07-30-2009 05:49 AM - edited 03-04-2019 05:36 AM
All,
I've attached a gns lab that I created and need help with. What I've got is the following:
Customer A and B connect to ISP_PE1 and ISP_PE2.
ISP_PE1, ISP_P, and ISP_PE2 run eigrp in AS100.
ISP_PE1 and ISP_PE2 are running BGP in AS200 and peer with each of the customer routers, and run vpnv4 peer between ISP_PE1 and ISP_PE2.
On every customer router (CustomerA on ISP_PE1 for instance), I have the routes from the other CustomerA router on the ISP_PE2 side of the mpls network. I can't ping the CustomerA router from the other CustomerA router even though I see the routes. I also show the routes on ISP_PE1 and ISP_PE2 under the respective vrf.
I've attached the zip file should anyone want to take a look at it because I'm stumped.
Thanks,
John
07-30-2009 06:10 AM
You probably can ping Customer A addresses from Customer B routers though. =) Am I right?
07-30-2009 06:14 AM
No, I can't. I don't have CustomerA's routes on CustomerB's routers.
When I look at the basic routing table on the ISP routers, I only have my IGP routes (which I *think* is correct). In order to see the customer routes, I have to look at the vrf table.
Thanks,
John
07-30-2009 06:51 AM
08-03-2009 11:04 AM
John
Sorry, meant to verify this for you but got sidetracked :-)
"When I look at the basic routing table on the ISP routers, I only have my IGP routes (which I *think* is correct). In order to see the customer routes, I have to look at the vrf table."
Correct. More specifically
1) The P routers only have routes for destinations within the MPLS cloud ie. other P routers and PE routers. So they only have IGP routes where the IGP is running between the P & PE routers.
2) The PE routers have the IGP routes as above but also the customer routes which in an MPLS VPN are contained within vrfs. So a "sh ip route" on a PE router will only show the IGP routes where the IGP is running between the P & PE routers + the IBGP routes exchanged between PE routers.
To view the customer routes you need to use the "sh ip route vrf
Jon
08-03-2009 11:09 AM
Jon,
That's what I got :) It worked great, and it was my very first full-fledged mpls setup. Now I get to build on that....
Thanks,
John
07-30-2009 07:05 AM
John
We are going to have to agree on a directory structure for our GNS3 setup, took me ages to modify to point to my directories :-)
Your problem is that you are peering between the PE routers on their physical interface addresses whereas you should be peering on a loopback address. For a description of why see this post I did a while back -
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40.2cbe8a76
and yes I know it should be Penultimate Hop Popping and not what I put :-)
I made the following modifications to your PE router configs -
PE1
int loopback 10
 ip address 11.11.11.1 255.255.255.0
!
router eigrp 100
 network 2.2.2.2 0.0.0.3
 network 11.11.11.0 0.0.0.255
 no auto-summary
router bgp 200
 no synchronization
 bgp log-neighbor-changes
 neighbor 12.12.12.1 remote-as 200
 neighbor 12.12.12.1 update-source loopback10
 no auto-summary
 !
 address-family vpnv4
  neighbor 12.12.12.1 activate
  neighbor 12.12.12.1 send-community both
 exit-address-family
!
PE2
int loopback 10
 ip address 12.12.12.1 255.255.255.0
router eigrp 100
 network 1.1.1.1 0.0.0.3
 network 12.12.12.0 0.0.0.255
 no auto-summary
router bgp 200
 no synchronization
 bgp log-neighbor-changes
 neighbor 11.11.11.1 remote-as 200
 neighbor 11.11.11.1 update-source loopback10
 no auto-summary
 !
 address-family vpnv4
  neighbor 11.11.11.1 activate
  neighbor 11.11.11.1 send-community both
 exit-address-family
Jon
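A config check for the peering problem described in the post above, as an added example that is not part of the original thread: it flags iBGP neighbors (remote AS equal to the local AS) that have no loopback `update-source`. The function name, the "before" config and the addresses 1.1.1.1, 192.0.2.2 and AS 65001 in it are constructed for illustration; the "after" lines are taken from the PE1 config in the post.

```python
import re

def ibgp_peers_without_loopback_source(config):
    """Return iBGP neighbors that have no 'update-source loopbackN' line."""
    local_as, in_bgp = None, False
    remote_as, sourced = {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"router bgp (\d+)$", line)
        if m:
            local_as, in_bgp = m.group(1), True
            continue
        if re.match(r"(router|interface|int)\s", line):
            in_bgp = False          # some other top-level block started
            continue
        if not in_bgp:
            continue
        m = re.match(r"neighbor (\S+) remote-as (\d+)$", line)
        if m:
            remote_as[m.group(1)] = m.group(2)
        m = re.match(r"neighbor (\S+) update-source loopback\s*\d+$", line, re.I)
        if m:
            sourced.add(m.group(1))
    # eBGP peers (different AS, e.g. the CE routers) are not flagged.
    return sorted(ip for ip, asn in remote_as.items()
                  if asn == local_as and ip not in sourced)

# Constructed "before" config: iBGP peer addressed by a physical interface IP.
BEFORE = """\
router bgp 200
 neighbor 1.1.1.1 remote-as 200
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community both
 address-family ipv4 vrf CustomerA
  neighbor 192.0.2.2 remote-as 65001
"""

# BGP section of PE1 as posted above.
AFTER = """\
router bgp 200
 neighbor 12.12.12.1 remote-as 200
 neighbor 12.12.12.1 update-source loopback10
 address-family vpnv4
  neighbor 12.12.12.1 activate
"""

print(ibgp_peers_without_loopback_source(BEFORE))
print(ibgp_peers_without_loopback_source(AFTER))
```

The check only confirms that a loopback source is configured; it does not verify that the neighbor address itself is the remote router's loopback.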
07-30-2009 07:08 AM
Jon,
You're awesome! So my problem is the iBGP peers needing to peer on a loopback interface? If so, that explains why my routers were giving me the error message of something like:
peer 2.2.2.2 may not be reachable from 1.1.1.1 because it's not a loopback (or something like that).
I could easily ping 2.2.2.2 though, so I just disregarded the message. I can't test this until tonight, but this is a great start!
Thanks!
John
07-30-2009 07:17 AM
John
No problem. I tested with your config files and it worked fine.
One important thing to note. The peering on loopbacks as indicated in the other thread is to do with MPLS labels ie. it's the underlying MPLS setup that wasn't working properly rather than when you added the MPLS VPN config.
Let me know how you get on :-)
Jon
07-31-2009 05:51 AM
Jon,
Changing my peers to use loopbacks definitely resolved the issue. I also noticed that any tags that exit out of the provider's network leave the provider's network as untagged, so I'm assuming that the mpls labels are only local within the provider's environment. Is that a correct assumption?
Thanks!
John
08-01-2009 12:56 PM
John
Glad you got it working.
MPLS tags are only used within the MPLS cloud ie. between the PE & P routers. They are stripped at the egress of the MPLS cloud and become normal IP packets. So the CE routers do not see any MPLS tags.
Actually to be more specific if you have enabled Penultimate Hop Popping the top tag is actually stripped before the packet reaches the egress PE so the egress PE actually receives the packet with only the VPN tag ie.
with MPLS VPN's the packets have 2 tags as they traverse the MPLS cloud.
So at the ingress PE a VPN tag is added. This VPN tag is only relevant to the egress PE ie. the intermediate P routers don't care about it.
Then the ingress PE adds another tag and this tag is used to label switch the packet to the next hop ie. the first P router. This P router then strips the top tag only and adds another tag to switch to the next P router. The last P router removes the top tag and simply forwards the packet to the egress PE router without adding another tag. So when the PE router receives the packet it only has the VPN tag to process.
Apologies if you already knew all this.
Jon
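The two-tag forwarding described in the post above, traced hop by hop as an added example that is not part of the original thread. The label values 17, 18, 19 and 24 and the router names P1 and P2 are constructed; the example assumes only the egress PE advertises implicit-null (reserved label 3), which is what requests Penultimate Hop Popping.

```python
IMPLICIT_NULL = 3   # reserved MPLS label: "pop instead of swapping" (PHP)

def trace_label_stack(hops, advertised, vpn_label):
    """Return [(link, stack)] per link, each stack listed top label first.

    hops       -- router names from ingress PE to egress PE
    advertised -- label each downstream router advertised for the egress PE
    vpn_label  -- label the egress PE assigned to the customer VRF route
    """
    stack = [vpn_label]              # ingress PE pushes the VPN tag first
    trace = []
    for i, (here, nxt) in enumerate(zip(hops, hops[1:])):
        out = advertised[nxt]
        if i > 0:
            stack = stack[1:]        # a P router strips the top tag only
        if out != IMPLICIT_NULL:
            stack = [out] + stack    # push at ingress, or finish the swap on a P
        trace.append((f"{here}->{nxt}", list(stack)))
    return trace

def egress_deliver(stack, own_label, vrf_by_vpn_label):
    """Egress PE: drop its own transport tag if present, then map VPN tag to VRF."""
    if own_label != IMPLICIT_NULL and stack[0] == own_label:
        stack = stack[1:]
    vrf = vrf_by_vpn_label[stack[0]]
    return vrf, stack[1:]            # tags left on the packet sent to the CE

# Constructed label values for a PE1 - P1 - P2 - PE2 path.
HOPS = ["PE1", "P1", "P2", "PE2"]
WITH_PHP = {"P1": 17, "P2": 18, "PE2": IMPLICIT_NULL}
NO_PHP = {"P1": 17, "P2": 18, "PE2": 19}
VPN_LABEL, VRFS = 24, {24: "CustomerA"}

for name, adv in (("PHP", WITH_PHP), ("no PHP", NO_PHP)):
    trace = trace_label_stack(HOPS, adv, VPN_LABEL)
    for link, stack in trace:
        print(f"{name:7} {link:8} {stack}")
    print(name, "egress:", egress_deliver(trace[-1][1], adv["PE2"], VRFS))
```

With PHP the last link carries only the VPN tag; without it the egress PE has to process two tags. In both cases the packet handed to the CE carries no tags.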