MPLS VPN with GRE tunnels between PEs

2012-05-21 Thread Bert Smith
Hi,

I am trying to set up a Layer 3 MPLS VPN (RFC 4364) with GRE tunnels
between PEs (RFC 4797) instead of an MPLS backbone. I have followed the
instructions in the "Demystifying MPLS" paper (
http://2011.eurobsdcon.org/papers/jeker/MPLS.pdf), and on the following
mailing list posts:
http://old.nabble.com/BGP-MPLS-VPN-tt31327789.html#a31397215
http://marc.info/?l=openbsd-misc&m=127470697232025&w=2
http://marc.info/?l=openbsd-misc&m=129112614017103&w=2

Here is my setup:


+------------------+
| Juniper router 1 |  lo0 192.168.20.2
|                  |  VRF 8 with loopback 192.168.55.1
+------------------+
         | 192.168.10.4
         |
         | 192.168.10.5
+------------------+
| Juniper router 2 |  lo0 192.168.20.3
|                  |  VRF 8 with loopback 192.168.56.1
+------------------+
         | 10.0.4.1
         |
         | vlan4092 10.0.4.3
+------------------+
| OpenBSD box      |  lo0 192.168.20.5
|                  |  rdomain 8 192.168.55.2
+------------------+


I want all three routers to act as PEs but without any MPLS connectivity
between them. RFC 4797 allows this by allowing the following encapsulation
scheme for, say, a ping from Juniper 1 to the OpenBSD box:

[This is what I should ideally get]:
* Ping request:
IP header: src 192.168.20.2 dst 192.168.20.5
GRE header: 
MPLS label identifying the rdomain: 666
IP header: src 192.168.55.1 dst 192.168.55.2
ICMP ping request

* Ping reply:
IP header: src 192.168.20.5 dst 192.168.20.2
GRE header: 
MPLS label identifying the VRF: 300720
IP header: src 192.168.55.2 dst 192.168.55.1
ICMP ping reply

However, the following is what I actually get:
* Ping request:
IP header: src 192.168.20.2 dst 192.168.20.5
GRE header: 
MPLS label identifying the rdomain: 666
IP header: src 192.168.55.1 dst 192.168.55.2
ICMP ping request

* Ping reply:
MPLS label identifying the VRF: 300720
IP header: src 192.168.55.2 dst 192.168.55.1
ICMP ping reply

The reply back from the OpenBSD box does not GRE-encapsulate the MPLS
packet, and since I don't have an MPLS LSP set up between the OpenBSD box
and Juniper 1, the ping reply never reaches Juniper 1.

Here is the tcpdump where I see the above:
# tcpdump -i vlan4092 -s 1500 -Xvvv not tcp and not udp

13:52:39.188348 gre 192.168.20.2 > 192.168.20.5: [] gre-proto-0x8847 (DF)
(ttl 63, id 0, len 112)

13:52:39.188374 MPLS(label 300720, exp 0, ttl 255) 192.168.55.2 >
192.168.55.1: icmp: echo reply (id:521e seq:337) (ttl 255, id 64891, len 84)

Here are the various pieces of my configuration:

# ifconfig
lo0: flags=8049 mtu 33152
priority: 0
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet 127.0.0.1 netmask 0xff00
re0: flags=88843 mtu 1500
lladdr c8:9c:dc:dd:1a:f6
priority: 0
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet6 fe80::ca9c:dcff:fedd:1af6%re0 prefixlen 64 scopeid 0x1
pflog0: flags=141 mtu 33152
priority: 0
groups: pflog
vlan4092: flags=88843 mtu 1500
lladdr c8:9c:dc:dd:1a:f6
priority: 0
vlan: 4092 priority: 0 parent interface: re0
groups: vlan egress
status: active
inet 10.0.4.3 netmask 0xff00 broadcast 10.0.4.255
inet6 fe80::ca9c:dcff:fedd:1af6%vlan4092 prefixlen 64 scopeid 0x5
lo1: flags=8149 mtu 33152
priority: 0
groups: lo
inet6 fe80::1%lo1 prefixlen 64 scopeid 0x6
inet 192.168.20.5 netmask 0x
gre0: flags=a9011 mtu 1476
priority: 0
groups: gre
physical address inet 192.168.20.5 --> 192.168.20.2
inet 192.168.55.2 --> 192.168.55.1 netmask 0x
mpe8: flags=20011 rdomain 8 mtu 1500
priority: 0
mpls label: 666
groups: mpe
inet 192.168.55.2 --> 0.0.0.0 netmask 0xff00
lo2: flags=28049 rdomain 8 mtu 33152
priority: 0
groups: lo
inet 192.168.55.2 netmask 0xff00
# route -n -T 8 show
Routing tables

Internet:
D
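
The two encapsulations contrasted in the post above, as an added example that is not part of the original message and is not OpenBSD or Juniper code: it builds the request, the observed reply and the expected reply from the addresses and labels in the post, then walks each header stack to check whether the MPLS label sits inside IP/GRE (protocol 0x8847). All function and constant names are hypothetical, and the frames are constructed, not captured.

```python
import socket
import struct

GRE_PROTO_MPLS = 0x8847  # MPLS unicast ethertype, carried in the GRE protocol field

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def gre(proto, payload):  # basic 4-byte GRE header, no checksum/key/sequence
    return struct.pack("!HH", 0, proto) + payload

def mpls(label, payload, ttl=255):  # one entry: label(20) exp(3) bottom(1) ttl(8)
    return struct.pack("!I", (label << 12) | 0x100 | ttl) + payload

def decode(frame, first="ip"):
    """Walk the headers of a frame (Ethernet header already removed)."""
    layers, kind, off = [], first, 0
    while kind:
        if kind == "ip":
            ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
            src, dst = (socket.inet_ntoa(frame[off + i:off + i + 4]) for i in (12, 16))
            layers.append(f"ip {src}>{dst}")
            off, kind = off + ihl, {47: "gre", 1: "icmp"}.get(proto)
        elif kind == "gre":
            flags, proto = struct.unpack_from("!HH", frame, off)
            layers.append(f"gre 0x{proto:04x}")
            # Checksum (C), key (K) and sequence (S) each add 4 bytes when set.
            off += 4 + 4 * bin(flags & 0xB000).count("1")
            kind = "mpls" if proto == GRE_PROTO_MPLS else None
        elif kind == "mpls":
            (entry,) = struct.unpack_from("!I", frame, off)
            layers.append(f"mpls {entry >> 12}")
            off, kind = off + 4, ("ip" if entry & 0x100 else "mpls")
        else:  # innermost payload that is named but not parsed (icmp)
            layers.append(kind)
            kind = None
    return layers

def is_mpls_in_gre(frame, first="ip"):
    """True when the MPLS label stack sits inside an IP/GRE header."""
    stack = decode(frame, first)
    return len(stack) > 2 and stack[1] == "gre 0x8847" and stack[2].startswith("mpls")

# Constructed frames using the addresses and labels from the post.
INNER_REQ = ipv4("192.168.55.1", "192.168.55.2", 1, bytes([8, 0]) + bytes(6))
REQUEST = ipv4("192.168.20.2", "192.168.20.5", 47, gre(GRE_PROTO_MPLS, mpls(666, INNER_REQ)))
OBSERVED_REPLY = mpls(300720, ipv4("192.168.55.2", "192.168.55.1", 1, bytes(8)))
EXPECTED_REPLY = ipv4("192.168.20.5", "192.168.20.2", 47, gre(GRE_PROTO_MPLS, OBSERVED_REPLY))
```

The observed reply is decoded with `first="mpls"` because on the wire it follows the Ethernet header directly, with no outer IP/GRE header.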

MPLS VPN with GRE tunnels between PEs

2012-05-22 Thread Bert Smith

Re: MPLS VPN with GRE tunnels between PEs

2012-07-05 Thread Bert Smith
Hi,

Can anyone shed some light on this?

Thanks.
Bert

On Tue, May 22, 2012 at 10:37 AM, Bert Smith
wrote:

> Hi,
>
> I am trying to set up a Layer 3 MPLS VPN (RFC 4364) with GRE tunnels
> between PEs (RFC 4797) instead of an MPLS backbone. I have followed the
> instructions in the "Demystifying MPLS" paper (
> http://2011.eurobsdcon.org/papers/jeker/MPLS.pdf), and on the following
> mailing list posts:
> http://old.nabble.com/BGP-MPLS-VPN-tt31327789.html#a31397215
> http://marc.info/?l=openbsd-misc&m=127470697232025&w=2
> http://marc.info/?l=openbsd-misc&m=129112614017103&w=2
>
> Here is my setup:
>
> 
> +------------------+
> | Juniper router 1 |  lo0 192.168.20.2
> |                  |  VRF 8 with loopback 192.168.55.1
> +------------------+
>          | 192.168.10.4
>          |
>          | 192.168.10.5
> +------------------+
> | Juniper router 2 |  lo0 192.168.20.3
> |                  |  VRF 8 with loopback 192.168.56.1
> +------------------+
>          | 10.0.4.1
>          |
>          | vlan4092 10.0.4.3
> +------------------+
> | OpenBSD box      |  lo0 192.168.20.5
> |                  |  rdomain 8 192.168.55.2
> +------------------+
> 
>
> I want all three routers to act as PEs but without any MPLS connectivity
> between them. RFC 4797 allows this by allowing the following encapsulation
> scheme for, say, a ping from Juniper 1 to the OpenBSD box:
>
> [This is what I should ideally get]:
> * Ping request:
> IP header: src 192.168.20.2 dst 192.168.20.5
> GRE header: 
> MPLS label identifying the rdomain: 666
> IP header: src 192.168.55.1 dst 192.168.55.2
> ICMP ping request
>
> * Ping reply:
> IP header: src 192.168.20.5 dst 192.168.20.2
> GRE header: 
> MPLS label identifying the VRF: 300720
> IP header: src 192.168.55.2 dst 192.168.55.1
> ICMP ping reply
>
> However, the following is what I actually get:
> * Ping request:
> IP header: src 192.168.20.2 dst 192.168.20.5
> GRE header: 
> MPLS label identifying the rdomain: 666
> IP header: src 192.168.55.1 dst 192.168.55.2
> ICMP ping request
>
> * Ping reply:
> MPLS label identifying the VRF: 300720
> IP header: src 192.168.55.2 dst 192.168.55.1
> ICMP ping reply
>
> The reply back from the OpenBSD box does not GRE-encapsulate the MPLS
> packet, and since I don't have an MPLS LSP set up between the OpenBSD box
> and Juniper 1, the ping reply never reaches Juniper 1.
>
> Here is the tcpdump where I see the above:
> # tcpdump -i vlan4092 -s 1500 -Xvvv not tcp and not udp
>
> 13:52:39.188348 gre 192.168.20.2 > 192.168.20.5: [] gre-proto-0x8847 (DF)
> (ttl 63, id 0, len 112)
>
> 13:52:39.188374 MPLS(label 300720, exp 0, ttl 255) 192.168.55.2 >
> 192.168.55.1: icmp: echo reply (id:521e seq:337) (ttl 255, id 64891, len
> 84)
>
> Here are the various pieces of my configuration:
>
> # ifconfig
> lo0: flags=8049 RUNNING,MULTICAST> mtu 33152
> priority: 0
> groups: lo
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
> inet 127.0.0.1 netmask 0xff00
> re0: flags=88843 mtu 1500
> lladdr c8:9c:dc:dd:1a:f6
> priority: 0
> media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
> status: active
> inet6 fe80::ca9c:dcff:fedd:1af6%re0 prefixlen 64 scopeid 0x1
> pflog0: flags=141 mtu 33152
> priority: 0
> groups: pflog
> vlan4092: flags=88843 mtu 1500
> lladdr c8:9c:dc:dd:1a:f6
> priority: 0
> vlan: 4092 priority: 0 parent interface: re0
> groups: vlan egress
> status: active
> inet 10.0.4.3 netmask 0xff00 broadcast 10.0.4.255
> inet6 fe80::ca9c:dcff:fedd:1af6%vlan4092 prefixlen 64 scopeid 0x5
> lo1: flags=8149 mtu 33152
> priority: 0
> groups: lo
> inet6 fe80::1%lo1 prefixlen 64 scopeid 0x6
> inet 192.168.20.5 netmask 0x
> gre0: flags=a9011 mtu 1476
> priority: 0
> groups: gre
> physical address inet 192.168.20.5 --> 192.168.20.2
> inet 192.168.5