[c-nsp] MPBGP, CEF drops and upgrade from 12.4.4 to 12.4.24
Karl Putland
karl at simplesignal.com
Tue Oct 8 14:15:42 EDT 2013
So I have a working MPBGP VRF-Lite configuration that does what I expect on
12.4.4. When I upgrade to 12.4.24 or 12.4.20 or 12.4.22 it stops returning
traffic from the customer VRFs and CEF drops packets with Unresolved Route.
12.4.15 is the last 12.4 that seems to work. 15.2.4 also appears to work.
I'm hoping that someone can help shed some light on this. I've been
searching release notes for a couple of days and I'm coming up empty.
Thanks,
--Karl
Sample config at the end of this message.
Customer VRFs import a common route-target 60522:100 that is associated
with a VRF VOIP for the subset of routes we wish to export to the
customers. Customer VRFs export to route-target 65000:1.
G0/1 was the original connection to the router before we started doing
VRF-Lite. G0/1.130 was used to put an interface in vrf MAIN so that we
could import from 65000:1 and pull the routes to customer networks back
into our wan side core.
G0/2.700, G0/2.701, and G0/2.702 are on a NNI to a MPLS service provider.
The far side of E701 has 10.70.1.0/24
The far side of E702 has 10.70.2.0/24
I realize that in vrf VOIP I have a route to the G0/1 interface address that
points to the upstream. I couldn't figure out a way to add a static route
to a connected interface into vrf VOIP. With the level of traffic we have,
and the fact that no customer traffic should access this device, I'm ok
with the round trip to the upstream device.
Under 12.4.4 everything works. Routes from VOIP are imported to E701.
From the router I can ping 10.70.1.1
#sh ip route vrf E701
[...]
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.223.223.20/30 is directly connected, GigabitEthernet0/2.701
B 10.70.1.0/24 [20/0] via 10.223.223.21, 00:25:05
172.16.0.0/32 is subnetted, 2 subnets
B 172.16.119.178 [20/0] via 172.16.119.177, 00:25:05, GigabitEthernet0/1
B 172.16.119.130 [20/0] via 172.16.119.177, 00:25:05, GigabitEthernet0/1
#ping 10.70.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.70.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
#sh ip cef vrf E701
Prefix Next Hop Interface
0.0.0.0/0 drop Null0 (default route handler entry)
0.0.0.0/32 receive
10.70.1.0/24 10.223.223.21 GigabitEthernet0/2.701
10.223.223.20/30 attached GigabitEthernet0/2.701
10.223.223.20/32 receive
10.223.223.21/32 10.223.223.21 GigabitEthernet0/2.701
10.223.223.22/32 receive
10.223.223.23/32 receive
72.1.119.130/32 72.1.119.177 GigabitEthernet0/1
72.1.119.178/32 72.1.119.177 GigabitEthernet0/1
224.0.0.0/4 drop
224.0.0.0/24 receive
255.255.255.255/32 receive
#sh ip cef vrf E701 detail
IP CEF with switching (Table Version 13), flags=0x0
13 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 9
1 instant recursive resolution, 0 used background process
109 leaves, 91 nodes, 99304 bytes, 149 inserts, 40 invalidations
0 load sharing elements, 0 bytes, 0 references
universal per-destination load sharing algorithm, id AE91E839
2(0) CEF resets, 2 revisions of existing leaves
Resolution Timer: Exponential (currently 1s, peak 1s)
0 in-place/0 aborted modifications
refcounts: 25138 leaf, 24832 node
[...snip...]
172.16.119.130/32, version 11, epoch 0, cached adjacency 172.16.119.177
0 packets, 0 bytes
tag information set
local tag: VPN-route-head
via 172.16.119.177, GigabitEthernet0/1, 0 dependencies
next hop 172.16.119.177, GigabitEthernet0/1
valid cached adjacency
tag rewrite with Gi0/1, 172.16.119.177, tags imposed: {}
172.16.119.178/32, version 12, epoch 0, cached adjacency 172.16.119.177
0 packets, 0 bytes
tag information set
local tag: VPN-route-head
via 172.16.119.177, GigabitEthernet0/1, 0 dependencies
next hop 172.16.119.177, GigabitEthernet0/1
valid cached adjacency
tag rewrite with Gi0/1, 172.16.119.177, tags imposed: {}
NOW... Upgrade to 12.4.20, 12.4.22 or 12.4.24
Config remains the same.
Ping fails and cef shows unresolved routes
#ping 10.70.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.70.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
#sh ip cef vrf E701
Prefix Next Hop Interface
0.0.0.0/0 no route
0.0.0.0/8 drop
0.0.0.0/32 receive
10.70.1.0/24 10.223.223.21 GigabitEthernet0/2.701
10.223.223.20/30 attached GigabitEthernet0/2.701
10.223.223.20/32 receive GigabitEthernet0/2.701
10.223.223.21/32 attached GigabitEthernet0/2.701
10.223.223.22/32 receive GigabitEthernet0/2.701
10.223.223.23/32 receive GigabitEthernet0/2.701
172.16.119.130/32 172.16.119.177 GigabitEthernet0/1
172.16.119.178/32 172.16.119.177 GigabitEthernet0/1
127.0.0.0/8 drop
224.0.0.0/4 drop
224.0.0.0/24 receive
240.0.0.0/4 drop
255.255.255.255/32 receive
#sh ip cef vrf E701 detail
IPv4 CEF is enabled and running
VRF E701:
16 prefixes (16/0 fwd/non-fwd)
Table id 2
Database epoch: 0 (16 entries at this epoch)
[...snip...]
172.16.119.130/32, epoch 0
nexthop 172.16.119.177 GigabitEthernet0/1 unusable: no label
172.16.119.178/32, epoch 0
nexthop 172.16.119.177 GigabitEthernet0/1 unusable: no label
#debug ip cef drops
IP CEF drops debugging is on
#term mon
#ping 10.70.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.70.1.1, timeout is 2 seconds:
*Oct 8 17:58:27.955: CEF-Drop: Packet from 10.70.1.1 (Gi0/2.701) to 172.16.119.178, Unresolved route.
*Oct 8 17:58:29.955: CEF-Drop: Packet from 10.70.1.1 (Gi0/2.701) to 172.16.119.178, Unresolved route.
*Oct 8 17:58:31.955: CEF-Drop: Packet from 10.70.1.1 (Gi0/2.701) to 172.16.119.178, Unresolved route.
*Oct 8 17:58:33.955: CEF-Drop: Packet from 10.70.1.1 (Gi0/2.701) to 172.16.119.178, Unresolved route.
*Oct 8 17:58:35.955: CEF-Drop: Packet from 10.70.1.1 (Gi0/2.701) to 172.16.119.178, Unresolved route.
Success rate is 0 percent (0/5)
!!! BEGIN CONFIG !!!
!
upgrade fpd auto
version 12.4
!
hostname TEST
!
ip cef
!
!
!
!
ip vrf E700
rd 65000:700
route-target export 65000:700
route-target import 65000:700
route-target import 60522:100
!
ip vrf E701
rd 65000:701
route-target export 65000:701
route-target export 65000:1
route-target import 65000:701
route-target import 60522:100
!
ip vrf E702
rd 65000:702
route-target export 65000:702
route-target export 65000:1
route-target import 65000:702
route-target import 60522:100
!
ip vrf MAIN
rd 65000:100
route-target export 65000:100
route-target import 65000:1
route-target import 65000:100
route-target import 65000:700
!
ip vrf VOIP
rd 60522:100
route-target export 60522:100
route-target import 60522:100
!
no ip domain lookup
ip domain name simplesignal.com
!
ip ssh authentication-retries 5
!
interface GigabitEthernet0/1
ip address 172.16.119.178 255.255.255.252
ip ospf message-digest-key 1 md5 foo
ip ospf 202 area 0
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/1.130
encapsulation dot1Q 130
ip vrf forwarding MAIN
ip address 172.16.119.182 255.255.255.252
ip ospf message-digest-key 1 md5 bar
ip ospf 130 area 0
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/2.700
encapsulation dot1Q 700
ip vrf forwarding E700
ip address 10.223.223.18 255.255.255.252
!
interface GigabitEthernet0/2.701
encapsulation dot1Q 701
ip vrf forwarding E701
ip address 10.223.223.22 255.255.255.252
!
interface GigabitEthernet0/2.702
encapsulation dot1Q 702
ip vrf forwarding E702
ip address 10.223.223.26 255.255.255.252
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
no negotiation auto
!
router ospf 130 vrf MAIN
router-id 10.1.9.130
log-adjacency-changes
area 0 authentication message-digest
redistribute bgp 60522 subnets
!
router ospf 202
router-id 10.1.9.1
log-adjacency-changes
area 0 authentication message-digest
redistribute connected metric-type 1 subnets
redistribute static metric-type 1 subnets
!
router bgp 60522
no synchronization
bgp router-id 172.16.119.178
bgp log-neighbor-changes
no auto-summary
!
address-family ipv4 vrf VOIP
redistribute static
no synchronization
exit-address-family
!
address-family ipv4 vrf MAIN
redistribute connected
no synchronization
exit-address-family
!
address-family ipv4 vrf E702
redistribute static
neighbor 10.223.223.25 remote-as 65029
neighbor 10.223.223.25 activate
neighbor 10.223.223.25 next-hop-self
neighbor 10.223.223.25 soft-reconfiguration inbound
no synchronization
exit-address-family
!
address-family ipv4 vrf E701
redistribute static
neighbor 10.223.223.21 remote-as 65029
neighbor 10.223.223.21 activate
neighbor 10.223.223.21 next-hop-self
neighbor 10.223.223.21 soft-reconfiguration inbound
no synchronization
exit-address-family
!
address-family ipv4 vrf E700
redistribute static
neighbor 10.223.223.17 remote-as 65029
neighbor 10.223.223.17 activate
neighbor 10.223.223.17 next-hop-self
neighbor 10.223.223.17 soft-reconfiguration inbound
no synchronization
exit-address-family
!
ip forward-protocol nd
ip route vrf VOIP 172.16.119.130 255.255.255.255 172.16.119.177 global name dlab-irvine-1
ip route vrf VOIP 172.16.119.178 255.255.255.255 172.16.119.177 global name TEST_7206_1oc
end
!!! END CONFIG !!!
--Karl
Karl Putland
Senior Engineer
*SimpleSignal*
Anywhere: 303-242-8608
<http://www.simplesignal.com/explainer_video.php>
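
An added example, not part of the original message: a small Python script that reads the route-target lines of the "ip vrf" stanzas in the sample config and lists, for each VRF, which other VRFs' exports it imports directly. The function names parse_vrfs and leak_matrix are illustrative, and only direct import/export matches are considered.

```python
import re

# route-target lines of the "ip vrf" stanzas in the sample config above
# (rd lines omitted; indentation added for readability).
CONFIG = """\
ip vrf E700
 route-target export 65000:700
 route-target import 65000:700
 route-target import 60522:100
ip vrf E701
 route-target export 65000:701
 route-target export 65000:1
 route-target import 65000:701
 route-target import 60522:100
ip vrf E702
 route-target export 65000:702
 route-target export 65000:1
 route-target import 65000:702
 route-target import 60522:100
ip vrf MAIN
 route-target export 65000:100
 route-target import 65000:1
 route-target import 65000:100
 route-target import 65000:700
ip vrf VOIP
 route-target export 60522:100
 route-target import 60522:100
"""

def parse_vrfs(text):
    """Return {vrf: {"export": set, "import": set}} from 'ip vrf' stanzas."""
    vrfs, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"ip vrf (\S+)$", line):
            current = vrfs.setdefault(m.group(1), {"export": set(), "import": set()})
        elif (m := re.match(r"route-target (export|import) (\S+)$", line)) and current is not None:
            current[m.group(1)].add(m.group(2))
        elif line == "!":
            current = None  # "!" closes the stanza in a full config
    return vrfs

def leak_matrix(vrfs):
    """Map each VRF to the other VRFs whose exported route-targets it imports."""
    return {dst: sorted(src for src, s in vrfs.items()
                        if src != dst and s["export"] & d["import"])
            for dst, d in vrfs.items()}

if __name__ == "__main__":
    print(leak_matrix(parse_vrfs(CONFIG)))
```

For this config the customer VRFs E700, E701 and E702 import only from VOIP and never from each other, while MAIN imports from all three; E700 reaches MAIN through 65000:700 rather than 65000:1.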