Wired Intelligent Edge

AOS-CX iBGP in VRF?

  • 1.  AOS-CX iBGP in VRF?

    Posted Jun 19, 2021 09:41 PM
    Hi everyone,

    I'm trying to set up iBGP within a VRF using a different AS number to BGP running in the default VRF between two AOS-CX devices.
    I can get this working with eBGP peers, but I always get 'Bad Peer AS' when trying iBGP.

    I've tried using AOS-CX virtual in EVE-NG on 10.06 and 10.07 with the same results.
    I have also tried adding 'no-prepend replace-as dual-as' to the local-as command with the same results.

    I can get this working if I use the same AS number as the default VRF for iBGP peering but this doesn't seem like an ideal thing to do.

    @vincent.giles wondering if you've done this before?

    Config is below:

    Switch 1
    vrf INTERNET
    rd 65011:100
    !
    router bgp 65001
    <other working iBGP/ eBGP config using the above AS>
    !
    vrf OUTSIDE
    bgp router-id 1.1.1.1
    timers bgp 15 45
    neighbor 10.0.0.2 remote-as 65011
    neighbor 10.0.0.2 local-as 65011
    address-family ipv4 unicast
    neighbor 10.0.0.2 activate
    exit-address-family

    Switch 2:
    vrf INTERNET
    rd 65011:100
    !
    router bgp 65001
    <other working iBGP/ eBGP config using the above AS>
    !
    vrf OUTSIDE
    bgp router-id 2.2.2.2
    timers bgp 15 45
    neighbor 10.0.0.1 remote-as 65011
    neighbor 10.0.0.1 local-as 65011
    address-family ipv4 unicast
    neighbor 10.0.0.1 activate
    exit-address-family

    Output of 'show bgp vrf OUTSIDE all neighbors 10.0.0.1' from Switch2:
    BGP Neighbor 1.1.1.1 (External)
    Description : Switch1 iBGP OUTSIDE
    Peer-group :

    Remote Router Id : 0.0.0.0 Local Router Id : 2.2.2.2
    Remote AS : 65011 Local AS : 65001
    Remote Port : 0 Local Port : 0
    State : Idle Admin Status : Up
    Conn. Established : 0 Conn. Dropped : 0
    Passive : No Update-Source :
    Cfg. Hold Time : 45 Cfg. Keep Alive : 15
    Neg. Hold Time : 0 Neg. Keep Alive : 0
    Up/Down Time : 00h:00m:00s Connect-Retry Time : 120
    Local-AS Prepend : Yes Alt. Local-AS : 65011
    BFD : Disabled
    Password :
    Last Err Sent : OPEN Message Error
    Last SubErr Sent : Bad Peer AS
    Last Err Rcvd : No Error
    Last SubErr Rcvd : No Error

    Graceful-Restart : Enabled Gr. Restart Time : 30
    Gr. Stalepath Time : 300 Remove Private-AS : No
    TTL : 1 Local Cluster-ID :
    Weight : 0 Fall-over : No
    Confederation-Peers : No

    ------------------------------
    Chris Denham
    ------------------------------
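The `Last Err Sent : OPEN Message Error` / `Last SubErr Sent : Bad Peer AS` pair in the output above is Switch 2 reporting that the AS number in the OPEN it received from Switch 1 did not match its configured `remote-as`. The following Python model of that exchange is an added example, not code from the thread or from AOS-CX. It encodes the OPEN and NOTIFICATION layouts from RFC 4271 and the receiver's AS check from section 6.2 of that RFC; the peer ASNs, hold time and router-id are the thread's, and the assumption that the received OPEN carried the real AS 65001 rather than the configured `local-as` 65011 is a constructed case consistent with the thread's later conclusion that `local-as` only takes effect for eBGP sessions.

```python
"""Model of the BGP OPEN exchange behind the 'Bad Peer AS' symptom.

Added example, not code from the thread or from AOS-CX. Message layouts follow
RFC 4271 (OPEN: section 4.2, NOTIFICATION: section 4.5) and the receiver's AS
check follows section 6.2. Peer ASNs, hold time and router-id are the ones
quoted in the thread; the two OPEN cases below are constructed.
"""
import ipaddress
import struct

BGP_MARKER = b"\xff" * 16
MSG_OPEN = 1
MSG_NOTIFICATION = 3
ERR_OPEN_MESSAGE = 2      # NOTIFICATION error code 2: OPEN Message Error
SUBERR_BAD_PEER_AS = 2    # OPEN Message Error subcode 2: Bad Peer AS
HEADER_LEN = 19           # 16-byte marker + 2-byte length + 1-byte type


def build_open(my_as: int, hold_time: int, router_id: str) -> bytes:
    """Encode a minimal OPEN with no optional parameters (2-byte AS field)."""
    body = struct.pack("!BHHIB", 4, my_as, hold_time,
                       int(ipaddress.IPv4Address(router_id)), 0)
    return BGP_MARKER + struct.pack("!HB", HEADER_LEN + len(body), MSG_OPEN) + body


def parse_open(msg: bytes) -> dict:
    """Decode the fixed OPEN fields; reject anything that is not a well-formed OPEN."""
    if len(msg) < HEADER_LEN + 10 or msg[:16] != BGP_MARKER:
        raise ValueError("bad marker or truncated message")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != MSG_OPEN or length != len(msg):
        raise ValueError("not an OPEN or length field does not match")
    version, my_as, hold_time, router_id, opt_len = struct.unpack("!BHHIB", msg[19:29])
    return {"version": version, "my_as": my_as, "hold_time": hold_time,
            "router_id": str(ipaddress.IPv4Address(router_id)), "opt_len": opt_len}


def build_notification(code: int, subcode: int) -> bytes:
    """Encode a NOTIFICATION carrying only an error code and subcode."""
    body = struct.pack("!BB", code, subcode)
    return BGP_MARKER + struct.pack("!HB", HEADER_LEN + len(body), MSG_NOTIFICATION) + body


def parse_notification(msg: bytes) -> tuple:
    """Return (error code, error subcode) of a NOTIFICATION."""
    if msg[:16] != BGP_MARKER or msg[18] != MSG_NOTIFICATION:
        raise ValueError("not a NOTIFICATION")
    return struct.unpack("!BB", msg[19:21])


def check_peer_open(received: bytes, expected_remote_as: int):
    """Receiver-side AS check (RFC 4271 section 6.2).

    Returns None when the peer's My AS matches the configured remote-as,
    otherwise the NOTIFICATION the receiver sends before closing the session.
    """
    fields = parse_open(received)
    if fields["my_as"] != expected_remote_as:
        return build_notification(ERR_OPEN_MESSAGE, SUBERR_BAD_PEER_AS)
    return None


def simulate_switch2(as_in_switch1_open: int, switch2_remote_as: int = 65011):
    """Switch 2 has 'neighbor 10.0.0.1 remote-as 65011'; Switch 1 sends the given AS."""
    open_from_switch1 = build_open(as_in_switch1_open, hold_time=45, router_id="1.1.1.1")
    return check_peer_open(open_from_switch1, switch2_remote_as)


if __name__ == "__main__":
    # Constructed case 1: the OPEN carries the real AS 65001, not local-as 65011.
    notif = simulate_switch2(65001)
    print("AS 65001 in OPEN ->", parse_notification(notif))   # (2, 2): OPEN Message Error / Bad Peer AS
    # Constructed case 2: the OPEN carries 65011, which is what Switch 2 expects.
    print("AS 65011 in OPEN ->", simulate_switch2(65011))     # None: OPEN accepted
```

Reading the `show bgp ... neighbors` counters against this model: `Remote AS : 65011` is the value `check_peer_open` compares against, `Local AS : 65001` is the speaker's real AS, and `Alt. Local-AS : 65011` is the value the switch would present only on a session where `local-as` applies. Error code 2 / subcode 2 is the same pair that a packet capture or `show bgp` output shows for this failure on any RFC 4271 implementation.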


  • 2.  RE: AOS-CX iBGP in VRF?

    EMPLOYEE
    Posted Jun 21, 2021 05:20 AM
    When I used "local-as ASN no-prepend replace-as dual-as", it was always with eBGP peer, not for iBGP peer.
    So I have no experience with such set-up, which seems unusual to me.
    - Did you set the "local-as ASN no-prepend replace-as dual-as" on both Switch1 and Switch2?
    - Maybe worth setting a different router-id in the default VRF and in the OUTSIDE VRF.

    ------------------------------
    Vincent Giles
    ------------------------------



  • 3.  RE: AOS-CX iBGP in VRF?

    Posted Jun 21, 2021 05:24 AM

    Thanks Vincent,

    Yes, I applied the same command on both iBGP peers and also configured a different router ID on each as well.



    ------------------------------
    Chris Denham
    ------------------------------



  • 4.  RE: AOS-CX iBGP in VRF?

    EMPLOYEE
    Posted Jun 21, 2021 05:45 AM
    Please share the full BGP configuration.

    ------------------------------
    Vincent Giles
    ------------------------------



  • 5.  RE: AOS-CX iBGP in VRF?

    Posted Jun 21, 2021 05:55 AM

    Sure thing, please see sanitised config below:

    ### SWITCH-1 ###
    
    router bgp 65001
        bgp router-id 10.1.1.1
        timers bgp 15 45
        bgp log-neighbor-changes
        bgp graceful-restart restart-time 30
        neighbor 10.1.1.137 remote-as 65001
        neighbor 10.1.1.137 description iBGP
        address-family ipv4 unicast
            neighbor 10.1.1.137 activate
            neighbor 10.1.1.137 soft-reconfiguration inbound
            redistribute connected route-map CONNECTED
            redistribute local loopback route-map LOOPBACKS
            redistribute static route-map STATIC
        exit-address-family
    !
        vrf INTERNET
            bgp router-id 1.1.1.1
            timers bgp 15 45
            bgp log-neighbor-changes
            bgp graceful-restart restart-time 30
            neighbor 10.1.1.139 remote-as 65011
            neighbor 10.1.1.139 description iBGP INTERNET
            neighbor 10.1.1.139 local-as 65011
            address-family ipv4 unicast
                neighbor 10.1.1.139 activate
                neighbor 10.1.1.139 soft-reconfiguration inbound
                redistribute connected route-map CONNECTED_INTERNET
            exit-address-family
    
    ### SWITCH-2 ###
    
    router bgp 65001
        bgp router-id 10.1.1.2
        timers bgp 15 45
        bgp log-neighbor-changes
        bgp graceful-restart restart-time 30
        neighbor 10.1.1.136 remote-as 65001
        neighbor 10.1.1.136 description iBGP
        address-family ipv4 unicast
            neighbor 10.1.1.136 activate
            neighbor 10.1.1.136 soft-reconfiguration inbound
            redistribute connected route-map CONNECTED
            redistribute local loopback route-map LOOPBACKS
            redistribute static route-map STATIC
        exit-address-family
    !
        vrf INTERNET
            bgp router-id 1.1.1.2
            timers bgp 15 45
            bgp log-neighbor-changes
            bgp graceful-restart restart-time 30
            neighbor 10.1.1.138 remote-as 65011
            neighbor 10.1.1.138 description iBGP INTERNET
            neighbor 10.1.1.138 local-as 65011
            address-family ipv4 unicast
                neighbor 10.1.1.138 activate
                neighbor 10.1.1.138 soft-reconfiguration inbound
                redistribute connected route-map CONNECTED_INTERNET
            exit-address-family


    ------------------------------
    Chris Denham
    ------------------------------



  • 6.  RE: AOS-CX iBGP in VRF?

    EMPLOYEE
    Posted Jun 21, 2021 06:31 AM
    Could you re-edit this config with the command "local-as ASN no-prepend replace-as dual-as" that you said you tried?


    ------------------------------
    Vincent Giles
    ------------------------------



  • 7.  RE: AOS-CX iBGP in VRF?

    Posted Jun 21, 2021 05:29 PM
    Sure thing, see below:

    ### SWITCH-1 ###
    
    router bgp 65001
        bgp router-id 10.1.1.1
        timers bgp 15 45
        bgp log-neighbor-changes
        bgp graceful-restart restart-time 30
        neighbor 10.1.1.137 remote-as 65001
        neighbor 10.1.1.137 description iBGP
        address-family ipv4 unicast
            neighbor 10.1.1.137 activate
            neighbor 10.1.1.137 soft-reconfiguration inbound
            redistribute connected route-map CONNECTED
            redistribute local loopback route-map LOOPBACKS
            redistribute static route-map STATIC
        exit-address-family
    !
        vrf INTERNET
            bgp router-id 1.1.1.1
            timers bgp 15 45
            bgp log-neighbor-changes
            bgp graceful-restart restart-time 30
            neighbor 10.1.1.139 remote-as 65011
            neighbor 10.1.1.139 description iBGP INTERNET
            neighbor 10.1.1.139 local-as 65011 no-prepend replace-as dual-as
            address-family ipv4 unicast
                neighbor 10.1.1.139 activate
                neighbor 10.1.1.139 soft-reconfiguration inbound
                redistribute connected route-map CONNECTED_INTERNET
            exit-address-family
    
    ### SWITCH-2 ###
    
    router bgp 65001
        bgp router-id 10.1.1.2
        timers bgp 15 45
        bgp log-neighbor-changes
        bgp graceful-restart restart-time 30
        neighbor 10.1.1.136 remote-as 65001
        neighbor 10.1.1.136 description iBGP
        address-family ipv4 unicast
            neighbor 10.1.1.136 activate
            neighbor 10.1.1.136 soft-reconfiguration inbound
            redistribute connected route-map CONNECTED
            redistribute local loopback route-map LOOPBACKS
            redistribute static route-map STATIC
        exit-address-family
    !
        vrf INTERNET
            bgp router-id 1.1.1.2
            timers bgp 15 45
            bgp log-neighbor-changes
            bgp graceful-restart restart-time 30
            neighbor 10.1.1.138 remote-as 65011
            neighbor 10.1.1.138 description iBGP INTERNET
            neighbor 10.1.1.138 local-as 65011 no-prepend replace-as dual-as
            address-family ipv4 unicast
                neighbor 10.1.1.138 activate
                neighbor 10.1.1.138 soft-reconfiguration inbound
                redistribute connected route-map CONNECTED_INTERNET
            exit-address-family


    ------------------------------
    Chris Denham
    ------------------------------



  • 8.  RE: AOS-CX iBGP in VRF?

    EMPLOYEE
    Posted Jun 22, 2021 04:38 AM

    Hi Chris,

     

    I think that the answer is behind the "local-as" functionality and when this can be used. I cannot find any relevant information in the Aruba guides, but this seems to be working for true eBGP peers only (according to the Cisco documentation). When you are configuring it under the BGP context, the following command description is available as well (it's like a confirmation to me):

     

    8320(config-bgp-vrf)# neighbor 10.10.10.1 ?

    local-as           Configure the local AS number for the EBGP neighbor

     

    Regards

    Stanislav



    ------------------------------
    Stanislav Naydenov
    ------------------------------



  • 9.  RE: AOS-CX iBGP in VRF?

    EMPLOYEE
    Posted Jun 22, 2021 06:52 AM
    Right. It is only for eBGP.
    I never touched such use-case for replacing AS for iBGP.
    If you expose the top objective, there might be some other alternatives to achieve your goal.

    ------------------------------
    Vincent Giles
    ------------------------------



  • 10.  RE: AOS-CX iBGP in VRF?

    Posted Jun 22, 2021 04:24 PM
    Thanks guys, the objective is to share local specific routes (e.g. loopbacks, a default route for Internet connection on VSX switch 1 only) via an IGP.

    I've managed to get iBGP standing up by re-using the internal ASN inside the VRF - just wondering if there are any negative implications of this, or reasons why you wouldn't want to do this?

    I guess I could also use OSPF as the IGP as well?

    It is interesting that the local-as command works as expected for iBGP in a VRF on a similar setup with Cisco switches.

    ### SWITCH-1 ###
    
    router bgp 65001
        bgp router-id 10.1.1.1
        timers bgp 15 45
        bgp log-neighbor-changes
        bgp graceful-restart restart-time 30
        neighbor 10.1.1.137 remote-as 65001
        neighbor 10.1.1.137 description iBGP
        address-family ipv4 unicast
            neighbor 10.1.1.137 activate
            neighbor 10.1.1.137 soft-reconfiguration inbound
            redistribute connected route-map CONNECTED
            redistribute local loopback route-map LOOPBACKS
            redistribute static route-map STATIC
        exit-address-family
    !
        vrf INTERNET
            bgp router-id 1.1.1.1
            timers bgp 15 45
            bgp log-neighbor-changes
            bgp graceful-restart restart-time 30
            neighbor 10.1.1.139 remote-as 65001
            neighbor 10.1.1.139 description iBGP INTERNET
            address-family ipv4 unicast
                neighbor 10.1.1.139 activate
                neighbor 10.1.1.139 soft-reconfiguration inbound
                redistribute connected route-map CONNECTED_INTERNET
            exit-address-family
    
    ### SWITCH-2 ###
    
    router bgp 65001
        bgp router-id 10.1.1.2
        timers bgp 15 45
        bgp log-neighbor-changes
        bgp graceful-restart restart-time 30
        neighbor 10.1.1.136 remote-as 65001
        neighbor 10.1.1.136 description iBGP
        address-family ipv4 unicast
            neighbor 10.1.1.136 activate
            neighbor 10.1.1.136 soft-reconfiguration inbound
            redistribute connected route-map CONNECTED
            redistribute local loopback route-map LOOPBACKS
            redistribute static route-map STATIC
        exit-address-family
    !
        vrf INTERNET
            bgp router-id 1.1.1.2
            timers bgp 15 45
            bgp log-neighbor-changes
            bgp graceful-restart restart-time 30
            neighbor 10.1.1.138 remote-as 65001
            neighbor 10.1.1.138 description iBGP INTERNET
            address-family ipv4 unicast
                neighbor 10.1.1.138 activate
                neighbor 10.1.1.138 soft-reconfiguration inbound
                redistribute connected route-map CONNECTED_INTERNET
            exit-address-family


    ------------------------------
    Chris Denham
    ------------------------------



  • 11.  RE: AOS-CX iBGP in VRF?

    EMPLOYEE
    Posted Oct 26, 2023 07:05 PM

    Resurrecting this thread, as we are facing the same issue. The use case is, we have an "internal" BGP EVPN underlay but we also need to peer a VRF with BGP externally, using a different ASN specified by the external entity. Since CX only supports a single BGP routing process, we are able to establish the external peer by using 'local-as' on the neighbor command under the VRF. But how do we ensure iBGP continuity between the VSX pair with this "external" ASN?

    If we use the BGP EVPN's ASN, this will cause this "internal" ASN to become part of the AS-path in the NLRI coming from the "external" VRF, which will be foreign to the external entity...

    Is there a remedy?




  • 12.  RE: AOS-CX iBGP in VRF?

    Posted Oct 26, 2023 07:59 PM

    I haven't looked at this behaviour again in later releases, but at the time the only workaround was to use the eBGP ASN for the iBGP peering.

    In your case if the external party is dictating the ASN, could you re-use this for EVPN?

    Alternatively you could use the EVPN ASN and ask your upstream ISP to filter your internal ASN (this may not be possible depending on your ISP configuration).




  • 13.  RE: AOS-CX iBGP in VRF?

    EMPLOYEE
    Posted Oct 26, 2023 09:36 PM

    Thanks for your reply. Yes, what should have happened is the external party's ASN should have been used to begin with, and now I'm trying to avoid a wholesale reconfiguration that may break who-knows-what elsewhere in this 'engineered solution' I'm dealing with. I suppose the external party could truncate the EVPN's ASN from the beginning of the AS-path (they're Cisco), but as a "good neighbor", we should be able to filter it from going out to begin with, so I'm looking at the potential of using an as-path list/route-map to filter it, but the action taken for the regex match is TBD: does it filter just the ASN from the as-path (good) or does it merely filter all matching advertisements (bad)? I just wish there was an option for 'local-as' to filter the 'real AS'. Other than that, the workaround you found seems to have netted the result we were looking for (VRF RT looks good during steady state and after failing uplinks).




  • 14.  RE: AOS-CX iBGP in VRF?

    EMPLOYEE
    Posted Oct 26, 2023 09:45 PM

    Of course, as soon as I posted my reply, I read about 'set as-path exclude'. There may be hope yet...




  • 15.  RE: AOS-CX iBGP in VRF?

    Posted Oct 26, 2023 09:49 PM

    That seems to be a more granular option that would give you more control than the remove-private-AS command.




  • 16.  RE: AOS-CX iBGP in VRF?

    Posted Oct 26, 2023 09:47 PM

    I think the remove-private-AS command may do the trick:

    neighbor remove-private-AS

    neighbor {<IP-ADDRESS>|<PEER-GROUP-NAME>} remove-private-AS
    no neighbor {<IP-ADDRESS>|<PEER-GROUP-NAME>} remove-private-AS

    Description

    This command forces the BGP neighbor to drop the private AS numbers. When the outbound update contains a sequence of private AS numbers, this sequence is dropped. If the command is configured for peer-group, then all the neighbors that are part of peer-group will remove the private-AS before sending the BGP update message.

    The no form of this command allows the private-AS number to be carried in BGP update message. The neighbor connection must be reset using clear ip bgp neighbor-ip-address to allow this configuration to take effect.




  • 17.  RE: AOS-CX iBGP in VRF?

    EMPLOYEE
    Posted Oct 26, 2023 09:58 PM

    Thanks again, but the ASN the external entity wants us to use is also a private ASN. Fun stuff, eh?
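The difference between the two filtering options discussed in posts 13 to 17 is easiest to see on a concrete AS_PATH. The Python below is an added example, not code from the thread or from AOS-CX: it models `remove-private-AS` literally as the documentation quoted in post 16 describes it (every private ASN in the outbound path is dropped) and a route-map `set as-path exclude` that drops only the ASNs named. Real implementations differ in details such as how mixed public/private paths are handled, so this is a model of the quoted description, not of the switch. The AS_PATH is constructed for illustration from the thread's ASNs: the fabric ASN 65001 on the iBGP leg inside the VRF and 65011 as the ASN presented to the external party.

```python
"""Model of two ways to keep an ASN out of an exported AS_PATH.

Added example, not code from the thread or from AOS-CX. 'remove-private-AS' is
modelled as the documentation quoted in the thread describes it (drop every
private ASN from the outbound path); 'set as-path exclude' drops only the ASNs
listed. The AS_PATH values below are constructed for illustration.
"""
from typing import Iterable, List

# Private-use ASN ranges, RFC 6996 (16-bit and 32-bit).
PRIVATE_AS_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_as(asn: int) -> bool:
    """True when the ASN falls in one of the RFC 6996 private-use ranges."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_AS_RANGES)


def remove_private_as(as_path: Iterable[int]) -> List[int]:
    """Simplified model of 'neighbor ... remove-private-AS' on the outbound update."""
    return [asn for asn in as_path if not is_private_as(asn)]


def as_path_exclude(as_path: Iterable[int], excluded: Iterable[int]) -> List[int]:
    """Model of a route-map 'set as-path exclude <asn> ...' applied outbound."""
    drop = set(excluded)
    return [asn for asn in as_path if asn not in drop]


def exported_path(internal_path: Iterable[int], local_as: int) -> List[int]:
    """eBGP export: the speaker prepends the AS it presents to the peer."""
    return [local_as] + list(internal_path)


if __name__ == "__main__":
    # Constructed: a VRF route whose iBGP leg ran under the fabric ASN 65001,
    # exported towards the external party, to whom the switch presents 65011.
    path = exported_path([65001], local_as=65011)                    # [65011, 65001]
    print("as sent without filtering: ", path)
    # Both ASNs are private, so remove-private-AS strips 65011 as well,
    # which is exactly the problem raised in the last post of the thread.
    print("remove-private-AS:         ", remove_private_as(path))           # []
    # Excluding only the fabric ASN leaves the ASN the external party assigned.
    print("set as-path exclude 65001: ", as_path_exclude(path, [65001]))   # [65011]
```

The model also shows why the `remove-private-AS` route is unsafe whenever the ASN agreed with the external party is itself private: the command cannot tell the two private ASNs apart, so an outbound filter that names the fabric ASN explicitly is the option that preserves the path the external party expects to see.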