Junos OS

i ve 2 m320 routers connected to each other on e3 link, i ve created a l3 vpn using a multiserivce fe interface for PE-CE connectivity on both ends.

 

now the issue is that if i ping loopback interface it pings but for this to work i put a static route inside vrf, but in this case the customer route is not advertised if i put vrf-table-label (as per documentation) it advertises the route to other side but then traffic does not forwards even the loopback interface.

 

 

kindly help.

Hi Shabbir,

 

If I understand correctly, you are having problems simply at the local PE-CE connectivity level...

If so, could you please post the configs of the PE and CE ? And then indicate what are the addresses you can/cannot ping and from where ?

 

Thanks,

/david 

like if on one router PE-CE router has the ip address 192.168.1.1 and the other has 192.168.2.1, now when u ping 192.168.1.1 routing-instance TEST from 2nd router it doesnt ping. the same configuration works on if l3 vpn is created between two m10i. the only difrence i saw between two routers is mutilaccess ethernet interface.

I would really need to see the configurations to be able to comment:

Are you sure this is not simply an addressing mistake ? 192.168.1.1 and 192.168.2.1 don't appear to be in the same subnet (although you haven't mentioned the mask) - are you sure it isn't supposed to be 192.168.1.2 ?

 

loopbacks are /32 configs are here 

 

group isb-rr {
    type internal;
    local-address 10.1.1.1;
    family inet-vpn {
        unicast;
    }
    local-as 65000;
    neighbor 10.3.3.3 {
        family inet-vpn {
            unicast;
        }
    }
    neighbor 10.1.1.3;
}
instance-type vrf;
interface lo0.100;
interface fe-0/0/1.0;
route-distinguisher 65000:1001;
vrf-import vfr-import;
vrf-export vfr-export;
routing-options {
    static {
        route 192.168.100.2/32 next-hop 192.168.100.2;
        route 10.10.253.2/32 next-hop 10.10.253.2;
    }
}

------------------------------------------------------------------------------
adnan@xxxxx-b-re0> show configuration routing-instances TEST
instance-type vrf;
interface lo0.100;
route-distinguisher 65000:1001;
vrf-import vfr-import;
vrf-export vfr-export;
routing-options {
    static {
        route 192.168.100.1/32 next-hop 192.168.100.1;
    }
}
group khi-rr {
    type internal;
    local-address 10.3.3.3;
    neighbor 10.1.1.1 {
        family inet-vpn {
            unicast;
        }
    }
    neighbor 10.3.3.5 {
        family inet-vpn {
            unicast;
        }
    }
    neighbor 10.1.1.3 {
        family inet {
            unicast;
        }
        family inet-vpn {
            unicast;
        }
    }
}
adnan@xxxx-b-re0> show configuration policy-options policy-statement vfr-export
from protocol [ bgp direct static ];
then {
    community add ngn-mgmt;
    accept;
}

{master}
adnan@XXXX-b-re0> show configuration policy-options policy-statement vfr-import
term 1 {
    from {
        protocol bgp;
        community ngn-mgmt;
    }
    then accept;
}

both routers have same  configs only bgp is diff imean nabers.

Hi Shabbir,

 

 Assuming 192.168.1.1 and 192.168.1.2 correspond to lo0.100 addresses on both PE routers, you should be able to ping one from another with your configuration below.

 

 However, if those correspond to IP's of fe-0/0/1.0 and  your problem is indeed being unable to export the whole directly connected subnet within a VRF (hence the need for vrf-table-label to force an IP lookup on top of the MPLS label lookup), then you might be hitting one of the limitations described here

 

 Also, you'll need something like the following to completely export direct prefixes, as the whole subnet:

 

 

 set routing-instances test routing-options interface-routes family inet export lan 

 

 Another option to advertise the connected if you can't/don't want to use vrf-table-label, is to use vt-interfaces (created with the presence of a tunnel/services PIC in the router) with something like this (again, along with the code above) :

 

 

set interfaces vt-1/2/0 unit 0 family inet     
set routing-instances test interface vt-1/2/0.0 

 

 The last suggestion I'd have  is to check whether you need vrf-import and vrf-export statements in your configuration at all. What you've configured in your example is the default behavior (with the exception of locally connected prefixes, which I've explained the requirements to advertise them) anyways.

 

Hope this helps,

Erdem

 

 

thanku v much for ur reply.

 

1. yes 192.168.1 n .2 are loopback ip addresses i can ping if i dont put vrf-table-label cmd.

2. when i put vrf-table-label the ethernet  routes advertises but i cant ping both/any of the sides.

 

my problem is not advertisement of routes they advertise but problem is forwarding of traffic. i can remove vrf-import-export and put vrf-target .....

 

looking forward for ur help.

 

thanku.

 

Hi Shabir,

 

 The problem (or one of the problems) is the static routes for 192.168.100.x addresses in your configuration. Please remove them and use a configuration similar to my previous example to advertise the ethernet routes.

 

 Cheers,

 Erdem

@erdems

 

router A

 

set routing-instances TEST instance-type vrf
set routing-instances TEST interface lo0.100
set routing-instances TEST route-distinguisher 65000:1001
set routing-instances TEST vrf-import vfr-import
set routing-instances TEST vrf-export vfr-export
set routing-instances TEST routing-options interface-routes family inet export lan

 

run show route table TEST

TEST.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.100.1/32   *[BGP/170] 00:00:33, localpref 100, from 10.1.1.1
                      AS path: I
                    > via e3-0/1/0.0, Push 303808, Push 339152(top)
192.168.100.2/32   *[Direct/0] 5d 07:24:34
                    > via lo0.100

 

Router B

 

set routing-instances TEST instance-type vrf
set routing-instances TEST interface lo0.100
set routing-instances TEST interface fe-0/0/1.0
set routing-instances TEST route-distinguisher 65000:1001
set routing-instances TEST vrf-import vfr-import
set routing-instances TEST vrf-export vfr-export
set routing-instances TEST routing-options interface-routes family inet export lan

 run show route table TEST

TEST.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.253.0/30     *[Direct/0] 17:23:04
                    > via fe-0/0/1.0
10.10.253.2/32     *[Local/0] 5d 06:20:21
                      Local via fe-0/0/1.0
192.168.100.1/32   *[Direct/0] 5d 07:26:33
                    > via lo0.100
192.168.100.2/32   *[BGP/170] 00:02:50, localpref 100, from 10.3.3.3
                      AS path: I
                    > via e3-0/1/0.0, Push 535360, Push 341952(top)

 

@dav

 

Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                D1573             M320
Midplane         REV 08   710-009120   TR1378            M320 Midplane
FPM GBUS         REV 05   710-005928   WR7819            M320 Board
FPM Display      REV 05   710-009351   WR7878            M320 FPM Display
CIP              REV 05   710-005926   WR7786            M320 CIP
PEM 0            Rev 08   740-009148   UD56048           DC Power Entry Module
PEM 1            Rev 08   740-009148   UD56043           DC Power Entry Module
Routing Engine 0 REV 02   740-016485   P13004102725      RE-4.0
Routing Engine 1 REV 02   740-016485   P13004102369      RE-4.0
CB 0             REV 12   710-009115   WS4762            M320 Control Board
CB 1             REV 12   710-009115   WS4754            M320 Control Board
FPC 0            REV 08   710-016168   WR7229            M320 E3-FPC Type 1
  PIC 0          REV 13   750-002911   WR6208            4x F/E, 100 BASE-TX
  PIC 1          REV 12   750-009215   WP5656            4x E3 IQ
  PIC 2          REV 04   750-015595   JZ0948            AS2 Layer-2 Services
  PIC 3          REV 18   750-007631   WP7536            10x CHE1 IQ
  I3MB A         REV 04   710-016681   WR6458            M320 E3-FPC I3 Mez Board
FPC 1            REV 08   710-016168   WR7224            M320 E3-FPC Type 1
  PIC 0          REV 18   750-007631   WN2706            10x CHE1 IQ
  PIC 1          REV 13   750-002911   WR6219            4x F/E, 100 BASE-TX
  PIC 2          REV 12   750-009215   WP6122            4x E3 IQ
  PIC 3          REV 18   750-007631   WP7551            10x CHE1 IQ
  I3MB A         REV 04   710-016681   WR6459            M320 E3-FPC I3 Mez Board
FPC 2            REV 08   710-016168   WR7213            M320 E3-FPC Type 1
  I3MB A         REV 04   710-016681   WR6464            M320 E3-FPC I3 Mez Board
SIB 0            REV 05   710-013146   WS6612            M320 SIB
SIB 1            REV 05   710-013146   WS6613            M320 SIB
Fan Tray 0                                               Front Top Fan Tray
Fan Tray 1                                               Front Bottom Fan Tray
Fan Tray 2                                               Rear Fan Tray

 

when i configured vrf-table-label on both side then

 

then on router B

 

 show route table TEST

TEST.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.253.0/30     *[BGP/170] 00:00:14, localpref 100, from 10.1.1.1
                      AS path: I
                    > via e3-0/1/0.0, Push 16, Push 339152(top)
192.168.100.1/32   *[BGP/170] 00:00:14, localpref 100, from 10.1.1.1
                      AS path: I
                    > via e3-0/1/0.0, Push 16, Push 339152(top)
192.168.100.2/32   *[Direct/0] 5d 07:30:13
                    > via lo0.100



 ping 10.10.253.2 routing-instance TEST
PING 10.10.253.2 (10.10.253.2): 56 data bytes
^C
--- 10.10.253.2 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

 

 

 and router A

 

run show interfaces fe-0/0/1 terse
Interface               Admin Link Proto    Local                 Remote
fe-0/0/1                up    up
fe-0/0/1.0              up    up   inet     10.10.253.2/30
                                   multiservice
 

Shabbir,

 

 I've quickly copied your setup and it is working indeed, but you also had mentioned that the relatively same configuration was already working between another two of your routers, so that's probably not big news to you 🙂

 

 I see you have a services PIC installed, would you try using "vt- interfaces method" instead of vrf-table-label and see if it makes an improvement?

 

(assuming you have vt-0/2/0 on both routers and remove vrf-table-label)

 

set interfaces vt-0/2/0.0 description "for vpn test"

set interfaces vt-0/2/0.0 family inet

set interfaces vt-0/2/0.0 family mpls

set routing-instances TEST interface vt-0/2/0.0

 

If that doesn't help or you only have services PIC in one of them, please provide the following:

 

1. How the two M320's are connected to each other ?

2. your protocols/bgp configuration (including import/export policies)

3. your lo0.x filters (if any)

4. your [edit groups] and [edit apply-groups] configurations (if any)

 

Cheers,

Erdem

 

 

 

 

 

 

i inserted the lines u sujjested and removed vrf-table but no success (routes are not advertised to other vrf)

set routing-instances TEST instance-type vrf
set routing-instances TEST interface lo0.100
set routing-instances TEST interface fe-0/0/1.0
set routing-instances TEST interface vt-0/2/0.0
set routing-instances TEST route-distinguisher 65000:1001
set routing-instances TEST vrf-import vfr-import
set routing-instances TEST vrf-export vfr-export
set routing-instances TEST routing-options interface-routes family inet export lan


1. M320 are connected through E3 link (kind of back to back 😛 )

2. bgp configuration is already pasted, ospf is running as IGP, mpls is enabled on e3s and e1s -> to pops

3.  no filters applied on lo0.XX

4. just e3 and e1 l1 configurations 

 

{

 

set groups e1-int interfaces <e1-*> e1-options framing g704
set groups e1-int interfaces <e1-*> e1-options fcs 16
set groups e1-int interfaces <e1-*> e1-options idle-cycle-flag flags
set groups e1-int interfaces <e1-*> e1-options start-end-flag filler
set groups e3-int interfaces <e3-*> e3-options fcs 16
set groups e3-int interfaces <e3-*> e3-options idle-cycle-flag flags
set groups e3-int interfaces <e3-*> e3-options start-end-flag filler
 

}

The PB-4E3-QPP will show up as a 4xE3 IQ PIC in the 'show chassis hardware' so I'm afraid your setup will not support vrf-table-label when you use the E3 interfaces as to connect your PE routers.

 

The solutions are:

 - use the vt-interface method with your service-PICs as Erdem mentioned

 - use the older PB-4E3 (non-IQ) PIC

 - use another core-facing interface altogether

 

/david 

1. i cant make any changes in the hardware (as i dont have)

2. only have these E3 interfaces as core facing interface.

3. if u check the configuration i mentioned above, i tried with vt interface and that didnt work can u check if i configured the way it has to?

 

when i use this m320 as core and connect a m10i as access to both m320s (which are installed on our pops) then the l3 vpn works fine. as the traffice forwards through these E3s and same E320 routers.

 

thanku

yes problem solved with vt interface as i added a line

 

set interfaces vt-0/2/0 unit 0 family mpls

thanku very much both of you, kindly tell whos msg should i click solution?

You can give "kudos" to the messages that helped you and click solution on the message that you feel best summarizes your solution 

Thanks,

/david 

Hi Shabbir,

 

I think I have an idea of what may be going wrong. As Erdem pointed to, there are some known (and less known) limitations with vrf-table-label. There is one additional PIC which is does not support vrf-table-label when used as the core-facing (PE/P or PE/PE) interface: the PB-4E3-QPP - is this the PIC you are using ?

If so, you're out of luck  - you're best option is to try to get a hold of PB-4E3 PICs that do support vrf-table-label.

 

Regards,

/david