BGP and NAT - The Cisco Learning Network.pdf

8/14/2019 BGP and NAT - The Cisco Learning Network.pdf

http://slidepdf.com/reader/full/bgp-and-nat-the-cisco-learning-networkpdf 1/9

/05/2012 BGP and NAT - The Cisco Learning Network

ps://learningnetwork.cisco.com/thread/13828

Login Register Contact Us/Help About Us Site Map Mobile View

Connect with us on: Search the Learning Network

Cisco Learning Home Careers Connections Certifications Learning Center Our Store

Cisco Learning Home > CCNP R&S Study Group > Discussions

Up to Discussions in CCNP R&S Study Group

This Question is Answered

5521 View s 12 Replies Latest reply: 25-May-2010 14:24 by Keith Barker - CCIE RS/Security , CISSP, CCSI Like

BGP and NAT

25-May-2010 07:57

For BGP you want to advertise the public addres s range. Also, for BGP to advertise a route, it has to be in the router's routing table. But

if you are using NAT, then the routes in the router's routing table will be the private prefixes, not the publ ic ones. So, do you just

configure a static route to the public prefix with an outgoing interface of null0? Wouldn't that cause packets to be dis carded before they

are translated since there wouldn't be any more specific routes in the table to the publ ic subnets of that public prefix? How do you

handle this?

Correct Answer by Keith Barker - CCIE RS/Security, CISSP, CCSI on May 25, 2010 2:24 PM

Thanks for sticking with me Kei th! Sorry, I don't mean to be a pest.

So you need to add a route to 128.1.64.0/18 in your edge router's routing table to get the BGP advertizement

you've configured to work. Odom mentions configuring a static route, as you've suggested, refering to null0 as

the outgoing interface, just to get that network in the routing table. But if you do that, would the router discard

an incoming packed destined for that network before translating the IP address and routing it to the 10.0.0.0/18

network? And if so, are there other options to accomplis h this?

Ok - New topology.

AS2 owns the network space of 128.1.64.0/18, and just for fun lets say that not a single PC or router really has an IP

address configured in that address space.

There is a device at 10.0.0.1/18, located somewhere to the left of R1 (actually, it is a loopback on R1). R2 is doing NAT for

anyone in the 10.0.0.0/18 network, and we have decided to give every device their own NAT address, and we will use our

entire available block for this.

ip nat pool MYPOOL 128.1.64.1 128.1.127.254 prefix-length 18

ip nat inside source list 1 pool MYPOOL

!

access-list 1 permit 10.0.0.0 0.0.63.255

!

On R2, we create the static route for our block of address es, and we add that into BGP.

router bgp 2

no synchronization

bgp log-neighbor-changes

network 128.1.64.0 mask 255.255.192.0

neighbor 23.0.0.3 remote-as 3

no auto-summary

!

ip route 128.1.64.0 255.255.192.0 Null0

!

Actions

Register / Login for more Actions

View print preview

More Like This

Three BGP doubts

Re: EBGP peering us ing

loopback interfaces without

using s tatic routes.

Re: Understanding BGP -

Questions

Re: Dynamic NAT not working

in my setup

Re: iBGP routes = preferred

over eBGP

View: Everyone

Bookmarked By (0)

No public bookmarks exist for

this content.

Legend

Correct Answers - 4 points

Helpful Answers - 2 points

Duane, CCNA

76 po sts since

18-Dec-2009

Languages:





Helpful Answers by Keith Barker - CCIE RS/Security, CISSP, CCSI, Keith Barker - CCIE RS/Security, CISSP, CCSI

See the answer in context

Then we telnet from the device who has the IP address of 10.0.0.1 (R1)

R1#telnet 23.0.0.3 /source-interface loopback 1

Trying 23.0.0.3 ... Open

R3#who

Line User Host(s) Idle Location

* 98 vty 0 idle 00:00:00 128.1.64.1

Interface User Mode Idle Peer Address

R3#

R3 sees the client as the NAT address of 128.1.64.1

The routing table of R3 looks like this : R3#show ip bgp

BGP table version is 2, local router ID is 3.3.3.3

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

r RIB-failure, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

*> 128.1.64.0/18 23.0.0.2 0 0 2 i

R3#show ip route bgp

128.1.0.0/18 is subnetted, 1 subnets

B 128.1.64.0 [20/0] via 23.0.0.2, 00:29:06

R3#

The NAT table on R2 looks like this:

R2#show ip nat trans

R2#show ip nat translations

Pro Inside global Inside local Outside local Outside global

tcp 128.1.64.1:48233 10.0.0.1:48233 23.0.0.3:23 23.0.0.3:23--- 128.1.64.1 10.0.0.1 --- ---

R2#

The routing table on R2 looks like this:

R2#show ip route | begin reso rt

Gateway of last resort is not set


O 1.1.1.1 [110/11] via 172.16.0.1, 00:32:48, FastEthernet0/0


C 2.2.2.0 is directly connected, Loopback0


C 23.0.0.0 is directly connected, FastEthernet0/1

C 172.16.0.0/16 is directly connected, FastEthernet0/0


S 128.1.64.0 is directly connected, Null0

O 9.0.0.0/8 [110/20] via 172.16.0.1, 00:32:48, FastEthernet0/0


O 10.0.0.1 [110/11] via 172.16.0.1, 00:32:48, FastEthernet0/0R2#

Here is the order of operations table for NAT, as well:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

When translating from global to local add resses , the NAT is done before the routing, and that would explain why the

packet isn't dropped.

This was a fun exercise.

If the question is answered, please indicate it. Otherwise, what questions do you have?

Best wishes,

Keith

Tags: bgp, nat, ccnp

1. 25-May-2010 09:03 (in response to Duane, CCNA)

Helpful Answer Re: BGP and NAT

For BGP you want to advertise the public address range. Also, for BGP to advertise a route, it

has to be in the router's routing table. But if you are us ing NAT, then the routes in the router's

routing table will be the private prefixes, not the public ones . So, do you jus t configure a static

route to the public prefix with an outgoing interface of null0? Wouldn't that cause packets to be

discarded before they are translated since there wouldn't be any more specific routes in the

Keith Barker - CCIE

RS/Security, CISSP,

CCSI

4,895 posts since

03-Jul-2009





table to the public subnets of that public prefix? How do you handle this?

Hello Duane -

When BGP advertises routes, it doesn 't have to advertise all the routes in the routing table. A BGP router

may have hundreds of private address network routes, but the administrator will no t configure those

private address networks to be advertised via a BGP, at leas t not on the Internet, (although advertising a

private network space is technically possible, and m ay be done in a private network).

R1 and R3 are BGP neighbors. R1, although it knows about and is connected to the 10.0.0.0/24 network,

is not advertising that network through BGP to R3. Because of the way R1 is configured, it is only sharing

the 78.52.33.0/24 network with R3.

R1#show ip route | begin resort








C 9.0.0.0/8 is directly connected, FastEthernet0/1 10.0.0.0/24 is subnetted, 1 subnets




R1#show ip bgp summary

BGP router identifier 1.1.1.1, local AS number 13

BGP table version is 4, main routing table version 4

1 network entries using 120 bytes of memory

1 path entries using 52 bytes of memory

2/1 BGP path/bestpath attribute entries using 248 bytes of memory

0 BGP route-map cache entries using 0 bytes of memory

0 BGP filter-list cache entries using 0 bytes of memory

Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory

BGP using 452 total bytes of memory

BGP activity 2/1 prefixes, 2/1 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

23.0.0.3 4 13 11 10 4 0 0 00:06:22 0

R1#

R1#show ip bgp






*> 78.52.33.0/24 0.0.0.0 0 32768 i

R1#

Here is R3 - Notice that the only route it got from R1, does n't include the private address space of 10.0.0.0

R3#show ip route | begin resort


1.0.0.0/32 is subnetted, 1 subnetsO 1.1.1.1 [110/21] via 23.0.0.2, 00:08:18, FastEthernet0/1










78.0.0.0/8 is variably subnetted, 2 subnets, 2 masks


B 78.52.33.0/24 [200/0] via 10.0.0.1, 00:01:26
















10.0.0.1 4 13 11 12 4 0 0 00:07:03 1

R3#show ip bgp






*>i78.52.33.0/24 10.0.0.1 0 100 0 i

R3#












R1#

So from the Internet perspective, everyone reachable, needs to appear as a globally routable IP address .

What the customer does regarding NAT/PAT is hidden from the outside world.

Hope that helps a little,

Keith.

Report Abuse


Re: BGP and NAT

The way i would do it for example is if you had OSPF running, and the edge router is als o running BGP to

the ISP i would not advertise the publ ic address into the private network or the private into the public. I

would create a static route to the ISP and redistribute that route into OSPF. I think the null0 interface is used

when you are going to redistribute the private into the pub lic network. You create a null interface matching

your private network range and then you redistribute that into BGP.

Report Abuse

3. 25-May-2010 10:03 (in response to Keith Barker - CCIE RS/Security, CISSP, CCSI)

Re: BGP and NAT

First of all, thank you so much for taking the time to answer m y question in so m uch detail. So, the only route

in R1's routing table that references any part of the public address space is the IP of the loopback, and that is

the only route it is advertizing to R3 via BGP. But don't you need to advertize the whole public address space

allocated to R1 via BGP to the outside world, even thought the routes it has to it's LANs will be the private

prefixes and the public equivolents won't be in the routing table? Are you somehow configuring the IP of the

loopback to advertize the whole public address space, and overcoming the requirement for the route to be in

R1's routing table in order to be advertizable via BGP that way?

Report Abuse

4. 25-May-2010 10:23 (in response to mickey61)

Re: BGP and NAT

Hey Mickey,

I don't want to advertize the private IP space publically, I want to advertize my allocated public address space.

But if my router is performing NAT then all of it's connected LANs will be using the private IP addresses , so the

routes in it's routing table will reference the private subne ts, not their public equivolents. If a route has to be in

the routing table to be advertized via BGP, how do you get the public routes in the routing table (or public

summary route) so they can be advertized?

mickey61

73 posts since

03-Nov-2009

Duane, CCNA

76 posts since

18-Dec-2009

Duane, CCNA

76 posts since

18-Dec-2009





Report Abuse


Helpful Answer Re: BGP and NAT

So, the only route in R1's routing table that references any part of the public address space is

the IP of the loopback, and that is the only route it is advertizing to R3 via BGP.

But don't you need to advertize the whole public address space allocated to R1 via BGP to the

outside world, even thought the routes it has to it's LANs will be the private prefixes and thepublic equivolents won't be in the routing table?

Are you som ehow configuring the IP of the loopback to advertize the whole publ ic addres s

space, and overcoming the requirem ent for the route to be in R1's routing table in order to be

advertizable via BGP that way?

Let's say that on R1, the 78.52.33.0/24 network represents the globally reachable network block of

addresses that has been assigned to ACME Inc, who has the single BGP router R1. Lets also say that

R1 has m ultiple BGP neighbors, who are advertising their network address blocks as well.

When R1 sends BGP updates to its neighbors, it will advertise the 78.52.33.0/24 as reachable, as well as

other networks it has learned from other BGP neighbors. The best path to the networks advertised by our

BGP neighbors will be au tomatically placed in the routing table.

I modified the configuration, so that R1 only has a neighbor of R2, and R3 only has a neighbor of R2.

On R2, notice that the BGP advertised route from R1, shows up in the routing table.



B 78.52.33.0 [200/0] via 10.0.0.1, 00:10:00





1 path entries using 52 bytes of memory2/1 BGP path/bestpath attribute entries using 248 bytes of memory



Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory




10.0.0.1 4 13 23 22 4 0 0 00:12:07 1

23.0.0.3 4 13 16 17 4 0 0 00:13:47 0

R2#

R2#show ip bgp





Network Next Hop Metric LocPrf Weight Path*>i78.52.33.0/24 10.0.0.1 0 100 0 i

R2, will forward the network it learned from R1, to R3.



B 78.52.33.0 [200/0] via 10.0.0.1, 00:11:12







1 BGP rrinfo entries using 24 bytes of memory




Keith Barker - CCIE

RS/Security, CISSP,

CCSI

4,895 posts since

03-Jul-2009







23.0.0.2 4 13 16 15 2 0 0 00:12:58 1

R3#show ip bgp






*>i78.52.33.0/24 10.0.0.1 0 100 0 i

R3#

Now, when anyone on the planet tries to forward a packet to the network 78.52.33.0/24, that packet will be

forwarded to R1. For network 78.52.33.0/24, we have 254 host addresses, and behind each one of

those, R1 could be us ing PAT to hide thous ands of private IP addressed hosts.

The current version of IOS doesn't require a BGP route to also be learned by an IGP before being added to

the routing table. (the "no synchronization" comm and is set by defaul t with current IOS, caus ing this

default behavior).

Just the BGP learned routes in the routing table are pass ed on to other BGP routers, including any local

networks that we have specifically included via the network statement inside the BGP router configuration.

Does that help?

Keith

Report Abuse


Re: BGP and NAT

Hey Keith,

That sort of helps . I know R1 will advertize the routes it learns via BGP, but it also has to advertize it's

connected routes. Since R1 is performing NAT, those connected routes will be private subnets, and those are

the routes that will populate R1's routing table. However, we don't want to advertize those private subnets via

BGP, we want to use their public translations , which will NOT appear in R1's routing table and will therefore

not be advertizable. So how do we get the routes to the public subnets (or a sum mary route for the allocated

public address block) into the routing table so R1 can advertize that rather than the connected routes it actually

has in the table?

Report Abuse


Re: BGP and NAT

I know R1 will advertize the routes it learns via BGP, but it also has to advertize it's connected

routes.

R1 will not include ANY connected networks (routes ) by default. It is the network statement, inside of BGP

that is the selector of which connected networks are added. If R1 wanted to add a network that was not

directly connected, we could create a static route, and redistribute the static route into BGP to then

advertise it.

So in s hort, in the original example, R1 i s di rectly connected to the 10 network, but is not advertising that

route via BGP to anyone else.

Keith

Report Abuse


Re: BGP and NAT

OK, but if R1 is the edge router for an enterprise, and you want to advertize your publically allocated address

space to your BGP neighbors so you can be found on the i nternet, and all of your internal routes in your routing

table refer to private prefixes because you are performing NAT, how do you do it?

Report Abuse

Duane, CCNA

76 posts since

18-Dec-2009

Keith Barker - CCIE

RS/Security, CISSP,

CCSI

4,895 posts since

03-Jul-2009

Duane, CCNA

76 posts since

18-Dec-2009






Re: BGP and NAT

If all of your internal routes in your routing table refer to private prefixes because you are

performing NAT, how do you do it?

Quoted from the previous post:

" If R1 wanted to add a network that was not directly connected, we could create a static route, and

redis tribute the static route into BGP to then advertise it."

The static route would be for the network we want to redistribute into BGP, so it would then be advertised.

By adding the static route, it would also be in the routing table as well.

Keith.

Report Abuse


Re: BGP and NAT


OK, so let's say you have been all ocated the public IP address block 128.1.64.0/18 for your enterprise. Those

addresses are your NAT pool. You are assigning addresses from the private IP address block 10.0.0.0/18 to

your hosts. Your edge router is performing NAT. You want to advertize 128.1.64.0/18 to your edge router's

BGP neighbors, but no routes to that network exist in its routing table, because all of its routes to the internalenterprise network refer to NAT translations and list s ubnets of 10.0.0.0/18. When you configure the network

128.1.64.0 mask 255 .255.192.0 command for BGP, it won't be advertized, because no routes to that network

exist in the routing table.

So you need to add a route to 128.1.64.0/18 in your edge router's routing table to get the BGP advertizement

you've configured to work. Odom mentions configuring a static route, as you've suggested, refering to null0 as

the outgoing in terface, just to get that network in the routing table. But if you do that, would the router discard

an incoming packed destined for that network before translating the IP address and routing it to the

10.0.0.0/18 network? And if so, are there other options to accomplish this?

Report Abuse


Correct Answer Re: BGP and NAT


So you need to add a route to 128.1.64.0/18 in your edge router's routing table to get the BGP

advertizement you've configured to work. Odom mentions configuring a static route, as you've

sugges ted, refering to null0 as the outgoing interface, just to get that network in the routing

table. But if you do that, would the router discard an incoming packed destined for that network

before translating the IP address and routing it to the 10.0.0.0/18 network? And if so, are there

other options to accomplish this?

Ok - New topology.

AS2 owns the network space of 128.1.64.0/18, and just for fun lets say that not a sing le PC or router really

has an IP address configured in that address s pace.

There is a device at 10.0.0.1/18, located somewhere to the left of R1 (actually, it is a loopback on R1). R2

is doing NAT for anyone in the 10.0.0.0/18 network, and we have decided to give every device their own

NAT address, and we will us e our entire available block for this.

ip nat pool MYPOOL 128.1.64.1 128.1.127.254 prefix-length 18

ip nat inside source list 1 pool MYPOOL

!

Keith Barker - CCIE

RS/Security, CISSP,

CCSI

4,895 posts since

03-Jul-2009

Duane, CCNA

76 posts since

18-Dec-2009

Keith Barker - CCIE

RS/Security, CISSP,

CCSI

4,895 posts since

03-Jul-2009





access-list 1 permit 10.0.0.0 0.0.63.255

!

On R2, we create the static route for our block of addresses, and we add that into BGP.

router bgp 2

no synchronization

bgp log-neighbor-changes

network 128.1.64.0 mask 255.255.192.0

neighbor 23.0.0.3 remote-as 3

no auto-summary

!

ip route 128.1.64.0 255.255.192.0 Null0

!

Then we telnet from the device who has the IP address of 10.0.0.1 (R1) R1#telnet 23.0.0.3 /source-interface loopback 1

Trying 23.0.0.3 ... Open

R3#who

Line User Host(s) Idle Location

* 98 vty 0 idle 00:00:00 128.1.64.1

Interface User Mode Idle Peer Address

R3#

R3 sees the client as the NAT address of 128.1.64.1

The routing table of R3 looks like this:

R3#show ip bgp



r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incomplete


*> 128.1.64.0/18 23.0.0.2 0 0 2 i



B 128.1.64.0 [20/0] via 23.0.0.2, 00:29:06

R3#

The NAT table on R2 looks like this:

R2#show ip nat trans

R2#show ip nat translations

Pro Inside global Inside local Outside local Outside global

tcp 128.1.64.1:48233 10.0.0.1:48233 23.0.0.3:23 23.0.0.3:23

--- 128.1.64.1 10.0.0.1 --- ---

R2#

The routing table on R2 looks like this:

R2#show ip route | begin reso rt










S 128.1.64.0 is directly connected, Null0




R2#

Here is the order of operations table for NAT, as well:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml When translating from global to local add resses , the NAT is done before the routing, and that would

explain why the packet isn't dropped.

This was a fun exercise.

If the question is answered, please indicate it. Otherwise, what questions do you have?

Best wishes,

Keith

Report Abuse


Re: BGP and NAT




ps://learningnetwork cisco com/thread/13828

© 1992-2012 Cisco System s Inc. All rights r es erved. Terms & Condit ions Pr ivacy Statement Cookie Po licy Trademarks of Cisco Systems, Inc

NATting done before the routing. That answers it! Thanks for all your effort. I gave you the 2 helpfuls as wel l.

Report Abuse

Go to original post

Duane, CCNA

76 posts since

18-Dec-2009

BGP and NAT - The Cisco Learning Network.pdf

Documents

Transcript of BGP and NAT - The Cisco Learning Network.pdf