Cisco Support Community

New Member

BGP Configuration Question

I am implementing BGP at my site. I have an AS number from ARIN (aaa), a /24 subnet (zzz.zzz.zzz.0), and I am multihomed to two ISPs as shown.

                          |
                          | <-- (Int F0/1 to /24 Ethernet network
                          |      IP: zzz.zzz.zzz.1)
                          |
      +-----------------------------------------+
      |                                         |
      |            Cisco 3725 Router            |
      |                ASN ccc                  |
      |                                         |
      +-----------------------------------------+
        |                                     |
    T   | <-- (Int S0/0 to ISP1          1    | <-- (Int F0/0 to ISP2
    1   |      IP: xxx.xxx.xxx.38)       0    |      IP: yyy.yyy.yyy.254)
        |                                M    |
    L   |                                b    |
    I   |                                     |
    N   |                                L    |
    E   | <-- (IP: xxx.xxx.xxx.37)       I    | <-- (IP: yyy.yyy.yyy.253)
        |                                N    |
        |                                E    |
  +------------+                      +------------+
  |   ISP 1    |                      |   ISP 2    |
  |  ASN aaa   |                      |  ASN bbb   |
  |            |                      |            |
  +------------+                      +------------+

With a basic BGP setup (below) I am unable to receive ICMP echo replies from my router's S0/0 interface (xxx.xxx.xxx.38) from most external hosts. If I shut down int f0/0, remote hosts can receive ping replies from s0/0 almost immediately. Then, when f0/0 is brought back up, the replies from s0/0 stop.

Basic BGP setup:

router bgp ccc
 network zzz.zzz.zzz.0 mask 255.255.255.0
 neighbor xxx.xxx.xxx.37 remote-as aaa
 neighbor xxx.xxx.xxx.37 activate
 neighbor yyy.yyy.yyy.253 remote-as bbb
 neighbor yyy.yyy.yyy.253 activate

In testing this a little further I have disabled BGP and set static routes. If I use xxx.xxx.xxx.37 as my default route I can ping xxx.xxx.xxx.38 and yyy.yyy.yyy.254 fine from remote hosts. However, if I set my default route to use yyy.yyy.yyy.253, remote hosts can only ping yyy.yyy.yyy.254.

I am guessing that the ICMP packets are attempting to take a different return path (through different ASes?) to the source (remote host) than the one they came in on.

Could this be the cause? If so, I would like to find more information. If not, I'm looking for suggestions.

Thanks.

14 REPLIES
Anonymous
N/A

Re: BGP Configuration Question

Here's a better diagram:

http://www.yearone.com/temp/bgpsetup.jpg

Cisco Employee

Re: BGP Configuration Question

Do you have any ACL configured on the .254 link?

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
New Member

Re: BGP Configuration Question

Are you sure that ISP2 is transiting your address space properly?

It could be that ISP2 is sending the route out to their BGP peers, but has an ACL in their network that doesn't actually allow the packets through.

A traceroute would probably help you figure out where things are dying.

= K

Cisco Employee

Re: BGP Configuration Question

Kurt,

It has nothing to do with their address space at this point. The addresses they are trying to ping belong to the respective Service Providers.

Harold Ritter
Gold

Re: BGP Configuration Question

A possible guess, though by no means positive... I wonder if it's uRPF checking? Maybe, when you have the other ISP link up, ISP aaa is actually choosing the path through ISP bbb to reach your serial link (!). I'm not certain why this would be, but it could be some weird confluence of aggregation and address space issues combined with unicast RPF configured on aaa's router, somehow.

I think you are using two different address spaces, one from each provider, right? Are you advertising both address spaces out to both providers? If you are, then maybe you should try just advertising the address space they've assigned back to them, and see if that works. If it does, then you probably need to call both of them, and tell them to punch holes in their aggregate for you.

I don't know--it seems possible that it's a uRPF problem, though.

:-)

Russ.W

Anonymous
N/A

Re: BGP Configuration Question

I am only distributing zzz.zzz.zzz.0/24 (from one ISP) and I am not announcing my ISP connections. IP verify unicast-reverse-path is NOT enabled on any interface.

After further testing, this is what I've found:

1) From remote locations, trace routes to xxx.xxx.xxx.38 and xxx.xxx.xxx.37 take the same path, and trace routes to xxx.xxx.xxx.38 make it to xxx.xxx.xxx.37 and then fail.

2) If I set a static route to a remote location through xxx.xxx.xxx.37, ping and trace route work fine to S0/0 (xxx.xxx.xxx.38).

Anonymous
N/A

Re: BGP Configuration Question

Also, here is my current running config:

version 12.2
service tcp-keepalives-in
service timestamps debug datetime
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname router1
!
logging queue-limit 100
logging buffered 262144 informational
logging console critical
enable secret 5 xxxx.
!
clock timezone EST -5
clock summer-time EDT recurring
aaa new-model
!
!
aaa authentication banner ^C
^C
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip cef
ip domain name mydomain.com
ip name-server fff.fff.fff.13
ip name-server ggg.ggg.ggg.53
!
ip audit notify log
ip audit po max-events 100
ip audit smtp spam 200
ip audit signature 2002 disable
ip audit signature 2005 disable
ip audit name IDR1 info action alarm
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
 description Main loopback interface
 ip address 10.30.0.1 255.255.255.255
!
interface FastEthernet0/0
 description XXXX.
 ip address yyy.yyy.yyy.254 255.255.255.252
 ip audit IDR1 in
 speed 100
 full-duplex
 no keepalive
 no cdp enable
!
interface Serial0/0
 no ip address
 ip audit IDR1 in
 encapsulation frame-relay IETF
 no fair-queue
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description XXXX.
 ip address xxx.xxx.xxx.38 255.255.255.252
 ip audit IDR1 in
 frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/1
 description XXXX.
 ip address zzz.zzz.zzz.1 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/1
 no ip address
 shutdown
 no cdp enable
!
router bgp ccc
 no synchronization
 no bgp log-neighbor-changes
 network zzz.zzz.zzz.0
 neighbor xxx.xxx.xxx.37 remote-as aaa
 neighbor xxx.xxx.xxx.37 route-map prepend out
 neighbor xxx.xxx.xxx.37 filter-list 5 out
 neighbor yyy.yyy.yyy.253 remote-as bbb
 neighbor yyy.yyy.yyy.253 update-source FastEthernet0/0
 neighbor yyy.yyy.yyy.253 route-map setlocal in
 neighbor yyy.yyy.yyy.253 filter-list 5 out
 no auto-summary
!
no ip http server
no ip http secure-server
ip classless
!
ip as-path access-list 5 permit ^$
!
!
logging facility local1
logging source-interface Loopback0
access-list 111 deny ip 0.0.0.0 0.255.255.255 any log-input
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 111 deny ip 172.16.0.0 0.0.255.255 any log-input
access-list 111 deny ip 169.254.0.0 0.0.255.255 any log-input
access-list 111 deny ip 192.168.0.0 0.0.0.255 any log-input
access-list 111 deny ip host 0.0.0.0 any log-input
access-list 111 deny ip 224.0.0.0 31.255.255.255 any log-input
access-list 111 deny icmp any any redirect log-input
access-list 111 deny ip 0.0.0.0 0.255.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 172.16.0.0 0.0.255.255 any
access-list 111 deny ip 169.254.0.0 0.0.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.0.255 any
access-list 111 deny ip host 0.0.0.0 any
access-list 111 deny ip 224.0.0.0 31.255.255.255 any
access-list 111 deny icmp any any redirect
no cdp run
!
route-map setlocal permit 10
 set local-preference 500
!
route-map prepend permit 10
 set as-path prepend ccc ccc
!
!
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
!
dial-peer cor custom
!
!
banner login ^C
Attention! Authorized personnel only!
^C
banner motd ^C
Attention! Authorized personnel only!
^C
!
line con 0
 password 7 xxxx
line aux 0
 exec-timeout 0 1
 no exec
line vty 0 4
 access-class 50 in
 exec-timeout 30 0
 password 7 xxxx
 transport input ssh
!
scheduler allocate 3000 1000
end

Cisco Employee

Re: BGP Configuration Question

So the ACL 111 is not applied anywhere?

Harold Ritter
Anonymous
N/A

Re: BGP Configuration Question

That is correct.

Cisco Employee

Re: BGP Configuration Question

The issue is very unlikely to be with the routing, since you are trying to ping address ranges advertised by your SPs. Do you by any chance have an outbound ACL on the serial link to your Service Providers? I think that the problem might be that the ICMP request packets are coming in one interface and are trying to go back out via the other interface but are not allowed to.

Hope this helps,

Harold Ritter
Gold

Re: BGP Configuration Question

"I am only distributing zzz.zzz.zzz.0/24 (from one ISP)"

From your configuration, that's exactly what it looks like--you're taking a /24 from one ISP, and advertising it to both ISPs. Have you looked at one of the route view servers to see what your routes look like from the other end? I don't know the specific /24, so I can't, but look at one of the route view servers, and see if the /24 exists, and what the AS path is to reach it. Then you'll know if the ISP you're getting the address space from is summarizing the route or not.

"IP verify unicast-reverse-path is NOT enabled on any interface."

I assume you've asked your ISPs this question? Your local config doesn't matter here, only your ISPs' configuration. Are all the addresses in your block reachable, and just the two serials are unreachable? If you're not advertising the serials' address space, who is? Again, it would be useful to go out to one of the route view servers, and look up the serial interface addresses, and see what the actual AS path is on both.

:-)

Russ.W

Anonymous
N/A

Re: BGP Configuration Question

View from route-views.oregon-ix.net (my /24 is 206.82.80.0 and my ASN is 32042):

BGP routing table entry for 206.82.80.0/24, version 3643872
Paths: (56 available, best #53, table Default-IP-Routing-Table)
  Not advertised to any peer
  2914 7018 7029 32042
    129.250.0.11 from 129.250.0.11 (129.250.0.88)
      Origin IGP, metric 5, localpref 100, valid, external
      Community: 2914:420 2914:2000 2914:3000 65504:7018
  16150 13237 3561 7018 7029 32042
    217.75.96.60 from 217.75.96.60 (217.75.96.60)
      Origin IGP, localpref 100, valid, external
      Community: 3561:21000 13237:44294 16150:65321 16150:65324 16150:65340
  5650 701 32042 32042 32042
    208.186.154.36 from 208.186.154.36 (207.173.112.11)
      Origin IGP, metric 0, localpref 100, valid, external
  5650 701 32042 32042 32042
    208.186.154.35 from 208.186.154.35 (207.173.112.63)
      Origin IGP, metric 0, localpref 100, valid, external
  5056 7018 7029 32042
    167.142.3.6 from 167.142.3.6 (167.142.225.101)
      Origin IGP, localpref 100, valid, external
  6395 7018 7029 32042
    216.140.8.59 from 216.140.8.59 (216.140.8.59)
      Origin IGP, metric 3, localpref 100, valid, external
      Community: 6395:200 6395:1005

My ISPs are AllTel (ASN 7029) and MCI (ASN 701). Notice that paths through both of these ISPs are shown.

Both ISPs are advertising my point-to-point networks as 'show ip bgp w.x.y.z' shows, and pings to the ISP side of the links all work from route view servers.

I am able to ping (from route view servers and other external hosts) my side of the AllTel point-to-point but not the MCI one (this is the whole issue here). However, if I disable the AllTel interface my MCI interface immediately begins to respond to ping. Also, if I set a static route in my router to a particular network over the MCI line, pings from remote hosts will work.
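As an added illustration (not code from the thread), the following Python parses route-views output in the format quoted above, then reports which upstream each path transits and how many times the origin AS was prepended, so that the views via AllTel (7029) and MCI (701) can be compared. The sample text is a constructed subset of the paths shown in the post.

```python
import re
from collections import Counter

# Constructed sample in the format of the route-views output quoted above
# (a subset of the paths shown in the post).
ROUTE_VIEWS_OUTPUT = """\
BGP routing table entry for 206.82.80.0/24, version 3643872
Paths: (56 available, best #53, table Default-IP-Routing-Table)
  Not advertised to any peer
  2914 7018 7029 32042
    129.250.0.11 from 129.250.0.11 (129.250.0.88)
      Origin IGP, metric 5, localpref 100, valid, external
      Community: 2914:420 2914:2000 2914:3000 65504:7018
  5650 701 32042 32042 32042
    208.186.154.36 from 208.186.154.36 (207.173.112.11)
      Origin IGP, metric 0, localpref 100, valid, external
  6395 7018 7029 32042
    216.140.8.59 from 216.140.8.59 (216.140.8.59)
      Origin IGP, metric 3, localpref 100, valid, external
      Community: 6395:200 6395:1005
"""

AS_PATH_RE = re.compile(r"^\s*(\d+(?: \d+)*)\s*$")      # a line of only AS numbers
NEXT_HOP_RE = re.compile(r"^\s*(\S+) from (\S+) \((\S+)\)")

def parse_paths(text):
    """Return one dict per path: AS path (ints), next hop and communities."""
    paths = []
    for line in text.splitlines():
        m = AS_PATH_RE.match(line)
        if m:  # an AS-path line opens a new path entry
            paths.append({"as_path": [int(a) for a in m.group(1).split()],
                          "next_hop": None, "communities": []})
        elif paths and (m := NEXT_HOP_RE.match(line)):
            paths[-1]["next_hop"] = m.group(1)
        elif paths and line.strip().startswith("Community:"):
            paths[-1]["communities"] = line.split(":", 1)[1].split()
    return paths

def summarize(paths, my_asn, upstreams):
    """Per path: which upstream it transits, how often my_asn was prepended
    beyond the origin, and whether the origin AS really is my_asn."""
    return [{"upstream": next((a for a in p["as_path"] if a in upstreams), None),
             "prepends": p["as_path"].count(my_asn) - 1,
             "origin_ok": p["as_path"][-1] == my_asn} for p in paths]

def upstream_counts(rows):
    """How many of the collector's paths reach the prefix via each upstream."""
    return Counter(r["upstream"] for r in rows)
```

Calling summarize(parse_paths(ROUTE_VIEWS_OUTPUT), 32042, {7029, 701}) shows the MCI paths carrying the two prepends from the route-map above while the AllTel paths carry none.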

Cisco Employee

Re: BGP Configuration Question

Again, I don't think this has anything to do with what you do and don't advertise to your SPs, since the issue occurs when you ping the interface addresses, which are under the SPs' scope.

BTW I can successfully traceroute to both x.x.x.38 and y.y.y.254 but can only ping to y.y.y.254. It has to be something related to the type of traffic and not the routing itself.

Hope this helps,

Harold Ritter
Gold

Re: BGP Configuration Question

Can you ping through the MCI line (rather than to it)? Do you know what policies MCI has set on their end (access lists and such)? They might have it blocked for admin reasons, as Harold has said.

:-)

Russ.W
