Ok - I figured this might be the case. I just thought it'd be cool to run the
same exact version of IOS in my lab so that it'd be less likely I'd run into
issues like this NAT problem...
Thanks,
Ron
From: Rick Mur [mailto:rmur_at_ipexpert.com]
Sent: Thursday, August 20, 2009 2:11 AM
To: Ronald Johns
Cc: groupstudy_at_cconlinelabs.com; ccielab_at_groupstudy.com
Subject: Re: Natting multicast problem...
Besides that it's forbidden to share that kind of specific information, you
don't need to know.
You will hardly ever be able to run into an IOS bug if you solve the question
the way Cisco wants. They develop and test the exams on the IOS versions that
run on the racks, so if they run into a bug, they'll change the question.
--
Regards,
Rick Mur
CCIE2 #21946 (R&S / Service Provider)
Juniper JNCIA-ER & JNCIA-EX
MCSA:Messaging, MCSE
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Thu, Aug 20, 2009 at 6:17 AM, Ronald Johns <rj686b_at_att.com> wrote:

Good to go. There have been a few labs where I've run into similar NAT issues so I've got a job ahead of me upgrading 7x2811's and a 2651XM tomorrow...
Thanks for your help on this!
- Ron

-----Original Message-----
From: Tony Schaffran (GS) [mailto:groupstudy_at_cconlinelabs.com]
Sent: Wednesday, August 19, 2009 11:10 PM
To: Ronald Johns; ccielab_at_groupstudy.com
Subject: RE: Natting multicast problem...

Confirmed. Definite NAT problem with that version of IOS.
I just tried the same config on a different version and it is working as designed.

Tony Schaffran
Sr. Network Consultant
CCIE #11071
CCNP, CCNA, CCDA, NNCDS, NNCSS, CNE, MCSE
cconlinelabs.com
Your #1 choice for online Cisco rack rentals.

-----Original Message-----
From: Ronald Johns [mailto:rj686b_at_att.com]
Sent: Wednesday, August 19, 2009 9:01 PM
To: groupstudy_at_cconlinelabs.com; ccielab_at_groupstudy.com
Subject: RE: Natting multicast problem...

Yup! That's exactly what I'm seeing.

-----Original Message-----
From: Tony Schaffran (GS) [mailto:groupstudy_at_cconlinelabs.com]
Sent: Wednesday, August 19, 2009 11:00 PM
To: Ronald Johns; ccielab_at_groupstudy.com
Subject: RE: Natting multicast problem...

I seem to be missing the second part of the nat translation in the document.

Rack1R1#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
udp ---                ---                224.0.0.9:520      160.1.12.2:520
udp 160.1.12.1:520     160.1.12.1:520     224.0.0.9:520      160.1.12.2:520

Here is my NAT trans

R1#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
udp ---                ---                224.0.0.9:520      160.1.12.2:520

Tony Schaffran
Sr. Network Consultant
CCIE #11071
CCNP, CCNA, CCDA, NNCDS, NNCSS, CNE, MCSE
cconlinelabs.com
Your #1 choice for online Cisco rack rentals.

-----Original Message-----
From: Ronald Johns [mailto:rj686b_at_att.com]
Sent: Wednesday, August 19, 2009 8:40 PM
To: groupstudy_at_cconlinelabs.com; ccielab_at_groupstudy.com
Subject: RE: Natting multicast problem...

Here's what I see:

R7's debug IP packet detail:
IP: s=150.100.78.8 (Serial0/0/0), d=224.0.0.9, len 92, rcvd 2
    UDP src=520, dst=520
IP: s=150.100.78.7 (local), d=224.0.0.9 (Serial0/0/0), len 52, sending broad/multicast
    UDP src=520, dst=520
IP: s=150.100.78.8 (Serial0/0/0), d=224.0.0.9, len 52, rcvd 2
    UDP src=520, dst=520

R8's:
IP: s=150.100.78.8 (local), d=224.0.0.9 (Serial0/0/0), len 92, sending broad/multicast
    UDP src=520, dst=520
IP: s=150.100.78.7 (Serial0/0/0), d=224.0.0.9, len 92, rcvd 2
    UDP src=520, dst=520
IP: s=150.100.78.8 (local), d=224.0.0.9 (Serial0/0/0), len 92, sending broad/multicast
    UDP src=520, dst=520
IP: s=150.100.78.7 (Serial0/0/0), d=224.0.0.9, len 92, rcvd 2
    UDP src=520, dst=520

Nat's configured:
R7(config-if)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
udp ---                ---                224.0.0.9:520      150.100.78.8:520

There's no debug info showing for nat on R7 either with deb ip nat detail configured.

-----Original Message-----
From: Tony Schaffran (GS) [mailto:groupstudy_at_cconlinelabs.com]
Sent: Wednesday, August 19, 2009 10:31 PM
To: Ronald Johns; ccielab_at_groupstudy.com
Subject: RE: Natting multicast problem...

What symptoms are you seeing?
I loaded the same IOS and configured as per the document I sent you.
I am seeing the unicast on R2, but I am also still seeing the multicast.

Tony Schaffran
Sr. Network Consultant
CCIE #11071
CCNP, CCNA, CCDA, NNCDS, NNCSS, CNE, MCSE
cconlinelabs.com
Your #1 choice for online Cisco rack rentals.

-----Original Message-----
From: Ronald Johns [mailto:rj686b_at_att.com]
Sent: Wednesday, August 19, 2009 8:07 PM
To: groupstudy_at_cconlinelabs.com; ccielab_at_groupstudy.com
Subject: RE: Natting multicast problem...

Advanced Enterprise 12.4(23) on a 2811.
Thanks,
Ron

-----Original Message-----
From: Tony Schaffran (GS) [mailto:groupstudy_at_cconlinelabs.com]
Sent: Wednesday, August 19, 2009 10:06 PM
To: Ronald Johns; ccielab_at_groupstudy.com
Subject: RE: Natting multicast problem...

What exact IOS version and feature set are you using?

Tony Schaffran
Sr. Network Consultant
CCIE #11071
CCNP, CCNA, CCDA, NNCDS, NNCSS, CNE, MCSE
cconlinelabs.com
Your #1 choice for online Cisco rack rentals.

-----Original Message-----
From: Ronald Johns [mailto:rj686b_at_att.com]
Sent: Wednesday, August 19, 2009 7:57 PM
To: groupstudy_at_cconlinelabs.com; ccielab_at_groupstudy.com
Subject: RE: Natting multicast problem...

Yeah - I tried that too - the config I used is towards the end of the post, and my debug ip packet detail (pasted below as well) shows that it's not working for some reason... I need to try a different version of IOS... I'll do this tomorrow and see what happens. Ultimately, I was curious to know what version of IOS was on the San Jose CCIE R&S lab routers, but like I mentioned previously, I have no idea if this would be a violation of NDA. It'd sure be nice to have the same exact version of code on my lab routers...

-----Original Message-----
From: Tony Schaffran (GS) [mailto:groupstudy_at_cconlinelabs.com]
Sent: Wednesday, August 19, 2009 9:49 PM
To: Ronald Johns; ccielab_at_groupstudy.com
Subject: RE: Natting multicast problem...

Wait. Yes it did. I did not look down far enough.

Tony Schaffran
Sr. Network Consultant
CCIE #11071
CCNP, CCNA, CCDA, NNCDS, NNCSS, CNE, MCSE
cconlinelabs.com
Your #1 choice for online Cisco rack rentals.

-----Original Message-----
From: Ronald Johns [mailto:rj686b_at_att.com]
Sent: Wednesday, August 19, 2009 7:45 PM
To: groupstudy_at_cconlinelabs.com; ccielab_at_groupstudy.com
Subject: RE: Natting multicast problem...

I sorta added that because I thought without passive interface configured, there'd still be multicasts sent, wouldn't there? The actual task states this:

RIP updates from R7 on 150.100.78.0/24 network should not send multicast or broadcast packets. Do NOT use the "neighbor" command to accomplish this.

-----Original Message-----
From: Tony Schaffran (GS) [mailto:groupstudy_at_cconlinelabs.com]
Sent: Wednesday, August 19, 2009 9:42 PM
To: Ronald Johns; ccielab_at_groupstudy.com
Subject: RE: Natting multicast problem...

You said neighbor with passive interface. How about just neighbor statement?

Tony Schaffran
Sr. Network Consultant
CCIE #11071
CCNP, CCNA, CCDA, NNCDS, NNCSS, CNE, MCSE
cconlinelabs.com
Your #1 choice for online Cisco rack rentals.

-----Original Message-----
From: Ronald Johns [mailto:rj686b_at_att.com]
Sent: Wednesday, August 19, 2009 7:37 PM
To: groupstudy_at_cconlinelabs.com; ccielab_at_groupstudy.com
Subject: RE: Natting multicast problem...

Yeah - that was part of the requirement - can't use "neighbor"...

-----Original Message-----
From: Tony Schaffran (GS) [mailto:groupstudy_at_cconlinelabs.com]
Sent: Wednesday, August 19, 2009 9:35 PM
To: Ronald Johns; ccielab_at_groupstudy.com
Subject: RE: Natting multicast problem...

Why use NAT?
Wouldn't that just need a neighbor statement in your RIP config to use unicast instead of multicast?
Why does it need to be so difficult? Am I reading your requirement wrong?

Tony Schaffran
Sr. Network Consultant
CCIE #11071
CCNP, CCNA, CCDA, NNCDS, NNCSS, CNE, MCSE
cconlinelabs.com
Your #1 choice for online Cisco rack rentals.

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Ronald Johns
Sent: Wednesday, August 19, 2009 7:15 PM
To: ccielab_at_groupstudy.com
Subject: Natting multicast problem...

Is it possible to find out the specific version of code on the San Jose lab routers? Are they all running the same code? Would this be a violation of NDA to share? The reason I'm asking is I think I'm running into a NAT bug in 12.4(23). At least I think it's a nat bug...

R7 s0/0/0 (150.100.78.7/24)--------------R8 s0/0/0 (150.100.78.8/24)

Running RIP between the routers, the requirement is to not send multicasts or broadcasts across the link and you can't use "neighbor" w/passive interface. Here's the related parts of the NAT config:

int s0/0/0
 ip nat outside
access-list 101 permit udp host 150.100.78.8 eq 520 host 224.0.0.9 eq 520
ip nat pool rip 224.0.0.9 224.0.0.9 netmask 255.255.255.0
ip nat outside source list 101 pool rip

Here's what debug ip nat detail shows:

Aug 20 01:51:57.291: NAT: failed to allocate address for 150.100.78.8, list/map 101
*Aug 20 01:51:57.291: NAT: failed to allocate address for 150.100.78.8, list/map 101
*Aug 20 02:02:39.599: NAT: translation failed (B), dropping packet s=150.100.78.8 d=224.0.0.9

I thought it might have had to do with the pool referencing multicast space or something like that so I tried a different pool with a random unicast IP and got the same "failed to allocate..." error.
I found this bug, but it only refers to this being a problem when natting at a GRE tunnel (Bug ID CSCsy97506 <http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsy97506&from=summary> ) so I tried disabling ip cef and ip mroute cache on the interface, but that didn't make any difference. I also tried a static translation:

ip nat outside source static udp 150.100.78.8 520 224.0.0.9 520

That didn't work either, but I didn't see any errors show up in my "debug ip nat detail"... I see the translation:

Pro Inside global      Inside local       Outside local      Outside global
udp ---                ---                224.0.0.9:520      150.100.78.8:520

but it's not getting used:

*Aug 20 02:05:49.123: IP: s=150.100.78.8 (Serial0/0/0), d=224.0.0.9, len 92, rcvd 2
*Aug 20 02:05:49.123:     UDP src=520, dst=520
*Aug 20 02:05:59.155: IP: s=150.100.78.7 (local), d=224.0.0.9 (Serial0/0/0), len 412, sending broad/multicast
*Aug 20 02:05:59.155:     UDP src=520, dst=520

Any ideas? Is my config jacked?

Thanks,
Ron Johns
Sr. Network Engineer
IT Department
CCNP, CCDP, CCSP, CISSP
AT&T WiFi Services

Blogs and organic groups at http://www.ccie.net

Received on Thu Aug 20 2009 - 11:10:51 ART
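
Added example, not part of the original thread: a Python check that parses `debug ip packet detail` output in the format posted above and lists the RIP (UDP 520) packets the local router is still sending to multicast or broadcast, which is what the task forbids. The sample lines are constructed (the unicast update is hypothetical), and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample in the format of the debug output quoted in the thread;
# the last packet (a unicast RIP update) is hypothetical.
SAMPLE = """\
*Aug 20 02:05:49.123: IP: s=150.100.78.8 (Serial0/0/0), d=224.0.0.9, len 92, rcvd 2
*Aug 20 02:05:49.123:     UDP src=520, dst=520
*Aug 20 02:05:59.155: IP: s=150.100.78.7 (local), d=224.0.0.9 (Serial0/0/0), len 412, sending broad/multicast
*Aug 20 02:05:59.155:     UDP src=520, dst=520
*Aug 20 02:06:01.201: IP: s=150.100.78.7 (local), d=150.100.78.8 (Serial0/0/0), len 412, sending
*Aug 20 02:06:01.201:     UDP src=520, dst=520
"""

IP_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<src_if>[^)]+)\), d=(?P<dst>[\d.]+)"
    r"(?: \((?P<dst_if>[^)]+)\))?, len (?P<len>\d+), (?P<action>.+)$")
UDP_RE = re.compile(r"UDP src=(?P<sport>\d+), dst=(?P<dport>\d+)")
RIP_PORT = 520

def parse_packets(text):
    """Pair each 'IP:' line with the 'UDP' detail line that follows it."""
    packets, current = [], None
    for line in text.splitlines():
        m = IP_RE.search(line)
        if m:
            current = m.groupdict()
            packets.append(current)
            continue
        u = UDP_RE.search(line)
        if u and current is not None and "dport" not in current:
            current.update(sport=int(u["sport"]), dport=int(u["dport"]))
    return packets

def rip_violations(packets, link="150.100.78.0/24"):
    """Locally originated RIP packets still sent to multicast or broadcast."""
    net = ipaddress.ip_network(link)
    bad = []
    for p in packets:
        dst = ipaddress.ip_address(p["dst"])
        non_unicast = (dst.is_multicast or dst == net.broadcast_address
                       or str(dst) == "255.255.255.255")
        if p["src_if"] == "local" and p.get("dport") == RIP_PORT and non_unicast:
            bad.append((p["src"], p["dst"], p["dst_if"]))
    return bad
```

An empty result from `rip_violations` on a capture taken after the change means no locally originated RIP update left the link as multicast or broadcast.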