BGP and NAT - The Cisco Learning Network
https://learningnetwork.cisco.com/thread/13828
CCNP R&S Study Group
12/05/2012

This Question is Answered
5521 Views, 12 Replies. Latest reply: 25-May-2010 14:24 by Keith Barker - CCIE RS/Security, CISSP, CCSI

BGP and NAT

25-May-2010 07:57 Duane, CCNA
76 posts since 18-Dec-2009

For BGP you want to advertise the public address range. Also, for BGP to advertise a route, it has to be in the router's routing table. But if you are using NAT, then the routes in the router's routing table will be the private prefixes, not the public ones. So, do you just configure a static route to the public prefix with an outgoing interface of null0? Wouldn't that cause packets to be discarded before they are translated since there wouldn't be any more specific routes in the table to the public subnets of that public prefix? How do you handle this?


Tags: bgp, nat, ccnp

1. 25-May-2010 09:03 (in response to Duane, CCNA)

Helpful Answer Re: BGP and NAT

Keith Barker - CCIE RS/Security, CISSP, CCSI


4,895 posts since 03-Jul-2009

For BGP you want to advertise the public address range. Also, for BGP to advertise a route, it has to be in the router's routing table. But if you are using NAT, then the routes in the router's routing table will be the private prefixes, not the public ones. So, do you just configure a static route to the public prefix with an outgoing interface of null0? Wouldn't that cause packets to be discarded before they are translated since there wouldn't be any more specific routes in the table to the public subnets of that public prefix? How do you handle this?

Hello Duane,

When BGP advertises routes, it doesn't have to advertise all the routes in the routing table. A BGP router may have hundreds of private address network routes, but the administrator will not configure those private address networks to be advertised via BGP, at least not on the Internet (although advertising a private network space is technically possible, and may be done in a private network).

R1 and R3 are BGP neighbors. R1, although it knows about and is connected to the 10.0.0.0/24 network, is not advertising that network through BGP to R3. Because of the way R1 is configured, it is only sharing the 78.52.33.0/24 network with R3.
R1#show ip route | begin resort
Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/11] via 10.0.0.2, 00:08:09, FastEthernet0/0
     23.0.0.0/24 is subnetted, 1 subnets
O       23.0.0.0 [110/20] via 10.0.0.2, 00:07:30, FastEthernet0/0
C    9.0.0.0/8 is directly connected, FastEthernet0/1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, FastEthernet0/0
     78.0.0.0/24 is subnetted, 1 subnets
C       78.52.33.0 is directly connected, Loopback99

R1#show ip bgp summary
BGP router identifier 1.1.1.1, local AS number 13
BGP table version is 4, main routing table version 4
1 network entries using 120 bytes of memory
1 path entries using 52 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 452 total bytes of memory
BGP activity 2/1 prefixes, 2/1 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
23.0.0.3        4    13      11      10        4    0    0 00:06:22        0
R1#

R1#show ip bgp
BGP table version is 4, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 78.52.33.0/24    0.0.0.0                  0         32768 i
R1#

Here is R3. Notice that the only route it got from R1 doesn't include the private address space of 10.0.0.0.

R3#show ip route | begin resort
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/21] via 23.0.0.2, 00:08:18, FastEthernet0/1
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/11] via 23.0.0.2, 00:08:18, FastEthernet0/1
     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback0
     23.0.0.0/24 is subnetted, 1 subnets
C       23.0.0.0 is directly connected, FastEthernet0/1
O    9.0.0.0/8 [110/30] via 23.0.0.2, 00:08:18, FastEthernet0/1
     10.0.0.0/24 is subnetted, 1 subnets
O       10.0.0.0 [110/20] via 23.0.0.2, 00:08:18, FastEthernet0/1
     78.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O       78.52.33.1/32 [110/21] via 23.0.0.2, 00:01:35, FastEthernet0/1
B       78.52.33.0/24 [200/0] via 10.0.0.1, 00:01:26

R3#show ip bgp summary
BGP router identifier 3.3.3.3, local AS number 13
BGP table version is 4, main routing table version 4
1 network entries using 120 bytes of memory
1 path entries using 52 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 420 total bytes of memory
BGP activity 2/1 prefixes, 2/1 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.1        4    13      11      12        4    0    0 00:07:03        1

R3#show ip bgp
BGP table version is 4, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i78.52.33.0/24    10.0.0.1                 0    100      0 i
R3#

So from the Internet's perspective, everyone reachable needs to appear as a globally routable IP address. What the customer does regarding NAT/PAT is hidden from the outside world. Hope that helps a little, Keith.

Report Abuse
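The point Keith makes above, that the network statement (not the connected routes) selects what leaves the AS, and that a network statement is only honoured when the RIB holds an exactly matching prefix/mask, is easy to audit mechanically before a config goes live. The following Python is an added example and not code from the thread or from Cisco: it parses an IOS-style "router bgp" block, flags network statements with no RIB match (dead advertisements) and network statements inside RFC 1918 / RFC 6598 space (a leak), and emits an outbound prefix-list that pins the eBGP session to the intended public prefixes. The configuration, the RIB contents and the prefix-list name OUT-TO-AS3 are constructed for the example, modelled on the R1 and R2 snippets in this thread.

```python
import ipaddress
import re

# Added example, not from the original post. Audits what an IOS-style
# "router bgp" block will actually advertise:
#   1. "network X mask Y" only advertises if the RIB holds an EXACT prefix/mask match;
#   2. the network statement, not the connected routes, decides what leaves the AS,
#      so an RFC 1918 / RFC 6598 prefix in a network statement is a leak.
# Config and RIB below are constructed, modelled on R1/R2 in this thread.

SAMPLE_CONFIG = """\
router bgp 2
 no synchronization
 bgp log-neighbor-changes
 network 128.1.64.0 mask 255.255.192.0
 network 10.0.0.0 mask 255.255.255.0
 network 78.52.33.0 mask 255.255.255.0
 neighbor 23.0.0.3 remote-as 3
 no auto-summary
!
ip route 128.1.64.0 255.255.192.0 Null0
!
"""

# Constructed RIB (prefix/len) for the same edge router: connected 10/24 and
# 172.16/16, the link to AS3, and the Null0 static that anchors the /18.
SAMPLE_RIB = ["10.0.0.0/24", "172.16.0.0/16", "23.0.0.0/24", "128.1.64.0/18"]

PRIVATE_SPACE = [ipaddress.ip_network(p) for p in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

_NETWORK_RE = re.compile(r"^\s*network\s+(\S+)\s+mask\s+(\S+)\s*$", re.M)


def parse_network_statements(config):
    """Prefixes selected by 'network A.B.C.D mask M.M.M.M' lines, in config order."""
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            for m in _NETWORK_RE.finditer(config)]


def audit_advertisements(config, rib):
    """Return (code, prefix) findings: NOT_IN_RIB (won't be advertised) and
    PRIVATE_LEAK (would be advertised and must not be)."""
    rib_nets = {ipaddress.ip_network(r) for r in rib}
    findings = []
    for net in parse_network_statements(config):
        if net not in rib_nets:            # exact prefix+mask match required
            findings.append(("NOT_IN_RIB", str(net)))
        if any(net.subnet_of(p) for p in PRIVATE_SPACE):
            findings.append(("PRIVATE_LEAK", str(net)))
    return findings


def outbound_prefix_list(name, config):
    """IOS prefix-list permitting only the public network statements. Applied
    outbound on the eBGP neighbour it stops anything else leaking even if the
    RIB later grows (e.g. through redistribution). 'name' is hypothetical."""
    lines, seq = [], 5
    for net in parse_network_statements(config):
        if any(net.subnet_of(p) for p in PRIVATE_SPACE):
            continue
        lines.append(f"ip prefix-list {name} seq {seq} permit {net}")
        seq += 5
    lines.append(f"ip prefix-list {name} seq {seq} deny 0.0.0.0/0 le 32")
    return lines


if __name__ == "__main__":
    for code, prefix in audit_advertisements(SAMPLE_CONFIG, SAMPLE_RIB):
        print(f"{code:13} {prefix}")
    print("\n".join(outbound_prefix_list("OUT-TO-AS3", SAMPLE_CONFIG)))
```

On the constructed input the audit reports 10.0.0.0/24 as PRIVATE_LEAK (it is in the RIB, so it would be advertised) and 78.52.33.0/24 as NOT_IN_RIB (it is in the config but would never be sent), while 128.1.64.0/18 passes because the Null0 static gives it an exact match. The generated prefix-list is belt-and-braces: it makes the outbound policy explicit rather than relying on the RIB staying the way it is today.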

2. 25-May-2010 09:08 (in response to Duane, CCNA) Re: BGP and NAT

The way I would do it, for example, is this: if you had OSPF running, and the edge router is also running BGP to the ISP, I would not advertise the public address into the private network or the private into the public. I would create a static route to the ISP and redistribute that route into OSPF. I think the Null0 interface is used when you are going to redistribute the private into the public network. You create a null interface matching your private network range and then you redistribute that into BGP.

mickey61
73 posts since 03-Nov-2009

Report Abuse

3. 25-May-2010 10:03 (in response to Keith Barker - CCIE RS/Security, CISSP, CCSI) Re: BGP and NAT

First of all, thank you so much for taking the time to answer my question in so much detail. So, the only route in R1's routing table that references any part of the public address space is the IP of the loopback, and that is the only route it is advertising to R3 via BGP. But don't you need to advertise the whole public address space allocated to R1 via BGP to the outside world, even though the routes it has to its LANs will be the private prefixes and the public equivalents won't be in the routing table? Are you somehow configuring the IP of the loopback to advertise the whole public address space, and overcoming the requirement for the route to be in R1's routing table in order to be advertisable via BGP that way?

Duane, CCNA
76 posts since 18-Dec-2009

Report Abuse

4. 25-May-2010 10:23 (in response to mickey61) Re: BGP and NAT

Hey Mickey, I don't want to advertise the private IP space publicly, I want to advertise my allocated public address space. But if my router is performing NAT then all of its connected LANs will be using the private IP addresses, so the routes in its routing table will reference the private subnets, not their public equivalents. If a route has to be in the routing table to be advertised via BGP, how do you get the public routes in the routing table (or a public summary route) so they can be advertised?

Duane, CCNA
76 posts since 18-Dec-2009

Report Abuse

5. 25-May-2010 10:46 (in response to Duane, CCNA)

Helpful Answer Re: BGP and NAT

Keith Barker - CCIE RS/Security, CISSP, CCSI


4,895 posts since 03-Jul-2009

So, the only route in R1's routing table that references any part of the public address space is the IP of the loopback, and that is the only route it is advertising to R3 via BGP. But don't you need to advertise the whole public address space allocated to R1 via BGP to the outside world, even though the routes it has to its LANs will be the private prefixes and the public equivalents won't be in the routing table? Are you somehow configuring the IP of the loopback to advertise the whole public address space, and overcoming the requirement for the route to be in R1's routing table in order to be advertisable via BGP that way?

Let's say that on R1, the 78.52.33.0/24 network represents the globally reachable network block of addresses that has been assigned to ACME Inc, who has the single BGP router R1. Let's also say that R1 has multiple BGP neighbors, who are advertising their network address blocks as well. When R1 sends BGP updates to its neighbors, it will advertise 78.52.33.0/24 as reachable, as well as other networks it has learned from other BGP neighbors. The best path to the networks advertised by our BGP neighbors will be automatically placed in the routing table. I modified the configuration, so that R1 only has a neighbor of R2, and R3 only has a neighbor of R2.

On R2, notice that the BGP advertised route from R1, shows up in the routing table.
R2#show ip route bgp
     78.0.0.0/24 is subnetted, 1 subnets
B       78.52.33.0 [200/0] via 10.0.0.1, 00:10:00
R2#show ip bgp summary
BGP router identifier 2.2.2.2, local AS number 13
BGP table version is 4, main routing table version 4
1 network entries using 120 bytes of memory
1 path entries using 52 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 452 total bytes of memory
BGP activity 1/0 prefixes, 2/1 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.1        4    13      23      22        4    0    0 00:12:07        1
23.0.0.3        4    13      16      17        4    0    0 00:13:47        0
R2#

R2#show ip bgp
BGP table version is 4, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i78.52.33.0/24    10.0.0.1                 0    100      0 i

R2 will forward the network it learned from R1 to R3.


R3#show ip route bgp
     78.0.0.0/24 is subnetted, 1 subnets
B       78.52.33.0 [200/0] via 10.0.0.1, 00:11:12
R3#show ip bgp summary
BGP router identifier 3.3.3.3, local AS number 13
BGP table version is 2, main routing table version 2
1 network entries using 120 bytes of memory
1 path entries using 52 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP rrinfo entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 444 total bytes of memory
BGP activity 1/0 prefixes, 1/0 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
23.0.0.2        4    13      16      15        2    0    0 00:12:58        1

R3#show ip bgp
BGP table version is 2, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i78.52.33.0/24    10.0.0.1                 0    100      0 i
R3#

Now, when anyone on the planet tries to forward a packet to the network 78.52.33.0/24, that packet will be forwarded to R1. For network 78.52.33.0/24, we have 254 host addresses, and behind each one of those, R1 could be using PAT to hide thousands of private IP addressed hosts. The current version of IOS doesn't require a BGP route to also be learned by an IGP before being added to the routing table. (the "no synchronization" command is set by default with current IOS, causing this default behavior). Just the BGP learned routes in the routing table are passed on to other BGP routers, including any local networks that we have specifically included via the network statement inside the BGP router configuration. Does that help? Keith

Report Abuse

6. 25-May-2010 11:14 (in response to Keith Barker - CCIE RS/Security, CISSP, CCSI) Re: BGP and NAT

Hey Keith, That sort of helps. I know R1 will advertise the routes it learns via BGP, but it also has to advertise its connected routes. Since R1 is performing NAT, those connected routes will be private subnets, and those are the routes that will populate R1's routing table. However, we don't want to advertise those private subnets via BGP, we want to use their public translations, which will NOT appear in R1's routing table and will therefore not be advertisable. So how do we get the routes to the public subnets (or a summary route for the allocated public address block) into the routing table so R1 can advertise that rather than the connected routes it actually has in the table?

Duane, CCNA
76 posts since 18-Dec-2009

Report Abuse

7. 25-May-2010 11:19 (in response to Duane, CCNA) Re: BGP and NAT

Keith Barker - CCIE RS/Security, CISSP, CCSI


4,895 posts since 03-Jul-2009

I know R1 will advertise the routes it learns via BGP, but it also has to advertise its connected routes.

R1 will not include ANY connected networks (routes) by default. It is the network statement, inside of BGP, that is the selector of which connected networks are added. If R1 wanted to add a network that was not directly connected, we could create a static route and redistribute the static route into BGP to then advertise it. So in short, in the original example, R1 is directly connected to the 10 network, but is not advertising that route via BGP to anyone else. Keith

Report Abuse

8. 25-May-2010 11:32 (in response to Keith Barker - CCIE RS/Security, CISSP, CCSI) Re: BGP and NAT

OK, but if R1 is the edge router for an enterprise, and you want to advertise your publicly allocated address space to your BGP neighbors so you can be found on the Internet, and all of your internal routes in your routing table refer to private prefixes because you are performing NAT, how do you do it?

Duane, CCNA
76 posts since 18-Dec-2009

Report Abuse

9. 25-May-2010 12:35 (in response to Duane, CCNA) Re: BGP and NAT

Keith Barker - CCIE RS/Security, CISSP, CCSI


4,895 posts since 03-Jul-2009

If all of your internal routes in your routing table refer to private prefixes because you are performing NAT, how do you do it?

Quoted from the previous post: " If R1 wanted to add a network that was not directly connected, we could create a static route, and redistribute the static route into BGP to then advertise it." The static route would be for the network we want to redistribute into BGP, so it would then be advertised. By adding the static route, it would also be in the routing table as well. Keith.

Report Abuse

10. 25-May-2010 13:03 (in response to Keith Barker - CCIE RS/Security, CISSP, CCSI) Re: BGP and NAT

Thanks for sticking with me Keith! Sorry, I don't mean to be a pest. OK, so let's say you have been allocated the public IP address block 128.1.64.0/18 for your enterprise. Those addresses are your NAT pool. You are assigning addresses from the private IP address block 10.0.0.0/18 to your hosts. Your edge router is performing NAT. You want to advertise 128.1.64.0/18 to your edge router's BGP neighbors, but no routes to that network exist in its routing table, because all of its routes to the internal enterprise network refer to NAT translations and list subnets of 10.0.0.0/18. When you configure the network 128.1.64.0 mask 255.255.192.0 command for BGP, it won't be advertised, because no routes to that network exist in the routing table. So you need to add a route to 128.1.64.0/18 in your edge router's routing table to get the BGP advertisement you've configured to work. Odom mentions configuring a static route, as you've suggested, referring to null0 as the outgoing interface, just to get that network in the routing table. But if you do that, would the router discard an incoming packet destined for that network before translating the IP address and routing it to the 10.0.0.0/18 network? And if so, are there other options to accomplish this?

Duane, CCNA
76 posts since 18-Dec-2009

Report Abuse

11. 25-May-2010 14:24 (in response to Duane, CCNA)

Correct Answer Re: BGP and NAT

Keith Barker - CCIE RS/Security, CISSP, CCSI


4,895 posts since 03-Jul-2009

Thanks for sticking with me Keith! Sorry, I don't mean to be a pest. So you need to add a route to 128.1.64.0/18 in your edge router's routing table to get the BGP advertisement you've configured to work. Odom mentions configuring a static route, as you've suggested, referring to null0 as the outgoing interface, just to get that network in the routing table. But if you do that, would the router discard an incoming packet destined for that network before translating the IP address and routing it to the 10.0.0.0/18 network? And if so, are there other options to accomplish this?

Ok - New topology.

AS2 owns the network space of 128.1.64.0/18, and just for fun let's say that not a single PC or router really has an IP address configured in that address space. There is a device at 10.0.0.1/18, located somewhere to the left of R1 (actually, it is a loopback on R1). R2 is doing NAT for anyone in the 10.0.0.0/18 network, and we have decided to give every device its own NAT address, and we will use our entire available block for this.
ip nat pool MYPOOL 128.1.64.1 128.1.127.254 prefix-length 18
ip nat inside source list 1 pool MYPOOL
!
access-list 1 permit 10.0.0.0 0.0.63.255
!

On R2, we create the static route for our block of addresses, and we add that into BGP.

router bgp 2
 no synchronization
 bgp log-neighbor-changes
 network 128.1.64.0 mask 255.255.192.0
 neighbor 23.0.0.3 remote-as 3
 no auto-summary
!
ip route 128.1.64.0 255.255.192.0 Null0
!

Then we telnet from the device that has the IP address of 10.0.0.1 (R1):

R1#telnet 23.0.0.3 /source-interface loopback1
Trying 23.0.0.3 ... Open

R3#who
    Line       User       Host(s)              Idle       Location
*  98 vty 0               idle                 00:00:00 128.1.64.1

  Interface    User               Mode         Idle     Peer Address
R3#

R3 sees the client as the NAT address of 128.1.64.1. The routing table of R3 looks like this:

R3#show ip bgp
BGP table version is 2, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 128.1.64.0/18    23.0.0.2                 0             0 2 i
R3#show ip route bgp
     128.1.0.0/18 is subnetted, 1 subnets
B       128.1.64.0 [20/0] via 23.0.0.2, 00:29:06
R3#

The NAT table on R2 looks like this:

R2#show ip nat trans
R2#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 128.1.64.1:48233   10.0.0.1:48233     23.0.0.3:23        23.0.0.3:23
--- 128.1.64.1         10.0.0.1           ---                ---
R2#

The routing table on R2 looks like this:

R2#show ip route | begin resort
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/11] via 172.16.0.1, 00:32:48, FastEthernet0/0
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback0
     23.0.0.0/24 is subnetted, 1 subnets
C       23.0.0.0 is directly connected, FastEthernet0/1
C    172.16.0.0/16 is directly connected, FastEthernet0/0
     128.1.0.0/18 is subnetted, 1 subnets
S       128.1.64.0 is directly connected, Null0
O    9.0.0.0/8 [110/20] via 172.16.0.1, 00:32:48, FastEthernet0/0
     10.0.0.0/32 is subnetted, 1 subnets
O       10.0.0.1 [110/11] via 172.16.0.1, 00:32:48, FastEthernet0/0
R2#

Here is the order of operations table for NAT, as well:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

When translating from global to local addresses, the NAT is done before the routing, and that would explain why the packet isn't dropped.

This was a fun exercise. If the question is answered, please indicate it. Otherwise, what questions do you have?

Best wishes,
Keith

Report Abuse
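The accepted answer above turns on the Cisco NAT order of operations: for a packet arriving on the outside interface the router translates the destination from inside-global to inside-local before it does the routing lookup, so the lookup is on 10.0.0.1, not on an address covered by the Null0 route; for a packet leaving the inside interface it routes first and translates afterwards. The following Python is an added example, not code from the thread or from Cisco, that models both directions on a copy of R2's state. The routes, the NAT pool (128.1.64.1 to 128.1.127.254), the ACL (10.0.0.0/18) and the packets are constructed from the R2 configuration and show output in this post; the one-to-one pool allocation is a simplification of IOS dynamic NAT.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not code from the original post. A toy model of the Cisco
# NAT order of operations the accepted answer relies on:
#   outside -> inside: translate global->local FIRST, then do the routing lookup
#   inside -> outside: routing lookup FIRST, then translate local->global
# Routes, pool and ACL are constructed to mirror R2 in this thread.


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: str  # next hop or exit interface; "Null0" means discard


# Constructed from R2's "show ip route" above (connected/OSPF/static entries).
RIB = [
    Route(ipaddress.ip_network("172.16.0.0/16"), "FastEthernet0/0"),
    Route(ipaddress.ip_network("10.0.0.1/32"), "172.16.0.1"),
    Route(ipaddress.ip_network("23.0.0.0/24"), "FastEthernet0/1"),
    Route(ipaddress.ip_network("128.1.64.0/18"), "Null0"),  # ip route ... Null0
]

# access-list 1 permit 10.0.0.0 0.0.63.255  ->  10.0.0.0/18
INSIDE_ACL = ipaddress.ip_network("10.0.0.0/18")
# ip nat pool MYPOOL 128.1.64.1 128.1.127.254 prefix-length 18
POOL_FIRST = ipaddress.ip_address("128.1.64.1")
POOL_LAST = ipaddress.ip_address("128.1.127.254")


@dataclass
class NatState:
    """One-to-one dynamic NAT table: inside global -> inside local."""
    table: dict = field(default_factory=dict)

    def local_for(self, global_ip):
        return self.table.get(global_ip)

    def global_for(self, local_ip):
        for g, l in self.table.items():
            if l == local_ip:
                return g
        cand = POOL_FIRST  # allocate the lowest free pool address
        while cand <= POOL_LAST:
            if str(cand) not in self.table:
                self.table[str(cand)] = local_ip
                return str(cand)
            cand += 1
        return None  # pool exhausted


def lookup(dst):
    """Longest-prefix match over RIB; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in RIB:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def outside_to_inside(nat, dst_global):
    """Packet from the outside interface: NAT first, then route.
    Returns (action, via_or_reason, destination after translation)."""
    dst = nat.local_for(dst_global) or dst_global  # global -> local, if an entry exists
    route = lookup(dst)                             # routing on the TRANSLATED address
    if route is None:
        return ("drop", "no route", dst)
    if route.via == "Null0":
        return ("drop", "Null0", dst)  # untranslated pool address: blackholed, not forwarded
    return ("forward", route.via, dst)


def inside_to_outside(nat, src_local, dst):
    """Packet from the inside interface: route first, then NAT.
    Returns (action, via_or_reason, source after translation)."""
    route = lookup(dst)                             # routing on the ORIGINAL destination
    if route is None or route.via == "Null0":
        return ("drop", route.via if route else "no route", src_local)
    src = src_local
    if ipaddress.ip_address(src_local) in INSIDE_ACL:  # only ACL-matched sources are translated
        src = nat.global_for(src_local)
        if src is None:
            return ("drop", "pool exhausted", src_local)
    return ("forward", route.via, src)


if __name__ == "__main__":
    nat = NatState()
    print(inside_to_outside(nat, "10.0.0.1", "23.0.0.3"))  # R1's telnet leaves as 128.1.64.1
    print(outside_to_inside(nat, "128.1.64.1"))            # reply is translated, then routed
    print(outside_to_inside(nat, "128.1.64.77"))           # no translation -> Null0 -> dropped
```

The third case is the security-relevant one: a packet for an address in the advertised /18 that has no active translation never gets rewritten, so the routing lookup hits the Null0 static and the edge router discards it instead of forwarding it anywhere (no loop toward a default route, no leak inward). The model also shows why the NAT ACL deserves the same scrutiny as the BGP policy: a source outside 10.0.0.0/18 is routed out untranslated, carrying its private address onto the outside link.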

12. 25-May-2010 15:49 (in response to Keith Barker - CCIE RS/Security, CISSP, CCSI) Re: BGP and NAT

NATting done before the routing. That answers it! Thanks for all your effort. I gave you the 2 helpfuls as well.

Duane, CCNA
76 posts since 18-Dec-2009

1992-2012 Cisco Systems Inc. All rights reserved.