Cisco ASR BGP within the box question
hi all

just a short question (related to a quite new feature from cisco).
with the new cisco ASR software (15.0(1)S - released some days ago) it is able to do BGP on the same box.
we need this feature because we use the VASI interfaces to bring and filter traffic from one VRF to another VRF and performing firewalling (ZBF).

basically we have on the box:
[VRF_A via vasileft1]--[VRF_B via vasiright1]

and the box itself speaks BGP on VRF_B with some RR's:
[ASRBox] (RR) [anotherbox]

the fun part is, if you want to announce (e.g. 0.0.0.0/0) from VRF_B (announced from anotherbox) to VRF_A it should be possible now with that new feature.

according to BGP I need to configure the VRF_A peer as route-reflector-client so the routes from the anotherbox get reflected via RR to VRF_B.

but, it seems that the router itself needs to be tricked, since he thinks that both peers are in the same route-reflector cluster ("DENIED due to: reflected from the same cluster"):

Aug 2 13:35:03: BGP(0): 213.3.246.33 send UPDATE (format) 0.0.0.0/0, next 10.62.112.65, metric 0, path 44038 3303, extended community RT:65501:1702
Aug 2 13:35:03: BGP(0): 213.3.246.34 rcv UPDATE w/ attr: nexthop 10.62.112.65, origin i, localpref 250, metric 0, originator 10.62.112.65, clusterlist 10.62.112.79 10.62.112.17, merged path 44038 3303, AS_PATH , community
Aug 2 13:35:03: BGP(0): 213.3.246.34 rcv UPDATE about 0.0.0.0/0 -- DENIED due to: reflected from the same cluster;
Aug 2 13:35:03: BGP: 213.3.246.34 Modifying prefix 0.0.0.0/0 from 0 -> 4 address

so, this is my config:

interface vasileft1
 ip vrf forwarding VRF_A
 ip address 10.0.0.1 255.255.255.252
 zone-member security VASILEFT
!
interface vasiright1
 ip vrf forwarding VRF_B
 ip address 10.0.0.2 255.255.255.252
 zone-member security VASIRIGHT
!
router bgp 65501
 address-family ipv4 vrf IABIP-
  bgp router-id 10.0.0.1
  redistribute connected
  redistribute static
  neighbor 10.0.0.2 remote-as 65501
  neighbor 10.0.0.2 update-source vasileft1
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 send-community both
  neighbor 10.0.0.2 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf IACYP-
  import path selection multipaths
  bgp router-id 10.0.0.2
  redistribute connected
  redistribute static route-map SET-PREFIX-SoO
  neighbor 10.0.0.1 remote-as 65501
  neighbor 10.0.0.1 update-source vasiright1
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-community both
  neighbor 10.0.0.1 next-hop-self
 exit-address-family

what does not work:
- having another AS number on the same box (otherwise eBGP would be possible)
- client-to-client reflection
- magic stuff in route-map
- setting different cluster-id's for different address-families
- nothing found in the release notes: http://www.cisco.com/en/US/docs/ios/ios_xe/3/release/notes/asr1k_rn_3s_rel_notes.html

so, does anyone know a nice hidden command to disable this cluster-checking on a per-peer basis or so?

-steven
RE: [c-nsp] Cisco ASR BGP within the box question
thanks oliver, will try and keep you (and the list) updated.

-steven

-----Original Message-----
From: Oliver Boehmer (oboehmer) [mailto:oboeh...@cisco.com]
Sent: Tuesday, August 03, 2010 8:06 AM
To: Glogger Steven, SCS-NIT-NIO-PIO-DNW-NEO; cisco-...@puck.nether.net; nanog@nanog.org
Subject: RE: [c-nsp] Cisco ASR BGP within the box question

Steven,

> just a short question (related to a quite new feature from cisco).
> with the new cisco ASR software (15.0(1)S - released some days ago) it is
> able to do BGP on the same box.
> we need this feature because we use the VASI interfaces to bring and filter
> traffic from one VRF to another VRF and performing firewalling (ZBF).
>
> basically we have on the box:
> [VRF_A via vasileft1]--[VRF_B via vasiright1]
>
> and the box itself speaks BGP on VRF_B with some RR's:
> [ASRBox] (RR) [anotherbox]
>
> the fun part is, if you want to announce (e.g. 0.0.0.0/0) from VRF_B
> (announced from anotherbox) to VRF_A it should be possible now with that new
> feature.
>
> according to BGP I need to configure the VRF_A peer as route-reflector-
> client so the routes from the anotherbox get reflected via RR to VRF_B.
>
> but, it seems that the router itself needs to be tricked, since he thinks
> that both peers are in the same route-reflector cluster ("DENIED due to:
> reflected from the same cluster"):
>[...]
> so, does anyone know a nice hidden command to disable this cluster-checking
> on a per-peer basis or so?

I'm not aware of an enhancement to set the cluster-id on a per-vrf basis, it is currently global.. But you could turn this into an eBGP session using local-as, for example

router bgp 65501
 address-family ipv4 vrf IABIP-
  neighbor 10.0.0.2 remote-as 65502
  neighbor 10.0.0.2 local-as 65503 no-prepend replace-as
 address-family ipv4 vrf IACYP-
  neighbor 10.0.0.1 remote-as 65503
  neighbor 10.0.0.1 local-as 65502 no-prepend replace-as

not sure if this helps..

oli
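
Added example, not part of the original posts and not Cisco's implementation: a small model of the RFC 4456 receive-side checks applied to the debug line quoted in the thread, showing why the iBGP session between the two VRFs is denied and why an eBGP session, which does not carry ORIGINATOR_ID or CLUSTER_LIST, is not. The value of CLUSTER_ID is an assumption (the first clusterlist entry in the log is taken to be the box's global cluster-id); ROUTER_ID is the VRF_A `bgp router-id` from the posted config.

```python
import re

# Debug line copied from the first post in this thread.
LOG = ("Aug 2 13:35:03: BGP(0): 213.3.246.34 rcv UPDATE w/ attr: nexthop 10.62.112.65, "
       "origin i, localpref 250, metric 0, originator 10.62.112.65, "
       "clusterlist 10.62.112.79 10.62.112.17, merged path 44038 3303, AS_PATH , community")

ROUTER_ID = "10.0.0.1"       # bgp router-id of the VRF_A address family (from the post)
CLUSTER_ID = "10.62.112.79"  # ASSUMPTION: the box's global cluster-id

ATTR_RE = re.compile(r"originator (?P<orig>[\d.]+), clusterlist (?P<cl>[\d. ]+?),")

def parse_rr_attrs(line):
    """Extract ORIGINATOR_ID and CLUSTER_LIST from an IOS 'rcv UPDATE w/ attr' line."""
    m = ATTR_RE.search(line)
    if not m:
        return None, []
    return m.group("orig"), m.group("cl").split()

def advertise(originator, cluster_list, session, cluster_id):
    """Attributes as sent by a reflector: over iBGP it prepends its CLUSTER_ID;
    over eBGP the route-reflection attributes are not carried at all."""
    if session == "ebgp":
        return None, []
    return originator, [cluster_id] + list(cluster_list)

def rr_loop_check(originator, cluster_list, router_id, cluster_id):
    """Receive-side RFC 4456 loop checks; returns (accepted, reason)."""
    if originator == router_id:
        return False, "originator is our own router-id"
    if cluster_id in cluster_list:
        return False, "reflected from the same cluster"
    return True, "accepted"

if __name__ == "__main__":
    originator, clusters = parse_rr_attrs(LOG)
    # iBGP between the VRFs: the box sees its own cluster-id and drops the route.
    print("iBGP:", rr_loop_check(originator, clusters, ROUTER_ID, CLUSTER_ID))
    # eBGP (the local-as suggestion): no CLUSTER_LIST arrives, so the check passes.
    sent = advertise(originator, ["10.62.112.17"], "ebgp", CLUSTER_ID)
    print("eBGP:", rr_loop_check(*sent, ROUTER_ID, CLUSTER_ID))
```
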
Re: All Google Search Results: "This site may harm your computer."
seems to be a global problem. even here in switzerland...
i barely hear already "the internet is broken":)

-steven

> On 31.01.2009 at 16:02, "Adam Young" wrote:
>
>> Peter Beckman wrote:
>>> This morning whilst Googling, I got a bunch of "Permission Denied" to
>>> "/interstitial?..." URLs on Google.
>>>
>>> Then all my search results got listed as "This site may harm your
>>> computer."
>>>
>>> Is Google broken, or is the functionality of listing sites as broken,
>>> broken?
>>
>> Confirmed in Southern Ontario, Canada.
>>
>> --
>> Adam Young
RE: Blocking only Facebook Apps
hm.. have you tried to analyze how facebook implements those apps and just filter them out by some URL filters or so?

-steven

> -----Original Message-----
> From: Xaver Aerni [mailto:xae...@pop.ch]
> Sent: Wednesday, January 06, 2010 11:38 AM
> To: nanog@nanog.org
> Subject: Blocking only Facebook Apps
>
> Hello,
> We have different companies here, they would only block the Apps from Facebook.
> Facebook self could be open. It give a method to block only the Apps by
> firewall. If
> we haven't a method we must block facebook in different bigger companies...
> Greetings
> Xaver
>
> Xariffusion Informatik & Telecom
> Zürichstrasse 10a
> 8340 Hinwil
> Switzerland
> Tel. +41 43 843 7878
> +1 707 361 6839