Re: Setting up ARIN network range on a router. BGP setup and how do I use my IPs?

badassmexican · ‎11-22-2018

I'm very new to Cisco routing. I have a 7100 series router and a new ISP that will advertise our IP block.

I'm trying to figure out how to configure the router to allow us to use the IPs from our block. Any pointers on what I'm missing would be greatly appreciated. I'm having lots of fun with this router.

I was able to figure out how to get the router setup and now I have internet and DHCP working.

It has two ports which I assigned with the IP provided by my ISP and an internal IP.

I added my ISP gateway as a neighbor in my BGP settings:

neighbor 33.88.245.169 remote-as 174

I also added a route to my ISPs gateway and the Internet started working:

ip route 0.0.0.0 0.0.0.0 38.88.245.169

I also created a new access list 1. 4 was already there so I'm thinking maybe I should not have created a new one and just added to access list 4.

I bolded the things I've added to the configuration. The rest was already there. I think this router was already working but with a different ISP.

Router#show running-config
Building configuration...

Current configuration : 3151 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
logging rate-limit console 10 except errors
!
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
ip dhcp excluded-address 192.168.250.0 192.168.250.6
!
ip dhcp pool Main-DHCP
network 192.168.250.0 255.255.255.0
default-router 192.168.250.1
dns-server 66.28.0.45
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.250.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
description Uplink
ip address 38.88.245.170 255.255.255.248
ip nat outside
duplex full
speed 100
!
interface Serial1/0
no ip address
shutdown
framing c-bit
cablelength 10
dsu bandwidth 44210
!
router bgp 6551
bgp log-neighbor-changes
network 207.182.96.0
network 207.182.97.0
network 207.182.98.0
network 207.182.99.0
network 207.182.100.0
network 207.182.104.0
network 207.182.105.0
neighbor 33.88.245.169 remote-as 174
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source list 4 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 0.0.0.0 0.0.0.0 38.88.245.169
ip route 207.182.96.0 255.255.255.0 FastEthernet0/0
ip route 207.182.97.0 255.255.255.0 FastEthernet0/0
ip route 207.182.98.0 255.255.255.0 FastEthernet0/0
ip route 207.182.98.0 255.255.255.128 FastEthernet0/0
ip route 207.182.99.0 255.255.255.0 FastEthernet0/0
ip route 207.182.100.0 255.255.255.0 FastEthernet0/0
ip route 207.182.101.0 255.255.255.0 FastEthernet0/0
ip route 207.182.102.0 255.255.255.0 FastEthernet0/0
ip route 207.182.103.0 255.255.255.0 FastEthernet0/0
ip route 207.182.104.0 255.255.255.0 FastEthernet0/0
ip route 207.182.105.0 255.255.255.0 FastEthernet0/0
no ip http server
!
!
ip prefix-list USCOLO_out seq 10 permit 207.182.96.0/24
ip prefix-list USCOLO_out seq 11 permit 207.182.96.0/19
ip prefix-list USCOLO_out seq 20 permit 207.182.97.0/24
ip prefix-list USCOLO_out seq 30 permit 207.182.98.0/24
ip prefix-list USCOLO_out seq 40 permit 207.182.99.0/24
ip prefix-list USCOLO_out seq 41 permit 207.182.100.0/24
ip prefix-list USCOLO_out seq 42 permit 207.182.104.0/24
ip prefix-list USCOLO_out seq 45 permit 207.182.105.0/24
ip prefix-list USCOLO_out seq 99 deny 0.0.0.0/0
!
ip prefix-list default seq 5 permit 0.0.0.0/0
logging facility local0
logging source-interface FastEthernet0/0
access-list 1 permit 192.168.250.0 0.0.0.255
access-list 4 permit 207.182.105.0
access-list 4 permit 207.182.104.0
access-list 4 permit 207.182.97.0
access-list 4 permit 207.182.96.0
access-list 4 permit 207.182.99.0
access-list 4 permit 207.182.98.0
access-list 4 permit 207.182.100.0
route-map USCOLO permit 10
match as-path 1
set local-preference 103
!
route-map USCOLO_out permit 10
match ip address prefix-list USCOLO_out
!
!
!
line con 0
transport input none
line aux 0
line vty 0 4
login
line vty 5 15
login
!
end

Georg Pauwen · ‎11-22-2018

Hello,

if you want to use all the IP addresses assigned to you, you need to use a NAT pool. Have a look at the config below (lines in bold are for the NAT pool). That said, I am not sure where the 207.x.x.x addresses are used, or if they are used at all ?

Router#show running-config
Building configuration...

Current configuration : 3151 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
logging rate-limit console 10 except errors
!
ip subnet-zero
!
no ip finger
no ip domain-lookup
ip dhcp excluded-address 192.168.250.0 192.168.250.6
!
ip dhcp pool Main-DHCP
network 192.168.250.0 255.255.255.0
default-router 192.168.250.1
dns-server 66.28.0.45
!
call rsvp-sync
!
interface FastEthernet0/0
ip address 192.168.250.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
description Uplink
ip address 38.88.245.170 255.255.255.248
ip nat outside
duplex full
speed 100
!
interface Serial1/0
no ip address
shutdown
framing c-bit
cablelength 10
dsu bandwidth 44210
!
router bgp 6551
bgp log-neighbor-changes
network 207.182.96.0
network 207.182.97.0
network 207.182.98.0
network 207.182.99.0
network 207.182.100.0
network 207.182.104.0
network 207.182.105.0
neighbor 33.88.245.169 remote-as 174
!
ip nat pool ISP_BLOCK 38.88.245.169 38.88.245.174 netmask 255.255.255.248
ip nat inside source list 1 pool ISP_BLOCK
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source list 4 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 0.0.0.0 0.0.0.0 38.88.245.169
ip route 207.182.96.0 255.255.255.0 FastEthernet0/0
ip route 207.182.97.0 255.255.255.0 FastEthernet0/0
ip route 207.182.98.0 255.255.255.0 FastEthernet0/0
ip route 207.182.98.0 255.255.255.128 FastEthernet0/0
ip route 207.182.99.0 255.255.255.0 FastEthernet0/0
ip route 207.182.100.0 255.255.255.0 FastEthernet0/0
ip route 207.182.101.0 255.255.255.0 FastEthernet0/0
ip route 207.182.102.0 255.255.255.0 FastEthernet0/0
ip route 207.182.103.0 255.255.255.0 FastEthernet0/0
ip route 207.182.104.0 255.255.255.0 FastEthernet0/0
ip route 207.182.105.0 255.255.255.0 FastEthernet0/0
no ip http server
!
ip prefix-list USCOLO_out seq 10 permit 207.182.96.0/24
ip prefix-list USCOLO_out seq 11 permit 207.182.96.0/19
ip prefix-list USCOLO_out seq 20 permit 207.182.97.0/24
ip prefix-list USCOLO_out seq 30 permit 207.182.98.0/24
ip prefix-list USCOLO_out seq 40 permit 207.182.99.0/24
ip prefix-list USCOLO_out seq 41 permit 207.182.100.0/24
ip prefix-list USCOLO_out seq 42 permit 207.182.104.0/24
ip prefix-list USCOLO_out seq 45 permit 207.182.105.0/24
ip prefix-list USCOLO_out seq 99 deny 0.0.0.0/0
!
ip prefix-list default seq 5 permit 0.0.0.0/0
logging facility local0
logging source-interface FastEthernet0/0
access-list 1 permit 192.168.250.0 0.0.0.255
access-list 4 permit 207.182.105.0
access-list 4 permit 207.182.104.0
access-list 4 permit 207.182.97.0
access-list 4 permit 207.182.96.0
access-list 4 permit 207.182.99.0
access-list 4 permit 207.182.98.0
access-list 4 permit 207.182.100.0
route-map USCOLO permit 10
match as-path 1
set local-preference 103
!
route-map USCOLO_out permit 10
match ip address prefix-list USCOLO_out
!
line con 0
transport input none
line aux 0
line vty 0 4
login
line vty 5 15
login
!
end

badassmexican · ‎11-22-2018

The 207.x.x.x addresses are what I'm actually trying to make work. They are a block of IPs we own and I get that info from the ARIN site and not the ISP. We had BGP provisioned for us from the ISP so we could use them. They said they would "advertise the IPs"? I'm not sure if that's the right terminology.

This is the ARIN info:

AS Number/Range: 6551

AS Handle: AS6551

Net Range: 207.182.96.0 - 207.182.127.255

CIDR: 207.182.96.0/19

This is the BGP info from our ISP:

BGP has been provisioned as requested

Customer ASN: 6551

ISP ASN: 174

Customer Router Port IP: 38.88.245.170

DNS Resolver: 66.28.0.45 res1.dns.cogentco.com

DNS Resolver: 66.28.0.61 res2.dns.cogentco.com

Authoritative DNS: 66.28.0.14 auth1.dns.cogentco.com

Authoritative DNS: 66.28.0.30 auth2.dns.cogentco.com

We did receive 5 static IP's from our ISP and couldn't figure out how to get them working. Thank you for the configuration info so I could use those.

So we use .168 to isolate the subnet and .169 for our router

So you have these five to use how you need them

38.88.245.170

38.88.245.171

38.88.245.172

38.88.245.173

38.88.245.174

Georg Pauwen · ‎11-22-2018

Hello,

if you own:

AS Number/Range: 6551

AS Handle: AS6551
Net Range: 207.182.96.0 - 207.182.127.255
CIDR: 207.182.96.0/19

That means you can use any of these addresses freely on your network WITHOUT the need to NAT (translate) them. In fact, you own 8190 public IP addresses, so you would not need any private IP addressing at all. That said, I am not doubting your information, but what company do you woork for ? A very large multinational ? I am just asking because Iknow only a few companies that own that many public IP addresses...

badassmexican · ‎11-22-2018

It's a small (I think it's small) mobile service company. I just kind of fell into it. But I'm really loving that I get to finally use Cisco. Thank you so much for the help so far. I'm learning a lot.

So I should be able to just assign a machine in my network a static IP that we own and it should just work and be visible? I tried that and couldn't get on the internet. Maybe my settings were wrong. Is my gateway my router or my ISPs gateway? Also, what subnet mask would I need?

EDIT: I imagine I would need to open ports is this correct. But most would just to browse the internet. Others would need port 80 or other specific ports.

Below is what the router had when it was in use in a colo before we moved it to our office. Hence the new ISP setup. I'm confused by what they were doing on FastEthernet0/0 with the secondary IPs there. When I did that I couldn't use them because the IP's where already in use by the port. What would the purpose of that be?

EDIT: Also, what is the reason for several entries for the two neighbors? I see remot-as and route-map in and out. Do I need these as well?

interface FastEthernet0/0

ip address 207.182.100.1 255.255.255.0 secondary

ip address 207.182.97.4 255.255.255.0 secondary

ip address 207.182.96.18 255.255.255.240 secondary

ip address 207.182.96.34 255.255.255.240 secondary

ip address 207.182.96.61 255.255.255.240 secondary

ip address 207.182.96.7 255.255.255.240 secondary

ip address 207.182.98.1 255.255.255.0

duplex auto

speed auto

interface FastEthernet0/1

description USCOLO-Uplink

ip address 208.74.78.10 255.255.255.252

duplex auto

speed auto

router bgp 6551

bgp log-neighbor-changes

network 207.182.96.0

network 207.182.97.0

network 207.182.98.0

network 207.182.99.0

network 207.182.100.0

network 207.182.104.0

network 207.182.105.0

neighbor 12.250.114.181 remote-as 7018

neighbor 12.250.114.181 route-map ATT in

neighbor 208.74.78.9 remote-as 32743

neighbor 208.74.78.9 description ***USCOLO***

neighbor 208.74.78.9 route-map USCOLO in

neighbor 208.74.78.9 route-map USCOLO_out out

Georg Pauwen · ‎11-22-2018

Hello,

based on your information, the below config should be sufficient. Just make sure your clients use any of the IP addresses assigned to FastEthernet0/0 as their default gateway.

Router#show running-config
Building configuration...

Current configuration : 3151 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
logging rate-limit console 10 except errors
!
ip subnet-zero
!
no ip finger
no ip domain-lookup
!
call rsvp-sync
!
interface FastEthernet0/0
ip address 207.182.100.1 255.255.255.0 secondary
ip address 207.182.97.4 255.255.255.0 secondary
ip address 207.182.96.18 255.255.255.240 secondary
ip address 207.182.96.34 255.255.255.240 secondary
ip address 207.182.96.61 255.255.255.240 secondary
ip address 207.182.96.7 255.255.255.240 secondary
ip address 207.182.98.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description Uplink
ip address 38.88.245.170 255.255.255.248
duplex full
speed 100
!
interface Serial1/0
no ip address
shutdown
framing c-bit
cablelength 10
dsu bandwidth 44210
!
router bgp 6551
bgp log-neighbor-changes
network 207.182.96.0 mask 255.255.224.0
neighbor 33.88.245.169 remote-as 174
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 38.88.245.169
no ip http server
!
line con 0
transport input none
line aux 0
line vty 0 4
login
line vty 5 15
login
!
end

badassmexican · ‎11-22-2018

The IPs on FastEthernet0/1 are the gateway! That makes sense now.

thank you so much. Happy Thanksgiving.

Georg Pauwen · ‎11-22-2018

Not on FastEthernet0/1, but FastEthernet0/0...these are the gateways for your LAN clients...

badassmexican · ‎11-22-2018

Yes, FastEthernet0/0 the LAN inside port. That was a typo. I was just so excited to be getting so much great help.

badassmexican · ‎11-23-2018

Hi,

I used this config but maybe I'm not configuring my clients right. I can ping the DNS servers from the router. But my client with a static IP can't ping anything but the gateway.

interface FastEthernet0/0
ip address 207.182.100.1 255.255.255.0 secondary
ip address 207.182.97.4 255.255.255.0 secondary
ip address 207.182.96.18 255.255.255.240 secondary
ip address 207.182.96.34 255.255.255.240 secondary
ip address 207.182.96.61 255.255.255.240 secondary
ip address 207.182.96.7 255.255.255.240 secondary
ip address 207.182.98.1 255.255.255.0
duplex auto
speed auto

I set my client with the IP of 207.182.100.100 with a subnet of 255.255.255.0 because it's the subnet assigned to that gateway.

I set my DNS to one of the ones provided by the ISP and to the Google DNS servers but I can't ping them from the client. Just the router.

66.28.0.45

8.8.8.8

4.4.4.4

What am I missing?

Thanks

Here's the conf file

Router#show running-config

Building configuration...

Current configuration : 1340 bytes

!

version 12.1

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Router

!

logging rate-limit console 10 except errors

!

ip subnet-zero

!

no ip finger

no ip domain-lookup

!

call rsvp-sync

!

interface FastEthernet0/0

ip address 207.182.97.4 255.255.255.0 secondary

ip address 207.182.96.18 255.255.255.240 secondary

ip address 207.182.96.34 255.255.255.240 secondary

ip address 207.182.96.61 255.255.255.240 secondary

ip address 207.182.96.7 255.255.255.240 secondary

ip address 207.182.100.1 255.255.255.0 secondary

ip address 207.182.98.1 255.255.255.0

duplex auto

speed auto

!

interface FastEthernet0/1

description Uplink

ip address 38.88.245.170 255.255.255.248

duplex full

speed 100

!

interface Serial1/0

no ip address

shutdown

framing c-bit

cablelength 10

dsu bandwidth 44210

!

router bgp 6551

bgp log-neighbor-changes

network 207.182.96.0 mask 255.255.224.0

neighbor 33.88.245.169 remote-as 174

!

ip classless

ip route 0.0.0.0 0.0.0.0 38.88.245.169

no ip http server

!

line con 0

transport input none

line aux 0

line vty 0 4

login

line vty 5 15

login

!

end

badassmexican · ‎11-23-2018

Ok, I made a little progress. I'm able to use my IPs now and get online.

ip: 207.182.100.100

mask: 255.255.255.0

gateway: 207.182.100.1

DNS: 66.28.0.45, 8.8.8.8, 4.4.4.4

But I had to add this line to the configuration

access-list 4 permit 207.182.100.0 0.0.0.255

Then I was online!

When I do a who is search I get 38.88.245.170 instead of my IP though.

paul driver · ‎11-22-2018

Hello

Can you back track a little- May I ask a few questions which hasnt seemed to be asked?

It seems you have only one exit point and you have a bgp peering with the isp that is directly connected but at the same time you have static default route, so I dont see the point of using bgp if you have a default route - Is your isp advertising any routes to you possibly a default?

Whats the reasoning for the static routes pertaining to the arin subnet, if the ISP has provided you with this subnet for nat then you dont need static routes for them pointing ingress towards your lan.

I think you need to tidy up your configuration pertaining to the bgp and the static routing then possible apply nat to use your assigned arin address so to nat your internal lan subnet.

Lastly - Do you wish a 1-to-1 nat regards you ARIN assigned subnet and your lan subnet?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

badassmexican · ‎11-22-2018

Hello,

EDIT: My understanding is we went with this ISP in particular because they would "advertise" where other ISP's wouldn't. I thought it was advertising our IPs so we could use our block(?) of IPs. BGP was part of that I thought. Does this sound right?

EDIT 2: I just need to be able to use these IPs as needed. Get them get on the internet and be pingable from the outside. We also need this to be the internet connection for the LAN. Is there a better way to do this?

Do I actually need BGP for this?

Do I need a static route for this?

Is a 1-to-1 nat for the ARIN assigned subnet and my lan subnet what I need so that static IPs are can get on the internet and pingable?

Maybe I am configuring this wrong. Like I said earlier I'm a Cisco and router newbie.

Here is the goal with my Cisco 7120 router (old one):

Make all the IPs we own pingable or whatever is the safest way to show they are in use. I was told if you don't use them you could lose them.

Have desktop and server clients on the LAN be seen to the world as whatever static IP is assigned to it. If they go to a "who am I" IP page we want the static IP to show up.

Have DHCP clients that don't need static IPs.

Keep everyone safe by blocking ports that aren't needed. Do NAT forwarding to clients that do need ports open.

I set up DHCP just because I found out I could and wanted to try it. Not sure if this will be a headache or if the router can open and block ports I need and do NAT forwarding. Should I just use a SonicWall or something to do this?

When I started they told me we'd be getting a new ISP and to use this router. It was ready to go I just need to set the IPs and configure the BGP neighbor settings and everything should work. It didn't. Well maybe I had the wrong gateway lol.

paul driver · ‎11-23-2018

Hello

Thanks for the additional information - Now regarding what you said about this router I am wondering if it is actually in production at present?

It sounds like the configuration you have shown is from a previous connection, If it is we may be able to erase all configuration and start from scratch obtaining connection for you.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

badassmexican · ‎11-23-2018

Hi,

Luckily this router is not in production yet. So we could erase it all if needed. It is from a previous configuration.