05-27-2019 04:36 AM - edited 05-27-2019 06:10 AM
Hello, I am a newbie to BGP and have an ASR1001x (172.16.0.3) that forwards an ACL (through PBR) to a second router while I'm trying to get BGP working on a testing prefix-list. The router is configured as follows:
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/0/0
 ip address 172.16.0.3 255.255.255.0
 ip nat inside
 ip policy route-map PBR_GI0/0/0
!
interface GigabitEthernet0/0/2
 ip address 1.1.101.101 255.255.255.252
 ip nat outside
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/3
 ip address 2.2.201.201 255.255.255.252
 ip nat outside
 negotiation auto
 ip virtual-reassembly
!
GE0/0/0 is the link in from the SVI switch.
BGP setup as follows:
router bgp 62323
 bgp log-neighbor-changes
 neighbor 1.1.100.100 remote-as 200
 neighbor 1.1.100.100 ttl-security hops 2
 neighbor 1.1.100.100 password 7 #####
 neighbor 1.1.100.100 timers 6 20
 neighbor 2.2.200.200 remote-as 300
 neighbor 2.2.200.200 ttl-security hops 2
 neighbor 2.2.200.200 password 7 ####
 neighbor 2.2.200.200 timers 7 22
 !
 address-family ipv4
  network 172.16.0.0 mask 255.255.255.0
  network 192.168.0.0
  network 192.168.120.0
  neighbor 1.1.100.100 activate
  neighbor 1.1.100.100 send-community both
  neighbor 1.1.100.100 route-map ISPA_IN in
  neighbor 1.1.100.100 route-map ISPA_OUT out
  neighbor 2.2.200.200 activate
  neighbor 2.2.200.200 send-community both
  neighbor 2.2.200.200 route-map ISPB_IN in
  neighbor 2.2.200.200 route-map ISPB_OUT out
 exit-address-family
!
ip as-path access-list 1 permit ^$
ip as-path access-list 2 permit _200$
ip as-path access-list 2 permit _300$
!
access-list 1 permit 192.160.120.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.0.255
Static routes for the 3 networks through the SVI (172.16.0.254):
ip route 192.168.100.0 255.255.255.0 172.16.0.254
ip route 192.168.110.0 255.255.255.0 172.16.0.254
ip route 192.168.120.0 255.255.255.0 172.16.0.254
Access list for PBR to send traffic to the second router as next hop, and prefix-list for the BGP route:
ip access-list standard PRODUCTION_ACL
 permit 192.168.100.0 0.0.0.255
 permit 192.168.110.0 0.0.0.255
!
!
ip prefix-list TESTING_LAN seq 5 permit 192.168.120.0/24
route-maps:
route-map PBR_GI0/0/0 permit 10
 match ip address PRODUCTION_ACL
 set ip next-hop 172.16.0.1
!
route-map ISPA_IN permit 10
 match as-path 2
!
route-map ISPB_IN permit 10
 match as-path 2
!
route-map ISPA_OUT permit 20
 match ip address prefix-list TESTING_LAN
 match as-path 1
!
route-map ISPB_OUT permit 20
 match ip address prefix-list TESTING_LAN
 match as-path 1
!
I'm getting BGP routes in, and I can also see that I'm advertising a route to both neighbors:
local router ID: 192.168.0.1
     Network          Next Hop            Metric LocPrf Weight Path
*>   192.168.120.0    172.16.0.254             0         32768 i
But when I'm on a machine on 192.168.120.0/24 I have no connectivity; I can't ping anything past the WAN interfaces on the router. Am I missing something in the setup?
05-27-2019 05:51 AM
Hello,
please add a network diagram, because it is not clear how many routers are involved.
Who is the device with IP 172.16.0.1 ?
Who is the device with IP 172.16.0.254?
is PBR configured on the same device with the eBGP sessions ?
Also, some of the configuration has clearly been changed by hand:
>>
interface GigabitEthernet0/0/3 ip address 3.3.301.301 255.255.255.252
This is clearly impossible in IPv4! 301 cannot fit in a single octet.
Also, the inbound route-map for ISP B should match as-path access-list 3 and not 2, or you will not accept any routes from ISP B.
Also, the way the regular expressions are written only works in a lab:
ip as-path access-list 2 permit _200$
ip as-path access-list 2 permit _300$
In the real world the AS paths have the ISP AS number in the leftmost position but can include any other AS numbers.
So your ip as-path access-lists should be
ip as-path access-list 2 permit ^200_
ip as-path access-list 3 permit ^300_
How is NAT configured ?
Hope to help
Giuseppe
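To see concretely why the reply's `^200_` behaves differently from the original `_200$`, here is an added Python example that is not part of the thread and not Cisco's code: it emulates IOS as-path regex matching (the `_` token standing for an AS-number boundary, i.e. start or end of string, space, comma, brace or parenthesis) and runs the original and the corrected as-path access-lists over a few constructed AS paths. The sample paths, the helper names and the assumption that paths are written as space-separated AS numbers, as `show ip bgp` prints them, are mine.

```python
import re
from typing import List

# Cisco IOS as-path regexes use '_' as a boundary token: it matches the start
# or end of the string, a space, a comma, a brace or a parenthesis (i.e. an
# AS-number edge). Everything else is ordinary regex syntax. This helper turns
# an IOS expression into an equivalent Python pattern. Assumption: AS paths
# are represented as space-separated AS numbers, as "show ip bgp" prints them.
def ios_aspath_regex(expr: str) -> "re.Pattern[str]":
    return re.compile(expr.replace("_", r"(?:^|$|[ ,{}()])"))


def aspath_matches(expr: str, as_path: str) -> bool:
    """True if the IOS as-path regex `expr` matches the AS path string."""
    return ios_aspath_regex(expr).search(as_path) is not None


def aspath_acl_permits(entries: List[str], as_path: str) -> bool:
    """Emulate an 'ip as-path access-list' made only of permit lines:
    the path is permitted if any line matches, otherwise implicitly denied."""
    return any(aspath_matches(e, as_path) for e in entries)


# Constructed sample AS paths, as the ASR would see them from ISP A (AS 200)
# and ISP B (AS 300). Illustrative only, not taken from the thread.
SAMPLE_PATHS = [
    "200",            # originated by ISP A itself
    "200 65001",      # a customer of ISP A: 200 is leftmost, not rightmost
    "200 300 65002",  # reached via ISP A, transiting ISP B
    "300",            # originated by ISP B
    "300 200",        # learned from ISP B, originated by ISP A
    "2000",           # unrelated AS whose number merely starts with 200
]

# The thread's original list (applied to both ISP sessions) and the corrected,
# per-ISP lists from the reply.
ORIGINAL_ACL_2 = ["_200$", "_300$"]
FIXED_ACL_2 = ["^200_"]   # for route-map ISPA_IN
FIXED_ACL_3 = ["^300_"]   # for route-map ISPB_IN


def permitted_paths(entries: List[str]) -> List[str]:
    """Subset of SAMPLE_PATHS that the given as-path access-list permits."""
    return [p for p in SAMPLE_PATHS if aspath_acl_permits(entries, p)]


if __name__ == "__main__":
    for name, acl in [("original list 2 (both ISPs)", ORIGINAL_ACL_2),
                      ("fixed list 2 (ISP A)", FIXED_ACL_2),
                      ("fixed list 3 (ISP B)", FIXED_ACL_3)]:
        print(f"{name}: {permitted_paths(acl)}")
```

The output shows the point of the reply: with `_200$` a prefix from a customer of ISP A (path `200 65001`) is dropped because 200 is not the origin AS, while `^200_` accepts everything whose path starts at the neighbor's AS, and the `_` boundary keeps `^200_` from also matching an unrelated AS such as 2000. Using a per-neighbor `^<neighbor-AS>_` list is also the more defensive inbound filter, since a route whose path does not begin with the peer's own AS should never arrive on that session.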
05-27-2019 06:08 AM
Thanks for your reply. I washed the IPs out and had a brain fart there, I updated the OP.
172.16.0.1 is a second router that is not configured for BGP, but has a link to another ISP, and I want all traffic on 192.168.100.0/24 and 192.168.110.0/24 to hop to it. This part is working. It's the traffic on 192.168.120.0/24 that I want to go through BGP that is not working.
The device 172.16.0.254 is a switch that does access, svi and dhcp.
Here is a network diagram:
And yes PBR and BGP on same router, everything from the config above is all on 172.16.0.3 which is an ASR1001x
05-27-2019 06:24 AM
Hello,
no problems at all! it was evident you had changed the IP addresses.
Thanks for the network diagram and for the additional info.
There is still one piece of information that is missing:
Is your NAT configuration complete?
Are you NATting the testing network 192.168.200.0/24?
Because you have:
ip nat inside on the internal interface of the ASR1000
ip nat outside on the interfaces to the ISPs
Does the multilayer switch 172.16.0.254 have a default route pointing to 172.16.0.3 (the ASR1000 internal IP address)?
You can post your NAT configuration if you have one.
And you can check IP NAT operations with
show ip nat translations
Hope to help
Giuseppe
05-27-2019 06:35 AM
Yes, 172.16.0.254 forwards all traffic to 172.16.0.3 (well, it's to the HSRP address 172.16.0.11 configured on both routers, with higher priority on 172.16.0.3).
Also, there is no NAT configuration, which may be the problem. To add a little more info, this is from tearing down a VPC tunnel to Amazon Direct Connect where 192.168.100.0 was previously NATed to a block of Amazon IPs.
05-27-2019 06:49 AM
Hello Oreoloveboss,
so no NAT is involved.
Another question: is this a lab setup, are you emulating ISPA and ISPB?
If yes, how do you emulate them?
I ask because 192.168.120.0/24 is still a private IP address range that could not access the public Internet directly.
It could be used if your eBGP sessions are used to connect to MPLS L3VPN services from ISPA and ISPB.
Hope to help
Giuseppe
05-27-2019 08:11 AM
I believe the issue was NAT; I was just confused as to how the NAT was previously functioning when we were on the Amazon Direct Connect tunnel.
I created route-maps ISPA_WAN and ISPB_WAN that match ip address against an access-list that included 172.16.0.1/24, 192.168.100.0/24, 192.168.110.0/24 and 192.168.120.0/24,
and then NAT the following:
ip nat inside source route-map ISPA_WAN interface GigabitEthernet0/0/2 overload
ip nat inside source route-map ISPB_WAN interface GigabitEthernet0/0/3 overload
and it appears to be working. Thanks so much for your assistance!