Category Archives: Routing

Cisco Routing

Network Address Translation (NAT) & Scenario

Configuration Notes:
Defining NAT Inside and Outside Interfaces
The first step in deploying NAT is to define the NAT inside and outside interfaces. You may find it easiest to define your internal network as inside and the external network as outside. However, which side counts as internal or external is itself an arbitrary design choice; NAT only cares which interfaces you mark as inside and outside. This figure shows an example of this.

NAT Overloading
Also called Port Address Translation (PAT), this is a form of dynamic NAT in which a single inside global IP address provides Internet access to all inside hosts; the individual flows are kept apart by their source ports. NAT Overload is generally used where the number of inside local addresses is greater than the number of inside global addresses.

Clearing Static NAT Entry
The clear command only deletes dynamic entries. If you no longer need a static entry, remove it from the configuration.
It is not possible to clear a static NAT entry, which is why the error message "Translation not dynamic" is seen. If a static NAT entry is not useful or not doing what was intended, simply edit or remove it in the config.


NAT Order of Operation:

  1. When a packet arrives on an interface which is configured as ‘ip nat inside’,
    • The Packet is first checked if it qualifies as per the NAT access-list aka interested traffic.
    • The packet is then checked for the destination address.
    • If the destination is reachable via an interface which is configured ‘ip nat outside’ then before sending the actual packet out on the egress interface, the source address will be masked/NATed.
  2. When the return packet arrives on an interface which is configured as ‘ip nat outside’,
    • The packet is first compared with a matching entry in the NAT translation table.
    • If a matching entry is found, the destination IP and port are replaced as per the entry before the packet is routed toward the inside interface.

NAT Terminology:

Inside Local – The IP address of an inside host as viewed locally (e.g. your LAN or private network address)
Inside Global – The IP address of an inside host as viewed by the outside world (e.g. your public IP on the WAN interface)
Outside Local – The IP address of an outside host as viewed from the inside network
Outside Global – The IP address of an outside host as viewed by the outside world

IP NAT OUTSIDE SOURCE STATIC SCENARIO:

  1. Translating the output public IP to reach the LAN network.


Note: For traffic arriving on the outside interface the router translates before routing; for traffic arriving on the inside interface it routes first and then translates.


Configure loopback on R3 and R2, make sure the route is correct on all routers.

R2#sh run int loop 30
interface Loopback30
ip address 171.68.1.1 255.255.255.255

R3#sh run int loop 30
interface Loopback30
ip address 172.16.89.32 255.255.255.255

R1#sh run | sec ip route
ip route 0.0.0.0 0.0.0.0 122.1.1.2
ip route 171.68.1.1 255.255.255.255 192.168.1.1

R1# ip nat outside source static 172.16.89.32 171.68.16.5  -> This translates the outside global source (172.16.89.32) to the outside local address (171.68.16.5).

R5#sh run | sec ip route
ip route 171.68.1.1 255.255.255.255 122.1.1.1
ip route 172.16.89.32 255.255.255.255 221.0.0.1

Results:

R3#ping 171.68.1.1 source loop 30

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 171.68.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.89.32
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/40/64 ms

R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- --- --- 171.68.16.5 172.16.89.32
icmp 171.68.1.1:0 171.68.1.1:0 171.68.16.5:0 172.16.89.32:0

R1#sh ip nat statistics
Total active translations: 2 (1 static, 1 dynamic; 1 extended)
Peak translations: 2, occurred 00:00:26 ago
Outside interfaces:
GigabitEthernet1/0
Inside interfaces:
GigabitEthernet2/0
Hits: 10 Misses: 0
CEF Translated packets: 9, CEF Punted packets: 1
Expired translations: 0
Dynamic mappings:
Appl doors: 0
Normal doors: 0
Queued Packets: 0
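The order of operation and the scenario above, as an added example that is not part of the original post: a small Python model of R1 applying the outside-source static entry in both directions. It uses only the routes, interfaces and addresses shown in the scenario; the function and class names are my own.

```python
# Constructed example (not from the original post): simulates R1 applying
# 'ip nat outside source static 172.16.89.32 171.68.16.5' in both directions.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Values from the scenario: R1's static routes and the NAT role of each interface.
ROUTES = {                                   # prefix -> egress interface
    "0.0.0.0/0": "GigabitEthernet1/0",       # ip nat outside (next hop 122.1.1.2)
    "171.68.1.1/32": "GigabitEthernet2/0",   # ip nat inside (next hop 192.168.1.1)
}
NAT_ROLE = {"GigabitEthernet1/0": "outside", "GigabitEthernet2/0": "inside"}
OUTSIDE_STATIC = {"172.16.89.32": "171.68.16.5"}      # outside global -> outside local
OUTSIDE_STATIC_REV = {v: k for k, v in OUTSIDE_STATIC.items()}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    ident: int = 0   # ICMP identifier, shown as ':0' in the translation table

def lookup_route(dst):
    """Longest-prefix match over R1's static routes; returns the egress interface."""
    matches = [ip_network(p) for p in ROUTES if ip_address(dst) in ip_network(p)]
    return ROUTES[str(max(matches, key=lambda n: n.prefixlen))]

def forward(pkt, ingress):
    """NAT order of operation; returns (egress interface, packet as it leaves R1)."""
    if NAT_ROLE[ingress] == "outside":
        # outside -> inside: translate the source first, then route
        pkt = replace(pkt, src=OUTSIDE_STATIC.get(pkt.src, pkt.src))
        egress = lookup_route(pkt.dst)
    else:
        # inside -> outside: route on the outside local address, then translate
        # the destination back to the outside global address
        egress = lookup_route(pkt.dst)
        if NAT_ROLE[egress] == "outside":
            pkt = replace(pkt, dst=OUTSIDE_STATIC_REV.get(pkt.dst, pkt.dst))
    return egress, pkt

def translation_row(arrived, sent):
    """Extended entry as 'show ip nat translations' prints it for a packet that
    arrived on the outside interface: inside global, inside local, outside local,
    outside global."""
    col = lambda ip: f"{ip}:{arrived.ident}"
    return (arrived.proto, col(arrived.dst), col(sent.dst), col(sent.src), col(arrived.src))

if __name__ == "__main__":
    echo = Packet("icmp", "172.16.89.32", "171.68.1.1")   # R3 pings R2's loopback
    egress, sent = forward(echo, "GigabitEthernet1/0")
    print(egress, sent, translation_row(echo, sent))
    print(forward(Packet("icmp", "171.68.1.1", "171.68.16.5"), "GigabitEthernet2/0"))
```

Note that the return packet from R2 is routed on 171.68.16.5, so R1 needs a route for the outside local address (here the default route) or the reply never reaches the outside interface where the translation back to 172.16.89.32 happens.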

2. Overlapping Network



R1#sh run | sec ip route
ip route 0.0.0.0 0.0.0.0 122.1.1.2
ip route 9.9.9.0 255.255.255.0 122.1.1.2
ip route 123.12.12.0 255.255.255.0 192.168.1.1
ip route 171.68.1.1 255.255.255.255 192.168.1.1
R1#sh run | sec ip nat
ip nat outside
ip nat inside
ip nat inside source static 123.12.12.3 8.8.8.1
ip nat inside source static 192.168.1.1 8.8.8.2
ip nat outside source static 123.12.12.1 9.9.9.1
ip nat outside source static 172.16.89.32 9.9.9.2

R2#sh run | sec ip route
ip route 0.0.0.0 0.0.0.0 192.168.1.254
R2#sh run int loop 40 | beg int
interface Loopback40
ip address 123.12.12.3 255.255.255.255

R3#sh run | sec ip route
ip route 0.0.0.0 0.0.0.0 221.0.0.2
R3#sh run int loop 40 | beg int
interface Loopback40
ip address 123.12.12.1 255.255.255.255

R5#sh run | sec ip route
ip route 8.8.8.0 255.255.255.0 122.1.1.1
ip route 123.12.12.0 255.255.255.0 221.0.0.1
ip route 171.68.1.1 255.255.255.255 122.1.1.1
ip route 172.16.89.32 255.255.255.255 221.0.0.1

R3#ping 8.8.8.1 source loopback 40

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.1, timeout is 2 seconds:
Packet sent with a source address of 123.12.12.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/65/76 ms

R2#ping 9.9.9.1 source loopback 40

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.1, timeout is 2 seconds:
Packet sent with a source address of 123.12.12.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/60/68 ms

Note: When troubleshooting, make sure the routing is correct and that every router on the path has routes for both the global and local addresses, inbound and outbound.

R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- --- --- 9.9.9.1 123.12.12.1
--- --- --- 9.9.9.2 172.16.89.32
--- 8.8.8.1 123.12.12.3 --- ---
--- 8.8.8.2 192.168.1.1 --- ---
R1#sh ip nat stat
Total active translations: 4 (4 static, 0 dynamic; 0 extended)
Peak translations: 53, occurred 00:19:08 ago
Outside interfaces:
GigabitEthernet1/0
Inside interfaces:
GigabitEthernet2/0
Hits: 299 Misses: 0
CEF Translated packets: 233, CEF Punted packets: 30
Expired translations: 36
Dynamic mappings:
Appl doors: 0
Normal doors: 0
Queued Packets: 0

What is CEF Punt?

https://learningnetwork.cisco.com/thread/123503

Troubleshoot/Verify NAT Configuration

1. The command "show ip nat translations" displays the details of NAT assignments; it enables you to verify that the correct translations exist in the translation table. It is recommended that you clear any dynamic NAT translation entries that might still be on the router.

2. To view additional details about each translation, use the following command:

R1#show ip nat translations verbose

This command displays additional information, including the creation time and usage of each translation.

To clear NAT translations use the command: clear ip nat translation.

Note: “show ip nat translations verbose” command doesn’t work in packet tracer.

3. Verify the operation of NAT by checking the details of every packet that is translated by the router. To view this information, use:

R1#debug ip nat or

R1#debug ip nat detailed

The latter command, debug ip nat detailed, provides a description of each packet that has been considered for translation. It also displays information on some errors, such as a failure to assign a global IP address.

4. The show ip nat statistics command displays:

a) Details of all the active translation entries
b) NAT configuration parameters
c) Number of IP addresses in the pool
d) Total number of assigned IP addresses.

http://academy.delmar.edu/Courses/download/CiscoIOS/NAT_ip_nat_outside_source_static.pdf
https://cciepursuit.wordpress.com/2007/10/07/hits-and-misses-in-ip-nat-statistics/
http://brbccie.blogspot.com/2013/06/everything-nat.html

3 ways to NAT on a Cisco Router


https://learningnetwork.cisco.com/thread/96145


NAT Basics

Static NAT
ip nat inside source static 10.0.0.2 112.1.1.5

R4#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 112.1.1.5 10.0.0.2 --- ---

R4#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 112.1.1.5:5 10.0.0.2:5 112.1.1.2:5 112.1.1.2:5
icmp 112.1.1.5:6 10.0.0.2:6 112.1.1.2:6 112.1.1.2:6
icmp 112.1.1.5:7 10.0.0.2:7 112.1.1.2:7 112.1.1.2:7

Dynamic NAT (overload)
access-list 10 permit any
ip nat inside source list 10 interface g2/0 overload

R4#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 112.1.1.1:8 10.0.0.2:8 112.1.1.2:8 112.1.1.2:8
icmp 112.1.1.1:9 172.1.1.1:9 112.1.1.2:9 112.1.1.2:9
icmp 112.1.1.1:10 172.1.1.1:10 112.1.1.2:10 112.1.1.2:10
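The overload case above (one inside global address, 112.1.1.1 on g2/0, shared by 10.0.0.2 and 172.1.1.1), as an added example that is not from the original post: a minimal PAT table in Python that checks the NAT access-list, keeps the original port when it is free and allocates a new one when two inside hosts collide, which the page's output does not happen to show. The class and function names are my own.

```python
# Constructed example (not from the original post): a minimal model of
# 'ip nat inside source list 10 interface g2/0 overload' from the output above.
from ipaddress import ip_address, ip_network

INSIDE_GLOBAL = "112.1.1.1"                 # address of interface g2/0
ACL_10 = [ip_network("0.0.0.0/0")]          # access-list 10 permit any

def interesting(src):
    """Does the inside source match the NAT access-list (interested traffic)?"""
    return any(ip_address(src) in net for net in ACL_10)

class PatTable:
    def __init__(self):
        self.entries = {}   # (proto, inside local ip, local port) -> global port
        self.in_use = {}    # (proto, global port) -> (inside local ip, local port)

    def outbound(self, proto, src, sport):
        """Translate an inside-local (src, port) to (inside global, port).
        The original port/ICMP id is kept if it is free; otherwise the next free
        one is allocated so two hosts using the same port never collide."""
        if not interesting(src):
            return src, sport              # not a NAT candidate: sent unchanged
        key = (proto, src, sport)
        if key not in self.entries:
            gport = sport
            while (proto, gport) in self.in_use:
                gport = gport % 65535 + 1  # wrap around, skipping port 0
            self.entries[key] = gport
            self.in_use[(proto, gport)] = (src, sport)
        return INSIDE_GLOBAL, self.entries[key]

    def inbound(self, proto, dport):
        """Map a returning packet addressed to the inside global port back to
        the inside local host; None means no translation exists (dropped)."""
        return self.in_use.get((proto, dport))

    def rows(self, outside):
        """Rows as 'show ip nat translations' prints them for flows to one outside host."""
        return [(proto, f"{INSIDE_GLOBAL}:{g}", f"{src}:{sport}", f"{outside}:{g}", f"{outside}:{g}")
                for (proto, src, sport), g in self.entries.items()]

if __name__ == "__main__":
    table = PatTable()
    table.outbound("icmp", "10.0.0.2", 8)     # as in the output above
    table.outbound("icmp", "172.1.1.1", 9)
    table.outbound("icmp", "172.1.1.1", 8)    # id 8 already used by 10.0.0.2
    for row in table.rows("112.1.1.2"):
        print(*row)
```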

https://learningnetwork.cisco.com/thread/41202

BGP Weight Path Attribute in Network Failover Scenarios

Note: The default weight for learned routes is 0 and the default weight for a locally originated route is 32768


Using EIGRP

CE01#sh ip eigrp topology
EIGRP-IPv4 Topology Table for AS(10)/ID(172.1.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 192.168.1.1/32, 1 successors, FD is 2560002816, tag is 10
via 3.3.3.2 (2560002816/2560000256), FastEthernet2/0
P 3.3.3.0/30, 1 successors, FD is 28160
via Connected, FastEthernet2/0
P 192.168.2.2/32, 1 successors, FD is 2560002816, tag is 10
via 3.3.3.2 (2560002816/2560000256), FastEthernet2/0
P 172.1.1.1/32, 1 successors, FD is 156160
via 3.3.3.2 (156160/128256), FastEthernet2/0

CE01#sh ip bgp
BGP table version is 9, local router ID is 3.3.3.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 3.3.3.0/30 0.0.0.0 0 32768 ?
*> 172.1.1.1/32 3.3.3.2 156160 32768 ?
* 192.168.1.1/32 1.1.1.1 0 10 i
*> 3.3.3.2 2560002816 32768 ?
* 192.168.2.2/32 1.1.1.1 0 10 i
*> 3.3.3.2 2560002816 32768 ?

CE01#sh ip route
D 172.1.1.1 [90/156160] via 3.3.3.2, 00:05:07, FastEthernet2/0
192.168.1.0/32 is subnetted, 1 subnets
D EX 192.168.1.1 [170/2560002816] via 3.3.3.2, 00:02:23, FastEthernet2/0
192.168.2.0/32 is subnetted, 1 subnets
D EX 192.168.2.2 [170/2560002816] via 3.3.3.2, 00:02:23, FastEthernet2/0

CE01#sh run | sec router
router eigrp 10
network 3.3.3.0 0.0.0.3
router bgp 20
no synchronization
bgp log-neighbor-changes
redistribute eigrp 10
neighbor 1.1.1.1 remote-as 10
no auto-summary

##########################################
CE02#sh run | sec router
router eigrp 10
network 3.3.3.0 0.0.0.3
network 172.1.1.0 0.0.0.255
redistribute bgp 20
router bgp 20
no synchronization
bgp log-neighbor-changes
neighbor 2.2.2.1 remote-as 10

CE02#sh ip bgp
BGP table version is 4, local router ID is 3.3.3.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 192.168.1.1/32 2.2.2.1 0 10 i
*> 192.168.2.2/32 2.2.2.1 0 10 i
#########################################################################

CE01#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
172.1.1.1 1 FULL/DR 00:00:31 3.3.3.2 FastEthernet2/0

CE01#sh ip ospf database
OSPF Router with ID (3.3.3.1) (Process ID 1)

Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
3.3.3.1 3.3.3.1 17 0x80000002 0x00FB0D 1
172.1.1.1 172.1.1.1 18 0x80000003 0x0024D4 2
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
3.3.3.2 172.1.1.1 18 0x80000001 0x003494
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
192.168.1.1 172.1.1.1 94 0x80000001 0x006CA2 10
192.168.2.2 172.1.1.1 94 0x80000001 0x0057B5 10
CE01#sh ip bgp
BGP table version is 29, local router ID is 3.3.3.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 3.3.3.0/30 0.0.0.0 0 32768 ?
*> 172.1.1.1/32 3.3.3.2 2 32768 ?
* 192.168.1.1/32 1.1.1.1 0 10 i
*> 3.3.3.2 2 32768 ?
* 192.168.2.2/32 1.1.1.1 0 10 i
*> 3.3.3.2 2 32768 ?

CE01#sh ip route
Gateway of last resort is not set
O 172.1.1.1 [110/2] via 3.3.3.2, 00:06:47, FastEthernet2/0
192.168.1.0/32 is subnetted, 1 subnets
O E1 192.168.1.1 [110/2] via 3.3.3.2, 00:05:13, FastEthernet2/0
192.168.2.0/32 is subnetted, 1 subnets
O E1 192.168.2.2 [110/2] via 3.3.3.2, 00:05:13, FastEthernet2/0

CE01# sh run | sec router
router ospf 1
log-adjacency-changes
router bgp 20
no synchronization
bgp log-neighbor-changes
redistribute ospf 1 match internal external 1 external 2
neighbor 1.1.1.1 remote-as 10
no auto-summary

##################################
CE02#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.1 1 FULL/BDR 00:00:33 3.3.3.1 FastEthernet2/0

CE02#sh run | sec router
router ospf 1
log-adjacency-changes
redistribute bgp 20 metric-type 1 subnets
router bgp 20
no synchronization
bgp log-neighbor-changes
neighbor 2.2.2.1 remote-as 10
no auto-summary

Solution:
Set the Weight path attribute to 40000 for all routes received from the BGP peer.

CE01(config)#router bgp 20
CE01(config-router)#neighbor 1.1.1.1 weight 4000

CE01#sh ip bgp
Network Next Hop Metric LocPrf Weight Path
*> 192.168.1.1/32 1.1.1.1 4000 10 i
*> 192.168.2.2/32 1.1.1.1 4000 10 i

CE01#sh ip route
O 172.1.1.1 [110/2] via 3.3.3.2, 00:56:16, FastEthernet2/0
192.168.1.0/32 is subnetted, 1 subnets
B 192.168.1.1 [20/0] via 1.1.1.1, 00:00:20
192.168.2.0/32 is subnetted, 1 subnets
B 192.168.2.2 [20/0] via 1.1.1.1, 00:00:20
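The weight problem above, as an added example that is not from the original post: a Python model of the first steps of the IOS BGP best-path algorithm (weight, local preference, locally originated, AS-path length, origin), fed with the two candidate paths for 192.168.1.1/32 from CE01's first "sh ip bgp" output. It shows why the path redistributed from the IGP (default weight 32768) beats the one learned from 1.1.1.1 (default weight 0) until a higher neighbor weight, such as the 40000 in the Solution, is applied. The names Path, rank, best_path and apply_neighbor_weight are my own.

```python
# Constructed example (not from the original post): the first tie-breakers of
# the IOS BGP best-path selection, used to rank CE01's paths for 192.168.1.1/32.
from dataclasses import dataclass
from typing import Optional

LOCAL_WEIGHT = 32768   # IOS default for locally originated / redistributed paths
LEARNED_WEIGHT = 0     # IOS default for paths learned from a peer
ORIGIN_RANK = {"i": 2, "e": 1, "?": 0}   # IGP preferred over EGP over incomplete

@dataclass
class Path:
    prefix: str
    next_hop: str
    from_neighbor: Optional[str]     # peer the path was learned from; None if local
    as_path: tuple = ()
    origin: str = "i"
    local_pref: int = 100
    weight: Optional[int] = None     # None -> IOS default for the path type

    def __post_init__(self):
        if self.weight is None:
            self.weight = LEARNED_WEIGHT if self.from_neighbor else LOCAL_WEIGHT

def rank(p):
    """Higher tuple wins; compared left to right like the IOS algorithm:
    weight, local preference, locally originated, shortest AS path, origin."""
    return (p.weight, p.local_pref, p.from_neighbor is None,
            -len(p.as_path), ORIGIN_RANK[p.origin])

def best_path(paths):
    """The path that would be marked '>' in 'show ip bgp'."""
    return max(paths, key=rank)

def apply_neighbor_weight(paths, neighbor, weight):
    """Equivalent of 'neighbor <ip> weight <n>': every path from that peer gets <n>."""
    for p in paths:
        if p.from_neighbor == neighbor:
            p.weight = weight
    return paths

def ce01_paths():
    """Candidate paths for 192.168.1.1/32 as in CE01's first 'sh ip bgp' output."""
    return [
        Path("192.168.1.1/32", "1.1.1.1", "1.1.1.1", as_path=(10,), origin="i"),
        Path("192.168.1.1/32", "3.3.3.2", None, origin="?"),   # redistributed from the IGP
    ]

if __name__ == "__main__":
    paths = ce01_paths()
    print("before:", best_path(paths).next_hop)                         # 3.3.3.2
    print("after: ", best_path(apply_neighbor_weight(paths, "1.1.1.1", 40000)).next_hop)
```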

Reference:
https://www.rogerperkin.co.uk/routing-protocols/bgp/bgp-weight-attribute/
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/213285-understand-the-importance-of-bgp-weight.html

BGP OUTBOUND ROUTE FILTERING (BGP ORF)

Outbound Route Filtering Capability for BGP-4 is currently an IETF draft (http://www.ietf.org/internet-drafts/draft-ietf-idr-route-filter-16.txt) that describes an optimization on how prefix filtering can occur between a Customer Edge (CE) router and a Provider Edge (PE) router that are exchanging IPv4 unicast BGP prefixes. In the design we saw above the upstream PE router sent the full BGP table downstream to the CE router, and filtering was applied inbound on the downstream CE. With BGP ORF the downstream CE router dynamically tells the upstream PE router what routes to filter *outbound*. This means that the downstream CE router will only receive update messages about the prefixes that it wants.

Implementation wise the first step of this feature is for the BGP neighbors to negotiate that they both support the BGP ORF capability. Configuration-wise this looks as follows:

AS100_PE#
router bgp 100
neighbor 10.0.0.200 remote-as 200
!
address-family ipv4
neighbor 10.0.0.200 capability orf prefix-list receive
neighbor 204.12.25.254 activate
exit-address-family

AS200_CE#
router bgp 200
neighbor 10.0.0.100 remote-as 100
!
address-family ipv4
neighbor 10.0.0.100 capability orf prefix-list send
neighbor 10.0.0.100 prefix-list AS_100_INBOUND in
exit-address-family
!

Verification:
AS100_PE#show ip bgp neighbors 10.0.0.200 | begin AF-dependant capabilities:
AS200_CE#show ip bgp neighbors 10.0.0.100 | begin AF-dependant capabilities:

Next, AS 200’s CE router tells AS 100’s PE router which prefixes it wants to receive. The logic of this configuration is that AS 200 is “sending” a prefix-list of what routes it wants, while AS 100 is “receiving” the prefix-list of what the downstream neighbor wants. The reception of the prefix-list by the upstream PE can be verified as follows.

INE LINK

BGP Aggregate Address

### R1 BGP CONFIGURATION ###
router bgp 10
no synchronization
bgp log-neighbor-changes
network 37.1.1.0 mask 255.255.255.0
neighbor 1.1.1.2 remote-as 20
neighbor 1.1.1.2 soft-reconfiguration inbound

R1#sh ip bgp neighbors 1.1.1.2 advertised-routes
BGP table version is 5, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Originating default network 0.0.0.0

Network Next Hop Metric LocPrf Weight Path
*> 37.1.1.0/26 37.1.1.252 0 32768 ?
*> 37.1.1.64/26 0.0.0.0 0 32768 ?
*> 37.1.1.128/25 0.0.0.0 0 32768 ?
Without route summarization we are advertising multiple 37.1.1.0 prefixes towards the neighbor.

Suppressing more-specific routes

The keyword summary-only filters all more-specific routes which belong to the aggregate-address and only the summary will be advertised.

R1#sh run | sec router bgp
router bgp 10
no synchronization
bgp log-neighbor-changes
network 37.1.1.0 mask 255.255.255.0
aggregate-address 37.1.1.0 255.255.255.0 summary-only

R1#sh ip bgp neighbors 1.1.1.2 advertised-routes
Originating default network 0.0.0.0

Network Next Hop Metric LocPrf Weight Path
*> 37.1.1.0/24 0.0.0.0 32768 i

What is Route Leaking
1. When running an MPLS network with multiple VRFs, it can be useful to leak routes between VRFs. A classic use for this would be to leak your link into a management VRF, or to assign a management address to your CE routers as a /32 and leak that. Other uses include leaking public IP addresses into a separate VRF, to be handled by a different router than the LAN addresses. It is necessary to filter your route leaking to make sure that only non-overlapping addresses are leaked, and it is important to make sure that one VRF does not gain access to the routes of another VRF.

2. There are two ways to leak routes from one VRF to another:
1. Statically leak a VRF to the global routing table and vice versa.
2. Use RD and RT values to leak the routes into MP-BGP (and so into other VRFs), then redistribute them into the dynamic routing protocols running in that VRF.

3. In an ISP environment a common MPLS core serves multiple customers. If one customer has sites London-A and Delhi-A and another has London-B and Delhi-B, the ISP keeps them apart with the RD and RT concept: the PE (edge) routers attach an RT to each customer's routes and the same RT is applied at both of that customer's sites. When the RTs match, the sites communicate without any issue and the routes of site A are delivered only to the other site A. If the RTs are mismatched, routes leak and the London-A routes can end up at the wrong site, such as Delhi-B.

BGP – ROUTE REFLECTOR
1. Service provider environment – RRs are installed to share routes with multiple PEs rather than building iBGP sessions between all PEs (a full mesh).

2. Generally a service provider must have RRs. The RRs can be redundant to each other or can share the load based on geographic location.

3. Key points:
1. An RR is used to break the iBGP split-horizon rule (an iBGP-learned route is not normally advertised to another iBGP peer).
2. When RRs are used, two more attributes are introduced in BGP: originator ID and cluster ID.
3. These two attributes also provide a loop prevention mechanism in iBGP when RRs are used.

http://packetpushers.net/bgp-rr-design-part-1/