Posted by Gordon Montgomery on August 20, 2008, 1:19 pm
I am trying to set up a new BGP config. Very basic. We will have
two T-1's from two different ISPs. This is a 2811, version 12.3(11)T3.
I just have the one peer set up for now. The other is due to be installed
in the next 3 weeks.

These are the lines I added to my running config:

!
router bgp mypublicASN
no synchronization
bgp log-neighbor-changes
network x.x.x.0 mask 255.255.255.0
neighbor y.y.y.45 remote-as 3356
neighbor y.y.y.45 route-map localonly out
no auto-summary
!
!
ip as-path access-list 9 permit ^$
!
!
route-map localonly permit 10
match as-path 9
!

Now, I do have ACLs on both in and out on the interface facing
my peer. So I dutifully added a permit to 179. I do see the hit count
increase on the incoming ACL but not on the outgoing ACL. I have
even tried taking both ACLs off. Still when I debug BGP I see that
the peer times out and no connection is made. Can someone spot
my obvious mistake? The ISP is double checking their router and
config, but I thought I would ask here.

Thanks,

Gordon Montgomery
Living Scriptures, Inc
gordon@lsi.com (anti spam - replace lsi with livingscriptures)
(801) 627-2000

Posted by Chris on August 20, 2008, 3:46 pm
On Wed, 20 Aug 2008 17:19:41 GMT, Gordon Montgomery wrote:

Daft question, but can you ping the peer address? Is it directly connected
or should you be using multihop? What state is your session in? IDLE,
ACTIVE etc?

Chris.

Posted by Gordon Montgomery on August 20, 2008, 8:30 pm
>On Wed, 20 Aug 2008 17:19:41 GMT, Gordon Montgomery wrote:
>
>> I am trying to set up a new BGP config. Very basic. We will have
>> two T-1's from two different ISPs. This is a 2811, version 12.3(11)T3.
>> I just have the one peer set up for now. The other is due to be installed
>> in the next 3 weeks.
>>
>> These are the lines I added to my running config:
>>
>> !
>> router bgp mypublicASN
>> no synchronization
>> bgp log-neighbor-changes
>> network x.x.x.0 mask 255.255.255.0
>> neighbor y.y.y.45 remote-as 3356
>> neighbor y.y.y.45 route-map localonly out
>> no auto-summary
>> !
>> !
>> ip as-path access-list 9 permit ^$
>> !
>> !
>> route-map localonly permit 10
>> match as-path 9
>> !
>>
>> Now, I do have ACLs on both in and out on the interface facing
>> my peer. So I dutifully added a permit to 179. I do see the hit count
>> increase on the incoming ACL but not on the outgoing ACL. I have
>> even tried taking both ACLs off. Still when I debug BGP I see that
>> the peer times out and no connection is made. Can someone spot
>> my obvious mistake? The ISP is double checking their router and
>> config, but I thought I would ask here.
>>
>> Thanks,
>>
>> Gordon Montgomery
>> Living Scriptures, Inc
>> gordon@lsi.com (anti spam - replace lsi with livingscriptures)
>> (801) 627-2000
>
>Daft question, but can you ping the peer address? Is it directly connected
>or should you be using multihop? What state is your session in? IDLE,
>ACTIVE etc?
>
>Chris.

Well, like many times with large carriers, a couple of hours after they
swore that everything on their end was correct but "they would look into it",
it magically started working.

But to answer your questions, yes it was directly connected and I could ping
the peer router. I believe the session state was ACTIVE.

I notice now that it is working, when I do a sh ip bgp nei, it shows the
peer id as a completely different ip address. Must be some sort of BGP
forwarding I know nothing about.

Thanks for trying to help.

Gordon

Gordon Montgomery
Living Scriptures, Inc
gordon@lsi.com (anti spam - replace lsi with livingscriptures)
(801) 627-2000

Posted by Merv on August 20, 2008, 9:20 pm
make sure to have inbound prefix filter to block your assigned address block

should have MD5 password configured for all BGP sessions - nei <> password <>

make sure you disable CDP on interface facing ISP

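The three suggestions in the post above (an inbound prefix filter that denies your own block, a neighbor password, CDP off on the ISP-facing interface) can be checked against a saved running-config. This is an added example, not part of the original thread; the addresses, AS 64500, the interface name, the prefix-list name `no-own-block` and the password are constructed placeholders.

```python
import re

# Constructed sample: the posted config with documentation addresses in place of
# x.x.x.0 / y.y.y.45, AS 64500 for "mypublicASN", and an assumed interface name.
AS_POSTED = """\
interface Serial0/0/0
 ip address 198.51.100.46 255.255.255.252
!
router bgp 64500
 network 192.0.2.0 mask 255.255.255.0
 neighbor 198.51.100.45 remote-as 3356
 neighbor 198.51.100.45 route-map localonly out
"""

# Constructed sample: the same config with the three suggestions applied.
HARDENED = AS_POSTED.replace(" ip address", " no cdp enable\n ip address") + """\
 neighbor 198.51.100.45 password EXAMPLE-SECRET
 neighbor 198.51.100.45 prefix-list no-own-block in
!
ip prefix-list no-own-block seq 5 deny 192.0.2.0/24 le 32
ip prefix-list no-own-block seq 10 permit 0.0.0.0/0 le 32
"""

def audit(config, wan_if, own_block):
    """Return findings for the three checks suggested in the thread."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []
    peers = sorted({m.group(1) for l in lines
                    if (m := re.match(r"\s*neighbor (\S+) remote-as \d+", l))})
    for peer in peers:
        nbr = rf"\s*neighbor {re.escape(peer)} "
        if not any(re.match(nbr + r"password \S", l) for l in lines):
            findings.append(f"{peer}: no MD5 password")
        pl = next((m.group(1) for l in lines
                   if (m := re.match(nbr + r"prefix-list (\S+) in$", l))), None)
        deny = rf"ip prefix-list {re.escape(pl or '')} (seq \d+ )?deny {re.escape(own_block)}( le 32)?$"
        if pl is None or not any(re.match(deny, l) for l in lines):
            findings.append(f"{peer}: {own_block} not denied inbound")
    # Assumption: CDP is on by default unless disabled globally or on the interface.
    block = re.search(rf"^interface {re.escape(wan_if)}\n((?: .*\n)*)", config, re.M)
    if_lines = block.group(1).splitlines() if block else []
    if "no cdp run" not in lines and " no cdp enable" not in if_lines:
        findings.append(f"{wan_if}: CDP enabled")
    return findings

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(name, audit(cfg, "Serial0/0/0", "192.0.2.0/24"))
```
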
Posted by Gordon Montgomery on August 22, 2008, 2:57 pm
>make sure to have inbound prefix filter to block your assigned address
>block
>
>should have MD5 password configured for all BGP sessions - nei <>
>password <>
>
>make sure you disable CDP on interface facing ISP
>

Thanks, I will look into those things.

Gordon

Gordon Montgomery
Living Scriptures, Inc
gordon@lsi.com (anti spam - replace lsi with livingscriptures)
(801) 627-2000