BGP peering
Question. Best practice is to configure iBGP via a loopback interface. My question is: is that a valid statement for a scenario where two BGP peers are separated by a firewall?
Hello Mateuz,
iBGP uses a TTL of 255 in the BGP packets, so the added hop caused by the firewall is not a problem for the iBGP session.
If the session were eBGP you would need to configure ebgp-multihop to take care of the FW hop.
Hope to help
Giuseppe
Similar Messages
-
How many BGP peers does the 3548 switch support?
Is it possible to run more than 40 peers on a single switch? What is the limitation if not?
Hi,
You can have 40 BGP peers; the number of IPv4 unicast routes handled in hardware is only 24,000. Ensure all your BGP peering routing updates stay within these limits.
http://www.cisco.com/c/en/us/products/collateral/switches/nexus-3548-switch/data_sheet_c78-707001.html
Table 7. Hardware Specifications Common to Both Switches

Hardware tables and scalability     Normal Mode                               Warp Mode
Number of MAC addresses             64,000                                    8000
Number of IPv4 unicast routes       24,000                                    4000
Number of IPv4 hosts                64,000                                    8000
Number of IPv4 multicast routes     8000                                      8000
Number of VLANs                     4096
Number of ACL entries               4096
Number of spanning-tree instances   Rapid Spanning Tree Protocol (RSTP): 512; Multiple Spanning Tree (MST) Protocol: 64
Number of EtherChannels             24
Number of ports per EtherChannel    24
Buffer size                         6 MB shared among 16 ports; 18 MB total
Boot flash memory                   2 GB
HTH
Sandy -
I read http://blog.ipexpert.com/2010/11/08/bgp-peering-and-default-routes/ and understood that a BGP speaker will not initiate a BGP connection with the other BGP router if it can reach it via a default route only, and that BGP peering will not come up at all if both BGP speakers know each other via default routes only. I could not understand the reason behind this though. Could any expert help me in understanding the underlying reasoning?
I can't think of a reason why you would want to peer with a router you don't have a route for. If you're relying on a default route for a multi-hop BGP peer session, it could cause the session to be unreliable due to changes in the network down the line from you. An unreliable BGP session would be bad for the router's CPU/memory if the session were to flap.
-
IPS4240 in bypassmode-auto cause BGP peering failure
Recently installed IPS4240s running inline. With "bypass-mode auto", the BGP peering (with password) between two routers on either side of the IPS unit drops. The error logs indicate a bad MD5 hash on both units. In "bypass-mode on", BGP peering with password is fine.
Anyone know a fix or the cause?
This is probably being dropped or modified by some of the "normalizer" engine signatures in the IPS. Basically, the IPS in inline mode does a lot of TCP checks and drops or modifies packets with certain bits set. It probably doesn't like the fact that the MD5 hash is set as TCP option 19 and is modifying it somehow, which then fails your authentication on the remote peer.
Go into whatever configuration tool you're using and enable "produce-verbose-alert" on all the 13xx signatures (1300-1330). Then check your alerts for an alert with victim/attacker IP addresses of your BGP routers, see which signature actually fired, then disable that signature (or add a filter so that it doesn't fire for that IP address pair anymore). This will stop it doing whatever it is doing to your BGP packets and it should work from then on.
It'll probably be one of the sub-sigs under 1330, as this does a lot of different checks on various parts of the TCP packet. -
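The point in the answer above, that an inline device which rewrites the TCP header invalidates the RFC 2385 signature carried in TCP option 19, is easiest to see by computing the digest. The following Python is an added example, not code from the thread. It builds a signed BGP KEEPALIVE segment between two constructed router addresses (10.0.0.1 and 10.0.0.2) with a constructed key, verifies it as the receiving peer would, then shows that rewriting a field the digest covers (here the PSH flag, chosen only for illustration) breaks verification, while rewriting the option padding, which the digest does not cover, does not.

```python
"""RFC 2385 TCP MD5 signature (TCP option kind 19) as used by BGP.

Added example; addresses, ports, sequence numbers and key are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_MD5 = 19          # RFC 2385 signature option, length 18
BGP_PORT = 179


def build_fixed_header(sport, dport, seq, ack, flags, window, hdr_words):
    """20-byte fixed TCP header; hdr_words is the data offset in 32-bit words
    (fixed header plus options). Checksum and urgent pointer are zero here."""
    off_flags = (hdr_words << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def tcp_md5_digest(src, dst, fixed_header, options, payload, key):
    """RFC 2385 section 2: MD5 over, in order,
      1. the IP pseudo-header (src, dst, zero, protocol, TCP length, where the
         TCP length counts fixed header + options + data),
      2. the fixed TCP header with the checksum field treated as zero,
         TCP options excluded,
      3. the segment data,
      4. the shared key.
    Options, including the signature option itself, are not covered."""
    tcp_len = len(fixed_header) + len(options) + len(payload)
    pseudo = (ipaddress.IPv4Address(src).packed
              + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    header_no_cksum = fixed_header[:16] + b"\x00\x00" + fixed_header[18:]
    return hashlib.md5(pseudo + header_no_cksum + payload + key).digest()


def md5_option(digest):
    """Kind 19, length 18, 16-byte digest, plus two NOPs to a 4-byte boundary."""
    return bytes([TCPOPT_MD5, 18]) + digest + bytes([TCPOPT_NOP, TCPOPT_NOP])


def sign_segment(src, dst, fixed_header, payload, key):
    """Return the options block carrying a valid signature for this segment."""
    placeholder = md5_option(b"\x00" * 16)   # only its length matters for the digest
    return md5_option(tcp_md5_digest(src, dst, fixed_header, placeholder, payload, key))


def verify_segment(src, dst, fixed_header, options, payload, key):
    """Walk the options as a receiver would; recompute and compare the digest.
    A segment without option 19 is rejected when MD5 is configured for the peer."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2:
            break
        if kind == TCPOPT_MD5 and length == 18:
            expected = tcp_md5_digest(src, dst, fixed_header, options, payload, key)
            return hmac.compare_digest(options[i + 2:i + 18], expected)
        i += length
    return False


def demo():
    """Sign a BGP KEEPALIVE, then show what an inline rewrite does to it.
    Returns (valid_as_sent, valid_after_header_rewrite, valid_after_option_rewrite)."""
    src, dst, key = "10.0.0.1", "10.0.0.2", b"constructed-shared-secret"
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)      # marker, length 19, type 4
    psh_ack, ack_only = 0x018, 0x010
    hdr = build_fixed_header(BGP_PORT, 40000, 1000, 2000, psh_ack, 16384, 10)  # 20 + 20 bytes
    opts = sign_segment(src, dst, hdr, keepalive, key)
    as_sent = verify_segment(src, dst, hdr, opts, keepalive, key)

    # A normalizer that changes any covered field (here: clears PSH) makes the
    # receiver compute a different digest, which it logs as a bad MD5 hash.
    rewritten_hdr = build_fixed_header(BGP_PORT, 40000, 1000, 2000, ack_only, 16384, 10)
    after_header_rewrite = verify_segment(src, dst, rewritten_hdr, opts, keepalive, key)

    # Rewriting only the option padding (NOP NOP -> EOL EOL) leaves the digest
    # intact, because option bytes are outside the signed region.
    rewritten_opts = opts[:18] + bytes([TCPOPT_EOL, TCPOPT_EOL])
    after_option_rewrite = verify_segment(src, dst, hdr, rewritten_opts, keepalive, key)
    return as_sent, after_header_rewrite, after_option_rewrite


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The digest also leaves the TCP checksum out (it is treated as zero), so a device that merely recomputes the checksum after touching nothing else is harmless; anything that changes flags, sequence or acknowledgement numbers, the window, or the segment length is not. The thread's suggestion to find the exact signature that fires and exempt the peer pair is therefore the right scope: the fix is to stop the rewrite for those two addresses, not to weaken the authentication.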
Hello Guys
I have a scenario where I would like to have your insights.
1. Client having Main site and DR site connected to same ISP with public IP line.
2. The client has acquired a public IP block (/24) and would like to use same on both main and DR sites.
Would this be possible through BGP? How can we advertise the same IP block on 2 sites?
The sites need to be in an active-active scenario.
Thanks
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
If you're going to advertise the same address block from two different BGP peers, whether to the same ISP or different ISPs, the expectation is that you can get to or from that address block along either path. I.e. you need an "internal" path between your two BGP peers. Otherwise, if the "critical" BGP path fails, you continue to advertise an address block that's unreachable.
There's no need to split your block unless you were trying to manually load balance using your two paths.
As another poster noted, you might have asymmetrical routing (depending on path costing), but from a pure L3 perspective it doesn't matter. It can, though, matter to stateful devices like firewalls. The latter might be addressed by firewalls at both sites sharing state information. -
Cisco BGP Peering Between 2 ISP
Hi Cisco People,
Just have a question about BGP peering on Ciscos. I have two ISPs which I am peering with in an active and standby configuration. I would like to know if there is a way to configure some sort of 'dead-peer detection' on the router to monitor a public IP address in the event of an ISP failure. I want to find a way to dynamically fail over the link in the event of failure when losing pings to an external address.
Regards
Chris
Chris,
Dead peer detection is one of the functions performed by BGP. If the peer goes dead, BGP will detect it and withdraw the routes learned from that peer from the routing table.
What you describe about monitoring a public address is more about validating that the ISP routing logic is learning and advertising appropriate routes than it is about detecting if a peer has gone dead. I would think that this is possible - but a bit complex. I would think that you could configure IP SLA to track some public address (the tricky bit here is to make sure that you are tracking through ISP1 and not using ISP2 for this). Then you should be able to configure EEM to watch the track and if the route is lost to make appropriate changes in BGP to force the failover.
HTH
Rick -
No BGP Peering between CE and PE
Still in the process of modeling the MPLS network that we currently have with one of our Service Providers.
At this point I have placed the same config on the Lab CE's that exist in our production network. I have also followed Cisco Documentation to configure the PE routers, however I cannot get the CE to PE BGP peering.
What am I missing?
*CE Router*
interface Loopback0
 ip address 10.18.0.8 255.255.255.255
interface FastEthernet0/0
 ip address 68.139.201.30 255.255.255.252
 duplex half
interface FastEthernet1/0
 no ip address
 shutdown
 duplex half
interface FastEthernet1/1
 no ip address
 shutdown
 duplex half
interface FastEthernet2/0
 no ip address
 duplex full
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 68.139.201.29 remote-as 65000
*PE Router*
ip vrf vpn-mtb
 rd 1:100
 route-target export 1:100
 route-target import 1:100
no ip domain lookup
mpls label protocol ldp
tag-switching tdp router-id Loopback0
interface Loopback0
 ip address 68.2.0.1 255.255.255.252
interface FastEthernet0/0
 ip address 68.2.1.2 255.255.255.252
 duplex auto
 speed auto
 tag-switching ip
interface FastEthernet1/0
 ip vrf forwarding vpn-mtb
 ip address 68.139.201.29 255.255.255.252
 duplex auto
 speed auto
interface FastEthernet2/0
 no ip address
 shutdown
 duplex auto
 speed auto
router ospf 1
 router-id 68.2.0.1
 log-adjacency-changes
 network 68.0.0.0 0.255.255.255 area 0
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 68.2.0.3 remote-as 65000
 neighbor 68.2.0.3 update-source Loopback0
 no auto-summary
 address-family vpnv4
  neighbor 68.2.0.3 activate
  neighbor 68.2.0.3 send-community extended
 exit-address-family
 address-family ipv4 vrf vpn-mtb
  redistribute connected
  neighbor 68.139.201.30 remote-as 1
  neighbor 68.139.201.30 activate
  neighbor 68.139.201.30 as-override
  no auto-summary
  no synchronization
 exit-address-family
Here are the command outputs:
PE#show ip bgp vpnv4 all summary
BGP router identifier 68.2.0.1, local AS number 65000
BGP table version is 3, main routing table version 3
1 network entries using 137 bytes of memory
1 path entries using 64 bytes of memory
3/1 BGP path/bestpath attribute entries using 348 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 573 total bytes of memory
BGP activity 3/0 prefixes, 3/0 paths, scan interval 15 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
68.2.0.3 4 65000 0 0 0 0 0 never Active
68.139.201.30 4 1 29 29 0 0 0 never Active
CE#show ip bgp summary
BGP router identifier 68.2.0.1, local AS number 1
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
68.139.201.29 4 65000 4246 4246 0 0 0 never Active -
ISP BGP peering with HSRP for redundancy
We have a 7507 router with BGP peering to one ISP. Now we need a router redundancy solution.
I want to use HSRP on the BGP peering interface, because the ISP only peers with one IP address of ours. I would have to use HSRP on the two router interfaces and use the HSRP virtual IP to peer with the ISP. Do you think this solution will work, or will there be some trouble? Will BGP work fine with HSRP interfaces?
Thanks.
Yes, BGP works fine with an HSRP interface. Here are some sample configurations for your reference.
Router A Configuration (ISP Router):
interface ethernet 0
 ip address
 standby 1 ip (The IP should be the same as in the command above)
 standby 1 priority 110
 standby 1 track Serial0.100
 standby 1 preempt
Router B Configuration (client Router):
interface ethernet 0
 ip address
 standby 1 ip (The IP should be the same as the ISP's address)
 standby 1 priority 105
 standby 1 track Serial0.100
 standby 1 preempt -
IOS IPS/IDS on a BGP Peering Router?
We have a pair of BGP peerings between our network and our upstream service provider. Since the peering points are geographically distributed and we run a "cold potato" routing policy on our network, we cannot guarantee symmetric routing for traffic exchanged with our upstream service provider.
Yesterday we followed the bouncing ball through the IPS/IDS setup documentation on a Cisco 2901 running 15.2(4)M3 and acting as a BGP speaking peering router at one of our peering points. Immediately the router started throwing %IPS-6-SEND_TCP_PAK and %IPS-6-TIMEOUT_EVENT messages in the logs. We also observed that some upstream service provider web sites became inaccessible to our users. Turning off IPS/IDS on the 2901 restored connectivity for our users to those web sites.
Three questions:
Do the default Cisco IOS IPS/IDS rules assume that the router will see both sides of each TCP session?
Does the Cisco IOS IPS/IDS TCP stream reassembly assume an attack and send TCP RST frames when it doesn't see both sides of a TCP session?
Should we move the Cisco IPS/IDS functionality from the BGP-speaking routers at peering points to our customer sites, as the customer sites are the only places in our network guaranteed to see both sides of a given TCP session? (We already perform NAT on the customer site routers for that reason.)
Hello Bill,
1) Yes, there are some normalizer functions on some IOS-IPS signatures that will behave like that in these scenarios (asymmetric routing is not good for any kind of security device).
2) Yes, it will close the connections. I would definitely need to look for the specific actions regarding that, but you could just check the IOS IPS signature statistics on your router, see which one is triggering the most and then see the action configured for it (and change it if required).
3) If you cannot change that behavior then it would be safe to say the router is not a good place to set up an IPS or any other kind of firewall configuration, unless you set it up with a weaker security policy (useless from a security standpoint).
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura -
Link Local BGP peering between Cisco and Juniper (M-Series)
Hi,
has anybody successfully managed to get a working IPv6 session between a Cisco and a Juniper router using Link Local IPs?
I got it working between two cisco routers and two Juniper Routers but not with the two different vendors.
Configuration on the Juniper side:
family inet6 {
    address FE80::1/64;
}
protocols {
    bgp {
        group customer_ipv6 {
            neighbor fe80::2 {
                local-interface at-2/0/0.119;
                peer-as 65300;
                as-override;
            }
        }
    }
}
Configuration on the Cisco side:
interface ATM0/0/0.1 point-to-point
 bandwidth 2033
 ip address 10.194.235.42 255.255.255.252
 ip access-group AL-SECURITY-WAN out
 ip mtu 1500
 ipv6 address FE80::2 link-local
 ipv6 enable
 bfd interval 999 min_rx 999 multiplier 15
 pvc 1/32
  vbr-nrt 2244 2244 1
  tx-ring-limit 3
  encapsulation aal5snap
router bgp 65300
 bgp router-id 10.213.58.185
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor FE80::1%ATM0/0/0.1 remote-as 65300
 neighbor FE80::1%ATM0/0/0.1 version 4
 neighbor FE80::2%GigabitEthernet0/1 remote-as 65300
 neighbor FE80::2%GigabitEthernet0/1 version 4
 address-family ipv4
 exit-address-family
 address-family ipv6
  neighbor FE80::1%ATM0/0/0.1 activate
  neighbor FE80::1%ATM0/0/0.1 advertisement-interval 5
  neighbor FE80::1%ATM0/0/0.1 soft-reconfiguration inbound
  neighbor FE80::1%ATM0/0/0.1 route-map NH6 out
  neighbor FE80::2%GigabitEthernet0/1 activate
  neighbor FE80::2%GigabitEthernet0/1 advertisement-interval 5
  neighbor FE80::2%GigabitEthernet0/1 soft-reconfiguration inbound
  neighbor FE80::2%GigabitEthernet0/1 route-map NH6 out
 exit-address-family
CE_HOSTNAME# show ip bgp ipv6 uni su
BGP router identifier 10.213.58.185, local AS number 65300
BGP table version is 7, main routing table version 7
4 network entries using 656 bytes of memory
4 path entries using 320 bytes of memory
1/1 BGP path/bestpath attribute entries using 128 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
2 BGP community entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1200 total bytes of memory
BGP activity 34/12 prefixes, 38/12 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
FE80::1%ATM0/0/0.1
4 65300 0 0 1 0 0 never Idle
FE80::2%GigabitEthernet0/1
4 65300 15 16 7 0 0 00:10:59 4
CE_HOSTNAME#
The console monitoring states the following:
Nov 10 06:30:33.023 MET: %BGP-3-NOTIFICATION: sent to neighbor FE80::1%ATM0/0/0.1 active 2/7 (unsupported/disjoint capability) 0 bytes
Nov 10 06:30:33.023 MET: %BGP-4-MSGDUMP: unsupported or mal-formatted message received from FE80::1%ATM0/0/0.1:
FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 001D 0104 505A 005A 52D2 C023 00
Nov 10 06:30:33.023 MET: %BGP-3-NOTIFICATION: received from neighbor FE80::1%ATM0/0/0.1 active 2/5 (authentication failure) 0 bytes
de-ipc-ulmdon-ce-02#
Nov 10 06:30:33.023 MET: %BGP_SESSION-5-ADJCHANGE: neighbor FE80::1%ATM0/0/0.1 IPv6 Unicast topology base removed from session BGP Notification sent
The Cisco Router is running IOS 15.2, the Juniper Site JunOS 10.4
Any Ideas how I can get this to work?
Thanks in advance!
Marcin,
I updated the debugging log; the previous one was created using override-capability-neg on the neighbor (experimental).
>>0) Do you see a similar scenario for the working session? (Between two Cisco routers)
The working connection between two Cisco routers doesn't show any output.
>>1) What version of IOS are you running? Something fairly recent, I hope?
Show Version:
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(1)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Mon 19-Sep-11 16:24 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
CE_HOSTNAME uptime is 2 weeks, 5 days, 21 hours, 35 minutes
System returned to ROM by reload at 18:43:21 MET(S) Fri Oct 21 2011
System restarted at 18:44:50 MET(S) Fri Oct 21 2011
System image file is "flash:c1900-universalk9-mz.SPA.152-1.T1.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco CISCO1941/K9 (revision 1.0) with 446464K/77824K bytes of memory.
Processor board ID FCZ1504C0G8
1 DSL controller
2 Gigabit Ethernet interfaces
1 ATM interface
1 terminal line
DRAM configuration is 64 bits wide with parity disabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
Device# PID SN
*0 CISCO1941/K9 FCZ1504C0G8
Technology Package License Information for Module:'c1900'
Technology Technology-package Technology-package
Current Type Next reboot
ipbase ipbasek9 Permanent ipbasek9
security None None None
data datak9 Permanent datak9
Configuration register is 0x2102
>>2) Can we have some more info from Juniper side (logs/debugs).
Sadly not. The Juniper Traceoptions don't show anything
All I can offer you at this point is the neighbor show command:
user@Juniper> show bgp neighbor fe80::2 instance vrf-test
Peer: fe80::2 AS 65300 Local: unspecified AS 20570
Type: External State: Idle Flags:
Last State: NoState Last Event: NoEvent
Last Error: None
Export: [ pol-standard-bgp-export ] Import: [ pol-standard-bgp-import ]
Options:
Options:
Address families configured: inet6-unicast
Path-attributes dropped: 128
Holdtime: 90 Preference: 170
Number of flaps: 0
Trace options: all
Trace file: /var/log/bgp_ipv6_ll_20111110 size 131072 files 10
user@Juniper> show bgp summary instance vrf-test
Groups: 2 Peers: 2 Down peers: 1
Table Tot Paths Act Paths Suppressed History Damp State Pending
vrf-2.inet.0 37 16 0 0 0 0
vrf-.inet6.0 0 0 0 0 0 0
vrf-24.mdt.0 0 0 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
10.194.235.42 65300 1149 1076 0 1 8:44:00 Establ
vrf-test.inet.0: 6/7/7/0
fe80::2 65300 0 0 0 0 9:38:32 Idle
>>3)
CE_HOSTNAME#
Nov 10 15:35:49.574 MET: BGP: ses global 10.194.235.41 (0x2970EDA4:1) Keep alive timer fired.
Nov 10 15:35:49.574 MET: BGP: 10.194.235.41 KEEPALIVE requested (bgp_keepalive_timer_expired)
Nov 10 15:35:49.574 MET: BGP: ses global 10.194.235.41 (0x2970EDA4:1) service keepalive IO request.
Nov 10 15:35:49.574 MET: BGP: 10.194.235.41 KEEPALIVE write request serviced in BGP_IO
CE_HOSTNAME#
Nov 10 15:35:50.598 MET: BGP: ses global FE80::2%GigabitEthernet0/1 (0x316FBDDC:1) Keep alive timer fired.
Nov 10 15:35:50.598 MET: BGP: FE80::2%GigabitEthernet0/1 KEEPALIVE requested (bgp_keepalive_timer_expired)
Nov 10 15:35:50.598 MET: BGP: ses global FE80::2%GigabitEthernet0/1 (0x316FBDDC:1) service keepalive IO request.
Nov 10 15:35:50.598 MET: BGP: FE80::2%GigabitEthernet0/1 KEEPALIVE write request serviced in BGP_IO
CE_HOSTNAME#
Nov 10 15:35:52.850 MET: BGP: 10.194.235.41 received KEEPALIVE, length (excl. header) 0
CE_HOSTNAME#
Nov 10 15:35:54.694 MET: BGP: FE80::1%ATM0/0/0.1 active went from Idle to Active
Nov 10 15:35:54.694 MET: BGP: FE80::1%ATM0/0/0.1 open active, local address FE80::2
Nov 10 15:35:54.698 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Adding topology IPv6 Unicast:base
Nov 10 15:35:54.698 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Send OPEN
Nov 10 15:35:54.698 MET: BGP: FE80::1%ATM0/0/0.1 active went from Active to OpenSent
Nov 10 15:35:54.698 MET: BGP: FE80::1%ATM0/0/0.1 active sending OPEN, version 4, my as: 65300, holdtime 180 seconds, ID AD53AB9
Nov 10 15:35:54.698 MET: BGP: FE80::1%ATM0/0/0.1 active KEEPALIVE write request serviced in BGP_IO
Nov 10 15:35:54.698 MET: BGP: FE80::1%ATM0/0/0.1 active service 2 read request in BGP_IO
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active KEEPALIVE write request serviced in BGP_IO
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active service 2 read request in BGP_IO
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active service 2 read request in BGP_IO
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active rcv message type 1, length (excl. header) 10
Nov 10 15:35:54.702 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Receive OPEN
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active rcv OPEN, version 4, holdtime 90 seconds
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active rcv OPEN w/ OPTION parameter len: 0
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active went from OpenSent to Closing
Nov 10 15:35:54.702 MET: %BGP-3-NOTIFICATION: sent to neighbor FE80::1%ATM0/0/0.1 active 2/7 (unsupported/disjoint capability) 0 bytes
Nov 10 15:35:54.702 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Send NOTIFICATION 2/7 (unsupported/disjoint capability) 0 bytes
Nov 10 15:35:54.702 MET: %BGP-4-MSGDUMP: unsupported or mal-formatted message received from FE80::1%ATM0/0/0.1:
FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 001D 0104 505A 005A 52D2 C023 00
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active rcv message type 3, length (excl. header) 2
Nov 10 15:35:54.702 MET: %BGP-3-NOTIFICATION: received from neighbor FE80::1%ATM0/0/0.1 active 2/5 (authentication failure) 0 bytes
Nov 10 15:35:54.702 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Receive NOTIFICATION 2/5 (authentication failure) 0 bytes
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active bad state change from Closing to Closing
Nov 10 15:35:54.702 MET: -Traceback= 21B3370Cz 21B33C74z 21B34258z
Nov 10 15:35:54.702 MET: BGP: tbl IPv4 Unicast:base Service reset requests
Nov 10 15:35:54.702 MET: BGP: tbl IPv6 Unicast:base Service reset requests
Nov 10 15:35:54.702 MET: BGP: tbl VPNv4 Unicast:base Service reset requests
Nov 10 15:35:54.702 MET: BGP: tbl VPNv6 Unicast:base Service reset requests
Nov 10 15:35:54.702 MET: BGP: tbl IPv4 Multicast:base Service reset requests
Nov 10 15:35:54.702 MET: BGP: nbr_topo global FE80::1%ATM0/0/0.1 IPv6 Unicast:base (0x296337B4:0) NSF delete stale NSF not active
Nov 10 15:35:54.702 MET: BGP: nbr_topo global FE80::1%ATM0/0/0.1 IPv6 Unicast:base (0x296337B4:0) NSF no stale paths state is NSF not active
Nov 10 15:35:54.702 MET: BGP: nbr_topo global FE80::1%ATM0/0/0.1 IPv6 Unicast:base (0x296337B4:0) Resetting ALL counters.
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active closing
Nov 10 15:35:54.702 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Session close and reset neighbor FE80::1%ATM0/0/0.1 topostate
Nov 10 15:35:54.702 MET: BGP: nbr_topo global FE80::1%ATM0/0/0.1 IPv6 Unicast:base (0x296337B4:0) Resetting ALL counters.
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active went from Closing to Idle
Nov 10 15:35:54.702 MET: %BGP_SESSION-5-ADJCHANGE: neighbor FE80::1%ATM0/0/0.1 IPv6 Unicast topology base removed from session BGP Notification sent
CE_HOSTNAME# -
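Both the CE/PE thread above (eBGP session stuck in Active on both routers) and this link-local thread come down to what a router does with the OPEN it receives, so the following Python, added here and not part of either post, decodes an OPEN and applies the receiver checks from RFC 4271 section 6.2 and RFC 5492 that produce the NOTIFICATION subcodes. PAGE_DUMP is the message the Cisco logged under %BGP-4-MSGDUMP: it carries AS 20570, hold time 90 and BGP identifier 82.210.192.35, and its optional-parameter length byte is zero, so it announces no Multiprotocol capability and is an IPv4-unicast-only OPEN; against a local side that has only IPv6 unicast activated there is no common address family, which is the 2/7 the log shows. The local Cisco OPEN, the corrected Juniper OPEN and the CE/PE pair (both summaries print "BGP router identifier 68.2.0.1") are constructed, and the expected peer AS in the link-local case is taken from the dump so that the check reaches the capability comparison. Whether a duplicate identifier is really what is wrong in the CE/PE lab the page does not say; the example only shows which subcode that condition produces.

```python
"""Decode a BGP OPEN and apply the receiver-side checks that yield the
NOTIFICATION subcodes seen in the posts above.

Added example; not code from the thread. PAGE_DUMP is the OPEN the Cisco
router logged in %BGP-4-MSGDUMP; everything else is constructed.
"""
import struct
from dataclasses import dataclass, field

BGP_OPEN = 1
OPT_CAPABILITIES = 2       # RFC 5492 optional parameter type
CAP_MULTIPROTOCOL = 1      # RFC 4760: value = AFI(2) reserved(1) SAFI(1)
IPV4_UNICAST, IPV6_UNICAST = (1, 1), (2, 1)

# NOTIFICATION error code 2 (OPEN Message Error) subcodes
UNSUPPORTED_VERSION, BAD_PEER_AS, BAD_BGP_ID = 1, 2, 3
UNACCEPTABLE_HOLD_TIME, UNSUPPORTED_CAPABILITY = 6, 7

PAGE_DUMP = bytes.fromhex(
    "FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 001D 0104 505A 005A 52D2 C023 00"
)


@dataclass
class BgpOpen:
    version: int
    asn: int
    hold_time: int
    router_id: str
    capabilities: list = field(default_factory=list)   # [(code, value bytes)]

    def afi_safi(self):
        """Address families the sender offers. With no Multiprotocol
        capability at all the session is IPv4 unicast only (RFC 4760)."""
        pairs = set()
        for code, value in self.capabilities:
            if code == CAP_MULTIPROTOCOL and len(value) == 4:
                afi, _reserved, safi = struct.unpack("!HBB", value)
                pairs.add((afi, safi))
        return pairs or {IPV4_UNICAST}


def parse_open(msg: bytes) -> BgpOpen:
    """Parse marker, length, type, the fixed OPEN body, then capabilities."""
    if len(msg) < 29 or msg[:16] != b"\xff" * 16:
        raise ValueError("bad marker or message too short")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if length != len(msg) or mtype != BGP_OPEN:
        raise ValueError(f"length {length} / type {mtype} is not this OPEN")
    version, asn, hold, rid, opt_len = struct.unpack("!BHHIB", msg[19:29])
    params = msg[29:29 + opt_len]
    if len(params) != opt_len:
        raise ValueError("optional parameters truncated")
    caps = []
    i = 0
    while i + 2 <= len(params):                      # TLV walk, RFC 4271 4.2
        ptype, plen = params[i], params[i + 1]
        pval = params[i + 2:i + 2 + plen]
        if ptype == OPT_CAPABILITIES:
            j = 0
            while j + 2 <= len(pval):                # nested TLVs, RFC 5492
                ccode, clen = pval[j], pval[j + 1]
                caps.append((ccode, pval[j + 2:j + 2 + clen]))
                j += 2 + clen
        i += 2 + plen
    router_id = ".".join(str(b) for b in struct.pack("!I", rid))
    return BgpOpen(version, asn, hold, router_id, caps)


def build_open(asn, hold_time, router_id, afi_safi=()):
    """Construct an OPEN; one Multiprotocol capability per (AFI, SAFI)."""
    caps = b"".join(struct.pack("!BBHBB", CAP_MULTIPROTOCOL, 4, afi, 0, safi)
                    for afi, safi in afi_safi)
    params = struct.pack("!BB", OPT_CAPABILITIES, len(caps)) + caps if caps else b""
    rid = int.from_bytes(bytes(int(o) for o in router_id.split(".")), "big")
    body = struct.pack("!BHHIB", 4, asn, hold_time, rid, len(params)) + params
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), BGP_OPEN) + body


def check_open(local: BgpOpen, remote: BgpOpen, expected_as: int):
    """Receiver checks in RFC 4271 section 6.2 order, then the RFC 5492
    capability check. Returns None to accept, else the subcode to send in
    a NOTIFICATION with error code 2."""
    if remote.version != 4:
        return UNSUPPORTED_VERSION
    if remote.asn != expected_as:
        return BAD_PEER_AS
    if remote.router_id in ("0.0.0.0", local.router_id):
        return BAD_BGP_ID                  # 2/3: identifier invalid or equal to ours
    if remote.hold_time in (1, 2):
        return UNACCEPTABLE_HOLD_TIME      # 0 (no keepalives) or >= 3 is legal
    if not local.afi_safi() & remote.afi_safi():
        return UNSUPPORTED_CAPABILITY      # 2/7: no address family in common
    return None


def demo():
    """Replay the two situations from the posts; returns the subcodes."""
    # Link-local post: the Cisco has only IPv6 unicast activated.
    cisco = parse_open(build_open(65300, 180, "10.213.58.185", [IPV6_UNICAST]))
    juniper = parse_open(PAGE_DUMP)        # no capabilities => IPv4 unicast only
    disjoint = check_open(cisco, juniper, juniper.asn)
    # Same peer, now announcing IPv6 unicast: accepted.
    fixed = parse_open(build_open(juniper.asn, juniper.hold_time,
                                  juniper.router_id, [IPV6_UNICAST]))
    accepted = check_open(cisco, fixed, juniper.asn)
    # CE/PE post: both summaries print "BGP router identifier 68.2.0.1".
    pe = parse_open(build_open(65000, 180, "68.2.0.1"))
    ce = parse_open(build_open(1, 180, "68.2.0.1"))
    same_id = check_open(pe, ce, 1)
    return disjoint, accepted, same_id


if __name__ == "__main__":
    j = parse_open(PAGE_DUMP)
    print(j.asn, j.hold_time, j.router_id, j.capabilities)   # 20570 90 82.210.192.35 []
    print(demo())                                            # (7, None, 3)
```

When reading a %BGP-4-MSGDUMP line by hand, the byte after the 4-byte identifier is the optional-parameter length; a zero there means the peer sent no capabilities at all, which on a session that only has IPv6 unicast activated is sufficient by itself to explain a 2/7 before looking anywhere else.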
Hi All,
As in the network topology attached (replica of actual network), I would like to know if there is any way that routes received from PE-RTR1 in CE-RTR can be advertised to PE-RTR2 and vice versa, so that PE-RTR1 & PE-RTR2 can reach each other.
Routing protocol used between PE-RTR1 & CE and PE-RTR2 & CE is BGP.
The issue seems to be due to same AS number of PE-RTR1 & PE-RTR2. It might not be possible to change AS numbers defined. Is there any way to overcome this situation?
Thanks in advance..
Regards,
Nagabhushan
I read that a bit too quickly.
If you're connecting your locations via the ISP and they all use the same AS, they'll all need the statement I mentioned in my previous comment. If you already have communication between them via the ISP, then this command is probably already there.
If you're connecting everything via fibre to the primary location, you can just peer with the other locations using the same AS and you'll be fine... though there are some considerations if you're redistributing BGP into an internal routing protocol.
In your current configuration, is each location seeing the networks from the other sites propagating from the ISP via BGP? -
Advertising ipv4 routes via ipv6 bgp peers
Hello,
I have established IPv6 BGP sessions with an IPv6 prefix-list filter, but IPv4 routes were advertised over this BGP session. Do I need special configuration under the address family, or are IPv4 prefix-list filters required?
Note : the config was IBGP between 7200 routers and 6509 core switches.
Thank you all
Nael
Hi Nael,
This is because address-family ipv4 unicast gets activated by default when you configure a new neighbor in BGP. You either need to configure "no bgp default ipv4-unicast" or go under address-family ipv4 unicast and do a "no neighbor" for the ipv6 neighbor.
Hope this helps -
BGP Advertised Routes two Peering
Dear all
I have an issue with BGP behaviour. I have two BGP peerings; from both I receive a default route, but one of them,
AS 65472, is primary, so I set up local preference 200; this is because I want to use AS 65472 as internet
provider. The other one, AS 65472, is used as secondary internet access, but for the internal network (private) it is
used as primary. The issue is that when I try to ping from the LAN, I cannot reach the internal network; it seems to be
because local preference is set up within AS 65472 and the packet tries to go through AS 65472 because of local preference 200,
but I need the internal network to go through AS 65471.
I am sure that I am advertising the networks as I expect, but when BGP is running for both peerings, it fails.
Here is the output for this situation:
7204VXR-SCT#sh ip bgp neighbors 172.16.40.37 received-routes
Network Next Hop Metric LocPrf Weight Path
* i0.0.0.0 172.16.40.37 0 100 0 i
Total number of prefixes 1
7204VXR-SCT#sh ip bgp neighbors 172.16.40.37 advertised-routes
Network Next Hop Metric LocPrf Weight Path
*> 10.10.200.0/30 0.0.0.0 0 32768 i
*> 10.30.24.0/21 172.16.40.4 0 32768 i
*> 172.16.17.0/24 172.16.40.5 0 32768 i
*> 172.16.211.0/24 0.0.0.0 0 32768 i
*> 172.18.56.16/29 0.0.0.0 0 32768 i
*> 172.30.100.18/32 0.0.0.0 0 32768 i
*> 172.31.0.20/30 0.0.0.0 0 32768 i
7204VXR-SCT#sh ip bgp neighbors 190.97.254.241 received-routes
Network Next Hop Metric LocPrf Weight Path
* 0.0.0.0 190.97.254.241 0 65472 i
Total number of prefixes 1
Network Next Hop Metric LocPrf Weight Path
*> 190.153.116.0/22 172.16.40.4 0 32768 i
*> 190.153.120.0/22 172.16.40.4 0 32768 i
*> 190.153.124.0/24 172.16.40.37 10 32768 i
router bgp 65471
bgp log-neighbor-changes
neighbor externalBGP peer-group
neighbor externalBGP remote-as 65472
neighbor externalBGP version 4
neighbor internalBGP-SCT peer-group
neighbor internalBGP-SCT remote-as 65471
neighbor internalBGP-SCT version 4
neighbor 172.16.40.37 peer-group internalBGP-SCT
neighbor 190.97.254.241 peer-group viginet
address-family ipv4
neighbor externalBGP soft-reconfiguration inbound
neighbor externalBGP route-map viginet-in in
neighbor externalBGP route-map viginet-out out
neighbor internalBGP-SCT soft-reconfiguration inbound
neighbor internalBGP-SCT route-map internalBGP-SCT-out out
neighbor 172.16.40.37 activate
neighbor 190.97.254.241 activate
no auto-summary
no synchronization
network 10.10.200.0 mask 255.255.255.252
network 10.30.24.0 mask 255.255.248.0
network 172.16.17.0 mask 255.255.255.0
network 172.16.40.0 mask 255.255.255.0
network 172.16.211.0 mask 255.255.255.0
network 172.18.56.16 mask 255.255.255.248
network 172.30.100.18 mask 255.255.255.255
network 172.31.0.20 mask 255.255.255.252
network 190.153.116.0 mask 255.255.252.0
network 190.153.120.0 mask 255.255.252.0
network 190.153.124.0 mask 255.255.255.0
exit-address-family
ip route 172.16.40.36 255.255.255.252 Null0 250
ip route 190.153.116.0 255.255.252.0 172.16.40.4
ip route 190.153.120.0 255.255.252.0 172.16.40.4
ip prefix-list invalidas seq 10 permit 172.16.40.0/24
ip prefix-list invalidas seq 15 permit 10.30.24.0/21
ip prefix-list invalidas seq 20 permit 172.16.211.0/24
ip prefix-list invalidas seq 25 permit 172.18.56.16/29
ip prefix-list invalidas seq 30 permit 172.30.100.18/32
ip prefix-list invalidas seq 35 permit 10.10.200.0/30
ip prefix-list invalidas seq 40 permit 172.16.17.0/24
ip prefix-list invalidas seq 45 permit 172.31.0.20/30
ip access-list standard viginet-100
permit 190.153.116.0 0.0.3.255
permit 190.153.120.0 0.0.3.255
permit 190.153.124.0 0.0.0.255
route-map externalBGP-out permit 10
match ip address viginet-100
route-map externalBGP-in permit 10
set local-preference 200
route-map internalBGP-SCT-out permit 10
match ip address prefix-list invalidas

Hello.
If you want your internal network to go through peer 65471 (to 0.0.0.0/0), then why do you need AS 65472?
Could you please provide "show ip bgp 0.0.0.0/0"? -
Question about network statement in OSPF and BGP
The network statements in OSPF and BGP can be used to advertise networks. But I'm not clear under what circumstances would make more sense to use network statements to advertise a network than by using other methods to have the network learned by other routers.
Here is an example: assume I'm running BGP on router A. I want to advertise network 10.1.1.0/24 to other BGP peers. I have an OSPF route for this network. I can do 2 things: one is to use "network 10.1.1.0 mask 255.255.255.0", the other is to do "redistribute ospf ... route-map OSPF-INTO-BGP" and create a prefix list to permit 10.1.1.0/24.
Both would work to have this network learned by other BGP peers. But which is better for what purpose?
Thanks a lot
Gary

Hi Gary,
There is one little difference between the two approaches: the route injected into BGP by using a network statement will carry an Origin attribute of IGP, whereas the route injected using redistribution will have an Origin attribute of Incomplete. Now, that is not a huge issue since you can always change that to whatever value you desire, both with the network statement and with redistribution. The important thing, however, is that in the BGP best path selection process, the Origin attribute comparison is fairly high up and will prefer a route with the attribute of IGP.
Apart from that, there is absolutely no difference between using the network statement and using redistribution with a route-map that matches exactly on the same route that you would have specified with the network statement.
I guess one advantage of using the redistribute approach is that it does not clutter up the BGP config. If you wish to add more routes, you simply add them to the prefix list so that you don't really touch the BGP config portion at all.
Hope that helps - please do remember to rate posts that help.
Paresh -
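As an added example (not code from any of the posters), here is a small Python model of the IOS best-path decision order that covers both this thread and the earlier "BGP Advertised Routes two Peering" thread. Scenario 1 reproduces the two default routes from that thread's show output (iBGP peer at LocPrf 100, eBGP peer at LocPrf 200 set by the inbound route-map; the router IDs are assumed to equal the peer addresses) and shows that local preference decides before AS-path length or origin is ever compared. Scenario 2 takes Paresh's point: a receiving router with two otherwise-equal paths for 10.1.1.0/24, one with origin IGP (network statement) and one with origin Incomplete (redistribution); the peers 10.0.0.1 and 10.0.0.2 are constructed. IGP metric to the next hop, multipath and route age are left out, and MED is compared unconditionally, which are simplifications of the real process.

```python
"""Simplified IOS BGP best-path selection (added example, not from any poster).

Order modelled: weight, local preference, locally originated, AS-path length,
origin (IGP < EGP < Incomplete), MED, eBGP over iBGP, lowest router ID.
Assumptions: IGP metric to next hop, multipath and route age are ignored, and
MED is compared unconditionally (IOS compares it only between paths from the
same neighbouring AS unless `bgp always-compare-med` is set).
"""
from __future__ import annotations

from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP best, Incomplete worst
STEPS = ("weight", "local_pref", "locally_originated", "as_path_length",
         "origin", "med", "ebgp_over_ibgp", "router_id")


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str
    router_id: str               # of the advertising peer
    as_path: tuple[int, ...] = ()
    origin: str = "i"
    local_pref: int = 100        # IOS default
    weight: int = 0              # IOS default for learned paths
    med: int = 0
    ebgp: bool = True
    local: bool = False          # originated on this router (network/redistribute)

    def sort_key(self) -> tuple:
        """Tuple where a smaller value wins at every position."""
        return (
            -self.weight,
            -self.local_pref,
            0 if self.local else 1,
            len(self.as_path),
            ORIGIN_RANK[self.origin],
            self.med,
            0 if self.ebgp else 1,
            tuple(int(o) for o in self.router_id.split(".")),
        )


def best_path(paths: list[Path]) -> Path:
    """The path IOS would mark '>' among candidates for one prefix."""
    return min(paths, key=Path.sort_key)


def deciding_step(a: Path, b: Path) -> str | None:
    """Name of the first decision step at which a and b differ."""
    for name, x, y in zip(STEPS, a.sort_key(), b.sort_key()):
        if x != y:
            return name
    return None


# Scenario 1 (two-peering thread): two default routes, iBGP peer at LocPrf 100,
# eBGP peer at LocPrf 200 set by the inbound route-map. Router IDs are assumed
# to equal the peer addresses from the posted show output.
DEFAULT_VIA_IBGP = Path("0.0.0.0/0", "172.16.40.37", "172.16.40.37",
                        local_pref=100, ebgp=False)
DEFAULT_VIA_EBGP = Path("0.0.0.0/0", "190.97.254.241", "190.97.254.241",
                        as_path=(65472,), local_pref=200, ebgp=True)

# Scenario 2 (network vs redistribute thread): a receiving router learns
# 10.1.1.0/24 from two iBGP peers (constructed router IDs), one injected with a
# network statement (origin i), one by redistribution (origin ?), otherwise equal.
# The redistributed path deliberately has the lower router ID, so only origin
# can be what picks the winner.
VIA_NETWORK = Path("10.1.1.0/24", "10.0.0.2", "10.0.0.2", origin="i", ebgp=False)
VIA_REDIST = Path("10.1.1.0/24", "10.0.0.1", "10.0.0.1", origin="?", ebgp=False)


if __name__ == "__main__":
    b = best_path([DEFAULT_VIA_IBGP, DEFAULT_VIA_EBGP])
    print(b.next_hop, "wins on", deciding_step(DEFAULT_VIA_EBGP, DEFAULT_VIA_IBGP))
    b = best_path([VIA_NETWORK, VIA_REDIST])
    print(b.next_hop, "wins on", deciding_step(VIA_NETWORK, VIA_REDIST))
```

In scenario 1 the eBGP default wins on local preference alone, which is exactly why the route-map's `set local-preference 200` drags every destination covered only by 0.0.0.0/0 towards AS 65472. In scenario 2 the two paths tie on weight, local preference, locally-originated and AS-path length, so origin is the first step that separates them and the network-statement path wins even though the redistributed path would have won the later router-ID tie-breaker.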
We have a gateway router which is running a public AS and has a direct peering with the service provider. We also operate as an MPLS SP, providing internet services to our esteemed clients. Now I am facing one issue: a customer is connected at a remote POP that has BGP with a private AS number, while the customer itself has a global AS number with its own IP pool. For that I created a peering with my gateway router by putting in a route for the loopback and creating an eBGP peering. Now, when the customer pool is advertised by my gateway, it does not get the reverse path?
Kindly give your suggestions or designs for how eBGP can be used with the gateway router in case the SP is running MPLS.
regards
shivlu jain

Shivlu,
It's not clear why you have a private AS at one of your POPs, while you could have the same public AS configured and run an iBGP session between your POPs. If you have multiple POPs then you can go for a route-reflector design.
The second point: if you mean what type of internet access, then you can have one of the following:
1- Classic Internet Access.
2- a dedicated Vrf for Internet Access.
HTH
Mohamed