cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1374
Views
0
Helpful
5
Replies

MPLS Hub & Spoke traffic flow refinement

fsebera
Level 4
Level 4

TOPOLOGY:

I have a dual Hub and Spoke MPLS topology, with a Point-to-point link between the hubs.

Traffic between spokes must traverse one of the hubs in order to reach the destination spoke.

Spoke-to-spoke traffic works as designed.

:

QUESTION:

I want the spokes to utilize their primary hub (secondary hub in failure mode) when the destination is another spoke. BUT, when the destination is a hub LAN, I need the spoke (MPLS cloud) to route directly to the hub’s LAN bypassing the primary/secondary spoke-to-spoke rules.

:

TROUBLESHOOTING:

I tried several different approaches to adjust this flow but cannot seem to figure out the exact recipe to make it work correctly. 

I was tinkering around with the expanded extcommunity-list with as-path filtering among other items.

Suggestions would be most appreciated. Looking for a direction!

:

:

Here are the trace routes for the 3 different destinations (from spoke WAN3):

:

1. Flow to primary hub’s LAN, timestamps removed for clarity

WAN3#trace 172.16.2.1  

  1 172.17.30.2 ------------------- [PE3] 

  2 172.17.26.2 [AS 65535]----- [PE2]  

  3 172.17.26.1 [AS 65535]----- [WAN2, primary hub]]  

  4 172.16.20.253 [AS 20]------- [destination net]

:

:

2. Spoke-to-spoke flow, timestamps removed for clarity

WAN3#trace 172.16.4.1  

  1 172.17.30.2 ------------------ [PE3]  

  2 172.17.26.2 [AS 65535] ---- [PE2]  

  3 172.17.26.1 [AS 65535] ---- [WAN2, primary hub] 

  4 172.17.20.2 [AS 20] -------- [PE2]  

  5 172.17.40.2 [AS 65535] ---- [PE3]  

  6 172.17.40.1 [AS 65535] ---- [WAN4]

:

:

3. Spoke to secondary hub’s LAN, timestamps removed for clarity

WAN3#trace 172.16.1.1  

  1 172.17.30.2 ----------------- [PE3]  

  2 172.17.26.2 [AS 65535] -- [PE2]------------------------- Want this to go to PE1

  3 172.17.26.1 [AS 65535] -- [WAN2, primary hub]

  4 172.18.250.1 [AS 20] ----- [Backup link]  

  5 172.16.10.253 [AS 10] ---- [Secondary hub LAN]

:

:

:

Configuration for PE3:

vrf definition REG3

description WAN3 to WAN1 & WAN2 [Hub & Spoke]

rd 30:1020

!       

address-family ipv4  

  import map WAN2  

  route-target export 30:30  

  route-target import 10:10 

  route-target import 20:20

exit-address-family

!

address-family ipv6 

  import map WAN2V6  

  route-target export 30:30  

  route-target import 20:20  

  route-target import 10:10

exit-address-family

!

---snip---

!

router bgp 65535 bgp

  router-id 10.0.0.3

  bgp log-neighbor-changes

  no bgp default ipv4-unicast

  neighbor 10.0.0.1 remote-as 65535

  neighbor 10.0.0.1 update-source Loopback0

  neighbor 10.0.0.2 remote-as 65535

  neighbor 10.0.0.2 update-source Loopback0

!

address-family ipv4

exit-address-family

!

address-family vpnv4  

neighbor 10.0.0.1 activate  

neighbor 10.0.0.1 send-community extended  

neighbor 10.0.0.2 activate  

neighbor 10.0.0.2 send-community extended

exit-address-family

!

address-family vpnv6  

neighbor 10.0.0.1 activate  

neighbor 10.0.0.1 send-community extended  

neighbor 10.0.0.2 activate  

neighbor 10.0.0.2 send-community extended

exit-address-family

!

address-family ipv4 vrf REG3  

redistribute connected  

neighbor 172.17.30.1 remote-as 30  

neighbor 172.17.30.1 description WAN3 [Hub & Spoke]  

neighbor 172.17.30.1 activate  

neighbor 172.17.30.1 route-map WAN3 in

exit-address-family

!

address-family ipv6 vrf REG3  

redistribute connected  

neighbor 172:17:30::1 remote-as 30  

neighbor 172:17:30::1 description WAN3 [Hub & Spoke]  

neighbor 172:17:30::1 activate  

neighbor 172:17:30::1 route-map WAN3V6 in

exit-address-family

!

address-family ipv4 vrf REG4  

redistribute connected  

neighbor 172.17.40.1 remote-as 40  

neighbor 172.17.40.1 description WAN4 [Hub & Spoke]  

neighbor 172.17.40.1 activate  

neighbor 172.17.40.1 route-map WAN4 in

exit-address-family

!

address-family ipv6 vrf REG4  

redistribute connected  

neighbor 172:17:40::1 remote-as 40  

neighbor 172:17:40::1 description WAN4 [Hub & Spoke]  

neighbor 172:17:40::1 activate  

neighbor 172:17:40::1 route-map WAN4V6 in

exit-address-family

!

ip extcommunity-list standard WAN1 permit rt 10:10

ip extcommunity-list standard WAN1V6 permit rt 10:10

ip extcommunity-list standard WAN2 permit rt 20:20

ip extcommunity-list standard WAN2V6 permit rt 20:20

!

ip access-list standard WAN3

permit 172.16.30.2

permit 172.16.30.3

permit 172.16.3.0

remark Perfer Local prefixes over prefixes from Hubs

!

ip access-list standard WAN4

permit 172.16.40.2

permit 172.16.4.0

remark Perfer Local prefixes over prefixes from Hubs

!

route-map WAN1V6 permit 10

description LP set higher for nets w/ RT 10:10 received from WAN1

match extcommunity WAN1V6

set local-preference 500

!

route-map WAN1V6 permit 20

description LP set lower for nets w/ RT 20:20 received from WAN2

match extcommunity WAN2V6

set local-preference 40

!

route-map WAN2V6 permit 10

description LP set higher for nets w/ RT 20:20 received from WAN1

match extcommunity WAN2V6

set local-preference 500

!       

route-map WAN2V6 permit 20

description LP set lower for nets w/ RT 10:10 received from WAN2

match extcommunity WAN1V6

set local-preference 40

!

route-map WAN3V6 permit 10

description LP set higher on local nets to prevent flapping

match ipv6 address WAN3V6

set local-preference 700

!

route-map WAN4V6 permit 10

description LP set higher on local nets to prevent flapping

match ipv6 address WAN4V6

set local-preference 700

!

route-map WAN1 permit 10

description LP set higher for nets w/ RT 10:10 received from WAN1

match extcommunity WAN1

set local-preference 500

!

route-map WAN1 permit 20

description LP set lower for nets w/ RT 20:20 received from WAN2

match extcommunity WAN2

set local-preference 40

!

route-map WAN2 permit 10

description LP set higher for nets w/ RT 20:20 received from WAN2

match extcommunity WAN2

set local-preference 500

!

route-map WAN2 permit 20

description LP set lower for nets w/T 10:10 received from WAN1

match extcommunity WAN1

set local-preference 40

!

route-map WAN3 permit 10

description LP set higher on local nets to prevent flapping

match ip address WAN3

set local-preference 700

!

route-map WAN4 permit 10

description LP set higher on local nets to prevent flapping

match ip address WAN4

set local-preference 700

TOPOLOGY MAP showing prefix flows:

Hub and Spoke Jan 2012.gif

1 Accepted Solution

Accepted Solutions

Hello,

I havent seen the Local-preference before on PE3. Apologize.  Indeed, if there is a higher Local preference towards WAN-2 from PE3, then it will always be prefered regardless of the AS-Prepend done. I agree.

Now, lets see how you can change this for Network 172.16.1.0/24. taking your previous config as below:-

route-map WAN1 permit 10

description LP set higher for nets w/ RT 10:10 received from WAN1

match extcommunity WAN1

set local-preference 500

!

route-map WAN1 permit 20

description LP set lower for nets w/ RT 20:20 received from WAN2

match extcommunity WAN2

set local-preference 40

Proposed Change:

What I will do is to add another match statment that denies Net 172.16.1/24 with an RT of 20:20 from being set with local preference 500 , instead, it should set an LP of 20 for example, and allow all other Net to set an LP of 500 as follows:

ip prefix-list WAN1 seq 5 deny 172.16.1.0/24

ip prefix-list WAN1 seq 10 permit 0.0.0.0/0 le 32

ip prefix-list Set-LP-20  seq 5 permit 172.16.1.0/24

route-map WAN1 permit 10

description LP set higher for nets w/ RT 10:10 received from WAN1

match ip address prefix-list WAN1 ------------------------------------------------------ Add this MATCH statement

match extcommunity WAN1

set local-preference 500

route-map WAN1 permit 30 ---------------------------------------------------------------- Add this Sequence to the route-map

match ip address prefix-list Set-LP-20

Set Local-preference 20

Please let us know the result,

Regards,

Mohamed

View solution in original post

5 Replies 5

Mohamed Sobair
Level 7
Level 7

Hello,

You need to do one thing, the Originator of the 172.16.1.0/24 is (AS 10) WAN-1.

On WAN-1, advertise this prefix with prepended AS of 10 towards WAN-2 router, this way, it will become less prefered by the MPLS cloud and the Spoke routers, So that when you trace back from the Spokes, it should traverse PE1 and WAN-1 directly instead of going to WAN-2.

You need to perform identical action for traffic destined to 172.16.2.0/24 from the Spoke, On WAN-2, prepend this Network twords WAN-1 , so that it will become less prefered.

Thanks,

Mohamed

Hi Mohamed,

Perhaps I should have provided a little more details (but didn’t want to overload the folks helping). Below (1st output) is PE3’s bgp table before pre-pending the 172.16.1/24 net as was suggested.

:

On PE3, BGP Well-known Discretionary attribute “Local preference” is used to select the route offered through PE2 (10.0.0.2)(LP=500). A shorter AS path for the 172.16.1/24 net is offered through PE1 (10.0.0.1) but has a lower local-preference (LP=40).

:

Below, (2nd output) the AS path (prepended on WAN1 egress) added to the nets which don’t make any change. Highest local preference is the attribute used in making all the decisions here.

:

I think the issue in my setup is the PE3 vrf definition, address-family ipv4 “IMPORT MAP” which sets all nets from RT 20:20 to LP of 500.

:

What (I think) is needed here is a way for the IMPORT MAP to look at something other than the route-target [20:20 verses 10:10]. BUT I could be wrong as I don’t have an answer yet either.

:

:

Before prepending

PE3#sh ip bgp vpnv4 vrf REG3

BGP table version is 122, local router ID is 10.0.0.3  

Network          Next Hop            Metric LocPrf Weight Path

Route Distinguisher: 30:1020 (default for vrf REG3)

*>i0.0.0.0         10.0.0.2                0    500     0 20 i

* i                10.0.0.1                0    40      0 10 i

*>i172.16.1.0/24   10.0.0.2                0    500     0 20 10 ?

* i                10.0.0.1                2    40      0 10 ?

*>i172.16.2.0/24   10.0.0.2                2    500     0 20 ?

* i                10.0.0.1                0    40      0 10 20 ?

* i172.16.3.0/24   10.0.0.2                0    500     0 20 65535 30 ?

* i                10.0.0.1                0    40      0 10 65535 30 ?

*>                 172.17.30.1             0    700     0 30 ?

*>i172.16.4.0/24   10.0.0.2                0    500     0 20 65535 40 ?

* i                10.0.0.1                0    40      0 10 65535 40 ?

*>i172.16.10.0/24  10.0.0.2                0    500     0 20 10 i

* i                10.0.0.1                0    40      0 10 i

*>i172.16.10.1/32  10.0.0.2                0    500     0 20 10 ?

* i                10.0.0.1                2    40      0 10 ?

After prepending

PE3#sh ip bgp vpnv4 vrf REG3

BGP table version is 200, local router ID is 10.0.0.3  

Network          Next Hop            Metric LocPrf Weight Path

Route Distinguisher: 30:1020 (default for vrf REG3)

*>i0.0.0.0         10.0.0.2                0    500     0 20 i

*>i172.16.1.0/24   10.0.0.2                0    500     0 20 10 ?

* i                10.0.0.1                2    40      0 10 10 ?

*>i172.16.2.0/24   10.0.0.2                2    500     0 20 ?

* i172.16.3.0/24   10.0.0.2                0    500     0 20 65535 30 ?

*>                 172.17.30.1             0    700     0 30 ?

*>i172.16.4.0/24   10.0.0.2                0    500     0 20 65535 40 ?

*>i172.16.10.0/24  10.0.0.2                0    500     0 20 10 i

* i                10.0.0.1                0    40      0 10 10 i

*>i172.16.10.1/32  10.0.0.2                0    500     0 20 10 ?

* i                10.0.0.1                2    40      0 10 10 ?

*>i172.16.10.2/32  10.0.0.2                0    500     0 20 10 ?

* i                10.0.0.1                0    40      0 10 10 ?

*>i172.16.10.3/32  10.0.0.2                0    500     0 20 10 ?

* i                10.0.0.1                0    40      0 10 10 ?

Hello,

I havent seen the Local-preference before on PE3. Apologize.  Indeed, if there is a higher Local preference towards WAN-2 from PE3, then it will always be prefered regardless of the AS-Prepend done. I agree.

Now, lets see how you can change this for Network 172.16.1.0/24. taking your previous config as below:-

route-map WAN1 permit 10

description LP set higher for nets w/ RT 10:10 received from WAN1

match extcommunity WAN1

set local-preference 500

!

route-map WAN1 permit 20

description LP set lower for nets w/ RT 20:20 received from WAN2

match extcommunity WAN2

set local-preference 40

Proposed Change:

What I will do is to add another match statment that denies Net 172.16.1/24 with an RT of 20:20 from being set with local preference 500 , instead, it should set an LP of 20 for example, and allow all other Net to set an LP of 500 as follows:

ip prefix-list WAN1 seq 5 deny 172.16.1.0/24

ip prefix-list WAN1 seq 10 permit 0.0.0.0/0 le 32

ip prefix-list Set-LP-20  seq 5 permit 172.16.1.0/24

route-map WAN1 permit 10

description LP set higher for nets w/ RT 10:10 received from WAN1

match ip address prefix-list WAN1 ------------------------------------------------------ Add this MATCH statement

match extcommunity WAN1

set local-preference 500

route-map WAN1 permit 30 ---------------------------------------------------------------- Add this Sequence to the route-map

match ip address prefix-list Set-LP-20

Set Local-preference 20

Please let us know the result,

Regards,

Mohamed

Hey

It appears using a RT in an import map; you are restricted to non-granular parameters and I guess for good reason. I’m thinking service providers don’t usually want this granularity due to the number of different customers. In my limited experience, it appears using RTs in an import map is an all or nothing setup; the same policy applies to all prefixes that made it through the filter. Although I do see some docs speaking to “extended communities” (expanded) that allow more granularity but again it based on RTs with regular expressions.

In working with you, I think we figured out the alternative to import map with RT’s is to use import maps with route-maps. Route-maps allow for very granular parameters Eg. ACL, prefix-map, regular-exp filtering, permit and denies per prefix etc. In the vrf definition (ip vrf for those still only using IPv4) I still use the import map. In the import map, I removed the RT statements and replaced with route-maps and tied the route-maps to ACL’s. The ACL’s permit the exact prefixes for each hub site. The nice feature about this method is I can control spoke traffic flow totally from the hub by prepending each prefix as the need arises. The down-side to this method is the service provider has to know all networks behind each CE router.

One note, my setup is probably unique in that it’s a hub and spoke environment, (traffic between spokes MUST traverse a hub in each direction of the traffic flow) and two (CE) spokes connect to the same PE router (PE3) but in different VRFs.

Thanks again for taking your time to assist!!!

Hope to assist with support in the future.

As a comparison and reference,

I configured spoke-3 (WAN3) to use the new setup described above.

I left spoke-4 (WAN4) using import map with RT’s, see this setup in my original thread.

Here Spoke-3 (WAN3) is using Route-map, ACL (not RT)

Trace from Spoke-3 (WAN3) to Hub1 (WAN1) LAN

WAN3#trace 172.16.1.1  

1 172.17.30.2 ------------------ PE3  

2 172.17.16.2 [AS 65535]--- PE1  

3 172.17.16.1 [AS 65535]--- HUB1 (WAN1)  

4 172.16.10.253 [AS 10] ---- CORE1

Trace from Spoke-3 (WAN3) to Hub2 (WAN2) LAN

WAN3#trace 172.16.2.1  

1 172.17.30.2 ---------------------PE3  

2 172.17.26.2 [AS 65535] ----PE2  

3 172.17.26.1 [AS 65535] ----HUB2 (WAN2)  

4 172.16.20.253 [AS 20] -----CORE2

Trace from Spoke-3 (WAN3) to spoke-4 (WAN4)

WAN3#trace 172.16.4.1  

1 172.17.30.2 -----------------------PE3  

2 172.17.26.2 [AS 65535] ------PE2  

3 172.17.26.1 [AS 65535] ------HUB2 (WAN2)  

4 172.17.20.2 [AS 20] -----------PE2  

5 172.17.40.2 [AS 65535] ------PE3  

6 172.17.40.1 [AS 65535] ------Spoke-4 (WAN4)

The above flows can be manipulated from either hub.

The below flows are locked in and only change in failure.

Here Spoke-4 (WAN4) is using RTs on PE3

Trace from Spoke-4 (WAN4) to Hub1 (WAN1) LAN

WAN4#trace 172.16.1.1  

1 172.17.40.2 ----------------------PE3  

2 172.17.16.2 [AS 65535] --–--PE1  

3 172.17.16.1 [AS 65535] -----HUB1 (WAN1)  

4 172.16.10.253 [AS 10] ------CORE1

Trace from Spoke-4 (WAN4) to Hub2 (WAN2) LAN

WAN4#trace 172.16.2.1  

1 172.17.40.2 ----------------------PE3  

2 172.17.16.2 [AS 65535] -----PE1  

3 172.17.16.1 [AS 65535] -----HUB1 (WAN1)  

4 172.18.250.2 [AS 10] --------HUB2 (WAN2, using Backup link)  

5 172.16.20.253 [AS 20] ------CORE2

Trace from Spoke-4 (WAN4) to Spoke-3 (WAN3) LAN

WAN4#trace 172.16.3.1  

1 172.17.40.2 ---------------------PE3  

2 172.17.16.2 [AS 65535] ----PE1  

3 172.17.16.1 [AS 65535] ----HUB1 (WAN1)  

4 172.17.10.2 [AS 10] ---------PE1  

5 172.17.30.2 [AS 65535] ----PE3  

6 172.17.30.1 [AS 65535] ----Spoke-3 (WAN3)

Here the backup link between hubs is down and spoke-4 (WAN4) experiences additional hops. And don’t forget the “P” routers that are not shown in any of the traces, these “P” routers are transparent but are still in the path. If the “P” routers were shown, the number of hops would be a minimum of 10.

The downed backup link has no effect on Spoke-3 (WAN3)

WAN4#trace 172.16.2.1  

1 172.17.40.2 --------------------PE3 

2 172.17.16.2 [AS 65535] ---PE1  

3 172.17.16.1 [AS 65535] ---HUB1 (WAN1) 

4 172.17.10.2 [AS 10] --------PE1 

5 172.17.26.2 [AS 65535] ---PE2 

6 172.17.26.1 [AS 65535] ---HUB2 (WAN2) 

7 172.16.20.253 [AS 20] ----CORE2

dsunkava
Level 1
Level 1

Test reply www.cisco.com

Sent from Cisco Technical Support iPad App

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: