BGP hub and spoke over MPLS VPN

lrb

I was re-reading the MPLS Fundamentals book and decided I would lab up the BGP hub and spoke topology thats in the book and modify it a little to fit into my existing BGP/MPLS GNS3 study topology.

Anyway, it took me a lot longer than expected (seeing as I am only about 4 months out from my RS lab), and definately reinforces the point to consider the basics before trying to use your "CCIE ninja tricks" to solve the problem.

Because it might be a bit of fun, I'll post a picture of my topology BEFORE I changed a few things around to eventually solve the problem, and walk through the steps up until the problem occurs. If anyone is interested to have a crack at trying to fix the problem by looking only at the topology and some partial configs, please post here!

Here is a picture of the topology that is currently NOT working. Remember our goal is to create a hub and spoke topology where BGP spoke sites advertise their routes to the hub site, and the hub site will advertise them back to the other spoke sites. Therefore, spoke-to-spoke communication occurs through the hub (otherwise we could just set the import RT of one site to the export RT of the other sites and be done with it).



Now for the steps up until the problem occurs.
1. CE router R6 injects network 6.6.6.6/32 into BGP
2. R6 advertises the IPv4 prefix to PE router R4 over EBGP with an AS_PATH of [236].
4. R4 slaps an RD of 230:6 onto the route to create a VPNv4 prefix of 230:6:6.6.6/32 and advertises this to PE router R1 over IBGP. The export RT of 230:6 is also slapped onto the route.
5. R1 recieves the VPNv4 route and looks for any VRFs importing RT 230:6. VRF 230 is. R4 removes the RD of 230:6 and puts it into the BGP VPN table for VRF 230.
6. R1 then advertises the IPv4 prefix over EBGP to CE routers R2 and R3 with the AS_PATH of [14 236]
7. R2 and R3 receive the route, perform bestpath selection, and then advertise the route to each other via IBGP.

After step 7, a few problem occurs. R1 does not process the update received from the CE routers. This is the first problem and is pretty easy to fix

Once the first problem is fixed, R1 still does not send the VPNv4 route to R4 with the hub-to-spoke RT on it, meaning that the spokes never receive each other's routes through the hub. This is the second problem.

TLDR: Look at topology, look at the partial config below, identify the two problems.

Note that all links between routers have the third octet identifying the routers on the link (e.g. R1-R4 link = 10.0.14.0/24). The host address on all links is simply set to the number of the router (e.g. R6 = .6)

Partial config on R1:

[COLOR=#000000][FONT=Tahoma][FONT=Courier New]R1(config)#ip vrf 230
R1(config-vrf)#rd 230:1
R1(config-vrf)#route-target import 230:5
R1(config-vrf)#route-target import 230:6
R1(config-vrf)#route-target export 230:5
R1(config-vrf)#route-target export 230:6[/FONT][/FONT][/COLOR]
[COLOR=#000000][FONT=Tahoma][FONT=Courier New]
[/FONT][/FONT][/COLOR]
[COLOR=#000000][FONT=Tahoma][FONT=Courier New]R1(config)#router bgp 14
R1(config-router)#address
R1(config-router)#address-family ipv4 vrf 230
R1(config-router-af)#neighbor 10.0.12.2 remote-as 230[/FONT][/FONT][/COLOR]
[COLOR=#000000][FONT=Tahoma][FONT=Courier New]R1(config-router-af)#neighbor 10.0.13.3 remote-as 230[/FONT]
[/FONT][/COLOR]

Partial config on R4:

[COLOR=#000000][FONT=Tahoma][FONT=Courier New]R4(config)#ip vrf 235
R4(config-vrf)#rd 230:5
R4(config-vrf)#route-target both 230:5

[/FONT][/FONT][/COLOR]
[COLOR=#000000][FONT=Tahoma][FONT=Courier New]R4(config)#ip vrf 236
R4(config-vrf)#rd 230:6
R4(config-vrf)#route-target both 230:6
[/FONT][/FONT][/COLOR]
[COLOR=#000000][FONT=Tahoma][FONT=Courier New]
[/FONT][/FONT][/COLOR]
[COLOR=#000000][FONT=Tahoma][FONT=Courier New]R4(config)#router bgp 14
R4(config-router)#address-family ipv4 vrf 235
R4(config-router-af)#neighbor 10.0.45.5 remote-as 235
R4(config-router)#address-family ipv4 vrf 236
R4(config-router-af)#neighbor 10.0.46.6 remote-as 236[/FONT]
[/FONT][/COLOR]

Note that the problem only requires fixing on R1 and R4 so don't worry about the other routers. Feel free to ask questions and I will give you more hints.

The end goal is to have this:

R5#show ip bgp
BGP table version is 28, local router ID is 10.0.45.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 2.2.2.2/32       10.0.45.4                              0 14 230 i
*> 3.3.3.3/32       10.0.45.4                              0 14 230 i
*> 5.5.5.5/32       0.0.0.0                  0         32768 i
*> 6.6.6.6/32       10.0.45.4                              0 14 230 14 236 i
*> 10.0.23.0/24     10.0.45.4                              0 14 230 i

BGP_hubspoke.jpg

Jackace

One question for you.

"R1 does not process the update received from the CE routers" Is that all CE routers? or just specific routers?

Edit - My first initial response to the issue is it looks like your issues are at least partially caused by BGP loop prevention mechanisms.


The first things I would try are using allowas-in on the peering sessions with R2 and R3, and I would change the RTs you are using. From Routers 5 and 6 you can import using the same RT, but you need to export 2 different RTs one for each site. On R1 you need to import both the RTs from R5 and R6, but you need to export just the one RT. For example:

R4 vrf 235
rd 230:5
Import 230:1
Export 230:5

R4 vrf 236
rd 230:6
Import 230:1
Export 230:6


R1 vrf 230
rd 230:1
Import 230:5
Import 230:6
Export 230:1