300-135 TSHOOT Quick Study Notes: ACL/VACL, prefix-lists, GRE, NAT

Troubleshooting router-on-a-stick:
  • incorrect dot1Q assignment on the subinterface (the encapsulation dot1q tag does not match the VLAN the hosts are in)
  • wrong IP addressing on the subinterface or on the PCs (also PCs in the wrong VLAN, or a native VLAN mismatch between the switch trunk and the subinterface configured with encapsulation dot1q N native)
  • switchport facing the router in the wrong mode: it must be a statically configured trunk (switchport mode trunk), not an access port; routers do not run DTP, so dynamic auto/desirable on the switch side will never negotiate a trunk
  • NOTE: the subinterface number does not have to match the dot1Q tag, but keeping them identical is recommended because a tag mismatch is then obvious in show running-config

Example 1 (recommended):

interface fa0/0.42
 encapsulation dot1q 42

Example 2 (valid, but the subinterface number no longer tells you which VLAN it serves):

interface fa0/0.42
 encapsulation dot1q 24

ACL behavior:
  • top down: entries are evaluated in order from the first line to the last
  • execute on a match: the first matching entry decides (permit or deny); later entries that would also match are never evaluated, so the order of entries changes the result
  • implicit deny: every ACL ends with an invisible "deny any"; a packet that matches no entry is dropped

Components of a VACL:
  • ACL: defines the traffic to be examined by the VLAN access-map (a permit in this ACL means "selected by this map entry", not "allowed through")
  • VLAN access-map: defines the action (forward or drop) taken on the traffic matched by the ACL; entries are evaluated in sequence order, an entry with no match clause matches everything, and traffic matching no entry is dropped
  • VLAN filter: defines which VLANs the VLAN access-map applies to (it filters traffic bridged within the VLAN as well as traffic routed into or out of it); verify with show vlan access-map and show vlan filter

VACL example:

access-list 101 permit ip host host
vlan access-map TSHOOT 10
 match ip address 101
 action drop
vlan access-map TSHOOT 20
 action forward
vlan filter TSHOOT vlan-list 10
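The three ACL rules and the access-map fall-through above can be checked against a packet without a lab. The model below is an added example written for these notes, not IOS code: it parses extended ACL entries in IOS syntax (host, any, wildcard mask, eq port), evaluates them top down with first match and implicit deny, and then applies a VLAN access-map whose entry 10 drops what ACL 101 selects and whose entry 20 (no match clause) forwards the rest, as in the VACL example. All addresses (10.1.10.0/24 as the VLAN, 203.0.113.9 as an outside host) are constructed for illustration.

```python
"""Model of IOS ACL evaluation (top down, first match, implicit deny) and
of a VLAN access-map that references such an ACL. Added example for these
notes, not IOS code; addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str              # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # from "eq <port>", if present


def _take_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one IOS address spec: 'any', 'host A', or 'A wildcard'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host" or tokens[i + 1] == "0.0.0.0":
        # 'host A' and 'A 0.0.0.0' both mean a single address
        return ipaddress.ip_network(tokens[i + 1 if tokens[i] == "host" else i] + "/32"), i + 2
    # ipaddress treats a mask starting with a zero octet as a hostmask, which
    # is exactly an IOS wildcard mask (contiguous wildcards only)
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse the body of an extended ACL entry, e.g.
    'permit ip host 10.1.10.5 host 10.1.10.20' or
    'deny tcp 10.1.10.0 0.0.0.255 any eq 23'."""
    t = line.split()
    src, i = _take_addr(t, 2)
    dst, i = _take_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[0], t[1], src, dst, dport)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def acl_lookup(acl: List[Ace], pkt: Packet) -> str:
    """Top down, first match wins; matching nothing is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


@dataclass
class MapEntry:
    seq: int
    action: str                        # "forward" or "drop"
    acl: Optional[List[Ace]] = None    # None: no match clause, matches everything


def vacl_action(access_map: List[MapEntry], pkt: Packet) -> str:
    """An entry matches when its ACL permits the packet (an ACL deny only
    means 'not this entry'); entries are tried in sequence order and a
    packet that matches no entry is dropped."""
    for entry in sorted(access_map, key=lambda e: e.seq):
        if entry.acl is None or acl_lookup(entry.acl, pkt) == "permit":
            return entry.action
    return "drop"


if __name__ == "__main__":
    # order matters: deny telnet first, then permit the rest of the subnet
    acl = [parse_ace("deny tcp 10.1.10.0 0.0.0.255 any eq 23"),
           parse_ace("permit ip 10.1.10.0 0.0.0.255 any")]
    telnet = Packet("tcp", "10.1.10.5", "203.0.113.9", 23)
    print("in order:", acl_lookup(acl, telnet),
          "reversed:", acl_lookup(list(reversed(acl)), telnet))
    # the notes' VACL: ACL 101 selects one host pair, entry 10 drops it,
    # entry 20 (no match clause) forwards everything else
    acl101 = [parse_ace("permit ip host 10.1.10.5 host 10.1.10.20")]
    tshoot = [MapEntry(10, "drop", acl101), MapEntry(20, "forward")]
    print(vacl_action(tshoot, Packet("tcp", "10.1.10.5", "10.1.10.20", 445)))
```

Reversing the two-line ACL flips the telnet verdict, which is the "first match wins" rule in one call; dropping entry 20 from the map shows the VACL's own implicit drop.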

Reading prefix-lists:
  • two operators: ge (greater than or equal to) and le (less than or equal to)
  • no ge/le: the route must match the entry exactly (same network and same prefix length)
  • with ge/le: the entry's prefix length says how many leading bits of the route must match the entry's network; ge and le give the minimum and maximum prefix length the route itself may have (ge alone means up to /32, le alone means from the entry's own length up to le)
  • RULE: prefix length < ge <= le <= 32; IOS rejects an entry that violates it
  • like an ACL, a prefix-list is evaluated top down, first match wins, implicit deny at the end; verify with show ip prefix-list

Example: match all routes
permit le 32

Example: match the default route

Example: match 192.168.x.x routes with /24 - /28 subnet mask
permit ge 24 le 28

WRONG: permit ge 8
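The evaluator below is an added example written for these notes, not IOS code. It implements the ge/le semantics and the range rule above, so the three cases in the notes (match all, default route only, 192.168.x.x with /24 to /28) and an entry that breaks the inequality can be tried against concrete routes. The entries and routes are constructed for illustration; the rejected entry "permit 10.0.0.0/8 ge 8" is one way of breaking the rule, not necessarily the one the notes had in mind.

```python
"""Evaluator for IOS-style prefix-list entries: exact match without ge/le,
a prefix-length range with them, and the rule len < ge <= le <= 32.
Added example for these notes, not IOS code; entries are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PrefixEntry:
    action: str                        # "permit" or "deny"
    network: ipaddress.IPv4Network     # the entry's prefix/length
    ge: Optional[int] = None
    le: Optional[int] = None

    def __post_init__(self) -> None:
        plen = self.network.prefixlen
        if self.ge is not None and not plen < self.ge <= 32:
            raise ValueError(f"invalid range: need {plen} < ge <= 32")
        if self.le is not None:
            if self.ge is not None and not self.ge <= self.le <= 32:
                raise ValueError(f"invalid range: need ge {self.ge} <= le <= 32")
            if self.ge is None and not plen < self.le <= 32:
                raise ValueError(f"invalid range: need {plen} < le <= 32")

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if self.ge is None and self.le is None:
            return route == self.network           # exact match only
        if not route.subnet_of(self.network):       # first <plen> bits must agree
            return False
        low = self.ge if self.ge is not None else self.network.prefixlen
        high = self.le if self.le is not None else 32
        return low <= route.prefixlen <= high


def parse_entry(line: str) -> PrefixEntry:
    """Parse text such as 'permit 192.168.0.0/16 ge 24 le 28'."""
    tokens = line.split()
    action, network = tokens[0], ipaddress.ip_network(tokens[1], strict=True)
    ge = le = None
    rest = tokens[2:]
    for key, value in zip(rest[::2], rest[1::2]):
        if key == "ge":
            ge = int(value)
        elif key == "le":
            le = int(value)
        else:
            raise ValueError(f"unexpected token {key!r}")
    return PrefixEntry(action, network, ge, le)


def entry_is_valid(line: str) -> bool:
    """True if IOS would accept the entry, False if the range rule is broken."""
    try:
        parse_entry(line)
        return True
    except ValueError:
        return False


def permitted(prefix_list: List[PrefixEntry], route: str) -> bool:
    """Top down, first match wins, implicit deny at the end."""
    target = ipaddress.ip_network(route, strict=True)
    for entry in prefix_list:
        if entry.matches(target):
            return entry.action == "permit"
    return False


if __name__ == "__main__":
    match_all = [parse_entry("permit 0.0.0.0/0 le 32")]
    default_only = [parse_entry("permit 0.0.0.0/0")]
    rfc1918_24_28 = [parse_entry("permit 192.168.0.0/16 ge 24 le 28")]
    for route in ("0.0.0.0/0", "10.0.0.0/8", "192.168.1.0/24", "192.168.1.0/30"):
        print(route, permitted(match_all, route), permitted(default_only, route),
              permitted(rfc1918_24_28, route))
    print("permit 10.0.0.0/8 ge 8 accepted:", entry_is_valid("permit 10.0.0.0/8 ge 8"))
```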

GRE tunnel states (as shown by show interfaces tunnel N):
  • up/up: tunnel is fully functional
  • administratively down/down: the tunnel interface has been shut down; fix with no shutdown
  • up/down: interface is enabled but the line protocol is down; check for a missing tunnel source or tunnel destination, a tunnel source interface that is itself down, no route to the tunnel destination, or recursive routing (the best route to the tunnel destination points through the tunnel itself; IOS logs %TUN-5-RECURDOWN and takes the tunnel down); with keepalives configured, unanswered keepalives also take the line protocol down
  • reset/down: transient state, the tunnel is being reset by software (e.g. after recursive routing is detected, or an NHS misconfiguration in DMVPN)

Route selection:
  • Building the routing table (deciding which candidate for a prefix gets installed):
    • prefix length - a different prefix length makes a different route, so a /16 and a more specific /24 inside it are both installed; the comparisons below happen only between candidates for exactly the same prefix
    • administrative distance - trustworthiness of the route source; the candidate with the lowest AD is installed (IOS defaults: connected 0, static 1, eBGP 20, EIGRP 90, OSPF 110, RIP 120)
    • metric - the protocol's "cost" of the route; it only decides between routes of the same protocol (hence the same AD), because metrics of different protocols are not comparable
  • Making forwarding decisions (choosing among installed routes for a packet):
    • longest prefix match - the most specific installed route covering the destination is used, regardless of the AD or metric it was installed with
    • example: if the and routes are in the routing table, a packet with a destination IP will be forwarded using the second route
    • see: Route Selection in Cisco Routers
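The two stages above are easy to confuse, so here they are as code: an added example written for these notes, not IOS code. It builds a table from constructed candidate routes (lowest AD per prefix, metric breaking ties within a protocol; the ADs are the IOS defaults and are assumed not to have been changed with the distance command) and then forwards by longest prefix match, where an EIGRP /24 beats an OSPF /16 and a static default catches everything else.

```python
"""Two-stage route selection: (1) per distinct prefix, install the candidate
with the lowest administrative distance, metric breaking ties within one
protocol; (2) forward by longest prefix match over the installed routes.
Added example for these notes, not IOS code; candidate routes are constructed
and the ADs are IOS defaults (assumed unchanged)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_AD = {"connected": 0, "static": 1, "ebgp": 20,
              "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Candidate:
    prefix: str      # e.g. "10.1.10.0/24"
    source: str      # key into DEFAULT_AD
    metric: int      # only comparable within the same protocol
    next_hop: str


RoutingTable = Dict[ipaddress.IPv4Network, Candidate]


def build_routing_table(candidates: List[Candidate]) -> RoutingTable:
    """Different prefix lengths are different routes, so 10.1.0.0/16 and
    10.1.10.0/24 are both installed; for the same prefix the lowest AD wins
    and the metric only breaks ties between routes of one protocol."""
    table: RoutingTable = {}
    for cand in candidates:
        net = ipaddress.ip_network(cand.prefix, strict=True)
        best = table.get(net)
        if best is None:
            table[net] = cand
        elif DEFAULT_AD[cand.source] < DEFAULT_AD[best.source]:
            table[net] = cand
        elif cand.source == best.source and cand.metric < best.metric:
            table[net] = cand
        # equal AD and equal metric from one protocol would be equal-cost
        # multipath; this model simply keeps the first candidate seen
    return table


def installed(table: RoutingTable, prefix: str) -> Optional[Candidate]:
    """The route installed for an exact prefix, if any."""
    return table.get(ipaddress.ip_network(prefix, strict=True))


def lookup(table: RoutingTable, destination: str) -> Optional[Candidate]:
    """Longest prefix match: the most specific covering route wins, whatever
    its AD or metric; None means no route, i.e. the packet is dropped."""
    addr = ipaddress.ip_address(destination)
    covering = [net for net in table if addr in net]
    if not covering:
        return None
    return table[max(covering, key=lambda net: net.prefixlen)]


if __name__ == "__main__":
    candidates = [
        Candidate("10.1.0.0/16", "rip", 3, "192.0.2.1"),
        Candidate("10.1.0.0/16", "ospf", 20, "192.0.2.2"),
        Candidate("10.1.10.0/24", "ospf", 30, "192.0.2.3"),
        Candidate("10.1.10.0/24", "eigrp", 2816, "192.0.2.4"),
        Candidate("10.1.10.0/24", "ospf", 10, "192.0.2.5"),
        Candidate("0.0.0.0/0", "static", 0, "192.0.2.254"),
    ]
    table = build_routing_table(candidates)
    for net, route in sorted(table.items(), key=lambda kv: kv[0].prefixlen):
        print(f"{net}  via {route.source} metric {route.metric} -> {route.next_hop}")
    for dst in ("10.1.10.7", "10.1.50.7", "8.8.8.8"):
        print(dst, "->", lookup(table, dst).next_hop)
```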

Types of NAT:
  • static NAT: fixed 1-to-1 mapping of one inside local (private) address to one inside global (public) address; works in both directions, so it suits servers that must be reachable from outside
  • dynamic NAT: inside local addresses are mapped on demand to addresses from a pool of inside global addresses, one address per host at a time; when the pool is exhausted, additional hosts get no translation
  • NAT overloading/PAT: many inside local addresses share one inside global address; sessions are told apart by the Layer 4 port, which the router changes when needed so that the translated source port is unique per session

NAT troubleshooting:
  • ip nat inside / ip nat outside on the wrong interfaces (or missing on one side)
  • misconfigured NAT pool (inside global addresses)
  • NAT pool addresses unreachable from the outside (e.g. not advertised, or no return route), so replies never come back
  • access-list does not match the inside networks that should be translated (those hosts leave untranslated, with a private source address)
  • overload keyword missing, so the interface address behaves like a one-address pool and only one inside host at a time gets a translation
  • verify with show ip nat translations and show ip nat statistics; after changing the config, clear ip nat translation * (this drops active sessions) so stale entries do not mask the fix

Example: PAT to outside interface

int fa0/1
 ip address
 ip nat inside
int gi0/0
 ip address
 ip nat outside
access-list 1 permit
ip nat inside source list 1 interface gi0/0 overload
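To see what the overload keyword and the access-list actually do to a packet, here is a small model of the PAT configuration above: an added example written for these notes, not IOS code. It keeps a translation table keyed by the full flow, so two inside hosts using the same source port to the same server get different translated ports, maps the reply back to the right inside host, and shows the two failure modes from the troubleshooting list (a host the ACL does not cover gets no translation; without overload a second host gets nothing while the first holds the single address). Addresses are constructed: 10.0.0.0/24 inside, 198.51.100.1 as the gi0/0 address, 203.0.113.5 as an Internet host. Port choice is simplified to "keep the original source port unless another session on the global address already uses it".

```python
"""Model of 'ip nat inside source list 1 interface gi0/0 overload'.
Added example for these notes, not IOS code; addresses are constructed and
port allocation is simplified (original port kept unless already in use on
the global address)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int, str, int]   # proto, src ip, src port, dst ip, dst port


class PatTable:
    def __init__(self, inside_acl: List[str], inside_global: str, overload: bool):
        self.acl = [ipaddress.ip_network(n) for n in inside_acl]   # access-list 1
        self.inside_global = inside_global                          # gi0/0 address
        self.overload = overload
        self.outbound_map: Dict[Flow, Tuple[str, int]] = {}  # local flow -> (global ip, port)
        self.inbound_map: Dict[Flow, Tuple[str, int]] = {}   # reply flow -> (local ip, port)
        self.next_port = 1024

    def _allocate_port(self, wanted: int) -> int:
        in_use = {port for _, port in self.outbound_map.values()}
        if wanted not in in_use:
            return wanted
        while self.next_port in in_use:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, proto: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Translate an inside->outside packet. Returns (inside global ip, port),
        or None when no translation is built, which is the symptom behind most
        of the troubleshooting bullets above."""
        flow = (proto, src_ip, src_port, dst_ip, dst_port)
        if flow in self.outbound_map:
            return self.outbound_map[flow]
        if not any(ipaddress.ip_address(src_ip) in net for net in self.acl):
            # ACL does not cover this host: it leaves untranslated and the
            # reply to its private address never comes back
            return None
        if self.overload:
            gport = self._allocate_port(src_port)
        else:
            # without overload the interface address is a pool of one entry:
            # whichever host holds it keeps it, every other host gets nothing
            holders = {f[1] for f in self.outbound_map}
            if holders and src_ip not in holders:
                return None
            gport = src_port
        self.outbound_map[flow] = (self.inside_global, gport)
        self.inbound_map[(proto, dst_ip, dst_port, self.inside_global, gport)] = (src_ip, src_port)
        return self.outbound_map[flow]

    def inbound(self, proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Map a reply addressed to the inside global ip/port back to the
        inside local ip/port; None means the router has no entry for it."""
        return self.inbound_map.get((proto, src_ip, src_port, dst_ip, dst_port))

    def translations(self) -> List[str]:
        """Rows in the spirit of 'show ip nat translations'
        (Pro Inside global / Inside local / Outside local / Outside global)."""
        rows = []
        for (proto, lip, lport, oip, oport), (gip, gport) in self.outbound_map.items():
            rows.append(f"{proto} {gip}:{gport} {lip}:{lport} {oip}:{oport} {oip}:{oport}")
        return rows


if __name__ == "__main__":
    pat = PatTable(["10.0.0.0/24"], "198.51.100.1", overload=True)
    print(pat.outbound("tcp", "10.0.0.1", 40000, "203.0.113.5", 80))
    print(pat.outbound("tcp", "10.0.0.2", 40000, "203.0.113.5", 80))   # port changed
    print(pat.outbound("tcp", "10.0.1.9", 40000, "203.0.113.5", 80))   # not in ACL
    print("\n".join(pat.translations()))
    plain = PatTable(["10.0.0.0/24"], "198.51.100.1", overload=False)
    print(plain.outbound("tcp", "10.0.0.1", 40000, "203.0.113.5", 80))
    print(plain.outbound("tcp", "10.0.0.2", 40000, "203.0.113.5", 80))  # overload missing
```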