
Enterprise BGP Lab

posted in Cisco Networking, Technical on April 29th, 2010


Today we’ll go over a dual-homed enterprise BGP deployment. We have an enterprise in AS 6500 connected to ISPs in ASes 1111 and 2222, respectively. We also have a router in the cloud simulating the internet (injecting loopbacks) and routers in our DMZ simulating servers, and a loopback on the IBR simulating a LAN. In the post we will only go over configuration for BGP in AS 6500 (otherwise this will be far too long), but I’m including the initial configs for the other devices as well as the final configs for all devices. I’m using 3725s here, but nearly any router in Dynamips should be sufficient.

Here’s the topology:

[topology diagram not included in this copy]

Here are the tasks:

1. Configure the Outside Border Router in AS 6500. Peer with ISP-1 and ISP-2. Ensure that the DMZ subnet is advertised to the internet.
2. Prevent AS 6500 from being used as a transit between ASes 1111 and 2222.
3. The link through ISP-1 is much faster than the link through ISP-2. Configure outgoing traffic to use ISP-1 as the primary and only use the link through ISP-2 if the primary link is down.
4. Configure incoming traffic to use the link through ISP-1 as the primary.
5. Ensure that NAT is set up to use both ISPs.

First we’ll configure the OBR (Outside Border Router):

Router(config)#hostname OBR
OBR(config)#interface FastEthernet0/0
OBR(config-if)# ip address 72.51.18.1 255.255.255.0
OBR(config-if)# ip nat inside
OBR(config-if)# ip virtual-reassembly
OBR(config-if)# duplex auto
OBR(config-if)# speed auto
OBR(config-if)#
OBR(config-if)#interface Serial0/0
OBR(config-if)# ip address 57.85.11.3 255.255.255.254
OBR(config-if)# ip nat outside
OBR(config-if)# ip virtual-reassembly
OBR(config-if)# clock rate 2000000
OBR(config-if)#
OBR(config-if)#interface Serial0/1
OBR(config-if)# ip address 93.48.61.3 255.255.255.254
OBR(config-if)# ip nat outside
OBR(config-if)# ip virtual-reassembly
OBR(config-if)# clock rate 2000000
OBR(config-if)#
OBR(config-if)#router ospf 6500
OBR(config-router)# log-adjacency-changes
OBR(config-router)# network 72.51.18.0 0.0.0.255 area 0
OBR(config-router)# default-information originate always

Basic stuff here: hostname, IPs, NAT inside/outside statements and OSPF. We’re running OSPF on our DMZ link and originating a default route “always”, which means the default is originated even if we do not have one in our own routing table. The default is sent to the IBR, which only needs a default because the only way out of the network is through the OBR.

Next we’ll go through the BGP config on the OBR:

OBR(config)#ip as-path access-list 10 permit ^$
OBR(config)#
OBR(config-route-map)#route-map ISP-2_OUT permit 10
OBR(config-route-map)# match as-path 10
OBR(config-route-map)# set origin igp
OBR(config-route-map)# set as-path prepend 6500 6500 6500
OBR(config-route-map)#
OBR(config-route-map)#route-map ISP-1_OUT permit 10
OBR(config-route-map)# match as-path 10
OBR(config-route-map)# set origin igp
OBR(config-route-map)#
OBR(config)#route-map ISP-2_IN permit 10
OBR(config-route-map)# set local-preference 100
OBR(config-route-map)#route-map ISP-1_IN permit 10
OBR(config-route-map)# set local-preference 200
OBR(config-route-map)#exit
OBR(config)#
OBR(config)#router bgp 6500
OBR(config-router)# no synchronization
OBR(config-router)# no auto-summary
OBR(config-router)# network 57.85.11.2 mask 255.255.255.254
OBR(config-router)# network 72.51.18.0 mask 255.255.255.0
OBR(config-router)# network 93.48.61.2 mask 255.255.255.254
OBR(config-router)# neighbor 57.85.11.2 remote-as 2222
OBR(config-router)# neighbor 57.85.11.2 route-map ISP-2_IN in
OBR(config-router)# neighbor 57.85.11.2 route-map ISP-2_OUT out
OBR(config-router)# neighbor 93.48.61.2 remote-as 1111
OBR(config-router)# neighbor 93.48.61.2 route-map ISP-1_IN in
OBR(config-router)# neighbor 93.48.61.2 route-map ISP-1_OUT out

Okay, this is the meat of the post. First we configure our as-path ACL. It uses the regular expression ^$, which matches an empty AS path. We then create a route map for each neighbor that matches this ACL. The purpose is to prevent AS 6500 from becoming a transit for the two ISPs: the AS path of a route is empty only if that route originated inside AS 6500 (our own network statements), so that is what the router sees when it evaluates the route map on the way out. Anything not matching the regex (routes learned from one ISP, whose paths already contain that ISP’s AS) hits the implicit deny at the end of the route map and is not sent in updates to the other ISP. We also set the origin to IGP in these route maps, and in ISP-2_OUT we prepend 6500 three times so that ISP-2 sees a longer path through us than through ISP-1. We then apply the route maps in the OUT direction to both neighbors.

After that we configure two more route maps that set Local Preference to 200 for ISP-1 and 100 for ISP-2 (with local preference, higher is better). This makes the link through ISP-1 the primary for outgoing traffic; ISP-2 is only used if the primary link is down. Finally we apply these route maps in the IN direction on the respective neighbors.
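To make the outbound and inbound policy above concrete, here is an added Python model (not part of the original post or of any Cisco tool) that applies the ^$ as-path filter, the prepend and the two local-preference values to a constructed BGP table, and includes a check that would flag the transit leak the filter is there to prevent. The neighbor addresses and prefixes are the lab’s; the table contents, the eBGP prepend-own-AS step and the leak check are assumptions of this example.

```python
import re

LOCAL_AS = 6500
ISP1, ISP2 = "93.48.61.2", "57.85.11.2"       # eBGP neighbor addresses from the lab
LOCAL_PREF = {ISP1: 200, ISP2: 100}            # route-maps ISP-1_IN / ISP-2_IN
PREPEND = {ISP1: (), ISP2: (LOCAL_AS,) * 3}    # route-maps ISP-1_OUT / ISP-2_OUT
AS_PATH_ACL_10 = re.compile(r"^$")             # ip as-path access-list 10 permit ^$

def learned(prefix, neighbor, path):
    """Inbound policy: tag a route from an ISP with that neighbor's local-preference."""
    return {"prefix": prefix, "next_hop": neighbor, "path": path, "lp": LOCAL_PREF[neighbor]}

def originated(prefix):
    """Route injected by a 'network' statement: empty AS path, default LP 100."""
    return {"prefix": prefix, "next_hop": "0.0.0.0", "path": (), "lp": 100}

def best_paths(rib):
    """Best path per prefix using only the local-preference step (higher wins)."""
    best = {}
    for r in rib:
        if r["prefix"] not in best or r["lp"] > best[r["prefix"]]["lp"]:
            best[r["prefix"]] = r
    return best

def advertise(neighbor, rib, acl=AS_PATH_ACL_10):
    """Outbound policy: only paths matching the as-path ACL pass (implicit deny otherwise),
    then the route-map prepend is added, then our own AS as any eBGP update does.
    acl=None models a router with no outbound filter at all."""
    out = {}
    for r in best_paths(rib).values():
        if acl is None or acl.match(" ".join(map(str, r["path"]))):
            out[r["prefix"]] = PREPEND[neighbor] + (LOCAL_AS,) + r["path"]
    return out

def transit_leaks(advertised):
    """Defender check: an advertised path containing a foreign AS means we act as transit."""
    return {p: path for p, path in advertised.items() if set(path) != {LOCAL_AS}}

# Constructed table mirroring the lab's 'show ip bgp' output.
RIB = [
    originated("72.51.18.0/24"), originated("57.85.11.2/31"), originated("93.48.61.2/31"),
    learned("5.5.5.5/32", ISP2, (2222, 7777)), learned("5.5.5.5/32", ISP1, (1111, 7777)),
    learned("32.32.32.0/24", ISP2, (2222, 7777)), learned("32.32.32.0/24", ISP1, (1111, 7777)),
]

if __name__ == "__main__":
    print("best next hops:", {p: r["next_hop"] for p, r in best_paths(RIB).items()})
    print("sent to ISP-2:", advertise(ISP2, RIB))
    print("leaks with filter:", transit_leaks(advertise(ISP2, RIB)))
    print("leaks without filter:", transit_leaks(advertise(ISP2, RIB, acl=None)))
```

Running it shows ISP-2 receiving only the three locally originated prefixes with the path 6500 6500 6500 6500, matching the ISP-2 output later in the post, while removing the ACL leaks ISP-1’s routes to ISP-2.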

Last we will configure NAT:

OBR(config)#ip access-list extended NAT
OBR(config-ext-nacl)# permit ip 192.168.20.0 0.0.0.255 any
OBR(config-ext-nacl)#route-map ISP-1_NAT permit 10
OBR(config-ext-nacl)#
OBR(config-route-map)# match ip address NAT
OBR(config-route-map)# match interface Serial0/1
OBR(config-route-map)#
OBR(config-route-map)#route-map ISP-2_NAT permit 10
OBR(config-route-map)# match ip address NAT
OBR(config-route-map)# match interface Serial0/0
OBR(config-route-map)#exit
OBR(config)#
OBR(config)#ip nat inside source route-map ISP-1_NAT interface Serial0/1 overload
OBR(config)#ip nat inside source route-map ISP-2_NAT interface Serial0/0 overload

This is a dual NAT configuration. We use an ACL to match the traffic we want to NAT (the LAN behind the IBR). Then we configure one route map per ISP that matches the NAT ACL and that ISP’s exit interface. Last, we configure our NAT statements to use the route maps and PAT (overload) on the respective outside interface, so a flow is translated to the address of whichever serial link it actually leaves on.

Now we test:

ISP-1#sh ip bgp neighbors 93.48.61.3 routes
...
   Network          Next Hop            Metric LocPrf Weight Path
*> 57.85.11.2/31    93.48.61.3               0             0 6500 i
*> 72.51.18.0/24    93.48.61.3               0             0 6500 i
*  93.48.61.2/31    93.48.61.3               0             0 6500 i
Total number of prefixes 3

ISP-2#sh ip bgp | sec 6500
*  57.85.11.2/31    57.85.11.3               0             0 6500 6500 6500 6500 i
*> 72.51.18.0/24    68.33.42.3                             0 7777 1111 6500 i
*                   57.85.11.3               0             0 6500 6500 6500 6500 i
*                   57.85.11.3               0             0 6500 6500 6500 6500 i

We see that only routes originating in AS 6500 are being advertised and that our prepending to ISP-2 is working as intended: ISP-2 prefers the shorter path through ISP-1 (7777 1111 6500) to reach our DMZ network over the directly connected but prepended path (6500 6500 6500 6500).

Let’s verify that AS 6500 is using the path through ISP-1 to access external routes:

OBR#sh ip bgp
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
   Network          Next Hop            Metric LocPrf Weight Path
*  5.5.5.5/32       57.85.11.2                    100      0 2222 7777 ?
*>                  93.48.61.2                    200      0 1111 7777 ?
*  25.14.76.2/31    57.85.11.2                    100      0 2222 7777 i
*>                  93.48.61.2                    200      0 1111 i
*  32.32.32.0/24    57.85.11.2                    100      0 2222 7777 ?
*>                  93.48.61.2                    200      0 1111 7777 ?
*  43.43.43.0/24    57.85.11.2                    100      0 2222 7777 ?
*>                  93.48.61.2                    200      0 1111 7777 ?
...

ISP-1 is the best path for all of our external routes, since its LP is 200.

Finally we’ll test NAT:

IBR#sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            72.51.18.2      YES NVRAM  up                    up
Loopback20                 192.168.20.1    YES NVRAM  up                    up
IBR#ping 65.65.65.1 source lo20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 65.65.65.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/20 ms

OBR#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 93.48.61.3:12     192.168.20.1:12    65.65.65.1:12      65.65.65.1:12

NAT is working too! We can successfully ping one of the “internet” devices, and we can see the translation on the OBR using the ISP-1 outside address (93.48.61.3), which confirms the ISP-1_NAT route map was used.

That’s all for this one. Hopefully it was helpful to some. Post any questions in the comments.

Files

Initial configs
Final configs
.net file
