L3vpn - could not ping ce

  • 1.  L3vpn - could not ping ce

    Posted 02-05-2019 13:54

    Hello everyone.

    I've got a problem with L3VPN. The current schema looks like this:

    CE1 is directly connected to PE1(MX104-1):

    instance-type vrf;
    interface ae1.4083;
    route-distinguisher 1.1.1.1:20000;
    vrf-import L3VPN-BG-IMPORT;
    vrf-export L3VPN-BG-EXPORT;
    vrf-table-label;
    

    CE2 connected to PE2(ACX2100) injects 0/0 route into vrf:

    instance-type vrf;
    interface ge-1/1/0.669;
    route-distinguisher 3.3.3.3:20000;
    vrf-import L3VPN-BG-IMPORT;
    vrf-export L3VPN-BG-EXPORT;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.199.0.34;
        }
    }
    

    PE1 and PE2 are route reflectors, but they have LSPs from each other, so 1.1.1.1 and 2.2.2.2 are in the inet.3 table of each RR.

    I have a very strange problem. I got routes visible on each PE:

    PE1:

    run show route table VPN-A.inet.0:

    0.0.0.0/0          *[BGP/170] 00:10:16, localpref 100, from 3.3.3.3
                          AS path: I, validation-state: unverified
                        > to 172.16.31.14 via xe-2/0/0.1077, Push 300352
    10.194.36.0/24     *[Direct/0] 8w0d 06:28:53
                        > via ae1.4083
    10.194.36.1/32     *[Local/0] 8w0d 06:28:53
                          Local via ae1.4083
    

    PE2:

    0.0.0.0/0          *[Static/5] 8w0d 06:32:48
                        > to 10.199.0.34 via ge-1/1/0.669
    10.194.36.0/24     *[BGP/170] 00:11:06, localpref 100, from 1.1.1.1
                          AS path: I, validation-state: unverified
                        > to 172.16.31.13 via xe-1/3/0.1077, label-switched-path ACX-MX
                          to 172.16.31.17 via xe-1/3/0.2341, label-switched-path ACX-MX
    10.199.0.32/30     *[Direct/0] 8w0d 06:30:52
                        > via ge-1/1/0.669
    10.199.0.33/32     *[Local/0] 8w0d 06:30:52
                          Local via ge-1/1/0.669
    

    This works when I use path (1) for traffic forwarding (PE1(MX104-1)->PE2(ACX2100)).

    If the path changes to PE1(MX104-1)->P(MX104-2)->PE2(ACX2100), I still have all routes in the VRF's routing table, but I cannot ping networks behind CE2 from CE1.

    PE1:

    0.0.0.0/0          *[BGP/170] 00:03:10, localpref 100, from 3.3.3.3
                          AS path: I, validation-state: unverified
                        > to 172.16.1.239 via xe-2/0/2.100, Push 300352
                        [BGP/170] 00:03:09, localpref 100, from 2.2.2.2
                          AS path: I, validation-state: unverified
                        > to 172.16.1.239 via xe-2/0/2.100, Push 300352
    10.194.36.0/24     *[Direct/0] 8w0d 06:44:12
                        > via ae1.4083
    10.194.36.1/32     *[Local/0] 8w0d 06:44:12
                          Local via ae1.4083
    

    PE2:

    0.0.0.0/0          *[Static/5] 8w0d 06:49:06
                        > to 10.199.0.34 via ge-1/1/0.669
    10.194.36.0/24     *[BGP/170] 00:04:59, localpref 100, from 1.1.1.1
                          AS path: I, validation-state: unverified
                        > to 172.16.31.29 via xe-1/3/1.3347, label-switched-path ACX-MX
                          to 172.16.31.13 via xe-1/3/0.1077, label-switched-path ACX-MX
    10.199.0.32/30     *[Direct/0] 8w0d 06:47:10
                        > via ge-1/1/0.669
    10.199.0.33/32     *[Local/0] 8w0d 06:47:10
                          Local via ge-1/1/0.669
    

    And I have a bunch of L2VPN PWs from PE1 to PE2 - they work well.



  • 2.  RE: L3vpn - could not ping ce

     
    Posted 02-06-2019 19:33
    Hi smelnik,

    If the routes are in the VRFs, it doesn't seem to be a control plane issue. I assume PE2-CE2 is not Ethernet? Otherwise we may need "vrf-table-label" on CE2 as well.
    Did you fix the issue?

    Hope this helps.

    Regards,
    -r.



  • 3.  RE: L3vpn - could not ping ce

    Posted 02-07-2019 05:57

    Hello.

    All links are Ethernet.

    vrf-table-label is configured on PE1. Not sure if it helps on the PE2 side - there is a next-hop. But I tried it anyway - it didn't help.

     



  • 4.  RE: L3vpn - could not ping ce

    Posted 02-06-2019 20:03

    Hi Smelnik,

     

    Did you check the reverse path? Are you sure it is taking path 2? What do you see in the forwarding table? Maybe you need to specify the source IP while running ping.

     

    Thanks,

     



  • 5.  RE: L3vpn - could not ping ce

    Posted 02-07-2019 06:05

    The reverse path is up and working. There are lots of L2VPN PWs from PE2 to PE1 and they are all up and running using path 2.

    As a workaround I've added IP 4.4.4.4/32 to the PE-2 loopback and changed the export policy for L3VPN to match next-hop 4.4.4.4:

     show configuration policy-options policy-statement L3VPN-BG-EXPORT
    term 1 {
        from protocol static;
        then {
            community add L3VPN-BG-EXPORT;
            next-hop 4.4.4.4;
            accept;
        }
    }
    term 2 {
        then reject;
    }
    

    I made a new LSP that follows the IGP and uses path 1 on PE1, and L3VPN is now working like this:

    From PE1 to PE2 it goes through path 1.

    And from PE2 to PE1 it goes through path 2.



  • 6.  RE: L3vpn - could not ping ce
    Best Answer

    Posted 02-08-2019 08:42

    So I've found why there was no second push: on this RR, which was an RR without any VRFs, the statement rib bgp.l3vpn.0 resolution-ribs inet.0 was turned on.

    So next-hop was resolved through inet.0, not inet.3.

     

    Thanks everyone 🙂
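
The symptom named in the best answer (no second push) can be read straight from the `show route table VPN-A.inet.0` output; the following is an added example, not code from the thread, that parses that output and lists BGP next hops carrying only the VPN label. The function names, the `adjacent_pe_hops` parameter and the transport label 299776 are assumptions made for illustration; the two-label form `Push <vpn>, Push <transport>(top)` is how Junos prints a full label stack.

```python
import re

ROUTE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)?\s*\*?\[(\w+)/\d+\]")
HOP = re.compile(r"^>?\s*to (\S+) via ([^,\s]+)(?:,\s*(.*))?$")
PUSH = re.compile(r"Push (\d+)")

def label_stacks(text):
    """One record per next hop: prefix, protocol, next hop, interface, pushed labels."""
    records, prefix, proto = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE.match(line)
        if m:
            # A second path for the same prefix is printed with an empty prefix column.
            prefix, proto = m.group(1) or prefix, m.group(2)
            continue
        m = HOP.match(line)
        if m and prefix:
            labels = [int(n) for n in PUSH.findall(m.group(3) or "")]
            records.append({"prefix": prefix, "proto": proto, "next_hop": m.group(1),
                            "ifname": m.group(2), "labels": labels})
    return records

def missing_transport_label(records, adjacent_pe_hops=()):
    """BGP next hops with fewer than two labels. Hops that land directly on the
    egress PE are skipped: penultimate-hop popping leaves only the VPN label there."""
    return [r for r in records if r["proto"] == "BGP" and len(r["labels"]) < 2
            and r["next_hop"] not in adjacent_pe_hops]

# Excerpt of the PE1 output from the thread after the path moved through the P router.
VIA_P = """\
0.0.0.0/0          *[BGP/170] 00:03:10, localpref 100, from 3.3.3.3
                      AS path: I, validation-state: unverified
                    > to 172.16.1.239 via xe-2/0/2.100, Push 300352
                    [BGP/170] 00:03:09, localpref 100, from 2.2.2.2
                      AS path: I, validation-state: unverified
                    > to 172.16.1.239 via xe-2/0/2.100, Push 300352
10.194.36.0/24     *[Direct/0] 8w0d 06:44:12
                    > via ae1.4083
"""
# Constructed sample: the same route with a transport label on top (299776 is made up).
HEALTHY = """\
0.0.0.0/0          *[BGP/170] 00:03:10, localpref 100, from 3.3.3.3
                    > to 172.16.1.239 via xe-2/0/2.100, Push 300352, Push 299776(top)
"""

if __name__ == "__main__":
    for r in missing_transport_label(label_stacks(VIA_P)):
        print(f'{r["prefix"]} via {r["next_hop"]}: labels {r["labels"]} (no transport label)')
```

For the working path 1 output, pass the directly connected PE2 address (172.16.31.14 in the thread) in `adjacent_pe_hops` so the legitimate single-label next hop is not reported.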