Solved

Cisco 881 BGP to ISP Internet help

Posted on 2012-03-20
Last Modified: 2012-03-20
Hello All,

Very much a noob when it comes to BGP.

We have a new Wires Only EFM line that has been setup by our ISP.

We have been given the IP range and AS numbers but are struggling to get it configured.

Router config is as follows:-

interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 141.0.0.0 255.255.255.248 #one of our static IP addresses
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto


router bgp 65530
 no synchronization
 bgp log-neighbor-changes
 network 141.0.0.0 mask 255.255.255.248  #my network range
 redistribute static
 neighbor 141.0.0.0 remote-as 20500 # ISP's WAN Interface
 no auto-summary

Have I missed something obvious?

Cheers
Question by:ghost123
13 Comments
 
LVL 6

Expert Comment

by:vmagan
ID: 37742136
What is the issue here? You can't get online?
0
 
LVL 1

Author Comment

by:ghost123
ID: 37742149
Yes, sorry - cannot ping internet IPs, i.e. 158.152.1.58 - Demon's DNS
0
 
LVL 6

Expert Comment

by:vmagan
ID: 37742217
You need to add a default route. In global mode add 0.0.0.0 0.0.0.0 xxxx, where xxxx is the ISP gateway.
0
 
LVL 6

Expert Comment

by:vmagan
ID: 37742223
Post a show ip route config
0
 
LVL 1

Author Comment

by:ghost123
ID: 37742376
Hi

Thanks for your help so far.

Full config as follows:-

efm#sh run
Building configuration...

Current configuration : 7602 bytes
!
! Last configuration change at 13:27:19 PCTime Tue Mar 20 2012 by admin
! NVRAM config last updated at 13:19:40 PCTime Tue Mar 20 2012 by admin
! NVRAM config last updated at 13:19:40 PCTime Tue Mar 20 2012 by admin
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname efm
!
boot-start-marker
boot system flash:c880data-universalk9-mz.152-2.T1.bin #UPDATED iOS
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$DByl$q.z3CJ1Nf5PIE6CKDKueU/
!
no aaa new-model
!
memory-size iomem 10
clock timezone PCTime 0 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-453973501
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-453973501
 revocation-check none
 rsakeypair TP-self-signed-453973501
!
!
crypto pki certificate chain TP-self-signed-453973501
 certificate self-signed 01
        quit
no ip source-route
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.9
ip dhcp excluded-address 10.10.10.21 10.10.10.254
!
ip dhcp pool ccp-pool1
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
!
!
no ip bootp server
ip domain name domain.local
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FCZ160793DV
!
!
username adminis privilege 15 secret 5 $1$x2bu$Z1AeQC8iaNnFOPfJT9wwR1
!
!
!
!
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 141.0.0.0 255.255.255.248 # MY PUBLIC IP ADDRESS
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
router bgp 65530
 bgp log-neighbor-changes
 network 141.0.0.0 mask 255.255.255.248 # IP RANGE ASSIGNED BY ISP
 neighbor 141.0.0.0 remote-as 20500 # WAN IP OF ISP
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 141.0.0.0 # WAN IP ADDRESS OF ISP
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 141.0.0.0 0.0.0.7 any #MY NETWORK RANGE
no cdp run
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------


-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000 4000 1000
scheduler interval 500
!
end

BGP info

efm#sh bgp summary
BGP router identifier 141.0.0.8, local AS number 65530 #MY PUBLIC IP
BGP table version is 2, main routing table version 2
1 network entries using 148 bytes of memory
1 path entries using 64 bytes of memory
1/1 BGP path/bestpath attribute entries using 128 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 340 total bytes of memory
BGP activity 1/0 prefixes, 1/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
141.0.0.0    4        20500       0       0        1    0    0 never    Idle #WAN IP of ISP
efm#


Thanks
0
 
LVL 1

Author Comment

by:ghost123
ID: 37742412
Forgot to say, I have removed "redistribute static"


needed?

Thanks
0

 
LVL 6

Expert Comment

by:vmagan
ID: 37742422
Make sure when you post configs that you try not to put external IP addresses and passwords out here.

When you did that ip route, is that address the ISP gateway? Not your static IP; it needs to be the ISP gateway, which is usually one number less than your first static IP address.
0
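The advice in the comment above, as an added example (not part of the thread and not vmagan's code): a Python filter that redacts secrets, the serial number and the certificate body from an IOS configuration, and remaps public IPv4 addresses into the RFC 5737 documentation ranges while keeping the last octet, so the subnet relationships needed for troubleshooting survive. `sanitize_config`, `DOC_PREFIXES` and the sample lines are constructed for illustration.

```python
import ipaddress
import re

DOC_PREFIXES = ["192.0.2", "198.51.100", "203.0.113"]  # RFC 5737 documentation ranges
# Constructed sample input (values are placeholders, not taken from a real device)
SAMPLE = """\
enable secret 5 $1$constructed$hashvalue
license udi pid CISCO881-SEC-K9 sn CONSTRUCTED01
 certificate self-signed 01
  30820000 DEADBEEF
        quit
 ip address 10.10.10.1 255.255.255.0
 ip address 141.0.0.2 255.255.255.248
ip route 0.0.0.0 0.0.0.0 141.0.0.1
ip name-server 8.8.8.8
"""

def sanitize_config(text):
    """Redact secrets and remap public IPv4 addresses before a config is shared."""
    prefix_map = {}  # original public /24 prefix -> documentation prefix

    def remap(match):
        try:
            addr = ipaddress.ip_address(match.group(0))
        except ValueError:
            return match.group(0)          # dotted number that is not an address
        if not addr.is_global:
            return match.group(0)          # RFC 1918, netmasks, wildcards, 0.0.0.0
        head, _, host = match.group(0).rpartition(".")
        if head not in prefix_map:
            if len(prefix_map) == len(DOC_PREFIXES):
                raise ValueError("more than three public /24s; extend DOC_PREFIXES")
            prefix_map[head] = DOC_PREFIXES[len(prefix_map)]
        return f"{prefix_map[head]}.{host}"

    out, in_cert = [], False
    for line in text.splitlines():
        if in_cert:                        # drop the hex body up to 'quit'
            if line.strip() == "quit":
                in_cert = False
                out.append(line)
            continue
        if re.match(r"\s*certificate ", line):
            in_cert = True
            out += [line, "  <certificate removed>"]
            continue
        line = re.sub(r"\b(secret|password) (\d+ )?\S+", r"\1 <removed>", line)
        line = re.sub(r"\bsn \S+", "sn <removed>", line)
        out.append(re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", remap, line))
    return "\n".join(out)
```

Type 5 secrets are salted MD5 hashes that can be attacked offline, so a hash that has already been posted should be treated as exposed and the password rotated.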
 
LVL 1

Author Comment

by:ghost123
ID: 37742463
Internals will be changed and the externals aren't real, but fair point!

The line that says

ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 141.0.0.0 # WAN IP ADDRESS OF ISP

The 141.x.x.x address is 1 number less than the "Customer WAN Interface" address - notes say WAN Link. The number is described as "Provider WAN Interface"

thx
0
 
LVL 6

Expert Comment

by:vmagan
ID: 37742655
is this router directly connected to the ISP modem?

run the show ip route cmd and post here.
0
 
LVL 1

Author Comment

by:ghost123
ID: 37742766
Yes, it's connected to a RAD LA-210 modem that is onsite

efm#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.10.0/24 is directly connected, Vlan1
L        10.10.10.1/32 is directly connected, Vlan1
      141.0.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        141.0.0.0/29 is directly connected, FastEthernet4 #PUBLIC IP NETWORK
L        141.0.0.0/32 is directly connected, FastEthernet4 #PUBLIC IP ASSIGNED TO ROUTER




Gateway of last resort is not set???


thx
0
 
LVL 6

Accepted Solution

by:
vmagan earned 500 total points
ID: 37742868
Right, that is what we have to configure, which is the ip route 0.0.0.0. Let me re-check the config, brb.
0
 
LVL 1

Author Comment

by:ghost123
ID: 37742884
vmagan, sorted now!

The IP I had assigned to FastEthernet4 was wrong!

corrected and now all is hunky dory!

thx for all your help
0
 
LVL 6

Expert Comment

by:vmagan
ID: 37742912
Awesome! Glad it's working for you.
0
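The thread was resolved by correcting the address assigned to FastEthernet4. As an added example (not from the thread or its participants), this Python check flags that class of addressing mistake in an IOS configuration: an interface given the network or broadcast address of its subnet, and a BGP neighbor or static next hop that equals the router's own address or is not on a connected subnet. It assumes single-hop eBGP on the WAN subnet, as in the thread; `check_addressing` is a hypothetical name and the sample reproduces the anonymized addressing lines of the posted configuration.

```python
import ipaddress
import re

# Constructed sample: addressing lines as they appear (anonymized) in the posted config
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip address 141.0.0.0 255.255.255.248 # MY PUBLIC IP ADDRESS
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
router bgp 65530
 neighbor 141.0.0.0 remote-as 20500 # WAN IP OF ISP
ip route 0.0.0.0 0.0.0.0 141.0.0.0 # WAN IP ADDRESS OF ISP
"""

def check_addressing(config):
    """Return findings about interface, BGP neighbor and static next-hop addresses."""
    findings, interfaces, peers, current = [], {}, [], None
    for line in config.splitlines():
        line = line.split("#", 1)[0].rstrip()   # drop the poster's '#' annotations
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            interfaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"\s+neighbor (\S+) remote-as \d+", line):
            peers.append(("BGP neighbor", ipaddress.ip_address(m.group(1))))
        elif m := re.match(r"ip route \S+ \S+ (\d+\.\d+\.\d+\.\d+)", line):
            peers.append(("static next hop", ipaddress.ip_address(m.group(1))))
    for name, iface in interfaces.items():
        net = iface.network
        # /31 and /32 have no separate network/broadcast address, so skip them
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{name}: {iface.ip} is the network or broadcast address of {net}")
    local = {iface.ip for iface in interfaces.values()}
    for what, addr in peers:
        if addr in local:
            findings.append(f"{what} {addr} is this router's own interface address")
        elif not any(addr in iface.network for iface in interfaces.values()):
            # Legitimate for multihop or loopback peering; assumed not to apply here
            findings.append(f"{what} {addr} is not on a directly connected subnet")
    return findings

if __name__ == "__main__":
    for finding in check_addressing(SAMPLE_CONFIG):
        print(finding)
```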
