Cisco ASA for Nexus 1000V Series Switch Technical Manual

and PIX2 are not configured to perform Network Address Translation (NAT).
Scenario 1
In this scenario, Router12 in AS 64496 does external BGP (eBGP) peering with Router14 (ISP-A) in AS
64500. Router12 also does internal BGP (iBGP) peering with Router11 through PIX1. If eBGP learned routes
from ISP-A are present, Router12 announces a default route 0.0.0.0/0 on iBGP to Router11. If the link to
ISP-A fails, Router12 stops announcing the default route.
Similarly, Router22 in AS 64496 does eBGP peering with Router24 (ISP-B) in AS 64503 and announces a
default route on iBGP to Router21 conditionally based on the presence of ISP-B routes in its routing table.
Through the use of an access list, PIX1 and PIX2 are configured to allow the BGP traffic (TCP, port 179)
between iBGP peers. The access list is required because each PIX interface has an associated security level.
By default, the inside interface (ethernet1) has a security level of 100 and the outside interface (ethernet0)
has a security level of 0. Connections and traffic are normally permitted from higher to lower security level
interfaces. To permit traffic from a lower security level interface to a higher security level interface,
however, you must explicitly define an access list on the PIX. You must also configure a static NAT
translation on PIX1 and PIX2 to allow routers on the outside to initiate a BGP session with routers on the
inside of the PIX.
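The following is an added example, not part of the Cisco manual: a small audit that checks a PIX configuration for the narrow opening described above, that is, a TCP/179 permit bound inbound on the outside interface for exactly one peer pair, plus a static for the inside peer. The function names, the ACL name and the RFC 5737 addresses are assumptions, and the parser expects the basic `access-list`, `access-group` and `static` command forms.

```python
# Constructed sample for PIX1; addresses are RFC 5737 placeholders, not values
# from the manual: 192.0.2.1 = Router11 (inside), 192.0.2.2 = Router12 (outside).
SAMPLE_PIX1 = """\
access-list acl-bgp permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
access-group acl-bgp in interface outside
static (inside,outside) 192.0.2.1 192.0.2.1 netmask 255.255.255.255
"""
# Constructed weak variant: any source may reach TCP 179, and the static is missing.
WEAK_PIX1 = """\
access-list acl-bgp permit tcp any any eq bgp
access-group acl-bgp in interface outside
"""

def _addr(tok):
    """Consume one address spec from a token list: 'any', 'host A' or 'A MASK'."""
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    return f"{tok[0]} {tok[1]}", tok[2:]

def audit_bgp_opening(config, inside_peer, outside_peer):
    """Return findings about the outside-to-inside BGP permit and its static."""
    acls, bound, statics, findings = {}, None, set(), []
    for line in config.splitlines():
        t = [w for w in line.split() if w != "extended"]
        try:
            if t[:1] == ["access-list"] and t[2] == "permit":
                src, rest = _addr(t[4:])
                dst, rest = _addr(rest)
                port = rest[1] if rest[:1] == ["eq"] else None
                acls.setdefault(t[1], []).append((t[3], src, dst, port))
            elif t[:1] == ["access-group"] and t[2:] == ["in", "interface", "outside"]:
                bound = t[1]
            elif t[:2] == ["static", "(inside,outside)"]:
                statics.add(t[3])  # second address is the real (inside) host
        except IndexError:
            continue  # skip truncated lines rather than guess their meaning
    bgp = [e for e in acls.get(bound, []) if e[0] == "tcp" and e[3] in ("bgp", "179")]
    if not bgp:
        findings.append("no TCP/179 permit is bound inbound on the outside interface")
    for _, src, dst, _ in bgp:
        if (src, dst) != (outside_peer, inside_peer):
            findings.append(f"BGP permit wider than the peer pair: {src} -> {dst}")
    if inside_peer not in statics:
        findings.append(f"no static translation for inside peer {inside_peer}")
    return findings
```

An empty result for `SAMPLE_PIX1` means the opening matches the peer pair; `WEAK_PIX1` yields one finding for the `any any` permit and one for the missing static.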
Both Router11 and Router21 conditionally announce the default route into the Open Shortest Path First
(OSPF) domain based on the iBGP-learned default route. Router11 announces the default route into the OSPF
domain with a metric of 5 and Router21 announces it with a metric of 30, so the default route from Router11
is preferred. This configuration helps propagate only the default route 0.0.0.0/0 to Router11 and Router21,
which conserves memory on the inside routers and achieves optimum performance.
Thus, to summarize these conditions, this is the routing policy for AS 64496:
• AS 64496 prefers the link from Router12 to ISP-A for all outbound traffic (from 192.168.10.0/24 to
the Internet).
• If connectivity to ISP-A fails, all traffic is routed via the link from Router22 to ISP-B.
• All traffic that comes from the Internet to 192.168.10.0/24 uses the link from ISP-A to Router12.
• If the link from ISP-A to Router12 fails, all inbound traffic is routed via the link from ISP-B to
Router22.