Wednesday, February 13, 2019

Confusion over advertising routes between VRFs

Hi all

A bit of background - I've recently started a new job and my employer has a complicated (at least by my standards!) networking implementation. The previous network admin left suddenly and didn't create much in the way of useful documentation, so I've had to reverse engineer a lot of things. From what I can gather, the sites were connected using MPLS and GetVPN, and some sites have been migrated to a DMVPN solution.

The problem I have is with a site (Site1) connecting to a site on another continent (Site2). Both sites are connected to the same MPLS provider, but the traffic is routed via the DMVPN hub site, because the routers in Site1 aren't advertising any routes into the MPLS, so Site2 sends traffic to the MPLS default route, which is the hub site, and the traffic from there enters the DMVPN cloud. This is causing a huge amount of latency for the users.

I've simplified and/or obfuscated IP addresses where possible.

Site1 = 2x Cisco 2800 routers connected to an MPLS circuit. Routing done using EIGRP.

Site2 = 2x Cisco 892 routers connected to both an MPLS and internet circuit. Router is using EIGRP on the inside and BGP on the outside. HSRP configured on the inside.

Site2's config is very simple so I don't think the issue resides here. The internal network is 192.168.0.0/16, and 172.16.0.1 is the next hop on the LAN side.

sh run | sec ip route
ip route 0.0.0.0 0.0.0.0 172.17.0.1
ip route 192.168.0.0 255.255.0.0 172.16.0.1

sh run | sec router eig
router eigrp 100
 redistribute static
 network 0.0.0.0
 no auto-summary

Site1's config on the other hand ...

There are two VRFs configured, one for MPLS and one for INET. There is a firewall behind the router and there are two transit VLANs used, one for internet traffic and one for traffic to the other sites; I'm not really clear on why this was done. The actual internal network of Site1 consists of a few different subnets, e.g. 172.20.1.0/24, but it's connected through a spaghetti of other devices with different interfaces in between.

ip vrf INET
 rd 65000:2
ip vrf MPLS
 rd 65000:1
interface GigabitEthernet8
 description MPLS
 ip vrf forwarding MPLS
 ip address 172.25.1.45 255.255.255.240
interface GigabitEthernet9
 description INET
 ip vrf forwarding INET
 ip address <public IP removed>
interface Vlan9
 ip address 172.25.10.108 255.255.255.248
 standby 0 ip 172.25.10.107
 standby 0 timers 1 4
 standby 0 priority 105
 standby 0 preempt delay minimum 60
 service-policy input PM_SET-DSCP
interface Vlan2525
 description Internet-FW
 ip vrf forwarding INET
 ip address 10.71.1.100 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 standby 0 ip 10.71.1.99
 standby 0 timers 1 4
 standby 0 priority 105
 standby 0 preempt delay minimum 60
router eigrp 100
 network 172.25.10.108 0.0.0.0
 network 172.25.200.22 0.0.0.0
 redistribute bgp 65000 metric 100000 10 255 1 1500
 distance eigrp 90 210
 passive-interface default
 no passive-interface Vlan9
router bgp 65000
 bgp router-id 172.25.200.22
 bgp log-neighbor-changes
 neighbor MPLS-HUB peer-group
 neighbor MPLS-HUB remote-as 65000
 neighbor MPLS-HUB timers 20 60
 neighbor INET-HUB peer-group
 neighbor INET-HUB remote-as 65000
 neighbor INET-HUB timers 20 60
 neighbor 10.0.0.1 peer-group MPLS-HUB
 neighbor 10.0.0.2 peer-group MPLS-HUB
 neighbor 10.0.20.1 peer-group INET-HUB
 neighbor 10.0.20.2 peer-group INET-HUB
 !
 address-family ipv4
  bgp redistribute-internal
  <a load of network xxx.xxx.xxx.xxx statements cut to advertise the internal networks of the site, but basically 172.20.0.0>
  neighbor MPLS-HUB send-community
  neighbor MPLS-HUB next-hop-self
  neighbor MPLS-HUB route-map MPLS-SPOKE-IN in
  neighbor MPLS-HUB route-map MPLS-SPOKE-OUT out
  neighbor INET-HUB send-community
  neighbor INET-HUB next-hop-self
  neighbor INET-HUB route-map INET-SPOKE-IN in
  neighbor INET-HUB route-map INET-SPOKE-OUT out
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 soft-reconfiguration inbound
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 soft-reconfiguration inbound
  neighbor 10.0.20.1 activate
  neighbor 10.0.20.1 soft-reconfiguration inbound
  neighbor 10.0.20.2 activate
  neighbor 10.0.20.2 soft-reconfiguration inbound
  distance bgp 20 109 109
 exit-address-family
ip route <various internal networks> Vlan9 172.25.10.105          <- next hop to firewall INET interface
ip route vrf INET 0.0.0.0 0.0.0.0 GigabitEthernet9 <ISP IP redacted>
ip route vrf INET <various internal networks> Vlan2525 10.71.1.97  <- next hop to firewall LAN interface
ip route vrf MPLS 0.0.0.0 0.0.0.0 GigabitEthernet8 172.25.1.33     <- next hop into MPLS

Site2's routers can see the MPLS interface of Site1 advertised through EIGRP but not the LAN:

Site2#sh ip route 172.25.1.45
Routing entry for 172.25.1.32/28
  Known via "eigrp 100", distance 170, metric 341760
  Tag 64532, type external
  Redistributing via eigrp 100
  Last update from 172.25.7.21 on GigabitEthernet0/1, 5d02h ago
  Routing Descriptor Blocks:
  * 172.25.7.21, from 172.25.7.21, 5d02h ago, via GigabitEthernet0/1
      Route metric is 341760, traffic share count is 1
      Total delay is 10020 microseconds, minimum bandwidth is 30030 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2
      Route tag 64532

Site2#sh ip route 172.20.1.2
% Network not in table

Site1 doesn't have any routes to this network so traffic goes to the hub site over the DMVPN:

Site1#sh ip route vrf * 192.168.0.0
% Network not in table

Routing Table: INET
% Network not in table

Routing Table: MPLS
% Network not in table

So, I read about route leaking (https://www.netcraftsmen.com/using-vrf-lite-eigrp-and-static-routes/) and thought a configuration like this would work, but I still don't get the routes visible from the remote sites.

router eigrp 100
 !
 address-family ipv4 vrf MPLS
  redistribute static
  network 172.20.0.0
  autonomous-system 65000

Can anyone point me in the right direction? I feel like this isn't the complete config, but I'm not sure what else I'm missing... sorry for the long post, my head hurts!!
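As an added illustration of the VRF-lite static-route leaking pattern the linked article describes (this is not the post's configuration, not a diagnosis of the network above, and not from the article itself), the fragment below uses hypothetical addresses, a hypothetical VRF named WAN, and hypothetical interfaces Vlan100 (global table) and GigabitEthernet0/1 (in the VRF). It shows both leaking directions and the VRF address-family redistribution that makes the leaked prefix visible to EIGRP neighbours inside the VRF.

```cisco
! Added example with constructed addresses; VRF WAN and both interfaces are assumed.
ip vrf WAN
 rd 65000:10
!
interface GigabitEthernet0/1
 description WAN-facing link, lives in VRF WAN
 ip vrf forwarding WAN
 ip address 10.200.0.2 255.255.255.252
!
interface Vlan100
 description LAN transit, lives in the global routing table
 ip address 10.10.0.1 255.255.255.0
!
! Global -> VRF: install the LAN prefix into VRF WAN. Naming the global
! interface as the outgoing interface makes the next hop resolve in the
! global table, so VRF WAN can forward toward a global-table neighbour.
ip route vrf WAN 172.20.0.0 255.255.0.0 Vlan100 10.10.0.2
!
! VRF -> global: give the global table a path to a (constructed) remote
! prefix reached across the WAN by naming the VRF interface as outgoing.
ip route 10.250.0.0 255.255.0.0 GigabitEthernet0/1 10.200.0.1
!
! Leak only the specific prefixes that must cross; leaking a default route
! would collapse the separation the two VRFs are there to provide.
!
! Redistribute the leaked static into the EIGRP instance that runs inside
! VRF WAN. The metric is given explicitly so the redistribution does not
! depend on a default-metric being configured elsewhere.
router eigrp 100
 address-family ipv4 vrf WAN
  autonomous-system 65000
  network 10.200.0.0 0.0.0.3
  redistribute static metric 100000 10 255 1 1500
 exit-address-family
!
! Verification: the leaked prefix should show as a static in the VRF RIB
! and appear in the VRF's EIGRP topology table.
! show ip route vrf WAN 172.20.0.0
! show ip eigrp vrf WAN topology
```

The first check confirms the leak itself; the second confirms EIGRP in the VRF picked the prefix up, which is the step that decides whether remote sites ever see it.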
