cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
515
Views
0
Helpful
2
Replies
Highlighted

ASR920 - IPv6 forwarding not working for 'leaked' routes between vrfs

Dear all,

I'm running IOS-XE 03.16.01a.S in an ASR920. I'd be grateful if somebody could help me with a pretty strange behaviour I have in an ASR920.

 

I have two vrfs, VRFA and VRFB. 

  • VRFA has the following route table:

B XXXX:YYYY::/64 [200/50]
via XXXX:YYYY:0:3::2
C XXXX:YYYY:0:3::/64 [0/0]
via BDI1023, directly connected
L XXXX:YYYY:0:3::3/128 [0/0]
via BDI1023, receive
B XXXX:YYYY:0:9::/64 [20/0]
via BDI1010%VRFB, directly connected
L FF00::/8 [0/0]
via Null0, receive

 

  • VRFB has the following route table:

B XXXX:YYYY::/64 [200/50]
via XXXX:YYYY:0:3::2%VRFA
B XXXX:YYYY:0:3::/64 [20/0]
via BDI1023%VRFA, directly connected
C XXXX:YYYY:0:9::/64 [0/0]
via BDI1010, directly connected
L XXXX:YYYY:0:9::1/128 [0/0]
via BDI1010, receive
L FF00::/8 [0/0]
via Null0, receive

 

I want to reach network XXXX:YYYY::/64 from XXXX:YYYY:0:9::1 in VRFB. As you can see, VRFB also has visibility of the next-hop in VRFA: 'B XXXX:YYYY:0:3::/64 [20/0] via BDI1023%VRFA, directly connected'.

I can ping XXXX:YYYY:0:3::3 in VRFA from XXXX:YYYY:0:9::1 in VRFB. However, it's impossible to reach XXXX:YYYY:0:3::2 in VRFA from XXXX:YYYY:0:9::1 in VRFB and XXXX:YYYY:0:3::2 is reachable from any IPv6 address in VRFA.

If I recreate the same configuration in an ASR1K, it works fine.

My impression is that I'm facing some sort of bug, but I've been unable to find it using the Cisco Bug Search Tool.

Do you have any experience with this sort of IPv6 configs in ASR920?

Thanks in advance

Kind regards

Octavio

2 REPLIES 2
Highlighted
Beginner

Re: ASR920 - IPv6 forwarding not working for 'leaked' routes between vrfs

Hi, Which IOS XE Version are you using? The ping used the source address? Could you share the config in boths routers.

Highlighted

Re: ASR920 - IPv6 forwarding not working for 'leaked' routes between vrfs

Thank you for your help.

I try to answer your questions...

Thanks in advance

Octavio

 

1. Release

Cisco IOS XE Software, Version 03.16.01a.S - Extended Support Release
Cisco IOS Software, ASR920 Software (PPC_LINUX_IOSD-UNIVERSALK9_NPE-M), Version 15.5(3)S1a, RELEASE SOFTWARE (fc1)

2. Ping samples with source IP

ping vrf VRFA XXXX:YYYY::4 source XXXX:YYYY:0:10::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to XXXX:YYYY::4, timeout is 2 seconds:
Packet sent with a source address of XXXX:YYYY:0:10::1%VRFA
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

 

ping vrf VRFB XXXX:YYYY::4 source XXXX:YYYY:0:9::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to XXXX:YYYY::4, timeout is 2 seconds:
Packet sent with a source address of XXXX:YYYY:0:9::1%VRFB
.....
Success rate is 0 percent (0/5)

 

3. Config. I introduce the most significant parts...

3.1 Router A (ASR920)


vrf definition VRFB
rd 2:2
!
address-family ipv4
...
exit-address-family
!
address-family ipv6
import map RM-IMPORTv6-DG-DDIs
route-target export 103:103
route-target import 103:103
exit-address-family
!
vrf definition VRFA
rd 1:1
!
address-family ipv4
exit-address-family
!
address-family ipv6
route-target export 103:103
route-target import 103:103
exit-address-family
!
...

interface Port-channel2
description LAN side
mtu 9170
no ip address
negotiation auto
service instance trunk 10 ethernet
encapsulation dot1q 1010,1020,1030,1040,1050,1060,1064-1065,2001-2002,2004
rewrite ingress tag pop 1 symmetric
bridge-domain from-encapsulation
!
!
interface Port-channel3
description WAN side
mtu 9170
no ip address
load-interval 30
service instance trunk 10 ethernet
encapsulation dot1q 1012,1022-1023,1032-1033,1045,1052,1111-1113,1220,2002-2004
rewrite ingress tag pop 1 symmetric
bridge-domain from-encapsulation
!
...
!

interface GigabitEthernet0/0/6
mtu 9170
no ip address
media-type auto-select
negotiation auto
channel-group 2 mode active
!
...
interface TenGigabitEthernet0/0/12
mtu 9170
no ip address
flowcontrol receive off
channel-group 3 mode active
!
interface TenGigabitEthernet0/0/13
mtu 9170
no ip address
flowcontrol receive off
channel-group 3 mode active
!
...
interface BDI1010
vrf forwarding VRFB
ip address 100.65.0.1 255.255.224.0
ip helper-address 172.30.41.4
ip helper-address 172.30.41.5
ipv6 address XXXX:YYYY:0:9::1/64
ipv6 nd managed-config-flag
ipv6 dhcp relay destination XXXX:YYYY::4
ipv6 dhcp relay destination XXXX:YYYY::5
!
...
interface BDI1023
vrf forwarding VRFA
ip address 172.30.16.11 255.255.255.0
ipv6 address XXXX:YYYY:0:3::3/64
!
...
interface BDI1060
vrf forwarding VRFA
ip address 10.18.64.1 255.255.224.0
ipv6 address XXXX:YYYY:0:10::1/64
ipv6 nd managed-config-flag
ipv6 dhcp relay destination XXXX:YYYY::4
ipv6 dhcp relay destination XXXX:YYYY::5
!
...
router bgp 65501
bgp router-id 172.30.10.13
bgp log-neighbor-changes
bgp graceful-restart restart-time 120
bgp graceful-restart stalepath-time 360
bgp graceful-restart
no bgp default ipv4-unicast
!
...
address-family ipv6 vrf VRFB
redistribute static
network XXXX:YYYY:0:9::/64
exit-address-family
!
...
address-family ipv6 vrf VRFA
redistribute static
network XXXX:YYYY:0:3::/64
network XXXX:YYYY:0:8::/64
network XXXX:YYYY:0:10::/64
network XXXX:YYYY:0:11::/64
...
neighbor XXXX:YYYY:0:3::2 remote-as 65501
neighbor XXXX:YYYY:0:3::2 fall-over
neighbor XXXX:YYYY:0:3::2 activate
neighbor XXXX:YYYY:0:3::2 soft-reconfiguration inbound
neighbor XXXX:YYYY:0:3::2 route-map RM-IPv6-Connected out
...
exit-address-family
!
...
!
ipv6 prefix-list IMPORTv6-DG-DDIs seq 10 permit ::/0
ipv6 prefix-list IMPORTv6-DG-DDIs seq 20 permit XXXX:YYYY::/64
ipv6 prefix-list IMPORTv6-DG-DDIs seq 30 permit XXXX:YYYY:0:3::/64
ipv6 prefix-list IMPORTv6-DG-DDIs seq 40 permit XXXX:YYYY:0:8::/64
!
ipv6 prefix-list IPv6-Connected seq 10 permit XXXX:YYYY:0:9::/64
ipv6 prefix-list IPv6-Connected seq 20 permit XXXX:YYYY:0:10::/64
ipv6 prefix-list IPv6-Connected seq 30 permit XXXX:YYYY:0:11::/64
route-map DENY_ALL deny 10
!
...
!
route-map RM-IPv6-Connected permit 10
match ipv6 address prefix-list IPv6-Connected
!
...
route-map RM-IMPORTv6-DG-DDIs permit 10
match ipv6 address prefix-list IMPORTv6-DG-DDIs
!

 

3.2 Router B (ASR1001-X) It has the right routing table in its VRFC and every IP in VRFA of router A is reachable...

B XXXX:YYYY::/64 [20/0]
via Port-channel55.1101%VRFD, directly connected
C XXXX:YYYY:0:3::/64 [0/0]
via Port-channel55.1023, directly connected
L XXXX:YYYY:0:3::2/128 [0/0]
via Port-channel55.1023, receive
B XXXX:YYYY:0:9::/64 [200/0]
via XXXX:YYYY:0:3::3
B XXXX:YYYY:0:10::/64 [200/0]
via XXXX:YYYY:0:3::3
L FF00::/8 [0/0]
via Null0, receive

 

* From VRFC in Router B to VRFA in router A - successful
ping vrf VRFC XXXX:YYYY:0:10::1 source XXXX:YYYY:0:3::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to XXXX:YYYY:0:10::1, timeout is 2 seconds:
Packet sent with a source address of XXXX:YYYY:0:3::2%VRFC
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

 

* From VRFC in Router B to VRFB in router A - unsuccessful

ping vrf VRFC XXXX:YYYY:0:9::1 source XXXX:YYYY:0:3::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to XXXX:YYYY:0:9::1, timeout is 2 seconds:
Packet sent with a source address of XXXX:YYYY:0:3::2%VRFC
.....
Success rate is 0 percent (0/5)

 

CreatePlease to create content
Content for Community-Ad

Cisco COVID-19 Survey

This widget could not be displayed.