Most of the recent firmware on Cisco devices runs on top of the Linux operating system. Your IOS XE or NX-OS is just a Linux process! It is nothing new; Juniper has done it for years. However, it does not mean you can access the operating system directly; this is reserved for Cisco TAC and developers in case the base operating system might be the source of the problems. However, you can use IOx and the guestshell container introduced in the IOS XE Everest 16.5.1 release.
BGP Route Server is a feature designed mostly for IX (Internet Exchange) deployments. You can find many deployments around the world, mostly using open software like Quagga, but it’s also available on Cisco’s ASR1000 routers. A route server is an advanced route reflector which provides customized policy support for each service provider, which means that standard path selection can be overridden by route policies set per particular provider.
Just yesterday IOS XE 3.5S for the ASR1000 platform was released. One of the new features introduced for the ASR1000 platform is Origin AS Validation for the BGP protocol. This feature helps prevent operators from inadvertently advertising routes to networks they do not control using RPKI server to authenticate that certain BGP prefixes.
In some cases a router running IOS XE might crash or produce a traceback if we try to delete a logical interface (e.g. a port-channel) or a subinterface that runs IPv6 EIGRP. This can occur mostly on XNE or older releases and has been fixed in newer ones. Cisco has an internal bug, CSCtd63242, describing this problem (it might be released to the public).
With IOS 15.1(3)T for ISR G2 comes quite a change when it comes to how communication between SM, ISM and SM-ES modules occurs. Without Multi Gigabit Fabric (MGF), all communication between devices within a router involves the CPU. With MGF, modules can communicate with each other without involving the router CPU.
EEM (Embedded Event Manager) is quite a nice feature on IOS platforms, allowing an administrator to configure router behavior during predefined events. Usually it’s connected with IP SLA: if a probe returns a negative value, the appropriate applet is executed. But EEM itself can be used for deeper interface and link monitoring than IP SLA allows with its probes.
Cisco routers never liked secondary addresses if NAT is configured on the same interface. You can always expect unpredictable behavior, and making translations over secondary addresses never worked. On ASR1k it’s even worse.
Configuration for testing was pretty simple.
interface TenGigabitEthernet0/2/0
 ip address 10.15.15.254 255.255.255.0 secondary
 ip address 188.8.131.52 255.255.255.252
 ip nat outside
!
ip nat pool test-robot 184.108.40.206 220.127.116.11 netmask 255.255.255.252
ip nat inside source list test-r-list pool test-r overload
On ISR this configuration should work; at least I made it run on dynamips and 12.4T software. On ASR1k and IOS XE it does not work, regardless of the software version used. If you enable debugging you’ll find something like this in the logs:
*Mar 24 06:49:12.482: NAT: setup alias for 18.104.22.168 (redundancy_name , idb TenGigabitEthernet0/2/0, flags 0x2)
*Mar 24 06:49:12.482: NAT: installing alias for address 22.214.171.124, addr_flags 0x2
*Mar 24 06:49:12.482: NAT: alias insert failed for 126.96.36.199
Traffic flows through the ASR router, a translation entry is created in the NAT table and the traffic reaches its destination, but almost all traffic that is sent back and should use the same translation is dropped by the ASR. Almost all, because ICMP pings work fine, while UDP and TCP flows are dropped.
There are two solutions to this problem. You can create the translation rule using the interface instead of a pool; the ASR will then use the primary address as the source of translation and it will work fine.
ip nat inside source list test-r-list interface TenGigabitEthernet0/2/0 overload
The other solution is to split the physical interface into two subinterfaces using dot1q tagging and use ip nat outside only on the subinterface with public addresses.
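A sketch of that second workaround, added here as an illustration and not taken from the original post. The VLAN IDs 10 and 20 and the subinterface numbers are assumptions, the addresses are the ones from the test configuration above, and the upstream switch port is assumed to trunk both VLANs:

```ios
! Added example: the subinterface workaround described above.
! VLAN IDs (10, 20) and subinterface numbers are assumptions.
!
! The physical interface no longer carries any address or NAT role.
interface TenGigabitEthernet0/2/0
 no ip nat outside
 no ip address
!
! Public /30 becomes the only (primary) address on its own subinterface;
! this is the only place where "ip nat outside" is configured.
interface TenGigabitEthernet0/2/0.10
 encapsulation dot1Q 10
 ip address 188.8.131.52 255.255.255.252
 ip nat outside
!
! The former secondary network gets its own subinterface as a primary
! address, with no NAT statement on it.
interface TenGigabitEthernet0/2/0.20
 encapsulation dot1Q 20
 ip address 10.15.15.254 255.255.255.0
```

With this layout no interface has a secondary address and a NAT role at the same time; the translation rule itself is left as it was.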
What’s also disturbing is the fact that NetFlow Event Logger (refer to this post), which should send NetFlow v9 events to the collector, starts sending weird data. In my tests it stopped sending information about creation or removal of NAT entries. No data sets were sent to the collector, just templates that weren’t the ones described by templateId=259.
According to Cisco’s documentation, misses represent the “number of times the software performs a translation table lookup and fails to find an entry, and creates one”. So all routers should have some misses in their counters. Let’s look at some 1841 router statistics:
C1841#sh ip nat statistics
Total active translations: 3339 (0 static, 3339 dynamic; 3339 extended)
Peak translations: 8114, occurred 18:35:17 ago
Outside interfaces:
  FastEthernet0/0
Inside interfaces:
  FastEthernet0/1
Hits: 28658670  Misses: 0
No misses, only hits, which increase every time “the software performs a translation table lookup and finds an entry”. It works the same on every ISR and 7200 router. But still the documentation says otherwise.