04-22-2013 02:40 PM - edited 03-04-2019 07:41 PM
Hello all
We are deploying an MPLS VPN over GRE solution between our branch sites and a data centre GRE hub router. We want to configure MP-iBGP but the data centre and the branch sites have different AS numbers. Can we use as-override to create the iBGP peering?
04-22-2013 03:19 PM
Hello Harvey,
No, you cannot use as-override for this purpose. You can use the BGP feature local-as.
Here is an example:
http://packetlife.net/blog/2012/jun/19/implications-bgp-local-ios/
Here is also some discussion about this topic:
https://supportforums.cisco.com/thread/2212155
Cisco documentation:
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800949cd.shtml
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsbgphla.html
Best Regards
Please rate all helpful posts and close solved questions
04-22-2013 03:46 PM
Hello Blau
Thank you so much for your reply, I was looking at the as-local command but was not sure. Would you use the no-prepend replace-as command to ensure the hub router doesn't see the Branch router AS? Or will MP-iBGP work fine with just the as-local command? We will have a hub and spoke topology and the hub router will route all intra VRF traffic. Inter VRF traffic will be routed via firewall.
Thank you
04-22-2013 11:37 PM
Hello Harvey,
I am sorry that I misled you, but you cannot use local-as for establishing iBGP peers. These are the rules in the first Cisco document I provided earlier:
- Local-AS cannot have the local BGP protocol AS number or the AS number of the remote peer.
- The local-as command is valid only if the peer is a true eBGP peer. It does not work for two peers in different sub-ASs in a confederation.
From the description you have provided, I think that it is not necessary for iBGP peering. You can have the HUB router in one AS and all Spokes in the same different AS. Spokes will be peering only with the HUB, not with other spokes. You also do not need to send all prefixes to the Spokes; you will just send them a default route and the HUB router will always decide where to route traffic next.
Best Regards
04-23-2013 04:32 PM
Hello Blau
Thank you so much for your reply, it is much appreciated. Please see the configuration below we are considering using, this is for a branch site. I was told that in order for us to have multiple VRFs over a single VPN peering we must run MP-iBGP. The global network will be trusted, no change to current network.
Semi-trusted, untrusted and guest VRFs will be created and will terminate on the data centre hub and a firewall will provide traffic enforcement and inter VRF routing.
router bgp 100
 bgp log-neighbor-changes
 neighbor 10.1.1.1 remote-as 100 (SERVICE PROVIDER)
 neighbor 192.168.1.1 remote-as 200 (GRE HUB IN DATA CENTER)
 no auto-summary
 !
 address-family vpnv4
  neighbor 192.168.1.1 activate
  neighbor 192.168.1.1 send-community extended
 !
 address-family ipv4 vrf Semi-Trusted
  no synchronization
  neighbor 10.0.0.2 remote-as 200
  neighbor 10.0.0.2 activate
 exit-address-family
 address-family ipv4 vrf Untrusted
  no synchronization
  neighbor 10.0.1.2 remote-as 200
  neighbor 10.0.1.2 activate
 exit-address-family
 address-family ipv4 vrf Guest
  no synchronization
  neighbor 10.0.2.2 remote-as 200
  neighbor 10.0.2.2 activate
 exit-address-family
interface Tunnel 10
 ip address x.x.x.x x.x.x.x
 ip vrf forwarding semi-trusted/untrusted/guest
 Tunnel Source x.x.x.x x.x.x.x
 tunnel destination x.x.x.x x.x.x.x
 mpls ip
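An added example, not part of the original posts or Cisco's tooling: a small Python check that classifies each neighbor in a `router bgp` block as iBGP or eBGP and applies the two local-as rules quoted earlier in the thread. The function name `lint_bgp` is this example's own, and the sample is constructed from the branch template above with a hypothetical `local-as 200` line added to trigger a rule.

```python
import re

# Constructed sample: the branch template from the thread, plus a hypothetical
# local-as line (AS 200) added only to trigger the rule check.
SAMPLE = """\
router bgp 100
 neighbor 10.1.1.1 remote-as 100
 neighbor 192.168.1.1 remote-as 200
 neighbor 192.168.1.1 local-as 200 no-prepend replace-as
 address-family vpnv4
  neighbor 192.168.1.1 activate
"""

def lint_bgp(config):
    """Return (sessions, problems) for an IOS-style 'router bgp' block."""
    local_as, remote, local_override, vpnv4 = None, {}, {}, set()
    family = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"router bgp (\d+)$", line):
            local_as = int(m.group(1))
        elif m := re.match(r"address-family (\S+)", line):
            family = m.group(1)
        elif m := re.match(r"neighbor (\S+) remote-as (\d+)", line):
            remote.setdefault(m.group(1), int(m.group(2)))
        elif m := re.match(r"neighbor (\S+) local-as (\d+)", line):
            local_override[m.group(1)] = int(m.group(2))
        elif (m := re.match(r"neighbor (\S+) activate$", line)) and family == "vpnv4":
            vpnv4.add(m.group(1))
    sessions, problems = {}, []
    for peer, ras in remote.items():
        # Same AS on both ends is iBGP; confederation sub-ASs are not modelled.
        kind = "iBGP" if ras == local_as else "eBGP"
        sessions[peer] = kind + ("+vpnv4" if peer in vpnv4 else "")
        las = local_override.get(peer)
        if las is None:
            continue
        if kind == "iBGP":
            problems.append(f"{peer}: local-as is valid only on a true eBGP peer")
        if las == local_as:
            problems.append(f"{peer}: local-as {las} equals the router's own AS")
        if las == ras:
            problems.append(f"{peer}: local-as {las} equals the peer's AS")
    return sessions, problems

if __name__ == "__main__":
    print(*lint_bgp(SAMPLE), sep="\n")
```

On the sample, the session to 192.168.1.1 is reported as eBGP carrying vpnv4, because `router bgp 100` and `remote-as 200` differ.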
04-25-2013 06:26 AM
Hello Harvey,
Template looks good, but it is hard to say in this phase because we do not know details.
I assume that Tunnel 10 will be used to connect branch to HUB. I do not need to create multiple tunnels, one for each VRF. You can have one tunnel in global routing table and MP-BGP/MPLS will take care of isolating routes (traffic) between VRFs.
Best Regards
04-25-2013 04:45 PM
Hi Blau
You are correct, tunnel 10 will be used to connect the branch site to the hub and MP-BGP/MPLS will take care of traffic isolation. This is a PE to PE VPN and it is my understanding that MP iBGP is required for vpnv4/ipv4 route distribution. I was told this would not work with MP eBGP. Is this your understanding?
04-25-2013 11:26 PM
Hi Harvey,
Please read this:
Introduction to Interprovider MPLS L3 VPN
http://blog.ipexpert.com/2010/06/30/introduction-to-interprovider-mpls-l3-vpns/
Best Regards