<br>If someone cares.<br><br>Yes, as I suspected, the issue turned out to be pretty simple. This was my failure to grasp that NetIron does not readvertise static and connected routes from VRFs to MP-BGP by default.<br><br>
So what I was missing is the following:<br><br><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"> address-family ipv4 unicast vrf l3vpn-cust-321<br> redistribute connected<br>
redistribute static<br> exit-address-family<br></blockquote><br>Same story (which is a bit more obvious) with OSPF, for those who like it as a CE-PE protocol. Or add a BGP neighbor here for CE-PE BGP exchange and then, of course, CE-PE BGP &lt;-&gt; core MP-BGP readvertisement will happen automatically for a given VRF.<br>
<br>Also (what made me feel truly stuck) NetIron does not care about VPN routes received from the core until you configure the "address-family ipv4 unicast vrf &lt;vrf-name&gt;" stanza in the "router bgp" config. It does not even show it has received the routes (except in debug and in the count of Update messages for a neighbor).<br>
<br>Well, to be honest, it seems to be a bit of a strange place in the config for such an option, especially for redistribution of static and connected, since this really looks like a place having to do with only CE-PE BGP exchange.<br>
<br><div class="gmail_quote">2013/3/6 Pavel Lunin wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<br>
Hi,<br>
<br>
I'm a bit stuck with a pretty simple L3VPN lab config on CER2024.<br>
<br>
I mostly work with Juniper and haven't configured MPLS stuff on
Brocade for edges. Though I have, but a couple of years ago :)<br>
<br>
I just needed a basic lab setup to test a couple of things (not the
L3VPN itself) and it turned out I can't even get it up. I see the
router receives an update from neighbor but doesn't show anything
about it. Just silently ignores it. Moreover it does not advertise
any vpn routes.<br>
<br>
I even thought it could be a license issue, but the box has advanced
premium license, and I have checked some other MPLS stuff covered
with the license (Martini VLL) and it works just fine.<br>
<br>
<blockquote type="cite">SSH@cer.lab#sho version | i Lic<br>
License: ADV_SVCS_PREM (LID: rXXXXXXXX)<br>
</blockquote>
<br>
Could someone bother to skim through my output and check whether I
miss something really simple or it rather seems to be a software
issue and should be escalated to Brocade TAC. <br>
<br>
BTW I tried IronWare 5.3.0c, 5.4.0a and 5.4.0b. So it seems pretty
unrealistic that such a basic showstopper bug can exist in three
releases.<br>
<br>
Here are some configs and diagnostics. Sorry, I know it's a bit too
long for the list :)<br>
<br>
VRF:<br>
<blockquote type="cite">SSH@cer.lab#sho run | beg l3vpn<br>
vrf l3vpn-cust-321<br>
rd 65500:321<br>
route-target export 65500:321<br>
route-target import 65500:321<br>
address-family ipv4<br>
route-target export 65500:321<br>
route-target import 65500:321<br>
ip route 10.3.33.0/24 10.3.21.2<br>
exit-address-family<br>
exit-vrf<br>
<br>
</blockquote>
<br>
CE facing iface:<br>
<blockquote type="cite">
SSH@cer.lab#sho run interface ve 32 <br>
interface ve 32<br>
vrf forwarding l3vpn-cust-321<br>
ip address 10.3.21.1/24<br>
!<br>
</blockquote>
BTW, CE-PE link is OK, pingable etc.<br>
<br>
<blockquote type="cite">SSH@cer.lab#sho ip vrf l3vpn-cust-321<br>
VRF l3vpn-cust-321, default RD 65500:321, Table ID 2<br>
Label: 500001, Label-Switched Mode: OFF<br>
IP Router-Id: 10.3.21.1<br>
Interfaces:<br>
v32 <br>
Export VPN route-target communities:<br>
RT:65500:321 <br>
Import VPN route-target communities:<br>
RT:65500:321 <br>
No import route-map<br>
No export route-map<br>
<br>
Address Family IPv4<br>
Max Routes: 1024<br>
Number of Unicast Routes: 2<br>
Export VPN route-target communities:<br>
RT:65500:321 <br>
Import VPN route-target communities:<br>
RT:65500:321 <br>
SSH@cer.lab#<br>
<br>
SSH@cer.lab#sho ip route vrf l3vpn-cust-321 <br>
Total number of IP routes: 2<br>
Type Codes - B:BGP D:Connected I:ISIS O:OSPF R:RIP S:Static; Cost
- Dist/Metric<br>
BGP Codes - i:iBGP e:eBGP<br>
ISIS Codes - L1:Level-1 L2:Level-2<br>
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
s:Sham Link<br>
Destination Gateway Port
Cost Type Uptime<br>
1 10.3.21.0/24 DIRECT ve 32
0/0 D 1d1h <br>
2 10.3.33.0/24 10.3.21.2 ve 32
1/1 S 1d1h <br>
</blockquote>
<br>
<br>
BGP:<br>
<blockquote type="cite">
SSH@cer.lab#show ip bgp config<br>
Current BGP configuration:<br>
<br>
router bgp<br>
local-as 65500<br>
capability as4 enable<br>
neighbor 172.19.126.11 remote-as 65500<br>
neighbor 172.19.126.11 update-source loopback 1<br>
neighbor 172.19.126.11 soft-reconfiguration inbound<br>
neighbor 172.19.126.77 remote-as 65500<br>
neighbor 172.19.126.77 update-source loopback 1<br>
neighbor 172.19.126.77 soft-reconfiguration inbound<br>
<br>
address-family ipv4 unicast<br>
exit-address-family<br>
<br>
address-family ipv4 multicast<br>
exit-address-family<br>
<br>
address-family ipv6 unicast<br>
neighbor 172.19.126.11 activate <br>
exit-address-family<br>
<br>
address-family ipv6 multicast<br>
exit-address-family
<br>
<br>
address-family vpnv4 unicast
<br>
neighbor 172.19.126.11 activate
<br>
neighbor 172.19.126.11 send-community both<br>
neighbor 172.19.126.77 activate <br>
neighbor 172.19.126.77 send-community extended<br>
exit-address-family<br>
<br>
end of BGP configuration<br>
</blockquote>
Both peers are JUNOS based.<br>
<br>
.11 is a Route Reflector, the .77 is a remote PE for this VPN. I
first started with just an RR but thought IronWare might dislike
something about Juniper's cluster ID or something and tried with a
direct session.<br>
<br>
I see the peers advertise VPN routes and CER receives it, but:<br>
<blockquote type="cite">SSH@cer.lab#show ip bgp vpnv4 summary <br>
BGP4 Summary <br>
Router ID: 172.19.126.55 Local AS Number: 65500<br>
Confederation Identifier: not configured<br>
Confederation Peers: <br>
Maximum Number of IP ECMP Paths Supported for Load Sharing: 1<br>
Number of Neighbors Configured: 2, UP: 2<br>
Number of Routes Installed: 0<br>
Number of Routes Advertising to All Neighbors: 0 (0 entries)<br>
Number of Attribute Entries Installed: 0<br>
Neighbor Address AS# State Time Rt:Accepted
Filtered Sent ToSend<br>
172.19.126.11 65500 ESTAB 1d 0h20m 0
0 0 0 <br>
172.19.126.77 65500 ESTAB 1d 0h20m 0
0 0 0 <br>
SSH@cer.lab#</blockquote>
<br>
CER does really receive the VPN updates from the peers:<br>
<blockquote type="cite">
SSH@cer.lab#show deb<br>
Debug message destination: SSH session 1<br>
Debug MAC is set to: All.<br>
IP Routing:<br>
BGP: bgp debugging is on<br>
BGP: updates RX debugging is on<br>
BGP: updates TX debugging is on<br>
BGP: route-selection debugging is on<br>
BGP: VPNV4 Unicast Address Family debugging is on<br>
SSH@cer.lab#<br>
SSH@cer.lab#clear ip bg nei 172.19.126.11<br>
SSH@cer.lab#<br>
SSH@cer.lab#Mar 6 13:24:43.975 BGP: BGP: 172.19.126.11 rcv
UPDATE w/attr: Origin=IGP AS_PATH= LOCAL_PREF=100
EXTENDED_COMMUNITY= RT 65500:321 ORIGINATOR_ID=172.19.126.77
CLUSTER_LIST=0.0.255.220 <b>NextHop=0:0:172.19.126.77 </b><br>
Mar 6 13:24:43.975 BGP: (4): 172.19.126.11 rcv UPDATE
Label=299936 65500:321:10.3.44.0/24<br>
Mar 6 13:24:43.975 BGP: (4): 172.19.126.11 rcv UPDATE
Label=299920 65500:321:10.3.23.1/32<br>
SSH@cer.lab#</blockquote>
<br>
But no further sign of these updates:<br>
<blockquote type="cite">
SSH@cer.lab#sho ip bgp vpnv4 <br>
BGP VPNv4 Routing Table is empty</blockquote>
<blockquote type="cite">SSH@cer.lab#sho ip bgp vpnv4 <br>
BGP VPNv4 Routing Table is empty<br>
<br>
SSH@cer.lab#show ip bgp vpnv4 filtered-routes <br>
BGP has no filtered route</blockquote>
<br>
LSP to remote PE is up and running (mpls ping is OK, Martini VLL
works across LDP LSP, etc)<br>
<br>
<blockquote type="cite">SSH@cer.lab#show mpls lsp <br>
Note: LSPs marked with * are taking a Secondary Path<br>
Admin Oper Tunnel Up/Dn Retry
Active<br>
Name To State State Intf Times No.
Path<br>
55-to-11 172.19.126.11 UP UP tnl0 3 0
-- <br>
55-to-33 172.19.126.33 UP UP tnl1 1 0
-- <br>
55-to-77 172.19.126.77 UP UP tnl2 3 0
-- <br>
55-to-99 172.19.126.99 UP UP tnl3 3 0 --
</blockquote>
<br>
<blockquote type="cite">SSH@cer.lab#sho mpls route 172.19.126.77<br>
R:RSVP L:LDP S:Static O:Others<br>
Destination Gateway Tnnl Port Label
Sig Cost Use<br>
1 172.19.126.77/32 172.19.126.77 tnl2 e1/7 301216
R 0 0<br>
2 172.19.126.77/32 172.19.126.11 tnl5 e1/7 300960
L 0 0<br>
</blockquote>
<br>
(Also tried LDP and RSVP only config).<br>
<br>
Zero routes received, zero filtered, zero sent:<br>
<blockquote type="cite">SSH@cer.lab#sho ip bgp vpnv4 summary <br>
BGP4 Summary <br>
Router ID: 172.19.126.55 Local AS Number: 65500<br>
Confederation Identifier: not configured<br>
Confederation Peers: <br>
Maximum Number of IP ECMP Paths Supported for Load Sharing: 1<br>
Number of Neighbors Configured: 2, UP: 2<br>
Number of Routes Installed: 0<br>
Number of Routes Advertising to All Neighbors: 0 (0 entries)<br>
Number of Attribute Entries Installed: 0<br>
Neighbor Address AS# State Time Rt:Accepted
Filtered Sent ToSend<br>
172.19.126.11 65500 ESTAB 0h 0m57s 0
0 0 0 <br>
172.19.126.77 65500 ESTAB 1d 0h21m 0
0 0 0 <br>
</blockquote>
<br>
At the same time plain IP and IPv6 routes are received through the
same iBGP sessions and work as expected:<br>
<blockquote type="cite">SSH@cer.lab#sh ip bgp <br>
Total number of BGP Routes: 1<br>
Status codes: s suppressed, d damped, h history, * valid, >
best, i internal, S stale<br>
Origin codes: i - IGP, e - EGP, ? - incomplete<br>
Network Next Hop MED LocPrf Weight
Path<br>
*>i 0.0.0.0/0 172.19.126.11 100 0
i<br>
</blockquote>
<br>
<blockquote type="cite">SSH@cer.lab#sh ipv6 bgp <br>
Total number of BGP Routes: 1<br>
Status codes: s suppressed, d damped, h history, * valid, >
best, i internal, S stale<br>
Origin codes: i - IGP, e - EGP, ? - incomplete<br>
Network Next Hop MED LocPrf Weight
Path<br>
*>i ::/0 ::ffff:172.19.126.11<br>
100 0 i<br>
</blockquote>
<br>
<br>
VRF, just in case:<br>
<blockquote type="cite">
SSH@cer.lab#show ip vrf l3vpn-cust-321<br>
VRF l3vpn-cust-321, default RD 65500:321, Table ID 2<br>
Label: 500001, Label-Switched Mode: OFF<br>
IP Router-Id: 10.3.21.1<br>
Interfaces:<br>
v32 <br>
Export VPN route-target communities:<br>
RT:65500:321 <br>
Import VPN route-target communities:<br>
RT:65500:321 <br>
No import route-map<br>
No export route-map<br>
<br>
Address Family IPv4<br>
Max Routes: 1024<br>
Number of Unicast Routes: 2<br>
Export VPN route-target communities:<br>
RT:65500:321 <br>
Import VPN route-target communities:<br>
RT:65500:321 </blockquote><span class="HOEnZb"><font color="#888888">
<br>
<br>
<div>-- <br>
<div style="font-family:serif">Pavel Lunin<br>
<br>
</div>
</div>
</font></span></div>
</blockquote></div><br>
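<br>
Added example (not part of the original posts, and not Brocade tooling): a Python check for the two conditions the follow-up describes, run over a constructed config trimmed from the one quoted above. The name audit_vrf_bgp, the finding labels, and the assumption that the config uses exactly the line forms shown in the thread are this example's own.

```python
import re

# Constructed input: the VRF and BGP configuration from the post, trimmed,
# in the state where VPN routes were silently ignored.
BROKEN = """\
vrf l3vpn-cust-321
 rd 65500:321
 address-family ipv4
 route-target export 65500:321
 route-target import 65500:321
 exit-address-family
exit-vrf
interface ve 32
 vrf forwarding l3vpn-cust-321
router bgp
 local-as 65500
 address-family vpnv4 unicast
 neighbor 172.19.126.77 activate
 exit-address-family
"""
# The stanza the follow-up adds under "router bgp".
FIX = """\
 address-family ipv4 unicast vrf l3vpn-cust-321
 redistribute connected
 redistribute static
 exit-address-family
"""

def audit_vrf_bgp(config):
    """Map each defined VRF to a finding; VRFs with a usable BGP stanza are omitted."""
    vrfs, stanzas, current = [], {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        vrf_def = re.fullmatch(r"vrf (\S+)", line)  # not "vrf forwarding NAME"
        af_vrf = re.fullmatch(r"address-family ipv4 unicast vrf (\S+)", line)
        if vrf_def:
            vrfs.append(vrf_def.group(1))
        elif af_vrf:
            current = af_vrf.group(1)
            stanzas[current] = []
        elif line == "exit-address-family":
            current = None
        elif current is not None:
            stanzas[current].append(line)
    findings = {}
    for vrf in vrfs:
        body = stanzas.get(vrf)
        if body is None:
            findings[vrf] = "missing-stanza"   # VPN routes from the core are ignored
        elif not any(l.startswith(("redistribute ", "neighbor ")) for l in body):
            findings[vrf] = "no-route-source"  # nothing from the VRF reaches MP-BGP
    return findings

if __name__ == "__main__":
    print(audit_vrf_bgp(BROKEN))        # before the fix
    print(audit_vrf_bgp(BROKEN + FIX))  # after the fix
```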