Tag Archives: ISR

06 Apr

DHCPv6 service

On IOS routers you can disable built-in DHCP server issuing command 

no service dhcp

you should expect that it will disable whole DHCP service no matter what protocol it’s going to service. Wellm you are wrong. It disable only IPv4 DHCP service leaving IPv6 one still running. Therefor following configuration

ipv6 dhcp pool IPv6
 dns-server FC00:2::D911:220A
!
interface GigabitEthernet0/0
  ipv6 address FC00:3::1/64
  ipv6 nd other-config-flag
  ipv6 dhcp server IPv6

will still work and built-in DHCP server will assign DNS information to requesting IPv6 host.

30 Mar

ASR1k NAT really does not like secondary addresses

Cisco routers never liked secondary addresses if NAT is configured on same interface. You can always expect unpredictable behaviors, and making translations over secondary addresses never worked. On ASR1k it’s even worse.

Configuration for testing was pretty simple.

interface TenGigabitEthernet0/2/0
 ip address 10.15.15.254 255.255.255.0 secondary
 ip address 130.189.160.161 255.255.255.252
 ip nat outside
!
ip nat pool test-robot 130.189.160.161 130.189.160.161 netmask 255.255.255.252
ip nat inside source list test-r-list pool test-r overload

On ISR this configuration should work, at least I made it run on dynamips and 12.4T software. On ASR1k and IOS XE it’s not working regardless of version of software used. If you enable debugging you’ll find something like that in logs

*Mar 24 06:49:12.482: NAT: setup alias for 130.189.160.161 (redundancy_name , idb TenGigabitEthernet0/2/0, flags 0x2)
*Mar 24 06:49:12.482: NAT: installing alias for address 130.189.160.161, addr_flags 0x2
*Mar 24 06:49:12.482: NAT: alias insert failed for 130.189.160.161

Traffic flows through ASR router, translation entry is created in NAT table and it reaches destination, but almost every traffic that is sent back and should use same translation is dropped by ASR. Almost every because ICMP pings are working fine, UDP and TCP flows are dropped.

There are two solutions of this problem. You can create translation rule using interface instead of pool, then ASR will use primary address as a source of translation and it will work fine.

ip nat inside source list test-r-list interface TenGigabitEthernet0/2/0 overload

Other solution is to split physical interface into two subinterfaces using dot1q tagging and use ip nat outsideonly on subinterface with public addresses.

What’s also disturbing is fact, that NetFlow Event Logger (refer to this post, that should send NetFlow v9 events to collector starts sending weird data. In my tests it stopped sending informations about creation or removal of NAT entry. No data sets were sent to collector, just templates that weren’t the ones described by templateId=259.

23 Mar

Missess counters on Cisco routers

According to Cisco’s documentation misses represents “number of times the software performs a translation table lookup and fails to find an entry, and creates one“. So all routers should have some misses in their counters. Let’s look at some 1841 router statistics:

C1841#sh ip nat statistics 
Total active translations: 3339 (0 static, 3339 dynamic; 3339 extended)
Peak translations: 8114, occurred 18:35:17 ago
Outside interfaces:
  FastEthernet0/0
Inside interfaces: 
  FastEthernet0/1
Hits: 28658670  Misses: 0

No misses, only hits that increases every time “the software performs a translation table lookup and finds an entry“. It works same on every ISR and 7200 routers. But still documentation says otherwise.
Read More