I need help in configuring the network (BGP & 2 ISP)

florinmarian (Level 1)

Greetings, friends!
After noticing that in this community there really are people willing to help and teach you, I come again with some problems to which I hope I will find an answer (either directly or indirectly).

Let me describe my resources:
- The Cisco WS-4948E switch
- ASN AS57XXX
- Subnets 188.241.XXX.0/24, 188.241.YYY.0/24 and 2a0e:8f02:XXXX::/48 respectively
- ISP A, which does not support BGP session, having the IP address 192.168.1.XXX configured on the switch, unable to give up the router provided by the ISP
- ISP B which supports BGP session, having the IP address 10.192.63.XXX configured on the switch, without having any public IP address or any intermediate device between the switch and the ISP

What I want:
1. How should the network be divided into VLANs, knowing that I connect ports GigabitEthernet1/1 and GigabitEthernet1/2 to the router of the first ISP and GigabitEthernet1/3 to the 2nd ISP, and I want the other ports of the switch to be considered consumers that can only have IP addresses from the 3 subnets listed above (so the switch should serve as a gateway with the IPs 188.241.XXX.1, 188.241.YYY.1 and 2a0e:8f02:XXXX::1)?
2. In what way can the 2 ISPs be used, knowing that one allows a BGP session and the other does not, but the one that does not allow a BGP session still does not filter the IPs?

Configuration examples would be welcome because it's the first time I'm interacting with a Cisco switch.

Thank you!


marce1000 (VIP)

To achieve your goals, you can configure VLANs on the Cisco WS-4948E switch and assign IP addresses to the VLAN interfaces. Here's a configuration example:

VLAN configuration:
You can divide the network into VLANs as per your requirement. In this example, we'll create three VLANs: VLAN100, VLAN200 and VLAN300:

vlan 100
name ISP1
!
vlan 200
name ISP2
!
vlan 300
name Consumer
!

 
Configure the interfaces connecting to the ISPs and the other switch ports :
interface GigabitEthernet1/1
description Connection to ISP1 Router
switchport mode trunk
switchport trunk allowed vlan 100, 300
!
interface GigabitEthernet1/2
description Connection to ISP1 Router
switchport mode trunk
switchport trunk allowed vlan 100, 300
!
interface GigabitEthernet1/3
description Connection to ISP2 Router
switchport mode trunk
switchport trunk allowed vlan 200, 300
!
interface range GigabitEthernet1/4 - 48
description Consumer Ports
switchport mode access
switchport access vlan 300
!

Assign IP addresses to the VLAN interfaces to act as gateways for their respective subnets.
interface Vlan100
description ISP1 VLAN
ip address 192.168.1.XXX 255.255.255.0
!
interface Vlan200
description ISP2 VLAN
ip address 10.192.63.XXX 255.255.255.0
!
interface Vlan300
description Consumer VLAN
ip address 188.241.XXX.1 255.255.255.0
ipv6 address 2a0e:8f02:XXXX::1/48
!

Set the default routes to direct the traffic towards the respective ISPs.
ip route 0.0.0.0 0.0.0.0 192.168.1.XXX
ip route 0.0.0.0 0.0.0.0 10.192.63.XXX
Make sure to replace XXX with the appropriate IP addresses based on your actual configuration.

Regarding the usage of the two ISPs, here's what you can do:

For ISP1 (which does not support BGP), you can configure static routes on the router provided by the ISP to direct the traffic to your Cisco switch as the default gateway. The switch will then handle the routing based on the VLAN interfaces and subnets.

For ISP2 (which supports BGP), you can establish a BGP session between the Cisco switch and the ISP's router. You'll need to configure BGP settings such as autonomous system number (ASN), BGP neighbors, and route advertisements. Here's a high-level example:

router bgp AS57XXX
neighbor 10.192.63.YYY remote-as ISP2_ASN
!
address-family ipv4
network 188.241.XXX.0 mask 255.255.255.0
network 188.241.YYY.0 mask 255.255.255.0
exit-address-family

Replace AS57XXX with your actual ASN and ISP2_ASN with the ASN of ISP2.

Note: BGP configuration requires coordination with your ISP and understanding of their specific requirements and configurations. It's recommended to consult with your ISP's technical support for detailed BGP configuration instructions.

Remember to save the configuration after making the changes. You can do so by running the write command.
Note that all of this is given 'without warranty'; review and/or test for business implementations.

 M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Thank you very much!
I still have a few questions:
1. Shouldn't somewhere like "GigabitEthernet1/1, GigabitEthernet1/2 and GigabitEthernet1/3" be part of the previously defined vlans? (is the switchport access vlan XXX command missing next to each interface?)
2. Won't the clients be able to assign themselves IP addresses from the 192.168.1.0/24 range and access the router of the first ISP, a router to which they should not have access?
3. Shouldn't there be an algorithm or something that makes it possible to ingress or egress on the first ISP so that we can benefit from its network even if we don't have a BGP session but it still doesn't filter the IPs?

 

>...1. Shouldn't somewhere like "GigabitEthernet1/1, GigabitEthernet1/2 and GigabitEthernet1/3" be part of the previously defined vlans? (is the switchport access vlan XXX command missing next to each interface?)

That is incorporated in the trunk setup and/or the respective switchport trunk allowed vlan ... commands.

>...2. Won't the clients be able to assign themselves IP addresses from the 192.168.1.0/24 range and access the router of the first ISP, a router to which they should not have access?

Clients can always assign IP addresses to themselves, but correct network operation can only work by the addressing schemes that you provide, usually done by DHCP.

 M.




Okay, so Gi1/1, Gi1/2 and Gi1/3 are missing from the list => they're set up well.

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
100  Orange                           active
200  RCS&RDS                          active
300  Clients                          active    Gi1/4, Gi1/5, Gi1/6, Gi1/7
                                                Gi1/8, Gi1/9, Gi1/10, Gi1/11
                                                Gi1/12, Gi1/13, Gi1/14, Gi1/15
                                                Gi1/16, Gi1/17, Gi1/18, Gi1/19
                                                Gi1/20, Gi1/21, Gi1/22, Gi1/23
                                                Gi1/24, Gi1/25, Gi1/26, Gi1/27
                                                Gi1/28, Gi1/29, Gi1/30, Gi1/31
                                                Gi1/32, Gi1/33, Gi1/34, Gi1/35
                                                Gi1/36, Gi1/37, Gi1/38, Gi1/39
                                                Gi1/40, Gi1/41, Gi1/42, Gi1/43
                                                Gi1/44, Gi1/45, Gi1/46, Gi1/47
                                                Gi1/48, Te1/49, Te1/50, Te1/51
                                                Te1/52

 

Now, about what I think remains unresolved: customers should not be able to connect to the local network (192.168.1.0/24); that network should only be used as egress, "as a NAT", that lets them use the 2Gbps (1Gbps per port) even without a BGP connection and even if they're using IPs from 188.241.XXX.0/24 or 188.241.YYY.0/24.
Somehow, with ISP2, I set up the BGP session so that the Internet knows where and by which route it must come to access a service from my subnets, but when a client of mine wants to download a resource from the Internet, he should use either ISP1 or one of them at random (like a load balancer?).
Thank you!
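The concern raised above (clients self-assigning 192.168.1.x addresses and reaching the ISP1 router) is answered in the thread only with "clients can always assign IP addresses to themselves". Because the ISP routers sit in VLANs 100 and 200, a consumer on VLAN 300 has no layer-2 path to them; what remains open is the routed path through the switch's own SVIs. The following is an added example, not configuration from any poster in this thread: an ingress filter on the consumer SVI that closes that path and at the same time only accepts the announced prefixes as source addresses. Prefixes are the thread's own placeholders (XXX/YYY); the 10.192.63.0/24 mask is taken from the earlier reply and must match what ISP2 actually assigned. IPv6 ACLs on the SVI assume the feature is available on your IOS image and license.

```cisco
! Added example, not from the thread. XXX/YYY are the thread's placeholders;
! 10.192.63.0/24 follows the earlier reply and must match the real ISP2 assignment.
!
! IPv4: consumers may only source from the two announced /24s and may never
! reach the ISP transit networks (192.168.1.0/24 towards ISP1, 10.192.63.0/24 towards ISP2).
ip access-list extended CONSUMER-IN
 remark Block the ISP transit networks regardless of source address
 deny   ip any 192.168.1.0 0.0.0.255
 deny   ip any 10.192.63.0 0.0.0.255
 remark Anti-spoofing: only the announced prefixes are valid sources
 permit ip 188.241.XXX.0 0.0.0.255 any
 permit ip 188.241.YYY.0 0.0.0.255 any
 remark Everything else, e.g. a client that gave itself 192.168.1.x, is dropped
 deny   ip any any
!
! IPv6: same idea. Neighbour discovery and router solicitation must be permitted
! explicitly, because an explicit "deny ipv6 any any" overrides the implicit
! ND permits at the end of an IPv6 ACL.
ipv6 access-list CONSUMER-IN-V6
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit icmp any any router-solicitation
 permit ipv6 2a0e:8f02:XXXX::/48 any
 deny   ipv6 any any
!
! Apply inbound on the consumer SVI: this filters traffic the switch would
! route out of VLAN 300, not traffic between hosts inside VLAN 300.
interface Vlan300
 description Consumer VLAN
 ip access-group CONSUMER-IN in
 ipv6 traffic-filter CONSUMER-IN-V6 in
```

With this in place a consumer that configures 192.168.1.50 on itself gets no answer from the ISP1 router: the frame never reaches VLAN 100 at layer 2, and the switch drops the routed attempt because neither the destination (denied) nor the source (not an announced prefix) passes the filter. Adding `log` to the final deny entries is useful while testing, but on this platform logged hits are processed in software and rate-limited, so remove it once the filter is verified.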

I need to see the topology.

I tried to be as concrete as possible in the explanations; I'm afraid I'm not able to describe the topology in a professional way.

One side does not support BGP and the other supports BGP; this point is not clear to me.

ISP1 doesn't offer BGP sessions (so it won't announce the 3 subnets for me), but it doesn't filter the IP addresses coming out of its router. In other words, I could do IP spoofing with any IP in the world, but I don't want to do such a thing; I want to use this advantage to have egress from the 3 subnets through them.
Maybe this is clearer: ISP1 has 2Gbps unguaranteed and ISP2 has 150Mbps guaranteed.
My goal is to have 150Mbps upload and 1-2Gbps download through the 3 public subnets I have.
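One point a practitioner should weigh before building the split described above: inbound traffic for the three prefixes can only arrive through the ISP that announces them, which is ISP2. Egress via ISP1 therefore adds upload capacity, while downloads to hosts in 188.241.XXX.0/24 or 188.241.YYY.0/24 are bounded by the ISP2 link, and every flow becomes asymmetric (out via ISP1, back via ISP2). The following is an added example, not configuration from any poster in this thread, of how that split is expressed on the switch, together with the outbound BGP filtering none of the thread's configurations include. ISP1_GW, ISP2_GW, ISP2_GW6 and ISP2_ASN are placeholders; XXX and YYY are the thread's own masked values.

```cisco
! Added example, not from the thread. ISP1_GW / ISP2_GW / ISP2_GW6 / ISP2_ASN are
! placeholders; XXX and YYY are the thread's own masked values.
!
! Egress: all traffic leaves via ISP1's router (static default, AD 1).
! The floating static via ISP2 (AD 250) only takes over if ISP1's next hop disappears;
! a default received from ISP2 over eBGP (AD 20) would also lose to the AD 1 route.
ip route 0.0.0.0 0.0.0.0 ISP1_GW
ip route 0.0.0.0 0.0.0.0 ISP2_GW 250
!
! Ingress: only ISP2 learns the prefixes, so return traffic arrives on that link.
! Announce nothing but your own prefixes; a leaked default or a route learned
! elsewhere would turn this switch into a transit path for ISP2.
ip prefix-list MY-PREFIXES-V4 seq 10 permit 188.241.XXX.0/24
ip prefix-list MY-PREFIXES-V4 seq 20 permit 188.241.YYY.0/24
ipv6 prefix-list MY-PREFIXES-V6 seq 10 permit 2a0e:8f02:XXXX::/48
!
! A "network" statement is only advertised when an exact-match route exists.
! If the consumer SVI carries a /64 (as in the configuration posted later in the
! thread) rather than the /48, pin the /48 so the announcement is actually sent.
ipv6 route 2a0e:8f02:XXXX::/48 Null0
!
ipv6 unicast-routing
!
router bgp AS57XXX
 neighbor ISP2_GW remote-as ISP2_ASN
 neighbor ISP2_GW6 remote-as ISP2_ASN
 !
 address-family ipv4
  network 188.241.XXX.0 mask 255.255.255.0
  network 188.241.YYY.0 mask 255.255.255.0
  neighbor ISP2_GW activate
  neighbor ISP2_GW prefix-list MY-PREFIXES-V4 out
  ! size this to what ISP2 agreed to send (default only vs. full table)
  neighbor ISP2_GW maximum-prefix 1000
 exit-address-family
 !
 address-family ipv6
  network 2a0e:8f02:XXXX::/48
  neighbor ISP2_GW6 activate
  neighbor ISP2_GW6 prefix-list MY-PREFIXES-V6 out
  neighbor ISP2_GW6 maximum-prefix 1000
 exit-address-family
```

The outbound prefix-lists are the part worth keeping even if the rest changes: `show ip bgp neighbors ISP2_GW advertised-routes` should list exactly the two /24s and nothing else. Sending 188.241 sources out through ISP1 works only as long as ISP1 keeps not filtering them; if ISP1 ever deploys source-address validation, egress silently fails and the floating static via ISP2 does not help, because the ISP1 next hop is still reachable.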

Please write a note on this simple topology indicating which traffic goes where.

Screenshot (471).png

florinmarian (Level 1)

Hello!

I tried on my own to configure BGP routing, but I fail to find the issue with the BGP connection.

Please see above outputs to understand what I did.

Starting from scratch, I used those commands to configure my network:

vlan 100
name Orange
!
vlan 200
name RCS&RDS
!
vlan 300
name Clients
!
interface GigabitEthernet1/1
description Connection to Orange Router
switchport mode access
switchport access vlan 100
no shutdown
!
interface GigabitEthernet1/2
description Connection to Orange Router
switchport mode access
switchport access vlan 100
no shutdown
!
interface GigabitEthernet1/3
description Connection to RCS&RDS Router
switchport mode access
switchport access vlan 200
no shutdown
!
interface range GigabitEthernet1/4 - 48
description Consumer Ports
switchport mode access
switchport access vlan 300
!
interface range TenGigabitEthernet1/49 - 52
description Consumer Ports
switchport mode access
switchport access vlan 300
!
interface vlan 100
description Conexiune Orange
ip address 192.168.1.2 255.255.255.0
no shutdown
!
interface vlan 200
description Conexiune RCSRDS
ip address 10.XXX.63.19 255.255.255.248
ipv6 address 2a02:2f08:XXXX::2/126
no shutdown
!
interface vlan 300
description Conexiune Servere
no shutdown
ip address 188.241.ABC.1 255.255.255.0
ip address 188.241.DEF.1 255.255.255.0 secondary
ipv6 address 2a0e:8f02:XXXX::1/64
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 10.XXX.63.17
ip route 0.0.0.0 0.0.0.0 10.XXX.63.18
ipv6 route ::/0 2a02:2f08:XXXX::1
!
ipv6 unicast-routing
!
router bgp 57403
  bgp router-id 10.XXX.63.19
  neighbor 10.XXX.63.17 remote-as 8708
  neighbor 10.XXX.63.17 description Conexiune IPv4 la ISP
  neighbor 10.XXX.63.17 activate
  neighbor 10.XXX.63.17 soft-reconfiguration inbound
  neighbor 10.XXX.63.18 remote-as 8708
  neighbor 10.XXX.63.18 description Conexiune IPv4 la ISP
  neighbor 10.XXX.63.18 activate
  neighbor 10.XXX.63.18 soft-reconfiguration inbound
  address-family ipv4
    network 188.241.ABC.0 mask 255.255.255.0
    network 188.241.DEF.0 mask 255.255.255.0
  exit-address-family
  address-family ipv6
    network 2a0e:8f02:XXXX::/48
  exit-address-family
end

 

Logs:

Switch#ping 10.XXX.63.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.XXX.63.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/16 ms
Switch#ping 10.XXX.63.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.XXX.63.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/13/24 ms
Switch#show ip bgp summary
BGP router identifier 10.XXX.63.19, local AS number 57403
BGP table version is 1, main routing table version 1

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.XXX.63.17    4         8708       0       0        1    0    0 never    Active
10.XXX.63.18    4         8708       0       0        1    0    0 never    Active

BGP debugging info:

*May 26 04:38:00.366: BGP: 10.XXX.63.17 Active open failed - tcb is not available, open active delayed 8192ms (35000ms max, 60% jitter)
*May 26 04:38:00.366: BGP: ses global 10.XXX.63.17 (0x2700B224:0) act Reset (Active open failed).
*May 26 04:38:00.366: BGP: 10.XXX.63.17 active went from Active to Idle
*May 26 04:38:00.366: BGP: nbr global 10.XXX.63.17 Active open failed - open timer running
*May 26 04:38:00.366: BGP: nbr global 10.XXX.63.17 Active open failed - open timer running
*May 26 04:38:01.086: BGP: 10.XXX.63.18 active went from Idle to Active
*May 26 04:38:01.086: BGP: 10.XXX.63.18 open active, local address 10.XXX.63.19
*May 26 04:38:08.254: BGP: 10.XXX.63.17 active went from Idle to Active
*May 26 04:38:08.254: BGP: 10.XXX.63.17 open active, local address 10.XXX.63.19
*May 26 04:38:24.406: BGP: topo global:IPv4 Unicast:base Scanning routing tables
*May 26 04:38:24.406: BGP: topo global:IPv6 Unicast:base Scanning routing tables
*May 26 04:38:24.406: BGP: topo global:IPv4 Multicast:base Scanning routing tables
*May 26 04:38:24.406: BGP: topo global:L2VPN E-VPN:base Scanning routing tables
*May 26 04:38:31.086: BGP: 10.XXX.63.18 open failed: Connection timed out; remote host not responding

Basically, from a laptop configured with IPv6 only (GigabitEthernet1/4 - 48), I cannot ping the IP address of ipv6.google.com, but only the address ::1 of the server that serves as a gateway.
Following the thread of the problem, it seems to be related to the fact that the BGP connection is not established with the ISP routers, although I can ping the respective IP addresses and the AS number is correct.

Any help is welcome.

Thank you!

Add

neighbor 10.XXX.63.17 activate
neighbor 10.XXX.63.18 activate

under the address-family ipv4.

I tried something like this, but it doesn't change the situation in any way:

router bgp 57403
  bgp router-id 10.XXX.63.19
  neighbor 10.XXX.63.17 remote-as 8708
  neighbor 10.XXX.63.17 description Conexiune IPv4 la ISP
  neighbor 10.XXX.63.17 soft-reconfiguration inbound
  neighbor 10.XXX.63.18 remote-as 8708
  neighbor 10.XXX.63.18 description Conexiune IPv4 la ISP
  neighbor 10.XXX.63.18 soft-reconfiguration inbound
  neighbor 2a02:2f08:XXXX::1 remote-as 8708
  neighbor 2a02:2f08:XXXX::1 description Conexiune IPv6 la ISP
  neighbor 2a02:2f08:XXXX::1 soft-reconfiguration inbound
  address-family ipv4
    neighbor 10.XXX.63.17 activate
    neighbor 10.XXX.63.18 activate
    network 188.241.ABC.0 mask 255.255.255.0
    network 188.241.DEF.0 mask 255.255.255.0
  exit-address-family
  address-family ipv6
    neighbor 2a02:2f08:XXXX::1 activate
    network 2a0e:8f02:f04f::/48
  exit-address-family
end

Thank you for your help!

This is eBGP; are both peers directly connected via the same subnet? If not, you need ebgp-multihop.


Yes, the same ISP is using this 10.XXX.63.16/29 and 2a02:2f08:XXXX::/126 for our BGP announcements.

Thank you!
