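This document assumes previous knowledge of basic Multiprotocol Label Switching (MPLS) concepts. MPLS-switched packets are forwarded based on the information contained in the Label Forwarding Information Base (LFIB). A packet that leaves a router over a label-switched interface receives a label with the value specified by the LFIB. Labels are associated with destinations in the LFIB according to a Forwarding Equivalence Class (FEC). A FEC is a grouping of IP packets that travel over the same path and receive the same forwarding treatment. The simplest example of a FEC is all packets that travel to a particular subnet. Another example might be all packets with a given IP precedence that go to an Interior Gateway Protocol (IGP) next hop associated with a group of Border Gateway Protocol (BGP) routes.
The Label Information Base (LIB) is the structure that stores the labels received from all Label Distribution Protocol (LDP) or Tag Distribution Protocol (TDP) neighbors. In the Cisco implementation, labels are sent to all LDP or TDP neighbors for all routes in the routing table of a given router (with the exception of BGP routes). All labels received from neighbors are kept in the LIB, whether or not they are used. If a label is received from the downstream neighbor for its FEC, the label stored in the LIB is used in the LFIB for packet forwarding. This means that the label used for forwarding is the one received from the router's next hop toward the destination, according to the router's Cisco Express Forwarding (CEF) and routing tables.
If label bindings are received from a downstream neighbor for a prefix (including the subnet mask) that does not appear in the routing and CEF tables of the router, those bindings are not used. Similarly, if a router advertises labels for a subnet/subnet mask pair that does not correspond to the routing updates that this router also advertises for the same subnet/subnet mask pair, upstream neighbors do not use these labels, and the label switched path (LSP) between these devices fails.
This document provides an example of this kind of LSP failure and several possible solutions. It covers a scenario in which the label bindings that a router receives are not used to forward MPLS-switched packets. However, the steps used to diagnose and correct this problem apply to any issue that involves label bindings and the LFIB on routers configured for MPLS.
There are no specific requirements for this document.
The information in this document is based on this software version:
Cisco IOS® Software Release 12.0(21)ST2
For more information on document conventions, refer to the Cisco Technical Tips Conventions.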
PE1 router configuration

```
ip vrf aqua
 rd 100:1
 route-target export 1:1
 route-target import 1:1
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.255
 no ip directed-broadcast
!
interface Ethernet2/0/1
 ip vrf forwarding aqua
 ip address 10.1.1.2 255.255.255.0
 no ip directed-broadcast
 ip route-cache distributed
!--- The VPN Routing and Forwarding (VRF) interface
!--- toward the customer edge (CE) router.
interface Ethernet2/0/2
 ip address 10.7.7.2 255.255.255.0
 no ip directed-broadcast
 ip route-cache distributed
 tag-switching ip
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 10.5.5.5 remote-as 1
 neighbor 10.5.5.5 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 10.5.5.5 activate
 neighbor 10.5.5.5 send-community extended
 exit-address-family
 !
 address-family ipv4
 neighbor 10.5.5.5 activate
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf aqua
 redistribute connected
 no auto-summary
 no synchronization
 exit-address-family
```
P router configuration

```
interface Loopback0
 ip address 10.7.7.7 255.255.255.255
 no ip directed-broadcast
!
interface Ethernet2/0
 ip address 10.8.8.7 255.255.255.0
 no ip directed-broadcast
 tag-switching ip
!
interface Ethernet2/1
 ip address 10.7.7.7 255.255.255.0
 no ip directed-broadcast
 tag-switching ip
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!--- BGP is not run on this router.
```
PE2 router configuration

```
ip vrf aqua
 rd 100:1
 route-target export 1:1
 route-target import 1:1
!
interface Loopback0
 ip address 10.5.5.5 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet0/0
 ip vrf forwarding aqua
 ip address 10.10.10.5 255.255.255.0
 no ip directed-broadcast
!--- The VRF interface toward the CE router.
!
interface Ethernet0/3
 ip address 10.8.8.5 255.255.255.0
 no ip directed-broadcast
 tag-switching ip
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
router rip
 version 2
 !
 address-family ipv4 vrf aqua
 version 2
 network 10.0.0.0
 no auto-summary
 exit-address-family
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 10.2.2.2 remote-as 1
 neighbor 10.2.2.2 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 10.2.2.2 activate
 neighbor 10.2.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4
 neighbor 10.2.2.2 activate
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf aqua
 redistribute connected
 redistribute rip
 no auto-summary
 no synchronization
 exit-address-family
```
CE2 router configuration

```
interface Loopback0
 ip address 192.168.1.196 255.255.255.192
 no ip directed-broadcast
!
interface Ethernet1
 ip address 10.10.10.6 255.255.255.0
 no ip directed-broadcast
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.1.0
 no auto-summary
!--- Routing Information Protocol (RIP) is used for the advertisement
!--- of routes between the CE and the provider edge (PE) router.
!
ip route 0.0.0.0 0.0.0.0 10.10.10.5
```
Note: The CE1 configuration is omitted. It consists only of IP addressing on the Ethernet interface and a static default route to 10.2.2.2.
Connectivity between CE1 and the loopback interface of CE2 is lost, as the following example shows.

```
CE1#ping 192.168.1.196
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.196, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
```

However, CE1 has a valid routing entry for this destination, as the following example shows.

```
CE1#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0, candidate default path
  Redistributing via ospf 100
  Routing Descriptor Blocks:
  * 10.1.1.2
      Route metric is 0, traffic share count is 1
```
On PE1 (the PE router connected to CE1), you can check the MPLS VPN-specific information. The following example shows that a valid route to the destination exists in the VRF table for this VPN.

```
PE1#show ip route vrf aqua 192.168.1.196
Routing entry for 192.168.1.192/26
  Known via "bgp 1", distance 200, metric 1, type internal
  Last update from 10.5.5.5 00:09:52 ago
  Routing Descriptor Blocks:
  * 10.5.5.5 (Default-IP-Routing-Table), from 10.5.5.5, 00:09:52 ago
      Route metric is 1, traffic share count is 1
      AS Hops 0, BGP network version 0

PE1#show tag-switching forwarding-table vrf aqua 192.168.1.196 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
None   16          192.168.1.192/26  0          Et2/0/2    10.7.7.7
        MAC/Encaps=14/22, MTU=1496, Tag Stack{16 32}
        00603E2B02410060835887428847 0001000000020000
        No output feature configured

PE1#show ip bgp vpnv4 vrf aqua 192.168.1.192
BGP routing table entry for 100:1:192.168.1.192/26, version 43
Paths: (1 available, best #1, table aqua)
  Not advertised to any peer
  Local
    10.5.5.5 (metric 21) from 10.5.5.5 (10.5.5.5)
      Origin incomplete, metric 1, localpref 100, valid, internal, best
      Extended Community: RT:1:1

PE1#show tag-switching forwarding-table 10.5.5.5 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
18     16          10.5.5.5/32       0          Et2/0/2    10.7.7.7
        MAC/Encaps=14/18, MTU=1500, Tag Stack{16}
        00603E2B02410060835887428847 00010000
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
```
As this example shows, PE1 does not have a route to the BGP next hop with the correct mask.

```
PE1#
PE1#show ip route 10.5.5.5 255.255.255.0
% Subnet not in table
PE1#show ip route 10.5.5.5 255.255.255.255
Routing entry for 10.5.5.5/32
  Known via "ospf 1", distance 110, metric 21, type intra area
  Last update from 10.7.7.7 on Ethernet2/0/2, 00:38:55 ago
  Routing Descriptor Blocks:
  * 10.7.7.7, from 10.5.5.5, 00:38:55 ago, via Ethernet2/0/2
      Route metric is 21, traffic share count is 1
```
The IGP routing information that PE1 uses to reach this BGP next hop is received from the P router. As the following example shows, this router also shows an incorrect mask for the PE2 loopback and has no route for this prefix with the correct mask.

```
P#show ip route 10.5.5.5
Routing entry for 10.5.5.5/32
  Known via "ospf 1", distance 110, metric 11, type intra area
  Last update from 10.8.8.5 on Ethernet2/0, 00:47:48 ago
  Routing Descriptor Blocks:
  * 10.8.8.5, from 10.5.5.5, 00:47:48 ago, via Ethernet2/0
      Route metric is 11, traffic share count is 1
P#show ip route 10.5.5.5 255.255.255.0
% Subnet not in table
```
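The LFIB and the tag bindings on the P router show the cause of the LSP failure between this router and PE2. There is no outgoing label for 10.5.5.5. When the packet leaves PE1, it carries two labels: the label for the BGP next hop, generated by the P router (16), and the VPN label, generated by PE2 (32). Because this entry on the P router shows Untagged for this destination, the label-switched packet is sent out without any labels. Because the VPN label 32 is lost, PE2 never receives it, and PE2 does not have the correct information to forward the packet to the correct VPN destination.

```
P#show tag-switching forwarding-table 10.5.5.5 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Untagged    10.5.5.5/32       5339       Et2/0      10.8.8.5
        MAC/Encaps=0/0, MTU=1504, Tag Stack{}
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
```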
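As the following example shows, the label binding table of the P router shows that PE2 (tsr: 10.8.8.5:0) advertises a binding for 10.5.5.5 only with a /24 mask. A label for the /32 route is advertised by the P router and by PE1 (tsr: 10.2.2.2:0), but not by PE2. Because the binding that PE2 advertises does not match the route that it also advertises, there is no label in the LFIB of the P router to forward packets to this destination.

```
P#show tag-switching tdp bindings detail
  tib entry: 10.5.5.0/24, rev 67(no route)
        remote binding: tsr: 10.8.8.5:0, tag: imp-null
  tib entry: 10.5.5.5/32, rev 62
        local binding:  tag: 16
          Advertised to:
          10.2.2.2:0             10.8.8.5:0
        remote binding: tsr: 10.2.2.2:0, tag: 18
```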
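The comparison made above between routes and bindings can be scripted. The following Python code is an added example, not Cisco's: it parses the P router's bindings output from this page (line layout reconstructed) and, for a route and the TDP identifier of its next hop, predicts the outgoing label and lists bindings from that neighbor whose mask does not match the route. The function names are hypothetical.

```python
import ipaddress
import re

# "show tag-switching tdp bindings detail" on the P router, as shown on this
# page; the line breaks and indentation are reconstructed (assumed layout).
P_BINDINGS = """\
  tib entry: 10.5.5.0/24, rev 67(no route)
        remote binding: tsr: 10.8.8.5:0, tag: imp-null
  tib entry: 10.5.5.5/32, rev 62
        local binding:  tag: 16
          Advertised to:
          10.2.2.2:0             10.8.8.5:0
        remote binding: tsr: 10.2.2.2:0, tag: 18
"""

def parse_bindings(text):
    """Return {prefix: {"no_route": bool, "local": tag or None, "remote": {tsr: tag}}}."""
    table, entry = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*tib entry: (\S+), rev \d+\s*(\(no route\))?", line):
            entry = table.setdefault(
                m.group(1), {"no_route": bool(m.group(2)), "local": None, "remote": {}})
        elif entry is not None and (m := re.match(r"\s*local binding:\s+tag: (\S+)", line)):
            entry["local"] = m.group(1)
        elif entry is not None and (
                m := re.match(r"\s*remote binding: tsr: (\S+), tag: (\S+)", line)):
            entry["remote"][m.group(1)] = m.group(2)
    return table

def check_route(table, route, next_hop_tsr):
    """Predict the outgoing label for `route` via `next_hop_tsr`.

    Returns (label, mismatched): label is "Untagged" when the next hop sent no
    binding for exactly this prefix/mask; mismatched lists prefixes the same
    neighbor did bind that overlap the route but carry a different mask.
    """
    net = ipaddress.ip_network(route)
    entry = table.get(route, {"remote": {}})
    label = entry["remote"].get(next_hop_tsr, "Untagged")
    mismatched = [
        prefix for prefix, e in table.items()
        if prefix != route and next_hop_tsr in e["remote"]
        and ipaddress.ip_network(prefix).overlaps(net)
    ]
    return label, mismatched

if __name__ == "__main__":
    print(check_route(parse_bindings(P_BINDINGS), "10.5.5.5/32", "10.8.8.5:0"))
```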
The cause of the discrepancy between the routing updates and the label bindings that PE2 advertises can be found in the routing table and the label binding table of this router. The directly connected loopback shows the correct /24 mask, which the router uses when it generates label bindings. Because this network uses Open Shortest Path First (OSPF), the router advertises this interface with a /32 mask, as the following example shows.

```
PE2#show ip route 10.5.5.5
Routing entry for 10.5.5.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Loopback0
      Route metric is 0, traffic share count is 1

PE2#show tag-switching tdp bindings detail
  tib entry: 10.5.5.0/24, rev 142
        local binding:  tag: imp-null
          Advertised to:
          10.7.7.7:0
  tib entry: 10.5.5.5/32, rev 148
        remote binding: tsr: 10.7.7.7:0, tag: 16

PE2#show ip ospf interface loopback 0
Loopback0 is up, line protocol is up
  Internet Address 10.5.5.5/24, Area 0
  Process ID 1, Router ID 10.5.5.5, Network Type LOOPBACK, Cost: 1
  Loopback interface is treated as a stub Host
!--- OSPF advertises all interfaces of Network Type LOOPBACK as host
!--- routes (/32).
```
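Because the LSP failure between the P router and PE1 is caused by the mismatch between the route advertised for the loopback and the label bindings generated by PE1, the simplest solution is to change the mask of the loopback so that it matches the mask that OSPF advertises for all networks of type LOOPBACK.
Solution 1: Subnet Mask Change on PE2

```
PE2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
PE2(config)#int lo 0
PE2(config-if)#ip add 10.5.5.5 255.255.255.255
PE2(config-if)#end
PE2#
```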
The information on PE1 is the same as in the scenario where the LSP failure occurred, as the following example shows.

```
PE1#show tag-switching forwarding-table vrf aqua 192.168.1.196 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
None   16          192.168.1.192/26  0          Et2/0/2    10.7.7.7
        MAC/Encaps=14/22, MTU=1496, Tag Stack{16 32}
        00603E2B02410060835887428847 0001000000020000
        No output feature configured

PE1#show tag-switching forwarding-table 10.5.5.5 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
18     16          10.5.5.5/32       0          Et2/0/2    10.7.7.7
        MAC/Encaps=14/18, MTU=1500, Tag Stack{16}
        00603E2B02410060835887428847 00010000
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
```
The P router shows that the condition that caused the LSP failure no longer exists. The outgoing label is now Pop tag. This means that the top label for the BGP next hop is popped as the packet transits the router, but the packet still carries the second, VPN label (the packet is no longer sent untagged).
The label binding table shows the label (imp-null) advertised by PE2 (tsr: 10.8.8.5:0).

```
P#show tag-switching forwarding-table 10.5.5.5 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     10.5.5.5/32       3493       Et2/0      10.8.8.5
        MAC/Encaps=14/14, MTU=1504, Tag Stack{}
        006009E08B0300603E2B02408847
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

P#show tag-switching tdp bindings detail
  tib entry: 10.5.5.5/32, rev 71
        local binding:  tag: 16
          Advertised to:
          10.2.2.2:0             10.8.8.5:0
        remote binding: tsr: 10.2.2.2:0, tag: 18
        remote binding: tsr: 10.8.8.5:0, tag: imp-null
```
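Solution 2: OSPF Network Type Change
The second solution is to change the OSPF network type of the loopback interface. When the OSPF network type of the PE2 loopback interface is changed to point-to-point, the loopback prefix is no longer automatically advertised with a /32 mask. This means that the label bindings that PE2 generates from the directly connected subnet in its routing table (with the /24 subnet mask) match the OSPF route that the P router receives from PE2 (which carries the /24 subnet mask for this prefix).
The ip ospf network point-to-point command can be used to change the network type on the PE2 loopback interface, as the following example shows.

```
PE2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
PE2(config)#interface loopback 0
PE2(config-if)#ip ospf network point-to-point
PE2(config-if)#
```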
As shown below, the tag forwarding table on PE1 contains an entry for the BGP next hop that agrees with the actual mask of the loopback interface on PE2. The routing table shows that the OSPF route associated with this forwarding entry is also correct.

```
PE1#show tag-switching forwarding-table 10.5.5.5 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
22     17          10.5.5.0/24       0          Et2/0/2    10.7.7.7
        MAC/Encaps=14/18, MTU=1500, Tag Stack{17}
        00603E2B02410060835887428847 00011000
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

PE1#show ip route 10.5.5.5
Routing entry for 10.5.5.0/24
  Known via "ospf 1", distance 110, metric 21, type intra area
  Last update from 10.7.7.7 on Ethernet2/0/2, 00:36:53 ago
  Routing Descriptor Blocks:
  * 10.7.7.7, from 10.5.5.5, 00:36:53 ago, via Ethernet2/0/2
      Route metric is 21, traffic share count is 1
```
In the following example, the tag forwarding entry on the P router shows the outgoing tag as Pop tag, as in Solution 1. Again, the top label for the BGP next hop is popped as the packet transits this router, but the second, VPN label is retained and the LSP does not fail. A binding that shows the correct subnet mask is also present.

```
P#show tag-switching forwarding-table 10.5.5.5 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
17     Pop tag     10.5.5.0/24       4261       Et2/0      10.8.8.5
        MAC/Encaps=14/14, MTU=1504, Tag Stack{}
        006009E08B0300603E2B02408847
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

P#show tag-switching tdp bindings detail
  tib entry: 10.5.5.0/24, rev 68
        local binding:  tag: 17
          Advertised to:
          10.2.2.2:0             10.8.8.5:0
        remote binding: tsr: 10.8.8.5:0, tag: imp-null
        remote binding: tsr: 10.2.2.2:0, tag: 22
```
As shown below, the output of this command confirms that the network type has changed to point-to-point. Full connectivity exists from CE1 to the loopback interface of CE2.

```
PE2#show ip ospf interface loopback 0
Loopback0 is up, line protocol is up
  Internet Address 10.5.5.5/24, Area 0
  Process ID 1, Router ID 10.5.5.5, Network Type POINT_TO_POINT, Cost: 1
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  Index 3/3, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)

CE1#ping 192.168.1.196
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.196, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
CE1#
```
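Both solutions make the prefix that the router binds a label to equal the prefix that OSPF advertises for the loopback. The following Python code is an added example, not Cisco's, that checks a configuration for this condition before deployment; it assumes OSPF is enabled on the loopback (as it is on this page through `network 0.0.0.0 255.255.255.255 area 0`), and the function names are hypothetical.

```python
import ipaddress
import re

# PE2 interface stanzas from this page (line breaks reconstructed), followed by
# the two corrected variants that Solution 1 and Solution 2 produce.
PE2_BROKEN = """\
interface Loopback0
 ip address 10.5.5.5 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet0/3
 ip address 10.8.8.5 255.255.255.0
 no ip directed-broadcast
 tag-switching ip
"""
PE2_FIX1 = PE2_BROKEN.replace("10.5.5.5 255.255.255.0", "10.5.5.5 255.255.255.255")
PE2_FIX2 = PE2_BROKEN.replace(
    " no ip directed-broadcast\n",
    " no ip directed-broadcast\n ip ospf network point-to-point\n", 1)

def loopback_prefixes(config):
    """Return [(name, label_binding_prefix, ospf_advertised_prefix)] per loopback.

    Assumption: OSPF runs on every loopback found in the configuration.
    """
    result = []
    for stanza in re.split(r"(?m)^(?=interface )", config):
        name = re.match(r"interface (Loopback\S+)", stanza)
        addr = re.search(r"(?m)^ ip address (\S+) (\S+)", stanza)
        if not (name and addr):
            continue
        iface = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}")
        bound = iface.network  # connected route, used for the label binding
        p2p = re.search(r"(?m)^ ip ospf network point-to-point", stanza)
        # Network Type LOOPBACK is advertised as a /32 host route.
        advertised = bound if p2p else ipaddress.ip_network(f"{iface.ip}/32")
        result.append((name.group(1), str(bound), str(advertised)))
    return result

def mismatched_loopbacks(config):
    """Names of loopbacks whose label binding and OSPF route would differ."""
    return [n for n, bound, adv in loopback_prefixes(config) if bound != adv]

if __name__ == "__main__":
    for label, cfg in (("broken", PE2_BROKEN), ("fix 1", PE2_FIX1), ("fix 2", PE2_FIX2)):
        print(label, loopback_prefixes(cfg), mismatched_loopbacks(cfg))
```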
Revision | Publish Date | Comments |
---|---|---|
1.0 | 18-Jan-2008 | Initial Release |