206564 Views, 20 Helpful, 19 Replies

BGP Configuration

Hi all,

Please can anyone help me understand this concept...

Let me show you the scenario.

One MPLS connection from the ISP comes to my router, and from my router to the DMZ servers.

I have to connect the remote server to my DMZ server.

The ISP gave me the BGP details to configure.

Now what do I have to do to route my private network to the remote servers?

I performed NAT on my router to go through the ISP connection. Now I can ping the ISP gateway and can see all the routes in the BGP table (#sh bgp).

Is this correct, or do I have to forward the internal network's traffic directly to the ISP through BGP, or

do I have to create tunnels? If tunnels are required, what do I need to know from the remote office?

[Attached image: Desig.jpg]

Many thanks in advance.

6 Accepted Solutions



Null0 gives you a static route to advertise. BGP needs an existing route to be in the routing table before it can advertise it to other peers. The purpose for it in this scenario is that you're natting to an address that is nowhere on your router. The static route allows for the route to be put into the table and lets BGP use it. When BGP advertises it, it will show that 10.16.21.206 comes from your AS and will let everyone upstream know how to get to this address. Technically, I guess you could create a loopback with the IP on there and NAT out as that address, but I'd have to lab that up.

I attached the diagram for you to review...

R3 192.168.1.1 is natted out as 10.10.10.10. R1 has natting configured, but doesn't hold that ip anywhere:

R1:
ip nat inside source static tcp 192.168.1.2 80 10.10.10.10 80 extendable

R1#sh ip route 10.10.10.10
% Network not in table
R1#

On R2, it doesn't exist either:

R2#sh ip route 10.10.10.10
% Network not in table
R2#

I'll add the null route:

R1(config)#do sh run | inc ip route
ip route 10.10.10.10 255.255.255.255 Null0
R1(config)#

Is it in the routing table now?

R1(config)#do sh ip route 10.10.10.10
Routing entry for 10.10.10.10/32
  Known via "static", distance 1, metric 0 (connected)
  Routing Descriptor Blocks:
  * directly connected, via Null0
      Route metric is 0, traffic share count is 1

So far so good. Now let's advertise it in BGP:

R1#sh run | inc router bgp|10.10.10.10
router bgp 10
 network 10.10.10.10 mask 255.255.255.255

It's showing in the BGP table:

R1#sh ip bgp regex ^$
BGP table version is 8, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       0.0.0.0                  0         32768 i
*> 10.10.10.10/32   0.0.0.0                  0         32768 i
*> 172.20.20.0/30   0.0.0.0                  0         32768 i
*> 192.168.1.0/30   0.0.0.0                  0         32768 i
R1#

What about R2?

R2#sh ip route 10.10.10.10
Routing entry for 10.10.10.10/32
  Known via "bgp 200", distance 20, metric 0
  Tag 10, type external
  Last update from 172.20.20.1 00:01:53 ago
  Routing Descriptor Blocks:
  * 172.20.20.1, from 172.20.20.1, 00:01:53 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 10

Okay, so we have the 10.10.10.10/32 route over at R2. Can it get to 10.10.10.10:80?

R2#telnet 10.10.10.10 80
Trying 10.10.10.10, 80 ... Open
Get / http/1.0
HTTP/1.1 401 Unauthorized
Date: Fri, 01 Mar 2002 00:20:54 GMT
Server: cisco-IOS
Accept-Ranges: none
WWW-Authenticate: Basic realm="level_15_access"

401 Unauthorized

[Connection to 10.10.10.10 closed by foreign host]

Yes it can. So your null route basically allows you to advertise a route into BGP. There are other uses for Null0, like summaries, but this is just to be able to get a route to advertise.

I also labbed up the loopback question and you should be able to do that as well:

R1(config-if)#do sh run int lo1
Building configuration...

Current configuration : 106 bytes
!
interface Loopback1
 ip address 10.10.10.10 255.255.255.255
 ip nat outside
 ip virtual-reassembly
end

Same configuration for everything else, but you wouldn't have a static route to Null0. Notice how I have "ip nat outside" on the loopback interface. That's because I want traffic to use this IP as outgoing. I still have the NAT configuration on the router though:

R1#sh run | i ip nat inside source
ip nat inside source static tcp 192.168.1.2 80 interface Loopback1 80

R1#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.10.10.10:80     192.168.1.2:80     ---                ---
R1#

On R2:

R2#telnet 10.10.10.10 80
Trying 10.10.10.10, 80 ... Open

Sorry for such a long post. In conclusion, you can use either one you wish; both seem to work fine.

HTH,
John

*** Please rate all useful posts ***

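The lab above proves the trick from the outside (telnet from R2). What follows is an added illustration, not code from John's post or from Cisco: a small Python model of the three pieces the lab combines, namely a RIB with longest-prefix match, the IOS rule that a BGP "network" statement only injects a prefix that has an exact-match route in the RIB, and a static port NAT on an inside-global address the router does not otherwise own. The addresses and port are the ones from the final scenario in this thread (10.10.10.28 behind 10.16.21.206, tcp/5775); the interface names and the other prefixes on the router are assumptions. It also makes explicit a caveat the lab does not spell out: once the /32 is advertised, every site in that VRF can reach it, but only the translated port goes anywhere and everything else falls into Null0.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Router:
    """Toy model (hypothetical, not IOS code) of RIB + BGP network statement + static NAT."""
    rib: list = field(default_factory=list)           # (IPv4Network, next-hop label)
    bgp_networks: list = field(default_factory=list)  # prefixes from `network ... mask ...`
    static_nat: dict = field(default_factory=dict)    # (global ip, proto, port) -> (local ip, port)

    def add_route(self, prefix, nexthop):
        self.rib.append((ipaddress.ip_network(prefix), nexthop))

    def bgp_network(self, prefix):
        self.bgp_networks.append(ipaddress.ip_network(prefix))

    def nat_static_tcp(self, local_ip, local_port, global_ip, global_port):
        # ip nat inside source static tcp <local> <lport> <global> <gport>
        self.static_nat[(global_ip, "tcp", global_port)] = (local_ip, local_port)

    def bgp_table(self):
        """A `network` statement only enters the BGP table if the RIB holds an exact match."""
        present = {net for net, _ in self.rib}
        return [str(n) for n in self.bgp_networks if n in present]

    def lookup(self, ip):
        """Longest-prefix match; returns the next-hop label, or None if there is no route."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, nh in self.rib:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

    def receive_outside(self, dst_ip, proto, dst_port):
        """Packet arriving on the outside (MPLS) interface.

        For outside-to-inside traffic IOS translates first and routes second, so a
        static NAT hit is routed on the inside-local address. Anything that does not
        match a translation is routed on the untranslated destination, and a destination
        whose only route is the Null0 /32 is blackholed."""
        hit = self.static_nat.get((dst_ip, proto, dst_port))
        if hit:
            local_ip, local_port = hit
            return ("forwarded", f"{local_ip}:{local_port}", self.lookup(local_ip))
        nh = self.lookup(dst_ip)
        if nh is None:
            return ("dropped", "no route", None)
        if nh == "Null0":
            return ("dropped", "blackholed on Null0", None)
        return ("forwarded", f"{dst_ip}:{dst_port}", nh)


def build_router(with_null_route=True):
    """The OP's router as described in the thread; interface names are assumed."""
    r = Router()
    r.add_route("10.10.10.0/24", "GigabitEthernet0/1")   # DMZ segment holding 10.10.10.28
    r.add_route("172.20.20.0/30", "GigabitEthernet0/0")  # link to the ISP PE (assumed prefix)
    r.nat_static_tcp("10.10.10.28", 5775, "10.16.21.206", 5775)
    r.bgp_network("10.16.21.206/32")                     # network 10.16.21.206 mask 255.255.255.255
    if with_null_route:
        r.add_route("10.16.21.206/32", "Null0")          # ip route 10.16.21.206 255.255.255.255 Null0
    return r


if __name__ == "__main__":
    print("without Null0 route, BGP table:", build_router(False).bgp_table())
    r = build_router()
    print("with Null0 route, BGP table:   ", r.bgp_table())
    print("partner -> 10.16.21.206:5775  ", r.receive_outside("10.16.21.206", "tcp", 5775))
    print("partner -> 10.16.21.206:22    ", r.receive_outside("10.16.21.206", "tcp", 22))
```

Without the Null0 route the network statement is silently ignored and the BGP table stays empty, which is exactly the "% Network not in table" state the lab starts from; with it, the /32 is advertised, tcp/5775 is translated to the DMZ server, and any other port to that address is dropped. That drop is not a substitute for filtering: in production you would still put an inbound ACL on the MPLS-facing interface permitting only the partner's source (10.11.19.51 in the OP's final scenario) to 10.16.21.206 tcp/5775, rather than relying on the NAT table as the only control on who reaches the DMZ host.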

19 Replies

John Blakley (VIP Alumni)

Do you have one site that has an MPLS circuit and the other does not, or do they go into the same provider with MPLS on both sides? If you have MPLS on both sides through the same provider, it should be as easy as peering with the provider with BGP on both sides and then advertising your internal subnets. If you have the public internet between you, you'll need to create LAN-to-LAN tunnels between the two routers. Here's a guide to help you do that:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

HTH,
John

*** Please rate all useful posts ***


Thank you John.

I don't know about the other side, as it is a government organization's server. I think they are connected to the same ISP.

I think they are connected to hundreds of organizations like us, so they don't want to create tunnels.

Now they gave the source and destination IP addresses to NAT to be able to connect to their server.

Now my problems are:

1) I configured BGP and removed NAT,
   so how can I forward my private network to the other side (static routes or internal routing)?

2) They gave me source and destination IP addresses to NAT,
   now I am confused about which IP I should NAT as inside-to-outside and outside-to-inside.

Source IP Address   Destination IP Address   Service    Action
10.11.19.43         10.16.21.206             5775/tcp   allow

Now I don't know what I have to do with these IP addresses, or how to NAT.

You need to check if you have a route in your routing table for 10.16.21.x (show ip route | i 10.16.21.) If you don't, you'll need a tunnel or a route. There's no way around that.

If you have a route in your routing table already, I'm assuming that your address that they want to see you coming in as is 10.11.19.43? Is the server that you're coming from on 10.10.10.28? If so, you'll configure nat in this way:

! single-address pool: the source address the other side expects to see
ip nat pool Nat 10.11.19.43 10.11.19.43 netmask 255.255.255.0
! translate inside sources that the route-map matches, using that pool
ip nat inside source route-map NatToOtherSide pool Nat
! only traffic from the DMZ server to the remote host is translated
access-list 100 permit ip host 10.10.10.28 host 10.16.21.206
route-map NatToOtherSide permit 10
 match ip address 100

When your server (10.10.10.28) sends traffic to host 10.16.21.206 (based on the destination address above), it will NAT to that address. You can further tie this down to the port as well:

access-list 100 permit tcp host 10.10.10.28 host 10.16.21.206 eq 5775

HTH,
John

*** Please rate all useful posts ***


Thank you John.

As you said, I don't find any route for 10.16.21.206,

but I found the route for 10.11.19.43.

Even though I configured the route-map, I am unable to ping.

Does the above route-map need a "set" statement?

This route map doesn't need a set statement because it's being used for natting. I'm unclear as to what ip address they're using on the other side. Is the destination address that you're supposed to go to 10.16.21.206? Again, if they're not on the same mpls network, you'll probably need to use tunnels to get your two subnets to talk to each other. You should get in touch with them to find out if you'll need a tunnel.

HTH,
John

*** Please rate all useful posts ***


Thank you very much John,

I am sure they are using the same ISP as we are, and the IP 10.16.21.206 is their test server's IP address. We spoke to them but they are reluctant to create tunnels.

Source IP Address   Destination IP Address   Service    Action
10.11.19.43         10.16.21.206             5775/tcp   allow

What they have given is the above details.

The diagram is like below:

[Attached image]

Please guide me to configure this.

I'm not understanding who is who. You said that you have a route for 10.11.49.x. Can you post "show ip route 10.11.19.43"? Also, do they own the 10.16.21.206 address, or is that one yours? Let's assume that they are in the same ISP; it doesn't mean that they're in the same VRF, which would require the ISP to configure interaction between your companies (import/export of routes between VRFs).

HTH,
John

*** Please rate all useful posts ***


Hi John,

Thanks for your reply.

The information I got was wrong; now I have to reconfigure the whole thing.

The actual scenario is:

We are hosting the server 10.10.10.28, and the remote org is connecting to our server from 10.11.19.51,

and they are forwarding the traffic from 10.11.19.51 to 10.16.21.206. I created a loopback interface 10.16.21.206 on my router, advertised it through BGP, and created NAT for that on port 5775.

I can get from my server 10.10.10.28 to the loopback and the ISP.

But how can I know that the remote servers are forwarding the routes to my loopback and that I am getting the traffic on my server 10.10.10.28?

It goes like this:   10.11.19.51 --------------> 10.16.21.206 ----(NAT)----> 10.10.10.28
                                                  (loopback)

Please guide me.

You can see if they can ping the address 10.16.21.206. If you're advertising it and they're on the same mpls network, they should have the 10.16.21.x subnet in their table (pending vrf import/export that the ISP may be doing). If they can ping it, then I would remove the address from the loopback and then static nat to that address:

ip nat inside source static tcp 10.10.10.28 5775 10.16.21.206 5775

Create a route to null0 and advertise that via BGP. They should still be able to get to it.

HTH,
John

*** Please rate all useful posts ***


Thank you John, I already have the static NAT.

How do I create a route to null0?

Pro  Inside global       Inside local       Outside local   Outside global
tcp  10.16.21.206:5775   10.10.10.28:5775   ---             ---
---  10.16.21.206        10.10.10.28        ---             ---

But I am not able to ping the remote server 10.11.19.51. How can I know that the traffic they are sending for 10.16.21.226 is NATted and forwarded to my server 10.10.10.28?

My router is a 1941; does it support both incoming and outgoing traffic?

Again, you need to see if they can get to your address that you're advertising. You could be doing this all for nothing and need to create vpn tunnels instead. Your router will work fine...

HTH,
John

*** Please rate all useful posts ***

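The question John keeps coming back to, whether the other side can actually reach the address you advertise, is what the telnet test from R2 answered in the lab. As an added example, not from the original posts, here is a small Python probe that turns that check into something you can run from any host that has the route, or hand to the partner to run from 10.11.19.51. It classifies a TCP connect as open, closed (a RST came back, so routing and the path work and something at the far end answered, which means the NAT or service is the thing to look at), or filtered (a timeout: no route, the VRF was not imported by the ISP, or a firewall is dropping the SYN, which means you are still at the routing stage). The listener is a stand-in for the DMZ server on 127.0.0.1 so the example runs offline; the host, port and timeout are parameters, and the "filtered" branch only shows up against a real unreachable target.

```python
import socket
import threading


def probe_tcp(host, port, timeout=3.0):
    """Classify a TCP connect attempt to host:port.

    'open'     -> SYN/ACK: route, NAT and service all work
    'closed'   -> RST: the path works but nothing answered on that port
                  (no listener, or no NAT entry for this port)
    'filtered' -> timeout: no route / VRF not imported / SYN dropped by a filter
    Anything else is reported as 'error:<errno>'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        return f"error:{e.errno}"
    finally:
        s.close()


def start_listener(host="127.0.0.1"):
    """Stand-in for the DMZ server (constructed for this example): bind an
    ephemeral port, accept one connection in the background, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_once():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=accept_once, daemon=True).start()
    return port


def free_port(host="127.0.0.1"):
    """Find a port nothing listens on: bind, read the number back, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    listening = start_listener()
    silent = free_port()
    print(f"127.0.0.1:{listening} -> {probe_tcp('127.0.0.1', listening)}")  # open
    print(f"127.0.0.1:{silent} -> {probe_tcp('127.0.0.1', silent)}")        # closed
```

Read against the OP's setup: "filtered" from the partner means the /32 has not made it into their VRF (or the ISP is not importing it) and no amount of NAT work will help; "closed" means the /32 is routed and the router answered, so the static NAT entry or the service on 10.10.10.28 is what to check next; "open" is the equivalent of John's "Trying 10.10.10.10, 80 ... Open".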

Hi John,

Thank you very much for your quick reply.

Yeah, the remote server is a government org's, so we cannot force them to create tunnels. We already asked them for tunnels but they are reluctant to create them, so now we have to do this.

How do I create a route to null0?

A null route is:

ip route <network> <mask> Null0

So, in your case it would be:

ip route 10.16.21.206 255.255.255.255 Null0

Then, in BGP:

router bgp 100
 network 10.16.21.206 mask 255.255.255.255

HTH,
John

*** Please rate all useful posts ***
