Wednesday, September 15, 2021

BGP neighbor won't establish

Fighting with a nagging issue on a Cisco ISR Edge router that won't establish a BGP neighborship with the ISP.

Previously configured with a static default route, now switching to BGP.

Debugs state: Active open failed - No route to peer

show ip bgp summary - shows zero inbound or outbound packets

Routing is working because the internet is up using a static default route. The gateway router on the ISP side is both the static routing target and the new BGP peer.

At the moment we aren't even advertising any routes; we are just trying to get the neighborship to establish so I can pull a default route from the ISP.

Config here has IPs sanitized and working mostly from memory, so I apologize for any syntax mistakes

The previous network engineer left me with this router having a weird VRF config where there's a unique VRF of this router connected to both the outside and inside interfaces of our firewall, which sits in between. The outside VRF is meant to handle BGP and an ACL to filter IPs + ports; the inside VRF is meant to handle the OSPF instance. And I suspect this config is the root of my problem.

Am I right in assuming that the BGP instance on an ISR router has to find the route to the BGP peer from the default VRF's routing table? (The default VRF's routing table is currently blank.)

Because the route for the peer is directly connected to Gi 0/0/2 and appears in the EXT VRF routing table.

ip vrf INT
 rd 101:2
ip vrf EXT
 rd 101:1

int gi 0/0/0
 des WAN_to_Firewall
 vrf forwarding EXT
 ip address 192.168.0.1 255.255.255.0
 no shut

int gi 0/0/1
 desc Internal_LAN_From_Firewall
 vrf forwarding INT
 ip address 192.168.1.1 255.255.255.0
 no shut

int gi 0/0/2
 desc external_WAN_to_ISP
 vrf forwarding EXT
 ip address 172.16.1.1 255.255.255.0
 no shut

int gi 0/0/1
 desc Internal_LAN_to_core_stack
 vrf forwarding INT
 ip address 192.168.2.1 255.255.255.0
 no shut

ip route vrf INT 0.0.0.0 0.0.0.0 192.168.1.2 //Firewall
ip route vrf EXT 0.0.0.0 0.0.0.0 172.16.1.2 //ISP

router bgp XXXX
 bgp log-neighbor-changes
 bgp router-id 172.16.1.1
 neighbor 172.16.1.2 remote-as YYYY
 neighbor 172.16.1.2 password NoYoBusiness
 neighbor 172.16.1.2 update-source gi 0/0/2
 address-family ipv4
  bgp damp
  neighbor 172.16.1.2 activate
  neighbor 172.16.1.2 send-community
  neighbor 172.16.1.2 next-hop-self
  neighbor 172.16.1.2 prefix-list ISP-in in
  neighbor 172.16.1.2 route-map ASXXXX-out out

ip prefix-list ASXXXX-out permit 172.16.0.0/24

ip prefix-list ISP-in seq 5 deny 0.0.0.0/8 le 32
ip prefix-list ISP-in seq 10 deny 10.0.0.0/8 le 32
ip prefix-list ISP-in seq 15 deny 127.0.0.0/8 le 32
ip prefix-list ISP-in seq 20 deny 169.254.0.0/16 le 32
ip prefix-list ISP-in seq 25 deny 172.16.0.0/12 le 32
ip prefix-list ISP-in seq 30 deny 192.168.0.0/16 le 32
ip prefix-list ISP-in seq 35 deny 224.0.0.0/3 le 32
ip prefix-list ISP-in seq 40 permit 0.0.0.0/0 le 32

route-map ASXXXX-out
 match ip address prefix-list ASXXXX-out
 set community YYYY:110
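Added example (not from the original post or from Cisco): a small Python lint that flags a BGP neighbor whose connected subnet sits in a VRF while the session is declared in a different routing table, which is the situation the question above describes. It assumes standard IOS behaviour, where a neighbor declared outside an `address-family ipv4 vrf` block is reached through the global routing table; the AS numbers 65001/65002, the sample strings and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed samples: trimmed form of the sanitized config in the post.
# AS numbers 65001/65002 are placeholders for the post's XXXX/YYYY.
IFACE = """\
interface GigabitEthernet0/0/2
 vrf forwarding EXT
 ip address 172.16.1.1 255.255.255.0
"""
AS_POSTED = IFACE + "router bgp 65001\n neighbor 172.16.1.2 remote-as 65002\n"
# Same session declared inside the VRF address family (assumed corrected form).
IN_VRF = IFACE + ("router bgp 65001\n address-family ipv4 vrf EXT\n"
                  "  neighbor 172.16.1.2 remote-as 65002\n")

def parse(config):
    """Return ([(connected_network, vrf)], {(peer_ip, vrf)}); vrf None means global table."""
    connected, neighbors = [], set()
    section = if_vrf = bgp_vrf = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():      # unindented line opens a new section
            section = "bgp" if line.startswith("router bgp") else line.split()[0]
            if_vrf = bgp_vrf = None
        elif section == "interface":
            if m := re.match(r"(?:ip )?vrf forwarding (\S+)", line):
                if_vrf = m.group(1)
            elif m := re.match(r"ip address (\S+) (\S+)", line):
                connected.append((ipaddress.ip_interface(f"{m[1]}/{m[2]}").network, if_vrf))
        elif section == "bgp":
            if m := re.match(r"address-family ipv4(?: vrf (\S+))?", line):
                bgp_vrf = m.group(1)          # None for the plain ipv4 family
            elif m := re.match(r"neighbor (\d+\.\d+\.\d+\.\d+) remote-as", line):
                neighbors.add((ipaddress.ip_address(m[1]), bgp_vrf))
    return connected, neighbors

def vrf_mismatches(config):
    """Peers whose connected subnet lives only in a table other than the BGP session's."""
    connected, neighbors = parse(config)
    out = []
    for peer, bgp_vrf in sorted(neighbors, key=str):
        homes = {vrf for net, vrf in connected if peer in net}
        if homes and bgp_vrf not in homes:
            out.append((str(peer), bgp_vrf or "global", sorted(v or "global" for v in homes)))
    return out
```

Calling `vrf_mismatches(AS_POSTED)` reports the peer 172.16.1.2 as configured in the global table while its subnet is connected only in EXT; `vrf_mismatches(IN_VRF)` reports nothing.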

