BGP/NAT issue with additional public IP range

Drake22x
Level 1

I have this peculiar problem and I hope somebody could shed some light on it.

I was running out of public IP addresses, so I ordered a new /27 range from the ISP, so I could do more NAT, but somehow I am failing to make it work. Really looking for some help.

The topology is as follows:

Internet --> L2 switch --> Router (NAT) --> L3 switch --> Server

The config I have is as follows:

Router:

interface GigabitEthernet0/0/0.423
description *** VPN LINK ***
encapsulation dot1Q 423
ip vrf forwarding INTERNET
ip address X.X.X.163 255.255.255.240
crypto map CM
end

interface GigabitEthernet0/0/2.423
description *** NAT/INTERNET LINK ***
encapsulation dot1Q 423
ip address X.X.X.162 255.255.255.240
ip nat outside
end

ip route vrf INTERNET 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0.423 X.X.X.161
ip route vrf INTERNET Y.Y.Y.192 255.255.255.224 Null0 name **NEW_RANGE**

!

--->> natting that works:

ip nat pool Client_1_Address X.X.X.164 X.X.X.164 prefix-length 28
ip nat pool Client_2_Address X.X.X.165 X.X.X.165 prefix-length 28

ip nat inside source list RFC pool Client_1_Address vrf CUST1 overload
ip nat inside source list RFC pool Client_2_Address vrf CUST2 overload

--->> natting that doesn't work:

ip nat pool Client_20_Address Y.Y.Y.192 Y.Y.Y.192 prefix-length 27
ip nat pool Client_21_Address Y.Y.Y.193 Y.Y.Y.193 prefix-length 27

ip nat inside source list RFC pool Client_20_Address vrf CUST20 overload
ip nat inside source list RFC pool Client_21_Address vrf CUST21 overload

BGP config:

router bgp NNNN1
bgp router-id vrf auto-assign
bgp log-neighbor-changes
!
address-family ipv4 vrf INTERNET
redistribute static
neighbor X.X.X.161 remote-as NNNN2
neighbor X.X.X.161 ebgp-multihop 10
neighbor X.X.X.161 update-source GigabitEthernet0/0/0.423
neighbor X.X.X.161 timers 10 30
neighbor X.X.X.161 activate
neighbor X.X.X.161 prefix-list FILTER_ROUTES in
neighbor X.X.X.161 prefix-list PUBLIC_ADDRESSES out
default-information originate

!

ip prefix-list PUBLIC_ADDRESSES seq 5 permit Y.Y.Y.192/27 le 32

ip prefix-list FILTER_ROUTES seq 5 deny 0.0.0.0/0 le 32

The ISP have confirmed that they can see the new range being advertised, and I have also tested that it works if I were to assign one of the new public IPs to a loopback on the router, but when I try to assign that address to the server and NAT it, the server loses its Internet connection. However, if I flick the NAT back onto the old public IP range, it works instantly.

Router#sh ip bgp vpnv4 vrf INTERNET neighbors X.X.X.161 advertised-routes
BGP table version is 61, local router ID is X.X.X.163

Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: NNNN1:1 (default for vrf INTERNET) VRF Router ID X.X.X.163
*> Y.Y.Y.192/27 0.0.0.0 0 NNNN2 ?

Total number of prefixes 1

Many thanks to anybody who can offer some advice

6 Replies

Drake22x
Level 1

Does anyone have any ideas how to make this work please?

Hello,

Edit: Don't know what my initial reply was about. Disregard. I'll try to look more into it but for now your config is looking solid to me. 

Edit2: What are you trying to block with ip prefix-list FILTER_ROUTES seq 5 deny 0.0.0.0/0 le 32? Doesn't this block everything advertised from neighbor x.x.x.161? If you wanted to block only default route, it would be:

ip prefix-list FILTER_ROUTES seq 5 deny 0.0.0.0/0

ip prefix-list FILTER_ROUTES seq 10 permit 0.0.0.0/0 le 32

Would you also be able to provide the output for the RFC ACL?

Hey dperezoquendo, thank you for having a look for me.

The idea of that prefix-list was to block anything coming from the ISP to prevent them accidentally sending wrong routes to me and taking the network down. I am the one advertising the new range to the ISP, so that shouldn't cause the issue.

This is what the ISP is seeing when I asked them to show ip route for the new IP I assigned to a host:

edge12#show ip route Y.Y.Y.218
Routing entry for Y.Y.Y.192/27
Known via "bgp NNNN1", distance 20, metric 0
Tag NNNN2, type external
Redistributing via ospf 100
Advertised by ospf 100 subnets route-map ospf_frombgp
Last update from X.X.X.163 02:20:58 ago
Routing Descriptor Blocks:
* X.X.X.163, from X.X.X.163, 02:20:58 ago
Route metric is 0, traffic share count is 1
AS Hops 1
Route tag NNNN2

and this is the RFC acl:

Extended IP access list RFC
10 permit ip 10.0.0.0 0.255.255.255 any
20 permit ip 172.16.0.0 0.15.255.255 any
30 permit ip 192.168.0.0 0.0.255.255 any

Thanks
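The two filters discussed in this thread, the FILTER_ROUTES prefix-list question in the reply above and the RFC access list just posted, are both "first match wins, implicit deny at the end" lists, but they match in different ways: a prefix-list compares a whole prefix against a prefix plus an optional ge/le length range, while a standard/extended ACL compares an address against a network and a wildcard mask. The Python below models both so the difference between "deny 0.0.0.0/0 le 32" (matches every prefix) and an exact "deny 0.0.0.0/0" (matches only the default route) can be seen directly. This is an added illustration written for this page, not code from the router or from anyone in the thread; 203.0.113.192/27 is a documentation prefix standing in for the masked Y.Y.Y.192/27 range, and the ge/le semantics are the standard IOS ones (no ge/le means exact length, "le M" means lengths L..M, "ge G" means G..32).

```python
"""Model of how IOS evaluates a prefix-list (with ge/le) and a wildcard-mask
ACL. Added illustration for this thread, not the router's own code; the
203.0.113.192/27 prefix stands in for the masked Y.Y.Y.192/27 range."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class PrefixEntry:
    """One 'ip prefix-list NAME seq N permit|deny A/L [ge G] [le M]' line."""
    action: str
    prefix: IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, net: IPv4Network) -> bool:
        # The candidate must lie inside the entry's prefix ...
        if not net.subnet_of(self.prefix):
            return False
        # ... and its mask length must fall in the range the entry allows:
        # no ge/le -> exact length only; 'le M' -> L..M; 'ge G' -> G..32.
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = 32
        else:
            hi = self.prefix.prefixlen
        return lo <= net.prefixlen <= hi


def evaluate_prefix_list(entries: List[PrefixEntry], prefix: str) -> str:
    """First matching entry wins; every prefix-list ends with an implicit deny."""
    net = ip_network(prefix, strict=False)
    for entry in entries:
        if entry.matches(net):
            return entry.action
    return "deny"


# As posted: 'deny 0.0.0.0/0 le 32' covers every prefix of every length.
FILTER_ROUTES_ORIG = [PrefixEntry("deny", ip_network("0.0.0.0/0"), le=32)]
# As suggested for "block only the default route": an exact-match deny
# for 0.0.0.0/0 followed by a permit of everything else.
FILTER_ROUTES_DEFAULT_ONLY = [
    PrefixEntry("deny", ip_network("0.0.0.0/0")),
    PrefixEntry("permit", ip_network("0.0.0.0/0"), le=32),
]
# 'permit Y.Y.Y.192/27 le 32', with a documentation prefix standing in for Y.Y.Y.
PUBLIC_ADDRESSES = [PrefixEntry("permit", ip_network("203.0.113.192/27"), le=32)]


@dataclass
class AclEntry:
    """One 'permit ip A W any' line: W is a wildcard mask, 1 bits are don't-care."""
    action: str
    network: IPv4Address
    wildcard: IPv4Address

    def matches(self, src: IPv4Address) -> bool:
        care = 0xFFFFFFFF ^ int(self.wildcard)   # bits that must be equal
        return (int(src) & care) == (int(self.network) & care)


def evaluate_acl(entries: List[AclEntry], src: str) -> str:
    """First match wins; an IOS ACL ends with an implicit deny."""
    addr = ip_address(src)
    for entry in entries:
        if entry.matches(addr):
            return entry.action
    return "deny"


# The 'RFC' ACL from the thread: the three RFC 1918 ranges, any destination.
RFC = [
    AclEntry("permit", ip_address("10.0.0.0"), ip_address("0.255.255.255")),
    AclEntry("permit", ip_address("172.16.0.0"), ip_address("0.15.255.255")),
    AclEntry("permit", ip_address("192.168.0.0"), ip_address("0.0.255.255")),
]


if __name__ == "__main__":
    for pl_name, pl in (("FILTER_ROUTES as posted", FILTER_ROUTES_ORIG),
                        ("FILTER_ROUTES default-only", FILTER_ROUTES_DEFAULT_ONLY)):
        for p in ("0.0.0.0/0", "10.0.0.0/8", "203.0.113.0/24"):
            print(f"{pl_name}: {p} -> {evaluate_prefix_list(pl, p)}")
    for p in ("203.0.113.192/27", "203.0.113.200/29", "203.0.113.160/27"):
        print(f"PUBLIC_ADDRESSES: {p} -> {evaluate_prefix_list(PUBLIC_ADDRESSES, p)}")
    for s in ("10.1.2.3", "172.31.255.1", "172.32.0.1", "192.168.1.1", "8.8.8.8"):
        print(f"RFC: {s} -> {evaluate_acl(RFC, s)}")
```

Running it shows that the posted FILTER_ROUTES denies 10.0.0.0/8 as readily as it denies 0.0.0.0/0, while the two-line version denies only the default route; PUBLIC_ADDRESSES accepts the /27 and any longer prefix inside it (the "le 32") but not an adjacent /27 or the enclosing /24. The RFC ACL check also makes the wildcard arithmetic explicit: 172.31.255.1 falls inside 172.16.0.0 0.15.255.255, 172.32.0.1 does not.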

Hmm..

Honestly, I may not be good enough to help you on this one.

Since you're the one advertising the new range, the Null0 route should be fine. Routing to the ISP appears to work as well. The RFC ACL looks good to me, and the same NAT config used on the original IP block appears to work just fine.

The only thing I can think of would be to do some debugging if you haven't done so yet. Try "debug ip nat detailed" and generate some traffic either via ping, telnet, etc., to get some information.

Have you also tried clearing the NAT translations after switching to the new block? 

Sorry if I am no more help. 

Hey man, just wanted to say thanks for your help and to let you know that I have figured it out finally!

This was the fix:

router bgp NNNN1
bgp router-id vrf auto-assign
bgp log-neighbor-changes
!
address-family ipv4 vrf INTERNET
redistribute static
no neighbor X.X.X.161 remote-as NNNN2
no neighbor X.X.X.161 ebgp-multihop 10
no neighbor X.X.X.161 update-source GigabitEthernet0/0/0.423
no neighbor X.X.X.161 timers 10 30
no neighbor X.X.X.161 activate
no neighbor X.X.X.161 prefix-list FILTER_ROUTES in
no neighbor X.X.X.161 prefix-list PUBLIC_ADDRESSES out
default-information originate
exit-address-family
!
address-family ipv4
redistribute static
neighbor X.X.X.161 remote-as NNNN2
neighbor X.X.X.161 ebgp-multihop 10
neighbor X.X.X.161 update-source GigabitEthernet0/0/2.423
neighbor X.X.X.161 timers 10 30
neighbor X.X.X.161 activate
neighbor X.X.X.161 prefix-list FILTER_ROUTES in
neighbor X.X.X.161 prefix-list PUBLIC_ADDRESSES out

exit-address-family
!
no ip route vrf INTERNET Y.Y.Y.192 255.255.255.224 Null0

Nice! Interesting resolution! Glad you got it figured out. I really appreciate you updating me on this.
