11 May

Creating EoMPLS on ASR9k

The process of defining E-Line connections, either local or as EoMPLS, consists of two steps: creating EFPs (Ethernet Flow Points) and defining an xconnect between them. Each EFP represents one customer service demarcation point and can be, for example, a physical subinterface or a bundle. The connection between EFPs can be either local, if both EFPs are in the same chassis (on the same or different line cards), or an EoMPLS link.

29 Apr

Virtual IP, MgmtEth interfaces and switchover on ASR9k

On an ASR9000 router you have two RSPs, both with a MgmtEth0 interface. The interfaces on both RSPs have to be in the same subnet, and what's more, a Virtual IP address in the same subnet as the MgmtEth0 interfaces has to be configured. So technically you may think that you have three out-of-band management entry points to the router. This is unfortunately false.

27 Apr

Getting familiar with IOS XR

I’m getting familiar with ASR9k routers and IOS XR right now at a training at Cisco HQ. IOS XR is different. It’s modular and has a slightly different design from traditional IOS or IOS XE, which is more or less IOS converted into a Linux process on the ASR1k.
For those familiar with the JunOS CLI and with programming, IOS XR might be easier to use than the traditional IOS CLI. You can prepare your configuration ahead, review it and commit all the changes at once. Too bad Cisco didn’t implement a commit check command like on JunOS, which lets you test whether the configuration you’re going to commit is consistent. Another big disadvantage: when you execute show configuration changes diff you can see the changes that will be made to the running-config when you commit. The diff looks quite similar to the one you know from UNIX platforms, except that both lines that will stay unchanged and lines that will be removed are preceded with “-”, while lines that will be added to the configuration are preceded with “+”. It is not really clear what you remove and what you don't. But you can always run show configuration changes to see how your configuration will look after the commit.
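To make the ambiguity concrete, here is an added example (not code from the post, and not Cisco's own output) that renders the same running/candidate pair two ways. The running and candidate configurations are constructed for the example, and `xr_style_diff` is a model of the marking the post describes (every line of the touched block gets "-", only new lines get "+"), set beside a conventional unified diff from Python's `difflib`, which is what an operator would usually want for a pre-commit review.

```python
import difflib

# Constructed running and candidate configurations in IOS XR style; not taken
# from any real router or from the post.
RUNNING = """\
interface GigabitEthernet0/0/0/0
 description uplink
 ipv4 address 192.0.2.1 255.255.255.0
!
"""

CANDIDATE = """\
interface GigabitEthernet0/0/0/0
 description uplink to core
 ipv4 address 192.0.2.1 255.255.255.0
 shutdown
!
"""


def xr_style_diff(running, candidate):
    """Model of the listing the post describes for 'show configuration changes diff'.

    Every line of the touched block as it exists in running-config is printed
    with '-', whether it will be removed or kept, and only genuinely new lines
    get '+'. The unchanged 'ipv4 address' and '!' lines therefore show up as
    '-' too, which is what makes the listing hard to read.
    """
    run_lines = running.splitlines()
    cand_lines = candidate.splitlines()
    return (["-" + l for l in run_lines]
            + ["+" + l for l in cand_lines if l not in run_lines])


def unified_diff(running, candidate):
    """Conventional unified diff of the same two configs: '-' only for lines that
    really go away, '+' only for lines that arrive, no context lines (n=0)."""
    return list(difflib.unified_diff(running.splitlines(), candidate.splitlines(),
                                     fromfile="running-config",
                                     tofile="candidate-config",
                                     lineterm="", n=0))


def changed_lines(running, candidate):
    """Just the +/- lines of the unified diff, without file headers or hunk markers."""
    return [l for l in unified_diff(running, candidate)
            if l[:1] in ("+", "-") and not l.startswith(("---", "+++"))]


if __name__ == "__main__":
    print("XR-style listing as described in the post:")
    print("\n".join(xr_style_diff(RUNNING, CANDIDATE)))
    print("\nUnified diff of the same change:")
    print("\n".join(unified_diff(RUNNING, CANDIDATE)))
```

Running it side by side shows the difference: the XR-style listing marks the untouched `ipv4 address` line with "-" exactly like the `description` line that really changes, whereas the unified diff carries only one removed and two added lines.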

12 Apr

Passing username in CUBE-SP

By default, when a REGISTER message passes through the SBC, the username in the Contact field is replaced with a random string. This string identifies the pinhole opened for the particular user and is used for management purposes. This behavior is not always desirable: many SIP implementations identify the user by the Contact field, and rewriting it with a random string would prevent the application from registering.
The SBC can be configured to pass the username set in the Contact field through. To do this you have to configure

    registration contact username passthrough

This has to be set on the adjacency that should not rewrite the username when a SIP REGISTER comes from

06 Apr

DHCPv6 service

On IOS routers you can disable the built-in DHCP server by issuing the command

no service dhcp

You would expect that it disables the whole DHCP service, regardless of which protocol it serves. Well, you are wrong. It disables only the IPv4 DHCP service and leaves the IPv6 one running. Therefore the following configuration

ipv6 dhcp pool IPv6
 dns-server FC00:2::D911:220A
!
interface GigabitEthernet0/0
 ipv6 address FC00:3::1/64
 ipv6 nd other-config-flag
 ipv6 dhcp server IPv6

will still work, and the built-in DHCP server will still hand out DNS information to requesting IPv6 hosts.

30 Mar

ASR1k NAT really does not like secondary addresses

Cisco routers have never liked secondary addresses when NAT is configured on the same interface. You can always expect unpredictable behavior, and translating over secondary addresses never worked. On the ASR1k it’s even worse.

The configuration used for testing was pretty simple.

interface TenGigabitEthernet0/2/0
 ip address 10.15.15.254 255.255.255.0 secondary
 ip address 130.189.160.161 255.255.255.252
 ip nat outside
!
ip nat pool test-r 130.189.160.161 130.189.160.161 netmask 255.255.255.252
ip nat inside source list test-r-list pool test-r overload

On an ISR this configuration should work; at least I made it run on dynamips with 12.4T software. On the ASR1k with IOS XE it’s not working regardless of the software version used. If you enable debugging you’ll find something like this in the logs:

*Mar 24 06:49:12.482: NAT: setup alias for 130.189.160.161 (redundancy_name , idb TenGigabitEthernet0/2/0, flags 0x2)
*Mar 24 06:49:12.482: NAT: installing alias for address 130.189.160.161, addr_flags 0x2
*Mar 24 06:49:12.482: NAT: alias insert failed for 130.189.160.161

Traffic flows through the ASR router, a translation entry is created in the NAT table and the traffic reaches its destination, but almost all return traffic that should use the same translation is dropped by the ASR. Almost all, because ICMP pings work fine while UDP and TCP flows are dropped.

There are two solutions to this problem. You can create the translation rule using the interface instead of a pool; the ASR will then use the primary address as the translation source and it will work fine.

ip nat inside source list test-r-list interface TenGigabitEthernet0/2/0 overload

The other solution is to split the physical interface into two subinterfaces using dot1q tagging and configure ip nat outside only on the subinterface with the public addresses.
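Both this post and the DHCPv6 post above describe configurations that look harmless but behave unexpectedly, so here is an added example (my code, not the author's and not a Cisco tool) of a small configuration audit that flags both conditions before they reach a router. The sample configuration is constructed for the example by combining the snippets from the two posts; the parser assumes plain IOS-style text where interface blocks are indented by one space and terminated by a top-level line or `!`.

```python
import re

# Constructed sample configuration (combined from the two posts' snippets, not
# from a real router) that contains both pitfalls: "no service dhcp" while a
# DHCPv6 server is still bound to an interface, and a NAT outside interface
# carrying a secondary address with a pool built from its primary address.
SAMPLE_CONFIG = """\
no service dhcp
!
ipv6 dhcp pool IPv6
 dns-server FC00:2::D911:220A
!
interface GigabitEthernet0/0
 ipv6 address FC00:3::1/64
 ipv6 nd other-config-flag
 ipv6 dhcp server IPv6
!
interface TenGigabitEthernet0/2/0
 ip address 10.15.15.254 255.255.255.0 secondary
 ip address 130.189.160.161 255.255.255.252
 ip nat outside
!
ip nat pool test-r 130.189.160.161 130.189.160.161 netmask 255.255.255.252
ip nat inside source list test-r-list pool test-r overload
"""

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask", re.M)


def parse_interfaces(config):
    """Return {interface name: [indented lines of its block]} from IOS-style text."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or any other top-level line ends the block
    return interfaces


def dhcpv6_still_active(config):
    """Interfaces still serving DHCPv6 although 'no service dhcp' is configured.

    'no service dhcp' only stops the IPv4 server; an interface carrying
    'ipv6 dhcp server <pool>' keeps answering DHCPv6 requests.
    """
    if not re.search(r"^no service dhcp\s*$", config, re.M):
        return []
    return sorted(name for name, lines in parse_interfaces(config).items()
                  if any(l.startswith("ipv6 dhcp server ") for l in lines))


def nat_outside_with_secondary(config):
    """(interface, [secondary addresses]) for NAT outside interfaces with secondaries."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "ip nat outside" not in lines:
            continue
        secondaries = [l.split()[2] for l in lines
                       if l.startswith("ip address ") and l.endswith(" secondary")]
        if secondaries:
            findings.append((name, secondaries))
    return findings


def pools_on_outside_address(config):
    """(pool, interface) pairs where a NAT pool reuses the primary address of a
    NAT outside interface. Combined with a secondary address this is the case
    that fails on the ASR1k; an 'interface ... overload' rule is the fix."""
    primaries = {}
    for name, lines in parse_interfaces(config).items():
        if "ip nat outside" in lines:
            for l in lines:
                if l.startswith("ip address ") and not l.endswith(" secondary"):
                    primaries[l.split()[2]] = name
    found = []
    for pool, start, end in POOL_RE.findall(config):
        iface = primaries.get(start) or primaries.get(end)
        if iface:
            found.append((pool, iface))
    return found


def audit(config):
    """Collect all three checks in one report."""
    return {
        "dhcpv6_still_active": dhcpv6_still_active(config),
        "nat_outside_with_secondary": nat_outside_with_secondary(config),
        "pools_on_outside_address": pools_on_outside_address(config),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_CONFIG).items():
        print(f"{check}: {result}")
```

The checks are deliberately conservative: a pool on the primary address is reported whenever that interface also has a secondary, and the DHCPv6 check fires only when `no service dhcp` is actually present, so a router that never tried to disable DHCP is not flagged.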

What’s also disturbing is the fact that the NetFlow Event Logger (refer to this post), which should send NetFlow v9 events to the collector, starts sending weird data. In my tests it stopped sending information about the creation or removal of NAT entries. No data sets were sent to the collector, just templates, and they weren’t the ones described by templateId=259.

23 Mar

Misses counters on Cisco routers

According to Cisco’s documentation, misses represent the “number of times the software performs a translation table lookup and fails to find an entry, and creates one”. So all routers should have some misses in their counters. Let’s look at some statistics from an 1841 router:

C1841#sh ip nat statistics 
Total active translations: 3339 (0 static, 3339 dynamic; 3339 extended)
Peak translations: 8114, occurred 18:35:17 ago
Outside interfaces:
  FastEthernet0/0
Inside interfaces: 
  FastEthernet0/1
Hits: 28658670  Misses: 0

No misses, only hits, which increase every time “the software performs a translation table lookup and finds an entry”. It works the same on every ISR and 7200 router. But still the documentation says otherwise.

21 Mar

NetFlow Event Logger on ASR1k

ISPs are not ready yet to deploy IPv6 to end customers, and the lack of IPv4 address space forces them to use NAT in their networks. Unfortunately more and more governments require logging what users do and what IP addresses they connect to. NAT event logging to syslog has been available for quite a long time already, but with all the AJAX and P2P applications, logging, and especially querying the logged data, is ineffective. On ASR1k routers you can log NAT and firewall events using NetFlow v9.

15 Mar

Testing SSO on ASR1k

IOS XE on the ASR1000 provides two forms of redundancy. The first one is the well-known hardware redundancy available in the ASR1006, where two RPs and two ESPs can be installed. On other platforms software redundancy and ISSU can be configured. Because IOS XE is in fact just one of the Linux processes running on the platform, when the system boots up not one but two instances of iosd are started in the background, but only one is active. Both processes run on the same Route Processor. The standby IOS process can be switched to in the event of an IOS failure, and in some scenarios it can also be used to upgrade sub-package software, acting as the standby IOS process in an ISSU upgrade.