[A5500] Redundancy of static route over BGP

SOLVED

Bonjour from France,

I have 2 IRF-stack with a layer-2 connection between them.
The second stack is on a backup site for the PCR.

IP address :
- first stack (Main site) : 10.0.0.252/24 ;
- second stack (Backup site) : 10.0.0.253/24.

I created 2 VRFs on each IRF stack :
- vpn_main (vlan 100) ;
- vpn_customerA (vlan 1002).

There is a VLAN interface for vpn_customerA VRF on each stack :
- first stack : 10.0.5.9/29 ;
- second stack : 10.0.5.10/29.

I have 2 CPE in the vpn_main VRF :
- CPE1 : 10.0.0.204/24 ;
- CPE2 : 10.0.0.203/24.

CPE2 is the backup nexthop of CPE1.
CPE1 and CPE2 route between 10.0.0.0/24 and 10.3.0.0/16.

Each VRF is linked with the other (vpn-target 100:1 1002:1 both).
I configure BGP in 2 vpn4 family to import the static route.
In the vpn_customerA from main site I put a static route : ip route-static vpn-instance vpn_customerA 10.3.224.0 255.255.240.0 vpn-instance vpn_main 10.0.0.204
In the vpn_customerA from second site I put another static route : ip route-static vpn-instance vpn_customerA 10.3.224.0 255.255.240.0 vpn-instance vpn_main 10.0.0.203

Finally, I have a router (10.0.5.11/29) with 2 BGP sessions :
- First with 10.0.5.9 ;
- Second with 10.0.5.10.

This router gets 10.3.224.0/20 from vpn_customerA (Main site),
but when I cut the link between this router and 10.0.5.9, I expect that a new BGP route from 10.0.5.10 will be received, but it is not.
I wonder why it is always the static route over BGP...

Some help is welcome ! :)

Best regards,

Jacques

9 REPLIES

Re: [A5500] Redundancy of static route over BGP

In fact, the problem is not the router 10.0.5.11 but the switch on main site.
When I shut down the interface where 10.0.0.204 is connected and type display ip routing-table vpn-instance vpn_customerA, I get :

Routing Tables: vpn_customerA
        Destinations : 7        Routes : 7

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

0.0.0.0/0           Static 60   0            10.0.5.11       Vlan1002
10.0.0.0/24         BGP    130  10           10.0.0.252      Vlan100
10.0.5.8/29         Direct 0    0            10.0.5.9        Vlan1002
10.0.5.9/32         Direct 0    0            127.0.0.1       InLoop0
10.3.224.0/20       Static 60   0            10.0.0.204      Vlan100
127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0

When I type display ip routing-table vpn-instance vpn_customerA protocol bgp, I get :

vpn_customerA Routing Table : BGP
Summary Count : 2

BGP Routing Table Status : <Active>
Summary Count : 1

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

10.0.0.0/24         BGP    130  10           10.0.0.252      Vlan100

BGP Routing table Status : <Inactive>
Summary Count : 1

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

10.3.224.0/20       BGP    255  0            10.0.5.10       Vlan1002

 

So, I understand that the route doesn't switch on the other site :(

16again
Respected Contributor

Re: [A5500] Redundancy of static route over BGP

Posting configs & drawing might help.
You're using a static route to 10.0.0.204.
This route will not disappear after shutting down the ethernet interface where 10.0.0.204 is connected!
Only when VLAN100 interface goes down, this static route will disappear..

Re: [A5500] Redundancy of static route over BGP

Bonsoir 16again and thank you,

So, do you think that I can find a solution to my problem while keeping the constraint to subnet 10.3.0.0/16 with /20 (or another mask) ? I can't modify the CPE's BGP configuration (these routers don't belong to me) and I need to allocate subnetwork in every future VRF without keeping the initial mask /16.

Please find a drawing attached and the configurations below :

----- BEGINNING SW-MAIN-----
#
 version 5.20.99, Release 5501P19
#
 sysname sw-main
#
 router id 10.0.0.252
#
ip vpn-instance vpn_CustomerA
 route-distinguisher 1002:1
 vpn-target 1002:1 100:1 export-extcommunity
 vpn-target 1002:1 100:1 import-extcommunity
#
ip vpn-instance vpn_main
 route-distinguisher 100:1
 vpn-target 100:1 1002:1 export-extcommunity
 vpn-target 100:1 1002:1 import-extcommunity
#
vlan 1
#
vlan 100
#
vlan 1002
#
interface Vlan-interface100
 ip binding vpn-instance vpn_main
 ip address 10.0.0.252 255.255.255.0
 ospf dr-priority 255
 vrrp vrid 100 virtual-ip 10.0.0.252
 vrrp vrid 100 priority 254
#
interface Vlan-interface1002
 ip binding vpn-instance vpn_CustomerA
 ip address 10.0.5.9 255.255.255.248
 ospf dr-priority 255
 vrrp vrid 100 virtual-ip 10.0.5.9
 vrrp vrid 100 priority 254
#
bgp 65001
 default med 10
 undo synchronization
 #
 ipv4-family vpn-instance vpn_CustomerA
  peer 10.0.5.10 as-number 65001
  peer 10.0.5.11 as-number 65001
  network 10.3.224.0 255.255.240.0
  import-route direct
  peer 10.0.5.10 connect-interface Vlan-interface1002
  peer 10.0.5.11 connect-interface Vlan-interface1002
 #
 ipv4-family vpn-instance vpn_main
  peer 10.0.0.204 as-number 65289
  peer 10.0.0.253 as-number 65001
  peer 10.0.0.254 as-number 65001
  default med 10
  import-route direct
  peer 10.0.0.204 connect-interface Vlan-interface100
  peer 10.0.0.204 preferred-value 100
  peer 10.0.0.253 connect-interface Vlan-interface100
  peer 10.0.0.254 connect-interface Vlan-interface100
#
ospf 1 router-id 10.0.0.252 vpn-instance vpn_main
 peer 10.0.0.253
 peer 10.0.0.254
 area 0.0.0.0
  network 10.0.0.0 0.0.0.255
#
ospf 1002 router-id 10.0.5.9 vpn-instance vpn_CustomerA
 peer 10.0.5.10
 peer 10.0.5.11
 area 0.0.0.0
  network 10.0.5.8 0.0.0.7
#
 ip route-static vpn-instance vpn_CustomerA 0.0.0.0 0.0.0.0 Vlan-interface1002 10.0.5.11
 ip route-static vpn-instance vpn_CustomerA 10.3.224.0 255.255.240.0 vpn-instance vpn_main 10.0.0.204
 ip route-static vpn-instance vpn_main 0.0.0.0 0.0.0.0 Vlan-interface100 10.0.0.254
----- END SW-MAIN -----


----- BEGINNING SW-BACKUP-----
#
 version 5.20.99, Release 5501P19
#
 sysname sw-backup
#
 router id 10.0.0.253
#
ip vpn-instance vpn_CustomerA
 route-distinguisher 1002:1
 vpn-target 1002:1 100:1 export-extcommunity
 vpn-target 1002:1 100:1 import-extcommunity
#
ip vpn-instance vpn_main
 route-distinguisher 100:1
 vpn-target 100:1 1002:1 export-extcommunity
 vpn-target 100:1 1002:1 import-extcommunity
#
vlan 1
#
vlan 100
#
vlan 1002
#
interface Vlan-interface100
 ip binding vpn-instance vpn_main
 ip address 10.0.0.253 255.255.255.0
 ospf dr-priority 128
 vrrp vrid 100 virtual-ip 10.0.0.252
 vrrp vrid 100 priority 128
#
interface Vlan-interface1002
 ip binding vpn-instance vpn_CustomerA
 ip address 10.0.5.10 255.255.255.248
 ospf dr-priority 128
 vrrp vrid 100 virtual-ip 10.0.5.9
 vrrp vrid 100 priority 128
#
bgp 65001
 default med 20
 undo synchronization
 #
 ipv4-family vpn-instance vpn_CustomerA
  peer 10.0.5.9 as-number 65001
  peer 10.0.5.11 as-number 65001
  network 10.3.224.0 255.255.240.0
  import-route direct
  peer 10.0.5.9 connect-interface Vlan-interface1002
  peer 10.0.5.11 connect-interface Vlan-interface1002
 #
 ipv4-family vpn-instance vpn_main
  peer 10.0.0.203 as-number 65289
  peer 10.0.0.252 as-number 65001
  peer 10.0.0.254 as-number 65001
  default med 20
  import-route direct
  peer 10.0.0.203 connect-interface Vlan-interface100
  peer 10.0.0.203 preferred-value 100
  peer 10.0.0.252 connect-interface Vlan-interface100
  peer 10.0.0.254 connect-interface Vlan-interface100
#
ospf 1 router-id 10.0.0.253 vpn-instance vpn_main
 peer 10.0.0.252
 peer 10.0.0.254
 area 0.0.0.0
  network 10.0.0.0 0.0.0.255
#
ospf 1002 router-id 10.0.5.10 vpn-instance vpn_CustomerA
 peer 10.0.5.9
 peer 10.0.5.11
 area 0.0.0.0
  network 10.0.5.8 0.0.0.7
#
 ip route-static vpn-instance vpn_CustomerA 0.0.0.0 0.0.0.0 Vlan-interface1002 10.0.5.11
 ip route-static vpn-instance vpn_CustomerA 10.3.224.0 255.255.240.0 vpn-instance vpn_main 10.0.0.203
 ip route-static vpn-instance vpn_main 0.0.0.0 0.0.0.0 Vlan-interface100 10.0.0.254
----- END SW-BACKUP -----

16again
Respected Contributor

Re: [A5500] Redundancy of static route over BGP

Can you show the BGP prefixes received from 10.0.0.204 (and on backup from 203)?
If the 10.3.x.x network is advertised, you can get rid of the static route.

Re: [A5500] Redundancy of static route over BGP

Bonsoir 16again,

The prefixes received from 10.0.0.204 and 10.0.0.203 are :
- 10.1.0.0/16 le 32 ;
- 10.2.0.0/16 le 32 ;
- 10.3.0.0/16 le 32 ;
- 10.4.0.0/14 le 32 ;
- 10.8.0.0/13 le 32 ;
- 10.16.0.0/12 le 32 ;
- 10.32.0.0/11 le 32 ;
- 10.64.0.0/10 le 32 ;
- 10.128.0.0/9 le 32.

My problem is that I can't resize the netmask received from these CPEs.

16again
Respected Contributor
Solution

Re: [A5500] Redundancy of static route over BGP

Why not simply use the 10.3.0.0/16 route in your network? If you do use more specific 10.3.x.x routes elsewhere (for instance 10.3.33.0/24) in your network, these routes can coexist!
Also if you want to exclude access to your network from other 10.3 networks, you might use ACL like below:
permit ip source  10.3.224.0 255.255.240.0  dest any
deny  ip source  10.3.0.0 255.255.0.0  dest any
permit ip any any
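
Added example, not part of the reply above: a first-match evaluation of the three posted rules, plus a check for rules that can never match because an earlier rule already covers them. It assumes the rules are applied in the posted order with first match winning, and rewrites the masks as prefix lengths; the function names are hypothetical.

```python
import ipaddress

# The three rules from the reply above, in posted order, rewritten as prefixes.
RULES = [
    ("permit", "10.3.224.0/20"),
    ("deny", "10.3.0.0/16"),
    ("permit", "0.0.0.0/0"),
]

# Constructed variant: the same rules with the deny moved to the top.
REORDERED = [RULES[1], RULES[0], RULES[2]]


def evaluate(src, rules=RULES, default="deny"):
    """Return (action, matched prefix) for a source address; first match wins."""
    addr = ipaddress.ip_address(src)
    for action, prefix in rules:
        if addr in ipaddress.ip_network(prefix):
            return action, prefix
    return default, None


def shadowed(rules):
    """Return the rules that are fully covered by an earlier rule."""
    nets = [ipaddress.ip_network(prefix) for _, prefix in rules]
    hidden = []
    for i, net in enumerate(nets):
        if any(net.subnet_of(earlier) for earlier in nets[:i]):
            hidden.append(rules[i])
    return hidden


if __name__ == "__main__":
    for src in ("10.3.230.5", "10.3.1.1", "192.168.1.1"):
        print(src, evaluate(src), evaluate(src, REORDERED))
    print("shadowed in reordered list:", shadowed(REORDERED))
```

With the deny placed first, the customer's own 10.3.224.0/20 sources are dropped and the permit for them is reported as shadowed, so the rule order is part of the policy.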

Re: [A5500] Redundancy of static route over BGP

You're right about ACL or Access-List but :
- I'll have other CPEs from another provider with the same prefixes (it's the reason that I use VPN-instance) ;
- If customerA wants for example 10.3.144.0/20 with the other providers, the route doesn't match.

16again
Respected Contributor

Re: [A5500] Redundancy of static route over BGP

If you have route1 for 10.3.144.0/20 alongside route2 for 10.3.0.0/16, route1 is most specific (longer match) and will be used for 10.3.144.0/20 destinations; for all other 10.3.0.0/16 destinations route2 will be used.

Since you can't change the advertised 10.3.0.0/16 route, you have to use it as-is.

Of course you should only advertise this /16 route to the VPN instance that's using it.
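
Added example, not part of the thread: a small model of the route selection discussed in 16again's replies, covering both the remark that the static route stays in the table while the VLAN interface is up and the longest-match rule above. The entries are constructed from the sw-main table shown earlier; the 10.3.0.0/16 BGP entry, its preference, and the rule that a BGP route needs its neighbour session are assumptions of this sketch.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    proto: str                  # "Static" or "BGP"
    pref: int                   # "Pre" column: lower value wins
    nexthop: str
    iface: str
    peer: Optional[str] = None  # BGP neighbour the route was learned from


# Constructed from the vpn_customerA table in the thread; the /16 entry is assumed.
RIB = [
    Route("0.0.0.0/0", "Static", 60, "10.0.5.11", "Vlan1002"),
    Route("10.3.224.0/20", "Static", 60, "10.0.0.204", "Vlan100"),
    Route("10.3.224.0/20", "BGP", 255, "10.0.5.10", "Vlan1002", peer="10.0.5.10"),
    Route("10.3.0.0/16", "BGP", 255, "10.0.0.204", "Vlan100", peer="10.0.0.204"),
]


def usable(r, up_ifaces, up_peers):
    # Simplified model: a static route only needs its outgoing L3 interface
    # to be up; a BGP route also needs the session to its neighbour.
    if r.iface not in up_ifaces:
        return False
    return r.proto != "BGP" or r.peer in up_peers


def lookup(dst, rib, up_ifaces, up_peers):
    """Route used for dst: longest prefix first, then lowest preference."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in rib if usable(r, up_ifaces, up_peers)
             and addr in ipaddress.ip_network(r.prefix)]
    if not cands:
        return None
    return min(cands, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.pref))


ALL_IF = {"Vlan100", "Vlan1002"}
ALL_PEERS = {"10.0.5.10", "10.0.0.204"}
# CPE1's port is shut: Vlan100 stays up, only the session to 10.0.0.204 drops.
CPE1_DOWN = ALL_PEERS - {"10.0.0.204"}
NO_STATIC = [r for r in RIB if not (r.proto == "Static" and r.prefix == "10.3.224.0/20")]

if __name__ == "__main__":
    for name, rib in (("with static", RIB), ("without static", NO_STATIC)):
        r = lookup("10.3.224.1", rib, ALL_IF, CPE1_DOWN)
        print(f"CPE1 down, {name}: {r.proto} via {r.nexthop}")
```

In this model the static /20 keeps pointing at 10.0.0.204 after CPE1's port goes down, while removing it lets the BGP route via 10.0.5.10 take over.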

 

Re: [A5500] Redundancy of static route over BGP

Unfortunately, I think I have no choice :(
I can't change the advertised route, so the CustomerA instance receives 10.3.0.0/16 for vpn_main.
When I have vpn_main2 with the other CPEs that announce 10.3.0.0/16 and customerA wants to take a 10.3.x.x/20 subnet from them, it will not be possible.

I'd hoped that it was possible to modify the netmask in my network infrastructure with a "voodoo" mechanism :)

I should explain to customerA that he must choose a subnet excluded from 10.3.0.0/16 and for his current network, configure an ACL to filter the flows from him to 10.3.224.0/20 only.

OK, I'll test now and I'll come back to share the solution.

Thank you a lot 16again.