Inter AS Option A Design Considerations and Comparison

Inter-AS Option A is the easiest, most flexible, and most secure inter-autonomous-system MPLS VPN technology.

I am explaining this topic in deep detail in my CCDE Training Bootcamp and CCDE course.

In the below topology VPN Customers A and B are connected to two different service providers via MPLS Layer 3 VPN. In order to have end-to-end MPLS VPN service, Service Providers use special mechanisms.

In this article, I will explain the most basic one which is Inter-AS Option A, though there are many other things you need to know about Inter-AS Option A.

Our aim is to carry all the customer routes between the service providers.

There are many different ways of handling this case. In this post, I will explain Inter AS Option A MPLS/VPN, also known as the VRF-to-VRF approach.

Figure 1: Inter-AS Option A

I will use the topology depicted in fig. 1 throughout this post to explain Inter AS Option A operation.

In the above diagram, we have two service providers and two customers which require Inter-AS MPLS VPN service.

The PE routers that connect the two providers are also known as ASBRs (Autonomous System Boundary Routers).

Inter-AS Option A: an ASBR router in one Autonomous System attaches directly to an ASBR router in another Autonomous System.

The two ASBR routers are attached by multiple sub-interfaces, at least one for each of the VPNs whose routes need to be passed from one AS to the other. Each of those sub-interfaces is associated with a VRF table.

For each customer, service providers could use separate physical connections instead of sub-interfaces. However, doing that would not produce optimal resource utilization.

PE routers connected to the CE devices run MP-IBGP, either through full mesh or through RR (route reflector).

Inter-AS Option A allows ASBR routers to keep all the VRFs for customers who require Inter AS service.

SP-A and SP-B ASBR routers maintain a VPN forwarding table in LFIB. Furthermore, they keep routing information in RIB and FIB.

Compared to the other Inter-AS options, ASBRs have high memory usage in Inter-AS Option A.

However, the other Inter-AS VPN options do not have these capabilities.

ASBRs can either run the same routing protocol with the customer on the VRFs or use just EBGP.

For example, if the requirement for Customer A is to keep routing information, such as metrics, end to end, SP-A and SP-B run the same routing protocol on the ASBRs and on the PE devices to which the customer CE devices are attached.

With Inter-AS Option A, SP-A and SP-B have to manage redistribution at the ASBRs, because the routes appear to the ASBR as BGP routes from remote PEs. For Customer A, those routes need to be redistributed from BGP to the Customer A PE-CE routing protocol, and from the Customer A PE-CE routing protocol to BGP.

ASBRs associate each such sub-interface with a VRF.

Inter-AS Option A does not require MPLS at the ASBRs unlike the other Inter AS options.
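
The two properties stated above (every inter-AS sub-interface is bound to a VRF, and no MPLS runs on the ASBR-to-ASBR link) can be checked against an ASBR configuration. The following is an added example, not code from the original article; the IOS-style sample configuration, interface names, VRF names and addresses are constructed for illustration.

```python
import re

# Constructed IOS-style ASBR configuration (not from the article): interface names,
# VLAN IDs, VRF names and addresses are assumptions for illustration.
SAMPLE_ASBR_CONFIG = """\
interface GigabitEthernet0/1
 no ip address
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip vrf forwarding CUST-A
 ip address 192.0.2.1 255.255.255.252
interface GigabitEthernet0/1.200
 encapsulation dot1Q 200
 ip vrf forwarding CUST-B
 ip address 192.0.2.5 255.255.255.252
interface GigabitEthernet0/1.300
 encapsulation dot1Q 300
 ip address 192.0.2.9 255.255.255.252
 mpls ip
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from an IOS-style config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        match = re.match(r"interface (\S+)", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # left the interface stanza
    return interfaces

def audit_option_a(config, link="GigabitEthernet0/1"):
    """Check the Option A properties on every sub-interface of the inter-AS link."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if not name.startswith(link + "."):
            continue
        vrfs = [c.split()[-1] for c in cmds if re.match(r"(ip )?vrf forwarding \S+$", c)]
        if not vrfs:
            findings.append((name, "not bound to a VRF"))
        if any(c.startswith("mpls ") for c in cmds):
            findings.append((name, "MPLS enabled on inter-AS sub-interface"))
    return findings

if __name__ == "__main__":
    print(audit_option_a(SAMPLE_ASBR_CONFIG))
```

In the constructed sample, only sub-interface .300 is flagged: it sits in the global routing table and has MPLS enabled, so it is not a VRF-to-VRF attachment.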

Since we need to have a separate VRF and sub-interface for each customer VPN, separate routing protocol, and deal with redistribution for each protocol, it is operationally cumbersome and thus hard to scale.

Since there is only IP routing between the ASes, Option A is considered the most secure of all the Inter-AS options.

In addition, it is the easiest option to implement between the ASes because Option A does not require another control plane mechanism between service provider ASBRs such as LDP, BGP+label, or BGP-VPNv4.

Between the service providers on ASBRs, either IGP protocols or EBGP are used.

More importantly, other Inter AS Options (Inter-AS Option B and Inter-AS Option C) require additional control-plane protocols to advertise the customer or infrastructure prefixes between the ASBRs.

Since only IP traffic (not MPLS) passes between the service providers, the most granular QoS implementation is achieved with Option A (per sub-interface and IP DSCP vs. MPLS EXP).

For all Inter-AS options, customers commonly have to trust the service provider for data integrity, confidentiality, and availability.

MPLS does not encrypt the packets; if a customer needs end-to-end encryption, the customer can deploy IPsec.

The below Inter-AS MPLS VPN Options Comparison Table gives you the most comprehensive analysis. In real life and also for the design exams it will be very useful since the comparison is done from the design point of view.

Figure - Inter-AS MPLS VPN Options Comparison

Do you use MPLS VPN service? Is it from one provider or multiple providers?

Let's talk about your design in the comment section.

To gain a solid understanding of SP networks, you can check my newly published SP Book. It covers SP network technologies and also explains a fictitious SP network in detail.

Created by
Orhan Ergun