AR1220E V200R006C10 BGP Issue

Created May 25, 2018 15:52:21 | Latest reply Jun 15, 2018 16:00:19

Issue Description:

AR create BGP session from Loopback IP instead of physical IP.

Handling Process:

After discussing with a CSE colleague, we needed one remote session for troubleshooting.
Below is our remote session summary.

Check configuration: it is OK.

acl name NAT_Gi0/0/8_0 3080
 rule 10 deny ip source x.x.152.0 0.0.0.255
 rule 15 deny ip source x.x.156.8 0.0.0.3
 rule 20 deny ip source x.x.24.0 0.0.1.255
 rule 30 permit ip
acl name NAT_Gi0/0/8_1 3081
 rule 10 permit ip source x.x.24.0 0.0.1.255
acl name NAT_Gi0/0/9_0 3090
 rule 10 deny ip source x.x.152.0 0.0.0.255
 rule 20 deny ip source x.x.24.0 0.0.1.255
 rule 30 permit ip
acl name NAT_Gi0/0/9_1 3091
 rule 10 permit ip source x.x.24.0 0.0.1.255
#
interface GigabitEthernet0/0/8
 description --ISP1-NTK--
 ip address x.x.156.10 255.255.255.252
 traffic-filter inbound acl name Internet_In
 nat server protocol tcp global interface LoopBack 1 9012 inside x.x.25.241 9012
 nat server protocol udp global interface LoopBack 1 9012 inside x.x.25.241 9012
 nat server protocol udp global interface LoopBack 1 500 inside x.x.25.241 500
 nat server protocol udp global interface LoopBack 1 4500 inside x.x.25.241 500
 nat outbound 3081 interface LoopBack 1
 nat outbound 3080 interface LoopBack 0
 zone Internet
#
interface GigabitEthernet0/0/9
 description --ISP2-RosTK--
 ip address x.x.78.154 255.255.255.252
 traffic-filter inbound acl name Internet_In
 nat server protocol tcp global interface LoopBack 1 9012 inside x.x.25.241 9012
 nat server protocol udp global interface LoopBack 1 9012 inside x.x.25.241 9012
 nat server protocol udp global interface LoopBack 1 500 inside x.x.25.241 500
 nat server protocol udp global interface LoopBack 1 4500 inside x.x.25.241 500
 nat outbound 3091 interface LoopBack 1
 nat outbound 3090 interface LoopBack 0
 zone Internet
#
interface LoopBack0
 description nat
 ip address x.x.152.29 255.255.255.255
#
interface LoopBack1
 description nat
 ip address x.x.152.28 255.255.255.255
#
bgp 203xxx
 router-id x.x.152.0
 peer x.x.78.153 as-number 12389
 peer x.x.78.153 description RosTK
 peer x.x.78.153 connect-interface GigabitEthernet0/0/9
 peer x.x.156.9 as-number 31200
 peer x.x.156.9 description NTK
 peer x.x.156.9 connect-interface GigabitEthernet0/0/8
#
Check the TCP status so that we can confirm which IP the AR uses to create the BGP session.

===============display tcp status===============
======================================================
TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID  State
37e672f4 7  /1    0.0.0.0:22            0.0.0.0:0             23553  Listening
37e66fec 51 /1    0.0.0.0:80            0.0.0.0:0             23553  Listening
37e663cc 204/1    0.0.0.0:179           x.x.78.153:0          0      Listening
37e669dc 204/4    0.0.0.0:179           x.x.156.9:0           0      Listening
37e67904 51 /2    0.0.0.0:443           0.0.0.0:0             23553  Listening
37e66ce4 204/198  x.x.78.154:179        x.x.78.153:51180      0      Established
37e666d4 7  /34   172.16.98.5:22        172.16.130.2:1901     0      Established
34e64f40 204/209  x.x.156.10:179        x.x.156.9:58097       0      Established

Until now we confirmed for the NTK ISP that if we remove rule 15 on ACL 3080, it will use the loopback IP to create the BGP peer. At the same time, RTK and NTK have the same configuration, but RTK will use the physical IP to create the BGP session, while NTK will use the loopback IP to create the BGP session.


Root Cause:

After analyzing the log and discussing with a VRP expert, below is the root cause of this issue.

1. The behavior of port G0/0/8 is correct. If the router starts BGP first, the packet will be translated in the outbound direction, so BGP will be established using the loopback interface.
If the physical address is denied in the ACL, then whichever side (local or peer) starts the BGP session, the AR will use the physical address.

2. The reason why G0/0/9 did not add a deny rule but the AR still uses the physical address to create the BGP session is that BGP is initiated by the peer device. If the local side initiates first, the loopback IP address will be used after NAT translation.


Solution:

If the customer wants to use the physical port to establish the BGP session, please deny the local address in the ACL referenced by nat outbound.


This post was last edited by Skay at 2018-09-12 09:44.
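The following is an added example and is not Huawei code or the poster's configuration. It models the decision the root-cause section describes: a locally originated packet whose source address is permitted by the ACL bound with nat outbound is translated to the loopback address, a denied or unmatched source keeps the physical address, and replies in a peer-initiated session are never rewritten. It also parses a display tcp status listing the way the handling process did by hand, to report which local address each established BGP socket actually uses. All addresses, ACL contents and the TCP listing are constructed stand-ins (RFC 5737 ranges) for the x.x.* values in the post; the ACL semantics assumed are first match in rule-number order with an implicit deny.

```python
"""Added model of the nat outbound / BGP source-address behaviour (not Huawei code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclRule:
    number: int
    action: str                      # "permit" or "deny"
    source: Optional[str] = None     # network address; None means any source
    wildcard: Optional[str] = None   # Huawei wildcard mask: 0 bits must match


def rule_matches(rule: AclRule, src_ip: str) -> bool:
    """Wildcard-mask match as used by `rule N deny ip source A W`."""
    if rule.source is None:
        return True
    src = int(ipaddress.IPv4Address(src_ip))
    base = int(ipaddress.IPv4Address(rule.source))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(rule.wildcard))
    return (src & care) == (base & care)


def acl_action(rules, src_ip: str) -> str:
    """First matching rule in rule-number order wins; no match means deny (assumed)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, src_ip):
            return rule.action
    return "deny"


def bgp_source_address(acl, physical_ip: str, loopback_ip: str,
                       initiated_locally: bool) -> str:
    """Local address the TCP/179 session will carry toward the peer."""
    if not initiated_locally:
        # Peer-initiated: the SYN arrives at the physical address, so the
        # router's replies are not subject to nat outbound (per the post).
        return physical_ip
    if acl_action(acl, physical_ip) == "permit":
        return loopback_ip           # translated by nat outbound
    return physical_ip


# Constructed stand-in for ACL 3080; 192.0.2.8/30 plays the G0/0/8 link.
PHYSICAL_IP = "192.0.2.10"    # G0/0/8 (constructed)
PEER_IP = "192.0.2.9"         # ISP router (constructed)
LOOPBACK0_IP = "198.51.100.29"

ACL_3080_WITHOUT_RULE15 = [
    AclRule(10, "deny", "198.51.100.0", "0.0.0.255"),
    AclRule(20, "deny", "10.24.0.0", "0.0.1.255"),
    AclRule(30, "permit"),
]
ACL_3080_WITH_RULE15 = ACL_3080_WITHOUT_RULE15 + [
    AclRule(15, "deny", "192.0.2.8", "0.0.0.3"),   # the fix from the post
]

# Verification step: which local address does each Established BGP socket use?
_TCP_LINE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+\d+\s+(\w+)")


def bgp_sessions(display_tcp_status: str) -> dict:
    """Return {peer_ip: local_ip} for Established sockets involving TCP port 179."""
    sessions = {}
    for line in display_tcp_status.splitlines():
        m = _TCP_LINE.search(line)
        if not m:
            continue
        local_ip, local_port, peer_ip, peer_port, state = m.groups()
        if state == "Established" and "179" in (local_port, peer_port):
            sessions[peer_ip] = local_ip
    return sessions


def peers_not_on_physical(display_tcp_status: str, physical_ip: str) -> list:
    """Peers whose session was built from a local address other than physical_ip."""
    return [peer for peer, local in bgp_sessions(display_tcp_status).items()
            if local != physical_ip]


# Constructed sample in the layout of `display tcp status` (not real output).
SAMPLE_TCP_STATUS = """\
TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID  State
0000aaaa 7  /1    0.0.0.0:22            0.0.0.0:0             23553  Listening
0000bbbb 204/1    0.0.0.0:179           192.0.2.9:0           0      Listening
0000cccc 204/198  192.0.2.10:179        192.0.2.9:51180       0      Established
0000dddd 7  /34   172.16.98.5:22        172.16.130.2:1901     0      Established
"""

if __name__ == "__main__":
    for name, acl in (("without rule 15", ACL_3080_WITHOUT_RULE15),
                      ("with rule 15", ACL_3080_WITH_RULE15)):
        for local_start in (True, False):
            who = "local" if local_start else "peer"
            print(f"{name:16} {who}-initiated -> source",
                  bgp_source_address(acl, PHYSICAL_IP, LOOPBACK0_IP, local_start))
    print("established BGP sessions:", bgp_sessions(SAMPLE_TCP_STATUS))
    print("peers not on physical IP:", peers_not_on_physical(SAMPLE_TCP_STATUS, PHYSICAL_IP))
```

Running the script shows the four cases from the root-cause section: without rule 15 a locally started session carries the LoopBack0 address, with rule 15 it carries the physical address, and a peer-started session carries the physical address either way. The peers_not_on_physical check is the quick way to spot, after a change or a session flap, a peer that has silently moved to the loopback address.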
Cybertan  Created May 25, 2018 15:58:22

very good
yangyong (Adept)  Created Jun 15, 2018 16:00:19

Great share! Well done!