[j-nsp] L3 VPN on 5.6

Harry Reynolds harry at juniper.net
Fri Mar 14 15:41:57 EST 2003


Hey all,

I set up a quick L3 VPN with 5.6R2.4, and PE to remote CE-VRF
interface pings are working. Note that initial testing with a static
/30 and /32 did not work due to the use of /30 addressing on VRF
interfaces. The export of direct is working OK.


I have this:

	Ce		PE		PE		  CE
	T1---------r3-------------r4-----------c1
	  .14     .13		    .5	  .6
     172.16.0.12/30		    172.16.0.4/30


[edit]
lab at r3# run ping routing-instance t1 172.16.0.6
PING 172.16.0.6 (172.16.0.6): 56 data bytes
64 bytes from 172.16.0.6: icmp_seq=0 ttl=252 time=0.804 ms
64 bytes from 172.16.0.6: icmp_seq=1 ttl=252 time=0.609 ms
64 bytes from 172.16.0.6: icmp_seq=2 ttl=252 time=0.634 ms
64 bytes from 172.16.0.6: icmp_seq=3 ttl=252 time=0.614 ms
64 bytes from 172.16.0.6: icmp_seq=4 ttl=252 time=0.607 ms
^X64 bytes from 172.16.0.6: icmp_seq=5 ttl=252 time=0.591 ms

[at the C1 CE]

lab at c1> monitor traffic interface fxp1
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Listening on fxp1, capture size 96 bytes

16:04:01.665351  In IP 172.16.0.13 > 172.16.0.6: icmp: echo request
16:04:01.665422 Out IP 172.16.0.6 > 172.16.0.13: icmp: echo reply
16:04:02.673366  In IP 172.16.0.13 > 172.16.0.6: icmp: echo request
16:04:02.673407 Out IP 172.16.0.6 > 172.16.0.13: icmp: echo reply
16:04:03.683460  In IP 172.16.0.13 > 172.16.0.6: icmp: echo request
16:04:03.683493 Out IP 172.16.0.6 > 172.16.0.13: icmp: echo reply
^C
[configs]
[edit]
lab at r3# show policy-options
policy-statement vrf-import {
    term 1 {
        from {
            protocol bgp;
            community target;
        }
        then accept;
    }
}
policy-statement vrf-export {
    from protocol [ bgp direct ];
    then {
        community add target;
        accept;
    }
}
community target members target:65412:1;

[edit]
lab at r3# show routing-instances
t1 {
    instance-type vrf;
    interface fe-0/0/2.0;
    route-distinguisher 10.0.3.5:1;
    vrf-import vrf-import;
    vrf-export vrf-export;
    routing-options {
        static {
            route 172.16.0.14/32 next-hop 172.16.0.14;
        }
    }
    protocols {
        bgp {
            group t1 {
                type external;
                peer-as 65222;
                neighbor 172.16.0.14;
            }
        }
    }
}

[edit]
lab at r3# run show route table t1

t1.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

130.130.0.0/16     *[BGP/170] 00:26:57, MED 0, localpref 100
                      AS path: 65222 I
                    > to 172.16.0.14 via fe-0/0/2.0
172.16.0.4/30      *[BGP/170] 00:05:10, localpref 100, from 10.0.3.4
                      AS path: I
                    > via so-0/2/0.100, label-switched-path r4
<<< remote VRF subnet is labeled

172.16.0.12/30     *[Direct/0] 00:27:14
                    > via fe-0/0/2.0
172.16.0.13/32     *[Local/0] 00:27:14
                      Local via fe-0/0/2.0
172.16.0.14/32     *[Static/5] 00:17:31
                    > to 172.16.0.14 via fe-0/0/2.0
200.200.0.0/16     *[BGP/170] 00:05:37, MED 0, localpref 100, from 10.0.3.4
                      AS path: 65010 I
                    > via so-0/2/0.100, label-switched-path r4
200.200.1.0/24     *[BGP/170] 00:05:37, MED 0, localpref 100, from 10.0.3.4
                      AS path: 65010 I
                    > via so-0/2/0.100, label-switched-path r4
207.17.136.192/32  *[BGP/170] 00:26:48, localpref 100
                      AS path: 65222 I
                    > to 172.16.0.14 via fe-0/0/2.0
[edit]
lab at r3# run show version
Hostname: r3
Model: m5
JUNOS Base OS boot [5.6R1.3]
JUNOS Base OS Software Suite [5.6R2.4]
JUNOS Kernel Software Suite [5.6R2.4]
JUNOS Packet Forwarding Engine Support (M5/M10) [5.6R2.4]

Daniel, keep in mind that the received echo traffic is sent out the
originating PE (r3 in this case) after VRF label pop to the attached
CE (T1), where it is sent back to the local PE for a successful ping:

[edit]
lab at T1-P1# run monitor traffic interface fxp2
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Listening on fxp2, capture size 96 bytes

16:33:55.052652  In IP 172.16.0.6 > 172.16.0.13: icmp: echo reply
16:33:55.052678 Out IP 172.16.0.6 > 172.16.0.13: icmp: echo reply
16:33:56.055299  In IP 172.16.0.6 > 172.16.0.13: icmp: echo reply
16:33:56.055319 Out IP 172.16.0.6 > 172.16.0.13: icmp: echo reply
16:33:57.065313  In IP 172.16.0.6 > 172.16.0.13: icmp: echo reply
16:33:57.065329 Out IP 172.16.0.6 > 172.16.0.13: icmp: echo reply

I mention this because it means it is all or nothing, in the sense
that a successful ping in one direction requires that all be working
in the opposite direction too. Put another way, a ping from r3 to c1
requires a functional r2-T1 VRF interface and proper routing logic at
the T1 CE device.

HTHs

> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of
> Cliff DeGuzman
> Sent: Friday, March 14, 2003 11:59 AM
> To: Daniel; Josef Buchsteiner
> Cc: juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] L3 VPN on 5.6
>
>
> hi daniel,
>
> please open a case with our JTAC so we can investigate this issue.
>
> thanks!
> cliff
>
> > -----Original Message-----
> > From: Daniel [mailto:telecom at servidor.unam.mx]
> > Sent: Friday, March 14, 2003 11:25 AM
> > To: Josef Buchsteiner
> > Cc: juniper-nsp at puck.nether.net
> > Subject: Re: [j-nsp] L3 VPN on 5.6
> >
> >
> > On Fri, 14 Mar 2003, Daniel wrote:
> > Josef, if you were talking about a static route.. I tried that
> > too.. and it didn't work.. and I don't remember needing it before..
> > Anyway, here are the results.. I even tried with ge-2/3/0.0.. and
> > it didn't work.. I guess you just can't ping the local CE interface
> > on JunOS anymore... Thanks
> >
> > PE1>VRF1 {
> >     instance-type vrf;
> >     interface ge-0/0/0.0;
> >     route-distinguisher 1:1;
> >     vrf-import VRFIMP1;
> >     vrf-export VRFEXP1;
> >     routing-options {
> >         static {
> >             route 10.10.15.2/32 next-hop 10.10.15.2;
> >         }
> > policy-statement VRFEXP1 {
> >     term a {
> >         from protocol direct;
> >         then {
> >             community add COMM1;
> >             accept;
> >         }
> >     }
> >     term b {
> >         from {
> >             protocol static;
> >             route-filter 10.10.15.2/32 exact;
> >         }
> >         then {
> >             community add COMM1;
> >             accept;
> >         }
> >     }
> >     term d {
> >         then reject;
> >     }
> > }
> >
> >
> > PE2> show route table VRF1
> >
> > VRF1.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
> > + = Active Route, - = Last Active, * = Both
> >
> > 10.10.15.0/24      *[BGP/170] 00:01:09, localpref 100, from 10.10.104.3
> >                       AS path: I
> >                     > via so-2/2/0.0, Push 100003, Push 100001(top)
> > 10.10.15.2/32      *[BGP/170] 00:01:09, localpref 100, from 10.10.104.3
> >                       AS path: I
> >                     > via so-2/2/0.0, Push 100003, Push 100001(top)
> > 10.10.16.0/24      *[Direct/0] 18:41:11
> >                     > via ge-2/3/0.0
> > 10.10.16.1/32      *[Local/0] 18:41:12
> >                       Local via ge-2/3/0.0
> >
> > PE2> ping routing-instance VRF1 10.10.15.2
> > PING 10.10.15.2 (10.10.15.2): 56 data bytes
> > ^C
> > --- 10.10.15.2 ping statistics ---
> > 3 packets transmitted, 0 packets received, 100% packet loss
> >
> > PE2> ping routing-instance VRF1 interface ge-2/3/0.0 10.10.15.2
> > PING 10.10.15.2 (10.10.15.2): 56 data bytes
> > ^C
> > --- 10.10.15.2 ping statistics ---
> > 2 packets transmitted, 0 packets received, 100% packet loss
> >
> >
> >
> >
> > > On Fri, 14 Mar 2003, Josef Buchsteiner wrote:
> > >
> > > Hi Josef, thanks, but I went over that document and I still
> > > can't fix this issue. I used the local and vpn-interface with
> > > the ping and still nothing (I'm not sure that this is supported
> > > on the 5.6; they are not on the help CLI), and like I said it's
> > > just a directly connected CE, so I'm not supposed to see these
> > > routes on the bgp.l3 table, right? Just on the VRF1 table..
> > > So maybe you can't ping the directly connected interface on
> > > a VRF anymore?
> > > Thanks
> > >
> > > PE1> show route table bgp.l3
> > >
> > > bgp.l3vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
> > > + = Active Route, - = Last Active, * = Both
> > >
> > > 1:1:10.10.16.0/24
> > >                    *[BGP/170] 17:49:37, localpref 100, from 10.10.104.4
> > >                       AS path: I
> > >                     > to 10.10.105.17 via ge-0/1/0.0, Push 100000
> > >
> > > PE1> show route table VRF1
> > >
> > > VRF1.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
> > > + = Active Route, - = Last Active, * = Both
> > >
> > > 10.10.15.0/24      *[Direct/0] 17:54:54
> > >                     > via ge-0/0/0.0
> > > 10.10.15.1/32      *[Local/0] 17:54:54
> > >                       Local via ge-0/0/0.0
> > > 10.10.16.0/24      *[BGP/170] 17:49:44, localpref 100, from 10.10.104.4
> > >                       AS path: I
> > >                     > to 10.10.105.17 via ge-0/1/0.0, Push 100000
> > >
> > > These are the ping outputs
> > >
> > >
> > > PE1>ping 10.10.16.1 vpn-interface ge-0/0/0 local 10.10.15.1 count 3
> > > PING 10.10.16.1 (10.10.16.1): 56 data bytes
> > >
> > > --- 10.10.16.1 ping statistics ---
> > > 3 packets transmitted, 0 packets received, 100% packet loss
> > >
> > >
> > > PE1>ping routing-instance VRF1 10.10.16.1 local 10.10.15.1 count 3
> > > PING 10.10.16.1 (10.10.16.1): 56 data bytes
> > >
> > > --- 10.10.16.1 ping statistics ---
> > > 3 packets transmitted, 0 packets received, 100% packet loss
> > >
> > > > At 02:43 AM 3/14/2003, Daniel wrote:
> > > >
> > > > >  Hi, I know that there are some changes on L3VPNs between
> > > > >5.6 and 5.5, but I thought it was only the part of not running
> > > > >MPLS on the PE-CE interface.
> > > >
> > > > You just don't need to configure family mpls on the PE-CE
> > > > interface anymore, as the software does it for you, so this is
> > > > still inherited.
> > > >
> > > > >I loaded my working config from 5.5 and I can see the routes on
> > > > >the PE router, but I can't ping it. I'm using 5.6 rev2.
> > > >
> > > >
> > > > Please look at the troubleshooting guidance and see what you
> > > > need to do if you want to ping a multi-access address on the
> > > > PE-CE connection, and then all will work ;-)
> > > >
> > > >
> > > > http://www.juniper.net/techpubs/software/junos/junos56/swconfig56-vpns/html/vpnl3-trouble.html
> > > >
> > > > thanks
> > > > Josef
> > > >
> > > >
> > > >
> > > >
> > > > >PE1-P-PE2
> > > > >
> > > > >PE1> show route table VRF1
> > > > >
> > > > >VRF1.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
> > > > >+ = Active Route, - = Last Active, * = Both
> > > > >
> > > > >10.10.15.0/24      *[Direct/0] 00:05:58
> > > > >                     > via ge-0/0/0.0
> > > > >10.10.15.1/32      *[Local/0] 00:05:58
> > > > >                       Local via ge-0/0/0.0
> > > > >10.10.16.0/24      *[BGP/170] 00:00:48, localpref 100, from 10.10.104.4
> > > > >                       AS path: I
> > > > >                     > to 10.10.105.17 via ge-0/1/0.0, Push 100000
> > > > >
> > > > >PE1> ping routing-instance VRF1 10.10.15.1
> > > > >PING 10.10.15.1 (10.10.15.1): 56 data bytes
> > > > >64 bytes from 10.10.15.1: icmp_seq=0 ttl=255 time=7.853 ms
> > > > >64 bytes from 10.10.15.1: icmp_seq=1 ttl=255 time=0.362 ms
> > > > >64 bytes from 10.10.15.1: icmp_seq=2 ttl=255 time=0.321 ms
> > > > >^C
> > > > >--- 10.10.15.1 ping statistics ---
> > > > >3 packets transmitted, 3 packets received, 0% packet loss
> > > > >round-trip min/avg/max/stddev = 0.321/2.845/7.853/3.541 ms
> > > > >
> > > > >daniel at m20-2> ping routing-instance VRF1 10.10.16.1
> > > > >PING 10.10.16.1 (10.10.16.1): 56 data bytes
> > > > >^C
> > > > >--- 10.10.16.1 ping statistics ---
> > > > >3 packets transmitted, 0 packets received, 100% packet loss
> > > > >
> > > > >
> > > > >
> > > > >configs are at the bottom
> > > > >
> > > > >PE1.---
> > > > >
> > > > >interfaces {
> > > > >     ge-0/0/0 {
> > > > >         unit 0 {
> > > > >             family inet {
> > > > >                 address 10.10.15.1/24;
> > > > >             }
> > > > >             family iso;
> > > > >         }
> > > > >     }
> > > > >     ge-0/1/0 {
> > > > >         unit 0 {
> > > > >             family inet {
> > > > >                 address 10.10.105.18/30;
> > > > >             }
> > > > >             family iso;
> > > > >             family mpls;
> > > > >         }
> > > > >     }
> > > > >   lo0 {
> > > > >         unit 0 {
> > > > >             family inet {
> > > > >                 address 10.10.104.3/32;
> > > > >             }
> > > > >
> > > > >protocols {
> > > > >     mpls {
> > > > >         interface ge-0/1/0.0;
> > > > >     }
> > > > >     bgp {
> > > > >         group MVPN {
> > > > >             type internal;
> > > > >             local-address 10.10.104.3;
> > > > >             neighbor 10.10.104.4 {
> > > > >                 family inet-vpn {
> > > > >                     unicast;
> > > > >                 }
> > > > >             }
> > > > >         }
> > > > >     }
> > > > >     ospf {
> > > > >         area 0.0.0.0 {
> > > > >             interface ge-0/1/0.0;
> > > > >             interface so-1/0/0.0;
> > > > >             interface lo0.0;
> > > > >         }
> > > > >     }
> > > > >    ldp {
> > > > >         interface ge-0/1/0.0;
> > > > >         interface lo0.0;
> > > > >     }
> > > > >
> > > > >policy-options {
> > > > >     policy-statement VRFIMP1 {
> > > > >         term a {
> > > > >             from {
> > > > >                 protocol bgp;
> > > > >                 community COMM1;
> > > > >             }
> > > > >             then accept;
> > > > >         }
> > > > >         term b {
> > > > >             then reject;
> > > > >         }
> > > > >     }
> > > > >     policy-statement VRFEXP1 {
> > > > >         term a {
> > > > >             from protocol direct;
> > > > >             then {
> > > > >                 community add COMM1;
> > > > >                 accept;
> > > > >             }
> > > > >         }
> > > > >         term b {
> > > > >             then reject;
> > > > >         }
> > > > >     }
> > > > >community COMM1 members target:1:1;
> > > > >
> > > > >routing-instances {
> > > > >     VRF1 {
> > > > >         instance-type vrf;
> > > > >         interface ge-0/0/0.0;
> > > > >         route-distinguisher 1:1;
> > > > >         vrf-import VRFIMP1;
> > > > >         vrf-export VRFEXP1;
> > > > >     }
> > > > >
> > > > >
> > > > >P
> > > > >
> > > > >interfaces {
> > > > >     so-0/1/0
> > > > >         unit 0 {
> > > > >             family inet {
> > > > >                 address 10.10.105.42/30;
> > > > >             }
> > > > >             family mpls;
> > > > >         }
> > > > >     }
> > > > >     ge-0/2/0 {
> > > > >         unit 0 {
> > > > >             family inet {
> > > > >                 address 10.10.105.17/30;
> > > > >             }
> > > > >             family mpls;
> > > > >         }
> > > > >     }
> > > > >  lo0 {
> > > > >         unit 0 {
> > > > >             family inet {
> > > > >                 address 10.10.104.2/32;
> > > > >             }
> > > > >protocols {
> > > > >     mpls {
> > > > >         interface so-0/1/0.0;
> > > > >         interface ge-0/2/0.0;
> > > > >     }
> > > > >     ospf {
> > > > >         area 0.0.0.0 {
> > > > >             interface so-0/1/0.0;
> > > > >             interface ge-0/2/0.0;
> > > > >             interface lo0.0;
> > > > >         }
> > > > >     }
> > > > >     ldp {
> > > > >         interface so-0/1/0.0;
> > > > >         interface ge-0/2/0.0;
> > > > >         interface lo0.0;
> > > > >     }
> > > > >}
> > > > >
> > > > >
> > > > >PE
> > > > >
> > > > >interfaces {
> > > > >  so-2/2/0
> > > > >         unit 0 {
> > > > >             family inet {
> > > > >                 address 10.10.105.41/30;
> > > > >             }
> > > > >             family mpls;
> > > > >         }
> > > > >     }
> > > > >     ge-2/3/0 {
> > > > >         unit 0 {
> > > > >             family inet {
> > > > >                 address 10.10.16.1/24;
> > > > >             }
> > > > >        lo0 {
> > > > >         unit 0 {
> > > > >             family inet {
> > > > >                 address 10.10.104.4/32;
> > > > >             }
> > > > >protocols {
> > > > >     mpls {
> > > > >         interface so-2/2/0.0;
> > > > >     }
> > > > >     bgp {
> > > > >         group MPVN {
> > > > >             type internal;
> > > > >             local-address 10.10.104.4;
> > > > >             neighbor 10.10.104.3 {
> > > > >                 family inet-vpn {
> > > > >                     unicast;
> > > > >                 }
> > > > >             }
> > > > >         }
> > > > >     }
> > > > >     ospf {
> > > > >         area 0.0.0.0 {
> > > > >             interface so-1/2/0.0;
> > > > >             interface so-2/2/0.0;
> > > > >             interface lo0.0;
> > > > >         }
> > > > >     }
> > > > >     ldp {
> > > > >         interface so-2/2/0.0;
> > > > >         interface lo0.0;
> > > > >     }
> > > > >policy-options {
> > > > >     policy-statement VRFIMP1 {
> > > > >         term a {
> > > > >             from {
> > > > >                 protocol bgp;
> > > > >                 community COMM1;
> > > > >             }
> > > > >             then accept;
> > > > >         }
> > > > >         term b {
> > > > >             then reject;
> > > > >         }
> > > > >     }
> > > > >     policy-statement VRFEXP1 {
> > > > >         term a {
> > > > >             from protocol [ direct local ];
> > > > >             then {
> > > > >                 community add COMM1;
> > > > >                 accept;
> > > > >             }
> > > > >         }
> > > > >         term b {
> > > > >             then reject;
> > > > >         }
> > > > >    community COMM1 members target:1:1;
> > > > >
> > > > >routing-instances {
> > > > >     VRF1 {
> > > > >         instance-type vrf;
> > > > >         interface ge-2/3/0.0;
> > > > >         route-distinguisher 1:1;
> > > > >         vrf-import VRFIMP1;
> > > > >         vrf-export VRFEXP1;
> > > > >     }
> > > > >
> > > > >
> > > > >
> > > > >_______________________________________________
> > > > >juniper-nsp mailing list juniper-nsp at puck.nether.net
> > > > >http://puck.nether.net/mailman/listinfo/juniper-nsp
> > > >
> > > > _______________________________________________
> > > > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > > > http://puck.nether.net/mailman/listinfo/juniper-nsp
> > > >
> > >
> > > _______________________________________________
> > > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > > http://puck.nether.net/mailman/listinfo/juniper-nsp
> > >
> >
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp



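The return path described at the top of this message (the echo reply is label-popped at r3, sent out to the T1 CE, and routed back to r3) can be traced with a small model. This is an added example, not part of the original post and not router code: the tables are constructed from the addresses shown above, and it assumes r3 and r4 are adjacent, that c1 reaches the far side through a default route, and that each forwarding router decrements TTL once.

```python
import ipaddress

# Constructed model of the lab in this thread (T1 -- r3 == r4 -- c1).
# Actions: ("local",), ("ip", next_device), ("vpn", egress_pe); "vpn" means
# push the VPN label and tunnel the packet to that egress PE.
TABLES = {
    "r3": {"172.16.0.13/32": ("local",), "172.16.0.12/30": ("ip", "T1"),
           "172.16.0.4/30": ("vpn", "r4")},
    "r4": {"172.16.0.5/32": ("local",), "172.16.0.4/30": ("ip", "c1"),
           "172.16.0.12/30": ("vpn", "r3")},
    "T1": {"172.16.0.14/32": ("local",), "172.16.0.12/30": ("ip", "r3")},
    "c1": {"172.16.0.6/32": ("local",), "0.0.0.0/0": ("ip", "r4")},
}
# After the label pop, the egress PE forwards to the CE bound to that label
# without an IP lookup in the VRF (assumed one CE per PE, as in the lab).
LABEL_TO_CE = {"r3": "T1", "r4": "c1"}


def lookup(device, dst, tables):
    """Longest-prefix match in one device's table; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, action in tables[device].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else None


def send(origin, dst, tables=TABLES, ttl=255):
    """Forward one packet; return (delivered, ttl_on_arrival, path)."""
    device, path, transit = origin, [origin], False
    while ttl > 0:
        action = lookup(device, dst, tables)
        if action is None:
            return False, ttl, path        # no route: packet dropped here
        if action[0] == "local":
            return True, ttl, path
        if transit:
            ttl -= 1                       # the originator does not decrement
        transit = True
        if action[0] == "vpn":
            pe = action[1]
            path.append(pe)
            ttl -= 1                       # egress PE pops label, forwards to CE
            device = LABEL_TO_CE[pe]
        else:
            device = action[1]
        path.append(device)
    return False, ttl, path


def ping(src_dev, src_ip, dst_ip, tables=TABLES):
    """Echo request out, echo reply back; both legs must be delivered."""
    ok, _, request_path = send(src_dev, dst_ip, tables)
    if not ok:
        return False, None, request_path, []
    ok, ttl, reply_path = send(request_path[-1], src_ip, tables)
    return ok, (ttl if ok else None), request_path, reply_path


if __name__ == "__main__":
    print(ping("r3", "172.16.0.13", "172.16.0.6"))
```

Under these assumptions the reply reaches r3 with TTL 252, the value in the ping output above, and removing T1's route back to 172.16.0.12/30 makes the ping fail even though the request was delivered.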