A while back we published a blog post on IP Infusion’s OcNOS and MikroTik interop with segment routing MPLS and LDP. Today we are going to build on the fundamentals learned there to test VPNv4 and VPNv6 interoperability with Juniper.
We’re going to start with the same topology from the previous post but with Juniper instead of MikroTik. Of course Juniper could run IS-IS end to end to eliminate the redistribution, but we’re going to continue to use OSPF and LDP. OSPF and LDP are widely deployed, and it is likely you will come across this scenario on your path towards SR-MPLS.
MPLS/IGP Setup
The first thing to accomplish is end to end reachability between the provider edge (PE) routers.
MPLS only requires the /32s of the loopbacks for functionality, so redistribution is limited to the /32 loopbacks of the PE routers. If we ran IS-IS end to end we would not have to perform this redistribution.
ipi-2.lab.jan1.us.ipa.net#
ip prefix-list LDP-PE-LOOPBACKS
seq 10 permit 100.127.2.0/24 eq 32
!
ip prefix-list SR-PE-LOOPBACKS
seq 10 permit 100.127.0.0/24 eq 32
!
route-map REDIS-OSPF-TO-ISIS permit 10
match ip address prefix-list LDP-PE-LOOPBACKS
!
route-map REDIS-ISIS-TO-OSPF permit 10
match ip address prefix-list SR-PE-LOOPBACKS
!
router isis UNDERLAY
is-type level-1-2
metric-style wide
mpls traffic-eng router-id 100.127.0.2
mpls traffic-eng level-1
mpls traffic-eng level-2
capability cspf
dynamic-hostname
fast-reroute ti-lfa level-1 proto ipv4
fast-reroute ti-lfa level-2 proto ipv4
net 49.0015.1001.2700.0002.00
redistribute ospf level-1-2 route-map REDIS-OSPF-TO-ISIS
segment-routing mpls
!
router ospf
ospf router-id 100.127.0.2
redistribute isis UNDERLAY route-map REDIS-ISIS-TO-OSPF
passive-interface lo enable
network 100.126.0.0/29 area 0.0.0.0
network 100.126.0.8/29 area 0.0.0.0
network 100.127.0.2/32 area 0.0.0.0
!
ipi-1.lab.jan1.us.ipa.net#ping 100.127.2.2 source-ip 100.127.0.1
Press CTRL+C to exit
PING 100.127.2.2 (100.127.2.2) from 100.127.0.1 : 56(84) bytes of data.
64 bytes from 100.127.2.2: icmp_seq=1 ttl=63 time=6.30 ms
64 bytes from 100.127.2.2: icmp_seq=2 ttl=63 time=2.09 ms
64 bytes from 100.127.2.2: icmp_seq=3 ttl=63 time=5.83 ms
Now that we have loopback to loopback reachability we will stitch together the LDP and segment routing (SR) domains.
IPI-1 is going to serve as a segment routing mapping server. It assigns labels to the routes in the LDP label space and distributes them through the SR domain, so we can have an end-to-end label switched path enabling the use of MPLS services.
segment-routing
mpls sr-prefer
global block 16000 23999
mapping-server
srms preference 100
prefix-sid-map address-family ipv4
100.127.2.0/32 4000 range 256
exit-ms-af
exit-ms
The mapping starts at prefix 100.127.2.0/32, adds 4000 to the starting point of the segment routing global block (16000 as defined), and can label the next 256 routes in order; i.e. 100.127.2.1/32 gets the node SID 20001. IPI-2 shows the stitching in action.
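The label arithmetic described above, as an added example that is not part of the original post: it computes the label a mapping-server entry yields for a prefix, rejects an entry that would run past the global block, and flags labels the entry would reuse. Function names are hypothetical; the SRGB and mapping values are the ones configured on IPI-1.

```python
import ipaddress

SRGB = (16000, 23999)                        # "global block 16000 23999"
SRMS_ENTRY = ("100.127.2.0/32", 4000, 256)   # first prefix, first SID index, range

def srms_label(prefix, entry=SRMS_ENTRY, srgb=SRGB):
    """Label the mapping entry assigns to `prefix`, or None if not covered."""
    first, start_index, count = entry
    base = ipaddress.ip_network(first)
    net = ipaddress.ip_network(prefix)
    if net.prefixlen != base.prefixlen:
        return None
    # Consecutive prefixes of the same length are 2^(32-len) addresses apart.
    step = 1 << (32 - base.prefixlen)
    diff = int(net.network_address) - int(base.network_address)
    if diff < 0 or diff % step or diff // step >= count:
        return None
    return srgb[0] + start_index + diff // step

def mapped_label_range(entry=SRMS_ENTRY, srgb=SRGB):
    """(lowest, highest) label the entry can produce; reject SRGB overflow."""
    _, start_index, count = entry
    low = srgb[0] + start_index
    high = low + count - 1
    if high > srgb[1]:
        raise ValueError(f"mapping needs label {high}, SRGB ends at {srgb[1]}")
    return low, high

def collisions(in_use, entry=SRMS_ENTRY, srgb=SRGB):
    """Labels already in use (e.g. native node SIDs) that the entry would reuse."""
    low, high = mapped_label_range(entry, srgb)
    return sorted(lbl for lbl in in_use if low <= lbl <= high)

if __name__ == "__main__":
    print(srms_label("100.127.2.1/32"), srms_label("100.127.2.2/32"))
    print(mapped_label_range())
    # 16101 and 16102 are the IS-IS SR node SIDs of IPI-1 and IPI-2.
    print(collisions({16101, 16102}))
```

Running the same check before changing the index or range of a mapping entry shows whether the new block still fits the SRGB and stays clear of the node SIDs already assigned.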
Let’s look at the label space.
ipi-2.lab.jan1.us.ipa.net#show mpls ilm-table
Codes: > - installed ILM, * - selected ILM, p - stale ILM
K - CLI ILM, T - MPLS-TP, s - Stitched ILM
S - SNMP, L - LDP, R - RSVP, C - CRLDP
B - BGP , K - CLI , V - LDP_VC, I - IGP_SHORTCUT
O - OSPF/OSPF6 SR, i - ISIS SR, k - SR CLI
P - SR Policy, U - unknown
Code FEC/VRF/L2CKT ILM-ID In-Label Out-Label In-Intf Out-Intf
/VRF Nexthop LSP-Type
i> 100.127.0.1/32 4 16101 3 N/A xe48
100.126.0.1 LSP_DEFAULT
B> evpn:1 3 17 Nolabel N/A N/A
127.0.0.1 LSP_DEFAULT
B> evpn:2 1 16 Nolabel N/A N/A
127.0.0.1 LSP_DEFAULT
B> evpn:1 2 640 Nolabel N/A N/A
127.0.0.1 LSP_DEFAULT
L> 100.127.0.1/32 8 24961 3 N/A xe48
100.126.0.1 LSP_DEFAULT
s i> 100.127.2.2/32 9 20002 3 N/A xe47.1
100.126.0.10 LSP_DEFAULT
i> 100.127.0.2/32 5 16102 Nolabel N/A N/A
127.0.0.1 LSP_DEFAULT
i> 100.126.0.1/32 6 25600 3 N/A xe48
100.126.0.1 LSP_DEFAULT
L> 100.127.2.2/32 10 24962 3 N/A xe47.1
100.126.0.10 LSP_DEFAULT
The 100.127.2.2/32 entry with in-label 20002 above shows the stitching in action, as denoted by the s. IMPORTANT: mpls lsp-stitching needs to be enabled on any router in the SR and LDP domain.
IPI-1 only sees isis-sr labels and QFX-2 only sees LDP labels as shown below.
ipi-1.lab.jan1.us.ipa.net#show mpls ilm-table
Codes: > - installed ILM, * - selected ILM, p - stale ILM
K - CLI ILM, T - MPLS-TP, s - Stitched ILM
S - SNMP, L - LDP, R - RSVP, C - CRLDP
B - BGP , K - CLI , V - LDP_VC, I - IGP_SHORTCUT
O - OSPF/OSPF6 SR, i - ISIS SR, k - SR CLI
P - SR Policy, U - unknown
Code FEC/VRF/L2CKT ILM-ID In-Label Out-Label In-Intf Out-Intf
/VRF Nexthop LSP-Type
i> 100.127.0.1/32 4 16101 Nolabel N/A N/A
127.0.0.1 LSP_DEFAULT
B> evpn:1 3 17 Nolabel N/A N/A
127.0.0.1 LSP_DEFAULT
B> evpn:100 1 16 Nolabel N/A N/A
127.0.0.1 LSP_DEFAULT
B> evpn:1 2 640 Nolabel N/A N/A
127.0.0.1 LSP_DEFAULT
P> 100.127.0.2/32 7 20 3 N/A xe48
100.126.0.2 LSP_DEFAULT
i> 100.127.2.2/32 8 20002 20002 N/A xe48
100.126.0.2 LSP_DEFAULT
i> 100.127.0.2/32 6 16102 3 N/A xe48
100.126.0.2 LSP_DEFAULT
i> 100.126.0.2/32 5 26240 3 N/A xe48
100.126.0.2 LSP_DEFAULT
B> VOICE 9 24960 Nolabel N/A VOICE
N/A LSP_DEFAULT
[email protected]# run show route table inet.3
inet.3: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
100.126.0.0/29 *[LDP/9] 01:14:11, metric 1
> to 100.126.0.9 via xe-0/0/47.0
100.127.0.1/32 *[LDP/9] 01:14:11, metric 1
> to 100.126.0.9 via xe-0/0/47.0, Push 24961
100.127.0.2/32 *[LDP/9] 01:14:11, metric 1
> to 100.126.0.9 via xe-0/0/47.0
L3VPN
It is common to place voice services into a layer 3 VPN. So first we’ll set up a VPNv4 session, then build the VRF and test end-to-end reachability.
ipi-1.lab.jan1.us.ipa.net
ip vrf VOICE
rd 100.127.0.1:12
route-target both 65000:12
!
interface xe46
speed 10g
ip vrf forwarding VOICE
ip address 172.16.0.1/24
ipv6 address 2001:db8::1/64
!
router bgp 65000
neighbor 100.127.2.2 remote-as 65000
neighbor 100.127.2.2 update-source lo
!
address-family vpnv4 unicast
neighbor 100.127.2.2 activate
exit-address-family
!
address-family ipv4 vrf VOICE
redistribute connected
exit-address-family
!
[email protected]# show routing-instances
VOICE {
instance-type vrf;
interface xe-0/0/47.10;
interface xe-0/0/47.100;
route-distinguisher 100.127.2.2:1;
vrf-target target:65000:12;
vrf-table-label;
}
[email protected]# show interfaces xe-0/0/47
vlan-tagging;
unit 0 {
vlan-id 1;
family inet {
address 100.126.0.10/29;
}
family iso;
family mpls;
}
unit 10 {
vlan-id 10;
family inet {
address 172.16.2.1/24;
}
family inet6 {
address 2001:db8:0:1::1/64;
}
}
[email protected]# show protocols bgp
group VPN {
family inet-vpn {
unicast;
}
family inet6-vpn {
unicast;
}
export PS-DIRECT;
peer-as 65000;
neighbor 100.127.0.1;
}
local-address 100.127.2.2;
local-as 65000;
We are building the vrf VOICE with route-target import and export 65000:12 for membership.
ipi-1.lab.jan1.us.ipa.net#show ip bgp vpnv4 all summary
BGP router identifier 100.127.0.1, local AS number 65000
BGP table version is 2
1 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcv MsgSen TblVer InQ OutQ Up/Down State/PfxRcd
100.127.2.2 4 65000 368 354 2 0 0 02:09:07 2
Total number of neighbors 1
Total number of Established sessions 1
[email protected]# run show bgp summary
Threading mode: BGP I/O
Groups: 1 Peers: 1 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
bgp.l3vpn.0
1 1 0 0 0 0
bgp.l3vpn-inet6.0
1 1 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
100.127.0.1 65000 319 313 0 7 2:14:50 Establ
bgp.l3vpn.0: 1/1/1/0
bgp.l3vpn-inet6.0: 1/1/1/0
VOICE.inet.0: 1/1/1/0
VOICE.inet6.0: 1/1/1/0
ipi-1.lab.jan1.us.ipa.net#show ip bgp vrf VOICE
BGP table version is 1, local router ID is 172.16.0.1
Status codes: s suppressed, d damped, h history, a add-path, * valid, > best, i - internal,
l - labeled, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> l 172.16.0.0/24 0.0.0.0 0 100 32768 ?
*>i 172.16.2.0/24 100.127.2.2 0 100 0 i
*>i 192.168.0.0 100.127.2.2 0 100 0 i
Total number of prefixes 3
[email protected]# run show route table VOICE.inet.0
VOICE.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
172.16.0.0/24 *[BGP/170] 01:35:07, localpref 100, from 100.127.0.1
AS path: ?, validation-state: unverified
> to 100.126.0.9 via xe-0/0/47.0, Push 24960, Push 24961(top)
172.16.2.0/24 *[Direct/0] 02:08:32
> via xe-0/0/47.10
172.16.2.1/32 *[Local/0] 02:08:32
Local via xe-0/0/47.10
192.168.0.0/24 *[Direct/0] 1w0d 00:03:04
> via xe-0/0/47.100
192.168.0.2/32 *[Local/0] 1w0d 00:03:04
Local via xe-0/0/47.100
We can see that we are receiving three prefixes from QFX-2 and reachability is confirmed below.
ipi-1.lab.jan1.us.ipa.net#ping 172.16.2.1 vrf VOICE
Press CTRL+C to exit
PING 172.16.2.1 (172.16.2.1) 56(84) bytes of data.
64 bytes from 172.16.2.1: icmp_seq=1 ttl=64 time=3.02 ms
64 bytes from 172.16.2.1: icmp_seq=2 ttl=64 time=6.87 ms
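The two labels QFX-2 pushes for 172.16.0.0/24 can be checked hop by hop against the ILM tables shown earlier. This is an added example, not part of the original post: the input lines are copied from the outputs on this page, the function names are hypothetical, and out-label 3 is treated as implicit null (penultimate-hop pop).

```python
import re

# Lines copied from the command outputs shown on this page.
IPI1_ILM = ["B> VOICE 9 24960 Nolabel N/A VOICE"]
IPI2_ILM = ["L> 100.127.0.1/32 8 24961 3 N/A xe48",
            "s i> 100.127.2.2/32 9 20002 3 N/A xe47.1"]
QFX2_ROUTE = "> to 100.126.0.9 via xe-0/0/47.0, Push 24960, Push 24961(top)"

# [s] code> FEC ILM-ID In-Label Out-Label ...
ILM_RE = re.compile(r"^(?:s\s+)?(\w)>\s+(\S+)\s+\d+\s+(\d+)\s+(\S+)")
IMPLICIT_NULL = "3"   # reserved label: the hop pops instead of swapping

def parse_ilm(lines):
    """Return {(code, fec): (in_label, out_label)} for each ILM entry line."""
    table = {}
    for line in lines:
        m = ILM_RE.match(line.strip())
        if m:
            code, fec, in_label, out_label = m.groups()
            table[(code, fec)] = (int(in_label), out_label)
    return table

def parse_push_stack(route_line):
    """Return (service_label, transport_label) from a Junos next-hop line."""
    pushes = re.findall(r"Push (\d+)(\(top\))?", route_line)
    top = [int(lbl) for lbl, flag in pushes if flag]
    inner = [int(lbl) for lbl, flag in pushes if not flag]
    if len(top) != 1 or len(inner) != 1:
        raise ValueError("expected one service label and one top label")
    return inner[0], top[0]

def check_stack(route_line, transit_ilm, egress_ilm, egress_loopback, vrf):
    """List of problems found; empty when the stack lines up hop by hop."""
    service, transport = parse_push_stack(route_line)
    problems = []
    transit = parse_ilm(transit_ilm).get(("L", egress_loopback))
    if transit is None or transit[0] != transport:
        problems.append(f"transit has no LDP ILM {transport} for {egress_loopback}")
    elif transit[1] != IMPLICIT_NULL:
        problems.append("transit does not pop the transport label")
    egress = parse_ilm(egress_ilm).get(("B", vrf))
    if egress is None or egress[0] != service:
        problems.append(f"egress has no ILM {service} for VRF {vrf}")
    return problems

if __name__ == "__main__":
    print(check_stack(QFX2_ROUTE, IPI2_ILM, IPI1_ILM, "100.127.0.1/32", "VOICE"))
```

An empty list means the top label matches IPI-2's LDP entry for IPI-1's loopback and the inner label matches IPI-1's entry for VRF VOICE, so traffic cannot land in a different VRF's table.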
6VPE
6VPE is a great way to take advantage of your already deployed and operational MPLS core. Here we’re going to use the SR-MPLS/LDP setup to build an IPv6 service on top, again for vrf VOICE.
Most of the configuration elements are the same except for utilizing VPNv6 and IPv6 addressing. Let’s look specifically at those portions.
ipi-1.lab.jan1.us.ipa.net#show run bgp
!
router bgp 65000
neighbor 100.127.2.2 remote-as 65000
neighbor 100.127.2.2 update-source lo
!
address-family vpnv6 unicast
neighbor 100.127.2.2 activate
exit-address-family
!
address-family ipv6 vrf VOICE
redistribute connected
exit-address-family
!
[email protected]# show protocols bgp
group VPN {
family inet-vpn {
unicast;
}
family inet6-vpn {
unicast;
}
export PS-DIRECT;
peer-as 65000;
neighbor 100.127.0.1;
}
local-address 100.127.2.2;
local-as 65000;
[email protected]# show protocols mpls
ipv6-tunneling;
I will draw attention to the ipv6-tunneling command on QFX-2 above. This is required to tunnel the IPv6 packets over the MPLS core. Without this you will end up with an unusable next hop.
ipi-1.lab.jan1.us.ipa.net#show ip bgp vpnv6 all summary
BGP router identifier 100.127.0.1, local AS number 65000
BGP table version is 2
1 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcv MsgSen TblVer InQ OutQ Up/Down State/PfxRcd
100.127.2.2 4 65000 393 380 2 0 0 02:20:07 1
Total number of neighbors 1
Total number of Established sessions 1
[email protected]# run show bgp summary
Threading mode: BGP I/O
Groups: 1 Peers: 1 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
bgp.l3vpn.0
1 1 0 0 0 0
bgp.l3vpn-inet6.0
1 1 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
100.127.0.1 65000 319 313 0 7 2:14:50 Establ
bgp.l3vpn.0: 1/1/1/0
bgp.l3vpn-inet6.0: 1/1/1/0
VOICE.inet.0: 1/1/1/0
VOICE.inet6.0: 1/1/1/0
ipi-1.lab.jan1.us.ipa.net#show ip bgp vpnv6 vrf VOICE
Status codes: s suppressed, d damped, h history, a add-path, * valid, > best, i - internal, l - labeled
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100.127.0.1:12 (Default for VRF VOICE)
*> l 2001:db8::/64 :: 0 100 32768 ?
*>i 2001:db8:0:1::/64
::ffff:100.127.2.2 0 100 0 i
Announced routes count = 1
Accepted routes count = 1
[email protected]# run show route table VOICE.inet6.0
VOICE.inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
2001:db8::/64 *[BGP/170] 01:43:15, localpref 100, from 100.127.0.1
AS path: ?, validation-state: unverified
> to 100.126.0.9 via xe-0/0/47.0, Push 24960, Push 24961(top)
2001:db8:0:1::/64 *[Direct/0] 01:49:56
> via xe-0/0/47.10
2001:db8:0:1::1/128*[Local/0] 01:49:56
Local via xe-0/0/47.10
fe80::86c1:c100:a32:5032/128
*[Local/0] 01:49:56
Local via xe-0/0/47.10
ff02::2/128 *[INET6/0] 1w2d 20:22:10
MultiRecv
{master:0}[edit]
Now that we have all of our routes and signaling set up, let’s verify reachability.
ipi-1.lab.jan1.us.ipa.net#ping ipv6 2001:db8:0:1::1 vrf VOICE
Press CTRL+C to exit
PING 2001:db8:0:1::1(2001:db8:0:1::1) 56 data bytes
64 bytes from 2001:db8:0:1::1: icmp_seq=1 ttl=64 time=2.80 ms
64 bytes from 2001:db8:0:1::1: icmp_seq=2 ttl=64 time=3.84 ms
Conclusion
With the new features and support in IP Infusion GA 6.0, stability and interop between vendors are getting better. This paves the way for deployments of segment routing while migrating the LDP segments, all while maintaining current VPNs.
The 6VPE support allows for rapid adoption of IPv6 utilizing the core already in place.
We’ll be working on more interop testing to include L2VPN with both LDP signaled VPLS and BGP signaled VPLS. Be sure to come back for more.