
ASR1001-X moving from plain interfaces to sub interfaces with OSPF/BGP

douglasparsons
Level 1

Hello,

I have a working router that currently uses the physical interfaces and LACP to make the connections with redundancy across my 6807. I need to move to just using the 10Gig interfaces to support increases above the 1 Gig speed of the other physical interface. To do this I changed the design to be a router on a stick and used sub interfaces on the 10 Gig interface. For some reason the BGP routing did not come back up. Also not sure about the OSPF. My understanding (very weak on this) is the OSPF is used to inject the route into BGP to find the neighbors. Thus allowing the traffic to load balance across the two ISP links into the layer 2 network that provides connectivity back to the mother ship.

So when I move the configuration from physical to sub nothing happened. I can ping the outside interfaces from inside (also on a sub interface) but that was it. I could not get the BGP to sync up.

 

Before Config:

interface Loopback0
description BGP PEER IP WITH VCCS WAN
ip address 32.212.65.12 255.255.255.255
ip ospf 1 area 1
!
interface Loopback1
description IP for bgp router-id-1
ip address 10.255.255.251 255.255.255.255
!
interface Port-channel26
description LAN
mtu 9216
ip address 10.10.1.2 255.255.255.224
lacp max-bundle 2
!
interface Port-channel47
description WAN_2
ip address 32.212.124.216 255.255.255.224
no ip proxy-arp
ip access-group inboundVCCSWan in
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 106D0148061C0258582E3F7A277B1E662E43
ip ospf network point-to-multipoint non-broadcast
ip ospf 1 area 1
negotiation auto
!
interface Port-channel48
description WAN_1
ip address 32.212.62.45 255.255.255.128
no ip proxy-arp
ip access-group inboundWan in
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 106D0148061C0258582E3F7A277B1E66D45
ip ospf network point-to-multipoint non-broadcast
ip ospf 1 area 1
negotiation auto

!
interface TenGigabitEthernet0/0/0
mtu 9216
no ip address
lacp port-priority 4000
channel-group 26 mode active
!
interface TenGigabitEthernet0/0/1
mtu 9216
no ip address
lacp port-priority 4000
channel-group 26 mode active
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
service-policy input mpls
channel-group 48 mode active
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
service-policy input mpls
channel-group 48 mode active
!
interface GigabitEthernet0/0/2
no ip address
negotiation auto
channel-group 47 mode active
!
interface GigabitEthernet0/0/3
no ip address
negotiation auto
channel-group 47 mode active
!

 

AFTER CONFIG:

 

interface Port-channel26
description Edge to Firewall
mtu 9216
lacp max-bundle 2

interface Port-channel26.247

description LAN
ip address 10.10.1.2 255.255.255.224
encapsulation dot1q 247
exit
interface Port-channel26.332
description Link to Cox
ip address 32.212.124.216 255.255.255.224
encapsulation dot1q 332
no ip proxy-arp
ip access-group Hardening in
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 106D0148061C0258582E3F7A277B1E662E43
ip ospf network point-to-multipoint non-broadcast
ip ospf 1 area 1
exit
interface Port-channel26.334
description WAN_1
ip address 32.212.62.45 255.255.255.128
encapsulation dot1q 334
no ip proxy-arp
ip access-group Hardening in
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 106D0148061C0258582E3F7A277B1E662D45
ip ospf network point-to-multipoint non-broadcast
ip ospf 1 area 1
exit
!

interface TenGigabitEthernet0/0/0
mtu 9216
no ip address
lacp port-priority 4000
channel-group 26 mode active
!
interface TenGigabitEthernet0/0/1
mtu 9216
no ip address
lacp port-priority 3000
channel-group 26 mode active
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
service-policy input mpls
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
service-policy input mpls
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/4
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/5
no ip address
shutdown
negotiation auto
!

Hopefully I did not fat finger anything when I pasted in the config parts above. I am going to feel real silly/stupid if it is something simple.

 

Thanks,

D
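A migration check for the before/after configs in the post above, added here as an example (it is not code from the original poster or from Cisco). It lines up the WAN interfaces by IP address, reports which security-relevant lines changed between the old Port-channels and the new sub interfaces, and checks that each type 7 key string has a valid shape without decoding it; the function names are hypothetical.

```python
import re

# WAN interface excerpts copied from the post's before/after configs.
BEFORE = """interface Port-channel47
 ip address 32.212.124.216 255.255.255.224
 ip access-group inboundVCCSWan in
 ip ospf message-digest-key 1 md5 7 106D0148061C0258582E3F7A277B1E662E43
interface Port-channel48
 ip address 32.212.62.45 255.255.255.128
 ip access-group inboundWan in
 ip ospf message-digest-key 1 md5 7 106D0148061C0258582E3F7A277B1E66D45"""
AFTER = """interface Port-channel26.332
 ip address 32.212.124.216 255.255.255.224
 ip access-group Hardening in
 ip ospf message-digest-key 1 md5 7 106D0148061C0258582E3F7A277B1E662E43
interface Port-channel26.334
 ip address 32.212.62.45 255.255.255.128
 ip access-group Hardening in
 ip ospf message-digest-key 1 md5 7 106D0148061C0258582E3F7A277B1E662D45"""

FIELDS = {"acl_in": r"(?m)^\s*ip access-group (\S+) in$",
          "md5_type7": r"(?m)^\s*ip ospf message-digest-key \d+ md5 7 (\S+)$"}

def by_address(config):
    # Key settings by interface IP so a renamed interface still lines up.
    out = {}
    for block in re.split(r"(?m)^interface ", config)[1:]:
        ip = re.search(r"(?m)^\s*ip address (\S+)", block)
        if ip:
            out[ip.group(1)] = {n: m.group(1) for n, rx in FIELDS.items()
                                if (m := re.search(rx, block))}
    return out

def well_formed_type7(s):
    # Two decimal digits (offset) followed by whole hex byte pairs.
    return re.fullmatch(r"\d{2}(?:[0-9A-Fa-f]{2})+", s) is not None

def migration_findings(before, after):
    old, new = by_address(before), by_address(after)
    findings = []
    for ip in sorted(old.keys() & new.keys()):
        findings += [(ip, n, "changed") for n in FIELDS
                     if old[ip].get(n) != new[ip].get(n)]
        for side, cfg in (("before", old), ("after", new)):
            key = cfg[ip].get("md5_type7")
            if key and not well_formed_type7(key):
                findings.append((ip, "md5_type7", "malformed in " + side))
    return findings
```

A key string flagged here may only be a paste error in the forum post rather than what is on the router. A changed inbound ACL on an interface that runs OSPF or peers BGP is worth checking for permits of OSPF (IP protocol 89) and BGP (TCP 179).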

14 Replies 14

Did you copy the md5 key as it is?

I think the key is added as plain text, and when you do show it appears hidden.

can I see 
show ip ospf interface x/x 

MHM

I copied the hash and pasted it back in for the interface. I wondered if that may be the issue.

 

Unfortunately this router is in production and I had to revert it back to the original configuration. 

Here is the command with the router running the old configuration and connected.

Edge_VWCC#show ip ospf int po27
Port-channel27 is up, line protocol is up
Internet Address X.X.X.X/27, Interface ID 21, Area 1
Attached via Interface Enable
Process ID 1, Router ID X.X.X.X, Network Type POINT_TO_MULTIPOINT, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name
0 1 no no Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
oob-resync timeout 120
Hello due in 00:00:09
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Can be protected by per-prefix Loop-Free FastReroute
Can be used for per-prefix Loop-Free FastReroute repair paths
Not Protected by per-prefix TI-LFA
Index 1/2/2, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 1 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor X.X.X.X
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
Youngest key id is 1

show ip ospf interface brief <<- do you see the PO with OSPF Full?

MHM

Show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 1 1 X.X.X.X/32 1 LOOP 0/0
Po48 1 1 X.X.X.X/25 1 P2MP 0/0
Po47 1 1 X.X.X.X/27 1 P2MP 1/1

 

the show ip ospf inter brief <<- doesn't show any new PO subinterface?

also show ip ospf interface po26 <<- why PO27?? we are talking about the PO26 subinterface

do

show ip interface brief <<- check if PO26 and its subinterface are UP/UP

MHM

 

Hello
How is this rtr connected into the network? Do you have a L2 handoff switch interconnecting it, and if so, have you created new Layer 2 vlans 247, 332 & 334 for the new lan/wan interfaces and the necessary trunk for the physical interfaces?

Also, before your changes you had the PC26 lan ip address in vlan 1; now it's in vlan 247.

As for ospf/bgp adjacencies & peerings, you do not show any cfg for this.

If applicable, post the output of the following in a txt file and attach it to your post:
sh run | sec router
sh ip interface brief
sh ip arp
sh ip ospf interface brief
sh ip ospf neighbor
sh bgp ipv4 unicast summary
sh bgp ipv4 unicast
sh ip ospf rib
sh ip route


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul,

Please read my post more carefully. If I did not form the trunk then I would not be able to ping the interfaces from my LAN side. And no I did not post the rest of the configuration, just the part that changed. I saw no interface specifics elsewhere in the configuration so it should not matter what interface the configuration is on.

Hello
So if ospf was “broke”, which means what?
No neighbour adjacency whatsoever, or stuck in a certain state - you need to be more specific.
It could be a number of things, not exclusive to authentication.

Next time you perform the change and it happens again, the best possible commands to check ospf states, and maybe even enable a debug:

sh ip ospf neighbor
debug ip ospf packet
debug ip ospf adj
debug ip ospf hello 



Kind Regards
Paul

Paul,

Broke as in when I did an IP Route I saw no routes other than the static routes. There were no OSPF generated routes and no BGP routes. So something I did broke the routing.

Another odd thing that made me think that it was routing is that I was still getting hits on the ACL that is applied to my SSH running on port 22 on all the interfaces. It was blocked and from an outside public IP. So the only way I can see that happening is that the interface was up and connected and the remote routers still had routes pointing inward to my router that had not aged out so traffic from the Internet could go towards my router but traffic inside could not pass outward towards the Internet.

Campus is closed tomorrow and I hope to be able to go in and test more. I am in a data gathering mode to prepare for that test so when I get there I can quickly change the configuration and then test. So I do appreciate any commands that will help me dig into the details. It had been a very long day and was late at night so my brain was barely functioning by that time of day.

Hello
So you don’t know what state the ospf was in, apart from that you lost connectivity,
and from your responses bgp connectivity relies on ospf, but you do not know what state either router process was in post change.
Is it applicable that you can post a run cfg of the L3 switch/rtr with those commands I initially requested, so we can at least review how it's all connected?



Kind Regards
Paul

Hello
FYI, you mentioned bgp/ospf issues post change, hence I requested you post the output of a few commands to help find out why this may be the case. However, I gather from your response that you know that running those commands is irrelevant, or that you do not wish any further assistance.



Kind Regards
Paul

douglasparsons
Level 1

I had to return the router to the old configuration so running them would be irrelevant. I had the trunk setup to the router as I could ping the IPs of the outside interfaces from a machine on my LAN connected to the inside sub interface.

As for the other parts of the configuration it was working before and I did not change any of those parts. Only what was posted was changed. Since it worked in the old configuration then OSPF and BGP were set up as well as the internal routes were per static entries. I had even opened a TAC case that night for help but the tech was so hyperfocussed on BGP that she could not realize that the BGP was being fed the neighbors from OSPF. She kept telling me there was no route to the neighbor and that was the issue. I gave up and had run out of time. It was the next day when I realized why it had no route, OSPF was broke, but why? Same configuration, just different interface. I had a hunch and so I turned to the community since I got nowhere with TAC. I think MHM is on the right track and that the digest key cannot be copied but has to be entered. I will have to wait until I can break the connections and get the keys from our parent who is in charge of the neighbors.

Thanks,

Doug

Router# show ip ospf traffic <<- even if you return to the old config, check this command; it gives you some hint about why OSPF failed

Thanks, campus is closed tomorrow due to weather so I am hoping I can do more testing and with a fresh brain.

I am also waiting for a response from the group that manages the OSPF neighbors. With some luck they will send me the digest keys.