Injecting Global default Routes into a MPLS VPN

Similar Messages

• Inject BGP Default Routes into Multiple VRF before Best Path Selection

  Hello, 
  I have the following setup:
  Multiple Border Routers with eBGP sessions to external AS. We receive a default route from this multiple AS to keep the Table manageable. We noticed an important part of our traffic was been SW routed instead of CEF when we had the Full Internet table. Router Resources came to the ground when we changed to a default. 
  Now I want to separate this default routes into different VRF. Attached is the Diagram. 
  My question is,  the multiple default route all go into the BGP Table. The BGP table then select the best route and place it on the RIB and then to the FIB. 
  I want to redistribute the different Route on the BGP table prior to the Best path selection algorithm and placed on the RIB. 
  How can I achieve this?

  Hi,
  Redistribution of multiple routes to same prefix is not possible. Even if you have configured BGP multipath and all different bgp routes got installed into routing table, during redistribution only route will be redistributed. 
  Also would like to understand the requirement of redistributing multiple BGP routes in to IGP. As per your diagram, 3 different eBGP sessions are on three different routers, so you can prefer eBGP route over iBGP received from other routers and can distribute eBGP route to IGP from each router. Thus you will have three different default routes in to IGP in core.
  Please don't forget to rate this post if it has been helpful
  - Akash

• How do I inject a static default route into vrf

  Could anybody give me any advise on injecting a static default route into vrf.
  The static route is to the internet, I can't enable vrf forwading on the fa interface as other users also use this internet connection.
  I am configuring a 7206 VXR 12.3(26) and have attached a copy of the config
  Any help gratefully received

  Hi
  I think you have to specify the route as this
  ip route vrf delegate_wireless fa0/0 0.0.0.0 0.0.0.0 194.154.168.1 global
  it tells the router to to use a next hop that is not part of the vrf.
  Also, don't forget that the return traffic has to be routed out to the vrf.
  Something like this.
  ip route a.b.c.d tu1 10.252.254.2
  /Mikael

• Using ACE RHI to inject a default route

  I think I posted this onto the wrong Forum. Anyone able to advise here?
  SteveK.
  Posted by: stevek1 - Network Administrator, Dept Natural Resources and Mines
  Apr 18, 2008, 12:04am PST
  Hi Folks,
  I need to provide internal devices with active-active access to our clustered firewall which sits across 2 data centres.
  I need to allow internal hosts to reach external/unknown networks via a default route.
  We have ACE modules in our internal network aggregation 6513s at each site.
  I aim to achieve this using RHI...ie...device at site 1 reaches the internet via firewall at site 1, device at site 2 reaches internet via firewall at site 2 (due to better route). If the firewall is inaccessible from site 2, ACE at site 2 removes the route from the MSFC using RHI and site 2 device traffic is re-routed to the site 1 exit point.
  Has anyone out there done this before?
  Regards, Steve.
  | Outline | Subscribe | E-Mail this Message
  Replied by: stevek1 - Network Administrator, Dept Natural Resources and Mines - Apr 20, 2008, 6:48pm PST
  Hi Folks,
  It's Steve here again. I haven't had a response to my query as yet, but basically I need to know the validity of using ACE RHI to inject a default route as opposed to a host route.
  Can anyone please advise?
  Best Wishes, Steve.

  Thanks so much for your response Zahoor.
  The solution you have provided is more complicated than I had in mind. For example we had not intended using FWSM (we don't have these modules). I just want to use our existing ACEs at each Data Centre to provide the injection of a default route to our internal EIGRP process based on the result of a probe to our Checkpoint FW. What do you think?
  Steve.

• Metrics when redistributing a static default route into EIGRP?

  I saw a network working with EIGRP and resdistributing a static default route into it. I did not find the "default metrics" to redistribute into EIGRP but the static default route works and is redistributed. My understanding was that everytime you redistribute into EIGRP you needed to specify the metrics. How come this network is working? Can someone explain or point to a cisco document what explains it?
  Sample of the config:
  router eigrp 1
  redistribute static
  no autosummary
  network Y.Y.Y.Y
  ip route 0.0.0.0 0.0.0.0 X.X.X.X
  Thank you,

  It's just one of those specific things about EIGRP and IOS, maybe a design choice. If they do use the interface as the seed metric then that would help explain why it's that way.
  Weirdly if you are using EIGRP VRF address family configuration on IOS and you redistribute statics you do need a metric.
  And I believe NXOS running on Nexus switches also needs a metric defined.
  Just one of those things you have to remember but it would be good if it was consistent.
  Jon

• Managing Route-Map based MPLS VPN

  1) How to derive the VPN information of the MPLS VPN configured using route-maps? As I understand, stitching route-maps information to derive VPN is complex as it is difficult to derive & correlate the filters tied to each of the route-maps that are tied to a VRF :(
  2) Is there any MIB to get from the MIB
  a) Route-maps tied to each VRF
  b) What is the filter associated with each route-map?
  c) Definition of each of the above filter
  It would have been nice if the route-maps' name had global-significance within AS, so that we could have treated route-maps, pretty much like the route-tragets. Alas, I doubt it is :(
  It should be noted here that if the MPLS VPN is configured using route targets, the VPN information derivation is fairly straight forward throught MplsVpn MIB.
  So, the question is what is the simplest way to derive the MPLS VPN info given that they are configured using route-maps in BGP for labelled-route-distribution & for the pkt association with the VRFs.
  Thanks,
  Suresh R

  Each CE in a customer VPN is also added to the management VPN by selecting the Join the management VPN option in the service request user interface.
  The function of the management route map is to allow only the routes to the specific CE into the management VPN. The Cisco IOS supports only one export route map and one import route map per VRF.
  http://www.cisco.com/en/US/products/sw/netmgtsw/ps4748/products_user_guide_chapter09186a0080353ac3.html

• What should my default route be with a VPN?

  I have a remote site that is connected to my main site using a VPN over the internet. ALL traffic on the remote site should come back to the main. On the remote site I have the outside interface configured with a crypto map indicating that the peer is my Main site's outside ASA (VPN endpoint) interface. The VPN functions and most of the traffic seems to be flowing correctly, except..
  When a user tries to telnet to a site the packets seem to be going out to the internet instead of through the VPN tunnel? The way I came to this conclusion is I did a traceroute on the router to the IP of the Telnet server and see that it goes to the internet and gets lost. A traceroute from the user's station shows it goes out their router and just times out afterwards.
  There is 1 static route on the router specifying the default route as the ISP's interface. This is the correct next hop but with my crypto map configured on the interface and with the peer being my main site, is this configuration correct? Should my default route on the router be my VPN peer's IP as the next hop or the ISP's?
  Also do you think this is the reason why packets are getting routed to the internet instead of back to my Main site?  Thanks for any help!!

  Thanks for the reply Karsten. I'm thinking now that the issue is actually back at my Main site and not at the crypto map. When I was on the remote router and did the traceroute (which went to the internet) I think it was only because I didn't specify which specific interface to ping from.
  I still wasn't sure about that next hop though so thanks for answering that!  -Mark

• Route Leaking in MPLS/VPN Networks (IOX support)

  Hi all,
  I would like to if IOX of CRS-1 can support route leaking between VRF<>Global routing table?
  hhttp://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtmlttp://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml
  Regards

  Hi,
  You can use the vrf keyword after the prefix you want to join and before specifying the NH. It will tell the router in which VRF the lookup should be done:
  http://www.cisco.com/en/US/docs/routers/crs/software/crs_r4.0/routing/command/reference/rr40crs1book_chapter9.html#wp172562637
  The vrf name "default" is reserved to reference the GRT.
  HTH
  Laurent.

• Introduce second default gateway into policy-based routing and optimization

  Questions:
  1) How to get the second PBR_DEFAULT_GATEWAY address 10.20.20.3 into the policy-based routing for redundancy?
  2) Any optimizations as more and more traffic (policy-based routed and otherwise) goes through interface Gi1/0/1?
  Address range A.B.0.0/16 represents assigned Internet-routable addresses.
  Network also uses 10.0.0.0/8, 172.16.0.0/20, 192.168.0.0/16.
  DEFAULT_GATEWAY router participates in OSPF and injects the default routes 0.0.0.0/0 10.10.10.1 and 0.0.0.0/0 10.20.20.1 into OSPF.
  PBR_DEFAULT_GATEWAY router participates in OSPF but filters out default routes injected by DEFAULT_GATEWAY router.
  ROUTER_A participates in OSPF and receives default routes injected by DEFAULT_GATEWAY router.
  ROUTER_A contains the attached policy-routing configuration that allows the subnet A.B.30.0/24 to route anywhere on the network and uses PBR_DEFAULT_GATEWAY as the way out.

  Ok I will see if I can run out to work and try this today..
  After thinking about this, If I need to get to local ip addresses (192.168.1.0 and 192.168.128.0), I might have to change my route map to include those ranges in an ACL, then assign the 172.20.200.1 as the gateway to get to those networks, with the last statement being the traffic to be sent out the firewall
  for instance
  # Access to one of my local networks
  access-list 101 permit ip 172.20.200.0 0.0.0.255 192.168.1.0 0.0.0.255
  # Send Internet traffic to ASA/PIX
  access-list 172 permit ip 172.20.200.0 0.0.0.255 any
  route-map pix-172-20-200 permit 10
  match ip address 101
  set ip next-hop 172.20.200.1
  route-map pix-172-20-200 permit 20
  match ip address 172
  set ip next-hop 172.20.200.2
  and so on?
  I know I need to be in front of my switch to test the change from set ip default next-hop to set ip next-hop...
  I wantto make sure I can still get to the local networks I need to get to.
  I appreciate all your help, and I will test this later on today..
  Thanks
  Don Hickey

• VPN overrides default route

  I noticed my VPN connections overrides the default route set by my WiFi connection. With an active VPN I can browse my office network but not the WWW.
  When I type in terminal …
  sudo route delete default
  sudo route add -net default 192.168.2.1
  sudo route add -net 192.168.178.0 192.168.178.201
  … I can access (via VPN) my office network and can still browse in the WWW.
  Is there any way I can prevent to override the default route when establishing a VPN connection (IPSec Cisco via Network > Add VPN)?
  Maybe I can create an AppleScript or something like that?
  192.168.2.1 = local network (home)
  192.168.178.1 = remote network (office)
  192.168.178.201 = remote virtual client IP

  Why would you even come here asking for help with a Friztbox anyway?  You should have contact the maker of the router or your network admins for info on how to enable split tunneling.
  I wasn't asking for help about my Fritzbox. I didn't know where to start and thought Apple's forums maybe a good starting point. You told me "Nothing you can do about it.". I found a solution I can do it without touching the Fritzbox config. I tought a forum is to help others not to tell them "there's no way" or go and ask the maker.
  Anyway, next time I will not consider to ask here. Sorry for bothering you.

• L3-MPLS VPN Convergence

  Perhaps someone on this group can identify the missing timers/processing-delays in end-to-end client route convergence
  Scenarios:
  a) BGP New route Advertised by Cleint(CPE1)
  b) BGP Route withdrawn by Client(CPE1)
  PE-to-RR i-M-BGP (Logical)
  ========= ----RR------ ======
  " | | "
  CPE1---->PE1------->P1-------->P2---->PE2----->CPE2
  | |
  --------->P3-------->P4-------
  Routing:
  - eBGP btw CPE and PE (any routing prot within Cust site),
  - OSPF, LDP in Core,
  Timers/Steps I'm aware of:
  - Advertisement of routes from CE to PE and placement into VRF
  - Propagation of routes across the MPLS VPN backbone
  - Import process of these routes into relevant VRFs
  - Advertisement of VRF routes to attached VPN sites
  - BGP advertisement-interval: Default = 5 seconds for iBGP, 30 for eBGP
  - BGP Import Process: Default = 15 seconds
  - BGP Scanner Process Default = 60 seconds
  Would appreciate if you someone can identify any missing process-delay, timers? specially w.r.t RR.
  Thanks
  SH

  Check the LDP/TDP timers in the core. Remember if a link fails in the core, reroute occurs, LDP/TDP binding needs to be renewed. tags are binded on those routes being in the routing table (IGP). So, there is a delay possible from a core prespective:
  mpls ldp holdtime
  mpls ldp discovery hello [holdtime | interval]
  In case you are using TE check these:
  mpls traffic-eng topology holddown
  mpls traffic-eng signalling forwarding sync
  mpls traffic-eng fast-reroute timers promotion
  I believe the latter one onyl applies to SDH. In which you use segment loss feature.
  Regards,
  Frank

• MPLS VPN L3 BGP to Customer CPE

  Hello,
  I am learning how to setup MPLS VPN L3. I am running OSPF in the MPLS Core and have configured MP-BGP between PE. I am running BGP between the PE and CPE in my lab, and I can see redistributed routes from the CPE in the vrf routing table for that customer on the PE router. My question is how to reditribute the vrf routes into my MPLS core to transmit the traffic to the customer other site on the same vpn. Below is what my config looks like.
  PE
  ip vrf customerA
  rd 100:101
  route-target export both 100:1000
  int fa0/0
  ip vrf forwarding customerA
  ip address x.x.x.x x.x.x.x
  router ospf 1
  loopback  in area0
  networks in area0
  router bgp 65000
  neighbor to other PE routers in AS 65000 (MPLS Network)
  address family vpn4
  neighbor other PE routers activate
  neighbor other PE routers send community
  ip address ipv4 vrf customerA
  neighbor to customerA in AS 55000
  CPE
  router ospf 1
  loopback in area 0
  networks in area 0
  router bgp 55000
  neighbor to PE router in AS 65000
  redistribute ospf 1

  Hi
  You dont have to redistribute your routes into mpls core. The vpnv4 bgp session that you have has already sent your ce routes to the remote pe router, provided you have the vrf configured on the other end.
  For more detaiked explanation please check a presentation available in the current running Ask The Expert event in the support community.

• Can you help? Two dialer interfaces with IP SLA for default route failover - issues

  I have an issue with a Cisco 2821, it has an ADSL2+ HWIC  whose ATM interfaces is linked to dialer 1 and a Gi0/1 interface with a pppoe client which is linked to dialer 2.  Both dialer interfaces are up with their respective IP addresses.  If the ADSL on dialer 1 fails i want the IP SLA to kick and and replace the default route for dialer 1 with one for dialer 2.
  This config works if you manually shut down the dialer 1 interface, it injects the default route for dialer 2 and then when you unshut the interface, the default route for dialer 1 comes back.  The problem i have is if you take out the cable for the ATM interface and take it down, it does not take the route out the routing table and the default route for dialer2,  which works if you just shut down dialer 1 does not appear.
  whats the difference between shutting down dialer1 and it fails over the default route and taking the cable out then it does not?
  Here is my config, i'm sure its something simple i'm doing wrong, can anyone help???
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Router
  boot-start-marker
  boot-end-marker
  logging message-counter syslog
  enable secret 5 $1$qOOJ$HV5AH6US/YZMuCGPYp3pP.
  no aaa new-model
  dot11 syslog
  ip source-route
  ip cef
  ip dhcp excluded-address 192.168.0.1
  ip dhcp pool pool1
     network 192.168.0.0 255.255.255.0
     default-router 192.168.0.1
     dns-server 188.92.232.50 188.92.232.100
  no ip domain lookup
  no ipv6 cef
  multilink bundle-name authenticated
  voice-card 0
   no dspfarm
  archive
   log config
    hidekeys
  track 1 ip sla 1 reachability
  interface GigabitEthernet0/0
   description Gi0/30 Local LAN
   ip address 192.168.0.1 255.255.255.0
   ip verify unicast reverse-path
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   ip nat inside
   ip virtual-reassembly
   no ip mroute-cache
   duplex auto
   speed auto
   snmp trap ip verify drop-rate
   no mop enabled
  interface GigabitEthernet0/1
   no ip address
   duplex auto
   speed auto
   pppoe enable group global
   pppoe-client dial-pool-number 2
  interface ATM0/2/0
   description ATM0_DSL
   no ip address
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   logging event atm pvc state
   logging event subif-link-status
   no atm ilmi-keepalive
   dsl operating-mode auto
   dsl enable-training-log
   pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
  interface Dialer1
   ip address negotiated
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip mtu 1492
   ip nat outside
   ip virtual-reassembly
   encapsulation ppp
   dialer pool 1
   keepalive 1 3
   no cdp enable
   ppp lcp predictive
   ppp authentication pap chap callin
   ppp chap hostname ********@ccsleeds.net
   ppp chap password 0 ********
   ppp pap sent-username *******@ccsleeds.net password 0 ********
  interface Dialer2
   ip address negotiated
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip mtu 1492
   encapsulation ppp
   dialer pool 2
   keepalive 1 3
   no cdp enable
   ppp lcp predictive
   ppp authentication pap chap callin
   ppp chap hostname **********@adsllogin.co.uk
   ppp chap password 0 *********
   ppp pap sent-username *********@adsllogin.co.uk password 0 ***********
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
  ip route 0.0.0.0 0.0.0.0 Dialer1
  ip route 0.0.0.0 0.0.0.0 Dialer2 10
  no ip http server
  no ip http secure-server
  ip nat inside source list 1 interface Dialer1 overload
  ip sla 1
  icmp-echo 8.8.8.8 source-interface di1
  timeout 1000
  threshold 100
  frequency 3
  ip sla schedule 1 life forever start-time now
  access-list 1 permit 192.168.0.0 0.0.0.255
  control-plane
  gatekeeper
   shutdown
  line con 0
  line aux 0
  line vty 0 4
   password test
   login
  scheduler allocate 20000 1000
  end

  Sure that EEM can shut/unshut interface...you have "event track" in EEM for monitoring track events...for example:
  event manager applet test
  event track 1 state down
  action 1.0 command "enable"
  action 1.1 command "conf t"
  action 1.2 command "interfac dialer 1"
  action 1.3 command "shut"
  action 1.4 syslog "Dialer 1 down!!!"
  action 1.5 end
  This would be an example from head :)
  You would need another EEM similar to this one for unshutting interface with "event track 1 state up" for bringing interface up again.
  Again as I said you would need to test this before putting in production and you would maybe need to tweak this a little bit acording to your needs...
  BR,
  Dragan

• Modify the preference value of the default route

  Hi
  How to achieve the Below ? any configuration example?
  1)How to modify the preference value of the default route to be less prefered than OSPF External route
  2)how to redistribute the default route as type 2 external route
  3)how to redistribute the default route as type 1 external route
  thanks

  Hi Ibrahim,
  See below:
  1) Can you elaborate on this a bit? Can you explain, specifically, what your trying to accomplish? I don't think you can get a default route into the OSPF RIB that is not external as the default is injected as a Type-5 LSA (e1 or e2). If your talking about getting a router to use the OSPF learned default over the default router learned via some other source (e.g. static, BGP, etc), then it depends on the source because of the Administrative Distance when comparing the two defaults ( the one default learned via OSPF has AD=110, and the other default is AD=X, where X is the Administrative Distance assigned to the protocol).
  2) Use the "default-information originate metric-type 2" command under "router ospf" -- Note this is the default
  3) Use the "default-information originate metric-type 1" command under "router ospf" -- Note, you don't need this in Totally Stubby Area.
  4) For NSSA area you have to use the "area nssa <area_num> default information-originate metric-type <type>" router subcommand. Note your NSSA should have a Type-7 LSA for the default route
  Rate if helpful.
  Joe

• Generating an OSPF default-route within Area0

  Guys,
  Are there any rules relating to generating a 0.0.0.0 0.0.0.0 within a backbone area.
  As then a BB router would become an ASBR?
  Also, is it possible to use a redist static to acheive the same result. On testing I cant seem to acheive that.
  Many thx indeed,
  Ken
  router ospf 10
  log-adjacency-changes
  network 10.0.0.0 0.255.255.255 area 0
  default-information originate
  ip classless
  ip route 0.0.0.0 0.0.0.0 10.192.67.2
  S2Rtr1#sh ip int brief
  Interface IP-Address OK? Method Status Protocol
  FastEthernet0/0 10.192.66.1 YES NVRAM up up
  Serial0/0 unassigned YES NVRAM administratively down down
  BRI0/0 unassigned YES NVRAM administratively down down
  BRI0/0:1 unassigned YES unset administratively down down
  BRI0/0:2 unassigned YES unset administratively down down
  FastEthernet0/1 10.192.67.1 YES NVRAM up up
  Serial0/1 unassigned YES NVRAM administratively down down
  Hssi1/0 10.192.1.2 YES NVRAM up up
  S2Rtr1#

  I can't think of a good reason why a core router couldn't be an ASBR and inject the default route in the ospf domain. I have seen many customer doing it.
  The only way to inject the default route in ospf is to use the "default-information originate" statement. The redistribute static won't do it.
  Hope this helps,