
So far, we have finished the configuration of R-NAT, R1 and R2. Let’s continue and complete the configuration of the remaining devices in our topology (Diagram 1). We’ll start with the ASA configuration.
The Cisco Adaptive Security Appliance (ASA) protects the inside network and the DMZ. As our guide focuses on a multihoming configuration using BGP, we only cover the basic ASA configuration. This includes the access-list configuration that allows BGP in all directions. In order to protect the enterprise network from advanced threats, application layer protocol inspection should be configured in addition to the access-lists.

```
! ASA-1
interface GigabitEthernet0/0
 description Link to CE-1
 nameif OUTSIDE
 security-level 0
 ip address 193.0.0.6 255.255.255.252
interface GigabitEthernet0/1
 description Link to R1
 nameif INSIDE
 security-level 100
 ip address 193.0.0.9 255.255.255.252
interface GigabitEthernet0/2
 description Link to DMZ
 nameif DMZ
 security-level 50
 ip address 195.0.1.1 255.255.255.0
```
Router R1 can initiate a TCP connection to CE-1 (193.0.0.5) on destination TCP port 179, because R1 is connected to interface Gi0/1 of the ASA, which is configured with security level 100, and traffic from a higher to a lower security level is permitted by default. Therefore, R1 can establish an iBGP adjacency with CE-1. However, we need to configure access-list 1 (ACL1), which allows CE-1 (outside) to initiate a TCP connection to R1 (inside) with destination IP address 193.0.0.10 and TCP port 179. As interface Gi0/0 is configured with security level 0, we also need to add a rule that permits traffic from CE-1 to the DMZ router (195.0.1.3) with destination TCP port 179. This statement permits traffic from interface Gi0/0 (security level 0) to interface Gi0/2, which has the higher security level 50. Therefore, CE-1 can initiate a TCP connection to the DMZ router.

```
access-list ACL1 extended permit tcp host 193.0.0.5 host 193.0.0.10 eq bgp
access-list ACL1 extended permit tcp host 193.0.0.5 host 195.0.1.3 eq bgp
```
The ACL1 is applied on the outside interface (Gi0/0) in the inbound direction.
```
access-group ACL1 in interface OUTSIDE
```
ACL2 contains a rule that permits TCP traffic from the DMZ router (195.0.1.3) on interface Gi0/2, connected to the DMZ and configured with security level 50, to interface Gi0/1 with security level 100, destination IP 193.0.0.10 and TCP port 179 (BGP).

```
access-list ACL2 extended permit tcp host 195.0.1.3 host 193.0.0.10 eq bgp
```
The ACL2 is applied on the DMZ interface (Gi0/2) in the inbound direction.
```
access-group ACL2 in interface DMZ
```
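The security-level and access-group logic described above, as an added Python model that is not part of the original article or of ASA software: it takes ASA-1's interfaces, ACL1/ACL2 and access-groups from the configuration and decides, for each pair of iBGP peers, which side may open the TCP session to port 179. It models only two ASA rules (an inbound access-group on the ingress interface decides alone, with the implicit deny at its end; otherwise a higher security level may initiate to a lower one) and ignores stateful return traffic.

```python
from ipaddress import ip_address, ip_network

BGP_PORT = 179

# Interfaces from the ASA-1 configuration: nameif -> (security-level, connected subnet)
INTERFACES = {
    "OUTSIDE": (0, ip_network("193.0.0.4/30")),
    "INSIDE": (100, ip_network("193.0.0.8/30")),
    "DMZ": (50, ip_network("195.0.1.0/24")),
}

# ACL1/ACL2 entries from the article as (source host, destination host, destination TCP port)
ACLS = {
    "ACL1": [("193.0.0.5", "193.0.0.10", BGP_PORT), ("193.0.0.5", "195.0.1.3", BGP_PORT)],
    "ACL2": [("195.0.1.3", "193.0.0.10", BGP_PORT)],
}

# access-group <acl> in interface <nameif>
ACCESS_GROUPS = {"OUTSIDE": "ACL1", "DMZ": "ACL2"}


def interface_for(ip):
    """Return the nameif whose connected subnet contains ip (None if not directly connected)."""
    addr = ip_address(ip)
    for name, (_, subnet) in INTERFACES.items():
        if addr in subnet:
            return name
    return None


def syn_permitted(src_ip, dst_ip, dst_port=BGP_PORT):
    """Decide whether a new TCP connection from src_ip to dst_ip:dst_port passes ASA-1."""
    ingress, egress = interface_for(src_ip), interface_for(dst_ip)
    if ingress is None or egress is None or ingress == egress:
        return False  # not a flow between two different ASA interfaces
    acl = ACCESS_GROUPS.get(ingress)
    if acl is not None:
        # An inbound ACL on the ingress interface is the whole decision: permit on a
        # matching line, otherwise the implicit deny at the end of the ACL applies.
        return any(s == src_ip and d == dst_ip and p == dst_port for s, d, p in ACLS[acl])
    # No inbound ACL: the security-level default applies (higher to lower only)
    return INTERFACES[ingress][0] > INTERFACES[egress][0]


def bgp_sessions():
    """For each pair of iBGP peers around ASA-1, report which side may open the TCP session."""
    peers = {"R1": "193.0.0.10", "CE-1": "193.0.0.5", "DMZ": "195.0.1.3"}
    return {f"{a}->{b}": syn_permitted(peers[a], peers[b])
            for a in peers for b in peers if a != b}
```

bgp_sessions() reports every direction permitted except DMZ->CE-1: once ACL2 is applied inbound on the DMZ interface, its implicit deny replaces the 50-to-0 default, so the DMZ to CE-1 session depends on CE-1 initiating.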
ASA-1 does not participate in OSPF, so we need static routes in order to forward traffic to the subnets behind the Gi0/1 interface. These are the NAT pools 193.0.1.0/24 (ISP-A) and 194.0.1.0/24 (ISP-B), and 193.0.0.12/30, all routed via the next-hop IP address 193.0.0.10 (R1). The default route for forwarding outbound traffic to the Internet is configured with the next-hop 193.0.0.5 (CE-1).

```
route INSIDE 193.0.1.0 255.255.255.0 193.0.0.10
route INSIDE 194.0.1.0 255.255.255.0 193.0.0.10
route INSIDE 193.0.0.12 255.255.255.252 193.0.0.10
route OUTSIDE 0.0.0.0 0.0.0.0 193.0.0.5
```
```
! ASA-2
interface GigabitEthernet0/0
 description Link to CE-2
 nameif OUTSIDE
 security-level 0
 ip address 194.0.0.6 255.255.255.252
interface GigabitEthernet0/1
 description Link to R2
 nameif INSIDE
 security-level 100
 ip address 194.0.0.9 255.255.255.252
interface GigabitEthernet0/2
 description Link to DMZ
 nameif DMZ
 security-level 50
 ip address 195.0.1.2 255.255.255.0
```

The access-list configuration is similar to ASA-1. ACL1 permits BGP traffic from the outside BGP peer 194.0.0.5 (CE-2) to the inside peer 194.0.0.10 (R2) and to the DMZ peer 195.0.1.3 (router DMZ). ACL2 permits BGP traffic from the peer on the DMZ interface to R2 on the inside.

```
access-list ACL1 extended permit tcp host 194.0.0.5 host 194.0.0.10 eq bgp
access-list ACL1 extended permit tcp host 194.0.0.5 host 195.0.1.3 eq bgp
access-list ACL2 extended permit tcp host 195.0.1.3 host 194.0.0.10 eq bgp
```
ACLs are applied in the inbound direction to the outside and DMZ interfaces.
```
access-group ACL1 in interface OUTSIDE
access-group ACL2 in interface DMZ
```
We need to configure static routes to reach the subnets behind interface Gi0/1, and a default static route for outgoing traffic to the Internet.

```
route INSIDE 193.0.1.0 255.255.255.0 194.0.0.10
route INSIDE 194.0.0.12 255.255.255.252 194.0.0.10
route INSIDE 194.0.1.0 255.255.255.0 194.0.0.10
route OUTSIDE 0.0.0.0 0.0.0.0 194.0.0.5
```

```
! CE-1
interface GigabitEthernet0/0
 description Link to ISP-A
 ip address 193.0.0.2 255.255.255.252
interface GigabitEthernet0/1
 description Link to ASA-1
 ip address 193.0.0.5 255.255.255.252
```
The CE-1 router is configured as an eBGP peer with the router ISP-A and as an iBGP peer with routers R1 and DMZ. Only the prefixes 193.0.1.0/24 (NAT pool ISP-A) and 195.0.1.0/24 (DMZ), matched by route-map ADV-TO-ISPA, are advertised to ISP-A. The route-map CHECK-ISPA-ROUTE checks whether the route 11.0.0.0/16 with the next-hop 193.0.0.1 is present in the routing table of CE-1. If it is, a default route is advertised to the BGP neighbors R1 (193.0.0.10) and DMZ (195.0.1.3). The default route is therefore advertised conditionally, based on whether the link between CE-1 and ISP-A is active.
CE-1 receives a full Internet table from ISP-A; in this lab the routes are simulated by the prefix 11.0.0.0/16 advertised by ISP-A. However, only a default route is conditionally advertised to the R1 and DMZ routers. Therefore, we permit only the advertisement of the default route in the outgoing direction to R1 and DMZ, with a distribute-list that refers to access-list 1.

```
router bgp 64501
 neighbor 193.0.0.1 remote-as 64500
 neighbor 193.0.0.1 route-map ADV-TO-ISPA out
 neighbor 193.0.0.10 remote-as 64501
 neighbor 193.0.0.10 next-hop-self
 neighbor 193.0.0.10 default-originate route-map CHECK-ISPA-ROUTE
 neighbor 193.0.0.10 distribute-list 1 out
 neighbor 195.0.1.3 remote-as 64501
 neighbor 195.0.1.3 next-hop-self
 neighbor 195.0.1.3 default-originate route-map CHECK-ISPA-ROUTE
 neighbor 195.0.1.3 distribute-list 1 out
```
Static routes to iBGP peers are required because peers are not directly connected.
```
ip route 193.0.0.8 255.255.255.252 193.0.0.6
ip route 195.0.1.3 255.255.255.255 193.0.0.6
route-map CHECK-ISPA-ROUTE permit 10
 match ip address 20
 match ip next-hop 21
route-map ADV-TO-ISPA permit 10
 match ip address 10 11
access-list 1 permit 0.0.0.0
access-list 10 permit 193.0.1.0 0.0.0.255
access-list 11 permit 195.0.1.0 0.0.0.255
access-list 20 permit 11.0.0.0 0.0.255.255
access-list 21 permit 193.0.0.1
```

```
! CE-2
interface GigabitEthernet0/0
 description Link to ISP-B
 ip address 194.0.0.2 255.255.255.252
interface GigabitEthernet0/1
 description Link to ASA-2
 ip address 194.0.0.5 255.255.255.252
```
CE-2 is configured as an eBGP peer with ISP-B and as an iBGP peer with routers R2 and DMZ. The prefixes 194.0.1.0/24 (NAT pool ISP-B) and 195.0.1.0/24 (DMZ) are matched by route-map ADV-TO-ISPB and advertised to ISP-B. The default route is advertised conditionally to the R2 and DMZ routers, based on whether the link between CE-2 and ISP-B is active.

```
router bgp 64501
 neighbor 194.0.0.1 remote-as 64502
 neighbor 194.0.0.1 route-map ADV-TO-ISPB out
 neighbor 194.0.0.10 remote-as 64501
 neighbor 194.0.0.10 next-hop-self
 neighbor 194.0.0.10 default-originate route-map CHECK-ISPB-ROUTE
 neighbor 194.0.0.10 distribute-list 1 out
 neighbor 195.0.1.3 remote-as 64501
 neighbor 195.0.1.3 next-hop-self
 neighbor 195.0.1.3 default-originate route-map CHECK-ISPB-ROUTE
 neighbor 195.0.1.3 distribute-list 1 out
```
Static routes to iBGP peers are required because they are not directly connected.
```
ip route 194.0.0.8 255.255.255.252 194.0.0.6
ip route 195.0.1.3 255.255.255.255 194.0.0.6
route-map CHECK-ISPB-ROUTE permit 10
 match ip address 20
 match ip next-hop 21
```
Both the CE-1 and CE-2 routers advertise the DMZ route 195.0.1.0/24 to their respective ISPs. However, incoming traffic to the DMZ is forwarded via ISP-A, because CE-2 is configured to prepend AS 64501 three times to the AS_PATH of the route 195.0.1.0/24 advertised to ISP-B. Therefore, BGP routers select the shorter AS path via ISP-A for traffic to 195.0.1.0/24.

```
route-map ADV-TO-ISPB permit 10
 match ip address 10
route-map ADV-TO-ISPB permit 20
 match ip address 11
 set as-path prepend 64501 64501 64501
access-list 1 permit 0.0.0.0
access-list 10 permit 194.0.1.0 0.0.0.255
access-list 11 permit 195.0.1.0 0.0.0.255
access-list 20 permit 12.0.0.0 0.0.255.255
access-list 21 permit 194.0.0.1
```
ISP-A and ISP-B are configured as eBGP peers with CE-1 and CE-2, respectively. They also peer with each other. Both ISPs advertise a full Internet routing table, simulated by the prefixes 11.0.0.0/16 and 12.0.0.0/16.

```
! ISP-A
interface GigabitEthernet0/0
 description Link to CE-1
 ip address 193.0.0.1 255.255.255.252
interface GigabitEthernet0/1
 description Link to ISP-B
 ip address 196.0.0.1 255.255.255.252
router bgp 64500
 network 11.0.0.0 mask 255.255.0.0
 neighbor 193.0.0.2 remote-as 64501
 neighbor 196.0.0.2 remote-as 64502
```
BGP will always advertise the network 11.0.0.0/16 because a static route to Null0 for it is installed in the routing table of ISP-A.

```
ip route 11.0.0.0 255.255.0.0 Null0
```

```
! ISP-B
interface GigabitEthernet0/0
 description Link to CE-2
 ip address 194.0.0.1 255.255.255.252
interface GigabitEthernet0/1
 description Link to ISP-A
 ip address 196.0.0.2 255.255.255.252
router bgp 64502
 network 12.0.0.0 mask 255.255.0.0
 neighbor 194.0.0.2 remote-as 64501
 neighbor 196.0.0.1 remote-as 64500
```
BGP will always advertise the network 12.0.0.0/16 because a static route to Null0 for it is installed in the routing table of ISP-B.

```
ip route 12.0.0.0 255.255.0.0 Null0
```