[c-nsp] MPLS VPN with lot of PPP interfaces and central firewall (Half Duplex VRF / HDVRF)

[Gerald Krause]

Am 23.02.2010 16:47, Oliver Boehmer (oboehmer) schrieb:
>  
>> Hello Oli, thx for your support again. I have configured the HUB/PE as
>> suggested:
>> [..]
>> I see that a traceroute from CPE1 to CPE2 now take the path over the
> HUB
>> and then back to the LNS as expected:
>> [...]
>> When I remove the def-route on the HUB, I'am still able to reach CPE2
>> from CPE1 directly over the LNS:
>>
>> cpe1-vrftest#traceroute
>> Target IP address: 10.98.2.1
>> Source address: 10.98.1.1
>> Tracing the route to 10.98.2.1
>>   1 10.99.17.254 68 msec 60 msec 64 msec   (Loopback102 LNS)
>>   2 10.99.17.2 152 msec *  148 msec        (CPE2)
>>
>> So I *can* re-direct the traffic from CPE to CPE through the HUB but
> in
>> the case the HUB fails, the CPEs are directly connected again through
>> the LNS/SPOKE PE. Is that the expected behaviour? Or is there still
> some
>> thing I'am missing (RPF is enabled on the Vi's)?
> 
> That's strange.. Can you open a TAC case to get this looked at? 

Ok, I will do so if I can't get ahead soon.

> I just
> tried this with "regular" serial interfaces, and I don't see the issue,
> i.e. without a default route, the CEs don't see each other.

I assume even without any MP-BGP between the SPOKE and HUB PEs, it
should be possible to isolate two interfaces on the SPOKE/PE with the
Half Duplex VRF feature enabled. I'am right here? So how looks your
SPOKE/PE test setup regarding the VRF configuration (VRF definition,
interfaces and static routes for that VRF)? That would be interesting
for me. Maybe I can build a similar setup with some unused FastEth's in
my LNS/SPOKE/PE.

> Can you remove urpf and try again? 

I've tried that, looks like uRPF has no influence. I get the same
resluts with and without.

Thx a lot so far!
--
Gerald