INTER-AUTONOMOUS SYSTEM MPLS VPN: CONFIGURATION AND TROUBLESHOOTING


1 INTER-AUTONOMOUS SYSTEM MPLS VPN: CONFIGURATION AND TROUBLESHOOTING
DECEMBER 2003

2 Agenda
- Troubleshooting Commands
- Inter-AS Case Study
- Inter-AS Summary

3 BASIC TROUBLESHOOTING COMMANDS
MPLS VPN Inter-AS, 12/03 © 2003 Cisco Systems, Inc. All rights reserved. 3

4 Troubleshooting Commands
- Check the VRF routing table: show ip route vrf <vrf name>
  Check the imported route and its associated next-hop (NH) address
- Check the BGP VPNv4 table: show ip bgp vpnv4 all
  Check the routes associated with one RD with show ip bgp vpnv4 rd <rd>
- Check the CEF table: show ip cef vrf <vrf name>
  Entries for the prefixes imported from a neighbor
- Check the TFIB table: show tag forwarding (short for show tag-switching forwarding-table)

5 CASE STUDY

6 Inter-AS Case Study Agenda
- Introduction
- Configuration Analysis
- Backup path check
- Load Balancing VPNv4 prefixes across the Inter-AS paths
- Inter-AS Design Considerations
- Inter-AS Configurations

7 Introduction
- Case study scenario
- Setup
- Inter-AS VPN Distribution Methods
  - Next-Hop-Self Method
  - Redistribute Connected Subnet Method
  - Label Switch Path – Next-Hop-Self
  - Label Switch Path – Redistribute Connected Subnets

8 Case Study Scenario
- Two separate MPLS VPN networks (AS200 and AS300) that distribute VPN routes to each other
- Two Inter-AS (eBGP) connections: a primary and a backup path
- VPN traffic normally travels over the primary Inter-AS path and switches to the backup path if the primary fails
- Four VRFs are used in this example:
  - AS300: VRF green and VRF emerald sites
  - AS200: VRF red and VRF pink sites

9 Topology

10 IP Addressing for the Topology

11 Inter-AS Distribution Methods
- Next-hop-self method
  - The receiving ASBR changes the BGP next hop of every VPNv4 route learned from the other ASBR to its own address
  - Both the BGP label and the next hop are rewritten by the receiving ASBR, which has next-hop-self enabled towards its PE neighbours
- Redistribute-connected-subnets method
  - The next-hop address of the remote ASBR (the Inter-AS link subnet) is redistributed into the local IGP with the redistribute connected subnets command
  - Neither the BGP label nor the next hop is changed when the VPNv4 routes are advertised into the local AS
- Both methods are used in this case study: the ASBRs in AS200 set the next hop to themselves; the ASBRs in AS300 leave it unchanged and rely on a route in their IGP to the next-hop address of the ASBR in AS200

12 Inter-AS Case Study Specifications
- AS200 has three routers:
  - Primary ASBR: ASBR-A200 (the AS200 ASBRs use the next-hop-self method)
  - Backup ASBR / P router: ASBR-B200
  - PE: PE-200, with two VRFs: red and pink
- AS300 has three routers:
  - Primary ASBR: ASBR-A300 (the AS300 ASBRs use redistribute connected subnets)
  - Backup ASBR / P router: ASBR-B300
  - PE: PE-300, with two VRFs: green and emerald

13 Inter-AS Distribution: Next-Hop-Self Method on Primary path
1. PE-300 allocates the BGP label {161} to the VPNv4 route (RD 300:1) and sets the BGP next hop to the PE-300 loopback.
2. ASBR-A300 receives the VPNv4 update from PE-300 over the MP-iBGP session.
3. ASBR-A300 allocates a new local BGP label {164} for the VPNv4 route and sets the BGP next hop to its own interface address. The BGP VPNv4 table shows 164/161 as the tags used for the route (refer to Figure 21, TFIB on ASBR-A300).
4. ASBR-A200 receives the VPNv4 update from ASBR-A300 over the MP-eBGP session. Because next-hop-self is configured towards the PE neighbour PE-200, ASBR-A200 allocates a new local BGP label {23} and sets the next hop to its loopback. The BGP VPNv4 table shows 23/164 as the tags used for the route (refer to Figure 14, TFIB on ASBR-A200).
5. PE-200 receives the VPNv4 route and imports it into VRF red. To forward traffic, PE-200 pushes the BGP label {23} beneath the IGP label for the BGP next hop, the ASBR-A200 loopback.

14 Inter-AS Distribution: Next-Hop-Self Method
Changing the next hop to that of the local ASBR for all VPNv4 routes learnt from the other ASBR. Sample configuration for ASBR-A200 (the first neighbour block is the eBGP peer ASBR-A300, the second the iBGP peer PE-200):

 address-family vpnv4
  ! eBGP peer ASBR-A300
  neighbor activate
  neighbor send-community extended
  neighbor route-map SETMETRIC out
  ! iBGP peer PE-200
  neighbor activate
  neighbor next-hop-self
  neighbor send-community extended
  neighbor route-map INTER-AS in
 exit-address-family
 !
 ip extcommunity-list 10 permit rt 200:777
 access-list 1 permit any
 !
 route-map SETMETRIC permit 10
  match ip address 1
  set metric 50
 !
 route-map INTER-AS permit 10
  match extcommunity 10

15 Inter-AS Distribution: Redistribute Connected Subnet Method
- The ASBRs in AS300 use the redistribute connected subnets method to distribute the VPNv4 routes received from AS200
- The BGP next hop of the remote VPNv4 routes is not changed: it remains the address of ASBR-A200 (its interface address on the Inter-AS link), which the AS300 IGP must therefore be able to reach

16 Inter-AS Distribution: Label Switch Path – Next-Hop-Self

17 Inter-AS Distribution: Label Switch Path – Redistribute Connected Subnets
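The two label-switched paths of slides 13, 16 and 17 can be followed hop by hop in a small model. This is an added example, not code from the original deck: it keeps the deck's labels {161}, {164} and {23} for the next-hop-self direction and assumes everything else (the labels 16 to 20, 24 and 30; the symbolic addresses A200-lo, A200-link, A300-link, PE200-lo and PE300-lo; that ASBR-B200 and ASBR-B300 sit as P routers between each PE and its primary ASBR; and that ASBR-A300 advertises a real label for the Inter-AS link subnet so that it, not the P router, pops the transport label). Building the topology with redistribute_connected=False reproduces the failure mode of the second method: PE-300's VRF green route for a red prefix has a BGP next hop that the AS300 IGP cannot resolve, so the route is inaccessible.

```python
"""Label-switched-path model of the two Inter-AS distribution methods.

Added example, not code from the original deck.  The labels {161}, {164} and
{23} in the next-hop-self direction are the deck's; the remaining labels, the
symbolic addresses (A200-lo = ASBR-A200 loopback, A200-link = ASBR-A200's
address on the Inter-AS link, ...) and the placement of ASBR-B200 / ASBR-B300
as P routers between each PE and its primary ASBR are assumptions.
"""

# Per router:
#   lfib: in-label -> (action, out-label, next hop).  "swap" replaces the top
#         label, "pop" removes it, "vrf" delivers into the named VRF.  The next
#         hop is either a neighbour name (plain label switching) or a BGP
#         next-hop address that has to be resolved through igp/link.
#   igp:  address -> (LDP label, neighbour); label None means implicit-null,
#         i.e. penultimate-hop popping, so nothing is pushed.
#   link: address -> neighbour reached directly over the eBGP link (no IGP,
#         no LDP, so no transport label is pushed).


def resolve(routers, name, nh, stack):
    """Neighbour that `name` forwards to for `nh`; pushes the IGP label when
    LDP supplied one.  A BGP next hop that is in neither the IGP nor directly
    connected is the classic Inter-AS failure: the VPNv4 route is shown as
    inaccessible and is never installed in the VRF."""
    if nh in routers:
        return nh
    r = routers[name]
    if nh in r["link"]:
        return r["link"][nh]
    if nh in r["igp"]:
        ldp_label, nbr = r["igp"][nh]
        if ldp_label is not None:
            stack.insert(0, ldp_label)
        return nbr
    raise LookupError(f"{name}: BGP next hop {nh} not in IGP, route inaccessible")


def next_hop_usable(routers, pe, nh):
    """What `show ip bgp vpnv4 all` on the PE reports as valid vs. inaccessible."""
    return nh in routers[pe]["igp"] or nh in routers[pe]["link"]


def forward(routers, ingress, vrf_route):
    """Walk one packet from the ingress PE.  vrf_route is the (BGP label, BGP
    next hop) the ingress VRF holds for the destination.  Returns the list of
    (router, label stack on arrival) and the egress VRF."""
    bgp_label, bgp_nh = vrf_route
    stack = [bgp_label]
    trace = [(ingress, list(stack))]
    cur = resolve(routers, ingress, bgp_nh, stack)
    while True:
        trace.append((cur, list(stack)))
        action, out_label, nh = routers[cur]["lfib"][stack[0]]
        if action == "vrf":
            return trace, out_label
        stack.pop(0)
        if action == "swap":
            stack.insert(0, out_label)
        cur = resolve(routers, cur, nh, stack)


def build(redistribute_connected=True):
    """Case-study topology.  A green prefix (RD 300:1) reaches PE-200 by the
    next-hop-self method: PE-300 label 161 -> ASBR-A300 label 164 -> ASBR-A200
    label 23.  A red prefix (RD 200:1) reaches PE-300 by the redistribute-
    connected method: PE-200 allocates 24, ASBR-A200 allocates 30 when it
    advertises over eBGP, and ASBR-A300 passes label 30 and next hop A200-link
    through unchanged (24, 30 and the IGP labels 16-20 are assumed)."""
    return {
        "PE-200": {"lfib": {24: ("vrf", "red", None)},
                   "igp": {"A200-lo": (16, "ASBR-B200")}, "link": {}},
        "ASBR-B200": {"lfib": {16: ("pop", None, "ASBR-A200"),   # PHP for A200-lo
                               20: ("pop", None, "PE-200")},     # PHP for PE200-lo
                      "igp": {}, "link": {}},
        "ASBR-A200": {"lfib": {23: ("swap", 164, "A300-link"),  # next-hop-self label
                               30: ("swap", 24, "PE200-lo")},   # label allocated for eBGP
                      "igp": {"PE200-lo": (20, "ASBR-B200")},
                      "link": {"A300-link": "ASBR-A300"}},
        "ASBR-A300": {"lfib": {164: ("swap", 161, "PE300-lo"),
                               # transport label for the Inter-AS link subnet: pop it and
                               # send the packet, still carrying ASBR-A200's label 30,
                               # across the link.  ASBR-A300 has no entry for 30 itself.
                               19: ("pop", None, "A200-link")},
                      "igp": {"PE300-lo": (17, "ASBR-B300")},
                      "link": {"A200-link": "ASBR-A200"}},
        "ASBR-B300": {"lfib": {17: ("pop", None, "PE-300"),      # PHP for PE300-lo
                               18: ("swap", 19, "ASBR-A300")},   # transit for A200-link
                      "igp": {}, "link": {}},
        # PE-300 only knows A200-link when ASBR-A300 runs "redistribute connected
        # subnets", putting the Inter-AS /30 into OSPF where LDP labels it
        "PE-300": {"lfib": {161: ("vrf", "green", None)},
                   "igp": {"A200-link": (18, "ASBR-B300")} if redistribute_connected else {},
                   "link": {}},
    }


if __name__ == "__main__":
    for ingress, route, method in (("PE-200", (23, "A200-lo"), "next-hop-self"),
                                   ("PE-300", (30, "A200-link"), "redistribute connected")):
        trace, vrf = forward(build(), ingress, route)
        print(f"{method}: " + " -> ".join(f"{r}{s}" for r, s in trace) + f" => VRF {vrf}")
    try:
        forward(build(redistribute_connected=False), "PE-300", (30, "A200-link"))
    except LookupError as err:
        print("without redistribute connected subnets:", err)
```

The traces show the difference between the methods directly: in the next-hop-self direction PE-200 only ever resolves an AS200-internal address (the ASBR-A200 loopback) and the Inter-AS link address is never seen inside AS200, while in the redistribute-connected direction PE-300 must resolve ASBR-A200's link address through its own IGP, which is the dependency that `redistribute connected subnets` on the AS300 ASBRs satisfies.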

18 Backup path check
- Under normal circumstances all traffic between the Autonomous Systems travels along the primary eBGP path (the circuit between ASBR-A200 and ASBR-A300)
- This section verifies that the backup path works correctly if the primary path fails
- A simple test was executed with traffic originating from PE-300 and travelling to PE-200:
  - Shut down the primary interface on AS200
  - The backup path is selected on PE-300
- The primary interface was shut down on ASBR-A200 to simulate a simple failure. The test was repeated several times; it took between 16 and 24 seconds for the VPNv4 routes to be redistributed so that the backup path was selected.
- The BGP scan timers were reduced (bgp scan-time and bgp scan-time import in the ASBR-A300, ASBR-B300 and PE-300 configurations later in this deck) to speed up convergence; a lower scan-time makes BGP re-validate next hops more often at the cost of CPU. See also [3], page 255, for a detailed discussion of VPN convergence.

19 Backup path check: Traceroute on the primary path
PE-300#trace vrf green
Type escape sequence to abort.
Tracing the route to
  1   msec 4 msec 0 msec
  2   msec 4 msec 0 msec
  3   msec 4 msec 0 msec    <-- ASBR-A200 (primary)
  4   msec 0 msec 4 msec
  5   msec * 0 msec

20 Backup path check: Traceroute on the backup path
PE-300#trace vrf green
Type escape sequence to abort.
Tracing the route to
  1   msec 4 msec 0 msec
  2   msec 0 msec 4 msec    <-- ASBR-B200 (backup)
  3   msec * 0 msec

21 Load Balancing VPNv4 Prefixes Across the Inter-AS Paths
- Overview
- ASBR-200 configurations
- PE-200 configuration
- PE-300 VPNv4 BGP table

22 Load Balancing VPNv4 Prefixes Across the Inter-AS Paths: Topology

23 Load Balancing VPNv4 Prefixes Across the Inter-AS Paths: Goals and Specs
- Goal: load balance VPNv4 prefixes across both Inter-AS links from AS300 to AS200. There are two paths:
  - Gateway 1 (the path between ASBR-A200 and ASBR-A300): only VRF green traffic
  - Gateway 2 (the path between ASBR-B200 and ASBR-B300): only VRF emerald traffic
- ASBR-A200: accept routes only from VRF green
- ASBR-B200: accept routes only from VRF emerald
- If load balancing is required in both directions, mirror the ASBR-A200 configuration on ASBR-A300 and the ASBR-B200 configuration on ASBR-B300
- The INTER-AS route-map causes the AS200 ASBRs to accept only VPNv4 routes that carry the extended community 777:1 or 777:2. A VPNv4 route carries one or the other value, never both.
- Depending on the ASBR, the MED is set to 50 if that ASBR has been chosen as the primary for the route-target, or to 100 if it has not.

24 Load-balancing: VPNv4 Related Specifications
- MED is set at each gateway depending on the route-target (extended community) value on the VPNv4 route:
  - Route-target 777:1: primary Gateway 1 (MED 50); backup Gateway 2 (MED 100)
  - Route-target 777:2: primary Gateway 2 (MED 50); backup Gateway 1 (MED 100)
- Both gateways are configured to accept only VPNv4 routes that carry the extended community 777:1 or 777:2

25 Load Balancing Across the Inter-AS Paths: PE 200 Configuration
- The primary path for VRF pink is via ASBR-B200: all routes in VRF pink carry the route-target 777:2, so ASBR-A200 is the backup path (from the perspective of PE-300)
- The primary path for VRF red is via ASBR-A200; the backup path is via ASBR-B200

VRF    RD      RT on the exported route                     Primary (seen from PE-300)   Backup
Red    200:1   777:1 (the prefix selected by access-list 10)  ASBR-A200                  ASBR-B200
Red    200:1   200:1 only (all other red prefixes)            Denied by the INTER-AS route-map
Pink   200:2   777:2                                          ASBR-B200                  ASBR-A200

PE-300 should see the red routes via ASBR-A200 and the pink routes via ASBR-B200.

26 Load Balancing Across the Inter-AS Paths: PE 200 Configuration (Cont.)
ip vrf pink
 rd 200:2
 route-target export 200:2
 route-target export 777:2        <-- use ASBR-B200 as the primary path
 route-target import 200:2
 route-target import 300:2
!
ip vrf red
 rd 200:1
 export map OUT-INTER-AS
 route-target export 200:1
 route-target import 200:1
 route-target import 300:1
!
access-list 10 permit
!
route-map OUT-INTER-AS permit 10
 match ip address 10
 set extcommunity rt 777:1 additive   <-- use ASBR-A200 as the primary path

The PE-200 configuration has been modified slightly so that all routes in VRF pink carry the route-target 777:2 and hence use ASBR-B200 as the primary path and ASBR-A200 as the backup path (from PE-300's perspective). The prefix selected by the export map in VRF red uses ASBR-A200 as the primary path and ASBR-B200 as the backup path.

27 Load Balancing Across the Inter-AS Paths: ASBR-A200 Configuration
router bgp 200
 address-family vpnv4
  ! eBGP peer ASBR-A300
  neighbor activate
  neighbor send-community extended
  neighbor route-map SETMETRIC out
  ! iBGP peer PE-200
  neighbor activate
  neighbor next-hop-self
  neighbor send-community extended
  neighbor route-map INTER-AS in
 exit-address-family
!
ip extcommunity-list 10 permit rt 777:1
ip extcommunity-list 11 permit rt 777:2
!
route-map SETMETRIC permit 10
 match extcommunity 10
 set metric 50            <-- 777:1 is primary on ASBR-A200; the metric is 100 on ASBR-B200
!
route-map SETMETRIC permit 11
 match extcommunity 11
 set metric 100           <-- 777:2 is backup on ASBR-A200; the metric is 50 on ASBR-B200
!
route-map INTER-AS permit 10
 match extcommunity 10 11   <-- the AS200 ASBRs accept only VPNv4 routes that carry 777:1 or 777:2

28 Load Balancing Across the Inter-AS Paths: PE-300 VPNv4 BGP Table
PE-300#show ip bgp vpnv4 all
BGP table version is 99, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 200:1
*>i      /                                                    ?
* i                                                           ?
Route Distinguisher: 200:2
* i      /                                                    ?
*>i                                                           ?
* i      /                                                    ?
Route Distinguisher: 300:1 (default for vrf green)
*>i      /                                                    ?   <-- via ASBR-A200
*>       /                                                    ?
Route Distinguisher: 300:2 (default for vrf emerald)
*>i      /                                                    ?   <-- via ASBR-B200
*>i      /                                                    ?   <-- via ASBR-B200
*>       /                                                    ?

Note: this is the BGP VPNv4 table on PE-300 after the VPNv4 routes from AS200 have been redistributed with the new route-targets and MED values. The best routes have been chosen and imported into the green and emerald VRFs by lowest metric (MED); the next hop is ASBR-A200 for green and ASBR-B200 for emerald.
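As an added check that is not part of the original deck, the script below parses `show ip bgp vpnv4 all` output and verifies, for each local VRF RD, that every imported prefix is best via the ASBR the MED policy designates and that the chosen path really carries the lowest MED on offer. The sample table is constructed to mirror this slide: 10.23.1.1 stands for ASBR-A200, 10.23.2.1 for ASBR-B200, 172.16.1.0/24 is the red prefix carrying RT 777:1 and 172.16.2.0/24 a pink prefix carrying RT 777:2; all addresses, the table version and the router ID are assumptions. Two details matter when parsing this output: IOS prints additional paths for the same prefix with a blank Network column, so the prefix has to be carried forward, and a blank LocPrf on locally originated routes must not shift the Metric and Weight fields, so the numbers are read by their position under the header words.

```python
"""Check a `show ip bgp vpnv4 all` capture against the Inter-AS MED policy.

Added example, not code from the original deck.  SAMPLE is constructed to
mirror the PE-300 table on this slide; 10.23.1.1 stands for ASBR-A200 and
10.23.2.1 for ASBR-B200 (next hops after the AS200 ASBRs set next-hop-self),
172.16.1.0/24 is the VRF red prefix exported with RT 777:1, 172.16.2.0/24 a
VRF pink prefix exported with RT 777:2.  All addresses are assumptions."""
import re
from collections import defaultdict

SAMPLE = """\
BGP table version is 99, local router ID is 10.3.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 200:1
*>i172.16.1.0/24    10.23.1.1               50    100      0 200 ?
* i                 10.23.2.1              100    100      0 200 ?
Route Distinguisher: 200:2
* i172.16.2.0/24    10.23.1.1              100    100      0 200 ?
*>i                 10.23.2.1               50    100      0 200 ?
Route Distinguisher: 300:1 (default for vrf green)
*>i172.16.1.0/24    10.23.1.1               50    100      0 200 ?
*> 172.16.11.0/24   0.0.0.0                  0         32768 ?
Route Distinguisher: 300:2 (default for vrf emerald)
*>i172.16.2.0/24    10.23.2.1               50    100      0 200 ?
*> 172.16.12.0/24   0.0.0.0                  0         32768 ?
"""

RD_RE = re.compile(r"^Route Distinguisher: (\S+)")
# three status columns, the network (IOS leaves it blank on the second and
# later paths of the same prefix), then the next hop
PATH_RE = re.compile(r"^(?P<status>.{3})(?P<net>\S+)?\s+(?P<nh>\d+(?:\.\d+){3})")
# right edge of each numeric column and start of Path in the 12.x layout;
# replaced by the offsets read from the header line when one is present
DEFAULT_COLS = {"Metric": 46, "LocPrf": 53, "Weight": 60, "Path": 61}


def parse_vpnv4_table(text):
    """Return {rd: {prefix: [path, ...]}}; each path is a dict of attributes."""
    table = defaultdict(lambda: defaultdict(list))
    cols = dict(DEFAULT_COLS)
    rd = prefix = None
    for line in text.splitlines():
        if "Network" in line and "Next Hop" in line:
            cols = {n: line.index(n) + len(n) for n in ("Metric", "LocPrf", "Weight")}
            cols["Path"] = line.index("Path")
            continue
        m = RD_RE.match(line)
        if m:
            rd, prefix = m.group(1), None
            continue
        m = PATH_RE.match(line)
        if not m or rd is None:
            continue
        if m.group("net"):
            prefix = m.group("net")
        # each number goes to the column whose right edge it sits under, so a
        # blank Metric or LocPrf does not shift the remaining fields
        nums = {"Metric": None, "LocPrf": None, "Weight": None}
        for tok in re.finditer(r"\d+", line[m.end("nh"):cols["Path"]]):
            end = m.end("nh") + tok.end()
            nums[min(nums, key=lambda n: abs(cols[n] - end))] = int(tok.group())
        table[rd][prefix].append({
            "valid": "*" in m.group("status"),
            "best": ">" in m.group("status"),
            "internal": "i" in m.group("status"),
            "next_hop": m.group("nh"),
            # a missing MED compares as 0 unless bestpath med missing-as-worst is set
            "metric": nums["Metric"] if nums["Metric"] is not None else 0,
            "path": line[cols["Path"]:].strip(),
        })
    return table


def check_primary_paths(table, primary_by_rd):
    """primary_by_rd maps the RD of a local VRF to the next hop (ASBR) that the
    MED policy makes primary for it.  Returns a list of findings; an empty
    list means every imported prefix follows the policy."""
    findings = []
    for rd, expected_nh in primary_by_rd.items():
        for prefix, paths in table.get(rd, {}).items():
            inter_as = [p for p in paths if p["internal"]]
            if not inter_as:
                continue              # locally originated, not an Inter-AS route
            best = next((p for p in inter_as if p["best"]), None)
            if best is None:
                findings.append(f"{rd} {prefix}: no valid best path (BGP next hop unreachable?)")
                continue
            if best["next_hop"] != expected_nh:
                findings.append(f"{rd} {prefix}: best via {best['next_hop']}, policy expects {expected_nh}")
            lowest = min(p["metric"] for p in inter_as if p["valid"])
            if best["metric"] > lowest:
                findings.append(f"{rd} {prefix}: best MED {best['metric']} but MED {lowest} is available")
    return findings


PRIMARY_BY_RD = {"300:1": "10.23.1.1",   # green (RT 777:1): Gateway 1, ASBR-A200
                 "300:2": "10.23.2.1"}   # emerald (RT 777:2): Gateway 2, ASBR-B200

if __name__ == "__main__":
    for finding in check_primary_paths(parse_vpnv4_table(SAMPLE), PRIMARY_BY_RD) or ["policy holds"]:
        print(finding)
```

A path printed without the leading `*` is one whose BGP next hop is not reachable; on an ASBR or PE in the redistribute-connected design that is the first thing to look for when a prefix reports "no valid best path", because it means the remote ASBR's link address never made it into the local IGP.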

29 Configurations
- ASBR-A200
- ASBR-A300
- ASBR-B200
- ASBR-B300
- PE-200
- PE-300

30 Configurations: ASBR-A200
hostname ASBR-A200
!
logging rate-limit console 10 except errors
ip subnet-zero
no ip finger
no ip domain-lookup
ip cef distributed
call rsvp-sync
cns event-service server
!
interface Loopback0
 ip address
!
interface ATM1/0/0
 ip address
 ip route-cache distributed
 ip ospf network point-to-point
 no atm ilmi-keepalive
 pvc 1/102
  broadcast
  encapsulation aal5snap
 tag-switching ip
!
interface POS1/1/0
 ip address
 clock source internal
 pos ais-shut
 pos report lais
 pos report lrdi
!
router ospf 200
 log-adjacency-changes
 network area 0
 network area 0
!
router bgp 200
 no synchronization
 no bgp default ipv4-unicast
 no bgp default route-target filter
 bgp log-neighbor-changes
 neighbor remote-as 300
 neighbor remote-as 200
 neighbor update-source Loopback0
 !
 address-family vpnv4
  ! eBGP peer ASBR-A300
  neighbor activate
  neighbor send-community extended
  neighbor route-map SETMETRIC out
  ! iBGP peer PE-200
  neighbor activate
  neighbor next-hop-self
  neighbor send-community extended
  neighbor route-map INTER-AS in
 exit-address-family
!
ip kerberos source-interface any
ip classless
no ip http server
ip extcommunity-list 10 permit rt 200:777
access-list 1 permit any
!
route-map SETMETRIC permit 10
 match ip address 1
 set metric 50
!
route-map INTER-AS permit 10
 match extcommunity 10
!
end

31 Configurations: ASBR-A300
hostname ASBR-A300
!
logging rate-limit console 10 except errors
ip subnet-zero
no ip finger
no ip domain-lookup
ip cef distributed
tag-switching tag-range downstream
call rsvp-sync
cns event-service server
!
interface Loopback0
 ip address
!
interface ATM8/0/0
 ip address
 ip route-cache distributed
 ip ospf network point-to-point
 no atm ilmi-keepalive
 pvc 1/102
  broadcast
  encapsulation aal5snap
 tag-switching ip
!
interface POS8/1/0
 ip address
 pos ais-shut
 pos report lais
 pos report lrdi
!
router ospf 300
 log-adjacency-changes
 redistribute connected subnets
 network area 0
 network area 0
!
router bgp 300
 no synchronization
 no bgp default ipv4-unicast
 no bgp default route-target filter
 bgp log-neighbor-changes
 neighbor remote-as 200
 neighbor remote-as 300
 neighbor update-source Loopback0
 !
 address-family vpnv4
  ! eBGP peer ASBR-A200
  neighbor activate
  neighbor send-community extended
  neighbor route-map SETMETRIC out
  ! iBGP peer PE-300
  neighbor activate
  neighbor send-community extended
  bgp scan-time 10
  bgp scan-time import 10
 exit-address-family
!
ip kerberos source-interface any
ip classless
no ip http server
access-list 1 permit any
!
route-map SETMETRIC permit 10
 match ip address 1
 set metric 50
!
end

32 Configurations: ASBR-B200
hostname ASBR-B200
!
boot system disk0:c7200-js-mz T8.bin
logging rate-limit console 10 except errors
enable password cisco
! lab setting: enable password is stored in clear or reversible form; use enable secret with a strong password in production
ip subnet-zero
no ip finger
no ip domain-lookup
ip cef
call rsvp-sync
cns event-service server
!
interface Loopback0
 ip address
!
interface FastEthernet0/0
 ip address
 duplex full
 tag-switching ip
!
interface ATM3/0
 ip address
 ip ospf network point-to-point
 no atm ilmi-keepalive
 pvc 1/102
  broadcast
  encapsulation aal5snap
!
interface POS4/0
 ip address
 no ip route-cache cef
 clock source internal
!
interface FastEthernet6/0
 ip address
 duplex full
!
router ospf 200
 log-adjacency-changes
 network area 0
 network area 0
!
router bgp 200
 no synchronization
 no bgp default ipv4-unicast
 no bgp default route-target filter
 bgp log-neighbor-changes
 neighbor remote-as 300
 neighbor remote-as 200
 neighbor update-source Loopback0
 !
 address-family vpnv4
  ! eBGP peer ASBR-B300
  neighbor activate
  neighbor send-community extended
  neighbor route-map SETMETRIC out
  ! iBGP peer PE-200
  neighbor activate
  neighbor next-hop-self
  neighbor send-community extended
  neighbor route-map INTER-AS in
 exit-address-family
!
ip kerberos source-interface any
ip classless
no ip http server
ip extcommunity-list 10 permit rt 200:777
access-list 1 permit any
!
route-map SETMETRIC permit 10
 match ip address 1
 set metric 100
!
route-map INTER-AS permit 10
 match extcommunity 10
!
end

33 Configurations: ASBR-B300
hostname ASBR-B300
!
boot system disk0:c7200-js-mz T8.bin
logging rate-limit console 10 except errors
enable password cisco
! lab setting: enable password is stored in clear or reversible form; use enable secret with a strong password in production
ip subnet-zero
no ip finger
no ip domain-lookup
ip cef
tag-switching tag-range downstream
call rsvp-sync
cns event-service server
!
interface Loopback0
 ip address
!
interface FastEthernet0/0
 ip address
 duplex full
 tag-switching ip
!
interface ATM3/0
 ip address
 ip ospf network point-to-point
 no atm ilmi-keepalive
 pvc 1/102
  broadcast
  encapsulation aal5snap
!
interface POS4/0
 ip address
 no ip route-cache cef
!
router ospf 300
 log-adjacency-changes
 redistribute connected subnets
 network area 0
 network area 0
 network area 0
!
router bgp 300
 no synchronization
 no bgp default ipv4-unicast
 no bgp default route-target filter
 bgp log-neighbor-changes
 neighbor remote-as 200
 neighbor remote-as 300
 neighbor update-source Loopback0
 !
 address-family vpnv4
  ! eBGP peer ASBR-B200
  neighbor activate
  neighbor send-community extended
  neighbor route-map SETMETRIC out
  ! iBGP peer PE-300
  neighbor activate
  neighbor send-community extended
  bgp scan-time 10
  bgp scan-time import 10
 exit-address-family
!
ip kerberos source-interface any
ip classless
no ip http server
access-list 1 permit any
!
route-map SETMETRIC permit 10
 match ip address 1
 set metric 100
!
end

34 Configurations: PE-200
hostname PE-200
!
boot system disk0:c7200-js-mz.121-5c.E8.bin
ip subnet-zero
!
ip vrf pink
 rd 200:2
 route-target export 200:2
 route-target export 200:777
 route-target import 200:2
 route-target import 300:2
!
ip vrf red
 rd 200:1
 export map OUT-INTER-AS
 route-target export 200:1
 route-target import 200:1
 route-target import 300:1
!
ip cef
tag-switching tdp router-id Loopback0
cns event-service server
!
interface Loopback0
 ip address
!
interface Loopback10
 ip vrf forwarding red
 ip address
!
interface Loopback11
 ip vrf forwarding pink
 ip address
!
interface FastEthernet4/0
 ip address
 no ip route-cache cef
 duplex full
 tag-switching ip
!
router ospf 200
 log-adjacency-changes
 network area 0
 network area 0
!
router bgp 200
 no synchronization
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor remote-as 200
 neighbor update-source Loopback0
 neighbor remote-as 200
 neighbor update-source Loopback0
 default-information originate
 !
 address-family ipv4 vrf red
  redistribute connected
  redistribute static
  no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf pink
 exit-address-family
 !
 address-family vpnv4
  ! iBGP peers ASBR-A200 and ASBR-B200
  neighbor activate
  neighbor send-community extended
  neighbor activate
  neighbor send-community extended
 exit-address-family
!
ip classless
ip route vrf red Loopback
ip route vrf pink Loopback
no ip http server
access-list 10 permit
!
route-map OUT-INTER-AS permit 10
 match ip address 10
 set extcommunity rt 200:777 additive
!
end

35 Configurations: PE-300
hostname PE-300
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
ip vrf emerald
 rd 300:2
 route-target export 300:2
 route-target import 300:2
 route-target import 200:2
!
ip vrf green
 rd 300:1
 route-target export 300:1
 route-target import 300:1
 route-target import 200:1
!
ip cef
tag-switching tag-range downstream
cns event-service server
!
interface Loopback0
 ip address
!
interface Loopback10
 ip vrf forwarding green
 ip address
!
interface Loopback11
 ip vrf forwarding emerald
 ip address
!
interface ATM1/0
 no ip address
 no ip route-cache cef
 no atm ilmi-keepalive
!
interface FastEthernet4/0
 ip address
 duplex full
 tag-switching ip
!
router ospf 300
 log-adjacency-changes
 network area 0
 network area 0
!
router bgp 300
 no synchronization
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor remote-as 300
 neighbor update-source Loopback0
 neighbor remote-as 300
 neighbor update-source Loopback0
 !
 address-family ipv4 vrf green
  redistribute connected
  no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf emerald
 exit-address-family
 !
 address-family vpnv4
  ! iBGP peers ASBR-A300 and ASBR-B300
  neighbor activate
  neighbor send-community extended
  neighbor activate
  neighbor send-community extended
  bgp scan-time 15
  bgp scan-time import 10
 exit-address-family
!
ip classless
no ip http server
tftp-server disk0:c7200-js-mz.121-5c.E8.bin
!
end

36 INTER-AS SUMMARY

37 Inter-AS Summary
Service Providers have deployed Inter-AS for:
- Scalability
- Partitioning the network along service or management boundaries
- Partnerships: contract work is in progress among Service Providers to offer end-to-end VPN services to a common customer base
The Service Provider networks remain completely separate:
- They do not need to exchange internal prefix or label information
- Each Service Provider establishes a direct MP-eBGP session with the others to exchange VPN-IPv4 addresses with labels
- A /32 route to reach the peer ASBR is created by default, so the ASBRs can communicate without an IGP; when the next hop is left unchanged, that next-hop address must be redistributed into the receiving Service Provider's IGP

38 Inter-AS Summary (Cont.)
- IGP or LDP across the ASBR links is not required: labels are already assigned to the routes when they are exchanged via MP-eBGP
- The interface used to establish the MP-eBGP session does not need to be associated with a VRF
- Direct eBGP routes and labels can be exchanged
- Next-hop-self can be turned on on the ASBRs, so that the ASBR uses its own address as the next hop
- Using next-hop-self requires an additional TFIB entry (about 180 bytes) for each VPNv4 route
- If the Service Provider wishes to hide the Inter-AS link addresses, use the next-hop-self method; otherwise use the redistribute connected subnets method

39 Inter-AS Summary (Cont.)
- VPNv4 routes can also be exchanged over multi-hop MP-eBGP sessions between the Service Providers, without the ASBRs having to re-advertise them
- VRFs do not have to be configured on the ASBRs because bgp default route-target filter (automatic route-target filtering) has been disabled
- With automatic route-target filtering disabled, an ASBR accepts every VPNv4 route its peer sends, so the inbound route-map is the only control over what the neighbouring AS can inject. To conserve memory on both sides of the boundary and as a simple form of security, always configure inbound route-maps so that only the routes that need to be passed to the other AS are accepted

40 References
- Inter-AS for MPLS VPNs, CCO documentation: 121newft/121t/121t5/interas.htm
- MPLS and VPN Architectures, Jim Guichard and Ivan Pepelnjak, ISBN:
- Support for Inter-provider MPLS VPN, ENG, Dan Tappan (internal only)


