07-02-2018 10:45 PM - edited 03-05-2019 10:42 AM
Hello,
I've been trying to establish a Route-Reflector for an MPLS VPN, and was hoping to use dynamic neighbors to reduce the configuration complexity and ease the change burden while adding new PE routers. My BGP config on the Route Reflector is as follows:
interface Loopback0
ip address 10.13.0.2 255.255.255.255
end
router bgp 64900
 bgp log-neighbor-changes
 bgp listen range 10.13.0.0/25 peer-group RR-clients
 bgp listen limit 200
 neighbor RR-clients peer-group
 neighbor RR-clients remote-as 64900
 neighbor RR-clients update-source Loopback0
 neighbor RR-peers peer-group
 neighbor RR-peers remote-as 64900
 neighbor RR-peers update-source Loopback0
 neighbor 10.13.0.1 peer-group RR-peers
 neighbor 10.13.0.129 peer-group RR-peers
 neighbor 10.13.0.130 peer-group RR-peers
 !
 address-family vpnv4
  neighbor RR-clients activate
  neighbor RR-clients send-community extended
  neighbor RR-clients route-reflector-client
  neighbor RR-peers send-community extended
  neighbor 10.13.0.1 activate
  neighbor 10.13.0.129 activate
  neighbor 10.13.0.130 activate
 exit-address-family
What I believe is happening is that the router is not accepting BGP connections as expected; this is confirmed by reviewing the active TCP connections.
TCB           Local Address       Foreign Address         (state)
7FE560858478  10.13.0.2.22        10.12.0.148.60473       ESTAB
7FE5744CC698  10.13.0.2.11969     10.13.0.1.179           ESTAB
7FE571240F40  10.13.0.2.179       10.13.0.78.11518        SYNRCVD
7FE574527050  10.13.0.2.18570     10.13.0.129.179         ESTAB
7FE5744D1D50  10.13.0.2.179       10.13.0.130.30470       ESTAB
The above shows a connection is being attempted from a client router (which I am pretty sure falls within the bgp limit range).
The config for a client router is as follows:
interface Loopback0
 ip address 10.13.0.78 255.255.255.255
end

router bgp 64900
 bgp log-neighbor-changes
 neighbor 10.13.0.1 remote-as 64900
 neighbor 10.13.0.1 update-source Loopback0
 neighbor 10.13.0.2 remote-as 64900
 neighbor 10.13.0.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.13.0.1 activate
  neighbor 10.13.0.1 send-community extended
  neighbor 10.13.0.2 activate
  neighbor 10.13.0.2 send-community extended
 exit-address-family
If I explicitly add the client router as a neighbor, and member of the RR-clients peer-group, I have no issue establishing a BGP session.
What am I missing here?
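As an added example (not part of the original post or Cisco's tooling), a small Python check that reads the RR's `router bgp` stanza and its `show tcp brief` output, classifies each BGP TCB by whether the peer is an explicit `neighbor` or falls inside a `bgp listen range`, and lists peers whose session has not reached ESTAB. The sample text is constructed from the values quoted above; the "explicit neighbor" / "listen-range" / "no match" labels are this script's own classification.

```python
import ipaddress
import re
# Constructed sample input (shape copied from the thread); 10.13.0.2 is the RR's Loopback0.
RR_BGP_CONFIG = """\
router bgp 64900
 bgp listen range 10.13.0.0/25 peer-group RR-clients
 neighbor 10.13.0.1 peer-group RR-peers
 neighbor 10.13.0.130 peer-group RR-peers
"""
SHOW_TCP_BRIEF = """\
TCB           Local Address       Foreign Address         (state)
7FE560858478  10.13.0.2.22        10.12.0.148.60473       ESTAB
7FE5744CC698  10.13.0.2.11969     10.13.0.1.179           ESTAB
7FE571240F40  10.13.0.2.179       10.13.0.78.11518        SYNRCVD
7FE5744D1D50  10.13.0.2.179       10.13.0.130.30470       ESTAB
"""
BGP_PORT = 179
TCP_ROW = re.compile(r"^\s*[0-9A-Fa-f]+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_bgp_config(text):
    """Collect explicit neighbour addresses and (network, peer-group) listen ranges."""
    neighbors, ranges = set(), []
    for line in text.splitlines():
        if m := re.match(r"\s*neighbor (\d+\.\d+\.\d+\.\d+)\s", line):
            neighbors.add(ipaddress.ip_address(m.group(1)))
        elif m := re.match(r"\s*bgp listen range (\S+) peer-group (\S+)", line):
            ranges.append((ipaddress.ip_network(m.group(1)), m.group(2)))
    return neighbors, ranges

def classify_bgp_sessions(config_text, tcp_text):
    """Return (peer, direction, how the RR matches it, TCP state) for every BGP TCB."""
    neighbors, ranges = parse_bgp_config(config_text)
    rows = []
    for m in filter(None, map(TCP_ROW.match, tcp_text.splitlines())):
        _, lport = m.group(1).rsplit(".", 1)    # IOS joins address and port with a dot
        peer, fport = m.group(2).rsplit(".", 1)  # e.g. 10.13.0.78.11518
        if BGP_PORT not in (int(lport), int(fport)):
            continue  # not BGP, e.g. the SSH session on port 22
        peer = ipaddress.ip_address(peer)
        direction = "inbound" if int(lport) == BGP_PORT else "outbound"
        if peer in neighbors:
            match = "explicit neighbor"
        else:  # dynamic neighbour: accepted only if a listen range covers it
            match = next((f"listen-range {g}" for net, g in ranges if peer in net), "no match")
        rows.append((str(peer), direction, match, m.group(3)))
    return rows

def not_established(rows):
    """Peers whose TCP session has not reached ESTAB, the symptom reported above."""
    return [peer for peer, _, _, state in rows if state != "ESTAB"]
```

Run against a real `show running-config | section router bgp` and `show tcp brief`, a peer reported as "listen-range" but stuck in SYNRCVD is the dynamic-neighbor case described here, while "no match" means the RR has no configuration under which it would accept that source at all.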
07-03-2018 01:10 AM
Hello,
Post the full configs of both RR and client. Your client has two neighbors configured... what does your topology look like?
07-03-2018 03:35 PM
Hi Georg, the topology is a partial mesh of point-to-point routed links. I am using EIGRP as the IGP. The configured neighbors are identical to this configuration, with the exception that they are split between two clusters (1 & 2).
Route Reflector config (redacted): ASR1001-X running IOS XE 16.06.02
!
version 16.6
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname xxx
!
boot-start-marker
boot system flash bootflash:/asr1001x-universalk9.16.06.02.SPA.bin
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 10000
no logging console
!
aaa new-model
!
aaa group server radius RADIUS_AUTH
 ip radius source-interface Loopback0
!
aaa authentication banner ^CUnauthorised Access Prohibited^C
aaa authentication login default group RADIUS_AUTH enable
aaa authentication login networkaccess group RADIUS_AUTH enable
aaa authentication dot1x default group RADIUS_AUTH
aaa authorization exec default group RADIUS_AUTH if-authenticated
aaa authorization network default group RADIUS_AUTH
aaa authorization auth-proxy default group RADIUS_AUTH
aaa accounting delay-start all
aaa accounting auth-proxy default start-stop group RADIUS_AUTH
aaa accounting exec default start-stop group RADIUS_AUTH
aaa accounting network default start-stop group RADIUS_AUTH
aaa accounting system default start-stop group RADIUS_AUTH
!
aaa session-id common
clock timezone EST 10 0
no ip source-route
!
ip domain lookup source-interface Loopback0
ip multicast-routing distributed
!
login on-failure log
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid ASR1001-X sn xxx
spanning-tree extend system-id
diagnostic bootup level minimal
archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
memory free low-watermark processor 2000
!
redundancy
 mode none
!
lldp run
cdp run
!
interface Loopback0
 ip address 10.13.0.1 255.255.255.255
 ip pim sparse-mode
!
interface TenGigabitEthernet0/0/0
 no ip address
 shutdown
!
interface TenGigabitEthernet0/0/1
 no ip address
 shutdown
!
interface GigabitEthernet0/0/0
 mtu 1580
 ip address 10.3.5.6 255.255.255.252
 ip pim sparse-mode
 ip router isis bccits
 negotiation auto
 mpls ip
 cdp enable
 isis network point-to-point
!
interface GigabitEthernet0/0/1
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/4
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/5
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
router eigrp 1
 default-metric 10000 100 255 1 1500
 network 10.0.0.0
!
router isis bccits
 net 49.0000.0100.1300.0001.00
 is-type level-2-only
 metric-style wide
 max-lsp-lifetime 65535
 lsp-refresh-interval 65535
 spf-interval 5 1 20
 prc-interval 5 1 20
 lsp-gen-interval 5 1 20
 passive-interface default
 no passive-interface GigabitEthernet0/0/0
!
router bgp 64900
 bgp cluster-id 1
 bgp log-neighbor-changes
 bgp listen range 10.13.0.0/25 peer-group RR-clients
 bgp listen limit 200
 neighbor RR-clients peer-group
 neighbor RR-clients remote-as 64900
 neighbor RR-clients update-source Loopback0
 neighbor RR-peers peer-group
 neighbor RR-peers remote-as 64900
 neighbor RR-peers update-source Loopback0
 neighbor 10.13.0.1 peer-group RR-peers
 neighbor 10.13.0.129 peer-group RR-peers
 neighbor 10.13.0.130 peer-group RR-peers
 !
 address-family vpnv4
  neighbor RR-clients activate
  neighbor RR-clients send-community extended
  neighbor RR-clients route-reflector-client
  neighbor RR-peers send-community extended
  neighbor 10.13.0.1 activate
  neighbor 10.13.0.129 activate
  neighbor 10.13.0.130 activate
 exit-address-family
!
ip forward-protocol nd
ip telnet source-interface Loopback0
ip ftp source-interface Loopback0
no ip http server
no ip http secure-server
ip http client source-interface Loopback0
ip tftp source-interface Loopback0
!
ip ssh version 2
!
ip sla logging traps
logging source-interface Loopback0
!
control-plane
!
banner login ^C ^C
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class REMOTE_ACCESS in
 exec-timeout 15 0
 logging synchronous
 login authentication networkaccess
 exec prompt timestamp
 transport preferred none
 transport input ssh
line vty 5 15
 access-class REMOTE_ACCESS in
 exec-timeout 15 0
 logging synchronous
 login authentication networkaccess
 exec prompt timestamp
 transport preferred none
 transport input ssh
!
ntp source Loopback0
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
end
PE configuration: ASR920 running IOS XE 03.18.03.SP.156-2.SP3-ext
!
version 15.6
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no platform punt-keepalive disable-kernel-core
platform bfd-debug-trace 1
platform xconnect load-balance-hash-algo mac-ip-instanceid
platform tcam-parity-error enable
platform tcam-threshold alarm-frequency 1
!
boot-start-marker
boot system flash asr920-universalk9_npe.03.18.03.SP.156-2.SP3-ext.bin
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 10000
no logging console
!
aaa new-model
!
aaa group server radius RADIUS_AUTH
 ip radius source-interface Loopback0
!
aaa authentication banner ^CUnauthorised Access Prohibited^C
aaa authentication login default group RADIUS_AUTH enable
aaa authentication login networkaccess group RADIUS_AUTH enable
aaa authentication dot1x default group RADIUS_AUTH
aaa authorization exec default group RADIUS_AUTH if-authenticated
aaa authorization network default group RADIUS_AUTH
aaa authorization auth-proxy default group RADIUS_AUTH
aaa accounting delay-start all
aaa accounting auth-proxy default start-stop group RADIUS_AUTH
aaa accounting exec default start-stop group RADIUS_AUTH
aaa accounting network default start-stop group RADIUS_AUTH
aaa accounting system default start-stop group RADIUS_AUTH
!
aaa session-id common
process cpu threshold type total rising 80 interval 5
clock timezone EST 10 0
facility-alarm critical exceed-action shutdown
no ip source-route
!
ip vrf test
 rd 64900:2
 route-target export 64900:2
 route-target import 64900:2
!
ip domain lookup source-interface Loopback0
ip multicast-routing distributed
!
ip arp inspection bridge-domain 1
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
license udi pid ASR-920-24SZ-M sn
license boot level advancedmetroipaccess
archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
memory free low-watermark processor 2000
!
sdm prefer default
!
redundancy
bridge-domain 1
!
transceiver type all
 monitoring
cdp run
!
ip telnet source-interface Loopback0
lldp run
!
interface Loopback0
 ip address 10.13.0.78 255.255.255.255
 ip pim sparse-mode
!
interface Loopback100
 ip vrf forwarding test
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0/0
 ip arp inspection trust
 no ip address
 ip pim sparse-mode
 ip access-group ACL-DEFAULT in
 negotiation auto
 cdp enable
 service instance 601 ethernet
  encapsulation dot1q 601
  rewrite ingress tag pop 1 symmetric
  l2protocol peer cdp lldp udld
  bridge-domain 601
 !
!
interface GigabitEthernet0/0/1
 ip arp inspection trust
 no ip address
 ip pim sparse-mode
 ip access-group ACL-DEFAULT in
 negotiation auto
 cdp enable
 service instance 602 ethernet
  encapsulation dot1q 602
  rewrite ingress tag pop 1 symmetric
  l2protocol peer cdp lldp udld
  bridge-domain 602
 !
 service instance 603 ethernet
  encapsulation dot1q 603
  rewrite ingress tag pop 1 symmetric
  l2protocol peer cdp lldp udld
  bridge-domain 603
 !
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/4
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/5
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/6
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/7
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/8
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/9
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/10
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/11
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/12
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/13
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/14
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/15
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/16
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/17
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/18
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/19
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/20
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/21
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/22
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/23
 mtu 1580
 ip address 10.13.4.10 255.255.255.252
 ip pim sparse-mode
 negotiation auto
 mpls ip
 cdp enable
!
interface TenGigabitEthernet0/0/24
 no ip address
 shutdown
!
interface TenGigabitEthernet0/0/25
 no ip address
 shutdown
!
interface TenGigabitEthernet0/0/26
 no ip address
 shutdown
!
interface TenGigabitEthernet0/0/27
 no ip address
 shutdown
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface BDI1
 ip pim sparse-mode
 ip igmp query-interval 125
 shutdown
!
interface BDI601
 ip pim sparse-mode
 ip igmp query-interval 125
!
interface BDI602
 ip pim sparse-mode
 ip igmp query-interval 125
!
interface BDI603
 ip pim sparse-mode
 ip igmp query-interval 125
!
router eigrp 1
 default-metric 10000 100 255 1 1500
 network 10.0.0.0
!
router bgp 64900
 bgp log-neighbor-changes
 neighbor 10.13.0.1 remote-as 64900
 neighbor 10.13.0.1 update-source Loopback0
 neighbor 10.13.0.2 remote-as 64900
 neighbor 10.13.0.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.13.0.1 activate
  neighbor 10.13.0.1 send-community extended
  neighbor 10.13.0.2 activate
  neighbor 10.13.0.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf test
  network 1.1.1.1 mask 255.255.255.255
  redistribute connected
 exit-address-family
!
ip forward-protocol nd
!
ip ftp source-interface Loopback0
no ip http server
no ip http secure-server
ip http client source-interface Loopback0
ip tftp source-interface Loopback0
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip scp server enable
!
ip sla logging traps
logging source-interface Loopback0
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server deadtime 2
!
control-plane
!
banner login ^ ^
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class REMOTE_ACCESS in
 exec-timeout 15 0
 logging synchronous
 login authentication networkaccess
 exec prompt timestamp
 transport preferred none
 transport input ssh
line vty 5 15
 access-class REMOTE_ACCESS in
 exec-timeout 15 0
 logging synchronous
 login authentication networkaccess
 exec prompt timestamp
 transport preferred none
 transport input ssh
!
ntp source Loopback0
!
end
07-03-2018 06:49 AM
Hi
I tested your configuration and it works perfectly; it could be a bug. I also used EIGRP for the NLRI.
07-03-2018 03:16 PM
Thanks Julio, appreciate your testing it for me. I'm glad it's potentially not my understanding of BGP dynamic neighbors. I'll try and get a TAC case raised.
03-11-2019 03:06 AM
Hello, what was the result of your TAC case? I have seen the same problem after upgrade to 16.6.5 (Everest release).
David