350-501 SPCOR Cisco CCNP Service Provider – MPLS L3 VPN – Troubleshooting
June 8, 2023

1. MPLS L3 VPN – Troubleshooting – PART 1

In this video we'll see how to troubleshoot your MPLS L3 VPNs. Whenever you do some troubleshooting, if you come across any issue, the first thing you need to know is how things need to be configured, which means you need to be very well aware of exactly how to configure an MPLS L3 VPN. If you remember, we have six steps in total. In the first step we configure an IGP inside the service provider core, which we did already, and then we enable LDP inside the service provider core. Then we configure a VRF with route distinguisher and route target values.

And then we do some PE-to-CE routing, and finally we do the VPNv4 peering between both the PE routers, and then redistribution of the routes. So to troubleshoot any network, it's really important to know how things need to be configured and exactly which commands should be present on the router. If you realize that something is missing as per the requirement, you go and configure that particular thing. And if you realize that something is misconfigured for your scenario and should not be present, you change it to the correct configuration. For all of this, knowing the correct configuration is very important.

So at this point, I expect you to know how to do all six steps, and to be good at configuring L3 VPNs with two sites or multiple sites, and between two different customers using overlapping VPNs, and everything else we discussed. I have a preconfigured initial config, where I have Router 5, which is connecting to five, and another customer, six six, on Router 6. My requirement is to make sure that Router 5 is able to communicate with the Router 6 LAN interface through our MPLS network backbone. Now there's something preconfigured in this.

I have the IGP configured and all the six steps we discussed; everything is preconfigured. But in the initial configs I made some mistakes: I manually put some errors into them, and we are going to do some troubleshooting on them. I'll go to my topology here, and then jump to the command line. I've got Router 5 on the left side and Router 6 on the other, and we need to make sure that these two can communicate. The entire IP addressing is exactly the same as in our previous labs. So you know that these four routers are acting as the core, and then we have VPNv4 peering established.

And then we have eBGP configured here. So I'm using BGP as the PE-to-CE routing protocol, the same as in the last lab we used for MPLS L3 VPNs. So there is no redistribution in this scenario. We need to make sure that Router 5, customer A site 1 (A-1), is able to communicate with the other site of the same customer A. Whenever you do troubleshooting related to MPLS and you realize that the customer routers are not able to communicate with each other, the first thing is to make sure that this customer route here, the five network, is seen in the VRF routing table of Router 1.

And similarly this customer route must be seen in the VRF routing table of Router 3. So first we need to make sure that on both sides the customer route is coming into the VRF routing table. That confirms that your PE-to-CE routing is perfect. Once you know PE-to-CE routing is perfect, let's say this customer route is coming here, and the customer Router 5 route is also coming on Router 1, but this route is not coming on the other end. There are multiple possible reasons for that. The first reason might be that your VPNv4 is not configured properly, because in order to extend the route from one PE to another PE, we need to configure VPNv4.

If the VPNv4 neighborship is not established between the PE routers, the routes will not be exchanged. Once you've confirmed that VPNv4 is working fine, the second possible reason is redistribution. If I'm using OSPF here and inside the core it is BGP, and you don't redistribute the OSPF routes into BGP, that will be another possible reason. In this scenario, redistribution is not the reason because I'm using BGP here, so there's no need for redistribution if you are using BGP as the PE-to-CE protocol. The next possible reason, if the routes are not coming on the other PE, is the route target.

If you do not export the route target value here, or you're not exporting on this side, or maybe you're not importing on the other side, any one of these or both can also impact extending the routes. One more thing: when you're using VPNv4 peering, we need to ensure that we use the send-community extended command, because sometimes we forget this command. We configure; the VPNv4 peering is established; the route target seems to be okay; redistribution seems to be okay. But if you miss the send-community command on the VPNv4 peering, there is no way of exchanging the routes, because the route target value information will not be carried along with the VPN routes.

So these are some of the things we need to keep in mind. Based on the way the routes are coming and going, we can easily analyze what the possible reason might be. If I come across any other things, I'll quickly go through them. When I start troubleshooting, I'm going to assume the first two steps are already configured and correct. I'm not getting into troubleshooting those two because I have covered that already in a separate section on troubleshooting LDP. So I'm going to assume that this is perfect.

I don't have any errors in my LDP or IGP configuration, so these are running fine. If you do want to troubleshoot them, as we already discussed, verify with show mpls interfaces and show mpls ldp neighbor, those commands. That is something I have covered already. So in this section I'm going to focus from the third step onward, starting with PE-to-CE routing. First I'll check PE-to-CE routing, ensuring that the Router 5 route is seen in the Router 1 VRF routing table. Similarly, the Router 6 route must be seen in the Router 3 VRF routing table. So let's go to Router 1. I already have the initial configuration, so I'll quickly jump to show ip route vrf A-1; that is the VRF name. I don't see the route coming from Router 5.

Whenever you don't see the route coming from Router 5, what is the next thing to verify? Definitely there is some PE-to-CE routing issue. So next I'll verify the neighborship, because maybe the route is not advertised, but before the route can be advertised, the neighborship should be there between those two routers. If I'm using OSPF, I'll verify the OSPF neighborship. If I'm using EIGRP, I'll verify the EIGRP neighborship. In this scenario I'm using BGP, so I'll verify with show ip bgp vpnv4 vrf A-1 summary. This command is equivalent to your show ip bgp summary command. I can see there is no neighborship established between Router 1 and Router 5. If you want, you can check the BGP configuration.

Based on the BGP configuration, I can at least work out which command is missing. I can see that under the address family there is a neighbor command, but there is no activate command. In my initial config it was working fine, and I changed it to the no form of the command. Unless you give the activate command, the neighborship will not initiate. For everything except IPv4, we must give the activate command. So the activate command was missing here, and I'll fix it: router bgp 500, address-family ipv4 vrf A-1, and then neighbor 172.16.15.5 activate under the VRF. Once I give activate, hopefully the neighborship should come up, because all the other commands seem to be okay on Router 1; we need to have a neighbor command.

Let me verify once again with show run | section bgp. Let me check the configs: under the VRF, the neighbor command is okay, activate is okay, and the network command is also okay. You can see the neighborship comes up. Now, if I verify show ip bgp vpnv4 summary, I'm able to see one route, but I should see which route is coming. To verify, you can also use show ip bgp vpnv4 vrf A-1. On Router 1 I'm able to see the connected interface network, but I'm not able to see five. The meaning of this is that the neighborship is established but the route is not coming. That confirms there is some problem on Router 5; it might be an advertisement issue.

So let's check the BGP configuration on Router 5: show run | section bgp. The neighbor command is okay; that's the reason the neighborship is coming up. There is only one network command: the WAN interface is advertised, but the LAN interface is not. So the five interface was not advertised. I go to router bgp 5600 and add the network command for five with the mask 255.255.255.255; I'm using a /32. Done. Now Router 1 should be able to see five five. This confirms that PE-to-CE routing is okay on site 1. To test, under the VRF I should be able to ping that customer. This confirms that the routing between PE and CE is perfect on site 1.

2. MPLS L3 VPN – Troubleshooting – PART 2

Let's jump to site 2 and do the same thing. On site 2, I'll go to Router 3 and verify there: show ip bgp vpnv4 vrf A-2 summary. That's the name of the VRF. The neighborship needs to be okay. Yes, it is okay. If I remove summary, I should be able to see the route six six coming into my VRF table. If I give show ip route vrf A-2, you should see it there as well, because I can already see it in the BGP table, so you'll almost certainly see it in the routing table too. And if I ping under vrf A-2, I should be able to reach six six six. On site 2 there is no problem; it's working fine. So in the first step we verified PE-to-CE routing.

In the second step, we need to ensure that the customer route from site 1 reaches this side, and I have to do the same thing the other way: six six six must be seen on the other side's PE router. That confirms several things: VPNv4 peering is okay, and route target import and export. So there are three things we need to check here. The customer CE route should be seen on the other end's PE router; that's what we need to ensure. Let's verify, starting with Router 3. On Router 3, if I use show ip bgp vpnv4 vrf A-2, I'm able to see five five coming from site 1. That confirms that your route is riding through BGP and then through VPNv4.

It is reaching the other PE router. I need to check the same thing on Router 1, and you can use this command as well: show ip route vrf A-1. You can see five is coming, which is from the same site. But the six network is not coming from the other side. So this is a problem. We already verified that the customer route is coming on Router 3, but it's not coming on this side. What do we need to check? Three things. We need to ensure that the VPNv4 configuration is okay. The problem might be on Router 3 or Router 1, so first we'll check on Router 3 and then on Router 1 as well.

Redistribution is not required in this scenario because we are using BGP as the PE-to-CE protocol. The next thing to check is the import and export values. But first I'll verify the VPNv4 neighborship between Router 1 and Router 3: show ip bgp vpnv4 all summary. The VPNv4 neighborship seems to be okay, but no routes are exchanged from Router 3. Let me verify once again whether all the commands are present, because if you miss any of the commands under VPNv4, you will not see the routes. The neighborship is okay because remote-as and update-source are okay. Under the address family, activate, send-community and next-hop-self are there. So this time, on Router 1, the configuration seems to be okay. Let me check on Router 3 with show run | section.

So most likely the problem is on Router 3, and we'll check show run | section bgp. Here you can see some commands are missing. Remote-as and update-source are okay, but what commands do we need under the address family? If we get back to the basics, you should know what the commands are, because when you do some troubleshooting, it's mandatory to know the set of commands required. Here we've got activate, but send-community is missing, and what else is missing? Next-hop-self. So for neighbor eleven one we need to add send-community extended, and also next-hop-self. Now next-hop-self is very important here, because sometimes you come across a scenario where your routes are exchanged from one side to the other.

You'll see the customer routes from Router 5 on Router 6, but you won't be able to ping between the customer sites because of the next hop. Normally, if I miss the next-hop-self command, by default the route is coming from Router 5 and is then advertised on to Router 3. The default behavior when a router sends advertisements to internal BGP neighbors is that it does not change the next hop. Which means Router 3 is going to receive the route with the next hop of this router. But in order for VPNv4 to work between PE and PE, it is going to add a label for the next hop. So it's really important that the next hop is the other PE router.

So you need to be very careful with the next-hop-self command here. Now if I verify show ip bgp vpnv4 all summary on both sides, the VPNv4 configuration seems to be okay, but can I see the route? I'm still not able to see the route. So I fixed VPNv4; VPNv4 is not a problem now, and there is no possibility of redistribution because we are using BGP as the PE-to-CE protocol. What else do we need to verify? Import and export. Whenever you realize that the customer route is coming as far as one PE but not on the other PE, these are the three things to verify. There might be some misconfiguration on Router 1 or Router 3. First we'll verify on Router 1: we need to ensure that we are importing and exporting 501.

Router 1 is okay because we are exporting 501 and importing 501. Let's verify on Router 3 with show run | section vrf. In some IOS versions, show run vrf also works directly. Here you can see there is an import but no export. The problem is that Router 3 is receiving the routes but is not exporting them, because the export route target value is missing; there is only import. That's the reason you only see the routes coming on one side; on the other side the routes are not exchanged. One thing you can conclude: if the route is coming on one side but not on the other, there are two things that might be the issue. Mostly it is a route target value mismatch or misconfiguration; sometimes it is a redistribution issue.

Sometimes we do redistribution on this side and it's okay, but we forgot to do redistribution on the other side. So if you misconfigure redistribution, or something is missing in redistribution or in the route target values, you'll see that route exchange happens in one direction only. Based on that, we can at least analyze what the possible reason might be. It really helps you jump directly to the specific things if you remember that when something like this is happening, these two or three are the possible reasons. It saves a lot of time if you understand how things work. So here the problem is that we are not exporting the values.

So we need to say ip vrf A-2, route-target export 501. I think I misconfigured it as 51; it has to be 501, so I'll remove it. These are some of the common mistakes that happen when you configure: instead of 50 it will be 500; sometimes instead of 500 it will be 50. So we need to be very careful. If I verify the configuration once again, the VRF's import and export configuration has to be perfect. Okay, fine. So now we have verified that VPNv4 is okay and the route target values are also okay. Now I should be able to see this route on Router 1. So I'll go to Router 1 and say show ip bgp vpnv4 vrf A-1; I should be able to see the route coming from Router 3.

That is the next hop, and then six six six. So now the customer routes are coming on both sides. The third thing we need to ensure is end-to-end reachability. Sometimes you will see the routes coming, but no communication happens. In those scenarios you can verify the next-hop-self issue, or it can be the label switched path. Say you have a label issue: maybe MPLS is not configured properly, or there is some issue with LDP, and the label switched path breaks somewhere along the path being used, with no label assigned on that path on any one of the routers.

In that case also, you'll see the routes, but you won't see end-to-end communication. If you don't see the routes at all, more likely there are some misconfigurations or there might be some filters applied. In our scenario, next-hop-self is not the issue because we already fixed it, and we are assuming the label switched path is perfect. We didn't troubleshoot that, but I didn't make any changes to it. And you know how to troubleshoot LDP. If you want to ensure that LDP is working fine, you can always use show mpls forwarding-table for your next hop. You always need to have an outgoing label. If you see No Label on any of these routers, that will probably create a problem for you.

If you go to Router 2 and do show mpls forwarding-table for 13 one, it will say Pop tag, because it is one hop before; because of PHP it will be Pop tag. But if you see No Label, there is some problem and you need to check it. So here we are going to assume that the label switched path is working fine. Now I'll go to Router 5 and verify the routing table: show ip bgp. I should be able to see the six network in my routing table, but I'm not able to. Let's verify on Router 6: show ip, I'm able to see five but not six six. What might be the reason here? If you closely look at the configs, we missed one more thing here: as-override.

If you remember, we need to check as-override, because of what is happening here on Router 1, where the routes are coming in. I think we are not able to see it on Router 5, right? So the route is advertised and then it goes to the router. Now the route is advertised from Router 6, and then Router 3 advertises it back to Router 1. When the router receives it, it is originating from 400 and 5600. That is my customer AS number. And then it goes through 500 before it comes to my autonomous system number. Here Router 5 is receiving the route with its own AS number, so automatically it is going to reject the routes.

It will not accept the routes. What I need to do is go to Router 1, and when I'm advertising to Router 5, give the as-override command. This is something you already know; we discussed it in much more detail in PE-to-CE routing in MPLS using the BGP protocol. So the as-override command is missing on Router 1. If you really work on the labs, you will be in a position to tell what the issue might be. Here you can see that as-override is missing. So I need to say router bgp 500, address-family ipv4 vrf A-1, and then the neighbor as-override command. Once I configure this command, I should definitely be able to see the routes. You can see that now I'm able to see six.

If I try to ping six six from Router 5, I should have end-to-end reachability; if there is none, then there is some problem. Now I'm able to see the route, but there is no end-to-end communication. We just verified that there is no problem in the label switched path, using show mpls forwarding-table, so it might be next-hop-self. Let's check on Router 3: show run | section bgp. Let me check on Router 1 as well. On Router 3 it seems to be okay: activate, send-community and next-hop-self. On Router 1 as well it seems to be okay: activate, send-community and next-hop-self.

What else? The label switched path. Let me verify show mpls ldp neighbor on Router 1: I'm able to see both the neighbors. Similarly, on Router 3 I'm able to see both the neighbors. So the neighborship is okay. If you verify show mpls forwarding-table, I should see incoming and outgoing labels for the eleven network, eleven one, and the same thing for the 13 network as well. Anyway, it's directly connected on Router 1. So what would be the possible reason? Let's look on Router 5. There's no reason, actually; I think it just takes some time for convergence. You can see it's working fine now. So there's no other issue; in fact, we fixed all the issues here. It was just taking some time for convergence.

That's it. Now you can see there is end-to-end reachability. This is the way I generally troubleshoot L3 VPN, and it's the method I use for most MPLS troubleshooting: I divide the problem into three steps. First, I ensure that the customer route is coming on the PE router, and the same on the other side. Once you know that PE-to-CE routing is okay, the second thing is to ensure that the customer route from one side is seen on the other side. Based on that, I can at least confirm that VPNv4 is okay, redistribution is okay, and the VRF import and export values are okay. These are the three major things that decide whether the route goes to the other side or not.

If these three things are misconfigured, you will definitely see that the routes are not exchanged to the other side. Finally, the last thing is to make sure that the routes are also seen on the customer router. Once you see the routes on the customer, if you have an issue with the label switched path, next-hop-self or send-community, then you will see the routes coming but you will not have end-to-end reachability. When you try to ping, it will not ping; your packet goes somewhere and is dropped in between, because the label switched path breaks somewhere along the path.
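
The configuration faults found in this walkthrough (route-target import/export, the VPNv4 neighbor commands, activate and as-override under the VRF address family) can be checked in one pass over a saved PE running-config. The script below is an added example, not part of the lecture; the sample config, its addresses and its RD/route-target values are constructed, and the function names and the shared_ce_as parameter are hypothetical.

```python
import re

# Constructed sample: one PE's running-config carrying the faults walked
# through in the lecture. Addresses, RD and route-target values are made up.
BROKEN_PE = """\
ip vrf A-2
 rd 500:2
 route-target import 500:1
!
router bgp 500
 neighbor 192.0.2.1 remote-as 500
 neighbor 192.0.2.1 update-source Loopback0
 !
 address-family vpnv4
  neighbor 192.0.2.1 activate
 exit-address-family
 !
 address-family ipv4 vrf A-2
  neighbor 198.51.100.6 remote-as 5600
 exit-address-family
"""

def parse_sections(config):
    """Group commands under their context line (ip vrf ..., address-family ...)."""
    sections, top, current = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():                  # top-level command opens a context
            top = current = line
            sections.setdefault(current, [])
        elif line.startswith("address-family "):  # nested context under router bgp
            current = line
            sections.setdefault(current, [])
        elif line == "exit-address-family":
            current = top
        elif current is not None:
            sections[current].append(line)
    return sections

def neighbor_cmds(lines):
    """Map neighbor address -> set of per-neighbor commands, e.g. {'activate'}."""
    out = {}
    for line in lines:
        m = re.match(r"neighbor (\S+) (.+)", line)
        if m:
            out.setdefault(m.group(1), set()).add(m.group(2))
    return out

def audit_pe(config, shared_ce_as=()):
    """Return findings; shared_ce_as lists customer AS numbers reused across sites."""
    findings = []
    for ctx, lines in parse_sections(config).items():
        nbrs = neighbor_cmds(lines)
        if ctx.startswith("ip vrf "):             # only the 'ip vrf' form is handled
            rts = {l.split()[1] for l in lines if l.startswith("route-target ")}
            for direction in ("import", "export"):
                if not rts & {direction, "both"}:
                    findings.append(f"{ctx}: no route-target {direction}")
        elif ctx.startswith("address-family vpnv4"):
            for nbr, cmds in nbrs.items():
                # activate, send-community, next-hop-self: the lecture's checklist
                missing = [c for c in ("activate", "next-hop-self") if c not in cmds]
                if not cmds & {"send-community extended", "send-community both"}:
                    missing.append("send-community extended")
                findings += [f"{ctx}: neighbor {nbr} missing {c}" for c in missing]
        elif ctx.startswith("address-family ipv4 vrf "):
            for nbr, cmds in nbrs.items():
                asn = next((c.split()[1] for c in cmds if c.startswith("remote-as ")), None)
                if "activate" not in cmds:
                    findings.append(f"{ctx}: neighbor {nbr} missing activate")
                if asn in shared_ce_as and "as-override" not in cmds:
                    findings.append(f"{ctx}: neighbor {nbr} missing as-override")
    return findings

if __name__ == "__main__":
    for finding in audit_pe(BROKEN_PE, shared_ce_as={"5600"}):
        print(finding)
```

A clean result only covers these configuration checks; the label switched path still has to be verified on the routers with show mpls forwarding-table, as described above.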
