Comware

  • 1.  [A5500] Redundancy of static route over BGP

    Posted Mar 15, 2016 10:32 AM

    Bonjour from France,

    I have 2 IRF-stack with a layer-2 connection between them.
    The second stack is on a backup site for the PCR.

    IP address :
    - first stack (Main site) : 10.0.0.252/24 ;
    - second stack (Backup site) : 10.0.0.253/24.

    I created 2 VRFs on each IRF stack :
    - vpn_main (vlan 100) ;
    - vpn_customerA (vlan 1002).

    There is a VLAN interface for vpn_customerA VRF on each stack :
    - first stack : 10.0.5.9/29 ;
    - second stack : 10.0.5.10/29.

    I have 2 CPE in the vpn_main VRF :
    - CPE1 : 10.0.0.204/24 ;
    - CPE2 : 10.0.0.203/24.

    CPE2 is the backup nexthop of CPE1.
    CPE1 and CPE2 make routing between 10.0.0.0/24 and 10.3.0.0/16

    Each VRF is linked with the other (vpn-target 100:1 1002:1 both).
    I configure BGP in 2 vpn4 family to import the static route.
    In the vpn_customerA from main site I put a static route : ip route-static vpn-instance vpn_customerA 10.3.224.0 255.255.240.0 vpn-instance vpn_main 10.0.0.204
    In the vpn_customerA from second site I put another static route : ip route-static vpn-instance vpn_customerA 10.3.224.0 255.255.240.0 vpn-instance vpn_main 10.0.0.203

    Finally, I have a router (10.0.5.11/29) with 2 BGP sessions :
    - First with 10.0.5.9 ;
    - Second with 10.0.5.10.

    This router gets 10.3.224.0/20 from vpn_customerA (Main site).
    But when I cut the link between this router and 10.0.5.9, I expect that a new BGP route from 10.0.5.10 will be received, but no.
    I wonder why it is always the static route over BGP...

    Some help is welcome ! :)

    Best regards,

    Jacques



  • 2.  RE: [A5500] Redundancy of static route over BGP

    Posted Mar 15, 2016 11:56 AM

    In fact, the problem is not the router 10.0.5.11 but the switch on main site.
    When I shut down the interface where 10.0.0.204 is connected and I type display ip routing-table vpn-instance vpn_customerA, I get :

    Routing Tables: vpn_customerA
            Destinations : 7        Routes : 7

    Destination/Mask    Proto  Pre  Cost         NextHop         Interface

    0.0.0.0/0           Static 60   0            10.0.5.11       Vlan1002
    10.0.0.0/24         BGP    130  10           10.0.0.252      Vlan100
    10.0.5.8/29         Direct 0    0            10.0.5.9        Vlan1002
    10.0.5.9/32         Direct 0    0            127.0.0.1       InLoop0
    10.3.224.0/20       Static 60   0            10.0.0.204      Vlan100
    127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0
    127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0

    When I type display ip routing-table vpn-instance vpn_customerA protocol bgp, I get :

    vpn_customerA Routing Table : BGP
    Summary Count : 2

    BGP Routing Table Status : <Active>
    Summary Count : 1

    Destination/Mask    Proto  Pre  Cost         NextHop         Interface

    10.0.0.0/24         BGP    130  10           10.0.0.252      Vlan100

    BGP Routing table Status : <Inactive>
    Summary Count : 1

    Destination/Mask    Proto  Pre  Cost         NextHop         Interface

    10.3.224.0/20       BGP    255  0            10.0.5.10       Vlan1002

     

    So, I understand that the route doesn't switch on the other site :(



  • 3.  RE: [A5500] Redundancy of static route over BGP

    Posted Mar 15, 2016 03:45 PM

    Posting configs & drawing might help.
    You're using a static route to 10.0.0.204.
    This route will not disappear after shutting down the ethernet interface where 10.0.0.204 is connected!
    Only when VLAN100 interface goes down, this static route will disappear..
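
The behaviour described in this reply, modelled as an added example (not part of the original post and not Comware code): among routes to the same prefix the lowest "Pre" value wins, and a route stays a candidate as long as its outgoing layer-3 interface is up. The two candidates are copied from the display output earlier in the thread; `unreachable_next_hops` is a hypothetical next-hop liveness check that the posted configuration does not have.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    proto: str
    preference: int  # "Pre" column: the lower value is preferred
    next_hop: str
    interface: str


# Constructed from the two 10.3.224.0/20 entries shown on sw-main.
CANDIDATES = [
    Route("10.3.224.0/20", "Static", 60, "10.0.0.204", "Vlan100"),
    Route("10.3.224.0/20", "BGP", 255, "10.0.5.10", "Vlan1002"),
]


def usable(route, up_interfaces, unreachable_next_hops=frozenset()):
    """A route is usable while its VLAN interface is up.

    unreachable_next_hops is hypothetical: it stands for a liveness check
    of the next hop itself, which the configuration on this page lacks.
    """
    return (route.interface in up_interfaces
            and route.next_hop not in unreachable_next_hops)


def select_active(candidates, up_interfaces, unreachable_next_hops=frozenset()):
    """Return the active route for the prefix, or None if none is usable."""
    live = [r for r in candidates
            if usable(r, up_interfaces, unreachable_next_hops)]
    return min(live, key=lambda r: r.preference, default=None)


if __name__ == "__main__":
    both_up = {"Vlan100", "Vlan1002"}
    # CPE1 port shut, but Vlan100 still has other member ports up.
    print("CPE port down :", select_active(CANDIDATES, both_up))
    # Whole VLAN interface down: the static route is no longer a candidate.
    print("Vlan100 down  :", select_active(CANDIDATES, {"Vlan1002"}))
    # With a next-hop check (hypothetical), the BGP route takes over.
    print("next hop dead :", select_active(CANDIDATES, both_up, {"10.0.0.204"}))
```
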



  • 4.  RE: [A5500] Redundancy of static route over BGP

    Posted Mar 15, 2016 06:37 PM

    Bonsoir 16again and thank you,

    So, do you think that I can find a solution to my problem while keeping the constraint to subnet 10.3.0.0/16 with /20 (or another mask) ? I can't modify the CPE's BGP configuration (these routers don't belong to me) and I need to allocate subnetwork in every future VRF without keeping the initial mask /16.

    Please find a drawing in file-attach and below the configurations :

    ----- BEGINNING SW-MAIN-----
    #
     version 5.20.99, Release 5501P19
    #
     sysname sw-main
    #
     router id 10.0.0.252
    #
    ip vpn-instance vpn_CustomerA
     route-distinguisher 1002:1
     vpn-target 1002:1 100:1 export-extcommunity
     vpn-target 1002:1 100:1 import-extcommunity
    #
    ip vpn-instance vpn_main
     route-distinguisher 100:1
     vpn-target 100:1 1002:1 export-extcommunity
     vpn-target 100:1 1002:1 import-extcommunity
    #
    vlan 1
    #
    vlan 100
    #
    vlan 1002
    #
    interface Vlan-interface100
     ip binding vpn-instance vpn_main
     ip address 10.0.0.252 255.255.255.0
     ospf dr-priority 255
     vrrp vrid 100 virtual-ip 10.0.0.252
     vrrp vrid 100 priority 254
    #
    interface Vlan-interface1002
     ip binding vpn-instance vpn_CustomerA
     ip address 10.0.5.9 255.255.255.248
     ospf dr-priority 255
     vrrp vrid 100 virtual-ip 10.0.5.9
     vrrp vrid 100 priority 254
    #
    bgp 65001
     default med 10
     undo synchronization
     #
     ipv4-family vpn-instance vpn_CustomerA
      peer 10.0.5.10 as-number 65001
      peer 10.0.5.11 as-number 65001
      network 10.3.224.0 255.255.240.0
      import-route direct
      peer 10.0.5.10 connect-interface Vlan-interface1002
      peer 10.0.5.11 connect-interface Vlan-interface1002
     #
     ipv4-family vpn-instance vpn_main
      peer 10.0.0.204 as-number 65289
      peer 10.0.0.253 as-number 65001
      peer 10.0.0.254 as-number 65001
      default med 10
      import-route direct
      peer 10.0.0.204 connect-interface Vlan-interface100
      peer 10.0.0.204 preferred-value 100
      peer 10.0.0.253 connect-interface Vlan-interface100
      peer 10.0.0.254 connect-interface Vlan-interface100
    #
    ospf 1 router-id 10.0.0.252 vpn-instance vpn_main
     peer 10.0.0.253
     peer 10.0.0.254
     area 0.0.0.0
      network 10.0.0.0 0.0.0.255
    #
    ospf 1002 router-id 10.0.5.9 vpn-instance vpn_CustomerA
     peer 10.0.5.10
     peer 10.0.5.11
     area 0.0.0.0
      network 10.0.5.8 0.0.0.7
    #
     ip route-static vpn-instance vpn_CustomerA 0.0.0.0 0.0.0.0 Vlan-interface1002 10.0.5.11
     ip route-static vpn-instance vpn_CustomerA 10.3.224.0 255.255.240.0 vpn-instance vpn_main 10.0.0.204
     ip route-static vpn-instance vpn_main 0.0.0.0 0.0.0.0 Vlan-interface100 10.0.0.254
    ----- END SW-MAIN -----


    ----- BEGINNING SW-BACKUP-----
    #
     version 5.20.99, Release 5501P19
    #
     sysname sw-backup
    #
     router id 10.0.0.253
    #
    ip vpn-instance vpn_CustomerA
     route-distinguisher 1002:1
     vpn-target 1002:1 100:1 export-extcommunity
     vpn-target 1002:1 100:1 import-extcommunity
    #
    ip vpn-instance vpn_main
     route-distinguisher 100:1
     vpn-target 100:1 1002:1 export-extcommunity
     vpn-target 100:1 1002:1 import-extcommunity
    #
    vlan 1
    #
    vlan 100
    #
    vlan 1002
    #
    interface Vlan-interface100
     ip binding vpn-instance vpn_main
     ip address 10.0.0.253 255.255.255.0
     ospf dr-priority 128
     vrrp vrid 100 virtual-ip 10.0.0.252
     vrrp vrid 100 priority 128
    #
    interface Vlan-interface1002
     ip binding vpn-instance vpn_CustomerA
     ip address 10.0.5.10 255.255.255.248
     ospf dr-priority 128
     vrrp vrid 100 virtual-ip 10.0.5.9
     vrrp vrid 100 priority 128
    #
    bgp 65001
     default med 20
     undo synchronization
     #
     ipv4-family vpn-instance vpn_CustomerA
      peer 10.0.5.9 as-number 65001
      peer 10.0.5.11 as-number 65001
      network 10.3.224.0 255.255.240.0
      import-route direct
      peer 10.0.5.9 connect-interface Vlan-interface1002
      peer 10.0.5.11 connect-interface Vlan-interface1002
     #
     ipv4-family vpn-instance vpn_main
      peer 10.0.0.203 as-number 65289
      peer 10.0.0.252 as-number 65001
      peer 10.0.0.254 as-number 65001
      default med 20
      import-route direct
      peer 10.0.0.203 connect-interface Vlan-interface100
      peer 10.0.0.203 preferred-value 100
      peer 10.0.0.252 connect-interface Vlan-interface100
      peer 10.0.0.254 connect-interface Vlan-interface100
    #
    ospf 1 router-id 10.0.0.253 vpn-instance vpn_main
     peer 10.0.0.252
     peer 10.0.0.254
     area 0.0.0.0
      network 10.0.0.0 0.0.0.255
    #
    ospf 1002 router-id 10.0.5.10 vpn-instance vpn_CustomerA
     peer 10.0.5.9
     peer 10.0.5.11
     area 0.0.0.0
      network 10.0.5.8 0.0.0.7
    #
     ip route-static vpn-instance vpn_CustomerA 0.0.0.0 0.0.0.0 Vlan-interface1002 10.0.5.11
     ip route-static vpn-instance vpn_CustomerA 10.3.224.0 255.255.240.0 vpn-instance vpn_main 10.0.0.203
     ip route-static vpn-instance vpn_main 0.0.0.0 0.0.0.0 Vlan-interface100 10.0.0.254
    ----- END SW-BACKUP -----



  • 5.  RE: [A5500] Redundancy of static route over BGP

    Posted Mar 16, 2016 05:32 PM

    Can you show BGP prefixes received from 10.0.0.204 (and on backup from 203) ?
    If 10.3.x.x network is advertised, you can get rid of static route



  • 6.  RE: [A5500] Redundancy of static route over BGP

    Posted Mar 16, 2016 06:25 PM

    Bonsoir 16again,

    The prefixes received from 10.0.0.204 and 10.0.0.203 are :
    - 10.1.0.0/16 le 32 ;
    - 10.2.0.0/16 le 32 ;
    - 10.3.0.0/16 le 32 ;
    - 10.4.0.0/14 le 32 ;
    - 10.8.0.0/13 le 32 ;
    - 10.16.0.0/12 le 32 ;
    - 10.32.0.0/11 le 32 ;
    - 10.64.0.0/10 le 32 ;
    - 10.128.0.0/9 le 32.

    My problem is that I can't resize the netmask received from these CPE.



  • 7.  RE: [A5500] Redundancy of static route over BGP

    Posted Mar 17, 2016 02:02 AM

    Why not simply use the 10.3.0.0/16 route in your network? If you do use more specific 10.3.x.x routes elsewhere (for instance 10.3.33.0/24) in your network, these routes can coexist!
    Also if you want to exclude access to your network from other 10.3 networks, you might use ACL like below:
    permit ip source  10.3.224.0 255.255.240.0  dest any
    deny  ip source  10.3.0.0 255.255.0.0  dest any
    permit ip any any



  • 8.  RE: [A5500] Redundancy of static route over BGP

    Posted Mar 17, 2016 07:10 AM

    You're right about ACL or Access-List but :
    - I'll have other CPEs from another provider with the same prefixes (it's the reason that I use VPN-instance) ;
    - If customerA wants for example 10.3.144.0/20 with the other providers, the route doesn't match.



  • 9.  RE: [A5500] Redundancy of static route over BGP

    Posted Mar 17, 2016 09:02 AM

    If you have route1 for 10.3.144.0/20 alongside route2 for 10.3.0.0/16, route1 is most specific (longer match) and will be used for 10.3.144.0/20 destinations, for all other 10.3.0.0/16 destinations route 2 will be used.

    Since you can't change the advertised 10.3.0.0/16 route, you have to use it as-is.

    Of course you should only advertise this /16 route to VPN instance that's using it.
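
The two selection rules used in this thread, side by side, as an added example that is not part of the original posts: the routing table picks the longest matching prefix regardless of order (this reply), while the ACL suggested in reply 7 is evaluated top-down and the first matching rule decides. The route names and ACL rules are copied from the replies; the function names are made up for this example.

```python
import ipaddress

# Constructed from the replies above: route1/route2 from this reply, and the
# three ACL rules from reply 7 in the order they were posted.
ROUTES = [("10.3.144.0/20", "route1"), ("10.3.0.0/16", "route2")]
ACL = [
    ("permit", "10.3.224.0/20"),
    ("deny", "10.3.0.0/16"),
    ("permit", "0.0.0.0/0"),  # "permit ip any any"
]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match: table order is irrelevant, the longest mask wins."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(prefix), name) for prefix, name in routes
            if addr in ipaddress.ip_network(prefix)]
    if not hits:
        return None
    return max(hits, key=lambda hit: hit[0].prefixlen)[1]


def acl_action(src, acl=ACL):
    """First match: rules are checked in order and the first hit decides."""
    addr = ipaddress.ip_address(src)
    for action, prefix in acl:
        if addr in ipaddress.ip_network(prefix):
            return action
    return None  # no rule matched; what happens then is left to the device


if __name__ == "__main__":
    for dst in ("10.3.150.1", "10.3.224.1", "10.9.0.1"):
        print("route to", dst, "->", route_lookup(dst))
    for src in ("10.3.230.7", "10.3.10.1", "10.1.1.1"):
        print("packet from", src, "->", acl_action(src))
    # Same rules with the deny moved first: the customer /20 is now blocked.
    reordered = [ACL[1], ACL[0], ACL[2]]
    print("reordered, from 10.3.230.7 ->", acl_action("10.3.230.7", reordered))
```

Reordering the routes changes nothing, but moving the deny rule above the /20 permit blocks the customer subnet, so the order of the ACL rules is part of the control.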

     



  • 10.  RE: [A5500] Redundancy of static route over BGP

    Posted Mar 17, 2016 09:40 AM

    Unfortunately, I think I have no choice :(
    I can't change the advertised route, so CustomerA instance receives 10.3.0.0/16 for vpn_main.
    When I'll have vpn_main2 with the other CPEs that announce 10.3.0.0/16 and customerA wants to take a 10.3.x.x/20 subnet from them, it will not be possible.

    I'd hope that it was possible to modify the netmask in my network infrastructure with a "voodoo" mechanism :)

    I should explain to customerA that he must choose a subnet excluded from 10.3.0.0/16 and for his current network, configure an ACL to filter the flows from him to 10.3.224.0/20 only.

    Ok, I test now and I'll come back to share the solution.

    Thank you a lot 16again.