[128340] in North American Network Operators' Group
Cisco ASR BGP within the box question
daemon@ATHENA.MIT.EDU (Steven.Glogger@swisscom.com)
Mon Aug 2 09:02:50 2010
From: <Steven.Glogger@swisscom.com>
To: <cisco-nsp@puck.nether.net>, <nanog@nanog.org>
Date: Mon, 2 Aug 2010 15:02:33 +0200
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
hi all
just a short question (related to a quite new feature from cisco).
with the new cisco ASR software (15.0(1)S - released some days ago) it is able to do BGP on the same box.
we need this feature because we use the VASI interfaces to bring and filter traffic from one VRF to another VRF and perform firewalling (ZBF).
basically we have on the box:
[VRF_A via vasileft1]--[VRF_B via vasiright1]
and the box itself speaks BGP on VRF_B with some RR's:
[ASRBox] ---- (RR) ---- [anotherbox]
the fun part is, if you want to announce (e.g. 0.0.0.0/0) from VRF_B (announced from anotherbox) to VRF_A it should be possible now with that new feature.
according to BGP I need to configure the VRF_A peer as route-reflector-client so the routes from the anotherbox get reflected via RR to VRF_B.
but, it seems that the router itself needs to be tricked, since it thinks that both peers are in the same route-reflector cluster ("DENIED due to: reflected from the same cluster"):
Aug 2 13:35:03: BGP(0): 213.3.246.33 send UPDATE (format) 0.0.0.0/0, next 10.62.112.65, metric 0, path 44038 3303, extended community RT:65501:1702
Aug 2 13:35:03: BGP(0): 213.3.246.34 rcv UPDATE w/ attr: nexthop 10.62.112.65, origin i, localpref 250, metric 0, originator 10.62.112.65, clusterlist 10.62.112.79 10.62.112.17, merged path 44038 3303, AS_PATH , community
Aug 2 13:35:03: BGP(0): 213.3.246.34 rcv UPDATE about 0.0.0.0/0 -- DENIED due to: reflected from the same cluster;
Aug 2 13:35:03: BGP: 213.3.246.34 Modifying prefix 0.0.0.0/0 from 0 -> 4 address
so, this is my config:
config:
<snip>
interface vasileft1
 ip vrf forwarding VRF_A
 ip address 10.0.0.1 255.255.255.252
 zone-member security VASILEFT
!
interface vasiright1
 ip vrf forwarding VRF_B
 ip address 10.0.0.2 255.255.255.252
 zone-member security VASIRIGHT
!
router bgp 65501
 address-family ipv4 vrf IABIP-
  bgp router-id 10.0.0.1
  redistribute connected
  redistribute static
  neighbor 10.0.0.2 remote-as 65501
  neighbor 10.0.0.2 update-source vasileft1
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 send-community both
  neighbor 10.0.0.2 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf IACYP-
  import path selection multipaths
  bgp router-id 10.0.0.2
  redistribute connected
  redistribute static route-map SET-PREFIX-SoO
  neighbor 10.0.0.1 remote-as 65501
  neighbor 10.0.0.1 update-source vasiright1
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-community both
  neighbor 10.0.0.1 next-hop-self
 exit-address-family
</snip>
what does not work:
- having another AS number on the same box (otherwise eBGP would be possible)
- client-to-client reflection
- magic stuff in route-map
- setting different cluster-ids for different address-families
- nothing found in the release notes: http://www.cisco.com/en/US/docs/ios/ios_xe/3/release/notes/asr1k_rn_3s_rel_notes.html
so, does anyone know a nice hidden command to disable this cluster-checking on a per-peer basis or so?
-steven
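
Added example, not part of the original post and not Cisco code: a small Python model of the RFC 4456 loop checks (ORIGINATOR_ID and CLUSTER_LIST) applied to the "rcv UPDATE w/ attr" debug line quoted above, showing why the update is denied. The box's router-id and cluster-id are not stated in the post; the values used for them below are assumptions.

```python
import re

# Matches the "rcv UPDATE w/ attr" debug line format quoted in the post.
ATTR_RE = re.compile(
    r"BGP\(\d+\): (?P<peer>\S+) rcv UPDATE w/ attr: .*?"
    r"originator (?P<originator>[\d.]+), "
    r"clusterlist (?P<clusters>[\d. ]+?),"
)

def parse_rcv_update(line):
    """Return (peer, originator_id, cluster_list), or None for other lines."""
    m = ATTR_RE.search(line)
    if not m:
        return None
    return m["peer"], m["originator"], m["clusters"].split()

def reflection_verdict(originator_id, cluster_list, local_router_id, local_cluster_id):
    """RFC 4456 loop checks as applied by the speaker receiving the UPDATE."""
    # A route that carries our own router-id as ORIGINATOR_ID came back to us.
    if originator_id == local_router_id:
        return "deny: ORIGINATOR_ID is the local router-id"
    # Each reflector prepends its CLUSTER_ID; seeing our own means a loop.
    if local_cluster_id in cluster_list:
        return "deny: reflected from the same cluster"
    return "accept"

# Debug line from the post, with the mail line-wrapping undone.
SAMPLE = (
    "Aug 2 13:35:03: BGP(0): 213.3.246.34 rcv UPDATE w/ attr: "
    "nexthop 10.62.112.65, origin i, localpref 250, metric 0, "
    "originator 10.62.112.65, clusterlist 10.62.112.79 10.62.112.17, "
    "merged path 44038 3303, AS_PATH , community"
)

# Assumptions, not stated in the post:
ASSUMED_ROUTER_ID = "192.0.2.10"      # constructed placeholder router-id
ASSUMED_CLUSTER_ID = "10.62.112.79"   # assumed to be this box's entry in the list
OTHER_CLUSTER_ID = "192.0.2.1"        # constructed: a cluster-id not in the list

if __name__ == "__main__":
    peer, originator, clusters = parse_rcv_update(SAMPLE)
    for cid in (ASSUMED_CLUSTER_ID, OTHER_CLUSTER_ID):
        verdict = reflection_verdict(originator, clusters, ASSUMED_ROUTER_ID, cid)
        print(f"peer {peer}, local cluster-id {cid}: {verdict}")
```

The second verdict shows that the same UPDATE passes only when the receiving side's cluster-id differs from every entry in the CLUSTER_LIST, which is the condition the post is trying to achieve per peer.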