BGP route-reflector next-hop issue

Similar Messages

• Bgp Route reflector

  Hello,
  i have this bgp topology all router running bgp and no igp is running. Now, the problem is R2 and R3 are route reflector, R1 and R4 are Rclient.
  R3 has learn route from R4 (4.4.4.4) from its R client and it advertise to R2 but R2 not advertise (4.4.4.4) route to its client (R1).
  R1#sh ip bgp
  BGP table version is 5, local router ID is 192.168.12.1
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                r RIB-failure, S Stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop            Metric LocPrf Weight Path
  *> 1.1.1.1/32       0.0.0.0                  0         32768 i
  *>i2.2.2.2/32       192.168.12.2             0    100      0 i
  * i3.3.3.3/32       192.168.23.3             0    100      0 i
  R2#sh ip bgp
  BGP table version is 8, local router ID is 192.168.12.2
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                r RIB-failure, S Stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop            Metric LocPrf Weight Path
  *>i1.1.1.1/32       192.168.12.1             0    100      0 i
  *> 2.2.2.2/32       0.0.0.0                  0         32768 i
  *>i3.3.3.3/32       192.168.23.3             0    100      0 i
  * i4.4.4.4/32       192.168.34.4             0    100      0 i

  R3#sh ip bgp
  BGP table version is 8, local router ID is 192.168.23.3
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                r RIB-failure, S Stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop            Metric LocPrf Weight Path
  * i1.1.1.1/32       192.168.12.1             0    100      0 i
  *>i2.2.2.2/32       192.168.23.2             0    100      0 i
  *> 3.3.3.3/32       0.0.0.0                  0         32768 i
  *>i4.4.4.4/32       192.168.34.4             0    100      0 
  R3#sh run | se router bgp
  router bgp 1
   no synchronization
   bgp log-neighbor-changes
   network 3.3.3.3 mask 255.255.255.255
   neighbor 192.168.23.2 remote-as 1
   neighbor 192.168.23.2 next-hop-self
   neighbor 192.168.34.4 remote-as 1
   neighbor 192.168.34.4 route-reflector-client
   no auto-summary

• Query on BGP route distribution

  Hello Everyone
  In the below scenario (GNS3), IBGP peering enabled between R1-R2, R1-R3, R2-R3 and EBGP peering enabled between R2-R4,R3-R5,R4-R6,R5-R7. OSPF enabled as IGP. Scenario attached for reference.
  The problem I've observed in R1 is not getting entire BGP routing table for destinations 30.x.x.x/40.x.x.x.
  I'm able to see only best routes in R1 BGP routing table, but alternate valid routes are not visible in its topology table.
  R1#sh ip bgp
  BGP table version is 81, local router ID is 100.100.2.1
  *>i30.30.1.0/24     10.10.1.2                0    100      0 200 300 ?
  *>i30.30.2.0/24     10.10.1.2                0    100      0 200 300 ?
  *>i40.40.1.0/24     10.10.2.2                0    100      0 200 400 i
  *>i40.40.2.0/24     10.10.2.2                0    100      0 200 400 i
  *> 100.100.1.0/24   0.0.0.0                  0         32768 i
  *> 100.100.2.0/24   0.0.0.0                  0         32768 i
  More confusing part to me is when I disable IBGP peering between R2-R3 or shutdown interface between R2-R3 or else if I disable ospf in R1,R2 & R3 routers , I'm able to see both best route and alternate valid route in BGP topology table.
  R1#sh ip bgp

  Hi Milin & Renan,
  Thanks for your replies. To narrow down the problem, I’ve shut down the 40.40.x.x network.
  Now between R2-R3, R3 is not advertising 30.30.X.X network to R2, but whereas R2 is advertising 30.30.X.X network to R3. Why R3 is not advertising 30.30.X.X (route via 200 400 300) to R2.
  R2#sh ip bgp ( No alternate route)
   Network          Next Hop            Metric LocPrf Weight Path
  *> 30.30.1.0/24     10.10.4.2                              0 200 300 ?
  *> 30.30.2.0/24     10.10.4.2                              0 200 300 ?
  *>i100.100.1.0/24   10.10.1.1                0    100      0 i
  *>i100.100.2.0/24   10.10.1.1                0    100      0 i
  R2#sh ip bgp summary
  Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
  10.10.1.1       4   100      96      98        5    0    0 01:05:50        2
  10.10.3.2       4   100      98     100        5    0    0 01:05:54        0
  10.10.4.2       4   200     100      98        5    0    0 01:05:39        2
  R3#sh ip bgp  ( only in R3 we can see both best route & alternate route)
     Network          Next Hop            Metric LocPrf Weight Path
  *>i30.30.1.0/24     10.10.3.1                0    100      0 200 300 ?
  *                   10.10.5.2                              0 200 400 300 ?
  *>i30.30.2.0/24     10.10.3.1                0    100      0 200 300 ?
  *                   10.10.5.2                              0 200 400 300 ?
  *>i100.100.1.0/24   10.10.2.1                0    100      0 i
  *>i100.100.2.0/24   10.10.2.1                0    100      0 i
  R3#sh ip bgp summary
  Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
  10.10.2.1       4   100      54      57       19    0    0 00:50:17        2
  10.10.3.1       4   100      62      60       19    0    0 00:27:22        2
  10.10.5.2       4   200      58      58       19    0    0 00:50:08        2

• BGP Next-hop conflict with MPLS Label.

  Hi, Experts
  Equipment: Cisco ASR9922, IOS-XR 4.3.2
  Issue: I have problem that my RR do the next-hop-self by using route-policy for client routers, the next-hop is changed as intended but the MPLS label doesn’t changed to reflect the new next-hop.
  What I would like to achieve: I would like RR to set next-hop-self only for selected prefixes(172.168.0.0/24, 0.0.0.0/0) but maintain original next-hop for the rest, I do this by using route-policy.
  Detail:
  I have routers running MPLS infrastructure with ASR9922 as an RR. RN router is in neighbor-group RN and CPE-xx routers are in neighbor-group AN.
  •-       Every routers are in same BGP AS64549.
  •-       RN sends prefixes 0.0.0.0/0 and 172.168.0.0/24 to RR.
  •-       CPE-25 sends prefix 192.168.25.1/32 to RR.
  Neighbor-group AN has the route-policy AN-OUT2 to set next-hop of prefix 172.168.0.0/24 and 0.0.0.0/0 to RR#loopback1 before send out update to CPE routers. Below is BGP and RPL configuration at RR.
  router bgp 64549
  nsr
  bgp graceful-restart
  ibgp policy out enforce-modifications
  address-family vpnv4 unicast
    additional-paths receive
    additional-paths send
    additional-paths selection route-policy ADD-PATH-iBGP
    retain route-target all
  neighbor-group AN
    remote-as 64549
    cluster-id 172.16.1.11
    update-source Loopback1
    address-family vpnv4 unicast
     route-reflector-client
     route-policy AN-OUT2 out
     soft-reconfiguration inbound
  route-policy AN-OUT2
    if destination in DEFAULT or destination in RNC then
      set next-hop 192.168.10.11
    else
      pass
    endif
  end-policy
  This is what RR advertises to CPE-24
  RP/0/RP0/CPU0:RR#show bgp vpnv4 unicast neighbors 192.168.10.24 advertised-routes
  Fri Dec 20 15:23:14.931 BKK
  Network            Next Hop        From            AS Path
  Route Distinguisher: 64549:3339
  0.0.0.0/0          192.168.10.11   172.16.1.1      ?
                                     172.16.1.2      ?
  172.168.0.0/24     192.168.10.11   172.16.1.1      ?
                                     172.16.1.2      ?
  192.168.0.1/32     192.168.10.11   192.168.10.24   i
  192.168.0.26/32    192.168.10.26   192.168.10.26   i
  192.168.25.1/32    192.168.10.25   192.168.10.25   i
  192.168.211.8/30   192.168.10.22   192.168.10.22   i
  The IP part works as intended but MPLS Label doesn’t work as intended. Please take a look at RN who is originates 172.168.0.0/24, label 16025 is locally assigned.
  RP/0/RP0/CPU0:RN1#show bgp vpnv4 unicast labels
  Status codes: s suppressed, d damped, h history, * valid, > best
                i - internal, r RIB-failure, S stale, N Nexthop-discard
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network            Next Hop        Rcvd Label      Local Label
  Route Distinguisher: 64549:3339 (default for vrf VLAN3339)
  *> 0.0.0.0/0          0.0.0.0         nolabel         16025          
  * i                   172.16.1.11     16068           16025          
  * i                   172.16.1.13     16033           16025          
  *> 172.168.0.0/24     0.0.0.0         nolabel         16025          
  * i                   172.16.1.11     16059           16025          
  * i                   172.16.1.13     16024           16025          
  172.168.0.0/24 at RR, label 16059 is locally assigned, label 16025 is receive from RN router. It should send 172.168.0.0/24 with label 16059 to CPE-24 to reflect next-hop changed.
  RP/0/RSP0/CPU0:RR#show bgp vpnv4 unicast labels
  Status codes: s suppressed, d damped, h history, * valid, > best
                i - internal, r RIB-failure, S stale, N Nexthop-discard
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network            Next Hop        Rcvd Label      Local Label
  Route Distinguisher: 64549:3339
  *>i0.0.0.0/0          172.16.1.1      16025           16068          
  * i                   172.16.1.2      16007           16068          
  *>i172.168.0.0/24     172.16.1.1      16025           16059          
  * i                   172.16.1.2      16007           16059          
  *>i192.168.0.1/32     192.168.10.24   131070          16060          
  *>i192.168.25.1/32    192.168.10.25   131070          16062          
  *>i192.168.211.8/30   192.168.10.22   131070          16065          
  What I found at CPE-24 which is Alcatel router is that, RR send prefix 172.168.0.0/24, nh 192.168.10.11 with label 16025 which is incorrect.
  A:CPE-24# show router bgp routes vpn-ipv4 172.168.0.0/24
  ===============================================================================
  BGP Router ID:192.168.10.24    AS:64549       Local AS:64549     
  ===============================================================================
  Legend -
  Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
  Origin codes  : i - IGP, e - EGP, ? - incomplete, > - best, b - backup
  ===============================================================================
  BGP VPN-IPv4 Routes
  ===============================================================================
  Flag  Network                                            LocalPref   MED
        Nexthop                                            Path-Id     VPNLabel
        As-Path                                                       
  u*>?  64549:3339:172.168.0.0/24                          100         0
        192.168.10.11                                      None        16025
        No As-Path                                                     
  Routes : 1
  ===============================================================================
  On RR If I just remove the policy and do the next-hop-self under vpv4 address family, CPE-24 will get corrent nh with correct label(16059) but that won’t achieve our requirement to change nh only on selected prefixes. Is this software problem? Or is there any solution to work around?
  Regard,
  Marit

  Hello Marit,
  I am able to recreate this in the lab, and unfortunately this scenario is not supported. BGP does not advertise allocated label if we set nexhop using route policy. The only way is by next-hop-self configured on RR, and yes it eventually will applies to all prefixes advertised to neighbor-group AN. Currently i do not have workaround available.
  Below is the capture of what i have tested in the lab:
  The topology:
  CRS-4-02 ---------- CRS-8-01 ------------ ASR-9006-1
  CRS-8-01 is Route-reflector of CRS-4-02 and ASR-9006-1.
  CRS-4-02 advertise some prefixes.
  This issue occurs when RR have route-policy toward ASR-9006-1, where it assign incorrect label. But it assign correct label if CRS-8-01 use next-hop-self.
  Below is the test done in the lab if RR use next-hop-self:
  RP/0/RP0/CPU0:CRS-4-02#show run router bgp
  Tue Jan  7 08:16:18.945 UTC
  router bgp 1
  bgp router-id 172.16.4.1
  ibgp policy out enforce-modifications
  address-family ipv4 unicast
  address-family vpnv4 unicast
  neighbor 172.16.8.3
    remote-as 1
    update-source Loopback0
    address-family ipv4 unicast
    address-family vpnv4 unicast
     route-policy PASS in
     route-policy PASS out
  vrf RTAMAELA
    rd 100:1
    address-family ipv4 unicast
     redistribute connected
  RP/0/RP0/CPU0:CRS-4-02#show bgp vpnv4 unicast advertised  summary
  Tue Jan  7 08:16:29.001 UTC
  Network            Next Hop        From             Advertised to
  Route Distinguisher: 100:1
  78.22.11.2/32      172.16.4.1      Local            172.16.8.3
  78.22.11.3/32      172.16.4.1      Local            172.16.8.3
  93.22.15.61/32     172.16.4.1      Local            172.16.8.3
  RP/0/RP0/CPU0:CRS-4-02#
  RP/0/RP0/CPU0:CRS-4-02#show bgp vpnv4 unicast labels
  Tue Jan  7 08:16:53.655 UTC
  BGP router identifier 172.16.4.1, local AS number 1
  BGP generic scan interval 60 secs
  BGP table state: Active
  Table ID: 0x0
  BGP main routing table version 57
  BGP scan interval 60 secs
  Status codes: s suppressed, d damped, h history, * valid, > best
                i - internal, r RIB-failure, S stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network            Next Hop        Rcvd Label      Local Label
  Route Distinguisher: 100:1 (default for vrf RTAMAELA)
  *>i22.51.32.77/32     172.16.8.3      16056           nolabel
  *> 78.22.11.2/32      0.0.0.0         nolabel         16003
  *> 78.22.11.3/32      0.0.0.0         nolabel         16003
  *> 93.22.15.61/32     0.0.0.0         nolabel         16003
  Processed 4 prefixes, 4 paths
  RP/0/RP0/CPU0:CRS-4-02#
  RP/0/RP1/CPU0:CRS-8-01#show run router bgp
  Wed Jan  8 11:07:05.436 UTC
  router bgp 1
  bgp graceful-restart
  ibgp policy out enforce-modifications
  address-family ipv4 unicast
    allocate-label all
  address-family vpnv4 unicast
    retain route-target all
  neighbor-group AN
    remote-as 1
    update-source Loopback0
    address-family vpnv4 unicast
     route-reflector-client
     next-hop-self                              <-- use next-hop-self toward ASR-9006-1
     soft-reconfiguration inbound
  neighbor-group RN
    remote-as 1
    update-source Loopback0
    graceful-restart
    address-family vpnv4 unicast
     route-reflector-client
     next-hop-self
     soft-reconfiguration inbound
  neighbor 10.10.10.10
    remote-as 1
    address-family ipv4 unicast
  neighbor 72.15.48.5
    use neighbor-group AN
  neighbor 172.16.4.1
    use neighbor-group RN
  RP/0/RP1/CPU0:CRS-8-01#show bgp vpnv4 unicast labels
  Wed Jan  8 11:07:09.091 UTC
  BGP router identifier 172.16.8.3, local AS number 1
  BGP generic scan interval 60 secs
  BGP table state: Active
  Table ID: 0x0   RD version: 344169
  BGP main routing table version 92
  BGP scan interval 60 secs
  Status codes: s suppressed, d damped, h history, * valid, > best
                i - internal, r RIB-failure, S stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network            Next Hop        Rcvd Label      Local Label
  Route Distinguisher: 100:1
  *>i22.51.32.77/32     72.15.48.5      16000           16056
  *>i78.22.11.2/32      172.16.4.1      16003           16053
  *>i78.22.11.3/32      172.16.4.1      16003           16054
  *>i93.22.15.61/32     172.16.4.1     16003           16055
  Processed 4 prefixes, 4 paths
  RP/0/RP1/CPU0:CRS-8-01#
  RP/0/RSP1/CPU0:ASR-9006-01#show run router bgp
  Wed Jan  8 17:02:02.796 UTC
  router bgp 1
  bgp router-id 72.15.48.5
  bgp graceful-restart
  ibgp policy out enforce-modifications
  address-family ipv4 unicast
  address-family vpnv4 unicast
    retain route-target all
  neighbor-group RR
    remote-as 1
    update-source Loopback0
    graceful-restart
    address-family vpnv4 unicast
     route-reflector-client
     soft-reconfiguration inbound
  neighbor 172.16.8.3
    use neighbor-group RR
  neighbor 192.169.1.2
    remote-as 1
    update-source Loopback0
    address-family vpnv4 unicast
     route-policy PASS in
     route-policy PASS out
  vrf RTAMAELA
    rd 100:1
    address-family ipv4 unicast
     redistribute connected
  RP/0/RSP1/CPU0:ASR-9006-01#show bgp vpnv4 unicast labels
  Wed Jan  8 17:02:04.381 UTC
  BGP router identifier 72.15.48.5, local AS number 1
  BGP generic scan interval 60 secs
  BGP table state: Active
  Table ID: 0x0   RD version: 253825
  BGP main routing table version 126
  BGP scan interval 60 secs
  Status codes: s suppressed, d damped, h history, * valid, > best
                i - internal, r RIB-failure, S stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network            Next Hop        Rcvd Label      Local Label
  Route Distinguisher: 100:1 (default for vrf RTAMAELA)
  *> 22.51.32.77/32     0.0.0.0         nolabel         16000
  *>i78.22.11.2/32      172.16.8.3      16053           nolabel          <== 172.16.8.3 is the loopback address of CRS-8-01
  *>i78.22.11.3/32      172.16.8.3      16054           nolabel
  *>i93.22.15.61/32     172.16.8.3      16055           nolabel
  Processed 4 prefixes, 4 paths
  RP/0/RSP1/CPU0:ASR-9006-01#
  From output above we can see that ASR-9006-01 received correct label for each prefix.
  Below is the output with route-policy configured and ASR-9006-01 receive incorrect label:
  RP/0/RP1/CPU0:CRS-8-01#show run router bgp
  Wed Jan  8 11:04:46.310 UTC
  router bgp 1
  bgp graceful-restart
  ibgp policy out enforce-modifications
  address-family ipv4 unicast
    allocate-label all
  address-family vpnv4 unicast
    retain route-target all
  neighbor-group AN
    remote-as 1
    update-source Loopback0
    address-family vpnv4 unicast
     route-reflector-client
     route-policy RTAMAELA out
     soft-reconfiguration inbound
  neighbor-group RN
    remote-as 1
    update-source Loopback0
    graceful-restart
    address-family vpnv4 unicast
     route-reflector-client
     next-hop-self
     soft-reconfiguration inbound
  neighbor 72.15.48.5
    use neighbor-group AN
  neighbor 172.16.4.1
    use neighbor-group RN
  RP/0/RP1/CPU0:CRS-8-01#show run route-policy RTAMAELA
  Wed Jan  8 11:16:06.847 UTC
  route-policy RTAMAELA
    if destination in RNC then
      set next-hop 172.16.8.3
    else
      pass
    endif
  end-policy
  RP/0/RP1/CPU0:CRS-8-01#show run prefix-set RNC
  Wed Jan  8 11:16:12.099 UTC
  prefix-set RNC
    78.22.11.3/32
  end-set
  RP/0/RP1/CPU0:CRS-8-01#show bgp vpnv4 unicast labels
  Wed Jan  8 11:04:33.512 UTC
  BGP router identifier 172.16.8.3, local AS number 1
  BGP generic scan interval 60 secs
  BGP table state: Active
  Table ID: 0x0   RD version: 344013
  BGP main routing table version 92
  BGP scan interval 60 secs
  Status codes: s suppressed, d damped, h history, * valid, > best
                i - internal, r RIB-failure, S stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network            Next Hop        Rcvd Label      Local Label
  Route Distinguisher: 100:1
  *>i22.51.32.77/32     72.15.48.5      16000           16056
  *>i78.22.11.2/32      172.16.4.1      16003           16053
  *>i78.22.11.3/32      172.16.4.1      16003           16054
  *>i93.22.15.61/32     172.16.4.1      16003           16055
  Processed 4 prefixes, 4 paths
  RP/0/RP1/CPU0:CRS-8-01#
  RP/0/RSP1/CPU0:ASR-9006-01#show run router bgp
  Wed Jan  8 16:59:41.601 UTC
  router bgp 1
  bgp router-id 72.15.48.5
  bgp graceful-restart
  ibgp policy out enforce-modifications
  address-family ipv4 unicast
  address-family vpnv4 unicast
    retain route-target all
  neighbor-group RR
    remote-as 1
    update-source Loopback0
    graceful-restart
    address-family vpnv4 unicast
     route-reflector-client
     soft-reconfiguration inbound
  neighbor 172.16.8.3
    use neighbor-group RR
  neighbor 192.169.1.2
    remote-as 1
    update-source Loopback0
    address-family vpnv4 unicast
     route-policy PASS in
     route-policy PASS out
  vrf RTAMAELA
    rd 100:1
    address-family ipv4 unicast
     redistribute connected
  RP/0/RSP1/CPU0:ASR-9006-01#show bgp ipv4 unicast labels
  Wed Jan  8 16:59:52.173 UTC
  RP/0/RSP1/CPU0:ASR-9006-01#show bgp vpnv4 unicast labels
  Wed Jan  8 17:00:00.457 UTC
  BGP router identifier 72.15.48.5, local AS number 1
  BGP generic scan interval 60 secs
  BGP table state: Active
  Table ID: 0x0   RD version: 253701
  BGP main routing table version 123
  BGP scan interval 60 secs
  Status codes: s suppressed, d damped, h history, * valid, > best
                i - internal, r RIB-failure, S stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network            Next Hop        Rcvd Label      Local Label
  Route Distinguisher: 100:1 (default for vrf RTAMAELA)
  *> 22.51.32.77/32     0.0.0.0         nolabel         16000
  *>i78.22.11.2/32      172.16.4.1      16003           nolabel
  *>i78.22.11.3/32      172.16.8.3      16003           nolabel   <-- It receive label 16003, which is wrong. it should receive label 16054.
  *>i93.22.15.61/32     172.16.4.1      16003           nolabel
  Processed 4 prefixes, 4 paths
  RP/0/RSP1/CPU0:ASR-9006-01#
  Rivalino

• BGP - next hop self command.

  Hi,
  I am learning bgp...need your help...
  Connectivity is like as follows:
  Router A (ebgp)  Router B (ibgp) Router C (ibgp) Router D
  when loopback subnet of Router A is received at Router C, defalult with next hop address of outgoing interface of router A.
  after configuring next hop self command on router B to C, on Router C then show next hop add outgoing interface of router B. k no prob.
  but same subnet isn't received on router D because of ibgp split horizon rule; used route-reflector client on router C. then router D received subnet of Router A; but shows next hop address outgoing interface of router B. even though i used next hop self on router C towards D.; router D didn't show next hop add of router C. Why ??
  Its ok i used IGP i.e. EIGRP in between router B, C & D. it works.
  => why next hop self doesn't work in this scenario ?? & is it the reaseon we need to use IGP into IBGP AS ??
  --Sandy.

  Hi,
  I agree with Milan, you can use a route-map applied in the outbound direction to rewrite the next-hop.
  Another option is to use the "next-hop-self all" (note the keyword all), that will update the next hop of both iBGP and eBGP learned prefixes:
  http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/command/irg-cr-book/bgp-m1.html#wp4972925610
  The use case for this (next-hop-self all) is I see is in a DMVPN Network, but not for an ISP - MPLS/VPN Provider.
  Regarding BGP and the need of IGP, think that different protocols have different purposes. The IGP, specially used in large-scale deployments, is used to build the topology and provide reachability to internal prefixes. The IGPs used in large-scale designs, IS-IS/OSPF, are good here because as they are link-state protocols and have a complete view of the network and will detect fast a change and run SPF for a new topology if needed. Furthermore, they have extensions to use MPLS/Traffic Engineering.
  Once the topology is build and the routers have reachability to internal prefixes, then you can run iBGP (typically between loopbacks) to provide reachability to external prefixes. BGP is very good to transport a good amount of prefixes, as it is based in TCP. If the IGPs could handle the amount of prefixes can handle BGP, then you would not need iBGP, you would redistribute (which is another option) them to the IGP and we will only have external BGP. However, in order to provide reachability and build and scalable network, you need BGP plus an IGP.
  The reason of having the need of an iBGP full mesh is to prevent black-holes in the network. Think that routers A-B-C, A is running iBGP with C, which are edge routers receiving prefixes from other ASN´s. As B is not running BGP, when it receives a packet destined to an external network it will drop that packet as it has no information in the RIB.
  There was also an old rule called synchronization that prevented the problem of advertising a black hole to another AS. The rule was that if the prefix is not in the IGP, BGP will not advertise that prefix. So, redistribution solved in the old days the problem of black holes and the rule of sync the problem of advertising them to other ASNs. As the networks got bigger and bigger, there was no point to redistribute the external prefixes to the IGP, so iBGP full-mesh/RRs were deployed and the sync rule disabled.
  Hope this helps,
  Jose.

• Route Reflectors Design issue

  Hi,
  I am having this design issue with route reflectors and could use some help.
  I have 18 routers fully meshed in an MP-iBGP session and i am going to introduce route reflectors into the network to minimize the total number of TCP sessions
  My problem is that some of these routers have outboud policies with one another. for example i have a route map on router 1 affecting only router 2 and would like to keep it this way
  is there any way to do that through route reflectors ?
  Thank you
  Hadi

  Hi Riccardo,
  I have 18 routers in a full MP-iBGP mesh topology. Some pairs of these routers have the following policy :
  I have a route-map matching on Route Targets and i am setting the next hop to be different from the rest of the RT for that site.
  This way, the prefixes originating from site A for example will reach site B with different next hops depending on how i set it in my route-map.
  These policies are only between pairs of routers i.e. router#1 needs only to affect router#2
  How can i achieve this using RRs
  Thank you
  Hadi

• BGP Next-hop Change

  Hi All,
  I want to discuss a problem that I am facing in the BGP scenario.
  The problem is that I have 2 ISP connections from a service provider which is terminating on 6509 VSS and our companies 2 routers and ASA is also connected to 6509 VSS.
  R5 is creating a eBGP peering with R3 (Primary ISP) and R4 (Secondary ISP) and in same way R6 is having eBGP peering with R3 and R4.
  I am using 2 default routes 1st with default AD towards R3 (Pri ISP) and 2nd with a higher AD value towards R4 (Sec ISP).
  After this I had changed Next-hop with the help of route-map.So, that the traffic will hit on ASAs interface from WAN side.
  The route-map for R3 is having a set IP next-hop of ASAs IP address x.x.x.10 and the route-map for R4 is having a set IP next-hop of ASAs 2nd interface IP address y.y.y.10 
  So, now problem is when I use command on R5 to see which next-hop I am sending to customer(#sh ip bgp nei x.x.x.3 advertised-routes) than for R3 network it shows me the exact next-hop which I want of x.x.x.10 ASAs interfaces but when I use same command to check for R4 than the output is also same i.e. it is having the next-hop of ASAs IP x.x.x.10 even in my route-map I am having a entry to set next-hop for R4 is ASAs interface IP y.y.y.10
  After this I used wireshark to capture packet and I also used debug but the output shows that next-hop is set for R4 is y.y.y.10
  So, this is the problem i.e. in show output command it is showing wrong next-hop but in capturing it is acknowledging that it is using the next-hop mentioned in route-map.
  This is my configuration on R5 and same is on R6 just IPs are like y.y.y.6
  R5#
  interface GigabitEthernet0/0
   description TO Primary ISP
   ip address x.x.x.5 255.255.255.248
   duplex auto
   speed auto
   no shut
  interface GigabitEthernet0/1
   description To Secondary ISP
   ip address y.y.y.5 255.255.255.248
   duplex auto
   speed auto
   no shut
  ip access-list standard BLOCK
   deny any
  route-map as_prepend_secondary permit 10
   set ip next-hop y.y.y.10
  route-map as_prepend_primary permit 10
    set ip next-hop x.x.x.10
  router bgp AAAAA
   no synchronization
   bgp log-neighbor-changes
   network z.z.z.z mask 255.255.255.248
   timers bgp 10 30
   neighbor y.y.y.4 remote-as BBBBB
   neighbor y.y.y.4 route-map as_prepend_secondary out
   neighbor x.x.x.3 remote-as BBBBB
   neighbor x.x.x.3 route-map as_prepend_primary out
   distribute-list BLOCK in
   no auto-summary
  ip route x.x.x.0 255.255.255.0 x.x.x.3
  ip route y.y.y.0 255.255.255.0 y.y.y.3 2
  This is the output of Debug on R6
  BGP: TX IPv4 Unicast Wkr global 7 Cur Processing.
  BGP: TX IPv4 Unicast Wkr global 7 Cur Attr change from 0x0 to 0x68F081C8.
  *Sep 15 13:16:15.056: BGP(0): y.y.y.4 NEXT_HOP is set to y.y.y.10 by policy for net y.y.y.128,
  Thanks & Regards,
  Rahul Chhabra

  Topology Diagram

• IP Route - Exit interface vs Next Hop

  Hi guys,
  I'm sure this has been asked before :) But are there any known issues when using an exit interface in a route statement as opposed to a next hop address?
  I have had an issue this morning after a router change whereby some hosts were able to access a web server and some were unable to. My route statement to the web server was pointing to an exit interface and when this was changed to next hop, all users were able to access it. It is very puzzling!
  The router is an ASR1001, running 15.4.
  Thanks.

  I am sure that you added the information hoping that it would help us to understand your situation. But I am still not clear whether you are talking about doing something like
  ip route x.x.x.x y.y.y.y Eth0/0
  or
  ip route x.x.x.x y.y.y.y Tun1 (and if it is Tun1 is this a point to point tunnel or a multipoint tunnel?)
  As has been mentioned there are (multiple) issues with a static route which specifies only an exit interface if the interface is multipoint like Ethernet.
  HTH
  Rick

• Why BGP aggregate-address shows next hop itself?

  Hello,
  I have treble with bgp aggregate-address x.x.x.x y.y.y.y summary-only command, whenever i put that command on my bgp it start showing its next hop as itself, i am running ios 15.2(4)M1 attached is my topology, and below is config of "Sugerbush"
       Network          Next Hop            Metric LocPrf Weight Path
   s>  192.168.192.0    192.168.1.254       409600             0 100 ?
   * i 192.168.192.0/21 192.168.1.237            0    100      0 i
   *>                   0.0.0.0                            32768 i                                           <-------WHY?
   *                    192.168.1.254            0             0 100 ?
   s>  192.168.193.0    192.168.1.254       409600             0 100 ?
   s>  192.168.194.0    192.168.1.254       409600             0 100 ?
  Sugarbush#
  Sugarbush#sh ip bgp 192.168.192.0/21
  BGP routing table entry for 192.168.192.0/21, version 9
  Paths: (3 available, best #2, table default)
    Advertised to update-groups:
       37         38
    Refresh Epoch 1
    Local, (aggregated by 200 192.168.1.246)
      192.168.1.237 from 192.168.1.237 (192.168.1.246)
        Origin IGP, metric 0, localpref 100, valid, internal, atomic-aggregate
    Refresh Epoch 1
    Local, (aggregated by 200 192.168.1.253)
      0.0.0.0 from 0.0.0.0 (192.168.1.253)
        Origin IGP, localpref 100, weight 32768, valid, aggregated, local, atomic-aggregate, best
    Refresh Epoch 1
    100, (aggregated by 100 192.168.199.2)
      192.168.1.254 from 192.168.1.254 (192.168.199.2)
        Origin incomplete, metric 0, localpref 100, valid, external, atomic-aggregate
  Sugarbush#
  Sugarbush#sh run | s bgp
  router bgp 200
   bgp log-neighbor-changes
   bgp aggregate-timer 0
   aggregate-address 192.168.192.0 255.255.248.0 summary-only
   neighbor 192.168.1.237 remote-as 200
   neighbor 192.168.1.237 next-hop-self
   neighbor 192.168.1.250 remote-as 300
   neighbor 192.168.1.254 remote-as 100
  Sugarbush#
  Regards,
  gargolek,

  Hello,
  I have treble with bgp aggregate-address x.x.x.x y.y.y.y summary-only command, whenever i put that command on my bgp it start showing its next hop as itself, i am running ios 15.2(4)M1 attached is my topology, and below is config of "Sugerbush"
       Network          Next Hop            Metric LocPrf Weight Path
   s>  192.168.192.0    192.168.1.254       409600             0 100 ?
   * i 192.168.192.0/21 192.168.1.237            0    100      0 i
   *>                   0.0.0.0                            32768 i                                           <-------WHY?
   *                    192.168.1.254            0             0 100 ?
   s>  192.168.193.0    192.168.1.254       409600             0 100 ?
   s>  192.168.194.0    192.168.1.254       409600             0 100 ?
  Sugarbush#
  Sugarbush#sh ip bgp 192.168.192.0/21
  BGP routing table entry for 192.168.192.0/21, version 9
  Paths: (3 available, best #2, table default)
    Advertised to update-groups:
       37         38
    Refresh Epoch 1
    Local, (aggregated by 200 192.168.1.246)
      192.168.1.237 from 192.168.1.237 (192.168.1.246)
        Origin IGP, metric 0, localpref 100, valid, internal, atomic-aggregate
    Refresh Epoch 1
    Local, (aggregated by 200 192.168.1.253)
      0.0.0.0 from 0.0.0.0 (192.168.1.253)
        Origin IGP, localpref 100, weight 32768, valid, aggregated, local, atomic-aggregate, best
    Refresh Epoch 1
    100, (aggregated by 100 192.168.199.2)
      192.168.1.254 from 192.168.1.254 (192.168.199.2)
        Origin incomplete, metric 0, localpref 100, valid, external, atomic-aggregate
  Sugarbush#
  Sugarbush#sh run | s bgp
  router bgp 200
   bgp log-neighbor-changes
   bgp aggregate-timer 0
   aggregate-address 192.168.192.0 255.255.248.0 summary-only
   neighbor 192.168.1.237 remote-as 200
   neighbor 192.168.1.237 next-hop-self
   neighbor 192.168.1.250 remote-as 300
   neighbor 192.168.1.254 remote-as 100
  Sugarbush#
  Regards,
  gargolek,

• Routing failed to locate next hop for ICMP from outside:10.60.30.111/1 to inside:10.89.30.41/0

  ASA 5505 Split tunneling stopped working when upgraded from 8.3(1) to 8.4(3).
  When a user was connecting to the old 8.3(1) appliance they could access all of our subnets: 10.60.0.0/16, 10.89.0.0/16, 10.33.0.0/16, 10.1.0.0/16
  but now they cannot and in the logs I can just see
  6          Oct 31 2012          08:17:59          110003          10.60.30.111          1          10.89.30.41          0          Routing failed to locate next hop for ICMP from outside:10.60.30.111/1 to inside:10.89.30.41/0
  any hints? i have tried almost everything. the running configuration is:
  : Saved
  ASA Version 8.4(3)
  hostname asa
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.60.70.1 255.255.0.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 80.90.98.217 255.255.255.248
  ftp mode passive
  clock timezone GMT 0
  dns domain-lookup inside
  dns domain-lookup outside
  same-security-traffic permit intra-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network NETWORK_OBJ_10.33.0.0_16
  subnet 10.33.0.0 255.255.0.0
  object network NETWORK_OBJ_10.60.0.0_16
  subnet 10.60.0.0 255.255.0.0
  object network NETWORK_OBJ_10.89.0.0_16
  subnet 10.89.0.0 255.255.0.0
  object network NETWORK_OBJ_10.1.0.0_16
  subnet 10.1.0.0 255.255.0.0
  object network tetPC
  host 10.60.10.1
  description test        
  object network NETWORK_OBJ_10.60.30.0_24
  subnet 10.60.30.0 255.255.255.0
  object network NETWORK_OBJ_10.60.30.64_26
  subnet 10.60.30.64 255.255.255.192
  object network SSH-server
  host 10.60.20.6
  object network SSH_public
  object network ftp_public
  host 80.90.98.218
  object network rdp
  host 10.60.10.4
  object network ftp_server
  host 10.60.20.2
  object network ssh_public
  host 80.90.98.218
  object service FTP
  service tcp destination eq 12
  object network NETWORK_OBJ_10.60.20.3
  host 10.60.20.3
  object network NETWORK_OBJ_10.60.40.192_26
  subnet 10.60.40.192 255.255.255.192
  object network NETWORK_OBJ_10.60.10.10
  host 10.60.10.10
  object network NETWORK_OBJ_10.60.20.2
  host 10.60.20.2
  object network NETWORK_OBJ_10.60.20.21
  host 10.60.20.21
  object network NETWORK_OBJ_10.60.20.4
  host 10.60.20.4
  object network NETWORK_OBJ_10.60.20.5
  host 10.60.20.5
  object network NETWORK_OBJ_10.60.20.6
  host 10.60.20.6
  object network NETWORK_OBJ_10.60.20.7
  host 10.60.20.7
  object network NETWORK_OBJ_10.60.20.29
  host 10.60.20.29
  object service port_tomcat
  service tcp source range 8080 8082
  object network TBSF
  subnet 172.16.252.0 255.255.255.0
  object network MailServer
  host 10.33.10.2
  description Mail Server
  object service HTTPS
  service tcp source eq https
  object network test
  object network access_web_mail
  host 10.60.50.251
  object network downtown_Interface_host
  host 10.60.50.1
  description downtown Interface Host
  object service Oracle_port
  service tcp source eq sqlnet
  object network NETWORK_OBJ_10.60.50.248_29
  subnet 10.60.50.248 255.255.255.248
  object network NETWORK_OBJ_10.60.50.1
  host 10.60.50.1
  object network NETWORK_OBJ_10.60.50.0_28
  subnet 10.60.50.0 255.255.255.240
  object network brisel
  subnet 10.191.191.0 255.255.255.0
  object network NETWORK_OBJ_10.191.191.0_24
  subnet 10.191.191.0 255.255.255.0
  object network NETWORK_OBJ_10.60.60.0_24
  subnet 10.60.60.0 255.255.255.0
  object-group service TCS_Service_Group
  description This Group of available Services is for TCS Clients
  service-object object port_tomcat
  object-group service HTTPS_ACCESS tcp
  port-object eq https
  object-group network DM_INLINE_NETWORK_1
  network-object 10.1.0.0 255.255.0.0
  network-object 10.33.0.0 255.255.0.0
  network-object 10.60.0.0 255.255.0.0
  network-object 10.89.0.0 255.255.0.0
  access-list outside_1_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.33.0.0 255.255.0.0
  access-list outside_2_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.89.0.0 255.255.0.0
  access-list outside_3_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.1.0.0 255.255.0.0
  access-list OUTSIDE_IN extended permit icmp any any time-exceeded
  access-list OUTSIDE_IN extended permit icmp any any unreachable
  access-list OUTSIDE_IN extended permit icmp any any echo-reply
  access-list OUTSIDE_IN extended permit icmp any any source-quench
  access-list OUTSIDE_IN extended permit tcp 194.2.20.0 255.255.255.0 host 80.90.98.220 eq smtp
  access-list OUTSIDE_IN extended permit tcp host 194.25.12.0 host 80.90.98.220 eq smtp
  access-list OUTSIDE_IN extended permit icmp host 80.90.98.222 host 80.90.98.217
  access-list OUTSIDE_IN extended permit tcp host 162.162.4.1 host 80.90.98.220 eq smtp
  access-list OUTSIDE_IN extended permit tcp host 98.85.125.2 host 80.90.98.221 eq ssh
  access-list OAKDCAcl standard permit 10.60.0.0 255.255.0.0
  access-list OAKDCAcl standard permit 10.33.0.0 255.255.0.0
  access-list OAKDCAcl remark backoffice
  access-list OAKDCAcl standard permit 10.89.0.0 255.255.0.0
  access-list OAKDCAcl remark maint
  access-list OAKDCAcl standard permit 10.1.0.0 255.255.0.0
  access-list osgd standard permit host 10.60.20.4
  access-list osgd standard permit host 10.60.20.5
  access-list osgd standard permit host 10.60.20.7
  access-list testOAK_splitTunnelAcl standard permit 10.60.0.0 255.255.0.0
  access-list snmp extended permit udp any eq snmptrap any
  access-list snmp extended permit udp any any eq snmp
  access-list downtown_splitTunnelAcl standard permit host 10.60.20.29
  access-list webMailACL standard permit host 10.33.10.2
  access-list HBSC standard permit host 10.60.30.107
  access-list HBSC standard deny 10.33.0.0 255.255.0.0
  access-list HBSC standard deny 10.89.0.0 255.255.0.0
  access-list outside_4_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.191.191.0 255.255.255.0
  access-list OAK-remote_splitTunnelAcl standard permit 10.1.0.0 255.255.0.0
  access-list OAK-remote_splitTunnelAcl standard permit 10.33.0.0 255.255.0.0
  access-list OAK-remote_splitTunnelAcl standard permit 10.60.0.0 255.255.0.0
  access-list OAK-remote_splitTunnelAcl standard permit 10.89.0.0 255.255.0.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool OAKPRD_pool 10.60.30.110-10.60.30.150 mask 255.255.0.0
  ip local pool mail_sddress_pool 10.60.50.251-10.60.50.255 mask 255.255.0.0
  ip local pool test 10.60.50.1 mask 255.255.255.255
  ip local pool ipad 10.60.30.90-10.60.30.99 mask 255.255.0.0
  ip local pool TCS_pool 10.60.40.200-10.60.40.250 mask 255.255.255.0
  ip local pool OSGD_POOL 10.60.50.2-10.60.50.10 mask 255.255.0.0
  ip local pool OAK_pool 10.60.60.0-10.60.60.255 mask 255.255.0.0
  ip verify reverse-path interface inside
  ip verify reverse-path interface outside
  ip audit name ThreatDetection attack action alarm
  ip audit interface inside ThreatDetection
  ip audit interface outside ThreatDetection
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  icmp permit any echo inside
  icmp permit any echo outside
  asdm history enable
  arp timeout 14400
  nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.33.0.0_16 NETWORK_OBJ_10.33.0.0_16
  nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.89.0.0_16 NETWORK_OBJ_10.89.0.0_16
  nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.1.0.0_16 NETWORK_OBJ_10.1.0.0_16
  nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.30.0_24 NETWORK_OBJ_10.60.30.0_24
  nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.30.64_26 NETWORK_OBJ_10.60.30.64_26
  nat (inside,outside) source static NETWORK_OBJ_10.60.20.29 NETWORK_OBJ_10.60.20.29 destination static NETWORK_OBJ_10.60.40.192_26 NETWORK_OBJ_10.60.40.192_26 service any port_tomcat
  nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.50.1 NETWORK_OBJ_10.60.50.1
  nat (inside,outside) source static MailServer MailServer destination static NETWORK_OBJ_10.60.50.248_29 NETWORK_OBJ_10.60.50.248_29
  nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.50.0_28 NETWORK_OBJ_10.60.50.0_28
  nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.191.191.0_24 NETWORK_OBJ_10.191.191.0_24
  nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.60.60.0_24 NETWORK_OBJ_10.60.60.0_24 no-proxy-arp route-lookup
  object network obj_any
  nat (inside,outside) dynamic interface
  route outside 0.0.0.0 0.0.0.0 80.90.98.222 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 10.60.10.10 255.255.255.255 inside
  http 10.33.30.33 255.255.255.255 inside
  http 10.60.30.33 255.255.255.255 inside
  snmp-server host inside 10.33.30.108 community ***** version 2c
  snmp-server host inside 10.89.70.30 community *****
  no snmp-server location
  no snmp-server contact
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set lux_trans_set esp-aes esp-sha-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer 84.51.31.173
  crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
  crypto map outside_map 2 match address outside_2_cryptomap
  crypto map outside_map 2 set peer 98.85.125.2
  crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA
  crypto map outside_map 3 match address outside_3_cryptomap
  crypto map outside_map 3 set peer 220.79.236.146
  crypto map outside_map 3 set ikev1 transform-set ESP-3DES-SHA
  crypto map outside_map 4 match address outside_4_cryptomap
  crypto map outside_map 4 set pfs
  crypto map outside_map 4 set peer 159.146.232.122
  crypto map outside_map 4 set ikev1 transform-set lux_trans_set
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ikev1 enable outside
  crypto ikev1 policy 5
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 28800
  crypto ikev1 policy 50
  authentication pre-share
  encryption aes
  hash sha
  group 1
  lifetime 86400
  crypto ikev1 policy 70
  authentication pre-share
  encryption aes
  hash sha
  group 5
  lifetime 86400
  telnet 10.60.10.10 255.255.255.255 inside
  telnet 10.60.10.1 255.255.255.255 inside
  telnet 10.60.10.5 255.255.255.255 inside
  telnet 10.60.30.33 255.255.255.255 inside
  telnet 10.33.30.33 255.255.255.255 inside
  telnet timeout 30
  ssh 10.60.10.5 255.255.255.255 inside
  ssh 10.60.10.10 255.255.255.255 inside
  ssh 10.60.10.3 255.255.255.255 inside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  dhcpd dns 155.2.10.20 155.2.10.50 interface inside
  dhcpd auto_config outside interface inside
  threat-detection basic-threat
  threat-detection scanning-threat shun duration 3600
  threat-detection statistics
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  tftp-server inside 10.60.10.10 configs/config1
  webvpn
  group-policy testTG internal
  group-policy testTG attributes
  dns-server value 155.2.10.20 155.2.10.50
  vpn-tunnel-protocol ikev1
  group-policy DefaultRAGroup_1 internal
  group-policy DefaultRAGroup_1 attributes
  dns-server value 155.2.10.20 155.2.10.50
  vpn-tunnel-protocol l2tp-ipsec
  group-policy TcsTG internal
  group-policy TcsTG attributes
  vpn-idle-timeout 20
  vpn-session-timeout 120
  vpn-tunnel-protocol ikev1
  ipsec-udp disable
  ipsec-udp-port 10000
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value testOAK_splitTunnelAcl
  address-pools value TCS_pool
  group-policy downtown_interfaceTG internal
  group-policy downtown_interfaceTG attributes
  dns-server value 155.2.10.20 155.2.10.50
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value downtown_splitTunnelAcl
  group-policy HBSCTG internal
  group-policy HBSCTG attributes
  dns-server value 155.2.10.20 155.2.10.50
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value HBSC
  group-policy OSGD internal
  group-policy OSGD attributes
  dns-server value 155.2.10.20 155.2.10.50
  vpn-session-timeout none
  vpn-tunnel-protocol ikev1
  group-lock value OSGD
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value testOAK_splitTunnelAcl
  group-policy OAKDC internal
  group-policy OAKDC attributes
  vpn-tunnel-protocol ikev1
  group-lock value OAKDC
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value OAKDCAcl
  intercept-dhcp 255.255.0.0 disable
  address-pools value OAKPRD_pool
  group-policy mailTG internal
  group-policy mailTG attributes
  dns-server value 155.2.10.20 155.2.10.50
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value webMailACL
  group-policy OAK-remote internal
  group-policy OAK-remote attributes
  dns-server value 155.2.10.20 155.2.10.50
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value OAK-remote_splitTunnelAcl
  vpn-group-policy OAKDC
  service-type nas-prompt
  tunnel-group DefaultRAGroup general-attributes
  address-pool OAKPRD_pool
  address-pool ipad
  default-group-policy DefaultRAGroup_1
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group 84.51.31.173 type ipsec-l2l
  tunnel-group 84.51.31.173 ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group 98.85.125.2 type ipsec-l2l
  tunnel-group 98.85.125.2 ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group 220.79.236.146 type ipsec-l2l
  tunnel-group 220.79.236.146 ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group OAKDC type remote-access
  tunnel-group OAKDC general-attributes
  address-pool OAKPRD_pool
  default-group-policy OAKDC
  tunnel-group OAKDC ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group TcsTG type remote-access
  tunnel-group TcsTG general-attributes
  address-pool TCS_pool
  default-group-policy TcsTG
  tunnel-group TcsTG ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group downtown_interfaceTG type remote-access
  tunnel-group downtown_interfaceTG general-attributes
  address-pool test
  default-group-policy downtown_interfaceTG
  tunnel-group downtown_interfaceTG ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group TunnelGroup1 type remote-access
  tunnel-group mailTG type remote-access
  tunnel-group mailTG general-attributes
  address-pool mail_sddress_pool
  default-group-policy mailTG
  tunnel-group mailTG ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group testTG type remote-access
  tunnel-group testTG general-attributes
  address-pool mail_sddress_pool
  default-group-policy testTG
  tunnel-group testTG ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group OSGD type remote-access
  tunnel-group OSGD general-attributes
  address-pool OSGD_POOL
  default-group-policy OSGD
  tunnel-group OSGD ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group HBSCTG type remote-access
  tunnel-group HBSCTG general-attributes
  address-pool OSGD_POOL
  default-group-policy HBSCTG
  tunnel-group HBSCTG ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group 159.146.232.122 type ipsec-l2l
  tunnel-group 159.146.232.122 ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group OAK-remote type remote-access
  tunnel-group OAK-remote general-attributes
  address-pool OAK_pool
  default-group-policy OAK-remote
  tunnel-group OAK-remote ipsec-attributes
  ikev1 pre-shared-key *****
  policy-map global_policy
  prompt hostname context
  no call-home reporting anonymous
  hpm topN enable
  : end
  asdm history enable

  Dear Darko,
  The problem here is the overlapp issue with the Internal network.
  Since the VPN pool is:
  ip local pool OAKPRD_pool 10.60.30.110-10.60.30.150 mask 255.255.0.0
  And the local network is:
  interface Vlan1
       nameif inside
       security-level 100
       ip address 10.60.70.1 255.255.0.0
  So since you have some NAT rules telling the FW that 10.60.0.0/16 is connected to the inside, we need to change that and force it to know that 10.60.30.0/24 is actually reachable to the outside.
  On the other hand, yes you could point to outside interface, but is not a good practice.
  Thanks.
  Portu.
  In case you do not have any further questions, please mark this post as answered.

• Policy Based Routing - set ip next-hop

  All,
  I am trying to change the next hop for selective traffic to route via a WAN optimiser rather than follow the default route. I am trying to achieve this on a 4506 with IOS 12.2(20)EW.
  I have configured an ACL intended to capture traffic from my desired subnet, to my desired subnet:
  ip access-list extended INTER-STOR permit ip 192.168.XX.0 0.0.0.128 192.168.YY.0 0.0.0.128 log
  I have then created the route map:
  route-map WAN-OPT permit 10 match ip address INTER-STOR set interface Vlan1 set ip next-hop 192.168.XX.50
  I have tested both with and without setting the interface. Neither make any difference.
  I am then applying the route map policy to the vlan in which the traffic I wish to re-route is originating.
  ip policy route-map WAN-OPT
  I am finding however that this configuration doesn't work.
  I have reviewed a number of documents and can not find any limitations based on the version of IOS I am using or my configuration.
  This switch performs the routing for this environment, however there are no interfaces assigned to this vlan for anything other than testing on this switch. They are assigned on a stack on 3750's running as a VTP client. Again - testing from a port in the relevant vlan on this switch doing the routing (4500) does not change the results. The traffic continues to be routed the via the default route.
  I'm not so sure that it is even the route map that has the problem as if I look at the access lists I can not see any hits being registered. I'm not sure whether this is a red-herring or not as I can't see what is wrong with the ACL or anything to suggest this ACL would not be supported.
  If anybody can offer any guidance or suggestions it would be very much appreciated.
  Thanks,

  Below is the "offical" explanation, I have bolded and underlined ESTENTIAL information:-
  set ip next-hop
  •Specifies the next hop for which to route the packet (the next hop must be adjacent). This behavior is identical to a next hop specified in the normal routing table.
  set interface
  •Sets output interface for the packet. This action specifies that the packet is forwarded out of the local interface. The interface must be a Layer 3 interface (no switchports), and the destination address in the packet must lie within the IP network assigned to that interface. If the destination address for the packet does not lie within that network, the packet is dropped.
  set ip default next-hop
  •Sets next hop to which to route the packet if there is no explicit route for this destination. Before forwarding the packet to the next hop, the switch looks up the packet's destination address in the unicast routing table. If a match is found, the packet is forwarded by way of the routing table. If no match is found, the packet is forwarded to the specified next hop.
  set default interface
  •Sets output interface for the packet if there is no explicit route for this destination. Before forwarding the packet to the next hop, the switch looks up the packet's destination address in the unicast routing table. If a match is found, the packet is forwarded via the routing table. If no match is found, the packet is forwarded to the specified output interface. If the destination address for the packet does not lie within that network, the packet is dropped.
  HTH>

• What is the second, third, etc. next-hop address in the route-map set command for?

  What is the second, third, etc. next-hop address in the route-map set command for?
  route-map TEST_PBR permit 10 match
  match ip address 101
  router(config-route-map)#set ip next-hop 1.1.1.1 ?
  A.B.C.D IP address of next hop

  Hi,
  You may get your answer in below link
  http://www.groupstudy.com/archives/ccielab/200812/msg00999.html
  First next-hop will be used unless until that is not unreachable. If first is unreachable, then next one will be used. Since these next-hops are directly connected, router can easily come to know whether they are active or not. In case you want to set some loopback ip as next-hop then you need to use keyword recursive "set ip next-hop recursive"
  --Pls dont forget to rate helpful posts--
  Regards,
  Akash

• (PBR) set next-hop to the same router?

  Hi
  I need to send some traffic to an external L2 device, and then get it back, to the same router.
  I planned to use PRB, to set the outgoing interface, and the next-hop as the IP address of the incoming interface, from the same router.
  Is that possible?
  Can I set as the next-hop an IP address from the same router, forcing the traffic to go out, by specifying the outgoing interface too?
  Thanks in advance
  JM

  JM,
  Good catch, I did try the command on a router today, and it did show up in the running config. Its indeed a warning message, but I m not sure whether the router will route packet to itself..if I get some time today i will test it out.
  Sankar.

• Next hop router

  what is next hop router? "The router which will be one router hop closer to the destination, is next-hop router" please explain this

  Just an addition to what Alain and Chandu already stated:
  Remember that a basic operation of routers when forwarding packets on multiaccess-interfaces is the layer-2 encapsulation for the associated layer-2 segment next in the path. So a router has to know the next-hop in order to resolve its layer-2 address, which then will be used as the destination address for the layer-2 frames send to the next-hop. When the next-hop router receives the frame, the layer-2 header will be removed and the encapsulation process starts again for the next segment in the path.
  HTH
  Rolf

• MP-BGP and Route-Reflector

  Hi All...
  I have this topology:
  CE2-->PE1-->P--->PE2-->CE2
  .............\-->PE3-->CE2
  In router "P" I want to configure MP-BGP, but I have many doubts with configurations this router. I need to do route-reflector too.
  Anybody can help me?
  CLRGomes

  Thanks, look my configuration:
  Router P
  router bgp 65500
  no synchronization
  no bgp default route-target filter
  bgp log-neighbor-changes
  neighbor MPLS peer-group
  neighbor MPLS remote-as 65500
  neighbor MPLS ebgp-multihop 255
  neighbor MPLS update-source Loopback0
  neighbor MPLS route-reflector-client
  neighbor MPLS allowas-in
  neighbor MPLS soft-reconfiguration inbound
  neighbor 10.10.10.2 peer-group MPLS
  neighbor 10.10.10.3 peer-group MPLS
  neighbor 10.10.10.4 peer-group MPLS
  no auto-summary
  address-family vpnv4
  neighbor MPLS route-reflector-client
  neighbor MPLS send-community both
  neighbor 10.10.10.2 activate
  neighbor 10.10.10.3 activate
  neighbor 10.10.10.4 activate
  exit-address-family
  ok...working perfect, I did MP-BGP between PE routers and I configured RDs differents too...
  Later I did between PE->CE with OSPF and working too, loadshare working.
  Thanks a lot
  CLRGomes
  CCIE R&S