F5 CGNAT using AFM module with BGP for LSN advertising
Gist: shsingh/e6f08d75f7e877273d9cb57c33b9e72d
Last active: March 23, 2023 01:24
- Ensure 'bash' access to the device
- SSH into the device
- Configure the device (the tmsh steps below) before configuring BGP
```
! BGP for the CGNAT route domain; enter its ZebOS CLI with `imish -r <VRF-ID>` and apply:
router bgp <BGP_ASN>
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 30
 ! "redistribute kernel" is what carries the LSN range into BGP: the source-translation's
 ! route-advertisement installs that range as a kernel route inside the route domain
 redistribute kernel
 timers bgp 4 12
 ! subscriber-facing peer: accept only the subscriber aggregate, announce only the default route
 neighbor <BGP_NEIGHBOUR_SUBSCRIBER_PEER> remote-as <BGP_REMOTE_AS_SUBSCRIBER_PEER>
 neighbor <BGP_NEIGHBOUR_SUBSCRIBER_PEER> fall-over bfd
 neighbor <BGP_NEIGHBOUR_SUBSCRIBER_PEER> activate
 neighbor <BGP_NEIGHBOUR_SUBSCRIBER_PEER> next-hop-self
 neighbor <BGP_NEIGHBOUR_SUBSCRIBER_PEER> soft-reconfiguration inbound
 neighbor <BGP_NEIGHBOUR_SUBSCRIBER_PEER> prefix-list ipv4-subscriber-only in
 neighbor <BGP_NEIGHBOUR_SUBSCRIBER_PEER> prefix-list default-only out
 ! internet-facing peer: accept only the default route, announce only the CGNAT (LSN) range
 neighbor <BGP_NEIGHBOUR_INTERNET_PEER> remote-as <BGP_REMOTE_AS_INTERNET_PEER>
 neighbor <BGP_NEIGHBOUR_INTERNET_PEER> fall-over bfd
 neighbor <BGP_NEIGHBOUR_INTERNET_PEER> activate
 neighbor <BGP_NEIGHBOUR_INTERNET_PEER> soft-reconfiguration inbound
 neighbor <BGP_NEIGHBOUR_INTERNET_PEER> prefix-list default-only in
 neighbor <BGP_NEIGHBOUR_INTERNET_PEER> prefix-list ipv4-cgnat-only out
!
! The prefix-lists are exact matches (no ge/le) and end with an implicit deny, so the
! subscriber range is never announced upstream and nothing but the default is accepted from it
ip prefix-list default-only seq 5 permit 0.0.0.0/0
ip prefix-list ipv4-cgnat-only seq 5 permit <CGNAT_V4_CIDR>
ip prefix-list ipv4-subscriber-only seq 5 permit <SUBSCRIBER_V4_CIDR>
!
```
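The prefix-list policy above is the route-leak control for this design: the only prefix that may reach the internet peer is the LSN range, and the only prefix that may reach the subscriber peer is the default route. The following added example (not part of the gist, and not F5 or ZebOS code) parses a copy of that BGP snippet and simulates standard prefix-list matching so the policy can be checked offline before it is pushed. The placeholders are filled with constructed values: 100.64.0.0/10 (RFC 6598 shared space) for `<SUBSCRIBER_V4_CIDR>`, 203.0.113.0/24 (RFC 5737 documentation range) for `<CGNAT_V4_CIDR>`, and documentation-range peer addresses and private ASNs; the kernel route table is likewise constructed.

```python
# Added example: simulate the gist's BGP prefix-list policy with constructed values.
import ipaddress
import re
from collections import defaultdict

# Copy of the gist's BGP policy with placeholders replaced by constructed values
# (192.0.2.1 = subscriber-facing peer, 198.51.100.1 = internet-facing peer).
BGP_CONFIG = """
router bgp 64500
 no bgp default ipv4-unicast
 redistribute kernel
 neighbor 192.0.2.1 remote-as 64512
 neighbor 192.0.2.1 prefix-list ipv4-subscriber-only in
 neighbor 192.0.2.1 prefix-list default-only out
 neighbor 198.51.100.1 remote-as 64513
 neighbor 198.51.100.1 prefix-list default-only in
 neighbor 198.51.100.1 prefix-list ipv4-cgnat-only out
!
ip prefix-list default-only seq 5 permit 0.0.0.0/0
ip prefix-list ipv4-cgnat-only seq 5 permit 203.0.113.0/24
ip prefix-list ipv4-subscriber-only seq 5 permit 100.64.0.0/10
"""

# Constructed kernel routes that "redistribute kernel" would hand to BGP before
# filtering: default, subscriber aggregate, LSN range, a more-specific LSN subnet
# and a management network that must never be advertised.
KERNEL_ROUTES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/0", "100.64.0.0/10", "203.0.113.0/24",
    "203.0.113.128/25", "10.10.0.0/24")]

PL_RE = re.compile(r"^ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)"
                   r"(?: ge (\d+))?(?: le (\d+))?$")
NB_RE = re.compile(r"^neighbor (\S+) prefix-list (\S+) (in|out)$")


def parse_config(text):
    """Return ({list name: [(seq, action, network, ge, le), ...]},
    {(peer, direction): list name})."""
    prefix_lists = defaultdict(list)
    neighbor_filters = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PL_RE.match(line)
        if m:
            name, seq, action, prefix, ge, le = m.groups()
            prefix_lists[name].append((int(seq), action, ipaddress.ip_network(prefix),
                                       int(ge) if ge else None, int(le) if le else None))
            continue
        m = NB_RE.match(line)
        if m:
            peer, name, direction = m.groups()
            neighbor_filters[(peer, direction)] = name
    for entries in prefix_lists.values():
        entries.sort(key=lambda e: e[0])   # entries are evaluated in sequence order
    return prefix_lists, neighbor_filters


def entry_matches(entry, route):
    """Prefix-list semantics: without ge/le an entry is an exact match;
    ge/le widen the accepted prefix-length range inside the entry's network."""
    _, _, net, ge, le = entry
    if not route.subnet_of(net):
        return False
    if ge is None and le is None:
        return route.prefixlen == net.prefixlen
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else route.max_prefixlen
    return lo <= route.prefixlen <= hi


def prefix_list_permits(entries, route):
    for entry in entries:
        if entry_matches(entry, route):
            return entry[1] == "permit"
    return False   # implicit deny at the end of every prefix-list


def routes_passing(config, peer, direction, candidates=KERNEL_ROUTES):
    """Routes that survive the peer's in/out prefix-list. A peer with no filter
    in that direction gets every candidate, which is the leak this check catches."""
    prefix_lists, neighbor_filters = parse_config(config)
    name = neighbor_filters.get((peer, direction))
    if name is None:
        return sorted(str(r) for r in candidates)
    return sorted(str(r) for r in candidates
                  if prefix_list_permits(prefix_lists[name], r))


if __name__ == "__main__":
    for peer in ("198.51.100.1", "192.0.2.1"):
        print(peer, "is sent", routes_passing(BGP_CONFIG, peer, "out"))
        print(peer, "may send", routes_passing(BGP_CONFIG, peer, "in"))
```

Two things the simulation makes visible that the config alone does not: a more-specific LSN subnet (203.0.113.128/25 here) is silently dropped by the exact-match `ipv4-cgnat-only` list, so if the LSN pool is ever carved into smaller ranges the prefix-list needs a `le` qualifier; and a peer that is added without an outbound prefix-list receives every kernel route, including the subscriber and management networks.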
```
##### Create Trunks
tmsh create net trunk <TRUNK_NAME> interfaces add { <INTERFACES_IN_TRUNK> } lacp enabled lacp-mode passive lacp-timeout long distribution-hash src-dst-ipport link-select-policy auto
##### Create VLANs
# cmp-hash src-ip on the subscriber side and dst-ip on the internet side keep both directions
# of a subscriber's flows on the same TMM, which the LSN/PBA state depends on
tmsh create net vlan vlan_subscriber app-service none cmp-hash src-ip interfaces add { <TRUNK_NAME> { tagged } } tag <VLAN_SUBSCRIBER>
tmsh create net vlan vlan_internet app-service none cmp-hash dst-ip interfaces add { <TRUNK_NAME> { tagged } } tag <VLAN_INTERNET>
#### Create Route Domains
# the route domain runs its own BGP/BFD instance; VLANs are referenced by name here, not by tag
tmsh create net route-domain Internet { id <VRF-ID> routing-protocol { BGP BFD } vlans { vlan_internet vlan_subscriber } }
#### Create Self IPs
tmsh create net self self_subscriber_v4 { address <SELFIP_SUBSCRIBER_V4>%<VRF-ID>/<SELFIP_SUBSCRIBER_V4_SUBNET_MASK> traffic-group traffic-group-local-only vlan vlan_subscriber }
tmsh create net self self_internet_v4 { address <SELFIP_INTERNET_V4>%<VRF-ID>/<SELFIP_INTERNET_V4_SUBNET_MASK> traffic-group traffic-group-local-only vlan vlan_internet }
tmsh create net self self_control_v4 { address <SELFIP_CONTROL_V4>/<SELFIP_CONTROL_V4_SUBNET_MASK> traffic-group traffic-group-local-only vlan <VLAN_CONTROL> }
#### Create pool of syslog servers
# the gist creates this pool empty; add the remote syslog collectors as members (placeholders)
tmsh create ltm pool pool_logging_servers { members add { <SYSLOG_SERVER_IP>:<SYSLOG_PORT> { } } }
#### Create LSN session and PBA information to log
tmsh create sys log-config destination remote-high-speed-log cgnat-logging-server-pool { pool-name pool_logging_servers protocol udp }
tmsh create sys log-config publisher cgnat-logging-servers { destinations { cgnat-logging-server-pool { } local-db { } local-syslog { } } }
# logs session start/end (with the destination element), errors and quota-exceeded events;
# these records are what allow a public IP:port at a given time to be traced back to a subscriber
tmsh create security log profile remote-cgnat-logging { nat { end-inbound-session enabled end-outbound-session { action enabled elements { destination } } errors enabled log-publisher cgnat-logging-servers quota-exceeded enabled start-inbound-session enabled start-outbound-session { action enabled elements { destination } } } network { remote-cgnat-logging { } } }
#### Create the LSN address range and PBA source translation
tmsh create security firewall address-list cgnat-lsn-ip-addresses { addresses { <LSN-RANGE-WITH-CIDR-MASK>%<VRF-ID> { } } }
# route-advertisement enabled installs the LSN range as a kernel route in the route domain, which the
# BGP "redistribute kernel" statement then announces to the internet peer; endpoint-independent
# mapping/filtering is the most permissive RFC 4787 behaviour (any external host may reach an active mapping)
tmsh create security nat source-translation nat_pba { addresses { <LSN-RANGE-WITH-CIDR-MASK>%<VRF-ID> { } } egress-interfaces { vlan_internet } egress-interfaces-enabled hairpin-mode enabled icmp-echo enabled inbound-mode endpoint-independent-filtering mapping { mode endpoint-independent-mapping timeout 60 } nat-stats-profile nat-stats pat-mode pba ports { 1025-64000 { } } route-advertisement enabled traffic-group /Common/traffic-group-1 type dynamic-pat }
#### Create NAT policy for source translation of egress traffic
# source and destination 0.0.0.0/0 translate everything this policy sees; the policy still has to be
# attached to the route domain or a virtual server to take effect (not shown in the gist)
tmsh create security nat policy cgnat { rules { pba { destination { addresses { 0.0.0.0/0 { } } } ip-protocol any log-profile remote-cgnat-logging source { addresses { 0.0.0.0/0 { } } } translation { source nat_pba } } } traffic-group /Common/traffic-group-1 }
```
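The point of the log profile and the PBA port mode above is attribution: with port-block allocation the device logs one record per block handed to a subscriber instead of one per session, and an abuse report or incident that names a public IP, a port and a time can be resolved to the subscriber that held that block. The following added example (not part of the gist, and not F5 code) shows that resolution over a constructed log excerpt. The `lsn_event`, `subscriber`, `nat_ip` and `port_block` field names and the `LSN_PB_ALLOC`/`LSN_PB_FREE` event names are constructed for illustration; adapt the regex to the field layout your publisher actually emits.

```python
# Added example: resolve nat_ip:port at a point in time to a subscriber from PBA events.
import re
from datetime import datetime, timezone

# Constructed log excerpt (illustrative format, not F5's exact HSL layout).
# The same port block is freed by one subscriber and reused by another.
SAMPLE_LOG = """\
2023-03-23T01:00:00Z lsn_event="LSN_PB_ALLOC" subscriber="100.64.1.10" nat_ip="203.0.113.5" port_block="1025-1088"
2023-03-23T01:00:05Z lsn_event="LSN_PB_ALLOC" subscriber="100.64.1.11" nat_ip="203.0.113.5" port_block="1089-1152"
2023-03-23T01:30:00Z lsn_event="LSN_PB_FREE" subscriber="100.64.1.10" nat_ip="203.0.113.5" port_block="1025-1088"
2023-03-23T01:31:00Z lsn_event="LSN_PB_ALLOC" subscriber="100.64.1.12" nat_ip="203.0.113.5" port_block="1025-1088"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) lsn_event="(?P<event>LSN_PB_ALLOC|LSN_PB_FREE)" '
    r'subscriber="(?P<sub>[^"]+)" nat_ip="(?P<nat>[^"]+)" '
    r'port_block="(?P<lo>\d+)-(?P<hi>\d+)"$')


def parse_ts(text):
    """Parse the ISO 8601 UTC timestamps used in the sample log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_allocations(log_text):
    """Pair ALLOC/FREE events into intervals:
    [(nat_ip, lo, hi, subscriber, allocated_at, freed_at_or_None), ...]"""
    open_blocks = {}      # (nat_ip, lo, hi) -> (subscriber, allocated_at)
    intervals = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue      # other event types are not needed for attribution
        key = (m["nat"], int(m["lo"]), int(m["hi"]))
        when = parse_ts(m["ts"])
        if m["event"] == "LSN_PB_ALLOC":
            open_blocks[key] = (m["sub"], when)
        elif key in open_blocks:
            sub, start = open_blocks.pop(key)
            intervals.append((*key, sub, start, when))
        # a FREE with no matching ALLOC indicates a log gap; there is nothing to close
    for key, (sub, start) in open_blocks.items():
        intervals.append((*key, sub, start, None))   # still allocated at end of log
    return intervals


def who_used(log_text, nat_ip, port, at):
    """Subscriber holding nat_ip:port at time `at` (ISO 8601 Z), or None.
    The timestamp is essential: once a block is freed it is reused by a
    different subscriber, so IP and port alone are ambiguous."""
    when = parse_ts(at)
    for nat, lo, hi, sub, start, end in build_allocations(log_text):
        if nat != nat_ip or not lo <= port <= hi:
            continue
        if start <= when and (end is None or when < end):
            return sub
    return None


if __name__ == "__main__":
    for t in ("2023-03-23T01:10:00Z", "2023-03-23T01:30:30Z", "2023-03-23T01:40:00Z"):
        print(t, "203.0.113.5:1050 ->", who_used(SAMPLE_LOG, "203.0.113.5", 1050, t))
```

The example is only as good as the clocks behind it: the allocation and free events have to be timestamped from a synchronised source and the report being resolved converted to the same time zone, otherwise a query lands on the wrong side of a block reuse and names the wrong subscriber. The `local-db` and `local-syslog` destinations in the publisher are convenient for troubleshooting, but the remote pool is the copy that survives device replacement and has to meet whatever retention period applies.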