MPLS Lab 018 Internet Access CE sites Connect to The Secondary ISP

Image requirements:
VIRL: IOSv 15.7
EVE-NG: Cisco vIOS Router vios-15.6
GNS3: vios-adventerprisek9-m.vmdk.SPA.156-2.T



Description:
Until now, all labs were about how to build the MPLS core network and connect customers' offices over the MPLS infrastructure. Now you are going to learn how to enable Internet access on the CE routers. In this particular lab, you will configure three CE locations to have access to the Internet via the secondary ISP. Each of the customer sites will have its own independent Internet access: all traffic destined for outside networks will be routed to the "ISP-Internet-Access", while internal communications will occur over the L3 MPLS VPN service.



Topology:







Scenario:
All three CE locations have been connected to the MPLS network and have access to each other's LAN networks, but unfortunately the MPLS ISP does not provide access to the Internet at this moment. The secondary connections to another ISP have been installed and configured, and the CE routers are able to ping the IP addresses on the opposite side of the links. This is where the configuration ends: you need to put in place proper routing and network address translation settings to allow the CE routers' LAN subnets to access the Internet.



Lab tasks:
1. Verify the connectivity between CE routers and the secondary ISP.
2. Configure a default static route to direct the traffic destined for outside networks towards the ISP-Internet-Access.
3. Identify the local subnets that will be translated.
4. Enable interfaces for NAT operation.
5. Configure NAT overload in the global configuration mode.
6. Verify if LAN hosts of all CE routers are able to ping 8.8.8.8.
7. Confirm if LAN-to-LAN communication still occurs through the MPLS network.



Lab procedure:

Task1: Ping the IP addresses of the secondary ISP from all CE routers.
CE1-A#ping 50.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 50.0.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/2/4 ms
CE1-A#
CE1-C#ping 50.0.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 50.0.0.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/2/3 ms
CE1-C#
CE1-B#ping 50.0.0.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 50.0.0.9, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/3 ms
CE1-B#



Task2: Configure the default route using the next-hop address of the secondary ISP.
Configuring all three CE routers:
CE1-A(config)#ip route 0.0.0.0 0.0.0.0 50.0.0.1
CE1-C(config)#ip route 0.0.0.0 0.0.0.0 50.0.0.5
CE1-B(config)#ip route 0.0.0.0 0.0.0.0 50.0.0.9

Verifying Internet access from CE routers:
CE1-A#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms
CE1-C#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/2 ms
CE1-B#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/2 ms
Each of the CE routers is able to ping an IP address on the Internet.



Task3: Configure a standard access control list to identify the local subnets which will be subject to network translation.
Configuring all three CE routers:
CE1-A#show ip route connected
Gateway of last resort is 50.0.0.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C 10.150.0.0/30 is directly connected, GigabitEthernet0/1
L 10.150.0.1/32 is directly connected, GigabitEthernet0/1
C 10.155.0.0/24 is directly connected, Loopback0
L 10.155.0.1/32 is directly connected, Loopback0
50.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 50.0.0.0/30 is directly connected, GigabitEthernet0/2
L 50.0.0.2/32 is directly connected, GigabitEthernet0/2
CE1-A(config)#ip access-list standard NAT
CE1-A(config-std-nacl)#permit 10.155.0.0 0.0.0.255
CE1-C(config)#ip access-list standard NAT
CE1-C(config-std-nacl)#permit 10.165.0.0 0.0.0.255
CE1-B(config)#ip access-list standard NAT
CE1-B(config-std-nacl)#permit 10.160.0.0 0.0.0.255



Task4: Enable the interfaces to perform NAT.
Configuring all three CE routers:
CE1-A(config)#interface lo0
CE1-A(config-if)#ip nat inside
CE1-A(config-if)#int g0/2
CE1-A(config-if)#ip nat outside
CE1-C(config)#int lo0
CE1-C(config-if)#ip nat inside
CE1-C(config-if)#int g0/2
CE1-C(config-if)#ip nat outside
CE1-B(config)#interface lo0
CE1-B(config-if)#ip nat inside
CE1-B(config-if)#int g0/2
CE1-B(config-if)#ip nat outside



Task5: Configure NAT overload.
Configuring all three CE routers:
CE1-A(config)#ip nat inside source list NAT interface g0/2 overload
CE1-C(config)#ip nat inside source list NAT interface g0/2 overload
CE1-B(config)#ip nat inside source list NAT interface g0/2 overload

Verify NAT configuration:
CE1-A#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0
Outside interfaces:
GigabitEthernet0/2
Inside interfaces:
Loopback0
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NAT interface GigabitEthernet0/2 refcount 0
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0




Task6: Ping an IP address on the Internet from the LAN network.
CE1-A#ping 8.8.8.8 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.155.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms
CE1-C#ping 8.8.8.8 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.165.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/6 ms
CE1-B#ping 8.8.8.8 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.160.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/7 ms

Confirm that translation occurs by looking at the network translation table:
CE1-A#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 50.0.0.2:2 10.155.0.1:2 8.8.8.8:2 8.8.8.8:2



Task7: Verify LAN-to-LAN communication over the MPLS network
CE1-A#traceroute 10.160.0.1 source lo0
Type escape sequence to abort.
Tracing the route to 10.160.0.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.150.0.2 3 msec 2 msec 4 msec
2 10.0.1.5 [MPLS: Labels 115/1420 Exp 0] 8 msec 6 msec 6 msec
3 10.0.0.10 [MPLS: Labels 415/1420 Exp 0] 6 msec 6 msec 5 msec
4 10.150.0.6 [AS 65002] [MPLS: Label 1420 Exp 0] 5 msec 5 msec 6 msec
5 10.150.0.5 [AS 65002] 6 msec * 7 msec
CE1-A#
CE1-A#traceroute 10.165.0.1 source lo0
Type escape sequence to abort.
Tracing the route to 10.165.0.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.150.0.2 2 msec 2 msec 2 msec
2 10.0.3.5 [MPLS: Labels 314/1320 Exp 0] 3 msec 4 msec 5 msec
3 10.150.0.10 [AS 65001] [MPLS: Label 1320 Exp 0] 4 msec 4 msec 5 msec
4 10.150.0.9 [AS 65001] 4 msec * 6 msec
CE1-A#
As you can see the implementation of Internet Access did not affect L3 MPLS VPN connectivity between CE nodes.
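
The forwarding and translation decision that Tasks 2 to 7 rely on, modelled for CE1-A as an added Python example (not part of the original lab or of IOS itself): longest-prefix match picks the egress interface, and NAT overload applies only when a packet permitted by the NAT access list crosses from an inside to an outside interface. The two remote-LAN routes are assumptions (/24 prefixes via the PE at 10.150.0.2, consistent with the first traceroute hop), and the function names are hypothetical.

```python
import ipaddress

# CE1-A routing table, modelled from the lab output. The two remote-LAN
# entries are assumptions: /24 prefixes reached via the PE at 10.150.0.2,
# matching the first traceroute hop in Task7.
ROUTES = [
    ("0.0.0.0/0",     "GigabitEthernet0/2", "50.0.0.1"),    # Task2 default route
    ("10.150.0.0/30", "GigabitEthernet0/1", None),          # connected, PE link
    ("10.155.0.0/24", "Loopback0",          None),          # connected, local LAN
    ("50.0.0.0/30",   "GigabitEthernet0/2", None),          # connected, ISP link
    ("10.160.0.0/24", "GigabitEthernet0/1", "10.150.0.2"),  # assumed VPN route
    ("10.165.0.0/24", "GigabitEthernet0/1", "10.150.0.2"),  # assumed VPN route
]
NAT_ACL = [("10.155.0.0", "0.0.0.255")]    # Task3: permit 10.155.0.0 0.0.0.255
NAT_INSIDE = {"Loopback0"}                 # Task4: ip nat inside
NAT_OUTSIDE = {"GigabitEthernet0/2"}       # Task4: ip nat outside
OUTSIDE_ADDR = "50.0.0.2"                  # G0/2 address used by overload

def lookup(dst):
    """Longest-prefix match: return (egress interface, next hop)."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), i, n) for p, i, n in ROUTES
               if addr in ipaddress.ip_network(p)]
    _, iface, nh = max(matches, key=lambda m: m[0].prefixlen)
    return iface, nh

def acl_permits(src):
    """Standard ACL match: bits set in the wildcard mask are ignored."""
    s = int(ipaddress.ip_address(src))
    for base, wildcard in NAT_ACL:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if s & care == int(ipaddress.ip_address(base)) & care:
            return True
    return False  # implicit deny at the end of every ACL

def forward(src, in_iface, dst):
    """Return (egress interface, source address as seen on the wire)."""
    out_iface, _ = lookup(dst)
    translate = (in_iface in NAT_INSIDE and out_iface in NAT_OUTSIDE
                 and acl_permits(src))
    return out_iface, (OUTSIDE_ADDR if translate else src)

if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.160.0.1", "10.165.0.1"):
        print(dst, forward("10.155.0.1", "Loopback0", dst))
```

If the specific VPN routes were withdrawn, the same lookup would fall through to 0.0.0.0/0 and LAN-to-LAN traffic would leave translated via GigabitEthernet0/2, which is why Task7 is worth re-running after any routing change.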



Summary:
This lab showed you how to configure Internet access through the secondary ISP. This is not a scalable solution and in fact is very pricey, since the company has to pay for four Internet bills, but sometimes this is the way to go if you lack IT staff that can support extensive network operation.
