Overlapping addresses in MPLS VPN

I know that you can have overlapping addresses in a MPLS VPN and that route distiguisher is used for distiguishing them, by converting IPv4 to VPNv4.
My question is that if an IP range of a Branch A overlapps with IP range of branch B of the same VPN, How could a host in Branch A ping any host in Branch B, if they are in a same subnet? I mean, how could the router (CE) know to forward it to PE ? if the range is directly connected (to CE).
I will apreciate any help

Within a VPN the normal IP routing rules apply, eg. if you have 2 networks that overlap within a VPN you need to use NAT in one of the CE routers.
Hth,
Niels

Similar Messages

Central Site Internet Connectivity for MPLS VPN User

What are the solutions of Central site Internet connectivity for a MPLS VPN user, and what is the best practice?

Hello,
Since you mentioned that Internet Access should be through a central site, it is clear that all customer sites (except the central) will somehow have a default (static/dynamic) to reach the central site via the normal VPN path for unknown destinations. Any firewall that might be needed, would be placed at the central site (at least). So, the issue is how the central site accesses the Internet.
Various methods exist to provide Internet Access to an MPLS VPN. I am not sure if any one of them is considered the best. Each method has its pros and cons, and since you have to balance various factors, those factors might conflict at some point. It is hard to get simplicity, optimal routing, maximum degree of security (no matter how you define "security"), reduced memory demands and cover any other special requirements (such as possibility for overlapping between customer addresses) from a single solution. Probably the most secure VPN is the one which is not open to the Internet. If you open it to the Internet, some holes also open inevitably.
One method is to create a separate Internet_Access VPN and have other VPNs create an extranet with that Internet_Access VPN. This method is said to be very secure (at least in terms of backbone exposure). However, if full routing is a requirement, the increased memory demands of this solution might lead you to prefer to keep the internet routing table in the Global Routing Table (GRT). You might have full routing in the GRT of PEs and Ps or in PEs only (second is probably better).
Some names for solutions that exist are: static default routing, dynamic default routing, separate BGP session between PE and CE (via separate interface, subinterface or tunnel), extranet with internet VRF (mentioned earlier), extranet with internet VRF + VRF-aware NAT.
The choice will depend on the requirements of your environment. I cannot possibly describe all methods here and I do not know of a public document that does. If you need an analysis of MPLS VPN security, you may want to take a look at Michael Behringer's great book with M.Morrow "MPLS VPN Security". Another book that describes solutions is "MPLS and VPN Architectures" by Ivan Pepelnjak. There is a Networkers session on MPLS VPNs that lists solutions. There is also a relevant document in CCO:
http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml (covering static default routing option).
Kind Regards,
M.

Performance end to end testing and comparison between MPLS VPN and VPLS VPN

Hi,
I am student of MSc Network Security and as for my project which is " Comparison between MPLS L3 VPN and VPLS VPN, performance monitoring by end to end testing " I have heard a lot of buzz about VPLS as becoming NGN, I wanted to exppore that and produce a comparison report of which technology is better. To accomplish this I am using GNS3, with respect to the MPLS L3 VPN lab setup that is not a problem but I am stuck at the VPLS part how to setup that ? I have searched but unable to find any cost effective mean, even it is not possible in the university lab as we dont have 7600 series
I would appreciate any support, guidence, advice.
Thanks
Shahbaz

Hi Shahbaz,
I am not completely sure I understand your request.
MPLS VPN and VPLS are 2 technologies meant to address to different needs, L3 VPN as opposed as L2 VPN. Not completely sure how you would compare them in terms of performance. Would you compare the performance of a F1 racing car with a Rally racing car?
From the ISP point of view there is little difference (if we don't want to consider the specific inherent peculiarities of each technology) , as in the very basic scenarios we can boil down to the following basic operations for both:
Ingress PE impose 2 labels (at least)
Core Ps swap top most MPLS label
Egress PE removes last label exposing underlying packet or frame.
So whether the LSRs deal with underlying L2 frames or L3 IP packets there is no real difference in terms of performance (actually the P routers don't even notice any difference).
About simulators, I am not aware of anyone able to simulate a L2 VPN (AtoM or VPLS).
Riccardo

Centralize internet access in MPLS VPN

Can i implement Centralize internet access (the Hub CE Router to performs NAT) in cisco MPLS VPN solution?
If so, is there any example about that? i can't find it at CCO~
Thanks a lot~

If you run dynamic routing protocol in PE-CE,like rip2,ospf,bgp,do the following task.
1:set a default route in HUB CE;and generate the default route under its dynamic protocol.
2:in other CEs, make sure they can learn this route.
If you run static route and vrf static route between CE and PE,do the following task.
1.set default route in HUB CE, and set default route in other CEs.
2.In all PEs,redistribute the connected and static rotues to address-family ipv4 of customer vrf.
3.set the customer vrf default route in all PE which connected your all CEs.
Note: make sure all PEs can reach the GW address of vrf deafult route. GW IP address is the interface of which HUB CE towards PE.
command: "ip route vrf 0.0.0.0 0.0.0.0 global.
TRY

GRE with VRF on MPLS/VPN

Hi.
Backbone network is running MPLS/VPN.
I have one VRF (VRF-A) for client VPN network.
One requirement is to configure another VRF (VRF-B) for this client for a separate public VRF connection.
Sub-interfacing not allowed on CE-to-PE due to access provider limitation.
So GRE is our option.
CE config:
Note: CE is running on global. VRF-A is configured at PE.
But will add VRF-B here for the requirement.
interface Tunnel0
ip vrf forwarding VRF-B
ip address 10.12.25.22 255.255.255.252
tunnel source GigabitEthernet0/1
tunnel destination 10.12.0.133
PE1 config:
interface Tunnel0
ip vrf forwarding VRF-B
ip address 10.12.25.21 255.255.255.252
tunnel source Loopback133
tunnel destination 10.12.26.54
tunnel vrf VRF-A
Tunnel works and can ping point-to-point IP address.
CE LAN IP for VRF-B is configured as static route at PE1
PE1:
ip route vrf VRF-B 192.168.96.0 255.255.255.0 Tunnel0 10.12.25.22
But from PE2 which is directly connected to PE1 (MPLS/LDP running), connectivity doesnt works.
From PE2:
- I can ping tunnel0 interface of PE1
- I cant ping tunnel0 interface of CE
Routing is all good and present in the routing table.
From CE:
- I can ping any VRF-B loopback interface of PE1
- But not VRF-B loopback interfaces PE2 (even if routing is all good)
PE1/PE2 are 7600 SRC3/SRD6.
Any problem with 7600 on this?
Need comments/suggestions.

Hi Allan,
what is running between PE1 and PE2 ( what I mean is any routing protocol).
If No, then PE2 has no ways of knowing GRE tunnel IP prefixes and hence I suppose those will not be in its CEF table...
If Yes, then check are those Prefixes available in LDP table...
Regards,
Smitesh

Redundant access from MPLS VPN to global routing table

Several our customers have MPLS VPNs deployed over our infrastructure. Part of them requires access to Internet (global routing table in our case).
As I'm not aware of any methods how to dynamicaly import/export routes between VRF/Global routing tables, at the moment there are static routes configured - one inside VRF pointing to global next hop, another one in global routing table, pointing to interface inside VRF.
Task is to configure redundant access to Internet. By redundancy I mean using several exit points (primary and backup), what physically represents separate boxes.
Here comes tricky part - both global static routes (on both boxes, meaning) are valid and reachable in all cases - no matter if specific prefix is reachable in VRF or not. What I'd like to achieve is that specific static route becomes valid only if specific prefix is reachable inside VRF. Yea, sounds like dynamic routing :), I know
OK, hope U got the idea. Any solutions/recommendations ? Running all Internet routing inside VRF isn't an option, at least for now :(

Hi Andris,
I did not mean to have a VRF on the CE. The CE would have both PVCs in the global routing table - his ONLY routing table in fact. One PVC would be used to announce routes into the customer specific VPN (VRF configured on the PE). The other PVC would allow for internet access through the PE (global IP routing table on the PE).
dot1q will be ok as well.
This way the CE can be a normal BGP peer to the PE, i.e. there is no MPLS VPN involved here. This allows all options of customer-ISP connectivity.
Example:
PE config:
interface Serial0/0
encapsulation frame-relay
interface Serial0/0.1 point-to-point
description customer VPN access
ip vrf customer
ip address 10.1.1.1 255.255.255.252
interface Serial0/0.2 point-to-point
description customer Internet access
ip address 192.168.1.1 255.255.255.252
router rip
address-family ipv4 vrf customer
version 2
network 10.0.0.0
no auto-summary
redistribute bgp 65000 metric 5
router bgp 65000
neighbor 192.168.1.2 remote-as 65001
address-family ipv4 vrf customer
redistribute rip
CE config:
interface Serial0/0
encapsulation frame-relay
interface Serial0.1 point-to-point
description VPN access
ip address 10.1.1.2 255.255.255.252
interface Serial0.2 point-to-point
description Internet access
ip address 192.168.1.2 255.255.255.252
router bgp 65001
neighbor 192.168.1.1 remote-as 65000
router rip
version 2
network 10.0.0.0
no auto-summary
Of course you can replace RIP with whatever is suitable for you. And don´t sue me when you do not apply required BGP filters for internet access... ;-)
The other option ("mini internet") would be feasible as well. Just make sure your BGP filters are NEVER messed up and additionally apply a limit on the numbers of prefixes in your VRF mini-internet.
Regards
Martin

MPLS/VPN network load balancing in the core

Hi,
I've an issue about cef based load-balancing in the MPLS core in MPLS/VPN environment. If you consider flow-based load balancing, the path (out interface) will be chosen based on source-destination IP address. What about in MPLS/VPN environment? The hash will be based on PE router src-dst loopback addresses, or vrf packet src-dst in P and PE router? The topology would be:
CE---PE===P===PE---CE
I'm interested in load balancing efficiency if I duplicate the link between P and PE routers.
Thank you for your help!
Gabor

Hi,
On the PE router you could set different types and 2 levels of load-balancing.
For instance, in case of a DUAL-homed site, subnet A prefix for VPN A could be advertised in the VPN by PE1 or PE2.
PE1 receives this prefix via eBGP session from CE1 and keep this route as best due to external state.
PE2 receives this prefix via eBGP session from CE2 and keep this route as best due to external state.
                             eBGP
                     PE1 ---------CE1
PE3----------P1                          Subnet A
                     PE2----------CE2 /
                            eBGP
Therefore from PE3 point of view, 2 routes are available assuming that IGP metric for PE3/PE1 is equal to PE3/PE2.
The a 1rst level of load-sharing can be achieve thanks to the maximum-paths ibgp number command.
2 MP-BGP routes are received on PE3:
PE3->PE1->CE1->subnet A
PE3->PE2->CE2->subnet A
To use both routes you must set the number at 2 at least : maximum-paths ibgp 2
But gess what, in the real world an MPLS backbone hardly garantee an equal IGP cost between 2 Egress PE for a given prefix.
So it is often necessary to ignore the IGP metric by adding the "unequal-cost" keyword: maximum-paths unequal-cost ibgp 2
By default the load-balancing is called "per-session": source and destination addresses are considered to choose the path and the outgoing interface avoiding reordering the packets on the target site. Overwise it is possible to use "per-packet" load-balancing.
Then a 2nd load-sharing level can occur.
For instance:
         __P1__PE1__CE1
PE3           \/                   Subnet A
        \ __P2__PE2__CE2
There is still 2 MP-BGP paths :
PE3->P1->PE1->CE1->subnet A
PE3->P1->PE2->CE2->subnet A
But this time for 2 MP-BGP paths 4 IGP path are available:
PE3->P1->PE1->CE1->subnet A
PE3->P1->PE2->CE2->subnet A
PE3->P2->PE1->CE1->subnet A
PE3->P2->PE2->CE2->subnet A
For a load-balancing to be active between those 4 paths, they must exist in the routing table thanks to the "maximum-path 4 "command in the IGP (ex OSPF) process.
Therefore if those 4 paths are equal-cost IGP paths then a 2nd level load-balancing is achieved. the default behabior is the same source destination mechanism to selected the "per-session" path as mentionned before.
On an LSP each LSR could use this feature.
BR

MPLS VPN L3 BGP to Customer CPE

Hello,
I am learning how to setup MPLS VPN L3. I am running OSPF in the MPLS Core and have configured MP-BGP between PE. I am running BGP between the PE and CPE in my lab, and I can see redistributed routes from the CPE in the vrf routing table for that customer on the PE router. My question is how to reditribute the vrf routes into my MPLS core to transmit the traffic to the customer other site on the same vpn. Below is what my config looks like.
PE
ip vrf customerA
rd 100:101
route-target export both 100:1000
int fa0/0
ip vrf forwarding customerA
ip address x.x.x.x x.x.x.x
router ospf 1
loopback in area0
networks in area0
router bgp 65000
neighbor to other PE routers in AS 65000 (MPLS Network)
address family vpn4
neighbor other PE routers activate
neighbor other PE routers send community
ip address ipv4 vrf customerA
neighbor to customerA in AS 55000
CPE
router ospf 1
loopback in area 0
networks in area 0
router bgp 55000
neighbor to PE router in AS 65000
redistribute ospf 1

Hi
You dont have to redistribute your routes into mpls core. The vpnv4 bgp session that you have has already sent your ce routes to the remote pe router, provided you have the vrf configured on the other end.
For more detaiked explanation please check a presentation available in the current running Ask The Expert event in the support community.

Configuring MPLS VPN using static routing

Hi,
I am managed to set up a BGP/MPLS VPN in a laboratory using CS3620 routers running IOS 12.2(3) with ISIS. I am thinking of using static routes among the PE and P routers instead of a IGP. Does anyone know if Cisco routers supports static configuration of LSP? I have tried but could not get it work.

You can very well run MPLS with static routing in the core, as in Cisco we have to meet 2 criterias to have a MPLS forwarding Table.
1) Creating the LIB
This thing lies in having LDP neighborship netween two peers and you have Label bindings.
This is irrespective of what is the best next hop to reach the advertising peers LDP_ID.
2) Creating the LFIB
Now after considering all the Label bindings, the LDP_ID which can be reached out an interface
as a next hop, those Label bindings get installed in the LFIB.
So considering the above two points, we have to be careful in static routes
only for interfaces like Ethernet (Multiaccess Segments).
As in CEF when you give a static route pointing to an Ethernet Interface, CEF creates a
GLean Adjacency (Meaning there could be multiple hosts as the next hop on this segement, and it will glean for the right next-hop)
Now you may observe that when you give a static route only pointing to an Ethernet interface,
you LDP adjacency may come up and you may exchange the bindings with each other. But the Label Forarding Table is not created. This is bcos of this being a Multiaccess interface. And you have
Glean For it. If its a Normal WAN interface like Serial or POS, then there is no problem of
GLean and you would have a Valid Cached Adjacency.
So to avoid probelems with Ethernet interfaces you can simply specify the next-hop-ip address.
For Eg: ip route 10.10.31.250 255.255.255.255 10.10.31.226 (Without the Interface)
ip route 10.10.31.250 255.255.255.255 fa0/0 10.10.31.226 (Or with the Interface)
Only Difference in both is in the first one it has to do a recursive lookup for the outgoing interface. Otherwise both work well. And you can have static routes in your network
running MPLS.
And doing this CEF would would work as it should and you would have a Valid Cached Adjacency.
So this is applicable for Cisco devices which use CEF, including 6500 with SUP720.
HTH-Cheers,
Swaroop

MPLS VPNs - Latency

Hello All,
I have a MPLS VPN setup for one of my sites. We have a 10M pipe (Ethernet handoff) from the MPLS SP, and it is divided into 3 VRFs.
6M - Corp traffic
2M - VRF1
2M - VRF2
The users are facing lot of slowness while trying to access application on VRF1. I can see the utilization on the VRF1 is almost 60% of it's total capacity (2M). Yesterday when trying to ping across to the VRF1 Peer in the MPLS cloud, I was getting a Max response time of 930ms.
xxxxx#sh int FastEthernet0/3/0.1221
FastEthernet0/3/0.1221 is up, line protocol is up
Hardware is FastEthernet, address is 503d.e531.f9ed (bia 503d.e531.f9ed)
Description: xxxxx
Internet address is x.x.x.x/30
MTU 1500 bytes, BW 2000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 71/255, rxload 151/255
Encapsulation 802.1Q Virtual LAN, Vlan ID 1221.
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters never
I also see a lot of Output drops on the physical interface Fa0/3/0. Before going to the service provider, can you please tell me if this can be an issue with the way QoS is configured on these VRFs?
xxxxxxx#sh int FastEthernet0/3/0 | inc drops
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 3665
Appreciate your help.
Thanks
Mikey

Hi Kishore,
Thanks for the clarification. Let me speak to the service provider and see if we can sort out the Output drops issue.
I had a few more queries.
1) Will output drops also contribute to the latency here?
2) The show int fa0/3/0.1221 output below only shows the load on the physical interface (fa0/3/0) and not of that particuar interface.Right?
xxxxxx#sh int fa0/3/0.1221 | inc load
     reliability 255/255, txload 49/255, rxload 94/255
xxxxx#sh int fa0/3/0 | inc load
     reliability 255/255, txload 49/255, rxload 94/255
I can try and enable IP accounting on that sub-interface (VRF) and see the load. Thoughts?
3) As you said, if the 2M gets maxed out I would see latency as the shaper is getting fully utilized. But I don't see that on the interface load as mentioned above? I have pasted the ping response during the time load output was taken. I can;t read much into the policy map output, but does it talk anything about 2M being fully utilized and hence packets getting dropped.
xxxxxxx#ping vrf ABC x.x.x.x re 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to x.x.x.x, timeout is 2 seconds:
Success rate is 99 percent (997/1000), round-trip min/avg/max = 12/216/1972 ms
xxxx#sh policy-map interface fa0/3/0.1221
FastEthernet0/3/0.1221
Service-policy output: ABC
    Class-map: class-default (match-any)
      114998 packets, 36909265 bytes
      5 minute offered rate 11000 bps, drop rate 0 bps
      Match: any
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval Increment
             Rate           Limit bits/int bits/int (ms)      (bytes)
          2000000/2000000   12500 50000     50000     25        6250
        Adapt Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      0         114998    36909265 1667      2329112   no
Thanks
Mikey

MPLS VPN support for VPNv6

All,
which routers and IOS has MPLS VPN support for VPNv6?
regards
Devang Patel

Hello Devang,
in the feature navigator look for the 6VPE feature for example a C7609 with sup720 3BXL and IOS 12.2(33)SxHa2 has the vpnv6 address-family.
see for example
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-ov_mpls_6vpe.html
you still need an MPLS/Ipv4 core or an ipv4 core if using GRE tunnels:
Table 1 Feature Information for Implementing IPv6 VPN over MPLS
Feature Name Releases Feature Information
IPv6 VPN over MPLS (6VPE)
12.2(28)SB
12.2(33)SRB
12.4(20)T
The IPv6 VPN (6VPE) over a MPLS IPv4 core infrastructure feature allows ISPs to offer IPv6 VPN services to their customers.
This entire document provides information about this feature.
MPLS VPN 6VPE support over IP tunnels
12.2(33)
SRB1
This feature allows the use of IPv4 GRE tunnels to provide IPv6 VPN over MPLS functionality to reach the BGP next hop.
This following sections provide information about this feature:
â¢6VPE Over GRE Tunnels
Hope to help
Giuseppe

Unable proxy ping using CISCO-PING-MIB in MPLS VPN ?

using CISCO-PING-MIB in MPLS VPN ?
In CISCO-PING-MIB.my document, wu can use the CISCO-PING-MIB to
Proxy ping the hosts in the MPLS VPN (vrf).
But when i do it, router will return the message:
errstat =12; errindex = 1(ciscoPingProtocol).
If Router isn't configed vrf, can proxy ping.
If set the error vrf name in snmp packet,
errstat=10; errindex=8(vrfname)
Do Cisco Support Proxy ping with vrf???

sorry, i don't use unix station, i program to send snmp messages.
parameters:
ciscoPingProtocol = 1(IP);
ciscoPingAddress =x.x.x.x;
ciscoPingPacketCount=
ciscoPingPacketSize=
ciscoPingPacketTimeout=
ciscoPingDelay=
ciscoPingEntryStatus=4;
ciscoPingVrfName="vpn1";
The parameters is right, because when i don't use ciscoPingVrfName, i can
ping the address.
But i set the ciscoPingVrfName="vpn1", the error is received.
thanks.

Multihoming Primary/Backup PE MPLS VPN

Hi there,
I kind of stuck of implementing and configuring Primary/Backup scenario for MPLS VPN enviroment.
Currently, only singe CE router connected to 2 PE router, Primary PE and Backup PE in the same POP.
PE-CE IGP is running OSPF. On CE router prespective, how do I achieve primary/backup scenario and on other remote PE, how does MPLS VPN cloud noticed that there is Primary and Backup PE towords this CE router?
Any configuration or sample out there? Appreciate for the help.
regards,
maher

Hello Maher,
I would try to set the interface metric to a higher value for the backup PE. With OSPF->BGP redistribution you should then get a higher MED in BGP making the path less preferable. Example:
interface Serial0/0
description to primary PE
ip ospf cost 100
interface Serial0/1
description to backup PE
ip ospf cost 1000
Alternatively you could modify the MED while redistributiing into BGP:
router bgp 65000
address-family ipv4 vrf VRFname
redistribute ospf 123 vrf VRFname match internal external route-map OSPF2BGP
route-map OSPF2BGP permit 10
set metric 10000
Hope this helps! Please rate all posts.
Regards, Martin

MPLS Tags not appearing on one side of new MPLS VPN

I have an already existing 6509 that is going to provide the entire MPLS routing table via route reflector to a new 6509. Here are the relevant configs:
EXISTING 6509 (Router A)
interface Loopback0
ip address 10.255.2.2 255.255.255.255
end
router bgp 23532
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.255.2.3 remote-as 23532
neighbor 10.255.2.3 update-source Loopback0
address-family ipv4 mdt
neighbor 10.255.2.3 activate
neighbor 10.255.2.3 send-community extended
neighbor 10.255.2.3 route-reflector-client
neighbor 10.255.2.3 soft-reconfiguration inbound
exit-address-family
address-family vpnv4
neighbor 10.255.2.3 activate
neighbor 10.255.2.3 send-community extended
neighbor 10.255.2.3 route-reflector-client
neighbor 10.255.2.3 next-hop-self
bgp redistribute-internal
exit-address-family
address-family ipv4 vrf CustomerA
redistribute connected
redistribute static
no synchronization
bgp redistribute-internal
exit-address-family
DAL-COLO-6509-1#show mpls ldp neighbor 10.255.2.3
Peer LDP Ident: 10.255.2.3:0; Local LDP Ident 10.255.2.2:0
TCP connection: 10.255.2.3.16271 - 10.255.2.2.646
State: Oper; Msgs sent/rcvd: 647/646; Downstream
Up time: 06:07:30
LDP discovery sources:
Vlan65, Src IP addr: X.X.X.69
Addresses bound to peer LDP Ident:
10.255.2.3 X.X.X.69 X.X.X.254 10.10.1.31
DAL-COLO-6509-1#show mpls forwarding-table 10.255.2.3 detail
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
257 Pop Label 10.255.2.3/32 22272 Vl65 X.X.X.69
MAC/Encaps=14/14, MRU=1584, Label Stack{}
001CB14458000009B6A4B8008847
No output feature configured
DAL-COLO-6509-1#show mpls ldp bindings 10.255.2.3 32
lib entry: 10.255.2.3/32, rev 4933
local binding: label: 257
remote binding: lsr: 10.255.2.1:0, label: 131
remote binding: lsr: 10.255.2.3:0, label: imp-null
DAL-COLO-6509-1#traceroute 10.255.2.3
Type escape sequence to abort.
Tracing the route to 10.255.2.3
1 69-69.netblk-66-60-69.yada.net (X.X.X.69) 0 msec * 0 msec
DAL-COLO-6509-1#
New 6509 (Router B)
router bgp 23532
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.255.2.2 remote-as 23532
neighbor 10.255.2.2 update-source Loopback0
address-family ipv4 mdt
neighbor 10.255.2.2 activate
neighbor 10.255.2.2 send-community both
neighbor 10.255.2.2 soft-reconfiguration inbound
exit-address-family
address-family vpnv4
neighbor 10.255.2.2 activate
neighbor 10.255.2.2 send-community both
neighbor 10.255.2.2 next-hop-self
bgp redistribute-internal
exit-address-family
address-family ipv4 vrf CustomerA
redistribute connected
redistribute static
no synchronization
bgp redistribute-internal
exit-address-family
Br26-COLO-6509-1#show mpls ldp neighbor 10.255.2.2
Peer LDP Ident: 10.255.2.2:0; Local LDP Ident 10.255.2.3:0
TCP connection: 10.255.2.2.646 - 10.255.2.3.16271
State: Oper; Msgs sent/rcvd: 657/657; Downstream
Up time: 06:16:40
LDP discovery sources:
Vlan65, Src IP addr: X.X.X.70
Addresses bound to peer LDP Ident:
10.255.2.2 X.X.X.10 X.X.X.14 X.X.X.5
66.60.70.18 66.60.75.252 66.60.72.65 66.60.75.81
10.10.1.40 66.60.70.17 X.X.X.17 66.60.73.161
X.X.X.70
Br26-COLO-6509-1#show mpls forwarding-table 10.255.2.2 detail
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
40 Pop Label 10.255.2.2/32 0 Vl65 X.X.X.70
MAC/Encaps=14/14, MRU=1584, Label Stack{}
0009B6A4B800001CB14458008847
No output feature configured
Br26-COLO-6509-1#show mpls ldp bindings 10.255.2.2 32
lib entry: 10.255.2.2/32, rev 40
local binding: label: 40
remote binding: lsr: 10.10.1.30:0, label: 29
remote binding: lsr: 10.255.2.2:0, label: imp-null
Br26-COLO-6509-1#traceroute 10.255.2.2
Type escape sequence to abort.
Tracing the route to 10.255.2.2
1 70-69.netblk-66-60-69.yada.net (X.X.X.70) 0 msec * 0 msec
Br26-COLO-6509-1#
Im seeing label switching coming from the old switch (which has several MPLS VPN connections already). Im not seeing anything from the new switch. OSPF is the routing protocol between the interfaces, and shows to be working fine. LDP neighbor relationship seems to be good- just tagging isn’t occurring going back toward the old switch. Any suggestions?
Thanks
Greg

Yes- that is the problem we are trying to fix.
Br26-COLO-6509-1#sh ver
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXI13, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Tue 11-Mar-14 04:53 by prod_rel_team
ROM: System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)
Br26-COLO-6509-1 uptime is 1 day, 49 minutes
Uptime for this control processor is 1 day, 49 minutes
Time since Br26-COLO-6509-1 switched to active is 1 day, 48 minutes
System returned to ROM by reload at 09:20:45 CDT Wed May 7 2014 (SP by reload)
System restarted at 09:24:29 CDT Wed May 7 2014
System image file is "disk0:s72033-adventerprisek9_wan-mz.122-33.SXI13.bin"
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco WS-C6509-E (R7000) processor (revision 1.3) with 458720K/65536K bytes of memory.
Processor board ID SMG1125N74N
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from s/w reset
5 Virtual Ethernet interfaces
154 Gigabit Ethernet interfaces
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
Yes- we do have a Sup7303B in this switch.

MPLS VPN / BGP Netflow Issue

I have followed all of the configuration steps given for egress accounting with netflow on a MPLS VPN link. However, it is only showing flows coming into the router. I need to be able to account both ways- any recommendations? Config below:
interface Multilink12
mtu 1580
ip address XX.XX.XX.XX 255.255.255.252
no ip redirects
no ip unreachables
ip pim sparse-mode
ip route-cache flow
mpls netflow egress
mpls label protocol ldp
mpls ip
ppp multilink
ppp multilink group 12
ip flow-export source FastEthernet0/0/0.10
ip flow-export version 5
ip flow-export destination XX.XX.XX.XX 9996
IP packet size distribution (10730093 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .098 .645 .011 .016 .012 .009 .010 .000 .001 .000 .001 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .002 .185 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 4456704 bytes
4 active, 65532 inactive, 464700 added
6109192 ager polls, 0 flow alloc failures
Active flows timeout in 1 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 336520 bytes
0 active, 16384 inactive, 20706 added, 20706 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 7 0.0 20 233 0.0 7.0 11.3
TCP-FTP 3 0.0 1 40 0.0 0.4 1.6
TCP-WWW 5757 0.0 6 389 0.0 1.1 3.0
TCP-SMTP 7 0.0 1 40 0.0 0.7 1.6
TCP-X 244 0.0 1 54 0.0 0.0 1.5
TCP-other 304762 0.2 7 346 1.6 2.2 4.8
UDP-DNS 346 0.0 1 127 0.0 0.0 15.4
UDP-NTP 3323 0.0 1 80 0.0 0.0 15.4
UDP-other 131041 0.0 62 341 5.4 17.6 13.2
ICMP 64291 0.0 1 79 0.0 0.0 15.4
Total: 509781 0.3 21 341 7.1 5.9 8.3
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Mu12 10.50.66.218 Null 10.105.0.1 11 0675 00A1 84
Mu12 10.50.66.218 Null 10.105.19.10 11 0675 00A1 2
Mu12 10.50.66.218 Null 10.105.19.3 11 0675 00A1 4
Mu12 10.50.66.42 Null 10.105.19.10 06 0B3C 01BD 12

Update on this- Im now receiving all traffic incoming into the interface, but am tracking only about 10% of the outgoing traffic- revised config below:
ip flow-cache timeout active 1
ip flow-cache mpls label-positions 1 2 3
ipv6 flow-cache mpls label-positions 1 2 3
interface Multilink12
mtu 1580
ip address XX.XX.XX.XX 255.255.255.252
no ip redirects
no ip unreachables
ip flow ingress
ip flow egress
ip pim sparse-mode
ip route-cache flow
mpls netflow egress
mpls label protocol ldp
mpls ip
ppp multilink
ppp multilink group 12
service-policy output cbwfq-voice20per
ip flow-export source FastEthernet0/0/0.10
ip flow-export version 9 origin-as
ip flow-export destination XX.XX.XX.XX 9996

Overlapping addresses in MPLS VPN

Similar Messages

Maybe you are looking for