10-20-2021 08:50 AM
server vrf -- mpls/bgp -- ASR -- internet -- vpn peer -- internet
I have an ASR with a lot of policy tunnels. Sometimes there is a need to route all traffic from our datacenter through an IPsec VPN tunnel. For example, it might be a network segment that has no internet access or firewall, and servers on that segment need internet access.
With a VXR I would create a normal policy tunnel and define the VPN tunnel destination proxy ID as ANY.
ip access-list extended vpn-acl
 permit ip 192.168.0.0 0.0.0.255 any
That would of course be mirrored by the remote VPN device. For some reason, crypto map reverse-route static doesn't add a default route to the VRF routing table, so I would add a static route.
ip route vrf vpn-vrf 0.0.0.0 0.0.0.0 ethernet0/0(internet interface) x.x.x.x (vpn peer IP)
On a VXR this would allow the 192.168.0.0/24 subnet to access any IP address via the VPN tunnel. It would also allow the VXR to use BGP to advertise a default route to the server segment.
On the ASR none of this works and I can't figure out why. Adding the static route will add it to the VPN VRF routing table, but it will not be advertised to the server segment. BGP is configured to advertise statics and default.
address-family ipv4 vrf vpn-vrf
 redistribute connected
 redistribute static
 default-information originate
 exit-address-family
Any ideas? Or shall I open a TAC for this?
P.S. A tunnel interface is not possible due to some limitations in the architecture. I'll have to figure out why I can't use those.
10-20-2021 12:06 PM
Can you post the result from these outputs:
show bgp vpnv4 unicast vrf vpn-vrf neighbors X.X.X.X advertised
show bgp vpnv4 unicast vrf vpn-vrf
show bgp vpnv4 unicast vrf vpn-vrf summary
show ip vrf vpn-vrf
-Pablo
10-21-2021 11:43 PM
#sh ip vrf vpn-vrf
  Name      Default RD            Interfaces
  vpn-vrf   1.102.109.172:10026   Lo591        << lo I used for testing
#sh bgp vpnv4 unicast vrf vpn-vrf
BGP table version is 7289284, local router ID is x.x.x.35
Route Distinguisher: 1.102.109.172:10026 (default for vrf vpn-vrf)
*> 0.0.0.0 vpn.peer.ip 0 32768 ?
*> 10.10.191.0/24 x.x.x.195 0 65000 65001 65002 ?
*> 10.100.0.0/23 vpn.peer.ip 0 32768 ?
*> 10.100.145.0/24 vpn.peer.ip 0 32768 ?
show bgp vpnv4 unicast vrf vpn-vrf summary = blank output
show bgp vpnv4 unicast vrf vpn-vrf neighbors X.X.X.X advertised
DC MPLS BGP routing is not a strong area and I can't figure out what IP I should use on the neighbor. The ASR BGP config has a bunch of DC routers listed, but all of those say "No such neighbor". If my VRF had a direct BGP peering config this would be simple.