Cisco Support Community
Community Member

Mpls vpn routing problem!

Hi,

I have 2 mpls vpns. These 2 both receive routes from a route-target. Let's say that there is vpn_A and vpn_B. In the show ip route vrf .. command both show a bgp route pointing to a router that has the subnet connected. But in vpn_A the show mpls forwarding-table vrf .. command does not show any labels or a next hop router:

Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
None   Recursive   192.168.199.0/24  0

In vpn_B a label and a next hop router exist. Should I add a static route for the vrf pointing to the next hop?

21 REPLIES
Hall of Fame Super Blue

Re: Mpls vpn routing problem!

Hi

You shouldn't need to. Could you describe your topology in a bit more detail, i.e. which routers are involved (CE, PE, P), and also provide configs for the relevant routers?

Jon

Community Member

Re: Mpls vpn routing problem!

The topology goes like this :

PE1(vpn_A) - P - P - PE2(vpn_B). The 2 PE'S. the CE'S. In the routing table of PE1 there is a route to PE2. On the PE2 there is a route for PE1 vpn_A. Both have vlan interfaces configured, for example on PE1:

interface Vlan107
 ip vrf forwarding vpn_A
 ip address 192.168.1.240 255.255.255.0

The vrf config on both PEs:

ip vrf vpn_A
 rd 1234:260
 route-target export 1234:260
 route-target export 1234:950
 route-target import 1234:260
 route-target import 1234:95

ip vrf Vpn_B
 rd 1234:95
 route-target export 1234:95
 route-target import 1234:950
 route-target import 1234:95

Hope this is enough.

Hall of Fame Super Blue

Re: Mpls vpn routing problem!

Hi

Can you provide

Full config of PE1 and PE2.

Jon

Community Member

Re: Mpls vpn routing problem!

I am really sorry, this is impossible, huge config and I am in a productive network. Can I send anything else?

Hall of Fame Super Blue

Re: Mpls vpn routing problem!

No problem, I understand. If possible, could you provide the outputs of the following commands from both PEs:

1) sh ip ro vrf VPN_A
   sh ip ro vrf VPN_B
2) sh mpls forwarding-table
3) sh mpls forwarding-table vrf VPN_A
   sh mpls forwarding-table vrf VPN_B

Jon

Community Member

Re: Mpls vpn routing problem!

show ip route vrf vpn_A

C 192.168.1.0/24 is directly connected, Vlan107
B 192.168.199.0/24 [200/0] via Pe2's_loopback, 19:01:05

show mpls forwarding-table vrf vpn_A

Local  Outgoing    Prefix               Bytes tag    Outgoing   Next Hop
tag    tag or VC   or Tunnel Id         switched     interface
822    Aggregate   vrf:vpn_A            40096523
823    Untagged    192.168.10.0/24[V]   \
                                        20828455849  Vl107      192.168.1.83
824    Untagged    192.168.30.0/24[V]   \
                                        1103199      Vl107      192.168.1.4

show ip route vrf vpn_B

B 192.168.1.0/24 [200/0] via Pe1's_loopback, 1d05h

show mpls forwarding-table vrf vpn_B

Local  Outgoing     Prefix                Bytes Label  Outgoing   Next Hop
Label  Label or VC  or Tunnel Id          Switched     interface
593    Pop Label    IPv4 VRF[V]           15550        aggregate/vpn_B
2981   No Label     192.168.199.0/24[V]   \
                                          83985816861  Vl110      P2_PUBLIC_ADDR...

Community Member

Re: Mpls vpn routing problem!

I have another PE with the same config, and when I do the show ip route vrf command for the vpn_B there is a line saying "MPLS REQUIRED" which does not appear in the PE1. Also they have a diff in the config:

address-family ipv4 vrf vpn_A
 redistribute connected
 redistribute static route-map SetPreference50
 no auto-summary
 no synchronization
exit-address-family

address-family ipv4 vrf vpn_A
 redistribute connected
 redistribute static route-map SetPreference50
 no synchronization
exit-address-family

Community Member

Re: Mpls vpn routing problem!

Hi,

No auto-summary does not matter here. It is required only when u are using RIP, EIGRP etc.

If it is showing "MPLS required".. cross verify you have enabled mpls ip @ global configuration and @ interface configuration. If u have not enabled it @ interface or global, u can still see the routes as routes go via MPBGP but u can not ping each other.

Regards

Vikas Sharma

Community Member

Re: Mpls vpn routing problem!

mpls ip is enabled both globally and locally. In fact I have noticed that in PE1 there is no vrf vpn_B and an address family for vpn_B. How can I clear this bgp route in this specific vrf?

Re: Mpls vpn routing problem!

Vasileios, there is nothing wrong with your setup at all. Please see the explanation below.

1) show mpls forwarding vrf x.

This command gives you output of the nexthop and the label required only for the routes it is originating itself, and not for the remote routes.

For eg: On PEx-CEx.

If the PEx has received 10.1.1.1 route from CEx, then only you will see the nexthop and local label for the prefix in show mpls forwarding vrf x. If a route, for eg 20.1.1.1, was received from PEy then it won't show up in show mpls forwarding vrf x but will only show up in show ip route vrf x.

2) MPLS Required: on the contrary this means that to switch the packets to that nexthop MPLS is required. If you do a show ip route vrf x x.x.x.x then you will see MPLS required mentioned for each and every route in that vrf except for routes which were originated locally from a directly connected CE.

Referring to the example above in point 1, the same 10.1.1.1 route won't need MPLS as it's connected to local CEx, so there won't be MPLS required for show ip route vrf x.

But for 20.1.1.1 there won't be an MPLS forwarding entry but there would be an MPLS required entry in show ip route, as to reach this prefix on a remote PE MPLS is required till the remote PE.

So what you are seeing is normal.

HTH-Cheers,

Swaroop

Community Member

Re: Mpls vpn routing problem!

Good morning and thanx for the responses. The weird thing is that the vrf routing table has the right routes, other vrf on the same router having the exact destination works just fine. We have done the whole mpls vpn on the router from the beginning, but nothing changed? Could it be an interface problem?

Re: Mpls vpn routing problem!

As mentioned in my earlier post, all the outputs you put across were normal and nothing was wrong with them, if you see when it works then also the outputs would be similar.

You might have had a problem at the IGP-LSP level when you were troubleshooting the VRF labels :-)

HTH-Cheers,

Swaroop

Community Member

Re: Mpls vpn routing problem!

The isis is the IGP and works fine with the other vpns. The problem remains for days now and nothing indicates a problem in the IGP. I have really tried everything and nothing worked. Similar vpns that also take the routes from the main vpn work just fine.

Cisco Employee

Re: Mpls vpn routing problem!

Hi,

Just a small note: "show mpls forwarding" does only list the locally assigned labels other than "implicit null". Thus not every network will show up here, especially networks learned through BGP in a VRF do usually not have a locally assigned label and thus do not show up.

The command to look at is "show ip cef vrf ... detail" which will tell you which label stack is implemented when sending a packet towards the specified destination network. In case you have multiple paths to the BGP next hop you might see a "recursive" statement, i.e. you need another "show ip cef" for the BGP next hop to see the full label stack.

Hope this helps! Please rate all posts.

Regards, Martin

Community Member

Re: Mpls vpn routing problem!

I get this result from the show ip vrf:

show ip cef vrf vpn_A 192.168.199.0 det

192.168.199.0/24, version 26, epoch 0
0 packets, 0 bytes
tag information set, all rewrites owned
local tag: VPN-route-head
fast tag rewrite with
Recursive rewrite via xx.xx.xx.4/32, tags imposed {2981}
via xx.xx.xx.4, 0 dependencies, recursive
next hop xx.xx.xx.190, GigabitEthernet9/10 via xx.xx.xx.4/32 (Default)
valid adjacency
tag rewrite with
Recursive rewrite via xx.xx.xx.4/32, tags imposed {2981}
Recursive load sharing using xx.xx.xx.4/32.

And from another router where the same mpls vpn works just fine I get the following result:

show ip cef vrf vpn_A 192.168.199.0 det

192.168.199.0/24, epoch 18
recursive via xx.xx.xx.4 label 2981
nexthop xx.xx.xx.45 GigabitEthernet4/24 label 18857

The neighbor P to the first problematic router is a CRS-1

Cisco Employee

Re: Mpls vpn routing problem!

Hi,

There is nothing problematic here, afaik.

Both routers use the same label - 2981 - the VPN label and this is fine.

As I wrote, you might have more than one path to the destination, which then is indicated by "Recursive load sharing using xx.xx.xx.4/32". show ip cef xx.xx.xx.4/32 should give you the LDP labels used for reaching the outgoing PE, where 192.168.199.0/24 is found.

You can also check the label stack in use by "traceroute vrf VPN_A 192.168.199.y" where y is a reachable host IP.

The first hop should show you the labels your PE is using to reach the destination.

So no worries, everything is fine - assuming you have reachability.

Please rate all posts.

Regards, Martin

Community Member

Re: Mpls vpn routing problem!

The target vrf has a public ip which is routable in the network from a redistributed static route. From the problematic router this ip does not have a tag:

router1#show mpls forwarding-table vrf vpn_A xx.xx.xx.242

Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
None   Recursive   xx.xx.xx.240/30   0

and the working router:

router2#show mpls forwarding-table vrf vpn_A xx.xx.xx.242

Local  Outgoing     Prefix               Bytes Label  Outgoing   Next Hop
Label  Label or VC  or Tunnel Id         Switched     interface
None   593          xx.xx.xx.240/30[V]   \
                                         0            Gi4/24     xx.xx.xx.45

Traceroute fails from the beginning.

Cisco Employee

Re: Mpls vpn routing problem!

Hi,

Traceroute fails? You mean traceroute from within the VRF to the public destination? Is there no connectivity at all? Or is only traceroute not working? If you have connectivity to the internet, but traceroute fails: That might just mean everything is fine :-)

Let me explain my "weird" statement.

Traceroute in a MPLS VPN environment is a little tricky.

To send a packet across the MPLS core from a VRF, two labels are needed, top label to send to the BGP next hop, bottom label is VPN label. A P router discarding this packet with labelstack, will create an ICMP "TTL expired in transit" packet. The question is, how to send it back to the originating host. As a P router does not have customer routes any direct delivery of the ICMP packet is impossible. Thus the ICMP packet is sent further on through the same LSP (label switched path) as the original discarded IP packet. This means, that the ICMP reply of a P router will travel to the remote CE, who does an IP lookup and sends it back. You can easily verify this with an access-list denying all ICMP packets in at the remote CE in a lab environment. This will discard the ICMP packets from the core and thus every core/P router will show up as "*" in your traceroute output.

In your case there might be a firewall preventing the "ICMP TTL expired" packets to get back to the originating PE.

Hope this helps! Please rate all posts.

Regards, Martin

Community Member

Re: Mpls vpn routing problem!

Traceroute fails within the vrf:

traceroute vrf vpn_A 192.168.199.11

Type escape sequence to abort.
Tracing the route to 192.168.199.11

1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *

I can trace within the same vrf. This address is from another vrf from which the routes are imported in the vpn_A routing table!

Cisco Employee

Re: Mpls vpn routing problem!

Hi,

Are all connected networks announced to the respective VRFs? Could be that either source or destination IPs are not routed. Is there any connectivity across the VRFs or is only traceroute affected? If no connectivity exists, check your VRF routing tables, if all required networks are inserted and if so, troubleshoot the intermediate MPLS network first.

Without further information regarding your configurations and topology it is very difficult to give a more specific answer.

Hope this helps! Please rate all posts.

Regards, Martin

Community Member

Re: Mpls vpn routing problem!

Problem is solved. I had overlapping ip addresses in a forgotten vrf and the BGP selected the old vrf as the best way. Thanx for all the responses, I had the chance to make troubleshooting a little more advanced. It is always nice to know that support is always available from the cisco society!

thanx
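
Added example, not part of the thread and not any participant's code: a Python audit for the root cause reported in the last post, overlapping prefixes reaching one VRF from two different VRFs through route-target import/export. The vpn_A and Vpn_B stanzas follow the config posted in the thread; vpn_OLD, its rd, and the per-VRF prefix assignments are hypothetical, since the forgotten VRF was never shown.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: vpn_A and Vpn_B follow the thread; vpn_OLD, its rd and
# the ORIGINATED prefix assignments are hypothetical.
CONFIG = """
ip vrf vpn_A
 rd 1234:260
 route-target export 1234:260
 route-target export 1234:950
 route-target import 1234:260
 route-target import 1234:95
ip vrf Vpn_B
 rd 1234:95
 route-target export 1234:95
 route-target import 1234:950
 route-target import 1234:95
ip vrf vpn_OLD
 rd 1234:999
 route-target export 1234:95
"""
ORIGINATED = {"vpn_A": ["192.168.1.0/24"], "Vpn_B": ["192.168.199.0/24"],
              "vpn_OLD": ["192.168.199.0/24"]}

def parse_vrfs(text):
    """Return {vrf: {"import": set, "export": set}} from 'ip vrf' blocks."""
    vrfs, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"ip vrf (\S+)", line):
            current = vrfs.setdefault(m.group(1), {"import": set(), "export": set()})
        elif current is not None and (m := re.match(r"\s+route-target (import|export) (\S+)", line)):
            current[m.group(1)].add(m.group(2))
    return vrfs

def overlapping_imports(vrfs, originated):
    """Find overlapping prefixes fed into one VRF by two different VRFs."""
    findings = []
    for name, rts in vrfs.items():
        # A VRF sees its own prefixes plus those of any VRF whose export RT it imports.
        feeds = [(src, ipaddress.ip_network(p))
                 for src, s in vrfs.items()
                 if src == name or s["export"] & rts["import"]
                 for p in originated.get(src, [])]
        for (s1, n1), (s2, n2) in combinations(feeds, 2):
            if s1 != s2 and n1.overlaps(n2):
                findings.append((name, s1, str(n1), s2, str(n2)))
    return findings

FINDINGS = overlapping_imports(parse_vrfs(CONFIG), ORIGINATED)
```

Each finding names the importing VRF and the two source VRFs whose prefixes collide, which is the place to look when BGP best-path selection picks a route from an unexpected VRF.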
