How the CE Accesses a VPN in an MPLS LDP over MPLS TE Cloud Through a GRE Tunnel over the Public Network

Publication Date: 2012-07-27
Issue Description


Our customer has a CE device on the public Internet and needs it to access a VPN in the MPLS LDP over MPLS TE cloud for the customer network.
PC1 could not communicate with PC2, even though the tunnel was up and working fine.

Alarm Information
No Alarms found.

Handling Process
We use a GRE tunnel across the public network between the CE device and the nearest PE carrying the VPN instance, and test the connection between them as follows:
GRE configuration for the PE and CE devices:
# Configure CE1.
<CE1> set board-type slot 5 tunnel
<CE1> system-view
[CE1] interface loopback1
[CE1-LoopBack1] target-board 5
[CE1-LoopBack1] binding tunnel gre
[CE1-LoopBack1] quit
[CE1] interface tunnel5/0/1
[CE1-Tunnel5/0/1] tunnel-protocol gre
[CE1-Tunnel5/0/1] ip address 2.2.2.1 255.255.255.0
[CE1-Tunnel5/0/1] source loopback 1
[CE1-Tunnel5/0/1] destination 5.5.5.5
[CE1-Tunnel5/0/1] quit
# Configure PE1.
<PE1> set board-type slot 5 tunnel
<PE1> system-view
[PE1] interface loopback1
[PE1-LoopBack1] target-board 5
[PE1-LoopBack1] binding tunnel gre
[PE1-LoopBack1] quit
[PE1] interface tunnel5/0/1
[PE1-Tunnel5/0/1] tunnel-protocol gre
[PE1-Tunnel5/0/1] ip address 2.2.2.2 255.255.255.0
[PE1-Tunnel5/0/1] source loopback 1
[PE1-Tunnel5/0/1] destination 6.6.6.6
[PE1-Tunnel5/0/1] quit
 
Verify the tunnel status:
[PE1] display interface Tunnel 5/0/1
Tunnel5/0/1 current state : UP
Line protocol current state : UP
Description : Tunnel5/0/1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes
Internet Address is 2.2.2.2/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 5.5.5.5 (LoopBack1), destination 6.6.6.6
Tunnel protocol/transport GRE/IP , key disabled
keepalive disabled
Checksumming of packets disabled
    5 minutes input rate 0 bytes/sec, 0 packets/sec
    5 minutes output rate 0 bytes/sec, 0 packets/sec
    0 packets input,  0 bytes
    0 input error
    0 packets output,  0 bytes
    0 output error
 
Configure a VPN instance VPN1 on PE1 and bind VPN1 to the GRE tunnel.
PE2 is already configured with the VPN instance.
[PE1] interface tunnel5/0/1
[PE1-Tunnel5/0/1] ip binding vpn-instance vpn1
[PE1-Tunnel5/0/1] ip address 2.2.2.2 255.255.255.0
[PE1-Tunnel5/0/1] quit
Configure the IGP routing between CE1 and PE1.
# Configure PE1.
[PE1] isis 10 vpn-instance vpn1
[PE1-isis-10] network-entity 10.0000.0000.0002.00
[PE1-isis-10] quit
 
Configure MBGP for PE1
# Specify the remote PE as the IBGP peer and use the loopback interface to establish the IBGP connection.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] import-route isis 10
[PE1-bgp-vpn1] quit
Verify the configuration.
If the configuration succeeds, the ping from CE1 to 31.1.1.2 on CE2 succeeds.
Take CE1 as an example:
[CE1] ping 31.1.1.2
  PING 31.1.1.2: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
 
  --- 31.1.1.2 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
The ping between PC1 and PC2 failed.
 
The tunnel must be advertised in the IS-IS routing protocol on both the CE and the PE:
Configure the IGP routing that traverses the GRE tunnel between CE1 and PE1.
[CE1] interface tunnel5/0/1
[CE1-Tunnel5/0/1] isis enable 10
[CE1-Tunnel5/0/1] quit
 
[PE1] interface tunnel5/0/1
[PE1-Tunnel5/0/1] isis enable 10
[PE1-Tunnel5/0/1] quit
 
Also, the BGP routes must be imported into IS-IS on the PE.
[PE1] isis 10
[PE1-isis-10] import-route bgp
[PE1-isis-10] quit
 
Verify the connection. Take CE1 as an example:
[CE1] ping 31.1.1.2
  PING 31.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 31.1.1.2: bytes=56 Sequence=1 ttl=253 time=72 ms
    Reply from 31.1.1.2: bytes=56 Sequence=2 ttl=253 time=34 ms
    Reply from 31.1.1.2: bytes=56 Sequence=3 ttl=253 time=50 ms
    Reply from 31.1.1.2: bytes=56 Sequence=4 ttl=253 time=50 ms
    Reply from 31.1.1.2: bytes=56 Sequence=5 ttl=253 time=34 ms
  --- 31.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 34/48/72 ms 
The ping between PC1 and PC2 succeeds.

Root Cause
The CE device is on the public network and needs to access a VPN in the MPLS LDP over MPLS TE cloud for the customer network. In addition, the customer's confidential information must be kept secure as it crosses the public network.
PC1 could not communicate with PC2, even though the GRE tunnel was up and working and the VPN instance had been created; other PCs could communicate normally with PC2.
The customer uses L3VPN over MPLS LDP over MPLS TE, with OSPF and MPBGP, in the MPLS cloud, and uses IS-IS across the public network between PE1, R1 and CE1. The VPN instance therefore extends over IS-IS up to CE1, and the GRE tunnel between PE1 and CE1 runs over the public network with IS-IS.
Tracing the problem showed that the MPLS LDP sessions over MPLS TE were up, the GRE tunnel was up, and the VPN instance was up.
Troubleshooting showed that the GRE tunnel must be advertised through IS-IS so that it appears in the routing table, and the IS-IS VPN-instance routes must be redistributed into the MBGP/OSPF domain.
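
The tunnel in this case reported UP while carrying no traffic, and its display output also shows the key, keepalive and checksum all disabled on a path that crosses the public network. The following Python check is an added example, not part of the original case or any vendor tooling: it parses the `display interface Tunnel` output shown under "Verify tunnel status" and reports those conditions. The finding codes and function names are hypothetical, and the sample text is the page's output, trimmed.

```python
import re

# Constructed input: the `display interface Tunnel 5/0/1` output from this page, trimmed.
SAMPLE = """\
Tunnel5/0/1 current state : UP
Line protocol current state : UP
Tunnel source 5.5.5.5 (LoopBack1), destination 6.6.6.6
Tunnel protocol/transport GRE/IP , key disabled
keepalive disabled
Checksumming of packets disabled
    0 packets input,  0 bytes
    0 packets output,  0 bytes
"""

def parse_tunnel(text):
    """Pull the triage-relevant fields out of the display output."""
    def grab(pattern, default=None):
        m = re.search(pattern, text, re.I | re.M)
        return m.group(1) if m else default
    return {
        "name": grab(r"^(\S+) current state"),
        "up": grab(r"^\S+ current state\s*:\s*(\w+)") == "UP"
              and grab(r"^Line protocol current state\s*:\s*(\w+)") == "UP",
        "transport": grab(r"Tunnel protocol/transport\s+(\S+)", ""),
        "key": grab(r"\bkey (\w+)"),
        "keepalive": grab(r"^\s*keepalive (\w+)"),
        "checksum": grab(r"Checksumming of packets (\w+)"),
        "pkts": int(grab(r"^\s*(\d+) packets input", "0"))
                + int(grab(r"^\s*(\d+) packets output", "0")),
    }

def audit(t):
    """Return (code, message) findings; the codes are hypothetical, chosen for this example."""
    out = []
    if t["up"] and t["keepalive"] == "disabled":
        out.append(("NO_KEEPALIVE", "UP state does not prove the far end is reachable"))
    if t["up"] and t["pkts"] == 0:
        out.append(("UP_NO_TRAFFIC", "no packets: check that routes point into the tunnel"))
    if t["transport"].upper().startswith("GRE"):
        if t["key"] == "disabled":
            out.append(("NO_GRE_KEY", "peers do not check a tunnel key"))
        if t["checksum"] == "disabled":
            out.append(("NO_CHECKSUM", "GRE checksum not verified"))
        out.append(("CLEARTEXT", "GRE alone does not encrypt the payload"))
    return out

if __name__ == "__main__":
    for code, msg in audit(parse_tunnel(SAMPLE)):
        print(f"{code}: {msg}")
```
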

Suggestions
It is suggested to use this solution for similar cases.

END