BGP route selection from LAN to WAN
Hi,
I am going to implement a multihomed internet connection to two different ISPs. Before implementing it in the real network, I have prepared the same in GNS3 and am testing it. Subnet 10.x.5.0/24 should go out through R1 from the LAN and 10.x.6.0/24 should go out through R2 from the LAN.
Below is my configuration;
HSRP between R1 and R2 towards LAN. R1 is the primary HSRP device.
R6 is the host (example) and subnet .5.0/24 and .6.0/24 are connected to R6.
R6 is sending a default route to HSRP VIP.
R1 is advertising subnet 10.x.5.0/24 and R2 is advertising subnet 10.x.6.0/24
iBGP is configured between R1 and R2
From Internet to LAN:
From router 5 (e.g. the Internet) traffic is divided between the two routers: traffic for 10.x.5.0/24 comes to R1 and traffic for 10.x.6.0/24 comes to R2. This is absolutely fine, what I expected.
From LAN to Internet:
I need traffic from 10.x.5.0/24 to take R1 to go to the internet (outside) and traffic from 10.x.6.0/24 to take R2 to go to the Internet (outside).
I have tried a higher Local Preference on each router but it is not working. All traffic from R6 (i.e. the LAN) to outside is taking only R1 to go outside.
Could anyone help on how I can split traffic for 10.x.5.0/24 & 10.x.6.0/24 between the two routers from the LAN?
Diagram is attached.
As answered in the other post, hosts belonging to LAN2 (subnet 10.x.6.0/24) can have their default gateway set to R2 (R2 could be the HSRP active node); R2 will then have the route from eBGP (AS300) as well as from the iBGP session (from R1). We can tweak BGP attributes to prefer the eBGP session. One good option is to set weight, since we want to prefer AS300 routes locally on that router and not on R1. Similarly, on R1 set weight for AS200 routes.
Regards,
Akash
Similar Messages
-
[solved] Troubleshoot ssh with keys (works from LAN, not WAN)
I'm trying to set up ssh so that I can connect to my work computer from home. It is pretty much essential that I keep the work box as secure as possible at all times. (So I can't disable the firewall, come home and test it because IT would not be at all happy.)
I'm not sure if this is an Arch question, a Fedora question or a general Linux/networking question.
The work box is running Fedora 17. It has a firewall eerily like the "simple stateful firewall" described on Arch's wiki. It is running sshd. Public key authentication is enabled. No other form of authentication is enabled. It has a rule allowing ssh connections.
My laptop is running Arch. It has a firewall very like that described on the "simple stateful firewall" page. It has a couple of rules allowing stuff I need at home (printer and something I had to enable for the LAN).
Initially, I was given an internal ip address. I got this working fine i.e. I could ssh into the box from my laptop while sitting next to it in my office over the LAN. I'm using the default form of key pair generated on Arch (i.e. rsa) and am using gpg-agent with ssh support in lieu of ssh-agent to manage keys. Pin entry is using the qt front end as I'm on KDE. (I adapted KDE's config so that it starts gpg-agent with ssh support for the session so that I didn't end up with two instances.)
Once the firewall was in place and sshd was running, they gave me a public ip address. At this point, no port was opened in their firewall to allow WAN connections but I tested the public ip address from within the LAN and it once again worked fine.
Once I'd confirmed the machine could connect out after getting a public ip, they arranged for the port to be opened for ssh. However, I cannot connect to the machine from home.
$ ssh -vvi .ssh/id_rsa [email protected]
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 22: Applying options for xxx.xxx.xxx.x
debug1: /etc/ssh/ssh_config line 32: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/home/username/.ssh/[email protected]:nn" does not exist
debug2: ssh_connect: needpriv 0
debug1: Connecting to xxx.xxx.xxx.x [xxx.xxx.xxx.x] port nn.
debug1: connect to address xxx.xxx.xxx.x port nn: Connection timed out
ssh: connect to host xxx.xxx.xxx.x port nn: Connection timed out
xxx.xxx.xxx.x is the public ip (works fine from LAN)
nn is the port number
username is my user name (same on both machines)
The options for the host from ssh_config are:
AddressFamily inet
Compression yes
ControlMaster auto
ControlPath ~/.ssh/socket-%r@%h:%p
and the only generic option applied to all hosts is just a line to insist on protocol 2 which I think is default now anyway but I followed the wiki and specified it to be sure.
What have I missed? My networking knowledge is pretty basic at best. (I got this far using Arch's wiki, Fedora's documentation and a little trial and error. That seemed to work well but now I've added google and still can't figure it out. All the hits I get concern cases where the LAN connection works but authentication fails over WAN. But I'm not getting that far - it looks like my work box doesn't respond at all...)
Last edited by cfr (2012-09-25 22:12:06)
So I discovered I'd also managed to kill off LAN access as well as the machine's ability to use any sort of DNS... (I did say it needed to be secure...)
Anyway, I fixed that, reestablished working ssh from LAN but still can't get it to work from WAN.
Question: if ShieldsUp! reports the port as stealthed does that mean that the port has not actually been opened? So the campus firewall is blocking the connection? Because if so, I'm knocking my head against a brick (fire)wall to no purpose whatsoever...
I figure it can't be the software firewall else I'd not be able to connect on the LAN. And it is a public ip address so there's no NAT translation required... -
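The distinction the post is circling (a timeout versus a refusal) can be checked directly. The following is an added example, not part of the post above: a small probe that classifies a port the way the SSH client's connect() sees it. A SYN silently dropped by a firewall comes back as a timeout (what ShieldsUp! calls "stealth"), a reachable host with nothing listening answers with a RST, and a completed handshake means something is listening. Host and port are arguments; the `open_local_listener` helper is an assumption added only so the probe can be exercised offline against 127.0.0.1.

```python
"""Classify a TCP port by what connect() gets back.

Added example, not from the post above. A SYN that is silently dropped by a
firewall produces a timeout ("filtered", what ShieldsUp! reports as stealth);
a reachable host with no listener answers with RST ("closed"); a completed
handshake is "open". Host and port are supplied by the caller.
"""
import socket


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'closed', 'filtered' or 'unreachable: <reason>'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        # No SYN/ACK and no RST within the timeout: something in the path is
        # dropping the packets (host firewall, campus firewall, or no route).
        return "filtered"
    except ConnectionRefusedError:
        # The host is reachable and answered RST: nothing is listening there.
        return "closed"
    except OSError as e:
        # e.g. "Network is unreachable" or "No route to host" from the local stack.
        return f"unreachable: {e.strerror}"
    finally:
        s.close()


def open_local_listener() -> tuple:
    """Bind a throw-away listener on 127.0.0.1 and return (socket, port).

    Helper for exercising probe() offline (an assumption, not part of the
    original post); close the returned socket to turn 'open' into 'closed'.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    print(f"{host}:{port} -> {probe(host, port)}")
```

Run it from home against the work box's public address and port: "filtered" means the campus firewall (or the host firewall) is dropping the SYN and no amount of sshd or key debugging will help; "closed" means the packets reach the host but sshd is not listening on that port; "open" means the problem is past the network layer.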
BGP route Selection for Outgoing Traffic
In HSRP, keep R2 as the active router for the 10.x.6.0/24 subnet.
If you do not want to change HSRP, then create a route-map, match the 10.x.6.0/24 subnet and set the next hop as R4. -
UCCX 8.0 switching network deployment from LAN to WAN
I have a UCCX 8.0.2 HA setup that was installed in a LAN environment. I now need to change that to a WAN setup. A good document would be great. Thanks.
For information about HA Deployment over WAN, see these sections of the 8.0.1 Installation Guide PDF:
http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/crs/express_8_0/installation/guide/uccx801ig.pdf:
"Important Considerations" on page 10
"Performing Initial Setup for the Second Node" on page 72
This related information might also be useful:
WAN/LAN Restrictions
http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/crs/express_8_0/configuration/guide/uccx801ag.pdf
Expected Behaviour During a Failover
http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/crs/express_8_0/reference/guide/uccx80_eb_failover.pdf
Please let us know if these docs provide the information you need.
Linda -
BGP Path Selection - Favor Oldest Routes
I've been poking around in a few test routers trying to find where BGP states how long a route has been known from a neighbor. Based on Cisco's BGP path selection article: http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13753-25.html, #10 states BGP prefers the oldest known route.
What command shows the amount of time a route has been known via BGP?
Thanks for your reply, Paul.
The first command just shows the same timer as the sh ip bgp summary timer. It's just the timer of the neighbor relationship.
The second command just displays how long the route has been in the routing table. I've tested this and found that when BGP loses a route to a network and then selects a different path that it had known about, the timer resets to 0. Even though it had known about the path for a while, it still resets to 0.
So thanks to everyone for your responses, but I'm still looking for some way to see the age of a BGP-learned route. -
EIGRP vs BGP route path selection scenario
I am looking for a routing solution to the following scenario. It is a fairly simple design.
I have two WAN connections between sites A and B. One is a 20 Meg Metro Ethernet Circuit running EIGRP. The other is a 10 Meg MPLS running BGP. What do I need to do in my configuration to make sure that the 20 Meg connection is the chosen path based off the fact that it has better speed and bandwidth? It appears to me that the MPLS is the preferred path even though it is slower.
See attached Diagram:
Site A Config
interface GigabitEthernet1/0/12
description PADC COX P2P 20 Meg
no switchport
bandwidth 20480
ip address 172.20.1.1 255.255.255.252
interface GigabitEthernet2/0/2
description LEVEL 3 MPLS
no switchport
bandwidth 10240
ip address 172.22.0.2 255.255.255.252
router eigrp 1
network 10.0.1.0 0.0.0.255
network 172.20.1.0 0.0.0.3
network 192.168.76.8 0.0.0.3
redistribute bgp 65003 metric 100 1 255 1 1500 route-map MPLS_NETWORKS
redistribute static route-map DEFAULT_ROUTE
router bgp 65003
bgp log-neighbor-changes
redistribute static
redistribute eigrp 1
neighbor 172.22.0.1 remote-as 1
default-information originate
Site B Config
interface GigabitEthernet0/1
description COX Communications 10 Meg to Venyu
bandwidth 20480
ip address 172.20.1.2 255.255.255.252
duplex auto
speed auto
service-policy output VOIP
interface GigabitEthernet0/2
description Level 3 MPLS
bandwidth 10240
ip address 172.22.1.2 255.255.255.252
duplex full
speed 100
router eigrp 1
network 10.3.1.0 0.0.0.31
network 10.52.1.0 0.0.0.255
network 10.76.6.0 0.0.0.255
network 172.20.1.0 0.0.0.3
network 192.168.63.64 0.0.0.63
network 192.168.76.249 0.0.0.0
passive-interface default
no passive-interface GigabitEthernet0/0
no passive-interface GigabitEthernet0/1
router bgp 65003
bgp log-neighbor-changes
network 10.3.1.0 mask 255.255.255.224
network 10.52.1.0 mask 255.255.255.0
network 10.76.6.0 mask 255.255.255.0
network 192.168.76.249 mask 255.255.255.255
neighbor 172.22.1.1 remote-as 1
If each router is receiving advertisements for the same networks/subnet masks from both BGP and EIGRP it will always choose the BGP routes because they have a lower AD, i.e. 20 vs EIGRP 90.
Doesn't matter what the bandwidth is.
If you want to prefer the 20Mbps links then there are a number of options -
1) if you can summarise each sites subnets then advertise the summary via BGP and the more specific via EIGRP. More specific will be chosen even before AD is taken into account.
2) change the AD of either BGP or EIGRP so EIGRP ends up with the lower AD
3) run BGP on both links although you would still need to manipulate the attributes to make sure the link you want is used.
Jon -
Isolate linksys router from LAN while retaining internet
Hi guys,
I've got a bit of a problem that I've spent the past 3 hours trying to nail down. My main router is a MI424WR for my FIOS connection. It serves several computers, wired and wireless. I have an old Linksys BEFW11S4 router that I am trying to use with weaker (WEP) encryption so some devices that could not otherwise use a WPA or WPA2 access point can still use the internet, and since WEP is easily crackable, I would like to isolate the WEP router (the Linksys in this case) from the rest of the internal network, which contains shared files.
As it stands, I have connected the WAN port of the linksys to one of the LAN ports of the MI424WR, assigned 192.168.2.1 as linksys' IP address (on a separate subnet, as the FIOS router has a 192.168.1.1 address), received a DHCP Internet address from the MI424WR, and have also enabled DHCP on the linksys router itself in order to allow client devices to get their own addresses and access the internet.
Now, based on what I've been reading, connecting the main router's (MI424WR) LAN port to the WAN port of the linksys should create two separate LAN segments, which should separate the local networks from one another. There is obviously something I'm missing here... I am getting essentially the same result as connecting the LAN port of the FIOS router to the LAN port of the linksys router. Shouldn't there be a difference between the WAN and LAN ports in this case?
Any help is appreciated.
Thank you.
Any suggestions?
The hookup that you did will only protect the BEFW11S4 users from the MI424WR users. It will not protect the MI424WR users from the BEFW11S4 users.
This is because the WAN port on the BEFW11S4 only blocks unsolicited data coming into the BEFW11S4. The WAN port does not block any outgoing data.
The solution to your problem is this:
MI424WR ---- BEFW11S4
---- WRT54G (or any other wireless router of your choice)
MI424WR LAN port wired to BEFW11S4 Internet port.
MI424WR LAN port wired to WRT54G Internet port.
No other devices connect to MI424WR, either by wire or wirelessly.
Turn off wireless in the MI424WR.
All wired and wireless computers (and other secured devices) connect only to the WRT54G, which is using WPA or WPA2 and a strong password.
In this setup, the Internet port of the WRT54G will prevent intruders from getting into your secured network on the WRT54G, even if the BEFW11S4 is compromised.
Also the BEFW11S4 and the WRT54G should be using:
1) different SSIDs
2) different encryption methods
3) completely different passwords, that are in no way similar, since someone might crack your WEP password.
4) different channels. There are 11 channels to pick from. You can use any two channels, but ideally they should be 5 or more channels apart. Channels 1, 6, and 11 usually work the best.
Message Edited by toomanydonuts on 01-14-2010 02:04 AM -
I am from Bulgaria. I want to buy with my two credit cards but there is no option to select Bulgaria to register my cards.
To use the iTunes/Mac App Stores for a given nation you must be a legal resident of that nation, provide a credit card issued to you by a bank in that nation with a verifiable billing address in that nation.
-
MPLS - Routing info from the same BGP AS
Hi everyone,
I'm working on MPLS (lab) and I was wondering how it is possible (or which command) to pass traffic to and from the same AS. In my lab I have to specify "nei allow-as in" in order to see routes from routers in my AS. I have 5 routers in my lab (one in AS 777 MPLS and the other four in AS 6500). Everything in AS 6500 has the BGP sub-command neighbor "ip addy" allow-as in. This is the only way I can see routes advertised from neighbors.
Thanks in advance.
Hi
Another (and I believe more used) possibility is to configure as-override on the PE towards CE
router bg MPLS-CORE
address-family ipv6 vrf test
neighbour x.x.x.x as-override
(syntax might be wrong)
Jon -
Route leaking from VRF to Global on same router with VLAN interface
Hi all,
I would like to do some route leaking from VRF to Global and Global to VRF on the same router. Here is an output of the config:
interface FastEthernet4
description ***Connection to WAN***
ip vrf forwarding FVRF
ip address 10.0.0.6 255.255.255.0
interface Vlan100
description ***LAN***
ip address 192.168.227.1 255.255.255.0
So what I want is to import 192.168.227.0 /24 into FVRF and import 10.0.0.0 /24 into the global routing table.
I though I could do that config but it is not possible:
(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100
% For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface
OR
DK-SLVPN(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100 192.168.227.1 global
%Invalid next hop address (it's this router)
Any ideas are really welcome.
Best regards,
Laurent
Hi,
I have tried the following solution:
Add 10.0.0.0 /24 From VRFto Global:
ip route 10.0.0.0 255.255.255.0 FastEthernet4
Add 192.168.227.0 /24 from Global to VRF:
router bgp 64512
bgp log-neighbor-changes
address-family ipv4
no synchronization
redistribute connected
no auto-summary
exit-address-family
ip prefix-list Global-VRF seq 5 permit 192.168.227.0/24
route-map Global permit 10
match ip address prefix-list Global-VRF
ip vrf FVRF
rd 1:1
import ipv4 unicast map Global
So now the VRF table looks like that:
# sh ip route vrf FVRF
C 10.0.0.0/24 is directly connected, FastEthernet4
S 10.0.0.1/32 [254/0] via 10.0.0.1, FastEthernet4
L 10.0.0.6/32 is directly connected, FastEthernet4
B 192.168.227.0/24 is directly connected, 00:15:12, Vlan100
The Global table looks like this:
#sh ip route
Gateway of last resort is 10.1.0.107 to network 0.0.0.0
D* 0.0.0.0/0 [90/1709056] via 10.1.0.107, 3d02h, Tunnel1
10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
S 10.0.0.0/24 is directly connected, FastEthernet4
C 10.1.0.0/24 is directly connected, Tunnel1
L 10.1.0.227/32 is directly connected, Tunnel1
C 10.2.0.0/24 is directly connected, Tunnel2
L 10.2.0.227/32 is directly connected, Tunnel2
C 10.10.10.227/32 is directly connected, Loopback100
192.168.227.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.227.0/24 is directly connected, Vlan100
L 192.168.227.1/32 is directly connected, Vlan100
But When I try to ping it still doesn´t work:
#ping vrf FVRF 192.168.227.1 source fastEthernet 4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.227.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.6
Success rate is 0 percent (0/5)
#ping 10.0.0.1 source vlan 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.227.1
Success rate is 0 percent (0/5)
Any ideas?
Regards,
Laurent -
866VAE - can't access web pages from LAN
Hi everyone,
I've been fighting with a Cisco 866VAE-K9 for a few days. I have got an ADSL2+ line on the Cisco; I can ping anything from the router (like 8.8.8.8 or www.google.com), the connection test in CCP runs successfully, but I can't access web pages from LAN computers. From the LAN I can ping any IP address on the internet (like 8.8.8.8), but I can't ping or access domain names of web pages (like www.google.com). I know there is probably something wrong in my config, but after 2 days of googling I can't find where the problem is. Can anybody help?
Here is my running config:
Building configuration...
Current configuration : 8181 bytes
! Last configuration change at 11:31:15 UTC Fri Mar 6 2015 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname cisco_866vae
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable secret 5 xx
enable password xx
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
wan mode dsl
ip port-map user-protocol--1 port tcp 3500
ip name-server 8.8.8.8
ip cef
no ipv6 cef
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
crypto pki trustpoint TP-self-signed-2886901321
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2886901321
revocation-check none
rsakeypair TP-self-signed-2886901321
crypto pki certificate chain TP-self-signed-2886901321
certificate self-signed 01
controller VDSL 0
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all ccp-cls--1
match access-group name all
class-map type inspect match-all ccp-cls--2
match access-group name all1
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
policy-map type inspect ccp-policy-ccp-cls--1
class type inspect ccp-cls--1
pass
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--2
class type inspect ccp-cls--2
pass
class class-default
drop
zone security out
zone security in
zone-pair security sdm-zp-in-out source in destination out
service-policy type inspect ccp-policy-ccp-cls--1
zone-pair security sdm-zp-out-in source out destination in
service-policy type inspect ccp-policy-ccp-cls--2
interface Loopback0
ip address 192.168.100.1 255.255.255.0
zone-member security in
interface ATM0
no ip address
no atm ilmi-keepalive
interface ATM0.1 point-to-point
pvc 8/48
oam-pvc manage
pppoe-client dial-pool-number 1
interface Ethernet0
description $ETH-WAN$
no ip address
shutdown
pppoe-client dial-pool-number 2
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface GigabitEthernet0
no ip address
interface GigabitEthernet1
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id GigabitEthernet1
ip tcp adjust-mss 1412
shutdown
duplex auto
speed auto
interface Vlan1
description $FW_INSIDE$
ip address 192.168.7.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in
ip tcp adjust-mss 1412
interface Dialer1
no ip address
interface Dialer2
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
zone-member security out
encapsulation ppp
dialer pool 1
dialer-group 3
ppp authentication chap pap callin
ppp chap hostname o2
ppp chap password 0 o2
ppp pap sent-username o2 password 0 o2
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat source list 101 interface Dialer2 overload
ip nat inside source static tcp 192.168.7.39 3500 interface Dialer2 3500
ip nat inside source list 101 interface Dialer2 overload
ip nat inside source route-map MAP_ACL interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer2 permanent
ip route 192.168.2.0 255.255.255.0 192.168.7.3 permanent
ip access-list extended NAT_ACL
deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended all
remark CCP_ACL Category=128
permit ip any any
ip access-list extended all1
remark CCP_ACL Category=128
permit ip any any
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.7.0 0.0.0.255
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any any
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
dialer-list 3 protocol ip permit
mac-address-table aging-time 15
route-map MAP_ACL permit 10
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 40 0
password xxxxxxx
transport input telnet ssh
transport output telnet ssh
scheduler allocate 60000 1000
end
Hi,
I would be happy to help but I have one question first: your configuration contains a lot of cruft generated by SDM/CCP and I am not sure whether any of that is really required by you. Do you believe you would be fine with having this entire configuration trimmed down to do just what it's supposed to do (routing and NAT), and we add security measures in later? Just by the way, I do not believe you need the zone-based firewall. In your simple setup with just a few inside/outside interfaces, it does not add any real value apart from making the configuration virtually unreadable. We can easily do the same with IP Inspect.
Best regards,
Peter -
Weird BGP path selection problem
Hi, all,
I am seeing a weird BGP path selection problem on a 4948 switch running cat4500-entservicesk9-mz.122-46.SG.bin code. This switch has two uplinks to different edge routers of the same ISP; one circuit is primary, the other one is strictly backup, and only a default route is accepted from the ISP. I am setting both local preference and weight on the default route advertised over the backup link; however, neither one is taking effect and BGP still thinks the backup link is better. What could be wrong?
rtr#sh ip bgp 0.0.0.0/0
BGP routing table entry for 0.0.0.0/0, version 105
Paths: (3 available, best #2, table Default-IP-Routing-Table, not advertised to EBGP peer)
Not advertised to any peer
17675, (received & used)
203.169.8.37 from 203.169.8.37 (61.211.160.150)
Origin IGP, localpref 100, valid, external
Community: 65001:0 no-export
17675
203.169.8.45 from 203.169.8.45 (61.211.160.151)
Origin IGP, localpref 90, weight 90, valid, external, best <====
Community: 65001:0 no-export
17675, (received-only)
203.169.8.45 from 203.169.8.45 (61.211.160.151)
Origin IGP, localpref 100, valid, external
Community: 65001:0 no-export
Thanks
Hi,
On Cisco routers, weight has the highest preference in deciding the best path. By default, for a received route, weight is 0, but you are setting weight 90 on the backup path and that is why it is getting preferred (higher is better). Please remove the weight and let local preference be 90 (less than the route on the primary path).
--Pls dont forget to rate helpful posts--
Regards,
Akash -
hi,
i have the following cli show command output,
R2#show bgp ipv4 unicast
BGP table version is 11, local router ID is 192.168.220.252
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* i192.168.30.0 192.168.110.70 0 100 0 63000 i
*> 192.168.220.70 0 0 63000 63000 i
* i192.168.40.0 192.168.110.70 0 100 0 63000 63000 i
*> 192.168.220.70 0 0 63000 i
R2#
why isn't the route through the shortest AS path selected as the best route for 192.168.30.0?
thanks,
uddika
R2#
R2#
R2#show ip bgp 192.168.30.0
BGP routing table entry for 192.168.30.0/24, version 7
Paths: (2 available, best #2, table Default-IP-Routing-Table)
Advertised to update-groups:
2
63000
192.168.110.70 (inaccessible) from 192.168.111.251 (192.168.111.251)
Origin IGP, metric 0, localpref 100, valid, internal
63000 63000, (received & used)
192.168.220.70 from 192.168.220.70 (192.168.220.70)
Origin IGP, metric 0, localpref 100, valid, external, best
R2#
R2#
thanks, I noticed that R2 does not have a route for the next hop, 192.168.110.70. -
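Three threads on this page turn on the same thing, the order in which a Cisco router breaks ties between BGP paths: Akash's reply to the original question (weight set on R2 is local to R2, whereas local preference set on R1 propagates over iBGP), the 4948 case where a weight of 90 on the backup path overrides a lower local preference, and the R2 case where the shorter AS path is not chosen because its next hop is not in the RIB. The following is an added example, not code from any of the posts: a small model of the IOS decision process (weight, local preference, locally originated, AS-path length, origin, MED, eBGP over iBGP, IGP metric, oldest path, router ID), with next-hop reachability supplied by the caller, run over paths constructed from the values shown in those posts. The AS numbers 200 and 300 and the `r1`/`as300` next-hop labels in the multihoming case come from Akash's reply and are assumptions, as is the local-preference value 200 used to stand in for the original poster's attempt; the `received-only` entry in the 4948 output is a pre-policy copy kept by soft reconfiguration, not a candidate, so it is left out.

```python
"""Cisco-style BGP best-path selection as a small simulator (added example).

Not code from any post above. The tie-break order follows the IOS decision
process; "received-only" entries shown under soft reconfiguration are
pre-policy copies and are not candidates, so they are not modelled.
"""
from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}  # IGP beats EGP beats incomplete


@dataclass
class Path:
    next_hop: str
    as_path: list
    from_ebgp: bool
    weight: int = 0            # Cisco-local, never advertised to any peer
    local_pref: int = 100      # AS-wide, carried to iBGP peers
    origin: str = "i"
    med: int = 0
    igp_metric: int = 0
    age: int = 0               # seconds the path has been known
    router_id: str = "0.0.0.0"
    locally_originated: bool = False


def sort_key(p: Path) -> tuple:
    """Smaller tuple wins; each element is one step of the decision process."""
    return (
        -p.weight,                                       # 1. highest weight
        -p.local_pref,                                   # 2. highest local preference
        0 if p.locally_originated else 1,                # 3. locally originated
        len(p.as_path),                                  # 4. shortest AS path
        ORIGIN_RANK[p.origin],                           # 5. lowest origin
        p.med,                                           # 6. lowest MED
        0 if p.from_ebgp else 1,                         # 7. eBGP over iBGP
        p.igp_metric,                                    # 8. nearest IGP next hop
        -p.age,                                          # 9. oldest path
        tuple(int(o) for o in p.router_id.split(".")),   # 10. lowest router ID
    )


def best_path(paths, reachable_next_hops):
    """Best path among those whose next hop resolves in the RIB, else None."""
    candidates = [p for p in paths if p.next_hop in reachable_next_hops]
    return min(candidates, key=sort_key) if candidates else None


# The 4948 case: weight 90 on the backup path beats localpref 100 on the primary.
def backup_link_case(weight_on_backup: int) -> str:
    primary = Path("203.169.8.37", [17675], True, local_pref=100,
                   router_id="61.211.160.150")
    backup = Path("203.169.8.45", [17675], True, local_pref=90,
                  weight=weight_on_backup, router_id="61.211.160.151")
    return best_path([primary, backup], {primary.next_hop, backup.next_hop}).next_hop


# The R2 case: the shorter AS path loses only because its next hop does not resolve.
def inaccessible_next_hop_case(ibgp_next_hop_in_rib: bool) -> str:
    via_ibgp = Path("192.168.110.70", [63000], False, local_pref=100)
    via_ebgp = Path("192.168.220.70", [63000, 63000], True, local_pref=100)
    rib = {via_ebgp.next_hop} | ({via_ibgp.next_hop} if ibgp_next_hop_in_rib else set())
    return best_path([via_ibgp, via_ebgp], rib).next_hop


# The multihoming case as seen from R2 (constructed; ASNs taken from Akash's reply).
# A local preference raised on R1 reaches R2 over iBGP and drags R2's outbound
# traffic to R1; a weight set on R2 is local to R2 and cannot be overridden by R1.
def multihome_r2_case(weight_on_as300: int) -> str:
    via_r1 = Path("r1", [200], False, local_pref=200)      # R1's AS200 path via iBGP
    via_as300 = Path("as300", [300], True, weight=weight_on_as300)
    return best_path([via_r1, via_as300], {"r1", "as300"}).next_hop


if __name__ == "__main__":
    print("4948, weight 90 on backup   :", backup_link_case(90))
    print("4948, weight removed        :", backup_link_case(0))
    print("R2, iBGP next hop unresolved:", inaccessible_next_hop_case(False))
    print("R2, iBGP next hop in RIB    :", inaccessible_next_hop_case(True))
    print("R2 multihome, no weight     :", multihome_r2_case(0))
    print("R2 multihome, weight 200    :", multihome_r2_case(200))
```

The model makes the three outcomes visible side by side: removing the weight from the 4948 backup path lets local preference decide in favour of the primary; putting 192.168.110.70 back into R2's RIB makes the single-AS-hop iBGP path win as the poster expected; and on the multihomed R2, only weight (step 1, local to the router) survives a higher local preference arriving over iBGP from R1. Note that the original poster's symptom is still dominated by HSRP: while R1 is the active gateway for the VIP, every LAN host sends its traffic to R1 before any of this selection on R2 matters.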
Question regarding LAN to WAN setup.....
Hi everyone,
I'm pretty new at routing and don't have much experience in it other than what I've learned in CCNA. I'm going for my CCNP now and am starting to study for ROUTE. As such, I need to lab, lab, lab.
Please bear with me as I'm pretty much new at a lot of this stuff.
I have a 2600 and currently, it only has one Ethernet port. I'd like to get a WAN card/WIC for it but I'm not exactly sure which one I should get (or if one even exists.)
I do have an extra T1 CSU/DSU card but I don't think I can use that to connect to anything but a T1 line, which I don't have. (Note this is going to connect to one of my home Linksys Smart router's ports so as to have a LAN to WAN setup. The Linksys provides Internet access throughout the house.)
I did try to connect the T1 card to one of the Linksys's LAN ports but I'm not getting any activity at all. (This leads me to believe this card is SOLELY to connect to a T1.)
Basically, I'd like to have the Linksys on one network and the Cisco on a completely different network and have the two networks communicate with each other after configuring the appropriate routing protocol. I've already tried this using ROAS utilizing VLANs and it worked perfectly but I now want to try it with completely different networks. For example, my Linksys will be on 192.168.x.x and the Cisco will be on say, 10.1.x.x.
Does Cisco offer a WAN card for my 2600 that isn't T1 and that will work with one of the Linksys's ports to accomplish this?
I think I've read there is the NM-1E module that would give me an extra port. But is that used as a LAN port or a WAN port? Can an extra LAN card act as a WAN card if I simply configure it for the different network?
Thanks!
T1 CSU/DSU is a different physical technology from Ethernet. It's often possible to connect two such interfaces, back-to-back, if two routers have these modules; doubtful your Linksys does.
It's been a long time since I've worked with a 2600, but some models might have various options to add another Ethernet port and/or replace the T1 CSU/DSU module with one. Cisco's main web site should have that information.
BTW, old hardware should be able to configure basic routing, but if you're going for a CCNP, you might be unable to try out some newer IOS features you'll be expected to know and understand. -
Lan and Wan port on Airport express
Hi guys I am wondering if you could help me out with my airport express.
I recently bought an airport express and have it set up as the following:
Router--->ethernet cable in to the Wan of Airport express--->ethernet from Airport Express Lan to computer
This is so that I have hardwired internet to my gaming computer and wifi in my room for all my devices. The problem is, however, next year I will not be in a situation that allows me the same setup. I will be too far away to run an ethernet cable from the router to the airport express. So I have decided I shall use it to join the network wirelessly and relay internet through both the Wan and Lan port (think this is called bridge mode?). I was also intending on connecting an ethernet hub to one of the ports so that I can connect multiple devices, smart tv, macbook, ps3 etc. But having one of the ports exclusively to my gaming pc.
My question is, with both Lan and Wan ports relaying internet to multiple devices, would I see a drop in performance, in particular in regard to my computer? Or is the airport express able to join both the 2.4GHz or 5GHz and relay each connection to a specific lan port?
Unfortunately I am not in a position to test this yet, lacking a 5GHz connection in my halls, so I would appreciate if anyone could help shed some light.
Thank you
Is the main router also an apple product? If so, then yes you can extend wirelessly, but if the main router is an apple product, why are you bothering to extend wirelessly at all when the main router's signals should be strong enough?
If the main router is NOT an apple router, then you will NOT be able to extend it wirelessly, period.
In my experience, there are very FEW places you NEED to extend a network wirelessly, and I always recommend against it since there is a big performance decrease.
In the case of a wirelessly extended network, throughput may be reduced to less than 60 percent of that of a single device.
http://support.apple.com/kb/HT4145