Wednesday, May 27, 2009

Inter-AS Multicast VPN Support

When default MDT is enabled on VRF, it sends PIM join with (BGP source, MDT address) to other PE routers to establish PIM neighborship. When the connectivity is via Inter-AS Option B or Option C, we may not even have VRF enabled on ASBR’s and end up with incomplete PIM neighborship. Even if we do any config changes in ASBR (like static join group), we may face the following issues:


  • P router on receiving a PIM join (BGP source, MDT address) will perform RPF check on BGP source. As this BGP source will be in other Autonomous system and may not be leaked to local Autonomous system, RPF will fail.
  • When a PE router receives a PIM join on MDT tunnel interface, it performs an IP lookup into the VRF table for source address of PIM join and check if the next hop is PIM adjacent. It also checks if the source address of PIM join is reachable through MDT tunnel interface (for RPF check).
  • PE router should know the source address of MDT group to join the group.


The above issues boiled down to the following requirements:

  1. All PE routers in an AS should know the source address of PE routers in adjacent AS.
  2. ASBR should know the Source PE address in adjacent AS for RPF check
  3. SSM multicast enabled router on receiving PIM join, will look into the embedded (source address, Group) and send PIM join to upstream towards the source. So all P routers should know the source PE address in adjacent AS to send the PIM join.

Multicast VPN Inter-AS support introduces BGP connector attribute, BGP MDT SAFI identifier and RPF vector to addresses these issues.


BGP Connector:

To join a particular (S, G) group, we need to know the source address of PE router. But with Inter-AS option B and Option C, the ASBR will rewrite the next-hop of VPNv4 address and so we may not get to know the actual PE source address.


BGP connector, a transitive attribute have been added with all VPNv4 updates which let us know the actual source/originator of VPNv4 updates. Within an AS, this attribute will be the same as of next-hop. When advertised to other AS, the next-hop will be rewritten, but the BGP connector attribute will remain same. This helps the end PE router know about the source of VPNv4 update. This solves Requirement 1.

BGP MDT SAFI:

This SAFI is designed to carry source address of PE routers to which PIM join will be sent. This SAFI updates (RD:PE_Address) will be saved in a separate MDT table in both PE as well in ASBR.

ASBR router will use this information for RPF check.


PE router will use this information to know which ASBR to send the PIM join packet when it is destinated to RD:PE_Address. This solves Requirement 2.

PIM RPF vector:

BGP Connector and MDT SAFI are advertised as part of BGP and so this may not help P routers to solve any issues. As P routers will not have routing entry for Source PE routers in adjacent AS, they may not able to send the PIM join to the source address. To overcome this, PIM RPF vector feature is introduced which allows the PE router to encode MDT SAFI next hop address (ASBR address) along with PE source address in PIM join. Now P routers will look into the MDT SAFI next hop instead of the actual PE source address. As all internal routers will have reachability to MDT SAFI next-hop address, PIM join will send accordingly. This solves Requirement 3.

Inter-AS MVPN operation:

In our example, we will discuss the Inter-AS setup with Option B enabled.

In the above topology, Inter-AS MPLS VPN is pre configured and works fine. (See Configuration part for config information).

Now to support Inter-AS Multicast VPN, we do the following,


1. Configure BGP MDT SAFI in all PE, ASBR and RR routers as below,


router bgp

neighbor remote-as

address-family ipv4 mdt

neighbor activate


As BGP MDT SAFI follows the same best path selection as normal BGP AFI, we need the next-hop advertised in MDT SAFI to be reachable. If not the update will not be a valid path. To avoid this issue, we configure next-hop-self on ASBR.


address-family ipv4 mdt

neighbor next-hop-self


When RR is involved, care should be taken to enable “route-reflector-client” under MDT SAFI.


address-family ipv4 mdt

neighbor route-reflector-client


2. Configure RPF vector on all PE routers as below,



ip multicast vrf rpf proxy rd vector


The above two step configuration leads to all PE routers advertising (PE_Source, MDT_Group) to all bgp MDT SAFI enabled neighbors.

In our topology the following steps will happen to setup the MDT tree,

  • PE1 will advertise (100.1.4.4, 232.1.1.1) with next-hop 100.1.4.4 to RR and RR reflect the same to ASBR1.
  • ASBR1 advertise (100.1.4.4, 232.1.1.1) with next-hop 200.1.2.2 to ASBR2.
  • ASBR2 advertise (100.1.4.4, 232.1.1.1) with next-hop 200.1.1.1 to PE2.
  • PE2 populate the MDT table with the above details and send PIM join with source=100.1.4.4, Group=232.1.1.1 and embed RPF Vector=200.1.1.1 and send the message towards ASBR2
  • ASBR2 removes the RPF Vector and perform RPF lookup and learns the next hop to 100.1.4.4 is ASBR1. It changes the RPF Vector=100.1.2.2 and send the join message to ASBR1.
  • ASBR1 change the RPF Vector= 100.1.4.4 and send towards PE1.
  • This will setup the MDT tree rooted from 100.1.4.4



Configuration:

PE2 Configuration:

hostname PE2

!

ip subnet-zero

!

!

ip cef

ip vrf COKE

rd 200:1

route-target export 1:1

route-target import 1:1

mdt default 232.1.1.1

!

ip multicast-routing

ip multicast-routing vrf COKE

ip multicast vrf COKE rpf proxy rd vector

!

!

!

interface Loopback0

ip address 200.1.5.5 255.255.255.255

no ip directed-broadcast

ip router isis AS200

ip pim sparse-dense-mode

!

interface Serial2/0

ip address 200.1.15.5 255.255.255.0

no ip directed-broadcast

ip router isis AS200

ip pim sparse-dense-mode

encapsulation frame-relay

tag-switching ip

serial restart-delay 0

frame-relay map clns 501 broadcast

frame-relay map ip 200.1.15.1 501 broadcast

no frame-relay inverse-arp

interface Serial2/2

ip vrf forwarding COKE

ip address 10.1.58.5 255.255.255.0

no ip directed-broadcast

ip pim sparse-mode

serial restart-delay 0

router ospf 1 vrf COKE

router-id 10.1.58.5

log-adjacency-changes

redistribute bgp 200 subnets

network 10.1.58.0 0.0.0.255 area 0

!

router isis AS200

net 47.0200.0000.5555.5555.00

!

router bgp 200

bgp router-id 200.1.5.5

no bgp default ipv4-unicast

bgp log-neighbor-changes

neighbor 200.1.1.1 remote-as 200

neighbor 200.1.1.1 update-source Loopback0

!

address-family ipv4 mdt

neighbor 200.1.1.1 activate

exit-address-family

!

address-family vpnv4

neighbor 200.1.1.1 activate

neighbor 200.1.1.1 send-community extended

exit-address-family

!

address-family ipv4 vrf COKE

redistribute ospf 1 vrf COKE match internal external 1 external 2

no synchronization

exit-address-family

!

ip pim ssm default

ip pim vrf COKE rp-address 10.1.46.4

ip pim vrf COKE autorp listener

!

!

control-plane

!

no cns aaa enable

end



ASBR2 Configuration:

hostname ASBR2

ip cef

ip vrf COKE

rd 200:1

!

ip multicast-routing

ip multicast-routing vrf COKE

!

!

!

interface Loopback0

ip address 200.1.1.1 255.255.255.255

no ip directed-broadcast

ip router isis AS200

ip pim sparse-dense-mode

!

interface FastEthernet0/0

ip address 150.1.12.1 255.255.255.0

no ip directed-broadcast

ip pim sparse-dense-mode

duplex half

speed auto

mpls bgp forwarding

mpls label protocol ldp

tag-switching ip

interface Serial2/0

ip address 200.1.15.1 255.255.255.0

no ip directed-broadcast

ip router isis AS200

ip pim sparse-dense-mode

encapsulation frame-relay

tag-switching ip

serial restart-delay 0

frame-relay map clns 105 broadcast

frame-relay map ip 200.1.15.5 105 broadcast

no frame-relay inverse-arp

router isis AS200

net 47.0200.0000.1111.1111.00

!

router bgp 200

bgp router-id 200.1.1.1

no bgp default ipv4-unicast

no bgp default route-target filter

bgp log-neighbor-changes

neighbor 100.1.2.2 remote-as 100

neighbor 100.1.2.2 ebgp-multihop 10

neighbor 100.1.2.2 update-source Loopback0

neighbor 200.1.5.5 remote-as 200

neighbor 200.1.5.5 update-source Loopback0

!

address-family ipv4 mdt

neighbor 100.1.2.2 activate

neighbor 200.1.5.5 activate

neighbor 200.1.5.5 next-hop-self

exit-address-family

!

address-family vpnv4

neighbor 100.1.2.2 activate

neighbor 100.1.2.2 send-community extended

neighbor 200.1.5.5 activate

neighbor 200.1.5.5 send-community extended

neighbor 200.1.5.5 next-hop-self

exit-address-family

!

address-family ipv4 vrf COKE

no synchronization

exit-address-family

ip route 100.1.2.2 255.255.255.255 150.1.12.2

!

ip pim ssm default

!

!

control-plane

!

end

ASBR1 Configuration:

hostname ASBR1

!

ip cef

ip vrf COKE

rd 200:2

!

ip multicast-routing

ip multicast-routing vrf COKE

mpls label protocol ldp

!

interface Loopback0

ip address 100.1.2.2 255.255.255.255

no ip directed-broadcast

ip router isis AS100

ip pim sparse-dense-mode

!

interface FastEthernet0/0

ip address 150.1.12.2 255.255.255.0

no ip directed-broadcast

ip pim sparse-dense-mode

duplex half

speed auto

mpls bgp forwarding

tag-switching ip

!

interface Serial2/0

ip address 100.1.23.2 255.255.255.0

no ip directed-broadcast

ip router isis AS100

ip pim sparse-dense-mode

encapsulation frame-relay

tag-switching ip

serial restart-delay 0

frame-relay map clns 203 broadcast

frame-relay map ip 100.1.23.3 203 broadcast

no frame-relay inverse-arp

!

router isis AS100

net 47.0100.0000.2222.2222.00

!

router bgp 100

no bgp default ipv4-unicast

no bgp default route-target filter

bgp log-neighbor-changes

neighbor 100.1.3.3 remote-as 100

neighbor 100.1.3.3 update-source Loopback0

neighbor 200.1.1.1 remote-as 200

neighbor 200.1.1.1 ebgp-multihop 10

neighbor 200.1.1.1 update-source Loopback0

!

address-family ipv4 mdt

neighbor 100.1.3.3 activate

neighbor 100.1.3.3 next-hop-self

neighbor 200.1.1.1 activate

exit-address-family

!

address-family vpnv4

neighbor 100.1.3.3 activate

neighbor 100.1.3.3 send-community extended

neighbor 100.1.3.3 next-hop-self

neighbor 200.1.1.1 activate

neighbor 200.1.1.1 send-community extended

exit-address-family

!

address-family ipv4 vrf COKE

no synchronization

exit-address-family

!

ip classless

ip route 200.1.1.1 255.255.255.255 150.1.12.1

!

ip pim ssm default

!

!

tag-switching tdp router-id Loopback0 force

control-plane

end

P1 Configuration:

hostname P1

!

ip cef

ip multicast-routing

mpls label protocol ldp

interface Loopback0

ip address 100.1.3.3 255.255.255.255

no ip directed-broadcast

ip router isis AS100

ip pim sparse-dense-mode

!

interface Serial2/0

ip address 100.1.23.3 255.255.255.0

no ip directed-broadcast

ip router isis AS100

ip pim sparse-dense-mode

encapsulation frame-relay

tag-switching ip

serial restart-delay 0

frame-relay map clns 302 broadcast

frame-relay map ip 100.1.23.2 302 broadcast

no frame-relay inverse-arp

!

interface Serial2/1

ip address 100.1.34.3 255.255.255.0

no ip directed-broadcast

ip router isis AS100

ip pim sparse-dense-mode

encapsulation frame-relay

tag-switching ip

serial restart-delay 0

frame-relay map clns 314 broadcast

frame-relay map ip 100.1.34.4 314 broadcast

no frame-relay inverse-arp

router isis AS100

net 47.0100.0000.3333.3333.00

!

router bgp 100

no bgp default ipv4-unicast

bgp log-neighbor-changes

neighbor 100.1.2.2 remote-as 100

neighbor 100.1.2.2 update-source Loopback0

neighbor 100.1.4.4 remote-as 100

neighbor 100.1.4.4 update-source Loopback0

!

address-family ipv4 mdt

neighbor 100.1.2.2 activate

neighbor 100.1.2.2 route-reflector-client

neighbor 100.1.4.4 activate

neighbor 100.1.4.4 route-reflector-client

exit-address-family

!

address-family vpnv4

neighbor 100.1.2.2 activate

neighbor 100.1.2.2 send-community extended

neighbor 100.1.2.2 route-reflector-client

neighbor 100.1.4.4 activate

neighbor 100.1.4.4 send-community extended

neighbor 100.1.4.4 route-reflector-client

exit-address-family

!

ip pim ssm default

!

!

tag-switching tdp router-id Loopback0 force

control-plane

end

PE1 Configuration:

hostname PE1

!

ip cef

ip vrf COKE

rd 100:1

route-target export 1:1

route-target import 1:1

mdt default 232.1.1.1

!

ip multicast-routing

ip multicast-routing vrf COKE

ip multicast vrf COKE rpf proxy rd vector

mpls label protocol ldp

!

interface Loopback0

ip address 100.1.4.4 255.255.255.255

no ip directed-broadcast

ip router isis AS100

ip pim sparse-dense-mode

!

interface Serial2/0

ip address 100.1.34.4 255.255.255.0

no ip directed-broadcast

ip router isis AS100

ip pim sparse-dense-mode

encapsulation frame-relay

tag-switching ip

serial restart-delay 0

frame-relay map clns 413 broadcast

frame-relay map ip 100.1.34.3 413 broadcast

no frame-relay inverse-arp

!

interface Serial2/3

ip vrf forwarding COKE

ip address 10.1.46.4 255.255.255.0

no ip directed-broadcast

ip pim sparse-mode

serial restart-delay 0

!

router ospf 1 vrf COKE

router-id 10.1.46.4

log-adjacency-changes

redistribute bgp 100 subnets

network 10.1.46.0 0.0.0.255 area 0

!

router isis AS100

net 47.0100.0000.4444.4444.00

!

router bgp 100

no bgp default ipv4-unicast

bgp log-neighbor-changes

neighbor 100.1.3.3 remote-as 100

neighbor 100.1.3.3 update-source Loopback0

!

address-family ipv4 mdt

neighbor 100.1.3.3 activate

exit-address-family

!

address-family vpnv4

neighbor 100.1.3.3 activate

neighbor 100.1.3.3 send-community extended

exit-address-family

!

address-family ipv4 vrf COKE

redistribute ospf 1 vrf COKE match internal external 1 external 2

no synchronization

exit-address-family

!

ip classless

!

ip pim ssm default

ip pim vrf COKE rp-address 10.1.46.4

ip pim vrf COKE autorp listener

!

!

control-plane

!

end

Verification:

PE2# show ip bgp vpnv4 all neighbors | inc MDT

Address family IPv4 MDT: advertised and received

PE2#

PE2#show ip bgp ipv4 mdt all

BGP table version is 6, local router ID is 200.1.5.5

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

r RIB-failure, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

Route Distinguisher: 100:1

*>i100.1.4.4/32 200.1.1.1 0 100 0 100 ?

Route Distinguisher: 200:1 (default for vrf COKE)

*> 200.1.5.5/32 0.0.0.0 0 ?

PE2#

PE2#show ip bgp ipv4 mdt all 100.1.4.4

BGP routing table entry for 100:1:100.1.4.4/32, version 6

Paths: (1 available, best #1, table IPv4-MDT-BGP-Table)

Not advertised to any peer

100

200.1.1.1 (metric 20) from 200.1.1.1 (200.1.1.1)

Origin incomplete, metric 0, localpref 100, valid, internal, best,

MDT group address: 232.1.1.1

PE2#

PE2#show ip mroute proxy

(100.1.4.4, 232.1.1.1)

Proxy Assigner Origin Uptime/Expire

100:1/200.1.1.1 0.0.0.0 BGP MDT 00:04:53/stopped

PE2#show ip mroute

IP Multicast Routing Table

Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,

L - Local, P - Pruned, R - RP-bit set, F - Register flag,

T - SPT-bit set, J - Join SPT, M - MSDP created entry,

X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,

U - URD, I - Received Source Specific Host Report,

Z - Multicast Tunnel, z - MDT-data group sender,

Y - Joined MDT-data group, y - Sending to MDT-data group

V - RD & Vector, v - Vector

Outgoing interface flags: H - Hardware switched, A - Assert winner

Timers: Uptime/Expires

Interface state: Interface, Next-Hop or VCD, State/Mode

(200.1.5.5, 232.1.1.1), 03:51:40/00:03:04, flags: sT

Incoming interface: Loopback0, RPF nbr 0.0.0.0

Outgoing interface list:

Serial2/0, Forward/Sparse-Dense, 02:21:53/00:02:37

(100.1.4.4, 232.1.1.1), 03:52:10/00:02:44, flags: sTIZV

Incoming interface: Serial2/0, RPF nbr 200.1.15.1, vector 200.1.1.1

Outgoing interface list:

MVRF COKE, Forward/Sparse-Dense, 02:22:18/00:00:00

PE2#



4 comments:

  1. could you tell me whether P routers require mdt safi.

    regards
    shivlu jain

    ReplyDelete
  2. Shivlu,
    On P router, normally we dont run BGP and so no MDT SAFI is required. But in this case, I used the P router as RR and so MDT SAFI is required.

    Regards,
    Nagendra

    ReplyDelete
  3. Hi Nagendra

    I've similar topology.
    I've successfully ping multicast between backbone (PE)
    But ping multicast between CE only apply one side.
    CE1 able to reach CE2 but CE2 unable.
    Can you please give me a hint where I missed ?
    Thanks in advanced

    ReplyDelete
  4. i think you need proxy vector on PE1 too

    ReplyDelete