Re: Add-route keyword

From: Sean C (Upp_and_Upp@hotmail.com)
Date: Mon Jun 06 2005 - 17:07:10 GMT-3


We use add-route on customers' production networks; it works as expected and
installs a /32 route on the NAT router.

To be honest, there is a lot of stuff going on with your config. While
everything should work together and be happy, not knowing all the config
parameters, I'm not sure what could be tripping it up.

I mean, you've got:
-nested policy-map
-ISIS authentication
-bgp neighbors set in a shutdown state
-access-groups on ints
-ACL 1 has a 'permit any' and then more permits underneath it. ACL 2 is only
for 1 host.

When I'm playing with stuff I've never touched before, I keep the configs as
simple as possible.

Like I wrote, I don't see anything in your pasted config that can be
purposely tripping up your NAT, but I have seen add-route work.

Sean
  ----- Original Message -----
  From: gladston@br.ibm.com
  To: Sean C
  Cc: ccielab@groupstudy.com
  Sent: Monday, June 06, 2005 3:12 PM
  Subject: Re: Add-route keyword

  Hi Sean,

  Thanks for the reply.

  My typo, it is on R5. IOS on R5 does not add the /32 route with the keyword
add-route.

  I just tested on a 3600 (before it was on a 2600).
  The result is the same. Cisco says the router should automatically add a
/32 route, but it doesn't.

  Have you tested this feature?

  Here is the complete configuration on the 3600 (I added another NAT, using
exactly the same one used on the Cisco page, but it does not work either).
  r2------(s1/3.23)Rack2R3(e0/0)-------bb2

  version 12.2
  service timestamps debug datetime localtime
  service timestamps log datetime localtime
  no service password-encryption
  !
  hostname Rack2R3
  !
  logging queue-limit 100
  logging buffered 4096 debugging
  no logging console
  !
  memory-size iomem 10
  ip subnet-zero
  ip tcp mss 10000
  ip tcp window-size 10000
  !
  !
  no ip domain lookup
  ip host www.cisco.com 142.20.1.1
  !
  ip cef
  ipv6 unicast-routing
  mpls ldp logging neighbor-changes
  frame-relay switching
  !
  !
  key chain Isis-authen
  key 1
  key-string cisco
  !
  !
  !
  !
  !
  !
  !
  !
  no voice hpi capture buffer
  no voice hpi capture destination
  !
  !
  mta receive maximum-recipients 0
  !
  !
  class-map match-all rtp
  match protocol rtp audio
  !
  !
  policy-map rtp
  class rtp
  priority 32
  policy-map shape-all
  class class-default
  shape average 96000 9600
  service-policy rtp
  !
  !
  dlsw local-peer peer-id 142.20.3.1
  dlsw remote-peer 0 tcp 142.20.5.1
  !
  !
  interface Loopback0
  ip address 142.20.3.1 255.255.255.0
  ip router isis
  !
  interface Loopback20
  no ip address
  ipv6 address 2003:33::3/64
  ipv6 router isis
  !
  interface Ethernet0/0
  ip address 150.100.20.3 255.255.255.0
  ip access-group Fragments in
  ip nat inside
  no ip route-cache
  no ip mroute-cache
  half-duplex
  !
  interface Serial1/0
  no ip address
  shutdown
  no fair-queue
  !
  interface Serial1/1
  no ip address
  shutdown
  !
  interface Serial1/2
  no ip address
  shutdown
  !
  interface Serial1/3
  no ip address
  encapsulation frame-relay
  clockrate 128000
  no frame-relay inverse-arp
  frame-relay intf-type dce
  !
  interface Serial1/3.23 multipoint
  ip address 142.20.23.3 255.255.255.0
  ip nat outside
  ip router isis
  ip igmp join-group 239.8.8.8
  ipv6 address FEC0:2E3D:5B7C:23::3/64
  ipv6 router isis
  isis circuit-type level-2-only
  isis authentication mode md5 level-2
  isis authentication key-chain Isis-authen
  frame-relay map clns 200 broadcast
  frame-relay map ipv6 FE80::230:94FF:FED8:E9A0 200 broadcast
  frame-relay map ipv6 FEC0:2E3D:5B7C:23::2 200 broadcast
  frame-relay map ip 142.20.23.2 200 broadcast
  frame-relay interface-dlci 200
  class Frame-Priority
  !
  interface FastEthernet2/0
  no ip address
  shutdown
  duplex auto
  speed auto
  !
  router isis
  net 49.0023.3333.3333.3333.00
  !
  router bgp 65203
  no synchronization
  bgp router-id 142.20.3.1
  bgp log-neighbor-changes
  bgp confederation identifier 20
  bgp confederation peers 65202
  neighbor 142.20.23.2 remote-as 65202
  neighbor 142.20.23.2 shutdown
  neighbor 150.100.20.254 remote-as 254
  no auto-summary
  !
  address-family ipv4 multicast
  no auto-summary
  no synchronization
  exit-address-family
  !
  address-family ipv6
  network 2003:33::/64
  exit-address-family
  !
  address-family ipv4
  neighbor 142.20.23.2 activate
  neighbor 142.20.23.2 next-hop-self
  neighbor 142.20.23.2 send-community
  neighbor 150.100.20.254 activate
  neighbor 150.100.20.254 route-map Set-attribute in
  neighbor 150.100.20.254 filter-list 70 in
  neighbor 150.100.20.254 filter-list 60 out
  no auto-summary
  no synchronization
  aggregate-address 65.2.0.0 255.255.0.0 as-set summary-only advertise-map Advertise-map
  exit-address-family
  !
  ip nat pool Nat-pool 222.222.222.1 222.222.222.10 prefix-length 24
  ip nat pool Net171 171.68.16.10 171.68.16.254 netmask 255.255.255.0
  ip nat outside source list 1 pool Net171 add-route
  ip nat outside source list 2 pool Nat-pool add-route
  ip http server
  ip classless
  !
  ip as-path access-list 50 permit ^65202$
  ip as-path access-list 50 permit ^$
  ip as-path access-list 60 permit ^$
  ip as-path access-list 70 permit ^254_[0-9]*$
  !
  !
  ip access-list extended Fragments
  deny tcp any any fragments
  deny udp any any fragments
  deny icmp any any fragments
  permit tcp host 150.100.20.254 host 150.100.20.3 eq bgp
  permit udp host 150.100.20.254 eq ntp host 150.100.20.3
  permit icmp any any echo
  permit icmp any any echo-reply
  deny ip any any log
  !
  !
  map-class frame-relay Frame-Priority
  access-list 1 deny 65.2.1.0
  access-list 1 permit any
  access-list 1 permit 142.20.1.0 0.0.0.255
  access-list 2 permit 142.20.2.1
  access-list 21 permit 142.20.1.1
  access-list 21 deny any
  access-list 22 permit 150.100.20.254
  access-list 22 permit 142.20.6.1
  access-list 22 deny any
  access-list 23 permit 142.20.2.1
  access-list 100 permit ip host 65.2.1.0 host 255.255.255.0
  access-list 101 permit ip host 65.2.2.0 host 255.255.255.0
  access-list 110 permit ip host 65.2.1.0 host 255.255.255.0
  access-list 140 remark ** filter bgp update from BB2 **
  access-list 140 permit ip 192.67.0.0 0.0.5.0 host 255.255.255.0
  ipv6 router ospf 10
  log-adjacency-changes
  !
  !
  route-map Set-attribute permit 10
  match ip address 100
  set origin incomplete
  set as-path prepend 2540
  set community local-AS
  !
  route-map Set-attribute permit 20
  match ip address 101
  set community 42
  !
  route-map Set-attribute permit 30
  !
  route-map Advertise-map permit 10
  match ip address 110
  !
  route-map SELECT_SP_ROUTE permit 10
  match ip address 1
  !
  !
  snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
  snmp-server enable traps tty
  snmp-server enable traps casa
  snmp-server enable traps isdn call-information
  snmp-server enable traps isdn layer2
  snmp-server enable traps isdn chan-not-avail
  snmp-server enable traps isdn ietf
  snmp-server enable traps hsrp
  snmp-server enable traps config
  snmp-server enable traps entity
  snmp-server enable traps envmon
  snmp-server enable traps ds0-busyout
  snmp-server enable traps ds1-loopback
  snmp-server enable traps bgp
  snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
  snmp-server enable traps ipmulticast
  snmp-server enable traps msdp
  snmp-server enable traps rsvp
  snmp-server enable traps frame-relay
  snmp-server enable traps frame-relay subif
  snmp-server enable traps syslog
  snmp-server enable traps rtr
  snmp-server enable traps mpls ldp
  snmp-server enable traps mpls traffic-eng
  snmp-server enable traps mpls vpn
  snmp-server enable traps cnpd
  snmp-server enable traps dlsw
  snmp-server enable traps pppoe
  snmp-server enable traps atm subif
  snmp-server enable traps dial
  snmp-server enable traps dsp card-status
  snmp-server enable traps ipmobile
  snmp-server enable traps vtp
  snmp-server enable traps director server-up server-down
  snmp-server enable traps voice poor-qov
  snmp-server enable traps dnis
  snmp-server enable traps xgcp
  snmp-server host 142.20.28.150 COMMUNITY-STRING config
  call rsvp-sync
  !
  !
  mgcp profile default
  !
  !
  !
  dial-peer cor custom
  !
  !
  !
  alias exec c conf t
  alias exec s show run
  alias exec sib show ip interface brief
  alias exec sl sh logg
  alias exec cl clear logg
  alias exec sb show ip bgp
  alias exec sibs show ip bgp su
  alias exec cb clear ip bgp * soft
  alias exec sir show ip route
  alias exec so show ip os ne
  alias exec sip show ip protocols
  alias exec cir clear ip route *
  alias exec u no debug all
  alias exec b sh run | begin
  !
  line con 0
  exec-timeout 0 0
  privilege level 15
  logging synchronous
  line aux 0
  line vty 0 4
  password cisco
  login
  !
  ntp authentication-key 1 md5 101E514B57 7
  ntp authenticate
  ntp trusted-key 1
  ntp access-group peer 22
  ntp access-group serve 23
  ntp access-group serve-only 21
  ntp peer 142.20.6.1
  ntp server 150.100.20.254 key 1
  !
  end

  Rack2R3#term def len
  Rack2R3#

  Cordially,
  ------------------------------------------------------------------
  Alaerte Gladston Vidali
  IBM Global Services - SO
  Tel.55+11+2121-2879 Fax:55+11+2121-2449

        "Sean C" <Upp_and_Upp@hotmail.com>
        06/06/2005 15:57
       To Alaerte Gladston Vidali/Brazil/IBM@IBMBR, <ccielab@groupstudy.com>
              cc
              Subject Re: Add-route keyword

  Hi Gladstone,

  Your sir is from R1,
> Rack2R1#sir 200.200.5.1
> % Network not in table

  Yet NAT is applied to R5. Does R5 at least have the static /32? Per the
  document you cite, the router doing the NAT should have a static /32 applied
  and then it's up to you to redistribute. So, not knowing if/how R5 is
  advertising its routes to R1, does R5 at least have the /32 in its RIB?

  HTH,
  Sean
  ----- Original Message -----
  From: <gladston@br.ibm.com>
  To: <ccielab@groupstudy.com>
  Sent: Monday, June 06, 2005 2:15 PM
  Subject: Add-route keyword

> Add-route keyword on ip nat outside list is not working.
>
> Can you see any problem on the config?
>
> I am using the example located at
> http://www.cisco.com/warp/public/556/1.html
> but the router simply does not add the route.
>
> Rack2R5#sh ip nat tra
> Pro  Inside global   Inside local   Outside local   Outside global
> ---  ---             ---            200.200.5.1     142.20.66.1
> ---  142.20.1.1      142.20.1.1     200.200.5.1     142.20.66.1
> Rack2R5#
> Rack2R5#sh run int e 0/0
> Building configuration...
>
> Rack2R5#sh run int e 1/0
> interface Ethernet1/0
> ip address 142.20.65.5 255.255.255.0
> ip nat outside
> service-policy output Premium-gold-normal
> ip policy route-map Avoid-BRI
> half-duplex
> end
>
> Rack2R5#sh run int s 0/0
> Building configuration...
>
> interface Serial0/0
> bandwidth 64
> ip address 142.20.125.5 255.255.255.224
> ip nat inside
> ip pim nbma-mode
> ip pim sparse-dense-mode
> ip multicast boundary 50
> ip multicast helper-map 229.1.1.1 142.20.56.255 111
> encapsulation frame-relay
> ip ospf authentication-key cisco
> ip igmp join-group 229.1.1.1
> no fair-queue
> cdp enable
> end
>
> Rack2R5#sh run | i nat
>
> ip nat pool Nat-pool 200.200.5.1 200.200.5.10 prefix-length 24
> ip nat outside source list 2 pool Nat-pool add-route
>
> Rack2R5#sh access-list 2
> Standard IP access list 2
> 10 permit 142.20.66.1 (3 matches)
> Rack2R5#
>
> NAT is being done:
>
> *Mar 1 00:20:34: NAT*: s=142.20.66.1->200.200.5.1, d=142.20.1.1 [478]
> Rack2R5#
> *Mar 1 00:20:36: NAT*: s=142.20.66.1->200.200.5.1, d=142.20.1.1 [479]
> Rack2R5#
> *Mar 1 00:20:38: NAT*: s=142.20.66.1->200.200.5.1, d=142.20.1.1 [480]
> Rack2R5#
> *Mar 1 00:20:40: NAT*: s=142.20.66.1->200.200.5.1, d=142.20.1.1 [481]
> Rack2R5#
>
> Traffic is reaching the far end node:
>
> *Mar 1 06:30:04: IP: s=142.20.14.4 (Serial0/0.14), d=224.0.0.5, len 120, rcvd 0
> Rack2R1#no
> *Mar 1 06:30:06: IP: s=142.20.125.1 (local), d=224.0.0.13 (Serial0/0.125), len 54, sending broad/multicast
> *Mar 1 06:30:06: IP: s=200.200.5.1 (Serial0/0.125), d=142.20.1.1, len 100, rcvd 4
> *Mar 1 06:30:06: IP: s=142.20.1.1 (local), d=200.200.5.1 (Serial0/0.125), len 100, sending
>
> But the route used by NAT is not added to the RIB. I reset the router:
>
> Rack2R1#sir 200.200.5.1
> % Network not in table
>



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:41 GMT-3