[j-nsp] L3 MPLS VPN on Olive
Leonard Giuliano
lenny at juniper.net
Tue Nov 6 16:35:21 EST 2007
This is expected. Forwarding unicast packets across L3VPNs doesn't work
on olives, though as you can see, you should be able to get the control
plane up. Interestingly, mcast forwarding will work if you want to try
out MVPNs.
Olives don't have a PFE, so some PFE stuff doesn't work. This is one
example of something that doesn't work.
-Lenny
On Sun, 4 Nov 2007, Junaid wrote:
-) Hi,
-)
-) I am testing MPLS L3VPNs on Olive. I have two directly connected PE
-) routers (olive1 and olive2) and one CE router (olive3) connected to
-) olive2. The PE routers share a /30 subnet on their connecting link
-) (fxp0s on both routers connected via tap interfaces). The loopbacks of
-) both the PE routers are statically routed on the other PE router (no
-) IGP used for simplicity). I have created a VRF named "VPN" on both
-) routers and put one loopback interface each (other than the one used
-) for the PE routers) in the VRF. Also, the interface connecting CE
-) (olive3) to olive2 is also put in this VRF. Now, as indicated by
-) routing tables, my control plane as well as my data plane information
-) is as it should be, VPN routes are reaching from one PE to the other
-) and forwarding table has the next-hop defined correctly. I am able to
-) ping loopbacks in the VRFs from one PE to the other but I am unable to
-) ping (from olive1) the interface IPs of the PE-CE link and the
-) loopback of the CE router - the loopback of the CE router is
-) statically routed (inside the VRF) on olive2. Can anyone help me on
-) this!
-)
-) A word about my olive environment; I have three olive instances on a
-) Windows machine booted via "jqemu". All the instantiated interfaces
-) are connected to "tap" interfaces on the host machine. All the tap
-) interfaces are bridged together - so we can assume that all interfaces
-) are connected on an L2 switch. I have also tested this situation by
-) connecting instances using sockets but I got the same result. However,
-) all the outputs below are based on the bridged version of the setup.
-)
-) Pertinent configs and outputs are as follows, I will really appreciate
-) any help on this :)
-)
-) -----------------------------------------
-) root@olive1> show configuration
-) version 7.0R1.5;
-) system {
-)     host-name olive1;
-)     syslog {
-)         file logs {
-)             any any;
-)         }
-)     }
-) }
-) interfaces {
-)     fxp0 {
-)         unit 0 {
-)             family inet {
-)                 address 10.0.0.1/24;
-)             }
-)             family mpls;
-)         }
-)     }
-)     lo0 {
-)         unit 0 {
-)             family inet {
-)                 address 10.10.0.1/32;
-)             }
-)         }
-)         unit 1 {
-)             family inet {
-)                 address 192.168.1.254/32;
-)             }
-)         }
-)     }
-) }
-) routing-options {
-)     static {
-)         route 10.10.0.2/32 next-hop 10.0.0.2;
-)     }
-)     router-id 10.10.0.1;
-)     autonomous-system 64512;
-) }
-) protocols {
-)     rsvp {
-)         traceoptions {
-)             file rsvp-logs world-readable;
-)             flag all;
-)         }
-)         interface fxp0.0;
-)         interface all;
-)     }
-)     mpls {
-)         label-switched-path testp {
-)             from 10.0.0.1;
-)             to 10.0.0.2;
-)             no-cspf;
-)         }
-)         interface fxp0.0;
-)     }
-)     bgp {
-)         group o1to2 {
-)             type internal;
-)             neighbor 10.0.0.2 {
-)                 family inet-vpn {
-)                     unicast;
-)                 }
-)             }
-)         }
-)     }
-) }
-) routing-instances {
-)     VPN {
-)         instance-type vrf;
-)         interface lo0.1;
-)         route-distinguisher 64512:1;
-)         vrf-target target:64512:100;
-)     }
-) }
-)
-) root@olive1>
-)
-) -----------------------------------------
-)
-) root@olive2> show configuration
-) version 7.0R1.5;
-) system {
-)     host-name olive2;
-) }
-) interfaces {
-)     fxp0 {
-)         unit 0 {
-)             family inet {
-)                 address 10.0.0.2/24;
-)             }
-)             family mpls;
-)         }
-)     }
-)     fxp1 {
-)         unit 0 {
-)             family inet {
-)                 address 10.1.0.1/24;
-)             }
-)         }
-)     }
-)     lo0 {
-)         unit 0 {
-)             family inet {
-)                 address 10.10.0.2/32;
-)             }
-)         }
-)         unit 2 {
-)             family inet {
-)                 address 192.168.2.254/32;
-)             }
-)         }
-)     }
-) }
-) routing-options {
-)     static {
-)         route 10.10.0.1/32 next-hop 10.0.0.1;
-)     }
-)     router-id 10.10.0.2;
-)     autonomous-system 64512;
-) }
-) protocols {
-)     rsvp {
-)         interface fxp0.0;
-)         interface all;
-)     }
-)     mpls {
-)         label-switched-path testp {
-)             from 10.0.0.2;
-)             to 10.0.0.1;
-)             no-cspf;
-)         }
-)         interface fxp0.0;
-)     }
-)     bgp {
-)         group o1to2 {
-)             type internal;
-)             neighbor 10.0.0.1 {
-)                 family inet-vpn {
-)                     unicast;
-)                 }
-)             }
-)         }
-)     }
-) }
-) routing-instances {
-)     VPN {
-)         instance-type vrf;
-)         interface lo0.2;
-)         interface fxp1.0;
-)         route-distinguisher 64512:2;
-)         vrf-target target:64512:100;
-)         routing-options {
-)             static {
-)                 route 172.16.10.254/32 next-hop 10.1.0.2;
-)             }
-)         }
-)     }
-) }
-)
-) root@olive2>
-)
-)
-) -----------------------------------------
-)
-) root@olive3> show configuration
-) version 7.0R1.5;
-) system {
-)     host-name olive3;
-) }
-) interfaces {
-)     fxp0 {
-)         unit 0 {
-)             family inet {
-)                 address 10.1.0.2/24;
-)             }
-)             family mpls;
-)         }
-)     }
-)     lo0 {
-)         unit 0 {
-)             family inet {
-)                 address 172.16.10.254/32;
-)             }
-)         }
-)     }
-) }
-) routing-options {
-)     static {
-)         route 0.0.0.0/0 next-hop 10.1.0.1;
-)     }
-) }
-)
-)
-) -----------------------------------------
-) root@olive1> show route
-)
-) inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
-) + = Active Route, - = Last Active, * = Both
-)
-) 10.0.0.0/24 *[Direct/0] 00:12:57
-) > via fxp0.0
-) 10.0.0.1/32 *[Local/0] 00:12:57
-) Local via fxp0.0
-) 10.10.0.1/32 *[Direct/0] 00:12:57
-) > via lo0.0
-) 10.10.0.2/32 *[Static/5] 00:12:55
-) > to 10.0.0.2 via fxp0.0
-)
-) inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
-) + = Active Route, - = Last Active, * = Both
-)
-) 10.0.0.2/32 *[RSVP/7] 00:12:44, metric 65535
-) > to 10.0.0.2 via fxp0.0, label-switched-path testp
-)
-) VPN.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
-) + = Active Route, - = Last Active, * = Both
-)
-) 10.1.0.0/24 *[BGP/170] 00:12:37, localpref 100
-) AS path: I
-) > to 10.0.0.2 via fxp0.0, label-switched-path testp
-) 172.16.10.254/32 *[BGP/170] 00:12:37, localpref 100
-) AS path: I
-) > to 10.0.0.2 via fxp0.0, label-switched-path testp
-) 192.168.1.254/32 *[Direct/0] 00:12:55
-) > via lo0.1
-) 192.168.2.254/32 *[BGP/170] 00:12:37, localpref 100
-) AS path: I
-) > to 10.0.0.2 via fxp0.0, label-switched-path testp
-)
-) mpls.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
-) + = Active Route, - = Last Active, * = Both
-)
-) 0 *[MPLS/0] 00:13:03, metric 1
-) Receive
-) 1 *[MPLS/0] 00:13:03, metric 1
-) Receive
-) 2 *[MPLS/0] 00:13:03, metric 1
-) Receive
-) 100000 *[VPN/170] 00:12:37
-) receive table VPN.inet.0, Pop
-)
-) bgp.l3vpn.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
-) + = Active Route, - = Last Active, * = Both
-)
-) 64512:2:10.1.0.0/24
-) *[BGP/170] 00:12:37, localpref 100
-) AS path: I
-) > to 10.0.0.2 via fxp0.0, label-switched-path testp
-) 64512:2:172.16.10.254/32
-) *[BGP/170] 00:12:37, localpref 100
-) AS path: I
-) > to 10.0.0.2 via fxp0.0, label-switched-path testp
-) 64512:2:192.168.2.254/32
-) *[BGP/170] 00:12:37, localpref 100
-) AS path: I
-) > to 10.0.0.2 via fxp0.0, label-switched-path testp
-)
-) __juniper_private1__.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0
-) hidden)
-) + = Active Route, - = Last Active, * = Both
-)
-) fe80::2aa:ff:fe00:101/128
-) *[Direct/0] 00:12:55
-) > via lo0.16385
-)
-) root@olive1>
-)
-)
-)
-) -----------------------------------------
-) root@olive2> show route
-)
-) inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
-) + = Active Route, - = Last Active, * = Both
-)
-) 10.0.0.0/24 *[Direct/0] 00:13:52
-) > via fxp0.0
-) 10.0.0.2/32 *[Local/0] 00:13:52
-) Local via fxp0.0
-) 10.10.0.1/32 *[Static/5] 00:13:51
-) > to 10.0.0.1 via fxp0.0
-) 10.10.0.2/32 *[Direct/0] 00:13:52
-) > via lo0.0
-)
-) inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
-) + = Active Route, - = Last Active, * = Both
-)
-) 10.0.0.1/32 *[RSVP/7] 00:13:48, metric 65535
-) > to 10.0.0.1 via fxp0.0, label-switched-path testp
-)
-) VPN.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
-) + = Active Route, - = Last Active, * = Both
-)
-) 10.1.0.0/24 *[Direct/0] 00:13:53
-) > via fxp1.0
-) 10.1.0.1/32 *[Local/0] 00:13:53
-) Local via fxp1.0
-) 172.16.10.254/32 *[Static/5] 00:13:52
-) > to 10.1.0.2 via fxp1.0
-) 192.168.1.254/32 *[BGP/170] 00:13:42, localpref 100
-) AS path: I
-) > to 10.0.0.1 via fxp0.0, label-switched-path testp
-) 192.168.2.254/32 *[Direct/0] 00:13:53
-) > via lo0.2
-)
-) mpls.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
-) + = Active Route, - = Last Active, * = Both
-)
-) 0 *[MPLS/0] 00:13:56, metric 1
-) Receive
-) 1 *[MPLS/0] 00:13:56, metric 1
-) Receive
-) 2 *[MPLS/0] 00:13:56, metric 1
-) Receive
-) 100000 *[VPN/170] 00:13:43
-) > to 10.1.0.2 via fxp1.0, Pop
-) 100016 *[VPN/170] 00:13:43
-) receive table VPN.inet.0, Pop
-)
-) bgp.l3vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
-) + = Active Route, - = Last Active, * = Both
-)
-) 64512:1:192.168.1.254/32
-) *[BGP/170] 00:13:42, localpref 100
-) AS path: I
-) > to 10.0.0.1 via fxp0.0, label-switched-path testp
-)
-) __juniper_private1__.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0
-) hidden)
-) + = Active Route, - = Last Active, * = Both
-)
-) fe80::2aa:ff:fe00:103/128
-) *[Direct/0] 00:13:52
-) > via lo0.16385
-)
-) root@olive2>
-)
-)
-) -----------------------------------------
-)
-) root@olive3> show route
-)
-) inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
-) + = Active Route, - = Last Active, * = Both
-)
-) 0.0.0.0/0 *[Static/5] 00:06:47
-) > to 10.1.0.1 via fxp0.0
-) 10.1.0.0/24 *[Direct/0] 00:06:49
-) > via fxp0.0
-) 10.1.0.2/32 *[Local/0] 00:06:49
-) Local via fxp0.0
-) 172.16.10.254/32 *[Direct/0] 00:06:48
-) > via lo0.0
-)
-) __juniper_private1__.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0
-) hidden)
-) + = Active Route, - = Last Active, * = Both
-)
-) fe80::2aa:ff:fe00:105/128
-) *[Direct/0] 00:06:48
-) > via lo0.16385
-)
-) root@olive3>
-)
-)
-) -----------------------------------------
-)
-) From olive1 I am able to ping 192.168.2.254 which is the loopback on
-) olive2 in the VRF:
-)
-) root@olive1> ping 192.168.2.254
-) PING 192.168.2.254 (192.168.2.254): 56 data bytes
-) ping: sendto: No route to host
-)
-) ^C
-) --- 192.168.2.254 ping statistics ---
-) 1 packets transmitted, 0 packets received, 100% packet loss
-)
-) root@olive1> ping 192.168.2.254 routing-instance VPN
-) PING 192.168.2.254 (192.168.2.254): 56 data bytes
-) 64 bytes from 192.168.2.254: icmp_seq=0 ttl=255 time=142.953 ms
-) 64 bytes from 192.168.2.254: icmp_seq=1 ttl=255 time=1.657 ms
-) 64 bytes from 192.168.2.254: icmp_seq=2 ttl=255 time=4.885 ms
-)
-) ^C
-) --- 192.168.2.254 ping statistics ---
-) 3 packets transmitted, 3 packets received, 0% packet loss
-) round-trip min/avg/max/stddev = 1.657/49.832/142.953/65.860 ms
-)
-) Similarly I can ping the loopback in VRF on olive1 from olive2 (output
-) not shown).
-)
-) -----------------------------------------
-)
-) Also, I am unable to ping the interface IPs on the link shared by
-) olive2 and CE router from olive1.
-)
-) root@olive1> ping 10.1.0.1 routing-instance VPN
-) PING 10.1.0.1 (10.1.0.1): 56 data bytes
-) ^C
-) --- 10.1.0.1 ping statistics ---
-) 5 packets transmitted, 0 packets received, 100% packet loss
-)
-) root@olive1>
-)
-) root@olive1> ping 10.1.0.2 routing-instance VPN
-) PING 10.1.0.2 (10.1.0.2): 56 data bytes
-) ^C
-) --- 10.1.0.2 ping statistics ---
-) 5 packets transmitted, 0 packets received, 100% packet loss
-)
-) root@olive1>
-)
-) -----------------------------------------
-)
-) However, I am unable to ping the loopback on CE from olive1 while I
-) can ping it from Olive2:
-)
-) root@olive1> ping 172.16.10.254 routing-instance VPN
-) PING 172.16.10.254 (172.16.10.254): 56 data bytes
-) ^C
-) --- 172.16.10.254 ping statistics ---
-) 7 packets transmitted, 0 packets received, 100% packet loss
-)
-)
-)
-) root@olive2> ping 172.16.10.254 routing-instance VPN
-) PING 172.16.10.254 (172.16.10.254): 56 data bytes
-) 64 bytes from 172.16.10.254: icmp_seq=0 ttl=255 time=47.467 ms
-) 64 bytes from 172.16.10.254: icmp_seq=1 ttl=255 time=3.266 ms
-) 64 bytes from 172.16.10.254: icmp_seq=2 ttl=255 time=4.939 ms
-) 64 bytes from 172.16.10.254: icmp_seq=3 ttl=255 time=3.078 ms
-)
-) ^C
-) --- 172.16.10.254 ping statistics ---
-) 4 packets transmitted, 4 packets received, 0% packet loss
-) round-trip min/avg/max/stddev = 3.078/14.688/47.467/18.939 ms
-)
-)
-)
-) -----------------------------------------
-)
-) Sniffing on the CORE interface on olive2 while pinging the loopback on
-) CE from olive1 shows that ICMP (MPLS) packets are received from olive1
-) with the correct VPN label but strangely olive2 router seems to DROP
-) THEM SILENTLY. I have sniffed on CE but no packet is received on its
-) interface!
-)
-)
-) root@olive2> monitor traffic interface fxp0 extensive
-) Listening on fxp0, capture size 96 bytes
-)
-) 14:52:12.818208 In 0:aa:0:0:1:1 0:aa:0:0:1:3 8847 102: MPLS (label
-) 100000, exp 0, [S], ttl 255)
-) (tos 0x0, ttl 255, id 29970, offset 0, flags [none], proto:
-) ICMP (1), length: 84) 192.168.1.254 > 172.16.10.254: ICMP echo request
-) seq 14080, length 64
-)
-) 14:52:13.253471 In 0:aa:0:0:1:1 0:aa:0:0:1:3 8847 102: MPLS (label
-) 100000, exp 0, [S], ttl 255)
-) (tos 0x0, ttl 255, id 29971, offset 0, flags [none], proto:
-) ICMP (1), length: 84) 192.168.1.254 > 172.16.10.254: ICMP echo request
-) seq 14336, length 64
-)
-) 14:52:13.680046 In 0:aa:0:0:1:1 0:aa:0:0:1:3 8847 102: MPLS (label
-) 100000, exp 0, [S], ttl 255)
-) (tos 0x0, ttl 255, id 29972, offset 0, flags [none], proto:
-) ICMP (1), length: 84) 192.168.1.254 > 172.16.10.254: ICMP echo request
-) seq 14592, length 64
-)
-) 14:52:14.115719 In 0:aa:0:0:1:1 0:aa:0:0:1:3 8847 102: MPLS (label
-) 100000, exp 0, [S], ttl 255)
-) (tos 0x0, ttl 255, id 29973, offset 0, flags [none], proto:
-) ICMP (1), length: 84) 192.168.1.254 > 172.16.10.254: ICMP echo request
-) seq 14848, length 64
-)
-) 14:52:14.549708 In 0:aa:0:0:1:1 0:aa:0:0:1:3 8847 102: MPLS (label
-) 100000, exp 0, [S], ttl 255)
-) (tos 0x0, ttl 255, id 29974, offset 0, flags [none], proto:
-) ICMP (1), length: 84) 192.168.1.254 > 172.16.10.254: ICMP echo request
-) seq 15104, length 64
-)
-) 14:52:14.984292 In 0:aa:0:0:1:1 0:aa:0:0:1:3 8847 102: MPLS (label
-) 100000, exp 0, [S], ttl 255)
-) (tos 0x0, ttl 255, id 29975, offset 0, flags [none], proto:
-) ICMP (1), length: 84) 192.168.1.254 > 172.16.10.254: ICMP echo request
-) seq 15360, length 64
-)
-) 14:52:15.419728 In 0:aa:0:0:1:1 0:aa:0:0:1:3 8847 102: MPLS (label
-) 100000, exp 0, [S], ttl 255)
-) (tos 0x0, ttl 255, id 29976, offset 0, flags [none], proto:
-) ICMP (1), length: 84) 192.168.1.254 > 172.16.10.254: ICMP echo request
-) seq 15616, length 64
-)
-) 14:52:15.849263 In 0:aa:0:0:1:1 0:aa:0:0:1:3 8847 102: MPLS (label
-) 100000, exp 0, [S], ttl 255)
-) (tos 0x0, ttl 255, id 29977, offset 0, flags [none], proto:
-) ICMP (1), length: 84) 192.168.1.254 > 172.16.10.254: ICMP echo request
-) seq 15872, length 64
-)
-) 14:52:16.288540 In 0:aa:0:0:1:1 0:aa:0:0:1:3 8847 102: MPLS (label
-) 100000, exp 0, [S], ttl 255)
-) (tos 0x0, ttl 255, id 29978, offset 0, flags [none], proto:
-) ICMP (1), length: 84) 192.168.1.254 > 172.16.10.254: ICMP echo request
-) seq 16128, length 64
-)
-) 14:52:16.718826 In 0:aa:0:0:1:1 0:aa:0:0:1:3 8847 102: MPLS (label
-) 100000, exp 0, [S], ttl 255)
-) (tos 0x0, ttl 255, id 29979, offset 0, flags [none], proto:
-) ICMP (1), length: 84) 192.168.1.254 > 172.16.10.254: ICMP echo request
-) seq 16384, length 64
-)
-) 14:52:17.434696 In 0:aa:0:0:1:1 0:aa:0:0:1:3 8847 102: MPLS (label
-) 100000, exp 0, [S], ttl 255)
-) (tos 0x0, ttl 255, id 29980, offset 0, flags [none], proto:
-) ICMP (1), length: 84) 192.168.1.254 > 172.16.10.254: ICMP echo request
-) seq 16640, length 64
-)
-) 14:52:17.616305 Out 0:aa:0:0:1:3 0:aa:0:0:1:1 ip 85: (tos 0xc0, ttl
-) 64, id 18716, offset 0, flags [none], proto: TCP (6), length: 71)
-) 10.0.0.2.4944 > 10.0.0.1.bgp: P 92357182:92357201(19) ack 3673416124
-) win 16486 <nop,nop
-) ,timestamp 249499 252521>: BGP, length: 19
-) Keepalive Message (4), length: 19
-)
-) 14:52:17.659058 In 0:aa:0:0:1:1 0:aa:0:0:1:3 ip 66: (tos 0xc0, ttl
-) 64, id 29981, offset 0, flags [none], proto: TCP (6), length: 52)
-) 10.0.0.1.bgp > 10.0.0.2.4944: . 1:1(0) ack 19 win 16384
-) <nop,nop,timestamp 256336 24949
-) 9>
-)
-) 14:52:17.864884 In 0:aa:0:0:1:1 0:aa:0:0:1:3 8847 102: MPLS (label
-) 100000, exp 0, [S], ttl 255)
-) (tos 0x0, ttl 255, id 29982, offset 0, flags [none], proto:
-) ICMP (1), length: 84) 192.168.1.254 > 172.16.10.254: ICMP echo request
-) seq 16896, length 64
-)
-) ^C
-) 20 packets received by filter
-) 0 packets dropped by kernel
-)
-) root@olive2>
-)
-) -----------------------------------------
-)
-)
-) Regards,
-)
-) JunaidM
-) _______________________________________________
-) juniper-nsp mailing list juniper-nsp at puck.nether.net
-) https://puck.nether.net/mailman/listinfo/juniper-nsp
-)
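
An added example, not part of the original thread: it cross-checks the MPLS label seen in the olive2 capture against olive2's mpls.0 table to show which action the control plane installed for it, which is the state the reply describes as coming up even though forwarding fails. The input is copied from the quoted output (capture line unwrapped); the function names are this example's own.

```python
import re

# Input copied from the olive2 output quoted above (capture line unwrapped).
# Function names are this example's own, not a Junos or tcpdump API.
MPLS_TABLE = """\
0 *[MPLS/0] 00:13:56, metric 1
Receive
100000 *[VPN/170] 00:13:43
> to 10.1.0.2 via fxp1.0, Pop
100016 *[VPN/170] 00:13:43
receive table VPN.inet.0, Pop
"""
CAPTURE = (
    "14:52:12.818208 In 0:aa:0:0:1:1 0:aa:0:0:1:3 8847 102: MPLS (label "
    "100000, exp 0, [S], ttl 255) (tos 0x0, ttl 255, id 29970, offset 0, "
    "flags [none], proto: ICMP (1), length: 84) 192.168.1.254 > "
    "172.16.10.254: ICMP echo request seq 14080, length 64"
)

def parse_mpls_table(text):
    """Map each label in 'show route' mpls.0 output to protocol and action."""
    table, label = {}, None
    for line in (l.strip() for l in text.splitlines()):
        head = re.match(r"(\d+)\s+\*\[(\w+)/\d+\]", line)
        if head:
            label = int(head.group(1))
            table[label] = {"proto": head.group(2), "action": None}
        elif line and label is not None and table[label]["action"] is None:
            table[label]["action"] = line.lstrip("> ")
    return table

def parse_capture(line):
    """Pull direction, label, bottom-of-stack flag and inner IPs from one frame."""
    mpls = re.search(
        r"\b(In|Out) .*?MPLS \(label (\d+), exp \d+, (\[S\], )?ttl \d+\)", line)
    ips = re.search(r"(\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}):", line)
    if not mpls or not ips:
        return None  # not an MPLS-encapsulated IP frame
    return {"dir": mpls.group(1), "label": int(mpls.group(2)),
            "bottom": mpls.group(3) is not None,
            "src": ips.group(1), "dst": ips.group(2)}

def installed_action(table, pkt):
    """Describe what mpls.0 says should happen to a packet with this label."""
    entry = table.get(pkt["label"])
    if entry is None:
        return "label %d: no mpls.0 entry" % pkt["label"]
    return "label %d [%s]: %s" % (pkt["label"], entry["proto"], entry["action"])

if __name__ == "__main__":
    pkt = parse_capture(CAPTURE)
    print(pkt)
    print(installed_action(parse_mpls_table(MPLS_TABLE), pkt))
```
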