Let’s assume the following for this example

• We have 2 public IP addresses (192.168.1.1 & 192.168.1.2)
• The IP address on the outside interface has been configured to use PAT for all internal IP addresses for Internet access (192.168.1.1)
• I have a DMZ with 3 servers, FTP, E-mail, and Web Server (10.0.1.1, 10.0.1.2 & 10.0.1.3 respectively)
• I need my 3 DMZ servers to be reachable from the Internet.

The above scenario poses a slight problem. If I have already used one of my public addresses for PAT to allow all internal hosts to access the Internet, I only have one IP address left but I require 3 static NAT entries to be created. In my post on Static NAT we saw that we configure NAT to map on a one-to-one basis, so in this scenario I would require 3 IP addresses, one for each of my DMZ servers.

The nice thing about the above scenario, is that each of the three servers is hosting a totally different service and therefore each requires different ports to be accessible from the Internet. This allows me to create static NAT’s that specify the ports, a type of overload function.

FTP would require ports 20,21 to be allowed
E-mail would require port 25 to be opened, and possibly 143 and 110 if you are using IMAP or POP
Web Server will require port 80, and possibly 443 if there is any SSL been used (https).

The above can be configured in the following way (interfaces would need to be configured as inside and outside as well, as seen here)

AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.1 192.168.1.2 20
AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.1 192.168.1.2 21

AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.2 192.168.1.2 25
AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.2 192.168.1.2 143
AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.2 192.168.1.2 110

AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.3 192.168.1.2 80
AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.3 192.168.1.2 443

Related posts:

1. Configuring Static NAT on Cisco Routers
2. Configuring PAT on Cisco Routers (NAT Overload)
3. NAT (Network Address Translation)

There are 3 ways to configure NAT on a Cisco Router
1/ Static NAT
2/ Dynamic NAT
3/ NAT overload (PAT – Port Address translation)

Static NAT is a one-to-one mapping. This is usually only required when you have a server inside your network (ie: Webserver, FTP, E-mail) that needs to be accessed from the internet. Users on the internet will access a public IP address that you have statically and permanently linked to your servers internal IP address. Of course any time your internal server sends packet to the internet, it’s source IP address will be translated into a public IP address configured with static NAT.

Dynamic NAT is used for many-to-many mapping. This will allow all your internal computers to be translated into a pool of public IP addresses, however if you only have 10 public IP addresses available in the NAT pool, only 10 computers will be able to access the public network at a time. Each computer will consume one public address at a time which makes this very limited for public internet access. The main purpose for dynamic NAT is to fix overlap IP addresses often experienced after a merger or acquisition. Since all companies use RFC 1918 for internal addresses, it’s not uncommon for 2 companies to be using the exact same internal IP addresses. When a merger or acquisition takes place there are issues with the IP addresses conflicting. Dynamic NAT allows us to translate the internal IP addresses from company ‘A’ into something unique that company ‘B’ does not use, and similarly translate all the internal IP addresses in company ‘B’ into something unique that company ‘A’ does not use. In most cases the ‘public’ address that the two companies will be translated into, will be part of RFC 1918 and will be used purely to resolve IP address overlaps, and NOT internet access.

NAT overload, or otherwise known as PAT (Port Address Translation), allows us to create a many-to-one mapping. Every computer in your network will be translated into a single Public IP address. This allows us to save on public addresses but still allows each computer in our organisation to access the internet at the same time. PAT identifies each session based on the source port number used in the communication flow. Since each session uses a random source port number, each session in theory should have a different number which allows PAT to associate a session with the single public IP addresses been shared. In the occurrence of two computers randomly choosing the same source port number, PAT will translate the port number and keep a record of the original as well as the new translated port to maintain the session. PAT will not allow internet users to access your internal servers as there is no mapping from outside to inside. The maximum theoretical limit for sharing a single IP address is 64,513 however the practical limit is dependent on the router or firewall doing the PAT and is usually limited to no more than 4,000 sessions to a single IP address.

Related posts:

1. Configuring PAT on Cisco Routers (NAT Overload)
2. Configuring Dynamic NAT on Cisco Routers
3. Useable IP addresses in private networks

Using floating static routing as a backup solution works on the following principle.

-          A dynamic routing protocol is running over your primary line

-          When the link fails, the routing updates will fail and the routing table will flush

-          A static route that uses the dial-up interface will become the best route

-          The backup interface will dial and traffic will continue to flow

-          When the primary line comes back up the dynamic routing protocol will fill the routing table, overwriting the floating static.

NOTE: Any type of dial-up interface may be used (modem / ISDN / 3G etc)

Based on the above it’s important to understand a few things about routing.

-          A router will look for a route with the longest match (most specific route wins).

-          If more than one identical route exists, the route with the LOWEST administration distance will be inserted into the routing table

So in order for us to configure floating static routes, we need 2 things configured.

-          A dynamic routing protocol MUST be configured for this solution

-          An identical static route must be created with an administrative distance higher than our routing protocol.

Example:

If I am running EIGRP as my routing protocol and it has learnt a route to network 192.168.1.0 /24 with an admin distance of 90 ( EIGRP has an administrative distance of 90 by default). I must create a static route for the network 192.168.1.0 /24 with a next hop of my remote routers dial-up interface. A static route however has a default administrative distance of 1, which at this point would mean it would overwrite my dynamically learnt route and all my traffic would be sent over my dial-up interface leaving me with a rather large phone bill. So when I create my static route it’s imperative that I change the default administrative distance to something higher than that of my routing protocol – I suggest a value of 250.

My static route would look like this:

AOIP.ORG(config)# ip route 192.168.1.0 255.255.255.0 10.0.1.1 200

Destination network : 192.168.1.0

Subnetmask for destination : 255.255.255.0

Next hop address of the remote routers dial-up interface: 10.0.1.1

Administrative Distance : 200

Related posts:

1. Static Routing
2. Cisco Administrative Distance
3. ISDN and Multilink with load-threshold

For example: If I define an access-list that allows telnet and denies everything else, then telnet is the only traffic that will cause my ISDN interface to dial the remote router. Once the line has connected, ANY traffic may flow over the ISDN line. The router is looking purely for ‘interesting traffic’ so if no telnet traffic is sent over the line for the idle-timeout value, the line will drop.

This type of installation of ISDN is fantastic for very small branch offices that do not need to be connected to HQ permanently and you only need the link to be established for short periods of time. This however is not a good link backup solution.

In the below configuration we have created an access-list that will allow telnet traffic to cause the link to be established.

AOIP.ORG(config)# access-list 102 permit tcp any any eq telnet

Create the Access-list to be used to specify interesting traffic

AOIP.ORG(config)# dialer-list 2 protocol ip list 102    

The dialer-list defines what traffic is interesting, in this case – Access list 102

AOIP.ORG(config)# isdn switch-type basic-net3

Define the switch-type needed for ISDN, This is the settings for BRI interfaces in Europe and Africa

AOIP.ORG(config)# int bri 2/0

Enter the BRI interface you wish to configure

AOIP.ORG(config-if)# ip address 10.0.1.1

Set an IP address on the ISDN interface

AOIP.ORG(config-if)# encapsulation ppp

Define PPP as the encapsulation method

AOIP.ORG(config-if)# ppp authentication chap

Authentication for PPP has been set to CHAP

AOIP.ORG(config-if)# dialer-group 2

This tells our ISDN interface to use Dialer-list 2, you will notice the numbers for ‘dialer-group’ and ‘dialer-list’ match

AOIP.ORG(config-if)# dialer idle-timeout 180

If no interesting traffic is sent for 180 seconds, the line will drop

AOIP.ORG(config-if)# dialer map ip 10.0.1.2 name Router2 5551234  

If you need to connect to the IP address 10.0.1.2 (The remote routers ISDN interface), The remote router is name “Router2” and the telephone number to dial is “5551234”

AOIP.ORG(config-if)# no shut

AOIP.ORG(config)# ip route 192.168.2.0 255.255.255.0 10.0.1.2

Create a static route for the remote subnet with a next hop of Router2’s ISDN interface.

AOIP.ORG(config)# username Router2 password aoip

The remote routers hostname and a password that will be used for PPP authentication

Related posts:

1. ISDN and Multilink with load-threshold
2. ISDN Switch-type
3. Floating Static Routes

The switch-type is very much country dependant so it’s also important to memorize the switch-type that applies to where you do most of your installations.

If Layer-1 is showing ‘Deactivated’ when using the show isdn status command, only 3 things can be the source of the problem.

1/ isdn switch-type has not been set, or has not been set correctly (The most common problem)

2/ There is a problem with the PSTN (call your telephony service provider)

3/ Cable problems

4/ Physical port failure on the Router.

In order to configure the switch-type you can enter the command

Isdn switch-type {switch-type}

This can be done either in global configuration mode, or on the interface depending on the router and IOS version.

Below are all the switch-type options available 

Related posts:

1. Configuring Basic ISDN with Interesting Traffic
2. ISDN and Multilink with load-threshold
3. Floating Static Routes

As an example, I have 2 VLANS, VLAN 10 and VLAN 20 which have subnets 10.0.10.0/24 and 10.0.20.0/24 respectively. In order to have traffic from one subnet communicate with the other routing would have to take place. Furthermore the switch I have used in the example below is a layer 2 switch so there is no routing functionality available so I am forced to use a router.

This leaves me with 2 options.

1/ Plug my router into my switch with 2 cables. Configure 1 port on the router to be in subnet 10.0.10.0/24 and in VLAN 10, and configure a second port to be in subnet 10.0.20.0/24 and associate that port to VLAN 20.

This is not a major issue, and this is something that could easily be configured, however it will require a router with 2 interfaces free for me to use. What if I had more than 2 VLAN’s? What if I had 200 VLAN’s (Not an uncommon scenario)? Not only would this mean I need a router with 200 interfaces, but it would also mean that my switch would need 200 interfaces. So far this is not looking like a very scalable solution.

2/ I can plug my router in my switch with a single cable. Configure Sub-interfaces on the router and associate each sub-interface to each VLAN. This is FAR more scalable and would allow me to configure more than 2 VLAN’s on a single interface

NOTE: A sub-interface is a logical separation of the physical interface. Each sub-interface can be configured as if it were a physical port on the device.

As you can see from the above, option 2 is the only logical solution for scalability and ease. There is however one small problem with using this option. In order to have multiple VLAN’s been sent over a single cable/port the port needs to be configured as a Trunk port. In my example I have already configured the switch and made FastEthernet 0/23 a trunk port using dot1q as my encapsulation protocol. (Port f0/23 on the switch is plugged into the router’s port f0/1)

Here is the breakdown of the configuration needed to configure a Router on a stick.

AOIP.ORG# ping 10.0.10.2

Confirming that ping does not work to the interface VLAN 10 on my switch which has IP address 10.0.10.2

AOIP.ORG# ping 10.0.20.2

Confirming that ping does not work to the interface VLAN 20 on my switch which has IP address 10.0.20.2

AOIP.ORG(config)# interface fastethernet 0/1.10

This enters the interface FastEthernet 0/1 and creates a sub-interface named ‘10’. NOTE: It is a wise idea to name your sub-interface the same as the VLAN number you are going to allocate it to for help with troubleshooting.

AOIP.ORG(config-subif)# encapsulation dot1q 10

Configures the sub-interface to be encapsulated with dot1q, and allocates this sub-interface to VLAN 10

AOIP.ORG(config-subif)# ip address 10.0.10.1 255.255.255.0

Associate an IP address to the sub-interface

AOIP.ORG(config-subif)# exit

AOIP.ORG(config)# interface fastethernet 0/1.20

This enters the interface FastEthernet 0/1 and creates a sub-interface named ‘20’. NOTE: It is a wise idea to name your sub-interface the same as the VLAN number you are going to allocate it to for help with troubleshooting.

AOIP.ORG(config-subif)# encapsulation dot1q 20

Configures the sub-interface to be encapsulated with dot1q, and allocates this sub-interface to VLAN 20

AOIP.ORG(config-subif)# ip address 10.0.20.1 255.255.255.0

Associate an IP address to the sub-interface

AOIP.ORG(config-subif)# exit

AOIP.ORG(config)# exit

AOIP.ORG# ping 10.0.10.2

Confirm that ping now works, you will notice the first ping failed, but this is purely a ARP delay that caused this

AOIP.ORG# ping 10.0.20.2

Confirm that ping now works, you will notice the first ping failed, but this is purely a ARP delay that caused this

In order to complete the design and installation of the above, all computers that are in VLAN 10 would need to have their Default-gateway configured as 10.0.10.1 and machines in VLAN 20 would need their Default-gateway configured as 10.0.20.1.

When a machine from VLAN 10 tries to communicate with a machine in VLAN 20 the following will take place

1/ Packet enters the switch

2/ The Switch will send the packet via the TRUNK port on VLAN 10 to the router.

3/  The router will receive the packet on sub-interface f0/1.10 tagged as VLAN 10

4/ The router will remove the TAG on the packet and do a lookup in the routing table

5/ The router will encapsulate the packet with a TAG for VLAN 20

6/ The router will send the packet via the TRUNK to the switch on VLAN 20 through sub-interface f0/1.20

7/ The switch will receive the packet on the trunk port on VLAN 20

8/ The switch will send the packet to the destination computer.

Below is the live demo.

Related posts:

1. Configuring a Trunk port on a Cisco Switch
2. VTP (VLAN Trunking Protocol)
3. Configuring an Access port on a Cisco switch

Duplex defines how traffic will be sent and can be related to a 2-way radio vs. A telephone.

With a 2-way radio, more so when there are more than 2 people on the same radio frequency, only 1 person may speak at the same time. If 2 people were to push the PTT (push to talk) button at the same time, they would hear a squelch. Both people would hear the squelch, release the PTT button and try again at a random time interval. Hopefully only 1 person would press the button this time and would be able to speak on the radio frequency, of course if both people pressed the button at the same time again, they would have to repeat the procedure until they managed to be the only person communicating.

In terms of Duplex, a 2-way radio would be the same as ‘Half-Duplex’ were only 1 person may communicate at the same time, if computers tried to talk at the same time, they would have a ‘collision’. Like the people, the 2 computers notice the collision and wait a random time frame before transmitting the packet again.

Full duplex on the other hand is like a telephone. Both parties in a telephone call can talk at the same time. Granted most humans cannot hear and talk at the same time on the phone, but the telephone is able to transmit both flows of traffic from both sides of the telephone line at the same time. If 2 computers wished to send data to each other, and full duplex was available, they would be able to transmit and receive at the same time.

NOTE: A hub can ONLY run at half-duplex. It is not possible for a hub to run at full duplex. A Switch however can be configured for either.

AOIP.ORG_Switch# show interface f0/7

In the live demo below you will notice I have highlighted the current status of the interface (Auto-duplex, Auto-speed)

AOIP.ORG_Switch# conf t

AOIP.ORG_Switch(config)# interface fastethernet 0/7

Enter the interface you wish to configure

AOIP.ORG_Switch(config-if)# duplex full

Set the Duplex to Full, Half or Auto. Auto doesn’t always end up with the best result, so forcing the duplex to the correct value to recommended

AOIP.ORG_Switch(config-if)# speed 100

Set the speed of the interface. Depending on the interface will depend on the possible options. Ethernet can only be set at 10Mbps, FastEthernet can be set at either 10Mbps or 100Mbps, and GigabitEthernet can be set to 10/100/1000 mbps

AOIP.ORG_Switch(config-if)# no shut

Activate the interface

AOIP.ORG_Switch(config-if)# do show interface f0/7

Confirm the new setting have taken effect.

Related posts:

1. Configuring an IP address and Default-Gateway on a Cisco Switch
2. Port Security on a Cisco Switch
3. Configuring a Trunk port on a Cisco Switch

In order to understand clock rate we first need to understand how the cabling works on routers. When connecting two routers together with a serial cable, one of the routers needs to host the DCE (Data Communications Equipment) side of the cable, and the other will host the DTE (Date Terminal Equipment) side. Most serial cables are marked on the connector if it’s the DTE or DCE.

So what’s the difference between the 2 sides? The DCE side of the cable is the side that sets the speed of the link (also known as clocking). Based on this, it’s safe to assume that the cable coming out of your router and going to your service provider is the DTE side, since you service provider sets the speed of the line based on the subscription you have purchased. The DTE side of the cable is where the communications terminate ie: your router terminates the connection from the service provider.

From a configuration point of view the DCE side of the cable is able to use the clock rate command to set the speed of the line. If the command is not used the interface will run at the maximum speed supported by the interface. If you have only subscribed for a 64k line, then the clock rate would have been set on the DCE side of the cable using the command ‘clock rate 64000’ under the interface.

AOIP.ORG# conf t

AOIP.ORG(config)# interface serial 1/0

AOIP.ORG(config-if)# clock rate 64000 (represented in BITS per second)

If you try use the clock rate command on the DTE interface you will receive the following error message “This command applies only to DCE interfaces”

To identify which end of the cable has been plugged into a Cisco router, you can also use the command “show controller” – see below diagram.

Cisco Show Controller Command

The bandwidth command however does not adjust the speed of the line at all, however it should be configured on ALL DTE and DCE interfaces because it is used by;

1/ Routing protocols – to calculate the cost of a path

2/ QOS (Quality of Service) – to identify how much bandwidth is availble to prioritize,

If no bandwidth command has been configured on the interface, Routing protocols and QOS will assume the line is running at the maximum speed supported by the interface which can result in incorrect routing and incorrect prioritization of packets.

The bandwidth command is issued under the interface, as is represented in Kilobits per second

AOIP.ORG# conf t

AOIP.ORG(config)# interface serial 1/0

AOIP.ORG(config-if)# bandwidth 64 (represented in kilobits per second)

Related posts:

1. Interface Status
2. Configuring EIGRP on a Cisco Router
3. Cisco Administrative Distance

The same applies with protocols such as ping. Ping sends a echo to the destination, and when the destination device receives the ICMP packet it must send a echo-reply packet back to the source. If there is no route going back to the source, ping will be unsuccessful.

In the live demo below I have illustrated this exact problem. On my router AOIP.ORG I have tried to ping the IP address 2.2.2.2 (the loopback interface of R2). AOIP.ORG has a default gateway of last resort configured to send all traffic to the router R1 (R1 already has routing configured correctly), R1 will send the packet to R2 however R2 does not have a route back to the 192.168.1.0 network (attached to AOIP.ORG). Only after I telnet into R1, and then telnet into R2 and configure a route to the network 192.168.1.0 do my pings begin to work. ( I can’t telnet directly to R2 since it does not have a route back to me, so I have to do this on a hop by hop basis).

Related posts:

1. Static Routing
2. Inter-VLAN Routing (Router on a Stick)
3. Configuring EIGRP on a Cisco Router

OSPF is a classless routing protocol so subnetmask values are sent in the update and it supports CIDR.

OSPF does not send periodic updates and is designed to only send updates when something has changed or a new route has been added, it does this through the use of LSA’s (Link State Advertisements).

 OSPF is designed in a hierarchical fashion through Areas. Routers running OSPF, flood LSA updates to routers in the same area rather than sending the entire routing table.

 OSPF is a link-state protocol, and pieces the information received from LSA’s to calculate the best path using the SPF (Shortest Path First) algorithm. Its cost value (metric) is based on the formula: Cost = 10⁸/bandwidth (bps)

 Each router running the OSPF process has a Router ID which is known by all other devices. By default the Router ID is the highest IP address of an active interface at the point the OSPF process started. This can be manually forced by using loopback interfaces, as they are permanently in a Up Up status, and insuring the loopback has the highest IP address on the router. The default value can also be overwritten by using the router-id command

 OSPF has a default administration distance of 110

 OSPF does not do automatic summarization of routes like EIGRP does, but routes can be manually summarized as required.

In the Live demo below, the following configuration was entered.

 AOIP.ORG# ping 10.0.3.2

(ping is unsuccessful)

AOIP.ORG# show ip route

(no routes for network 10.0.3.0 exist)

AOIP.ORG# conf t

AOIP.ORG(config)# router ospf 100

(enables OSPF with a process ID of 100 – this value is used by THIS ROUTER ONLY)

AOIP.ORG(config-router)# network 192.168.1.0 0.0.0.255 area 0

(enables all interfaces with IP addresses beginning with 192.168.1 to belong to Area 0 – the backbone area. OSPF uses wildcard mask values for the network statement)

AOIP.ORG(config-router)# exit

AOIP.ORG(config)# exit

AOIP.ORG# ping 10.0.3.2 repeat 15

(ping is successful after a few attempts, it can take OSPF a little while to discover and learn the topology of the network)

AOIP.ORG# show ip route

(3 new entries are in the routing table with a ‘O’ to represent OSPF, the entries are not summarized by default, 10.0.1.0, 10.0.2.0 and 10.0.3.0)

Related posts:

1. Configuring EIGRP on a Cisco Router
2. Configuring RIP on a Cisco Router
3. Cisco Administrative Distance