08-24-2023 10:37 AM
Hello,
In a production environment, what I want is to set up 2 BGP instances on 2 different VRFs to 2 different eBGP providers. This is not possible because one router bgp configuration is already enabled. The topology is a redundant NxK with 1 N7k and 2 n9k with L2 connectivity and routing enabled.
in VRF-01 I have 1 n7k with IP 10.7.1.50
and 2 n9k, A: 10.7.1.51 and B:10.7.1.52
they are already configured with:
- 1 eBGP peer to AS YYYYY for the n7k via vlan 263
- 1 eBGP peer to AS YYYYY for the couple of n9k (vpc to provider) via vlan 263
Here is the n7k config for the existing iBGP and eBGP config; iBGP is on the XXXXX instance:
router bgp XXXXX
  vrf VRF-01
    router-id 10.7.1.50
    address-family ipv4 unicast
    neighbor 10.7.1.51 remote-as 64780
      description to N9K-A
      update-source Vlan9
      address-family ipv4 unicast
        next-hop-self
        soft-reconfiguration inbound always
    neighbor 10.7.1.52 remote-as 64780
      description to N9K-B
      update-source Vlan9
      address-family ipv4 unicast
        next-hop-self
        soft-reconfiguration inbound always
    neighbor ZZZ.ZZZ.ZZZ.ZZ1
      remote-as YYYYY
      description to ISP
      update-source Vlan263
      ebgp-multihop 3
      timers 30 90
      address-family ipv4 unicast
        route-map net_from_ISP_to_ours in
        route-map discard out
        default-originate route-map default_to_ISP
        soft-reconfiguration inbound always
    neighbor ZZZ.ZZZ.ZZZ.ZZ2
      remote-as YYYYY
      description to ISP
      update-source Vlan263
      ebgp-multihop 3
      timers 30 90
      address-family ipv4 unicast
        route-map net_from_ISP_to_ours in
        route-map discard out
        default-originate route-map default_to_ISP
        soft-reconfiguration inbound always
The config of the 2 n9k is the same, with the IPs inverted for iBGP and the same 2 eBGP neighbors.
Vlan 263 is for the ISP and vlan 56 is for iBGP and HSRP connectivity for a PtP firewall.
Adding a new router bgp KKKKK is not possible because of the error:
NEXUS#"bgp is already running; tag is XXXXX"
Now, I need to add a new VRF-B and configure another new internal (iBGP) VLAN57 for a new firewall PtP and HSRP (same config as above but with a separate routing instance and routing domain), and I would very much like to use another AS number. If I configure it in the existing router bgp XXXXX as:
router bgp XXXXX
  vrf VRF-02
    router-id 10.8.1.21
    address-family ipv4 unicast
    neighbor 10.8.1.19 remote-as KKKKK
      description to N9K-B VRF-02
      update-source Vlan57
      address-family ipv4 unicast
        next-hop-self
        soft-reconfiguration inbound always
    neighbor 10.8.1.20 remote-as KKKKK
      description to N9K-A VRF-02
      update-source Vlan57
      address-family ipv4 unicast
        next-hop-self
        soft-reconfiguration inbound always
the LOG message is:
N7K %BGP-3-BADPEERAS: bgp-XXXXX [5118] VRF VRF-02, Peer 10.8.1.20 - bad remote-as, expecting KKKKK received XXXXX.
The config is correct on all NxK and for VRF-02 I have always used KKKKK. In this scenario, the router remains in IDLE and uses eBGP for communication. If I change the AS KKKKK to XXXXX on all Nexus to:
router bgp XXXXX
  vrf VRF-02
    router-id 10.8.1.21
    address-family ipv4 unicast
    neighbor 10.8.1.19 remote-as XXXXX
      description to N9K-B VRF-02
      update-source Vlan57
      address-family ipv4 unicast
        next-hop-self
        soft-reconfiguration inbound always
    neighbor 10.8.1.20 remote-as XXXXX
      description to N9K-A VRF-02
      update-source Vlan57
      address-family ipv4 unicast
        next-hop-self
        soft-reconfiguration inbound always
iBGP starts normally and the routers communicate correctly. SVI Vlan57 is in VRF-02 and in HSRP for the new firewall. For now, I can't configure vlan 264 because ISP-02 is not connected (but I can simulate it with a new router if I want).
How would I use another AS number for the new VRF-02? Is it possible to have 2 AS numbers on the same n7k and n9k or do I need a special command to rewrite the internal
Can someone provide me some config or some guidance, or explain if I can use a special config?
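Added example, not part of the original post: a small pre-change check that predicts the BADPEERAS condition described above by comparing each neighbor's configured remote-as with the AS the other device will present. It assumes each Nexus runs one BGP process and presents that process AS, with no local-as in effect; 65001 stands in for XXXXX, 65002 for KKKKK, and the device names and address map are constructed.

```python
# Constructed sample configs: 65001 = XXXXX (process AS), 65002 = KKKKK.
CONFIGS = {
    "N7K": """router bgp 65001
  vrf VRF-02
    router-id 10.8.1.21
    neighbor 10.8.1.19 remote-as 65002
    neighbor 10.8.1.20 remote-as 65002""",
    "N9K-A": """router bgp 65001
  vrf VRF-02
    router-id 10.8.1.20
    neighbor 10.8.1.21 remote-as 65002""",
}
# Constructed map: peering address -> device that owns it.
OWNER = {"10.8.1.21": "N7K", "10.8.1.20": "N9K-A"}


def parse(config):
    """Return (process_as, peers) for one device's BGP configuration."""
    process_as, vrf, peers = None, "default", []
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["router", "bgp"]:
            process_as = int(w[2])
        elif w[:1] == ["vrf"]:
            vrf = w[1]
        elif w[:1] == ["neighbor"]:
            peers.append({"vrf": vrf, "ip": w[1], "remote_as": None})
            w = w[2:]  # inline form: neighbor A.B.C.D remote-as N
        if w[:1] == ["remote-as"] and peers:
            peers[-1]["remote_as"] = int(w[1])  # also covers remote-as on its own line
    return process_as, peers


def predict_bad_peer_as(configs, owner):
    """List (device, vrf, peer, expected_as, received_as) for sessions that would stay down."""
    parsed = {name: parse(cfg) for name, cfg in configs.items()}
    findings = []
    for name, (_, peers) in parsed.items():
        for p in peers:
            remote = owner.get(p["ip"])
            if remote is None:  # peer not in the sample set (e.g. N9K-B, the ISP)
                continue
            received = parsed[remote][0]  # assumption: the peer presents its process AS
            if p["remote_as"] != received:
                findings.append((name, p["vrf"], p["ip"], p["remote_as"], received))
    return findings


if __name__ == "__main__":
    for f in predict_bad_peer_as(CONFIGS, OWNER):
        print("%s VRF %s peer %s: expecting %d, would receive %d" % f)
```
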
08-24-2023 11:45 AM - edited 08-24-2023 11:46 AM
Hello @nocceesia,
How would I use another AS number for the new VRF-02?
On your bgp instance XXXX do:
neighbor a.b.c.d local-as YYYY
With this neighbor that peering should be presented with ASN YYYY and not XXXX.
08-24-2023 11:04 PM - edited 08-24-2023 11:55 PM
THIS IS THE PROBLEM, this command is for eBGP not for ibgp.
And on Nexus OS the command "neighbor a.b.c.d local-as YYYY" doesn't exist...
N7K (config-router-vrf-neighbor)# neighbor a.b.c.d ?
*** No matching command found in current mode, matching in (config-router-vrf) mode ***
<CR>
remote-as Specify Autonomous System Number of the neighbor
Only the "remote-as" command is permitted, but it is possible to add a single command:
N7K(config-router-vrf-neighbor)# local-as YYYYY
under the neighbor configuration; but if I set the command local-as YYYYY, the BGP status doesn't change and the 3 VRFs on the routers communicate over XXXXX. If I set the command, this message appears:
warning: local-as allowed only fot EBGP peers. disabling local-as for a.b.c.d
This is because vlan57 is for the iBGP peer.
Vlan 264 is for eBGP but the remote AS will be an ISP number (ZZZZZ), and I don't want to use local AS here.
08-25-2023 01:02 AM
Hello @nocceesia,
Thanks for clarification.
Have you got a drawing of your topology?
08-25-2023 03:07 AM - edited 08-25-2023 03:20 AM
As I mentioned, bgp XXXXX already exists for VRF-01 (not in the diagram). iBGP works fine if I use AS XXXXX for VRF-02 also in the router XXXXX BGP definition.