Cannot statically route MPLS L3VPN over TE Tunnel

steven.crutchley · ‎07-10-2018

I have the following network:

ISIS is used as the IGP. Standard L3VPN MPLS setup.

CE1 and CE2 are both part of Customer 1. Their ACs on both PE1 and PE2 are in VRF CUST_1. Routes are advertised over VPNv4 MP-BGP via RR1.

I've enabled traffic engineering on all interfaces and have setup a TE tunnel with PE1 as the headend, PE2 as the tail-end and an explicit path via P2-P3-P4-PE2.

PE1#sh run int tu1
Building configuration...

Current configuration : 200 bytes
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel destination 200.200.200.200
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng path-option 1 explicit name LOWER-PATH
 no routing dynamic
end

PE1#show ip explicit-paths name LOWER-PATH
PATH LOWER-PATH (strict source route, path complete, generation 6)
    1: next-address 2.2.2.2
    2: next-address 3.3.3.3
    3: next-address 4.4.4.4
    4: next-address 200.200.200.200
PE1#

100.100.100.100 = PE1
200.200.200.200 = PE2
1.1.1.1 = P1 etc..

I've statically routed traffic to 192.168.70.0/24 over the TE Tunnel using:

ip route vrf CUST_1 192.168.70.0 255.255.255.0 Tunnel1

If I trace from CE1 to 192.168.80.1 is goes via the upper path - normal MPLS L3VPN

CE1#trace 192.168.80.1 source lo1

Type escape sequence to abort.
Tracing the route to 192.168.80.1

1 172.30.1.9 12 msec 12 msec 24 msec
2 10.10.110.1 [AS 500] [MPLS: Labels 50106/52019 Exp 0] 84 msec 72 msec 108 msec
3 10.10.15.5 [AS 500] [MPLS: Labels 50505/52019 Exp 0] 100 msec 140 msec 124 msec
4 10.10.56.6 [AS 500] [MPLS: Labels 50600/52019 Exp 0] 112 msec 112 msec 100 msec
5 172.30.2.9 [AS 500] [MPLS: Label 52019 Exp 0] 76 msec 92 msec 64 msec
6 172.30.2.10 [AS 500] 84 msec 72 msec 92 msec

If I trace to 192.168.70.1 I'd like it go over the TE tunnel via the static route. But I get nothing

CE1#trace 192.168.70.1 source lo1

Type escape sequence to abort.
Tracing the route to 192.168.70.1

1 172.30.1.9 24 msec 12 msec 12 msec
2 * * *
3 * * *

When doing a packet capture, I can see the ICMP request going along the lower path (i.e. through the tunnel) but the VPN label is not on the packet.

So P4 PHPs the Tunnel label and it arrives at PE2 as an IP packet. PE2 has not idea what to do with, naturally, and drops it.

How can make sure the VPN label (as advertised via MP-BGP from PE2) is pushed onto the IP packet at PE1 before it enters the tunnel?

jpl861 · ‎07-10-2018

Have you advertised 192.168.70.0/24 via BGP from CE2? Without the TE tunnel, can you establish communication between the two networks?

steven.crutchley · ‎07-10-2018

Yes. If I remove the static route, traffic to 192.168.70.0/24 will follow the same path as traffic to 192.168.80.0/24.

jpl861 · ‎07-10-2018

Can you show us all mpls-te relevant configurations on your head-end? Thanks!

jpl861 · ‎07-10-2018

I also don’t see mpls ip configured on your tunnel interfaces. You’ll need that too as you will need to have end to end LSP.

steven.crutchley · ‎07-11-2018

Hi John,

Here is the IS-IS config, interface config and output of 'sh mpls traffic-eng tunnels tunnel 1'

(added 'mpls ip' to tunnel interface as you suggested. No change)

PE1#sh run int tu1
Building configuration...

Current configuration : 200 bytes
!
interface Tunnel1
 ip unnumbered Loopback0
 mpls ip
 tunnel destination 200.200.200.200
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng path-option 1 explicit name LOWER-PATH
 no routing dynamic
end

PE1#

PE1#sh mpls traffic-eng tunnels tunnel 1

Name: PE1_t1                              (Tunnel1) Destination: 200.200.200.200
  Status:
    Admin: up         Oper: up     Path: valid       Signalling: connected

    path option 1, type explicit LOWER-PATH (Basis for Setup, path weight 40)

  Config Parameters:
    Bandwidth: 0        kbps (Global)  Priority: 7  7   Affinity: 0x0/0xFFFF
    Metric Type: TE (default)
    AutoRoute:  disabled  LockDown: disabled  Loadshare: 0        bw-based
    auto-bw: disabled

  InLabel  :  -
  OutLabel : FastEthernet1/0, 50200
  RSVP Signalling Info:
       Src 100.100.100.100, Dst 200.200.200.200, Tun_Id 1, Tun_Instance 19
    RSVP Path Info:
      My Address: 10.10.210.10
      Explicit Route: 10.10.210.2 10.10.23.2 10.10.23.3 10.10.34.3
                      10.10.34.4 10.10.204.4 10.10.204.20 200.200.200.200
      Record Route:  NONE
      Tspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
    RSVP Resv Info:
      Record Route:  NONE
      Fspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
  Shortest Unconstrained Path Info:
    Path Weight: 40 (TE)
    Explicit Route: 10.10.110.10 10.10.110.1 10.10.15.1 10.10.15.5
                    10.10.56.5 10.10.56.6 10.10.206.6 10.10.206.20
                    200.200.200.200
  History:
    Tunnel:
      Time since created: 1 hours, 33 minutes
      Time since path change: 1 hours, 33 minutes
    Current LSP:
      Uptime: 1 hours, 33 minutes
PE1#
PE1#sh run interface fa0/0
Building configuration...

Current configuration : 207 bytes
!
interface FastEthernet0/0
 description link to P1
 ip address 10.10.110.10 255.255.255.0
 ip router isis LAB
 speed 100
 full-duplex
 mpls ip
 mpls traffic-eng tunnels <<<<<< THIS IS ON ALL P AND PE CORE LINKS
 isis circuit-type level-2-only
end

PE1#
PE1#sh run | sec router isis
 ip router isis LAB
 ip router isis LAB
router isis LAB
 net 49.0500.0100.0100.0100.00
 is-type level-2-only
 metric-style wide
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng level-2
 passive-interface Loopback0
PE1#

Here is how PE1 sees VRF CUST_1

PE1#sh bgp vpnv4 unicast vrf CUST_1 192.168.80.0
BGP routing table entry for 500:1:192.168.80.0/24, version 10
Paths: (1 available, best #1, table CUST_1)
  Advertised to update-groups:
     1
  220
    200.200.200.200 (metric 40) from 77.77.77.77 (77.77.77.77)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:500:1
      Originator: 200.200.200.200, Cluster list: 77.77.77.77
      mpls labels in/out nolabel/52019
PE1#sh bgp vpnv4 unicast vrf CUST_1 192.168.70.0
BGP routing table entry for 500:1:192.168.70.0/24, version 9
Paths: (1 available, best #1, table CUST_1)
  Advertised to update-groups:
     1          2
  Local
    0.0.0.0 from 0.0.0.0 (100.100.100.100)
      Origin incomplete, metric 0, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:500:1
      mpls labels in/out 51019/nolabel
PE1#sh ip route vrf CUST_1

Routing Table: CUST_1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

B    192.168.60.0/24 [20/0] via 172.30.1.10, 01:33:57
     172.30.0.0/30 is subnetted, 2 subnets
B       172.30.2.8 [200/0] via 200.200.200.200, 01:33:42
C       172.30.1.8 is directly connected, FastEthernet0/1
B    192.168.80.0/24 [200/0] via 200.200.200.200, 01:33:42
S    192.168.70.0/24 is directly connected, Tunnel1
PE1#

jpl861 · ‎07-11-2018

This is weird. Why is your 70.x locally injected on BGP. Shouldn't this be learned from PE2?

PE1#sh bgp vpnv4 unicast vrf CUST_1 192.168.70.0
BGP routing table entry for 500:1:192.168.70.0/24, version 9
Paths: (1 available, best #1, table CUST_1)
  Advertised to update-groups:
     1          2
  Local
    0.0.0.0 from 0.0.0.0 (100.100.100.100)
      Origin incomplete, metric 0, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:500:1
      mpls labels in/out 51019/nolabel

.

a.alekseev · ‎07-10-2018

You must enable RSVP or allocate all labels manually along the path...

steven.crutchley · ‎07-11-2018

RSVP is in use . I can see it in the debug output.

PE1#debug ip rsvp dump-messages
RSVP dump-messages debugging is on
PE1#
*Mar  1 01:30:30.375: RSVP:     version:1 flags:0000 type:Path cksum:1995 ttl:255 reserved:0 length:232
*Mar  1 01:30:30.379:  SESSION              type 7 length 16:
*Mar  1 01:30:30.379:   Destination 200.200.200.200, TunnelId 1, Source 100.100.100.100, Protocol 0, Flags 0000
*Mar  1 01:30:30.379:  HOP                  type 1 length 12:
*Mar  1 01:30:30.379:   Neighbor 10.10.210.10, LIH 0x01000403
*Mar  1 01:30:30.383:  TIME_VALUES          type 1 length 8 :
*Mar  1 01:30:30.383:   Refresh period is 30000 msecs
*Mar  1 01:30:30.383:  EXPLICIT_ROUTE       type 1 length 68:
*Mar  1 01:30:30.383:   (#1) Strict IPv4 Prefix, 8 bytes, 10.10.210.2/32
*Mar  1 01:30:30.383:   (#2) Strict IPv4 Prefix, 8 bytes, 10.10.23.2/32
*Mar  1 01:30:30.387:   (#3) Strict IPv4 Prefix, 8 bytes, 10.10.23.3/32
*Mar  1 01:30:30.387:   (#4) Strict IPv4 Prefix, 8 bytes, 10.10.34.3/32
*Mar  1 01:30:30.387:   (#5) Strict IPv4 Prefix, 8 bytes, 10.10.34.4/32
*Mar  1 01:30:30.387:   (#6) Strict IPv4 Prefix, 8 bytes, 10.10.204.4/32
*Mar  1 01:30:30.387:   (#7) Strict IPv4 Prefix, 8 bytes, 10.10.204.20/32
*Mar  1 01:30:30.391:   (#8) Strict IPv4 Prefix, 8 bytes, 200.200.200.200/32
*Mar  1 01:30:30.391:  LABEL_REQUEST        type 1 length 8 :
*Mar  1 01:30:30.391:   Layer 3 protocol ID: 2048
*Mar  1 01:30:30.391:  SESSION_ATTRIBUTE    type 7 length 16:
*Mar  1 01:30:30.391:         Session name: PE1_t1
*Mar  1 01:30:30.391:         Setup priority: 7, reservation priority: 7
*Mar  1 01:30:30.391:         Status: May-Reroute
*Mar  1 01:30:30.391:  SENDER_TEMPLATE      type 7 length 12:
*Mar  1 01:30:30.391:   Source 100.100.100.100, tunnel_id 19
*Mar  1 01:30:30.391:  SENDER_TSPEC         type 2 length 36:
*Mar  1 01:30:30.391:   version=0, length in words=7
*Mar  1 01:30:30.391:   Token bucket fragment (service_id=1, length=6 words
*Mar  1 01:30:30.391:       parameter id=127, flags=0, parameter length=5
*Mar  1 01:30:30.391:       average rate=0 bytes/sec, burst depth=1000 bytes
*Mar  1 01:30:30.391:       peak rate   =0 bytes/sec
*Mar  1 01:30:30.391:       min unit=0 bytes, max pkt size=2147483647 bytes
*Mar  1 01:30:30.391:  ADSPEC               type 2 length 48:
*Mar  1 01:30:30.395:  version=0  length in words=10
*Mar  1 01:30:30.395:  General Parameters  break bit=0  service length=8
*Mar  1 01:30:30.395:                                         IS Hops:1
*Mar  1 01:30:30.395:              Minimum Path Bandwidth (bytes/sec):12500000
*Mar  1 01:30:30.395:                     Path Latency (microseconds):0
*Mar  1 01:30:30.395:                                        Path MTU:1500
*Mar  1 01:30:30.395:  Controlled Load Service  break bit=0  service length=0
*Mar  1 01:30:30.395:
PE1#

a.alekseev · ‎07-11-2018

it should be done in a different way

create second loopback on PE2 with address 200.200.200.201
import it in IGP

on PE1

vrf definition CUST_1
rd 100.100.100.100:1
!
address-family ipv4
import map TE
route-target export 1:1
route-target import 1:1
exit-address-family

!
ip extcommunity-list 1 permit rt 1:1
!
ip prefix-list TE seq 5 permit 192.168.70.0/24
!
route-map TE permit 10
match ip address prefix-list TE
match extcommunity 1
set ip next-hop 200.200.200.201
!
route-map TE permit 20
match extcommunity 1
!
ip route 200.200.200.201 255.255.255.255 Tunnel0

steven.crutchley · ‎07-18-2018

Thanks for the response.

So I have configured everything as you've suggested but I don't thin the next hop is being set correctly.

There is my config

PE1#sh run | sec vrf CUST_1
ip vrf CUST_1
 description Customer_1_VRF
 rd 500:1
 vpn id 500:1
 import map TE_IMPORT
 route-target export 500:1
 route-target import 500:1
<snip>
PE1#
PE1#
PE1#sh run | sec TE_IMPORT
<snip>
ip prefix-list TE_IMPORT seq 5 permit 192.168.70.0/24
route-map TE_IMPORT permit 10
 match ip address TE_IMPORT
 match extcommunity 1
 set ip next-hop 200.200.200.201
route-map TE_IMPORT permit 20
 match extcommunity 1
PE1#
PE1#show ip route 200.200.200.200
Routing entry for 200.200.200.200/32
  Known via "isis", distance 115, metric 40, type level-2
  Redistributing via isis
  Last update from 10.10.110.1 on FastEthernet0/0, 00:34:05 ago
  Routing Descriptor Blocks:
  * 10.10.110.1, from 200.200.200.200, via FastEthernet0/0
      Route metric is 40, traffic share count is 1

PE1#show ip route 200.200.200.201
Routing entry for 200.200.200.201/32
  Known via "static", distance 1, metric 0 (connected)
  Redistributing via bgp 500
  Advertised by bgp 500
  Routing Descriptor Blocks:
  * directly connected, via Tunnel1
      Route metric is 0, traffic share count is 1

PE1#sh run int tu1
Building configuration...

Current configuration : 200 bytes
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel destination 200.200.200.200
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng path-option 1 explicit name LOWER-PATH
 no routing dynamic
end

PE1#

PE2#sh run int lo1
Building configuration...

Current configuration : 97 bytes
!
interface Loopback1
 description TE Interface
 ip address 200.200.200.201 255.255.255.255
end

PE2#sh run | sec router isis
<snip>
router isis LAB
 net 49.0500.0200.0200.0200.00
 is-type level-2-only
 metric-style wide
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng level-2
 passive-interface Loopback0
 passive-interface Loopback1
PE2#

After clearing BGP and LDP I get the following output. Note that the next-hop to 192.168.70.0/24 hasn't changed.

PE1#sh bgp vpnv4 unicast vrf CUST_1 192.168.70.0
BGP routing table entry for 500:1:192.168.70.0/24, version 10
Paths: (1 available, best #1, table CUST_1)
  Advertised to update-groups:
     1
  220
    200.200.200.200 (metric 40) from 77.77.77.77 (77.77.77.77)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:500:1
      Originator: 200.200.200.200, Cluster list: 77.77.77.77
      mpls labels in/out nolabel/52019
PE1#sh ip cef vrf CUST_1 192.168.70.0
192.168.70.0/24, version 29, epoch 0, cached adjacency 10.10.110.1
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Fa0/0, 10.10.110.1, tags imposed: {50105 52019}
  via 200.200.200.200, 0 dependencies, recursive
    next hop 10.10.110.1, FastEthernet0/0 via 200.200.200.200/32
    valid cached adjacency
    tag rewrite with Fa0/0, 10.10.110.1, tags imposed: {50105 52019}
PE1#sh ip ro vrf CUST_1

Routing Table: CUST_1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

B    192.168.60.0/24 [20/0] via 172.30.1.10, 00:09:07
     172.30.0.0/30 is subnetted, 2 subnets
B       172.30.2.8 [200/0] via 200.200.200.200, 00:08:53
C       172.30.1.8 is directly connected, FastEthernet0/1
B    192.168.80.0/24 [200/0] via 200.200.200.200, 00:08:53
B    192.168.70.0/24 [200/0] via 200.200.200.200, 00:08:53
PE1#

If I do a traceroute from CE1 traffic to both 192.168.70.0/24 and 192.168.80.0/24 do not enter the tunnel and take the upper path.

CE1#trace 192.168.70.1 source lo1

Type escape sequence to abort.
Tracing the route to 192.168.70.1

  1 172.30.1.9 16 msec 24 msec 20 msec
  2 10.10.110.1 [AS 500] [MPLS: Labels 50105/52019 Exp 0] 124 msec 92 msec 124 msec
  3 10.10.15.5 [AS 500] [MPLS: Labels 50504/52019 Exp 0] 96 msec 92 msec 120 msec
  4 10.10.56.6 [AS 500] [MPLS: Labels 50600/52019 Exp 0] 80 msec 108 msec 56 msec
  5 172.30.2.9 [AS 500] [MPLS: Label 52019 Exp 0] 92 msec 88 msec 68 msec
  6 172.30.2.10 [AS 500] 112 msec 112 msec 108 msec
CE1#trace 192.168.80.1 source lo1

Type escape sequence to abort.
Tracing the route to 192.168.80.1

  1 172.30.1.9 8 msec 12 msec 24 msec
  2 10.10.110.1 [AS 500] [MPLS: Labels 50105/52018 Exp 0] 112 msec 192 msec 124 msec
  3 10.10.15.5 [AS 500] [MPLS: Labels 50504/52018 Exp 0] 60 msec 128 msec 64 msec
  4 10.10.56.6 [AS 500] [MPLS: Labels 50600/52018 Exp 0] 124 msec 124 msec 108 msec
  5 172.30.2.9 [AS 500] [MPLS: Label 52018 Exp 0] 104 msec 96 msec 84 msec
  6 172.30.2.10 [AS 500] 116 msec 68 msec 120 msec
CE1#

Should 200.200.200.201 be in the CUST_1 vrf?

jpl861 · ‎07-18-2018

route-map TE_IMPORT permit 10
 match ip address TE_IMPORT

It should be "match ip address prefix-list TE_IMPORT"

steven.crutchley · ‎07-18-2018

Yes of course. Schoolboy error. Sorry about that.

However I've correct it and cleared BGP and it still hasn't been reset...

PE1#
PE1#
PE1#
PE1#sh run | sec TE
 import map TE_IMPORT
ip prefix-list TE_IMPORT seq 5 permit 192.168.70.0/24
route-map TE_IMPORT permit 10
 match ip address prefix-list TE_IMPORT
 match extcommunity 1
 set ip next-hop 200.200.200.201
route-map TE_IMPORT permit 20
 match extcommunity 1
PE1#
PE1#sh ip cef vrf CUST_1 192.168.70.0
192.168.70.0/24, version 33, epoch 0, cached adjacency 10.10.110.1
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Fa0/0, 10.10.110.1, tags imposed: {50105 52019}
  via 200.200.200.200, 0 dependencies, recursive
    next hop 10.10.110.1, FastEthernet0/0 via 200.200.200.200/32
    valid cached adjacency
    tag rewrite with Fa0/0, 10.10.110.1, tags imposed: {50105 52019}
PE1#
PE1#sh ip ro vrf CUST_1

Routing Table: CUST_1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

B    192.168.60.0/24 [20/0] via 172.30.1.10, 00:05:03
     172.30.0.0/30 is subnetted, 2 subnets
B       172.30.2.8 [200/0] via 200.200.200.200, 00:04:56
C       172.30.1.8 is directly connected, FastEthernet0/1
B    192.168.80.0/24 [200/0] via 200.200.200.200, 00:04:56
B    192.168.70.0/24 [200/0] via 200.200.200.200, 00:04:56
PE1#

a.alekseev · ‎07-18-2018

show full configs for PE1, PE2

steven.crutchley · ‎07-18-2018

See attached for configs of PE1 and PE2