FLEXoMPLS issue


Hi there,


I have an issue where I am unable to route from the hub to the remote site when using FLEXoMPLS.


Everything works and the tunnel sets up fine, though the cloned virtual-access interface isn't used in any routing table as a recursive.


The route should be attached to the virtual-access interface.


hub#sho ip cef vrf BLUE detail | sec label
192.168.99.0/24, epoch 0, flags rib defined all labels
  recursive via 10.0.0.1 label 17
    recursive via 0.0.0.0/0
      recursive via 172.16.1.1
        attached to Ethernet0/2
hub#

hub#sho ip int brie
...Loopback0                  10.0.0.254      YES NVRAM  up                    up
Virtual-Access1            10.0.0.254      YES unset  up                    up
Virtual-Template1          10.0.0.254      YES unset  up                    down


My hub configuration is attached.

Any help would be appreciated!

Overall Rating: 5 (1 ratings)
Marcin Latosiewicz Mon, 01/20/2014 - 12:37
User Badges:
  • Cisco Employee,

Lee,


Just for clarification, this is MPLS over Flex not Flex over MPLS :-)


I've been interested in this kind of deployment for a while. I'll try to set it up tomorrow or the day after and see what I can get for you.

What's the IOS version you're running this on?


M.

Marcin Latosiewicz Tue, 01/21/2014 - 06:42

Lee,


Had some problems with 15.2, but tried with 15.4.1T1.


Hub#traceroute vrf BLUE 192.168.101.1 source e1/1
Type escape sequence to abort.
Tracing the route to 192.168.101.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.101.1 6 msec *  5 msec

Hub#show ip cef vrf BLUE 192.168.101.1 det
192.168.101.0/24, epoch 0, flags rib defined all labels
  recursive via 10.1.1.178 label 16
    attached to Virtual-Access3



Hub#sh run | s r b
router bgp 65001
 bgp log-neighbor-changes
 bgp listen range 10.1.1.0/24 peer-group Spokes
 neighbor Spokes peer-group
 neighbor Spokes remote-as 65001
 neighbor 2001:DB8:1999:: remote-as 65001
 neighbor 2001:DB8:1999:: update-source Loopback100
 neighbor 192.168.0.2 remote-as 65001
 !
 address-family ipv4
  network 192.168.0.0
  neighbor Spokes activate
  no neighbor 2001:DB8:1999:: activate
  neighbor 192.168.0.2 activate
  neighbor 192.168.0.2 route-reflector-client
  neighbor 192.168.0.2 next-hop-self all
  neighbor 192.168.0.2 unsuppress-map ALL
 exit-address-family
 !
 address-family vpnv4
  neighbor Spokes activate
  neighbor Spokes send-community extended
 exit-address-family
 !
 address-family ipv6
  neighbor 2001:DB8:1999:: activate
 exit-address-family
 !
 address-family ipv4 vrf BLUE
  network 192.168.0.0
  redistribute connected
 exit-address-family

Hub#sh ip route vrf BLUE

Routing Table: BLUE
(...)

Gateway of last resort is not set

      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, Ethernet1/1
L        192.168.0.1/32 is directly connected, Ethernet1/1
B     192.168.101.0/24 [200/0] via 10.1.1.178, 00:07:13
B     192.168.102.0/24 [200/0] via 10.1.1.179, 00:07:13



From the spoke:


Spoke1#traceroute vrf BLUE 192.168.0.1 source e1/1
Type escape sequence to abort.
Tracing the route to 192.168.0.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.0.1 5 msec *  6 msec

Spoke1#show ip cef vrf BLUE 192.168.0.1 det
192.168.0.0/24, epoch 0, flags rib defined all labels
  recursive via 10.1.1.1 label 16
    attached to Tunnel1

Spoke1#sh run | s r b
router bgp 65001
 bgp log-neighbor-changes
 network 192.168.101.0
 neighbor 10.1.1.1 remote-as 65001
 !
 address-family vpnv4
  neighbor 10.1.1.1 activate
  neighbor 10.1.1.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf BLUE
  network 192.168.101.0
  redistribute connected
 exit-address-family

Spoke1#sh ip route vrf BLUE

Routing Table: BLUE
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

B     192.168.0.0/24 [200/0] via 10.1.1.1, 00:08:35
      192.168.101.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.101.0/24 is directly connected, Ethernet1/1
L        192.168.101.1/32 is directly connected, Ethernet1/1
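
Added example (not part of the posts in this thread and not Cisco code): a Python check over saved `show ip cef vrf <name> detail` output that flags labelled VRF prefixes whose recursion falls back to the default route or ends on a non-tunnel interface, which is the difference between the output in the original question and the working 15.4.1T1 output above. A prefix flagged this way is not being forwarded through the IPsec-protected Virtual-Access/Tunnel interface. The interface-name prefixes in `TUNNEL_IF` and the function names are assumptions.

```python
import re

# Sample inputs: the two CEF outputs quoted in this thread, blank lines removed.
BROKEN = """\
192.168.99.0/24, epoch 0, flags rib defined all labels
  recursive via 10.0.0.1 label 17
    recursive via 0.0.0.0/0
      recursive via 172.16.1.1
        attached to Ethernet0/2
"""
WORKING = """\
192.168.101.0/24, epoch 0, flags rib defined all labels
  recursive via 10.1.1.178 label 16
    attached to Virtual-Access3
"""

PREFIX_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+),")
STEP_RE = re.compile(r"^\s+recursive via (\S+)(?: label (\d+))?")
ATTACH_RE = re.compile(r"^\s+attached to (\S+)")
TUNNEL_IF = ("Virtual-Access", "Tunnel")  # assumption: overlay interface names

def parse_cef(text):
    """Return {prefix: {"chain": [...], "label": int|None, "egress": str|None}}."""
    entries, cur = {}, None
    for line in text.splitlines():
        if m := PREFIX_RE.match(line):
            cur = entries.setdefault(
                m.group(1), {"chain": [], "label": None, "egress": None})
        elif cur is None:
            continue  # prompt or header line before the first prefix
        elif m := STEP_RE.match(line):
            cur["chain"].append(m.group(1))
            if m.group(2) and cur["label"] is None:
                cur["label"] = int(m.group(2))  # VPN label on the first hop
        elif m := ATTACH_RE.match(line):
            cur["egress"] = m.group(1)
    return entries

def audit(text):
    """List (prefix, reason) for labelled prefixes that miss the tunnel."""
    findings = []
    for prefix, e in parse_cef(text).items():
        if e["label"] is None:
            continue  # only labelled (VPNv4-learned) prefixes are checked
        if "0.0.0.0/0" in e["chain"]:
            findings.append((prefix, "next hop resolved via default route"))
        if not (e["egress"] or "").startswith(TUNNEL_IF):
            findings.append((prefix, f"egress {e['egress']} is not a tunnel interface"))
    return findings
```
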

Marcin Latosiewicz Tue, 01/21/2014 - 14:42

Lee,


Hub#sh run | s Virtual
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback100
 ip mtu 1400
 ip nhrp network-id 2
 ip nhrp redirect
 ip tcp adjust-mss 1360
 ipv6 unnumbered Loopback100
 ipv6 enable
 mpls bgp forwarding
 tunnel path-mtu-discovery
 tunnel protection ipsec profile default

Hub#show mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
16         No Label   192.168.0.0/24[V]   \
                                       0             aggregate/BLUE


Everything is global.


I'm wondering if this is actually a valid way to do things, let me pick brains of some of the MPLS folks here.


M.

Hi Marcin,


I will have a topology of 4 ASR hub routers, 2 at one site, 2 in another. I am planning on the spoke routers having 4 tunnels constantly up, one to each hub. I have read in one of your web pages that Cisco recommend iBGP between hub and spoke routers. This is fine, though will need to route-reflect between all the hubs.


The tunnels will be authenticated with a RADIUS at the headend, hence I don't believe with shortcut routing we can authenticate against the RADIUS, or will the Hub router still proxy auth requests for spoke to spoke?


Cheers,

Lee.
