01-15-2009 02:59 AM
Hi,
I'm studying for the MPLS exam and I wanted to create a small lab to recreate a scenario with overlapping MPLS-VPN to get some practice.
I created the following physical topology:
ACentral-\ $$$$$$$ /---BCentral
SiteB2---Pe1--P--Pe2--SiteA2
SiteA1---/ $$$$$$$ \---SiteB1
The traffic flow should be the following:
SiteA1---\ $$$$$$$ /----SiteB1
$$ | $$ACentral--BCentral$$ | $$
SiteA2---/ $$$$$$$ \----SiteB2
Notes:
-Each customer spoke site cannot communicate directly with the other customer's sites.
-There are no restrictions for the intranet traffic.
To accomplish those requirements, I created these VRFs on Pe1 (configuration on Pe2 is specular):
ip vrf A
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip vrf AC ! ip vrf BC (on Pe2)
 rd 1:123 ! rd 2:123 (on Pe2)
 route-target export 1:1 ! 2:2 on Pe2
 route-target export 3:100 ! same on Pe2
 route-target import 1:1 ! 2:2 on Pe2
 route-target import 3:100 ! same on Pe2
!
ip vrf B
 rd 2:2
 route-target export 2:2
 route-target import 2:2
I expected that both PEs were able to reach every network of the other customer but probably something is missing.
The problem is that BC's VRF on Pe2 exports routes learned from VRF B using RT 2:2 only, without RT 3:100, and obviously VRF AC (on Pe1) does not import these routes and it doesn't have reachability to the B1 site.
The same thing happens on Pe1, where VRF BC does not have routes for the A1 site.
Attached you can find the configuration of all P-Pe-Ce and some verification commands.
Hope to receive your comments.
Thanks in advance.
Marco.
PS
IOS on all routers: c2600-telco-mz.123-26
01-15-2009 08:22 AM
Marco,
This is normal behavior.
Let me explain the import/export process. Routes are first exported from a specific VRF to BGP VPNv4 and are tagged with the configured export route target(s) (RT). They can then be imported by other VRFs configured to import the same RT and advertised to VPNv4 peers. Once the routes have been imported by the other VRF context, they won't be exported back to the BGP VPNv4 context.
So in your scenario, the routes you are seeing from PE2 with a RT of 2:2 have been exported from VRF B, not VRF BC.
You could reconfigure VRF AC to import RT 1:1 and 2:2 on both PE1 and PE2 to achieve the requirement.
Regards
01-15-2009 08:34 AM
Marco,
One precision. What I meant is reconfigure VRF AC on PE1 and VRF BC on PE2 for both to import RT 1:1 and 2:2.
Regards
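The import/export behaviour explained in the replies above, as an added example that is not part of the original thread: a small Python model of the VRFs from the first post, where site names stand in for prefixes and the suggested change is treated as extra imports on AC and BC (an assumption). It lists which sites each VRF holds routes for and checks that the spoke VRFs never receive the other customer's spoke routes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vrf:
    name: str           # "<PE>:<VRF>", VRF names as in the first post
    export: frozenset   # RTs attached when CE-learned routes go to VPNv4
    imports: frozenset  # RTs this VRF accepts from VPNv4
    site: str           # attached site; stands in for its prefixes (constructed)

def build(extra=()):
    """VRFs from the first post; 'extra' RTs are added to the imports of AC and BC."""
    f, extra = frozenset, frozenset(extra)
    return [
        Vrf("PE1:A", f({"1:1"}), f({"1:1"}), "A1"),
        Vrf("PE1:AC", f({"1:1", "3:100"}), f({"1:1", "3:100"}) | extra, "ACentral"),
        Vrf("PE1:B", f({"2:2"}), f({"2:2"}), "B2"),
        Vrf("PE2:A", f({"1:1"}), f({"1:1"}), "A2"),
        Vrf("PE2:BC", f({"2:2", "3:100"}), f({"2:2", "3:100"}) | extra, "BCentral"),
        Vrf("PE2:B", f({"2:2"}), f({"2:2"}), "B1"),
    ]

def routing_tables(vrfs):
    # Export: only CE-learned routes enter VPNv4, tagged with the VRF's export RTs.
    vpnv4 = [(v.name, v.site, v.export) for v in vrfs]
    tables = {}
    for v in vrfs:
        # Import: install any VPNv4 route carrying at least one imported RT.
        # Routes installed here are never appended to vpnv4 (no re-export).
        tables[v.name] = {v.site} | {site for origin, site, rts in vpnv4
                                     if origin != v.name and rts & v.imports}
    return tables

def spoke_leaks(tables):
    """Spoke VRFs A and B must never hold routes to the other customer's spokes."""
    other = {"A": {"B1", "B2"}, "B": {"A1", "A2"}}
    return sorted((name, s) for name, sites in tables.items()
                  for s in sites & other.get(name.split(":")[1], set()))

if __name__ == "__main__":
    cases = (("as posted", ()),
             ("AC and BC also import 1:1 and 2:2", ("1:1", "2:2")))
    for label, extra in cases:
        tables = routing_tables(build(extra))
        print(label)
        for name in sorted(tables):
            print(f"  {name:7} {sorted(tables[name])}")
        print("  spoke leaks:", spoke_leaks(tables))
```
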
01-15-2009 03:48 PM
mmm...I thought the problem was solved, but importing RT 1:1 or 2:2 on the central site is not a solution. Theoretically the requirements are not achieved in this way, since traffic must go through both central sites. Take a look at the attached picture.
Probably there is a mistake in the slides of the course.
Unfortunately there aren't other configuration details other than the vrf configuration in the example.
01-15-2009 07:38 PM
Marco,
The diagrams make it clearer. The data flow diagram seems to indicate that:
VPN_A_Central has access to its own routes between PE1 and PE2. It has extranet access to all routes from VPN_A. It shouldn't have any access to VPN_B routes.
VPN_B_Central has access to its own routes between PE1 and PE2. It also has extranet access to all routes from VPN_B. It shouldn't have any access to VPN_A routes.
VPN_A and VPN_B should have their own routes and routes from VPN_A_Central and VPN_B_Central respectively.
This is accomplished with the example configuration:
PE1:
ip vrf VPN_A
 rd 123:750
 route-target both 123:750
!
ip vrf VPN_B
 rd 123:760
 route-target both 123:760
!
ip vrf VPN_Central_A
 rd 123:751
 route-target both 123:750
 route-target both 123:1001
PE2:
ip vrf VPN_A
 rd 123:750
 route-target both 123:750
!
ip vrf VPN_B
 rd 123:760
 route-target both 123:760
!
ip vrf VPN_Central_B
 rd 123:761
 route-target both 123:760
 route-target both 123:1001
!
Regards
01-15-2009 09:24 AM
----
They can then be imported by other VRF configured to import the same RT and advertised to VPNv4 peers [...] they won't be exported back to the BGP VPNv4 context.
---
Thanks for your reply.
I'm not sure I understood completely what you said about the import/export process.
These are the operations:
1 - route X is received in VRF B via IGP
2 - route X is redistributed in BGPipv4(VRF B)
3 - route X in BGPipv4(VRF-B) table is tagged with RT 2:2 and exported as BGP-VPNv4 update to the other VRFs if any and to other MPBGP peers.
4 - VRF-BC is configured to import BGP-VPNv4 routes with RT 2:2, thus, routeX is imported in VRF-BC, and even if VRF-BC is configured to export with RD 3:100 and 2:2, routeX won't be sent back to other BGP-VPNv4 neighbors or local VRFs (as you said). It reminds me of split horizon.
Is this flow correct...more or less?
Thanks
Regards
01-15-2009 10:01 AM
Marco,
Your description is mostly correct except for item 4. Routes received with route-target 2:2 will be imported by all local VRFs configured with import RT 2:2.
And yes, it is similar to split horizon in the sense that if it has been imported, it can't be exported back.
Regards
01-15-2009 10:43 PM
Marco,
In my opinion, hritter is right.
regards
shivlu jain