Solved: Re: MPLS VPN/MP-BGP

net guru · ‎03-02-2020

Hello Experts,

Am having a course project " Migrating a traditional Network to SD-WAN network " . the Network that will be migrated is MPLS/VPN connecting 2 Customers with their corresponding branchs , so since I have CCNA R&S I thought I could manage to at least know what's going on. I started to learn about VRFs and MPLS more along with MP-BGP. but since these technologies were just lightly mentionned in CCNA, I couldn't really troubleshoot what happend.

the problem that I had is that both VRFs routing tables detect the branchs network and HQs ( on both PEs ) and still the ping on the loopbacks doesn't work.
please find below the config on both PEs and the topology.

thank you so much for your help !

PE-LER:

ip vrf Customer1
rd 1:1
route-target export 1:1
route-target import 1:1
!
ip vrf Customer2
rd 2:2
route-target export 2:2
route-target import 2:2
!

interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
ip vrf forwarding Customer1
ip address 192.168.1.2 255.255.255.0
duplex half
!
interface FastEthernet1/0
ip vrf forwarding Customer2
ip address 192.168.2.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 11.11.11.1 255.255.255.252
duplex auto
speed auto
mpls ip
!
interface FastEthernet2/0
ip address 22.22.22.1 255.255.255.252
duplex auto
speed auto
mpls ip
!
interface FastEthernet2/1
no ip address
shutdown
duplex auto
speed auto
!

router eigrp 1
auto-summary
!
address-family ipv4 vrf Customer1
redistribute bgp 100 metric 64 1000 255 1 1500
network 3.3.3.0 0.0.0.255
network 192.168.1.0
no auto-summary
autonomous-system 1
exit-address-family

router eigrp 2
auto-summary
!
address-family ipv4 vrf Customer2
redistribute bgp 100 metric 64 1000 255 1 1500
network 3.3.3.0 0.0.0.255
network 192.168.2.0
no auto-summary
autonomous-system 2
exit-address-family
!
router ospf 1
log-adjacency-changes
network 3.3.3.0 0.0.0.255 area 0
network 11.11.11.0 0.0.0.3 area 0
network 22.22.22.0 0.0.0.3 area 0
!
router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 8.8.8.8 remote-as 100
neighbor 8.8.8.8 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 8.8.8.8 activate
neighbor 8.8.8.8 send-community extended
exit-address-family
!
address-family ipv4 vrf Customer2
redistribute eigrp 2
no synchronization
exit-address-family
!
address-family ipv4 vrf Customer1
redistribute eigrp 1
no synchronization
exit-address-family
!

mpls ldp router-id Loopback0 force
!

PE-LER1:

ip vrf Customer1
rd 1:1
route-target export 1:1
route-target import 1:1
!
ip vrf Customer2
rd 2:2
route-target export 2:2
route-target import 2:2

interface Loopback0
ip address 8.8.8.8 255.255.255.0
!
interface FastEthernet0/0
ip address 55.55.55.2 255.255.255.252
duplex half
mpls ip
!
interface FastEthernet1/0
ip address 66.66.66.2 255.255.255.252
duplex auto
speed auto
mpls ip
!
interface FastEthernet1/1
ip vrf forwarding Customer1
ip address 192.168.10.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet2/0
ip vrf forwarding Customer2
ip address 192.168.20.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet2/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 1
auto-summary
!
address-family ipv4 vrf Customer1
redistribute bgp 100 metric 64 1000 255 1 1500
network 8.8.8.0 0.0.0.255
network 192.168.10.0
auto-summary
autonomous-system 1
exit-address-family
!

router eigrp 2
auto-summary
!
address-family ipv4 vrf Customer2
redistribute bgp 100 metric 64 1000 255 1 1500
network 8.8.8.0 0.0.0.255
network 192.168.20.0
no auto-summary
autonomous-system 2
exit-address-family
!
router ospf 1
log-adjacency-changes
network 8.8.8.0 0.0.0.255 area 0
network 55.55.55.0 0.0.0.3 area 0
network 66.66.66.0 0.0.0.3 area 0
!
router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf Customer2
redistribute eigrp 2
no synchronization
exit-address-family
!
address-family ipv4 vrf Customer1
redistribute eigrp 1
no synchronization
exit-address-family
!

mpls ldp router-id Loopback0 force
!

the VRF routing tables :

PE-LER#sh ip route vrf Customer1

Routing Table: Customer1
Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/156160] via 192.168.1.1, 03:22:22, FastEthernet0/0
B 192.168.10.0/24 [200/0] via 8.8.8.8, 00:53:53
9.0.0.0/24 is subnetted, 1 subnets
B 9.9.9.0 [200/156160] via 8.8.8.8, 00:53:53
C 192.168.1.0/24 is directly connected, FastEthernet0/0

----------------------------------------------------------

PE-LER1#sh ip route vrf Customer1

Routing Table: Customer1
Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets
B 1.1.1.0 [200/156160] via 3.3.3.3, 01:34:43
C 192.168.10.0/24 is directly connected, FastEthernet1/1
9.0.0.0/24 is subnetted, 1 subnets
D 9.9.9.0 [90/156160] via 192.168.10.1, 03:24:42, FastEthernet1/1
B 192.168.1.0/24 [200/0] via 3.3.3.3, 01:34:43

filopeter · ‎03-03-2020

Hello,

try to turn off eigrp auto-summary on PE-LER1:

!

router eigrp 1
auto-summary
!
address-family ipv4 vrf Customer1
redistribute bgp 100 metric 64 1000 255 1 1500
network 8.8.8.0 0.0.0.255
network 192.168.10.0
auto-summary
autonomous-system 1
exit-address-family
!

Best Regards,

P.

View solution in original post

net guru · ‎03-03-2020

Hi again sir filopeter,
I did a traceroute from customer1 to customer1-branch , and it stoped at the LER-PE router. am now more in the theory of mpls problem in my network , I went and checked all LSR routers and had again verified the good config of mpls , I will drop a LSR config in this comment so if I have a misconfig you can verify it with me :

LSR :
interface FastEthernet0/0
ip address 11.11.11.2 255.255.255.252
duplex half
mpls ip
!
interface FastEthernet1/0
ip address 33.33.33.1 255.255.255.252
duplex auto
speed auto
mpls ip
router ospf 1
log-adjacency-changes
network 4.4.4.0 0.0.0.255 area 0
network 11.11.11.0 0.0.0.3 area 0
network 33.33.33.0 0.0.0.3 area 0
mpls ldp router-id Loopback0 force

please find below a capture of mpls shows in LSR:

View solution in original post

filopeter · ‎03-03-2020

It looks like you have an broken LSP.

Configure "ip ospf network point-to-point" under your Loopback 0 interfaces on PE-LER and PE-LER-1. In case of OSPF as IGP, this command is required to advertise the real netmask of your loopback interface.

If the loopback's real netmask is not /32 (in your case it is /24), you have a disparity between the information advertised by OSPF and LDP. While LDP advertises the true loopback's address/netmask and label mapping, the receiving LSR does not recognizes this label mapping because it does not know the address/netmask in its routing table, as OSPF advertises the loopback using the /32 netmask by default.

In the provided output you see also "no label" instead of "pop label" for 3.3.3.3/32

View solution in original post

filopeter · ‎03-03-2020

Hello,

try to turn off eigrp auto-summary on PE-LER1:

!

router eigrp 1
auto-summary
!
address-family ipv4 vrf Customer1
redistribute bgp 100 metric 64 1000 255 1 1500
network 8.8.8.0 0.0.0.255
network 192.168.10.0
auto-summary
autonomous-system 1
exit-address-family
!

Best Regards,

P.

net guru · ‎03-03-2020

I tried that but It didn't work .. what I don't get is , what are the cases when you see that Networks existing in your routing tables and still are unreachable ?

filopeter · ‎03-03-2020

You have mentioned that the ping on loopbacks does not work. Do you mean ping between LER routers (3.3.3.3 and 8.8.8.8), or ping between CE routers (1.1.1.0/24 and 9.9.9.0/24)?

Routing exchange is control plane task and forwarding of packets is data plane task. Sometimes you may have issue only in the MPLS data plane, like broken LSP path (for example "mpls ip" is not configured between LSR routers in your drawing).

net guru · ‎03-03-2020

Hi again sir filopeter,
I did a traceroute from customer1 to customer1-branch , and it stoped at the LER-PE router. am now more in the theory of mpls problem in my network , I went and checked all LSR routers and had again verified the good config of mpls , I will drop a LSR config in this comment so if I have a misconfig you can verify it with me :

LSR :
interface FastEthernet0/0
ip address 11.11.11.2 255.255.255.252
duplex half
mpls ip
!
interface FastEthernet1/0
ip address 33.33.33.1 255.255.255.252
duplex auto
speed auto
mpls ip
router ospf 1
log-adjacency-changes
network 4.4.4.0 0.0.0.255 area 0
network 11.11.11.0 0.0.0.3 area 0
network 33.33.33.0 0.0.0.3 area 0
mpls ldp router-id Loopback0 force

please find below a capture of mpls shows in LSR:

filopeter · ‎03-03-2020

It looks like you have an broken LSP.

Configure "ip ospf network point-to-point" under your Loopback 0 interfaces on PE-LER and PE-LER-1. In case of OSPF as IGP, this command is required to advertise the real netmask of your loopback interface.

If the loopback's real netmask is not /32 (in your case it is /24), you have a disparity between the information advertised by OSPF and LDP. While LDP advertises the true loopback's address/netmask and label mapping, the receiving LSR does not recognizes this label mapping because it does not know the address/netmask in its routing table, as OSPF advertises the loopback using the /32 netmask by default.

In the provided output you see also "no label" instead of "pop label" for 3.3.3.3/32

net guru · ‎03-03-2020

Thank you so much for your help, but even thought It is fixed , I feel frustrated because I don't get some stuff :
1 - since you said LDP advertises the ture loopback @/netmask , we have LDP working for both PEs, doesn't that seal the deal ? if not , then why !
2 - why would " ospf network point-to-point " fix the problem , what special treatement is done by OSPF in this case ?

thank you so much for you help , and please propose any documents that can give me an insight about these techs + SD-WANs , I would appreciate it so much because i have no clue from where to start!!

loris.marcellini · ‎03-03-2020

Hey there,

I would start asking a few questions, particularly, why would you have:

1) /24 loopbacks?

2) each individual network advertised without mask under specific address-family? And why not use redistribute connected instead?

An additional consideration:

1) Assuming you use OSPF as internal IGP within the MPLS backbone and EIGRP as PE-CE protocol, I am not sure you'd need to have your loopbacks under the EIGRP address-family? They're used internally for reachability from one MPLS spearker to another, they should be advertised by OSPF and they are, not sure what the customer would do with that piece of info.

When it comes to why does not work. It is not obvious by judging a chunk of config and a show route hence my suggestion would be, 1) fix loopback mask, 2) post a network diagram, 3) specify ip src and dst (whether they're loopback or something else) 4) run a traditional and mpls traceroute and ping from the src to the dst.

Hope this helps.

L.

net guru · ‎03-03-2020

Hi good sir , thank you for interacting with my problem,
1/ about loopbacks , I've read in some discussion in GNS3 forums that when ospf is the igp protocol under LDP , you have to set the loopbacks not to /32 mask because those will not be advertised ( correct me if am wrong )
2/I don't know redistribute connected , Why it is used and what is its purpose !!
thanks for responding good sir !

filopeter · ‎03-04-2020

1/ OSPF treats Loopback interfaces as stub networks and advertise them as host routes (with mask /32) regardless of their configured/native mask. To change this default behaviour you have to configure the OSPF network type to point-to-point network. The best practice is to use /32 masks for loopback interfaces.

2/ In MPLS VPNs you usually also advertise the subnet between PE and CE routers (in your case 192.168.1.0/24 or 192.168.10.0/24 in vrf Customer 1). You can do this in two ways
- advertise this network under eigrp and then redistribute eigrp to bgp like you did
- redistribute connected subnets to bgp, as these networks are directly connected to your PEs

3/ do not forget to increase the MTU on mpls enabled interfaces to avoid possible fragmentation

loris.marcellini · ‎03-04-2020

1) here's a pretty exhaustive explanation by a friend @Giuseppe Larosa https://community.cisco.com/t5/routing/loopback-interface-as-32-for-ldp-to-work/td-p/2913130

2) redistribute connected is not a common practice in general, it's up to who configures the network, in this case it would have probably helped clearing some doubts and making sure you were advertising the correct subnet. For instance in a lab, using redistribute connected does not hurt, read more about the command at: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/8606-redist.html#connectRoute

filopeter · ‎03-04-2020

2) To avoid redistribution of connected subnets is generally true for pure IP environment and IGP routing protocols. But In MPLS VPN environment you have to deal either with redistribution to MP-BGP, or you have to run eBGP on CE-PE interfaces. Redistribution of connected subnets to BGP is common practice.