VRF issue in Olive with junos >10
Hi.
This is my 1st post. I really need your help. I'm trying to configure a VPN in olive.
This is the topology:
CE1
PE1
P1
P2
PE2
CE2
I've configured a VPN between PE1 and PE2 but I'm not able to ping the loopback IP address of PE2 from PE1 and vice versa, although the routes are present in the routing table.
I can only ping PE1's loopback from PE1, and PE2's loopback from PE2.
This is the configuration of PE1 and PE2.
PE1
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                address 172.16.11.2/24;
            }
            family mpls;
        }
    }
    fxp1 {
        unit 0 {
            family inet {
                address 192.168.11.1/24;
            }
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 11.11.11.11/32;
            }
        }
        unit 1 {
            family inet {
                address 10.10.10.1/32;
            }
        }
    }
}
........................
........................
routing-instances {
    VPN {
        instance-type vrf;
        interface fxp1.0;
        interface lo0.1;
        route-distinguisher 100:1;
        vrf-target target:100:1;
        vrf-table-label;
        protocols {
            ospf {
                export bgp-to-ospf;
                area 0.0.0.0 {
                    interface all;
                }
            }
        }
    }
}
PE2
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                address 172.16.22.2/24;
            }
            family mpls;
        }
    }
    fxp1 {
        unit 0 {
            family inet {
                address 192.168.22.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 22.22.22.22/32;
            }
        }
        unit 1 {
            family inet {
                address 10.10.10.2/32;
            }
        }
    }
}
........................
........................
routing-instances {
    VPN {
        instance-type vrf;
        interface fxp1.0;
        interface lo0.1;
        route-distinguisher 100:2;
        vrf-target target:100:1;
        vrf-table-label;
        protocols {
            ospf {
                export bgp-to-ospf;
                area 0.0.0.0 {
                    interface all;
                }
            }
        }
    }
}
The results:
root@PE1# run show route table VPN.inet.0
VPN.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.10.10.1/32 *[Direct/0] 00:20:44
> via lo0.1
10.10.10.2/32 *[BGP/170] 00:06:48, localpref 100, from 22.22.22.22
AS path: I
> to 172.16.11.1 via fxp0.0, label-switched-path PE1-to-PE2
192.168.11.0/24 *[Direct/0] 00:20:44
> via fxp1.0
192.168.11.1/32 *[Local/0] 00:20:44
Local via fxp1.0
192.168.22.0/24 *[BGP/170] 00:06:48, localpref 100, from 22.22.22.22
AS path: I
> to 172.16.11.1 via fxp0.0, label-switched-path PE1-to-PE2
224.0.0.5/32 *[OSPF/10] 00:20:54, metric 1
MultiRecv
root@PE2# run show route table VPN.inet.0
VPN.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.10.10.1/32 *[BGP/170] 00:17:33, localpref 100, from 11.11.11.11
AS path: I
> to 172.16.22.1 via fxp0.0, label-switched-path PE2-to-PE1
10.10.10.2/32 *[Direct/0] 00:18:01
> via lo0.1
192.168.11.0/24 *[BGP/170] 00:17:33, localpref 100, from 11.11.11.11
AS path: I
> to 172.16.22.1 via fxp0.0, label-switched-path PE2-to-PE1
192.168.22.0/24 *[Direct/0] 00:18:01
> via fxp1.0
192.168.22.1/32 *[Local/0] 00:18:01
Local via fxp1.0
224.0.0.5/32 *[OSPF/10] 00:18:04, metric 1
MultiRecv
root@PE1# run ping 10.10.10.2 routing-instance VPN
PING 10.10.10.2 (10.10.10.2): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- 10.10.10.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
root@PE2# run ping 10.10.10.1 routing-instance VPN
PING 10.10.10.1 (10.10.10.1): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- 10.10.10.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
root@PE1# run ping 10.10.10.1 routing-instance VPN
PING 10.10.10.1 (10.10.10.1): 56 data bytes
64 bytes from 10.10.10.1: icmp_seq=0 ttl=64 time=2.573 ms
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.387 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.378 ms
^C
--- 10.10.10.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.378/1.113/2.573/1.033 ms
I have this problem with Olive only when Junos > 10 (I tested it with Junos 10.1 and 10.4 and even 11.1).
But with Junos 8.5, the same configuration worked fine and all the pings succeeded.
I need to do it with Junos > 10 because I want to configure IPv6 Multicast VPN, which is supported only in Junos > 10.
I tested this configuration with a real Juniper router (M120); it worked only when I deactivated the vrf-table-label statement. I tried this with Olive but it didn't work.
Has anyone ever encountered this problem? I really need your help.
Comments
-
Aldur Member Posts: 1,460
huh, that is a weird one ya got there. I haven't seen it myself to tell the truth. But I haven't really used olives since 8.x'ish.
Is any other interface on the PE's reachable from PE to PE? Outside of the routing instance, or inside the routing instance?
"Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."
-Bender
-
maynou_21 Registered Users Posts: 7
Outside the routing instance, all the PE's interfaces are reachable, but in the routing instance every PE can only ping its local interfaces and the interfaces of the CE directly connected. Maybe olive does not support Junos > 10 at 100%.
-
Aldur Member Posts: 1,460
heh, well, to tell the truth Olives have always been "unsupported" and so if it works then great, if not then oh well. Although I can understand your frustration.
What about picking up a cheap J series or a low end branch srx100? I know that you can pick up a srx100 pretty cheap off ebay.
-
masagung Member Posts: 11
Hi, I already tested it too and yes, it didn't work. I even used JunOS 7.4.
Can anyone help? Why is that?
[edit]
masagung@olive# run show route table VRFA.inet.0 logical-router R2
VRFA.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.0.4/32 *[BGP/170] 04:03:37, localpref 100
AS path: 65006 I
> to 192.168.90.1 via fxp2.11
10.0.0.5/32 *[BGP/170] 04:03:02, localpref 100, from 10.0.0.3
AS path: 65005 I
> to 192.168.1.1 via fxp2.12, Push 16, Push 100016(top)
192.168.90.0/30 *[Direct/0] 04:04:07
> via fxp2.11
192.168.90.2/32 *[Local/0] 04:04:07
Local via fxp2.11
192.168.90.4/30 *[BGP/170] 04:03:02, localpref 100, from 10.0.0.3
AS path: I
> to 192.168.1.1 via fxp2.12, Push 16, Push 100016(top)
masagung@olive# run ping 10.0.0.3 logical-router R2 routing-instance VRFA
PING 10.0.0.3 (10.0.0.3): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- 10.0.0.3 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
[edit]
masagung@olive# ...ogical-router R2 routing-instance VRFA
PING 192.168.90.5 (192.168.90.5): 56 data bytes
^C
--- 192.168.90.5 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
-
Aldur Member Posts: 1,460
This is a completely different issue than what maynou_21 was seeing.
It is expected that you can't reach 10.0.0.3, since that route is not located in the VRF table. (I'm assuming that 10.0.0.3 is the far end PE?)
You do have a route for the 192.168.90.5 prefix but ping packets just can't reach it. The issue maynou_21 had wouldn't allow him to even send the ping packets even though there was a route in the VRF table for it.
Check the far end PE. There must be a routing miscommunication somewhere. Possibly a firewall filter problem too.
-
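Added example (not part of the thread): the check Aldur describes above, done mechanically. This Python sketch parses the `show route table VRFA.inet.0` output masagung posted and runs a longest-prefix match for each ping target; the function names are illustrative assumptions.

```python
import ipaddress
import re

# Sample input: the VRFA.inet.0 output quoted earlier in the thread.
SAMPLE = """\
VRFA.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.0.4/32 *[BGP/170] 04:03:37, localpref 100
AS path: 65006 I
> to 192.168.90.1 via fxp2.11
10.0.0.5/32 *[BGP/170] 04:03:02, localpref 100, from 10.0.0.3
AS path: 65005 I
> to 192.168.1.1 via fxp2.12, Push 16, Push 100016(top)
192.168.90.0/30 *[Direct/0] 04:04:07
> via fxp2.11
192.168.90.2/32 *[Local/0] 04:04:07
Local via fxp2.11
192.168.90.4/30 *[BGP/170] 04:03:02, localpref 100, from 10.0.0.3
AS path: I
> to 192.168.1.1 via fxp2.12, Push 16, Push 100016(top)
"""

# A route entry starts with "prefix/len *[Protocol/preference]".
ROUTE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+/\d+)\s+\*\[(\w+)/\d+\]")

def parse_routes(text):
    """Return [(network, protocol)] for every active route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((ipaddress.ip_network(m.group(1)), m.group(2)))
    return routes

def best_match(routes, target):
    """Longest-prefix match of target against the parsed table, or None."""
    addr = ipaddress.ip_address(target)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def diagnose(text, target):
    hit = best_match(parse_routes(text), target)
    if hit is None:
        return f"{target}: no covering route in this table, unreachable as expected"
    return f"{target}: covered by {hit[0]} ({hit[1]}), check far-end PE and filters"

if __name__ == "__main__":
    for ip in ("10.0.0.3", "192.168.90.5"):
        print(diagnose(SAMPLE, ip))
```
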
masagung Member Posts: 11
> This is a completely different issue than what maynou_21 was seeing.
> It is expected that you can't reach 10.0.0.3, since that route is not located in the VRF table. (I'm assuming that 10.0.0.3 is the far end PE?)
> You do have a route for the 192.168.90.5 prefix but ping packets just can't reach it. The issue maynou_21 had wouldn't allow him to even send the ping packets even though there was a route in the VRF table for it.
> Check the far end PE. There must be a routing miscommunication somewhere. Possibly a firewall filter problem too.
Hi Aldur,
yes, you are correct, 10.0.0.3 is the far end PE.
Since I can't ping between PEs, I tried to ping it and failed.
Now I have used the real router in the lab and it worked just fine.
> Hi masagung, can you give me the VRF configuration?
Yes maynou, this is my VRF configuration:
[edit]
admin@PE-1# show routing-instances |no-more
VRFA {
    instance-type vrf;
    interface fe-0/0/0.0;
    route-distinguisher 1234:1;
    vrf-target target:1234:1;
    vrf-table-label;
    routing-options {
        autonomous-system 1234 independent-domain;
    }
    protocols {
        bgp {
            family inet {
                unicast;
            }
            group vpna-ebgp {
                type external;
                local-address 192.168.90.2;
                peer-as 65006;
                neighbor 192.168.90.1;
            }
        }
    }
}
Now I can ping between the PEs which are facing the CE:
[edit]
admin@PE-1# run ping 192.168.90.5
PING 192.168.90.5 (192.168.90.5): 56 data bytes
ping: sendto: No route to host
^C
--- 192.168.90.5 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
[edit]
admin@PE-1# run ping 192.168.90.5 routing-instance VRFA
PING 192.168.90.5 (192.168.90.5): 56 data bytes
64 bytes from 192.168.90.5: icmp_seq=0 ttl=64 time=15.966 ms
^C
--- 192.168.90.5 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 15.966/15.966/15.966/0.000 ms
and this is the traceroute from PE1 to CE2
[edit]
admin@PE-1# run traceroute 192.168.90.6 routing-instance VRFA
traceroute to 192.168.90.6 (192.168.90.6), 30 hops max, 40 byte packets
1 192.168.1.1 (192.168.1.1) 16.149 ms 7.833 ms 9.371 ms
MPLS Label=100080 CoS=0 TTL=1 S=0
MPLS Label=16 CoS=0 TTL=1 S=1
2 192.168.90.6 (192.168.90.6) 18.724 ms 28.707 ms 9.428 ms
Thank you so much for all the help.
-
maynou_21 Registered Users Posts: 7
When you worked with olive, you used logical routers. You couldn't ping between the PEs because you have put "vrf-table-label" in the vrf configuration (vrf-table-label doesn't work with logical-router).
Try to deactivate "vrf-table-label". In this case, the ping between PEs will work, but you will not be able to ping between CEs. To solve this problem, you need to define a static route (in the vrf) to the CE directly connected to the PE.
-
masagung Member Posts: 11
> When you worked with olive, you used logical routers. You couldn't ping between the PEs because you have put "vrf-table-label" in the vrf configuration (vrf-table-label doesn't work with logical-router).
> Try to deactivate "vrf-table-label". In this case, the ping between PEs will work, but you will not be able to ping between CEs. To solve this problem, you need to define a static route (in the vrf) to the CE directly connected to the PE.
Yes, but it worked now in the real router.
-
Aldur Member Posts: 1,460
> Yes, but it worked now in the real router.
These are olives, which are unsupported, and have small hiccups here and there. You'll have to expect from time to time that there will be features that will work on real routers but don't quite work on olives.
But that's the trade off you get, otherwise you'll be spending thousands of dollars to buy real gear. Not to mention the power involved in keeping that gear running. Trust me I know, I have 10, or so, real SRX boxes in my home lab.
-
masagung Member Posts: 11
> These are olives, which are unsupported, and have small hiccups here and there. You'll have to expect from time to time that there will be features that will work on real routers but don't quite work on olives.
> But that's the trade off you get, otherwise you'll be spending thousands of dollars to buy real gear. Not to mention the power involved in keeping that gear running. Trust me I know, I have 10, or so, real SRX boxes in my home lab.
Yes, you are correct Aldur. First I tried this L3VPN in Olive because many people said it would work, but not in my case.
Currently I don't have much money to buy the real gear.
I hope someday I can have my own lab of boxes just like you, Aldur.
Thanks for the advice you gave me.
You're the man.