01-17-2012 01:19 PM
TOPOLOGY:
I have a dual Hub and Spoke MPLS topology, with a Point-to-point link between the hubs.
Traffic between spokes must traverse one of the hubs in order to reach the destination spoke.
Spoke-to-spoke traffic works as designed.
:
QUESTION:
I want the spokes to utilize their primary hub (secondary hub in failure mode) when the destination is another spoke. BUT, when the destination is a hub LAN, I need the spoke (MPLS cloud) to route directly to the hub’s LAN bypassing the primary/secondary spoke-to-spoke rules.
:
TROUBLESHOOTING:
I tried several different approaches to adjust this flow but cannot seem to figure out the exact recipe to make it work correctly.
I was tinkering around with the expanded extcommunity-list with as-path filtering among other items.
Suggestions would be most appreciated. Looking for a direction!
:
:
Here are the trace routes for the 3 different destinations (from spoke WAN3):
:
1. Flow to primary hub’s LAN, timestamps removed for clarity
WAN3#trace 172.16.2.1
1 172.17.30.2 ------------------- [PE3]
2 172.17.26.2 [AS 65535]----- [PE2]
3 172.17.26.1 [AS 65535]----- [WAN2, primary hub]]
4 172.16.20.253 [AS 20]------- [destination net]
:
:
2. Spoke-to-spoke flow, timestamps removed for clarity
WAN3#trace 172.16.4.1
1 172.17.30.2 ------------------ [PE3]
2 172.17.26.2 [AS 65535] ---- [PE2]
3 172.17.26.1 [AS 65535] ---- [WAN2, primary hub]
4 172.17.20.2 [AS 20] -------- [PE2]
5 172.17.40.2 [AS 65535] ---- [PE3]
6 172.17.40.1 [AS 65535] ---- [WAN4]
:
:
3. Spoke to secondary hub’s LAN, timestamps removed for clarity
WAN3#trace 172.16.1.1
1 172.17.30.2 ----------------- [PE3]
2 172.17.26.2 [AS 65535] -- [PE2]------------------------- Want this to go to PE1
3 172.17.26.1 [AS 65535] -- [WAN2, primary hub]
4 172.18.250.1 [AS 20] ----- [Backup link]
5 172.16.10.253 [AS 10] ---- [Secondary hub LAN]
:
:
:
Configuration for PE3:
vrf definition REG3
description WAN3 to WAN1 & WAN2 [Hub & Spoke]
rd 30:1020
!
address-family ipv4
import map WAN2
route-target export 30:30
route-target import 10:10
route-target import 20:20
exit-address-family
!
address-family ipv6
import map WAN2V6
route-target export 30:30
route-target import 20:20
route-target import 10:10
exit-address-family
!
---snip---
!
router bgp 65535 bgp
router-id 10.0.0.3
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 10.0.0.1 remote-as 65535
neighbor 10.0.0.1 update-source Loopback0
neighbor 10.0.0.2 remote-as 65535
neighbor 10.0.0.2 update-source Loopback0
!
address-family ipv4
exit-address-family
!
address-family vpnv4
neighbor 10.0.0.1 activate
neighbor 10.0.0.1 send-community extended
neighbor 10.0.0.2 activate
neighbor 10.0.0.2 send-community extended
exit-address-family
!
address-family vpnv6
neighbor 10.0.0.1 activate
neighbor 10.0.0.1 send-community extended
neighbor 10.0.0.2 activate
neighbor 10.0.0.2 send-community extended
exit-address-family
!
address-family ipv4 vrf REG3
redistribute connected
neighbor 172.17.30.1 remote-as 30
neighbor 172.17.30.1 description WAN3 [Hub & Spoke]
neighbor 172.17.30.1 activate
neighbor 172.17.30.1 route-map WAN3 in
exit-address-family
!
address-family ipv6 vrf REG3
redistribute connected
neighbor 172:17:30::1 remote-as 30
neighbor 172:17:30::1 description WAN3 [Hub & Spoke]
neighbor 172:17:30::1 activate
neighbor 172:17:30::1 route-map WAN3V6 in
exit-address-family
!
address-family ipv4 vrf REG4
redistribute connected
neighbor 172.17.40.1 remote-as 40
neighbor 172.17.40.1 description WAN4 [Hub & Spoke]
neighbor 172.17.40.1 activate
neighbor 172.17.40.1 route-map WAN4 in
exit-address-family
!
address-family ipv6 vrf REG4
redistribute connected
neighbor 172:17:40::1 remote-as 40
neighbor 172:17:40::1 description WAN4 [Hub & Spoke]
neighbor 172:17:40::1 activate
neighbor 172:17:40::1 route-map WAN4V6 in
exit-address-family
!
ip extcommunity-list standard WAN1 permit rt 10:10
ip extcommunity-list standard WAN1V6 permit rt 10:10
ip extcommunity-list standard WAN2 permit rt 20:20
ip extcommunity-list standard WAN2V6 permit rt 20:20
!
ip access-list standard WAN3
permit 172.16.30.2
permit 172.16.30.3
permit 172.16.3.0
remark Perfer Local prefixes over prefixes from Hubs
!
ip access-list standard WAN4
permit 172.16.40.2
permit 172.16.4.0
remark Perfer Local prefixes over prefixes from Hubs
!
route-map WAN1V6 permit 10
description LP set higher for nets w/ RT 10:10 received from WAN1
match extcommunity WAN1V6
set local-preference 500
!
route-map WAN1V6 permit 20
description LP set lower for nets w/ RT 20:20 received from WAN2
match extcommunity WAN2V6
set local-preference 40
!
route-map WAN2V6 permit 10
description LP set higher for nets w/ RT 20:20 received from WAN1
match extcommunity WAN2V6
set local-preference 500
!
route-map WAN2V6 permit 20
description LP set lower for nets w/ RT 10:10 received from WAN2
match extcommunity WAN1V6
set local-preference 40
!
route-map WAN3V6 permit 10
description LP set higher on local nets to prevent flapping
match ipv6 address WAN3V6
set local-preference 700
!
route-map WAN4V6 permit 10
description LP set higher on local nets to prevent flapping
match ipv6 address WAN4V6
set local-preference 700
!
route-map WAN1 permit 10
description LP set higher for nets w/ RT 10:10 received from WAN1
match extcommunity WAN1
set local-preference 500
!
route-map WAN1 permit 20
description LP set lower for nets w/ RT 20:20 received from WAN2
match extcommunity WAN2
set local-preference 40
!
route-map WAN2 permit 10
description LP set higher for nets w/ RT 20:20 received from WAN2
match extcommunity WAN2
set local-preference 500
!
route-map WAN2 permit 20
description LP set lower for nets w/T 10:10 received from WAN1
match extcommunity WAN1
set local-preference 40
!
route-map WAN3 permit 10
description LP set higher on local nets to prevent flapping
match ip address WAN3
set local-preference 700
!
route-map WAN4 permit 10
description LP set higher on local nets to prevent flapping
match ip address WAN4
set local-preference 700
TOPOLOGY MAP showing prefix flows:
Solved! Go to Solution.
01-18-2012 11:08 AM
Hello,
I havent seen the Local-preference before on PE3. Apologize. Indeed, if there is a higher Local preference towards WAN-2 from PE3, then it will always be prefered regardless of the AS-Prepend done. I agree.
Now, lets see how you can change this for Network 172.16.1.0/24. taking your previous config as below:-
route-map WAN1 permit 10
description LP set higher for nets w/ RT 10:10 received from WAN1
match extcommunity WAN1
set local-preference 500
!
route-map WAN1 permit 20
description LP set lower for nets w/ RT 20:20 received from WAN2
match extcommunity WAN2
set local-preference 40
Proposed Change:
What I will do is to add another match statment that denies Net 172.16.1/24 with an RT of 20:20 from being set with local preference 500 , instead, it should set an LP of 20 for example, and allow all other Net to set an LP of 500 as follows:
ip prefix-list WAN1 seq 5 deny 172.16.1.0/24
ip prefix-list WAN1 seq 10 permit 0.0.0.0/0 le 32
ip prefix-list Set-LP-20 seq 5 permit 172.16.1.0/24
route-map WAN1 permit 10
description LP set higher for nets w/ RT 10:10 received from WAN1
match ip address prefix-list WAN1 ------------------------------------------------------ Add this MATCH statement
match extcommunity WAN1
set local-preference 500
route-map WAN1 permit 30 ---------------------------------------------------------------- Add this Sequence to the route-map
match ip address prefix-list Set-LP-20
Set Local-preference 20
Please let us know the result,
Regards,
Mohamed
01-17-2012 01:50 PM
Hello,
You need to do one thing, the Originator of the 172.16.1.0/24 is (AS 10) WAN-1.
On WAN-1, advertise this prefix with prepended AS of 10 towards WAN-2 router, this way, it will become less prefered by the MPLS cloud and the Spoke routers, So that when you trace back from the Spokes, it should traverse PE1 and WAN-1 directly instead of going to WAN-2.
You need to perform identical action for traffic destined to 172.16.2.0/24 from the Spoke, On WAN-2, prepend this Network twords WAN-1 , so that it will become less prefered.
Thanks,
Mohamed
01-18-2012 07:52 AM
Hi Mohamed,
Perhaps I should have provided a little more details (but didn’t want to overload the folks helping). Below (1st output) is PE3’s bgp table before pre-pending the 172.16.1/24 net as was suggested.
:
On PE3, BGP Well-known Discretionary attribute “Local preference” is used to select the route offered through PE2 (10.0.0.2)(LP=500). A shorter AS path for the 172.16.1/24 net is offered through PE1 (10.0.0.1) but has a lower local-preference (LP=40).
:
Below, (2nd output) the AS path (prepended on WAN1 egress) added to the nets which don’t make any change. Highest local preference is the attribute used in making all the decisions here.
:
I think the issue in my setup is the PE3 vrf definition, address-family ipv4 “IMPORT MAP” which sets all nets from RT 20:20 to LP of 500.
:
What (I think) is needed here is a way for the IMPORT MAP to look at something other than the route-target [20:20 verses 10:10]. BUT I could be wrong as I don’t have an answer yet either.
:
:
Before prepending
PE3#sh ip bgp vpnv4 vrf REG3
BGP table version is 122, local router ID is 10.0.0.3
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 30:1020 (default for vrf REG3)
*>i0.0.0.0 10.0.0.2 0 500 0 20 i
* i 10.0.0.1 0 40 0 10 i
*>i172.16.1.0/24 10.0.0.2 0 500 0 20 10 ?
* i 10.0.0.1 2 40 0 10 ?
*>i172.16.2.0/24 10.0.0.2 2 500 0 20 ?
* i 10.0.0.1 0 40 0 10 20 ?
* i172.16.3.0/24 10.0.0.2 0 500 0 20 65535 30 ?
* i 10.0.0.1 0 40 0 10 65535 30 ?
*> 172.17.30.1 0 700 0 30 ?
*>i172.16.4.0/24 10.0.0.2 0 500 0 20 65535 40 ?
* i 10.0.0.1 0 40 0 10 65535 40 ?
*>i172.16.10.0/24 10.0.0.2 0 500 0 20 10 i
* i 10.0.0.1 0 40 0 10 i
*>i172.16.10.1/32 10.0.0.2 0 500 0 20 10 ?
* i 10.0.0.1 2 40 0 10 ?
After prepending
PE3#sh ip bgp vpnv4 vrf REG3
BGP table version is 200, local router ID is 10.0.0.3
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 30:1020 (default for vrf REG3)
*>i0.0.0.0 10.0.0.2 0 500 0 20 i
*>i172.16.1.0/24 10.0.0.2 0 500 0 20 10 ?
* i 10.0.0.1 2 40 0 10 10 ?
*>i172.16.2.0/24 10.0.0.2 2 500 0 20 ?
* i172.16.3.0/24 10.0.0.2 0 500 0 20 65535 30 ?
*> 172.17.30.1 0 700 0 30 ?
*>i172.16.4.0/24 10.0.0.2 0 500 0 20 65535 40 ?
*>i172.16.10.0/24 10.0.0.2 0 500 0 20 10 i
* i 10.0.0.1 0 40 0 10 10 i
*>i172.16.10.1/32 10.0.0.2 0 500 0 20 10 ?
* i 10.0.0.1 2 40 0 10 10 ?
*>i172.16.10.2/32 10.0.0.2 0 500 0 20 10 ?
* i 10.0.0.1 0 40 0 10 10 ?
*>i172.16.10.3/32 10.0.0.2 0 500 0 20 10 ?
* i 10.0.0.1 0 40 0 10 10 ?
01-18-2012 11:08 AM
Hello,
I havent seen the Local-preference before on PE3. Apologize. Indeed, if there is a higher Local preference towards WAN-2 from PE3, then it will always be prefered regardless of the AS-Prepend done. I agree.
Now, lets see how you can change this for Network 172.16.1.0/24. taking your previous config as below:-
route-map WAN1 permit 10
description LP set higher for nets w/ RT 10:10 received from WAN1
match extcommunity WAN1
set local-preference 500
!
route-map WAN1 permit 20
description LP set lower for nets w/ RT 20:20 received from WAN2
match extcommunity WAN2
set local-preference 40
Proposed Change:
What I will do is to add another match statment that denies Net 172.16.1/24 with an RT of 20:20 from being set with local preference 500 , instead, it should set an LP of 20 for example, and allow all other Net to set an LP of 500 as follows:
ip prefix-list WAN1 seq 5 deny 172.16.1.0/24
ip prefix-list WAN1 seq 10 permit 0.0.0.0/0 le 32
ip prefix-list Set-LP-20 seq 5 permit 172.16.1.0/24
route-map WAN1 permit 10
description LP set higher for nets w/ RT 10:10 received from WAN1
match ip address prefix-list WAN1 ------------------------------------------------------ Add this MATCH statement
match extcommunity WAN1
set local-preference 500
route-map WAN1 permit 30 ---------------------------------------------------------------- Add this Sequence to the route-map
match ip address prefix-list Set-LP-20
Set Local-preference 20
Please let us know the result,
Regards,
Mohamed
01-19-2012 07:10 AM
Hey
It appears using a RT in an import map; you are restricted to non-granular parameters and I guess for good reason. I’m thinking service providers don’t usually want this granularity due to the number of different customers. In my limited experience, it appears using RTs in an import map is an all or nothing setup; the same policy applies to all prefixes that made it through the filter. Although I do see some docs speaking to “extended communities” (expanded) that allow more granularity but again it based on RTs with regular expressions.
In working with you, I think we figured out the alternative to import map with RT’s is to use import maps with route-maps. Route-maps allow for very granular parameters Eg. ACL, prefix-map, regular-exp filtering, permit and denies per prefix etc. In the vrf definition (ip vrf for those still only using IPv4) I still use the import map. In the import map, I removed the RT statements and replaced with route-maps and tied the route-maps to ACL’s. The ACL’s permit the exact prefixes for each hub site. The nice feature about this method is I can control spoke traffic flow totally from the hub by prepending each prefix as the need arises. The down-side to this method is the service provider has to know all networks behind each CE router.
One note, my setup is probably unique in that it’s a hub and spoke environment, (traffic between spokes MUST traverse a hub in each direction of the traffic flow) and two (CE) spokes connect to the same PE router (PE3) but in different VRFs.
Thanks again for taking your time to assist!!!
Hope to assist with support in the future.
As a comparison and reference,
I configured spoke-3 (WAN3) to use the new setup described above.
I left spoke-4 (WAN4) using import map with RT’s, see this setup in my original thread.
Here Spoke-3 (WAN3) is using Route-map, ACL (not RT)
Trace from Spoke-3 (WAN3) to Hub1 (WAN1) LAN
WAN3#trace 172.16.1.1
1 172.17.30.2 ------------------ PE3
2 172.17.16.2 [AS 65535]--- PE1
3 172.17.16.1 [AS 65535]--- HUB1 (WAN1)
4 172.16.10.253 [AS 10] ---- CORE1
Trace from Spoke-3 (WAN3) to Hub2 (WAN2) LAN
WAN3#trace 172.16.2.1
1 172.17.30.2 ---------------------PE3
2 172.17.26.2 [AS 65535] ----PE2
3 172.17.26.1 [AS 65535] ----HUB2 (WAN2)
4 172.16.20.253 [AS 20] -----CORE2
Trace from Spoke-3 (WAN3) to spoke-4 (WAN4)
WAN3#trace 172.16.4.1
1 172.17.30.2 -----------------------PE3
2 172.17.26.2 [AS 65535] ------PE2
3 172.17.26.1 [AS 65535] ------HUB2 (WAN2)
4 172.17.20.2 [AS 20] -----------PE2
5 172.17.40.2 [AS 65535] ------PE3
6 172.17.40.1 [AS 65535] ------Spoke-4 (WAN4)
The above flows can be manipulated from either hub.
The below flows are locked in and only change in failure.
Here Spoke-4 (WAN4) is using RTs on PE3
Trace from Spoke-4 (WAN4) to Hub1 (WAN1) LAN
WAN4#trace 172.16.1.1
1 172.17.40.2 ----------------------PE3
2 172.17.16.2 [AS 65535] --–--PE1
3 172.17.16.1 [AS 65535] -----HUB1 (WAN1)
4 172.16.10.253 [AS 10] ------CORE1
Trace from Spoke-4 (WAN4) to Hub2 (WAN2) LAN
WAN4#trace 172.16.2.1
1 172.17.40.2 ----------------------PE3
2 172.17.16.2 [AS 65535] -----PE1
3 172.17.16.1 [AS 65535] -----HUB1 (WAN1)
4 172.18.250.2 [AS 10] --------HUB2 (WAN2, using Backup link)
5 172.16.20.253 [AS 20] ------CORE2
Trace from Spoke-4 (WAN4) to Spoke-3 (WAN3) LAN
WAN4#trace 172.16.3.1
1 172.17.40.2 ---------------------PE3
2 172.17.16.2 [AS 65535] ----PE1
3 172.17.16.1 [AS 65535] ----HUB1 (WAN1)
4 172.17.10.2 [AS 10] ---------PE1
5 172.17.30.2 [AS 65535] ----PE3
6 172.17.30.1 [AS 65535] ----Spoke-3 (WAN3)
Here the backup link between hubs is down and spoke-4 (WAN4) experiences additional hops. And don’t forget the “P” routers that are not shown in any of the traces, these “P” routers are transparent but are still in the path. If the “P” routers were shown, the number of hops would be a minimum of 10.
The downed backup link has no effect on Spoke-3 (WAN3)
WAN4#trace 172.16.2.1
1 172.17.40.2 --------------------PE3
2 172.17.16.2 [AS 65535] ---PE1
3 172.17.16.1 [AS 65535] ---HUB1 (WAN1)
4 172.17.10.2 [AS 10] --------PE1
5 172.17.26.2 [AS 65535] ---PE2
6 172.17.26.1 [AS 65535] ---HUB2 (WAN2)
7 172.16.20.253 [AS 20] ----CORE2
01-19-2012 10:38 AM
Test reply www.cisco.com
Sent from Cisco Technical Support iPad App
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide