CCNP ROUTE Chapter 7 Lab 7-4, IBGP, Next Hop and Synchronization (Version 7)

Topology


Objectives

  • Configure EBGP and IBGP.
  • Configure EIGRP in the ITA domain.
  • Troubleshoot and resolve next hop issues in IBGP.
  • Configure full-mesh IBGP to resolve the routing issue within the ITA domain.
  • Configure ITA so it is not a transit AS.
  • Verify connectivity.

Background

The International Travel Agency (ITA) runs BGP on its SanJose1 and SanJose3 routers in AS 65000. SanJose1 in AS 65000 is running EBGP with the ISP1 router in AS 65100. SanJose3 in AS 65000 is running EBGP with the ISP2 router in AS 65200. ITA routers need to receive IPv4 networks from both ISPs. To ensure AS 65000 is not a transit AS, SanJose1 and SanJose3 will only include ITA networks 172.16.2.0/24 and 172.16.4.0/24 in their BGP updates to the ISP routers. Your job is to configure EIGRP and BGP for this internetwork.

Note: The topology shows SanJose3 in AS 65000 is running EBGP with the ISP2 router in AS 65200. ISP2 (router R5) does not actually exist in the physical lab topology. This is done due to the limitations of four routers in our CCNP NetLab topologies.

Note: This lab uses Cisco 1941 routers with Cisco IOS Release 15.4 with IP Base. The switches are Cisco WS-C2960-24TT-L with Fast Ethernet interfaces, therefore the router will use routing metrics associated with a 100 Mb/s interface. Depending on the router or switch model and Cisco IOS Software version, the commands available and output produced might vary from what is shown in this lab.

Required Resources

  • 4 routers (Cisco IOS Release 15.2 or comparable)
  • 4 switches (LAN interfaces)
  • Serial and Ethernet cables

Step 0: Suggested starting configurations.

a. Apply the following configuration to each router along with the appropriate hostname. The exec-timeout 0 0 command should only be used in a lab environment.

Router(config)# no ip domain-lookup
Router(config)# line con 0
Router(config-line)# logging synchronous
Router(config-line)# exec-timeout 0 0

Step 1: Configure interface addresses on all routers and EBGP on ISP1.

a. Using the addressing scheme in the diagram, create the loopback interfaces and apply IPv4 addresses to these and the serial interfaces on ISP (R1), SanJose1 (R2), and SanJose2 (R3).

Router R1 (hostname ISP1)

ISP(config)# interface Loopback0
ISP(config-if)# ip address 10.0.0.1 255.255.255.0
ISP(config-if)# exit
ISP(config)# interface GigabitEthernet0/0
ISP(config-if)# ip address 10.1.0.1 255.255.0.0
ISP(config-if)# no shutdown
ISP(config-if)# exit
ISP(config)# interface Serial0/0/0
ISP(config-if)# ip address 192.168.1.1 255.255.255.252
ISP(config-if)# clock rate 64000
ISP(config-if)# no shutdown
ISP(config-if)# exit
ISP(config)# router bgp 65100
ISP(config-router)# bgp router-id 1.0.0.1
ISP(config-router)# neighbor 192.168.1.2 remote-as 65000
ISP(config-router)# network 10.1.0.0 mask 255.255.0.0
ISP(config-router)#

ISP1 has an EBGP peering session with SanJose1. ISP1 is advertising the 10.1.0.0/16 network. A similar BGP configuration is assumed on ISP2, which does not physically exist in this lab topology.

Router R2 (hostname SanJose1)

SanJose1(config)# interface Loopback0
SanJose1(config-if)# ip address 172.17.2.1 255.255.255.0
SanJose1(config-if)# exit
SanJose1(config)# interface GigabitEthernet0/0
SanJose1(config-if)# ip address 172.16.2.1 255.255.255.0
SanJose1(config-if)# no shutdown
SanJose1(config-if)# exit
SanJose1(config)# interface Serial0/0/0
SanJose1(config-if)# ip address 192.168.1.2 255.255.255.252
SanJose1(config-if)# no shutdown
SanJose1(config-if)# exit
SanJose1(config)# interface Serial0/0/1
SanJose1(config-if)# ip address 172.16.1.1 255.255.255.252
SanJose1(config-if)# clock rate 64000
SanJose1(config-if)# no shutdown
SanJose1(config-if)#

Router R3 (hostname SanJose2)

SanJose2(config)# interface Loopback0
SanJose2(config-if)# ip address 172.17.3.1 255.255.255.0
SanJose2(config-if)# exit
SanJose2(config)# interface GigabitEthernet0/0
SanJose2(config-if)# ip address 172.16.3.1 255.255.255.0
SanJose2(config-if)# no shutdown
SanJose2(config-if)# exit
SanJose2(config)# interface Serial0/0/1
SanJose2(config-if)# ip address 172.16.1.2 255.255.255.252
SanJose2(config-if)# no shutdown
SanJose2(config-if)# exit
SanJose2(config)# interface Serial0/1/0
SanJose2(config-if)# ip address 172.16.1.5 255.255.255.252
SanJose2(config-if)# clock rate 64000
SanJose2(config-if)# no shutdown
SanJose2(config-if)#

Router R4 (hostname SanJose3)

SanJose3(config)# interface Loopback0
SanJose3(config-if)# ip address 172.17.4.1 255.255.255.0
SanJose3(config-if)# no shutdown
SanJose3(config-if)# exit
SanJose3(config)# interface Serial0/0/0
SanJose3(config-if)# ip address 172.16.1.6 255.255.255.252
SanJose3(config-if)# no shutdown
SanJose3(config-if)# exit
SanJose3(config)# interface GigabitEthernet0/0
SanJose3(config-if)# ip address 172.16.4.1 255.255.255.0
SanJose3(config-if)# no shutdown
SanJose3(config-if)#

b. Use ping to test the connectivity between the directly connected routers.

Step 2: Configure EIGRP on ITA routers.

Configure EIGRP on the SanJose1, SanJose2, and SanJose3 routers. Each router should be able to ping the other routers’ LAN and loopback interfaces. (Note: If using an IOS prior to 15.0, use the no auto-summary router configuration command to disable automatic summarization. This command is the default beginning with IOS 15.)

Configure EIGRP for IPv4 on SanJose1, SanJose2, and SanJose3.

SanJose1(config)# router eigrp 1
SanJose1(config-router)# eigrp router-id 1.1.1.1
SanJose1(config-router)# network 172.16.0.0
SanJose1(config-router)# network 172.17.0.0

SanJose2(config)# router eigrp 1
SanJose2(config-router)# eigrp router-id 2.2.2.2
SanJose2(config-router)# network 172.16.0.0
SanJose2(config-router)# network 172.17.0.0

SanJose3(config)# router eigrp 1
SanJose3(config-router)# eigrp router-id 3.3.3.3
SanJose3(config-router)# network 172.16.0.0
SanJose3(config-router)# network 172.17.0.0

c. Use ping to test the reachability between the ITA routers. For example, SanJose3’s G0/0 interface should be able to ping SanJose1’s G0/0 interface.

SanJose3# ping 172.16.2.0 source gig 0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.0, timeout is 2 seconds:
Packet sent with a source address of 172.16.4.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/55/56 ms
SanJose3#

Step 3: Configure BGP on SanJose1 and SanJose3.

d. On SanJose1, configure EBGP to peer with ISP1. ISP1 has already been configured to peer with SanJose1. Configure SanJose1 to IBGP peer with SanJose3 using its loopback0 address. SanJose1 will be advertising the 172.16.2.0/24 network in BGP.

SanJose1(config)# router bgp 65000
SanJose1(config-router)# bgp router-id 1.1.1.1
SanJose1(config-router)# neighbor 192.168.1.1 remote-as 65100
SanJose1(config-router)# neighbor 172.17.4.1 remote-as 65000
SanJose1(config-router)# neighbor 172.17.4.1 update-source Loopback0
SanJose1(config-router)# network 172.16.2.0 mask 255.255.255.0
SanJose1(config-router)#

e. Configure SanJose3 to IBGP peer with SanJose1 using its loopback0 address. SanJose3 will be advertising the 172.16.4.0/24 network in BGP.

SanJose3(config)# router bgp 65000
SanJose3(config-router)# bgp router-id 3.3.3.3
SanJose3(config-router)# neighbor 172.17.2.1 remote-as 65000
SanJose3(config-router)# neighbor 172.17.2.1 update-source Loopback0
SanJose3(config-router)# network 172.16.4.0 mask 255.255.255.0
SanJose3(config-router)#

Step 4: Verify BGP on SanJose1.

f. Examine SanJose1’s BGP table using the show ip bgp command.

SanJose1# show ip bgp      
BGP table version is 7, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.1.0.0/16      192.168.1.1              0             0 65100 i
 *>  172.16.2.0/24    0.0.0.0                  0         32768 i
 r>i 172.16.4.0/24    172.17.4.1               0    100      0 i
SanJose1#

Notice that there are three entries in SanJose1’s BGP table.

  • 10.1.0.0/16 – The status codes “*>” indicate that this network is reachable using the next hop IP address 192.168.1.1.
  • 172.16.2.0/24 – The status codes “*>” indicate that this network is reachable. The next hop address 0.0.0.0 indicates that this router is originating the network.
  • 172.16.4.0/24 – The status “r>i” indicates that this network is reachable. The “r” indicates a RIB failure and the “i” means this entry was learned via IBGP.

Why is there a RIB failure for the 172.16.4.0/24 network? What command would help you determine the cause?
_____________________________________________________________________

g. Use the show ip bgp rib-failure command to examine the cause of the RIB failure.

SanJose1# show ip bgp rib-failure 
  Network            Next Hop                      RIB-failure   RIB-NH Matches
172.16.4.0/24      172.17.4.1          Higher admin distance              n/a
SanJose1#

As you might have answered in the previous question, the RIB failure is due to SanJose1 having a better routing source to this destination. SanJose routers are using EIGRP to share internal ITA networks. IBGP has a higher administrative distance (200) than EIGRP (90), so the EIGRP route is preferred.

h. Verify SanJose1’s routing table using the show ip route command.

SanJose1# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/16 is subnetted, 1 subnets
B        10.1.0.0 [20/0] via 192.168.1.1, 00:14:14
      172.16.0.0/16 is variably subnetted, 7 subnets, 3 masks
C        172.16.1.0/30 is directly connected, Serial0/0/1
L        172.16.1.1/32 is directly connected, Serial0/0/1
D        172.16.1.4/30 [90/2681856] via 172.16.1.2, 00:30:41, Serial0/0/1
C        172.16.2.0/24 is directly connected, GigabitEthernet0/0
L        172.16.2.1/32 is directly connected, GigabitEthernet0/0
D        172.16.3.0/24 [90/2172416] via 172.16.1.2, 00:30:41, Serial0/0/1
D        172.16.4.0/24 [90/2684416] via 172.16.1.2, 00:29:42, Serial0/0/1
      172.17.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.17.2.0/24 is directly connected, Loopback0
L        172.17.2.1/32 is directly connected, Loopback0
D        172.17.3.0/24 [90/2297856] via 172.16.1.2, 00:30:41, Serial0/0/1
D        172.17.4.0/24 [90/2809856] via 172.16.1.2, 00:29:42, Serial0/0/1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/30 is directly connected, Serial0/0/0
L        192.168.1.2/32 is directly connected, Serial0/0/0
SanJose1#

Notice that SanJose1 has a BGP route to 10.1.0.0/16 on ISP1 and an EIGRP route to the 172.16.4.0/24 network on SanJose3.

i. Verify SanJose1’s reachability to 10.1.0.0/16 on ISP1.

SanJose1# ping 10.1.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/27/28 ms
SanJose1#

Step 5: Examine and troubleshoot IBGP next hop reachability on SanJose3.

a. Examine the routing table on SanJose3 using the show ip route command.

SanJose3# show ip route                 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 7 subnets, 3 masks
D        172.16.1.0/30 [90/2681856] via 172.16.1.5, 01:00:03, Serial0/0/0
C        172.16.1.4/30 is directly connected, Serial0/0/0
L        172.16.1.6/32 is directly connected, Serial0/0/0
D        172.16.2.0/24 [90/2684416] via 172.16.1.5, 01:00:03, Serial0/0/0
D        172.16.3.0/24 [90/2172416] via 172.16.1.5, 01:00:03, Serial0/0/0
C        172.16.4.0/24 is directly connected, GigabitEthernet0/0
L        172.16.4.1/32 is directly connected, GigabitEthernet0/0
      172.17.0.0/16 is variably subnetted, 4 subnets, 2 masks
D        172.17.2.0/24 [90/2809856] via 172.16.1.5, 01:00:03, Serial0/0/0
D        172.17.3.0/24 [90/2297856] via 172.16.1.5, 01:00:03, Serial0/0/0
C        172.17.4.0/24 is directly connected, Loopback0
L        172.17.4.1/32 is directly connected, Loopback0
SanJose3#

Notice that SanJose3 does not include a route to the 10.1.0.0/16 network on ISP1.

b. Examine the BGP table on SanJose3 using the show ip bgp command to try and determine the reason why the 10.1.0.0/16 network is not in its routing table.

SanJose3# show ip bgp
BGP table version is 3, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 * i 10.1.0.0/16      192.168.1.1              0    100      0 65100 i
 r>i 172.16.2.0/24    172.17.2.1               0    100      0 i
 *>  172.16.4.0/24    0.0.0.0                  0         32768 i
SanJose3#

The output shows that the 10.1.0.0/16 network is in the BGP table but is missing the “>” status code, indicating that it is not being offered to the IP routing table. The next hop address used for this route is 192.168.1.1. SanJose3’s routing table in substep a above shows that SanJose3 does not have a route to this next hop address. If the router does not have a route to the next hop address, then the route will not be included in the IP routing table.

In routing, the term “next hop” does not always mean the next hop is a physically adjacent interface. The next hop, as in this case, can be more than one router away.

BGP specifies that routes learned through IBGP are never propagated to other IBGP peers. SanJose1 has learned via EBGP about the 10.1.0.0/16 network from ISP1 with a next hop address of 192.168.1.1, the IP address of ISP1. SanJose1 uses this same next hop address of 192.168.1.1 in its IBGP update to SanJose3.

What are two solutions to this problem?
________________________________________________________________

c. The decision is made to modify the behavior on SanJose1 so that it uses its loopback0 interface as the next hop address in its IBGP updates.

SanJose1(config)# router bgp 65000
SanJose1(config-router)# neighbor 172.17.4.1 next-hop-self
SanJose1(config-router)#

Note: For consistency, a similar configuration for SanJose3 is shown. You do not need to configure this. This would need to be done if the ISP2 router actually existed in our lab topology.

SanJose3(config)# router bgp 65000
SanJose3(config-router)# neighbor 172.17.2.1 next-hop-self
SanJose3(config-router)#

d. Re-examine the BGP table on SanJose3 using the show ip bgp command to see if SanJose3 now has a valid next hop to the 10.1.0.0/16 network.

SanJose3# show ip bgp  
BGP table version is 5, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 10.1.0.0/16      172.17.2.1               0    100      0 65100 i
 r>i 172.16.2.0/24    172.17.2.1               0    100      0 i
 *>  172.16.4.0/24    0.0.0.0                  0         32768 i
SanJose3#

Notice that the next hop address has been changed to SanJose1’s loopback0 address 172.17.2.1, which is reachable because it is being advertised in EIGRP updates from SanJose1.

e. Re-examine the routing table on SanJose3 using the show ip route command to see if SanJose3 now has a route to the 10.1.0.0/16 network.

SanJose3# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/16 is subnetted, 1 subnets
B        10.1.0.0 [200/0] via 172.17.2.1, 00:03:17
      172.16.0.0/16 is variably subnetted, 7 subnets, 3 masks
D        172.16.1.0/30 [90/2681856] via 172.16.1.5, 01:26:06, Serial0/0/0
C        172.16.1.4/30 is directly connected, Serial0/0/0
L        172.16.1.6/32 is directly connected, Serial0/0/0
D        172.16.2.0/24 [90/2684416] via 172.16.1.5, 01:26:06, Serial0/0/0
D        172.16.3.0/24 [90/2172416] via 172.16.1.5, 01:26:06, Serial0/0/0
C        172.16.4.0/24 is directly connected, GigabitEthernet0/0
L        172.16.4.1/32 is directly connected, GigabitEthernet0/0
      172.17.0.0/16 is variably subnetted, 4 subnets, 2 masks
D        172.17.2.0/24 [90/2809856] via 172.16.1.5, 01:26:06, Serial0/0/0
D        172.17.3.0/24 [90/2297856] via 172.16.1.5, 01:26:06, Serial0/0/0
C        172.17.4.0/24 is directly connected, Loopback0
L        172.17.4.1/32 is directly connected, Loopback0
SanJose3#

f. In the previous output, SanJose3 shows a route to the 10.1.0.0/16 network. Verify reachability to this network by pinging ISP1’s G0/0 interface.

SanJose3# ping 10.1.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
SanJose3#

Notice that the ping was not successful. One reason is that SanJose3 is not advertising the network used as the source IP address in the ping, the 172.16.1.4/30 network.

SanJose3 is advertising its 172.16.4.0/24 network in its BGP updates using the network command in its initial BGP configuration. Use the ping command changing the source IP address for the ping to use SanJose3’s G0/0 IP address 172.16.4.1.

SanJose3# ping 10.1.0.1 source gig 0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.4.1 
U.U.U
Success rate is 0 percent (0/5)
SanJose3#

Even with the correct source IP address the ping does not succeed.

Even though SanJose3 has a route to ISP1’s 10.1.0.0/16 network, why do the pings from SanJose3 fail to 10.1.0.1?
_________________________________________________________________

Step 6: Examine the behavior of BGP synchronization being disabled.

a. The output below reminds us that SanJose3 has an entry in its BGP table and a route in its IP routing table for 10.1.0.0/16.

SanJose3# show ip bgp  
BGP table version is 5, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 10.1.0.0/16      172.17.2.1               0    100      0 65100 i
 r>i 172.16.2.0/24    172.17.2.1               0    100      0 i
 *>  172.16.4.0/24    0.0.0.0                  0         32768 i
SanJose3#

SanJose3# show ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/16 is subnetted, 1 subnets
B        10.1.0.0 [200/0] via 172.17.2.1, 00:26:43
SanJose3#

b. Use the ping command to see if SanJose3 can ping the 10.1.0.1 address on ISP1. Notice that the ping fails.

SanJose3# ping 10.1.0.1 source gig 0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.4.1 
U.U.U

c. The problem is on SanJose2. SanJose2 does not have a route for the 10.1.0.0/16 network, as shown using the show ip route command.

SanJose2# show ip route


      172.16.0.0/16 is variably subnetted, 8 subnets, 3 masks
C        172.16.1.0/30 is directly connected, Serial0/0/1
L        172.16.1.2/32 is directly connected, Serial0/0/1
C        172.16.1.4/30 is directly connected, Serial0/1/0
L        172.16.1.5/32 is directly connected, Serial0/1/0
D        172.16.2.0/24 [90/2172416] via 172.16.1.1, 01:56:50, Serial0/0/1
C        172.16.3.0/24 is directly connected, GigabitEthernet0/0
L        172.16.3.1/32 is directly connected, GigabitEthernet0/0
D        172.16.4.0/24 [90/2172416] via 172.16.1.6, 01:55:52, Serial0/1/0
      172.17.0.0/16 is variably subnetted, 4 subnets, 2 masks
D        172.17.2.0/24 [90/2297856] via 172.16.1.1, 01:56:50, Serial0/0/1
C        172.17.3.0/24 is directly connected, Loopback0
L        172.17.3.1/32 is directly connected, Loopback0
D        172.17.4.0/24 [90/2297856] via 172.16.1.6, 01:55:52, Serial0/1/0
SanJose2#

Even though SanJose2 does not have any knowledge of the 10.1.0.0/16 network, SanJose3 has the network in its IP routing table because it learned the route via IBGP from SanJose1 and has a valid next hop address to SanJose1 for the route. Even though there is not complete reachability in the ITA for 10.1.0.0/16, SanJose3 still has an IBGP route for this network because the default BGP behavior is no synchronization. Beginning with IOS 12.2(8)T, the default BGP behavior is no synchronization.

What is the BGP synchronization rule? The BGP synchronization rule states that a router will not include in its routing table nor advertise routes learned by IBGP unless that route is directly connected or learned from an IGP. In other words, with synchronization enabled, SanJose3 will not include the BGP route to 10.1.0.0/16 in its routing table unless it already knows about it via EIGRP. SanJose3 having the 10.1.0.0/16 network in its IP routing table as an EIGRP route would mean that other routers in the domain, such as SanJose2, most likely have this route also.
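The three checks this lab walks through for an IBGP-learned path (next hop reachability, synchronization, and administrative distance) can be modelled together. The following is an added example, not part of the original lab and not how IOS is implemented; the function names are hypothetical, and the routing data is transcribed from SanJose3's show ip route output above.

```python
import ipaddress

# Administrative distances: EIGRP 90 and IBGP 200 are the values the lab cites;
# connected = 0 is the standard IOS value.
ADMIN_DISTANCE = {"connected": 0, "eigrp": 90, "ibgp": 200}

# SanJose3's connected and EIGRP routes, transcribed from its `show ip route`
# output in this lab (local /32 host routes omitted).
SANJOSE3_RIB = {
    "172.16.1.0/30": "eigrp",
    "172.16.1.4/30": "connected",
    "172.16.2.0/24": "eigrp",
    "172.16.3.0/24": "eigrp",
    "172.16.4.0/24": "connected",
    "172.17.2.0/24": "eigrp",
    "172.17.3.0/24": "eigrp",
    "172.17.4.0/24": "connected",
}


def classify_ibgp_path(prefix, next_hop, rib, synchronization=False):
    """Return (status_code, reason) for one IBGP-learned path.

    Simplified model of the rules described in this lab:
      1. the next hop must be covered by a route already in the routing table;
      2. with synchronization enabled, the prefix itself must already be known
         as a connected or IGP route;
      3. a non-BGP route to the same prefix with a lower administrative
         distance wins, which `show ip bgp` reports as a RIB failure.
    """
    prefix = ipaddress.ip_network(prefix)
    next_hop = ipaddress.ip_address(next_hop)
    nets = {ipaddress.ip_network(p): source for p, source in rib.items()}

    if not any(next_hop in net for net in nets):
        return "* i", "next hop unreachable"
    if synchronization and prefix not in nets:
        return "* i", "not synchronized"
    incumbent = nets.get(prefix)
    if incumbent is not None and ADMIN_DISTANCE[incumbent] < ADMIN_DISTANCE["ibgp"]:
        return "r>i", f"RIB failure: {incumbent} route has lower admin distance"
    return "*>i", "installed with admin distance 200"


def bgp_table(paths, rib, synchronization=False):
    """Classify every (prefix, next_hop) pair received from an IBGP peer."""
    return [
        (prefix, next_hop) + classify_ibgp_path(prefix, next_hop, rib, synchronization)
        for prefix, next_hop in paths
    ]


if __name__ == "__main__":
    scenarios = {
        "before next-hop-self": ([("10.1.0.0/16", "192.168.1.1")], False),
        "after next-hop-self": ([("10.1.0.0/16", "172.17.2.1"),
                                 ("172.16.2.0/24", "172.17.2.1")], False),
        "synchronization on": ([("10.1.0.0/16", "172.17.2.1"),
                                ("172.16.2.0/24", "172.17.2.1")], True),
    }
    for name, (paths, sync) in scenarios.items():
        print(name)
        for prefix, next_hop, code, reason in bgp_table(paths, SANJOSE3_RIB, sync):
            print(f"  {code:4} {prefix:15} via {next_hop:12} {reason}")
```

Each scenario reproduces the status codes SanJose3 displays for these prefixes in the show ip bgp outputs of this lab.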

Prior to IOS 12.2(8)T synchronization was the default behavior. What this meant was that

d. The effect of this behavior can be examined by enabling synchronization on SanJose3 using the BGP synchronization command. The clear ip bgp * command is used to reset the neighbor adjacencies.

SanJose3(config)# router bgp 65000
SanJose3(config-router)# synchronization
SanJose3(config-router)# end
SanJose3#clear ip bgp *
*Sep 28 18:13:53.007: %BGP-5-ADJCHANGE: neighbor 172.17.2.1 Down User reset
*Sep 28 18:13:53.007: %BGP_SESSION-5-ADJCHANGE: neighbor 172.17.2.1 IPv4 Unicast topology base removed from session User reset
*Sep 28 18:13:53.335: %BGP-5-ADJCHANGE: neighbor 172.17.2.1 Up 
SanJose3#

e. Using the show ip bgp command, verify that SanJose3 is still receiving the IBGP update for 10.1.0.0/16 from SanJose1 but that the entry no longer carries the “>” (best) status code.

SanJose3# show ip bgp
BGP table version is 3, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 * i 10.1.0.0/16      172.17.2.1               0    100      0 65100 i
 r>i 172.16.2.0/24    172.17.2.1               0    100      0 i
 *>  172.16.4.0/24    0.0.0.0                  0         32768 i
SanJose3#

f. With synchronization enabled, use the show ip route command to verify that SanJose3 no longer includes the 10.1.0.0/16 network in its routing table. SanJose3 does not include the 10.1.0.0/16 network in its IP routing table because it does not have this network as an IGP (EIGRP) route in its routing table.

SanJose3# show ip route

      172.16.0.0/16 is variably subnetted, 7 subnets, 3 masks
D        172.16.1.0/30 [90/2681856] via 172.16.1.5, 02:09:59, Serial0/0/0
C        172.16.1.4/30 is directly connected, Serial0/0/0
L        172.16.1.6/32 is directly connected, Serial0/0/0
D        172.16.2.0/24 [90/2684416] via 172.16.1.5, 02:09:59, Serial0/0/0
D        172.16.3.0/24 [90/2172416] via 172.16.1.5, 02:09:59, Serial0/0/0
C        172.16.4.0/24 is directly connected, GigabitEthernet0/0
L        172.16.4.1/32 is directly connected, GigabitEthernet0/0
      172.17.0.0/16 is variably subnetted, 4 subnets, 2 masks
D        172.17.2.0/24 [90/2809856] via 172.16.1.5, 02:09:59, Serial0/0/0
D        172.17.3.0/24 [90/2297856] via 172.16.1.5, 02:09:59, Serial0/0/0
C        172.17.4.0/24 is directly connected, Loopback0
L        172.17.4.1/32 is directly connected, Loopback0
SanJose3#

With synchronization enabled, routes learned via EBGP would need to be redistributed into the IGP (EIGRP). SanJose2 would then include the 10.1.0.0/16 network in its IP routing table. Because of the size of Internet routing tables and the potential for this to consume a lot of memory and CPU resources, this is no longer considered best practice.

The better solution is to configure full-mesh IBGP on the transit BGP routers. This is done in the next step.

g. To return to the default configuration, disable synchronization on SanJose3 using the no synchronization command and reset the BGP peering. Verify that SanJose3 has returned to this behavior using the show ip bgp and show ip route bgp commands.

SanJose3(config)# router bgp 65000
SanJose3(config-router)# no synchronization
SanJose3(config-router)# end
SanJose3# clear ip bgp *
SanJose3#
*Sep 28 18:25:39.415: %BGP-5-ADJCHANGE: neighbor 172.17.2.1 Down User reset
*Sep 28 18:25:39.415: %BGP_SESSION-5-ADJCHANGE: neighbor 172.17.2.1 IPv4 Unicast topology base removed from session  User reset
*Sep 28 18:25:40.155: %BGP-5-ADJCHANGE: neighbor 172.17.2.1 Up 
SanJose3#
SanJose3# show ip bgp
BGP table version is 4, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 10.1.0.0/16      172.17.2.1               0    100      0 65100 i
 r>i 172.16.2.0/24    172.17.2.1               0    100      0 i
 *>  172.16.4.0/24    0.0.0.0                  0         32768 i
SanJose3# show ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/16 is subnetted, 1 subnets
B        10.1.0.0 [200/0] via 172.17.2.1, 00:09:43
SanJose3#

Step 7: Configure and verify full-mesh IBGP on all ITA transit routers.

a. With no synchronization being the default behavior with IOS, it is important that network administrators ensure IBGP reachability amongst all routers in the transit path. Looking at the topology, notice that SanJose3 has an EBGP peering relationship with ISP2. (This only exists in the topology but was not configured.) Without any further configuration to filter the 10.1.0.0/16 network, SanJose3 would advertise this network to ISP2. The routing policy on ISP2 could mean that it would forward packets for 10.1.0.0/16 to SanJose3. SanJose3 would then forward them to SanJose2, where they would be dropped because it does not have a route to this network.

The solution is to configure fully-meshed IBGP amongst all routers in the transit path, SanJose1, SanJose2, and SanJose3.
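The black hole described above can be found offline by walking the forwarding path hop by hop through each router's routing table. This is an added example, not part of the original lab: the route lines are copied from the show ip route outputs above, the function names are hypothetical, and the SanJose2 BGP route used for the full-mesh case is constructed, since that output is not shown in this section.

```python
import ipaddress
import re

# Route lines copied from this lab's `show ip route` output (only the entries
# needed to forward toward 10.1.0.1 are kept).
SANJOSE1 = """\
      10.0.0.0/16 is subnetted, 1 subnets
B        10.1.0.0 [20/0] via 192.168.1.1, 00:14:14
      172.16.0.0/16 is variably subnetted, 7 subnets, 3 masks
C        172.16.1.0/30 is directly connected, Serial0/0/1
L        172.16.1.1/32 is directly connected, Serial0/0/1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/30 is directly connected, Serial0/0/0
L        192.168.1.2/32 is directly connected, Serial0/0/0
"""
SANJOSE2 = """\
      172.16.0.0/16 is variably subnetted, 8 subnets, 3 masks
C        172.16.1.0/30 is directly connected, Serial0/0/1
L        172.16.1.2/32 is directly connected, Serial0/0/1
C        172.16.1.4/30 is directly connected, Serial0/1/0
L        172.16.1.5/32 is directly connected, Serial0/1/0
      172.17.0.0/16 is variably subnetted, 4 subnets, 2 masks
D        172.17.2.0/24 [90/2297856] via 172.16.1.1, 01:56:50, Serial0/0/1
"""
SANJOSE3 = """\
      10.0.0.0/16 is subnetted, 1 subnets
B        10.1.0.0 [200/0] via 172.17.2.1, 00:03:17
      172.16.0.0/16 is variably subnetted, 7 subnets, 3 masks
C        172.16.1.4/30 is directly connected, Serial0/0/0
L        172.16.1.6/32 is directly connected, Serial0/0/0
      172.17.0.0/16 is variably subnetted, 4 subnets, 2 masks
D        172.17.2.0/24 [90/2809856] via 172.16.1.5, 01:26:06, Serial0/0/0
"""
# Constructed (not lab output): the IBGP route SanJose2 is assumed to learn
# from SanJose1 once the full mesh with next-hop-self is configured.
SANJOSE2_MESHED = """\
      10.0.0.0/16 is subnetted, 1 subnets
B        10.1.0.0 [200/0] via 172.17.2.1, 00:00:10
""" + SANJOSE2


def parse_rib(text):
    """Parse `show ip route` lines into (network, code, next_hop) tuples."""
    routes, inherited = [], None
    for line in text.splitlines():
        # "x.x.x.x/16 is subnetted" supplies the mask for child routes that
        # are printed without one (for example "B  10.1.0.0 [200/0] ...").
        head = re.match(r"\s+\S+/(\d+) is (?:variably )?subnetted", line)
        if head:
            inherited = head.group(1)
            continue
        m = re.match(r"(\S+)\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+(.*)", line)
        if not m:
            continue
        code, addr, plen, rest = m.groups()
        via = re.search(r"via (\d+\.\d+\.\d+\.\d+)", rest)
        net = ipaddress.ip_network(f"{addr}/{plen or inherited}")
        routes.append((net, code, ipaddress.ip_address(via.group(1)) if via else None))
    return routes


def lookup(rib, dst):
    """Longest-prefix match; None when no route covers dst."""
    matches = [r for r in rib if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def resolve(rib, dst, depth=0):
    """Recursively resolve dst to an on-link address, or None if unroutable."""
    route = lookup(rib, dst)
    if route is None or depth > 4:      # depth guard against recursive loops
        return None
    via = route[2]
    return dst if via is None else resolve(rib, via, depth + 1)


def trace(ribs, start, dst, max_hops=8):
    """Follow dst router by router; return (path, verdict)."""
    dst = ipaddress.ip_address(dst)
    # Local (L) host routes tell us which router owns each interface address.
    owner = {net.network_address: name
             for name, rib in ribs.items() for net, code, _ in rib if code == "L"}
    path, router = [start], start
    for _ in range(max_hops):
        adjacent = resolve(ribs[router], dst)
        if adjacent is None:
            return path, f"dropped at {router}: no route"
        router = owner.get(adjacent)
        if router is None:
            return path, f"handed to external next hop {adjacent}"
        path.append(router)
    return path, "forwarding loop suspected"


def build_ribs(full_mesh=False):
    """Routing tables before (default) or after the IBGP full mesh."""
    return {"SanJose1": parse_rib(SANJOSE1),
            "SanJose2": parse_rib(SANJOSE2_MESHED if full_mesh else SANJOSE2),
            "SanJose3": parse_rib(SANJOSE3)}


if __name__ == "__main__":
    for mesh in (False, True):
        print("full mesh" if mesh else "partial mesh",
              trace(build_ribs(mesh), "SanJose3", "10.1.0.1"))
```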

Configure BGP on SanJose2 to have peering relationships with both SanJose1 and SanJose3. Configure SanJose1 and SanJose3 to have a peering relationship with SanJose2. Configure the peering to use the loopback0 addresses.

SanJose2(config)# router bgp 65000
SanJose2(config-router)# bgp router-id 2.2.2.2
SanJose2(config-router)# neighbor 172.17.2.1 remote-as 65000
SanJose2(config-router)# neighbor 172.17.2.1 update-source Loopback0
SanJose2(config-router)# neighbor 172.17.4.1 remote-as 65000
SanJose2(config-router)# neighbor 172.17.4.1 update-source Loopback0
SanJose2(config-router)#

SanJose1(config)# router bgp 65000
SanJose1(config-router)# neighbor 172.17.3.1 remote-as 65000
SanJose1(config-router)# neighbor 172.17.3.1 update-source Loopback0
SanJose1(config-router)# neighbor 172.17.3.1 next-hop-self
SanJose1(config-router)#

SanJose3(config)# router bgp 65000
SanJose3(config-router)# neighbor 172.17.3.1 remote-as 65000
SanJose3(config-router)# neighbor 172.17.3.1 update-source Loopback0
SanJose3(config-router)#

Note: Notice that SanJose1 is configured as the next hop for IBGP routes advertised to SanJose2. For consistency, a similar configuration for SanJose3 is shown. Once again, you do not need to configure this because the ISP2 router does not actually exist in our lab topology.

SanJose3(config)# router bgp 65000
SanJose3(config-router)# neighbor 172.17.3.1 next-hop-self
SanJose3(config-router)#

b. Use the show bgp summary command on each router to verify the neighbor adjacencies.

ISP1# show bgp summary
BGP router identifier 1.0.0.0, local AS number 65100
BGP table version is 18, main routing table version 18
3 network entries using 432 bytes of memory
3 path entries using 240 bytes of memory
3/3 BGP path/bestpath attribute entries using 480 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1176 total bytes of memory
BGP activity 6/3 prefixes, 8/5 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.2     4        65000      20      21       18    0    0 00:14:25        2
ISP1#

SanJose1# show bgp summary
BGP router identifier 1.1.1.1, local AS number 65000
BGP table version is 4, main routing table version 4
3 network entries using 432 bytes of memory
3 path entries using 240 bytes of memory
3/3 BGP path/bestpath attribute entries using 480 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1176 total bytes of memory
BGP activity 7/4 prefixes, 8/5 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.17.3.1      4        65000      18      18        4    0    0 00:12:12        0
172.17.4.1      4        65000      19      18        4    0    0 00:12:12        1
192.168.1.1     4        65100      18      18        4    0    0 00:12:12        1
SanJose1#

SanJose2# show bgp summary
BGP router identifier 2.2.2.2, local AS number 65000
BGP table version is 9, main routing table version 9
3 network entries using 432 bytes of memory
3 path entries using 240 bytes of memory
2/2 BGP path/bestpath attribute entries using 320 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1016 total bytes of memory
BGP activity 5/2 prefixes, 5/2 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.17.2.1      4        65000      20      20        9    0    0 00:14:30        2
172.17.4.1      4        65000      68      66        9    0    0 00:53:14        1
SanJose2#

SanJose3# show bgp summary
BGP router identifier 3.3.3.3, local AS number 65000
BGP table version is 10, main routing table version 10
3 network entries using 432 bytes of memory
3 path entries using 240 bytes of memory
3/3 BGP path/bestpath attribute entries using 480 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1176 total bytes of memory
BGP activity 11/8 prefixes, 11/8 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.17.2.1      4        65000      20      22       10    0    0 00:14:35        2
172.17.3.1      4        65000      66      68       10    0    0 00:53:19        0
SanJose3#

c. Verify that SanJose2 now has the 10.1.0.0/16 network in its BGP table and in its IP routing table, using the show ip bgp and show ip route bgp commands.

SanJose2# show ip bgp
BGP table version is 5, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 10.1.0.0/16      172.17.2.1               0    100      0 65100 i
 r>i 172.16.2.0/24    172.17.2.1               0    100      0 i
 r>i 172.16.4.0/24    172.17.4.1               0    100      0 i
SanJose2#

SanJose2# show ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/16 is subnetted, 1 subnets
B        10.1.0.0 [200/0] via 172.17.2.1, 00:06:53
SanJose2#

d. Verify that SanJose3 still has the 10.1.0.0/16 network in its BGP table and in its IP routing table, using the show ip bgp and show ip route bgp commands.

SanJose3# show ip bgp
BGP table version is 5, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 10.1.0.0/16      172.17.2.1               0    100      0 65100 i
 r>i 172.16.2.0/24    172.17.2.1               0    100      0 i
 *>  172.16.4.0/24    0.0.0.0                  0         32768 i
SanJose3#

SanJose3# show ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/16 is subnetted, 1 subnets
B        10.1.0.0 [200/0] via 172.17.2.1, 00:54:55
SanJose3#

e. Verify that SanJose3 and ISP1 can now ping their BGP advertised networks from their G0/0 interfaces.

SanJose3# ping 10.1.0.1 source gig 0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.4.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/82/84 ms
SanJose3#

ISP1# ping 172.16.4.1 source gig 0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.0.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/83/84 ms
ISP1#

We now have complete reachability!
Would the pings have succeeded if they were not sourced from their G0/0 interfaces? Why or why not?
_______________________________________________________

Step 6: Configure AS 65000 as a non-transit AS.

a. The configuration on SanJose1 and ISP1 allows both routers to exchange BGP-learned routes. Although ISP2 does not actually exist in our topology, ISP2 and SanJose3 could also be configured to exchange BGP-learned routes. This would cause AS 65000 to be a transit AS. BGP routes learned from ISP1 would be advertised by SanJose3 to ISP2, and BGP routes learned from ISP2 would be advertised by SanJose1 to ISP1.

To avoid being a transit AS, on SanJose1, configure an AS-path filter using an AS-path access list. The access list permits only locally sourced routes to be sent to the provider, ISP1. Routes learned from another AS are filtered and not included in its updates. This filter is applied to the set of routes announced to the ISP1 neighbor.

The regular expression “^$” matches only routes that are locally sourced, that is, routes whose AS-path does not contain any AS.

SanJose1(config)# router bgp 65000
SanJose1(config-router)# neighbor 192.168.1.1 filter-list 1 out
SanJose1(config-router)# exit
SanJose1(config)# ip as-path access-list 1 permit ^$
SanJose1(config)#

Note: A similar configuration would be done on SanJose3 with its neighbor ISP2.

b. Because our topology does not actually include the ISP2 network, we won’t see any difference in our outputs. If ISP2 did actually exist, ISP1 and ISP2 would only receive BGP updates from SanJose1 and SanJose3 respectively for the 172.16.2.0/24 and 172.16.4.0/24 networks. For example, ISP2 would not receive a BGP update for the 10.1.0.0/16 network from SanJose3.

To verify that we have not removed any reachability between AS 65100 and AS 65000, once again use the ping command between ISP1 and SanJose3.

ISP1# ping 172.16.4.1 source gig 0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.0.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/83/84 ms
ISP1#

SanJose3# ping 10.1.0.1 source gig 0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.4.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/83/84 ms
SanJose3#
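
Because ISP2 is not in the lab, the effect of the “^$” filter on SanJose3 cannot be observed on the routers. The Python sketch below is an added example, not part of the original lab: it applies the AS-path access list to the SanJose3 show ip bgp rows printed earlier, as if SanJose3 were advertising to ISP2. The function names and the NO_FILTER list are assumptions made for illustration.

```python
import re

# Rows copied from the SanJose3 "show ip bgp" output shown earlier in this lab.
SHOW_IP_BGP = """\
     Network          Next Hop            Metric LocPrf Weight Path
 *>i 10.1.0.0/16      172.17.2.1               0    100      0 65100 i
 r>i 172.16.2.0/24    172.17.2.1               0    100      0 i
 *>  172.16.4.0/24    0.0.0.0                  0         32768 i
"""

def parse_bgp_table(text):
    """Return {prefix: as_path_string} from fixed-width 'show ip bgp' rows."""
    lines = text.splitlines()
    path_col = lines[0].index("Path")       # Path column offset from the header
    routes = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        prefix = line.split()[1]            # token after the status codes
        fields = line[path_col:].split()    # AS numbers, then the origin code
        routes[prefix] = " ".join(fields[:-1])   # drop origin (i, e or ?)
    return routes

def ios_to_python(pattern):
    """Translate the IOS '_' delimiter token; '^', '$' and '.*' are shared."""
    return pattern.replace("_", r"(?:^|$|[ ,{}()])")

def filter_list_out(routes, acl):
    """Apply an AS-path ACL: first matching entry wins, implicit deny at end."""
    advertised = []
    for prefix, as_path in routes.items():
        for action, pattern in acl:
            if re.search(ios_to_python(pattern), as_path):
                if action == "permit":
                    advertised.append(prefix)
                break
    return sorted(advertised)

ACL_1 = [("permit", "^$")]       # ip as-path access-list 1 permit ^$
NO_FILTER = [("permit", ".*")]   # hypothetical: no outbound filter configured

if __name__ == "__main__":
    table = parse_bgp_table(SHOW_IP_BGP)
    print("with filter-list 1 out:", filter_list_out(table, ACL_1))
    print("without a filter:      ", filter_list_out(table, NO_FILTER))
```

With ACL_1 only the two ITA prefixes (empty AS path) are advertised; without a filter the ISP1-learned 10.1.0.0/16 route is advertised as well, which is what would make AS 65000 a transit AS.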