CCNP ROUTE (Part 3 Route Protocol Types)

Although there are various routing protocols around, such as RIP, OSPF, IS-IS, EIGRP and BGP, they all fall into one of two groups: the class of routing protocols labelled Link-state, or those labelled Distance-vector.

The fundamental difference is that a Link-state router builds up a complete topology map of all the routers in its network segment, and how they are all linked together. This map is built up by each router sending its own topology to every other router in its segment. This is achieved by each router sending its topology to its connected neighbours; these then check if it is newer than the currently stored copy, and if so add it to their own topology and forward it on to their neighbours. This way every router in the segment will receive the update. The routers then combine all the received individual topologies to create an overall map of the network. An algorithm is then run on this map by each router to determine the best paths to all the destination networks advertised, and these are added to the routing table that will be used to forward traffic. If an update is received that causes a change to the map topology then the algorithm has to be re-run to update the tables. If two routers in the segment send conflicting information about a link (e.g. Router A reports a link to Router B but Router B does not report this link), then when Router C receives the topologies from A and B it will not add this possible link to its topology.

Distance-vector protocols work in a different way. Rather than knowing the entire topology of the network segment, routers only advertise whether they can reach a network and the cost to reach it. Generally this cost will be higher for links that are slow and have multiple hops, and lower for higher bandwidth links with fewer hops. Each router will update its neighbours with the list of networks it can reach and how much it costs to reach each one. The receiving router will place all this information, from all its neighbours, into a table and pick out (by default) the route with the best cost to each destination network to add to the routing table.

So which is best then?

Well they both have their strengths and weaknesses.

Re-convergence speed after a topology change would generally go to Link-state; most distance-vector protocols don't remember the backup links so have to relearn them before they can forward data again. A link-state protocol knows the entire topology, so when a link fails it can re-run the algorithm to find a new best path.

However, resource-wise link-state protocols are very costly: keeping the topology map in memory and running the algorithm across it means high CPU and memory usage. This means they don't scale well to very large networks; CISCO recommend a maximum of 90-100 routers and 200 subnets in a single OSPF area. More than this and the size of the topology map and the time needed to run the algorithm could slow the routers to a crawl. On the other hand, distance-vector protocols do scale much better: routers only communicate with their direct neighbours and only need to know the destination network address, next-hop and cost. This is why you will find distance-vector used for the internet backbone routers that need to deal with large routing tables and constant topology changes, while you find the link-state protocols inside company networks.

One more advantage link-state has over distance-vector is that, because it has a complete topology, there is little danger of loops. For distance-vector this is a very real problem and one that needs checks to be introduced to guard against.

So the choice of which one to use really does very much depend on the situation. In everyday networks there are 5 well known protocols in use:

Distance-vector = RIP, EIGRP, BGP

Link-state = OSPF, IS-IS

Of these EIGRP, OSPF and BGP are the most common. BGP is an external protocol (really the only mainstream one) used between the core internet service providers, so as I mentioned most of the internet is run using distance-vector. EIGRP is a highly optimised distance-vector protocol and has many of the benefits of link-state without the huge CPU and memory cost; however its main issue is that it is CISCO proprietary, so unless you have 100% CISCO devices it is ruled out. That leaves OSPF as the remaining protocol to run in internal networks. For many people in small to medium size networks the benefits gained from running OSPF or EIGRP are small and often come down to personal choice. The consistency and reliability of Link-state or the simplicity and low resources of Distance-vector?

Further Reading

Distance Vector Routing Protocols

Link State Routing Protocols

Well that's the review stuff out of the way, next time we can get into the workings of EIGRP.

DevilWAH

CCNP ROUTE (Part 2, General Routing)

OK so what is this routing thing all about?

Well it seems to me there are two parts to routing: the actual physical routing of data across networks, and the methods by which the network devices keep track of where these routes are (the routing protocols). Although there are several different routing protocols in use, they all have the same basic function: to allow routers to share information about possible paths through the network with each other. This in turn allows the individual routers to build up routing tables, which they can then use to look up the destination IP address in a packet and determine the next router (hop) to which the packet must be sent.

So what about this routing table? What does it look like and what does it contain?

router# show ip route

171.68.0.0/24 is subnetted, 3 subnets
S       171.68.1.0 [1/0] via 171.68.192.201
S       171.68.16.0 [1/0] via 172.16.191.254
C       171.68.192.0 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
S       172.16.88.0/24 [1/0] via 172.16.191.254
C       172.16.191.252/30 is directly connected, Serial2/0
D    192.168.80.0/24 [90/156160] via 171.68.192.201, 00:00:07, FastEthernet0/0
D    192.168.90.0/24 [90/156160] via 171.68.192.201, 00:00:08, FastEthernet0/0
S   0.0.0.0/0 [1/0] via 10.1.1.3

From this output we can see how the routing table functions. For each network/subnet that the router has learnt about there is an entry telling the router where to send a packet destined for that network. This destination can be either the IP address of the next router in the path, or the outgoing interface ID. There is also a priority given to each entry, used for deciding which entry to use if a route is added twice due to multiple paths to the same destination network.

The three methods that can add entries to the routing table are: connected networks (added automatically), statically added routes, and routes learnt through routing protocols. In terms of default priorities, connected beats static, which in turn beats those learnt through protocols (where in general from highest to lowest we have BGP, EIGRP, OSPF, IS-IS and RIP). The last entry in the table above is a special case static entry, often known as the "default route". This route of "0.0.0.0 0.0.0.0" will catch any packet that does not match any other entry in the routing table and forward it to a next hop address. This is commonly used to route packets destined for the internet, so rather than your company router needing to learn the route to every address on the internet, it only knows about internal company addresses. Anything else is caught by the default route and passed to the ISP to deal with. This drastically cuts down the size of routing tables and is what allows the internet to function.

However, once added, the function is the same: as packets enter the router the destination address will be read and checked against the routing table to determine the next step, and the packet is then forwarded out of the destination interface. Now although some routers do build up a "map" of the network segment they are part of, once a router has passed a packet on to an upstream router it has no influence on what then happens to that packet. So it is important that all routers in the path have valid routes, and that failures in the network can be notified to downstream routers, so they can route packets around network issues. This is where the routing protocols come into the picture!
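As an added illustration (not part of the original post), here is the lookup just described carried out in Python against a constructed copy of the show ip route output above: the parser reads each entry (including the classful "is subnetted" header lines, whose mask the indented child entries inherit) and a lookup picks the longest matching prefix, falling back to the 0.0.0.0/0 default route.

```python
import re
import ipaddress

# Constructed copy of the "show ip route" output discussed in the post
SHOW_IP_ROUTE = """\
171.68.0.0/24 is subnetted, 3 subnets
S       171.68.1.0 [1/0] via 171.68.192.201
S       171.68.16.0 [1/0] via 172.16.191.254
C       171.68.192.0 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
S       172.16.88.0/24 [1/0] via 172.16.191.254
C       172.16.191.252/30 is directly connected, Serial2/0
D    192.168.80.0/24 [90/156160] via 171.68.192.201, 00:00:07, FastEthernet0/0
D    192.168.90.0/24 [90/156160] via 171.68.192.201, 00:00:08, FastEthernet0/0
S   0.0.0.0/0 [1/0] via 10.1.1.3
"""

# "171.68.0.0/24 is subnetted, 3 subnets": a classful parent whose /24 is
# inherited by the child entries below it that carry no explicit prefix length
HEADER_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+/(\d+) is (?:variably )?subnetted")

# One route entry: code, prefix, optional [AD/metric], then the next hop
# (an IP address after "via", or the outgoing interface for connected routes)
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]+)\s+(?P<net>\d+\.\d+\.\d+\.\d+)(?:/(?P<plen>\d+))?"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?\s+"
    r"(?:via (?P<via>\d+\.\d+\.\d+\.\d+)|is directly connected, (?P<iface>\S+))"
)


def parse_routes(text):
    """Return a list of route dicts parsed from show ip route text."""
    routes = []
    inherited_plen = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            inherited_plen = int(header.group(1))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue  # legend, blank lines, "Gateway of last resort" etc.
        plen = int(m.group("plen")) if m.group("plen") else inherited_plen
        if plen is None:
            continue  # no mask information available for this entry
        routes.append({
            "code": m.group("code"),
            "network": ipaddress.ip_network(f"{m.group('net')}/{plen}", strict=False),
            "ad": int(m.group("ad")) if m.group("ad") else 0,
            "metric": int(m.group("metric")) if m.group("metric") else 0,
            "next_hop": m.group("via") or m.group("iface"),
        })
    return routes


def lookup(routes, destination):
    """Longest-prefix match: the most specific entry containing the address wins."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None  # no route, not even a default: the packet is dropped
    return max(matches, key=lambda r: r["network"].prefixlen)


ROUTES = parse_routes(SHOW_IP_ROUTE)


def next_hop(destination, routes=ROUTES):
    """Where would this router forward a packet for the given destination?"""
    route = lookup(routes, destination)
    return route["next_hop"] if route else None


if __name__ == "__main__":
    for dst in ("192.168.80.5", "171.68.192.10", "172.16.191.253", "8.8.8.8"):
        route = lookup(ROUTES, dst)
        print(f"{dst:16} -> {str(route['network']):20} via {route['next_hop']}")
```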

In an ideal world we would not have to add any static routes; we would simply configure IP addresses on interfaces, enable routing protocols and the routers would teach each other how to reach all the networks. And in fact in many cases this is how it works. Once the interfaces are set up, a routing protocol is enabled and you simply have to configure which networks you wish to advertise using this protocol and to which neighbouring routers you wish to send the adverts. The configuration and exact method may change between the different routing protocols, but the fundamentals are the same: what do you want to advertise and who do you want to advertise it to. Of course there is far more to it than simply this, and we cover it in more depth later in the course. But for now we just want to get a fundamental picture of the whys and the hows of routing.

I know once again this is really a bit of revision from CCNA material, but I think it is good to once in a while return to the basics, if you make sure you are clear in your head about them, then later on they can be built on to form the more complex topics. But no matter how complex things get, these fundamentals of what routing is and why we use routing protocols will always hold true.

In the next episode of CCNP ROUTE we shall be looking in more detail at the two main types of routing protocols (link state and distance vector), and why we may choose one over the other.

Meanwhile you may want to take a look at CISCO Routing Basic. As well as this one document I would recommend you add a bookmark to the handbook as a whole; there is lots of useful info there.

Off to do a bit more study now. 🙂

DevilWAH

A bit of humour.

Just a little bit of light humour borrowed from Futility Closet.

Never play a gorilla at golf. 😉

This guy takes a gorilla out golfing. At the first tee the gorilla says, “So what am I supposed to do?” The guy says, “You see that green area about 400 yards from here? You’re supposed to hit the ball onto that.” So the gorilla takes a club and whacks the ball and it soars up into the sky and drops down neatly on the green. The guy tees off and makes about 150 yards, so he hits an iron shot and then another iron shot and finally they arrive at the green. The gorilla says, “What do I do now?” The guy says, “Now you hit it into that cup.” The gorilla says, “Why didn’t you tell me that back there?”

DevilWAH

CCNP Route (Part 1, Subnetting Refresh)

OK, back from a weekend away with wife and daughter, and before I get into CCNP can I just say 4-month-old babies are hard work. In the end she cried so much for her own bed we came home. Thankfully the beach is only an hour's drive away, and as we were going to stay at the family owned bungalow, it just meant we came home and went back again the next day… She can never say I never do anything for her :). All in all though a lovely weekend; babies might be hard work but walking on the beach and her face as she saw the waves was great. 🙂 Makes me think I should post some pictures of her some time..

But now back to CCNP ROUTE.

I thought before I get into the real core parts I would do a quick recap of subnetting. I know this is CCNP and really subnetting should be out of the way by the CCNA, but I thought there was no harm in covering it again briefly.

Now in my view, although there are many different "quick" methods to make subnetting "easy", the best way to learn is the long hand method. This will teach you what subnetting is and how it works. Once you can subnet the long way without problems, then the "quick" methods will make more sense and become useful. Also, of all of them, I think the long method is the most logical and "simple" to learn. So let's go for it.

First you need to know what class of network you are working with. (If you just want to know the number of hosts and the network and broadcast addresses of a network when given an IP address and subnet mask, then you can ignore this step.) This step is important when you need to know the number of possible sub-networks you can create, or that will be available, using a given subnet mask.

I would always start by writing out the class subnet mask in binary, so:

CLASS A = 1 1 1 1 1 1 1 1 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0

CLASS B = 1 1 1 1 1 1 1 1 . 1 1 1 1 1 1 1 1 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0

CLASS C = 1 1 1 1 1 1 1 1 . 1 1 1 1 1 1 1 1 . 1 1 1 1 1 1 1 1 . 0 0 0 0 0 0 0 0

For the next steps we can discard any octet that contains only "1"s; as these can't change, any subnetting we do cannot affect them.

We now need to decide what is important: the number of hosts in the subnet or the number of networks we want to create. One very important thing to remember here is that when creating a network with a specific number of host IP addresses, some of these are not usable by hosts placed in that subnet. These are the first IP in the range, as this will become the network address and is used along with the subnet mask to identify a network, and the last IP address in the range, which will become the broadcast address of the network. (It is common practice to state the available host addresses in a given network as the IP address range minus 2.)

Let's start with an easy example by splitting up the Class C network 192.168.10.0 into 4 equal networks.

To begin with I would always suggest you write out the octet(s) you are interested in with the decimal and binary equivalents. As I said, we can ignore the octets that are all 1's from the class mask, so all we need is the last octet, which in this case is all 0's.

Decimal = 128 . 64 . 32 . 16 . 8 . 4 . 2 . 1

Binary  =   0 .  0 .  0 .  0 . 0 . 0 . 0 . 0

As we want 4 subnets we first need to work out what binary number we can use that gives us the closest to 4. The subnet bits must be a continuous run of 1's, so either 1, 11, 111, 1111, 11111, 111111, 1111111 or 11111111. Remembering that binary counting starts at 0, the number of values each of these can represent is 2, 4, 8, 16, 32, 64, 128, 256. Wanting 4, we can choose the second one from above, which is 11.

So now we can put it all together, remembering network bits take the left hand positions and host bits take the right hand positions, and that in the case of subnets, where there is a 1 in the mask the bit in the IP address can't change and where there is a 0 it can. The next step is to write out the subnet mask and the possible subnets that can go with it. Here we will write all 4 octets, but as you will see the first 3 will not change due to the class address. The first three octets of the mask come from the original Class mask, and the first two bits of the last octet are the two bits we have borrowed. Feel free to convert 11000000 from binary to decimal to see how we get the 192 for the subnet mask.

Subnet Decimal = 255 . 255 . 255 . 192

Subnet Binary = 11111111 . 11111111 . 11111111 . 11000000

IP address Decimal = 192 . 168 . 10 . 0

IP Binary = 11000000 . 10101000 . 00001010 . 00000000

Now a subnet mask octet of 255 means that none of that octet can change, and the 11000000 will give us four possibilities for the last octet.

Network A = 11000000 . 10101000 . 00001010 . 00000000

Network B = 11000000 . 10101000 . 00001010 . 01000000

Network C = 11000000 . 10101000 . 00001010 . 10000000

Network D = 11000000 . 10101000 . 00001010 . 11000000

So taking network C we can convert it back to decimal and, pairing it with the new subnet mask we have created, we can start working out the range of IP addresses that will fall into this network.

Network Binary = 11000000 . 10101000 . 00001010 . 10000000

Subnet Binary  = 11111111 . 11111111 . 11111111 . 11000000

Remember, where there is a 1 in the subnet mask the value in the IP address can't change. So from this we can work out the range. The bottom value is the network address we have just written above, with a 4th octet of 10000000, and the top value will be 10111111. Or in decimal, 128 to 191.

So all together we have:

Network address = 192.168.10.128

Subnet mask = 255.255.255.192

Broadcast address = 192.168.10.191

And the possible host addresses are 192.168.10.129 through to 192.168.10.190, which is 62 in total.

And that's subnetting. All you need to remember is that subnet mask octets can only be one of 8 values, 128, 192, 224, 240, 248, 252, 254, 255, and bits must always be borrowed from the left hand side.

If you are trying to get X number of networks or Y number of hosts, start by working out the closest match you can from the numbers 2, 4, 8, 16, 32, 64, 128, 256. If you can't get an exact match go up to the next highest (in the case of hosts remember to add 2 to accommodate the network and broadcast addresses). Once you have made your decision simply convert that number to binary, and the number of binary bits that produces is the number you need to "borrow": from the left for networks and from the right for hosts.
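The long hand method above, written out in Python as an added example (not part of the original post): it works either from the number of networks wanted (bits borrowed from the left) or from the number of hosts wanted (bits kept on the right, plus 2 for network and broadcast), and prints each subnet in the dotted binary form the post uses. The function and parameter names are my own.

```python
import math


def to_int(addr):
    """Dotted-decimal IPv4 address -> 32-bit integer."""
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(value):
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def to_binary(addr):
    """Dotted decimal -> dotted 8-bit binary groups, as written out in the post."""
    return ".".join(f"{int(o):08b}" for o in addr.split("."))


def bits_needed(count):
    """Smallest number of bits n with 2**n >= count (the 2, 4, 8 ... 256 table)."""
    return max(0, math.ceil(math.log2(count)))


def split_network(network, class_bits, subnets=None, hosts=None):
    """Split a classful network into equal subnets.

    class_bits: 8, 16 or 24 for a Class A, B or C network.
    subnets:    how many networks are wanted (bits borrowed from the left), or
    hosts:      how many usable hosts per subnet are wanted (bits kept on the right).
    """
    if subnets is not None:
        borrowed = bits_needed(subnets)
    elif hosts is not None:
        host_bits = bits_needed(hosts + 2)          # +2: network and broadcast
        borrowed = 32 - class_bits - host_bits
    else:
        raise ValueError("give either subnets= or hosts=")
    prefix = class_bits + borrowed
    if borrowed < 0 or prefix > 30:                  # need at least 2 host bits
        raise ValueError("request does not fit in this network class")
    class_mask = (0xFFFFFFFF << (32 - class_bits)) & 0xFFFFFFFF
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    base = to_int(network) & class_mask
    size = 1 << (32 - prefix)                        # addresses per subnet
    result = []
    for i in range(1 << borrowed):
        net = base + i * size
        result.append({
            "network": to_dotted(net),
            "mask": to_dotted(mask),
            "prefix": prefix,
            "first_host": to_dotted(net + 1),
            "last_host": to_dotted(net + size - 2),
            "broadcast": to_dotted(net + size - 1),
            "usable_hosts": size - 2,
        })
    return result


if __name__ == "__main__":
    # The post's example: Class C 192.168.10.0 split into 4 equal networks
    for letter, s in zip("ABCD", split_network("192.168.10.0", 24, subnets=4)):
        print(f"Network {letter} = {to_binary(s['network'])}  "
              f"{s['network']}/{s['prefix']} hosts {s['first_host']}-{s['last_host']} "
              f"broadcast {s['broadcast']} ({s['usable_hosts']} usable)")
```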

Below is a list of all the subnets that can be created from a Class C and Class B network. I find these are the most common ones you need, and this can be handy to have above your desk for quick reference.

Sub-netting made easy

Above Sheet in PDF Format

Well I hope that helps some people, and next it's on with EIGRP.

DevilWAH

Filtering your Logs

I came across this feature today and thought I would share it with you.

The standard way we are taught to set up logging for Cisco IOS devices is something along the lines of,

(config)#logging buffer 5
(config)#logging trap error

where you state where you want to log to, and then what level of messages you wish to log, in the range 0 to 7, with 0 the most critical and 7 debug messages.

This is all fine until you find you want to log a specific alert that is informational (level 6), but you don't want to log every level 6 event that happens. My example of this was that I wanted to log a specific ACL match but not link state or other notification level alerts (ACLs log at level 6 / informational by default).

Cisco in their wisdom have thought of this for us and given us the "discriminator" command to allow us to manage logging in more detail. The outline is that we can create a named "discriminator" that will filter out / capture events based on things like the facility, the mnemonics, a string within the msg-body, or the severity level. This can then be used in further logging statements to determine what happens to these messages. So let's have a quick example to see how it works. As I said, in my case it was an ACL I wanted to log from, so let's go for that.

First we can set up an access list with a logging statement in it and assign it to an interface:

(config)#ip access-list extended ACS_Critical
(config-ext-nacl)#permit udp any any eq bootps log
(config-ext-nacl)#permit ip any any
(config-ext-nacl)#exit
(config)#int vlan 888
(config-if)#ip address 192.168.5.254 255.255.255.0
(config-if)#ip access-group ACS_Critical in
(config-if)#exit

So we now have an access list that will log any DHCP traffic received coming in on the VLAN 888 interface. In my case VLAN 888 is a critical VLAN that client PCs will end up in if there are problems with network authorisation. So testing for DHCP traffic will let me know if the VLAN is being used and therefore if there is an authorisation issue (last line of checking).

As I said before though, ACLs log at level 6, but if you watch a switch you will see a lot of these messages appearing in the day to day running of the switch, and most of them you don't need to worry about. Generally I would only save to buffer and forward to a syslog server any level 5 (notification) or higher messages. But I do want to see the ones from this ACL…. We can set it up to do this as below:

(config)#logging trap 5
(config)#logging discriminator ACS msg-body includes ACS_Critical
(config)#logging host 192.168.5.50 discriminator ACS

The trap statement sets the default level for logging to the syslog server, the logging discriminator creates the discriminator called ACS and will filter incoming events for a message body containing ACS_Critical (the name of the access list), and we then apply this to the syslog host when we set it up. Now all the default level 5 - 0 events will be logged plus the specific ACL-generated ones.

A single host can have one discriminator assigned to it, but this can have multiple statements, and much like an access list these can allow or deny events to be passed; the commands are "includes" as used above, or "drops" to prevent a message getting logged. I find it especially useful for filtering logging to the syslog servers, as these log files can get huge if you are not careful.

Attached here is a CISCO document with more examples of setting this up.

Hope you found that interesting, and now I'm off to the seaside with wife and baby for a few days to fly my new kite 🙂 have a great weekend all.

DevilWAH

PS. I promise once I get back I will be getting on with my CCNP ROUTE posts as I said I would. It's just been a busy week that I will tell you all about soon. I have also been asked to set up a web server and a few other projects so time has been tight. But I have had time to do some reading. I think I will start off with a review of sub-netting before I hit the ROUTE core topics.

And now for some thing completely different…. (VBscript to show logged on users)

Now let me start by saying I am no scripting guru; in fact apart from a few batch files and a C++ course many years ago I am a novice. However I have an idea of how scripting / programming works and over the years have managed to throw together a few basic scripts.

I did not intend this blog to ever contain scripting (or at least not for a few years yet), but I came across this at work and thought others might find it useful. Now before we start, this is a rehash of others' work; links to their sites are at the bottom of the post and I would like to thank them for posting their work to the public.

The background to this is that I am currently working on a project to implement grid computing to process long running mathematical modelling jobs. The software, CONDOR, is a job scheduling application running on a server. The mathematicians break their jobs up into small chunks (maybe several hundred jobs in total), and the CONDOR server finds available desktop PCs that are inactive and sends the jobs to run on them. If you have used "folding at home" or "Boinc" you will have been the client in the same kind of system.

Now while CONDOR can use keyboard/mouse activity and CPU usage to decide if a computer is free to run jobs, there is no built in way to use the logged in status of the PC to control jobs. The idea is we want jobs to run when users log out of their PCs, but stop and be prevented from running once a user logs in. To do this I needed to create a script that could return a "True" or "False" result to the question "is anyone logged in to this computer".

My first idea was PsLoggedOn from Sysinternals; however this does not return a true/false value and would require wrapping up in a second script to parse the output. So I decided to search around for a VB script that could do it all in one step.

This led me to the following code:

strComputer = "servername"   ' use "." for the local computer

' Connect to the WMI service on the target computer
Set objWMI = GetObject("winmgmts:" _
              & "{impersonationLevel=impersonate}!\\" _
              & strComputer & "\root\cimv2")

' LogonType 10 = RemoteInteractive (RDP / Terminal Services) sessions
Set colSessions = objWMI.ExecQuery _
    ("Select * from Win32_LogonSession Where LogonType = 10")

If colSessions.Count = 0 Then
   Wscript.Echo "No interactive users found"
Else
   WScript.Echo "RDP Sessions:"
   For Each objSession in colSessions
     ' Look up the user account associated with each logon session
     Set colList = objWMI.ExecQuery("Associators of " _
         & "{Win32_LogonSession.LogonId=" & objSession.LogonId & "} " _
         & "Where AssocClass=Win32_LoggedOnUser Role=Dependent" )
     For Each objItem in colList
       WScript.Echo "Username: " & objItem.Name & " FullName: " & objItem.FullName
     Next
   Next
End If

Not exactly what I need, but at least it will find and display the logged in users, so it seems a good starting place and easy to tidy up.

First of all we don't want it to tell us a list of users, just return a true or false statement. This is just a case of replacing Wscript.Echo "No interactive users found" with Wscript.Echo "False", and replacing the whole of the code under the Else statement with simply Wscript.Echo "True".

Secondly, this script uses the statement "LogonType = 10"; from windowsecurity.com we can see that this will give us remote connections. As we want local logged on users we need to replace that with "LogonType = 2", ending up with the revised code below.

strComputer = "."   ' use "." for the local computer
Set objWMI = GetObject("winmgmts:" _
           & "{impersonationLevel=impersonate}!\\" _
           & strComputer & "\root\cimv2")
' LogonType 2 = Interactive (console) logons
Set colSessions = objWMI.ExecQuery _
  ("Select * from Win32_LogonSession Where LogonType = 2")

If colSessions.Count = 0 Then
  Wscript.Echo "False"
Else
  WScript.Echo "True"
End If

Oh, and notice we needed to replace the servername with "." as suggested. Save this as a .vbs file and run it, and a pop-up box will display "True" (after all, you are logged on to the PC 😉 ).

And that was my script done..

Apart from the fact that for it to work in CONDOR I needed it to be able to return output to stdout, which requires it to be running under cscript.exe (cscript is the command line host, wscript interacts with Windows; in this script one will output to the command line, the other will pop up the same output in a small window). Now there are several ways to do this: simply run it from the command line by calling it as cscript.exe script.vbs, or wrap it up in a batch file. However I came across a nice little trick to enable the script to check if it is run under cscript and if not switch to cscript.

Public objShell : Set objShell = CreateObject("WScript.Shell")
' If not already running under cscript.exe, relaunch this script under it and exit
If Instr(1, WScript.FullName, "CScript", vbTextCompare) = 0 Then
    objShell.Run "cscript " & chr(34) & WScript.ScriptFullName & chr(34) & " //Nologo", 0, False
    WScript.Quit
End If

Simply paste this code above the main script. I also updated the Wscript.Echo to be

Set objStdOut = WScript.StdOut
  objStdOut.Write "UserLoggedIn = True"

for CONDOR reasons, and we end up with the complete code below.

Public objShell : Set objShell = CreateObject("WScript.Shell")
' If not already running under cscript.exe, relaunch this script under it and exit
If Instr(1, WScript.FullName, "CScript", vbTextCompare) = 0 Then
    objShell.Run "cscript " & chr(34) & WScript.ScriptFullName & chr(34) & " //Nologo", 0, False
    WScript.Quit
End If

strComputer = "."   ' use "." for the local computer
Set objWMI = GetObject("winmgmts:" _
           & "{impersonationLevel=impersonate}!\\" _
           & strComputer & "\root\cimv2")
' LogonType 2 = Interactive (console) logons
Set colSessions = objWMI.ExecQuery _
  ("Select * from Win32_LogonSession Where LogonType = 2")

' Write the result to stdout in the form CONDOR expects
Set objStdOut = WScript.StdOut
If colSessions.Count = 0 Then
  objStdOut.Write "UserLoggedIn = False"
Else
  objStdOut.Write "UserLoggedIn = True"
End If

Now run that and however you start it, if you don't use cscript.exe it will resubmit itself using cscript.exe and output the result to stdout.

Now by playing around with the LogonType and other bits of this code we could make it quite useful; it will return the logged on status of a remote machine if you replace the "." with a valid remote computer name.

Well I hope that may be useful to some, and my thanks go to those who came before me and provided the foundations. Please visit their sites to see many other great scripting examples.

VBScript – How to show logged on users?

Force Cscript

DevilWAH

Download PDF Articles

Just a small update on changes to the blog today. Got things to get ready for tomorrow so busy with that, but had a few moments to play with some bits and pieces.

First off, I have restructured the Links in the menu bar. Now rather than being a page of typed links I am using the WP Render Blogroll Links plugin. A great plugin that renders the pages for me from the Link Categories in WordPress. Hopefully this should make adding links much quicker in future.

And the second plugin I have added is PDF24 Article To PDF. You will now find a small button at the bottom of the posts and pages to download them as a PDF file. I am hoping that once I have got into the ROUTE studying fully (I'm actually going through the redistribution part of it now) and I am posting material, people will find being able to save a copy off-line useful. Remember this blog site runs on an old Dell Optiplex desktop so it may take a few seconds to generate the PDF for you.

Now back to Route redistribution for me 😉

DevilWAH

Visiting the Outside from the Inside (or DNS re-writing)

For a while now I have had an idea in the back of my head to sort out a long standing issue. However, because this has been an issue on a secondary network, and only affected myself (and I had an easy workaround, as you will see), I have not pressed too hard to find the solution. However I had promised myself that after my exam last week I would sit down and sort it out once and for all.

So here's the situation: on a small network you have a client in one network, a web server in a second subnet and a single router acting as the Internet gateway router, the firewall and handling all internal routing. Now this web server is of course accessible to the outside world, as many web servers are. However the domain name of the web server is not a domain I have control over. It is in fact a mirror of a 3rd party website, so they deal with all the DNS settings.

Fig.1

So of course the first thing to do is ensure that outside users can connect in to the web server, and the internal clients can connect to the internet. So we require a basic NAT/PAT set up. Something along the lines of:

!
! First we set up the interfaces with their IP addresses and determine if they are
! inside or outside for NAT
!
(config)#int Dialer 1
(config-if)#description ## Internet link #
(config-if)#ip address 82.62.42.22 255.255.255.252
(config-if)#ip nat outside
!
!
(config)#int F0/0
(config-if)#description ## Client network #
(config-if)#ip address 192.168.10.254 255.255.255.0
(config-if)#ip nat inside
!
!
(config)#int F0/1
(config-if)#description ## Web Servers #
(config-if)#ip address 172.16.10.254 255.255.255.0
(config-if)#ip nat inside
!
! Next we set up a list of IP addresses to be NATed from inside to outside
!
(config)#ip access-list standard NAT_IPs
(config-std-nacl)#permit 192.168.10.0 0.0.0.255
(config-std-nacl)#exit
!
!
! Now set up the client NATing to allow internet access for the clients and a
! static port forward, so all packets coming in on the external IP address
! to port 80 get directed to the internal server.
!
!
(config)#ip nat inside source list NAT_IPs interface Dialer 1 overload
(config)#ip nat inside source static tcp 172.16.10.30 80 82.62.42.22 80 extendable
!
!


So far all straightforward. Outside users can get to the web server and inside clients can use the internet (assuming firewall rules and so forth allow it). But what happens if the inside client tries to go to the web address Mirror3.companyX.com? Well, if we assume you have not set up an internal DNS zone for companyX.com, then the internal client will use CompanyX's DNS server to resolve the name to the external IP address of the network, 82.62.42.22, just as an outside user would. This creates a problem: due to how the router orders the steps of NAT and routing, it will not correctly forward the packets between the client and the server. Instead you will end up with a host unreachable error (if you want more detail on what is happening please comment and I will add it in). So how can you allow the internal hosts to browse the web server then?

Well, you have 4 solutions (OK, I am sure there are more 😉 but these are the main ones).

1. Simply point the client web browser at the internal IP address of the server. As I was almost the only person who ever needed to get to the server from the inside, this is the method I have been using up until now. However this does not scale well, and neither is it pretty, so I knew there had to be a better way.

2. You could set up a DNS zone for companyX.com with a record for mirror3.companyx.com using its internal IP address. By pointing your internal clients to this DNS server they would pick up a routable IP and browse the site. This is a standard method of DNS, and in many cases would be the preferred solution. However in this case it means setting up a zone for a name you do not own. You also have to be careful to ensure the inside clients can still resolve the mirror1 and mirror2 IP addresses. Without careful planning this can get messy, especially if you have multiple mirrored servers from multiple domains.

3. Carry out NAT hairpinning. This was originally my first choice, and I do intend to come back to this as there are benefits to this method, but as I will cover there are also some issues with it. As I mentioned above, trying to use the outside IP address of the server from the inside client results in issues to do with routing and NAT translations: because the packets aren't passing between the inside and the outside, the router can't carry out the correct NAT translations. However, with a bit of clever configuration, using a loopback interface assigned as NAT outside, multiple NAT statements and a static route, you can get the router to pass the packet twice through the NAT process and have it routed correctly. While this is a nice solution, it has the issue of huge CPU overhead for the router. Routing and NAT have to be carried out in software with this method, meaning that apart from cases where there is very low traffic you need to be very careful if you implement this. (As I mentioned, I will be covering how to set this up in a later post.)

4. DNS re-writes! There is a not very well documented but very useful feature of NAT, called DNS re-writing, which does exactly what it says and is enabled by default. DNS response packets are inspected by the router, and any payload IP address matching a NAT statement gets re-written. However this will not work on PAT statements, only on pure one-to-one NAT. So the configuration above will NOT invoke this feature as it is. To get it working we need to add one more command.

!
!
(config)#ip nat inside source static 172.16.10.30 82.62.42.22 extendable
!
!


Now with this command added, the router will replace the address 82.62.42.22 in any DNS response coming in from outside the network with the internal IP address 172.16.10.30. Now both the external users and the internal clients can use the same DNS server to resolve the address, and each will end up with the correct (but different) IP address to be able to contact the web server.

To me solution 4 seems to be the neatest. Both companies keep full control of their networks and DNS settings, and there is much less overhead for the router to worry about. However, note two issues.

First, we can still use PAT mappings alongside the one-to-one mapping between the external and internal addresses. So for instance where above we have a mapping set up "(config)#ip nat inside source static tcp 172.16.10.30 80 82.62.42.22 80 extendable", we could also have another mapping such as "(config)#ip nat inside source static tcp 172.16.10.40 22 82.62.42.22 22 extendable", where SSH traffic goes to 172.16.10.40 and HTTP goes to 172.16.10.30. However any DNS response will be re-written using the plain one-to-one NAT mapping, so in our set up it will always be replaced with the 172.16.10.30 address. So you need to be aware of this and plan for it.
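As an added example (not the author's configuration or Cisco's code), here is a small Python model of the rewrite rule described in the two paragraphs above: it builds a DNS reply for mirror3.companyx.com answering 82.62.42.22, then applies the DNS ALG logic, which substitutes the inside address only when a one-to-one static mapping exists and ignores the static PAT entries, so the SSH forward to 172.16.10.40 never influences the answer. The NAT table, the constructed reply and all function names are assumptions made for this example.

```python
import ipaddress
import struct

# Constructed NAT table mirroring the page's config: (inside, outside, port).
# A port number marks a static PAT entry; None marks plain one-to-one NAT.
STATIC_NAT = [("172.16.10.30", "82.62.42.22", 80),    # HTTP port forward
              ("172.16.10.40", "82.62.42.22", 22),    # SSH port forward (caveat)
              ("172.16.10.30", "82.62.42.22", None)]  # the added one-to-one mapping

def rewrite_target(outside_ip, table=STATIC_NAT):
    """Inside address the DNS ALG substitutes for outside_ip, or None when
    only PAT entries match (those never trigger a rewrite)."""
    for inside, outside, port in table:
        if port is None and outside == outside_ip:
            return inside
    return None

def _skip_name(pkt, off):
    """Advance past a DNS name: label sequence or 2-byte compression pointer."""
    while pkt[off] != 0 and pkt[off] & 0xC0 != 0xC0:
        off += 1 + pkt[off]
    return off + (2 if pkt[off] & 0xC0 == 0xC0 else 1)

def build_response(name, ip):
    """Constructed DNS reply: one question plus one A record (TTL 60) for name."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # id, flags, section counts
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer

def dns_alg(pkt, table=STATIC_NAT):
    """Apply the rewrite rule to a reply heading inside; returns (packet, rewrites)."""
    buf = bytearray(pkt)
    qd, an = struct.unpack("!HH", buf[4:8])
    off, rewrites = 12, []
    for _ in range(qd):
        off = _skip_name(buf, off) + 4           # QNAME, then QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(buf, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # IPv4 A record payload
            outside = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            inside = rewrite_target(outside, table)
            if inside:
                buf[off:off + 4] = ipaddress.IPv4Address(inside).packed
                rewrites.append((outside, inside))
        off += rdlen
    return bytes(buf), rewrites
```

Dropping the one-to-one entry from STATIC_NAT reproduces the page's first configuration, where the reply passes through untouched.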

Second, by using a one-to-one NAT statement, all incoming traffic to 82.62.42.22 on any port will be translated through NAT to 172.16.10.30, not just port 80. So you should ensure that either an ACL or a firewall is blocking all traffic apart from what you want to come through.

So none are perfect, but like with everything in networking, you choose the one that fits best. And if you can't find one, then you're not looking hard enough. Or maybe you just need to invent a new method 😉

DevilWAH

CCNP Route

Well, I officially started my ROUTE studies last night. 🙂 Back when I started this blog I was already well into my study of the SWITCH material, and likewise creating the Flashcard pack I made up with Anki was a rushed job as I went over the material. So I know neither the blog nor the cards are really suitable for anyone but me to use for studying. However for the ROUTE I want to do things correctly, even if this means it takes me a little longer to achieve. I hope (and please let me know if I don't) to post around two or three lab based posts for each of the major areas of the ROUTE material, including EIGRP, OSPF, IPv4, BGP, Redistribution and IPv6. These will be tagged in a category with a quick link on the menu bar for easy access. I also will be attempting to make a much better set of flash cards this time round, that are more suitable for use as a revision / memory aid. I hope combined these will make useful additional materials for people studying for their ROUTE exam.

Of course alongside the ROUTE posts, I will also be trying to keep up with other interesting things I come across both inside and outside of IT. We shall have to see how things go. But I hope over the next few months I can really start to fill out this blog and produce something that other people will find useful. After all, half the fun in learning things is to be able to pass it on to others.

On a side note I came across this today, EIGRP disabled by default. This is interesting for two reasons. The first of course being that it is nice to see CISCO have listened and have set the default to what 95% of us have to manually set it to anyway :). And secondly this comes from www.tekcert.com, which is a new blog that Jeremy Cioara of CBT Nuggets fame is now posting on along with a fellow IT tech guru Adam. Another site to add to the favourites bar; don't worry if you forget, it will be in the links above. 😉

DevilWAH

SDM in LINUX (Wine)

OK, leaving CCNP SWITCH aside for a bit, I finally got around to setting up Linux to allow me to run SDM.

I should point out that I am not a great fan of SDM, but I do run the IOS based firewall on one of my small networks. And while I am happy to change the config of policies from the command line, it can be hard to visualise what is going on in 600+ lines of config. So I do fall back to it every now and then.

On the above network I have 100% Linux machines, including those sitting in the management subnet. So up until now if I wanted to run SDM I had to get out a Windows laptop and plug it in, so for a while I have been looking at how I could get this up and running.

There is no Linux SDM version, but you can install SDM either on the PC or on the router. According to CISCO, as long as the web browser has JavaScript enabled, then if you use the version installed on the router it will work. However, despite 2 different versions of Firefox, Google Chrome, and numerous attempts with Java versions, trying this way would always hang at the same point on all three of the PCs I tried it from. I also don't really like the idea of running SDM from the router; it takes up space and resources and is another thing to go wrong.

So the alternative was to attempt to run SDM from within Linux. You will read on the web that CISCO SDM is a Java based HTML application, and so in theory you can simply copy the install files across from Windows to Linux, move a few files around, and then open up your web browser and point it to the "launcher.html" file you will find in the install directory. However my attempt at this again proved unsuccessful. (I am not sure if this was due to an incorrect Java version; I did try with a few, but SDM is very fussy with Java and Linux is not so happy with multiple Java versions.) (See here for instructions for this method.)

So I decided to go the whole hog and experiment with WINE. Wine, for those of you who don't know, is a platform that allows you to run native Windows applications within Linux. I like to think of it as a Windows emulator, however some purists will tell you this is not quite correct. But whatever, it will allow you to run many Windows applications on Linux, and while some people may rebel at the idea of that, I am more of the opinion that if it works and gets the job done, then I don't really have a problem.

So setting it all up.

The first thing to do is add the Wine repository (ppa:ubuntu-wine/ppa) to your distribution. In Ubuntu this can either be done using the option settings in the graphical package manager software, or by running the following command.

sudo add-apt-repository ppa:ubuntu-wine/ppa

Then update the repository cache ("sudo apt-get update" from the command line).

If you are running the GUI package manager, search for wine and tick the wine1.2 install (at time of writing this is the current stable version; you should pick the latest stable), or from the CLI type

sudo apt-get install wine1.2

Wine will now be installed.

You now need to get hold of CISCO SDM, Firefox 3.5 (it must be 3.5; this will not work with version 3.6 due to Java issues), and a copy of Java 6 update 11 (make sure it is this exact version, SDM is very, very picky).

Once you have downloaded them all, you can simply open them in the GUI. You may get an error saying that they are not executable files: Linux by default will not allow a file to be executed unless it has been set to be allowed. If you get this message simply right click, go to the properties and tick the execute box under the permissions tab. You can also run "sudo chmod +x <filename>" to achieve the same.

You should now be able to run the setup and follow the install exactly as you would under Windows. Once you have installed all three, check you can open Firefox. You can find this either up in the application menu under

Wine >> wine applications >> firefox

Or you should have a shortcut on the desktop (you may need to make this shortcut executable as above).

You will also have an SDM shortcut on the desktop, however this will bring up the WINE IE browser which does not work, so you can't use this directly.

Instead open up the Firefox you have just installed, and in the address bar type "c:" and hit "return" / click go. This will bring up a folder list for the Wine created Windows file system. Open "Program Files" >> cisco systems >> SDM >> common files >> common files. Here you will find a file called Launcher.html which you want to open (I would also suggest adding this as a shortcut).

And there you are, CISCO SDM will now function as in Windows, pop up boxes and all. You can even create a desktop icon that will pass the file above to Firefox if you wish.

Hope that's of some help to people. If I get it running completely natively without the need for WINE I will be sure to let you know.

DevilWAH