MPLS Lab 020 Internet Access via Central Site

Image requirements:
VIRL: IOSv 15.7
EVE-NG: Cisco vIOS Router vios-15.6
GNS3: vios-adventerprisek9-m.vmdk.SPA.156-2.T



Description:
This lab is about cutting the budget spent on secondary ISPs for branch offices. Multiple branch locations will use the CE1-A office's Internet connection to access the Web, with access provided over the existing L3 MPLS VPN service. BGP is used as the PE-CE routing protocol between the CE and PE routers. The CE1-A site must be configured as the next hop for the default routes that direct traffic from the CE1-B and CE1-C locations to the outside world. NAT will be in place at the CE1-A router for the local subnet and the remote subnets of the branch offices.



Topology:






Scenario:
To reduce current expenses on Internet bills, the ISP service contracts for the branch offices have been terminated, and the network engineers are now looking for a way to provide Internet access to the CE1-B and CE1-C sites through the connection that the CE1-A site uses. It has been decided that the CE1-A router's configuration will be modified to allow the two remote locations to share the one existing connection to the Web.



Lab tasks:
1. Identify the local and remote networks that are subject to NAT with a standard ACL.
2. Configure appropriate interfaces for NAT function.
3. Enable NAT in the global router configuration.
4. Verify if the local subnet is able to access the Internet.
5. Configure default route advertisement to the BGP peer.
6. Verify the propagation of the default route to the CE1-B and CE1-C sites, as well as the Internet connectivity.



Lab procedure:


Task1: Configure a standard access control list named NAT that permits three subnets: one local to CE1-A and the two remote subnets of the CE1-B and CE1-C routers.

Step1. Configure ACL:
CE1-A#show ip access-lists
CE1-A#
CE1-A#configure terminal
CE1-A(config)#ip access-list standard NAT
CE1-A(config-std-nacl)#permit 10.155.0.0 0.0.0.255
CE1-A(config-std-nacl)#permit 10.160.0.0 0.0.0.255
CE1-A(config-std-nacl)#permit 10.165.0.0 0.0.0.255
CE1-A(config-std-nacl)#


Step2. Verify configured ACL:
CE1-A#show ip access-lists NAT
Standard IP access list NAT
10 permit 10.155.0.0, wildcard bits 0.0.0.255
20 permit 10.160.0.0, wildcard bits 0.0.0.255
30 permit 10.165.0.0, wildcard bits 0.0.0.255
CE1-A#
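
The ACL above decides which sources CE1-A translates, so it is worth checking exactly what the wildcard masks select. The following is an added example, not part of the original lab: it parses the verified ACL output and evaluates sources first-match with the implicit deny. It handles only the "address, wildcard bits" entry form shown here, and the test addresses other than the three loopbacks are constructed.

```python
import ipaddress

# ACL entries as printed by "show ip access-lists NAT" in Task1 Step2.
ACL_OUTPUT = """\
Standard IP access list NAT
    10 permit 10.155.0.0, wildcard bits 0.0.0.255
    20 permit 10.160.0.0, wildcard bits 0.0.0.255
    30 permit 10.165.0.0, wildcard bits 0.0.0.255
"""

def parse_standard_acl(text):
    """Return [(seq, action, base_int, wildcard_int)] from IOS standard ACL output."""
    entries = []
    for line in text.splitlines():
        parts = line.replace(",", "").split()
        # Expected shape: <seq> permit|deny <address> wildcard bits <mask>
        if len(parts) == 6 and parts[0].isdigit() and parts[3:5] == ["wildcard", "bits"]:
            base = int(ipaddress.IPv4Address(parts[2]))
            wild = int(ipaddress.IPv4Address(parts[5]))
            entries.append((int(parts[0]), parts[1], base, wild))
    return entries

def acl_decision(entries, source):
    """First-match evaluation; a standard ACL ends with an implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for seq, action, base, wild in entries:
        care = ~wild & 0xFFFFFFFF  # wildcard bit 1 = ignore, 0 = must match
        if src & care == base & care:
            return action, seq
    return "deny", None

def nat_eligible(entries, source):
    """True when the NAT list would select this source for translation."""
    return acl_decision(entries, source)[0] == "permit"

if __name__ == "__main__":
    acl = parse_standard_acl(ACL_OUTPUT)
    # The three loopbacks from the lab, then two addresses on the 10.150.0.x PE-CE links.
    for ip in ("10.155.0.1", "10.160.0.1", "10.165.0.1", "10.150.0.1", "10.150.0.9"):
        print(ip, acl_decision(acl, ip))
```

Addresses on the 10.150.0.x PE-CE links fall through to the implicit deny and are not translated, which is why the connectivity tests in this lab are sourced from lo0.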



Task2: Configure the NAT inside and outside interfaces.

Step1. Identify interfaces:
CE1-A#show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.255.2.212 YES NVRAM administratively down down
GigabitEthernet0/1 10.150.0.1 YES NVRAM up up
GigabitEthernet0/2 50.0.0.2 YES NVRAM up up
GigabitEthernet0/3 unassigned YES NVRAM administratively down down
Loopback0 10.155.0.1 YES NVRAM up up
CE1-A#


Step2. Configure NAT interfaces:
CE1-A(config)#interface g0/2
CE1-A(config-if)#ip nat outside
CE1-A(config-if)#exit
!
CE1-A(config)#interface g0/1
CE1-A(config-if)#ip nat inside
CE1-A(config-if)#exit
!
CE1-A(config)#interface lo0
CE1-A(config-if)#ip nat inside
CE1-A(config-if)#end



Task3: Configure NAT statement.
CE1-A(config)#ip nat inside source list NAT interface g0/2 overload



Task4: Confirm Internet access from the local subnet.
CE1-A#ping 8.8.8.8 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.155.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/7 ms
CE1-A#

CE1-A#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 50.0.0.2:0 10.155.0.1:0 8.8.8.8:0 8.8.8.8:0
CE1-A#



Task5: Advertise the default route to the routers CE1-B and CE1-C.

Step1. Verify the BGP table on the nodes CE1-C and CE1-B:
CE1-C#show ip bgp
BGP table version is 7, local router ID is 10.165.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.150.0.0/30 10.150.0.10 0 64500 65000 i
*> 10.150.0.4/30 10.150.0.10 0 64500 65002 i
*> 10.150.0.8/30 0.0.0.0 0 32768 i
*> 10.155.0.0/24 10.150.0.10 0 64500 65000 i
*> 10.160.0.0/24 10.150.0.10 0 64500 65002 i
*> 10.165.0.0/24 0.0.0.0 0 32768 i
CE1-C#

CE1-B#show ip bgp
BGP table version is 7, local router ID is 10.160.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.150.0.0/30 10.150.0.6 0 64500 65000 i
*> 10.150.0.4/30 0.0.0.0 0 32768 i
*> 10.150.0.8/30 10.150.0.6 0 64500 65001 i
*> 10.155.0.0/24 10.150.0.6 0 64500 65000 i
*> 10.160.0.0/24 0.0.0.0 0 32768 i
*> 10.165.0.0/24 10.150.0.6 0 64500 65001 i
CE1-B#
Both outputs show that the quad-zero route is not present in the BGP tables. Additionally, if you are working in a production environment, you should check the IP routing table as well, to make sure that other sources of routing information have not installed default routes into the routing tables.


Step2. Configure CE1-A router to propagate default route using BGP neighbor command:
CE1-A#show ip bgp summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.150.0.2 4 64500 74 72 8 0 0 01:02:01 5
CE1-A#
The current neighbor is 10.150.0.2.
CE1-A(config)#router bgp 65000
CE1-A(config-router)#neighbor 10.150.0.2 default-originate
CE1-A(config-router)#end
CE1-A#
To expedite the change made to the neighbor, use the clear ip bgp soft command:
CE1-A#clear ip bgp 10.150.0.2 soft 

Then, verify the local BGP table for the presence of the default route, the next-hop should be "0.0.0.0", indicating that CE1-A router is the originator of the route and it is advertising the route to its BGP peer. 
CE1-A#show bgp ipv4 unicast
Network Next Hop Metric LocPrf Weight Path
0.0.0.0 0.0.0.0 0 i
*> 10.150.0.0/30 0.0.0.0 0 32768 i
*> 10.150.0.4/30 10.150.0.2 0 64500 65002 i
*> 10.150.0.8/30 10.150.0.2 0 64500 65001 i
*> 10.155.0.0/24 0.0.0.0 0 32768 i
*> 10.160.0.0/24 10.150.0.2 0 64500 65002 i
*> 10.165.0.0/24 10.150.0.2 0 64500 65001 i
CE1-A#



Task 6: Back on the routers CE1-C and CE1-B, confirm the propagation of the default route from CE1-A and then verify Internet connectivity.

Step1. Verify the default route:
CE1-C#show ip bgp
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 10.150.0.10 0 64500 65000 i
*> 10.150.0.0/30 10.150.0.10 0 64500 65000 i
*> 10.150.0.4/30 10.150.0.10 0 64500 65002 i
*> 10.150.0.8/30 0.0.0.0 0 32768 i
*> 10.155.0.0/24 10.150.0.10 0 64500 65000 i
*> 10.160.0.0/24 10.150.0.10 0 64500 65002 i
*> 10.165.0.0/24 0.0.0.0 0 32768 i
CE1-C#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "bgp 65001", distance 20, metric 0, candidate default path
Tag 64500, type external
Last update from 10.150.0.10 00:09:54 ago
Routing Descriptor Blocks:
* 10.150.0.10, from 10.150.0.10, 00:09:54 ago
Route metric is 0, traffic share count is 1
AS Hops 2
Route tag 64500
MPLS label: none

CE1-B#show ip bgp
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 10.150.0.6 0 64500 65000 i
*> 10.150.0.0/30 10.150.0.6 0 64500 65000 i
*> 10.150.0.4/30 0.0.0.0 0 32768 i
*> 10.150.0.8/30 10.150.0.6 0 64500 65001 i
*> 10.155.0.0/24 10.150.0.6 0 64500 65000 i
*> 10.160.0.0/24 0.0.0.0 0 32768 i
*> 10.165.0.0/24 10.150.0.6 0 64500 65001 i
CE1-B#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "bgp 65002", distance 20, metric 0, candidate default path
Tag 64500, type external
Last update from 10.150.0.6 00:10:57 ago
Routing Descriptor Blocks:
* 10.150.0.6, from 10.150.0.6, 00:10:57 ago
Route metric is 0, traffic share count is 1
AS Hops 2
Route tag 64500
MPLS label: none
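
The routing-table check recommended in Task5 (make sure no other source has installed a default route) can be automated against the "show ip route 0.0.0.0" output above. The following is an added example, not part of the original lab: it confirms that the default is learned via the site's own BGP process, from the PE next hop, with the provider's route tag. The function names are hypothetical and the static-route sample is constructed.

```python
import re

# "show ip route 0.0.0.0" on CE1-C as captured in Task 6 (indentation reconstructed).
CE1_C_ROUTE = """\
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 65001", distance 20, metric 0, candidate default path
  Tag 64500, type external
  Last update from 10.150.0.10 00:09:54 ago
  Routing Descriptor Blocks:
  * 10.150.0.10, from 10.150.0.10, 00:09:54 ago
      Route metric is 0, traffic share count is 1
      AS Hops 2
      Route tag 64500
      MPLS label: none
"""

# Constructed counter-example: a leftover static default towards a local gateway.
STATIC_ROUTE = """\
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0, candidate default path
  Routing Descriptor Blocks:
  * 192.0.2.1
      Route metric is 0, traffic share count is 1
"""

def parse_default_route(text):
    """Pull source protocol, next hops and route tag out of the route detail."""
    known = re.search(r'Known via "([^"]+)"', text)
    if not known:
        return None  # e.g. "% Network not in table"
    tag = re.search(r"Route tag (\d+)", text)
    return {
        "source": known.group(1),
        "next_hops": re.findall(r"^\s*\*\s+(\d+\.\d+\.\d+\.\d+)", text, re.M),
        "tag": int(tag.group(1)) if tag else None,
    }

def audit_default_route(text, local_as, pe_next_hop, provider_as):
    """Return findings; an empty list means the default matches the lab design."""
    route = parse_default_route(text)
    if route is None:
        return ["no default route installed"]
    findings = []
    if route["source"] != f"bgp {local_as}":
        findings.append(f"learned via {route['source']}, expected bgp {local_as}")
    if route["next_hops"] != [pe_next_hop]:
        findings.append(f"next hop {route['next_hops']}, expected {pe_next_hop}")
    if route["tag"] != provider_as:
        findings.append(f"route tag {route['tag']}, expected {provider_as}")
    return findings
```

For CE1-C the expected values are local AS 65001, next hop 10.150.0.10 and provider AS 64500; for CE1-B they are 65002, 10.150.0.6 and 64500.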


Step2: Verify Internet connectivity:
CE1-C#ping 8.8.8.8 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.165.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/7/8 ms
CE1-C#
CE1-B#ping 8.8.8.8 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.160.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/11 ms
CE1-B#
The pings from both CE1-C and CE1-B show that the connection to the Internet is available and working properly.



Summary:
This lab demonstrates that one of the CE sites can serve as the Internet access point for other CE locations. This configuration is ideal when the central office of the company needs to control Internet access for the branch offices. Additionally, if a backup connection is not desired, it also simplifies the troubleshooting process and reduces the cost of operation.
