BGP Help for Direct Internet Access from Two different locations

dmpeter666
Level 1

We have 6 offices: Denver, Omaha, St. Louis, Atlanta, Wash. D.C. and HQ. Right now we have all of the regional offices using the HQ DIA except St. Louis, because they have their own DIA. I would like to have Denver and Omaha use that DIA, and when I manipulate my BGP they do make it to that circuit but will not access the internet.

 

This is what my bgp settings look like now:

 

router bgp 2xxxx
 bgp log-neighbor-changes
 network 172.16.16.0 mask 255.255.255.128
 neighbor 192.xxx.x.xx remote-as 3xxx
 neighbor 192.xxx.x.xx version 4
 neighbor 192.xxx.x.xx soft-reconfiguration inbound

 

I will add neighbor 192.xxx.x.xx default-originate and redistribute static, since the DIA is on a sub-interface and has a static route. Still won't access the internet.

 

interface GigabitEthernet0/0/1.1
 description VPN VLAN
 encapsulation dot1Q 2291
 ip address 192.xxx.x.xx 255.255.255.252
 ip flow monitor CasMon input
 ip policy route-map vpndia
 no cdp enable
!
interface GigabitEthernet0/0/1.2
 description DIA
 encapsulation dot1Q 200
 ip address 64.xxx.xxx.xx 255.255.255.252
 ip nat outside
 ip flow monitor CasMon input
 ip policy route-map vpndia
 no cdp enable
 ip virtual-reassembly

 

and of course my overload:

 

ip nat inside source list 13 interface GigabitEthernet0/0/1.2 overload

 

The route-maps:

 

route-map vpndia permit 10
 match ip address 120
 set default interface GigabitEthernet0/0/1.1
!        
route-map vpndia permit 20
 set default interface GigabitEthernet0/0/1.2

 

Access List:

access-list 13 permit any

 

The BGP settings for the Omaha and Denver offices are the same as above.

 

Does it look like I am missing anything from either side of the BGP settings?

 

Thanks for any help.


Hello,

 

So you want Denver and Omaha to use St. Louis for Internet access? What is the output of 'show ip route' from either Denver or Omaha? Can you post the full configs of either Denver or Omaha, and St. Louis?

Here is the ip route of Omaha. I will post the configs in separate posts.

 

Omaha_mpls#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 192.168.0.25 to network 204.76.10.0

S*    0.0.0.0/0 [20/0] via 192.168.0.25
      4.0.0.0/29 is subnetted, 1 subnets
B        4.28.237.88 [20/0] via 192.168.0.25, 6w6d
      64.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B        64.210.123.31/32 [20/0] via 192.168.0.25, 6w6d
B        64.211.191.248/30 [20/0] via 192.168.0.25, 6w6d
      162.97.0.0/16 is variably subnetted, 3 subnets, 2 masks
B        162.97.0.26/32 [20/0] via 192.168.0.25, 6w6d
B        162.97.88.52/30 [20/0] via 192.168.0.25, 6w6d
B        162.97.89.200/30 [20/0] via 192.168.0.25, 6w6d
      172.16.0.0/16 is variably subnetted, 13 subnets, 5 masks
B        172.16.0.0/16 [20/0] via 192.168.0.25, 6w6d
B        172.16.11.128/26 [20/0] via 192.168.0.25, 6w6d
B        172.16.14.0/24 [20/0] via 192.168.0.25, 6w6d
B        172.16.14.0/25 [20/0] via 192.168.0.25, 5w1d
B        172.16.15.0/24 [20/0] via 192.168.0.25, 6w6d
B        172.16.15.0/25 [20/0] via 192.168.0.25, 3d10h
B        172.16.16.0/24 [20/0] via 192.168.0.25, 6w6d
B        172.16.16.0/25 [20/0] via 192.168.0.25, 1d05h
B        172.16.17.0/24 [20/0] via 192.168.0.25, 6w6d
B        172.16.18.0/24 [20/0] via 192.168.0.25, 6w6d
C        172.16.18.0/25 is directly connected, GigabitEthernet0/0/0
L        172.16.18.2/32 is directly connected, GigabitEthernet0/0/0
B        172.16.180.0/24 [20/0] via 192.168.0.25, 5w1d
      172.17.0.0/24 is subnetted, 1 subnets
B        172.17.26.0 [20/0] via 192.168.0.25, 6w6d
      172.20.0.0/24 is subnetted, 1 subnets
B        172.20.1.0 [20/0] via 192.168.0.25, 6w6d
      192.168.0.0/24 is variably subnetted, 7 subnets, 2 masks
B        192.168.0.8/30 [20/0] via 192.168.0.25, 6w6d
B        192.168.0.12/30 [20/0] via 192.168.0.25, 6w6d
B        192.168.0.16/30 [20/0] via 192.168.0.25, 6w6d
B        192.168.0.20/30 [20/0] via 192.168.0.25, 6w6d
C        192.168.0.24/30 is directly connected, GigabitEthernet0/0/1
L        192.168.0.26/32 is directly connected, GigabitEthernet0/0/1
B        192.168.0.32/30 [20/0] via 192.168.0.25, 6w6d
      192.168.10.0/30 is subnetted, 1 subnets
B        192.168.10.252 [20/0] via 192.168.0.25, 6w6d
      192.221.222.0/30 is subnetted, 6 subnets
B        192.221.222.32 [20/0] via 192.168.0.25, 6w6d
B        192.221.222.44 [20/0] via 192.168.0.25, 6w6d
B        192.221.222.48 [20/0] via 192.168.0.25, 6w6d
B        192.221.222.52 [20/0] via 192.168.0.25, 6w6d
B        192.221.222.56 [20/0] via 192.168.0.25, 6w6d
B        192.221.222.60 [20/0] via 192.168.0.25, 6w6d
      192.233.90.0/30 is subnetted, 1 subnets
B        192.233.90.248 [20/0] via 192.168.0.25, 6w6d
      192.233.91.0/30 is subnetted, 1 subnets
B        192.233.91.72 [20/0] via 192.168.0.25, 6w6d
      192.233.93.0/30 is subnetted, 1 subnets
B        192.233.93.24 [20/0] via 192.168.0.25, 6w6d
      199.76.222.0/30 is subnetted, 1 subnets
B        199.76.222.188 [20/0] via 192.168.0.25, 6w6d
B     204.76.8.0/24 [20/0] via 192.168.0.25, 6w6d
B*    204.76.10.0/24 [20/0] via 192.168.0.25, 6w6d
B     204.76.13.0/24 [20/0] via 192.168.0.25, 6w6d
      208.49.240.0/29 is subnetted, 1 subnets
B        208.49.240.40 [20/0] via 192.168.0.25, 6w6d
      208.50.228.0/25 is subnetted, 1 subnets
B        208.50.228.128 [20/0] via 192.168.0.25, 2w0d
      209.130.198.0/28 is subnetted, 1 subnets
B        209.130.198.64 [20/0] via 192.168.0.25, 6w6d

Here is Omaha:

Current configuration : 6893 bytes
!
! Last configuration change at 05:15:11 CST Wed Dec 27 2017 by dmpeter
!
version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no platform punt-keepalive disable-kernel-core
!
hostname Omaha_mpls
!
boot-start-marker
boot system bootflash:isr4300-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical

!
aaa new-model
!
!
aaa group server tacacs+ taclogin
 server name AUTH
!
aaa authentication attempts login 5
aaa authentication login default group taclogin local
aaa accounting exec tac_acct start-stop group taclogin
aaa accounting commands 15 tac_acct start-stop group taclogin
aaa accounting network tac_acct start-stop group taclogin
aaa accounting connection tac_acct start-stop group taclogin
!
!
!
!
!
!
aaa session-id common
clock timezone CST 4 0
clock summer-time CST recurring
no ip source-route
!
ip multicast-routing distributed
!
!
!
!
!
!
!
!
!
!        


no ip bootp server

no ip domain lookup
ip domain name neca.org
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
flow exporter Cascade
 destination 172.xx.x.xx
!
!
flow monitor CasMon
 exporter Cascade
 record netflow-original
!
!
!
!
crypto pki trustpoint TP-self-signed-1520460634
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1520460634
 revocation-check none
 rsakeypair TP-self-signed-1520460634
!
!

!
spanning-tree extend system-id
!

!
redundancy
 mode none
!
!
no cdp run
!
ip tcp synwait-time 10
!
!
!
!
!
interface GigabitEthernet0/0/0
 description Inside Office
 ip address 172.16.18.2 255.255.255.128
 ip helper-address 172.16.18.15
 no ip redirects
 ip pim sparse-dense-mode
 ip flow monitor CasMon input
 ip access-group 107 in
 standby 1 ip 172.16.18.1
 standby 1 priority 80
 standby 1 preempt
 media-type rj45
 speed 100
 no negotiation auto
!
interface GigabitEthernet0/0/1
 description ISP Side
 bandwidth 10240
 ip address 192.168.0.26 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-dense-mode
 ip nbar protocol-discovery
 ip flow monitor CasMon input
 speed 100
 no negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
router bgp 19094
 bgp log-neighbor-changes
 network 172.16.18.0 mask 255.255.255.128
 neighbor 192.168.0.25 remote-as 3549
 neighbor 192.168.0.25 version 4
 neighbor 192.168.0.25 soft-reconfiguration inbound
!
ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ip http server
ip http authentication local
ip http secure-server
ip http secure-ciphersuite rc4-128-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tftp source-interface GigabitEthernet0/0/0
ip default-network 204.76.10.0
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip bgp-community new-format
!
logging trap debugging
logging host 172.20.1.20
access-list 99 permit 0.0.0.0
access-list 107 permit tcp host 172.20.1.99 eq tacacs host 172.16.18.2
access-list 107 deny   tcp any any eq 161
access-list 107 deny   tcp any any eq 162
access-list 107 deny   tcp any any eq 199
access-list 107 deny   udp any any eq 199
access-list 107 deny   tcp any any eq 391
access-list 107 deny   udp any any eq 391
access-list 107 deny   tcp any any eq 705
access-list 107 deny   tcp any any eq 1993
access-list 107 deny   udp any any eq 1993
access-list 107 permit ip any any
access-list 110 remark admin access
access-list 110 remark SDM_ACL Category=1
access-list 110 permit ip 172.0.0.0 0.255.255.255 any
access-list 110 permit ip 204.76.10.0 0.0.0.255 any
access-list 110 permit ip 204.76.13.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 deny   ip any any
access-list 190 permit ip any any precedence critical
access-list 191 permit tcp any eq www any
access-list 191 permit tcp any eq 443 any
!

!
tacacs-server timeout 10
tacacs-server directed-request
tacacs server AUTH
 address ipv4 172.20.1.99
 
!
!
!
control-plane
!
banner login ^Cc
You have accessed a confidential and proprietary computing network.  Access beyond this point is unlawful without previous authorization from NECA.^C
!
line con 0
 exec-timeout 5 0
 accounting connection tac_acct
 accounting commands 15 tac_acct
 accounting exec tac_acct
 transport output telnet
 stopbits 1
line aux 0
 exec-timeout 4 0
 accounting connection tac_acct
 accounting commands 15 tac_acct
 accounting exec tac_acct
 transport output telnet
 stopbits 1
line vty 0 4
 access-class 110 in
 exec-timeout 4 0
 privilege level 15
 accounting connection tac_acct
 accounting commands 15 tac_acct
 accounting exec tac_acct
 length 0
 transport input ssh
!
ntp authenticate

!
end

Here is St. Louis:

 

Current configuration : 7972 bytes
!
! Last configuration change at 05:44:43 CST Wed Dec 27 2017 by dmpeter
!
version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no platform punt-keepalive disable-kernel-core
!
hostname StLouis_mpls
!
boot-start-marker
boot system bootflash:isr4300-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical

aaa new-model
!
!
aaa group server tacacs+ taclogin
 server name AUTH
!
aaa authentication attempts login 5
aaa authentication login default group taclogin local
aaa accounting exec tac_acct start-stop group taclogin
aaa accounting commands 15 tac_acct start-stop group taclogin
aaa accounting network tac_acct start-stop group taclogin
aaa accounting connection tac_acct start-stop group taclogin
!
!
!
!
!
!
aaa session-id common
clock timezone CST 4 0
clock summer-time CST recurring
no ip source-route
!
ip multicast-routing distributed
!
!
!
!
!
!
!
!
!
!        


no ip bootp server

no ip domain lookup

!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
flow exporter Cascade
 destination 172.xx.x.xx
!
!
flow monitor CasMon
 exporter Cascade
 record netflow-original
!
!
!
!
crypto pki trustpoint TP-self-signed-2293929639
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2293929639
 revocation-check none
 rsakeypair TP-self-signed-2293929639
!
!

!
spanning-tree extend system-id
!

!
redundancy
 mode none
!
!
no cdp run
!
ip tcp synwait-time 10
!
!
!
!
!
interface GigabitEthernet0/0/0
 description Inside Office
 ip address 172.16.16.2 255.255.255.128
 ip helper-address 172.16.16.15
 no ip redirects
 ip nat inside
 ip pim sparse-dense-mode
 ip flow monitor CasMon input
 ip access-group 107 in
 standby 1 ip 172.16.16.1
 standby 1 priority 80
 standby 1 preempt
 media-type rj45
 speed 100
 no negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 description ISP Side
 bandwidth 20480
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-dense-mode
 ip nbar protocol-discovery
 ip flow monitor CasMon input
 speed 100
 no negotiation auto
!
interface GigabitEthernet0/0/1.1
 description VPN VLAN
 encapsulation dot1Q 2291
 ip address 192.168.0.18 255.255.255.252
 ip flow monitor CasMon input
 ip policy route-map vpndia
 no cdp enable
!
interface GigabitEthernet0/0/1.2
 description DIA
 encapsulation dot1Q 200
 ip address 64.215.113.38 255.255.255.252
 ip nat outside
 ip flow monitor CasMon input
 ip policy route-map vpndia
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
router bgp 21616
 bgp log-neighbor-changes
 network 172.16.16.0 mask 255.255.255.128
 neighbor 192.168.0.17 remote-as 3549
 neighbor 192.168.0.17 version 4
 neighbor 192.168.0.17 soft-reconfiguration inbound
!
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source list 13 interface GigabitEthernet0/0/1.2 overload
ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ip http server
ip http authentication local
ip http secure-server
ip http secure-ciphersuite rc4-128-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tftp source-interface GigabitEthernet0/0/0
ip default-network 204.76.10.0
ip route 0.0.0.0 0.0.0.0 64.215.113.37
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip bgp-community new-format
!
logging trap debugging
logging host 172.20.1.20
access-list 13 permit any
access-list 99 permit 0.0.0.0
access-list 107 permit tcp host 172.20.1.99 eq tacacs host 172.16.16.2
access-list 107 deny   tcp any any eq 161
access-list 107 deny   tcp any any eq 162
access-list 107 deny   tcp any any eq 199
access-list 107 deny   udp any any eq 199
access-list 107 deny   tcp any any eq 391
access-list 107 deny   udp any any eq 391
access-list 107 deny   tcp any any eq 705
access-list 107 deny   tcp any any eq 1993
access-list 107 deny   udp any any eq 1993
access-list 107 permit ip any any
access-list 110 remark admin access
access-list 110 remark SDM_ACL Category=1
access-list 110 permit ip 172.0.0.0 0.255.255.255 any
access-list 110 permit ip 204.76.10.0 0.0.0.255 any
access-list 110 permit ip 204.76.13.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 deny   ip any any
access-list 120 permit ip 172.0.0.0 0.255.255.255 any
access-list 120 permit ip 204.76.10.0 0.0.0.255 any
access-list 120 permit ip 204.76.13.0 0.0.0.255 any
access-list 120 permit ip 192.168.0.0 0.0.255.255 any
access-list 190 permit ip any any precedence critical
access-list 191 permit tcp any eq www any
access-list 191 permit tcp any eq 443 any
!
route-map vpndia permit 10
 match ip address 120
 set default interface GigabitEthernet0/0/1.1
!
route-map vpndia permit 20
 set default interface GigabitEthernet0/0/1.2
!

!
tacacs-server timeout 10
tacacs-server directed-request
tacacs server AUTH
 address ipv4 172.20.1.99
 
!
!        
!
control-plane
!
banner login ^C
You have accessed a confidential and proprietary computing network.  Access beyond this point is unlawful without previous authorization from NECA.^C
!
line con 0
 exec-timeout 5 0
 accounting connection tac_acct
 accounting commands 15 tac_acct
 accounting exec tac_acct
 transport output telnet
 stopbits 1
line aux 0
 exec-timeout 4 0
 accounting connection tac_acct
 accounting commands 15 tac_acct
 accounting exec tac_acct
 transport output telnet
 stopbits 1
line vty 0 4
 access-class 110 in
 exec-timeout 4 0
 privilege level 15
 accounting connection tac_acct
 accounting commands 15 tac_acct
 accounting exec tac_acct
 length 0
 transport input ssh
!

!
end

Hello,

 

thanks for the configs, I will have a look...

Hello,

 

On your St. Louis router, what is the purpose of the route map on the outgoing interface?

 

interface GigabitEthernet0/0/1.2
 description DIA
 encapsulation dot1Q 200
 ip address 64.215.113.38 255.255.255.252
 ip nat outside
 ip flow monitor CasMon input
 ip policy route-map vpndia
 no cdp enable
 ip virtual-reassembly

 

Try and delete that from the interface configuration. The rest of your NAT configuration and the routing looks good.

Thanks... Let me try that in the morning and I will let you know...

Same result. Hits the VPN ip but not the DIA...
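An added example, not code from the thread or from any of the posters: a small Python model of how the posted St. Louis configuration (ACL 120, route-map vpndia with its `set default interface` clauses, the static default via 64.215.113.37, and the `ip nat inside`/`ip nat outside` markings) picks an egress interface for a packet, so you can check where a remote office's internet-bound traffic ends up before touching the router. It assumes the IOS semantics that `set default interface` is consulted only when the routing table has no explicit non-default route to the destination, and that NAT translates only packets entering an inside interface and leaving an outside one; the route-table subset, the sample addresses (198.51.100.10 is a documentation address) and the `policy_ifs` parameter are constructed for illustration.

```python
# Added example (not from the thread): model of packet forwarding on the
# posted StLouis_mpls config. Assumed IOS semantics: 'set default interface'
# applies only when no explicit (non-default) route exists, and NAT
# translates only inside -> outside packets. Routes/packets are constructed.
import ipaddress

# Explicit routes on StLouis_mpls (constructed subset; the thread shows
# Omaha's table, and St. Louis learns the same BGP prefixes over Gi0/0/1.1).
EXPLICIT_ROUTES = [
    ("172.16.16.0/25", "GigabitEthernet0/0/0"),     # local LAN, connected
    ("172.16.18.0/25", "GigabitEthernet0/0/1.1"),   # Omaha, via BGP over MPLS
    ("192.168.0.16/30", "GigabitEthernet0/0/1.1"),  # VPN VLAN, connected
    ("64.215.113.36/30", "GigabitEthernet0/0/1.2"), # DIA link, connected
]
STATIC_DEFAULT_IF = "GigabitEthernet0/0/1.2"  # ip route 0.0.0.0 0.0.0.0 64.215.113.37

# access-list 120, wildcard masks rewritten as prefixes
ACL_120 = ["172.0.0.0/8", "204.76.10.0/24", "204.76.13.0/24", "192.168.0.0/16"]
# route-map vpndia: (ACL to match, or None for "match anything", default interface)
VPNDIA = [(ACL_120, "GigabitEthernet0/0/1.1"), (None, "GigabitEthernet0/0/1.2")]
NAT_INSIDE = {"GigabitEthernet0/0/0"}
NAT_OUTSIDE = {"GigabitEthernet0/0/1.2"}
# Interfaces that carry 'ip policy route-map vpndia' in the posted config
POSTED_POLICY_IFS = {"GigabitEthernet0/0/1.1", "GigabitEthernet0/0/1.2"}


def explicit_route(dst):
    """Longest-prefix match over the non-default routes; None if nothing matches."""
    best = None
    for prefix, egress in EXPLICIT_ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, egress)
    return best[1] if best else None


def forward(ingress, src, dst, policy_ifs=POSTED_POLICY_IFS):
    """Return (egress interface, translated?) for one packet entering on `ingress`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = explicit_route(dst)
    if egress is None and ingress in policy_ifs:
        for acl, default_if in VPNDIA:  # first matching clause wins
            if acl is None or any(src in ipaddress.ip_network(n) for n in acl):
                egress = default_if
                break
    if egress is None:
        egress = STATIC_DEFAULT_IF
    return egress, (ingress in NAT_INSIDE and egress in NAT_OUTSIDE)


if __name__ == "__main__":
    # constructed sample packets: a St. Louis LAN host and an Omaha host, both internet-bound
    print("St. Louis LAN host   :", forward("GigabitEthernet0/0/0", "172.16.16.50", "198.51.100.10"))
    print("Omaha host, as posted:", forward("GigabitEthernet0/0/1.1", "172.16.18.50", "198.51.100.10"))
    print("Omaha host, no PBR   :", forward("GigabitEthernet0/0/1.1", "172.16.18.50", "198.51.100.10", set()))
```

The second result shows the Omaha-sourced packet matching clause 10 of vpndia on Gi0/0/1.1 and being sent back out the VPN sub-interface, which is consistent with a trace that reaches the VPN IP but never the DIA; the third shows that even without policy routing on Gi0/0/1.1 the packet leaves Gi0/0/1.2 untranslated, because Gi0/0/1.1 is not an `ip nat inside` interface.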
