Lab 8-3: CONFIGURING BGP WITH NAT

Description

In this lab you configure BGP together with NAT. The network of company XYZ in Sài Gòn, in AS 64512, uses OSPF to route between the internal routers SaiGon1 and SaiGon2. The ISP connects to SaiGon1 using eBGP, and SaiGon1 performs NAT on traffic before it goes to the ISP.

Procedure

Connect the network according to the diagram. Configure the hostnames and the IP addresses of the serial and loopback interfaces as shown in the diagram. Do not configure any routing protocol yet. Verify direct connectivity with ping and show cdp neighbor.

Configure OSPF on routers SaiGon1 and SaiGon2:

    SaiGon1(config)#router ospf
    SaiGon1(config-router)#network 172.16.1.1 0.0.0.0 area
    SaiGon1(config-router)#network 172.16.64.1 0.0.0.0 area

    SaiGon2(config)#router ospf
    SaiGon2(config-router)#network 172.16.1.2 0.0.0.0 area
    SaiGon2(config-router)#network 172.16.32.1 0.0.0.0 area

Verify connectivity between SaiGon1 and SaiGon2 with show ip ospf neighbor and show ip ospf interface:

    SaiGon1#show ip ospf neighbor
    Neighbor ID     Pri   State     Dead Time   Address      Interface
    172.16.32.1           FULL/ -   00:00:30    172.16.1.2   Serial0/1

    SaiGon1#show ip ospf interface serial 0/1
    Serial0/1 is up, line protocol is up
      Internet Address 172.16.1.1/24, Area Process ID 1, Router ID 172.16.64.1, Network Type POINT_TO_POINT, Cost: 64
      Transmit Delay is sec, State POINT_TO_POINT,
      Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit
        Hello due in 00:00:09
      Neighbor Count is 1, Adjacent neighbor count is
        Adjacent with neighbor 172.16.32.1
      Suppress hello for neighbor(s)

Configure eBGP between the ISP and SaiGon1:

    SaiGon1(config)#router bgp 64512
    SaiGon1(config-router)#neighbor 192.168.1.5 remote-as 200

    ISP(config)#router bgp 200
    ISP(config-router)#network 210.210.210.0 mask 255.255.255.0
    ISP(config-router)#neighbor 192.168.1.6 remote-as 64512

Note that SaiGon1 does not advertise any network inside its AS to the ISP (there is no network statement).

Verify the BGP connection between SaiGon1 and the ISP. Use clear ip bgp * to reset the existing BGP sessions on router SaiGon1, then use show ip bgp to check:

    SaiGon1#show ip bgp
       Network          Next Hop         Metric LocPrf Weight Path
    *> 210.210.210.0    192.168.1.5      0 200 i

    SaiGon1#show ip bgp summary
    Neighbor      V  AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down  State/PfxRcd
    192.168.1.5   200 33 27 0 00:06:36

Check the routing table on router SaiGon1:

    SaiGon1#show ip route
    Gateway of last resort is not set
    B    210.210.210.0/24 [20/0] via 192.168.1.5, 00:07:12
         172.16.0.0/16 is variably subnetted, subnets, masks
    O       172.16.32.1/32 [110/65] via 172.16.1.2, 00:07:44, Serial0/1
    C       172.16.1.0/24 is directly connected, Serial0/1
    C       172.16.64.0/24 is directly connected, Loopback0
         192.168.1.0/30 is subnetted, subnets
    C       192.168.1.4 is directly connected, Serial0/0

On SaiGon1, use an extended ping to 210.210.210.1 with source address 172.16.64.1. The ping fails: the packets from SaiGon1 reach the ISP, but the ISP has no route back to network 172.16.64.0.

    SaiGon1#ping
    Protocol [ip]:
    Target IP address: 210.210.210.1
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 172.16.64.1
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort
    Sending 5, 100-byte ICMP Echos to 210.210.210.1, timeout is seconds:
    Success rate is percent (0/5)

Configure NAT on SaiGon1 to translate the private addresses in 172.16.0.0 into public addresses when traffic goes out to the Internet (to the ISP):

    SaiGon1(config)#interface s0/0
    SaiGon1(config-if)#ip nat outside
    SaiGon1(config-if)#interface lo0
    SaiGon1(config-if)#ip nat inside
    SaiGon1(config-if)#interface s0/1
    SaiGon1(config-if)#ip nat inside

Configure the NAT pool and the NAT translation on SaiGon1:

    SaiGon1(config)#access-list permit 172.16.0.0 0.0.255.255
    SaiGon1(config)#ip nat pool NAT_POOL 66.122.33.98 66.122.33.126 netmask 255.255.255.224
    SaiGon1(config)#ip nat inside source list pool NAT_POOL overload

Here the public address range 66.122.33.96/27 is used for hosts going out to the Internet.

Add network 66.122.33.96/27 to BGP:

    SaiGon1(config)#router bgp 64512
    SaiGon1(config-router)#network 66.122.33.96 mask 255.255.255.224

Interface loopback100 with IP address 66.122.33.97 is used so that BGP advertises network 66.122.33.96/27 (BGP advertises a network statement only when a matching route exists in the routing table):

    SaiGon1(config)#interface lo100
    SaiGon1(config-if)#ip address 66.122.33.97 255.255.255.224

Verify the BGP configuration:

    SaiGon1#show ip bgp
       Network          Next Hop         Metric LocPrf Weight Path
    *> 66.122.33.96/27  0.0.0.0          32768 i
    *> 210.210.210.0    192.168.1.5      0 200 i

Use an extended ping to 210.210.210.1 from the private address 172.16.64.1 on SaiGon1:

    SaiGon1#ping
    Protocol [ip]:
    Target IP address: 210.210.210.1
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 172.16.64.1
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort
    Sending 5, 100-byte ICMP Echos to 210.210.210.1, timeout is seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms

From SaiGon2, try pinging 210.210.210.1:

    SaiGon2#debug ip packet
    SaiGon2#ping 210.210.210.1
    Sending 5, 100-byte ICMP Echos to 210.210.210.1, timeout is seconds:
    Success rate is percent (0/5)
    01:44:13: IP: s=172.16.32.1 (local), d=210.210.210.1, len 100, unroutable
    01:44:15: IP: s=172.16.32.1 (local), d=210.210.210.1, len 100, unroutable
    01:44:17: IP: s=172.16.32.1 (local), d=210.210.210.1, len 100, unroutable
    01:44:19: IP: s=172.16.32.1 (local), d=210.210.210.1, len 100, unroutable
    01:44:21: IP: s=172.16.32.1 (local), d=210.210.210.1, len 100, unroutable

Router SaiGon2 has no information about network 210.210.210.0 yet, so the ping fails. Configure a default route on SaiGon1 and allow it to be advertised into the OSPF domain:

    SaiGon1(config)#router ospf
    SaiGon1(config-router)#default-information originate always metric 2500 metric-type
    SaiGon1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.5

Check the routing table on SaiGon2:

    SaiGon2#show ip route
    Gateway of last resort is 172.16.1.1 to network 0.0.0.0
         172.16.0.0/16 is variably subnetted, subnets, masks
    C       172.16.32.0/24 is directly connected, Loopback0
    C       172.16.1.0/24 is directly connected, Serial1
    O       172.16.64.1/32 [110/65] via 172.16.1.1, 00:08:01, Serial1
    O*E1 0.0.0.0/0 [110/2564] via 172.16.1.1, 00:07:09, Serial1

The default route now appears on SaiGon2. On SaiGon2, ping 210.210.210.1 to check connectivity, and at the same time run debug ip nat on SaiGon1 to observe the NAT process:

    SaiGon2#ping 210.210.210.1
    Type escape sequence to abort
    Sending 5, 100-byte ICMP Echos to 210.210.210.1, timeout is seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 64/70/84 ms

    SaiGon1#debug ip nat
    IP NAT debugging is on
    SaiGon1#
    00:45:00: NAT: s=172.16.1.2->66.122.33.98, d=210.210.210.1 [25]
    00:45:00: NAT*: s=210.210.210.1, d=66.122.33.98->172.16.1.2 [25]
    00:45:00: NAT: s=172.16.1.2->66.122.33.98, d=210.210.210.1 [26]
    00:45:00: NAT*: s=210.210.210.1, d=66.122.33.98->172.16.1.2 [26]
    00:45:00: NAT: s=172.16.1.2->66.122.33.98, d=210.210.210.1 [27]
    00:45:00: NAT*: s=210.210.210.1, d=66.122.33.98->172.16.1.2 [27]
    00:45:00: NAT: s=172.16.1.2->66.122.33.98, d=210.210.210.1 [28]
    00:45:00: NAT*: s=210.210.210.1, d=66.122.33.98->172.16.1.2 [28]
    00:45:00: NAT: s=172.16.1.2->66.122.33.98, d=210.210.210.1 [29]
    00:45:00: NAT*: s=210.210.210.1, d=66.122.33.98->172.16.1.2 [29]

Configuration

    SaiGon1#show running-config
    !
    hostname SaiGon1
    !
    ip nat pool NAT_POOL 66.122.33.98 66.122.33.126 netmask 255.255.255.224
    ip nat inside source list pool NAT_POOL overload
    !
    interface Loopback0
     ip address 172.16.64.1 255.255.255.0
     ip nat inside
    !
    interface Loopback100
     ip address 66.122.33.97 255.255.255.224
    !
    interface Serial0/0
     ip address 192.168.1.6 255.255.255.252
     ip nat outside
     no ip mroute-cache
    !
    interface Serial0/1
     ip address 172.16.1.1 255.255.255.0
     ip nat inside
    !
    router ospf
     network 172.16.1.1 0.0.0.0 area
     network 172.16.64.1 0.0.0.0 area
     default-information originate always metric 2500 metric-type
    !
    router bgp 64512
     network 66.122.33.96 mask 255.255.255.224
     neighbor 192.168.1.5 remote-as 200
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.1.5
    ip route 66.122.33.96 255.255.255.224 Null0 230
    !
    access-list permit 172.16.0.0 0.0.255.255
    !
    line
     logging synchronous
    line aux
    line vty
     privilege level 15
     no login
    !
    end

    SaiGon2#show running-config
    !
    hostname SaiGon2
    !
    ip subnet-zero
    no ip domain-lookup
    !
    interface Loopback0
     ip address 172.16.32.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Serial1
     ip address 172.16.1.2 255.255.255.0
     no ip directed-broadcast
     clockrate 64000
    !
    router ospf
     network 172.16.1.2 0.0.0.0 area
     network 172.16.32.1 0.0.0.0 area
    !
    ip classless
    no ip http server
    !
    line
     logging synchronous
     transport input none
    line aux
    line vty
     privilege level 15
     no login
    !
    end

    ISP#show running-config
    !
    hostname ISP
    !
    ip subnet-zero
    no ip domain-lookup
    !
    interface Loopback0
     ip address 210.210.210.1 255.255.255.0
    !
    interface Serial0
     ip address 192.168.1.5 255.255.255.252
     no fair-queue
     clockrate 64000
    !
    router bgp 200
     no synchronization
     bgp log-neighbor-changes
     network 210.210.210.0
     neighbor 192.168.1.6 remote-as 64512
    !
    ip classless
    ip http server
    !
    line
     logging synchronous
    line aux
    line vty
     privilege level 15
     no login
    !
    end
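The following Python check is an added example and not part of the original lab. It parses debug ip nat lines in the format shown above and confirms that each translation agrees with the SaiGon1 configuration: inside local addresses match the NAT access list, inside global addresses come from NAT_POOL, and the pool lies inside the prefix advertised through BGP. The function names and the two constructed log lines are assumptions made for illustration.

```python
import ipaddress
import re

# Values from the SaiGon1 configuration shown in this lab.
INSIDE_ACL = ipaddress.ip_network("172.16.0.0/16")    # ACL: permit 172.16.0.0 0.0.255.255
POOL = (ipaddress.ip_address("66.122.33.98"), ipaddress.ip_address("66.122.33.126"))
BGP_PREFIX = ipaddress.ip_network("66.122.33.96/27")  # network ... mask 255.255.255.224

NAT_RE = re.compile(
    r"NAT\*?: s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))? \[\d+\]"
)

def pool_is_advertised():
    """Return traffic reaches SaiGon1 only if the whole pool is inside the BGP prefix."""
    return all(addr in BGP_PREFIX for addr in POOL)

def audit(lines):
    """Return (line_number, problem) tuples for translations that break the design."""
    findings, seen = [], set()  # seen: (inside local, inside global) pairs sent outbound
    for n, line in enumerate(lines, 1):
        m = NAT_RE.search(line)
        if not m:
            continue
        ip = {k: ipaddress.ip_address(v) for k, v in m.groupdict().items() if v}
        if "s2" in ip:    # outbound packet: source rewritten to a pool address
            local, glob = ip["s"], ip["s2"]
            seen.add((local, glob))
        elif "d2" in ip:  # return packet: destination rewritten back
            glob, local = ip["d"], ip["d2"]
            if (local, glob) not in seen:
                findings.append((n, "return translation without outbound entry"))
        else:
            continue
        if local not in INSIDE_ACL:
            findings.append((n, f"inside local {local} not permitted by NAT ACL"))
        if not POOL[0] <= glob <= POOL[1]:
            findings.append((n, f"inside global {glob} outside NAT_POOL"))
    return findings

LAB_LINES = [  # copied from the debug ip nat output in this lab
    "00:45:00: NAT: s=172.16.1.2->66.122.33.98, d=210.210.210.1 [25]",
    "00:45:00: NAT*: s=210.210.210.1, d=66.122.33.98->172.16.1.2 [25]",
]
CONSTRUCTED_LINES = [  # constructed for illustration, not lab output
    "00:45:01: NAT: s=10.9.9.9->66.122.33.97, d=210.210.210.1 [30]",
    "00:45:01: NAT*: s=210.210.210.1, d=66.122.33.99->172.16.32.1 [31]",
]
```

Calling audit(LAB_LINES) returns an empty list, while audit(CONSTRUCTED_LINES) reports a source outside the access list, a global address outside the pool, and a return translation with no matching outbound entry.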