Default Routing vs BGP

TuralLachinov
Level 1

Hello,

I have one problem. We have configured BGP on a Cisco Switch 6509E; the firewall module on the switch is doing NAT for all users,

but users are not getting to the internet yet. I do not know how to configure the 6509E to give internet access to users. If I point the default route to the FWSM,

then will BGP not work? If I use a default route, what is the meaning of BGP then?

I do not want to write a static route because BGP should work (4 ISPs for redundancy).

Please help with how to let users go out to the internet through BGP; NAT is being done on the firewall module on the 6509, routing is being done on the 6509,

how to configure it?

Regards

Tural L

4 Replies

Giuseppe Larosa
Hall of Fame

Hello Tural,

The FWSM is like a separate device within your C6500 anatomy.

The best way to advertise NAT pools should be the following:

On the supervisor/MSFC you configure static routes for the NAT pools with IP next hop = FWSM outside L3 interface.

Under router bgp you add network statements that match exactly (including the network mask) the static routes defined for the NAT pools.

Traffic coming from the internet has to be routed to the FWSM outside interface; the FWSM will perform NAT and after that it can route again to the MSFC on the FWSM inside to reach the inside local addresses.

In the opposite direction the opposite should happen:

traffic from internal networks has to be routed to the FWSM in order for NAT to be performed.

In order to achieve this, the detailed BGP table has to be separated from the internal network, otherwise the traffic will try to go to the internet bypassing the FWSM and the NAT operation.

To achieve this, (the internal-network-facing interfaces and FWSM inside) and (the interfaces facing the ISPs and the FWSM outside) have to be associated to different VRFs = two different routing tables.

Example:

VRF INSIDE includes interfaces facing the internal network and the FWSM inside.

You run your IGP in the VRF to learn about internal routes and you configure a static default route in VRF INSIDE pointing to the FWSM inside interface.

On the FWSM you configure static routes for internal networks pointing to the MSFC SVI connected to the FWSM inside interface.

On the FWSM you configure the static default route pointing to the MSFC SVI on the outside interface; this SVI is in the global routing table.

In this example the interfaces facing the ISPs and the one facing the FWSM outside are left in the global routing table.

The FWSM creates communication between the two separated routing tables. But use of the VRFs is mandatory to avoid NAT bypass.

Hope to help

Giuseppe
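A small route-lookup model of the NAT-bypass argument above, added here as an illustration and not part of the original thread or any Cisco code. It uses constructed prefixes and next-hop labels (assumptions, not addresses from the thread) to show why a single table with a default to the FWSM still lets BGP-learned specifics win, while a separate VRF INSIDE can only hand internal traffic to the FWSM.

```python
import ipaddress

# Constructed next-hop labels (assumptions for this example only).
FWSM_INSIDE = "fwsm-inside"
FWSM_OUTSIDE = "fwsm-outside"
ISP1 = "isp1"
INTERNAL_SVI = "internal-svi"


def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop); None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


# Case 1: one global table holding the default to the FWSM *and* the BGP-learned
# specifics toward the ISPs. Constructed prefixes: 198.51.100.0/24 is a route
# learned via BGP, 203.0.113.0/27 is the NAT pool advertised to the ISPs.
SINGLE_TABLE = [
    ("0.0.0.0/0", FWSM_INSIDE),
    ("198.51.100.0/24", ISP1),
    ("203.0.113.0/27", FWSM_OUTSIDE),
]

# Case 2: VRF INSIDE knows only internal networks plus a default to the FWSM;
# the global table keeps the ISP links, the NAT pool and the BGP routes.
VRF_INSIDE = [
    ("10.0.0.0/8", INTERNAL_SVI),
    ("0.0.0.0/0", FWSM_INSIDE),
]
GLOBAL = [
    ("198.51.100.0/24", ISP1),
    ("203.0.113.0/27", FWSM_OUTSIDE),
    ("0.0.0.0/0", ISP1),
]


def first_hop_single_table(dst):
    # Internal host's packet with a single table: the /24 beats the default,
    # so the packet heads to the ISP without ever crossing the FWSM (NAT bypass).
    return lookup(SINGLE_TABLE, dst)


def first_hop_vrf_inside(dst):
    # Same packet looked up in VRF INSIDE: the only exit is the FWSM inside leg.
    return lookup(VRF_INSIDE, dst)


def return_path_global(dst):
    # Traffic from the internet toward a NAT pool address lands on the FWSM outside leg.
    return lookup(GLOBAL, dst)
```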

Hello Giuseppe,

Thank you very much for the reply, you gave great information and I hope you gave me light to understand the configuration

that will let users not bypass NAT while exiting to the internet.

Just let me tell you that I do not have a dynamic IGP configured, because the 6509 is the only L3 device; if I configure it I have to configure the IGP on the FWSM and ASA (only for VPN) too.

I would be very happy if you give some config example!

My loopback IP is 91.240.27.1/128 (outside) which is my BGP peer, the default route is to one of the ISPs, and when I point the default route to the FWSM I lose connection to 91.240.27.1 from the internet.

Do you have config example for this issue pls?

Best Regards

Tural

Hello Tural,

I can provide two links to VRF lite:

http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/vrflitsb.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/vrf.html

that may be helpful; see the example of VRF lite in the second link, it may be easier. You don't need to leak routes between VRFs, just to divide the interfaces in two subsets and to have separate routing tables.

Example (following what I suggested in the previous post). Placeholders such as NAT-pool, FWSM-inside-IP and AS-number stand for your own values.

ip vrf INSIDE
 rd 1000:10
!

On each "internal" L3 interface you do the following (you have to do this for each client-facing SVI):

interface type x/y
 ip vrf forwarding INSIDE
 ! at this point you retype the ip address and mask
 ip address x.y.z.k 255.255.255.H

Static routes in the VRF require the vrf INSIDE keyword; the default points to the FWSM inside interface:

ip route vrf INSIDE 0.0.0.0 0.0.0.0 FWSM-inside-IP

On the main global routing table you keep the ISP connections and the link to the FWSM outside:

ip route NAT-pool NAT-pool-mask FWSM-outside-IP
!
router bgp AS-number
 network NAT-pool mask NAT-pool-mask

And a link to the FWSM configuration guide 4.0:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/intro_f.html

Hope to help

Giuseppe

Thank you very much Giuseppe,

It helped me. I have already configured the VRF and two different routing tables and it worked, but for internal routing I configured OSPF.

Regards

Tural L
