BGP Dynamic Neighbors

Michael Keetman
Level 1

Hello, 

 

I've been trying to establish a Route-Reflector for an MPLS VPN, and was hoping to use dynamic neighbors to reduce the configuration complexity and ease the change burden while adding new PE routers.  My BGP config on the Route Reflector is as follows:

interface Loopback0
ip address 10.13.0.2 255.255.255.255
end

router bgp 64900
 bgp log-neighbor-changes
 bgp listen range 10.13.0.0/25 peer-group RR-clients
 bgp listen limit 200
 neighbor RR-clients peer-group
 neighbor RR-clients remote-as 64900
 neighbor RR-clients update-source Loopback0
 neighbor RR-peers peer-group
 neighbor RR-peers remote-as 64900
 neighbor RR-peers update-source Loopback0
 neighbor 10.13.0.1 peer-group RR-peers
 neighbor 10.13.0.129 peer-group RR-peers
 neighbor 10.13.0.130 peer-group RR-peers
 !
 address-family vpnv4
  neighbor RR-clients activate
  neighbor RR-clients send-community extended
  neighbor RR-clients route-reflector-client
  neighbor RR-peers send-community extended
  neighbor 10.13.0.1 activate
  neighbor 10.13.0.129 activate
  neighbor 10.13.0.130 activate
 exit-address-family

What I believe is happening is that the router is not accepting BGP connections as expected; this is confirmed by reviewing the active TCP connections.

 

TCB       Local Address               Foreign Address             (state)
7FE560858478  10.13.0.2.22               10.12.0.148.60473           ESTAB
7FE5744CC698  10.13.0.2.11969            10.13.0.1.179               ESTAB
7FE571240F40  10.13.0.2.179              10.13.0.78.11518            SYNRCVD
7FE574527050  10.13.0.2.18570            10.13.0.129.179             ESTAB
7FE5744D1D50  10.13.0.2.179              10.13.0.130.30470           ESTAB

The above shows a connection is being attempted from a client router (which I am pretty sure falls within the bgp limit range).

 

The config for a client router is as follows:

interface Loopback0
 ip address 10.13.0.78 255.255.255.255
end


router bgp 64900
 bgp log-neighbor-changes
 neighbor 10.13.0.1 remote-as 64900
 neighbor 10.13.0.1 update-source Loopback0
 neighbor 10.13.0.2 remote-as 64900
 neighbor 10.13.0.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.13.0.1 activate
  neighbor 10.13.0.1 send-community extended
  neighbor 10.13.0.2 activate
  neighbor 10.13.0.2 send-community extended
 exit-address-family

If I explicitly add the client router as a neighbor, and member of the RR-clients peer-group, I have no issue establishing a BGP session.

 

What am I missing here?
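A way to check the range assumption in the post above, as an added example that is not part of the original thread: it parses the route reflector's `bgp listen range` and neighbor statements plus the TCP table rows (both copied from the post) and classifies every port-179 session as static, inside the listen range, or unmatched. The function names are illustrative, and reporting explicitly configured neighbors as static even when they also sit inside the range is a choice made for this example.

```python
import ipaddress
import re

# Sample input copied from the route reflector config and TCP table in the post.
RR_CONFIG = """\
router bgp 64900
 bgp listen range 10.13.0.0/25 peer-group RR-clients
 neighbor 10.13.0.1 peer-group RR-peers
 neighbor 10.13.0.129 peer-group RR-peers
 neighbor 10.13.0.130 peer-group RR-peers
"""
TCP_TABLE = """\
7FE560858478  10.13.0.2.22               10.12.0.148.60473           ESTAB
7FE5744CC698  10.13.0.2.11969            10.13.0.1.179               ESTAB
7FE571240F40  10.13.0.2.179              10.13.0.78.11518            SYNRCVD
7FE574527050  10.13.0.2.18570            10.13.0.129.179             ESTAB
7FE5744D1D50  10.13.0.2.179              10.13.0.130.30470           ESTAB
"""

def split_endpoint(endpoint):
    """IOS prints endpoints as 'a.b.c.d.port'; split on the last dot."""
    addr, port = endpoint.rsplit(".", 1)
    return ipaddress.ip_address(addr), int(port)

def classify_bgp_sessions(config, tcp_table):
    """Return one record per TCP session that touches port 179."""
    ranges = [(ipaddress.ip_network(net), group) for net, group in
              re.findall(r"bgp listen range (\S+) peer-group (\S+)", config)]
    static = {ipaddress.ip_address(a) for a in
              re.findall(r"^\s*neighbor (\d+(?:\.\d+){3}) ", config, re.M)}
    results = []
    for line in tcp_table.splitlines():
        _tcb, local, foreign, state = line.split()
        (_, lport), (peer, fport) = split_endpoint(local), split_endpoint(foreign)
        if 179 not in (lport, fport):
            continue  # not BGP, e.g. the SSH session on port 22
        group = next((g for net, g in ranges if peer in net), None)
        source = "static" if peer in static else (
            "listen-range:" + group if group else "unmatched")
        results.append({"peer": str(peer), "passive": lport == 179,
                        "state": state, "source": source})
    return results

def stuck_dynamic_peers(results):
    """Listen-range peers whose session has not reached ESTAB."""
    return [r["peer"] for r in results
            if r["source"].startswith("listen-range") and r["state"] != "ESTAB"]
```

Run against the posted data, the only peer returned by `stuck_dynamic_peers` is 10.13.0.78, which does fall inside 10.13.0.0/25; an `unmatched` source on an inbound port-179 session would instead point at a peer outside every configured range.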

5 Replies

Hello,

 

Post the full configs of both RR and client. Your client has two neighbors configured... what does your topology look like?

Hi Georg, the topology is a partial mesh of point-to-point routed links.  I am using EIGRP as the IGP.  The configured neighbors are identical to this configuration, with the exception that they are split between two clusters (1 & 2).

 

Route Reflector config (redacted) IOS ASR1001-X running IOS XE 16.06.02

!
version 16.6
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname xxx
!
boot-start-marker
boot system flash bootflash:/asr1001x-universalk9.16.06.02.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 10000
no logging console
!
aaa new-model
!
!
aaa group server radius RADIUS_AUTH
 ip radius source-interface Loopback0
!
aaa authentication banner ^CUnauthorised Access Prohibited^C
aaa authentication login default group RADIUS_AUTH enable
aaa authentication login networkaccess group RADIUS_AUTH enable
aaa authentication dot1x default group RADIUS_AUTH
aaa authorization exec default group RADIUS_AUTH if-authenticated
aaa authorization network default group RADIUS_AUTH
aaa authorization auth-proxy default group RADIUS_AUTH
aaa accounting delay-start all
aaa accounting auth-proxy default start-stop group RADIUS_AUTH
aaa accounting exec default start-stop group RADIUS_AUTH
aaa accounting network default start-stop group RADIUS_AUTH
aaa accounting system default start-stop group RADIUS_AUTH
!
!
!
!
!
!
aaa session-id common
clock timezone EST 10 0
no ip source-route
!
!
!
!
!
!
ip domain lookup source-interface Loopback0
ip multicast-routing distributed
!
!
!
login on-failure log
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
license udi pid ASR1001-X sn xxx
spanning-tree extend system-id
diagnostic bootup level minimal
archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
memory free low-watermark processor 2000
!
!
!

redundancy
 mode none
!
!
!
!
!
lldp run
cdp run
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.13.0.1 255.255.255.255
 ip pim sparse-mode
!
interface TenGigabitEthernet0/0/0
 no ip address
 shutdown
!
interface TenGigabitEthernet0/0/1
 no ip address
 shutdown
!
interface GigabitEthernet0/0/0
 mtu 1580
 ip address 10.3.5.6 255.255.255.252
 ip pim sparse-mode
 ip router isis bccits
 negotiation auto
 mpls ip
 cdp enable
 isis network point-to-point
!
interface GigabitEthernet0/0/1
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/4
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/5
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
!
router eigrp 1
 default-metric 10000 100 255 1 1500
 network 10.0.0.0
!
router isis bccits
 net 49.0000.0100.1300.0001.00
 is-type level-2-only
 metric-style wide
 max-lsp-lifetime 65535
 lsp-refresh-interval 65535
 spf-interval 5 1 20
 prc-interval 5 1 20
 lsp-gen-interval 5 1 20
 passive-interface default
 no passive-interface GigabitEthernet0/0/0
!
router bgp 64900
 bgp cluster-id 1
 bgp log-neighbor-changes
 bgp listen range 10.13.0.0/25 peer-group RR-clients
 bgp listen limit 200
 neighbor RR-clients peer-group
 neighbor RR-clients remote-as 64900
 neighbor RR-clients update-source Loopback0
 neighbor RR-peers peer-group
 neighbor RR-peers remote-as 64900
 neighbor RR-peers update-source Loopback0
 neighbor 10.13.0.1 peer-group RR-peers
 neighbor 10.13.0.129 peer-group RR-peers
 neighbor 10.13.0.130 peer-group RR-peers
 !
 address-family vpnv4
  neighbor RR-clients activate
  neighbor RR-clients send-community extended
  neighbor RR-clients route-reflector-client
  neighbor RR-peers send-community extended
  neighbor 10.13.0.1 activate
  neighbor 10.13.0.129 activate
  neighbor 10.13.0.130 activate
 exit-address-family
!
ip forward-protocol nd
ip telnet source-interface Loopback0
ip ftp source-interface Loopback0
no ip http server
no ip http secure-server
ip http client source-interface Loopback0
ip tftp source-interface Loopback0

!
ip ssh version 2
!

ip sla logging traps
logging source-interface Loopback0

!
!


!
control-plane
!
!
!
!
!
banner login ^C

^C

line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class REMOTE_ACCESS in
 exec-timeout 15 0
 logging synchronous
 login authentication networkaccess
 exec prompt timestamp
 transport preferred none
 transport input ssh
line vty 5 15
 access-class REMOTE_ACCESS in
 exec-timeout 15 0
 logging synchronous
 login authentication networkaccess
 exec prompt timestamp
 transport preferred none
 transport input ssh
!
ntp source Loopback0

wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

PE Configuration ASR920 running IOS XE 03.18.03.SP.156-2.SP3-ext

!
version 15.6
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no platform punt-keepalive disable-kernel-core
platform bfd-debug-trace 1
platform xconnect load-balance-hash-algo mac-ip-instanceid
platform tcam-parity-error enable
platform tcam-threshold alarm-frequency 1
!
boot-start-marker
boot system flash asr920-universalk9_npe.03.18.03.SP.156-2.SP3-ext.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 10000
no logging console
!
aaa new-model
!
!
aaa group server radius RADIUS_AUTH
 ip radius source-interface Loopback0
!
aaa authentication banner ^CUnauthorised Access Prohibited^C
aaa authentication login default group RADIUS_AUTH enable
aaa authentication login networkaccess group RADIUS_AUTH enable
aaa authentication dot1x default group RADIUS_AUTH
aaa authorization exec default group RADIUS_AUTH if-authenticated
aaa authorization network default group RADIUS_AUTH
aaa authorization auth-proxy default group RADIUS_AUTH
aaa accounting delay-start all
aaa accounting auth-proxy default start-stop group RADIUS_AUTH
aaa accounting exec default start-stop group RADIUS_AUTH
aaa accounting network default start-stop group RADIUS_AUTH
aaa accounting system default start-stop group RADIUS_AUTH
!
!
!
!
!
aaa session-id common
process cpu threshold type total rising 80 interval 5
clock timezone EST 10 0
facility-alarm critical exceed-action shutdown

no ip source-route
!
ip vrf test
 rd 64900:2
 route-target export 64900:2
 route-target import 64900:2
!
!
!
!
!
!
!
!
!



ip domain lookup source-interface Loopback0
ip multicast-routing distributed
!
!
!
ip arp inspection bridge-domain 1
login on-failure log
login on-success log
!
!
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
license udi pid ASR-920-24SZ-M sn
license boot level advancedmetroipaccess
archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
memory free low-watermark processor 2000
!
sdm prefer default
!
!
redundancy
bridge-domain 1
!
!
!
!
!
transceiver type all
 monitoring
cdp run
!
ip telnet source-interface Loopback0
lldp run
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.13.0.78 255.255.255.255
 ip pim sparse-mode
!
interface Loopback100
 ip vrf forwarding test
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0/0
 ip arp inspection trust
 no ip address
 ip pim sparse-mode
 ip access-group ACL-DEFAULT in
 negotiation auto
 cdp enable
 service instance 601 ethernet
  encapsulation dot1q 601
  rewrite ingress tag pop 1 symmetric
  l2protocol peer cdp lldp udld
  bridge-domain 601
 !
!
interface GigabitEthernet0/0/1
 ip arp inspection trust
 no ip address
 ip pim sparse-mode
 ip access-group ACL-DEFAULT in
 negotiation auto
 cdp enable
 service instance 602 ethernet
  encapsulation dot1q 602
  rewrite ingress tag pop 1 symmetric
  l2protocol peer cdp lldp udld
  bridge-domain 602
 !
 service instance 603 ethernet
  encapsulation dot1q 603
  rewrite ingress tag pop 1 symmetric
  l2protocol peer cdp lldp udld
  bridge-domain 603
 !
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/4
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/5
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/6
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/7
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/8
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/9
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/10
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/11
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/12
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/13
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/14
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/15
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/16
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/17
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/18
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/19
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/20
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/21
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/22
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/23
 mtu 1580
 ip address 10.13.4.10 255.255.255.252
 ip pim sparse-mode
 negotiation auto
 mpls ip
 cdp enable
!
interface TenGigabitEthernet0/0/24
 no ip address
 shutdown
!
interface TenGigabitEthernet0/0/25
 no ip address
 shutdown
!
interface TenGigabitEthernet0/0/26
 no ip address
 shutdown
!
interface TenGigabitEthernet0/0/27
 no ip address
 shutdown
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface BDI1

 ip pim sparse-mode
 ip igmp query-interval 125
 shutdown
!
interface BDI601

 ip pim sparse-mode
 ip igmp query-interval 125
!
interface BDI602

 ip pim sparse-mode
 ip igmp query-interval 125
!
interface BDI603

 ip pim sparse-mode
 ip igmp query-interval 125
!
!
router eigrp 1
 default-metric 10000 100 255 1 1500
 network 10.0.0.0
!
router bgp 64900
 bgp log-neighbor-changes
 neighbor 10.13.0.1 remote-as 64900
 neighbor 10.13.0.1 update-source Loopback0
 neighbor 10.13.0.2 remote-as 64900
 neighbor 10.13.0.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.13.0.1 activate
  neighbor 10.13.0.1 send-community extended
  neighbor 10.13.0.2 activate
  neighbor 10.13.0.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf test
  network 1.1.1.1 mask 255.255.255.255
  redistribute connected
 exit-address-family
!
ip forward-protocol nd
!
ip ftp source-interface Loopback0
no ip http server
no ip http secure-server
ip http client source-interface Loopback0
ip tftp source-interface Loopback0

ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip scp server enable

!
ip sla logging traps
logging source-interface Loopback0

!

!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server deadtime 2
!

!
!
!
control-plane
!
banner login ^
^

line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class REMOTE_ACCESS in
 exec-timeout 15 0
 logging synchronous
 login authentication networkaccess
 exec prompt timestamp
 transport preferred none
 transport input ssh
line vty 5 15
 access-class REMOTE_ACCESS in
 exec-timeout 15 0
 logging synchronous
 login authentication networkaccess
 exec prompt timestamp
 transport preferred none
 transport input ssh
!
ntp source Loopback0

!
!
end

Hi

I tested your configuration and it works perfectly; it could be a bug. I also used EIGRP for the NLRI.

 

 




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Thanks Julio, appreciate your testing it for me.  I'm glad it's potentially not my understanding of BGP dynamic neighbors.  I'll try and get a TAC case raised.

Hello, what was the result of your TAC case? I have seen the same problem after upgrade to 16.6.5 (Everest release).

David
