Rate and give feedback:
Feedback Received. Thank You!
Example: Configuring AS Override
Understanding AS Override
The AS override feature allows a provider edge (PE) router to
change the private autonomous system (AS) number used by a customer
edge (CE) device on an external BGP (EBGP) session running on a VPN
routing and forwarding (VRF) access link. The private AS number is
changed to the PE AS number. Another CE device connected to another
PE device sees the EBGP route coming from the first site with an AS
path of provider-ASN provider-ASN, instead of provider-ASN site1-ASN.
This allows enterprise networks to use the same private ASN on all
sites.
The AS override feature offers a clear management advantage
to the service provider because BGP by default does not accept BGP
routes with an AS path attribute that contains the local AS number.
In an enterprise network with multiple sites, you might wish
to use a single AS number across sites. Suppose, for example that
two CE devices are in AS 64512 and that the provider network is in
AS 65534.
When the service provider configures a Layer 3 VPN with this
setup, even if the MPLS network has routes towards Device CE1 and
Device CE2, Device CE1 and Device CE2 do not have routes to each other
because the AS path attribute would appear as 64512 65534 64512. BGP
uses the AS path attribute as its loop avoidance mechanism. If a site
sees its own AS number more than once in the AS path, the route is
considered invalid.
One way to overcome this difficulty is with the as-override statement, which is applied to the PE devices. The as-override statement replaces the CE device's AS number with that of the PE
device, thus preventing the customer AS number from appearing more
than once in the AS path attribute.
If a customer uses AS path prepending to make certain paths
less desirable and the service provider uses AS override, each CE
AS number occurrence in the AS-path is changed to the service provider
AS number. For example, suppose that all customer sites use the same
AS number, say 64512. If the ISP uses AS number 65534, one customer
site sees the path to another site as 65534 65534. If the customer
prepends 64512 on a particular path to make it less desirable, another
customer site sees that path as 65534 65534 65534.
Example: Configuring a Layer 3 VPN with Route Reflection and
AS Override
Suppose that you are a service provider providing
a managed MPLS-based Layer 3 VPN service. Your customer has several
sites and requires BGP routing to customer edge (CE) devices at each
site.
Requirements
No special configuration beyond device initialization
is required before configuring this example.
Overview
This example has two CE devices, two provider edge (PE) devices,
and several provider core devices. The provider network is also using
IS-IS to support LDP and BGP loopback reachability Device P2 is acting
as a route reflector (RR). Both CE devices are in autonomous system
(AS) 64512. The provider network is in AS 65534.
The as-override statement is applied to the PE devices,
thus replacing the CE device's AS number with that of the PE device.
This prevents the customer AS number from appearing more than once
in the AS path attribute.
Figure 1 shows the topology used in
this example.
Figure 1: AS Override Topology
CLI Quick Configuration shows the configuration
for all of the devices in Figure 1. The section Step-by-Step Procedure describes the steps on Device
PE1.
Configuration
CLI Quick Configuration
To quickly configure this
example, copy the following commands, paste them into a text file,
remove any line breaks, change any details necessary to match your
network configuration, and then copy and paste the commands into the
CLI at the [edit] hierarchy level.
Device CE1
set interfaces ge-1/2/0 unit 0 family inet address 10.0.0.1/30set interfaces ge-1/2/0 unit 0 family isoset interfaces lo0 unit 0 family inet address 10.255.1.1/32set interfaces lo0 unit 0 family iso address 49.0001.0010.0000.0101.00set protocols bgp group PE type externalset protocols bgp group PE family inet unicastset protocols bgp group PE export ToBGPset protocols bgp group PE peer-as 65534set protocols bgp group PE neighbor 10.0.0.2set policy-options policy-statement ToBGP term Direct from protocol directset policy-options policy-statement ToBGP term Direct then acceptset routing-options router-id 10.255.1.1set routing-options autonomous-system 64512
Device P1
set interfaces ge-1/2/0 unit 0 family inet address 10.0.0.6/30set interfaces ge-1/2/0 unit 0 family isoset interfaces ge-1/2/0 unit 0 family mplsset interfaces ge-1/2/1 unit 0 family inet address 10.0.0.9/30set interfaces ge-1/2/1 unit 0 family isoset interfaces ge-1/2/1 unit 0 family mplsset interfaces ge-1/2/2 unit 0 family inet address 10.0.0.25/30set interfaces ge-1/2/2 unit 0 family isoset interfaces ge-1/2/2 unit 0 family mplsset interfaces lo0 unit 0 family inet address 10.255.3.3/32set interfaces lo0 unit 0 family iso address 49.0001.0010.0000.0303.00set protocols mpls interface allset protocols mpls interface fxp0.0 disableset protocols bgp group l3vpn type internalset protocols bgp group l3vpn local-address 10.255.3.3set protocols bgp group l3vpn family inet-vpn unicastset protocols bgp group l3vpn peer-as 65534set protocols bgp group l3vpn local-as 65534set protocols bgp group l3vpn neighbor 10.255.4.4set protocols isis interface all level 2 metric 10set protocols isis interface all level 1 disableset protocols isis interface fxp0.0 disableset protocols isis interface lo0.0 level 2 metric 0set protocols ldp deaggregateset protocols ldp interface allset protocols ldp interface fxp0.0 disableset routing-options router-id 10.255.3.3
Device P2
set interfaces ge-1/2/0 unit 0 family inet address 10.0.0.10/30set interfaces ge-1/2/0 unit 0 family isoset interfaces ge-1/2/0 unit 0 family mplsset interfaces ge-1/2/1 unit 0 family inet address 10.0.0.13/30set interfaces ge-1/2/1 unit 0 family isoset interfaces ge-1/2/1 unit 0 family mplsset interfaces lo0 unit 0 family inet address 10.255.4.4/32set interfaces lo0 unit 0 family iso address 49.0001.0010.0000.0404.00set protocols mpls interface allset protocols mpls interface fxp0.0 disableset protocols bgp group Core-RRClients type internalset protocols bgp group Core-RRClients local-address 10.255.4.4set protocols bgp group Core-RRClients family inet-vpn unicastset protocols bgp group Core-RRClients cluster 10.255.4.4set protocols bgp group Core-RRClients peer-as 65534set protocols bgp group Core-RRClients neighbor 10.255.3.3set protocols bgp group Core-RRClients neighbor 10.255.7.7set protocols bgp group Core-RRClients neighbor 10.255.2.2set protocols bgp group Core-RRClients neighbor 10.255.5.5set protocols isis interface all level 2 metric 10set protocols isis interface all level 1 disableset protocols isis interface fxp0.0 disableset protocols isis interface lo0.0 level 2 metric 0set protocols ldp deaggregateset protocols ldp interface allset protocols ldp interface fxp0.0 disableset routing-options router-id 10.255.4.4set routing-options autonomous-system 65534
Device P3
set interfaces ge-1/2/0 unit 0 family inet address 10.0.0.22/30set interfaces ge-1/2/0 unit 0 family isoset interfaces ge-1/2/0 unit 0 family mplsset interfaces ge-1/2/1 unit 0 family inet address 10.0.0.26/30set interfaces ge-1/2/1 unit 0 family isoset interfaces ge-1/2/1 unit 0 family mplsset interfaces ge-1/2/2 unit 0 family inet address 10.0.0.30/30set interfaces ge-1/2/2 unit 0 family isoset interfaces ge-1/2/2 unit 0 family mplsset interfaces lo0 unit 0 family inet address 10.255.7.7/32set interfaces lo0 unit 0 family iso address 49.0001.0010.0000.0707.00set protocols mpls interface allset protocols mpls interface fxp0.0 disableset protocols bgp group l3vpn type internalset protocols bgp group l3vpn local-address 10.255.7.7set protocols bgp group l3vpn family inet-vpn unicastset protocols bgp group l3vpn peer-as 65534set protocols bgp group l3vpn local-as 65534set protocols bgp group l3vpn neighbor 10.255.4.4set protocols isis interface all level 2 metric 10set protocols isis interface all level 1 disableset protocols isis interface fxp0.0 disableset protocols isis interface lo0.0 level 2 metric 0set protocols ldp deaggregateset protocols ldp interface allset protocols ldp interface fxp0.0 disableset routing-options router-id 10.255.7.7
Device PE1
set interfaces ge-1/2/0 unit 0 family inet address 10.0.0.2/30set interfaces ge-1/2/0 unit 0 family isoset interfaces ge-1/2/0 unit 0 family mplsset interfaces ge-1/2/1 unit 0 family inet address 10.0.0.5/30set interfaces ge-1/2/1 unit 0 family isoset interfaces ge-1/2/1 unit 0 family mplsset interfaces ge-1/2/2 unit 0 family inet address 10.0.0.21/30set interfaces ge-1/2/2 unit 0 family isoset interfaces ge-1/2/2 unit 0 family mplsset interfaces lo0 unit 0 family inet address 10.255.2.2/32set interfaces lo0 unit 0 family iso address 49.0001.0010.0000.0202.00set protocols mpls interface ge-1/2/2.0set protocols mpls interface ge-1/2/1.0set protocols mpls interface lo0.0set protocols mpls interface fxp0.0 disableset protocols bgp group l3vpn type internalset protocols bgp group l3vpn local-address 10.255.2.2set protocols bgp group l3vpn family inet-vpn unicastset protocols bgp group l3vpn peer-as 65534set protocols bgp group l3vpn local-as 65534set protocols bgp group l3vpn neighbor 10.255.4.4set protocols isis interface ge-1/2/1.0 level 2 metric 10set protocols isis interface ge-1/2/1.0 level 1 disableset protocols isis interface ge-1/2/2.0 level 2 metric 10set protocols isis interface ge-1/2/2.0 level 1 disableset protocols isis interface fxp0.0 disableset protocols isis interface lo0.0 level 2 metric 0set protocols ldp deaggregateset protocols ldp interface ge-1/2/1.0set protocols ldp interface ge-1/2/2.0set protocols ldp interface fxp0.0 disableset protocols ldp interface lo0.0set routing-instances VPN-A instance-type vrfset routing-instances VPN-A interface ge-1/2/0.0set routing-instances VPN-A route-distinguisher 65534:1234set routing-instances VPN-A vrf-target target:65534:1234set routing-instances VPN-A protocols bgp group CE type externalset routing-instances VPN-A protocols bgp group CE family inet unicastset routing-instances VPN-A protocols bgp group CE neighbor 10.0.0.1 peer-as 64512set routing-instances VPN-A protocols bgp group CE neighbor 10.0.0.1 as-overrideset routing-options router-id 10.255.2.2set routing-options autonomous-system 65534
Device PE2
set interfaces ge-1/2/0 unit 0 family inet address 10.0.0.14/30set interfaces ge-1/2/0 unit 0 family isoset interfaces ge-1/2/0 unit 0 family mplsset interfaces ge-1/2/1 unit 0 family inet address 10.0.0.17/30set interfaces ge-1/2/1 unit 0 family isoset interfaces ge-1/2/2 unit 0 family inet address 10.0.0.29/30set interfaces ge-1/2/2 unit 0 family isoset interfaces ge-1/2/2 unit 0 family mplsset interfaces lo0 unit 0 family inet address 10.255.5.5/32set interfaces lo0 unit 0 family iso address 49.0001.0010.0000.0505.00set protocols mpls interface ge-1/2/0.0set protocols mpls interface ge-1/2/2.0set protocols mpls interface lo0.0set protocols mpls interface fxp0.0 disableset protocols bgp group l3vpn type internalset protocols bgp group l3vpn local-address 10.255.5.5set protocols bgp group l3vpn family inet-vpn unicastset protocols bgp group l3vpn peer-as 65534set protocols bgp group l3vpn local-as 65534set protocols bgp group l3vpn neighbor 10.255.4.4set protocols isis interface ge-1/2/0.0 level 2 metric 10set protocols isis interface ge-1/2/0.0 level 1 disableset protocols isis interface ge-1/2/2.0 level 2 metric 10set protocols isis interface ge-1/2/2.0 level 1 disableset protocols isis interface fxp0.0 disableset protocols isis interface lo0.0 level 2 metric 0set protocols ldp deaggregateset protocols ldp interface ge-1/2/0.0set protocols ldp interface ge-1/2/2.0set protocols ldp interface fxp0.0 disableset protocols ldp interface lo0.0set routing-instances VPN-A instance-type vrfset routing-instances VPN-A interface ge-1/2/1.0set routing-instances VPN-A route-distinguisher 65534:1234set routing-instances VPN-A vrf-target target:65534:1234set routing-instances VPN-A protocols bgp group CE type externalset routing-instances VPN-A protocols bgp group CE family inet unicastset routing-instances VPN-A protocols bgp group CE neighbor 10.0.0.18 peer-as 64512set routing-instances VPN-A protocols bgp group CE neighbor 10.0.0.18 as-overrideset routing-options router-id 10.255.5.5set routing-options autonomous-system 65534
Device CE2
set interfaces ge-1/2/0 unit 0 family inet address 10.0.0.18/30set interfaces ge-1/2/0 unit 0 family isoset interfaces lo0 unit 0 family inet address 10.255.6.6/32set interfaces lo0 unit 0 family iso address 49.0001.0010.0000.0606.00set protocols bgp group PE type externalset protocols bgp group PE family inet unicastset protocols bgp group PE export ToBGPset protocols bgp group PE peer-as 65534set protocols bgp group PE neighbor 10.0.0.17set policy-options policy-statement ToBGP term Direct from protocol directset policy-options policy-statement ToBGP term Direct then acceptset routing-options router-id 10.255.6.6set routing-options autonomous-system 64512
Step-by-Step Procedure
- Configure the interfaces.
To enable MPLS, include the protocol family on the interface
so that the interface does not discard incoming MPLS traffic.
[edit interfaces]user@PE1# set ge-1/2/0 unit 0 family inet address 10.0.0.2/30user@PE1# set ge-1/2/0 unit 0 family isouser@PE1# set ge-1/2/0 unit 0 family mplsuser@PE1# set ge-1/2/1 unit 0 family inet address 10.0.0.5/30user@PE1# set ge-1/2/1 unit 0 family isouser@PE1# set ge-1/2/1 unit 0 family mplsuser@PE1# set ge-1/2/2 unit 0 family inet address 10.0.0.21/30user@PE1# set ge-1/2/2 unit 0 family isouser@PE1# set ge-1/2/2 unit 0 family mplsuser@PE1# set lo0 unit 0 family inet address 10.255.2.2/32user@PE1# set lo0 unit 0 family iso address 49.0001.0010.0000.0202.00
- Add the interface to the MPLS protocol to establish the
control plane level connectivity.
Set up the IGP so that the provider devices can communicate
with each other.
To establish a mechanism to distribute MPLS labels, enable LDP.
Optionally, for LDP, enable forwarding equivalence class (FEC) deaggregation,
which results in faster global convergence.
[edit protocols]user@PE1# set mpls interface ge-1/2/2.0user@PE1# set mpls interface ge-1/2/1.0user@PE1# set mpls interface lo0.0user@PE1# set mpls interface fxp0.0 disableuser@PE1# set isis interface ge-1/2/1.0 level 2 metric 10user@PE1# set isis interface ge-1/2/1.0 level 1 disableuser@PE1# set isis interface ge-1/2/2.0 level 2 metric 10user@PE1# set isis interface ge-1/2/2.0 level 1 disableuser@PE1# set isis interface fxp0.0 disableuser@PE1# set isis interface lo0.0 level 2 metric 0user@PE1# set ldp deaggregateuser@PE1# set ldp interface ge-1/2/1.0user@PE1# set ldp interface ge-1/2/2.0user@PE1# set ldp interface fxp0.0 disableuser@PE1# set ldp interface lo0.0 - Enable the internal BGP (IBGP) connection to peer with
the RR only, using the IPv4 VPN unicast address family.
[edit protocols bgp group l3vpn]user@PE1# set type internaluser@PE1# set local-address 10.255.2.2user@PE1# set family inet-vpn unicastuser@PE1# set peer-as 65534user@PE1# set local-as 65534user@PE1# set neighbor 10.255.4.4
- Configure the routing instance, including the as-override statement.
Create the routing-Instance (VRF) on the PE device, setting
up the BGP configuration to peer with Device CE1.
[edit routing-instances VPN-A]user@PE1# set instance-type vrfuser@PE1# set interface ge-1/2/0.0user@PE1# set route-distinguisher 65534:1234user@PE1# set vrf-target target:65534:1234user@PE1# set protocols bgp group CE type externaluser@PE1# set protocols bgp group CE family inet unicastuser@PE1# set protocols bgp group CE neighbor 10.0.0.1 peer-as 64512user@PE1# set protocols bgp group CE neighbor 10.0.0.1 as-override - Configure the router ID and the AS number.
[edit routing-options]user@PE1# set router-id 10.255.2.2user@PE1# set autonomous-system 65534
Results
From configuration mode, confirm your configuration
by entering the show interfaces, show protocols, show routing-instances, and show routing-options commands. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
user@PE1# show interfacesge-1/2/0 {unit 2 {family inet {address 10.0.0.2/30;}family iso;family mpls;}}
ge-1/2/1 {unit 5 {family inet {address 10.0.0.5/30;}family iso;family mpls;}}
ge-1/2/2 {unit 21 {family inet {address 10.0.0.21/30;}family iso;family mpls;}}
lo0 {unit 0 {family inet {address 10.255.2.2/32;}family iso {address 49.0001.0010.0000.0202.00;}}}
user@PE1# show protocolsmpls {interface ge-1/2/2.0;interface ge-1/2/1.0;interface lo0.0;interface fxp0.0 {disable;}}
bgp {group l3vpn {type internal;local-address 10.255.2.2;family inet-vpn {unicast;}peer-as 65534;local-as 65534;neighbor 10.255.4.4;}}
isis {interface ge-1/2/1.0 {level 2 metric 10;level 1 disable;}interface ge-1/2/2.0 {level 2 metric 10;level 1 disable;}interface fxp0.0 {disable;}interface lo0.0 {level 2 metric 0;}}
ldp {deaggregate;interface ge-1/2/1.0;interface ge-1/2/2.0;interface fxp0.0 {disable;}interface lo0.0;}
user@PE1# show routing-instancesVPN-A {instance-type vrf;interface ge-1/2/0.0;route-distinguisher 65534:1234;vrf-target target:65534:1234;protocols {bgp {group CE {type external;family inet {unicast;}neighbor 10.0.0.1 {peer-as 64512;as-override;}}}}}
user@PE1# show routing-optionsrouter-id 10.255.2.2;autonomous-system 65534;
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Checking AS Path to the CE Devices
Purpose
Display information on Device PE1 about the AS path
attribute for the route to Device CE2’s loopback interface.
Action
On Device PE1, from operational mode, enter the show route table VPN-A.inet.0 10.255.6.6 command.
VPN-A.inet.0: 5 destinations, 6 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.255.6.6/32 *[BGP/170] 02:19:35, localpref 100, from 10.255.4.4
AS path: 64512 I, validation-state: unverified
> to 10.0.0.22 via ge-1/2/2.0, Push 300032, Push 299776(top)Meaning
The output shows that Device PE1 has an AS path for
10.255.6.6/32 as coming from AS 64512.
Checking How the Route to Device CE2 Is Advertised
Purpose
Make sure the route to Device CE2 is advertised to
Device CE1 as if it is coming from the MPLS core.
Action
On Device PE1, from operational mode, enter the show route advertising-protocol bgp 10.0.0.1 command.
VPN-A.inet.0: 5 destinations, 6 routes (5 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 10.0.0.16/30 Self I
* 10.255.1.1/32 10.0.0.1 65534 I
* 10.255.6.6/32 Self 65534 I
Meaning
The output indicates that Device PE1 is advertising
only its own AS number in the AS path.
Checking the Route on Device CE1
Purpose
Make sure that Device CE1 contains only the provider
AS number in the AS path for the route to Device CE2.
Action
From operational mode, enter the show route table inet.0 terse 10.255.6.6 command.
user@CE1> show route table inet.0 terse 10.255.6.6
inet.0: 5 destinations, 6 routes (5 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
A V Destination P Prf Metric 1 Metric 2 Next hop AS path
* ? 10.255.6.6/32 B 170 100 65534 65534 I
unverified >10.0.0.2
Meaning
The output indicates that Device CE1 has a route to
Device CE2. The loop issue is resolved with the use of the as-override statement.
One route is hidden on the CE device. This is because Junos
OS does not perform a BGP split horizon. Generally, split horizon
in BGP is unnecessary, because any routes that might be received back
by the originator are less preferred due to AS path length (for EBGP),
AS path loop detection (IBGP), or other BGP metrics. Advertising routes
back to the neighbor from which they were learned has a negligible
effect on the router's performance, and is the correct thing to do.
Published: 2013-02-19
