BGP Backdoor MPLS

cisc0.ameer
Level 1

Hello,

I have the scenario below.

P routers include: R1, R2, R3, R4

PE routers include: R5, R55, R12, R13

CE routers include: R6, R7, R10, R11

The 2 green circles indicate 2 prefixes, suppose: 1.1.1.0/24 & 2.2.2.0/24

We have an MPLS core backbone, but for these 2 green circles we prefer that traffic flows through router 8 and router 9 (the traffic flow is shown by the right green arrow).

My question is: on which router (PE or CE), and which one, should we run the bgp backdoor command to achieve this task? Please explain a little bit.

Thanks

 

mplss.png

Accepted Solution

Hello cisc0.ameer,

Yes, for making effective use of network ... backdoor on CE routers, R8 has to redistribute into an IGP spoken with R6, R7, and the same for R9: it should redistribute the eBGP prefix into an IGP spoken by R9, R10, R11.

 

>> Yes, PE nodes uses as-override command

In any case eBGP prefixes coming on the MPLS L3 VPN will have a longer AS path compared to direct eBGP R8/R9.

 

>> You mean if the prefix (green circle) goes via R8-R9 and we have 1 path in AS_PATH SEQ, it's preferred to going via CE-PE (MPLS L3) and the occurrence of 2 paths in AS_PATH, so YES YES I have to be careful about this. How many paths are there to reach the other side's green circle (perfect point... THANKS)

It is the opposite :

the direct eBGP session will provide the best paths (unless using local preference on CE nodes) for the shorter AS path in comparison to eBGP prefixes learned from PE nodes, so you should advertise over it only the prefixes that you want to use the direct R8-R9 link.

(the shortest AS path is preferred: AS path length 1 is better than AS path length 2).

 

>> But i am still not understanding why we should put command on CE routers ?

 

Only CE routers can have an IGP adjacency with R8 in site 1 and with R9 in site 2.

The network .... backdoor is useful when you want to prefer an IGP route over an eBGP route.

 

The PE nodes have just eBGP sessions with directly connected CE nodes. There is no chance for them to receive an IGP route from R8 or from R9.

You should enable an IGP in VRF just to receive a prefix that should be preferred over the MP iBGP prefix coming from PE nodes serving the other VRF site. It is a waste of resources.

However, PE nodes could receive the best route chosen by CE nodes coming from R8 on site 1 in the scenario of iBGP between R8 and R6,R7 and iBGP between R9 and R10,R11.

I think you need to use appropriate route filters to avoid installation of the route(s) originated on R8/R9 eBGP session on the PE nodes in the only BGP scenario ( eBGP on R8/R9 + iBGP inside each VRF site).

Explanation:

You don't want PE nodes to prefer the route coming from eBGP session R8/R9 and describing the prefix of the other site over the MP iBGP routes received by other PE nodes.

PE nodes R5 and R55 should accept only routes related to site 1 subnets

PE nodes R12, R13 should accept only routes related to site 2 subnets.

 

As an alternative way to deal with this, CE nodes should advertise only prefixes that are local with AS path empty.

ip as-path access-list 1 permit ^$

route-map SEND-ONLY-LOCAL-ROUTES permit 10
 match as-path 1

on CE nodes R6, R7 and R10, R11

in bgp

neighbor <PE-address-in-VRF> route-map SEND-ONLY-LOCAL-ROUTES out

 

This works because the local AS number is appended later and when the prefixes are examined they have either an empty AS path (local routes) or an AS path that contains the other site BGP AS number.

This solution is better because it does not need to be updated if in a later time you decide to use the R8/R9 eBGP session for other prefixes.

The route filters on PE nodes would need to be updated if a change occurs.

Or they could use an AS path filter like ^65000$ (here I suppose site 1 uses private BGP AS number 65000) to allow only paths that are made of a single AS number equal to 65000. This would block the prefix coming from the other site via the R8/R9 eBGP session, which would have an AS path 65000 65001 from the point of view of PE nodes R5 and R55.

 

Hope to help

Giuseppe
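
The two AS-path filters from the answer above, modelled as an added example that is not part of the original post. It assumes site 1 uses AS 65000 and the other site AS 65001 (as the post supposes), that 1.1.1.0/24 is the site 1 prefix, and that Python's `re` stands in for the router's regex for these two anchored patterns; the function names are hypothetical.

```python
import re

# Constructed model. AS numbers follow the post's example (site 1 = 65000,
# other site = 65001); which prefix belongs to which site is an assumption.
SITE1_AS, SITE2_AS = 65000, 65001

# BGP table on a site 1 CE (R6/R7): prefix -> AS path as learned.
CE_TABLE = {
    "1.1.1.0/24": [],            # local to site 1: empty AS path
    "2.2.2.0/24": [SITE2_AS],    # other site's prefix, learned via R8/R9 eBGP
}

def permitted(pattern, as_path):
    """Match an as-path access-list regex against the path written as text.

    Only the anchored patterns from the post (^$ and ^65000$) are modelled;
    for those, Python's re agrees with the router's regex.
    """
    return re.search(pattern, " ".join(map(str, as_path))) is not None

def ce_advertise(table, out_filter=None):
    """Routes the CE sends to its PE. The outbound filter sees the path
    before the local AS is prepended, as the post explains."""
    return {
        prefix: [SITE1_AS] + path
        for prefix, path in table.items()
        if out_filter is None or permitted(out_filter, path)
    }

def pe_accept(received, in_filter=None):
    """Routes the PE (R5/R55) keeps after an optional inbound as-path filter."""
    return {
        prefix: path
        for prefix, path in received.items()
        if in_filter is None or permitted(in_filter, path)
    }

def leaked(routes):
    """Prefixes of the other site that reached the PE via the R8/R9 session."""
    return sorted(p for p, path in routes.items() if SITE2_AS in path)

if __name__ == "__main__":
    unfiltered = pe_accept(ce_advertise(CE_TABLE))
    print("no filter      :", unfiltered, "leaked:", leaked(unfiltered))
    ce_side = pe_accept(ce_advertise(CE_TABLE, r"^$"))
    print("CE out ^$      :", ce_side, "leaked:", leaked(ce_side))
    pe_side = pe_accept(ce_advertise(CE_TABLE), r"^65000$")
    print("PE in ^65000$  :", pe_side, "leaked:", leaked(pe_side))
```
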

 


3 Replies

Giuseppe Larosa
Hall of Fame

Hello cisc0.ameer,

the use case for BGP backdoor is when you want to have an IGP route preferred over an eBGP route.

see the BGP case studies

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/26634-bgp-toc.html?dtid=osscdc000283#bgpbackdoor

 

In your network scenario the BGP network .... backdoor command can be used on CE routers R6, R7 and R10, R11 only if routers R8 and R9 are redistributing into an IGP the prefixes exchanged on their direct eBGP session and the CE nodes take part in the IGP routing domain.

If R8 has iBGP sessions with R6, R7 and R9 has iBGP sessions with R10, R11, and no redistribution into IGP occurs, the BGP network ... backdoor command is not effective on BGP best path selection.

To be noted in this second scenario the AS path attribute on R8-R9 direct eBGP session is shorter it has only the other site BGP AS number listed.

Prefixes received by R6, R7 from PE routers R5, R55 and by R10, R11 from PE nodes R12, R13 will have an AS path made of two entries :

a) if PE nodes are not using as override two AS numbers appear  MPLS-SP-AS followed by other site BGP AS

b) if PE nodes are using as override (that would be needed if the BGP AS is the same on customer sites) the AS path would be made by two occurrences of MPLS-SP AS number

 

In any case the BGP AS path attribute over MPLS L3 VPN should be longer made of two ASes and direct eBGP session R8/R9 has shorter AS path attribute made of only one AS (the other site AS number).

As the shortest AS path is preferred, the use of the R8-R9 link should be made without the need for setting a higher local preference on R8 or R9.

In this case you should be careful on what prefixes are announced over the R8/R9 direct eBGP session or your MPLS L3 VPN will become the backup of the direct link R8/R9 for all prefixes!

 

Hope to help

Giuseppe

 

 

 

Hello sir @Giuseppe Larosa, thanks for your reply

if R8 has iBGP sessions with R6,R7 and R9 has iBGP sessions with R10,R11 and no redistribution into IGP occurs the BGP network ... backdoor command is not effective on BGP best path selection

You mean it is compulsory we redistribute BGP[each side] into IGP domain of Both R8 and R9 correct ?

Prefixes received by R6, R7 from PE routers R5, R55 and by R10, R11 from PE nodes R12, R13 will have an AS path made of two entries :

a) if PE nodes are not using as override two AS numbers appear  MPLS-SP-AS followed by other site BGP AS

b) if PE nodes are using as override (that would be needed if the BGP AS is the same on customer sites) the AS path would be made by two occurrences of MPLS-SP AS number

Yes, PE nodes uses as-override command

In any case the BGP AS path attribute over MPLS L3 VPN should be longer made of two ASes and direct eBGP session R8/R9 has shorter AS path attribute made of only one AS (the other site AS number).

As the shortest AS path is preferred, the use of the R8-R9 link should be made without the need for setting a higher local preference on R8 or R9.

In this case you should be careful on what prefixes are announced over the R8/R9 direct eBGP session or your MPLS L3 VPN will become the backup of the direct link R8/R9 for all prefixes!

You mean if the prefix (green circle) goes via R8-R9 and we have 1 path in AS_PATH SEQ, it's preferred to going via CE-PE (MPLS L3) and the occurrence of 2 paths in AS_PATH, so YES YES I have to be careful about this. How many paths are there to reach the other side's green circle (perfect point... THANKS)

 

But i am still not understanding why we should put command on CE routers ? Why NOT on PE routers?

In your network scenario the BGP network .... backdoor command can be used on CE routers R6, R7 and R10, R11 only if routers R8 and R9 are redistributing into an IGP the prefixes exchanged on their direct eBGP session and the CE nodes take part in the IGP routing domain.

Did you mean that if CE routers do not take part in IGP routing, we can put the command on PE routers?

 

thanks
