I have created a "parent" service that fires up multiple "child" services to various devices: 4x the VLAN service towards switch1/2/3/4, setup of interfaces on router 1/2/3/4/5/6/7, VRFs, BGP, etc. It also configures an IPsec service on two IOS routers that are configured with HSRP; they are in HA mode. Meaning: when HSRP is configured and the link between the two is up, the master and slave see each other and everything is good. But when you deactivate the L2 link between the two, HSRP will be in an active state on both sides, because the slave thinks "the HSRP master is down, I need to be active". Next, when you enable the L2 link, the slave sees the master and, because of all the IPsec tunnels, it will reboot because of the HA setup.

Now, NSO is also configuring the L2 links between the two IPsec routers in the parent service, but this is a VPLS link, configured on slow devices. What is happening now is that NSO will launch the parent service and all 16+ devices will be configured by NSO. But the IPsec routers are faster and will be converged before the routers responsible for the L2 connectivity. The result is that when the VPLS is formed and the already-configured HSRP neighbors see each other, the standby IPsec router will reboot itself.

I want to fix this issue by tweaking the parent service, but I would prefer to do it inside NSO itself (maybe device config or NED settings). Is there a way to delay configurations/transactions towards certain devices in this use case?

Rob
Your question is not a problem at all :)
Under Fabric Policies > Pod policies > Policies, there is a BGP Route Reflector default policy, with AS number 1 and the two spine switches of the ACI fabric configured.
Under the L3Out I specified AS 645xx under local-as.
On the ASR I configured this:
router bgp 64xxx
 neighbor-group ACI
  remote-as 645xx
  ebgp-multihop 3
  update-source Loopback0
  address-family ipv4 unicast
 neighbor 10.4.17.1
  use neighbor-group ACI
How do you start troubleshooting on ACI in this case? Or do you have more things to look out for?
Hi, I'm busy in my lab creating a BGP connection to the outside world (inside my DC).
Right now I'm stuck: the BGP connection stays in Idle. Hopefully someone can help me, because I can't find anything on the web about this.
My goal is to create an eBGP connection between the ACI fabric and an ASR router. The ASR router has a subinterface facing a switch environment, and I've connected an ACI leaf switch with another fabric leaf switch (FabricPath). And I've added the VLAN that corresponds with the subinterface on the ASR router.
Under Fabric tab:
First I created a static VLAN pool with only one VLAN.
Then I created a physical domain and linked the VLAN pool.
Then I created a new policy group, set the speed, CDP and LLDP, and selected the port on the ACI leaf switch that's connected to the FabricPath switch.
Then I created an Attachable Access policy and there I linked the physical domain.
Under switch profiles > profiles the port which is connected to the Fabricpath domain is added to the switch profile.
ATM, the ACI fabric uses BGP AS 1 for testing; we'll change this in the future.
Then I created a new Tenant.
Inside this Tenant I created a new private network / VRF.
Also I created a new bridge domain and linked them together.
Then I created a new Routed Outside under External Routed networks: L3Out.
I specified the private domain, and selected BGP.
I created a new node profile; under nodes I gave it router id 188.8.131.52
And I’ve added a loopback 10.4.17.1 which will be used by BGP.
Also I created a static for the ASR loopback address with next hop 10.4.10.2/24.
Under the External Routed networks> Logical node profiles > logical interface profiles, I created an SVI, corresponding with the subinterface on the ASR router.
ACI = 10.4.10.4/24 , ASR=10.4.10.2/24
Also I specified the path (which is the ACI switchport).
Then I created under the Logical interface profile the BGP peer connectivity profile.
I specified the loopback of the ASR router ( which ACI has a static route towards).
Under BGP controls, I selected BGP comm and BGP ex comm, TTL 3, Remote AS of the ASR. I used no Local-AS config, and under local-AS number I specified a 64xxx AS number.
Then I created under External Routed Networks > L3Out a new External network.
I linked the correct private network; I’ve added 0.0.0.0/0 with scope:
External Subnets for External EPG
Shared Security Import Subnet
And under contracts I added default on the provided as well as the consumed contract.
Ok so what is working?
I can ping from the ASR router 10.4.10.2 towards the peer IP 10.4.10.4. This means the encap settings etc. are OK.
I can also ping from the ASR router loopback interface the loopback on ACI. So the statics are also ok.
If I do a show bgp summ on the ASR I see:
Neighbor Spk AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down St/PfxRcd
10.4.17.1 0 64557 0 2576 0 0 0 00:00:00 Idle!
It doesn’t receive BGP messages.
Can somebody help me?
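Added here as an example (not code from Rob's post or from Cisco): a small Python parser for the neighbor rows of `show bgp summary`. It uses the convention the output above relies on, that a number in the St/PfxRcd column means Established (with that many prefixes received) while a word is the FSM state, and it turns the counters of each non-Established neighbor into a short hint. The second sample row is constructed for contrast.

```python
"""Parse IOS XR 'show bgp summary' neighbor rows and flag sessions not up.
Added example; the second data row below is constructed, the first is the
Idle row quoted in the thread (trailing '!' and all)."""
import re
from typing import Dict, List

SAMPLE = """\
Neighbor        Spk    AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down  St/PfxRcd
10.4.17.1 0 64557 0 2576 0 0 0 00:00:00 Idle!
10.4.10.9 0 64557 1200 1198 12 0 0 01:02:03 5
"""

# One neighbor row: IPv4 address followed by the nine summary columns.
ROW_RE = re.compile(
    r"^(?P<neighbor>\d+\.\d+\.\d+\.\d+)\s+(?P<spk>\d+)\s+(?P<asn>\d+)\s+"
    r"(?P<rcvd>\d+)\s+(?P<sent>\d+)\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+"
    r"(?P<outq>\d+)\s+(?P<updown>\S+)\s+(?P<st_pfx>\S+)\s*$"
)


def parse_bgp_summary(text: str) -> List[Dict]:
    """Return one dict per neighbor row; header and stray lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        st = m.group("st_pfx").rstrip("!")  # tolerate pasted punctuation
        established = st.isdigit()          # digits => Established + PfxRcd
        rows.append({
            "neighbor": m.group("neighbor"),
            "asn": int(m.group("asn")),
            "msg_rcvd": int(m.group("rcvd")),
            "msg_sent": int(m.group("sent")),
            "state": "Established" if established else st,
            "pfx_rcvd": int(st) if established else 0,
        })
    return rows


def diagnose(rows: List[Dict]) -> Dict[str, str]:
    """Map each neighbor that is not Established to a hint from its counters."""
    hints = {}
    for r in rows:
        if r["state"] == "Established":
            continue
        if r["msg_rcvd"] == 0:
            why = "no messages received from peer"   # peer side never answers
        elif r["msg_sent"] == 0:
            why = "nothing sent to peer"             # local side not trying
        else:
            why = "messages exchanged but session not up"
        hints[r["neighbor"]] = f"{r['state']}: {why}"
    return hints
```

A MsgRcvd of 0 with a non-zero MsgSent, as in the thread's row, points at the peer side (its neighbor statement, its update-source and the reachability of that address) rather than at the local configuration.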