MPLS Lab 021 Internet Access Through Global Routing Table with NAT performed at Remote PE site

Image requirements:
VIRL: IOSv 15.7
EVE-NG: Cisco vIOS Router vios-15.6
GNS3: vios-adventerprisek9-m.vmdk.SPA.156-2.T



Description:
Learn how to provide Internet access for the customer's CE locations with NAT performed at the remote MPLS PE router, which is connected to the ISP via eBGP in the global routing context. In this lab, you will configure multiple devices at the customer and MPLS ISP locations to ensure that both CE sites are able to communicate with the outside world.



Topology:


Download Lab: EVE-NG | GNS3 | VIRL




Scenario:
The entire topology has been configured: the PE1 router in the MPLS cloud is connected to the ISP and has established successful communication with Google's DNS server. MPLS and its supporting protocols, the IS-IS IGP and MP-BGP, have been implemented, and the customer's CE sites' LAN networks exchange data, but one thing is left for the network engineers to accomplish: providing the CE locations with access to the global web. The network support team, which includes managers and designers, has chosen to implement Internet access via the global routing table with NAT translation performed at the remote PE1 router; in this way only one NAT implementation is required for all CE sites. After the new network documentation was approved by the board of engineers, you were selected to lead this project. Follow the tasks below to complete this lab.




Lab tasks:
1. Enable the router PE1 to perform NAT translation:
  a. Configure ACL to identify networks of MPLS Core and customer devices. 
  b. Configure NAT pool using public IPv4 addresses from the reserved range.
  c. Configure inside and outside NAT interfaces.
  d. Configure the NAT statement, using the pool with overload keyword. 
  e. Verify NAT operation from local and remote PE nodes.

2. Advertise the customer's LAN networks to the NAT-performing router PE1:
  a. Configure a static route on each PE router for the CE sites' LAN subnets using both the next-hop address and the exit interface.
  b. Redistribute the static routes into the BGP IPv4 table so that PE1 learns the LAN networks of the CE routers.

3. On each PE router attached to a CE site, configure a static default route under vrf CE1 pointing to the PE1 router's IP address via the global routing context.
4. Via PE-CE routing, advertise the default route to the CE sites.
5. Verify that the CE sites are able to access the Internet.



Lab procedure:

Task 1: Enable the router PE1 to perform NAT translation.

Sub-step a. Configure an ACL to identify the networks of the MPLS core and the customer devices. Use a standard access-control list that includes the subnets of the MPLS core network as well as the customer's LAN subnets:

Configure ACL named NAT on the PE1 router:
PE1(config)#ip access-list standard NAT
PE1(config-std-nacl)#permit 192.168.0.0 0.0.0.255
PE1(config-std-nacl)#permit 10.0.0.0 0.0.0.255
PE1(config-std-nacl)#permit 192.168.10.0 0.0.0.255
PE1(config-std-nacl)#permit 192.168.20.0 0.0.0.255
PE1(config-std-nacl)#end
PE1#

The first two entries identify the subnets of the infrastructure itself (the Loopback0 interfaces and the links between nodes in the topology); the last two are the CE locations' LAN subnets.

Verify ACL:
PE1#show ip access-lists NAT
Standard IP access list NAT
10 permit 192.168.0.0, wildcard bits 0.0.0.255
20 permit 10.0.0.0, wildcard bits 0.0.0.255
30 permit 192.168.10.0, wildcard bits 0.0.0.255
40 permit 192.168.20.0, wildcard bits 0.0.0.255


Sub-step b. Configure the NAT pool using public IPv4 addresses from the reserved range. The public IPv4 range allocated by the regional Internet registry to the MPLS ISP is 75.100.0.0/20; this range holds exactly 16 /24 subnets, and the last /24 subnet is to be used for the NAT pool. If you check PE1's BGP IPv4 table for the global routing context, you will find that it advertises this public IPv4 range to the ISP.
PE1#show bgp ipv4 unicast
BGP table version is 4, local router ID is 192.168.0.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 50.0.0.1 0 500 i
*> 50.0.0.0/16 50.0.0.1 0 0 500 i
*> 75.100.0.0/20 0.0.0.0 0 32768 i

Configure the NAT pool:
PE1(config)#ip nat pool PUBLIC_RANGE 75.100.15.0 75.100.15.254 netmask 255.255.255.0


Sub-step c. Configure inside and outside NAT interfaces.
PE1(config)#interface g0/2
PE1(config-if)#ip nat outside
PE1(config-if)#exit
!
PE1(config)#interface g0/1
PE1(config-if)#ip nat inside
!
PE1(config-if)#int lo0
PE1(config-if)#ip nat inside
PE1(config-if)#end
PE1#


Sub-step d. Configure the NAT statement, using the pool with the overload keyword.
PE1(config)#ip nat inside source list NAT pool PUBLIC_RANGE overload


Sub-step e. Verify NAT operation from local and remote PE nodes.
PE1#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0
Outside interfaces:
GigabitEthernet0/2
Inside interfaces:
GigabitEthernet0/1, Loopback0
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NAT pool PUBLIC_RANGE refcount 0
pool PUBLIC_RANGE: netmask 255.255.255.0
start 75.100.15.0 end 75.100.15.254
type generic, total addresses 255, allocated 0 (0%), misses 0
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
PE1#

PE1#ping 8.8.8.8 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms
PE1#

PE1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 75.100.15.1:0 192.168.0.3:0 8.8.8.8:0 8.8.8.8:0
PE1#

PE2#ping 8.8.8.8 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms
PE2#

PE3#ping 8.8.8.8 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/5 ms
PE3#
Now that successful NAT operation has been confirmed, you can continue with the next task.
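The five sub-steps above can be checked offline before and after the change. The following Python script is an added example, not part of the lab and not Cisco's or the lab author's code: it models ACL NAT, pool PUBLIC_RANGE and the advertised aggregate 75.100.0.0/20 with the values from this task, confirms the pool is the last /24 of the aggregate, and audits a `show ip nat translations` dump so that any translation with an inside local address the ACL does not permit, or an inside global address outside the pool, is reported. The sample dump is constructed: its first data row is the one shown above, the second is an invented anomalous row. It assumes contiguous wildcard masks in the ACL.

```python
import ipaddress
import re

# Values taken from the lab's PE1 configuration (Task 1, sub-steps a and b).
NAT_ACL = [                       # standard ACL "NAT": (network, wildcard)
    ("192.168.0.0", "0.0.0.255"),
    ("10.0.0.0", "0.0.0.255"),
    ("192.168.10.0", "0.0.0.255"),
    ("192.168.20.0", "0.0.0.255"),
]
POOL_START, POOL_END = "75.100.15.0", "75.100.15.254"   # pool PUBLIC_RANGE
ADVERTISED_AGGREGATE = "75.100.0.0/20"                   # announced by PE1 to AS 500

# Constructed sample: the first data row is the one shown in the lab; the
# second is a made-up row whose inside local address is not matched by ACL NAT.
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 75.100.15.1:0     192.168.0.3:0      8.8.8.8:0          8.8.8.8:0
icmp 75.100.15.1:1     172.16.5.9:1       8.8.8.8:1          8.8.8.8:1
"""


def wildcard_to_network(network, wildcard):
    """Turn an IOS 'network wildcard' pair into an ip_network.
    Only contiguous wildcards (0.0.0.255, 0.0.255.255, ...) map to a prefix."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):            # not of the form 2**n - 1
        raise ValueError(f"discontiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{network}/{32 - wc.bit_length()}", strict=False)


def acl_permits(acl, address):
    """Standard ACL semantics: a matching permit wins, implicit deny at the end."""
    addr = ipaddress.ip_address(address)
    return any(addr in wildcard_to_network(n, w) for n, w in acl)


def pool_is_last_slash24(start, end, aggregate):
    """Check the lab's requirement: the pool is the last /24 of the allocated /20,
    which also guarantees the pool lies inside the aggregate PE1 advertises."""
    last = list(ipaddress.ip_network(aggregate).subnets(new_prefix=24))[-1]
    return (ipaddress.ip_address(start) == last.network_address
            and ipaddress.ip_address(end) in last)


# One data row of 'show ip nat translations'; ports are optional, and static
# entries may show '---' in the outside columns.
ROW_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<ig>[\d.]+)(?::\d+)?\s+(?P<il>[\d.]+)(?::\d+)?"
    r"\s+(?P<ol>[\d.]+|---)(?::\d+)?\s+(?P<og>[\d.]+|---)(?::\d+)?\s*$"
)


def parse_translations(text):
    """Return the data rows of a 'show ip nat translations' dump as dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def audit_translations(text, acl=NAT_ACL, start=POOL_START, end=POOL_END):
    """List translations whose inside global address is outside the pool or
    whose inside local address is not permitted by the NAT ACL."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    problems = []
    for row in parse_translations(text):
        ig = ipaddress.ip_address(row["ig"])
        if not lo <= ig <= hi:
            problems.append(f"{row['il']}: inside global {ig} is not from the pool")
        if not acl_permits(acl, row["il"]):
            problems.append(f"{row['il']}: inside local address not permitted by ACL NAT")
    return problems


if __name__ == "__main__":
    print("pool is last /24 of aggregate:",
          pool_is_last_slash24(POOL_START, POOL_END, ADVERTISED_AGGREGATE))
    for problem in audit_translations(SAMPLE_TRANSLATIONS):
        print("problem:", problem)
```

Feed the real `show ip nat translations` output into `audit_translations` after the change; an empty result means every active translation comes from the intended pool and originates from a subnet the ACL was meant to cover.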



Task 2: Advertise the customer's LAN networks to the NAT-performing router PE1.

Sub-step a. Configure a static route on each PE router for the CE sites' LAN subnets using both the next-hop address and the exit interface:
Configuring router PE3:
PE3(config)#ip route 192.168.10.0 255.255.255.0 g0/2 10.0.0.25

Configuring router PE2:
PE2(config)#ip route 192.168.20.0 255.255.255.0 g0/2 10.0.0.9


Sub-step b. Redistribute the static routes into the BGP IPv4 table so that PE1 learns the LAN networks of the CE routers.
Configuring router PE3:
PE3(config)#router bgp 65000
PE3(config-router)#redistribute static
PE3(config-router)#end

Verify BGP table:
PE3#show bgp ipv4 unicast
Network Next Hop Metric LocPrf Weight Path
*>i 0.0.0.0 192.168.0.3 0 100 0 500 i
*>i 50.0.0.0/16 192.168.0.3 0 100 0 500 i
*>i 75.100.0.0/20 192.168.0.3 0 100 0 i
*> 192.168.10.0 0.0.0.0 0 32768 ?
PE3#


Configuring router PE2:
PE2(config)#router bgp 65000
PE2(config-router)#redistribute static
PE2(config-router)#end
PE2#

Verify BGP table:
PE2#show bgp ipv4 unicast
Network Next Hop Metric LocPrf Weight Path
*>i 0.0.0.0 192.168.0.3 0 100 0 500 i
*>i 50.0.0.0/16 192.168.0.3 0 100 0 500 i
*>i 75.100.0.0/20 192.168.0.3 0 100 0 i
*>i 192.168.10.0 192.168.0.7 0 100 0 ?
*> 192.168.20.0 0.0.0.0 0 32768 ?
PE2#

Verify the BGP table of router PE1 to make sure that the CE LAN networks have been propagated:
PE1#show bgp ipv4 unicast
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 50.0.0.1 0 500 i
*> 50.0.0.0/16 50.0.0.1 0 0 500 i
*> 75.100.0.0/20 0.0.0.0 0 32768 i
*>i 192.168.10.0 192.168.0.7 0 100 0 ?
*>i 192.168.20.0 192.168.0.6 0 100 0 ?



Task 3: On each PE router attached to a CE site, configure a static default route under vrf CE1 pointing to the PE1 router's IP address via the global routing context.
Configuring router PE3:
PE3(config)#ip route vrf CE1 0.0.0.0 0.0.0.0 192.168.0.3 global

Verify that the static route has been installed:
PE3#show ip route vrf CE1 static
Routing Table: CE1
Gateway of last resort is 192.168.0.3 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.0.3

Configuring router PE2:
PE2(config)#ip route vrf CE1 0.0.0.0 0.0.0.0 192.168.0.3 global



Task 4: Via PE-CE routing, advertise the default route to the CE sites. Under the address-family ipv4 for vrf CE1 in BGP router configuration mode, use the neighbor command to propagate the default route.
Configuring router PE3:
PE3(config)#router bgp 65000
PE3(config-router)#address-family ipv4 unicast vrf CE1
PE3(config-router-af)#neighbor 10.0.0.25 default-originate

Configuring router PE2:
PE2(config)#router bgp 65000
PE2(config-router)#address-family ipv4 unicast vrf CE1
PE2(config-router-af)#neighbor 10.0.0.9 default-originate



Task 5: Verify that the CE sites are able to access the Internet.
Verify the BGP table to see whether the default route has been installed:
CE1-A#show ip bgp
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 10.0.0.26 0 65000 i
*> 10.0.0.8/30 10.0.0.26 0 65000 ?
r> 10.0.0.24/30 10.0.0.26 0 0 65000 ?
*> 192.168.0.1/32 10.0.0.26 0 65000 65002 i
*> 192.168.0.2/32 0.0.0.0 0 32768 i
*> 192.168.10.0 0.0.0.0 0 32768 i
*> 192.168.20.0 10.0.0.26 0 65000 65002 i
CE1-A#

Ping an address on the Internet from the 192.168.10.0/24 network:
CE1-A#ping 8.8.8.8 source lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms
CE1-A#
Repeat the same verification steps on the router CE1-B.



Summary:
This lab introduced Internet access via the global routing table with NAT performed at the remote PE location. This method of configuration is not really scalable, but it gives you the opportunity to practice multiple networking technologies (static routing with VRFs, MP-BGP address families, redistribution, NAT and more) to deliver Internet access to the customer's locations over the MPLS core network. The main disadvantage of this configuration is that it leaks the customers' private networks into the MPLS infrastructure, which places an additional burden on the network backbone and on the support team during maintenance and troubleshooting. Additionally, NAT configured at the remote PE node will fail if overlapping subnets are introduced into the core network: the PE router performing the translation could end up with equal-cost routes installed in its RIB and load-balance return traffic between multiple CE sites, which leads to interrupted connectivity.
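The overlap failure mode described in this summary, which follows from the Task 2 design of redistributing each site's LAN into the global BGP table, can be caught before a new CE site is added. The following Python check is an added example, not part of the lab and not Cisco's tooling: it models each PE's redistributed static route and the core subnets matched by the first two ACL NAT entries as (origin, prefix) pairs built from the lab's values, and flags any prefix that PE1 would receive from two different PEs (the equal-cost case) or that collides with the core. The fourth PE and its prefixes used in the usage lines are hypothetical.

```python
import ipaddress

# Constructed from Task 2 of the lab: the static route each PE redistributes
# into BGP IPv4 unicast, tagged with the PE that originates it.
REDISTRIBUTED_STATICS = [
    ("PE3", "192.168.10.0/24"),
    ("PE2", "192.168.20.0/24"),
]
# Infrastructure subnets from the first two entries of ACL NAT.
CORE_PREFIXES = [
    ("core", "192.168.0.0/24"),   # Loopback0 addresses
    ("core", "10.0.0.0/24"),      # point-to-point links
]


def find_overlaps(routes):
    """Return (kind, origin_a, prefix_a, origin_b, prefix_b) for every pair of
    prefixes from different origins that overlap. 'duplicate' means the same
    prefix would reach PE1 from two PEs (the equal-cost case the summary warns
    about); 'overlap' means one prefix is contained in or partly covers another."""
    nets = [(origin, ipaddress.ip_network(prefix)) for origin, prefix in routes]
    conflicts = []
    for i, (origin_a, a) in enumerate(nets):
        for origin_b, b in nets[i + 1:]:
            if origin_a != origin_b and a.overlaps(b):
                kind = "duplicate" if a == b else "overlap"
                conflicts.append((kind, origin_a, str(a), origin_b, str(b)))
    return conflicts


def conflicts_for(new_origin, new_prefix, existing):
    """Compare one candidate LAN prefix against the routes already in the design."""
    new = ipaddress.ip_network(new_prefix)
    found = []
    for origin, prefix in existing:
        other = ipaddress.ip_network(prefix)
        if origin != new_origin and new.overlaps(other):
            found.append(("duplicate" if new == other else "overlap", origin, prefix))
    return found


def safe_to_redistribute(new_origin, new_prefix, existing=None):
    """Pre-change check for a new CE site: True only if its LAN prefix collides
    with neither another site's redistributed static nor the core prefixes."""
    if existing is None:
        existing = REDISTRIBUTED_STATICS + CORE_PREFIXES
    return not conflicts_for(new_origin, new_prefix, existing)


if __name__ == "__main__":
    print("current design conflicts:", find_overlaps(REDISTRIBUTED_STATICS + CORE_PREFIXES))
    # Hypothetical fourth PE (constructed) reusing CE1-A's LAN prefix:
    print("PE4 with 192.168.10.0/24:", conflicts_for("PE4", "192.168.10.0/24",
                                                     REDISTRIBUTED_STATICS + CORE_PREFIXES))
    # Hypothetical fourth PE (constructed) with a LAN inside the core link range:
    print("PE4 with 10.0.0.128/25 safe?", safe_to_redistribute("PE4", "10.0.0.128/25"))
```

Running the check against the lab's two sites and the core reports no conflicts, which is why the design works here; the same check refuses a site that reuses 192.168.10.0/24 or carves its LAN out of 10.0.0.0/24.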
