Sunday, June 30, 2013

VPN throughput CISCO886/887


Question:

I was looking for a document where the VPN throughput of the Cisco 886/887 router is listed.
Does anyone have something like that?

Answer:

Thursday, June 27, 2013

Checking on QoS


Question:


We have a router that does bandwidth limiting outbound:

...
class TAG-AF22
  set dscp af22
  bandwidth remaining percent 15
...

And inbound policing...

...
class QOS-TEST
  set dscp af11
  police cir 768000
   conform-action transmit
   exceed-action drop
...
Is there a way to show if these thresholds are ever being hit? For example, whether QOS-TEST or TAG-AF22 were ever throttled?


Answer:

On the interfaces where these policies are applied:

int xx
 service-policy {input|output} xxxx

show policy-map interface xx
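The counters that answer the question are in the per-class section of `show policy-map interface`: the queue's total drops for a class that uses `bandwidth`, and the policer's "exceeded" packets for a class that uses `police`. The Python below is an added example, not code from this thread or from Cisco: it walks that output and reports only the classes whose limit was actually hit. The sample output is constructed to resemble what an IOS router prints for the two classes in the question; it was not captured from the questioner's device, and the function names (`parse_policy_map`, `throttled_classes`) are this example's own. Switching platforms expose policer counters through different commands, so the regexes are written for router output.

```python
import re

# Constructed sample of `show policy-map interface` output (not captured from the
# questioner's device); the class names and policer rate match the question.
SAMPLE_OUTPUT = """\
GigabitEthernet0/1

  Service-policy output: WAN-OUT

    Class-map: TAG-AF22 (match-any)
      184230 packets, 120555680 bytes
      30 second offered rate 2000 bps, drop rate 0000 bps
      Match: access-group 122
      QoS Set
        dscp af22
          Packets marked 184230
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/317/0
      (pkts output/bytes output) 183913/120339200
      bandwidth remaining 15%

  Service-policy input: WAN-IN

    Class-map: QOS-TEST (match-all)
      9821 packets, 7402110 bytes
      30 second offered rate 0000 bps, drop rate 0000 bps
      Match: access-group 111
      QoS Set
        dscp af11
          Packets marked 9821
      police:
          cir 768000 bps, bc 24000 bytes
        conformed 9640 packets, 7260200 bytes; actions:
          transmit
        exceeded 181 packets, 141910 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps

    Class-map: class-default (match-any)
      40211 packets, 30100200 bytes
      30 second offered rate 1000 bps, drop rate 0000 bps
      Match: any
"""

POLICY_RE = re.compile(r"Service-policy (input|output): (\S+)")
CLASS_RE = re.compile(r"Class-map: (\S+)")
QUEUE_RE = re.compile(r"\(queue depth/total drops/no-buffer drops\)\s+(\d+)/(\d+)/(\d+)")
EXCEEDED_RE = re.compile(r"exceeded (\d+) packets")


def parse_policy_map(text):
    """Map (policy, class) -> the counters that show the class was actually limited."""
    stats = {}
    policy = cls = None
    for line in text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            policy = f"{m.group(2)} ({m.group(1)})"
            continue
        m = CLASS_RE.search(line)
        if m:
            cls = m.group(1)
            stats[(policy, cls)] = {"queue_drops": 0, "police_exceeded": 0}
            continue
        if cls is None:
            continue
        m = QUEUE_RE.search(line)
        if m:  # middle field: packets dropped from the class queue (bandwidth/shaping)
            stats[(policy, cls)]["queue_drops"] += int(m.group(2))
            continue
        m = EXCEEDED_RE.search(line)
        if m:  # packets over the policer's CIR; with exceed-action drop these were discarded
            stats[(policy, cls)]["police_exceeded"] += int(m.group(1))
    return stats


def throttled_classes(stats):
    """Only the classes whose threshold was ever hit."""
    return {k: v for k, v in stats.items() if v["queue_drops"] or v["police_exceeded"]}


if __name__ == "__main__":
    for (policy, cls), c in throttled_classes(parse_policy_map(SAMPLE_OUTPUT)).items():
        print(f"{policy:>18} {cls:<14} queue drops={c['queue_drops']} "
              f"policer exceeded={c['police_exceeded']}")
```

Run against a saved copy of the command output (for example one collected on a schedule), the non-zero counters tell you the class was throttled at some point since the counters were last cleared; a class with zero drops and zero exceeded packets, like class-default above, never reached its limit.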

Wednesday, June 26, 2013

Unstable 877 on ADSL 2+


Question:

I'm based in the UK and have had a new ADSL line put into a remote site by BT (British Telecom). It is an ADSL 2+ line and I have configured it as a VPN back to our site. All is working but the line is unstable: it goes down for 20 seconds every 20 mins or so, sometimes longer or less, quite random, and this also happens if I take the VPN config off. I phoned BT and they said they don't support Cisco 877s or 1800s that use the Alcatel chipset and said we should get rid of using Cisco (what!!). Anyway, is there a workaround, do I need to update my ADSL modem firmware (not sure how you do this), or are they right?

Some info:

Show flash

Directory of flash:/

    2  -rwx    21910432   Mar 1 2002 00:22:01 +00:00  c870-advipservicesk9-mz.124-24.T8.bin
    3  -rwx         660  Jun 11 2013 10:19:32 +01:00  vlan.dat

27611136 bytes total (5693440 bytes free)

Show version

Cisco 877 (MPC8272) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FGL153224W1
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
28672K bytes of processor board System flash (Intel Strataflash)


sh dsl int atm 0
ATM0
Alcatel 20190 chipset information
                        ATU-R (DS)                  ATU-C (US)
Modem Status:           Showtime (DMTDSL_SHOWTIME)
DSL Mode:               ITU G.992.5 (ADSL2+) Annex A
ITU STD NUM:            0x03                        0x3
Chip Vendor ID:         'STMI'                      'TSTC'
Chip Vendor Specific:   0x0000                      0x0510
Chip Vendor Country:    0x0F                        0xB5
Modem Vendor ID:        'CSCO'                      'TSTC'
Modem Vendor Specific:  0x0000                      0x5100
Modem Vendor Country:   0xB5                        0xB5
Serial Number Near:     FGL153224W 877-K9   12.4
Serial Number Far:
Chip ID:                C196P (1)
DFE BOM:                DFE3.0 Annex A (1)
Capacity Used:          100%                        100%
Noise Margin:           5.5 dB                      5.0 dB
Output Power:           20.5 dBm                    12.5 dBm
Attenuation:            36.0 dB                     19.0 dB
FEC ES Errors:          758                         307359
ES Errors:              3                           27923
SES Errors:             1                           3272
LOSES Errors:           1                           2315
UES Errors:             0                           1667
Defect Status:          None                        None
Last Fail Code:         None
Watchdog Counter:       0x11
Watchdog Resets:        0
Selftest Result:        0x00
Subfunction:            0x00
Interrupts:             23720321 (0 spurious)
PHY Access Err:         0
Activations:            149
LED Status:             ON
LED On Time:            100
LED Off Time:           100
Init FW:                init_AMR-3.0.014_no_bist.bin
Operation FW:           AMR-3.0.014.bin
FW Source:              embedded
FW Version:             3.0.14

                        DS Channel1   DS Channel0   US Channel1   US Channel0
Speed (kbps):                     0         13444             0           804
Cells:                            0         10347             0       1445512
Reed-Solomon EC:                  0          8991             0       4347917
CRC Errors:                       0             3             0        161230
Header Errors:                    0             3             0        257708
Total BER:                     0E-0       1098E-9
Leakage Average BER:           0E-0       1098E-9
Interleave Delay:                 0             8             0            63
                        ATU-R (DS)    ATU-C (US)
Bitswap:                enabled       enabled
Bitswap success:        0             0

LOM Monitoring : Disabled


Answer:

adsl_alc_20190_0.0.026.bin is the FW you want. This has been specifically designed for the DSLAMs in the UK.
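Before swapping firmware it is worth reading the link statistics in the question mechanically, so the same check can be repeated after the change. The Python below is an added example, not from this thread or from Cisco: it parses the rows of the questioner's `sh dsl int atm 0` output that bear on stability (the rows are copied from the output above) and lists what a first triage would look at. The thresholds (a 6 dB minimum noise margin, more than 10 activations) are assumptions chosen for this example, not vendor or BT guidance, and the Activations counter is read here as the number of times the line has trained up. The function names are this example's own.

```python
import re

# The stability-related rows of the questioner's `sh dsl int atm 0` output, copied
# from this thread (downstream column first, upstream second).
DSL_OUTPUT = """\
Modem Status:           Showtime (DMTDSL_SHOWTIME)
DSL Mode:               ITU G.992.5 (ADSL2+) Annex A
Noise Margin:           5.5 dB                      5.0 dB
Attenuation:            36.0 dB                     19.0 dB
ES Errors:              3                           27923
SES Errors:             1                           3272
LOSES Errors:           1                           2315
UES Errors:             0                           1667
Activations:            149
FW Version:             3.0.14
"""

# Thresholds are this example's assumptions for a first triage, not vendor guidance.
MIN_MARGIN_DB = 6.0
MAX_ACTIVATIONS = 10


def parse_dsl(text):
    """Return {field: [values]}; two-column rows yield [downstream, upstream]."""
    stats = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, rest = line.partition(":")
        # columns in this output are separated by runs of spaces, values may contain one space ("5.5 dB")
        stats[key.strip()] = re.split(r"\s{2,}", rest.strip())
    return stats


def _num(value):
    """'5.5 dB' -> 5.5, '27923' -> 27923.0"""
    return float(value.split()[0])


def in_showtime(stats):
    """True when the modem reports it is trained and passing traffic."""
    return stats["Modem Status"][0].startswith("Showtime")


def assess_line(stats):
    """Findings that point at an unstable line rather than at the VPN on top of it."""
    findings = []
    for direction, idx in (("downstream", 0), ("upstream", 1)):
        margin = _num(stats["Noise Margin"][idx])
        if margin < MIN_MARGIN_DB:
            findings.append(f"{direction} noise margin {margin} dB is below {MIN_MARGIN_DB} dB")
        # LOSES: loss-of-signal errored seconds; any count means the signal dropped at least once
        loses = int(_num(stats["LOSES Errors"][idx]))
        if loses:
            findings.append(f"{direction} counted {loses} loss-of-signal seconds")
    activations = int(_num(stats["Activations"][0]))
    if activations > MAX_ACTIVATIONS:
        findings.append(f"{activations} activations since boot: the line keeps retraining")
    return findings


if __name__ == "__main__":
    stats = parse_dsl(DSL_OUTPUT)
    print("in showtime:", in_showtime(stats), "firmware:", stats["FW Version"][0])
    for finding in assess_line(stats):
        print("-", finding)
```

On the output in the question this reports low margin in both directions, loss-of-signal seconds in both directions and 149 activations, which is consistent with the 20-minute drops the questioner describes and gives a baseline to compare against once the firmware has been changed.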

Tuesday, June 25, 2013

What is faster, routing or NAT?


Question:

I've heard an opinion that routing works faster than NAT, but I can't find any information proving this. For example, if I have several NAT connections on my way to the ISP, it will slow web browsing. Is it true?

My second question is about the router's resources. I'm almost sure that NAT takes more resources than routing. Confirm it, if it's correct.

Answer:

The concept of "speed", i.e. what is "faster", is somewhat vague, and it is really difficult to compare the NAT to the routing because they fulfill essentially different functions.

Routing is primarily concerned with lookups - trying to find a matching entry in a routing table. Nowadays, in software-based routers, this is done by creating a prefix tree index over a routing table, performing a longest prefix match in this tree and using the located information to forward the packet (Cisco calls this the CEF). Apart from decreasing the TTL in the packet header and recomputing the header checksum, no more work over a packet is required. In hardware-based routers, the lookup is done in specialized hardware and always within a constant time.

NAT is concerned with lookups in the translation table (exact match, as opposed to prefix-based match during routing) and packet modification. In the case of NAT, you perform a lookup into the translation table to know how to modify the addressing fields of the packet header, optionally the segment header, and in several cases, you also inspect the payload to perform L7 NAT (for example rewriting address/port numbers in FTP or SIP communication). Especially if the NAT needs to modify the packet payload, this can get complicated. After all this modification, several checksums have to be updated as well (L4 segment checksum, L3 packet header checksum, possibly L7 checksum if the application uses any checksums itself).

The complexity of the NAT appears to be higher but from the viewpoint of the number of operations when rewriting pure L3 headers in a static 1:1 mapping, there may be fewer operations than if routing a packet over a routing table containing tens of thousands of entries.

What I am saying is that the answer to your question depends strongly on how the NAT and routing code is implemented and how complex the NAT and routing configuration is.

What can be said with certainty - a router performing only routing will be loaded less than a router that performs both NAT and routing. Please note that there is no such thing as a router performing NAT without routing. That is why I find comparing the complexity of the routing to the complexity of NAT to be somewhat inappropriate. You can't have NAT without routing, so why ask which one of them is "faster"?
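As an added illustration of the two workloads the answer describes (this is not code from the thread), the Python below pushes a constructed IPv4 header through both: routing does a longest-prefix match, decrements the TTL and patches the header checksum; NAT does an exact-match lookup on the source address, rewrites it and patches the checksum; and `forward_with_nat` shows that the translated packet is still routed afterwards. Addresses come from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), not from the thread, the FIB and NAT table are constructed, and the L4 checksum update the answer mentions is left out so the header handling stays in view.

```python
import ipaddress
import struct

# Constructed sample values (documentation ranges), not from the thread.
INSIDE_HOST = "192.0.2.10"
INSIDE_GLOBAL = "203.0.113.1"
REMOTE = "198.51.100.7"


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def build_ipv4_header(src, dst, ttl=64, proto=1):
    """20-byte IPv4 header (no options) with a valid checksum, RFC 791 layout."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = (~ones_complement_sum(fields)) & 0xFFFF
    return fields[:10] + struct.pack("!H", csum) + fields[12:]


def checksum_ok(header: bytes) -> bool:
    """A receiver's check: the sum over the whole header, checksum included, is all ones."""
    return ones_complement_sum(header) == 0xFFFF


def addresses(header: bytes):
    """(src, dst) of a raw header as dotted strings."""
    return str(ipaddress.IPv4Address(header[12:16])), str(ipaddress.IPv4Address(header[16:20]))


def incremental_checksum(old_csum, old_words, new_words):
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'); only the rewritten 16-bit words are revisited."""
    total = (~old_csum) & 0xFFFF
    for m, m_new in zip(old_words, new_words):
        total += ((~m) & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


# --- routing: longest-prefix match plus TTL decrement ------------------------
FIB = [  # constructed forwarding table
    (ipaddress.ip_network("203.0.113.0/24"), "203.0.113.254"),
    (ipaddress.ip_network("192.0.2.0/24"), "directly connected"),
    (ipaddress.ip_network("0.0.0.0/0"), "198.51.100.1"),
]


def route(header: bytes):
    """Return (next hop, forwarded header). The lookup is a longest-prefix match, not an exact one."""
    dst = ipaddress.IPv4Address(header[16:20])
    nexthop = next(nh for net, nh in sorted(FIB, key=lambda e: -e[0].prefixlen) if dst in net)
    ttl, proto = header[8], header[9]
    old_word = (ttl << 8) | proto          # TTL and protocol share one 16-bit word
    new_word = ((ttl - 1) << 8) | proto
    csum = incremental_checksum(struct.unpack("!H", header[10:12])[0], [old_word], [new_word])
    return nexthop, header[:8] + bytes([ttl - 1, proto]) + struct.pack("!H", csum) + header[12:]


# --- NAT: exact-match translation plus header rewrite ------------------------
NAT_TABLE = {INSIDE_HOST: INSIDE_GLOBAL}  # static 1:1 inside-local -> inside-global


def nat_outbound(header: bytes):
    """Exact lookup on the source address, then rewrite it and patch the checksum."""
    src = str(ipaddress.IPv4Address(header[12:16]))
    if src not in NAT_TABLE:
        return header                      # no translation entry: packet passes unchanged
    new_src = ipaddress.IPv4Address(NAT_TABLE[src]).packed
    old_words = struct.unpack("!HH", header[12:16])
    new_words = struct.unpack("!HH", new_src)
    csum = incremental_checksum(struct.unpack("!H", header[10:12])[0], old_words, new_words)
    return header[:10] + struct.pack("!H", csum) + new_src + header[16:]


def forward_with_nat(header: bytes):
    """NAT never stands alone: translate, then route the translated packet."""
    return route(nat_outbound(header))


if __name__ == "__main__":
    pkt = build_ipv4_header(INSIDE_HOST, REMOTE)
    nh, out = forward_with_nat(pkt)
    print("next hop", nh, "src/dst", addresses(out), "ttl", out[8], "checksum ok", checksum_ok(out))
```

The checksum arithmetic is the part that makes both operations cheap per packet: neither path re-sums the whole header, and the NAT path only touches two extra words for the address rewrite. A real NAT also patches the TCP or UDP checksum, which covers the addresses through the pseudo-header, and that is the work the answer counts on top of routing.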

Monday, June 24, 2013

Cisco 881 WAN issue


Question:

I have no access to the WAN with my Cisco 881 (Cisco 881 SEC K9; IOS 15.0(1)M8). The 881 is in PPPoE.

I followed the discussion: https://supportforums.cisco.com/message/3465409#3465409.

I think my config is almost the same...

But unfortunately I can't ping 8.8.8.8, for example, from the router.
In the PPP log I saw the login to the ISP succeed and it receives an IP address.

This is my config:

ip source-route
!
!
ip dhcp excluded-address 192.168.9.1 192.168.9.99
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.9.0 255.255.255.0
   default-router 192.168.9.1
!
!
ip cef
ip name-server 8.8.8.8
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FCZ161991C1
!
!
username pcu privilege 15 secret 5 xxxx.
!
!
!
!
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
pppoe-client dial-pool-number 1
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.9.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Dialer0
ip address dhcp client-id FastEthernet4
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxx
ppp chap password 7 xxx
ppp pap sent-username xxx@SKYNET password 7 xxx
no cdp enable
!
!
router rip
network 192.168.9.0
no auto-summary
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.9.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run


!
!
!
!
!
control-plane
!
!
=====================================================
Pierre#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer0
      192.168.9.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.9.0/24 is directly connected, Vlan1
L        192.168.9.1/32 is directly connected, Vlan1

Answer:

Please use "ip address negotiated" under interface Dialer0 instead of "ip address dhcp client-id FastEthernet4".
Please use "ip mtu 1492" instead of 1452.

Are you getting a valid IP address on the dialer after making those changes?
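The two changes in the answer are the kind of thing a small configuration check can catch before the router is shipped to a site. The Python below is an added example, not from this thread or from Cisco: it splits an IOS configuration into interface blocks and lints the PPPoE dialer for the settings the answer names, then runs on a trimmed copy of the questioner's 881 config and on the same config with the answer's two fixes applied. The MSS rule (clamp must not exceed MTU minus 40 bytes of IPv4 and TCP headers) is this example's assumption for the no-options case, and the function names are its own.

```python
# Trimmed copy of the questioner's 881 config from this thread (sub-command indentation
# restored), followed by the same interfaces with the answer's two fixes applied.
BROKEN_CONFIG = """\
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 no ip address
 ip tcp adjust-mss 1412
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address dhcp client-id FastEthernet4
 ip mtu 1452
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
!
"""

FIXED_CONFIG = BROKEN_CONFIG.replace(
    " ip address dhcp client-id FastEthernet4", " ip address negotiated"
).replace(" ip mtu 1452", " ip mtu 1492")

PPPOE_MTU = 1492  # the value the answer recommends: 1500 minus 8 bytes of PPPoE+PPP overhead


def parse_interfaces(config):
    """Split an IOS config into {interface name: [sub-commands]}; tolerant of lost indentation."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None                 # "!" closes the block, as in the running config
        elif current is not None:
            blocks[current].append(line)
    return blocks


def lint_pppoe(config, expected_mtu=PPPOE_MTU):
    """Flag dialer settings that keep a PPPoE client from getting a usable WAN address."""
    findings = []
    interfaces = parse_interfaces(config)
    for name, cmds in interfaces.items():
        if not name.startswith("Dialer"):
            continue
        if "ip address negotiated" not in cmds:
            addr = [c for c in cmds if c.startswith("ip address")]
            findings.append(f"{name}: expected 'ip address negotiated', found {addr or 'none'}")
        mtu = next((int(c.split()[2]) for c in cmds if c.startswith("ip mtu ")), None)
        if mtu != expected_mtu:
            findings.append(f"{name}: ip mtu {mtu} should be {expected_mtu}")
        if "encapsulation ppp" not in cmds:
            findings.append(f"{name}: missing 'encapsulation ppp'")
    # Assumption: an MSS clamp must leave 40 bytes for IPv4+TCP headers inside the dialer MTU.
    for name, cmds in interfaces.items():
        for c in cmds:
            if c.startswith("ip tcp adjust-mss "):
                mss = int(c.split()[3])
                if mss > expected_mtu - 40:
                    findings.append(f"{name}: adjust-mss {mss} exceeds {expected_mtu - 40}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", BROKEN_CONFIG), ("with the answer's fixes", FIXED_CONFIG)):
        print(label + ":", lint_pppoe(cfg) or "no findings")
```

On the posted config the check reports exactly the two items in the answer (the DHCP address on Dialer0 and the 1452 MTU); on the corrected config it reports nothing. The existing `ip tcp adjust-mss 1412` on FastEthernet4 passes because it is below the 1452-byte limit that 1492 leaves for TCP payload.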

Sunday, June 23, 2013

Sub interface NAT problem


Question:

I have the following on an 1841.

PPPoE on Fast0/0 works fine and picks up the ISP address.

I have assigned one of the /29 addresses to fast0/1.2 and created a LAN on fast0/1.1 using the native VLAN.

I can ping the /29 address from the internet and also ping the internal address from the LAN.

I added a NAT statement (inside and outside on each sub-interface).

I cannot connect from the 192.168.199.0/24 network out via NAT. Is this possible with subinterfaces?

vpdn enable

!
interface FastEthernet0/0
description PPPOE WAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.199.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 81.143.105.77 255.255.255.248
ip nat outside
ip virtual-reassembly
!
!
interface Dialer1
ip address negotiated
no ip unreachables
ip mtu 1492
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname ******
ppp chap password 0 *****
!
ip route 0.0.0.0 0.0.0.0 Dialer1 2


ip nat inside source list 10 interface FastEthernet0/1.2 overload
!
access-list 10 permit 192.168.199.0 0.0.0.255
dialer-list 1 protocol ip permit

Answer:

I have the following:



I think this is what you want to do? Anything from inside (Client_Inside) will be translated to 2.2.2.1 when I try to ping R2, which has a loopback of 1.1.1.1.

So all packets that are generated from the inside will be translated with a source address of 2.2.2.1. I have added a route for 2.2.2.1 back to R1 where the loopback exists.

Here are the configs:
CLIENT_INSDIE#show run
Building configuration...

Current configuration : 827 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CLIENT_INSDIE
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface FastEthernet0/0
ip address dhcp
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end     

CLIENT_INSDIE#
CLIENT_INSDIE#show ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            20.0.0.101      YES DHCP   up                    up    
FastEthernet0/1            unassigned      YES unset  administratively down down  

=======================================================================

R1#show run
Building configuration...

*Mar  1 00:41:27.515: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 1323 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 20.0.0.0 20.0.0.100
!
ip dhcp pool 1
   network 20.0.0.0 255.255.255.0
   default-router 20.0.0.1
!
!
no ip domain lookup
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
interface Loopback0
ip address 2.2.2.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 20.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
!
no ip http server
no ip http secure-server
ip nat pool test 2.2.2.1 2.2.2.1 netmask 255.255.255.252
ip nat inside source list 100 pool test overload
!
access-list 100 permit ip 20.0.0.0 0.0.0.255 any
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.0.2 to network 0.0.0.0

     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.1 is directly connected, Loopback0
     20.0.0.0/24 is subnetted, 1 subnets
C       20.0.0.0 is directly connected, FastEthernet0/1
     10.0.0.0/30 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.0.0.2

=======================================================================

R2#show run
Building configuration...

Current configuration : 934 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
no ip domain lookup
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.0.0.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 2.2.2.1 255.255.255.255 10.0.0.1
!
!
no ip http server
no ip http secure-server
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end


Now I will ping 1.1.1.1 from client router:

CLIENT_INSDIE#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/64 ms

=======================================================

R1#
*Mar  1 00:45:51.783: NAT*: s=20.0.0.101->2.2.2.1, d=1.1.1.1 [75]
*Mar  1 00:45:51.811: NAT*: s=1.1.1.1, d=2.2.2.1->20.0.0.101 [75]
*Mar  1 00:45:51.847: NAT*: s=20.0.0.101->2.2.2.1, d=1.1.1.1 [76]
*Mar  1 00:45:51.867: NAT*: s=1.1.1.1, d=2.2.2.1->20.0.0.101 [76]
*Mar  1 00:45:51.887: NAT*: s=20.0.0.101->2.2.2.1, d=1.1.1.1 [77]
*Mar  1 00:45:51.911: NAT*: s=1.1.1.1, d=2.2.2.1->20.0.0.101 [77]
*Mar  1 00:45:51.931: NAT*: s=20.0.0.101->2.2.2.1, d=1.1.1.1 [78]
*Mar  1 00:45:51.947: NAT*: s=1.1.1.1, d=2.2.2.1->20.0.0.101 [78]
*Mar  1 00:45:51.975: NAT*: s=20.0.0.101->2.2.2.1, d=1.1.1.1 [79]
*Mar  1 00:45:51.995: NAT*: s=1.1.1.1, d=2.2.2.1->20.0.0.101 [79]
R1#
*Mar  1 00:46:19.939: NAT: expiring 2.2.2.1 (20.0.0.101) icmp 14 (14)

R1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 2.2.2.1:13        20.0.0.101:13      1.1.1.1:13         1.1.1.1:13

=======================================================

R2#
*Mar  1 00:45:24.731: IP: tableid=0, s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1 (Loopback1), routed via RIB
*Mar  1 00:45:24.735: IP: s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1, len 100, rcvd 4
*Mar  1 00:45:24.735: IP: tableid=0, s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), routed via FIB
*Mar  1 00:45:24.735: IP: s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), len 100, sending
*Mar  1 00:45:24.799: IP: tableid=0, s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1 (Loopback1), routed via RIB
*Mar  1 00:45:24.799: IP: s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1, len 100, rcvd 4
*Mar  1 00:45:24.799: IP: tableid=0, s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), routed via FIB
*Mar  1 00:45:24.799: IP: s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), len 100, sending
*Mar  1 00:45:24.855: IP: tableid=0, s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1 (Loopback1), routed via RIB
*Mar  1 00:45:24.855: IP: s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1, len 100, rcvd 4
*Mar  1 00:45:24.855: IP: tableid=0, s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), routed via FIB
*Mar  1 00:45:24.855: IP: s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), len 100, sending
*Mar  1 00:45:24.895: IP: tableid=0, s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1 (Loopback1), routed via RIB
*Mar  1 00:45:24.895: IP: s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1, len 100, rcvd 4
*Mar  1 00:45:24.895: IP: tableid=0, s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), routed via FIB
*Mar  1 00:45:24.895: IP: s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), len 100, sending
*Mar  1 00:45:24.939: IP: tableid=0, s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1 (Loopback1), routed via RIB
*Mar  1 00:45:24.939: IP: s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1, len 100, rcvd 4
*Mar  1 00:45:24.939: IP: tableid=0, s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), routed via FIB
*Mar  1 00:45:24.939: IP: s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), len 100, sending

So we are NATing the source to 2.2.2.1, which is not on the physical interface. You can also do this for a sub-interface.
Is this what you were trying to do?

Thursday, June 20, 2013

OSPF Routes listed and Type-5 AS External not in routing table


Question:

I have several remote routers running OSPF (not Cisco). At one remote location I have a static route to a network behind a firewall (66.62.x.x, as shown below) that I am redistributing into OSPF. The static route traverses my entire non-Cisco network as OSPF without issue.

However, once it hits the Cisco routers (7206VXRs) it shows up as a Type-5 AS External link; if I do a "show ip ospf database" it is at the bottom of the list. However, it does not make it to my OSPF routing table, and thus I am having to use static routes for this 66.62.x.x/27 network to get it to route from the internet to the remote location around 7 hops away.


Router#show ip ospf database

Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#        Checksum    Tag
66.62.x.x       10.10.10.x      223         0x80xxxx    0x0xxxxx


Any thoughts as to how to get these routes into my OSPF routing table from the OSPF database on my 7206s?


Answer:

I just realized after I posted the previous message that the route installed in the routing table is most probably the static route (66.62.x.x/27) that you referred to in your initial post. Could you try removing that static route to see if the OSPF external routes will install?

Administrative Distance and BGP Path Selection Process


Question:

I was looking at the BGP path selection criteria (weight, local_pref, MED, etc.) and I noticed that the seventh attribute considered is whether the prefix was learned from eBGP or iBGP. But the Administrative Distance for eBGP is 20, versus 200 for iBGP, and doesn't AD trump everything in the route selection process? So shouldn't eBGP vs. iBGP be the very first attribute considered in the BGP path selection process? It seems like a contradiction to me.


Answer:

I came across this question before (I questioned this too) but found Brian McGahan's answer, which is a good one in my opinion....

"Actually it doesn’t come into play at all. iBGP and EBGP distances are never compared for the same prefix. The distance only comes in when you’re comparing BGP to another protocol, like iBGP to EIGRP, or EBGP to OSPF. In the BGP Bestpath Selection you prefer External (EBGP) over Internal (iBGP) routes, but changing the distance doesn’t affect this. For example if you set the iBGP distance to 19 (lower than EBGP), the bestpath selection will still choose the EBGP route over the iBGP route, assuming that everything is equal up until that point (weight, local pref, as-path, origin, med, etc.)"

AD only comes into play when receiving the same prefix from different routing processes, and iBGP as well as eBGP are BGP.
In this case the BGP router will choose the best path to install in the RIB following the best path selection algorithm:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml
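The two answers above (the OSPF Type-5 route that never installs because a static route for the same prefix exists, and the question of why eBGP-versus-iBGP sits so late in the bestpath list) are the same mechanism seen from two sides: each protocol first picks one candidate per prefix by its own rules, and only then does the RIB compare candidates from different protocols by administrative distance. The Python below is an added example, not from either thread or from Cisco, with a deliberately simplified bestpath (weight, local preference, AS-path length, origin, MED, eBGP over iBGP, in that order) and a RIB selector that uses Cisco's default distances. The 66.62.0.0/27 prefix stands in for the masked 66.62.x.x/27 of the OSPF question, and all other prefixes, next hops and path attributes are constructed.

```python
# Cisco default administrative distances (the BGP thread quotes eBGP 20 and iBGP 200).
DEFAULT_AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90,
              "ospf": 110, "rip": 120, "ibgp": 200}
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


def bgp_bestpath(paths):
    """Simplified bestpath in the order the thread lists: weight, local-pref, AS-path length,
    origin, MED, then eBGP over iBGP. Distance is deliberately absent: it is not an input."""
    def rank(p):
        return (-p["weight"], -p["local_pref"], len(p["as_path"]),
                ORIGIN_RANK[p["origin"]], p["med"], 0 if p["type"] == "ebgp" else 1)
    return min(paths, key=rank)


def rib_install(candidates, ad=DEFAULT_AD):
    """One route per prefix: lowest AD wins across protocols; metric only breaks ties within one."""
    best = {}
    for prefix, proto, metric, nexthop in candidates:
        rank = (ad[proto], metric)
        if prefix not in best or rank < best[prefix][0]:
            best[prefix] = (rank, proto, nexthop)
    return {p: (proto, nh) for p, (_, proto, nh) in best.items()}


# --- OSPF thread: static route vs redistributed external for the same prefix ---
OSPF_PREFIX = "66.62.0.0/27"   # constructed stand-in for the masked 66.62.x.x/27
OSPF_CANDIDATES = [
    (OSPF_PREFIX, "static", 0, "10.0.0.2"),       # the static route the answer suspects
    (OSPF_PREFIX, "ospf", 20, "10.10.10.1"),      # the Type-5 route from the database
]


def ospf_installed(with_static=True):
    """Which protocol's route for the prefix lands in the RIB, with or without the static."""
    cands = OSPF_CANDIDATES if with_static else [c for c in OSPF_CANDIDATES if c[1] != "static"]
    return rib_install(cands)[OSPF_PREFIX][0]


# --- BGP thread: eBGP and iBGP paths for one prefix, then the RIB ------------
BGP_PATHS = [  # identical attributes up to the eBGP/iBGP step
    {"type": "ibgp", "weight": 0, "local_pref": 100, "as_path": [65001],
     "origin": "igp", "med": 0, "nexthop": "10.1.1.1"},
    {"type": "ebgp", "weight": 0, "local_pref": 100, "as_path": [65001],
     "origin": "igp", "med": 0, "nexthop": "10.2.2.2"},
]


def bgp_to_rib(prefix, paths, ospf_metric=None, ad=DEFAULT_AD):
    """BGP submits only its bestpath; AD then decides against other protocols' routes.
    Returns (type of the BGP bestpath, protocol whose route the RIB installed)."""
    best = bgp_bestpath(paths)
    cands = [(prefix, best["type"], 0, best["nexthop"])]
    if ospf_metric is not None:
        cands.append((prefix, "ospf", ospf_metric, "10.3.3.3"))
    return best["type"], rib_install(cands, ad)[prefix][0]


if __name__ == "__main__":
    print("with static:", ospf_installed(True), "| static removed:", ospf_installed(False))
    low_ibgp = dict(DEFAULT_AD, ibgp=19)   # McGahan's example: iBGP distance below eBGP
    print("bestpath at default AD:", bgp_bestpath(BGP_PATHS)["type"])
    print("bestpath with iBGP AD 19:", bgp_to_rib("10.9.0.0/16", BGP_PATHS, 30, low_ibgp))
```

`ospf_installed` reproduces the OSPF answer: the static route (distance 1) shadows the redistributed external (distance 110) until it is removed. `bgp_to_rib` reproduces the quoted point: changing the iBGP distance to 19 never alters which path BGP prefers, because `bgp_bestpath` does not look at distance at all; distance only matters once that single bestpath meets an OSPF route for the same prefix in the RIB.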

Tuesday, June 18, 2013

eBGP Peering through an ASA problem


Question:

I'm having an issue setting up an eBGP peering through an ASA in GNS3 (implementing this on my production equipment in the near future) and can't seem to figure out the problem. If I connect these two routers through the ASA, the peering fails. If I connect the two routers directly and change the static routes to point to the new next hops, it works. So I'm inclined to think my ASA is preventing the BGP connection from establishing. There are some additional configuration items in the configs below that aren't necessarily pertinent to this problem, as the ultimate goal for this project is to set up BGP over GRE over IPsec using a 6500 & ASA on my end, and a router on their end (presumably using VTI IPsec protection profiles).. but I'm just starting off with getting the BGP peering up. And I'm not even totally sure if I'm doing that properly (or if this is possible).. Unfortunately it's been a little while since I've worked with these technologies and I'm a bit lost..

Topology:                 R1 -------------------- ASA -------------------------- R2


Router1#sh run
Building configuration...


Current configuration : 1788 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 critical
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
no ip domain lookup
ip domain name lab.local


!
interface Loopback0
ip address 10.217.81.25 255.255.255.248
!
interface Tunnel1
description GRE-TUNNEL-1
ip address 192.168.101.10 255.255.255.252
tunnel source Loopback0
tunnel destination 10.174.171.12
!
interface FastEthernet0/0
ip address 10.217.81.22 255.255.255.248
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.2.2.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
!
router bgp 2
no synchronization
bgp log-neighbor-changes
network 10.2.2.0 mask 255.255.255.0
neighbor 10.174.171.12 remote-as 1
neighbor 10.174.171.12 ebgp-multihop 25
neighbor 10.174.171.12 update-source Loopback0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.217.81.17
ip route 10.174.171.0 255.255.255.0 10.217.81.17
!
!
no ip http server
no ip http secure-server
!
ip access-list standard BGP-ROUTES
permit 0.0.0.0
!
!
route-map BGP-ROUTES permit 10
match ip address BGP-ROUTES
!
<omitted>
!
!
end


---------------


ASA# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ASA
!
interface GigabitEthernet0
nameif inside
security-level 100
ip address 10.217.81.17 255.255.255.248
!
<omitted>
!
interface GigabitEthernet5
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0
!
ftp mode passive
object network VPN-DYNAMIC-HOSTS
subnet 10.251.0.0 255.255.240.0
object network VPN-STATIC-HOSTS
subnet 10.251.4.0 255.255.255.0
object network obj-10.217.81.25-32
host 10.217.81.25
description Catalyst 6513 Loopback0
object network obj-10.174.171.12-32
host 10.174.171.12
description ISP
access-list VPN-ACL extended permit ip any 10.251.0.0 255.255.240.0
access-list VPN-ACL extended permit tcp host 10.217.81.25 host 10.174.171.13 eq bgp
access-list VPN-ACL extended permit tcp host 10.217.81.25 host 10.174.171.12 eq bgp
access-list VPN-ACL extended permit ip any 10.251.4.0 255.255.255.0
access-list inside-out extended permit tcp any host 10.174.171.12 eq bgp
access-list inside-out extended permit ip any any
access-list outside-acl extended permit ip any any
!
tcp-map OPTION-19
  tcp-options range 19 19 allow
!
pager lines 24
logging enable
logging buffer-size 10240
logging buffered critical
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside-acl out interface inside
access-group inside-out out interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
route inside 10.2.2.0 255.255.255.0 10.217.81.22 1
route outside 10.174.171.0 255.255.255.0 10.1.1.2 1
route inside 10.217.80.0 255.255.248.0 10.217.81.22 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set VPN-TSET esp-aes-256 esp-sha-hmac
crypto map outside_map 19 match address VPN-ACL
crypto map outside_map 19 set peer 10.174.171.12
crypto map outside_map 19 set ikev1 transform-set VPN-TSET
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 10.174.171.12 type ipsec-l2l
tunnel-group 10.174.171.12 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map BGP
match port tcp eq bgp
class-map INSPECT
match any
!
!
policy-map INSPECT
class INSPECT
  inspect icmp
class BGP
  set connection random-sequence-number disable
  set connection advanced-options OPTION-19
!
service-policy INSPECT global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:75f708fe7b6e1e46a7430d709c10b69a
: end


----------------------------


R2#sh run
Building configuration...


Current configuration : 1843 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 critical
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name lab.local
!
crypto keyring kr1
  pre-shared-key address 10.217.81.17 key cisco
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
crypto isakmp profile ikp1
   keyring kr1
   match identity address 10.217.81.17 255.255.255.255
!
!
crypto ipsec transform-set ts1 esp-aes esp-sha-hmac
!
crypto ipsec profile ip1
set transform-set ts1
set isakmp-profile ikp1
!
!
!
!
!
interface Loopback0
ip address 10.174.171.12 255.255.255.0
!
interface Loopback1
no ip address
!
interface Tunnel0
ip address 192.168.101.9 255.255.255.252
tunnel source Loopback0
tunnel destination 10.217.81.25
tunnel protection ipsec profile ip1
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.3.3.4 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
!
router bgp 1
no synchronization
bgp log-neighbor-changes
network 10.3.3.0 mask 255.255.255.0
neighbor 10.217.81.25 remote-as 2
neighbor 10.217.81.25 ebgp-multihop 25
neighbor 10.217.81.25 update-source Loopback0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 10.217.81.0 255.255.255.0 10.1.1.1
!
!
no ip http server
no ip http secure-server
!
<omitted>
end

-------------

I have been fiddling with the ACLs and some other things, but a syslog message that I'm getting on both ends looks like this (with different IPs based on the router):

*Mar  2 04:50:52.556: BGP: 10.217.81.25 open failed: Connection timed out; remote host not responding, open active delayed 32705ms (35000ms max, 28% jitter)


Answer:

There is a lot to look through here. But one of the things I am noticing is that the ASA is doing an inspect on BGP and I wonder if that is the issue. As a test, would you be able to remove the inspect for BGP from the ASA?