BGP issues and route changes

Jacob Durham
Need help fixing old BGP setup
I have inherited a piecemeal network that has many things I haven't figured out yet. I'm no network engineer so I lean on the TAC for most complex changes.

 

I have an issue with our BGP changing routes today for some reason and I'm trying to figure out how I can fix it and prevent it from happening again.

 

At some point today our BGP on our edge router (CORE-RTR1) connected to our ISP changed its default route and Gateway of Last Resort from our ISP to another router (OLD-RTR1) on our network that USED TO have a redundant internet connection.

 

This caused a loop where the other two routers were just sending traffic back and forth to one another. During this, I realized I needed to reset/recalculate the routes. In a hurry, I rebooted CORE-RTR1. This fixed the routing issue but I'm pretty sure caused me to lose any information which would have let me see the reason for the route change.

 

My BGP routes are correct now but I want to prevent them from changing again.

 

The BGP section on the two routers is below. Please let me know what additional info would be helpful.

 

CORE-RTR1

core-rtr2#show run | sec bgp
router bgp 33394
bgp router-id 192.168.255.21
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 10.200.1.11 remote-as 65001
neighbor 10.200.1.11 description BGP Peering across MOE to Northcreek
neighbor 67.131.8.149 remote-as 209
neighbor 192.168.255.103 remote-as 33394
neighbor 192.168.255.103 update-source Loopback0
neighbor 192.168.255.104 remote-as 33394
neighbor 192.168.255.104 update-source Loopback0
!
address-family ipv4
network 67.131.8.148 mask 255.255.255.252
neighbor 10.200.1.11 activate
neighbor 10.200.1.11 route-map RM_NorthCreek_In in
neighbor 67.131.8.149 activate
neighbor 67.131.8.149 route-map RM_CLINK out
neighbor 192.168.255.103 activate
neighbor 192.168.255.104 activate
distance bgp 20 105 200
exit-address-family

 

 

 

 

OLD-RTR1

 

OLD-RTR1#show run | sec bgp
router bgp 65001
bgp router-id 192.168.255.22
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 10.11.254.2 remote-as 65001
neighbor 10.200.1.1 remote-as 33394
neighbor 63.156.111.189 remote-as 209
!
address-family ipv4
neighbor 10.11.254.2 activate
neighbor 10.11.254.2 next-hop-self
neighbor 10.200.1.1 activate
neighbor 63.156.111.189 activate
neighbor 63.156.111.189 route-map RM_CLINK out
distance bgp 20 105 200
exit-address-family
SouljaSr.Net.Eng
Top Expert 2011

Commented:
Is the OLD router supposed to be a backup internet path or no? Also, I don't see any type of filtering between the old and new router. Possibly adding a prefix list that denies the default prefix and filtering that outbound on the old router or inbound on the new router.
Jacob DurhamIT Support Analyst II (Lead Infrastructure Engineer)

Author

Commented:
The old router used to have a redundant internet circuit.

We only have one internet egress now which is connected to EDGE-RTR1.
SouljaSr.Net.Eng
Top Expert 2011

Commented:
Ok so if you add filtering between those two routers it should prevent a default route from ever being advertised to the New router.
SouljaSr.Net.Eng
Top Expert 2011

Commented:
Example config on old router:

ip prefix-list OLDRTR seq 5 permit 0.0.0.0/0

route-map OLDtoNEW deny 10
 match ip address prefix-list OLDRTR
route-map OLDtoNEW permit 20

router bgp 65001
 address-family ipv4
  neighbor 10.200.1.1 route-map OLDtoNEW out
Jacob DurhamIT Support Analyst II (Lead Infrastructure Engineer)

Author

Commented:
Would this do the same thing on the new router?

#show route-map
route-map RM_CLINK, permit, sequence 10
  Match clauses:
    ip address prefix-lists: PL_Default
  Set clauses:
    local-preference 999
  Policy routing matches: 0 packets, 0 bytes
route-map RM_CLINK, deny, sequence 1000
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map RM_NorthCreek_In, deny, sequence 5
  Match clauses:
    ip address prefix-lists: default-route
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map RM_NorthCreek_In, permit, sequence 10
  Match clauses:
  Set clauses:
    local-preference 90
  Policy routing matches: 0 packets, 0 bytes
route-map RM_NorthCreek_In, deny, sequence 1000
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
#show route-map pr
#show route-map pr
#show ip pre
#show ip prefix-list
ip prefix-list PL_Default: 1 entries
   seq 5 permit 0.0.0.0/0
ip prefix-list default-route: 1 entries
   seq 10 permit 0.0.0.0/0


Jacob DurhamIT Support Analyst II (Lead Infrastructure Engineer)

Author

Commented:
Here is the current configs on the OLD-RTR

#show ip prefix-list
ip prefix-list PL_Default: 1 entries
   seq 5 permit 0.0.0.0/0
#show route-map
route-map RM_CLINK, permit, sequence 10
  Match clauses:
    ip address prefix-lists: PL_Default
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map RM_CLINK, deny, sequence 1000
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes


SouljaSr.Net.Eng
Top Expert 2011

Commented:
Ok, I was thinking the 10.200.1.1 was the new router. Which neighbor is which? I assume they are the ones with the route maps you posted now. Is that correct?
SouljaSr.Net.Eng
Top Expert 2011

Commented:
Based on the OLD router config, it will advertise a default route. You'll need to deny the default route in that route map with a deny sequence instead of permit.
Jacob DurhamIT Support Analyst II (Lead Infrastructure Engineer)

Author

Commented:
10.200.1.1 is the new router.

10.200.1.11 should never be the default route.

This is what I added. Does it look right?

10.200.1.1#show ip pre
10.200.1.1#show ip prefix-list 
ip prefix-list PL_Default: 1 entries
   seq 5 permit 0.0.0.0/0
ip prefix-list default-route: 1 entries
   seq 10 permit 0.0.0.0/0
10.200.1.1#show route-map 
route-map RM_CLINK, permit, sequence 10
  Match clauses:
    ip address prefix-lists: PL_Default 
  Set clauses:
    local-preference 999
  Policy routing matches: 0 packets, 0 bytes
route-map RM_CLINK, deny, sequence 1000
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map RM_NorthCreek_In, deny, sequence 5
  Match clauses:
    ip address prefix-lists: default-route 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map RM_NorthCreek_In, permit, sequence 10
  Match clauses:
  Set clauses:
    local-preference 90
  Policy routing matches: 0 packets, 0 bytes
route-map RM_NorthCreek_In, deny, sequence 1000
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
10.200.1.1#


SouljaSr.Net.Eng
Top Expert 2011

Commented:
Yes, if RM_NorthCreek_In is the route-map peering to the old router then it will block the default route. I would rather block it closest to the source and modify the route-map on the old. Or even better filter on both ends as double insurance.
Jacob DurhamIT Support Analyst II (Lead Infrastructure Engineer)

Author

Commented:
How do I block it on the old routers? So it is done on both?

10.200.1.11#show ip pre 
10.200.1.11#show ip prefix-list 
ip prefix-list PL_Default: 1 entries
   seq 5 permit 0.0.0.0/0
10.200.1.11#show route-map
route-map RM_CLINK, permit, sequence 10
  Match clauses:
    ip address prefix-lists: PL_Default 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map RM_CLINK, deny, sequence 1000
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
10.200.1.11#


SouljaSr.Net.Eng
Top Expert 2011

Commented:
You'd do pretty much the same in regards to the prefix list and route-map, just on the old router's neighbor statement, put the route-map in the OUT direction.
SouljaSr.Net.Eng
Top Expert 2011

Commented:
You can then verify it on the old router by doing a sho ip bgp neighbor x.x.x.x advertised-routes, x.x.x.x being the new router.
Jacob DurhamIT Support Analyst II (Lead Infrastructure Engineer)

Author

Commented:
Can you tell what that would look like? Like below?

route-map RM_NorthCreek_OUT deny 5

match ip address prefix-list default-route

 

ip prefix-list default-route seq 10 permit 0.0.0.0/0


SouljaSr.Net.Eng
Top Expert 2011

Commented:
router bgp 65001

address-family ipv4
neighbor x.x.x.x route-map RM_NorthCreek_OUT out


I put x.x.x.x cause I am still unsure which neighbor is the new router.
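
An added example, not part of the original thread: a small Python model of how the route-maps posted above are evaluated (first matching sequence decides, implicit deny at the end, and a prefix-list entry without ge/le matches that exact prefix only). The sample routes, the DENY_ONLY map and the function names are constructed for illustration, and set clauses such as local-preference are ignored.

```python
import ipaddress

# Constructed models of the prefix-lists and route-maps shown in the thread.
# Set clauses (local-preference) are ignored; only permit/deny is modelled.
PREFIX_LISTS = {
    "PL_Default": ["0.0.0.0/0"],
    "default-route": ["0.0.0.0/0"],
    "OLDRTR": ["0.0.0.0/0"],
}
# Each entry: (action, prefix-list name); None = no match clause = match all.
ROUTE_MAPS = {
    "RM_CLINK": [("permit", "PL_Default"), ("deny", None)],
    "RM_NorthCreek_In": [("deny", "default-route"), ("permit", None), ("deny", None)],
    "OLDtoNEW": [("deny", "OLDRTR"), ("permit", None)],
    # Hypothetical: a map holding only the single deny entry, nothing after it.
    "DENY_ONLY": [("deny", "default-route")],
}
# Constructed sample of routes a router might hold (not from the thread).
SAMPLE_ROUTES = ["0.0.0.0/0", "10.11.0.0/16", "192.168.50.0/24"]


def prefix_list_permits(name, route):
    """An entry without ge/le matches that exact prefix and length only."""
    net = ipaddress.ip_network(route)
    return any(net == ipaddress.ip_network(p) for p in PREFIX_LISTS[name])


def route_map_permits(name, route):
    """First matching sequence decides; no match at all is an implicit deny."""
    if name is None:  # neighbor with no route-map applied: nothing is filtered
        return True
    for action, plist in ROUTE_MAPS[name]:
        if plist is None or prefix_list_permits(plist, route):
            return action == "permit"
    return False


def passed(name, routes=SAMPLE_ROUTES):
    """Routes that survive the named route-map, in either direction."""
    return [r for r in routes if route_map_permits(name, r)]


if __name__ == "__main__":
    for rm in (None, "RM_CLINK", "RM_NorthCreek_In", "OLDtoNEW", "DENY_ONLY"):
        print(f"{str(rm):18} -> {passed(rm)}")
```

A route-map that ends after its deny entry passes nothing, so an outbound map on the old router needs a trailing permit entry like the one in OLDtoNEW.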
Sr.Net.Eng
Top Expert 2011
Commented:
Any update?
Jacob DurhamIT Support Analyst II (Lead Infrastructure Engineer)

Author

Commented:
This was a much bigger issue but you've helped. Thanks.
SouljaSr.Net.Eng
Top Expert 2011

Commented:
Ah ok. Would you mind sharing? You can message me with the details. Thanks
