EIGRP MPLS VPN PE-CE Site of Origin
The EIGRP MPLS VPN PE-CE Site of Origin feature introduces the capability to filter Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) traffic on a per-site basis for Enhanced Interior Gateway Routing Protocol (EIGRP) networks. Site of Origin (SoO) filtering is configured at the interface level and is used to manage MPLS VPN traffic and to prevent transient routing loops from occurring in complex and mixed network topologies. This feature is designed to support the MPLS VPN Support for EIGRP Between Provider Edge (PE) and Customer Edge (CE) feature. Support for backdoor links is provided by this feature when a Cisco IOS release is implemented on PE routers that support EIGRP MPLS VPNs.
- Finding Feature Information
- Prerequisites for EIGRP MPLS VPN PE-CE Site of Origin
- Restrictions for EIGRP MPLS VPN PE-CE Site of Origin
- Information About EIGRP MPLS VPN PE-CE Site of Origin
- How to Configure EIGRP MPLS VPN PE-CE Site of Origin Support
- Configuration Examples for EIGRP MPLS VPN PE-CE SoO
- Additional References
- Feature Information for MPLS VPN PE-CE Site of Origin (SoO)
- Glossary
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for EIGRP MPLS VPN PE-CE Site of Origin
This document assumes that Border Gateway Protocol (BGP) is configured in the network core (or the service provider backbone). The following tasks will also need to be completed before you can configure this feature:
- This feature was introduced to support the MPLS VPN Support for EIGRP Between Provider Edge and Customer Edge feature and should be configured after the EIGRP MPLS VPN is created.
- All PE routers that are configured to support the EIGRP MPLS VPN must run a Cisco IOS release that provides support for the SoO extended community.
Restrictions for EIGRP MPLS VPN PE-CE Site of Origin
- If a VPN site is partitioned and the SoO extended community attribute is configured on a backdoor router interface, the backdoor link cannot be used as an alternate path to reach prefixes originated in other partitions of the same site.
- A unique SoO value must be configured for each individual VPN site. The same value must be configured on all provider edge and customer edge interfaces (if SoO is configured on the CE routers) that support the same VPN site.
Information About EIGRP MPLS VPN PE-CE Site of Origin
- EIGRP MPLS VPN PE-CE Site of Origin Support Overview
- Site of Origin Support for Backdoor Links
- Router Interoperation with a Site of Origin Extended Community
- Redistribution of BGP VPN Routes That Carry the Site of Origin into EIGRP
- BGP Cost Community Support for EIGRP MPLS VPN PE-CE Network Topologies
- Benefits of the EIGRP MPLS VPN PE-CE Site of Origin Support Feature
EIGRP MPLS VPN PE-CE Site of Origin Support Overview
The EIGRP MPLS VPN PE-CE Site of Origin feature introduces SoO support for EIGRP-to-BGP and BGP-to-EIGRP redistribution. The SoO extended community is a BGP extended community attribute that is used to identify routes that have originated from a site so that the readvertisement of that prefix back to the source site can be prevented. The SoO extended community uniquely identifies the site from which a PE router has learned a route. SoO support provides the capability to filter MPLS VPN traffic on a per-EIGRP-site basis. SoO filtering is configured at the interface level and is used to manage MPLS VPN traffic and to prevent routing loops from occurring in complex and mixed network topologies, such as EIGRP VPN sites that contain both VPN and backdoor links.
The configuration of the SoO extended community allows MPLS VPN traffic to be filtered on a per-site basis. The SoO extended community is configured in an inbound BGP route map on the PE router and is applied to the interface. The SoO extended community can be applied to all exit points at the customer site for more specific filtering but must be configured on all interfaces of PE routers that provide VPN services to CE routers.
Site of Origin Support for Backdoor Links
The EIGRP MPLS VPN PE-CE Site of Origin (SoO) feature introduces support for backdoor links. A backdoor link or a route is a connection that is configured outside of the VPN between a remote and main site; for example, a WAN leased line that connects a remote site to the corporate network. Backdoor links are typically used as backup routes between EIGRP sites if the VPN link is down or not available. A metric is set on the backdoor link so that the route through the backdoor router is not selected unless there is a VPN link failure.
The SoO extended community is defined on the interface of the backdoor router. It identifies the local site ID, which should match the value that is used on the PE routers that support the same site. When the backdoor router receives an EIGRP update (or reply) from a neighbor across the backdoor link, the router checks the update for an SoO value. If the SoO value in the EIGRP update matches the SoO value on the local backdoor interface, the route is rejected and not added to the EIGRP topology table. This typically occurs when the route with the local SoO value in the received EIGRP update was learned by the other VPN site and then advertised through the backdoor link by the backdoor router in the other VPN site. SoO filtering on the backdoor link prevents transient routing loops from occurring by filtering out EIGRP updates that contain routes that carry the local site ID.
Note: If a VPN site is partitioned and the SoO extended community attribute is configured on a backdoor router interface, the backdoor link cannot be used as an alternate path to reach prefixes originated in other partitions of the same site.
If this feature is enabled on the PE routers and the backdoor routers in the customer sites, and SoO values are defined on both the PE and backdoor routers, both the PE and backdoor routers will support convergence between the VPN sites. The other routers in the customer sites need only propagate the SoO values carried by the routes, because the routes are forwarded to neighbors. These routers do not otherwise affect or support convergence beyond normal Diffusing Update Algorithm (DUAL) computations.
Router Interoperation with a Site of Origin Extended Community
The configuration of an SoO extended community allows routers that support the EIGRP MPLS VPN PE-CE Site of Origin feature to identify the site from which each route originated. When this feature is enabled, the EIGRP routing process on the PE or CE router checks each received route for the SoO extended community and filters based on the following conditions:
- A received route from BGP or a CE router contains a SoO value that matches the SoO value on the receiving interface.
If a route is received with an associated SoO value that matches the SoO value that is configured on the receiving interface, the route is filtered because it was learned from another PE router or from a backdoor link. This behavior is designed to prevent routing loops.
- A received route from a CE router is configured with an SoO value that does not match.
If a route is received with an associated SoO value that does not match the SoO value that is configured on the receiving interface, the route is added to the EIGRP topology table so that it can be redistributed into BGP.
If the route is already installed to the EIGRP topology table but is associated with a different SoO value, the SoO value from the topology table will be used when the route is redistributed into BGP.
- A received route from a CE router does not contain an SoO value.
If a route is received without a SoO value, the route is accepted into the EIGRP topology table, and the SoO value from the interface that is used to reach the next hop CE router is appended to the route before it is redistributed into BGP.
When BGP and EIGRP peers that support the SoO extended community receive these routes, they will also receive the associated SoO values and pass them to other BGP and EIGRP peers that support the SoO extended community. This filtering is designed to prevent transient routes from being relearned from the originating site, which prevents transient routing loops from occurring.
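The receive-side conditions above can be traced with a small model. This is an added example, not Cisco code: the function names, the `Entry` type and the second site ID 100:2 are assumptions made for the illustration, and the prefix and the value 100:1 are borrowed from the configuration examples in this module.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Entry:
    """EIGRP topology-table entry in this model."""
    soo: Optional[str]   # SoO the route carried when it was accepted
    ingress_soo: str     # SoO configured on the interface it arrived on


def receive(topology: Dict[str, Entry], prefix: str,
            route_soo: Optional[str], interface_soo: str) -> str:
    """Apply the receive-side SoO conditions to one route."""
    if route_soo is not None and route_soo == interface_soo:
        # The route carries the local site ID, so it has already left this
        # site once (via another PE or a backdoor link): reject it.
        return "filtered"
    if prefix not in topology:
        topology[prefix] = Entry(route_soo, interface_soo)
    # If the prefix is already installed, the stored SoO value is kept.
    return "accepted"


def soo_for_bgp(topology: Dict[str, Entry], prefix: str) -> str:
    """SoO attached when the route is redistributed from EIGRP into BGP."""
    entry = topology[prefix]
    # A route received without an SoO gets the SoO of the receiving interface.
    return entry.soo if entry.soo is not None else entry.ingress_soo


def advertise_to_ce(route_soo: Optional[str], interface_soo: str) -> Optional[str]:
    """PE sending a BGP-learned route toward a CE; None means filtered."""
    return None if route_soo == interface_soo else route_soo


def run_scenario() -> dict:
    """Follow one site A prefix through the VPN and back over a backdoor link."""
    site_a, site_b = "100:1", "100:2"   # constructed site IDs
    prefix = "10.10.10.0/24"
    steps = {}
    pe1 = {}
    # 1. The site A CE advertises the prefix to PE1 without an SoO.
    steps["pe1_receive"] = receive(pe1, prefix, None, site_a)
    # 2. PE1 redistributes it into BGP with the interface SoO appended.
    steps["bgp_soo"] = soo_for_bgp(pe1, prefix)
    # 3. A second PE serving site A must not hand the route back to site A.
    steps["pe_to_site_a"] = advertise_to_ce(steps["bgp_soo"], site_a)
    # 4. PE2 passes it to site B, which carries the SoO through the site.
    steps["pe2_to_site_b"] = advertise_to_ce(steps["bgp_soo"], site_b)
    # 5. Site B's backdoor router advertises it to site A's backdoor router.
    steps["backdoor_a_receive"] = receive({}, prefix, steps["pe2_to_site_b"], site_a)
    return steps


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```

Steps 3 and 5 are the two places where the route would otherwise re-enter the originating site.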
Redistribution of BGP VPN Routes That Carry the Site of Origin into EIGRP
When an EIGRP routing process on a PE router redistributes BGP VPN routes into an EIGRP topology table, EIGRP extracts the SoO value (if one is present) from the appended BGP extended community attributes and appends the SoO value to the route before adding it to the EIGRP topology table. EIGRP tests the SoO value for each route before sending updates to CE routers. Routes that are associated with SoO values that match the SoO value configured on the interface are filtered out before they are passed to the CE routers. When an EIGRP routing process receives routes that are associated with different SoO values, the SoO value is passed to the CE router and carried through the CE site.
BGP Cost Community Support for EIGRP MPLS VPN PE-CE Network Topologies
The BGP cost community is a nontransitive extended community attribute that is passed to internal BGP (iBGP) and confederation peers but not external BGP (eBGP) peers. The cost community feature allows you to customize the local route preference and influence the BGP best path selection process.
Before BGP cost community support for EIGRP MPLS VPN PE-CE network topologies was introduced, BGP preferred locally sourced routes over routes learned from BGP peers. Backdoor links in an EIGRP MPLS VPN topology were preferred by BGP when the backdoor link was learned first. (A backdoor link or a route is a connection that is configured outside of the VPN between a remote and main site; for example, a WAN leased line that connects a remote site to the corporate network.)
The "prebest path" point of insertion (POI) was introduced in the BGP Cost Community feature to support mixed EIGRP VPN network topologies that contain VPN and backdoor links. This POI is applied automatically to EIGRP routes that are redistributed into BGP. The "prebest path" POI carries the EIGRP route type and metric. This POI influences the best path calculation process by influencing BGP to consider this POI before any other comparison step. No configuration is required. This feature is enabled automatically for EIGRP VPN sites when a Cisco IOS release that supports this feature is installed on the PE routers or the CE and backdoor router at the customer sites.
For more information about the BGP Cost Community feature, see the BGP Cost Community module in the Cisco IOS IP Routing: BGP Configuration Guide.
Benefits of the EIGRP MPLS VPN PE-CE Site of Origin Support Feature
The configuration of the EIGRP MPLS VPN PE-CE Site of Origin Support feature introduces per-site VPN filtering, which improves support for complex topologies, such as MPLS VPNs with backdoor links, CE routers that are dual-homed to different PE routers, and PE routers that support CE routers from different sites within the same virtual routing and forwarding (VRF) instance.
How to Configure EIGRP MPLS VPN PE-CE Site of Origin Support
- Configuring the Site of Origin Extended Community
- Verifying the Configuration of the Site of Origin Extended Community
Configuring the Site of Origin Extended Community
The configuration of the SoO extended community allows MPLS VPN traffic to be filtered on a per-site basis. The SoO extended community is configured in an inbound BGP route map on the PE router and is applied to the interface. The SoO extended community can be applied to all exit points at the customer site for more specific filtering but must be configured on all interfaces of PE routers that provide VPN services to CE routers.
- Border Gateway Protocol (BGP) is configured in the network core (or the service provider backbone).
- Configure an EIGRP MPLS VPN before configuring this feature.
- All PE routers that are configured to support the EIGRP MPLS VPN must support the SoO extended community.
- A unique SoO value must be configured for each VPN site. The same value must be used on the interface of the PE router that connects to the CE router for each VPN site.
DETAILED STEPS
Command or Action | Purpose |
---|---|
Example: Router> enable | Enables privileged EXEC mode. |
Example: Router# configure terminal | Enters global configuration mode. |
Example: Router(config)# route-map Site-of-Origin permit 10 | Enters route-map configuration mode and creates a route map. |
Example: Router(config-route-map)# set extcommunity soo 100:1 | Sets BGP extended community attributes. The colon is used to separate the autonomous system number and network number or IP address and network number. |
Example: Router(config-route-map)# exit | Exits route-map configuration mode and enters global configuration mode. |
Example: Router(config)# interface FastEthernet 0/0 | Enters interface configuration mode to configure the specified interface. |
Example: Router(config-if)# ip vrf forwarding VRF1 | Associates the VRF with an interface or subinterface. |
Example: Router(config-if)# ip vrf sitemap Site-of-Origin | Associates the VRF with an interface or subinterface. |
Example: Router(config-if)# ip address 10.0.0.1 255.255.255.255 | Configures the IP address for the interface. |
Example: Router(config-if)# end | Exits interface configuration mode and enters privileged EXEC mode. |
What to Do Next
- For mixed EIGRP MPLS VPN network topologies that contain backdoor routes, the next task is to configure the "prebest path" cost community for backdoor routes.
Verifying the Configuration of the Site of Origin Extended Community
Use the following steps to verify the configuration of the SoO extended community attribute.
DETAILED STEPS
Command or Action | Purpose |
---|---|
Example: Router> enable | Enables privileged EXEC mode. |
Example: Router# show ip bgp vpnv4 all 10.0.0.1 | Displays VPN address information from the BGP table. |
Example: Router# show eigrp address-family ipv4 4453 topology 10.10.10.0/24 | Displays entries in the EIGRP topology table. |
Configuration Examples for EIGRP MPLS VPN PE-CE SoO
- Example Configuring the Site of Origin Extended Community
- Example Verifying the Site of Origin Extended Community
Example Configuring the Site of Origin Extended Community
The following example, beginning in global configuration mode, configures the SoO extended community on an interface:
Router(config)# route-map Site-of-Origin permit 10
Router(config-route-map)# set extcommunity soo 100:1
Router(config-route-map)# exit
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip vrf forwarding VRF1
Router(config-if)# ip vrf sitemap Site-of-Origin
Router(config-if)# ip address 10.0.0.1 255.255.255.255
Router(config-if)# end
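Because the SoO must be configured on all PE interfaces that provide VPN services to CE routers, a saved configuration can be checked offline for VRF interfaces that lack one. The script below is an added example, not a Cisco tool: it assumes the configuration is available as text in running-config form, and the sample configuration (including the No-SoO route map and the extra interfaces) is constructed for the illustration.

```python
import re

# Constructed sample in running-config form. Only Site-of-Origin, VRF1,
# 100:1 and FastEthernet0/0 come from the example above; the rest is made up.
SAMPLE_CONFIG = """\
route-map Site-of-Origin permit 10
 set extcommunity soo 100:1
!
route-map No-SoO permit 10
 set metric 10
!
interface FastEthernet0/0
 ip vrf forwarding VRF1
 ip vrf sitemap Site-of-Origin
 ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet0/1
 ip vrf forwarding VRF1
 ip address 10.0.1.1 255.255.255.0
!
interface FastEthernet0/2
 ip vrf forwarding VRF1
 ip vrf sitemap No-SoO
!
interface FastEthernet1/0
 ip address 192.168.0.1 255.255.255.0
"""


def parse(config):
    """Return (route-map name -> SoO or None, interface name -> settings)."""
    route_maps, interfaces, current = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"route-map (\S+) (?:permit|deny)", line):
            current = route_maps.setdefault(m.group(1), {"soo": None})
        elif m := re.match(r"interface (.+)", line):
            name = m.group(1).replace(" ", "")   # accept "FastEthernet 0/0" too
            current = interfaces.setdefault(name, {"vrf": None, "sitemap": None})
        elif not line.startswith(" "):
            current = None                       # "!" or another top-level command
        elif current is not None:
            if m := re.match(r" +set extcommunity soo (\S+)", line):
                current["soo"] = m.group(1)
            elif m := re.match(r" +ip vrf (forwarding|sitemap) (\S+)", line):
                key = "vrf" if m.group(1) == "forwarding" else "sitemap"
                current[key] = m.group(2)
    return {k: v["soo"] for k, v in route_maps.items()}, interfaces


def audit(config):
    """Map each VRF interface to its SoO and list VRF interfaces without one."""
    route_maps, interfaces = parse(config)
    soo_by_interface, findings = {}, []
    for name, cfg in interfaces.items():
        if cfg["vrf"] is None:
            continue                             # not a VPN-facing interface
        sitemap = cfg["sitemap"]
        if sitemap is None:
            findings.append((name, "no ip vrf sitemap"))
        elif sitemap not in route_maps:
            findings.append((name, f"route map {sitemap} is not defined"))
        elif route_maps[sitemap] is None:
            findings.append((name, f"route map {sitemap} sets no SoO"))
        else:
            soo_by_interface[name] = route_maps[sitemap]
    return soo_by_interface, findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

The interface-to-SoO map it returns still has to be compared against the site each interface serves, since the configuration alone does not say which interfaces belong to the same VPN site.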
Example Verifying the Site of Origin Extended Community
The following example shows VPN address information from the BGP table and verifies the configuration of the SoO extended community:
Router# show ip bgp vpnv4 all 10.0.0.1
BGP routing table entry for 100:1:10.0.0.1/32, version 6
Paths: (1 available, best #1, no table)
Advertised to update-groups:
1
100 300
192.168.0.2 from 192.168.0.2 (172.16.13.13)
Origin incomplete, localpref 100, valid, external, best
Extended Community: SOO:100:1
The following example shows how to display EIGRP metrics for specified internal services and external services:
Router# show eigrp address-family ipv4 4453 topology 10.10.10.0/24
EIGRP-IPv4 VR(virtual-name) Topology Entry for AS(4453)/ID(10.0.0.1) for 10.10.10.0/24
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 128256
Descriptor Blocks:
0.0.0.0 (Null0), from Connected, Send flag is 0x0
Composite metric is (128256/0), service is Internal
Vector metric:
Minimum bandwidth is 10000000 Kbit
Total delay is 5000 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1514
Hop count is 0
Originating router is 10.0.0.1
Additional References
Related Documents
Related Topic | Document Title |
---|---|
Cisco IOS commands | |
BGP cost community feature and the "prebest path" point of insertion | BGP Cost Community module of the Cisco IOS IP Routing: BGP Configuration Guide |
Cisco Express Forwarding (CEF) commands | Cisco IOS IP Switching Command Reference |
CEF configuration tasks | Cisco Express Forwarding Overview module of the Cisco IOS IP Switching Configuration Guide |
EIGRP commands | Cisco IOS IP Routing: EIGRP Command Reference |
EIGRP configuration tasks | Configuring EIGRP |
MPLS VPNs | Cisco IOS Multiprotocol Label Switching Configuration Guide |
Standards
Standard | Title |
---|---|
None | -- |
MIBs
MIB | MIBs Link |
---|---|
None | To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
RFC | Title |
---|---|
None | -- |
Feature Information for MPLS VPN PE-CE Site of Origin (SoO)
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1. Feature Information for EIGRP MPLS VPN PE-CE Site of Origin (SoO)
Feature Name | Releases | Feature Information |
---|---|---|
EIGRP MPLS VPN PE-CE Site of Origin (SoO) | 12.0(27)S, 12.2(18)SXE, 12.2(28)SB, 12.2(30)S, 12.2(33)SRE, 12.2(33)XNE, 12.3(8)T, 15.0(1)M | The EIGRP MPLS VPN PE-CE Site of Origin (SoO) feature introduces the capability to filter MPLS VPN traffic on a per-site basis for EIGRP networks. The following command was introduced or modified by this feature: ip vrf sitemap |
Glossary
AFI--Address Family Identifier. Carries the identity of the network layer protocol that is associated with the network address.
backdoor link --A link connecting two backdoor routers.
backdoor router --A router that connects two or more sites that are also connected to each other through MPLS VPN EIGRP PE-to-CE links.
BGP --Border Gateway Protocol. An interdomain routing protocol that exchanges reachability information with other BGP systems. It is defined by RFC 1163, A Border Gateway Protocol (BGP). BGP supports CIDR and uses route aggregation mechanisms to reduce the size of routing tables.
Cost Community --An extended community attribute that can be inserted anywhere into the best path calculation.
customer edge (CE) router --A router that belongs to a customer network and that connects to a provider edge (PE) router to utilize MPLS VPN network services.
MBGP --multiprotocol BGP. An enhanced version of BGP that carries routing information for multiple network-layer protocols and IP multicast routes. It is defined in RFC 2858, Multiprotocol Extensions for BGP-4.
provider edge (PE) router --The PE router is the entry point into the service provider network. The PE router is typically deployed on the edge of the network and is administered by the service provider. The PE router is the redistribution point between EIGRP and BGP in PE to CE networking.
site --A collection of routers that have well-defined exit points to other "sites."
site of origin (SoO) --A special purpose tag or attribute that identifies the site that injects a route into the network. This attribute is used for intersite filtering in MPLS VPN PE-to-CE topologies.
VPN --Virtual Private Network. Allows IP traffic to travel securely over public TCP/IP networks and the Internet by encapsulating and encrypting all IP packets. VPN uses a tunnel to encrypt all information at the IP level.