L2VPN Over GRE

jm-barreto
Level 1

Hi 

I'm trying to extend an L2 segment using MPLS L2VPN over GRE. I am able to establish the tunnel and get OSPF and MPLS adjacency, and the xconnect between the peers is up, but my 2 test PCs can't reach each other.

This is my PE3 config.

interface GigabitEthernet0/0/0/0
 mtu 1560
!
interface GigabitEthernet0/0/0/0.101 l2transport
 encapsulation untagged
!
interface tunnel-ip10
 ipv4 address 10.2.3.2 255.255.255.252
 tunnel source GigabitEthernet0/0/0/1
 tunnel destination 172.16.50.2
!
router static
 address-family ipv4 unicast
  172.16.50.0/30 GigabitEthernet0/0/0/1 172.16.51.1
 !
!
router ospf 1
 nsr
 router-id 3.3.3.3
 mpls ldp auto-config
 nsf cisco
 area 1
  network point-to-point
  mpls traffic-eng
  interface Loopback0
  !
  interface tunnel-ip10
  !
 !
 mpls traffic-eng router-id Loopback0
!
mpls traffic-eng
!
mpls ldp
 log
  hello-adjacency
  neighbor
  nsr
  graceful-restart
 !
 discovery
  hello holdtime 5
  hello interval 1
 !
 router-id 3.3.3.3
!
mpls oam
!
l2vpn
 router-id 3.3.3.3
 xconnect group test
  p2p test
   interface GigabitEthernet0/0/0/0.101
   neighbor ipv4 1.1.1.1 pw-id 55555

 

RP/0/RP0/CPU0:PE3#sh cef tunnel-ip10
Mon Apr 15 17:21:14.820 UTC

Prefix Next Hop Interface
------------------- ------------------- ------------------
1.1.1.1/32 10.2.3.1/32 tunnel-ip10
2.2.2.2/32 10.2.3.1/32 tunnel-ip10
10.1.2.0/30 10.2.3.1/32 tunnel-ip10
10.2.3.0/30 attached tunnel-ip10
10.2.3.0/32 broadcast tunnel-ip10
10.2.3.2/32 receive tunnel-ip10
10.2.3.3/32 broadcast tunnel-ip10

RP/0/RP0/CPU0:PE3#sh ospf neighbor
Mon Apr 15 17:21:42.745 UTC

* Indicates MADJ interface
# Indicates Neighbor awaiting BFD session up

Neighbors for OSPF 1

Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/ - 00:00:39 10.2.3.1 tunnel-ip10
Neighbor is up for 00:07:56

Total neighbor count: 1


RP/0/RP0/CPU0:PE3#sh mpls ldp neighbor
Mon Apr 15 17:21:50.007 UTC

Peer LDP Identifier: 1.1.1.1:0
TCP connection: 1.1.1.1:646 - 3.3.3.3:21530
Graceful Restart: No
Session Holdtime: 180 sec
State: Oper; Msgs sent/rcvd: 26/19; Downstream-Unsolicited
Up time: 00:07:55
LDP Discovery Sources:
IPv4: (1)
Targeted Hello (3.3.3.3 -> 1.1.1.1, active)
IPv6: (0)
Addresses bound to this peer:
IPv4: (2)
1.1.1.1 10.1.2.1
IPv6: (0)

Peer LDP Identifier: 2.2.2.2:0
TCP connection: 2.2.2.2:646 - 3.3.3.3:23252
Graceful Restart: No
Session Holdtime: 180 sec
State: Oper; Msgs sent/rcvd: 12/11; Downstream-Unsolicited
Up time: 00:01:59
LDP Discovery Sources:
IPv4: (1)
tunnel-ip10
IPv6: (0)
Addresses bound to this peer:
IPv4: (4)
2.2.2.2 10.1.2.2 10.2.3.1 172.16.50.2
IPv6: (0)

RP/0/RP0/CPU0:PE3#sh ip route
Mon Apr 15 17:21:55.506 UTC

Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
U - per-user static route, o - ODR, L - local, G - DAGR, l - LISP
A - access/subscriber, a - Application route
M - mobile route, r - RPL, t - Traffic Engineering, (!) - FRR Backup path

Gateway of last resort is not set

O 1.1.1.1/32 [110/1002] via 10.2.3.1, 00:08:09, tunnel-ip10
O 2.2.2.2/32 [110/1001] via 10.2.3.1, 00:08:09, tunnel-ip10
L 3.3.3.3/32 is directly connected, 02:11:35, Loopback0
O 10.1.2.0/30 [110/1001] via 10.2.3.1, 00:08:09, tunnel-ip10
C 10.2.3.0/30 is directly connected, 01:52:52, tunnel-ip10
L 10.2.3.2/32 is directly connected, 01:52:52, tunnel-ip10
L 127.0.0.0/8 [0/0] via 0.0.0.0, 02:11:38
S 172.16.50.0/30 [1/0] via 172.16.51.1, 02:11:35, GigabitEthernet0/0/0/1
C 172.16.51.0/30 is directly connected, 02:11:35, GigabitEthernet0/0/0/1
L 172.16.51.2/32 is directly connected, 02:11:35, GigabitEthernet0/0/0/1


RP/0/RP0/CPU0:PE3#sh l2vpn xc
Mon Apr 15 17:22:15.036 UTC
Legend: ST = State, UP = Up, DN = Down, AD = Admin Down, UR = Unresolved,
SB = Standby, SR = Standby Ready, (PP) = Partially Programmed,
LU = Local Up, RU = Remote Up, CO = Connected, (SI) = Seamless Inactive

XConnect Segment 1 Segment 2
Group Name ST Description ST Description ST
------------------------ ----------------------------- -----------------------------
test test UP Gi0/0/0/0.101 UP 1.1.1.1 55555 UP
----------------------------------------------------------------------------------------



Hi @jm-barreto ,

I searched internally and saw similar cases. It appears that l2vpn over mpls over gre is not supported on the NCS540.

That would explain the behavior you are seeing, despite the fact that your configurations look fine.

Regards, 

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Thanks for the information. I did a similar lab using Cisco 3600ME and the same thing happened. I did some packet captures and noticed that when I send ICMP from the PC behind PE1 to the PC on PE3, the PC on PE3 sees the ICMP and replies, but the PC on PE1 does not get the reply. I captured on the tunnel interface on PE3 and saw those replies being encapsulated into the GRE tunnel, but PE2 never gets them. It's like one-sided communication. So I changed the topology of my lab, added a 4th PE behind PE3, and made the L2VPN between PE1 and PE4, and now it's working.
Sadly I don't have many NCS540s available to replicate this and see if it works or not.
I was following this documentation:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-12/configuration_guide/mpls/b_1612_mpls_9300_cg/configuring_mpls_layer_2_vpn_over_gre.pdf
And of all the scenarios, the one that works for me is the last one.
I will try to add one of my NCS540s to the 3600ME lab and see if I can make it work. I will share my results once I recreate the lab.
Thanks again for all the help.



Hi @jm-barreto ,

I think moving the l2vpn function to another PE should make it work with the NCS540 too. Please keep us posted.

Regards,

Harold Ritter

Hi @Harold Ritter 

The lab works with the NCS540 and 3600 as GRE speakers and with the l2vpn moved to another PE behind the PEs that are doing the GRE tunnel. I injected real traffic from my lab LAN on one side to a PC on the other side. The problem I'm facing now is, I think, MTU or TCP MSS. The PC gets an IP via DHCP and is able to get out to the internet, but some web pages don't load or take a while to load. The 3600ME does not support changing the MTU on the tunnel interface; it lets me adjust the TCP MSS. The NCS540 lets me change the MTU, but for tcp adjust-mss the only option it gives me is enable or disable; I can't specify the MSS.

So I'm kind of stuck on where I can adjust MTU or MSS.

I would appreciate any help you can provide.

Thanks

Let me check, friend; I'll update you tonight.

Thanks for waiting 

MHM

Thanks for the help

You mentioned you can run some labs.

So try the below.

The IP you use for the xconnect must be reachable via the tunnel (not via OSPF).

So add a static route for the xconnect IP and check the l2vpn in the lab.

Screenshot (320).png

Thanks for the info. That scenario is not the same as mine. My tunnel is between R2 and R3. This is because R3 will be on a remote site that I can connect to my MPLS core network via Fiber or Fixed Wireless. On the R3 site we have satellite internet; using that connection we want to build a GRE tunnel to one of our PEs that is connected to our MPLS core network, to make PE 3 part of that MPLS network via the tunnel.

Notes to consider:

1- The tunnel IP and tunnel source cannot be in the same IGP.

2- The MPLS label is built label by label.

The top label must be the label of the tunnel destination.

The bottom label must be the label of the VC.

The top label is known by all routers in the path, and that is correct since the tunnel src/dest is known by, let's call it, the MPLS underlay.

The bottom label must be known only by the two ends.

When the PE receives an L2 packet, it must use the tunnel as the egress point for the xconnect.

Hope this is clear to you.

MHM
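
An added example, not part of any post in this thread: Python that builds and parses the encapsulation discussed above (Ethernet frame, VC label at the bottom, transport label on top, GRE, outer IPv4) and derives the largest TCP MSS that fits, which is the budget behind the MTU/MSS symptom described earlier. The label values, the sample frame and the 1500-byte path MTU are assumptions; the tunnel endpoint addresses are the ones from the first post.

```python
import socket
import struct

GRE_PROTO_MPLS = 0x8847   # GRE protocol type for MPLS unicast
IP_PROTO_GRE = 47

def mpls_entry(label, bottom, ttl=255):
    # One 4-byte label stack entry: label(20) | TC(3)=0 | S(1) | TTL(8)
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | ttl)

def ipv4_header(src, dst, payload_len):
    # 20-byte outer header with DF set and the header checksum filled in
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      255, IP_PROTO_GRE, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", ~total & 0xFFFF) + hdr[12:]

def encapsulate(frame, transport_label, vc_label, src, dst):
    # Ethernet frame -> VC label (bottom) -> transport label (top) -> GRE -> IPv4
    stack = mpls_entry(transport_label, False) + mpls_entry(vc_label, True)
    gre = struct.pack("!HH", 0, GRE_PROTO_MPLS)   # no checksum/key/sequence
    payload = gre + stack + frame
    return ipv4_header(src, dst, len(payload)) + payload

def decapsulate(packet):
    # Returns (labels from top to bottom, inner Ethernet frame)
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags != 0 or proto != GRE_PROTO_MPLS:
        raise ValueError("expected plain GRE carrying MPLS")
    pos, labels = ihl + 4, []
    while True:
        (entry,) = struct.unpack("!I", packet[pos:pos + 4])
        pos += 4
        labels.append(entry >> 12)
        if entry & 0x100:          # S bit set: bottom of stack reached
            return labels, packet[pos:]

def max_inner_tcp_mss(path_mtu, labels=2, control_word=False, vlan_tag=False):
    # Largest MSS a PC can use so the GRE packet fits path_mtu unfragmented
    overhead = (20 + 4 + 4 * labels + (4 if control_word else 0)
                + 14 + (4 if vlan_tag else 0))
    return path_mtu - overhead - 20 - 20   # minus inner IPv4 and TCP headers
```

With two labels and no control word the encapsulation adds 32 bytes in front of the customer frame, so a PC using the default 1460-byte MSS produces tunnel packets that exceed a 1500-byte path between the GRE endpoints.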
