Why Router 3845 BGP won't Route ?

eNur

Technical User
Aug 3, 2008
8
ID
Let's say, ...

Router A, AS number 1
Router B, AS number 2
Router C, AS number 3

The connection between them is: A - B - C

B has 4 networks attached to it:
a.b.c.d, e.f.g.h, m.n.o.p, and q.r.s.t networks.

I want to have BGP pairing between B and A, and between B and C. However, I want only a.b.c.d and e.f.g.h to be announced to A, and m.n.o.p and q.r.s.t to be announced to C.
In order to do that, I did an ACL filter on the announcements. The configuration looks like this:

router bgp 2
bgp router-id 2
bgp log-neighbor-changes
network a.b.c.d mask 255.255.255.0
network e.f.g.h mask 255.255.255.0
network m.n.o.p mask 255.255.255.0
network q.r.s.t mask 255.255.255.0
neighbor A remote-as 1
neighbor A distribute-list 11 out
neighbor B remote-as 2
neighbor B distribute-list 22 out
no auto-summary

access-list 11 permit a.b.c.d
access-list 11 permit e.f.g.h
access-list 11 deny any
access-list 22 permit m.n.o.p
access-list 22 permit q.r.s.t
access-list 22 deny any

BGP updated completely, as expected.

What makes me confused is, it does not do routing:
B can access (PING) to A, C, and to the 4 networks, and vice versa A, C, and the networks can PING B. But, the networks can't PING to A nor C.
Traceroute reveals that the PINGs stopped at Router B.

Looks like the C3845 Router did not route. Or did I make a boo-boo in the configuration?

Your comments please. Thank you.
 
can you post configs from all three routers??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
The actual configs for all routers are just too much, and most are not related to the BGP. (i.e., simple IP ROUTE on all three routers will work). So, I summarized the BGP part to simplify the situation.

Router A:
router bgp 1
bgp router-id 1
network 1.2.3.4 mask 255.255.255.0
neighbor B remote-as 2
no auto-summary

Router C:
router bgp 3
bgp router-id 3
network 6.7.8.9 mask 255.255.255.0
neighbor B remote-as 2
no auto-summary


As for the middle Router, which is Router B, the standard config should work:

Router B:
router bgp 2
bgp router-id 2
network a.b.c.d mask 255.255.255.0
network e.f.g.h mask 255.255.255.0
network m.n.o.p mask 255.255.255.0
network q.r.s.t mask 255.255.255.0
neighbor A remote-as 1
neighbor B remote-as 2
no auto-summary


However, the standard config will then announce the four networks (a.b.c.d, e.f.g.h, m.n.o.p, and q.r.s.t) to both neighbors (A and B).

What I wanted is to let Router B know about info from A and C, but in return let A know only the first 2 networks (a.b.c.d and e.f.g.h), and let C know only the last 2 networks (m.n.o.p and q.r.s.t). That is why I added the distribute-list:

neighbor A distribute-list 11 out
neighbor B distribute-list 22 out

access-list 11 permit a.b.c.d
access-list 11 permit e.f.g.h
access-list 11 deny any

access-list 22 permit m.n.o.p
access-list 22 permit q.r.s.t
access-list 22 deny any


True enough, the Router B itself received A and C BGP updates, so Router B can go to any routes located thru A or C. So, Router B is connected to everyone (A's networks, C's networks, and B's own 4 networks).

However, it is not good from the 4 networks.

Network a.b.c.d and e.f.g.h cannot reach Router A (thus cannot reach network 1.2.3.4), while network m.n.o.p and q.r.s.t cannot reach Router C (thus cannot reach network 6.7.8.9).


Everything else in Router B is fresh (startup-config was erased, then the Router was rebooted with nothing in it). The only new config is shown above.

Ideas?
 
However, it is not good from the 4 networks.

Network a.b.c.d and e.f.g.h cannot reach Router A (thus cannot reach network 1.2.3.4), while network m.n.o.p and q.r.s.t cannot reach Router C (thus cannot reach network 6.7.8.9).
So abcd and efgh are not in Router A's routing table?? mnop and qrst are not in Router C's routing table?? If you remove the distribute-lists from Router B do you see them?? Can you list the output from sh ip bgp neighbor from all three routers??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Ah! That's one possible explanation.
I'm sorry that I won't be able to give you the sh ip bgp neighbor from all. The above scenario is a simplified story. The full story is, Router A belongs to Internet Access Provider A, while Router C belongs to Internet Access Provider C. That's two different paths to two different 'Internet'. I was trying to connect my Router B to both 'Internet' but showing half of my networks to A and the other half to C.

sh ip bgp neighbor from Router B shows both neighbors correctly, bgp status shows incoming and outgoing packets, and sh ip route shows all kinds of routing coming from both A and C. So, I was assuming that because Router B received both A and C messages, then A and C should also have received Router B messages.

Your comments might explain things. Maybe Router B did not actually send any network information to A and C? Did I do the access-list or distribute-list wrongly? I'll try to ask for the Provider's list (either A or C) to confirm this.

Any more suggestions on where else I should check?
 
It's a nice feature, but it did not fit my need.
For the conditional advertising to work, Router B has to match 'something' from either Router A or C, and then it will advertise accordingly.
However, there is nothing in particular from Router A and C that can be used for this trigger. Router B is supposed to send the route information to Router A and C no matter what.

Thanks for the info though. Will fit nicely for the failover routing set up. :)
 
Can you at least provide the sh ip bgp and the sh ip route for Router B??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Sorry for the late update.
We found the problem and fixed it. The problem came from the combination of "network", "access-list/distribute-list", and "ip route".
I wasn't giving out the complete picture because I didn't think it would matter, but it does.

Here is a summary of what happened:

Router B:
router bgp 2
bgp router-id 2
network a.b.c.d mask 255.255.255.0
network m.n.o.p mask 255.255.255.0
neighbor A remote-as 1
neighbor B remote-as 2
no auto-summary
neighbor A distribute-list 11 out
neighbor B distribute-list 22 out

access-list 11 permit a.b.c.d 0.0.0.255
access-list 11 deny any

access-list 22 permit m.n.o.p 0.0.0.255
access-list 22 deny any

ip route a.b.c.d1 255.255.255.128 eth0
ip route a.b.c.d2 255.255.255.128 eth0
ip route m.n.o.p1 255.255.255.240 eth0
ip route m.n.o.p2 255.255.255.240 eth0


So, what happened is that the "network" and "mask" which are filtered with the "access-list/distribute-list" are not the same as the "ip route". Because of this, the BGP Route of a.b.c.d and m.n.o.p were never sent out to either Router A or C. Thus, Router A and C did not know where the a.b.c.d and m.n.o.p networks are, but Router B knows them correctly. That is why I thought B did not want to Route, but the reality is that A and C did not know where to return the Route.

Changing the "ip route", "networks", and/or "access-list" will fix the problem:

Router B:
router bgp 2
bgp router-id 2
network a.b.c.d1 mask 255.255.255.128
network a.b.c.d2 mask 255.255.255.128
network m.n.o.p mask 255.255.255.0
neighbor A remote-as 1
neighbor B remote-as 2
no auto-summary
neighbor A distribute-list 11 out
neighbor B distribute-list 22 out

access-list 11 permit a.b.c.d1 0.0.0.127
access-list 11 permit a.b.c.d2 0.0.0.127
access-list 11 deny any

access-list 22 permit m.n.o.p 0.0.0.255
access-list 22 deny any

ip route a.b.c.d1 255.255.255.128 eth0
ip route a.b.c.d2 255.255.255.128 eth0
ip route m.n.o.p 255.255.255.0 eth0


Thank you for all the help and ideas. :)
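
The mismatch described in the last post, modelled as an added example (not part of the original thread and not Cisco code): with `no auto-summary`, a `network` statement is originated only when the routing table holds a route with the identical prefix and mask, and a standard ACL used as a distribute-list is matched against the prefix's network address. The 192.0.2.x and 198.51.100.x values are constructed stand-ins for a.b.c.d and m.n.o.p, and all function names are hypothetical.

```python
import ipaddress

def originated(network_stmts, rib):
    """network statements that have an exact prefix/length match in the routing table."""
    rib_nets = {ipaddress.ip_network(r) for r in rib}
    return [n for n in network_stmts if ipaddress.ip_network(n) in rib_nets]

def diagnose(network_stmts, rib):
    """Map each statement that is NOT originated to the more-specific routes it covers."""
    rib_nets = [ipaddress.ip_network(r) for r in rib]
    report = {}
    for n in network_stmts:
        net = ipaddress.ip_network(n)
        if net not in rib_nets:
            report[n] = [str(r) for r in rib_nets if r.subnet_of(net)]
    return report

def acl_permits(acl, prefix):
    """Standard ACL as distribute-list: first entry matching the network address wins."""
    addr = int(ipaddress.ip_network(prefix).network_address)
    for action, base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF  # bits that must match
        if addr & care == int(ipaddress.ip_address(base)) & care:
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def advertised(network_stmts, rib, acl):
    """Prefixes that are both originated and permitted outbound to one neighbor."""
    return [n for n in originated(network_stmts, rib) if acl_permits(acl, n)]

ANY = ("0.0.0.0", "255.255.255.255")  # what the keyword "any" expands to

# Constructed data mirroring the broken config: /24 network statements, /25 and /28 statics.
BEFORE_NETWORKS = ["192.0.2.0/24", "198.51.100.0/24"]
BEFORE_RIB = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/28", "198.51.100.16/28"]
BEFORE_ACL11 = [("permit", "192.0.2.0", "0.0.0.255"), ("deny", *ANY)]

# Constructed data mirroring the fixed config: statements, ACLs and statics agree.
AFTER_NETWORKS = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24"]
AFTER_RIB = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24"]
AFTER_ACL11 = [("permit", "192.0.2.0", "0.0.0.127"),
               ("permit", "192.0.2.128", "0.0.0.127"), ("deny", *ANY)]
AFTER_ACL22 = [("permit", "198.51.100.0", "0.0.0.255"), ("deny", *ANY)]

if __name__ == "__main__":
    print("before, to A:", advertised(BEFORE_NETWORKS, BEFORE_RIB, BEFORE_ACL11))
    print("why:", diagnose(BEFORE_NETWORKS, BEFORE_RIB))
    print("after, to A:", advertised(AFTER_NETWORKS, AFTER_RIB, AFTER_ACL11))
    print("after, to C:", advertised(AFTER_NETWORKS, AFTER_RIB, AFTER_ACL22))
```

On the router itself, the equivalent check is comparing the `network` statements against `sh ip route` for an exact prefix and mask match.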
 