
NE 8000 route leaking between two vpn-instance

Created: Aug 30, 2021 10:00:53 | Latest reply: Sep 12, 2021 14:12:38
Rewarded HiCoins: 5 (problem resolved)
Hello everyone! 

Please help me solve the problem with leaking routes.

It is required to allocate a host route from a subnet and perform route leaking between two VPNs.

Configuration example:

#
ip vpn-instance VPN_CUSTOMER1
 ipv4-family
  route-distinguisher 192.168.255.111:100
  export route-policy FROM-CUST1
  apply-label per-instance 
  vpn-target 65000:100 export-extcommunity
  vpn-target 65000:100 65000:1301 import-extcommunity
#
ip vpn-instance VPN_CUSTOMER2
 ipv4-family
  route-distinguisher 192.168.255.111:1300
  export route-policy FROM-CUST2
  apply-label per-instance 
  vpn-target 65000:1300 export-extcommunity
  vpn-target 65000:1300 65000:117 import-extcommunity
#
mpls lsr-id 192.168.255.111
mpls
#
mpls ldp
#
#
#
interface GigabitEthernet0/0/0
 description <<< TO MPLS CLOUD >>>
 set flow-stat interval 30
 ip address 192.168.10.22 255.255.255.252 
 ospf cost 5
 ospf mtu-enable
 ospf network-type p2p
 ospf timer hello 5
 ospf timer dead 10
 mpls
 mpls mtu 1500
 mpls ldp
#
#
interface Eth-trunk1
 description <<< TO SWITCH S5731 >>>
#
interface Eth-trunk1.2
 description <<< CONTROLLER CUSTOMER2 >>>
 dot1q termination vid 2
 ip binding vpn-instance VPN_CUSTOMER2
 ip address 192.168.2.1 255.255.255.0 
 arp broadcast enable
#
interface Eth-trunk1.3
 description <<< CONTROLLER CUSTOMER1 >>>
 dot1q termination vid 3
 ip binding vpn-instance VPN_CUSTOMER1
 ip address 192.168.1.1 255.255.255.0 
 arp broadcast enable
#
interface LoopBack255
 description <<< MPLS CORE >>>
 ip address 192.168.255.111 255.255.255.255 
#
bgp 65000
 router-id 192.168.255.111
 group RR-SERVERS internal
 peer RR-SERVERS connect-interface LoopBack255
 peer 192.168.255.11 as-number 65000 
 peer 192.168.255.11 group RR-SERVERS 
 #
 ipv4-family unicast
  undo synchronization
  peer RR-SERVERS enable
  peer 192.168.255.11 enable
  peer 192.168.255.11 group RR-SERVERS 
 # 
 ipv4-family vpnv4
  undo policy vpn-target
  peer RR-SERVERS enable
  peer RR-SERVERS next-hop-local 
  peer 192.168.255.11 enable
  peer 192.168.255.11 group RR-SERVERS 
 #
 ipv4-family vpn-instance VPN_CUSTOMER1 
  import-route direct
  import-route static
 #
 ipv4-family vpn-instance VPN_CUSTOMER2 
  import-route direct
  import-route static
#
#
ospf 100 router-id 192.168.255.111 
 silent-interface all
 undo silent-interface GigabitEthernet0/0/0
 spf-schedule-interval intelligent-timer 3000 100 20 
 lsa-originate-interval intelligent-timer 3000 100 50 
 lsa-arrival-interval 20
 area 0.0.0.0 
  network 192.168.11.22 0.0.0.0 
  network 192.168.255.111 0.0.0.0 
#
route-policy FROM-CUST1 permit node 10 
 if-match ip-prefix CONTROLLER-CUST1
 apply extcommunity rt 65000:117 additive 
#
route-policy FROM-CUST1 permit node 20 
#
route-policy FROM-CUST2 permit node 10 
 if-match ip-prefix CONTROLLER-CUST2 
 apply extcommunity rt 65000:1301 additive 
#
route-policy FROM-CUST2 permit node 20 
#
ip ip-prefix CONTROLLER-CUST2 index 20 permit 192.168.2.4 32
ip ip-prefix CONTROLLER-CUST1 index 10 permit 192.168.1.177 32
#
ip route-static vpn-instance VPN_CUSTOMER1 192.168.1.177 255.255.255.255 Eth-trunk1.3
ip route-static vpn-instance VPN_CUSTOMER2 192.168.2.4 255.255.255.255 Eth-trunk1.2
#

And the output of diagnostic commands:

dis ip routing-table vpn-instance VPN_CUSTOMER2
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: VPN_CUSTOMER2
         Destinations : 6        Routes : 6        

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

    192.168.1.177/32  BGP     255  0           D   192.168.1.1      Eth-trunk1.3
    192.168.2.0/24  Direct  0    0           D   192.168.2.1     Eth-trunk1.2
    192.168.2.1/32  Direct  0    0           D   127.0.0.1       Eth-trunk1.2
    192.168.2.4/32  Static  60   0           D   192.168.2.1     Eth-trunk1.2


dis ip routing-table vpn-instance VPN_CUSTOMER1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: VPN_CUSTOMER1
         Destinations : 76       Routes : 76       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

    192.168.1.0/24  Direct  0    0           D   192.168.1.1      Eth-trunk1.3
    192.168.1.1/32  Direct  0    0           D   127.0.0.1       Eth-trunk1.3
    192.168.1.177/32  Static  60   0           D   192.168.1.1      Eth-trunk1.3
    192.168.2.4/32  BGP     255  0           D   192.168.2.1     Eth-trunk1.2
PC-CONTROLLER-CUST1>ping 192.168.2.4 -t

Ping 192.168.2.4: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.2.4 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss
  
PC-CONTROLLER-CUST2>ping 192.168.1.177

Ping 192.168.1.177: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.1.177 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss



  
PC-USER>ping 192.168.1.1

Ping 10.8.247.1: 32 data bytes, Press Ctrl_C to break
From 10.8.247.1: bytes=32 seq=1 ttl=255 time=31 ms
From 10.8.247.1: bytes=32 seq=2 ttl=255 time=31 ms
From 10.8.247.1: bytes=32 seq=3 ttl=255 time=31 ms

--- 10.8.247.1 ping statistics ---
  3 packet(s) transmitted
  3 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 31/31/31 ms


PC-USER>ping 192.168.1.177

Ping 192.168.1.177: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.1.177 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss


Visually, everything looks correct, but the point is, as soon as the host route is present, the connection between the nodes stops with PC-USER.

Featured Answers

Best answer (Recommended answer)
chenhui (Admin) Created Aug 31, 2021 06:15:55

Posted by user_3440255 at 2021-08-30 15:54 In fact, the problem was with static routes. As soon as the controller address itself was specified ...
Oh yeah, I forgot that when configuring a static route on a broadcast network, the next hop is mandatory and the outbound interface is optional. But for a PPP link, you can specify only the outbound interface, because on a broadcast network no next hop means the router doesn't know the destination MAC address that can be used to encapsulate the packets, while for a PPP link there is no MAC address requirement.

All Answers

Y_T_Z (Admin) Created Aug 30, 2021 10:02:09

Hello, dear.
It's nice to meet you in the community.
We're working on getting the right answer for you. Please rest assured that we'll be back with an answer shortly.

Hi,
The configuration seems fine, and I already tried that in the test environment, and everything works normally.
Can you please check the gateway configuration on the two CUSTOMER PCs? That is the only potential problem that I can imagine for now.

The gateway from PC-CUSTOMER is reachable:

PC-CONTROLLER-CUST1>ping 192.168.1.1

Ping 192.168.1.1: 32 data bytes, Press Ctrl_C to break
From 192.168.1.1: bytes=32 seq=1 ttl=255 time=62 ms
From 192.168.1.1: bytes=32 seq=2 ttl=255 time=32 ms
From 192.168.1.1: bytes=32 seq=3 ttl=255 time=47 ms

--- 192.168.1.1 ping statistics ---
3 packet(s) transmitted
3 packet(s) received
0.00% packet loss
round-trip min/avg/max = 32/47/62 ms


PC-CONTROLLER-CUST2>ping 192.168.2.1

Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break
From 192.168.2.1: bytes=32 seq=1 ttl=255 time=16 ms
From 192.168.2.1: bytes=32 seq=2 ttl=255 time=16 ms
From 192.168.2.1: bytes=32 seq=3 ttl=255 time=31 ms
From 192.168.2.1: bytes=32 seq=4 ttl=255 time=16 ms

--- 192.168.2.1 ping statistics ---
4 packet(s) transmitted
4 packet(s) received
0.00% packet loss
round-trip min/avg/max = 16/19/31 ms


Posted by user_3440255 at 2021-08-30 12:21: gateway from PC-CUSTOMER is available PC-CONTROLLER-CUST1>ping 192.168.1.1 Ping 192.168.1.1: 32 data b ...
Well, the gateway address is in the same network as the PC itself. Would you please check the gateway configuration on the PC, or you might configure a temporary interface that is in another network and bind it to the VPN instance, then do the ping test to check whether the result is normal.

In fact, the problem was with the static routes. As soon as the controller address itself was specified as the next-hop address (PC-CONTROLLER-CUST1 and PC-CONTROLLER-CUST2), everything worked as it should.

#
ip route-static vpn-instance VPN_CUSTOMER1 192.168.1.177 255.255.255.255 Eth-trunk1.3 192.168.1.177
ip route-static vpn-instance VPN_CUSTOMER2 192.168.2.4 255.255.255.255 Eth-trunk1.2 192.168.2.4
#
dis ip routing-table vpn-instance VPN_CUSTOMER2
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: VPN_CUSTOMER2
        Destinations : 6        Routes : 6        

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

  192.168.1.177/32  BGP     255  0           D   192.168.1.177    Eth-trunk1.3
   192.168.2.0/24  Direct  0    0           D   192.168.2.1     Eth-trunk1.2
   192.168.2.1/32  Direct  0    0           D   127.0.0.1       Eth-trunk1.2
   192.168.2.4/32  Static  60   0           D   192.168.2.4     Eth-trunk1.2
 192.168.2.255/32  Direct  0    0           D   127.0.0.1       Eth-trunk1.2
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0



dis ip routing-table vpn-instance VPN_CUSTOMER1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: VPN_CUSTOMER1
        Destinations : 7       Routes : 7      

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      192.168.0.0/24  IBGP    255  0          RD   192.168.255.11  GigabitEthernet0/0/0
    192.168.1.0/24  Direct  0    0           D   192.168.1.1      Eth-trunk1.3
    192.168.1.1/32  Direct  0    0           D   127.0.0.1       Eth-trunk1.3
  192.168.1.177/32  Static  60   0           D   192.168.1.177    Eth-trunk1.3
  192.168.1.255/32  Direct  0    0           D   127.0.0.1       Eth-trunk1.3
   192.168.2.4/32  BGP     255  0           D   192.168.2.4     Eth-trunk1.2
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0



PC-CONTROLLER-CUST2>ping 192.168.1.177 -t

Ping 192.168.1.177: 32 data bytes, Press Ctrl_C to break
From 192.168.1.177: bytes=32 seq=1 ttl=127 time=31 ms
From 192.168.1.177: bytes=32 seq=2 ttl=127 time=47 ms
From 192.168.1.177: bytes=32 seq=3 ttl=127 time=47 ms
From 192.168.1.177: bytes=32 seq=4 ttl=127 time=47 ms

--- 192.168.1.177 ping statistics ---
 4 packet(s) transmitted
 4 packet(s) received
 0.00% packet loss
 round-trip min/avg/max = 31/43/47 ms
 
 
 
PC-CONTROLLER-CUST1>ping 192.168.2.4 -t

Ping 192.168.2.4: 32 data bytes, Press Ctrl_C to break
From 192.168.2.4: bytes=32 seq=1 ttl=127 time=46 ms
From 192.168.2.4: bytes=32 seq=2 ttl=127 time=32 ms
From 192.168.2.4: bytes=32 seq=3 ttl=127 time=47 ms
From 192.168.2.4: bytes=32 seq=4 ttl=127 time=15 ms

--- 192.168.2.4 ping statistics ---
 4 packet(s) transmitted
 4 packet(s) received
 0.00% packet loss
 round-trip min/avg/max = 15/35/47 ms
 


PC-USER>ping 192.168.1.177 -t

Ping 192.168.1.177: 32 data bytes, Press Ctrl_C to break
From 192.168.1.177: bytes=32 seq=1 ttl=127 time=47 ms
From 192.168.1.177: bytes=32 seq=2 ttl=127 time=47 ms
From 192.168.1.177: bytes=32 seq=3 ttl=127 time=46 ms
From 192.168.1.177: bytes=32 seq=4 ttl=127 time=47 ms
From 192.168.1.177: bytes=32 seq=5 ttl=127 time=47 ms
From 192.168.1.177: bytes=32 seq=6 ttl=127 time=47 ms

--- 192.168.1.177 ping statistics ---
 6 packet(s) transmitted
 6 packet(s) received
 0.00% packet loss
 round-trip min/avg/max = 46/46/47 ms


As a result, for correct operation, leaking of /32 host routes between VPNs should look like this:

#
ip vpn-instance VPN_CUSTOMER1
 ipv4-family
  route-distinguisher 192.168.255.111:100
  export route-policy FROM-CUST1
  apply-label per-instance
  vpn-target 65000:100 export-extcommunity
  vpn-target 65000:100 65000:1301 import-extcommunity
#
ip vpn-instance VPN_CUSTOMER2
 ipv4-family
  route-distinguisher 192.168.255.111:1300
  export route-policy FROM-CUST2
  apply-label per-instance
  vpn-target 65000:1300 export-extcommunity
  vpn-target 65000:1300 65000:117 import-extcommunity
#
interface Eth-trunk1.2
 description <<< CONTROLLER CUSTOMER2 >>>
 dot1q termination vid 2
 ip binding vpn-instance VPN_CUSTOMER2
 ip address 192.168.2.1 255.255.255.0
 arp broadcast enable
#
interface Eth-trunk1.3
 description <<< CONTROLLER CUSTOMER1 >>>
 dot1q termination vid 3
 ip binding vpn-instance VPN_CUSTOMER1
 ip address 192.168.1.1 255.255.255.0
 arp broadcast enable
#
bgp 65000
 #
 ipv4-family vpn-instance VPN_CUSTOMER1
  import-route direct
  import-route static
 #
 ipv4-family vpn-instance VPN_CUSTOMER2
  import-route direct
  import-route static
#
route-policy FROM-CUST1 permit node 10
 if-match ip-prefix CONTROLLER-CUST1
 apply extcommunity rt 65000:117 additive
#
route-policy FROM-CUST1 permit node 20
#
route-policy FROM-CUST2 permit node 10
 if-match ip-prefix CONTROLLER-CUST2
 apply extcommunity rt 65000:1301 additive
#
route-policy FROM-CUST2 permit node 20
#
ip ip-prefix CONTROLLER-CUST2 index 20 permit 192.168.2.4 32
ip ip-prefix CONTROLLER-CUST1 index 10 permit 192.168.1.177 32
#
ip route-static vpn-instance VPN_CUSTOMER1 192.168.1.177 255.255.255.255 Eth-trunk1.3 192.168.1.177
ip route-static vpn-instance VPN_CUSTOMER2 192.168.2.4 255.255.255.255 Eth-trunk1.2 192.168.2.4
#
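To make the two mechanisms in this thread checkable offline, here is an added example (not part of the original post or of Huawei's VRP): it models the RT export/import logic of the two vpn-instances and their route-policies exactly as configured above, showing that only the /32 host routes cross between VPN_CUSTOMER1 and VPN_CUSTOMER2, and it lints static routes that name only an outbound broadcast interface without a next hop, which is the root cause identified in the accepted answer. The interface names, RTs, prefixes and the broadcast-interface set are taken from the thread; the route table is a constructed model.

```python
# Constructed model of the two vpn-instances: export RT, import RTs, and the export
# route-policy (node 10: match the ip-prefix and add an RT; node 20: permit everything).
VRFS = {
    "VPN_CUSTOMER1": {"export": {"65000:100"}, "import": {"65000:100", "65000:1301"},
                      "policy": [({"192.168.1.177/32"}, {"65000:117"}), (None, set())]},
    "VPN_CUSTOMER2": {"export": {"65000:1300"}, "import": {"65000:1300", "65000:117"},
                      "policy": [({"192.168.2.4/32"}, {"65000:1301"}), (None, set())]},
}

# Constructed local routes: (vrf, prefix, protocol, outbound interface, next hop or None).
# These mirror the original (broken) static routes, which carried no next-hop address.
ROUTES = [
    ("VPN_CUSTOMER1", "192.168.1.0/24", "Direct", "Eth-trunk1.3", "192.168.1.1"),
    ("VPN_CUSTOMER1", "192.168.1.177/32", "Static", "Eth-trunk1.3", None),
    ("VPN_CUSTOMER2", "192.168.2.0/24", "Direct", "Eth-trunk1.2", "192.168.2.1"),
    ("VPN_CUSTOMER2", "192.168.2.4/32", "Static", "Eth-trunk1.2", None),
]

# Assumption: the dot1q sub-interfaces are Ethernet, i.e. broadcast links (not PPP).
BROADCAST_IFACES = {"Eth-trunk1.2", "Eth-trunk1.3"}


def export_rts(vrf, prefix):
    """Apply the VRF's export route-policy: first matching node wins, RTs are additive."""
    for match, extra in VRFS[vrf]["policy"]:
        if match is None or prefix in match:
            return VRFS[vrf]["export"] | extra
    return None  # no node matched: the route is not exported at all


def leaked_routes(routes):
    """Return {vrf: {prefix: source_vrf}} for routes imported from the other vpn-instance."""
    imported = {v: {} for v in VRFS}
    for src, prefix, _proto, _iface, _nh in routes:
        rts = export_rts(src, prefix)
        if rts is None:
            continue
        for dst, spec in VRFS.items():
            if dst != src and rts & spec["import"]:  # any common RT triggers import
                imported[dst][prefix] = src
    return imported


def static_route_warnings(routes):
    """Flag static routes on a broadcast interface that give no next hop: the router then
    has no address to ARP for, so the leaked route cannot forward traffic."""
    return [f"{vrf} {prefix}: static route via {iface} has no next hop on a broadcast link"
            for vrf, prefix, proto, iface, nh in routes
            if proto == "Static" and iface in BROADCAST_IFACES and nh is None]
```

Re-running `static_route_warnings` on routes that carry the controller address as next hop (as in the corrected configuration) returns an empty list.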


Very good answer