Solved: Re: ABF next-hop V6 lookup in RIB or FIB?

noah.plimpton@charter.com · ‎08-16-2018

Need some assistance determining exactly how the nexthop decision is made when a ABF forwarding rule is matched. My question is, does it do a lookup in the RIB or FIB and will the packet be handled via the actions specified by the results of that lookup?

I am trying to create an ABF rule which will match ipv6 traffic with a dscp marking of 7 and have it set the nexthop to a V6 labeled-unicast route which recurses to a 6PE next-hop which will then label the packet and send it to it's final destination. I am seeing in the logs is that the packet matches the ABF entry so the matching criteria appears correct. Unfortunately, the path is unchanged and the packet is not redirected to the nexthop I specify.

ABF entry::

ipv6 access-list ACL_IPV6_POLICY_ROUTING
 130 permit ipv6 any any dscp 7 log nexthop1 ipv6 2001:506:100:f440::194:96

Log Entry showing packets matching::

RP/0/RSP0/CPU0:Aug 16 16:16:57.625 UTC: ipv6_acl_daemon[303]: %ACL-IPV6_ACL-6-IPACCESSLOGNP : access-list ACL_IPV6_POLICY_ROUTING (130) permit 58 2600:6ce2:0:2::1 -> 2001:506:100:f480::194:131, 4 packets
RP/0/RSP0/CPU0:Aug 16 16:16:57.625 UTC: ipv6_acl_daemon[303]: %ACL-IPV6_ACL-6-IPACCESSLOGP : access-list ACL_IPV6_POLICY_ROUTING (130) permit udp 2600:6ce2:0:2::1(32780) -> 2001:506:100:f480::194:131(33437), 1 packet

V6 Route for next-hop in RIB::

#show route ipv6 2001:506:100:f440::194:96

Routing entry for 2001:506:100:f440::194:96/128
  Known via "bgp 65206", distance 200, metric 0, type internal
  Installed Aug 15 21:41:09.752 for 19:27:10
  Routing Descriptor Blocks
    ::ffff:96.34.226.91, from ::ffff:172.30.120.133
      Nexthop in Vrf: "default", Table: "default", IPv4 Unicast, Table Id: 0xe0000000
      Route metric is 0
  No advertising protos.

V6 Route for 6PE route in RIB(Hitting the default)::

#show route ipv6 ::ffff:96.34.226.91

Routing entry for ::/0
  Known via "isis default", distance 115, metric 100, candidate default path, type level-1
  Installed May 30 22:29:15.191 for 11w0d
  Routing Descriptor Blocks
    fe80::d66d:50ff:fe93:c602, from 2001:506:100:f400::194:0, via Bundle-Ether3
      Route metric is 100
  No advertising protos.

V6 CEF entry for next-hop::

#show cef ipv6 2001:506:100:f440::194:96
2001:506:100:f440::194:96/128, version 26680183, internal 0x14004001 0x0 (ptr 0x779199dc) [1], 0x0 (0x0), 0x410 (0x7bf3fa00)
 Updated Aug 15 21:41:09.750
 Prefix Len 128, traffic index 0, precedence n/a, priority 4
 BGP Attribute: id: 0x1f92, Local id: 0x2ad, Origin AS: 0, Next Hop AS: 0

   via ::ffff:96.34.226.91, 3 dependencies, recursive [flags 0x6000]
    path-idx 0 NHID 0x0 [0x71280244 0x0]
    next hop VRF - 'default', table - 0xe0000000
    next hop ::ffff:96.34.226.91 via ::ffff:96.34.226.91:0
     next hop 96.34.12.13/32 BE2          labels imposed {16006 300112}

I would like to see the ABF action use the CEF entry to forward the packet and not the RIB entry, but I don't believe that's happening. Is that expected behavior?

I did try to set the nexthop on the ABF entry to the 6PE route and my commit failed

(config)#ipv6 access-list ACL_IPV6_POLICY_ROUTING
RP/0/RSP0/CPU0:crr01k1sbcc(config-ipv6-acl)# 130 permit ipv6 any any dscp 7 log nexthop1 ipv6 ::ffff:96.34.226.91
RP/0/RSP0/CPU0:crr01k1sbcc(config-ipv6-acl)#commit

% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed [inheritance]' from this session to view the errors

(config-ipv6-acl)#show configuration failed inheritance
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.


ipv6 access-list ACL_IPV6_POLICY_ROUTING
 130 permit ipv6 any any dscp 7 log nexthop1 ipv6 ::ffff:96.34.226.91
!!% V4 Mapped nexthop address: verify ACL config failed for ACL ACL_IPV6_POLICY_ROUTING seq 130
!
end

IOS-XR version is 5.1.3.

Any help would be greatly appreciated.

tkarnani · ‎08-17-2018

Hi Noah,

i checked internally, it seems for mpls next hop abf is not supported

an alternative we can try is using epbr, it can be used to redirect packets over mpls vpn

https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-4/ip-addresses/configuration/guide/b-ip-addresses-configuration-guide-asr9000-64x/b-ip-addresses-configuration-guide-asr9000-64x_chapter_0111.html

Thanks

View solution in original post

tkarnani · ‎08-16-2018

i have never tried this or seen a next hop as 6pe, in general for basic ABF next hop we need to verify the two things below.

#1

show access-list ipv6 ACL_IPV6_POLICY_ROUTING hardware ingress location 0/x/cpu0

>> we are looking to verify the next hop in hardware

#2

show cef ipv6 external location 0/x/cpu0

>> we are looking for the ABF section, verify the prefix is there and the next hop is resolved and valid

noah.plimpton@charter.com · ‎08-16-2018

Thanks for replying so quickly @tkarnani. Requested info below.

#show access-list ipv6 ACL_IPV6_POLICY_ROUTING hardware ingress  location 0/0/CPU0
ipv6 access-list ACL_IPV6_POLICY_ROUTING
 110 permit ipv6 any any dscp 6 (next-hop: addr=2001:506:100:f440::194:95, vrf name=default)
 130 permit ipv6 any any dscp 7 log (211 hw matches) (next-hop: addr=2001:506:100:f440::194:96, vrf name=default)
 1000 permit ipv6 any any (1152990 hw matches)

#show cef ipv6 external location 0/0/cpu0
Client Name : IPV6_ABF (comp-id: 0xc09) (0x94f6e050)
Protocol : ipv6
Prefix : 2001:506:100:f440::194:95 (0x94fa00fc)
Gateway array : 8886d8a0 (0x20020170/1)
Loadinfo : 0 (0x0/0)
Number of notifs : 1
Interest type : IP reachability notify
Table Id : 0xe0800000
Cookie Value : 0000000000000000
State : resolved
Via : 2001:506:100:f440::194:95/128
Added to pend list: Aug 15 22:23:54.144

Client Name : IPV6_ABF (comp-id: 0xc09) (0x94f6e050)
Protocol : ipv6
Prefix : 2001:506:100:f440::194:96 (0x94fa01a0)
Gateway array : 8886d990 (0x20020170/1)
Loadinfo : 0 (0x0/0)
Number of notifs : 1
Interest type : IP reachability notify
Table Id : 0xe0800000
Cookie Value : 0000000000000000
State : resolved
Via : 2001:506:100:f440::194:96/128
Added to pend list: Aug 15 22:23:54.145

Client Name : fib-ipv6 (comp-id: 0) (0x0)
Protocol : ipv4
Prefix : 96.34.194.0 (0x962710d4)
Gateway array : 8873ffa8 (0x10050/1)
Loadinfo : 8904e0f8 (0x300101/1)
Number of notifs : 0
Interest type : 6VPE MPLS nexthop reachability
Table Id : 0x0
Cookie Value : 0000000000000000
State : unresolved, in retry
Via :
Added to pend list: Never

Client Name : fib-ipv6 (comp-id: 0) (0x0)
Protocol : ipv4
Prefix : 96.34.226.90 (0x96271150)
Gateway array : 8873ded8 (0x30050/1)
Loadinfo : 8904de00 (0x1110111/1)
Number of notifs : 0
Interest type : 6VPE MPLS nexthop reachability
Table Id : 0x0
Cookie Value : 0000000000000000
State : resolved
Via : 16004/0
Added to pend list: Never

Client Name : fib-ipv6 (comp-id: 0) (0x0)
Protocol : ipv4
Prefix : 96.34.226.91 (0x962711cc)
Gateway array : 8873eb80 (0x30050/1)
Loadinfo : 8904df30 (0x1110111/1)
Number of notifs : 0
Interest type : 6VPE MPLS nexthop reachability
Table Id : 0x0
Cookie Value : 0000000000000000
State : resolved
Via : 16005/0
Added to pend list: Never

Looks like both prefixes are present, and the state='resolved'. The next-hop does not reflect the 6pe route however. Do I need to somehow get those 6pe routes in to the V6 RIB?

tkarnani · ‎08-16-2018

in the current state are packets being forwarded to 2001:506:100:f440::194:95 ?

noah.plimpton@charter.com · ‎08-16-2018

Packets are not being forwarded using the default route. They are not being routed to 2001:506:100:f440::194:95

tkarnani · ‎08-16-2018

What type of Line card are you using for 0/0/cpu0?

noah.plimpton@charter.com · ‎08-16-2018

NAME: "module 0/0/CPU0", DESCR: "80G Modular Linecard, Packet Transport Optimized"
PID: A9K-MOD80-TR, VID: V07, SN: XXXXXXXX

tkarnani · ‎08-17-2018

Hi Noah,

i checked internally, it seems for mpls next hop abf is not supported

an alternative we can try is using epbr, it can be used to redirect packets over mpls vpn

https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-4/ip-addresses/configuration/guide/b-ip-addresses-configuration-guide-asr9000-64x/b-ip-addresses-configuration-guide-asr9000-64x_chapter_0111.html

Thanks

noah.plimpton@charter.com · ‎08-17-2018

Thanks for all your help @tkarnani. ePBR worked perfectly. Really appreciate it

tkarnani · ‎08-17-2018

Glad i could help

noah.plimpton@charter.com · ‎08-22-2018

Sorry to re-visit this, but had another question that I can't seem to find an answer for in the documentation.

It appears that when and IPv6 packet reaches the destination I've set in my policy-map and has the mpls labels popped, the dscp marking has been re-set to 0 or BE instead of the dscp value I originally matched on. Is that expected behavior when using ePBR? I am fairly certain the modification to the packet is happening before it's tagged by the local router that is enforcing the policy-map but could be wrong. Just want to see if there is some documentation regarding how the packet is handled by ePBR or if this is expected behavior and if so, what my options would be for preserving or re-setting the dscp marking on the IP packet. This only seems to happen for v6. v4 works as expected with the original dscp marking still set. Also of note, the v6 next-hop is learned via bgp-lu so that might or might not affect how label imposition occurs but I wouldn't expect it to change the IPv6 headers either way. Thanks for your help in advance...

Aleksandar Vidakovic · ‎08-23-2018

Can you let us know on which platform do you see this and with what IOS XR release? The decapsulation PE should not rewrite the IP ToS based on the MPLS EXP. Control plane (how we learned the route) plays no role in this.

noah.plimpton@charter.com · ‎08-23-2018

Thanks for your response. The far-side PE is a JunOS device and I am working with them now to determine if the issue is on their side. Please see my response to tkarnani from just a few minutes ago for more info.

tkarnani · ‎08-23-2018

can you also let us know how you are allocating the label on the remote PE?

per prefix? per vrf? per pe?

noah.plimpton@charter.com · ‎08-23-2018

I should have updated this yesterday, but didn't grab a packet capture until late in the day. I do in fact see the correct DSCP markings on the packet after it is forwarded to it's destination so I no longer believe this is an issue on the XR device. It looks to be something on the far side so I am engaging another vendor to determine if their device has a rewrite policy that is stripping that marking.

To answer your question, we are allocating labels via labeled-unicast and they are allocated per-prefix.

Thank you for your response, but I no longer believe it's a Cisco issue.