12-27-2017 08:11 AM - edited 03-05-2019 09:41 AM
We have 6 offices: Denver, Omaha, St. Louis, Atlanta, Wash. D.C. and HQ. Right now we have all of the regional offices using the HQ DIA except St. Louis, because they have their own DIA. I would like to have Denver and Omaha use that DIA, and when I manipulate my BGP they do make it to that circuit but will not access the internet.
This is what my bgp settings look like now:
router bgp 2xxxx
bgp log-neighbor-changes
network 172.16.16.0 mask 255.255.255.128
neighbor 192.xxx.x.xx remote-as 3xxx
neighbor 192.xxx.x.xx version 4
neighbor 192.xxx.x.xx soft-reconfiguration inbound
I will add neighbor 192.xxx.x.xx default-originate and redistribute static, since the DIA is on a sub-interface and has a static route. Still won't access the internet.
interface GigabitEthernet0/0/1.1
description VPN VLAN
encapsulation dot1Q 2291
ip address 192.xxx.x.xx 255.255.255.252
ip flow monitor CasMon input
ip policy route-map vpndia
no cdp enable
!
interface GigabitEthernet0/0/1.2
description DIA
encapsulation dot1Q 200
ip address 64.xxx.xxx.xx 255.255.255.252
ip nat outside
ip flow monitor CasMon input
ip policy route-map vpndia
no cdp enable
ip virtual-reassembly
and of course my overload:
ip nat inside source list 13 interface GigabitEthernet0/0/1.2 overload
The route-maps:
route-map vpndia permit 10
match ip address 120
set default interface GigabitEthernet0/0/1.1
!
route-map vpndia permit 20
set default interface GigabitEthernet0/0/1.2
Access List:
access-list 13 permit any
The bgp settings for the Omaha and Denver office are the same as above.
Does it look like I am missing anything from either side of the bgp settings?
Thanks for any help.
12-27-2017 09:19 AM
Hello,
so you want Denver and Omaha to use St. Louis for Internet access? What is the output of 'show ip route' from either Denver or Omaha? Can you post the full configs of either Denver or Omaha, and St. Louis?
12-27-2017 09:41 AM
Here is the ip route of Omaha. I will post the configs in separate posts.
Omaha_mpls#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 192.168.0.25 to network 204.76.10.0
S* 0.0.0.0/0 [20/0] via 192.168.0.25
4.0.0.0/29 is subnetted, 1 subnets
B 4.28.237.88 [20/0] via 192.168.0.25, 6w6d
64.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B 64.210.123.31/32 [20/0] via 192.168.0.25, 6w6d
B 64.211.191.248/30 [20/0] via 192.168.0.25, 6w6d
162.97.0.0/16 is variably subnetted, 3 subnets, 2 masks
B 162.97.0.26/32 [20/0] via 192.168.0.25, 6w6d
B 162.97.88.52/30 [20/0] via 192.168.0.25, 6w6d
B 162.97.89.200/30 [20/0] via 192.168.0.25, 6w6d
172.16.0.0/16 is variably subnetted, 13 subnets, 5 masks
B 172.16.0.0/16 [20/0] via 192.168.0.25, 6w6d
B 172.16.11.128/26 [20/0] via 192.168.0.25, 6w6d
B 172.16.14.0/24 [20/0] via 192.168.0.25, 6w6d
B 172.16.14.0/25 [20/0] via 192.168.0.25, 5w1d
B 172.16.15.0/24 [20/0] via 192.168.0.25, 6w6d
B 172.16.15.0/25 [20/0] via 192.168.0.25, 3d10h
B 172.16.16.0/24 [20/0] via 192.168.0.25, 6w6d
B 172.16.16.0/25 [20/0] via 192.168.0.25, 1d05h
B 172.16.17.0/24 [20/0] via 192.168.0.25, 6w6d
B 172.16.18.0/24 [20/0] via 192.168.0.25, 6w6d
C 172.16.18.0/25 is directly connected, GigabitEthernet0/0/0
L 172.16.18.2/32 is directly connected, GigabitEthernet0/0/0
B 172.16.180.0/24 [20/0] via 192.168.0.25, 5w1d
172.17.0.0/24 is subnetted, 1 subnets
B 172.17.26.0 [20/0] via 192.168.0.25, 6w6d
172.20.0.0/24 is subnetted, 1 subnets
B 172.20.1.0 [20/0] via 192.168.0.25, 6w6d
192.168.0.0/24 is variably subnetted, 7 subnets, 2 masks
B 192.168.0.8/30 [20/0] via 192.168.0.25, 6w6d
B 192.168.0.12/30 [20/0] via 192.168.0.25, 6w6d
B 192.168.0.16/30 [20/0] via 192.168.0.25, 6w6d
B 192.168.0.20/30 [20/0] via 192.168.0.25, 6w6d
C 192.168.0.24/30 is directly connected, GigabitEthernet0/0/1
L 192.168.0.26/32 is directly connected, GigabitEthernet0/0/1
B 192.168.0.32/30 [20/0] via 192.168.0.25, 6w6d
192.168.10.0/30 is subnetted, 1 subnets
B 192.168.10.252 [20/0] via 192.168.0.25, 6w6d
192.221.222.0/30 is subnetted, 6 subnets
B 192.221.222.32 [20/0] via 192.168.0.25, 6w6d
B 192.221.222.44 [20/0] via 192.168.0.25, 6w6d
B 192.221.222.48 [20/0] via 192.168.0.25, 6w6d
B 192.221.222.52 [20/0] via 192.168.0.25, 6w6d
B 192.221.222.56 [20/0] via 192.168.0.25, 6w6d
B 192.221.222.60 [20/0] via 192.168.0.25, 6w6d
192.233.90.0/30 is subnetted, 1 subnets
B 192.233.90.248 [20/0] via 192.168.0.25, 6w6d
192.233.91.0/30 is subnetted, 1 subnets
B 192.233.91.72 [20/0] via 192.168.0.25, 6w6d
192.233.93.0/30 is subnetted, 1 subnets
B 192.233.93.24 [20/0] via 192.168.0.25, 6w6d
199.76.222.0/30 is subnetted, 1 subnets
B 199.76.222.188 [20/0] via 192.168.0.25, 6w6d
B 204.76.8.0/24 [20/0] via 192.168.0.25, 6w6d
B* 204.76.10.0/24 [20/0] via 192.168.0.25, 6w6d
B 204.76.13.0/24 [20/0] via 192.168.0.25, 6w6d
208.49.240.0/29 is subnetted, 1 subnets
B 208.49.240.40 [20/0] via 192.168.0.25, 6w6d
208.50.228.0/25 is subnetted, 1 subnets
B 208.50.228.128 [20/0] via 192.168.0.25, 2w0d
209.130.198.0/28 is subnetted, 1 subnets
B 209.130.198.64 [20/0] via 192.168.0.25, 6w6d
12-27-2017 09:45 AM
Here is Omaha:
Current configuration : 6893 bytes
!
! Last configuration change at 05:15:11 CST Wed Dec 27 2017 by dmpeter
!
version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no platform punt-keepalive disable-kernel-core
!
hostname Omaha_mpls
!
boot-start-marker
boot system bootflash:isr4300-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa group server tacacs+ taclogin
server name AUTH
!
aaa authentication attempts login 5
aaa authentication login default group taclogin local
aaa accounting exec tac_acct start-stop group taclogin
aaa accounting commands 15 tac_acct start-stop group taclogin
aaa accounting network tac_acct start-stop group taclogin
aaa accounting connection tac_acct start-stop group taclogin
!
!
!
!
!
!
aaa session-id common
clock timezone CST 4 0
clock summer-time CST recurring
no ip source-route
!
ip multicast-routing distributed
!
!
!
!
!
!
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name neca.org
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
flow exporter Cascade
destination 172.xx.x.xx
!
!
flow monitor CasMon
exporter Cascade
record netflow-original
!
!
!
!
crypto pki trustpoint TP-self-signed-1520460634
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1520460634
revocation-check none
rsakeypair TP-self-signed-1520460634
!
!
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
no cdp run
!
ip tcp synwait-time 10
!
!
!
!
!
interface GigabitEthernet0/0/0
description Inside Office
ip address 172.16.18.2 255.255.255.128
ip helper-address 172.16.18.15
no ip redirects
ip pim sparse-dense-mode
ip flow monitor CasMon input
ip access-group 107 in
standby 1 ip 172.16.18.1
standby 1 priority 80
standby 1 preempt
media-type rj45
speed 100
no negotiation auto
!
interface GigabitEthernet0/0/1
description ISP Side
bandwidth 10240
ip address 192.168.0.26 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
ip nbar protocol-discovery
ip flow monitor CasMon input
speed 100
no negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
router bgp 19094
bgp log-neighbor-changes
network 172.16.18.0 mask 255.255.255.128
neighbor 192.168.0.25 remote-as 3549
neighbor 192.168.0.25 version 4
neighbor 192.168.0.25 soft-reconfiguration inbound
!
ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ip http server
ip http authentication local
ip http secure-server
ip http secure-ciphersuite rc4-128-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tftp source-interface GigabitEthernet0/0/0
ip default-network 204.76.10.0
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip bgp-community new-format
!
logging trap debugging
logging host 172.20.1.20
access-list 99 permit 0.0.0.0
access-list 107 permit tcp host 172.20.1.99 eq tacacs host 172.16.18.2
access-list 107 deny tcp any any eq 161
access-list 107 deny tcp any any eq 162
access-list 107 deny tcp any any eq 199
access-list 107 deny udp any any eq 199
access-list 107 deny tcp any any eq 391
access-list 107 deny udp any any eq 391
access-list 107 deny tcp any any eq 705
access-list 107 deny tcp any any eq 1993
access-list 107 deny udp any any eq 1993
access-list 107 permit ip any any
access-list 110 remark admin access
access-list 110 remark SDM_ACL Category=1
access-list 110 permit ip 172.0.0.0 0.255.255.255 any
access-list 110 permit ip 204.76.10.0 0.0.0.255 any
access-list 110 permit ip 204.76.13.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip any any
access-list 190 permit ip any any precedence critical
access-list 191 permit tcp any eq www any
access-list 191 permit tcp any eq 443 any
!
!
tacacs-server timeout 10
tacacs-server directed-request
tacacs server AUTH
address ipv4 172.20.1.99
!
!
!
control-plane
!
banner login ^Cc
You have accessed a confidential and proprietary computing network. Access beyond this point is unlawful without previous authorization from NECA.^C
!
line con 0
exec-timeout 5 0
accounting connection tac_acct
accounting commands 15 tac_acct
accounting exec tac_acct
transport output telnet
stopbits 1
line aux 0
exec-timeout 4 0
accounting connection tac_acct
accounting commands 15 tac_acct
accounting exec tac_acct
transport output telnet
stopbits 1
line vty 0 4
access-class 110 in
exec-timeout 4 0
privilege level 15
accounting connection tac_acct
accounting commands 15 tac_acct
accounting exec tac_acct
length 0
transport input ssh
!
ntp authenticate
!
end
12-27-2017 09:49 AM
Here is St. Louis:
Current configuration : 7972 bytes
!
! Last configuration change at 05:44:43 CST Wed Dec 27 2017 by dmpeter
!
version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no platform punt-keepalive disable-kernel-core
!
hostname StLouis_mpls
!
boot-start-marker
boot system bootflash:isr4300-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
aaa new-model
!
!
aaa group server tacacs+ taclogin
server name AUTH
!
aaa authentication attempts login 5
aaa authentication login default group taclogin local
aaa accounting exec tac_acct start-stop group taclogin
aaa accounting commands 15 tac_acct start-stop group taclogin
aaa accounting network tac_acct start-stop group taclogin
aaa accounting connection tac_acct start-stop group taclogin
!
!
!
!
!
!
aaa session-id common
clock timezone CST 4 0
clock summer-time CST recurring
no ip source-route
!
ip multicast-routing distributed
!
!
!
!
!
!
!
!
!
!
no ip bootp server
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
flow exporter Cascade
destination 172.xx.x.xx
!
!
flow monitor CasMon
exporter Cascade
record netflow-original
!
!
!
!
crypto pki trustpoint TP-self-signed-2293929639
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2293929639
revocation-check none
rsakeypair TP-self-signed-2293929639
!
!
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
no cdp run
!
ip tcp synwait-time 10
!
!
!
!
!
interface GigabitEthernet0/0/0
description Inside Office
ip address 172.16.16.2 255.255.255.128
ip helper-address 172.16.16.15
no ip redirects
ip nat inside
ip pim sparse-dense-mode
ip flow monitor CasMon input
ip access-group 107 in
standby 1 ip 172.16.16.1
standby 1 priority 80
standby 1 preempt
media-type rj45
speed 100
no negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
description ISP Side
bandwidth 20480
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
ip nbar protocol-discovery
ip flow monitor CasMon input
speed 100
no negotiation auto
!
interface GigabitEthernet0/0/1.1
description VPN VLAN
encapsulation dot1Q 2291
ip address 192.168.0.18 255.255.255.252
ip flow monitor CasMon input
ip policy route-map vpndia
no cdp enable
!
interface GigabitEthernet0/0/1.2
description DIA
encapsulation dot1Q 200
ip address 64.215.113.38 255.255.255.252
ip nat outside
ip flow monitor CasMon input
ip policy route-map vpndia
no cdp enable
ip virtual-reassembly
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
router bgp 21616
bgp log-neighbor-changes
network 172.16.16.0 mask 255.255.255.128
neighbor 192.168.0.17 remote-as 3549
neighbor 192.168.0.17 version 4
neighbor 192.168.0.17 soft-reconfiguration inbound
!
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source list 13 interface GigabitEthernet0/0/1.2 overload
ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ip http server
ip http authentication local
ip http secure-server
ip http secure-ciphersuite rc4-128-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tftp source-interface GigabitEthernet0/0/0
ip default-network 204.76.10.0
ip route 0.0.0.0 0.0.0.0 64.215.113.37
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip bgp-community new-format
!
logging trap debugging
logging host 172.20.1.20
access-list 13 permit any
access-list 99 permit 0.0.0.0
access-list 107 permit tcp host 172.20.1.99 eq tacacs host 172.16.16.2
access-list 107 deny tcp any any eq 161
access-list 107 deny tcp any any eq 162
access-list 107 deny tcp any any eq 199
access-list 107 deny udp any any eq 199
access-list 107 deny tcp any any eq 391
access-list 107 deny udp any any eq 391
access-list 107 deny tcp any any eq 705
access-list 107 deny tcp any any eq 1993
access-list 107 deny udp any any eq 1993
access-list 107 permit ip any any
access-list 110 remark admin access
access-list 110 remark SDM_ACL Category=1
access-list 110 permit ip 172.0.0.0 0.255.255.255 any
access-list 110 permit ip 204.76.10.0 0.0.0.255 any
access-list 110 permit ip 204.76.13.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip any any
access-list 120 permit ip 172.0.0.0 0.255.255.255 any
access-list 120 permit ip 204.76.10.0 0.0.0.255 any
access-list 120 permit ip 204.76.13.0 0.0.0.255 any
access-list 120 permit ip 192.168.0.0 0.0.255.255 any
access-list 190 permit ip any any precedence critical
access-list 191 permit tcp any eq www any
access-list 191 permit tcp any eq 443 any
!
route-map vpndia permit 10
match ip address 120
set default interface GigabitEthernet0/0/1.1
!
route-map vpndia permit 20
set default interface GigabitEthernet0/0/1.2
!
!
tacacs-server timeout 10
tacacs-server directed-request
tacacs server AUTH
address ipv4 172.20.1.99
!
!
!
control-plane
!
banner login ^C
You have accessed a confidential and proprietary computing network. Access beyond this point is unlawful without previous authorization from NECA.^C
!
line con 0
exec-timeout 5 0
accounting connection tac_acct
accounting commands 15 tac_acct
accounting exec tac_acct
transport output telnet
stopbits 1
line aux 0
exec-timeout 4 0
accounting connection tac_acct
accounting commands 15 tac_acct
accounting exec tac_acct
transport output telnet
stopbits 1
line vty 0 4
access-class 110 in
exec-timeout 4 0
privilege level 15
accounting connection tac_acct
accounting commands 15 tac_acct
accounting exec tac_acct
length 0
transport input ssh
!
!
end
12-27-2017 10:51 AM
Hello,
thanks for the configs, I will have a look...
12-27-2017 11:37 AM
Hello,
on your St. Louis router, what is the purpose of the route map on the outgoing interface?
interface GigabitEthernet0/0/1.2
description DIA
encapsulation dot1Q 200
ip address 64.215.113.38 255.255.255.252
ip nat outside
ip flow monitor CasMon input
ip policy route-map vpndia
no cdp enable
ip virtual-reassembly
Try and delete that from the interface configuration. The rest of your NAT configuration and the routing looks good.
12-27-2017 11:47 AM
Thanks...Let me try that in the morning and I will let you know...
12-28-2017 04:34 AM
Same result. Hits the VPN ip but not the DIA...
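Worked example added by the editor; it is not code from any post in this thread. It is a small Python model of the St. Louis router's policy routing and NAT, built from the route-map, ACL 120, NAT marking and default route in the St. Louis configuration posted above (and the same route-map the original poster quoted). It evaluates, for one packet, which interface it leaves on and whether it is translated. The IOS "set default interface" semantics encoded here (the route-map is consulted only on interfaces carrying "ip policy", and the default interface is used only when the routing table has no explicit, non-default route for the destination) are an assumption of the example, as are the constructed sample addresses 172.16.16.50, 172.16.18.50 and 203.0.113.10 and the three-entry routing table, which is a representative subset of the posted "show ip route".

```python
import ipaddress

# Constructed model of the St. Louis router, taken from the configuration posted
# in the thread. Only the pieces that decide an Internet-bound packet's fate are
# modelled: the vpndia route-map (policy routing), the NAT inside/outside marking
# and a representative subset of the routing table.

def _nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# access-list 120 permit ip <source> any  -> an extended ACL keyed on source address
ACL_120 = _nets("172.0.0.0/8", "204.76.10.0/24", "204.76.13.0/24", "192.168.0.0/16")

# route-map vpndia: seq 10 matches ACL 120, seq 20 has no match clause (matches all)
ROUTE_MAP_VPNDIA = [
    (10, ACL_120, "GigabitEthernet0/0/1.1"),
    (20, None, "GigabitEthernet0/0/1.2"),
]

# 'ip policy route-map vpndia' is applied to both WAN subinterfaces, not to the LAN
POLICY_INTERFACES = {"GigabitEthernet0/0/1.1", "GigabitEthernet0/0/1.2"}
NAT_INSIDE = {"GigabitEthernet0/0/0"}       # ip nat inside
NAT_OUTSIDE = {"GigabitEthernet0/0/1.2"}    # ip nat outside

# Explicit (non-default) routes: the local LAN, plus the Omaha LAN and the TACACS
# subnet learned over the VPN VLAN via BGP (a constructed subset of the posted
# table). Everything else falls to 'ip route 0.0.0.0 0.0.0.0 64.215.113.37',
# whose next hop sits on the DIA subinterface.
EXPLICIT_ROUTES = {
    ipaddress.ip_network("172.16.16.0/25"): "GigabitEthernet0/0/0",
    ipaddress.ip_network("172.16.18.0/25"): "GigabitEthernet0/0/1.1",
    ipaddress.ip_network("172.20.1.0/24"): "GigabitEthernet0/0/1.1",
}
DEFAULT_ROUTE_EGRESS = "GigabitEthernet0/0/1.2"


def explicit_route(dst):
    """Longest-prefix match over the explicit routes; None means 'default route only'."""
    dst = ipaddress.ip_address(dst)
    matches = [n for n in EXPLICIT_ROUTES if dst in n]
    if not matches:
        return None
    return EXPLICIT_ROUTES[max(matches, key=lambda n: n.prefixlen)]


def forward(ingress, src, dst, policy_interfaces=POLICY_INTERFACES, nat_inside=NAT_INSIDE):
    """Decide the egress interface and NAT eligibility for one packet.

    Assumed 'set default interface' semantics: the route-map is consulted only when
    the packet arrived on an interface carrying 'ip policy', and the default interface
    is used only when no explicit route exists (the 0.0.0.0/0 route does not count).
    The keyword arguments let a reader evaluate the same packet under a changed
    policy placement or NAT marking.
    """
    src_addr = ipaddress.ip_address(src)
    egress = explicit_route(dst)
    reason = "explicit route"
    if egress is None:
        egress, reason = DEFAULT_ROUTE_EGRESS, "static default route"
        if ingress in policy_interfaces:
            for seq, acl, default_if in ROUTE_MAP_VPNDIA:
                if acl is None or any(src_addr in n for n in acl):
                    egress = default_if
                    reason = f"route-map vpndia seq {seq} set default interface"
                    break
    # 'ip nat inside source list 13 interface Gi0/0/1.2 overload' only translates
    # packets travelling from a NAT-inside interface to a NAT-outside interface.
    translated = ingress in nat_inside and egress in NAT_OUTSIDE
    return {"egress": egress, "reason": reason, "translated": translated}


if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.10 stands in for any Internet host.
    cases = [
        ("GigabitEthernet0/0/0", "172.16.16.50", "203.0.113.10"),    # St. Louis LAN host
        ("GigabitEthernet0/0/1.1", "172.16.18.50", "203.0.113.10"),  # Omaha host via VPN VLAN
        ("GigabitEthernet0/0/1.1", "172.16.18.50", "172.16.16.50"),  # Omaha host to St. Louis LAN
    ]
    for ingress, src, dst in cases:
        r = forward(ingress, src, dst)
        print(f"{src} -> {dst} in {ingress}: out {r['egress']} "
              f"({r['reason']}), translated={r['translated']}")
```

Under this model a St. Louis LAN host reaches the DIA and is translated, because it enters on Gi0/0/0 (no policy, NAT inside) and exits the NAT-outside subinterface. A packet from an Omaha source entering on the VPN VLAN takes a different path: its destination has no explicit route, the interface carries the policy, and the 172/8 source matches ACL 120 in sequence 10, so it is defaulted back out Gi0/0/1.1 rather than the DIA. Even if it did reach Gi0/0/1.2 it would leave untranslated, since Gi0/0/1.1 is not marked "ip nat inside". Those are the two conditions the model lets a reader check by passing different `policy_interfaces` and `nat_inside` sets to `forward()`; the thread itself does not confirm which change resolved the problem.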