BGP route selection from LAN to WAN

Hi,
I am going to implement a multihomed internet connection to two different ISPs. Before implementing it in the real network, I have prepared the same setup in GNS3 and am testing it. Subnet 10.x.5.0/24 should use R1 to get outside from the LAN and 10.x.6.0/24 should use R2 to get outside from the LAN.
Below is my configuration:
HSRP between R1 and R2 towards the LAN. R1 is the primary HSRP device.
R6 is the host (for example) and subnets .5.0/24 and .6.0/24 are connected to R6.
R6 is sending a default route to the HSRP VIP.
R1 is advertising subnet 10.x.5.0/24 and R2 is advertising subnet 10.x.6.0/24.
iBGP is configured between R1 and R2.
From Internet to LAN:
From router 5 (e.g. the Internet) traffic is divided between the two routers: traffic for 10.x.5.0/24 comes to R1 and traffic for 10.x.6.0/24 comes to R2. This is absolutely fine, what I expected.
From LAN to Internet:
I need traffic from 10.x.5.0/24 to take R1 to go to the internet (outside) and traffic from 10.x.6.0/24 to take R2 to go to the internet (outside).
I have tried a higher Local Preference on each router but it is not working. All traffic from R6 (i.e. the LAN) to outside is taking only R1 to go outside.
Could anyone help with how I can split traffic for 10.x.5.0/24 and 10.x.6.0/24 between the two routers from the LAN?
Diagram is attached.

As answered in the other post, hosts belonging to LAN2 (subnet 10.x.6.0/24) can have their default gateway set to R2 (R2 could be the HSRP active node). Now R2 will have a route from eBGP (AS300) as well as from the iBGP session (from R1). We can tweak BGP attributes to prefer the eBGP session. One good option is to set weight, as we want to prefer AS300 routes locally on that router and not on R1. Similarly, on R1 set weight for AS200 routes.
Regards,
Akash

Similar Messages

  • [solved] Troubleshoot ssh with keys (works from LAN, not WAN)

    I'm trying to set up ssh so that I can connect to my work computer from home. It is pretty much essential that I keep the work box as secure as possible at all times. (So I can't disable the firewall, come home and test it because IT would not be at all happy.)
    I'm not sure if this is an Arch question, a Fedora question or a general Linux/networking question.
    The work box is running Fedora 17. It has a firewall eerily like the "simple stateful firewall" described on Arch's wiki. It is running sshd. Public key authentication is enabled. No other form of authentication is enabled. It has a rule allowing ssh connections.
    My laptop is running Arch. It has a firewall very like that described on the "simple stateful firewall" page. It has a couple of rules allowing stuff I need at home (printer and something I had to enable for the LAN).
    Initially, I was given an internal ip address. I got this working fine i.e. I could ssh into the box from my laptop while sitting next to it in my office over the LAN. I'm using the default form of key pair generated on Arch (i.e. rsa) and am using gpg-agent with ssh support in lieu of ssh-agent to manage keys. Pin entry is using the qt front end as I'm on KDE. (I adapted KDE's config so that it starts gpg-agent with ssh support for the session so that I didn't end up with two instances.)
    Once the firewall was in place and sshd was running, they gave me a public ip address. At this point, no port was opened in their firewall to allow WAN connections but I tested the public ip address from within the LAN and it once again worked fine.
    Once I'd confirmed the machine could connect out after getting a public ip, they arranged for the port to be opened for ssh. However, I cannot connect to the machine from home.
    $ ssh -vvi .ssh/id_rsa [email protected]
    OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 22: Applying options for xxx.xxx.xxx.x
    debug1: /etc/ssh/ssh_config line 32: Applying options for *
    debug1: auto-mux: Trying existing master
    debug1: Control socket "/home/username/.ssh/[email protected]:nn" does not exist
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to xxx.xxx.xxx.x [xxx.xxx.xxx.x] port nn.
    debug1: connect to address xxx.xxx.xxx.x port nn: Connection timed out
    ssh: connect to host xxx.xxx.xxx.x port nn: Connection timed out
    xxx.xxx.xxx.x is the public ip (works fine from LAN)
    nn is the port number
    username is my user name (same on both machines)
    The options for the host from ssh_config are:
    AddressFamily inet
    Compression yes
    ControlMaster auto
    ControlPath ~/.ssh/socket-%r@%h:%p
    and the only generic option applied to all hosts is just a line to insist on protocol 2 which I think is default now anyway but I followed the wiki and specified it to be sure.
    What have I missed? My networking knowledge is pretty basic at best. (I got this far using Arch's wiki, Fedora's documentation and a little trial and error. That seemed to work well but now I've added google and still can't figure it out. All the hits I get concern cases where the LAN connection works but authentication fails over WAN. But I'm not getting that far - it looks like my work box doesn't respond at all...)
    Last edited by cfr (2012-09-25 22:12:06)

    So I discovered I'd also managed to kill off LAN access as well as the machine's ability to use any sort of DNS... (I did say it needed to be secure...)
    Anyway, I fixed that, reestablished working ssh from LAN but still can't get it to work from WAN.
    Question: if ShieldsUp! reports the port as stealthed does that mean that the port has not actually been opened? So the campus firewall is blocking the connection? Because if so, I'm knocking my head against a brick (fire)wall to no purpose whatsoever...
    I figure it can't be the software firewall else I'd not be able to connect on the LAN. And it is a public ip address so there's no NAT translation required...

  • BGP route Selection for Outgoing Traffic

    Hi,

    In HSRP keep R2 as the active router for the 10.x.6.0/24 subnet.
    If you do not want to change HSRP, then create a route map, match the 10.x.6.0/24 subnet and set the next hop as R4.

  • UCCX 8.0 switching network deployment from LAN to WAN

    I have a UCCX 8.0.2 HA setup that was installed in a LAN environment. I now need to change that to a WAN setup. A good document would be great. Thanks.

    For information about HA Deployment over WAN, see these sections of the 8.0.1 Installation Guide PDF:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/crs/express_8_0/installation/guide/uccx801ig.pdf:
    "Important Considerations" on page 10
    "Performing Initial Setup for the Second Node" on page 72
    This related information might also be useful:
    WAN/LAN Restrictions 
    http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/crs/express_8_0/configuration/guide/uccx801ag.pdf
    Expected Behaviour During a Failover
    http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/crs/express_8_0/reference/guide/uccx80_eb_failover.pdf
    Please let us know if these docs provide the information you need.
    Linda

  • BGP Path Selection - Favor Oldest Routes

    I've been poking around in a few test routers trying to find where BGP states how long a route has been known from a neighbor. Based on Cisco's BGP path selection article: http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13753-25.html, #10 states BGP prefers the oldest known route. 
    What command shows the amount of time a route has been known via BGP?

    Thanks for your reply, Paul.
    The first command just shows the same timer as the sh ip bgp summary timer. It's just the timer of the neighbor relationship.
    The second command just displays how long the route has been in the routing table. I've tested this and found that when BGP loses a route to a network and then selects a different path that it had known about, the timer resets to 0. Even though it had known about the path for a while, it still resets to 0. 
    So thanks to everyone for your responses, but I'm still looking for some way to see the age of a BGP-learned route.

  • EIGRP vs BGP route path selection scenario

    I am looking for a routing solution to the following scenario.  It is a fairly simple design. 
    I have two WAN connections between sites A and B.  One is a 20 Meg Metro Ethernet Circuit running EIGRP.  The other is a 10 Meg MPLS running BGP.  What do I need to do in my configuration to make sure that the 20 Meg connection is the chosen path based off the fact that it has better speed and bandwidth?  It appears to me that the MPLS is the preferred path even though it is slower.
    See attached Diagram:
    Site A Config
    interface GigabitEthernet1/0/12
     description PADC COX P2P 20 Meg
     no switchport
     bandwidth 20480
     ip address 172.20.1.1 255.255.255.252
    interface GigabitEthernet2/0/2
     description LEVEL 3 MPLS
     no switchport
     bandwidth 10240
     ip address 172.22.0.2 255.255.255.252
    router eigrp 1
     network 10.0.1.0 0.0.0.255
     network 172.20.1.0 0.0.0.3
     network 192.168.76.8 0.0.0.3
     redistribute bgp 65003 metric 100 1 255 1 1500 route-map MPLS_NETWORKS
     redistribute static route-map DEFAULT_ROUTE
    router bgp 65003
     bgp log-neighbor-changes
     redistribute static
     redistribute eigrp 1
     neighbor 172.22.0.1 remote-as 1
     default-information originate
    Site B Config
    interface GigabitEthernet0/1
     description COX Communications 10 Meg to Venyu
     bandwidth 20480
     ip address 172.20.1.2 255.255.255.252
     duplex auto
     speed auto
     service-policy output VOIP
    interface GigabitEthernet0/2
     description Level 3 MPLS
     bandwidth 10240
     ip address 172.22.1.2 255.255.255.252
     duplex full
     speed 100
    router eigrp 1
     network 10.3.1.0 0.0.0.31
     network 10.52.1.0 0.0.0.255
     network 10.76.6.0 0.0.0.255
     network 172.20.1.0 0.0.0.3
     network 192.168.63.64 0.0.0.63
     network 192.168.76.249 0.0.0.0
     passive-interface default
     no passive-interface GigabitEthernet0/0
     no passive-interface GigabitEthernet0/1
    router bgp 65003
     bgp log-neighbor-changes
     network 10.3.1.0 mask 255.255.255.224
     network 10.52.1.0 mask 255.255.255.0
     network 10.76.6.0 mask 255.255.255.0
     network 192.168.76.249 mask 255.255.255.255
     neighbor 172.22.1.1 remote-as 1

    If each router receives advertisements for the same networks/subnet masks from both BGP and EIGRP, it will always choose the BGP routes because they have a lower AD, i.e. 20 for eBGP vs. 90 for EIGRP.
    It doesn't matter what the bandwidth is.
    If you want to prefer the 20 Mbps links, there are a number of options:
    1) if you can summarise each site's subnets, then advertise the summary via BGP and the more specific routes via EIGRP. The more specific route will be chosen even before AD is taken into account.
    2) change the AD of either BGP or EIGRP so that EIGRP ends up with the lower AD.
    3) run BGP on both links, although you would still need to manipulate the attributes to make sure the link you want is used.
    Jon
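    The route-installation behaviour Jon describes, as an added example that is not part of the thread: a toy RIB that installs routes by administrative distance and forwards by longest prefix match. The 10.52.1.0/24 subnet and the two next hops are taken from the Site A/Site B configs above; the 10.52.0.0/16 summary, the alternative distance value and the traffic destination are assumptions for illustration.

```python
"""Added example, not code from the thread: a toy RIB that installs routes by
administrative distance and forwards by longest prefix match, used to show
why Jon's options 1 and 2 change the chosen path. Subnets and next hops are
taken from the Site A/Site B configs above; the 10.52.0.0/16 summary and the
alternative distance are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# IOS default administrative distances for the sources that matter here.
DEFAULT_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ibgp": 200}

METRO_NEXT_HOP = "172.20.1.2"   # 20 Mb Metro Ethernet, learned via EIGRP
MPLS_NEXT_HOP = "172.22.0.1"    # 10 Mb MPLS, learned via eBGP from AS 1


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str      # key into the distance table
    next_hop: str


def install(routes: Iterable[Route],
            distance: Dict[str, int] = DEFAULT_DISTANCE) -> Dict[ipaddress.IPv4Network, Route]:
    """For each exact prefix keep only the source with the lowest AD."""
    rib: Dict[ipaddress.IPv4Network, Route] = {}
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        current = rib.get(net)
        if current is None or distance[r.source] < distance[current.source]:
            rib[net] = r
    return rib


def lookup(rib: Dict[ipaddress.IPv4Network, Route], dst: str) -> Optional[Route]:
    """Longest prefix match; AD only decided which route holds each prefix."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in rib if addr in net]
    return rib[max(matches, key=lambda n: n.prefixlen)] if matches else None


def next_hop_for(dst: str, routes: List[Route],
                 distance: Dict[str, int] = DEFAULT_DISTANCE) -> Optional[str]:
    r = lookup(install(routes, distance), dst)
    return r.next_hop if r else None


# As posted: the same /24 arrives via EIGRP and eBGP, so eBGP (AD 20) wins.
AS_POSTED = [
    Route("10.52.1.0/24", "eigrp", METRO_NEXT_HOP),
    Route("10.52.1.0/24", "ebgp", MPLS_NEXT_HOP),
]

# Option 1: advertise only a summary over BGP and the specific over EIGRP.
SUMMARY_OVER_BGP = [
    Route("10.52.1.0/24", "eigrp", METRO_NEXT_HOP),
    Route("10.52.0.0/16", "ebgp", MPLS_NEXT_HOP),
]

# Option 2: raise eBGP's distance above EIGRP's (assumed value; on IOS this
# would be something like 'distance bgp 100 200 200' under router bgp).
RAISED_EBGP_DISTANCE = dict(DEFAULT_DISTANCE, ebgp=100)


if __name__ == "__main__":
    dst = "10.52.1.10"   # constructed host in the Site B subnet
    print("as posted           :", next_hop_for(dst, AS_POSTED))
    print("option 1            :", next_hop_for(dst, SUMMARY_OVER_BGP))
    print("option 1, Metro down:", next_hop_for(dst, SUMMARY_OVER_BGP[1:]))
    print("option 2            :", next_hop_for(dst, AS_POSTED, RAISED_EBGP_DISTANCE))
```

    With option 1 the Metro link is used while the EIGRP /24 exists and traffic falls back to the BGP /16 summary when EIGRP withdraws it; with option 2 the same /24 simply loses the AD comparison on the BGP side.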

  • Isolate linksys router from LAN while retaining internet

    Hi guys,
    I have a bit of a problem that I've spent the past 3 hours trying to nail down. My main router is an MI424WR for my FIOS connection. It serves several computers, wired and wireless. I have an old Linksys BEFW11S4 router that I am trying to use with weaker (WEP) encryption so that some devices which cannot otherwise connect to a WPA or WPA2 access point can still use the internet, and since WEP is easily crackable, I would like to isolate the WEP router (the Linksys in this case) from the rest of the internal network, which contains shared files.
    As it stands, I have connected the WAN port of the linksys to one of the LAN ports of the MI424WR, assigned 192.168.2.1 as linksys' IP address (on a separate subnet, as the FIOS router has a 192.168.1.1 address), received a DHCP Internet address from the MI424WR, and have also enabled DHCP on the linksys router itself in order to allow client devices to get their own addresses and access the internet.
    Now, based on what I've been reading, connecting the main router's (MI424WR) LAN port to the WAN port of the linksys should create two separate LAN segments, which should separate the local networks from one another. There is obviously something I'm missing here... I am getting essentially the same result as connecting the LAN port of the FIOS router to the LAN port of the linksys router. Shouldn't there be a difference between the WAN and LAN ports in this case?
    Any help is appreciated.
    Thank you.
    Any suggestions?

    The hookup that you did will only protect the BEFW11S4 users from the MI424WR users.   It will not protect the MI424WR users from the BEFW11S4 users.
    This is because the WAN port on the BEFW11S4 only blocks unsolicited data coming into the BEFW11S4.  The WAN port does not block any outgoing data.
    The solution to your problem is this:
    MI424WR  ----  BEFW11S4
                    ----  WRT54G  (or any other wireless router of your choice)
    MI424WR  LAN port wired to BEFW11S4  Internet port.
    MI424WR  LAN port wired to WRT54G  Internet port.
    No other devices connect to MI424WR, either by wire or wirelessly.
    Turn off wireless in the MI424WR.
    All wired and wireless computers (and other secured devices) connect only to the WRT54G, which is using WPA or WPA2 and a strong password.
    In this setup, the Internet port of the WRT54G will prevent intruders from getting into your secured network on the WRT54G, even if the BEFW11S4 is compromised.
    Also the BEFW11S4 and the WRT54G should be using:
    1)  different SSIDs
    2)  different encryption methods
    3)  completely different passwords, that are in no way similar, since someone might crack your WEP password.
    4)  different channels.  There are 11 channels to pick from.   You can use any two channels, but ideally they should be 5 or more channels apart.  Channels 1, 6, and 11 usually work the best.
    Message Edited by toomanydonuts on 01-14-2010 02:04 AM

  • I am from Bulgaria; I want to buy with my two credit cards but there is no option to select Bulgaria to register my cards

    I am from Bulgaria. I want to buy with my two credit cards but there is no option to select Bulgaria to register my cards.

    To use the iTunes/Mac App Stores for a given nation you must be a legal resident of that nation, provide a credit card issued to you by a bank in that nation with a verifiable billing address in that nation.

  • MPLS - Routing info from the same BGP AS

    Hi everyone,
    I'm working on MPLS (in a lab) and I was wondering how it is possible (or what command is needed) to pass traffic to and from the same AS. In my lab I have to specify "neighbor x.x.x.x allowas-in" in order to see routes from routers in my AS. I have 5 routers in my lab (one in AS 777, the MPLS core, and the other four in AS 6500). Everything in AS 6500 has the BGP sub-command "neighbor <ip address> allowas-in". This is the only way I can see routes advertised from neighbors.
    Thanks in advance.

    Hi
    Another (and I believe more commonly used) possibility is to configure as-override on the PE towards the CE:
    router bgp MPLS-CORE
    address-family ipv6 vrf test
    neighbor x.x.x.x as-override
    (syntax might be wrong)
    Jon

  • Route leaking from VRF to Global on same router with VLAN interface

    Hi all,
    I would like to do some route leaking from VRF to Global and Global to VRF on the same router. Here is an output of the config:
    interface FastEthernet4
    description ***Connection to WAN***
    ip vrf forwarding FVRF
    ip address 10.0.0.6 255.255.255.0
    interface Vlan100
    description ***LAN***
    ip address 192.168.227.1 255.255.255.0
    So what I want is to import 192.168.227.0 /24 into FVRF and import 10.0.0.0 /24 into the global routing table.
    I thought I could do that config but it is not possible:
    (config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100
    % For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface
    OR
    DK-SLVPN(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100 192.168.227.1 global
    %Invalid next hop address (it's this router)
    Any ideas are really welcome.
    Best regards,
    Laurent

    Hi,
    I have tried the following solution:
    Add 10.0.0.0/24 from VRF to Global:
    ip route 10.0.0.0 255.255.255.0 FastEthernet4
    Add 192.168.227.0 /24 from Global to VRF:
    router bgp 64512
    bgp log-neighbor-changes
    address-family ipv4
      no synchronization
      redistribute connected
      no auto-summary
    exit-address-family
    ip prefix-list Global-VRF seq 5 permit 192.168.227.0/24
    route-map Global permit 10
    match ip address prefix-list Global-VRF
    ip vrf FVRF
      rd 1:1
      import ipv4 unicast map Global
    So now the VRF table looks like that:
    #      sh ip route vrf FVRF
    C        10.0.0.0/24 is directly connected, FastEthernet4
    S        10.0.0.1/32 [254/0] via 10.0.0.1, FastEthernet4
    L        10.0.0.6/32 is directly connected, FastEthernet4
    B     192.168.227.0/24 is directly connected, 00:15:12, Vlan100
    The Global table looks like this:
    #sh ip route
    Gateway of last resort is 10.1.0.107 to network 0.0.0.0
    D*    0.0.0.0/0 [90/1709056] via 10.1.0.107, 3d02h, Tunnel1
           10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
    S        10.0.0.0/24 is directly connected, FastEthernet4
    C        10.1.0.0/24 is directly connected, Tunnel1
    L        10.1.0.227/32 is directly connected, Tunnel1
    C        10.2.0.0/24 is directly connected, Tunnel2
    L        10.2.0.227/32 is directly connected, Tunnel2
    C        10.10.10.227/32 is directly connected, Loopback100
           192.168.227.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.227.0/24 is directly connected, Vlan100
    L        192.168.227.1/32 is directly connected, Vlan100
    But when I try to ping it still doesn't work:
    #ping vrf FVRF 192.168.227.1 source fastEthernet 4
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.227.1, timeout is 2 seconds:
    Packet sent with a source address of 10.0.0.6
    Success rate is 0 percent (0/5)
    #ping 10.0.0.1 source vlan 100
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    Packet sent with a source address of 192.168.227.1
    Success rate is 0 percent (0/5)
    Any ideas?
    Regards,
    Laurent

  • 866VAE - cant acces web pages from LAN

    Hi everyone,
    I'm fighting with a Cisco 866VAE-K9 for a few days now. I have got an ADSL2+ line on the Cisco; I can ping anything from the router (like 8.8.8.8 or www.google.com), the connection test in CCP runs successfully, but I can't access web pages from LAN computers. From the LAN I can ping any IP address on the internet (like 8.8.8.8), but I can't ping or access the domain names of web pages (like www.google.com). I know there is probably something wrong in my config, but after 2 days of googling I can't find where the problem is. Can anybody help?
    Here is my running config:
    Building configuration...
    Current configuration : 8181 bytes
    ! Last configuration change at 11:31:15 UTC Fri Mar 6 2015 by admin
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname cisco_866vae
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    enable secret 5 xx
    enable password xx
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local 
    aaa session-id common
    wan mode dsl
    ip port-map user-protocol--1 port tcp 3500
    ip name-server 8.8.8.8
    ip cef
    no ipv6 cef
    parameter-map type protocol-info yahoo-servers
     server name scs.msg.yahoo.com
     server name scsa.msg.yahoo.com
     server name scsb.msg.yahoo.com
     server name scsc.msg.yahoo.com
     server name scsd.msg.yahoo.com
     server name cs16.msg.dcn.yahoo.com
     server name cs19.msg.dcn.yahoo.com
     server name cs42.msg.dcn.yahoo.com
     server name cs53.msg.dcn.yahoo.com
     server name cs54.msg.dcn.yahoo.com
     server name ads1.vip.scd.yahoo.com
     server name radio1.launch.vip.dal.yahoo.com
     server name in1.msg.vip.re2.yahoo.com
     server name data1.my.vip.sc5.yahoo.com
     server name address1.pim.vip.mud.yahoo.com
     server name edit.messenger.yahoo.com
     server name messenger.yahoo.com
     server name http.pager.yahoo.com
     server name privacy.yahoo.com
     server name csa.yahoo.com
     server name csb.yahoo.com
     server name csc.yahoo.com
    parameter-map type protocol-info msn-servers
     server name messenger.hotmail.com
     server name gateway.messenger.hotmail.com
     server name webmessenger.msn.com
    parameter-map type protocol-info aol-servers
     server name login.oscar.aol.com
     server name toc.oscar.aol.com
     server name oam-d09a.blue.aol.com
    crypto pki trustpoint TP-self-signed-2886901321
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2886901321
     revocation-check none
     rsakeypair TP-self-signed-2886901321
    crypto pki certificate chain TP-self-signed-2886901321
     certificate self-signed 01
    controller VDSL 0
    class-map type inspect match-any SDM_BOOTPC
     match access-group name SDM_BOOTPC
    class-map type inspect match-any ccp-cls-protocol-p2p
     match protocol edonkey signature
     match protocol gnutella signature
     match protocol kazaa2 signature
     match protocol fasttrack signature
     match protocol bittorrent signature
    class-map type inspect match-all ccp-cls--1
     match access-group name all
    class-map type inspect match-all ccp-cls--2
     match access-group name all1
    class-map type inspect match-any ccp-cls-protocol-im
     match protocol ymsgr yahoo-servers
     match protocol msnmsgr msn-servers
     match protocol aol aol-servers
    class-map type inspect match-any SDM_SSH
     match access-group name SDM_SSH
    class-map type inspect match-any SDM_HTTPS
     match access-group name SDM_HTTPS
    class-map type inspect match-all SDM_GRE
     match access-group name SDM_GRE
    class-map type inspect match-any SDM_SHELL
     match access-group name SDM_SHELL
    class-map type inspect match-any sdm-cls-access
     match class-map SDM_HTTPS
     match class-map SDM_SSH
     match class-map SDM_SHELL
    class-map type inspect match-all sdm-access
     match class-map sdm-cls-access
     match access-group 101
    policy-map type inspect ccp-policy-ccp-cls--1
     class type inspect ccp-cls--1
      pass
     class class-default
      drop
    policy-map type inspect ccp-policy-ccp-cls--2
     class type inspect ccp-cls--2
      pass
     class class-default
      drop
    zone security out
    zone security in
    zone-pair security sdm-zp-in-out source in destination out
     service-policy type inspect ccp-policy-ccp-cls--1
    zone-pair security sdm-zp-out-in source out destination in
     service-policy type inspect ccp-policy-ccp-cls--2
    interface Loopback0
     ip address 192.168.100.1 255.255.255.0
     zone-member security in
    interface ATM0
     no ip address
     no atm ilmi-keepalive
    interface ATM0.1 point-to-point
     pvc 8/48 
      oam-pvc manage
      pppoe-client dial-pool-number 1
    interface Ethernet0
     description $ETH-WAN$
     no ip address
     shutdown
     pppoe-client dial-pool-number 2
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface GigabitEthernet0
     no ip address
    interface GigabitEthernet1
     description $ETH-WAN$$FW_OUTSIDE$
     ip address dhcp client-id GigabitEthernet1
     ip tcp adjust-mss 1412
     shutdown
     duplex auto
     speed auto
    interface Vlan1
     description $FW_INSIDE$
     ip address 192.168.7.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security in
     ip tcp adjust-mss 1412
    interface Dialer1
     no ip address
    interface Dialer2
     description $FW_OUTSIDE$
     ip address negotiated
     ip mtu 1452
     ip nat outside
     ip virtual-reassembly in
     zone-member security out
     encapsulation ppp
     dialer pool 1
     dialer-group 3
     ppp authentication chap pap callin
     ppp chap hostname o2
     ppp chap password 0 o2
     ppp pap sent-username o2 password 0 o2
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat source list 101 interface Dialer2 overload
    ip nat inside source static tcp 192.168.7.39 3500 interface Dialer2 3500
    ip nat inside source list 101 interface Dialer2 overload
    ip nat inside source route-map MAP_ACL interface Dialer2 overload
    ip route 0.0.0.0 0.0.0.0 Dialer2 permanent
    ip route 192.168.2.0 255.255.255.0 192.168.7.3 permanent
    ip access-list extended NAT_ACL
     deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
     permit ip 192.168.0.0 0.0.0.255 any
    ip access-list extended SDM_BOOTPC
     remark CCP_ACL Category=0
     permit udp any any eq bootpc
    ip access-list extended SDM_GRE
     remark CCP_ACL Category=1
     permit gre any any
    ip access-list extended SDM_HTTPS
     remark CCP_ACL Category=1
     permit tcp any any eq 443
    ip access-list extended SDM_SHELL
     remark CCP_ACL Category=1
     permit tcp any any eq cmd
    ip access-list extended SDM_SSH
     remark CCP_ACL Category=1
     permit tcp any any eq 22
    ip access-list extended all
     remark CCP_ACL Category=128
     permit ip any any
    ip access-list extended all1
     remark CCP_ACL Category=128
     permit ip any any
    access-list 2 remark CCP_ACL Category=2
    access-list 2 permit 192.168.7.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=128
    access-list 101 permit ip any any
    access-list 101 permit udp any any eq domain
    access-list 101 permit udp any eq domain any
    dialer-list 1 protocol ip permit
    dialer-list 2 protocol ip permit
    dialer-list 3 protocol ip permit
    mac-address-table aging-time 15
    route-map MAP_ACL permit 10
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     exec-timeout 40 0
     password xxxxxxx
     transport input telnet ssh
     transport output telnet ssh
    scheduler allocate 60000 1000
    end

    Hi,
    I would be happy to help but I have one question first: your configuration contains a lot of cruft generated by SDM/CCP and I am not sure if any of that is really required by you. Do you believe you would be fine with having this entire configuration trimmed down to do just what it's supposed to do (routing and NAT), and having security measures added in later? Just by the way, I do not believe you need the zone-based firewall. In your simple setup with just a few inside/outside interfaces, it does not add any real value apart from making the configuration virtually unreadable. We can easily do the same with IP Inspect.
    Best regards,
    Peter

  • Weird BGP path selection problem

    Hi, all,
    I am seeing a weird BGP path selection problem on a 4948 switch running the cat4500-entservicesk9-mz.122-46.SG.bin code. This switch has two uplinks to different edge routers of the same ISP; one circuit is primary, the other one is a strict backup, and only the default route is accepted from the ISP. I am setting both local preference and weight on the default route advertised over the backup link; however, neither one is taking effect, and BGP still thinks the backup link is better. What could be wrong?
    rtr#sh ip bgp 0.0.0.0/0
    BGP routing table entry for 0.0.0.0/0, version 105
    Paths: (3 available, best #2, table Default-IP-Routing-Table, not advertised to EBGP peer)
      Not advertised to any peer
      17675, (received & used)
        203.169.8.37 from 203.169.8.37 (61.211.160.150)
          Origin IGP, localpref 100, valid, external
          Community: 65001:0 no-export
      17675
        203.169.8.45 from 203.169.8.45 (61.211.160.151)
          Origin IGP, localpref 90, weight 90, valid, external, best <====
          Community: 65001:0 no-export
      17675, (received-only)
        203.169.8.45 from 203.169.8.45 (61.211.160.151)
          Origin IGP, localpref 100, valid, external
          Community: 65001:0 no-export
    Thanks

    Hi,
    On Cisco routers, weight has the highest preference when deciding the best path. By default, a received route has weight 0, but you are setting weight 90 on the backup path and that is why it is getting preferred (higher is better). Please remove the weight and let local preference be 90 (less than the route on the primary path).
    --Pls don't forget to rate helpful posts--
    Regards,
    Akash

  • Bgp path selection issue

    hi,
    i have the following cli show command output,
    R2#show bgp ipv4 unicast
    BGP table version is 11, local router ID is 192.168.220.252
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    * i192.168.30.0     192.168.110.70           0    100      0 63000 i
    *>                  192.168.220.70           0             0 63000 63000 i
    * i192.168.40.0     192.168.110.70           0    100      0 63000 63000 i
    *>                  192.168.220.70           0             0 63000 i
    R2#
    Why isn't the route through the shortest AS path selected as the best route for 192.168.30.0?
    thanks,
    uddika

    R2#
    R2#
    R2#show ip bgp 192.168.30.0
    BGP routing table entry for 192.168.30.0/24, version 7
    Paths: (2 available, best #2, table Default-IP-Routing-Table)
      Advertised to update-groups:
         2         
      63000
        192.168.110.70 (inaccessible) from 192.168.111.251 (192.168.111.251)
          Origin IGP, metric 0, localpref 100, valid, internal
      63000 63000, (received & used)
        192.168.220.70 from 192.168.220.70 (192.168.220.70)
          Origin IGP, metric 0, localpref 100, valid, external, best
    R2#
    R2#
    Thanks, I noticed that R2 does not have a route for the next hop, 192.168.110.70.
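As an added illustration (not code from either post), the following Python model reproduces the part of the Cisco best-path decision order that both threads above hinge on: paths whose next hop is unreachable are discarded first, then weight, local preference, AS-path length, origin and eBGP-over-iBGP are compared in turn (the MED and IGP-metric steps are omitted for brevity). The sample paths are transcribed from the two show outputs above; the `Path` class and function names are this example's own.

```python
"""Simplified model of Cisco's BGP best-path selection (subset of the steps)."""
from dataclasses import dataclass
from typing import List, Optional

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}  # lower is better


@dataclass
class Path:
    next_hop: str
    router_id: str          # BGP router ID of the advertising peer
    as_path: List[int]
    local_pref: int = 100
    weight: int = 0         # Cisco-local attribute, 0 for received routes
    origin: str = "igp"
    external: bool = True   # True = learned via eBGP, False = iBGP
    reachable: bool = True  # is the next hop resolvable in the RIB?


def _rid_key(rid: str):
    return tuple(int(octet) for octet in rid.split("."))


def best_path(paths: List[Path]) -> Optional[Path]:
    """Return the best path; an unreachable next hop disqualifies a path outright."""
    candidates = [p for p in paths if p.reachable]
    if not candidates:
        return None
    # Each tuple element is ordered so that the smallest value wins, hence the
    # negation of weight and local_pref (higher is better for those two).
    return min(candidates, key=lambda p: (
        -p.weight, -p.local_pref, len(p.as_path),
        ORIGIN_RANK[p.origin], 0 if p.external else 1, _rid_key(p.router_id)))


def backup_link_example(remove_weight: bool = False) -> str:
    """The 4948 case: weight 90 on the backup beats localpref 100 on the primary."""
    primary = Path("203.169.8.37", "61.211.160.150", [17675], local_pref=100)
    backup = Path("203.169.8.45", "61.211.160.151", [17675], local_pref=90,
                  weight=0 if remove_weight else 90)
    return best_path([primary, backup]).next_hop


def as_path_example(ibgp_next_hop_reachable: bool = False) -> str:
    """The R2 case: the shorter AS path loses because its next hop is inaccessible."""
    via_ibgp = Path("192.168.110.70", "192.168.111.251", [63000],
                    external=False, reachable=ibgp_next_hop_reachable)
    via_ebgp = Path("192.168.220.70", "192.168.220.70", [63000, 63000])
    return best_path([via_ibgp, via_ebgp]).next_hop
```

Calling `backup_link_example(remove_weight=True)` shows the primary link winning once the weight is gone, and `as_path_example(ibgp_next_hop_reachable=True)` shows the shorter AS path winning once the next hop is resolvable.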

  • Question regarding LAN to WAN setup.....

    Hi everyone,
    I'm pretty new at routing and don't have much experience in it other than what I've learned in CCNA.  I'm going for my CCNP now and am starting to study for ROUTE.  As such, I need to lab, lab, lab.
    Please bear with me as I'm pretty much new at a lot of this stuff.
    I have a 2600 and currently, it only has one Ethernet port.  I'd like to get a WAN card/WIC for it but I'm not exactly sure which one I should get (or if one even exists.)
    I do have an extra T1 CSU/DSU card but I don't think I can use that to connect to anything but a T1 line, which I don't have.  (Note this is going to connect to one of my home Linksys Smart router's ports so as to have a LAN to WAN setup.  The Linksys provides Internet access throughout the house.)
    I did try to connect the T1 card to one of the Linksys's LAN ports but I'm not getting any activity at all.  (This leads me to believe this card is SOLELY to connect to a T1.)
    Basically, I'd like to have the Linksys on one network and the Cisco on a completely different network and have the two networks communicate with each other after configuring the appropriate routing protocol.  I've already tried this using ROAS utilizing VLANs and it worked perfectly but I now want to try it with completely different networks.  For example, my Linksys will be on 192.168.x.x and the Cisco will be on say, 10.1.x.x.
    Does Cisco offer a WAN card for my 2600 that isn't T1 and that will work with one of the Linksys's ports to accomplish this?
    I think I've read there is the NM-1E module that would give me an extra port.  But is that used as a LAN port or a WAN port?  Can an extra LAN card act as a WAN card if I simply configure it for the different network?
    Thanks!

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    T1 CSU/DSU is a different physical technology from Ethernet.  It's often possible to connect two such interfaces, back-to-back, if two routers have these modules; doubtful your Linksys does.
    It's been a long time since I've worked with a 2600, but some models might have various options to add another Ethernet port and/or replace the T1 CSU/DSU module with one.  Cisco's main web site should have that information.
    BTW, old hardware should be able to configure basic routing, but if you're going for a CCNP, you might be unable to try out some newer IOS features you'll be expected to know and understand.

  • Lan and Wan port on Airport express

    Hi guys, I am wondering if you could help me out with my Airport Express.
    I recently bought an airport express and have it set up as the following:
    Router--->ethernet cable in to the Wan of Airport express--->ethernet from Airport Express Lan to computer
    This is so that I have hardwired internet to my gaming computer and wifi in my room for all my devices. The problem is, however, next year I will not be in a situation that allows me the same setup. I will be too far away to run an ethernet cable from the router to the airport express. So I have decided I shall use it to join the network wirelessly and relay internet through both the Wan and Lan port (think this is called bridge mode?). I was also intending on connecting an ethernet hub to one of the ports so that I can connect multiple devices, smart tv, macbook, ps3 etc. But having one of the ports exclusively to my gaming pc.
    My question is, with both Lan and Wan ports relaying internet to multiple devices, would I see a drop in performance, in particular in regard to my computer? Or is the Airport Express able to join both the 2.4GHz and 5GHz bands and relay each connection to a specific LAN port?
    Unfortunately I am not in a position to test this yet, lacking a 5GHz connection in my halls, so I would appreciate if anyone could help shed some light.
    Thank you

    Is the main router also an Apple product? If so, then yes, you can extend wirelessly, but if the main router is an Apple product, why are you bothering to extend wirelessly at all when the main router's signals should be strong enough?
    If the main router is NOT an Apple router, then you will NOT be able to extend it wirelessly, period.
    In my experience, there are very FEW places you NEED to extend a network wirelessly, and I always recommend against it since there is a big performance decrease.
    In the case of a wirelessly extended network, throughput may be reduced to less than 60 percent of that of a single device.
    http://support.apple.com/kb/HT4145
