BGP issue?

I don't understand "bgp deterministic-med" and "bgp bestpath med confed" on page 300 of the TCP/IP Vol. 2 book.
I read it today, but everything about deterministic MED was confusing! Please explain if you have time.
Thanks in advance.
Bye,
Anand Solgama

Hi,
The bgp deterministic-med command ensures the comparison of the MED variable when choosing routes advertised by different peers in the same autonomous system, and the bgp always-compare-med command ensures the comparison of the MED for paths from neighbors in different autonomous systems.
But there is a sequence of comparison that depends on whether both are enabled or only one of them is. Please follow the link below; it will help you understand the MED comparison.
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094925.shtml
If you have any BGP query you can also refer to my Ask the Expert event:
https://supportforums.cisco.com/discussion/11945706/configuring-and-troubleshooting-border-gateway-protocol-bgp
Thanks & Regards
Sandeep
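To make Sandeep's description concrete, here is a small Python model of the part of the decision process the two knobs affect. It is an added example, not code from the post or from Cisco: the three paths are constructed, and only MED, eBGP-over-iBGP, IGP metric and router ID are modelled (weight, local preference, origin and AS_PATH length are taken as equal; confederation MED handling is not modelled). Running the same three paths through every possible arrival order shows that the default pairwise sweep can end up with any of the three as best, that bgp deterministic-med makes the result independent of arrival order, and what bgp always-compare-med changes on top of that.

```python
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Path:
    name: str
    neighbor_as: int    # first AS in the AS_PATH; MED only means something between paths from the same one
    med: int
    external: bool      # learned over eBGP (True) or iBGP (False)
    igp_metric: int     # IGP cost to reach the NEXT_HOP
    router_id: str      # final tie-breaker


def prefer(x, y, always_compare_med=False):
    """Pairwise decision between two paths. Only the steps that differ in this example
    are modelled; weight, LOCAL_PREF, origin and AS_PATH length are assumed equal."""
    if always_compare_med or x.neighbor_as == y.neighbor_as:
        if x.med != y.med:
            return x if x.med < y.med else y
    if x.external != y.external:
        return x if x.external else y
    if x.igp_metric != y.igp_metric:
        return x if x.igp_metric < y.igp_metric else y
    return x if x.router_id < y.router_id else y


def bestpath_default(paths, always_compare_med=False):
    """Default behaviour: one pairwise sweep through the paths in table order, so MED
    is only consulted when the two candidates compared at that moment share a neighbor AS."""
    best = paths[0]
    for p in paths[1:]:
        best = prefer(best, p, always_compare_med)
    return best


def bestpath_deterministic_med(paths, always_compare_med=False):
    """bgp deterministic-med: group paths by neighbor AS, pick the best inside each
    group (MED is always comparable there), then compare the group winners."""
    groups = {}
    for p in paths:
        groups.setdefault(p.neighbor_as, []).append(p)
    winners = [bestpath_default(group, always_compare_med) for group in groups.values()]
    return bestpath_default(winners, always_compare_med)


def outcomes(paths, chooser, always_compare_med=False):
    """Set of winners over every possible arrival order of the same paths."""
    return {chooser(list(order), always_compare_med).name for order in permutations(paths)}


# Constructed paths, not taken from the page: A and C come from the same neighbor AS.
PATHS = [
    Path("A", neighbor_as=65001, med=100, external=False, igp_metric=10, router_id="1.1.1.1"),
    Path("B", neighbor_as=65002, med=150, external=False, igp_metric=5,  router_id="2.2.2.2"),
    Path("C", neighbor_as=65001, med=200, external=True,  igp_metric=0,  router_id="3.3.3.3"),
]

if __name__ == "__main__":
    print("default sweep:                     ", outcomes(PATHS, bestpath_default))
    print("deterministic-med:                 ", outcomes(PATHS, bestpath_deterministic_med))
    print("deterministic-med + always-compare:", outcomes(PATHS, bestpath_deterministic_med, True))
```

With the default sweep the winner is A, B or C depending purely on the order the paths were received: A beats C on MED, B beats A on IGP metric, and C beats B for being external, so whichever pair is compared last decides. deterministic-med settles A versus C first inside the AS 65001 group and then compares A with B, giving B every time; adding always-compare-med lets that last comparison use MED as well, so A wins. In this simplified model always-compare-med on its own also removes the order dependence, because MED then takes part in every comparison; the Cisco note linked above nevertheless recommends turning deterministic-med on.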

Similar Messages

  • BGP Issue In MPLS Network

    We have a gateway router which is running a public AS and has direct peering with the service provider. We also work as an MPLS SP and provide Internet services to our esteemed clients. Now I am facing one issue: a customer comes in at a remote POP which runs BGP with a private AS number, and the customer itself has a global AS number with his own IP pool. For that I created a peering with my gateway router by putting a route for the loopback and created an eBGP peering. Now when the customer pool is advertised by my gateway it does not get the reverse path.
    Kindly give your suggestions or designs on how eBGP can be used with the gateway router in case the SP is running MPLS.
    regards
    shivlu jain

    Shivlu,
    It's not clear why you have a private AS at one of your POPs, while you could have the same public AS configured and run an iBGP session between your POPs. If you have multiple POPs then you can go for a route-reflector design.
    The second point: if you mean what type of Internet access, then you can have one of the following:
    1- Classic Internet Access.
    2- a dedicated Vrf for Internet Access.
    HTH
    Mohamed

  • BGP issue on cisco 1905

    Hello All,
    I am facing an issue with BGP. I configured BGP on a Cisco 1905 but
    the BGP neighborship is not forming.
    I am attaching my show tech and BGP debug. Please help me out on this.

    Hi Manoj,
    This error message basically indicates that the two BGP neighbors didn't agree on some of the capabilities configured under the BGP configuration. This is as per RFC 2842 for Capabilities Advertisement with BGP-4. I am pasting the paragraph below that explains this:
    "If a BGP speaker that supports a certain capability determines that
       its peer doesn't support this capability, the speaker may send a
       NOTIFICATION message to the peer, and terminate peering. The Error
       Subcode in the message is set to Unsupported Capability. The message
       should contain the capability (capabilities) that causes the speaker
       to send the message.  The decision to send the message and terminate
       peering is local to the speaker.  Such peering should not be re-
       established automatically."
    http://www.faqs.org/rfcs/rfc2842.html
    Because the new code you are running supports capabilities that your other peers do not, please add the following command on the router for the peer that is not coming up:
    neighbor x.x.x.x dont-capability-negotiate
    If you are using prefix lists for your peer you can use this command as well
    no neighbor x.x.x.x capabilities orf prefix-list both
    Hope it will help.
    Regards
    Syed.
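The exchange Syed describes, as an added Python example that is not part of the post or of any Cisco code: a router running newer code sends an OPEN whose Capabilities optional parameter (RFC 2842, now RFC 5492) lists multiprotocol, route-refresh, ORF and 4-octet-AS; a peer that does not support ORF answers with a NOTIFICATION, error code 2 (OPEN Message Error), subcode 7 (Unsupported Capability), carrying the offending capability, and the session never comes up. The same code shows why both commands in the reply work: dropping the ORF capability, or sending no capabilities at all (which is what dont-capability-negotiate does), lets the OPEN through. The AS number, router ID and the set of capabilities are constructed; the parser checks the marker and every length field so a malformed OPEN from a peer is rejected rather than read past its end.

```python
import socket
import struct

# BGP framing per RFC 4271; the Capabilities optional parameter per RFC 2842 (now RFC 5492).
MARKER = b"\xff" * 16
OPEN, NOTIFICATION = 1, 3
CAPABILITIES_PARAM = 2
CAP_MULTIPROTOCOL, CAP_ROUTE_REFRESH, CAP_ORF, CAP_FOUR_OCTET_AS = 1, 2, 3, 65
OPEN_MESSAGE_ERROR, UNSUPPORTED_CAPABILITY = 2, 7   # NOTIFICATION error code / subcode


def build_open(my_as, hold_time, router_id, capabilities):
    """Build an OPEN. capabilities is a list of (code, value) pairs; an empty list is
    what a router sends once capability negotiation has been switched off."""
    caps = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in capabilities)
    params = struct.pack("!BB", CAPABILITIES_PARAM, len(caps)) + caps if caps else b""
    body = struct.pack("!BHH4sB", 4, my_as, hold_time,
                       socket.inet_aton(router_id), len(params)) + params
    return MARKER + struct.pack("!HB", 19 + len(body), OPEN) + body


def _tlvs(buf):
    """Yield (type, value) from 1-byte type / 1-byte length / value triplets,
    refusing any length that runs past the end of the buffer."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated TLV header")
        kind, length = buf[i], buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length runs past end of buffer")
        yield kind, value
        i += 2 + length


def parse_open(msg):
    """Parse an OPEN, checking the marker and every length field before trusting it."""
    if len(msg) < 29 or msg[:16] != MARKER:
        raise ValueError("bad marker or short message")
    length, kind = struct.unpack("!HB", msg[16:19])
    if kind != OPEN or length != len(msg):
        raise ValueError("not an OPEN, or length field disagrees with the bytes received")
    version, my_as, hold, rid, optlen = struct.unpack("!BHH4sB", msg[19:29])
    if 29 + optlen != len(msg):
        raise ValueError("optional parameter length disagrees with message length")
    caps = []
    for ptype, pval in _tlvs(msg[29:]):
        if ptype == CAPABILITIES_PARAM:
            caps.extend(_tlvs(pval))
    return {"version": version, "as": my_as, "hold_time": hold,
            "router_id": socket.inet_ntoa(rid), "capabilities": caps}


def build_notification(unsupported):
    """NOTIFICATION listing the capabilities the speaker cannot support (RFC 2842/5492)."""
    data = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in unsupported)
    body = struct.pack("!BB", OPEN_MESSAGE_ERROR, UNSUPPORTED_CAPABILITY) + data
    return MARKER + struct.pack("!HB", 19 + len(body), NOTIFICATION) + body


def respond_to_open(locally_supported, peer_open):
    """What the receiving speaker does with an OPEN: tear the session down with a
    NOTIFICATION if it lists a capability this speaker lacks, otherwise accept and
    report the capability codes both sides share."""
    parsed = parse_open(peer_open)
    unsupported = [(c, v) for c, v in parsed["capabilities"] if c not in locally_supported]
    if unsupported:
        return "NOTIFICATION", build_notification(unsupported)
    return "ACCEPT", sorted({c for c, _ in parsed["capabilities"]} & locally_supported)


# Constructed scenario: the router with new code advertises four capabilities; the
# peer with old code knows only three of them (no Outbound Route Filtering).
NEW_ROUTER_CAPS = [
    (CAP_MULTIPROTOCOL, b"\x00\x01\x00\x01"),      # AFI 1 (IPv4), reserved, SAFI 1 (unicast)
    (CAP_ROUTE_REFRESH, b""),
    (CAP_ORF, b"\x00\x01\x00\x01\x01\x40\x03"),     # IPv4 unicast, one ORF type: 64 = address prefix, send+receive
    (CAP_FOUR_OCTET_AS, struct.pack("!I", 65001)),
]
OLD_PEER_SUPPORTS = {CAP_MULTIPROTOCOL, CAP_ROUTE_REFRESH, CAP_FOUR_OCTET_AS}

if __name__ == "__main__":
    for label, caps in [("full capability set", NEW_ROUTER_CAPS),
                        ("no orf prefix-list capability", [c for c in NEW_ROUTER_CAPS if c[0] != CAP_ORF]),
                        ("dont-capability-negotiate", [])]:
        print(label, "->", respond_to_open(OLD_PEER_SUPPORTS, build_open(65001, 180, "10.1.13.3", caps)))
```

The first run yields a NOTIFICATION whose data is the single ORF capability, which is the information a peer's debug output carries when this happens; the other two runs are accepted. Note that the RFC text Syed quotes says such a peering "should not be re-established automatically", which is why the fix has to be a configuration change on one side rather than waiting for a retry.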

  • BGP route-reflector next-hop issue

    Hello,
    I have a small GNS3 lab that is working with one exception: I cannot ping loopback0 on RRc2 and RRc3 from RRc1.
    RRc1, RRc2 and RRc3 can all ping loopback0 on SmileyISP and RRc2 and RRc3 can ping each others loopback0
    interfaces.
    I am broken between the two route-reflectors: RRS1 and RRS2.
    Given these conditions:
    1) Do not configure any IGP.
    2) No static routes
    How do I get connectivity from RRc1's loopback0 interface to RRc2 loopback0 and RRc3 loopback0?
    I used a route-map to set the next hop, but I am obviously doing something wrong.
    I am providing relevant show command outputs, router configs, and the GNS3 topology.net config.
    You will have to change the image and working directories to match your computer.
    Not quite sure where I am going wrong.
    Any help would be greatly appreciated.
    Thanks.
    -- Mark
    RRc1#sh ip bgp
    BGP table version is 53, local router ID is 172.16.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found
         Network          Next Hop            Metric LocPrf Weight Path
     *>i 1.1.1.0/24       10.1.25.5                0    100      0 100 i
     *>i 10.1.12.0/24     10.1.26.2                0    100      0 i
     *>i 10.1.13.0/24     10.1.12.1                0    100      0 i
     *>i 10.1.14.0/24     10.1.12.1                0    100      0 i
     *>i 10.1.15.0/24     10.1.12.1                0    100      0 i
     *>i 10.1.25.0/24     10.1.26.2                0    100      0 i
     * i 10.1.26.0/24     10.1.26.2                0    100      0 i
     *>                   0.0.0.0                  0         32768 i
     *>  172.16.1.0/24    0.0.0.0                  0         32768 i
     *>i 172.16.2.0/24    10.1.12.1                0    100      0 i
     *>i 172.16.3.0/24    10.1.12.1                0    100      0 i
    RRc1#
    RRc1#ping 172.16.2.1 so lo0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
    Packet sent with a source address of 172.16.1.1
    Success rate is 0 percent (0/5)
    RRc1#
    RRc2#sh ip bgp
    BGP table version is 31, local router ID is 172.16.2.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found
         Network          Next Hop            Metric LocPrf Weight Path
     *>i 1.1.1.0/24       10.1.15.5                0    100      0 100 i
     * i 10.1.12.0/24     10.1.12.2                0    100      0 i
     * i 10.1.13.0/24     10.1.13.1                0    100      0 i
     *>                   0.0.0.0                  0         32768 i
     *>i 10.1.14.0/24     10.1.13.1                0    100      0 i
     *>i 10.1.15.0/24     10.1.13.1                0    100      0 i
     * i 10.1.25.0/24     10.1.12.2                0    100      0 i
     * i 10.1.26.0/24     10.1.12.2                0    100      0 i
     * i 172.16.1.0/24    10.1.12.2                0    100      0 i
     *>  172.16.2.0/24    0.0.0.0                  0         32768 i
     *>i 172.16.3.0/24    10.1.14.4                0    100      0 i
    RRc2#
    SmileyISP#sh run
    Building configuration...
    Current configuration : 988 bytes
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    hostname SmileyISP
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    interface Loopback0
     ip address 1.1.1.1 255.255.255.0
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex half
    interface FastEthernet1/0
     ip address 10.1.15.5 255.255.255.0
     speed auto
     duplex auto
    interface FastEthernet1/1
     ip address 10.1.25.5 255.255.255.0
     speed auto
     duplex auto
    router bgp 100
     bgp log-neighbor-changes
     network 1.1.1.0 mask 255.255.255.0
     network 10.1.15.0 mask 255.255.255.0
     neighbor 10.1.15.1 remote-as 200
     neighbor 10.1.25.2 remote-as 200
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    control-plane
    line con 0
     logging synchronous
     transport preferred none
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
     login
    end
    RRS1#sh run
    Building configuration...
    Current configuration : 1594 bytes
    ! Last configuration change at 19:24:34 UTC Sat Feb 7 2015
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    hostname RRS1
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex half
    interface FastEthernet1/0
     ip address 10.1.15.1 255.255.255.0
     speed auto
     duplex auto
    interface FastEthernet1/1
     ip address 10.1.12.1 255.255.255.0
     speed auto
     duplex auto
    interface FastEthernet2/0
     ip address 10.1.13.1 255.255.255.0
     speed auto
     duplex auto
    interface FastEthernet2/1
     ip address 10.1.14.1 255.255.255.0
     speed auto
     duplex auto
    router bgp 200
     bgp log-neighbor-changes
     network 10.1.13.0 mask 255.255.255.0
     network 10.1.14.0 mask 255.255.255.0
     network 10.1.15.0 mask 255.255.255.0
     neighbor RouteReflectors peer-group
     neighbor RouteReflectors remote-as 200
     neighbor RouteReflectors route-map NEXTHOP out
     neighbor RRClients peer-group
     neighbor RRClients remote-as 200
     neighbor RRClients route-reflector-client
     neighbor 10.1.12.2 peer-group RouteReflectors
     neighbor 10.1.13.3 peer-group RRClients
     neighbor 10.1.14.4 peer-group RRClients
     neighbor 10.1.15.5 remote-as 100
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    route-map NEXTHOP permit 10
     set ip next-hop peer-address
    control-plane
    line con 0
     logging synchronous
     transport preferred none
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
     login
    end
    RRS2#sh ru
    Building configuration...
    Current configuration : 1542 bytes
    ! Last configuration change at 19:42:06 UTC Sat Feb 7 2015
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    hostname RRS2
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex half
    interface FastEthernet1/0
     ip address 10.1.12.2 255.255.255.0
     speed auto
     duplex auto
    interface FastEthernet1/1
     ip address 10.1.25.2 255.255.255.0
     speed auto
     duplex auto
    interface FastEthernet2/0
     ip address 10.1.26.2 255.255.255.0
     speed auto
     duplex auto
    interface FastEthernet2/1
     no ip address
     shutdown
     speed auto
     duplex auto
    router bgp 200
     bgp log-neighbor-changes
     network 10.1.12.0 mask 255.255.255.0
     network 10.1.25.0 mask 255.255.255.0
     network 10.1.26.0 mask 255.255.255.0
     neighbor RouteReflectors peer-group
     neighbor RouteReflectors remote-as 200
     neighbor RouteReflectors route-map NEXTHOP out
     neighbor RRClients peer-group
     neighbor RRClients remote-as 200
     neighbor RRClients route-reflector-client
     neighbor 10.1.12.1 peer-group RouteReflectors
     neighbor 10.1.25.5 remote-as 100
     neighbor 10.1.26.6 peer-group RRClients
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    route-map NEXTHOP permit 10
     set ip next-hop peer-address
    control-plane
    line con 0
     logging synchronous
     transport preferred none
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
     login
    end
    RRc1#sh run
    Building configuration...
    Current configuration : 1005 bytes
    ! Last configuration change at 18:43:57 UTC Sat Feb 7 2015
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    hostname RRc1
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    interface Loopback0
     ip address 172.16.1.1 255.255.255.0
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex half
    interface FastEthernet1/0
     ip address 10.1.26.6 255.255.255.0
     speed auto
     duplex auto
    interface FastEthernet1/1
     no ip address
     shutdown
     speed auto
     duplex auto
    router bgp 200
     bgp log-neighbor-changes
     network 10.1.26.0 mask 255.255.255.0
     network 172.16.1.0 mask 255.255.255.0
     neighbor 10.1.26.2 remote-as 200
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    control-plane
    line con 0
     logging synchronous
     transport preferred none
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
     login
    end
    RRc2#sh run
    Building configuration...
    Current configuration : 1005 bytes
    ! Last configuration change at 18:45:05 UTC Sat Feb 7 2015
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    hostname RRc2
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    interface Loopback0
     ip address 172.16.2.1 255.255.255.0
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex half
    interface FastEthernet1/0
     ip address 10.1.13.3 255.255.255.0
     speed auto
     duplex auto
    interface FastEthernet1/1
     no ip address
     shutdown
     speed auto
     duplex auto
    router bgp 200
     bgp log-neighbor-changes
     network 10.1.13.0 mask 255.255.255.0
     network 172.16.2.0 mask 255.255.255.0
     neighbor 10.1.13.1 remote-as 200
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    control-plane
    line con 0
     logging synchronous
     transport preferred none
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
     login
    end
    RRc3#wr term
    Building configuration...
    Current configuration : 1005 bytes
    ! Last configuration change at 18:31:12 UTC Sat Feb 7 2015
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    hostname RRc3
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    interface Loopback0
     ip address 172.16.3.1 255.255.255.0
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex half
    interface FastEthernet1/0
     ip address 10.1.14.4 255.255.255.0
     speed auto
     duplex auto
    interface FastEthernet1/1
     no ip address
     shutdown
     speed auto
     duplex auto
    router bgp 200
     bgp log-neighbor-changes
     network 10.1.14.0 mask 255.255.255.0
     network 172.16.3.0 mask 255.255.255.0
     neighbor 10.1.14.1 remote-as 200
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    control-plane
    line con 0
     logging synchronous
     transport preferred none
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
     login
    end
    autostart = False
    version = 0.8.6
    [127.0.0.1:7202]
        workingdir = C:\Users\Mark\AppData\Local\Temp
        udp = 10200
        [[7200]]
            image = C:\downloads\GNS3\c7200-adventerprisek9-mz.152-4.S5.image
            idlepc = 0x62f1e4ec
            ghostios = True
        [[ROUTER SmileyISP]]
            console = 2005
            aux = 2100
            cnfg = configs\SmileyISP.cfg
            slot1 = PA-2FE-TX
            f1/0 = RRS1 f1/0
            f1/1 = RRS2 f1/1
        [[ROUTER RRc1]]
            console = 2015
            aux = 2101
            cnfg = configs\RRc1.cfg
            slot1 = PA-2FE-TX
            f1/0 = RRS2 f2/0
    [127.0.0.1:7200]
        workingdir = C:\Users\Mark\AppData\Local\Temp
        udp = 10000
        [[7200]]
            image = C:\downloads\GNS3\c7200-adventerprisek9-mz.152-4.S5.image
            idlepc = 0x62f1e4ec
            ghostios = True
        [[ROUTER RRS1]]
            console = 2012
            aux = 2102
            cnfg = configs\RRS1.cfg
            slot1 = PA-2FE-TX
            f1/0 = SmileyISP f1/0
            f1/1 = RRS2 f1/0
            slot2 = PA-2FE-TX
            f2/0 = RRc2 f1/0
            f2/1 = RRc3 f1/0
        [[ROUTER RRS2]]
            console = 2013
            aux = 2103
            cnfg = configs\RRS2.cfg
            slot1 = PA-2FE-TX
            f1/0 = RRS1 f1/1
            f1/1 = SmileyISP f1/1
            slot2 = PA-2FE-TX
            f2/0 = RRc1 f1/0
    [127.0.0.1:7201]
        workingdir = C:\Users\Mark\AppData\Local\Temp
        udp = 10100
        [[7200]]
            image = C:\downloads\GNS3\c7200-adventerprisek9-mz.152-4.S5.image
            idlepc = 0x62f1e4ec
            ghostios = True
        [[ROUTER RRc3]]
            console = 2009
            aux = 2104
            cnfg = configs\RRc3.cfg
            slot1 = PA-2FE-TX
            f1/0 = RRS1 f2/1
        [[ROUTER RRc2]]
            console = 2008
            aux = 2105
            cnfg = configs\RRc2.cfg
            slot1 = PA-2FE-TX
            f1/0 = RRS1 f2/0
    [GNS3-DATA]
        configs = configs
        (diagram annotations only: the labels "AS100" and "AS200", the link subnets 10.1.12.0/24, 10.1.13.0/24, 10.1.14.0/24, 10.1.15.0/24, 10.1.25.0/24 and 10.1.26.0/24, the loopbacks l0: 1.1.1.1/24, 172.16.1.1/24, 172.16.2.1/24 and 172.16.3.1/24, the .1/.2/.3/.4/.5/.6 host labels, and four ellipses outlining the AS boundaries; the drawing coordinates carry no topology information and are omitted)

    BD,
    Ahh...
    OK.  In the original article, the author states that the final piece with the route map
    NEXTHOP was supposed to fix the reachability issue.  Obviously it doesn't.
    After reading your last post, I looked more carefully at the output from 'sh ip bgp'
    on each of the client routers and I realized that several of the next hop addresses were
    wrong for some of the prefixes.
    1) I completely removed the 'neighbor RouteReflectors route-map NEXTHOP out'
    from both RR's.  Then I ran 'sh ip bgp' on the clients and noted a change in the next hop addresses.  Still wrong, but it changed.
    2) I then tried next-hop-self from the RR's to the clients, but it did not change from where
    it was after I completed step 1.  I am not sure why there was no change. (actually, see the very end of this post)
    3) I then applied my version of the route map:
        route-map NEXTHOP permit 10
         set ip next-hop peer-address
    to the RR's with this: neighbor RRClients route-map NEXTHOP out
    That fixed it.  All three clients have as their next hop for all prefixes their respective
    RR's (which is what they should have for this topology).
    I have full connectivity everywhere, even loopback to loopback between all clients.
    1) THANK YOU for pointing me in the right direction.
    2) If I may ask, why did next hop self fail?  More specifically, I saw no change at all
    in the next hop for the advertised prefixes.  Is it because next-hop-self should be used
    for eBGP peers and all of the RR's and clients are all within the same AS?

  • BGP prefix list weird issue

    Hello All,
    I'm working on a BGP prefix-list configuration and I'm seeing a strange issue.
    Issue: as per the configuration we have defined the prefix list to filter the incoming subnets. Though a specific subnet is not allowed by the prefix list, the router is allowing the subnet into the BGP table from the neighbour.
    configuration:
    ip prefix-list TEST seq 5 permit 10.61.64.0/19 ge 24 le 24
    The subnet below is not allowed by the prefix list, but I'm seeing it in the BGP table as the best path.
    10.61.192.0/23
    Can anybody help me understand what the issue could be? Is it a bug? Is there anything wrong with the configuration?
    Thanks,
    Thiyagu

    Hi,
    After applying the prefix-list, try soft resetting the BGP neighbor and test again:
    clear ip bgp XX soft in
    HTH
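Since the reply only says to soft-reset, here is the matching rule itself as an added Python example (not from the post and not IOS code), applying the TEST entry from the post to a constructed set of received prefixes. An entry with ge/le matches when the candidate's first 19 bits equal 10.61.64.0/19 and its length lies between ge and le inclusive, so 10.61.192.0/23 fails on both counts (10.61.192.0 is outside 10.61.64.0 to 10.61.95.255, and /23 is not /24), and a list with no matching entry denies. A prefix that is denied by this rule but still sits in the table as best is consistent with the filter not yet having been applied to the session, which is what the soft reset fixes.

```python
import ipaddress


def parse_prefix_list(config_lines):
    """Parse IOS 'ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]' lines
    into {name: [(seq, action, network, ge, le), ...]} sorted by sequence number."""
    lists = {}
    for line in config_lines:
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"] or len(tok) < 7 or tok[3] != "seq":
            continue
        name, seq, action = tok[2], int(tok[4]), tok[5]
        network = ipaddress.ip_network(tok[6], strict=False)
        ge = le = None
        for key, value in zip(tok[7::2], tok[8::2]):
            if key == "ge":
                ge = int(value)
            elif key == "le":
                le = int(value)
        lists.setdefault(name, []).append((seq, action, network, ge, le))
    for entries in lists.values():
        entries.sort(key=lambda entry: entry[0])
    return lists


def entry_matches(entry, candidate):
    """IOS semantics: the candidate's first <prefix-length> bits must equal the entry's
    prefix, and the candidate's length must fall inside the ge/le window. With neither
    ge nor le the length must match exactly; ge alone means ge..max; le alone means len..le."""
    _seq, _action, network, ge, le = entry
    if candidate.version != network.version:
        return False
    low = ge if ge is not None else network.prefixlen
    high = le if le is not None else (network.max_prefixlen if ge is not None else network.prefixlen)
    if not (network.prefixlen <= low <= candidate.prefixlen <= high):
        return False
    return candidate.network_address in network


def permitted(entries, prefix):
    """First matching entry decides; a list with no matching entry denies."""
    candidate = ipaddress.ip_network(prefix, strict=False)
    for entry in entries:
        if entry_matches(entry, candidate):
            return entry[1] == "permit"
    return False


def filter_inbound(entries, received):
    """The prefixes that survive an inbound prefix-list, in the order received."""
    return [p for p in received if permitted(entries, p)]


CONFIG = ["ip prefix-list TEST seq 5 permit 10.61.64.0/19 ge 24 le 24"]   # from the post
# Constructed set of prefixes received from the neighbour, including the one from the post.
RECEIVED = ["10.61.64.0/24", "10.61.95.0/24", "10.61.70.0/25",
            "10.61.64.0/19", "10.61.192.0/23", "10.61.128.0/24"]

if __name__ == "__main__":
    entries = parse_prefix_list(CONFIG)["TEST"]
    for p in RECEIVED:
        print(f"{p:16s} {'permit' if permitted(entries, p) else 'deny'}")
```

Only 10.61.64.0/24 and 10.61.95.0/24 pass: 10.61.70.0/25 is too long for le 24, 10.61.64.0/19 is too short for ge 24, and 10.61.192.0/23 and 10.61.128.0/24 lie outside the /19. If the router shows one of the denied prefixes as best after the soft reset, check that the prefix-list is applied with "neighbor X prefix-list TEST in" on the session that actually carries the route.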

  • Bgp path selection issue

    hi,
    i have the following cli show command output,
    R2#show bgp ipv4 unicast
    BGP table version is 11, local router ID is 192.168.220.252
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    * i192.168.30.0     192.168.110.70           0    100      0 63000 i
    *>                  192.168.220.70           0             0 63000 63000 i
    * i192.168.40.0     192.168.110.70           0    100      0 63000 63000 i
    *>                  192.168.220.70           0             0 63000 i
    R2#
    Why isn't the route through the shortest AS path selected as the best route for 192.168.30.0?
    thanks,
    uddika

    R2#
    R2#
    R2#show ip bgp 192.168.30.0
    BGP routing table entry for 192.168.30.0/24, version 7
    Paths: (2 available, best #2, table Default-IP-Routing-Table)
      Advertised to update-groups:
         2         
      63000
        192.168.110.70 (inaccessible) from 192.168.111.251 (192.168.111.251)
          Origin IGP, metric 0, localpref 100, valid, internal
      63000 63000, (received & used)
        192.168.220.70 from 192.168.220.70 (192.168.220.70)
          Origin IGP, metric 0, localpref 100, valid, external, best
    R2#
    R2#
    Thanks, I noticed that R2 does not have a route for the next hop, 192.168.110.70.
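Both Mark's lab and Uddika's R2 come down to the same check: a BGP path is only usable if its NEXT_HOP resolves in the RIB, and with no IGP and no statics the RIB holds nothing but connected networks plus whatever BGP manages to install. The Python below is an added example, not from either post: it parses the show ip bgp tables copied from the posts (RRc1, RRc2 and R2), seeds the RIB with each router's connected networks (taken from the RRc1 and RRc2 configs; the page shows no config for R2, so treating 192.168.220.0/24 as its only connected network is an assumption), and reports the paths whose next hop never becomes reachable. On RRc1 everything resolves, which matches its table; on RRc2 the four paths via 10.1.12.2 do not, which is why they carry * but no > and why nothing can get back to 172.16.1.1; on R2 the two paths via 192.168.110.70 are exactly the ones IOS reports as (inaccessible).

```python
import ipaddress
import re

# One row of 'show ip bgp': status flags, then a network (absent on the continuation
# rows that list extra paths to the previous network), then the next hop.
ROW = re.compile(
    r"^\s?([*sdhrS][*>sdhrSmbfxaci ]{0,3}?)\s*"
    r"(\d+\.\d+\.\d+\.\d+(?:/\d+)?)?\s+(\d+\.\d+\.\d+\.\d+)\s")


def classful(prefix):
    """IOS prints a classful network without its mask; put the mask back."""
    if "/" in prefix:
        return prefix
    first_octet = int(prefix.split(".")[0])
    return f"{prefix}/{8 if first_octet < 128 else 16 if first_octet < 192 else 24}"


def parse_bgp_table(text):
    """Return [(network, next_hop), ...] for every path in the table."""
    rows, last_network = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        network = classful(m.group(2)) if m.group(2) else last_network
        if network is None:
            continue
        last_network = network
        rows.append((network, m.group(3)))
    return rows


def resolvable_paths(rows, connected_prefixes):
    """Paths whose next hop resolves. The RIB starts with the connected networks only
    (no IGP, no statics) and grows as BGP paths become usable, so resolution is
    recursive through other BGP routes; a path may not resolve through its own prefix
    unless that prefix is connected. Next hop 0.0.0.0 means locally originated."""
    connected = {ipaddress.ip_network(p) for p in connected_prefixes}
    rib = set(connected)
    usable, changed = set(), True
    while changed:
        changed = False
        for network, next_hop in rows:
            if (network, next_hop) in usable:
                continue
            net = ipaddress.ip_network(network)
            if next_hop == "0.0.0.0":
                ok = True
            else:
                hop = ipaddress.ip_address(next_hop)
                ok = any(hop in r for r in rib if r != net or r in connected)
            if ok:
                usable.add((network, next_hop))
                rib.add(net)
                changed = True
    return usable


def inaccessible_next_hops(table_text, connected_prefixes):
    """Paths IOS keeps as valid (*) but never makes best (>), and that
    'show ip bgp <prefix>' flags as '(inaccessible)'."""
    rows = parse_bgp_table(table_text)
    return set(rows) - resolvable_paths(rows, connected_prefixes)


# Tables copied from the posts above (headers and banners omitted).
RRC1_TABLE = """\
 *>i 1.1.1.0/24       10.1.25.5                0    100      0 100 i
 *>i 10.1.12.0/24     10.1.26.2                0    100      0 i
 *>i 10.1.13.0/24     10.1.12.1                0    100      0 i
 *>i 10.1.14.0/24     10.1.12.1                0    100      0 i
 *>i 10.1.15.0/24     10.1.12.1                0    100      0 i
 *>i 10.1.25.0/24     10.1.26.2                0    100      0 i
 * i 10.1.26.0/24     10.1.26.2                0    100      0 i
 *>                   0.0.0.0                  0         32768 i
 *>  172.16.1.0/24    0.0.0.0                  0         32768 i
 *>i 172.16.2.0/24    10.1.12.1                0    100      0 i
 *>i 172.16.3.0/24    10.1.12.1                0    100      0 i
"""
RRC2_TABLE = """\
 *>i 1.1.1.0/24       10.1.15.5                0    100      0 100 i
 * i 10.1.12.0/24     10.1.12.2                0    100      0 i
 * i 10.1.13.0/24     10.1.13.1                0    100      0 i
 *>                   0.0.0.0                  0         32768 i
 *>i 10.1.14.0/24     10.1.13.1                0    100      0 i
 *>i 10.1.15.0/24     10.1.13.1                0    100      0 i
 * i 10.1.25.0/24     10.1.12.2                0    100      0 i
 * i 10.1.26.0/24     10.1.12.2                0    100      0 i
 * i 172.16.1.0/24    10.1.12.2                0    100      0 i
 *>  172.16.2.0/24    0.0.0.0                  0         32768 i
 *>i 172.16.3.0/24    10.1.14.4                0    100      0 i
"""
R2_TABLE = """\
* i192.168.30.0     192.168.110.70           0    100      0 63000 i
*>                  192.168.220.70           0             0 63000 63000 i
* i192.168.40.0     192.168.110.70           0    100      0 63000 63000 i
*>                  192.168.220.70           0             0 63000 i
"""

if __name__ == "__main__":
    for name, table, connected in [("RRc1", RRC1_TABLE, ["10.1.26.0/24", "172.16.1.0/24"]),
                                   ("RRc2", RRC2_TABLE, ["10.1.13.0/24", "172.16.2.0/24"]),
                                   ("R2", R2_TABLE, ["192.168.220.0/24"])]:   # R2 connected net is assumed
        print(name, sorted(inaccessible_next_hops(table, connected)))
```

The RRc2 result is the useful one for Mark's question: 10.1.12.0/24 arrives with next hop 10.1.12.2, an address inside the very prefix it would be needed to reach, so it can never be installed, and every other path that points at 10.1.12.2 is stranded with it. Rewriting the next hop to the reflector's own address towards the clients (what the route-map with set ip next-hop peer-address on the RRClients peer group does) removes the dependency, since the client is directly connected to its reflector.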

  • BGP Neighbour Issues

    Hi all,
    I'm having problems establishing an adjacency between a 3750-X running BGP and a remote (directly connected) router. The adjacency is failing with the error: ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.44.163.171 Vlan212 (10.44.163.171 is an HSRP address). I can see this in the ARP cache on the switch and the address is pingable. The switch is running 15.2(SE7).
    Basic BGP config on the switch:
    router bgp xxxx
    neighbor 10.44.163.169 remote-as xxxx
    I can ping the .169 (and .171 address).
    Any insights would be appreciated before I speak to the 3rd party maintaining the remote router.
    Thanks.

    Pete
    If you are using the HSRP VIP on your side, and that is what they have configured as the neighbor IP address in their BGP configuration, then you probably won't be able to initiate the connection.
    This is because if you start the connection your switch uses the source IP of the physical interface, and that doesn't match the neighbor IP they have configured on their device.
    If you want to use the HSRP VIP then the remote device needs to initiate the connection and you need to make your end passive, i.e. it does not try to open the connection.
    This should work because the initial connection is to the HSRP VIP and so the response comes from that IP as well, although we did have a discussion a while back as to how well this works if HSRP fails over, in terms of the time taken to bring up a new BGP session.
    Try adding this to your configuration and then have the other side try to initiate the connection:
    "neighbor 10.44.163.169 transport connection-mode passive"
    Obviously the remote device can't also be using HSRP and can't be using the above command, or it will never work.
    Jon

  • MPLS VPN / BGP Netflow Issue

    I have followed all of the configuration steps given for egress accounting with NetFlow on an MPLS VPN link. However, it is only showing flows coming into the router. I need to be able to account both ways; any recommendations? Config below:
    interface Multilink12
    mtu 1580
    ip address XX.XX.XX.XX 255.255.255.252
    no ip redirects
    no ip unreachables
    ip pim sparse-mode
    ip route-cache flow
    mpls netflow egress
    mpls label protocol ldp
    mpls ip
    ppp multilink
    ppp multilink group 12
    ip flow-export source FastEthernet0/0/0.10
    ip flow-export version 5
    ip flow-export destination XX.XX.XX.XX 9996
    IP packet size distribution (10730093 total packets):
    1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
    .000 .098 .645 .011 .016 .012 .009 .010 .000 .001 .000 .001 .000 .000 .000
    512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
    .000 .000 .000 .002 .185 .000 .000 .000 .000 .000 .000
    IP Flow Switching Cache, 4456704 bytes
    4 active, 65532 inactive, 464700 added
    6109192 ager polls, 0 flow alloc failures
    Active flows timeout in 1 minutes
    Inactive flows timeout in 15 seconds
    IP Sub Flow Cache, 336520 bytes
    0 active, 16384 inactive, 20706 added, 20706 added to flow
    0 alloc failures, 0 force free
    1 chunk, 1 chunk added
    last clearing of statistics never
    Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
    -------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
    TCP-Telnet 7 0.0 20 233 0.0 7.0 11.3
    TCP-FTP 3 0.0 1 40 0.0 0.4 1.6
    TCP-WWW 5757 0.0 6 389 0.0 1.1 3.0
    TCP-SMTP 7 0.0 1 40 0.0 0.7 1.6
    TCP-X 244 0.0 1 54 0.0 0.0 1.5
    TCP-other 304762 0.2 7 346 1.6 2.2 4.8
    UDP-DNS 346 0.0 1 127 0.0 0.0 15.4
    UDP-NTP 3323 0.0 1 80 0.0 0.0 15.4
    UDP-other 131041 0.0 62 341 5.4 17.6 13.2
    ICMP 64291 0.0 1 79 0.0 0.0 15.4
    Total: 509781 0.3 21 341 7.1 5.9 8.3
    SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
    Mu12 10.50.66.218 Null 10.105.0.1 11 0675 00A1 84
    Mu12 10.50.66.218 Null 10.105.19.10 11 0675 00A1 2
    Mu12 10.50.66.218 Null 10.105.19.3 11 0675 00A1 4
    Mu12 10.50.66.42 Null 10.105.19.10 06 0B3C 01BD 12

    Update on this: I'm now receiving all traffic incoming on the interface, but am tracking only about 10% of the outgoing traffic. Revised config below:
    ip flow-cache timeout active 1
    ip flow-cache mpls label-positions 1 2 3
    ipv6 flow-cache mpls label-positions 1 2 3
    interface Multilink12
    mtu 1580
    ip address XX.XX.XX.XX 255.255.255.252
    no ip redirects
    no ip unreachables
    ip flow ingress
    ip flow egress
    ip pim sparse-mode
    ip route-cache flow
    mpls netflow egress
    mpls label protocol ldp
    mpls ip
    ppp multilink
    ppp multilink group 12
    service-policy output cbwfq-voice20per
    ip flow-export source FastEthernet0/0/0.10
    ip flow-export version 9 origin-as
    ip flow-export destination XX.XX.XX.XX 9996

  • Having an issue adding network to eigrp

    I'm doing a class project using a network simulator and am asked to: design and implement a network for the company RoutersCourseMatters. The department names at this company are Faculty, Staff, and Students. For security reasons, each department must be isolated from the others' broadcast domains on the network. The Faculty have 50 end devices that need to be connected to the network, Staff has 26 end devices and the Students have 100 end devices. The network space provided by the ISP is 192.168.0.0/24. The dynamic protocol used for this network must be for Cisco-only equipment. Test each department network with just one end device and ensure full connectivity across the entire network.
    So we have our network topology set up for the class project (see picture attached). We are using one router for faculty + staff. Faculty has IP/mask 192.168.0.1/26 and staff is 192.168.0.65/27. We have a separate router for students; the student subnet is 192.168.0.150/25. The routers are directly connected and are using IPs 192.168.0.98/29 and 192.168.0.100/29, so since the two routers are directly connected on the same subnet they have no issue pinging each other. The problem is pinging hosts on one subnet from hosts on a different subnet. When I try to add ANY 192.168.0.* subnet to EIGRP it instead adds a 192.168.16.* network. For instance, on the faculty/staff router, if I do a 'router eigrp 1' command followed by 'network 192.168.0.0 0.0.0.63', it shows that network 192.168.16.0 has been added to EIGRP under show run. Here is the show run output:
    faculty/staff Con0 is now available
    Press RETURN to get started!
    faculty/staff>en
    faculty/staff#show run
    Building configuration...
    Current configuration : 874 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname faculty/staff
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    ip subnet-zero
    interface FastEthernet0/0
      description blank
      ip address 192.168.0.65 255.255.255.224
      no ip directed-broadcast
    interface FastEthernet0/1
      description link to switch
      ip address 192.168.0.1 255.255.255.192
      no ip directed-broadcast
    interface Serial0/0/0
      ip address 192.168.20.2 255.255.255.0
      no ip directed-broadcast
      clockrate 2000000
    interface Serial0/0/1
      no ip address
      no ip directed-broadcast
      shutdown
      clockrate 2000000
    interface Serial0/1/0
      no ip address
      no ip directed-broadcast
      shutdown
      clockrate 2000000
    interface Serial0/1/1
      ip address 192.168.0.98 255.255.255.248
      no ip directed-broadcast
    router eigrp 1
     network 0.0.0.0
     network 192.168.1.1 0.0.0.0
     network 192.168.16.0
     network 192.168.20.0
     no auto-summary
    ip classless
    no ip http server
    no ip http secure-server
    control-plane
    line con 0
    line aux 0
    line vty 0 4
      login
    line vty 5 1180
      login
    scheduler allocate 20000 1000
    end
    faculty/staff#config t
    Enter configuration commands, one per line.  End with CNTL/Z
    faculty/staff(config)#router eigrp 1
    faculty/staff(config-router)#network 192.168.0.0 0.0.0.63
    faculty/staff(config-router)#exit
    faculty/staff(config)#exit
    faculty/staff#show run
    Building configuration...
    Current configuration : 874 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname faculty/staff
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    ip subnet-zero
    interface FastEthernet0/0
      description blank
      ip address 192.168.0.65 255.255.255.224
      no ip directed-broadcast
    interface FastEthernet0/1
      description link to switch
      ip address 192.168.0.1 255.255.255.192
      no ip directed-broadcast
    interface Serial0/0/0
      ip address 192.168.20.2 255.255.255.0
      no ip directed-broadcast
      clockrate 2000000
    interface Serial0/0/1
      no ip address
      no ip directed-broadcast
      shutdown
      clockrate 2000000
    interface Serial0/1/0
      no ip address
      no ip directed-broadcast
      shutdown
      clockrate 2000000
    interface Serial0/1/1
      ip address 192.168.0.98 255.255.255.248
      no ip directed-broadcast
    router eigrp 1
     network 0.0.0.0
     network 192.168.1.1 0.0.0.0
     network 192.168.16.0
     network 192.168.20.0
     no auto-summary
    ip classless
    no ip http server
    no ip http secure-server
    --More--
    project.jpg
    Cody Robinson, 2:36pm
    Here is 'show ip eigrp topology' on staff/faculty router:
    faculty/staff Con0 is now available
    Press RETURN to get started!
    faculty/staff>en
    faculty/staff#show ip interface
    FastEthernet0/0 is up, line protocol is up
      Internet address is 192.168.0.65/27
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1514 bytes
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound access list is not set
      Proxy ARP is enabled
      Local Proxy ARP is disabled
      Security level is default
      Split horizon is disabled
      ICMP redirects are always sent
      ICMP unreachables are always sent
      ICMP mask replies are never sent
      IP fast switching is enabled
      IP fast switching on the same interface is enabled
      IP Flow switching is disabled
      IP CEF switching is enabled
      IP CEF Fast switching turbo vector
      IP multicast fast switching is enabled
      IP multicast distributed fast switching is disabled
      IP route-cache flags are Fast, CEF
      Router Discovery is disabled
      IP output packet accounting is disabled
      IP access violation accounting is disabled
      TCP/IP header compression is disabled
      RTP/IP header compression is disabled
      Policy routing is disabled
      Network address translation is disabled
      BGP Policy Mapping is disabled
      WCCP Redirect outbound is disabled
      WCCP Redirect inbound is disabled
      WCCP Redirect exclude is disabled
    FastEthernet0/1 is up, line protocol is up
      Internet address is 192.168.0.1/26
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1514 bytes
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound access list is not set
      Proxy ARP is enabled
      Local Proxy ARP is disabled
      Security level is default
      Split horizon is disabled
      ICMP redirects are always sent
      ICMP unreachables are always sent
      ICMP mask replies are never sent
      IP fast switching is enabled
      IP fast switching on the same interface is enabled
      IP Flow switching is disabled
      IP CEF switching is enabled
      IP CEF Fast switching turbo vector
      IP multicast fast switching is enabled
      IP multicast distributed fast switching is disabled
      IP route-cache flags are Fast, CEF
      Router Discovery is disabled
      IP output packet accounting is disabled
      IP access violation accounting is disabled
      TCP/IP header compression is disabled
      RTP/IP header compression is disabled
      Policy routing is disabled
      Network address translation is disabled
      BGP Policy Mapping is disabled
      WCCP Redirect outbound is disabled
      WCCP Redirect inbound is disabled
      WCCP Redirect exclude is disabled
    Serial0/0/0 is down, line protocol is down
      Internet address is 192.168.20.2/24
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1514 bytes
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound access list is not set
      Proxy ARP is enabled
      Local Proxy ARP is disabled
      Security level is default
      Split horizon is disabled
      ICMP redirects are always sent
      ICMP unreachables are always sent
      ICMP mask replies are never sent
      IP fast switching is enabled
      IP fast switching on the same interface is enabled
      IP Flow switching is disabled
      IP CEF switching is enabled
      IP CEF Fast switching turbo vector
      IP multicast fast switching is enabled
      IP multicast distributed fast switching is disabled
      IP route-cache flags are Fast, CEF
      Router Discovery is disabled
      IP output packet accounting is disabled
      IP access violation accounting is disabled
      TCP/IP header compression is disabled
      RTP/IP header compression is disabled
      Policy routing is disabled
      Network address translation is disabled
      BGP Policy Mapping is disabled
      WCCP Redirect outbound is disabled
      WCCP Redirect inbound is disabled
      WCCP Redirect exclude is disabled
    Serial0/0/1 is administratively down, line protocol is down
      Internet protocol processing disabled
    Serial0/1/0 is administratively down, line protocol is down
      Internet protocol processing disabled
    Serial0/1/1 is up, line protocol is up
      Internet address is 192.168.0.98/29
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1514 bytes
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound access list is not set
      Proxy ARP is enabled
      Local Proxy ARP is disabled
      Security level is default
      Split horizon is disabled
      ICMP redirects are always sent
      ICMP unreachables are always sent
      ICMP mask replies are never sent
      IP fast switching is enabled
      IP fast switching on the same interface is enabled
      IP Flow switching is disabled
      IP CEF switching is enabled
      IP CEF Fast switching turbo vector
      IP multicast fast switching is enabled
      IP multicast distributed fast switching is disabled
      IP route-cache flags are Fast, CEF
      Router Discovery is disabled
      IP output packet accounting is disabled
      IP access violation accounting is disabled
      TCP/IP header compression is disabled
      RTP/IP header compression is disabled
      Policy routing is disabled
      Network address translation is disabled
      BGP Policy Mapping is disabled
      WCCP Redirect outbound is disabled
      WCCP Redirect inbound is disabled
      WCCP Redirect exclude is disabled
    faculty/staff#show ip eigrp ?
      <1-65535>   Autonomous System
      accounting  IP-EIGRP Accounting
      interfaces  IP-EIGRP interfaces
      neighbors   IP-EIGRP neighbors
      topology    IP-EIGRP Topology Table
      traffic     IP-EIGRP Traffic Statistics
      vrf         Select a VPN Routing/Forwarding instance
    faculty/staff#show ip eigrp topology
    IP-EIGRP Topology Table for AS(1)/ID(192.168.20.2)
    Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
           r - reply Status, s - sia Status
    P 192.168.0.0/26, 1 successors, FD is 2172416
             via Connected, FastEthernet0/1
    P 192.168.0.64/27, 1 successors, FD is 2172416
             via Connected, FastEthernet0/0
    P 192.168.0.96/29, 1 successors, FD is 2172416
             via Connected, Serial0/1/1
    faculty/staff#
    Cody Robinson, 2:37pm
    Here is show run on students router:
    Students Con0 is now available
    Press RETURN to get started!
    Students>sh run
                ^
    % Invalid input detected at '^' marker.
    Students>en
    Students#sh run
    Building configuration...
    Current configuration : 874 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Students
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    ip subnet-zero
    interface FastEthernet0/0
      no ip address
      no ip directed-broadcast
      shutdown
    interface FastEthernet0/1
      description link to switch
      ip address 192.168.0.150 255.255.255.128
      no ip directed-broadcast
    interface Serial0/0/0
      ip address 192.168.10.1 255.255.255.0
      no ip directed-broadcast
      clockrate 2000000
    interface Serial0/0/1
      no ip address
      no ip directed-broadcast
      shutdown
      clockrate 2000000
    interface Serial0/1/0
      no ip address
      no ip directed-broadcast
      shutdown
      clockrate 2000000
    interface Serial0/1/1
      ip address 192.168.0.100 255.255.255.248
      no ip directed-broadcast
      clockrate 2000000
    router eigrp 1
     network 0.0.0.0
     network 192.168.1.1 0.0.0.0
     network 192.168.10.0
    ip classless
    no ip http server
    no ip http secure-server
    control-plane
    line con 0
    line aux 0
    line vty 0 4
      login
    line vty 5 1180
      login
    scheduler allocate 20000 1000
    end
    Students#

    Hello lolwar,
    From the setup and description you provided I see a mismatch in the IP subnetting you calculated.
    For instance, in your diagram you have the networks 192.168.0.0/26 (FACULTY), 192.168.0.64/27 (STAFF), 192.168.0.96/29 (point-to-point link between the routers) and 192.168.0.128/25 (STUDENTS).
    First, you're wasting IP addresses, because you have unused space between the point-to-point link and the STUDENTS subnet. It's good practice, when calculating subnets, to first calculate the biggest subnet, then the smaller ones, down to the smallest (usually the point-to-point cross-connects). For more about this see this guide.
    Now, the issue I see as the most important is that you have the networks I mentioned above in your diagram, but into your EIGRP process you're adding completely different subnets (192.168.16.x, 192.168.20.x, ...).
    I entered following:
    STUDENT ROUTER =------------>
    router eigrp 1
    network 192.168.0.96 0.0.0.7
    network 192.168.0.128 0.0.0.127
    FACULTY/STAFF ROUTER =------------->
    router eigrp 1
    network 192.168.0.0 0.0.0.63
    network 192.168.0.64 0.0.0.31
    network 192.168.0.96 0.0.0.7
    And all works just fine; the computers are able to ping each other. Also, although it's not necessary, it's good to include the wildcard mask in the "network" command under the EIGRP (or OSPF) configuration.
    I hope this will help you (please rate if this is the case. Thanks.)
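    The two things the reply above does by hand, checking which interfaces a set of EIGRP network statements actually covers and carving the /24 largest-subnet-first, as an added example that is not part of this thread (Python, standard library only). The interface addresses and the network statements are copied from the faculty/staff router's show run above; everything else is constructed for the example. Two assumptions are built in and marked in the code: a bare "network 0.0.0.0" is treated as match-all, as IOS does, and discontiguous wildcard masks are rejected rather than modelled.

```python
import ipaddress

# Constructed input mirroring the faculty/staff router in the thread: the
# interface names and addresses come from its "show run" above.
FACULTY_STAFF_INTERFACES = {
    "FastEthernet0/1": "192.168.0.1/26",   # Faculty
    "FastEthernet0/0": "192.168.0.65/27",  # Staff
    "Serial0/1/1": "192.168.0.98/29",      # link to the Students router
}

# The statements the router actually had, and the ones the reply suggests.
ORIGINAL_STATEMENTS = ["network 192.168.16.0", "network 192.168.20.0"]
SUGGESTED_STATEMENTS = [
    "network 192.168.0.0 0.0.0.63",
    "network 192.168.0.64 0.0.0.31",
    "network 192.168.0.96 0.0.0.7",
]


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert an IOS wildcard (inverse) mask such as 0.0.0.63 to a prefix
    length. Only contiguous wildcards are handled; IOS also accepts
    discontiguous ones, which this example deliberately rejects (assumption)."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    plen = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF:
        raise ValueError(f"discontiguous wildcard {wildcard} not supported")
    return plen


def parse_network_statement(statement: str) -> ipaddress.IPv4Network:
    """Turn 'network A.B.C.D [wildcard]' into the address range it covers.

    Without a wildcard, IOS EIGRP treats the address classfully (A=/8,
    B=/16, C=/24); 'network 192.168.16.0' therefore covers 192.168.16.0/24,
    which contains none of this router's interfaces. A bare 'network 0.0.0.0'
    is treated here as match-all (assumed to mirror IOS behaviour).
    """
    parts = statement.split()
    if len(parts) not in (2, 3) or parts[0] != "network":
        raise ValueError(f"not a network statement: {statement!r}")
    addr = parts[1]
    if len(parts) == 3:
        plen = wildcard_to_prefixlen(parts[2])
    elif addr == "0.0.0.0":
        plen = 0
    else:
        first_octet = int(addr.split(".")[0])
        plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.IPv4Network(f"{addr}/{plen}", strict=False)


def eigrp_enabled_interfaces(interfaces: dict, statements: list) -> list:
    """Interfaces whose primary address falls inside at least one statement.
    Those are the interfaces EIGRP sends hellos on and whose connected
    subnets it advertises."""
    ranges = [parse_network_statement(s) for s in statements]
    return sorted(
        name for name, cidr in interfaces.items()
        if any(ipaddress.IPv4Interface(cidr).ip in r for r in ranges)
    )


def allocate_vlsm(block: str, hosts_per_subnet: dict) -> dict:
    """Largest-first VLSM allocation of `block`, as the reply recommends.
    Each value is a host count; two addresses per subnet are reserved for
    the network and broadcast addresses."""
    free = [ipaddress.IPv4Network(block)]
    allocated = {}
    for name, hosts in sorted(hosts_per_subnet.items(), key=lambda kv: -kv[1]):
        plen = 32 - (hosts + 1).bit_length()  # smallest subnet holding hosts + 2
        free.sort(key=lambda n: int(n.network_address))
        for i, blk in enumerate(free):
            if blk.prefixlen <= plen:
                sub = blk if blk.prefixlen == plen else next(blk.subnets(new_prefix=plen))
                allocated[name] = sub
                free.pop(i)
                free.extend(blk.address_exclude(sub))  # return the remainder to the pool
                break
        else:
            raise ValueError(f"no space left in {block} for {name}")
    return allocated


if __name__ == "__main__":
    print("original statements enable:",
          eigrp_enabled_interfaces(FACULTY_STAFF_INTERFACES, ORIGINAL_STATEMENTS))
    print("suggested statements enable:",
          eigrp_enabled_interfaces(FACULTY_STAFF_INTERFACES, SUGGESTED_STATEMENTS))
    plan = allocate_vlsm("192.168.0.0/24",
                         {"Students": 100, "Faculty": 50, "Staff": 26, "Router link": 2})
    for dept, net in plan.items():
        print(f"{dept:12} {net}  wildcard {net.hostmask}")
```

    Run as-is it shows that the original two statements enable EIGRP on no interface at all, which is why only connected routes appeared in the topology table, while the suggested three cover all of them. The printed plan also gives the wildcard mask to type into each network statement for the largest-first layout.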

  • 891W to 5505 EZVPN issue...No peer struct to get peer description

    Hey everyone,
    I've been on the forums looking for a solution to my issue in my lab....
    I'm getting the "No peer struct to get peer description" error in my debug. I've done a search on these forums, but the changes that I made did not work for me.
    It has to be something simple.....
    I am able to ping out to my ASA
    891Demo#ping 38.98.226.100
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 38.98.226.100, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 100/106/116 ms
    I did a few show commands listed below if anyone wants to take a look...
    891Demo#sh run
    Building configuration...
    Current configuration : 6370 bytes
    ! Last configuration change at 20:47:45 UTC Fri Jan 10 2014 by admin
    version 15.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname 891Demo
    boot-start-marker
    boot-end-marker
    logging buffered 52000
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa session-id common
    service-module wlan-ap 0 bootimage autonomous
    crypto pki trustpoint TP-self-signed-1670941714
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1670941714
    revocation-check none
    rsakeypair TP-self-signed-1670941714
    crypto pki certificate chain TP-self-signed-1670941714
    certificate self-signed 01
      3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 31363730 39343137 3134301E 170D3133 30393130 31383038
      31305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36373039
      34313731 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100A613 DCE81A2F 27DC53B6 6ED91D5E 167EEAEA D9793CB3 33C39BBE CBC5AF0B
      029C1605 3FC09722 C7811B2D 173B5887 2C87A9C7 4DDAC1C4 AE13A1C3 743B940E
      A5A7AF56 26A83081 2330E910 1BA8317A BE0BC37A 631D858D E307DC04 2F76D648
      1500DB09 2BC1B92A 92C0B8FE 59434385 A3D1B19D 5665D3A9 07956793 F2B98EDA
      EA870203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
      551D2304 18301680 1489C50C C4C16781 28F37E31 DABE13A9 2EE9967E 58301D06
      03551D0E 04160414 89C50CC4 C1678128 F37E31DA BE13A92E E9967E58 300D0609
      2A864886 F70D0101 05050003 81810053 FD39A299 CFF9E763 C89846EE 9BE0DAE4
      31B890D0 969764F0 98A21C63 FD103ADB 29BA7DB4 98C142B9 1EA60C71 1D6C4BE5
      921224F5 BE5FC348 2A2A4858 A5D0E680 23346C0E 8EA55314 435CE650 5167C796
      1EB4EFAD 1D045B2C 84031255 C2A9F5B7 C8542ACF 3C69C46E DE0230AE EA3587EE
      464A0AC0 3987D917 47A4ABDB 5B6022
            quit
    ip cef
    ip dhcp excluded-address 10.10.10.7 10.10.10.254
    ip dhcp pool ccp-pool
    import all
    network 10.10.10.0 255.255.255.0
    default-router 10.10.10.1
    lease 0 2
    ip domain name yourdomain.com
    no ipv6 cef
    ipv6 multicast rpf use-bgp
    multilink bundle-name authenticated
    license udi pid CISCO891W-AGN-A-K9 sn FTX171783D3
    username admin privilege 15 password 0 password
    redundancy
    csdb tcp synwait-time 30
    csdb tcp idle-time 3600
    csdb tcp finwait-time 5
    csdb tcp reassembly max-memory 1024
    csdb tcp reassembly max-queue-length 16
    csdb udp idle-time 30
    csdb icmp idle-time 10
    csdb session max-session 65535
    crypto isakmp policy 50
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key D1l2w3r4 address 38.98.226.100
    crypto isakmp client configuration group VPNGroupZLAB
    key D1l2w3r4
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    mode tunnel
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    mode tunnel
    crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1
    connect auto
    group DefaultL2LGroup key D1l2w3r4
    mode client
    peer 38.98.226.100
    username ztest password D1l2w3r4
    xauth userid mode local
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to38.98.226.100
    set peer 38.98.226.100
    set transform-set ESP-3DES-SHA
    match address 102
    interface FastEthernet0
    no ip address
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface FastEthernet4
    no ip address
    interface FastEthernet5
    no ip address
    interface FastEthernet6
    no ip address
    interface FastEthernet7
    no ip address
    interface FastEthernet8
    no ip address
    shutdown
    duplex auto
    speed auto
    interface Virtual-Template1 type tunnel
    no ip address
    tunnel mode ipsec ipv4
    interface GigabitEthernet0
    ip address dhcp
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map SDM_CMAP_1
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip unnumbered Vlan1
    arp timeout 0
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    no ip address
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 10.10.10.1 255.255.255.248
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    interface Async1
    no ip address
    encapsulation slip
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip dns server
    ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
    ip route 0.0.0.0 0.0.0.0 192.168.1.1 254
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 192.168.1.1 254
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 dhcp 254
    ip access-list extended protect_traffic
    permit ip host 10.10.10.1 host 10.1.11.1
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 101
    access-list 23 permit 10.10.10.0 0.0.0.7
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 10.10.10.0 0.0.0.255 10.1.11.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 10.10.10.0 0.0.0.255 10.1.11.0 0.0.0.255
    access-list 101 permit ip 10.10.10.0 0.0.0.7 any
    access-list 102 remark CCP_ACL Category=4
    access-list 102 remark IPSec Rule
    access-list 102 permit ip 10.10.10.0 0.0.0.255 10.1.11.0 0.0.0.255
    control-plane
    mgcp behavior rsip-range tgcp-only
    mgcp behavior comedia-role none
    mgcp behavior comedia-check-media-src disable
    mgcp behavior comedia-sdp-force disable
    mgcp profile default
    line con 0
    line 1
    modem InOut
    speed 115200
    flowcontrol hardware
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin udptn ssh
    line aux 0
    line vty 0 4
    access-class 23 in
    transport input telnet ssh
    transport output telnet ssh
    line vty 5 15
    access-class 23 in
    transport input telnet ssh
    transport output telnet ssh
    end
    =============================================
    =============================================
    891Demo#sh crypto ipsec sa
    interface: GigabitEthernet0
        Crypto map tag: SDM_CMAP_1, local addr 10.0.0.35
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (10.1.11.0/255.255.255.0/0/0)
       current_peer 38.98.226.100 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 10.0.0.35, remote crypto endpt.: 38.98.226.100
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
    =============================================
    =============================================
    891Demo#sho crypto se
    Crypto session current status
    Interface: GigabitEthernet0
    Session status: DOWN
    Peer: 38.98.226.100 port 500
      IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 10.1.11.0/255.255.255.0
            Active SAs: 0, origin: crypto map
    891Demo#
    *Jan 10 20:56:15.327: No peer struct to get peer description
    =============================================
    =============================================
    891Demo#sh crypto isakmp default pol
    Default IKE policy
    Default protection suite of priority 65507
            encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #5 (1536 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite of priority 65508
            encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #5 (1536 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite of priority 65509
            encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
            hash algorithm:         Message Digest 5
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #5 (1536 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite of priority 65510
            encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
            hash algorithm:         Message Digest 5
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #5 (1536 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite of priority 65511
            encryption algorithm:   Three key triple DES
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #2 (1024 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite of priority 65512
            encryption algorithm:   Three key triple DES
            hash algorithm:         Secure Hash Standard
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #2 (1024 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite of priority 65513
            encryption algorithm:   Three key triple DES
            hash algorithm:         Message Digest 5
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #2 (1024 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite of priority 65514
            encryption algorithm:   Three key triple DES
            hash algorithm:         Message Digest 5
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #2 (1024 bit)
            lifetime:               86400 seconds, no volume limit
    Any insight to this would be appreciated, i'm still going to try and figure it out as well

    It is the host site not transmitting. The ACL that I see that's blocking is for a client-based VPN.
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         Outside
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.180.0   255.255.254.0   Inside
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group Inside_access_in in interface Inside
    access-list Inside_access_in extended permit ip object obj_any any
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (Inside,Outside) source static DM_INLINE_NETWORK_20 DM_INLINE_NETWORK_20 destination static AT_Remote AT_Remote no-proxy-arp route-lookup
    Additional Information:
    Static translate 192.168.180.232/12345 to 192.168.180.232/12345
    Phase: 6
    Type: ACCESS-LIST
    Subtype: vpn-user
    Result: DROP
    Config:
    Additional Information:
    Result:
    input-interface: Inside
    input-status: up
    input-line-status: up
    output-interface: Outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
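    A small parser for the ASA packet-tracer output quoted in the reply above, as an added example that is not part of this thread (Python, standard library only). It splits the output into phases and the trailing summary and reports the first phase whose Result is DROP together with the Drop-reason line, which is what the reply reads off by hand. The embedded sample is a constructed, shortened copy of the quoted output (phases 2 and 4 omitted, values unchanged).

```python
import re

# Constructed sample: a shortened copy of the packet-tracer output quoted in
# the reply above (phases 2 and 4 omitted, values unchanged).
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit ip object obj_any any
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) source static DM_INLINE_NETWORK_20 DM_INLINE_NETWORK_20 destination static AT_Remote AT_Remote no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.180.232/12345 to 192.168.180.232/12345
Phase: 6
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
Result:
input-interface: Inside
input-status: up
output-interface: Outside
output-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELDS = ("Type", "Subtype", "Result")


def parse_packet_tracer(text: str):
    """Split packet-tracer output into a list of phase dicts plus the trailing
    summary, i.e. the key/value block after the bare 'Result:' line."""
    phases, summary = [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip().lower().replace("-", "_")] = value.strip()
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":  # a bare 'Result:' starts the final summary
            in_summary = True
            continue
        if current is None:
            continue
        if line == "Config:":
            section = "config"
            continue
        if line == "Additional Information:":
            section = "info"
            continue
        key, sep, value = line.partition(":")
        if sep and key in FIELDS:
            current[key.lower()] = value.strip()
            section = None
            continue
        if section:  # free-form lines under Config: / Additional Information:
            current[section].append(line)
    return phases, summary


def diagnose(text: str) -> dict:
    """Report the first DROP phase, the ASA's stated drop reason and any NAT
    rule the flow matched on the way there."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    return {
        "phases_seen": len(phases),
        "action": summary.get("action"),
        "drop_reason": summary.get("drop_reason"),
        "drop_phase": drop["phase"] if drop else None,
        "drop_type": drop["type"] if drop else None,
        "drop_subtype": drop["subtype"] if drop else None,
        "nat_rules": [c for p in phases if p["type"] == "NAT" for c in p["config"]],
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

    On the sample this returns drop_phase 6 with type ACCESS-LIST and subtype vpn-user, so the flow passed the interface ACL and the NAT rule and was denied afterwards by the ACL applied to the VPN session rather than by Inside_access_in.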

  • Cisco 6004 VPC issue

    Hi Friends,
    We are experiencing an issue on a Cisco 6004 while creating a vPC. We are unable to configure vPC because upon enabling the feature it shows an error.
    Request if anybody can help us here.
    TEST(config)# feature vpc
    Error: while enabling/disabling service: vpc, err: (null) (0x4288005c)
    TEST# sh license usage
    Feature                      Ins  Lic   Status Expiry Date Comments
                                     Count
    FCOE_NPV_PKG                  No    -   Unused             -
    FM_SERVER_PKG                 No    -   Unused             -
    ENTERPRISE_PKG                No    -   Unused             -
    FC_FEATURES_PKG               No    -   Unused             Grace 117D 4H
    VMFEX_FEATURE_PKG             No    -   Unused             Grace 117D 5H
    ENHANCED_LAYER2_PKG           No    -   Unused             -
    LAN_BASE_SERVICES_PKG         Yes   -   In use Never       -
    LAN_ENTERPRISE_SERVICES_PKG   No    -   Unused             -
    TEST# show feature | i vpc
    vpc                   1         disabled
    TEST# show feature
    Feature Name          Instance  State
    Flexlink              1         enabled
    amt                   1         disabled
    bfd                   1         disabled
    bfd_app               1         disabled
    bgp                   1         disabled
    cts                   1         disabled
    dhcp                  1         disabled
    dot1x                 1         disabled
    eigrp                 1         disabled
    eigrp                 2         disabled
    eigrp                 3         disabled
    eigrp                 4         disabled
    eth_port_sec          1         disabled
    extended_credit       1         disabled
    fabric-binding        1         disabled
    fc-port-security      1         disabled
    fcoe                  1         disabled
    fcoe-npv              1         disabled
    fcsp                  1         disabled
    fex                   1         enabled
    fport-channel-trunk   1         disabled
    glbp                  1         disabled
    hsrp_engine           1         disabled
    http-server           1         disabled
    interface-vlan        1         enabled
    isis                  1         disabled
    isis                  2         disabled
    isis                  3         disabled
    isis                  4         disabled
    lacp                  1         enabled
    ldap                  1         disabled
    lldp                  1         enabled
    msdp                  1         disabled
    npiv                  1         disabled
    npv                   1         disabled
    oim                   1         disabled
    ospf                  1         disabled
    ospf                  2         disabled
    ospf                  3         disabled
    ospf                  4         disabled
    ospfv3                1         disabled
    ospfv3                2         disabled
    ospfv3                3         disabled
    ospfv3                4         disabled
    pbr                   1         disabled
    pim                   1         disabled
    poe                   1         disabled
    port_track            1         disabled
    private-vlan          1         disabled
    privilege             1         disabled
    ptp                   1         disabled
    rip                   1         disabled
    rip                   2         disabled
    rip                   3         disabled
    rip                   4         disabled
    scpServer             1         disabled
    sftpServer            1         disabled
    sshServer             1         enabled
    tacacs                1         disabled
    telnetServer          1         enabled
    udld                  1         enabled
    vmfex                 1         disabled
    vpc                   1         disabled
    vrrp                  1         disabled
    vtp                   1         disabled
    TEST#

    I know this is a few months old so hopefully you already resolved the issue, but for anyone else searching:
    Just got off a call with TAC trying to resolve this issue on my 5548UP.
    Turns out that you cannot configure VPC if the flexlink feature is enabled. Disabled that feature, and everything worked for me.

  • Question about network statement in OSPF and BGP

    The network statements in OSPF and BGP can be used to advertise networks. But I'm not clear under what circumstances it would make more sense to use network statements to advertise a network than to use other methods to have the network learned by other routers.
    Here is an example: assume I'm running BGP on router A. I want to advertise network 10.1.1.0/24 to other BGP peers. I have an OSPF route for this network. I can do 2 things: one is to use "network 10.1.1.0 mask 255.255.255.0", the other is to do "redistribute OSPF ... route-map OSPF-INTO-BGP", and create a prefix list to permit 10.1.1.0/24.
    Both would work to have this network learned by other BGP peers. But which is better for what purpose?
    Thanks a lot
    Gary

    Hi Gary,
    There is one little difference between the use of the two approaches - the route injected into BGP by using a network statement will carry an Origin attribute of IGP, whereas the route injected using redistribution will have an Origin attribute of Incomplete. Now, that is not a huge issue since you can always change that to whatever value you desire, both with the use of the network statement and with redistribution. The important thing, however, is that in the BGP best path selection process, the Origin attribute comparison is fairly high up and will prefer a route with the attribute of IGP.
    Apart from that, there is absolutely no difference between using the network statement and using redistribution with a route-map that matches exactly on the same route that you would have specified with the network statement.
    I guess one advantage of using the redistribute approach is that it does not clutter up the BGP config. If you wish to add more routes, you simply add them to the prefix list so that you don't really touch the BGP config portion at all.
    Hope that helps - pls do remember to rate posts that help.
    Paresh
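    To illustrate the Origin point above, here is an added example (not code from the thread or from any vendor) that models the first steps of Cisco's BGP best-path algorithm and runs the 10.1.1.0/24 case through it; the next hops, AS number and "via" labels are constructed for the demonstration.

```python
"""Simplified model of the early steps of Cisco's BGP best-path selection:
weight, local preference, AS-path length, then Origin. It shows why a prefix
injected with a `network` statement (Origin IGP) beats the copy learned via
redistribution (Origin Incomplete) when everything before Origin ties."""
from dataclasses import dataclass, field

# Origin codes in order of preference: lower rank wins (i < e < ?).
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class BgpPath:
    prefix: str
    next_hop: str
    origin: str                 # "igp", "egp" or "incomplete"
    weight: int = 0             # Cisco-local attribute, higher wins
    local_pref: int = 100       # higher wins
    as_path: list = field(default_factory=list)  # shorter wins
    via: str = ""               # label for the example only

def compare(a: BgpPath, b: BgpPath) -> BgpPath:
    """Return the preferred of two paths, stopping at the first step that
    differs, as the router does; on a full tie the first argument is kept.
    MED and the later tie-breakers are intentionally not modelled."""
    if a.weight != b.weight:
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    return a

def best_path(paths):
    best = paths[0]
    for p in paths[1:]:
        best = compare(best, p)
    return best

# Constructed sample: 10.1.1.0/24 (the prefix from the question) as a peer
# would see it from two routers in the same AS, one using `network`, the
# other `redistribute ospf`; weight, local-pref and AS-path are identical.
VIA_NETWORK = BgpPath("10.1.1.0/24", "192.0.2.1", "igp",
                      as_path=[65000], via="network statement")
VIA_REDIST = BgpPath("10.1.1.0/24", "192.0.2.2", "incomplete",
                     as_path=[65000], via="redistribute ospf")

if __name__ == "__main__":
    print(best_path([VIA_REDIST, VIA_NETWORK]).via)  # network statement
```

    Setting the origin in the route-map (or raising local preference on the redistributed copy) flips the result, which is the "you can always change that" remark above in action.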

  • EEM / IP SLA to shutdown lossy high RTT BGP neighbor

    Hi,
    I'm relatively new to the IP SLA procedure and very new to EEM. I'm searching for the most efficient way to monitor the availability (packet loss and latency) of a BGP neighbor from a router, to actively shut down the neighbor relationship in order to fail over to a backup L2L VPN I have configured on an ASA. It's important that I'm able to continue monitoring the BGP neighbor so that when the neighbor becomes stable again, I can re-enable the BGP neighbor relationship. I've put something quick together (below) but am not sure if it will do what I want. I'd appreciate any suggestions and feedback.
    Thank you!
    -Mike
    ip sla 90
     icmp-echo <neighbor_ip> source-ip <source_ip>
     ! threshold only changes the probe's return code (OK -> OverThreshold);
     ! a probe slower than timeout returns Timeout
     threshold 250
     timeout 500
     frequency 3
    ip sla schedule 90 life forever start-time now
    ip sla enable reaction-alerts
    ! "state" rather than "reachability": reachability stays Up on an
    ! OverThreshold return code and only drops on Timeout, so the 250 ms
    ! threshold would never shut the neighbor; "state" is Up only on OK
    track 90 ip sla 90 state
      delay down 3 up 180
    event manager applet BGP_NEIGHBOR_DIRTY
     description SHUT DOWN BGP NEIGHBOR IF RTT OVER 250 FOR 3 SECONDS
     ! matches the %TRACKING-5-STATE message emitted for track 90
     event syslog pattern "90 ip sla 90 state Up->Down"
     action 1.0  cli command "enable"
     action 1.1  cli command "configure term"
     action 1.2  cli command "router bgp 63320"
     action 1.3  cli command "neighbor <neighbor_ip> shutdown"
     action 1.4  cli command "end"
    event manager applet BGP_NEIGHBOR_CLEAN
     description ENABLE BGP NEIGHBOR IF RTT UNDER 250 FOR 3 MINUTES
     event syslog pattern "90 ip sla 90 state Down->Up"
     action 1.0  cli command "enable"
     action 1.1  cli command "configure term"
     action 1.2  cli command "router bgp 63320"
     action 1.3  cli command "no neighbor <neighbor_ip> shutdown"
     action 1.4  cli command "end"

    By choosing a target that is along your desired path, you can certainly have a more robust script. I would use loopback to loopback communication as well; this will force the traffic through the router, and also find any potential issues where the peer is alive and sending bgp but not actually passing traffic. You will definitely need some "fudge" factors in there to deal with routers having to process the ICMP packets (Any CoPP will really really skew the results you are getting). I have had experiences where testing to/from a Nexus device gives wildly different results vs testing through the boxes.
    HTH
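    As an added example (not part of the thread), the following model feeds IP SLA return codes through a tracked object to show what the configuration above actually reacts to: a `reachability` track treats OverThreshold as Up and only drops on Timeout, a `state` track drops on OverThreshold, and `delay down 3 up 180` suppresses single bad probes and holds the neighbor down for three minutes of clean probes. The 3 s probe interval, thresholds and sample RTTs are taken from, or constructed around, the posted config; the timer model is a simplification of IOS behaviour.

```python
"""Model of an IOS tracked object fed by IP SLA return codes. `reachability`
stays Up on an OverThreshold probe (only a Timeout drops it), while `state`
goes Down on it; the `delay down 3 up 180` debounce is modelled as well."""
OK, OVER_THRESHOLD, TIMEOUT = "OK", "OverThreshold", "Timeout"

def probe_result(rtt_ms, threshold_ms=250, timeout_ms=500):
    """Return code IP SLA assigns to one icmp-echo probe (None = no reply)."""
    if rtt_ms is None or rtt_ms > timeout_ms:
        return TIMEOUT
    return OVER_THRESHOLD if rtt_ms > threshold_ms else OK

def wants_up(code, mode):
    """Instantaneous Up/Down view of the return code for each track type."""
    if mode == "reachability":
        return code in (OK, OVER_THRESHOLD)
    if mode == "state":
        return code == OK
    raise ValueError(mode)

def run_track(rtts, mode, frequency=3, delay_down=3, delay_up=180):
    """Feed per-probe RTTs (ms, None for a lost probe) through the tracker and
    return the (time_s, transition) pairs that would be logged as
    %TRACKING-5-STATE once the delay timers have run out (simplified)."""
    up, pending_since, events = True, None, []     # object starts Up
    for i, rtt in enumerate(rtts):
        now = i * frequency
        want_up = wants_up(probe_result(rtt), mode)
        if want_up == up:
            pending_since = None       # disagreement cleared: timer cancelled
            continue
        if pending_since is None:
            pending_since = now        # start the down or up delay timer
        if now - pending_since >= (delay_up if want_up else delay_down):
            up, pending_since = want_up, None
            events.append((now, "Down->Up" if up else "Up->Down"))
    return events

# Constructed sample: 10 clean probes, 20 probes at 400 ms (over the 250 ms
# threshold but under the 500 ms timeout), then 70 clean probes.
SAMPLE = [50] * 10 + [400] * 20 + [50] * 70

if __name__ == "__main__":
    print(run_track(SAMPLE, "reachability"))  # []  -> neighbor never shut
    print(run_track(SAMPLE, "state"))  # [(33, 'Up->Down'), (270, 'Down->Up')]
```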

  • Nexus 7010 bgp state change alert not triggered to NNM

    Hi ,
    BGP state change alert not triggered to NNM on Nexus 7010 for monitoring.
    Details of the Device:
    Nexus 7010 :     
    Software
      BIOS:      version 3.22.0
      kickstart: version 5.1(3)
      system:    version 5.1(3)
    BGP neighbor status :
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    172.16.1.2      4 65505 5089234 5194515    51359    0    0     6w2d 391
    172.16.1.3      4 65505 5044293 5146859    51359    0    0    30w4d 378
    172.31.11.3     4 15404  120744  114811    51359    0    0     1w6d 1
    172.31.42.3     4 65501 5261796 5264413    51359    0    0    2d06h 0
    Snmp trap enabled:
    snmp-server user admin network-admin auth md5 0x690c4ede8a88ba7f2de791dbe7a77f0a
    priv 0x690c4ede8a88ba7f2de791dbe7a77f0a localizedkey
    snmp-server host 172.30.0.55 traps version 2c xxxx
    snmp-server enable traps bgp
    Downloaded the cisco-bgp4-mib and bgp4-mib, tried them, and performed an snmpwalk as given below:
    nnmsnmpwalk.ovpl -c xxx 172.31.15.130 .1.3.6.1.4.1.9.9.187.0.6
    Error : No MIB objects contained under subtree
    nnmsnmpwalk.ovpl -v 2 -c xxx 172.31.15.130 .1.3.6.1.2.1.15.3.
    No MIB objects contained under subtree
    Kindly advise to resolve the issue
    Regards
    Hari

    You can set an alert for Warning State. This is feasible.
    Juke Chou
    TechNet Community Support

  • BGP peers with same AS number

    Hi All,
    As in the network topology attached (replica of actual network), I would like to know if there is any way that routes received from PE-RTR1 in CE-RTR can be advertised to PE-RTR2 and vice versa, so that PE-RTR1 & PE-RTR2 can reach each other.
    Routing protocol used between PE-RTR1 & CE and PE-RTR2 & CE is BGP.
    The issue seems to be due to the same AS number on PE-RTR1 & PE-RTR2. It might not be possible to change the AS numbers defined. Is there any way to overcome this situation?
    Thanks in advance.
    Regards,
    Nagabhushan

    I read that a bit too quickly.
    If you're connecting your locations via the ISP and they all use the same AS, they'll all need the statement I mentioned in my previous comment. If you already have communication between them via the ISP, then this command is probably already there.
    If you're connecting everything via fibre to the primary location, you can just peer with the other locations using the same AS and you'll be fine... though there are some considerations if you're redistributing BGP into an internal routing protocol.
    In your current configuration, is each location seeing the networks from the other sites propagating from the ISP via BGP?
