I've always been weary of redistributing an IGP into BGP rather than using explicit network statements. Sure it automates the process, but if I'm going to be redistributing BGP into the IGP (say for MPLS CPE) - hopefully with a 'route-map' - there is a potential for funky redistribution loops and issues. Better to break the cycle and statically configure BGP with 'network' statements to explicitly advertise only what you want.
Of course, I'll break my own rules in the name of testing or in this case, a lab exercise. I'm in a Cisco IPv6 training class and our BGP routing lab instructed us to:
-
"Configure IBGP between R1 and R2 using the parameters that are listed in the table."
Parameter R1 R2 Source Loopback 1 Loopback 1 Redistribute into BGP IPv6 ConnectedSet origin IGP IPv6 ConnectedSet origin IGP
The original configuration was pretty straight forward. EIGRP was used as the IGP to which we were to add BGP. EIGRP was already advertising the connected routes so the EIGRP admin distance was modified so IBGP would be preferred. I was already cringing, but decided to play along.
The relevant parts of the provided R1 configuration follow. You can assume R2 was identical with the appropriate corresponding addresses for interfaces and peers.
interface Loopback1 ipv6 address 2001:DB9:121:100::1/64 ! interface Loopback2 ipv6 address 2001:DB9:121:200::1/64 ! interface Serial0/0/0 no ip address encapsulation frame-relay IETF frame-relay lmi-type cisco ! interface Serial0/0/0.1 point-to-point description To R2 ipv6 address 2001:DB9:123:1::1/64 ipv6 eigrp 1 frame-relay interface-dlci 122 ! ipv6 router eigrp 1 eigrp router-id 10.12.1.1 no shutdown passive-interface Loopback1 passive-interface Loopback2 distance 250 255
At this point, the BGP configuration was pretty easy. I added the following:
router bgp 65012 bgp router-id 10.12.1.1 no bgp default ipv4-unicast bgp log-neighbor-changes neighbor 2001:DB9:122:100::1 remote-as 65012 neighbor 2001:DB9:122:100::1 update-source Loopback1 ! address-family ipv6 neighbor 2001:DB9:122:100::1 activate redistribute connected route-map BGPCONN no synchronization exit-address-family ! route-map BGPCONN permit 10 match source-protocol connected set origin igp
It's no surprise that BGP came up and all was working. From R1:
W1P2R1#show bgp ipv6 unicast summary
BGP router identifier 10.12.1.1, local AS number 65012
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
2001:DB9:122:100::1
4 65012 1027 1044 47 0 0 00:02:05 4
And I could see my R1 routes on R2:
W1P2R2#show ipv6 route 2001:db9:121:200::/64
Routing entry for 2001:DB9:121:200::/64
Known via "bgp 65012", distance 200, metric 0, type internal
Backup from "eigrp 1 [250]"
Route count is 1/1, share count 0
Routing paths:
2001:DB9:121:100::1
Last updated 00:00:59 ago
But a subsequent 'show' command revealed an issue:
W1P2R2#show ipv6 route 2001:db9:121:200::/64
Routing entry for 2001:DB9:121:200::/64
Known via "eigrp 1", distance 250, metric 20640000, type internal
Route count is 1/1, share count 0
Routing paths:
FE80::219:55FF:FE35:1B90, Serial0/0/0.1
Last updated 00:00:00 ago
The route was no longer learned via BGP, but through EIGRP. Weird. The previous command shows the admin distance was correct; iBGP [200] should be preferred over EIGRP [250 - modified]. What was happening?
I did the "up-arrow, enter" troubleshooting technique; that is, I ran the previous 'show ipv6 route ...' command over and over. Of course it worked. I noticed the "Last updated" timer reset every minute as the route flip-flopped between EIGRP and BGP. I started thinking about the BGP walker process and how it runs every 60 seconds.
Since we were in a lab, I had no issues with running 'debug bgp ipv6 unicast updates' on R2 and verified my instinct was correct.
*Dec 13 15:05:50.176: BGP(1): no valid path for 2001:DB9:121:1::/64 *Dec 13 15:05:50.176: BGP(1): no valid path for 2001:DB9:121:100::/64 *Dec 13 15:05:50.176: BGP(1): no valid path for 2001:DB9:121:200::/64 *Dec 13 15:05:50.176: BGP(1): no valid path for 2001:DB9:121:300::/64 *Dec 13 15:05:50.196: BGP(1): nettable_walker 2001:DB9:121:1::/64 no best path *Dec 13 15:05:50.196: BGP(1): nettable_walker 2001:DB9:121:100::/64 no best path *Dec 13 15:05:50.196: BGP(1): nettable_walker 2001:DB9:121:200::/64 no best path *Dec 13 15:05:50.200: BGP(1): nettable_walker 2001:DB9:121:300::/64 no best path *Dec 13 15:06:50.220: BGP(1): Revise route installing 2001:DB9:121:1::/64 -> 2001:DB9:121:100::1 (::) to main IPv6 table *Dec 13 15:06:50.220: BGP(1): Revise route installing 2001:DB9:121:100::/64 -> 2001:DB9:121:100::1 (::) to main IPv6 table *Dec 13 15:06:50.220: BGP(1): Revise route installing 2001:DB9:121:200::/64 -> 2001:DB9:121:100::1 (::) to main IPv6 table *Dec 13 15:06:50.220: BGP(1): Revise route installing 2001:DB9:121:300::/64 -> 2001:DB9:121:100::1 (::) to main IPv6 table
BGP on R2 put the routes for the advertised R1 connected interfaces - including the network containing the address for the R1 Loopback1 interface it was peering with - into the routing table. The routes had a next hop of the R1 Loopback1 interface. When these routes entered the routing table, they displaced the EIGRP routes for the same networks. A minute later when BGP walker ran again, there was no IGP (EIGRP) path to the next hop for those routes, so BGP removed them (as seen in the first 8 lines of the 'debug'). The routes were quickly replaced with the EIGRP routes as seen in the above "show ipv6 route ..." commands. Sixty seconds later when BGP walker ran again, the BGP routes were learned and now had a valid next hop as the IGP routes were in the routing table and BGP introduced the same routes - as seen in the last 4 lines of the above 'debug'. Every sixty seconds this repeated and flip-flopped the routes between EIGRP and BGP.
Knowing the problem, the fix was easy. Just use the existing 'route-map' to block the Loopback1 network from being advertised as a connected route. On R1, I used:
route-map BGPCONN deny 5 match ipv6 address PEER ! ipv6 access-list PEER permit ipv6 2001:DB9:121:100::/64 any
The complementary statements on R2 and a 'clear bgp ipv6 unicast *' had everything working perfectly!
The lesson learned just reinforced my original statement regarding redistribution - proceed with caution.
Posts
No comments :
Post a Comment