IOS-XRv 9000 - VPN Label Doesn't Get Imposed for Transit Traffic

Alexey L.
Level 1

Hi,


I might be missing something, but for some reason IOS XRv 9000 (7.2.2) doesn't seem to impose the inner (VPN) label on transit traffic only. For traffic that originates from the IOS XRv 9000 itself, it seems to be working as expected.


Simplified lab topology (Note: All the AS numbers and IPs are fake)


AS100 [Transit (CSR1000v)] <---> AS9116 [Edge (XRv 9000) --- Core (CSR1000v) --- GW (CSR 1000v) --- Attack Mitigation Appliance]


  1. MPLS/LDP/ISIS/BGP enabled lab network AS9116
  2. RR IPv4 Unicast
  3. RR VPNv4 with Edge and GW only (VRF Dirty)


Off-ramp scenario


  1. Loopback 25.25.25.25/32 is advertised via iBGP with next-hop 150.1.1.110 towards Edge only
  2. 150.1.1.110 is reachable via a static route with next-hop IP in VRF Dirty
  3. The NH in VRF Dirty is reachable using a VPN label advertised from the GW


Working: Traffic from the Edge itself ends up in VRF Dirty --> both labels are getting imposed (MPLS: Labels 16/26)

RP/0/RP0/CPU0:EDGE-1#show running-config router static 
Tue Jun 15 10:00:41.550 UTC
router static
 address-family ipv4 unicast
  150.1.1.110/32 vrf DIRTY 212.199.110.1
  212.199.96.0/20 Null0 tag 9116
 !
 vrf MGMT
  address-family ipv4 unicast
   0.0.0.0/0 192.168.150.100
  !
 !
 vrf DIRTY
 !
!
RP/0/RP0/CPU0:EDGE-1#


RP/0/RP0/CPU0:EDGE-1#show route | i 25.25.25.25
Tue Jun 15 10:00:45.161 UTC
B 25.25.25.25/32 [200/0] via 150.1.1.110, 00:20:05
RP/0/RP0/CPU0:EDGE-1#


RP/0/RP0/CPU0:EDGE-1#show cef 25.25.25.25/32 hardware egress
Tue Jun 15 10:00:52.927 UTC
25.25.25.25/32, version 111, internal 0x5000001 0x40 (ptr 0xd40d4b0) [1], 0x0 (0xe206888), 0x0 (0x0)
 Updated Jun 15 09:40:39.972
 Prefix Len 32, traffic index 0, precedence n/a, priority 4
   via 150.1.1.110/32, 2 dependencies, recursive [flags 0x6000]
    path-idx 0 NHID 0x0 [0xd40d588 0x0]
    next hop 150.1.1.110/32 via 150.1.1.110/32
RP/0/RP0/CPU0:EDGE-1#


RP/0/RP0/CPU0:EDGE-1#show cef 150.1.1.110/32 hardware egress
Tue Jun 15 10:00:57.928 UTC
150.1.1.110/32, version 86, internal 0x1000001 0x30 (ptr 0xd40d588) [2], 0x0 (0xe2067b0), 0xa00 (0xecd7648)
 Updated Jun 15 09:42:43.523
 Prefix Len 32, traffic index 0, precedence n/a, priority 3
   via 212.199.110.1/32, 4 dependencies, recursive [flags 0x0]
    path-idx 0 NHID 0x0 [0xd40d3d8 0x0]
    next hop VRF - 'DIRTY', table - 0xe0000002
    next hop 212.199.110.1/32 via 212.199.110.0/30
    local label 24011
    next hop 212.199.101.2/32 Gi0/0/0/1.101 labels imposed {16 26 None}
RP/0/RP0/CPU0:EDGE-1#

RP/0/RP0/CPU0:EDGE-1#traceroute 25.25.25.25
Tue Jun 15 10:02:09.189 UTC

Type escape sequence to abort.
Tracing the route to 25.25.25.25

1 212.199.101.2 [MPLS: Labels 16/26 Exp 0] 14 msec 2 msec 7 msec
2 212.199.110.1 3 msec 8 msec 2 msec
3 212.199.111.1 9 msec 2 msec 10 msec
4 212.199.111.1 2 msec 11 msec 2 msec
5 212.199.104.1 [MPLS: Label 17 Exp 0] 11 msec 2 msec 10 msec
6 212.199.103.2 2 msec 15 msec 2 msec
7 31.10.10.2 7 msec * 17 msec
RP/0/RP0/CPU0:EDGE-1#

Packet capture from the upstream router (Core) --> two labels

Frame 25: 126 bytes on wire (1008 bits), 126 bytes captured (1008 bits)
Ethernet II, Src: VMware_29:cc:f4 (00:0c:29:29:cc:f4), Dst: VMware_5e:f1:ba (00:0c:29:5e:f1:ba)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 101
MultiProtocol Label Switching Header, Label: 16, Exp: 0, S: 0, TTL: 255
MultiProtocol Label Switching Header, Label: 26, Exp: 0, S: 1, TTL: 255
Internet Protocol Version 4, Src: 212.199.101.1, Dst: 25.25.25.25
Internet Control Message Protocol

Not Working: Traffic from the Transit (AS100) eventually ends up in VRF Global --> only transport label imposed at the Edge (MPLS: Label 16)

TRANSIT-1#show ip cef 25.25.25.25
25.25.25.0/24
nexthop 21.10.10.2 GigabitEthernet2
TRANSIT-1#

TRANSIT-1#traceroute 25.25.25.25
Type escape sequence to abort.
Tracing the route to 25.25.25.25
VRF info: (vrf in name/id, vrf out name/id)
1 21.10.10.2 3 msec 2 msec 2 msec
2 212.199.101.2 [AS 9116] [MPLS: Label 16 Exp 0] 2 msec 1 msec 1 msec
3 212.199.104.2 [AS 9116] 2 msec 1 msec 2 msec
4 212.199.104.1 [AS 9116] [MPLS: Label 17 Exp 0] 2 msec 2 msec 2 msec
5 212.199.103.2 [AS 9116] 1 msec 2 msec 2 msec
6 31.10.10.2 2 msec * 3 msec
TRANSIT-1#

Packet capture from the upstream router (Core) --> one label

Frame 65: 122 bytes on wire (976 bits), 122 bytes captured (976 bits)
Ethernet II, Src: VMware_29:cc:f4 (00:0c:29:29:cc:f4), Dst: VMware_5e:f1:ba (00:0c:29:5e:f1:ba)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 101
MultiProtocol Label Switching Header, Label: 16, Exp: 0, S: 1, TTL: 254
Internet Protocol Version 4, Src: 21.10.10.1, Dst: 25.25.25.25
Internet Control Message Protocol

Any ideas as to why the inner label won't get imposed for transit traffic?


Thanks in advance!


Regards,

Alexey

1 Reply

Alexey L.
Level 1

If anyone is interested: confirmed the issue is related to the number of recursive lookups (5 vs. 4).

• Doesn’t work for transit traffic: BGP NH -> STATIC -> VRF NH -> VPNV4 NH -> IGP NH
• Works for transit traffic: STATIC -> VRF NH -> VPNV4 NH -> IGP NH
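The practical consequence of the thread above is worth spelling out: in an off-ramp design the VPN label is what steers traffic into VRF Dirty and through the mitigation appliance, so when it is missing, transit (i.e. attack) traffic reaches 25.25.25.25 without ever passing the GW's dirty-side hops (compare the two traceroutes: the transit one goes 212.199.104.x straight to 31.10.10.2 and never touches 212.199.110.1 or 212.199.111.1). The following Python is an added example, not code from the original post or from Cisco. It models the Edge's recursive resolution chain as a small FIB built from the prefixes, next hops and labels the post shows, counts the recursion depth the reply identifies as the trigger (the limit of 4 is the author's observation, assumed here, not a documented platform constant), and checks captured label stacks for the VPN label. The GW loopback address 10.0.0.3 is an assumption; the post never shows the VPNv4 next hop itself. The two capture summaries are constructed from the post's Wireshark frames.

```python
"""Model the Edge's recursive FIB resolution and check captures for the VPN label."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Recursion depth the reply reports as working (4) vs. failing (5).
# Assumed limit for this model, not a documented XR platform constant.
MAX_RECURSION = 4
VPN_LABEL = 26  # VPN label advertised by the GW for VRF DIRTY (from `show cef`)


@dataclass
class Path:
    """One FIB path: either a recursive next hop or a terminating adjacency."""
    nexthop: Optional[str] = None      # next-hop IP still to be resolved
    nh_table: str = "global"           # table the next hop is resolved in
    labels: list = field(default_factory=list)  # labels imposed at this step
    interface: Optional[str] = None    # set when resolution terminates


# Constructed FIB modeled on the post. 10.0.0.3 (GW loopback) is an assumption.
FIB = {
    "global": {
        "25.25.25.25/32": Path(nexthop="150.1.1.110"),                      # iBGP route
        "150.1.1.110/32": Path(nexthop="212.199.110.1", nh_table="DIRTY"),  # static into VRF
        "10.0.0.3/32": Path(nexthop="212.199.101.2", labels=[16]),          # IGP + LDP label
        "212.199.101.0/30": Path(interface="Gi0/0/0/1.101"),                # connected to Core
    },
    "DIRTY": {
        "212.199.110.0/30": Path(nexthop="10.0.0.3", labels=[VPN_LABEL]),   # VPNv4 from GW
    },
}


def lookup(table: str, ip: str):
    """Longest-prefix match of ip in table; raises KeyError when nothing matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, path in FIB[table].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path)
    if best is None:
        raise KeyError(f"no route to {ip} in table {table}")
    return best[1]


def resolve(dst: str, table: str = "global"):
    """Walk the recursive chain for dst.

    Returns (labels in wire order outer->inner, number of lookups, egress interface).
    """
    labels: list = []
    depth = 0
    cur_table, cur_ip = table, dst
    while depth < 16:  # guard against a looping FIB
        depth += 1
        path = lookup(cur_table, cur_ip)
        labels = path.labels + labels  # labels found later in the walk sit outside
        if path.interface is not None:
            return labels, depth, path.interface
        cur_table, cur_ip = path.nh_table, path.nexthop
    raise RuntimeError("recursion did not terminate")


def exceeds_limit(dst: str, table: str = "global", limit: int = MAX_RECURSION) -> bool:
    """True when resolving dst needs more lookups than the observed working depth."""
    return resolve(dst, table)[1] > limit


# Constructed from the two Wireshark frames in the post (MPLS and IP lines only).
CAPTURES = {
    "edge-originated": (
        "MultiProtocol Label Switching Header, Label: 16, Exp: 0, S: 0, TTL: 255\n"
        "MultiProtocol Label Switching Header, Label: 26, Exp: 0, S: 1, TTL: 255\n"
        "Internet Protocol Version 4, Src: 212.199.101.1, Dst: 25.25.25.25"
    ),
    "transit": (
        "MultiProtocol Label Switching Header, Label: 16, Exp: 0, S: 1, TTL: 254\n"
        "Internet Protocol Version 4, Src: 21.10.10.1, Dst: 25.25.25.25"
    ),
}
_LABEL_RE = re.compile(r"Label: (\d+), Exp: \d+, S: ([01])")


def label_stack(summary: str) -> list:
    """Labels in wire order, stopping at the bottom-of-stack (S=1) header."""
    stack = []
    for m in _LABEL_RE.finditer(summary):
        stack.append(int(m.group(1)))
        if m.group(2) == "1":
            break
    return stack


def offramp_bypassed(summary: str, vpn_label: int = VPN_LABEL) -> bool:
    """True when the captured packet carries no VPN label, i.e. it skipped VRF DIRTY."""
    return vpn_label not in label_stack(summary)


if __name__ == "__main__":
    for dst in ("25.25.25.25", "150.1.1.110"):
        labels, depth, intf = resolve(dst)
        flag = "EXCEEDS LIMIT" if exceeds_limit(dst) else "ok"
        print(f"{dst}: labels {labels} via {intf}, {depth} lookups [{flag}]")
    for name, summary in CAPTURES.items():
        print(f"{name}: stack {label_stack(summary)} bypassed={offramp_bypassed(summary)}")
```

Running it reports 5 lookups for 25.25.25.25 (the BGP NH -> STATIC -> VRF NH -> VPNv4 NH -> IGP NH chain from the reply) against 4 for 150.1.1.110, and flags the transit capture as bypassing the off-ramp because its stack is {16} only. The same `label_stack`/`offramp_bypassed` check is the kind of assertion worth keeping in a lab regression suite for any scrubbing design, since the symptom here is silent: traffic still reaches the destination, just unscrubbed.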