4586 Views, 5 Helpful, 6 Replies
EBGP through a Firewall - (ebgp multihop)

velo84
Level 1

Have a question that maybe someone can help with. In the following article: http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml

With scenario 2, router11 & router21 learn a default route from the ISP routers (Router14 & Router24) through the Firewalls.

Router11:

Router11# show ip bgp
   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          172.16.13.4                   200      0 20 i
*> 10.10.20.0/24    172.16.13.4              0    200      0 64500 i
*>i10.10.30.0/24    192.168.10.2             0    100      0 64503 i
* i192.168.10.0     192.168.10.2             0    100      0 i
*>                  0.0.0.0                  0         32768 i

I understand why the output is like this (ebgp multihop), but surely there will be an issue with this because, e.g., Router11 has a next hop of 172.16.13.4 for the default route 0.0.0.0, which is not on the same segment (172.16.11.x). It shows static routes in the configuration so that Router11 can reach Router14 for the BGP peering, but surely the next hop for the default route would need to be on the same segment as Router11 (172.16.11.x).

The two routers are sharing routes via EBGP, but what would be the flow of normal traffic traversing the routers (going through Router11 out to the default route through Router14, for example)?

Many thanks

Mark


6 Replies

John Blakley
VIP Alumni

Mark,

I may not understand what you're asking. Multihop in eBGP (ebgp multihop) is used when you have a neighbor that's more than 1 hop away. The BGP TTL defaults to 1. Do you have a topology? I have a couple of questions:

1. Is this working and you're just wondering how it's working?

2. Is it not working and you're trying to fix it?

If it's 1, then your router could be doing a recursive lookup to get to the destination. If the next hop in BGP is 172.16.13.4, but your router is pointing to 172.16.12.4 by a static route, it's possible that it knows that to get to the 172.16.12.0/24 subnet it has to go to 172.16.13.4. The 172.16.13.4 device may have a connected route to 172.16.12.0/24.

I could be completely off-base though.

John

HTH, John *** Please rate all useful posts ***

Hi John

Thanks for the response. Basically I came across this article on the Cisco site and am just curious as to how this works. All the details are in the link I sent, but here are the two images of the topology.

http://www.cisco.com/image/gif/paws/6500/bgp-pix_1.gif

http://www.cisco.com/image/gif/paws/6500/bgp-pix_3.gif

In a normal situation if 2 routers were adjacent to each other and router A was learning a route from Router B then the next hop for that route would be router B. In this instance it's a number of hops away. I understand what ebgp multihop is (although I have never implemented it myself) but I am just trying to understand how this works with the next hop for the route being a number of hops away. Example, what would the traceroute look like, would it just skip the PIX and the next router after it?

Sorry if that is not a clear explanation.

Mark

Mark,

In your example, I believe it's going to do a recursive lookup to get to the neighbor. I need to lab this up to see what it looks like too, but here's my guess:

RouterA 192.168.1.50
Pix Inside 192.168.1.1
Pix Outside 172.16.15.1
Router B Inside 172.16.15.50
Router B Outside 192.168.50.1
Router C Inside 192.168.50.254
Loopback on router C 5.5.5.5

Router A -----> PIX -------> Router B ---------> Router C

Router A BGP:

neighbor 192.168.50.254 ebgp-multihop 3

The table on Router A would look something like:

5.5.5.5 next-hop 192.168.50.254

When a lookup is done, a static route could be (read will be) put on Router A:

ip route 192.168.50.0 255.255.255.0 192.168.1.1 (Pix inside)

The Pix will have a route pointing 192.168.50.0 to Router B inside address and Router B will have a connected route because of its connection with C.

When a packet is sent to 5.5.5.5, Router A will do a recursive lookup in its routing table and notice that to get to 5.5.5.5 it must send to 192.168.50.254. So it has to send the packet to the Pix, the Pix sends it to B, and B sends it to C.

For what it's worth, when doing iBGP connections using loopbacks, you have to use ebgp-multihop 2 in order for the peering to come up.

HTH,

John

HTH, John *** Please rate all useful posts ***

Mark,

I labbed this up and it's working the way I stated. Below is the bgp table from R1:

R1#sh ip bgp
BGP table version is 3, local router ID is 10.12.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          172.45.0.5               0             0 5 i
*> 10.12.0.0/24     0.0.0.0                  0         32768 i

R1#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!

5.5.5.5 is a loopback on R5. I have a static route to 172.45.0.0 on R1:

Gateway of last resort is 172.45.0.5 to network 0.0.0.0

     172.45.0.0/24 is subnetted, 1 subnets
S       172.45.0.0 [1/0] via 10.12.0.2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.12.0.0 is directly connected, FastEthernet0/0
B*   0.0.0.0/0 [20/0] via 172.45.0.5, 00:02:39

ip route 172.45.0.0 255.255.255.0 10.12.0.2

10.12.0.2 has a default route to point to R4. R5 has a default route pointing back to R4.

If you look at the routing table above, the default route points to 172.45.0.5. I have a static route pointing 172.45.0.0 to 10.12.0.2. When I do a traceroute from the router to 5.5.5.5:

R1#tracer 5.5.5.5
Type escape sequence to abort.
Tracing the route to 5.5.5.5

  1 10.12.0.2 4 msec 4 msec 4 msec
  2 10.24.0.4 [AS 5] 12 msec 12 msec 12 msec
  3 172.45.0.5 [AS 5] 12 msec *  12 msec
R1#

It uses the static route to get to 10.12.0.2... I attached a diagram of the topology I used for this test. BGP is only configured on R1 and R5:

R1#sh run | s router bgp
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 network 10.12.0.0 mask 255.255.255.0
 neighbor 172.45.0.5 remote-as 5
 neighbor 172.45.0.5 ebgp-multihop 3
 no auto-summary
R1#

R5(config)#do sh run | s router bgp
router bgp 5
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.12.0.1 remote-as 1
 neighbor 10.12.0.1 ebgp-multihop 3
 neighbor 10.12.0.1 default-originate
 no auto-summary
R5(config)#

HTH,

John

HTH, John *** Please rate all useful posts ***
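As an added illustration of the recursive lookup John describes (this is not code from the thread or from Cisco), the following Python models R1's routing table from the lab output above and resolves the BGP next hop 172.45.0.5 down to the connected interface, mirroring the traceroute. It also shows the case Mark was worried about: with the static route for 172.45.0.0/24 removed, the next hop can only match the default route that depends on it; this simplified model treats that as unresolvable, which is an assumption, as real IOS applies its own next-hop resolution rules.

```python
import ipaddress

# Constructed from the R1 routing table John posted above (C = connected,
# S = static, B = BGP). A connected route carries an interface; the others
# carry only a next-hop address that must itself be looked up again.
R1_RIB = [
    ("10.12.0.0/24", "C", None,         "FastEthernet0/0"),
    ("172.45.0.0/24", "S", "10.12.0.2", None),
    ("0.0.0.0/0",     "B", "172.45.0.5", None),
]

def longest_match(rib, dst):
    """Classic longest-prefix match; returns the matching entry or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, proto, nh, iface in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, proto, nh, iface)
    return best

def resolve(rib, dst):
    """Recursive lookup as a router performs it: keep looking up the next hop
    until a connected route yields the egress interface. Returns
    (list_of_next_hops, interface); the last address in the list is the
    adjacent device the frame is actually handed to. Returns None when the
    chain dead-ends or loops, i.e. the BGP next hop is unresolvable."""
    chain, seen, target = [], set(), dst
    while True:
        entry = longest_match(rib, target)
        if entry is None or entry[0] in seen:   # no route, or a loop
            return None
        net, proto, nh, iface = entry
        if iface is not None:                   # connected: lookup ends here
            return chain, iface
        seen.add(net)
        chain.append(nh)
        target = nh                             # look up the next hop itself

# Same table with the static route removed: 172.45.0.5 then only matches the
# default route, whose next hop is 172.45.0.5 again (modelled as a loop).
R1_RIB_NO_STATIC = [e for e in R1_RIB if e[1] != "S"]

if __name__ == "__main__":
    print(resolve(R1_RIB, "5.5.5.5"))            # 172.45.0.5 -> 10.12.0.2 -> Fa0/0
    print(resolve(R1_RIB_NO_STATIC, "5.5.5.5"))  # None: next hop unresolvable
```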

John, makes perfect sense now. Thanks very much for your help, much appreciated.

Regards,

Mark

You're welcome and thanks for the rating!

HTH, John *** Please rate all useful posts ***