Implementing Multicast VPN on Cisco IOS (Part 4 - BGP Signaling)

In previous releases:



Profile 0

Profile 1

Profile 3



In this part of the article, we will look at the option of replacing signaling within the overlay network from PIM to BGP.



As discussed earlier (see the article on BGP Auto-Discovery), in order to transmit analogs of PIM messages, several types of routes were invented in BGP, each of which carries certain functionality. Moreover, there are more route types than there are message types in PIM.







"Why put an owl on a globe?" - you may ask, because everything works great with PIM too. And, in general, you will be right. The main reason for such a knight's movement is scalability. PIM, being in essence a Soft Driven protocol, requires constant mailing of service messages for its operation, which at a certain size of implementation (if the number of nodes starts to exceed a couple of hundred or thousands) introduces limitations due to the inevitable load on the CPU. BGP is a Hard Driven protocol - i.e. if something was said once, it is not repeated; any BGP updates are solely due to changes in the network.



Today we will consider two scenarios: using PIM SSM and PIM ASM within C-VRF.



C-PIM SSM



For a simpler understanding of BGP signaling for building multicast trees, let's start our conversation with a simpler PIM SSM.



First of all, let's remove the current settings for the rendezvous point and disable traffic recipients:



CE4(config)#interface Loopback0
CE4(config-if)#no ip igmp join-group 231.1.1.2
CE4(config-if)#

CE15(config)#no ip pim bsr-candidate Loopback0 0
CE15(config)#no ip pim rp-candidate Loopback0 group-list 1


On all PEs, we will indicate that BGP will work for signaling instead of PIM. This is done with the following command:



ip vrf C-ONE
 mdt overlay use-bgp


The starting point for observation will be the situation without the presence of sources and recipients of multicast traffic. Only type-1 routes should be present in the BGP table:



PE1#show bgp ipv4 mvpn all 
BGP table version is 406, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
              t secondary path, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
 
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1.1.1.1:1 (default for vrf C-ONE)
 *>   [1][1.1.1.1:1][1.1.1.1]/12
                       0.0.0.0                            32768 ?
 *>i  [1][1.1.1.1:1][2.2.2.2]/12
                       2.2.2.2                  0    100      0 ?
 *>i  [1][1.1.1.1:1][3.3.3.3]/12
                       3.3.3.3                  0    100      0 ?
 *>i  [1][1.1.1.1:1][4.4.4.4]/12
                       4.4.4.4                  0    100      0 ?
Route Distinguisher: 2.2.2.2:1
 *>i  [1][2.2.2.2:1][2.2.2.2]/12
                       2.2.2.2                  0    100      0 ?
Route Distinguisher: 3.3.3.3:1
     Network          Next Hop            Metric LocPrf Weight Path
 *>i  [1][3.3.3.3:1][3.3.3.3]/12
                       3.3.3.3                  0    100      0 ?
Route Distinguisher: 4.4.4.4:1
 *>i  [1][4.4.4.4:1][4.4.4.4]/12
                       4.4.4.4                  0    100      0 ?


Let's connect the recipient:



CE4(config-if)#ip igmp join 230.1.1.1 source 11.11.11.11


On the nearest PE, a BGP route of the 7th type is created - this is the equivalent of the PIM (S, G) Join message:



PE4#show bgp ipv4 mvpn all 
Route Distinguisher: 1.1.1.1:1
 *>   [7][1.1.1.1:1][65001][11.11.11.11/32][230.1.1.1/32]/22
                       0.0.0.0                            32768 ?


Logically, this route should be present only on PE4 and PE1 (because it is through them that traffic should pass) and not on PE2 and PE3. Let's check:



PE1#show bgp ipv4 mvpn all | b \[7\]
 *>i  [7][1.1.1.1:1][65001][11.11.11.11/32][230.1.1.1/32]/22
                       4.4.4.4                  0    100      0 ?

PE2#show bgp ipv4 mvpn all | b \[7\]
PE2#

PE3#show bgp ipv4 mvpn all | b \[7\]
PE3#


How is it that the route originally spawned on PE4 is only imported on PE1?



Let's look at the entry in the BGP table in more detail:



PE4#show bgp ipv4 mvpn all route-type 7 1.1.1.1:1 65001 11.11.11.11 230.1.1.1 
BGP routing table entry for [7][1.1.1.1:1][65001][11.11.11.11/32][230.1.1.1/32]/22, version 533
Paths: (1 available, best #1, table MVPNv4-BGP-Table)
  Advertised to update-groups:
     7         
  Refresh Epoch 1
  Local
    0.0.0.0 from 0.0.0.0 (4.4.4.4)
      Origin incomplete, localpref 100, weight 32768, valid, sourced, local, best
      Extended Community: RT:1.1.1.1:1
      rx pathid: 1, tx pathid: 0x0


The prefix entry contains the extended community Route-target = 1.1.1.1:1, which was added to the vpnv4 prefix by the router, which from the point of PE4 is an RPF neighbor:



PE1#show bgp vpnv4 unicast rd 1.1.1.1:1 11.11.11.11/32
BGP routing table entry for 1.1.1.1:1:11.11.11.11/32, version 670
Paths: (1 available, best #1, table C-ONE)
  Advertised to update-groups:
     1          17        
  Refresh Epoch 4
  65011
    172.1.11.11 (via vrf C-ONE) from 172.1.11.11 (11.11.11.11)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Extended Community: RT:65001:1 MVPN AS:65001:0.0.0.0 MVPN VRF:1.1.1.1:1
      mpls labels in/out 10018/nolabel
      rx pathid: 0, tx pathid: 0x0
PE1#

PE2#show bgp vpnv4 unicast rd 2.2.2.2:1 11.11.11.11/32
BGP routing table entry for 2.2.2.2:1:11.11.11.11/32, version 762
Paths: (1 available, best #1, table C-ONE)
  Advertised to update-groups:
     1         
  Refresh Epoch 152
  65011, imported path from 1.1.1.1:1:11.11.11.11/32 (global)
    1.1.1.1 (metric 4) (via default) from 8.8.8.8 (8.8.8.8)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:65001:1 MVPN AS:65001:0.0.0.0 MVPN VRF:1.1.1.1:1
      Originator: 1.1.1.1, Cluster list: 8.8.8.8
      Connector Attribute: count=1
       type 1 len 12 value 1.1.1.1:1:1.1.1.1
      mpls labels in/out nolabel/10018
      rx pathid: 0, tx pathid: 0x0


Let's check the connectivity:



CE1#ping 230.1.1.1 so 11.11.11.11 rep 3   
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 230.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11 
 
Reply to request 0 from 14.14.14.14, 7 ms
Reply to request 0 from 14.14.14.14, 8 ms
Reply to request 1 from 14.14.14.14, 7 ms
Reply to request 1 from 14.14.14.14, 9 ms
Reply to request 2 from 14.14.14.14, 7 ms
Reply to request 2 from 14.14.14.14, 7 ms


C-PIM ASM



In the case of C-PIM in SSM mode, everything is quite simple. For mVPN to work correctly, it is enough to create two additional (types) BGP routes.



But what if a more complex ASM PIM is used inside the C-VRF? 



First of all, we see that all CEs know information about the rendezvous point:



CE2#show ip pim rp mapp
CE2#show ip pim rp mapping 
Auto-RP is not enabled
PIM Group-to-RP Mappings
 
Group(s) 231.1.1.0/24
  RP 15.15.15.15 (?), v2
    Info source: 15.15.15.15 (?), via bootstrap, priority 0, holdtime 150
         Uptime: 1d04h, expires: 00:02:09
CE2#


How? If we look at the BGP table, we will not find any hint of this point there:



PE1#show bgp ipv4 mvpn all 
BGP table version is 682, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
              t secondary path, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
 
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1.1.1.1:1 (default for vrf C-ONE)
 *>   [1][1.1.1.1:1][1.1.1.1]/12
                       0.0.0.0                            32768 ?
 *>i  [1][1.1.1.1:1][2.2.2.2]/12
                       2.2.2.2                  0    100      0 ?
 *>i  [1][1.1.1.1:1][3.3.3.3]/12
                       3.3.3.3                  0    100      0 ?
 *>i  [1][1.1.1.1:1][4.4.4.4]/12
                       4.4.4.4                  0    100      0 ?
Route Distinguisher: 2.2.2.2:1
 *>i  [1][2.2.2.2:1][2.2.2.2]/12
                       2.2.2.2                  0    100      0 ?
Route Distinguisher: 3.3.3.3:1
     Network          Next Hop            Metric LocPrf Weight Path
 *>i  [1][3.3.3.3:1][3.3.3.3]/12
                       3.3.3.3                  0    100      0 ?
Route Distinguisher: 4.4.4.4:1
 *>i  [1][4.4.4.4:1][4.4.4.4]/12
                       4.4.4.4                  0    100      0 ?


Do not forget that we have a PMSTI with PIM activated:



PE1#show ip pim vrf C-ONE interface 
 
Address          Interface                Ver/   Nbr    Query  DR         DR
                                          Mode   Count  Intvl  Prior
172.1.11.1       GigabitEthernet2.111     v2/S   1      30     1          172.1.11.11
172.1.15.1       GigabitEthernet2.115     v2/S   1      30     1          172.1.15.15
1.1.1.1          Tunnel2                  v2/S   0      30     1          1.1.1.1






From this, an important conclusion can be drawn - some PIM messages (even with BGP signaling) are transmitted over the core network within the Default MDT .





Imagine a source appears on the network (behind the CE2 router) Since there are currently no mRIB entries on CE2, the PIM Designated Router (in our case, it is CE2 itself) sends a Register message to the rendezvous point, thereby signaling the presence of an active source in the network.





A tree is created at the rendezvous point (12.12.12.12, 231.1.1.1):



CE5#show ip mroute | b \(
(*, 231.1.1.1), 00:00:19/stopped, RP 15.15.15.15, flags: SP
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null
 
(12.12.12.12, 231.1.1.1), 00:00:19/00:02:40, flags: P
  Incoming interface: GigabitEthernet2.115, RPF nbr 172.1.15.1
  Outgoing interface list: Null


And, since there are no active traffic recipients on the network (there is no tree (*, 231.1.1.1)), then a Register-Stop message is generated from the CE5 side







In response to receiving Register-Stop, CE2 suspends data transmission (no interfaces in OIL):



CE2#show ip mroute 231.1.1.1               
 
(12.12.12.12, 231.1.1.1), 00:00:07/00:02:54, flags: PFT
  Incoming interface: Loopback0, RPF nbr 0.0.0.0
  Outgoing interface list: Null


Now, imagine that there is a recipient on the network interested in traffic for group 231.1.1.1. On PE4, a route appears inside the C-VRF:



PE4#show ip mroute vrf C-ONE 231.1.1.1 | b \(
(*, 231.1.1.1), 00:00:44/00:02:45, RP 15.15.15.15, flags: Sg
  Incoming interface: Tunnel0, RPF nbr 1.1.1.1
  Outgoing interface list:
    GigabitEthernet2.414, Forward/Sparse, 00:00:44/00:02:45


And a BGP route of the 6th type is created, which is the equivalent of PIM Join (*, 231.1.1.1):



PE4#show bgp ipv4 mvpn all
Route Distinguisher: 1.1.1.1:1
 *>   [6][1.1.1.1:1][65001][15.15.15.15/32][231.1.1.1/32]/22
                       0.0.0.0                            32768 ?
 
PE4#show bgp ipv4 mvpn all route-type 6 1.1.1.1:1 65001 15.15.15.15 231.1.1.1
BGP routing table entry for [6][1.1.1.1:1][65001][15.15.15.15/32][231.1.1.1/32]/22, version 808
Paths: (1 available, best #1, table MVPNv4-BGP-Table)
  Advertised to update-groups:
     8         
  Refresh Epoch 1
  Local
    0.0.0.0 from 0.0.0.0 (4.4.4.4)
      Origin incomplete, localpref 100, weight 32768, valid, sourced, local, best
      Extended Community: RT:1.1.1.1:1
      rx pathid: 1, tx pathid: 0x0


In the above output, you need to note the extended community Route-target = 1.1.1.1:1. What is it and where did it come from?



Let's check the presence of this prefix on other PEs:



PE2#show bgp ipv4 mvpn all route-type 6 1.1.1.1:1 65001 15.15.15.15 231.1.1.1
% Network not in table
 
PE3#show bgp ipv4 mvpn all route-type 6 1.1.1.1:1 65001 15.15.15.15 231.1.1.1
% Network not in table

PE1#show bgp ipv4 mvpn all route-type 6 1.1.1.1:1 65001 15.15.15.15 231.1.1.1
BGP routing table entry for [6][1.1.1.1:1][65001][15.15.15.15/32][231.1.1.1/32]/22, version 698
Paths: (1 available, best #1, table MVPNv4-BGP-Table)
  Not advertised to any peer
  Refresh Epoch 2
  Local
    4.4.4.4 (metric 3) from 8.8.8.8 (8.8.8.8)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:1.1.1.1:1
      Originator: 4.4.4.4, Cluster list: 8.8.8.8
      rx pathid: 0, tx pathid: 0x0


Those. the prefix exists only on PE1. What's interesting is the fact that the rendezvous point (15.15.15.15) is located on the site behind PE1.



Knowing the purpose of the Route-target (import of routes into a specific VRF), the conclusion suggests itself - RT = 1.1.1.1:1 is known to PE1 and unknown to PE2 / PE3. That is, the fact is obvious that PE4 generated a BGP route describing the PIM Shared Tree Join in such a way that it was processed only on the PE behind which the rendezvous point is actually located (in fact, this is an analogue of the PIM Join transmission through the RPF interface). But how do PE1 and PE4 reconcile Route-target values?



PE4 conducts RPF for rendezvous point address:



PE4#show ip rpf vrf C-ONE 15.15.15.15
RPF information for ? (15.15.15.15)
  RPF interface: Tunnel0
  RPF neighbor: ? (1.1.1.1)
  RPF route/mask: 15.15.15.15/32
  RPF type: unicast (bgp 65001)
  Doing distance-preferred lookups across tables
  BGP originator: 1.1.1.1
  RPF topology: ipv4 multicast base, originated from ipv4 unicast base


PE1 is seen as RPF neighbor. This means that PE4 must place a Route-target inside a Type 6 route that only PE1 will import. To answer the question "how does PE4 know it?" - let's see, for starters, the vpn route:



PE4#show bgp vpnv4 unicast vrf C-ONE 15.15.15.15/32
BGP routing table entry for 4.4.4.4:1:15.15.15.15/32, version 859
Paths: (1 available, best #1, table C-ONE)
  Advertised to update-groups:
     1         
  Refresh Epoch 1
  65015, imported path from 1.1.1.1:1:15.15.15.15/32 (global)
    1.1.1.1 (metric 3) (via default) from 8.8.8.8 (8.8.8.8)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:65001:1 MVPN AS:65001:0.0.0.0 MVPN VRF:1.1.1.1:1
      Originator: 1.1.1.1, Cluster list: 8.8.8.8
      Connector Attribute: count=1
       type 1 len 12 value 1.1.1.1:1:1.1.1.1
      mpls labels in/out nolabel/10013
      rx pathid: 0, tx pathid: 0x0


Note the additional MVPN VRF community: 1.1.1.1: 1. This is nothing more than the Route Import community generated by PE1. It is this value that is copied as a Route-target inside the multicast route, which allows PE1 to import the received update from PE4.



The result of processing BGP route type 6 on PE4 is the creation of an entry in the multicast routing table:



PE4#show ip mroute vrf C-ONE
 
(*, 231.1.1.1), 00:23:31/00:02:33, RP 15.15.15.15, flags: Sg
  Incoming interface: Tunnel0, RPF nbr 1.1.1.1
  Outgoing interface list:
    GigabitEthernet2.414, Forward/Sparse, 00:23:31/00:02:33


Note - Note that Tunnel0 (PMSTI) is specified as the input interface.



At the rendezvous point, the creation of a common tree is completed:



CE5#show ip mroute | b \(
(*, 231.1.1.1), 00:25:42/00:03:22, RP 15.15.15.15, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    GigabitEthernet2.115, Forward/Sparse, 00:25:42/00:03:22






Now, if an active traffic source appears on the network again, the rendezvous point will know how to "combine" (*, 231.1.1.1) and (12.12.12.12, 231.1.1.1) trees.



CE5#show ip mroute | b \(
(*, 231.1.1.1), 00:47:12/stopped, RP 15.15.15.15, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    GigabitEthernet2.115, Forward/Sparse, 00:47:12/00:02:31
 
(12.12.12.12, 231.1.1.1), 00:00:23/00:02:43, flags: PT
  Incoming interface: GigabitEthernet2.115, RPF nbr 172.1.15.1
  Outgoing interface list: Null


The rendezvous point creates a PIM Join (12.12.12.12, 231.1.1.1), sending it towards CE2. PE1 receives the specified PIM Join and creates a BGP route of the 7th type:



PE1#show bgp ipv4 mvpn all 
Route Distinguisher: 2.2.2.2:1
 *>   [7][2.2.2.2:1][65001][12.12.12.12/32][231.1.1.1/32]/22
                       0.0.0.0                            32768 ?
 
PE1#show bgp ipv4 mvpn all route-type 7 2.2.2.2:1 65001 12.12.12.12 231.1.1.1
BGP routing table entry for [7][2.2.2.2:1][65001][12.12.12.12/32][231.1.1.1/32]/22, version 726
Paths: (1 available, best #1, table MVPNv4-BGP-Table)
  Advertised to update-groups:
     8         
  Refresh Epoch 1
  Local
    0.0.0.0 from 0.0.0.0 (1.1.1.1)
      Origin incomplete, localpref 100, weight 32768, valid, sourced, local, best
      Extended Community: RT:2.2.2.2:1
      rx pathid: 1, tx pathid: 0x0


Please note that the Remote VPN RD value is set to 2.2.2.2:1, since it is through PE2 that the RPF check of the route is completed:



PE1#show ip rpf vrf C-ONE 12.12.12.12
RPF information for ? (12.12.12.12)
  RPF interface: Tunnel2
  RPF neighbor: ? (2.2.2.2)
  RPF route/mask: 12.12.12.12/32
  RPF type: unicast (bgp 65001)
  Doing distance-preferred lookups across tables
  BGP originator: 2.2.2.2
  RPF topology: ipv4 multicast base, originated from ipv4 unicast base


And RT 2.2.2.2:1 has been added to VPNv4 a prefix from the PE2 side:



PE1#show bgp vpnv4 unicast vrf C-ONE 12.12.12.12
BGP routing table entry for 1.1.1.1:1:12.12.12.12/32, version 706
Paths: (1 available, best #1, table C-ONE)
  Advertised to update-groups:
     1         
  Refresh Epoch 2
  65012, imported path from 2.2.2.2:1:12.12.12.12/32 (global)
    2.2.2.2 (metric 4) (via default) from 8.8.8.8 (8.8.8.8)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:65001:1 MVPN AS:65001:0.0.0.0 MVPN VRF:2.2.2.2:1
      Originator: 2.2.2.2, Cluster list: 8.8.8.8
      Connector Attribute: count=1
       type 1 len 12 value 2.2.2.2:1:2.2.2.2
      mpls labels in/out nolabel/31
      rx pathid: 0, tx pathid: 0x0


This step, in fact, completes the construction of the tree (12.12.12.12, 231.1.1.1) in the section between the source and the rendezvous point:





After receiving a route of the 7th type, PE2 generates a route of the 5th type, signaling the presence of an active traffic source in the network. The route is imported by all PE devices.



PE2#show bgp ipv4 mvpn all
 
Route Distinguisher: 2.2.2.2:1 (default for vrf C-ONE)
 *>   [5][2.2.2.2:1][12.12.12.12][231.1.1.1]/18
                       0.0.0.0                            32768 ?
 
 PE2#show bgp ipv4 mvpn all route-type 5 12.12.12.12 231.1.1.1
BGP routing table entry for [5][2.2.2.2:1][12.12.12.12][231.1.1.1]/18, version 838
Paths: (1 available, best #1, table MVPNv4-BGP-Table, not advertised to EBGP peer)
  Advertised to update-groups:
     8         
  Refresh Epoch 1
  Local
    0.0.0.0 from 0.0.0.0 (2.2.2.2)
      Origin incomplete, localpref 100, weight 32768, valid, sourced, local, best
      Community: no-export
      Extended Community: RT:65001:1
      rx pathid: 0, tx pathid: 0x0


When a route type 5 is received, on PE4 (where the receiver is located), the creation of a multicast tree is completed:



PE4#show ip mroute vrf C-ONE
 
(12.12.12.12, 231.1.1.1), 00:22:24/00:02:51, flags: TnQ
  Incoming interface: Tunnel0, RPF nbr 2.2.2.2
  Outgoing interface list:
    GigabitEthernet2.414, Forward/Sparse, 00:22:24/00:03:19


Note - pay attention to the Q flag, which indicates that the entry was created thanks to the BGP Source-Active message 





The considered variant of the mVPN organization is codenamed "Profile 11". Its main characteristics:



  • Default MDT is used to transmit multicast traffic to the superimposed network
  • the mGRE protocol is used as a transport organization method
  • BGP protocol is used to signal the multicast tree within the imposed network



All Articles