This is a pretty complex BGP issue because you really need to know the BGP philosophy and maybe even have some basic experience in programming. The trick is to change the behaviour of the BGP advertisements depending on the routes that are being learned.
Step 1:
Configure 2 Route Maps, one for the CHECK condition, and another for PREFIXES you will advertise if CHECK passes.
For example we want to CHECK if the 2.0.0.0 is learned:
(config)#access-list 2 permit 2.0.0.0
(config)#route-map CHECK permit 10
(config-rmap)#match ip address 2
And ONLY if it's NOT in the BGP table (conditional advertisement is evaluated against the BGP table, not the IP routing table), we want to advertise 1.0.0.0
(config)#access-list 1 permit 1.0.0.0
(config)#route-map ADVERTISE permit 10
(config-rmap)#match ip address 1
Step 2:
Configure the advertise map and the condition in the BGP routing process:
(config)#router bgp 65545
(config-router)#neighbor 10.1.12.2 advertise-map ADVERTISE ?
exist-map advertise prefix only if prefix is in the condition exists <- CHECK THESE OPTIONS
non-exist-map advertise prefix only if prefix in the condition does not exist
(config-router)#neighbor 10.1.12.2 advertise-map ADVERTISE non-exist-map CHECK
Intuitively: the advertise-map (ADVERTISE) is the route map that defines the routes that will be advertised to the neighbor, and with non-exist-map they are advertised only if the condition defined in the other route map (CHECK) is NOT satisfied, meaning - only if no prefix matching CHECK is present in the BGP table. With exist-map the logic is reversed. The condition is re-evaluated by the BGP scanner (every 60 seconds by default), so the advertisement does not switch the instant the checked prefix appears or disappears.
Advanced BGP Features: Route Dampening
When you check the BGP prefixes using "show ip bgp", besides the status codes that have appeared so far (*, >, r) there
is another code that can appear, the letter "d", which stands for DAMPED.
#show ip bgp
BGP table version is 5, local router ID is 192.168.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal <- CHECK THIS LINE
r RIB-failure, S Stale
From Cisco Docs: "Route dampening is a BGP feature designed to minimize the propagation of flapping routes across
an internetwork. A route is considered to be flapping when its availability alternates repeatedly"
If you're configuring it without any parameter tuning, there is an enable command under the BGP process:
(config-router)#bgp dampening
If you want to use this feature - make sure you understand the concept of a PENALTY being assigned to a route
every time it FLAPS (1000 per flap), and make sure you're familiar with the PARAMETERS of BGP DAMPENING:
#sh ip bgp dampening parameters
dampening 15 750 2000 60 (DEFAULT)
Half-life time : 15 mins Decay Time : 2320 secs
Max suppress penalty: 12000 Max suppress time: 60 mins
Suppress penalty : 2000 Reuse penalty : 750
1. HALF-LIFE (default 15 minutes)
Once a penalty has been assigned to a route, the accumulated penalty is decayed every 5 seconds; after one half-life
the accumulated penalty has been reduced by half. Default HALF-LIFE is 15 minutes, range 1-45 minutes.
2. REUSE (default 750)
The route becomes REUSABLE (unsuppressed) when its penalty decays BELOW THIS VALUE. By default it's 750,
and the range is 1 to 20000
3. SUPPRESS (default 2000)
The route is SUPPRESSED when its penalty REACHES THIS VALUE. Default is 2000, and the range is 1-20000
4. MAX-SUPPRESS-TIME (default 60 minutes)
Max time that the route can STAY SUPPRESSED. Default is 4 times the half-life (60 minutes), range is 1-255 minutes.
It also bounds the penalty: the "Max suppress penalty" of 12000 shown above is reuse x 2^(max-suppress-time / half-life) = 750 x 2^4.
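To see how the four parameters interact, here is a small model of the dampening state machine (penalty per flap, 5-second exponential decay, suppress and reuse thresholds, and the derived maximum penalty). This is an added example, not code from the page or from IOS; the flap timestamps fed to it are constructed, and the 1000-per-flap penalty is the IOS default.

```python
"""Model of BGP route-flap dampening: a penalty per flap, exponential decay
with a half-life, and the suppress / reuse thresholds. Added example, not code
from the page; the flap timestamps used below are constructed."""
from dataclasses import dataclass

FLAP_PENALTY = 1000   # IOS adds 1000 to the penalty on each flap
DECAY_TICK_S = 5      # and re-evaluates the decayed penalty every 5 seconds


@dataclass(frozen=True)
class Dampening:
    """The four tunables, defaulting to "dampening 15 750 2000 60"."""
    half_life_min: int = 15
    reuse: int = 750
    suppress: int = 2000
    max_suppress_min: int = 60

    @property
    def max_suppress_penalty(self) -> int:
        # The penalty is capped at the value that decays back to `reuse` in
        # exactly max_suppress_min, which is what bounds the suppression time.
        return int(self.reuse * 2 ** (self.max_suppress_min / self.half_life_min))

    def timeline(self, flap_times_s, horizon_s=4 * 3600):
        """Replay flaps (seconds since t=0) and return (suppressed_at, reused_at)
        in seconds, with None where the event never happened."""
        decay = 0.5 ** (DECAY_TICK_S / (self.half_life_min * 60))
        pending = sorted(flap_times_s)
        penalty = 0.0
        suppressed_at = reused_at = None
        for t in range(0, horizon_s + 1, DECAY_TICK_S):
            penalty *= decay                      # the 5-second decay tick
            while pending and pending[0] <= t:    # flaps that happened by now
                pending.pop(0)
                penalty = min(penalty + FLAP_PENALTY, self.max_suppress_penalty)
            if suppressed_at is None and penalty >= self.suppress:
                suppressed_at = t
            elif suppressed_at is not None and penalty < self.reuse:
                reused_at = t
                break
        return suppressed_at, reused_at


if __name__ == "__main__":
    d = Dampening()
    print("max suppress penalty:", d.max_suppress_penalty)   # 12000
    print("one flap:", d.timeline([0]))                       # never suppressed
    print("three flaps at once:", d.timeline([0, 0, 0]))      # reused after ~30 min
    print("twenty flaps at once:", d.timeline([0] * 20))      # capped, reused after ~60 min
```

Two flaps already reach the default suppress threshold, and twenty flaps do not hold the route down any longer than sixteen do because of the cap; if you lower the half-life or raise reuse, recompute the cap before assuming your max-suppress-time still means what you think.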
If you need to configure BGP DAMPENING only for certain routes, use a ROUTE-MAP (the route-map itself is created in global configuration mode):
(config)#route-map DAMPEN_1
(config-route-map)#match ip address 15 <- CONFIGURE THE ROUTES YOU ARE DAMPENING IN AN ACL
(config-route-map)#set dampening 15 700 2000 60 <- SET DESIRED DAMPENING PARAMETERS
Then apply it within the BGP configuration process:
(config-router)#bgp dampening route-map DAMPEN_1
!!!This configuration can get quite complicated, so you might need to MATCH THE AS-PATH,
for which you need to be comfortable with regex META CHARACTERS. Be careful with the anchors: ^300$ matches only paths that consist of nothing but AS 300, i.e. prefixes originated by a directly connected AS 300 neighbor; to match prefixes originated in AS 300 regardless of how many ASes sit in between, use _300$:
(config)#ip as-path access-list 15 permit ^300$
And then MATCH it in the route-map and SET the dampening parameters:
(config)#route-map DAMPEN_2
(config-route-map)#match as-path 15
(config-route-map)#set dampening 15 700 2000 60
BGP Peer-Session Templates
Another way to make the BGP configuration easier by avoiding configuring the same command set on every router. It makes your life easier if you have various neighbors to which you'd like to apply a common set of attributes.
Step 1: Define the peer-session and give it a name:
(config-router)#template peer-session MYBGP
Step 2: Assign the attributes to the peer-session:
(config-router-stmp)#version 4
(config-router-stmp)#update-source lo0
(config-router-stmp)#password Cisqueros
!!!The neighbor password is the key for the TCP MD5 signature option (RFC 2385) on the BGP session. It is stored in the running config, so enable "service password-encryption" so it is at least not shown in clear text, and use something stronger than a dictionary word.
Step 3: If you have more groups of neighbors that all share some common settings (for example the ones defined
in the template MYBGP) but differ in others, create another template per group and inherit the first template:
(config-router)#template peer-session GROUP_1 <- FOR AS 100
(config-router-stmp)#inherit peer-session MYBGP
(config-router-stmp)#remote-as 100
(config-router)#template peer-session GROUP_2 <- FOR AS 200
(config-router-stmp)#inherit peer-session MYBGP
(config-router-stmp)#remote-as 200
Step 4: Apply the LAST defined Template to RELEVANT NEIGHBORS, that inherited the settings of the initial Templates:
(config-router)#neighbor 1.1.1.1 inherit peer-session GROUP_1
(config-router)#neighbor 2.2.2.2 inherit peer-session GROUP_1
(config-router)#neighbor 3.3.3.3 inherit peer-session GROUP_2
Convert MAC to Link Local IPv6 Address
Check how the Link Local address has been generated using the interface MAC address using the following command:
#sh int fa0/0 | i Hard
Hardware is Gt96k FE, address is 001e.be5d.27f0 (bia 001e.be5d.27f0)
IPv6: FE80::21E:BEFF:FE5D:27F0
Step 1: Start with the Link-Local prefix FE80::/64 (FE80 followed by 48 zero bits)
Step 2: The 64-bit interface ID is the 48-bit MAC in modified EUI-64 form. The universal/local bit (the second-lowest bit of the first byte) is FLIPPED, so the first byte 00 becomes 02; with leading zeros dropped, the hextet 021E is written 21E
Step 3: The first 3 bytes of the MAC (00.1e.be, now 02.1e.be) are COPIED - 2|1E:BE|FF:FE|5D:27F0
Step 4: FFFE is INSERTED after them, in the MIDDLE of the MAC address; this is what pads the 48 bits out to the 64 we need
Step 5: The last 3 bytes of the MAC (5d.27.f0) follow
So - (first MAC byte XOR 02) + next 2 bytes of MAC + FFFE + last 3 bytes of MAC
Now check the complete IPv6 configuration of the interface:
#sh ipv6 int fa0/0
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::21E:BEFF:FE5D:27F0
No global unicast address is configured
Joined group address(es):
FF02::1 <- all-nodes multicast. In FF0x the flags nibble after FF is 0 for a well-known (permanent) group and 1 for a transient one; the 2 is the scope (link-local)
FF02::2 <- all-routers multicast (joined because ipv6 unicast-routing is enabled)
FF02::1:FF5D:27F0 <- Solicited-Node Multicast Address (FF02::1:FF + the low 24 bits of the unicast address), used by Neighbor Solicitation and DAD
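The derivation above, and the solicited-node group that the interface joins for it, as an added example (not code from the page) using only the standard library. The MAC is the page's 001e.be5d.27f0; the reverse function shows the privacy cost of EUI-64 addressing: the hardware MAC can be read straight back out of the address, which is why RFC 4941 privacy extensions exist.

```python
"""Modified EUI-64 link-local derivation, solicited-node multicast, and the
reverse mapping back to the MAC. Added example, not from the page."""
import ipaddress
import re


def parse_mac(mac: str) -> bytes:
    """Accept Cisco 001e.be5d.27f0 or 00:1e:be:5d:27:f0 notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    b = bytearray(parse_mac(mac))
    b[0] ^= 0x02                                   # flip the universal/local bit
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])  # insert FFFE in the middle


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 + modified EUI-64 interface ID."""
    return ipaddress.IPv6Address(bytes.fromhex("fe80") + b"\x00" * 6 + eui64_interface_id(mac))


def solicited_node(addr) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, i.e. the low 24 bits of the unicast address."""
    packed = ipaddress.IPv6Address(addr).packed
    return ipaddress.IPv6Address(bytes.fromhex("ff0200000000000000000001ff") + packed[13:])


def mac_from_eui64(addr):
    """Return the MAC an EUI-64 address was built from (Cisco notation), or None
    if the interface ID does not carry the FFFE marker."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02                                 # undo the U/L bit flip
    mac = bytes(iid[:3]) + bytes(iid[5:])
    return "%s.%s.%s" % (mac[0:2].hex(), mac[2:4].hex(), mac[4:6].hex())


if __name__ == "__main__":
    ll = link_local_from_mac("001e.be5d.27f0")
    print(ll)                      # fe80::21e:beff:fe5d:27f0
    print(solicited_node(ll))      # ff02::1:ff5d:27f0
    print(mac_from_eui64(ll))      # 001e.be5d.27f0
```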
IPv6 Basics
Loopback: ::1/128
Multicast: FF00::/8
Link Local: FE80::/10 - used for stateless auto-configuration, Neighbor discovery, Router discovery
FC00::/7 Unique Local, Unicast (equivalent to the IPv4 private addresses), not routable via global BGP
EUI-64 - use /64 prefixes on all the INTERFACES, so 64 bits are left for the interface ID
!!!(MAC can be converted into EUI-64 format to get the interface ID; note that this embeds the hardware MAC in the address, which is why privacy extensions exist)
ARP has been replaced with ICMPv6 Neighbor Discovery.
Inverse ARP has been removed, so for NBMA networks we need to provide a static L2-L3 mapping
TIP: before enabling IPv6 on a router and configuring the interfaces, make sure there is IPv4 connectivity
IPv6 is not enabled by default, so first enable IPv6 globally on the Router/Switch:
(config)#ipv6 unicast-routing
On a ROUTER you should enable IPv6 on an interface:
(config-if)#ipv6 enable
!!!LINK-LOCAL address is generated based on the interfaces MAC Address by doing "ipv6 enable"
Assign the UNICAST IPv6 address:
(config-if)#no switchport <--- DONT FORGET on 3560 OR 3750
(config-if)#ipv6 add 12:1:1::3/64
Assign a LINK-LOCAL IPv6 Address, if you want to configure it STATICALLY:
(config-if)#ipv6 address FE80::1 link-local
!!!Be sure it starts with FE80, or you will get a message "% Invalid link-local address"
By default IPv6 has Neighbor Discovery as a L2-L3 mapping mechanism, instead of ARP. To debug it do:
#debug ipv6 nd
When you configure the "ipv6 enable" on the interface, the Link Local address is assigned:
*Nov 21 08:21:02.068: ICMPv6-ND: Sending NS for FE80::21E:BEFF:FE5D:27F0 on FastEthernet0/0
!!!NS -Neighbor Solicitation
*Nov 21 08:21:03.068: ICMPv6-ND: DAD: FE80::21E:BEFF:FE5D:27F0 is unique.
!!!FE80::21E:BEFF:FE5D:27F0 Assigned. DAD - Duplicate Address Detection confirms IP is UNIQUE!
*Nov 21 08:21:03.068: ICMPv6-ND: Sending NA for FE80::21E:BEFF:FE5D:27F0 on FastEthernet0/0
!!!NA - Neighbor Advertisement for the router's Link Local address
*Nov 21 08:21:03.068: ICMPv6-ND: Address FE80::21E:BEFF:FE5D:27F0/10 is up on FastEthernet0/0
!!!The address comes UP because no one complained (no other node answered the NS for it)
Check if the interface got the correct IPv6 Address:
#sh ipv6 int br
FastEthernet0/0 [up/up]
FE80::21E:BEFF:FE5D:27F0
FastEthernet0/1 [administratively down/down]
Serial0/1/0 [up/down]
Serial0/1/1 [administratively down/down]
Serial0/2/0 [administratively down/down]
When you SHUT the local interface, the Link Local address is deleted:
*Nov 21 08:19:12.972: ICMPv6-ND: Sending Final RA on FastEthernet0/0
*Nov 21 08:19:12.984: ICMPv6-ND: STALE -> DELETE: FE80::213:60FF:FE85:AEEA
And we are finally reaching my favorite change in the IPv6, the NEIGHBOR DISCOVERY and DISPLAY:
#show ipv6 neighbors
IPv6 Address Age Link-layer Addr State Interface
12:1:1:12::1 0 0013.6085.aeea STALE Fa0/0 <- UNICAST
FE80::1 0 0013.6085.aeea STALE Fa0/0 <- LINK-LOCAL
OSPF Forward Address Suppression
The aim is to SUPPRESS the forwarding address of the router that originated the prefix. When the area is NSSA and you want to CONTROL the translation of LSA7 to LSA5 on the ABR, use 0.0.0.0 as the forwarding address in the translated LSA5 instead of the one carried in the LSA7 (so the rest of the domain forwards towards the translating ABR and no longer needs a route to the forwarding address itself):
(config-router)#area 1 nssa translate type7 suppress-fa ?
default-information-originate Originate Type 7 default into NSSA area
no-redistribution No redistribution into this NSSA area
no-summary Do not send summary LSA into NSSA
<cr>
Before the command has been applied the external (LSA5) subnet within the area 0 is seen as:
#sh ip ospf database external 6.0.0.0
OSPF Router with ID (1.1.1.1) (Process ID 1)
Type-5 AS External Link States
LS age: 557
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 6.0.0.0 (External Network Number )
Advertising Router: 3.3.3.3
LS Seq Number: 80000003
Checksum: 0x1286
Length: 36
Network Mask: /8
Metric Type: 2 (Larger than any link state path)
MTID: 0
Metric: 20
Forward Address: 200.1.36.6
External Route Tag: 0
While after the command has been implemented, we have:
#sh ip ospf database external 6.0.0.0
OSPF Router with ID (1.1.1.1) (Process ID 1)
Type-5 AS External Link States
Routing Bit Set on this LSA in topology Base with MTID 0
LS age: 41
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 6.0.0.0 (External Network Number )
Advertising Router: 3.3.3.3
LS Seq Number: 80000004
Checksum: 0x3952
Length: 36
Network Mask: /8
Metric Type: 2 (Larger than any link state path)
MTID: 0
Metric: 20
Forward Address: 0.0.0.0 <- THE FORWARD ADDRESS HAD CHANGED
External Route Tag: 0
If you add "no-summary" to this command, LSA3s are filtered from the NSSA, and a default route is advertised into it instead.
You can use a similar approach to NOT ADVERTISE SPECIFIC PREFIXES into the NSSA, but advertise only the default route on the ABR. In this example Area 1 is the NSSA:
(config-router)#area 1 nssa default-information-originate no-summary
Area 1 (NSSA Area) will learn the Default Route as the LSA7 (N2):
#sh ip route
...
Gateway of last resort is 205.1.36.3 to network 0.0.0.0
O*N2 0.0.0.0/0 [110/1] via 205.1.36.3, 00:05:21, Serial1/0.63
1.0.0.0/32 is subnetted, 1 subnets
!!!Regardless of whether you're using the "nssa default-information-originate" or the "nssa no-summary" command
in the OSPF Area, the Default Route will be injected into that area. The difference is the route type:
NSSA NO-SUMMARY
Gateway of last resort is 10.1.34.3 to network 0.0.0.0
O*IA 0.0.0.0/0 [110/65] via 10.1.34.3, 00:04:22, Serial1/0.43
NSSA DEFAULT-INFORMATION-ORIGINATE
Gateway of last resort is 10.1.35.3 to network 0.0.0.0
O*N2 0.0.0.0/0 [110/1] via 10.1.35.3, 00:00:22, Serial1/0.53
1.0.0.0/32 is subnetted, 1 subnets
NTP - Network Time Protocol
First there is an "old school" method of setting time on your IOS Device, which is fine if you're one of those :)
#clock set 16:50:00 15 NOVEMBER 2013
*Nov 15 16:50:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 15:50:31 UTC Fri Nov 15 2013 to 16:50:00 UTC
Fri Nov 15 2013, configured from console by console.
Now if you set this time really good, and the Switch is new generation and you really trust it, then in order to have
an entire network to be synchronized (and absolutely no external NTP available), set the most awesome switch to be
a NTP Server:
(config)#ntp master ?
<1-15> Stratum number <- STRATUM Number; every DOWNSTREAM device that syncs to it shows stratum = this number + the number of NTP hops from the master
Check what's happening:
#show ntp status
Clock is synchronized, stratum 2, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D630D0D3.99A45AAB (16:56:51.600 UTC Fri Nov 15 2013)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec
Then configure ALL the other Devices to synchronize their time based on the Awesome NTP Master Switch:
(config)#ntp server 131.1.13.1
Configure the BROADCAST on the Interfaces:
(config-if)#ntp broadcast <- On the NTP MASTER
(config-if)#ntp broadcast client <- ON NTP CLIENTS
!!!A broadcast client accepts time from any NTP broadcast it hears on the segment, and "ntp server" accepts whatever answers at that address, so on anything but a trusted segment configure NTP authentication ("ntp authenticate", "ntp authentication-key", "ntp trusted-key", and reference the key on the server or broadcast line).
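When auditing a fleet you will be reading "show ntp status" output rather than typing it, so here is an added example (not code from the page) that parses that output, decodes the 64-bit NTP reference timestamp, and flags the two things worth catching: a clock that is not synchronized at all, and a reference of 127.127.7.x, which is the local-clock pseudo-address an "ntp master" uses when it is free-running on its own oscillator rather than tracking an external source. The first sample is the page's own output; the second is constructed.

```python
"""Parse "show ntp status", decode the NTP reference timestamp, and flag time
sources a reviewer would not trust. Added example, not from the page."""
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# The page's own output, embedded here as sample input.
PAGE_OUTPUT = """\
Clock is synchronized, stratum 2, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D630D0D3.99A45AAB (16:56:51.600 UTC Fri Nov 15 2013)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec
"""
# Constructed sample of a device that never synchronized.
CONSTRUCTED_UNSYNCED = "Clock is unsynchronized, stratum 16, no reference clock\n"


def ntp_timestamp_to_datetime(ts: str) -> datetime:
    """'D630D0D3.99A45AAB' -> aware UTC datetime. 32-bit seconds since 1900
    plus a 32-bit binary fraction; NTP era 0 only (rolls over in 2036)."""
    hi, lo = ts.split(".")
    return NTP_EPOCH + timedelta(seconds=int(hi, 16),
                                 microseconds=round(int(lo, 16) * 1e6 / 2 ** 32))


def parse_ntp_status(text: str) -> dict:
    m = re.search(r"Clock is (\w+), stratum (\d+), (?:reference is (\S+)|no reference clock)", text)
    if not m:
        raise ValueError("no 'Clock is ...' line found")
    info = {"synchronized": m.group(1) == "synchronized",
            "stratum": int(m.group(2)),
            "reference": m.group(3)}          # None when there is no reference clock
    t = re.search(r"reference time is ([0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8})", text)
    info["reference_time"] = ntp_timestamp_to_datetime(t.group(1)) if t else None
    return info


def time_source_issues(info: dict) -> list:
    """Human-readable findings; an empty list means nothing suspicious."""
    issues = []
    if not info["synchronized"] or info["stratum"] >= 16:
        issues.append("clock is not synchronized (stratum 16 = no source)")
    if info["reference"] and info["reference"].startswith("127.127."):
        issues.append("reference %s is the local clock: this box is an 'ntp master' "
                      "free-running on its own oscillator" % info["reference"])
    return issues


if __name__ == "__main__":
    for sample in (PAGE_OUTPUT, CONSTRUCTED_UNSYNCED):
        info = parse_ntp_status(sample)
        print(info["stratum"], info["reference"], info["reference_time"], time_source_issues(info))
```

The page's master is correctly flagged: stratum 2 looks healthy, but the reference tells you its time is only as good as the hand-set clock, which matters the moment you try to correlate its logs with anything outside the lab.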
IRDP - ICMP Router Discovery Protocol
IRDP enables hosts (or routers with routing disabled) to automatically discover the IP address of a potential Default Gateway. It uses ICMP Router Advertisement (type 9) and Router Solicitation (type 10) messages.
Potential GW Routers periodically announce the IP address of their IRDP configured interface to a broadcast (or multicast) destination. An IRDP Preference value is advertised with these messages, along with the IP Address, and the host picks the advertised router with the highest preference. Nothing in these messages is authenticated, so any device on the segment can advertise itself with a higher preference.
Step 1:
The configuration is pretty straight-forward. First you MUST turn routing off on the device that is to discover its own GW (the IRDP client role is only available when the router behaves as a host):
(config)#no ip routing
Step 2:
IRDP Needs to be enabled on the Router:
(config)#ip gdp ?
eigrp Discover routers transmitting EIGRP router updates
irdp Discover routers transmitting IRDP router updates <- THIS ONE is the one we want here
rip Discover routers transmitting RIP router updates
Step 3:
Here is what needs to be defined on the interface:
(config-if)#ip irdp <- ENABLE IRDP ON THE INTERFACE
(config-if)#ip irdp maxadvertinterval 5 <- DEFINE THE ADVERTISING TIMERS
(config-if)#ip irdp minadvertinterval 3
(config-if)#ip irdp holdtime 15
(config-if)#ip irdp preference 600 <- DEFINE THE ROUTER PREFERENCE
Step 4:
TEST by pinging the IP behind the routers that are supposedly advertising the GW
PING will work ONLY if Proxy-ARP is enabled on the IP Interface
#sh ip inter fa0/0 | i ARP
Proxy ARP is enabled <- THIS ONE MATTERS
Local Proxy ARP is disabled
#show ip route
Gateway Using Interval Priority Interface
10.187.117.2 IRDP 4 600 FastEthernet0/0
10.187.117.1 IRDP 4 200 FastEthernet0/0
When you do a DEBUG of ICMP, you see that IRDP is using the ICMP Type 9 Code 0 messages to advertise the GW:
ES-MAT-AES-SR03#debug ip icmp
ICMP packet debugging is on
*Nov 14 16:03:08.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:09.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
*Nov 14 16:03:12.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:12.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
*Nov 14 16:03:16.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:16.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
*Nov 14 16:03:19.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
*Nov 14 16:03:20.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:23.288: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.2
*Nov 14 16:03:23.340: ICMP: rdp advert rcvd type 9, code 0, from 10.187.117.1
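To see what those "type 9, code 0" messages carry and how the preference values in the table above turn into a gateway choice, here is an added example (not code from the page) that builds and parses RFC 1256 Router Advertisements with a proper ICMP checksum and then applies the selection rule. The packets are constructed from the two routers shown above; the third "rogue" advertisement in the usage is also constructed and exists only to show that the selection is purely preference-based and unauthenticated.

```python
"""ICMP Router Discovery (RFC 1256) advertisement encoder/decoder plus the
preference-based default-gateway choice a host makes. Added example, not from
the page; all packets are constructed."""
import ipaddress
import struct

ICMP_ROUTER_ADVERT = 9
ENTRY_SIZE_WORDS = 2          # each entry = 32-bit address + 32-bit preference
NOT_A_DEFAULT = -0x80000000   # RFC 1256: "do not use this router as a default"


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as for every ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advert(entries, lifetime_s: int) -> bytes:
    """entries: list of (router_ip, preference); lifetime is the holdtime."""
    body = b"".join(struct.pack("!4si", ipaddress.IPv4Address(ip).packed, pref)
                    for ip, pref in entries)
    head = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERT, 0, 0,
                       len(entries), ENTRY_SIZE_WORDS, lifetime_s)
    pkt = head + body
    return pkt[:2] + struct.pack("!H", icmp_checksum(pkt)) + pkt[4:]


def parse_advert(pkt: bytes):
    """Return (lifetime, [(ip, preference), ...]); raise on malformed input."""
    if len(pkt) < 8:
        raise ValueError("short ICMP packet")
    if icmp_checksum(pkt) != 0:            # a correct packet sums to zero
        raise ValueError("bad ICMP checksum")
    typ, code, _, num, size, lifetime = struct.unpack("!BBHBBH", pkt[:8])
    if typ != ICMP_ROUTER_ADVERT or code != 0:
        raise ValueError("not a router advertisement: type %d code %d" % (typ, code))
    if size < ENTRY_SIZE_WORDS or len(pkt) != 8 + num * size * 4:
        raise ValueError("entry count/size does not match packet length")
    entries = []
    for i in range(num):
        off = 8 + i * size * 4             # honour a larger entry size if advertised
        ip, pref = struct.unpack("!4si", pkt[off:off + 8])
        entries.append((str(ipaddress.IPv4Address(ip)), pref))
    return lifetime, entries


def choose_gateway(adverts):
    """Highest preference wins. RFC 1256 leaves ties unspecified; the lowest
    address is used here only to make the choice deterministic."""
    candidates = []
    for pkt in adverts:
        _, entries = parse_advert(pkt)
        candidates += [(ip, pref) for ip, pref in entries if pref != NOT_A_DEFAULT]
    if not candidates:
        return None
    return max(candidates, key=lambda e: (e[1], -int(ipaddress.IPv4Address(e[0]))))[0]


if __name__ == "__main__":
    a = build_advert([("10.187.117.2", 600)], lifetime_s=15)
    b = build_advert([("10.187.117.1", 200)], lifetime_s=15)
    print(parse_advert(a), choose_gateway([a, b]))
    rogue = build_advert([("10.187.117.99", 1000)], lifetime_s=15)   # constructed
    print("with an unauthenticated higher bidder:", choose_gateway([a, b, rogue]))
```

The last line is the reason IRDP is off by default on hosts and should stay off outside a lab: the protocol has no way to tell 10.187.117.2 from a box that merely claims to be a better gateway.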
GLBP - Configure the Gateway Load Balancing Protocol
GLBP is different from HSRP and VRRP, as in - it's more complex and gives more possibilities, such as load balancing across all the group members at once
It's got 1 VIRTUAL IP and SEVERAL VIRTUAL MACs: one per forwarder, of the form 0007.b400.GGFF (GG = group number, FF = forwarder number). The AVG answers ARP requests for the virtual IP with a different one of these MACs depending on the load-balancing method
!!!You can have UP TO 4 ACTIVE VIRTUAL FORWARDERS IN A GLBP GROUP!!!
GLBP Group Members communicate using HELLOs to 224.0.0.102, UDP/3222, by default Hello Timer = 3 sec
Basically there are 2 roles:
- AVG (Active Virtual Gateway): the elected MASTER router (highest priority), in charge of ASSIGNING the virtual MAC addresses to the other routers and of answering ARP for the virtual IP, so it has to know ALL the MACs of the AVFs. A standby AVG takes over if the AVG dies.
- AVFs (Active Virtual Forwarders): the routers that actually forward the traffic sent to their virtual MAC (the AVG is normally one of them as well).
sh glbp br
Interface Grp Fwd Pri State Address Active router Standby route
Fa0/0 1 - 100 Standby 10.1.1.100 10.1.1.2 local
Fa0/0 1 1 7 Active 0007.b400.0101 local -
Fa0/0 1 2 7 Listen 0007.b400.0102 10.1.1.2 -
You can tune GLBP as you like, which means that (besides all the stuff you can also do in HSRP and VRRP) you can
choose the Load Balancing method:
ES-MAT-AES-SR03(config-if)#glbp 1 load-balancing ?
host-dependent Load balance equally, source MAC determines forwarder choice
round-robin Load balance equally using each forwarder in turn
weighted Load balance in proportion to forwarder weighting (GLBP places WEIGHT on each router)
<cr>
As an additional GLBP feature, there is a REDIRECT timer, which sets the time-out for assigning the Virtual MAC
of AVF that has failed.
ES-MAT-AES-SR03(config-if)#glbp 1 timers ?
<1-60> Hello interval in seconds
msec Specify hello interval in milliseconds
redirect Specify time-out values for failed forwarders
TRACKing is also different on GLBP, as in - it's configured in the Global Configuration mode, with a global Track Object.
ADVANTAGE: You can track 2 interfaces at once!!!
ES-MAT-AES-SR03(config)#track 1 interface fa0/0 ?
ip IP parameters <- TO TRACK IP ROUTING
line-protocol Track interface line-protocol <- TRACK IF THE INTERFACE IS DOWN
(config)#track 1 interface fa0/0 line-protocol
(config)#track 2 interface s0/1/0 line-protocol
#show track
Track 1
Interface FastEthernet0/1 line-protocol
Line protocol is Up
1 change, last change 00:02:39
Track 2
Interface Serial0/1/0 line-protocol
Line protocol is Up
1 change, last change 00:02:10
Now the TRACK OBJECTS need to be applied to the Interface where GLBP is configured (If any of the tracked interfaces go DOWN, the WEIGHT will be decremented by 10, but these values can be tuned):
ES-MAT-AES-SR03(config-if)#glbp 1 weighting track 1 <-MEMORIZE as it's a bit NON-INTUITIVE
ES-MAT-AES-SR03(config-if)#glbp 1 weighting track 2
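To tie the virtual-MAC scheme, the three load-balancing methods and the weighting/tracking behaviour together, here is an added example (not code from the page or from IOS) that models the AVG's ARP answers for the virtual IP. The group and forwarder numbers match the "sh glbp br" output above; the weights and the lower/upper thresholds are constructed assumptions (IOS lets you set them with the "glbp weighting" command), and the 10-point decrement per failed track object is the default the text mentions.

```python
"""Model of how a GLBP AVG hands out virtual MACs for the one virtual IP under
each load-balancing method, and how object tracking lowers a forwarder's
weight until it stops forwarding. Added example, not from the page; weights
and thresholds are constructed assumptions."""
import hashlib
from dataclasses import dataclass, field


def virtual_mac(group: int, forwarder: int) -> str:
    """GLBP virtual MACs are 0007.b400.GGFF: GG = group number, FF = forwarder."""
    return "0007.b400.%02x%02x" % (group, forwarder)


@dataclass
class Forwarder:
    number: int
    weight: int = 100        # "glbp N weighting <max>" default
    lower: int = 70          # assumed threshold: stop forwarding below it
    upper: int = 90          # assumed threshold: resume forwarding only above it
    forwarding: bool = True

    def adjust(self, delta: int) -> None:
        """Apply a tracking decrement (or its reversal) with hysteresis."""
        self.weight += delta
        if self.forwarding and self.weight < self.lower:
            self.forwarding = False
        elif not self.forwarding and self.weight > self.upper:
            self.forwarding = True


@dataclass
class GLBPGroup:
    group: int
    method: str = "round-robin"      # or "host-dependent" / "weighted"
    forwarders: dict = field(default_factory=dict)
    _rr: int = 0
    _credit: dict = field(default_factory=dict)

    def add(self, fwd: Forwarder) -> None:
        self.forwarders[fwd.number] = fwd

    def track_down(self, number: int, decrement: int = 10) -> None:
        self.forwarders[number].adjust(-decrement)   # default decrement is 10

    def track_up(self, number: int, decrement: int = 10) -> None:
        self.forwarders[number].adjust(+decrement)

    def answer_arp(self, src_mac: str) -> str:
        """The AVG's ARP reply for the VIP: which virtual MAC this host gets."""
        active = sorted((f for f in self.forwarders.values() if f.forwarding),
                        key=lambda f: f.number)
        if not active:
            raise RuntimeError("no active virtual forwarder in group %d" % self.group)
        if self.method == "round-robin":
            pick = active[self._rr % len(active)]
            self._rr += 1
        elif self.method == "host-dependent":
            h = int(hashlib.sha256(src_mac.lower().encode()).hexdigest(), 16)
            pick = active[h % len(active)]          # same host, same MAC every time
        elif self.method == "weighted":
            # smooth weighted round-robin: exact proportions over a sum-of-weights cycle
            for f in active:
                self._credit[f.number] = self._credit.get(f.number, 0) + f.weight
            pick = max(active, key=lambda f: self._credit[f.number])
            self._credit[pick.number] -= sum(f.weight for f in active)
        else:
            raise ValueError("unknown load-balancing method %r" % self.method)
        return virtual_mac(self.group, pick.number)


if __name__ == "__main__":
    g = GLBPGroup(group=1)
    g.add(Forwarder(1))
    g.add(Forwarder(2))
    print([g.answer_arp("aaaa.0000.000%d" % i) for i in range(4)])
    for _ in range(4):               # four tracked objects down: 100 -> 60 < lower
        g.track_down(1)
    print(g.forwarders[1].weight, g.forwarders[1].forwarding, g.answer_arp("aaaa.0000.0009"))
```

Note the hysteresis: after dropping below "lower" the forwarder does not come back the moment its weight rises above that threshold, only once it exceeds "upper", which is what keeps a flapping tracked interface from bouncing hosts between forwarders.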
It's got 1 VIRTUAL IP, and VARIOUS MACs
!!!You can have UP TO 4 ROUTERS IN A GLBP GROUP!!!
GLBP Group Members communicate using HELLOs 224.0.0.102, UDP/3222, by default Hello Timer = 3 sec
Basically there are 2 roles:
- AVG (Active Virtual Gateway) MASTER Router in charge of Assigning Virtual MAC Addresses to other Routers
and it has to know ALL the MACs of the AVFs
- AVFs (Active Virtual Forwarders) the rest of the Routers, which take AVG function if AVG dies.
sh glbp br
Interface Grp Fwd Pri State Address Active router Standby router
Fa0/0 1 - 100 Standby 10.1.1.100 10.1.1.2 local
Fa0/0 1 1 7 Active 0007.b400.0101 local -
Fa0/0 1 2 7 Listen 0007.b400.0102 10.1.1.2 -
You can tune GLBP as you like, which means that (besides all the stuff you can also do in HSRP and VRRP) you can
choose the Load Balancing method:
ES-MAT-AES-SR03(config-if)#glbp 1 load-balancing ?
host-dependent Load balance equally, source MAC determines forwarder choice
round-robin Load balance equally using each forwarder in turn
weighted Load balance in proportion to forwarder weighting (GLBP places WEIGHT on each router)
<cr>
As an additional GLBP feature, there is a REDIRECT timer, which sets the time-out for reassigning the Virtual MAC
of an AVF that has failed.
ES-MAT-AES-SR03(config-if)#glbp 1 timers ?
<1-60> Hello interval in seconds
msec Specify hello interval in milliseconds
redirect Specify time-out values for failed forwarders
TRACKing is also different in GLBP: it is configured in Global Configuration mode, with a global Track Object.
ADVANTAGE: You can track 2 interfaces at once!!!
ES-MAT-AES-SR03(config)#track 1 interface fa0/0 ?
ip IP parameters <- TO TRACK IP ROUTING
line-protocol Track interface line-protocol <- TRACK IF THE INTERFACE IS DOWN
(config)#track 1 interface fa0/0 line-protocol
(config-track)#track 2 interface s0/1/0 line-protocol
#show track
Track 1
Interface FastEthernet0/1 line-protocol
Line protocol is Up
1 change, last change 00:02:39
Track 2
Interface Serial0/1/0 line-protocol
Line protocol is Up
1 change, last change 00:02:10
Now the TRACK OBJECTS need to be applied to the Interface where GLBP is configured (if any of the tracked interfaces goes DOWN, the WEIGHT is decremented by 10, but these values can be tuned):
ES-MAT-AES-SR03(config-if)#glbp 1 weighting track 1 <-MEMORIZE as it's a bit NON-INTUITIVE
ES-MAT-AES-SR03(config-if)#glbp 1 weighting track 2
VRRP - Configure the Virtual Routing Redundancy Protocol
The VRRP configuration is similar to HSRP, with a few slight differences. For example, there are no
ACTIVE and STANDBY routers, but MASTER and BACKUP routers, as shown below:
#show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Fa0/0 1 200 3218 Y Master 172.25.12.1 172.25.12.22
Fa0/0 2 100 3609 Y Backup 172.25.12.2 172.25.12.11
TIMERS are a bit different to configure. You need to tell the Master to ADVERTISE the Hello Timer value to the Backup,
and tell the Backup to LEARN the Hello Timer from the Master:
(config-if)#vrrp 1 timers advertise 10
(config-if)#vrrp 2 timers learn
*Router is Master for VRRP Group 1, and Backup for VRRP Group 2
VRRP Authentication is configured PER GROUP using the command "vrrp X authentication text PASSWORD", and the debug
on the VRRP Pair router is as follows (before the authentication is configured on BOTH):
ES-MAT-AES-SR02#debug vrrp
*Nov 13 15:04:37.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*Nov 13 15:04:38.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*Nov 13 15:04:38.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*Nov 13 15:04:39.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*Nov 13 15:04:39.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*Nov 13 15:04:40.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*Nov 13 15:04:40.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*Nov 13 15:04:40.973: VRRP: Grp 2 sending Advertisement checksum 87E5
*Nov 13 15:04:41.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*Nov 13 15:04:41.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*Nov 13 15:04:42.001: VRRP: Grp 1 sending Advertisement checksum EBE4
ES-MAT-AES-SR02#u all
All possible debugging has been turned off
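The "incorrect authentication type 1 expected 0" lines above are the kind of state worth catching automatically rather than by eye. As an added example (not from the original post), here is a small Python parser for `debug vrrp` output, run over the lines quoted above as constructed sample input. The authentication type names are taken from the VRRPv2 header definition in RFC 2338 (0 none, 1 simple text, 2 IP AH); that IOS uses the same numbering in its debug output is an assumption, consistent with the type 1 seen once "authentication text" is configured.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Authentication type numbers as carried in the VRRPv2 header (RFC 2338).
# Assumption: IOS prints the same numbers in 'debug vrrp'.
VRRP_AUTH_TYPES = {0: "none", 1: "simple text", 2: "IP AH"}

AUTH_MISMATCH_RE = re.compile(
    r"VRRP: Grp (?P<grp>\d+) Advertisement from (?P<peer>[\d.]+) "
    r"has incorrect authentication type (?P<got>\d+) expected (?P<want>\d+)")
SENT_RE = re.compile(r"VRRP: Grp (?P<grp>\d+) sending Advertisement")


def analyse_vrrp_debug(lines: Iterable[str]) -> Dict[str, object]:
    """Summarise 'debug vrrp' output: per group, how many advertisements this
    router sent and which peers were rejected for an authentication mismatch."""
    sent: Counter = Counter()
    rejected: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        m = AUTH_MISMATCH_RE.search(line)
        if m:
            key = (m["peer"], int(m["got"]), int(m["want"]))
            rejected[int(m["grp"])][key] += 1
            continue
        m = SENT_RE.search(line)
        if m:
            sent[int(m["grp"])] += 1
    return {"sent": dict(sent),
            "rejected": {g: dict(c) for g, c in rejected.items()}}


def describe_mismatches(report: Dict[str, object]) -> List[str]:
    """One human-readable line per (group, peer, type pair) that was rejected."""
    out = []
    for grp, peers in sorted(report["rejected"].items()):
        for (peer, got, want), n in sorted(peers.items()):
            out.append(
                f"group {grp}: {n} advertisement(s) from {peer} dropped; peer sends "
                f"auth type {got} ({VRRP_AUTH_TYPES.get(got, '?')}), "
                f"this router expects {want} ({VRRP_AUTH_TYPES.get(want, '?')})")
    return out


# Constructed sample: the debug lines quoted in the post.
SAMPLE_DEBUG = """\
ES-MAT-AES-SR02#debug vrrp
*Nov 13 15:04:37.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*Nov 13 15:04:38.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*Nov 13 15:04:38.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*Nov 13 15:04:39.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*Nov 13 15:04:39.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*Nov 13 15:04:40.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*Nov 13 15:04:40.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*Nov 13 15:04:40.973: VRRP: Grp 2 sending Advertisement checksum 87E5
*Nov 13 15:04:41.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*Nov 13 15:04:41.585: VRRP: Grp 2 Advertisement from 172.25.12.1 has incorrect authentication type 1 expected 0
*Nov 13 15:04:42.001: VRRP: Grp 1 sending Advertisement checksum EBE4
ES-MAT-AES-SR02#u all
"""

if __name__ == "__main__":
    report = analyse_vrrp_debug(SAMPLE_DEBUG.splitlines())
    print(report["sent"])
    for msg in describe_mismatches(report):
        print(msg)
```

On the sample, group 1 is healthy (five advertisements sent, none rejected) while group 2 drops every advertisement from 172.25.12.1, because that peer already sends type 1 and this router still expects type 0: exactly the one-sided state the post describes before authentication is configured on BOTH routers. Keep in mind that the simple-text password guards against misconfigured neighbours joining the group, not against anyone able to read the segment; VRRPv3 (RFC 5798) removed authentication from the protocol for that reason.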
At the end the configuration on the interface will look similar to the HSRP config:
interface FastEthernet0/0
ip address 172.25.12.2 255.255.255.0
vrrp 1 description MAT1
vrrp 1 ip 172.25.12.22
vrrp 1 timers learn
vrrp 1 authentication cisco
vrrp 2 description MAT2
vrrp 2 ip 172.25.12.11
vrrp 2 timers advertise 10
vrrp 2 priority 200
end
!!!IMPORTANT DIFFERENCE between HSRP and VRRP: VRRP has Preempt enabled by default on Cisco devices!
HSRP - Configure the Hot Standby Routing Protocol
Redundancy Protocol, Cisco Proprietary.
Configuration is quite straight-forward, but there are many ways to tune it, in accordance with your needs:
interface FastEthernet0/0
ip address 172.25.25.2 255.255.255.0
standby 1 ip 172.25.25.22 <- Group 1 VIRTUAL IP Address
standby 1 timers 5 15 <- Can also be done in milliseconds using "standby 1 timers msec 250 800"
standby 1 priority 150 <- Default is 100
standby 1 preempt
standby 1 authentication Cisco
standby 1 name R2-Act
standby 2 ip 172.25.25.55
standby 2 timers 5 15
standby 2 authentication Cisco
standby 2 name R5-Act
"07-ac" is the SIGNATURE part of the Virtual MAC Address of HSRP:
#sh standby | i 07
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
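The "07-ac" signature above, like the 0007.b400.xxxx addresses in the `sh glbp br` output earlier, is a fixed layout: the virtual MAC encodes the protocol and the group number, so it can be decoded from a capture or from `show` output. As an added example, not from the post, here is a Python decoder and encoder for these layouts. The HSRPv1 and GLBP formats are the ones shown on the page; the HSRPv2 (0000.0c9f.fXXX) and VRRP (0000.5e00.01XX) layouts are not on the page and are my own addition from the protocol definitions.

```python
import re
from typing import Dict, List, Optional

# Virtual MAC layouts (Cisco dotted notation, group/forwarder fields in hex):
#   HSRPv1  0000.0c07.acXX     XX   = group (0-255)     -> the "07-ac" signature
#   HSRPv2  0000.0c9f.fXXX     XXX  = group (0-4095)    (not shown on the page)
#   VRRP    0000.5e00.01XX     XX   = VRID (1-255)      (not shown on the page)
#   GLBP    0007.b4GG.GGFF     GGGG = group, FF = forwarder number -> 0007.b400.0101

MAC_RE = re.compile(r"\b(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}\b")


def _hex12(mac: str) -> str:
    """Normalise dotted, colon or hyphen notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return digits


def decode_fhrp_mac(mac: str) -> Optional[Dict[str, object]]:
    """Identify which FHRP (and which group) a virtual MAC belongs to.
    Returns None for a MAC that is not a known FHRP virtual address."""
    d = _hex12(mac)
    if d.startswith("00000c07ac"):
        return {"protocol": "HSRPv1", "group": int(d[10:], 16)}
    if d.startswith("00000c9ff"):
        return {"protocol": "HSRPv2", "group": int(d[9:], 16)}
    if d.startswith("00005e0001"):
        return {"protocol": "VRRP", "group": int(d[10:], 16)}
    if d.startswith("0007b4"):
        return {"protocol": "GLBP", "group": int(d[6:10], 16),
                "forwarder": int(d[10:], 16)}
    return None


def expected_vmac(protocol: str, group: int, forwarder: Optional[int] = None) -> str:
    """Build the virtual MAC a given configuration should produce, so an observed
    MAC (from 'show' output or a capture) can be compared against it."""
    if protocol == "HSRPv1" and 0 <= group <= 255:
        d = f"00000c07ac{group:02x}"
    elif protocol == "HSRPv2" and 0 <= group <= 4095:
        d = f"00000c9ff{group:03x}"
    elif protocol == "VRRP" and 1 <= group <= 255:
        d = f"00005e0001{group:02x}"
    elif protocol == "GLBP" and 0 <= group <= 0xFFFF and forwarder is not None:
        d = f"0007b4{group:04x}{forwarder:02x}"
    else:
        raise ValueError(f"unsupported protocol/group: {protocol} {group}")
    return f"{d[0:4]}.{d[4:8]}.{d[8:12]}"


def find_fhrp_macs(text: str) -> List[Dict[str, object]]:
    """Scan 'show' output (or any text) for FHRP virtual MACs and decode them."""
    found = []
    for mac in MAC_RE.findall(text):
        info = decode_fhrp_mac(mac)
        if info is not None:
            found.append({"mac": mac.lower(), **info})
    return found


# Constructed sample: the 'sh glbp br' and 'sh standby' lines quoted in the post.
SAMPLE_SHOW_OUTPUT = """\
Fa0/0 1 1 7 Active 0007.b400.0101 local -
Fa0/0 1 2 7 Listen 0007.b400.0102 10.1.1.2 -
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
"""

if __name__ == "__main__":
    for entry in find_fhrp_macs(SAMPLE_SHOW_OUTPUT):
        print(entry)
```

Comparing `expected_vmac()` with what `sh standby` or `sh glbp br` reports is a quick way to confirm both routers agree on the group number; the same decoder applied to a capture tells you which FHRP groups are actually active on a segment, which is worth checking against what is supposed to be there.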
To check the current configuration, including the HSRP Status and whether
preempt is configured:
#sh standby brief
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Fa0/0 1 100 Standby 172.25.25.2 local 172.25.25.22
Fa0/0 2 200 P Active local 172.25.25.2 172.25.25.55
If you need to TRACK an interface, just add the track line, and define by how much you want to decrease the
HSRP priority in order to fail over to the HSRP Peer:
(config-if)#standby 1 track serial 0/1/0.21 60
Configuring the DHCP Server
Using a DHCP Pool configured on an IOS device is somewhat obsolete, but in cases of smaller companies where this solution is inevitable (or in a case such as mine, preparations for a CCIE exam) you should know how to configure a full DHCP server on a Cisco Router:
Step 1: Enable DHCP Server on a Device:
(config)#service dhcp
Step 2: Configure global DHCP options:
(config)#ip dhcp pool Cisco
(config-dhcp)#network 172.25.185.0 255.255.255.0 <- Network Range
(config-dhcp)#netbios-node-type h-node <- If you're using WINS, set the HYBRID TYPE
(config-dhcp)#netbios-name-server 172.25.185.253 <- WINS Server IP
(config-dhcp)#dns-server 172.25.185.200 172.25.185.201 <- Primary and Secondary IPs
(config-dhcp)#lease 3 5 <- The duration of the DHCP Lease (3 days 5 hours)
Step 3: Configure the IP Exclusions (IPs) you do not want to lease, in the Global Config mode:
(config)#ip dhcp excluded-address 172.25.185.252 172.25.185.254
Step 4: Disable the DHCP Logging of the Conflicts, because quite a few are likely to occur, and your log file can
fill up the memory:
(config)#no ip dhcp conflict logging
Step 5: Static DHCP entries must be configured IN A SEPARATE POOL!!! This is a trick that you need to know by heart because there is no other (more intuitive) way to do it. So, create another DHCP pool, and assign the host's IP and MAC address (THIS HOST WILL INHERIT THE CONFIG FROM THE DEFAULT POOL):
(dhcp-config)#host 10.184.117.37
(dhcp-config)#hardware-address 0014.2526.ef46
Check if your manual entry was configured:
#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
10.184.117.37 0014.2526.ef46 Infinite Manual
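Steps 2, 3 and 5 together decide which addresses the server can actually hand out, and step 4 switches off the log that would surface an overlap between the dynamic range and a static binding. As an added example, not from the post, here is a Python check that computes the dynamic range left after the excluded-address ranges and flags manual bindings that sit inside it. It uses the page's pool and exclusions; the extra binding 172.25.185.10 is a constructed value to show a collision.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

Range = Tuple[str, str]  # (first, last) as given to 'ip dhcp excluded-address'


def _excluded_set(excluded: Iterable[Range]) -> set:
    """Expand excluded-address ranges into a set of integer addresses."""
    out = set()
    for first, last in excluded:
        lo = int(ipaddress.ip_address(first))
        hi = int(ipaddress.ip_address(last))
        if hi < lo:
            raise ValueError(f"excluded range reversed: {first}-{last}")
        out.update(range(lo, hi + 1))
    return out


def dynamic_pool(network: str, mask: str, excluded: Iterable[Range]) -> Dict[str, object]:
    """Addresses the dynamic pool can hand out: the subnet's host addresses
    (network and broadcast are never leased) minus every excluded range."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    excl = _excluded_set(excluded)
    leasable = [str(h) for h in net.hosts() if int(h) not in excl]
    return {"network": str(net), "leasable_count": len(leasable),
            "first": leasable[0] if leasable else None,
            "last": leasable[-1] if leasable else None}


def colliding_bindings(network: str, mask: str, excluded: Iterable[Range],
                       manual_hosts: Iterable[str]) -> List[str]:
    """Manual (static-pool) bindings that fall inside the dynamic range and are
    not excluded. Those are the addresses to exclude explicitly, since with
    'no ip dhcp conflict logging' an overlap there would not show up in the log."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    excl = _excluded_set(excluded)
    return [h for h in manual_hosts
            if ipaddress.ip_address(h) in net
            and int(ipaddress.ip_address(h)) not in excl]


# Values from the post, plus one constructed binding (172.25.185.10) to show a collision.
POOL_NETWORK, POOL_MASK = "172.25.185.0", "255.255.255.0"
EXCLUDED = [("172.25.185.252", "172.25.185.254")]
MANUAL_HOSTS = ["10.184.117.37", "172.25.185.10"]

if __name__ == "__main__":
    print(dynamic_pool(POOL_NETWORK, POOL_MASK, EXCLUDED))
    print("colliding:", colliding_bindings(POOL_NETWORK, POOL_MASK, EXCLUDED, MANUAL_HOSTS))
```

With the page's values the dynamic pool is 172.25.185.1 through 172.25.185.251 (251 addresses), the manual host 10.184.117.37 lies outside that subnet and is not flagged, and the constructed 172.25.185.10 is reported because nothing excludes it from the dynamic range.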
Scalability for Stateful NAT (SNAT)
Scalability for Stateful NAT feature allows Stateful Network Address Translation (SNAT) to control the Hot Standby Router Protocol (HSRP) state change until the NAT information is completely exchanged. Reference:
http://www.cisco.com/en/US/docs/ios/12_4/12_4_mainline/snatsca.html
Step 1:
You need to create the SNAT group, and assign a unique identifier to each router within the group:
(config)#ip nat stateful id 1
Step 2:
In order to configure the Stateful Failover, you need to have HSRP previously configured. Within the stateful
NAT group configuration, assign the HSRP redundancy name to the router:
(config-ipnat-snat)#redundancy HSRP-1
Step 3:
The Active HSRP Router sends the NAT Translation to the Standby Routers. This translation is assigned an ID,
which is called "mapping-id" and it MUST BE THE SAME ON THE ENTIRE GROUP.
(config-ipnat-snat-red)#mapping-id 1
Step 4:
Consider adding features such as asymmetric queuing, or define a specific transport protocol for the redundancy group:
IP Stateful NAT Redundancy mode configuration commands:
as-queuing Disable asymmetric process for this redundancy group
exit Exit from IP Stateful NAT Redundancy config mode
mapping-id Configure mapping-id for this redundancy group
no Negate or set default values of a command
protocol Select transport protocol for this redundancy group
Step 5:
Configure the Dynamic NAT, as described in my previous posts, and just attach the configured mapping-id:
(config)#ip nat inside source route-map ROUTE_MAP_MATCHING_ACL pool INSIDE_GLOBAL mapping-id 1
Step 6:
Check the translations:
#sh ip snat distributed
Stateful NAT Connected Peers
No entries appear until you send a PING; when you do, with debugging enabled, you'll see:
*Nov 7 14:47:12.081: SNAT (Add_node): Allocated database distributed-id 1
*Nov 7 14:47:12.081: SNAT (Add_node): Init RTree for distributed-id 1
*Nov 7 14:47:12.081: SNAT (Add_node): Allocate Node for nat-id 19, Router-id 1
*Nov 7 14:47:12.081: NAT: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [271]
*Nov 7 14:47:12.081: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [271]
*Nov 7 14:47:12.085: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [272]
*Nov 7 14:47:12.085: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [272]
*Nov 7 14:47:12.085: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [273]
*Nov 7 14:47:12.085: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [273]
*Nov 7 14:47:12.089: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [274]
*Nov 7 14:47:12.089: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [274]
*Nov 7 14:47:12.089: NAT*: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [275]
*Nov 7 14:47:12.089: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [275]
Static NAT redundancy with HSRP
This approach is used when you want to configure NAT and integrate it with HSRP (enable the same NAT on all the
routers that form the HSRP group). In order to do this, it's necessary to NAME each of the HSRP groups:
Step 1: Name the already configured HSRP group:
(config-if)#standby name HSRP-1 <- HSRP Group Name is HSRP-1
Step 2: Configure NAT on the relevant interfaces
(config-if)#ip nat inside <- NAT inside interface
Step 3: Static NAT redundancy with HSRP
After you've named the HSRP group, configure the Redundancy NAT:
(config)#ip nat inside source static 10.185.117.1 152.168.13.9 redundancy HSRP-1
This means that traffic originating from the IP 10.185.117.1 will be NAT-ed into 152.168.13.9
Tests:
In this example the router 10.185.117.1 is pinging the IP 200.1.1.4. The final router (232.32.32.4) does have the route back to 152.168.13.9
When the DEBUG is done on the router, the PING done from 10.185.117.1 gives the following display:
*Nov 7 11:34:02.606: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [226]
*Nov 7 11:34:02.606: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [226]
*Nov 7 11:34:02.610: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [227]
*Nov 7 11:34:04.606: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [228]
*Nov 7 11:34:04.606: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [228]
*Nov 7 11:34:04.606: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [229]
*Nov 7 11:34:04.606: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [229]
*Nov 7 11:34:04.610: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [230]
*Nov 7 11:34:04.610: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [230]
PAR - When you need to implement traffic redirections using NAT
You can define the traffic redirection using Static Entries, but there is a trick.
For example you want all the http traffic DESTINED FOR s0/0.5 to be REDIRECTED to the IP 10.1.123.3 instead.
You can configure this by defining the static NAT:
R1(config)#ip nat inside source static tcp 10.1.123.3 80 int s0/0.5 80
Make sure you understand how this command works, because the principle is quite complicated and works a bit "upside down".
So when you telnet to R1's IP on port 80 from the router on the s0/0.5 side (R4):
R4#telnet 131.1.14.1 80
Trying 131.1.14.1, 80 ... Open
You see the following debug:
*Nov 6 15:54:48.703: NAT*: s=131.1.14.4, d=131.1.14.1->10.1.123.3 [23053] <- 131.1.14.4: Router from where we telnet
*Nov 6 15:54:48.707: NAT*: s=10.1.123.3->131.1.14.1, d=131.1.14.4 [31747] <- NATed and FWD-ed to 10.1.123.3
*Nov 6 15:54:48.735: NAT*: s=131.1.14.4, d=131.1.14.1->10.1.123.3 [23054]
*Nov 6 15:54:48.739: NAT*: s=131.1.14.4, d=131.1.14.1->10.1.123.3 [23055]
*Nov 6 15:55:48.739: NAT*: s=10.1.123.3->131.1.14.1, d=131.1.14.4 [31748]
*Nov 6 15:55:48.767: NAT*: s=131.1.14.4, d=131.1.14.1->10.1.123.3 [23056]
*Nov 6 15:56:48.763: NAT*: s=10.1.123.3->131.1.14.1, d=131.1.14.4 [31749]
*Nov 6 15:56:48.791: NAT*: s=131.1.14.4, d=131.1.14.1->10.1.123.3 [23057]
*Nov 6 15:57:12.959: NAT*: s=131.1.14.4, d=131.1.14.1->10.1.123.3 [23058]
*Nov 6 15:57:13.127: NAT*: s=131.1.14.4, d=131.1.14.1->10.1.123.3 [23059]
*Nov 6 15:57:13.155: NAT*: s=10.1.123.3->131.1.14.1, d=131.1.14.4 [31750]
*Nov 6 15:57:13.311: NAT*: s=131.1.14.4, d=131.1.14.1->10.1.123.3 [23060]
*Nov 6 15:57:13.507: NAT*: s=10.1.123.3->131.1.14.1, d=131.1.14.4 [31751]
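The `debug ip nat` lines in this post, in the Static NAT redundancy post and in the SNAT post all share one format: the field carrying `->` is the address the router rewrote, an asterisk after `NAT` marks a fast-switched packet, and `[n]` is the IP identification. As an added example serving all three sections (not code from the posts), here is a Python parser that turns those lines into records, derives the inside-local/inside-global pairs the router actually applied, compares them with the intended NAT table, and spots IDs that were only translated in one direction. The sample lines are constructed copies of the ones quoted in the posts.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# One 'debug ip nat' line. '*' after NAT = fast-switched; the field with '->'
# is the address that was rewritten; [n] is the IP identification field.
NAT_LINE_RE = re.compile(
    r"NAT(?P<fast>\*?): s=(?P<src>[\d.]+)(?:->(?P<src_x>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_x>[\d.]+))? \[(?P<ip_id>\d+)\]")

Mapping = Tuple[str, str]  # (inside local, inside global)


def parse_nat_debug(lines: Iterable[str]) -> List[Dict[str, object]]:
    records = []
    for line in lines:
        m = NAT_LINE_RE.search(line)
        if not m:
            continue
        src_x, dst_x = m["src_x"], m["dst_x"]
        records.append({
            "fast_switched": m["fast"] == "*",
            "ip_id": int(m["ip_id"]),
            "src": m["src"], "src_after": src_x or m["src"],
            "dst": m["dst"], "dst_after": dst_x or m["dst"],
            # source rewritten = inside->outside, destination rewritten = outside->inside
            "direction": "outbound" if src_x else ("inbound" if dst_x else "none"),
        })
    return records


def observed_mappings(records: List[Dict[str, object]]) -> Set[Mapping]:
    """Inside-local/inside-global pairs the router actually applied."""
    pairs = set()
    for r in records:
        if r["direction"] == "outbound":
            pairs.add((r["src"], r["src_after"]))
        elif r["direction"] == "inbound":
            pairs.add((r["dst_after"], r["dst"]))
    return pairs


def unexpected_mappings(records, allowed: Iterable[Mapping]) -> Set[Mapping]:
    """Translations seen in the debug that are not in the intended NAT table."""
    return observed_mappings(records) - set(allowed)


def unpaired_ip_ids(records) -> Set[int]:
    """IP IDs translated in only one direction. In the posts' ping samples the
    reply line carries the same [id] as the request, so an ID with no inbound
    line means the return packet never came back through the translation
    (heuristic for those samples; TCP sessions use independent IDs per side)."""
    seen = defaultdict(set)
    for r in records:
        seen[r["ip_id"]].add(r["direction"])
    return {i for i, dirs in seen.items() if len(dirs) == 1}


def process_switched(records) -> int:
    """Lines without '*': packets that took the slower process-switched path."""
    return sum(1 for r in records if not r["fast_switched"])


# Constructed samples: lines quoted in the Static NAT, PAR and SNAT posts.
STATIC_NAT_DEBUG = """\
*Nov 7 11:34:02.606: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [226]
*Nov 7 11:34:02.606: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [226]
*Nov 7 11:34:02.610: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [227]
*Nov 7 11:34:04.606: NAT*: s=10.185.117.1->152.168.13.9, d=232.32.32.4 [228]
*Nov 7 11:34:04.606: NAT*: s=232.32.32.4, d=152.168.13.9->10.185.117.1 [228]
"""
PAR_DEBUG = """\
*Nov 6 15:54:48.703: NAT*: s=131.1.14.4, d=131.1.14.1->10.1.123.3 [23053]
*Nov 6 15:54:48.707: NAT*: s=10.1.123.3->131.1.14.1, d=131.1.14.4 [31747]
"""
SNAT_DEBUG = """\
*Nov 7 14:47:12.081: NAT: s=15.10.1.1->172.25.185.1, d=10.185.117.4 [271]
*Nov 7 14:47:12.081: NAT*: s=10.185.117.4, d=172.25.185.1->15.10.1.1 [271]
"""

if __name__ == "__main__":
    recs = parse_nat_debug(STATIC_NAT_DEBUG.splitlines())
    print("mappings:", observed_mappings(recs))
    print("unpaired IDs:", unpaired_ip_ids(recs))
    print("PAR mappings:", observed_mappings(parse_nat_debug(PAR_DEBUG.splitlines())))
```

On the Static NAT sample the only pair applied is 10.185.117.1 to 152.168.13.9 and ID 227 went out without a matching return line; on the PAR sample both the inbound and the outbound line reduce to the single pair 10.1.123.3 to 131.1.14.1, which is the "upside down" mapping the command defines. Feeding the output of `unexpected_mappings()` with your intended static entries into a scheduled check is a cheap way to notice a translation you did not configure.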
PAT (NAT Overload)
Port Address Translation (PAT) means using PORTS in order to NAT various Inside Local IPs to 1 Inside Global IP.
Step 1: Create an ACL with all the Inside Local addresses:
(config)#access-list 1 permit 10.2.2.0 0.0.0.7
Step 2: There are 2 ways to configure PAT, described in Steps 2.1 and 2.2:
Step 2.1:
- Create the Inside Global IP Pool of any addresses from the Link towards the other Router:
(config)#ip nat pool OVERLOAD 10.1.1.2 10.1.1.2 prefix-length 24
- Configure the NAT Overload with the defined pool:
(config)#ip nat inside source list 1 pool OVERLOAD overload
Step 2.2:
Configure the NAT to point to the Interface you need the traffic to go out from:
(config)#ip nat inside source list 1 interface s0/1/0.21
!!! The system adds "overload" argument:
(config)#do sh run | i nat inside
ip nat inside
ip nat inside source list 1 interface Serial0/1/0.21 overload
Load Balancing using NAT
This is a configuration that I've never implemented in any production environment, but I see quite a few cases where it can be useful.
Step 1: Create a POOL of all the INSIDE IPs, and define the pool type: "type rotary":
(config)#ip nat pool TASK1 10.2.2.1 10.2.2.5 prefix-length 24 type rotary
Step 2: Define an ACL with the Inside Global IP (the one we're NAT-ing into):
(config)#access-list 1 permit 200.2.2.2
Step 3: Do the inside NAT with ACL 1 as the DESTINATION list, and the POOL of LOCAL IPs:
(config)#ip nat inside destination list 1 pool ?
WORD Pool name for local addresses
Step 4: Define the NAT inside and outside interfaces, exactly like in case of Static/Dynamic NAT:
(config)#int lo0
(config-if)#ip nat inside
(config-if)#
(config-if)#int s0/1/0.21
(config-subif)#ip nat outside
!!!Be sure that the routing is in place (both, go and return path towards the NAT-ed IP, 200.2.2.2)!!!
Step 5: Make sure that the IP NAT Translations are correct, and that the sources VARY:
#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 200.2.2.2:23 10.2.2.1:23 131.1.12.1:20186 131.1.12.1:20186
tcp 200.2.2.2:23 10.2.2.2:23 131.1.12.1:25096 131.1.12.1:25096
tcp 200.2.2.2:23 10.2.2.3:23 131.1.12.1:20389 131.1.12.1:20389
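Step 5 asks you to confirm that the inside-local sources VARY, which is easy to misread in a long translation table. As an added example (not from the post), here is a Python check that parses the `sh ip nat translations` rows quoted above (constructed copy) and reports, for the rotary pool, how many distinct pool members received sessions and whether any chosen server lies outside the configured pool range.

```python
import ipaddress
from collections import Counter
from typing import Dict, List

COLUMNS = ("proto", "inside_global", "inside_local", "outside_local", "outside_global")


def parse_nat_translations(text: str) -> List[Dict[str, str]]:
    """Parse the dynamic rows of 'show ip nat translations'. The header and any
    row that is not five columns with a known protocol is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] in ("tcp", "udp", "icmp"):
            rows.append(dict(zip(COLUMNS, parts)))
    return rows


def _ip(addr_port: str) -> str:
    """Strip the ':port' suffix from an 'a.b.c.d:port' column."""
    return addr_port.rsplit(":", 1)[0]


def rotary_report(rows: List[Dict[str, str]], inside_global: str,
                  pool_first: str, pool_last: str) -> Dict[str, object]:
    """For a 'type rotary' pool: which inside-local servers received sessions
    destined to the inside-global address, and whether each is inside the pool."""
    lo = ipaddress.ip_address(pool_first)
    hi = ipaddress.ip_address(pool_last)
    chosen: Counter = Counter()
    outside_pool = []
    for r in rows:
        if _ip(r["inside_global"]) != inside_global:
            continue
        local = _ip(r["inside_local"])
        chosen[local] += 1
        if not lo <= ipaddress.ip_address(local) <= hi:
            outside_pool.append(local)
    return {"sessions": sum(chosen.values()), "distinct_servers": len(chosen),
            "per_server": dict(chosen), "outside_pool": outside_pool}


# Constructed sample: the translation table quoted in the post.
SAMPLE_TRANSLATIONS = """\
Pro Inside global Inside local Outside local Outside global
tcp 200.2.2.2:23 10.2.2.1:23 131.1.12.1:20186 131.1.12.1:20186
tcp 200.2.2.2:23 10.2.2.2:23 131.1.12.1:25096 131.1.12.1:25096
tcp 200.2.2.2:23 10.2.2.3:23 131.1.12.1:20389 131.1.12.1:20389
"""

if __name__ == "__main__":
    rows = parse_nat_translations(SAMPLE_TRANSLATIONS)
    print(rotary_report(rows, "200.2.2.2", "10.2.2.1", "10.2.2.5"))
```

For the sample the three telnet sessions to 200.2.2.2 landed on three different pool members, all within 10.2.2.1 to 10.2.2.5, which is the result Step 5 expects; a report with `distinct_servers` of 1 after several sessions would mean the rotary pool is not rotating.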