On groupstudy they say it’s currently Windows and SecureCRT. So I have to take a look beforehand to get an idea of how this will be.
27 July 2006
22 July 2006
NAT, PAT, overload, RFC 1631
Network Address Translation
NAT was developed because of the shortage of address space on the Internet. There is no reason why hosts on a LAN should have globally reachable IP addresses, so private address space is used on the local LAN, and at the border router the addresses are translated into globally valid IP addresses. There can be many different kinds of mapping. For example, you can map a number of local LAN addresses to one global address (N -> 1), or a group of local addresses to a group of global addresses (N -> M). The special N -> 1 mapping is called „overload“ on Cisco devices, also called PAT (Port Address Translation): different inside addresses are mapped to one outside address by giving each connection its own source port on the outside. Keep in mind that NAT only rewrites addresses, it is not a packet filter: anything that matches a translation (a static entry in particular) still has to be controlled with an access list on the outside interface.
The first important thing is to understand the address mappings involved in NAT. Cisco speaks of inside local, inside global, outside local and outside global addresses.
It’s important to know these terms well.
First you have to decide which interface is outside and which is inside. The outside interface is, for example, the side connected to the WAN.
To understand this, keep in mind: local addresses are the ones seen in the inside world, global addresses are the ones seen in the outside world.
Here is a picture of these definitions and a description of a static overload definition.
Here are the definitions for the NAT router:
ip nat inside source list 1 interface Serial0/0 overload
Where Serial0/0 is the outside interface. If you want to translate to a specific outside address instead of the address of the outside interface, the `interface` keyword does not take an address; you define a pool that contains just that one address (the pool name PAT is arbitrary) and overload the pool:
ip nat pool PAT 192.168.1.1 192.168.1.1 netmask 255.255.255.0
ip nat inside source list 1 pool PAT overload
The source list is a standard access list. It selects the inside addresses that take part in port address translation:
access-list 1 permit 1.1.1.0 0.0.0.255
This allows the subnet 1.1.1.0/24 to be translated to the outside address 192.168.1.1.
Don’t forget to set on the inside interface:
interface ethernet0/0
ip nat inside
and on the outside interface:
interface serial0/0
ip nat outside
This is what is also called PAT (Port Address Translation).
The logic behind this is a little different from what happens on a Linux system, for example. In the Cisco world you sit between the interfaces; in the Linux world with iptables you concentrate on one interface and put most of the definitions there. Well, there is not that much difference, but for me it was kind of new to understand Cisco NAT.
The following solutions are possible:
static NAT:
a one-to-one mapping. One inside address is translated to one outside address, and the translation works in both directions, so the inside host becomes reachable from outside.
PAT is also possible: many inside addresses to one outside address.
dynamic NAT:
a group of inside addresses is translated to a group or pool of outside addresses.
match host:
keeps the host portion of the address when translating; only the network portion changes. For example, 1.1.1.1/16 is translated to 192.168.1.1/16.
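The four variants above in one IOS configuration, as an added example that is not part of the original post. All addresses, pool names and access-list numbers are assumptions (inside LAN 10.0.0.0/24 on Ethernet0/0, outside Serial0/0 with 203.0.113.1/24). Each dynamic rule gets its own access list so the rules do not overlap, and an inbound filter on the outside interface shows the caveat that a static translation alone exposes the inside host:

```cisco
! Added example, not from the original post. All addresses, pool names and
! ACL numbers are assumptions chosen for illustration.
interface Ethernet0/0
 description inside LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description outside / WAN
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! 1) static NAT: one inside address <-> one outside address, both directions.
!    10.0.0.10 is now reachable from the Internet as 203.0.113.10.
ip nat inside source static 10.0.0.10 203.0.113.10
!
! 2) PAT / overload: hosts 10.0.0.0-10.0.0.127 share the Serial0/0 address,
!    told apart by source port (N -> 1).
access-list 10 permit 10.0.0.0 0.0.0.127
ip nat inside source list 10 interface Serial0/0 overload
!
! 3) dynamic NAT: hosts 10.0.0.128-10.0.0.255 each get one address from a
!    pool (N -> M); when the pool is exhausted, new flows fail.
access-list 20 permit 10.0.0.128 0.0.0.127
ip nat pool DYN 203.0.113.20 203.0.113.29 netmask 255.255.255.0
ip nat inside source list 20 pool DYN
!
! 4) match-host variant of 3): the host part is kept, 10.0.0.135 would become
!    203.0.113.135. Shown commented out; it would replace the DYN rule above.
!    ip nat pool KEEPHOST 203.0.113.0 203.0.113.255 netmask 255.255.255.0 type match-host
!    ip nat inside source list 20 pool KEEPHOST
!
! NAT is not a firewall. Inbound ACLs on the outside interface are checked
! before the outside->inside translation, so they match the global addresses.
ip access-list extended OUTSIDE-IN
 remark static server: only the published ports
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 remark return traffic of outbound TCP sessions (stateless; UDP return
 remark traffic needs ip inspect / zone-based firewall, left out here)
 permit tcp any any established
 deny   ip any any log
!
! Checks: show ip nat translations
!         show ip nat statistics   (hits, misses, pool usage)
```

With the standard access lists 10 and 20 the inside half 10.0.0.0/25 is overloaded onto the interface address and the other half draws from the DYN pool; the static entry for 10.0.0.10 wins over the overload rule because static translations take precedence over dynamic ones.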
Source:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091cb9.shtml
21 July 2006
HSRP => Hot Standby Router Protocol
HSRP (Hot Standby Router Protocol) provides redundancy in case a router is no longer available, by emulating a virtual router. The virtual router is backed by as many physical routers as are configured for the group; at least two routers have to be configured for redundancy.
MHSRP is Multigroup Hot Standby Router Protocol: several HSRP groups on the same interface. It can be used for load sharing.
This configuration is an example of MHSRP.
R1 config:
interface e0
ip add 192.168.1.30 255.255.255.0
standby 1 preempt
standby 1 priority 110
standby 1 ip 192.168.1.100
standby 1 track serial0 120
standby 2 preempt
standby 2 ip 192.168.1.200
R2 config:
interface e0
standby 1 ip 192.168.1.100
standby 1 preempt
standby 2 ip 192.168.1.200
standby 2 priority 110
standby 2 preempt
standby 2 track serial0 120
Explanation:
The default HSRP priority is 100. R1 has priority 110 for group 1, so it is active for 192.168.1.100 by default; for 192.168.1.200 it is R2, which has priority 110 for group 2. The track parameter changes the priority: if the tracked serial interface goes down, the priority is decremented by the configured value. The other router, which now has the higher priority and has preempt configured, goes into the active state.
You can watch the state change „Standby -> Active“ when a serial0 interface comes back again, because preempt lets the router with the restored priority take the group back. The other side reacts with:
02:21:09: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 1 state Active -> Speak
02:21:19: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 1 state Speak -> Standby
and goes back to standby.
If a serial0 interface goes down, the other side immediately goes into the active state:
06:50:01: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 2 state Standby -> Active
and the other router reacts with:
02:22:41: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 2 state Active -> Speak
02:22:51: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 2 state Speak -> Standby
Pay attention. A real pitfall I met was that with my old 2500 router and the AUI ethernet transceiver/adapter it was not possible to configure MHSRP. There seems to be a problem with the MAC address handling. Although I could set it up, it did not work and there were no error messages, and it worked partly. But if you try to have more than one group active on the 2500, that does not work. It took me three hours; after that I replaced the 2500 with a 2600 and it worked like a charm.
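The MHSRP pair from this entry, reworked as an added example (not the original configuration) with the priority arithmetic made explicit and HSRP authentication added. The interface names Ethernet0/0 and Serial0/0, R2’s address, the track decrement of 20 and the key string are assumptions. The reason for the authentication: HSRP’s default authentication is the clear-text string „cisco“, so any host on the segment that sends Hellos with a higher priority can become active for the virtual IP and receive the LAN’s default-gateway traffic.

```cisco
! Added example, not the original post's configuration. Interface names, R2's
! address, key string and the track decrement (20) are assumptions.
! Priority arithmetic: default priority is 100. With priority 110 and a
! decrement of 20, losing Serial0/0 gives 90 < 100, so the peer preempts.
! (The original uses a decrement of 120; the result is below 100 either way.)
!
! ===== R1 =====
key chain HSRP-KEYS
 key 1
  key-string Hsrp-Lan-2006
!
interface Ethernet0/0
 ip address 192.168.1.30 255.255.255.0
 ! group 1: R1 is the preferred active router
 standby 1 ip 192.168.1.100
 standby 1 priority 110
 standby 1 preempt
 standby 1 track Serial0/0 20
 standby 1 authentication md5 key-chain HSRP-KEYS
 ! group 2: R1 stays at the default priority 100 and is standby
 standby 2 ip 192.168.1.200
 standby 2 preempt
 standby 2 authentication md5 key-chain HSRP-KEYS
!
! ===== R2 =====
key chain HSRP-KEYS
 key 1
  key-string Hsrp-Lan-2006
!
interface Ethernet0/0
 ip address 192.168.1.31 255.255.255.0
 standby 1 ip 192.168.1.100
 standby 1 preempt
 standby 1 authentication md5 key-chain HSRP-KEYS
 ! group 2: R2 is the preferred active router
 standby 2 ip 192.168.1.200
 standby 2 priority 110
 standby 2 preempt
 standby 2 track Serial0/0 20
 standby 2 authentication md5 key-chain HSRP-KEYS
!
! Load sharing: half of the hosts use 192.168.1.100 as default gateway, the
! other half 192.168.1.200. Each router is active for one group and standby
! for the other.
! Check: show standby brief   (P = preempt, state, priority, active/standby peer)
```

The same key chain has to be configured on both routers; a Hello with a wrong or missing digest is ignored, so a rogue host cannot win the election even with priority 255. Note that MD5 only authenticates the Hellos, it does not encrypt them.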
Source:
HSRP Load sharing
http://www.cisco.com/warp/public/619/7.html
HSRP Technology:
http://www.cisco.com/en/US/tech/tk648/tk362/tk321/tsd_technology_support_sub-protocol_home.html
20 July 2006
Basic OSPF details
To start up, OSPF needs a process ID. This can be confusing: it is not an autonomous system number or anything of the kind. It’s just the ID of the OSPF process running in the memory of the router, and it is only locally significant, so neighbours do not have to use the same number.
router ospf [process id]
for example:
router ospf 1
Cisco allows more than one OSPF process on the router, each with its own process ID.
Most of the OSPF commands are configured under the „router“ command. Some are configured on the „interface“ itself, for example the interface cost.
The basic network definition has three parameters:
network ip-address wildcard-mask area area-id
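A basic OSPF configuration that puts the pieces above together, as an added example that is not from the original post. The router-id, networks, cost and MD5 key are assumptions. Besides the network statements it shows the two settings a practitioner would want on any OSPF router: passive interfaces, so no Hellos are sent on user-facing LANs, and MD5 authentication, so a host on a transit link cannot inject routes; it also shows how an explicit router-id is set so it does not depend on a loopback address:

```cisco
! Added example, not from the original post. Router-ID, networks, cost and the
! MD5 key are assumptions.
router ospf 1
 ! Process ID 1 is only locally significant; the neighbour may use "ospf 7".
 ! An explicit router-id does not change when loopback addresses change.
 router-id 10.255.255.1
 ! network statements select interfaces by address and put them in an area.
 network 10.1.12.0 0.0.0.255 area 0
 network 10.1.10.0 0.0.0.255 area 0
 ! No Hellos and no adjacencies on user LANs; only the transit link is active.
 passive-interface default
 no passive-interface Ethernet0/0
 ! Every OSPF packet in area 0 must carry a valid MD5 digest.
 area 0 authentication message-digest
!
interface Ethernet0/0
 description transit link to neighbour router
 ip address 10.1.12.1 255.255.255.0
 ip ospf cost 10
 ip ospf message-digest-key 1 md5 0 Ospf-Area0-Key
!
interface Ethernet0/1
 description user LAN: advertised, but passive
 ip address 10.1.10.1 255.255.255.0
!
! Changing router-id on a running process takes effect after:
!   clear ip ospf process
! Checks: show ip ospf | include Router ID
!         show ip ospf neighbor          (state FULL once the keys match)
!         show ip ospf interface Ethernet0/0
```

The neighbour needs the same key ID and key string on its side of the link; with a mismatch the routers log authentication failures and never reach FULL, which is exactly the behaviour you want from an untrusted host on that segment.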
NTP time service
It’s defined in RFC 1305 (NTP version 3). It’s a UDP-based protocol that is used for time synchronisation with NTP servers. An NTP server can be any source speaking the time protocol; normally this server has an atomic or radio clock attached. NTP uses the stratum to describe how many NTP hops away a machine is from the reference clock: a server with the clock directly attached is stratum 1, a server that synchronises from a stratum 1 server is stratum 2, and so on. Cisco does not provide a stratum 1 server with a clock attached; normally this is a Unix daemon from www.ntp.org. Well, I just read that Cisco provides an external clock, but only as an extension kit for the Cisco 7200 series routers. I found this because there is an „ntp refclock“ variable in the IOS 12.4 documentation. You find this information here:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hcf_r/cfn_05h.htm#wp1047024
To configure an NTP server for a router:
ntp server [ip add]
The timezone is not an ntp command but a clock command:
clock timezone [WORD] +/- hours
The timezone is the difference between UTC (also called GMT) and the local time. Here in Germany in the summer it’s +2. With the variable
NTP Authentication:
Server:
ntp server [ip]
ntp authentication-key [number] md5 [password]
ntp trusted-key [number]
Client:
ntp server [ip] key [number]
ntp authentication-key [number] md5 [password]
ntp authenticate
ntp trusted-key [number]
The client only signs its requests and checks the replies for a server configured with the key keyword; without it the key is defined but never used.
It is a good idea to keep the times on routers and servers in sync. It helps a lot in identifying problems, because you can always track a problem down to a specific time in the logs of every device.
Configuring authentication does not mean other NTP clients can no longer connect to the server. You have to restrict that separately with access lists (ntp access-group).
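The timezone, client authentication and access-list points above combined into one router configuration, as an added example that is not from the original post. The server addresses 10.0.0.123/124, key 1 and its string, the LAN range and the use of Loopback0 are assumptions; the CET/CEST rules are the ones that fit Germany. It shows the part that is easy to get wrong: authentication only checks who the packets come from, while the access groups decide who may talk to the router at all.

```cisco
! Added example, not from the original post. Server addresses, key, LAN range
! and Loopback0 are assumptions; the summer-time rule is the European one.
!
! Timezone is a clock setting, not an ntp one.
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
! Stamp syslog and debug output with the synced time so logs from different
! devices can be correlated.
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
!
! Authentication: key 1 must be configured identically on the servers.
ntp authentication-key 1 md5 0 Ntp-Key-2006
ntp trusted-key 1
ntp authenticate
! "key 1" is what makes the router sign its requests and verify the replies;
! a server whose replies fail the MD5 check is never used as a time source.
ntp server 10.0.0.123 key 1 prefer
ntp server 10.0.0.124 key 1
! Stable source address, so the servers' own ACLs can match it.
ntp source Loopback0
!
! Access control is separate from authentication. As soon as any ntp
! access-group is configured, packets from sources matching none of the
! groups are dropped.
access-list 10 permit host 10.0.0.123
access-list 10 permit host 10.0.0.124
access-list 20 permit 10.1.0.0 0.0.255.255
! our upstream servers: full exchange, we accept time from them
ntp access-group peer 10
! internal LANs: may use this router as a time source, nothing more
ntp access-group serve-only 20
!
! Checks: show ntp status               ("Clock is synchronized, stratum 3 ...")
!         show ntp associations detail  (flags: configured, authenticated, sane, valid)
```

Because this router synchronises from the two servers, its own stratum is one higher than theirs, which is what the internal clients in 10.1.0.0/16 will see. Anyone else, including the Internet, gets no reply from the router’s NTP at all.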
A good source about NTP on Cisco routers:
19 July 2006
OSPF process clearing
A very helpful command to reset the current OSPF process is:
clear ip ospf process
This restarts the process and lets OSPF re-establish its adjacencies.
What I found out is that the router-id does not change when you have set up another IP address for a loopback.
But then resetting the OSPF process with the „router-id“ command is successful.
So for example, if the current router-id is 1.1.1.1 because of loopback0 with IP address 1.1.1.1 and you change the IP address of loopback0, the OSPF process does not update the router-id, not even with „clear ip ospf proc“.
„router-id“ resets the OSPF process too. So setting it and then removing it with „no router-id“ would do the trick. Anyway, you can of course set the right ID beforehand. Just to mention that. Hope I made that clear. 🙂
ip address classes
Class A: 0.0.0.0 – 127.255.255.255
Class B: 128.0.0.0 – 191.255.255.255
Class C: 192.0.0.0 – 223.255.255.255
Class D: 224.0.0.0 – 239.255.255.255
Class E: 240.0.0.0 – 255.255.255.255
private IP address ranges (RFC1918)
These are the private IP address ranges as described in RFC 1918. They are not routed on the Internet and are for private or internal use only.
10.0.0.0 – 10.255.255.255 or 10.0.0.0/8
172.16.0.0 – 172.31.255.255 or 172.16.0.0/12
192.168.0.0 – 192.168.255.255 or 192.168.0.0/16
Source:
ftp://ftp.rfc-editor.org/in-notes/rfc1918.txt