Help required in routing

danishsattar
Level 1

Hi,

I'm having trouble with routing for my WAN link. Here is my scenario.

We have got a new internet connection and are trying to make a smooth transition to this new connection. We have two DIA circuits terminated on a single router. One is for communicating with the remote site and the other one is for Internet (this one is new).

Remote site DIA Information:

BGP Number: 65333

Local IP: 172.22.66.77

Remote IP: 172.22.66.76

We only have to pass very specific traffic to this link, i.e. destination address: 10.130.0.0/16 subnet traffic.

Current config:

router bgp 65333
 bgp log-neighbor-changes
 redistribute connected
 redistribute static
 neighbor 172.22.66.76 remote-as 65000

Internet DIA Information (New):

Customer IP Address: 94.95.96.97/32

Gateway: 94.95.96.96

We have 15 more public IP addresses with the default gateway set to our WAN IP address, i.e. 94.95.99.100-115

For Local Interfaces we have:

Interface 01: 10.111.112.7 (local network)

Interface 02: 94.95.99.101 (Firewall) New settings

Now the problem: before the new internet connection we didn't have to divide the traffic, so all traffic was going through the 172.22.66.76 IP address, but now we only want to send very specific traffic, i.e. destination address: 10.130.0.0/16, and the rest via the internet gateway. So BGP was doing its job and no trouble at all.

How do we configure this kind of routing, and what changes need to be made in the configuration? I tried adding 94.95.96.96 as the default route but no luck; traffic is still going through the 172.22.66.76 interface.

show ip route 94.95.96.97

 Known via "bgp 65333", distance 20, metric 0
  Tag 65000, type external
  Last update from 172.22.66.76 03:45:29 ago
  Routing Descriptor Blocks:
  * 172.22.66.76, from 172.22.66.76, 03:45:29 ago
      Route metric is 0, traffic share count is 1
      AS Hops 2
      Route tag 65000
      MPLS label: none


Mark Malone
VIP Alumni

Are both of these links using BGP?

 

No, only the first one.

Your default static should work, but you're redistributing static routes and connected interfaces back into the BGP process locally. If you remove that, your static default will work out the internet link for all destinations not known by the router.

Tried that one, but it stops the traffic to destination 10.130.0.0/16 as well.

It should not do that, since your router knows the path to this subnet through BGP; the default is only for traffic that the router has no path to, so it does not get dropped. Quick fix: use PBR. Apply it to your internet link interface with an extended ACL: for anything coming from a source on your LAN going to a destination of 10.130.0.0/16, set the next-hop IP address as the BGP gateway. This will make all traffic go out through the internet link but redirect traffic for that subnet back to the BGP circuit.

When you remove the BGP redistribute statements and add the default route, what does it show for show ip route 10.130.0.0/16 in the routing table and BGP table?

Are you receiving a default route through BGP already from the ISP?

I can ping from router to that network but not from end systems.

I created the following access list:

access-list 101 permit ip any 10.130.0.0 0.0.255.255

route-map RemoteSite, permit, sequence 20
  Match clauses:
    ip address (access-lists): 101 
  Set clauses:
    ip next-hop 172.22.66.76
    interface GigabitEthernet0/0.2544
    ip default next-hop 172.22.66.76
  Policy routing matches: 0 packets, 0 bytes

 

Still the same problem, no ping from end hosts.

Try applying the route-map to the LAN interface inbound. Can you attach the show run as it is now, the parts involved?

Current configuration : 5011 bytes
!
! Last configuration change at 17:01:21 UTC Thu Jun 4 2015 by
!
version 15.4


interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.2544
 description TO-RemoteSite
 encapsulation dot1Q 2544
 ip address 172.22.66.77 255.255.255.252
!
interface GigabitEthernet0/1
 description TO-Core-SW
 ip address 10.111.112.7 255.255.255.248
 ip policy route-map RemoteSite
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/2.3823
 description To-WAN
 encapsulation dot1Q 3823
 ip address 94.95.96.97 255.255.255.254
!
interface GigabitEthernet0/0/0
 description Firewall-Connection
 ip address 94.95.99.101 255.255.255.240
 duplex auto
 speed auto
!
interface GigabitEthernet0/1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router bgp 65333
 bgp log-neighbor-changes
 network 10.30.0.0 mask 255.255.0.0 //no difference if its here or not
 neighbor 172.22.66.76 remote-as 65000
!
ip route 0.0.0.0 0.0.0.0 94.95.96.96

route-map RemoteSite permit 20
 match ip address 101 156 100
 set ip next-hop 172.22.66.76
!
!
access-list 100 permit icmp any 10.30.0.0 0.0.255.255
access-list 101 permit ip any 10.30.0.0 0.0.255.255
access-list 156 permit tcp any 10.30.0.0 0.0.255.255
!

 

PS. For now the WAN interfaces are administratively down.

Can anyone help??

Hi,

 

Which prefixes are you receiving from BGP?

IMHO, instead of configuring PBR, you should simply filter the BGP prefixes received, permitting only those you want to route to through your BGP neighbor.

 

Best regards,

Milan

I did that as well. The main problem is that if I remove the redistribute static and connected commands, clients cannot seem to access the remote network. This is what I have tried:

Remove BGP, add static route to remote network - Result - router can ping but not end clients

BGP without redistribute commands - Same result as above

PBR - Same result as above

Inbound filtering for BGP - Same result as above

 

The main problem is the redistribute commands. I know there shouldn't be any for BGP, but without those the end clients are not able to communicate with the remote network.

 

So what should I do?

Hi,

 

Well, you need to think in two ways:

1) You need to advertise your local subnets via BGP. Without that the remote site users will not be able to reach your site user subnets through the BGP backbone.

So you need to redistribute your directly connected and static routes (some of them at least) to BGP on your router.

2) You need to reach only some of the remote subnets via BGP backbone. That's why you need to filter prefixes received from your BGP neighbour and permit only those you want to reach via BGP.

 

Am I clearer now?

 

Best regards,

Milan

Hello

router bgp 65333
 no auto-summary (older IOS)
 neighbor 172.22.66.76 remote-as 65000
 network 172.22.66.77 mask 255.255.255.252
 network 10.111.112.0 mask 255.255.255.248
 network x.x.x.x (any other local subnet you wish remote site to see)

ip route 10.111.112.0 255.255.255.248 GigabitEthernet0/0.2544 172.22.66.76
ip route 0.0.0.0 0.0.0.0 94.95.96.96

 

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

danishsattar
Level 1

Thanks it worked.
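
Added example, not part of the original thread or any poster's code: a small Python model of route selection (administrative distance per prefix, then longest-prefix match) that shows what the inbound BGP prefix filtering suggested in the thread changes. The eBGP prefixes other than 10.130.0.0/16 and the test destinations are constructed, because the thread never lists what the neighbor actually advertises.

```python
import ipaddress

# IOS default administrative distances for the route sources seen in this thread.
AD = {"connected": 0, "static": 1, "ebgp": 20}

# Constructed sample routes. Only 10.130.0.0/16, the two next hops and the
# connected subnets come from the thread; the other eBGP prefixes are assumptions.
ROUTES = [
    ("10.111.112.0/29", "connected", "GigabitEthernet0/1"),
    ("172.22.66.76/30", "connected", "GigabitEthernet0/0.2544"),
    ("0.0.0.0/0", "static", "94.95.96.96"),
    ("10.130.0.0/16", "ebgp", "172.22.66.76"),
    ("0.0.0.0/0", "ebgp", "172.22.66.76"),        # assumed: default from neighbor
    ("198.51.100.0/24", "ebgp", "172.22.66.76"),  # assumed: extra specific prefix
]

def build_rib(routes, bgp_in_permit=None):
    """Install routes. When bgp_in_permit is given, eBGP prefixes must match it
    exactly (an inbound prefix filter). Per prefix, the lowest distance wins."""
    permit = None
    if bgp_in_permit is not None:
        permit = {ipaddress.ip_network(p) for p in bgp_in_permit}
    rib = {}
    for prefix, source, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if source == "ebgp" and permit is not None and net not in permit:
            continue  # dropped by the inbound prefix filter
        current = rib.get(net)
        if current is None or AD[source] < AD[current[0]]:
            rib[net] = (source, next_hop)
    return rib

def lookup(rib, destination):
    """Return the next hop chosen by longest-prefix match, or None."""
    addr = ipaddress.ip_address(destination)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    return rib[max(matches, key=lambda net: net.prefixlen)][1]

if __name__ == "__main__":
    for label, permit in (("unfiltered", None), ("filtered", ["10.130.0.0/16"])):
        rib = build_rib(ROUTES, permit)
        for dst in ("10.130.4.20", "198.51.100.10", "192.0.2.55"):
            print(label, dst, "->", lookup(rib, dst))
```

In the unfiltered table the static default already beats a BGP default on distance, yet any more specific BGP prefix still pulls its traffic to 172.22.66.76; with only 10.130.0.0/16 permitted inbound, everything else follows the static default.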