11-24-2007 11:43 PM
Not sure why the VPNv4 route is denied by BGP peer. Any help is appreciated.
Using Cisco 2811, 12.4(7a).
iBGP speaker (PE router) sends a VPNv4 route, but the peer (P or PE router) denies the route with the following error (debug message):
DENIED due to: extended community not supported;
The BGP configuration is (identical config on both speakers):
router bgp 1
no sync
neighbor 2.2.2.2 remote-as 1
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
11-26-2007 04:37 AM
Hi,
One of the reasons for this error is "Mismatch in route-target community strings for route import/export". Please check the route-target.
Regards
Vikas Sharma
11-26-2007 12:08 PM
I think, you're right about route-target configuration. Once I configured import/export route targets for the vrf on PE (I do not know how I missed this basic config; I kind of overlooked), the VPN routes were accepted by PE.
However, the problem still exists for P routers. Since we do not configure route targets on 'P' routers (not VPN/VRF aware), I am wondering as to how we can configure P routers to accept VPNV4 routes.
The bottom line is that the PE router has VPN routes, but it cannot send traffic through the Ps in the core.
Any help/suggestions?
11-26-2007 12:17 PM
This is the default behaviour of BGP for RT which you have not configured on the receiving BGP peers.
For example: on PE1, if you have configured RT 1:1 to be exported and the same RT does not exist on the other VPNv4 BGP peers as an import RT of 1:1, then all the routes exported with RT 1:1 would be denied, and this can be seen in debug ip bgp vpnv4 uni.
Also a P router in an MPLS cloud should not be having any IBGP peering with any, as it simply does not need one.
Your IPv4 internet traffic would also be label switched if you omit the IPv4 IBGP sessions off the P routers.
But if you have already implemented vpnv4 sessions on your P routers as well as a part of your design then you can configure this command on the P routers to accept and store all the RT's received.
router bgp x
no bgp default route-target filter
HTH-Cheers,
Swaroop
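The default route-target filter described in the post above, written as a small offline config check (an added example, not part of the original thread and not Cisco code). It is a simplified model: the config snippets are constructed from the lab values used in this thread, and the function names parse and denied_vrfs are hypothetical.

```python
import re

def parse(config):
    """Return ({vrf: {"import": set, "export": set}}, rt_filter_enabled)."""
    vrfs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        vrf = re.match(r"ip vrf (\S+)$", line)
        rt = re.match(r"route-target (import|export|both) (\S+)$", line)
        if vrf:
            current = vrfs.setdefault(vrf.group(1), {"import": set(), "export": set()})
        elif rt and current is not None:
            kinds = ("import", "export") if rt.group(1) == "both" else (rt.group(1),)
            for kind in kinds:
                current[kind].add(rt.group(2))
    # The filter is on by default; only the explicit "no" form disables it.
    filter_on = "no bgp default route-target filter" not in config
    return vrfs, filter_on

def denied_vrfs(sender_cfg, receiver_cfg):
    """Sender VRFs whose VPNv4 routes the receiver drops under the default RT filter."""
    sender_vrfs, _ = parse(sender_cfg)
    receiver_vrfs, filter_on = parse(receiver_cfg)
    if not filter_on:
        return []  # receiver stores every VPNv4 route regardless of RT
    wanted = set().union(*(v["import"] for v in receiver_vrfs.values()))
    # A route is kept if at least one of its RTs matches a local import RT.
    return sorted(n for n, v in sender_vrfs.items() if not (v["export"] & wanted))

# Constructed snippets (values taken from the lab in this thread).
PE_OK = "ip vrf red\n rd 1:1\n route-target both 100:100\n"
PE_NO_RT = "ip vrf red\n rd 1:1\n"  # VRF defined, route targets forgotten
P_ROUTER = "router bgp 1\n address-family vpnv4\n  neighbor 2.2.2.2 activate\n"
P_NOFILTER = "router bgp 1\n no bgp default route-target filter\n" \
             " address-family vpnv4\n  neighbor 2.2.2.2 activate\n"

if __name__ == "__main__":
    for name, cfg in [("PE with RTs", PE_OK), ("PE without RTs", PE_NO_RT),
                      ("P router", P_ROUTER), ("P router, filter off", P_NOFILTER)]:
        print(f"{name}: denies VRFs {denied_vrfs(PE_OK, cfg)}")
```
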
11-26-2007 09:39 PM
Hi,
This is the situation when you want an Inter-AS kind of scenario, i.e. when you want your vpnv4 routes to be exported to another AS. This is, as per my understanding, a different case where there is no Inter-AS communication. Thus we do not require "no bgp default route-target filter" here.
Gramu - Can you please copy the P router configuration here.
Regards
Vikas Sharma
11-26-2007 10:42 PM
Gramu, Vikas,
If your P router in question has anything to do with VPNv4 sessions or messages received, then technically it's not a P router but a PE router, even though you may name it as a P router.
Also, to troubleshoot your traffic switching problem, you may want to look at your LSP being functional for only the IGP labels, as P routers need not have any VPN information to switch traffic between PEs for end CEs. Just the IGP label for the next hop is enough.
Having said that, "no bgp default route-target filter" has nothing to do with inter-as, as none of the inter-as options except one option requires this command.
This command was introduced to nullify the basic BGP default in IOS which was introduced to conserve memory.
As any PE router which does have have a import RT configured should not store the received routes in the updates to conserve memory. So in conditions where you need to override this behaviour you can always use "no bgp default rt filter".
HTH-Cheers,
Swaroop
11-27-2007 02:33 PM
Swaroop, Vikas: Thanks for the input.
Swaroop, What I understand from your email is:
1. iBGP mesh is required only among PEs
2. PEs and P routers should know how to reach the PEs (typically IGP is used to achieve this reachability). P router does not need to be aware of VPN routes at all since data path is through LSP.
I had a reachability problem. Let me focus on debugging the LSP aspect and share my findings.
11-28-2007 08:44 AM
The config works now! I had some routing problem, so the VRF reachability did not work earlier. I am posting the config below for anybody who likes to use it for basic VPN setup for practice. R1 & R6 are CEs, R2 & R5 are PEs and R3 & R4 are P routers.
R1
config terminal
hostname R1
interface fast 0/0
ip address 10.1.1.1 255.255.255.0
no shut
exit
interface loopback0
ip addr 1.1.1.1 255.255.255.255
no shut
exit
router rip
network 10.1.1.0
network 1.1.1.1
exit
ip route 0.0.0.0 0.0.0.0 10.1.1.2
exit
write mem
R2
config terminal
hostname R2
interface loopback0
ip addr 2.2.2.2 255.255.255.255
no shut
exit
ip vrf red
rd 1:1
route-target both 100:100
exit
interface fast 0/0
ip vrf forwarding red
ip address 10.1.1.2 255.255.255.0
no shut
exit
interface fast 0/1
ip address 20.1.1.1 255.255.255.0
no shut
mpls ip
mpls label protocol ldp
exit
mpls ip
mpls label protocol ldp
router rip
address-family ipv4 vrf red
network 10.1.1.0
exit
exit
router ospf 1
network 20.1.1.1 0.0.0.0 area 0
network 2.2.2.2 0.0.0.0 area 0
exit
router bgp 1
neighbor 5.5.5.5 remote-as 1
neighbor 5.5.5.5 update-source loopback0
address-family vpnv4
neighbor 5.5.5.5 activate
exit
address-family ipv4 vrf red
redistribute rip
no synchronization
exit-address-family
exit
exit
write mem
R3
config terminal
hostname R3
interface loopback0
ip addr 3.3.3.3 255.255.255.255
no shut
exit
interface fast 0/1
ip address 20.1.1.2 255.255.255.0
no shut
mpls ip
mpls label protocol ldp
exit
interface serial 0/0/1
ip address 30.1.1.1 255.255.255.0
encap hdlc
mpls ip
mpls label protocol ldp
no shut
exit
mpls ip
mpls label protocol ldp
router ospf 1
network 20.1.1.2 0.0.0.0 area 0
network 30.1.1.1 0.0.0.0 area 0
network 3.3.3.3 0.0.0.0 area 0
exit
exit
write mem
R4
config terminal
hostname R4
interface loopback0
ip addr 4.4.4.4 255.255.255.255
no shut
exit
interface serial 0/0/1
ip address 30.1.1.2 255.255.255.0
encap hdlc
mpls ip
mpls label protocol ldp
no shut
exit
interface fast 0/0
ip address 40.1.1.1 255.255.255.0
mpls ip
mpls label protocol ldp
no shut
exit
mpls ip
mpls label protocol ldp
router ospf 1
network 30.1.1.2 0.0.0.0 area 0
network 40.1.1.1 0.0.0.0 area 0
network 4.4.4.4 0.0.0.0 area 0
exit
exit
write mem
R5
config terminal
hostname R5
ip vrf red
rd 1:1
route-target both 100:100
exit
interface loopback0
ip addr 5.5.5.5 255.255.255.255
no shut
exit
interface fast 0/0
ip address 40.1.1.2 255.255.255.0
mpls ip
mpls label protocol ldp
no shut
exit
interface serial 0/0/1
ip vrf forwarding red
ip address 50.1.1.2 255.255.255.0
encap hdlc
no shut
exit
mpls ip
mpls label protocol ldp
router ospf 1
network 40.1.1.2 0.0.0.0 area 0
network 5.5.5.5 0.0.0.0 area 0
exit
router rip
address-family ipv4 vrf red
network 50.1.1.0
exit
exit
router bgp 1
neighbor 2.2.2.2 remote-as 1
neighbor 2.2.2.2 update-source loopback0
address-family vpnv4 unicast
neighbor 2.2.2.2 activate
exit
address-family ipv4 vrf red
redistribute rip
no synchronization
exit-address-family
exit
exit
write mem
R6
config terminal
hostname R6
interface serial 0/0/1
ip address 50.1.1.1 255.255.255.0
no shut
exit
interface loopback0
ip addr 6.6.6.6 255.255.255.255
no shut
exit
router rip
network 50.1.1.0
network 6.6.6.6
exit
ip route 0.0.0.0 0.0.0.0 50.1.1.2
exit
write mem
11-30-2007 04:46 PM
Swaroop,
Can you tell me what the difference is between VPLS and Layer 3 MPLS/VPN?
Thank you very much.
--Ken
12-01-2007 10:21 AM
VPLS and L3VPN are both VPNs, which is the similarity; the rest are all differences. To list:
1) VPLS is a multipoint Layer 2 VPN. / L3VPN is a multipoint Layer 3 VPN.
2) VPLS doesn't use BGP but needs a full mesh of LDP peering between the endpoints / L3VPN needs a BGP full mesh.
3) VPLS doesn't need the CE to peer using any routing protocol with the PE / L3VPN needs a routing protocol or a static route at minimum to forward traffic to the remote end.
4) VPLS is a single broadcast domain / L3VPN is not and is in fact a connection of multiple L3 islands.
For simplicity, VPLS is a pure Layer 2 VPN, and L3VPN, as the name suggests, is an IP-based VPN.
HTH-Cheers,
Swaroop