BGP As-set

Hi all,
My topology is very simple
R1 ------------------------- R2 ------------------------R3 -------------------------- R4
R1 is advertising 3 subnets. 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24. All routers are in separate AS (1,2,3,4 respectively). Performing aggregation on R3
R3
router bgp 3
  aggregate-address 192.168.0.0 255.255.0.0 summary-only
on R4
R4#show ip bgp 192.168.0.0 255.255.0.0
BGP routing table entry for 192.168.0.0/16, version 39
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
  Not advertised to any peer
  3, (aggregated by 3 3.3.3.3)
    10.1.34.3 from 10.1.34.3 (3.3.3.3)
      Origin IGP, metric 0, localpref 100, valid, external, atomic-aggregate, best
Now on R3 if I use the keyword as-set, it removes the bolded atomic-aggregate, like below
R3
aggregate-address 192.168.0.0 255.255.0.0 as-set summary-only
on R4
BGP routing table entry for 192.168.0.0/16, version 40
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
  Not advertised to any peer
  3 2 1, (aggregated by 3 3.3.3.3)
    10.1.34.3 from 10.1.34.3 (3.3.3.3)
      Origin IGP, metric 0, localpref 100, valid, external, best (its gone)
R4#
Is this normal behavior?

Yes it is. Seeing the atomic-aggregate indicates to the receiving router that there are more ASes behind the one that advertised it. You'll notice that R3 has set itself as the only AS in the path and advertised that to R4. R4 sees it, but it only knows about R3. When you set as-set on the summary, it tells R3 not to aggregate all ASes behind it, but instead to pass the complete AS path to the upstream neighbor.
HTH,
John
*** Please rate all useful posts ***
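
Added example (not part of the original thread and not Cisco's code): a small Python model of what R3 does to the AS path when it builds the aggregate, following the aggregation rules of RFC 4271. It goes beyond the thread's single-path case by also handling contributors with different AS paths; the function names and the demo inputs are constructed for illustration.

```python
"""Model of BGP aggregation with and without as-set (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Aggregate:
    prefix: str
    as_sequence: tuple      # ordered AS_SEQUENCE as the eBGP peer receives it
    as_set: frozenset       # unordered AS_SET segment (empty if none)
    atomic_aggregate: bool  # True when the ATOMIC_AGGREGATE attribute is attached
    aggregator: tuple       # (AS, router ID) of the aggregating router

    def path_str(self):
        """Render the path the way 'show ip bgp' does, AS_SET in braces."""
        parts = [str(asn) for asn in self.as_sequence]
        if self.as_set:
            parts.append("{" + ",".join(str(a) for a in sorted(self.as_set)) + "}")
        return " ".join(parts)


def common_prefix(paths):
    """Longest leading run of AS numbers shared by every contributing path."""
    lead = []
    for hops in zip(*paths):
        if len(set(hops)) != 1:
            break
        lead.append(hops[0])
    return tuple(lead)


def aggregate(prefix, contributor_paths, local_as, router_id, as_set):
    """Build the aggregate as advertised to an eBGP peer (local AS prepended)."""
    paths = [tuple(p) for p in contributor_paths]
    all_asns = {asn for p in paths for asn in p}
    if as_set:
        # Keep the shared leading sequence in order; everything else goes
        # into an unordered AS_SET so that no AS number is lost.
        seq = common_prefix(paths)
        aset = frozenset(all_asns - set(seq))
    else:
        # Path information of the contributors is discarded.
        seq, aset = (), frozenset()
    # ATOMIC_AGGREGATE marks an aggregate that left out AS numbers.
    dropped = all_asns - set(seq) - aset
    return Aggregate(prefix, (local_as,) + seq, aset, bool(dropped),
                     (local_as, router_id))


def rejected_as_loop(agg, receiver_as):
    """eBGP loop prevention: a router drops a path that contains its own AS."""
    return receiver_as in agg.as_sequence or receiver_as in agg.as_set


if __name__ == "__main__":
    # Constructed input matching the thread: R3 (AS 3) learned three /24s
    # from R2 with AS path "2 1".
    thread_paths = [(2, 1), (2, 1), (2, 1)]
    for flag in (False, True):
        agg = aggregate("192.168.0.0/16", thread_paths, 3, "3.3.3.3", as_set=flag)
        print(f"as-set={flag}: path '{agg.path_str()}', "
              f"atomic-aggregate={agg.atomic_aggregate}, "
              f"AS 1 would reject it as a loop: {rejected_as_loop(agg, 1)}")
    # Beyond the thread: contributors that arrived over different paths.
    mixed = aggregate("192.168.0.0/16", [(2, 1), (2, 5)], 3, "3.3.3.3", as_set=True)
    print(f"mixed contributors: path '{mixed.path_str()}'")
```

Without as-set, AS 1 and AS 2 no longer appear in the path, so those ASes cannot recognise the aggregate as their own routes coming back; with as-set they can.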

Similar Messages

  • Internet load sharing

     Hi,
     I want to load share traffic for my two network segments. I have two routers with each internet circuit running BGP with two different ISPs (ISP-A & ISP-B). Also running IBGP between two routers. Since I have two /24 segments (not provided by ISP), I want one segment to prefer via ISP A & other segment to prefer via ISP B. I have configured EBGP & IBGP and configured AS-path prepend but I see some asymmetric behaviour. Source traffic which prefers via ISP-A is going via it but incoming traffic is via ISP-B.
    Pls suggest how this asymmetric behaviour could be fixed.

    Hi. Pls see below config. I have ASA configured with ip x.x.x.5 so while tracing from firewall to another location public ip (USA) trace goes to router-A via ISP-A. But when I do a trace from USA to ASA it goes through ISP-B.
    Router-A#
    router bgp 132965
     bgp log-neighbor-changes
     neighbor 14.140.191.181 remote-as 4755  --- ISP- A
     neighbor X.X.X.18 remote-as 132965   ---- IBGP
     address-family ipv4
      network X.X.X.0 mask 255.255.255.0
      network Y.Y.Y.0 mask 255.255.255.0
      neighbor 14.140.191.181 activate
      neighbor 14.140.191.181 soft-reconfiguration inbound
      neighbor 14.140.191.181 route-map BGP-add out
      neighbor 14.140.191.181 maximum-prefix 1000 1
      neighbor X.X.X.18 activate
      neighbor X.X.X.18 next-hop-self
      neighbor X.X.X.18 soft-reconfiguration inbound
     exit-address-family
    ip route X.X.X.0 255.255.255.0 Null0 254
    ip route Y.Y.Y.0 255.255.255.0 X.X.X.5 name DMZ
    ip prefix-list BGP-236 seq 5 permit X.X.X.0/24
    ip prefix-list BGP-237 seq 5 permit Y.Y.Y.0/24
    route-map BGP-add permit 5
     match ip address prefix-list BGP-236
    route-map BGP-add permit 10
     match ip address prefix-list BGP-237
     set as-path prepend 132965 132965 132965 132965
    ===========================================================
    Router-B#
    router bgp 132965
     bgp log-neighbor-changes
     redistribute connected
     network X.X.X.0 mask 255.255.255.0
     network Y.Y.Y.0 mask 255.255.255.0
     neighbor X.X.X.17 remote-as 132965  --- IBGP
     neighbor X.X.X.17 next-hop-self
     neighbor X.X.X.17 soft-reconfiguration inbound
     neighbor 125.19.48.121 remote-as 9498  --- ISP-B
     neighbor 125.19.48.121 soft-reconfiguration inbound
     neighbor 125.19.48.121 route-map BGP-bhar out
     neighbor 125.19.48.121 maximum-prefix 1000 1
    ip route Y.Y.Y.0 255.255.255.0 X.X.X.5 name DMZ
    ip prefix-list BGP-236 seq 5 permit X.X.X.0/24
    ip prefix-list BGP-237 seq 5 permit Y.Y.Y.0/24
    route-map BGP-bhar permit 5
     match ip address prefix-list BGP-237
    route-map BGP-bhar permit 10
     match ip address prefix-list BGP-236
     set as-path prepend 132965 132965 132965 132965

  • MPLS-TE with PBR

    Hi,
    I'm trying some configurations of MPLS-TE with PBR in 7600 with SRC3 code and have not been able to make it work.
    I have tried CBTS and regular autoroute tunnels and they work fine but not a regular mpls-te with PBR.
    I've been following sample configurations and have still not been able to make it work.
    The lab has the following setup:
    CE1->PE1->P->PE2->CE2
    The configuration at PE1 looks like this:
    interface GigaEthernet2/1
    description Connection to CE1
    ip vrf forwarding test
    ip address 10.1.1.1 255.255.255.252
    ip policy route-map PBR_in
    interface Tunnel105
    description MPLS-TE Test
    ip unnumbered Loopback0
    mpls ip !<-- also have tried without mpls
    tunnel destination 172.16.100.22
    tunnel mode mpls traffic-eng
    tunnel mpls traffic-eng priority 3 3
    tunnel mpls traffic-eng bandwidth sub-pool 250
    tunnel mpls traffic-eng affinity 0x0 mask 0x0
    tunnel mpls traffic-eng path-option 1000 dynamic
    no routing dynamic
    route-map PBR_in permit 10
    match ip address CE_Loops
    set mpls-label !<-- also have tried without this
    set interface Tunnel105 !<-- also have tried set ip next-hop <remote-loop>
    route-map PBR_in permit 100
    ip access-list extended CE_Loops
    10 permit ip host 1.1.1.1 host 2.2.2.2
    20 permit ip host 2.2.2.2 host 1.1.1.1
    And I can see the counters of Tunnel 105 going up but no response, nor any debugging related to it.
    sh int tun 104
    Tunnel transmit bandwidth 8000 (kbps)
    Tunnel receive bandwidth 8000 (kbps)
    Last input never, output 00:00:05, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/0 (size/max)
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    2364 packets output, 168564 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 unknown protocol drops
    0 unknown protocol drops
    0 output buffer failures, 0 output buffers swapped out
    I have done "debug mpls packet" but I can't see anything related to labels going on.
    What am I missing? Is MPLS-TE with PBR really possible? How does it apply labels to the PBR packets?
    William

    Hi Shivlu,
    To have a dedicated tunnel per VPN:
    1- Static routes in the VRF should work by specifying only the tunnel interface as the outgoing interface (no next-hop).
    2- Another solution can be to change the BGP NH for each VPN:
    - You have two VPNs configured on PE1 and PE2
    - You have two TE tunnels T1 and T2 between PE1 and PE2. PE1 is the head-end
    - BGP is built over Loopback0 IP addresses as usual
    The idea is to create two new loopbacks on PE2 (L1 and L2) and to configure PE2 to use those loopbacks as BGP NH:
    ip vrf VPN1
    bgp next-hop loopback 1
    ip vrf VPN2
    bgp next-hop loopback 2
    Now PE1 will receive VPNv4 updates from PE2 with BGP NH set to L1 for VPN1 and L2 for VPN2
    On PE1 just add two static routes so each loopback will be reachable via two different TE tunnels:
    ip route L1/32 T1
    ip route L2/32 T2
    If you have other PEs with sites connected to these VPNS as well and you are not using TE tunnels, you need to redistribute L1 and L2 into the IGP so those other PEs will have a LSP to PE2 as well.
    I agree if PBR could be aware of the interface in the GRT, it would be an easier solution.
    Thanks
    Laurent.

  • Dual MPLS connection to one WAAS with inlinecard

    Hi all,
    Is it possible to use one Cisco WAAS with dual inline ports connected to two PTT routers?
    Both PTT routers are active and load balancing with BGP with local L3 switches.
    Or is it a must to use WCCP?
    Jan

    Hi Jan,
    Just because I've previously run into problems, because WAAS obfuscates sequence numbers.
    On newer (greenfield) implementations of WAAS, BGP is set to pass-through as default.
    From this link : http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v511/configuration/guide/cnfg/apx_apps.html
    If the policies are migrated from a WAAS Central Manager running versions earlier than 4.4, the default was LS+TFO+DRE - from 4.3.x the default changed to Pass-Through.
    Best Regards
    Finn Poulsen

  • Working with ICMP

    Is there a way to protect a network from the malicious use of ICMP without breaking PathMTU or disabling ping and traceroute? I usually do not add the no ip unreachables command on interfaces within my inside network but do have it on all of my interfaces on the internet facing routers. I already have an infrastructure ACL on my BGP interface set to deny all icmp packets but that is applied in the IN direction only. I'm doing a review of the config in preparation for routine maintenance and looking for some ideas.

    Hi,
    You might want to try Zone Base Firewall and only allow ICMP which ever are generated within the network.
    HTH,
    Smitesh
    Please rate helpful posts...

  • BGP, VRF and PBR ("set vrf")

    Hi networkers!
    Requirements:
    - 2 locations (OFFICE, DC) in the same town
    - each having two active WAN connections (carrying individual routing domains): The default Any2Any WAN (where several other locations are connected to) and a client specific MC WAN.
    - There is a high speed "metro" connection between the locations
    - Targets of MC WAN must only be available from a dedicated "MC LAN" network segment
    - The default route of "MC LAN" is into Any2Any. Some specific routes coming from MC WAN will overrule A2A routes
    - By default, all locally generated traffic should leave into the local WAN links
    - In case of a local fault, the locally generated traffic should go via "metro" link into the remote WAN links.
    - Traffic between office and DC has to use the metro link.
    Hardware: Cat 4500X in VSS configuration at both locations acting as router.
    The challenge is with the "MC LAN" that should be fully integrated into A2A routing (communicating locally with devices in other LAN segments and remotely with other sites) but it should also communicate with some special targets of the MC WAN that all other LAN segments must not see.
    The general solution that I found is to set the "MC LAN segment" into the GRT but apply "ip vrf receive VRF_MC" and "set vrf VRF_MC" as PBR for targets that should be reached via MC-WAN. It makes me a little unhappy that I have to configure a static PBR "routing" because the MC routes are already available by BGP within VRF_MC. But I have tested several other solutions (route leakage e.g.). But they did not work (route leakage for example is not possible on-device between VLANs but only between physical ports).
    I put in here only the OFFICE part of the configuration. At the DC there is no "MC LAN" only "MC WAN" which is fully isolated by VRF.
    We create two transfer networks at each side. One for the Metro and one for the WAN and start BGP sessions with the neighbors. Failover is guaranteed by longer AS-PATH:
    vrf definition VRF_MC
    description MC routing domain
    rd 65500:1
    address-family ipv4
    exit-address-family
    interface Vlan3
    description MC Office
    ip vrf receive VRF_MC
    ip address 1.40.1.1 255.255.255.0
    no ip redirects
    no ip proxy-arp
    ip policy route-map MC_PBR_VRF
    interface Vlan30
    description WAN A2A transfer (partner 2.2.2.18 // remote-as 65293 - local AS 65502)
    ip address 2.2.2.21 255.255.255.240
    interface Vlan31
    description WAN MC(partner 2.2.2.50 // remote-as 65293 - local AS 65502)
    vrf forwarding VRF_MC
    ip address 2.2.2.53 255.255.255.240
    interface Vlan34
    description Metro A2A transfer (partner 3.3.3.69 remote-as 65503)
    ip address 3.3.3.66 255.255.255.240
    interface Vlan36
    description Metro MC transfer (partner 3.3.3.85 remote-as 65503)
    vrf forwarding VRF_MC
    ip address 3.3.3.82 255.255.255.240
    router bgp 65502
    bgp always-compare-med
    bgp log-neighbor-changes
    network 1.40.1.0 mask 255.255.255.0        <-- MC LAN
    network 1.1.192.0 mask 255.255.248.0       <-- other Office LAN segments below
    network 1.1.200.0 mask 255.255.248.0
    network 1.1.208.0 mask 255.255.248.0
    neighbor 2.2.2.18 remote-as 65293
    neighbor 2.2.2.18 description to_A2A_WAN
    neighbor 2.2.2.18 version 4
    neighbor 2.2.2.18 remove-private-as
    neighbor 2.2.2.18 soft-reconfiguration inbound
    neighbor 2.2.2.18 prefix-list BGP_A2A_out out
    neighbor 3.3.3.69 remote-as 65503
    neighbor 3.3.3.69 description A2A_Metro_to_DC
    neighbor 3.3.3.69 update-source Vlan34
    neighbor 3.3.3.69 version 4
    neighbor 3.3.3.69 soft-reconfiguration inbound
    address-family ipv4 vrf VRF_MC
      network 1.40.1.0 mask 255.255.255.0         <-- MC LAN
      neighbor 2.2.2.50 remote-as 65293
      neighbor 2.2.2.50 description to_MC_WAN
      neighbor 2.2.2.50 version 4
      neighbor 2.2.2.50 activate
      neighbor 2.2.2.50 remove-private-as
      neighbor 2.2.2.50 soft-reconfiguration inbound
      neighbor 2.2.2.50 prefix-list BGP_MC_out out
      neighbor 3.3.3.85 remote-as 65503
      neighbor 3.3.3.85 description MC_Metro_to_DC
      neighbor 3.3.3.85 update-source Vlan36
      neighbor 3.3.3.85 activate
      neighbor 3.3.3.85 soft-reconfiguration inbound
    exit-address-family
    route-map MC_PBR_VRF permit 10
    match ip address MC_PBR_ROUTE
    set vrf VRF_MC
    ! control BGP
    ip prefix-list BGP_A2A_out seq 10 permit 1.1.192.0/21 le 32
    ip prefix-list BGP_A2A_out seq 20 permit 1.1.200.0/21 le 32
    ip prefix-list BGP_A2A_out seq 30 permit 1.1.208.0/21 le 32
    ip prefix-list BGP_A2A_out seq 40 permit 1.40.1.0/24 le 32
    ! control BGP
    ip prefix-list BGP_MC_out seq 10 permit 1.40.1.0/24 le 32
    ip access-list extended MC_PBR_ROUTE
    permit ip any 2.2.2.48 0.0.0.15
    permit ip any 3.3.3.80 0.0.0.15
    permit ip any 7.87.208.0 0.0.15.255
    permit ip any 55.55.0.0 0.0.0.255
    permit ip any host 93.93.93.93
    That's all.
    What is possible:
    - traceroute into MC WAN from Office LAN router "traceroute vrf VRF_MC 55.55.0.83"
      1 2.2.2.50 [AS 65276] 8 msec 0 msec 0 msec
      2 10.10.21.189 [AS 65276] 4 msec 0 msec 4 msec
      3 10.10.41.74 [AS 65276] 12 msec 8 msec 16 msec
    - MC LAN is fully reachable from A2A WAN
    - Metro link is used for backup and "city" traffic between office and DC.
    What does not work:
    - A device connected to MC LAN cannot reach any target in MC WAN. Example:
    C:\Users\me>tracert -d 55.55.0.83
      1     2 ms     1 ms     1 ms  2.2.2.53 <- IP local VLAN31 MC-WAN transfer net (belonging to VRF_MC)
      2    <1 ms    <1 ms    <1 ms  2.2.2.18 <- jump back into the GRT (A2A WAN router IP)
      3     1 ms     1 ms     1 ms  5.5.5.5  <- A2A WAN
    What is missing?? Is my solution itself a no-go?
    Additional question: There is a backup metro link with a smaller bandwidth that should be used only in case the main metro link is down. I installed a route-map to "set local-preference 20" for all routes received via this backup metro link. Is this the recommended way to implement such a backup link?
    Best regards

    Use the route map as a normal thing.
    To match all the IP addresses there should not be any match statement in the route map.

  • Does editing a pre-fix set for bgp in IOS-XR cause a loss of network connectivity

    Hi,
    I have to edit an existing prefix-set for BGP in IOS-XR. When I went to do it the first time it told me it would wipe the existing information so I aborted the change.
    I have since read that you need to redo the whole list and add the new network you want.
    For example.
    existing
    prefix-set TEST
      10.10.10.0/24,
      11.11.11.0/24
    end-set
    new
    prefix-set TEST
      10.10.10.0/24,
      11.11.11.0/24,
      12.12.12.0/24
    end-set
    1st) is the above correct?
    2nd) when this is done will there be any drops in connectivity?
    Thank you.

    1) It is correct. When you create the new prefix-set with the same name as the old one, it overwrites the old one. Meaning that it won't "append" to the old config, it creates a new prefix-set from scratch.
    2) Depends on where you are referencing the prefix-set. For example, on a BGP route-policy, there won't be any drop in BGP connectivity; you might even have to do a soft refresh in and out to refresh the advertised/filtered routes.

  • How does set metric-type internal (bgp) work?

    I can't realise how the command "set metric-type internal" works.
    BGP announcements to eBGP use the IGP next-hop metric as the MED.
    Does the IGP mean only IS-IS?
    Does OSPF use it?
    Will you tell me how to use it? Give me an example. Thanks

    Hi,
    This command can be used into two different contexts:
    1- Redistribution into ISIS
    When you are redistributing routes into ISIS, you have the choice to set the metric-type as internal (between 0 and 64) or external (between 65 and 128)
    Internal metrics are always preferred over external metrics
    2- Set the MED to reflect IGP cost to the NH on eBGP updates
    You are receiving an iBGP update and before sending it to your eBGP peers, you want the MED for that prefix set to your IGP cost to the iBGP peer announcing this prefix.
    In this case the IGP can be anything.
    This command is not necessary if you are redistributing the route into BGP directly instead of receiving them from iBGP. In such case, the MED reflects by default the IGP cost of the redistributed prefix.
    HTH
    Laurent.

  • Load balance not happening in BGP

    Dear Friends,
    As far as I know, the local BGP process may implement equal-cost load-balancing to the paths that:
    Have the same set of path attributes up to the MED (weight, Local Preference, Origin, MED)
    Are of the same type (both learned via iBGP or eBGP)
    Have the same IGP cost to reach their NEXT_HOP IP address
    If the above conditions are met and maximum-paths [ibgp] is configured under the BGP process, BGP will install multiple equal-cost routes into the local RIB and use them for load-balancing. We call the above condition the load-balancing conditions for BGP.
    As all the above criteria are matched still BGP is not doing load balance. Please find below routing table:
    R1:
    R1#sh ip bgp
    BGP table version is 4, local router ID is 40.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *>i192.168.1.0      20.1.1.2                 0    100      0 i
    * i                        30.1.1.1                 0    100      0 i
    R1#sh ip route
    Gateway of last resort is not set
         20.0.0.0/24 is subnetted, 1 subnets
    R       20.1.1.0 [120/1] via 10.1.1.2, 00:00:03, FastEthernet0/0
         40.0.0.0/24 is subnetted, 1 subnets
    C       40.1.1.0 is directly connected, FastEthernet0/1
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.1.1.0 is directly connected, FastEthernet0/0
    B    192.168.1.0/24 [200/0] via 20.1.1.2, 00:12:01
         30.0.0.0/24 is subnetted, 1 subnets
    R       30.1.1.0 [120/1] via 40.1.1.2, 00:00:15, FastEthernet0/1
    router bgp 100
    no synchronization
    bgp log-neighbor-changes
    neighbor 10.1.1.2 remote-as 100
    neighbor 40.1.1.2 remote-as 100
    maximum-paths 2
    no auto-summary
    Please help....!!!!!!!   why BGP is not load balancing here????
    R1#traceroute 192.168.1.1
    Type escape sequence to abort.
    Tracing the route to 192.168.1.1
      1 10.1.1.2 88 msec 60 msec 28 msec
      2 20.1.1.2 104 msec 56 msec 120 msec
    Regards,
    Sanjib

    Dear Jon,
    Thank you so much.
    When I changed the configuration BGP is now load balancing. But in the configuration Max-path is showing as 1 instead of 2.
    R1#sh ip pro | sec bgp
    Routing Protocol is "bgp 100"
      Outgoing update filter list for all interfaces is not set
      Incoming update filter list for all interfaces is not set
      IGP synchronization is disabled
      Automatic route summarization is disabled
      Neighbor(s):
        Address          FiltIn FiltOut DistIn DistOut Weight RouteMap
        12.1.1.2                                            
        13.1.1.3                                            
    Maximum path: 1
      Routing Information Sources:
        Gateway         Distance      Last Update
        13.1.1.3             200      00:01:12
        12.1.1.2             200      00:02:15
      Distance: external 20 internal 200 local 200
    Regards,
    Sanjib

  • BGP Path Selection

    With reference to cisco's document on BGP Best Path Selection Algorithm (http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13753-25.html).
    Out of the given 9 paths, why has the 6th been selected even though the AS_PATH for the 8th route is better?
    Can anyone explain here, as this document has not considered the AS-PATH during path selection and used lowest ROUTER ID only.
    Thanks in advance and expect technical explanation here.

    Hey Buddy
    The AS_PATH for both is only 1, don't get confused by (AS_SET) which only counts as 1 no matter how many AS are in the set.  Refer to section "How the Best Path Algorithm Works"
    4.Prefer the path with the shortest AS_PATH.
    Note: Be aware of these items:
    ◦An AS_SET counts as 1, no matter how many ASs are in the set.
    So bearing the above in mind
    Example: BGP Best Path Selection
    Path6
      (64955 65003) 65089 --- this equals 1
        172.16.254.226 (metric 20645) from 10.57.255.11 (10.57.255.11)
          Origin IGP, metric 0, localpref 100, valid, confed-external, best
          Extended Community: RT:1100:1001
          mpls labels in/out nolabel/362
    !--- BGP selects this as the Best Path on comparing
    !--- with all the other routes and selected based on lower router ID.
    Path8
      (65003) 65089 --- this equals 1
        172.16.254.226 (metric 20645) from 172.16.254.234 (172.16.254.234)
          Origin IGP, metric 0, localpref 100, valid, confed-external
          Extended Community: RT:1100:1001
          mpls labels in/out nolabel/362
    Comparing path 6 with path 8:
     Both paths have reachable next hops
     Both paths have a WEIGHT of 0
     Both paths have a LOCAL_PREF of 100
     Both paths are learned
     Both paths have AS_PATH length 1 --- because the (AS_SET) always equals 1
     Both paths are of origin IGP
     Both paths have the same neighbor AS, 65089, so comparing MED.
     Both paths have a MED of 0
     Both paths are confed-external
     Both paths have an IGP metric to the NEXT_HOP of 20645
    Path 6 is better than path 8 because it has a lower Router-ID.
    Hope it helps (:
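
Added example (not from the thread or from the Cisco document): a Python sketch of the comparison walked through above, using the attribute values shown for path 6 and path 8. It assumes Cisco's display convention, where parentheses and square brackets mark confederation segments (not counted in the AS_PATH length) and braces mark an AS_SET (counted as 1); only the attribute steps listed in the post are implemented, and the dictionary layout and function names are constructed for illustration.

```python
"""AS_PATH length and a reduced best-path comparison (constructed example)."""
import ipaddress
import re

# One token is a "(...)" confederation sequence, a "[...]" confederation set,
# a "{...}" AS_SET, or a bare AS number.
TOKEN = re.compile(r"\([^)]*\)|\[[^\]]*\]|\{[^}]*\}|\d+")


def as_path_length(path):
    """Length used by the 'shortest AS_PATH' step for a Cisco-style path string."""
    length = 0
    for tok in TOKEN.findall(path):
        if tok[0] in "([":
            continue      # confederation segments are not counted
        length += 1       # a bare AS counts 1; a whole AS_SET also counts 1
    return length


ORIGIN_RANK = {"IGP": 0, "EGP": 1, "incomplete": 2}

# Each step returns a sort key where the lower value wins.
# MED is compared directly because both paths share neighbor AS 65089.
STEPS = [
    ("WEIGHT", lambda p: -p["weight"]),
    ("LOCAL_PREF", lambda p: -p["local_pref"]),
    ("AS_PATH length", lambda p: as_path_length(p["as_path"])),
    ("origin", lambda p: ORIGIN_RANK[p["origin"]]),
    ("MED", lambda p: p["med"]),
    ("IGP metric to NEXT_HOP", lambda p: p["igp_metric"]),
    ("router ID", lambda p: int(ipaddress.IPv4Address(p["router_id"]))),
]


def compare(a, b):
    """Return (name of the winning path, step that decided it)."""
    for step, key in STEPS:
        ka, kb = key(a), key(b)
        if ka != kb:
            return (a if ka < kb else b)["name"], step
    return a["name"], "tie"


# Values copied from the two paths quoted in the post.
PATH6 = {"name": "Path6", "as_path": "(64955 65003) 65089", "weight": 0,
         "local_pref": 100, "origin": "IGP", "med": 0,
         "igp_metric": 20645, "router_id": "10.57.255.11"}
PATH8 = {"name": "Path8", "as_path": "(65003) 65089", "weight": 0,
         "local_pref": 100, "origin": "IGP", "med": 0,
         "igp_metric": 20645, "router_id": "172.16.254.234"}

if __name__ == "__main__":
    for p in (PATH6, PATH8):
        print(p["name"], "AS_PATH length:", as_path_length(p["as_path"]))
    print("winner and deciding step:", compare(PATH6, PATH8))
```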

  • How to prevent BGP code 6 (Cease) subcode 6 (Other Configuration Change)

    Can anyone tell How to prevent BGP code 6 (Cease) subcode 6 (Other Configuration Change) ?
    We are facing frequent problem with this error. Please suggest how to stop this.... 
    Note :- We are using BGP VPN between these peers.
    Logs :
    Date/Time     : 2015-04-30 00:49:40+05:30
     State         : Up
     Date/Time     : 2015-04-30 00:39:05+05:30
     State         : Down
     Error Code    : 6(CEASE)
     Error Subcode : 6(Other Configuration Change)
     Notification  : Send Notification
     Date/Time     : 2015-04-29 18:22:11+05:30
     State         : Up
     Date/Time     : 2015-04-29 18:21:39+05:30
     State         : Down
     Error Code    : 6(CEASE)
     Error Subcode : 6(Other Configuration Change)
     Notification  : Send Notification

    on the same dates you mean the same request are posted in IT2001? ie both full days?
    Please clarify
    usually the Time collision checks are followed only via posting using report rptarqpost and not while applying through portal in ESS
    This is very strange you indicate
    SO you need to check the basic tables first
    You may need to check the collision.
    Collisions Tables V_T554Y and V_554Y_B reaction indicators.
    and V_T508A
    able T582A set to time constraint of "Z
    In backend Pa30 collision works like this
    1) the logical collision, checks if there is an overlap in the validity
    interval of the IT´s (begda, endda).
    2) the physical collision, checks if there is an overlap in the time
    interval of the IT's.
    In the logical collision it is checked if there is an overlap in the
    validity interval if at least one of the records is a full-day
    ( that is the case when you enter a Daily Work Schedule (DWS) )
    So when one of the records has a DWS it is considered to be a full day
    record and the logical collision is taken into consideration.
    If instead you enter the only the time interval manually the records
    are considered to be partial-day and the physical collision is
    performed. In that case only the time interval is important.
    So if the clock times are not entered the physical collision can not
    take place.
    The collision functionality is always based on clock times and dates,
    never on the total nr of hours.
    Edited by: Siddharth Rajora on Sep 21, 2011 4:57 PM

  • Nexus 7010 bgp state change alert not triggered to NNM

    Hi ,
    BGP state change alert not triggered  to NNM on  Nexus -7010 for Monitoring.
    Details of the Device:
    Nexus 7010 :     
    Software
      BIOS:      version 3.22.0
      kickstart: version 5.1(3)
      system:    version 5.1(3)
    BGP neighbor status :
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    172.16.1.2      4 65505 5089234 5194515    51359    0    0     6w2d 391
    172.16.1.3      4 65505 5044293 5146859    51359    0    0    30w4d 378
    172.31.11.3     4 15404  120744  114811    51359    0    0     1w6d 1
    172.31.42.3     4 65501 5261796 5264413    51359    0    0    2d06h 0
    Snmp trap enabled:
    snmp-server user admin network-admin auth md5 0x690c4ede8a88ba7f2de791dbe7a77f0a
    priv 0x690c4ede8a88ba7f2de791dbe7a77f0a localizedkey
    snmp-server host 172.30.0.55 traps version 2c xxxx
    snmp-server enable traps bgp
    Downloaded cisco-bgp4-mib version, bgp4-mib tried and performed snmpwalk  as given below
    nnmsnmpwalk.ovpl -c xxx 172.31.15.130 .1.3.6.1.4.1.9.9.187.0.6
    Error : No MIB objects contained under subtree
    nnmsnmpwalk.ovpl -v 2 -c xxx 172.31.15.130 .1.3.6.1.2.1.15.3.
    No MIB objects contained under subtree
    Kindly advise to resolve the issue
    Regards
    Hari

    You can set an alert for Warning State. This is feasible.
    Juke Chou
    TechNet Community Support

  • Serial interfaces, ip vrf forwarding, and PBR with set vrf

    I am doing some work with VRF-lite but I am having some trouble with serial interfaces. I have a PE router with a serial interface where I want to take incoming traffic and using policy-based routing send the traffic to the appropriate VRF. I want to assign the serial interface itself to be in one of those VRFs, not the global routing table. Eventually, I also want to overlap the VPNs/VRFs to send traffic going out the serial interface through the VRF assigned to the serial interface. Initially, it looks something like this:
    ip vrf VRF1
    rd 65000:3
    route-target export 65000:3
    ip vrf VRF2
    rd 65000:18
    route-target import 65000:3
    ip route vrf VRF1 10.90.51.0 255.255.255.0 192.168.11.18
    interface Serial0/0/0
    ip vrf forwarding VRF1
    ip address 192.168.11.17 255.255.255.252
    router bgp 65000
    no synchronization
    bgp log-neighbor-changes
    no auto-summary
    address-family ipv4 vrf VRF1
    redistribute static
    no auto-summary
    no synchronization
    exit-address-family
    ip access-list extended remote-source
    permit ip 10.90.0.0 0.0.255.255 any
    route-map SERIAL-INCOMING permit 100
    match ip address remote-source
    set vrf VRF2
    But if I try to turn on the policy based routing at the serial interface, I get an error:
    Router(conf)#interface Serial0/0/0
    Router(config-if)#ip policy route-map SERIAL-INCOMING
    % Can not apply route-map SERIAL-INCOMING to this interface
    % Either remove 'set vrf' from route-map or unconfigure 'ip vrf forward'
    I can sort of get around the problem by using an "ip vrf receive" instead of "ip vrf forward", but unfortunately, that leaves my Serial interface in the global table which isn't what I wanted.
    What troubles me is that I can do this without any problems on an Ethernet interface. Are there any known issues with "ip vrf forward" and using PBR and "set vrf" on Serial interfaces, or have I configured something wrong?
    If I stick with the "ip vrf receive", how can I force the physical Serial interface into the appropriate VRF?
    Thanks.
    Clarke Morledge
    College of William and Mary

    Upon further investigation....
    The serial interface issue was a red herring. It just so happens that every other time I've done this it has been on a flavor of 12.2x on a 6500/7600 where this feature is supported. The only systems I have with Serial interfaces are 1841s.
    The problem with the 1841 is that most of the code revisions out there do not support this feature. It was only added to the regular code train with the recent release of 12.2(24)T. I tested with 12.2(24)T1 and you are now able to use "ip vrf forwarding" on all interfaces along with a PBR route-map that uses the "set vrf" option.
    Thanks, Laurent, for pointing me towards the TAC on this.
    Clarke Morledge
    College of William and Mary

  • Best Practice Two ISPs and BGP

    Hello Experts.
    I was wanting to hear opinions for the best way to setup two ISR4431's with two 2960x's and two ASA firewalls.
    My current design is:
    ISP1 router -> ISR4431-A ->{2960x pair} -> ASA-A
    ISP2 router -> ISR4431-B ->{2960x pair} -> ASA-B
    Currently using public BGP and HSRP on the inside with an SLA monitor to a public IP.
    If HSRP is the best way to accomplish this, how do i solve these two problems or is there a better design? (The two 4431's are not connected to each other currently.)
    -Least Cost routing (I guess that is what it's called) - I want to visit a website that is located on ISP2's network (or close to it), but HSRP currently has ISP1 as active. If I go out ISP1 it may go around the country or 10 hops before it hits a site that is 4 hops away on the other ISP.
    -Asymmetric routing - I think that is where a reply comes in the non-active ISP - how do I prevent that.
    I am really just looking for design advice about the best way to use this hardware to create as much redundancy as possible and best performance possible. If you could just share your opinion of "I would use ____" or give me a stamp of reassurance on the above design and any opinion on the two problems.
    Thanks for the time!

    Hi,
    If you are running BGP with the service providers, you need an IBGP link between the 2 ISR-4431 routers. If for example you want traffic to go out using sp-1 and come back using the same provider you need to use AS path prepending, so sp-2 sees a longer path to your network and so traffic goes out and comes back through the same provider. In this case you use sp-2 as backup link, if not you can be dealing with asymmetric routing. In addition, for HSRP/VRRP to work both routers should be connecting to the set of 2960x switches. You can simply stack the 2960x switches so they logically look as one device. The same should go for the firewalls. They should connect to the switch stack.
    HTH

  • BGP stuck in opensent state

    HELP! Been looking at this problem all day. Have a simple BGP config on my end (below). I have no control on the other end. Recently upgraded from 2811 to 2911.  IOS: c2900-universalk9-mz.SPA.151-4.M7.bin  Configs on old and new routers exactly the same.
    Called our ISP. They see the same debug logs, but have no clue how to fix it. I can ping across fine. No MTU issues. When I move the connections back to the old 2811, BGP comes up with no problem.
    interface Serial0/0/0
     ip address X.X.X.86 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     service-module t1 fdl ansi
     no cdp enable
    router bgp 65000
     bgp log-neighbor-changes
     network Y.Y.Y.0
     network Y.Y.Y.16 mask 255.255.255.240
     neighbor X.X.X.85 remote-as 2
     neighbor X.X.X.85 password 7 06252C1268715E3C5139
    debug
    Nov  5 11:07:05.493: BGP: Selected new router ID Y.Y.Y.17 for scope global
    Nov  5 11:07:05.537: BGP: Applying map to find origin for Y.Y.Y.16/28
    Nov  5 11:07:05.541: BGP: Applying map to find origin for Y.Y.Y.16/28
    Nov  5 11:07:05.541: BGP: Applying map to find origin for Y.Y.Y.16/28
    Nov  5 11:07:05.549: BGP: nbr global X.X.X.85 Active open failed - can't get active topologies
    Nov  5 11:07:05.549: BGP: nbr global X.X.X.85 Open active delayed 11264ms (35000ms max, 60% jitter)
    Nov  5 11:07:06.457: BGP: X.X.X.85 passive open to X.X.X.86
    Nov  5 11:07:06.461: BGP: X.X.X.85 passive went from Idle to Connect
    Nov  5 11:07:06.461: BGP: ses global X.X.X.85 (0x307CA074:0) pas Setting open delay timer to 60 seconds.
    Nov  5 11:07:06.461: BGP: ses global X.X.X.85 (0x307CA074:0) pas read request no-op
    Nov  5 11:07:06.521: BGP: Sched timer-wheel running slow by 8 ticks
    Nov  5 11:07:16.761: BGP: X.X.X.85 active went from Idle to Active
    Nov  5 11:07:16.761: BGP: X.X.X.85 open active, local address X.X.X.86
    Nov  5 11:07:16.773: BGP: ses global X.X.X.85 (0x30B937F4:0) act Adding topology IPv4 Unicast:base
    Nov  5 11:07:16.773: BGP: ses global X.X.X.85 (0x30B937F4:0) act Send OPEN
    Nov  5 11:07:16.773: BGP: X.X.X.85 active went from Active to OpenSent
    Nov  5 11:07:16.773: BGP: X.X.X.85 active sending OPEN, version 4, my as: 65000, holdtime 180 seconds, ID CD464511
    Nov  5 11:07:16.785: BGP: X.X.X.85 active rcv message type 3, length (excl. header) 5
    Nov  5 11:07:16.785: %BGP-3-NOTIFICATION: received from neighbor X.X.X.85 active 2/8 (no supported AFI/SAFI) 3 bytes 000000
    Nov  5 11:07:16.785: BGP: ses global X.X.X.85 (0x30B937F4:0) act Receive NOTIFICATION 2/8 (no supported AFI/SAFI) 3 bytes 000000
    Nov  5 11:07:16.785: BGP: ses global X.X.X.85 (0x30B937F4:0) act Reset (BGP Notification received).
    Nov  5 11:07:16.785: BGP: X.X.X.85 active went from OpenSent to Closing
    Nov  5 11:07:16.785: BGP: nbr_topo global X.X.X.85 IPv4 Unicast:base (0x30B937F4:0) NSF delete stale NSF not active
    Nov  5 11:07:16.785: BGP: nbr_topo global X.X.X.85 IPv4 Unicast:base (0x30B937F4:0) NSF no stale paths state is NSF not active
    Nov  5 11:07:16.785: BGP: nbr_topo global X.X.X.85 IPv4 Unicast:base (0x30B937F4:0) Resetting ALL counters.
    Nov  5 11:07:16.785: BGP: X.X.X.85 active closing
    Nov  5 11:07:16.785: BGP: ses global X.X.X.85 (0x30B937F4:0) act Session close and reset neighbor X.X.X.85 topostate
    Nov  5 11:07:16.785: BGP: nbr_topo global X.X.X.85 IPv4 Unicast:base (0x30B937F4:0) Resetting ALL counters.
    Nov  5 11:07:16.785: BGP: X.X.X.85 active went from Closing to Idle
    Nov  5 11:07:16.785: %BGP_SESSION-5-ADJCHANGE: neighbor X.X.X.85 IPv4 Unicast topology base removed from session  BGP Notification received
    Nov  5 11:07:16.785: BGP: ses global X.X.X.85 (0x30B937F4:0) act Removed topology IPv4 Unicast:base
    Nov  5 11:07:16.785: BGP: ses global X.X.X.85 (0x30B937F4:0) act Removed last topology
    Nov  5 11:07:16.785: BGP: nbr global X.X.X.85 Active open failed - existing passive session
    Nov  5 11:07:16.785: BGP: nbr global X.X.X.85 Active open failed - existing passive session

    From what I'm finding, AFI 2 is IPv6. This seems like it's expecting IPv6:
    Nov  5 11:07:16.785: %BGP-3-NOTIFICATION: received from neighbor X.X.X.85 active 2/8 (no supported AFI/SAFI) 3 bytes 000000
    I'm also seeing that SAFI 8 is multicast:
    http://www.iana.org/assignments/safi-namespace/safi-namespace.xhtml
    If this is the case, the settings that you have above simply wouldn't work. I would contact the ISP to see what your peer is running.
    http://routing-bits.com/2009/11/26/output-101-bgp-afisafi/
    HTH,
    John
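
    Added example, not part of the thread: a small Python parser for the debug lines posted above. It rebuilds the state path of each connection (active and passive) and splits the 2/8 in the %BGP-3-NOTIFICATION line into the error code and error subcode fields of a NOTIFICATION message, naming the error code from RFC 4271 and keeping the router's own text for the subcode. The function and variable names are chosen here, and the regular expressions assume the IOS log format exactly as shown in the post.

```python
import re

# RFC 4271 section 4.5: NOTIFICATION error codes (the first number of the "2/8" pair).
ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error",
               3: "UPDATE Message Error", 4: "Hold Timer Expired",
               5: "Finite State Machine Error", 6: "Cease"}

# Sample input: six lines taken from the debug output quoted in the thread.
SAMPLE_LOG = """\
Nov  5 11:07:06.461: BGP: X.X.X.85 passive went from Idle to Connect
Nov  5 11:07:16.761: BGP: X.X.X.85 active went from Idle to Active
Nov  5 11:07:16.773: BGP: X.X.X.85 active went from Active to OpenSent
Nov  5 11:07:16.785: %BGP-3-NOTIFICATION: received from neighbor X.X.X.85 active 2/8 (no supported AFI/SAFI) 3 bytes 000000
Nov  5 11:07:16.785: BGP: X.X.X.85 active went from OpenSent to Closing
Nov  5 11:07:16.785: BGP: X.X.X.85 active went from Closing to Idle
"""

# Assumption: line layout as in the post (peer, then "active"/"passive", then the event).
TRANSITION = re.compile(
    r"BGP: (?P<peer>\S+) (?P<role>active|passive) went from (?P<old>\w+) to (?P<new>\w+)")
NOTIFICATION = re.compile(
    r"%BGP-3-NOTIFICATION: received from neighbor (?P<peer>\S+) (?P<role>active|passive) "
    r"(?P<code>\d+)/(?P<sub>\d+) \((?P<text>[^)]*)\) (?P<n>\d+) bytes ?(?P<data>[0-9A-Fa-f]*)")

def parse_debug(log):
    """Return ({(peer, role): [states...]}, [notification dicts]) in log order."""
    paths, notes = {}, []
    for line in log.splitlines():
        m = TRANSITION.search(line)
        if m:
            # First sighting of a connection seeds the path with its starting state.
            path = paths.setdefault((m["peer"], m["role"]), [m["old"]])
            path.append(m["new"])
            continue
        m = NOTIFICATION.search(line)
        if m:
            code = int(m["code"])
            state = paths.get((m["peer"], m["role"]), ["unknown"])[-1]
            notes.append({
                "peer": m["peer"], "role": m["role"], "code": code,
                "subcode": int(m["sub"]), "code_name": ERROR_CODES.get(code, "unassigned"),
                "router_text": m["text"],            # router's description, kept verbatim
                "data": bytes.fromhex(m["data"]),    # NOTIFICATION data field
                "state_when_received": state})       # FSM state of that connection
    return paths, notes

if __name__ == "__main__":
    for item in parse_debug(SAMPLE_LOG):
        print(item)
```

    On the sample lines, the NOTIFICATION is attributed to the active connection while it was in OpenSent, and the passive connection is never seen leaving Connect.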
