPN labels (24011 and 24005):

Above, 24011 is XR1’s VPN label. 24005 is XR2’s VPN label. The diagram below shows the two LSPs when R7 sends traffic to R8:

When R8 sends traffic to R7, the LSPs are flipped. The first LSP is XR2 to R1, and then the second LSP is R1 to R2.

The advantage to leaving the nexthop unchanged on the VPNv4 route is that it cuts down on the number of entries in the local ASBR’s LFIB. If the local ASBR resets the nexthop to itself when advertising the VPNv4 route internally, it must have an entry for all local VPNv4 prefixes, plus all remote VPNv4 prefixes. When leaving the nexthop unchanged, the ASBR only has to have an entry for all local VPNv4 prefixes. All remote VPNv4 prefixes will have the same top transport label representing the /32 of the remote ASBR, which the local ASBR just pops off, revealing the remote ASBR’s VPN label.

Other notes

IOS-XR also includes a protection mechanism for option B. With option B, you are trusting that the remote provider won’t try to spoof MPLS packets. You can implement an RPF check that only permits received labeled packets whose MPLS labels have been locally allocated and advertised to the eBGP peer.

#XR1
router bgp 200
 address-family vpnv4 unicast
  label-security asbr rpf
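
The check described above, as an added Python model (not part of the original lab and not IOS-XR's implementation). It assumes a simplified ASBR that allocates one local label per VPNv4 prefix and remembers which labels it advertised to which peer; the RD:prefix values, the label numbers and the 7.7.7.7/32 prefix are constructed for the illustration.

```python
"""Simplified model of an option B ASBR: per-prefix VPNv4 labels and the
label RPF check. Added illustration; all sample values are constructed."""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Asbr:
    name: str
    label_security: bool = False  # models "label-security asbr rpf"
    _next_label: count = field(default_factory=lambda: count(24000))
    lfib: dict = field(default_factory=dict)        # local label -> (prefix, next hop)
    advertised: dict = field(default_factory=dict)  # BGP peer -> labels sent to it

    def advertise(self, peer: str, rd_prefix: str, next_hop: str) -> int:
        """Advertise a VPNv4 prefix to a peer with this ASBR as the nexthop.

        No VRF exists on the ASBR, so every prefix gets its own local label.
        """
        for label, (prefix, _) in self.lfib.items():
            if prefix == rd_prefix:
                break  # reuse the label already bound to this prefix
        else:
            label = next(self._next_label)
            self.lfib[label] = (rd_prefix, next_hop)
        self.advertised.setdefault(peer, set()).add(label)
        return label

    def receive(self, peer: str, top_label: int) -> str:
        """Decide what happens to a labeled packet arriving from an eBGP peer."""
        if self.label_security and top_label not in self.advertised.get(peer, set()):
            return "drop: label not advertised to this peer"
        entry = self.lfib.get(top_label)
        if entry is None:
            return "drop: no LFIB entry"
        return f"forward {entry[0]} via {entry[1]}"


def demo(label_security: bool) -> dict:
    """XR1 with next-hop-self towards its RR, as in the lab answer."""
    xr1 = Asbr("XR1", label_security=label_security)
    # AS 200 prefix learned from the local PE, advertised to eBGP peer R1.
    to_r1 = xr1.advertise("30.1.19.1", "200:1:8.8.8.8/32", next_hop="XR2")
    # AS 100 prefix learned from R1, advertised to the local RR (next-hop-self).
    to_rr = xr1.advertise("20.20.20.20", "100:1:7.7.7.7/32", next_hop="30.1.19.1")
    return {
        "advertised": xr1.receive("30.1.19.1", to_r1),
        "not_advertised": xr1.receive("30.1.19.1", to_rr),
        "unallocated": xr1.receive("30.1.19.1", 99999),
        "lfib_size": len(xr1.lfib),
    }


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"label_security={enabled}: {demo(enabled)}")
```

Without the check, a packet from R1 carrying a label that exists in XR1's LFIB but was only advertised to the RR is still label switched; with the check, only the label XR1 actually sent to R1 is accepted on that peering.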

Summary

Compared to option A, option B is more scalable but requires trust and coordination between SPs. For this reason, option B is likely not used much in the real world unless there is a significant number of VPNs being exchanged over the L3 NNI.

Option B is more scalable because:

  • Only one link is used

    • In option A, one sub interface per VRF is needed

  • The VRFs do not need to be defined on the ASBRs, which in turn means the VPNv4 prefixes are not installed into the FIB

    • However, at least the local VPNv4 prefixes are installed into the LFIB, as the ASBR terminates the LSP for these prefixes

  • The BGP extcommunities are retained end-to-end between ASes

Option B requires more work to set up:

  • Configuration

    • Disabling RT filter

    • Static /32 route for eBGP VPNv4 peer so that labeled traffic works

    • Next-hop-self on vpnv4 routes towards internal RR

      • Or leave the next-hop unchanged and redistribute the /32 of the eBGP peer into the IGP

  • Coordination between SPs

    • RT values

      • The RT is locally significant in option A, but is globally significant in option B

Option B lacks some scalability, because all VPNv4 prefixes must be entered into the LFIB on the ASBRs. Option C improves upon this as you will see next.