Routing failed to locate next hop for ICMP from outside:10.60.30.111/1 to inside:10.89.30.41/0

Similar Messages

• How to contact the Dubai technical support for Iphone from outside dubai

  how to contact the Dubai technical support for Iphone from outside Dubai

  If you purcased your iPhone from one of the UAE cell carriers, you will need to find the support number for the carrier, Etisalat or DU, from which you purchased the iPhone. If you purchased your iPhone from the online Apple Store in the UAE, you can find their phone number here:
  http://support.apple.com/kb/HE57#U
  Regards.

• Choosing next hop for traffic specific

  Hello,
  I would like to know how I can use "set tag" in Route-map in order to lead traffic specific throug static route with "ip route". 
  I believe that I can do the following:
  access-list 101 permit ip 192.168.120.0 0.0.0.255 any    /* Filtering Lan Traffic Specific 1 */
  access-list 102 permit ip 192.168.180.0 0.0.0.255 any    /* Filtering Lan Traffic Specific 2  */
  route-map XXXX permit 10       /* Tag 20 is related to Lan traffic specific 1 */
   match ip address 101
   set tag 20
  route-map YYYY permit 20     /* Tag 30 is related to Lan traffic specific 2 */
   match ip address 102
   set tag 30
  interface GigabitEthernet0/1.20    /* Applying route-map to Lan subinterface */
   encapsulation dot1Q 20
   ip address 192.168.120.1 255.255.255.0
   ip policy route-map XXXX
  interface GigabitEthernet0/1.21    /* Applying route-map to Lan subinterface */
   encapsulation dot1Q 21
   ip address 192.168.180.1 255.255.255.0
   ip policy route-map YYYY
   ip route 172.18.70.0 255.255.255.0 11.0.15.1 tag 20    /* traffic specific 1 is transmit  to 172.18.0.70 through next hop 11.0.15.1 */
   ip route 172.18.70.0 255.255.255.0 11.0.15.5 tag 30    /* traffic specific 2 is transmit  to 172.18.0.70 through next hop 11.0.15.5 */
  Is this correct ?, or is there another way to approach this issue?
  Thanks for your answer in advance.

  Hello Cadet,
  Thanks for your feedback. Sorry, I was wrong. As you say, it looks correct. I did the mistake when I tested the ping from the Router-1 while the PRB applied to ingressing traffic and not to the generated traffic in the Router-1.
  I have been doing this work remotely, because the sites are far each other.
  Finally one person went to the remote site and verified, from de Lan1 and Lan2, that they was following the correct route.
  Also, I was not sure about this routes:
  ip route 11.0.12.0 255.255.255.252 GigabitEthernet0/0.80
  ip route 11.0.12.4 255.255.255.252 GigabitEthernet0/0.81
  ip route 192.168.120.0 255.255.255.0 GigabitEthernet0/1.20
  ip route 192.168.180.0 255.255.255.0 GigabitEthernet0/1.21
  Thanks for your advise.
  The "ip route" in the Router-2, I have corrected too.
  Thanks very much.
  Best regards,
  Sandro 

• IP Route - Exit interface vs Next Hop

  Hi guys,
  I'm sure this has been asked before :) But are there any known issues when using an exit interface in a route statement as opposed to a next hop address?
  I have had an issue this morning after a router change whereby some hosts were able to access a web server and some were unable to. My route statement to the web server was pointing to an exit interface and when this was changed to next hop, all users were able to access it. It is very puzzling!
  The router is an ASR1001, running 15.4.
  Thanks.

  I am sure that you added the information hoping that it would help us to understand your situation. But I am still not clear whether you are talking about doing something like
  ip route x.x.x.x y.y.y.y Eth0/0
  or
  ip route x.x.x.x y.y.y.y Tun1 (and if it is Tun1 is this a point to point tunnel or a multipoint tunnel?)
  As has been mentioned there are (multiple) issues with a static route which specifies only an exit interface if the interface is multipoint like Ethernet.
  HTH
  Rick

• Premiere Pro CC's sequence lost. Is there a way to "search" for it from outside the project?

  I seem to have lost a sequence created in Premiere Pro CC. I can't find it anywhere inside the Project bin.
  We have so many same-name, older projects (between Auto-Save, different drives and so on) that looking inside each of them would take forever.
  But we do know the name of the sequence. I am wondering  if there is a way to "search" for a sequence name from outside the project?
  Thanks

  there is a way to "search" for a sequence name outside of the project,
  but it would be a pointless waste of time.
  sequences are only saved within the project file itself!!
  We have so many same-name, older projects (between Auto-Save, different drives and so on) that looking inside each of them would take forever.
  better get at it then!
  hahahahahahahaha!!!

• ASA 5505 initial build - Failed to locate egress interface (Please help :-) )

  Hi, I have just purchased a ASA 5505 and have completed the initial setup via the wizard.  I am currently unable to access services on the outside of the ASA. 
  The error: 'Failed to locate egress interface for UDP from inside'....  appears when ever my DNS server attempts a lookup. 
  I have configured this several times from scratch using the wizard and I am unable to figure out the issue with the NAT / Routing config. 
  If I run the packet tracer I get the error: "(no-route) no route to host", however I do have a default route configured so I suspect it maybe my NAT configuration. 
  Overview, 192.168.10.0/24 inside the ASA, 192.168.1.0/24 outside the ASA, 192.168.1.1 is the gateway to the internet.  I ideally want the ASA to use PAT to mask the 192.168.10.0/24 network behind the ASAs 192.168.1.0/24 network address but still allow clients to gain internet access. 
  Full config follows, screen shots attached, any help would be very gratefully received. 
  Result of the command: "sh run"
  : Saved
  ASA Version 9.0(1)
  hostname firewall
  enable password (REMOVED) encrypted
  passwd (REMOVED) encrypted
  names
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.10.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 192.168.1.254 255.255.255.0
  interface Vlan5
   no nameif
   security-level 50
   ip address dhcp
  ftp mode passive
  object network obj_any
   subnet 0.0.0.0 0.0.0.0
  object network Server1
   host 192.168.10.10
  object network GoogleDNS1
   host 8.8.8.8
   description Google DNS Server
  object network GoogleDNS2
   host 8.8.4.4
   description Google DNS Server
  object network 192.168.10.x
   subnet 192.168.10.0 255.255.255.0
  object network InternetRouter
   host 192.168.1.1
  object-group network DM_INLINE_NETWORK_1
   network-object object GoogleDNS1
   network-object object GoogleDNS2
  object-group service DM_INLINE_TCP_1 tcp
   port-object eq www
   port-object eq https
  access-list inside_access_in remark External DNS Lookups
  access-list inside_access_in extended permit udp object Server1 object-group DM_INLINE_NETWORK_1 eq domain
  access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
  access-list inside_access_in extended deny ip any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source dynamic any interface
  object network obj_any
   nat (inside,outside) dynamic interface
  access-group inside_access_in in interface inside
  route outside 0.0.0.0 255.255.255.255 192.168.1.1 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.10.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec security-association pmtu-aging infinite
  crypto ca trustpool policy
  telnet timeout 5
  ssh timeout 5
  ssh version 2
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:(REMOVED)
  : end

  Just to want to be sure, can you post output from show int ip brie and show route? And try to remove your ACL for testing purpose or at least don't applied it anywhere yet. 
  Once done, try do another packet-tracer to 8.8.8.8 using icmp packet instead of UDP paste the whole the output here. Before doing this, add icmp any any outside command on the ASA.
  I know this should have anything to do with your issue, because if ACL is the issue then you will see output being denied by ACL on the packet tracer output. Let us know the results.

• What is the second, third, etc. next-hop address in the route-map set command for?

  What is the second, third, etc. next-hop address in the route-map set command for?
  route-map TEST_PBR permit 10 match
  match ip address 101
  router(config-route-map)#set ip next-hop 1.1.1.1 ?
  A.B.C.D IP address of next hop

  Hi,
  You may get your answer in below link
  http://www.groupstudy.com/archives/ccielab/200812/msg00999.html
  First next-hop will be used unless until that is not unreachable. If first is unreachable, then next one will be used. Since these next-hops are directly connected, router can easily come to know whether they are active or not. In case you want to set some loopback ip as next-hop then you need to use keyword recursive "set ip next-hop recursive"
  --Pls dont forget to rate helpful posts--
  Regards,
  Akash

• BGP route-reflector next-hop issue

  Hello,
  I have a small GNS3 lab that is working with one exception: I cannot ping loopback0 on RRc2 and RRc3 from RRc1.
  RRc1, RRc2 and RRc3 can all ping loopback0 on SmileyISP and RRc2 and RRc3 can ping each others loopback0
  interfaces.
  I am broken between the two route-reflectors: RRS1 and RRS2.
  Given these conditions:
  1) Do not configure any IGP.
  2) No static routes
  How do I get connectivity from RRc1's loopback0 interface to RRc2 loopback0 and RRc3 loopback0?
  I used a route-map to set the next hop, but I am obviously doing something wrong.
  I am providing relevant show command outputs, router configs, and the GNS3 topology.net config.
  You will have to change the image and working directories to match your computer.
  Not quite sure where I am going wrong.
  Any help would be greatly appreciated.
  Thanks.
  -- Mark
  RRc1#sh ip bgp
  BGP table version is 53, local router ID is 172.16.1.1
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                x best-external, a additional-path, c RIB-compressed,
  Origin codes: i - IGP, e - EGP, ? - incomplete
  RPKI validation codes: V valid, I invalid, N Not found
       Network          Next Hop            Metric LocPrf Weight Path
   *>i 1.1.1.0/24       10.1.25.5                0    100      0 100 i
   *>i 10.1.12.0/24     10.1.26.2                0    100      0 i
   *>i 10.1.13.0/24     10.1.12.1                0    100      0 i
   *>i 10.1.14.0/24     10.1.12.1                0    100      0 i
   *>i 10.1.15.0/24     10.1.12.1                0    100      0 i
   *>i 10.1.25.0/24     10.1.26.2                0    100      0 i
   * i 10.1.26.0/24     10.1.26.2                0    100      0 i
   *>                   0.0.0.0                  0         32768 i
   *>  172.16.1.0/24    0.0.0.0                  0         32768 i
   *>i 172.16.2.0/24    10.1.12.1                0    100      0 i
   *>i 172.16.3.0/24    10.1.12.1                0    100      0 i
  RRc1#
  RRc1#ping 172.16.2.1 so lo0
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
  Packet sent with a source address of 172.16.1.1
  Success rate is 0 percent (0/5)
  RRc1#
  RRc2#sh ip bgp
  BGP table version is 31, local router ID is 172.16.2.1
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                x best-external, a additional-path, c RIB-compressed,
  Origin codes: i - IGP, e - EGP, ? - incomplete
  RPKI validation codes: V valid, I invalid, N Not found
       Network          Next Hop            Metric LocPrf Weight Path
   *>i 1.1.1.0/24       10.1.15.5                0    100      0 100 i
   * i 10.1.12.0/24     10.1.12.2                0    100      0 i
   * i 10.1.13.0/24     10.1.13.1                0    100      0 i
   *>                   0.0.0.0                  0         32768 i
   *>i 10.1.14.0/24     10.1.13.1                0    100      0 i
   *>i 10.1.15.0/24     10.1.13.1                0    100      0 i
   * i 10.1.25.0/24     10.1.12.2                0    100      0 i
   * i 10.1.26.0/24     10.1.12.2                0    100      0 i
   * i 172.16.1.0/24    10.1.12.2                0    100      0 i
   *>  172.16.2.0/24    0.0.0.0                  0         32768 i
   *>i 172.16.3.0/24    10.1.14.4                0    100      0 i
  RRc2#
  SmileyISP#sh run
  Building configuration...
  Current configuration : 988 bytes
  version 15.2
  service timestamps debug datetime msec
  service timestamps log datetime msec
  hostname SmileyISP
  boot-start-marker
  boot-end-marker
  no aaa new-model
  ip cef
  no ipv6 cef
  multilink bundle-name authenticated
  interface Loopback0
   ip address 1.1.1.1 255.255.255.0
  interface FastEthernet0/0
   no ip address
   shutdown
   duplex half
  interface FastEthernet1/0
   ip address 10.1.15.5 255.255.255.0
   speed auto
   duplex auto
  interface FastEthernet1/1
   ip address 10.1.25.5 255.255.255.0
   speed auto
   duplex auto
  router bgp 100
   bgp log-neighbor-changes
   network 1.1.1.0 mask 255.255.255.0
   network 10.1.15.0 mask 255.255.255.0
   neighbor 10.1.15.1 remote-as 200
   neighbor 10.1.25.2 remote-as 200
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  control-plane
  line con 0
   logging synchronous
   transport preferred none
   stopbits 1
  line aux 0
   stopbits 1
  line vty 0 4
   login
  end
  RRS1#sh run
  Building configuration...
  Current configuration : 1594 bytes
  ! Last configuration change at 19:24:34 UTC Sat Feb 7 2015
  version 15.2
  service timestamps debug datetime msec
  service timestamps log datetime msec
  hostname RRS1
  boot-start-marker
  boot-end-marker
  no aaa new-model
  ip cef
  no ipv6 cef
  multilink bundle-name authenticated
  interface FastEthernet0/0
   no ip address
   shutdown
   duplex half
  interface FastEthernet1/0
   ip address 10.1.15.1 255.255.255.0
   speed auto
   duplex auto
  interface FastEthernet1/1
   ip address 10.1.12.1 255.255.255.0
   speed auto
   duplex auto
  interface FastEthernet2/0
   ip address 10.1.13.1 255.255.255.0
   speed auto
   duplex auto
  interface FastEthernet2/1
   ip address 10.1.14.1 255.255.255.0
   speed auto
   duplex auto
  router bgp 200
   bgp log-neighbor-changes
   network 10.1.13.0 mask 255.255.255.0
   network 10.1.14.0 mask 255.255.255.0
   network 10.1.15.0 mask 255.255.255.0
   neighbor RouteReflectors peer-group
   neighbor RouteReflectors remote-as 200
   neighbor RouteReflectors route-map NEXTHOP out
   neighbor RRClients peer-group
   neighbor RRClients remote-as 200
   neighbor RRClients route-reflector-client
   neighbor 10.1.12.2 peer-group RouteReflectors
   neighbor 10.1.13.3 peer-group RRClients
   neighbor 10.1.14.4 peer-group RRClients
   neighbor 10.1.15.5 remote-as 100
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  route-map NEXTHOP permit 10
   set ip next-hop peer-address
  control-plane
  line con 0
   logging synchronous
   transport preferred none
   stopbits 1
  line aux 0
   stopbits 1
  line vty 0 4
   login
  end
  RRS2#sh ru
  Building configuration...
  Current configuration : 1542 bytes
  ! Last configuration change at 19:42:06 UTC Sat Feb 7 2015
  version 15.2
  service timestamps debug datetime msec
  service timestamps log datetime msec
  hostname RRS2
  boot-start-marker
  boot-end-marker
  no aaa new-model
  ip cef
  no ipv6 cef
  multilink bundle-name authenticated
  interface FastEthernet0/0
   no ip address
   shutdown
   duplex half
  interface FastEthernet1/0
   ip address 10.1.12.2 255.255.255.0
   speed auto
   duplex auto
  interface FastEthernet1/1
   ip address 10.1.25.2 255.255.255.0
   speed auto
   duplex auto
  interface FastEthernet2/0
   ip address 10.1.26.2 255.255.255.0
   speed auto
   duplex auto
  interface FastEthernet2/1
   no ip address
   shutdown
   speed auto
   duplex auto
  router bgp 200
   bgp log-neighbor-changes
   network 10.1.12.0 mask 255.255.255.0
   network 10.1.25.0 mask 255.255.255.0
   network 10.1.26.0 mask 255.255.255.0
   neighbor RouteReflectors peer-group
   neighbor RouteReflectors remote-as 200
   neighbor RouteReflectors route-map NEXTHOP out
   neighbor RRClients peer-group
   neighbor RRClients remote-as 200
   neighbor RRClients route-reflector-client
   neighbor 10.1.12.1 peer-group RouteReflectors
   neighbor 10.1.25.5 remote-as 100
   neighbor 10.1.26.6 peer-group RRClients
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  route-map NEXTHOP permit 10
   set ip next-hop peer-address
  control-plane
  line con 0
   logging synchronous
   transport preferred none
   stopbits 1
  line aux 0
   stopbits 1
  line vty 0 4
   login
  end
  RRc1#sh run
  Building configuration...
  Current configuration : 1005 bytes
  ! Last configuration change at 18:43:57 UTC Sat Feb 7 2015
  version 15.2
  service timestamps debug datetime msec
  service timestamps log datetime msec
  hostname RRc1
  boot-start-marker
  boot-end-marker
  no aaa new-model
  ip cef
  no ipv6 cef
  multilink bundle-name authenticated
  interface Loopback0
   ip address 172.16.1.1 255.255.255.0
  interface FastEthernet0/0
   no ip address
   shutdown
   duplex half
  interface FastEthernet1/0
   ip address 10.1.26.6 255.255.255.0
   speed auto
   duplex auto
  interface FastEthernet1/1
   no ip address
   shutdown
   speed auto
   duplex auto
  router bgp 200
   bgp log-neighbor-changes
   network 10.1.26.0 mask 255.255.255.0
   network 172.16.1.0 mask 255.255.255.0
   neighbor 10.1.26.2 remote-as 200
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  control-plane
  line con 0
   logging synchronous
   transport preferred none
   stopbits 1
  line aux 0
   stopbits 1
  line vty 0 4
   login
  end
  RRc2#sh run
  Building configuration...
  Current configuration : 1005 bytes
  ! Last configuration change at 18:45:05 UTC Sat Feb 7 2015
  version 15.2
  service timestamps debug datetime msec
  service timestamps log datetime msec
  hostname RRc2
  boot-start-marker
  boot-end-marker
  no aaa new-model
  ip cef
  no ipv6 cef
  multilink bundle-name authenticated
  interface Loopback0
   ip address 172.16.2.1 255.255.255.0
  interface FastEthernet0/0
   no ip address
   shutdown
   duplex half
  interface FastEthernet1/0
   ip address 10.1.13.3 255.255.255.0
   speed auto
   duplex auto
  interface FastEthernet1/1
   no ip address
   shutdown
   speed auto
   duplex auto
  router bgp 200
   bgp log-neighbor-changes
   network 10.1.13.0 mask 255.255.255.0
   network 172.16.2.0 mask 255.255.255.0
   neighbor 10.1.13.1 remote-as 200
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  control-plane
  line con 0
   logging synchronous
   transport preferred none
   stopbits 1
  line aux 0
   stopbits 1
  line vty 0 4
   login
  end
  RRc3#wr term
  Building configuration...
  Current configuration : 1005 bytes
  ! Last configuration change at 18:31:12 UTC Sat Feb 7 2015
  version 15.2
  service timestamps debug datetime msec
  service timestamps log datetime msec
  hostname RRc3
  boot-start-marker
  boot-end-marker
  no aaa new-model
  ip cef
  no ipv6 cef
  multilink bundle-name authenticated
  interface Loopback0
   ip address 172.16.3.1 255.255.255.0
  interface FastEthernet0/0
   no ip address
   shutdown
   duplex half
  interface FastEthernet1/0
   ip address 10.1.14.4 255.255.255.0
   speed auto
   duplex auto
  interface FastEthernet1/1
   no ip address
   shutdown
   speed auto
   duplex auto
  router bgp 200
   bgp log-neighbor-changes
   network 10.1.14.0 mask 255.255.255.0
   network 172.16.3.0 mask 255.255.255.0
   neighbor 10.1.14.1 remote-as 200
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  control-plane
  line con 0
   logging synchronous
   transport preferred none
   stopbits 1
  line aux 0
   stopbits 1
  line vty 0 4
   login
  end
  autostart = False
  version = 0.8.6
  [127.0.0.1:7202]
      workingdir = C:\Users\Mark\AppData\Local\Temp
      udp = 10200
          image = C:\downloads\GNS3\c7200-adventerprisek9-mz.152-4.S5.image
          idlepc = 0x62f1e4ec
          ghostios = True
          console = 2005
          aux = 2100
          cnfg = configs\SmileyISP.cfg
          slot1 = PA-2FE-TX
          f1/0 = RRS1 f1/0
          f1/1 = RRS2 f1/1
          x = -24.0
          y = -259.0
          z = 1.0
          hx = -1.5
          hy = -24.0
          console = 2015
          aux = 2101
          cnfg = configs\RRc1.cfg
          slot1 = PA-2FE-TX
          f1/0 = RRS2 f2/0
          x = -292.0
          y = 200.0
          z = 1.0
          hx = -5.5
          hy = -25.0
  [127.0.0.1:7200]
      workingdir = C:\Users\Mark\AppData\Local\Temp
      udp = 10000
          image = C:\downloads\GNS3\c7200-adventerprisek9-mz.152-4.S5.image
          idlepc = 0x62f1e4ec
          ghostios = True
          console = 2012
          aux = 2102
          cnfg = configs\RRS1.cfg
          slot1 = PA-2FE-TX
          f1/0 = SmileyISP f1/0
          f1/1 = RRS2 f1/0
          slot2 = PA-2FE-TX
          f2/0 = RRc2 f1/0
          f2/1 = RRc3 f1/0
          x = 197.0
          y = 6.0
          z = 1.0
          hx = 42.5
          hy = -20.0
          console = 2013
          aux = 2103
          cnfg = configs\RRS2.cfg
          slot1 = PA-2FE-TX
          f1/0 = RRS1 f1/1
          f1/1 = SmileyISP f1/1
          slot2 = PA-2FE-TX
          f2/0 = RRc1 f1/0
          x = -239.0
          y = 9.0
          z = 1.0
          hx = 1.5
          hy = -24.0
  [127.0.0.1:7201]
      workingdir = C:\Users\Mark\AppData\Local\Temp
      udp = 10100
          image = C:\downloads\GNS3\c7200-adventerprisek9-mz.152-4.S5.image
          idlepc = 0x62f1e4ec
          ghostios = True
          console = 2009
          aux = 2104
          cnfg = configs\RRc3.cfg
          slot1 = PA-2FE-TX
          f1/0 = RRS1 f2/1
          x = 337.0
          y = 155.0
          z = 1.0
          hx = 17.5
          hy = -25.0
          console = 2008
          aux = 2105
          cnfg = configs\RRc2.cfg
          slot1 = PA-2FE-TX
          f1/0 = RRS1 f2/0
          x = 149.0
          y = 204.0
          z = 1.0
          hx = -13.5
          hy = -23.0
  [GNS3-DATA]
      configs = configs
          text = ".1"
          x = 208.0
          y = -23.0
          text = "10.1.12.0/24"
          x = -19.0
          y = 5.0
          text = ".1"
          x = 153.0
          y = 25.0
          text = ".1"
          x = 259.0
          y = 33.0
          text = "10.1.13.0/24"
          x = 238.0
          y = 84.0
          rotate = 99
          text = "10.1.25.0/24"
          x = -188.0
          y = -124.0
          text = "l0: 172.16.2.1/24"
          x = 125.0
          y = 244.0
          text = "l0:172.16.1.1/24"
          x = -269.0
          y = 240.0
          text = "10.1.15.0/24"
          x = 116.0
          y = -127.0
          text = "10.1.14.0/24"
          x = 293.0
          y = 53.0
          rotate = 50
          text = ".1"
          x = 194.0
          y = 68.0
          text = "AS100"
          x = -20.0
          y = -342.0
          text = ".2"
          x = -148.0
          y = 46.0
          text = "AS200"
          x = 33.0
          y = 300.0
          text = "l0: 1.1.1.1/24"
          x = -42.0
          y = -306.0
          text = ".5"
          x = 50.0
          y = -213.0
          text = ".2"
          x = -248.0
          y = 60.0
          text = ".2"
          x = -174.0
          y = -52.0
          text = ".5"
          x = -54.0
          y = -209.0
          text = ".6"
          x = -232.0
          y = 189.0
          text = "l0:172.16.3.1/24"
          x = 299.0
          y = 194.0
          text = "10.1.26.0/24"
          x = -274.0
          y = 167.0
          rotate = 290
          text = ".3"
          x = 208.0
          y = 187.0
          text = ".4"
          x = 312.0
          y = 155.0
          type = ellipse
          x = 50.0
          y = -35.0
          width = 385.0
          height = 345.0
          fill_color = "#ffff7f"
          border_style = 2
          z = -1.0
          type = ellipse
          x = -171.0
          y = -346.0
          width = 359.0
          height = 200.0
          fill_color = "#aaff7f"
          border_style = 2
          z = -1.0
          type = ellipse
          x = -407.0
          y = -87.0
          width = 883.0
          height = 443.0
          border_style = 2
          z = -2.0
          type = ellipse
          x = -361.0
          y = -29.0
          width = 385.0
          height = 326.0
          fill_color = "#55aaff"
          border_style = 2
          z = -3.0

  BD,
  Ahh...
  OK.  In the original article, the author states that the final piece with the route map
  NEXTHOP was supposed to fix the reachability issue.  Obviously it doesn't.
  After reading your last post, I looked more carefully at the output from 'sh ip bgp'
  on each of the client routers and I realized that several of the next hop addresses were
  wrong for some of the prefixes.
  1) I completely removed the 'neighbor RouteReflectors route-map NEXTHOP out'
  from both RR's.  Then I ran 'sh ip bgp' on the clients and noted a change in the next hop addresses.  Still wrong, but it changed.
  2) I then tried next-hop-self from the RR's to the clients, but it did not change from where
  it was after I completed step 1.  I am not sure why there was no change. (actually, see the very end of this post)
  3) I then applied my version of the route map:  route-map NEXTHOP permit 10
                                                                               set ip next-hop peer-address
  to the RR's with this: neighbor RRClients route-map NEXTHOP out
  That fixed it.  All three clients have as their next hop for all prefixes their respective
  RR's (which is what they should have for this topology).
  I have full connectivity everywhere, even loopback to loopback between all clients.
  1) THANK YOU for pointing me in the right direction.
  2) If I may ask, why did next hop self fail?  More specifically, I saw no change at all
  in the next hop for the advertised prefixes.  Is it because next-hop-self should be used
  for eBGP peers and all of the RR's and clients are all within the same AS?

• Policy Based Routing - set ip next-hop

  All,
  I am trying to change the next hop for selective traffic to route via a WAN optimiser rather than follow the default route. I am trying to achieve this on a 4506 with IOS 12.2(20)EW.
  I have configured an ACL intended to capture traffic from my desired subnet, to my desired subnet:
  ip access-list extended INTER-STOR permit ip 192.168.XX.0 0.0.0.128 192.168.YY.0 0.0.0.128 log
  I have then created the route map:
  route-map WAN-OPT permit 10 match ip address INTER-STOR set interface Vlan1 set ip next-hop 192.168.XX.50
  I have tested both with and without setting the interface. Neither make any difference.
  I am then applying the route map policy to the vlan in which the traffic I wish to re-route is originating.
  ip policy route-map WAN-OPT
  I am finding however that this configuration doesn't work.
  I have reviewed a number of documents and can not find any limitations based on the version of IOS I am using or my configuration.
  This switch performs the routing for this environment, however there are no interfaces assigned to this vlan for anything other than testing on this switch. They are assigned on a stack on 3750's running as a VTP client. Again - testing from a port in the relevant vlan on this switch doing the routing (4500) does not change the results. The traffic continues to be routed the via the default route.
  I'm not so sure that it is even the route map that has the problem as if I look at the access lists I can not see any hits being registered. I'm not sure whether this is a red-herring or not as I can't see what is wrong with the ACL or anything to suggest this ACL would not be supported.
  If anybody can offer any guidance or suggestions it would be very much appreciated.
  Thanks,

  Below is the "offical" explanation, I have bolded and underlined ESTENTIAL information:-
  set ip next-hop
  •Specifies the next hop for which to route the packet (the next hop must be adjacent). This behavior is identical to a next hop specified in the normal routing table.
  set interface
  •Sets output interface for the packet. This action specifies that the packet is forwarded out of the local interface. The interface must be a Layer 3 interface (no switchports), and the destination address in the packet must lie within the IP network assigned to that interface. If the destination address for the packet does not lie within that network, the packet is dropped.
  set ip default next-hop
  •Sets next hop to which to route the packet if there is no explicit route for this destination. Before forwarding the packet to the next hop, the switch looks up the packet's destination address in the unicast routing table. If a match is found, the packet is forwarded by way of the routing table. If no match is found, the packet is forwarded to the specified next hop.
  set default interface
  •Sets output interface for the packet if there is no explicit route for this destination. Before forwarding the packet to the next hop, the switch looks up the packet's destination address in the unicast routing table. If a match is found, the packet is forwarded via the routing table. If no match is found, the packet is forwarded to the specified output interface. If the destination address for the packet does not lie within that network, the packet is dropped.
  HTH>

• BGP Next-hop Change

  Hi All,
  I want to discuss a problem that I am facing in the BGP scenario.
  The problem is that I have 2 ISP connections from a service provider which is terminating on 6509 VSS and our companies 2 routers and ASA is also connected to 6509 VSS.
  R5 is creating a eBGP peering with R3 (Primary ISP) and R4 (Secondary ISP) and in same way R6 is having eBGP peering with R3 and R4.
  I am using 2 default routes 1st with default AD towards R3 (Pri ISP) and 2nd with a higher AD value towards R4 (Sec ISP).
  After this I had changed Next-hop with the help of route-map.So, that the traffic will hit on ASAs interface from WAN side.
  The route-map for R3 is having a set IP next-hop of ASAs IP address x.x.x.10 and the route-map for R4 is having a set IP next-hop of ASAs 2nd interface IP address y.y.y.10 
  So, now problem is when I use command on R5 to see which next-hop I am sending to customer(#sh ip bgp nei x.x.x.3 advertised-routes) than for R3 network it shows me the exact next-hop which I want of x.x.x.10 ASAs interfaces but when I use same command to check for R4 than the output is also same i.e. it is having the next-hop of ASAs IP x.x.x.10 even in my route-map I am having a entry to set next-hop for R4 is ASAs interface IP y.y.y.10
  After this I used wireshark to capture packet and I also used debug but the output shows that next-hop is set for R4 is y.y.y.10
  So, this is the problem i.e. in show output command it is showing wrong next-hop but in capturing it is acknowledging that it is using the next-hop mentioned in route-map.
  This is my configuration on R5 and same is on R6 just IPs are like y.y.y.6
  R5#
  interface GigabitEthernet0/0
   description TO Primary ISP
   ip address x.x.x.5 255.255.255.248
   duplex auto
   speed auto
   no shut
  interface GigabitEthernet0/1
   description To Secondary ISP
   ip address y.y.y.5 255.255.255.248
   duplex auto
   speed auto
   no shut
  ip access-list standard BLOCK
   deny any
  route-map as_prepend_secondary permit 10
   set ip next-hop y.y.y.10
  route-map as_prepend_primary permit 10
    set ip next-hop x.x.x.10
  router bgp AAAAA
   no synchronization
   bgp log-neighbor-changes
   network z.z.z.z mask 255.255.255.248
   timers bgp 10 30
   neighbor y.y.y.4 remote-as BBBBB
   neighbor y.y.y.4 route-map as_prepend_secondary out
   neighbor x.x.x.3 remote-as BBBBB
   neighbor x.x.x.3 route-map as_prepend_primary out
   distribute-list BLOCK in
   no auto-summary
  ip route x.x.x.0 255.255.255.0 x.x.x.3
  ip route y.y.y.0 255.255.255.0 y.y.y.3 2
  This is the output of Debug on R6
  BGP: TX IPv4 Unicast Wkr global 7 Cur Processing.
  BGP: TX IPv4 Unicast Wkr global 7 Cur Attr change from 0x0 to 0x68F081C8.
  *Sep 15 13:16:15.056: BGP(0): y.y.y.4 NEXT_HOP is set to y.y.y.10 by policy for net y.y.y.128,
  Thanks & Regards,
  Rahul Chhabra

  Topology Diagram

• BGP - next hop self command.

  Hi,
  I am learning bgp...need your help...
  Connectivity is like as follows:
  Router A (ebgp)  Router B (ibgp) Router C (ibgp) Router D
  when loopback subnet of Router A is received at Router C, defalult with next hop address of outgoing interface of router A.
  after configuring next hop self command on router B to C, on Router C then show next hop add outgoing interface of router B. k no prob.
  but same subnet isn't received on router D because of ibgp split horizon rule; used route-reflector client on router C. then router D received subnet of Router A; but shows next hop address outgoing interface of router B. even though i used next hop self on router C towards D.; router D didn't show next hop add of router C. Why ??
  Its ok i used IGP i.e. EIGRP in between router B, C & D. it works.
  => why next hop self doesn't work in this scenario ?? & is it the reaseon we need to use IGP into IBGP AS ??
  --Sandy.

  Hi,
  I agree with Milan, you can use a route-map applied in the outbound direction to rewrite the next-hop.
  Another option is to use the "next-hop-self all" (note the keyword all), that will update the next hop of both iBGP and eBGP learned prefixes:
  http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/command/irg-cr-book/bgp-m1.html#wp4972925610
  The use case for this (next-hop-self all) is I see is in a DMVPN Network, but not for an ISP - MPLS/VPN Provider.
  Regarding BGP and the need of IGP, think that different protocols have different purposes. The IGP, specially used in large-scale deployments, is used to build the topology and provide reachability to internal prefixes. The IGPs used in large-scale designs, IS-IS/OSPF, are good here because as they are link-state protocols and have a complete view of the network and will detect fast a change and run SPF for a new topology if needed. Furthermore, they have extensions to use MPLS/Traffic Engineering.
  Once the topology is build and the routers have reachability to internal prefixes, then you can run iBGP (typically between loopbacks) to provide reachability to external prefixes. BGP is very good to transport a good amount of prefixes, as it is based in TCP. If the IGPs could handle the amount of prefixes can handle BGP, then you would not need iBGP, you would redistribute (which is another option) them to the IGP and we will only have external BGP. However, in order to provide reachability and build and scalable network, you need BGP plus an IGP.
  The reason of having the need of an iBGP full mesh is to prevent black-holes in the network. Think that routers A-B-C, A is running iBGP with C, which are edge routers receiving prefixes from other ASN´s. As B is not running BGP, when it receives a packet destined to an external network it will drop that packet as it has no information in the RIB.
  There was also an old rule called synchronization that prevented the problem of advertising a black hole to another AS. The rule was that if the prefix is not in the IGP, BGP will not advertise that prefix. So, redistribution solved in the old days the problem of black holes and the rule of sync the problem of advertising them to other ASNs. As the networks got bigger and bigger, there was no point to redistribute the external prefixes to the IGP, so iBGP full-mesh/RRs were deployed and the sync rule disabled.
  Hope this helps,
  Jose.

• PBR / set ip next-hop

  Hi,
  could someone please advice how to change a next-hop for incoming SMTP traffic? I've successfully created PBR to redirect customer SMTP traffic to a different next-hop:
  C6509#access-list 150 permit tcp 85.175.191.0 0.0.0.255 any eq smtp (customer LAN is 85.175.191.0/24; from customer to the internet)
  C6509#access-list 160 permit tcp any 85.175.191.0 0.0.0.255 eq smtp (from the internet to customer LAN; doesn't work!)
  C6509#route-map MAIL-Redirect permit 10
  C6509#match ip address 150
  C6509#set ip next-hop 20.10.10.10
  C6509#route-map MAIL-Redirect permit 20
  C6509#match ip address 160
  C6509#set ip next-hop 20.10.10.10
  C6509#interface Vlan100
  C6509#ip address 85.175.191.1 255.255.255.0
  C6509#ip policy route-map MAIL-Redirect
  Redirect customer SMTP traffic from inside to the internet works as expected:
  IP: s=85.175.191.111 (Vlan16), d=173.19.66.27, len 60, FIB policy match
  IP: s=85.175.191.111 (Vlan16), d=173.19.66.27, len 60, PBR Counted
  IP: s=85.175.191.111 (Vlan16), d=173.19.66.27, g=20.10.10.10, len 60, FIB policy routed
  C6509#sh access-list 150
  Extended IP access list 150
      10 permit tcp 85.175.191.0 0.0.0.255 any eq smtp (17 matches)
  But the other direction (SMTP traffic coming in from the internet to 85.175.191.0/24) seems not working:
  C6509#sh access-list 160
  Extended IP access list 160
      10 permit tcp any 5.175.191.0 0.0.0.255 eq smtp
  Any ideas?
  Thanks,
  Thomas

  I think it's because PBR must be configured in interface receiving traffic; try configuring PBR on the  WAN interface (obviously you can split the route-map in the routemaps: one for incoming traffic (used on WAN inertf) and one for outgoing traffic (used on VLAN 100))
  Let me know, bye,
  enrico
  PS: please rate if useful

• BGP Next-hop conflict with MPLS Label.

  Hi, Experts
  Equipment: Cisco ASR9922, IOS-XR 4.3.2
  Issue: I have problem that my RR do the next-hop-self by using route-policy for client routers, the next-hop is changed as intended but the MPLS label doesn’t changed to reflect the new next-hop.
  What I would like to achieve: I would like RR to set next-hop-self only for selected prefixes(172.168.0.0/24, 0.0.0.0/0) but maintain original next-hop for the rest, I do this by using route-policy.
  Detail:
  I have routers running MPLS infrastructure with ASR9922 as an RR. RN router is in neighbor-group RN and CPE-xx routers are in neighbor-group AN.
  •-       Every routers are in same BGP AS64549.
  •-       RN sends prefixes 0.0.0.0/0 and 172.168.0.0/24 to RR.
  •-       CPE-25 sends prefix 192.168.25.1/32 to RR.
  Neighbor-group AN has the route-policy AN-OUT2 to set next-hop of prefix 172.168.0.0/24 and 0.0.0.0/0 to RR#loopback1 before send out update to CPE routers. Below is BGP and RPL configuration at RR.
  router bgp 64549
  nsr
  bgp graceful-restart
  ibgp policy out enforce-modifications
  address-family vpnv4 unicast
    additional-paths receive
    additional-paths send
    additional-paths selection route-policy ADD-PATH-iBGP
    retain route-target all
  neighbor-group AN
    remote-as 64549
    cluster-id 172.16.1.11
    update-source Loopback1
    address-family vpnv4 unicast
     route-reflector-client
     route-policy AN-OUT2 out
     soft-reconfiguration inbound
  route-policy AN-OUT2
    if destination in DEFAULT or destination in RNC then
      set next-hop 192.168.10.11
    else
      pass
    endif
  end-policy
  This is what RR advertises to CPE-24
  RP/0/RP0/CPU0:RR#show bgp vpnv4 unicast neighbors 192.168.10.24 advertised-routes
  Fri Dec 20 15:23:14.931 BKK
  Network            Next Hop        From            AS Path
  Route Distinguisher: 64549:3339
  0.0.0.0/0          192.168.10.11   172.16.1.1      ?
                                     172.16.1.2      ?
  172.168.0.0/24     192.168.10.11   172.16.1.1      ?
                                     172.16.1.2      ?
  192.168.0.1/32     192.168.10.11   192.168.10.24   i
  192.168.0.26/32    192.168.10.26   192.168.10.26   i
  192.168.25.1/32    192.168.10.25   192.168.10.25   i
  192.168.211.8/30   192.168.10.22   192.168.10.22   i
  The IP part works as intended but MPLS Label doesn’t work as intended. Please take a look at RN who is originates 172.168.0.0/24, label 16025 is locally assigned.
  RP/0/RP0/CPU0:RN1#show bgp vpnv4 unicast labels
  Status codes: s suppressed, d damped, h history, * valid, > best
                i - internal, r RIB-failure, S stale, N Nexthop-discard
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network            Next Hop        Rcvd Label      Local Label
  Route Distinguisher: 64549:3339 (default for vrf VLAN3339)
  *> 0.0.0.0/0          0.0.0.0         nolabel         16025          
  * i                   172.16.1.11     16068           16025          
  * i                   172.16.1.13     16033           16025          
  *> 172.168.0.0/24     0.0.0.0         nolabel         16025          
  * i                   172.16.1.11     16059           16025          
  * i                   172.16.1.13     16024           16025          
  172.168.0.0/24 at RR, label 16059 is locally assigned, label 16025 is receive from RN router. It should send 172.168.0.0/24 with label 16059 to CPE-24 to reflect next-hop changed.
  RP/0/RSP0/CPU0:RR#show bgp vpnv4 unicast labels
  Status codes: s suppressed, d damped, h history, * valid, > best
                i - internal, r RIB-failure, S stale, N Nexthop-discard
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network            Next Hop        Rcvd Label      Local Label
  Route Distinguisher: 64549:3339
  *>i0.0.0.0/0          172.16.1.1      16025           16068          
  * i                   172.16.1.2      16007           16068          
  *>i172.168.0.0/24     172.16.1.1      16025           16059          
  * i                   172.16.1.2      16007           16059          
  *>i192.168.0.1/32     192.168.10.24   131070          16060          
  *>i192.168.25.1/32    192.168.10.25   131070          16062          
  *>i192.168.211.8/30   192.168.10.22   131070          16065          
  What I found at CPE-24 which is Alcatel router is that, RR send prefix 172.168.0.0/24, nh 192.168.10.11 with label 16025 which is incorrect.
  A:CPE-24# show router bgp routes vpn-ipv4 172.168.0.0/24
  ===============================================================================
  BGP Router ID:192.168.10.24    AS:64549       Local AS:64549     
  ===============================================================================
  Legend -
  Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
  Origin codes  : i - IGP, e - EGP, ? - incomplete, > - best, b - backup
  ===============================================================================
  BGP VPN-IPv4 Routes
  ===============================================================================
  Flag  Network                                            LocalPref   MED
        Nexthop                                            Path-Id     VPNLabel
        As-Path                                                       
  u*>?  64549:3339:172.168.0.0/24                          100         0
        192.168.10.11                                      None        16025
        No As-Path                                                     
  Routes : 1
  ===============================================================================
  On RR If I just remove the policy and do the next-hop-self under vpv4 address family, CPE-24 will get corrent nh with correct label(16059) but that won’t achieve our requirement to change nh only on selected prefixes. Is this software problem? Or is there any solution to work around?
  Regard,
  Marit

  Hello Marit,
  I am able to recreate this in the lab, and unfortunately this scenario is not supported. BGP does not advertise allocated label if we set nexhop using route policy. The only way is by next-hop-self configured on RR, and yes it eventually will applies to all prefixes advertised to neighbor-group AN. Currently i do not have workaround available.
  Below is the capture of what i have tested in the lab:
  The topology:
  CRS-4-02 ---------- CRS-8-01 ------------ ASR-9006-1
  CRS-8-01 is Route-reflector of CRS-4-02 and ASR-9006-1.
  CRS-4-02 advertise some prefixes.
  This issue occurs when RR have route-policy toward ASR-9006-1, where it assign incorrect label. But it assign correct label if CRS-8-01 use next-hop-self.
  Below is the test done in the lab if RR use next-hop-self:
  RP/0/RP0/CPU0:CRS-4-02#show run router bgp
  Tue Jan  7 08:16:18.945 UTC
  router bgp 1
  bgp router-id 172.16.4.1
  ibgp policy out enforce-modifications
  address-family ipv4 unicast
  address-family vpnv4 unicast
  neighbor 172.16.8.3
    remote-as 1
    update-source Loopback0
    address-family ipv4 unicast
    address-family vpnv4 unicast
     route-policy PASS in
     route-policy PASS out
  vrf RTAMAELA
    rd 100:1
    address-family ipv4 unicast
     redistribute connected
  RP/0/RP0/CPU0:CRS-4-02#show bgp vpnv4 unicast advertised  summary
  Tue Jan  7 08:16:29.001 UTC
  Network            Next Hop        From             Advertised to
  Route Distinguisher: 100:1
  78.22.11.2/32      172.16.4.1      Local            172.16.8.3
  78.22.11.3/32      172.16.4.1      Local            172.16.8.3
  93.22.15.61/32     172.16.4.1      Local            172.16.8.3
  RP/0/RP0/CPU0:CRS-4-02#
  RP/0/RP0/CPU0:CRS-4-02#show bgp vpnv4 unicast labels
  Tue Jan  7 08:16:53.655 UTC
  BGP router identifier 172.16.4.1, local AS number 1
  BGP generic scan interval 60 secs
  BGP table state: Active
  Table ID: 0x0
  BGP main routing table version 57
  BGP scan interval 60 secs
  Status codes: s suppressed, d damped, h history, * valid, > best
                i - internal, r RIB-failure, S stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network            Next Hop        Rcvd Label      Local Label
  Route Distinguisher: 100:1 (default for vrf RTAMAELA)
  *>i22.51.32.77/32     172.16.8.3      16056           nolabel
  *> 78.22.11.2/32      0.0.0.0         nolabel         16003
  *> 78.22.11.3/32      0.0.0.0         nolabel         16003
  *> 93.22.15.61/32     0.0.0.0         nolabel         16003
  Processed 4 prefixes, 4 paths
  RP/0/RP0/CPU0:CRS-4-02#
  RP/0/RP1/CPU0:CRS-8-01#show run router bgp
  Wed Jan  8 11:07:05.436 UTC
  router bgp 1
  bgp graceful-restart
  ibgp policy out enforce-modifications
  address-family ipv4 unicast
    allocate-label all
  address-family vpnv4 unicast
    retain route-target all
  neighbor-group AN
    remote-as 1
    update-source Loopback0
    address-family vpnv4 unicast
     route-reflector-client
     next-hop-self                              <-- use next-hop-self toward ASR-9006-1
     soft-reconfiguration inbound
  neighbor-group RN
    remote-as 1
    update-source Loopback0
    graceful-restart
    address-family vpnv4 unicast
     route-reflector-client
     next-hop-self
     soft-reconfiguration inbound
  neighbor 10.10.10.10
    remote-as 1
    address-family ipv4 unicast
  neighbor 72.15.48.5
    use neighbor-group AN
  neighbor 172.16.4.1
    use neighbor-group RN
  RP/0/RP1/CPU0:CRS-8-01#show bgp vpnv4 unicast labels
  Wed Jan  8 11:07:09.091 UTC
  BGP router identifier 172.16.8.3, local AS number 1
  BGP generic scan interval 60 secs
  BGP table state: Active
  Table ID: 0x0   RD version: 344169
  BGP main routing table version 92
  BGP scan interval 60 secs
  Status codes: s suppressed, d damped, h history, * valid, > best
                i - internal, r RIB-failure, S stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network            Next Hop        Rcvd Label      Local Label
  Route Distinguisher: 100:1
  *>i22.51.32.77/32     72.15.48.5      16000           16056
  *>i78.22.11.2/32      172.16.4.1      16003           16053
  *>i78.22.11.3/32      172.16.4.1      16003           16054
  *>i93.22.15.61/32     172.16.4.1     16003           16055
  Processed 4 prefixes, 4 paths
  RP/0/RP1/CPU0:CRS-8-01#
  RP/0/RSP1/CPU0:ASR-9006-01#show run router bgp
  Wed Jan  8 17:02:02.796 UTC
  router bgp 1
  bgp router-id 72.15.48.5
  bgp graceful-restart
  ibgp policy out enforce-modifications
  address-family ipv4 unicast
  address-family vpnv4 unicast
    retain route-target all
  neighbor-group RR
    remote-as 1
    update-source Loopback0
    graceful-restart
    address-family vpnv4 unicast
     route-reflector-client
     soft-reconfiguration inbound
  neighbor 172.16.8.3
    use neighbor-group RR
  neighbor 192.169.1.2
    remote-as 1
    update-source Loopback0
    address-family vpnv4 unicast
     route-policy PASS in
     route-policy PASS out
  vrf RTAMAELA
    rd 100:1
    address-family ipv4 unicast
     redistribute connected
  RP/0/RSP1/CPU0:ASR-9006-01#show bgp vpnv4 unicast labels
  Wed Jan  8 17:02:04.381 UTC
  BGP router identifier 72.15.48.5, local AS number 1
  BGP generic scan interval 60 secs
  BGP table state: Active
  Table ID: 0x0   RD version: 253825
  BGP main routing table version 126
  BGP scan interval 60 secs
  Status codes: s suppressed, d damped, h history, * valid, > best
                i - internal, r RIB-failure, S stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network            Next Hop        Rcvd Label      Local Label
  Route Distinguisher: 100:1 (default for vrf RTAMAELA)
  *> 22.51.32.77/32     0.0.0.0         nolabel         16000
  *>i78.22.11.2/32      172.16.8.3      16053           nolabel          <== 172.16.8.3 is the loopback address of CRS-8-01
  *>i78.22.11.3/32      172.16.8.3      16054           nolabel
  *>i93.22.15.61/32     172.16.8.3      16055           nolabel
  Processed 4 prefixes, 4 paths
  RP/0/RSP1/CPU0:ASR-9006-01#
  From output above we can see that ASR-9006-01 received correct label for each prefix.
  Below is the output with route-policy configured and ASR-9006-01 receive incorrect label:
  RP/0/RP1/CPU0:CRS-8-01#show run router bgp
  Wed Jan  8 11:04:46.310 UTC
  router bgp 1
  bgp graceful-restart
  ibgp policy out enforce-modifications
  address-family ipv4 unicast
    allocate-label all
  address-family vpnv4 unicast
    retain route-target all
  neighbor-group AN
    remote-as 1
    update-source Loopback0
    address-family vpnv4 unicast
     route-reflector-client
     route-policy RTAMAELA out
     soft-reconfiguration inbound
  neighbor-group RN
    remote-as 1
    update-source Loopback0
    graceful-restart
    address-family vpnv4 unicast
     route-reflector-client
     next-hop-self
     soft-reconfiguration inbound
  neighbor 72.15.48.5
    use neighbor-group AN
  neighbor 172.16.4.1
    use neighbor-group RN
  RP/0/RP1/CPU0:CRS-8-01#show run route-policy RTAMAELA
  Wed Jan  8 11:16:06.847 UTC
  route-policy RTAMAELA
    if destination in RNC then
      set next-hop 172.16.8.3
    else
      pass
    endif
  end-policy
  RP/0/RP1/CPU0:CRS-8-01#show run prefix-set RNC
  Wed Jan  8 11:16:12.099 UTC
  prefix-set RNC
    78.22.11.3/32
  end-set
  RP/0/RP1/CPU0:CRS-8-01#show bgp vpnv4 unicast labels
  Wed Jan  8 11:04:33.512 UTC
  BGP router identifier 172.16.8.3, local AS number 1
  BGP generic scan interval 60 secs
  BGP table state: Active
  Table ID: 0x0   RD version: 344013
  BGP main routing table version 92
  BGP scan interval 60 secs
  Status codes: s suppressed, d damped, h history, * valid, > best
                i - internal, r RIB-failure, S stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network            Next Hop        Rcvd Label      Local Label
  Route Distinguisher: 100:1
  *>i22.51.32.77/32     72.15.48.5      16000           16056
  *>i78.22.11.2/32      172.16.4.1      16003           16053
  *>i78.22.11.3/32      172.16.4.1      16003           16054
  *>i93.22.15.61/32     172.16.4.1      16003           16055
  Processed 4 prefixes, 4 paths
  RP/0/RP1/CPU0:CRS-8-01#
  RP/0/RSP1/CPU0:ASR-9006-01#show run router bgp
  Wed Jan  8 16:59:41.601 UTC
  router bgp 1
  bgp router-id 72.15.48.5
  bgp graceful-restart
  ibgp policy out enforce-modifications
  address-family ipv4 unicast
  address-family vpnv4 unicast
    retain route-target all
  neighbor-group RR
    remote-as 1
    update-source Loopback0
    graceful-restart
    address-family vpnv4 unicast
     route-reflector-client
     soft-reconfiguration inbound
  neighbor 172.16.8.3
    use neighbor-group RR
  neighbor 192.169.1.2
    remote-as 1
    update-source Loopback0
    address-family vpnv4 unicast
     route-policy PASS in
     route-policy PASS out
  vrf RTAMAELA
    rd 100:1
    address-family ipv4 unicast
     redistribute connected
  RP/0/RSP1/CPU0:ASR-9006-01#show bgp ipv4 unicast labels
  Wed Jan  8 16:59:52.173 UTC
  RP/0/RSP1/CPU0:ASR-9006-01#show bgp vpnv4 unicast labels
  Wed Jan  8 17:00:00.457 UTC
  BGP router identifier 72.15.48.5, local AS number 1
  BGP generic scan interval 60 secs
  BGP table state: Active
  Table ID: 0x0   RD version: 253701
  BGP main routing table version 123
  BGP scan interval 60 secs
  Status codes: s suppressed, d damped, h history, * valid, > best
                i - internal, r RIB-failure, S stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network            Next Hop        Rcvd Label      Local Label
  Route Distinguisher: 100:1 (default for vrf RTAMAELA)
  *> 22.51.32.77/32     0.0.0.0         nolabel         16000
  *>i78.22.11.2/32      172.16.4.1      16003           nolabel
  *>i78.22.11.3/32      172.16.8.3      16003           nolabel   <-- It receive label 16003, which is wrong. it should receive label 16054.
  *>i93.22.15.61/32     172.16.4.1      16003           nolabel
  Processed 4 prefixes, 4 paths
  RP/0/RSP1/CPU0:ASR-9006-01#
  Rivalino

• Importance of specifiying MAC add of next hop L3 device in FWSM config

  Hi,
  With refrence of Cisco Secure Firewall Services Module (FWSM) of Cisco Press book it's mentioned that
  "While configuring the transparent mode in FWSM, it is important to specify the MAC address and the CAM entries on the Layer 3 next hop device of FWSM."
  This part of configuration is not very much clear to me please let me know the logic of this things
  The following are two examples:
  Layer 3 Device A (PFC) at the Outside Security Domain
  ! IP address of the next hop for the outside security domain
  interface Vlan20
  mac-address 0000.0000.0001
  ip address 10.10.1.1 255.255.255.0
  ! Specify the IP address and MAC address at the first hop layer 3 interface
  ! of the inside security domain
  arp 10.10.1.21 0000.0000.0001 ARPA
  Layer 3 Device B at the Inside Security Domain
  ! IP address of the next hop for the inside security domain
  interface Vlan21
  mac-address 0000.0000.0021
  ip address 10.10.1.21 255.255.255.0
  ! Specify the IP address and MAC address defined at the first hop interface
  ! of the outside security domain
  arp 10.10.1.21 0000.0000.0002 ARPA
  Regards
  Ambivert Skill

  Hello Mikis,
  Fair enough, Just remember beggining on 8.3 how the ASA handles the packets it's different from 8.2 and older versions.
  As you said now the ASA is going to check the proper Nat rules first and then the Acl's that is why when we want to allow traffic from outside to an inside server  we need to poing the ACL to the private or un-nated Ip as the nat rule was taken in place first
  Good post by the way,
  Remember to rate all the community answers, for us that is more important than a thanks
  Julio

• The next-hop-self command PLEASE HELP

  I have a question about the next hop-self command, i have a topology with 3 routers lets say R1,R2 and R3. Know R1 and R2 are Ebgps neighbors and R2 and R3 are iBgp neighbors. Know lets say i have a loop back address or lan on R3. Do i need to configure Next-hop-self on R2 towords R1 so R1 can ping R3s lans.
  I need to be able to know the Logic very well so a clear explenation would be very appreciated.

  Sorry, you did say you wanted to understand the logic.
  When a BGP router advertises a route to an EBGP peer the next hop in the route is itself. By definition the receiving router must know how to get to that next hop because they are peering with BGP.
  When a BGP router receives a route from an EBGP peer if it advertises it to an IBGP peer by default it does not change the next hop IP so the next hop IP is that of the originating router.
  So there is a good chance that the IBGP router does not know how to get to that next hop IP.
  There are a couple of solutions to this and one of them is to configure the receiving EBGP router to change the next hop IP to itself which obviously the IBGP peer knows how to get because again it has a peering.
  Jon