Things have been a little quiet on the blog lately but I have been pretty much keeping the study momentum going.
I don't think I mentioned it, but I haven't actually sat the CCIE Written Exam yet. Here in Brisbane there used to be two centres at which you could sit the exam, but one went out of business a few months ago and there is a 4-5 month lead time on doing a computer-based exam! In a few weeks I plan to go to Sydney, so I will make time to do the exam then. The CCIE R&S Version 4.0 blueprints for the Written and Lab are pretty much in alignment; right now I am moving more towards looking at things from the angle the written exam is interested in.
That said, I'm now at the end of the IPExpert Volume 1 Labs - the final lab has an estimated time limit of 10 hours and touches on NAT and IOS security topics, particularly IOS firewalls, both of which aren't really my strong points. So I think I'm going to do some more self-study in those areas before I face that particular lab. How do I feel so far about the Volume 1 Workbook? I've been pretty happy with it; most of the labs have been good, but some have been more challenging than others (I guess the areas I spent a lot of time on in projects I found particularly easy compared to others I haven't had a lot of experience with). I know I'm going to redo particular labs in the future, but it's been good to touch on the technology areas. I'm looking forward to facing the Volume 3 labs.
One of the things I'm planning on doing is getting used to working to the estimated timeframes for the labs. While I do attempt to block out enough time to sit a lab at home, the reality is that some interruptions occur, so I've decided to use a timer program that I can pause when these events crop up. So far XNote Stopwatch seems fairly reasonable - I like the idea of being able to set it to be always on top but partly transparent, so I can see the time remaining and not lose screen real estate.
Sunday, 5 December 2010
Saturday, 30 October 2010
BGP allow-as-in and as-override
If you are a service provider offering a managed MPLS-based IP-VPN service, one of the things you may worry about is scaling your customer provisioning process. If a customer has 10 sites and requires BGP routing to the CE device at each site, then besides dealing with interface addressing allocations and so on, technically you may also need to allocate a unique BGP ASN per site/CE.
There are a few techniques I know of that allow us to allocate the same BGP ASN to every CE router.
Let's start with a simple topology:
CE1 S0/0===S0/0 PE1 Fa0/0 ==Fa0/0 PE2 S0/0 ===S0/0 CE2
PE1 and PE2 are running OSPF, MPLS and LDP between themselves, and MP-iBGP in ASN 666 to carry the customer routing information.
CE1 has an EBGP session to PE1 and CE2 has an EBGP session to PE2; each CE is redistributing a number of loopbacks into BGP.
PE1 Config:
hostname PE1
!
ip vrf CustA
rd 666:1
route-target export 666:1
route-target import 666:1
!
mpls label protocol ldp
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
description To PE2
ip address 192.168.255.253 255.255.255.252
duplex auto
speed auto
mpls ip
!
interface Serial0/0
ip vrf forwarding CustA
ip address 192.168.12.2 255.255.255.252
clock rate 128000
!
router ospf 100
router-id 1.1.1.1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 192.168.255.253 0.0.0.0 area 0
!
router bgp 666
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 666
neighbor 2.2.2.2 update-source Loopback0
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf CustA
neighbor 192.168.12.1 remote-as 64512
neighbor 192.168.12.1 activate
no synchronization
exit-address-family
!
mpls ldp router-id Loopback0
PE2 Config:
hostname PE2
!
ip vrf CustA
rd 666:1
route-target export 666:1
route-target import 666:1
!
mpls label protocol ldp
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
description To PE1
ip address 192.168.255.254 255.255.255.252
duplex auto
speed auto
mpls ip
!
interface Serial0/0
ip vrf forwarding CustA
ip address 192.168.34.2 255.255.255.0
clock rate 128000
!
router ospf 100
router-id 2.2.2.2
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 0
network 192.168.255.254 0.0.0.0 area 0
!
router bgp 666
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 666
neighbor 1.1.1.1 update-source Loopback0
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
exit-address-family
!
address-family ipv4 vrf CustA
neighbor 192.168.34.1 remote-as 64512
neighbor 192.168.34.1 activate
no synchronization
exit-address-family
!
mpls ldp router-id Loopback0
CE1 Config:
hostname CE1
!
interface Loopback0
ip address 1.2.3.4 255.255.255.255
!
interface Loopback1
ip address 2.3.4.5 255.255.255.255
!
interface Loopback2
ip address 3.4.5.6 255.255.255.255
!
interface Loopback3
ip address 4.5.6.7 255.255.255.255
!
interface Serial0/0
ip address 192.168.12.1 255.255.255.252
!
router bgp 64512
no synchronization
bgp log-neighbor-changes
redistribute connected metric 100
neighbor 192.168.12.2 remote-as 666
neighbor 192.168.12.2 soft-reconfiguration inbound
no auto-summary
!
CE2 Config:
hostname CE2
!
interface Loopback0
ip address 9.8.7.6 255.255.255.255
!
interface Loopback1
ip address 8.7.6.5 255.255.255.255
!
interface Loopback2
ip address 7.6.5.4 255.255.255.255
!
interface Loopback3
ip address 6.5.4.3 255.255.255.255
!
interface Serial0/0
ip address 192.168.34.1 255.255.255.252
!
router bgp 64512
no synchronization
bgp log-neighbor-changes
redistribute connected metric 100
neighbor 192.168.34.2 remote-as 666
neighbor 192.168.34.2 soft-reconfiguration inbound
no auto-summary
!
Let's see whether we can see our routes from the other CE router:
CE1#sh ip route bgp
CE2#sh ip route bgp
Nothing... not a good sign. Is BGP running?
CE1#sh ip bgp summ
BGP router identifier 4.5.6.7, local AS number 64512
BGP table version is 6, main routing table version 6
5 network entries using 600 bytes of memory
5 path entries using 260 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 1140 total bytes of memory
BGP activity 15/10 prefixes, 15/10 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.12.2 4 666 71 52 6 0 0 00:03:57 0
CE2#sh ip bgp summ
BGP router identifier 9.8.7.6, local AS number 64512
BGP table version is 6, main routing table version 6
5 network entries using 600 bytes of memory
5 path entries using 260 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 2) using 32 bytes of memory
BGP using 1140 total bytes of memory
BGP activity 5/0 prefixes, 5/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.34.2 4 666 53 89 6 0 0 00:00:27 0
Yes, we're just not seeing any prefixes coming in - can we see them on the PE routers?
PE1#sh ip route vrf CustA
Routing Table: CustA
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
192.168.12.0/30 is subnetted, 1 subnets
C 192.168.12.0 is directly connected, Serial0/0
1.0.0.0/32 is subnetted, 1 subnets
B 1.2.3.4 [20/100] via 192.168.12.1, 00:08:15
2.0.0.0/32 is subnetted, 1 subnets
B 2.3.4.5 [20/100] via 192.168.12.1, 00:08:15
3.0.0.0/32 is subnetted, 1 subnets
B 3.4.5.6 [20/100] via 192.168.12.1, 00:08:15
4.0.0.0/32 is subnetted, 1 subnets
B 4.5.6.7 [20/100] via 192.168.12.1, 00:08:15
6.0.0.0/32 is subnetted, 1 subnets
B 6.5.4.3 [200/100] via 2.2.2.2, 00:01:49
7.0.0.0/32 is subnetted, 1 subnets
B 7.6.5.4 [200/100] via 2.2.2.2, 00:01:49
8.0.0.0/32 is subnetted, 1 subnets
B 8.7.6.5 [200/100] via 2.2.2.2, 00:01:49
9.0.0.0/32 is subnetted, 1 subnets
B 9.8.7.6 [200/100] via 2.2.2.2, 00:01:49
192.168.34.0/30 is subnetted, 1 subnets
B 192.168.34.0 [200/100] via 2.2.2.2, 00:01:49
PE2#sh ip route vrf CustA
Routing Table: CustA
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
192.168.12.0/30 is subnetted, 1 subnets
B 192.168.12.0 [200/100] via 1.1.1.1, 00:08:09
1.0.0.0/32 is subnetted, 1 subnets
B 1.2.3.4 [200/100] via 1.1.1.1, 00:08:09
2.0.0.0/32 is subnetted, 1 subnets
B 2.3.4.5 [200/100] via 1.1.1.1, 00:08:09
3.0.0.0/32 is subnetted, 1 subnets
B 3.4.5.6 [200/100] via 1.1.1.1, 00:08:09
4.0.0.0/32 is subnetted, 1 subnets
B 4.5.6.7 [200/100] via 1.1.1.1, 00:08:09
6.0.0.0/32 is subnetted, 1 subnets
B 6.5.4.3 [20/100] via 192.168.34.1, 00:02:00
7.0.0.0/32 is subnetted, 1 subnets
B 7.6.5.4 [20/100] via 192.168.34.1, 00:02:00
8.0.0.0/32 is subnetted, 1 subnets
B 8.7.6.5 [20/100] via 192.168.34.1, 00:02:00
9.0.0.0/32 is subnetted, 1 subnets
B 9.8.7.6 [20/100] via 192.168.34.1, 00:02:00
192.168.34.0/24 is variably subnetted, 2 subnets, 2 masks
B 192.168.34.0/30 [20/100] via 192.168.34.1, 00:02:00
C 192.168.34.0/24 is directly connected, Serial0/0
OK, so the PE routers appear to be happy enough with the situation.
What's the problem? Let's have a look at the BGP updates coming in:
CE1#debug ip bgp updates
BGP updates debugging is on for address family: IPv4 Unicast
CE1#clear ip bgp *
*Mar 1 01:02:23.675: %BGP-5-ADJCHANGE: neighbor 192.168.12.2 Down User reset
*Mar 1 01:02:50.755: %BGP-5-ADJCHANGE: neighbor 192.168.12.2 Up
*Mar 1 01:02:50.763: BGP(0): 192.168.12.2 rcv UPDATE w/ attr: nexthop 192.168.12.2, origin ?, originator 0.0.0.0, path 666 64512, community , extended community
*Mar 1 01:02:50.763: BGP(0): 192.168.12.2 rcv UPDATE about 192.168.34.0/30 -- DENIED due to: AS-PATH contains our own AS;
*Mar 1 01:02:50.763: BGP(0): 192.168.12.2 rcv UPDATE about 9.8.7.6/32 -- DENIED due to: AS-PATH contains our own AS;
*Mar 1 01:02:50.763: BGP(0): 192.168.12.2 rcv UPDATE about 8.7.6.5/32 -- DENIED due to: AS-PATH contains our own AS;
*Mar 1 01:02:50.767: BGP(0): 192.168.12.2 rcv UPDATE about 7.6.5.4/32 -- DENIED due to: AS-PATH contains our own AS;
*Mar 1 01:02:50.767: BGP(0): 192.168.12.2 rcv UPDATE about 6.5.4.3/32 -- DENIED due to: AS-PATH contains our own AS;
Well, this explains it. BGP loop prevention is based on the AS-PATH: CE1 and CE2 are both allocated the same ASN, so each CE sees its own ASN in the path of the other site's prefixes and drops them. We need to fix this.
CE1 EBGP AS 64512 - EBGP AS 666 PE1 I-MPBGP AS 666 PE2 EBGP AS 666 - EBGP AS 64512 CE2
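To make this kind of triage repeatable, here is an added Python example (not from the original post, and not an IOS feature) that parses the "debug ip bgp updates" lines above, groups the denied prefixes by neighbour and reason, and counts how often the local ASN appears in the received AS-PATH. The sample lines are constructed from the post's own output, and the local ASN 64512 is CE1's; the regular expressions assume the 12.4-era debug format shown on the page.

```python
import re
from collections import defaultdict

# Constructed sample: the 'debug ip bgp updates' lines CE1 (AS 64512) printed above.
SAMPLE_DEBUG = """\
*Mar 1 01:02:50.755: %BGP-5-ADJCHANGE: neighbor 192.168.12.2 Up
*Mar 1 01:02:50.763: BGP(0): 192.168.12.2 rcv UPDATE w/ attr: nexthop 192.168.12.2, origin ?, originator 0.0.0.0, path 666 64512, community , extended community
*Mar 1 01:02:50.763: BGP(0): 192.168.12.2 rcv UPDATE about 192.168.34.0/30 -- DENIED due to: AS-PATH contains our own AS;
*Mar 1 01:02:50.763: BGP(0): 192.168.12.2 rcv UPDATE about 9.8.7.6/32 -- DENIED due to: AS-PATH contains our own AS;
*Mar 1 01:02:50.767: BGP(0): 192.168.12.2 rcv UPDATE about 6.5.4.3/32 -- DENIED due to: AS-PATH contains our own AS;
"""

# One attribute line precedes the NLRI lines that share those attributes.
ATTR_RE = re.compile(
    r"BGP\(\d+\): (?P<nbr>\S+) rcv UPDATE w/ attr: .*?\bpath (?P<path>[\d ]*),"
)
DENY_RE = re.compile(
    r"BGP\(\d+\): (?P<nbr>\S+) rcv UPDATE about (?P<prefix>\S+) -- DENIED due to: (?P<reason>[^;]+);"
)


def parse_denied_updates(debug_text, local_as):
    """Summarise denied inbound updates per neighbour.

    Returns {neighbour: {"path": [asn, ...], "own_as_hits": n,
                          "denied": {reason: [prefix, ...]}}}.
    'path' is the most recent AS-PATH seen from that neighbour and
    'own_as_hits' is how often local_as occurs in it, which is also the
    smallest allowas-in value that would let those prefixes through.
    """
    summary = defaultdict(lambda: {"path": [], "own_as_hits": 0, "denied": defaultdict(list)})
    for line in debug_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            path = [int(asn) for asn in m.group("path").split()]
            entry = summary[m.group("nbr")]
            entry["path"] = path
            entry["own_as_hits"] = path.count(local_as)
            continue
        m = DENY_RE.search(line)
        if m:
            summary[m.group("nbr")]["denied"][m.group("reason").strip()].append(m.group("prefix"))
    # Convert the nested defaultdicts to plain dicts for callers.
    return {nbr: {"path": e["path"], "own_as_hits": e["own_as_hits"], "denied": dict(e["denied"])}
            for nbr, e in summary.items()}


if __name__ == "__main__":
    for nbr, info in parse_denied_updates(SAMPLE_DEBUG, 64512).items():
        print(f"neighbour {nbr}: path {info['path']} (our ASN seen {info['own_as_hits']}x)")
        for reason, prefixes in info["denied"].items():
            print(f"  {reason}: {', '.join(prefixes)}")
```

Run against the lines above it reports one neighbour, 192.168.12.2, with path 666 64512, our ASN seen once, and the three sample prefixes denied because the AS-PATH contains our own AS. The own_as_hits value is the number to feed into allowas-in if you choose Option 1 below.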
Option 1 - allow-as-in on the CE
CE1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CE1(config)#router bgp 64512
CE1(config-router)#neighbor 192.168.12.2 allowas-in ?
<1-10> Number of occurances of AS number
CE1(config-router)#neighbor 192.168.12.2 allowas-in 1
This adds some flexibility to the AS-PATH check: in this case, if our ASN already appears once in the path, it's OK to accept the route. Bear in mind that this deliberately relaxes BGP's loop prevention on that neighbour, so the count should be no higher than the topology needs.
CE1(config-router)#do clear ip bgp * soft
CE1(config-router)#do sh ip route bgp
6.0.0.0/32 is subnetted, 1 subnets
B 6.5.4.3 [20/0] via 192.168.12.2, 00:00:11
7.0.0.0/32 is subnetted, 1 subnets
B 7.6.5.4 [20/0] via 192.168.12.2, 00:00:11
8.0.0.0/32 is subnetted, 1 subnets
B 8.7.6.5 [20/0] via 192.168.12.2, 00:00:11
9.0.0.0/32 is subnetted, 1 subnets
B 9.8.7.6 [20/0] via 192.168.12.2, 00:00:11
192.168.34.0/30 is subnetted, 1 subnets
B 192.168.34.0 [20/0] via 192.168.12.2, 00:00:11
Let's see the AS path:
CE1(config-router)#do sh ip bgp
BGP table version is 31, local router ID is 4.5.6.7
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.2.3.4/32 0.0.0.0 100 32768 ?
*> 2.3.4.5/32 0.0.0.0 100 32768 ?
*> 3.4.5.6/32 0.0.0.0 100 32768 ?
*> 4.5.6.7/32 0.0.0.0 100 32768 ?
*> 6.5.4.3/32 192.168.12.2 0 666 64512 ?
*> 7.6.5.4/32 192.168.12.2 0 666 64512 ?
*> 8.7.6.5/32 192.168.12.2 0 666 64512 ?
*> 9.8.7.6/32 192.168.12.2 0 666 64512 ?
*> 192.168.12.0/30 0.0.0.0 100 32768 ?
*> 192.168.34.0/30 192.168.12.2 0 666 64512 ?
Option 2 - as-override on the PE
An alternative method is for the PE to overwrite the customer's ASN in the AS-PATH with the provider's own ASN as it advertises the route to the CE, so the AS-PATH loop check doesn't fail on the local CE:
PE2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PE2(config)#router bgp 666
PE2(config-router)#address-family ipv4 unicast vrf CustA
PE2(config-router-af)#neighbor 192.168.34.1 as-override
PE2(config-router-af)#do clear ip bgp * soft
Now let's see if CE2 is happy:
CE2#sh ip route bgp
192.168.12.0/30 is subnetted, 1 subnets
B 192.168.12.0 [20/0] via 192.168.34.2, 00:02:46
1.0.0.0/32 is subnetted, 1 subnets
B 1.2.3.4 [20/0] via 192.168.34.2, 00:02:46
2.0.0.0/32 is subnetted, 1 subnets
B 2.3.4.5 [20/0] via 192.168.34.2, 00:02:46
3.0.0.0/32 is subnetted, 1 subnets
B 3.4.5.6 [20/0] via 192.168.34.2, 00:02:46
4.0.0.0/32 is subnetted, 1 subnets
B 4.5.6.7 [20/0] via 192.168.34.2, 00:02:46
Yep, and what is the AS path?
CE2#sh ip bgp
BGP table version is 21, local router ID is 9.8.7.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.2.3.4/32 192.168.34.2 0 666 666 ?
*> 2.3.4.5/32 192.168.34.2 0 666 666 ?
*> 3.4.5.6/32 192.168.34.2 0 666 666 ?
*> 4.5.6.7/32 192.168.34.2 0 666 666 ?
*> 6.5.4.3/32 0.0.0.0 100 32768 ?
*> 7.6.5.4/32 0.0.0.0 100 32768 ?
*> 8.7.6.5/32 0.0.0.0 100 32768 ?
*> 9.8.7.6/32 0.0.0.0 100 32768 ?
*> 192.168.12.0/30 192.168.34.2 0 666 666 ?
*> 192.168.34.0/30 0.0.0.0 100 32768 ?
So the final test - L3 data plane connectivity:
CE2#ping 1.2.3.4 source 9.8.7.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.3.4, timeout is 2 seconds:
Packet sent with a source address of 9.8.7.6
!!!!!
It seems like for the CCIE lab there is usually more than one way to do something, and quite often you will be restricted from using particular methods, so it is always handy to have an alternate up your sleeve.
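To see exactly why the two options produce the AS paths shown above (666 64512 with allowas-in, 666 666 with as-override), here is an added Python model of the loop check, not code from the post and not an IOS implementation. It assumes the post's topology (CE2 -> PE2 -> PE1 -> CE1 with both CEs in AS 64512 and the provider in AS 666) and goes one step beyond the post by also feeding in a prefix that has already been round the provider once, to show what each option does with a genuine loop.

```python
"""Model of the BGP AS-PATH loop check with allowas-in and as-override.
Constructed example; the ASNs match the post's lab."""

CE_AS = 64512   # both customer sites share this ASN, as in the post
SP_AS = 666     # provider ASN


def ebgp_advertise(as_path, local_as):
    """An EBGP speaker prepends its own ASN before sending to a neighbour."""
    return [local_as] + list(as_path)


def ebgp_advertise_as_override(as_path, local_as, neighbor_as):
    """as-override: before prepending, rewrite every occurrence of the
    neighbour's ASN to our own, so the neighbour never sees itself in the path."""
    return [local_as] + [local_as if asn == neighbor_as else asn for asn in as_path]


def inbound_loop_check(as_path, local_as, allowas_in=0):
    """Default rule: deny if our ASN is in the path at all. allowas-in N
    relaxes this to 'deny only if it appears more than N times'."""
    if as_path.count(local_as) > allowas_in:
        return False, "DENIED due to: AS-PATH contains our own AS"
    return True, "accepted"


def propagate(origin_path, ce_allowas_in=0, pe_as_override=False):
    """Carry one prefix CE2 -> PE2 -> (MP-iBGP) -> PE1 -> CE1 and return
    (path as received by CE1, accepted?, verdict text)."""
    path = ebgp_advertise(origin_path, CE_AS)               # CE2 -> PE2, EBGP
    # PE2 -> PE1 is iBGP (VPNv4): the AS-PATH is carried unchanged.
    if pe_as_override:
        path = ebgp_advertise_as_override(path, SP_AS, CE_AS)  # PE1 -> CE1
    else:
        path = ebgp_advertise(path, SP_AS)                     # PE1 -> CE1
    accepted, verdict = inbound_loop_check(path, CE_AS, ce_allowas_in)
    return path, accepted, verdict


def run_scenarios():
    """The states the post walks through, plus one genuine loop."""
    # A prefix that already carries '666 64512' has been through the
    # provider once before, i.e. the customer is re-advertising it.
    looped = [SP_AS, CE_AS]
    return {
        "default": propagate([]),
        "allowas-in 1": propagate([], ce_allowas_in=1),
        "as-override": propagate([], pe_as_override=True),
        "allowas-in 1, genuine loop": propagate(looped, ce_allowas_in=1),
        "as-override, genuine loop": propagate(looped, pe_as_override=True),
    }


if __name__ == "__main__":
    for name, (path, ok, verdict) in run_scenarios().items():
        print(f"{name:28s} path {' '.join(map(str, path)):24s} {verdict}")
```

The default case reproduces the debug output (path 666 64512, denied); allowas-in 1 accepts that same path, and as-override turns it into 666 666. The two extra cases show the trade-off: allowas-in 1 still catches a path in which 64512 appears twice, whereas as-override rewrites every occurrence and so hides the loop from the CE, which is why it is normally paired with a site-of-origin check on the PE.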
Tuesday, 12 October 2010
IOS Based Menu Configuration
I've never really had a need to create router based menus before, however there is a requirement in the blueprint to be able to know how to do it.
Part 4: Managing Connections, Menus, and System Banners has what we want (by the way if you decide to go to the Network Management Configuration Guide - there is a different framework called Embedded Menu Manager which relies on XML based configs and is not what you want at all)
Task:
When user NetDiag (password NetDiag) logs into the router immediately provide them a diagnostics menu to be able to quickly ping and traceroute other routers.
This task is actually two parts - the menu and the setting the account for the user to automatically start the menu.
Subtask 1 - the Menu:
Multiple Menus can exist and call other menus, so they each need a name to identify them, in this example I'm just going to use "diag". Defining a menu title is required - just like setting a banner, as it is a free-form string, you need to select a character that lets the router know that this is the end of input (we're using the ^ character here)
After the menu, we'll show the list of options and the descriptions of each option
R1(config)#menu diag text 1 Ping R2
R1(config)#menu diag text 2 Ping R3
R1(config)#menu diag text 3 Traceroute R2
R1(config)#menu diag text 4 Traceroute R3
R1(config)#menu diag text x Exit
Now we enter the actual commands we want to execute for each option
R1(config)#menu diag command 1 ping 200.0.0.2 repeat 2 source loopback0
R1(config)#menu diag command 2 ping 200.0.0.3 repeat 2 source loopback0
R1(config)#menu diag command 3 trace 200.0.0.2 source loopback0
R1(config)#menu diag command 4 trace 200.0.0.3 source loopback0
R1(config)#menu diag command x menu-exit
If you like, you can also specify the message prompt when requesting a menu selection
R1(config)#menu diag prompt $
Enter TEXT message. End with the character '$'
What is thy wish Master? $
Optionally, we can pause the display after each command before presenting the menu again - this would only be worth using if we cleared the screen before displaying the menu
To Test:
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 200.0.0.1
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 4/6/8 ms
--More--
Subtask 2 - Autocommand:
With the menu is sorted - time to create the user and enable them to only have access to the menu. This will be achieved with the autocommand which gets run as soon as the user connects.
R1(config)#username NetDiag password NetDiag
R1(config)#username NetDiag autocommand menu diag
If you noticed in the menu commands, extended ping commands are used which require enable mode.
R1(config)#username NetDiag privilege 15
Make sure we are allowing users to telnet in to us
R1(config)#line vty 0 4
R1(config-line)#login local
Let's test it from R6.
The only possible problem here is when we exit the menu, we are at the CLI prompt with a user in enable mode. If you wanted to disconnect the user when they exit the menu, change it so that they are logged out instead:
Where to find info about this on the Cisco Website:
www.cisco.com -> Support -> IOS and NX-OS Software -> Cisco IOS -> 12.4 Family -> 12.4T -> Configuration Guides -> Configuration Fundamentals Configuration GuidePart 4: Managing Connections, Menus, and System Banners has what we want (by the way if you decide to go to the Network Management Configuration Guide - there is a different framework called Embedded Menu Manager which relies on XML based configs and is not what you want at all)
Task:
When user NetDiag (password NetDiag) logs into the router immediately provide them a diagnostics menu to be able to quickly ping and traceroute other routers.
This task is actually two parts - the menu and the setting the account for the user to automatically start the menu.
Subtask 1 - the Menu:
Multiple Menus can exist and call other menus, so they each need a name to identify them, in this example I'm just going to use "diag". Defining a menu title is required - just like setting a banner, as it is a free-form string, you need to select a character that lets the router know that this is the end of input (we're using the ^ character here)
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#menu diag title ^
Enter TEXT message. End with the character '^'
####################
# Diagnostics Menu #
####################^
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#menu diag title ^
Enter TEXT message. End with the character '^'
####################
# Diagnostics Menu #
####################^
After the menu, we'll show the list of options and the descriptions of each option
R1(config)#menu diag text 1 Ping R2
R1(config)#menu diag text 2 Ping R3
R1(config)#menu diag text 3 Traceroute R2
R1(config)#menu diag text 4 Traceroute R3
R1(config)#menu diag text x Exit
Now we enter the actual commands we want to execute for each option
R1(config)#menu diag command 1 ping 200.0.0.2 repeat 2 source loopback0
R1(config)#menu diag command 2 ping 200.0.0.3 repeat 2 source loopback0
R1(config)#menu diag command 3 trace 200.0.0.2 source loopback0
R1(config)#menu diag command 4 trace 200.0.0.3 source loopback0
R1(config)#menu diag command x menu-exit
If you like, you can also specify the message prompt when requesting a menu selection
R1(config)#menu diag prompt $
Enter TEXT message. End with the character '$'
What is thy wish Master? $
Optionally, we can pause the display after each command before presenting the menu again. This is only worth using if we also clear the screen before displaying the menu:
R1(config)#menu diag clear-screen
R1(config)#menu diag option 1 pause
R1(config)#menu diag option 2 pause
R1(config)#menu diag option 3 pause
R1(config)#menu diag option 4 pause
To Test:
R1(config)#do menu diag
####################
# Diagnostics Menu #
####################
1 Ping R2
2 Ping R3
3 Traceroute R2
4 Traceroute R3
x Exit
What is thy wish Master? 1
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 200.0.0.1
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 4/6/8 ms
--More--
Subtask 2 - Autocommand:
With the menu sorted, it's time to create the user and restrict them to the menu only. This is achieved with an autocommand, which runs as soon as the user connects.
R1(config)#username NetDiag password NetDiag
R1(config)#username NetDiag autocommand menu diag
As you may have noticed, the menu commands use extended ping and traceroute (with a source interface), which require enable mode, so the account needs privilege 15:
R1(config)#username NetDiag privilege 15
Make sure we are allowing users to telnet in to us, authenticating against the local user database:
R1(config)#line vty 0 4
R1(config-line)#login local
Let's test it from R6.
R6#telnet 200.0.0.1
Trying 200.0.0.1 ... Open
User Access Verification
Username: NetDiag
Password:
####################
# Diagnostics Menu #
####################
1 Ping R2
2 Ping R3
3 Traceroute R2
4 Traceroute R3
x Exit
What is thy wish Master? x
R1#
The only possible problem here is that when we exit the menu, we are left at the CLI prompt as a user in enable mode. If you want the user disconnected when they exit the menu, change the exit option so that they are logged out instead:
R1(config)#menu diag command x logout
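As an added illustration (not from the original post), here is a small Python audit that reads an IOS-style config and flags accounts whose autocommand menu hands the session back to a privilege-15 prompt via menu-exit rather than ending it with logout. The sample config is constructed to mirror the NetDiag account above plus a second, lower-privilege account; the function names are my own.

```python
import re

# Constructed sample running-config modelled on the post's NetDiag account,
# plus a second account whose menu exits with 'logout' (not captured from
# the author's R1).
SAMPLE_CONFIG = """\
username NetDiag password NetDiag
username NetDiag privilege 15
username NetDiag autocommand menu diag
username Helpdesk password Helpdesk
username Helpdesk autocommand menu help
menu diag title ^
####################
# Diagnostics Menu #
####################^
menu diag text 1 Ping R2
menu diag command 1 ping 200.0.0.2 repeat 2 source loopback0
menu diag text x Exit
menu diag command x menu-exit
menu help text 1 Interfaces
menu help command 1 show ip interface brief
menu help text x Exit
menu help command x logout
"""

PRIV_RE = re.compile(r"^username (\S+) privilege (\d+)$")
AUTOCMD_RE = re.compile(r"^username (\S+) autocommand menu (\S+)$")
MENU_CMD_RE = re.compile(r"^menu (\S+) command \S+ (.+)$")


def audit_menu_users(config):
    """Map each account whose autocommand starts a menu to
    (menu, privilege level, sorted exit commands). 'menu-exit' returns the
    user to an EXEC prompt at the account's privilege level; 'logout' ends
    the session. Accounts without 'privilege N' default to level 1."""
    privilege, menus, commands = {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = PRIV_RE.match(line)
        if m:
            privilege[m.group(1)] = int(m.group(2))
            continue
        m = AUTOCMD_RE.match(line)
        if m:
            menus[m.group(1)] = m.group(2)
            continue
        m = MENU_CMD_RE.match(line)
        if m:
            commands.setdefault(m.group(1), set()).add(m.group(2))
    report = {}
    for user, menu in menus.items():
        exits = sorted(c for c in commands.get(menu, ())
                       if c in ("menu-exit", "logout"))
        report[user] = (menu, privilege.get(user, 1), exits)
    return report


def privileged_cli_escapes(config):
    """Accounts for which leaving the menu lands on a privilege-15 prompt:
    the case the post fixes with 'menu diag command x logout'."""
    return sorted(user for user, (_, level, exits)
                  in audit_menu_users(config).items()
                  if level >= 15 and "menu-exit" in exits)


if __name__ == "__main__":
    for user, detail in audit_menu_users(SAMPLE_CONFIG).items():
        print(user, detail)
    print("privileged CLI escape:", privileged_cli_escapes(SAMPLE_CONFIG))
```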
Friday, 1 October 2010
BGP Route Aggregation and unsuppress-map
Route aggregation is a generally good thing to do.
When you enable it within your BGP instance with the "summary-only" keyword, the contributing routes are suppressed from being advertised to all of your peers. In some cases, though, you may not want to suppress the contributing routes for certain peers and need a way to override this global behaviour on an individual peer basis.
Through the application of the Swiss army knife known as a route-map, in conjunction with the "unsuppress-map" keyword on your neighbor declaration, it is possible to allow the more-specific routes to still be advertised.
In my configuration example, I have three routers, R4, R5 and R6 in a string where R5 is directly peering with R4 and R6.
R4 Configuration
hostname R4
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
description To R5 Fa0/0
ip address 100.100.45.4 255.255.255.0
duplex auto
speed auto
!
router bgp 64512
no synchronization
bgp router-id 4.4.4.4
bgp log-neighbor-changes
network 4.4.4.4 mask 255.255.255.255
neighbor 100.100.45.5 remote-as 64513
no auto-summary
!
R5 Initial Configuration
hostname R5
interface Loopback0
ip address 5.5.5.5 255.255.255.255
!
interface Loopback10
ip address 192.168.1.1 255.255.255.0
!
interface Loopback11
ip address 192.168.2.1 255.255.255.0
!
interface Loopback12
ip address 192.168.3.1 255.255.255.0
!
interface Loopback20
ip address 172.16.0.1 255.255.255.0
!
interface Loopback21
ip address 172.16.7.1 255.255.255.0
!
interface FastEthernet0/0
description R4 Fa0/0
ip address 100.100.45.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description R5 Fa0/1
ip address 100.100.56.5 255.255.255.0
duplex auto
speed auto
!
router bgp 64513
no synchronization
bgp router-id 5.5.5.5
bgp log-neighbor-changes
network 5.5.5.5 mask 255.255.255.255
network 172.16.0.0 mask 255.255.255.0
network 172.16.7.0 mask 255.255.255.0
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
aggregate-address 172.16.0.0 255.255.248.0 summary-only
aggregate-address 192.168.0.0 255.255.252.0 summary-only
neighbor 100.100.45.4 remote-as 64512
neighbor 100.100.56.6 remote-as 64514
no auto-summary
!
R6 Configuration
hostname R6
interface Loopback0
ip address 6.6.6.6 255.255.255.255
!
interface FastEthernet0/1
description R5 Fa0/1
ip address 100.100.56.6 255.255.255.0
duplex auto
speed auto
!
router bgp 64514
no synchronization
bgp log-neighbor-changes
network 6.6.6.6 mask 255.255.255.255
neighbor 100.100.56.5 remote-as 64513
no auto-summary
!
As you can see, the loopbacks on R5 are summarised by the "aggregate-address" commands, and the "summary-only" keyword suppresses the contributing routes from being advertised.
Let's have a look at what R4 and R6 see:
R4#sh ip route bgp
5.0.0.0/32 is subnetted, 1 subnets
B 5.5.5.5 [20/0] via 100.100.45.5, 00:09:48
6.0.0.0/32 is subnetted, 1 subnets
B 6.6.6.6 [20/0] via 100.100.45.5, 00:10:18
172.16.0.0/21 is subnetted, 1 subnets
B 172.16.0.0 [20/0] via 100.100.45.5, 00:09:48
B 192.168.0.0/22 [20/0] via 100.100.45.5, 00:09:48
R6#sh ip route bgp
4.0.0.0/32 is subnetted, 1 subnets
B 4.4.4.4 [20/0] via 100.100.56.5, 00:10:29
5.0.0.0/32 is subnetted, 1 subnets
B 5.5.5.5 [20/0] via 100.100.56.5, 00:09:59
172.16.0.0/21 is subnetted, 1 subnets
B 172.16.0.0 [20/0] via 100.100.56.5, 00:09:59
B 192.168.0.0/22 [20/0] via 100.100.56.5, 00:09:59
Which certainly matches what R5 says it's doing:
R5#sh ip bgp neighbors 100.100.45.4 advertised-routes
BGP table version is 16, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 4.4.4.4/32 100.100.45.4 0 0 64512 i
*> 5.5.5.5/32 0.0.0.0 0 32768 i
*> 6.6.6.6/32 100.100.56.6 0 0 64514 i
*> 172.16.0.0/21 0.0.0.0 32768 i
*> 192.168.0.0/22 0.0.0.0 32768 i
Total number of prefixes 5
R5#sh ip bgp neighbors 100.100.56.6 advertised-routes
BGP table version is 16, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 4.4.4.4/32 100.100.45.4 0 0 64512 i
*> 5.5.5.5/32 0.0.0.0 0 32768 i
*> 6.6.6.6/32 100.100.56.6 0 0 64514 i
*> 172.16.0.0/21 0.0.0.0 32768 i
*> 192.168.0.0/22 0.0.0.0 32768 i
Total number of prefixes 5
Let's say, for argument's sake, we want the specific routes from 192.168.0.0/22 to appear on R4 and the specific routes from 172.16.0.0/21 to appear on R6.
The way we do this is to give each neighbor an unsuppress-map (a route-map); contributing routes that match it are advertised to that peer despite summary-only. In this example, the route-map for R4 matches the routes with an access list, and the route-map for R6 uses a prefix-list:
R5(config)#router bgp 64513
R5(config-router)#neighbor 100.100.45.4 unsuppress-map UnsuppressR4
R5(config-router)#neighbor 100.100.56.6 unsuppress-map UnsuppressR6
R5(config-router)#route-map UnsuppressR4
R5(config-route-map)#match ip address 4
R5(config-route-map)#exit
R5(config)#access-list 4 permit 192.168.0.0 0.0.3.255
R5(config)#route-map UnsuppressR6
R5(config-route-map)#match ip address prefix-list R6
R5(config-route-map)#exit
R5(config)#ip prefix-list R6 permit 172.16.0.0/21
After clearing the peerings (clear ip bgp *) and waiting for BGP to come up and stabilise, let's see what R5 is advertising to its peers.
Below we can see that R5 is advertising some routes with the "s" flag, which means they are suppressed by the aggregate but are being advertised to this neighbor anyway:
R5#sh ip bgp neighbors 100.100.45.4 advertised-routes
BGP table version is 16, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 5.5.5.5/32 0.0.0.0 0 32768 i
*> 6.6.6.6/32 100.100.56.6 0 0 64514 i
*> 172.16.0.0/21 0.0.0.0 32768 i
*> 192.168.0.0/22 0.0.0.0 32768 i
s> 192.168.1.0 0.0.0.0 0 32768 i
s> 192.168.2.0 0.0.0.0 0 32768 i
s> 192.168.3.0 0.0.0.0 0 32768 i
R4>sh ip route bgp
5.0.0.0/32 is subnetted, 1 subnets
B 5.5.5.5 [20/0] via 100.100.45.5, 00:02:45
6.0.0.0/32 is subnetted, 1 subnets
B 6.6.6.6 [20/0] via 100.100.45.5, 00:03:31
172.16.0.0/21 is subnetted, 1 subnets
B 172.16.0.0 [20/0] via 100.100.45.5, 00:02:45
B 192.168.1.0/24 [20/0] via 100.100.45.5, 00:02:45
B 192.168.2.0/24 [20/0] via 100.100.45.5, 00:02:45
B 192.168.3.0/24 [20/0] via 100.100.45.5, 00:02:45
B 192.168.0.0/22 [20/0] via 100.100.45.5, 00:02:45
Now here is a problem on R5... we aren't advertising the specific routes for the 172.16.0.0/21 network to R6!
R5#sh ip bgp neighbors 100.100.56.6 advertised-routes
BGP table version is 16, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 4.4.4.4/32 100.100.45.4 0 0 64512 i
*> 5.5.5.5/32 0.0.0.0 0 32768 i
*> 172.16.0.0/21 0.0.0.0 32768 i
*> 192.168.0.0/22 0.0.0.0 32768 i
Total number of prefixes 4
The problem is that the prefix-list only matches the summary route itself (an exact /21) and not the contributing /24 routes. All we need to do is fix up the prefix-list so that it also matches the longer prefixes, and all should be well:
R5(config)#no ip prefix-list R6 permit 172.16.0.0/21
R5(config)#ip prefix-list R6 permit 172.16.0.0/21 le 24
R5(config)#do clear ip bgp 100.100.56.6 soft
R5(config)#do sh ip bgp nei 100.100.56.6 adv
BGP table version is 16, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 4.4.4.4/32 100.100.45.4 0 0 64512 i
*> 5.5.5.5/32 0.0.0.0 0 32768 i
s> 172.16.0.0/24 0.0.0.0 0 32768 i
*> 172.16.0.0/21 0.0.0.0 32768 i
s> 172.16.7.0/24 0.0.0.0 0 32768 i
*> 192.168.0.0/22 0.0.0.0 32768 i
Total number of prefixes 6
Things are now working as expected, and R6 agrees:
R6>sh ip route bgp
4.0.0.0/32 is subnetted, 1 subnets
B 4.4.4.4 [20/0] via 100.100.56.5, 00:09:45
5.0.0.0/32 is subnetted, 1 subnets
B 5.5.5.5 [20/0] via 100.100.56.5, 00:08:58
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
B 172.16.7.0/24 [20/0] via 100.100.56.5, 00:02:03
B 172.16.0.0/24 [20/0] via 100.100.56.5, 00:02:03
B 172.16.0.0/21 [20/0] via 100.100.56.5, 00:08:58
B 192.168.0.0/22 [20/0] via 100.100.56.5, 00:08:58
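As an added example, not part of the original post, this Python models the two match types used in the unsuppress-maps above (standard ACL wildcard matching versus prefix-list matching with and without "le") and shows why the R4 map worked first time while the R6 map needed "le 24". The aggregate/contributor table is built from the R5 configuration in the post; the function names are my own.

```python
import ipaddress

# Constructed from the R5 configuration in the post: each aggregate and the
# routes that contribute to it (and are therefore suppressed by summary-only).
AGGREGATES = {
    "172.16.0.0/21": ["172.16.0.0/24", "172.16.7.0/24"],
    "192.168.0.0/22": ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"],
}


def wildcard_match(route, acl_addr, acl_wild):
    """'match ip address <acl>' with a standard ACL: compares only the route's
    network address, bit for bit wherever the wildcard bit is 0. The route's
    mask length is ignored, so the /24s inside 192.168.0.0/22 match just as
    readily as the /22 itself."""
    n = int(ipaddress.IPv4Network(route).network_address)
    a = int(ipaddress.IPv4Address(acl_addr))
    care = ~int(ipaddress.IPv4Address(acl_wild)) & 0xFFFFFFFF
    return n & care == a & care


def prefix_list_match(route, entry, ge=None, le=None):
    """'ip prefix-list X permit <entry> [ge N] [le M]': the route must lie
    inside <entry>, and its mask length must equal <entry>'s length unless
    ge/le widen that range. Without le, a /21 entry matches only the /21
    aggregate and never its /24 contributors (the bug in the post)."""
    r = ipaddress.IPv4Network(route)
    base = ipaddress.IPv4Network(entry)
    if r.network_address not in base or r.prefixlen < base.prefixlen:
        return False
    lo = base.prefixlen if ge is None else ge
    if le is not None:
        hi = le
    else:
        hi = 32 if ge is not None else base.prefixlen
    return lo <= r.prefixlen <= hi


def unsuppressed(aggregate, matcher):
    """Contributing routes of 'aggregate' that an unsuppress-map built on
    'matcher' lets through to the neighbour despite summary-only."""
    return [c for c in AGGREGATES[aggregate] if matcher(c)]


# The three route-maps from the post.
def unsuppress_r4(route):         # access-list 4 permit 192.168.0.0 0.0.3.255
    return wildcard_match(route, "192.168.0.0", "0.0.3.255")


def unsuppress_r6_broken(route):  # ip prefix-list R6 permit 172.16.0.0/21
    return prefix_list_match(route, "172.16.0.0/21")


def unsuppress_r6_fixed(route):   # ip prefix-list R6 permit 172.16.0.0/21 le 24
    return prefix_list_match(route, "172.16.0.0/21", le=24)


if __name__ == "__main__":
    print("R4       :", unsuppressed("192.168.0.0/22", unsuppress_r4))
    print("R6 broken:", unsuppressed("172.16.0.0/21", unsuppress_r6_broken))
    print("R6 fixed :", unsuppressed("172.16.0.0/21", unsuppress_r6_fixed))
```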