Arp Incomplete in BGP
Hello,
I have BGP sessions established for IPv4 and IPv6 with 2 ISPs, and I also have a session established with the PTT.
My router is a Cisco 7206VXR. Since last week I'm having a problem with "ARP Incomplete" in the BGP session established with the PTT.
To troubleshoot, I replaced my Cisco 7206VXR with a Cisco 1800. The problem persisted!
I replaced it again with a Cisco Catalyst 3750 and the problem was solved. But I need to roll back to the Cisco 7206VXR.
I don't have any configuration for ARP rate limiting or ARP inspection.
Does anyone have any idea about this problem?
Tks
Cesar
Hi Cesar,
can you elaborate on '"ARP Incomplete" in the BGP session established with the PTT.' ?
Do you mean that the BGP session was Idle and when you checked 'show ip bgp neighbor x.x.x.x' you saw "ARP incomplete" as the cause of the problem, or you simply checked the ARP table and saw that the remote IP was incomplete?
Generally speaking, ARP incomplete indicates underlying connectivity issues, but I find it weird that the issue is solved by replacing your router (2 times). Personally I think that it is just a coincidence that with the Cat3750 you don't see the problem.
What you need to do is to connect the 7206 back and troubleshoot the ARP-related issue to see if the router correctly receives and sends ARP packets.
Also I would check if some kind of CoPP was configured to rate limit the ARP traffic. That could cause similar issues if your router receives tons of ARP packets and drops some due to CoPP.
Riccardo
Similar Messages
-
CSCuo99477 - Arp stuck in Incomplete state
Dear Cisco Support,
For this bug, if we unfortunately hit it while using this version, are there any consequences?
Will the machine whose ARP entry shows “arp incomplete” on the core switch be disconnected or stop working?
What kind of situation will trigger this bug?
Thanks
From what I'm finding, AFI 2 is IPv6. This seems like it's expecting IPv6:
Nov 5 11:07:16.785: %BGP-3-NOTIFICATION: received from neighbor X.X.X.85 active 2/8 (no supported AFI/SAFI) 3 bytes 000000
I'm also seeing that SAFI 8 is multicast:
http://www.iana.org/assignments/safi-namespace/safi-namespace.xhtml
If this is the case, the settings that you have above simply wouldn't work. I would contact the ISP to see what your peer is running.
http://routing-bits.com/2009/11/26/output-101-bgp-afisafi/
HTH,
John -
DHCP Reservation problems caused by ARP proxy?
We have been having recurring problems at three of our new school sites with printer IP addresses. We have created the address reservations in our DHCP servers (Windows Server 2012) but several times per week, the address shows up as a "BAD ADDRESS" in the DHCP leases and the printer never does get a good lease until we recreate the reservation and power cycle the printer. This is happening across several different printer models.
Because this is only happening at our new sites, I've been investigating possible reasons. The configurations are mostly identical at our new sites and old; we have 3750X's at the old sites and 3850's (and one school with 4500X's) at the new sites. We have the correct IP helpers on every VLAN - one for each of our DHCP servers and one for each ISE node. ISE doesn't respond to the DHCP requests, it only listens for them to profile the endpoints. I've also begun enforcing ISE at one of the sites to see if it was just related to IP conflicts - no luck so far.
Today I was fixing a printer reservation and came across something interesting. At one of the new schools, the MDF ARP table reported that 10.24.12.20 was assigned to a workstation (it is supposed to be assigned to a printer). When I ran a check on the port in the IDF associated with that IP address to find the IP that was associated with the device, the device had an IP of 10.24.12.26. This caused me to start looking for ARP problems.
I went looking for a difference in the configs on the 3850's and the 4500X's compared to the 3750X's at the older sites. Here's what I found when I did a "sh run all":
4500X:
ip arp poll queue 1000
ip arp poll rate 1000
no ip arp proxy disable
ip arp gleaning tftp
ip arp gleaning udp
ip arp incomplete retry 20
ip arp incomplete entries 5000
ip arp incomplete enable
ip arp inspection log-buffer entries 32
ip arp inspection log-buffer logs 5 interval 1
ip sticky-arp
no ip gratuitous-arps
The 3750X only has the following ARP commands:
ip sticky-arp
no ip gratuitous-arps
ip arp inspection log-buffer entries 32
ip arp inspection log-buffer logs 5 interval 1
I was looking in particular at the "no ip arp proxy disable" on the 4500 and 3850's. I'm wondering if the newer switches are working as ARP proxies and causing problems with the printers. It doesn't seem that the 3750X's or older are doing this, or even have the commands. Am I headed down the wrong path here? What are the repercussions of disabling the ARP proxy on the newer switches to test it?
Thanks
Hi,
if you have proxy ARP then you should see multiple IPs mapped to the same MAC (the one from the device with proxy ARP enabled). Is this the case?
Regards
Alain
Don't forget to rate helpful posts. -
"show arp" indicates 'Incomplete' Hardware Addr
Here are the logs:
Router#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet x.x.x.102 0 Incomplete ARPA
Internet x.x.x.101 0 Incomplete ARPA
Internet x.x.x.100 0 Incomplete ARPA
Internet x.x.120.99 0 Incomplete ARPA
Internet x.x.120.98 1 0040.10xx.xxxx ARPA FastEthernet0/0
Internet x.x.120.97 - 000e.83f6.28b6 ARPA FastEthernet0/0
A firewall is connected to the FastEthernet port 0/0. The router can't see the MAC addresses of computers behind it. What can we do?
Thanks in advance.
zaqtivi
It is hard to understand the topology when you obscure so much of the addresses. That makes it more difficult to understand your situation and to make good suggestions.
If the router is trying ARP for these addresses then it must believe that they reside in the local subnet. If these devices are on a segment that is on the other side of the firewall then perhaps they should be defined as a different subnet and the router given a route to that subnet with the next hop address being the firewall.
If that does not help then perhaps you can be more clear about the situation and the topology.
HTH
Rick -
ARP table not populating mac address for previously reachable IP address
Router has been online and working fine with one BGP neighbor for almost 2 years and no downtime. 2 weeks ago, added a 2nd BGP peer. Everything worked fine for 2 weeks, then all of a sudden yesterday the 2nd BGP peer is disconnected and does not come back. ISP checks and sees everything looks fine on their end. We cannot even ping each other now.
Upon investigation, the ARP table is not even populating the MAC address for the BGP peer IP anymore (same local subnet). Stays "incomplete" in the table no matter what we do, including clearing arp table, changing IP address, etc.
Plug a laptop directly into the 2nd BGP peer FE port and replicate the IP addressing. Laptop cannot ping Router, but Router CAN ping laptop. Check ARP table, but STILL no mac address assigned and now not even the ARP table showing "incomplete".
Thinking it could be the FE interface, switch to the 2nd FE interface and perform same laptop test, this time with arbitrary IP addressing. Now cannot ping each other, no MAC in ARP table.
End up rebooting the router and lo-and-behold, everything is working normally again. 2nd BGP peer peers up instantly.
I should also mention that the 1st BGP peer worked flawlessly throughout, taking all the Internet load and having no issues throughout.
Also, the FE ports for the 2nd BGP peer are on an HWIC FE card plugged into the router. The 1st BGP peer is plugged into the built-in GE interface. 2901 running: c2900-universalk9-mz.SPA.151-4.M4.bin
Lastly, no router resource issues, no error messages, no logs. Just the BGP peer disconnecting.
I have never, in 20 years working with Cisco routers seen something like this before. This is the most fundamental aspect of IP and Ethernet that was not working.
Has anyone ever seen this behavior before??
Here is the router config (IP's changed):
version 15.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
boot-start-marker
boot-end-marker
logging buffered 150000
aaa new-model
aaa authentication login LAUTHEN local
aaa authentication login TAUTHEN local group tacacs+ enable
aaa authorization console
aaa authorization exec LAUTHOR local if-authenticated
aaa authorization exec TAUTHOR local group tacacs+ if-authenticated
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
no ipv6 cef
no ip source-route
ip cef
no ip domain lookup
multilink bundle-name authenticated
username ubiadmin privilege 15 secret 4 .JbeuWXuZvchrG0OL.5BftFtqrrEyxcnVHn5rIuCnTk
username umitsnoc01 privilege 15 secret 4 cUmoRUjey9O1x.wk9S.kleX.iAAhCwihupr6Z98p6OA
redundancy
ip ssh version 2
track 1 interface GigabitEthernet0/0 line-protocol
class-map match-any AutoQoS-VoIP-RTP-Trust
match access-group name SIP-Media-INBOUND
class-map match-any AutoQoS-VoIP-Control-Trust
match ip dscp cs3
match ip dscp af31
class-map match-any Customer-Voice
match access-group name Customer-VPNs
class-map match-any media
match access-group name SIP-Media
class-map match-any signaling
match access-group name SIP-Signaling
policy-map AutoQoS-Policy-Trust
class AutoQoS-VoIP-RTP-Trust
priority percent 70
class AutoQoS-VoIP-Control-Trust
bandwidth percent 5
class class-default
fair-queue
policy-map queue
class signaling
bandwidth percent 5
class media
priority percent 50
class Customer-Voice
priority percent 40
class class-default
fair-queue
policy-map shape
class class-default
shape average 10000000
service-policy queue
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description BGP Peer 1
ip address 2.2.2.2 255.255.255.252
no ip redirects
ip flow ingress
ip flow egress
duplex auto
speed auto
service-policy output shape
interface GigabitEthernet0/1
description LAN
ip address 1.2.3.4 255.255.255.0
no ip redirects
ip flow ingress
ip flow egress
standby 255 ip 1.2.3.1
standby 255 priority 105
standby 255 preempt
standby 255 mac-address 1a2b.3c4d.5e6f
standby 255 track 1 decrement 10
duplex auto
speed auto
service-policy output AutoQoS-Policy-Trust
interface FastEthernet0/0/0
description BGP Peer 2
ip address 1.1.1.1 255.255.255.252
ip flow ingress
ip flow egress
duplex full
speed 100
service-policy output shape
interface FastEthernet0/0/1
no ip address
shutdown
duplex auto
speed auto
router bgp 7777
bgp router-id 2.2.2.2
bgp log-neighbor-changes
network 1.2.3.0 mask 255.255.255.0
neighbor 1.1.1.2 remote-as 5555
neighbor 1.1.1.2 update-source FastEthernet0/0/0
neighbor 1.1.1.2 prefix-list L3-DEFGW in
neighbor 1.1.1.2 route-map L3-LPREF-IN in
neighbor 2.2.2.1 remote-as 6666
neighbor 2.2.2.1 ebgp-multihop 2
neighbor 2.2.2.1 update-source GigabitEthernet0/0
neighbor 2.2.2.1 send-community
neighbor 2.2.2.1 prefix-list COLO-DEFGW in
neighbor 2.2.2.1 route-map COLO-LPREF-IN in
neighbor 2.2.2.1 route-map COLO-OUT out
ip forward-protocol nd
ip bgp-community new-format
ip as-path access-list 5 permit _5555_
ip as-path access-list 5 deny .*
ip as-path access-list 10 permit ^6666$
no ip http server
no ip http secure-server
ip flow-top-talkers
top 50
sort-by bytes
ip route 0.0.0.0 0.0.0.0 1.1.1.2 254 name L3
ip route 0.0.0.0 0.0.0.0 2.2.2.1 255 name COLO1
ip route 10.0.0.0 255.0.0.0 10.10.10.10 name FW_OUTSIDE
ip tacacs source-interface GigabitEthernet0/1
ip access-list standard SNMP_SOURCES
permit 12.12.12.0 0.0.0.255
deny any log
ip prefix-list L3-DEFGW seq 5 permit 0.0.0.0/0
ip prefix-list COLO-DEFGW seq 5 permit 0.0.0.0/0
ip prefix-list COLO-LPREF-OUT seq 5 permit 1.2.3.0/24
route-map COLO-LPREF-IN permit 5
match as-path 5
set local-preference 250
route-map COLO-LPREF-IN permit 10
set local-preference 150
route-map COLO-LPREF-IN permit 20
route-map COLO-OUT permit 10
match ip address prefix-list COLO-LPREF-OUT
set as-path prepend 7777 7777 7777
set community 29795:1004
route-map COLO-OUT permit 20
route-map L3-LPREF-IN permit 10
match as-path 10
set local-preference 200
route-map L3-LPREF-IN permit 20
set local-preference 150
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps flowmon
snmp-server enable traps transceiver all
snmp-server enable traps ds1
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps license
snmp-server enable traps envmon
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps flash insertion removal
snmp-server enable traps mac-notification
snmp-server enable traps aaa_server
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps memory bufferpeak
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps ipsla
When you were checking the ARP table was there an entry for Fast0/0/0?
HTH
Rick -
We started to test a dual-stack BGP implementation. Although we established a neighbor over IPv6, it seems we still couldn't advertise our networks on the Internet and we couldn't reach anywhere over an IPv6 address.
Here are our related configs and outputs:
router bgp 3xxx
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 2A02:E0:0:xx::1 remote-as 34xxx
neighbor x.x.x.x remote-as 34xxx
neighbor x.x.x.x remote-as 91xx
maximum-paths 4
address-family ipv4
exit-address-family
address-family ipv6
neighbor 2A02:E0:0:xx::1 activate
neighbor 2A02:E0:0:xx::1 prefix-list v6in in
neighbor 2A02:E0:0:xx::1 prefix-list v6out out
network 2001:67C:xxxx::/48
no synchronization
exit-address-family
ipv6 prefix-list v6in seq 5 permit ::/0 le 128
ipv6 prefix-list v6out seq 5 permit 2001:67C:xxxx::/48
interface GigabitEthernet0/2
ip address 92.45.xxx.x 255.255.255.252
no ip redirects
no ip proxy-arp
ip flow ingress
load-interval 30
duplex auto
speed auto
media-type rj45
negotiation auto
ipv6 address 2A02:E0:0:xx::2/126
ipv6 enable
7200-1_KULE#sh bgp ipv6 unicast
BGP table version is 4, local router ID is 212.156.xx.xx
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> ::/0 2A02:E0:0:xx::1 0 34xx 34xx 130xx 94xx i
What are we supposed to do?
Best regards.
Yes, we have three class C networks and one of them is used for the firewall side.
May I ask another question?
In the IPv4 BGP config we use route maps for incoming and outgoing traffic on 3 different metro Ethernet Internet connections. We have 3 class C IPv4 networks, so we configured load sharing for each network between the Internet connections. We use local-pref, weight or AS path prepend.
Could we do the same thing for IPv6 connections? We have a ::/48. For example, we want to use ::/56 and share the networks across the Internet lines.
Best regards -
Slow ARP response for dial-in clients
I’ve been experiencing an intermittent issue with remote PC’s connecting to a Cisco AS5350 Universal Gateway - basically, a RAS server.
The issue, as far as I’ve been able to pinpoint, seems to be related to the amount of time it takes the dial-in client to register an ARP entry on the local network where the RAS server and other servers are connected. If I start an extended ping to one of the servers on the local network (not to the RAS server) once my dial-up connection has been established, I typically see anywhere between 3 and 18 ICMP request timeouts before I start receiving replies. And if at the same time I start an extended ping to the IP address of the RAS server, ICMP replies are received immediately with no request timeouts.
Topology:
Dial-in Client <===> AS5350 RAS <===> L2 Switch <===> Server
192.168.240.131 240.5 240.1 240.21
The switch that the AS5350 and the servers are connected to is a WS-C2960G-8TC-L layer-2 switch with a very basic config. Basically the only things I’ve changed during the course of my troubleshooting are the STP mode, the STP forward time, and enabling STP portfast on the uplinks to the AS5350 and the server… see configuration below:
Current configuration : 2721 bytes
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Switch
boot-start-marker
boot-end-marker
no aaa new-model
system mtu routing 1500
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1 forward-time 5
vlan internal allocation policy ascending
interface GigabitEthernet0/1
description Uplink to Server
spanning-tree portfast
interface GigabitEthernet0/2
description Uplink to CLE-AS5350 RAS
speed 100
duplex full
spanning-tree portfast
interface GigabitEthernet0/3
interface GigabitEthernet0/4
interface GigabitEthernet0/5
interface GigabitEthernet0/6
interface GigabitEthernet0/7
interface GigabitEthernet0/8
interface Vlan1
ip address 192.168.240.1 255.255.255.0
ip http server
ip http secure-server
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
end
For troubleshooting, I enabled “debug arp” on the switch and attempted a dial-up connection to the AS5350. Once the call was established and I received a DHCP lease (192.168.240.131), I started an extended ping to a server (192.168.240.21) on the network… see below:
Host Details:
192.168.240.1 (b4e9.b006.9e40) = Vlan1 on L2 switch.
192.168.240.21 (5cf9.dd48.76dd) = Server.
192.168.240.5 (000d.280c.fe1b) = Cisco AS5350 RAS server.
192.168.240.131 (0000.0000.0000) = PPP dial-in client on RAS server.
000292: *Mar 1 00:21:22.819 UTC: IP ARP: creating incomplete entry for IP address: 192.168.240.131 interface Vlan1
000293: *Mar 1 00:21:22.819 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000298: *Mar 1 00:21:27.013 UTC: IP ARP: rcvd req src 192.168.240.21 5cf9.dd48.76dd, dst 192.168.240.131 Vlan1
000299: *Mar 1 00:21:27.441 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000306: *Mar 1 00:21:32.441 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000314: *Mar 1 00:21:37.449 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000323: *Mar 1 00:21:42.440 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000329: *Mar 1 00:21:47.440 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000334: *Mar 1 00:21:52.439 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000344: *Mar 1 00:21:57.447 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000350: *Mar 1 00:22:02.447 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000358: *Mar 1 00:22:07.430 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000364: *Mar 1 00:22:12.438 UTC: IP ARP: creating incomplete entry for IP address: 192.168.240.131 interface Vlan1
000365: *Mar 1 00:22:12.438 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40,dst 192.168.240.131 0000.0000.0000 Vlan1
000372: *Mar 1 00:22:17.437 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000373: *Mar 1 00:22:17.446 UTC: IP ARP: rcvd rep src 192.168.240.131 000d.280c.fe1b, dst 192.168.240.1 Vlan1
The first line of the debug shows the switch creating an “incomplete entry” for the dial-in client (192.168.240.131).
For all subsequent ICMP requests, you can see that the dial-in client has a MAC address of 0000.0000.0000 – I guess you would call this an incomplete entry.
On the last line of the debug output, you can see that the dial-in client (192.168.240.131) finally gets the MAC address of the AS5350 (000d.280c.fe1b) assigned to it – this is when we start getting ICMP replies.
So during this capture, there were 12 ICMP request timeouts before the dial-in client started receiving replies.
Below is the current config on my Cisco AS5350 RAS server:
Current configuration : 6741 bytes
version 12.3
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
hostname AS5350
boot-start-marker
no boot startup-test
boot-end-marker
logging buffered 2048000 debugging
enable secret 5 *********************
resource-pool disable
calltracker enable
spe country usa
spe call-record modem
spe default-firmware spe-firmware-1
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authentication enable default group tacacs+ enable
aaa authentication ppp dialin if-needed local
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa session-id common
ip subnet-zero
ip cef
ip dhcp excluded-address 192.168.240.1 192.168.240.127
ip dhcp excluded-address 192.168.240.150 192.168.240.254
ip dhcp pool LOCAL
network 192.168.240.0 255.255.255.0
default-router 192.168.240.1
lease 0 1
ip ssh time-out 10
ip ssh version 2
isdn switch-type primary-4ess
fax interface-type fax-mail
controller T1 3/0
shutdown
controller T1 3/1
framing esf
linecode b8zs
pri-group timeslots 1-24
description PRI on Copper
no crypto isakmp ccm
interface FastEthernet0/0
no ip address
shutdown
interface FastEthernet0/1
description Uplink to Switch – Gi0/2
ip address 192.168.240.5 255.255.255.0
duplex full
speed 100
interface Serial0/0
no ip address
shutdown
interface Serial0/1
no ip address
shutdown
interface Serial3/0:23
no ip address
shutdown
interface Serial3/1:23
description PRI on Copper
no ip address
encapsulation ppp
dialer rotary-group 2
dialer-group 2
isdn switch-type primary-4ess
isdn incoming-voice modem
isdn T306 60000
fair-queue
no cdp enable
interface Dialer2
ip unnumbered FastEthernet0/1
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer-group 2
peer default ip address dhcp-pool LOCAL
fair-queue
no cdp enable
ppp authentication chap pap callin
ppp multilink
interface Group-Async0
no ip address
no group-range
interface Group-Async1
description Dial-up PRI modem lines
ip unnumbered FastEthernet0/1
encapsulation ppp
dialer in-band
dialer idle-timeout 0
async mode interactive
peer default ip address dhcp-pool LOCAL
fair-queue
ppp authentication chap pap callin
group-range 1/00 1/59
router eigrp 100
network 192.168.240.0
auto-summary
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.240.1
ip tacacs source-interface FastEthernet0/1
no ip http server
no ip http secure-server
logging history debugging
logging trap debugging
logging x.x.x.x
access-list 101 deny eigrp any any
access-list 101 permit ip any any
access-list 101 remark dialer-list used for dialer-list 1
access-list 182 remark *** PERMIT SSH TO THIS DEVICE ***
access-list 182 permit tcp any any eq 22
access-list 182 deny ip any any log
dialer-list 1 protocol ip permit
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 *******************
control-plane
voice-port 3/0:D
voice-port 3/1:D
dial-peer cor custom
ss7 mtp2-variant Bellcore 0
ss7 mtp2-variant Bellcore 1
ss7 mtp2-variant Bellcore 2
ss7 mtp2-variant Bellcore 3
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
no exec
line vty 0 4
access-class 182 in
exec-timeout 30 0
logging synchronous
transport input ssh
escape-character BREAK
line 1/00 1/59
no modem callout
modem Dialin
rotary 1
transport input all
transport output all
autoselect during-login
autoselect ppp
scheduler allocate 10000 400
ntp clock-period 17180055
ntp server x.x.x.x
end
Cisco AS5350 IOS: c5350-ik9s-mz.123-11.T11.bin
Is anyone aware of an IOS bug or an error in my configurations that could be causing the delay in creating an ARP entry for the dial-in client?
I am open to any suggestions.
BTW, if I add static arp entries on the server, ICMP replies are typically received after one or two request timeouts.
However, I feel this is not a solution to the problem, only a band-aid fix.
arp -s 192.168.240.128 00-0d-28-0c-fe-1b
arp -s 192.168.240.129 00-0d-28-0c-fe-1b
arp -s 192.168.240.130 00-0d-28-0c-fe-1b
arp -s 192.168.240.131 00-0d-28-0c-fe-1b
arp -s 192.168.240.132 00-0d-28-0c-fe-1b
arp -s 192.168.240.133 00-0d-28-0c-fe-1b
arp -s 192.168.240.134 00-0d-28-0c-fe-1b
arp -s 192.168.240.135 00-0d-28-0c-fe-1b
arp -s 192.168.240.136 00-0d-28-0c-fe-1b
arp -s 192.168.240.137 00-0d-28-0c-fe-1b
arp -s 192.168.240.138 00-0d-28-0c-fe-1b
arp -s 192.168.240.139 00-0d-28-0c-fe-1b
arp -s 192.168.240.140 00-0d-28-0c-fe-1b
arp -s 192.168.240.141 00-0d-28-0c-fe-1b
arp -s 192.168.240.142 00-0d-28-0c-fe-1b
arp -s 192.168.240.143 00-0d-28-0c-fe-1b
arp -s 192.168.240.144 00-0d-28-0c-fe-1b
arp -s 192.168.240.145 00-0d-28-0c-fe-1b
arp -s 192.168.240.146 00-0d-28-0c-fe-1b
arp -s 192.168.240.147 00-0d-28-0c-fe-1b
arp -s 192.168.240.148 00-0d-28-0c-fe-1b
arp -s 192.168.240.149 00-0d-28-0c-fe-1b
Thank you for taking the time to read my post.
-Brad
Hi Krishnamraj,
How many records are you getting from the server? Are they very huge?
Thanks,
Bhasker -
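The delay described in the dial-in post above can be measured directly from its "debug arp" output. The following is an added example, not code from the post: it replays those log lines, counts the unanswered requests per incomplete entry, and checks whether the MAC in the eventual reply belongs to another known host (which is what proxy ARP by the RAS looks like on the wire). The host table comes from the post's "Host Details" list; the function and field names are made up for this example, and timestamps are assumed not to cross midnight.

```python
import re

# MAC -> owner IP, taken from the "Host Details" list in the post.
KNOWN_HOSTS = {
    "b4e9.b006.9e40": "192.168.240.1",   # Vlan1 on the L2 switch
    "5cf9.dd48.76dd": "192.168.240.21",  # server
    "000d.280c.fe1b": "192.168.240.5",   # AS5350 RAS
}

# The "debug arp" lines exactly as they appear in the post.
DEBUG_ARP = """\
000292: *Mar 1 00:21:22.819 UTC: IP ARP: creating incomplete entry for IP address: 192.168.240.131 interface Vlan1
000293: *Mar 1 00:21:22.819 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000298: *Mar 1 00:21:27.013 UTC: IP ARP: rcvd req src 192.168.240.21 5cf9.dd48.76dd, dst 192.168.240.131 Vlan1
000299: *Mar 1 00:21:27.441 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000306: *Mar 1 00:21:32.441 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000314: *Mar 1 00:21:37.449 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000323: *Mar 1 00:21:42.440 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000329: *Mar 1 00:21:47.440 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000334: *Mar 1 00:21:52.439 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000344: *Mar 1 00:21:57.447 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000350: *Mar 1 00:22:02.447 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000358: *Mar 1 00:22:07.430 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000364: *Mar 1 00:22:12.438 UTC: IP ARP: creating incomplete entry for IP address: 192.168.240.131 interface Vlan1
000365: *Mar 1 00:22:12.438 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40,dst 192.168.240.131 0000.0000.0000 Vlan1
000372: *Mar 1 00:22:17.437 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000373: *Mar 1 00:22:17.446 UTC: IP ARP: rcvd rep src 192.168.240.131 000d.280c.fe1b, dst 192.168.240.1 Vlan1
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
STAMP = re.compile(r"(\d+):(\d+):(\d+)\.(\d+) UTC: IP ARP: (.*)")
CREATE = re.compile(r"creating incomplete entry for IP address: (\S+)")
SENT = re.compile(rf"sent req src \S+ {MAC},\s*dst (\S+)")
REPLY = re.compile(rf"rcvd rep src (\S+) ({MAC}),")


def resolution_report(log, known_hosts):
    """Return {target_ip: stats} for every incomplete entry seen in the log."""
    report = {}
    for line in log.splitlines():
        stamp = STAMP.search(line)
        if not stamp:
            continue
        hours, minutes, seconds, frac, event = stamp.groups()
        millis = int(frac[:3].ljust(3, "0"))
        # Time of day in milliseconds; assumes the log does not cross midnight.
        t_ms = ((int(hours) * 60 + int(minutes)) * 60 + int(seconds)) * 1000 + millis

        created = CREATE.match(event)
        sent = SENT.match(event)
        reply = REPLY.match(event)
        if created:
            entry = report.setdefault(created.group(1), {
                "start_ms": t_ms, "creations": 0, "requests": 0,
                "delay_ms": None, "reply_mac": None, "answered_by": None,
            })
            entry["creations"] += 1  # >1 means the entry expired and was retried
        elif sent:
            entry = report.get(sent.group(1))
            if entry and entry["delay_ms"] is None:
                entry["requests"] += 1
        elif reply:
            ip, mac = reply.groups()
            entry = report.get(ip)
            if entry and entry["delay_ms"] is None:
                entry["delay_ms"] = t_ms - entry["start_ms"]
                entry["reply_mac"] = mac
                owner = known_hosts.get(mac)
                # A reply carrying another host's MAC means that host answered
                # on behalf of the target (proxy ARP).
                entry["answered_by"] = owner if owner != ip else None
    return report


if __name__ == "__main__":
    for ip, stats in resolution_report(DEBUG_ARP, KNOWN_HOSTS).items():
        print(ip, stats)
```

Run against the log from the post, the report shows how long the entry stayed incomplete, how many requests went unanswered, and that the reply carried the AS5350's MAC rather than one belonging to the client.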
Load balance not happening in BGP
Dear Friends,
As far as I know, the local BGP process may implement equal-cost load-balancing across paths that:
Have the same set of path attributes up to the MED (weight, Local Preference, Origin, MED)
Are of the same type (both learned via iBGP or eBGP)
Have the same IGP cost to reach their NEXT_HOP IP address
If the above conditions are met and maximum-paths [ibgp] is configured under the BGP process, BGP will install multiple equal-cost routes into the local RIB and use them for load-balancing. We call the above conditions the load-balancing conditions for BGP.
All the above criteria are matched, but BGP is still not load balancing. Please find the routing table below:
R1:
R1#sh ip bgp
BGP table version is 4, local router ID is 40.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i192.168.1.0 20.1.1.2 0 100 0 i
* i 30.1.1.1 0 100 0 i
R1#sh ip route
Gateway of last resort is not set
20.0.0.0/24 is subnetted, 1 subnets
R 20.1.1.0 [120/1] via 10.1.1.2, 00:00:03, FastEthernet0/0
40.0.0.0/24 is subnetted, 1 subnets
C 40.1.1.0 is directly connected, FastEthernet0/1
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
B 192.168.1.0/24 [200/0] via 20.1.1.2, 00:12:01
30.0.0.0/24 is subnetted, 1 subnets
R 30.1.1.0 [120/1] via 40.1.1.2, 00:00:15, FastEthernet0/1
router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 10.1.1.2 remote-as 100
neighbor 40.1.1.2 remote-as 100
maximum-paths 2
no auto-summary
Please help! Why is BGP not load balancing here?
R1#traceroute 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
1 10.1.1.2 88 msec 60 msec 28 msec
2 20.1.1.2 104 msec 56 msec 120 msec
Regards,
Sanjib
Dear Jon,
Thank you so much.
When I changed the configuration, BGP started load balancing. But in the configuration, Max-path is showing as 1 instead of 2.
R1#sh ip pro | sec bgp
Routing Protocol is "bgp 100"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
IGP synchronization is disabled
Automatic route summarization is disabled
Neighbor(s):
Address FiltIn FiltOut DistIn DistOut Weight RouteMap
12.1.1.2
13.1.1.3
Maximum path: 1
Routing Information Sources:
Gateway Distance Last Update
13.1.1.3 200 00:01:12
12.1.1.2 200 00:02:15
Distance: external 20 internal 200 local 200
Regards,
Sanjib -
TOC-BP-SWa#sh ip bgp neighbors 10.14.0.3 advertised-routes
BGP table version is 1674320, local router ID is 10.14.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.14.0.1/32 0.0.0.0 0 32768 i
*> 147.249.37.0/24 172.20.18.1 120 0 2001 65015 65016 64823 7381 64681 i
*> 147.249.38.0/24 172.20.18.1 120 0 2001 65015 65016 64823 7381 64681 i
*> 147.249.46.0/24 172.20.18.1 120 0 2001 65015 65016 64823 7381 12159 12159 i
*> 147.249.196.0/24 172.20.18.1 120 0 2001 65015 65016 64823 64870 65124 i
*> 147.249.237.0/24 172.20.18.1 120 0 2001 65015 65016 64823 7381 64681 i
TOC-BP-SWa#sh ip bgp neighbors 10.14.0.3 received-r
Total number of prefixes 0
TOC-BP-SWa#sh ip bgp neighbors 10.14.0.2 received-r
BGP table version is 1674320, local router ID is 10.14.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i10.14.0.2/32 10.14.0.2 0 100 0 i
* i147.249.37.0/24 10.14.0.2 0 120 0 2001 65015 65016 64823 7381 64681 i
* i147.249.38.0/24 10.14.0.2 0 120 0 2001 65015 65016 64823 7381 64681 i
* i147.249.46.0/24 10.14.0.2 0 120 0 2001 65015 65016 64823 7381 12159 12159 i
* i147.249.196.0/24 10.14.0.2 0 120 0 2001 65015 65016 64823 64870 65124 i
* i147.249.237.0/24 10.14.0.2 0 120 0 2001 65015 65016 64823 7381 64681 i
Can this output be duplicated with an OSPF command?
Not really, because OSPF does not advertise routes; it sends LSAs to its peers.
So you need to look at the OSPF database, i.e.
"sh ip ospf database"
which will show you all the LSAs the router is aware of.
In terms of all the LSAs the router has received it will show all of those but it will also show you LSAs that were generated by the router itself although the advertising router IP will point to that being the case.
In terms of all the LSAs the router advertises again it depends on the area and how that has been configured.
So for example an ABR might well have external LSAs (which aren't tied to any area in the OSPF database) but that doesn't necessarily mean it is advertising them to peers within an area as it could have been configured not to.
So it gives you a good idea but you need to also work out a few things for yourself as well.
Jon -
Strange ARP Problems with C170 and AsyncOS 9
After upgrading to AsyncOS 9.0 (Ironport C170) we have the following problem.
For better understanding a short explanation (without all network devices)
The traffic flow is
Lan --- Application Firewall ---Ironport
During a connection between the Firewall and the Ironport, the Ironport is unable to make a response.
It seems the Ironport is unable to make an arp resolution for the virtual cluster ip from the firewall.
E.g. ping from the firewall with the virtual cluster ip as source won't work.
Ping from the firewall with the physical interface as source works fine.
AsyncOS prior to version 9 has no such problems.
The ARP table shows the following entry for the virtual cluster IP (AsyncOS):
(xxx.xxx.103.254) at (incomplete) on em1 expired [ethernet]
Explanation:
xx.103.254 with mac 01:00:5e:19:67:fe = virtual cluster ip
xx.103.128 with mac 00:e0:ed:37:05:1a = physical interface ip
Ping from "xxx.103.254 Cluster IP" as source to xxx.103.135 (cisco Ironport) as destination
The ICMP packet went from the virtual cluster interface (xxx.25.103.254) with MAC address 05:1a (physical interface) to the Ironport.
The Ironport makes an ARP request...who is xxx.25.103.254?..and receives as answer the OTHER MAC address (virtual cluster interface) 67:fe.
I think the Ironport with the new AsyncOS has some trouble with these 2 different MAC addresses.
No. Time Source Destination Protocol Length Info
10 4.115231 xxx.25.103.254 xxx.25.103.135 ICMP 98 Echo (ping) request id=0xaa26, seq=0/0, ttl=64 (no response found!)
Frame 10: 98 bytes on wire (784 bits), 98 bytes captured (784 bits)
Ethernet II, Src: Silicom_37:05:1a (00:e0:ed:37:05:1a), Dst: Cisco_9c:ba:3a (50:3d:e5:9c:ba:3a)
Internet Protocol Version 4, Src: xxx.25.103.254 (xxx.25.103.254), Dst: xxx.25.103.135 (xxx.25.103.135)
Internet Control Message Protocol
No. Time Source Destination Protocol Length Info
11 4.115251 Cisco_9c:ba:3a Broadcast ARP 42 Who has xxx.25.103.254? Tell xxx.25.103.135
Frame 11: 42 bytes on wire (336 bits), 42 bytes captured (336 bits)
Ethernet II, Src: Cisco_9c:ba:3a (50:3d:e5:9c:ba:3a), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
No. Time Source Destination Protocol Length Info
12 4.115365 Silicom_37:05:1a Cisco_9c:ba:3a ARP 60 xxx.25.103.254 is at 01:00:5e:19:67:fe
Frame 12: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: Silicom_37:05:1a (00:e0:ed:37:05:1a), Dst: Cisco_9c:ba:3a (50:3d:e5:9c:ba:3a)
Any ideas?
Try a different DNS server.
Open System Preferences > Network > Advanced > DNS
Click + and type:
208.67.222.222
Click + again and do the same.
208.67.220.220
Click OK.
Then try Safari or Mail. -
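The ARP reply in frame 12 of the capture above, rebuilt and checked in an added example (not part of the original thread): it flags a sender hardware address that is a group (multicast) address and one that differs from the Ethernet source address. The first IP octet is masked in the post, so `10` is a stand-in, and the ARP target fields are assumed to be the Ironport's own MAC and IP.

```python
import struct

ETHERTYPE_ARP = 0x0806


def mac(b):
    """Format 6 raw bytes as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(eth_src, eth_dst, sha, spa, tha, tpa):
    """Build a 60-byte Ethernet II ARP reply (opcode 2), zero-padded like frame 12."""
    to_b = lambda m: bytes.fromhex(m.replace(":", ""))
    eth = to_b(eth_dst) + to_b(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += to_b(sha) + bytes(spa) + to_b(tha) + bytes(tpa)
    return (eth + arp).ljust(60, b"\x00")


def parse_arp_frame(frame):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {"eth_src": eth_src, "eth_dst": eth_dst, "oper": oper,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def arp_findings(arp):
    """Return the anomalies a receiver could hold against this ARP reply."""
    findings = []
    # The I/G bit (lowest bit of the first octet) marks a multicast/broadcast MAC.
    # RFC 1812 section 3.3.2 tells routers not to believe ARP replies that claim
    # such an address; whether AsyncOS 9 applies that rule is not stated in the post.
    if arp["sha"][0] & 0x01:
        findings.append("sender-hw-is-group-address")
    # The frame was sent from one MAC but advertises another in the ARP payload.
    if arp["sha"] != arp["eth_src"]:
        findings.append("sender-hw-differs-from-eth-src")
    return findings


# Constructed from frame 12; first IP octet (masked as "xxx" in the post) set to 10.
FIREWALL_IP, IRONPORT_IP = (10, 25, 103, 254), (10, 25, 103, 135)
FRAME_12 = build_arp_reply("00:e0:ed:37:05:1a", "50:3d:e5:9c:ba:3a",
                           "01:00:5e:19:67:fe", FIREWALL_IP,
                           "50:3d:e5:9c:ba:3a", IRONPORT_IP)
# Contrast case (constructed): the same reply advertising the physical MAC.
PHYSICAL_REPLY = build_arp_reply("00:e0:ed:37:05:1a", "50:3d:e5:9c:ba:3a",
                                 "00:e0:ed:37:05:1a", FIREWALL_IP,
                                 "50:3d:e5:9c:ba:3a", IRONPORT_IP)

if __name__ == "__main__":
    for name, frame in (("frame 12", FRAME_12), ("physical MAC", PHYSICAL_REPLY)):
        arp = parse_arp_frame(frame)
        print(name, mac(arp["sha"]), arp_findings(arp))
```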
Question about network statement in OSPF and BGP
The network statements in OSPF and BGP can be used to advertise networks. But I'm not clear under what circumstances would make more sense to use network statements to advertise a network than by using other methods to have the network learned by other routers.
Here is an example: assume I'm running BGP on router A. I want to advertise network 10.1.1.0/24 to other BGP peers. I have an OSPF route for this network. I can do 2 things: one is to use "network 10.1.1.0 mask 255.255.255.0", the other is to do "redistribute OSPF ... route-map OSPF-INTO-BGP", and create a prefix list to permit 10.1.1.0/24.
Both would work to have this network learned by other BGP peers. But which is better for what purpose?
Thanks a lot
Gary
Hi Gary,
There is one little difference between the use of the two approaches - the route injected into BGP by using a network statement will carry an Origin attribute of IGP, whereas the route injected using redistribution will have an Origin attribute of Incomplete. Now, that is not a huge issue since you can always change that to whatever value you desire both with the use of the network statement and redistribution. The important thing, however, is that in the BGP best path selection process, the Origin attribute comparison is fairly high up and will prefer a route with the attribute of IGP.
Apart from that, there is absolutely no difference between using the network statement and using redistribution with a route-map that matches exactly on the same route that you would have specified with the network statement.
I guess one advantage of using the redistribute approach is that it does not clutter up the BGP config. If you wish to add more routes, you simply add them to the prefix list so that you don't really touch the BGP config portion at all.
Hope that helps - pls do remember to rate posts that help.
Paresh -
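Where the Origin comparison sits relative to the attributes checked before it, as an added example (not from the original thread): a simplified model of the first five best-path steps in the commonly documented Cisco order, applied to the same prefix injected once by a network statement and once by redistribution. The AS numbers and path labels are constructed.

```python
from dataclasses import dataclass

# Origin codes as shown in "show ip bgp": i = IGP, e = EGP, ? = Incomplete.
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # lower rank is preferred


@dataclass(frozen=True)
class Path:
    label: str
    origin: str
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    as_path: tuple = ()


# Each step maps a path to a key where the smaller value wins.
# Only the steps up to and including Origin are modelled (MED and later are not).
STEPS = (
    ("weight", lambda p: -p.weight),
    ("local_pref", lambda p: -p.local_pref),
    ("locally_originated", lambda p: 0 if p.locally_originated else 1),
    ("as_path_length", lambda p: len(p.as_path)),
    ("origin", lambda p: ORIGIN_RANK[p.origin]),
)


def best_path(a, b):
    """Return (winner, deciding_step); deciding_step is None if all steps tie."""
    for step, key in STEPS:
        ka, kb = key(a), key(b)
        if ka != kb:
            return (a if ka < kb else b), step
    return a, None


# Constructed scenario: a third router learns 10.1.1.0/24 from two peers.
VIA_NETWORK = Path("network statement", "i", as_path=(65001,))
VIA_REDIST = Path("redistribute ospf", "?", as_path=(65002,))
# Same redistributed route, but preferred by policy on the receiving router.
VIA_REDIST_PREF = Path("redistribute ospf, local-pref 200", "?",
                       local_pref=200, as_path=(65002,))

if __name__ == "__main__":
    for a, b in ((VIA_NETWORK, VIA_REDIST), (VIA_NETWORK, VIA_REDIST_PREF)):
        winner, step = best_path(a, b)
        print(f"{a.label} vs {b.label}: {winner.label} wins on {step}")
```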
ARP issues with 3750X & 2960X Stack
Unable to consistently ping a device from the 3750x that is connected to a vlan on the 2960x stack (po1 between 3750x and 2960x). ARP statements appear normally in 3750x, where the interface vlan resides. The device is pingable through the 3750x, but not from the 3750x, even when specifying the Vlan Interface as the source.
Thanks for the help.
Connected device, then power cycled, then pinged:
lrs3750x-admin#ping 172.18.3.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.3.17, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/34 ms
lrs3750x-admin#
Then, spiked the interface, because dot1x was lacking logs and not behaving properly:
lrs3750x-admin# show arp | in 172.18.3.17
Internet 172.18.3.17 0 Incomplete ARPA
lrs3750x-admin#ping 172.18.3.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.3.17, timeout is 2 seconds:
Clear arp no longer fixes the issue for the device.
Thanks! -
BGP, VRF and PBR ("set vrf")
Hi networkers!
Requirements:
- 2 locations (OFFICE, DC) in the same town
- each having two active WAN connections (carrying individual routing domains): The default Any2Any WAN (where several other locations are connected to) and a client specific MC WAN.
- There is a high speed "metro" connection between the locations
- Targets of MC WAN must only be available from a dedicated "MC LAN" network segment
- The default route of "MC LAN" is into Any2Any. Some specific routes coming from MC WAN will overrule A2A routes
- By default, all locally generated traffic should leave into the local WAN links
- In case of a local fault, the locally generated traffic should go via "metro" link into the remote WAN links.
- Traffic between office and DC has to use the metro link.
Hardware: Cat 4500X in VSS configuration at both locations acting as router.
The challenge is with the "MC LAN" that should be fully integrated into A2A routing (communicating locally with devices in other LAN segments and remotely with other sites) but it should also communicate with some special targets of the MC WAN that all other LAN segments must not see.
The general solution that I found is to set the "MC LAN segment" into the GRT but apply "ip vrf receive VRF_MC" and "set vrf VRF_MC" as PBR for targets that should be reached via MC-WAN. It makes me a little unhappy that I have to configure a static PBR "routing" because the MC routes are already available by BGP within VRF_MC. But I have tested several other solutions (route leakage e.g.). But they did not work (route leakage for example is not possible on-device between VLANs but only between physical ports).
I put in here only the OFFICE part of the configuration. At the DC there is no "MC LAN" only "MC WAN" which is fully isolated by VRF.
We create two transfer networks at each side. One for the Metro and one for the WAN and start BGP sessions with the neighbors. Failover is guaranteed by longer AS-PATH:
vrf definition VRF_MC
description MC routing domain
rd 65500:1
address-family ipv4
exit-address-family
interface Vlan3
description MC Office
ip vrf receive VRF_MC
ip address 1.40.1.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip policy route-map MC_PBR_VRF
interface Vlan30
description WAN A2A transfer (partner 2.2.2.18 // remote-as 65293 - local AS 65502)
ip address 2.2.2.21 255.255.255.240
interface Vlan31
description WAN MC(partner 2.2.2.50 // remote-as 65293 - local AS 65502)
vrf forwarding VRF_MC
ip address 2.2.2.53 255.255.255.240
interface Vlan34
description Metro A2A transfer (partner 3.3.3.69 remote-as 65503)
ip address 3.3.3.66 255.255.255.240
interface Vlan36
description Metro MC transfer (partner 3.3.3.85 remote-as 65503)
vrf forwarding VRF_MC
ip address 3.3.3.82 255.255.255.240
router bgp 65502
bgp always-compare-med
bgp log-neighbor-changes
network 1.40.1.0 mask 255.255.255.0 <-- MC LAN
network 1.1.192.0 mask 255.255.248.0 <-- other Office LAN segments below
network 1.1.200.0 mask 255.255.248.0
network 1.1.208.0 mask 255.255.248.0
neighbor 2.2.2.18 remote-as 65293
neighbor 2.2.2.18 description to_A2A_WAN
neighbor 2.2.2.18 version 4
neighbor 2.2.2.18 remove-private-as
neighbor 2.2.2.18 soft-reconfiguration inbound
neighbor 2.2.2.18 prefix-list BGP_A2A_out out
neighbor 3.3.3.69 remote-as 65503
neighbor 3.3.3.69 description A2A_Metro_to_DC
neighbor 3.3.3.69 update-source Vlan34
neighbor 3.3.3.69 version 4
neighbor 3.3.3.69 soft-reconfiguration inbound
address-family ipv4 vrf VRF_MC
network 1.40.1.0 mask 255.255.255.0 <-- MC LAN
neighbor 2.2.2.50 remote-as 65293
neighbor 2.2.2.50 description to_MC_WAN
neighbor 2.2.2.50 version 4
neighbor 2.2.2.50 activate
neighbor 2.2.2.50 remove-private-as
neighbor 2.2.2.50 soft-reconfiguration inbound
neighbor 2.2.2.50 prefix-list BGP_MC_out out
neighbor 3.3.3.85 remote-as 65503
neighbor 3.3.3.85 description MC_Metro_to_DC
neighbor 3.3.3.85 update-source Vlan36
neighbor 3.3.3.85 activate
neighbor 3.3.3.85 soft-reconfiguration inbound
exit-address-family
route-map MC_PBR_VRF permit 10
match ip address MC_PBR_ROUTE
set vrf VRF_MC
! control BGP
ip prefix-list BGP_A2A_out seq 10 permit 1.1.192.0/21 le 32
ip prefix-list BGP_A2A_out seq 20 permit 1.1.200.0/21 le 32
ip prefix-list BGP_A2A_out seq 30 permit 1.1.208.0/21 le 32
ip prefix-list BGP_A2A_out seq 40 permit 1.40.1.0/24 le 32
! control BGP
ip prefix-list BGP_MC_out seq 10 permit 1.40.1.0/24 le 32
ip access-list extended MC_PBR_ROUTE
permit ip any 2.2.2.48 0.0.0.15
permit ip any 3.3.3.80 0.0.0.15
permit ip any 7.87.208.0 0.0.15.255
permit ip any 55.55.0.0 0.0.0.255
permit ip any host 93.93.93.93
That's all.
What is possible:
- traceroute into MC WAN from Office LAN router "traceroute vrf VRF_MC 55.55.0.83"
1 2.2.2.50 [AS 65276] 8 msec 0 msec 0 msec
2 10.10.21.189 [AS 65276] 4 msec 0 msec 4 msec
3 10.10.41.74 [AS 65276] 12 msec 8 msec 16 msec
- MC LAN is fully reachable from A2A WAN
- Metro link is used for backup and "city" traffic between office and DC.
What does not work:
- A device connected to MC LAN cannot reach any target in MC WAN. Example:
C:\Users\me>tracert -d 55.55.0.83
1 2 ms 1 ms 1 ms 2.2.2.53 <- IP local VLAN31 MC-WAN transfer net (belonging to VRF_MC)
2 <1 ms <1 ms <1 ms 2.2.2.18 <- jump back into the GTR (A2A WAN router IP)
3 1 ms 1 ms 1 ms 5.5.5.5 <- A2A WAN
What is missing?? Is my solution itself a no-go?
Additional question: There is a backup metro link with a smaller bandwidth that should be used only in case the main metro link is down. I installed a route-map to "set local-preference 20" for all routes received via this backup metro link. Is this the recommended way to implement such a backup link?
Best regards
Use the route map as a normal thing.
To match the all the ip address there should not be any match statement in the route map. -
Assistance Needed: Inter-VRF Routing with MP-BGP
hello everyone,
I've been trying to solve a problem for over a day regarding inter-vrf routing using MP-BGP and I can't seem to figure a few things out.
I have a Cisco 1921 which has VRF-JLAN and VRF-JGLOBE with 3 interfaces configured as (g0/0 = vrf JLAN, g0/1=no vrf, g0/2 = dot1q trunk to 2960S). vrf JLAN is a restricted network for users access, dns server, etc. vrf JGLOBE is for Video server and global routing table belongs to Wifi Access. I've been able to separate all the networks and I can route traffic out to the Internet from vrf JLAN and the global route table but where I'm having issues is getting vrf JGLOBE to route traffic using the Global route table.
For example: vrf JLAN should not be accessed by either Global or vrf JGLOBE. JGLOBE should be able to access vrf JLAN dns server but it should route its internet traffic via Global route table (g0/1). Last JLAN should be able to access 2 networks from the Global route table.
I've attached my config and diagram so you can better understand what I'm trying to achieve. More light to solving this problem would be much appreciated.
ip vrf JGLOBE
rd 65001:2
export map WIFI
route-target export 65001:2
ip vrf JLAN
rd 65001:1
import ipv4 unicast map C-GLOBAL
route-target export 65001:1
route-target import 65001:1
route-target import 65001:2
interface GigabitEthernet0/0
description LAN-ACCESS-INTERNET [TO Nexthop FIREWALL]
ip vrf forwarding JLAN
ip address 192.168.4.3 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip inspect INTERNET-FW out
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
interface GigabitEthernet0/1
description GLOBAL-Wifi-INTERNET [TO Nexthop - FIREWALL]
ip address 192.168.5.3 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip inspect GLOBAL-FW in
ip inspect GLOBAL-FW out
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
interface GigabitEthernet0/2.3
description Users LAN
encapsulation dot1Q 3
ip vrf forwarding JLAN
ip address 192.168.30.1 255.255.255.240
interface GigabitEthernet0/2.4
description Video Server
encapsulation dot1Q 4
ip vrf forwarding JGLOBE
ip address 10.6.40.1 255.255.255.0
router ospf 1 vrf JLAN
router-id 10.6.6.10
redistribute bgp 65001 subnets
network 0.0.0.0 255.255.255.255 area 0
router ospf 2 vrf JGLOBE
router-id 10.5.7.10
redistribute bgp 65001 subnets
network 0.0.0.0 255.255.255.255 area 0
router bgp 65001
bgp router-id 10.4.6.4
bgp log-neighbor-changes
bgp graceful-restart restart-time 120
bgp graceful-restart stalepath-time 360
bgp graceful-restart
address-family ipv4
redistribute connected
exit-address-family
address-family ipv4 vrf JGLOBE
redistribute connected
redistribute ospf 2
exit-address-family
address-family ipv4 vrf JLAN
redistribute connected
redistribute ospf 1
exit-address-family
ip dns view vrf JGLOBE default
ip dns view vrf JLAN default
ip route 0.0.0.0 0.0.0.0 192.168.5.1
ip route vrf JGLOBE 0.0.0.0 0.0.0.0 GigabitEthernet0/1 192.168.5.1
ip route vrf JLAN 0.0.0.0 0.0.0.0 192.168.4.1 name LAN_INET
ip prefix-list GLOBAL-INET seq 5 permit 0.0.0.0/0
ip prefix-list SERVER-NET seq 5 permit 10.6.40.2/32
ip prefix-list WIFI-NET seq 5 permit 10.254.0.0/22 le 32
Hi Matt
Yes, the X/32 routes need to be present in the VRF Routing-Table and if they are to be learnt statically then the MP-iBGP config for that particular VRF address-family has to redistribute static routes as well.
Regards
Varma -
HELP! Been looking at this problem all day. Have a simple BGP config on my end (below). I have no control on the other end. Recently upgraded from 2811 to 2911. IOS: c2900-universalk9-mz.SPA.151-4.M7.bin Configs on old and new routers exactly the same.
Called our ISP. They see the same debug logs, but have no clue to fix. I can ping across fine. No MTU issues. Move connections back to old 2811 BGP comes up no problem.
interface Serial0/0/0
ip address X.X.X.86 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
service-module t1 fdl ansi
no cdp enable
router bgp 65000
bgp log-neighbor-changes
network Y.Y.Y.0
network Y.Y.Y.16 mask 255.255.255.240
neighbor X.X.X.85 remote-as 2
neighbor X.X.X.85 password 7 06252C1268715E3C5139
debug
Nov 5 11:07:05.493: BGP: Selected new router ID Y.Y.Y.17 for scope global
Nov 5 11:07:05.537: BGP: Applying map to find origin for Y.Y.Y.16/28
Nov 5 11:07:05.541: BGP: Applying map to find origin for Y.Y.Y.16/28
Nov 5 11:07:05.541: BGP: Applying map to find origin for Y.Y.Y.16/28
Nov 5 11:07:05.549: BGP: nbr global X.X.X.85 Active open failed - can't get active topologies
Nov 5 11:07:05.549: BGP: nbr global X.X.X.85 Open active delayed 11264ms (35000ms max, 60% jitter)
Nov 5 11:07:06.457: BGP: X.X.X.85 passive open to X.X.X.86
Nov 5 11:07:06.461: BGP: X.X.X.85 passive went from Idle to Connect
Nov 5 11:07:06.461: BGP: ses global X.X.X.85 (0x307CA074:0) pas Setting open delay timer to 60 seconds.
Nov 5 11:07:06.461: BGP: ses global X.X.X.85 (0x307CA074:0) pas read request no-op
Nov 5 11:07:06.521: BGP: Sched timer-wheel running slow by 8 ticks
Nov 5 11:07:16.761: BGP: X.X.X.85 active went from Idle to Active
Nov 5 11:07:16.761: BGP: X.X.X.85 open active, local address X.X.X.86
Nov 5 11:07:16.773: BGP: ses global X.X.X.85 (0x30B937F4:0) act Adding topology IPv4 Unicast:base
Nov 5 11:07:16.773: BGP: ses global X.X.X.85 (0x30B937F4:0) act Send OPEN
Nov 5 11:07:16.773: BGP: X.X.X.85 active went from Active to OpenSent
Nov 5 11:07:16.773: BGP: X.X.X.85 active sending OPEN, version 4, my as: 65000, holdtime 180 seconds, ID CD464511
Nov 5 11:07:16.785: BGP: X.X.X.85 active rcv message type 3, length (excl. header) 5
Nov 5 11:07:16.785: %BGP-3-NOTIFICATION: received from neighbor X.X.X.85 active 2/8 (no supported AFI/SAFI) 3 bytes 000000
Nov 5 11:07:16.785: BGP: ses global X.X.X.85 (0x30B937F4:0) act Receive NOTIFICATION 2/8 (no supported AFI/SAFI) 3 bytes 000000
Nov 5 11:07:16.785: BGP: ses global X.X.X.85 (0x30B937F4:0) act Reset (BGP Notification received).
Nov 5 11:07:16.785: BGP: X.X.X.85 active went from OpenSent to Closing
Nov 5 11:07:16.785: BGP: nbr_topo global X.X.X.85 IPv4 Unicast:base (0x30B937F4:0) NSF delete stale NSF not active
Nov 5 11:07:16.785: BGP: nbr_topo global X.X.X.85 IPv4 Unicast:base (0x30B937F4:0) NSF no stale paths state is NSF not active
Nov 5 11:07:16.785: BGP: nbr_topo global X.X.X.85 IPv4 Unicast:base (0x30B937F4:0) Resetting ALL counters.
Nov 5 11:07:16.785: BGP: X.X.X.85 active closing
Nov 5 11:07:16.785: BGP: ses global X.X.X.85 (0x30B937F4:0) act Session close and reset neighbor X.X.X.85 topostate
Nov 5 11:07:16.785: BGP: nbr_topo global X.X.X.85 IPv4 Unicast:base (0x30B937F4:0) Resetting ALL counters.
Nov 5 11:07:16.785: BGP: X.X.X.85 active went from Closing to Idle
Nov 5 11:07:16.785: %BGP_SESSION-5-ADJCHANGE: neighbor X.X.X.85 IPv4 Unicast topology base removed from session BGP Notification received
Nov 5 11:07:16.785: BGP: ses global X.X.X.85 (0x30B937F4:0) act Removed topology IPv4 Unicast:base
Nov 5 11:07:16.785: BGP: ses global X.X.X.85 (0x30B937F4:0) act Removed last topology
Nov 5 11:07:16.785: BGP: nbr global X.X.X.85 Active open failed - existing passive session
Nov 5 11:07:16.785: BGP: nbr global X.X.X.85 Active open failed - existing passive session
From what I'm finding, AFI 2 is IPv6. This seems like it's expecting IPv6:
Nov 5 11:07:16.785: %BGP-3-NOTIFICATION: received from neighbor X.X.X.85 active 2/8 (no supported AFI/SAFI) 3 bytes 000000
I'm also seeing that SAFI 8 is multicast:
http://www.iana.org/assignments/safi-namespace/safi-namespace.xhtml
If this is the case, the settings that you have above simply wouldn't work. I would contact the ISP to see what your peer is running.
http://routing-bits.com/2009/11/26/output-101-bgp-afisafi/
HTH,
John
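RFC 4271 lays a NOTIFICATION out as a 19-byte header followed by a one-byte error code, a one-byte error subcode and optional data. The added example below (not from the original thread) decodes the `2/8 ... 3 bytes 000000` log line on that layout and rebuilds the 5-byte body reported by `rcv message type 3, length (excl. header) 5`. Its name tables cover only RFC 4271 and RFC 5492; for any other subcode the log parser keeps the text IOS printed.

```python
import re
import struct

# Error codes from RFC 4271; OPEN subcodes from RFC 4271 plus RFC 5492 (7).
ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error",
               3: "UPDATE Message Error", 4: "Hold Timer Expired",
               5: "Finite State Machine Error", 6: "Cease"}
OPEN_SUBCODES = {1: "Unsupported Version Number", 2: "Bad Peer AS",
                 3: "Bad BGP Identifier", 4: "Unsupported Optional Parameter",
                 6: "Unacceptable Hold Time", 7: "Unsupported Capability"}
MARKER = b"\xff" * 16
HEADER_LEN = 19          # marker (16) + length (2) + type (1)
TYPE_NOTIFICATION = 3

# Log line copied from the thread (addresses are masked there as X.X.X.85).
LOG_LINE = ("Nov 5 11:07:16.785: %BGP-3-NOTIFICATION: received from neighbor "
            "X.X.X.85 active 2/8 (no supported AFI/SAFI) 3 bytes 000000")
LOG_RE = re.compile(r"%BGP-3-NOTIFICATION: received from neighbor (\S+) \S+ "
                    r"(\d+)/(\d+) \((.*?)\) (\d+) bytes ([0-9A-Fa-f]*)")


def describe(code, subcode, fallback=""):
    """Name a code/subcode pair; unknown subcodes keep the router's own text."""
    code_name = ERROR_CODES.get(code, f"unknown code {code}")
    table = OPEN_SUBCODES if code == 2 else {}
    return code_name, table.get(subcode, fallback or f"subcode {subcode}")


def parse_ios_notification(line):
    """Extract neighbor, error code, subcode and data from the IOS log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a received-NOTIFICATION log line")
    neighbor, code, subcode, text, count, hexdata = m.groups()
    data = bytes.fromhex(hexdata)
    if len(data) != int(count):
        raise ValueError("data length does not match the byte count in the log")
    code_name, sub_name = describe(int(code), int(subcode), fallback=text)
    return {"neighbor": neighbor, "code": int(code), "subcode": int(subcode),
            "code_name": code_name, "subcode_name": sub_name, "data": data}


def to_wire(rec):
    """Rebuild the on-the-wire NOTIFICATION message from the logged fields."""
    body = bytes([rec["code"], rec["subcode"]]) + rec["data"]
    header = struct.pack("!HB", HEADER_LEN + len(body), TYPE_NOTIFICATION)
    return MARKER + header + body


def parse_notification(msg):
    """Parse a raw BGP NOTIFICATION, validating marker, length and type."""
    if len(msg) < HEADER_LEN + 2:
        raise ValueError("too short for a NOTIFICATION")
    marker, length, mtype = struct.unpack("!16sHB", msg[:HEADER_LEN])
    if marker != MARKER or length != len(msg) or mtype != TYPE_NOTIFICATION:
        raise ValueError("not a well-formed NOTIFICATION message")
    code, subcode = msg[HEADER_LEN], msg[HEADER_LEN + 1]
    code_name, sub_name = describe(code, subcode)
    return {"code": code, "subcode": subcode, "code_name": code_name,
            "subcode_name": sub_name, "data": msg[HEADER_LEN + 2:]}


if __name__ == "__main__":
    rec = parse_ios_notification(LOG_LINE)
    print(rec["code_name"], "/", rec["subcode_name"], rec["data"].hex())
```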