Does a route-policy override BGP split-horizon rule in IOS-XR?
If I receive a default route from a non-client, can I turn around and send it to another non client if I have the following applied to the non-client?
prefix-set send-default
0.0.0.0/0
end-set
route-policy DEFAULT-POLICY
if destination in send-default then
pass
else
drop
endif
end-policy
neighbor-group BLAH
remote-as XXXXX
password encrypted XXXXXXX
description iBGP to Decryptors
update-source Loopback0
address-family ipv4 unicast
route-policy DEFAULT-POLICY out
soft-reconfiguration inbound always
neighbor X.X.X.X
use neighbor-group BLAH
end
Hi Carlopez,
For BGP to inject a default route you need the "default-information originate" command, unfortunately, you can't redistribute or regenerate a route via the RPL method you described.
regards
xander
Similar Messages
-
Does a Router support 2 BGP As in one router
Does a Router support 2 BGP As in one router. I have gone through the below Cisco page, however my router is not allowing to enter the second AS in the router, it is giving the error as usual " BGP is already running; AS is XX" .
http://www.cisco.com/c/en/us/td/docs/ios/12_2s/feature/guide/fsbgpdas.html#wp1056689
My Router :- Cisco 3845
IOS Version :- c3845-advipservicesk9-mz.124-24.T8.bin
Hi,
You can not run multiple BGP processes on a single router with each of them being in a separate AS. What you can do, and the link in your post explains that, is that towards a particular eBGP neighbor, you can use the neighbor local-as command to appear to be in a different AS than the one you really are in. So you do not start two BGP processes, you just make your single BGP process to appear to use a different ASN on a particular eBGP peering.
Best regards,
Peter -
BGP allowas-in and split horizon problem.
Hi,
I need some help. I can't understand why R2 advertises the same networks back to the neighbor from which it received them.
My topology is:
R1 is in AS1, R2 is in AS2 and R3 is in AS3, I've eBGP R1-R2, and eBGP R2-R3.
R1 and R3 have allowas-in configured to permit routes with their own AS.
The problem is with eBGP updates. Router R1 advertises 1.1.1.1/32 to R2, and R2 sends the same route 1.1.1.1/32 back to R1.
I think that should not happen according to the BGP split horizon rules. R2 should not advertise the networks that it learned from R1, unless R2 has a route with a better metric.
The same behavior happens between R2 and R3.
Thanks in advance.
All the routers had the same IOS: c7200-is-mz.123-14.T1.bin
R1 Configuration
R1#sh run | sec router
router bgp 1
no synchronization
bgp log-neighbor-changes
network 1.1.1.1 mask 255.255.255.255
neighbor 172.28.1.1 remote-as 2
neighbor 172.28.1.1 allowas-in 10
neighbor 172.28.1.1 soft-reconfiguration inbound
no auto-summary
R1#
R2 Configuration
router bgp 2
no synchronization
bgp log-neighbor-changes
neighbor 172.28.1.2 remote-as 1
neighbor 172.28.1.2 soft-reconfiguration inbound
neighbor 172.28.2.2 remote-as 3
neighbor 172.28.2.2 soft-reconfiguration inbound
no auto-summary
R2#
R3 Configuration
router eigrp 200
redistribute connected
redistribute bgp 3 metric 100000 10 255 100 1500
network 192.168.3.0 0.0.0.3
no auto-summary
router bgp 3
no synchronization
bgp log-neighbor-changes
redistribute connected
redistribute eigrp 200
neighbor 172.28.2.1 remote-as 2
neighbor 172.28.2.1 allowas-in 10
neighbor 172.28.2.1 soft-reconfiguration inbound
no auto-summary
R3#
R1 BGP Table, Advertised Route, Received Routes
R1#sh ip bgp
BGP table version is 6, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 1.1.1.1/32 172.28.1.1 0 2 1 i
*> 0.0.0.0 0 32768 i
*> 3.3.3.3/32 172.28.1.1 0 2 3 ?
*> 4.4.4.4/32 172.28.1.1 0 2 3 ?
*> 172.28.2.0/30 172.28.1.1 0 2 3 ?
*> 192.168.3.0/30 172.28.1.1 0 2 3 ?
R1#
R1#sh ip bgp neighbors 172.28.1.1 advertised-routes
BGP table version is 6, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 0.0.0.0 0 32768 i
Total number of prefixes 1
R1#
R1#sh ip bgp neighbors 172.28.1.1 received-routes
BGP table version is 6, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 1.1.1.1/32 172.28.1.1 0 2 1 i
*> 3.3.3.3/32 172.28.1.1 0 2 3 ?
*> 4.4.4.4/32 172.28.1.1 0 2 3 ?
*> 172.28.2.0/30 172.28.1.1 0 2 3 ?
*> 192.168.3.0/30 172.28.1.1 0 2 3 ?
Total number of prefixes 5
R1#
R2 BGP Table, Advertised Route, Received Routes
R2#sh ip bgp
BGP table version is 7, local router ID is 172.28.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 172.28.1.2 0 0 1 i
*> 3.3.3.3/32 172.28.2.2 0 0 3 ?
*> 4.4.4.4/32 172.28.2.2 156160 0 3 ?
r> 172.28.2.0/30 172.28.2.2 0 0 3 ?
*> 192.168.3.0/30 172.28.2.2 0 0 3 ?
R2#
R2#
R2 Received routes from R1
R2#sh ip bgp neighbors 172.28.1.2 received-routes
BGP table version is 7, local router ID is 172.28.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 172.28.1.2 0 0 1 i
Total number of prefixes 1
R2#
R2 Advertised routes to R1
R2#sh ip bgp neighbors 172.28.1.2 advertised-routes
BGP table version is 7, local router ID is 172.28.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 172.28.1.2 0 0 1 i
*> 3.3.3.3/32 172.28.2.2 0 0 3 ?
*> 4.4.4.4/32 172.28.2.2 156160 0 3 ?
r> 172.28.2.0/30 172.28.2.2 0 0 3 ?
*> 192.168.3.0/30 172.28.2.2 0 0 3 ?
Total number of prefixes 5
R2#
R2 Received routes from R3
R2#sh ip bgp neighbors 172.28.2.2 received-routes
BGP table version is 7, local router ID is 172.28.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 3.3.3.3/32 172.28.2.2 0 0 3 ?
*> 4.4.4.4/32 172.28.2.2 156160 0 3 ?
r> 172.28.2.0/30 172.28.2.2 0 0 3 ?
*> 192.168.3.0/30 172.28.2.2 0 0 3 ?
Total number of prefixes 4
R2#
R2 Advertised routes to R3
R2#sh ip bgp neighbors 172.28.2.2 advertised-routes
BGP table version is 7, local router ID is 172.28.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 172.28.1.2 0 0 1 i
*> 3.3.3.3/32 172.28.2.2 0 0 3 ?
*> 4.4.4.4/32 172.28.2.2 156160 0 3 ?
r> 172.28.2.0/30 172.28.2.2 0 0 3 ?
*> 192.168.3.0/30 172.28.2.2 0 0 3 ?
Total number of prefixes 5
R2#
R3 BGP Table, Advertised Route, Received Routes
R3#sh ip bg
BGP table version is 7, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 172.28.2.1 0 2 1 i
* 3.3.3.3/32 172.28.2.1 0 2 3 ?
*> 0.0.0.0 0 32768 ?
* 4.4.4.4/32 172.28.2.1 0 2 3 ?
*> 192.168.3.2 156160 32768 ?
* 172.28.2.0/30 172.28.2.1 0 2 3 ?
*> 0.0.0.0 0 32768 ?
* 192.168.3.0/30 172.28.2.1 0 2 3 ?
*> 0.0.0.0 0 32768 ?
R3#
R3#sh ip bgp neighbors 172.28.2.1 advertised-routes
BGP table version is 7, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 3.3.3.3/32 0.0.0.0 0 32768 ?
*> 4.4.4.4/32 192.168.3.2 156160 32768 ?
*> 172.28.2.0/30 0.0.0.0 0 32768 ?
*> 192.168.3.0/30 0.0.0.0 0 32768 ?
Total number of prefixes 4
R3#
R3#sh ip bgp neighbors 172.28.2.1 received-routes
BGP table version is 7, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 172.28.2.1 0 2 1 i
* 3.3.3.3/32 172.28.2.1 0 2 3 ?
* 4.4.4.4/32 172.28.2.1 0 2 3 ?
* 172.28.2.0/30 172.28.2.1 0 2 3 ?
* 192.168.3.0/30 172.28.2.1 0 2 3 ?
Total number of prefixes 5
R3#
I agree with the previous posters. What you could do is look at show bgp ipv4 unicast 1.1.1.1 on R2. You will find that the prefix is associated with an update group. An update group is an optimisation within the router BGP process to reduce the processing overhead for generating updates to peers. If two peers have exactly the same outbound routing policy they would be in the same update group. If you looked at the update group show bgp ipv4 unicast update-group <number> you would probably find that it would contain the peers 172.28.1.2 and 172.28.2.2.
This would mean that the 1.1.1.1 would be replicated to R1 and R3. Without remoteas-in configured R1 would reject the prefix due to the AS path containing AS1 - you can see this if you look at the output from show bgp ipv4 unicast neighbor 172.28.1.1, towards the bottom you will see the quantity of prefixes that have been rejected and why - use debug ip bgp updates if you want to see this in real time.
When remoteas-in is configured the prefix from R2 is accepted into the BGP table - however this is irrelevant as it will never become the best-path due to the weight 32768 for the local origination. If R1 peered with R4 via eBGP for example only this best path would be advertised and hence nothing is broken.
HTH -
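The receive-side behaviour discussed in this thread, as an added example that is not part of the original posts: a small Python model of the eBGP AS_PATH loop check with and without allowas-in, using the thread's AS numbers and 1.1.1.1/32. The function names and the two-step best-path comparison (weight, then AS_PATH length) are simplifications assumed for the illustration.

```python
from dataclasses import dataclass

LOCAL_WEIGHT = 32768  # weight shown for the locally originated route in R1's table


@dataclass(frozen=True)
class Path:
    prefix: str
    as_path: tuple  # leftmost AS first; () for a locally originated route
    weight: int = 0


def passes_loop_check(local_as, as_path, allowas_in=0):
    """Receive-side eBGP loop check: reject the update when the local AS
    appears in AS_PATH more often than allowas-in permits (0 when unset)."""
    return as_path.count(local_as) <= allowas_in


def export_to_ebgp_peer(local_as, path):
    """Sender side: prepend the sender's AS. As R2's advertised-routes output
    in the thread shows, the route also goes back towards the AS it came from;
    the loop is caught by the receiver, not the sender."""
    return Path(path.prefix, (local_as,) + path.as_path, 0)


def best_path(paths):
    """Simplified best-path selection: highest weight, then shortest AS_PATH."""
    return max(paths, key=lambda p: (p.weight, -len(p.as_path)))


def r1_table(allowas_in):
    """Return (BGP table, best path) for 1.1.1.1/32 as seen on R1 (AS 1)."""
    local = Path("1.1.1.1/32", (), LOCAL_WEIGHT)
    at_r2 = export_to_ebgp_peer(1, local)    # R1 -> R2, AS_PATH "1"
    echoed = export_to_ebgp_peer(2, at_r2)   # R2 -> R1, AS_PATH "2 1"
    table = [local]
    if passes_loop_check(1, echoed.as_path, allowas_in):
        table.append(echoed)
    return table, best_path(table)


if __name__ == "__main__":
    for n in (0, 10):
        table, best = r1_table(n)
        print(f"allowas-in {n}: {len(table)} path(s), best AS_PATH={best.as_path}")
```

With allowas-in unset the echoed path is rejected on receipt; with allowas-in 10 it is stored, but the locally originated path still wins on weight.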
BGP Route Policy for transit AS
Hello,
Can anyone tell me what a route policy (RPL) should look like - some best practice?
Simple situation. I have two ISPs, one client (I am the transit AS for the client).
ISP1 AS 100 ------
---------- MY AS 300 ( I am BGP transit for client) ------------ My BGP CLIENT AS 400
ISP2 AS 200 ------
What I have configured already are 4 route-policies (two for the ISPs in/out and two for the client in/out)
route-policy client-in
route-policy client-out
route-policy isp-in
route-policy isp-out
as-path-set aspath_Other
ios-regex '.*'
end-set
as-path-set aspath_Local_plus_Client
ios-regex '^$',
ios-regex '^400'
end-set
as-path-set aspath_Client
ios-regex '^400'
end-set
route-policy isp-in
pass
end-policy
route-policy isp-out
if (as-path in aspath_Local_plus_Client) then
pass
elseif (as-path in aspath_Other) then
drop
endif
end-policy
route-policy client-out
pass
end-policy
route-policy client-in
if (as-path in aspath_Client) then
pass
elseif (as-path in aspath_Other) then
drop
endif
end-policy
I am not sure about route-policy client-in (should I use an as-path like above or e.g. a prefix-list ...)?
regards,
Hi,
you may find this reference useful that talks about inline vs named lists when it comes to RPL.
named lists are easier to edit and preferred when the lists are long, but inline sets are faster to process.
When stating faster, you should think in usec improvements.
One improvement I see is that you can change this:
route-policy client-in
if (as-path in aspath_Client) then
pass
elseif (as-path in aspath_Other) then
drop
endif
end-policy
to this:
route-policy client-in
if (as-path in aspath_Client) then
pass
else
drop
endif
end-policy
Considering the aspath other is a catch all it is a waste of cycles to invoke regex to make sure that it matches any.
On the topic of using prefix sets vs AS paths there are probably different opinions about it.
If your client originates prefixes that are not theirs your policy still accepts them and will result in rogue routing and hijacking of prefixes.
So with that I would recommend using a prefix set to accept prefixes from my client, just to make sure that we accept legitimate prefixes. You don't want to be the guy that sourced rogue prefixes because of a client misconfiguration.
regards
xander -
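The difference between the two client-in approaches discussed in this thread, as an added example that is not part of the original posts: a Python model that evaluates an as-path-only policy and a prefix-set-plus-as-path policy over the same routes. AS 400 is the client AS from the thread; the prefixes, the second AS numbers and the function names are constructed for the illustration, and Python's re module stands in for ios-regex.

```python
import ipaddress
import re

# Constructed prefix set for the client: (network, longest prefix length accepted).
# Documentation ranges stand in for the client's real address space.
CLIENT_PREFIX_SET = [
    (ipaddress.ip_network("192.0.2.0/24"), 24),
    (ipaddress.ip_network("198.51.100.0/24"), 25),
]

# Constructed updates received on the client session: (prefix, AS_PATH).
ROUTES = [
    ("192.0.2.0/24", "400"),             # client's own prefix
    ("198.51.100.128/25", "400 65010"),  # downstream of the client, inside the set
    ("203.0.113.0/24", "400"),           # not the client's space (misorigination)
    ("192.0.2.0/25", "400"),             # more specific than the set allows
    ("192.0.2.0/24", "4001 65020"),      # different AS that merely starts with "400"
]


def in_prefix_set(prefix, prefix_set):
    """True when prefix falls inside an entry and is not longer than its limit."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(base) and net.prefixlen <= max_len
               for base, max_len in prefix_set)


def client_in_aspath_only(prefix, as_path):
    """The thread's policy: pass anything whose AS_PATH matches '^400'."""
    return "pass" if re.search(r"^400", as_path) else "drop"


def client_in_prefix_and_aspath(prefix, as_path):
    """Prefix set plus an anchored AS match (the equivalent of ios-regex '^400_')."""
    ok = (in_prefix_set(prefix, CLIENT_PREFIX_SET)
          and re.search(r"^400( |$)", as_path) is not None)
    return "pass" if ok else "drop"


def compare(routes=ROUTES):
    """Return (prefix, as_path, as-path-only verdict, prefix-set verdict) per route."""
    return [(p, a, client_in_aspath_only(p, a), client_in_prefix_and_aspath(p, a))
            for p, a in routes]


if __name__ == "__main__":
    for prefix, as_path, loose, strict in compare():
        print(f"{prefix:<20} {as_path:<12} as-path only: {loose:<5} prefix-set: {strict}")
```

The as-path-only policy passes all five routes; the prefix-set policy passes only the first two, dropping the misoriginated prefix, the over-specific announcement and the path that only shares a leading "400".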
Setting advertisement / split horizon direction in EIGRP routing
Hello all,
I am trying to work out if I am being a bit rubbish or if split horizon is my new worst enemy.
Below is a diagram of my (simplified) problem scenario using EIGRP.
The solution I am looking for is that Router R3 learns of the 10.0.0.0/8 network from both R1 and R2, then does not advertise it to either. Simple with split horizon enabled.
But when either R1 or R2 are rebooted, a decision somehow takes place, and may well determine that R3 should advertise 10/8 to the new (rebooted) neighbour, at which point split horizon prevents it from being advertised back again. This means the topology table on R3 doesn't contain this route for this neighbour and is slow to converge if the other neighbour is lost.
Is there a way to control in which direction routes are advertised first on a neighbour link? and then I can let split horizon do its thing
Or is there something I am not thinking of...
many thanks,
Paul
This is what i think would work.
Two assumptions i'm making -
1) R1 and R2 have full routes in terms of the remote branch subnets which from what we have talked about seems to be the case.
2) R1 will advertise the specific subnets it is primary for (see below) to R3 which then advertises them to R2 and R2 will do the same for its primary subnets.
R1 is primary for 32 - 63 summary address 192.168.32.0 255.255.224.0
R2 is primary for 64 - 95 summary address 192.168.64.0 255.255.224.0
Each router is secondary for the other router's primary subnets.
on R1 configure a summary address for R2's subnets on the interface connecting to R3 -
ip summary-address eigrp <AS no> 192.168.64.0 255.255.224.0
on R2 do the same for R1's subnets -
ip summary-address eigrp <AS no> 192.168.32.0 255.255.224.0
So now -
R1 points to R3 and R3 points to R2 for 192.168.32.0/19
R2 points to R3 and R3 points to R1 for 192.168.64.0/19
Because you have used a summary address this suppresses the advertisement of the more specific routes within that summary range.
R1 will therefore advertise its specific subnets for which it is primary to R3 and a summary address only for R2's subnets.
And R2 does the same ie. it advertises its specific subnets and a summary for R1's.
R3 then obviously passes these summaries via EIGRP to R1 and R2.
R3's routing table will have specific branch routes pointing to the respective
primary router but only a summary route for the same subnets pointing to the secondary router.
Because a router will always pick the longest match it will use the more specific subnets unless there isn't a matching route.
Which means no need to use metrics to load balance traffic.
In addition the summary route is already in the routing table so no need for either R1 or R2 to send a query to R3 if one of their branch links fail.
I may well have overlooked something so let me know whether you think this will work for you or not.
Jon -
Disabling split horizon for H-VPLS on 7609
Hi,
We installed a new 7609 in our lab for doing H-VPLS interop. The sw Version is IOS (tm) s72033_rp Software (s72033_rp-PSV-M), Version 12.2(18)SXD7.
I do not see the "no-split-horizon" option when trying to configure the remote spoke PE.
l2 vfi PE3-VPLS-A manual
vpn id 200
neighbor 20.0.0.1 encapsulation mpls <no-split-horizon>
Is there a version problem or some config issue ?
Thanks
AT
The hw info is as follows :-
Mod Ports Card Type Model Serial No.
1 2 2+4 port GE-WAN OSM-2+4GE-WAN+ JAB0847061N
5 2 Supervisor Engine 720 (Active) WS-SUP720-BASE SAL0919113H
Mod Sub-Module Model Serial Hw Status
5 Policy Feature Card 3 WS-F6K-PFC3BXL SAL09253GNF 1.6 Ok
5 MSFC3 Daughterboard WS-SUP720 SAL09190TCD 2.5 Ok -
Setting Up DNS - Making Sure I'm Not Running Split Horizon
Hello everyone - I'm wanting to make sure I am running my DNS correctly and that it isn't split horizon.
I purchased a domain name (johnsonsfromtyler.com). I have public "@" and "mail" A host names pointing to my public IP address, have a MX for johnsonsfromtyler.com pointing to mail.johnsonsfromtyler.com, and have a reverse lookup setup all via public DNS.
On my SLS running the private DNS I have the primary zone name set as johnsonsfromtyler.com. For the nameserver I have the zone johnsonsfromtyler.com. pointing to server.johnsonsfromtyler.com which has a static IP of 10.0.1.10. I also have a mail exchanger hostname of mail.johnsonsfromtyler.com with a priority of 10. I also have an alias for mail.johnsonsfromtyler.com pointed to server.johnsonsfromtyler.com. I also have forwarder IP addresses pointing to the OpenDNS servers.
I have my router setup to use the private DNS server located at 10.0.1.10 and the search domain as johnsonsfromtyler.com. server.johnsonsfromtyler.com is running DNS and all other server services.
So am I running DNS correctly and is this setup a split horizon setup? Also, do I need to have forwarder IP addresses pointing to external DNS servers?
As Mr Hoffman writes if you "reuse" a public IP domain name in an internal private IP only LAN DNS you are using a "split horizon" DNS (where did that "designation" come from?).
To reach public IP servers using the same domain name from your LAN using only the internal DNS, you need to put also the public IP servers in your internal DNS with their public IPs. The reverse zone for any "remote" public IPs that Server Admin creates should be removed to let the DNS responsible for that zone answer those lookups - probably not too important for most configurations though.
BIND views can be used to give answers to lookups depending on where (what IP) the query comes from. The same DNS could be setup with different views where public and private IPs are in separate views so that private name -> IP lookups only gets answered when the query comes from the private IP LAN. If you can have a different response (IP) for the same name -> IP lookup? - probably(?) - if the private IP view is listed before the public one in the DNS config.
And I think a DNS is always caching lookups (?) not depending on if forwarders is used or not. Forwarders can speed up lookups but can also make trouble if they stop working/starting refusing answering recursive lookup queries. Without forwarders the DNS has to go "the long way" via root DNS servers (you should update /var/named/named.ca regularly especially if not using forwarders). -
Does Huawei router NE40 support Class-Based QoS?
As I know Class-based QoS defines traffic classifiers based on certain rules and associates traffic classifiers with certain traffic behaviors, forming certain traffic policies. After
these policies are applied to interfaces, class-based traffic policing, traffic shaping, congestion management, and precedence re-marking are implemented.
Does Huawei router NE40 support Class-Based QoS?
The NE80E/40E supports DiffServ and provides standard forwarding services such as EF and AF for users by using the following traffic management measures:
1 Traffic classification
2 Traffic policing
3 Traffic shaping
4 Congestion avoidance
QoS of the NE80E/40E supports traffic policy with the above measures and mapping between the QoS fields in the IP header and the MPLS header.
And more information about router NE40, please visit:
http://www.huanetwork.com/huawei-router-ne40e-series-price_c89 -
Trouble with advertise a route BGP from VRF on Cisco IOS 7600
Hi
the diagram specifies the actual operating network
we try to advertise the network 172.16.161.6 to Nortel devices and Cisco devices on cisco AS 2005 and 64912, if we look at the routing table on the cisco 7600 the network 172.16.161.6 is known
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/28 ms
cisco 7600#trace
cisco 7600#traceroute vrf data 172.16.161.6
Type escape sequence to abort.
Tracing the route to 172.16.161.6
1 189.1.11.5 [MPLS: Labels 581/730 Exp 0] 24 msec 24 msec 24 msec
2 172.16.12.73 [MPLS: Label 730 Exp 0] 36 msec 28 msec 36 msec
3 172.16.12.74 20 msec 20 msec 24 msec
4 172.16.14.10 64 msec 20 msec 20 msec
5 172.16.19.9 20 msec 24 msec 20 msec
6 172.16.161.6 24 msec 20 msec 24 msec
PE_CAR_1#ping vrf data 172.16.161.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.161.6, timeout is 2 seconds:
but the Nortel devices on AS 64912 don't know the network 172.16.161.6 in their routing tables
the difference on the cisco 7600 that knows both AS 64912 and 2005 is this one:
configuration on Cisco Router 7600
router bgp 2006
bgp router-id 172.16.110.97
bgp log-neighbor-changes
bgp graceful-restart restart-time 120
bgp graceful-restart stalepath-time 360
bgp graceful-restart
neighbor 172.16.10.41 remote-as 64912
neighbor 172.16.10.41 description PP-A6
neighbor 172.16.11.233 remote-as 64912
neighbor 172.16.11.233 description PP-2TE2
neighbor 172.16.12.73 remote-as 2005
neighbor 172.16.12.73 description PE_MEX_1
neighbor 172.16.12.73 fall-over bfd
neighbor 172.16.13.9 remote-as 2005
neighbor 172.16.13.9 description PE_MEX_3
neighbor 172.16.13.9 fall-over bfd
neighbor 172.16.13.77 remote-as 2005
neighbor 172.16.14.6 remote-as 64512
neighbor 172.16.14.10 remote-as 64512
neighbor 172.16.16.26 remote-as 64982
neighbor 172.16.16.26 description INTERNET-2
neighbor 172.16.16.30 remote-as 64982
neighbor 172.16.16.30 description INTERNET-1
address-family ipv4
neighbor 172.16.10.41 activate (connection to Nortel Devices)
neighbor 172.16.10.41 route-map AS-PATH-MAN in
neighbor 172.16.10.41 route-map REDES-WAN->MAN out
neighbor 172.16.11.233 activate (connection to Nortel Devices)
neighbor 172.16.11.233 route-map AS-PATH-MAN in
neighbor 172.16.11.233 route-map REDES-WAN->MAN out
neighbor 172.16.12.73 activate
neighbor 172.16.12.73 route-map REDES-WAN-PE_MEX_1 in
neighbor 172.16.12.73 route-map DEFAULT-ROUTE out
neighbor 172.16.13.9 activate (connection to Cisco 7600 Devices)
neighbor 172.16.13.9 route-map REDES-WAN-PE_MEX_3 in
neighbor 172.16.13.9 route-map DEFAULT-ROUTE out
neighbor 172.16.13.77 activate
neighbor 172.16.13.77 route-map DEFAULT-ROUTE out
neighbor 172.16.14.6 activate (connection to ASR 9000)
neighbor 172.16.14.6 route-map default out
neighbor 172.16.14.10 activate (connection to ASR 9000)
neighbor 172.16.14.10 route-map default out
the difference we see between the routes known to the Nortel devices and the Cisco devices is the following on the Cisco 7600
Cisco 7600#sho ip bgp 150.151.1.250
BGP routing table entry for 150.151.0.0/16, version 5612717
Paths: (2 available, best #1, table default)
Multipath: eBGP
Advertised to update-groups:
2 4
2005
172.16.13.9 from 172.16.13.9 (150.220.250.5)
Origin IGP, localpref 300, valid, external, best
Community: 100:22
Extended Community: RT:100:22
2005
172.16.12.73 from 172.16.12.73 (150.220.250.1)
Origin IGP, localpref 260, valid, external
Community: 100:22
Extended Community: RT:100:22
Cisco 7600#sho ip bgp 172.16.161.6
BGP routing table entry for 172.16.161.6/32, version 6133620
Paths: (2 available, best #2, table default)
Multipath: eBGP
Not advertised to any peer
64512 64513
172.16.14.6 from 172.16.14.6 (172.16.14.1)
Origin incomplete, localpref 100, valid, external, multipath
Extended Community: RT:64512:64513
64512 64513
172.16.14.10 from 172.16.14.10 (172.16.14.2)
Origin incomplete, localpref 100, valid, external, multipath, best
Extended Community: RT:64512:64513
NOT advertised to any peer
if we look on the ASR, in vrf GAT the network is advertised but in vrf CAMPUS it is not
RP/0/RSP0/CPU0:ED_MEX_1#sho bgp vrf CAMPUS 172.16.161.6
Mon May 20 12:58:03.516 UTC
BGP routing table entry for 172.16.161.6/32, Route Distinguisher: 64512:64513
Versions:
Process bRIB/RIB SendTblVer
Speaker 20 20
Local Label: 16004
Last Modified: May 17 17:24:29.877 for 2d19h
Paths: (1 available, best #1)
Not advertised to any peer
Path #1: Received by speaker 0
Not advertised to any peer
64513
172.16.19.5 from 172.16.19.5 (172.16.162.4)
Origin incomplete, metric 110, localpref 100, valid, external, best, group-best, import-candidate
Received Path ID 0, Local Path ID 1, version 20
Extended community: RT:64512:64513
but the vrf GAT:
RP/0/RSP0/CPU0:ED_MEX_1#sho bgp vrf GAT 172.16.161.6
Mon May 20 12:58:52.909 UTC
BGP routing table entry for 172.16.161.6/32, Route Distinguisher: 64512:2006
Versions:
Process bRIB/RIB SendTblVer
Speaker 30 30
Last Modified: May 17 17:24:29.877 for 2d19h
Paths: (1 available, best #1)
Advertised to CE peers (in unique update groups):
172.16.14.5
Path #1: Received by speaker 0
Advertised to CE peers (in unique update groups):
172.16.14.5
64513
172.16.19.5 from 172.16.19.5 (172.16.162.4)
Origin incomplete, metric 110, localpref 100, valid, external, best, group-best, import-candidate, imported
Received Path ID 0, Local Path ID 1, version 30
Extended community: RT:64512:64513
Any idea about this trouble? We try to advertise the extended community but nothing.
the configuration on the ASR is as follows:
router bgp 64512
bgp router-id 172.16.14.1
address-family ipv4 unicast
address-family vpnv4 unicast
vrf GAT
rd 64512:2006
address-family ipv4 unicast
redistribute connected
redistribute static
neighbor 172.16.14.5
remote-as 2006
address-family ipv4 unicast
send-community-ebgp
route-policy pass-all in
route-policy pass-all out
send-extended-community-ebgp
vrf CAMPUS
rd 64512:64513
address-family ipv4 unicast
redistribute connected
redistribute static
neighbor 172.16.19.5
remote-as 64513
address-family ipv4 unicast
route-policy pass-all in
route-policy pass-all out
we put send-extended-community-ebgp only on vrf GAT.
Best Regards
Hi Harold thanks for your comment
We followed your recommendation and put a route-map on the AS 64912 routes to identify the traffic IN on the interface. The final configuration on the cisco 7600 is:
router bgp 2006
bgp router-id 172.16.110.97
bgp log-neighbor-changes
bgp graceful-restart restart-time 120
bgp graceful-restart stalepath-time 360
bgp graceful-restart
neighbor 172.16.14.6 remote-as 64512
neighbor 172.16.14.6 description EDGE_MEX_1
neighbor 172.16.14.10 remote-as 64512
neighbor 172.16.14.10 description EDGE_MEX_2
address-family ipv4
no synchronization
neighbor 172.16.14.6 route-map REDES_CAMPUS in
neighbor 172.16.14.6 route-map default out
neighbor 172.16.14.10 activate
neighbor 172.16.14.10 route-map REDES_CAMPUS in
neighbor 172.16.14.10 route-map default out
neighbor 172.16.16.26 activate
with the following route maps:
ip extcommunity-list standard GAT permit rt 64512:64513
ip bgp-community new-format
ip community-list standard REDES-GAT permit 64512:2006
route-map REDES_CAMPUS permit 430
match extcommunity GAT
set local-preference 250
set community 64512:2006 additive
set extcommunity rt 64512:64513 additive
route-map REDES-WAN->MAN permit 1600
match community REDES-GAT
with this information the routes advertised to the neighbor include the loopback 172.16.161.6
GW_MEX_2#sho ip bgp neighbors 172.16.11.233 advertised-routes
BGP table version is 6160029, local router ID is 172.16.110.97
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.0.0.1/32 172.16.12.73 300 0 2005 ?
*> 1.0.0.2/32 172.16.12.73 300 0 2005 ?
Network Next Hop Metric LocPrf Weight Path
*> 172.16.140.72/32 172.16.13.9 300 0 2005 ?
*> 172.16.141.22/32 172.16.12.73 250 0 2005 ?
*> 172.16.141.61/32 172.16.12.73 250 0 2005 i
*> 172.16.141.71/32 172.16.12.73 250 0 2005 i
*> 172.16.142.0/27 172.16.13.9 300 0 2005 ?
*> 172.16.142.32/27 172.16.13.9 250 0 2005 ?
*> 172.16.144.0/27 172.16.13.9 300 0 2005 ?
*> 172.16.146.1/32 172.16.13.9 300 0 2005 65451 i
*> 172.16.150.0/27 172.16.12.73 250 0 2005 ?
*> 172.16.152.0/27 172.16.13.9 300 0 2005 ?
*> 172.16.152.32/28 172.16.13.9 300 0 2005 ?
*> 172.16.155.1/32 172.16.13.9 300 0 2005 ?
*> 172.16.161.1/32 172.16.14.6 0 250 0 64512 ?
*> 172.16.161.6/32 172.16.14.10 0 250 0 64512 ?
Thanks for your cooperation
Best Regards -
In which address-family should a routing policy be applied for MP-BGP?
Hi,
In the MP-BGP protocol, where do I apply a routing policy with as-path prepend so that the route will be secondary to the neighbor?
IGP OSPF and BGP over MPLS are running.
On which address-family neighbor should I apply it: is it VPNV4, IPV4 or IPV4 VRF?
If I want the 10.36.128.0/26 prefix to go to neighbor MPLS R2, what should I use, an access-list or a prefix list?
Please provide the reply with its config.
Topology like
regards,
Ajay
Hi Harlold,
Thanks for reply...
Please find the topology diagram
1. Yes ,both are MPLS Network.
2. L3VPN intraAS.
3.Mpls router 1 and 2 are PE to connect the SPs MPLS rtr.
4.My administration is upto Router R1.
5. Both MPLS routers R1 and R2 belong to another vendor which is giving us MPLS service, and they want us to advertise only the VRF MGMT subnets, with AS prepend.
So I want to know where the route-map should be applied: is it in address-family vpnv4 or ...?
router bgp 64513
synchronization disable
neighbor 10.49.5.230 remote-as 64513
neighbor 10.49.5.230 update-source loopback1
address-family vpnv4
neighbor 10.49.5.230 activate
neighbor 10.49.5.230 send-community both
neighbor 10.49.5.230 route-map ONM_TO_AIR
Route-map ONM_TO_AIR
match ip add prefix-list ONM_TO_AIR
set as-path prepend 64513 64513 64513 64513.
ip prefix-list ONM_TO_AIR permit 10.49.30.128/26
will it work?
or do I have to match extcommunity in the route-map, as it applies to the vpnv4 address-family?
Regards,
Ajay -
ASR 9000 route-policy on ipv4 and vpnv4 neighbors
Hi
To reduce configuration I would like to use the same route-policy for ipv4 and vpnv4 routes from the same neighbors on ASR 9000.
I know that a "pass all" route-policy will work just fine, also a route-policy like this works fine:
route-policy eBGP_NEIGHBORS
set local-preference 50
endif
end-policy
But why doesn't this route-policy work?
rd-set EXT_SERVICES_PRIMARY
1.1.1.1:*
end-set
rd-set EXT_SERVICES_SECUNDARY
2.2.2.2:*
end-set
route-policy eBGP_NEIGHBORS
if rd in EXT_SERVICES_PRIMARY then
set local-preference 120
elseif rd in EXT_SERVICES_SECUNDARY then
set local-preference 20
else
set local-preference 80
endif
end-policy
The effect of this is that vpnv4 routes look just fine but ipv4 routes are missing in the bgp table. I have tried all kinds of configs but it just will not work, what am I missing?
The idea of this route-policy is that routes advertised by rd 1.1.1.1 will act as primary and rd 2.2.2.2 as secondary.
1.1.1.1 and 2.2.2.2 are handling the same routes.
1.1.1.1 is located in one AS and 2.2.2.2 in another AS
my ASR that I am working on is in a third AS
And all other routes will have a default local-pref of 80
If you watch the if statement, you're challenging that if the RD is something, or else, else... but, maybe, it doesn't work if you don't have an RD.
Based on Mohit's answer I think that maybe, that's the reason.
route-policy eBGP_NEIGHBORS
if rd in EXT_SERVICES_PRIMARY then
set local-preference 120
elseif rd in EXT_SERVICES_SECUNDARY then
set local-preference 20
else <<< So if not "EXT_SERVICES_PRIMARY" and not "EXT_SERVICES_SECUNDARY", but stills in "if rd.."
set local-preference 80
endif
Mohit's:
route-policy eBGP_NEIGHBORS
if rd in EXT_SERVICES_PRIMARY then
set local-preference 120
elseif rd in EXT_SERVICES_SECUNDARY then
set local-preference 20
endif
set local-preference 80 >>>> Outside the if statement!
end-policy.
Let us know if Mohit's answer worked! Just to learn something new :) -
Rt-filter or route-policy in a route-reflector
Hi,
I want to implement a route reflector that I will use in two different networks with different VPNL3. So I do not want my route reflector to advertise the prefixes from one network to the other. I am using an ASR9000 with IOS XR 4.3.2 as route reflector.
I tried two different configurations in a testing environment and both work fine, one applying a route-policy filtering by RD, and another using RT-filter. But I do not know which is better to implement in production. I would appreciate it if somebody could help me decide which is best to implement in a production network, thinking of the resources of the network and of the IPv6 deployment (I could not configure RT Filter with address-family ipv6).
With route-policy
rd-set RD_XXX
65000:*
end-set
route-policy to_XXX
if rd in RD_XXX then
pass
else
drop
endif
end-policy
route-policy to_YYY
if rd in RD_XXX then
drop
else
pass
endif
end-policy
router bgp 65001
neighbor-group XXX
remote-as 65001
address-family vpnv4 unicast
route-reflector-client
route-policy to_XXX out
neighbor-group YYY
remote-as 650001
update-source Loopback0
address-family vpnv4 unicast
route-reflector-client
route-policy to_YYY out
With RT-Filter
router bgp 65001
address-family ipv4 rt-filter
neighbor-group XXX
address-family ipv4 rt-filter
route-reflector-client
soft-reconfiguration inbound always
neighbor-group YYY
address-family ipv4 rt-filter
route-reflector-client
soft-reconfiguration inbound always
Regards
Hi,
One benefit I see with rt-filter is that this feature provides considerable savings in CPU cycles and transient memory usage. Generally this will be beneficial when you have a large number of prefixes to be filtered, as you do not need to define a route-policy for all the prefixes, and it is also simple to configure (only one command).
Look at the Restrictions for BGP: RT Constrained Route Distribution in the document below:
http://www.cisco.com/en/US/docs/ios/ios_xe/iproute_bgp/configuration/guide/irg_rt_filter_xe.html
HTH
Regards,
Sandip -
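For the route-reflector question above, an added example (not code from the thread) that evaluates the posted RD-based out-policies and reports any route reflected into the wrong network. It goes slightly beyond the post by including a PE whose RD does not follow the 65000:* convention; the function names and all sample routes are constructed.

```python
# Added illustration: models the two RD-based outbound policies from the post.
# All routes below are constructed sample data, not taken from the thread.

RD_XXX = ["65000:*"]  # rd-set RD_XXX as posted

def rd_in_set(rd, rd_set):
    """True if rd matches an entry; '*' matches any value in that field."""
    admin, _, number = rd.rpartition(":")
    for entry in rd_set:
        e_admin, _, e_number = entry.rpartition(":")
        if e_admin in ("*", admin) and e_number in ("*", number):
            return True
    return False

def to_XXX(rd):
    """route-policy to_XXX: pass only RDs in RD_XXX."""
    return rd_in_set(rd, RD_XXX)

def to_YYY(rd):
    """route-policy to_YYY: drop RDs in RD_XXX, pass everything else."""
    return not rd_in_set(rd, RD_XXX)

OUT_POLICY = {"XXX": to_XXX, "YYY": to_YYY}

def audit(routes):
    """Return (leaks, blackholes) for (prefix, rd, origin_network) routes.

    leak: route reflected to the other network's clients.
    blackhole: route not reflected to its own network's clients.
    """
    leaks, blackholes = [], []
    for prefix, rd, origin in routes:
        for group, policy in OUT_POLICY.items():
            sent = policy(rd)
            if sent and group != origin:
                leaks.append((prefix, rd, origin, group))
            elif not sent and group == origin:
                blackholes.append((prefix, rd, origin, group))
    return leaks, blackholes

# Constructed VPNv4 routes: (prefix, RD, network the originating PE belongs to)
SAMPLE_ROUTES = [
    ("10.10.0.0/16", "65000:100", "XXX"),      # follows the 65000:* convention
    ("10.20.0.0/16", "65002:200", "YYY"),      # any RD outside 65000:*
    ("10.30.0.0/16", "192.0.2.1:300", "XXX"),  # XXX PE using an IP-format RD
]

if __name__ == "__main__":
    leaks, blackholes = audit(SAMPLE_ROUTES)
    print("leaks:", leaks)
    print("blackholes:", blackholes)
```

The third route shows the dependency the RD approach carries: separation holds only while every PE in network XXX allocates RDs inside the rd-set, because to_YYY passes anything it does not recognise.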
Does master recipe have function for splitting phase?
Do master recipes created with T-code C201 have a function for splitting an operation/phase? I can't find the splitting function in the master recipe.
If so, could anyone explain it to me?
thanks
kanapon
Dhaval Choksi,
I'm sorry if my question was not clear. The splitting that I meant is:
In routing, for example, the system assumes that only one person/machine will be working on a job at a time. If it takes one hour to make one, and the order is for 10, the system will schedule the job at that work center to take 10 hours. However, if in the operation in the routing you select "Required Splitting" and then put in "number of splits" as 2, the system will assume you are having two people/machines work on the job at the same time, hence it will only schedule the job to take 5 hours, not 10.
thanks -
Cisco WebEx Meetings Server-Internal IRP vs Split Horizon
Hi,
We are planning to install CWMS 1.1 but are not able to decide between the two topologies below:
a. Internal Internet Reverse Proxy with all virtual machines including IRP in the same internal network (i.e. no IRP in DMZ).
b. Split Horizon with IRP in the DMZ network.
I would prefer option a (all VMs in the internal network) as it needs fewer changes on the firewall (allow ports 80 & 443 from external to internal), but I am not sure how risky it is, as we will be allowing all external internet traffic directly to the internal IRP on ports 80 & 443. Will we be compromising on security if we go with this option?
Please suggest which option is recommended. I have gone through the pros & cons mentioned in the CWMS planning guide 1.1.
Thanks
KMS
Srdjan, KMS,
Apologies for jumping in, but I am also doing a 50 port installation. I am leaning towards the internal topology as well, as it appears to be less complex and best performing.
Srdjan,
+5 for the info. Can you please confirm if the below applies to 50 port systems as well? Do we need to have a minimum of two boxes to install split-horizon-topology?
"On another hand for that deployment you need 2 HW boxes."
I was under the impression we can patch the physical CWMS server onto a DMZ switch and do split-horizon-topology with only one hardware box. Can you please confirm if that's possible at all?
I tried to raise a request with PDI and was rejected, as PDI is not supporting this product at the moment.
I have the same queries; let me know and I can open a separate thread if you want.
1) How much of a security risk does doing Internal IRP involve?
2) Is there any additional Cisco device we can recommend to the customer to add an extra layer of security to the solution?
3) We have only one hardware box - what would be the best design in that scenario? (50 port installation)
Terry -
Problem with route-policy and tagging
Hey!
I'm trying to apply the following configuration but am receiving the following error:
!!% Policy [aggregate-routes] uses the 'tag' attribute. There is no 'tag' attribute at the bgp aggregation-dflt attach point.
route-policy aggregate-routes
set community test
set community test1
if tag eq 1000 then
set community (65000:1,65000:2,65000:3)
endif
end-policy
router static
address-family ipv4 unicast
10.1.1.0/24 Null0 tag 1000
router bgp 65000
address-family ipv4 unicast
aggregate-address 10.1.1.0/24 route-policy aggregate-routes
Hello.
Please find the set/match attributes per attach point in the following document: http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-2/routing/configuration/guide/b_routing_cg42asr9k/b_routing_cg42asr9k_chapter_0110.html#con_1240966
Match tag is not supported for the attach point.