MPLS virtual private network PE-CE routing protocol (BGP)

Basic configuration:

BGP is another routing protocol that can be used between PE and CE. Generally, BGP is used when the user needs to connect two or more operator networks. eBGP is usually used, because the AS number of the VPN customer is usually not the same as the operator's AS. In this case no import operation is needed: the routes learned from the CE can be passed directly as BGP routes to the other PEs, without route import. As shown in the output below, PE1 has configured the eBGP peer 10.1.14.1 (the CE) under its VPN instance.

sysname PE1
#
bgp 100
 ipv4-family vpn-instance VPN-A
  peer 10.1.14.1 as-number 65000

AS replacement:

In an MPLS VPN environment where BGP runs between PE and CE, BGP carries the AS-PATH attribute when it transmits routes. If the sites of one VPN user use different AS numbers, routes are exchanged normally between the sites; if the user's sites use the same AS number, special features are needed so that BGP can learn the routes normally. These features are AS substitution (substitute-as) and allow-as-loop. The functions and usage of these two features are described below.

As shown in the figure, the AS numbers used by the two sites of the user are both 65000:
When the PE1 router advertises the VPNv4 route of Site1 to PE2, the AS-PATH carries the AS number 65000. When CE2 receives the route, it finds its own AS number in the route's AS-PATH and therefore discards the route. Similarly, the routes of Site2 cannot be received by Site1. One solution is to assign a different AS number to each site, but this requires a lot of configuration changes and is troublesome. A simpler solution is to use BGP's AS replacement function. AS replacement works by replacing the user's AS number in the AS-PATH with the operator's AS number before the PE router advertises the route to the user's CE. The remote CE then accepts the route, because its own AS number is no longer visible in the AS-PATH. When the AS replacement function is enabled, PE2 sees that the AS number of CE2 is 65000 and, before advertising the route to CE2, replaces AS-PATH 100 65000 with 100 100.

The command for configuring AS substitution in the Huawei VRP system is: peer { group-name | ipv4-address } substitute-as. The following output shows the relevant configuration on PE2; 10.1.35.1 is the address of CE2.

bgp 100
 ipv4-family vpn-instance VPN-A
  peer 10.1.35.1 substitute-as

Allow-as-loop:

Allow-as-loop is another solution. After this feature is enabled, the PE router does not need to check the AS-PATH attribute; instead, the CE router is allowed to receive BGP routes that carry its own AS number. The following output shows the CE end using the allow-as-loop feature to receive routes sent from the remote site, and how to enable the feature.

sysname CE
#
bgp 65000
 ipv4-family unicast
  peer 10.1.35.2 allow-as-loop
#

In a Hub-and-spoke networking environment, users may not want the Spoke sites to communicate directly, but to communicate through the Hub site. In that case the routes of the Spoke sites must first be advertised to the Hub site and then forwarded by the Hub site to the other sites. That is, after the CE router of the Hub site receives the route of a Spoke site, it needs to advertise it back to the PE router. Allow-as-loop must then be enabled on the PE router so that it can receive the route, as shown in the figure below:

In this case, for the route from the Spoke1 site to enter the operator's network again, the allow-as-loop feature must be enabled on PE2.
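The AS-PATH handling described in the two sections above, written as a small Python model. This is an added example, not code from the original page or from Huawei VRP: the function names are hypothetical, AS 100 and 65000 come from the page, and the Hub and Spoke AS numbers are constructed.

```python
# Constructed model of the eBGP AS-PATH loop check on the PE-CE link.
# Function names are hypothetical; AS 100 and 65000 come from the page,
# the Hub/Spoke AS numbers are constructed for the example.
PROVIDER_AS = 100
CUSTOMER_AS = 65000            # used by both Site1 and Site2
HUB_AS, SPOKE_AS = 65001, 65002


def pe_advertise_to_ce(as_path, peer_as, substitute_as=False):
    """AS-PATH the PE sends to its CE; as_path is what the VPNv4 route carries."""
    if substitute_as:
        # Replace the CE's own AS with the provider AS before advertising.
        as_path = [PROVIDER_AS if asn == peer_as else asn for asn in as_path]
    return [PROVIDER_AS] + as_path   # normal eBGP prepend


def ebgp_accepts(as_path, local_as, allow_as_loop=0):
    """Inbound loop check: tolerate at most allow_as_loop copies of local_as."""
    return as_path.count(local_as) <= allow_as_loop


def site1_route_at_ce2(substitute_as=False, allow_as_loop=0):
    """Follow a Site1 route (origin AS 65000) through PE2 to CE2."""
    path = pe_advertise_to_ce([CUSTOMER_AS], CUSTOMER_AS, substitute_as)
    return path, ebgp_accepts(path, CUSTOMER_AS, allow_as_loop)


def spoke_route_back_at_hub_pe(allow_as_loop=0):
    """Hub CE re-advertises a Spoke route to its PE; path already holds AS 100."""
    path = [HUB_AS, PROVIDER_AS, SPOKE_AS]
    return ebgp_accepts(path, PROVIDER_AS, allow_as_loop)


if __name__ == "__main__":
    cases = [("default", {}),
             ("substitute-as on PE2", {"substitute_as": True}),
             ("allow-as-loop on CE2", {"allow_as_loop": 1})]
    for label, kwargs in cases:
        path, ok = site1_route_at_ce2(**kwargs)
        print(f"{label:22} AS-PATH {path} -> {'accepted' if ok else 'discarded'}")
    print("hub PE, no allow-as-loop:", spoke_route_back_at_hub_pe())
    print("hub PE, allow-as-loop 1: ", spoke_route_back_at_hub_pe(1))
```

Both features make the route acceptable only by weakening the AS-PATH check, so the receiving router can no longer tell a legitimate remote-site route from one that has looped back.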

SoO:

In the previous notes, we mentioned that routing loops are prone to occur in a CE dual-homed MPLS VPN environment. Some methods of preventing loops were introduced earlier, as were two BGP features, AS replacement and allow-as-loop. These two features do their job, but they disable the AS-PATH anti-loop mechanism, which creates a latent risk of loops. As shown in the figure below, CE1 and CE2 are located at the same VPN site. CE1 is connected to PE1, and CE2 is connected to PE2. After receiving the route from CE1, PE1 advertises it to the other PEs (including PE2) through MP-iBGP, and PE2 then forwards the route to CE2. CE2 has already learned the route through the IGP in Site1, so this may cause a routing loop inside Site1.

In this case, it is best to use another BGP feature, SoO, to avoid the latent risk of loops. SoO (Site-of-Origin) identifies the site from which a route originated; it is a BGP extended community attribute used to prevent routing loops. SoO can be used only when BGP is the protocol between PE and CE. On a PE router configured with SoO, the PE stamps the SoO value on the VPNv4 routes it advertises to the other PEs. When a VPNv4 route carrying an SoO value is received from the public network, the PE checks whether that value is the same as the one configured locally; if it is, the route is not imported back into the VPN instance, which avoids advertising the route back to its source site, as shown in the following figure:

The following output shows the configuration method of SoO in the Huawei VRP system.

sysname PE2
#
bgp 100
 ipv4-family vpn-instance VPN-A
  peer 192.168.1.2 substitute-as
  peer 192.168.1.2 soo 100:101

PE2 applies the AS substitution feature to CE2 (192.168.1.2) and sets the SoO value to 100:101.
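The effect of the SoO check on the dual-homed site, as a small Python model of the outcome described above. This is an added example, not code from the original page or from Huawei VRP: class and function names are hypothetical, the CE1 address and the prefix are constructed, and the route is modelled as being withheld at the point where PE2 would hand it to CE2.

```python
# Constructed model of the SoO check for a dual-homed site (CE1-PE1, CE2-PE2).
# Names are hypothetical; AS numbers, CE2 address and SoO come from the page.
from dataclasses import dataclass, field

PROVIDER_AS = 100


@dataclass
class CePeer:
    address: str
    as_number: int
    substitute_as: bool = False
    soo: str = ""              # empty = SoO not configured for this peer


@dataclass
class Vpnv4Route:
    prefix: str
    as_path: list
    soo: set = field(default_factory=set)   # SoO extended communities


def pe_receive_from_ce(prefix, peer):
    """Ingress PE: route learned from the CE, stamped with that peer's SoO."""
    route = Vpnv4Route(prefix, [peer.as_number])
    if peer.soo:
        route.soo.add(peer.soo)
    return route


def pe_send_to_ce(route, peer):
    """Egress PE: AS-PATH sent to the CE, or None when SoO blocks the route."""
    if peer.soo and peer.soo in route.soo:
        return None            # route came from this peer's own site
    path = route.as_path
    if peer.substitute_as:
        path = [PROVIDER_AS if a == peer.as_number else a for a in path]
    return [PROVIDER_AS] + path


def site1_route_back_to_ce2(soo):
    """A Site1 prefix enters at PE1 via CE1; what does PE2 hand to CE2?"""
    ce1 = CePeer("192.0.2.1", 65000, soo=soo)       # constructed address
    ce2 = CePeer("192.168.1.2", 65000, substitute_as=True, soo=soo)
    return pe_send_to_ce(pe_receive_from_ce("198.51.100.0/24", ce1), ce2)


if __name__ == "__main__":
    print("without SoO:", site1_route_back_to_ce2(""))
    print("SoO 100:101:", site1_route_back_to_ce2("100:101"))
```

Without SoO the route returns to its own site with AS-PATH 100 100, which CE2's AS-PATH check cannot reject; with the same SoO on both attachment points it is never sent.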

Source of this material: "HCIE Routing Exchange Learning Guide"


Origin blog.csdn.net/tushanpeipei/article/details/113088352