eBGP question

Ashwin Kotha · ‎10-11-2011

Hi Experts,

Consider the following scenarios.

I have two Branch offices (assume AS2 )connected via same router (assume AS3) like the topo below.

I have iBGP in each site routers (b/w CE1, R2, R3 and b/w CE2,R6, RR2, R7). The IGP is OSPF and from GW in which I have eBGP AS3 I am able to ping each wings loopback. For example from GW I can ping 192.168.3.1 - 5 and can ping 192.168.2.1 - 5 ). I have "show ip bgp" output as this in GW.

GW#show ip bgp

BGP table version is 11, local router ID is 1.1.1.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

*> 192.168.2.1/32 2.1.1.1 0 2 i

*> 192.168.2.2/32 2.1.1.1 0 2 i

*> 192.168.2.3/32 2.1.1.1 0 2 i

*> 192.168.2.4/32 2.1.1.1 0 2 i

*> 192.168.2.5/32 2.1.1.1 0 2 i

*> 192.168.3.1/32 2.2.1.1 0 2 i

*> 192.168.3.2/32 2.2.1.1 0 2 i

*> 192.168.3.3/32 2.2.1.1 0 2 i

*> 192.168.3.4/32 2.2.1.1 0 2 i

*> 192.168.3.5/32 2.2.1.1 0 2 i

GW#

Now the requirement is to be able to ping 192.168.3.0 block from R3 and 192.168.2.0 from R7. Can anyone throw some light here.

BGP config on GW:

GW#show runn | beg bgp

router bgp 3

no synchronization

bgp log-neighbor-changes

network 200.0.0.0 mask 255.0.0.0

neighbor 2.1.1.1 remote-as 2

neighbor 2.1.1.1 ebgp-multihop 2

neighbor 2.1.1.1 update-source Loopback1

neighbor 2.2.1.1 remote-as 2

neighbor 2.2.1.1 ebgp-multihop 2

neighbor 2.2.1.1 update-source Loopback1

neighbor 2.2.1.1 next-hop-self

no auto-summary

!.

Let me know what I am missing.

Thanks,

Ash

Marwan ALshawi · ‎10-11-2011

hi Ash

BGP has a loop prevention behavior when BGP recieve a route via eBGP session and see its own AS number in the AS path it will not install it in the routing table

one way to fix it is use as-override command in the ISP/GW router where it will remove the AS of the source and keep its own AS only which is AS 3

GW router:

neighbor as-override

Hope this help

if helpful rate

Vaibhava Varma · ‎10-11-2011

Hi Ash

Just to add some more points to the solution to the above issue:

The Default AS-Path loop prevention mechanism can be tweaked in 2 ways:

1. By the ISP using "as-override" per eBGP neighbour session config under VRF specific context-only possible when CEs(belonging to same AS) are MPLS VPN customers

2. By the CE (belonging to the same AS) using "allow-as in" per eBGP neighbour session for IPv4 eBGP peering.

Since here the GW Router is doing IPv4 eBGP peering we would need to configure the "allow-as in" command on the CE2,CE3 routers to accept their own AS-Path in the eBGP update from AS3.

Hope this helps you resolve your issue.

Regards

Varma

Marwan ALshawi · ‎10-12-2011

The second option allow AS works but more risky as it might cause routing loops

Is the issue fixed ?

Ashwin Kotha · ‎10-12-2011

Hi Marwanshawi / Vaibhava Varma,

Thanks for the solutions. I might have not considered about routing loops and bgp would by default block the same AS coming in via different AS which could be the case in real scenarios. Anyways, this is a brilliant suggestion from both of you. Will try out all the solution and let you guys know.

Thanks a lot guys,

Ashwin Kotha.

Marwan ALshawi · ‎10-13-2011

good luck and rate the helpful posts too

Ashwin Kotha · ‎10-13-2011

Hi Guys,

I tried the option "allowas-in" in CE's but didnt work. To make sure I changed the AS number in right flank ( Currently it is 4 and configuration changed accordingly). Now both the routes (192.168.3.x and 192.168.2.x) are seen in bgp table and pingable from GW router. But still CE2 is not able to ping 192.168.2.x and CE1 is not able to ping 192.168.3.x.

Traceroute on CE2 to 192.168.2.1 is this

CE2#traceroute 192.168.2.1

Type escape sequence to abort.

Tracing the route to 192.168.2.1

1 200.0.2.1 12 msec 24 msec 12 msec

2 200.0.1.2 8 msec 32 msec 20 msec

3 * * *

4

It is hitting the interface of CE1 router from GW. The packet has been dropped there in se 1/0 of CE1. The routing table of CE 1 still has 192.168.2.x network which is the destination learnt via iBGP.

Thanks,

Ash

Vaibhava Varma · ‎10-13-2011

Hi Ash

So we have now the routes present in the routing table at the CEs.

What is the source of your ping. Is it the CE's Interface IP connecting to PE. Have you advertsied the same via eBGP or not.

Can you try a Source based ping across CEs using the loopbacks as source.

Regards

Varma

Marwan ALshawi · ‎10-14-2011

i agree with Varma, it is almost the source IP is not reachable as long as you see both ends loopbacks then source the pin from one of these loopbacks

by the way have you tried the as-override command ?