One more to go
Posted by TacAck in CCIE-Security on June 29th, 2010
Alright, I'm getting excited.
I just have one more Vol 1 lab to go (8), and then I move on to the INE Vol 2 labs!
I spent about 4 hours yesterday and 3 hours today doing IPX Vol 7A. It's one of the easier labs in the IPX series, and it was a good change to know some of the configs. There were still many topics I was not comfortable with, so I looked them up on the doc-cd. Here's a list:
- The order of operations of NAT in IOS
- When using route-maps to specify different NAT rules for different traffic, the order in which they are processed is a little tricky: the mappings are processed in lexicographical (alphabetical) order of the route-map name, not in the order you typed them. This is what Cisco has to say:
- NAT processes route map-based mappings in lexicographical order. When static NAT and dynamic NAT are configured with route maps that share the same name, static NAT is given precedence over dynamic NAT. In order to ensure the precedence of static NAT over dynamic NAT, you can either configure the route map associated with static NAT and dynamic NAT to share the same name, or configure the static NAT route map name so that it is lexicographically lower than that of the dynamic NAT route map name.
- I encountered this issue in one of the configuration tasks where I had to configure a static translation and also a general dynamic translation. Both were using route-maps. I ran into this in the doc-cd, which helped me out a lot. So what I did was, I renamed the static NAT route-map to a name which was lexicographically lower than the route-map being used in dynamic NAT.
- Example: suppose I have two NAT translation rules, both using route-maps to classify the traffic that is to be NAT'd (if that's a word):
- ip nat inside source static x.x.x.x y.y.y.y route-map yusuf
- ip nat inside source route-map vybhav pool Z
- What happens is that when traffic from x.x.x.x goes from the inside to the outside, it matches the second NAT statement (even though it's dynamic NAT), because "vybhav" is lexicographically lower than "yusuf" and is therefore checked first. The static translation never gets a chance to apply.
- I encourage you to lab this and try it out. Trust me, it's a complete joy to watch when it works.
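
As an added example (not from the post or from the lab workbook), here is a minimal IOS configuration that reproduces the ordering problem above and the rename that fixes it. The addresses, the pool, the ACL names and the route-map name a-static are assumptions chosen for illustration; only the route-map names yusuf and vybhav and the two ip nat statements come from the post.

```cisco
! Assumed topology: FastEthernet0/0 is inside (10.1.1.0/24), FastEthernet0/1 is outside
interface FastEthernet0/0
 ip nat inside
interface FastEthernet0/1
 ip nat outside

! Classification ACLs (assumed): one host gets a static mapping, the whole subnet goes to the pool
ip access-list extended HOST-A
 permit ip host 10.1.1.10 any
ip access-list extended INSIDE-ALL
 permit ip 10.1.1.0 0.0.0.255 any

! --- Broken version: the static route-map "yusuf" sorts AFTER the dynamic route-map "vybhav"
route-map yusuf permit 10
 match ip address HOST-A
route-map vybhav permit 10
 match ip address INSIDE-ALL

ip nat pool Z 192.0.2.100 192.0.2.110 netmask 255.255.255.0
ip nat inside source static 10.1.1.10 192.0.2.10 route-map yusuf
ip nat inside source route-map vybhav pool Z
! Result: 10.1.1.10 is translated to an address from pool Z, because
! "vybhav" < "yusuf" lexicographically and the dynamic mapping is checked first.

! --- Fix: give the static translation a route-map name that sorts BEFORE "vybhav"
route-map a-static permit 10
 match ip address HOST-A
no ip nat inside source static 10.1.1.10 192.0.2.10 route-map yusuf
ip nat inside source static 10.1.1.10 192.0.2.10 route-map a-static
! Now "a-static" < "vybhav", so 10.1.1.10 is translated to 192.0.2.10 as intended.
! The quoted doc-cd text offers a second option: reference the SAME route-map name
! from both the static and the dynamic statement; with equal names, static wins.
```

To verify, send traffic from 10.1.1.10 to the outside and check show ip nat translations (the inside global for 10.1.1.10 should be 192.0.2.10, not a pool address); debug ip nat shows the translation being created. The broken version is easy to miss in a lab because nothing fails outright: the host still gets translated, just not to the address the task asked for.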

- There was a task which required packets going out of a frame-relay interface to be marked. I thought it could be done using the usual packet marking techniques (NBAR, route-maps, etc.). But apparently there's a better way to do it. HERE's the doc-cd reference for that.
- I knew about flow-capture on IOS. It is a tool for storing information about traffic flows on configured interfaces. We could tweak the flow-capture size, export the flow-capture data to a server, etc. But I didn't know about the AGGREGATION-CACHES. They're super cool!
- Finally, I remember reading something about this on Packetlife.net a long time back. It's a technique to uniquely identify which ACE was responsible for a given log message (assuming you have put the log keyword at the end of the ACE). There are two ways to do this:
- Manually specify a tag value (a user-defined cookie) after the log keyword. This tag shows up in the log message and can be used to correlate the message to the ACE that generated it.
- Instruct the router to generate a hash value and use that as the tag, instead of manually entering a tag after each ACE. This was designed because, with a large number of ACEs, manually entering a unique tag for each one becomes a pain.
- This is enabled with the global configuration command -> ip access-list logging hash-generation
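
As an added example (not from the post), here is an IOS configuration showing both tagging methods side by side. The ACL names, addresses, cookie strings and the interface are assumptions for illustration; the only command taken from the post is ip access-list logging hash-generation.

```cisco
! --- Method 1: user-defined cookie after the log keyword (assumed ACL name and cookies)
! The cookie is appended, in square brackets, to the %SEC-6-IPACCESSLOG* message
! that this ACE generates, so a SIEM rule can key on it instead of parsing the 5-tuple.
ip access-list extended EDGE-IN
 permit tcp any host 192.0.2.10 eq 22 log SSH-TO-MGMT
 deny   ip any 10.0.0.0 0.255.255.255 log RFC1918-DST
 permit ip any any

! --- Method 2: router-generated hash tag
! Enabled once, globally. Every ACE that uses "log" WITHOUT a cookie gets a
! router-generated hash as its tag; an ACE that has a cookie keeps the cookie.
ip access-list logging hash-generation
ip access-list extended EDGE-IN-HASHED
 deny   udp any any eq 161 log
 permit ip any any

! Apply one of the lists (assumed interface)
interface FastEthernet0/1
 ip access-group EDGE-IN in
```

After configuring method 2, show ip access-lists displays the generated hash next to each logging ACE, which is what you correlate against when the tag turns up in syslog. Two caveats worth remembering when you rely on these logs: ACL logging is rate-limited (see ip access-list log-update threshold and logging rate-limit), so the packet counts in the messages are summaries rather than one line per packet, and logged packets are handled by the process path, so a log keyword on a high-rate ACE can cost CPU.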
I have lab 8A remaining and I hope to do that tomorrow. Also, I'm a little apprehensive about the initial VPN sections that I configured, so I'll spend some time browsing through the DSG (INE and IPX) tonight or tomorrow.
Cheers and have a GREAT evening!
TacACK
