Pages

Monday, October 3, 2011

NAT Static

I wont talk about what NATing does in this article. However, I will show you some basic configuration of NAT to clarify everyone understanding.


Configuration example



Configuration

R2
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 192.168.1.2 0.0.0.0 area 0
 network 192.168.2.1 0.0.0.0 area 0
!
ip http server
no ip http secure-server
!
ip route 2.2.2.0 255.255.255.0 192.168.2.2
// from inside to outside : route before translate
!
ip nat inside source static 1.1.1.1 172.16.1.1
ip nat outside source static 3.3.3.3 2.2.2.2
!

Providing route for R1 and R3 to pass the traffic through R2 to translate

R1
ip route 2.2.2.2 255.255.255.255 192.168.1.2

R2
ip route 172.16.1.0 255.255.255.0 192.168.2.1


Verify Configuration

R1#ping 2.2.2.2 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/66/176 ms
R1#

R3#ping 172.16.1.1 source 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/71/144 ms
R3#


R2#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                2.2.2.2            3.3.3.3
icmp 172.16.1.1:2      1.1.1.1:2          2.2.2.2:2          3.3.3.3:2
icmp 172.16.1.1:8      1.1.1.1:8          2.2.2.2:8          3.3.3.3:8
--- 172.16.1.1         1.1.1.1            ---                ---
R2#

R2 debug ip nat

Mar  1 00:32:18.007: NAT*: s=3.3.3.3->2.2.2.2, d=172.16.1.1 [41]
*Mar  1 00:32:18.007: NAT*: s=2.2.2.2, d=172.16.1.1->1.1.1.1 [41]
*Mar  1 00:32:18.035: NAT*: s=1.1.1.1->172.16.1.1, d=2.2.2.2 [42]
*Mar  1 00:32:18.035: NAT*: s=172.16.1.1, d=2.2.2.2->3.3.3.3 [42]
*Mar  1 00:32:18.051: NAT*: s=3.3.3.3->2.2.2.2, d=172.16.1.1 [42]
*Mar  1 00:32:18.051: NAT*: s=2.2.2.2, d=172.16.1.1->1.1.1.1 [42]
*Mar  1 00:32:18.063: NAT*: s=1.1.1.1->172.16.1.1, d=2.2.2.2 [43]
*Mar  1 00:32:18.063: NAT*: s=172.16.1.1, d=2.2.2.2->3.3.3.3 [43]


Posted by BBru at 4:54 PM 0 comments
Labels:

OSPF nssa

Not-so-stubby-area

OSPF nssa is the area that prohibits the LSA type 5 into the area but instead allow LSA type 7 to the area for the external routes.

There are options added on to the nssa area
 - area x nssa no-summary
     This area does not allow also the LSA type 3 or above into the area.
 - area x nssa no-redistribute
     This command is used in the the router that acts both ABR and ASBR. This command will not allow redistributed routes LSA type 7 into the nssa area but still allow the type 5 LSA in the OSPF process in area 0 ( backbone area )

Example for the NSSA no-redistribute


From the network diagram above, R2 is working as both ABR and ASBR. It redistributes the network 2.2.2.2/32 into the OSFP domian. However we do not want the router to advertise LSA type 7 in to the nssa area. but it is acceptable to have LSA type 5 in the OSPF domain. Here is the configuration on the R2.


interface Loopback0
 ip address 2.2.2.2 255.255.255.255



router ospf 1
 log-adjacency-changes
 area 1 nssa no-redistribution
 redistribute connected subnets
 network 192.168.1.2 0.0.0.0 area 0
 network 192.168.2.1 0.0.0.0 area 1


Looking at the R1 routing table, we can see the 2.2.2.2/32 network in it.



R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     2.0.0.0/32 is subnetted, 1 subnets
O E2    2.2.2.2 [110/20] via 192.168.1.2, 00:21:56, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
O IA 192.168.2.0/24 [110/20] via 192.168.1.2, 00:34:03, FastEthernet0/0
O IA 192.168.3.0/24 [110/30] via 192.168.1.2, 00:27:32, FastEthernet0/0

However R4 doesn't see the 2.2.2.2/32 network in its database and its routing table.

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback0
O IA 192.168.1.0/24 [110/30] via 192.168.3.1, 00:29:46, FastEthernet0/0
O    192.168.2.0/24 [110/20] via 192.168.3.1, 00:29:46, FastEthernet0/0
C    192.168.3.0/24 is directly connected, FastEthernet0/0

So this illustrate how the nssa no-redistribute works.
Posted by BBru at 1:10 PM 1 comments
Labels:

Saturday, October 1, 2011

Auto QoS Discovery

Auto-Discovery


Started with the command:
(config-if)# auto discovery qos [trust]

Trust mode 


auto-discovery trusts the DSCP values in the IP header and uses it to classify packets, collect bandwidth statistics, calculate traffic average and traffic peak rate, then passes the data to the template module.

Untrust mode
auto-discovery uses NBAR to detect application on the network to collect data and perform statistical analysis.

To show the data that has been collected:
# show auto discovery qos [interface [interface type]]
Posted by BBru at 10:57 PM 1 comments
Labels:

DHCP manually binding

<copy from http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/Easyip2.html#wp23682>

 The IP address of a client can be assigned manually by an administrator or assigned automatically from a pool by a DHCP server.


Manual bindings are IP addresses that have been manually mapped to the MAC addresses of hosts that are found in the DHCP database. Manual bindings are stored in NVRAM on the DHCP server. Manual bindings are just special address pools. There is no limit on the number of manual bindings but you can only configure one manual binding per host pool.

To configure a manual binding, first create a host pool, then specify the IP address and hardware address of the client or client identifier. The hardware address is the MAC address. The client identifier, which is required for Microsoft clients (instead of hardware addresses), is formed by concatenating the media type and the MAC address of the client. Refer to the "Address Resolution Protocol Parameters" section of RFC 1700, Assigned Numbers, for a list of media type

Example Configuration



ip dhcp pool DHCP-TEST
   host 10.1.2.10 255.255.255.0
   hardware-address c204.07d0.0001 ieee802
   default-router 10.1.2.1
   dns-server 10.1.2.1
!
ip dhcp pool DHCP-TEST1
   host 10.1.2.11 255.255.255.0
   hardware-address 1111.1111.1111 ieee802
!

Verify Configuration


R3#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.1.2.10           c204.07d0.0001          Infinite                Manual
10.1.2.11           1111.1111.1111          Infinite                Manual

Posted by BBru at 7:59 PM 0 comments
Labels:

Tuesday, September 27, 2011

Spanning tree portfast

Spanning-tree portfast command makes interface on the switch jump up from spanning-tree disable mode to spanning-tree forwarding mode which is different from the normal spanning tree operation that the interface needs to go through listening status and learning state. Therefore, the interface will come up right away.

How to enable spanning-tree portfast


Spanning-tree portfast in interface level
  In the interface level we use " spanning-tree portfast" command to enable it. This is for an access port only. If you want to enable portfast for trunk port "spanning-tree portfast trunk" is required.


Spanning-tree portfast option in the global configuration
  In the global configuration, we can enable the portfast for all of the access ports on the switch by using "spanning-tree portfast default " command. However, this command will not affect the trunk port on the switch

Option for spanning-tree portfast
   - spanning-tree portfast bpduguard default
   - spanning-tree portfast bpdufilter default

   -spanning-tree portfast bpduguard default :  it will enable the bgpuguard on the all of the portfast interfaces on the switch. This is only valid for access port.
   - spanning-tree portfast bpdufilter default  :  it will enable the bgpufilter on the all of the portfast interfaces on the switch. This is only valid for access port.



Posted by BBru at 10:34 AM 0 comments
Labels:

Sunday, September 25, 2011

GLBP Load Balancing options

There are 3 different options for the GLBP load balancing

  • Host-dependent : load balancing based on MAC address of a host where the same forwarder is used for a particular host while the number of GLBP group members remains unchanged.
  • Round-Robin  :   Each active forwarder will in turns forward the packets. This is a default setting of glbp
  • Weighted   :  load balancing based on the weighting value advertised by the gateway.

Configuration Command

       glbp group load-balancing [host-dependent round-robin weighted]


Posted by BBru at 10:32 PM 0 comments
Labels:

Saturday, September 24, 2011

MPLS LDP advertise lable

mpls ldp advertise-label 


This command is enable by default. The MPLS router will advertise every network it learnt or connected network to its neighbor. In order to stop this advertisement, we use  "no mpls ldp advertise-label " However, this command will disable every advertisement in the network.

If we want to specifically advertise label for specific network to specific destination, we can use the command as followings.
      mpls ldp advertise-lable for <dest prefix>  to <ldp peer>

Example

As shown in the figure, R1, R2 and R3 are in the MPLS network. In this scenario, we specify what prefix and what destination we want to have label advertised for the MPLS network. R1 will advertise label for 1.1.1.1/32 only but not 10.10.10.10/32. Here is the configuration example on R1
( we omitted the IGP configuration )
Before configuration
R2#sh mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     30.30.30.30/32    570        Fa0/1      192.168.2.2
17     Pop tag     3.3.3.3/32        0          Fa0/1      192.168.2.2
18     Pop tag     10.10.10.10/32    0          Fa0/0      192.168.1.1
19     Pop tag     1.1.1.1/32        0          Fa0/0      192.168.1.1


Configuration command

no mpls ldp advertise-labels

mpls ldp advertise-labels for 2 to 1

access-list 1 permit 192.168.1.2
access-list 2 permit 1.1.1.1

Result / Verification

R2#sh mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     30.30.30.30/32    570        Fa0/1      192.168.2.2
17     Pop tag     3.3.3.3/32        0          Fa0/1      192.168.2.2
18     Untagged    10.10.10.10/32    0          Fa0/0      192.168.1.1
19     Pop tag     1.1.1.1/32        0          Fa0/0      192.168.1.1

We can see now that the 10.10.10.10/32 label is not advertised to R2 from R1
Posted by BBru at 1:33 PM 2 comments
Labels:
Subscribe to: Posts (Atom)