[c-nsp] Route leaking GRT/VRF - Local prefixes on PE ok, but remote PE prefixes fail?

Fri Dec 1 14:16:55 EST 2017

Hi,

Just testing route leaking between GRT+VRF using import+export ipv4 unicast - From a PE, I am able to ping prefixes in the VRF and in GRT, but prefixes learned from another PE(Also doing route leaking) are unreachable (Prefixes that are part of the VRF (i.e not leaked prefixes) I can reach from either PE).

EG.

Ping VRF prefix from PE01 -> PE02:

#ping vrf TEST_PEERING 111.222.66.253
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.222.66.253, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms

Ping GRT prefix (Loopback of PE02) from PE01 -> PE02 fails:

#ping vrf TEST_PEERING 111.222.76.130
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.222.76.130, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Ping GRT prefix (Loopback of local PE) success:

#ping vrf TEST_PEERING 111.222.76.201
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.222.76.201, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

*Note - We do use RR's - I dont know if this is causing the issue, or if its potentially the RIB failure(In BGP) of the PE Loopback due to OSPF carrying those addresses)

# Check route info of vrf prefix from PE01 -> PE02

sh ip route vrf TEST_PEERING 111.222.66.252

Routing Table: TEST_PEERING
Routing entry for 111.222.66.252/30
  Known via "bgp XXXX", distance 200, metric 0, type internal
  Last update from 111.222.76.130 10:55:07 ago
  Routing Descriptor Blocks:
  * 111.222.76.130 (default), from 111.222.76.204, 10:55:07 ago
      Route metric is 0, traffic share count is 1
      AS Hops 0
      MPLS label: 75
      MPLS Flags: MPLS Required, NSF

#sh ip bgp vpnv4 vrf TEST_PEERING 111.222.66.252
BGP routing table entry for 111.222.76.201:4000:111.222.66.252/30, version 3841875
BGP Bestpath: compare-routerid
Paths: (1 available, best #1, table TEST_PEERING)
  Additional-path-install
  Not advertised to any peer
  Refresh Epoch 81
  Local, imported path from 111.222.76.130:4000:111.222.66.252/30 (global)
    111.222.76.130 (metric 5) (via default) from 111.222.76.204 (111.222.76.204)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Community: XXXX:4000
      Extended Community: RT:XXXX:4000
      Originator: 111.222.76.130, Cluster list: 0.0.0.2
      mpls labels in/out nolabel/75
      rx pathid: 0, tx pathid: 0x0

GRT prefix on Local PE:

#sh ip bgp vpnv4 vrf TEST_PEERING 111.222.76.201
BGP routing table entry for 111.222.76.201:4000:111.222.76.201/32, version 3775105
BGP Bestpath: compare-routerid
Paths: (1 available, best #1, table TEST_PEERING)
  Additional-path-install
  Not advertised to any peer
  Refresh Epoch 1
  Local, imported path from 111.222.76.201/32 (global)
    0.0.0.0 (via default) from 0.0.0.0 (111.222.76.201)
      Origin incomplete, metric 0, localpref 100, weight 32768, valid, external, no-import, no-import, best
      Community: XXXX:1000 XXXX:1301 XXXX:14000
      rx pathid: 0, tx pathid: 0x0

#sh ip route vrf TEST_PEERING 111.222.76.130

Routing Table: TEST_PEERING
Routing entry for 111.222.76.130/32
  Known via "bgp XXXX", distance 200, metric 0, type internal
  Last update from 111.222.76.130 11:02:45 ago
  Routing Descriptor Blocks:
  * 111.222.76.130 (default), from 111.222.76.204, 11:02:45 ago
      Route metric is 0, traffic share count is 1
      AS Hops 0
      MPLS label: none
      MPLS Flags: NSF

## bgp entry for PE02 GRT loopback(From PE01) - Note RIB failure due to OSPF being more attractive (All PE loops carried by OSPF)

#sh ip bgp 111.222.76.130
BGP routing table entry for 111.222.76.130/32, version 27830848
BGP Bestpath: compare-routerid
Paths: (4 available, best #2, table default, RIB-failure(17))
  Additional-path-install
  Not advertised to any peer
  Refresh Epoch 5
  Local, (received & used)
    111.222.76.130 (metric 5) from 111.222.76.205 (111.222.76.205)
      Origin incomplete, metric 0, localpref 100, valid, internal, af-export(1)
      Community: XXXX:1000 XXXX:1301 XXXX:15000
      Originator: 111.222.76.130, Cluster list: 0.0.0.2
      rx pathid: 0, tx pathid: 0
  Refresh Epoch 4
  Local, (received & used)
    111.222.76.130 (metric 5) from 111.222.76.204 (111.222.76.204)
      Origin incomplete, metric 0, localpref 100, valid, internal, af-export(1), best
      Community: XXXX:1000 XXXX:1301 XXXX:15000
      Originator: 111.222.76.130, Cluster list: 0.0.0.2
      rx pathid: 0, tx pathid: 0x0
  Refresh Epoch 4
  Local, (received & used)
    111.222.76.130 (metric 5) from 111.222.76.212 (111.222.76.212)
      Origin incomplete, metric 0, localpref 100, valid, internal, af-export(1)
      Community: XXXX:1000 XXXX:1301 XXXX:15000
      Originator: 111.222.76.130, Cluster list: 0.0.0.1
      rx pathid: 0, tx pathid: 0
  Refresh Epoch 2
  Local, (received & used)
    111.222.76.130 (metric 5) from 111.222.76.213 (111.222.76.213)
      Origin incomplete, metric 0, localpref 100, valid, internal, af-export(1)
      Community: XXXX:1000 XXXX:1301 XXXX:15000
      Originator: 111.222.76.130, Cluster list: 0.0.0.1
      rx pathid: 0, tx pathid: 0

## Is the "no-import" the cause(And caused by RIB failure?)

#sh ip bgp vpnv4 vrf TEST_PEERING 111.222.76.130
BGP routing table entry for 111.222.76.201:4000:111.222.76.130/32, version 3843463
BGP Bestpath: compare-routerid
Paths: (4 available, best #2, table TEST_PEERING)
  Additional-path-install
  Not advertised to any peer
  Refresh Epoch 5
  Local, (received & used), imported path from 111.222.76.130/32 (global)
    111.222.76.130 (metric 5) (via default) from 111.222.76.205 (111.222.76.205)
      Origin incomplete, metric 0, localpref 100, valid, internal, no-import, no-import
      Community: XXXX:1000 XXXX:1301 XXXX:15000
      Originator: 111.222.76.130, Cluster list: 0.0.0.2
      rx pathid: 0, tx pathid: 0
  Refresh Epoch 4
  Local, (received & used), imported path from 111.222.76.130/32 (global)
    111.222.76.130 (metric 5) (via default) from 111.222.76.204 (111.222.76.204)
      Origin incomplete, metric 0, localpref 100, valid, internal, no-import, no-import, best
      Community: XXXX:1000 XXXX:1301 XXXX:15000
      Originator: 111.222.76.130, Cluster list: 0.0.0.2
      rx pathid: 0, tx pathid: 0x0
  Refresh Epoch 2
  Local, (received & used), imported path from 111.222.76.130/32 (global)
    111.222.76.130 (metric 5) (via default) from 111.222.76.213 (111.222.76.213)
      Origin incomplete, metric 0, localpref 100, valid, internal, no-import, no-import
      Community: XXXX:1000 XXXX:1301 XXXX:15000
      Originator: 111.222.76.130, Cluster list: 0.0.0.1
      rx pathid: 0, tx pathid: 0
  Refresh Epoch 4
  Local, (received & used), imported path from 111.222.76.130/32 (global)
    111.222.76.130 (metric 5) (via default) from 111.222.76.212 (111.222.76.212)
      Origin incomplete, metric 0, localpref 100, valid, internal, no-import, no-import
      Community: XXXX:1000 XXXX:1301 XXXX:15000
      Originator: 111.222.76.130, Cluster list: 0.0.0.1
      rx pathid: 0, tx pathid: 0

VRF config:

vrf definition TEST_PEERING
rd 111.222.76.201:4000
!
address-family ipv4
  import ipv4 unicast 10000 map RP_TEST_PREFIXES_GRT
  export ipv4 unicast 10000 map RP_TEST_PEERING_PARTNERS_PREFIXES_VRF
  route-target export XXXX:4000
  route-target import XXXX:4000
  maximum routes 25000 80 reinstall 90
exit-address-family

router bgp XXXX
!
address-family ipv4 vrf TEST_PEERING
  redistribute connected route-map RP_TAG_PEERING_PARTNERS_PREFIXES_VRF
  redistribute static route-map RP_TAG_PEERING_PARTNERS_PREFIXES_VRF
  neighbor PEERING_B_PEERING_NDC_B1_LOCA peer-group
  neighbor PEERING_B_PEERING_NDC_B1_LOCA remote-as YYYYY
  neighbor PEERING_B_PEERING_NDC_B1_LOCA description eBGP to PEERING_B for PEERING 11515 (YYYYY)
  neighbor PEERING_B_PEERING_NDC_B1_LOCA ttl-security hops 254
  neighbor PEERING_B_PEERING_NDC_B1_LOCA update-source GigabitEthernet0/1/0.35
  neighbor PEERING_B_PEERING_NDC_B1_LOCA route-map RP_PEERING_B_PEERING_LOCA_NDC_IN in
  neighbor PEERING_B_PEERING_NDC_B1_LOCA route-map RP_PEERING_B_PEERING_LOCA_NDC_OUT out
  neighbor 333.44.70.1 peer-group PEERING_B_PEERING_NDC_B1_LOCA
  neighbor 333.44.70.1 activate
  neighbor 333.44.70.2 peer-group PEERING_B_PEERING_NDC_B1_LOCA
  neighbor 333.44.70.2 activate
exit-address-family

#sh run | section route-map RP_TEST_PREFIXES_GRT
route-map RP_TEST_PREFIXES_GRT permit 10
match community CL_GRT_TEST_PREFIXES

#sh run | section route-map RP_TEST_PEERING_PARTNERS_PREFIXES_VRF
route-map RP_TEST_PEERING_PARTNERS_PREFIXES_VRF permit 10
match community CL_TEST_PEERING_PARTNERS_PREFIXES_VRF

#sh run | include  CL_GRT_TEST_PREFIXES
ip community-list standard CL_GRT_TEST_PREFIXES permit XXXX:1301

#sh run | include CL_TEST_PEERING_PARTNERS_PREFIXES_VRF
ip community-list standard CL_TEST_PEERING_PARTNERS_PREFIXES_VRF permit XXXX:4000

#sh run | section route-map RP_TAG_PEERING_PARTNERS_PREFIXES_VRF
route-map RP_TAG_PEERING_PARTNERS_PREFIXES_VRF permit 10
set community XXXX:4000

Thanks in advance for any assistance.