Protecting management / routing protocols on a router

paul-d
Level 1

Hi, does anyone know of a mechanism that allows for the protection of the management plane on a C1900 router? I seem to have an issue where, when a link is overly utilised, BGP drops out.

 

Jul 6 10:59:18 BST: %BGP-5-NBR_RESET: Neighbor 10.12.4.93 reset (BGP Notification sent)
Jul 6 10:59:18 BST: %BGP-5-ADJCHANGE: neighbor 10.12.4.93 vpn vrf FM Down BGP Notification sent
Jul 6 10:59:18 BST: %BGP_SESSION-5-ADJCHANGE: neighbor 10.12.4.93 IPv4 Unicast vpn vrf FM topology base removed from session BGP Notification sent
Jul 6 10:59:47 BST: %BGP-5-ADJCHANGE: neighbor 10.12.1.93 Up
Jul 6 10:59:47 BST: %BGP-5-ADJCHANGE: neighbor 10.12.2.93 vpn vrf WIFI Up
Jul 6 10:59:47 BST: %BGP-5-ADJCHANGE: neighbor 10.12.4.93 vpn vrf FM Up
Jul 6 11:29:30 BST: %BGP-3-NOTIFICATION: sent to neighbor 10.12.2.93 4/0 (hold time expired) 0 bytes
Jul 6 11:29:30 BST: %BGP-5-NBR_RESET: Neighbor 10.12.2.93 reset (BGP Notification sent)
Jul 6 11:29:30 BST: %BGP-5-ADJCHANGE: neighbor 10.12.2.93 vpn vrf WIFI Down BGP Notification sent
Jul 6 11:29:30 BST: %BGP_SESSION-5-ADJCHANGE: neighbor 10.12.2.93 IPv4 Unicast vpn vrf WIFI topology base removed from session BGP Notification sent
Jul 6 11:29:35 BST: %BGP-3-NOTIFICATION: sent to neighbor 10.12.1.93 4/0 (hold time expired) 0 bytes
Jul 6 11:29:35 BST: %BGP-5-NBR_RESET: Neighbor 10.12.1.93 reset (BGP Notification sent)
Jul 6 11:29:35 BST: %BGP-5-ADJCHANGE: neighbor 10.12.1.93 Down BGP Notification sent
Jul 6 11:29:35 BST: %BGP_SESSION-5-ADJCHANGE: neighbor 10.12.1.93 IPv4 Unicast topology base removed from session BGP Notification sent
Jul 6 11:29:36 BST: %BGP-3-NOTIFICATION: sent to neighbor 10.12.4.93 4/0 (hold time expired) 0 bytes
Jul 6 11:29:36 BST: %BGP-5-NBR_RESET: Neighbor 10.12.4.93 reset (BGP Notification sent)
Jul 6 11:29:36 BST: %BGP-5-ADJCHANGE: neighbor 10.12.4.93 vpn vrf FM Down BGP Notification sent
Jul 6 11:29:36 BST: %BGP_SESSION-5-ADJCHANGE: neighbor 10.12.4.93 IPv4 Unicast vpn vrf FM topology base removed from session BGP Notification sent
Jul 6 11:29:37 BST: %BGP-5-ADJCHANGE: neighbor 10.12.2.93 vpn vrf WIFI Up
Jul 6 11:29:41 BST: %BGP-5-ADJCHANGE: neighbor 10.12.1.93 Up
Jul 6 11:29:41 BST: %BGP-5-ADJCHANGE: neighbor 10.12.4.93 vpn vrf FM Up
Jul 6 11:49:02 BST: %BGP-3-NOTIFICATION: sent to neighbor 10.12.1.93 4/0 (hold time expired) 0 bytes
Jul 6 11:49:02 BST: %BGP-5-NBR_RESET: Neighbor 10.12.1.93 reset (BGP Notification sent)
Jul 6 11:49:02 BST: %BGP-5-ADJCHANGE: neighbor 10.12.1.93 Down BGP Notification sent
Jul 6 11:49:02 BST: %BGP_SESSION-5-ADJCHANGE: neighbor 10.12.1.93 IPv4 Unicast topology base removed from session BGP Notification sent
Jul 6 11:49:04 BST: %BGP-5-NBR_RESET: Neighbor 10.12.2.93 reset (Peer closed the session)
Jul 6 11:49:04 BST: %BGP-5-ADJCHANGE: neighbor 10.12.2.93 vpn vrf WIFI Down Peer closed the session
Jul 6 11:49:04 BST: %BGP_SESSION-5-ADJCHANGE: neighbor 10.12.2.93 IPv4 Unicast vpn vrf WIFI topology base removed from session Peer closed the session
Jul 6 11:49:04 BST: %BGP-5-NBR_RESET: Neighbor 10.12.4.93 reset (Peer closed the session)
Jul 6 11:49:04 BST: %BGP-5-ADJCHANGE: neighbor 10.12.4.93 vpn vrf FM Down Peer closed the session
Jul 6 11:49:04 BST: %BGP_SESSION-5-ADJCHANGE: neighbor 10.12.4.93 IPv4 Unicast vpn vrf FM topology base removed from session Peer closed the session
Jul 6 11:49:06 BST: %BGP-5-ADJCHANGE: neighbor 10.12.2.93 vpn vrf WIFI Up
Jul 6 11:49:09 BST: %BGP-5-ADJCHANGE: neighbor 10.12.1.93 Up
Jul 6 11:49:12 BST: %BGP-5-ADJCHANGE: neighbor 10.12.4.93 vpn vrf FM Up
Jul 6 11:52:44 BST: %BGP-3-NOTIFICATION: sent to neighbor 10.12.4.93 4/0 (hold time expired) 0 bytes
Jul 6 11:52:44 BST: %BGP-5-NBR_RESET: Neighbor 10.12.4.93 reset (BGP Notification sent)
Jul 6 11:52:44 BST: %BGP-5-ADJCHANGE: neighbor 10.12.4.93 vpn vrf FM Down BGP Notification sent
Jul 6 11:52:44 BST: %BGP_SESSION-5-ADJCHANGE: neighbor 10.12.4.93 IPv4 Unicast vpn vrf FM topology base removed from session BGP Notification sent
Jul 6 11:52:46 BST: %BGP-3-NOTIFICATION: sent to neighbor 10.12.2.93 4/0 (hold time expired) 0 bytes
Jul 6 11:52:46 BST: %BGP-5-NBR_RESET: Neighbor 10.12.2.93 reset (BGP Notification sent)
Jul 6 11:52:46 BST: %BGP-5-ADJCHANGE: neighbor 10.12.2.93 vpn vrf WIFI Down BGP Notification sent
Jul 6 11:52:46 BST: %BGP_SESSION-5-ADJCHANGE: neighbor 10.12.2.93 IPv4 Unicast vpn vrf WIFI topology base removed from session BGP Notification sent
Jul 6 11:52:47 BST: %BGP-3-NOTIFICATION: sent to neighbor 10.12.1.93 4/0 (hold time expired) 0 bytes
Jul 6 11:52:47 BST: %BGP-5-NBR_RESET: Neighbor 10.12.1.93 reset (BGP Notification sent)
Jul 6 11:52:47 BST: %BGP-5-ADJCHANGE: neighbor 10.12.1.93 Down BGP Notification sent
Jul 6 11:52:47 BST: %BGP_SESSION-5-ADJCHANGE: neighbor 10.12.1.93 IPv4 Unicast topology base removed from session BGP Notification sent
Jul 6 11:53:02 BST: %BGP-5-ADJCHANGE: neighbor 10.12.1.93 Up
Jul 6 11:53:02 BST: %BGP-5-ADJCHANGE: neighbor 10.12.4.93 vpn vrf FM Up
Jul 6 11:53:02 BST: %BGP-5-ADJCHANGE: neighbor 10.12.2.93 vpn vrf WIFI Up
Jul 6 11:55:31 BST: %CLEAR-5-COUNTERS: Clear counter on all interfaces by  on vty0 
Jul 6 12:05:03 BST: %BGP-3-NOTIFICATION: sent to neighbor 10.12.1.93 4/0 (hold time expired) 0 bytes
Jul 6 12:05:03 BST: %BGP-5-NBR_RESET: Neighbor 10.12.1.93 reset (BGP Notification sent)
Jul 6 12:05:03 BST: %BGP-5-ADJCHANGE: neighbor 10.12.1.93 Down BGP Notification sent
Jul 6 12:05:03 BST: %BGP_SESSION-5-ADJCHANGE: neighbor 10.12.1.93 IPv4 Unicast topology base removed from session BGP Notification sent
Jul 6 12:05:12 BST: %BGP-5-ADJCHANGE: neighbor 10.12.1.93 Up
 
 

site1#sh int gi0/0
GigabitEthernet0/0 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is 0027.e3f4.a300 (bia 0027.e3f4.a300)
Description: ** IP Connect EFM ETHA12970263 EFMC401093 ICUK516721 VPNN901058 **
Internet address is 10.12.1.94/30
MTU 1500 bytes, BW 2000 Kbit/sec, DLY 1000 usec,
reliability 255/255, txload 228/255, rxload 13/255 ------------------------------------------------------- High TC load
Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
Keepalive set (10 sec)
Full Duplex, 10Mbps, media type is RJ45
output flow-control is unsupported, input flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:19:19
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 9385 -------------------------------------- High output drops
Queueing strategy: Class-based queueing
Output queue: 10/1000/9367 (size/max total/drops)
30 second input rate 109000 bits/sec, 206 packets/sec ------------------------------------------------------------ 109 Kbps
30 second output rate 1795000 bits/sec, 161 packets/sec ---------------------------------------------------------- 1.7 Mbps
214743 packets input, 15108620 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
172380 packets output, 232920093 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out

- Policy map on WAN interface:


site1#sh policy-map int gi0/0 out
GigabitEthernet0/0

Service-policy output: Parent-Shaper

Class-map: class-default (match-any)
198409 packets, 268938975 bytes
30 second offered rate 652000 bps, drop rate 28000 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 2/10115/0
(pkts output/bytes output) 188294/254970198
shape (average) cir 1799096, bc 25188, be 0
target shape rate 1799096

Service-policy : Outbound-to-MPLS

queue stats for all priority classes:
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0

Class-map: ce_mgmt_bundled_output (match-any)
272 packets, 58951 bytes
30 second offered rate 1000 bps, drop rate 0000 bps
Match: access-group 199
272 packets, 58951 bytes
30 second rate 1000 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 272/58951
police:
cir 8000 bps, bc 8000 bytes, be 16000 bytes
conformed 257 packets, 50225 bytes; actions:
set-dscp-transmit 63
exceeded 15 packets, 8726 bytes; actions:
set-dscp-transmit 63
violated 0 packets, 0 bytes; actions:
set-dscp-transmit 63
conformed 1000 bps, exceeded 0000 bps, violated 0000 bps
bandwidth 20 kbps
Exp-weight-constant: 3 (1/8)
Mean queue depth: 0 packets
dscp Transmitted Random drop Tail drop Minimum Maximum Mark
pkts/bytes pkts/bytes pkts/bytes thresh thresh prob

63 272/58951 0/0 0/0 20 32 1/10

Class-map: ce_ef_output (match-any)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: dscp cs5 (40) ef (46)
0 packets, 0 bytes
30 second rate 0 bps
police:
cir 392000 bps, bc 2000 bytes, be 2000 bytes
conformed 0 packets, 0 bytes; actions:
set-dscp-transmit ef
exceeded 0 packets, 0 bytes; actions:
set-dscp-transmit ef
violated 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
Priority: 392 kbps, burst bytes 9800, b/w exceed drops: 0


Class-map: class-default (match-any)
198137 packets, 268880024 bytes
30 second offered rate 652000 bps, drop rate 18000 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 1/10115/0 ---------------------------------------------------- 10115 drops
(pkts output/bytes output) 188022/254911247
bandwidth 1369 kbps
Exp-weight-constant: 6 (1/64)
Mean queue depth: 0 packets
class Transmitted Random drop Tail drop Minimum Maximum Mark
pkts/bytes pkts/bytes pkts/bytes thresh thresh prob

0 183723/254142045 9950/13745670 165/223107 22 59 1/5
1 0/0 0/0 0/0 22 59 1/5
2 0/0 0/0 0/0 22 59 1/5
3 0/0 0/0 0/0 22 59 1/5
4 0/0 0/0 0/0 22 59 1/5
5 0/0 0/0 0/0 22 59 1/5
6 4301/769529 0/0 0/0 74 118 1/10
7 0/0 0/0 0/0 22 59 1/5
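
Added example, not part of the original post: a small parser for the `%BGP-` syslog lines above that pairs each Down with the following Up per neighbor and records the cause, separating local hold-time expiry (NOTIFICATION 4/0, sent when the peer's keepalives stopped arriving) from sessions the peer closed. The function name `summarize` and the filler year are assumptions; the sample lines are a subset copied from the log in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Subset of the syslog lines posted above, embedded so the example runs offline.
SAMPLE = """\
Jul 6 11:29:30 BST: %BGP-3-NOTIFICATION: sent to neighbor 10.12.2.93 4/0 (hold time expired) 0 bytes
Jul 6 11:29:30 BST: %BGP-5-ADJCHANGE: neighbor 10.12.2.93 vpn vrf WIFI Down BGP Notification sent
Jul 6 11:29:35 BST: %BGP-3-NOTIFICATION: sent to neighbor 10.12.1.93 4/0 (hold time expired) 0 bytes
Jul 6 11:29:35 BST: %BGP-5-ADJCHANGE: neighbor 10.12.1.93 Down BGP Notification sent
Jul 6 11:29:37 BST: %BGP-5-ADJCHANGE: neighbor 10.12.2.93 vpn vrf WIFI Up
Jul 6 11:29:41 BST: %BGP-5-ADJCHANGE: neighbor 10.12.1.93 Up
Jul 6 11:49:04 BST: %BGP-5-ADJCHANGE: neighbor 10.12.2.93 vpn vrf WIFI Down Peer closed the session
Jul 6 11:49:06 BST: %BGP-5-ADJCHANGE: neighbor 10.12.2.93 vpn vrf WIFI Up
"""

# %BGP_SESSION-... lines duplicate the ADJCHANGE event, so only %BGP-<sev>-<tag> is matched.
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \w+: %(BGP-\d-\w+): (.*)$")
ADJ = re.compile(r"neighbor (\S+)(?: vpn vrf (\S+))? (Up|Down)\s*(.*)")
NOTIF = re.compile(r"sent to neighbor (\S+) (\d+)/(\d+) \(([^)]*)\)")

def summarize(text):
    """Return {peer: {"vrf": ..., "outages": [(seconds_down, cause), ...]}}."""
    down_at, last_notif = {}, {}
    report = defaultdict(lambda: {"vrf": None, "outages": []})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # The log carries no year; 2000 is an assumed filler so timestamps can be subtracted.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        tag, body = m.group(2), m.group(3)
        if tag == "BGP-3-NOTIFICATION" and (n := NOTIF.match(body)):
            last_notif[n.group(1)] = n.group(4)          # e.g. "hold time expired"
        elif tag == "BGP-5-ADJCHANGE" and (a := ADJ.match(body)):
            peer, vrf, state, why = a.groups()
            report[peer]["vrf"] = vrf or "global"
            if state == "Down":
                # Prefer the reason from the preceding NOTIFICATION, else the text after "Down".
                down_at[peer] = (ts, last_notif.pop(peer, None) or why)
            elif peer in down_at:
                t0, cause = down_at.pop(peer)
                report[peer]["outages"].append((int((ts - t0).total_seconds()), cause))
    return dict(report)

if __name__ == "__main__":
    for peer, info in summarize(SAMPLE).items():
        print(peer, info["vrf"], info["outages"])
```

Feeding it the full log from the post gives the per-neighbor flap count and downtime to compare against the output drops on the shaped interface.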


Giuseppe Larosa
Hall of Fame

Hello @paul-d ,

You can extend your ACL 199 to include BGP using:

 

access-list 199 permit tcp any any eq bgp

access-list 199 permit tcp any eq bgp any

 

As you don't know which side will be using the well-known TCP port 179.

 

However, to be effective this kind of change has to be performed on both sides of the link.

 

Hope to help

Giuseppe

 

Thank you very much