Saturday, May 29, 2010

INE Workbook Vol 1 IP Services

The first topic is proxy ARP. Pretty simple logic overall, but there was one item I didn't know about - ip local-proxy-arp. This means that the router will run proxy-arp for the locally connected segment, which isn't usually the case because the hosts are directly connected. INE showcased this by using 'switchport protected' on the switchports to show that the only way to get the devices on VL146 to talk was to enable local proxy-arp on one of the nodes. Now pinging between the two protected ports is possible, as the one in the middle will do proxy-arp and respond with its own MAC address.

With DHCP, configure the following to disable the BOOTP server and ignore requests.


R6(config)#ip dhcp bootp ignore 
R6(config)#no ip bootp server

To configure a host to use its MAC address only as the DHCP client-id, issue the following:


R1(config)#int f0/0
R1(config-if)#ip address dhcp client-id fastEthernet 0/0

Verify with 'show dhcp lease' on the client. Remember, 01 is added to the client-id, so if your mac address was c200.05c5.0000, the client-id would be 01c2.0005.c500.00.

PPP and address assignment is still something I need to work on (including PPPoE). On the 'client' side, add 'ip address negotiated'. Optionally, you can also request the netmask and the dns addresses. With the DHCP On-Demand Pool, you can import IPCP parameters.


ip dhcp pool ODAP_POOL
   import all
   origin ipcp
interface Serial0/1
 ip address negotiated
 ip rip advertise 10
 encapsulation ppp
 no peer neighbor-route
 clock rate 64000
 ppp ipcp dns request
 ppp ipcp mask request

On the flip side, configure the other side like so...


interface Serial1/2
 ip address 155.1.13.3 255.255.255.0
 ip rip advertise 10
 encapsulation ppp
 no peer neighbor-route
 peer default ip address 155.1.13.1
 serial restart-delay 0
 clock rate 64000
 ppp ipcp dns 155.1.146.4 155.1.146.6
 ppp ipcp mask 255.255.255.0

A word of caution when doing IGP routing w/ PPP. You will obviously have a host route (unless you disable it) that will be injected into the IGP routing domain (depending on protocol and network advertisements). Also watch out since each end of the PPP link will be a /32 and the IGP neighbors will see updates that are NOT on the connected subnet.

DHCP proxy w/ PPP was interesting. On the client side, you do the same - 'ip address negotiated', again disabling the neighbor-route to preserve IGP functionality. On the 'server' side, just do a 'peer default ip address dhcp' instead of actually assigning an IP. Next, you need to create a default IP address pool using the proxy-client feature. Now tell the router where the DHCP server is located (instead of the helper-address). Everything should work, but the DHCP server will not have a route back to the host until IP is negotiated. So now you must add static routes to go around the host that will be assigned the IP address. Not really difficult, just new!


ip address-pool dhcp-proxy-client
ip dhcp-server 155.1.146.6
interface Serial1/3
 ip address 155.1.23.3 255.255.255.0
 ip rip advertise 10
 encapsulation ppp
 no peer neighbor-route
 peer default ip address dhcp
 serial restart-delay 0
 clock rate 64000


In summary, one host can proxy requests for another. Adding this to my list of things to revisit!

On to Option 82. To enable, you must first enable globally - 'ip dhcp relay information option'. Optionally you can set the subscriber-id per link.


interface FastEthernet0/0
 ip dhcp relay information option subscriber-id VLAN58
 ip address 155.1.58.5 255.255.255.0
 ip helper-address 150.1.6.6


On the DHCP server side, this is where 'classes' come into play. Create a class, select the relay agent information option (option 82) and then enter the HEX relay-information. How do you get the hex information? With a debug dump w/ DHCP matching ACL. Find the ASCII subscriber-id string (you did set that right?). The information option starts with decimal value 82 (hex 0x52), followed by the total option length (0x16). Following that are the suboptions. Whew. What a task...I really didn't think this would be that difficult.


ip dhcp pool VL58
   network 155.1.58.0 255.255.255.0
   default-router 155.1.58.5 
   class TEST
      address range 155.1.58.8 155.1.58.8
ip dhcp class TEST
   relay agent information
      relay-information hex 020c020a00009b013a05000000000606564c414e3538
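As an added example (not from the post or the INE workbook), the two DHCP encodings described above in Python: building the client-id IOS derives from a MAC ('01' plus the MAC, in dotted form), and decoding the option 82 payload string that 'relay-information hex' takes so the subscriber-id can be read back and the 0x16 length byte checked. The sample values are the post's own.

```python
# Added example, not the post's or INE's code. Suboption codes 1, 2 and 6
# are the standard relay-agent-information suboptions (circuit-id,
# remote-id, subscriber-id); the sample MAC and hex string are the post's.
SUBOPTION_NAMES = {1: "circuit-id", 2: "remote-id", 6: "subscriber-id"}


def dotted(hexstr: str) -> str:
    """Render a hex string in IOS dotted form (groups of four hex digits)."""
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def dhcp_client_id(mac: str) -> str:
    """Client-id used with 'ip address dhcp client-id <iface>': hardware
    type 01 (Ethernet) prepended to the 6-byte MAC, in IOS dotted notation."""
    raw = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    return dotted("01" + raw.hex())


def parse_relay_info(hexstr: str) -> dict:
    """Decode the option 82 payload (the bytes after the 0x52 code and the
    length byte) into {name: bytes}; unknown suboptions are keyed by number."""
    data = bytes.fromhex(hexstr)
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated suboption header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"suboption {code} claims {length} bytes, has {len(value)}")
        out[SUBOPTION_NAMES.get(code, code)] = value
        i += 2 + length
    return out


def option82_length(hexstr: str) -> int:
    """The total-length byte that follows 0x52 on the wire for this payload."""
    return len(bytes.fromhex(hexstr))


if __name__ == "__main__":
    sample = "020c020a00009b013a05000000000606564c414e3538"
    print(dhcp_client_id("c200.05c5.0000"))               # 01c2.0005.c500.00
    print(parse_relay_info(sample)["subscriber-id"].decode())  # VLAN58
    print(hex(option82_length(sample)))                     # 0x16
```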

Something pretty easy - you can have DHCP update ARP. Then you can allow only authorized ARP entries on the interface, thus disabling dynamic ARP learning.


ip dhcp pool VL146
   network 155.1.146.0 255.255.255.0
   default-router 155.1.146.4 155.1.146.6
   dns-server 155.1.146.4 155.1.146.6 
   lease 0 12
   update arp
ip dhcp pool R1
   host 155.1.146.11 255.255.255.0
   client-identifier 01c2.0005.c500.00
   update arp
interface FastEthernet0/0.146
 encapsulation dot1Q 146
 ip address 155.1.146.6 255.255.255.0
 ip rip advertise 10
 arp authorized


If not all hosts are DHCP, you need to statically add their ARP entries (hardware type is required, and the MAC here is a placeholder): 'arp 155.1.146.4 1234.5678.90ab arpa'.


IP SLA, VRRP and HSRP are all pretty simple. GLBP can be slightly more difficult, only because of the load-balancing aspect to it. The weighting always trips me up, but to do a 2:1 ratio, just do the following:



R4(config-if)#glbp 146 weighting 20
R4(config-if)#glbp 146 load-balancing weighted


R6(config-subif)#glbp 146 weighting 10
R6(config-subif)#glbp 146 load-balancing weighted

With the above configuration, you will achieve the 2:1 ratio since R4 has a higher weighting. Weighting does not affect the round-robin method or the host-dependent method.


IRDP is pretty easy, I just always forget the client command 'ip gdp irdp'. Moving on to NAT...


The NAT no-alias option removes the proxy-arp ability from the NAT entries. When you do NAT, the router making the translations will proxy-arp for the NAT'd addresses. You can verify with the 'show ip alias' command. Adding the no-alias option means the proxy-arp will not happen, and you will not be able to ping that static TCP PAT address.


Overlapping addressing w/ NAT was interesting. The requirement said that only one host would complete NAT. So R1 was configured like so...



interface Loopback1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route 11.0.0.0 255.255.255.0 Null0
ip route 22.0.0.0 255.255.255.0 Serial0/1
!
ip nat pool NET22 22.0.0.1 22.0.0.254 prefix-length 24
ip nat inside source static network 10.0.0.0 11.0.0.0 /24
ip nat outside source list NET10 pool NET22

The static route to Null0 was required because NAT will first do a route table lookup before performing any translations. We simply translate 10.x.x.x to 11.x.x.x, and on the incoming side we translate 10.x.x.x to 22.x.x.x so that R1 'hides' its 10.x.x.x network (which overlaps with R2). So packets appear to come in with a destination of 11.0.0.1 and a source of 22.0.0.x.

On to TCP Load balancing. This requires the ip nat inside destination command. Pretty easy to understand - I can just never construct the proper NAT entries for some reason. I guess I get confused by items such as 'ip nat source' and 'ip nat inside|outside source'.


interface FastEthernet0/0
 ip address 155.1.58.5 255.255.255.0
 ip nat outside
interface Serial0/0
 ip address 155.1.0.5 255.255.255.0
 ip nat inside
ip nat pool ROTARY prefix-length 24 type rotary
 address 155.1.0.1 155.1.0.1
 address 155.1.0.2 155.1.0.2
 address 155.1.0.3 155.1.0.3
ip nat inside destination list LOAD_BALANCE pool ROTARY
ip access-list extended LOAD_BALANCE
 permit tcp any host 155.1.58.55 eq telnet


So now connecting to telnet via 155.1.58.55 will load-balance between R1, R2 and R3.

When doing stateful nat, without HSRP - configure the routers like so...



R4

ip nat Stateful id 1
  backup 155.1.146.4
   peer 155.1.146.6
   mapping-id 1
ip nat pool TST 155.1.254.1 155.1.254.254 prefix-length 24
ip nat inside source list Net155 pool TST mapping-id 1

R6


ip nat Stateful id 2
  primary 155.1.146.6
   peer 155.1.146.4
   mapping-id 1
ip nat pool TST 155.1.254.1 155.1.254.254 prefix-length 24
ip nat inside source list Net155 pool TST mapping-id 1

I always get confused between primary, backup and peer. Should each one have a primary and backup entry? Should they both include peer statements? The above configuration is correct.

I finally found the use for the NAT Virtual Interface.


R5(config)# int s0/0
R5(config-if)#ip nat enable 
R5(config-if)#int s0/1
R5(config-if)#ip nat en
R5(config-if)#int f0/0
R5(config-if)#ip nat en
R5(config-if)#ip access-list st VLAN8
R5(config-std-nacl)#permit 155.1.8.0 0.0.0.255
R5(config-std-nacl)#exi
R5(config)#ip nat pool NVI_POOL 155.1.188.1 155.1.188.254 prefix-length 24 
  accounting  Specify the accounting
  add-route   Add special route to Virtual Interface
  arp-ping    WLAN ARP Ping
  type        Specify the pool type
  


R5(config)#$ NVI_POOL 155.1.188.1 155.1.188.254 prefix-length 24 add-route 
R5(config)#ip nat source list VLAN8 pool NVI_POOL
R5(config)#router rip
R5(config-router)#redistribute static metric 1

The NAT direction is always inside for NVI NAT. A routing lookup is performed before the translation. After the routing decision is made, the packet source is translated and then forwarded. NVI eliminates the need for a separate static route, but you still need to advertise the static into the routing domain. We also finally have a use for the 'ip nat source' command.

Extendable static NAT allows you to configure multiple static mappings for the same local or global IP address.

Well, that is it for NAT. I will say I understand NAT a lot better, and I am able to craft the solutions to the majority of the scenarios. There were some slightly tricky scenarios, but nothing really all that difficult. Moving on to the remainder of IP Services....

Ahh!!! I finally found it! How to figure out the TOS from Precedence...multiply it by 32! Precedence of 3 would be TOS 96. It's easy to turn on IP Accounting for precedence packets...'ip accounting precedence' but the regular 'show ip accounting' does not show anything. Instead you need to 'show interface s0/1 precedence'.


R6(config-if)#do sh int s0/0 prece
Serial0/0 
  Input
    Precedence 6:  34 packets, 2436 bytes
  Output
    Precedence 0:  10 packets, 1040 bytes
    Precedence 3:  5 packets, 520 bytes
    Precedence 6:  38 packets, 14457 bytes


Display mac-accounting with 'sho interface fa0/0 mac-accounting'. Enable it on the interface with 'ip accounting mac in|out'.

By default, IOS routers will forward UDP packets only for the following protocols:

  • TACACS(not TACACS+)
  • TFTP
  • BOOTP
  • TIME
  • NetBIOS NS and DG
  • DNS
Enable or disable with 'ip forward-protocol udp [protocol]'. The command 'ip directed-broadcast' will forward broadcasts to 255.255.255.255. This can be changed with 'ip broadcast-address x.x.x.x'.

With WCCP, the direction of the redirection indicates which traffic flows are redirected. You can exclude an interface from redirection with the 'ip wccp redirect exclude in|out' interface command. You can also enable outbound ACL checks with 'ip wccp outbound-acl-check'.

For WCCP version 2 to support multicast group membership, you must enable 'ip wccp [serviceID] group-listen' on the interface.

Server Load balancing. What IOS version is this supported on? Again, across all my real and dynamips routers, I don't have the 'ip slb' command. Here are the pertinent configs for directed mode. Pretty self-explanatory.

ip slb serverfarm SERVERS
     nat server (nat to the virtual IP and real IP)
     predictor roundrobin (round-robin)
     real 150.1.1.1 (IP address of real server)
          reassign 2 (reassign to another server after x failed syn packets)
          faildetect numconns 3 (detect a failed server after x number of connections)
          retry 120 (retry the server after x seconds)
          weight 1 (round-robin weighting)
          inservice (is active)
          exit
     real 150.1.2.2
          reassign 2
          faildetect numconns 3
          retry 120
          weight 2
          inservice
          exit
     real 150.1.3.3
          reassign 2
          faildetect numconns 3
          retry 120
          weight 3
          inservice
          exit
     exit
!
ip slb vserver VSERVER
     virtual 155.1.58.55 tcp telnet
     serverfarm SERVERS (must match the serverfarm name above)
     inservice
     exit

If anyone has any experience with any type of load balancer (Cisco CSS, Linux heartbeat, etc.), these commands should be very familiar. Verify with 'show ip slb vservers|serverfarms|reals|conns|stats'.

SLB dispatched mode uses layer 2 modifications only to forward packets to the real servers and does not do any layer 3 modifications. The real servers are each assigned a unique IP address and share an overlapping anycast address to accept packets to the virtual server. In dispatched mode, SLB implements a load-balancing algorithm. The weight setting actually specifies the number of connections a server can accept before moving to another server in the farm.

'ip nbar custom' and 'ip nbar port-map' are the keys to creating custom classifications, including low-level byte string match.

You can modify NetFlow sampling to, say, one in every 10 packets using a policy.

R6(config)#flow-sampler-map SAMPLER
R6(config-sampler)#mode random one-out-of 10
R6(config-sampler)#policy-map NETFLOW_MAP
R6(config-pmap)#class class-default
R6(config-pmap-c)#netflow-sampler SAMPLER
R6(config-pmap-c)#int s0/0
R6(config-if)#no ip flow egress 
R6(config-if)#service-policy output NETFLOW_MAP

The interface-level netflow configuration will override the MQC configuration so it must be disabled. 

I didn't know IOS could act as an authoritative DNS server. If you know how to run a DNS server, this should be pretty easy.

ip host cisco.com ns 155.1.146.4
ip host cisco.com ns 155.1.146.6
ip host R4.cisco.com 150.1.4.4 155.1.146.4 155.1.45.4 204.12.1.4 155.1.0.4
ip host R6.cisco.com 150.1.6.6 155.1.146.6 155.1.67.6 54.1.1.6
ip dns server
ip dns primary cisco.com soa ns.cisco.com ccie.cisco.com 21600 900 7776000 86400

The following will dampen the connection to BB1 for 30 seconds after a reload. 

R6(config-if)#dampening 30 1000 2000 60 restart 2000

The half-life is 30 seconds. The reuse penalty is 1000. The suppress penalty is 2000. The max dampen time is 60 seconds. With the 'restart' keyword, we can configure the penalty value following a restart; in this case, 2000. Since the half-life is 30 seconds, it will be down to 1000 after 30 seconds, which is the reuse penalty value.
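The penalty arithmetic behind that dampening line, as an added example (not from the post or INE). It assumes the standard IP event dampening model: the penalty decays exponentially with the configured half-life, a suppressed interface is reused once the penalty falls to the reuse value, and the penalty is capped so suppression never outlasts the max-suppress time.

```python
# Added example, not the post's or INE's code. Values are the post's
# 'dampening 30 1000 2000 60 restart 2000'; the decay model is assumed
# to be the standard exponential half-life model of IP event dampening.
import math

HALF_LIFE, REUSE, SUPPRESS, MAX_SUPPRESS, RESTART_PENALTY = 30, 1000, 2000, 60, 2000


def penalty_after(initial: float, seconds: float, half_life: float = HALF_LIFE) -> float:
    """Penalty remaining after 'seconds' of exponential decay."""
    return initial * 2 ** (-seconds / half_life)


def seconds_to_reuse(initial: float, reuse: float = REUSE,
                     half_life: float = HALF_LIFE) -> float:
    """Time until the penalty has decayed to the reuse threshold (0 if already there)."""
    if initial <= reuse:
        return 0.0
    return half_life * math.log2(initial / reuse)


def max_penalty(reuse: float = REUSE, max_suppress: float = MAX_SUPPRESS,
                half_life: float = HALF_LIFE) -> float:
    """Penalty ceiling: from here, decaying to 'reuse' takes exactly max-suppress seconds."""
    return reuse * 2 ** (max_suppress / half_life)


def suppressed(initial: float, seconds: float, suppress: float = SUPPRESS,
               reuse: float = REUSE, half_life: float = HALF_LIFE) -> bool:
    """Is a link that started at penalty 'initial' still suppressed after 'seconds'?
    Once suppressed it stays down until the penalty reaches the reuse value,
    not merely until it drops below the suppress threshold."""
    if initial < suppress:
        return False
    return penalty_after(initial, seconds, half_life) > reuse


if __name__ == "__main__":
    print(penalty_after(RESTART_PENALTY, 30))   # 1000.0
    print(seconds_to_reuse(RESTART_PENALTY))    # 30.0
    print(max_penalty())                        # 4000.0
    print(suppressed(RESTART_PENALTY, 29), suppressed(RESTART_PENALTY, 30))  # True False
```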

Whew. Nice section, as usual I picked up on a few things, reinforced some others. Things are going well. Hopefully I can tackle MPLS and Bridging/Switching next week. I'm taking a day off tomorrow and probably Monday - I need it!
