Enterprise Network on GNS3 - Part 6 - Edge Router and ISPs

This is the sixth article in the series discussing the configuration of an entire enterprise network. It explains the configuration of the edge router vIOS-EDGE-I and of the ISP routers. First, a few words about vIOS-EDGE-I. The router is a Cisco IOSv QEMU appliance, version 15.6(2)T, with 512 MB of RAM assigned by GNS3. It connects all three parts of the company network to the Internet: the campus network, the data center and the DMZ.

Picture 1 - Company Connection to the Internet via vIOS-EDGE-I

The company has been assigned the prefix 195.1.1.0/24. Devices located in the DMZ use the prefix 195.1.1.128/25, and the prefix 195.1.1.0/25 is reserved for devices hidden behind NAT. NAT is configured on vIOS-EDGE-I, translating the campus and data center subnets to the subnet 195.1.1.0/25. The router is connected to the upstream providers via its Ethernet ports Gi0/1 and Gi0/3. This is a single multihomed topology: the company is connected to two upstream providers through a single edge router. The entire prefix 195.1.1.0/24 is advertised to both ISPs via BGP, so when one ISP goes down, incoming traffic to 195.1.1.0/24 is not affected. Outgoing traffic from the edge router to the Internet is primarily sent to ISP1; if ISP1 goes down, traffic is sent via ISP2.

Routers ISP1 and ISP2 are Cisco 7206 routers emulated by Dynamips. They run IOS version 15.2(4)S4 and have 512 MB of RAM assigned by GNS3. Both routers are bridged through their interfaces Gi0/0 to the interface enp4s0f2 using the GNS3 cloud. The interface enp4s0f2 is the NIC in my laptop, which is connected to the SOHO router that connects the home network to the Internet. The routers ISP1 and ISP2 receive the IP addresses on their GigabitEthernet0/0 ports from the DHCP server running on the SOHO router. The DHCP server assigns addresses from the range 172.17.100.2/16 - 172.17.100.100/16 along with the default gateway 172.17.100.1.

Picture 2 - ISP1 Connection to SOHO Network Using GNS3 Cloud

Note: The configuration files are: vIOS-EDGE-I, ISP1 and ISP2.

1. Router vIOS-EDGE-I Configuration

Firstly, we change the hostname of the edge router.

Router> en
Router# conf t
Router(config)# hostname vIOS-EDGE-I

1.1 Create Local User and Set password to Privileged Exec Mode

Create a local user. Users accessing the edge router are not authenticated via RADIUS. The password cisco is a lab placeholder only; an Internet-facing router needs a strong, unique secret.

vIOS-EDGE-I(config)# username admin secret cisco

We will also set the password for privileged exec mode (again a lab placeholder).

vIOS-EDGE-I(config)# enable secret cisco

1.2 IP Addresses Configuration

vIOS-EDGE-I(config)# interface GigabitEthernet 0/0
vIOS-EDGE-I(config-if)# description Link to ASA-DMZ-I
vIOS-EDGE-I(config-if)# ip address 195.1.1.129 255.255.255.252
vIOS-EDGE-I(config-if)# no shutdown

vIOS-EDGE-I(config)# interface GigabitEthernet 0/2
vIOS-EDGE-I(config-if)# description Link to ASAv-I
vIOS-EDGE-I(config-if)# ip address 172.16.0.2 255.255.255.252
vIOS-EDGE-I(config-if)# no shutdown
vIOS-EDGE-I(config-if)# exit

vIOS-EDGE-I(config)# interface GigabitEthernet 0/1
vIOS-EDGE-I(config-if)# description Link to ISP1
vIOS-EDGE-I(config-if)# ip address 198.10.10.2 255.255.255.252
vIOS-EDGE-I(config-if)# no shutdown
vIOS-EDGE-I(config-if)# exit

vIOS-EDGE-I(config)# interface GigabitEthernet 0/3
vIOS-EDGE-I(config-if)# description Link to ISP2
vIOS-EDGE-I(config-if)# ip address 197.10.10.2 255.255.255.252
vIOS-EDGE-I(config-if)# no shutdown
vIOS-EDGE-I(config-if)# exit

vIOS-EDGE-I(config)# interface loopback 0
vIOS-EDGE-I(config-if)# description Management
vIOS-EDGE-I(config-if)# ip address 10.1.1.5 255.255.255.255
vIOS-EDGE-I(config-if)# no shutdown
vIOS-EDGE-I(config-if)# exit

1.3 Network Address Translation - NAT Configuration

Configure Port Address Translation (PAT) to translate all campus subnets and the data center subnet into the public address pool 195.1.1.0/25.

Standard access-list 1 selects the source subnets that are going to be translated. Sources that match no permit entry are forwarded untranslated, so every internal subnet that should reach the Internet must appear here.

vIOS-EDGE-I(config)# access-list 1 permit 192.168.10.0 0.0.0.255
vIOS-EDGE-I(config)# access-list 1 permit 192.168.20.0 0.0.0.255
vIOS-EDGE-I(config)# access-list 1 permit 192.168.30.0 0.0.0.255
vIOS-EDGE-I(config)# access-list 1 permit 192.168.40.0 0.0.0.255
vIOS-EDGE-I(config)# access-list 1 permit 10.0.0.0 0.0.0.255
vIOS-EDGE-I(config)# access-list 1 permit 10.1.1.0 0.0.0.255
vIOS-EDGE-I(config)# access-list 1 permit 172.16.0.0 0.0.0.255
vIOS-EDGE-I(config)# access-list 1 permit 172.16.50.0 0.0.0.255
vIOS-EDGE-I(config)# access-list 1 deny any

Define the NAT pool of inside global addresses.

vIOS-EDGE-I(config)# ip nat pool 1 195.1.1.1 195.1.1.127 netmask 255.255.255.128

Configure NAT Overload (Port Address Translation).

vIOS-EDGE-I(config)# ip nat inside source list 1 pool 1 overload

Define the inside and outside interfaces. Only Gi0/2 (toward ASAv-I) is an inside interface; the DMZ link Gi0/0 and both ISP links are outside, so DMZ hosts, which already have public addresses, are never translated.

vIOS-EDGE-I(config)# interface GigabitEthernet 0/0
vIOS-EDGE-I(config-if)# ip nat outside

vIOS-EDGE-I(config)# interface GigabitEthernet 0/1
vIOS-EDGE-I(config-if)# ip nat outside

vIOS-EDGE-I(config)# interface GigabitEthernet 0/2
vIOS-EDGE-I(config-if)# ip nat inside

vIOS-EDGE-I(config)# interface GigabitEthernet 0/3
vIOS-EDGE-I(config-if)# ip nat outside

Picture 3 - NAT Translation
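The NAT decision above depends on three things lining up: the packet enters an inside interface, leaves an outside interface, and its source matches a permit entry of access-list 1. The following Python model is an added example (not code from the article) that evaluates the page's ACL with Cisco wildcard semantics, applies a simplified PAT table (one global address, original port kept when free; real IOS allocation differs in detail), and then checks which address space covered by the inside static routes is never translated. The interface short names, the `Pat` class and the sample packets are assumptions constructed for the example.

```python
import ipaddress

# Added example, not from the article: a model of the edge router's inside-source
# NAT decision. ACL, pool and interface roles are copied from the page's
# configuration; the sample packets are constructed for the example.
ACL_1 = [
    ("permit", "192.168.10.0", "0.0.0.255"),
    ("permit", "192.168.20.0", "0.0.0.255"),
    ("permit", "192.168.30.0", "0.0.0.255"),
    ("permit", "192.168.40.0", "0.0.0.255"),
    ("permit", "10.0.0.0", "0.0.0.255"),
    ("permit", "10.1.1.0", "0.0.0.255"),
    ("permit", "172.16.0.0", "0.0.0.255"),
    ("permit", "172.16.50.0", "0.0.0.255"),
    ("deny", "0.0.0.0", "255.255.255.255"),      # deny any
]
POOL_FIRST = "195.1.1.1"                          # ip nat pool 1 195.1.1.1 195.1.1.127
NAT_ROLE = {"Gi0/0": "outside", "Gi0/1": "outside", "Gi0/2": "inside", "Gi0/3": "outside"}
INSIDE_ROUTES = ["172.16.0.0/16", "192.168.0.0/18", "10.0.0.0/8"]   # static routes via 172.16.0.1


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (n & care)


def acl_permits(acl, addr: str) -> bool:
    """First matching entry wins; an unmatched address hits the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return action == "permit"
    return False


class Pat:
    """Minimal PAT (overload) table: one global address, ports kept when free."""

    def __init__(self, global_addr: str = POOL_FIRST):
        self.global_addr = global_addr
        self.table = {}          # (inside_local, port) -> (inside_global, port)
        self.used_ports = set()
        self.next_port = 1024    # simplification: real IOS allocation differs in detail

    def _allocate_port(self, wanted: int) -> int:
        if wanted not in self.used_ports:
            return wanted
        while self.next_port in self.used_ports:
            self.next_port += 1
        return self.next_port

    def translate(self, src: str, sport: int, in_if: str, out_if: str):
        """Return (src, sport) as it leaves out_if; unchanged if no translation applies."""
        inside_to_outside = NAT_ROLE[in_if] == "inside" and NAT_ROLE[out_if] == "outside"
        if not (inside_to_outside and acl_permits(ACL_1, src)):
            return src, sport
        key = (src, sport)
        if key not in self.table:
            gport = self._allocate_port(sport)
            self.used_ports.add(gport)
            self.table[key] = (self.global_addr, gport)
        return self.table[key]


def untranslated_inside_space(routes=INSIDE_ROUTES, acl=ACL_1):
    """Address space routed back to the inside but never matched by a permit entry.
    Packets from such sources leave toward the ISP with a private source address."""
    permitted = [ipaddress.ip_network(f"{n}/{w}") for a, n, w in acl if a == "permit"]
    remaining = [ipaddress.ip_network(r) for r in routes]
    for p in permitted:
        nxt = []
        for r in remaining:
            if r.subnet_of(p):
                continue                          # fully translated
            if p.subnet_of(r):
                nxt.extend(r.address_exclude(p))  # carve the permitted block out
            else:
                nxt.append(r)
        remaining = nxt
    return sorted(remaining)


def leaks_private_source(src: str, in_if: str, out_if: str) -> bool:
    """True when an RFC 1918 source would be forwarded to an outside interface untranslated."""
    translated = Pat().translate(src, 40000, in_if, out_if)[0] != src
    return ipaddress.ip_address(src).is_private and NAT_ROLE[out_if] == "outside" and not translated


if __name__ == "__main__":
    pat = Pat()
    print(pat.translate("192.168.10.5", 40000, "Gi0/2", "Gi0/1"))   # campus -> ISP1: translated
    print(pat.translate("192.168.20.7", 40000, "Gi0/2", "Gi0/1"))   # same port in use: new port
    print(pat.translate("195.1.1.161", 53, "Gi0/0", "Gi0/1"))       # DMZ link is outside: untouched
    print(leaks_private_source("172.16.1.10", "Gi0/2", "Gi0/1"))    # routed inside, not in the ACL
    for net in untranslated_inside_space():
        print("not translated:", net)
```

The last check is the one worth running against any real NAT edge: the static routes summarize 172.16.0.0/16, 192.168.0.0/18 and 10.0.0.0/8, while the ACL permits only eight /24s inside them, so a host placed anywhere else in those summaries would reach the ISP with its private address. In this lab the summaries are deliberately broader than the subnets in use, so that is expected; in production the ACL and the inside routes should be kept in step.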

1.4 Static Routes Configuration

We need to configure static routes pointing back to the campus and data center networks hidden behind NAT; the next hop 172.16.0.1 is the inside firewall ASAv-I on the Gi0/2 link.

vIOS-EDGE-I(config)# ip route 172.16.0.0 255.255.0.0 172.16.0.1
vIOS-EDGE-I(config)# ip route 192.168.0.0 255.255.192.0 172.16.0.1
vIOS-EDGE-I(config)# ip route 10.0.0.0 255.0.0.0 172.16.0.1

We also need a static route pointing toward the DMZ via ASA-DMZ-I (195.1.1.130).

vIOS-EDGE-I(config)# ip route 195.1.1.128 255.255.255.128 195.1.1.130

1.5 eBGP Configuration

We need a static route for 195.1.1.0/24 pointing to the Null0 interface, so that the aggregate prefix exists in the routing table and can be advertised to ISP1 and ISP2 via BGP; the network command only injects a prefix that is present in the routing table. The null route also discards packets to unused addresses inside 195.1.1.0/24 instead of bouncing them between the edge router and the ISPs via the default route.

vIOS-EDGE-I(config)# ip route 195.1.1.0 255.255.255.0 null0

Our company has been assigned the AS number 64500. We need to define both neighbors: ISP1 - 198.10.10.1 (ASN 64501) and ISP2 - 197.10.10.1 (ASN 64502). We also configure BGP peer authentication to validate the BGP neighbors; the neighbor password command enables the TCP MD5 signature option (RFC 2385) on the session, so segments without a valid signature are dropped before BGP ever sees them. The password is isp1md5pass for ISP1 and isp2md5pass for ISP2. To make hijacking of the BGP session harder, we also use the ttl-security mechanism (GTSM, RFC 5082), which protects the eBGP session against CPU exhaustion from forged packets because the cheap TTL check is done before the MD5 computation. The ttl-security hops parameter defines the number of hops between vIOS-EDGE-I and its BGP neighbor. In our case the hop count is 1, since the neighbors are directly connected to the edge router; the minimum accepted TTL is then 254 (255 minus 1). The edge router accepts BGP packets only if the TTL value is 254 or greater. For instance, if the neighbor were two hops away we would set ttl-security hops 2 and the accepted TTL would be 253 or greater; the edge router would then accept the BGP session from a neighbor that is at most two hops away. Because a sender cannot start with a TTL higher than 255, a remote attacker cannot make its packets appear closer than they really are. Note that ttl-security and ebgp-multihop are mutually exclusive on the same neighbor.

Note: The number of hops between vIOS-EDGE-I and its BGP neighbors can be easily found with the traceroute command.
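To make the two checks concrete, here is an added Python model (not code from the article) of what the receiving router does with an incoming BGP segment: first the GTSM test on the TTL, then the RFC 2385 signature over the pseudo-header, the fixed TCP header with a zero checksum, the payload and the key. The peering addresses and key are the page's; the TCP fields, the BGP OPEN message, the `admit_segment` and `make_segment` helpers and the attacker scenarios are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Added example, not from the article: a model of the two admission checks the
# page configures on the eBGP sessions. Peering addresses are the page's /30s;
# the TCP fields, BGP OPEN message and attacker scenarios are constructed.


def gtsm_accepts(incoming_ttl: int, hops: int) -> bool:
    """ttl-security hops N (RFC 5082, GTSM): accept only if incoming TTL >= 255 - N."""
    return incoming_ttl >= 255 - hops


def arriving_ttl(routers_in_path: int, initial_ttl: int = 255) -> int:
    """TTL seen by the receiver after the packet crossed the given number of routers.
    255 is the largest value an 8-bit TTL can start with, so a remote attacker
    cannot make a packet look closer than it is."""
    return max(initial_ttl - routers_in_path, 0)


def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                   payload: bytes, key: bytes, options_len: int = 20) -> bytes:
    """RFC 2385 TCP MD5 signature (what 'neighbor ... password' turns on).
    MD5 over: IPv4 pseudo-header, the fixed 20-byte TCP header with checksum
    zeroed (options excluded, but the data offset still counts them), segment
    data, and finally the shared key."""
    tcp_len = 20 + options_len + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, tcp_len))
    data_offset = ((20 + options_len) // 4) << 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset, flags, window, 0, 0)
    return hashlib.md5(pseudo + header + payload + key).digest()


def bgp_open(my_as: int, bgp_id: str, hold_time: int = 180) -> bytes:
    """Minimal BGP OPEN message (marker, length, type, version, AS, hold, ID, no options)."""
    body = struct.pack("!BHHIB", 4, my_as, hold_time, int(ipaddress.IPv4Address(bgp_id)), 0)
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 1) + body


def admit_segment(seg: dict, key: bytes, hops: int):
    """Order matters: the TTL check is cheap and runs before the MD5 computation,
    which is what keeps forged packets from burning CPU on the digest."""
    if not gtsm_accepts(seg["ttl"], hops):
        return False, "ttl"
    expected = tcp_md5_digest(seg["src"], seg["dst"], seg["sport"], seg["dport"],
                              seg["seq"], seg["ack"], seg["flags"], seg["window"],
                              seg["payload"], key)
    if not hmac.compare_digest(expected, seg["md5_option"]):
        return False, "md5"
    return True, "accepted"


def make_segment(src, dst, key: bytes, routers_in_path: int, payload: bytes) -> dict:
    """Build a signed segment as the sender would, then age its TTL across the path."""
    fields = dict(src=src, dst=dst, sport=179, dport=20123, seq=1000, ack=2000,
                  flags=0x18, window=16384, payload=payload)   # PSH|ACK
    fields["md5_option"] = tcp_md5_digest(src, dst, fields["sport"], fields["dport"],
                                          fields["seq"], fields["ack"], fields["flags"],
                                          fields["window"], payload, key)
    fields["ttl"] = arriving_ttl(routers_in_path)
    return fields


KEY = b"isp1md5pass"
OPEN = bgp_open(64501, "198.10.10.1")

if __name__ == "__main__":
    # ISP1 on the directly connected /30: no router in between, TTL stays 255.
    print(admit_segment(make_segment("198.10.10.1", "198.10.10.2", KEY, 0, OPEN), KEY, 1))
    # Attacker three routers away spoofing ISP1's address, even with the right key.
    print(admit_segment(make_segment("198.10.10.1", "198.10.10.2", KEY, 3, OPEN), KEY, 1))
    # Attacker on the same segment but without the key.
    print(admit_segment(make_segment("198.10.10.1", "198.10.10.2", b"guess", 0, OPEN), KEY, 1))
```

The two controls cover different attackers: GTSM stops anything that is not on or next to the peering link, whatever it knows; the MD5 signature stops an on-link attacker who does not hold the key. Neither encrypts the session, and MD5 is the only signature option IOS 15.x offers for BGP here, so the key should be long and rotated with the ISP.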

vIOS-EDGE-I(config)# router bgp 64500
vIOS-EDGE-I(config-router)# neighbor 198.10.10.1 remote-as 64501
vIOS-EDGE-I(config-router)# neighbor 198.10.10.1 password isp1md5pass
vIOS-EDGE-I(config-router)# neighbor 197.10.10.1 remote-as 64502
vIOS-EDGE-I(config-router)# neighbor 197.10.10.1 password isp2md5pass
vIOS-EDGE-I(config-router)# network 195.1.1.0 mask 255.255.255.0
vIOS-EDGE-I(config-router)# neighbor isp-group peer-group
vIOS-EDGE-I(config-router)# neighbor isp-group ttl-security hops 1
vIOS-EDGE-I(config-router)# neighbor isp-group filter-list 10 out
vIOS-EDGE-I(config-router)# neighbor 198.10.10.1 peer-group isp-group
vIOS-EDGE-I(config-router)# neighbor 198.10.10.1 route-map setlocalin in
vIOS-EDGE-I(config-router)# neighbor 197.10.10.1 peer-group isp-group

The prefix 195.1.1.0/24 is announced to the ISP1 and ISP2 peers with the network command. To prevent becoming a transit AS, advertisements received from ISP1 are not advertised to ISP2 and vice versa. Only the local prefix 195.1.1.0/24, originated on the edge router vIOS-EDGE-I, is advertised to the peers. The BGP AS path filter 10 contains the regular expression ^$, which matches only an empty AS_PATH attribute, i.e. prefixes originated in our own AS. The AS path filter 10 is then applied to outgoing routes for the peer group isp-group, which includes both BGP neighbors 198.10.10.1 and 197.10.10.1.

Note: The ASN 64500 is added to the AS_PATH attribute after the filter is applied.

vIOS-EDGE-I(config)# ip as-path access-list 10 permit ^$

To verify that AS 64500 is not a transit AS, we inspect the BGP table of ISP1. Apart from the prefix 195.1.1.0/24 from ASN 64500, it should contain no prefixes received from the edge router via BGP UPDATE messages.

Picture 4 - Inspecting BGP Table of ISP1

As already mentioned, ISP1 is the preferred gateway to the Internet. For this reason we set local preference 150 for prefixes received from the neighbor 198.10.10.1 (ISP1). Prefixes received from the neighbor 197.10.10.1 (ISP2) keep the default local preference of 100, so the ISP1 paths are preferred and outgoing traffic is forwarded via ISP1.

vIOS-EDGE-I(config)# route-map setlocalin permit 10
vIOS-EDGE-I(config-route-map)# set local-preference 150

Note: The route-map setlocalin is applied to routes received from the neighbor 198.10.10.1 (inbound direction).

The BGP table of vIOS-EDGE-I is shown in Picture 5. The prefix 0.0.0.0 is received both from the neighbor 197.10.10.1 (AS 64502) and from the neighbor 198.10.10.1 (AS 64501). The path via 198.10.10.1 is preferred because the local preference is 150 for all prefixes received from this neighbor, so the route 0.0.0.0 with the next hop 198.10.10.1 is installed into the routing table of vIOS-EDGE-I.

Picture 5 - Inspecting BGP Table of vIOS-EDGE-I

The routes received via BGP and installed in the routing table of vIOS-EDGE-I are shown in Picture 6.

Picture 6 - Inspecting BGP Routes Installed Into Routing Table of vIOS-EDGE-I
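The three policy pieces on the edge router (the ^$ filter-list outbound, the setlocalin route-map inbound, and best-path selection between the two default routes) interact in a way that is easy to get wrong, in particular the order in which the outbound filter sees the AS_PATH relative to the prepending of the local AS. The following Python model is an added example (not code from the article); the table contents mirror Pictures 4 and 5, and the `Path` class, `withdraw_peer` and the simplified best-path tie-breakers are assumptions constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example, not from the article: a small model of the edge router's BGP
# policy as the page configures it (filter-list 10 '^$' outbound to the
# isp-group, route-map setlocalin inbound from ISP1, default local-pref 100).
# The table contents are constructed to mirror Pictures 4 and 5.

LOCAL_AS = 64500
FILTER_LIST_10 = re.compile(r"^$")          # ip as-path access-list 10 permit ^$
INBOUND_LOCAL_PREF = {"198.10.10.1": 150}   # route-map setlocalin applied to ISP1 only


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str
    as_path: tuple
    local_pref: int = 100
    learned_from: str = "local"   # "local" for the network statement, else the peer


def as_path_text(as_path) -> str:
    """AS_PATH as IOS shows it and as the regex sees it: empty for locally originated."""
    return " ".join(str(asn) for asn in as_path)


def receive_update(table, peer, prefix, as_path):
    """Inbound policy: the route-map sets local-preference for ISP1, others keep 100."""
    table.append(Path(prefix, peer, tuple(as_path), INBOUND_LOCAL_PREF.get(peer, 100), peer))


def best_path(table, prefix):
    """Enough of the IOS best-path algorithm for this topology: highest local-pref,
    then shortest AS_PATH, then lowest neighbor address."""
    candidates = [p for p in table if p.prefix == prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda p: (-p.local_pref, len(p.as_path),
                                          int(ipaddress.IPv4Address(p.next_hop))))


def advertise_to(table, peer, as_path_filter=FILTER_LIST_10):
    """Outbound policy: the filter-list is matched against the AS_PATH as stored in
    the table, *before* the local AS is prepended for the wire. Returns what the
    peer would receive as (prefix, as_path)."""
    sent = []
    for prefix in sorted({p.prefix for p in table}):
        best = best_path(table, prefix)
        if as_path_filter is not None and not as_path_filter.search(as_path_text(best.as_path)):
            continue
        sent.append((prefix, (LOCAL_AS,) + best.as_path))
    return sent


def withdraw_peer(table, peer):
    """Simulate the peer going down: every path learned from it is withdrawn."""
    return [p for p in table if p.learned_from != peer]


def build_edge_table():
    table = [Path("195.1.1.0/24", "0.0.0.0", (), 100, "local")]   # network 195.1.1.0 mask ...
    receive_update(table, "198.10.10.1", "0.0.0.0/0", [64501])    # default from ISP1
    receive_update(table, "197.10.10.1", "0.0.0.0/0", [64502])    # default from ISP2
    return table


if __name__ == "__main__":
    table = build_edge_table()
    print("best default via", best_path(table, "0.0.0.0/0").next_hop)
    print("to ISP2 with filter   :", advertise_to(table, "197.10.10.1"))
    print("to ISP2 without filter:", advertise_to(table, "197.10.10.1", as_path_filter=None))
    print("ISP1 down, default via",
          best_path(withdraw_peer(table, "198.10.10.1"), "0.0.0.0/0").next_hop)
```

Running it without the filter shows the transit case the page is guarding against: ISP2 would receive 0.0.0.0/0 with AS_PATH 64500 64501 and could route traffic through the company. With the filter, each ISP receives exactly one prefix, 195.1.1.0/24 with AS_PATH 64500, which is what Picture 4 shows on ISP1.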

1.6 NTP Configuration

vIOS-EDGE-I(config)# ntp server 172.16.50.1
vIOS-EDGE-I(config)# clock timezone UTC+2 +2
vIOS-EDGE-I(config)# ntp source loopback 0

Picture 7 - Checking NTP Synchronization

1.7 Logging Configuration

vIOS-EDGE-I(config)# logging trap notifications
vIOS-EDGE-I(config)# logging host 172.16.50.1
vIOS-EDGE-I(config)# logging source-interface loopback 0

1.8 DNS Client Configuration

vIOS-EDGE-I(config)# ip name-server 195.1.1.161
vIOS-EDGE-I(config)# ip domain-lookup

To check that the company DNS server 195.1.1.161 located in the DMZ is working, we ping the domain cisco.hu. The domain name is resolved to the IP address 72.163.4.154.

Picture 8 - Checking Company DNS Server Located in DMZ

1.9 SSH Access and VTY Access-list Configuration

In order to manage vIOS-EDGE-I remotely we configure the router for SSH access. The RSA key pair requires a hostname and a domain name to be set first; SSH version 2 only is enabled once the key pair exists, and the VTY lines accept SSH only (no Telnet).

vIOS-EDGE-I(config)# ip domain name companyXYZ.sk
vIOS-EDGE-I(config)# crypto key generate rsa modulus 4096
vIOS-EDGE-I(config)# ip ssh version 2

vIOS-EDGE-I(config)# line vty 0 924
vIOS-EDGE-I(config-line)# login local
vIOS-EDGE-I(config-line)# transport input ssh

We certainly do not want to expose VTY access to vIOS-EDGE-I to the entire world. For this reason we create a named standard access-list ssh-access that permits login to the VTY lines from the management subnet 192.168.40.0/24 only.

vIOS-EDGE-I(config)# ip access-list standard ssh-access
vIOS-EDGE-I(config-std-nacl)# permit 192.168.40.0 0.0.0.255
vIOS-EDGE-I(config-std-nacl)# deny any

Afterwards we apply the access-list ssh-access to the VTY lines in the inbound direction.

vIOS-EDGE-I(config)# line vty 0 924
vIOS-EDGE-I(config-line)# access-class ssh-access in

2. ISP1 Router Configuration

To simulate a service provider's router, we deploy a basic configuration on the ISP1 router that connects the company network to the Internet.

2.1 IP Address Configuration

The interface GigabitEthernet0/0 connects the router ISP1 to the GNS3 cloud. The IP address on this interface is obtained from the DHCP server running on the SOHO router.

ISP1(config)# interface GigabitEthernet 0/0
ISP1(config-if)# description Link to Simulated Internet
ISP1(config-if)# ip address dhcp
ISP1(config-if)# ip nat outside
ISP1(config-if)# no shutdown

ISP1(config)# interface gigabitEthernet 1/0
ISP1(config-if)# description Link to Company Inc.
ISP1(config-if)# ip address 198.10.10.1 255.255.255.252
ISP1(config-if)# ip nat inside
ISP1(config-if)# no shutdown

As we can see in Picture 9, the IP address received from the DHCP server is 172.17.100.5/16.

Picture 9 - Checking the IP Address from DHCP server with IP address 172.17.100.1

2.2 eBGP Configuration

The company has an agreement with ISP1 that the ISP advertises only the prefix 0.0.0.0 (a static default route) toward the vIOS-EDGE-I router (198.10.10.2). No other prefixes are advertised toward the enterprise router. To fulfill this requirement, the ISP creates a prefix-list static_default on its router that permits the prefix 0.0.0.0/0 and nothing else.

ISP1(config)# ip prefix-list static_default permit 0.0.0.0/0

The prefix-list static_default is referenced by the route-map static_default.

ISP1(config)# route-map static_default permit 10
ISP1(config-route-map)# match ip address prefix-list static_default

The route-map is then applied to the neighbor 198.10.10.2 for outgoing routes.

ISP1(config)# router bgp 64501
ISP1(config-router)# neighbor 198.10.10.2 remote-as 64500
ISP1(config-router)# neighbor 198.10.10.2 ttl-security hops 1
ISP1(config-router)# neighbor 198.10.10.2 password isp1md5pass
ISP1(config-router)# neighbor 198.10.10.2 route-map static_default out
ISP1(config-router)# network 0.0.0.0 mask 0.0.0.0

Note: We do not need a static default route pointing to a null interface because a default route already exists in the ISP1 routing table; it is installed from the default gateway handed out by the DHCP server 172.17.100.1.

Picture 10 - Routing Table of ISP1 Router
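A prefix-list entry without ge or le matches only a prefix of exactly the given length, which is why `permit 0.0.0.0/0` lets the default route through and nothing else; the frequent mistake `permit 0.0.0.0/0 le 32` matches every prefix and would turn this deliberately limited feed into a full-table leak. The following Python model is an added example (not code from the article) that evaluates prefix-list entries with the IOS ge/le rules against a BGP table; the two transit prefixes in `ISP1_TABLE` and the `LEAKY_DEFAULT` list are constructed for the example.

```python
import ipaddress

# Added example, not from the article: how IOS evaluates the prefix-list used in
# ISP1's route-map static_default, and what changes if ge/le qualifiers are added.
# The extra prefixes in ISP1_TABLE are constructed for the example.


def parse_entry(entry: str):
    """Parse 'permit|deny A.B.C.D/L [ge X] [le Y]' into (action, network, lo, hi).
    IOS semantics: no qualifier = exact length L; ge alone = [ge, 32];
    le alone = [L, le]; both = [ge, le]."""
    tokens = entry.split()
    action, network = tokens[0], ipaddress.ip_network(tokens[1], strict=False)
    ge = le = None
    for i in range(2, len(tokens) - 1, 2):
        if tokens[i] == "ge":
            ge = int(tokens[i + 1])
        elif tokens[i] == "le":
            le = int(tokens[i + 1])
    lo = ge if ge is not None else network.prefixlen
    hi = le if le is not None else (32 if ge is not None else network.prefixlen)
    return action, network, lo, hi


def entry_matches(parsed, candidate: str) -> bool:
    """The candidate's first L bits must equal the entry's, and its length must fall in [lo, hi]."""
    action, network, lo, hi = parsed
    cand = ipaddress.ip_network(candidate)
    return cand.subnet_of(network) and lo <= cand.prefixlen <= hi


def prefix_list_permits(entries, candidate: str) -> bool:
    """First matching entry decides; an unmatched prefix hits the implicit deny."""
    for entry in entries:
        parsed = parse_entry(entry)
        if entry_matches(parsed, candidate):
            return parsed[0] == "permit"
    return False


def routes_sent(prefix_list, bgp_table):
    """What route-map static_default lets through toward 198.10.10.2."""
    return [prefix for prefix in bgp_table if prefix_list_permits(prefix_list, prefix)]


# ISP1's table: the default from 'network 0.0.0.0 mask 0.0.0.0', the customer
# prefix learned from AS 64500, and two constructed transit prefixes.
ISP1_TABLE = ["0.0.0.0/0", "195.1.1.0/24", "203.0.113.0/24", "198.51.100.0/25"]
STATIC_DEFAULT = ["permit 0.0.0.0/0"]           # the page's prefix-list: exact match only
LEAKY_DEFAULT = ["permit 0.0.0.0/0 le 32"]      # common mistake: matches every prefix

if __name__ == "__main__":
    print(routes_sent(STATIC_DEFAULT, ISP1_TABLE))   # ['0.0.0.0/0']
    print(routes_sent(LEAKY_DEFAULT, ISP1_TABLE))    # the whole table
```

The same evaluator is useful on the customer side: an inbound prefix-list on vIOS-EDGE-I that permits only 0.0.0.0/0 would protect the edge router from a full table even if the ISP's outbound policy were misconfigured.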

2.3 NAT Configuration

We need to translate the entire subnet 195.1.1.0/24 and the subnet 198.10.10.0/30 to the IP address received from the DHCP server on interface GigabitEthernet0/0 of ISP1, in our case 172.17.100.5.

ISP1(config)# ip access-list standard 1
ISP1(config-std-nacl)# permit 195.1.1.0 0.0.0.255
ISP1(config-std-nacl)# permit 198.10.10.0 0.0.0.3
ISP1(config-std-nacl)# deny any

Finally, we configure PAT on the interface GigabitEthernet 0/0.

ISP1(config)# ip nat inside source list 1 interface GigabitEthernet 0/0 overload

2.4 DNS Configuration

We configure the ISP1 router to use the Google public DNS servers 8.8.8.8 and 8.8.4.4.

ISP1(config)# ip domain-lookup
ISP1(config)# ip name-server 8.8.8.8 8.8.4.4

2.5 Testing Connectivity

As the last step, we test IPv4 connectivity from the host 192.168.40.1 to the Internet with the ping command.

Picture 11 - Testing Connectivity to the Internet with ICMP ECHO Request

We can also let the host 192.168.30.1 download the file index.html from the web server cisco.com with the wget command.

Picture 12 - Downloading File from Web Server in the Internet

3. ISP2 Router Configuration

Configuration of the router ISP2 is similar to the configuration of the ISP1. For this reason we only share the configuration file of ISP2. The IP address assigned from the DHCP server to the interface GigabitEthernet0/0 of ISP2 is 172.17.100.7/16.  Below is the BGP table of ISP2.

Picture 13 - BGP Table of Router ISP2

We test connectivity from the management PC4 (192.168.40.1) to the Internet with ISP1 down. Shut down the ISP1 router and inspect the BGP peers on vIOS-EDGE-I. The neighbor 198.10.10.1 (ISP1) is in the Active state, which means that the edge router is actively trying to open a TCP session to the neighbor without success. We also see that a single prefix is received from the neighbor 197.10.10.1 (ISP2).

Picture 14 - BGP Neighbors on vIOS-EDGE-I Router

Below is the BGP table of the router vIOS-EDGE-I.

Picture 15 - BGP Table  of Router vIOS-EDGE-I

Now issue the ping command on PC4 to cisco.hu. Traffic is forwarded from vIOS-EDGE-I to the ISP2 router and from there via the SOHO router to the Internet.

Picture 16 - Testing Connectivity to the Internet from PC4
