Troubleshooting LSP Failure in MPLS VPN

October 27, 2016 - Machine Translation

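Introduction

This document assumes previous knowledge of basic Multiprotocol Label Switching (MPLS) concepts. MPLS switched packets are forwarded based on the information contained in the Label Forwarding Information Base (LFIB). A packet that leaves a router over a label-switched interface receives labels with the values specified by the LFIB. Labels are associated with destinations in the LFIB according to Forwarding Equivalence Classes (FECs). A FEC is a grouping of IP packets that travel over the same path and receive the same forwarding treatment. The simplest example of a FEC is all the packets that travel to a particular subnet. Another example is all the packets with a given IP precedence that go to an Interior Gateway Protocol (IGP) next hop associated with a group of Border Gateway Protocol (BGP) routes.

The Label Information Base (LIB) is the structure that stores the labels received from all Label Distribution Protocol (LDP) or Tag Distribution Protocol (TDP) neighbors. In Cisco implementations, labels are sent for all routes in a given router's routing table (with the exception of BGP routes) to all LDP or TDP neighbors. All labels received from neighbors are retained in the LIB, whether they are used or not. If labels are received from the downstream neighbor for their FEC, the labels stored in the LIB are used for packet forwarding by the LFIB. This means that the labels used for forwarding are those received from the router's next hop to the destination, according to the router's Cisco Express Forwarding (CEF) and routing tables.

If label bindings are received from a downstream neighbor for prefixes (including the subnet mask) that do not appear in the routing and CEF tables of a router, these bindings are not used. In a similar fashion, if a router advertises labels for a subnet/subnet mask pair that do not correspond to the routing updates also advertised by this router for the same subnet/subnet mask pair, these labels are not used by upstream neighbors, and the Label Switched Path (LSP) between these devices fails.

This document provides an example of this type of LSP failure and several possible solutions. It covers one scenario, in which the label bindings received by a router are not used to forward MPLS switched packets. However, the steps used to diagnose and correct this problem are applicable to all issues that involve label bindings and the LFIB on routers configured for MPLS.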

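Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on the following software version:

  • Cisco IOS® Software Release 12.0(21)ST2

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.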

Network Diagram

troubleshoot_mpls_vpn-1.gif

Router Configurations

PE1 Router Configuration
ip vrf aqua
 rd 100:1
 route-target export 1:1
 route-target import 1:1
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.255
 no ip directed-broadcast
!
interface Ethernet2/0/1
 ip vrf forwarding aqua
 ip address 10.1.1.2 255.255.255.0
 no ip directed-broadcast
 ip route-cache distributed

!--- The VPN Routing and Forwarding (VRF) interface 
!--- toward the customer edge (CE) router.
 
interface Ethernet2/0/2
 ip address 10.7.7.2 255.255.255.0
 no ip directed-broadcast
 ip route-cache distributed
 tag-switching ip
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 10.5.5.5 remote-as 1
 neighbor 10.5.5.5 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 10.5.5.5 activate
 neighbor 10.5.5.5 send-community extended
 exit-address-family
 !        
 address-family ipv4
 neighbor 10.5.5.5 activate
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf aqua
 redistribute connected
 no auto-summary
 no synchronization
 exit-address-family

P Router Configuration
interface Loopback0
 ip address 10.7.7.7 255.255.255.255
 no ip directed-broadcast
!
interface Ethernet2/0
 ip address 10.8.8.7 255.255.255.0
 no ip directed-broadcast
 tag-switching ip
!
interface Ethernet2/1
 ip address 10.7.7.7 255.255.255.0
 no ip directed-broadcast
 tag-switching ip
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0


!--- BGP is not run on this router.

PE2 Router Configuration
ip vrf aqua
 rd 100:1
 route-target export 1:1
 route-target import 1:1
!
interface Loopback0
 ip address 10.5.5.5 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet0/0
 ip vrf forwarding aqua
 ip address 10.10.10.5 255.255.255.0
 no ip directed-broadcast

!--- The VRF interface toward the CE router.

!
interface Ethernet0/3
 ip address 10.8.8.5 255.255.255.0
 no ip directed-broadcast
 tag-switching ip
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
router rip
 version 2
 !
 address-family ipv4 vrf aqua
 version 2
 network 10.0.0.0
 no auto-summary
 exit-address-family
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 10.2.2.2 remote-as 1
 neighbor 10.2.2.2 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 10.2.2.2 activate
 neighbor 10.2.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4
 neighbor 10.2.2.2 activate
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf aqua
 redistribute connected
 redistribute rip
 no auto-summary
 no synchronization
 exit-address-family

CE2 Router Configuration
interface Loopback0
 ip address 192.168.1.196 255.255.255.192
 no ip directed-broadcast
!
interface Ethernet1
 ip address 10.10.10.6 255.255.255.0
 no ip directed-broadcast
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.1.0
 no auto-summary

!--- Routing Information Protocol (RIP) is used for the advertisement 
!--- of routes between the CE and the provider edge (PE) router.

!
ip route 0.0.0.0 0.0.0.0 10.10.10.5

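Note: The CE1 configuration is omitted. The configuration consists only of IP addressing on the Ethernet interface and a static default route to 10.2.2.2.

Problem

As shown in the following example, connectivity between the loopback interfaces of CE1 and CE2 is lost.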

CE1#ping 192.168.1.196

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.196, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

However, as shown in the following example, CE1 has a valid routing entry for this destination.

CE1#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0, candidate default path
  Redistributing via ospf 100
  Routing Descriptor Blocks:
  * 10.1.1.2
      Route metric is 0, traffic share count is 1

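On PE1 (the PE router attached to CE1), you can check the MPLS VPN-specific information. The following examples show that a valid route to the destination exists in the VRF table for this VPN.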

PE1#show ip route vrf aqua 192.168.1.196
Routing entry for 192.168.1.192/26
  Known via "bgp 1", distance 200, metric 1, type internal
  Last update from 10.5.5.5 00:09:52 ago
  Routing Descriptor Blocks:
  * 10.5.5.5 (Default-IP-Routing-Table), from 10.5.5.5, 00:09:52 ago
      Route metric is 1, traffic share count is 1
      AS Hops 0, BGP network version 0
	  
PE1#show tag-switching forwarding-table vrf aqua 192.168.1.196 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop    
tag    tag or VC   or Tunnel Id      switched   interface              
None   16          192.168.1.192/26  0          Et2/0/2    10.7.7.7     
        MAC/Encaps=14/22, MTU=1496, Tag Stack{16 32}
        00603E2B02410060835887428847 0001000000020000
        No output feature configured

PE1#show ip bgp vpnv4 vrf aqua 192.168.1.192
BGP routing table entry for 100:1:192.168.1.192/26, version 43
Paths: (1 available, best #1, table aqua)
  Not advertised to any peer
  Local
    10.5.5.5 (metric 21) from 10.5.5.5 (10.5.5.5)
      Origin incomplete, metric 1, localpref 100, valid, internal, best
      Extended Community: RT:1:1
 
PE1#show tag-switching forwarding-table 10.5.5.5 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop    
tag    tag or VC   or Tunnel Id      switched   interface              
18     16          10.5.5.5/32       0          Et2/0/2    10.7.7.7     
        MAC/Encaps=14/18, MTU=1500, Tag Stack{16}
        00603E2B02410060835887428847 00010000
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

As shown in this example, PE1 does not have a route for the BGP next hop with the correct mask.

PE1#
PE1#show ip route 10.5.5.5 255.255.255.0
% Subnet not in table
PE1#show ip route 10.5.5.5 255.255.255.255
Routing entry for 10.5.5.5/32
  Known via "ospf 1", distance 110, metric 21, type intra area
  Last update from 10.7.7.7 on Ethernet2/0/2, 00:38:55 ago
  Routing Descriptor Blocks:
  * 10.7.7.7, from 10.5.5.5, 00:38:55 ago, via Ethernet2/0/2
      Route metric is 21, traffic share count is 1

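The IGP routing information that PE1 uses to reach this BGP next hop is received from the P router. As shown in the following example, this router also shows an incorrect mask for the PE2 loopback and does not have a route for this prefix with the correct mask.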

P#show ip route 10.5.5.5 
Routing entry for 10.5.5.5/32
  Known via "ospf 1", distance 110, metric 11, type intra area
  Last update from 10.8.8.5 on Ethernet2/0, 00:47:48 ago
  Routing Descriptor Blocks:
  * 10.8.8.5, from 10.5.5.5, 00:47:48 ago, via Ethernet2/0
      Route metric is 11, traffic share count is 1

P#show ip route 10.5.5.5 255.255.255.0
% Subnet not in table

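Cause of the LSP Failure

The LFIB and tag bindings on the P router show the cause of the LSP failure between this router and PE2. There is no outgoing label for 10.5.5.5. When a packet leaves PE1, it carries two labels: the BGP next hop label generated by the P router (16) and the VPN label generated by PE2 (32). Because this entry on the P router shows Untagged for this destination, label-switched packets are sent out without any labels. Because the VPN label 32 is lost, it is never received by PE2, and PE2 does not have the correct information to forward the packet to the appropriate VPN destination.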

P#show tag-switching forwarding-table 10.5.5.5 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop    
tag    tag or VC   or Tunnel Id      switched   interface              
16     Untagged    10.5.5.5/32       5339       Et2/0      10.8.8.5     
        MAC/Encaps=0/0, MTU=1504, Tag Stack{}
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

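As shown in the following example, the tag binding table of the P router shows that PE2 (tsr: 10.8.8.5:0) advertises a binding for 10.5.5.5 only with a /24 mask. A label for the /32 route is advertised by the P router and PE1 (tsr: 10.2.2.2:0), but not by PE2. Because the binding advertised by PE2 does not match the route it also advertises, no label is present in the LFIB of the P router to forward packets to this destination.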

P#show tag-switching tdp bindings detail 
  
  tib entry: 10.5.5.0/24, rev 67(no route)
        remote binding: tsr: 10.8.8.5:0, tag: imp-null
  tib entry: 10.5.5.5/32, rev 62
        local binding:  tag: 16
          Advertised to:
          10.2.2.2:0             10.8.8.5:0             
        remote binding: tsr: 10.2.2.2:0, tag: 18
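
The check a reader performs by eye on the binding table above can be automated. The following Python sketch is an added example, not part of the original document or of any Cisco tool: it parses `show tag-switching tdp bindings detail` output and reports routed prefixes that have no binding from the downstream neighbor while that neighbor bound an overlapping prefix marked "(no route)". The function names are hypothetical, and the downstream TSR ID is passed in by the caller.

```python
import ipaddress
import re

# "show tag-switching tdp bindings detail" output from the P router above.
P_BINDINGS = """\
  tib entry: 10.5.5.0/24, rev 67(no route)
        remote binding: tsr: 10.8.8.5:0, tag: imp-null
  tib entry: 10.5.5.5/32, rev 62
        local binding:  tag: 16
          Advertised to:
          10.2.2.2:0             10.8.8.5:0
        remote binding: tsr: 10.2.2.2:0, tag: 18
"""

ENTRY = re.compile(r"tib entry:\s+(\S+),\s+rev\s+\d+\s*(\(no route\))?")
REMOTE = re.compile(r"remote binding:\s+tsr:\s+(\S+),\s+tag:\s+(\S+)")


def parse_bindings(text):
    """Return {prefix: {"no_route": bool, "remote": {tsr: tag}}}."""
    table, current = {}, None
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            current = {"no_route": bool(m.group(2)), "remote": {}}
            table[ipaddress.ip_network(m.group(1))] = current
            continue
        m = REMOTE.search(line)
        if m and current is not None:
            current["remote"][m.group(1)] = m.group(2)
    return table


def find_mask_mismatches(table, downstream_tsr):
    """Routed prefixes lacking a binding from the downstream neighbor, paired
    with an overlapping prefix that neighbor did bind but we have no route for."""
    findings = []
    for prefix, entry in table.items():
        if entry["no_route"] or downstream_tsr in entry["remote"]:
            continue  # unusable entry, or the next hop supplied a label
        for other, o in table.items():
            if (o["no_route"] and downstream_tsr in o["remote"]
                    and prefix.overlaps(other)):
                findings.append((str(prefix), str(other), downstream_tsr))
    return findings


if __name__ == "__main__":
    # 10.8.8.5:0 is PE2, the P router's next hop toward 10.5.5.5.
    for hit in find_mask_mismatches(parse_bindings(P_BINDINGS), "10.8.8.5:0"):
        print("no label from %s for %s; it bound %s instead" % (hit[2], hit[0], hit[1]))
```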

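The cause of the discrepancy between the routing updates and the label bindings advertised by PE2 can be seen in the routing table and the tag binding table on this router. The directly connected loopback, which shows the correct /24 mask, is what this router uses to generate the label binding. Because this network uses Open Shortest Path First (OSPF), the router advertises this interface with a /32 mask, as shown in the following example.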

PE2#show ip route 10.5.5.5
Routing entry for 10.5.5.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Loopback0
      Route metric is 0, traffic share count is 1

PE2#show tag-switching tdp bindings detail
   
  tib entry: 10.5.5.0/24, rev 142
        local binding:  tag: imp-null
          Advertised to:
          10.7.7.7:0             
  tib entry: 10.5.5.5/32, rev 148
        remote binding: tsr: 10.7.7.7:0, tag: 16

PE2#show ip ospf interface loopback 0 
Loopback0 is up, line protocol is up 
  Internet Address 10.5.5.5/24, Area 0 
  Process ID 1, Router ID 10.5.5.5, Network Type LOOPBACK, Cost: 1
  Loopback interface is treated as a stub Host


!--- OSPF advertises all interfaces of Network Type LOOPBACK as host 
!--- routes (/32).

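Solutions

Because the failure of the LSP between the P router and PE1 is caused by a mismatch between the route advertised for the loopback and the label binding generated by PE1, the simplest solution is to change the mask on the loopback to conform to the mask that OSPF advertises for all networks of type loopback.

Solution 1: Change of Subnet Mask on PE2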

PE2#configure terminal 
   Enter configuration commands, one per line.  End with CNTL/Z. 
   PE2(config)#int lo 0 
   PE2(config-if)#ip add 10.5.5.5 255.255.255.255 
   PE2(config-if)#end 
   PE2#

As shown in the following example, the information on PE1 appears the same as in the scenario in which the LSP failure occurred.

PE1#show tag-switching forwarding-table vrf aqua 192.168.1.196 detail
Local  Outgoing    Prefix                 Bytes tag  Outgoing   Next Hop    
tag    tag or VC   or Tunnel Id           switched   interface              
None   16               192.168.1.192/26  0          Et2/0/2    10.7.7.7     
       MAC/Encaps=14/22, MTU=1496, Tag      Stack{16 32}
       00603E2B02410060835887428847 0001000000020000
       No output feature configured
     
PE1#show tag-switching forwarding-table 10.5.5.5 detail 
Local  Outgoing    Prefix                 Bytes tag  Outgoing   Next Hop    
tag    tag or VC   or Tunnel Id           switched   interface              
18     16               10.5.5.5/32       0          Et2/0/2    10.7.7.7     
       MAC/Encaps=14/18, MTU=1500, Tag      Stack{16}
       00603E2B02410060835887428847 00010000
       No output feature configured
   Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10      11 12 13 14 15

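The P router shows that the condition that caused the LSP failure no longer exists. The outgoing label is now Pop tag. This means that the top label for the BGP next hop is popped as the packet traverses the router, but the packet still carries the second VPN label (the packet is no longer sent out untagged).

The tag binding table shows that a label (imp-null) is advertised by PE2 (tsr: 10.8.8.5:0) for the /32 route.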

P#show tag-switching forwarding-table 10.5.5.5 detail 
   Local  Outgoing    Prefix               Bytes tag  Outgoing   Next Hop 
   tag    tag or VC   or Tunnel Id         switched   interface 
   16     Pop tag     10.5.5.5/32          3493       Et2/0         10.8.8.5 
           MAC/Encaps=14/14, MTU=1504, Tag Stack{}    
           006009E08B0300603E2B02408847 
           No output feature configured
 
       Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11    12 13 14 15
 
P#show tag-switching tdp bindings detail 
       
       tib entry: 10.5.5.5/32, rev 71 
             local binding:  tag: 16 
               Advertised to: 
               10.2.2.2:0                  10.8.8.5:0 
             remote binding: tsr: 10.2.2.2:0,      tag: 18 
             remote binding: tsr: 10.8.8.5:0,      tag: imp-null

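Solution 2: Change of OSPF Network Type

The second solution is to change the OSPF network type of the loopback interface. When the OSPF network type of PE2's loopback interface is changed to point-to-point, the loopback prefix is no longer automatically advertised with a /32 mask. This means that the label binding generated by PE2, which refers to the directly connected subnet in its routing table (with a /24 subnet mask), matches the OSPF route that the P router receives from PE2 (with a /24 subnet mask for this prefix).

As shown in the following example, the ip ospf network point-to-point command can be used to change the network type on the PE2 loopback interface.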

PE2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
PE2(config)#interface loopback 0
PE2(config-if)#ip ospf network point-to-point
PE2(config-if)#

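As shown below, the tag forwarding table on PE1 contains an entry for the BGP next hop that is consistent with the actual mask of the loopback interface on PE2. The routing table shows that the OSPF route associated with this forwarding entry is also correct.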

PE1#show tag-switching forwarding-table 10.5.5.5 detail 
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop    
tag    tag or VC   or Tunnel Id      switched   interface              
22     17          10.5.5.0/24       0          Et2/0/2    10.7.7.7     
        MAC/Encaps=14/18, MTU=1500, Tag Stack{17}
        00603E2B02410060835887428847 00011000
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

PE1#show ip route 10.5.5.5
Routing entry for 10.5.5.0/24
  Known via "ospf 1", distance 110, metric 21, type intra area
  Last update from 10.7.7.7 on Ethernet2/0/2, 00:36:53 ago
  Routing Descriptor Blocks:
  * 10.7.7.7, from 10.5.5.5, 00:36:53 ago, via Ethernet2/0/2
      Route metric is 21, traffic share count is 1

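In the following example, the tag forwarding entry on the P router shows the outgoing tag as Pop tag, just as in Solution 1. Again, the top label for the BGP next hop is popped as the packet traverses this router, but the second VPN label is retained and the LSP does not fail. The binding shows that the correct subnet mask is also present.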

P#show tag-switching forwarding-table 10.5.5.5 detail  
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop    
tag    tag or VC   or Tunnel Id      switched   interface              
17     Pop tag     10.5.5.0/24       4261       Et2/0      10.8.8.5     
        MAC/Encaps=14/14, MTU=1504, Tag Stack{}
        006009E08B0300603E2B02408847 
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15


P#show tag-switching tdp bindings detail
  
  tib entry: 10.5.5.0/24, rev 68
        local binding:  tag: 17
          Advertised to:
          10.2.2.2:0             10.8.8.5:0             
        remote binding: tsr: 10.8.8.5:0, tag: imp-null
        remote binding: tsr: 10.2.2.2:0, tag: 22

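As shown below, this command output confirms that the network type has changed to point-to-point. Full connectivity exists from CE1 to the CE2 loopback interface.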

PE2#show ip ospf interface loopback 0 
Loopback0 is up, line protocol is up 
  Internet Address 10.5.5.5/24, Area 0 
  Process ID 1, Router ID 10.5.5.5, Network Type POINT_TO_POINT, Cost: 1
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  Index 3/3, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0 
  Suppress hello for 0 neighbor(s)

CE1#ping 192.168.1.196

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.196, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
CE1.

Document ID: 23565