MPLS Lab 026 Internet Access Through Global Routing Table with NAT performed at CE site

Image requirements:
VIRL: IOSv 15.7
EVE-NG: Cisco vIOS Router vios-15.6
GNS3: vios-adventerprisek9-m.vmdk.SPA.156-2.T


Description:
In this lab, you will move NAT translation from the PE routers to the customers' locations. The ISP will provide public IPv4 addresses to its clients, and you will need to reconfigure the PE routers so that the public IPv4 addresses assigned to the CE routers are reachable by Internet users over the private MPLS network.


Topology:



 



Scenario:
After months of negotiations and justifications with the RIR, the MPLS service provider was able to obtain a large chunk of public IPv4 space. To improve the performance of its core infrastructure, NAT services are no longer available at the POP: PE routers have been reconfigured to deliver direct access to the global networks via routable IP addresses. The provider encourages its customers to configure NAT translation at their CE routers, and the ISP ensures that every client will have its own public IPv4 address.



Lab tasks:
1. Configure the PE1 router to advertise the public IPv4 subnet to its ISP via BGP. 
2. Configure a loopback interface on the PE1 router with the lowest /32 IPv4 address out of the public subnet for testing purposes.
3. Advertise a default route to the routers PE2 and PE3.
4. Configure routers PE2 and PE3 to advertise a default route to their respective CE routers.
5. Configure static default routes on the routers PE2 and PE3 for the CE1 VRF instances via the global routing table.
6. Assign the next two lowest /32 IPv4 subnets out of the ISP's public IPv4 pool of addresses to the customer's CE routers.
7. Configure routers CE1-A and CE1-B to redistribute their public IPv4 addresses to PE routers. 
8. Configure routers PE2 and PE3 to propagate CE's public IPv4 addresses to PE1 router.
9. Verify that CE routers are able to ping the 8.8.8.8 Internet address from their public IPv4 addresses. 
10. Configure NAT overload on CE routers and verify that they are able to ping the 8.8.8.8 Internet address from their private subnets.



Task1: Configure the PE1 router to advertise the public IPv4 subnet to its ISP via BGP. 


Step1. Configure a Null0 static route for 75.100.0.0/20 on the router PE1:
PE1(config)#ip route 75.100.0.0 255.255.240.0 null0
PE1(config)#end
PE1#

PE1#show ip route static
Gateway of last resort is 50.0.0.1 to network 0.0.0.0
75.0.0.0/20 is subnetted, 1 subnets
S 75.100.0.0 is directly connected, Null0
PE1#


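Step2. In BGP configuration mode, advertise the public subnet with the "network" statement (the Null0 static route from Step1 puts an exact match for 75.100.0.0/20 in the routing table, which the "network" statement requires):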
PE1(config)#router bgp 65000
PE1(config-router)#network 75.100.0.0 mask 255.255.240.0
PE1(config-router)#end

PE1#show bgp ipv4 unicast
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 50.0.0.1 0 500 i
*> 50.0.0.0/16 50.0.0.1 0 0 500 i
*> 75.100.0.0/20 0.0.0.0 0 32768 i
PE1#




Task2: Configure a loopback interface on the PE1 router with the lowest /32 IPv4 address out of the public subnet for testing purposes.

Step1. Verify which loopback interfaces are already configured, to avoid connectivity problems:
PE1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.255.3.252 YES NVRAM administratively down down
GigabitEthernet0/1 10.0.0.14 YES NVRAM up up
GigabitEthernet0/2 50.0.0.2 YES NVRAM up up
GigabitEthernet0/3 unassigned YES unset administratively down down
Loopback0 192.168.0.3 YES NVRAM up up
PE1#
The output shows that Loopback0 is already in use, so the next interface can be Loopback1.


Step2. Configure the Loopback1 interface with the 75.100.0.0/32 IP address:
PE1(config)#interface lo1
PE1(config-if)#ip address 75.100.0.0 255.255.255.255
PE1(config-if)#end
PE1#
PE1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.255.3.252 YES NVRAM administratively down down
GigabitEthernet0/1 10.0.0.14 YES NVRAM up up
GigabitEthernet0/2 50.0.0.2 YES NVRAM up up
GigabitEthernet0/3 unassigned YES unset administratively down down
Loopback0 192.168.0.3 YES NVRAM up up
Loopback1 75.100.0.0 YES manual up up
PE1#


Step3. Verify connectivity to the Internet from the PE1 router's loopback1 interface:
PE1#ping 8.8.8.8 source lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 75.100.0.0
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
PE1#



Task3: Advertise a default route to the routers PE2 and PE3.

Step1. Configure the PE1 router to propagate a default route to its peers with BGP:
PE1(config)#router bgp 65000
PE1(config-router)#neighbor 192.168.0.6 default-originate
PE1(config-router)#neighbor 192.168.0.7 default-originate
PE1(config-router)# end


Step2: Verify propagation:
PE3#show ip bgp
BGP table version is 5, local router ID is 192.168.0.7
Network Next Hop Metric LocPrf Weight Path
*>i 0.0.0.0 192.168.0.3 0 100 0 i
*>i 50.0.0.0/16 192.168.0.3 0 100 0 500 i
*>i 75.100.0.0/20 192.168.0.3 0 100 0 i
PE3#
PE2#show ip bgp
BGP table version is 7, local router ID is 192.168.0.6
Network Next Hop Metric LocPrf Weight Path
*>i 0.0.0.0 192.168.0.3 0 100 0 i
*>i 50.0.0.0/16 192.168.0.3 0 100 0 500 i
*>i 75.100.0.0/20 192.168.0.3 0 100 0 i
PE2#



Task4: Configure routers PE2 and PE3 to advertise a default route to their respective CE routers.  

Step1. Configuring PE2:
PE2(config)#router bgp 65000
PE2(config-router)#address-family ipv4 unicast vrf CE1
PE2(config-router-af)#neighbor 10.0.0.9 default-originate
PE2(config-router-af)#end
PE2#


Step2. Configuring PE3:
PE3(config)#router bgp 65000
PE3(config-router)#address-family ipv4 unicast vrf CE1
PE3(config-router-af)#neighbor 10.0.0.25 default-originate
PE3(config-router-af)#end
PE3#


Step3. Verify that the configuration took effect:
CE1-A#show ip route bgp
Gateway of last resort is 10.0.0.26 to network 0.0.0.0
B* 0.0.0.0/0 [20/0] via 10.0.0.26, 00:01:10
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B 10.0.0.8/30 [20/0] via 10.0.0.26, 01:07:21
192.168.0.0/32 is subnetted, 2 subnets
B 192.168.0.1 [20/0] via 10.0.0.26, 01:07:21
B 192.168.20.0/24 [20/0] via 10.0.0.26, 01:07:21

CE1-B#show ip route bgp
Gateway of last resort is 10.0.0.10 to network 0.0.0.0
B* 0.0.0.0/0 [20/0] via 10.0.0.10, 00:04:22
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B 10.0.0.24/30 [20/0] via 10.0.0.10, 01:08:17
192.168.0.0/32 is subnetted, 2 subnets
B 192.168.0.2 [20/0] via 10.0.0.10, 01:08:17
B 192.168.10.0/24 [20/0] via 10.0.0.10, 01:08:17




Task5: Configure static default routes on the routers PE2 and PE3 for the CE1 VRF instances via the global routing table.

Step1: Configuring PE2:
PE2(config)#ip route vrf CE1 0.0.0.0 0.0.0.0 192.168.0.3 global

PE2#show ip route vrf CE1 static
Routing Table: CE1
Gateway of last resort is 192.168.0.3 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.0.3


Step2. Configuring PE3:
PE3(config)#ip route vrf CE1 0.0.0.0 0.0.0.0 192.168.0.3 global



Task6: Assign the next two lowest /32 IPv4 subnets out of the ISP's public IPv4 pool of addresses to the customer's CE routers.

Step1. Configuring CE1-A:
CE1-A#show ip interface brief | exclude unassigned
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.255.3.247 YES NVRAM administratively down down
GigabitEthernet0/1 10.0.0.25 YES NVRAM up up
Loopback0 192.168.0.2 YES NVRAM up up
Loopback1 192.168.10.1 YES NVRAM up up
CE1-A#

CE1-A(config)#interface loopback 2
CE1-A(config-if)#ip address 75.100.0.1 255.255.255.255
CE1-A(config-if)# end


Step2. Configuring CE1-B:
CE1-B(config)#interface loopback 2
CE1-B(config-if)#ip address 75.100.0.2 255.255.255.255
CE1-B(config-if)#end



Task7: Configure routers CE1-A and CE1-B to redistribute their public IPv4 addresses to PE routers. 

Step1. Configuring CE1-A:
CE1-A(config)#router bgp 65001
CE1-A(config-router)#network 75.100.0.1 mask 255.255.255.255
CE1-A(config-router)#end

CE1-A#show ip bgp
BGP table version is 9, local router ID is 192.168.10.1
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 10.0.0.26 0 65000 i
*> 10.0.0.8/30 10.0.0.26 0 65000 ?
r> 10.0.0.24/30 10.0.0.26 0 0 65000 ?
*> 75.100.0.1/32 0.0.0.0 0 32768 i
*> 192.168.0.1/32 10.0.0.26 0 65000 65002 i
*> 192.168.0.2/32 0.0.0.0 0 32768 i
*> 192.168.10.0 0.0.0.0 0 32768 i
*> 192.168.20.0 10.0.0.26 0 65000 65002 i
CE1-A#


Step2. Configuring CE1-B:
CE1-B(config)#router bgp 65002
CE1-B(config-router)#network 75.100.0.2 mask 255.255.255.255
CE1-B(config-router)#end


Step3. Verify that routers PE2 and PE3 received routes:
PE2#show bgp vrf CE1
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 10:10 (default for vrf CE1)
0.0.0.0 0.0.0.0 0 i
*> 10.0.0.8/30 0.0.0.0 0 32768 ?
*>i 10.0.0.24/30 192.168.0.7 0 100 0 ?
*>i 75.100.0.1/32 192.168.0.7 0 100 0 65001 i
*> 75.100.0.2/32 10.0.0.9 0 0 65002 i
*> 192.168.0.1/32 10.0.0.9 0 0 65002 i
*>i 192.168.0.2/32 192.168.0.7 0 100 0 65001 i
*>i 192.168.10.0 192.168.0.7 0 100 0 65001 i
*> 192.168.20.0 10.0.0.9 0 0 65002 i
PE2#

PE3#show bgp vrf CE1
BGP table version is 14, local router ID is 192.168.0.7
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 10:10 (default for vrf CE1)
0.0.0.0 0.0.0.0 0 i
*>i 10.0.0.8/30 192.168.0.6 0 100 0 ?
*> 10.0.0.24/30 0.0.0.0 0 32768 ?
*> 75.100.0.1/32 10.0.0.25 0 0 65001 i
*>i 75.100.0.2/32 192.168.0.6 0 100 0 65002 i
*>i 192.168.0.1/32 192.168.0.6 0 100 0 65002 i
*> 192.168.0.2/32 10.0.0.25 0 0 65001 i
*> 192.168.10.0 10.0.0.25 0 0 65001 i
*>i 192.168.20.0 192.168.0.6 0 100 0 65002 i
PE3#



Task8: Configure routers PE2 and PE3 to propagate the CE routers' public IPv4 addresses to the PE1 router.

Step1. Match the /32 subnet of the CE1-A router with a prefix list:
PE3(config)#ip prefix-list CE1A_PUBLIC_IP permit 75.100.0.1/32


Step2. Configure a route map to match the prefix list:
PE3(config)#route-map CE1A permit 10
PE3(config-route-map)#match ip address prefix-list CE1A_PUBLIC_IP
PE3(config-route-map)#end
PE3#


Step3. Export the CE1-A public IPv4 address into the global routing table:
PE3(config)#vrf definition CE1
PE3(config-vrf)#address-family ipv4
PE3(config-vrf-af)#export ipv4 unicast map CE1A
PE3(config-vrf-af)#end


Step4. Verify that the export occurred:
PE1#show ip bgp
Network Next Hop Metric LocPrf Weight Path
0.0.0.0 0.0.0.0 0 i
*> 50.0.0.1 0 500 i
*> 50.0.0.0/16 50.0.0.1 0 0 500 i
*> 75.100.0.0/20 0.0.0.0 0 32768 i
*>i 75.100.0.1/32 192.168.0.7 0 100 0 65001 i


Step5. Repeat the steps above on the router PE2.
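
A check for the export configured in Task8, as an added example that is not part of the original lab: it reads rows in the format of PE1's BGP table and reports any prefix learned from PE2 or PE3 that is not a /32 inside 75.100.0.0/20, which is what a missing or too-broad export map would put into the global table. The sample rows are constructed (the 192.168.10.0 row is a deliberate bad case), and it assumes that PE2 and PE3 send PE1 only VRF-exported routes in this address family.

```python
import ipaddress
import re

PUBLIC_POOL = ipaddress.ip_network("75.100.0.0/20")  # ISP block from Task1
REMOTE_PES = {"192.168.0.6", "192.168.0.7"}           # PE2, PE3 loopbacks

# Constructed sample in the format of PE1's "show ip bgp" rows. The last
# row is a deliberate bad case: a private customer LAN leaked by an
# export map that is missing or too broad.
SAMPLE = """\
*>  50.0.0.0/16     50.0.0.1       0          0 500 i
*>  75.100.0.0/20   0.0.0.0        0      32768 i
*>i 75.100.0.1/32   192.168.0.7    0   100    0 65001 i
*>i 75.100.0.2/32   192.168.0.6    0   100    0 65002 i
*>i 192.168.10.0    192.168.0.7    0   100    0 65001 i
"""

# status codes, then prefix (mask optional), then next hop
ROW = re.compile(r"^\S+\s+(\d+(?:\.\d+){3}(?:/\d+)?)\s+(\d+(?:\.\d+){3})\s")


def parse_prefix(text):
    """IOS omits the mask on classful networks; restore it."""
    if "/" not in text:
        first = int(text.split(".")[0])
        bits = 0 if first == 0 else 8 if first < 128 else 16 if first < 192 else 24
        text = f"{text}/{bits}"
    return ipaddress.ip_network(text)


def audit_leaks(table):
    """Split prefixes learned from PE2/PE3 into (expected, unexpected)."""
    expected, unexpected = [], []
    for line in table.splitlines():
        m = ROW.match(line)
        if not m or m.group(2) not in REMOTE_PES:
            continue  # header, local route, or route from the upstream ISP
        net = parse_prefix(m.group(1))
        if net.prefixlen == 32 and net.subnet_of(PUBLIC_POOL):
            expected.append(str(net))
        else:
            unexpected.append(str(net))
    return expected, unexpected


if __name__ == "__main__":
    ok, bad = audit_leaks(SAMPLE)
    print("exported as intended:", ok)
    print("should not be in the global table:", bad)
```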




Task9: Verify that CE routers are able to ping the 8.8.8.8 Internet address from their public IPv4 addresses. 
CE1-A#ping 8.8.8.8 source lo2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 75.100.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
CE1-A#

CE1-B#ping 8.8.8.8 source lo2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 75.100.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
CE1-B#



Task10: Configure NAT overload on CE routers and verify that they are able to ping the 8.8.8.8 Internet address from their private subnets.
Configuring router CE1-A:

Step1. Enable NAT on interfaces:
CE1-A(config)#interface lo0
CE1-A(config-if)#ip nat inside

CE1-A(config-if)#int lo1
CE1-A(config-if)#ip nat inside

CE1-A(config-if)#int g0/1
CE1-A(config-if)#ip nat outside


Step2: Configure the NAT ACL:
CE1-A(config)#ip access-list standard NAT
CE1-A(config-std-nacl)#permit 192.168.10.0 0.0.0.255
CE1-A(config-std-nacl)#permit 192.168.0.2 0.0.0.0
CE1-A(config-std-nacl)#end



Step3. Configure NAT overload:
CE1-A(config)#ip nat inside source list NAT interface lo2 overload

Step4. Verify NAT operation:
CE1-A#ping 8.8.8.8 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/7 ms
CE1-A#ping 8.8.8.8 source lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

CE1-A#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 75.100.0.1:2 192.168.0.2:2 8.8.8.8:2 8.8.8.8:2
icmp 75.100.0.1:3 192.168.10.1:3 8.8.8.8:3 8.8.8.8:3
CE1-A#


Step5. Configure router CE1-B.
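
A check of the NAT policy from Task10, as an added example that is not part of the original lab: it evaluates the standard ACL from Step2 with IOS wildcard-mask semantics and confirms that every row of the Step4 translation table has an inside local address the ACL permits and the Loopback2 address as inside global. The ACL and translation rows are copied from CE1-A above; the function names are hypothetical.

```python
import ipaddress

# NAT ACL from Step2 and translation rows from Step4 (router CE1-A).
NAT_ACL = """\
permit 192.168.10.0 0.0.0.255
permit 192.168.0.2 0.0.0.0
"""
TRANSLATIONS = """\
icmp 75.100.0.1:2 192.168.0.2:2 8.8.8.8:2 8.8.8.8:2
icmp 75.100.0.1:3 192.168.10.1:3 8.8.8.8:3 8.8.8.8:3
"""
INSIDE_GLOBAL = "75.100.0.1"  # Loopback2 on CE1-A


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def acl_permits(acl, src):
    """First-match evaluation; wildcard 1-bits are 'don't care' bits."""
    for entry in acl.splitlines():
        parts = entry.split()
        if len(parts) != 3:
            continue
        action, base, wildcard = parts
        care = ~to_int(wildcard) & 0xFFFFFFFF
        if (to_int(src) ^ to_int(base)) & care == 0:
            return action == "permit"
    return False  # implicit deny: the source is not translated


def check_translations(table, acl, inside_global):
    """Return rows whose inside local source is not permitted by the ACL
    or whose inside global address is not the expected public /32."""
    suspect = []
    for row in table.splitlines():
        fields = row.split()
        if len(fields) != 5:
            continue  # header or blank line
        glob = fields[1].split(":")[0]
        local = fields[2].split(":")[0]
        if glob != inside_global or not acl_permits(acl, local):
            suspect.append(row)
    return suspect


if __name__ == "__main__":
    for src in ("192.168.10.200", "192.168.0.2", "192.168.0.3", "10.0.0.25"):
        print(src, "translated" if acl_permits(NAT_ACL, src) else "not translated")
    print("suspect rows:", check_translations(TRANSLATIONS, NAT_ACL, INSIDE_GLOBAL))
```

A source that falls through to the implicit deny is forwarded with its private address unchanged, so the ACL is also the list of private sources that can reach the Internet at all.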



Summary:
Internet access via the global routing table is not very efficient: it requires a lot of complicated configuration, which leads to poor network management and operation and causes additional stress when it comes to troubleshooting. The next lab will introduce a more practical and robust solution using access to the Internet inside the VPN.
