BGP Help for Direct Internet Access from Two different locations

dmpeter666
Beginner

We have 6 offices: Denver, Omaha, St. Louis, Atlanta, Wash. D.C. and HQ. Right now we have all of the regional offices using the HQ DIA except St. Louis, because they have their own DIA. I would like to have Denver and Omaha use that DIA, and when I manipulate my BGP they do make it to that circuit but will not access the internet.

This is what my bgp settings look like now:

router bgp 2xxxx
 bgp log-neighbor-changes
 network 172.16.16.0 mask 255.255.255.128
 neighbor 192.xxx.x.xx remote-as 3xxx
 neighbor 192.xxx.x.xx version 4
 neighbor 192.xxx.x.xx soft-reconfiguration inbound

I will add neighbor 192.xxx.x.xx default-originate and redistribute static, since the DIA is on a subinterface and has a static route. Still won't access the internet.

interface GigabitEthernet0/0/1.1
 description VPN VLAN
 encapsulation dot1Q 2291
 ip address 192.xxx.x.xx 255.255.255.252
 ip flow monitor CasMon input
 ip policy route-map vpndia
 no cdp enable
!
interface GigabitEthernet0/0/1.2
 description DIA
 encapsulation dot1Q 200
 ip address 64.xxx.xxx.xx 255.255.255.252
 ip nat outside
 ip flow monitor CasMon input
 ip policy route-map vpndia
 no cdp enable
 ip virtual-reassembly

and of course my overload:

ip nat inside source list 13 interface GigabitEthernet0/0/1.2 overload

The route-maps:

route-map vpndia permit 10
 match ip address 120
 set default interface GigabitEthernet0/0/1.1
!        
route-map vpndia permit 20
 set default interface GigabitEthernet0/0/1.2

Access List:

access-list 13 permit any

The BGP settings for the Omaha and Denver offices are the same as above.

Does it look like I am missing anything from either side of the bgp settings?

Thanks for any help.

8 Replies

Georg Pauwen
VIP Master

Hello,

So you want Denver and Omaha to use St. Louis for Internet access? What is the output of 'show ip route' from either Denver or Omaha? Can you post the full configs of either Denver or Omaha, and St. Louis?

Here is the ip route of Omaha. I will post the configs in separate posts.

Omaha_mpls#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 192.168.0.25 to network 204.76.10.0

S*    0.0.0.0/0 [20/0] via 192.168.0.25
      4.0.0.0/29 is subnetted, 1 subnets
B        4.28.237.88 [20/0] via 192.168.0.25, 6w6d
      64.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B        64.210.123.31/32 [20/0] via 192.168.0.25, 6w6d
B        64.211.191.248/30 [20/0] via 192.168.0.25, 6w6d
      162.97.0.0/16 is variably subnetted, 3 subnets, 2 masks
B        162.97.0.26/32 [20/0] via 192.168.0.25, 6w6d
B        162.97.88.52/30 [20/0] via 192.168.0.25, 6w6d
B        162.97.89.200/30 [20/0] via 192.168.0.25, 6w6d
      172.16.0.0/16 is variably subnetted, 13 subnets, 5 masks
B        172.16.0.0/16 [20/0] via 192.168.0.25, 6w6d
B        172.16.11.128/26 [20/0] via 192.168.0.25, 6w6d
B        172.16.14.0/24 [20/0] via 192.168.0.25, 6w6d
B        172.16.14.0/25 [20/0] via 192.168.0.25, 5w1d
B        172.16.15.0/24 [20/0] via 192.168.0.25, 6w6d
B        172.16.15.0/25 [20/0] via 192.168.0.25, 3d10h
B        172.16.16.0/24 [20/0] via 192.168.0.25, 6w6d
B        172.16.16.0/25 [20/0] via 192.168.0.25, 1d05h
B        172.16.17.0/24 [20/0] via 192.168.0.25, 6w6d
B        172.16.18.0/24 [20/0] via 192.168.0.25, 6w6d
C        172.16.18.0/25 is directly connected, GigabitEthernet0/0/0
L        172.16.18.2/32 is directly connected, GigabitEthernet0/0/0
B        172.16.180.0/24 [20/0] via 192.168.0.25, 5w1d
      172.17.0.0/24 is subnetted, 1 subnets
B        172.17.26.0 [20/0] via 192.168.0.25, 6w6d
      172.20.0.0/24 is subnetted, 1 subnets
B        172.20.1.0 [20/0] via 192.168.0.25, 6w6d
      192.168.0.0/24 is variably subnetted, 7 subnets, 2 masks
B        192.168.0.8/30 [20/0] via 192.168.0.25, 6w6d
B        192.168.0.12/30 [20/0] via 192.168.0.25, 6w6d
B        192.168.0.16/30 [20/0] via 192.168.0.25, 6w6d
B        192.168.0.20/30 [20/0] via 192.168.0.25, 6w6d
C        192.168.0.24/30 is directly connected, GigabitEthernet0/0/1
L        192.168.0.26/32 is directly connected, GigabitEthernet0/0/1
B        192.168.0.32/30 [20/0] via 192.168.0.25, 6w6d
      192.168.10.0/30 is subnetted, 1 subnets
B        192.168.10.252 [20/0] via 192.168.0.25, 6w6d
      192.221.222.0/30 is subnetted, 6 subnets
B        192.221.222.32 [20/0] via 192.168.0.25, 6w6d
B        192.221.222.44 [20/0] via 192.168.0.25, 6w6d
B        192.221.222.48 [20/0] via 192.168.0.25, 6w6d
B        192.221.222.52 [20/0] via 192.168.0.25, 6w6d
B        192.221.222.56 [20/0] via 192.168.0.25, 6w6d
B        192.221.222.60 [20/0] via 192.168.0.25, 6w6d
      192.233.90.0/30 is subnetted, 1 subnets
B        192.233.90.248 [20/0] via 192.168.0.25, 6w6d
      192.233.91.0/30 is subnetted, 1 subnets
B        192.233.91.72 [20/0] via 192.168.0.25, 6w6d
      192.233.93.0/30 is subnetted, 1 subnets
B        192.233.93.24 [20/0] via 192.168.0.25, 6w6d
      199.76.222.0/30 is subnetted, 1 subnets
B        199.76.222.188 [20/0] via 192.168.0.25, 6w6d
B     204.76.8.0/24 [20/0] via 192.168.0.25, 6w6d
B*    204.76.10.0/24 [20/0] via 192.168.0.25, 6w6d
B     204.76.13.0/24 [20/0] via 192.168.0.25, 6w6d
      208.49.240.0/29 is subnetted, 1 subnets
B        208.49.240.40 [20/0] via 192.168.0.25, 6w6d
      208.50.228.0/25 is subnetted, 1 subnets
B        208.50.228.128 [20/0] via 192.168.0.25, 2w0d
      209.130.198.0/28 is subnetted, 1 subnets
B        209.130.198.64 [20/0] via 192.168.0.25, 6w6d

Here is Omaha:

Current configuration : 6893 bytes
!
! Last configuration change at 05:15:11 CST Wed Dec 27 2017 by dmpeter
!
version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no platform punt-keepalive disable-kernel-core
!
hostname Omaha_mpls
!
boot-start-marker
boot system bootflash:isr4300-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical

!
aaa new-model
!
!
aaa group server tacacs+ taclogin
 server name AUTH
!
aaa authentication attempts login 5
aaa authentication login default group taclogin local
aaa accounting exec tac_acct start-stop group taclogin
aaa accounting commands 15 tac_acct start-stop group taclogin
aaa accounting network tac_acct start-stop group taclogin
aaa accounting connection tac_acct start-stop group taclogin
!
!
!
!
!
!
aaa session-id common
clock timezone CST 4 0
clock summer-time CST recurring
no ip source-route
!
ip multicast-routing distributed
!
!
!
!
!
!
!
!
!
!        


no ip bootp server

no ip domain lookup
ip domain name neca.org
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
flow exporter Cascade
 destination 172.xx.x.xx
!
!
flow monitor CasMon
 exporter Cascade
 record netflow-original
!
!
!
!
crypto pki trustpoint TP-self-signed-1520460634
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1520460634
 revocation-check none
 rsakeypair TP-self-signed-1520460634
!
!

!
spanning-tree extend system-id
!

!
redundancy
 mode none
!
!
no cdp run
!
ip tcp synwait-time 10
!
!
!
!
!
interface GigabitEthernet0/0/0
 description Inside Office
 ip address 172.16.18.2 255.255.255.128
 ip helper-address 172.16.18.15
 no ip redirects
 ip pim sparse-dense-mode
 ip flow monitor CasMon input
 ip access-group 107 in
 standby 1 ip 172.16.18.1
 standby 1 priority 80
 standby 1 preempt
 media-type rj45
 speed 100
 no negotiation auto
!
interface GigabitEthernet0/0/1
 description ISP Side
 bandwidth 10240
 ip address 192.168.0.26 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-dense-mode
 ip nbar protocol-discovery
 ip flow monitor CasMon input
 speed 100
 no negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
router bgp 19094
 bgp log-neighbor-changes
 network 172.16.18.0 mask 255.255.255.128
 neighbor 192.168.0.25 remote-as 3549
 neighbor 192.168.0.25 version 4
 neighbor 192.168.0.25 soft-reconfiguration inbound
!
ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ip http server
ip http authentication local
ip http secure-server
ip http secure-ciphersuite rc4-128-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tftp source-interface GigabitEthernet0/0/0
ip default-network 204.76.10.0
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip bgp-community new-format
!
logging trap debugging
logging host 172.20.1.20
access-list 99 permit 0.0.0.0
access-list 107 permit tcp host 172.20.1.99 eq tacacs host 172.16.18.2
access-list 107 deny   tcp any any eq 161
access-list 107 deny   tcp any any eq 162
access-list 107 deny   tcp any any eq 199
access-list 107 deny   udp any any eq 199
access-list 107 deny   tcp any any eq 391
access-list 107 deny   udp any any eq 391
access-list 107 deny   tcp any any eq 705
access-list 107 deny   tcp any any eq 1993
access-list 107 deny   udp any any eq 1993
access-list 107 permit ip any any
access-list 110 remark admin access
access-list 110 remark SDM_ACL Category=1
access-list 110 permit ip 172.0.0.0 0.255.255.255 any
access-list 110 permit ip 204.76.10.0 0.0.0.255 any
access-list 110 permit ip 204.76.13.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 deny   ip any any
access-list 190 permit ip any any precedence critical
access-list 191 permit tcp any eq www any
access-list 191 permit tcp any eq 443 any
!

!
tacacs-server timeout 10
tacacs-server directed-request
tacacs server AUTH
 address ipv4 172.20.1.99
 
!
!
!
control-plane
!
banner login ^Cc
You have accessed a confidential and proprietary computing network.  Access beyond this point is unlawful without previous authorization from NECA.^C
!
line con 0
 exec-timeout 5 0
 accounting connection tac_acct
 accounting commands 15 tac_acct
 accounting exec tac_acct
 transport output telnet
 stopbits 1
line aux 0
 exec-timeout 4 0
 accounting connection tac_acct
 accounting commands 15 tac_acct
 accounting exec tac_acct
 transport output telnet
 stopbits 1
line vty 0 4
 access-class 110 in
 exec-timeout 4 0
 privilege level 15
 accounting connection tac_acct
 accounting commands 15 tac_acct
 accounting exec tac_acct
 length 0
 transport input ssh
!
ntp authenticate

!
end

Here is St. Louis:

Current configuration : 7972 bytes
!
! Last configuration change at 05:44:43 CST Wed Dec 27 2017 by dmpeter
!
version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no platform punt-keepalive disable-kernel-core
!
hostname StLouis_mpls
!
boot-start-marker
boot system bootflash:isr4300-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical

aaa new-model
!
!
aaa group server tacacs+ taclogin
 server name AUTH
!
aaa authentication attempts login 5
aaa authentication login default group taclogin local
aaa accounting exec tac_acct start-stop group taclogin
aaa accounting commands 15 tac_acct start-stop group taclogin
aaa accounting network tac_acct start-stop group taclogin
aaa accounting connection tac_acct start-stop group taclogin
!
!
!
!
!
!
aaa session-id common
clock timezone CST 4 0
clock summer-time CST recurring
no ip source-route
!
ip multicast-routing distributed
!
!
!
!
!
!
!
!
!
!        


no ip bootp server

no ip domain lookup

!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
flow exporter Cascade
 destination 172.xx.x.xx
!
!
flow monitor CasMon
 exporter Cascade
 record netflow-original
!
!
!
!
crypto pki trustpoint TP-self-signed-2293929639
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2293929639
 revocation-check none
 rsakeypair TP-self-signed-2293929639
!
!

!
spanning-tree extend system-id
!

!
redundancy
 mode none
!
!
no cdp run
!
ip tcp synwait-time 10
!
!
!
!
!
interface GigabitEthernet0/0/0
 description Inside Office
 ip address 172.16.16.2 255.255.255.128
 ip helper-address 172.16.16.15
 no ip redirects
 ip nat inside
 ip pim sparse-dense-mode
 ip flow monitor CasMon input
 ip access-group 107 in
 standby 1 ip 172.16.16.1
 standby 1 priority 80
 standby 1 preempt
 media-type rj45
 speed 100
 no negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 description ISP Side
 bandwidth 20480
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-dense-mode
 ip nbar protocol-discovery
 ip flow monitor CasMon input
 speed 100
 no negotiation auto
!
interface GigabitEthernet0/0/1.1
 description VPN VLAN
 encapsulation dot1Q 2291
 ip address 192.168.0.18 255.255.255.252
 ip flow monitor CasMon input
 ip policy route-map vpndia
 no cdp enable
!
interface GigabitEthernet0/0/1.2
 description DIA
 encapsulation dot1Q 200
 ip address 64.215.113.38 255.255.255.252
 ip nat outside
 ip flow monitor CasMon input
 ip policy route-map vpndia
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
router bgp 21616
 bgp log-neighbor-changes
 network 172.16.16.0 mask 255.255.255.128
 neighbor 192.168.0.17 remote-as 3549
 neighbor 192.168.0.17 version 4
 neighbor 192.168.0.17 soft-reconfiguration inbound
!
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source list 13 interface GigabitEthernet0/0/1.2 overload
ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ip http server
ip http authentication local
ip http secure-server
ip http secure-ciphersuite rc4-128-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tftp source-interface GigabitEthernet0/0/0
ip default-network 204.76.10.0
ip route 0.0.0.0 0.0.0.0 64.215.113.37
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip bgp-community new-format
!
logging trap debugging
logging host 172.20.1.20
access-list 13 permit any
access-list 99 permit 0.0.0.0
access-list 107 permit tcp host 172.20.1.99 eq tacacs host 172.16.16.2
access-list 107 deny   tcp any any eq 161
access-list 107 deny   tcp any any eq 162
access-list 107 deny   tcp any any eq 199
access-list 107 deny   udp any any eq 199
access-list 107 deny   tcp any any eq 391
access-list 107 deny   udp any any eq 391
access-list 107 deny   tcp any any eq 705
access-list 107 deny   tcp any any eq 1993
access-list 107 deny   udp any any eq 1993
access-list 107 permit ip any any
access-list 110 remark admin access
access-list 110 remark SDM_ACL Category=1
access-list 110 permit ip 172.0.0.0 0.255.255.255 any
access-list 110 permit ip 204.76.10.0 0.0.0.255 any
access-list 110 permit ip 204.76.13.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 deny   ip any any
access-list 120 permit ip 172.0.0.0 0.255.255.255 any
access-list 120 permit ip 204.76.10.0 0.0.0.255 any
access-list 120 permit ip 204.76.13.0 0.0.0.255 any
access-list 120 permit ip 192.168.0.0 0.0.255.255 any
access-list 190 permit ip any any precedence critical
access-list 191 permit tcp any eq www any
access-list 191 permit tcp any eq 443 any
!
route-map vpndia permit 10
 match ip address 120
 set default interface GigabitEthernet0/0/1.1
!
route-map vpndia permit 20
 set default interface GigabitEthernet0/0/1.2
!

!
tacacs-server timeout 10
tacacs-server directed-request
tacacs server AUTH
 address ipv4 172.20.1.99
 
!
!        
!
control-plane
!
banner login ^C
You have accessed a confidential and proprietary computing network.  Access beyond this point is unlawful without previous authorization from NECA.^C
!
line con 0
 exec-timeout 5 0
 accounting connection tac_acct
 accounting commands 15 tac_acct
 accounting exec tac_acct
 transport output telnet
 stopbits 1
line aux 0
 exec-timeout 4 0
 accounting connection tac_acct
 accounting commands 15 tac_acct
 accounting exec tac_acct
 transport output telnet
 stopbits 1
line vty 0 4
 access-class 110 in
 exec-timeout 4 0
 privilege level 15
 accounting connection tac_acct
 accounting commands 15 tac_acct
 accounting exec tac_acct
 length 0
 transport input ssh
!

!
end
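Added example, not part of the thread and not the poster's own code: a small Python model of how the St. Louis router, as posted, picks an egress interface and decides whether to NAT a packet. It takes access-list 120, access-list 13, route-map vpndia, the interface roles and the static default straight from the config above. The modelled IOS semantics are assumptions of the model: a policy route-map on the ingress interface tries sequences in order and a sequence with no match clause matches everything; `set default interface` is honoured only when the RIB holds no explicit (non-default) route for the destination; and overload NAT translates only packets that enter on an `ip nat inside` interface, leave on an `ip nat outside` interface and are permitted by list 13. The RIB entries pointing at the VPN VLAN are assumed from the prefixes Omaha's table shows being learned from the provider, and the sample packets are constructed.

```python
"""Model of the St. Louis router's policy-routing and NAT decisions.

Added example, not from the thread. The ACLs, route-map, interface roles and
static default are as posted; the IOS semantics below and the RIB contents are
assumptions of this model (see the module-level constants).
"""
from ipaddress import ip_address, ip_network

# access-list 120 (source address, wildcard mask), as posted.
ACL_120 = [
    ("172.0.0.0", "0.255.255.255"),
    ("204.76.10.0", "0.0.0.255"),
    ("204.76.13.0", "0.0.0.255"),
    ("192.168.0.0", "0.0.255.255"),
]
# access-list 13 permit any, as posted.
ACL_13 = [("0.0.0.0", "255.255.255.255")]

# route-map vpndia, as posted; match=None models a sequence with no match clause.
ROUTE_MAP_VPNDIA = [
    {"seq": 10, "match": ACL_120, "set_default_interface": "Gi0/0/1.1"},
    {"seq": 20, "match": None, "set_default_interface": "Gi0/0/1.2"},
]

# Interfaces as posted: which ones carry `ip policy route-map` and their NAT role.
INTERFACES = {
    "Gi0/0/0": {"policy": None, "nat": "inside"},
    "Gi0/0/1.1": {"policy": ROUTE_MAP_VPNDIA, "nat": None},
    "Gi0/0/1.2": {"policy": ROUTE_MAP_VPNDIA, "nat": "outside"},
}

# RIB (assumption): the connected LAN plus the site/VPN prefixes that Omaha's
# table shows being learned from the provider, reached via the VPN VLAN.
# The static default `ip route 0.0.0.0 0.0.0.0 64.215.113.37` leaves via the DIA.
EXPLICIT_ROUTES = {
    "172.16.16.0/25": "Gi0/0/0",
    "172.16.0.0/16": "Gi0/0/1.1",
    "192.168.0.0/24": "Gi0/0/1.1",
    "204.76.10.0/24": "Gi0/0/1.1",
    "204.76.13.0/24": "Gi0/0/1.1",
}
DEFAULT_ROUTE_INTERFACE = "Gi0/0/1.2"


def acl_permits(acl, src):
    """Source-address match with an IOS wildcard mask; implicit deny at the end."""
    s = int(ip_address(src))
    for addr, wildcard in acl:
        a, w = int(ip_address(addr)), int(ip_address(wildcard))
        care = ~w & 0xFFFFFFFF  # bits where the wildcard demands a match
        if (s & care) == (a & care):
            return True
    return False


def explicit_route(dst):
    """Longest-prefix match over non-default routes; None if only the default fits."""
    d = ip_address(dst)
    best = None
    for prefix, iface in EXPLICIT_ROUTES.items():
        net = ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward(ingress, src, dst):
    """Return (egress_interface, decided_by, natted) for one packet."""
    egress, decided_by = explicit_route(dst), "rib"
    policy = INTERFACES[ingress]["policy"]
    if policy:
        for entry in policy:
            if entry["match"] is None or acl_permits(entry["match"], src):
                if egress is None:  # no explicit route, so `set default` applies
                    egress = entry["set_default_interface"]
                    decided_by = f"route-map seq {entry['seq']}"
                break
    if egress is None:
        egress, decided_by = DEFAULT_ROUTE_INTERFACE, "static default"
    natted = (INTERFACES[ingress]["nat"] == "inside"
              and INTERFACES[egress]["nat"] == "outside"
              and acl_permits(ACL_13, src))
    return egress, decided_by, natted


# Constructed sample packets: (ingress interface, source, destination).
SAMPLES = [
    ("Gi0/0/0", "172.16.16.50", "8.8.8.8"),         # St. Louis LAN host to the Internet
    ("Gi0/0/1.1", "172.16.18.50", "8.8.8.8"),       # Omaha host arriving on the VPN VLAN
    ("Gi0/0/1.1", "172.16.18.50", "172.16.16.50"),  # Omaha host to the St. Louis LAN
    ("Gi0/0/1.1", "10.9.9.9", "8.8.8.8"),           # source not covered by ACL 120
]

if __name__ == "__main__":
    for ingress, src, dst in SAMPLES:
        egress, why, natted = forward(ingress, src, dst)
        print(f"{ingress:9} {src:>13} -> {dst:<13} egress={egress:9} via {why:17} nat={natted}")
```

Run stand-alone it prints one line per sample packet. Under the modelled rules the two things that decide the fate of an Omaha packet entering Gi0/0/1.1 are that its 172.x source matches the first line of access-list 120 (so sequence 10's `set default interface GigabitEthernet0/0/1.1` applies to an Internet destination) and that Gi0/0/1.1 carries no `ip nat inside`. On the real router, `show route-map vpndia` shows the policy-routing match counters per sequence and `show ip nat translations` shows whether any translation is being built for the remote-site sources; those two outputs tell you whether the model matches the box.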

Hello,

Thanks for the configs, I will have a look...

Hello,

On your St. Louis router, what is the purpose of the route map on the outgoing interface?

interface GigabitEthernet0/0/1.2
 description DIA
 encapsulation dot1Q 200
 ip address 64.215.113.38 255.255.255.252
 ip nat outside
 ip flow monitor CasMon input
 ip policy route-map vpndia
 no cdp enable
 ip virtual-reassembly

Try and delete that from the interface configuration. The rest of your NAT configuration and the routing look good.

Thanks... Let me try that in the morning and I will let you know...

Same result. Hits the VPN IP but not the DIA...
