300-135 TSHOOT Quick Study Notes: ACL/VACL, prefix-lists, GRE, NAT

Troubleshooting router-on-a-stick:

• incorrect dot1Q assignment on subinterface
• wrong IP addressing on subinterface or PCs (also PCs in wrong VLAN)
• switchport in wrong mode (access: no, trunk: yes; DTP not supported on router)
• NOTE: The subinterface number does not have to match the dot1Q tag but it is recommended to keep them identical.

Example 1 (recommended):

interface fa0/0.42
 encapsulation dot1q 42

Example 2:

interface fa0/0.42
 encapsulation dot1q 24


ACL behavior:

• top down: ACL entries are processed in order from top to bottom
• execute on a match: the first match will be used; if there is another match later, it does not matter
• implicit deny: if there is no match, the packet is automatically denied

Components of VACL:

• ACL: defines the traffic be examined by the VLAN access-map
• VLAN access-map: defines the action taken on the traffic matched in the ACL
• VLAN filter list: defines which VLANs in the VLAN access-map applies to

VACL example:

ip access-list 101 permit ip host 10.1.1.10 host 10.1.1.20
!
vlan access-map TSHOOT 10
 match ip address 101
 action drop
vlan access-map TSHOOT 20
 action forward
!
vlan filter TSHOOT vlan-list 10


Reading prefix-lists:

• two operators: ge (greater than or equal to) and le (less than or equal to)
• if no ge/le, the route must be an exact match
• if ge/le, the prefix length specifies how many route bits must match and the ge/le value defines min/max subnet max
• RULE: prefix length < ge <= le

Example: match all routes
permit 0.0.0.0/0 le 32

Example: match the default route
permit 0.0.0.0/0

Example: match 192.168.x.x routes with /24 - /28 subnet mask
permit 192.168.0.0/16 ge 24 le 28

WRONG: permit 10.0.0.0/24 ge 8


GRE tunnel states:

• up/up: tunnel is fully functional
• [admin] down/down: the interface is administratively shut down
• up/down: tunnel is administratively up but line protocol is down
• reset/down: transient state, reset by software (e.g. NHS misconfiguration)

Route selection:

• Building the routing table:
• prefix length - unique prefixes are considered separate routes
• administrative distance - the trustworthiness of the route source
• metric - "cost" of the route; different for each routing protocol
• Making forwarding decisions:
• longest prefix match - longer prefixes are always preferred
• example: if the 10.0.0.0/16 and 10.0.0.0/24 routes are in the routing table, a packet with a destination IP 10.0.0.47 will be forwarded using the second route
• see: Route Selection in Cisco Routers

Types of NAT:

• static NAT: 1-to-1 mapping of private IP to public IP
• dynamic NAT: dynamic mapping of private IPs to a pool of public IPs
• NAT overloading/PAT: mapping of multiple private IPs to one public IP by tracking Layer 4 ports (unique for each session)

NAT troubleshooting:

• incorrect inside and outside interfaces
• misconfigured NAT pool (inside global addresses)
• NAT pool addresses unreachable (e.g. not advertised)
• access-list does not reference correct inside networks
• overload keyword missing

Example: PAT to outside interface

int fa0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
int gi0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
ip nat inside source list 1 interface gi0/0 overload