R2 is the route reflector for the network.
R1, R3 and R4 are all PEs serving customers (customers are simulated by loopback interfaces).
R1 has four VRFs: VRF1, VRF2, VRF3, VRF4
R3 has one VRF: VRF1
R4 has one VRF: VRF2
Configurations
R1
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
mpls label protocol ldp
mpls ldp router-id Loopback0 force
interface FastEthernet1/0
 ip address 192.168.12.1 255.255.255.0
 speed 100
 full-duplex
 mpls ip
 no shut
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.12.1 0.0.0.0 area 0
ip vrf VRF1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
ip vrf VRF2
 rd 2:2
 route-target export 2:2
 route-target import 2:2
ip vrf VRF3
 rd 3:3
 route-target export 3:3
 route-target import 3:3
ip vrf VRF4
 rd 4:4
 route-target export 4:4
 route-target import 4:4
interface Loopback1
 ip vrf forwarding VRF1
 ip address 172.16.1.1 255.255.255.255
interface Loopback2
 ip vrf forwarding VRF2
 ip address 172.16.2.1 255.255.255.255
interface Loopback3
 ip vrf forwarding VRF3
 ip address 172.16.3.1 255.255.255.255
interface Loopback4
 ip vrf forwarding VRF4
 ip address 172.16.4.1 255.255.255.255
router bgp 1
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 update-source Loopback0
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community both
 exit-address-family
 address-family ipv4 vrf VRF4
  no synchronization
  network 172.16.4.1 mask 255.255.255.255
 exit-address-family
 address-family ipv4 vrf VRF3
  no synchronization
  network 172.16.3.1 mask 255.255.255.255
 exit-address-family
 address-family ipv4 vrf VRF2
  no synchronization
  network 172.16.2.1 mask 255.255.255.255
 exit-address-family
 address-family ipv4 vrf VRF1
  no synchronization
  network 172.16.1.1 mask 255.255.255.255
 exit-address-family
R2
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
mpls label protocol ldp
mpls ldp router-id Loopback0 force
interface FastEthernet1/0
 ip address 192.168.12.2 255.255.255.0
 speed 100
 full-duplex
 mpls ip
 no shut
interface FastEthernet1/1
 ip address 192.168.23.2 255.255.255.0
 speed 100
 full-duplex
 mpls ip
 no shut
interface FastEthernet2/0
 ip address 192.168.24.2 255.255.255.0
 speed 100
 full-duplex
 mpls ip
 no shut
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.12.2 0.0.0.0 area 0
 network 192.168.23.2 0.0.0.0 area 0
 network 192.168.24.2 0.0.0.0 area 0
router bgp 1
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 1
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 3.3.3.3 remote-as 1
 neighbor 3.3.3.3 update-source Loopback0
 neighbor 4.4.4.4 remote-as 1
 neighbor 4.4.4.4 update-source Loopback0
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community both
  neighbor 1.1.1.1 route-reflector-client
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community both
  neighbor 3.3.3.3 route-reflector-client
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community both
  neighbor 4.4.4.4 route-reflector-client
 exit-address-family
R3
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
mpls label protocol ldp
mpls ldp router-id Loopback0 force
interface FastEthernet1/0
 ip address 192.168.23.3 255.255.255.0
 speed 100
 full-duplex
 mpls ip
 no shut
 exit
ip vrf VRF1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
interface Loopback1
 ip vrf forwarding VRF1
 ip address 10.10.3.3 255.255.255.255
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.23.3 0.0.0.0 area 0
router bgp 1
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 update-source Loopback0
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community both
 exit-address-family
 address-family ipv4 vrf VRF1
  no synchronization
  network 10.10.3.3 mask 255.255.255.255
 exit-address-family
R4
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
mpls label protocol ldp
mpls ldp router-id Loopback0 force
interface FastEthernet1/0
 ip address 192.168.24.4 255.255.255.0
 speed 100
 full-duplex
 mpls ip
 no shut
ip vrf VRF2
 rd 2:2
 route-target export 2:2
 route-target import 2:2
interface Loopback1
 ip vrf forwarding VRF2
 ip address 10.10.4.4 255.255.255.255
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.24.4 0.0.0.0 area 0
router bgp 1
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community both
 exit-address-family
 !
 address-family ipv4 vrf VRF2
  no synchronization
  network 10.10.4.4 mask 255.255.255.255
 exit-address-family
Now, let us check the BGP VPNv4 table and updates
R1#sh bgp vpnv4 unicast all
BGP table version is 9, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf VRF1)
*>i 10.10.3.3/32 3.3.3.3 0 100 0 i
*> 172.16.1.1/32 0.0.0.0 0 32768 i
Route Distinguisher: 2:2 (default for vrf VRF2)
*>i 10.10.4.4/32 4.4.4.4 0 100 0 i
*> 172.16.2.1/32 0.0.0.0 0 32768 i
Route Distinguisher: 3:3 (default for vrf VRF3)
*> 172.16.3.1/32 0.0.0.0 0 32768 i
Route Distinguisher: 4:4 (default for vrf VRF4)
*> 172.16.4.1/32 0.0.0.0 0 32768 i
R1#ping vrf VRF1 10.10.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 188/226/280 ms
R1#ping vrf VRF2 10.10.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 168/210/248 ms
R3#sh bgp vpnv4 unicast all
BGP table version is 4, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf VRF1)
*> 10.10.3.3/32 0.0.0.0 0 32768 i
*>i 172.16.1.1/32 1.1.1.1 0 100 0 i
R3#ping vrf VRF1 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 164/198/224 ms
R4#sh bgp vpnv4 unicast all
BGP table version is 4, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 2:2 (default for vrf VRF2)
*> 10.10.4.4/32 0.0.0.0 0 32768 i
*>i 172.16.2.1/32 1.1.1.1 0 100 0 i
R4#ping vrf VRF2 172.16.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 176/215/292 ms
We have connectivity between all active loopback interfaces (each in its own VRF)
Let us now check what R2 (the RR) is advertising to R3
R2#sh bgp vpnv4 unicast all neighbors 3.3.3.3 advertised-routes
BGP table version is 7, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1
*>i 10.10.3.3/32 3.3.3.3 0 100 0 i
*>i 172.16.1.1/32 1.1.1.1 0 100 0 i
Route Distinguisher: 2:2
*>i 10.10.4.4/32 4.4.4.4 0 100 0 i
*>i 172.16.2.1/32 1.1.1.1 0 100 0 i
Route Distinguisher: 3:3
*>i 172.16.3.1/32 1.1.1.1 0 100 0 i
Route Distinguisher: 4:4
*>i 172.16.4.1/32 1.1.1.1 0 100 0 i
Total number of prefixes 6
R2 advertises all six prefixes to R3, even though the only active network in the VRF defined on R3 (VRF1) is 172.16.1.1
R2#sh bgp vpnv4 unicast all neighbors 4.4.4.4 advertised-routes
BGP table version is 7, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1
*>i 10.10.3.3/32 3.3.3.3 0 100 0 i
*>i 172.16.1.1/32 1.1.1.1 0 100 0 i
Route Distinguisher: 2:2
*>i 10.10.4.4/32 4.4.4.4 0 100 0 i
*>i 172.16.2.1/32 1.1.1.1 0 100 0 i
Route Distinguisher: 3:3
*>i 172.16.3.1/32 1.1.1.1 0 100 0 i
Route Distinguisher: 4:4
*>i 172.16.4.1/32 1.1.1.1 0 100 0 i
Total number of prefixes 6
The same applies to R4, which needs to communicate only with the loopback interface 172.16.2.1, which belongs to VRF2
Let us turn on debugging on R3 and see what is happening
R3#debug bgp vpnv4 unicast updates
BGP updates debugging is on for address family: VPNv4 Unicast
R3#clear bgp vpnv4 unicast * soft in
R3#
*May 24 11:10:07.927: BGP: nbr_topo global 2.2.2.2 VPNv4 Unicast:base (0x687739D8:1) rcvd Refresh Start-of-RIB
*May 24 11:10:07.927: BGP: nbr_topo global 2.2.2.2 VPNv4 Unicast:base (0x687739D8:1) refresh_epoch is 2
*May 24 11:10:08.047: BGP: 2.2.2.2 Next hop is our own address 3.3.3.3
*May 24 11:10:08.051: BGP: 2.2.2.2 Local router is the Originator; Discard update
*May 24 11:10:08.055: BGP(4): 2.2.2.2 rcv UPDATE w/ attr: nexthop 3.3.3.3, origin i, localpref 100, metric 0, originator 3.3.3.3, clusterlist 2.2.2.2, merged path , AS_PATH , community , extended community RT:1:1, SSA attribute
*May 24 11:10:08.067: BGPSSA ssacount is 0
*May 24 11:10:08.067: BGP(4): 2.2.2.2 rcv UPDATE about 1:1:10.10.3.3/32 -- DENIED due to: ORIGINATOR is us; MP_REACH NEXTHOP is our own address;, label 21
*May 24 11:10:08.075: BGP(4): 2.2.2.2 rcvd UPDATE w/ attr: nexthop 1.1.1.1, origin i, localpref 100, metric 0, originator 1.1.1.1, clusterlist 2.2.2.2, extended community RT:1:1
*May 24 11:10:08.087: BGP(4): 2.2.2.2 rcvd 1:1:172.16.1.1/32, label 21...duplicate ignored
*May 24 11:10:08.091: BGP(4): 2.2.2.2 rcvd UPDATE w/ attr: nexthop 4.4.4.4, origin i, localpref 100, metric 0, originator 4.4.4.4, clusterlist 2.2.2.2, extended community RT:2:2
*May 24 11:10:08.099: BGP(4): 2.2.2.2 rcvd 2:2:10.10.4.4/32, label 21 -- DENIED due to: extended community not supported;
*May 24 11:10:08.107: BGP(4): 2.2.2.2 rcvd UPDATE w/ attr: nexthop 1.1.1.1, origin i, localpref 100, metric 0, originator 1.1.1.1, clusterlist 2.2.2.2, extended community RT:2:2
*May 24 11:10:08.115: BGP(4): 2.2.2.2 rcvd 2:2:172.16.2.1/32, label 22 -- DENIED due to:
R3# extended community not supported;
*May 24 11:10:08.123: BGP(4): 2.2.2.2 rcvd UPDATE w/ attr: nexthop 1.1.1.1, origin i, localpref 100, metric 0, originator 1.1.1.1, clusterlist 2.2.2.2, extended community RT:3:3
*May 24 11:10:08.131: BGP(4): 2.2.2.2 rcvd 3:3:172.16.3.1/32, label 23 -- DENIED due to: extended community not supported;
*May 24 11:10:08.139: BGP(4): 2.2.2.2 rcvd UPDATE w/ attr: nexthop 1.1.1.1, origin i, localpref 100, metric 0, originator 1.1.1.1, clusterlist 2.2.2.2, extended community RT:4:4
*May 24 11:10:08.147: BGP(4): 2.2.2.2 rcvd 4:4:172.16.4.1/32, label 24 -- DENIED due to: extended community not supported;
*May 24 11:10:08.151: BGP: nbr_topo global 2.2.2.2 VPNv4 Unicast:base (0x687739D8:1) rcvd Refresh End-of-RIB
We can see the message "DENIED due to: extended community not supported", which means the route will never be imported into the BGP VPNv4 table because the matching route-target is missing on R3 (it is not configured because it is not needed)
Let us now turn on our feature
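As an added example (not part of the original post), this Python sketch parses the R3 debug output above and lists, per route target, the VPNv4 routes that R3 received but rejected because no local VRF imports that RT. The function names are illustrative, and the sample is this page's own log trimmed to the routes that originate on other PEs.

```python
import re
from collections import defaultdict

# Constructed sample: R3's debug output from this page, trimmed to the routes
# that originate on other PEs. The console-wrapped 'R3#' line is kept as shown.
SAMPLE = """\
*May 24 11:10:08.075: BGP(4): 2.2.2.2 rcvd UPDATE w/ attr: nexthop 1.1.1.1, origin i, localpref 100, metric 0, originator 1.1.1.1, clusterlist 2.2.2.2, extended community RT:1:1
*May 24 11:10:08.087: BGP(4): 2.2.2.2 rcvd 1:1:172.16.1.1/32, label 21...duplicate ignored
*May 24 11:10:08.091: BGP(4): 2.2.2.2 rcvd UPDATE w/ attr: nexthop 4.4.4.4, origin i, localpref 100, metric 0, originator 4.4.4.4, clusterlist 2.2.2.2, extended community RT:2:2
*May 24 11:10:08.099: BGP(4): 2.2.2.2 rcvd 2:2:10.10.4.4/32, label 21 -- DENIED due to: extended community not supported;
*May 24 11:10:08.107: BGP(4): 2.2.2.2 rcvd UPDATE w/ attr: nexthop 1.1.1.1, origin i, localpref 100, metric 0, originator 1.1.1.1, clusterlist 2.2.2.2, extended community RT:2:2
*May 24 11:10:08.115: BGP(4): 2.2.2.2 rcvd 2:2:172.16.2.1/32, label 22 -- DENIED due to:
R3# extended community not supported;
*May 24 11:10:08.123: BGP(4): 2.2.2.2 rcvd UPDATE w/ attr: nexthop 1.1.1.1, origin i, localpref 100, metric 0, originator 1.1.1.1, clusterlist 2.2.2.2, extended community RT:3:3
*May 24 11:10:08.131: BGP(4): 2.2.2.2 rcvd 3:3:172.16.3.1/32, label 23 -- DENIED due to: extended community not supported;
*May 24 11:10:08.139: BGP(4): 2.2.2.2 rcvd UPDATE w/ attr: nexthop 1.1.1.1, origin i, localpref 100, metric 0, originator 1.1.1.1, clusterlist 2.2.2.2, extended community RT:4:4
*May 24 11:10:08.147: BGP(4): 2.2.2.2 rcvd 4:4:172.16.4.1/32, label 24 -- DENIED due to: extended community not supported;
"""

# Assumption: each UPDATE carries a single RT, as in this lab.
ATTR = re.compile(r"BGP\(4\): \S+ rcvd? UPDATE w/ attr: .*extended community (RT:[\d.:]+)")
NLRI = re.compile(r"BGP\(4\): \S+ rcvd (\d+:\d+):([\d.]+/\d+), label \d+(.*)")

def unfold(text):
    """Rejoin messages that the console split around a router prompt."""
    lines = []
    for line in text.splitlines():
        if line.startswith("*") or not lines:
            lines.append(line)
        else:  # continuation such as 'R3# extended community not supported;'
            lines[-1] += " " + re.sub(r"^\S+#\s*", "", line)
    return lines

def unwanted_routes(text):
    """Return {RT: [(RD, prefix), ...]} for routes received but not imported."""
    rejected, current_rt = defaultdict(list), None
    for line in unfold(text):
        attr = ATTR.search(line)
        if attr:
            current_rt = attr.group(1)  # attribute line precedes its NLRI line
            continue
        nlri = NLRI.search(line)
        if nlri and "extended community not supported" in nlri.group(3):
            rejected[current_rt].append((nlri.group(1), nlri.group(2)))
    return dict(rejected)

if __name__ == "__main__":
    for rt, routes in unwanted_routes(SAMPLE).items():
        print(rt, routes)
```

Any route target that appears in the result is one the route reflector is sending to a PE that has no VRF importing it.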
R2
router bgp 1
 address-family rtfilter unicast
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
  neighbor 1.1.1.1 route-reflector-client
  neighbor 1.1.1.1 default-originate
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community extended
  neighbor 3.3.3.3 route-reflector-client
  neighbor 3.3.3.3 default-originate
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
  neighbor 4.4.4.4 route-reflector-client
  neighbor 4.4.4.4 default-originate
R1
router bgp 1
 address-family rtfilter unicast
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
R3
router bgp 1
 address-family rtfilter unicast
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
R4
router bgp 1
 address-family rtfilter unicast
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
R1#sh bgp vpnv4 unicast all
BGP table version is 39, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf VRF1)
*>i 10.10.3.3/32 3.3.3.3 0 100 0 i
*> 172.16.1.1/32 0.0.0.0 0 32768 i
Route Distinguisher: 2:2 (default for vrf VRF2)
*>i 10.10.4.4/32 4.4.4.4 0 100 0 i
*> 172.16.2.1/32 0.0.0.0 0 32768 i
Route Distinguisher: 3:3 (default for vrf VRF3)
*> 172.16.3.1/32 0.0.0.0 0 32768 i
Route Distinguisher: 4:4 (default for vrf VRF4)
*> 172.16.4.1/32 0.0.0.0 0 32768 i
R3#sh bgp vpnv4 unicast all
BGP table version is 19, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf VRF1)
*> 10.10.3.3/32 0.0.0.0 0 32768 i
*>i 172.16.1.1/32 1.1.1.1 0 100 0 i
R4#sh bgp vpnv4 unicast all
BGP table version is 22, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 2:2 (default for vrf VRF2)
*> 10.10.4.4/32 0.0.0.0 0 32768 i
*>i 172.16.2.1/32 1.1.1.1 0 100 0 i
R2#sh bgp vpnv4 unicast all neighbors 3.3.3.3 advertised-routes
BGP table version is 47, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1
*>i 10.10.3.3/32 3.3.3.3 0 100 0 i
*>i 172.16.1.1/32 1.1.1.1 0 100 0 i
Total number of prefixes 2
R2#sh bgp vpnv4 unicast all neighbors 4.4.4.4 advertised-routes
BGP table version is 47, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 2:2
*>i 10.10.4.4/32 4.4.4.4 0 100 0 i
*>i 172.16.2.1/32 1.1.1.1 0 100 0 i
Total number of prefixes 2
Let us now turn on the debugging again
R3#debug bgp vpnv4 unicast updates
BGP updates debugging is on for address family: VPNv4 Unicast
R3#clear bgp vpnv4 unicast * soft in
R3#
*May 24 11:20:24.547: BGP: nbr_topo global 2.2.2.2 VPNv4 Unicast:base (0x68918044:1) rcvd Refresh Start-of-RIB
*May 24 11:20:24.547: BGP: nbr_topo global 2.2.2.2 VPNv4 Unicast:base (0x68918044:1) refresh_epoch is 2
*May 24 11:20:24.559: BGP: 2.2.2.2 Next hop is our own address 3.3.3.3
*May 24 11:20:24.559: BGP: 2.2.2.2 Local router is the Originator; Discard update
*May 24 11:20:24.563: BGP(4): 2.2.2.2 rcv UPDATE w/ attr: nexthop 3.3.3.3, origin i, localpref 100, metric 0, originator 3.3.3.3, clusterlist 2.2.2.2, merged path , AS_PATH , community , extended community RT:1:1, SSA attribute
*May 24 11:20:24.575: BGPSSA ssacount is 0
R3#
*May 24 11:20:24.579: BGP(4): 2.2.2.2 rcv UPDATE about 1:1:10.10.3.3/32 -- DENIED due to: ORIGINATOR is us; MP_REACH NEXTHOP is our own address;, label 21
*May 24 11:20:24.583: BGP(4): 2.2.2.2 rcvd UPDATE w/ attr: nexthop 1.1.1.1, origin i, localpref 100, metric 0, originator 1.1.1.1, clusterlist 2.2.2.2, extended community RT:1:1
*May 24 11:20:24.595: BGP(4): 2.2.2.2 rcvd 1:1:172.16.1.1/32, label 21...duplicate ignored
*May 24 11:20:24.599: BGP: nbr_topo global 2.2.2.2 VPNv4 Unicast:base (0x68918044:1) rcvd Refresh End-of-RIB
R3#sh ip bgp vpnv4 all neighbors 2.2.2.2 | inc RT Filter
Address family RT Filter: advertised and received
RT Filter activate
For address family: RT Filter
R2#show ip bgp vpnv4 all nei 1.1.1.1 received rtfilters
Address family: VPNv4 Unicast
Extended community filter has: 4 entries with default filtering disabled
Incremental refresh walk mode
Status codes: * valid, S Stale > installed
Route-Target Outbound Filter
*> Extended Community RT:4:4
*> Extended Community RT:3:3
*> Extended Community RT:2:2
*> Extended Community RT:1:1
R2#show ip bgp vpnv4 all nei 3.3.3.3 received rtfilters
Address family: VPNv4 Unicast
Extended community filter has: 1 entries with default filtering disabled
Incremental refresh walk mode
Status codes: * valid, S Stale > installed
Route-Target Outbound Filter
*> Extended Community RT:1:1
R2#show ip bgp vpnv4 all nei 4.4.4.4 received rtfilters
Address family: VPNv4 Unicast
Extended community filter has: 1 entries with default filtering disabled
Incremental refresh walk mode
Status codes: * valid, S Stale > installed
Route-Target Outbound Filter
*> Extended Community RT:2:2