Posts under Network

DMVPN with NAT

In that case, you have to pay attention to the IPsec encapsulation mode…


http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/12-4t/sec-conn-dmvpn-12-4t-book/sec-conn-dmvpn-dt-spokes-b-nat.html

NHRP Registration

When an NHRP registration is received, the hub checks the source IP address on the encapsulating GRE/IP header of the NHRP packet with the source NBMA IP address, which is contained in the NHRP registration packet. If these IP addresses are different, then NHRP knows that NAT is changing the outer IP header source address. The hub preserves both the pre- and post-NAT address of the registered spoke.

Note

If encryption is used, then IPsec transport mode must be used to enable NHRP.


Let’s see this behavior.

1) show ip nhrp output in transport mode DMVPN.

Router-NHS#sh ip nhrp
10.10.10.1/32 via 10.10.10.2
Tunnel0 created 00:16:58, expire 01:43:02
Type: dynamic, Flags: unique registered
NBMA address: 1.1.1.1
(Claimed NBMA address: 192.168.1.1)

NHRP realizes that the IP address was changed by NAT (192.168.1.1 to 1.1.1.1).

2) show ip nhrp output in tunnel mode DMVPN.

Router-NHS#sh ip nhrp
10.10.10.1/32 via 10.10.10.2
Tunnel0 created 00:00:11, expire 01:59:49
Type: dynamic, Flags: unique registered used
NBMA address: 192.168.1.1


In case (2), NHRP believes the packet is not NATted, because the original GRE/IP header is encapsulated inside ESP and is not touched by NAT; only the new outer IP header is rewritten, and the hub never compares that one. Therefore the original local (pre-NAT) address is used as the NBMA address.
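To make the two cases concrete, here is a small Python model of what the hub compares after ESP decapsulation (an added example, not code from the original post or from Cisco). The addresses are the ones in the show output above; the packet layouts are simplified assumptions.

```python
import copy

# Constructed addresses taken from the show ip nhrp output above.
SPOKE_LOCAL = "192.168.1.1"   # spoke's own NBMA address (pre-NAT), also claimed inside the NHRP registration
NAT_PUBLIC = "1.1.1.1"        # address the NAT device rewrites the cleartext outer source to


def spoke_registration(mode):
    """Model the IPsec-protected NHRP registration the spoke sends (simplified assumption)."""
    gre_ip_header = {"src": SPOKE_LOCAL}
    nhrp = {"claimed_nbma": SPOKE_LOCAL}
    if mode == "transport":
        # ESP transport mode: the original GRE/IP header stays in the clear as the outer header,
        # only the GRE/NHRP payload is encrypted.
        return {"outer": gre_ip_header, "esp": {"gre_ip": None, "nhrp": nhrp}}
    # ESP tunnel mode: a new outer IP header is added and the whole GRE/IP packet goes inside ESP.
    return {"outer": {"src": SPOKE_LOCAL}, "esp": {"gre_ip": gre_ip_header, "nhrp": nhrp}}


def nat_rewrite(pkt):
    """A NAT device only sees, and only rewrites, the cleartext outer IP header."""
    pkt = copy.deepcopy(pkt)
    pkt["outer"]["src"] = NAT_PUBLIC
    return pkt


def hub_nhrp_check(pkt):
    """After ESP decapsulation the hub compares the source of the GRE/IP header it now
    holds with the NBMA address claimed in the NHRP registration (the check from the Cisco text)."""
    # Tunnel mode: the decrypted inner GRE/IP header. Transport mode: the outer header itself.
    gre_ip = pkt["esp"]["gre_ip"] or pkt["outer"]
    seen, claimed = gre_ip["src"], pkt["esp"]["nhrp"]["claimed_nbma"]
    if seen != claimed:
        return {"nat_detected": True, "nbma": seen, "claimed_nbma": claimed}
    return {"nat_detected": False, "nbma": seen, "claimed_nbma": None}


def register(mode):
    """Spoke -> NAT -> hub for the given IPsec encapsulation mode."""
    return hub_nhrp_check(nat_rewrite(spoke_registration(mode)))


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(mode, register(mode))
```

Transport mode yields the post-NAT NBMA address 1.1.1.1 with 192.168.1.1 recorded as the claimed address; tunnel mode yields 192.168.1.1 with no NAT detected, matching case (2).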

uRPF – Unicast Reverse Path Forwarding


interface FastEthernet 0/0
ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [list]

http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
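As an added illustration of the rx/any and allow-default keywords above (example code, not Cisco's implementation), this Python model runs a simplified uRPF decision over a constructed routing table: strict mode requires the best route back to the source to point out the receiving interface, loose mode accepts any route, and a default-route match counts only with allow-default.

```python
import ipaddress

# Constructed routing table (assumption): prefix -> egress interface.
ROUTES = {
    "10.1.0.0/16": "Fa0/0",
    "10.2.0.0/16": "Fa0/1",
    "192.0.2.0/24": "Fa0/1",
    "0.0.0.0/0": "Fa0/1",   # default route
}


def lookup(src, routes=ROUTES):
    """Longest-prefix match for the source address; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(src, ingress, mode="rx", allow_default=False, routes=ROUTES):
    """Simplified uRPF: True if a packet with source `src` arriving on `ingress` is accepted.
    mode="rx"  -> strict: the route to the source must exit via the ingress interface.
    mode="any" -> loose: any route to the source is enough.
    A match on 0.0.0.0/0 only counts when allow_default is set."""
    hit = lookup(src, routes)
    if hit is None:
        return False                       # no route back to the source: spoofed or unroutable
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "any":
        return True
    return iface == ingress


if __name__ == "__main__":
    # Constructed sample packets: (source, ingress interface)
    for src, ingress in [("10.1.5.5", "Fa0/0"), ("10.1.5.5", "Fa0/1"), ("203.0.113.9", "Fa0/1")]:
        print(src, ingress, "strict:", urpf_check(src, ingress), "loose:", urpf_check(src, ingress, "any"))
```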

ip alias with NAT

https://supportforums.cisco.com/ja/document/100311

First, the IP alias feature on a Cisco router makes the router respond to ping and the like for the configured IP address. This IP address must belong to a local network/subnet. It is configured with the command below.

ip alias
http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_a1.html#wp1027063

Alias creation in NAT handles the situation where a virtual address, such as an Inside Global or Outside Local address, lies in the same IP subnet as an interface on the router: the router creates an alias for that address and answers ARP for it.

Note that the no-alias option is disabled by default, so an alias is created by default.

No Entries in the ARP table
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094c32.shtml#ar

AutoInstall Process Flowchart

It is found in the Configuration Fundamentals Configuration Guide on CCO.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/configuration/15mt/fundamentals-15-mt-book/cf-autoinstall.html#GUID-FD029ACF-FC65-4E72-97D8-81FB2F14C6BC

About connected routes when redistributing IGP mutually

This is a very basic and fundamental issue, but I note it deliberately for my own understanding.

When you use mutual redistribution between IGPs, you need to care for connected networks.

Assuming IGP-A and IGP-B are redistributed mutually:

  • If a connected network is included in IGP-A, the connected route is redistributed into IGP-B, even though the route is not shown in the router's IP routing table as IGP-B (since it is naturally shown as connected).
  • If a connected route is NOT included in IGP-A, the route is not redistributed into IGP-B. You need to say “redistribute connected” if you want to redistribute it.

This is very simple, but sometimes it might confuse you. At least I’m confused occasionally…

Additional information:

If you do say “redistribute connected”, the rules above no longer apply. For example, when you configure “redistribute connected route-map INTERFACES”, only the interfaces permitted in the route-map are redistributed, even if other connected interfaces are included in the source IGP.


Question for something about redirect issues

If you (or I) are asked to redirect traffic somewhere:

  • Use rotary under line vty plus autocommand (for management/administration of a router or switch)
  • Use NAT on the destination address, translating to an inside host (for general redirection)

I’ll add more here if I remember or come across new ones.

rotary under line vty

We can change the Telnet service port on a router using the rotary command under the line vty configuration.

The link to this guide seems to be missing…

http://www.cisco.com/c/en/us/td/docs/ios/dial/command/reference/dia-cr-book/dia_p3.html#wp1014642

Or we can see this in the old (12.2) guide.

http://www.cisco.com/c/en/us/td/docs/ios/12_2/dial/command/reference/fdial_r/drfprshe.html#wp1096743

Table 19 Services and Port Numbers for Rotary Groups and Lines

Services Provided                        Base TCP Port for Rotaries   Base TCP Port for Individual Lines
Telnet protocol                          3000                         2000
Raw TCP protocol (no Telnet protocol)    5000                         4000
Telnet protocol, binary mode             7000                         6000
XRemote protocol                         10000                        9000


Beyond that, this is about all I could find. Note that supportforums is not treated as official Cisco documentation. That said, it is extremely rare for it to be wrong.

Changing the Telnet port number

Next, configure a change of the port number for Telnet connections. In this example only connections on port 3001 are permitted.

Router(config-line)#rotary 1

With the rotary 1 command above, connections become possible on port 23 (the default port), 3001, 5001, 7001 and 10001. The port numbers that can be used are the Base TCP Port for Rotaries values in the table, plus the value given in the rotary command.

https://supportforums.cisco.com/ja/document/12021661

ip rcmd rsh-enable

If you are asked about a kind of rsh (remote shell protocol), you can use the ip rcmd rsh-enable command to allow remote command execution on a router.

Cisco uses the abbreviation RCMD (Remote Command) to indicate both rsh and rcp.


Examples

The following example shows how to add two entries for remote users to the authentication database, and enable a router to support rsh commands from remote users:

ip rcmd remote-host Router1 172.16.101.101 rmtnetad1
ip rcmd remote-host Router1 172.16.101.101 netadmin4 enable
ip rcmd rsh-enable

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ifs/configuration/15mt/ifs-15-mt-book/ifs-file-trans.html#GUID-3E24FE38-FABA-4BF3-85C0-242746F04A1C

http://www.cisco.com/c/en/us/td/docs/ios/fundamentals/command/reference/cf_book/cf_f1.html#wp1011681

PIR = CIR × (1 + Be / Bc)

shape peak <CIR> <Bc> <Be>

maximum burst rate = shape peak rate

http://blog.ine.com/2008/08/26/understanding-the-shape-peak-command/

http://brbccie.blogspot.jp/2012/12/a-different-perspective-on-cir-pir-tc_1785.html

http://www.techexams.net/forums/ccie/46786-shape-peak-vs-shape-average.html

http://www.flashcardmachine.com/ccie-traffic-shaping.html


The router ID should match BGP and OSPF when you are using BGP synchronization

Oh, I didn’t know this restriction…

http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13753-25.html#background

If BGP synchronization is enabled, there must be a match for the prefix in the IP routing table in order for an internal BGP (iBGP) path to be considered a valid path. BGP synchronization is enabled by default in Cisco IOS® Software. If the matching route is learned from an Open Shortest Path First (OSPF) neighbor, its OSPF router ID must match the BGP router ID of the iBGP neighbor. Most users prefer to disable synchronization with use of the no synchronization BGP subcommand.

The BGP synchronization feature is not normally used these days…