eBGP over NAT boundaries

Answered Question
Apr 7th, 2010

Hi there,

Let’s assume this unrealistic scenario in a totally private network. I have two eBGP peer connections coming into my private network, one for Customer A and one for Customer B.  Both Customer A and Customer B have identical subnet ranges, for example 10.15.100.0/24.  I know I could separate these with VRF's, but lets exclude this for the minute.

If Customer A wishes to exchange data with Customer B then I have a problem due to conflicting subnet ranges. If I were to use NAT, can I establish an eBGP session across a NAT boundary? Furthermore, can Customer A or Customer B have their BGP advertised networks NAT’d to a non conflicting private range of addresses?

If I did use VRF's to separate overlapping networks how could I get these two VRF's to communicate with the knowledge they have the same private networks?

Thanks, Wayne

I have this problem too.
0 votes
Correct Answer by Jon Marshall about 6 years 9 months ago

wrgoulden wrote:

Jon,

I guess firstly can you establish a BGP session from a BGP NAT'd peer address? Secondly, would I need a transit network behind the customer BGP router to perform the NAT then advertise the NAT ranges into BGP?

Thanks,


Wayne

Wayne

The first one will be tricky - would the 2 EBGP peers be using WAN IPs from the same subnet ? If so that may take a bit of experimenting with but i though the requirement was simply to NAT an internal network.

As for natting an internal network this should be relatively straighforward and i suspect altho i would need to test the Natting could be done on the same router that runs EBGP.

Don't mind testing but could you just answer whether the WAN IPs would need Natting ?

Jon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jon Marshall Wed, 04/07/2010 - 03:54

wrgoulden wrote:

Hi there,

Let’s assume this unrealistic scenario in a totally private network. I have two eBGP peer connections coming into my private network, one for Customer A and one for Customer B.  Both Customer A and Customer B have identical subnet ranges, for example 10.15.100.0/24.  I know I could separate these with VRF's, but lets exclude this for the minute.

If Customer A wishes to exchange data with Customer B then I have a problem due to conflicting subnet ranges. If I were to use NAT, can I establish an eBGP session across a NAT boundary? Furthermore, can Customer A or Customer B have their BGP advertised networks NAT’d to a non conflicting private range of addresses?

If I did use VRF's to separate overlapping networks how could I get these two VRF's to communicate with the knowledge they have the same private networks?

Thanks, Wayne

Wayne

Yes you can establish BGP, you would simply advertise out the Natted subnet range rather than the real subnet range. Is this what you are asking or are you asking whether the actual BGP peer address can be Natted ?

Jon

wrgoulden Wed, 04/07/2010 - 04:52

Jon,

I guess firstly can you establish a BGP session from a BGP NAT'd peer address? Secondly, would I need a transit network behind the customer BGP router to perform the NAT then advertise the NAT ranges into BGP?

Thanks,


Wayne

Correct Answer
Jon Marshall Wed, 04/07/2010 - 05:03

wrgoulden wrote:

Jon,

I guess firstly can you establish a BGP session from a BGP NAT'd peer address? Secondly, would I need a transit network behind the customer BGP router to perform the NAT then advertise the NAT ranges into BGP?

Thanks,


Wayne

Wayne

The first one will be tricky - would the 2 EBGP peers be using WAN IPs from the same subnet ? If so that may take a bit of experimenting with but i though the requirement was simply to NAT an internal network.

As for natting an internal network this should be relatively straighforward and i suspect altho i would need to test the Natting could be done on the same router that runs EBGP.

Don't mind testing but could you just answer whether the WAN IPs would need Natting ?

Jon

wrgoulden Wed, 04/07/2010 - 05:47

Jon,

Just looked over it again and the NAT'ing of the internal ranges is fine.  No need to set peers up over a NAT boundary as I first thought. Thanks for your help.

Wayne

Actions

This Discussion

Related Content