-
Notifications
You must be signed in to change notification settings - Fork 706
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dealing with VRFs #1648
Comments
@amanshaikh75 Hi, please let me clear my head, first. With the following topology
When the r1 and r2 advertise the same prefix r1> gobgp global rib -a ipv4 add 192.168.1.0/24
r1> gobgp global rib -a ipv4
Network Next Hop AS_PATH Age Attrs
*> 192.168.1.0/24 0.0.0.0 00:00:00 [{Origin: ?}]
r2> gobgp global rib -a ipv4 add 192.168.1.0/24
r2> gobgp global rib -a ipv4
Network Next Hop AS_PATH Age Attrs
*> 192.168.1.0/24 0.0.0.0 00:00:00 [{Origin: ?}] GoBGP imports each path per VRF separately and also imports them with RD to the global table. r3> gobgp vrf 1 rib -a ipv4
Network Next Hop AS_PATH Age Attrs
192.168.1.0/24 10.0.0.1 65001 00:00:00 [{Origin: ?}]
r3> gobgp vrf 2 rib -a ipv4
Network Next Hop AS_PATH Age Attrs
192.168.1.0/24 10.0.0.2 65002 00:00:00 [{Origin: ?}]
r3> gobgp global rib -a vpnv4
Network Labels Next Hop AS_PATH Age Attrs
*> 65000:100:192.168.1.0/24 [0] 10.0.0.1 65001 00:00:00 [{Origin: ?} {Extcomms: [65000:100]}]
*> 65000:200:192.168.1.0/24 [0] 10.0.0.2 65002 00:00:00 [{Origin: ?} {Extcomms: [65000:200]}] Then, GoBGP (zclient.go) will install VPN routes into Zebra by using the paths on the global table which contains VRF IDs. Lines 241 to 249 in d31262d
Lines 507 to 510 in d31262d
Am I misunderstanding? |
Hi, You're right that in the case above, there is no need to calculate BGP best path for each VRF separately since the two VRFs are using different RD's as they should. However, consider a case where r4 sends the following VPNv4 route to r3:
When this route arrives, GoBGP at r3 will calculate best paths in global RIB, and will choose all three routes as best since each of the three routes has a distinct RD.
Since the first and the third routes have the same route targets, both of them will be imported into VRF 1, and will be installed as best routes into Zebra. In reality, the first route is better than the third route since it is learned over an eBGP session while the other route is learned over an iBGP session (assuming r3-r4 session is an iBGP one). Do you agree? Speaking more generally, the following cases will create problems with GoBGP's current way of handing VRF routes:
|
@amanshaikh75 Hi, I don't know whether the different values of RD and RT are used in the real (production) MPLS VPN services and I think the same value should be better for the maintainability. But the different RD and RT are not prohibited, and I tried the following with Cisco routers.
With the above situation, the route from R2
It seems that Also, as you said, the best path seems to be selected per VRF (a local connected path is selected on "Vrf1"). You mean this behavior? |
Hi @iwaseyusuke Yes, this is exactly what I am referring to. I don't know how common this is, but it's not precluded. Another way this situation arises is when routes are shared between different VPNs (or VRFs). |
@amanshaikh75 Hi, Does this PR (#1656) address this issue? This patch clones the VPN path having the different RD and overwrites the RD on the cloned path by the RD of matched VRFs. |
@iwaseyusuke Hi Your PR seems to be a step in the right direction. However, here are couple of items to think about:
|
@amanshaikh75 Sorry for the delay and thank you for reviewing.
I think routes from a VRF should be imported as MPLS-labeled VPN routes (SAFI=128). Sorry I might not understand RFC8277 enough, but section-5 can be said for SAFI=128? And section-5 mentions some implementations but does not clarify which approach is the best.
Yes, the cloned path should be selected as the best path on the specific VRF. The behavior (the output of |
I agree that section-5 of RFC 8277 does not advocate one particular approach. On the other hand, bringing routes into VRF as SAFI=128 still has the problem in that routes learned from CEs are usually SAFI=1 routes. So, now you face the problem of comparing SAFI=1 and SAFI=128 routes, right?
So, are you now maintaining separate route table for each VRF? |
You mean routes from PE(or P) routers can not be compared with routes from CE routers because routes from PEs will be SAFI=128 and routes from CEs will be SAFI=1, right?
No, GoBGP does not maintain each VRF table and maintains only global table. For example, with the following topology, if both CE1 and CE2 has the same prefix "192.168.1.0/24" and the RD on GoBGP's VRF (65000:100) and the RD on PE's VRF (65000:200),
GoBGP will receive an IPv4 prefix For CE side, GoBGP will translate the prefix
Then GoBGP applies the best path calculation and the first one and the last one are selected, but the last one will not be installed to Zebra because the last one does not have VRF ID. |
I see. So essentially, you are creating a per-VRF table within the global table by cloning paths if necessary. All the VRF-specific paths will have VPN prefixes with the VRF's RD which will allow gobgp to run the decision process appropriately. I can't think of any obvious problems with this approach. |
@amanshaikh75 Thanks for your confirmation. I think this approach is the similar to the way to "regard SAFI-1 routes and SAFI-4 routes as completely independent". |
One thing @iwaseyusuke . I have noticed with the current implementation, when a new VRF and a neighbor within it are added to GoBGP, the deamon does not send existing VPNv4 routes that can be imported into the VRF to the neighbor during RIB synchronization. Is this something your PR fixes? |
@amanshaikh75 Thanks for your report! But sorry this PR does not address that issue I think. |
Will you be willing to create a new PR to address this issue? BTW with ZAPI version 5, I have been able to find a way to install VPN routes with double encapsulation at the ingress PE. See zapi_version_5 in my gobgp repository. With this update, I am now able to use GoBGP for CE-to-CE traffic in L3VPN scenario. |
Yes, thanks! It is highly welcomed!
That sounds great! But, supporting both v4 and v5 seems to make the codes complex... Hmmm... |
- This commit aims to solve reported problem on issues osrg#1611, osrg#1648 and osrg#1912 - Partial changes of this commit duplicate with changes on PR osrg#1587 (not merged) and PR osrg#1766 (not merged and already closed) - This commit is tested with only FRRouting version 6.0.2 (which uses Zebra API 6) - This commit fixes lack of LABEL_MANAGER_CONNECT_ASYNC for ZAPI6. (This bug is introduced on commit 2bdb76f "Supporting Zebra API version 6 which is used in FRRouting version 6")
- This commit aims to solve reported problem on issues #1611, #1648 and #1912 - Partial changes of this commit duplicate with changes on PR #1587 (not merged) and PR #1766 (not merged and already closed) - This commit is tested with only FRRouting version 6.0.2 (which uses Zebra API 6) - This commit fixes lack of LABEL_MANAGER_CONNECT_ASYNC for ZAPI6. (This bug is introduced on commit 2bdb76f "Supporting Zebra API version 6 which is used in FRRouting version 6")
I have a scenario; same routes published 1.1.1.1/32 with red and blue vrf tag , arrived at gobgp; those routes get inserted in different routing table ; now I want to access both routes from same vm , how I will do that. Please guide me. |
from router 3 I want to access both 65000:100:192.168.1.0/24 and 65000:200:192.168.1.0/24; how to do that ; please guide me. |
Even in the only one VRF and unique RD (example 65000:100), the router must execute path selection algorithm into VRF table when a prefix (example 10.0.0.0/8) received from CE1. At my case new prefix will win because it's received from eBGP and has not decreased local preference. After that it must be injected (cloned) into global table in vpnv4 format. And there global table performs independent new path selection in vpnv4 AFI (and the new route can be not best).
And after that old local CE2 can receive BGP Update with new path because new path was selected as best into VRF. |
It seems to me that the way GoBGP handles VRFs is not correct. Let me illustrate this by describing two work-flows:
Handling receipt of a BGP update message
- Check the update for correctness.
- Add path(s) to Adj-RIB-In of the peer from which the update is received.
- If the peer belongs to a VRF, import path(s) to the Global RIB by converting IPv4/v6 routes to VPNv4/v6 routes respectively.
- Apply applicable import policies to the path(s).
+ Run best-path selection in the context of the global RIB.
- If necessary, install updated routes into kernel forwarding table through Zebra. While doing this, check which VRFs the route can be imported to, and install it in all the VRFs where the route can be imported to.
- Propagate changed routes to all the peers after applying export policies.
- Check the update for correctness.
- Add path(s) to Adj-RIB-In of the peer from which the update is received.
- Apply applicable import policies to the path(s).
- Run best-path selection in the context of the VRF in which the peer belongs to.
- If necessary, install updated routes into VRF’s kernel forwarding table through Zebra.
- Propagate installed rotes to other peers in the VRF after applying relevant export policies.
- If the peer’s VRF is not global VRF, export the route(s) to the Global RIB by converting IPv4/v6 routes to VPNv4/v6 routes respectively.
- Run best-path selection in the context of the global RIB.
- However, Do NOT install VPN routes into kernel’s global forwarding table.
- But send updated VPN routes to peers that belong to the global VRF.
- Check which other VRFs the newly received paths need to be imported into (based on import route-target of the VRF.
- For each VRF, the route is imported into:
- Run the best-path calculation in the context of the VRF.
- If necessary, install updated routes into VRF’s kernel forwarding table through Zebra.
- Propagate installed routes to other peers in the VRF after applying relevant export policies.
Addition of a new VRF through configuration
- If VRF already exists, ignore the request.
- Add a VRF structure to the table-manager.
- For every route-target in the import route-target list of this VRF, create a RouteTargetMemberShipNLRI, send it to appropriate neighbors.
- No VPN routes are imported into the VRF from the global RIB.
- Carry out all the above steps.
- Import VPN routes into the VRF.
- Run best-path selection algorithm in the context of the VRF.
- Install best routes into VRF’s kernel forwarding table through Zebra.
- Propagate installed rotes to other peers in the VRF after applying relevant export policies.
The text was updated successfully, but these errors were encountered: