BGP Confederation Overview

An AS using BGP confederations, as defined in RFC 5065, separates each router in the AS into one of several confederation subautonomous systems. Peers inside the same sub-AS are considered to be confederation iBGP peers, and routers in different sub-autonomous systems are considered to be confederation eBGP peers.

Confederations propagate routes to all routers, without a full mesh of peers inside the entire AS. To do so, confederation eBGP peer connections act like true eBGP peers in some respects.

By the end of these steps, all the routers inside ASN 123 have learned of the 21.0.0.0/8 prefix. Also, ASN 678 (R6 in this case) learned of a route for that same prefix - a route that would work and would not have the black-hole effect. In fact, from ASN 678’s perspective, it sees a route that appears to be through ASNs 123 and 45. Also note that routers in sub-AS 65002 and 65003 will not advertise the prefix back into sub-AS 65001 because AS 65001 is already in the confederation AS_PATH.

ASNs 64512 through 65535 are private ASNs, meant for use in cases where the ASN will not be advertised to the Internet or other autonomous systems. By using private ASNs, a confederation can hopefully avoid the following type of problem.

The following list summarizes the key topics regarding confederations:

■ Inside a sub-AS, full mesh is required, because full iBGP rules are in effect.

■ The confederation eBGP connections act like normal eBGP connections in that iBGP routes are advertised—as long as the AS_PATH implies that such an advertisement would not cause a loop.

■ Confederation eBGP connections also act like normal eBGP connections regarding Time to Live (TTL), because all packets use a TTL of 1 by default. (TTL can be changed with the neighbor ebgp-multihop command.)

■ Confederation eBGP connections act like iBGP connections in every other regard for example, the NEXT_HOP is not changed by default.

■ Confederation ASNs are not considered part of the length of the AS_PATH when a router chooses the best routes based on the shortest AS_PATH.

■ Confederation routers remove the confederation ASNs from the AS_PATH in Updates sent outside the confederation; therefore, other routers do not know that a confederation was used.

 

Below a simple configuration for the topology in Figure:

In this internetwork topology, R1 is in sub-AS 65001, with R2 and R3 in sub-AS 65023. In this case, R1 and R3 will not be neighbors. The following list outlines the sequence of events to propagate a  prefix:

1. R3 will learn prefix 21.0.0.0/8 through eBGP from AS 45 (R4). 
2. R3 will advertise the prefix through iBGP to R2. 
3. R2 will advertise the prefix through confederation eBGP to R1
 
R1# sh run | s router bgp

router bgp 65001
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 bgp confederation identifier 123
 bgp confederation peers 65023 
 neighbor 2.2.2.2 remote-as 65023
 neighbor 2.2.2.2 ebgp-multihop 2
 neighbor 2.2.2.2 update-source Loopback1
 neighbor 2.2.2.2 next-hop-self
 neighbor 172.16.16.6 remote-as 678

R2# sh run | s router bgp

router bgp 65023
 bgp log-neighbor-changes
 bgp confederation identifier 123
 bgp confederation peers 65001 
 neighbor 1.1.1.1 remote-as 65001
 neighbor 1.1.1.1 ebgp-multihop 2
 neighbor 1.1.1.1 update-source Loopback1
 neighbor 3.3.3.3 remote-as 65023
 neighbor 3.3.3.3 update-source Loopback1

R3# sh run | s router bgp

router bgp 65023
 bgp log-neighbor-changes
 bgp confederation identifier 123
 neighbor 2.2.2.2 remote-as 65023
 neighbor 2.2.2.2 update-source Loopback1
 neighbor 2.2.2.2 next-hop-self
 neighbor 4.4.4.4 remote-as 45
 neighbor 4.4.4.4 ebgp-multihop 2
 neighbor 4.4.4.4 update-source Loopback1

R1 has received the 21.0.0.0/8 prefix, with sub-AS 65023 shown in parentheses, and true AS 45 shown outside the parentheses. R1 has also learned the same prefix via AS 678 and R6. The route through the sub-AS is best because it is the shortest AS_PATH; the shortest AS_PATH logic ignores the confederation sub-autonomous systems.

R1# show ip bgp | begin Network

     Network          Next Hop            Metric LocPrf Weight Path
 *>  21.0.0.0         3.3.3.3                  0    100      0 (65023) 45 i

R6 shows its received update from R1, showing the removed sub-AS, and the inclusion of the true AS, AS 123.

R6# show ip bgp | begin Network

     Network          Next Hop            Metric LocPrf Weight Path
 *>  21.0.0.0         172.16.16.1                            0 123 45 i

.!!!!

.!.!!

...!! 

biOos

Carrying IPv6 over a MPLS Backbone (6PE)

There are multiple techniques available to integrate IPv6 services over Service Providers core backbones: dedicated IPv6 network running over various data link layers, dual stack IPv4-IPv6 backbone, or leveraging of an existing MPLS backbone. These solutions (IPv6) are deployed on Service Providers backbones when the amount of IPv6 traffic and the revenue generated are in line with the necessary investments and the risks consented

Service Providers running an MPLS/IPv4 infrastructure follow the same trends, as several integration scenarios are possible to offer IPv6 services on an MPLS network. Cisco Systems specially developed IPv6 Provider Edge Router over MPLS—(Cisco 6PE) to meet all of those requirements.

Operation of 6PE

In the 6PE solution, the PE routers are dual-stack, which means they run IPv4 and IPv6. The CE routers that are running IPv6 are connected to the PE router via a normal interface; the interface is not part of a VRF for IPv6 even though the same interface might be in a VRF for IPv4. The IPv6 routing distribution between the PE routers is done via MP-iBGP. At the same time, MP-iBGP distributes the label to be used for the specific IPv6 prefixes. This BGP label identifies or tags the IPv6 packet at the egress PE. The egress PE looks up this BGP label in the label forwarding information base (LFIB) and uses it to forward the IPv6 packet toward the egress CE.

NOTE Notice that ipv6 unicast-routing and ipv6 cef are not enabled by default and thus must be configured. Also notice that RIP routing processes have names and that they have to be enabled on each interface.

The topology below shows the case:

CE config example:

ipv6 unicast-routing
ipv6 cef
!
interface Loopback0
 ip address 10.100.1.1 255.255.255.255
 ipv6 address 2001:DB8:11::1/128
 ipv6 rip cust-one enable
!
interface Ethernet0/1
 description PE
 no ip address
 ipv6 address 2001:DB8:20::1/64
 ipv6 rip cust-one enable
!
ipv6 router rip cust-one
!
end

PE - 254.1 config:

ip cef
ipv6 unicast-routing
ipv6 cef
!
interface Loopback0
 ip address 10.200.254.1 255.255.255.255
!
interface Ethernet0/0
 ip address 10.200.200.1 255.255.255.0
 mpls ip
!
interface Ethernet0/1
 description CE
 no ip address
 ipv6 address 2001:DB8:20::2/64
 ipv6 enable
 ipv6 rip cust-one enable
!
mpls ldp router-id Loopback0 force
!
router ospf 1
 mpls ldp autoconfig
 network 0.0.0.0 255.255.255.255 area 0
!
router bgp 1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.200.254.7 remote-as 1
 neighbor 10.200.254.7 update-source Loopback0
 !
 address-family ipv4
  neighbor 10.200.254.7 activate
 exit-address-family
 !
 address-family ipv6
  redistribute connected
  redistribute rip cust-one
  neighbor 10.200.254.7 activate
  neighbor 10.200.254.7 send-community both
  neighbor 10.200.254.7 send-label
 exit-address-family
!
ipv6 router rip cust-one
 redistribute bgp 1
!
end

Verifying 6PE Operation

CE# trace ipv6 2001:DB8:30::1

1 2001:DB8:20::2 0 msec 0 msec 0 msec
  2 ::FFFF:10.200.200.2 [MPLS: Labels 17/20 Exp 0] 2 msec 2 msec 3 msec
  3 ::FFFF:10.200.210.2 [MPLS: Labels 17/20 Exp 0] 2 msec 2 msec 2 msec
  4 ::FFFF:10.200.211.2 [MPLS: Labels 17/20 Exp 0] 3 msec 3 msec 2 msec
  5 ::FFFF:10.200.215.2 [MPLS: Labels 18/20 Exp 0] 2 msec 1 msec 2 msec
  6 2001:DB8:30::2 2 msec 3 msec 2 msec
  7 2001:DB8:30::1 3 msec 2 msec 2 msec

NOTE Notice the ::FFFF:IPv4 address notation in the traceroute. This is an IPv4-mapped IPv6 address, because it has the format of ::FFFF:IPv4-address. It represents the address of IPv4-only nodes as an IPv6 address. This is the result of this P router not having IPv6 enabled.

And after disable the ttl in MPLS cloud (no mpls ip propagate-ttl):

CE# trace ipv6 2001:DB8:30::1

  1 2001:DB8:20::2 1 msec 0 msec 1 msec
  2 2001:DB8:30::2 2 msec 2 msec 2 msec
  3 2001:DB8:30::1 2 msec 2 msec 2 msec

CE# debug ipv6 rip

*May 31 18:48:59.515: RIPng [default VRF]: a message has been received.
*May 31 18:48:59.515: RIPng [Et0/1, default VRF]: response received from FE80::A8BB:CCFF:FE00:1010 for process "cust-one".
*May 31 18:48:59.515:        src=FE80::A8BB:CCFF:FE00:1010 (Ethernet0/1)
*May 31 18:48:59.515:        dst=FF02::9
*May 31 18:48:59.515:        sport=521, dport=521, length=72
*May 31 18:48:59.515:        command=2, version=1, mbz=0, #rte=3
*May 31 18:48:59.515:        tag=0, metric=1, prefix=2001:DB8:20::/64
*May 31 18:48:59.515:        tag=0, metric=1, prefix=2001:DB8:30::/64
*May 31 18:48:59.515:        tag=0, metric=2, prefix=2001:DB8:12::1/128
CE#
*May 31 18:49:02.737: RIPng [Et0/1, default VRF]: process "cust-one" is sending a multicast update.
*May 31 18:49:02.737:        src=FE80::A8BB:CCFF:FE00:8010
*May 31 18:49:02.737:        dst=FF02::9 (Ethernet0/1)
*May 31 18:49:02.737:        sport=521, dport=521, length=52
*May 31 18:49:02.737:        command=2, version=1, mbz=0, #rte=2
*May 31 18:49:02.737:        tag=0, metric=1, prefix=2001:DB8:11::1/128
*May 31 18:49:02.737:        tag=0, metric=1, prefix=2001:DB8:20::/64
*May 31 18:49:02.737: RIPng [Lo0, default VRF]: process "cust-one" is sending a multicast update.
*May 31 18:49:02.737:        src=FE80::A8BB:CCFF:FE00:8000
*May 31 18:49:02.737:        dst=FF02::9
CE# (Loopback0)
*May 31 18:49:02.737:        sport=521, dport=521, length=92
*May 31 18:49:02.737:        command=2, version=1, mbz=0, #rte=4
*May 31 18:49:02.737:        tag=0, metric=1, prefix=2001:DB8:11::1/128
*May 31 18:49:02.737:        tag=0, metric=1, prefix=2001:DB8:20::/64
*May 31 18:49:02.737:        tag=0, metric=2, prefix=2001:DB8:30::/64
*May 31 18:49:02.737:        tag=0, metric=3, prefix=2001:DB8:12::1/128
*May 31 18:49:02.738: RIPng [default VRF]: a message has been received.
*May 31 18:49:02.738: RIPng [Lo0, default VRF]: process "cust-one" received own response.

CE# show ipv6 route rip

R   2001:DB8:12::1/128 [120/3]
     via FE80::A8BB:CCFF:FE00:1010, Ethernet0/1
R   2001:DB8:30::/64 [120/2]
     via FE80::A8BB:CCFF:FE00:1010, Ethernet0/1

PE# show bgp ipv6 unicast neighbors

BGP neighbor is 10.200.254.7,  remote AS 1, internal link
  BGP version 4, remote router ID 10.200.254.7
  BGP state = Established, up for 02:34:15
  Last read 00:00:19, last write 00:00:30, hold time is 180, keepalive interval is 60 seconds
  Neighbor sessions:
    1 active, is not multisession capable (disabled)
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Four-octets ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised and received
    Address family IPv6 Unicast: advertised and received
    ipv6 MPLS Label capability: advertised and received
    Enhanced Refresh Capability: advertised and received
...
 For address family: IPv6 Unicast
  Session: 10.200.254.7
  BGP table version 7, neighbor version 7/0
  Output queue size : 0
  Index 2, Advertise bit 0
  2 update-group member
  Community attribute sent to this neighbor
  Sending Prefix & Label
...

PE# show ipv6 route 2001:db8:30::1

Routing entry for 2001:DB8:30::/64
  Known via "bgp 1", distance 200, metric 0, type internal
  Redistributing via rip cust-one
  Route count is 1/1, share count 0
  Routing paths:
    10.200.254.7%default indirectly connected
      MPLS label: 20
      Last updated 02:37:44 ago

PE# show bgp ipv6 unicast 2001:db8:30::1/64

BGP routing table entry for 2001:DB8:30::/64, version 6
Paths: (1 available, best #1, table default)
  Not advertised to any peer
  Refresh Epoch 1
  Local
    ::FFFF:10.200.254.7 (metric 51) from 10.200.254.7 (10.200.254.7)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      mpls labels in/out nolabel/20
      rx pathid: 0, tx pathid: 0x0

PE# show ipv6 cef 2001:DB8:30::1/64 detail

2001:DB8:30::/64, epoch 0, flags [rib defined all labels]
  recursive via 10.200.254.7 label 20
    nexthop 10.200.200.2 Ethernet0/0 label 17

Summary Steps

1. enable
2. configure terminal
3. ip cef
4. ipv6 cef
5. ipv6 unicast-routing
6. router bgp as-number
7. no synchronization
8. no bgp default ipv4-unicast
9. neighbor {ip-address | ipv6-address | peer-group-name} remote-as as-number
10. neighbor {ip-address | ipv6-address | peer-group-name} update-so intf-type intf-number
11. address-family ipv6
12. neighbor {ip-address | ipv6-address | peer-group-name} activate
13. neighbor {ip-address | ipv6-address | peer-group-name} send-label
14. exit-address-family

.!!!!

 .!.!!
...!.
....!

biOos

IPv6 over IPv4 Tunneling

Overlay tunneling encapsulates IPv6 packets in IPv4 packets for delivery across an IPv4 infrastructure (a core network or the figure below). By using overlay tunnels, you can communicate with isolated IPv6 networks without upgrading the IPv4 infrastructure between them. Overlay tunnels can be configured between border devices or between a border device and a host; however, both tunnel endpoints must support both the IPv4 and IPv6 protocol stacks. IPv6 supports the following types of overlay tunneling mechanisms:

• Manual
• Generic routing encapsulation (GRE)
• IPv4-compatible
• 6to4
• Intrasite Automatic Tunnel Addressing Protocol (ISATAP) 

 

 

The config is simple.

R1# show running-config

!
ip cef
ipv6 unicast-routing
ipv6 cef
!
interface Loopback0
no ip address
ipv6 address 2001:DB8:1::1/64
ipv6 ospf 1 area 0
!
interface Tunnel0
no ip address
ipv6 address 2001:DB8:10::1/64
ipv6 ospf 1 area 0
tunnel source Ethernet0/0
tunnel mode ipv6ip
tunnel destination 209.165.201.6
!
interface Ethernet0/0
ip address 209.165.201.1 255.255.255.252
!
router ospfv3 1
!
address-family ipv6 unicast
exit-address-family
!
router bgp 100
bgp router-id 1.1.1.1
bgp log-neighbor-changes
neighbor 209.165.201.2 remote-as 200
!
address-family ipv4
network 209.165.201.0 mask 255.255.255.252
neighbor 209.165.201.2 activate
exit-address-family
!
end

R3# show ipv6 int brief

Ethernet0/1            [up/up]
    unassigned
Loopback0              [up/up]
    FE80::A8BB:CCFF:FE00:3000
    2001:DB8:3::3
Tunnel0                [up/up]
    FE80::D1A5:C906
    2001:DB8:10::2

R3# tracer 2001:DB8:1::1

Tracing the route to 2001:DB8:1::1

  1 2001:DB8:10::1 2 msec 2 msec 1 msec

R1# debug ipv6 icmp

*Apr 20 18:04:41.250: ICMPv6: Sent Unreachable code 4, Src=2001:DB8:10::1, Dst=2001:DB8:10::2
*Apr 20 18:04:41.251: ICMPv6: Sent Unreachable code 4, Src=2001:DB8:10::1, Dst=2001:DB8:10::2

.!!!!

..!..

biOos