Routing

 View Only
last person joined: 2 days ago 

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
Expand all | Collapse all

iBGP with VRF failed

  • 1.  iBGP with VRF failed

    Posted 03-04-2021 22:28
    Hello, 

    I would like to establish iBGP session between physical router with someone's VRF. Please refer to the diagram below.
    Unfortunately, It does not work. The iBGP session between Router A and B is working.  But the one between Router A and Router B's VRF is abnormal. 
    Sometime it's up, sometime it isn't.

    I can't find any document about this topic. Could you share some advices for me to bring it up ?

    My VRF's configuration : 

    > show configuration routing-instances NANCY_F1             

    instance-type vrf;

    interface lo0.7;   <-- I assign one loopback for this VRF as source address.

    route-distinguisher 212.155.127.193:1104;

    vrf-target target:1104:4809;

    vrf-table-label;

    routing-options {

        interface-routes {

            rib-group inet NANCY_F1;

        }

        static {

            route 0.0.0.0/0 {

                next-table inet.0;

                preference 254;

            }

        }

    }

    protocols {

        bgp {

            group IBGP_v4 {

    type internal;
    traceoptions {
    file ibgp size 20m;
    }
    local-address 192.168.128.10;
    log-updown;
    import [ BH-IN ACCEPT-ALL ];
    family inet {
    unicast;
    flow {
    no-install;
    no-validate FLOWSPEC-NOVALIDATE;
    }
    any;
    }
    remove-private;
    neighbor 192.168.201.147 {
    import ACCEPT-668;
    export DENY-ALL;
    tcp-mss 1350;
    }
    }

    > show bgp summary | match 192.168.201.147
    192.168.201.147 64050 0 0 0 2 1w2d 1:25:03 Connect

    Best regards
    Cloud


  • 2.  RE: iBGP with VRF failed

    Posted 03-04-2021 22:59
    Hi - 

    Do you have connectivity using "ping 192.168.201.147 source 192.168.128.10 routing-instance NANCY_F1"?


  • 3.  RE: iBGP with VRF failed

    Posted 03-05-2021 05:48
    Sounds like the connectivity is intermittent from the table containing the peer on router A to the vrf on router B.

    How is the network path created between these two peer addresses?
    We need to examine all the links and services in that path to see where the issue is occuring.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 4.  RE: iBGP with VRF failed

    Posted 03-05-2021 08:41
    I would agree with Steve. It would be helpful to see the connectivity between the two peers for the troubling connection. At first glance it seems like a classic example of one BGP peering relying on another and it cycling.


  • 5.  RE: iBGP with VRF failed

    Posted 03-08-2021 21:07

    Hi All,

     

    We're running under MPLS/RSVP with IS-IS.

     

    This is our configuration for every router.

    > show configuration protocols isis

    interface xe-1/2/2.0 {

        point-to-point;

        family inet

        family inet6

        level 2 metric 40;

        level 1 disable;

    }

    interface xe-5/1/0:2.1 {

        point-to-point;

        family inet

        family inet6

        level 2 {

            metric 20;

            ipv6-unicast-metric 20;

        }

    }

    interface xe-5/0/0:3.0 {

        point-to-point;

        family inet

        family

        level 2 metric 1;

        level 1 disable;

    }

    interface lo0.0;

     

    > show configuration protocols rsvp

    interface all;

     

    > show configuration protocols mpls

    apply-groups GR-LSP;

    path-mtu {

        rsvp mtu-signaling;

    }

    optimize-adaptive-teardown {

        p2p;

    }

    traffic-engineering {

        bgp-igp-both-ribs;

    }

    traceoptions {

        file mpls size 20m;

    }

    optimize-switchover-delay 120;

    optimize-timer 3600;

    interface all;

     

    > show configuration protocols ldp

    apply-groups GR-LSP;

    traceoptions {

        file ldp size 20m;

    }

    track-igp-metric;

    make-before-break {

        switchover-delay 5;

    }

    interface all {

        link-protection {

            dynamic-rsvp-lsp;

        }

    }

    p2mp;

    family {

        inet;

        inet6;

    }

    transport-preference ipv4;

     

    And the connectivity is like this below:

     

    > show route 192.168.201.147

     

    inet.0: 853753 destinations, 3188225 routes (853753 active, 4 holddown, 1 hidden)

    + = Active Route, - = Last Active, * = Both

     

    192.168.201.144/29  *[IS-IS/18] 5w2d 08:28:24, metric 52

                        > to 172.20.11.13 via xe-5/0/0:3.0

                        [BGP/170] 1d 02:43:55, localpref 100, from 192.168.147.2

                          AS path: I, validation-state: unverified

                        > to 172.20.11.13 via xe-5/0/0:3.0, Push 225

     

    NANCY_F1.inet.0: 831672 destinations, 834385 routes (37987 active, 0 holddown, 793729 hidden)

    + = Active Route, - = Last Active, * = Both

     

    192.168.201.144/29    *[IS-IS/18] 5w2d 08:29:43, metric 52

                        > to 172.20.11.13 via xe-5/0/0:3.0

     

    > ping 192.168.201.147 source 192.168.128.17 routing-instance NANCY_F1  

    PING 192.168.201.147 (192.168.201.147): 56 data bytes

    64 bytes from 192.168.201.147: icmp_seq=0 ttl=60 time=79.315 ms

    64 bytes from 192.168.201.147: icmp_seq=1 ttl=60 time=79.711 ms

    --- 1.32.201.147 ping statistics ---

    2 packets transmitted, 2 packets received, 0% packet loss

    round-trip min/avg/max/stddev = 79.315/79.513/79.711/0.198 ms






  • 6.  RE: iBGP with VRF failed

    Posted 03-08-2021 23:03
    In the BGP VRF configuration you provided in your original post, a local-address of 192.168.128.10 is specified with peer address 192.168.201.147.. Do you have connectivity (successful ping) between those two addresses from that VRF?


  • 7.  RE: iBGP with VRF failed

    Posted 03-08-2021 23:12

    Hi,

     

    Yes, ping is successful. 192168.128.10 is under another VRF.

    That means 192.168.201.147 established a couple of sessions with these VRFs in same router.

    But it's all failed.

     

    > ping 192.168.201.147 source 192.168.128.10 routing-instance EXTERNAL rapid count 100

    PING 192.168.201.147 (192.168.201.147): 56 data bytes

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    --- 192.168.201.147 ping statistics ---

    100 packets transmitted, 100 packets received, 0% packet loss

    round-trip min/avg/max/stddev = 79.652/80.865/108.446/3.542 ms

     

    > show route 192.168.201.147 table EXTERNAL.inet.0

     

    EXTERNAL.inet.0: 824538 destinations, 1039160 routes (824092 active, 0 holddown, 3050 hidden)

    + = Active Route, - = Last Active, * = Both

     

    192.168.201.144/29    *[IS-IS/18] 5w2d 10:36:50, metric 52

                        > to 172.20.11.13 via xe-5/0/0:3.0

     

    Best regards,

    Cloud

     






  • 8.  RE: iBGP with VRF failed

    Posted 03-09-2021 05:47
    Since connectivity is intermittent, with the peer establishing and dropping periodically, we need to determine which part of the network path is unstable.

    I'm not able to visualize all the elements involved from your descriptions above. 

    Could you walk through the path from  Router A per to the  Router B's VRF peer and how the transport is accomplished?

    I am suspecting that an lsp, l2circuit, vpn or some element of the virtual connection is flapping.

    Once all the items are identified, we then need to look at the extensive output from their respective status commands that can tell us which element is unstable.

    Then we can proceed to determine what is causing that particular instability 


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 9.  RE: iBGP with VRF failed

    Posted 03-09-2021 21:24

    Hi,

     

    I've one more question on this BGP connection.

     

    For my understanding, BGP connection bases on static/IGP route.

    But according to my infrastructure, it's not learning routes each other by IS-IS.

    Is it possible to cause this problem ?

     

    # Router A to check Router B's IP

     

    > show route 192.168.201.147 table EXTERNAL.inet.0     

     

    EXTERNAL.inet.0: 824702 destinations, 1039508 routes (824259 active, 0 holddown, 3066 hidden)

    + = Active Route, - = Last Active, * = Both

     

    192.168.201.144/29    *[IS-IS/18] 5w3d 08:44:47, metric 52

                        > to 172.20.11.13 via xe-5/0/0:3.0

     

     

     

    #router B to check RouterA's VRF IP

     

    > show route 192.168.128.10

     

    inet.0: 853764 destinations, 3028019 routes (853764 active, 19 holddown, 0 hidden)

    + = Active Route, - = Last Active, * = Both

     

    192.168.128.10/32   *[BGP/170] 5w3d 08:42:24, localpref 100, from 192.168.146.2

                          AS path: I, validation-state: unverified

                          to 192.168.145.58 via xe-1/3/2.0, Push 429233

                        > to 192.168.145.62 via xe-2/2/3.0, Push 432032

                          to 192.168.145.62 via xe-2/2/3.0, label-switched-path xe-1/3/2.0:BypassLSP->192.168.146.6

                        [BGP/170] 5w3d 08:42:34, localpref 100, from 103.198.146.6

                          AS path: I, validation-state: unverified

                          to 192.168.145.58 via xe-1/3/2.0, Push 429233

                        > to 192.168.145.62 via xe-2/2/3.0, Push 432032

                          to 192.168.145.62 via xe-2/2/3.0, label-switched-path xe-1/3/2.0:BypassLSP->192.168.146.6

                        [BGP/170] 5d 22:46:41, localpref 100, from 192.168.145.3

                          AS path: I, validation-state: unverified

                          to 192.168.145.58 via xe-1/3/2.0, Push 429233

                        > to 192.168.145.62 via xe-2/2/3.0, Push 432032

                          to 192.168.145.62 via xe-2/2/3.0, label-switched-path xe-1/3/2.0:BypassLSP->192.168.146.6






  • 10.  RE: iBGP with VRF failed

    Posted 03-10-2021 05:23
    The method of learning the route to the peer is not an issue, but the stability of that route would potentially be one.  So the question is how old is the route and does it keep changing age periodically?

    In other words is the loss of the route to the peer the reason for the instability as it drops and gets learned again.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 11.  RE: iBGP with VRF failed

    Posted 03-15-2021 06:17

    Hi,

     

    As what I show about the status of routing, it has stayed for several weeks. I think it's stable to keep the BGP session between a router and a VRF.

    So, that's why I can't understand why BGP session is always failed.

     

    Is it possible to open any port to this connection except I did for this filter in loopback ?

    But actually I disabled these filter , it still is failed.

     

    > show configuration firewall family inet filter accept-bgp

    apply-flags omit;

    term accept-bgp {

        from {

            source-prefix-list {

                bgp-neighbors_v4;

                bgp-neighbors-EXTERNAL_v4;

                bgp-neighbors-VRF_v4;

            }

            protocol tcp;

            port bgp;

        }

        then {

            count accept-bgp;

            accept;

        }

    }

     

    > show configuration firewall family inet filter accept-rsvp  

    apply-flags omit;

    term accept-rsvp {

        from {

            destination-prefix-list {

                router-ipv4;

            }

            protocol rsvp;

        }

        then {

            count accept-rsvp;

            accept;

        }

    }

     

    > show configuration firewall family inet filter accept-ldp    

    apply-flags omit;

    term accept-ldp-discover {

        from {

            source-prefix-list {

                router-ipv4;

            }

            inactive: destination-prefix-list {

                multicast-all-routers;

                router-ipv4;

            }

            protocol udp;

            destination-port ldp;

        }

        then {

            count accept-ldp-discover;

            accept;

        }

    }

    term accept-ldp-unicast {

        from {

            source-prefix-list {

                router-ipv4;

            }

            destination-prefix-list {

                router-ipv4;               

            }

            protocol tcp;

            port ldp;

        }

        then {

            count accept-ldp-unicast;

            accept;

        }

    }

    term accept-tldp-discover {

        from {

            destination-prefix-list {

                router-ipv4;

            }

            protocol udp;

            destination-port ldp;

        }

        then {

            count accept-tldp-discover;

            accept;

        }

    }

    term accept-ldp-igmp {

        from {

            source-prefix-list {           

                router-ipv4;

            }

            destination-prefix-list {

                multicast-all-routers;

            }

            protocol igmp;

        }

        then {

            count accept-ldp-igmp;

            accept;

        }

    }

    term accept-lsp-ping {

        from {

            source-prefix-list {

                router-ipv4;

            }

            protocol udp;

            port 3503;

        }

        then accept;






  • 12.  RE: iBGP with VRF failed

    Posted 03-28-2021 06:30
    I've been reading all this again and not sure that I have the symptoms correct.

    Is the peer here bouncing / intermittent?

    Or are you saying it was working at one time and now will no longer establish but there is ping connectivity between the two peers?

    In any case, I think enabling bgp trace options under both peers would be a good idea now to get some more detailed logs.
    https://kb.juniper.net/InfoCenter/index?page=content&id=KB36461

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------