How to configure Cisco IOS MPLS PE-CE BGP routing


This post summarizes how to use BGP as the PE-CE routing protocol in an MPLS VPN. For end-to-end reachability, the BGP IPv4 routes learned from the CEs must be propagated between the PEs through BGP VPNv4.

Command list

The commands that matter in this scenario are as follows.

Router(config)# router bgp <local_as>
Router(config-router)# address-family ipv4 vrf <vrf>
Router(config-router-af)# neighbor <addr> remote <remote_as>

Router(config)# router bgp <local_as>
Router(config-router)# neighbor <addr> allowas-in

Router(config)# router bgp <local_as>
Router(config-router)# address-family ipv4 vrf <vrf>
Router(config-router-af)# neighbor <addr> as-override

Topology

The configuration is verified on the topology below. MPLS neighbors and BGP VPNv4 neighbors between the PE routers are already established.

                                               VPN
                                       e0/1    e0/0      e0/0
                                       .3+--------+.3      .5+--------+
                   VPN             ┌----+  PE3   +----------+  CE5   +
         e0/0      e0/0      e0/1  │    +--------+          +---+----+
 +--------+.1      .2+--------+.2  │           192.168.35.0/24  │.5 e0/1
 |  CE1   +----------+  PE2   +----┤          VPN               │     192.168.56.0/24
 +--------+          +--------+    │  e0/1    e0/0      e0/0    │.6 e0/1
        192.168.12.0/24            │  .4+--------+.4      .6+---+----+
                                   └----+  PE4   +----------+  CE6   +
                                         +--------+          +--------+
                             155.1.234.0/24     192.168.46.0/24

 CE1 Loopback0       PE2 Loopback0       PE3 Loopback0      CE5 Loopback0
 10.1.1.1/32         150.1.2.2/32        150.1.3.3/32       10.5.5.5/32

                                         PE4 Loopback0      CE6 Loopback0
                                         150.1.4.4/32       10.6.6.6/32

 [CE1]
router bgp 65156
 no synchronization
 network 10.1.1.1 mask 255.255.255.255
 network 192.168.12.0
 neighbor 192.168.12.2 remote-as 234
 no auto-summary

 [PE2]
ip vrf VPN
 rd 234:1
 route-target export 234:1
 route-target import 234:1
!
interface Ethernet0/0
 ip vrf forwarding VPN
 ip address 192.168.12.2 255.255.255.0
!
router ospf 1
 network 150.1.2.2 0.0.0.0 area 0
 network 155.1.234.2 0.0.0.0 area 0
!
router bgp 234
 no bgp default ipv4-unicast
 neighbor 150.1.3.3 remote-as 234
 neighbor 150.1.3.3 update-source Loopback0
 neighbor 150.1.4.4 remote-as 234
 neighbor 150.1.4.4 update-source Loopback0
 !
 address-family vpnv4
  neighbor 150.1.3.3 activate
  neighbor 150.1.3.3 send-community extended
  neighbor 150.1.4.4 activate
  neighbor 150.1.4.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN
  no synchronization
 exit-address-family

 [PE3]
<omitted>

 [PE4]
<omitted>

 [CE5]
<omitted>

 [CE6]
<omitted>

The full configurations are in the files below; refer to them for the details.

CE1
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CE1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface Ethernet0/0
 ip address 192.168.12.1 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router bgp 65156
 no synchronization
 bgp log-neighbor-changes
 network 10.1.1.1 mask 255.255.255.255
 network 192.168.12.0
 neighbor 192.168.12.2 remote-as 234
 no auto-summary
!
ip http server
ip forward-protocol nd
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
PE2
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip vrf VPN
 rd 234:1
 route-target export 234:1
 route-target import 234:1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 150.1.2.2 255.255.255.255
!
interface Ethernet0/0
 ip vrf forwarding VPN
 ip address 192.168.12.2 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 155.1.234.2 255.255.255.0
 half-duplex
 mpls ip
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router ospf 1
 log-adjacency-changes
 network 150.1.2.2 0.0.0.0 area 0
 network 155.1.234.2 0.0.0.0 area 0
!
router bgp 234
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 150.1.3.3 remote-as 234
 neighbor 150.1.3.3 update-source Loopback0
 neighbor 150.1.4.4 remote-as 234
 neighbor 150.1.4.4 update-source Loopback0
 !
 address-family vpnv4
  neighbor 150.1.3.3 activate
  neighbor 150.1.3.3 send-community extended
  neighbor 150.1.4.4 activate
  neighbor 150.1.4.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN
  no synchronization
 exit-address-family
!
ip http server
ip forward-protocol nd
!
!
!
!
!
mpls ldp router-id Loopback0 force
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
PE3
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip vrf VPN
 rd 234:1
 route-target export 234:1
 route-target import 234:1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 150.1.3.3 255.255.255.255
!
interface Ethernet0/0
 ip vrf forwarding VPN
 ip address 192.168.35.3 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 155.1.234.3 255.255.255.0
 half-duplex
 mpls ip
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router ospf 1
 log-adjacency-changes
 network 150.1.3.3 0.0.0.0 area 0
 network 155.1.234.3 0.0.0.0 area 0
!
router bgp 234
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 150.1.2.2 remote-as 234
 neighbor 150.1.2.2 update-source Loopback0
 neighbor 150.1.4.4 remote-as 234
 neighbor 150.1.4.4 update-source Loopback0
 !
 address-family vpnv4
  neighbor 150.1.2.2 activate
  neighbor 150.1.2.2 send-community extended
  neighbor 150.1.4.4 activate
  neighbor 150.1.4.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN
  no synchronization
 exit-address-family
!
ip http server
ip forward-protocol nd
!
!
!
!
!
mpls ldp router-id Loopback0 force
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
PE4
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip vrf VPN
 rd 234:1
 route-target export 234:1
 route-target import 234:1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 150.1.4.4 255.255.255.255
!
interface Ethernet0/0
 ip vrf forwarding VPN
 ip address 192.168.46.4 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 155.1.234.4 255.255.255.0
 half-duplex
 mpls ip
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router ospf 1
 log-adjacency-changes
 network 150.1.4.4 0.0.0.0 area 0
 network 155.1.234.4 0.0.0.0 area 0
!
router bgp 234
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 150.1.2.2 remote-as 234
 neighbor 150.1.2.2 update-source Loopback0
 neighbor 150.1.3.3 remote-as 234
 neighbor 150.1.3.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 150.1.2.2 activate
  neighbor 150.1.2.2 send-community extended
  neighbor 150.1.3.3 activate
  neighbor 150.1.3.3 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN
  no synchronization
 exit-address-family
!
ip http server
ip forward-protocol nd
!
!
!
!
!
mpls ldp router-id Loopback0 force
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
CE5
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CE5
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.5.5.5 255.255.255.255
!
interface Ethernet0/0
 ip address 192.168.35.5 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.56.5 255.255.255.0
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router bgp 65156
 no synchronization
 bgp log-neighbor-changes
 network 10.5.5.5 mask 255.255.255.255
 network 192.168.35.0
 network 192.168.56.0
 neighbor 192.168.35.3 remote-as 234
 neighbor 192.168.56.6 remote-as 65156
 no auto-summary
!
ip http server
ip forward-protocol nd
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
CE6
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CE6
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.6.6.6 255.255.255.255
!
interface Ethernet0/0
 ip address 192.168.46.6 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.56.6 255.255.255.0
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router bgp 65156
 no synchronization
 bgp log-neighbor-changes
 network 10.6.6.6 mask 255.255.255.255
 network 192.168.46.0
 network 192.168.56.0
 neighbor 192.168.46.4 remote-as 234
 neighbor 192.168.56.5 remote-as 65156
 no auto-summary
!
ip http server
ip forward-protocol nd
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

Explanation

PE-CE BGP routing

To configure BGP routing between PE and CE, define the BGP neighbor under "address-family ipv4 vrf VPN" as shown below. Unlike IGPs such as RIP and OSPF, no redistribution is required.

Router(config)# router bgp <local_as>
Router(config-router)# address-family ipv4 vrf <vrf>
Router(config-router-af)# neighbor <addr> remote <remote_as>

Duplicate AS numbers

When the CEs use the same AS number, prefixes are not exchanged because the receiver detects an AS_PATH loop. In that case, the following command makes the router accept the prefix even though an AS_PATH loop is present.

Router(config)# router bgp <local_as>
Router(config-router)# neighbor <addr> allowas-in

The as-override keyword is another way to handle duplicate AS numbers. The PE overwrites the AS number added by the remote CE with its own AS number, so the duplicate AS never appears in the path the CE receives.

Router(config)# router bgp <local_as>
Router(config-router)# address-family ipv4 vrf <vrf>
Router(config-router-af)# neighbor <addr> as-override

Both allowas-in and as-override permit duplicate AS numbers, and therefore carry a latent risk of routing loops. Verifying that is left for another time, but SOO (Site of Origin) is sometimes used to prevent such loops.
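The AS_PATH handling described above, as an added example that is not part of the original post: a small Python model of how a CE in AS 65156 treats a prefix from the other VPN site under plain loop detection, allowas-in, and as-override, using the AS numbers from this page. The function names, the SOO string, and the simplification to the AS_PATH attribute alone are assumptions of this example.

```python
# Added example (not from the original post): models only the AS_PATH
# attribute for the page's topology; prefixes and next hops are omitted.
from typing import List, Optional, Tuple

AS_PE = 234      # provider AS shared by PE2, PE3 and PE4
AS_CE = 65156    # customer AS shared by CE1, CE5 and CE6


def ebgp_advertise(local_as: int, as_path: List[int]) -> List[int]:
    """An eBGP speaker prepends its own AS when it sends an UPDATE."""
    return [local_as] + as_path


def as_override(local_as: int, neighbor_as: int, as_path: List[int]) -> List[int]:
    """PE 'neighbor ... as-override': every occurrence of the CE's AS in
    the path is replaced by the PE's own AS before the update is sent."""
    return [local_as if asn == neighbor_as else asn for asn in as_path]


def accept_update(local_as: int, as_path: List[int], allowas_in: int = 0) -> bool:
    """Receiver-side loop check. With allowas_in == 0 any occurrence of
    the local AS in AS_PATH is an 'AS_PATH loop' and the prefix is
    dropped. 'neighbor ... allowas-in [n]' tolerates up to n occurrences
    (IOS uses 3 when n is omitted)."""
    return as_path.count(local_as) <= allowas_in


def soo_accept(route_soo: Optional[str], site_soo: str) -> bool:
    """Site-of-Origin check on a PE: a route carrying this site's SOO
    extended community must not be sent back into the same site.
    The SOO value format used by the caller is an assumption."""
    return route_soo != site_soo


def ce_to_ce_path(mode: str) -> Tuple[List[int], bool]:
    """Trace 10.5.5.5/32 from CE5 to CE1 as on the page and return
    (AS_PATH as received by CE1, accepted?). mode is one of
    'plain', 'allowas-in' or 'as-override'."""
    path = ebgp_advertise(AS_CE, [])            # CE5 -> PE3: [65156]
    # PE3 -> PE2 over iBGP vpnv4 leaves AS_PATH unchanged
    if mode == "as-override":
        path = as_override(AS_PE, AS_CE, path)  # PE2 rewrites 65156 -> 234
    path = ebgp_advertise(AS_PE, path)          # PE2 -> CE1 prepends 234
    allow = 3 if mode == "allowas-in" else 0    # allowas-in without a count
    return path, accept_update(AS_CE, path, allow)


if __name__ == "__main__":
    for mode in ("plain", "allowas-in", "as-override"):
        print(mode, ce_to_ce_path(mode))
```

The three modes reproduce what the page shows later: the prefix is dropped as an AS_PATH loop, accepted with path "234 65156" under allowas-in, and accepted with path "234 234" under as-override.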

PE-CE BGP routing

Configuration

Define BGP routing between each PE and its CE.

 [PE2]
router bgp 234
 address-family ipv4 vrf VPN
  neighbor 192.168.12.1 remote 65156

 [PE3]
router bgp 234
 address-family ipv4 vrf VPN
  neighbor 192.168.35.5 remote 65156

 [PE4]
router bgp 234
 address-family ipv4 vrf VPN
  neighbor 192.168.46.6 remote 65156

Connectivity check

Confirm that the VPN sites can reach each other.

 [PE2]
PE2#ping vrf VPN 192.168.46.4 source 192.168.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.46.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.12.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/62/84 ms
PE2#

Let us also check what the BGP table for address-family vpnv4 looks like.

 [PE2]
PE2#show bgp vpnv4 unicast all summary
BGP router identifier 150.1.2.2, local AS number 234
BGP table version is 14, main routing table version 14
7 network entries using 959 bytes of memory
12 path entries using 816 bytes of memory
4/2 BGP path/bestpath attribute entries using 496 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2319 total bytes of memory
BGP activity 7/0 prefixes, 17/5 paths, scan interval 15 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
150.1.3.3       4   234      28      27       14    0    0 00:23:42        5
150.1.4.4       4   234      32      28       14    0    0 00:22:38        5
192.168.12.1    4 65156      21      21       14    0    0 00:16:05        2
PE2#
PE2#
PE2#show bgp vpnv4 unicast all
BGP table version is 14, local router ID is 150.1.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 234:1 (default for vrf VPN)
*> 10.1.1.1/32      192.168.12.1             0             0 65156 i
* i10.5.5.5/32      150.1.4.4                0    100      0 65156 i
*>i                 150.1.3.3                0    100      0 65156 i
* i10.6.6.6/32      150.1.4.4                0    100      0 65156 i
*>i                 150.1.3.3                0    100      0 65156 i
r> 192.168.12.0     192.168.12.1             0             0 65156 i
* i192.168.35.0     150.1.4.4                0    100      0 65156 i
*>i                 150.1.3.3                0    100      0 65156 i
* i192.168.46.0     150.1.4.4                0    100      0 65156 i
*>i                 150.1.3.3                0    100      0 65156 i
* i192.168.56.0     150.1.4.4                0    100      0 65156 i
*>i                 150.1.3.3                0    100      0 65156 i
PE2#

Duplicate AS numbers

When the CEs use different AS numbers, the configuration above is enough for connectivity. When the CEs use the same AS number, however, the received prefixes are treated as an AS_PATH loop, and CE1's BGP table contains no prefixes at all.

 [CE1]
CE1#show ip route bgp

CE1#
CE1#
CE1#show ip bgp neighbors 192.168.12.2 | begin For address family: IPv4 Unicast
 For address family: IPv4 Unicast
  BGP table version 5, neighbor version 5/0
 Output queue size : 0
  Index 1, Offset 0, Mask 0x2
  1 update-group member
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               2          0
    Prefixes Total:                 2          0
    Implicit Withdraw:              0          0
    Explicit Withdraw:              0          0
    Used as bestpath:             n/a          0
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    AS_PATH loop:                       n/a          5
    Total:                                0          5
  Number of NLRIs in the update sent: max 2, min 2

  Connections established 2; dropped 1
  Last reset 00:31:15, due to Peer closed the session
Connection state is ESTAB, I/O status: 1, unread input bytes: 0

CE1#

To deal with this, the duplicate AS number must be handled with a keyword such as allowas-in or as-override.

allowas-in

Configuration

Allow the duplicate AS number on the CE routers.

 [CE1]
router bgp 65156
 neighbor 192.168.12.2 allowas-in

 [CE5]
router bgp 65156
 neighbor 192.168.35.3 allowas-in

 [CE6]
router bgp 65156
 neighbor 192.168.46.4 allowas-in

Connectivity check

Confirm that the CEs can now reach each other.

 [CE1]
CE1#ping 10.5.5.5 source Loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/69/96 ms
CE1#
CE1#
CE1#show ip bgp
BGP table version is 20, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.1.1.1/32      0.0.0.0                  0         32768 i
*> 10.5.5.5/32      192.168.12.2                           0 234 65156 i
*> 10.6.6.6/32      192.168.12.2                           0 234 65156 i
*> 192.168.12.0     0.0.0.0                  0         32768 i
*> 192.168.35.0     192.168.12.2                           0 234 65156 i
*> 192.168.46.0     192.168.12.2                           0 234 65156 i
*> 192.168.56.0     192.168.12.2                           0 234 65156 i
CE1#

as-override

Configuration

Remove the allowas-in configuration entered earlier.

 [CE1]
router bgp 65156
 no neighbor 192.168.12.2 allowas-in

 [CE5]
router bgp 65156
 no neighbor 192.168.35.3 allowas-in

 [CE6]
router bgp 65156
 no neighbor 192.168.46.4 allowas-in

Then configure as-override on the PE routers.

 [PE2]
router bgp 234
 address-family ipv4 vrf VPN
  neighbor 192.168.12.1 as-override

 [PE3]
router bgp 234
 address-family ipv4 vrf VPN
  neighbor 192.168.35.5 as-override

 [PE4]
router bgp 234
 address-family ipv4 vrf VPN
  neighbor 192.168.46.6 as-override

Connectivity check

Confirm that the CEs can reach each other, and that AS number 65156 has been replaced by 234 in the received paths.

 [CE1]
CE1#ping 10.6.6.6 source Loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.6.6, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/67/76 ms
CE1#
CE1#
CE1#show ip bgp
BGP table version is 30, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.1.1.1/32      0.0.0.0                  0         32768 i
*> 10.5.5.5/32      192.168.12.2                           0 234 234 i
*> 10.6.6.6/32      192.168.12.2                           0 234 234 i
*> 192.168.12.0     0.0.0.0                  0         32768 i
*> 192.168.35.0     192.168.12.2                           0 234 234 i
*> 192.168.46.0     192.168.12.2                           0 234 234 i
*> 192.168.56.0     192.168.12.2                           0 234 234 i
CE1#