mudvayne15
Beginner

BGP Inconsistent Route issue

Hi Everyone, 

 

I'm having an issue with our multihoming setup: whenever ISP 1 goes down, it affects ISP 2 as well, meaning both links are down.

 

I checked with the provider and they told me that there is an inconsistent route from CE, whenever the traffic passes through their AS603, it goes back to AS604. 

 

As a solution, they told me to apply NAT on the router to fix the inconsistency. However, my concern is that we have Public IPs advertised (152.152.110.0/23) to them and they want them to NAT it. 

Sorry, I am not an expert in BGP but if I apply NAT on it, will it replace the 152.152.110.0 with the NAT IP? We cannot NAT the 152.152.x.x subnet because it is used to access servers in different regions. 

 

Sample Diagram.JPG

This is my configuration for gateway 2, it's identical to the gateway 1 router. 

 

Gateway 2 - Configuration

interface Loopback0
 ip address 152.152.111.2 255.255.255.255
!
interface Tunnel1
 ip address 10.200.57.82 255.255.255.252
 ip mtu 1500
 ip flow ingress
 ip tcp adjust-mss 1400
 tunnel source 10.201.72.110
 tunnel destination 10.200.200.22
!
interface GigabitEthernet0/0
 ip address 152.152.111.6 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
 switchport access vlan 2
!
interface Vlan1
 ip address 152.152.110.2 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 152.152.110.0 0.0.0.255 area 0
 network 152.152.111.2 0.0.0.0 area 0
 network 152.152.111.6 0.0.0.0 area 0
 default-information originate always
!
router bgp 38792
 bgp router-id 152.152.111.2
 bgp log-neighbor-changes
 neighbor upstream peer-group
 neighbor upstream version 4
 neighbor iBGP peer-group
 neighbor iBGP update-source Loopback0
 neighbor iBGP version 4
 neighbor 10.200.57.81 remote-as 9584
 neighbor 10.200.57.81 peer-group upstream
 neighbor 152.152.111.1 remote-as 38792
 neighbor 152.152.111.1 peer-group iBGP
 !
 address-family ipv4
  neighbor upstream soft-reconfiguration inbound
  neighbor upstream prefix-list BOGONS in
  neighbor upstream prefix-list ANNOUNCE out
  neighbor upstream filter-list 500 out
  neighbor iBGP next-hop-self
  neighbor iBGP soft-reconfiguration inbound
  neighbor 10.200.57.81 activate
  neighbor 152.152.111.1 activate
  no auto-summary
  no synchronization
  network 152.152.110.0 mask 255.255.254.0
 exit-address-family
!
ip forward-protocol nd
ip route 10.200.200.22 255.255.255.255 GigabitEthernet0/1 10.201.72.109
ip route 152.152.110.0 255.255.254.0 Null0 200
no ip http server
no ip http secure-server
!
ip as-path access-list 500 permit ^$
!
!
!
ip prefix-list ANNOUNCE description Our External Netblocks
ip prefix-list ANNOUNCE seq 10 permit 152.152.110.0/23
ip prefix-list ANNOUNCE seq 20 deny 0.0.0.0/0 le 32
!
ip prefix-list BOGONS description Bogon networks we won't accept.
ip prefix-list BOGONS seq 5 deny 0.0.0.0/8 le 32
ip prefix-list BOGONS seq 30 deny 10.0.0.0/8 le 32
ip prefix-list BOGONS seq 390 deny 127.0.0.0/8 le 32
ip prefix-list BOGONS seq 395 deny 169.254.0.0/16 le 32
ip prefix-list BOGONS seq 400 deny 172.16.0.0/12 le 32
ip prefix-list BOGONS seq 485 deny 192.0.0.0/24 le 32
ip prefix-list BOGONS seq 490 deny 192.0.2.0/24 le 32
ip prefix-list BOGONS seq 500 deny 192.168.0.0/16 le 32
ip prefix-list BOGONS seq 512 deny 198.18.0.0/15 le 32
ip prefix-list BOGONS seq 513 deny 198.51.100.0/24 le 32
ip prefix-list BOGONS seq 515 deny 203.0.113.0/24 le 32
ip prefix-list BOGONS seq 520 deny 224.0.0.0/4 le 32
ip prefix-list BOGONS seq 1000 deny 152.152.122.0/23 le 32
ip prefix-list BOGONS seq 9999 permit 0.0.0.0/0 le 27
!
!

Thank you in advance.

 

 

Georg Pauwen
VIP Expert

Hello,

 

I'll probably have to lab this up (unless somebody else sees a problem right away of course), but when you say the configs of both routers are identical, are you trying to accomplish some sort of load balancing?

(Accepted solution)

Hello,

 

Yes, almost identical, just different ISP. The routing right now is that when traffic goes out from the network, it goes via ISP 2 and routes back to ISP 1. 

 

I had this setup with our other offices and did not encounter this inconsistent route as advised by the ISP. 

Giuseppe Larosa
Hall of Fame Master

Hello @mudvayne15 ,

Your configuration looks correct to avoid recalculations

neighbor upstream prefix-list ANNOUNCE out
  neighbor upstream filter-list 500 out

 

I only wonder if the as-path access-list 500 is in the correct range.

>>

ip as-path access-list 500 permit ^$

Try to use

ip as-path access-list 5 permit ^$

 

and remove the line

neighbor upstream prefix-list ANNOUNCE out

and use

neighbor upstream filter-list 5 out

 

Hope to help

Giuseppe

 

(Accepted solution)

Thank you, I will check and investigate. 

MHM Cisco World
Collaborator

There are two protocols, OSPF and BGP, and both advertise 152.152.110.0/24! This makes it flap, because the AD of OSPF is 110 and eBGP is 20; this causes the issue.
Just remove this network and see the result.

NOTE: in any case where two or more protocols advertise the same route, it causes issues in your topology.

I believe you had it wrong; OSPF is only /24 while the network advertised in BGP is /23.

Why do you advertise it through eBGP?

Because 152.152.x.x is our public IP.

OSPF does not advertise this public IP to the ISP, but BGP does.

So I think you use OSPF to establish iBGP between the two peers.

So iBGP will advertise this IP, not OSPF. When you make both OSPF and iBGP advertise the route, the issue arises.

MHM Cisco World
Collaborator

Any updates?

I will make the changes on Sept 25, but to apply NAT on the router.
The ISP might not like it when we only route from our Public IP via their Tunnel. 

 

It's definitely not an issue with how I placed the subnet between OSPF and BGP. 

Friend, what I mention here is:

OSPF is only used for the iBGP peering,
BGP is responsible for exchanging prefixes, not OSPF.

mudvayne15
Beginner

Hello everyone, just to update you on this issue.
I asked ISP A to do AS Prepending on their end and it fixed our issue. I see the routes coming back to ISP 2 now properly.

 

Now, I am only pending if the failover will work properly. 

Hello
You should NOT depend on any ISP to help filter your network. What is happening is that you have become a transit path between those ISPs, so what YOU need to do is what @Giuseppe Larosa suggested: apply that as-path filter and ONLY advertise routes that don't have an AS path in them, basically only your local routes.

 



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

(Accepted solution)
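
The effect of the outbound filters discussed in this thread can be checked offline. The Python below is an added example, not code from any poster: it evaluates the posted `ANNOUNCE` prefix-list and as-path access-list 500 against a constructed BGP table, where AS 64496/64511 and the RFC 5737 prefixes are placeholders for routes learned from the other ISP. It assumes plain regexes such as `^$` and does not handle the Cisco `_` metacharacter.

```python
import ipaddress
import re

# Outbound policy lines copied from the Gateway 2 configuration in the question.
CONFIG = """\
ip as-path access-list 500 permit ^$
ip prefix-list ANNOUNCE seq 10 permit 152.152.110.0/23
ip prefix-list ANNOUNCE seq 20 deny 0.0.0.0/0 le 32
"""
# Constructed BGP table (prefix, AS path); the non-empty paths are placeholders.
TABLE = [
    ("152.152.110.0/23", ""),         # locally originated aggregate
    ("152.152.110.0/24", ""),         # locally originated more-specific
    ("192.0.2.0/24", "64496 64511"),  # learned from the other ISP via iBGP
    ("198.51.100.0/24", "64496"),     # learned from the other ISP via iBGP
]

def parse_prefix_list(config, name):
    # Returns (action, network, ge, le) entries in sequence-number order.
    pat = re.compile(rf"ip prefix-list {re.escape(name)} seq (\d+) (permit|deny) "
                     r"(\S+)(?: ge (\d+))?(?: le (\d+))?$")
    rows = [m.groups() for m in map(pat.match, config.splitlines()) if m]
    return [(act, ipaddress.ip_network(net), ge and int(ge), le and int(le))
            for _, act, net, ge, le in sorted(rows, key=lambda r: int(r[0]))]

def prefix_permitted(entries, prefix):
    """First matching entry wins; the list ends with an implicit deny."""
    route = ipaddress.ip_network(prefix)
    for action, net, ge, le in entries:
        lo = net.prefixlen if ge is None else ge
        hi = le if le is not None else (32 if ge is not None else net.prefixlen)
        if route.subnet_of(net) and lo <= route.prefixlen <= hi:
            return action == "permit"
    return False

def parse_as_path_acl(config, number):
    pat = re.compile(rf"ip as-path access-list {number} (permit|deny) (\S+)$")
    return [(m.group(1), re.compile(m.group(2)))
            for m in map(pat.match, config.splitlines()) if m]

def as_path_permitted(acl, as_path):
    """First matching regex wins; no match means implicit deny."""
    return next((act == "permit" for act, rx in acl if rx.search(as_path)), False)

def advertised(table, prefix_list=None, as_acl=None):
    return [p for p, path in table
            if (prefix_list is None or prefix_permitted(prefix_list, p))
            and (as_acl is None or as_path_permitted(as_acl, path))]

ANNOUNCE, ACL_500 = parse_prefix_list(CONFIG, "ANNOUNCE"), parse_as_path_acl(CONFIG, 500)
```

Calling `advertised(TABLE)` with no filters returns every route, which is the transit case; with only `as_acl=ACL_500` the ISP-learned routes drop out but the local /24 still passes, and with both filters only 152.152.110.0/23 is sent.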