Re: looking for help on BGP advertisements and ip SLA

rreimer · ‎04-30-2013

i have a cisco 3825 running c3825-entservicesk9-mz.124-25g.bin.

it has 2 interfaces

a WAN that has BGP peering with 2 upstream neighbors

a local interface that is connected to a siwtch and then to a firewall (216.224.132.161/27 router, 216.224.132.162/27 is the firewall)

i only want to advertise the subnet of the local interface (216.224.132.160/27) when the firewall is reachable.

I have gotten it such that I can track the firewall IP's reachability using the ip sla and track functions. when I change the firewall ip to something other than 216.224.132.162 the tracking shows it as down.

But I can not figure out how to only BGP advertise the connected subnet when the firewall is reachable and not when it is down.

below is the config I currently have. please help

rtr-pittsford-rhio.roc1#sho run

Building configuration...

Current configuration : 5191 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

!

hostname rtr-pittsford-rhio.roc1

!

boot-start-marker

boot system flash:c3825-entservicesk9-mz.124-25g.bin

boot-end-marker

!

logging buffered 4096 debugging

enable secret 5 $1$QnV2$d3stnVuvqYVZKOPK18dbj1

!

aaa new-model

!

aaa session-id common

clock timezone EST -5

clock summer-time EDT recurring

no ip source-route

ip cef

!

no ip domain lookup

ip domain name logicalsolutions.net

ip sla monitor 10

type echo protocol ipIcmpEcho 216.224.132.162

threshold 2

frequency 5

ip sla monitor schedule 10 life forever start-time now

voice-card 0

no dspfarm

!

track 10 rtr 10 reachability

!

interface Null0

no ip unreachables

!

interface GigabitEthernet0/0

ip address 216.224.150.18 255.255.255.248

load-interval 30

duplex auto

speed auto

media-type rj45

no keepalive

!

interface GigabitEthernet0/1

ip address 216.224.132.161 255.255.255.224

ip ospf message-digest-key 1 md5 7 107C21302A

ip ospf priority 0

ip ospf mtu-ignore

load-interval 30

duplex auto

speed auto

media-type rj45

no keepalive

!

router ospf 1

router-id 216.224.132.225

log-adjacency-changes detail

area 0 authentication message-digest

redistribute connected

redistribute static

passive-interface default

no passive-interface GigabitEthernet0/1

network 216.224.132.224 0.0.0.7 area 0

default-information originate

!

router bgp 65512

bgp router-id 216.224.150.18

bgp log-neighbor-changes

bgp graceful-restart restart-time 120

bgp graceful-restart stalepath-time 360

bgp graceful-restart

neighbor 216.224.150.21 remote-as 6983

neighbor 216.224.150.21 update-source GigabitEthernet0/0

neighbor 216.224.150.21 timers 30 90

neighbor 216.224.150.22 remote-as 6983

neighbor 216.224.150.22 update-source GigabitEthernet0/0

neighbor 216.224.150.22 timers 30 90

!

address-family ipv4

redistribute static

redistribute ospf 1

neighbor 216.224.150.21 activate

neighbor 216.224.150.21 soft-reconfiguration inbound

neighbor 216.224.150.22 activate

neighbor 216.224.150.22 soft-reconfiguration inbound

no auto-summary

no synchronization

exit-address-family

!

ip local policy route-map SONICWALL_REACHABILITY

ip forward-protocol nd

ip route 216.224.132.160 255.255.255.224 GigabitEthernet0/1 track 10

ip route 0.0.0.0 0.0.0.0 216.224.150.17

!

no ip http server

no ip http secure-server

!

ip prefix-list ADVERTISE seq 5 permit 216.224.132.160/27

ip prefix-list ADVERTISE seq 10 deny 0.0.0.0/0

ip prefix-list ADVERTISE seq 1000 deny 0.0.0.0/0 le 32

!

ip prefix-list RECEIVE seq 5 permit 0.0.0.0/0

ip prefix-list RECEIVE seq 10 deny 0.0.0.0/0 le 32

logging trap debugging

logging facility local6

logging source-interface GigabitEthernet0/0

logging 108.59.240.45

access-list 101 permit ip 108.59.240.32 0.0.0.31 any

access-list 101 permit ip 10.19.64.0 0.0.0.255 any

access-list 101 permit ip any any

access-list 101 deny ip any any log

access-list 102 permit ip any 216.224.132.160 0.0.0.31

route-map SONICWALL_REACHABILITY permit 10

match ip address 102

set ip next-hop 216.224.132.162

set interface Null0

!

route-map OSPF-REDIST permit 1

match ip address prefix-list OSPF-REDIST

jamiegrive · ‎04-30-2013

Hi,

Can you use the 'show ip bgp' to see if there is any change to the prefixes you have in BGP table when the object goes from Up->Down and visa versa?

Sent from Cisco Technical Support iPhone App

rreimer · ‎04-30-2013

thanks for the input

if I change the firewall from 216.224.132.162 to 216.224.132.163 the track shows down. and when the firewall is at 216.224.132.162 the tracking shows it as UP

I don't exactly know how to configure the BGP so it only announces the subnet only when the tracking is up and not down. I tried using a prefix list advertisement in the BGP (at one time) and it did not matter if the tracking was up or down the 3825 still advertised the subnet to the upstream BGP neighbors.

(see below snip from what I had configured)

neighbor 216.224.150.21 prefix-list ADVERTISE out

neighbor 216.224.150.22 prefix-list ADVERTISE out

ip prefix-list ADVERTISE seq 5 permit 216.224.132.160/27

ip prefix-list ADVERTISE seq 10 deny 0.0.0.0/0

ip prefix-list ADVERTISE seq 1000 deny 0.0.0.0/0 le 32

I basically only want that subnet advertised when the tracking is UP as I can not rely on the interface status do to the fact there is a switch in between.

jamiegrive · ‎04-30-2013

Hi,

Ok - no problem. Please add 'network 216.224.132.160 mask 255.255.255.224' under BGP config. It will only advertise it when the static route is in the routing table which is when the SLA is up.

Sent from Cisco Technical Support iPhone App

Harold Ritter · ‎04-30-2013

The static route will never be installed in the RIB as there is already a connected route in the RIB for that same prefix (connected to Gig0/1).

If the goal is to conditionally advertise this prefix, you could just use a different prefix between the FW and the router. The FW could then use 216.224.132.160/27 for NAT and you could use the static route with IP SLA on the router as you do in the current configuration.

Regards

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

rreimer · ‎04-30-2013

Ok so because it is a connected interface the BGP advertisement is always present.

How do I limit the BGP advertisement of that connected interface/subnet 216.224.132.160/27 to only when the

216.224.132.162 ip is reachable?

Harold Ritter · ‎04-30-2013

Hi Richard,

Well, the connected prefix is owned by the ospf process and you do redistribute ospf in bgp.

If the goal is to conditionally advertise this prefix, you could just use a different prefix between the FW and the router. The FW could then use 216.224.132.160/27 for NAT and you could use the static route with IP SLA on the router as you do in the current configuration.

Regards

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Jose Jara · ‎05-14-2013

Richard,

you may use BGP conditional advertisement:

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094309.shtml

You could create a static dummy route tracking the 216.224.132.162.

Then, you would use BGP conditional advertisement, which advertise (route-map ADVERTISE) the connected network if the 216.224.132.162 is reachable (route-map EXIST matching the dummy route)

Finally you would apply the config to the neighbor:

neighbor x.x.x.x advertise-map ADVERTISE exist-map EXIST

Hope this helps,

Jose.

kecorder · ‎04-30-2013

Since the route shows as connected it will always be advertised unless the interface goes down, there is no way to link a track to a bgp advertisent, as The other guys said The only way is to configure a static route and use The track there but you wont be able to use that subnet between The router and The firewall

Sent from Cisco Technical Support iPhone App