This topic describes steps that are needed for MPLS VPN troubleshooting.

© 2011 Cisco and/or its affiliates. All rights reserved. SPEDGE v1.0—2-33

Perform basic MPLS troubleshooting:

• Is Cisco Express Forwarding enabled?

• Are labels for IGP routes generated and propagated?

• Are large labeled packets propagated across the MPLS backbone (maximum transmission unit issues)?

Before you start in-depth MPLS VPN troubleshooting, you should ask the following standard MPLS troubleshooting questions:

• Is Cisco Express Forwarding enabled on all routers in the transit path between the PE routers?

• Are labels for BGP next hops generated and propagated?

• Are there any maximum transmission unit (MTU) issues in the transit path (for example, LAN switches not supporting a jumbo Ethernet frame)?

MPLS VPN troubleshooting consists of these two major steps:

• Verifying the routing information flow, using the checks that are outlined in the figure

• Verifying the data flow, or packet forwarding

Figure: routing information flow checks across the P-Network (CE-Spoke routers, PE-1, P, PE-2):

1. Are CE routes received by a PE router?

2. Are routes redistributed into MP-BGP with the proper extended communities?

3. Are VPNv4 routes propagated to other PE routers?

4. Is the BGP route selection process working correctly?

5. Are VPNv4 routes inserted into VRFs on other PE routers?

6. Are VPNv4 routes redistributed from BGP into the PE-CE routing protocol?

7. Are IPv4 routes propagated to other CE routers?

Verification of the routing information flow should be done systematically, starting at the ingress CE router and moving to the egress CE router.

Commands shown in the figure:

show route vrf vrf-name

show bgp vpnv4 vrf vrf-name ip-prefix

debug bgp

show bgp vpnv4 unicast ip-prefix

show bgp vpnv4 unicast vrf vrf-name ip-prefix

show route vrf

show bgp ip-prefix

show vrf detail

show route

Troubleshooting routing information flow requires the verification of end-to-end routing information propagation between CE routers.

Step 1 The first step is to check the routing information exchange from the CE routers to the PE routers. Use the show ip route vrf vrf-name (Cisco IOS and IOS XE) or show route vrf vrf-name (Cisco IOS XR) command to verify that the PE router receives customer routes from the CE router. Use traditional routing protocol troubleshooting if needed.

Step 2 The CE routes that are received by the PE router need to be redistributed into MP-BGP; otherwise, the routes will not be propagated to other PE routers. Proper redistribution of CE routes into a per-VRF instance of BGP can be verified with the show ip bgp vpnv4 vrf name (IOS and IOS XE) or show bgp vpnv4 vrf vrf-name (IOS XR) command. The route distinguisher (RD) prepended to the IPv4 prefix and the route targets (RTs) attached to the CE route can be verified with the show ip bgp vpnv4 vrf vrf-name ip-prefix (IOS and IOS XE) or show bgp vpnv4 vrf vrf-name ip-prefix (IOS XR) command.

Step 3 The CE routes that are redistributed into MP-BGP need to be propagated to other PE routers. Verify proper route propagation with the show ip bgp vpnv4 all ip-prefix (IOS and IOS XE) or show bgp vpnv4 unicast ip-prefix (IOS XR) command on the remote PE router.

Step 4 The VPNv4 routes that are received by the PE router need to be inserted into the proper VRF. This insertion can be verified with the show ip route vrf (IOS and IOS XE) or show route vrf (IOS XR) command. The validity of the import RTs can be verified with the show ip bgp vpnv4 all ip-prefix (IOS and IOS XE) or show bgp vpnv4 unicast ip-prefix (IOS XR) command, which displays the RTs attached to a VPNv4 route. You can also verify the validity of the import RTs with the show ip vrf detail (IOS and IOS XE) or show vrf detail (IOS XR) command, which lists the import RTs for a VRF. At least one RT attached to the VPNv4 route needs to match at least one RT in the VRF.

Step 5 Next, the BGP routes that are received via MP-BGP and inserted into the VRF need to be redistributed into the PE-CE routing protocol.

Step 6 Finally, the routes that are redistributed into the PE-CE routing protocol need to be propagated to CE routers.
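
The RT comparison from Step 4, as an added example that is not part of the original course material: it parses constructed samples in the style of show ip bgp vpnv4 all ip-prefix and show ip vrf detail output and reports which VRFs would import the route. The sample text, VRF names, and function names are assumptions made for illustration.

```python
import re

# Constructed sample in the style of "show ip bgp vpnv4 all <ip-prefix>" (made-up values).
SAMPLE_VPNV4 = """\
BGP routing table entry for 65000:10:10.1.1.0/24, version 12
    192.0.2.1 (metric 3) from 192.0.2.1 (192.0.2.1)
      Extended Community: RT:65000:10 RT:65000:99
"""

# Constructed sample in the style of "show ip vrf detail" (made-up values).
SAMPLE_VRF_DETAIL = """\
VRF Customer_A; default RD 65000:10
  Export VPN route-target communities
    RT:65000:10
  Import VPN route-target communities
    RT:65000:10              RT:65000:20
  No import route-map
VRF Customer_B; default RD 65000:30
  Import VPN route-target communities
    RT:65000:30
"""

RT_RE = re.compile(r"RT:(\d+(?:\.\d+){0,3}:\d+)")

def route_rts(vpnv4_text):
    """RTs attached to the VPNv4 route (its 'Extended Community' lines)."""
    lines = [l for l in vpnv4_text.splitlines() if "Extended Community:" in l]
    return set(RT_RE.findall("\n".join(lines)))

def vrf_import_rts(vrf_detail_text):
    """Map each VRF name to the RTs listed under its import section only."""
    imports, vrf, in_import = {}, None, False
    for line in vrf_detail_text.splitlines():
        header = re.match(r"VRF (\S+?);", line)
        if header:
            vrf, in_import = header.group(1), False
            imports[vrf] = set()
        elif "route-target communities" in line:
            in_import = line.strip().startswith("Import")
        elif in_import and vrf:
            found = RT_RE.findall(line)
            imports[vrf].update(found)
            in_import = bool(found)  # section ends at the first non-RT line
    return imports

def importing_vrfs(vpnv4_text, vrf_detail_text):
    """Step 4 rule: a VRF imports the route if the RT sets intersect."""
    rts = route_rts(vpnv4_text)
    matches = {v: rts & imp for v, imp in vrf_import_rts(vrf_detail_text).items()}
    return {v: sorted(m) for v, m in matches.items() if m}
```

An empty result for a route that should be present in a VRF points to an export or import RT mismatch; a VRF appearing in the result that should not receive the route points to an import RT that is too broad.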

Is the Cisco Express Forwarding entry correct on the ingress PE router?

Is Cisco Express Forwarding enabled on the ingress PE router interface?

Is the LFIB entry on the egress PE router correct?

Is there an end-to-end LSP tunnel between the PE routers?

After you have verified proper route exchange, start MPLS VPN data flow troubleshooting using the checks that are listed in the next figures.

show cef vrf vrf-name ip-prefix/length detail

show cef interface

One of the most common configuration mistakes related to data flow is the failure to enable Cisco Express Forwarding on the ingress PE router interface. The presence of Cisco Express Forwarding can be verified with the show cef interface command on Cisco IOS, IOS XE, and IOS XR devices.

If Cisco Express Forwarding switching is enabled on the ingress interface, you can verify the validity of the Cisco Express Forwarding entry and the associated label stack with the show ip cef vrf vrf-name ip-prefix detail (IOS and IOS XE) or show cef vrf vrf-name ip-prefix detail (IOS XR) command. The top label in the stack should correspond to the BGP next-hop label as displayed by the show mpls forwarding-table (IOS and IOS XE) or show mpls forwarding (IOS XR) command on the ingress router. The second label in the stack should correspond to the label allocated by the egress router. You can verify this label by using the show mpls forwarding-table (IOS and IOS XE) or show mpls forwarding vrf (IOS XR) command on the egress router.

• Check for summarization issues. The BGP next hop should be reachable as a host route.

• Quick check—If TTL propagation is disabled, the trace from PE-2 to PE-1 should contain only one hop.

• If needed, check LFIB values hop by hop.

• Check for MTU issues on the path. MPLS VPN requires a larger label header than pure MPLS.

If Cisco Express Forwarding is enabled on the ingress interface and the Cisco Express Forwarding entry contains the proper labels, the data flow problem might lie inside the MPLS core. Two common mistakes include summarization of BGP next hops inside the core IGP and MTU issues.

The quickest way to diagnose summarization problems is to disable IP Time to Live (TTL) propagation into the MPLS label header using the no mpls ip ttl-propagate (IOS and IOS XE) or mpls ip ttl-propagate disable (IOS XR) configuration command on the provider router (P router) and PE routers. The traceroute command from the ingress PE router toward the BGP next hop should display no intermediate hops when TTL propagation is disabled. If intermediate hops are displayed, the label-switched path (LSP) tunnel between PE routers is broken at those hops, and the VPN traffic cannot flow.

show cef vrf vrf-name ip-prefix/length detail

show mpls forwarding vrf vrf-name value detail

As a last troubleshooting measure (usually not needed), you can verify the contents of the label forwarding information base (LFIB) on the egress PE router and compare them with the second label in the label stack on the ingress PE router. A mismatch indicates an internal Cisco IOS Software error that you will need to report to the Cisco Technical Assistance Center (TAC).

Control Plane

• Routing Protocol. Cisco IOS and IOS XE: show ip ospf database, show ip bgp, show ip eigrp topology. Cisco IOS XR: show ospf database, show bgp, show eigrp topology.

• IP Routing Table (RIB). Cisco IOS and IOS XE: show ip route. Cisco IOS XR: show route.

• Label Exchange Protocol (LFIB). Cisco IOS and IOS XE: show mpls ldp bindings. Cisco IOS XR: show mpls ldp bindings.

Data Plane

• IP Forwarding Table (FIB). Cisco IOS and IOS XE: show ip cef, show ip cef vrf. Cisco IOS XR: show cef, show cef vrf.

• Label Forwarding Table (LFIB). Cisco IOS and IOS XE: show mpls forwarding-table, show mpls forwarding-table vrf. Cisco IOS XR: show mpls forwarding, show mpls forwarding vrf.

The figure shows the relevant commands for Cisco IOS, IOS XE, and Cisco IOS XR devices to troubleshoot the control plane and the data plane of an MPLS router.

Summary

This topic summarizes the primary points that were discussed in this lesson.

• OSPF as a PE-CE routing protocol is implemented as a separate routing process.

• BGP is very scalable and predictable as a PE-CE routing protocol.

• MPLS VPN troubleshooting has two main steps: verifying routing information flow and verifying proper data flow.

Lesson 4
