Just a short reminder: in the exam, you can't use the "sh run | include bgp" command. If you are unsure which commands you can use, check the CCNP Tshoot Demo on the Cisco website.
Client1#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.2.1.3 YES DHCP up up
FastEthernet0/1 unassigned YES NVRAM administratively down down
Client1#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/80/128 ms
Client1#ping 209.65.200.225
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.65.200.225, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 80/89/108 ms
Client1#ping 209.65.200.226
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.65.200.226, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
------------------------------
The pings stop at 209.65.200.226. Check the BGP neighbour status on R1 first.
R1#sh ip bgp summary
BGP router identifier 1.1.1.1, local AS number 65001
BGP table version is 2, main routing table version 2
1 network entries using 117 bytes of memory
1 path entries using 52 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 417 total bytes of memory
BGP activity 1/0 prefixes, 2/1 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
209.65.200.226 4 65002 0 0 0 0 0 never Active
-----------------------------------------------
R1's BGP neighbour relationship with the other router is broken. As you can see, it is in the Active state, and no messages or prefixes have been received.
Let's check R1's BGP configuration.
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 209.65.200.224 mask 255.255.255.252
neighbor 209.65.200.226 remote-as 65002
no auto-summary
------------------
It seems the BGP configuration is correct and something is wrong in an IP access-list. Check the access-lists on R1.
ip nat inside source list 10 interface Serial1/1 overload
!
access-list 10 permit 10.2.2.0 0.0.0.255
access-list 10 permit 10.2.4.0 0.0.0.255
access-list 10 permit 10.1.4.0 0.0.0.255
access-list 10 permit 10.10.4.0 0.0.0.255
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 permit 10.2.1.0 0.0.0.255
access-list 40 permit 209.65.200.241
access-list 40 deny 10.1.0.0 0.0.255.255
access-list 40 deny 10.2.0.0 0.0.255.255
ipv6 router ospf 6
log-adjacency-changes
-----------------
Here is the problem. IP access-list 40 does not permit the 209.65.200.224/30 network, and it is applied to the Serial 1/1 interface. So, let's fix it and solve the problem.
As soon as the following changes are made on R1, everything is solved.
R1(config)#ip access-list standard 40
R1(config-std-nacl)#per
R1(config-std-nacl)#permit 209.65.200.224 0.0.0.3
R1(config-std-nacl)#^Z
R1#
*Mar 1 00:21:19.411: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 00:21:25.291: %BGP-5-ADJCHANGE: neighbor 209.65.200.226 Up
R1#
------------------------------
The problem device is R1; the fault is related to the IP access-list and can be fixed by adding a new entry to access-list 40.
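To see why the BGP peer was blocked, here is an added example (not part of the original post) that models how a standard ACL is evaluated: source address only, wildcard-mask match, first match wins, implicit deny at the end. The function names are hypothetical; the ACL lines are the ones shown above, before and after the fix.

```python
import ipaddress

def parse_acl(lines):
    """Parse 'access-list N permit|deny ADDR [WILDCARD]' lines into rules."""
    rules = []
    for line in lines:
        parts = line.split()
        action, addr = parts[2], parts[3]
        # A standard ACL entry without a wildcard matches a single host.
        wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        rules.append((action, int(ipaddress.IPv4Address(addr)),
                      int(ipaddress.IPv4Address(wildcard))))
    return rules

def evaluate(rules, source):
    """Return (action, rule_index) of the first match; index None = implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for i, (action, addr, wildcard) in enumerate(rules):
        care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
        if (src & care) == (addr & care):
            return action, i
    return "deny", None

ACL40_BEFORE = [
    "access-list 40 permit 209.65.200.241",
    "access-list 40 deny 10.1.0.0 0.0.255.255",
    "access-list 40 deny 10.2.0.0 0.0.255.255",
]
ACL40_AFTER = ACL40_BEFORE + ["access-list 40 permit 209.65.200.224 0.0.0.3"]

def check(source):
    """Evaluate one source address against ACL 40 before and after the fix."""
    return (evaluate(parse_acl(ACL40_BEFORE), source),
            evaluate(parse_acl(ACL40_AFTER), source))

if __name__ == "__main__":
    # Sample sources: the BGP peer, the permitted host, a client, an address outside the /30.
    for src in ("209.65.200.226", "209.65.200.241", "10.2.1.3", "209.65.200.230"):
        before, after = check(src)
        print(f"{src:16} before={before} after={after}")
```

Before the fix, packets from 209.65.200.226 arriving on the interface match no entry and fall through to the implicit deny, which is why the neighbour never left the Active state.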
Hi,
You should indicate that the acl 40 is applied to the interface
Serial1/1
ip address 209.65.200.225 255.255.255.252
ip access-group 40 in
Otherwise it is not clear why we have to modify the acl 40. Btw perfect website and perfect way to share information. I can just say thanks mate for your effort. Very appreciated.
Ah, many thanks, man.
Yes, you are right. I just looked straight at access-list 40 and fixed it.