mpls-vpn and vrf routes

Answered Question
Jul 30th, 2009

All,

I've attached a gns lab that I created and need help with. What I've got is the following:

Customer A and B connect to ISP_PE1 and ISP_PE2.

ISP_PE1, ISP_P, and ISP_PE2 run eigrp in AS100.

ISP_PE1 and ISP_PE2 are running BGP in AS200 and peer with each of the customer routers, and run vpnv4 peer between ISP_PE1 and ISP_PE2.

On every customer router (CustomerA on ISP_PE1 for instance), I have the routes from the other CustomerA router on the ISP_PE2 side of the mpls network. I can't ping the CustomerA router from the other CustomerA router even though I see the routes. I also show the routes on ISP_PE1 and ISP_PE2 under the respective vrf.

I've attached the zip file should anyone want to take a look at it because I'm stumped.

Thanks,

John

bilousand Thu, 07/30/2009 - 06:10

You probably can ping Customer A addresses from Customer B routers though. =) Am I right?

John Blakley Thu, 07/30/2009 - 06:14

No, I can't. I don't have CustomerA's routes on CustomerB's routers.

When I look at the basic routing table on the ISP routers, I only have my IGP routes (which I *think* is correct). In order to see the customer routes, I have to look at the vrf table.

Thanks,

John

Jon Marshall Mon, 08/03/2009 - 11:04

John

Sorry, meant to verify this for you but got sidetracked :-)

"When I look at the basic routing table on the ISP routers, I only have my IGP routes (which I *think* is correct). In order to see the customer routes, I have to look at the vrf table."

Correct. More specifically

1) The P routers only have routes for destinations within the MPLS cloud ie. other P routers and PE routers. So they only have IGP routes where the IGP is running between the P & PE routers.

2) The PE routers have the IGP routes as above but also the customer routes which in an MPLS VPN are contained within vrfs. So a "sh ip route" on a PE router will only show the IGP routes where the IGP is running between the P & PE routers + the IBGP routes exchanged between PE routers.

To view the customer routes you need to use the "sh ip route vrf " as you say.

Jon

John Blakley Mon, 08/03/2009 - 11:09

Jon,

That's what I got :) It worked great, and it was my very first full-fledged mpls setup. Now I get to build on that....

Thanks,

John

Jon Marshall Thu, 07/30/2009 - 07:05

John

We are going to have to agree on a directory structure for our GNS3 setup; it took me ages to modify it to point to my directories :-)

Your problem is that you are peering between the PE routers on their physical interface addresses whereas you should be peering on a loopback address. For a description of why see this post I did a while back -

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40.2cbe8a76

and yes I know it should be Penultimate Hop Popping and not what I put :-)

I made the following modifications to your PE router configs -

PE1

int loopback 10
 ip address 11.11.11.1 255.255.255.0
!
router eigrp 100
 network 2.2.2.2 0.0.0.3
 network 11.11.11.0 0.0.0.255
 no auto-summary
!
router bgp 200
 no synchronization
 bgp log-neighbor-changes
 neighbor 12.12.12.1 remote-as 200
 neighbor 12.12.12.1 update-source loopback10
 no auto-summary
 !
 address-family vpnv4
  neighbor 12.12.12.1 activate
  neighbor 12.12.12.1 send-community both
 exit-address-family
!

PE2

int loopback 10
 ip address 12.12.12.1 255.255.255.0
!
router eigrp 100
 network 1.1.1.1 0.0.0.3
 network 12.12.12.0 0.0.0.255
 no auto-summary
!
router bgp 200
 no synchronization
 bgp log-neighbor-changes
 neighbor 11.11.11.1 remote-as 200
 neighbor 11.11.11.1 update-source loopback10
 no auto-summary
 !
 address-family vpnv4
  neighbor 11.11.11.1 activate
  neighbor 11.11.11.1 send-community both
 exit-address-family
!

Jon

John Blakley Thu, 07/30/2009 - 07:08

Jon,

You're awesome! So my problem is the iBGP peers needing to peer on a loopback interface? If so, that explains why my routers were giving me the error message of something like:

peer 2.2.2.2 may not be reachable from 1.1.1.1 because it's not a loopback (or something like that).

I could easily ping 2.2.2.2 though, so I just disregarded the message. I can't test this until tonight, but this is a great start!

Thanks!

John

Jon Marshall Thu, 07/30/2009 - 07:17

John

No problem. I tested with your config files and it worked fine.

One important thing to note. The peering on loopbacks as indicated in other thread is to do with MPLS labels ie. it's the underlying MPLS setup that wasn't working properly rather than when you added the MPLS VPN config.

Let me know how you get on :-)

Jon

John Blakley Fri, 07/31/2009 - 05:51

Jon,

Changing my peers to use loopbacks definitely resolved the issue. I also noticed that any tags that exit out of the providers network leave the provider's network as untagged, so I'm assuming that the mpls labels are only local within the provider's environment. Is that a correct assumption?

Thanks!

John

Correct Answer
Jon Marshall Sat, 08/01/2009 - 12:56

John

Glad you got it working.

MPLS tags are only used within the MPLS cloud ie. between the PE & P routers. They are stripped at the egress of the MPLS cloud and become normal IP packets. So the CE routers do not see any MPLS tags.

Actually to be more specific if you have enabled Penultimate Hop Popping the top tag is actually stripped before the packet reaches the egress PE so the egress PE actually receives the packet with only the VPN tag ie. with MPLS VPNs the packets have 2 tags as they traverse the MPLS cloud.

So at the ingress PE a VPN tag is added. This VPN tag is only relevant to the egress PE ie. the intermediate P routers don't care about it.

Then the ingress PE adds another tag and this tag is used to label switch the packet to the next hop ie. the first P router. This P router then strips the top tag only and adds another tag to switch to the next P router. The last P router removes the top tag and simply forwards the packet to the egress PE router without adding another tag. So when the PE router receives the packet it only has the VPN tag to process.

Apologies if you already knew all this.

Jon
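The label-stack walk Jon describes above, as an added example that is not part of this thread or of anyone's router config. It models one CE-to-CE packet crossing PE1, two P routers and PE2: the ingress PE pushes the VPN label and then the transport label, each P router swaps only the top label, the penultimate P pops it (implicit-null from LDP), and the egress PE uses the one remaining label to pick the VRF. Every label value, router name, LFIB entry and prefix here is constructed. It also goes one step beyond the thread: the second scenario shows the failure mode that the loopback-peering fix addresses (this editor's reading of the problem, not something Jon spells out here): when the BGP next hop is an address on a directly connected /30, the first P router hands the ingress PE an implicit-null transport binding, the packet leaves PE1 with only the VPN label, and the P router drops it because that label means nothing to it.

```python
# Added example: simulate the MPLS VPN label stack across PE1 -> P1 -> P2 -> PE2.
# All labels, names and LFIBs below are constructed for illustration.

IMPLICIT_NULL = "implicit-null"  # LDP binding meaning "pop before sending to me" (PHP)
VPN_LABEL = 16                   # constructed: label PE2 allocated for VRF "CustA"


class Drop(Exception):
    """Raised when a router cannot forward the packet."""


def ingress_pe(pkt, vpn_label, transport_label):
    """CE->PE: push the VPN label (inner), then the transport label (outer)
    learned for the BGP next hop. An implicit-null transport binding means
    the packet leaves with the VPN label alone."""
    labels = [vpn_label]
    if transport_label != IMPLICIT_NULL:
        labels.insert(0, transport_label)
    return {**pkt, "labels": labels}


def p_router(pkt, lfib):
    """P router: act on the top label only. Swap it for the out-label, or pop
    it when the out-label is implicit-null (penultimate hop popping)."""
    if not pkt["labels"]:
        raise Drop("unlabelled packet: P routers carry no customer routes")
    top, rest = pkt["labels"][0], pkt["labels"][1:]
    if top not in lfib:
        raise Drop(f"label {top} not in LFIB")
    out = lfib[top]
    return {**pkt, "labels": rest if out == IMPLICIT_NULL else [out] + rest}


def egress_pe(pkt, vrf_by_vpn_label):
    """Egress PE: after PHP exactly one label remains, and it selects the VRF
    whose table is consulted for the final IP lookup."""
    if len(pkt["labels"]) != 1:
        raise Drop(f"expected only the VPN label, got {pkt['labels']}")
    vpn = pkt["labels"][0]
    if vpn not in vrf_by_vpn_label:
        raise Drop(f"unknown VPN label {vpn}")
    return {**pkt, "labels": [], "vrf": vrf_by_vpn_label[vpn]}


def walk(transport_label_at_pe1, p_lfibs):
    """Forward one packet PE1 -> P1..Pn -> PE2 and return a per-hop trace of
    the label stack, or the hop and reason at which it was dropped."""
    pkt = {"dst": "10.2.0.1", "labels": [], "vrf": None}  # constructed CE prefix
    trace = []
    try:
        pkt = ingress_pe(pkt, VPN_LABEL, transport_label_at_pe1)
        trace.append(("PE1", list(pkt["labels"])))
        for i, lfib in enumerate(p_lfibs, start=1):
            pkt = p_router(pkt, lfib)
            trace.append((f"P{i}", list(pkt["labels"])))
        pkt = egress_pe(pkt, {VPN_LABEL: "CustA"})
        trace.append(("PE2", pkt["vrf"]))
        return {"delivered": True, "vrf": pkt["vrf"], "trace": trace}
    except Drop as err:
        return {"delivered": False, "reason": str(err), "trace": trace}


# Scenario 1 (loopback peering): PE1 has transport label 20 for PE2's loopback,
# P1 swaps 20 -> 30, P2 pops (PE2 advertised implicit-null for its own loopback).
GOOD_P_LFIBS = [{20: 30}, {30: IMPLICIT_NULL}]

# Scenario 2 (next hop on the P2-PE2 /30): P1's binding for that connected subnet
# is implicit-null, so PE1 sends only the VPN label and P1 has no entry for it.

if __name__ == "__main__":
    for name, label in (("loopback next hop", 20), ("physical next hop", IMPLICIT_NULL)):
        result = walk(label, GOOD_P_LFIBS)
        print(name, "->", result)
```

With the loopback next hop the trace reads PE1 [20, 16], P1 [30, 16], P2 [16], PE2 CustA, which is exactly the two-label, swap, pop, VRF-lookup sequence Jon outlines; with the physical next hop the walk stops at P1 with "label 16 not in LFIB".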
