cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1318
Views
9
Helpful
7
Replies

Overlapping MPLS-VPN problems

Marcofbbr
Level 1
Level 1

HI,

I'm studyng for MPLS exam and I wanted to create a small lab to recreate a scenario with overlapping MPLS-VPN to make some practice.

I created the following physical topology:

ACentral-\ $$$$$$$ /---BCentral

SiteB2---Pe1--P--Pe2--SiteA2

SiteA1---/ $$$$$$$ \---SiteB1

The traffic flow should be the following:

SiteA1---\ $$$$$$$ /----SiteB1

$$ | $$ACentral--BCentral$$ | $$

SiteA2---/ $$$$$$$ \----SiteB2

Notes:

-Each customer spoke site cannot communicate directly with the other customers sites.

-There are no restrictions for the intranet traffic.

To accomplish those requirements, I created these VRFs on Pe1 (configuration on Pe2 is specular):

ip vrf A

rd 1:1

route-target export 1:1

route-target import 1:1

!

ip vrf AC !ip vrf BC (on Pe2)

rd 1:123 ! rd 2:123 (on Pe2)

route-target export 1:1 ! 2:2 on Pe2

route-target export 3:100 ! same on Pe2

route-target import 1:1 ! 2:2 on Pe2

route-target import 3:100 ! same on Pe2

!

ip vrf B

rd 2:2

route-target export 2:2

route-target import 2:2

I expected that both PEs were able to reach every network of the other customer but probably something is missing.

The problem is that BC's VRF on Pe2, exports routes learned from VRF B, using RT 2:2 only, without RT 3:100 and obviously VRF AC(on Pe1) does not import these routes and it doesn't have a reachability to B1 site.

The same thing happens on Pe1, where VRF BC does not have routes for A1 site.

Attached you can find the configuration of all P-Pe-Ce and some verification command

Hope to receive your comments.

Thanks in advance.

Marco.

PS

IOS on all routers: c2600-telco-mz.123-26

1 Accepted Solution

Accepted Solutions

Marco,

One precision. What I meant is reconfigure VRF AC on PE1 and VRF BC on PE2 for both to import RT 1:1 and 2:2.

Regards

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

View solution in original post

7 Replies 7

Harold Ritter
Cisco Employee
Cisco Employee

Marco,

This is normal behavior.

Let me explain the import/export process. Routes are first exported from a specific VRF to BGP VPNv4 and are tagged with the configured export route target(s) (RT). They can then be imported by other VRF configured to import the same RT and advertised to VPNv4 peers. Once the routes have been imported by the other VRF context, they won't be exported back to the BGP VPNv4 context.

So in your scenario, the routes you are seeing from PE2 with a RT of 2:2 have been exported from VRF B, not VRF BC.

You could reconfigure VRF AC to import RT 1:1 and 2:2 on both PE1 and PE2 to achieve the requirement.

Regards

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Marco,

One precision. What I meant is reconfigure VRF AC on PE1 and VRF BC on PE2 for both to import RT 1:1 and 2:2.

Regards

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

mmm...I thought the problem was solved but, importing RT 1:1 or 2:2 on cental site is not a solution. Teorically the requirements are not achieved in this way since traffic must go through both central site. Take a look to attached picture.

Probably there is a mistake in the slides of the course.

Unfortunately there aren't other configuration details other than the vrf configuration in the example.

Marco,

The diagrams make it clearer. The data flow diagram seems to indicate that:

VPN_A_Central has access to its own routes between PE1 and PE2. It has extranet access to all routes from VPN_A. It shouldn't have any access to VPN_B routes.

VPN_B_Central has access to its own routes between PE1 and PE2. It also has extranet access to all routes from VPN_B. It shouldn't have any access to VPN_A routes.

VPN_A and VPN_B should have their own routes and routes from VPN_A_Central and VPN_B_Central respectively.

This is accomplish with the example configuration:

PE1:

ip vrf VPN_A

rd 123:750

route-target both 123:750

!

ip vrf VPN_B

rd 123:760

route-target both 123:760

!

ip vrf VPN_Central_A

rd 123:751

route-target both 123:750

route-target both 123:1001

PE2:

ip vrf VPN_A

rd 123:750

route-target both 123:750

!

ip vrf VPN_B

rd 123:760

route-target both 123:760

!

ip vrf VPN_Central_B

rd 123:761

route-target both 123:760

route-target both 123:1001

!

Regards

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

----

They can then be imported by other VRF configured to import the same RT and advertised to VPNv4 peers [...] they won't be exported back to the BGP VPNv4 context.

---

Thanks for your reply

I'm not sure I undestood completely what you said about the import/export process.

These are the operation:

1 - route X is received in VRF B via IGP

2 - route X is redistributed in BGPipv4(VRF B)

3 - route X in BGPipv4(VRF-B) table is tagged with RT 2:2 and exported as BGP-VPNv4 update to the other VRFs if any and to other MPBGP peers.

4 - VRF-BC is configured to import BGP-VPNv4 routes with RT 2:2, thus, routeX is imported in VRF-BC, and even if VRF-BC is configured to export with RD 3:100 and 2:2 , routeX won't be sent back to other BGP-VPNv4 neighbor or local VRF (as you said). It reminds me about split horizon

Is this flow correct...more or less?

Thanks

Regards

Marco,

You description is mostly correct except for item 4. Routes received with route-target 2:2 will be imported by all local VRFs configured with import RT 2:2.

An yes, it is similar to split horizon in the sense that if it has been imported, it can't be exported back.

Regards

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

macro

As per me hritter is saying right.

regards

shivlu jain

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: