MPLS Integrators Blog


Monday 5 October 2015

Troubleshooting LSP to a non-/32 route in IOS-XR

Problem statement

Continuing our Inter-AS MPLS topic, today we will focus on troubleshooting LSPs towards non-/32 routes. A typical case of this kind of problem is OSPF announcing a /32 prefix for a loopback that has a /24 mask configured. This one is probably more of a CCIE lab scenario, however there are certain valid use cases for it, and one of them is Inter-AS MPLS Option B. In this kind of scenario, there is a transit link with probably a /30 or even a /31 mask (ARIN is exhausted, right?). Let's say the VPNv4 session between providers runs directly over the physical interface IPs (not loopbacks). When labels are announced for routes, the next hops are /30 IPs, and even though the control plane looks "fine", the data plane will be broken.

Hint: In Classic IOS, this problem is solved automatically: as soon as the BGP VPNv4 session comes up over the transit link, two things are done in the background:
  • The "mpls bgp forwarding" command is configured on the interface to install BGP-advertised labels in the LFIB
  • A connected /32 route pointing to the transit interface is installed into the RIB

Initial data

* Transit link is 150.0.0.0/31

* CE advertised ranges:

198.51.100.0/24 - advertised by neighbouring AS

14.14.14.14/32 - advertised by the AS local to the ASBR

Verification

PE

RP/0/0/CPU0:PE#show route vrf CUSTOMER_A
Mon Oct 5 14:59:06.338 UTC
---omitted for brevity---
B 14.14.14.14/32 [20/0] via 10.13.14.14, 4d23h
B 198.51.100.0/24 [200/0] via 11.11.11.11 (nexthop in vrf default), 2d21h

RP/0/0/CPU0:PE#show bgp vpnv4 uni rd 5.5.5.5:1 198.51.100.0/24
Mon Oct 5 15:02:11.965 UTC
BGP routing table entry for 198.51.100.0/24, Route Distinguisher: 5.5.5.5:1
Versions:
Process bRIB/RIB SendTblVer
Speaker 34 34
Last Modified: Oct 2 17:55:33.842 for 2d21h
Paths: (1 available, best #1)
Not advertised to any peer
Path #1: Received by speaker 0
Not advertised to any peer
65099 65003 65101
11.11.11.11 (metric 20) from 12.12.12.12 (11.11.11.11)
Received Label 24006
Origin IGP, localpref 100, valid, internal, best, group-best, import-candidate, not-in-vrf
Received Path ID 0, Local Path ID 1, version 34
Extended community: RT:65101:101
Originator: 11.11.11.11, Cluster list: 12.12.12.12

RP/0/0/CPU0:R13#show cef 11.11.11.11 detail
Mon Oct 5 15:04:09.267 UTC
11.11.11.11/32, version 14, internal 0x1000001 0x0 (ptr 0xa140c674) [1], 0x0 (0xa13d7830), 0xa28 (0xa156d190)
Updated Sep 30 18:09:09.131
local adjacency 10.12.13.12
Prefix Len 32, traffic index 0, precedence n/a, priority 3
gateway array (0xa12a0980) reference count 6, flags 0x68, source lsd (5), 1 backups
[3 type 5 flags 0x8081 (0xa1587320) ext 0x0 (0x0)]
LW-LDI[type=5, refc=3, ptr=0xa13d7830, sh-ldi=0xa1587320]
gateway array update type-time 1 Sep 30 13:44:19.599
LDI Update time Sep 30 13:44:19.599
LW-LDI-TS Sep 30 13:44:19.599
via 10.12.13.12, GigabitEthernet0/0/0/0.1213, 5 dependencies, weight 0, class 0 [flags 0x0]
path-idx 0 NHID 0x0 [0xa107d3a0 0x0]
next hop 10.12.13.12
local adjacency
local label 24001 labels imposed {24001}


Load distribution: 0 (refcount 3)

Hash OK Interface Address
0 Y GigabitEthernet0/0/0/0.1213 10.12.13.12

ASBR

RP/0/0/CPU0:R11#show mpls forwarding 
Mon Oct 5 15:04:25.530 UTC
Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes
Label  Label       or ID              Interface                    Switched
------ ----------- ------------------ ------------ --------------- ------------
24004  24002       13.13.13.13:65002:14.14.14.14/32 \
                                                   13.13.13.13     371616
24005  Aggregate   150.0.0.0/31       default                      0
24006  299856      5.5.5.5:1:198.51.100.0/24 \
                                                   150.0.0.0       303216

Someone experienced in IOS-XR would notice the problem immediately. Let's see detailed output:

RP/0/0/CPU0:R11#show mpls forwarding detail 
Mon Oct 5 15:08:22.634 UTC
Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes
Label  Label       or ID              Interface                    Switched
------ ----------- ------------------ ------------ --------------- ------------
24006  299856      5.5.5.5:1:198.51.100.0/24 \
                                                   150.0.0.0       303216
Updated Oct 2 17:51:25.110
Path Flags: 0x6000 [ ]
MAC/Encaps: 0/0, MTU: 0
Label Stack (Top -> Bottom): { }
Packets Switched: 2916

Let's verify next hop:

RP/0/0/CPU0:R11#show route ipv4 150.0.0.0       
Mon Oct 5 15:10:38.315 UTC

Routing entry for 150.0.0.0/31
Known via "connected", distance 0, metric 0 (connected)
Installed Oct 2 17:33:12.435 for 2d21h
Routing Descriptor Blocks
directly connected, via GigabitEthernet0/0/0/1
Route metric is 0
No advertising protos.
RP/0/0/CPU0:R11#show mpls forwarding prefix ipv4 unicast 150.0.0.0/31
Mon Oct 5 15:12:10.369 UTC
Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes
Label  Label       or ID              Interface                    Switched
------ ----------- ------------------ ------------ --------------- ------------
24005  Aggregate   150.0.0.0/31       default                      0

An outgoing label of "Aggregate" means that the router will pop the whole label stack and do an IP lookup.

And if we enable debugging, we see the following message:

RP/0/0/CPU0:Oct  5 16:50:19.095 : netio[309]: [mpls_switch:2818] Pkt Drop: mpls_switch: GigabitEthernet0_0_0_0.1112, No LFIB entry found for in_label 24006

It becomes even more confusing if you look back at the LFIB table in one of the previous outputs, where you can see that the outgoing label for 24006 actually exists and is 299856.

The root cause of this problem is a missing /32 route for the BGP next hop.

Let's add this connected route manually and see what happens.

router static
address-family ipv4 unicast
150.0.0.0/32 GigabitEthernet0/0/0/1
!
!
RP/0/0/CPU0:ASBR#show mpls forwarding detail
24006  299856      5.5.5.5:1:198.51.100.0/24   \
Gi0/0/0/1 150.0.0.0 303840
Updated Oct 2 17:51:25.110
Path Flags: 0x6000 [ ]
Version: 30, Priority: 4
MAC/Encaps: 14/18, MTU: 1500
Label Stack (Top -> Bottom): { 299856 }
NHID: 0
Packets Switched: 2922

Now we see that the outgoing interface was determined and the label stack is no longer empty. As soon as the /32 route was added, forwarding was restored.
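
The same check can be scripted against collected output. The Python below is an added example, not part of the original post: it parses "show mpls forwarding detail" text, reports swap entries whose label stack and encapsulation are empty, and checks a list of RIB prefixes for a /32 to the next hop. The function names and the RIB-as-list input are assumptions of the example; the sample text is built from the two entries quoted above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed samples: the two LFIB entries quoted in this post, before and
# after the static 150.0.0.0/32 route was configured.
BEFORE = """\
24006 299856 5.5.5.5:1:198.51.100.0/24 \\
150.0.0.0 303216
Updated Oct 2 17:51:25.110
Path Flags: 0x6000 [ ]
MAC/Encaps: 0/0, MTU: 0
Label Stack (Top -> Bottom): { }
Packets Switched: 2916
"""
AFTER = """\
24006 299856 5.5.5.5:1:198.51.100.0/24 \\
Gi0/0/0/1 150.0.0.0 303840
Updated Oct 2 17:51:25.110
Path Flags: 0x6000 [ ]
Version: 30, Priority: 4
MAC/Encaps: 14/18, MTU: 1500
Label Stack (Top -> Bottom): { 299856 }
NHID: 0
Packets Switched: 2922
"""

HEADER = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")
ENCAPS = re.compile(r"MAC/Encaps:\s*(\d+)/(\d+),\s*MTU:\s*(\d+)")
STACK = re.compile(r"Label Stack \(Top -> Bottom\):\s*\{([^}]*)\}")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class LfibEntry:
    local: int
    outgoing: str                       # label number, or a word such as "Aggregate"
    prefix: str
    out_if: Optional[str] = None
    next_hop: Optional[str] = None
    encaps: Optional[Tuple[int, int]] = None
    mtu: Optional[int] = None
    stack: Optional[List[int]] = None   # stays None if no detail lines were present


def _set_path(entry: LfibEntry, columns: str) -> None:
    """Fill interface / next hop from the columns that follow the prefix."""
    for tok in columns.split()[:-1]:    # last column is "Bytes Switched"
        if IPV4.match(tok):
            entry.next_hop = tok
        else:
            entry.out_if = tok


def parse_lfib(text: str) -> List[LfibEntry]:
    entries: List[LfibEntry] = []
    wrapped = False                     # previous row ended with "\"
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if wrapped:
            _set_path(entries[-1], line)
            wrapped = False
            continue
        row = HEADER.match(line)
        if row:
            entries.append(LfibEntry(int(row.group(1)), row.group(2), row.group(3)))
            rest = row.group(4).strip()
            wrapped = rest.endswith("\\")
            if not wrapped:
                _set_path(entries[-1], rest)
        elif entries:
            enc, stk = ENCAPS.search(line), STACK.search(line)
            if enc:
                entries[-1].encaps = (int(enc.group(1)), int(enc.group(2)))
                entries[-1].mtu = int(enc.group(3))
            if stk:
                entries[-1].stack = [int(x) for x in stk.group(1).split()]
    return entries


def audit(text: str, rib_prefixes: List[str]) -> List[Tuple[int, Optional[str], str]]:
    """Report swap entries that cannot forward, with the likely reason."""
    rib = {ipaddress.ip_network(p) for p in rib_prefixes}
    findings = []
    for e in parse_lfib(text):
        is_swap = e.outgoing.isdigit()
        dead = e.stack == [] or (e.encaps == (0, 0) and e.mtu == 0)
        if is_swap and dead:
            has_host = bool(e.next_hop) and ipaddress.ip_network(e.next_hop + "/32") in rib
            reason = "adjacency unresolved" if has_host else "no /32 route to next hop"
            findings.append((e.local, e.next_hop, reason))
    return findings


if __name__ == "__main__":
    print(audit(BEFORE, ["150.0.0.0/31"]))
    print(audit(AFTER, ["150.0.0.0/31", "150.0.0.0/32"]))
```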

Friday 18 September 2015

Interprovider Layer 3 VPN - Option C (Juniper + Cisco)

coming soon....

Interprovider Layer 3 VPN - Option B (Juniper + Cisco)

coming soon....

Interprovider Layer 3 VPN - Option A (Juniper + Cisco)

coming soon....

Inter-AS MPLS Layer 3 VPN - Option C (Cisco, 2 label stack)

Use case

In this post we will explain the Cisco version of the configuration for Inter-AS MPLS Option C, which is defined in RFC 4364. Albeit rarely implemented, this option is the most scalable one. A typical use case for it is an enterprise merger.

Configuration

There are 2 ways to configure Option C. Today we will explain the "2 label stack" version. In this type of setup, loopback addresses learned via BGP on the ASBR are redistributed into the IGP and known to every P and PE router inside the AS. Thus, only 2 labels are used to transport a packet from CE to CE.
In this example, the first AS will be comprised of IOS-XE boxes and the second AS will be using IOS-XR. The PE-CE routing protocol will be BGP and all 4 sites will use their own unique AS numbers to avoid the "allowas-in" and "as-override" BGP hacks. Some important specific configuration parameters will be explained in more detail.

CE1

Interface configuration

interface Loopback0
ip address 1.1.1.1 255.255.255.255
interface GigabitEthernet2.12
description PE_CE_LINK
encapsulation dot1Q 12
ip address 10.12.0.1 255.255.255.0

Routing protocol configuration

router bgp 65100
bgp log-neighbor-changes
network 1.1.1.1 mask 255.255.255.255
neighbor 10.12.0.2 remote-as 65001

PE1

Interface configuration

interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip router isis 1
interface GigabitEthernet2.12
encapsulation dot1Q 12
vrf forwarding CUSTOMER_A
ip address 10.12.0.2 255.255.255.0
interface GigabitEthernet2.23
encapsulation dot1Q 23
ip unnumbered Loopback0
ip router isis 1

VRF configuration

vrf definition CUSTOMER_A
rd 2.2.2.2:65001
!
address-family ipv4
route-target export 65001:100
route-target import 65001:100
exit-address-family

Routing protocols configuration

router isis 1
net 49.0000.0000.0002.00
is-type level-2-only
metric-style wide
mpls ldp autoconfig
!
router bgp 65001
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 3.3.3.3 remote-as 65001
neighbor 3.3.3.3 update-source Loopback0
!
address-family ipv4
exit-address-family
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf CUSTOMER_A
neighbor 10.12.0.1 remote-as 65100
neighbor 10.12.0.1 activate
exit-address-family

P1 (RR)

Interface configuration

interface Loopback0
ip address 3.3.3.3 255.255.255.255
ip router isis 1
interface GigabitEthernet2.23
encapsulation dot1Q 23
ip unnumbered Loopback0
ip router isis 1
interface GigabitEthernet2.34
encapsulation dot1Q 34
ip unnumbered Loopback0
ip router isis 1

Routing protocols configuration

router isis 1
net 49.0000.0000.0003.00
is-type level-2-only
metric-style wide
mpls ldp autoconfig
!
router bgp 65001
template peer-policy IBGP
route-reflector-client
send-community extended
exit-peer-policy
!
template peer-session IBGP
remote-as 65001
update-source Loopback0
exit-peer-session
!
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 2.2.2.2 inherit peer-session IBGP
neighbor 4.4.4.4 inherit peer-session IBGP
neighbor 12.12.12.12 remote-as 65002
neighbor 12.12.12.12 ebgp-multihop 5
neighbor 12.12.12.12 update-source Loopback0
!
address-family ipv4
exit-address-family
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
neighbor 2.2.2.2 inherit peer-policy IBGP
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended
neighbor 4.4.4.4 inherit peer-policy IBGP
neighbor 12.12.12.12 activate
neighbor 12.12.12.12 send-community extended
neighbor 12.12.12.12 next-hop-unchanged
exit-address-family
Hint: The eBGP session between route reflectors must preserve the next hop for VPNv4 routes. Otherwise, the RRs will be put into the data plane and connectivity will be broken, because VPNv4 routes are not programmed into the LFIB.

ASBR1

Interface configuration

interface Loopback0
ip address 4.4.4.4 255.255.255.255
ip router isis 1
interface GigabitEthernet2.34
encapsulation dot1Q 34
ip unnumbered Loopback0
ip router isis 1
interface GigabitEthernet2.114
encapsulation dot1Q 114
ip address 192.168.0.4 255.255.255.0
mpls bgp forwarding
Hint: The last command in this output is the result of a macro that is used in IOS-XE when you enable the labeled-unicast address family in BGP. Also, a very important fact to understand is that IOS-XE automatically adds the peer's /32 host route to the routing table, because otherwise the LSP will be broken (this /32 IP is the next hop for all loopbacks advertised via the labeled IPv4 unicast eBGP session on the ASBR).
ASBR1#show ip cef 13.13.13.13/32
13.13.13.13/32
nexthop 192.168.0.11 GigabitEthernet2.114 label 24001
ASBR1#show ip route 192.168.0.11
Routing entry for 192.168.0.11/32
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via GigabitEthernet2.114
Route metric is 0, traffic share count is 1

Routing protocols configuration

router bgp 65001
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 3.3.3.3 remote-as 65001
neighbor 3.3.3.3 update-source Loopback0
neighbor 192.168.0.11 remote-as 65002
!
address-family ipv4
redistribute isis 1 level-2 route-map ISIS_TO_BGP
neighbor 192.168.0.11 activate
neighbor 192.168.0.11 send-label
exit-address-family
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family

Route-maps and prefix-lists

ip prefix-list LOOPBACKS seq 5 permit 0.0.0.0/0 ge 32
!
route-map ISIS_TO_BGP permit 10
match ip address prefix-list LOOPBACKS
Hint: Of course, in a real life deployment nobody sane would redistribute BGP into IGP without a tight control of what is being redistributed, but for brevity we will omit this part in our configuration.
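
How loosely LOOPBACKS matches can be checked offline. The Python below is an added example, not part of the original post: it evaluates IOS prefix-list semantics (ge/le ranges, first match wins, implicit deny) and compares the page's list with an explicit one. The explicit list, the candidate routes and the function names are assumptions of the example.

```python
import ipaddress
from typing import List, NamedTuple

# From the page: the prefix-list used by route-map ISIS_TO_BGP on ASBR1.
PAGE_LIST = "ip prefix-list LOOPBACKS seq 5 permit 0.0.0.0/0 ge 32"

# Assumption for this example: only PE1 (2.2.2.2) and the RR (3.3.3.3) need to
# be reachable from the neighbouring AS, so only those /32s are listed.
EXPLICIT_LIST = """\
ip prefix-list LOOPBACKS seq 5 permit 2.2.2.2/32
ip prefix-list LOOPBACKS seq 10 permit 3.3.3.3/32
"""

# Constructed candidate routes, as they might be offered for redistribution.
CANDIDATES = ["2.2.2.2/32", "3.3.3.3/32", "4.4.4.4/32",
              "203.0.113.7/32", "192.168.0.0/24"]


class Rule(NamedTuple):
    seq: int
    permit: bool
    prefix: ipaddress.IPv4Network
    min_len: int
    max_len: int


def parse_prefix_list(config: str) -> List[Rule]:
    """Parse 'ip prefix-list NAME seq N permit|deny A.B.C.D/L [ge X] [le Y]'."""
    rules = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["ip", "prefix-list"] or len(t) < 7 or t[3] != "seq":
            continue
        prefix = ipaddress.ip_network(t[6])
        opts = dict(zip(t[7::2], map(int, t[8::2])))
        ge, le = opts.get("ge"), opts.get("le")
        # IOS semantics: no ge/le = exact length; ge only = ge..32;
        # le only = len..le; both = ge..le.
        min_len = ge if ge is not None else prefix.prefixlen
        max_len = le if le is not None else (32 if ge is not None else prefix.prefixlen)
        rules.append(Rule(int(t[4]), t[5] == "permit", prefix, min_len, max_len))
    return sorted(rules, key=lambda r: r.seq)


def permitted(rules: List[Rule], route: str) -> bool:
    """First matching entry decides; no match means implicit deny."""
    net = ipaddress.ip_network(route)
    for r in rules:
        if net.subnet_of(r.prefix) and r.min_len <= net.prefixlen <= r.max_len:
            return r.permit
    return False


def admitted(config: str, routes: List[str]) -> List[str]:
    rules = parse_prefix_list(config)
    return [r for r in routes if permitted(rules, r)]


def excess(loose: str, tight: str, routes: List[str]) -> List[str]:
    """Routes the loose list lets through that the tight list would stop."""
    tight_ok = set(admitted(tight, routes))
    return [r for r in admitted(loose, routes) if r not in tight_ok]


if __name__ == "__main__":
    print("page list admits:    ", admitted(PAGE_LIST, CANDIDATES))
    print("explicit list admits:", admitted(EXPLICIT_LIST, CANDIDATES))
    print("difference:          ", excess(PAGE_LIST, EXPLICIT_LIST, CANDIDATES))
```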

ASBR2

Interface configuration

interface Loopback0
ipv4 address 11.11.11.11 255.255.255.255
!
interface GigabitEthernet0/0/0/0.114
ipv4 address 192.168.0.11 255.255.255.0
encapsulation dot1q 114
!
interface GigabitEthernet0/0/0/0.1112
ipv4 address 10.11.12.11 255.255.255.0
encapsulation dot1q 1112

Routing protocols configuration

router static
address-family ipv4 unicast
192.168.0.4/32 GigabitEthernet0/0/0/0.114
!
!
Hint: Host route to an eBGP neighbor is not added automatically in IOS-XR, therefore it has to be done manually or label switched path will be broken.
router isis 1
is-type level-2-only
net 00.0000.0000.0011.00
address-family ipv4 unicast
metric-style wide
advertise passive-only
redistribute bgp 65002
mpls ldp auto-config
!
interface Loopback0
passive
address-family ipv4 unicast
!
!
interface GigabitEthernet0/0/0/0.1112
point-to-point
address-family ipv4 unicast
!
!
!
router bgp 65002
address-family ipv4 unicast
redistribute isis 1 route-policy ACCEPT_LOOPBACKS
allocate-label all
!
address-family vpnv4 unicast
!
neighbor 12.12.12.12
remote-as 65002
update-source Loopback0
address-family vpnv4 unicast
!
!
neighbor 192.168.0.4
remote-as 65001
address-family ipv4 labeled-unicast
route-policy ACCEPT_LOOPBACKS in
route-policy ACCEPT_LOOPBACKS out
!
!
!
Hint: Unless told explicitly, BGP process will not allocate labels to IPv4 routes even if labeled IPv4 session was configured.

Routing policy language configuration

prefix-set LOOPBACKS
0.0.0.0/0 eq 32
end-set
!
route-policy ACCEPT_LOOPBACKS
if destination in LOOPBACKS then
done
endif
end-policy
!

P2 (RR)

Interface configuration

interface Loopback0
ipv4 address 12.12.12.12 255.255.255.255
!
interface GigabitEthernet0/0/0/0.1112
ipv4 address 10.11.12.12 255.255.255.0
encapsulation dot1q 1112
!
interface GigabitEthernet0/0/0/0.1213
ipv4 address 10.12.13.12 255.255.255.0
encapsulation dot1q 1213

Routing protocols configuration

router isis 1
is-type level-2-only
net 00.0000.0000.0012.00
log adjacency changes
address-family ipv4 unicast
metric-style wide
advertise passive-only
mpls ldp auto-config
!
interface Loopback0
passive
address-family ipv4 unicast
!
!
interface GigabitEthernet0/0/0/0.1112
point-to-point
address-family ipv4 unicast
!
!
interface GigabitEthernet0/0/0/0.1213
point-to-point
address-family ipv4 unicast
!
!
!
router bgp 65002
address-family vpnv4 unicast
!
neighbor 3.3.3.3
remote-as 65001
ebgp-multihop 5
update-source Loopback0
address-family vpnv4 unicast
route-policy PASS_ALL in
route-policy PASS_ALL out
next-hop-unchanged
!
!
neighbor 11.11.11.11
remote-as 65002
update-source Loopback0
address-family vpnv4 unicast
route-reflector-client
!
!
neighbor 13.13.13.13
remote-as 65002
update-source Loopback0
address-family vpnv4 unicast
route-reflector-client
!
!
!

Routing policy language configuration

route-policy PASS_ALL
done
end-policy

PE2

Interface configuration

interface Loopback0
ipv4 address 13.13.13.13 255.255.255.255
!
interface GigabitEthernet0/0/0/0.1213
ipv4 address 10.12.13.13 255.255.255.0
encapsulation dot1q 1213
!
interface GigabitEthernet0/0/0/0.1314
vrf CUSTOMER_A
ipv4 address 10.13.14.13 255.255.255.0
encapsulation dot1q 1314
!

VRF configuration

vrf CUSTOMER_A
address-family ipv4 unicast
import route-target
65001:100
!
export route-target
65001:100
!
!
!

Routing protocols configuration

router isis 1
is-type level-2-only
net 00.0000.0000.0013.00
log adjacency changes
address-family ipv4 unicast
metric-style wide
advertise passive-only
mpls ldp auto-config
!
interface Loopback0
passive
address-family ipv4 unicast
!
!
interface GigabitEthernet0/0/0/0.1213
point-to-point
address-family ipv4 unicast
!
!
!
router bgp 65002
address-family ipv4 unicast
!
address-family vpnv4 unicast
!
neighbor 12.12.12.12
remote-as 65002
update-source Loopback0
address-family vpnv4 unicast
!
!
vrf CUSTOMER_A
rd 13.13.13.13:65002
address-family ipv4 unicast
!
neighbor 10.13.14.14
remote-as 65200
address-family ipv4 unicast
route-policy CUSTOMER_A in
route-policy CUSTOMER_A out
!
!
!
!

Routing policy language configuration

route-policy CUSTOMER_A
done
end-policy

CE2

Interface configuration

interface Loopback0
ipv4 address 14.14.14.14 255.255.255.255
!
interface GigabitEthernet0/0/0/0.1314
ipv4 address 10.13.14.14 255.255.255.0
encapsulation dot1q 1314
!

Routing protocol configuration

router bgp 65200
address-family ipv4 unicast
network 14.14.14.14/32
!
neighbor 10.13.14.13
remote-as 65002
address-family ipv4 unicast
route-policy PASS_ALL in
route-policy PASS_ALL out
!
!
!

Inter-AS MPLS Layer 3 VPN - Option C (Cisco, 3 label stack)

Use case

For more information about option C please go to one of our previous posts.

Configuration

Our topic today is the "3 label stack" version of Inter-AS MPLS VPN Option C. This scenario assumes that loopback addresses learned via the eBGP session between ASBRs are not redistributed into the IGP. This makes it impossible to use only 2 labels, because intermediate hops (P routers) do not know how to reach remote PEs. Traffic has to be tunneled from PE to ASBR using a transport label, a "VPN" label advertised via the iBGP labeled unicast session and a "VPN" label advertised by the remote PE for the particular VRF.
Only the differences in configuration compared to the "2 label stack" version are shown in this example.
Brief description of overall architecture:
  • new address family is activated inside AS, namely IPv4 AF with labeled routes
  • loopback addresses are not redistributed to IS-IS
  • these IPs are advertised from ASBR to RR with labels attached
  • PE pushes 3 labels to traffic received from CE

PE1

Routing protocols configuration

router bgp 65001
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 3.3.3.3 remote-as 65001
neighbor 3.3.3.3 update-source Loopback0
!
address-family ipv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-label
exit-address-family
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf CUSTOMER_A
neighbor 10.12.0.1 remote-as 65100
neighbor 10.12.0.1 activate
exit-address-family

Control plane verification

Let's confirm that loopback IP of remote PE was received via BGP with a label:
PE1#show ip bgp 13.13.13.13
BGP routing table entry for 13.13.13.13/32, version 63
Paths: (1 available, best #1, table default)
Not advertised to any peer
Refresh Epoch 2
65002
4.4.4.4 (metric 30) from 3.3.3.3 (3.3.3.3)
Origin incomplete, metric 20, localpref 100, valid, internal, best
Originator: 4.4.4.4, Cluster list: 3.3.3.3
mpls labels in/out nolabel/24
rx pathid: 0, tx pathid: 0x0
Label to reach next hop of this BGP route will be:
PE1#show ip cef 4.4.4.4/32
4.4.4.4/32
nexthop 3.3.3.3 GigabitEthernet2.23 label 17
VPN label advertised by remote PE is:
PE1#show bgp vpnv4 uni all 14.14.14.14/32
------output omitted for brevity------
BGP routing table entry for 13.13.13.13:65002:14.14.14.14/32, version 51
Paths: (1 available, best #1, no table)
Not advertised to any peer
Refresh Epoch 2
65002 65200
13.13.13.13 (metric 30) (via default) from 3.3.3.3 (3.3.3.3)
Origin IGP, metric 0, localpref 100, valid, internal, best
Extended Community: RT:65001:100
mpls labels in/out nolabel/24004
rx pathid: 0, tx pathid: 0x0
And the final check, to see the data plane:
PE1#show ip cef vrf CUSTOMER_A 14.14.14.14/32
14.14.14.14/32
nexthop 3.3.3.3 GigabitEthernet2.23 label 17 24 24004

P1 (RR)

Routing protocols configuration

router bgp 65001
address-family ipv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 route-reflector-client
neighbor 2.2.2.2 send-label
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 route-reflector-client
neighbor 4.4.4.4 send-label
exit-address-family

ASBR1

Routing protocols configuration

router isis 1
net 49.0000.0000.0004.00
is-type level-2-only
metric-style wide
mpls ldp autoconfig

ASBR2

Routing protocols configuration

router isis 1
is-type level-2-only
net 00.0000.0000.0011.00
address-family ipv4 unicast
metric-style wide
advertise passive-only
mpls ldp auto-config
!
interface Loopback0
passive
address-family ipv4 unicast
!
!
interface GigabitEthernet0/0/0/0.1112
point-to-point
address-family ipv4 unicast
!
!
!

P2 (RR)

Routing protocols configuration


router bgp 65002
address-family ipv4 unicast
!
address-family vpnv4 unicast
!
neighbor 11.11.11.11
remote-as 65002
update-source Loopback0
address-family ipv4 labeled-unicast
route-reflector-client
!
address-family vpnv4 unicast
route-reflector-client
!
!
neighbor 13.13.13.13
remote-as 65002
update-source Loopback0
address-family ipv4 labeled-unicast
route-reflector-client
!
address-family vpnv4 unicast
route-reflector-client
!
!
!

PE2


Routing protocols configuration

router bgp 65002
address-family ipv4 unicast
allocate-label all
!
address-family vpnv4 unicast
!
neighbor 12.12.12.12
remote-as 65002
update-source Loopback0
address-family ipv4 labeled-unicast
!
address-family vpnv4 unicast
!
!
!
Hint: Contrary to IOS-XE, by default, IOS-XR will not use BGP-learned next hops for VPNv4 routes. The "allocate-label" command is required to allow the PE router to do recursion for BGP routes and install the route in the LFIB.
RP/0/0/CPU0:PE2#show cef vrf CUSTOMER_A 1.1.1.1/32 detail
Wed Sep 30 18:34:34.896 UTC
1.1.1.1/32, version 15, internal 0x5000001 0x0 (ptr 0xa140c8f4) [1], 0x0 (0x0), 0x208 (0xa156d140)
Updated Sep 30 15:44:58.204
Prefix Len 32, traffic index 0, precedence n/a, priority 3
gateway array (0xa12a0888) reference count 1, flags 0x4038, source rib (7), 0 backups
[1 type 1 flags 0x40089 (0xa158726c) ext 0x0 (0x0)]
LW-LDI[type=0, refc=0, ptr=0x0, sh-ldi=0x0]
gateway array update type-time 5 Sep 30 18:09:09.111
LDI Update time Sep 30 18:09:09.111
via 2.2.2.2, 3 dependencies, recursive [flags 0x6000]
path-idx 0 NHID 0x0 [0xa15d57f4 0x0]
recursion-via-/32
next hop VRF - 'default', table - 0xe0000000
next hop 2.2.2.2 via 24003/0/21
next hop 10.12.13.12/32 Gi0/0/0/0.1213 labels imposed {24001 24003 18}

Load distribution: 0 (refcount 1)

Hash OK Interface Address
0 Y Unknown 24003/0

Without the "allocate-label" command, the next hop for VPNv4 cannot be resolved:

RP/0/0/CPU0:PE2#show cef vrf CUSTOMER_A 1.1.1.1/32 detail 
Wed Sep 30 17:59:41.819 UTC
1.1.1.1/32, version 15, internal 0x5000001 0x0 (ptr 0xa140c8f4) [1], 0x0 (0x0), 0x208 (0xa156d140)
Updated Sep 30 15:44:58.203
Prefix Len 32, traffic index 0, precedence n/a, priority 3
gateway array (0xa12a0888) reference count 1, flags 0x403a, source rib (7), 0 backups
[1 type 1 flags 0x140089 (0xa158726c) ext 0x0 (0x0)]
LW-LDI[type=0, refc=0, ptr=0x0, sh-ldi=0x0]
gateway array update type-time 3 Sep 30 17:59:38.839
LDI Update time Sep 30 17:36:07.056
via 2.2.2.2, 0 dependencies, recursive [flags 0x6000]
path-idx 0 NHID 0x0 [0xa0f07254 0x0]
recursion-via-/32
next hop VRF - 'default', table - 0xe0000000
unresolved
labels imposed {18}

Load distribution: 0 (refcount 1)

Hash OK Interface Address
0 Y Unknown drop

Inter-AS MPLS Layer 3 VPN - Option B (Cisco)

Use case

In today's post we will explain Cisco configuration for Inter-AS MPLS L3VPN Option B. Here are the main characteristics of this option:

  1. VPNv4 eBGP session is established between ASBR's, thus they have to hold all VPNv4 routes that are exchanged between Service Providers. It makes this option less scalable than Option C, where VPNv4 routes are stored on Route Reflectors only.
  2. Given the fact that the ASBR has to accept iBGP VPNv4 routes, one of the following conditions has to be met: route target filtering has to be disabled, a VRF with "route-target import" has to be configured or the ASBR has to be configured as a Route Reflector (which essentially disables route target filtering in the background).
  3. "Next-hop-self" has to be configured for the iBGP VPNv4 session on the ASBR because, even though the address family is VPNv4, the next hop is not changed automatically as in the case of a PE advertising a VRF route.
  4. Packets between CE routers travel via 3 LSPs: PE to ASBR1, ASBR1 to ASBR2 and ASBR2 to PE2. Remember that each LSP terminates where the next hop changes.

Configuration

ASBR1

Routing protocols configuration

router bgp 65001
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 2.2.2.2 remote-as 65001
neighbor 2.2.2.2 update-source Loopback0
neighbor 3.3.3.3 remote-as 65001
neighbor 3.3.3.3 update-source Loopback0
neighbor 192.168.0.11 remote-as 65002
!
address-family ipv4
exit-address-family
!
address-family vpnv4
no bgp default route-target filter
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
neighbor 3.3.3.3 next-hop-self
neighbor 192.168.0.11 activate
neighbor 192.168.0.11 send-community extended
exit-address-family

ASBR2

Routing protocols configuration

router bgp 65002
address-family vpnv4 unicast
retain route-target all
!
neighbor 12.12.12.12
remote-as 65002
update-source Loopback0
address-family vpnv4 unicast
next-hop-self
!
!
neighbor 192.168.0.4
remote-as 65001
address-family vpnv4 unicast
route-policy ACCEPT_ALL in
route-policy ACCEPT_ALL out
!
!
!

Interprovider Layer 3 VPN - Option A (Cisco)

coming soon....

Interprovider Layer 3 VPN - Option C (Juniper)

Use case

An enterprise wishes to create a private L3 interconnect between two of its remote sites. Each site uses its own private IP range. The two sites are connected to two different service providers. There exist several scenarios to enable this kind of private interconnect (GRE tunnels with or without IPSec, OpenVPN, MPLS, etc). Here, we will focus on an MPLS based solution that requires cooperation between the 2 ISPs (which makes it a very rare case to be found in real life networks).

Configuration

Here is the configuration that enables this scenario.

CE1

Interfaces configuration:

em0 {
vlan-tagging;
unit 18 {
vlan-id 18;
family inet {
address 10.18.0.8/24;
}
}
}
lo0 {
unit 1 {
family inet {
address 192.0.2.1/32;
address 8.8.8.8/32;
}
}
}

BGP Configuration

group ext-65002 {
type external;
export adv-ext-bgp;
peer-as 65002;
neighbor 10.18.0.1 {
local-address 10.18.0.8;
}
}

Routing options configuration:

routing-options {
static {
route 192.0.2.0/24 discard;
}
router-id 8.8.8.8;
autonomous-system 65101;
}

Policy options configuration

policy-options {
policy-statement adv-ext-bgp {
term adv-200 {
from {
route-filter 192.0.2.0/24 exact;
}
then accept;
}
}
}

Routing tables

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
8.8.8.8/32 *[Direct/0] 00:20:03
> via lo0.1
10.18.0.0/24 *[Direct/0] 00:03:50
> via em0.18
10.18.0.8/32 *[Local/0] 00:03:50
Local via em0.18
192.0.2.0/24 *[Static/5] 00:20:02
Discard
192.0.2.1/32 *[Direct/0] 00:20:03
> via lo0.1
192.168.1.0/24 *[Direct/0] 00:20:03
> via em1.0
192.168.1.18/32 *[Local/0] 00:20:03
Local via em1.0
198.51.100.0/24 *[BGP/170] 00:03:18, localpref 100
AS path: 65002 65003 65002 I, validation-state: unverified
> to 10.18.0.1 via em0.18

Connectivity test CE1 <--> CE2

admin@CE1> ping 198.51.100.1 source 192.0.2.1 
PING 198.51.100.1 (198.51.100.1): 56 data bytes
64 bytes from 198.51.100.1: icmp_seq=0 ttl=58 time=1.263 ms
64 bytes from 198.51.100.1: icmp_seq=1 ttl=58 time=1.273 ms
64 bytes from 198.51.100.1: icmp_seq=2 ttl=58 time=1.443 ms
64 bytes from 198.51.100.1: icmp_seq=3 ttl=58 time=1.071 ms
^C
--- 198.51.100.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.071/1.262/1.443/0.132 ms

PE1

Interfaces Configuration

em0 {
vlan-tagging;
unit 12 {
description to-p1;
vlan-id 12;
family inet {
address 10.12.0.1/24;
}
family iso;
family mpls;
}
unit 18 {
description to-ce1;
vlan-id 18;
family inet {
address 10.18.0.1/24;
}
}
}
em1 {
unit 0 {
family inet {
address 192.168.1.11/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 1.1.1.1/32;
}
family iso {
address 49.0001.0001.0001.0101.00;
}
}
}

Routing protocols configuration

mpls {
traffic-engineering mpls-forwarding;
interface all;
}
bgp {
group to-pe2 {
type external;
neighbor 5.5.5.5 {
multihop {
ttl 20;
}
local-address 1.1.1.1;
family inet-vpn {
unicast;
}
peer-as 65003;
}
}
}
isis {
interface all {
level 2 disable;
}
}
ldp {
interface all;
}

Routing options configuration

router-id 1.1.1.1;
autonomous-system 65002;

Policy configuration

policy-statement export-vpn-a {
term 1 {
from protocol bgp;
then {
community add vpn-a;
accept;
}
}
term 2 {
then reject;
}
}
policy-statement import-vpn-a {
term 1 {
from community vpn-a;
then accept;
}
term 2 {
then reject;
}
}
community target:65101:101 members target:65101:101;
community vpn-a members target:65101:101;

Routing instances configuration

vpn-a {
instance-type vrf;
interface em0.18;
route-distinguisher 1.1.1.1:1;
vrf-import import-vpn-a;
vrf-export export-vpn-a;
protocols {
bgp {
group ext-bgp-65001 {
type external;
peer-as 65101;
as-override;
neighbor 10.18.0.8;
}
}
}
}

Routing tables

inet.0: 10 destinations, 13 routes (10 active, 0 holddown, 0 hidden)
@ = Routing Use Only, # = Forwarding Use Only
+ = Active Route, - = Last Active, * = Both
1.1.1.1/32 *[Direct/0] 02:04:25
> via lo0.0
2.2.2.2/32 @[IS-IS/15] 00:27:55, metric 10
> to 10.12.0.2 via em0.12
#[LDP/9] 00:17:49, metric 1
> to 10.12.0.2 via em0.12
4.4.4.4/32 @[IS-IS/15] 00:27:55, metric 20
> to 10.12.0.2 via em0.12
#[LDP/9] 00:17:49, metric 1
> to 10.12.0.2 via em0.12, Push 300096
5.5.5.5/32 @[IS-IS/160] 00:27:55, metric 30
> to 10.12.0.2 via em0.12
#[LDP/9] 00:17:49, metric 1
> to 10.12.0.2 via em0.12, Push 300144
10.12.0.0/24 *[Direct/0] 00:27:55
> via em0.12
10.12.0.1/32 *[Local/0] 00:27:55
Local via em0.12
10.24.0.0/24 *[IS-IS/15] 00:27:55, metric 20
> to 10.12.0.2 via em0.12
150.0.0.0/32 *[Local/0] 02:04:25
Reject
192.168.1.0/24 *[Direct/0] 02:04:25
> via em1.0
192.168.1.11/32 *[Local/0] 02:04:25
Local via em1.0
inet.3: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
2.2.2.2/32 *[LDP/9] 00:17:49, metric 1
> to 10.12.0.2 via em0.12
4.4.4.4/32 *[LDP/9] 00:17:49, metric 1
> to 10.12.0.2 via em0.12, Push 300096
5.5.5.5/32 *[LDP/9] 00:17:49, metric 1
> to 10.12.0.2 via em0.12, Push 300144

vpn-a.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.18.0.0/24 *[Direct/0] 00:27:55
> via em0.18
10.18.0.1/32 *[Local/0] 00:27:55
Local via em0.18
192.0.2.0/24 *[BGP/170] 00:06:59, localpref 100
AS path: 65101 I, validation-state: unverified
> to 10.18.0.8 via em0.18
198.51.100.0/24 *[BGP/170] 00:17:24, localpref 100, from 5.5.5.5
AS path: 65003 65101 I, validation-state: unverified
> to 10.12.0.2 via em0.12, Push 303296, Push 300144(top)
iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
49.0001.0001.0001.0101/72
*[Direct/0] 02:04:25
> via lo0.0
mpls.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0 *[MPLS/0] 02:04:25, metric 1
Receive
1 *[MPLS/0] 02:04:25, metric 1
Receive
2 *[MPLS/0] 02:04:25, metric 1
Receive
13 *[MPLS/0] 02:04:25, metric 1
Receive
299840 *[LDP/9] 00:17:49, metric 1
> to 10.12.0.2 via em0.12, Pop
299840(S=0) *[LDP/9] 00:17:49, metric 1
> to 10.12.0.2 via em0.12, Pop
299856 *[LDP/9] 00:17:49, metric 1
> to 10.12.0.2 via em0.12, Swap 300096
299872 *[LDP/9] 00:17:49, metric 1
> to 10.12.0.2 via em0.12, Swap 300144
299904 *[VPN/170] 00:06:59
> to 10.18.0.8 via em0.18, Pop
bgp.l3vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1.1.1.1:1:192.0.2.0/24
*[BGP/170] 00:06:59, localpref 100
AS path: 65101 I, validation-state: unverified
> to 10.18.0.8 via em0.18
5.5.5.5:1:198.51.100.0/24
*[BGP/170] 00:17:24, localpref 100, from 5.5.5.5
AS path: 65003 65101 I, validation-state: unverified
> to 10.12.0.2 via em0.12, Push 303296, Push 300144(top)

P1

Interfaces Configuration

em0 {
vlan-tagging;
unit 12 {
vlan-id 12;
family inet {
address 10.12.0.2/24;
}
family iso;
family mpls;
}
unit 24 {
vlan-id 24;
family inet {
address 10.24.0.2/24;
}
family iso;
family mpls;
}
}
lo0 {
unit 0 {
family inet {
address 2.2.2.2/32;
}
family iso {
address 49.0001.0002.0002.0202.00;
}
}
}

Routing protocols configuration

mpls {
interface all;
}
isis {
interface all {
level 2 disable;
}
}
ldp {
interface all;
}

Routing options configuration

router-id 2.2.2.2;
autonomous-system 65002;

Routing tables

inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1.1.1.1/32 *[IS-IS/15] 00:18:48, metric 10
> to 10.12.0.1 via em0.12
2.2.2.2/32 *[Direct/0] 1w1d 02:21:12
> via lo0.0
4.4.4.4/32 *[IS-IS/15] 2d 04:36:35, metric 10
> to 10.24.0.4 via em0.24
5.5.5.5/32 *[IS-IS/160] 2d 04:36:35, metric 20
> to 10.24.0.4 via em0.24
10.12.0.0/24 *[Direct/0] 2d 04:36:35
> via em0.12
10.12.0.2/32 *[Local/0] 2d 04:36:35
Local via em0.12
10.24.0.0/24 *[Direct/0] 2d 04:36:35
> via em0.24
10.24.0.2/32 *[Local/0] 2d 04:36:35
Local via em0.24
150.0.0.0/32 *[Local/0] 1w1d 02:21:12
Reject
192.168.1.0/24 *[Direct/0] 1w1d 02:21:12
> via em1.0
192.168.1.12/32 *[Local/0] 1w1d 02:21:12
Local via em1.0
inet.3: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1.1.1.1/32 *[LDP/9] 00:18:48, metric 1
> to 10.12.0.1 via em0.12
4.4.4.4/32 *[LDP/9] 01:48:47, metric 1
> to 10.24.0.4 via em0.24
5.5.5.5/32 *[LDP/9] 01:48:47, metric 1
> to 10.24.0.4 via em0.24, Push 301296
iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
49.0001.0002.0002.0202/72
*[Direct/0] 1w1d 02:21:12
> via lo0.0
mpls.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0 *[MPLS/0] 1w1d 02:21:15, metric 1
Receive
1 *[MPLS/0] 1w1d 02:21:15, metric 1
Receive
2 *[MPLS/0] 1w1d 02:21:15, metric 1
Receive
13 *[MPLS/0] 1w1d 02:21:15, metric 1
Receive
300096 *[LDP/9] 01:48:47, metric 1
> to 10.24.0.4 via em0.24, Pop
300096(S=0) *[LDP/9] 01:48:47, metric 1
> to 10.24.0.4 via em0.24, Pop
300144 *[LDP/9] 01:48:47, metric 1
> to 10.24.0.4 via em0.24, Swap 301296
300208 *[LDP/9] 00:18:48, metric 1
> to 10.12.0.1 via em0.12, Pop
300208(S=0) *[LDP/9] 00:18:48, metric 1
> to 10.12.0.1 via em0.12, Pop

ASBR1

Interfaces configuration

em0 {
vlan-tagging;
unit 24 {
description to-p1;
vlan-id 24;
family inet {
address 10.24.0.4/24;
}
family iso;
family mpls;
}
unit 34 {
description to-asbr2;
vlan-id 34;
family inet {
address 10.34.0.4/24;
}
family iso;
family mpls;
}
}
lo0 {
unit 0 {
family inet {
address 4.4.4.4/32;
}
family iso {
address 49.0001.0004.0004.0404.00;
}
}
}

Routing protocols configuration

mpls {
traffic-engineering mpls-forwarding;
interface all;
}
bgp {
group ext-65003 {
type external;
peer-as 65003;
neighbor 10.34.0.3 {
family inet {
labeled-unicast;
}
export to-as65003;
peer-as 65003;
}
}
}
isis {
export to-igp;
interface all {
level 2 disable;
}
}
ldp {
egress-policy to-igp;
interface all;
interface em0.34 {
disable;
}
}

Routing options configuration

router-id 4.4.4.4;
autonomous-system 65002;

Policy options configuration

policy-statement to-as65003 {
term 1 {
from {
route-filter 1.1.1.1/32 exact;
}
then accept;
}
term 2 {
then reject;
}
}
policy-statement to-igp {
term 1 {
from {
route-filter 4.4.4.4/32 exact;
route-filter 5.5.5.5/32 exact;
}
then accept;
}
term 2 {
then reject;
}
}

Routing tables

inet.0: 13 destinations, 16 routes (13 active, 0 holddown, 0 hidden)
@ = Routing Use Only, # = Forwarding Use Only
+ = Active Route, - = Last Active, * = Both
1.1.1.1/32 @[IS-IS/15] 00:40:35, metric 20
> to 10.24.0.2 via em0.24
#[LDP/9] 00:40:34, metric 1
> to 10.24.0.2 via em0.24, Push 300208
2.2.2.2/32 @[IS-IS/15] 2d 04:58:51, metric 10
> to 10.24.0.2 via em0.24
#[LDP/9] 2d 04:58:10, metric 1
> to 10.24.0.2 via em0.24
4.4.4.4/32 *[Direct/0] 4d 04:00:52
> via lo0.0
5.5.5.5/32 *[BGP/170] 2d 04:58:47, MED 20, localpref 100
AS path: 65003 I, validation-state: unverified
> to 10.34.0.3 via em0.34, Push 302016
10.12.0.0/24 *[IS-IS/15] 2d 04:58:51, metric 20
> to 10.24.0.2 via em0.24
10.24.0.0/24 *[Direct/0] 2d 04:58:51
> via em0.24
[IS-IS/15] 2d 04:58:51, metric 20
> to 10.24.0.2 via em0.24
10.24.0.4/32 *[Local/0] 2d 04:58:51
Local via em0.24
10.34.0.0/24 *[Direct/0] 2d 04:58:51
> via em0.34
10.34.0.4/32 *[Local/0] 2d 04:58:51
Local via em0.34
150.0.0.0/31 *[Direct/0] 4d 04:00:52
> via em2.0
150.0.0.0/32 *[Local/0] 4d 04:00:52
Local via em2.0
192.168.1.0/24 *[Direct/0] 4d 04:00:52
> via em1.0
192.168.1.14/32 *[Local/0] 4d 04:00:52
Local via em1.0
inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1.1.1.1/32 *[LDP/9] 00:40:34, metric 1
> to 10.24.0.2 via em0.24, Push 300208
2.2.2.2/32 *[LDP/9] 2d 04:58:10, metric 1
> to 10.24.0.2 via em0.24
iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
49.0001.0004.0004.0404/72
*[Direct/0] 4d 04:00:52
> via lo0.0
mpls.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0 *[MPLS/0] 4d 04:00:54, metric 1
Receive
1 *[MPLS/0] 4d 04:00:54, metric 1
Receive
2 *[MPLS/0] 4d 04:00:54, metric 1
Receive
13 *[MPLS/0] 4d 04:00:54, metric 1
Receive
301296 *[LDP/9] 2d 04:58:47, metric 1
> to 10.34.0.3 via em0.34, Swap 302016
301360 *[LDP/9] 2d 04:58:10, metric 1
> to 10.24.0.2 via em0.24, Pop
301360(S=0) *[LDP/9] 2d 04:58:10, metric 1
> to 10.24.0.2 via em0.24, Pop
301536 *[LDP/9] 00:40:34, metric 1
> to 10.24.0.2 via em0.24, Swap 300208
301552 *[VPN/170] 00:40:34
> to 10.24.0.2 via em0.24, Swap 300208

ASBR2

Interface configuration

em0 {
vlan-tagging;
unit 34 {
description to-asbr1;
vlan-id 34;
family inet {
address 10.34.0.3/24;
}
family iso;
family mpls;
}
unit 36 {
description to-p2;
vlan-id 36;
family inet {
address 10.36.0.3/24;
}
family iso;
family mpls;
}
}
lo0 {
unit 0 {
family inet {
address 3.3.3.3/32;
}
family iso {
address 49.0001.0003.0003.0303.00;
}
}
}

Routing protocols configuration

mpls {
traffic-engineering mpls-forwarding;
interface all;
}
bgp {
group ext-65002 {
type external;
neighbor 10.34.0.4 {
family inet {
labeled-unicast;
}
export to-as65002;
peer-as 65002;
}
}
}
isis {
export to-igp;
interface all {
level 1 disable;
}
}
ldp {
egress-policy to-igp;
interface all;
interface em0.34 {
disable;
}
}

Routing options configuration

router-id 3.3.3.3;
autonomous-system 65003;

Policy options configuration

policy-statement to-as65002 {
term 1 {
from {
route-filter 5.5.5.5/32 exact;
}
then accept;
}
term 2 {
then reject;
}
}
policy-statement to-igp {
term 1 {
from {
route-filter 1.1.1.1/32 exact;
route-filter 3.3.3.3/32 exact;
}
then accept;
}
term 2 {
then reject;
}
}

Routing tables

inet.0: 11 destinations, 14 routes (11 active, 0 holddown, 0 hidden)
@ = Routing Use Only, # = Forwarding Use Only
+ = Active Route, - = Last Active, * = Both
1.1.1.1/32 *[BGP/170] 00:42:00, MED 20, localpref 100
AS path: 65002 I, validation-state: unverified
> to 10.34.0.4 via em0.34, Push 301552
3.3.3.3/32 *[Direct/0] 2w2d 20:23:57
> via lo0.0
5.5.5.5/32 @[IS-IS/18] 2d 04:57:55, metric 20
> to 10.36.0.6 via em0.36
#[LDP/9] 2d 04:57:52, metric 1
> to 10.36.0.6 via em0.36, Push 300624
6.6.6.6/32 @[IS-IS/18] 2d 04:57:55, metric 10
> to 10.36.0.6 via em0.36
#[LDP/9] 2d 04:57:52, metric 1
> to 10.36.0.6 via em0.36
10.34.0.0/24 *[Direct/0] 2d 04:57:55
> via em0.34
10.34.0.3/32 *[Local/0] 2d 04:57:55
Local via em0.34
10.36.0.0/24 *[Direct/0] 2d 04:57:55
> via em0.36
[IS-IS/18] 2d 04:57:55, metric 20
> to 10.36.0.6 via em0.36
10.36.0.3/32 *[Local/0] 2d 04:57:55
Local via em0.36
10.56.0.0/24 *[IS-IS/18] 2d 04:57:55, metric 20
> to 10.36.0.6 via em0.36
192.168.1.0/24 *[Direct/0] 2w2d 21:21:42
> via em1.0
192.168.1.13/32 *[Local/0] 2w2d 21:21:42
Local via em1.0
inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
5.5.5.5/32 *[LDP/9] 2d 04:57:52, metric 1
> to 10.36.0.6 via em0.36, Push 300624
6.6.6.6/32 *[LDP/9] 2d 04:57:52, metric 1
> to 10.36.0.6 via em0.36

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
49.0001.0003.0003.0303/72
*[Direct/0] 2w2d 20:14:58
> via lo0.0
mpls.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0 *[MPLS/0] 2w2d 21:09:14, metric 1
Receive
1 *[MPLS/0] 2w2d 21:09:14, metric 1
Receive
2 *[MPLS/0] 2w2d 21:09:14, metric 1
Receive
13 *[MPLS/0] 2w2d 21:09:14, metric 1
Receive
301952 *[LDP/9] 2d 04:57:52, metric 1
> to 10.36.0.6 via em0.36, Pop
301952(S=0) *[LDP/9] 2d 04:57:52, metric 1
> to 10.36.0.6 via em0.36, Pop
301968 *[LDP/9] 2d 04:57:52, metric 1
> to 10.36.0.6 via em0.36, Swap 300624
302016 *[VPN/170] 2d 04:57:04
> to 10.36.0.6 via em0.36, Swap 300624
302064 *[LDP/9] 00:42:00, metric 1
> to 10.34.0.4 via em0.34, Swap 301552

P2

Interfaces configuration

em0 {
vlan-tagging;
unit 36 {
description to-asbr2;
vlan-id 36;
family inet {
address 10.36.0.6/24;
}
family iso;
family mpls;
}
unit 56 {
description to-pe2;
vlan-id 56;
family inet {
address 10.56.0.6/24;
}
family iso;
family mpls;
}
}
em1 {
unit 0 {
family inet {
address 192.168.1.16/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 6.6.6.6/32;
}
family iso {
address 49.0001.0006.0006.0606.00;
}
}
}

Routing protocols configuration

mpls {
interface em1.0 {
disable;
}
interface all;
}
isis {
interface all {
level 2 {
inactive: disable;
}
level 1 disable;
}
interface em1.0 {
disable;
}
}
ldp {
interface all;
interface em1.0 {
disable;
}
}

Routing options configuration

router-id 6.6.6.6;
autonomous-system 65002;

Routing tables

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1.1.1.1/32 *[IS-IS/165] 01:23:54, metric 20
> to 10.36.0.3 via em0.36
3.3.3.3/32 *[IS-IS/18] 2d 05:44:41, metric 10
> to 10.36.0.3 via em0.36
5.5.5.5/32 *[IS-IS/18] 2d 05:44:41, metric 10
> to 10.56.0.5 via em0.56
6.6.6.6/32 *[Direct/0] 2w2d 21:26:18
> via lo0.0
10.36.0.0/24 *[Direct/0] 2d 05:44:42
> via em0.36
10.36.0.6/32 *[Local/0] 2d 05:44:42
Local via em0.36
10.56.0.0/24 *[Direct/0] 2d 05:44:42
> via em0.56
10.56.0.6/32 *[Local/0] 2d 05:44:42
Local via em0.56
192.168.1.0/24 *[Direct/0] 2w2d 22:25:27
> via em1.0
192.168.1.16/32 *[Local/0] 2w2d 22:25:27
Local via em1.0
inet.3: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1.1.1.1/32 *[LDP/9] 01:23:54, metric 1
> to 10.36.0.3 via em0.36, Push 302064
3.3.3.3/32 *[LDP/9] 2d 05:42:51, metric 1
> to 10.36.0.3 via em0.36
5.5.5.5/32 *[LDP/9] 2d 05:43:23, metric 1
> to 10.56.0.5 via em0.56
iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
49.0001.0006.0006.0606/72
*[Direct/0] 2w2d 21:15:25
> via lo0.0

mpls.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0 *[MPLS/0] 2w2d 04:18:30, metric 1
Receive
1 *[MPLS/0] 2w2d 04:18:30, metric 1
Receive
2 *[MPLS/0] 2w2d 04:18:30, metric 1
Receive
13 *[MPLS/0] 2w2d 04:18:30, metric 1
Receive
300624 *[LDP/9] 2d 05:43:23, metric 1
> to 10.56.0.5 via em0.56, Pop
300624(S=0) *[LDP/9] 2d 05:43:23, metric 1
> to 10.56.0.5 via em0.56, Pop
300640 *[LDP/9] 2d 05:42:51, metric 1
> to 10.36.0.3 via em0.36, Pop
300640(S=0) *[LDP/9] 2d 05:42:51, metric 1
> to 10.36.0.3 via em0.36, Pop
300704 *[LDP/9] 01:23:54, metric 1
> to 10.36.0.3 via em0.36, Swap 302064

PE2

Interfaces configuration

em0 {
vlan-tagging;
unit 56 {
description to-p2;
vlan-id 56;
family inet {
address 10.56.0.5/24;
}
family iso;
family mpls;
}
unit 57 {
description to-ce2;
vlan-id 57;
family inet {
address 10.57.0.5/24;
}
}
}
em1 {
unit 0 {
family inet {
address 192.168.1.15/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 5.5.5.5/32;
}
family iso {
address 49.0001.0005.0005.0505.00;
}
}
}

Routing protocols configuration

mpls {
traffic-engineering mpls-forwarding;
interface em1.0 {
disable;
}
interface all;
}
bgp {
group to-pe1 {
type external;
multihop {
ttl 20;
}
neighbor 1.1.1.1 {
local-address 5.5.5.5;
family inet-vpn {
unicast;
}
peer-as 65002;
}
}
}
isis {
interface all {
level 1 disable;
}
interface em1.0 {
disable;
}
}
ldp {
interface all;
interface em1.0 {
disable;
}
}

Routing options configuration

router-id 5.5.5.5;
autonomous-system 65003;

Policy configuration

policy-statement accept {
term 1 {
then accept;
}
}
policy-statement export-vpn-a {
term 1 {
from protocol bgp;
then {
community add vpn-a;
accept;
}
}
term 2 {
then reject;
}
}
policy-statement import-vpn-a {
term 1 {
from community vpn-a;
then accept;
}
term 2 {
then reject;
}
}
community vpn-a members target:65101:101;

Routing instances configuration

vpn-a {
instance-type vrf;
interface em0.57;
route-distinguisher 5.5.5.5:1;
vrf-import import-vpn-a;
vrf-export export-vpn-a;
inactive: vrf-target target:65101:101;
protocols {
bgp {
group ext-65101 {
type external;
export accept;
peer-as 65101;
as-override;
neighbor 10.57.0.7;
}
}
}
}

Routing tables

inet.0: 9 destinations, 12 routes (9 active, 0 holddown, 0 hidden)
@ = Routing Use Only, # = Forwarding Use Only
+ = Active Route, - = Last Active, * = Both
1.1.1.1/32 @[IS-IS/165] 01:39:32, metric 30
> to 10.56.0.6 via em0.56
#[LDP/9] 01:39:32, metric 1
> to 10.56.0.6 via em0.56, Push 300704
3.3.3.3/32 @[IS-IS/18] 2d 06:00:05, metric 20
> to 10.56.0.6 via em0.56
#[LDP/9] 2d 05:59:02, metric 1
> to 10.56.0.6 via em0.56, Push 300640
5.5.5.5/32 *[Direct/0] 2w2d 21:43:04
> via lo0.0
6.6.6.6/32 @[IS-IS/18] 2d 06:00:05, metric 10
> to 10.56.0.6 via em0.56
#[LDP/9] 2d 05:59:02, metric 1
> to 10.56.0.6 via em0.56
10.36.0.0/24 *[IS-IS/18] 2d 06:00:05, metric 20
> to 10.56.0.6 via em0.56
10.56.0.0/24 *[Direct/0] 2d 06:00:05
> via em0.56
10.56.0.5/32 *[Local/0] 2d 06:00:05
Local via em0.56
192.168.1.0/24 *[Direct/0] 2w2d 22:42:03
> via em1.0
192.168.1.15/32 *[Local/0] 2w2d 22:42:03
Local via em1.0
inet.3: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1.1.1.1/32 *[LDP/9] 01:39:32, metric 1
> to 10.56.0.6 via em0.56, Push 300704
3.3.3.3/32 *[LDP/9] 2d 05:59:02, metric 1
> to 10.56.0.6 via em0.56, Push 300640
6.6.6.6/32 *[LDP/9] 2d 05:59:02, metric 1
> to 10.56.0.6 via em0.56
vpn-a.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.57.0.0/24 *[Direct/0] 2d 06:00:05
> via em0.57
10.57.0.5/32 *[Local/0] 2d 06:00:05
Local via em0.57
192.0.2.0/24 *[BGP/170] 01:28:42, localpref 100, from 1.1.1.1
AS path: 65002 65101 I, validation-state: unverified
> to 10.56.0.6 via em0.56, Push 299904, Push 300704(top)
198.51.100.0/24 *[BGP/170] 2d 05:59:33, localpref 100
AS path: 65101 I, validation-state: unverified
> to 10.57.0.7 via em0.57
iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
49.0001.0005.0005.0505/72
*[Direct/0] 2w2d 21:32:03
> via lo0.0
mpls.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0 *[MPLS/0] 2w2d 04:34:41, metric 1
Receive
1 *[MPLS/0] 2w2d 04:34:41, metric 1
Receive
2 *[MPLS/0] 2w2d 04:34:41, metric 1
Receive
13 *[MPLS/0] 2w2d 04:34:41, metric 1
Receive
303152 *[LDP/9] 2d 05:59:02, metric 1
> to 10.56.0.6 via em0.56, Pop
303152(S=0) *[LDP/9] 2d 05:59:02, metric 1
> to 10.56.0.6 via em0.56, Pop
303168 *[LDP/9] 2d 05:59:02, metric 1
> to 10.56.0.6 via em0.56, Swap 300640
303280 *[LDP/9] 01:39:32, metric 1
> to 10.56.0.6 via em0.56, Swap 300704
303296 *[VPN/170] 01:39:07
> to 10.57.0.7 via em0.57, Pop
bgp.l3vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1.1.1.1:1:192.0.2.0/24
*[BGP/170] 01:28:42, localpref 100, from 1.1.1.1
AS path: 65002 65101 I, validation-state: unverified
> to 10.56.0.6 via em0.56, Push 299904, Push 300704(top)
5.5.5.5:1:198.51.100.0/24
*[BGP/170] 2d 05:59:33, localpref 100
AS path: 65101 I, validation-state: unverified
> to 10.57.0.7 via em0.57

CE2

Interfaces configuration

em0 {
vlan-tagging;
unit 57 {
vlan-id 57;
family inet {
address 10.57.0.7/24;
}
}
}
em1 {
unit 0 {
family inet {
address 192.168.1.17/24;
}
}
}
lo0 {
unit 1 {
family inet {
address 198.51.100.1/32;
}
}
}

BGP configuration

group ext-65003 {
type external;
export adv-ext-bgp;
neighbor 10.57.0.5 {
local-address 10.57.0.7;
peer-as 65003;
}
}

Routing options configuration

static {
route 192.0.2.0/24 discard;
}
router-id 8.8.8.8;
autonomous-system 65101;

Policy options configuration

policy-statement adv-ext-bgp {
term adv-200 {
from {
route-filter 192.0.2.0/24 exact;
}
then accept;
}
}

Routing tables

inet.0: 8 destinations, 9 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1.1.1.1/32 *[Static/5] 2w2d 03:56:46
> to 10.57.0.5 via em0.57
10.57.0.0/24 *[Direct/0] 2d 06:07:17
> via em0.57
[BGP/170] 2d 06:06:12, localpref 100
AS path: 65003 I, validation-state: unverified
> to 10.57.0.5 via em0.57
10.57.0.7/32 *[Local/0] 2d 06:07:17
Local via em0.57
192.0.2.0/24 *[BGP/170] 01:35:22, localpref 100
AS path: 65003 65002 65003 I, validation-state: unverified
> to 10.57.0.5 via em0.57
192.168.1.0/24 *[Direct/0] 2w2d 05:40:17
> via em1.0
192.168.1.17/32 *[Local/0] 2w2d 05:40:17
Local via em1.0
198.51.100.0/24 *[Static/5] 2d 22:53:18
Discard
198.51.100.1/32 *[Direct/0] 2d 22:53:18
> via lo0.1

Connectivity test CE2 <--> CE1

admin@CE2> ping 192.0.2.1 source 198.51.100.1 count 5 
PING 192.0.2.1 (192.0.2.1): 56 data bytes
64 bytes from 192.0.2.1: icmp_seq=0 ttl=58 time=1.141 ms
64 bytes from 192.0.2.1: icmp_seq=1 ttl=58 time=1.113 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=58 time=1.209 ms
64 bytes from 192.0.2.1: icmp_seq=3 ttl=58 time=1.313 ms
64 bytes from 192.0.2.1: icmp_seq=4 ttl=58 time=1.198 ms
--- 192.0.2.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.113/1.195/1.313/0.069 ms
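
The ping succeeds because every router on the path holds an mpls.0 entry for the label it receives. The following Python sketch is an added example, not part of the original post: it replays the mpls.0 entries shown above and walks the label stack hop by hop in both directions, reporting the router where a lookup would fail. The address-to-router map and the function names are assumptions made for this example.

```python
import re

# mpls.0 excerpts copied from the routing tables on this page (transit and VPN labels only).
MPLS_TABLES = {
    "P1": """300144 *[LDP/9] 01:48:47, metric 1
> to 10.24.0.4 via em0.24, Swap 301296
300208 *[LDP/9] 00:18:48, metric 1
> to 10.12.0.1 via em0.12, Pop
300208(S=0) *[LDP/9] 00:18:48, metric 1
> to 10.12.0.1 via em0.12, Pop""",
    "ASBR1": """301296 *[LDP/9] 2d 04:58:47, metric 1
> to 10.34.0.3 via em0.34, Swap 302016
301552 *[VPN/170] 00:40:34
> to 10.24.0.2 via em0.24, Swap 300208""",
    "ASBR2": """302016 *[VPN/170] 2d 04:57:04
> to 10.36.0.6 via em0.36, Swap 300624
302064 *[LDP/9] 00:42:00, metric 1
> to 10.34.0.4 via em0.34, Swap 301552""",
    "P2": """300624 *[LDP/9] 2d 05:43:23, metric 1
> to 10.56.0.5 via em0.56, Pop
300624(S=0) *[LDP/9] 2d 05:43:23, metric 1
> to 10.56.0.5 via em0.56, Pop
300704 *[LDP/9] 01:23:54, metric 1
> to 10.36.0.3 via em0.36, Swap 302064""",
    "PE1": """299904 *[VPN/170] 00:06:59
> to 10.18.0.8 via em0.18, Pop""",
    "PE2": """303296 *[VPN/170] 01:39:07
> to 10.57.0.7 via em0.57, Pop""",
}
# Assumption: next-hop address -> router, as the tables and interface configs on the page imply.
OWNER = {"10.12.0.1": "PE1", "10.12.0.2": "P1", "10.24.0.2": "P1", "10.24.0.4": "ASBR1",
         "10.34.0.4": "ASBR1", "10.34.0.3": "ASBR2", "10.36.0.3": "ASBR2",
         "10.36.0.6": "P2", "10.56.0.6": "P2", "10.56.0.5": "PE2",
         "10.18.0.8": "CE1", "10.57.0.7": "CE2"}

ENTRY = re.compile(r"^(\d+)(\(S=0\))?\s+\*\[")
HOP = re.compile(r"^>\s+to (\S+) via ([^,\s]+), (Pop|Swap)(?: (\d+))?\s*$")

def parse_lfib(text):
    """Return {(label, is_s0_entry): (action, out_label, next_hop)} from mpls.0 output."""
    lfib, key = {}, None
    for line in text.splitlines():
        entry, hop = ENTRY.match(line.strip()), HOP.match(line.strip())
        if entry:
            key = (int(entry.group(1)), bool(entry.group(2)))
        elif hop and key is not None:
            out_label = int(hop.group(4)) if hop.group(4) else None
            lfib[key] = (hop.group(3), out_label, hop.group(1))
            key = None
    return lfib

LFIB = {router: parse_lfib(text) for router, text in MPLS_TABLES.items()}

def trace(first_hop, stack, max_hops=16):
    """Walk a label stack (top label first) hop by hop; return (path, verdict)."""
    router, stack, path = first_hop, list(stack), []
    for _ in range(max_hops):
        if not stack:
            return path, "delivered as IP to " + router
        table = LFIB.get(router)
        if table is None:
            return path, "labeled packet reached %s, which has no mpls.0 table here" % router
        top, more = stack[0], len(stack) > 1
        # Junos lists a separate (S=0) entry for a pop when more labels follow;
        # when no such entry exists (swap), the plain entry applies.
        entry = (table.get((top, True)) if more else None) or table.get((top, False))
        if entry is None:
            return path, "dropped at %s: no mpls.0 entry for label %d" % (router, top)
        action, out_label, next_hop = entry
        stack = stack[1:] if action == "Pop" else [out_label] + stack[1:]
        path.append((router, top, action, out_label))
        router = OWNER.get(next_hop, next_hop)
    return path, "loop suspected: hop limit reached"

if __name__ == "__main__":
    # PE1 -> 198.51.100.0/24 (Push 303296, Push 300144(top)), then PE2 -> 192.0.2.0/24.
    for start, stack in (("P1", [300144, 303296]), ("P2", [300704, 299904])):
        print(*trace(start, stack), sep="\n")
```

Feeding it a label that a transit router does not hold stops the trace at that router, which is how a healthy control plane with a broken data plane shows up in this model.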

Interprovider Layer 3 VPN - Option B (Juniper)

In this post we explain the Juniper configuration for Inter-AS MPLS Option B, as defined in RFC 4364.

Configuration

Configuring Option B on Juniper is pretty straightforward. Here, only the most important details will be highlighted. A detailed configuration is available at http://www.juniper.net/documentation/en_US/junos15.1/topics/example/mpls-vpn-option2-configuration.html.

The key pieces for configuring Option B are found under the BGP configuration.

BGP configuration

PE1

group int-bgp-65002 {
    type internal;
    neighbor 4.4.4.4 {
        local-address 1.1.1.1;
        family inet-vpn {
            unicast;
        }
    }
}

ASBR1

group ext-65003 {
    type external;
    peer-as 65003;
    neighbor 10.34.0.3 {
        family inet-vpn {
            unicast;
        }
        peer-as 65003;
    }
}
group int-65002 {
    type internal;
    neighbor 1.1.1.1 {
        local-address 4.4.4.4;
        family inet-vpn {
            unicast;
        }
    }
}

ASBR2

group ext-65002 {
    type external;
    neighbor 10.34.0.4 {
        family inet-vpn {
            unicast;
        }
        peer-as 65002;
    }
}
group int-65003 {
    type internal;
    neighbor 5.5.5.5 {
        local-address 3.3.3.3;
        family inet-vpn {
            unicast;
        }
    }
}

PE2

group int-65003 {
    type internal;
    neighbor 3.3.3.3 {
        local-address 5.5.5.5;
        family inet-vpn {
            unicast;
        }
    }
}

Trivia

Which configuration error on ASBR1 will result in the following? 1.1.1.1 is the loopback IP of PE1 and 4.4.4.4 is the loopback IP of ASBR1.

admin@PE1> show route advertising-protocol bgp 4.4.4.4 extensive
vpn-a.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
* 192.0.2.0/24 (1 entry, 1 announced)
BGP group int-bgp-65002 type Internal
Route Distinguisher: 1.1.1.1:1
VPN Label: 300176
Nexthop: Self
Flags: Nexthop Change
Localpref: 100
AS path: [65002] 65101 I
Communities: target:65101:101

admin@ASBR1> show route receive-protocol bgp 1.1.1.1 extensive
inet.0: 12 destinations, 13 routes (12 active, 0 holddown, 0 hidden)
inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
mpls.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)

Interprovider Layer 3 VPN - Option A (Juniper)

In the next series of posts, we will explore Inter-provider L3 VPN configuration on Juniper and Cisco devices. More specifically, we will cover all three options (A, B and C) as explained in RFC 4364.

The most important excerpts of router configuration will be shown for each option and, where necessary, specific details will be discussed and explained in more detail.

We start with the simplest, but least scalable, option: Option A.

For a more detailed configuration example, see the following Juniper TechLibrary document: Example: Configuring Interprovider Layer 3 VPN Option A.

Configuration

ASBR1

Routing instances

admin@ASBR1# show routing-instances 
ext-65003 {
    instance-type vrf;
    interface em0.34;
    route-distinguisher 100.4.4.4:1;
    vrf-target target:65101:101;
    protocols {
        bgp {
            group ext-65003 {
                neighbor 10.34.0.3 {
                    local-address 10.34.0.4;
                    family inet {
                        unicast;
                    }
                    peer-as 65003;
                }
            }
        }
    }
}

Route verification

admin@ASBR1# run show route advertising-protocol bgp 10.34.0.3 extensive    
ext-65003.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
* 192.0.2.0/24 (1 entry, 1 announced)
BGP group ext-65003 type External
Nexthop: Self
AS path: [65002] 65101 I
Communities: target:65101:101
admin@ASBR1# run show route table bgp.l3vpn.0 
bgp.l3vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
100.1.1.1:1:192.0.2.0/24
*[BGP/170] 00:15:45, localpref 100, from 100.1.1.1
AS path: 65101 I, validation-state: unverified
> to 10.24.0.2 via em0.24, Push 300608, Push 300256(top)
admin@ASBR1# run show route table ext-65003.inet.0 
ext-65003.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.34.0.0/24 *[Direct/0] 01:59:30
> via em0.34
10.34.0.4/32 *[Local/0] 01:59:30
Local via em0.34
192.0.2.0/24 *[BGP/170] 00:21:30, localpref 100, from 100.1.1.1
AS path: 65101 I, validation-state: unverified
> to 10.24.0.2 via em0.24, Push 300608, Push 300256(top)
198.51.100.0/24 *[BGP/170] 00:21:07, localpref 100
AS path: 65003 65101 I, validation-state: unverified
> to 10.34.0.3 via em0.34

ASBR2

Routing instances

admin@ASBR2# show routing-instances                                                                                  
ext-65002 {
    instance-type vrf;
    interface em0.34;
    route-distinguisher 100.3.3.3:1;
    vrf-target target:65101:101;
    protocols {
        bgp {
            group ext-65002 {
                neighbor 10.34.0.4 {
                    local-address 10.34.0.3;
                    family inet {
                        unicast;
                    }
                    peer-as 65002;
                }
            }
        }
    }
}

Route verification

admin@ASBR2# run show route advertising-protocol bgp 10.34.0.4 extensive    
ext-65002.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
* 198.51.100.0/24 (1 entry, 1 announced)
BGP group ext-65002 type External
Nexthop: Self
AS path: [65003] 65101 I
Communities: target:65101:101
admin@ASBR2# run show route table bgp.l3vpn.0                               
bgp.l3vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
100.5.5.5:1:198.51.100.0/24
*[BGP/170] 00:23:01, localpref 100, from 100.5.5.5
AS path: 65101 I, validation-state: unverified
> to 10.36.0.6 via em0.36, Push 303520, Push 299824(top)
admin@ASBR2# run show route table ext-65002.inet.0 
ext-65002.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.34.0.0/24 *[Direct/0] 00:28:09
> via em0.34
10.34.0.3/32 *[Local/0] 00:28:09
Local via em0.34
192.0.2.0/24 *[BGP/170] 00:23:57, localpref 100
AS path: 65002 65101 I, validation-state: unverified
> to 10.34.0.4 via em0.34
198.51.100.0/24 *[BGP/170] 00:23:35, localpref 100, from 100.5.5.5
AS path: 65101 I, validation-state: unverified
> to 10.36.0.6 via em0.36, Push 303520, Push 299824(top)