IOS XR - default route advertisement via eBGP - L3VPN MPLS

lucaparente
Level 1

Dear Community,

I have the following setup (network scheme attached):

* MPLS L3VPN for Customer "A"
* different branch offices and 1 HQ/DC office with Internet access via centralized Firewall
* BGP is used as CE-PE routing protocol: branch sites use ASN "y" and backbone uses ASN "x"
* branch with LAN 192.168.20.0/24 (the only one visible in the diagram) has 2 CPEs connected to different PEs: PE02 is an IOS router while PE05 is an IOS-XR router

The centralized firewall in DC advertises a default route via eBGP (ASN y -> ASN x) to its PE, configured with the correct VRF for Customer A.
When 0.0.0.0/0 NLRI reaches PE02 and PE05 the behavior is different:
* PE02 (IOS) advertises the default to its eBGP peer (CE02) via eBGP (CE is configured with "allow as-in")
* PE05 (IOS XR) DOES NOT advertise the default to its eBGP peer (CE01) (CE is configured with "allow as-in" and IOS XR peer is configured with both route-policy IN and OUT that "pass" all prefixes)

So CE01, which should be the primary path (via PE05), does not receive the default via PE05 (which is configured to set a better MED for the outbound prefixes) and uses the backup path (via PE02) instead.

The only solution I've found to fix this behavior is to configure the "default-originate" parameter under the IOS XR neighbor statement, or "as-override"; both give the same result for the 0.0.0.0/0 advertisement.

I just want to know why IOS XR behaves like this.

Thanks

BR

Luca

Accepted Solutions

I think I don't need to see show ip bgp vpnv4 any more; I think I get the issue here.

Disable the as-path-loopcheck out under the VRF of IOS XR and see the result.

MHM


Do you configure RPL in IOS XR?

If yes, share the policy you use.

MHM

lucaparente
Level 1
route-policy RP-IN
set local-preference 150
pass
end-policy

route-policy RP-OUT
set med 150
pass
end-policy

 vrf CUSTOMER-A
  rd xxxxx:XXX
  address-family ipv4 unicast
  !
  neighbor X.X.X.X
   remote-as Y
   address-family ipv4 unicast
    route-policy RP-IN in
    route-policy RP-OUT out

Your RPL allows everything.

Can you share show ip bgp vpnv4 0.0.0.0?

Does IOS XR receive this default from the site (behind the FW)?

MHM

Now let's check what I have so far.

Two sites, same AS.

The CE drops the prefix since it is from the same AS (loop prevention).

What you did:

1- configured default-originate: this makes IOS XR push a default route, but its AS is AS-X, not AS-Y, so the CE accepts it

2- configured as-override, which does the same: it changes the AS to make the CE accept the prefix

I prefer to use as-override; this makes IOS XR advertise the default if the other site has this route.

**You can check what IOS XR advertises with 'show ip bgp neighbors advertise-route' to see if IOS XR advertises it or not**

Still one point: why does IOS advertise the default and the CE accept it?

MHM

 

RP/0/RSP0/CPU0:PE05#show bgp vpnv4 uni vrf CUSTOMER-A 0.0.0.0


BGP routing table entry for 0.0.0.0/0, Route Distinguisher: XXXX:XX

Paths: (3 available, best #2)
  Not advertised to any peer
  Path #1: Received by speaker 0
  Not advertised to any peer
  65070
    X.X.X.X (metric 3) from Y.Y.Y.Y (X.X.X.X)
      Received Label 1315 
      Origin IGP, metric 0, localpref 100, valid, internal, imported
      Received Path ID 0, Local Path ID 0, version 0
      Extended community: SoO:65070:0 RT:XXXX:XX 
      Originator: X.X.X.X, Cluster list: 0.0.0.103, 0.0.0.102
      Source AFI: VPNv4 Unicast, Source VRF: Customer-A, Source Route Distinguisher: XXXX:XX
  Path #2: Received by speaker 0
  Not advertised to any peer
  65070
    X.X.X.X (metric 3) from K.K.K.K (X.X.X.X)
      Received Label 1315 
      Origin IGP, metric 0, localpref 100, valid, internal, best, group-best, import-candidate, imported
      Received Path ID 0, Local Path ID 1, version 149972
      Extended community: SoO:65070:0 RT:XXXX:XX 
      Originator: X.X.X.X, Cluster list: 0.0.0.102
      Source AFI: VPNv4 Unicast, Source VRF: Customer-A, Source Route Distinguisher: XXXX:XX
  Path #3: Received by speaker 0
  Not advertised to any peer
  65070
    X.X.X.X (metric 3) from Z.Z.Z.Z (X.X.X.X)
      Received Label 1315 
      Origin IGP, metric 0, localpref 100, valid, internal, imported
      Received Path ID 0, Local Path ID 0, version 0
      Extended community: SoO:65070:0 RT:XXXX:XX 
      Originator: X.X.X.X, Cluster list: 0.0.0.101
      Source AFI: VPNv4 Unicast, Source VRF: Customer-A, Source Route Distinguisher: XXXX:XX
	  


RP/0/RSP0/CPU0:PE05#show bgp vrf CUSTOMER-A ipv4 uni neighbors  "CE01-IP" advertised-routes 
Network            Next Hop        From            AS Path
Route Distinguisher: XXXX:XX (default for vrf CUSTOMER-A)
(blank)

 


@MHM Cisco World wrote:

Now let's check what I have so far.

Two sites, same AS.

The CE drops the prefix since it is from the same AS (loop prevention).


Generally the CE would drop it because of loop prevention, but I've configured "allow-as in" under the BGP peer configuration (so the CE will accept eBGP prefixes with the same AS from the PE).

As you see from my attachment, PE05 (IOS XR) receives the default in the VRF (I've deleted real IP addresses and names for privacy reasons) but it does not advertise it to other peers, and if I check the advertised routes to the CE the list is blank.
After I add "override-as" under PE05's neighbor config, the output changes and I see the default advertised to the CE router.

IOS does not behave like that, as you can see from the output below taken from PE02 (IOS):

 

PE02#show bgp vpnv4 uni vrf Customer-A 0.0.0.0                                 
BGP routing table entry for XXXX:XX:0.0.0.0/0, version 723465
Paths: (2 available, best #2, table BRENDOLAN)
  Advertised to update-groups:
     1058      
  Refresh Epoch 3
  65070
    x.x.x.x (metric 3) (via default) from y.y.y.y (y.y.y.y)
      Origin IGP, metric 0, localpref 100, valid, internal
      Extended Community: SoO:65070:0 RT:XXXX:XX
      Originator: x.x.x.x, Cluster list: 0.0.0.101
      mpls labels in/out nolabel/1315
      rx pathid: 0, tx pathid: 0
  Refresh Epoch 3
  65070
    x.x.x.x (metric 3) (via default) from k.k.k.k (k.k.k.k)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Extended Community: SoO:65070:0 RT:XXXX:XX
      Originator: x.x.x.x, Cluster list: 0.0.0.102
      mpls labels in/out nolabel/1315
	  
	  
	  
PE02#show bgp vpnv4 uni vrf Customer-A neighbors "CE02-IP" advertised-routes 
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: XXXX:XX (default for vrf Customer-A)
 *>i 0.0.0.0          X.X.X.X          0    100      0 65070 i

 

 

Your last reply disappeared.

Can you share show ip bgp vpnv4 again?

MHM

decode.chr13
Level 1

The XR is trying to avoid routing loops.

I believe as-override in PEs is the correct option for all branches and HQ.

 

Yes I think the same but I want to understand why it behaves like that while IOS/IOS-XE behaves differently and if there are other solutions other than as-override.

I don't know exactly for this case, but generally IOS-XR has a much stricter implementation of BGP than IOS, because IOS can run from ISR-861 to ASR-1009, but XR generally runs only on very big traffic boxes, so preventing human errors is a must (like leaking prefixes because of forgotten elements of RPLs).

There are actually 3 alternative solutions:

1) as-override (the best)

2) each branch has its own AS number (too much management), even if using confederations.

3) allowas-in (that's the worst). It is for BGP like "no spanning-tree vlan 100" for layer 2 switches.

 

 

 

I think I don't need to see show ip bgp vpnv4 any more; I think I get the issue here.

Disable the as-path-loopcheck out under the VRF of IOS XR and see the result.

MHM

That's it man, thank you!!! I was looking for the REASON why XR behaves like that, and that's it!
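
The behaviour worked out in this thread, as a small Python model added here for illustration (it is not any poster's configuration and not Cisco code): a sender-side AS-path loop check on the PE, the `as-override` and `default-originate` workarounds, and the CE's receive-side check with allowas-in. The backbone ASN 64500 is a constructed placeholder for "x", the field and function names are hypothetical, and modelling PE02 with the sender-side check off reflects only what the thread observed on IOS.

```python
from dataclasses import dataclass

BACKBONE_AS = 64500  # constructed placeholder for the backbone ASN "x"
SITE_AS = 65070      # site ASN visible in the AS path of the posted outputs


@dataclass
class PeConfig:
    local_as: int = BACKBONE_AS
    loopcheck_out: bool = True       # sender-side AS-path loop check (PE05 as posted)
    as_override: bool = False
    default_originate: bool = False


def pe_advertise(as_path, neighbor_as, cfg):
    """Return the AS path the PE sends to the CE, or None if it sends nothing."""
    if cfg.default_originate:
        # Locally originated default: the path carries only the PE's own AS.
        return [cfg.local_as]
    path = list(as_path)
    if cfg.as_override:
        # Replace every occurrence of the neighbor's AS with the PE's AS.
        path = [cfg.local_as if asn == neighbor_as else asn for asn in path]
    if cfg.loopcheck_out and neighbor_as in path:
        # The neighbor would see its own AS in the path, so the update is suppressed.
        return None
    return [cfg.local_as] + path


def ce_accepts(as_path, own_as, allowas_in=0):
    """Receive-side loop check: own AS may appear at most allowas_in times."""
    return as_path is not None and as_path.count(own_as) <= allowas_in


def default_reaches_ce(cfg, allowas_in):
    """Default route learned from the DC site (path [SITE_AS]) sent to a branch CE."""
    sent = pe_advertise([SITE_AS], SITE_AS, cfg)
    return sent, ce_accepts(sent, SITE_AS, allowas_in)


if __name__ == "__main__":
    scenarios = {
        "PE05 as posted": PeConfig(),
        "PE02 as observed": PeConfig(loopcheck_out=False),
        "PE05 + as-override": PeConfig(as_override=True),
        "PE05 + default-originate": PeConfig(default_originate=True),
    }
    for name, cfg in scenarios.items():
        print(name, default_reaches_ce(cfg, allowas_in=1))
```

With the sender-side check on, allowas-in on the CE never gets a chance to act because the update is not sent at all, which matches the blank advertised-routes output on PE05.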