BGP and NAT configuration
msg# 1
AKvolt
Posts: 5
This isn't about a ping-t question, but
I got stuck while doing a lab test and would appreciate some guidance.
The issue is that when I configure static NAT and BGP on a single router, the BGP peer cannot be established.
(No BGP-related packets are being sent or received at all.)
What I know is that if I remove the "ip nat outside" command the BGP peer comes up, and when I put it back in, it drops again.
Why do BGP packets stop being sent and received the moment I add "ip nat outside"?
Incidentally, the debug log shows the output below, so my understanding is that the session was dropped because no Keepalive was received within the Hold time.
%BGP-3-NOTIFICATION: received from neighbor 1.1.1.1 4/0 (hold time expired) 0 bytes
The topology is as follows.
R2(Gi0/1)−−(Gi0/1)NATRouter(Gi0/0)−−R1
-----Config excerpt---
[R2]
interface GigabitEthernet0/1
ip address 1.1.1.2 255.255.255.252
duplex auto
speed auto
media-type rj45
router bgp 20
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 10
[NATRouter]
interface GigabitEthernet0/0
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
interface GigabitEthernet0/1
ip address 1.1.1.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
router bgp 10
bgp log-neighbor-changes
neighbor 1.1.1.2 remote-as 20
ip nat inside source static 192.168.1.1 1.1.1.1
[R1]
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
Sorry for the trouble, but any guidance would be appreciated.
Re: BGP and NAT configuration
msg# 1.1
slachet
Posts: 4
I think it's because NAT is sending the BGP packets toward the inside side.
The BGP packets R2 sends are destined to 1.1.1.1, and the NAT router is translating 192.168.1.1 to 1.1.1.1, so when the NAT router receives a packet destined to 1.1.1.1 it naturally translates it (in reverse) to 192.168.1.1 and forwards it to the inside side. I think this stems from NAT taking precedence over BGP.
Apologies if I'm mistaken.
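The order of operations slachet describes, as an added example that is not part of the thread: a small Python model of Cisco IOS's documented outside-to-inside handling (translate first, then route) applied to the NATRouter config from msg# 1. The `Router` and `StaticNat` classes are hypothetical model code, not IOS. The port-restricted mapping in the third scenario (`ip nat inside source static tcp 192.168.1.1 80 1.1.1.1 80`) is an assumed fix that nobody in the thread mentions; it redirects only TCP/80, so every other port on 1.1.1.1, including TCP/179, stays with the router.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class StaticNat:
    """One 'ip nat inside source static ...' entry (model, not IOS)."""
    inside_local: str
    inside_global: str
    proto: Optional[str] = None   # None: whole-address mapping; 'tcp'/'udp': port-restricted (assumed fix)
    port: Optional[int] = None


@dataclass
class Router:
    interfaces: Dict[str, Tuple[str, int]]   # name -> (address, prefix length)
    nat_outside: Set[str]                    # interfaces carrying 'ip nat outside'
    static_nat: List[StaticNat]

    def local_addresses(self) -> Set[str]:
        return {addr for addr, _ in self.interfaces.values()}

    def route(self, dst: str) -> Optional[str]:
        """Longest-prefix match over connected routes (this lab has no other routes)."""
        best = None
        for name, (addr, plen) in self.interfaces.items():
            if ip_address(dst) in ip_network(f"{addr}/{plen}", strict=False):
                if best is None or plen > best[1]:
                    best = (name, plen)
        return best[0] if best else None

    def receive(self, ingress: str, proto: str, dst: str, dport: int) -> Tuple:
        """Outside-to-inside order of operations: NAT first, then the routing lookup."""
        if ingress in self.nat_outside:
            for m in self.static_nat:
                whole = m.proto is None
                port_hit = m.proto == proto and m.port == dport
                if m.inside_global == dst and (whole or port_hit):
                    dst = m.inside_local        # inside global -> inside local rewrite
                    break
        if dst in self.local_addresses():
            return ("local", dst)               # handed to the router's own TCP stack (BGP listener)
        egress = self.route(dst)
        return ("forward", egress, dst) if egress else ("drop", dst)


def natrouter(static_nat, nat_outside=("GigabitEthernet0/1",)) -> Router:
    """NATRouter as posted: Gi0/0 192.168.1.254/24 inside, Gi0/1 1.1.1.1/30 outside."""
    return Router(
        interfaces={"GigabitEthernet0/0": ("192.168.1.254", 24),
                    "GigabitEthernet0/1": ("1.1.1.1", 30)},
        nat_outside=set(nat_outside),
        static_nat=list(static_nat),
    )


# R2's BGP SYN: arrives on Gi0/1, TCP to 1.1.1.1 port 179 (constructed packet)
BGP_SYN = ("GigabitEthernet0/1", "tcp", "1.1.1.1", 179)


def as_posted():
    """Thread config: whole-address static NAT onto the outside interface's own address."""
    return natrouter([StaticNat("192.168.1.1", "1.1.1.1")]).receive(*BGP_SYN)


def without_nat_outside():
    """The poster's observation: with 'ip nat outside' removed the peer comes up."""
    return natrouter([StaticNat("192.168.1.1", "1.1.1.1")], nat_outside=()).receive(*BGP_SYN)


def port_restricted():
    """Assumed fix (not in the thread): 'ip nat inside source static tcp 192.168.1.1 80 1.1.1.1 80'."""
    r = natrouter([StaticNat("192.168.1.1", "1.1.1.1", "tcp", 80)])
    return r.receive(*BGP_SYN), r.receive("GigabitEthernet0/1", "tcp", "1.1.1.1", 80)


if __name__ == "__main__":
    print("as posted:          ", as_posted())           # forwarded out Gi0/0 to 192.168.1.1
    print("no 'ip nat outside':", without_nat_outside())  # delivered locally
    print("port-restricted:    ", port_restricted())      # BGP local, port 80 forwarded
```

The first scenario reproduces the symptom in the thread: the router never sees R2's SYN on 1.1.1.1:179 because the translation table claims the whole address before the routing lookup runs, and the rewritten packet goes to R1, which has no BGP process. The same rewrite also hits the SYN/ACK that R2 returns for NATRouter's own active open, which is why both sides show "Active open failed".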
Re: BGP and NAT configuration
msg# 1.2
arashi1977
Location: Hiroshima
Posts: 1715
Quote:
The topology is as follows.
R2(Gi0/1)−−(Gi0/1)NATRouter(Gi0/0)−−R1

If you release information in dribs and drabs, you won't get an answer. At the very least, without
- R1's BGP configuration
- the routing table of each router
nothing can be determined from this alone.
Re: BGP and NAT configuration
msg# 1.2.1
AKvolt
Posts: 5
R1 has no BGP configuration.
The routing tables are as follows.
I've also pasted the output of other verification commands.
Sorry for the trouble, but please take a look.
[R2]
Gateway of last resort is not set
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/30 is directly connected, GigabitEthernet0/1
L 1.1.1.2/32 is directly connected, GigabitEthernet0/1
[NATRouter]
Gateway of last resort is not set
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/30 is directly connected, GigabitEthernet0/1
L 1.1.1.1/32 is directly connected, GigabitEthernet0/1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0/0
L 192.168.1.254/32 is directly connected, GigabitEthernet0/0
[R1]
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, GigabitEthernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0/0
L 192.168.1.1/32 is directly connected, GigabitEthernet0/0
NATRouter#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 1.1.1.1 192.168.1.1 --- ---
NATRouter#sh ip nat statistics
Total active translations: 2 (1 static, 1 dynamic; 1 extended)
Peak translations: 3, occurred 00:19:57 ago
Outside interfaces:
GigabitEthernet0/1
Inside interfaces:
GigabitEthernet0/0
Hits: 671 Misses: 0
CEF Translated packets: 19, CEF Punted packets: 0
Expired translations: 2
Dynamic mappings:
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
R2#sh ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/1 1.1.1.2 YES NVRAM up up
GigabitEthernet0/2 unassigned YES NVRAM administratively down down
GigabitEthernet0/3 unassigned YES NVRAM administratively down down
NATRouter#sh ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.254 YES NVRAM up up
GigabitEthernet0/1 1.1.1.1 YES NVRAM up up
GigabitEthernet0/2 unassigned YES NVRAM up up
GigabitEthernet0/3 unassigned YES NVRAM administratively down down
NVI0 192.168.1.254 YES unset up up
R1#sh ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.1 YES NVRAM up up
GigabitEthernet0/1 unassigned YES NVRAM administratively down down
GigabitEthernet0/2 unassigned YES NVRAM administratively down down
GigabitEthernet0/3 unassigned YES NVRAM administratively down down
NATRouter#sh ip bgp summary
BGP router identifier 192.168.1.254, local AS number 10
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
1.1.1.2 4 20 0 0 1 0 0 00:28:19 Idle
R2#sh ip bgp summary
BGP router identifier 1.1.1.2, local AS number 20
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
1.1.1.1 4 10 0 0 1 0 0 00:28:10 Idle
R2#sh ip bgp neighbors
BGP neighbor is 1.1.1.1, remote AS 10, external link
BGP version 4, remote router ID 0.0.0.0
BGP state = Active
Neighbor sessions:
0 active, is not multisession capable (disabled)
Stateful switchover support enabled: NO for session 0
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 0 0
Notifications: 0 0
Updates: 0 0
Keepalives: 0 0
Route Refresh: 0 0
Total: 0 0
Do log neighbor state changes (via global configuration)
Default minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
BGP table version 1, neighbor version 1/0
Output queue size : 0
Index 0, Advertise bit 0
Slow-peer detection is disabled
Slow-peer split-update-group dynamic is disabled
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 0 0
Prefixes Total: 0 0
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 0
Used as multipath: n/a 0
Used as secondary: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Total: 0 0
Number of NLRIs in the update sent: max 0, min 0
Last detected as dynamic slow peer: never
Dynamic slow peer recovered: never
Refresh Epoch: 1
Last Sent Refresh Start-of-rib: never
Last Sent Refresh End-of-rib: never
Last Received Refresh Start-of-rib: never
Last Received Refresh End-of-rib: never
Sent Rcvd
Refresh activity: ---- ----
Refresh Start-of-RIB 0 0
Refresh End-of-RIB 0 0
Address tracking is enabled, the RIB does have a route to 1.1.1.1
Route to peer address reachability Up: 1; Down: 0
Last notification 00:41:59
Connections established 1; dropped 1
Last reset 00:29:04, due to Active open failed
External BGP neighbor configured for connected checks (single-hop no-disable-connected-check)
Interface associated: GigabitEthernet0/1 (peering address in same link)
Transport(tcp) path-mtu-discovery is enabled
Graceful-Restart is disabled
SSO is disabled
No active TCP connection
NATRouter#sh ip bgp neighbors
BGP neighbor is 1.1.1.2, remote AS 20, external link
BGP version 4, remote router ID 0.0.0.0
BGP state = Idle
Neighbor sessions:
0 active, is not multisession capable (disabled)
Stateful switchover support enabled: NO
Do log neighbor state changes (via global configuration)
Default minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
BGP table version 1, neighbor version 1/0
Output queue size : 0
Index 0, Advertise bit 0
Slow-peer detection is disabled
Slow-peer split-update-group dynamic is disabled
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 0 0
Prefixes Total: 0 0
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 0
Used as multipath: n/a 0
Used as secondary: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Total: 0 0
Number of NLRIs in the update sent: max 0, min 0
Last detected as dynamic slow peer: never
Dynamic slow peer recovered: never
Refresh Epoch: 1
Last Sent Refresh Start-of-rib: never
Last Sent Refresh End-of-rib: never
Last Received Refresh Start-of-rib: never
Last Received Refresh End-of-rib: never
Sent Rcvd
Refresh activity: ---- ----
Refresh Start-of-RIB 0 0
Refresh End-of-RIB 0 0
Address tracking is enabled, the RIB does have a route to 1.1.1.2
Route to peer address reachability Up: 1; Down: 0
Last notification 00:42:43
Connections established 1; dropped 1
Last reset 00:29:41, due to Active open failed
External BGP neighbor configured for connected checks (single-hop no-disable-connected-check)
Interface associated: GigabitEthernet0/1 (peering address NOT in same link)
Transport(tcp) path-mtu-discovery is enabled
Graceful-Restart is disabled
SSO is disabled
No active TCP connection
Re: BGP and NAT configuration
msg# 1.2.1.1
arashi1977
Location: Hiroshima
Posts: 1715
Quote:
R1 has no BGP configuration.

Ah, so that's it! Sorry for the misunderstanding.
I had assumed R1 would be the one peering with R2 (that you'd NAT and then peer R2-R1 over BGP), but it's peering with NATrouter!
In that case, as slachet said:

Quote:
when it receives a packet destined to 1.1.1.1, it naturally translates it (in reverse) to 192.168.1.1 and forwards it to the inside side.

That's what's happening. (Things are set up so that R1 and R2 end up exchanging the BGP packets.)
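A check to catch this before it bites, as an added example that is not from the thread: a config lint that parses an IOS running-config excerpt and flags any whole-address static NAT whose inside-global address is one of the router's own interface addresses. The constructed sample is NATRouter's config from msg# 1; the severity levels, the "latent" case (mapping present but no `ip nat outside` interface yet) and the port-restricted "info" case are this lint's own policy, not anything the thread states.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: NATRouter's config excerpt as pasted in the thread.
NATROUTER_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
router bgp 10
 neighbor 1.1.1.2 remote-as 20
ip nat inside source static 192.168.1.1 1.1.1.1
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IFACE = re.compile(r"^interface (\S+)")
IP_ADDR = re.compile(rf"^ip address ({IPV4}) {IPV4}")
NAT_ROLE = re.compile(r"^ip nat (inside|outside)$")
STATIC_FULL = re.compile(rf"^ip nat inside source static ({IPV4}) ({IPV4})")
STATIC_PORT = re.compile(rf"^ip nat inside source static (tcp|udp) ({IPV4}) (\d+) ({IPV4}) (\d+)")


def parse_interfaces(config: str) -> Dict[str, Tuple[str, str]]:
    """Map each interface IPv4 address to (interface name, NAT role: inside/outside/none)."""
    addr_of: Dict[str, str] = {}
    role_of: Dict[str, str] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = IFACE.match(line)
        if m:
            current = m.group(1)
            continue
        if not raw.startswith(" "):
            current = None          # a non-indented line ends the interface stanza
            continue
        if current is None:
            continue                # indented line of some other stanza (router bgp ...)
        m = IP_ADDR.match(line)
        if m:
            addr_of[current] = m.group(1)
        m = NAT_ROLE.match(line)
        if m:
            role_of[current] = m.group(1)
    return {addr: (name, role_of.get(name, "none")) for name, addr in addr_of.items()}


def lint_static_nat(config: str) -> List[dict]:
    """Flag static NAT entries whose inside-global address is one of the router's own addresses."""
    by_addr = parse_interfaces(config)
    nat_active = any(role == "outside" for _, role in by_addr.values())
    findings: List[dict] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_PORT.match(line)
        if m:
            proto, local, lport, glob, gport = m.groups()
            if glob in by_addr:
                reason = (f"{glob} is {by_addr[glob][0]}'s address, but only {proto}/{gport} is "
                          f"redirected to {local}:{lport}; other ports still reach the router")
                findings.append({"severity": "info", "line": line, "reason": reason})
            continue
        m = STATIC_FULL.match(line)
        if m:
            local, glob = m.groups()
            if glob in by_addr:
                name = by_addr[glob][0]
                reason = (f"{glob} is {name}'s own address; every packet to it arriving on an "
                          f"'ip nat outside' interface (BGP/179, SSH/22, ...) is rewritten to {local} "
                          f"and forwarded inside instead of being delivered to the router")
                if not nat_active:
                    reason += " (latent: no 'ip nat outside' interface yet)"
                findings.append({"severity": "high" if nat_active else "medium",
                                 "line": line, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in lint_static_nat(NATROUTER_CONFIG):
        print(f"[{f['severity']}] {f['line']}\n    {f['reason']}")
```

Running it on the posted config yields one high-severity finding on the `ip nat inside source static 192.168.1.1 1.1.1.1` line; the same mapping written in the port-restricted `static tcp ... 80 ... 80` form is downgraded to an informational note, and a mapping to an address the router does not own produces nothing.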
Re: BGP and NAT configuration
msg# 1.1.1
AKvolt
Posts: 5
Sorry for the late reply.
Thank you for your answer.
It seems to be exactly as you say. (I hadn't taken the precedence into account at all.)