10-10-2021 05:08 PM - edited 10-10-2021 05:33 PM
Hi,
I am trying to achieve multicast over our MPLS network. We use GRE tunnels between our sites to establish an internal MPLS core. Using BGP we are able to route our enterprise VRFs between the sites. One of our VRFs requires bi-directional multicast traffic between devices. I have not been successful in getting a PIM VRF neighbor on the VRF. I have been using this write-up as a bit of a reference, however I am not 100% sure it is quite what I am after.
Above is a cut down example of the topology. As seen the GRE tunnels are configured on all routers, along with OSPF, MPLS and BGP.
If anyone can point me in the right direction for some documentation that would be great.
10-10-2021 11:36 PM
Hello,
post the configs of the supposed PIM neighbors so we can see if you are missing something...
10-11-2021 01:20 AM
Hello @dylan.keys1 ,
If you run MPLS over point-to-point GRE tunnels protected by IPSec, then by using Draft Rosen you add another overhead, as Draft Rosen uses multipoint GRE to forward L3 VPN multicast within a GRE packet with source = PE loopback and destination = MDT, which is a multicast address in the global routing table. There is a default MDT per VPN used for signaling and low traffic groups; additional MDTs can be used for high volume traffic.
I'm afraid you have too much overhead to be able to run Draft Rosen if your interfaces to the ISP have the default MTU of 1500 bytes.
Anyway, as already suggested, post the configurations of your PE nodes.
You need to run PIM and MPLS over the current p2p GRE tunnels.
Hope to help
Giuseppe
10-11-2021 02:10 PM
Hi,
Below is the config for router one for each site.
*** SITE 1 ****
hostname site01-rt01
!
vrf definition A
rd 65010:1
route-target export 65010:1
route-target import 65010:1
route-target import 65020:1
!
address-family ipv4
mdt default 239.1.1.1
mdt data 239.1.2.0 0.0.0.255 threshold 4096
mdt data threshold 4096
exit-address-family
!
vrf definition WAN
!
address-family ipv4
exit-address-family
!
no ip domain lookup
ip domain name network.pprod
ip multicast-routing
ip multicast-routing vrf A
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
interface Loopback0
description transec lo
ip address 192.168.10.255 255.255.255.255
ip pim sparse-mode
!
interface Loopback10
vrf forwarding A
ip address 189.10.0.255 255.255.255.255
ip pim sparse-mode
!
interface Tunnel102001
description CRT01
ip address 18.10.20.1 255.255.255.252
ip pim sparse-mode
tunnel source GigabitEthernet0/1
tunnel destination 10.45.88.9
tunnel path-mtu-discovery
tunnel vrf WAN
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Management
ip address 172.16.0.101 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN
vrf forwarding WAN
ip address 10.0.32.54 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
description 010Z01
vrf forwarding A
ip address 189.10.0.1 255.255.255.252
ip pim sparse-mode
duplex full
speed 1000
!
!
router ospf 1
mpls ldp autoconfig area 0
router-id 192.168.10.255
passive-interface default
no passive-interface Tunnel102001
network 18.10.20.0 0.0.0.3 area 0
network 192.168.10.255 0.0.0.0 area 0
!
router bgp 65010
bgp router-id 192.168.10.255
bgp log-neighbor-changes
neighbor 192.168.20.255 remote-as 65020
neighbor 192.168.20.255 disable-connected-check
neighbor 192.168.20.255 update-source Loopback0
!
address-family ipv4
network 192.168.10.255 mask 255.255.255.255
network 192.168.20.255 mask 255.255.255.255 backdoor
neighbor 192.168.20.255 activate
exit-address-family
!
address-family vpnv4
neighbor 192.168.20.255 activate
neighbor 192.168.20.255 send-community extended
exit-address-family
!
address-family ipv4 vrf A
network 189.10.0.0 mask 255.255.255.252
network 189.10.0.255 mask 255.255.255.255
exit-address-family
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip ftp source-interface GigabitEthernet0/0
ip pim bidir-enable
ip pim bsr-candidate Loopback0 0
ip pim rp-candidate Loopback0
ip pim vrf A bsr-candidate Loopback10 0
ip pim vrf A rp-candidate Loopback10
ip ssh version 2
!
Site 02 Router 01
hostname site02-rt01
!
vrf definition A
rd 65020:1
route-target export 65020:1
route-target import 65020:1
route-target import 65010:1
!
address-family ipv4
mdt default 239.1.1.1
mdt data 239.1.2.0 0.0.0.255 threshold 4096
mdt data threshold 4096
exit-address-family
!
vrf definition WAN
!
address-family ipv4
exit-address-family
!
ip vrf for
!
no ip domain lookup
ip domain name network.pprod
ip multicast-routing
ip multicast-routing vrf A
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
interface Loopback0
description transec lo
ip address 192.168.20.255 255.255.255.255
ip pim sparse-mode
!
interface Loopback10
description vrf A lo
vrf forwarding A
ip address 189.20.0.255 255.255.255.255
ip pim sparse-mode
!
interface Tunnel102001
description CRT01
ip address 18.10.20.2 255.255.255.252
ip pim sparse-mode
tunnel source GigabitEthernet0/1
tunnel destination 10.0.32.54
tunnel path-mtu-discovery
tunnel vrf WAN
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Management
ip address 172.16.0.102 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN
vrf forwarding WAN
ip address 10.45.88.9 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
description 020Z01
vrf forwarding A
ip address 189.20.0.1 255.255.255.252
ip pim sparse-mode
duplex full
speed 1000
!
!
router ospf 1
mpls ldp autoconfig
mpls ldp autoconfig area 0
router-id 192.168.20.255
passive-interface default
no passive-interface Tunnel102001
network 18.10.20.0 0.0.0.3 area 0
network 192.168.20.255 0.0.0.0 area 0
!
router bgp 65020
bgp router-id 192.168.20.255
bgp log-neighbor-changes
neighbor 192.168.10.255 remote-as 65010
neighbor 192.168.10.255 disable-connected-check
neighbor 192.168.10.255 update-source Loopback0
!
address-family ipv4
network 192.168.10.255 mask 255.255.255.255 backdoor
network 192.168.20.255 mask 255.255.255.255
neighbor 192.168.10.255 activate
exit-address-family
!
address-family vpnv4
neighbor 192.168.10.255 activate
neighbor 192.168.10.255 send-community extended
exit-address-family
!
address-family ipv4 vrf A
network 189.20.0.0 mask 255.255.255.252
network 189.20.0.255 mask 255.255.255.255
exit-address-family
!
ip forward-protocol nd
!
ip pim bidir-enable
10-12-2021 04:39 AM
Hello @dylan.keys1 ,
First of all, the mpls ip command is missing on all p2p GRE tunnels. In addition, you are using a Front VRF (FVRF) named WAN, so MPLS here is not involved.
In this scenario Draft Rosen may not work correctly, because MDT addresses are supposed to be in the GRT and your tunnels belong to vrf WAN.
Change the FVRF to the global routing table and you will get a chance to have it working.
Post show ip pim vrf A neighbors.
Hope to help
Giuseppe
10-12-2021 12:26 PM
MPLS auto configure is enabled on the OSPF instance, my understanding is that this negates the need to add the MPLS IP command on the tunnel interfaces?
The tunnels are in the global routing instance. Using a fVRF as the tunnel source doesn’t change the scope of the tunnel interface. If I do a show IP route my tunnel networks are listed there.
Either way removing the fVRF is not an option in the design.
A show ip pim vrf A lists no neighbours. A show ip pim neighbour lists the remote end tunnel interface.
If this approach is not suitable for transporting multicast traffic via MPLS did you have any other suggested approaches?
Thanks for your time.
10-12-2021 01:13 PM
Hello @dylan.keys1 ,
Thanks for your feedback. You are right, you have MPLS enabled under the router ospf section.
I have missed that.
And the tunnels are not members of the front VRF WAN. This is correct too.
However, the Front VRF WAN probably is the issue that keeps Draft Rosen from working in your scenario.
To be honest, I have deployed Draft Rosen successfully in topologies with physical links.
There was one case where I was able to deploy Draft Rosen over p2p GRE tunnels extending over the public Internet, with MPLS and PIM enabled over them, for the Vancouver Winter Olympic Games.
And it worked, allowing us to carry multicast video streams from Canada to Rome, Italy.
In your case you should probably deploy a parallel set of p2p GRE tunnels to be used only for multicast, disabling PIM on the current set of tunnels and using FVRF = GRT for those tunnels.
If only one VRF is interested in carrying multicast, your new set of p2p GRE tunnels could be associated to vrf A directly.
Hope to help
Giuseppe
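An added example, not part of any post in this thread: a small Python audit that answers, per GRE tunnel, the points debated above (MPLS enabled through `mpls ip` or OSPF `mpls ldp autoconfig`, PIM on the tunnel, and `tunnel vrf` versus `vrf forwarding`). The sample config is constructed from the site01-rt01 post with indentation assumed as in `show running-config`; `parse_blocks` and `audit_tunnels` are hypothetical names.

```python
import re

# Constructed sample, trimmed from the site01-rt01 config in this thread and
# indented the way `show running-config` prints it (an assumption).
SAMPLE = """\
interface Tunnel102001
 ip pim sparse-mode
 tunnel source GigabitEthernet0/1
 tunnel vrf WAN
!
interface GigabitEthernet0/1
 vrf forwarding WAN
!
router ospf 1
 mpls ldp autoconfig area 0
"""

def parse_blocks(text):
    """Map each top-level command to its indented sub-commands."""
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():
            current = line.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit_tunnels(text):
    """Per-tunnel answers to the questions debated in the thread."""
    blocks = parse_blocks(text)
    # Simplification: any OSPF `mpls ldp autoconfig` is taken to cover the tunnels.
    ldp_auto = any(c.startswith("mpls ldp autoconfig")
                   for h, cmds in blocks.items() if h.startswith("router ospf")
                   for c in cmds)
    def arg(cmds, prefix):  # last word of the first command starting with prefix
        return next((c.split()[-1] for c in cmds if c.startswith(prefix)), None)
    report = {}
    for head, cmds in blocks.items():
        m = re.fullmatch(r"interface (Tunnel\d+)", head)
        if m:
            report[m.group(1)] = {
                "mpls": "mpls ip" in cmds or ldp_auto,
                "pim": any(c.startswith("ip pim ") for c in cmds),
                "front_vrf": arg(cmds, "tunnel vrf "),        # transport lookup only
                "interface_vrf": arg(cmds, "vrf forwarding "),  # None = global table
            }
    return report
```

Calling `audit_tunnels(SAMPLE)` reports the tunnel as MPLS- and PIM-enabled with front VRF `WAN` and no interface VRF, which matches the original poster's description of the tunnel interface sitting in the global routing table.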
10-12-2021 05:20 PM
I took the fVRF off the tunnel just to see if that made any difference. I also decided to reboot the devices after I made the changes. Did a ip pim vrf A nei and I have a PIM neighbor.
I reapplied the fVRF and did another reboot, did a show ip pim vrf A nei and you would not believe it I have a neighbor and multicast traffic seems to be working.
The old turn it off and on again trick has seemed to work.
Cheers for your help.
10-13-2021 01:13 AM
Hello @dylan.keys1 ,
thanks for your feedback.
Our work is not so deterministic in the end, so sometimes we can fix something, as you say, by turning it off and on.
This adds value to your feedback that can be helpful for somebody else that might be in the same scenario and same issue.
Best Regards
Giuseppe