Re: [c-nsp] virtual routers - L2-type vpn's
It depends on which XRv image you use. The “free” image has a very limited forwarding plane - it was really only meant for DevOps work.

The licensed XRv9000 images work, I’m told, but as we’re only using them as RRs I haven’t tested this myself.

Regards,
Chris Jones

> On 9 May 2020, at 05:13, Aaron Gould wrote:
>
> Using csr1000v in EVE-NG, yesterday I was able to do mp2mp vpls (rfc4761 bgp
> ad, bgp sig) using (3) csr1000v routers and it all worked, control plane
> *and* data plane, all CE's behind the csr1000v pe's could ping each other.
> (I tested rfc4762 bgp ad, ldp sig, but only with 2 csr1000v and it worked... I
> may go back and add in a third csr1000v later).
>
> But, my question and problem was: XRv would not pass traffic in those vpls
> tests. Control plane would work, configs would commit, and neighbor
> pseudowires would even go UP and establish to the other pe's (csr1000v's)
> BUT, I got nasty traceback errors on XRv and data plane would not pass
> traffic.
>
> Has anyone been successful in getting VPLS to work in XRv?
>
> What about EVPN in XRv? Does EVPN/MPLS forwarding work in XRv?
>
> Traceback errors I got on XRv following the commit of the VPLS config:
>
> RP/0/RP0/CPU0:May 7 22:03:47.917 : fib_mgr[224]: %MGBL-DPC-2-SW_ERR : Failed to configure l2vpn_ldi (Invalid DPA id 17) : fib_mgr : (PID=4352) : -Traceback= 7f60faf970ca 7f60fafb5582 7f6105a1a270 7f6105a27740 7f6105a28a70 7f61186492f5 7f6118486919 7f6118484064 7f61244fcec8 7f61244fefe9 5ebe3a 5f9054 5fb5d8 605062 6fe214 538d69
>
> RP/0/RP0/CPU0:May 7 22:03:47.917 : fib_mgr[224]: %ROUTING-FIB-3-PLATF_UPD_FAIL : FIB platform update failed: Obj=DATA_TYPE_LOADINFO[ptr=0x114a949f8,refc=0x1,flags=0x80c441] Action=MODIFY Proto=ipv4. Cerr='dpc_rm_svr' detected the 'warning' condition 'Internal invalid parameter found.' : fib_mgr : (PID=4352) : -Traceback= 7f61244fefe9 5ebe3a 5f9054 5fb5d8 605062 6fe214 538d69 565efc 567d65 688000 68a9fc 68adf8 43c59a 7f61229daa21 7f61229ebb6e 42376e
>
> RP/0/RP0/CPU0:May 7 22:03:47.918 : fib_mgr[224]: %ROUTING-FIB-3-PD_FAIL : FIB platform error: fib_ldi_platform_update 2077: PD action MODIFY failed for passed_ldi 0x114a949f8 type DATA_TYPE_LOADINFO flags 0x80c441. Shared LDI 0x114a949f8 num_slots 1 num_buckets 1 depth 2 ldi type 1 ldi protocol mpls flags 0x80c441 : 0x4b88b400 'dpc_rm_svr' detected the 'warning' condition 'Internal invalid parameter found.' : fib_mgr : (PID=4352) : -Traceback= 5f9054 5fb5d8 605062 6fe214 538d69 565efc 567d65 688000 68a9fc 68adf8 43c59a 7f6122(TRUNCATED)
>
> -Aaron

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] virtual routers - L2-type vpn's
Using csr1000v in EVE-NG, yesterday I was able to do mp2mp vpls (rfc4761 bgp ad, bgp sig) using (3) csr1000v routers and it all worked, control plane *and* data plane, all CE's behind the csr1000v pe's could ping each other. (I tested rfc4762 bgp ad, ldp sig, but only with 2 csr1000v and it worked... I may go back and add in a third csr1000v later).

But, my question and problem was: XRv would not pass traffic in those vpls tests. Control plane would work, configs would commit, and neighbor pseudowires would even go UP and establish to the other pe's (csr1000v's) BUT, I got nasty traceback errors on XRv and data plane would not pass traffic.

Has anyone been successful in getting VPLS to work in XRv?

What about EVPN in XRv? Does EVPN/MPLS forwarding work in XRv?

Traceback errors I got on XRv following the commit of the VPLS config:

RP/0/RP0/CPU0:May 7 22:03:47.917 : fib_mgr[224]: %MGBL-DPC-2-SW_ERR : Failed to configure l2vpn_ldi (Invalid DPA id 17) : fib_mgr : (PID=4352) : -Traceback= 7f60faf970ca 7f60fafb5582 7f6105a1a270 7f6105a27740 7f6105a28a70 7f61186492f5 7f6118486919 7f6118484064 7f61244fcec8 7f61244fefe9 5ebe3a 5f9054 5fb5d8 605062 6fe214 538d69

RP/0/RP0/CPU0:May 7 22:03:47.917 : fib_mgr[224]: %ROUTING-FIB-3-PLATF_UPD_FAIL : FIB platform update failed: Obj=DATA_TYPE_LOADINFO[ptr=0x114a949f8,refc=0x1,flags=0x80c441] Action=MODIFY Proto=ipv4. Cerr='dpc_rm_svr' detected the 'warning' condition 'Internal invalid parameter found.' : fib_mgr : (PID=4352) : -Traceback= 7f61244fefe9 5ebe3a 5f9054 5fb5d8 605062 6fe214 538d69 565efc 567d65 688000 68a9fc 68adf8 43c59a 7f61229daa21 7f61229ebb6e 42376e

RP/0/RP0/CPU0:May 7 22:03:47.918 : fib_mgr[224]: %ROUTING-FIB-3-PD_FAIL : FIB platform error: fib_ldi_platform_update 2077: PD action MODIFY failed for passed_ldi 0x114a949f8 type DATA_TYPE_LOADINFO flags 0x80c441. Shared LDI 0x114a949f8 num_slots 1 num_buckets 1 depth 2 ldi type 1 ldi protocol mpls flags 0x80c441 : 0x4b88b400 'dpc_rm_svr' detected the 'warning' condition 'Internal invalid parameter found.' : fib_mgr : (PID=4352) : -Traceback= 5f9054 5fb5d8 605062 6fe214 538d69 565efc 567d65 688000 68a9fc 68adf8 43c59a 7f6122(TRUNCATED)

-Aaron
[c-nsp] Virtual Routers
Is there a way to divide a 6500 into multiple 'Virtual Routers' with different routing tables? I've read about VRF-Lite but it is always mentioned in a VPN environment with remote and central devices.

I need to get some traffic into a FWSM on a 6500, out of the 6500 to an IPS and back into the same 6500. Maybe PBR would do the trick but I'm still looking for some good and clear info on virtual routing in a LAN environment (if existing).

Thanks,

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Re: [c-nsp] Virtual Routers
Hi,

you can use Multi-VRF in whatever context, so no need for some remote/central scenario.

BUT: what you want to achieve will most probably mean working with virtual contexts on the FWSM and/or IPS module. Should be doable but presumably not by means of Multi-VRF. Can't say more here without understanding of your exact traffic flow.

Thanks,

Enno

On Mon, Nov 17, 2008 at 09:31:19AM +0100, Holemans Wim wrote:
> Is there a way to divide a 6500 into multiple 'Virtual Routers' with
> different routing tables? I've read about VRF-Lite but it is always
> mentioned in a VPN environment with remote and central devices.
>
> I need to get some traffic into a FWSM on a 6500, out of the 6500 to an
> IPS and back into the same 6500. Maybe PBR would do the trick but I'm
> still looking for some good and clear info on virtual routing in a LAN
> environment (if existing).
>
> Thanks,
>
> Wim Holemans
> Netwerkdienst Universiteit Antwerpen

--
Enno Rey
ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1
Commercial register Heidelberg: HRB 7135
Managing directors: Roland Fiege, Enno Rey
Re: [c-nsp] Virtual Routers
Actually I just realised after I sent this that you will need to PBR the last hop in the 6500 before the inside host too if you haven't brought it into a vrf, otherwise the initial route will take hold and loop you back into the FWSM again.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Steele
Sent: Monday, 17 November 2008 9:39 PM
To: 'Holemans Wim'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Virtual Routers

You can do what you want without vrf using PBR, as you mentioned.

Using the standard svclc vlans the flow of traffic would be:

Outside Host - 6500 VLAN 1 - FWSM - 6500 VLAN 2 (PBR set ip next-hop IPS) - IPS - 6500 VLAN 3 - Inside Host

So in this example physically the IPS would be cabled with 2 separate cables (in/out) in 2 different vlans on the 6500.

Any reason that wouldn't work? Gives you the option to bypass the IPS by simply not including it in the IPS PBR acl.

Ben
Re: [c-nsp] Virtual Routers
You can do what you want without vrf using PBR, as you mentioned.

Using the standard svclc vlans the flow of traffic would be:

Outside Host - 6500 VLAN 1 - FWSM - 6500 VLAN 2 (PBR set ip next-hop IPS) - IPS - 6500 VLAN 3 - Inside Host

So in this example physically the IPS would be cabled with 2 separate cables (in/out) in 2 different vlans on the 6500.

Any reason that wouldn't work? Gives you the option to bypass the IPS by simply not including it in the IPS PBR acl.

Ben

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Holemans Wim
Sent: Monday, 17 November 2008 7:01 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Virtual Routers

Is there a way to divide a 6500 into multiple 'Virtual Routers' with different routing tables? I've read about VRF-Lite but it is always mentioned in a VPN environment with remote and central devices.

I need to get some traffic into a FWSM on a 6500, out of the 6500 to an IPS and back into the same 6500. Maybe PBR would do the trick but I'm still looking for some good and clear info on virtual routing in a LAN environment (if existing).

Thanks,

Wim Holemans
Netwerkdienst Universiteit Antwerpen
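
The VLAN 2 policy-routing hop from the flow described above, sketched as IOS configuration. This is an added example, not configuration posted in the thread: the ACL and route-map names, all addresses, and the assumption that the IPS forwards at layer 3 with an address in VLAN 2 are constructed for illustration.

```ios
! Added illustration; every name and address below is constructed.
! Assumptions: the FWSM inside interface and the IPS ingress port share
! VLAN 2, the IPS egress port and the inside hosts sit in VLAN 3, and the
! IPS routes packets, using 10.0.2.10 as its VLAN 2 address.
!
ip access-list extended IPS-INSPECT
 remark Flows denied here are not policy-routed and bypass the IPS
 deny   ip host 10.0.1.50 any
 remark Everything else bound for the inside subnet goes via the IPS
 permit ip any 10.0.3.0 0.0.0.255
!
route-map VIA-IPS permit 10
 match ip address IPS-INSPECT
 set ip next-hop 10.0.2.10
!
! Policy routing is applied where traffic from the firewall enters the 6500.
interface Vlan2
 description FWSM inside side
 ip address 10.0.2.1 255.255.255.0
 ip policy route-map VIA-IPS
!
! Packets leaving the IPS arrive in VLAN 3 next to the inside hosts.
interface Vlan3
 description IPS egress side and inside hosts
 ip address 10.0.3.1 255.255.255.0
```

Only the forward direction is covered here. A flow that matches a `deny` entry falls back to the normal routing table, which is what makes the ACL usable as the IPS bypass list.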