Jaycee's Networking

May 17, 2009

NAT

Filed under: IOS — Tags: — Jaycee @ 2:58 am

A. NAT (Network Address Translation):

1. NAT provides a method for mapping an internal IP address space to an external IP address space.

2. NAT is configured on our gateway.

3. There are two methods of performing NAT: static and dynamic.

a. With static translation, each inside address is mapped to a specific outside address.
b. With dynamic translation, possible outside addresses are collected into an address pool and are selected from the pool on an as-needed basis.

B. Static NAT:

1. Assign the outside addresses .2 ~ .5 (172.168.1.2 through 172.168.1.5) to the static translations.

2. We can’t map 172.168.1.1 because that’s the address of the serial0 interface.

ip nat inside source static 10.10.1.2 172.168.1.2
ip nat inside source static 10.10.1.3 172.168.1.3
ip nat inside source static 10.10.1.4 172.168.1.4
ip nat inside source static 10.10.1.5 172.168.1.5
!
interface ethernet0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface serial0
 ip address 172.168.1.1 255.255.255.0
 ip nat outside

C. Dynamic NAT:

1. Define the IP address pool from 172.168.1.2 ~ 172.168.1.254.

2. Leave out 172.168.1.1 because that is our serial 0 interface.

ip nat pool poolone 172.168.1.2 172.168.1.254 netmask 255.255.255.0
ip nat inside source list 20 pool poolone
!
interface ethernet0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface serial0
 ip address 172.168.1.1 255.255.255.0
 ip nat outside
!
access-list 20 permit 10.10.0.0 0.0.255.255

3. Static and dynamic mappings can be combined; just do NOT include the statically mapped internal addresses in your address pool.

4. This allows you to specify some hosts (e.g. mail servers) that have a fixed external address but belong to your internal network, while allowing other hosts to be assigned their external address dynamically.

D. PAT (Port Address Translation):

1. The router uses the port number to distinguish between different connections using the same address.

2. In this example, we have one public IP address (172.168.1.2) that is shared by all our hosts on the 10.10.1.0/24 private network.

3. It creates an explicit external address pool and then uses it to map inside addresses.

ip nat pool poolone 172.168.1.2 172.168.1.2 netmask 255.255.255.0
ip nat inside source list 20 pool poolone overload
!
interface ethernet0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface serial0
 ip address 172.168.1.1 255.255.255.0
 ip nat outside
!
access-list 20 permit 10.10.0.0 0.0.255.255

4. For a single-address translation you can also omit the “ip nat pool” command and instead tell the “ip nat inside” command to use the IP address of your serial interface for translations.

ip nat inside source list 20 interface serial0 overload
!
interface ethernet0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface serial0
 ip address 172.168.1.1 255.255.255.0
 ip nat outside
!
access-list 20 permit 10.10.0.0 0.0.255.255

E. Static PAT:

Use this when your servers are on different machines but you want only one external address.

=> Mapping incoming ports to different NAT addresses.

1. The solution is static PAT.

2. To do the port-based translation, we use the keyword “extendable,” which allows us to map UDP and TCP ports to internal addresses.

3. In this example, we have one unique global IP address (172.168.1.1) mapped to our internal network (10.10.1.0/24) using the “overload” keyword.

4. We want our incoming email traffic (port 25) to go to 10.10.1.5, and our incoming web traffic (port 80) to go to 10.10.1.4.

ip nat inside source list 20 interface serial0 overload
!
ip nat inside source static tcp 10.10.1.5 25 172.168.1.1 25 extendable
!
ip nat inside source static tcp 10.10.1.4 80 172.168.1.1 80 extendable
!
interface ethernet0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface serial0
 ip address 172.168.1.1 255.255.255.0
 ip nat outside
!
access-list 20 permit 10.10.0.0 0.0.255.255
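To make the difference between a plain dynamic pool, the “overload” keyword and a static “extendable” mapping concrete, here is an added toy model (not from the original post and not Cisco IOS code) that mirrors the configurations in sections C, D and E; the host addresses 10.10.1.20/21 and the port numbers it hands out are constructed.

```python
# Constructed model of the NAT behaviours in sections C to E; an added
# illustration, not Cisco IOS code.
from itertools import count


class NatTable:
    def __init__(self, pool, overload=False):
        self.pool = list(pool)         # inside-global addresses, e.g. ["172.168.1.2"]
        self.overload = overload       # PAT: share one global address by port number
        self.static = {}               # (global_ip, proto, port) -> (inside_ip, port)
        self.dynamic = {}              # outbound key -> (global_ip, global_port or None)
        self.hits = self.misses = 0    # mirrors the counters in 'show ip nat statistics'
        self._ports = count(1024)      # next global port handed out under overload

    def add_static_port(self, inside_ip, proto, inside_port, global_ip, global_port):
        """ip nat inside source static <proto> <inside> <port> <global> <port> extendable"""
        self.static[(global_ip, proto, global_port)] = (inside_ip, inside_port)

    def outbound(self, inside_ip, proto, inside_port):
        """Translate an inside-local flow; returns (global_ip, global_port) or None."""
        # plain NAT maps the whole address, PAT maps address plus port
        key = (inside_ip, proto, inside_port) if self.overload else (inside_ip, None, None)
        if key in self.dynamic:
            self.hits += 1
        else:
            self.misses += 1           # no entry yet: allocate one
            if self.overload:
                self.dynamic[key] = (self.pool[0], next(self._ports))
            else:
                in_use = {g for g, _ in self.dynamic.values()}
                free = [ip for ip in self.pool if ip not in in_use]
                if not free:
                    return None        # pool exhausted: the packet is dropped
                self.dynamic[key] = (free[0], None)
        g_ip, g_port = self.dynamic[key]
        return (g_ip, inside_port if g_port is None else g_port)

    def inbound(self, global_ip, proto, global_port):
        """Inbound packet: static mappings admit new flows, dynamic entries only replies."""
        hit = self.static.get((global_ip, proto, global_port))
        if hit:
            return hit
        for (in_ip, p, in_port), (g_ip, g_port) in self.dynamic.items():
            if g_ip != global_ip:
                continue
            if p is None:                       # plain NAT entry: any port reaches the host
                return (in_ip, global_port)
            if p == proto and g_port == global_port:
                return (in_ip, in_port)         # reply to an existing PAT flow
        return None


def demo():
    # section D: one public address shared by the whole 10.10.1.0/24 via 'overload'
    pat = NatTable(["172.168.1.2"], overload=True)
    a = pat.outbound("10.10.1.20", "tcp", 40000)
    b = pat.outbound("10.10.1.21", "tcp", 40000)   # same source port, different host
    # section C without overload: a one-address pool serves a single host
    plain = NatTable(["172.168.1.2"])
    c = plain.outbound("10.10.1.20", "tcp", 40000)
    d = plain.outbound("10.10.1.21", "tcp", 40001)  # None: pool exhausted
    # section E: static PAT lets inbound port 25 reach the mail host and nothing else
    pat.add_static_port("10.10.1.5", "tcp", 25, "172.168.1.1", 25)
    return a, b, c, d, pat.inbound("172.168.1.1", "tcp", 25), pat.inbound("172.168.1.1", "tcp", 22)
```

The second host in the non-overload case is exactly the “misses 1 … allocated 1 (100%)” situation shown in the statistics output further down.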

F. NAT show Commands:

1. show ip nat statistics:

a. the total number of translations
b. the interfaces configured for NAT
c. the hits (the number of times the router looked in the NAT table and found a match)
d. the misses (the number of times the router looked in the NAT table and didn’t find an entry)
e. the number of translations that have expired

R1#show ip nat statistics
Total translations: 1 (0 static, 1 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet0
Hits: 9  Misses: 1
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 20 pool poolone refcount 1
 pool poolone: netmask 255.255.255.0
            start 172.168.1.2 end 172.168.1.2
            type generic, total addresses 1, allocated 1 (100%), misses 1

2. show ip nat translations

It shows all the NAT translations that occur.

R1#show ip nat translations
Pro Inside global     Inside local     Outside local     Outside global
--- 172.168.1.2          10.10.1.1         ---               ---

3. clear ip nat translations *

a. It’s possible for dynamic address translation to get confused. When this happens, translated traffic stops flowing through the router.

b. To fix it, use “clear ip nat translations *”. (* means clear all dynamic translations.)

G. SNAT (Stateful NAT) with HSRP:

1. SNAT provides increased IP resiliency.

2. SNAT allows two or more routers to perform NAT.

3. One router is the active NAT router, the other one as the backup.

4. SNAT is designed to work in concert (coordination) with HSRP to detect failover. However, you can configure SNAT to work on its own.

5. A new feature that broadens SNAT’s protocol support: embedded addressing.

=> With embedded addressing, the NAT process learns ports from the application itself. It allows SNAT to support VoIP, FTP, and DNS applications.

6. Configuring SNAT with HSRP:

a. use “ip nat stateful” command.

b. It takes 3 important options: id, redundancy, and mapping-id.

(1) id — identifies the router to the SNAT protocol (each router should be configured with a unique id value).

(2) redundancy — identifies the HSRP process that we are going to use for our configuration.

=> In this example, we have given our HSRP configuration the name SNATHSRP.

(3) mapping-id — identifies which NAT translations are sent to SNAT peers.

=> In this case, we have chosen a mapping id of 10, which means that any translations created in our NAT rule will have an id of 10 associated with them.

=> These translations are then identified – by the mapping id – as ones to send to our peer router.

=> You can have multiple mapping-ids that form a mapping list.

R1:

interface ethernet0
 ip address 10.10.1.1 255.255.255.0
 ip nat outside
 standby name SNATHSRP
 standby preempt
 standby priority 120
 standby ip 10.10.1.3
! Any NAT translations with a mapping id of 10 are sent to our peer
ip nat stateful id 1 redundancy SNATHSRP mapping-id 10
!
ip nat pool poolone 172.168.1.1 172.168.1.254 prefix-length 24
!
ip nat inside source list 20 pool poolone mapping-id 10 overload
!
access-list 20 permit 10.10.0.0 0.0.255.255

R2:

interface ethernet0
 ip address 10.10.1.2 255.255.255.0
 ip nat outside
 standby name SNATHSRP
 standby preempt
 standby ip 10.10.1.3
! Enable SNAT for the group (id is 2 for router 2)
! Any NAT translations with a mapping id of 10 are sent to our peer
ip nat stateful id 2 redundancy SNATHSRP mapping-id 10
!
ip nat pool poolone 172.168.1.1 172.168.1.254 prefix-length 24
!
ip nat inside source list 20 pool poolone mapping-id 10 overload
!
access-list 20 permit 10.10.0.0 0.0.255.255

H. SNAT without HSRP:

1. It’s possible to configure SNAT without the benefit of HSRP by using a static primary and peer relationship.

2. Use “primary” to define the interface and IP address to use for SNAT:

R1:

ip nat stateful id 1 primary 10.10.1.1 peer 10.10.1.2 mapping-id 10

R2:

ip nat stateful id 2 primary 10.10.1.2 peer 10.10.1.1 mapping-id 10

HSRP

Filed under: IOS — Tags: — Jaycee @ 12:53 am

A. HSRP (Hot Standby Router Protocol):

1. Since you don’t want to be running a routing protocol on individual hosts, you want to set up each host with a simple default route and leave it at that.

2. A redundant pair of routers (one is active and one is standby) act as a default gateway.

3. Need 3 IPs: IP of active router, IP of standby router, and a VIP as the gateway.

4. The VIP is active on whichever router has the highest priority. The priority default = 100 (values 0 through 255).

5. Routers send out HSRP packets to the multicast address 224.0.0.2 using UDP port 1985.

ALL HSRP packets have a TTL of 1, so they will not escape the local Ethernet segment.

6. Routers automatically generate a virtual MAC address for each HSRP router. A virtual MAC address ensures that the ARP caches remain valid when HSRP switches over to another router.

7. With HSRP groups, the routers use a unique MAC address for each HSRP group.

B. HSRP Interface Tracking:

1. With “track” command, we can tell our HSRP process to watch another interface and decrement our priority if the other interface goes down.

Primary Internet link failure without interface tracking

R1:

interface FastEthernet0/0
 ip address 192.168.100.2 255.255.255.0
 standby ip 192.168.100.1
 standby preempt
 standby track Serial0/0 10

R2:

interface FastEthernet0/0
 ip address 192.168.100.3 255.255.255.0
 standby ip 192.168.100.1
 standby priority 95
 standby preempt
 standby track Serial0/0 10

2. With the above configuration, the Ethernet interface will fail over as a result of a serial interface failure.

3. Adding a priority decrement value is a very handy feature.

a. If each router had 3 links to the internet, you could decrement the priority by 3 for each tracked interface.

b. In our example, if one link went down, R1 would remain active, but if 2 serial links went down, we would decrement its priority by a total of 6, bringing it down to 94; this would be lower than R2’s priority of 95, so R2 would become the active router.

c. With 2 routers, each containing 3 links to the internet, the one with the most serial links up would become the active router.
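The priority arithmetic in B.3 is easy to get wrong once preemption is involved, so here is an added model (not from the original post, not IOS code) of the election with tracking decrements; the three-link scenario, the interface names and the assumption that ties break on the highest interface address are constructed from the text above.

```python
# Constructed model of HSRP priority tracking and preemption from section B;
# an added illustration, not IOS code.
import ipaddress


def effective_priority(name, router, down):
    """Priority after subtracting the decrement of each tracked interface that is down."""
    return router["priority"] - sum(dec for iface, dec in router["tracked"].items()
                                    if (name, iface) in down)


def elect(routers, active, down):
    """Return which router holds the VIP.

    routers: name -> {"ip", "priority", "preempt", "tracked": {iface: decrement}}
    active:  the router currently active, or None at startup
    down:    set of (router, interface) pairs that are currently down
    """
    prio = {n: effective_priority(n, r, down) for n, r in routers.items()}
    # highest effective priority wins; HSRP breaks ties on the highest interface address
    best = max(prio, key=lambda n: (prio[n], ipaddress.ip_address(routers[n]["ip"])))
    if active is not None and active != best and not routers[best]["preempt"]:
        return active   # without 'standby preempt' a better router waits for the active one to fail
    return best


ROUTERS = {  # B.3: each router tracks three links, decrement 3 each (constructed)
    "R1": {"ip": "192.168.100.2", "priority": 100, "preempt": True,
           "tracked": {"Serial0/0": 3, "Serial0/1": 3, "Serial0/2": 3}},
    "R2": {"ip": "192.168.100.3", "priority": 95, "preempt": True,
           "tracked": {"Serial0/0": 3, "Serial0/1": 3, "Serial0/2": 3}},
}


def scenario(routers=ROUTERS):
    """Walk through the failures described in B.3.b and the recovery afterwards."""
    start = elect(routers, None, set())                                    # R1: 100 > 95
    one = elect(routers, start, {("R1", "Serial0/0")})                     # R1: 97 > 95
    two = elect(routers, one, {("R1", "Serial0/0"), ("R1", "Serial0/1")})  # R2: 94 < 95
    back = elect(routers, two, set())                                      # R1 preempts
    return start, one, two, back


def without_preempt():
    """Same failure, but R1 lacks 'standby preempt': R2 keeps the VIP after R1's links return."""
    routers = {n: dict(r) for n, r in ROUTERS.items()}
    routers["R1"]["preempt"] = False
    two = elect(routers, "R1", {("R1", "Serial0/0"), ("R1", "Serial0/1")})
    return two, elect(routers, two, set())
```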

C. Naming HSRP:

interface ethernet1
 standby name hsrpname1

D. Multiple-Group HSRP:

1. default group = 0.

2. In this example, we’ll use 3 physical routers to create 3 virtual routers, using three router groups:

a. R1 – Active for group 1 and standby for group 3
b. R2 – Active for group 2 and standby for group 3
c. R3 – Active for group 3 and standby for group 1 and group 2
d. Virtual router for group 1 is 10.10.1.11; group 2 has 10.10.1.12; group 3 has 10.10.1.13.

R1:

interface ethernet1
 ip address 10.10.1.1 255.255.255.0
 standby 1 priority 120
 standby 1 preempt
 standby 1 ip 10.10.1.11
 standby 3 ip 10.10.1.13

R2:

interface ethernet1
 ip address 10.10.1.2 255.255.255.0
 standby 2 priority 120
 standby 2 preempt
 standby 2 ip 10.10.1.12
 standby 3 ip 10.10.1.13

R3:

interface ethernet1
 ip address 10.10.1.3 255.255.255.0
 standby 3 priority 120
 standby 3 preempt
 standby 3 ip 10.10.1.13
 standby 1 ip 10.10.1.11
 standby 2 ip 10.10.1.12

E. Load Sharing with HSRP:

Load sharing with hot standby

1. Network 1 uses virtual Router 1 (10.10.28.3) for its default route, and Network 2 uses virtual Router 2 (10.10.28.4).

2. They both carry traffic until one of the routers goes down, and then the other router takes over all the traffic.

R1:

interface ethernet1
 ip address 10.10.28.1 255.255.255.0
 standby 1 preempt
 standby 1 priority 120
 standby 1 ip 10.10.28.3
 standby 2 ip 10.10.28.4

R2:

interface ethernet1
 ip address 10.10.28.2 255.255.255.0
 standby 2 preempt
 standby 2 priority 120
 standby 2 ip 10.10.28.4
 standby 1 ip 10.10.28.3

3. This configuration provides a primitive (simple) form of load sharing across the two networks. If either router goes down, the other takes over.

May 12, 2009

Server Load Balancing

Filed under: Information, Load Balancing, Routing Design — Tags: , — Jaycee @ 2:12 am

A. Load Balancing:

1. DNS-Based Load Balancing (also known as DNS Round Robin):

a. Allows more than one IP to associate with a hostname

b. The user’s domain name server first asks one of the root servers about the domain name. The root servers do not have the IP information, but they know who does and report that to the user’s DNS server. The query then goes out to the authoritative name server, and the IP is reported back. The entire process is as follows:

(1) The user types the URL into the browser.
(2) The OS makes a DNS request to the configured DNS server.
(3) The DNS server sees if it has that IP address cached. If not, it makes a query to the root servers to see what DNS servers have the information.
(4) The root servers reply back with an authoritative DNS server for the requested hostname.
(5) The DNS server makes a query to the authoritative DNS server and receives a response.

c. Limitation of DNS round robin:

(1) Unpredictable traffic/load distribution

Since individual users don’t make requests to the authoritative name servers, they make requests to the name servers configured in their operating systems. Those DNS servers then make the requests to the authoritative DNS servers and cache the received information.

(2) DNS Caching

To prevent DNS servers from being hammered with requests, and to keep bandwidth utilization low, DNS servers employ quite a bit of DNS caching.

(3) Lack of fault-tolerance measures

When demand increases suddenly, more servers are required quickly. Any new server entries in DNS take a while to propagate, which makes scaling a site’s capacity quickly difficult.

2. Firewall Load Balancing:

Most firewalls are CPU-based, such as a SPARC machine or an x86-based machine. Because of the processor limitations involved, the amount of throughput a firewall can handle is often limited; they generally tend to max out at around 70 to 80 Mbps of throughput.

3. Global Server Load Balancing (GSLB):

a. SLB works on LAN; GSLB works on WAN.

b. There are several ways to implement GSLB, such as DNS-based and BGP-based.

c. Two main reasons to implement GSLB:

(1) GSLB brings content closer to the users.
(2) GSLB provides redundancy in case any site fails.

B. Clustering vs. SLB:

1. Clustering is application-based (the term “load balancing” is reserved for the network-based aspect of the technology); SLB is network-based load balancing.

2. Disadvantages of Clustering:

a. It requires tight integration between the servers.
b. special software is required
c. a vendor will most likely support a limited number of platforms
d. a limited number of protocols are supported

3. SLB:

a. It’s platform and OS neutral, so it works as long as there is a network stack.
b. It’s extremely flexible: it supports just about any network protocol, from HTTP to NFS, to Real Media, to almost any TCP- or UDP-based protocol.
c. With no interaction between the servers and a clear delineation of functions, a SLB design is very simple and elegant, as well as powerful and functional.

C. OSI model with SLB:

1. Layer 1 – physical

2. Layer 2 – Data link:

Ethernet frame consists of a header, a checksum, and a payload. Ethernet frame size has a limit of 1.5KB. Some devices support Jumbo Frames for Gigabit Ethernet, which is over 9KB.

3. Layer 3 – Network:

These devices are routers; SLB devices also have router characteristics.

4. Layer 4 – Transport:

An SLB instance will involve an IP address and a TCP/UDP port.

5. Layer 5 -7 – Session, Presentation, Application:

Layers 5-7 involve URL load balancing and parsing. URL load balancing can set persistence based on the “cookie” negotiated between the client and the server.

D. Components of SLB:

1. VIPs (Virtual IPs):

It’s the load-balancing instance. A TCP or UDP port number is associated with the VIP, such as TCP port 80 for web traffic.

2. Servers

3. Groups/Farm/Server Farm

4. User-Access Levels: Read-only, Superuser, Other levels

E. Redundancy:

Typically, 2 devices are implemented. A protocol is used by one device to check on its partner’s health. In an “active/active” scenario, both devices are active and accept traffic; in “active/passive”, only one device is used while the other waits in case of failure.

1. Active/Passive (also known as Active/Standby or Master/Slave) Scenario:

2. Active/Active Scenarios:

(1) VIPs are distributed between the two LBs to share the incoming traffic. For example, VIP 1 goes to LB A, and VIP 2 to LB B.

(2) Both VIPs answer on both LBs, but 2 LBs may not hold the same IP. For example, VIP 1 and VIP 2 both on LB A and LB B.

3. Redundancy Protocols:

a. VRRP (Virtual Router Redundancy Protocol):

(1) An open standard.
(2) Each unit in a pair sends out packets to see if the other will respond.
(3) VRRP uses UDP port 1985 and sends packets to the multicast address 225.0.0.2.
(4) VRRP requires that the two units are able to communicate with each other.

b. ESRP (Extreme Standby Router Protocol): Extreme Networks’ proprietary.

c. HSRP (Hot Standby Router Protocol): Cisco proprietary.

d. GLBP (Gateway Load Balancing Protocol):

(1) Cisco proprietary.

(2) To overcome the limitations of existing redundant router protocols.

(3) GLBP allows a weighting parameter to be set. Based on this weighting, ARP requests will be answered with MAC addresses pointing to different routers. Thus, load balancing is not based on traffic load, but on the number of hosts that will use each gateway router. By default, GLBP load balances in round-robin fashion.

GLBP elects one AVG (Active Virtual Gateway) for each group. The elected AVG then assigns a virtual MAC address to each member of the GLBP group, including itself, thus enabling AVFs (Active Virtual Forwarders). Each AVF assumes responsibility for forwarding packets sent to its virtual MAC address. There can be up to four active AVFs at the same time.

By default, GLBP routers use the local multicast address 224.0.0.102 to send hello packets to their peers every 3 seconds over UDP 3222 (source and destination).

4. Fail-Over Cable:

This method uses a proprietary “heartbeat” checking protocol running over a serial line between a pair of load balancers.

If this fail-over cable is disconnected, it can cause serious network problems, because both units try to take on “master” status. STP can avoid the resulting bridging loops.

5. Stateful Fail-Over:

If a device fails over, all of the active TCP connections are reset, TCP sequence number information is lost, and a network error is displayed in the end user’s browser.

“Stateful Fail-Over” keeps session and persistence information on both the active and passive unit. If the active unit fails, then the passive unit will have all of the information, and service will be completely uninterrupted. The end user won’t notice anything.

6. Persistence (sticky):

It’s the act of keeping a specific user’s traffic going to the same server that was initially hit when the site was contacted. This is especially important in web-store type applications, where a user fills a shopping cart, and that information may only be stored on one particular machine.

7. Health Checking (Service Checking):

It can be performed a number of ways:

a. ping check
b. port check
c. content check

SLB will continuously run these service checks at user-definable intervals.

8. Load-Balancing Algorithms:

There are several methods of distributing traffic using a given metric. These are the mathematical algorithms programmed into the SLB device. They can run on top and in conjunction with any persistence methods, and they are assigned to individual VIPs.
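To tie together the VIP, health checking, persistence and distribution algorithm described in sections D and E, here is an added toy model of one VIP (not from the original post and not any vendor’s code); the farm addresses, the VIP address and the “sess” cookie values are constructed.

```python
# Constructed model of one SLB VIP from sections D and E: a server farm, health
# checks that pull failed servers out of rotation, round-robin distribution and
# cookie persistence. An added illustration, not vendor code.
from itertools import count


class Vip:
    def __init__(self, address, port, servers):
        self.address, self.port = address, port    # the load-balancing instance, e.g. TCP 80
        self.servers = list(servers)               # the farm behind the VIP
        self.healthy = set(self.servers)
        self.sticky = {}                           # session cookie -> server (persistence)
        self._rr = 0                               # round-robin position
        self._ids = count(1)                       # constructed session-id generator

    def health_check(self, probe):
        """probe(server) -> bool (a ping, port or content check); updates the rotation."""
        self.healthy = {s for s in self.servers if probe(s)}
        # a sticky entry must never keep sending a user to a server that failed its check
        self.sticky = {c: s for c, s in self.sticky.items() if s in self.healthy}

    def pick(self, cookie=None):
        """Choose a server for a request; returns (server, cookie) or None if the farm is down."""
        if cookie in self.sticky:
            return self.sticky[cookie], cookie     # persistence wins over the algorithm
        candidates = [s for s in self.servers if s in self.healthy]
        if not candidates:
            return None
        server = candidates[self._rr % len(candidates)]
        self._rr += 1
        cookie = cookie or f"sess{next(self._ids)}"
        self.sticky[cookie] = server
        return server, cookie


def demo():
    vip = Vip("172.168.1.10", 80, ["10.10.1.4", "10.10.1.5", "10.10.1.6"])
    picks = [vip.pick() for _ in range(3)]          # three new users: plain round robin
    cookie = picks[1][1]                            # second user's cookie
    same, _ = vip.pick(cookie)                      # returning user stays on the same server
    vip.health_check(lambda s: s != "10.10.1.5")    # that server now fails its check
    moved, _ = vip.pick(cookie)                     # user is re-homed to a healthy server
    vip.health_check(lambda s: False)               # whole farm down
    return [s for s, _ in picks], same, moved, vip.pick()
```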

F. SLB benefits:

1. Flexibility

SLB allows the addition and removal of servers to a site at any time. The LB can also direct traffic using cookies, URL parsing, static and dynamic algorithms, and much more.

2. High availability (HA)

SLB can automatically check the status of the available servers, take any nonresponding servers out of the rotation, and put them back in rotation when they are functioning again. The LBs themselves come in a redundant configuration.

3. Scalability

Since SLB distributes load among many servers, all that is needed to increase the serving power of a site is to add more servers.
