Tshoot 300-135 (BGP & GRE)

Ticket #1
The eBGP neighborship is broken between R1 and R5.
Diagnose and resolve

#### Understand the problem
R1#show ip bgp neighbors
R1#show ip bgp neighbors 198.51.100.5
R1#ping 198.51.100.5
R1#show run | sec router bgp
R1#show arp
R1#show arp 198.51.100.5
R1#show ip int g1/0
#### Check vlans on R5
R5#show vlans
#### Check if there are any Layer 2 issues
SW#show interfaces gi2/0 trunk
SW#show run int g2/0
SW(config)#int g2/0
SW(config-if)#switchport trunk allowed vlan add 488

#### Check Layer 2 (MAC address)
SW#show mac address-table vlan 488
#### Tip. Turn off console logging if too much info on screen
SW(config)#no logging console
#### Remember to turn back on
SW(config)#logging console
#### Force R5 to use its own IP for BGP
R5(config)#router bgp 2711
R5(config-router)#no neighbor external update-source loopback 0
#### Activate BGP on R1
R1(config)#router bgp 53488
R1(config-router)#neighbor 198.51.100.5 activate

Ticket #2
R9’s loopback interface (9.9.9.9) can’t ping R2 (198.51.100.12)
Diagnose and resolve.
Do not modify or unassign any ACLs

#### Understand the problem
R9#ping 198.51.100.12 source 9.9.9.9
R9#show ip route 198.51.100.12

#### Go to the source and check
R2#show ip route 198.51.100.12

#### Check if the source router R2 has IP
R2#show ip int g0/0 | i address

#### Enter the correct IP & Mask
R2(config)#int g0/x
R2(config-if)# ip address 198.51.100.12 255.255.255.248
#### Is R9 advertising 9.9.9.9
R9#show ip bgp 9.9.9.9
#### Check if R9 has neighbor established 
R9#show ip bgp neighbors
#### Fix misconfiguration on R8
R8(config)#router bgp 3356
R8(config-router)#neighbor 192.0.2.9 activate
#### Verify that R8 is learning the prefix from R9
R8#show ip bgp 9.9.9.9
#### Check if R6 also has the prefix 9.9.9.9
R6#show ip bgp 9.9.9.9

#### Check if R6 has R1 prefix
R6#show ip bgp
R6#show ip bgp 198.51.100.8

#### Discovered R6 has no Next Hop from R5
#### Ping test
R6#ping 56.0.0.5
#### Discovered no Layer 2 problem

#### Check R6 neighbor
R6#show ip bgp neighbors 56.0.0.5
#### Check for misconfiguration
R6#show run | sec router bgp
#### Remove the misconfiguration statement for neighbor
R6(config)#router bgp 174
R6(config-router)#no neighbor 56.0.0.5 update-source loopback 0

#### Verify fix
R6#show ip bgp 198.51.100.8
R6#ping 198.51.100.11

Ticket #3
R2’s interface (198.51.100.12) is unable to ping R4’s interface (203.0.113.4)

Diagnose and resolve
Do not modify any IGP configuration
Do not remove any route map entries

#### Verify the understanding of our problem
#### Ping from R2 to R4
R2#ping 203.0.113.4
R2#ping 203.0.113.4 source g0/x
R2#show ip route 203.0.113.0
R2#traceroute 203.0.113.7
R2#traceroute 203.0.113.4
#### Go to R5 where the traceroute is stopping
R5#show ip route 203.0.113.0

#### As expected, R5 doesn't know how to get to 203.0.113.0
#### Check L2 first then L3
R5#ping 57.0.0.7

#### Discovered no ping so definitely L2 issue
R5#show arp 57.0.0.7

#### Go to R5's neighbor R7 and bring up interface
R7(config)#int g0/x
R7(config-if)#no shut

#### Verify fix
R5#ping 57.0.0.7
#### Check if R7 is advertising 203.0.113.0 prefix
R7#show ip bgp 203.0.113.0

#### Discovered that network statement is missing
R7(config)#router bgp 2711
R7(config-router)#network 203.0.113.0 mask 255.255.255.0

#### Verify the fix
R5#show ip bgp 203.0.113.0
R6#show ip bgp 203.0.113.0
R7#show ip bgp 203.0.113.0
R8#show ip bgp 203.0.113.0
#### Fix the route-map (filtering on R5)
#### A deny in the route-map and a deny in the prefix-list cancel each other out
#### Net effect: 5.5.5.5/32 is ignored by the deny clause and gets redistributed
R6#show route-map RM-CONN
R6(config)#ip prefix-list PL-LOOPBACK deny 5.5.5.5/32
R6(config)#ip prefix-list PL-LOOPBACK permit 0.0.0.0/0 ge 1
R6(config)#route-map RM-CONN deny 5
R6(config-route-map)#match ip address prefix-list PL-LOOPBACK
#### Verify route-map fix config
R6#show route-map RM-CONN
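
The deny/deny interaction above, modelled as an added example (not part of the original notes and not IOS code). It evaluates the PL-LOOPBACK entries and the RM-CONN deny 5 clause from the commands above; the later `permit 10` clause and the 56.0.0.0/24 test route are assumptions, since the page does not show the rest of RM-CONN.

```python
import ipaddress

def pl_entry_matches(entry, route):
    """Prefix-list entry match: the route lies inside the entry's prefix and its
    length is within [ge, le]; with neither keyword the length must be exact."""
    net, r = ipaddress.ip_network(entry["prefix"]), ipaddress.ip_network(route)
    ge, le = entry.get("ge"), entry.get("le")
    if ge is None and le is None:
        lo = hi = net.prefixlen
    else:
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else 32
    return lo <= r.prefixlen <= hi and r.subnet_of(net)

def prefix_list(entries, route):
    """First matching entry decides; no match at all is an implicit deny."""
    for e in entries:
        if pl_entry_matches(e, route):
            return e["action"] == "permit"
    return False

def route_map(clauses, route):
    """A clause applies only when its prefix-list returns permit. A prefix-list
    deny means "this clause does not match", so the next clause is tried."""
    for c in clauses:
        pl = c.get("match")
        if pl is None or prefix_list(pl, route):
            return c["action"]
    return "deny"  # implicit deny at the end of the route-map

# Entries as configured in the notes above.
PL_LOOPBACK = [
    {"action": "deny", "prefix": "5.5.5.5/32"},
    {"action": "permit", "prefix": "0.0.0.0/0", "ge": 1},
]
RM_CONN = [
    {"seq": 5, "action": "deny", "match": PL_LOOPBACK},
    {"seq": 10, "action": "permit"},  # assumed later clause, not shown on the page
]

if __name__ == "__main__":
    for route in ("5.5.5.5/32", "56.0.0.0/24"):  # second route is constructed
        print(route, "->", route_map(RM_CONN, route))
```

Without a later permit clause the implicit deny at the end of the route-map would drop 5.5.5.5/32 as well.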
#### Check reachability
R7#show ip bgp 198.51.100.8
#### Why inaccessible?
R7#show ip bgp 198.51.100.1
R7#show ip route 198.51.100.1
#### Investigate R5
R5#show ip route 198.51.100.0
R5#show ip route 198.51.100.0 255.255.255.248
R5#show ip route 198.51.100.0 255.255.255.248 longer-prefixes

#### Configure missing network statement 
R5(config)#router bgp 2711
R5(config-router)#network 198.51.100.0 mask 255.255.255.248

Ticket #4
R4 can’t reach the Web server (192.0.1.100)
Diagnose and resolve
Do not modify any route filtering

#### Check the router in between
R7#show ip bgp neighbors | i state =

#### State = Idle
R7#ping 78.0.0.8
R7#show arp 78.0.0.8

#### Ping unreachable and no arp means Layer 2 trouble
R7#show ip int g1/0 | i line|Internet

#### Wrong IP configured (78.8.0.7 to 78.0.0.7)
R7(config)#int g1/x
R7(config-if)#ip address 78.0.0.7 255.255.255.0

#### Verify fix for Layer 2 connectivity
R7#ping 78.0.0.8
#### Check route to destination 192.0.1.0
R7#show ip bgp 192.0.1.0

#### Move closer to next hop and check route to 192.0.1.0
R8#show ip bgp 192.0.1.0
#### Check BGP route
R8#show ip bgp
#### Check if R7 is filtering any routes
R7#show ip bgp neighbors 78.0.0.8 | i filter

#### Check the filter (prefix-list)
R7#show ip prefix-list
R7#show ip prefix-list PL-BGP-IN
seq 20 denies everything else
#### Requirement states that we are not allowed to modify any route filtering
#### We need to remove the aggregate route to match the seq 5 permit specific route
#### Find out what's causing aggregate advertising 
R8#show run | sec router bgp

#### On R8, get rid of aggregate
R8(config)#router bgp 3356
R8(config-router)#address-family ipv4
R8(config-router-af)#no aggregate-address 192.0.0.0 255.255.252.0 summary-only
#### Check new config
R8#show ip bgp 192.0.1.0

#### Check route from source to destination
R4#traceroute 192.0.1.100 timeout 1 probe 1 ttl 1 22

#### Check the opposite direction
R9#show ip route 203.0.113.4
R9#traceroute 203.0.113.4 timeout 1 probe 1 ttl 1 22
#### Discovered asymmetric routing 
#### Check for any Drop
R9#show ip traffic | i Drop
#### Check if uRPF strict mode is enabled
R8#show run int gi0/x
R8#show run int gi0/x
uRPF (Unicast Reverse Path Forwarding)
#### Change uRPF from Strict mode to loose
R8(config)#int range gi0/x, gi0/x
R8(config-if-range)#ip verify unicast source reachable-via any

#### Verify fix
R4#traceroute 192.0.1.100
R4#traceroute 192.0.1.100 timeout 1 probe 1 ttl 1 22

Ticket #5
Traffic is not passing between R4 (203.0.113.4) and R9 (192.0.2.)
Diagnose and resolve.
Ensure bidirectional traffic takes the optimal path.

#### Verify the understanding of the problem
R9#traceroute 203.0.113.4 source 192.0.2.9
R9#traceroute 203.0.113.4 source 192.0.2.9 probe 1 timeout 1 ttl 1 22
R9#show ip bgp 203.0.113.0


#### Verify the understanding of the problem
R8#show ip bgp 203.0.113.0
R8#traceroute 203.0.113.4 source 78.0.0.8 timeout 1 probe 1 ttl 1 22

#### Check if R8 is filtering any routes it should learn
R8#show ip bgp neighbors 78.0.0.7 | i filter
#### Let's check out the filtering
R8#show ip as-path-access-list 1

#### Discovered that R8 is blocking all BGP advertisement from neighbor R7
#### Locate the filtering
R8#show run | sec router bgp
#### Remove the filtering for Incoming
R8(config)#router bgp 3356
R8(config-router)#address-family ipv4
R8(config-router-af)#no neighbor 78.0.0.7 prefix-list 1 in

#### Clear bgp to get the latest update
R8#clear ip bgp * soft
R8(config-router)#do clear ip bgp * soft

#### Verify fix to see if R8 now can learn bgp route from neighbor R7
R8#show ip bgp 203.0.113.0
R8#traceroute 203.0.113.4
Found new best path after removing Incoming filter
#### Check if R7 has route back to R9
R7#show ip bgp 192.0.2.0
Discovered R7 does not know how to return back to R9
#### Check if R7 has any filter
R7#show ip bgp neighbors 78.0.0.8 | i filter

#### Check out the filter Incoming
R7#show ip prefix-list PL-BGP-IN

#### Allow its neighbor prefix
R7(config)#ip prefix-list PL-BGP-IN seq 4 permit 192.0.2.0/24

#### Flush and refresh bgp
R7#clear ip bgp * soft
#### Verify Fix
R7#traceroute 192.0.2.9 source 203.0.113.7

#### Give it a few more seconds for BGP to flush
R7#traceroute 192.0.2.9 source 203.0.113.7

#### Give it a few more seconds
R7#traceroute 192.0.2.9 source 203.0.113.7

#### Finally fixed (it takes some time to get BGP updates)
R7#traceroute 192.0.2.9 source 203.0.113.7

Ticket #6
R1 (198.51.100.1) can’t ping R4 (203.0.113.4)
Diagnose and resolve.

#### Verify the understanding of the problem
R1#show ip int br
R1#ping 203.0.113.4
R1#ping 203.0.113.4 source g1/0
R1#traceroute 203.0.113.4 probe 1 timeout 1 ttl 1 22
R1#show ip route 203.0.113.4

#### Create access-list to check logs
R1(config)#access-list 100 permit icmp host 198.51.100.1 host 203.0.113.4 echo

#### Turn on detailed IP Packet debugging 
R1#debug ip packet detail 100
debug shows IPsec related messages
#### Investigate IPsec trouble
R1#show crypto ipsec sa
#### Let's take a look at the crypto map tag r1r4
R1#show crypto map tag r1r4
#### Ping test failed (why? traffic over IPsec)
R1#ping 203.0.113.4 source g1/0

#### Ping test successful (why? traffic over normal route)
R1#ping 203.0.113.4 source loopback 0

#### Understood that IPsec is not working
#### Need to debug IPsec traffic

#### Create access-list to match traffic for debug
R1(config)#access-list 101 permit esp any any

#### debug detail
R1#debug ip packet detail 101
R1#undebug all
R1 is blocking return traffic
#### Discovered return traffic is denied
#### Check what is blocking the return traffic
R1#show run int g1/x
R1 has Incoming filter
#### Check the Incoming filter
R1#show access-lists 199
#### Either permit esp for return traffic or remove filter completely
R1(config)#int g1/x
R1(config-if)#no ip access-group 199 in

#### Verify fix
R1#ping 203.0.113.4
R1#ping 203.0.113.4 source g1/x
R1#ping 203.0.113.4 source 198.51.100.1

Ticket #7
Ensure IP reachability among the following loopbacks:

R1 10.0.0.1
R2 10.0.0.2
R3 10.0.0.3
R4 10.0.0.4

Ensure none of these appear in any BGP RIB.
Do not use IGP route filtering or modify any BGP configuration.

#### Verify understanding of the problem
R1#ping 10.0.0.2 source 10.0.0.1
R1#ping 10.0.0.3 source 10.0.0.1
R1#ping 10.0.0.4 source 10.0.0.1

#### Check if reachability to 10.0.0.2 is via BGP
R1#show ip route 10.0.0.2
R1#show ip bgp 10.0.0.2
R1#show run | sec router bgp
#### OSPF does not redistribute external-routes
#### Example of Type 5 LSAs (external)
R1#show ip ospf database
R1#show ip ospf database | begin External

#### Verify that Type 5 LSAs (external route) not present in BGP
R1#show ip bgp 10.0.0.3
Redistributing into BGP yet ospf routes are not shown in BGP route
#### Objective is to make all 10.0.0.0 advertised as Type-5 (External) LSAs
#### Use redistribute connected subnet under ospf
#### OSPF network command overrides redistribute connected
#### Make it Type-5 LSA on R2
R2#show run | sec router ospf
R2(config)#router ospf 1
R2(config-router)#no network 10.0.0.2 0.0.0.0 area 0

#### Verify change
R1#show ip route 10.0.0.2
Now known via ospf 1 type external 2
#### Check how many more R1 knows via BGP
R1#show ip bgp
R1#show ip bgp | i 10.0.0

#### Check how R1 is advertising its 10.0.0.1 via ospf
R1#show run | sec router ospf
#### Get rid of 10.0.0.1 from BGP RIB
R1(config-router)#no network 10.0.0.1 0.0.0.0 area 0
R1(config-router)#redistribute connected subnets

#### Verify change
R1#show ip bgp
R1#show ip bgp 10.0.0.0
R1#show ip bgp 10.0.0.0/8 longer-prefixes
#### Remove from last router advertising 10.0.0.x over BGP
R4#show ip route 10.0.0.4
How is 10.0.0.4 getting into BGP?
#### Need to stop advertising over BGP
R4#show ip route 10.0.0.4
How does BGP know? via Local best
#### Stay focused and determine which protocol is distributing 10.0.0.x
R4#show run | sec router bgp
#### Is EIGRP redistributing 10.0.0.4?
R4#show run | sec router eigrp
#### Is OSPF redistributing 10.0.0.4?
R4#show run | sec router ospf
Another network statement covering 10.0.0.4
#### Both EIGRP and OSPF have network statement for 10.0.0.4 prefix
#### Remove network advertisement either from ospf or EIGRP process
R4(config)#router ospf 1
R4(config-router)#no network 10.0.0.4 0.0.0.0 area 0

R4(config)#router eigrp 29897
R4(config-router)#no network 10.0.0.4 0.0.0.0

#### Verify change
R4#show ip bgp 10.0.0.4
#### How to make 10.0.0.4 totally out of BGP?
R4#show run | sec router bgp
#### Requirement is not to touch BGP configuration.
#### However, we can change the route-map
R4#show route-map
R4#show route-map RM-EIGRP->BGP
R4#show access-lists 18
#### Add 10.0.0.x to access-list 18 for route-map to deny
#### Permit on access-list. Later Route-map to deny.
R4(config)#access-list 18 permit 10.0.0.0 0.255.255.255

#### Verify fix
R4#show ip bgp 10.0.0.0
R4#show ip bgp 10.0.0.0/8 longer-prefixes

#### Clear and verify again
R4#clear ip bgp * soft
R4#show ip route 10.0.0.0
R4#show ip bgp 10.0.0.0

#### Verify fix
R4#ping 10.0.0.1 source 10.0.0.4
R4#ping 10.0.0.2 source 10.0.0.4
R4#ping 10.0.0.3 source 10.0.0.4

Ticket #8
The Tunnel19 interface between R1 and R9 is down. Ensure link-local IPv6 traffic can traverse the tunnel.

#### Tunnel 19 is up/up
R1#show int tunnel 19

#### Check int tunnel 19 config
R1#show run int tunnel 19

#### Discovered tunnel mode gre is multipoint
#### Discovered no destination address for tunnel
#### Check the opposite end of the tunnel
R9#show run int tunnel 19

#### Discovered no source address for tunnel
R9(config)#int tunnel 19
R9(config-if)#tunnel source 192.0.2.9
#### Check IP connectivity from R9 to R1
R9#ping 1.1.1.1
R9#ping 1.1.1.1 source g3/x
R9#ping 1.1.1.1 source 192.0.2.9
R9#traceroute 1.1.1.1 source 192.0.2.9
R9#traceroute 1.1.1.1 source 192.0.2.9 probe 1 timeout 1 ttl 1 22

#### Traceroute stops at R5
#### R5 able to reach the destination R1
R5#show ip route 1.1.1.1

#### R5 is taking different path back (via R6 instead of R7)
R5#show ip route 192.0.2.9

#### Discovered asymmetric routing
#### Check for uRPF (Unicast Reverse Path Forwarding) strict or loose
R5#show run int g1/x
R5#show run int g2/x
#### Change uRPF to loose mode
R5(config)#int range gi0/x, gi1/x
R5(config-if-range)#ip verify unicast source reachable-via any

#### Verify IP connectivity fix
R9#ping 1.1.1.1 source 192.0.2.9
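
Why strict uRPF drops traffic on an asymmetric path while loose mode forwards it, as in Ticket #4 (R8) and Ticket #8 (R5). This is an added example, not part of the original notes: a small model of the check rather than IOS code, with a constructed FIB, constructed packets and hypothetical interface labels (`to-R6`, `to-R7`, `to-R1`).

```python
import ipaddress

# Constructed FIB for R5 (Ticket #8): the route back to R9's 192.0.2.0/24 points
# at R6, while R9's packets arrive from R7. Interface labels are hypothetical.
FIB_R5 = [
    ("192.0.2.0/24", "to-R6"),
    ("1.1.1.1/32", "to-R1"),
]

def lookup(fib, src):
    """Longest-prefix match on the source address; (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_accepts(fib, src, in_if, mode):
    """mode 'rx'  = strict: the best route to src must point out of in_if.
    mode 'any' = loose:  any route to src is enough."""
    hit = lookup(fib, src)
    if hit is None:
        return False            # no route to the source: dropped in both modes
    if mode == "any":
        return True
    return hit[1] == in_if

def verdicts(fib, packets, mode):
    """Map each (src, in_if) packet to 'forward' or 'drop' for the given mode."""
    return {p: "forward" if urpf_accepts(fib, p[0], p[1], mode) else "drop"
            for p in packets}

# Constructed packets: R9's tunnel source arriving from R7, the same source on
# the interface the FIB prefers, and a source R5 has no route for.
PACKETS = [("192.0.2.9", "to-R7"), ("192.0.2.9", "to-R6"), ("198.18.0.1", "to-R7")]

if __name__ == "__main__":
    for mode in ("rx", "any"):
        print(mode, verdicts(FIB_R5, PACKETS, mode))
```

Loose mode only rejects sources with no route at all, so it restores forwarding over the asymmetric path at the cost of weaker anti-spoofing on that interface.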
#### Fix tunnel 19 (assign destination)
R1(config)#int tunnel 19
R1(config-if)#tunnel destination 9.9.9.9

#### Discovered tunnel mode gre multipoint
#### Fix tunnel 19
R1(config)#int tunnel 19
R1(config-if)#tunnel mode gre ip
R1(config-if)#tunnel destination 192.0.2.9

#### Verify fix
R1#ping fe80::9
Output Interface: tunnel 19

Ticket #9
The OSPFv3 adjacency is down between R4 and R9.
Diagnose and resolve.
Your solution may not remove any other adjacencies.

IPv6 running on GRE tunnel.
OSPFv3 running on IPv6
#### If IPv6 is broken at link-local level, OSPF will not work.
#### If Tunnel is down, IPv6 will be broken.
#### Pick a router to understand the environment
R9#show ipv6 ospf neighbor

#### Discovered 1 OSPF neighbor is down
R9#show ipv6 ospf interface brief
R9#show ipv6 int tunnel 49
#### Check the dead neighbor
R4#show ipv6 ospf neighbor
R4#show ipv6 ospf int brief
R4#show ipv6 int brief
R4#show ipv6 int tunnel 49
#### All config looks good.

#### Check ip connectivity 
R4#ping FE80::9
Output Interface: tunnel 49
#### ping test failed

You can have same link-local address on multiple interfaces

#### Check if ipv6 traffic can be encapsulated over GRE tunnel
R4#clear ipv6 traffic
R4#ping FE80::9
Output Interface: tunnel 49
R4#show ipv6 traffic

#### Discovered GRE tunnel trouble
#### By design, GRE supports both IPv4 & IPv6
R4#show cef interface tunnel 49
#### Strange. Why "IPv6 unsupported tunnel mode"?
#### Is Tunnel 49 running GRE?
R4#show int tunnel 49
R4#show run int tunnel 49
This is IP over IP tunnel.
We need GRE tunnel
#### IP over IP tunnel encapsulation type does not support IPv6
#### GRE does support IPv6

#### Change to GRE
R4(config)#int tunnel 49
R4(config-if)#tunnel mode gre ip

#### Change to GRE too for R9
R9(config)#int tunnel 49
R9(config-if)#tunnel mode gre ip

Have to be very aware of the nuances in the output messages.
