VRF issue in Olive with junos >10

huh, that is a weird one ya got there. I haven't seen it myself to tell the truth. But I haven't really used olives since 8.x'ish.

Is any other interface on the PE's reachable from PE to PE? Outside of the routing instance, or inside the routing instance?

Outside the routing instance, all the PE's interfaces are reachable, but in the routing instance every PE can only ping its local interfaces and the interfaces of the CE directly connected. May be olive does not support Junos > 10 at 100%.

heh, well, to tell the truth Olives have always been "unsupported" and so if it works then great, it not then oh well. Although I can understand your frustration.

What about picking up a cheap J series or a low end branch srx100? I know that you can pick up a srx100 pretty cheap off ebay.

I'll think about it. Thanks a lot Aldur

Hi, i already tested it too and yes it didn't work i use even the JunOS 7.4

can anyone help why is that ?

[edit]
masagung@olive# run show route table VRFA.inet.0 logical-router R2

VRFA.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.4/32 *[BGP/170] 04:03:37, localpref 100
AS path: 65006 I
> to 192.168.90.1 via fxp2.11
10.0.0.5/32 *[BGP/170] 04:03:02, localpref 100, from 10.0.0.3
AS path: 65005 I
> to 192.168.1.1 via fxp2.12, Push 16, Push 100016(top)
192.168.90.0/30 *[Direct/0] 04:04:07
> via fxp2.11
192.168.90.2/32 *[Local/0] 04:04:07
Local via fxp2.11
192.168.90.4/30 *[BGP/170] 04:03:02, localpref 100, from 10.0.0.3
AS path: I
> to 192.168.1.1 via fxp2.12, Push 16, Push 100016(top)

masagung@olive# run ping 10.0.0.3 logical-router R2 routing-instance VRFA
PING 10.0.0.3 (10.0.0.3): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- 10.0.0.3 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

[edit]
masagung@olive# ...ogical-router R2 routing-instance VRFA
PING 192.168.90.5 (192.168.90.5): 56 data bytes
^C
--- 192.168.90.5 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Hi masagung, can you give me the VRF configuration?

This is a completely different issue then what maynou_21 was seeing.

It is expected that you can't reach 10.0.0.3, since that route is not located in the VRF table. (I'm assuming that 10.0.0.3 is the far end PE?)

You do have a route for the 192.168.90.5 prefix but ping packets just can't reach it. The issue maynou_21 had wouldn't allow him to even send the ping packets even though there was a route in the VRF table for it.

Check the far end PE. There must be a routing miscommunication somewhere. Possibly a firewall filter problem too.

Aldur wrote: »

This is a completely different issue then what maynou_21 was seeing.

It is expected that you can't reach 10.0.0.3, since that route is not located in the VRF table. (I'm assuming that 10.0.0.3 is the far end PE?)

You do have a route for the 192.168.90.5 prefix but ping packets just can't reach it. The issue maynou_21 had wouldn't allow him to even send the ping packets even though there was a route in the VRF table for it.

Check the far end PE. There must be a routing miscommunication somewhere. Possibly a firewall filter problem too.

Hi Aldur,
yes you are correct the 10.0.0.3 is the far end PE
since i can't ping between PE's i tried to ping it and failed
now i already used the real router in lab and it worked just fine

maynou_21 wrote: »

Hi masagung, can you give me the VRF configuration?

yes maynou this is my VRF configuration

[edit]
admin@PE-1# show routing-instances |no-more
VRFA {
instance-type vrf;
interface fe-0/0/0.0;
route-distinguisher 1234:1;
vrf-target target:1234:1;
vrf-table-label;
routing-options {
autonomous-system 1234 independent-domain;
}
protocols {
bgp {
family inet {
unicast;
}
group vpna-ebgp {
type external;
local-address 192.168.90.2;
peer-as 65006;
neighbor 192.168.90.1;
}
}
}
}

now i can ping between the PE's which is facing to the CE

[edit]
admin@PE-1# run ping 192.168.90.5
PING 192.168.90.5 (192.168.90.5): 56 data bytes
ping: sendto: No route to host
^C
--- 192.168.90.5 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

[edit]
admin@PE-1# run ping 192.168.90.5 routing-instance VRFA
PING 192.168.90.5 (192.168.90.5): 56 data bytes
64 bytes from 192.168.90.5: icmp_seq=0 ttl=64 time=15.966 ms
^C
--- 192.168.90.5 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 15.966/15.966/15.966/0.000 ms

and this is the traceroute from PE1 to CE2

[edit]
admin@PE-1# run traceroute 192.168.90.6 routing-instance VRFA
traceroute to 192.168.90.6 (192.168.90.6), 30 hops max, 40 byte packets
1 192.168.1.1 (192.168.1.1) 16.149 ms 7.833 ms 9.371 ms
MPLS Label=100080 CoS=0 TTL=1 S=0
MPLS Label=16 CoS=0 TTL=1 S=1
2 192.168.90.6 (192.168.90.6) 18.724 ms 28.707 ms 9.428 ms

thank you so much for all the help

When you worked with olive, you used logical routers. You couldn't ping between the PEs because you have puted "vrf-table-label" in the vrf configuration (vrf-table-label doesn't work with logical-router).
try to deactivate "vrf-table-label". In this case, the ping between PEs will work, but you will not be able to ping between CEs. To solve this problem, you need to define a static route (in the vrf) to the CE directly connected to the PE.

maynou_21 wrote: »

When you worked with olive, you used logical routers. You couldn't ping between the PEs because you have puted "vrf-table-label" in the vrf configuration (vrf-table-label doesn't work with logical-router).
try to deactivate "vrf-table-label". In this case, the ping between PEs will work, but you will not be able to ping between CEs. To solve this problem, you need to define a static route (in the vrf) to the CE directly connected to the PE.

yes but it worked now in real router

masagung wrote: »

yes but it worked now in real router

These are olives, which are unsupported, and have small hiccups here and there. You'll have to expect from time to time that there will be features that will work on real routers but don't quiet work on olives.

But that's the trade off you get, otherwise you'll be spending thousands of dollars to buy real gear. Not to mention the power involved in keeping that gear running. Trust me I know, I have 10, or so, real SRX boxes in my home lab.