BGP CONDITIONAL Advertisements - Advertise Maps

This is a pretty complex BGP issue because you really need to know the BGP philosophy and maybe even have some basic experience in programming. The trick is to change the behaviour of the BGP advertisements depending on the routes that are being learned.

Step 1:
Configure 2 Route Maps, one for the CHECK condition, and another for PREFIXES you will advertise if CHECK passes.
For example we want to CHECK if the is learned:
(config)#access-list 2 permit
(config)#route-map CHECK permit 10
(config-rmap)#match ip address 2

And ONLY if it's NOT in the routing table, we want to advertise
(config)#access-list 1 permit
(config)#route-map ADVERTISE permit 10
(config-rmap)#match ip address 1

Step 2:
Configure the advertise map and the condition in the BGP routing process:
(config)#router bgp 65545
(config-router)#neighbor advertise-map ADVERTISE ?
  exist-map      advertise prefix only if prefix is in the condition exists <- CHECK THESE OPTIONS
  non-exist-map  advertise prefix only if prefix in the condition does not exist
(config-router)#neighbor advertise-map ADVERTISE non-exist-map CHECK

Intuitively we can see that the advertise map (ADV_ROUTE_MAP, here ADVERTISE) defines the routes that will be advertised, and in this case they are advertised only if the condition defined in the non-exist map (CONDITION_ROUTE_MAP, here CHECK) is NOT satisfied, meaning only if its prefixes are NOT in the table.

Advanced BGP Features: Route Dampening

When you check the BGP prefixes using "show ip bgp", besides the status codes that have appeared so far (*, >, r) there
is another "tag" that can appear, the letter "d", which stands for DAMPED.
#show ip bgp
BGP table version is 5, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal <- CHECK THIS LINE
              r RIB-failure, S Stale

From Cisco Docs: "Route dampening is a BGP feature designed to minimize the propagation of flapping routes across
an internetwork. A route is considered to be flapping when its availability alternates repeatedly"

If you're configuring it without any parameter tuning, there is an enable command under the BGP process:
(config-router)#bgp dampening

If you want to use this feature - make sure you understand the concept of PENALTIES being "rewarded" to a route
every time it FLAPS, and make sure you're familiar with the PARAMETERS of BGP DAMPENING:
#sh ip bgp dampening parameters
 dampening 15 750 2000 60 (DEFAULT)
  Half-life time      : 15 mins       Decay Time       : 2320 secs
  Max suppress penalty: 12000         Max suppress time: 60 mins
  Suppress penalty    :  2000         Reuse penalty    : 750
1. HALF-LIFE (default 15 minutes)
Once a penalty is assigned to a route, the accumulated penalty is decreased every 5 seconds; when one half-life
expires, the accumulated penalty has been reduced by half. Default HALF-LIFE is 15 minutes, and the range is 1-45 minutes.

2. REUSE (default 750)
The route becomes REUSABLE (is advertised again) once the penalties for the flapping route go BELOW THIS VALUE. By default it's 750,
and the range is 1 to 20000.

3. SUPPRESS (default 2000)
The route is SUPPRESSED when the penalties REACH THIS VALUE. Default is 2000, and the range is 1-20000.

4. MAX-SUPPRESS-TIME (default 60 minutes)
Max time that the route can STAY SUPPRESSED. Default is 4 times the Half-Life value (60 minutes), range is 1-255 minutes.
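To see how the four parameters interact, here is an added Python model of the penalty arithmetic (written for this article, not Cisco code): it decays the penalty exponentially with the half-life, caps it at reuse x 2^(max-suppress-time / half-life), which is where the "Max suppress penalty: 12000" in the output above comes from, and reports when a route gets suppressed and when it becomes reusable. The 1000 penalty per flap is the IOS default and is assumed here; decay is modelled continuously rather than in the 5-second steps IOS uses, which changes nothing material.

```python
import math
from dataclasses import dataclass, field

FLAP_PENALTY = 1000  # penalty IOS adds to a route each time it flaps (fixed, not a tunable)


@dataclass(frozen=True)
class Dampening:
    """The four tunables of 'bgp dampening <half-life> <reuse> <suppress> <max-suppress-time>'."""
    half_life_min: float = 15
    reuse: int = 750
    suppress: int = 2000
    max_suppress_min: float = 60

    def max_penalty(self) -> float:
        # The ceiling IOS reports as 'Max suppress penalty': a route sitting at it
        # decays back to the reuse limit in exactly max_suppress_min minutes.
        return self.reuse * 2 ** (self.max_suppress_min / self.half_life_min)


@dataclass
class RouteState:
    penalty: float = 0.0
    last_update_min: float = 0.0
    suppressed: bool = False
    events: list = field(default_factory=list)  # (minute, "suppress" | "reuse")


def _decay_to(state: RouteState, now_min: float, d: Dampening) -> None:
    """Apply exponential decay since the last update; log the reuse crossing if one happened."""
    old = state.penalty
    state.penalty = old * 2 ** (-(now_min - state.last_update_min) / d.half_life_min)
    if state.suppressed and state.penalty < d.reuse:
        # Solve old * 2^(-t/half_life) = reuse for the exact crossing time.
        crossing = state.last_update_min + d.half_life_min * math.log2(old / d.reuse)
        state.events.append((round(crossing, 2), "reuse"))
        state.suppressed = False
    state.last_update_min = now_min


def flap(state: RouteState, now_min: float, d: Dampening) -> RouteState:
    """Record one flap at now_min: decay, add the penalty, cap it, check the suppress limit."""
    _decay_to(state, now_min, d)
    state.penalty = min(state.penalty + FLAP_PENALTY, d.max_penalty())
    if not state.suppressed and state.penalty >= d.suppress:
        state.suppressed = True
        state.events.append((now_min, "suppress"))
    return state


def reuse_time_min(state: RouteState, d: Dampening) -> float:
    """Minutes after the last update until a suppressed route is advertised again (0 if not suppressed)."""
    if not state.suppressed:
        return 0.0
    return d.half_life_min * math.log2(state.penalty / d.reuse)


def simulate(flap_times_min, d: Dampening = Dampening()) -> RouteState:
    """Replay a list of flap timestamps (in minutes) against a dampening configuration."""
    state = RouteState()
    for t in sorted(flap_times_min):
        flap(state, t, d)
    return state


if __name__ == "__main__":
    cfg = Dampening()  # 'dampening 15 750 2000 60', the defaults shown on the page
    print(f"max suppress penalty: {cfg.max_penalty():.0f}")
    s = simulate([0, 1, 2], cfg)  # constructed input: three flaps one minute apart
    print(f"penalty {s.penalty:.0f}, suppressed={s.suppressed}, events={s.events}")
    print(f"reusable again in {reuse_time_min(s, cfg):.1f} min")
```

A route that keeps flapping every minute pins at the 12000 ceiling, and from there the reuse time is exactly the 60-minute max-suppress-time.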

If you need to configure the BGP DAMPENING for a certain routes, use the ROUTE-MAP:
(config)#route-map DAMPEN_1
(config-route-map)#match ip add 15 <- CONFIGURE THE ROUTES YOU ARE DAMPENING IN AN ACL
(config-route-map)#set dampening 15 700 2000 60 <- SET DESIRED DAMPENING PARAMETERS

Then apply it within the BGP configuration process:
(config-router)#bgp dampening route-map DAMPEN_1

!!!This configuration can get quite complicated, so you might need to MATCH THE AS-PATH. For this you need to be
quite comfortable with META CHARACTERS (regular expressions); for example, to match prefixes originated in AS 300:
(config)#ip as-path access-list 15 permit ^300$

And then MATCH it in the route-map and SET the dampening parameters:
(config)#route-map DAMPEN_2
(config-route-map)#match as-path 15
(config-route-map)#set dampening 15 700 2000 60

BGP Peer-Session Templates

Peer-session templates are another way to make the BGP configuration easier, by avoiding repeating the same command set for every neighbor. They make your life easier if you have various neighbors to which you'd like to apply a common set of attributes.

Step 1: Define the peer-session and give it a name:
(config-router)#template peer-session MYBGP

Step 2: Assign the attributes to the peer-session:
(config-router-stmp)#version 4
(config-router-stmp)#update-source lo0
(config-router-stmp)#password Cisqueros

Step 3: If you have several groups of neighbors that all share some common settings (for example the ones defined
in the template MYBGP) but differ in others, create another template per group and inherit the first template:
(config-router)#template peer-session GROUP_1 <- FOR AS 100
(config-router-stmp)#inherit peer-session MYBGP
(config-router-stmp)#remote-as 100

(config-router)#template peer-session GROUP_2 <- FOR AS 200
(config-router-stmp)#inherit peer-session MYBGP
(config-router-stmp)#remote-as 200

Step 4: Apply the LAST defined templates (which inherited the settings of the initial template) to the RELEVANT NEIGHBORS:
(config-router)#neighbor inherit peer-session GROUP_1
(config-router)#neighbor inherit peer-session GROUP_1
(config-router)#neighbor inherit peer-session GROUP_2

Convert MAC to Link Local IPv6 Address

Check how the Link Local address has been generated from the interface MAC address using the following command:

#sh int fa0/0 | i Hard
  Hardware is Gt96k FE, address is 001e.be5d.27f0 (bia 001e.be5d.27f0)

  IPv6: FE80::21E:BEFF:FE5D:27F0
Step 1: Start with the Link-Local "signature", FE80::, the prefix of all Link Local IPv6 addresses

Step 2: The first two hex digits of the MAC (00) are replaced with 02

Step 3: Then the "" part is COPIED and PASTED as-is - 2|1E:BE|FF:FE|5D:27F0

Step 4: FFFE is inserted after this, in the MIDDLE of the MAC address, which pads the MAC's 48 bits up to the 64 bits that the interface ID needs

Step 5: The rest of the MAC follows
  So - 2 + 4HEXofMAC + FFFE + 6HEXofMAC

Now check the complete IPv6 configuration of the interface:

#sh ipv6 int fa0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21E:BEFF:FE5D:27F0
  No global unicast address is configured

  Joined group address(es):
    FF02::1 <- 0 after FF means the multicast address is PERMANENT (if it were 1 - it would be temporary)
    FF02::2 <- Subnet routers MULTICAST
    FF02::1:FF5D:27F0 <- Solicited-Node-Multicast Address
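The conversion above, as an added Python example (not from the original post): it derives the link-local address and the solicited-node multicast group from a MAC, and reverses the derivation, which is handy when you want to map an address seen in "show ipv6 neighbors" back to a hardware address. It also generalizes Step 2: the 00 to 02 change is a flip of the universal/local bit of the first byte, so a MAC that already starts with 02 yields 00.

```python
import ipaddress
import re


def parse_mac(mac: str) -> bytes:
    """Accept Cisco dotted (001e.be5d.27f0), colon or hyphen notation; return 6 raw bytes."""
    digits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: bytes) -> bytes:
    """Modified EUI-64: OUI half, FFFE in the middle, device half, with the U/L bit flipped."""
    # Step 2 of the page: 00 -> 02. Strictly this flips bit 0x02 of the first byte,
    # so a MAC that already starts with 02 comes out as 00.
    first = mac[0] ^ 0x02
    # Steps 3-5: first 3 bytes, then FFFE (pads 48 bits to 64), then the last 3 bytes.
    return bytes([first]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Step 1: the FE80::/64 prefix followed by the 64-bit EUI-64 interface ID."""
    prefix = b"\xfe\x80" + bytes(6)
    return ipaddress.IPv6Address(prefix + eui64_interface_id(parse_mac(mac)))


def solicited_node_multicast(addr) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx: the low 24 bits of the unicast address appended to FF02::1:FF00:0/104."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low24)


def mac_from_link_local(addr) -> str:
    """Reverse the derivation; raises if the interface ID was not built from a MAC (no FFFE)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface ID is not EUI-64 derived (no FFFE in the middle)")
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"  # back to Cisco dotted notation


if __name__ == "__main__":
    mac = "001e.be5d.27f0"  # the Fa0/0 MAC from the page
    ll = link_local_from_mac(mac)
    print(f"{mac} -> {str(ll).upper()}")  # FE80::21E:BEFF:FE5D:27F0
    print(f"solicited-node: {str(solicited_node_multicast(ll)).upper()}")  # FF02::1:FF5D:27F0
    print(f"reverse: {mac_from_link_local(ll)}")  # 001e.be5d.27f0
```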

IPv6 Basics

Loopback: ::1/128
Multicast: FF00::/8
Link Local: FE80::/10 - used for stateless auto-configuration, Neighbor discovery, Router discovery
FC00::/7 Unique Local, Unicast (equivalent to the IPv4 private addresses), not routable via global BGP
EUI-64 - always use the /64 addresses for all the INTERFACES
!!!(MAC can be converted into EUI-64 format to get the interface address)

ARP has been replaced with ICMPv6 Neighbor Discovery.
Inverse ARP has been removed, so for NBMA networks we need to provide a static L2-L3 mapping

TIP: before enabling IPv6 on a router and configuring the interfaces, make sure there is IPv4 connectivity

IPv6 is not enabled by default, so first enable IPv6 globally on the Router/Switch:
(config)#ipv6 unicast-routing

On a ROUTER you should enable IPv6 on an interface:
(config-if)#ipv6 enable
!!!The LINK-LOCAL address is generated from the interface's MAC address by doing "ipv6 enable"

Assign the UNICAST IPv6 address:
(config-if)#no switchport <--- DON'T FORGET on 3560 OR 3750
(config-if)#ipv6 add 12:1:1::3/64

Assign a LINK-LOCAL IPv6 Address, if you want to configure it STATICALLY:
(config-if)#ipv6 address FE80::1 link-local
!!!Be sure it starts with FE80, or you will get a message "% Invalid link-local address"

By default IPv6 has Neighbor Discovery as a L2-L3 mapping mechanism, instead of ARP. To debug it do:
#debug ipv6 nd

When you configure the "ipv6 enable" on the interface, the Link Local address is assigned:
*Nov 21 08:21:02.068: ICMPv6-ND: Sending NS for FE80::21E:BEFF:FE5D:27F0 on FastEthernet0/0
!!!NS -Neighbor Solicitation
*Nov 21 08:21:03.068: ICMPv6-ND: DAD: FE80::21E:BEFF:FE5D:27F0 is unique.
!!!FE80::21E:BEFF:FE5D:27F0 Assigned. DAD - Duplicate Address Detection confirms IP is UNIQUE!
*Nov 21 08:21:03.068: ICMPv6-ND: Sending NA for FE80::21E:BEFF:FE5D:27F0 on FastEthernet0/0
!!!NA - Neighbor Advertisement for the router's Link Local address
*Nov 21 08:21:03.068: ICMPv6-ND: Address FE80::21E:BEFF:FE5D:27F0/10 is up on FastEthernet0/0
!!!The address comes UP because no one complained

Check if the interface got the correct IPv6 Address:
#sh ipv6 int br
FastEthernet0/0            [up/up]
FastEthernet0/1            [administratively down/down]
Serial0/1/0                [up/down]
Serial0/1/1                [administratively down/down]
Serial0/2/0                [administratively down/down]

When you SHUT the local interface, the Link Local address is deleted:
*Nov 21 08:19:12.972: ICMPv6-ND: Sending Final RA on FastEthernet0/0
*Nov 21 08:19:12.984: ICMPv6-ND: STALE -> DELETE: FE80::213:60FF:FE85:AEEA

And we finally reach my favorite change in IPv6, the NEIGHBOR DISCOVERY table and its DISPLAY:
#show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
12:1:1:12::1                                0 0013.6085.aeea  STALE Fa0/0 <- UNICAST
FE80::1                                     0 0013.6085.aeea  STALE Fa0/0 <- LINK-LOCAL

OSPF Forward Address Suppression

The aim is to SUPPRESS the address of the router that originated the prefix. When the area is NSSA, and you want to CONTROL the translation of the LSA7 into LSA5, but use as the forwarding address instead of the one specified in the LSA7:
(config-router)#area 1 nssa translate type7 suppress-fa ?
  default-information-originate  Originate Type 7 default into NSSA area
  no-redistribution              No redistribution into this NSSA area
  no-summary                     Do not send summary LSA into NSSA

Before the command is applied, the external (LSA5) prefix is seen within area 0 as:
#sh ip ospf database external
            OSPF Router with ID ( (Process ID 1)
                Type-5 AS External Link States
  LS age: 557
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: (External Network Number )
  Advertising Router:
  LS Seq Number: 80000003
  Checksum: 0x1286
  Length: 36
  Network Mask: /8
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address:
        External Route Tag: 0

While after the command has been implemented, we have:
#sh ip ospf database external
            OSPF Router with ID ( (Process ID 1)
                Type-5 AS External Link States
  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 41
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: (External Network Number )
  Advertising Router:
  LS Seq Number: 80000004
  Checksum: 0x3952
  Length: 36
  Network Mask: /8
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: <- THE FORWARD ADDRESS HAS CHANGED
        External Route Tag: 0

If you add "no-summary" to this command, LSA3s are filtered, and the default route is advertised instead.
You can use a similar approach to NOT ADVERTISE THE SPECIFIC PREFIXES into the NSSA, but advertise only the default route from the ABR. In this example Area 1 is the NSSA:
(config-router)#area 1 nssa default-information-originate no-summary

Area 1 (NSSA Area) will learn the Default Route as the LSA7 (N2):
#sh ip route
Gateway of last resort is to network
O*N2 [110/1] via, 00:05:21, Serial1/0.63 is subnetted, 1 subnets

!!!Regardless of whether you're using the "nssa default-information-originate" or the "nssa no-summary" command
in the OSPF Area, the Default Route will be injected into that area. The difference is the route type:
Gateway of last resort is to network
O*IA [110/65] via, 00:04:22, Serial1/0.43

Gateway of last resort is to network
O*N2 [110/1] via, 00:00:22, Serial1/0.53 is subnetted, 1 subnets

NTP - Network Time Protocol

First there is an "old school" method of setting time on your IOS Device, which is fine if you're one of those :)
#clock set 16:50:00 15 NOVEMBER 2013
*Nov 15 16:50:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 15:50:31 UTC Fri Nov 15 2013 to 16:50:00 UTC Fri Nov 15 2013, configured from console by console.

Now, if you set this time accurately, the switch is of a new generation and you really trust it, then in order to have
the entire network synchronized (with absolutely no external NTP available), set that most awesome switch to be
the NTP master:
(config)#ntp master ?
  <1-15>  Stratum number <- STRATUM number; all DOWNSTREAM routers will have the stratum of the SERVER + their number of HOPS from it

Check what's happening:
#show ntp status
Clock is synchronized, stratum 2, reference is
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D630D0D3.99A45AAB (16:56:51.600 UTC Fri Nov 15 2013)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec

Then configure ALL the other Devices to synchronize their time based on the Awesome NTP Master Switch:
(config)#ntp server

Configure the BROADCAST on the Interfaces:
(config-if)#ntp broadcast <- On the NTP MASTER
(config-if)#ntp broadcast client <- ON NTP CLIENTS

IRDP - ICMP Router Discovery Protocol

IRDP enables routers to automatically discover the IP of their potential default gateway. It uses ICMP router advertisement and router solicitation messages.

Potential GW routers periodically announce the IP address of their IRDP-configured interface to a broadcast destination. The IRDP preference value is advertised in these messages, along with the IP address.

Step 1:
The configuration is pretty straight-forward. First you MUST turn routing off on the router that you want to discover its own GW:
(config)#no ip routing

Step 2:
IRDP Needs to be enabled on the Router:
(config)#ip gdp ?
  eigrp  Discover routers transmitting EIGRP router updates
  irdp   Discover routers transmitting IRDP router updates <- THIS ONE is the one we want here
  rip    Discover routers transmitting RIP router updates

Step 3:
Here is what needs to be defined on the interface:
 (config-if)#ip irdp <- ENABLE IRDP ON THE INTERFACE
 (config-if)#ip irdp maxadvertinterval 5 <- DEFINE THE ADVERTISING TIMERS
 (config-if)#ip irdp minadvertinterval 3
 (config-if)#ip irdp holdtime 15
 (config-if)#ip irdp preference 600 <- DEFINE THE ROUTER PREFERENCE

Step 4:
TEST by pinging the IP behind the routers that are supposedly advertising the GW
PING will work ONLY if Proxy-ARP is enabled on the IP Interface
 #sh ip inter fa0/0 | i ARP
  Proxy ARP is enabled <- THIS ONE MATTERS
  Local Proxy ARP is disabled
 #show ip route
 Gateway         Using  Interval  Priority   Interface
                 IRDP        4       600     FastEthernet0/0
                 IRDP        4       200     FastEthernet0/0

When you do a DEBUG of ICMP, you see that IRDP is using the ICMP Type 9 Code 0 messages to advertise the GW:
ES-MAT-AES-SR03#debug ip icmp
ICMP packet debugging is on
*Nov 14 16:03:08.288: ICMP: rdp advert rcvd type 9, code 0, from
*Nov 14 16:03:09.340: ICMP: rdp advert rcvd type 9, code 0, from
*Nov 14 16:03:12.288: ICMP: rdp advert rcvd type 9, code 0, from
*Nov 14 16:03:12.340: ICMP: rdp advert rcvd type 9, code 0, from
*Nov 14 16:03:16.288: ICMP: rdp advert rcvd type 9, code 0, from
*Nov 14 16:03:16.340: ICMP: rdp advert rcvd type 9, code 0, from
*Nov 14 16:03:19.340: ICMP: rdp advert rcvd type 9, code 0, from
*Nov 14 16:03:20.288: ICMP: rdp advert rcvd type 9, code 0, from
*Nov 14 16:03:23.288: ICMP: rdp advert rcvd type 9, code 0, from
*Nov 14 16:03:23.340: ICMP: rdp advert rcvd type 9, code 0, from

GLBP - Configure the Gateway Load Balancing Protocol

GLBP is different from HSRP and VRRP, as in - it's more complex and gives more possibilities, such as load balancing

!!!You can have UP TO 4 ROUTERS IN A GLBP GROUP!!!

GLBP Group Members communicate using HELLOs, UDP/3222, by default Hello Timer = 3 sec

Basically there are 2 roles:
- AVG (Active Virtual Gateway): the MASTER router, in charge of assigning virtual MAC addresses to the other routers;
it has to know ALL the MACs of the AVFs
- AVFs (Active Virtual Forwarders): the rest of the routers, which take over the AVG function if the AVG dies.

sh glbp br
Interface   Grp  Fwd Pri State    Address         Active router   Standby route
Fa0/0       1    -   100 Standby        local
Fa0/0       1    1   7   Active   0007.b400.0101  local           -
Fa0/0       1    2   7   Listen   0007.b400.0102        -

You can tune GLBP as you like, which means that (besides all the stuff you can also do in HSRP and VRRP) you can
choose the Load Balancing method:
ES-MAT-AES-SR03(config-if)#glbp 1 load-balancing ?
  host-dependent  Load balance equally, source MAC determines forwarder choice
  round-robin     Load balance equally using each forwarder in turn
  weighted        Load balance in proportion to forwarder weighting (GLBP places WEIGHT on each router)

As an additional GLBP feature, there is a REDIRECT timer, which sets the time-out for assigning the Virtual MAC
of AVF that has failed.
ES-MAT-AES-SR03(config-if)#glbp 1 timers ?
  <1-60>    Hello interval in seconds
  msec      Specify hello interval in milliseconds
  redirect  Specify time-out values for failed forwarders

TRACKing is also different on GLBP, as in - it's configured in the Global Configuration mode, with a global Track Object.
ADVANTAGE: You can track 2 interfaces at once!!!
ES-MAT-AES-SR03(config)#track 1 interface fa0/0 ?
  ip             IP parameters <- TO TRACK IP ROUTING
  line-protocol  Track interface line-protocol <- TRACK IF THE INTERFACE IS DOWN

(config)#track 1 interface fa0/0 line-protocol
(config-track)#track 2 interface s0/1/0 line-protocol

#show track
Track 1
  Interface FastEthernet0/1 line-protocol
  Line protocol is Up
    1 change, last change 00:02:39
Track 2
  Interface Serial0/1/0 line-protocol
  Line protocol is Up
    1 change, last change 00:02:10

Now the TRACK OBJECTS need to be applied to the Interface where GLBP is configured (If any of the tracked interfaces go DOWN, the WEIGHT will be decremented by 10, but these values can be tuned):
ES-MAT-AES-SR03(config-if)#glbp 1 weighting track 1 <- MEMORIZE as it's a bit NON-INTUITIVE
ES-MAT-AES-SR03(config-if)#glbp 1 weighting track 2

VRRP - Configure the Virtual Routing Redundancy Protocol

The VRRP configuration is similar to HSRP, with a few slight differences. For example, there are no
ACTIVE and STANDBY, but MASTER and BACKUP routers, as shown below:
#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Fa0/0              1   200 3218       Y  Master
Fa0/0              2   100 3609       Y  Backup

TIMERS are a bit different to configure. You need to tell Master to ADVERTISE the Hello Timer value to the Backup,
and tell the Backup to LEARN the Hello Timer from the Master:
(config-if)#vrrp 1 timers advertise 10
(config-if)#vrrp 2 timers learn
*Router is Master for VRRP Group 1, and Backup for VRRP Group 2

VRRP Authentication is configured PER GROUP using the command "vrrp X authentication text PASSWORD", and the debug
on the VRRP Pair router is as follows (before the authentication is configured on BOTH):
ES-MAT-AES-SR02#debug vrrp
*Nov 13 15:04:37.585: VRRP: Grp 2 Advertisement from has incorrect authentication type 1 expected 0
*Nov 13 15:04:38.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*Nov 13 15:04:38.585: VRRP: Grp 2 Advertisement from has incorrect authentication type 1 expected 0
*Nov 13 15:04:39.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*Nov 13 15:04:39.585: VRRP: Grp 2 Advertisement from has incorrect authentication type 1 expected 0
*Nov 13 15:04:40.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*Nov 13 15:04:40.585: VRRP: Grp 2 Advertisement from has incorrect authentication type 1 expected 0
*Nov 13 15:04:40.973: VRRP: Grp 2 sending Advertisement checksum 87E5
*Nov 13 15:04:41.001: VRRP: Grp 1 sending Advertisement checksum EBE4
*Nov 13 15:04:41.585: VRRP: Grp 2 Advertisement from has incorrect authentication type 1 expected 0
*Nov 13 15:04:42.001: VRRP: Grp 1 sending Advertisement checksum EBE4
ES-MAT-AES-SR02#u all
All possible debugging has been turned off

At the end the configuration on the interface will look similar to the HSRP config:
interface FastEthernet0/0
 ip address
 vrrp 1 description MAT1
 vrrp 1 ip
 vrrp 1 timers learn
 vrrp 1 authentication cisco
 vrrp 2 description MAT2
 vrrp 2 ip
 vrrp 2 timers advertise 10
 vrrp 2 priority 200

!!!IMPORTANT DIFFERENCE between HSRP and VRRP: VRRP has Preempt enabled by default on Cisco devices!

HSRP - Configure the Hot Standby Routing Protocol

Redundancy Protocol, Cisco Proprietary.
Configuration is quite straight-forward, but there are many ways to tune it, in accordance with your needs:
interface FastEthernet0/0
 ip address
 standby 1 ip <- Group 1 VIRTUAL IP Address
 standby 1 timers 5 15 <- Can also be done in milliseconds using "standby 1 timers msec 250 800"
 standby 1 priority 150 <- Default is 100
 standby 1 preempt
 standby 1 authentication Cisco
 standby 1 name R2-Act
 standby 2 ip
 standby 2 timers 5 15
 standby 2 authentication Cisco
 standby 2 name R5-Act

"07-ac" is the SIGNATURE part of the Virtual MAC Address of HSRP:
#sh standby | i 07
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)

To check the current configuration, including the HSRP Status and whether
preempt is configured:
#sh standby brief
                     P indicates configured to preempt.
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       1   100    Standby      local 
Fa0/0       2   200  P Active   local 

If you need to TRACK an interface, just add the interface line, and define for how much you want to decrease the
HSRP priority in order to fail over to the HSRP Peer:
(config-if)#standby 1 track serial 0/1/0.21 60

Configuring the DHCP Server

Using a DHCP pool configured on an IOS device is somewhat obsolete, but in cases of smaller companies where this solution is inevitable (or in a case such as mine, preparations for a CCIE exam) - you should know how to configure a full DHCP server on a Cisco Router:

Step 1: Enable DHCP Server on a Device:
(config)#service dhcp

Step 2: Configure global DHCP options:
(config)#ip dhcp pool Cisco
(config-dhcp)#network <- Network Range
(config-dhcp)#netbios-node-type h-node <- If you're using WINS, set the HYBRID TYPE
(config-dhcp)#netbios-name-server <- WINS Server IP
(config-dhcp)#dns-server <- Primary and Secondary IPs
(config-dhcp)#lease 3 5 <- The duration of the DHCP Lease (3 days 5 hours)

Step 3: Configure the IP Exclusions (IPs) you do not want to lease, in the Global Config mode:
(config)#ip dhcp excluded-address

Step 4: Disable the DHCP logging of conflicts, because quite a few are likely to occur, and your log file can
fill up the memory:
(config)#no ip dhcp conflict logging

Step 5: Static DHCP entries must be configured IN A SEPARATE POOL!!! This is a trick that you need to know by heart because there is no other (more intuitive) way to do it. So - create another DHCP pool, and assign the host's IP and MAC address (THIS HOST WILL INHERIT THE CONFIG FROM THE DEFAULT POOL):
(dhcp-config)#hardware-address 0014.2526.ef46

Check if your manual entry was configured:
#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
                    0014.2526.ef46          Infinite                Manual

Scalability for Stateful NAT (SNAT)

Scalability for Stateful NAT feature allows Stateful Network Address Translation (SNAT) to control the Hot Standby Router Protocol (HSRP) state change until the NAT information is completely exchanged. Reference:

Step 1:
You need to create the SNAT group, and assign a unique identifier to each router within the group:
(config)#ip nat stateful id 1

Step 2:
In order to configure the Stateful Failover, you need to have HSRP previously configured. Within the stateful
NAT group configuration, assign the HSRP redundancy name to the router:
(config-ipnat-snat)#redundancy HSRP-1

Step 3:
The Active HSRP Router sends the NAT Translation to the Standby Routers. This translation is assigned an ID,
which is called "mapping-id" and it MUST BE THE SAME ON THE ENTIRE GROUP.
(config-ipnat-snat-red)#mapping-id 1

Step 4:
Consider adding features such as asymmetric queuing, or define a specific transport protocol for the redundancy group:
IP Stateful NAT Redundancy mode configuration commands:
  as-queuing  Disable asymmetric process for this redundancy group
  exit        Exit from IP Stateful NAT Redundancy config mode
  mapping-id  Configure mapping-id for this redundancy group
  no          Negate or set default values of a command
  protocol    Select transport protocol for this redundancy group

Step 5:
Configure the Dynamic NAT, as described in my previous posts, and just attach the configured mapping-id:
(config)#ip nat inside source route-map ROUTE_MAP_MATCHING_ACL pool INSIDE_GLOBAL mapping-id 1

Step 6:
Check the translations
#sh ip snat distributed

Stateful NAT Connected Peers

No entries will appear until you perform a PING; when you do, with a debug running, you'll see:
*Nov  7 14:47:12.081: SNAT (Add_node): Allocated database distributed-id 1
*Nov  7 14:47:12.081: SNAT (Add_node): Init RTree for distributed-id 1
*Nov  7 14:47:12.081: SNAT (Add_node): Allocate Node for nat-id 19, Router-id 1
*Nov  7 14:47:12.081: NAT: s=>, d= [271]
*Nov  7 14:47:12.081: NAT*: s=, d=> [271]
*Nov  7 14:47:12.085: NAT*: s=>, d= [272]
*Nov  7 14:47:12.085: NAT*: s=, d=> [272]
*Nov  7 14:47:12.085: NAT*: s=>, d= [273]
*Nov  7 14:47:12.085: NAT*: s=, d=> [273]
*Nov  7 14:47:12.089: NAT*: s=>, d= [274]
*Nov  7 14:47:12.089: NAT*: s=, d=> [274]
*Nov  7 14:47:12.089: NAT*: s=>, d= [275]
*Nov  7 14:47:12.089: NAT*: s=, d=> [275]

Static NAT redundancy with HSRP

This approach is used when you want to configure NAT and integrate it with HSRP (enable the same NAT on all the
routers that form the HSRP group). In order to do this, it's necessary to NAME each of the HSRP groups:

Step 1: Name the already configured HSRP group:
(config-if)#standby name HSRP-1 <- HSRP Group Name is HSRP-1

Step 2: Configure NAT on the relevant interfaces
(config-if)#ip nat inside <- NAT inside interface

Step 3: Static NAT redundancy with HSRP
After you've named the HSRP group, configure the Redundancy NAT:
(config)#ip nat inside source static redundancy HSRP-1

This means that the traffic originated from the IP will be NAT-ed into

In this example the router is pinging the IP The final router ( does have the route back to
When the DEBUG is done on the router, the PING done from gives the following display:
*Nov  7 11:34:02.606: NAT*: s=>, d= [226]
*Nov  7 11:34:02.606: NAT*: s=, d=> [226]
*Nov  7 11:34:02.610: NAT*: s=>, d= [227]
*Nov  7 11:34:04.606: NAT*: s=>, d= [228]
*Nov  7 11:34:04.606: NAT*: s=, d=> [228]
*Nov  7 11:34:04.606: NAT*: s=>, d= [229]
*Nov  7 11:34:04.606: NAT*: s=, d=> [229]
*Nov  7 11:34:04.610: NAT*: s=>, d= [230]
*Nov  7 11:34:04.610: NAT*: s=, d=> [230]

PAR - When you need to implement traffic redirections using NAT

You can define the traffic redirection using Static Entries, but there is a trick.
For example you want all the http traffic DESTINED FOR s0/0.5 to be REDIRECTED to the IP instead.
You can configure this by defining the static NAT:
R1(config)#ip nat inside source static tcp 80 int s0/0.5 80

Make sure you understand how this command works, because it's a somewhat tricky principle: it works a bit "upside down".

So when you try to telnet to R1's IP on port 80, from the router on the s0/0.5 side (R4):
R4#telnet 80
Trying, 80 ... Open

You see the following debug:

*Nov  6 15:54:48.703: NAT*: s=, d=> [23053] <- Router from where we telnet
*Nov  6 15:54:48.707: NAT*: s=>, d= [31747] <- NAT-ed and forwarded to
*Nov  6 15:54:48.735: NAT*: s=, d=> [23054]
*Nov  6 15:54:48.739: NAT*: s=, d=> [23055]
*Nov  6 15:55:48.739: NAT*: s=>, d= [31748]
*Nov  6 15:55:48.767: NAT*: s=, d=> [23056]
*Nov  6 15:56:48.763: NAT*: s=>, d= [31749]
*Nov  6 15:56:48.791: NAT*: s=, d=> [23057]
*Nov  6 15:57:12.959: NAT*: s=, d=> [23058]
*Nov  6 15:57:13.127: NAT*: s=, d=> [23059]
*Nov  6 15:57:13.155: NAT*: s=>, d= [31750]
*Nov  6 15:57:13.311: NAT*: s=, d=> [23060]
*Nov  6 15:57:13.507: NAT*: s=>, d= [31751]

PAT (NAT Overload)

Port Address Translation (PAT) means using PORTS in order to NAT various Inside Local IPs to 1 Inside Global IP.

Step 1: Create an ACL with all the Inside Local addresses:
 (config)#access-list 1 permit

Step 2: There are 2 ways to configure PAT, described in Steps 2.1 and 2.2:

Step 2.1: 
- Create the Inside Global IP Pool of any addresses from the Link towards the other Router:
 (config)#ip nat pool OVERLOAD prefix-length 24

- Configure the NAT Overload with the defined pool:
 (config)#ip nat inside source list 1 pool OVERLOAD overload

Step 2.2:
Configure the NAT to point to the Interface you need the traffic to go out from:
 (config)#ip nat inside source list 1 interface s0/1/0.21

!!! The system adds "overload" argument:
 (config)#do sh run | i nat inside
  ip nat inside
  ip nat inside source list 1 interface Serial0/1/0.21 overload

Load Balancing using NAT

This is a configuration that I've never implemented in any production environment, but I see quite a few cases where it can be useful.

Step 1: Create a POOL of all the INSIDE IPs, and define the pool type: "type rotary":
 (config)#ip nat pool TASK1 prefix-length 24 type rotary

Step 2: Define an ACL with the Inside Global IP (the one we´re NAT-ing into):
 (config)#access-list 1 permit

Step 3: Do the inside NAT with ACL 1 as the DESTINATION list, and the POOL of LOCAL IPs:
 (config)#ip nat inside destination list 1 pool ?
   WORD  Pool name for local addresses

Step 4: Define the NAT inside and outside interfaces, exactly like in case of Static/Dynamic NAT:
 (config)#int lo0
 (config-if)#ip nat inside
 (config-if)#int s0/1/0.21
 (config-subif)#ip nat outside

!!!Be sure that the routing is in place (both the forward and the return path towards the NAT-ed IP)!!!

Step 5: Make sure that the IP NAT Translations are correct, and that the sources VARY:
 #sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
