Thursday, January 15, 2015

CCIE Route/Switch v5: GNS3 ZBFW, Subnet Overlap, NAT Trickery

Hey all,

This lab features a number of technologies melded together to achieve some cool stuff. In a typical service provider environment a few different partners will connect to a single entity (the provider). That provider is required to not bridge the partner networks in any way (if the provider wants to stay in business, that is). There is often a requirement to avoid simple routing, as subnets will often overlap.

This is assuming the provider hasn't embraced the awesomeness that is VRFs all over their network.

When things don't work right, the network engineering team must prove which connections are being made and which aren't, a difficult thing when you can't see the whole picture. Zone-based firewall bridges that gap in spectacular fashion. It lets an engineer see each and every session that passes through the device, and it allows ACLs to be matched for allowed traffic. Here I use those same ACLs to match the NAT statements, so that the partners' subnets do not overlap on our side.
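Here is how one partner's hand-off looks when a single ACL drives both the ZBFW class-map and the NAT rule, as an added example rather than the post's own lab config: every name, address and interface is a constructed placeholder, and partner A's 10.1.1.0/24 is assumed to collide with space already in use inside the core, so it is translated to 100.64.1.0/24 before it reaches the core service at 172.16.50.10.

```cisco
! Constructed example, not the lab's config. Names, addresses and interfaces
! are placeholders. Partner A (10.1.1.0/24) overlaps address space already
! used in the core, so its sessions are translated into 100.64.1.0/24.
!
! One ACL does double duty: it is the ZBFW class-map match AND the NAT match,
! so the permitted flows and the translated flows can never drift apart.
ip access-list extended ACL-PARTNER-A-TO-CORE
 permit tcp 10.1.1.0 0.0.0.255 host 172.16.50.10 eq 443
!
! One zone per partner plus a core zone; nothing passes between two zones
! until a zone-pair with a policy exists for that direction.
zone security PARTNER-A
zone security CORE
!
class-map type inspect match-all CM-PARTNER-A-TO-CORE
 match access-group name ACL-PARTNER-A-TO-CORE
!
! Stateful inspect for the matched flow; log-and-drop for everything else so
! unexpected sessions are visible when a partner reports a problem.
policy-map type inspect PM-PARTNER-A-TO-CORE
 class type inspect CM-PARTNER-A-TO-CORE
  inspect
 class class-default
  drop log
!
zone-pair security ZP-PARTNER-A-TO-CORE source PARTNER-A destination CORE
 service-policy type inspect PM-PARTNER-A-TO-CORE
!
! NAT: the same ACL selects which partner sources land in this partner's
! pool. Return traffic rides the translation table and the inspected
! session state, so no CORE -> PARTNER-A zone-pair is needed.
ip nat pool POOL-PARTNER-A 100.64.1.1 100.64.1.254 prefix-length 24
ip nat inside source list ACL-PARTNER-A-TO-CORE pool POOL-PARTNER-A
!
interface FastEthernet0/0
 description Partner A hand-off
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
 zone-member security PARTNER-A
!
interface FastEthernet0/1
 description Provider core
 ip address 172.16.0.1 255.255.255.252
 ip nat outside
 zone-member security CORE
!
! Verification: every inspected session and its translation is visible.
! show policy-map type inspect zone-pair ZP-PARTNER-A-TO-CORE sessions
! show ip nat translations
```

A second partner gets its own ACL, zone, zone-pair and pool (for example 100.64.2.0/24), so the core only ever sees non-overlapping translated prefixes.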

BGP is also used as an IGP for each of our partners and for our core network, but you could just as easily connect to a partner via a single-use IGP (OSPF, EIGRP, etc.) and then redistribute on both sides.

Other cool stuff I didn't even mention:
Prefix lists to match routes
Route-maps applied inbound and outbound between the provider and each partner via BGP, so that only the selected, required routes are allowed in or out (we don't want to bleed any routes in either direction, do we?).

The lab is built with all c7200 IOS routers in GNS3. Hopefully you can find an IOS in that same family so you can turn it all on.
Download the GNS3 files here and enjoy!

Good luck!
