%ROUTING-RIB-3-UPDATE_TIMEOUT

Hi,
We are having GSR-12010 router in our network. Problem is that every time any OSPF link is going down we are getting the error message listed below:
LC/0/2/CPU0:Jan 20 07:57:32 : ifmgr[164]: %PKT_INFRA-LINEPROTO-5-UPDOWN : Line protocol on Interface POS0/2/3/0, changed state to Down
RP/0/8/CPU0:Jan 20 07:57:32 : ospf[304]: %ROUTING-OSPF-5-ADJCHG : Process 200, Nbr 10.181.128.3 on POS0/2/3/0 in area 0 from FULL to DOWN, Neighbor Down: interface down or detached
LC/0/2/CPU0:Jan 20 07:57:34 : g_spa_3[158]: %L2-SONET_LOCAL-4-ALARM : SonetPath0/2/3/0: B3_TCA
LC/0/2/CPU0:Jan 20 07:57:42 : ifmgr[164]: %PKT_INFRA-LINK-3-UPDOWN : Interface POS0/2/3/0, changed state to Up
LC/0/2/CPU0:Jan 20 07:57:42 : ifmgr[164]: %PKT_INFRA-LINEPROTO-5-UPDOWN : Line protocol on Interface POS0/2/3/0, changed state to Up
LC/0/2/CPU0:Jan 20 07:57:45 : g_spa_3[158]: %L2-SONET_LOCAL-4-ALARM : SonetPath0/2/3/0: B3_TCA cleared
RP/0/8/CPU0:Jan 20 07:57:52 : ospf[304]: %ROUTING-OSPF-5-ADJCHG : Process 200, Nbr 10.181.128.3 on POS0/2/3/0 in area 0 from LOADING to FULL, Loading Done
RP/0/8/CPU0:Jan 20 08:27:32 : ipv4_rib[225]: %ROUTING-RIB-3-UPDATE_TIMEOUT : Client "ospf" updated the RIB without signaling update completion for Vrf: "default" Tbl: "default" Safi: "Unicast"
LC/0/2/CPU0:Jan 20 08:56:40 : ifmgr[164]: %PKT_INFRA-LINK-3-UPDOWN : Interface POS0/2/3/0, changed state to Down
LC/0/2/CPU0:Jan 20 08:56:40 : ifmgr[164]: %PKT_INFRA-LINEPROTO-5-UPDOWN : Line protocol on Interface POS0/2/3/0, changed state to Down
RP/0/8/CPU0:Jan 20 08:56:40 : ospf[304]: %ROUTING-OSPF-5-ADJCHG : Process 200, Nbr 10.181.128.3 on POS0/2/3/0 in area 0 from FULL to DOWN, Neighbor Down: interface down or detached
LC/0/2/CPU0:Jan 20 08:56:40 : g_spa_3[158]: %L2-SONET_LOCAL-4-ALARM : SonetPath0/2/3/0: B3_TCA
LC/0/2/CPU0:Jan 20 08:56:50 : ifmgr[164]: %PKT_INFRA-LINK-3-UPDOWN : Interface POS0/2/3/0, changed state to Up
LC/0/2/CPU0:Jan 20 08:56:50 : ifmgr[164]: %PKT_INFRA-LINEPROTO-5-UPDOWN : Line protocol on Interface POS0/2/3/0, changed state to Up
LC/0/2/CPU0:Jan 20 08:56:52 : g_spa_3[158]: %L2-SONET_LOCAL-4-ALARM : SonetPath0/2/3/0: B3_TCA cleared
RP/0/8/CPU0:Jan 20 08:57:00 : ospf[304]: %ROUTING-OSPF-5-ADJCHG : Process 200, Nbr 10.181.128.3 on POS0/2/3/0 in area 0 from LOADING to FULL, Loading Done
RP/0/8/CPU0:Jan 20 09:26:40 : ipv4_rib[225]: %ROUTING-RIB-3-UPDATE_TIMEOUT : Client "ospf" updated the RIB without signaling update completion for Vrf: "default" Tbl: "default" Safi: "Unicast"
Please help us to get root cause and solution to this error log.
Rgds,
Tejeshwar Saini

Hello Tejeshwar,
Does the OSPF adjacency come up correctly?
Is the device able to forward and receive over the link?
the message appears to just signal the OSPF process has modified the RIB table, because the OSPF neighbor came up, without providing a signal to another process and
This may be without impact or with impact on your device
If you see that there is an impact, you should open a TAC service request.
If there is no impact, you may be able to live with this message.
You are using IOS XR 3.6. TAC will probably suggest an upgrade that can take the form of one or more SMU packages or a whole IOS XR upgrade.
Hope to help
Giuseppe
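An added example, not part of the original posts: a small parser for the IOS XR syslog lines quoted in the question that pairs each %ROUTING-RIB-3-UPDATE_TIMEOUT with the preceding OSPF FULL-to-DOWN and to-FULL transitions and reports the elapsed time. The sample lines are copied from the question; the year is an assumption, because the log carries none and only the deltas matter.

```python
import re
from datetime import datetime

# Sample input: OSPF and RIB lines copied from the question above, plus one
# interface line to show that unrelated messages are ignored.
SAMPLE_LOG = """\
LC/0/2/CPU0:Jan 20 07:57:32 : ifmgr[164]: %PKT_INFRA-LINEPROTO-5-UPDOWN : Line protocol on Interface POS0/2/3/0, changed state to Down
RP/0/8/CPU0:Jan 20 07:57:32 : ospf[304]: %ROUTING-OSPF-5-ADJCHG : Process 200, Nbr 10.181.128.3 on POS0/2/3/0 in area 0 from FULL to DOWN, Neighbor Down: interface down or detached
RP/0/8/CPU0:Jan 20 07:57:52 : ospf[304]: %ROUTING-OSPF-5-ADJCHG : Process 200, Nbr 10.181.128.3 on POS0/2/3/0 in area 0 from LOADING to FULL, Loading Done
RP/0/8/CPU0:Jan 20 08:27:32 : ipv4_rib[225]: %ROUTING-RIB-3-UPDATE_TIMEOUT : Client "ospf" updated the RIB without signaling update completion for Vrf: "default" Tbl: "default" Safi: "Unicast"
RP/0/8/CPU0:Jan 20 08:56:40 : ospf[304]: %ROUTING-OSPF-5-ADJCHG : Process 200, Nbr 10.181.128.3 on POS0/2/3/0 in area 0 from FULL to DOWN, Neighbor Down: interface down or detached
RP/0/8/CPU0:Jan 20 08:57:00 : ospf[304]: %ROUTING-OSPF-5-ADJCHG : Process 200, Nbr 10.181.128.3 on POS0/2/3/0 in area 0 from LOADING to FULL, Loading Done
RP/0/8/CPU0:Jan 20 09:26:40 : ipv4_rib[225]: %ROUTING-RIB-3-UPDATE_TIMEOUT : Client "ospf" updated the RIB without signaling update completion for Vrf: "default" Tbl: "default" Safi: "Unicast"
"""

# node:timestamp : process[pid]: %CATEGORY-GROUP-SEVERITY-MNEMONIC : text
LINE_RE = re.compile(
    r"^(?P<node>[A-Z]+/\d+/\d+/CPU\d+):"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) : "
    r"(?P<proc>\w+)\[\d+\]: "
    r"%(?P<mnemonic>[A-Z0-9_]+-[A-Z0-9_]+-\d-[A-Z0-9_]+) : "
    r"(?P<text>.*)$"
)
ADJ_RE = re.compile(
    r"Nbr (?P<nbr>\S+) on (?P<ifname>\S+) in area \S+ "
    r"from (?P<old>\w+) to (?P<new>\w+),"
)
CLIENT_RE = re.compile(r'Client "(?P<client>[^"]+)"')


def parse_lines(log_text, year=2000):
    """Yield one dict per recognised syslog line; other lines are skipped.

    `year` is an assumption: the quoted log has no year in its timestamps.
    """
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield {"node": m["node"], "when": when, "proc": m["proc"],
               "mnemonic": m["mnemonic"], "text": m["text"]}


def correlate_rib_timeouts(log_text, year=2000):
    """Pair each RIB UPDATE_TIMEOUT raised for client "ospf" with the most
    recent OSPF adjacency loss and the most recent transition to FULL."""
    last_down = None   # (when, neighbor, interface) of the last FULL -> DOWN
    last_full = None   # when the adjacency last reached FULL
    findings = []
    for ev in parse_lines(log_text, year):
        if ev["mnemonic"] == "ROUTING-OSPF-5-ADJCHG":
            adj = ADJ_RE.search(ev["text"])
            if not adj:
                continue
            if adj["old"] == "FULL" and adj["new"] == "DOWN":
                last_down = (ev["when"], adj["nbr"], adj["ifname"])
            elif adj["new"] == "FULL":
                last_full = ev["when"]
        elif ev["mnemonic"] == "ROUTING-RIB-3-UPDATE_TIMEOUT":
            client = CLIENT_RE.search(ev["text"])
            if not client or client["client"] != "ospf":
                continue
            findings.append({
                "timeout_at": ev["when"],
                "neighbor": last_down[1] if last_down else None,
                "interface": last_down[2] if last_down else None,
                "since_down": ev["when"] - last_down[0] if last_down else None,
                "since_full": ev["when"] - last_full if last_full else None,
            })
    return findings


if __name__ == "__main__":
    for f in correlate_rib_timeouts(SAMPLE_LOG):
        print(f["timeout_at"].strftime("%b %d %H:%M:%S"), f["neighbor"],
              f["interface"], "since down:", f["since_down"],
              "since FULL:", f["since_full"])
```

On the lines quoted in the question, both timeouts fall exactly 30 minutes after the FULL-to-DOWN transition, a detail worth including in a TAC case.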

Similar Messages

  • Difference between sh ip bgp & sh ip route? BGP tables and main routing table.

    Difference between sh ip bgp & sh ip route?
    sh ip bgp :::: loc-rib ?
    sh ip bgp nei x.x.x.x advertised-routes : adj-rib-in.
    sh ip bgp nei x.x.x.x received-routes : adj-rib-out.
    sh ip bgp nei x.x.x.x routes : loc-rib ?
    sh ip route = rib ? if yes does it mean its loc-rib ?
    so in a given router with bgp running, will there be 5 tables (sh ip bgp; adj-rib-in; loc-rib;adj-rib-out; sh ip route) ? if yes where are they saved ?

    sh ip bgp
    shows the BGP table (where the info coming from BGP updates is stored)
    sh ip bgp nei x.x.x.x advertised-routes
    shows networks that your router will advertise to a specific neighbor
    sh ip bgp nei x.x.x.x received-routes
    shows advertisements received from a specific neighbor; networks (NLRI) filtered with route-map, distribute-list, ... are included (inbound soft reconfiguration must be enabled)
    sh ip bgp nei x.x.x.x routes
    shows only routes sent by a specific neighbor and not filtered or discarded (i.e. accepted)
    sh ip route
    shows the routing table; it contains the best route for each network (best is first of all the lowest administrative distance, then the lowest metric)
    Bye,
    enrico.
    PS please rate if useful

  • ASR9000 NG-MVPN

    Hi All,
    Has anyone deployed NG-MVPN (mLDP) with ASR9000? The configuration in the configuration guide is a bit confusing, and I would appreciate it if you have any good document to follow to implement NG-MVPN with ASR9000.
    Rgds
    Harin

    IOS XR 4.3.0 has support for NG-MVPN, so CRS and ASR9K have it then.
    http://www.cisco.com/en/US/customer/docs/routers/asr9000/software/asr9k_r4.3/multicast/configuration/guide/b_mcast_cg43xasr9k_chapter_0100.html
    Next-Generation Multicast VPN
    Next-Generation Multicast VPN (NG-MVPN) offers more scalability for Layer 3 VPN multicast traffic. It allows point-to-multipoint Label Switched Paths (LSP) to be used to transport the multicast traffic between PEs, thus allowing the multicast traffic and the unicast traffic to benefit from the advantages of MPLS transport, such as traffic engineering and fast re-route. This technology is ideal for video transport as well as offering multicast service to customers of the layer 3 VPN service.
    Advantages of NG-MVPN:
    VRF Route-Import and Source-AS Extended Communities
    Upstream Multicast Hop (UMH) and Duplicate Avoidance
    Leaf AD (Type-4) and Source-Active (Type-5) BGP AD messages
    Default-MDT with mLDP P2MP trees and with Static P2MP-TE tunnels
    BGP C-multicast Routing
    RIB-based Extranet with BGP AD
    Accepting (*,G) S-PMSI announcements
    Egress-PE functionality for Ingress Replication (IR) core-trees
    Enhancements for PIM C-multicast Routing
    Migration of C-multicast Routing protocol

  • %IPRT-3-RIB_LOOP: Resolution loop formed by routes in RIB

    Does someone know how to debug this error message please?
    %IPRT-3-RIB_LOOP: Resolution loop formed by routes in RIB
    This error message spread everywhere inside my network.
    thanks!!

    Hello Vincent,
    This error means that RIB route producers have installed routes in the RIB that form a loop during resolution. But there could be several reasons for this. For example: a route received from a neighboring device and being installed in the RIB that conflicted with an already known/installed path.
    When were these logs observed? Are there any other logs alongside this which can shed some more light on the actual problem. The supporting logs can tell which component is triggering this (like CEF discovering the routing for a prefix has recursive paths that lead back to itself). These logs are merely symptoms.
    "show log" and "show ip route loops" will be good to have to start with!
    Regards,
    Imran

  • ISR router cannot receive packets addressed to itself?

    Hello, Support Team and All Members,
    I have a C881G router connected to 2 different ISP networks with a failover function configured and running properly. The following is a simple network diagram:
    The main WAN traffic goes through the ISP 1 LTE network and the router, provided by that ISP. The DMS Host on that router points to our C881G router Fa4 WAN interface (192.168.1.10), so the ISP 1 NAT Router is practically transparent to our traffic. Our C881G tracks the DNS server within the ISP 1 network (194.dns.isp.1) and in case of its inaccessibility the traffic is switched to the backup link, served by the on-board HSPA+ modem (interface Dialer0 of our C881G), connected to the ISP 2 HSPA network. It works fine, but the problem is with the PPTP connections from outside to the C881G router. The PPTP calls always work from the PPTP Client 2 PC (directly connected to the Fa4 subnet), but from PPTP Client 1 PC it works only in the failover mode - when all traffic goes through the ISP 2. The incoming path via ISP 1 does not work. The problem is rather not connected to the PPTP VPN, GRE, authentication or encryption, because just the first TCP 1723 SYN packets are dropped at Fa4 much earlier by the C881G router. The debug ip packet detail shows the following routing decision:
    IP: s=194.xxx.yyy.80 (FastEthernet4), d=192.168.1.10, len 40, input feature
        TCP src=4241, dst=1723, seq=791503628, ack=4111924253, win=0 ACK RST, MCI Check(94), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    FIBipv4-packet-proc: route packet from FastEthernet4 src 194.xxx.yyy.80 dst 192.168.1.10
    FIBfwd-proc: Default:192.168.1.10/32 receive entry
    FIBipv4-packet-proc: packet routing failed
    All other packets addressed from outside networks to the router itself and received via the Fa4 are also dropped in this way. All packets sent to Fa4 from the local subnet 192.168.1.0 are accepted. The routing table shows only standard connected interfaces and 1 static route to the 194.dns.isp.1 via 192.168.1.1, which is also the tracked gateway of last resort.
    Router runs the CEF.
    I cannot locate in the following configuration file any statement preventing the packets addressed to the router itself:
    version 15.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service internal
    hostname C881_xyz
    boot-start-marker
    boot-end-marker
    logging buffered 8192
    no logging console
    no logging monitor
    no aaa new-model
    clock timezone PCTime 1 0
    clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
    crypto ...
    ... <removed for sanity>
    crypto pki ...
    ip dhcp excluded-address 192.168.70.1 192.168.70.99
    ip dhcp excluded-address 192.168.70.180 192.168.70.254
    ip dhcp excluded-address 192.168.71.1 192.168.71.99
    ip dhcp excluded-address 192.168.71.180 192.168.71.254
    ip dhcp pool ccp-pool
     import all
     network 192.168.70.0 255.255.255.0
     dns-server 8.8.8.8 8.8.4.4
     default-router 192.168.70.1
     lease 0 12
    ip dhcp pool NVR
     import all
     network 192.168.71.0 255.255.255.0
     dns-server 8.8.8.8 8.8.4.4
     default-router 192.168.71.1
     lease 0 12
    ip domain name mydomain.com
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip inspect WAAS flush-timeout 10
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    vpdn enable
    vpdn-group 1
     ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
    chat-script gsm "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
    license udi pid C881G+7-K9 sn ***********
    username admin privilege 15 secret 5 ******************************
    controller Cellular 0
    track 1 ip sla 1 reachability
     delay down 1 up 30
    interface FastEthernet0
     description All VLANs Trunk
     switchport mode trunk
     no ip address
    interface FastEthernet1
     description VLAN 1 - LAN Main
     no ip address
    interface FastEthernet2
     description VLAN 20 - LAN NVR
     switchport access vlan 20
     no ip address
    interface FastEthernet3
     description Traffic Monitoring only
     no ip address
    interface FastEthernet4
     description WAN SP1$ETH-WAN$
     ip address 192.168.1.10 255.255.255.0
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface Virtual-Template1
     ip unnumbered FastEthernet4
     peer default ip address pool vpn_pptp_pool
     no keepalive
     ppp encrypt mppe auto
     ppp authentication ms-chap-v2
    interface Cellular0
     ip address negotiated
     ip nat outside
     ip virtual-reassembly in
     encapsulation slip
     dialer in-band
     dialer pool-member 1
     dialer-group 1
     async mode interactive
    interface Vlan1
     description LAN Main
     ip address 192.168.70.1 255.255.255.0
     ip flow ingress
     ip flow egress
     ip nat inside
     ip virtual-reassembly in
    interface Vlan20
     description LAN NVR
     ip address 192.168.71.1 255.255.255.0
     ip flow ingress
     ip flow egress
     ip nat inside
     ip virtual-reassembly in
    interface Dialer0
     ip address negotiated
     ip nat outside
     ip virtual-reassembly in
     encapsulation slip
     dialer pool 1
     dialer idle-timeout 0
     dialer string gsm
     dialer persistent
     dialer-group 1
    ip local policy route-map track-primary-if
    ip local pool vpn_pptp_pool 192.168.70.180 192.168.70.199
    ip forward-protocol nd
    no ip http server
    ip http access-class 1
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-top-talkers
     top 32
     sort-by bytes
     cache-timeout 600000
    ip nat inside source route-map ISP_1 interface FastEthernet4 overload
    ip nat inside source route-map ISP_2 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
    ip route 0.0.0.0 0.0.0.0 Dialer0 253
    ip route 194.dns.isp.1 255.255.255.255 192.168.1.1
    ip sla auto discovery
    ip sla 1
     icmp-echo 194.dns.isp.1 source-interface FastEthernet4
     frequency 10
    ip sla schedule 1 life forever start-time now
    logging trap debugging
    dialer-list 1 protocol ip permit
    route-map track-primary-if permit 1
     match ip address 100
     set interface FastEthernet4
    route-map Static_ISP_2 permit 10
     match interface Dialer0
    route-map Static_ISP_1 permit 10
     match interface FastEthernet4
    route-map ISP_2 permit 10
     match ip address 1
     match interface Dialer0
    route-map ISP_1 permit 10
     match ip address 1
     match interface FastEthernet4
    access-list 1 remark List for outside NATs
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.70.0 0.0.0.255
    access-list 1 permit 192.168.71.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=0
    access-list 100 permit icmp any host 194.dns.isp.1
    access-list 105 remark List for debugging local ICMP tests
    access-list 105 remark CCP_ACL Category=16
    access-list 105 permit icmp any any
    control-plane
    line con 0
     no modem enable
    line aux 0
    line 3
     script dialer gsm
     modem InOut
     no exec
     transport input all
     rxspeed 21600000
     txspeed 5760000
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     login local
     transport input telnet ssh
    line vty 5 15
     access-class 23 in
     privilege level 15
     login local
     transport input telnet ssh
    ntp update-calendar
    ntp server 195.time.srv.1
    end
    Do you have an idea what can be the reason of that behaviour?
    I really appreciate your suggestions,
    Maciex

    Hello Maciex,
    I am afraid that the debug ip packet detailed has led you to a wrong conclusion. Whatever the "forus FALSE" means, it does not indicate that the router refuses to consider the packet as addressed to itself. I've just concocted a very quick test - two routers connected back to back, one is 10.0.1.1/24, the other is 10.0.1.2/24. I am pinging 10.0.1.2 from 10.0.1.1 and this is what 10.0.1.2 shows me:
    *Aug 4 23:09:38.067: IP: s=10.0.1.1 (Ethernet2/1), d=10.0.1.2, len 100, input feature
    *Aug 4 23:09:38.071: ICMP type=8, code=0, MCI Check(94), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Aug 4 23:09:38.079: FIBipv4-packet-proc: route packet from Ethernet2/1 src 10.0.1.1 dst 10.0.1.2
    *Aug 4 23:09:38.083: FIBfwd-proc: Default:10.0.1.2/32 receive entry
    *Aug 4 23:09:38.083: FIBipv4-packet-proc: packet routing failed
    *Aug 4 23:09:38.087: IP: tableid=0, s=10.0.1.1 (Ethernet2/1), d=10.0.1.2 (Ethernet2/1), routed via RIB
    *Aug 4 23:09:38.091: IP: s=10.0.1.1 (Ethernet2/1), d=10.0.1.2 (Ethernet2/1), len 100, rcvd 3
    *Aug 4 23:09:38.095: ICMP type=8, code=0
    *Aug 4 23:09:38.099: IP: s=10.0.1.1 (Ethernet2/1), d=10.0.1.2, len 100, stop process pak for forus packet
    *Aug 4 23:09:38.103: ICMP type=8, code=0
    *Aug 4 23:09:38.107: FIBipv4-packet-proc: route packet from (local) src 10.0.1.2 dst 10.0.1.1
    *Aug 4 23:09:38.111: FIBfwd-proc: packet routed by adj to Ethernet2/1 10.0.1.1
    *Aug 4 23:09:38.111: FIBipv4-packet-proc: packet routing succeeded
    *Aug 4 23:09:38.115: IP: s=10.0.1.2 (local), d=10.0.1.1 (Ethernet2/1), len 100, sending
    *Aug 4 23:09:38.119: ICMP type=0, code=0
    *Aug 4 23:09:38.127: IP: s=10.0.1.2 (local), d=10.0.1.1 (Ethernet2/1), len 100, sending full packet
    *Aug 4 23:09:38.131: ICMP type=0, code=0
    Note that even here, the router said the same as yours - and yet it did respond successfully to the ping request.
    There is, I am afraid, a more mundane problem. PPTP is generally incompatible with PAT. PPTP uses two data streams: one is the control channel run over TCP port 1723, the other is the actual tunneled traffic - however, that traffic is essentially GRE-encapsulated, put directly into IP packets with no port information (there is no TCP/UDP involved). Without special support on the ISP 1 NAT box, PPTP sessions will not be able to pass through it. You will have to negotiate this with your ISP 1 - ask him to configure its NAT box with PPTP Application Layer Gateway support and allow IP protocol 47 (GRE).
    This would explain why the PPTP Client 2 can always connect to your router - it is because there is no NAT/PAT/FW between the client and the router. It would also explain why Client 1 is able to connect over ISP 2 - because on that path, there is no NAT/PAT/FW box apparently present and there is a direct connectivity to the public IP address of your router.
    Try talking to your ISP 1 about this.
    Best regards,
    Peter
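An added example, not part of the original thread: the two PPTP streams described in the answer above, parsed from constructed packets to show which fields a port-multiplexing translator can key a session on. The Call ID field and the 0x880B payload type come from PPTP's GRE variant (RFC 2637), not from the page; the source address, the `pat_can_track` model and all function names are assumptions made for illustration.

```python
import socket
import struct

TCP, UDP, GRE = 6, 17, 47
PPTP_CONTROL_PORT = 1723      # control channel named in the answer above
PPTP_GRE_PROTOCOL = 0x880B    # payload type in PPTP's enhanced GRE header


def ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet (checksum left at 0; not validated here)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


# Constructed sample packets: a TCP SYN to port 1723 and one PPTP data packet.
CONTROL_SYN = ipv4(TCP, "198.51.100.80", "192.168.1.10",
                   struct.pack("!HHIIBBHHH", 4241, PPTP_CONTROL_PORT,
                               1, 0, 0x50, 0x02, 8192, 0, 0))
TUNNEL_DATA = ipv4(GRE, "198.51.100.80", "192.168.1.10",
                   # flags K+S, version 1, type, payload length, Call ID, sequence
                   struct.pack("!BBHHHI", 0x30, 0x01, PPTP_GRE_PROTOCOL,
                               4, 0x1234, 1) + b"\xff\x03\xc0\x21")


def translation_key(packet):
    """Return the fields available to a translator for one IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    l4 = packet[ihl:]
    info = {"proto": proto, "ports": None, "pptp": None, "call_id": None}
    if proto in (TCP, UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        info["ports"] = (sport, dport)
        if proto == TCP and PPTP_CONTROL_PORT in (sport, dport):
            info["pptp"] = "control"
    elif proto == GRE and len(l4) >= 8:
        flags_ver, ptype, _plen, call_id = struct.unpack("!HHHH", l4[:8])
        # Version 1 with the PPP payload type marks PPTP's GRE variant.
        if flags_ver & 0x0007 == 1 and ptype == PPTP_GRE_PROTOCOL:
            info["pptp"] = "data"
            info["call_id"] = call_id
    return info


def pat_can_track(info, pptp_alg=False):
    """Simplified model (assumption): a translator that multiplexes sessions
    on TCP/UDP ports only, optionally with a PPTP ALG that keys on Call ID."""
    if info["ports"] is not None:
        return True
    return pptp_alg and info["call_id"] is not None


if __name__ == "__main__":
    for name, pkt in (("control", CONTROL_SYN), ("data", TUNNEL_DATA)):
        view = translation_key(pkt)
        print(name, view, "port-only PAT:", pat_can_track(view),
              "with ALG:", pat_can_track(view, pptp_alg=True))
```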

  • (High Ip input) on My router , I need to troubleshoot why CPU is high !!!!

    (High Ip input) on My router  , I need to troubleshoot why CPU is high !!!!
    =================
    I have a Cisco router 7200 NPEG2 processor, working as LNS for PPPOVPDN circuits (router for ADSL clients).
    I have "high IP input on my processor" and there is a lot of difference on my router between operations done by CEF and operations done by the router CPU.
    As an example, let's run show cpu process sorted:
    CPU utilization for five seconds: 67%/54%; one minute: 67%; five minutes: 68%
     PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process 
      87    10837056    46891299        231  6.31%  6.04%  6.32%   0 IP Input         
     122     4081972    38214106        106  2.47%  2.36%  2.46%   0 L2X Data Daemon  
     270      467844     2089101        223  0.79%  0.78%  0.79%   0 PPP Events       
     275     1862224     2102444        885  0.71%  0.73%  0.71%   0 SNMP ENGINE      
     112      627104       93588       6700  0.39%  0.36%  0.37%   0 CEF: IPv4 proces 
     273      854004     4207368        202  0.31%  0.26%  0.24%   0 IP SNMP          
      52      453256       12321      36787  0.31%  0.31%  0.31%   0 Compute load avg 
     258      295540      701580        421  0.23%  0.17%  0.15%   0 RADIUS           
     142       45792    14107303          3  0.23%  0.21%  0.21%   0 HQF Shaper Backg 
      78       86532      166975        518  0.23%  0.17%  0.13%   0 ACCT Periodic Pr 
     260      483164      248673       1942  0.23%  0.19%  0.24%   0 L2TP mgmt daemon 
     272       63980     1073491         59  0.15%  0.16%  0.15%   0 IPHC Admin       
      77      111560      184597        604  0.15%  0.08%  0.06%   0 AAA ACCT Proc    
     261      330572      217566       1519  0.15%  0.12%  0.15%   0 L2TUN Applicatio 
     274      450584     2102164        214  0.15%  0.15%  0.15%   0 PDU DISPATCHER   
      16      152352     1081873        140  0.07%  0.08%  0.19%   0 EnvMon           
     279      229040       27298       8390  0.07%  0.10%  0.11%   0 VTEMPLATE Backgr 
      40       23704       53593        442  0.07%  0.03%  0.02%   0 Net Background   
      95        4512       55604         81  0.07%  0.00%  0.00%   0 PPP Hooks        
     109        6844       62029        110  0.07%  0.00%  0.00%   0 IP Background    
     269       21384     1931910         11  0.07%  0.06%  0.07%   0 PPP manager      
     271         116       60672          1  0.07%  0.00%  0.00%   0 Multilink PPP    
      23       98400         321     306542  0.00%  0.07%  0.03%   0 AAA high-capacit 
    =====================
    As we see above, we have high "IP Input", about a difference in CPU = 67-54 = 13%, which is a high value for process in software.
    I followed the article here:
    http://www.cisco.com/c/en/us/support/docs/routers/7500-series-routers/41160-highcpu-ip-input.html
    I checked and found that my router is fine:
    no ARP calls.
    no routing loops.
    no flapping links.
    I checked that my router has CEF enabled and no enormous routing protocol updates.
    I found that I have a big difference between hardware and software process on the router, which is 13%,
    but when the traffic is more and more, the CPU reaches 93% and begins to have drops.
    I just want to ask: how can I debug the operations that are done on the CPU processor of the router?
    I mean that if I know that traffic, I can estimate and know the problem that is increasing my CPU!
    Another question:
    How to debug the packets that have a TTL exceeded 50 or TTL exceeded 100?
    I don't want to run debug ip packet, because I have huge traffic and it will make my router hang due to the large debug!
    ===============
    Right now I will post my router config and some verification:
    drvirus#sh running-config 
    Building configuration...
    Current configuration : 12291 bytes
    upgrade fpd auto
    version 12.4
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    no service dhcp
    hostname drvirus
    boot-start-marker
    boot system flash disk2:c7200p-adventerprisek9-mz.124-24.T7.bin
    boot system flash disk2:c7200p-adventerprisek9-mz.124-24.T8.bin
    boot-end-marker
    logging message-counter syslog
    aaa new-model
    aaa group server radius radiusservers
     server-private 10..f.f.f auth-port 1812 acct-port 1813 key 7 weifuhjkefkjdbhfjkasbfjka
    aaa authentication login adminstaff local
    aaa authentication login sdm_vpn_xauth_ml_1 group radius
    aaa authentication login ahmad local
    aaa authentication ppp vpdn group radiusservers local
    aaa authentication ppp drvirus local
    aaa authentication ppp vpdn1 local group radiusservers
    aaa authentication ppp ddd none
    aaa authentication ppp dddd none
    aaa authentication ppp anyok none
    aaa authorization network default group radius local 
    aaa authorization network vpdn group radiusservers local 
    aaa authorization network sdm_vpn_group_ml_1 local 
    aaa authorization network drvirus local 
    aaa authorization network vpdn1 local group radiusservers 
    aaa authorization network ddd none 
    aaa authorization network anyok none 
    aaa accounting delay-start 
    aaa accounting update newinfo periodic 10
    aaa accounting network vpdn
     action-type start-stop
     broadcast
     group radiusservers
    aaa server radius dynamic-author
     client xxxxxxxx
     client 10.xxxxxx
     client 10.xxxxxxxxx
     server-key 7 dihcbsdjkbvcsdhmbvhsdbvsdhmbvsd
     auth-type any
    aaa session-id common
    clock timezone GMT+3 3
    no ip subnet-zero
    no ip source-route
    no ip gratuitous-arps
    ip cef
    no ip bootp server
    ip domain name drvirus
    ip name-server x.x.x.x.x
    ip name-server 8.8.8.8
    login block-for 180 attempts 3 within 60
    login quiet-mode access-class telnet
    login on-failure log
    login on-success log
    no ipv6 cef
    ipv6 dhcp pool vvv
     prefix-delegation pool version6
     address prefix 3333::/64
     dns-server 4444::1
    multilink bundle-name authenticated
    vpdn enable
    vpdn logging
    vpdn logging local
    vpdn history failure table-size 50
    vpdn-group eeeeeeeeeeee
     accept-dialin
      protocol l2tp
      virtual-template 1
     terminate-from hostname qqqqqq
     local name rrrrrrr
     lcp renegotiation on-mismatch
     l2tp tunnel password 7ekfhjjeklfnlenfl
     l2tp tunnel timeout no-session 60
     ip mtu adjust
    username drvirus@!34`!512&$8#$232!^@^FGsdGD privilege 0 password 7 000sdkjhvsdkjvnah94313085g2355091407458E32425D
    interface Loopback1
     ip address ttttttt 255.255.255.255
    interface GigabitEthernet0/1
     description ttttttt
     ip address 10.60.60.2 255.255.255.0 secondary
     ip address 10.200.200.200 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     load-interval 30
     duplex auto
     speed auto
     media-type rj45
     negotiation auto
    interface GigabitEthernet0/1.4
     encapsulation dot1Q 4
     ip address ttttttttt 255.255.255.224
    interface GigabitEthernet0/1.14
     encapsulation dot1Q 14
     ip address 192.168.50.3 255.255.255.0
    interface FastEthernet0/2
     no ip address
     shutdown
     duplex auto
     speed auto
    interface GigabitEthernet0/2
     ip address 10.160.150.2 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
     negotiation auto
    interface GigabitEthernet0/3
     description rrrrrrr
     ip address xxxxxxx 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     load-interval 30
     duplex full
     speed 1000
     media-type sfp
     negotiation auto
    interface Virtual-Template1
     ip unnumbered Loopback1
     ip tcp adjust-mss 1412
     no logging event link-status
     peer default ip address pool xxxxx xxxxxx
     ppp mtu adaptive
     ppp authentication pap vpdn1
     ppp authorization vpdn1
     ppp accounting vpdn
    router eigrp 2
     redistribute connected metric 1 2 1 2 1
     passive-interface default
     no passive-interface GigabitEthernet0/1
     network 10.200.200.200 0.0.0.0
     no auto-summary
     eigrp router-id 2.2.2.2
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.200.200.2
    ip route dddddddddd 255.255.255.0 fffffff
    ip route ddddddddd 255.255.255.0 ffffff
    no ip http server
    no ip http secure-server
    ip radius source-interface GigabitEthernet0/2 
    radius-server attribute nas-port format d
    radius-server configure-nas
    radius-server host ddddddddddd auth-port 1812 acct-port 1813 key 7 dddddddddd
    radius-server retransmit 0
    radius-server key 7 dddddddddddddddddd
    radius-server vsa send cisco-nas-port
    radius-server vsa send accounting
    radius-server vsa send authentication
    control-plane
    drvirus#sh ip traffic
    IP statistics:
      Rcvd:  92454889 total, 5908020 local destination
             0 format errors, 94 checksum errors, 3789577 bad hop count
             0 unknown protocol, 23360 not a gateway
             0 security failures, 0 bad options, 3730347 with options
      Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
             0 timestamp, 0 extended security, 0 record route
             0 stream ID, 0 strict source route, 3730347 alert, 0 cipso, 0 ump
             0 other
      Frags: 1409002 reassembled, 485 timeouts, 0 couldn't reassemble
             4542214 fragmented, 9089659 fragments, 2659413 couldn't fragment
      Bcast: 6024 received, 0 sent
      Mcast: 56503 received, 31033 sent
      Sent:  15839581 generated, 2407203241 forwarded
      Drop:  23 encapsulation failed, 0 unresolved, 0 no adjacency
             0 no route, 0 unicast RPF, 0 forced drop
             0 options denied
      Drop:  0 packets with source IP address zero
      Drop:  0 packets with internal loop back IP address
             0 physical broadcast
    ICMP statistics:
      Rcvd: 0 format errors, 0 checksum errors, 0 redirects, 4 unreachable
            140579 echo, 33742 echo reply, 0 mask requests, 0 mask replies, 0 quench
            0 parameter, 0 timestamp, 0 timestamp replies, 0 info request, 0 other
            0 irdp solicitations, 0 irdp advertisements
            0 time exceeded, 0 info replies
      Sent: 0 redirects, 3530 unreachable, 33744 echo, 140579 echo reply
            0 mask requests, 0 mask replies, 0 quench, 0 timestamp, 0 timestamp replies
            0 info reply, 46795 time exceeded, 0 parameter problem
            0 irdp solicitations, 0 irdp advertisements
    TCP statistics:
      Rcvd: 19285 total, 0 checksum errors, 7 no port
      Sent: 39402 total
    BGP statistics:
      Rcvd: 0 total, 0 opens, 0 notifications, 0 updates
            0 keepalives, 0 route-refresh, 0 unrecognized
      Sent: 0 total, 0 opens, 0 notifications, 0 updates
            0 keepalives, 0 route-refresh
    IP-EIGRP statistics:
      Rcvd: 39154 total
      Sent: 39275 total
    PIMv2 statistics: Sent/Received
      Total: 0/0, 0 checksum errors, 0 format errors
      Registers: 0/0 (0 non-rp, 0 non-sm-group), Register Stops: 0/0,  Hellos: 0/0
      Join/Prunes: 0/0, Asserts: 0/0, grafts: 0/0
      Bootstraps: 0/0, Candidate_RP_Advertisements: 0/0
      Queue drops: 0
      State-Refresh: 0/0
    IGMP statistics: Sent/Received
      Total: 0/0, Format errors: 0/0, Checksum errors: 0/0
      Host Queries: 0/0, Host Reports: 0/0, Host Leaves: 0/0 
      DVMRP: 0/0, PIM: 0/0
      Queue drops: 0
    UDP statistics:
      Rcvd: 5632168 total, 0 checksum errors, 9605 no port
      Sent: 15536481 total, 0 forwarded broadcasts
    OSPF statistics:
      Rcvd: 0 total, 0 checksum errors
            0 hello, 0 database desc, 0 link state req
            0 link state updates, 0 link state acks
      Sent: 0 total
            0 hello, 0 database desc, 0 link state req
            0 link state updates, 0 link state acks
    ARP statistics:
      Rcvd: 36012 requests, 25 replies, 0 reverse, 0 other
      Sent: 3590 requests, 1883 replies (41 proxy), 0 reverse
      Drop due to input queue full: 0
    drvirus#sh interfaces switching 
    GigabitEthernet0/1 ffff
              Throttle count          0
                       Drops         RP      29334         SP          0
                 SPD Flushes       Fast     183378        SSE          0
                 SPD Aggress       Fast          0
                SPD Priority     Inputs     196591      Drops          0
        Protocol  IP                  
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process   50222652 1410586379   38933488 2377282438
                Cache misses          0          -          -          -
                        Fast 2501299905  502401799 1732463443 1178236678
                   Auton/SSE          0          0          0          0
        Protocol  DEC MOP             
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process          0          0        104       8008
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        Protocol  ARP                 
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process      36178    2170680       3643     233084
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        Protocol  CDP                 
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process       1039     385469       2067     772027
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        Protocol  Other               
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process       2266     138297       6179     370740
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        NOTE: all counts are cumulative and reset only after a reload.
    Interface FastEthernet0/2 is disabled
    GigabitEthernet0/2 
              Throttle count          0
                       Drops         RP          0         SP          0
                 SPD Flushes       Fast        785        SSE          0
                 SPD Aggress       Fast          0
                SPD Priority     Inputs       1900      Drops          0
        Protocol  IP                  
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process     382927   34296776     382540  106683985
                Cache misses          0          -          -          -
                        Fast        198      31569          0          0
                   Auton/SSE          0          0          0          0
        Protocol  DEC MOP             
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process          0          0        104       8008
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        Protocol  ARP                 
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process       1900     114000       1813     108780
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        Protocol  CDP                 
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process       1030     378010       1031     378377
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        Protocol  Other               
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process          0          0       6180     370800
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        NOTE: all counts are cumulative and reset only after a reload.
    GigabitEthernet0/3 drvirus
              Throttle count          0
                       Drops         RP         15         SP          0
                 SPD Flushes       Fast      22435        SSE          0
                 SPD Aggress       Fast          0
                SPD Priority     Inputs     194236      Drops          0
        Protocol  IP                  
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process   40507058 2970006619   56462488 1872816742
                Cache misses          0          -          -          -
                        Fast 1758170357  386468928 2449949282 3706868609
                   Auton/SSE          0          0          0          0
        Protocol  DEC MOP             
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process          0          0        105       8085
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        Protocol  ARP                 
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process          5        300          7        420
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        Protocol  CDP                 
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process          0          0       1034     379478
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        Protocol  Other               
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                     Process          0          0       6180     370800
                Cache misses          0          -          -          -
                        Fast          0          0          0          0
                   Auton/SSE          0          0          0          0
        NOTE: all counts are cumulative and reset only after a reload.
    drvirus#sh ip route summary 
    IP routing table name is Default-IP-Routing-Table(0)
    IP routing table maximum-paths is 32
    Route Source    Networks    Subnets     Overhead    Memory (bytes)
    connected       1           1644        105280      250040
    static          3           0           192         456
    eigrp 2         0           0           0           0
    internal        5                                   5860
    Total           9           1644        105472      256356
    Removing Queue Size 0
    drvirus#sh ip route summary 
    IP routing table name is Default-IP-Routing-Table(0)
    IP routing table maximum-paths is 32
    Route Source    Networks    Subnets     Overhead    Memory (bytes)
    connected       1           1645        105344      250192
    static          3           0           192         456
    eigrp 2         0           0           0           0
    internal        5                                   5860
    Total           9           1645        105536      256508
    Removing Queue Size 0
    drvirus#sh ip route summary 
    IP routing table name is Default-IP-Routing-Table(0)
    IP routing table maximum-paths is 32
    Route Source    Networks    Subnets     Overhead    Memory (bytes)
    connected       1           1645        105344      250192
    static          3           0           192         456
    eigrp 2         0           0           0           0
    internal        5                                   5860
    Total           9           1645        105536      256508
    Removing Queue Size 0
    drvirus#sh ip route summary 
    IP routing table name is Default-IP-Routing-Table(0)
    IP routing table maximum-paths is 32
    Route Source    Networks    Subnets     Overhead    Memory (bytes)
    connected       1           1645        105344      250192
    static          3           0           192         456
    eigrp 2         0           0           0           0
    internal        5                                   5860
    Total           9           1645        105536      256508
    Removing Queue Size 0
    drvirus#
    Any help ??????!!!!!

    Can someone determine if:
     122     9166144   120227216         76  3.30%  2.81%  2.42%   0 L2X Data Daemon
    has a relation to my high CPU?
    Here again is my CPU process output:
    drvirus#sh processes cpu sorted 
    CPU utilization for five seconds: 69%/51%; one minute: 62%; five minutes: 59%
     PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process 
      87    22165548   147317354        150  7.60%  6.54%  5.74%   0 IP Input         
      16      682988     2637213        258  3.61%  0.70%  0.37%   0 EnvMon           
     122     9166144   120227216         76  3.30%  2.81%  2.42%   0 L2X Data Daemon  
     270      484700     4987094         97  0.76%  0.84%  0.86%   0 PPP Events       
     260      746640      483367       1544  0.30%  0.51%  0.51%   0 L2TP mgmt daemon 
     112     1082540      228491       4737  0.30%  0.31%  0.31%   0 CEF: IPv4 proces 
     190         596         755        789  0.30%  0.02%  0.00%   2 SSH Process      
     279      461184       78909       5844  0.30%  0.39%  0.45%   0 VTEMPLATE Backgr 
      52      954592       29823      32008  0.30%  0.31%  0.31%   0 Compute load avg 
     272       53744     2782461         19  0.23%  0.17%  0.16%   0 IPHC Admin       
     261      513524      428266       1199  0.23%  0.38%  0.37%   0 L2TUN Applicatio 
     142       31888    35627222          0  0.23%  0.19%  0.20%   0 HQF Shaper Backg 
     258      570384     1602872        355  0.15%  0.18%  0.17%   0 RADIUS           
      78       43280      392561        110  0.15%  0.10%  0.08%   0 ACCT Periodic Pr 
     281       52340      385568        135  0.07%  0.08%  0.09%   0 IP-EIGRP: PDM    
      40       37300      138153        269  0.07%  0.09%  0.10%   0 Net Background   
      77      145860      443602        328  0.07%  0.06%  0.07%   0 AAA ACCT Proc    
     110       31060       53876        576  0.07%  0.03%  0.02%   0 IP RIB Update    
      45       11868       52400        226  0.07%  0.01%  0.00%   0 IF-MGR control p 
     115       20164      103667        194  0.07%  0.02%  0.00%   0 PPP IPCP         
     102      181600      489310        371  0.07%  0.14%  0.15%   0 SSM connection m 
     143        3148     1461382          2  0.07%  0.01%  0.00%   0 RBSCP Background 
      80       19488       22128        880  0.07%  0.02%  0.00%   0 CDP Protocol     
      23      189412       10771      17585  0.00%  0.15%  0.04%   0 AAA high-capacit 
      22           0           1          0  0.00%  0.00%  0.00%   0 CEF MIB API      
      21           0           2          0  0.00%  0.00%  0.00%   0 ATM Idle Timer   
      20         376      153594          2  0.00%  0.00%  0.00%   0 ARP Background   
      24           0           2          0  0.00%  0.00%  0.00%   0 AAA_SERVER_DEADT 
      25           0           1          0  0.00%  0.00%  0.00%   0 Policy Manager   
      26        1376       26590         51  0.00%  0.00%  0.00%   0 DDR Timers       
      31           4          30        133  0.00%  0.00%  0.00%   0 EEM ED Syslog    
      27           0           5          0  0.00%  0.00%  0.00%   0 Entity MIB API   
      33         324      147392          2  0.00%  0.00%  0.00%   0 GraphIt          
      34           0           2          0  0.00%  0.00%  0.00%   0 Dialer event     
      28           0           2          0  0.00%  0.00%  0.00%   0 Serial Backgroun 
      36           0           2          0  0.00%  0.00%  0.00%   0 XML Proxy Client 

  • Load balancing weirdness using NAT and same-metric route

    Hi.
    I'm trying to set up a double-WAN load-balancing scenario:
    I decided to attempt the "multiple same-metric routes with NAT" approach so I went for the example used in the IOS NAT Load-Balancing for Two ISP Connections Configuration Guide [1].
    I decided to use an upside-down Cisco 871-SEC/K9: use Vlan1 and Vlan2 for the routers and Fa4 for the LAN. I am hoping this is not an issue.
    There is this weirdness with some connections, particularly FTP. I pinpointed the problem to the following scenario: if I do a couple of pings to 100.1.1.1 using the FastEthernet4 as the source address, this is what I get in the logs:
    === PING 1 ECHO REQUEST ===
    *Mar 3 04:38:43.521: IP: tableid=0, s=192.168.60.4 (FastEthernet4), d=100.1.1.1 (Vlan1), routed via RIB
    *Mar 3 04:38:43.521: NAT: s=192.168.60.4->10.129.124.2, d=100.1.1.1 [14152]
    *Mar 3 04:38:43.521: IP: s=10.129.124.2 (FastEthernet4), d=100.1.1.1 (Vlan1), g=10.129.124.1, len 60, forward
    *Mar 3 04:38:43.521: ICMP type=8, code=0
    === PING 1 ECHO REPLY ===
    *Mar 3 04:38:45.589: NAT*: s=100.1.1.1, d=10.129.124.2->192.168.60.4 [19824]
    *Mar 3 04:38:45.589: IP: tableid=0, s=100.1.1.1 (Vlan1), d=192.168.60.4 (FastEthernet4), routed via RIB
    *Mar 3 04:38:45.589: IP: s=100.1.1.1 (Vlan1), d=192.168.60.4 (FastEthernet4), g=192.168.60.4, len 60, forward
    *Mar 3 04:38:45.589: ICMP type=0, code=0
    === (something else) ===
    *Mar 3 04:38:52.353: RT: SET_LAST_RDB for 0.0.0.0/0
    OLD rdb: via 10.129.124.33, Vlan2
    NEW rdb: via 10.129.124.1, Vlan1
    === PING 2 ECHO REQUEST ===
    *Mar 3 04:38:52.353: IP: tableid=0, s=192.168.60.4 (FastEthernet4), d=100.1.1.1 (Vlan2), routed via RIB
    *Mar 3 04:38:52.353: NAT: s=192.168.60.4->10.129.124.2, d=100.1.1.1 [14159]
    *Mar 3 04:38:52.353: IP: s=10.129.124.2 (FastEthernet4), d=100.1.1.1 (Vlan2), g=10.129.124.33, len 60, forward
    *Mar 3 04:38:52.353: ICMP type=8, code=0
    === PING 2 ECHO REPLY ===
    *Mar 3 04:38:53.029: NAT*: s=100.1.1.1, d=10.129.124.2->192.168.60.4 [19825]
    *Mar 3 04:38:53.029: IP: tableid=0, s=100.1.1.1 (Vlan1), d=192.168.60.4 (FastEthernet4), routed via RIB
    *Mar 3 04:38:53.033: IP: s=100.1.1.1 (Vlan1), d=192.168.60.4 (FastEthernet4), g=192.168.60.4, len 60, forward
    *Mar 3 04:38:53.033: ICMP type=0, code=0
    In the section "Ping 2 Echo Request" line 2 shows the NAT translating the packet to the address for the first provider but line 3 shows it routing it through the second one.
    In this case, the ICMP packet goes through but it is problematic if the ISP restricts the service by source-address (like RPF) or there is some acceleration mechanism inside the provider cloud, other than just plain routing.
    What am I missing? Here is the relevant part of the configuration. I deliberately disabled CEF to be able to debug the messages, but I *think* this may be altering the actual router behavior. This router does not have a "debug ip cef packet" command.
    no ip cef
    ip dhcp pool lan-side
    import all
    network 192.168.60.0 255.255.255.0
    default-router 192.168.60.1
    domain-name doublewan.local
    dns-server 8.8.8.8 8.8.4.4
    lease infinite
    ip domain name doublewan
    interface FastEthernet0
    !doesn't appear on running-config: vlan 1 is the default access vlan
    !switchport access vlan 1
    interface FastEthernet1
    switchport access vlan 2
    interface FastEthernet2
    shutdown
    interface FastEthernet3
    shutdown
    interface FastEthernet4
    ip address 192.168.60.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    no ip route-cache
    duplex auto
    speed auto
    interface Vlan1
    ip address 10.129.124.2 255.255.255.224
    ip nat outside
    ip virtual-reassembly
    no ip route-cache
    interface Vlan2
    ip address 10.129.124.35 255.255.255.224
    ip nat outside
    ip virtual-reassembly
    no ip route-cache
    ip route 0.0.0.0 0.0.0.0 Vlan1 10.129.124.1
    ip route 0.0.0.0 0.0.0.0 Vlan2 10.129.124.33
    ip nat inside source route-map nat1 interface Vlan1 overload
    ip nat inside source route-map nat2 interface Vlan2 overload
    ip access-list standard acl4-nexthop-vlan1
    permit 10.129.124.1
    ip access-list standard acl4-nexthop-vlan2
    permit 10.129.124.33
    route-map nat2 permit 10
    match ip address 102
    match ip next-hop acl4-nexthop-vlan2
    match interface Vlan2
    route-map nat1 permit 10
    match ip address 101
    match ip next-hop acl4-nexthop-vlan1
    match interface Vlan1
    control-plane
    Of course, there is some configuration pending for redundancy and stuff.
    Thanks a lot in advance.
    [1] http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/100658-ios-nat-load-balancing-2isp.html

    Hello.
    This might be a bug in debug command or the IOS (without ip cef) you use; as routing is done before NAT (inside to outside).
    To make sure it works fine with ip cef, just enable strict uRPF (or just ACL) on .1 and .33 interfaces and see if you see any packet sent over wrong interface.
    PS: please check "sh ip cef 100.1.1.1"; I guess ip cef would tell you "per-destination sharing".
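
A defender-side check for the mismatch discussed in this thread, as an added example that is not part of the original posts: it reads the interface addresses and debug lines quoted in the question and flags forwarded packets whose translated source address does not belong to the egress interface's subnet, which is what strict uRPF or a provider's source-address filter would drop. The function names are illustrative, and the regular expressions assume the debug format shown in the post.

```python
import ipaddress
import re

# Interface addressing copied from the configuration quoted in the post.
CONFIG = """\
interface FastEthernet4
ip address 192.168.60.1 255.255.255.0
ip nat inside
interface Vlan1
ip address 10.129.124.2 255.255.255.224
ip nat outside
interface Vlan2
ip address 10.129.124.35 255.255.255.224
ip nat outside
"""

# "debug ip packet" / "debug ip nat" lines copied from the post.
DEBUG_LOG = """\
*Mar 3 04:38:43.521: IP: tableid=0, s=192.168.60.4 (FastEthernet4), d=100.1.1.1 (Vlan1), routed via RIB
*Mar 3 04:38:43.521: NAT: s=192.168.60.4->10.129.124.2, d=100.1.1.1 [14152]
*Mar 3 04:38:43.521: IP: s=10.129.124.2 (FastEthernet4), d=100.1.1.1 (Vlan1), g=10.129.124.1, len 60, forward
*Mar 3 04:38:45.589: NAT*: s=100.1.1.1, d=10.129.124.2->192.168.60.4 [19824]
*Mar 3 04:38:45.589: IP: s=100.1.1.1 (Vlan1), d=192.168.60.4 (FastEthernet4), g=192.168.60.4, len 60, forward
*Mar 3 04:38:52.353: IP: tableid=0, s=192.168.60.4 (FastEthernet4), d=100.1.1.1 (Vlan2), routed via RIB
*Mar 3 04:38:52.353: NAT: s=192.168.60.4->10.129.124.2, d=100.1.1.1 [14159]
*Mar 3 04:38:52.353: IP: s=10.129.124.2 (FastEthernet4), d=100.1.1.1 (Vlan2), g=10.129.124.33, len 60, forward
*Mar 3 04:38:53.029: NAT*: s=100.1.1.1, d=10.129.124.2->192.168.60.4 [19825]
*Mar 3 04:38:53.033: IP: s=100.1.1.1 (Vlan1), d=192.168.60.4 (FastEthernet4), g=192.168.60.4, len 60, forward
"""

TS = r"\*(?P<ts>\w+\s+\d+\s+\d\d:\d\d:\d\d\.\d+): "
# Inside-to-outside translation: the source address is rewritten (local->global).
NAT_OUT_RE = re.compile(
    TS + r"NAT\*?: s=(?P<local>[\d.]+)->(?P<glob>[\d.]+), d=[\d.]+ \[\d+\]$")
# Forwarding decision: source, ingress, destination, egress and next hop.
FORWARD_RE = re.compile(
    TS + r"IP: s=(?P<src>[\d.]+) \((?P<in_if>[^)]+)\), d=(?P<dst>[\d.]+) "
         r"\((?P<out_if>[^)]+)\), g=(?P<gw>[\d.]+), len \d+, forward$")


def parse_outside_interfaces(config):
    """Return {name: IPv4Interface} for interfaces marked 'ip nat outside'."""
    addresses, outside, current = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif current and line.startswith("ip address "):
            parts = line.split()
            if len(parts) == 4:  # skip 'dhcp', 'secondary' and similar forms
                addresses[current] = ipaddress.IPv4Interface(
                    f"{parts[2]}/{parts[3]}")
        elif current and line == "ip nat outside":
            outside.add(current)
    return {name: addresses[name] for name in outside if name in addresses}


def find_mismatches(log, outside):
    """List forwarded packets whose source is outside the egress subnet."""
    findings, last_nat = [], {}  # last_nat: translated address -> inside host
    for raw in log.splitlines():
        line = raw.strip()
        nat = NAT_OUT_RE.match(line)
        if nat:
            last_nat[nat["glob"]] = nat["local"]
            continue
        fwd = FORWARD_RE.match(line)
        if not fwd or fwd["out_if"] not in outside:
            continue  # only packets leaving through a NAT outside interface
        src = ipaddress.IPv4Address(fwd["src"])
        if src in outside[fwd["out_if"]].network:
            continue  # source address matches the egress link
        owner = next((n for n, i in outside.items() if i.ip == src), None)
        findings.append({
            "time": fwd["ts"],
            "inside_local": last_nat.get(fwd["src"]),
            "source": fwd["src"],
            "egress": fwd["out_if"],
            "gateway": fwd["gw"],
            "source_owner": owner,
        })
    return findings


if __name__ == "__main__":
    for f in find_mismatches(DEBUG_LOG, parse_outside_interfaces(CONFIG)):
        print(f"{f['time']}: {f['inside_local']} sent as {f['source']} "
              f"(address of {f['source_owner']}) via {f['egress']} "
              f"to {f['gateway']}")
```

On the quoted capture only the second echo request is reported; the same check can be run on captures taken with CEF enabled to confirm whether the mismatch is limited to process switching.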

  • UNABLE TO INJECT A STATIC DEFAULT ROUTE FROM PE????

    Description:
    I am unable to get a static default route via MPBGP session for a vrf, any other route redistributed the same way is getting through.
    Just the static default route isn't ????
    1>
    SOURCE PE WHERE IS THE ROUTE REDISTRIBUTED:
    pe1#
    router bgp 4755
    bgp router-id 10.10.10.103
    no bgp default ipv4-unicast
    bgp log-neighbor-changes
    neighbor 10.10.10.100 remote-as 4755
    neighbor 10.10.10.100 update-source Loopback0
    address-family vpnv4
    neighbor 10.10.10.100 activate
    neighbor 10.10.10.100 send-community extended
    exit-address-family
    address-family ipv4 vrf B
    redistribute static <<<<<<<<<<<<<< STATIC REDIS
    no auto-summary
    no synchronization
    exit-address-family
    address-family ipv4 vrf A
    redistribute static <<<<<<<<<<<<<< STATIC REDIS
    no auto-summary
    no synchronization
    exit-address-family
    ip classless
    ip route vrf A 0.0.0.0 0.0.0.0 Serial1/0 192.168.1.2 global <<<< STATIC ROUTE POINTING THE GLOBAL CONTEXT INTERFACE
    ip route vrf B 0.0.0.0 0.0.0.0 Serial1/0 192.168.1.2 global <<<< STATIC ROUTE POINTING THE GLOBAL CONTEXT INTERFACE
    DESTINATION PE HERE I CANNOT SEE THE STATIC DEFAULT ROUTE:
    pe3(config-router-af)#do sh ip bgp vpnv4 all
    BGP table version is 11, local router ID is 10.10.10.103
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
    r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
    Network Next Hop Metric LocPrf Weight Path
    Route Distinguisher: 4755:1 (default for vrf A)
    *>i172.16.1.0/30 10.10.10.101 0 100 0 ?
    *>i172.16.2.0/30 10.10.10.102 0 100 0 ?
    *>i172.16.10.0/24 10.10.10.101 2297856 100 0 ?
    *>i172.16.20.0/24 10.10.10.102 2297856 100 0 ?
    *>i172.16.200.0/24 10.10.10.102 2170112 100 0 ?
    Route Distinguisher: 4755:2 (default for vrf B)
    *>i172.16.1.0/30 10.10.10.101 0 100 0 ?
    *>i172.16.2.0/30 10.10.10.102 0 100 0 ?
    *>i172.16.10.0/24 10.10.10.101 2297856 100 0 ?
    *>i172.16.20.0/24 10.10.10.102 2297856 100 0 ?
    *>i172.16.200.0/24 10.10.10.102 2170112 100 0 ?
    THE STATIC ROUTE IS REDISTRIBUTED TO LOCAL VRF CONTEXT AS WELL, AS WE CAN SEE:
    pe3(config-router-af)#do sh ip route vrf A
    Routing Table: A
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2
    i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
    ia - IS-IS inter area, * - candidate default, U - per-user static route
    o - ODR, P - periodic downloaded static route
    Gateway of last resort is 192.168.1.2 to network 0.0.0.0
    172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
    B 172.16.200.0/24 [200/2170112] via 10.10.10.102, 00:00:23
    B 172.16.20.0/24 [200/2297856] via 10.10.10.102, 00:00:23
    B 172.16.10.0/24 [200/2297856] via 10.10.10.101, 00:00:23
    B 172.16.1.0/30 [200/0] via 10.10.10.101, 00:00:23
    B 172.16.2.0/30 [200/0] via 10.10.10.102, 00:00:23
    S* 0.0.0.0/0 [1/0] via 192.168.1.2, Serial1/0
    Hope I am clear in explaining the issue...
    Thanks,
    Dara

    Hehehe :)
    "Unfortunately" that's true !!!!
    This could have been the last thing that I try.
    Getting the techs work, protocols work is fine.
    But if I get to make myself understand the logic behind adding this command as well then ... :(
    Thanks a lot,

  • How do you redistribute EIGRP into OSPF and maintain a distance of 250 for a static route?

    Ok, I have scoured the forums long enough and have to post. The design is below. I moved a firewall to our new data center, which required adding some static routes for VPN connections and broadband backups. To minimize the amount of static routes I redistribute static into EIGRP with a route-map and prefix-list.
    My problem is the next part of my network. When the data leaves my 56128's it hits an edge device connecting to our dark fiber. On this edge device I am running OSPF onto the dark fiber, then redistribute some EIGRP subnets into OSPF and again all is well.
    Everything works up until the point the redistributed routes hit my RIB at my main data center where I am running IBGP. IBGP is run between our MPLS router and core for all our remote sites. When my backup route from the 56128's hits the cores, it supersedes the BGP route because the AD route O E2 [110/20] is lower than the BGP AD B [200/0]. Given the configuration below what can be done to remedy this? Oh, when I redistribute I can only change the AD for the backup routes, all other routes should stay the same.
    56128's where my static routes are:
    ip route 192.168.101.0/24 192.168.30.77 name firewall 250
    router eigrp 65100
       redistribute static route-map Static-To-Eigrp
    route-map Static-To-Eigrp permit 10
       match ip address prefix-list Static2Eigrp
    ip prefix-list Static2Eigrp seq 2 permit 192.168.101.0/24
    Edge device:
    router eigrp 65100
     network 172.18.0.5 0.0.0.0
     network 172.18.0.32 0.0.0.3
     network 172.18.0.36 0.0.0.3
     redistribute ospf 65100 metric 2000000 0 255 1 1500
     redistribute static metric 200000 0 255 1 1500 route-map STATICS_INTO_EIGRP
     passive-interface default
     no passive-interface Port-channel11
     no passive-interface Port-channel12
     eigrp router-id 172.18.0.5
    router ospf 65100
     router-id 172.18.0.5
     log-adjacency-changes
     redistribute eigrp 65100 subnets route-map EIGRP_INTO_OSPF
     passive-interface default
     no passive-interface GigabitEthernet1/0/1
     no passive-interface GigabitEthernet1/0/2
     no passive-interface GigabitEthernet2/0/1
     no passive-interface GigabitEthernet2/0/2
     network 172.18.0.0 0.0.255.255 area 0
    ip prefix-list EIGRP_INTO_OSPF seq 5 permit 172.18.0.0/16 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 10 permit 192.168.94.0/29 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 15 permit 192.168.26.32/29 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 20 permit 192.168.30.72/29 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 25 permit 192.168.20.128/25 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 26 permit 192.168.101.0/24 le 32 <- Backup Route for MPLS Remote Office
    route-map EIGRP_INTO_OSPF permit 10
     match ip address prefix-list EIGRP_INTO_OSPF

    So in the case of a /24. If it were say broken up into /25's? From our remote sites we are using aggregate-address summary-only. Not sure how I would advertise a more specific route via BGP, sorry.
    I didn't have this problem until I moved my firewalls. They plugged into the cores where IBGP was running and the static never kicked in unless the BGP route disappeared. I guess I could use my static redistribution for my VPN sites and use statics across the cores for the handful of backup links I have.

  • How to handle unpaid RIBA

    Is there a way to link/identify unpaid RIBA (BOE in ITALY) to the original invoice?
    Is there any SAP solution for resetting the clearing document and reopening the original invoice?
    Any information, ideas or pointers will be very helpful. thanks.

    hi
    I took your advice on the second approach and added a new filter to catch the 302 response and read the new URL from Location. Here is the flow.
    Connect to URL --> Is HTTP code = 302 --> Retrieve Location from HTTP header --> Rewrite URL --> Dynamic Router --> Connection
    I am getting a new error as below. I verified the certificates using the openssl commands below and added them to the certificate store in OEG. The error comes from the redirect URL, which is cs12.salesforce.com
    C:\Program Files\GnuWin32\bin>openssl s_client -connect test.salesforce.com:443 -showcerts
    and
    C:\Program Files\GnuWin32\bin>openssl s_client -connect cs12.salesforce.com:443 -showcerts
    thank you for your time and help.
    ERROR 06/May/2012:00:22:23.125 [14e0] nested fault: SSL protocol error
    error:140CF086:SSL routines:SSL_VERIFY_CERT_CHAIN:certificate verify failed
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:
    java.lang.RuntimeException: SSL protocol error
    error:140CF086:SSL routines:SSL_VERIFY_CERT_CHAIN:certificate verify failed
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    at com.vordel.dwe.ConnectionCache.getConnection(Native Method)
    at com.vordel.circuit.net.ConnectionProcessor$State.tryTransaction(ConnectionProcessor.java:482)
    at com.vordel.circuit.net.ConnectionProcessor.invoke(ConnectionProcessor.java:650)
    at com.vordel.circuit.InvocationEngine.invokeFilter(InvocationEngine.java:154)
    at com.vordel.circuit.InvocationEngine.invokeCircuit(InvocationEngine.java:43)
    at com.vordel.circuit.InvocationEngine.processMessage(InvocationEngine.java:229)
    at com.vordel.circuit.SyntheticCircuitChainProcessor.invoke(SyntheticCircuitChainProcessor.java:36)
    at com.vordel.dwe.http.HTTPPlugin.invokeDispose(HTTPPlugin.java:290)
    at com.vordel.dwe.http.HTTPPlugin.invoke(HTTPPlugin.java:131)

  • Route Leaking between VRF:s (Shared services)

    Hi,
    I'm a bit confused by this setup that I'm trying to achieve.
    The setup is classic though, I have one VRF for education (EDU), one for administrators (ADM) and then a shared VRF (GEM) like this:
    ip vrf ADM
    description *** ADMIN NET ***
    rd 2:2
    export map ADM-to-EDU
    route-target export 2:2
    route-target import 1:1
    route-target import 2:2
    ip vrf EDU
    description *** ELEV NET ***
    rd 3:3
    route-target export 3:3
    route-target import 1:1
    route-target import 33:33
    route-target import 3:3
    ip vrf GEM
    description *** GEMENSAM NET ***
    rd 1:1
    route-target export 1:1
    route-target import 2:2
    route-target import 3:3
    route-target import 1:1
    As you can see, I have also configured an export map for vrf ADM, which I'm then importing routes from.
    The map looks as follows:
    access-list 1 permit 172.18.254.37
    route-map ADM-to-EDU permit 10
    match ip address 1
    set extcommunity rt 33:33 additive
    A relevant part of the ip setup is as follows:
    interface Loopback3
    ip vrf forwarding EDU
    ip address 3.3.3.3 255.255.255.255
    interface Loopback37
    ip vrf forwarding ADM
    ip address 172.18.254.37 255.255.255.255
    I'm running BGP:
    router bgp 65235
    no synchronization
    bgp log-neighbor-changes
    no auto-summary
    address-family ipv4 vrf GEM
      redistribute connected
      redistribute static
      default-information originate
      no synchronization
    exit-address-family
    address-family ipv4 vrf EDU
      redistribute connected
      redistribute static
      default-information originate
      no synchronization
    exit-address-family
    address-family ipv4 vrf ADM
      redistribute connected
      redistribute static
      default-information originate
      no synchronization
    exit-address-family
    Now, the thing is, the leaking is working, I can see the leaked route in the EDU routing table below,
    Router#sh ip route vrf EDU
    Routing Table: EDU
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 172.19.16.5 to network 0.0.0.0
         1.0.0.0/32 is subnetted, 1 subnets
    B       1.1.1.1 is directly connected, 04:53:31, Loopback1
         3.0.0.0/32 is subnetted, 1 subnets
    C       3.3.3.3 is directly connected, Loopback3
         172.19.0.0/32 is subnetted, 1 subnets
    B       172.19.16.5 is directly connected, 02:27:51, Loopback0
         172.18.0.0/32 is subnetted, 1 subnets
    B       172.18.254.37 is directly connected, 00:32:14, Loopback37
    B*   0.0.0.0/0 [20/0] via 172.19.16.5 (GEM), 02:08:42
    but I cannot reach it:
    Router#ping vrf EDU 172.18.254.37
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    But if I run "debug ip packet" and then perform another ping, I get this result, which I think is a bit weird. To me it seems as if it works.
    Router#ping vrf EDU 172.18.254.37
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
    *Mar  1 05:42:40.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:40.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
    *Mar  1 05:42:40.574: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:40.578: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
    *Mar  1 05:42:40.578: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:40.578: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
    *Mar  1 05:42:40.578: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:40.578: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
    *Mar  1 05:42:42.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:42.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
    *Mar  1 05:42:42.574: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:42.578: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
    *Mar  1 05:42:42.582: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:42.586: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
    *Mar  1 05:42:42.590: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:42.590: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
    *Mar  1 05:42:44.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:44.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
    *Mar  1 05:42:44.570: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:44.574: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
    *Mar  1 05:42:44.578: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:44.578: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
    *Mar  1 05:42:44.578: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:44.578: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
    *Mar  1 05:42:46.566: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:46.570: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
    *Mar  1 05:42:46.570: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:46.570: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
    *Mar  1 05:42:46.570: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:46.570: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
    *Mar  1 05:42:46.570: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:46.574: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
    *Mar  1 05:42:48.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:48.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
    *Mar  1 05:42:48.566: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:48.570: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
    *Mar  1 05:42:48.574: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:48.574: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
    *Mar  1 05:42:48.582: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:48.582: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
    Success rate is 0 percent (0/5)
    Router#
    However, if I add leaking for 3.3.3.3 in ADM vrf like this:
    access-list 2 permit 3.3.3.3
    route-map EDU-to-ADM permit 10
    match ip address 2
    set extcommunity rt  22:22 additive
    ip vrf ADM
    description *** ADMIN NET ***
    rd 2:2
    export map ADM-to-EDU
    route-target export 2:2
    route-target import 1:1
    route-target import 22:22      < - added line
    route-target import 2:2
    ip vrf EDU
    description *** ELEV NET ***
    rd 3:3
    export map EDU-to-ADM         < - added line
    route-target export 3:3
    route-target import 1:1
    route-target import 33:33
    route-target import 3:3
    Then it will work:
    Router#ping vrf EDU 172.18.254.37
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/16 ms
    So actually, my big question is, am I doing this the right or wrong way? I'm a bit confused.
    Sorry about the rant, maybe it will clarify some things for others who are confused, or maybe just make it worse!
    Some additional thoughts:
    Why can't I perform this ping, shouldn't this work?
    Router#ping vrf GEM 172.18.254.37
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    Router#
    bgp info:
    Router#sh ip bgp vpnv4 all
    BGP table version is 79, local router ID is 1.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 1:1 (default for vrf GEM)
    *> 0.0.0.0          172.19.16.5              0         32768 ?
    *> 1.1.1.1/32       0.0.0.0                  0         32768 ?
    *> 2.2.2.2/32       0.0.0.0                  0         32768 ?
    *> 3.3.3.3/32       0.0.0.0                  0         32768 ?
    *> 172.18.254.37/32 0.0.0.0                  0         32768 ?
    *> 172.19.16.5/32   0.0.0.0                  0         32768 ?
    Route Distinguisher: 2:2 (default for vrf ADM)
    *> 0.0.0.0          172.19.16.5              0         32768 ?
    *> 1.1.1.1/32       0.0.0.0                  0         32768 ?
    *> 2.2.2.2/32       0.0.0.0                  0         32768 ?
    *> 3.3.3.3/32       0.0.0.0                  0         32768 ?
    *> 172.18.254.37/32 0.0.0.0                  0         32768 ?
    *> 172.19.16.5/32   0.0.0.0                  0         32768 ?
    Route Distinguisher: 3:3 (default for vrf EDU)
    *> 0.0.0.0          172.19.16.5              0         32768 ?
    *> 1.1.1.1/32       0.0.0.0                  0         32768 ?
       Network          Next Hop            Metric LocPrf Weight Path
    *> 3.3.3.3/32       0.0.0.0                  0         32768 ?
    *> 172.18.254.37/32 0.0.0.0                  0         32768 ?
    *> 172.19.16.5/32   0.0.0.0                  0         32768 ?
    Router#

    Thank you for your answer Aravala.
    Ok, so I think I'm beginning to understand this now after several hours..
    Below is my setup now, and it works, but the thing is that it ONLY works from nets that are actually configured on interfaces.
    What I mean by this is,
    I want to reach ONLY the IP 172.18.254.37 (ADM net) from ANY address on 172.19.0.0/16 (EDU net),
    so naturally I try and change the prefix list to:
    ip prefix-list 1 seq 5 permit 172.18.254.37/32
    ip prefix-list 2 seq 5 permit 172.19.0.0/16
    But this doesn't work. I would be very grateful if someone could explain why and how to get around it! I don't want to define every subnet on 172.19.0.0/16 and at the same time leave all of the 172.18.254.0/24 network open.
    working setup:
    ip vrf ADM
    description *** ADMIN NET ***
    rd 2:2
    export map ADM-to-EDU
    route-target export 2:2
    route-target import 1:1
    route-target import 22:22
    route-target import 2:2
    ip vrf EDU
    description *** ELEV NET ***
    rd 3:3
    export map EDU-to-ADM
    route-target export 3:3
    route-target import 1:1
    route-target import 33:33
    route-target import 3:3
    ip vrf GEM
    description *** GEMENSAM NET ***
    rd 1:1
    route-target export 1:1
    route-target import 2:2
    route-target import 3:3
    route-target import 1:1
    ip prefix-list 1 seq 5 permit 172.18.254.0/24
    ip prefix-list 2 seq 5 permit 172.19.64.0/21
    route-map ADM-to-EDU permit 10
    match ip address prefix-list 1
    set extcommunity rt  33:33 additive
    route-map EDU-to-ADM permit 10
    match ip address prefix-list 2
    set extcommunity rt  22:22 additive
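
The ADM/EDU export maps above, modelled in Python as an added example (not code from the thread or from Cisco). It shows how IOS prefix-list matching, which is exact-length unless `ge`/`le` is given, decides which routes receive the extra route target and therefore which prefixes cross between the two VRFs. The route tables are constructed sample data, and the class and function names are hypothetical.

```python
"""Simplified model of RT-based VRF leaking driven by export maps."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class PrefixEntry:
    """One 'ip prefix-list ... permit <prefix> [ge N] [le N]' entry."""
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: str) -> bool:
        net = ipaddress.ip_network(self.prefix)
        cand = ipaddress.ip_network(route)
        # The route must fall inside the configured prefix at all.
        if not cand.subnet_of(net):
            return False
        # Without ge/le the mask length must be identical (exact match).
        if self.ge is None and self.le is None:
            return cand.prefixlen == net.prefixlen
        low = self.ge if self.ge is not None else net.prefixlen
        high = self.le if self.le is not None else 32
        return low <= cand.prefixlen <= high


@dataclass
class Vrf:
    name: str
    export_rts: Set[str]
    import_rts: Set[str]
    routes: List[str]  # local routes of this VRF (constructed sample data)
    # Export map as (prefix-list entry, RT added with 'additive') pairs.
    export_map: List[Tuple[PrefixEntry, str]] = field(default_factory=list)

    def exported(self) -> Dict[str, Set[str]]:
        """Route targets carried by each local route after the export map."""
        out = {}
        for route in self.routes:
            rts = set(self.export_rts)
            for entry, extra_rt in self.export_map:
                if entry.matches(route):
                    rts.add(extra_rt)  # 'additive' keeps the base RTs
            out[route] = rts
        return out


def leaked(src: Vrf, dst: Vrf) -> Set[str]:
    """Prefixes of src that dst imports (at least one shared RT)."""
    return {r for r, rts in src.exported().items() if rts & dst.import_rts}


def build(adm_entry: PrefixEntry, edu_entry: PrefixEntry) -> Tuple[Vrf, Vrf]:
    """RTs and export maps as in the thread; route lists are constructed.

    ADM does not import 3:3 and EDU does not import 2:2, so only the RT
    added by an export map can carry a route directly between the two.
    """
    adm = Vrf("ADM", {"2:2"}, {"1:1", "22:22", "2:2"},
              ["172.18.254.0/24", "172.18.254.37/32", "172.18.10.0/24"],
              [(adm_entry, "33:33")])
    edu = Vrf("EDU", {"3:3"}, {"1:1", "33:33", "3:3"},
              ["172.19.64.0/21", "172.19.72.0/21"],
              [(edu_entry, "22:22")])
    return adm, edu


if __name__ == "__main__":
    cases = {
        "working setup": (PrefixEntry("172.18.254.0/24"),
                          PrefixEntry("172.19.64.0/21")),
        "host + /16": (PrefixEntry("172.18.254.37/32"),
                       PrefixEntry("172.19.0.0/16")),
        "host + /16 le 32": (PrefixEntry("172.18.254.37/32"),
                             PrefixEntry("172.19.0.0/16", le=32)),
    }
    for label, (adm_entry, edu_entry) in cases.items():
        adm, edu = build(adm_entry, edu_entry)
        print(label)
        print("  ADM -> EDU:", sorted(leaked(adm, edu)))
        print("  EDU -> ADM:", sorted(leaked(edu, adm)))
```

Running the same comparison against the real routing tables before a change shows whether a leak policy exposes only the intended prefixes in each direction.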

  • CSR1000V VRF Route Leaking vs GNS

    Hi folks,
    Working on 2 lab environments. I have successfully configured VRF route leaking on GNS3, however I can't get it working on CSR1000v with the same config (only the IPs and names of the VRFs etc. are different). Is there something on the CSR1000v that I have to do that's different from GNS? Is there a reason why the route in GNS is in both the OSPF database and the routing table yet in ESXi it's only in the database?
    OSPF between neighbors
    BGP to do route leaking
    GNS - leaking route 220.0.0.0
    GNS - Neighbor running OSPF has 220.0.0.0 in the database and the routing table for VRF 100
    ESXi - leaking route 45.0.0.0
    ESXi - Neighbor running OSPF has 45.0.0.0 in the database and is NOT in the routing table for VRF cavia
    GNS - 3640's with c3640-js-mz.124-17
    ESXi - CSR1000V with Cisco IOS XE Software, Version 03.12.00.S
    On both labs I am using BGP to leak routes between VRFs.
    GNS LAB
    VRF's --------------------------------------------------
    ip vrf 100
     rd 100:100
     route-target export 1:100
     route-target import 1:300
    ip vrf 200
     rd 200:200
     route-target export 1:200
     route-target import 1:300
    ip vrf 300
     rd 300:300
     route-target export 1:300
     route-target import 1:100
     route-target import 1:200
    OSPF --------------------------------------------------------------
    router ospf 100 vrf 100
     router-id 4.4.4.4
     log-adjacency-changes
     redistribute bgp 10 subnets
     network 100.0.0.0 0.0.0.3 area 0
     network 0.0.0.0 255.255.255.255 area 0
    router ospf 200 vrf 200
     router-id 44.44.44.44
     log-adjacency-changes
     redistribute bgp 10 subnets
     network 200.0.0.0 0.0.0.3 area 0
     network 0.0.0.0 255.255.255.255 area 0
    BGP -------------------------------------------------------------
    router bgp 10
     no synchronization
     bgp log-neighbor-changes
     no auto-summary
     address-family ipv4 vrf 300
      no synchronization
      network 220.0.0.0 mask 255.255.255.252
     exit-address-family
     address-family ipv4 vrf 200
      redistribute ospf 200 vrf 200
      no synchronization
     exit-address-family
     address-family ipv4 vrf 100
      redistribute ospf 100 vrf 100
      no synchronization
     exit-address-family
    R4#sh ip bgp vpnv4 all
    BGP table version is 17, local router ID is 44.44.44.44
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 100:100 (default for vrf 100)
    *> 10.0.0.0/24      100.0.0.1                2         32768 ?
    *> 100.0.0.0/30     0.0.0.0                  0         32768 ?
    *> 220.0.0.0/30     0.0.0.0                  0         32768 i
    Route Distinguisher: 200:200 (default for vrf 200)
    *> 20.0.0.0/24      200.0.0.1                2         32768 ?
    *> 200.0.0.0/30     0.0.0.0                  0         32768 ?
    *> 220.0.0.0/30     0.0.0.0                  0         32768 i
    Route Distinguisher: 300:300 (default for vrf 300)
    *> 10.0.0.0/24      100.0.0.1                2         32768 ?
    *> 20.0.0.0/24      200.0.0.1                2         32768 ?
    *> 100.0.0.0/30     0.0.0.0                  0         32768 ?
    *> 200.0.0.0/30     0.0.0.0                  0         32768 ?
    *> 220.0.0.0/30     0.0.0.0                  0         32768 i
    -----------------------on neighbor R3 220.0.0.0 (in vrf 300) is in the routing table for vrf 100 as designed----------------------
    R3#sh ip route vrf 100
         220.0.0.0/30 is subnetted, 1 subnets
    O E2    220.0.0.0 [110/1] via 100.0.0.2, 00:29:48, FastEthernet1/0.10
         100.0.0.0/30 is subnetted, 1 subnets
    C       100.0.0.0 is directly connected, FastEthernet1/0.10
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.0.0.0 is directly connected, FastEthernet0/0
    ----------------------OSPF Database on neighbor R3-------------------------------------------
    R3#sh ip ospf data
                OSPF Router with ID (33.33.33.33) (Process ID 200)
                    Router Link States (Area 0)
    Link ID         ADV Router      Age         Seq#       Checksum Link count
    33.33.33.33     33.33.33.33     521         0x80000006 0x005A0E 2
    44.44.44.44     44.44.44.44     541         0x80000006 0x001C18 1
                    Net Link States (Area 0)
    Link ID         ADV Router      Age         Seq#       Checksum
    200.0.0.2       44.44.44.44     540         0x80000005 0x006820
                    Type-5 AS External Link States
    Link ID         ADV Router      Age         Seq#       Checksum Tag
    220.0.0.0       44.44.44.44     540         0x80000005 0x009BAE 3489660938
                OSPF Router with ID (3.3.3.3) (Process ID 100)
                    Router Link States (Area 0)
    Link ID         ADV Router      Age         Seq#       Checksum Link count
    3.3.3.3         3.3.3.3         722         0x80000006 0x008C9F 2
    4.4.4.4         4.4.4.4         581         0x80000006 0x00F845 1
                    Net Link States (Area 0)
    Link ID         ADV Router      Age         Seq#       Checksum
    100.0.0.2       4.4.4.4         581         0x80000005 0x00FEA7
                    Type-5 AS External Link States
    Link ID         ADV Router      Age         Seq#       Checksum Tag
    220.0.0.0       4.4.4.4         581         0x80000005 0x00509A 3489660938
    ESXi LAB
    VRF's----------------------------------------------------------
    vrf definition cavia
     rd 1:100
     address-family ipv4
      route-target export 1000:100
      route-target import 1000:300
     exit-address-family
    vrf definition microsoft
     rd 1:200
     address-family ipv4
      route-target export 1000:200
      route-target import 1000:300
     exit-address-family
    vrf definition shared
     rd 1:300
     address-family ipv4
      route-target export 1000:300
      route-target import 1000:100
      route-target import 1000:200
     exit-address-family
    OSPF ----------------------------------------------------------------
    router ospf 100 vrf cavia
     redistribute bgp 50 subnets
     network 172.100.200.0 0.0.0.3 area 0
     network 0.0.0.0 255.255.255.255 area 0
    router ospf 200 vrf microsoft
     redistribute bgp 50 subnets
     network 172.200.200.0 0.0.0.3 area 0
     network 0.0.0.0 255.255.255.255 area 0
    BGP -----------------------------------------------------------------
    router bgp 50
     bgp log-neighbor-changes
     address-family ipv4 vrf cavia
      redistribute ospf 100
     exit-address-family
     address-family ipv4 vrf microsoft
      redistribute ospf 200
     exit-address-family
     address-family ipv4 vrf shared
      network 45.0.0.0 mask 255.255.255.252
     exit-address-family
    ---------------45.0.0.0 is in the correct BGP VRF's----------------
    R8#sh ip bgp vpnv4 all
    BGP table version is 20, local router ID is 8.8.8.8
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
                  x best-external, a additional-path, c RIB-compressed, 
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found
         Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 1:100 (default for vrf cavia)
     *>  45.0.0.0/30      0.0.0.0                  0         32768 i
     *>  80.100.0.0/30    172.100.200.1            2         32768 ?
     *>  172.100.100.0/30 172.100.200.1            2         32768 ?
     *>  172.100.100.4/30 172.100.200.1            2         32768 ?
     *>  172.100.200.0/30 0.0.0.0                  0         32768 ?
    Route Distinguisher: 1:200 (default for vrf microsoft)
     *>  45.0.0.0/30      0.0.0.0                  0         32768 i
     *>  80.200.0.0/30    172.200.200.1            2         32768 ?
     *>  172.200.100.0/30 172.200.200.1            2         32768 ?
     *>  172.200.100.4/30 172.200.200.1            2         32768 ?
     *>  172.200.200.0/30 0.0.0.0                  0         32768 ?
    Route Distinguisher: 1:300 (default for vrf shared)
     *>  45.0.0.0/30      0.0.0.0                  0         32768 i
     *>  80.100.0.0/30    172.100.200.1            2         32768 ?
     *>  80.200.0.0/30    172.200.200.1            2         32768 ?
     *>  172.100.100.0/30 172.100.200.1            2         32768 ?
     *>  172.100.100.4/30 172.100.200.1            2         32768 ?
     *>  172.100.200.0/30 0.0.0.0                  0         32768 ?
     *>  172.200.100.0/30 172.200.200.1            2         32768 ?
         Network          Next Hop            Metric LocPrf Weight Path
     *>  172.200.100.4/30 172.200.200.1            2         32768 ?
     *>  172.200.200.0/30 0.0.0.0                  0         32768 ?
    -----------------------on neighbor R1 45.0.0.0 (in vrf shared) is not in the routing table for vrf cavia----------------------
    R1#sh ip route vrf cavia
    Gateway of last resort is 172.100.200.2 to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 172.100.200.2
          80.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
    C        80.100.0.0/30 is directly connected, GigabitEthernet1.1
    L        80.100.0.1/32 is directly connected, GigabitEthernet1.1
    B        80.100.0.4/30 [20/0] via 80.100.0.2, 03:52:22
          172.100.0.0/16 is variably subnetted, 7 subnets, 2 masks
    C        172.100.100.0/30 is directly connected, GigabitEthernet3.1
    L        172.100.100.2/32 is directly connected, GigabitEthernet3.1
    C        172.100.100.4/30 is directly connected, GigabitEthernet2.1
    L        172.100.100.6/32 is directly connected, GigabitEthernet2.1
    B        172.100.101.0/30 [20/0] via 80.100.0.2, 03:52:22
    C        172.100.200.0/30 is directly connected, GigabitEthernet4.1
    L        172.100.200.1/32 is directly connected, GigabitEthernet4.1
    ----------------------OSPF Database on neighbor R1 -------------------------------------------
    R1#
    R1#sh ip ospf data
                OSPF Router with ID (172.100.200.1) (Process ID 100)
                    Router Link States (Area 0)
    Link ID         ADV Router      Age         Seq#       Checksum Link count
    172.100.200.1   172.100.200.1   668         0x8000000A 0x009F4E 4
    172.100.200.2   172.100.200.2   681         0x80000007 0x005F5C 1
                    Net Link States (Area 0)
    Link ID         ADV Router      Age         Seq#       Checksum
    172.100.200.1   172.100.200.1   668         0x80000002 0x0012BD
                    Type-5 AS External Link States
    Link ID         ADV Router      Age         Seq#       Checksum Tag
    45.0.0.0        172.100.200.2   441         0x80000002 0x0047E1 3489660978
    80.100.0.4      172.100.200.1   1679        0x80000008 0x00A883 3489725929
    172.100.101.0   172.100.200.1   1679        0x80000008 0x00C4A9 3489725929

    BUMP

  • Problem leaking route from VRF to global table on CSR 1000V

    Hi Guys,
    So I have a problem with VRFs on a CSR 1000V, specifically exporting a connected subnet from a VRF into the global routing table.
    My config, very abbreviated, is as follows:
    Router:
    GE1: 10.0.0.1/31 VRF TEST
    GE2: 172.30.20.1/24 (No VRF, BGP neighbor to 172.30.20.2, receiving 0.0.0.0/0 (default route))
    Now sh ip route displays:
    0.0.0.0/0 (BGP)
    172.30.20.1/24 (Connected)
    sh ip route vrf TEST displays:
    0.0.0.0/0 (BGP)
    10.0.0.1/31 connected
    My VRF config is as follows:
    ip vrf TEST
    rd 1:1
    import ipv4 unicast map GLOBAL
    export ipv4 unicast map CONNECTED-SUBNET
    ip prefix-list CONNECTED seq 1 permit 10.0.0.1/31
    ip prefix-list DEFAULT   seq 1 permit 0.0.0.0/0
    route-map CONNECTED-SUBNET permit 10
     match ip address prefix-list CONNECTED
    route-map GLOBAL permit 10
     match ip address prefix-list DEFAULT
    Now my import command works perfectly (0.0.0.0/0 is imported from BGP into the VRF's routing table), however my export command does not function - seemingly at all.
    Even though my prefix list is an exact match, I do not see 10.0.0.1/31 appearing in the global routing table, or the BGP table at all (show ip bgp 10.0.0.1 shows only the 0.0.0.0/0 default route)
    Any thoughts on what is going on here? Am I misunderstanding the export command for VRFs? I was under the impression this will export directly to the BGP table, and then be imported to the global routing table if applicable?
    Any thoughts/input would be appreciated!

    Hello
    "GE1: 10.0.0.1/31 VRF TEST
    GE2: 172.30.20.1/24 (No VRF, BGP neighbor to 172.30.20.2, receiving 0.0.0.0/0 (default route))"
    I must have misunderstood somewhere. I was assuming you had no VRF BGP between GE1-2, and just a VRF on subnet 10.0.0.0/x which needed to be advertised in the global routing table, hence my last post suggested you redistribute into BGP.
    So assuming you are accepting a default route from GE2, it went like this:
    GE1
    int fa0/1
    ip vrf forwarding TEST
    ip address 10.0.0.1 255.255.255.255
    int xx
    ip address 172.30.20.1 255.255.255.0
    router bgp xy
    neighbor 172.30.20.2 remote-as yx
    redistribute static ( to advertise the vrf subnet to GE2)
    ip route 10.0.0.1 255.255.255.255 fa0/1 ( this is to tell the global rib where to go for the vrf route)
    ip prefix-list VRF  permit 0.0.0.0/0
    route-map VRF_rm
    match ip address prefix-list VRF ( match on the default route advertised from GE2 which is in the global rib)
    ip vrf TEST
    import ipv4 unicast map VRF_rm ( import the default from global rib into the vrf rib)
    res
    Paul

  • MPLS BGP routes push to DMVPN spokes

    I have an MPLS with BGP. I also have sites that are not connected directly to the MPLS, but have a s2s VPN to hub sites that are connected to the MPLS and that way they access the MPLS resources. I need to communicate the route changes to the MPLS when the DMVPN fails-over to another hub.
    Currently this is my config:
    Datacenter (MPLS only)
    interface GigabitEthernet0/1
    description MPLS
    ip address 192.168.0.34 255.255.255.252
    interface Vlan2
    ip address 192.168.96.2 255.255.255.0
    router bgp 65511
    bgp log-neighbor-changes
    network 192.168.96.0
    neighbor 192.168.0.33 remote-as 65510
    Hub site 1 (MPLS + internet)
    interface Tunnel200
    ip address 10.99.99.1 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp authentication auth
    ip nhrp map multicast dynamic
    ip nhrp network-id 12345
    ip nhrp holdtime 600
    tunnel source GigabitEthernet0/0
    tunnel mode gre multipoint
    tunnel key 200
    tunnel protection ipsec profile dmvpn
    interface GigabitEthernet0/1
    description MPLS
    ip address 192.168.1.2 255.255.255.0 secondary
    ip address 192.168.0.2 255.255.255.252
    router bgp 65001
    bgp log-neighbor-changes
    network 192.168.1.0
    network 192.168.21.0
    !10.99 clients are DMVPN spokes
    neighbor 10.99.99.3 remote-as 99010
    neighbor 10.99.99.3 route-reflector-client
    neighbor 10.99.99.21 remote-as 99001
    neighbor 10.99.99.21 route-reflector-client
    !as 65000 is the MPLS PE
    neighbor 192.168.0.1 remote-as 65000
    Hub Site 2, has the same configuration, except for local ip address and router BGP ID.
    Spoke site:
    interface Tunnel200
    ip address 10.99.99.3 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp authentication auth
    ip nhrp map 10.99.99.1 PUBLIC_IP_HUB_1
    ip nhrp map 10.99.99.16 PUBLIC_IP_HUB_2
    ip nhrp network-id 12345
    ip nhrp holdtime 600
    ip nhrp nhs 10.99.99.1 priority 1
    ip nhrp nhs 10.99.99.16 priority 5
    ip nhrp nhs fallback 60
    tunnel source GigabitEthernet0/0
    tunnel mode gre multipoint
    tunnel key 200
    tunnel protection ipsec profile dmvpn
    interface GigabitEthernet0/1
    description Internal
    ip address 192.168.3.1 255.255.255.192
    router bgp 99010
    bgp log-neighbor-changes
    network 192.168.3.0
    neighbor 10.99.99.1 remote-as 65001
    neighbor 10.99.99.16 remote-as 65013
    On this spoke site 
    #sh ip route
    B 192.168.1.0/24 [20/0] via 10.99.99.1, 00:47:01
    which is the HUB network, but the rest of the MPLS routes are not "learned".
    What am I missing?
    Thanks!

    Hi Jon, I've omitted the configuration of the MPLS provider routers in between. The DC is connected to a router that has the AS 65510.
    DC:CPE---PE:{MPLS}PE---CPE:HUB---{internet}---Spoke
    The DC is ok getting the network information via BGP:
    #sh ip route
    B 192.168.3.0/24 [20/0] via 192.168.0.33, 3d05h
    B 192.168.21.0/24 [20/0] via 192.168.0.33, 3d05h
    #sh ip bgp 192.168.21.0
    BGP routing table entry for 192.168.21.0/24, version 559
    Paths: (1 available, best #1, table default)
    Not advertised to any peer
    Refresh Epoch 1
    65510 3549 6140 3549 65000
    192.168.0.33 from 192.168.0.33 (###.###.###.###)
    Origin IGP, localpref 100, valid, external, best
    #sh ip route 192.168.21.0
    Routing entry for 192.168.21.0/24
    Known via "bgp 65511", distance 20, metric 0
    Tag 65510, type external
    Last update from 192.168.0.33 3d05h ago
    Routing Descriptor Blocks:
    * 192.168.0.33, from 192.168.0.33, 3d05h ago
    Route metric is 0, traffic share count is 1
    AS Hops 5
    Route tag 65510
    MPLS label: none
    Spoke:
    #sh ip bgp
    BGP table version is 494, local router ID is 192.168.21.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
    r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
    x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found
    Network Next Hop Metric LocPrf Weight Path
    *> 10.0.129.32/27 10.99.99.16 0 65013 65012 3549 ?
    *> 192.168.96.0 10.99.99.16 0 65013 65012 3549 6745 65510 ?
    #sh ip route 192.168.96.0
    Routing entry for 192.168.96.0/24
    Known via "bgp 99001", distance 20, metric 0
    Tag 65013, type external
    Last update from 10.99.99.16 00:02:11 ago
    Routing Descriptor Blocks:
    * 10.99.99.16, from 10.99.99.16, 00:02:11 ago
    Route metric is 0, traffic share count is 1
    AS Hops 5
    Route tag 65013
    MPLS label: none
    #sh ip bgp 192.168.96.0
    BGP routing table entry for 192.168.96.0/24, version 465
    Paths: (1 available, best #1, table default)
    Not advertised to any peer
    Refresh Epoch 2
    65013 65012 3549 6745 65510
    10.99.99.16 from 10.99.99.16 (10.2.16.1)
    Origin incomplete, localpref 100, valid, external, best
    The route is not being updated to the rest of the routers, and the 192.168.21.0 network is still announced via the old route.
    (from spoke)
    ping 192.168.96.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.96.2, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    From DC
    #traceroute 192.168.21.1
    Type escape sequence to abort.
    Tracing the route to 192.168.21.1
    VRF info: (vrf in name/id, vrf out name/id)
    1 192.168.0.33 [AS 65510] 0 msec 0 msec 0 msec
    2 172.50.1.33 [AS 65510] 56 msec 36 msec 36 msec
    3 10.80.1.1 [AS 3549] 44 msec 44 msec 44 msec
    4 10.80.1.2 [AS 3549] 172 msec 172 msec 168 msec
    5 172.50.1.1 [AS 3549] 168 msec 168 msec 172 msec
    6 172.50.1.2 [AS 3549] 180 msec 180 msec 176 msec
    7 192.168.0.2 [AS 65000] 172 msec 172 msec 168 msec <- old route, should be 192.168.0.9
    8 192.168.0.2 [AS 65000] !H * !H

  • Route advertisement with AS path

    Hello
    We are running a multi-homed network. To influence the BGP route selection, we are using the AS path attribute with route-maps.
    Recently, we observed that the routes advertised on the TCL network (ISP 1) were not reflected in the global routing table.
    For example, we have advertised a network (196.X.X.X/24) on the TCL BGP peer as best path and also advertised the same network on another BGP peer with an AS path prepend of 10 times. But the network is reached via the Bharti BGP peer (ISP 2) instead of the TCL peer.
    Can anyone help understand why the preferred route is via Bharti?
    Thanks
    Viswa Sai

    Network statement in BGP configuration is used to identify which networks are being advertised. BGP process then checks the global routing table, if it sees a prefix in global routing table and with exact match (including subnet mask), only then it will advertise that network to other BGP peers. 
    Is this network a local network or learned from other routing protocols? If local, make sure you enter the exact mask of the network seen in the routing table. If learned from other routing protocols, the better way is to selectively redistribute IGP routes into BGP using a prefix-list and route-map.
    As far as convergence is concerned, below is the explanation:
    BGP routers will not start the BGP best-path calculation/selection process until they receive all NLRI from the BGP peer. This will be known from UPDATE messages. The end of UPDATE messages is usually identified after a KEEPALIVE message is received.
    The time taken to learn a new best path is directly proportional to the number of NLRIs received from peers.
    Only when your service provider router selects its best path, and installs it into the RIB, is it going to send an UPDATE message to your routers. If SP routers use line cards with Cisco distributed forwarding, it is going to populate its FIB and then send the UPDATE message.
    It depends on how fast your Bharti BGP peer detects your network as unreachable and sends UPDATE messages to its peers to withdraw your network's NLRI from its routing table.
    There are ways to improve this convergence, but at service provider level. In your network, if you want faster re-convergence, static routes (with higher AD) would be a wonderful solution.
    Few other ways would be to use:
    Bidirectional forwarding detection (BFD)
    fast neighbor failover
    BGP next hop tracking
    BGP best external path (IOS and vendor specific)
    BGP prefix convergence (IOS and vendor specific)
    Peace and Health,
    Ravindra
