Cisco Support Community

ASK THE EXPERT- IP-ROUTING PROTOCOLS

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss IP-Routing Protocols with Cisco expert Vivek Baveja. Vivek is a CCIE in routing and switching and has over 8 years of networking experience. Feel free to post any questions relating to IP-Routing Protocols.

Vivek may not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 21. Visit this forum often to view responses to your questions and the questions of other community members.

68 REPLIES
New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

I use CISCO3620, ISDN PRI, 30 digital modems

extensions, external Radius server for win nt.

I use attributes:

Type : Service Type

Access : Service

Value : Callback Framed

Type : Service Type

Access : Service

Value : Framed

Type : Framed Protocol

Access : Service

Value : PPP

Type : Callback Number

Access : Service

Value : Callback phone number

On the CISCO 3620, during the callback process, in the IPCP authorization period the attribute callback number is sent. This attribute does not send during the IPCP authorization period for the callback process. I get this error message:

Unknown mandatory attribute callback-dialstring denied ????

--log begin

2d01h: As45 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 194.1.9.65

2d01h: As45 AAA/AUTHOR/IPCP: Processing AV service=ppp

2d01h: As45 AAA/AUTHOR/IPCP: Processing AV callback-dialstring=671921

2d01h: % AAA/AUTHOR/IPCP As45: Unknown mandatory attribute callback-dialstring denied

2d01h: As45 AAA/AUTHOR/IPCP: Authorization denied

--log end

--

Best regards

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Hello Eric,

It is difficult to troubleshoot the error without seeing the complete configuration of the router. However, the first thing I would like you to check is whether the Cisco 3620 is configured with

"aaa authorization network default group radius"

Also, I would refer you to the following two documents for more details on configuring PPP callback and AAA authorization.

1. http://www.cisco.com/warp/public/480/pppcallback_rad.html

2. http://www.cisco.com/warp/public/471/ppp-callback-aaa.html

Since I am an expert in IP Routing Protocols and this is a good question for a Remote Access engineer, I would not be able to do full justice to it here.

If the information I provided does not help, I would encourage you to post this question to the Remote-Access forum here at http://www.cisco.com/go/netpro or escalate it by opening a case with Cisco at http://www.cisco.com/cgi-bin/front.x/case_tools/caseOpen.pl and an engineer will be with you to troubleshoot the problem online.

Hope this helps

Regards

Vivek Baveja

CCIE 8218

Subject Matter Expert.

Cisco Systems Inc.

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Hi, Vivek, I have two questions:

1. How can EIGRP be used for an NBMA network? Apart from disabling split-horizon, are there any other options?

2. When I use the following commands on Cisco3640:

Interface group-async1

group-range 1 31

This will create the async interfaces in the configuration file. But after I issue the "no group-range" and "no interface group-async1" commands, the async interfaces are still in the configuration file. How can I get rid of them?

Thank you a lot.

Fujin

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Hello fujin,

Let me answer your questions one by one.

Answer Q1

It is particularly critical to configure EIGRP on NBMA interfaces correctly, because otherwise many EIGRP packets may be lost in the switched network. There are three basic rules:

1.) The traffic that EIGRP is allowed to send on a single virtual circuit (VC) cannot exceed the capacity of that virtual circuit.

2.) The total EIGRP traffic for all virtual circuits cannot exceed the access line speed of the interface.

3.) The bandwidth allowed for EIGRP on each virtual circuit must be the same in each direction.

There are three different scenarios in which NBMA interfaces are configured:

a) Pure Multipoint Configuration (No Subinterfaces)

b) Pure Point-to-Point Configuration (each VC on a separate subinterface)

c) Hybrid Configuration (point-to-point and multipoint subinterfaces)

For more comprehensive details on each configuration, refer to http://www.cisco.com/warp/customer/103/12.html#5

Typically you would need to disable split-horizon on point-to-multipoint interface configurations. To disable split-horizon for EIGRP, use the sub-interface command

"no ip split-horizon eigrp " For more details on the usage of the command, refer to http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/iprprt2/1rdeigrp.htm#xtocid1895713

There are a couple more options you can configure in EIGRP, like ip bandwidth-percent eigrp. To see a complete list of EIGRP configurable options, refer to http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/iprprt2/1rdeigrp.htm

Additionally, a very comprehensive list of documents on EIGRP is available on the Cisco site at http://www.cisco.com/cgi-bin/Support/PSP/psp_view.pl?p=Internetworking:EIGRP which you might find very handy and useful in future.

Answer Q#2

The moment you remove the group-async interface, the router creates individual async interfaces, as shown in the output below:

nas-09#sh run interface group-Async 1

Building configuration...

Current configuration:

!

interface Group-Async1

no ip address

no ip directed-broadcast

group-range 97 102

end

nas-09#conf t

Enter configuration commands, one per line. End with CNTL/Z.

nas-09(config)#no int gr 1

nas-09(config)#

00:06:52: %LINK-5-CHANGED: Interface Group-Async1, changed state to

administratively down

nas-09(config)#^Z

nas-09#sh run

Building configuration...

Current configuration:

!

version 12.0

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname maui-nas-09

!

aaa new-model

aaa accounting commands 15 default stop-only radius

!

ip subnet-zero

!

!

<<<--omitted

!

interface Async97

no ip address

no ip directed-broadcast

!

interface Async98

no ip address

no ip directed-broadcast

!

interface Async99

no ip address

no ip directed-broadcast

!

interface Async100

no ip address

no ip directed-broadcast

!

interface Async101

no ip address

no ip directed-broadcast

!

interface Async102

no ip address

no ip directed-broadcast

!

To delete these async interfaces, you can either tie them to another group-async interface or delete every individual async interface manually:

nas-09(config)#no int as 97

nas-09(config)#no int as 98

nas-09(config)#no int as 99

nas-09(config)#

00:08:34: %LINK-5-CHANGED: Interface Async97, changed state to

administratively downno int as 9

00:08:36: %LINK-5-CHANGED: Interface Async98, changed state to

administratively dow10

00:08:37: %LINK-5-CHANGED: Interface Async99, changed state to

administratively down0

nas-09(config)#no int as 101

Hope this helps

Regards

Vivek Baveja

CCIE 8218

Subject Matter Expert- IP Routing Protocols

Cisco Systems Inc.

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

At one of my sites, I am trying to replace RIP with EIGRP. I am doing the re-distribution on a "border" router that has a WAN connection between a site that is running EIGRP and a site that is running RIP. At the border router, the routes that are learned from RIP are not going out to the "EIGRP" site. I have "passive interface" configured for RIP on both sides of the WAN link. What could cause the re-distribution to fail? I have default metrics set for EIGRP and RIP.

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Hello Jamehler

The best way to troubleshoot the redistribution problem in your network is to look at the router configuration. However, I will try to explain the most probable reasons for a failure in redistribution.

There can be a number of reasons why RIP routes are not getting redistributed into the EIGRP domain.

Since RIP is a classful protocol and EIGRP is a classless routing protocol, there can be some issues in redistribution between them. For example, RIP won't advertise routes out an interface if those routes are on the same major network, but have a different mask than that particular interface. If you have a situation similar to that, please refer to http://www.cisco.com/warp/public/105/52.html for more details on how to troubleshoot this problem.

I understand that you are migrating from RIP to EIGRP. I feel there is a high probability that you are running into this problem of having the same major network, and thus the Variable Length Subnet Mask limitation of RIP is causing problems in redistribution.

Additionally, we need to also make sure that we are configuring a default-metric (which, as you said, is configured) under each routing process so as to make sure that the redistributed routes have a correct metric. Refer to http://www.cisco.com/warp/customer/105/redist.html for more details.

A complete case study about redistributing between RIP and EIGRP is available here.

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs004.htm#xtocid1232010

If all the above information and documents do not help, I would encourage you to open a case with Cisco at http://www.cisco.com/cgi-bin/front.x/case_tools/caseOpen.pl A Cisco engineer will be there with you online to help troubleshoot the problem.

Hope this helps

Regards

Vivek Baveja

CCIE 8218

Subject Matter Expert - IP Routing Protocols

Cisco Systems Inc.
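As an added illustration of the classful-boundary rule described in the answer above (example code written for this page, not from the thread or from any Cisco tool), the following Python models what RIPv1 does with a route when it sends an update out a given interface, and lists the routes a neighbour can therefore never learn. The WAN address and the route list are constructed sample values.

```python
import ipaddress


def major_network(addr: str) -> ipaddress.IPv4Network:
    """Return the classful (A/B/C) major network containing addr.

    RIPv1 carries no subnet mask, so its summarisation decisions are made
    against these class boundaries rather than the configured masks.
    """
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        prefix = 8      # class A
    elif first_octet < 192:
        prefix = 16     # class B
    else:
        prefix = 24     # class C (treated the same for anything above, in this model)
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)


def ripv1_advertisement(route: str, out_interface: str):
    """Decide what RIPv1 sends for `route` out an interface addressed `out_interface`.

    Both arguments are CIDR strings, e.g. "10.1.2.0/24" and "10.1.100.1/30".
    Returns (prefix_sent_or_None, reason). Simplified model of the classful
    rules: host routes and the default route are not considered.
    """
    r = ipaddress.IPv4Network(route, strict=False)
    i = ipaddress.IPv4Interface(out_interface)
    route_major = major_network(str(r.network_address))
    intf_major = major_network(str(i.ip))

    if route_major != intf_major:
        # Different major network: the receiver cannot know our mask, so the
        # route is summarised to its classful boundary before being sent.
        return route_major, "different major network: sent as classful summary"
    if r.prefixlen == i.network.prefixlen:
        # Same major network and the same mask as the outgoing interface: the
        # receiver applies its own interface mask and gets the right prefix.
        return r, "same major network, same mask: sent"
    # Same major network but a different mask: the receiver would apply the
    # wrong mask, so RIPv1 suppresses the route entirely.
    return None, "same major network, different mask: suppressed"


def suppressed_routes(routes, out_interface: str):
    """Routes that never leave `out_interface`; the neighbour cannot learn
    them, so there is nothing for it to redistribute into EIGRP."""
    return [r for r in routes if ripv1_advertisement(r, out_interface)[0] is None]


if __name__ == "__main__":
    # Constructed sample: the WAN link toward the border router is a /30 in
    # 10.0.0.0/8, while the RIP site's LANs are /24s in the same major network.
    wan = "10.1.100.1/30"
    rip_site_routes = ["10.1.2.0/24", "10.1.3.0/30", "192.168.5.0/24"]
    for route in rip_site_routes:
        sent, why = ripv1_advertisement(route, wan)
        print(f"{route:16} -> {str(sent):16} {why}")
    print("never advertised:", suppressed_routes(rip_site_routes, wan))
```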

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

I am currently working out a solution where I have two 2600 Series routers connected through a point-to-point T-1. We will also be giving access to Internet resources through one of these routers (fractional T-1) for our network users. We will also be permitting Exchange services through the Internet point for all users on our network.

Router (A) is going to be the router that routes to the remote office and provides the route to the Internet. It will also be hosting routable IP(s) for Exchange services and other services as needed. Router (B) will be at the remote location permitting access to all the same routes as corp users.

Thrown into the mix here is a PIX 506 firewall. We are thinking that it will stand between router (A) and the Internet. We are going to allow VPN client access from remote locations to any LAN/WAN resources.

Can this solution work? Will the PIX firewall route from/to Router (A)? Also, can we allow Exchange to function correctly? It's our Internet mail system.

Any pointers would be great.

Bob

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Hello Bob

I do not see any particular reason why your solution would not work. Regarding the PIX allowing Exchange traffic, you can punch a hole in the PIX and allow it to pass the relevant traffic to Router A.

Here are some good pointers which you might find useful.

#1. An Internetwork Design Guide at http://www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/index.htm

#2. For configuring the Channelized T1 (Fractional T1), see http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/dial_c/dcchant.htm

#3. Details about configuring the PIX Firewall: http://www.cisco.com/cgi-bin/Support/PSP/psp_view.pl?p=Hardware:PIX

Hope this helps

Regards

Vivek Baveja

CCIE 8218

Subject Matter Expert - IP Routing Protocols

Cisco Systems Inc.

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Another batch of questions for you, Vivek!

I have a situation left over from a merger where I've got an OSPF (all Area 0) at the central site, with a site running RIPv1 on one side. On the other side of the OSPF Area, I have a Frame Relay network with many sites and IGRP running exclusively. Looks like this:

|RIPv1|<-->|OSPF|<-->|IGRP|

RIP = 1 site

OSPF = Central Site

IGRP = Frame & many other sites

To compound matters, the RIP <> OSPF site has twin T1s, and the OSPF <> IGRP has a T1 in addition to the FR going to several major sites, for redundancy.

Ultimately, we want to get to OSPF everywhere, which will mean splitting the network into multiple OSPF areas. But this will be quite a ways off in the future. For now I have to live with it this way...

The questions are:

1) When redistributing IGRP into OSPF, then those routes into RIP (as well as the other way), it seems that IGRP and RIP are both quite finicky about the multiple paths between sites. What stopgaps do I have at my disposal to make RIP and IGRP coexist with OSPF between them, let alone load balancing issues between the multiple paths?

2) When we get to the point of migrating the FR network and these other sites to OSPF, do you recommend a huge all-at-once migration, or can we split the migration into stages, in a site-by-site fashion? Not sure how the FR topology and its non-broadcast nature will handle partial moves, or a massive move for that matter, to OSPF. What big pitfalls do you see with this type of migration on a FR network? Anything different from migrating sites with T1s?

3) We are currently in the process of upgrading RAM and flash on the FR site's routers (mostly 2500 series, flat networks at each site) to 16MB RAM and 16MB flash. The RIP site has 2600 T1 routers and Cat5500s with RSMs across the campus. The RSMs all have 32MB RAM and 16MB flash. In spite of such little information, do you see any obvious problems with the hardware we have, RAM & flash, in place to run OSPF?

4) In regards to load balancing across the multiple paths, neither RIP nor IGRP seems to be very good at balancing the traffic. We've tried several times to use access lists to help bias traffic into different patterns, but none really seem to act like we want. Is this a futile effort with RIP and IGRP?

5) What do you think of using compression features on the WAN routers, particularly with FR? We found that we had to disable it on some of the 2500s as the CPU couldn't keep up with it. Perhaps you could provide a guideline (especially with 2500s) as to what CPU utilization to avoid going over during normal operation. I've been thinking somewhere in the 50% range, but I don't know if that leaves enough to handle convergence adequately during a topology change.

Sorry that's so many questions all at once. Hopefully these questions will be general enough for others to be interested in the response. Thanks in advance!

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Hello Jwitherell

I will answer your questions one by one.

Q1) When redistributing IGRP into OSPF, then those routes into RIP (as well as the other way), it seems that IGRP and RIP are both quite finicky about the multiple paths between sites. What stopgaps do I have at my disposal to make RIP and IGRP coexist with OSPF between them, let alone load balancing issues between the multiple paths?

A1) RIP can have up to a maximum of 6 equal cost parallel paths in the routing table. The point to be noted is "equal cost paths": if there are unequal cost paths, RIP would only install the route with the best metric. You can control how many parallel paths RIP installs into the routing table by configuring "maximum-paths <1-6>". For more details refer to http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/iprprt2/1rdindep.htm#xtocid1180620

IGRP allows unequal cost load sharing as well, using the variance command under the routing process. More information at http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt2/1cdigrp.htm#12549

It is important to understand how the switching path (process switching/fast switching/CEF) determines whether the packets will be sent on equal cost paths by doing load sharing at the per-packet level or per destination. And if one of the paths has process switching and another has route-cache switching, for example, you will see that all the traffic finally leaves only the path that is fast switched. I have explained this in detail at

How packets are routed over equal cost paths http://www.cisco.com/warp/customer/105/27.html

Regarding the second point in the question, there are two issues you need to worry about when running RIP/IGRP with OSPF:

a) VLSM. More details are available at Redistributing between classful and classless protocols. http://www.cisco.com/warp/customer/105/52.html

b) Ensuring that proper metrics are used when redistributing routes between routing processes. More details are available at

Redistributing Routing Protocols http://www.cisco.com/warp/customer/105/redist.html

Q2) When we get to the point of migrating the FR network and these other sites to OSPF, do you recommend a huge all-at-once migration, or can we split the migration into stages, in a site-by-site fashion? Not sure how the FR topology and its non-broadcast nature will handle partial moves, or a massive move for that matter, to OSPF. What big pitfalls do you see with this type of migration on a FR network? Anything different from migrating sites with T1s?

A2) I would suggest a site-by-site migration. There should not be any specific issues with the FR cloud for partial moves. What you need to do is make sure that you are correctly redistributing into OSPF on the ASBR, and also you should be aware of any split horizon issues you might run into on the NBMA cloud. Here is a good list of docs which talk about configuration issues and troubleshooting on NBMA networks:

http://www.cisco.com/warp/customer/104/24.html

http://www.cisco.com/warp/customer/104/22.html

http://www.cisco.com/warp/customer/104/18.html

http://www.cisco.com/warp/customer/104/3.html#11.0

http://www.cisco.com/warp/customer/104/trouble_main.html

I would also encourage you to have a Cisco engineer with you while you are migrating the networks, so that if you hit any issues while you are migrating, he would be able to help you online. To have a Cisco engineer with you, open a case at http://www.cisco.com/cgi-bin/front.x/case_tools/caseOpen.pl

Q3) We are currently in the process of upgrading RAM and flash on the FR site's routers (mostly 2500 series, flat networks at each site) to 16MB RAM and 16MB flash. The RIP site has 2600 T1 routers and Cat5500s with RSMs across the campus. The RSMs all have 32MB RAM and 16MB flash. In spite of such little information, do you see any obvious problems with the hardware we have, RAM & flash, in place to run OSPF?

A3) Since it appears that you will be having a number of OSPF routes in your network in addition to the RIP/IGRP routes during migration, I would seriously suggest you increase your RAM to at least 32MB, or preferably 64 MB.

I am suggesting the memory upgrade presuming that you have a large OSPF network and that you would also have RIP/IGRP running simultaneously. This would avoid any network meltdown because of memory issues. It's a good idea to have extra memory rather than too little memory.

Q4) In regards to load balancing across the multiple paths, neither RIP nor IGRP seems to be very good at balancing the traffic. We've tried several times to use access lists to help bias traffic into different patterns, but none really seem to act like we want. Is this a futile effort with RIP and IGRP?

A4) See answer 1; I have answered it there. Basically, load balancing is dependent on two things. First, the routing table should have multiple routes to do load sharing. Secondly, the switching path (CEF/process/fast switching) determines how the load sharing among those paths would take place. Process switching would do per-packet load sharing, fast switching would do per-destination, and CEF can do both as per configuration.

What you are trying to do is load sharing via policy routing, using access-lists and changing the next hop as per your policy. This is not a very good way to achieve load sharing. Use the proper switching process to achieve your results. Open a case if you need help.

Q5) What do you think of using compression features on the WAN routers, particularly with FR? We found that we had to disable it on some of the 2500s as the CPU couldn't keep up with it. Perhaps you could provide a guideline (especially with 2500s) as to what CPU utilization to avoid going over during normal operation. I've been thinking somewhere in the 50% range, but I don't know if that leaves enough to handle convergence adequately during a topology change.

A5) I would not go with 50% CPU. That is too high. CPU utilization should not remain so high (50%) for a long time. If it does, it indicates a churn in the network, like a route flapping, which is causing repetitive routing calculation. There can be other reasons as well for a high CPU. Here is one good URL to troubleshoot high CPU issues:

http://www.cisco.com/warp/customer/63/highcpu.html

Regards

Vivek Baveja

CCIE 8218

SME-IP Routing Protocols

Cisco Systems Inc.
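To make the two selection rules in A1 and the switching-path point in A4 concrete, here is an added Python model (written for this page, not Cisco code) of how RIP's maximum-paths and IGRP's variance decide which next hops are installed, and how per-packet versus per-destination switching then spreads traffic over them. The sample paths and the destination hash are constructed assumptions; the real IOS hashing is not reproduced.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    next_hop: str
    metric: int      # this router's metric to the destination via next_hop
    advertised: int  # metric the next hop itself reports for the destination


def rip_paths(paths, maximum_paths: int = 4):
    """RIP: only paths whose metric equals the best metric are installed,
    never more than maximum-paths of them (IOS default 4, maximum 6)."""
    if not 1 <= maximum_paths <= 6:
        raise ValueError("RIP maximum-paths must be between 1 and 6")
    if not paths:
        return []
    best = min(p.metric for p in paths)
    return [p for p in paths if p.metric == best][:maximum_paths]


def igrp_paths(paths, variance: int = 1, maximum_paths: int = 4):
    """IGRP unequal-cost load sharing via the variance multiplier.

    A path is installed when (1) its metric is no more than variance times
    the best metric and (2) the next hop's own advertised metric is lower
    than our best metric, i.e. the next hop is closer to the destination
    than we are, so a packet can never be handed back toward us (a loop).
    With variance 1 this reduces to equal-cost paths, as in RIP.
    """
    if variance < 1:
        raise ValueError("variance must be >= 1")
    if not paths:
        return []
    best = min(p.metric for p in paths)
    feasible = [
        p for p in paths
        if p.metric <= variance * best and p.advertised < best
    ]
    return feasible[:maximum_paths]


def per_packet(installed, packet_index: int) -> Path:
    """Process switching: consecutive packets round-robin over the installed
    paths regardless of destination."""
    return installed[packet_index % len(installed)]


def per_destination(installed, dst: str) -> Path:
    """Fast switching: every packet for one destination takes one path.
    The hash below is a constructed stand-in, not the IOS algorithm."""
    digest = sum(int(octet) for octet in dst.split("."))
    return installed[digest % len(installed)]


if __name__ == "__main__":
    # Constructed sample: four next hops toward one destination.
    sample = [
        Path("10.0.0.1", metric=100, advertised=60),
        Path("10.0.0.2", metric=100, advertised=70),
        Path("10.0.0.3", metric=250, advertised=80),
        Path("10.0.0.4", metric=400, advertised=150),  # fails the feasibility check
    ]
    print("RIP installs:", [p.next_hop for p in rip_paths(sample)])
    print("IGRP variance 3:", [p.next_hop for p in igrp_paths(sample, variance=3)])
    print("IGRP variance 4:", [p.next_hop for p in igrp_paths(sample, variance=4)])
    installed = igrp_paths(sample, variance=3)
    print("per-packet:", [per_packet(installed, i).next_hop for i in range(4)])
    print("per-destination:", per_destination(installed, "192.0.2.10").next_hop)
```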

Blue

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

We are migrating from IGRP on all of our routers to EIGRP. Everything seems to be running smoothly (we have over 75 routers). Here is the situation: we have 3 buildings connected via gigaman. One of the buildings accesses the internet over the gigaman connection. As soon as we cut our internet routers over to EIGRP, this particular building's internet speeds came to a creeping halt. First we thought it was a default route problem; we followed the path of traffic to and back in from the internet, and the path it was taking was correct both ways. Next we placed a sniffer on the 6500 the gigaman connects to in the building providing the internet traffic, and all we noticed was a lot of retransmissions. Eventually we found a route that had the default route changing every 3 seconds (if you did a show ip route x.x.x.x there were four routes and the * would bounce between those 4 routes every few seconds???). Lastly we created a tunnel between the 6500 and one of the routers closest to our internet router, and internet speed was back up again and everything was running correctly. Obviously there is a routing issue, we just can't pinpoint it. I guess out of all the info I provided, the thing that concerns me the most is that the traffic was taking the correct routes, just very slowly. Thanks, and sorry for the long Q.

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Hello Adignan

From the information you have provided, it appears to be a plain case of a routing loop. What appears to be happening is:

The router having four routes in its routing table is learning the route x.x.x.x from four different sources via EIGRP and installing them into the routing table. Out of these 4 possible routes, some routes are basically looped routes. And the bouncing "*" in those 4 routes means load sharing is happening among those routes, determined by the switching process. So when a packet goes into the loop it gets lost and we have retransmissions.

I would suggest you open a case with Cisco as this requires troubleshooting online. To open a case please go to this site http://www.cisco.com/cgi-bin/front.x/case_tools/caseOpen.pl and a Cisco engineer will help you troubleshoot this issue.

Regards

Vivek Baveja

CCIE 8218

SME-IP Routing Protocols

Cisco Systems Inc.

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Good afternoon,

I am not sure this is the correct forum for this but ... here goes.

Management is planning on implementing VLANs across a Catalyst 4006 switch with several subnetting schemas. We currently have an external router to our ISP and a PIX 515ur with our Exchange server sitting in the DMZ and our main network behind a Proxy server. We also have a frame-relay router to 12 remote sites using private IPs. Right now we are Token Ring but have just finished recabling for Ethernet/Cat5 at the Home Office.

My question: would the following scenario work? IP PDC, BDC, Proxy servers and IT department computers go to the management VLAN1; divide the remaining systems and servers among 3 other VLANs (based on main activity/department), allocating network printers accordingly. Insert the 4006 between the Proxy and the PIX, eliminating the need for the hubs currently in use.

Any info would be helpful. Management wants this done as soon after the New Year as I can put it in place! Most likely, I will open a case with TAC but would also be nice if I had some basis in fact!

Thanks, Carolyn

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Hello Carolyn,

The most important thing you should care about when moving from a flat network with hubs to a network with multiple VLANs and switches is inter-VLAN routing.

You need to make sure that VLAN1 can talk to VLAN2, and likewise with the other VLANs. Otherwise you will end up in a situation where all VLANs are isolated islands and you cannot communicate between VLANs.

Additionally, if you expect to have huge traffic on management VLAN1, I would recommend using a separate VLAN other than management VLAN1.

On the 4006 switch you have two choices to configure inter-VLAN routing. One is to have the WS-X4232-L3 module, which will do inter-VLAN routing. More details about how to configure it are available at http://www.cisco.com/warp/customer/473/28.html

The other option, when you do not have the above layer 3 module, is to connect the Cat 4006 to a router and achieve the same results by configuring ISL trunking between them. Here is a good URL which explains this: http://www.cisco.com/warp/customer/473/24.shtml

Hope this helps

Regards

Vivek Baveja

CCIE 8218

Cisco Systems Inc.

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

In the past we have seen behaviour where the dynamic routing process does not include addresses that are used in NAT, regardless of whether the network statement covers these addresses or not.

We have seen this in OSPF, and the only method to include this in the routing process was either to include the addresses on the outside interface, a loopback interface, or in a static and redistribute the static in the dynamic routing process.

Is there a reasoning behind this implementation of dynamic routing, apart from "this is just how it works"? If yes, which?

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Hello Noostenb

A dynamic routing protocol shall announce any network if it is directly connected or is getting redistributed into the routing process. Otherwise the dynamic routing protocol has no way to know what networks to announce. Having said that, the problem comes when, for example, you configure NAT and translate an inside address (connected to the inside interface) to an inside global address which is not configured anywhere in the box except in the NAT configuration. In this situation the dynamic routing process has no way to know and announce the global address until it is introduced into the routing process specifically, either by configuring an outside/loopback interface and a network command or by configuring a static route and redistributing it.

Hope this helps

Regards

Vivek Baveja

CCIE 8218

Cisco Systems Inc.

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Hi Vivek,

I understand the principle of NAT, but this was not the (type of) answer that I had hoped for. I understand that the NAT addresses aren't directly connected, nor redistributed. However, the native addresses are. What is Cisco's reasoning in not inserting the NAT addresses in the routing process? In other words, I know why this doesn't work right now, and what needs to be done to get it working, but what is the underlying thought process? Too difficult to implement? Obvious drawbacks that I'm overlooking?

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Hello Nike,

I am certain that it is not that difficult to implement, and surely that is not the prime reason why Cisco has not implemented it the way you have suggested. Knowing NAT is really not a routing protocol, I see no harm in assigning those addresses to an interface or redistributing these global addresses into routing protocols the way Cisco has implemented it.

However, since there are no set standards for it now, nor is there any mention in any routing protocol RFCs, I think if there is a requirement, then it's time to define standards for it.

If you think that there is a strong reason to have it implemented the way you are suggesting, I would strongly advocate that you open a case at http://www.cisco.com/cgi-bin/front.x/case_tools/caseOpen.pl for a feature request.

Regards,

Vivek Baveja

CCIE 8218

SME IP Routing Protocols

Cisco Systems Inc.

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Hi, Vivek,

I have another topic need to consult you.

As we all know, the route-map is generally used for policy routing, route redistribution, and BGP route advertisement; thus, there are many "match" and "set" commands. My question is: how can I differentiate which "match" and "set" commands are for policy routing, which for route redistribution, and which for BGP route advertisement? I always get confused with so many match and set commands.

Do you have any suggestion when configuring route-map for the above mention application?

Thank you very much!

Fujin

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Hello Fujin,

For policy routing, these are the attributes used in match and set statements:

Match ip address

Match length

Set interface

Set default interface

Set ip next-hop

Set ip default next-hop

For a complete list of set and match statements for redistribution/BGP and policy routing, refer to http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/iprprt2/1rdindep.htm#1019972

Also, there is a nice tool available on Cisco.com called "Command Lookup Tool" http://www.cisco.com/kobayashi/support/tac/t_index.shtml where you can put in a string of the command you are looking for and it will provide links to the command reference guides on Cisco.com. For example, in this case if you look for "route-map" in the above tool it will list the possible command references where route-map is used, and that can give you an idea as to which set and match statements to use.

Hope this helps,

Regards

Vivek Baveja

CCIE 8218

SME - IP Routing Protocols

Cisco Systems Inc.

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Hi,Vivek,

On the Cisco document http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/iprprt2/1rdindep.htm#xtocid118062 , it says "Always set the administrative distance from the least to the most specific network",

while on the http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt2/1cdindep.htm#xtocid2568627 , it says:

The following example assigns the router with the address 192.31.7.18 an administrative distance of 100, and all other routers on subnet 192.31.7.0 an administrative distance of 200:

distance 100 192.31.7.18 0.0.0.0

distance 200 192.31.7.0 0.0.0.255

However, if you reverse the order of these commands, all routers on subnet 192.31.7.0 are assigned an administrative distance of 200, including the router at address 192.31.7.18:

distance 200 192.31.7.0 0.0.0.255

distance 100 192.31.7.18 0.0.0.0

This seems to conflict; which one is correct?

Thank you very much.

Fujin

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Hello Fujin,

The second document is correct (http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt2/1cdindep.htm#xtocid2568627).

The most specific network should be on the top of the list and least specific at the bottom of the list.

The way this list is read is top down, like an access-list, so the most specific network has to be at the top of the list.

Thanks for pointing out the mistake, I shall ensure that it gets corrected.

Regards,

Vivek Baveja

CCIE 8218

SME – IP Routing Protocols

Cisco Systems Inc.

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Hi, Vivek.

My two questions relate to NAT, especially "NAT-on-a-stick" (I think).

1. We have two Cisco routers linking LANs via T1. As a temporary workaround, can one router masquerade a device in subnet N on a local ethernet as an IP address chosen from subnet M which is assigned to an ethernet on the other router? In other words, can we take one IP from a remote subnet and assign it as an alias to a locally attached host, which can then be reached using either its native or its alias IP? The situation involves moving a server between sites while keeping its "old" IP address functional.

2. Recognizing that "NAT-on-a-stick" may not be an officially supported configuration, can you say what distinguishes situations where it works OK from where it doesn't?

Thank you.

New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Hello Pnicolette,

A1) What appears from your description is a case of overlapping networks, where you wish to have the same IP address being used on two sides of a network. To make this work, refer to the document http://www.cisco.com/warp/public/556/3.html. It explains in detail how to configure it.

A2) Regarding NAT on a stick, let me explain in detail. The term "on a stick" usually implies that we are utilizing a single physical interface of a router in order to accomplish something. For example, we can use subinterfaces of the same physical interface to perform ISL trunking. In the case of NAT on a stick, we are using a single physical interface on a router in order to accomplish network address translation. In order for NAT to take place, a packet must be switched from a NAT "inside" defined interface to a NAT "outside" defined interface or vice versa. This requirement for NAT hasn't changed; we can use a virtual interface, otherwise known as a loopback interface, and policy-based routing to get NAT to work on a router with a single physical interface.

The need for NAT on a stick is rare. Also note that, because of the use of a loopback interface, the router will have to process-switch every packet. This will degrade the performance of the router.

A typical situation where NAT on a stick would be required is a cable modem setup, where the customer premises has a CM (Cable Modem), which is basically a device that acts like a bridge. The other side is a CMTS (Cable Modem Termination System). The cable ISP has not given us enough valid addresses for as many hosts as we have that want to reach the Internet. To make the local hosts reach the Internet, we do a setup like this:

CMTS-------Internet
  |
  |
Cable Modem(Bridge)      NAT Router(Loopback)
  |                            |
  |------------------------------
  |
Host1   Host2   Host3 ... HostN

(If the diagram format gets corrupted while posting, please read it as a LAN segment that connects Host1 to HostN, the NAT router and the CM; the CM is in turn connected to the CMTS, and the CMTS is connected to the Internet.)

NAT-router#show run
Building configuration...
!
version 12.1
!
hostname NAT-router
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.252
 ip nat outside
!Creates a virtual interface called Loopback 0 and assigns an IP address of 10.0.1.1 to it. Defines interface Loopback 0 as NAT outside.
!
interface Ethernet0
 ip address 192.168.1.2 255.255.255.0 secondary
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
!Assigns a primary IP address of 10.0.0.2 and a secondary IP address of 192.168.1.2 to Ethernet 0. Defines interface Ethernet 0 as NAT inside. The 192.168.1.2 address will be used to communicate through the CM to the CMTS and the Internet. The 10.0.0.2 address will be used to communicate with the local hosts.
 ip policy route-map nat-loop
!Assigns route-map "nat-loop" to Ethernet 0 for policy routing.
!
ip nat pool external 192.168.2.2 192.168.2.3 prefix-length 29
ip nat inside source list 10 pool external overload
ip nat inside source static 10.0.0.12 192.168.2.1
!NAT is defined: packets matching access-list 10 will be translated to an address from the pool called "external". A static NAT translation is defined for 10.0.0.12 to be translated to 192.168.2.1 (this is for Host2, which needs to be accessed from the Internet).
ip classless
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.2.0 255.255.255.0 Ethernet0
!Static default route set as 192.168.1.1, also a static route for network 192.168.2.0/24 directly attached to Ethernet 0.
!
access-list 10 permit 10.0.0.0 0.0.0.255
!Access-list 10 defined for use by the NAT statement above.
access-list 102 permit ip any 192.168.2.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
!Access-list 102 defined and used by route-map "nat-loop", which is used for policy routing.
!
access-list 177 permit icmp any any
!Access-list 177 used for debug.
!
route-map nat-loop permit 10
 match ip address 102
 set ip next-hop 10.0.1.2
!Creates route-map "nat-loop" used for policy routing. The route map states that any packets matching access-list 102 will have the next hop set to 10.0.1.2 and get routed "out" the loopback interface. All other packets will get routed normally.
!
end

This way the IP addresses configured on local hosts (10.0.0.0) are made to route out via loopback interface 10.0.1.1 on “NAT-Router”, where the NAT takes place and Inside Local IP addresses are translated to Inside Global IP addresses 192.168.2.1 to .3 (given to us by the cable ISP) before being routed to the CMTS.

Hope this helps you understand the NAT on a stick concept and its applicability. It is important to understand that when packets are switched across a loopback interface, they will get process switched, which can degrade the router performance at heavy network loads.

Hope this helps

Regards

Vivek Baveja

CCIE 8218

SME- IP Routing Protocols

Cisco Systems Inc.


New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Hi, Vivek,

I'm a bit confused with your answer, as I know, usually, when you design an access-list, you should put the most generic (least specific) on the top and the least generic at the bottom, am I correct to say that?

For the case of distance, it should be in a reverse way, is it?

Thank you very much.

Fujin


New Member

Re: ASK THE EXPERT- IP-ROUTING PROTOCOLS

Hello Fujin,

Access-lists are analyzed top down, and the most specific entry should be at the top and the least specific at the bottom. So, for example, if we wish to deny 10.10.10.19/32 and allow the remaining 10.10.10.0/24 using an access-list,

The access-list would look like

access-list 1 deny 10.10.10.19 0.0.0.0

access-list 1 permit 10.10.10.0 0.0.0.255

However, had we configured the least specific 10.10.10.0/24 first, then 10.10.10.19 would never have been denied.

access-list 1 permit 10.10.10.0 0.0.0.255

access-list 1 deny 10.10.10.19 0.0.0.0

Since the IP address 10.10.10.19 will match the first line of access-list 1, as it matches all addresses from 10.10.10.1 to 10.10.10.255.

Hope this helps

Regards,

Vivek Baveja

CCIE 8218

SME Routing Protocols

Cisco Systems Inc.
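As an added illustration (not code from the thread), the following Python model walks a list top down and stops at the first entry whose address/wildcard matches, which is the rule behind both the access-list above and the per-source "distance" entries discussed earlier; it shows that 10.10.10.19 is denied only when the host entry is listed first, and gets AD 100 only when the host entry precedes the subnet entry. The function names and the wildcard arithmetic are this example's own assumptions about how the first-match rule is applied.

```python
import ipaddress

# Added example (not from the thread): a model of how IOS walks a list
# top down and stops at the first entry whose address/wildcard matches.
# The same first-match rule governs the standard ACL in this reply and
# the per-source "distance" entries discussed earlier in the thread.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under an inverse (wildcard) mask.
    Wildcard bits set to 1 are 'don't care'; 0.0.0.0 means an exact host."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

def first_match(entries, addr, default=None):
    """Return the action of the first matching (action, base, wildcard)
    entry, walking the list in configured order."""
    for action, base, wildcard in entries:
        if wildcard_match(addr, base, wildcard):
            return action
    return default

def acl_verdict(entries, addr):
    """Standard ACL evaluation: first match wins, implicit deny at the end."""
    return first_match(entries, addr, default="deny")

# The access-list from the reply, in both orders (wildcard masks as IOS uses).
SPECIFIC_FIRST = [("deny", "10.10.10.19", "0.0.0.0"),
                  ("permit", "10.10.10.0", "0.0.0.255")]
GENERIC_FIRST = [("permit", "10.10.10.0", "0.0.0.255"),
                 ("deny", "10.10.10.19", "0.0.0.0")]

# The "distance" example from earlier in the thread; the action is the AD.
DISTANCE_SPECIFIC_FIRST = [(100, "192.31.7.18", "0.0.0.0"),
                           (200, "192.31.7.0", "0.0.0.255")]
DISTANCE_GENERIC_FIRST = [(200, "192.31.7.0", "0.0.0.255"),
                          (100, "192.31.7.18", "0.0.0.0")]

if __name__ == "__main__":
    for name, acl in (("specific first", SPECIFIC_FIRST),
                      ("generic first", GENERIC_FIRST)):
        print(f"ACL {name}: 10.10.10.19 -> {acl_verdict(acl, '10.10.10.19')}")
    for name, dl in (("specific first", DISTANCE_SPECIFIC_FIRST),
                     ("generic first", DISTANCE_GENERIC_FIRST)):
        print(f"distance {name}: 192.31.7.18 -> AD {first_match(dl, '192.31.7.18')}")
```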
