Thanks for the reply.

The situation we had, if I can repeat with some diagrams, was we were advertising a /32 with one as-path to the ISP and from a second router adverting a /28 with two as-paths, to the same ISP.   ISP was steering traffic back to us through the router that was advertising a /28 (PE2-CE2), for devices that were configured to talk to /32.

CE1  (/32 as-path x 2)   --> PE1 (ISP)    core

CE2 (/28 as-path x 1)   --> PE2 (ISP)     core

I think it could be that the ISP design when exporting to the core is adverting aggregates?  As i cannot think of any other reason why they would prefer /28 path for traffic destined to /32.

Thanks,

TK

TK

Thanks for the additional information. What you describe here is certainly not the expected behavior. It may take some additional investigation to understand this issue. As a next step would you post the output on both of your BGP CE routers of the command show ip bgp neighbor advertised

HTH

Rick

Thanks for the reply.

I cannot paste any details here due to Confidentiality, security will be all over me, and i wont have access to the router now for next few days.

If there is anything specific you want to know, please let me know and i'll update accordingly.

Thanks,

TK

Hi Sergey,

So we have Dual-homed design where the two CE's are connected to the two PE's, of the same ISP.  

The issue is, the devices that are connected in the remote location, on the other side of the ISP cloud are configured to with next hop of /32 (lets say its a server sitting in our organisation, behind the CE)

As explained earlier, the ISP PE is preferring the /28 path (CE2-PE2) instead of the /32 path (CE1-PE1).

So, my theory is, it could be that the ISP when getting the 192.168.1.0/28 & the /32 from the CE, its ignoring the /32 and exporting only /28 (aggregate) to the remote devices. 
On the other side of the cloud where the remote device is connected, the PE its connected to has only the /28 in its routing table, which it received from the core.  Now, the remote device, which needs a route to /32 is seeing this /28 subnet and therefore the return traffic is using the /28, as that is the only route it has on the remote side PE.  Again this is just a theory, i might be wrong!

Hope that explains.

Thanks,

TK            

Hello TK,

you have now described with more details your network scenario.

If I understand correctly you have an MPLS L3 VPN service.

In this case your routers the CE1 and CE1 are peering with directly connected PE nodes.

Yes, the MPLS SP can actually perform  filtering of /32 host routes or aggregation before exporting the resulting VPNv4 prefix.

You can ask to the MPLS SP to help you in achieving the desired behaviour.

Another important point is that the two PE nodes should use different route distinguishers, in this way their VPNv4 prefixes would be NOT comparable and propagated everwhere via route reflector and  the remote PE could see both routes and make a choice after importing based on BGP attributes.

Usually /30 prefixes are accepted in a VPN as most VRF access links use them. As an approximation of your desired behaviour you could try to advertise a /30 prefix from CE1, including the IP address of the server of interest, and you can see if the /30 prefix is propagated to remote PE.

In any case I would ask to the MPLS SP to have different RDs on their PE1 and PE2 nodes.

This can be an improvement.

Hope to help

Giuseppe

Hi Giuseppe,

The /32 is really for our own design reasons, to prefer to more specific than the aggregate, but what was puzzling me is why the ISP was preferring the /28 and not the /32. 
Thanks for all you help in this forum, at least the initial confusion is now clear.

Cheers,

TK

Duplicated - apologies