BGP allowas-in

maosa7578

Could someone explain to me about the BGP allowas-in configuration as it relates to MPLS VPN? Why do I need it, when do I need it? It would help to explain in parallel with as-override, as I get mixed between the application of the two.

Thanks

Herbert.

Accepted Solution

pkhatri

Here's how AS-override works:

- this is used when two or more CEs for a customer use the same BGP AS# (quite common)

- the PE looks at the first AS# in the AS-PATH of the route being advertised to a CE. If this is equal to the AS# of the CE it is advertising the route to, it is replaced by the provider's own AS#. This works even if there are multiple occurrences of the AS# (due to ASPATH prepending).

- the impact of the above will be that the ASPATH of the route received by the CE will have at least two occurrences of the provider's own AS#.

Here's how allowas-in works:

- this is used in situations where a customer site links 2 VPNs, e.g. a site has 2 links, where each terminates on a different VRF on the PE

- this is also applicable in cases where a CE is multi-homed to 2 PE routers (same VRF)

- now, when the CE advertises a route learned from one of the PEs to another, the PE will drop the route because it contains its own AS# (since the route was learned from another PE in the first place).

- the use of allowas-in disables this check on the PE

- you can specify the maximum amount of occurrences of the PE router's AS# in the ASPATH to prevent loops

You can also use the Site-of-Origin attribute to prevent advertising routes out to a site from which they were originally learned.

Hope that helps - pls rate the post if it does.

Paresh
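
The two behaviours described in the answer above, modelled as a toy AS_PATH loop check in Python. This is an added example, not code from the original post or from any router implementation; the AS numbers (64500, 65001, 65002) and all function names are assumptions chosen for illustration.

```python
# Added illustration: a toy model of the eBGP AS_PATH loop check.
# All AS numbers are constructed (64500 = provider, 65001/65002 = customer).

def accepts(as_path, local_as, allowas_in=0):
    """Receiver-side loop check: by default a route is dropped if the
    receiver's own AS appears in AS_PATH; allowas-in N tolerates up to N."""
    return as_path.count(local_as) <= allowas_in


def pe_advertise(as_path, provider_as, ce_as, as_override=False):
    """PE -> CE eBGP advertisement. With as-override, the leading run of the
    CE's AS (one entry, or several if prepended) becomes the provider AS,
    following the description in the answer above."""
    path = list(as_path)
    if as_override:
        i = 0
        while i < len(path) and path[i] == ce_as:
            path[i] = provider_as
            i += 1
    return [provider_as] + path  # normal eBGP prepend of the sender's AS


PROVIDER, CUSTOMER = 64500, 65001


def same_as_sites(as_override, prepends=1):
    """Site 1 originates a route; the PE advertises it to site 2 (same AS)."""
    vpn_path = [CUSTOMER] * prepends
    to_ce2 = pe_advertise(vpn_path, PROVIDER, CUSTOMER, as_override)
    return to_ce2, accepts(to_ce2, CUSTOMER)


def multihomed_readvertise(allowas_in, provider_hops=1):
    """CE re-advertises a route it learned from one PE to the other PE."""
    from_ce = [CUSTOMER] + [PROVIDER] * provider_hops + [65002]
    return accepts(from_ce, PROVIDER, allowas_in)


if __name__ == "__main__":
    print(same_as_sites(False))            # CE2 drops: its own AS is in the path
    print(same_as_sites(True))             # override applied, CE2 accepts
    print(same_as_sites(True, prepends=3)) # prepended copies are rewritten too
    print(multihomed_readvertise(0), multihomed_readvertise(1))
    print(multihomed_readvertise(1, provider_hops=2))  # exceeds the bound
```

The last call shows why the occurrence limit matters: a path that carries the provider's AS more often than the configured bound is still rejected, so a genuinely looping advertisement does not circulate indefinitely.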

Thanks Paresh, very helpful explanation.

Is it safe to say in a multi-homed CE environment you will always use SoO and allowas-in?

Herbert.

Hi Herbert,

You don't always have to... sometimes the setup is such that these looping situations will just not occur. But it does not do any harm. Also, SoO is quite useful when you are running non-BGP PE-CE protocols in addition to BGP...

Hope that helps,

Paresh

Hi

Yes. I just saw this command being used in a multihoming environment. I have tested our multihoming and it works as expected.

jasrine47

http://ciscorouterconfig.blogspot.com/