Posted in Cisco Networking, Technical
By Vito_Corleone on April 29th, 2010 | Tags: BGP, Cisco, Dynamips, GNS3, Tutorial
Today we’ll go over a dual-homed enterprise BGP deployment. We have an enterprise in AS 6500 connected to two ISPs: ISP-1 in AS 1111 and ISP-2 in AS 2222. We also have a router in the cloud simulating the internet (injecting loopbacks), routers in our DMZ simulating servers, and a loopback on the IBR simulating a LAN. In this post we will only go over the configuration for AS 6500 (otherwise it would run far too long), but I’m including the initial configs for the other devices as well as the final configs for all devices. I’m using 3725s here, but nearly any router in Dynamips should be sufficient.
Here’s the topology:

Here are the tasks:
1. Configure the Outside Border Router in AS 6500. Peer with ISP-1 and ISP-2. Ensure that the DMZ subnet is advertised to the internet.
2. Prevent AS 6500 from being used as a transit between ASes 1111 and 2222.
3. The link through ISP-1 is much faster than the link through ISP-2. Configure outgoing traffic to use ISP-1 as the primary, and only use the link through ISP-2 if the primary link is down.
4. Configure incoming traffic to use the link through ISP-1 as the primary.
5. Ensure that NAT is set up to use both ISPs.
First we’ll configure the OBR (Outside Border Router):
Router(config)#hostname OBR
OBR(config)#interface FastEthernet0/0
OBR(config-if)# ip address 72.51.18.1 255.255.255.0
OBR(config-if)# ip nat inside
OBR(config-if)# ip virtual-reassembly
OBR(config-if)# duplex auto
OBR(config-if)# speed auto
OBR(config-if)#
OBR(config-if)#interface Serial0/0
OBR(config-if)# ip address 57.85.11.3 255.255.255.254
OBR(config-if)# ip nat outside
OBR(config-if)# ip virtual-reassembly
OBR(config-if)# clock rate 2000000
OBR(config-if)#
OBR(config-if)#interface Serial0/1
OBR(config-if)# ip address 93.48.61.3 255.255.255.254
OBR(config-if)# ip nat outside
OBR(config-if)# ip virtual-reassembly
OBR(config-if)# clock rate 2000000
OBR(config-if)#
OBR(config-if)#router ospf 6500
OBR(config-router)# log-adjacency-changes
OBR(config-router)# network 72.51.18.0 0.0.0.255 area 0
OBR(config-router)# default-information originate always
Basic stuff here: hostname, IPs, NAT inside/outside statements and OSPF. We’re running OSPF on our DMZ link and originating a default route with the “always” keyword, which means the default is originated even when the OBR has no default route of its own in the table. The default is sent to the IBR. The IBR only needs a default, as the only way out of the network is through the OBR.
Next we’ll go through the BGP config on the OBR:
OBR(config)#ip as-path access-list 10 permit ^$
OBR(config)#
OBR(config-route-map)#route-map ISP-2_OUT permit 10
OBR(config-route-map)# match as-path 10
OBR(config-route-map)# set origin igp
OBR(config-route-map)# set as-path prepend 6500 6500 6500
OBR(config-route-map)#
OBR(config-route-map)#route-map ISP-1_OUT permit 10
OBR(config-route-map)# match as-path 10
OBR(config-route-map)# set origin igp
OBR(config-route-map)#
OBR(config)#route-map ISP-2_IN permit 10
OBR(config-route-map)# set local-preference 100
OBR(config-route-map)#route-map ISP-1_IN permit 10
OBR(config-route-map)# set local-preference 200
OBR(config-route-map)#exit
OBR(config)#
OBR(config)#router bgp 6500
OBR(config-router)# no synchronization
OBR(config-router)# no auto-summary
OBR(config-router)# network 57.85.11.2 mask 255.255.255.254
OBR(config-router)# network 72.51.18.0 mask 255.255.255.0
OBR(config-router)# network 93.48.61.2 mask 255.255.255.254
OBR(config-router)# neighbor 57.85.11.2 remote-as 2222
OBR(config-router)# neighbor 57.85.11.2 route-map ISP-2_IN in
OBR(config-router)# neighbor 57.85.11.2 route-map ISP-2_OUT out
OBR(config-router)# neighbor 93.48.61.2 remote-as 1111
OBR(config-router)# neighbor 93.48.61.2 route-map ISP-1_IN in
OBR(config-router)# neighbor 93.48.61.2 route-map ISP-1_OUT out
Okay, this is the meat of the post. First we configure our as-path access list, which uses a regular expression, ^$, that matches an empty AS path. We then create a route map for each neighbor that matches this list. The purpose is to prevent AS 6500 from becoming a transit between the two ISPs. The AS path is empty only for routes the router originated itself: the router prepends its own AS as the update leaves for an eBGP neighbor, after the outbound route map has been evaluated, so this regex matches exactly the routes that belong to AS 6500. Anything that does not match (routes that originated outside AS 6500) hits the implicit deny and is not sent in updates. We also set the origin to IGP in these route maps, and in the ISP-2 route map we prepend 6500 three extra times so that the path through ISP-2 looks longer to the rest of the internet. We then apply the route maps in the OUT direction to both of our neighbors. After that we configure two more route maps that set local preference to 200 for ISP-1 and 100 for ISP-2; since a higher local preference is preferred, this makes the link through ISP-1 the primary, and ISP-2 is only used when the primary link is down. Finally we apply those route maps IN from our neighbors.
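To make the outbound filter, the prepend and the local-preference choice concrete, here is an added Python model of how IOS evaluates them; it is illustration written for this post, not code from the original article or from any Cisco tool. The BGP table it works on is constructed from the prefixes and neighbors shown above, and the "Path" class, "advertise" and "best_path" names are ours.

```python
import re
from dataclasses import dataclass

LOCAL_AS = 6500

@dataclass
class Path:
    prefix: str
    as_path: list           # AS_PATH as held in the local BGP table ([] = originated here)
    local_pref: int = 100   # IOS default, the value the ISP-2_IN route-map sets
    next_hop: str = ""

# Constructed BGP table for the OBR: the three prefixes from the "network"
# statements, plus 5.5.5.5/32 as learned from both ISPs after the *_IN route-maps.
OBR_TABLE = [
    Path("57.85.11.2/31", []),
    Path("72.51.18.0/24", []),
    Path("93.48.61.2/31", []),
    Path("5.5.5.5/32", [2222, 7777], 100, "57.85.11.2"),   # via ISP-2, LP 100
    Path("5.5.5.5/32", [1111, 7777], 200, "93.48.61.2"),   # via ISP-1, LP 200
]

# "ip as-path access-list 10 permit ^$": IOS matches the regex against the
# AS_PATH rendered as a space-separated string, so ^$ matches only routes
# whose path is still empty, i.e. routes originated in our own AS.
AS_PATH_ACL_10 = re.compile(r"^$")

def advertise(table, prepend=()):
    """Model the ISP-1_OUT / ISP-2_OUT route-maps: evaluate the as-path match on
    the pre-prepend path, drop non-matches (implicit deny), then build the
    AS_PATH the eBGP neighbor receives.  Returns {prefix: AS_PATH}."""
    announced = {}
    for p in table:
        if not AS_PATH_ACL_10.search(" ".join(map(str, p.as_path))):
            continue    # learned from an ISP: never re-advertised, so no transit
        # Our own AS is prepended on every eBGP update; "set as-path prepend"
        # adds the configured copies as well.  All are 6500 here, so order is moot.
        announced[p.prefix] = [LOCAL_AS] + list(prepend) + p.as_path
    return announced

def best_path(paths):
    """The two best-path steps that decide here: highest LOCAL_PREF, then
    shortest AS_PATH (weight is 0 for every path shown on the page)."""
    return max(paths, key=lambda p: (p.local_pref, -len(p.as_path)))

if __name__ == "__main__":
    print("to ISP-2:", advertise(OBR_TABLE, prepend=(6500, 6500, 6500)))  # 6500 x4
    print("to ISP-1:", advertise(OBR_TABLE))                               # 6500 x1
    ext = [p for p in OBR_TABLE if p.prefix == "5.5.5.5/32"]
    print("best path to 5.5.5.5/32 via", best_path(ext).next_hop)        # 93.48.61.2
```

Swapping the two local-preference values in OBR_TABLE flips the chosen next hop to 57.85.11.2, which is the failover behaviour task 3 asks for.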
Last we will configure NAT:
OBR(config)#ip access-list extended NAT
OBR(config-ext-nacl)# permit ip 192.168.20.0 0.0.0.255 any
OBR(config-ext-nacl)#route-map ISP-1_NAT permit 10
OBR(config-ext-nacl)#
OBR(config-route-map)# match ip address NAT
OBR(config-route-map)# match interface Serial0/1
OBR(config-route-map)#
OBR(config-route-map)#route-map ISP-2_NAT permit 10
OBR(config-route-map)# match ip address NAT
OBR(config-route-map)# match interface Serial0/0
OBR(config-route-map)#exit
OBR(config)#
OBR(config)#ip nat inside source route-map ISP-1_NAT interface Serial0/1 overload
OBR(config)#ip nat inside source route-map ISP-2_NAT interface Serial0/0 overload
This is a dual NAT configuration. We use an ACL to match the traffic we want to NAT (the LAN behind the IBR, 192.168.20.0/24). Then we configure one route map per ISP that matches both the NAT ACL and the exit interface, so each packet is translated to the address of whichever serial interface it actually leaves through. Last, we configure our NAT statements to use the route maps with interface overload (PAT).
Now we test:
ISP-1#sh ip bgp neighbors 93.48.61.3 routes
...
   Network          Next Hop            Metric LocPrf Weight Path
*> 57.85.11.2/31    93.48.61.3               0             0 6500 i
*> 72.51.18.0/24    93.48.61.3               0             0 6500 i
*  93.48.61.2/31    93.48.61.3               0             0 6500 i

Total number of prefixes 3

ISP-2#sh ip bgp | sec 6500
*  57.85.11.2/31    57.85.11.3               0             0 6500 6500 6500 6500 i
*> 72.51.18.0/24    68.33.42.3                             0 7777 1111 6500 i
*                   57.85.11.3               0             0 6500 6500 6500 6500 i
*                   57.85.11.3               0             0 6500 6500 6500 6500 i
We see that only routes originating in AS 6500 are being advertised, and that our prepending to ISP-2 is working as intended: ISP-2 prefers the path through ISP-1 (7777 1111 6500) over its direct, prepended path to reach our DMZ network.
Let’s verify that AS 6500 is using the path through ISP-1 to access external routes:
OBR#sh ip bgp
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
   Network          Next Hop            Metric LocPrf Weight Path
*  5.5.5.5/32       57.85.11.2                    100      0 2222 7777 ?
*>                  93.48.61.2                    200      0 1111 7777 ?
*  25.14.76.2/31    57.85.11.2                    100      0 2222 7777 i
*>                  93.48.61.2                    200      0 1111 i
*  32.32.32.0/24    57.85.11.2                    100      0 2222 7777 ?
*>                  93.48.61.2                    200      0 1111 7777 ?
*  43.43.43.0/24    57.85.11.2                    100      0 2222 7777 ?
*>                  93.48.61.2                    200      0 1111 7777 ?
...
ISP-1 (next hop 93.48.61.2) is the best path for every external prefix; its local preference is 200.
Finally we’ll test NAT:
IBR#sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            72.51.18.2      YES NVRAM  up                    up
Loopback20                 192.168.20.1    YES NVRAM  up                    up

IBR#ping 65.65.65.1 source lo20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 65.65.65.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/20 ms

OBR#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 93.48.61.3:12      192.168.20.1:12    65.65.65.1:12      65.65.65.1:12
NAT is working too! We can successfully ping one of the “internet” devices, and we can see the translation on the OBR. The inside global address 93.48.61.3 is Serial0/1, the ISP-1 link, so the translated traffic took the primary path as intended.
That’s all for this one. Hopefully it was helpful to some. Post any questions in the comments.
Files
Initial configs
Final configs
.net file