Traffic from sub-interface subnets failing to AWS

jroy777
Level 1

I have an ASR1001-X with a single 10G interface to a switch on the LAN. I cannot pass traffic from the sub-interface subnets to the AWS network connected on the WAN. The LAN interface subnet 192.168.50.0/23 passes traffic correctly; the other two do not. Can anyone see a problem here?

interface TenGigabitEthernet0/0/0
mtu 3800
no ip address
!
interface TenGigabitEthernet0/0/0.2900
description "Direct Connect to Amazon VPC or Transit Gateway on AWS Cloud"
encapsulation dot1Q 2900
ip address 169.254.38.182 255.255.255.252
!
interface TenGigabitEthernet0/0/1
description "Prod DBNET access"
ip address 192.168.51.249 255.255.254.0 <----Ping from here to AWS 169.254.38.181 works 
no ip proxy-arp
ip nbar protocol-discovery
!
interface TenGigabitEthernet0/0/1.4
encapsulation dot1Q 4
ip address 10.1.0.4 255.255.254.0 <----Ping from here to AWS 169.254.38.181 Does NOT 
!
interface TenGigabitEthernet0/0/1.35
encapsulation dot1Q 35
ip address 10.10.2.4 255.255.255.0 <----Ping from here to AWS 169.254.38.181 Does NOT 
!
router bgp 64514
bgp log-neighbor-changes
neighbor 169.254.38.181 remote-as 64513
neighbor 169.254.38.181 password 7777777
!
address-family ipv4
network 10.1.0.0 mask 255.255.254.0
network 10.10.2.0 mask 255.255.255.0
network 169.254.38.180 mask 255.255.255.252
network 192.168.50.0 mask 255.255.254.0
neighbor 169.254.38.181 activate
exit-address-family
!

AWS-DC-RTR#show bgp
% Command accepted but obsolete, unreleased or unsupported; see documentation.

BGP table version is 15, local router ID is 192.168.51.249
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.0/23 0.0.0.0 0 32768 i
* 169.254.38.181 0 64513 i
*> 10.10.2.0/24 0.0.0.0 0 32768 i
* 169.254.38.181 0 64513 i
*> 10.22.0.0/16 169.254.38.181 0 64513 i
*> 10.31.0.0/16 169.254.38.181 0 64513 i
*> 10.32.0.0/16 169.254.38.181 0 64513 i
*> 10.33.0.0/16 169.254.38.181 0 64513 i
*> 169.254.38.180/30 0.0.0.0 0 32768 i
*> 192.168.50.0/23 0.0.0.0 0 32768 i
AWS-DC-RTR#

AWS-DC-RTR#ping 169.254.38.181 source 192.168.51.249
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.38.181, timeout is 2 seconds:
Packet sent with a source address of 192.168.51.249
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/29 ms
AWS-DC-RTR#ping 169.254.38.181 source 10.10.2.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.38.181, timeout is 2 seconds:
Packet sent with a source address of 10.10.2.4
.....
Success rate is 0 percent (0/5)
AWS-DC-RTR#ping 169.254.38.181 source 10.1.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.38.181, timeout is 2 seconds:
Packet sent with a source address of 10.1.0.4
.....
Success rate is 0 percent (0/5)
AWS-DC-RTR#

12 Replies

jroy777
Level 1

It almost acts like it is not in layer 3?

AWS-DC-RTR#sh interfaces tenGigabitEthernet 0/0/1
TenGigabitEthernet0/0/1 is up, line protocol is up
  Hardware is BUILT-IN-2T+6X1GE, address is a0e0.af94.5001 (bia a0e0.af94.5001)
  Description: "Prod DBNET access"
  Internet address is 192.168.51.249/23
  MTU 1500 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID  1., loopback not set
  Keepalive not supported
  Full Duplex, 10000Mbps, link type is force-up, media type is unknown media type
  output flow-control is on, input flow-control is on
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 64850000 bits/sec, 5485 packets/sec
  5 minute output rate 473000 bits/sec, 817 packets/sec
     850976125 packets input, 1243947372294 bytes, 0 no buffer
     Received 625190 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 553199 multicast, 0 pause input
     118135807 packets output, 8511093703 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     144530 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions
AWS-DC-RTR#sh interfaces tenGigabitEthernet 0/0/1.4
TenGigabitEthernet0/0/1.4 is up, line protocol is up
  Hardware is BUILT-IN-2T+6X1GE, address is a0e0.af94.5001 (bia a0e0.af94.5001)
  Internet address is 10.1.0.4/23
  MTU 1500 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID  4.
  ARP type: ARPA, ARP Timeout 04:00:00
  Keepalive not supported
  Last clearing of "show interface" counters never
AWS-DC-RTR#sh interfaces tenGigabitEthernet 0/0/1.35
TenGigabitEthernet0/0/1.35 is up, line protocol is up
  Hardware is BUILT-IN-2T+6X1GE, address is a0e0.af94.5001 (bia a0e0.af94.5001)
  Internet address is 10.10.2.4/24
  MTU 1500 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 4/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID  35.
  ARP type: ARPA, ARP Timeout 04:00:00
  Keepalive not supported
  Last clearing of "show interface" counters never
AWS-DC-RTR#

Can you share show ip bgp in AWS?

Also, are you pinging the AWS peer IP? This IP is for the underlay IGP; try pinging an IP advertised by BGP, not the BGP peer.

MHM

balaji.bandi
Hall of Fame

Where is that interface connected? If the other side is also a trunk and can understand VLAN tagging, try the config below:

interface TenGigabitEthernet0/0/1
no ip address
no shutdown

interface TenGigabitEthernet0/0/1.X   ! replace X with a different VLAN number
description "Prod DBNET access"
encapsulation dot1Q X   ! same VLAN number as X above
ip address 192.168.51.249 255.255.254.0
no ip proxy-arp
ip nbar protocol-discovery
!
interface TenGigabitEthernet0/0/1.4
encapsulation dot1Q 4
ip address 10.1.0.4 255.255.254.0

interface TenGigabitEthernet0/0/1.35
encapsulation dot1Q 35
ip address 10.10.2.4 255.255.255.0

BB


Hello, 

can you post a screenshot of your AWS Direct Connect --> Virtual Interfaces management console?

jroy777
Level 1

[attached screenshot: Virtual-interfaces-2024-05-08_06-35-24.png]

jroy777
Level 1

It turned out the AWS engineer had placed my routes on the AWS side. Once he removed them, it came up.

 

The AWS side is the underlay and your prefixes are the overlay; they must be kept separate.

That explains the issue.

Thanks a lot for updating.

MHM
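The show bgp table posted earlier in the thread already shows the pattern that matches this resolution: 10.1.0.0/23 and 10.10.2.0/24 each appear twice, once originated locally (next hop 0.0.0.0) and once learned back from 169.254.38.181. As an added example (not code from any poster in this thread), here is a small Python check that parses that table and flags locally originated prefixes the neighbour is also advertising to us; it goes slightly beyond the exact duplicates above by also catching a neighbour prefix that merely overlaps one of ours (covering or more specific). The sample table is constructed from the rows posted in the thread.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the rows of the "show bgp" table posted earlier in the thread.
SAMPLE_SHOW_BGP = """\
Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.0/23 0.0.0.0 0 32768 i
* 169.254.38.181 0 64513 i
*> 10.10.2.0/24 0.0.0.0 0 32768 i
* 169.254.38.181 0 64513 i
*> 10.22.0.0/16 169.254.38.181 0 64513 i
*> 169.254.38.180/30 0.0.0.0 0 32768 i
*> 192.168.50.0/23 0.0.0.0 0 32768 i
"""

def parse_show_bgp(text):
    """Return {prefix: [{"next_hop", "best", "local"}, ...]}.
    IOS prints extra paths for a prefix on following lines with the Network
    column blank, so a row whose first value is a bare IP (no "/") continues
    the previous prefix. Assumes CIDR masks are shown, as in the thread."""
    paths = defaultdict(list)
    current = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0][0] not in "*rsdh":
            continue  # header line
        status, rest = tokens[0], tokens[1:]
        if not rest or "." not in rest[0]:
            continue  # legend lines such as "r RIB-failure, S Stale"
        if "/" in rest[0]:
            current, rest = rest[0], rest[1:]
        if current is None or not rest:
            continue
        paths[current].append({
            "next_hop": rest[0],
            "best": ">" in status,
            "local": rest[0] == "0.0.0.0",  # originated on this router
        })
    return dict(paths)

def find_reflected_prefixes(paths):
    """Prefixes we originate that a neighbour also advertises to us, counting
    any neighbour prefix that overlaps ours (equal, covering or more specific)."""
    ours = [ipaddress.ip_network(p) for p, v in paths.items() if any(e["local"] for e in v)]
    flagged = set()
    for prefix, entries in paths.items():
        if any(not e["local"] for e in entries):  # at least one neighbour path
            net = ipaddress.ip_network(prefix)
            flagged.update(str(m) for m in ours if net.overlaps(m))
    return sorted(flagged)
```

Run against the sample it reports 10.1.0.0/23 and 10.10.2.0/24, while the purely AWS-side prefixes such as 10.22.0.0/16 are left alone.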

jroy777
Level 1

Thanks to all you gurus, you are greatly appreciated!

jroy777
Level 1

Something else has popped up. The ASR is connected to a FortiSwitch and the FortiSwitch is connected to an HP 5700 switch stack in our DMZ. The DMZ stack has 2 VLANs: 1) DMZ hosts 10.1.0.0/23 (native VLAN 1), 2) UAT hosts (VLAN 35). I set the port on the HP to VLAN 35 because the port on the FortiSwitch is set as 35 and upstream towards AWS is also dot1q 35. I cannot pass any traffic on VLAN 35. I can pass traffic on the DMZ subnet without issue. See drawing. Any recommendations? Yellow boxes show what's left that still is not working (only VLAN 35).

[attached drawing: jroy777_0-1715196013127.png]

Hosts in the UAT cannot ping the ASR 10.10.2.4 interface.

Hello,

are all links between the UAT hosts and the ASR layer 2 links? Are you using trunks? I guess it would help to see the relevant configs...

Here is Cisco:

interface TenGigabitEthernet0/0/0
mtu 8500
no ip address
!
interface TenGigabitEthernet0/0/0.2900
description "Direct Connect to Amazon VPC or Transit Gateway on AWS Cloud"
encapsulation dot1Q 2900
ip address 169.254.38.182 255.255.255.252
!
interface TenGigabitEthernet0/0/1
description "Prod DBNET access"
ip address 192.168.51.249 255.255.254.0
no ip proxy-arp
ip nbar protocol-discovery
!
interface TenGigabitEthernet0/0/1.4
encapsulation dot1Q 4
ip address 10.1.0.4 255.255.254.0
!
interface TenGigabitEthernet0/0/1.35
encapsulation dot1Q 35
ip address 10.10.2.4 255.255.255.0

Here is the FortiSwitch, only the relevant portions for ports 25 through 28 that are in use:

#global_vdom=1
config system global
set dst enable
set hostname "FortiSW-424E"
end
config switch vlan-tpid
edit "default"
set ether-type 0x8100
next
end
config switch physical-port
next
edit "port25"
set lldp-profile "default-auto-isl"
set speed auto-module
next
edit "port26"
set lldp-profile "default-auto-isl"
set speed auto-module
next
edit "port27"
set lldp-profile "default-auto-isl"
set speed auto-module
next
edit "port28"
set lldp-profile "default-auto-isl"
set speed auto-module
next
edit "internal"
next
end
config switch vlan
edit 1
set description "dbnet"
next
edit 35
set description "UAT"
next
edit 4
set description "dmz"
next
end
config switch interface
next
edit "port25"
set snmp-index 25
next
edit "port26"
set native-vlan 4
set snmp-index 26
next
edit "port27"
set native-vlan 35
set snmp-index 27
next
edit "port28"
set allowed-vlans 1,4,35
set edge-port disabled
set snmp-index 28
next
edit "internal"
set allowed-vlans 1,4,35
set stp-state disabled
set snmp-index 29
next
end
config switch stp instance
edit "0"
config stp-port
next
edit "port25"
next
edit "port26"
next
edit "port27"
next
edit "port28"
next
edit "internal"
next
end
next
edit "15"
set vlan-range 4094
next
end
next
end
config system interface
next
edit "internal"
set ip 192.168.50.41 255.255.254.0
set allowaccess ping https ssh
set type physical
set alias "internal"
set snmp-index 30
next
end
config router bgp
config redistribute "connected"
end
end

FortiSW-424E #

Here is HP Switch:

The HP gives me multiple link types: access, trunk or hybrid

[attached screenshot: HP-DMZ-2024-05-09_08-16-16.png]


