Hi,

You probably want:
ip route add 192.168.23.3/32 via TenGigabitEthernet4/0/1 out-labels imp-null

given that 192.168.23.2 is directly connected. We talked before about why 
labels for resolving routes are needed. Here it is again ;)

“
If you want to resolve a recursive path that has outgoing labels, ie.
  via 1.1.1.1 out-labels 33

then the resolving route in the FIB MUST also have out-labels. This is because 
you are in effect layering LSPs (the tunnel is the upper/inner layer and the 
route the lower/outer layer). The out-label for the tunnel, provided by the 
tunnel egress device, is not necessarily directly connected to the tunnel 
ingress device. Hence, if the route did not have an out label then a device in 
between the two (that is in the lower layer) would see the label for the 
tunnel/upper layer and mis-forward.
If your two devices are directly connected and so the problem above cannot 
occur, you still need an out-label for the route, but one describes such 
direct connectivity by giving the route an implicit-null out-label, i.e.
   ip route 1.1.1.1/32  via 192.168.1.1 GigabitEthernet13/0/0 out-label imp-null

“

where you replace ‘tunnel’ with ‘recursive route’.

Regards,
neale
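
Added example, not part of the original message and not VPP code: a toy Python model of the layering argument above, showing what a transit device does with the packet depending on the out-label of the resolving route. Labels 40 and 50 are the values used in this thread; the device names (PE1 implied as ingress, P, PE2) and the label table contents are constructed assumptions.

```python
# Toy model (not VPP code) of layered label forwarding. Labels 40 (VPN) and
# 50 (transport) are the values used in the thread; device names and LFIB
# contents are constructed for illustration.
IMP_NULL = "imp-null"

# Per-device label tables: label -> (action, argument)
LFIB = {
    "P":   {50: ("pop", "PE2"),               # penultimate hop pops transport label
            40: ("swap-to", "elsewhere")},    # P's own, unrelated use of label 40
    "PE2": {40: ("ip4-lookup-in-table", 1)},  # VPN label selects the customer VRF
}

def ingress_stack(vpn_label, resolving_out_label):
    """Stack imposed at ingress: VPN label inner, resolving route's label outer."""
    stack = [vpn_label]
    if resolving_out_label not in (None, IMP_NULL):
        stack.append(resolving_out_label)     # end of list is top of stack
    return stack

def forward(path, vpn_label, resolving_out_label):
    """Walk the packet through the devices in `path`; return (device, outcome)."""
    stack = ingress_stack(vpn_label, resolving_out_label)
    for device in path:
        if not stack:
            return device, "unlabelled packet"
        top = stack[-1]
        entry = LFIB[device].get(top)
        if entry is None:
            return device, f"drop: no entry for label {top}"
        action, arg = entry
        if action == "pop":                   # transport layer ends, go to next hop
            stack.pop()
            continue
        if action == "ip4-lookup-in-table":   # egress PE exposes the IP packet
            stack.pop()
            return device, f"delivered to VRF {arg}"
        # Any other action means this device interpreted a label that was
        # allocated by a different device: the mis-forward described above.
        return device, f"mis-forwarded: label {top} means {action} {arg} here"
    return path[-1], "ran off the path"

if __name__ == "__main__":
    print(forward(["P", "PE2"], 40, None))      # resolving route without out-label
    print(forward(["P", "PE2"], 40, 50))        # resolving route with out-label 50
    print(forward(["PE2"], 40, IMP_NULL))       # directly connected, imp-null
```
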


From: <vpp-dev@lists.fd.io> on behalf of Gulakh <holoogul...@gmail.com>
Date: Wednesday, 1 August 2018 at 14:03
To: "Neale Ranns (nranns)" <nra...@cisco.com>, "vpp-dev@lists.fd.io" 
<vpp-dev@lists.fd.io>
Subject: [SUSPICIOUS] Re: [SUSPICIOUS] [vpp-dev] L3VPN in VPP

Yes, that's right, the problem is fixed. I should have inserted this rule: "ip 
route add 192.168.23.3/32 via TenGigabitEthernet4/0/1 out-labels 50"

But why doesn't it work if I don't have an MPLS label for 192.168.23.3/32? 
Suppose that the core of the network is pure IP, no MPLS. I know that in 
L3VPN we need an MPLS-enabled core, but for the sake of IP resolution in another 
FIB, why does it need a second label, i.e. MPLS label??

On Tue, Jul 31, 2018 at 5:54 PM, Neale Ranns (nranns) <nra...@cisco.com> wrote:
Hi,

Please show me:
  sh ip fib index 1 5.5.5.5/32
and
  sh ip fib index 0 192.168.23.3/32

I suspect you are missing an out-label on the latter.

/neale

From: <vpp-dev@lists.fd.io> on behalf of Gulakh <holoogul...@gmail.com>
Date: Tuesday, 31 July 2018 at 14:53
To: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: [SUSPICIOUS] [vpp-dev] L3VPN in VPP

It seems that the Next hop IP resolution does not work correctly:
Here is my Configuration:

# set interface state GigabitEthernet4/0/0 up
# set interface state GigabitEthernet4/0/1 up

# ip table add 1       (create Customer VRF)

# set interface ip table GigabitEthernet4/0/0 1          (Customer VRF)

# set interface ip address GigabitEthernet4/0/0 192.168.12.2/24          (Toward Customer)
# set interface ip address GigabitEthernet4/0/1 192.168.23.2/24          (Toward Core)

*** Now I want to add one of Customer's route into its VRF:
# ip route add 5.5.5.5/32 table 1 via 192.168.23.3 next-hop-table 0 out-labels 40

in which:
               5.5.5.5/32 is the Customer's another site in somewhere else
               table 1 is the customer's VRF
               192.168.23.3 is the next hop which is in the core -> be resolved by Global VRF
               next-hop-table 0 is the Global VRF to resolve 192.168.23.3
               out-labels 40 is the VPN Label


Now when I see the VRF 1 ("show ip fib table 1"), here is the output for 
5.5.5.5/32:

ipv4-VRF:1, fib_index:1, flow hash:[src dst sport dport proto ] locks:[src:CLI:2, ]
..............
...............
............
192.168.12.0/24
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:14 buckets:1 uRPF:13 to:[0:0]]
    [0] [@4]: ipv4-glean: GigabitEthernet4/0/0: mtu:9000 ffffffffffffa0369f23aa780806
5.5.5.5/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:24 buckets:1 uRPF:25 to:[0:0]]
    [0] [@0]: dpo-drop ip4


Here is the VRF 0:

ipv4-VRF:0, fib_index:0, flow hash:[src dst sport dport proto ] locks:[src:plugin-hi:2, src:default-route:1, ]
..............
...............
............
192.168.23.0/24
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:18 buckets:1 uRPF:19 to:[0:0]]
    [0] [@4]: ipv4-glean: GigabitEthernet4/0/1: mtu:9000 ffffffffffffa0369f23aa7a0806

Question: why does it say Drop?? I expect to see something that shows next-hop 
is resolved in VRF 0.

On Tue, Jul 31, 2018 at 4:18 PM, Neale Ranns (nranns) <nra...@cisco.com> wrote:

Hi,

You are correct on all points.

regards
/neale

From: Holoo Gulakh <holoogul...@gmail.com>
Date: Tuesday, 31 July 2018 at 12:19
To: "Neale Ranns (nranns)" <nra...@cisco.com>, "vpp-dev@lists.fd.io" 
<vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] L3VPN in VPP

Hi,
In order to have both VPLS and L3VPN work concurrently in a PE router, I guess 
that I should do the following things:

1- Regardless of the type of service, whether it's VPLS, L3VPN or none (e.g. 
a simple connectivity), the core of the network works the same, that is, I 
should insert everything about the core of the network in the Global VRF, i.e. 
IP FIB 0 and MPLS FIB 0 in VPP.

The above step is done before even providing any services.

2- For the PW-Label of VPLS, the task is delivered to the mpls tunnel to put 
the PW-Label on the packet (i.e. mpls tunnel add l2-only <PE-TARGET> 
out-labels <PW-LABEL>), then to resolve the PE-TARGET IP address the resolution 
is done by checking the Global VRF, which contains information about the core, 
and at that stage the MPLS label is added to the packet.

   For the VPN-Label of the L3VPN, the task of putting it on the packet is 
delivered to the VRF associated with the incoming interface (i.e. # ip route 
add <PE-TARGET> table <CUSTOMER-VRF> via <NEXT-HOP> out-labels <VPN-LABEL>) 
and then to resolve the NEXT-HOP IP address, the Global VRF must be checked since 
the routing information about the core is stored in the Global VRF (i.e. IP FIB 
0 and MPLS FIB 0 in VPP),
but the problem is that the route stored in the customer's VRF must use the Global 
VRF in order to resolve its NEXT-HOP.
Searching the VPP docs, I came across a parameter that I can use to select which 
VRF to use to resolve the next hop,
so the # command must be modified to (ip route add <PE-TARGET> table 
<CUSTOMER-VRF> via <NEXT-HOP> next-hop-table <GLOBAL-VRF> out-labels 
<VPN-LABEL>) and then during the resolution of the PE-TARGET IP address the 
MPLS label is added to the packet.

Question: Am I right??

Excuse me for my questions ... most of the materials found on the Internet are 
about Cisco commands to run the service and they give me little insight into 
what to do with lower level configurations.
Thanks in advance

On Mon, Jul 30, 2018 at 1:31 PM, Neale Ranns (nranns) <nra...@cisco.com> wrote:
Hi,

Answers inline marked [nr]

/neale

From: <vpp-dev@lists.fd.io> on behalf of Gulakh <holoogul...@gmail.com>
Date: Saturday, 28 July 2018 at 13:45
To: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: [vpp-dev] L3VPN in VPP

Hi,
I have setup a VPLS scenario successfully and now I want to setup a L3VPN 
scenario in VPP (L3VPN topology is in attachment).

My configuration for VPLS is somehow like this 
link <https://lists.fd.io/g/vpp-dev/topic/vpls_dev_in_vpp_1/18091281?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,0,18091281>.

As far as I searched Internet, L3VPN has a VPN Label that I think is somehow 
like PW Label in VPLS with difference that VPN Label is used to select VRF and 
PW Label is used to select mpls tunnel (hence bridge).

[nr] other label allocation schemes are available ☺

===============================
Part1:
I guess I should configure the source PE as follow:

     In VPLS: mpls tunnel add l2-only via <PE-TARGET> out-labels <PW-LABEL>
                   ip route add <PE-TARGET> via <NEXT-HOP> out-labels <MPLS-LABEL>

     In L3VPN: CMD1 ??????????????? (insert in customer VRF)
                     ip route add <PE-TARGET> via <NEXT-HOP> out-labels <MPLS-LABEL> (insert in GLOBAL VRF)

I don't know what command I should use for CMD1 ... This command must add the 
VPN-LABEL, which is selected based on the customer's VRF, to the packet and then 
look up the GLOBAL VRF to push the MPLS label, just like VPLS, where the mpls 
tunnel first adds a PW Label and then in the destination IP resolution, the MPLS 
label is added to the packet.

Question1: Am I right about the configurations in the source PE?


[nr] ip route table <CUSTOMER> <PREFIX> via <PE-TARGET> out-labels <CUSTOMER-VRF-LABEL>

you could use PREFIX=0.0.0.0/0 or many more specifics

and your route to the PE-TARGET would be better as a non-recursive route (i.e. 
if it is learned via e.g. OSPF and this is not an inter-AS option C) otherwise 
you’ll need another labelled route for the next-hop

non-recursive means specify the next-hop and interface.


================================
Part2:
I guess I should configure the target PE as follow:

     In VPLS: mpls local-label add eos <PW-LABEL> via l2-input-on <MPLS-TUNNEL>

     In L3VPN: mpls local-label add eos <VPN-LABEL> via ip4-lookup-in-table <VRF-ID>  (insert in GLOBAL VRF)

Question2: Am I right about the configurations in the target PE?

[nr] Yes. The mpls label is added to the MPLS global table, i.e. there’s no 
‘insert in global-VRF’, since the instruction associated with the label is to 
lookup the exposed IP destination address in the customer’s VRF.

=================================
Part3:
In order to fill customer's VRF, I should use control plane's RouteTarget (RT) 
to select the VRF ID and then use below command to fill the VRF:

          ip route add <DESTINATION> via <NEXT-HOP> <INTERFACE> table <VRF-ID>

Question3: Am I right?

[nr] yes.

thanks in advance






View/Reply Online (#10007): https://lists.fd.io/g/vpp-dev/message/10007