How to Configure BGP peering on Azure ExpressRoute - Cisco 9300 series switch
I have set up an ExpressRoute connection with private peering on Azure. Despite enabling and provisioning peering, BGP between the on-prem Cisco 9300 switch and the Azure ASN 65080 is down. However in Azure portal route summary table, it's showing connecting up/dwn. In the Cisco 9300 series, I created an SVI and assigned a primary private peering IP and a secondary private peering IP; I also configured BGP routing with the local ASN.
I do not have a router, so I'm using a Cisco 9300 series switch to terminate the ExpressRoute connection, e.g., GI1/0/43, and it uses the same vlan for Azure private peering.
Do I need to create other steps to establish BGP peering?
Any help will be appreciated.
Azure ExpressRoute
-
Ganesh Patapati 2,590 Reputation points • Microsoft Vendor
2024-10-17T18:43:18.5433333+00:00 Hi Dualeh Farah,
Greetings,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I'd be happy to help you troubleshoot the issue with your ExpressRoute connection and BGP peering.
- Since you're using a Cisco 9300 series switch to terminate the ExpressRoute connection, you need to ensure that the switch is configured to advertise the correct IP addresses and subnet masks to Azure.
The samples in this section apply to any router running the IOS-XE OS family.
Cisco IOS-XE based routers
To set up an ExpressRoute connection with private peering on Azure, you'll need to follow these steps:
Refer: https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-add-ipv6-portal
Refer: https://learn.microsoft.com/en-us/azure/expressroute/expressroute-circuit-peerings
Please let us know if we can be of any further assistance here.
Thanks,
Ganesh
Please Accept an answer if correct.
Original posters help the community find answers faster by identifying the correct answer.
-
Dualeh Farah 5 Reputation points
2024-10-18T14:25:41.0233333+00:00 Hi Ganesh,
Appreciate your help.
ExpressRoute terminated cisco 9300 switch, do i need to configure dot1q encapsulation on switch port which ExpressRoute connecting? I created 2 SVIs in my switch for Primary and secondary IP address 10.2.2.1/30 and 10.2.2.5/30.
-
Ganesh Patapati 2,590 Reputation points • Microsoft Vendor
2024-10-21T17:53:27.03+00:00 Hey Dualeh Farah,
**We appreciate your patience!**NOTE: configuring dot1q encapsulation on switch these are all done by the service provider ISP.
- As per azure end everything is clear and correct and its looks like misconfiguration from the vendor end, please confirm from their end and here is below limitation of the technical requirements from azure end
Hope this clarifies.
Thanks,
Ganesh
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
-
Dualeh Farah 5 Reputation points
2024-10-22T10:49:27.6166667+00:00 Hi Ganesh,
Thanks for your comment.
The BGP ASN for azure, could this be any private ASN e.g 64520 or it must be 12076 for Microsoft. Or do i need ISP ASN for their end.
Something not right in the configuration.
This is configuration my switch port where ExpressRoute connecting.
||Switch configuration||
!
int g1/0/3
no switchport
int g1/0/3.60
encapsulation dot1q 60
ip add 10.2.2.1 255.255.255.252
no shut
!
BGP confiruation
!
router bgp 64530
neigjbor 10.2.2.2 remoteas 12076
neigjbor 10.2.2.6 remoteas 12076
network 172.16.0.0 mask 255.255.255.0
!
||Azure portal Configuration||
Azure ASN 64511
Azure private peering
10.2.2.0/30 primary
10.2.2.4/30 secondary
Does anyone see where thing went wrong here, there is no bgp established between azure and on prem network and i'm bit confusing ExpressRoute set up.
-
Ganesh Patapati 2,590 Reputation points • Microsoft Vendor
2024-10-24T15:40:19.94+00:00 Hey Dualeh Farah,
We appreciate your patience!
First let me know are you using private peering or Microsoft peering.
- Microsoft uses AS 12076 for Azure public, Azure private and Microsoft peering. We have reserved ASNs from 65515 to 65520 for internal use. Both 16 bit and 32-bit AS numbers are supported.
- There are no requirements around data transfer symmetry. The forward and return paths may traverse different router pairs. Identical routes must be advertised from either sides across multiple circuit pairs belonging to you. Route metrics aren't required to be identical.
NOTE: These are the ASNs that we primarily use, please refer the below document.
Hope this clarifies, please let me know if you need any further assistance.
Thanks
Ganesh
-
Dualeh Farah 5 Reputation points
2024-10-25T08:50:11.6233333+00:00 Hi Ganesh,
I'm using Microsoft private peering.
The issue is BGP session not establishing betwwen on-prem switch and Azure. I can ping 10.2.2.2 from my cisco switch on-prem but no BGP established. See belwo On-prem switch BGP configuration
router bgp 64530
neigjbor 10.2.2.2 remoteas 12076
neigjbor 10.2.2.6 remoteas 12076
address-family ipv4
network 172.16.0.0 mask 255.255.255.0
neighbor 10.2.2.2 activate
neighbor 10.2.2.6 activate
exit-address-family
-
Ganesh Patapati 2,590 Reputation points • Microsoft Vendor
2024-10-25T14:39:40.9766667+00:00 Hi Dualeh Farah,
I hope you are doing well
I will share the BGP troubleshooting document with you and follow these steps and let me know in which step you are facing the issue?
Please let me know from these steps
- Verify circuit provisioning and state
- Validate peering configuration
- Validate ARP
- Validate BGP and routes on the MSEE
- Confirm the traffic flow
- Test private peering connectivity
- Verify availability of the virtual network gateway
I hope this clarifies
Regards,
Ganesh
-
Dualeh Farah 5 Reputation points
2024-10-25T15:36:28.8866667+00:00 Hi Ganesh,
1 - yes the circuit is provissioned state
2 - Peering configuration has done and verify
3 - ARP verify, on under private peering, ARP table pupolated
4 - On-prem switch, BGP was configured but no BGP route at all
5 - on-prem switch i can ping azure private peering IP address
6 - On VGN not sure if its sone-reduancy
-
Ganesh Patapati 2,590 Reputation points • Microsoft Vendor
2024-10-29T15:04:43.93+00:00 Hey Dualeh Farah,
We appreciate your patience!
Run the below commands and let me know where you are facing the issue:
And also go through these below documents it will tell you how to exactly get the route table of the private peering.
I hope these clarifies
Regards,
Ganesh
-
Ganesh Patapati 2,590 Reputation points • Microsoft Vendor
2024-10-30T14:47:58.8933333+00:00 Hey Dualeh Farah,
Good day!
- Just dropping in to see if you had a chance to read my response to your query about correcting the issue.
If you have any further concerns, please do not hesitate to contact us. We are pleased to help you.
I look forward to your response and appreciate your time on this.
Regards,
Ganesh
-
Ganesh Patapati 2,590 Reputation points • Microsoft Vendor
2024-11-01T09:36:27.0233333+00:00 Hey Dualeh Farah,
We appreciate your patience!
- Just dropping in to see if you had a chance to read my response to your query about correcting the issue.
If you have any further concerns, please do not hesitate to contact us. We are pleased to help you.
I look forward to your response and appreciate your time on this.
Regards,
Ganesh
-
Dualeh Farah 5 Reputation points
2024-11-04T12:18:42.2633333+00:00 Hi,
No it doesn't help, still no working.
-
Ganesh Patapati 2,590 Reputation points • Microsoft Vendor
2024-11-05T14:28:27.2733333+00:00 Hey Dualeh Farah,
We appreciate your patience!
- Please send me a screenshot of the exact issue you are experiencing when following these steps.
Regards,
Ganesh
-
Ganesh Patapati 2,590 Reputation points • Microsoft Vendor
2024-11-06T15:39:05.94+00:00 Hey Dualeh Farah,
We appreciate your patience!
- Please send me a screenshot of the exact issue you are experiencing when following these steps.
Regards,
Ganesh
-
Gabriel Joseph 0 Reputation points
2024-11-16T05:28:51.13+00:00 Hello Dualeh. Before you troubleshoot BGP you should make sure you can ping from the SVI to the Azure IP in the same subnet. If you can’t, you have other issues to solve first, like making sure you are correctly handling the VLAN tags.
Can you share more about how your provider provisioned your circuit? How are they presenting the primary and secondary VXCs? One physical handoff or two? Are they giving you dot1q (single-tagged) or QinQ (double-tagged) VLANs?
Note that the configuration examples provided are for router platforms. A C9300 switch has certain layer 3 capabilities but depending how your provider has provisioned your circuit a L3 switch may not support the features you need to peer with Azure. (I learned this the hard way, after purchasing a C9300!)
Sign in to comment