- Read Me First
- Cisco BGP Overview
- BGP 4
- Configuring a Basic BGP Network
- BGP 4 Soft Configuration
- BGP Support for 4-byte ASN
- IPv6 Routing: Multiprotocol BGP Extensions for IPv6
- IPv6 Routing: Multiprotocol BGP Link-Local Address Peering
- IPv6 Multicast Address Family Support for Multiprotocol BGP
- Configuring Multiprotocol BGP (MP-BGP) Support for CLNS
- BGP IPv6 Admin Distance
- Connecting to a Service Provider Using External BGP
- BGP Route-Map Continue
- BGP Route-Map Continue Support for Outbound Policy
- Removing Private AS Numbers from the AS Path in BGP
- Configuring BGP Neighbor Session Options
- BGP Neighbor Policy
- BGP Dynamic Neighbors
- BGP Support for Next-Hop Address Tracking
- BGP Restart Neighbor Session After Max-Prefix Limit Reached
- BGP Support for Dual AS Configuration for Network AS Migrations
- Configuring Internal BGP Features
- BGP VPLS Auto Discovery Support on Route Reflector
- BGP FlowSpec Route-reflector Support
- BGP Flow Specification Client
- BGP NSF Awareness
- BGP Graceful Restart per Neighbor
- BGP Support for BFD
- IPv6 NSF and Graceful Restart for MP-BGP IPv6 Address Family
- BGP Link Bandwidth
- Border Gateway Protocol Link-State
- iBGP Multipath Load Sharing
- BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS-VPN
- Loadsharing IP Packets over More Than Six Parallel Paths
- BGP Policy Accounting
- BGP Policy Accounting Output Interface Accounting
- BGP Cost Community
- BGP Support for IP Prefix Import from Global Table into a VRF Table
- BGP Support for IP Prefix Export from a VRF Table into the Global Table
- BGP per Neighbor SoO Configuration
- Per-VRF Assignment of BGP Router ID
- BGP Next Hop Unchanged
- BGP Support for the L2VPN Address Family
- BGP Event-Based VPN Import
- BGP Best External
- BGP PIC Edge for IP and MPLS-VPN
- Detecting and Mitigating a BGP Slow Peer
- Configuring BGP: RT Constrained Route Distribution
- Configuring a BGP Route Server
- BGP Diverse Path Using a Diverse-Path Route Reflector
- BGP Enhanced Route Refresh
- Configuring BGP Consistency Checker
- BGP—Origin AS Validation
- BGP MIB Support
- BGP 4 MIB Support for Per-Peer Received Routes
- BGP Support for Nonstop Routing (NSR) with Stateful Switchover (SSO) Using L2VPN VPLS
- BGP NSR Auto Sense
- BGP NSR Support for iBGP Peers
- BGP Graceful Shutdown
- BGP — mVPN BGP sAFI 129 - IPv4
- BGP-MVPN SAFI 129 IPv6
- BFD—BGP Multihop Client Support, cBit (IPv4 and IPv6), and Strict Mode
- BGP Attribute Filter and Enhanced Attribute Error Handling
- BGP Additional Paths
- BGP-Multiple Cluster IDs
- BGP-VPN Distinguisher Attribute
- BGP-RT and VPN Distinguisher Attribute Rewrite Wildcard
- VPLS BGP Signaling
- Multicast VPN BGP Dampening
- BGP—IPv6 NSR
- BGP-VRF-Aware Conditional Advertisement
- BGP—Selective Route Download
- BGP—Support for iBGP Local-AS
- eiBGP Multipath for Non-VRF Interfaces (IPv4/IPv6)
- L3VPN iBGP PE-CE
- BGP NSR Support for MPLS VPNv4 and VPNv6 Inter-AS Option B
- BGP-RTC for Legacy PE
- BGP PBB EVPN Route Reflector Support
- BGP Monitoring Protocol
- VRF Aware BGP Translate-Update
- BGP Support for MTR
- BGP Accumulated IGP
- BGP MVPN Source-AS Extended Community Filtering
- BGP AS-Override Split-Horizon
- BGP Support for Multiple Sourced Paths Per Redistributed Route
- Maintenance Function: BGP Routing Protocol
BGP-VPN Distinguisher Attribute
The BGP—VPN Distinguisher Attribute feature allows a network administrator to keep source route targets (RTs) private from an Autonomous System Border Router (ASBR) in a destination autonomous system. An RT at an egress ASBR is mapped to a VPN distinguisher, the VPN distinguisher is carried through the eBGP, and then it is mapped to an RT at the ingress ASBR.
- Finding Feature Information
- Information About BGP-VPN Distinguisher Attribute
- How to Configure BGP-VPN Distinguisher Attribute
- Configuration Examples for BGP-VPN Distinguisher Attribute
- Additional References
- Feature Information for BGP-VPN Distinguisher Attribute
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About BGP-VPN Distinguisher Attribute
Role and Benefit of the VPN Distinguisher Attribute
Route-target (RT) extended community attributes identify the VPN membership of routes. The RT attributes are placed onto a route at the exporting (egress) provider edge router (PE) and are transported across the iBGP cloud and across autonomous systems. Any Virtual Routing and Forwarding (VRF) instances at the remote PE that want to import such routes must have the corresponding RTs set as import RTs for that VRF.
The figure below illustrates two autonomous systems, each containing customer edge routers (CEs) that belong to different VPNs. Each PE tracks which route distinguisher (RD) corresponds to which VPN, thus controlling the traffic that belongs to each VPN.
In an Inter-AS Option B scenario like the one in the figure above, these routes are carried across an AS boundary from Autonomous System Border Router 1 (ASBR1) to ASBR2 over an MP-eBGP session, with the routes’ respective RTs as extended community attributes being received by ASBR2.
ASBR2 must maintain complex RT mapping schemes to translate RTs originated by AS1 to RTs recognized by AS2, so that the RTs can be imported by their respective VPN membership CE connections on PE2 for CE3 and CE4.
Some network administrators prefer to hide the RTs they source in AS1 from devices in AS2. In order to do that, the administrator must differentiate routes belonging to each VPN with a certain attribute so that the RTs can be removed on the outbound side of ASBR1 before sending routes to ASBR2, and ASBR2 can then map that attribute to recognizable RTs in AS2. The VPN Distinguisher (VD) extended community attribute serves that purpose.
The benefit of the BGP—VPN Distinguisher Attribute feature is that source RTs can be kept private from devices in destination autonomous systems.
How the VPN Distinguisher Attribute Works
The network administrator configures the egress ASBR to perform translation of RTs to a VPN distinguisher extended community attribute, and configures the ingress ASBR to perform translation of the VPN distinguisher to RTs. More specifically, the translation is achieved as follows:
An outbound route map specifies a match excommunity clause that determines which VPN routes are subject to mapping, based on the route’s RT values.
A set extcommunity vpn-distinguisher command sets the VPN distinguisher that replaces the RTs.
The set extcomm-list delete command that references the same set of RTs is configured to remove the RTs, and then the route is sent to the neighboring ingress ASBR.
On the Ingress ARBR
An inbound route map specifies a match excommunity vpn-distinguisher command that determines which VPN routes are subject to mapping, based on the route’s VPN distinguisher.
The set extcommunity rt command specifies the RTs that replace the VPN distinguisher.
For routes that match the clause, the VPN distinguisher is replaced with the configured RTs.
Additional Behaviors Related to the VPN Distinguisher
On the egress ASBR, if a VPN route matches a route map clause that does not have the set extcommunity vpn-distinguisher command configured, the RTs that the VPN route is tagged with are retained.
The VPN distinguisher is transitive across the AS boundary, but is not carried within the iBGP cloud. That is, the ingress ASBR can receive the VPN distinguisher from an eBGP peer, but the VPN distinguisher is discarded on the inbound side after it is mapped to the corresponding RTs.
On the ingress ASBR, if a VPN route carrying the VPN distinguisher matches a route map clause that does not have a set extcommunity rt command configured in the inbound route map, the system does not discard the attribute, nor does it propagate the attribute within the iBGP cloud. The VPN distinguisher for the route is retained so that the network administrator can configure the correct inbound policy to translate the VPN distinguisher to the RTs that the VPN route should carry. If the route is sent to eBGP peers, the VPN distinguisher is carried as is. The network administrator could configure a route-map entry to remove the VPN distinguisher from routes sent to eBGP peers.
Configuring a set extcommunity vpn-distinguisher command in an outbound route map or a match excommunity command in an inbound route map results in an outbound or inbound route refresh request, respectively, in order to update the routes being sent or received.
How to Configure BGP-VPN Distinguisher Attribute
Replacing an RT with a VPN Distinguisher Attribute
Perform this task on an egress ASBR to replace a route target (RT) with a VPN distinguisher extended community attribute. Remember to replace the VPN distinguisher with a route target on the ingress ASBR; that task is described in the “Replacing a VPN Distinguisher Attribute with an RT” section.
1.
enable
2.
configure
terminal
3.
ip
extcommunity-list
expanded-list
{permit |
deny}
rt
value
4.
exit
5.
route-map
map-tag {permit |
deny} [sequence-number]
6.
match
extcommunity
extended-community-list-name
7.
set
extcomm-list
extcommunity-name
delete
8.
set
extcommunity
vpn-distinguisher
id
9.
exit
10.
route-map
map-name
{permit |
deny} [sequence-number]
11.
exit
12.
router
bgp
as-number
13.
neighbor
ip-address
remote-as
autonomous-system-number
14.
address-family
vpnv4
15.
neighbor
ip-address
activate
16.
neighbor
ip-address
route-map
map-name
out
17.
exit-address-family
DETAILED STEPS
Replacing a VPN Distingusher Attribute with an RT
Perform this task on an ingress ASBR to replace a VPN distinguisher extended community attribute with a route target (RT) attribute. This task assumes you already configured the egress ASBR to replace the RT with a VPN distinguisher; that task is described in the “Replacing an RT with a VPN Distinguisher Attribute” section.
1.
enable
2.
configure
terminal
3.
ip
extcommunity-list
expanded-list
{permit |
deny}
vpn-distinguisher
id
4.
exit
5.
route-map
map-tag {permit |
deny} [sequence-number]
6.
match
extcommunity
extended-community-list-name
7.
set
extcomm-list
extcommunity-name
delete
8.
set
extcommunity
rt
value
additive
9.
exit
10.
route-map
map-tag
{permit |
deny} [sequence-number]
11.
exit
12.
router
bgp
as-number
13.
neighbor
ip-address
remote-as
autonomous-system-number
14.
address-family
vpnv4
15.
neighbor
ip-address
activate
16.
neighbor
ip-address
route-map
map-name
in
17.
exit-address-family
DETAILED STEPS
Configuration Examples for BGP-VPN Distinguisher Attribute
Example: Translating RT to VPN Distinguisher to RT
The following example shows the egress ASBR configuration to replace a route target (RT) with a VPN distinguisher, and shows the ingress ASBR configuration to replace the VPN distinguisher with a route target.
On the egress ASBR, IP extended community list 1 is configured to filter VPN routes by permitting only routes with RT 101:100. A route map named vpn-id-map1 says that any route that matches on routes that are allowed by IP extended community list 1 are subject to two set commands. The first set command deletes the RT from the route. The second set command sets the VPN distinguisher attribute to 111:100.
The route-map vpn-id-map1 permit 20 command allows other routes, which are not part of the RT-to-VPN distinguisher mapping, to pass the route map so that they are not discarded. Without this command, the implicit deny would cause these routes to be discarded.
Finally, in autonomous system 2000, for the VPNv4 address family, the route map vpn-id-map1 is applied to routes going out to the neighbor at 192.168.101.1.
Egress ASBR
ip extcommunity-list 1 permit rt 101:100 ! route-map vpn-id-map1 permit 10 match extcommunity 1 set extcomm-list 1 delete set extcommunity vpn-distinguisher 111:100 ! route-map vpn-id-map1 permit 20 ! router bgp 2000 neighbor 192.168.101.1 remote-as 2000 address-family vpnv4 neighbor 192.168.101.1 activate neighbor 192.168.101.1 route-map vpn-id-map1 out exit-address-family !
On the ingress ASBR, IP extended community list 51 allows routes with a VPN distinguisher of 111:100. A route map named vpn-id-rewrite-map1 says that any route that matches on routes that are allowed by IP extended community list 51 are subject to two set commands. The first set command deletes the VPN distinguisher from the route. The second set command sets the RT to 101:1, and that RT is added to the RT list without replacing any RTs.
The route-map vpn-id-rewrite-map1 permit 20 command allows other routes, which are not part of the VPN distinguisher-to-RT mapping, to pass the route map so that they are not discarded. Without this command, the implicit deny would cause those routes to be discarded.
Finally, in autonomous system 3000, for the VPNv4 address family, the route map named vpn-id-rewrite-map1 is applied to incoming routes destined for the neighbor at 192.168.0.81.
Ingress ASBR
ip extcommunity-list 51 permit vpn-distinguisher 111:100 ! route-map vpn-id-rewrite-map1 permit 10 match extcommunity 51 set extcomm-list 51 delete set extcommunity rt 101:1 additive ! route-map vpn-id-rewrite-map1 permit 20 ! router bgp 3000 neighbor 192.168.0.81 remote-as 3000 address-family vpnv4 neighbor 192.168.0.81 activate neighbor 192.168.0.81 route-map vpn-id-rewrite-map1 in exit-address-family !
Additional References
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
BGP commands |
MIBs
MIB |
MIBs Link |
---|---|
None |
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for BGP-VPN Distinguisher Attribute
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.