729 Views, 5 Helpful, 4 Replies

Carrier Ethernet Loops on ASR 920

Kriptonik55, Level 1

Configuration: We have a carrier-ethernet network consisting of 5 core routers at different locations. Each core router has two bridge domains configured: BD 10 for management and routing, and BD 20 for layer 2 transport of user data. The hub location has an NMS poller tied into the system to monitor hardware.

Issue: If a device goes offline the NMS sends out a ping request to locate the unresponsive IP address. This seems to be causing a layer 3 loop on the system where we can see tens of thousands of copies of the ICMP packet circulating the network with an "icmp.no_resp" status.

This is the first time trying to construct a carrier ethernet topology, and I know the routing is a little tricky because each router has a single IP that is facing multiple ports, since each Bridge-Domain can only have one BDI assigned to it. I am wondering if it is something in the way I have the OSPF configured that is causing the IP traffic to loop? Should I change the OSPF statement for each router to just be a /32 for that router's BDI IP address?

Any help is much appreciated.

Copy of Loaded Config (scrubbed):

 

conf t
!
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip boot server
no ip bootp server
no service config
no ip http server
no ip http secure-server
no service pad
no ip source-route
no ip gratuitous-arps
no service dhcp
no cdp run
no ip domain-lookup
no boot network
!
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime
service timestamps log datetime
service password-encryption
service pt-vty-logging
!
hostname Core
!
no logging console
!
ip domain-name network.net
!
!
ip tcp synwait-time 10
!
crypto key generate rsa modulus 2048
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
ip ssh server algorithm mac hmac-sha1 hmac-sha1-96
ip ssh server algorithm encryption aes128-cbc aes192-cbc aes256-cbc
!
!
spanning-tree mode mst
spanning-tree mst configuration
instance 10 vlan 1-200
name MYmst10
revision 1
!
!
snmp-server view mib2 mib-2 included
snmp-server community mysnmp RO ipv6 NMS01
snmp-server location Site 1
snmp-server contact NMS01.network.net
!
!
!
!
interface Loopback0
description Site 01 Loopback
ip address 10.0.255.1 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mfib cef input
no ip mfib cef output
exit
!
!
!
!
!
!
interface BDI10
ip address 10.0.0.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 0 IcCtBd10a0
no shut
exit
!
interface gig 0/0/0
description Core-to-Core Trunk
ethernet dot1ad nni
!
service instance trunk 1 ethernet
encapsulation dot1ad 20-100
bridge-domain from-encapsulation
rewrite ingress tag pop 1 symmetric
no shut
!
service instance 10 ethernet
encapsulation dot1ad 10 dot1q 10
rewrite ingress tag pop 2 symmetric
bridge-domain 10
no shut
!
!
interface gig 0/0/1
description Core-to-Edge Port
!
service instance 10 ethernet
encapsulation dot1q 10 second-dot1q 10
rewrite ingress tag pop 2 symmetric
bridge-domain 10
no shut
!
service instance 20 ethernet
encapsulation dot1q 20 second-dot1q any
rewrite ingress tag pop 1 symmetric
bridge-domain 20
no shut
!
router ospf 10
router-id 10.0.255.1
auto-cost reference-bandwidth 100000
area 0 authentication message-digest
passive-interface default
no passive-interface BDI10
network 10.0.0.0 0.0.0.255 area 0
network 10.0.255.1 0.0.0.0 area 0
!
end
!
!
config t
ntp server 10.0.0.100 version 4 prefer
clock timezone EST -5
clock summer-time EST date 10 MAR 2019 02:00 3 NOV 2019 02:00
!
end
!
!
!
!
!
config t
aaa new-model
aaa authentication login default group tacacs+ local
tacacs server ADDC01
address ipv4 10.0.2.101
key TACacsTEST
port 49
timeout 20
!
exit
!
ip tacacs source-interface bdi10
username Admin password PASSword1234
exit
!
!
!
!
!
!
!
!
!
config t
!
access-list 3 permit 10.0.0.0 0.0.0.255 log
!
no policy-map drop-127/8-netblock-traffic
!
ip access-list extended 100
permit ospf any 10.0.0.0 0.0.255.255
permit ospf any host 224.0.0.5
permit ospf any host 224.0.0.6
!
ip access-list extended 110
permit tcp 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255 eq 22
permit tcp 10.0.0.0 0.0.255.255 eq 22 10.0.0.0 0.0.255.255 established
permit udp 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255 eq ntp
!
ip access-list extended 120
permit icmp any 10.0.0.0 0.0.255.255 echo
permit icmp any 10.0.0.0 0.0.255.255 echo-reply
permit icmp any 10.0.0.0 0.0.255.255 ttl-exceeded
permit icmp any 10.0.0.0 0.0.255.255 packet-too-big
permit icmp any 10.0.0.0 0.0.255.255 port-unreachable
permit icmp any 10.0.0.0 0.0.255.255 unreachable
permit gre any any
!
ip access-list extended 130
permit icmp any any fragments
permit udp any any fragments
permit tcp any any fragments
permit ip any any fragments
permit udp any any eq 1434
permit tcp any any eq 639 rst
permit tcp any any eq bgp rst
!
ip access-list extended 140
permit tcp any any
permit udp any any
permit icmp any any
permit ip any any
!
!
end
!
!
!
!
!
conf t
!
class-map match-any COPP_routing
match access-group 100
!
class-map match-any COPP_management
match access-group 110
!
class-map match-any COPP_normal
match access-group 120
!
class-map match-any COPP_undesirable
match access-group 130
!
class-map match-any COPP_catch-all-ip
match access-group 140
!
policy-map COPP
class COPP_undesirable
police cir 128k pir 256k conform transmit exceed drop violate drop
class COPP_routing
police cir 128k pir 256k conform transmit exceed drop violate drop
class COPP_management
police cir 128k pir 256k conform transmit exceed drop violate drop
class COPP_normal
police cir 128k pir 256k conform transmit exceed drop violate drop
class COPP_catch-all-ip
police cir 128k pir 256k conform transmit exceed drop violate drop
class class-default
police cir 128k pir 256k conform transmit exceed drop violate drop
!
control-plane
service-policy input COPP
!
exit
!
!
banner login ^
Welcome to the test net
^
!
line con 0
login authentication default
session-timeout 10
exec-timeout 9 59
login local
line aux 0
exec-timeout 9 59
no exec
line vty 0 4
login authentication default
session-timeout 10
access-class 3 in
exec-timeout 9 59
login local
transport input ssh
!
!
enable secret 0 PASSword1234
!
4 Replies

Hello,

which IP address(es) are you pinging, the loopback(s)? What are you using as NMS?

We are pinging the BDIs of each router that belong to Bridge-Domain 10 (Management). So, for the specific router in question it would be router 4 at 10.0.0.4.

The NMS is SolarWinds NTA and NPM.

We currently have the network topology mapped as what the NMS found via autodiscovery by pinging everything in the 10.0.0.0 subnet.

Hello,

since you are advertising the loopback, I wonder (if that is an option) if the excessive packets stop when your NMS just pings the loopback IP addresses?

I configured the NMS to use the loopback address as the polling point. After about 10 minutes of the node being offline there have been no ping loops. It seems the issue only occurs when hitting BDI 10.

I am wondering if, since every router is broadcasting network 10.0.0.0 in its OSPF statements, when a ping cannot find the target the layer 2 and layer 3 crossover is causing the packets to continue cycling from each router with a 10.0.0.0 network statement.
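The original post describes tens of thousands of copies of one ICMP echo request circulating, and the last reply asks whether the layer 2 / layer 3 crossover is what keeps them cycling. A capture taken on any link of BD 10 can tell the two cases apart: a bridge never touches the IP header, so copies produced by a layer 2 flooding loop all carry the same TTL and nothing bounds their number, whereas a router decrements TTL on every pass, so copies produced by a layer 3 routing loop show a descending TTL and die out after at most the initial TTL hops. The script below is an added example, not code from the thread or from Cisco: it parses raw Ethernet/IPv4/ICMP frames, groups echo requests by their identity (source, destination, IP ID, ICMP id and sequence) and classifies each group from the TTLs seen. The frames, MAC addresses, ICMP identifier 0x1234 and the 10.0.0.100 poller address are constructed for the demo; in practice the frame bytes would come from a pcap instead of build_icmp_echo_frame().

```python
"""Classify duplicated ICMP echo requests in a capture as a layer 2 or layer 3 loop.

Added example, not from the thread. All frames are constructed inline so it runs offline.
"""
import socket
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8
ICMP_DEMO_ID = 0x1234  # constructed ICMP identifier used by every sample frame


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo_frame(src_mac, dst_mac, src_ip, dst_ip, ip_id, ttl, seq):
    """Constructed Ethernet/IPv4/ICMP echo-request frame (stands in for a pcap record)."""
    def mac(text):
        return bytes.fromhex(text.replace(":", ""))
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ICMP_DEMO_ID, seq) + b"constructed-sample"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ip_id, 0,
                     ttl, IPPROTO_ICMP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return eth + ip + icmp


def parse_icmp_echo(frame: bytes):
    """Return the loop-relevant fields of an echo request, or None for any other frame."""
    if len(frame) < 14 + 20 + 8:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ttl, proto = ip[8], ip[9]
    if proto != IPPROTO_ICMP or len(ip) < ihl + 8:
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
    if icmp_type != ICMP_ECHO_REQUEST:
        return None
    return {
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "ip_id": struct.unpack("!H", ip[4:6])[0],
        "ttl": ttl,
        "icmp_id": ident,
        "seq": seq,
    }


def classify_echo_loops(frames, min_copies=3):
    """Group echo requests by identity and decide from their TTLs how the copies were made."""
    seen = defaultdict(list)
    for frame in frames:
        pkt = parse_icmp_echo(frame)
        if pkt:
            key = (pkt["src_ip"], pkt["dst_ip"], pkt["ip_id"], pkt["icmp_id"], pkt["seq"])
            seen[key].append(pkt["ttl"])
    report = {}
    for key, ttls in seen.items():
        copies = len(ttls)
        if copies < min_copies:
            verdict = "normal"
        elif len(set(ttls)) == 1:
            # Bridging leaves the IP header untouched: every copy has the same TTL,
            # and nothing bounds the count while the destination MAC stays unknown.
            verdict = "layer2-flooding-loop"
        else:
            # Routing decrements TTL per hop, so the copies are bounded by the initial TTL.
            verdict = "layer3-routing-loop"
        report[key] = {"copies": copies, "ttls": sorted(set(ttls), reverse=True), "verdict": verdict}
    return report


NMS_MAC, GW_MAC, CORE2_MAC = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02"


def constructed_capture():
    """Constructed sample: one healthy poll, one bridged loop, one routed loop."""
    frames = [build_icmp_echo_frame(NMS_MAC, GW_MAC, "10.0.0.100", "10.0.0.1", 1, 64, 1)]
    # Bridged copies: the same frame captured 50 times with its TTL untouched.
    frames += [build_icmp_echo_frame(NMS_MAC, GW_MAC, "10.0.0.100", "10.0.0.4", 2, 64, 1)] * 50
    # Routed copies: each pass through a router costs one TTL.
    frames += [build_icmp_echo_frame(GW_MAC, CORE2_MAC, "10.0.0.100", "10.0.0.4", 3, ttl, 2)
               for ttl in range(63, 57, -1)]
    return frames


if __name__ == "__main__":
    for key, info in classify_echo_loops(constructed_capture()).items():
        print(key, info)
```

The verdict for the unreachable 10.0.0.4 target is what decides the fix: identical TTLs point at the bridge domain (unknown-unicast flooding with no loop protection on the ring), while a descending TTL points at the routing table, which is the case the OSPF network statements in the thread would influence.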
