[j-nsp] L3 VPN on 5.6
Daniel
telecom at servidor.unam.mx
Fri Mar 14 18:46:42 EST 2003
On Fri, 14 Mar 2003, Harry Reynolds wrote:
I dont get it my config looks similar but it dont get the local CE route
labeled.. but im not running BGP between PE and CE .. is that why?
> Hey all,
>
> I set up a quick L3 VPN with 5.6R2.4, and PE to remote CE-VRF
> interface pings are working. Note that initial testing with a static
> /30 and /32 did not work due to the use of /30 addressing on VRF
> interfaces. The export of direct is working OK.
>
>
> I have this:
>
> Ce PE PE CE
> T1---------r3-------------r4-----------c1
> .14 .13 .5 .6
> 172.16.0.12/30 172.16.0.4/30
>
>
> [edit]
> lab at r3# run ping routing-instance t1 172.16.0.6
> PING 172.16.0.6 (172.16.0.6): 56 data bytes
> 64 bytes from 172.16.0.6: icmp_seq=0 ttl=252 time=0.804 ms
> 64 bytes from 172.16.0.6: icmp_seq=1 ttl=252 time=0.609 ms
> 64 bytes from 172.16.0.6: icmp_seq=2 ttl=252 time=0.634 ms
> 64 bytes from 172.16.0.6: icmp_seq=3 ttl=252 time=0.614 ms
> 64 bytes from 172.16.0.6: icmp_seq=4 ttl=252 time=0.607 ms
> ^X64 bytes from 172.16.0.6: icmp_seq=5 ttl=252 time=0.591 ms
>
> [at the C1 CE]
>
> lab at c1> monitor traffic interface fxp1
> verbose output suppressed, use <detail> or <extensive> for full
> protocol decode
> Listening on fxp1, capture size 96 bytes
>
> 16:04:01.665351 In IP 172.16.0.13 > 172.16.0.6: icmp: echo request
> 16:04:01.665422 Out IP 172.16.0.6 > 172.16.0.13: icmp: echo reply
> 16:04:02.673366 In IP 172.16.0.13 > 172.16.0.6: icmp: echo request
> 16:04:02.673407 Out IP 172.16.0.6 > 172.16.0.13: icmp: echo reply
> 16:04:03.683460 In IP 172.16.0.13 > 172.16.0.6: icmp: echo request
> 16:04:03.683493 Out IP 172.16.0.6 > 172.16.0.13: icmp: echo reply
> ^C
> [configs]
> [edit]
> lab at r3# show policy-options
> policy-statement vrf-import {
> term 1 {
> from {
> protocol bgp;
> community target;
> }
> then accept;
> }
> }
> policy-statement vrf-export {
> from protocol [ bgp direct ];
> then {
> community add target;
> accept;
> }
> }
> community target members target:65412:1;
>
> [edit]
> lab at r3# show routing-instances
> t1 {
> instance-type vrf;
> interface fe-0/0/2.0;
> route-distinguisher 10.0.3.5:1;
> vrf-import vrf-import;
> vrf-export vrf-export;
> routing-options {
> static {
> route 172.16.0.14/32 next-hop 172.16.0.14;
> }
> }
> protocols {
> bgp {
> group t1 {
> type external;
> peer-as 65222;
> neighbor 172.16.0.14;
> }
> }
> }
> }
>
> [edit]
> lab at r3# run show route table t1
>
> t1.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
> + = Active Route, - = Last Active, * = Both
>
> 130.130.0.0/16 *[BGP/170] 00:26:57, MED 0, localpref 100
> AS path: 65222 I
> > to 172.16.0.14 via fe-0/0/2.0
> 172.16.0.4/30 *[BGP/170] 00:05:10, localpref 100, from 10.0.3.4
> AS path: I
> > via so-0/2/0.100, label-switched-path r4
> <<< remote VRF subnet is labeled
>
> 172.16.0.12/30 *[Direct/0] 00:27:14
> > via fe-0/0/2.0
> 172.16.0.13/32 *[Local/0] 00:27:14
> Local via fe-0/0/2.0
> 172.16.0.14/32 *[Static/5] 00:17:31
> > to 172.16.0.14 via fe-0/0/2.0
> 200.200.0.0/16 *[BGP/170] 00:05:37, MED 0, localpref 100, from
> 10.0.3.4
> AS path: 65010 I
> > via so-0/2/0.100, label-switched-path r4
> 200.200.1.0/24 *[BGP/170] 00:05:37, MED 0, localpref 100, from
> 10.0.3.4
> AS path: 65010 I
> > via so-0/2/0.100, label-switched-path r4
> 207.17.136.192/32 *[BGP/170] 00:26:48, localpref 100
> AS path: 65222 I
> > to 172.16.0.14 via fe-0/0/2.0
> edit]
> lab at r3# run show version
> Hostname: r3
> Model: m5
> JUNOS Base OS boot [5.6R1.3]
> JUNOS Base OS Software Suite [5.6R2.4]
> JUNOS Kernel Software Suite [5.6R2.4]
> JUNOS Packet Forwarding Engine Support (M5/M10) [5.6R2.4]
>
> Daniel, keep in mind that the received echo traffic is sent out the
> originating PE (r3 in this case) after VRF label pop to the attached
> CE (T1), where it is sent back to the local PE for a successful ping:
>
> [edit]
> lab at T1-P1# run monitor traffic interface fxp2
> verbose output suppressed, use <detail> or <extensive> for full
> protocol decode
> Listening on fxp2, capture size 96 bytes
>
> 16:33:55.052652 In IP 172.16.0.6 > 172.16.0.13: icmp: echo reply
> 16:33:55.052678 Out IP 172.16.0.6 > 172.16.0.13: icmp: echo reply
> 16:33:56.055299 In IP 172.16.0.6 > 172.16.0.13: icmp: echo reply
> 16:33:56.055319 Out IP 172.16.0.6 > 172.16.0.13: icmp: echo reply
> 16:33:57.065313 In IP 172.16.0.6 > 172.16.0.13: icmp: echo reply
> 16:33:57.065329 Out IP 172.16.0.6 > 172.16.0.13: icmp: echo reply
>
> I mention this because it means it is all or nothing, in the sense
> that a successful ping in one direction requires that all be working
> in the opposite direction too. Put another way, a ping from r3 to c1
> requires a functional r2-T1 VRF interface and proper routing logic at
> the T1 CE device.
>
> HTHs
>
> > -----Original Message-----
> > From: juniper-nsp-bounces at puck.nether.net
> > [mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of
> > Cliff DeGuzman
> > Sent: Friday, March 14, 2003 11:59 AM
> > To: Daniel; Josef Buchsteiner
> > Cc: juniper-nsp at puck.nether.net
> > Subject: RE: [j-nsp] L3 VPN on 5.6
> >
> >
> > hi daniel,
> >
> > please open a case with our JTAC so we can investigate this issue.
> >
> > thanks!
> > cliff
> >
> > > -----Original Message-----
> > > From: Daniel [mailto:telecom at servidor.unam.mx]
> > > Sent: Friday, March 14, 2003 11:25 AM
> > > To: Josef Buchsteiner
> > > Cc: juniper-nsp at puck.nether.net
> > > Subject: Re: [j-nsp] L3 VPN on 5.6
> > >
> > >
> > > On Fri, 14 Mar 2003, Daniel wrote:
> > > Josef, If you were talking about a static route.. i tried
> > > that too.. and
> > > it didnt work.. and I dont remember needing it before..
> > > anyways here are the results.. I even tried with ge-2/3/0.0..
> > > and it didnt
> > > work.. i guess you just can't ping the local CE interface
> > > on JunOS anymore...Thanks
> > >
> > > PE1>VRF1 {
> > > instance-type vrf;
> > > interface ge-0/0/0.0;
> > > route-distinguisher 1:1;
> > > vrf-import VRFIMP1;
> > > vrf-export VRFEXP1;
> > > routing-options {
> > > static {
> > > route 10.10.15.2/32 next-hop 10.10.15.2;
> > > }
> > > policy-statement VRFEXP1 {
> > > term a {
> > > from protocol direct;
> > > then {
> > > community add COMM1;
> > > accept;
> > > }
> > > }
> > > term b {
> > > from {
> > > protocol static;
> > > route-filter 10.10.15.2/32 exact;
> > > }
> > > then {
> > > community add COMM1;
> > > accept;
> > > }
> > > }
> > > term d {
> > > then reject;
> > > }
> > > }
> > >
> > >
> > > PE2> show route table VRF1
> > >
> > > VRF1.inet.0: 4 destinations, 4 routes (4 active, 0
> > holddown, 0 hidden)
> > > + = Active Route, - = Last Active, * = Both
> > >
> > > 10.10.15.0/24 *[BGP/170] 00:01:09, localpref 100, from
> > > 10.10.104.3
> > > AS path: I
> > > > via so-2/2/0.0, Push 100003, Push
> > 100001(top)
> > > 10.10.15.2/32 *[BGP/170] 00:01:09, localpref 100, from
> > > 10.10.104.3
> > > AS path: I
> > > > via so-2/2/0.0, Push 100003, Push
> > 100001(top)
> > > 10.10.16.0/24 *[Direct/0] 18:41:11
> > > > via ge-2/3/0.0
> > > 10.10.16.1/32 *[Local/0] 18:41:12
> > > Local via ge-2/3/0.0
> > >
> > > PE2> ping routing-instance VRF1 10.10.15.2
> > > PING 10.10.15.2 (10.10.15.2): 56 data bytes
> > > ^C
> > > --- 10.10.15.2 ping statistics ---
> > > 3 packets transmitted, 0 packets received, 100% packet loss
> > >
> > > PE2> ping routing-instance VRF1 interface ge-2/3/0.0 10.10.15.2
> > > PING 10.10.15.2 (10.10.15.2): 56 data bytes
> > > ^C
> > > --- 10.10.15.2 ping statistics ---
> > > 2 packets transmitted, 0 packets received, 100% packet loss
> > >
> > >
> > >
> > >
> > > > On Fri, 14 Mar 2003, Josef Buchsteiner wrote:
> > > >
> > > > Hi Josef, Thanks but i went over that document and i still
> > > can't fix this
> > > > issue. I used the local and vpn-interface with the ping and
> > > > still nothing (im not sure that this is supported on the
> > > 5.6 they are not
> > > > on the help cli) and like i said it's just a directly
> > connected
> > > > CE so im not supposed to see this routes on bgp.l3 table
> > > right? just on
> > > > the VRF1 table..
> > > > So maybe you can't ping the directly conected interface on
> > > a VRF anymore?
> > > > thanks
> > > >
> > > > PE1> show route table bgp.l3
> > > >
> > > > bgp.l3vpn.0: 1 destinations, 1 routes (1 active, 0
> > > holddown, 0 hidden)
> > > > + = Active Route, - = Last Active, * = Both
> > > >
> > > > 1:1:10.10.16.0/24
> > > > *[BGP/170] 17:49:37, localpref 100, from
> > > 10.10.104.4
> > > > AS path: I
> > > > > to 10.10.105.17 via ge-0/1/0.0,
> > Push 100000
> > > >
> > > > PE1> show route table VRF1
> > > >
> > > > VRF1.inet.0: 3 destinations, 3 routes (3 active, 0
> > > holddown, 0 hidden)
> > > > + = Active Route, - = Last Active, * = Both
> > > >
> > > > 10.10.15.0/24 *[Direct/0] 17:54:54
> > > > > via ge-0/0/0.0
> > > > 10.10.15.1/32 *[Local/0] 17:54:54
> > > > Local via ge-0/0/0.0
> > > > 10.10.16.0/24 *[BGP/170] 17:49:44, localpref 100, from
> > > 10.10.104.4
> > > > AS path: I
> > > > > to 10.10.105.17 via ge-0/1/0.0,
> > Push 100000
> > > >
> > > > These are the pingss outputs
> > > >
> > > >
> > > > PE1>ping 10.10.16.1 vpn-interface ge-0/0/0 local
> > 10.10.15.1 count 3
> > > > PING 10.10.16.1 (10.10.16.1): 56 data bytes
> > > >
> > > > --- 10.10.16.1 ping statistics ---
> > > > 3 packets transmitted, 0 packets received, 100% packet loss
> > > >
> > > >
> > > > PE1>ping routing-instance VRF1 10.10.16.1 local
> > 10.10.15.1 count 3
> > > > PING 10.10.16.1 (10.10.16.1): 56 data bytes
> > > >
> > > > --- 10.10.16.1 ping statistics ---
> > > > 3 packets transmitted, 0 packets received, 100% packet loss
> > > >
> > > > > At 02:43 AM 3/14/2003, Daniel wrote:
> > > > >
> > > > > > Hi, I know that there are some changes on L3VPNs
> > > between 5.6 and 5.5 but
> > > > > >i thought it was only the part of not running mpls on
> > > the pe-ce interface.
> > > > >
> > > > > you just don't need to configure family mpls on the pe-ce
> > > interface anymore
> > > > > as the software does it for you so this is still inherited.
> > > > >
> > > > > >I loaded my working config from 5.5 and I can see the
> > > routes on the PE
> > > > > >router but i can't ping it I'm using 5.6 rev2.
> > > > >
> > > > >
> > > > > Please look at the troubleshooting guidance and see what
> > > you need to
> > > > > do if you want to ping multi-access address on the PE-CE
> > > connection
> > > > > and then all will work ;-)
> > > > >
> > > > >
> > > http://www.juniper.net/techpubs/software/junos/junos56/swconfi
> > > g56-vpns/html/vpnl3-trouble.html
> > > > >
> > > > > thanks
> > > > > Josef
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > >PE1-P-PE2
> > > > > >
> > > > > >PE1> show route table VRF1
> > > > > >
> > > > > >VRF1.inet.0: 3 destinations, 3 routes (3 active, 0
> > > holddown, 0 hidden)
> > > > > >+ = Active Route, - = Last Active, * = Both
> > > > > >
> > > > > >10.10.15.0/24 *[Direct/0] 00:05:58
> > > > > > > via ge-0/0/0.0
> > > > > >10.10.15.1/32 *[Local/0] 00:05:58
> > > > > > Local via ge-0/0/0.0
> > > > > >10.10.16.0/24 *[BGP/170] 00:00:48, localpref 100,
> > > from 10.10.104.4
> > > > > > AS path: I
> > > > > > > to 10.10.105.17 via ge-0/1/0.0,
> > > Push 100000
> > > > > >
> > > > > >PE1> ping routing-instance VRF1 10.10.15.1
> > > > > >PING 10.10.15.1 (10.10.15.1): 56 data bytes
> > > > > >64 bytes from 10.10.15.1: icmp_seq=0 ttl=255 time=7.853 ms
> > > > > >64 bytes from 10.10.15.1: icmp_seq=1 ttl=255 time=0.362 ms
> > > > > >64 bytes from 10.10.15.1: icmp_seq=2 ttl=255 time=0.321 ms
> > > > > >^C
> > > > > >--- 10.10.15.1 ping statistics ---
> > > > > >3 packets transmitted, 3 packets received, 0% packet loss
> > > > > >round-trip min/avg/max/stddev = 0.321/2.845/7.853/3.541 ms
> > > > > >
> > > > > >daniel at m20-2> ping routing-instance VRF1 10.10.16.1
> > > > > >PING 10.10.16.1 (10.10.16.1): 56 data bytes
> > > > > >^C
> > > > > >--- 10.10.16.1 ping statistics ---
> > > > > >3 packets transmitted, 0 packets received, 100% packet loss
> > > > > >
> > > > > >
> > > > > >
> > > > > >configs are at the bottom
> > > > > >
> > > > > >PE1.---
> > > > > >
> > > > > >interfaces {
> > > > > > ge-0/0/0 {
> > > > > > unit 0 {
> > > > > > family inet {
> > > > > > address 10.10.15.1/24;
> > > > > > }
> > > > > > family iso;
> > > > > > }
> > > > > > }
> > > > > > ge-0/1/0 {
> > > > > > unit 0 {
> > > > > > family inet {
> > > > > > address 10.10.105.18/30;
> > > > > > }
> > > > > > family iso;
> > > > > > family mpls;
> > > > > > }
> > > > > > }
> > > > > > lo0 {
> > > > > > unit 0 {
> > > > > > family inet {
> > > > > > address 10.10.104.3/32;
> > > > > > }
> > > > > >
> > > > > >protocols {
> > > > > > mpls {
> > > > > > interface ge-0/1/0.0;
> > > > > > }
> > > > > > bgp {
> > > > > > group MVPN {
> > > > > > type internal;
> > > > > > local-address 10.10.104.3;
> > > > > > neighbor 10.10.104.4 {
> > > > > > family inet-vpn {
> > > > > > unicast;
> > > > > > }
> > > > > > }
> > > > > > }
> > > > > > }
> > > > > > ospf {
> > > > > > area 0.0.0.0 {
> > > > > > interface ge-0/1/0.0;
> > > > > > interface so-1/0/0.0;
> > > > > > interface lo0.0;
> > > > > > }
> > > > > > }
> > > > > > ldp {
> > > > > > interface ge-0/1/0.0;
> > > > > > interface lo0.0;
> > > > > > }
> > > > > >
> > > > > >policy-options {
> > > > > > policy-statement VRFIMP1 {
> > > > > > term a {
> > > > > > from {
> > > > > > protocol bgp;
> > > > > > community COMM1;
> > > > > > }
> > > > > > then accept;
> > > > > > }
> > > > > > term b {
> > > > > > then reject;
> > > > > > }
> > > > > > }
> > > > > > policy-statement VRFEXP1 {
> > > > > > term a {
> > > > > > from protocol direct;
> > > > > > then {
> > > > > > community add COMM1;
> > > > > > accept;
> > > > > > }
> > > > > > }
> > > > > > term b {
> > > > > > then reject;
> > > > > > }
> > > > > > }
> > > > > >community COMM1 members target:1:1;
> > > > > >
> > > > > >routing-instances {
> > > > > > VRF1 {
> > > > > > instance-type vrf;
> > > > > > interface ge-0/0/0.0;
> > > > > > route-distinguisher 1:1;
> > > > > > vrf-import VRFIMP1;
> > > > > > vrf-export VRFEXP1;
> > > > > > }
> > > > > >
> > > > > >
> > > > > >P
> > > > > >
> > > > > >interfaces {
> > > > > > so-0/1/0
> > > > > > unit 0 {
> > > > > > family inet {
> > > > > > address 10.10.105.42/30;
> > > > > > }
> > > > > > family mpls;
> > > > > > }
> > > > > > }
> > > > > > ge-0/2/0 {
> > > > > > unit 0 {
> > > > > > family inet {
> > > > > > address 10.10.105.17/30;
> > > > > > }
> > > > > > family mpls;
> > > > > > }
> > > > > > }
> > > > > > lo0 {
> > > > > > unit 0 {
> > > > > > family inet {
> > > > > > address 10.10.104.2/32;
> > > > > > }
> > > > > >protocols {
> > > > > > mpls {
> > > > > > interface so-0/1/0.0;
> > > > > > interface ge-0/2/0.0;
> > > > > > }
> > > > > > ospf {
> > > > > > area 0.0.0.0 {
> > > > > > interface so-0/1/0.0;
> > > > > > interface ge-0/2/0.0;
> > > > > > interface lo0.0;
> > > > > > }
> > > > > > }
> > > > > > ldp {
> > > > > > interface so-0/1/0.0;
> > > > > > interface ge-0/2/0.0;
> > > > > > interface lo0.0;
> > > > > > }
> > > > > >}
> > > > > >
> > > > > >
> > > > > >PE
> > > > > >
> > > > > >interfaces {
> > > > > > so-2/2/0
> > > > > > unit 0 {
> > > > > > family inet {
> > > > > > address 10.10.105.41/30;
> > > > > > }
> > > > > > family mpls;
> > > > > > }
> > > > > > }
> > > > > > ge-2/3/0 {
> > > > > > unit 0 {
> > > > > > family inet {
> > > > > > address 10.10.16.1/24;
> > > > > > }
> > > > > > lo0 {
> > > > > > unit 0 {
> > > > > > family inet {
> > > > > > address 10.10.104.4/32;
> > > > > > }
> > > > > >protocols {
> > > > > > mpls {
> > > > > > interface so-2/2/0.0;
> > > > > > }
> > > > > > bgp {
> > > > > > group MPVN {
> > > > > > type internal;
> > > > > > local-address 10.10.104.4;
> > > > > > neighbor 10.10.104.3 {
> > > > > > family inet-vpn {
> > > > > > unicast;
> > > > > > }
> > > > > > }
> > > > > > }
> > > > > > }
> > > > > > ospf {
> > > > > > area 0.0.0.0 {
> > > > > > interface so-1/2/0.0;
> > > > > > interface so-2/2/0.0;
> > > > > > interface lo0.0;
> > > > > > }
> > > > > > }
> > > > > > ldp {
> > > > > > interface so-2/2/0.0;
> > > > > > interface lo0.0;
> > > > > > }
> > > > > >policy-options {
> > > > > > policy-statement VRFIMP1 {
> > > > > > term a {
> > > > > > from {
> > > > > > protocol bgp;
> > > > > > community COMM1;
> > > > > > }
> > > > > > then accept;
> > > > > > }
> > > > > > term b {
> > > > > > then reject;
> > > > > > }
> > > > > > }
> > > > > > policy-statement VRFEXP1 {
> > > > > > term a {
> > > > > > from protocol [ direct local ];
> > > > > > then {
> > > > > > community add COMM1;
> > > > > > accept;
> > > > > > }
> > > > > > }
> > > > > > term b {
> > > > > > then reject;
> > > > > > }
> > > > > > community COMM1 members target:1:1;
> > > > > >
> > > > > >routing-instances {
> > > > > > VRF1 {
> > > > > > instance-type vrf;
> > > > > > interface ge-2/3/0.0;
> > > > > > route-distinguisher 1:1;
> > > > > > vrf-import VRFIMP1;
> > > > > > vrf-export VRFEXP1;
> > > > > > }
> > > > > >
> > > > > >
> > > > > >
> > > > > >_______________________________________________
> > > > > >juniper-nsp mailing list juniper-nsp at puck.nether.net
> > > > > >http://puck.nether.net/mailman/listinfo/juniper-nsp
> > > > >
> > > > > _______________________________________________
> > > > > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > > > > http://puck.nether.net/mailman/listinfo/juniper-nsp
> > > > >
> > > >
> > > > _______________________________________________
> > > > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > > > http://puck.nether.net/mailman/listinfo/juniper-nsp
> > > >
> > >
> > > _______________________________________________
> > > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > > http://puck.nether.net/mailman/listinfo/juniper-nsp
> > >
> >
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/juniper-nsp
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>
More information about the juniper-nsp
mailing list