BGP peering

Question. Best practice is to configure iBGP via a loopback interface. My question is, is that a valid statement for a scenario where two BGP peers are separated by a firewall?

Hello Mateuz,
iBGP allows for a TTL=255 in the BGP packets so the added hop caused by the firewall is not a problem for the iBGP session.
If the session were eBGP you would need to tune the ebgp-multihop to take care of the FW hop.
Hope to help
Giuseppe

Similar Messages

  • How many BGP peers does the 3548 switch support?

    Is it possible to run more than 40 peers on a single switch? What is the limitation if not?

    Hi ,
    You can have 40 BGP peers. IPv4 unicast routes handled by hardware is only 24000. Ensure all your BGP peering routing updates are within these limits.
    http://www.cisco.com/c/en/us/products/collateral/switches/nexus-3548-switch/data_sheet_c78-707001.html
    Table 7. Hardware Specifications Common to Both Switches

    Mode                                Normal Mode   Warp Mode
    Hardware tables and scalability
    Number of MAC addresses             64,000        8000
    Number of IPv4 unicast routes       24,000        4000
    Number of IPv4 hosts                64,000        8000
    Number of IPv4 multicast routes     8000          8000

    Number of VLANS: 4096
    Number of ACL entries: 4096
    Number of spanning-tree instances: Rapid Spanning Tree Protocol (RSTP): 512; Multiple Spanning Tree (MST) Protocol: 64
    Number of EtherChannels: 24
    Number of ports per EtherChannel: 24
    Buffer size: 6 MB shared among 16 ports; 18 MB total
    Boot flash memory: 2 GB
    HTH
    Sandy

  • BGP peering via default route

    I read http://blog.ipexpert.com/2010/11/08/bgp-peering-and-default-routes/ and understood that BGP speaker will not initiate BGP connection with the other BGP router if it can reach it via default route only...And BGP peering will not come up at all if both the BGP speakers know each other via default routes only....I could not understand the reason behind this though...Could any expert help me in understanding the underlying reasoning?

    I can't think of a reason why you would want to peer with a router you don't have a route for. If you're relying on a default route for a multi-hop bgp peer session, it could cause the session to be unreliable due to changes in the network down the line from you. An unreliable bgp session would be bad on the router's cpu/memory if the session were to flap.

  • IPS4240 in bypassmode-auto cause BGP peering failure

    Recently installed IPS4240's running inline. With "bypass-mode auto" the BGP peering (with password) between 2 routers either side of the IPS unit drops. The error logs indicate bad MD5 hash on both units. In "bypass-mode on" BGP peering with password is fine.
    Anyone know a fix or the cause?

    This is probably being dropped or modified by some of the "normalizer" engine signatures in the IPS. Basically the IPS in inline mode does a lot of TCP checks and drops or modifies packets with certain bits set. It probably doesn't like the fact the MD5 hash is set as TCP option bit 19 and is modifying it somehow, which then fails your authentication on the remote peer.
    Go into whatever configuration tool you're using and enable the "produce-verbose-alert" on all the 13xx signatures (1300-1330). Then check your alerts for an alert with a victim/attacker IP addresses of your BGP routers, see what signature it was that actually fired, then disable that signature (or add a filter so that it doesn't fire for that IP address pair anymore). This will stop it doing whatever it is doing to your BGP packets and it should work from then on.
    It'll probably be one of the sub-sigs under 1330, as this does a lot of different checks on various parts of the TCP packet.
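
Added example, not from the original thread: how a receiver checks the TCP MD5 signature (option kind 19, RFC 2385) and which in-path changes to a segment make that check fail. The addresses, ports, key and the three modifications are constructed for illustration and do not describe what the IPS 4240 normalizer actually does.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_MD5_KIND, TCP_MD5_LEN = 19, 18  # option kind 19: 2-byte header + 16-byte digest


def rfc2385_digest(src, dst, segment, key):
    """MD5 over pseudo-header, TCP header without options (checksum zeroed), data, key."""
    header_len = (segment[12] >> 4) * 4
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    base = segment[:16] + b"\x00\x00" + segment[18:20]  # checksum field assumed zero
    return hashlib.md5(pseudo + base + segment[header_len:] + key).digest()


def md5_option(segment):
    """Return the 16-byte digest carried in option 19, or None if it is absent."""
    header_len = (segment[12] >> 4) * 4
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP is a single byte
            i += 1
            continue
        if i + 1 >= header_len:
            break
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            break                          # malformed option list
        if kind == TCP_MD5_KIND and length == TCP_MD5_LEN:
            return segment[i + 2:i + length]
        i += length
    return None


def verify(src, dst, segment, key):
    """Receiver-side check: 'ok', 'no-md5-option' or 'bad-md5'."""
    carried = md5_option(segment)
    if carried is None:
        return "no-md5-option"
    expected = rfc2385_digest(src, dst, segment, key)
    return "ok" if hmac.compare_digest(carried, expected) else "bad-md5"


def build_segment(src, dst, sport, dport, seq, ack, flags, payload, key):
    """Constructed sender: 20-byte header, option 19, two NOPs of padding, data.
    The TCP checksum is left at zero; it is not part of the digest anyway."""
    offset_words = (20 + TCP_MD5_LEN + 2) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         offset_words << 4, flags, 4096, 0, 0)
    opt_head = bytes([TCP_MD5_KIND, TCP_MD5_LEN])
    unsigned = header + opt_head + bytes(16) + b"\x01\x01" + payload
    digest = rfc2385_digest(src, dst, unsigned, key)
    return header + opt_head + digest + b"\x01\x01" + payload


def demo():
    """Run the receiver check on one segment and three constructed rewrites of it."""
    src, dst, key = "192.0.2.1", "192.0.2.2", b"constructed-key"
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"           # 19-byte BGP KEEPALIVE
    seg = build_segment(src, dst, 179, 49152, 1000, 2000, 0x18, keepalive, key)
    rewrites = {
        "untouched": seg,
        # option bytes overwritten with NOPs by something in the path
        "option_replaced_by_nops": seg[:20] + b"\x01" * 20 + seg[40:],
        # a header field covered by the digest is rewritten
        "sequence_number_rewritten": seg[:4] + struct.pack("!I", 5000) + seg[8:],
        # only the checksum changes, which the digest treats as zero
        "checksum_only_rewritten": seg[:16] + b"\x12\x34" + seg[18:],
    }
    return {name: verify(src, dst, s, key) for name, s in rewrites.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} {result}")
```

Any rewrite of the payload or of a header field covered by the digest shows up on the receiving router as a bad MD5 hash, which matches the symptom logged on both routers in the question.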

  • BGP peering with ISP

    Hello Guys
    I have a scenario where I would like to have your insights.
    1. Client having Main site and DR site connected to same ISP with public IP line.
    2. The client has acquired a public IP block (/24) and would like to use same on both main and DR sites.
    Would this be possible through BGP? How can we advertise the same IP block on 2 sites?
    The sites need to be in an active-active scenario.
    Thanks

    If you're going to advertize the same address block, from two different BGP peers, whether to the same ISP or different ISPs, the expectation is, you can get to or from that address block along either path.  I.e. you need an "internal" path between your two BGP peers.  Otherwise, the "critical" BGP path fails, you continue to advertize an address block that's unreachable.
    There's no need to split your block unless you were trying to manually load balance using your two paths.
    As another poster noted, you might have asymmetrical routing (depending on path costing), but from a pure L3 perspective it doesn't matter.  It can, though, matter to stateful devices like firewalls.  The latter might be addressed by firewalls at both sites sharing state information.

  • Cisco BGP Peering Between 2 ISP

    Hi Cisco People,
    Just have a question with BGP peering in Cisco's. I have two ISP's which I am peering against for an active and standby configuration. I would like to know if there is a way to configure some sort of 'dead-peer detection' on the router to monitor a public IP address in the event of an ISP failure. I want to find a way to dynamically failover the link in the event of failure when losing pings to an external address.
    Regards
    Chris

    Chris
    Dead Peer Detection is one of the functions performed by BGP. If the peer goes dead then BGP will detect it and will withdraw routes learned from that peer from the routing table.
    What you describe about monitoring a public address is more about validating that the ISP routing logic is learning and advertising appropriate routes than it is about detecting if a peer has gone dead. I would think that this is possible - but a bit complex. I would think that you could configure IP SLA to track some public address (the tricky bit here is to make sure that you are tracking through ISP1 and not using ISP2 for this). Then you should be able to configure EEM to watch the track and if the route is lost to make appropriate changes in BGP to force the failover.
    HTH
    Rick

  • No BGP Peering between CE and PE

    Still in the process of modeling the MPLS network that we currently have with one of our Service Providers.
    At this point I have placed the same config on the Lab CE's that exist in our production network. I have also followed Cisco Documentation to configure the PE routers, however I cannot get the CE to PE BGP peering.
    What am I missing?
    *CE Router*
    interface Loopback0
    ip address 10.18.0.8 255.255.255.255
    interface FastEthernet0/0
    ip address 68.139.201.30 255.255.255.252
    duplex half
    interface FastEthernet1/0
    no ip address
    shutdown
    duplex half
    interface FastEthernet1/1
    no ip address
    shutdown
    duplex half
    interface FastEthernet2/0
    no ip address
    duplex full
    router bgp 1
    no synchronization
    bgp log-neighbor-changes
    neighbor 68.139.201.29 remote-as 65000
    *PE Router*
    ip vrf vpn-mtb
    rd 1:100
    route-target export 1:100
    route-target import 1:100
    no ip domain lookup
    mpls label protocol ldp
    tag-switching tdp router-id Loopback0
    interface Loopback0
    ip address 68.2.0.1 255.255.255.252
    interface FastEthernet0/0
    ip address 68.2.1.2 255.255.255.252
    duplex auto
    speed auto
    tag-switching ip
    interface FastEthernet1/0
    ip vrf forwarding vpn-mtb
    ip address 68.139.201.29 255.255.255.252
    duplex auto
    speed auto
    interface FastEthernet2/0
    no ip address
    shutdown
    duplex auto
    speed auto
    router ospf 1
    router-id 68.2.0.1
    log-adjacency-changes
    network 68.0.0.0 0.255.255.255 area 0
    router bgp 65000
    no synchronization
    bgp log-neighbor-changes
    redistribute connected
    neighbor 68.2.0.3 remote-as 65000
    neighbor 68.2.0.3 update-source Loopback0
    no auto-summary
    address-family vpnv4
    neighbor 68.2.0.3 activate
    neighbor 68.2.0.3 send-community extended
    exit-address-family
    address-family ipv4 vrf vpn-mtb
    redistribute connected
    neighbor 68.139.201.30 remote-as 1
    neighbor 68.139.201.30 activate
    neighbor 68.139.201.30 as-override
    no auto-summary
    no synchronization
    exit-address-family

    Here are the command outputs:
    PE#show ip bgp vpnv4 all summary
    BGP router identifier 68.2.0.1, local AS number 65000
    BGP table version is 3, main routing table version 3
    1 network entries using 137 bytes of memory
    1 path entries using 64 bytes of memory
    3/1 BGP path/bestpath attribute entries using 348 bytes of memory
    1 BGP extended community entries using 24 bytes of memory
    0 BGP route-map cache entries using 0 bytes of memory
    0 BGP filter-list cache entries using 0 bytes of memory
    BGP using 573 total bytes of memory
    BGP activity 3/0 prefixes, 3/0 paths, scan interval 15 secs
    Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
    68.2.0.3 4 65000 0 0 0 0 0 never Active
    68.139.201.30 4 1 29 29 0 0 0 never Active
    CE#show ip bgp summary
    BGP router identifier 68.2.0.1, local AS number 1
    BGP table version is 1, main routing table version 1
    Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
    68.139.201.29 4 65000 4246 4246 0 0 0 never Active

  • ISP BGP peering with HSRP for redundancy

    We have a 7507 router, BGP peering to one ISP. Now we need a router redundancy solution.
    I want to use HSRP on the BGP peering interface. Because the ISP only peers with us on one IP address, I have to use HSRP on two router interfaces and use the HSRP virtual IP to peer with the ISP. Do you think this solution will work, or will there be some trouble? Will BGP work fine with HSRP interfaces?
    thanks.

    Yes, BGP works fine with an HSRP interface. Here are some sample configurations for your reference.
    Router A Configuration (ISP Router):
    interface ethernet 0
    ip address
    standby 1 ip (The ip should be same as above command)
    standby 1 priority 110
    standby 1 track Serial0.100
    standby 1 preempt
    Router B Configuration (client Router):
    interface ethernet 0
    ip address
    standby 1 ip (The ip should be same as ISPs address)
    standby 1 priority 105
    standby 1 track Serial0.100
    standby 1 preempt

  • IOS IPS/IDS on a BGP Peering Router?

    We have a pair of BGP peerings between our network and our upstream service provider.  Since the peering points are geographically distributed and we run a "cold potato" routing policy on our network we cannot guarantee symmetric routing for traffic exchanged with our upstream service provider.
    Yesterday we followed the bouncing ball through the IPS/IDS setup documentation on a Cisco 2901 running 15.2(4)M3 and acting as a BGP speaking peering router at one of our peering points.  Immediately the router started throwing %IPS-6-SEND_TCP_PAK and %IPS-6-TIMEOUT_EVENT messages in the logs.  We also observed that some upstream service provider web sites became inaccessible to our users.  Turning off IPS/IDS on the 2901 restored connectivity for our users to those web sites.
    Three questions:
    Do the default Cisco IOS IPS/IDS rules assume that the router will see both sides of each TCP session?
    Does the Cisco IOS IPS/IDS TCP stream reassembly assume an attack and send TCP RST frames when it doesn't see both sides of a TCP session?
    Should we move the Cisco IPS/IDS functionality from the BGP-speaking routers at peering points to our customer sites, as the customer sites are the only places in our network guaranteed to see both sides of a given TCP session?  (We already perform NAT on the customer site routers for that reason.)

    Hello Bill,
    1) Yes, there are some normalizer functions on some IOS-IPS signatures that will behave like that with these scenarios (asymmetric routing is not something good for any kind of security device).
    2) Yes, it will close the connections. I will definitely need to look for specific actions regarding that, but you could just check the IOS IPS signature statistics on your router, see which is the one triggering the most and then see the action configured for it (and change it if required).
    3) If you cannot change that behavior then it would be safe to say the router is not a good place to set an IPS or any other kind of firewall configuration unless you set it with a weaker security policy (useless from a security standard point of view).
    Check my blog at http://laguiadelnetworking.com for further information.
    Cheers,
    Julio Carvajal Segura

  • Link Local BGP peering between Cisco and Juniper (M-Series)

    Hi,
    has anybody successfully managed to get a working IPv6 session between a Cisco and a Juniper router using Link Local IPs?
    I got it working between two cisco routers and two Juniper Routers but not with the two different vendors.
    Configuration on the Juniper site:
       family inet6 {
           address FE80::1/64;
      protocols {
          bgp {
              group customer_ipv6 {
                  neighbor fe80::2 {
                      local-interface at-2/0/0.119;
                      peer-as 65300;
                      as-override;
    Configuration on the Cisco site:
    interface ATM0/0/0.1 point-to-point
    bandwidth 2033
    ip address 10.194.235.42 255.255.255.252
    ip access-group AL-SECURITY-WAN out
    ip mtu 1500
    ipv6 address FE80::2 link-local
    ipv6 enable
    bfd interval 999 min_rx 999 multiplier 15
    pvc 1/32
      vbr-nrt 2244 2244 1
      tx-ring-limit 3
      encapsulation aal5snap
    router bgp 65300
    bgp router-id 10.213.58.185
    bgp log-neighbor-changes
    no bgp default ipv4-unicast
    neighbor FE80::1%ATM0/0/0.1 remote-as 65300
    neighbor FE80::1%ATM0/0/0.1 version 4
    neighbor FE80::2%GigabitEthernet0/1 remote-as 65300
    neighbor FE80::2%GigabitEthernet0/1 version 4
    address-family ipv4
    exit-address-family
    address-family ipv6
      neighbor FE80::1%ATM0/0/0.1 activate
      neighbor FE80::1%ATM0/0/0.1 advertisement-interval 5
      neighbor FE80::1%ATM0/0/0.1 soft-reconfiguration inbound
      neighbor FE80::1%ATM0/0/0.1 route-map NH6 out
      neighbor FE80::2%GigabitEthernet0/1 activate
      neighbor FE80::2%GigabitEthernet0/1 advertisement-interval 5
      neighbor FE80::2%GigabitEthernet0/1 soft-reconfiguration inbound
      neighbor FE80::2%GigabitEthernet0/1 route-map NH6 out
    exit-address-family
    CE_HOSTNAME# show ip bgp ipv6 uni su
    BGP router identifier 10.213.58.185, local AS number 65300
    BGP table version is 7, main routing table version 7
    4 network entries using 656 bytes of memory
    4 path entries using 320 bytes of memory
    1/1 BGP path/bestpath attribute entries using 128 bytes of memory
    2 BGP AS-PATH entries using 48 bytes of memory
    2 BGP community entries using 48 bytes of memory
    0 BGP route-map cache entries using 0 bytes of memory
    0 BGP filter-list cache entries using 0 bytes of memory
    BGP using 1200 total bytes of memory
    BGP activity 34/12 prefixes, 38/12 paths, scan interval 60 secs
    Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    FE80::1%ATM0/0/0.1
                    4        65300       0       0        1    0    0 never    Idle
    FE80::2%GigabitEthernet0/1
                    4        65300      15      16        7    0    0 00:10:59        4
    CE_HOSTNAME#
    The console monitoring states the following:
    Nov 10 06:30:33.023 MET: %BGP-3-NOTIFICATION: sent to neighbor FE80::1%ATM0/0/0.1 active 2/7 (unsupported/disjoint capability) 0 bytes
    Nov 10 06:30:33.023 MET: %BGP-4-MSGDUMP: unsupported or mal-formatted message received from FE80::1%ATM0/0/0.1:
    FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 001D 0104 505A 005A 52D2 C023 00
    Nov 10 06:30:33.023 MET: %BGP-3-NOTIFICATION: received from neighbor FE80::1%ATM0/0/0.1 active 2/5 (authentication failure) 0 bytes
    de-ipc-ulmdon-ce-02#
    Nov 10 06:30:33.023 MET: %BGP_SESSION-5-ADJCHANGE: neighbor FE80::1%ATM0/0/0.1 IPv6 Unicast topology base removed from session  BGP Notification sent
    The Cisco Router is running IOS 15.2, the Juniper Site JunOS 10.4
    Any Ideas how I can get this to work?
    Thanks in advance!

    Marcin,
    I updated the debugging log, the previous one was created using override-capability-neg on the neighbor (experimental).
    >>0) Do you see similar scenario for working session? (Between two Cisco routers)
    The working connection between two cisco routers doesn't show any output
    >>1) What version of IOS are you running? Something fairly recent I hope?
    Show Version:
    Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(1)T1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Mon 19-Sep-11 16:24 by prod_rel_team
    ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
    CE_HOSTNAME uptime is 2 weeks, 5 days, 21 hours, 35 minutes
    System returned to ROM by reload at 18:43:21 MET(S) Fri Oct 21 2011
    System restarted at 18:44:50 MET(S) Fri Oct 21 2011
    System image file is "flash:c1900-universalk9-mz.SPA.152-1.T1.bin"
    Last reload type: Normal Reload
    Last reload reason: Reload Command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco CISCO1941/K9 (revision 1.0) with 446464K/77824K bytes of memory.
    Processor board ID FCZ1504C0G8
    1 DSL controller
    2 Gigabit Ethernet interfaces
    1 ATM interface
    1 terminal line
    DRAM configuration is 64 bits wide with parity disabled.
    255K bytes of non-volatile configuration memory.
    250880K bytes of ATA System CompactFlash 0 (Read/Write)
    License Info:
    License UDI:
    Device#   PID                   SN
    *0        CISCO1941/K9          FCZ1504C0G8
    Technology Package License Information for Module:'c1900'
    Technology    Technology-package           Technology-package
                  Current       Type           Next reboot
    ipbase        ipbasek9      Permanent      ipbasek9
    security      None          None           None
    data          datak9        Permanent      datak9
    Configuration register is 0x2102
    >>2) Can we have some more info from Juniper side (logs/debugs).
    Sadly not. The Juniper Traceoptions don't show anything
    All I can offer you at this point is the neighbor show command:
    user@Juniper> show bgp neighbor fe80::2 instance vrf-test
    Peer: fe80::2 AS 65300         Local: unspecified AS 20570
      Type: External    State: Idle           Flags:
      Last State: NoState       Last Event: NoEvent
      Last Error: None
      Export: [ pol-standard-bgp-export ] Import: [ pol-standard-bgp-import ]
      Options:
      Options:
      Address families configured: inet6-unicast
      Path-attributes dropped:  128
      Holdtime: 90 Preference: 170
      Number of flaps: 0
      Trace options:  all
      Trace file: /var/log/bgp_ipv6_ll_20111110 size 131072 files 10
    user@Juniper> show bgp summary instance vrf-test
    Groups: 2 Peers: 2 Down peers: 1
    Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
    vrf-2.inet.0          37         16          0          0          0          0
    vrf-.inet6.0           0          0          0          0          0          0
    vrf-24.mdt.0           0          0          0          0          0          0
    Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
    10.194.235.42         65300       1149       1076       0       1     8:44:00 Establ
      vrf-test.inet.0: 6/7/7/0
    fe80::2               65300          0          0       0       0     9:38:32 Idle
    >>3)
    CE_HOSTNAME#
    Nov 10 15:35:49.574 MET: BGP: ses global 10.194.235.41 (0x2970EDA4:1) Keep alive timer fired.
    Nov 10 15:35:49.574 MET: BGP: 10.194.235.41 KEEPALIVE requested (bgp_keepalive_timer_expired)
    Nov 10 15:35:49.574 MET: BGP: ses global 10.194.235.41 (0x2970EDA4:1) service keepalive IO request.
    Nov 10 15:35:49.574 MET: BGP: 10.194.235.41 KEEPALIVE write request serviced in BGP_IO
    CE_HOSTNAME#
    Nov 10 15:35:50.598 MET: BGP: ses global FE80::2%GigabitEthernet0/1 (0x316FBDDC:1) Keep alive timer fired.
    Nov 10 15:35:50.598 MET: BGP: FE80::2%GigabitEthernet0/1 KEEPALIVE requested (bgp_keepalive_timer_expired)
    Nov 10 15:35:50.598 MET: BGP: ses global FE80::2%GigabitEthernet0/1 (0x316FBDDC:1) service keepalive IO request.
    Nov 10 15:35:50.598 MET: BGP: FE80::2%GigabitEthernet0/1 KEEPALIVE write request serviced in BGP_IO
    CE_HOSTNAME#
    Nov 10 15:35:52.850 MET: BGP: 10.194.235.41 received KEEPALIVE, length (excl. header) 0
    CE_HOSTNAME#
    Nov 10 15:35:54.694 MET: BGP: FE80::1%ATM0/0/0.1 active went from Idle to Active
    Nov 10 15:35:54.694 MET: BGP: FE80::1%ATM0/0/0.1 open active, local address FE80::2
    Nov 10 15:35:54.698 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Adding topology IPv6 Unicast:base
    Nov 10 15:35:54.698 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Send OPEN
    Nov 10 15:35:54.698 MET: BGP: FE80::1%ATM0/0/0.1 active went from Active to OpenSent
    Nov 10 15:35:54.698 MET: BGP: FE80::1%ATM0/0/0.1 active sending OPEN, version 4, my as: 65300, holdtime 180 seconds, ID AD53AB9
    Nov 10 15:35:54.698 MET: BGP: FE80::1%ATM0/0/0.1 active KEEPALIVE write request serviced in BGP_IO
    Nov 10 15:35:54.698 MET: BGP: FE80::1%ATM0/0/0.1 active service 2 read request in BGP_IO
    Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active KEEPALIVE write request serviced in BGP_IO
    Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active service 2 read request in BGP_IO
    Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active service 2 read request in BGP_IO
    Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active rcv message type 1, length (excl. header) 10
    Nov 10 15:35:54.702 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Receive OPEN
    Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active rcv OPEN, version 4, holdtime 90 seconds
    Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active rcv OPEN w/ OPTION parameter len: 0
    Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active went from OpenSent to Closing
    Nov 10 15:35:54.702 MET: %BGP-3-NOTIFICATION: sent to neighbor FE80::1%ATM0/0/0.1 active 2/7 (unsupported/disjoint capability) 0 bytes
    Nov 10 15:35:54.702 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Send NOTIFICATION 2/7 (unsupported/disjoint capability) 0 bytes
    Nov 10 15:35:54.702 MET: %BGP-4-MSGDUMP: unsupported or mal-formatted message received from FE80::1%ATM0/0/0.1:
    FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 001D 0104 505A 005A 52D2 C023 00
    Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active rcv message type 3, length (excl. header) 2
    Nov 10 15:35:54.702 MET: %BGP-3-NOTIFICATION: received from neighbor FE80::1%ATM0/0/0.1 active 2/5 (authentication failure) 0 bytes
    Nov 10 15:35:54.702 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Receive NOTIFICATION 2/5 (authentication failure) 0 bytes
    Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active bad state change from Closing to Closing
    Nov 10 15:35:54.702 MET: -Traceback= 21B3370Cz 21B33C74z 21B34258z
    Nov 10 15:35:54.702 MET: BGP: tbl IPv4 Unicast:base Service reset requests
    Nov 10 15:35:54.702 MET: BGP: tbl IPv6 Unicast:base Service reset requests
    Nov 10 15:35:54.702 MET: BGP: tbl VPNv4 Unicast:base Service reset requests
    Nov 10 15:35:54.702 MET: BGP: tbl VPNv6 Unicast:base Service reset requests
    Nov 10 15:35:54.702 MET: BGP: tbl IPv4 Multicast:base Service reset requests
    Nov 10 15:35:54.702 MET: BGP: nbr_topo global FE80::1%ATM0/0/0.1 IPv6 Unicast:base (0x296337B4:0) NSF delete stale NSF not active
    Nov 10 15:35:54.702 MET: BGP: nbr_topo global FE80::1%ATM0/0/0.1 IPv6 Unicast:base (0x296337B4:0) NSF no stale paths state is NSF not active
    Nov 10 15:35:54.702 MET: BGP: nbr_topo global FE80::1%ATM0/0/0.1 IPv6 Unicast:base (0x296337B4:0) Resetting ALL counters.
    Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active closing
    Nov 10 15:35:54.702 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Session close and reset neighbor FE80::1%ATM0/0/0.1 topostate
    Nov 10 15:35:54.702 MET: BGP: nbr_topo global FE80::1%ATM0/0/0.1 IPv6 Unicast:base (0x296337B4:0) Resetting ALL counters.
    Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active went from Closing to Idle
    Nov 10 15:35:54.702 MET: %BGP_SESSION-5-ADJCHANGE: neighbor FE80::1%ATM0/0/0.1 IPv6 Unicast topology base removed from session  BGP Notification sent
    CE_HOSTNAME#
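
Added example, not part of the original thread: the hex dump in the %BGP-4-MSGDUMP line above is a complete BGP OPEN message, and this Python code decodes it and compares it with the `remote-as 65300` and IPv6 unicast activation shown in the Cisco configuration. `CONSTRUCTED_OPEN` and all function names are made up for illustration.

```python
import ipaddress
import struct

# Hex dump copied from the %BGP-4-MSGDUMP line in the post above.
PAGE_MSGDUMP = "FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 001D 0104 505A 005A 52D2 C023 00"

# Constructed sample (not from the page): an OPEN from AS 65300 that announces
# the multiprotocol capability for IPv6 unicast (AFI 2, SAFI 1).
CONSTRUCTED_OPEN = "FF" * 16 + "0025 01 04 FF14 005A 0A000001 08 02 06 01 04 0002 00 01"

HEADER_LEN = 19          # marker (16) + length (2) + type (1)
OPEN_FIXED_LEN = 29      # header + version, AS, hold time, BGP ID, opt. length
PARAM_CAPABILITIES = 2   # optional parameter type 2 (RFC 5492)
CAP_MULTIPROTOCOL = 1    # capability code 1 (RFC 4760)
IPV6_UNICAST = (2, 1)    # (AFI, SAFI)


def parse_tlvs(data, what):
    """Split a run of type/length/value triples, rejecting truncated ones."""
    items, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated %s header" % what)
        kind, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated %s" % what)
        items.append((kind, value))
        i += 2 + length
    return items


def parse_open(hexdump):
    """Decode a hex-dumped BGP OPEN into its fixed fields and capabilities."""
    raw = bytes.fromhex("".join(hexdump.split()))
    if len(raw) < OPEN_FIXED_LEN:
        raise ValueError("too short for a BGP OPEN")
    if raw[:16] != b"\xff" * 16:
        raise ValueError("bad marker")
    length, msg_type = struct.unpack("!HB", raw[16:HEADER_LEN])
    if length != len(raw):
        raise ValueError("length field %d, %d bytes dumped" % (length, len(raw)))
    if msg_type != 1:
        raise ValueError("not an OPEN (type %d)" % msg_type)
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack(
        "!BHH4sB", raw[HEADER_LEN:OPEN_FIXED_LEN])
    opt = raw[OPEN_FIXED_LEN:]
    if len(opt) != opt_len:
        raise ValueError("optional parameter length mismatch")
    capabilities = []
    for ptype, pvalue in parse_tlvs(opt, "optional parameter"):
        if ptype == PARAM_CAPABILITIES:
            capabilities.extend(parse_tlvs(pvalue, "capability"))
    families = [struct.unpack("!HxB", value) for code, value in capabilities
                if code == CAP_MULTIPROTOCOL and len(value) == 4]
    return {
        "version": version,
        "my_as": my_as,                  # 2-octet "My Autonomous System" field
        "hold_time": hold_time,
        "bgp_id": str(ipaddress.IPv4Address(bgp_id)),
        "opt_len": opt_len,
        "capabilities": [code for code, _ in capabilities],
        "families": families,
    }


def compare_with_config(open_msg, remote_as, required_families):
    """List where a received OPEN disagrees with the local neighbor config."""
    findings = []
    if open_msg["my_as"] != remote_as:
        findings.append("peer announces AS %d, neighbor configured with remote-as %d"
                        % (open_msg["my_as"], remote_as))
    for afi, safi in required_families:
        if (afi, safi) not in open_msg["families"]:
            findings.append("no multiprotocol capability for AFI %d / SAFI %d"
                            % (afi, safi))
    return findings


if __name__ == "__main__":
    for name, dump in (("page dump", PAGE_MSGDUMP), ("constructed", CONSTRUCTED_OPEN)):
        msg = parse_open(dump)
        print(name, msg)
        for finding in compare_with_config(msg, 65300, [IPV6_UNICAST]):
            print("  finding:", finding)
```

For the page's dump the decoded AS is 20570, the value the Juniper `show bgp neighbor` output lists as its local AS, and the hold time is 90 seconds as in the debug line. The optional-parameter length is 0, so the OPEN carries no capabilities at all, which is consistent with the 2/7 (unsupported/disjoint capability) NOTIFICATION the Cisco side sent.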

  • BGP peers with same AS number

    Hi All,
    As in the network topology attached (replica of actual network), I would like to know if there is any way that routes received from PE-RTR1 in CE-RTR can be advertised to PE-RTR2 and vice versa, so that PE-RTR1 & PE-RTR2 can reach each other.
    Routing protocol used between PE-RTR1 & CE and PE-RTR2 & CE is BGP.
    The issue seems to be due to same AS number of PE-RTR1 & PE-RTR2. It might not be possible to change AS numbers defined. Is there any way to overcome this situation?
    Thanks in advance..
    Regards,
    Nagabhushan

    I read that a bit too quickly.
    If you're connecting your locations via the ISP and they all use the same AS, they'll all need the statement I mentioned in my previous comment. If you already have communication between them via the ISP, then this command is probably already there.
    If you're connecting everything via fibre to the primary location, you can just peer with the other locations using the same AS and you'll be fine... though there are some considerations if you're redistributing BGP into an internal routing protocol.
    In your current configuration, is each location seeing the networks from the other sites propagating from the ISP via BGP?

  • Advertising ipv4 routes via ipv6 bgp peers

    Hello,
    I have established IPV6 bgp sessions with an ipv6 prefix-list filter, but ipv4 routes were advertised over this bgp session. Do I need special configuration under the address family, or are ipv4 prefix-list filters required?
    Note: the config was IBGP between 7200 routers and 6509 core switches.
    Thank you all
    Nael

    Hi Nael,
    This is because address-family ipv4 unicast gets activated by default when you configure a new neighbor in BGP. You either need to configure "no bgp default ipv4-unicast" or go under address-family ipv4 unicast and do a "no neighbor" for the ipv6 neighbor.
    Hope this helps
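
The behaviour described in this answer can be audited offline before a session carries address families nobody intended. The following is an added example, not code from the thread or from Cisco: it reads an IOS-style BGP stanza and lists IPv6-addressed neighbors that are still active in IPv4 unicast. The sample configuration, AS number, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample config; the AS number and addresses are placeholders.
SAMPLE = """\
router bgp 64512
 neighbor 2001:DB8::2 remote-as 64512
 neighbor 2001:DB8::3 remote-as 64512
 neighbor 192.0.2.1 remote-as 64512
 address-family ipv4
  no neighbor 2001:DB8::3 activate
 address-family ipv6
  neighbor 2001:DB8::2 activate
  neighbor 2001:DB8::2 prefix-list V6-OUT out
  neighbor 2001:DB8::3 activate
"""

def ipv4_unicast_neighbors(config):
    """Neighbors (or peer-group names) that end up active in IPv4 unicast."""
    default_v4 = True            # IOS default: "bgp default ipv4-unicast"
    declared, on, off = set(), set(), set()
    family = None                # None = router level, outside any address-family
    for line in config.splitlines():
        w = line.split()
        if w[:4] == ["no", "bgp", "default", "ipv4-unicast"]:
            default_v4 = False
        elif w[:1] == ["address-family"]:
            family = " ".join(w[1:])
        elif w[:1] == ["exit-address-family"]:
            family = None
        elif w[:1] == ["neighbor"] and w[2:3] in (["remote-as"], ["peer-group"]):
            declared.add(w[1])
        elif family in ("ipv4", "ipv4 unicast") and w[-1:] == ["activate"]:
            if w[0] == "no":
                off.add(w[2])    # "no neighbor X activate"
            else:
                on.add(w[1])     # "neighbor X activate"
    return ((declared if default_v4 else set()) | on) - off

def ipv6_peers_carrying_ipv4(config):
    """IPv6-addressed neighbors that will also exchange IPv4 unicast routes."""
    flagged = []
    for name in sorted(ipv4_unicast_neighbors(config)):
        try:
            if ipaddress.ip_address(name.split("%")[0]).version == 6:
                flagged.append(name)
        except ValueError:
            pass                 # a peer-group name, not an address
    return flagged

if __name__ == "__main__":
    print(ipv6_peers_carrying_ipv4(SAMPLE))
```

In the sample, 2001:DB8::3 is cleared by the per-neighbor "no neighbor ... activate", while 2001:DB8::2 is flagged until "no bgp default ipv4-unicast" is added.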

  • BGP Advertised Routes two Peering

    Dear all
    I have an issue with BGP behaviour. I have two BGP peerings; from both I receive a default route, but one of them,
    AS 65472, is primary, so I set up local preference at 200; it is because I want to use AS 65472 as internet
    provider. The other one, AS 65472, is used as secondary internet access, but for the internal network (private) it is
    used as primary. The issue is that when I try to ping from the LAN, I cannot reach the internal network; it seems to be
    because local preference is set up within AS65472 and the packet tries to go through AS 65472 because of local preference 200,
    but I need the internal network to go through AS 65471.
    I am sure that I am advertising the networks as I expect, but when BGP is running for both peerings, it fails.
    Here is the output for this situation:
    7204VXR-SCT#sh ip bgp neighbors 172.16.40.37 received-routes
       Network          Next Hop            Metric LocPrf Weight Path
    * i0.0.0.0          172.16.40.37             0    100      0 i
    Total number of prefixes 1
    7204VXR-SCT#sh ip bgp neighbors 172.16.40.37 advertised-routes
       Network          Next Hop            Metric LocPrf Weight Path
    *> 10.10.200.0/30   0.0.0.0                  0         32768 i
    *> 10.30.24.0/21    172.16.40.4              0         32768 i
    *> 172.16.17.0/24   172.16.40.5              0         32768 i
    *> 172.16.211.0/24  0.0.0.0                  0         32768 i
    *> 172.18.56.16/29  0.0.0.0                  0         32768 i
    *> 172.30.100.18/32 0.0.0.0                  0         32768 i
    *> 172.31.0.20/30   0.0.0.0                  0         32768 i
    7204VXR-SCT#sh ip bgp neighbors 190.97.254.241 received-routes
       Network          Next Hop            Metric LocPrf Weight Path
    *  0.0.0.0          190.97.254.241                         0 65472 i
    Total number of prefixes 1
       Network          Next Hop            Metric LocPrf Weight Path
    *> 190.153.116.0/22 172.16.40.4              0         32768 i
    *> 190.153.120.0/22 172.16.40.4              0         32768 i
    *> 190.153.124.0/24 172.16.40.37            10         32768 i
    router bgp 65471
     bgp log-neighbor-changes
     neighbor externalBGP peer-group
     neighbor externalBGP remote-as 65472
     neighbor externalBGP version 4
     neighbor internalBGP-SCT peer-group
     neighbor internalBGP-SCT remote-as 65471
     neighbor internalBGP-SCT version 4
     neighbor 172.16.40.37 peer-group internalBGP-SCT
     neighbor 190.97.254.241 peer-group viginet
     address-family ipv4
     neighbor externalBGP soft-reconfiguration inbound
     neighbor externalBGP route-map viginet-in in
     neighbor externalBGP route-map viginet-out out
     neighbor internalBGP-SCT soft-reconfiguration inbound
     neighbor internalBGP-SCT route-map internalBGP-SCT-out out
     neighbor 172.16.40.37 activate
     neighbor 190.97.254.241 activate
     no auto-summary
     no synchronization
     network 10.10.200.0 mask 255.255.255.252
     network 10.30.24.0 mask 255.255.248.0
     network 172.16.17.0 mask 255.255.255.0
     network 172.16.40.0 mask 255.255.255.0
     network 172.16.211.0 mask 255.255.255.0
     network 172.18.56.16 mask 255.255.255.248
     network 172.30.100.18 mask 255.255.255.255
     network 172.31.0.20 mask 255.255.255.252
     network 190.153.116.0 mask 255.255.252.0
     network 190.153.120.0 mask 255.255.252.0
     network 190.153.124.0 mask 255.255.255.0
     exit-address-family
    ip route 172.16.40.36 255.255.255.252 Null0 250
    ip route 190.153.116.0 255.255.252.0 172.16.40.4
    ip route 190.153.120.0 255.255.252.0 172.16.40.4
    ip prefix-list invalidas seq 10 permit 172.16.40.0/24
    ip prefix-list invalidas seq 15 permit 10.30.24.0/21
    ip prefix-list invalidas seq 20 permit 172.16.211.0/24
    ip prefix-list invalidas seq 25 permit 172.18.56.16/29
    ip prefix-list invalidas seq 30 permit 172.30.100.18/32
    ip prefix-list invalidas seq 35 permit 10.10.200.0/30
    ip prefix-list invalidas seq 40 permit 172.16.17.0/24
    ip prefix-list invalidas seq 45 permit 172.31.0.20/30
    ip access-list standard viginet-100
     permit 190.153.116.0 0.0.3.255
     permit 190.153.120.0 0.0.3.255
     permit 190.153.124.0 0.0.0.255
    route-map externalBGP-out permit 10
     match ip address viginet-100
    route-map externalBGP-in permit 10
     set local-preference 200
    route-map internalBGP-SCT-out permit 10
     match ip address prefix-list invalidas

    Hello.
    If you want your internal network to go through peer 65471 (to 0.0.0.0/0), then why do you need AS 65472?
    Could you please provide "show ip bgp 0.0.0.0/0"?

  • Question about network statement in OSPF and BGP

    The network statements in OSPF and BGP can be used to advertise networks. But I'm not clear under what circumstances would make more sense to use network statements to advertise a network than by using other methods to have the network learned by other routers.
    Here is an example: assume I'm running BGP on router A. I want to advertise network 10.1.1.0/24 to other BGP peers. I have an OSPF route for this network. I can do 2 things: one is to use "network 10.1.1.0 mask 255.255.255.0", the other is to do "redistribute OSPF ... route-map OSPF-INTO-BGP", and create a prefix list to permit 10.1.1.0/24.
    Both would work to have this network learned by other BGP peers. But which is better for what purpose?
    Thanks a lot
    Gary

    Hi Gary,
    There is one little difference between the use of the two approaches - the route injected into BGP by using a network statement will carry an Origin attribute of IGP, whereas the route injected using redistribution will have an Origin attribute of Incomplete. Now, that is not a huge issue since you can always change that to whatever value you desire, both with the use of the network statement and redistribution. The important thing, however, is that in the BGP best path selection process, the Origin attribute comparison is fairly high up and will prefer a route with the attribute of IGP.
    Apart from that, there is absolutely no difference between using the network statement and using redistribution with a route-map that matches exactly on the same route that you would have specified with the network statement.
    I guess one advantage of using the redistribute approach is that it does not clutter up the BGP config. If you wish to add more routes, you simply add them to the prefix list so that you don't really touch the BGP config portion at all.
    Hope that helps - pls do remember to rate posts that help.
    Paresh
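
The two best-path arguments in the threads above (local preference 200 on the default route learned from AS 65472, and Origin IGP versus Incomplete for a network statement versus redistribution) can be replayed with a small model. This is an added example, not code from any poster or from Cisco; it models only the weight, local-preference, AS-path length and origin steps, and the class, function and path labels are constructed.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}    # IGP < EGP < Incomplete (lower wins)

@dataclass
class Path:
    label: str
    weight: int = 0
    local_pref: int = 100      # default local preference
    as_path: tuple = ()
    origin: str = "i"

# Early best-path steps in evaluation order; for each key the LOWER value wins.
# The locally-originated step and the later steps (MED, eBGP over iBGP,
# IGP metric, router ID) are not modelled.
STEPS = [
    ("weight", lambda p: -p.weight),
    ("local-pref", lambda p: -p.local_pref),
    ("as-path length", lambda p: len(p.as_path)),
    ("origin", lambda p: ORIGIN_RANK[p.origin]),
]

def compare(a, b):
    """Return (winning path, name of the step that decided)."""
    for name, key in STEPS:
        if key(a) != key(b):
            return (a if key(a) < key(b) else b), name
    return a, "undecided by the modelled steps"

# Constructed from the first thread: default route from the eBGP peer in AS 65472
# (local-pref 200 set inbound, as the poster describes) versus the iBGP default.
ebgp_default = Path("0.0.0.0 via 190.97.254.241", local_pref=200, as_path=(65472,))
ibgp_default = Path("0.0.0.0 via 172.16.40.37", local_pref=100)

# Constructed from the second thread: the same prefix injected two ways.
via_network = Path("10.1.1.0/24 network statement", origin="i")
via_redist = Path("10.1.1.0/24 redistributed", origin="?")

if __name__ == "__main__":
    for a, b in [(ebgp_default, ibgp_default), (via_redist, via_network)]:
        winner, step = compare(a, b)
        print(f"{winner.label} wins at step: {step}")
```

Because local preference is evaluated before AS-path length, the eBGP default wins even though its AS path is longer; without the local-pref 200 the same comparison is decided at the AS-path step in favour of the iBGP path.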

  • BGP Issue In MPLS Network

    We are having a gateway router which is running a public AS and has a direct peering with the service provider. We are also working as an MPLS SP and providing internet services to our esteemed clients. Now I am facing one issue: the customer is coming in at a remote POP which has BGP with a private AS number, and the customer itself has a global AS number with his own IP pool. For that I created a peering with my gateway router by putting in a route for the loopback and created an e-bgp peering. Now when the customer pool was advertised by my gateway it does not get the reverse path?
    Kindly give your suggestions or designs for how the ebgp can be used with the gateway router in case the SP is running MPLS.
    regards
    shivlu jain

    Shivlu,
    It's not clear why u have a Private-AS at one of ur POPs, while u could have the same Public-AS configured and run an IBGP session between your PoPs. If you have multiple POPs then u can go for a (Route-Reflector) design.
    The Second point, If you mean what type of Internet access, Then you can have one of the following:
    1- Classic Internet Access.
    2- a dedicated Vrf for Internet Access.
    HTH
    Mohamed
