RE: BGP in promiscuous/passive mode!

From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Wed Dec 31 2003 - 01:03:40 GMT-3


Nathasha,

        Actually yes you can do this (in a way) with NAT. The following
configuration can be used to set a router in BGP "promiscuous" mode. While
completely impractical, this is a fun (yes I said fun) exercise in IOS
logic.

R1--R3--RX

        R1 will be our "promiscuous" router. R3 will be a staging device
for address translation, and RX is one or more devices that want to create a
BGP session with R1.

        First, R1 is configured with various neighbor statements that will
be used when one or more devices want to initiate a BGP session. This
configuration cannot occur without these neighbor statements. A random
remote-as value of 2 has been chosen. Devices that want to peer with R1
will need to know that R1 is expecting their AS number to be 2.

R1:
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Serial0/1
 description TO R3
 ip address 13.0.0.1 255.0.0.0
!
router bgp 1
 neighbor PSEUDO_PEERS peer-group
 neighbor PSEUDO_PEERS remote-as 2
 neighbor PSEUDO_PEERS ebgp-multihop 255
 neighbor PSEUDO_PEERS update-source Loopback0
 neighbor 13.0.0.100 peer-group PSEUDO_PEERS
 neighbor 13.0.0.101 peer-group PSEUDO_PEERS
 neighbor 13.0.0.102 peer-group PSEUDO_PEERS
 neighbor 13.0.0.103 peer-group PSEUDO_PEERS
 neighbor 13.0.0.104 peer-group PSEUDO_PEERS
 neighbor 13.0.0.105 peer-group PSEUDO_PEERS
 neighbor 13.0.0.106 peer-group PSEUDO_PEERS
 neighbor 13.0.0.107 peer-group PSEUDO_PEERS
 neighbor 13.0.0.108 peer-group PSEUDO_PEERS
 neighbor 13.0.0.109 peer-group PSEUDO_PEERS

        Now R1 is expecting a BGP session from any of these addresses. Now
all we need to do is intercept BGP traffic on R3 that is going to R1 and
translate it.

R3:
interface Serial1/2
 description TO R1
 ip address 13.0.0.3 255.0.0.0
 ip nat outside
!
interface Serial1/3
 description TO RX
 ip address 23.0.0.3 255.0.0.0
 ip nat inside
!
ip nat pool PSEUDO_PEERS 13.0.0.100 13.0.0.109 netmask 255.0.0.0
ip nat inside source list BGP_TRAFFIC_TO_TRANSLATE pool PSEUDO_PEERS
!
ip access-list extended BGP_TRAFFIC_TO_TRANSLATE
 permit tcp any host 1.1.1.1 eq bgp

        Now any BGP traffic that is destined for R1 will be translated to
one of the addresses that R1 is expecting. Now for the config on RX. This
will simply specify R1 as a peer, and include the fact that R1 expects RX's
ASN to be 2.

RX:
router bgp 12345
 neighbor 1.1.1.1 remote-as 1
 neighbor 1.1.1.1 local-as 2
 neighbor 1.1.1.1 ebgp-multihop 255

RX#sh ip bgp sum
BGP router identifier 23.0.0.2, local AS number 12345
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4     1      21      21        1    0    0 00:17:58        0

        As long as R1 has a default route to the staging router it will
accept a BGP session from anyone who tries to initiate it.

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 708-362-1418 (Outside the US and Canada)
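A small Python model of the translation and acceptance logic Brian describes, added here as an illustration and not code from his post or from IOS. It assumes the pool, ACL, neighbor list and remote-as exactly as configured above, and shows two consequences the configs imply: only as many peers as pool addresses can be up at once, and a peer that does not present AS 2 is refused even though its packets were translated.

```python
# Constructed model of R3's dynamic inside-source NAT plus R1's neighbor check.
# Values mirror the thread's configs; the session logic is simplified.
R1_LOOPBACK = "1.1.1.1"
R1_REMOTE_AS = 2                                       # neighbor PSEUDO_PEERS remote-as 2
NAT_POOL = [f"13.0.0.{i}" for i in range(100, 110)]    # ip nat pool PSEUDO_PEERS 13.0.0.100 13.0.0.109
R1_NEIGHBORS = set(NAT_POOL)                           # one neighbor statement per pool address


def acl_matches(src, dst, proto, dport):
    """ip access-list extended BGP_TRAFFIC_TO_TRANSLATE: permit tcp any host 1.1.1.1 eq bgp"""
    return proto == "tcp" and dst == R1_LOOPBACK and dport == 179


class StagingRouter:
    """R3: dynamic NAT keeps one inside-local -> inside-global mapping per inside host."""

    def __init__(self):
        self.mappings = {}

    def translate(self, src, dst, proto, dport):
        if not acl_matches(src, dst, proto, dport):
            return src                       # not BGP to the loopback: forwarded untranslated
        if src in self.mappings:
            return self.mappings[src]        # existing mapping is reused
        free = [a for a in NAT_POOL if a not in self.mappings.values()]
        if not free:
            return None                      # pool exhausted: packet is dropped
        self.mappings[src] = free[0]
        return free[0]


def r1_accepts_open(translated_src, peer_as):
    """R1 only brings up sessions from configured neighbors that announce the expected AS."""
    return translated_src in R1_NEIGHBORS and peer_as == R1_REMOTE_AS


def simulate(peers):
    """peers: list of (inside address, AS the peer announces in its OPEN). Returns outcome per peer."""
    r3 = StagingRouter()
    results = {}
    for src, asn in peers:
        t = r3.translate(src, R1_LOOPBACK, "tcp", 179)
        if t is None:
            results[src] = "dropped:pool-exhausted"
        elif r1_accepts_open(t, asn):
            results[src] = "established"
        else:
            results[src] = "rejected:bad-as"   # RX without "local-as 2" lands here
    return results
```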

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Nathasha Aleyevka
> Sent: Monday, December 29, 2003 11:44 PM
> To: ccielab@groupstudy.com
> Subject: BGP in promiscuous/passive mode!
>
> Good Evening All,
>
>
> I have 2 questions regarding BGP:
>
> a) I would like to establish a BGP session between two routers
> R1 in AS10 and R2 in AS20(Central site), I can configure R1 with the
> neighbor 1.1.1.2 remote-as 20 command, is it possible to configure R2 in a
> promiscuous mode so it will establish a session with R1/x without entering
> the neighbor commands on R2?
>
> R1                               R2
> int e0                           int e0
>  ip address 1.1.1.1/24            ip address 1.1.1.2/24
> router bgp 10
>  neighbor 1.1.1.2 remote-as 20
> ===========================================================
>
> b) I only want R1 to be able to start a BGP session with R2, destination
> port 179.
> By using a local policy & route-map on R2 with an outbound access-list,
> applied to R2's E0, here is what I got:
> IP: s=1.1.1.1 (Ethernet0), d=1.1.1.2 (Ethernet0), len 60, rcvd 3
> TCP src=11009, dst=179, seq=2156087920, ack=0, win=16384 SYN
> IP: s=1.1.1.1 (Ethernet0), d=1.1.1.2 (Ethernet0), len 60, rcvd 3
> TCP src=11009, dst=179, seq=2156087921, ack=2260118643, win=16384 ACK
> IP: s=1.1.1.1 (Ethernet0), d=1.1.1.2 (Ethernet0), len 99, rcvd 3
> TCP src=11009, dst=179, seq=2156087921, ack=2260118643, win=16384 ACK PSH
> IP: s=1.1.1.1 (Ethernet0), d=1.1.1.2 (Ethernet0), len 73, rcvd 3
> TCP src=11009, dst=179, seq=2156087966, ack=2260118672, win=16355 ACK
> PSH su
> BGP table version is 1, main routing table version 1
> Having said that, it seems to me that the router initiating the
> TCP connection in the above scenario is router R1, but the BGP session is
> started by R2.
>
> If router R1 were to initiate a BGP session, the second line should look like
> IP: s=1.1.1.1 (Ethernet0), d=1.1.1.2 (Ethernet0), len 60, rcvd 3
> TCP src=179, dst=11016, seq=2918566711, ack=3022616789, win=16384 ACK SYN
> therefore the configuration should be done on the router which stops
> traffic going to port 179
>
> Am I reading this correctly? Thank you
> Nathasha



This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:46 GMT-3