This tutorial discusses the configuration of a multihomed enterprise network where routers CE-1 and CE-2 in AS 64501 are connected to routers ISP-A in AS64500 and ISP-B in AS64502 for redundancy. The connection via ISP-A is used as a primary connection for both outbound and inbound traffic. The connection via ISP-B is a backup connection. Identical inside hosts behind NAT are translated to different addresses assigned by the respective ISPs depending on whether traffic is forwarded via ISP-A or ISP-B to the Internet.
Diagram 1: Enterprise Network (AS64501) is Multi-homed to ISP-A and ISP-B
Let’s go through every line of our configuration to explain its purpose. Below are the rules for outbound traffic from the enterprise to the Internet.
- All outbound traffic from 172.16.0.0/16 forwarded from R-NAT to R1 has an inside global IP address assigned from 188.8.131.52/24.
- All outbound traffic from 172.16.0.0/16 forwarded from R-NAT to R2 has an inside global IP address assigned from 184.108.40.206/24.
- AS64501 prefers the path from CE-1 to ISP-A for outbound traffic. Hence, the preferred outbound path for traffic sent from hosts behind NAT to the Internet is R-NAT→R1→ASA-1→CE-1→ISP-A. We give this path the name nat-north-internet. NAT pool 220.127.116.11/24 is used for mapping the inside local addresses (172.16.0.0/16) to inside global addresses when the nat-north-internet path is taken.
- The DMZ prefers the path via ASA-1, CE-1 and ISP-A for outbound traffic to the Internet. We call this path dmz-north-internet.
- If connectivity to ISP-A fails, all outbound traffic from hosts behind NAT is forwarded via the link from CE-2 to ISP-B. It therefore takes the path R-NAT→R2→ASA-2→CE-2→ISP-B, a.k.a. the nat-south-internet path. The NAT pool 18.104.22.168/24 is used for mapping the inside local addresses to inside global addresses in this case.
- If connectivity to ISP-A fails, all outbound traffic from hosts in the DMZ to the Internet is routed via the link from CE-2 to ISP-B. In this case, traffic is forwarded ASA-2→CE-2→ISP-B, via the dmz-south-internet path.
Here are the rules for inbound traffic.
- All inbound traffic that comes from the Internet to the enterprise uses the link from ISP-A to CE-1. This traffic is destined either for hosts in the DMZ or for the NAT pool 22.214.171.124/24 (the translated inside local addresses 172.16.0.0/16).
- If the link from ISP-A to CE-1 fails, all inbound traffic from the Internet is routed via the link from ISP-B to CE-2. This traffic is destined either for the DMZ or for the NAT pool 126.96.36.199/24.
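The outbound rules above require R-NAT to pick a different inside global pool depending on whether a packet leaves towards R1 (north) or R2 (south). The following R-NAT configuration is an added example, not taken from the tutorial's own configuration: it ties each dynamic NAT rule to the egress interface with a route-map. Interface names, the pool ranges (RFC 5737 documentation addresses) and the ACL name are constructed placeholders; substitute the /24s listed under IP Address Assignment.

```cisco
! R-NAT: inside 172.16.0.0/16 is translated to a different pool depending on
! the interface the packet leaves on (towards R1 = north, towards R2 = south).
! Interface names and pool ranges are constructed placeholders.
interface GigabitEthernet0/0
 description inside LAN (172.16.0.0/16)
 ip nat inside
!
interface GigabitEthernet0/1
 description towards R1 (nat-north-internet)
 ip nat outside
!
interface GigabitEthernet0/2
 description towards R2 (nat-south-internet)
 ip nat outside
!
! Inside local addresses eligible for translation
ip access-list standard INSIDE-LOCAL
 permit 172.16.0.0 0.0.255.255
!
! Pool carved from ISP-A's allocation, used only on the north path
ip nat pool POOL-ISP-A 203.0.113.1 203.0.113.254 prefix-length 24
! Pool carved from ISP-B's allocation, used only on the south path
ip nat pool POOL-ISP-B 198.51.100.1 198.51.100.254 prefix-length 24
!
! The route-map binds the translation to the egress interface, so the same
! inside host is seen with an ISP-A address via R1 and an ISP-B address via R2.
route-map NAT-NORTH permit 10
 match ip address INSIDE-LOCAL
 match interface GigabitEthernet0/1
!
route-map NAT-SOUTH permit 10
 match ip address INSIDE-LOCAL
 match interface GigabitEthernet0/2
!
ip nat inside source route-map NAT-NORTH pool POOL-ISP-A overload
ip nat inside source route-map NAT-SOUTH pool POOL-ISP-B overload
```

`show ip nat translations` shows which pool each flow was bound to. One caveat worth knowing before a failover test: translations that were created on the north path keep their ISP-A global address after the default route flips to R2, and since that prefix is no longer advertised by AS64501 at that point, those existing sessions cannot receive return traffic and must be re-established; only new flows pick up the ISP-B pool.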
IP Address Assignment
The enterprise has received a prefix from each ISP. These prefixes are used for the NAT and interface configuration (Diagram 1). In addition, the enterprise has assigned the prefix 188.8.131.52/24 for the DMZ configuration. The prefix 184.108.40.206/23 is assigned by ISP-A. It consists of two /24 subnets, 220.127.116.11 and 18.104.22.168. The company uses the subnet 22.214.171.124/24 for the IP address configuration of devices located on the north path (R1, ASA-1 and CE-1). The prefix 126.96.36.199/24 is reserved for the ISP-A NAT pool. ISP-B has assigned the prefix 188.8.131.52/23 to the enterprise. The subnet 184.108.40.206/24 has been allocated for the south path configuration (R2, ASA-2 and CE-2), and the prefix 220.127.116.11/24 is reserved for the ISP-B NAT pool.
Prefix Advertisement and Path Selection
The IP address range 18.104.22.168/24 is used for the IP address configuration of devices in the DMZ. The prefix is advertised by routers CE-1 and CE-2 via eBGP to ISP-A and ISP-B, respectively. However, since the dmz-north-internet path is preferred over dmz-south-internet for outbound traffic from the DMZ to the Internet, we set the local preference to 150 for the default route 0.0.0.0/0 via CE-1. This makes the path via CE-1 preferred, as the default route installed in the routing table of CE-2 keeps the default local preference of 100.
The NAT prefix 22.214.171.124/24 is announced solely by CE-1, in an eBGP update to ISP-A, and from ISP-A into the Internet. As CE-1 is the only router advertising this prefix, inbound traffic sent from the Internet to the NAT prefix 126.96.36.199/24 takes the internet-north-nat path. Inbound traffic destined for the DMZ 188.8.131.52/24 is also routed via ISP-A to CE-1 and ASA-1 (the internet-north-dmz path). BGP routers located in other ASes select the path via ISP-A because CE-2 is configured to prepend its own AS 64501 three times to the AS_PATH of the DMZ route 184.108.40.206/24 that it advertises to ISP-B. Therefore, the shorter AS_PATH via ISP-A is preferred.
If the link between CE-1 and ISP-A fails, the 220.127.116.11/24 prefix is not advertised by AS64501 at all. This might look like a design mistake at first; however, when that link fails, the nat-north-internet path is no longer used. Instead, outbound traffic from R-NAT to ISP-B is routed via the nat-south-internet path, with source IP addresses translated to the NAT pool 18.104.22.168/24. As the prefix 22.214.171.124/24 is advertised by CE-2, devices behind NAT can still communicate with devices in the Internet.
Note: Routers CE-1 and CE-2 contain the full Internet routing table. The Internet routes are simulated by the prefixes 126.96.36.199/16 and 12.0.0.0/16 advertised by the ISPs to the CE routers in eBGP updates.
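The eBGP outbound policy described in this section (CE-1 announcing the DMZ and ISP-A NAT prefixes to ISP-A; CE-2 announcing the DMZ prefix with AS 64501 prepended three times plus the ISP-B NAT prefix to ISP-B) can be expressed as below. This is an added illustration, not the tutorial's own configuration. All prefixes and neighbor addresses are constructed placeholders (RFC 5737 ranges for the enterprise prefixes, 10.0.x.y for the ISP links); the local-preference 150 on the DMZ-side default route is applied where that default is received and is not part of this block.

```cisco
! ===== CE-1 (AS 64501), eBGP to ISP-A (AS 64500) =====
! Placeholders: 192.0.2.0/24 = DMZ, 203.0.113.0/24 = ISP-A NAT pool,
! 10.0.1.1 = ISP-A side of the CE-1/ISP-A link.
! Null0 anchors keep the aggregates in the RIB so the network statements
! can originate them; the DMZ is really reached via ASA-1.
ip route 192.0.2.0 255.255.255.0 Null0
ip route 203.0.113.0 255.255.255.0 Null0
!
ip prefix-list DMZ-NET seq 5 permit 192.0.2.0/24
ip prefix-list NAT-A-NET seq 5 permit 203.0.113.0/24
!
! Only our own prefixes go to ISP-A; the implicit deny at the end of the
! route-map stops anything else (ISP-B's routes, the other pool) leaking out.
route-map TO-ISP-A permit 10
 match ip address prefix-list DMZ-NET NAT-A-NET
!
router bgp 64501
 network 192.0.2.0 mask 255.255.255.0
 network 203.0.113.0 mask 255.255.255.0
 neighbor 10.0.1.1 remote-as 64500
 neighbor 10.0.1.1 route-map TO-ISP-A out
!
! ===== CE-2 (AS 64501), eBGP to ISP-B (AS 64502) =====
! Placeholders: 198.51.100.0/24 = ISP-B NAT pool, 10.0.2.1 = ISP-B side
! of the CE-2/ISP-B link.
ip route 192.0.2.0 255.255.255.0 Null0
ip route 198.51.100.0 255.255.255.0 Null0
!
ip prefix-list DMZ-NET seq 5 permit 192.0.2.0/24
ip prefix-list NAT-B-NET seq 5 permit 198.51.100.0/24
!
! DMZ prefix: prepend our own AS three times so the Internet prefers the
! shorter AS_PATH via ISP-A. The ISP-B pool is announced without prepending,
! because ISP-B is the only path for addresses from that pool.
route-map TO-ISP-B permit 10
 match ip address prefix-list DMZ-NET
 set as-path prepend 64501 64501 64501
route-map TO-ISP-B permit 20
 match ip address prefix-list NAT-B-NET
!
router bgp 64501
 network 192.0.2.0 mask 255.255.255.0
 network 198.51.100.0 mask 255.255.255.0
 neighbor 10.0.2.1 remote-as 64502
 neighbor 10.0.2.1 route-map TO-ISP-B out
```

Check the result with `show ip bgp neighbors 10.0.2.1 advertised-routes` on CE-2: the DMZ prefix should carry the path `64501 64501 64501 64501`, the NAT-B prefix just `64501`, and no other prefixes should appear. The outbound prefix filtering is as much a safety control as a traffic-engineering one: with full tables from both ISPs on the CE routers, an unfiltered session would re-advertise one ISP's routes to the other and turn the enterprise into an unintended transit AS.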
Default Route Distribution
We have already mentioned that if the link between ISP-A and CE-1 fails, outbound traffic from devices behind NAT to the Internet is routed via the backup path nat-south-internet. But how does this magic work? CE-1 and CE-2 advertise a default route to R1 and R2, respectively, in an iBGP update message. However, they do so conditionally: a default route is advertised only if the appropriate route (188.8.131.52/16 for ISP-A and 184.108.40.206/16 for ISP-B), with the ISP's IP address as next hop, is installed in their routing table. If it is not, the CE routers do not advertise a default route to R1, R2 and the DMZ.
Routers R1 and R2 advertise a default route to R-NAT conditionally, depending on whether the links between the CE and ISP routers are active. For instance, if R1 receives a default route via iBGP from CE-1, it installs it into its routing table. If the route-map CHECK-DEFAULT matches the default route and its next-hop IP address (CE-1), R1 advertises the default route via OSPF to R-NAT with metric 5. R2, however, advertises a default route (if the link between CE-2 and ISP-B is active) via OSPF to R-NAT with metric 30. As a result, R-NAT installs the default route received from R1, since its metric 5 is lower than the metric 30 of the default route advertised by R2.
Adjusting Administrative Distance (AD) for iBGP learned Default Route on R1
For the iBGP routes, which have a default AD of 200, to be preferred over OSPF routes with a default AD of 110, we need to lower the AD of iBGP routes below 110. If we use the command distance bgp 20 105 200 under the BGP configuration of R1, the default route received from CE-1 in an iBGP update message has AD 105, which is lower than 110. The default route that R-NAT advertises to R1 via OSPF (learned from R2) has AD 110. Therefore, R1 installs the route 0.0.0.0 via CE-1 into its routing table.
If the link between CE-1 and ISP-A goes down, R-NAT installs the default route with AD 110 and metric 30 advertised by R2 via OSPF. R1 also installs the default route received from R-NAT into its routing table. Outbound traffic is then sent to ISP-B. When the link between CE-1 and ISP-A comes back up, the default route via CE-1 is reinstalled into the routing table of R1. The AD of this route is 105, so it is preferred over the default route with AD 110 advertised by R-NAT. Outbound traffic is routed via ISP-A again.
Note: The default values of the distance bgp command are 20 200 200: eBGP-learned routes have an administrative distance of 20, iBGP-learned routes an administrative distance of 200, and local BGP routes an administrative distance of 200.
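The two conditional mechanisms from the Default Route Distribution and Administrative Distance sections (CE-1 originating a default towards R1 only while the ISP-A route with the ISP's next hop is present; R1 lowering the iBGP AD to 105 and re-advertising the default into OSPF with metric 5 only when it really comes from CE-1) look as follows in IOS. This is an added example written for this page, not the tutorial's own configuration. Neighbor addresses, the route-map and prefix-list names other than CHECK-DEFAULT, and the 11.0.0.0/16 stand-in for the ISP-A Internet route are constructed placeholders.

```cisco
! ===== CE-1: originate 0.0.0.0/0 to R1 only while ISP-A is usable =====
! Placeholders: 11.0.0.0/16 = the route learned from ISP-A that the text keys
! on, 10.0.1.1 = ISP-A's link address, 10.0.1.9 = R1's iBGP address.
ip prefix-list ISP-A-ROUTE seq 5 permit 11.0.0.0/16
ip prefix-list ISP-A-NEXTHOP seq 5 permit 10.0.1.1/32
!
! Both conditions must hold: the prefix exists AND its next hop is ISP-A.
! If the ISP-A link drops, the route disappears and the default is withdrawn.
route-map DEFAULT-IF-ISP-A permit 10
 match ip address prefix-list ISP-A-ROUTE
 match ip next-hop prefix-list ISP-A-NEXTHOP
!
router bgp 64501
 neighbor 10.0.1.9 remote-as 64501
 neighbor 10.0.1.9 default-originate route-map DEFAULT-IF-ISP-A
!
! ===== R1: prefer the iBGP default, hand it to R-NAT via OSPF =====
! Placeholder: 10.0.1.5 = CE-1's iBGP address as seen by R1.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip prefix-list CE-1-NEXTHOP seq 5 permit 10.0.1.5/32
!
! CHECK-DEFAULT: only the default route, and only when CE-1 is its next hop.
! This stops R1 from re-injecting the OSPF default it learns from R-NAT
! (the R2/ISP-B one) back into OSPF with the better metric.
route-map CHECK-DEFAULT permit 10
 match ip address prefix-list DEFAULT-ONLY
 match ip next-hop prefix-list CE-1-NEXTHOP
!
router bgp 64501
 neighbor 10.0.1.5 remote-as 64501
 ! eBGP 20 (unchanged), iBGP 105 (below OSPF's 110), local 200 (unchanged)
 distance bgp 20 105 200
!
router ospf 1
 default-information originate metric 5 route-map CHECK-DEFAULT
```

R2 is configured the same way with CE-2's addresses and `metric 30` in place of `metric 5`, which is what makes R-NAT prefer R1's default. To verify the failover logic without touching the ISP link, `show ip route 0.0.0.0` on R1 should list the CE-1 default with `[105/0]` while ISP-A is up and the OSPF default from R-NAT with `[110/30]` once CE-1 withdraws it.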