This is the fourth post in the series; the goal of the series is to provide a guide for the MPLS and BGP lab I posted a while back. The lab consists of MPLS VPNs and BGP along with some OSPF, NAT, IPsec and GRE exposure. I will be posting the files needed for this lab at the bottom. Here’s the topology and the requirements:


Requirements:
Internet
* The two Internet routers should serve as transit ASes. No other routers should permit transit traffic.
* Internet sites (modeled by loopbacks) should be accessible by all LAN IPs.

Clients
* London, Paris, and New York have Internet connections to their respective ISPs. New York is dual-homed.
* London, Paris, New York, and Chicago all have MPLS connections to the same provider. New York and Chicago constitute one company, while London and Paris constitute another. Their routes should not mix over MPLS.
* London, Paris, and New York each have data centers with a DMZ that should be publicly accessible.
* London, Paris, New York, and Chicago each have 2 LANs which should not be accessible from the Internet, though they should be able to access the Internet.
* London and Paris have a GRE over IPsec connection between them that should take over routing between their LANs in case the MPLS connection fails. Additionally, the MPLS connection should take over for DMZ sites if the Internet connection should fail.

MPLS
* The MPLS-P router should be the only one in area 0. It should be an ABR connecting MPLS-PE1 (a stub area 1) and MPLS-PE2 (a stub area 2).
* Area 1 and Area 2 should be summarized to /24s before being injected into the OSPF backbone.
* The PE routers should communicate via BGP to the CE routers.

Today is going to be a short one. We’ll go through the config for NewYork-I. It’s a multi-homed BGP config, which is why I didn’t include it with the other internet edge routers. Here’s the config:

NewYork-I

hostname NewYork-I
!
interface FastEthernet0/0
 description Connection to NewYork-M
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Serial1/0
 description Connection to Internet1
 ip address 10.1.1.2 255.255.255.252
 ip nat outside
!
interface Serial1/1
 description Connection to Internet2
 ip address 10.2.0.2 255.255.255.252
 ip nat outside
!
ip nat inside source route-map NAT_0 interface Serial1/0 overload
ip nat inside source route-map NAT_1 interface Serial1/1 overload
!
ip access-list standard LAN_IP
 deny   192.168.1.0 0.0.0.255
 deny   192.168.5.0 0.0.0.255
 permit any
!
ip access-list standard NAT
 permit 192.168.1.0 0.0.0.255
 permit 192.168.5.0 0.0.0.255
!
route-map NAT_0 permit 10
 match ip address NAT
 match interface Serial1/0
!
route-map NAT_1 permit 10
 match ip address NAT
 match interface Serial1/1

First we configure the standard IP addresses and mark the NAT inside and outside interfaces. In this situation we have two Internet connections and we want to use both, so we are load balancing across them. In our NAT config we’re using route-maps instead of a simple ACL; this is needed for the load balancing, because a route-map can match the outgoing interface as well as the source addresses. NAT_0 matches the addresses we want to translate and interface Serial1/0, so traffic leaving toward Internet1 is translated to that interface’s address, and NAT_1 does the same for Serial1/1. Next we’ll go through the BGP config:

ip as-path access-list 10 permit ^$
!
route-map INET_OUT permit 10
 match ip address LAN_IP
 match as-path 10
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 network 10.192.1.0 mask 255.255.255.0
 neighbor 10.1.1.1 remote-as 64512
 neighbor 10.1.1.1 route-map INET_OUT out
 neighbor 10.2.0.1 remote-as 64513
 neighbor 10.2.0.1 route-map INET_OUT out
 neighbor 192.168.0.254 remote-as 65001
 neighbor 192.168.0.254 next-hop-self
 no auto-summary

We are dual-homed here, so we need to prevent this AS from becoming a transit AS. We do this with our as-path ACL and route-map. The as-path ACL permits only prefixes originated in our local AS: it matches an empty AS path (^$), which is what the router sees for locally originated prefixes, while anything learned from either ISP already carries that ISP’s AS number and is dropped. The route-map INET_OUT then matches the LAN_IP ACL, which denies the LAN subnets because we don’t want those advertised to the Internet, and also matches the as-path ACL; both conditions must be true for a prefix to be advertised. The rest of the BGP config is pretty standard: we configure our neighbors and apply the route-map outbound on the Internet1 and Internet2 neighbors. Let’s verify everything with some show commands:
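To reason about the outbound policy before trusting the show commands, here is an added Python model of the INET_OUT route-map (example code written for this post, not the router's own logic). It assumes the IOS semantics described above: a standard ACL used in match ip address tests the route's network address, the two match statements in one route-map clause are ANDed, and both ACL types end with an implicit deny.

```python
import ipaddress
import re

# Constructed copy of the NewYork-I policy from the post (not router code).
# Standard ACL LAN_IP as ordered (action, network, wildcard) entries.
LAN_IP = [
    ("deny", "192.168.1.0", "0.0.0.255"),
    ("deny", "192.168.5.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),   # permit any
]
# ip as-path access-list 10 permit ^$  (empty path = locally originated)
AS_PATH_ACL_10 = [("permit", r"^$")]

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard test: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & mask) == (n & mask)

def std_acl_permits(acl, prefix: str) -> bool:
    """Standard ACL on a route matches the network address; implicit deny."""
    addr = str(ipaddress.ip_network(prefix, strict=False).network_address)
    for action, net, wc in acl:
        if wildcard_match(addr, net, wc):
            return action == "permit"
    return False

def as_path_acl_permits(acl, as_path: str) -> bool:
    """as-path access-list: first regex hit decides; implicit deny."""
    for action, pattern in acl:
        if re.search(pattern, as_path):
            return action == "permit"
    return False

def inet_out_permits(prefix: str, as_path: str) -> bool:
    """route-map INET_OUT permit 10: both matches must hold, else denied."""
    return (std_acl_permits(LAN_IP, prefix)
            and as_path_acl_permits(AS_PATH_ACL_10, as_path))

def advertised(routes):
    """Prefixes NewYork-I would announce to Internet1 and Internet2."""
    return [p for p, path in routes if inet_out_permits(p, path)]

# Constructed BGP table: (prefix, AS path as seen before our own AS is prepended)
SAMPLE_TABLE = [
    ("10.192.1.0/24", ""),             # DMZ, from the 'network' statement
    ("192.168.1.0/24", ""),            # LAN, must never reach the Internet
    ("10.128.0.0/24", "64512"),        # learned from Internet1; no transit
    ("10.129.0.0/24", "64513 64512"),  # learned via Internet2; no transit
]
```

Running advertised(SAMPLE_TABLE) leaves only the DMZ prefix, matching the Internet1 and Internet2 BGP tables shown below.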

Chicago-M#ping 10.128.0.1 source 192.168.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.128.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/40/96 ms
 
Chicago-M#ping 10.129.0.1 source 192.168.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.129.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/31/56 ms

We can ping the internet from our LAN subnet on Chicago-M, so we know NAT is working properly.

Internet1#sh ip bgp neighbors 10.1.1.2 routes
BGP table version is 11, local router ID is 10.128.0.1
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.192.1.0/24    10.1.1.2                 0             0 65001 i
Total number of prefixes 1
 
Internet2#sh ip bgp neighbors 10.2.0.2 routes
BGP table version is 10, local router ID is 10.129.0.1
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.192.1.0/24    10.2.0.2                 0             0 65001 i
Total number of prefixes 1

We see only our DMZ on the internet routers, which is what we want.

That’s it for this one; part five will be coming soon. Here are the files needed for the lab:
The Dynagen/GNS3 .net file
The IP Address Allocations
The Visio Diagram for the Lab
(You will need to modify the .net file to reflect your own IOS and path values)

Colby

Colby Glass has been in IT since 2002. He is currently a Systems Engineer (presales) with a Cisco Gold partner and holds the CCNP R/S, CCNP DC, CCDP, CCIP, JNCIA-ER.
