This is the third post in the series; the goal of the series is to provide a guide for the MPLS and BGP lab I posted a while back. The lab consists of MPLS VPNs and BGP along with some OSPF, NAT, IPsec and GRE exposure. I will be posting the files needed for this lab at the bottom. Here’s the topology and the requirements:



Requirements:
Internet
* The two Internet routers should serve as transit ASes. No other routers should permit transit traffic.
* Internet sites (modeled by loopbacks) should be accessible by all lan IPs.

Clients
* London, Paris, and New York have Internet connections to their respective ISPs. New York is dual-homed.
* London, Paris, New York, and Chicago all have MPLS connections to the same provider. New York and Chicago constitute one company, while London and Paris constitute another. Their routes should not mix over MPLS.
* London, Paris, and New York each have data centers with a DMZ that should be publicly accessible.
* London, Paris, New York, and Chicago each have 2 LANs which should not be accessible from the Internet, though they should be able to access the Internet.
* London and Paris have a GRE over IPsec connection between them that should take over routing between their LANs in case the MPLS connection fails. Additionally, the MPLS connection should take over for DMZ sites if the Internet connection should fail.

MPLS
* The MPLS-P router should be the only one in area 0. It should be an ABR connecting MPLS-PE1 (a stub area 1) and MPLS-PE2 (a stub area 2).
* Area 1 and Area 2 should be summarized to /24s before being injected into the OSPF backbone.
* The PE routers should communicate via BGP to the CE routers.

Today we’re going to configure the internet routers for London and Paris. Here’s the config for London:
London-I

hostname London-I
!
interface Loopback0
 ip address 10.192.0.1 255.255.255.0
!
interface FastEthernet0/0
 description Connection to London-M
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Serial1/0
 description Connection to Internet1
 ip address 10.1.0.2 255.255.255.252
 ip nat outside
!
interface Tunnel1
 ip address 192.168.254.1 255.255.255.252
 tunnel source Serial1/0
 tunnel destination 10.2.1.2
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 network 10.1.0.0 mask 255.255.255.252
 network 10.192.0.0 mask 255.255.255.0
 network 192.168.254.0 mask 255.255.255.252
 neighbor 10.1.0.1 remote-as 64512
 neighbor 10.1.0.1 weight 4000
 neighbor 10.1.0.1 route-map INET_OUT out
 neighbor 192.168.0.254 remote-as 65000
 neighbor 192.168.0.254 next-hop-self
 neighbor 192.168.0.254 weight 2000
 neighbor 192.168.254.2 remote-as 65002
 no auto-summary
!
ip as-path access-list 10 permit ^$
!
ip nat inside source list NAT interface Serial1/0 overload
!
ip access-list standard LAN_IP
 deny   192.168.254.0 0.0.0.3
 deny   192.168.1.0 0.0.0.255
 deny   192.168.4.0 0.0.0.255
 permit any
!
ip access-list standard NAT
 permit 192.168.1.0 0.0.0.255
 permit 192.168.4.0 0.0.0.255
!
route-map INET_OUT permit 10
 match ip address LAN_IP
 match as-path 10

This is a ton of config. First we’ve configured the interfaces with IPs and NAT. We’re NATing our LAN IPs to give them access to the Internet. We also have the Tunnel interface configured with S1/0 as the source and Paris-I’s S1/0 address as the destination.

Next we have the BGP config. We disable synchronization and auto-summarization and bring up our neighbors. The first is 10.1.0.1, which is Internet1. Weight is configured for this neighbor so it is preferred and we don’t get recursive route issues with BGP. We also have a route-map applied outbound to Internet1; this route-map filters out the LAN IPs as well as our Tunnel subnet, and it only allows routes originated in our local AS out. The second neighbor is 192.168.0.254, our iBGP relationship with London-M; with next-hop-self, the routes we send to London-M carry this router as the next hop. The 192.168.0.254 neighbor also has weight applied to it so the WAN is preferred over the tunnel.
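To make the outbound policy above concrete, here is an added example (not code from the original post) that models, in Python, what London-I’s INET_OUT route-map and NAT ACL do with the config as written: the IOS wildcard-mask match of a standard ACL, the as-path access-list regex, the AND of the two match clauses in route-map sequence 10 with its implicit deny, and the weight step of best-path selection. The ACLs, as-path list and neighbor weights are copied from the London-I config; the BGP table entries are constructed for illustration, and the 192.168.1.0/24 entry learned from London-M and the Internet path for Paris’s 10.192.2.0/24 are assumptions about what London-I would see. The result shows the two security-relevant outcomes of the policy: only locally originated public prefixes reach the ISP (no transit, no leaked RFC 1918 LAN or tunnel prefixes), and the Internet path beats the tunnel for Paris routes because weight is evaluated before AS-path length.

```python
"""Model of London-I's outbound BGP policy and NAT scope (added example)."""
import ipaddress
import re

# ip access-list standard LAN_IP / NAT  ->  (action, network, wildcard mask)
LAN_IP_ACL = [
    ("deny", "192.168.254.0", "0.0.0.3"),
    ("deny", "192.168.1.0", "0.0.0.255"),
    ("deny", "192.168.4.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),   # permit any
]
NAT_ACL = [
    ("permit", "192.168.1.0", "0.0.0.255"),
    ("permit", "192.168.4.0", "0.0.0.255"),
]
# ip as-path access-list 10 permit ^$  ->  only routes with an empty AS_PATH
AS_PATH_LIST_10 = [("permit", r"^$")]
# neighbor ... weight from the config (a neighbor without one defaults to 0)
NEIGHBOR_WEIGHT = {"10.1.0.1": 4000, "192.168.0.254": 2000, "192.168.254.2": 0}


def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 0 bit in the mask means that bit must match."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


def standard_acl(acl, addr):
    """First matching entry wins; an unmatched address hits the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return action == "permit"
    return False


def as_path_list(aspl, as_path):
    """Match the AS_PATH rendered as 'ASN ASN ...' against the regex entries."""
    text = " ".join(str(asn) for asn in as_path)
    for action, regex in aspl:
        if re.search(regex, text):
            return action == "permit"
    return False


def inet_out(prefix, as_path):
    """route-map INET_OUT permit 10: every match clause must pass; with no
    further sequences, a route that fails is implicitly denied (not sent)."""
    network = str(ipaddress.IPv4Network(prefix).network_address)
    return standard_acl(LAN_IP_ACL, network) and as_path_list(AS_PATH_LIST_10, as_path)


def nat_translated(src):
    """Would 'ip nat inside source list NAT ... overload' translate this source?"""
    return standard_acl(NAT_ACL, src)


# Constructed view of London-I's BGP table: (prefix, AS_PATH, learned from)
BGP_TABLE = [
    ("10.192.0.0/24", [], "local"),                        # DMZ loopback (network statement)
    ("10.1.0.0/30", [], "local"),                          # link to Internet1
    ("192.168.254.0/30", [], "local"),                     # GRE tunnel subnet
    ("192.168.1.0/24", [], "192.168.0.254"),               # LAN, assumed learned via iBGP from London-M
    ("10.192.2.0/24", [65002], "192.168.254.2"),           # Paris DMZ over the tunnel eBGP session
    ("10.192.2.0/24", [64512, 64513, 65002], "10.1.0.1"),  # assumed: same prefix via the Internet
]


def advertised_to_internet1():
    """Prefixes that survive INET_OUT toward neighbor 10.1.0.1 (Internet1)."""
    return sorted({p for p, path, _ in BGP_TABLE if inet_out(p, path)})


def best_path(prefix):
    """Weight step of best-path selection (highest wins), then shortest AS_PATH.
    Returns the neighbor whose path is installed for the prefix."""
    candidates = []
    for p, path, src in BGP_TABLE:
        if p != prefix or src == "local":
            continue
        candidates.append((NEIGHBOR_WEIGHT.get(src, 0), -len(path), src))
    return max(candidates)[2] if candidates else None


if __name__ == "__main__":
    print("sent to Internet1:", advertised_to_internet1())
    for p, path, _ in BGP_TABLE:
        print(f"{p:18} AS_PATH {path!s:22} INET_OUT -> {'permit' if inet_out(p, path) else 'deny'}")
    print("best path for 10.192.2.0/24 via", best_path("10.192.2.0/24"))
    print("NAT applies to 192.168.4.20:", nat_translated("192.168.4.20"))
    print("NAT applies to 10.192.0.1:", nat_translated("10.192.0.1"))
```

Running it shows that only 10.1.0.0/30 and 10.192.0.0/24 are sent to Internet1; the tunnel subnet, the LAN prefixes and anything learned from Paris (non-empty AS_PATH) are dropped, which is what keeps London-I from acting as transit between AS 65002 and AS 64512. For 10.192.2.0/24 the Internet1 path wins on weight despite the longer AS path, matching the note that the WAN is preferred over the tunnel; the DMZ loopback address is not in the NAT ACL, so it is reachable untranslated.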

Here is the config for Paris:
Paris-I

hostname Paris-I
!
interface Tunnel1
 ip address 192.168.254.2 255.255.255.252
 tunnel source Serial1/0
 tunnel destination 10.1.0.2
!
interface Loopback0
 ip address 10.192.2.1 255.255.255.0
!
interface FastEthernet0/0
 description Connection to Paris-M
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial1/0
 description Connection to Internet2
 ip address 10.2.1.2 255.255.255.252
 ip nat outside
!
router bgp 65002
 no synchronization
 bgp log-neighbor-changes
 network 10.2.1.0 mask 255.255.255.252
 network 10.192.2.0 mask 255.255.255.0
 network 192.168.254.0 mask 255.255.255.252
 neighbor 10.2.1.1 remote-as 64513
 neighbor 10.2.1.1 weight 4000
 neighbor 10.2.1.1 route-map INET_OUT out
 neighbor 192.168.2.254 remote-as 65002
 neighbor 192.168.2.254 next-hop-self
 neighbor 192.168.2.254 weight 2000
 neighbor 192.168.254.1 remote-as 65000
 no auto-summary
!
ip as-path access-list 10 permit ^$
!
ip nat inside source list NAT interface Serial1/0 overload
!
ip access-list standard LAN_IP
 deny   192.168.254.0 0.0.0.3
 deny   192.168.1.0 0.0.0.255
 deny   192.168.4.0 0.0.0.255
 permit any
!
ip access-list standard NAT
 permit 192.168.1.0 0.0.0.255
 permit 192.168.4.0 0.0.0.255
!
route-map INET_OUT permit 10
 match ip address LAN_IP
 match as-path 10

This is essentially a mirror of the London config, so it shouldn’t require any explanation.

A couple of notes: some of my config here isn’t best practice; it simply accomplishes the goal (like the weight config, which normally I would do with a route-map instead of a blanket neighbor statement). Also, as I’m sure you’ve noticed, I didn’t do the crypto config for the tunnel. If anyone wants to see it, just comment. I was feeling lazy when I initially did this lab.

That’s all for this one, part four will be coming soon. Here are the files needed for the lab:
The Dynagen/GNS3 .net file
The IP Address Allocations
The Visio Diagram for the Lab
(You will need to modify the .net file to reflect your own IOS and path values)

Colby

Colby Glass has been in IT since 2002. He is currently a Systems Engineer (presales) with a Cisco Gold partner and holds the CCNP R/S, CCNP DC, CCDP, CCIP, JNCIA-ER.
