VPN communication

Jun 7th, 2008

I have two PE routers connected to each other through a P router. The three are running EIGRP and MPLS. An MP-BGP session is run between the two PE routers, with OSPF running between the PE and CE routers. I am receiving OSPF routes just fine over the MPLS-VPN; however, any traffic that is sent is being dropped on the closest PE router. I'm assuming when traffic is arriving for another VPN site, the PE router doesn't know how to route the traffic.


Here is some relevant info.


PE-102

ip vrf test
 rd 1:10
 route-target export 100:10
 route-target import 100:10
ip cef
!
!
!
interface Ethernet0/0
 no ip address
 shutdown
!
interface Serial1/0
 ip vrf forwarding test
 ip address 192.168.1.2 255.255.255.0
 no fair-queue
!
interface Serial2/0
 ip address 192.168.2.1 255.255.255.0
 tag-switching ip
!
interface Serial3/0
 no ip address
!
router eigrp 1
 redistribute connected
 network 192.168.1.0
 network 192.168.2.0
 no auto-summary
 no eigrp log-neighbor-changes
!
router ospf 1 vrf test
 log-adjacency-changes
 redistribute bgp 1 metric 20 subnets
 network 192.168.1.0 0.0.0.255 area 0
!
router bgp 1
 no synchronization
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 network 192.168.1.0
 network 192.168.2.0
 neighbor 192.168.3.2 remote-as 1
 neighbor 192.168.3.2 activate
 no auto-summary
 !
 address-family ipv4 vrf test
 redistribute ospf 1 match internal external 1 external 2
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family vpnv4
 neighbor 192.168.3.2 activate
 neighbor 192.168.3.2 send-community extended
 no auto-summary
 exit-address-family


PE 104

ip vrf test
 rd 1:10
 route-target export 100:10
 route-target import 100:10
ip cef
!
!
!
interface Ethernet0/0
 no ip address
 shutdown
!
interface Serial1/0
 ip address 192.168.3.2 255.255.255.0
 tag-switching ip
 no fair-queue
!
interface Serial2/0
 ip vrf forwarding test
 ip address 192.168.4.1 255.255.255.0
!
interface Serial3/0
 ip vrf forwarding test
 ip address 192.168.8.1 255.255.255.0
!
router eigrp 1
 redistribute connected
 network 192.168.3.0
 network 192.168.4.0
 network 192.168.8.0
 no auto-summary
 no eigrp log-neighbor-changes
!
router ospf 1 vrf test
 log-adjacency-changes
 redistribute bgp 1 metric 20 subnets
 network 192.168.4.0 0.0.0.255 area 0
 network 192.168.8.0 0.0.0.255 area 0
!
router bgp 1
 no synchronization
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 network 192.168.3.0
 network 192.168.4.0
 network 192.168.8.0
 neighbor 192.168.2.1 remote-as 1
 neighbor 192.168.2.1 activate
 no auto-summary
 !
 address-family ipv4 vrf test
 redistribute ospf 1 match internal external 1 external 2
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family vpnv4
 neighbor 192.168.2.1 activate
 neighbor 192.168.2.1 send-community extended
 no auto-summary
 exit-address-family





102#show ip route vrf test
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

B    192.168.8.0/24 [200/0] via 192.168.3.2, 00:01:58
B    192.168.6.0/24 [200/128] via 192.168.3.2, 00:01:58
B    192.168.7.0/24 [200/128] via 192.168.3.2, 00:01:58
O IA 192.168.16.0/24 [110/128] via 192.168.1.1, 00:02:24, Serial1/0
C    192.168.1.0/24 is directly connected, Serial1/0

tsmarcyes Sat, 06/07/2008 - 17:13

I figured out my issue. The next hop for all VPN/MPLS routes was the directly connected interface between the P and PE router (the neighbor command was pointing to the direct serial int, not the loopback). Therefore, the P router was popping the tag because of Penultimate Hopping, and trying to do a lookup on the VPN label. Since the P router has no clue about how to route the VPN label, it was dropping the packet. So I recreated the BGP sessions pointing to their loopback addresses and things worked fine.

So my question now is: is there a way to overcome this without using loopback interfaces? I know loopback interfaces are recommended for BGP anyways to provide reliability, but it seems that if this were an unspoken requirement for MPLS/VPN, then it would be more well known.

waleed_amer Sun, 06/08/2008 - 06:55

Hi,


If the next hop for MP-BGP routes is the directly connected interface for the P router, the P router will be responsible for distributing the LDP label for this subnet, so the tag popping will happen on the ingress PE router. So you need a next hop whose LDP label has been distributed by the egress PE router.

Regards, W.Amer
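
The label handling discussed in the posts above, modelled as a small simulation (an added example, not code from any poster in this thread): a router advertises implicit-null for prefixes it is directly connected to, so with the BGP next hop on the P-PE serial subnet the ingress PE imposes no transport label and the P router sees the VPN label on top. The label values 17 and 22 and the loopback 10.0.0.104/32 are constructed assumptions.

```python
IMPLICIT_NULL = 3   # reserved label: "pop the transport label before sending to me"
VPN_LABEL = 22      # constructed: label PE-104 assigned to the VRF prefix

# Prefixes each router is directly connected to (subnets from the thread;
# the 10.0.0.104/32 loopback on PE-104 is an assumed value).
CONNECTED = {
    "P": {"192.168.2.0/24", "192.168.3.0/24"},
    "PE-104": {"192.168.3.0/24", "10.0.0.104/32"},
}
# Labels P allocated locally for prefixes it is NOT connected to (constructed).
P_LOCAL = {"10.0.0.104/32": 17}


def advertised(router, prefix):
    """LDP binding a router advertises upstream for an IGP prefix."""
    if prefix in CONNECTED[router]:
        return IMPLICIT_NULL
    return P_LOCAL[prefix] if router == "P" else None


def ingress_stack(next_hop_prefix):
    """Label stack PE-102 imposes: [transport (unless implicit-null), VPN]."""
    transport = advertised("P", next_hop_prefix)
    return ([] if transport == IMPLICIT_NULL else [transport]) + [VPN_LABEL]


def forward(next_hop_prefix):
    """Walk a VPN packet PE-102 -> P -> PE-104 and report where it ends up."""
    stack = ingress_stack(next_hop_prefix)
    # P is a pure label switch: it only knows labels in its own LFIB.
    lfib = {label: prefix for prefix, label in P_LOCAL.items()}
    top = stack[0]
    if top not in lfib:
        return f"dropped at P: label {top} not in LFIB (VPN label exposed)"
    # PE-104 is connected to the prefix, so it advertised implicit-null:
    # P pops the transport label (penultimate hop popping) and forwards.
    if advertised("PE-104", lfib[top]) == IMPLICIT_NULL:
        stack = stack[1:]
    if stack == [VPN_LABEL]:
        return "delivered to VRF test on PE-104"
    return f"dropped at PE-104: unexpected stack {stack}"


if __name__ == "__main__":
    print(forward("192.168.3.0/24"))   # BGP next hop on the P-PE serial link
    print(forward("10.0.0.104/32"))    # BGP next hop on PE-104's loopback
```
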

Jon Marshall Sun, 06/08/2008 - 11:33

I had the exact same issue and was also surprised that it wasn't as well known as you would think it should be. Perhaps we're just looking in the wrong places :-)

See this previous thread, which was when I asked pretty much the same thing. There is a suggestion in the last post of the thread of a different way to do things but I never got around to trying it out. Harold Ritter, who originally answered the question, is very experienced in all things MPLS.

Oh, and please try to ignore the fact I keep referring to penultimate pop hopping rather than what it should be, which is penultimate hop popping - seem to have a bit of a block with this!


http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Service%20Providers&topic=MPLS&topicID=.ee8558c&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cbe8a76/0#selected_message


Jon
