
New Member

Connection problem.

Hi,

I faced a strange issue.

The problem is like this: we have a VPN between two sites. Suddenly the VPN went down, and when we checked in detail, no packets were passing between our two VPN sites, which are located in two different locations of the world.

We did a traceroute from both locations and found that both traceroutes time out at the same ISP, which is located between our local ISPs.

H.O<=>local ISPA<=>ISP1<=>ISP2<=>ISP3<=>local ISPB<=>B.O

We contacted our local ISPA and provided the information from both traceroutes.

After one week we got information that the ISP3 routing information does not allow sending packets to ISP1.

Is it possible to set up/configure ISP3's routing to ISP2 so that it does not send packets to particular ISPs, or only sends ISP3's routing information to particular ISPs?

If possible, then which protocol is able to do this setup?

Is there any link which gives these details?

Thank you.

9 REPLIES
Silver

Re: Connection problem.

This is an external factor; it is difficult to troubleshoot, except that you can ask ISP A & B to route the packets via another path. However, the problem is: are the RTD, hop count, etc. better than on the original path?

Could you advise why ISP 3 does not allow sending packets to ISP 1? A subnet issue or a policy issue?

Hope this helps.

New Member

Re: Connection problem.

Thank you very much for the reply.

We asked for details on why ISP3 was suddenly not sending packets to ISP1, and the reply was that ISP3's routing is configured like that and the issue has been solved.

We will not be informed how it was solved.

But my doubt is how an ISP can say ISP3's routing info cannot be sent to ISP1, and how it is controlled by ISP3, as both ISP3 and ISP1 are connected through ISP2.

We think the problem will be at ISP2, but we are not sure.

The local ISPA, ISP1 and ISP2 are the same organization at different locations of the world.

ISP3 and local ISPB are the same organization too.

All are big players.

What I think is, if one ISP goes down in between, then other routes will be learned automatically and the connections can be established.

But a total blackout between two locations through the Internet is very strange, I think.

Is it possible to filter out or block the traffic to a particular IP address with the BGP protocol, which is learned by a different router and also not directly connected to that particular IP segment?

Thank you.

Silver

Re: Connection problem.

Thanks for the rating.

What I think is that it is a misconfiguration in some ISP that blocks that traffic and so causes the problem. It is not a policy issue. In the Internet world, we should be able to travel anywhere and the ISP should not block any traffic. The interconnections between ISPs should be mutually agreed for the route exchange, e.g. only accept /24 mask, etc.

Therefore, if there is such a case, push the ISP to solve it; it is their responsibility to let you communicate with the remote site w/o any problem.

On the technical side, you can simply mark some routes w/ a tag and block those marked routes. It is easy to do, and also easy to make a mistake w/o careful planning.

Hope this helps.

New Member

Re: Connection problem.

Thank you very much for the details.

The issue has been solved, but it took 1 week to solve the issue and our VPN was down too.

With this issue, I am trying to learn the technical side, i.e. how to block the traffic.

As you explained, it is possible to do it by simply marking some routes w/ a tag.

Can you please give a link which explains it and how it can be implemented?

Thank you.

Silver

Re: Connection problem.

You're welcome, and sorry for my typos; I posted to the forum w/o reviewing the content. The mark that I mentioned is the "community" in BGP. Please check the link below for reference.

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00801475b2.shtml

Or simply implement an access-control list to block the unwanted addresses.

In this case, you had better consider a backup solution to provide a backup path if the VPN goes down. You can source the most cost-effective solution from both telcos. It may be ISDN, another ISP, dial-up, etc.

Hope this helps.

New Member

Re: Connection problem.

Thank you very much for the details and link.

Maybe ISP3's new community flag value was automatically blocked at ISP2, and ISP3's routing information was not sent to ISP1 by ISP2?

Are the community flag and the route tag the same?

Thank you.

Silver

Re: Connection problem.

According to the doc, the community flag is used to tag the route, i.e. you can say they have the same function, but the community is applied to a group of routes and every route in this group is tagged. Hope this clarifies.

This is one of the ways to control the routes. As I mentioned before, one ISP may block the routes or route updates. Or one ISP may not advertise them to the remote side, or there is a loop where the route points to an incorrect next hop and finally routes back to the origin, or the traffic is routed to an unavailable location. There are many, many ways to do it, and community is usually used to mark/tag the routes, and then the defined policy is applied to those tagged routes.

If you want to know more, try reading the book Internet Routing Architecture (2nd edition). This is a great book on BGP operation and usage on the Internet.

Hope this helps.
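
The effect discussed in the posts above, modelled on the AS chain from the original question: a community set by one AS can make a transit AS stop re-advertising a route, so networks further along never learn it. This is an added example, not part of the thread or of Cisco's documentation; the prefix, the community value and both policies are constructed, and it models only a linear chain with one export filter.

```python
# Added example: community tagging plus an export filter on the thread's AS chain.
# The prefix, community value and policies are constructed for illustration.
CHAIN = ["ISPB", "ISP3", "ISP2", "ISP1", "ISPA"]   # direction B.O's route travels
PREFIX = "203.0.113.0/24"                          # documentation range
TAG = {"ISP3": {"65003:100"}}                      # ISP3 tags routes it exports
DENY = {("ISP2", "ISP1"): {"65003:100"}}           # ISP2 will not pass tagged routes to ISP1


def propagate(prefix, chain, tag_on_export, deny_on_export):
    """Advertise prefix from chain[0] hop by hop; return {AS: route} for each AS that learns it."""
    learned = {chain[0]: {"prefix": prefix, "as_path": [], "communities": set()}}
    for sender, receiver in zip(chain, chain[1:]):
        held = learned[sender]
        advert = {
            "prefix": prefix,
            "as_path": [sender] + held["as_path"],   # sender prepends itself
            "communities": held["communities"] | tag_on_export.get(sender, set()),
        }
        # Communities are transitive: the tag set at ISP3 is still attached at ISP2.
        if advert["communities"] & deny_on_export.get((sender, receiver), set()):
            break   # filtered on export; in a linear chain nobody further learns it
        learned[receiver] = advert
    return learned


def without_route(chain, learned):
    """ASes that never learned the prefix, so cannot forward traffic toward it."""
    return [asn for asn in chain if asn not in learned]


if __name__ == "__main__":
    filtered = propagate(PREFIX, CHAIN, TAG, DENY)
    print("no route at:", without_route(CHAIN, filtered))
    healthy = propagate(PREFIX, CHAIN, TAG, {})
    print("ISPA path once the filter is removed:", healthy["ISPA"]["as_path"])
```

With the filter in place, ISP1 and ISPA hold no route to the branch-office prefix even though every link in the chain is up, which matches a blackout that disappears once the policy is corrected.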

New Member

Re: Connection problem.

Thank you very much for the explanations, helped a lot in understanding.

Thank you once again.

Silver

Re: Connection problem.

You're welcome. :)
