In an ideal world, we would not have to deal with IP address overlap. However, there are many factors that may require us to do so, including acquisitions, mergers and partner relationships. When the need to address overlap is combined with the complexity of IOS VPN, a seemingly simple solution can start to look impossible.
This article demonstrates the use of source NAT on two branch routers in order to address this challenge of IP overlap. The diagram below is used as a reference throughout this article, and the key configuration concepts will be applied on R1 and R3. It is worth noting that this requires access to both routers. In some cases the routers may be under the administrative control of two different parties. In those cases, the parties would have to work together. Alternatively, one party could perform both source and destination NAT on a single IOS platform.
One crucial point for understanding this is how NAT and crypto relate to each other in terms of the order of packet processing. Cisco has a good document entitled NAT Order of Operation that addresses this comprehensively. As outlined in the document, processing happens in the following order.
Traditions are different all around the globe, but today is the day that we Americans eat even more and give thanks for our many blessings and opportunities. I wanted to reach out to the PacketU readers and thank each and every one for their support and interactions throughout the year. For those that happen to be in the USA, I also want to wish them a happy Thanksgiving holiday as well.
Over the past few months I’ve started noticing more and more concern about software defined networking and its effect on networking careers. My personal belief is that those of us choosing a career in technology must realize that we chose a path of continual change. Software Defined Networking, or SDN, is part of this process of change and will certainly have an impact on networking.
The concern most seem to have is the elimination of networking jobs. I believe that we will be able to do more with less, but I still suspect there will be plenty of work for well qualified individuals. An example I usually give revolves around virtualization in the server space. Although this has drastically increased the server to administrator ratio, good server administrators are still in demand.
This article outlines a few of the resources I’ve stumbled on that may help individuals get started with software defined networking. Getting ahead of the curve allows us to educate ourselves and prepare for coming changes.
Last week I took the Cisco exam 642-832, also known as TSHOOT. This is typically taken as the last exam in the CCNP Routing and Switching certification process. Although somewhat confined by the NDA, I wanted to share what I could about my experience.
This exam is unique when compared to other Cisco exams. As its name suggests, it is focused on troubleshooting. As is publicly known, the majority of the exam consists of what it calls Trouble Tickets.
The best way to describe these trouble tickets is with a demonstration. As a way to help learners understand what to expect, Cisco created a TSHOOT demo that can be found here.
My recommendations for this exam aren’t that much different from my recommendations for other Cisco exams. Candidates should consider the following throughout their learning and testing process.
I wanted to take just a moment to congratulate my friend Chandan Singh Takuli on his recent achievement. He reached out to me earlier this week and told me that he had passed his voice lab and was now CCIE 41344. I first met Chandan on the Cisco Learning Network where he regularly participates and helps others in their learning and certification endeavors. If you would also like to congratulate Mr. Takuli, you can respond below or reach out to him in this thread on the Cisco Learning Network.
Congrats, my friend.
Most technicians learn about the process of mapping an IP address to a MAC address. This process, known as ARP, is a layer 2 process that allows the Internet Protocol to function over Ethernet. What isn’t always well known and understood is a process called proxy ARP. Although proxy ARP is often enabled by default on routers, its use is typically unintentional.
Before we get into exactly what proxy ARP is, we should probably describe what it isn’t. First, it doesn’t relay ARP requests to a remote network. It also doesn’t allow a router to route an ARP request. Proxy ARP, on the other hand, DOES allow a router to respond to ARP requests for IP addresses that match routes in its routing table.
The most common use case of a proxy ARP request is a misconfigured subnet mask on a given host. Additionally, some hosts with very simple IP stacks may function by depending on the proxy ARP process. IOS based routers respond to proxy ARP requests by default. The result is that the host sends the traffic to the gateway by forwarding it to the gateway’s MAC address.
In A Simplified View of Proxy Arp, we looked conceptually at the function of this layer two process. Its use, typically found in what many consider a broken network, raises some concerns, and it should typically be disabled. In many cases, network administrators don’t even realize it is being used. Hosts that depend on this feature are typically discovered only when a security-conscious administrator disables it.
This article takes a deeper dive into proxy ARP and looks at the issues that can occur when it is disabled. An IOS router can be instructed to act as a host that sends proxy ARP requests. Additionally, routers typically respond to these proxy ARP requests by default. These factors make the process easy to demonstrate.
Those entering the networking field are bombarded with new terms, acronyms and concepts. Many concepts are obviously unique. Others seem to be ambiguous. At first, the concept of routing and routed protocol might seem to be overlapping. However, these are two separate terms that represent separate, but related, concepts.
This article is an attempt to disambiguate these terms. Understanding their relationship will enable more concise communication when discussing concepts and issues with colleagues. Below is a visual overview of these terms.
As indicated in the visual, routed protocols go THROUGH the network. Their packets may also be termed transit packets. Each packet has some type of header information. These headers follow the rules of their respective protocols. Examples are IPv4, IPv6, AppleTalk and IPX. Currently, IPv4 and IPv6 are the routed protocols that are commonly used.
To enable the routing of routed protocols, routers need to know where all of the possible destinations are. An administrator could manually program each router to include all of the possible destinations. However, this would not be a dynamic or scalable solution. To answer these concerns, routing protocols were developed.
Routing protocols allow routers to share their knowledge of networks with one another. Routers automatically know about their directly connected networks. These directly connected networks are then shared with neighboring routers via a routing protocol. In addition, routers also share the knowledge of the routes learned from their neighbors. Examples of routing protocols are EIGRP, RIP, OSPF and BGP.
I wanted to give a shout out to the TAC Security Podcast Team for covering OnePK, ONE and VIRL in show 38. These are a few of the components that make up Cisco’s strategy around software defined networking. As it relates to SDN, actionable information is still a bit sparse. I’m really hoping that the release of Cisco Modeling Labs (CML), formerly known as VIRL, creates a playground for those interested in thinking outside the [proverbial] box.
The TAC Security Podcast can be found by following the link below.
TAC Security Podcast – Show Information and Episode Listing
The ASA appliance is a very popular choice for the branch office environment. It provides flexible security and is a good termination point for a VPN connection back to a headquarters location. One challenge that technicians often run into is the inability to manage the ASA across the VPN. While some may choose to connect to the outside interface, this creates some additional challenges. This article looks at a couple of commands that allow VPN-based communications to and from the ASA’s inside interface.
In this article we will examine a VPN connection to an ASA appliance. We will use the inside interface of the ASA as a termination point for management traffic that transits the VPN. Use cases for this include SSH, SNMP and RADIUS for centralized authentication.
This article assumes an already configured VPN between the two locations. The starting configuration used is as follows.
Sometimes odd things catch my attention. One thing that occurred to me is that packets are typically represented vertically, while frames are diagrammed horizontally. So if anyone ever asks about the differences between a frame and a packet, you now have two answers. Technically a frame is layer 2 while a packet is layer 3. Additionally, a frame is short and fat.
A typical challenge that needs to be addressed in the access layer is that of providing a redundant default gateway. This is typically accomplished with something known as a First Hop Resolution Protocol, or FHRP. A common, but proprietary FHRP is the Hot Standby Router Protocol. This solution, also known by the acronym HSRP, is often deployed in Cisco networks. This article serves as a brief introduction to HSRP, the problem it solves and a brief configuration.
The first thing that should be understood is what HSRP and other FHRPs are not. HSRP is not a routing protocol and solves a different problem than interior gateway protocols like OSPF, RIP or EIGRP. While HSRP provides redundancy to the network, it exists in the access layer and solves a specific problem. HSRP provides a redundant default gateway for network connected hosts.
If you think about it, hosts are typically configured with a single gateway. While this may be set via DHCP or statically, it needs to be reliable. HSRP allows a single IP address to be shared between two or more routers. One router will be active. This active router will respond to ARP requests for the shared address and forward packets from the hosts. If that router fails, the active role will be assumed by another router in the same broadcast domain. This allows greater uptime to be achieved for network connected hosts.
Basic HSRP configuration is quite simple. The configuration is performed using the “standby” command in interface configuration mode. Below is a simple configuration that allows the default gateway of 192.168.1.1 to be shared by two routers. RouterA will forward packets. Upon its failure, RouterB will assume the active role and continue forwarding packets.
RouterA:
  ip address 192.168.1.254 255.255.255.0
  standby 1 ip 192.168.1.1
  standby 1 priority 150
  standby 1 timers 1 3
  standby 1 preempt

RouterB:
  ip address 192.168.1.253 255.255.255.0
  standby 1 ip 192.168.1.1
  standby 1 timers 1 3
  standby 1 preempt
With this configuration, HSRP hello packets are sent every second. If the standby router goes for three seconds without seeing a hello from the active router, it will assume the active role. By configuring preemption on both devices and setting RouterA’s priority at 150 (the default is 100), RouterA should hold the active role whenever it is functioning.
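To make the failover behaviour of the configuration above concrete, here is an added example (not code from the post or from Cisco) that models the HSRP group 1 election for RouterA and RouterB: priority, the 3 second hold timer and preemption decide who is active as routers fail and recover. The model is a simplification (no preempt delay, no listen/speak state timing) and the event list is constructed.

```python
from dataclasses import dataclass

@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100    # IOS default priority
    preempt: bool = False  # IOS default: no preemption
    hold: int = 10         # seconds; IOS default hold time
    up: bool = True

def page_config():
    """The two routers from the configuration above (hello 1 s, hold 3 s)."""
    a = HsrpRouter("RouterA", "192.168.1.254", priority=150, preempt=True, hold=3)
    b = HsrpRouter("RouterB", "192.168.1.253", preempt=True, hold=3)
    return [a, b]

def elect_active(routers):
    """Highest priority among routers that are up wins; ties go to the
    higher interface IP address, as in HSRP.  Returns None if none are up."""
    live = [r for r in routers if r.up]
    if not live:
        return None
    return max(live, key=lambda r: (r.priority, tuple(map(int, r.ip.split(".")))))

def run(routers, events):
    """Replay (time_s, router_name, 'down'|'up') events and return the list of
    (time_s, active_name) transitions.  Loss of the active router is noticed
    only when the surviving router's hold timer expires; a recovering router
    with a higher priority takes the role back only if it has preempt set."""
    by_name = {r.name: r for r in routers}
    active = elect_active(routers)
    log = [(0, active.name)]
    for t, name, state in sorted(events):
        r = by_name[name]
        r.up = state == "up"
        if state == "down" and r is active:
            active = elect_active(routers)
            if active is not None:
                log.append((t + active.hold, active.name))  # hold timer expiry
        elif state == "up" and active is None:
            active = r
            log.append((t, r.name))
        elif state == "up" and r.preempt and r.priority > active.priority:
            active = r
            log.append((t, r.name))
    return log

if __name__ == "__main__":
    # Constructed scenario: RouterA fails at t=10 s and returns at t=30 s.
    print(run(page_config(), [(10, "RouterA", "down"), (30, "RouterA", "up")]))
```

Dropping `preempt` from RouterA in `page_config()` shows the other common outcome: RouterB keeps the active role after RouterA recovers.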