NAT Deployment in Cloud Networks
Jason Yang, CCIE #10467, Technical Marketing Engineer

Session Goals
NAT is becoming a critical component of the Cloud Gateway, and customers are asking for recommendations and best practices for designing NAT with high scalability and high availability in hosted cloud networks. This session covers:
1. How VRF-aware Network Address Translation (NAT) enables the Cloud Gateway architecture
2. Cloud Gateway high availability design
3. Performance, scalability and operational best practice (this part focuses on the ASR 1000 as the Cloud Gateway platform)

Agenda
- Cloud Gateway architecture enabled by VRF-aware NAT
- Cloud Gateway HA design
- Performance/scale and operational best practice
- Summary and take-aways
Cloud Gateway Architecture enabled by VRF-Aware NAT

Cloud Gateway Architecture
Customer sites on the MPLS VPN reach hosted cloud services, the Internet and partner networks through a Cloud Gateway (GW) placed behind the PE; the hosted side provides applications, AAA, location and other common services. The GW has to deliver:
- Multi-tenancy: VRF awareness, VRF scale, private/overlapping customer addressing, shared access to common services
- Network Address Translation: VRF-aware NAT, inter-VRF communication through the VRF-Aware Service Infrastructure (VASI)
- High availability: dual-box design, stateless redundancy, NAT scale, stateful redundancy

VRF-Aware NAT and VASI
VRF-aware NAT supports MPLS/VPN for communication between remote hosts in different VPNs and common servers on the Internet, as well as intra-VPN communication.
VRF-Aware Service Infrastructure (VASI) carries traffic and routing exchange across different VRFs. VASI is implemented with virtual interface pairs (vasileftX, vasirightX) where each interface of the pair belongs to a different VRF instance, so a packet sent out vasileftX in one VRF is received on vasirightX in the other. Services such as NAT, ACL, policing, ZBFW, IPsec and PBR can be applied on the VASI interfaces.

Connectivity Model Summary

                               Model 1                        Model 2                        Model 3
Cloud Gateway AS               GW and PE in different BGP AS  GW and PE in different BGP AS  GW and PE in the same BGP AS
Cloud services managed         outside the business VPN       outside the business VPN       as part of the business VPN
Connectivity to the VPN        Inter-AS Option A (eBGP +      Inter-AS Option B (eBGP +      MP-iBGP;
network                        back-to-back VRF);             label);                        NAT inside interface
                               NAT inside interface           NAT inside interface
(a) Cloud in the global table  NAT outside interface          NAT outside interface          N/A
(b) Cloud in a VRF             Requires VASI; NAT outside     Requires VASI; NAT outside     Requires VASI; NAT outside
                               on VASIleft                    on VASIleft                    on VASIleft
Routing over VASI              iBGP                           iBGP                           eBGP

AS: Autonomous System. The slide marks one of the models as "the most common".
Connectivity Model 1a: HCS service in the global routing table
- Inter-AS Option A between PE (AS65004) and GW (AS577): N x eBGP sessions, one per VRF
- VRF/VLAN sub-interface on the GW is the VRF-aware NAT inside interface (ip nat inside)
- Global interface toward the SR is the NAT outside interface (ip nat outside)
Legend: PE = Provider Edge router; GW = Cloud Gateway router; SR = Service Router; C_NetworkR/B/G = customer networks in VRFR/VRFB/VRFG; S_Network = hosted cloud service (HCS) network.

Connectivity Model 1b: HCS service in a VRF
- Inter-AS Option A (N x eBGP) between PE and GW
- VRF/VLAN sub-interface as the VRF-aware NAT inside interface
- VASI pair to connect each customer VRF to the Service VRF: vasileftX (customer VRF side) is the NAT outside interface, vasirightX sits in the Service VRF

Connectivity Model 2a: HCS service in the global routing table
- Inter-AS Option B between PE and GW: a single eBGP session exchanging VPN routes and labels
- The MPLS-enabled interface toward the PE is the VRF-aware NAT inside interface
- Global interface toward the SR is the NAT outside interface

Connectivity Model 2b: HCS service in a VRF
- Inter-AS Option B between PE and GW
- MPLS-enabled interface as the VRF-aware NAT inside interface
- VASI pair for inter-VRF communication: vasileftX (customer VRF) is the NAT outside interface, vasirightX is in the Service VRF

Connectivity Model 3: HCS service in a VRF, GW in the same AS as the PE
- MP-iBGP between PE and GW (both in AS65004); the GW participates in the MPLS/VPN as a PE
- MPLS-enabled interface as the VRF-aware NAT inside interface
- VASI pair for inter-VRF communication: vasileftX (customer VRF) is the NAT outside interface, vasirightX is in the Service VRF; the link to the SR is MPLS as well
Connectivity Model 1 Control Plane
- Inter-AS Option A is the most secure and the easiest to provision: each VRF has its own sub-interface and its own eBGP session, and no labels cross the AS boundary
- Option A may face manageability challenges as the number of VRFs grows (one sub-interface and one session per VRF)
- GW and SR can run static/IGP/BGP to exchange routes; BGP scales best and is seamless
- iBGP runs over the VASI pairs to exchange routes between the customer VRFs and the Service VRF
- The cloud service network (S_Network) is advertised to the customers; the NAT pool is advertised to the cloud
Topology: PE (AS65004) -- N x eBGP -- GW (AS577: VRFR, VRFB, VRFG and Service VRF) -- eBGP -- SR (HCS, AS223); iBGP over VASI inside the GW.

Connectivity Model 1 Data Plane
- The customer initiates the connection to the cloud
- Forward direction: routing lookup in the customer VRF first, then VRF-aware NAT translation as the packet leaves through the NAT outside interface (vasileft)
- VASI carries the customer VRF traffic into the Service VRF and vice versa
- Return traffic: NAT un-translation is performed in the customer VRF first, then the routing lookup toward the PE
(The slide traces the (S)/(D) addresses of the packet through PE, GW VRFR, Service VRF and SR in both directions.)

Connectivity Model 1 Configuration (addresses that did not survive the transcription are shown as ...)
interface GigabitEthernet0/0/0.2
 description PE facing interface for VRFR
 encapsulation dot1q 2
 vrf forwarding VRFR
 ip address ...
 ip nat inside
interface vasileft1
 vrf forwarding VRFR
 ip address ...
 ip nat outside
interface vasiright1
 vrf forwarding VRFS
 ip address ...
interface GigabitEthernet0/0/1
 description Cloud facing interface for Service VRF
 vrf forwarding VRFS
 ip address ...
access-list 4 permit ...
ip nat pool pool-pc ... ... prefix-length 30
ip nat inside source list 4 pool pool-pc vrf VRFR overload
router bgp 577
 address-family ipv4 vrf VRFS
  bgp router-id ...
  bgp log-neighbor-changes
  neighbor ... remote-as 223
  neighbor ... description PEERING to SR
  neighbor ... activate
  neighbor ... remote-as 577
  neighbor ... next-hop-self
  neighbor ... description PEERING to VASI VRFR interface
  neighbor ... activate
 address-family ipv4 vrf VRFR
  bgp router-id ...
  redistribute static
  neighbor ... remote-as 577
  neighbor ... description PEERING to VASI VRFS interface
  neighbor ... activate
  neighbor ... prefix-list VRF_Pool out
  neighbor ... remote-as ...
  neighbor ... description PEERING to PE
  neighbor ... activate
ip prefix-list VRF_Pool seq 5 permit .../32
ip route vrf VRFR ... ... null0
Notes: the NAT pool is anchored by a static route to null0 and redistributed into the VRFR address family; the VRF_Pool prefix-list restricts what VRFR advertises over VASI to that pool. Both ends of the VASI iBGP session are in AS 577, and next-hop-self on the Service VRF side rewrites the next hop of S_Network (learned from the SR) to the vasiright1 address so it is reachable from VRFR.
Connectivity Model 2 Control Plane
- Inter-AS Option B: a single eBGP session between PE and GW exchanges VPN routes and labels
- Label spoofing is a concern: the GW accepts labeled packets from the PE on one interface and forwards on the label, so a peer that sends a label belonging to another customer's VRF can inject traffic into that VRF
- GW and SR can run static/IGP/BGP to exchange routes; BGP scales best and is seamless
- iBGP runs over the VASI pairs to exchange routes between VRFs
- The cloud service network is advertised to the customers; the NAT pool is advertised to the cloud
Topology: PE (AS65004) -- 1 x eBGP with labels -- GW (AS577, Service VRF) -- eBGP -- SR (HCS, AS223); iBGP over VASI.

Connectivity Model 2 Data Plane
- The customer initiates the connection to the cloud
- Forward direction: label disposition, then routing lookup, then VRF-aware NAT translation
- VASI carries the customer VRF traffic into the Service VRF and vice versa
- Return traffic: NAT in the customer VRF first, then routing lookup, then label imposition toward the PE

Connectivity Model 2 Configuration (addresses that did not survive the transcription are shown as ...)
interface GigabitEthernet0/0/0
 description PE facing interface
 ip address ...
 ip nat inside
 mpls bgp forwarding
interface vasileft1
 vrf forwarding VRFR
 ip address ...
 ip nat outside
interface vasiright1
 vrf forwarding VRFS
 ip address ...
interface GigabitEthernet0/0/1
 description Cloud facing interface for Service VRF
 vrf forwarding VRFS
 ip address ...
access-list 4 permit ...
ip nat pool pool-pc ... ... prefix-length 30
ip nat inside source list 4 pool pool-pc vrf VRFR overload
router bgp 577
 neighbor ... remote-as ...
 neighbor ... description PEERING to PE
 address-family ipv4 vrf VRFS
  bgp router-id ...
  bgp log-neighbor-changes
  neighbor ... remote-as 223
  neighbor ... description PEERING to SR
  neighbor ... activate
  neighbor ... remote-as 577
  neighbor ... next-hop-self
  neighbor ... activate
  neighbor ... description PEERING to VASI VRFR interface
 address-family ipv4 vrf VRFR
  bgp router-id ...
  redistribute static
  neighbor ... remote-as 577
  neighbor ... description PEERING to VASI VRFS interface
  neighbor ... activate
  neighbor ... prefix-list VRF_Pool out
 address-family vpnv4
  neighbor ... activate
  neighbor ... send-community both
ip prefix-list VRF_Pool seq 5 permit .../32
ip route vrf VRFR ... ... null0
Differences from Model 1: the PE-facing interface is a single global interface with mpls bgp forwarding, the PE neighbor is activated under address-family vpnv4 (carrying extended communities), and the VRF sub-interfaces disappear.

Connectivity Model 2 Configuration (cont'd)
VASI is the VRF termination point in the GW, which makes it the natural place to apply per-VRF security and QoS policy:
interface vasileft1
 vrf forwarding VRFR
 ip address ...
 ip access-group VASI-1-LEFT-IN in
 ip access-group VASI-1-LEFT-OUT out
 ip nat outside
 service-policy output Police_Cloud_ACCESS_VRFR_10meg*
interface vasiright1
 vrf forwarding VRFS
 ip address ...
 ip access-group VASI-1-RIGHT-IN in
 ip access-group VASI-1-RIGHT-OUT out
* Queuing policies are not supported on VASI interfaces; only policing and marking are.
Connectivity Model 3 Control Plane
- The cloud service is part of the business VPN network
- MP-iBGP full mesh (or via route reflectors) with all other PEs, RRs and SRs to exchange VPN routes and labels
- eBGP runs over the VASI pairs to exchange routes between VRFs (the VASI neighbors use local-as to form an eBGP session inside a single AS)
- The cloud service network is advertised to the customers; the NAT pool is advertised to the cloud
Topology: PE -- MP-iBGP over MPLS/VPN (AS65004) -- GW -- MPLS -- SR; eBGP over VASI inside the GW.

Connectivity Model 3 Data Plane
- The customer initiates the connection to the cloud
- Forward direction: label disposition, then routing lookup, then VRF-aware NAT translation
- VASI carries the customer VRF traffic into the Service VRF and vice versa
- Return traffic: NAT in the customer VRF first, then routing lookup, then label imposition toward the PE

Connectivity Model 3 Configuration (addresses, AS numbers and prefixes that did not survive the transcription are shown as ...)
interface GigabitEthernet0/0/0
 description MPLS VPN facing interface
 ip address ...
 ip nat inside
 mpls ip
interface vasileft1
 vrf forwarding VRFR
 ip address ...
 ip nat outside
interface vasiright1
 vrf forwarding VRFS
 ip address ...
 ip policy route-map PBR_FW
interface GigabitEthernet0/0/1
 description Service facing interface
 ip address ...
 mpls ip
route-map PBR_FW permit 10
 match ip address PBR_FW
 set ip next-hop recursive vrf FW_VRF ...
access-list 4 permit ...
ip nat pool pool-pc ... ... prefix-length 30
ip nat inside source list 4 pool pool-pc vrf VRFR overload
router bgp ...
 neighbor ... remote-as ...
 neighbor ... description PEERING to RR
 neighbor ... update-source loopback0
 address-family ipv4 vrf VRFS
  redistribute connected
  neighbor ... remote-as ...
  neighbor ... local-as ...
  neighbor ... update-source vasiright1
  neighbor ... activate
 address-family ipv4 vrf VRFR
  redistribute static
  neighbor ... remote-as ...
  neighbor ... local-as ...
  neighbor ... update-source vasileft1
  neighbor ... activate
  neighbor ... prefix-list VRF_Pool out
  default-information originate
 address-family vpnv4
  neighbor ... activate
  neighbor ... send-community both
ip prefix-list VRF_Pool seq 5 permit .../32
ip route vrf VRFR ... ... null0
Note: the PBR_FW route-map on vasiright1 steers Service-VRF traffic through a firewall VRF (FW_VRF) before it reaches the service network.
Design of the NAT Pool

Pool per VRF
1. Ease of maintenance
2. Ease of debugging
3. Customers can be added or removed without disrupting the others
ip nat pool customer1-nat-pool ... ... prefix-length 24
ip access-list extended customer1-acl
 deny ip <router-generated-ip> ...
 permit ip ... ...
ip nat inside source list customer1-acl pool customer1-nat-pool overload vrf customer1-vrf
ip nat pool customer2-nat-pool ... ... prefix-length 24
ip access-list extended customer2-acl
 deny ip <router-generated-ip> ...
 permit ip ... ...
ip nat inside source list customer2-acl pool customer2-nat-pool overload vrf customer2-vrf

Shared pool for all VRFs
1. Efficient use of addresses
2. Less configuration
3. Removing one customer disrupts NAT for every other customer sharing the pool
ip nat pool shared-nat-pool ... ... prefix-length 16
ip access-list extended shared-cust-acl
 deny ip <router-generated-ip> ...
 permit ip ... ...
ip nat inside source list shared-cust-acl pool shared-nat-pool overload vrf customer1-vrf
ip nat inside source list shared-cust-acl pool shared-nat-pool overload vrf customer2-vrf
(The deny for the router-generated address keeps the GW's own traffic out of the translation.)

What Mode of NAT to Run: NAT vs. CGN

Feature                                  Traditional NAT                                   Carrier Grade NAT (CGN)
Session entry                            Full 5-tuple {protocol, source address,           3-tuple {protocol, source address, source port}
                                         source port, destination address, destination port}
Default timeout                          24 hrs for TCP                                    15 mins for TCP
Outside mapping rule                     Supported                                         Not supported
(ip nat outside source)
EIM/EIF                                  Not supported                                     Supported
High Speed Logging (HSL)                 Logs full tuples                                  No destination info in the logging record
Bulk logging and Port Block Allocation   Not supported                                     Supported
Scalability                              -                                                 Double that of traditional NAT
License                                  No license required                               Requires a license

NAT vs. CGN: Session Entry
Traditional NAT keeps all four columns of a session in show ip nat translations:
Pro  Inside global  Inside local  Outside local  Outside global
tcp  ...:...        ...:...       ...:...        ...:23
CGN keeps only the inside pair (no destination information):
Pro  Inside global  Inside local  Outside local  Outside global
tcp  ...:...        ...:...       -              -
NAT vs. CGN: EIM/EIF
Endpoint-Independent Mapping (EIM) provides a stable, long-term binding: an internal host reuses the same NAT binding for multiple external hosts as long as its internal port does not change.
Endpoint-Independent Filtering (EIF) is closely related to EIM and controls which external hosts may reach an internal host through an established binding.
inside -> CGN -> outside:
  X:x -> Y1:y1   is translated to   X1:x1 -> Y1:y1
  X:x -> Y2:y2   is translated to   X1:x1 -> Y2:y2
EIM implies X1:x1 = X2:x2 for all Y:y (here Y1:y1 and Y2:y2). This is typical for peer-to-peer applications and some Internet messenger protocols.
The flip side: with EIF, once the binding exists any external host, not only Y1 or Y2, can send to X1:x1 and be delivered to X:x, so the NAT no longer limits who can reach the internal endpoint; that is what makes the binding usable by a peer that has never been contacted.
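The difference between the two filtering behaviours is easiest to see in code. The following is an added example, not part of the presentation and not ASR 1000 code: a toy NAT with constructed endpoints that either keys its bindings on the inside endpoint X:x (EIM, with EIF on inbound) or on the full (inside, remote) session, as a traditional NAT does. The per-session mode hands out a fresh external port per session purely for clarity; a real PAT may reuse the port, and it is the inbound filtering that differs.

```python
"""Endpoint-independent mapping and filtering (EIM/EIF, as in CGN mode)
versus per-session mapping and filtering (traditional 5-tuple NAT).
Added example: a tiny NAT model with constructed endpoints, not ASR 1000 code.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Iterator, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Nat:
    """mode="eim": one binding per inside endpoint X:x, any remote may use it (EIF).
    mode="session": one binding per (inside, remote) pair; inbound must match it."""
    public_ip: str
    mode: str = "eim"
    _ports: Iterator[int] = field(default_factory=lambda: count(1024))
    eim: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    sessions: Dict[Tuple[Endpoint, Endpoint], Endpoint] = field(default_factory=dict)

    def _alloc(self) -> Endpoint:
        return (self.public_ip, next(self._ports))

    def outbound(self, inside: Endpoint, remote: Endpoint) -> Endpoint:
        """Translate X:x -> Y:y leaving the NAT; returns the external source X1:x1."""
        if self.mode == "eim":
            # EIM: reuse the binding regardless of which remote Y:y is contacted
            if inside not in self.eim:
                self.eim[inside] = self._alloc()
            return self.eim[inside]
        # traditional: the binding is keyed on the full (inside, remote) session
        key = (inside, remote)
        if key not in self.sessions:
            self.sessions[key] = self._alloc()
        return self.sessions[key]

    def inbound(self, remote: Endpoint, ext: Endpoint) -> Optional[Endpoint]:
        """A packet from `remote` arrives at X1:x1. Return the inside endpoint it is
        delivered to, or None if the NAT drops it."""
        if self.mode == "eim":
            # EIF: the binding admits traffic from any remote endpoint, solicited or not
            return next((i for i, e in self.eim.items() if e == ext), None)
        # per-session filtering: only the remote this session was opened to
        return next((i for (i, r), e in self.sessions.items()
                     if e == ext and r == remote), None)


def demo() -> Dict[str, object]:
    """Constructed endpoints: one inside host talking to two peers, then an
    unsolicited third host probing the external address/port."""
    x, y1, y2 = ("10.1.1.10", 5000), ("203.0.113.5", 80), ("198.51.100.7", 443)
    stranger = ("192.0.2.99", 9999)
    cgn, nat = Nat("192.0.2.1", "eim"), Nat("192.0.2.1", "session")
    return {
        "cgn_same_ext_port": cgn.outbound(x, y1) == cgn.outbound(x, y2),
        "cgn_unsolicited_inbound": cgn.inbound(stranger, cgn.outbound(x, y1)),
        "nat_same_ext_port": nat.outbound(x, y1) == nat.outbound(x, y2),
        "nat_unsolicited_inbound": nat.inbound(stranger, nat.outbound(x, y1)),
        "nat_solicited_inbound": nat.inbound(y1, nat.outbound(x, y1)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In EIM mode the stranger's packet is delivered to X:x; in session mode it is dropped while Y1's reply still gets through. That is the trade-off behind the "EIM/EIF supported" row of the table: friendlier to peer-to-peer applications, but the CGN stops acting as a stateful filter for the internal host.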
NAT vs. CGN: High Speed Logging (HSL)
A high-speed NAT device generates NAT transaction events (creation/deletion) at more than 100k events/sec, which syslog cannot sustain. HSL lets the NAT datapath export the transaction records (NetFlow v9-like) directly to an external collector.

HSL record fields:
Field                              Format
Source IP address                  IPv4 address
Translated source IP address       IPv4 address
Destination IP address             IPv4 address (not available in CGN)
Translated destination IP address  IPv4 address
Original source port               16-bit port
Translated source port             16-bit port
Original destination port          16-bit port (not available in CGN)
Translated destination port        16-bit port
VRF ID                             32-bit ID
Protocol                           8-bit value
Event                              0 = invalid, 1 = add event, 2 = delete event
Timestamp                          Unix timestamp in milliseconds, 64-bit value
NAT vs. CGN: Bulk Logging and Port Block Allocation (BPA)
Problem: the high setup/teardown rates on NAT devices force customers to store terabits of HSL data per day; customers want this volume reduced significantly.
Solution: give each end user a block of ports and log only when the block is associated with or released from the user, instead of logging every session.
Example: a BPA configuration with set size 8 and step size 4 divides ports 1024-1055 into four interleaved sets:
Set 0 = {1024, 1028, 1032, 1036, 1040, 1044, 1048, 1052}
Set 1 = {1025, 1029, 1033, 1037, 1041, 1045, 1049, 1053}
Set 2 = {1026, 1030, 1034, 1038, 1042, 1046, 1050, 1054}
Set 3 = {1027, 1031, 1035, 1039, 1043, 1047, 1051, 1055}

BPA record fields:
Field                          Format
Source IP address              IPv4 address
Translated source IP address   IPv4 address
VRF ID                         32-bit ID
Protocol                       8-bit value
Event                          0 = invalid, 1 = add event, 2 = delete event
Timestamp                      Unix timestamp in milliseconds, 64-bit value
Port block start               16-bit port
Port block step size           16-bit step size
Number of ports in the block   16-bit number
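To make the set/step arithmetic and the logging reduction concrete, here is an added example (not from the presentation, not Cisco code) that generates the interleaved sets above, hands one block at a time to each constructed subscriber, and emits one record per block with the fields listed on the slide. The record is a plain dict following that field list; the real NetFlow v9 encoding is not reproduced.

```python
"""Bulk Port Allocation (BPA): interleaved port sets of (set size, step size),
one set per subscriber, with one HSL record per block instead of one per
session. Added example with constructed subscribers; the record dict follows
the field list on the slide, not the real NetFlow v9 encoding."""
from typing import Dict, List, Tuple

Block = Tuple[int, int, int]  # (port block start, step size, number of ports)


def port_sets(first_port: int, set_size: int, step: int) -> List[List[int]]:
    """The `step` interleaved sets that tile first_port .. first_port+set_size*step-1.
    Set k = {first_port+k, first_port+k+step, ...} with set_size members."""
    return [[first_port + k + i * step for i in range(set_size)] for k in range(step)]


def block_ports(block: Block) -> List[int]:
    """Expand a (start, step, count) record back into the ports it covers."""
    start, step, n = block
    return [start + i * step for i in range(n)]


class BulkPat:
    """PAT on one public address that hands out whole port blocks to subscribers."""

    def __init__(self, public_ip: str, vrf_id: int, first_port: int = 1024,
                 set_size: int = 8, step: int = 4) -> None:
        self.public_ip, self.vrf_id = public_ip, vrf_id
        self.set_size, self.step = set_size, step
        self._base, self._k = first_port, 0       # next set to hand out
        self.current: Dict[str, Block] = {}       # subscriber -> block in use
        self.used: Dict[str, int] = {}            # ports consumed from that block
        self.log: List[dict] = []                 # BPA HSL records
        self.sessions = 0
        self._clock = 0                           # constructed timestamp source

    def _next_block(self) -> Block:
        block = (self._base + self._k, self.step, self.set_size)
        self._k += 1
        if self._k == self.step:                  # all sets of this range handed out
            self._k, self._base = 0, self._base + self.set_size * self.step
        return block

    def _record(self, subscriber: str, proto: int, event: int, block: Block) -> None:
        self._clock += 1
        self.log.append({
            "src": subscriber, "xlate_src": self.public_ip, "vrf_id": self.vrf_id,
            "proto": proto, "event": event, "ts_ms": self._clock,
            "block_start": block[0], "block_step": block[1], "block_ports": block[2],
        })

    def new_session(self, subscriber: str, proto: int = 6) -> Tuple[str, int]:
        """Allocate one translated source port; logs only when a block is assigned."""
        self.sessions += 1
        block = self.current.get(subscriber)
        if block is None or self.used[subscriber] == block[2]:
            block = self._next_block()
            self.current[subscriber], self.used[subscriber] = block, 0
            self._record(subscriber, proto, 1, block)   # event 1 = add
        port = block[0] + self.used[subscriber] * block[1]
        self.used[subscriber] += 1
        return (self.public_ip, port)

    def release(self, subscriber: str, proto: int = 6) -> None:
        """Subscriber goes away: one delete record (event 2) for its block."""
        block = self.current.pop(subscriber, None)
        if block is not None:
            self.used.pop(subscriber, None)
            self._record(subscriber, proto, 2, block)


if __name__ == "__main__":
    print(port_sets(1024, 8, 4))
    pat = BulkPat("192.0.2.1", vrf_id=7)
    for _ in range(20):
        pat.new_session("10.1.1.10")
    pat.new_session("10.1.1.11")
    print(f"{pat.sessions} sessions -> {len(pat.log)} BPA records "
          f"(per-session HSL would have produced {pat.sessions})")
```

Twenty-one sessions produce four block records instead of twenty-one session records, and a collector can reconstruct which ports a subscriber held from (start, step, count) alone. The price, as the slide's table already notes for CGN, is that the record carries no destination, so attributing a public port to a subscriber at a given time works, but answering "who talked to this server" from the logs does not.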
Cloud Gateway HA Design

High Availability Design
- Dual GWs, dual PEs, dual SRs
- Fast failure detection: BFD (sub-second); not all platforms support BFD
- Common failure detection: BGP keepalive/hold timers (tens of seconds)
- BGP determines the active path, keeps routing symmetric and governs convergence time
- From the NAT perspective the GWs are in (stateless) active/standby: translation state is not synchronized between GW1 and GW2, so sessions are rebuilt after a failover
Topology: PE1/PE2 (AS65004) -- N x eBGP with BFD -- GW1/GW2 (AS577: VRFR and Service VRF) -- eBGP with BFD -- SR1/SR2 (HCS, AS223); iBGP over VASI inside each GW.

Failover Scenario: GW1-SR1 BGP session down
- PE1-GW1-SR1 is the active path; PE2-GW2-SR2 is the standby path
- When the GW1-SR1 BGP session goes down, GW1 withdraws S_Network from PE1
- PE2-GW2-SR2 becomes the best path and GW2 begins to set up NAT translations

Failover Scenario: PE1-GW1 BGP session down
- PE1-GW1-SR1 is the active path; PE2-GW2-SR2 is the standby path
- When the PE1-GW1 BGP session goes down, GW1 is still advertising the NAT_Pool to SR1: the pool is a static null0 route redistributed into BGP, so it does not depend on the PE session
- SR1 therefore keeps sending return traffic for the pool to GW1, which blackholes the customer traffic

Failover Scenario: PE1-GW1 BGP session down (cont'd)
Solution: BGP VRF-aware conditional advertisement. The condition is that C_NetworkR exists in the BGP VRFR table on GW1; while it does, GW1 advertises NAT_Pool toward VASIright (the Service VRF), otherwise it withdraws NAT_Pool from VASIright, so SR1 stops using GW1 as soon as the customer prefix disappears.

Failover Scenario: PE1-GW1 BGP session down (cont'd), configuration (addresses that did not survive the transcription are shown as ...)
interface GigabitEthernet0/0/0.2
 description PE facing interface for VRFR
 encapsulation dot1q 2
 vrf forwarding VRFR
 ip address ...
 ip nat inside
 bfd interval 50 min_rx 50 multiplier 3
interface vasileft1
 vrf forwarding VRFR
 ip address ...
 ip nat outside
interface vasiright1
 vrf forwarding VRFS
 ip address ...
interface GigabitEthernet0/0/1
 description Cloud facing interface for Service VRF
 vrf forwarding VRFS
 ip address ...
access-list 4 permit ...
ip nat pool pool-pc ... ... prefix-length 30
ip nat inside source list 4 pool pool-pc vrf VRFR overload
ip prefix-list VRF_Pool seq 5 permit .../32
ip prefix-list p1-adv-1 seq 5 permit .../32      (the NAT pool to advertise)
ip prefix-list p1-exist-1 seq 5 permit .../32    (C_NetworkR, the condition)
router bgp 577
 address-family ipv4 vrf VRFS
  bgp router-id ...
  bgp log-neighbor-changes
  neighbor ... remote-as 223
  neighbor ... description PEERING to SR
  neighbor ... activate
  neighbor ... remote-as 577
  neighbor ... next-hop-self
  neighbor ... description PEERING to VASI VRFR interface
  neighbor ... activate
 address-family ipv4 vrf VRFR
  bgp router-id ...
  redistribute static
  neighbor ... remote-as 577
  neighbor ... description PEERING to VASI VRFS interface
  neighbor ... activate
  neighbor ... advertise-map ADV-1 exist-map EXIST-1
  neighbor ... prefix-list VRF_Pool out
  neighbor ... remote-as ...
  neighbor ... description PEERING to PE
  neighbor ... activate
route-map ADV-1 permit 10
 match ip address prefix-list p1-adv-1
route-map EXIST-1 permit 10
 match ip address prefix-list p1-exist-1
ip route vrf VRFR ... ... null0
Note: the advertise-map/exist-map pair is attached to the VASI neighbor in the VRFR address family; the pool prefix in ADV-1 is advertised only while a prefix matching EXIST-1 is present in the VRFR BGP table.
Intra-Chassis Redundancy: the ASR 1000 is built for carrier-grade HA
- Redundant ESP and RP on the ASR 1006 and ASR 1013
- Zero packet loss on RP failover; less than 50 ms loss on ESP failover
- Intra-chassis Stateful Switchover (SSO) support for NAT
- IOS XE also provides full network resiliency support: NSR/GR for BGP, BFD, SSO, and ISSU
(Diagram: chassis with redundant RPs, redundant ESPs (QFP with PPEs and BQS, FECP, crypto assist) and SIPs carrying SPAs.)

Performance, Scalability and Operational Best Practice

ASR 1000 Building Blocks
- Route Processor (RP): handles control-plane traffic and manages the system
- Embedded Service Processor (ESP): handles forwarding-plane traffic; contains the QFP with its Packet Processing Engines (PPE), the Buffering/Queuing/Scheduling block (BQS), the crypto assist engine and the FECP control CPU
- SPA Interface Processor (SIP): houses the Shared Port Adapters (SPAs) that provide interface connectivity and buffers packets in and out
- Centralized forwarding architecture: all traffic flows through the active ESP; the standby ESP is synchronized with all flow state over a dedicated 10-Gbps link
- Distributed control architecture: every major system component has a powerful control processor dedicated to the control and management planes

NAT and ESP Resource Dependencies
- TCAM: ACL/ACE entries and route-maps used by NAT classification
- QFP resource DRAM: NAT sessions and NAT VFR (virtual fragment reassembly)
- FECP memory: QFP client/driver, statistics, the copy of ACL ACEs, NAT configuration objects
(Diagram: ESP block diagram with FECP, QFP complex of 40 PPEs, BQS, packet-buffer DRAM, resource DRAM, TCAM, crypto engine, and interconnects to the RPs and SIPs.)
ASR 1000 NAT Scalability (uni-dimensional)
                          ASR 1001  ASR 1002-X  ESP5   ESP10  ESP20  ESP40  ESP100  ESP200
NAT sessions (classic)    250k      2M          250k   1M     2M     2M     4M      4M
NAT sessions (CGN)        500k      4M          500k   1.75M  4M     4M     12M     12M
NAT pools / VRFs for      4k        4k          1k     1k     4k     4k     4k      4k
VRF-aware NAT /
route-maps with NAT
(The transcript merges the last three rows into one set of per-column values.)

ASR 1000 NAT Performance (uni-dimensional)
                          ASR 1001  ASR 1002-X   ESP5    ESP10    ESP20                       ESP40                      ESP100        ESP200
NAT session setup rate    50cps     230cps (PAT) 50kcps  100kcps  200kcps (dyn)/139kcps (PAT) 200kcps (dyn)/95kcps (PAT) 250kcps (PAT) 300kcps (PAT)
NAT (classic) performance 3Mpps     10Mpps       3Mpps   6Mpps    8Mpps                       9Mpps                      23Mpps        45Mpps
NAT (CGN) performance     2.2Mpps   -            2.2Mpps 5Mpps    7Mpps                       7Mpps                      18Mpps        34Mpps
NAT (classic) throughput  5Gbps     36Gbps       5Gbps   10Gbps   20Gbps                      40Gbps                     100Gbps       200Gbps
(Setup-rate values are given as transcribed; dyn = dynamic NAT, PAT = overload.)

Application Layer Gateway (ALG)
The ASR 1000 supports a comprehensive set of ALGs. With ALG traffic, an "any any" NAT ACL is not supported: it can lead to undesired payload translations and unexpected application behaviour, so match the ALG traffic precisely.
ALG      VFR  vTCP  L4       VRF  HA
FTP      Yes  No    tcp      Yes  Yes
H323     No   Yes   tcp,udp  Yes  Yes
RTSP     Yes  Yes   tcp      Yes  Yes
SCCP     No   No    tcp      Yes  Yes
SIP      Yes  Yes   tcp,udp  Yes  Yes
TFTP     No   N/A   udp      Yes  Yes
NETBIOS  No   No    tcp,udp  Yes  Yes
RCMD     No   No    tcp      Yes  Yes
LDAP     No   No    tcp      Yes  Yes
DNS      Yes  Yes   tcp,udp  Yes  Yes
SUNRPC   Yes  No    tcp      Yes  Yes
MSRPC    Yes  No    tcp      Yes  Yes
PPTP     No   -     tcp      Yes  Yes
(VFR = virtual fragment reassembly; vTCP = TCP reassembly for the ALG.)
ASR 1000 HSL Supported Collectors: Isarflow, Lancope, ActionPacked

Key System Resources to Monitor
Resources: RP CPU and memory (IOS, Forwarding Manager); ESP memory and FECP CPU (Forwarding Manager, QFP client/driver); QFP datapath utilization; QFP resource DRAM and packet memory; TCAM; crypto assist; SIP.
Commands:
show memory statistics
show processes cpu sorted
show platform software status control-processor brief
show platform hardware qfp active datapath utilization summary
show platform hardware qfp active tcam resource-manager usage
show platform hardware qfp active infrastructure exmem statistics
The slide annotates the datapath with a 75% mark and the TCAM/DRAM side with an 85% mark; the thresholds are spelled out on the next two slides.

ASR 1000 Cloud Gateway Monitoring Guide (1)
- General best practice: in a live deployment, RP/IOS/ESP CPU and memory utilization should not exceed 75% in steady state
- General best practice: in a live deployment, QFP DRAM utilization should not exceed 85% in steady state

ASR 1000 Cloud Gateway Monitoring Guide (2)
For TCAM monitoring, watch syslog for:
%QFPTCAMRM-6-TCAM_RSRC_ERR: F0: QFP_sp: Allocation failed because of insufficient TCAM resources in the system
Recommendations:
1. Measure TCAM utilization in a lab before making changes
2. Always keep a number of unused TCAM entries equal to or greater than the size of the biggest ACL on the router
3. Be aware of the TCAM deny-jump issue (see Common Issues below)
Set the Limit
Set the system-wide NAT max-entries to no more than the platform scale:
 ip nat translation max-entries <number of entries>
Be aware that:
1. The NAT session scaling numbers are measured with a few pools
2. PAT session scale is expected to drop as the number of overload pools rises
3. One data point: an ESP20 supports 500k sessions with 1200 overload pools versus 2M sessions with a few pools
Set a per-VRF max-entries so that a single customer cannot starve the whole system's translation limit:
 ip nat translation max-entries vrf <vrf_name> <number of entries>

Feature Interaction
This architecture has been validated with the following features on the Cloud Gateway; do not enable additional features unless they have been tested before deployment:
- VRF-aware NAT + VASI + MP-BGP
- On VASI: ACL, policing/marking MQC, PBR, eBGP or iBGP

Common Issues: TCAM Deny-Jump (1)
Problem description: in ASR 1000 IPsec/FW/NAT deployments the user may see:
%CPP_FM-3-CPP_FM_TCAM_ERROR: F0: cpp_sp: TCAM limit exceeded
Error message explanation: this is a protection mechanism that prevents the system from crashing with a WATCHDOG timeout or a malloc failure.
Root cause analysis:
1. The classification engine in the TCAM can only represent permit entries
2. The system converts the deny entries into permit entries using a cross product
3. This recursive expansion makes the required number of entries explode
Common Issues: TCAM Deny-Jump (2)
Workarounds:
1. Before deploying the platform in production, apply the configuration in a lab
2. Modify the ACLs to use multiple specific permit statements and reduce or eliminate explicit deny statements
3. Use PBR to bypass NAT. Traffic that should not be translated is policy-routed into vasileft1, which is not a NAT outside interface, so it crosses the VASI pair untranslated and the NAT ACL no longer needs a deny:
   Original NAT config:
   ip nat inside source list NAT-ACL pool NAT-POOL overload
   ip access-list extended NAT-ACL
    deny ip ... any
    permit ip ... any
   VASI and PBR to bypass NAT:
   ip nat inside source list NAT-ACL pool NAT-POOL overload
   interface GigabitEthernet0/0/1
    description nat inside interface
    ip address ...
    ip nat inside
    ip policy route-map no-nat-rmap
   interface vasileft1
    ip address ...
   interface vasiright1
    ip address ...
   ip access-list extended NAT-ACL
    permit ip ... any
   ip access-list extended bypass-nat
    permit ip ... any
   route-map no-nat-rmap permit 10
    match ip address bypass-nat
    set interface vasileft1
4. Static NAT. A host excluded with a deny can instead be given an identity (static, same-address) translation, so the dynamic ACL keeps only permits:
   Original NAT config:
   ip nat inside source list NAT-ACL pool NAT-POOL overload
   ip access-list extended NAT-ACL
    deny ip host ... any
    permit ip ... any
   Identity NAT:
   ip nat inside source static ... ... no-alias
   ip nat inside source list NAT-ACL pool NAT-POOL overload
   ip access-list extended NAT-ACL
    permit ip ... any
Solutions:
1. IOS XE 3.10 introduced a software classification engine that handles deny-jump-like classification
2. The system still uses the TCAM as long as it has room; when the ACL does not fit, it switches to the software classification engine
(Addresses that did not survive the transcription are shown as ...)
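The root-cause slide says the TCAM classifier only stores permits and that denies are turned into permits by a cross product. The following added example (not from the presentation and not the QFP classification engine, which is not public) models that expansion for IPv4 source/destination prefixes so the "explosion" can be counted: each permit is rewritten as its region minus every earlier deny, using the fact that two prefixes are either nested or disjoint. The ACLs are constructed; the first mirrors the slide's "deny some networks, permit the rest" NAT ACL and the second is the recommended rewrite with specific permits only.

```python
"""Why a deny in an ACL explodes into many TCAM entries ("deny-jump").
The TCAM classifier can only hold permit entries, so each permit has to be
rewritten as "its region minus every earlier deny", a cross product over the
source and destination dimensions. Added example, a simplified model of the
expansion the slide describes (IPv4 source/destination prefixes only, no ports
or protocol), not the QFP classification engine itself. ACLs are constructed."""
import ipaddress
from typing import List, Tuple

Prefix = Tuple[int, int]        # (network as int, prefix length)
Rect = Tuple[Prefix, Prefix]    # (source prefix, destination prefix)
Ace = Tuple[str, str, str]      # (action, source cidr, destination cidr)


def parse(cidr: str) -> Prefix:
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), net.prefixlen


def _mask(plen: int) -> int:
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF


def contains(outer: Prefix, inner: Prefix) -> bool:
    """True when every address of `inner` lies inside `outer`."""
    return inner[1] >= outer[1] and (inner[0] & _mask(outer[1])) == outer[0]


def prefix_minus(p: Prefix, a: Prefix) -> List[Prefix]:
    """p minus a, as prefixes. Prefixes are nested or disjoint, so the difference
    of a nested `a` is one sibling prefix per bit of depth between p and a."""
    if contains(a, p):
        return []                      # a covers p entirely
    if not contains(p, a):
        return [p]                     # disjoint: nothing to cut
    anet, aplen = a
    return [((anet & _mask(k)) ^ (1 << (32 - k)), k) for k in range(p[1] + 1, aplen + 1)]


def rect_minus(r: Rect, d: Rect) -> List[Rect]:
    """(Rs x Rd) minus (Ds x Dd) = (Rs-Ds) x Rd  +  (Rs&Ds) x (Rd-Dd)."""
    (rs, rd), (ds, dd) = r, d
    out = [(s, rd) for s in prefix_minus(rs, ds)]
    if contains(rs, ds):
        inter = ds
    elif contains(ds, rs):
        inter = rs
    else:
        return out                     # sources disjoint: the deny cannot touch r
    return out + [(inter, t) for t in prefix_minus(rd, dd)]


def expand_acl(acl: List[Ace]) -> List[Rect]:
    """Permit-only entries equivalent to a first-match ACL that contains denies."""
    entries: List[Rect] = []
    denies: List[Rect] = []
    for action, src, dst in acl:
        rect = (parse(src), parse(dst))
        if action == "deny":
            denies.append(rect)        # a deny only shadows permits that come after it
            continue
        rects = [rect]
        for d in denies:
            rects = [x for r in rects for x in rect_minus(r, d)]
        entries.extend(rects)
    return entries


# Constructed ACLs. The first mirrors the slide's "deny <networks>, permit any"
# NAT ACL; the second is the recommended rewrite with specific permits only.
DENY_JUMP_ACL: List[Ace] = [
    ("deny", "10.1.1.0/24", "0.0.0.0/0"),
    ("deny", "0.0.0.0/0", "192.168.0.0/16"),
    ("permit", "0.0.0.0/0", "0.0.0.0/0"),
]
PERMIT_ONLY_ACL: List[Ace] = [
    ("permit", "10.2.0.0/16", "0.0.0.0/0"),
    ("permit", "10.3.0.0/16", "0.0.0.0/0"),
]


if __name__ == "__main__":
    print("deny-jump ACL   ->", len(expand_acl(DENY_JUMP_ACL)), "permit-only entries")
    print("permit-only ACL ->", len(expand_acl(PERMIT_ONLY_ACL)), "permit-only entries")
```

One deny of a /24 under "permit any any" already costs 24 entries (one sibling prefix per bit between /0 and /24); a second deny on the destination side multiplies rather than adds, giving 24 x 16 = 384 entries for a three-line ACL. The two-line permit-only rewrite costs two entries, which is the whole argument behind workaround 2.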
Common Issues: NAT ADDR_ALLOC_FAILURE (1)
Problem description: in an ASR 1000 PAT/overload configuration the system logs:
%NAT-6-ADDR_ALLOC_FAILURE: Address allocation failed; pool 1 may be exhausted
Debug information that should be gathered:
show platform hardware qfp active feature nat datapath pool
show platform hardware qfp active feature nat datapath port
show platform hardware qfp active feature nat datapath stats
show platform hardware qfp active feature nat datapath base
show ip nat translations | include <global address of interest>
Common reason for the failure:
1. The customer has a small pool that is being consumed by non-PATable binds
2. A non-PATable bind shows up in show ip nat translations as a single inside local address associated with a single inside global address, with no port
3. Each such bind consumes an entire address of the pool, so a handful of them exhaust a /30 or /29 pool that would otherwise serve thousands of PAT sessions

Common Issues: NAT ADDR_ALLOC_FAILURE (2)
Solution 1
1. A non-PATable bind can be created by a packet of a non-PATable protocol (one without L4 ports, such as GRE or ESP)
2. The best prevention is to tighten the NAT ACL so that only PATable protocols are translated:
access-list 100 permit udp ... any
access-list 100 permit tcp ... any
access-list 100 permit icmp ... any
Solution 2
1. A non-PATable bind can also be created by an ALG such as DNS, which has no ports in its L7 header and requests a global NAT address for the bind
2. Customers often do not need the DNS ALG, so the solution is to turn it off
3. The most common ALGs that produce non-PATable binds are disabled with:
no ip nat service dns udp
no ip nat service dns tcp
no ip nat service netbios-ns tcp
no ip nat service netbios-ns udp
no ip nat service netbios-ssn
no ip nat service netbios-dgm
no ip nat service ldap
(Source networks that did not survive the transcription are shown as ...)
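The exhaustion mechanism on these two slides, and the per-VRF max-entries protection from the "Set the Limit" slide, can be reproduced with a small allocator. This is an added example with constructed flows, a simplified model of the behaviour the slides describe rather than the ASR 1000 implementation: PATable flows (TCP/UDP/ICMP) share one pool address, a non-PATable bind takes a whole address, the DNS ALG turns a DNS flow into a non-PATable bind, the tightened ACL keeps GRE/ESP out of NAT entirely, and a per-VRF cap stops one tenant from consuming the system-wide entry budget.

```python
"""How a small PAT pool is exhausted by non-PATable binds, and how the
tightened NAT ACL, disabling the DNS ALG, and per-VRF max-entries each help.
Added example with constructed flows; the allocator is a simplified model of
the behaviour described on the slides, not the ASR 1000 implementation."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PATABLE_PROTOS = {"tcp", "udp", "icmp"}   # carry a port/ID the PAT can multiplex on


class AllocFailure(Exception):
    """Models %NAT-6-ADDR_ALLOC_FAILURE or a max-entries refusal."""


@dataclass(frozen=True)
class Flow:
    vrf: str
    src: str          # inside local address
    proto: str
    dst: str
    dport: int = 0


def nat_acl_permits(f: Flow) -> bool:
    """The slide's tightened ACL (permit udp/tcp/icmp only) as a predicate: a flow
    it rejects never becomes a NAT candidate and so cannot take a pool address."""
    return f.proto in PATABLE_PROTOS


@dataclass
class PatPool:
    addresses: List[str]                                       # inside-global pool
    max_entries: Optional[int] = None                          # ip nat translation max-entries
    vrf_max: Dict[str, int] = field(default_factory=dict)      # ... max-entries vrf <name> N
    dns_alg: bool = True                                       # ip nat service dns udp/tcp
    owner: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # addr -> ("pat","") | ("bind", src)
    per_vrf: Dict[str, int] = field(default_factory=dict)
    total: int = 0

    def _patable(self, f: Flow) -> bool:
        if f.proto not in PATABLE_PROTOS:
            return False               # e.g. GRE/ESP: no port, needs a whole address
        # slide: the DNS ALG requests a global address for its bind (non-PATable)
        return not (self.dns_alg and f.dport == 53)

    def _free_address(self) -> str:
        for a in self.addresses:
            if a not in self.owner:
                return a
        raise AllocFailure("%NAT-6-ADDR_ALLOC_FAILURE: Address allocation failed; pool may be exhausted")

    def translate(self, f: Flow) -> str:
        """Return the inside-global address for a new translation of `f`."""
        limit = self.vrf_max.get(f.vrf)
        if limit is not None and self.per_vrf.get(f.vrf, 0) >= limit:
            raise AllocFailure(f"vrf {f.vrf} reached max-entries {limit}")
        if self.max_entries is not None and self.total >= self.max_entries:
            raise AllocFailure("system max-entries reached")
        wanted = ("pat", "") if self._patable(f) else ("bind", f.src)
        addr = next((a for a, o in self.owner.items() if o == wanted), None)
        if addr is None:               # PAT address not yet taken, or new non-PATable host
            addr = self._free_address()
            self.owner[addr] = wanted
        self.per_vrf[f.vrf] = self.per_vrf.get(f.vrf, 0) + 1
        self.total += 1
        return addr


def allocation_fails(pool: PatPool, f: Flow) -> bool:
    """True if translating `f` raises AllocFailure (pool exhausted or cap reached)."""
    try:
        pool.translate(f)
    except AllocFailure:
        return True
    return False


if __name__ == "__main__":
    pool = PatPool(["192.0.2.1", "192.0.2.2"])      # a /30 pool: two usable addresses
    for i in range(100):                            # 100 TCP sessions share one address
        pool.translate(Flow("cust1", f"10.1.1.{i % 200}", "tcp", "198.51.100.1", 80))
    pool.translate(Flow("cust1", "10.1.1.5", "gre", "198.51.100.2"))   # takes the other
    esp = Flow("cust1", "10.1.1.6", "esp", "198.51.100.3")
    print("owners:", pool.owner, "| ESP flow fails:", allocation_fails(pool, esp),
          "| tightened ACL would admit it:", nat_acl_permits(esp))
```

Two non-PATable hosts are enough to empty a two-address pool that a hundred TCP sessions barely touched, which is why the slides point at the ACL and the ALGs rather than at the pool size. The per-VRF cap in the test below is the multi-tenant version of the same lesson: without it, one customer's flood of sessions is refused only when the system-wide limit is hit, at which point every other VRF is starved too.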
Summary and Take Away

NAT Deployment in Cloud Networks: Summary and Take Away
- Follow the proven connectivity models
- Stateless failover with BGP/BFD
- High-scale, high-performance NAT on the ASR 1000 (up to 200 Gbps and 12M CGN sessions on the ESP200)
- Monitor key system resources proactively
Keywords on the slide: Cloud Gateway, HA, BGP, VASI, NAT/CGN, connectivity, HSL, ALG.

Relevant Sessions at Cisco Live 2014
Breakout sessions:
- BRKSPG: IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers
- BRKARC-2019: Operating an ASR 1000
- BRKARC: IOS XE Advanced Troubleshooting (NAT, VPN, FW packet forwarding)
CVP CVP Enterprise Cisco SD-WAN Retail Profile (Hybrid WAN, Segmentation, Zone-Based Firewall, Quality of Service, and Centralized Policies) 2018 Cisco and/or its affiliates. All rights reserved. This
More informationImplementing MPLS VPNs over IP Tunnels
The MPLS VPNs over IP Tunnels feature lets you deploy Layer 3 Virtual Private Network (L3VPN) services, over an IP core network, using L2TPv3 multipoint tunneling instead of MPLS. This allows L2TPv3 tunnels
More informationConfiguring Stateful Interchassis Redundancy
The Stateful Interchassis Redundancy feature enables you to configure pairs of devices to act as backups for each other. This module describes conceptual information about and tasks for configuring stateful
More informationAdvanced IPv6 Training Course. Lab Manual. v1.3 Page 1
Advanced IPv6 Training Course Lab Manual v1.3 Page 1 Network Diagram AS66 AS99 10.X.0.1/30 2001:ffXX:0:01::a/127 E0/0 R 1 E1/0 172.X.255.1 2001:ffXX::1/128 172.16.0.X/24 2001:ff69::X/64 E0/1 10.X.0.5/30
More informationIntroduction to External Connectivity
Before you begin Ensure you know about Programmable Fabric. Conceptual information is covered in the Introduction to Cisco Programmable Fabric and Introducing Cisco Programmable Fabric (VXLAN/EVPN) chapters.
More informationFlexVPN HA Dual Hub Configuration Example
FlexVPN HA Dual Hub Configuration Example Document ID: 118888 Contributed by Piotr Kupisiewicz, Wen Zhang, and Frederic Detienne, Cisco TAC Engineers. Apr 08, 2015 Contents Introduction Prerequisites Requirements
More informationMultihoming with BGP and NAT
Eliminating ISP as a single point of failure www.noction.com Table of Contents Introduction 1. R-NAT Configuration 1.1 NAT Configuration 5. ISPs Routers Configuration 3 15 7 7 5.1 ISP-A Configuration 5.2
More informationCisco IOS IPv6. Cisco IOS IPv6 IPv6 IPv6 service provider IPv6. IPv6. data link IPv6 Cisco IOS IPv6. IPv6
IP6FD v6 Fundamentals, Design, and Deployment v3.0 Cisco IOS IPv6 Cisco IOS IPv6 IPv6 IPv6 service provider IPv6 IP IPv6 IPv6 data link IPv6 Cisco IOS IPv6 IPv6 IPv6 DHCP DNS DHCP DNS IPv6 IPv4 IPv6 multicast
More informationConfiguring Bridge Domain Interfaces
The Cisco ASR 1000 Series Aggregation Services Routers support the bridge domain interface (BDI) feature for packaging Layer 2 Ethernet segments into Layer 3 IP. Restrictions for Bridge Domain Interfaces,
More informationDeploying and Troubleshooting Network Address Translation
Deploying and Troubleshooting Network Address Translation Session mihollow@cisco.com 2 Copyright Printed in USA. Agenda The WWW of NAT The Why, the What, and the Where Pitfalls and How to Avoid Tools for
More informationConfiguring Multicast VPN Inter-AS Support
Configuring Multicast VPN Inter-AS Support Last Updated: December 23, 2011 The Multicast VPN Inter-AS Support feature enables Multicast Distribution Trees (MDTs) used for Multicast VPNs (MVPNs) to span
More informationStateful Network Address Translation 64
The feature provides a translation mechanism that translates IPv6 packets into IPv4 packets and vice versa. The stateful NAT64 translator algorithmically translates the IPv4 addresses of IPv4 hosts to
More informationUsing the Management Ethernet Interface
This chapter covers the following topics: Gigabit Ethernet Management Interface Overview, page 1 Gigabit Ethernet Port Numbering, page 1 IP Address Handling in ROMmon and the Management Ethernet Port,
More informationBGP MPLS VPNs. Introduction
This chapter describes services that are supported for Border Gateway Protocol (BGP) Multi-Protocol Label Switching (MPLS) Virtual Private Networks (VPNs). MPLS is a licensed Cisco feature that requires
More informationExam Questions Demo Cisco. Exam Questions CCIE SP CCIE Service Provider Written Exam
Cisco Exam Questions 400-201 CCIE SP CCIE Service Provider Written Exam Version:Demo 1. Which is one difference between H-VPLS and VPLS? A. VPLS is a point-to-point Layer-2 services and H-VPLS is a multipoint
More informationConfiguring multicast VPN
Contents Configuring multicast VPN 1 Multicast VPN overview 1 Multicast VPN overview 1 MD-VPN overview 3 Protocols and standards 6 How MD-VPN works 6 Share-MDT establishment 6 Share-MDT-based delivery
More informationConfiguring Network Address Translation
Finding Feature Information, on page 1 Network Address Translation (NAT), on page 2 Benefits of Configuring NAT, on page 2 How NAT Works, on page 2 Uses of NAT, on page 3 NAT Inside and Outside Addresses,
More informationDMVPN for R&S CCIE Candidates
DMVPN for R&S CCIE Candidates Johnny Bass CCIE #6458 BRKCCIE-3003 @CCIE6458 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public About the Presenter Johnny Bass Networking industry since
More informationTable of Contents Chapter 1 MPLS L3VPN Configuration
Table of Contents Table of Contents... 1-1 1.1 MPLS L3VPN Overview... 1-1 1.1.1 MPLS L3VPN Model... 1-2 1.1.2 MPLS L3VPN Implementation... 1-5 1.1.3 Nested MPLS L3VPN Implementation... 1-7 1.1.4 Hierarchical
More informationCCIE R&S Techtorial MPLS
CCIE R&S Techtorial MPLS Ing. Tomáš Kelemen Partner Systems Engineer CCIE #24395 Ing. Peter Mesjar Systems Engineer CCIE #17428 2011 Cisco Systems, Inc. All rights reserved. 1 Agenda Introduction to MPLS
More informationThis document is not restricted to specific software and hardware versions.
Contents Introduction Prerequisites Requirements Components Used Background Information Configure Network Diagram Configuration DN Bit Verify Troubleshoot Related Cisco Support Community Discussions Introduction
More informationConfiguring MPLS L3VPN
Contents Configuring MPLS L3VPN 1 MPLS L3VPN overview 1 Introduction to MPLS L3VPN 1 MPLS L3VPN concepts 2 MPLS L3VPN packet forwarding 5 MPLS L3VPN networking schemes 5 MPLS L3VPN routing information
More informationL3VPN Configuration. L3VPN Overview. Introduction to L3VPN
Table of Contents L3VPN Configuration 1 L3VPN Overview 1 Introduction to L3VPN 1 L3VPN Concepts 2 L3VPN Networking Schemes 3 OSPF VPN Extension 6 L3VPN Configuration Task List 8 Configuring VPN Instances
More informationFeature Information for BGP Control Plane, page 1 BGP Control Plane Setup, page 1. Feature Information for BGP Control Plane
Feature Information for, page 1 Setup, page 1 Feature Information for Table 1: Feature Information for Feature Releases Feature Information PoAP diagnostics 7.2(0)N1(1) Included a new section on POAP Diagnostics.
More informationConfiguring NetFlow and NetFlow Data Export
This module contains information about and instructions for configuring NetFlow to capture and export network traffic data. NetFlow capture and export are performed independently on each internetworking
More informationImplementing MPLS Layer 3 VPNs
A Multiprotocol Label Switching (MPLS) Layer 3 Virtual Private Network (VPN) consists of a set of sites that are interconnected by means of an MPLS provider core network. At each customer site, one or
More informationCCIE R&S v5.0. Troubleshooting Lab. Q1. PC 110 cannot access R7/R8, fix the problem so that PC 110 can ping R7
Troubleshooting Lab Q1. PC 110 cannot access R7/R8, fix the problem so that PC 110 can ping R7 Q2. R17 should have one default route which points to R12 via PPP as shown below R17# sh ip route S* 0.0.0.0/0
More informationProvisioning Overlay Networks
This chapter has the following sections: Using Cisco Virtual Topology System, page 1 Creating Overlays, page 2 Creating Network using VMware, page 4 Creating Subnetwork using VMware, page 4 Creating Routers
More informationCisco ASR 1000 Series Aggregation Services Routers: QoS Architecture and Solutions
Cisco ASR 1000 Series Aggregation Services Routers: QoS Architecture and Solutions Introduction Much more bandwidth is available now than during the times of 300-bps modems, but the same business principles
More informationBIG-IP CGNAT: Implementations. Version 12.1
BIG-IP CGNAT: Implementations Version 12.1 Table of Contents Table of Contents Deploying a Carrier Grade NAT... 7 Overview: The carrier-grade NAT (CGNAT) module... 7 About ALG Profiles...8 About CGNAT
More informationContents. EVPN overview 1
Contents EVPN overview 1 EVPN network model 1 MP-BGP extension for EVPN 2 Configuration automation 3 Assignment of traffic to VXLANs 3 Traffic from the local site to a remote site 3 Traffic from a remote
More informationRouting Configuration Guide, Cisco IOS XE Everest a (Catalyst 9300 Switches)
Routing Configuration Guide, Cisco IOS XE Everest 16.5.1a (Catalyst 9300 Switches) First Published: 2017-06-20 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA
More informationImplementing NAT-PT for IPv6
Implementing NAT-PT for IPv6 Last Updated: August 1, 2012 Network Address Translation--Protocol Translation (NAT-PT) is an IPv6 to IPv4 translation mechanism, as defined in RFC 2765 and RFC 2766, allowing
More informationRouter 6000 R17 Training Programs. Catalog of Course Descriptions
Router 6000 R7 Training Programs Catalog of Course Descriptions Catalog of Course Descriptions INTRODUCTION... 3 IP NETWORKING... 4 IP OVERVIEW & FUNDAMENTALS... 8 IP ROUTING OVERVIEW & FUNDAMENTALS...0
More informationMultiprotocol Label Switching
This module describes and how to configure it on Cisco switches. Restrictions for, page 1 Information about, page 1 How to Configure, page 3 Verifying Configuration, page 6 Restrictions for (MPLS) fragmentation
More informationMPLS VPN Explicit Null Label Support with BGP. BGP IPv4 Label Session
MPLS VPN Explicit Null Label Support with BGP IPv4 Label Session The MPLS VPN Explicit Null Label Support with BGP IPv4 Label Session feature provides a method to advertise explicit null in a Border Gateway
More informationConfiguring IPv6 Provider Edge over MPLS (6PE)
Finding Feature Information, page 1 Configuring 6PE, page 1 Finding Feature Information Your software release may not support all the features documented in this module. For the latest caveats and feature
More informationThe Loopback Interface
1 Overview The Loopback Interface ISP/IXP Workshops Requires IOS 11.1CC or 12.0 trains ISP software trains Covers router access, security, information gathering, configuration and scalability. 2 Motivation
More informationSecurizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN
Platformă de e-learning și curriculă e-content pentru învățământul superior tehnic Securizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN MPLS VPN 5-ian-2010 What this lecture is about: IP
More informationBGP mvpn BGP safi IPv4
The BGP mvpn BGP safi 129 IPv4 feature provides the capability to support multicast routing in the service provider s core IPv4 network This feature is needed to support BGP-based MVPNs BGP MVPN provides
More informationConfiguring Multiprotocol Label Switching (MPLS)
Configuring Multiprotocol Label Switching (MPLS) Multiprotocol Label Switching, page 1 Finding Feature Information, page 1 Information about Multiprotocol Label Switching, page 1 How to Configure Multiprotocol
More informationMPLS VPN. 5 ian 2010
MPLS VPN 5 ian 2010 What this lecture is about: IP CEF MPLS architecture What is MPLS? MPLS labels Packet forwarding in MPLS MPLS VPNs 3 IP CEF & MPLS Overview How does a router forward packets? Process
More informationConfiguring Static and Dynamic NAT Translation
This chapter includes the following sections: Network Address Translation Overview, on page 1 Information About Static NAT, on page 2 Dynamic NAT Overview, on page 3 Timeout Mechanisms, on page 3 NAT Inside
More informationImplementing Management Plane Protection
The Management Plane Protection (MPP) feature in Cisco IOS XR software provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature
More informationIPv6 Bootcamp Course (5 Days)
IPv6 Bootcamp Course (5 Days) Course Description: This intermediate - advanced, hands-on course covers pertinent topics needed for IPv6 migration and deployment strategies. IPv6 novices can expect to gain
More informationCase Study A Service Provider s Road to IPv6
Case Study A Service Provider s Road to IPv6 September 2010 Menog Amir Tabdili UnisonIP Consulting amir@unisonip.com The Scenario Residential Network L3 MPLS VPN Network Public Network The Scenario What
More informationCisco CCIE Service Provider.
Cisco 400-201 CCIE Service Provider http://killexams.com/pass4sure/exam-detail/400-201 Question: 569 **Refer to the exhibit. After the BGP TCP negotiation between RouterA and RouterB, what will be the
More informationRoute Leaking in MPLS/VPN Networks
Route Leaking in MPLS/VPN Networks Document ID: 47807 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Route Leaking from a Global Routing Table into a VRF and Route
More informationMPLS VPN Inter-AS with ASBRs Exchanging VPN-IPv4 Addresses
MPLS VPN Inter-AS with ASBRs Exchanging VPN-IPv4 Addresses The Multiprotocol Label Switching (MPLS) VPN Inter-AS with Autonomous System Boundary Routers (ASBRs) Exchanging VPN-IPv4 Addresses feature allows
More informationCCIE R&S LAB CFG H2/A5 (Jacob s & Jameson s)
Contents Section 1 Layer 2 Technologies... 2 1.1 Jameson s Datacenter: Access port... 2 1.2 Jameson s Datacenter: Trunk ports... 4 1.3 Jameson s Datacenter: Link bundling... 5 1.4 Jameson s Branch Offices...
More informationJunos Security. Chapter 4: Security Policies Juniper Networks, Inc. All rights reserved. Worldwide Education Services
Junos Security Chapter 4: Security Policies 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net Worldwide Education Services Chapter Objectives After successfully completing this chapter,
More informationPASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year
PASS4TEST IT Certification Guaranteed, The Easy Way \ http://www.pass4test.com We offer free update service for one year Exam : 642-691 Title : CCIP BGP + MPLS Exam (BGP + MPLS) Vendors : Cisco Version
More informationIPv6 Switching: Provider Edge Router over MPLS
Multiprotocol Label Switching (MPLS) is deployed by many service providers in their IPv4 networks. Service providers want to introduce IPv6 services to their customers, but changes to their existing IPv4
More informationCisco Evolved Programmable Network Implementation Guide for Large Network with End-to-End Segment Routing, Release 5.0
Cisco Evolved Programmable Network Implementation Guide for Large Network with End-to-End Segment Routing, Release 5.0 First Published: 2017-06-22 Americas Headquarters Cisco Systems, Inc. 170 West Tasman
More informationConfiguring MPLS, MPLS VPN, MPLS OAM, and EoMPLS
CHAPTER 43 Configuring MPLS, MPLS VPN, MPLS OAM, and EoMPLS This chapter describes how to configure multiprotocol label switching (MPLS) and Ethernet over MPLS (EoMPLS) on the Cisco ME 3800X and ME 3600X
More informationAdvanced CSR Lab with High Availability and Transit VPC
Advanced CSR Lab with High Availability and Transit VPC Fan Yang, Cisco, Engineer, Technical Marketing Nikolai Pitaev, Cisco, Engineer, Technical Marketing LTRVIR-3004 Agenda Slides (30 Min.): CSR 1000V
More informationConfiguring High Availability
The Cisco High Availability (HA) technology enable network-wide protection by providing quick recovery from disruptions that may occur in any part of a network. A network's hardware and software work together
More informationRestrictions for Disabling Flow Cache Entries in NAT and NAT64
The feature allows you to disable flow cache entries for dynamic and static Network Address Translation (NAT) translations. Disabling flow cache entries for dynamic and static translations saves memory
More informationPREREQUISITES TARGET AUDIENCE. Length Days: 5
Cisco Implementing Cisco IP Routing v2.0 (ROUTE) ROUTE v2.0 includes major updates and follows an updated blueprint. However, note that this course does not cover all items listed on the blueprint. Some
More informationImplementing DCI VXLAN Layer 3 Gateway
This chapter module provides conceptual and configuration information for Data Center Interconnect (DCI) VXLAN Layer 3 Gateway on Cisco ASR 9000 Series Router. Release Modification Release 5.3.2 This feature
More informationVRF Aware Cisco IOS Firewall
VRF Aware Cisco IOS Firewall VRF Aware Cisco IOS Firewall applies Cisco IOS Firewall functionality to VRF (Virtual Routing and Forwarding) interfaces when the firewall is configured on a service provider
More informationImplementing MPLS Forwarding
All Multiprotocol Label Switching (MPLS) features require a core set of MPLS label management and forwarding services; the MPLS Forwarding Infrastructure (MFI) supplies these services. Feature History
More informationEnterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV.
2 CHAPTER Cisco's Disaster Recovery as a Service (DRaaS) architecture supports virtual data centers that consist of a collection of geographically-dispersed data center locations. Since data centers are
More informationConfiguring MPLS L3VPN
Contents Configuring MPLS L3VPN 1 MPLS L3VPN overview 1 MPLS L3VPN concepts 2 MPLS L3VPN packet forwarding 4 MPLS L3VPN networking schemes 5 MPLS L3VPN routing information advertisement 8 Inter-AS VPN
More informationINTRODUCTION...2 SOLUTION DETAILS...3 NOTES...3 HOW IT WORKS...4
TESTING & INTEGRATION GROUP TECHNICAL DOCUMENT DefensePro out of path with Cisco router INTRODUCTION...2 SOLUTION DETAILS...3 NOTES...3 HOW IT WORKS...4 CONFIGURATION... 4 TRAFFIC FLOW... 4 SOFTWARE AND
More informationBGP Support for Next-Hop Address Tracking
The feature is enabled by default when a supporting Cisco software image is installed. BGP next-hop address tracking is event driven. BGP prefixes are automatically tracked as peering sessions are established.
More informationConfiguring MPLS and EoMPLS
37 CHAPTER This chapter describes how to configure multiprotocol label switching (MPLS) and Ethernet over MPLS (EoMPLS) on the Catalyst 3750 Metro switch. MPLS is a packet-switching technology that integrates
More informationFlow-Based Redirect. Finding Feature Information
The traffic from an IP session is redirected based on the destination address (for a simple IP session), and to a tunnel (for a mobile IP session). However, in some application scenarios, some of the traffic
More informationMPLS over GRE. Finding Feature Information. Prerequisites for MPLS VPN L3VPN over GRE
The feature provides a mechanism for tunneling Multiprotocol Label Switching (MPLS) packets over a non-mpls network. This feature utilizes MPLS over generic routing encapsulation (MPLSoGRE) to encapsulate
More informationSolution Guide. Infrastructure as a Service: EVPN and VXLAN. Modified: Copyright 2016, Juniper Networks, Inc.
Solution Guide Infrastructure as a Service: EVPN and VXLAN Modified: 2016-10-16 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights reserved.
More informationThe Loopback Interface
1 Overview The Loopback Interface Requires IOS 11.1CC, 12.0S or 12.0T ISP software trains ISP/IXP Workshops Covers router access, security, information gathering, configuration and scalability. ISP/IXP
More informationInitial motivation: 32-bit address space soon to be completely allocated. Additional motivation:
IPv6 Initial motivation: 32-bit address space soon to be completely allocated. Additional motivation: header format helps speed processing/forwarding header changes to facilitate QoS IPv6 datagram format:
More informationIPv6 Commands: n to re
IPv6 Commands: n to re nai (proxy mobile IPv6), page 3 neighbor override-capability-neg, page 4 neighbor send-label, page 6 neighbor translate-update, page 9 network (IPv6), page 12 nis address, page 14
More informationBIG-IP CGNAT: Implementations. Version 13.0
BIG-IP CGNAT: Implementations Version 13.0 Table of Contents Table of Contents Deploying a Carrier Grade NAT... 9 Overview: The carrier-grade NAT (CGNAT) module... 9 About ALG Profiles...10 About CGNAT
More informationMatch-in-VRF Support for NAT
The feature supports Network Address Translation (NAT) of packets that communicate between two hosts within the same VPN routing and forwarding (VRF) instance. In intra-vpn NAT, both the local and global
More informationThis document describes how to perform datapath packet tracing for Cisco IOS -XE software via the Packet Trace feature.
Contents Introduction Prerequisites Requirements Components Used Reference Topology Packet Tracing in Use Quick Start Guide Enable Platform Conditional Debugs Enable Packet Trace Egress Condition Limitation
More informationFlow-Based Redirect. Finding Feature Information
The traffic from an IP session is redirected based on the destination address (for a simple IP session), and to a tunnel (for a mobile IP session). However, in some application scenarios, some of the traffic
More informationipv6 mobile home-agent (global configuration)
ipv6 mobile home-agent (global configuration) ipv6 mobile home-agent (global configuration) To enter home agent configuration mode, use the ipv6 mobile home-agent command in global configuration mode.
More informationOperation Manual MCE H3C S3610&S5510 Series Ethernet Switches. Table of Contents
Table of Contents Table of Contents Chapter 1 MCE Overview... 1-1 1.1 MCE Overview... 1-1 1.1.1 Introduction to BGP/MPLS VPN... 1-1 1.1.2 BGP/MPLS VPN Concepts... 1-2 1.1.3 Introduction to MCE... 1-5 1.1.4
More informationMPLS VPN Carrier Supporting Carrier Using LDP and an IGP
MPLS VPN Carrier Supporting Carrier Using LDP and an IGP Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) Carrier Supporting Carrier (CSC) enables one MPLS VPN-based service provider
More informationDeploying MPLS L3VPN. Apricot Cisco and/or its affiliates. All rights reserved. Cisco Public
Deploying MPLS L3VPN 1 Abstract This session describes the implementation of IP Virtual Private Networks (IP VPNs) using MPLS. It is the most common Layer 3 VPN technology, as standardized by IETF RFC2547/4364,
More informationImplementing Traffic Filters for IPv6 Security
Implementing Traffic Filters for IPv6 Security Last Updated: November 14, 2011 This module describes how to configure Cisco IOS XE IPv6 traffic filter and firewall features for your Cisco networking devices.
More information