Date created: 06/30/15 15:12:09. Last modified: 10/06/17 12:13:26

Inter-AS MPLS Option B - RT Regex Filter

A simple regex that matches only the route-targets of VRFs exported from customer AS 10:

R1:

hostname R1

vrf definition 10
 rd 1.1.1.1:10
 
 address-family ipv4
  route-target export 10:10
  route-target import 10:10
 exit-address-family

vrf definition 20
 rd 1.1.1.1:20
 
 address-family ipv4
  route-target export 10:20
  route-target import 10:20
 exit-address-family

vrf definition 30
 rd 1.1.1.1:30
 
 address-family ipv4
  route-target export 30:30
  route-target import 30:30
 exit-address-family

interface Loopback0
 ip address 1.1.1.1 255.255.255.255

interface Loopback10
 vrf forwarding 10
 ip address 10.0.0.1 255.255.255.255

interface Loopback20
 vrf forwarding 20
 ip address 20.0.0.1 255.255.255.255

interface Loopback30
 vrf forwarding 30
 ip address 30.0.0.1 255.255.255.255

interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 mpls bgp forwarding


router bgp 100
 bgp log-neighbor-changes
 neighbor 192.0.2.2 remote-as 200
 
 address-family ipv4
  redistribute connected
  neighbor 192.0.2.2 activate
 exit-address-family
 
 address-family vpnv4
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 send-community extended
  neighbor 192.0.2.2 route-map RM-Filter-RTs-In in
 exit-address-family
 
 address-family ipv4 vrf 10
  redistribute connected
 exit-address-family
 
 address-family ipv4 vrf 20
  redistribute connected
 exit-address-family
 
 address-family ipv4 vrf 30
  redistribute connected
 exit-address-family

ip extcommunity-list expanded RT-Filter permit 10:[1-2]*
ip bgp-community new-format

route-map RM-Filter-RTs-In permit 10
 match extcommunity RT-Filter



R1#show bgp vpnv4 unicast all
BGP table version is 12, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1.1.1.1:10 (default for vrf 10)
 *>  10.0.0.1/32      0.0.0.0                  0         32768 ?
 *>  10.0.0.2/32      192.0.2.2                0             0 200 ?
Route Distinguisher: 1.1.1.1:20 (default for vrf 20)
 *>  20.0.0.1/32      0.0.0.0                  0         32768 ?
 *>  20.0.0.2/32      192.0.2.2                0             0 200 ?
Route Distinguisher: 1.1.1.1:30 (default for vrf 30)
 *>  30.0.0.1/32      0.0.0.0                  0         32768 ?
Route Distinguisher: 2.2.2.2:10
 *>  10.0.0.2/32      192.0.2.2                0             0 200 ?
Route Distinguisher: 2.2.2.2:20
 *>  20.0.0.2/32      192.0.2.2                0             0 200 ?

Example between IOS and IOS-XR. Two PEs each with a loopback inside each VRF:

IOS:
ip extcommunity-list expanded CUST1-RT-FILTER permit 65001:1[5-9][0-9][0-9]
ip extcommunity-list expanded CUST1-RT-FILTER permit 65001:20[0-9][0-9]
ip extcommunity-list expanded CUST1-RT-FILTER permit 65001:2100

ip extcommunity-list expanded AS-Internal-RTs permit (500:)

route-map RM-iBGP-VPNv4-Filters permit 10
 match extcommunity CUST1-RT-FILTER
route-map RM-iBGP-VPNv4-Filters permit 1000
 match extcommunity AS-Internal-RTs

router bgp 500
 address-family vpnv4
  neighbor 10.0.0.3 route-map RM-iBGP-VPNv4-Filters out


IOS-XR:

extcommunity-set rt iBGP-VPNv-RT-Filters
  ios-regex '65001:1[5-9][0-9][0-9]',
  ios-regex '65001:20[0-9][0-9]',
  ios-regex '65001:2100',
  ios-regex '(500:)'
end-set

route-policy RP-iBGP-VPNv4-RT-Filter
  if extcommunity rt matches-any iBGP-VPNv-RT-Filters then
    pass
  else
    drop
  endif
end-policy

router bgp 500
 neighbor 10.0.0.4
  address-family vpnv4 unicast
   route-policy RP-iBGP-VPNv4-RT-Filter out
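
The RT patterns above (RT-Filter on R1, and the CUST1 and 500: entries) contain no anchors, so they can permit more route-targets than intended at the AS boundary. The following is an added example, not part of the original notes: it assumes the router applies each pattern as an unanchored search over the text form of an RT (for example RT:10:10), uses Python's re in place of the router's regex engine, and the tightened patterns and sample RTs are constructed for illustration.

```python
import re

# Patterns copied from the page's expanded extcommunity lists / ios-regex entries.
PAGE_PATTERNS = {
    "RT-Filter": [r"10:[1-2]*"],
    "CUST1-RT-FILTER": [r"65001:1[5-9][0-9][0-9]", r"65001:20[0-9][0-9]", r"65001:2100"],
    "AS-Internal-RTs": [r"(500:)"],
}

# Hypothetical tightened forms (Python syntax, not taken from the page): anchored
# on the "RT:" prefix and the end of the value so only the intended RTs match.
TIGHT_PATTERNS = {
    "RT-Filter": [r"^RT:10:[0-9]+$"],
    "CUST1-RT-FILTER": [r"^RT:65001:(1[5-9][0-9][0-9]|20[0-9][0-9]|2100)$"],
    "AS-Internal-RTs": [r"^RT:500:[0-9]+$"],
}

# Constructed sample route-targets in "RT:<admin>:<value>" text form.
SAMPLE_RTS = [
    "RT:10:10", "RT:10:20", "RT:30:30", "RT:110:5", "RT:65010:99",
    "RT:65001:1500", "RT:65001:2100", "RT:65001:15000", "RT:65001:21000",
    "RT:165001:2050", "RT:500:1", "RT:1500:1", "RT:65500:7",
]


def permitted(patterns, rt):
    """True if any pattern matches somewhere in the RT text (unanchored search)."""
    return any(re.search(p, rt) for p in patterns)


def audit(list_name, sample_rts):
    """RTs the page's list permits but the tightened list rejects."""
    return [
        rt for rt in sample_rts
        if permitted(PAGE_PATTERNS[list_name], rt)
        and not permitted(TIGHT_PATTERNS[list_name], rt)
    ]


if __name__ == "__main__":
    for name in PAGE_PATTERNS:
        print(f"{name}: unintended matches -> {audit(name, SAMPLE_RTS)}")
```

Anchoring syntax differs between platforms, so confirm the equivalent tightened pattern on the target software before deploying it.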

On IOS-XR one can use a route-policy with the retain route-target option to filter RTs without having to define all the VRFs locally on the ASBR (this is the preferred design for scalability). One can also set the label timeout to 5 minutes (for example) for the Option B MP-BGP labels. This ensures that during a failure scenario traffic sent to the local ASBR (assuming it was the primary path) is still accepted, and allows the local ASBR to forward it to the new ASBR (assuming BGP PIC is in place so that the backup path was already present on the local ASBR):

extcommunity-set rt my-rt-set
  ios-regex '65001:20[0-9][0-9]',
  12345:100,
  12345:200
end-set

route-policy retain-rt
  if extcommunity rt matches-any my-rt-set then
    pass
  else
    drop
  endif
end-policy

router bgp 12345
 address-family vpnv4 unicast
  retain route-target route-policy retain-rt
  retain local-label 5