Information About BGP-VPN Distinguisher Attribute
The following sections provide information about BGP-VPN distinguisher attribute.
Role and Benefit of the VPN Distinguisher Attribute
Route-target (RT) extended community attributes identify the VPN membership of routes. The RT attributes are placed onto a route at the exporting (egress) provider edge router (PE) and are transported across the iBGP cloud and across autonomous systems. Any Virtual Routing and Forwarding (VRF) instances at the remote PE that want to import such routes must have the corresponding RTs set as import RTs for that VRF.
The figure below illustrates two autonomous systems, each containing customer edge routers (CEs) that belong to different VPNs. Each PE tracks which route distinguisher (RD) corresponds to which VPN, thus controlling the traffic that belongs to each VPN.
In an Inter-AS Option B scenario like the one in the figure above, these routes are carried across an AS boundary from Autonomous System Border Router 1 (ASBR1) to ASBR2 over an MP-eBGP session, with the routes’ respective RTs as extended community attributes being received by ASBR2.
ASBR2 must maintain complex RT mapping schemes to translate RTs originated by AS1 to RTs recognized by AS2, so that the RTs can be imported by their respective VPN membership CE connections on PE2 for CE3 and CE4.
Some network administrators prefer to hide the RTs they source in AS1 from devices in AS2. In order to do that, the administrator must differentiate routes belonging to each VPN with a certain attribute so that the RTs can be removed on the outbound side of ASBR1 before sending routes to ASBR2, and ASBR2 can then map that attribute to recognizable RTs in AS2. The VPN Distinguisher (VD) extended community attribute serves that purpose.
The benefit of the BGP—VPN Distinguisher Attribute feature is that source RTs can be kept private from devices in destination autonomous systems.
How the VPN Distinguisher Attribute Works
The network administrator configures the egress ASBR to perform translation of RTs to a VPN distinguisher extended community attribute, and configures the ingress ASBR to perform translation of the VPN distinguisher to RTs. More specifically, the translation is achieved as follows:
On the Egress ASBR
-
An outbound route map specifies a match excommunity clause that determines which VPN routes are subject to mapping, based on the route’s RT values.
-
A set extcommunity vpn-distinguisher command sets the VPN distinguisher that replaces the RTs.
-
The set extcomm-list delete command that references the same set of RTs is configured to remove the RTs, and then the route is sent to the neighboring ingress ASBR.
On the Ingress ARBR
-
An inbound route map specifies a match excommunity vpn-distinguisher command that determines which VPN routes are subject to mapping, based on the route’s VPN distinguisher.
-
The set extcommunity rt command specifies the RTs that replace the VPN distinguisher.
-
For routes that match the clause, the VPN distinguisher is replaced with the configured RTs.
Additional Behaviors Related to the VPN Distinguisher
On the egress ASBR, if a VPN route matches a route map clause that does not have the set extcommunity vpn-distinguisher command that is configured, the RTs that the VPN route is tagged with are retained.
The VPN distinguisher is transitive across the AS boundary, but is not carried within the iBGP cloud. That is, the ingress ASBR can receive the VPN distinguisher from an eBGP peer, but the VPN distinguisher is discarded on the inbound side after it is mapped to the corresponding RTs.
On the ingress ASBR, if a VPN route carrying the VPN distinguisher matches a route map clause that does not have a set extcommunity rt command that is configured in the inbound route map, the system does not discard the attribute, nor does it propagate the attribute within the iBGP cloud. The VPN distinguisher for the route is retained so that the network administrator can configure the correct inbound policy to translate the VPN distinguisher to the RTs that the VPN route should carry. If the route is sent to eBGP peers, the VPN distinguisher is carried as is. The network administrator could configure a route-map entry to remove the VPN distinguisher from routes that are sent to eBGP peers.
Configuring a set extcommunity vpn-distinguisher command in an outbound route map or a match excommunity command in an inbound route map results in an outbound or inbound route refresh request, respectively, in order to update the routes being sent or received.
BGP-VPN Distinguisher Attribute
The BGP—VPN Distinguisher Attribute feature allows a network administrator to keep source route targets (RTs) private from an Autonomous System Border Router (ASBR) in a destination autonomous system. An RT at an egress ASBR is mapped to a VPN distinguisher, the VPN distinguisher is carried through the eBGP, and then it is mapped to an RT at the ingress ASBR.