Troubleshooting router-on-a-stick:
- incorrect dot1Q assignment on subinterface
- wrong IP addressing on subinterface or PCs (also PCs in wrong VLAN)
- switch port facing the router in the wrong mode (access: no, trunk: yes; configure the trunk manually because the router does not support DTP)
- NOTE: The subinterface number does not have to match the dot1Q tag but it is recommended to keep them identical.
Example 1 (recommended):
interface fa0/0.42
encapsulation dot1q 42
Example 2:
interface fa0/0.42
encapsulation dot1q 24
ACL behavior:
- top down: ACL entries are processed in order from top to bottom
- execute on a match: the first match will be used; if there is another match later, it does not matter
- implicit deny: if there is no match, the packet is automatically denied
Components of VACL:
- ACL: defines the traffic to be examined by the VLAN access-map
- VLAN access-map: defines the action taken on the traffic matched by the ACL
- VLAN filter list: defines which VLANs the VLAN access-map applies to
VACL example:
access-list 101 permit ip host 10.1.1.10 host 10.1.1.20
!
vlan access-map TSHOOT 10
match ip address 101
action drop
vlan access-map TSHOOT 20
action forward
!
vlan filter TSHOOT vlan-list 10
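The ACL rules above (top-down, first match wins, implicit deny) and the way a VACL uses an ACL only as a classifier are easy to get wrong when reading a config, so here is a small model of both, written as an added example for these notes rather than anything from Cisco. It encodes ACL 101 and access-map TSHOOT from the example as data and evaluates sample packets against them; the second ACL (ORDERED) is constructed only to show that entry order changes the result.

```python
import ipaddress

# Added example (not from the notes): a model of IOS ACL and VACL semantics.
# An ACL entry is (action, source-spec, destination-spec), where a spec is
# "any", "host A.B.C.D", or "A.B.C.D WILDCARD" (IOS wildcard mask).

def ip_in(addr: str, spec: str) -> bool:
    """True when addr is selected by an IOS address spec."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    network, wildcard = parts
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    # a wildcard bit set to 1 means "don't care" for that bit
    return (a & ~w) == (n & ~w)

def acl_match(acl, src: str, dst: str) -> str:
    """Top-down evaluation: the first matching entry decides; a packet that
    matches nothing hits the implicit deny at the end of every ACL."""
    for action, src_spec, dst_spec in acl:
        if ip_in(src, src_spec) and ip_in(dst, dst_spec):
            return action
    return "deny"

def vacl_action(access_map, acls, src: str, dst: str) -> str:
    """access_map is an ordered list of (sequence, acl_name or None, action).
    Inside a VACL the ACL only classifies traffic: a packet the ACL *permits*
    is matched by that sequence and receives its action. A sequence without
    a match clause matches everything. If no sequence matches, the VACL drops."""
    for _seq, acl_name, action in access_map:
        if acl_name is None or acl_match(acls[acl_name], src, dst) == "permit":
            return action
    return "drop"

# The VACL from the notes, written as data
ACLS = {"101": [("permit", "host 10.1.1.10", "host 10.1.1.20")]}
TSHOOT = [(10, "101", "drop"), (20, None, "forward")]

# Constructed ACL used to show that entry order matters
ORDERED = [("deny", "host 10.1.1.10", "any"),
           ("permit", "10.1.1.0 0.0.0.255", "any")]

if __name__ == "__main__":
    for src, dst in [("10.1.1.10", "10.1.1.20"),
                     ("10.1.1.20", "10.1.1.10"),
                     ("10.1.1.30", "10.1.1.20")]:
        print(f"{src} -> {dst}: {vacl_action(TSHOOT, ACLS, src, dst)}")
```

Note that the VACL only drops 10.1.1.10 -> 10.1.1.20; the reverse direction is forwarded by sequence 20 because ACL 101 is unidirectional. Without sequence 20 every other packet in VLAN 10 would be dropped.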
Reading prefix-lists:
- two operators: ge (greater than or equal to) and le (less than or equal to)
- if no ge/le, the route must be an exact match
- if ge/le is present, the prefix length specifies how many leading bits of the route must match and the ge/le values define the minimum/maximum subnet mask length
- RULE: prefix length < ge <= le
Example: match all routes
permit 0.0.0.0/0 le 32
Example: match the default route
permit 0.0.0.0/0
Example: match 192.168.x.x routes with /24 - /28 subnet mask
permit 192.168.0.0/16 ge 24 le 28
WRONG: permit 10.0.0.0/24 ge 8
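The ge/le semantics and the "prefix length < ge <= le" rule are the usual source of prefix-list mistakes, so here is an added example (not from the notes or from Cisco) that parses entries in the notation above, rejects invalid ranges such as the WRONG entry, and tests routes against the three examples. The validity checks follow the rule as stated in the notes.

```python
import ipaddress

# Added example (not from the notes): evaluate IOS prefix-list entries with
# ge/le range semantics and the len < ge <= le validity rule.

def parse_entry(text: str):
    """Parse e.g. 'permit 192.168.0.0/16 ge 24 le 28' into
    (action, network, low, high). A route matches when its first
    network.prefixlen bits equal the network and low <= length <= high."""
    tokens = text.split()
    action = tokens[0]
    net = ipaddress.IPv4Network(tokens[1], strict=False)
    ge = le = None
    for i in range(2, len(tokens), 2):
        if tokens[i] == "ge":
            ge = int(tokens[i + 1])
        elif tokens[i] == "le":
            le = int(tokens[i + 1])
        else:
            raise ValueError(f"unknown keyword {tokens[i]!r}")
    plen = net.prefixlen
    # IOS rejects entries that violate: prefix length < ge <= le
    if ge is not None and (ge <= plen or ge > 32):
        raise ValueError(f"invalid range for {net}: need len < ge <= 32")
    if le is not None:
        bad = (le < ge) if ge is not None else (le <= plen)
        if bad or le > 32:
            raise ValueError(f"invalid range for {net}: need len < ge <= le <= 32")
    # no ge/le: exact match; ge only: up to /32; le only: from len up to le
    low = ge if ge is not None else plen
    high = le if le is not None else (32 if ge is not None else plen)
    return action, net, low, high

def is_valid(text: str) -> bool:
    """True when the entry would be accepted."""
    try:
        parse_entry(text)
        return True
    except ValueError:
        return False

def entry_matches(entry, route: str) -> bool:
    _action, net, low, high = entry
    r = ipaddress.IPv4Network(route, strict=False)
    covered = r.network_address in net   # leading net.prefixlen bits agree
    return covered and low <= r.prefixlen <= high

def evaluate(prefix_list, route: str) -> str:
    """Sequential first-match evaluation with an implicit deny at the end."""
    for entry in prefix_list:
        if entry_matches(entry, route):
            return entry[0]
    return "deny"

if __name__ == "__main__":
    for text in ["permit 0.0.0.0/0 le 32", "permit 0.0.0.0/0",
                 "permit 192.168.0.0/16 ge 24 le 28", "permit 10.0.0.0/24 ge 8"]:
        print(f"{text:40s} valid={is_valid(text)}")
    rng = parse_entry("permit 192.168.0.0/16 ge 24 le 28")
    for route in ["192.168.5.0/24", "192.168.5.0/28", "192.168.0.0/16", "192.168.5.0/29"]:
        print(f"  {route:16s} -> {evaluate([rng], route)}")
```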
GRE tunnel states:
- up/up: tunnel is fully functional
- [admin] down/down: the interface is administratively shut down
- up/down: tunnel is administratively up but line protocol is down
- reset/down: transient state, reset by software (e.g. NHS misconfiguration)
Route selection:
- Building the routing table:
  - prefix length - unique prefixes are considered separate routes
  - administrative distance - the trustworthiness of the route source
  - metric - "cost" of the route; calculated differently by each routing protocol
- Making forwarding decisions:
  - longest prefix match - longer prefixes are always preferred
  - example: if the 10.0.0.0/16 and 10.0.0.0/24 routes are in the routing table, a packet with destination IP 10.0.0.47 will be forwarded using the second route
  - see: Route Selection in Cisco Routers
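The two stages above (selecting the best source per prefix, then forwarding by longest match) are shown in this added example, which is not from the notes or from Cisco. The candidate routes, metrics and next hops are constructed; the administrative distances are the standard IOS defaults.

```python
import ipaddress

# Added example (not from the notes): candidate routes become the routing
# table (per prefix: lowest administrative distance, then lowest metric), and
# a forwarding lookup picks the longest prefix match from that table.

AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}

def build_rib(candidates):
    """candidates: (prefix, source, metric, next_hop). Routes for the same
    prefix compete; different prefix lengths are different routes. Metric is
    only compared when the AD ties (metrics are not comparable across protocols)."""
    rib = {}
    for prefix, source, metric, next_hop in candidates:
        net = ipaddress.IPv4Network(prefix)
        rank = (AD[source], metric)
        current = rib.get(net)
        if current is None or rank < (AD[current["source"]], current["metric"]):
            rib[net] = {"source": source, "metric": metric, "next_hop": next_hop}
    return rib

def lookup(rib, destination: str):
    """Return (network, info) for the most specific matching route, or None."""
    addr = ipaddress.IPv4Address(destination)
    best = None
    for net, info in rib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best

# Constructed candidates: /16 learned twice, a more specific /24, and a default
CANDIDATES = [
    ("10.0.0.0/16", "ospf", 20, "192.0.2.1"),
    ("10.0.0.0/16", "eigrp", 3072, "192.0.2.2"),
    ("10.0.0.0/24", "ospf", 30, "192.0.2.3"),
    ("0.0.0.0/0", "static", 0, "192.0.2.254"),
]

if __name__ == "__main__":
    rib = build_rib(CANDIDATES)
    for net, info in sorted(rib.items(), key=lambda kv: kv[0].prefixlen):
        print(f"{net.with_prefixlen:14s} via {info['next_hop']} [{AD[info['source']]}/{info['metric']}] {info['source']}")
    for dest in ["10.0.0.47", "10.0.5.1", "172.16.0.1"]:
        net, info = lookup(rib, dest)
        print(f"{dest:12s} -> {net.with_prefixlen} via {info['next_hop']}")
```

With these inputs the EIGRP /16 wins the routing table over OSPF on administrative distance regardless of metric, and 10.0.0.47 is forwarded via the /24 even though the /16 also covers it.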
Types of NAT:
- static NAT: 1-to-1 mapping of private IP to public IP
- dynamic NAT: dynamic mapping of private IPs to a pool of public IPs
- NAT overloading/PAT: mapping of multiple private IPs to one public IP by tracking Layer 4 ports (unique for each session)
NAT troubleshooting:
- incorrect inside and outside interfaces
- misconfigured NAT pool (inside global addresses)
- NAT pool addresses unreachable (e.g. not advertised)
- access-list does not reference correct inside networks
- overload keyword missing
Example: PAT to outside interface
int fa0/1
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
int gi0/0
ip address 203.0.113.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
ip nat inside source list 1 interface gi0/0 overload
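To make the "overload keyword missing" symptom concrete, here is an added example (not from the notes or from Cisco) modelling translation on a single inside-global address, as in the interface-based PAT config above. With overload, each session gets its own port; without it, a single address can only serve one inside host at a time and the second host gets no translation. Port allocation starting at 1024 and the sample hosts are constructed.

```python
import ipaddress
import itertools

# Added example (not from the notes): dynamic NAT versus PAT ("overload")
# on one inside-global address, as with
# "ip nat inside source list 1 interface gi0/0 overload".

class Nat:
    def __init__(self, inside_networks, global_ip: str, overload: bool):
        self.inside = [ipaddress.IPv4Network(n) for n in inside_networks]  # access-list 1
        self.global_ip = global_ip          # the outside interface address
        self.overload = overload
        self.table = {}                     # (inside_local, port) -> (inside_global, port)
        self.next_port = itertools.count(1024)  # constructed port allocator
        self.owner = None                   # without overload, one host owns the address

    def translate(self, src_ip: str, src_port: int):
        """Outbound packet from an inside host. Returns the (ip, port) the
        packet leaves with, or None when no translation is available."""
        if not any(ipaddress.IPv4Address(src_ip) in n for n in self.inside):
            return (src_ip, src_port)       # not matched by the ACL: forwarded untranslated
        key = (src_ip, src_port)
        if key in self.table:
            return self.table[key]          # existing session reuses its entry
        if self.overload:
            entry = (self.global_ip, next(self.next_port))  # track by L4 port
        else:
            if self.owner not in (None, src_ip):
                return None                 # single address already mapped to another host
            self.owner = src_ip
            entry = (self.global_ip, src_port)
        self.table[key] = entry
        return entry

    def untranslate(self, dst_port: int):
        """Reply from outside: find the inside host by the tracked port."""
        for local, (_ip, gport) in self.table.items():
            if gport == dst_port:
                return local
        return None

if __name__ == "__main__":
    for overload in (True, False):
        nat = Nat(["10.1.1.0/24"], "203.0.113.1", overload)
        print("overload" if overload else "no overload")
        for host in ("10.1.1.10", "10.1.1.11"):
            print(f"  {host}:40000 -> {nat.translate(host, 40000)}")
```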