MPLS Layer 3 VPN BGP AS Override

BGP has a simple loop prevention mechanism for external BGP. When you see your own AS number in the AS path, we do not accept the prefix. This mechanism is fine for Internet routing but there are some other scenarios where this might be an issue. Take a look at the following topology:

Above we have a small MPLS VPN network with two customer sites. The customer is using the same AS number (12) for both sites. When CE1 or CE2 receive an update from each other they will not accept it since their own AS number will be in the AS path.

Let’s find out if this is true. Here are the configurations of all routers:

• Configurations
• CE1
• PE1
• P
• PE2
• CE2

Here you will find the startup configurations of each device.

Let’s find out what is going on. First we’ll check if the PE routers have a VPN route for the prefixes from the CE routers:

PE1#show ip bgp vpnv4 all

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CUSTOMER)
 *>  1.1.1.1/32       192.168.12.1             0             0 12 i
 *>i 5.5.5.5/32       4.4.4.4                  0    100      0 12 i

PE2#show ip bgp vpnv4 all 

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CUSTOMER)
 *>i 1.1.1.1/32       2.2.2.2                  0    100      0 12 i
 *>  5.5.5.5/32       192.168.45.5             0             0 12 i

The PE routers have an entry for the loopback interfaces of the CE routers. Are they advertising these to the CE routers?

PE1#show ip bgp vpnv4 all neighbors 192.168.12.1 advertised-routes 
BGP table version is 16, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CUSTOMER)
 *>i 5.5.5.5/32       4.4.4.4                  0    100      0 12 i

Total number of prefixes 1 

PE2#show ip bgp vpnv4 all neighbors 192.168.45.5 advertised-routes
BGP table version is 18, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CUSTOMER)
 *>i 1.1.1.1/32       2.2.2.2                  0    100      0 12 i

Total number of prefixes 1

The PE routers are advertising these to the CE routers. Let’s check the CE routers:

CE1#show ip bgp      

     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.1/32       0.0.0.0                  0         32768 i

CE2#show ip bgp 

     Network          Next Hop            Metric LocPrf Weight Path
 *>  5.5.5.5/32       0.0.0.0                  0         32768 i

There’s nothing there…they only have the prefix on their own loopback interface in the BGP table. Let’s enable a debug on CE1 to figure out why it’s not accepting anything from PE1:

CE1#debug ip bgp all updates 
BGP updates debugging is on for all address families

Let’s reset the neighbor adjacency:

CE1#clear ip bgp *

Here’s what you will see:

CE1#
BGP(0): 192.168.12.2 rcv UPDATE about 5.5.5.5/32 -- DENIED due to: AS-PATH contains our own AS;

No surprises here…CE1 is denying the update since it sees its own AS number in the AS path. If we want to keep the same AS number on CE1 and CE2 then there are two possible solutions for this issue:

• Allow-AS in: this can be configured on the CE routers which tells them to accept prefixes with their own AS number in the AS path.
• AS override: this can be configured on the PE routers, the AS number will be replaced with the AS number from the service provider.

• Unit 1: Introduction
  • Introduction to MPLS
  • MPLS Labels and Devices
• Unit 2: LDP (Label Distribution Protocol)
  • MPLS LDP (Label Distribution Protocol)
  • MPLS LDP Label Filtering
• Unit 3: MPLS VPN
  • VRFs (Virtual Routing and Forwarding)
  • MPLS L3 VPN Explained
  • MPLS L3 VPN Configuration
  • MPLS L3 VPN BGP Allow AS in
  • MPLS L3 VPN BGP AS Override
  • MPLS L3 VPN PE-CE RIP
  • MPLS L3 VPN PE-CE EIGRP
  • MPLS L3 VPN PE-CE OSPF
  • MPLS L3 VPN PE-CE OSPF Default Route
  • MPLS L3 VPN PE-CE OSPF Global Default Route
  • MPLS L3 VPN PE-CE OSPF Sham Link
  • VRF Lite Route Leaking
  • MPLS VPN Extranet Route Leaking
  • MPLS VPN VRF Export Map
  • MPLS VPN VRF Import Map
  • MPLS over FlexVPN
• Unit 4: MPLS L2 Encapsulation
  • AToM (Any Transport over MPLS)
• Unit 5: IPv6 MPLS
  • IPv6 over MPLS 6PE/6VPE
• Unit 6: MPLS Traffic
  • Introduction to MPLS Traffic Engineering (TE)
  • MPLS Traffic Engineering (TE) IS-IS Configuration
  • MPLS Traffic Engineering (TE) OSPF Configuration
  • MPLS TE RSVP-TE
  • MPLS TE Static Routes
  • MPLS TE Policy Based Routing (PBR)
  • MPLS TE Autoroute Announce
  • MPLS TE Autoroute Destination
  • MPLS TE Autoroute Metric
  • MPLS TE Unequal Cost Load Balancing
  • MPLS TE Load Balancing between IGP and TE
  • MPLS TE Forwarding Adjacency
  • MPLS TE Path Options Explicit
  • MPLS TE Class-Based Tunnel Selection (CBTS)
  • MPLS TE Metric
  • MPLS TE Setup and Hold Priority
  • MPLS TE Attribute Flag and Affinity
  • MPLS TE Reoptimization
  • MPLS TE Fast Reroute (FRR)
  • MPLS TE Fast Reroute Path Link Protection
  • MPLS TE Fast Reroute Path Node Protection
  • MPLS TE FRR RSVP Hello Support
  • MPLS TE DiffServ Aware (DS-TE) Traditional
  • MPLS TE Diffserv-Aware (DS-TE) IETF Mode
  • MPLS VPN over MPLS TE Tunnels
  • MPLS TE Per VRF TE tunnel