I have been going through some Inter-AS MPLS VPN labs over the past couple of days. There are basically 3 different methods to achieve Inter-AS connectivity for MPLS VPNS.
Option 10A – Back to Back VRFs between ASBRs
Option 10B – VPNv4 eBGP between ASBRs
Option 10C – VPNv4 between RRs or PEs using multihop eBGP
I have labbed up all three of these methods along with the some slight variations on the specific configuration options within each of them and will be writing these up in the coming days.
These are described in RFC 2547bis of which an extract is below.
10. Multi-AS Backbones
What if two sites of a VPN are connected to different Autonomous Systems (e.g., because the sites are connected to different SPs)? The PE routers attached to that VPN will then not be able to maintain IBGP connections with each other, or with a common route reflector. Rather, there needs to be some way to use EBGP to distribute VPN-IPv4 addresses.
There are a number of different ways of handling this case, which we present in order of increasing scalability.
a) VRF-to-VRF connections at the AS (Autonomous System) border routers.
In this procedure, a PE router in one AS attaches directly to a PE router in another. The two PE routers will be attached by multiple sub-interfaces, at least one for each of the VPNs whose routes need to be passed from AS to AS. Each PE will treat the other as if it were a CE router. That is, the PEs associate each such sub-interface with a VRF, and use EBGP to distribute unlabeled IPv4 addresses to each other.
This is a procedure that “just works”, and that does not require MPLS at the border between ASes. However, it does not scale as well as the other procedures discussed below.
b) EBGP redistribution of labeled VPN-IPv4 routes from AS to neighboring AS.
In this procedure, the PE routers use IBGP to redistribute labeled VPN-IPv4 routes either to an Autonomous System Border Router (ASBR), or to a route reflector of which an ASBR is a client. The ASBR then uses EBGP to redistribute those labeled VPN-IPv4 routes to an ASBR in another AS, which in turn distributes them to the PE routers in that AS, or perhaps to another ASBR which in turn distributes them …
When using this procedure, VPN-IPv4 routes should only be accepted on EBGP connections at private peering points, as part of a trusted arrangement between SPs. VPN-IPv4 routes should neither be distributed to nor accepted from the public Internet, or from any BGP peers which are not trusted. An ASBR should never accept a labeled packet from an EBGP peer unless it has actually distributed the top label to that peer.
If there are many VPNs having sites attached to different Autonomous Systems, there does not need to be a single ASBR between those two ASes which holds all the routes for all the VPNs; there can be multiple ASBRs, each of which holds only the routes for a particular subset of the VPNs.
This procedure requires that there be a label switched path leading from a packet’s ingress PE to its egress PE. Hence the appropriate trust relationships must exist between and among the set of ASes along the path. Also, there must be agreement among the set of SPs as to which border routers need to receive routes with which Route Targets.
c) Multihop EBGP redistribution of labeled VPN-IPv4 routes between source and destination ASes, with EBGP redistribution of labeled IPv4 routes from AS to neighboring AS.
In this procedure, VPN-IPv4 routes are neither maintained nor distributed by the ASBRs. An ASBR must maintain labeled IPv4 /32 routes to the PE routers within its AS. It uses EBGP to distribute these routes to other ASes. ASBRs in any transit ASes will also have to use EBGP to pass along the labeled /32 routes. This results in the creation of a label switched path from the ingress PE router to the egress PE router. Now PE routers in different ASes can establish multi-hop EBGP
connections to each other, and can exchange VPN-IPv4 routes over those connections.
If the /32 routes for the PE routers are made known to the P routers of each AS, everything works normally. If the /32 routes for the PE routers are NOT made known to the P routers (other than the ASBRs), then this procedure requires a packet’s ingress PE to put a three label stack on it. The bottom label is assigned by the egress PE, corresponding to the packet’s destination address in a particular VRF. The middle label is assigned by the ASBR, corresponding to the /32 route to the
egress PE. The top label is assigned by the ingress PE’s IGP Next Hop, corresponding to the /32 route to the ASBR.
To improve scalability, one can have the multi-hop EBGP connections exist only between a route reflector in one AS and a route reflector in another. (However, when the route reflectors distribute routes over this connection, they do not modify the BGP next hop attribute of the routes.) The actual PE routers would then only have IBGP connections to the route reflectors in their own AS.
This procedure is very similar to the “Carrier’s Carrier” procedures described in section 9. Like the previous procedure, it requires that there be a label switched path leading from a packet’s ingress PE to its egress PE.