CGN Class Labs: Complete
ACOS 4.1.4 (2/28/2023)

Contents

CGN Lab 1: Configuring CGNAT ........ 4
    Overview
    Device Preparation ........ 5
    Configuring Basic CGN ........ 8
    VRRP-A Connection Mirroring ........ 10
    Lab 1 View, Verify, and Backup the Configuration ........ 10
CGN Lab 2: Additional Features ........ 12
    Overview
    Device Preparation ........ 13
    Enable Application Layer Gateways (ALG) for CGN ........ 13
        FTP ........ 13
        RTSP ........ 13
    Understanding User Quota behavior ........ 14
    Understanding Endpoint Independent Mapping and Filtering ........ 15
    Understanding EIM/EIF (Full-Cone NAT) STUN behavior ........ 18
    Understanding Session User Quota behavior ........ 19
    Static Port Mapping ........ 19
    Hairpinning filtering ........ 20
    Lab 2 View, Verify, and Backup the Configuration ........ 20
CGN Lab 3: Configuring NAT64/DNS64 ........ 21
    Overview
    Device Preparation ........ 22
    ACOS IPv6 setup ........ 22
    Configuring Basic NAT64 ........ 23
    VRRP-A Connection Mirroring ........ 25
    View, Verify, and Backup the Configuration ........ 25
    Configuring DNS64 ........ 26
    Lab 3 View, Verify, and Backup the Configuration ........ 27
CGN Lab 4: Routing ........ 28
    Overview
    Device Preparation ........ 29
    Configuring Egress BGP for IPv4 ........ 29
    Configuring Ingress OSPF for IPv4 ........ 31
    Configuring Ingress OSPFv3 for IPv6 ........ 32
    Lab 4 View, Verify, and Backup the Configuration ........ 33
CGN Lab 5: LSN Logging ........ 35
    Overview
    Device Preparation ........ 36
    Setup Data-Plane Syslog Based Logging ........ 36
    Logging Template Options ........ 37
    Port Batching ........ 38
    Lab 5 View, Verify, and Backup the Configuration ........ 39
CGN Lab 6: Monitoring / Troubleshooting ........ 40
    Overview
    Device Preparation ........ 41
    Monitoring the System ........ 41
    Monitor LSN ........ 42
    axdebug ........ 42

A10 CGN Lab 1: Configuring CGNAT 4.1.4 2/28/2023 Page 2 of 46

CGN Lab 1: Configuring CGNAT
ACOS 4.1.4 (2/28/2023)

Device Preparation

1. On StudentRD, open an SSH session to vMaster (192.168.0.10). If needed, open a new terminal window.

    [student: ~]$ ssh admin@192.168.0.10
    (password is a10)

   The resulting prompt on ACOS should be:

    A1-vMaster[1/1]>

2. If A1 is not vMaster, use the "vcs vMaster-take-over 255" command to take over vcs vMaster status. Log directly into A1 (ssh admin@192.168.0.1), enter enable mode, and run the command.

3. Enter Enable Mode.

    A1-vMaster[1/1]> enable
    Password:
    A1-vMaster[1/1]#

   (At the Password prompt, press the Enter key.)

4. Confirm vcs.

    A1-vMaster[1/1]# sh vcs summary
    ID  State       Priority  IP:Port             Location
    -------------------------------------------------------------------------
    1   vMaster(*)  200       192.168.0.1:41216   Local   10.5.250.1:41216
    2   vBlade      180       192.168.0.2:41216   Remote  10.5.250.2:41216
    3   vBlade      160       192.168.0.3:41216   Remote  10.5.250.3:41216
    Total: 3

5. Confirm that the VRRP-A Default VRID has a Floating IP of 100.64.0.10.

    A1-vMaster[1/1]# show running-config vrrp-a vrid
    vrrp-a vrid 0
      floating-ip 100.64.0.10

6. Confirm VRRP-A status.
    A1-vMaster[1/1]# show vrrp-a
    vrid 0
      Unit        State    Weight  Priority
      1 (Local)   Active   65534   200      became Active at: Apr 25 15:26:49 2017 for 0 Day, 1 Hour, 4 min
      2 (Peer)    Standby  65534   180
      3 (Peer)    Standby  65534   160
    vrid 1
      Unit        State    Weight  Priority
      1 (Local)   Standby  65534   160      became Standby at: Apr 25 15:28:45 2017 for 0 Day, 1 Hour, 2 min
      2 (Peer)    Active   65534   200
      3 (Peer)    Standby  65534   180
    vrid 2
      Unit        State    Weight  Priority
      1 (Local)   Standby  65534   180      became Standby at: Apr 25 15:28:45 2017 for 0 Day, 1 Hour, 2 min
      2 (Peer)    Standby  65534   160
      3 (Peer)    Active   65534   200
    vrid that is running: 0 1 2
    * * *

7. Confirm routes. The output contains:

    A1-vMaster[1/1]# show ip route
    [. . .]
    B*   0.0.0.0/0 [20/0] via 10.5.0.254, ve 200, 00:40:27
    O E2 100.64.110.0/24 [110/20] via 100.64.0.254, ve 100, 00:40:24

8. From A1, make sure you can ping StudentRD (100.64.110.100), Server1, and Server2.

    A1-vMaster[1/1]# ping 100.64.110.100
    A1-vMaster[1/1]# ping 10.5.30.11

9. In a new terminal, verify that StudentRD cannot access the "outside" network (10.5.0.0/16). From StudentRD, ping Server1 by its IP address 10.5.30.11. Use the "-O" (capital O, not 0) option. The ping should time out. If you get a "Destination Net Unreachable" type error, talk to the instructor.

    student:~$ ping -O 10.5.30.11
    PING 210.0.0.11 (210.0.0.11) 56(84) bytes of data.
    no answer yet for icmp_seq=1
    no answer yet for icmp_seq=2

Configuring Basic CGN

1. On device A1, enter config mode.

2. In Global Config Mode, build two CGN-LSN NAT pools named CGN21 and CGN121.

    cgnv6 nat pool CGN21 10.5.0.21 10.5.0.22 netmask /30
    cgnv6 nat pool CGN121 10.5.0.121 netmask /30

3. Verify the CGN-LSN NAT pool configuration. Confirm that both pools exist. Notice that the pools are associated with the default VRID.

    sh cgnv6 nat pool

4. Build a CGN-LSN NAT pool-group named CGN_PG1 that includes the NAT pools as members.
    cgnv6 nat pool-group CGN_PG1
      member CGN21
      member CGN121
      exit

5. Create a CGN-LSN Limit ID (LID) and assign the desired NAT pool-group.

    cgnv6 lsn-lid 1
      source-nat-pool CGN_PG1

6. Specify some optional parameters for this LID by configuring user-quotas for ICMP, UDP, and TCP.

      user-quota icmp 31
      user-quota udp 256
      user-quota tcp 256
      exit

7. Create a class list that assigns StudentRD's subnet to lsn-lid 1.

    class-list CL_CGN1
      100.64.110.0/24 lsn-lid 1
      exit

8. Set the CGN-LSN NAT address selection method to round-robin (default is random).

    cgnv6 lsn ip-selection round-robin

   You can explore the other IP selection methods if you choose. Note that since there are so few addresses in the pools, the selection settings will not have a dramatic effect in the lab environment.

9. Bind the class list to the CGN-LSN packet processing flow.

    cgnv6 lsn inside source class-list CL_CGN1

10. Bind the interfaces for the CGN-LSN packet processing flow by configuring the client side interfaces as NAT inside and the server side (i.e., our "Internet") as NAT outside.

   As there are three devices in our aVCS cluster, we will configure each of the units similarly. Track your progress by noting the change in the config prompt and the feedback from the vMaster.
   Configuring the NAT inside interfaces:

    device-context 1
    All the following configuration will go to device 1
    interface ve 100
    ip nat inside
    This operation applied to device 1
    device-context 2
    All the following configuration will go to device 2
    ip nat inside
    This operation applied to device 2
    device-context 3
    All the following configuration will go to device 3
    ip nat inside
    This operation applied to device 3

   Configuring the NAT outside interfaces:

    device-context 1
    All the following configuration will go to device 1
    interface ve 200
    ip nat outside
    This operation applied to device 1
    device-context 2
    All the following configuration will go to device 2
    ip nat outside
    This operation applied to device 2
    device-context 3
    All the following configuration will go to device 3
    ip nat outside
    This operation applied to device 3

11. Open the second terminal window (create a new one, if needed) and confirm that the Windows client can now access the "outside" network (10.5.30.0/24). Ping server1 by its IP address of 10.5.30.11; you should receive a reply.

    student:~$ ping -O 10.5.30.11

12. Open the Nmap - Zenmap GUI (it's the All Seeing Eye icon on the Launcher Panel, next to the System menu. The password to run the program is "a10"). Enter Target 10.5.8.3, and select Profile "port 4569 test", if not already selected. Finally, click the Scan button. The Command field should read

    nmap -sU -p 4569 -T4 -n -Pn -g 5000 10.5.8.3

   and the result should include the lines:

    Host is up (0.075s latency).
    PORT     STATE SERVICE
    4569/udp open  unknown

   A state of `open|filtered` is an error. Please inform the instructor.

13. Open a browser. Connect to server1 and server2 via http (http://10.5.30.11/, http://10.5.30.12/). Notice that the same "Request Source --> IP address" is used for both requests.

14. In the SSH connection to the ACOS device, clear all sessions.

    clear sessions all

15. Wait at least 10 seconds. Connect again to server1 or server2 via http.
   Notice that a different "Request Source --> IP address" is reported.

VRRP-A Connection Mirroring

16. In the SSH connection to the A1 device, clear all sessions.

    clear sessions all

17. Set up a repeating display of sessions from StudentRD in the session table of A1.

    repeat 5 sh session ipv4 | inc 100.64.110.

18. Open a new BASH window and SSH to A2 (192.168.0.2, user/pass of admin/a10). Enter enable mode and set up a repeating display of sessions from StudentRD in the session table of A2.

19. Connect again to server1 via http. Notice that the session table entries appear on both systems.

20. Quit the repeat command, exit from A2, and then SSH to A3 (192.168.0.3, user/pass of admin/a10). Enter enable mode and set up a repeating display of sessions from StudentRD in the session table of A3.

21. Connect again to server1 via http. Notice that the session table entries appear only on A2 (and A1, of course) but not on A3.

22. Quit the repeat command and look at the VRRP-A status for VRID 0. Notice that A2 is the Standby with the highest Priority and is next in line to become Active for VRID 0 (the asterisk (*) in the last column).

Lab 1 View, Verify, and Backup the Configuration

23. View the CGN-LSN configuration.

    show running-config | sec cgn\|CGN\|ve

   There is some extra material in the output, but you should see the class-list, the inside and outside interface configuration, the CGN-LSN inside source configuration, the NAT pools, the NAT pool-group, and the LSN-LID you created.

24. Save your running-config to startup-config. It should write the configuration to profile "PR-CLASS".

    write memory

25. Make sure you are in device-context 1 (the device-context command can only be run from config mode).

    device-context 1

26. Backup the system. As you are on A1, name the file appropriately.
   (The following command goes on one (1) line.)

    backup system use-mgmt-port ftp://192.168.0.100/ConfigBackup/CGNLab1A1.tar.gz
    User name []?      (leave blank, just hit return)
    Password []?       (leave blank, just hit return)
    (enter no for saving to a profile)

CGN Lab 2: Additional Features
ACOS 4.1.4 (2/28/2023)

Device Preparation

If the Configuring CGNAT lab was completed successfully, then the ACOS CGN devices are ready to go. When starting this lab from any other starting point, prepare the devices by following the instructions in Appendix A section Device Preparation: Lab 2 - Additional Features.

Enable Application Layer Gateways (ALG) for CGN

FTP

1. FTP is supported by default. Test it by opening a terminal based ftp session to 10.5.30.11 (user: ftp, i.e. anonymous; the "-A" option is required). Simply list the contents of the FTP home directory.

    student:~$ ftp -A 10.5.30.11
    Connected to 10.5.30.11 (10.5.30.11).
    220 (vsFTPd 2.2.2)
    User (10.5.30.11:(student)): ftp
    230-Welcome to A10 FTP & TFTP server
    [. . .]
    ftp> ls

2. Confirm that you are using active mode by looking for the line below in the output:

    200 PORT command successful. Consider using PASV.

3. Close the ftp session with the `bye` command.

4. In a separate terminal window, SSH in to A1 (aVCS vMaster), and disable the FTP ALG.

    cgnv6 lsn alg ftp disable

5. Back in the first terminal, open a new PORT based (i.e., active) ftp session to Server1 (10.5.30.11). Test access by attempting to list the contents of the FTP home directory. It will fail. Close the ftp session.

6. Switch to the SSH session to A1 (aVCS vMaster) and remove the FTP ALG disablement.

    no cgnv6 lsn alg ftp disable

RTSP

7. Test that the RTSP ALG is not enabled by playing an RTSP video stream:
   • Open VLC Media player (click the road cone icon in the panel).
   • In the application menu, select "Media" > "Open Network Stream...".
   • In the "Please enter a network url" box, type rtsp://10.5.30.11/test.ts (if not already present).
   • Press the Play button.

8. After about ten to fifteen seconds, a video stream should start. Stop the video by hitting the Stop Playback button (the button with the square). The VLC window should return to the Traffic Cone image. (The video plays because VLC has multiple ways built in to overcome NAT. Although the video will play, the network configuration forces VLC to use its least efficient streaming mechanism, RTP over RTSP/TCP, which takes about ten seconds to kick in.)

9. Back in the SSH session to A1 (aVCS vMaster), enable the RTSP ALG.

    cgnv6 lsn alg rtsp enable

10. Test that the RTSP ALG is enabled by playing an RTSP video stream from 10.5.30.12 (rtsp://10.5.30.12/test.ts). Notice that the video starts almost instantly.

11. Check your RTSP ALG statistics.

    show cgnv6 lsn alg rtsp statistics

   It should show 2 Streams Created, Ports Allocated, and Data Sessions Created (or at least 2 times the number of times you started the video). Optional: to confirm, one could clear the statistics with the command below and test again.

    clear cgnv6 lsn alg rtsp statistics

12. View the sessions tracked by your ACOS device. You should see a number of active sessions at the bottom of the output.

    show session

13. Close the media player.

14. Look at the default timeout values for various kinds of traffic.

    show ip nat timeouts

   To adjust the values you can use the ip nat translation command. TCP and UDP can be adjusted globally or can be further customized with the addition of the service-timeout parameter (use CLI Help (the "?") for full protocol/port syntax).

Understanding User Quota behavior

15. Edit the LSN-LID 1 and modify the TCP quota. (For testing purposes, this quota will be set unreasonably small for a production environment.)

    cgnv6 lsn-lid 1
      user-quota tcp 2

16.
   Open 3 instances of VLC Media player on your Windows client and network stream to rtsp://10.5.30.11/test.ts and/or rtsp://10.5.30.12/test.ts. The third connection should not connect and should produce an error after about 10 seconds. Leave the two successful streams running.

17. Increase the tcp quota back to 256 and attempt to open that third stream again; it should now establish.

18. Widen the window with the SSH session to A1 to fill the width of the desktop. It's easiest if it fills the bottom half of the screen.

19. Look at the statistics for your NAT pool usage (either command works, but the second has reduced output).

    sh cgnv6 nat pool statistics
    sh cgnv6 nat pool statistics top 2 used

20. Notice that the column Rsvd shows that CGN reserved 256 ports for 1 user. Adjust the user-quota so that CGN only reserves 128 TCP ports per user.

    cgnv6 lsn-lid 1
      user-quota tcp 256 reserve 128

21. Look at the statistics for your NAT pool usage. Notice that CGN is now reserving 128 TCP ports for your 1 user (IP address) but is still reserving 256 UDP ports for that user.

22. Adjust the user-quota so that CGN only reserves 128 UDP ports per user (in general, the reserve and quota for TCP and UDP should match).

    cgnv6 lsn-lid 1
      user-quota udp 256 reserve 128

23. Save your current configuration.

24. Close the media player windows.

Understanding Endpoint Independent Mapping and Filtering

EIM - Endpoint Independent Mapping

25. In the wide terminal with the SSH to A1, clear all sessions.

    clear sessions all

26. Create a session filter to see all traffic from StudentRD's network.

    session-filter WIN
      set source-addr 100.64.110.100 source-mask /24

27. Use the session filter to display the session table. The session table should be empty.

    show session filter WIN

28. In the Zenmap GUI, set the Target: to "10.5.30.11 10.5.30.12" and the Profile: to "port 5555 EIM test". Finally, click the Scan button.
   Zenmap should return "Host is up" for both hosts. The command should read:

    nmap -sn -T4 -n -PU5000,5060 -g 5555 10.5.30.11 10.5.30.12

29. Return to the wide window with the SSH session to A1. Use the session filter to display the session table. Notice that one session we created used port 5555 on the NAT address (the Reverse Dest column). This is caused by the default Attempt-Port-Preservation feature. The other connections were assigned other ports, because 5555 was already in use.

    show session filter WIN
    [. . .]
    Prot Forward Source       Forward Dest     Reverse Source   Reverse Dest     Age Hash Flags    Type
    ------------------------------------------------------------------------------------------------------
    Udp  100.64.110.100:5555  10.5.30.11:5000  10.5.30.11:5000  10.5.0.21:8321   300 2    NFe0f0r0 LSN
    Udp  100.64.110.100:5555  10.5.30.11:5060  10.5.30.11:5060  10.5.0.21:9857   300 2    NFe0f0r0 LSN
    Udp  100.64.110.100:5555  10.5.30.12:5060  10.5.30.12:5060  10.5.0.21:31233  300 2    NFe0f0r0 LSN
    Udp  100.64.110.100:5555  10.5.30.12:5000  10.5.30.12:5000  10.5.0.21:5555   300 2    NFe0f0r0 LSN

30. Clear the session table.

31. In global config mode, enable EIM for ports 1024-65535.

    cgnv6 lsn endpoint-independent-mapping tcp port 1024 to 65535
    cgnv6 lsn endpoint-independent-mapping udp port 1024 to 65535

32. In the Zenmap GUI, re-scan with "port 5555 EIM test".

33. In the wide window with the SSH session to A1, use the session filter to display the session table. Notice that all the sessions are now using port 5555 on the NAT address. Only 1 public port was used for all the sessions.

34. Clear the session table.

EIF - Endpoint Independent Filtering

35. In the Zenmap GUI, set the Target: to "10.5.30.11", and set the Profile: to "port 5566 EIF test". Finally, click the Scan button. Zenmap should return "Host is up". The command should read:

    nmap -sn -T4 -n -PU5000 -g 5566 10.5.30.11

36.
   In the SSH session to A1, look at the session table. You should see a result showing a connection to 10.5.30.11 port 5000, and the Reverse Dest column shows the NAT address and port used to reach 10.5.30.11. In this example, 10.5.0.22 port 5566:

    show session filter WIN
    [. . .]
    Prot Forward Source       Forward Dest     Reverse Source   Reverse Dest     Age Hash Flags    Type
    ------------------------------------------------------------------------------------------------------
    Udp  100.64.110.100:5566  10.5.30.11:5000  10.5.30.11:5000  10.5.0.22:5566   300 1    NFe0f0r0 LSN

37. In a new terminal window bash shell, run the following command to connect back from server1 to the "public" IP and port.

    student:~$ ssh s1 "eifNcat <ReverseDest_IP>"

   (Just for example)

    student:~$ ssh s1 "eifNcat 10.5.0.22"
    Warning: Permanently added 's1,192.168.0.11' (RSA) to the list of known hosts.
    student@s1's password: (enter a10)
    - - - Test callback from s1 port 5000 to 10.5.0.22 port 5566 - - -
    Hello There
    - - - Test new connection: s1:5000 to 10.5.0.22:5567 - - -
    No one's home
    - - - Test new connection: s1:5001 to 10.5.0.22:5566 - - -
    No one's home

   Using SSH, we are running the helper script eifNcat on server1. If server1 (10.5.30.11) can reach StudentRD through the LSN session, the script responds "Hello There".

38. Back in the SSH session to A1, clear all sessions.

39. In global config mode on A1, enable EIF (completing the Full-Cone NAT configuration) for ports 1024-65535.

    cgnv6 lsn endpoint-independent-filtering tcp port 1024 to 65535
    cgnv6 lsn endpoint-independent-filtering udp port 1024 to 65535

40. In the Zenmap GUI, re-scan with "port 5566 EIF test".

41. Once again, in the SSH session to A1, look at the session table. You should see a result showing a connection to 10.5.30.11 port 5000, and the Reverse Dest column will likely show a different NAT address used to reach 10.5.30.11. In this example, 10.5.0.122 port 5566.
    show session filter WIN
    [. . .]
    Prot Forward Source       Forward Dest     Reverse Source   Reverse Dest     Age Hash Flags    Type
    ------------------------------------------------------------------------------------------------------
    Udp  100.64.110.100:5566  10.5.30.11:5000  10.5.30.11:5000  10.5.0.122:5566  300 1    NFe0f0r0 LSN

42. Rerun the eifNcat utility, but change the destination to the new "Reverse Dest" IP address. This time, the first and third connections will return "Hello There", but the second connection, targeting port 5567, will fail.

    student:~$ ssh s1 "eifNcat <ReverseDest_IP>"

   (Just for example)

    student:~$ ssh s1 "eifNcat 10.5.0.122"

43. Save your current configuration.

Understanding EIM/EIF (Full-Cone NAT) STUN behavior

44. In the long window with the SSH to A1, clear all sessions.

    clear sessions all

45. Set the UDP session timeout to an unreasonably low value of 30 seconds.

    cgnv6 translation udp-timeout 30

46. In the Zenmap GUI, re-scan with "port 5566 EIF test".

47. On A1, view the session table (run the command several times to show the countdown).

    show session filter WIN

   Note: Ordinarily, the Age column, which is really a Time Remaining column, displays the time remaining for the session in 60 second (1 minute) increments. Because the timeout is set so low, it will display in second increments.

48. Before the session times out, show the EIM/EIF (Full-Cone) sessions. Notice that the Age column is listing nothing (a "-").

    show cgnv6 lsn full-cone-sessions

49. Check the session table. After the session times out, check the full-cone-sessions table. Notice that the Age column now lists 120 or perhaps 60 (seconds left until time out).

50. Set the STUN-Timeout to 4 minutes.

    cgnv6 lsn stun-timeout tcp port 1024 to 65535 4
    cgnv6 lsn stun-timeout udp port 1024 to 65535 4

51. Restore the UDP session timeout to the default. Either of the following commands should work.
    no cgnv6 translation udp-timeout 30

   or

    cgnv6 translation udp-timeout 300

52. Verify the settings have been restored. Note: the command should return no "cgnv6 translation" entries.

    show running-config cgnv6 translation

   (or include with-default to see the setting)

    show running-config with-default cgnv6 translation

53. Save your configuration.

Understanding Session User Quota behavior

54. In the SSH session to A1, in global config mode, edit the LSN-LID 1 and modify the session quota. (For testing purposes, this quota will be set unreasonably small for a production environment.)

    cgnv6 lsn-lid 1
      user-quota session 2

55. In the Zenmap GUI, set the Target: to "10.5.30.11 10.5.30.12" and the Profile: to "port 5555 EIM test". Finally, click the Scan button. Zenmap should return "Host is up" for both hosts.

56. In the SSH session to A1, use the session filter to display the session table. Notice that only 2 sessions, rather than 4 sessions, were allowed through.

57. Set user-quota session to 500.

    cgnv6 lsn-lid 1
      user-quota session 512

58. Save the configuration.

Static Port Mapping

59. In the SSH to server1, test if the "Internet" can access a web server on StudentRD. It will fail.

    [s1: ~]$ lynx 100.64.110.100     (CTRL-c to quit)
    [s1: ~]$ lynx 10.5.0.21          (CTRL-c to quit)

60. Back in the SSH session to A1, clear all sessions.

61. In global config mode on A1, enable a static mapping for inside address 100.64.110.100 to outside address 10.5.0.21 for port 80 (the command is one line).

    cgnv6 lsn port-reservation inside 100.64.110.100 80 80 nat 10.5.0.21 80 80

62. Back on server1, test if the "Internet" can access a web server on StudentRD.

    [s1: ~]$ lynx 10.5.0.21

Hairpinning filtering

63. On StudentRD, open a browser to http://10.5.0.21/. Compare the output with http://localhost/.

64. Back in the SSH session to A1, clear all sessions.

65.
   Limit an inside host from talking to itself through CGN by configuring a hairpinning filter based on self-ip.

    cgnv6 lsn hairpinning filter-self-ip

66. On StudentRD, reload the page http://10.5.0.21/. It should time out.

67. Remove the static mapping (the command is one line).

    no cgnv6 lsn port-reservation inside 100.64.110.100 80 80 nat 10.5.0.21 80 80

Lab 2 View, Verify, and Backup the Configuration

68. View the CGN-LSN configuration.

    show running-config cgnv6

   You won't see the class-list, but you should see the hairpinning filter, ip-selection, LSN ALGs, EIM, EIF, NAT pools, NAT pool-group, and the LSN-LID you created. You should also see the CGN-LSN inside source configuration.

69. Save your running-config to startup-config. It should write the configuration to profile "PR-CLASS".

    write memory

70. Make sure you are in device-context 1 (the device-context command can only be run from config mode).

    device-context 1

71. Backup the system. As you are on A1, name the file appropriately. (The following command goes on one (1) line.)

    backup system use-mgmt-port ftp://192.168.0.100/ConfigBackup/CGNLab2-A1.tar.gz

CGN Lab 3: Configuring NAT64/DNS64
ACOS 4.1.4 (2/28/2023)

Device Preparation

If the Configuring CGNAT lab was completed successfully, then the ACOS CGN devices are ready to go. When starting this lab from any other starting point, prepare the devices by following the instructions in Appendix A section Device Preparation: Lab 3 - Configuring NAT64/DNS64.

ACOS IPv6 setup

1. On StudentRD, open an SSH session to vMaster (192.168.0.10). If needed, open a new terminal window.

    [student: ~]$ ssh admin@192.168.0.10
    (password is a10)

2. Add the appropriate IPv6 addresses to the interface ve 100 on all three devices in the aVCS cluster.
    interface ve 1/100
      ipv6 address 2001:db8:a10:100::1/64
      ipv6 address fe80::a10:100:1/64 link-local
    interface ve 2/100
      ipv6 address 2001:db8:a10:100::2/64
      ipv6 address fe80::a10:100:2/64 link-local
    interface ve 3/100
      ipv6 address 2001:db8:a10:100::3/64
      ipv6 address fe80::a10:100:3/64 link-local

3. Add static routes to the StudentRD network (remember your Up Arrow).

    device-context 1
    ipv6 route 2001:db8:a10:110::/64 2001:db8:a10:100::254
    device-context 2
    ipv6 route 2001:db8:a10:110::/64 2001:db8:a10:100::254
    device-context 3
    ipv6 route 2001:db8:a10:110::/64 2001:db8:a10:100::254

4. Test connectivity by pinging StudentRD from A1.

    ping ipv6 2001:db8:a10:110::100

5. Configure the client side router's next IPv6 hop by adding a VRRP-A Floating-IP to VRID 1.

    vrrp-a vrid 1
      floating-ip 2001:db8:a10:100::10

Configuring Basic NAT64

1. Set the NAT64 prefix for this specific IPv6 network to use to route to the IPv4 Internet.

    cgnv6 nat64 prefix 2001:db8:a10:624::/96 vrid 1

2. Build two CGNv6 NAT pools named CGN65 and CGN165, and associate them with VRID 1.

    cgnv6 nat pool CGN65 10.5.0.65 netmask /30 vrid 1
    cgnv6 nat pool CGN165 10.5.0.165 netmask /30 vrid 1

3. Verify the CGNv6 NAT pool configuration. Notice that the pools are associated with the default VRID.

    sh cgnv6 nat pool

4. Build a CGNv6 NAT pool-group named CGN_PG2 that includes the NAT pools as members.

    cgnv6 nat pool-group CGN_PG2
      member CGN65
      member CGN165
      exit

5. Create a CGNv6 Limit ID (LID) of 2 and assign the desired NAT pool-group. Specify some optional parameters for this LID by configuring user-quotas for ICMP, UDP, TCP, and Sessions.

    cgnv6 lsn-lid 2
      name NAT64
      source-nat-pool CGN_PG2
      user-quota icmp 31
      user-quota udp 256
      user-quota tcp 256
      user-quota session 512
      exit

6. Create a class list that assigns the internal IPv6 networks to lsn-lid 2.

    class-list CL_CGN2
      2001:db8:a10::/48 lsn-lid 2
      exit

7.
Set the CGN-NAT64 NAT address selection method to round-robin (the default is random).

   cgnv6 lsn ip-selection round-robin

   You can explore the other IP selection methods if you choose. Note that since there are so few addresses in the pools, the selection settings will not have a dramatic effect in the lab environment.

8. Bind the class list to the CGN-NAT64 packet processing flow.

   cgnv6 nat64 inside source class-list CL_CGN2

9. Bind the interfaces for the CGN-NAT64 packet processing flow by configuring the client side interfaces as IPv6 NAT inside and the server side (i.e., our "Internet") as NAT outside. As there are three devices in our aVCS cluster, we will configure each of the units similarly. Track your progress by noting the change in the config prompt and the feedback from the vMaster.

   Configuring the NAT inside interfaces:

   device-context 1
   All the following configuration will go to device 1
   interface ve 100
   ipv6 nat inside
   This operation applied to device 1
   device-context 2
   All the following configuration will go to device 2
   ipv6 nat inside
   This operation applied to device 2
   device-context 3
   All the following configuration will go to device 3
   ipv6 nat inside
   This operation applied to device 3

   If not configured in a previous lab, configure the IP NAT outside interfaces (Note: ip nat, not ipv6 nat).

   device-context 1
   All the following configuration will go to device 1
   interface ve 200
   ip nat outside
   This operation applied to device 1
   device-context 2
   All the following configuration will go to device 2
   ip nat outside
   This operation applied to device 2
   device-context 3
   All the following configuration will go to device 3
   ip nat outside
   This operation applied to device 3

In the following steps, we will connect to server1 and server2 by IP address.
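The next steps reach server1 and server2 through the NAT64 prefix, and the DNS64 step later in this lab returns addresses of the same shape. The following Python is an added example, not part of the lab guide and not ACOS code: it shows how a /96 NAT64 prefix carries an IPv4 address in its low 32 bits, how to recover the IPv4 host from such an address (and refuse one that is not inside the prefix), and what a DNS64 resolver synthesizes for an IPv4-only name. The prefix and server addresses are the lab's own; the `dns64_answer` rule follows RFC 6147 (synthesize only when the name has no AAAA records), which is an assumption about what the lab's dns64-enabled template does by default.

```python
"""NAT64 /96 address embedding and DNS64 AAAA synthesis (added example)."""
import ipaddress

# Values taken from the lab: the NAT64 prefix and server1's IPv4 address.
NAT64_PREFIX = ipaddress.IPv6Network("2001:db8:a10:624::/96")
SERVER1_V4 = "10.5.30.11"


def embed_ipv4(prefix: ipaddress.IPv6Network, ipv4: str) -> ipaddress.IPv6Address:
    """Return the NAT64 address for an IPv4 host: the prefix bits followed by
    the 32-bit IPv4 address (the /96 form of RFC 6052 embedding)."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper only handles a /96 NAT64 prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(prefix: ipaddress.IPv6Network, ipv6: str) -> ipaddress.IPv4Address:
    """Reverse the embedding. Addresses outside the NAT64 prefix are rejected
    so a native IPv6 destination is never misread as an IPv4 host."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        raise ValueError(f"{v6} is not inside NAT64 prefix {prefix}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


def canonical(ipv6_text: str) -> str:
    """Normalise the dotted-quad alias (2001:db8:a10:624::10.5.30.11) to the
    hex form that ACOS and dig display (2001:db8:a10:624::a05:1e0b)."""
    return str(ipaddress.IPv6Address(ipv6_text))


def dns64_answer(prefix, a_records, aaaa_records=()):
    """RFC 6147 DNS64 rule (assumed to match the lab template's default):
    a name that already has AAAA records is answered with them unchanged;
    only an IPv4-only name gets AAAA records synthesised from its A records."""
    if aaaa_records:
        return [str(ipaddress.IPv6Address(a)) for a in aaaa_records]
    return [str(embed_ipv4(prefix, a)) for a in a_records]


if __name__ == "__main__":
    print("server1 via NAT64:", embed_ipv4(NAT64_PREFIX, SERVER1_V4))
    print("alias canonicalised:", canonical("2001:db8:a10:624::" + SERVER1_V4))
    print("DNS64 AAAA for s1.a10class.com:", dns64_answer(NAT64_PREFIX, [SERVER1_V4]))
```

Run it and compare the first line with the address the lab gives for server1; the `dig` answer in the DNS64 section is the same value, which is the point of pairing NAT64 with DNS64.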
Based on our NAT64 prefix setting of 2001:db8:a10:624::/96, server1 (10.5.30.11) should be accessible at 2001:db8:a10:624::10.5.30.11, a commonly understood alias for an IPv4 address embedded in the last 32 bits of an IPv6 address. The proper IPv6 address in this case would be 2001:db8:a10:624::a05:1e0b.

10. Open a new BASH shell window. Confirm that the Windows client can now access the "outside" network (10.5.8.0/24). Ping the echo server by the NAT64 representation of its IP address 10.5.8.3; you should receive a reply.

   ping -6 2001:db8:a10:624::10.5.8.3

11. Open the Nmap – Zenmap GUI (it's the All Seeing Eye icon on the Taskbar, over near the left). Enter Target 2001:db8:a10:624::10.5.8.3, and select Profile "port 4569 test IPv6", if not already selected. Finally, click the Scan button. The Command field should read:

   nmap -sU -6 -p 4569 -T4 -n -Pn -g 5000 2001:db8:a10:624::10.5.8.3

   and the result should include the lines:

   Host is up (0.015s latency).
   PORT     STATE SERVICE
   4569/udp open  unknown

   A state of `open|filtered` is an error. Please inform the instructor.

12. Connect to server1 and server2 via http (http://[2001:db8:a10:624::10.5.30.11]/ or http://[2001:db8:a10:624::10.5.30.12]/). Notice that the same Request Source --> IP address is used for both requests.

13. In the SSH connection to A1, view the sessions. Notice that there are no sessions on A1.

   show session ipv6

14. Check the VRRP-A state. Notice that VRID 1 is active on device 2 and the next highest priority for VRID 1 is device 3.

   show vrrp-a

15. SSH to A2 (192.168.0.2) and log in (admin / a10). Show the IPv6 sessions on A2. If you don't see any, try the ncat command again to generate a new session entry.

VRRP-A Connection Mirroring

16. In the SSH connection to the A2 device, clear all sessions.

   clear sessions all

17. Set up a repeating display of the session table of A2.

   repeat 5 show session ipv6

18.
Open a new BASH window and SSH to A3 (192.168.0.3, user/pass of admin/a10). Enter enable mode and set up a repeating display of the session table of A3.

19. Connect again to server1 via http. Notice that the session table entries appear on both systems.

View, Verify, and Backup the Configuration

20. Back in the SSH session to A1, view the CGN-NAT64 configuration.

   show running-config class-list
   show running-config cgnv6
   show running-config interface ve

   You should see the class-list, NAT pools, NAT pool-group, the LSN-LID, the CGN-NAT64 inside source configuration, the NAT64 prefix, the ipv6 nat inside and the ip nat outside interface configurations.

21. Save your running-config to startup-config. It should write the configuration to profile "PR-CLASS".

   write memory

Configuring DNS64

22. On A1 (vMaster), in global config mode, tell ACOS where the local DNS servers are.

   cgnv6 server LOCAL_DNS11 10.5.30.11
     port 53 udp
   cgnv6 server LOCAL_DNS12 10.5.30.12
     port 53 udp

23. In global config mode, create a service-group for the DNS servers and name them as members.

   cgnv6 service-group DNSV4 udp
     member LOCAL_DNS11 53
     member LOCAL_DNS12 53

24. In global config mode, create a DNS template to control how the DNS64 virtual-server will handle the IPv6 DNS queries it forwards to the IPv4 Internet.

   cgnv6 template dns TP_TRAINING_DNS
     dns64 enable

25. In global config mode, create a NAT pool the IPv6 virtual-server will use to forward DNS queries to the IPv4 Internet. Associate the pool with VRID 1.

   ip nat pool DNS64_POOL 10.5.0.53 10.5.0.53 netmask /32 vrid 1

26. In global config mode, create a virtual-server to be the front end for IPv6 DNS queries to the IPv4 Internet. It will use the service-group, IP NAT pool, and DNS template we just created.

   cgnv6 dns64-virtualserver LOCAL_DNS 2001:db8:a10:100::53 vrid 1
     port 53 dns-udp
       source-nat pool DNS64_POOL
       service-group DNSV4
       template dns TP_TRAINING_DNS

27.
In a BASH shell window running commands on StudentRD, test that the DNS64 virtual server is working.

   [student: ~]$ dig s1.a10class.com @2001:db8:a10:100::53 AAAA
   ;; ANSWER SECTION:
   s1.a10class.com. 0 IN AAAA 2001:db8:a10:624::a05:1e0b

Lab 3 View, Verify, and Backup the Configuration

28. Back in the SSH session to A1, view the CGN-NAT64 configuration.

   show running-config cgnv6

   In addition to the NAT64 configuration you saw before, you should now see the two cgnv6 servers, the cgnv6 service-group with two members, the DNS template, and the DNS64 virtual server configurations.

29. Save your running-config to startup-config. It should write the configuration to profile "PR-CLASS".

   write memory

30. Make sure you are in device-context 1 (the device-context command can only be run from config mode).

   device-context 1

31. Back up the system. As you are on A1, name the file appropriately. The following command is on one line.

   backup system use-mgmt-port ftp://192.168.0.100/ConfigBackup/CGNLab3-A1.tar.gz

CGN Lab 4: Routing
ACOS 4.1.4 (2/28/2023)

Device Preparation

If the Configuring CGNAT lab was completed successfully, then the ACOS CGN devices are ready to go. When starting this lab from any other starting point, prepare the devices by following the instructions in Appendix A, section Device Preparation: Lab 4 – Routing.

Configuring Egress BGP for IPv4

1. View the current routing table and the routes learned from BGP. Notice that the BGP neighbor 10.5.0.254 is sharing a default route, a 10.5.30.0/24 route, and a 10.5.8.0/22 route.

   show ip route
   show ip bgp ipv4 unicast

2. View the current dynamic routing configuration. Notice that we are configuring eBGP in this environment.

   show running-config | begin bgp

3. Add the VRRP-A floating IP 10.5.0.10 to VRID 0.

   vrrp-a vrid 0
     floating-ip 10.5.0.10

4.
For each device, create a route-map to set the next-hop to the VRRP-A Floating IP.

   device-context 1
   route-map TO_NATPOOL permit 10
     match group 0 active
     set ip next-hop 10.5.0.10
   device-context 2
   route-map TO_NATPOOL permit 10
     match group 0 active
     set ip next-hop 10.5.0.10
   device-context 3
   route-map TO_NATPOOL permit 10
     match group 0 active
     set ip next-hop 10.5.0.10

5. For each device, create an IP prefix-list to filter the addresses learned from the BGP neighbor.

   device-context 1
   ip prefix-list BGP_ALLOW seq 5 permit 0.0.0.0/0
   device-context 2
   ip prefix-list BGP_ALLOW seq 5 permit 0.0.0.0/0
   device-context 3
   ip prefix-list BGP_ALLOW seq 5 permit 0.0.0.0/0

6. Adjust the BGP configuration to filter out the extra learned routes and to redistribute the NAT pool addresses (this will need to be repeated for all 3 devices).

   device-context 1
   router bgp 64500
     bgp router-id 192.168.0.1
     neighbor 10.5.0.254 prefix-list BGP_ALLOW in
     redistribute ip-nat route-map TO_NATPOOL
   device-context 2
     bgp router-id 192.168.0.2
     neighbor 10.5.0.254 prefix-list BGP_ALLOW in
     redistribute ip-nat route-map TO_NATPOOL
   device-context 3
     bgp router-id 192.168.0.3
     neighbor 10.5.0.254 prefix-list BGP_ALLOW in
     redistribute ip-nat route-map TO_NATPOOL

7. Check your routing table. Notice that we may still have specific routes to 10.5.30.0/24 and 10.5.8.0/22. Clear the BGP process.

   show ip route
   clear ip bgp *
   (wait 5-10 seconds)
   show ip route

8. Check the state of the BGP advertisements. Notice that we are now advertising that the next hop for our NAT pools is the VRRP-A Floating-IP.

   show ip bgp ipv4 unicast

9. Open a new terminal window. Use the scripts/acoscli.sh script to check what routes the upstream router is learning. Note: the ANSI-C quoting can be a little finicky and may not copy and paste. Also, the command is a single line.

   student:~$ bash scripts/acoscli.sh -t router -u student $'act server \n sh ip route'
   [. . .]
   C    10.5.0.0/24 is directly connected, ve 200, 00:22:28
   B    10.5.0.20/30 [20/0] via 10.5.0.10, ve 200, 00:02:41
   B    10.5.0.120/30 [20/0] via 10.5.0.10, ve 200, 00:02:41
   [. . .]

Configuring Ingress OSPF for IPv4

10. From that new terminal, use the scripts/acoscli.sh script to check the status of routes learned via OSPF on the client side router.

   student:~$ bash scripts/acoscli.sh -t router -u student 'sh ip ospf 100 database'
   [. . .]
                   AS External Link States
   Link ID         ADV Router      Age   Seq#        CkSum   Route                Tag
   100.64.1.0      100.64.0.254    742   0x80000002  0xfe75  E2 100.64.1.0/24     0
   100.64.2.0      100.64.0.254    1432  0x80000002  0xf37f  E2 100.64.2.0/24     0
   100.64.50.0     100.64.0.254    1482  0x80000002  0xe161  E2 100.64.50.0/24    0
   100.64.110.0    100.64.0.254    702   0x80000002  0x4bbb  E2 100.64.110.0/24   0

11. In the SSH session to A1 (i.e., vMaster), view the current OSPF database. Notice that there are four OSPF advertisers and that we are learning the route to 100.64.110.0/24 from 100.64.0.254.

   show ip ospf database

12. View the current OSPF configuration.

   show running-config router

13. For each device, create a route-map to set the next-hop to the VRRP-A VRID 0 Floating IP of 100.64.0.10.

   device-context 1
   route-map TO_FLOATIP permit 10
     match group 0 active
     set ip next-hop 100.64.0.10
   device-context 2
   route-map TO_FLOATIP permit 10
     match group 0 active
     set ip next-hop 100.64.0.10
   device-context 3
   route-map TO_FLOATIP permit 10
     match group 0 active
     set ip next-hop 100.64.0.10

14. Adjust the OSPF configuration on all 3 devices so that they advertise a default route to the client side router.

   device-context 1
   router ospf 1
     default-information originate route-map TO_FLOATIP
   device-context 2
     default-information originate route-map TO_FLOATIP
   device-context 3
     default-information originate route-map TO_FLOATIP

15.
Use the scripts/acoscli.sh script to check the updated status of routes learned via OSPF on the client side router.

   student:~$ bash scripts/acoscli.sh -t router -u student 'sh ip ospf 100 database'
   [. . .]
                   AS External Link States
   Link ID         ADV Router      Age   Seq#        CkSum   Route                Tag
   0.0.0.0         100.64.0.1      4     0x80000001  0x97dc  E2 0.0.0.0/0         0
   100.64.1.0      100.64.0.254    742   0x80000002  0xfe75  E2 100.64.1.0/24     0
   100.64.2.0      100.64.0.254    1432  0x80000002  0xf37f  E2 100.64.2.0/24     0
   100.64.50.0     100.64.0.254    1482  0x80000002  0xe161  E2 100.64.50.0/24    0
   100.64.110.0    100.64.0.254    702   0x80000002  0x4bbb  E2 100.64.110.0/24   0

Configuring Ingress OSPFv3 for IPv6

This portion of the lab assumes you have completed the NAT64/DNS64 lab.

16. Show the IPv6 routing table.

   show ipv6 route

17. For each device, create a route-map to set the next-hop to the VRRP-A IPv6 Floating IP.

   device-context 1
   route-map TO_NAT64 permit 2
     match group 1 active
     set ipv6 next-hop 2001:db8:a10:100::10
   device-context 2
   route-map TO_NAT64 permit 2
     match group 1 active
     set ipv6 next-hop 2001:db8:a10:100::10
   device-context 3
   route-map TO_NAT64 permit 2
     match group 1 active
     set ipv6 next-hop 2001:db8:a10:100::10

18. For each device, configure an OSPFv3 routing process with a process tag of 100. Set a router-id, and redistribute the NAT64 prefix with the route-map created earlier.

   device-context 1
   router ipv6 ospf 100
     router-id 0.0.0.1
     redistribute nat64 route-map TO_NAT64
   device-context 2
   router ipv6 ospf 100
     router-id 0.0.0.2
     redistribute nat64 route-map TO_NAT64
   device-context 3
   router ipv6 ospf 100
     router-id 0.0.0.3
     redistribute nat64 route-map TO_NAT64

19. For each device, add interface ve 100 to area 0 of the OSPFv3 configuration.

   device-context 1
   interface ve 100
     ipv6 router ospf area 0 tag 100
   device-context 2
     ipv6 router ospf area 0 tag 100
   device-context 3
     ipv6 router ospf area 0 tag 100

20. Remove the static route for 2001:db8:a10:110::/64 from all 3 devices.
   device-context 1
   no ipv6 route 2001:db8:a10:110::/64 2001:db8:a10:100::254
   device-context 2
   no ipv6 route 2001:db8:a10:110::/64 2001:db8:a10:100::254
   device-context 3
   no ipv6 route 2001:db8:a10:110::/64 2001:db8:a10:100::254

21. Check the IPv6 routing table and the OSPFv3 external routes. Notice that there are four OSPF advertisers and that we are learning a route to 2001:db8:a10:624::/96 (our NAT64 prefix) from A2 (router 0.0.0.2). Also notice the next hop for the 2001:db8:a10:110::/64 network.

   show ipv6 ospf database
   show ipv6 ospf database external
   show ipv6 route

22. In our alternate terminal, verify that the client side router is learning the route to the NAT64 prefix.

   student:~$ bash scripts/acoscli.sh -t router -u student 'sh ipv6 ospf route'
   [. . .]
   E2 2001:db8:a10:624::/96 via 2001:db8:a10:100::10, ve 100 10/20

Lab 4 View, Verify, and Backup the Configuration

23. Back in the SSH session to A1, view the CGN-NAT64 configuration.

   show running-config interface ve
   show running-config | begin router ipv6

   In addition to the NAT64 configuration you saw before, you should now see the two cgnv6 servers, the cgnv6 service-group with two members, the DNS template, and the DNS64 virtual server configurations.

24. Save your running-config to startup-config. It should write the configuration to profile "PR-CLASS".

   write memory

25. Make sure you are in device-context 1 (the device-context command can only be run from config mode).

   device-context 1

26. Back up the system. As you are on A1, name the file appropriately. The following command is on one line.

   backup system use-mgmt-port ftp://192.168.0.100/ConfigBackup/CGNLab4-A1.tar.gz

CGN Lab 5: LSN Logging
ACOS 4.1.4 (2/28/2023)

Device Preparation

If the Configuring CGNAT lab was completed successfully, then the ACOS CGN devices are ready to go.
If the Configuring NAT64/DNS64 lab was completed successfully, then the IPv6 based parts of the lab can be used. The section Port Batching requires that the Routing lab be completed. If the Routing lab was skipped, then skip the Port Batching section. When starting this lab from any other starting point, prepare the devices by following the instructions in Appendix A, section Device Preparation: Lab 5 – Logging.

Setup Data-Plane Syslog Based Logging

1. Watch the syslog server as you configure Data Plane Logging. Open a new terminal window. Resize that window so that it fills about the bottom half of the screen. Then use tshark to view the syslog messages generated during the following exercise. Note: you will notice some duplicate entries in the output because of the multiple "-e" options.

   student:~$ tshark -i DATA -f "port 514" -T fields -e syslog -e syslog.msg
   Capturing on 'DATA'

2. Open an SSH connection to A1 (192.168.0.1) and log in (admin / a10). Enter Config mode. If A1 is not vMaster, use the "vcs vMaster-take-over 255" command to take over vcs vMaster status.

3. Define the syslog server so that ACOS knows where to send its traffic logs.

   cgnv6 server MYSYSLOG 100.64.110.100

4. At the real server configuration level, specify the port and protocol for the syslog service. Usually, these arguments are port "514" and protocol "TCP" or protocol "UDP". If a non-standard syslog port is required, the operator may modify the port number to match the logging environment.

   port 514 udp

5. You will notice that once "port 514 udp" is defined, ACOS systems begin sending packets containing the string "A10". This is the health check for a UDP port. Ordinarily, the syslog server administrator would set rules to filter out these messages. We will simply disable them. The following configuration is entered directly after port 514 udp.

   health-check-disable

6.
At the global configuration level, create a UDP based service group for syslog servers and add the defined server to the group.

   cgnv6 service-group SG_SYSLOG udp
     member MYSYSLOG 514

7. At the global configuration level, create a basic logging template and specify the syslog server group to receive the session creation and deletion messages.

   cgnv6 template logging CGN_LOG
     service-group SG_SYSLOG

8. At the global configuration level, activate the template for CGN-LSN logging. Note: the following applies to both LSN and NAT64.

   cgnv6 lsn logging default-template CGN_LOG

9. Open the Nmap – Zenmap GUI (it's the All Seeing Eye icon on the Taskbar, over near the left). Enter Target 10.5.8.3 and select Profile "port 80 Logging Test". Finally, click the Scan button. The Command field should read:

   nmap -p 80 -T4 -n -Pn --script http-chrono --script-args http-chrono.maxdepth=1 10.5.8.3

10. Observe the syslog. Notice that the NAT-TCP-C (Create) and NAT-TCP-F (FIN) logs come relatively quickly one after another. This is because the FIN log arrives when the session is removed from the table, which happens when the TCP session is closed.

Logging Template Options

11. In the SSH session to A1 (vMaster), adjust the logging template so that CGNAT logs are sent in RFC 5424 format.

   cgnv6 template logging CGN_LOG
     format rfc5424

12. Create some more TCP traffic and observe the difference.

13. Change the format to compact HEX, then create some more TCP traffic.

   format compact

14. Remove the compact format.

   no format compact

15. Adjust the logging template so that CGNAT logs are sent with a facility of local7 and severity 6 (informational).

   cgnv6 template logging CGN_LOG
     facility local7
     severity informational

16. Create some more TCP traffic and observe the difference.

17. While continuing to watch the syslog server log entries, use a browser to connect to http://10.5.30.11.
   Notice that several (4-6) mappings are created but are not closed for a while (a minute or so, depending on the browser).

18. In the SSH session to A1 (vMaster), adjust the logging template to log sessions (by default, only the creation and deletion of port-mappings are logged).

   cgnv6 template logging CGN_LOG
     log sessions

19. Create some more TCP traffic and observe the difference. Notice that in addition to gaining details about the destination, we have doubled the number of log entries created.

20. Disable the default logging and log only sessions. In the logging template, disable the logging of port-mappings.

   cgnv6 template logging CGN_LOG
     log port-mappings disable

21. Set the format to binary. Generate some TCP traffic. Notice that we don't see any logs in our `show syslog | grep local7` instance.

   cgnv6 template logging CGN_LOG
     format binary

22. In the SSH session to A1, remove the format binary configuration.

   no format binary

Port Batching

23. Create a CGNv6 NAT pool with a version 2 port batch size of 64.

   cgnv6 nat pool CGN_BATCH 10.1.1.1 netmask /30 port-batch-v2-size 64

24. Change the LSN-LID 1 NAT pool to CGN_BATCH. (Alternatively, if you are testing with NAT64, change the LSN-LID 2 NAT pool.)

   cgnv6 lsn-lid 1
     source-nat-pool CGN_BATCH

25. Clear the session table, twice to be sure.

   clear sessions all

26. Generate some TCP traffic. Notice that port batching has not seemed to reduce the number of log entries. This is because we are logging sessions rather than L4 port allocation.

27. Restore the logging template CGN_LOG to the default state of logging port-mappings.

   cgnv6 template logging CGN_LOG
     no log sessions
     no log port-mappings disable

28. Generate some TCP traffic.
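With port batching and port-mapping logging, the traffic generated here produces one NAT-TCP-T entry per batch of 64 external ports instead of one entry per mapping. That reduction is why an operator keeps these logs: later, a report naming an external address, port and time must be traced back to the inside subscriber, and with batch records that requires range arithmetic rather than an exact match. The following Python is an added example, not part of the lab guide and not an A10 tool: it parses batch entries shaped like the lab's NAT-TCP-T and NAT-TCP-Y lines and answers that attribution question, treating an ambiguous result (more than one hit) as something to flag rather than report. The sample lines are constructed; the "Mon DD HH:MM:SS" timestamp layout, the supplied year, and the reading of T as "batch allocated" and Y as "batch freed" are assumptions and should be checked against the ACOS logging reference for the format in use.

```python
"""Attribution query over CGN port-batch syslog entries (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample lines modelled on the NAT-TCP-T / NAT-TCP-Y entries the
# lab shows for a pool with port-batch-v2-size 64. The line that is not a
# batch record stands in for the per-mapping and health-check messages that
# share the same syslog stream and must be skipped.
SAMPLE_LOG = """\
Feb 28 10:00:01 A1 NAT-TCP-T: 100.64.110.100 -> 10.1.1.2:49536,49599
Feb 28 10:00:02 A1 NAT-TCP-T: 100.64.110.101 -> 10.1.1.2:49600,49663
Feb 28 10:00:05 A1 constructed non-batch message (skipped by the parser)
Feb 28 10:03:15 A1 NAT-TCP-Y: 100.64.110.100 -> 10.1.1.2:49536,49599
Feb 28 10:03:20 A1 NAT-TCP-T: 100.64.110.102 -> 10.1.1.2:49536,49599
"""

# <timestamp> <host> NAT-<proto>-<T|Y>: <inside> -> <nat_ip>:<first>,<last>
BATCH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"NAT-(?P<proto>[A-Z]+)-(?P<event>[TY]): "
    r"(?P<inside>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<nat_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<lo>\d+),(?P<hi>\d+)$"
)


@dataclass
class Batch:
    proto: str
    inside: str
    nat_ip: str
    lo: int
    hi: int
    start: datetime
    end: Optional[datetime] = None  # None while the batch is still allocated

    @property
    def size(self) -> int:
        return self.hi - self.lo + 1


def parse_ts(text: str, year: int) -> datetime:
    """Syslog timestamps carry no year; the caller supplies it (assumption)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_batches(log_text: str, year: int = 2023) -> List[Batch]:
    """Build the allocation history: T opens a batch, Y closes the most
    recent still-open batch with the same inside/NAT address and range."""
    batches: List[Batch] = []
    for line in log_text.splitlines():
        m = BATCH_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"], year)
        lo, hi = int(m["lo"]), int(m["hi"])
        if m["event"] == "T":
            batches.append(Batch(m["proto"], m["inside"], m["nat_ip"], lo, hi, ts))
        else:
            for b in reversed(batches):
                if (b.end is None and b.proto == m["proto"] and b.inside == m["inside"]
                        and b.nat_ip == m["nat_ip"] and b.lo == lo and b.hi == hi):
                    b.end = ts
                    break
    return batches


def who_used(batches: List[Batch], nat_ip: str, port: int, proto: str,
             at_text: str, year: int = 2023) -> List[str]:
    """Inside addresses holding nat_ip:port for proto at the given time.
    An empty list means no record covers that moment; more than one entry
    means the log is inconsistent (clock skew or a lost Y entry) and the
    result must not be reported as a single attribution."""
    at = parse_ts(at_text, year)
    return [b.inside for b in batches
            if b.proto == proto and b.nat_ip == nat_ip and b.lo <= port <= b.hi
            and b.start <= at and (b.end is None or at < b.end)]


if __name__ == "__main__":
    history = parse_batches(SAMPLE_LOG)
    print("batch sizes:", sorted({b.size for b in history}))
    print("10.1.1.2:49550 at 10:01 ->", who_used(history, "10.1.1.2", 49550, "TCP", "Feb 28 10:01:00"))
    print("10.1.1.2:49550 at 10:04 ->", who_used(history, "10.1.1.2", 49550, "TCP", "Feb 28 10:04:00"))
```

The same external port range is reused by a different subscriber once it is released, so the time of the query decides the answer; that is the property that makes accurate timestamps on the syslog path (and retaining the Y entries, not only the T entries) essential.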
   Notice that now we see a log entry displaying a series of L4 port allocations:

   <date><time> A1 NAT-TCP-T: 100.64.110.100 -> 10.1.1.2:49536,49599
   <date><time> A1 NAT-TCP-Y: 100.64.110.100 -> 10.1.1.2:49536,49599

29. In Zenmap, set the target to 10.5.8-11.1-254. The Command field should read:

   nmap -p 80 -T4 -n -Pn --script http-chrono --script-args http-chrono.maxdepth=1 10.5.8-11.1-254

30. After observing the log entries.

31. Take a look at the Zenmap output. Some of the IP addresses report "80/tcp open http", and some report "80/tcp filtered http". Look at your ACOS system log.

   show log

   You should see an entry like:

   Session user-quota exceeded on pool CGN_BATCH

32. Restore the LSN-LID NAT pool to its previous setting.

   cgnv6 lsn-lid 1
     source-nat-pool CGN_PG1

Lab 5 View, Verify, and Backup the Configuration

33. View the CGN-LSN configuration.

   show running-config cgnv6 template logging

34. Save your running-config to startup-config. It should write the configuration to profile "PR-CLASS".

   write memory

35. Make sure you are in device-context 1 (the device-context command can only be run from config mode).

   device-context 1

36. Back up the system. As you are on A1, name the file appropriately. The following command is on one line.

   backup system use-mgmt-port ftp://192.168.0.100/ConfigBackup/CGNLab5-A1.tar.gz

CGN Lab 6: Monitoring / Troubleshooting
ACOS 4.1.4 (2/28/2023)

Device Preparation

If the Configuring CGNAT lab was completed successfully, then the ACOS CGN devices are ready to go. When starting this lab from any other starting point, prepare the devices by following the instructions in Appendix A, section Device Preparation: Lab 6 – Monitoring / Troubleshooting.

Monitoring the System

1. Open an SSH connection to A1 (192.168.0.1) and log in (admin / a10). Enter Enable mode.

2. View the system log.
   Look for any User Quota Exceeded messages.

   show log | include quota

   Note: if you didn't complete Lab 5: LSN Logging, you may not see any.

3. Enter Config mode and remove the user quotas for LSN-LID 1.

   cgnv6 lsn-lid 1
     no user-quota icmp 31
     no user-quota udp 256 reserve 128
     no user-quota tcp 256 reserve 128
     no user-quota session 512

4. Show the audit log.

   show audit

5. Start monitoring the CPU of the system.

   repeat 3 show cpu

6. In a separate SSH session to A1, start monitoring the NAT pool statistics.

   repeat 3 sh cgnv6 nat pool statistics

7. If all the labs have been completed, then the number of NAT pool addresses is too large to easily monitor on our screen. Change the command to monitor only the top 4 used NAT pool IP addresses.

   repeat 3 sh cgnv6 nat pool statistics top 4 used

8. In Zenmap, run the test "tshoot-monitor", set the target to 10.5.8-11.1-254, and monitor the effect on CPU and NAT pool statistics. Notice that it may take 30-60 seconds before the number of connections begins to impact CPU. The Command field should read:

   nmap -sS -sU -p 80-64000 -T5 -n --min-hostgroup 512 --max-parallelism 1024 --max-retries 20 -Pn -D 100.64.110.101,100.64.110.102,100.64.110.103,100.64.110.104,100.64.110.105,100.64.110.106,100.64.110.107,100.64.110.108,100.64.110.109,100.64.110.110 10.5.8-11.1-254

9. Open the Web GUI to A1. View the System Dashboard and the CGN Dashboard.

   Dashboard > System (https://192.168.0.1/gui/#/dashboard/)
   Dashboard > CGN (https://192.168.0.1/gui/#/dashboard/cgn)

Monitor LSN

If the Zenmap test completes or you get errors, just cancel the test (if needed) and restart it (click the Scan button).

10. View the active Full-Cone NAT session entries (substitute nat64 for lsn for NAT64 monitoring).

   show cgnv6 lsn full-cone-sessions

11. View the table of active sessions by user (source IP address) (substitute nat64 for lsn for NAT64 monitoring).

   show cgnv6 lsn user-quota-sessions

12.
View the number of active sessions per CGNAT pool (substitute nat64 for lsn for NAT64 monitoring).

   show cgnv6 nat pool
   show cgnv6 nat pool-group
   show cgnv6 lsn user-quota-sessions pool <cut-n-paste_Pool_or_Group>

13. View the number of active sessions for a particular internal IP address (substitute nat64 for lsn for NAT64 monitoring).

   show cgnv6 lsn user-quota-sessions inside-user 100.64.110.100

14. View general system information about CGNAT.

   show cgnv6 lsn system-status

axdebug

If the Zenmap test completes or you get errors, just cancel the test (if needed) and restart it (click the Scan button).

15. On A1, from Enable mode, enter axdebug mode.

   # axdebug
   (axdebug)#

16. Show the existing axdebug filter configurations.

   show axdebug filter

17. If any filters currently exist, remove them.

   no filter-config 1
   (and repeat for 2, 3, etc., if needed)

18. Enter the axdebug filter 1 configuration mode.

   (axdebug)# filter-config 1
   (axdebug-filter:1)#

19. Set a filter for traffic to destination 10.5.30.11 from source 100.64.110.100.

   dst ip 10.5.30.11
   src ip 100.64.110.100

20. Exit axdebug filter configuration mode and show your capture filter.

   exit
   show axdebug filter

21. Start a brief capture to your terminal screen.

   capture brief

22. Using a browser, generate some traffic to 10.5.30.11. End the capture: <ctrl c> to exit.

23. Perform a detail capture, use the browser to generate some traffic to 10.5.30.11, and end the capture (<ctrl c> to exit). Examine the HTTP request and response by scrolling up in the terminal window.

   capture detail

24. Perform a brief capture while also saving the packet capture to a file. Use the browser to generate some traffic to 10.5.30.11, and end the capture (<ctrl c> to exit).

   capture brief save mycapture

25. View your axdebug capture files.

   show axdebug file

26. Exit axdebug capture mode, then export the packet capture to StudentRD.
   export axdebug mycapture ftp://192.168.0.100/ConfigBackup/mycapture

Appendix A: Device Preparation Procedures
ACOS 4.1.4 (2/28/2023)

Restoring Training Pod from Backups

To perform the labs out of order or to return the training pod to an earlier state, we will usually need to restore each device from a known good backup. We will use the Web GUI to perform the restore. In order to complete the restore, we must first ensure that aVCS is disabled on all devices. Then we restore each device from the files indicated in the appropriate Device Preparation section further below.

Restore using Web GUI

Disable aVCS

27. Open a Web GUI session to A1 (https://192.168.0.1). If needed, click the Advanced and Proceed to 192.168.0.1 (unsafe) text links. Note: in Firefox, click the Add Exception button and then the Confirm Security Exception button.

28. Log in with username / password: admin / a10

29. Confirm whether aVCS is enabled. Look at the icons in the upper right corner: the aVCS icon indicates that aVCS is active.

30. If needed, disable aVCS. Navigate to the Create aVCS Settings page.

   System > aVCS
   For the aVCS Enable radio selector, select Disable.
   At the bottom of the page, click the OK button.

31. Open a new tab, connect to the A2 (https://192.168.0.2) Web GUI, and, if needed, disable aVCS.

32. Open a new tab, connect to the A3 (https://192.168.0.3) Web GUI, and, if needed, disable aVCS.

Restore from Backup

33. Back in device A1, navigate to the System Restore page.

   System > Maintenance >>> Restore (https://192.168.0.1/gui/#/system/maintenance/restore/system/)

34.
On the System Restore page, select:

   For the Local or Remote radio selector, select Local.
   For Reboot, select the checkbox.
   Click the Choose File button.
   In the Open File window, navigate to the ftp-root/BaseConfig/CGN41/ directory (/var/ftp/pub/BaseConfig/CGN41).
   Select the file indicated in the section below.
   Back on the System Restore page, confirm you selected the correct file.
   Click the Restore button.

35. Wait 30 seconds.

36. Return to the session to device A2 and restore from the indicated file.

37. While waiting, return to the session to device A3 and restore from the indicated file.

38. After all three devices are restored, perform any Device Verification steps needed, and then return to the desired lab.