
PE-CE iBGP in MPLS VPN

  • 1.  PE-CE iBGP in MPLS VPN

    Posted 05-29-2018 07:57

    Hello,

     

    We are setting up a new network, migrating from a baremetal network to an MPLS EVPN enabled network on QFX5200 and 5110.

     

    We decided to preserve the internal AS across the whole infrastructure to ease our migration and avoid using additional AS numbers.

     

    The whole IS-IS/LDP/RSVP/BGP setup is in place and works great with routing-instances direct routes, however we are using BGP with one CE, namely our Firewall. 

     

    We've followed the following doc: https://www.juniper.net/documentation/en_US/junos/topics/usage-guidelines/vpns-configuring-layer-3-vpns-to-carry-ibgp-traffic.html

     

    Routes received from the firewall do not propagate in the MPLS domain, the remote PE shows the following:

     

    State: <Secondary Hidden Int Ext ProtectionCand>
    Inactive reason: Unusable path

     

     

    We have configured the "routing-options autonomous-system independent-domain" under the routing instance with no change.  We've also tried the AS-override on top of it but still no luck.

     

    The PEs have a policy-statement of "next-hop self" between them.

     

    Am I forgetting something?



  • 2.  RE: PE-CE iBGP in MPLS VPN

    Posted 06-04-2018 20:57

    Hi!

     

    It is difficult to answer without completely understanding your network, but let's give it a try...  You mentioned:

     

    =======

    Routes received from the firewall do not propagate in the MPLS domain, the "remote" PE shows the following:

     

    State: <Secondary Hidden Int Ext ProtectionCand>
    Inactive reason: Unusable path

    ======

     

    This means that the route is being advertised by the local PE (connecting to the CE) and routes are being received on the remote end, but not installed in the routing table.

     

    ====== 

    The PE have a policy-statement of "next-hop self" between them.

    ======

     

    You also have an NHS policy... I would suggest cross-checking the protocol next-hop on the routes received on the remote end (should be the loopback of the local PE) and ensuring that the protocol next-hop is reachable via inet.3.

     

    There may be other reasons for it, but this seems to be the most probable.



  • 3.  RE: PE-CE iBGP in MPLS VPN
    Best Answer

    Posted 06-05-2018 05:40

    Hi Amit,

     

    In the end the problem was with traffic engineering (deploying so many new things at the same time)... we had traffic engineering set to bgp-igp, removing the routes from inet.3.  We changed it to bgp-igp-both-rib and we are good to go.

     

    I'll mark your answer as accepted as you did pinpoint the inet.3 😉



  • 4.  RE: PE-CE iBGP in MPLS VPN

    Posted 06-05-2018 06:10
    Hi!

    That's great. Good to hear the problem was resolved. 😊

    It seems you marked your own post as the solution by mistake. Could you please change it to my post, so that anyone following this thread gets to look at the correct answer.

    Thanks
    Amit
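
The fix described in the thread, shown as a before/after Junos configuration fragment. This is an added example, not configuration posted by the participants; the Junos statement is spelled `bgp-igp-both-ribs`, and `<pe-loopback>` and `<instance>` are placeholders.

```junos
/* Before: LDP/RSVP LSP routes are moved from inet.3 into inet.0.
   inet.3 is left empty, so VPN routes learned over the PE-PE BGP
   session, whose protocol next hop (the remote PE loopback) is
   resolved through inet.3, are hidden with "Unusable path". */
protocols {
    mpls {
        traffic-engineering bgp-igp;
    }
}

/* After: LSP routes are installed in both inet.0 and inet.3, so the
   protocol next hop resolves again and the VPN routes become active. */
protocols {
    mpls {
        traffic-engineering bgp-igp-both-ribs;
    }
}

/* Checks on the remote PE, in operational mode:
     show route table inet.3 <pe-loopback>
     show route table <instance>.inet.0 hidden extensive
   The first must return an LDP or RSVP route to the advertising PE's
   loopback; the second should no longer list the CE prefixes. */
```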