MPLS Lab 025 Internet Access Through Global Routing Table with NAT performed at Local PE

Image requirements:
VIRL: IOSv 15.7
EVE-NG: Cisco vIOS Router vios-15.6
GNS3: vios-adventerprisek9-m.vmdk.SPA.156-2.T

Description:
Internet access for the customer's offices is provided through the global routing table, but this time NAT is performed on the PE routers closest to the CE routers. The topology has two customer locations, CE1-A and CE1-B, connected to the PE3 and PE2 routers respectively. Because NAT must be brought as close to the CE routers as possible, the configuration has to be performed on both PE routers. This lab gives instructions for configuring NAT on the PE3 node for the CE1-A site; afterwards, using what you have learned, you will configure the second site, CE1-B, by yourself.


Topology:






Scenario:
Prepare the PE routers connected to the CE sites for NAT. First, these PE routers must be able to translate the CEs' private networks into publicly available IPv4 addresses. Configure public IP addresses on the PE3 and PE2 routers using loopback1 interfaces with /32 masks taken from the public address range configured on the PE1 router, which is 75.100.0.0/20. This range has already been advertised to the ISP to which the MPLS cloud is connected, so as soon as the loopback1 interfaces and NAT are configured, communication with outside networks should be established without additional configuration on other devices in the topology. For the PE3 router use the first IP address from the 75.100.3.0/24 subnet; for the PE2 router use the first IP address from the 75.100.2.0/24 subnet. After the loopback1 interfaces have been configured, implement NAT overload according to the tasks described below.



Lab tasks:
1. Configure the loopback1 interface on the PE3 router as mentioned in the scenario.
2. Advertise the /32 prefix of the loopback1 interface to the PE1 router by redistributing it into BGP.
3. Verify the access to the Internet on the PE3 router.
4. Configure ACL to identify private networks of CE1-A on PE3 router.
5. Configure the NAT interfaces on the PE3 router.
6. Configure the NAT statement. 
7. Verify that router CE1-A is able to ping 8.8.8.8 from its loopback1 interface.
8. Repeat the steps above in a similar way to complete the configuration for the PE2 router.



Lab procedure:

Task 1: Configure the loopback1 interface on the PE3 router.

Configuring router PE3:
PE3(config)#interface lo1
PE3(config-if)#description PUBLIC IP
PE3(config-if)#ip address 75.100.3.0 255.255.255.255
PE3(config-if)#end
PE3#



Task 2: Redistribute loopback1 prefix with BGP.

Step1. Configure prefix-list:
PE3(config)#ip prefix-list LOOPBACK1 permit 75.100.3.0/32


Step2. Configure route-map:
PE3(config)#route-map CONNECTED permit 10
PE3(config-route-map)#match ip address prefix-list LOOPBACK1
PE3(config-route-map)#end
PE3#


Step3. Configure redistribution into BGP:
PE3(config)#router bgp 65000
PE3(config-router)#redistribute connected route-map CONNECTED
PE3(config-router)#end
PE3#
Note: if you are doing this lab in VIRL, there is a chance that BGP will refuse to redistribute connected routes when the route-map is used. In that case, skip steps 1 and 2 and configure redistribution without the route-map.


Step4. Verify BGP table to see if the redistribution works:

 PE1#show ip route 75.100.3.0
Routing entry for 75.100.3.0/32
Known via "bgp 65000", distance 200, metric 0, type internal
Last update from 192.168.0.7 00:08:47 ago
Routing Descriptor Blocks:
* 192.168.0.7, from 192.168.0.7, 00:08:47 ago
Route metric is 0, traffic share count is 1
AS Hops 0
MPLS label: none
PE1#
PE1 now has the prefix of PE3's loopback1 in its routing table.



Task 3: Verify the access to the Internet on the PE3 router.
PE3#ping 8.8.8.8 source lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 75.100.3.0
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
PE3#
Now that Internet connectivity is confirmed, you can begin configuring NAT.



Task 4: Configure ACL to identify private networks of CE1-A on PE3 router.
Configuring router PE3:
PE3(config)#ip access-list standard NAT
PE3(config-std-nacl)#permit 192.168.10.0 0.0.0.255

Verifying ACL:
PE3#show ip access-lists NAT
Standard IP access list NAT
10 permit 192.168.10.0, wildcard bits 0.0.0.255



Task 5: Configure the NAT interfaces on the PE3 router.
Configuring router PE3:
PE3(config)#interface g0/2
PE3(config-if)#ip nat inside
PE3(config-if)#interface g0/1
PE3(config-if)#ip nat outside



Task 6: Configure the NAT statement. 
Configuring PE3:
PE3(config)#ip nat inside source list NAT interface loopback 1 vrf CE1 overload

Verifying NAT:
PE3#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0
Outside interfaces:
GigabitEthernet0/1
Inside interfaces:
GigabitEthernet0/2
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NAT interface GigabitEthernet0/1 refcount 0
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
PE3#



Task 7: Verify that router CE1-A is able to ping 8.8.8.8 from its loopback1 interface.
CE1-A#ping 8.8.8.8 source lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/7 ms
CE1-A#



Task 8: Repeat the steps above in a similar way to complete the configuration for the PE2 router.
Using the skills you acquired in this lab finish configuring the PE2 router. 
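
Before repeating the procedure on PE2, the pieces configured in Tasks 1 to 6 can be cross-checked offline. The Python script below is an added example, not part of the original lab: the running-config excerpt is constructed from the lab's PE3 commands, and the audit function and its finding messages are hypothetical names chosen for illustration.

```python
import ipaddress
import re

PUBLIC_RANGE = ipaddress.ip_network("75.100.0.0/20")  # range given in the scenario

# Constructed running-config excerpt for PE3; the prefix-list entry is
# deliberately wrong so the audit has something to report.
SAMPLE = """\
interface Loopback1
 ip address 75.100.3.0 255.255.255.255
interface GigabitEthernet0/2
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside
ip prefix-list LOOPBACK1 permit 75.100.30.0/32
ip access-list standard NAT
 permit 192.168.10.0 0.0.0.255
ip nat inside source list NAT interface Loopback1 vrf CE1 overload
"""

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    m = re.search(r"^interface Loopback1\n ip address (\S+) (\S+)", config, re.M)
    if not m:
        return ["Loopback1 has no IP address"]
    loop = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    if not loop.subnet_of(PUBLIC_RANGE):
        findings.append(f"{loop} is outside the advertised range {PUBLIC_RANGE}")
    # The route-map redistributes only what the prefix-list permits.
    permitted = re.findall(r"^ip prefix-list \S+ permit (\S+)", config, re.M)
    if str(loop) not in permitted:
        findings.append(f"prefix-list does not permit {loop}; it will not reach BGP")
    # Only the CE's private networks should be eligible for translation.
    for net, wildcard in re.findall(r"^ permit (\d\S*) (\d\S*)$", config, re.M):
        acl_net = ipaddress.ip_network(f"{net}/{wildcard}")  # wildcard = host mask
        if not acl_net.is_private:
            findings.append(f"NAT ACL permits non-private network {acl_net}")
    nat = re.search(r"^ip nat inside source list (\S+) interface \S+ .*overload", config, re.M)
    if not nat:
        findings.append("no overloaded inside-source NAT statement")
    elif f"ip access-list standard {nat.group(1)}\n" not in config:
        findings.append(f"NAT statement references missing ACL {nat.group(1)}")
    for role in ("inside", "outside"):
        if not re.search(rf"^ ip nat {role}$", config, re.M):
            findings.append(f"no interface marked 'ip nat {role}'")
    return findings
```

Calling audit(SAMPLE) reports the mismatched prefix-list entry; the same function can be run over the PE2 configuration after adjusting the addresses to the 75.100.2.0/24 subnet.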



Summary:
Bringing the NAT operation as close to the CE site as possible allows CE sites with overlapping private subnets to reach outside destinations. Also, if there is a lack of public IP addresses, NAT can be performed at multiple PE routers.
