toshi01kudo / SR-MPLS_Multi_AS_MPBGP_Practice


Cannot communicate across the SRv6 network / Ping is not reachable over SRv6-VPN #7

Open toshi01kudo opened 3 years ago

toshi01kudo commented 3 years ago

Even though the routes are being received, ping does not work.

csr1000v-kudo-09#show ip route vrf UG-A-19

Routing Table: UG-A-19
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      100.0.0.0/32 is subnetted, 5 subnets
B        100.64.10.4 [20/0] via 172.24.19.5, 00:17:40
B        100.64.10.5 [20/0] via 172.24.19.5, 00:39:58
B        100.64.10.6 [20/0] via 172.24.19.5, 00:02:43
C        100.64.10.19 is directly connected, Loopback19
B        100.64.10.29 [20/0] via 172.24.19.5, 00:02:43
      172.24.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        172.24.19.0/24 is directly connected, GigabitEthernet2.19
L        172.24.19.9/32 is directly connected, GigabitEthernet2.19
B        172.24.29.0/24 [20/0] via 172.24.19.5, 00:02:43

csr1000v-kudo-09#ping vrf UG-A-19 100.64.10.29 so 100.64.10.19
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.64.10.29, timeout is 2 seconds:
Packet sent with a source address of 100.64.10.19
.....
Success rate is 0 percent (0/5)
toshi01kudo commented 3 years ago

Ping between the PE routers fails, so traffic is not making it through the VPN segment.

RP/0/RP0/CPU0:cisco-kudo-02#show route vrf UG-A
Wed Dec 30 07:09:03.833 UTC

Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
       U - per-user static route, o - ODR, L - local, G  - DAGR, l - LISP
       A - access/subscriber, a - Application route
       M - mobile route, r - RPL, t - Traffic Engineering, (!) - FRR Backup path

Gateway of last resort is not set

B    100.64.10.4/32 [200/0] via fd00:4:4::4 (nexthop in vrf default), 00:45:31
L    100.64.10.5/32 is directly connected, 04:33:40, Loopback10
B    100.64.10.6/32 [200/0] via fd00:6:6::6 (nexthop in vrf default), 01:02:57
B    100.64.10.19/32 [20/0] via 172.24.19.9, 01:40:13
B    100.64.10.29/32 [200/0] via fd00:6:6::6 (nexthop in vrf default), 01:02:57
C    172.24.19.0/24 is directly connected, 04:33:27, GigabitEthernet0/0/0/0.19
L    172.24.19.5/32 is directly connected, 04:33:27, GigabitEthernet0/0/0/0.19
B    172.24.29.0/24 [200/0] via fd00:6:6::6 (nexthop in vrf default), 01:02:57
RP/0/RP0/CPU0:cisco-kudo-02#
RP/0/RP0/CPU0:cisco-kudo-02#ping vrf UG-A 100.64.10.6 so 100.64.10.5
Wed Dec 30 07:09:23.973 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.64.10.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
toshi01kudo commented 3 years ago

Reachability to the BGP peer is OK.

RP/0/RP0/CPU0:cisco-kudo-02#ping fd00:6:6::6 so fd00:5:5::5
Wed Dec 30 07:10:46.645 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to fd00:6:6::6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/14/26 ms
toshi01kudo commented 3 years ago

Looking at the FIB table, the next hop is listed as fd00:6:6::/128. This address exists as a /64, but it should not exist as a /128. Is this the cause?

RP/0/RP0/CPU0:cisco-kudo-02#show cef vrf UG-A
Wed Dec 30 07:12:02.561 UTC

Prefix              Next Hop            Interface
------------------- ------------------- ------------------
0.0.0.0/0           drop                default handler
0.0.0.0/32          broadcast
100.64.10.4/32      fd00:4:4::/128      <recursive>
100.64.10.5/32      receive             Loopback10
100.64.10.6/32      fd00:6:6::/128      <recursive>
100.64.10.19/32     172.24.19.9/32      <recursive>
100.64.10.29/32     fd00:6:6::/128      <recursive>
172.24.19.0/24      attached            GigabitEthernet0/0/0/0.19
172.24.19.0/32      broadcast           GigabitEthernet0/0/0/0.19
172.24.19.5/32      receive             GigabitEthernet0/0/0/0.19
172.24.19.9/32      172.24.19.9/32      GigabitEthernet0/0/0/0.19
172.24.19.255/32    broadcast           GigabitEthernet0/0/0/0.19
172.24.29.0/24      fd00:6:6::/128      <recursive>
224.0.0.0/4         0.0.0.0/32
224.0.0.0/24        receive
255.255.255.255/32  broadcast
RP/0/RP0/CPU0:cisco-kudo-02#show cef vrf UG-A 100.64.10.6/32
Wed Dec 30 07:12:30.141 UTC
100.64.10.6/32, version 85, SRv6 Transit, internal 0x5000001 0x0 (ptr 0xdecbe8c) [1], 0x0 (0xe09e868), 0x0 (0xf217368)
 Updated Dec 30 06:06:06.112
 Prefix Len 32, traffic index 0, precedence n/a, priority 3
   via fd00:6:6::/128, 3 dependencies, recursive [flags 0x6000]
    path-idx 0 NHID 0x0 [0xe23f124 0x0]
    next hop VRF - 'default', table - 0xe0800000
    next hop fd00:6:6::/128 via fd00:6:6::/64
    SRv6 T.Encaps.Red SID-list {fd00:6:6:0:43::}

RP/0/RP0/CPU0:cisco-kudo-02#show route ipv6 fd00:6:6::/128
Wed Dec 30 07:16:41.032 UTC

% Network not in table
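As an added example (not part of this issue and not the project's own code), a small Python check over the CEF table above: it resolves each `<recursive>` next hop against a list of RIB prefixes by longest-prefix match, the way the `next hop fd00:6:6::/128 via fd00:6:6::/64` line shows CEF doing, and contrasts that with the exact-prefix lookup that `show route ipv6 fd00:6:6::/128` performs. The RIB prefix list is an assumption; only fd00:6:6::/64 is confirmed by the output above.

```python
import ipaddress

# Constructed sample input copied from the CEF table above
# (columns: Prefix, Next Hop, Interface). Only <recursive> rows matter here.
CEF_OUTPUT = """\
100.64.10.4/32      fd00:4:4::/128      <recursive>
100.64.10.5/32      receive             Loopback10
100.64.10.6/32      fd00:6:6::/128      <recursive>
100.64.10.19/32     172.24.19.9/32      <recursive>
100.64.10.29/32     fd00:6:6::/128      <recursive>
172.24.19.0/24      attached            GigabitEthernet0/0/0/0.19
172.24.29.0/24      fd00:6:6::/128      <recursive>
"""

# Assumed 'vrf default' RIB: one SRv6 locator /64 per PE (only fd00:6:6::/64
# is confirmed by the CEF output) plus the IPv4 link towards the CE.
DEFAULT_RIB = ["fd00:4:4::/64", "fd00:6:6::/64", "172.24.19.0/24"]


def parse_recursive_next_hops(cef_text):
    """Map each CEF prefix to its next hop, for <recursive> entries only."""
    hops = {}
    for line in cef_text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[2] == "<recursive>":
            hops[fields[0]] = fields[1]
    return hops


def exact_match(prefix, rib):
    """What 'show route ipv6 <prefix>/<len>' does: exact prefix lookup."""
    return ipaddress.ip_network(prefix) in [ipaddress.ip_network(p) for p in rib]


def longest_prefix_match(next_hop, rib):
    """What recursive resolution does: the most specific RIB prefix that
    covers the next-hop address, or None if no route covers it."""
    addr = ipaddress.ip_network(next_hop, strict=False).network_address
    covering = [ipaddress.ip_network(p) for p in rib
                if addr in ipaddress.ip_network(p)]  # False across IP versions
    return str(max(covering, key=lambda n: n.prefixlen)) if covering else None


def check_recursive_resolution(cef_text, rib):
    """For every recursive CEF entry, report the RIB prefix it resolves via."""
    return {prefix: longest_prefix_match(nh, rib)
            for prefix, nh in parse_recursive_next_hops(cef_text).items()}


if __name__ == "__main__":
    for prefix, via in check_recursive_resolution(CEF_OUTPUT, DEFAULT_RIB).items():
        print(f"{prefix:18} resolves via {via or 'NOTHING (unresolved)'}")
    print("exact fd00:6:6::/128 in RIB:", exact_match("fd00:6:6::/128", DEFAULT_RIB))
```

With the assumed RIB every recursive entry resolves via a /64 locator while the exact /128 lookup still returns nothing, which is the difference between the two CLI outputs above.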
toshi01kudo commented 3 years ago

Thinking the above was the cause, I configured a static route like the one below on every router, but it did not fix the problem... Incidentally, not specifying an outgoing interface is intentional, so that traffic can be rerouted around a failure.

RP/0/RP0/CPU0:cisco-kudo-02(config-static-afi)#show comm c d
Wed Dec 30 07:24:27.683 UTC
Building configuration...
!! IOS XR Configuration 7.0.1
   router static
    address-family ipv6 unicast
+    fd00:6:6::/128 fd00:6:6::6
    !
   !
end

RP/0/RP0/CPU0:cisco-kudo-02#ping vrf UG-A 100.64.10.6 so 100.64.10.5
Wed Dec 30 07:32:33.976 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.64.10.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
toshi01kudo commented 3 years ago

On reflection, since the router itself does not own the above address, packets may be discarded even if they arrive. Incidentally, applying the above address to an interface brings the locator down, so then SRv6 stops working altogether...

RP/0/RP0/CPU0:cisco-kudo-02(config-if)#show comm c d
Wed Dec 30 07:38:59.034 UTC
Building configuration...
!! IOS XR Configuration 7.0.1
+  interface Loopback55
+   description ***Dummy_Locator***
+   ipv6 address fd00:5:5::/128
   !
end

RP/0/RP0/CPU0:cisco-kudo-02(config-if)#
RP/0/RP0/CPU0:cisco-kudo-02(config-if)#commit show
Wed Dec 30 07:39:03.381 UTC
RP/0/RP0/CPU0:Dec 30 07:39:03.529 UTC: ipv6_rib[1240]: %ROUTING-SRv6-5-LOCATOR_UPDOWN : Locator 'No5' state changed to Down
RP/0/RP0/CPU0:Dec 30 07:39:03.796 UTC: fib_mgr[187]: %OS-MMAP_PEER-7-CONNECT : Connect from process 4404 to 16530 skipped: Connection refused
RP/0/RP0/CPU0:Dec 30 07:39:04.179 UTC: config[65756]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'hanabi'. Use 'show configuration commit changes 1000000100' to view the changes.
toshi01kudo commented 3 years ago

It turned out that connectivity cannot be established even without VRF and without SRv6. Either crossing address families is the cause, or, because this is "IPv4 over IPv6", some kind of additional technique may be required in the first place. Incidentally, even when trying to configure it statically, an IPv6 address cannot be specified as the next hop in the IPv4 address family, so verification with static routes is not possible.

Below are the BGP received routes. The next hop is the IPv6 address of the iBGP peer.

B    172.24.10.3/32 [20/0] via 172.24.1.3, 00:14:27
B    172.24.10.4/32 [200/0] via fd00:1:1::2 (nexthop in vrf default), 00:07:04
B    172.24.10.33/32 [20/0] via 172.24.1.3, 00:14:27
B    172.24.20.6/32 [20/0] via 172.24.3.6, 00:14:27
B    172.24.20.7/32 [200/0] via fd00:1:1::2 (nexthop in vrf default), 00:07:04