The main purpose of this blog is to act as a knowledge base for network engineers in the telecom world.
Friday, December 31, 2010
Saturday, December 18, 2010
Layer 2 VPN in Service Provider
Layer 2 VPN Model
AToM supports the following Layer 2 technologies over MPLS:
• Ethernet
• 802.1Q VLAN
• ATM AAL5 frames
• ATM cells
• Frame Relay
• PPP
• HDLC
Here are some example notes on:
• Implementing AToM for like-to-like circuits
• Implementing AToM for any-to-any circuits
• Local switching
Implementing AToM for Like-to-Like Circuits
Configuring AAL5 over MPLS
PE1(config)#interface ATM3/0.100 point-to-point
PE1(config-subif)# pvc 1/100 l2transport
PE1(cfg-if-atm-l2trans-pvc)# encapsulation aal5snap
PE2(config)#interface ATM3/0.100 point-to-point
PE2(config-subif)# pvc 1/100 l2transport
PE2(cfg-if-atm-l2trans-pvc)# encapsulation aal5snap
PE1(cfg-if-atm-l2trans-pvc)#xconnect 10.10.10.102 100 encapsulation mpls
PE2(cfg-if-atm-l2trans-pvc)#xconnect 10.10.10.101 100 encapsulation mpls
Configuring ATM Cell over MPLS
PE1(config)#interface ATM3/0.100 point-to-point
PE1(config-subif)# pvc 1/100 l2transport
PE1(cfg-if-atm-l2trans-pvc)# encapsulation aal0
PE2(config)#interface ATM3/0.100 point-to-point
PE2(config-subif)# pvc 1/100 l2transport
PE2(cfg-if-atm-l2trans-pvc)# encapsulation aal0
PE1(cfg-if-atm-l2trans-pvc)#xconnect 10.10.10.102 100 encapsulation mpls
PE2(cfg-if-atm-l2trans-pvc)#xconnect 10.10.10.101 100 encapsulation mpls
Ethernet over MPLS
Port mode:
PE1(config)#interface FastEthernet5/0
PE1(config-if)#xconnect 10.10.10.102 100 encapsulation mpls
PE2(config)#interface FastEthernet5/0
PE2(config-if)#xconnect 10.10.10.101 100 encapsulation mpls
Vlan Mode:
PE1(config)#interface FastEthernet5/0.100
PE1(config-subif)# encapsulation dot1Q 100
PE1(config-subif)# no cdp enable
PE1(config-subif)# xconnect 10.10.10.102 100 encapsulation mpls
PE2(config)#interface FastEthernet5/0.100
PE2(config-subif)# encapsulation dot1Q 100
PE2(config-subif)# no cdp enable
PE2(config-subif)# xconnect 10.10.10.101 100 encapsulation mpls
Configuring Ethernet over MPLS:
PE1(config)#vlan 100
PE1(config-vlan)#state active
PE1(config-vlan)#exit
PE1(config)#interface fastEthernet 4/1
PE1(config-if)#switchport
PE1(config-if)#switchport access vlan 100
PE1(config-if)#switchport mode access
PE1(config-if)#exit
PE1(config)#interface vlan 100
PE1(config-if)#xconnect 10.10.10.102 100 encapsulation mpls
PE2(config)#vlan 100
PE2(config-vlan)#state active
PE2(config-vlan)#exit
PE2(config)#interface fastEthernet 4/1
PE2(config-if)#switchport
PE2(config-if)#switchport access vlan 100
PE2(config-if)#switchport mode access
PE2(config-if)#exit
PE2(config)#interface vlan 100
PE2(config-if)#xconnect 10.10.10.101 100 encapsulation mpls
Configuring Ethernet over MPLS—dot1q Mode
PE1(config)#vlan 10
PE1(config-vlan)#state active
PE1(config-vlan)#exit
PE1(config)#interface FastEthernet4/12
PE1(config-if)#switchport
PE1(config-if)# switchport access vlan 10
PE1(config-if)# switchport trunk encapsulation dot1q
PE1(config-if)# switchport trunk allowed vlan 100,200
PE1(config-if)# switchport mode dot1q-tunnel
PE1(config-if)#exit
PE1(config)#interface vlan 10
PE1(config-if)#xconnect 10.10.10.102 100 encapsulation mpls
PE2(config)#vlan 10
PE2(config-vlan)#state active
PE2(config-vlan)#exit
PE2(config)#int fastEthernet 4/12
PE2(config-if)#switchport
PE2(config-if)# switchport trunk encapsulation dot1q
PE2(config-if)# switchport trunk allowed vlan 100,200
PE2(config-if)# switchport mode dot1q-tunnel
PE2(config-if)#exit
PE2(config)#interface vlan 10
PE2(config-if)#xconnect 10.10.10.101 100 encapsulation mpls
Configuring PPP over MPLS
PE1(config)# interface Serial2/1
PE1(config-if)#encapsulation ppp
PE1(config-if)# xconnect 10.10.10.102 100 encapsulation mpls
PE2(config)# interface Serial2/1
PE2(config-if)#encapsulation ppp
PE2(config-if)# xconnect 10.10.10.101 100 encapsulation mpls
Configuring Frame Relay over MPLS—DLCI Mode
PE1(config)#frame-relay switching
PE1(config)#interface Serial2/1
PE1(config-if)# encapsulation frame-relay
PE1(config-if)# frame-relay intf-type dce
PE1(config-if)#exit
PE1(config)#connect FR Serial2/1 100 l2transport
PE1(config-fr-pw-switching)# xconnect 10.10.10.102 100 encapsulation mpls
PE2(config)#frame-relay switching
PE2(config)#interface Serial2/1
PE2(config-if)# encapsulation frame-relay
PE2(config-if)# frame-relay intf-type dce
PE2(config-if)#exit
PE2(config)#connect FR Serial2/1 100 l2transport
PE2(config-fr-pw-switching)# xconnect 10.10.10.101 100 encapsulation mpls
L2 VPN—Any to Any Interworking
Ethernet to VLAN Interworking
PE1(config)#pseudowire-class Eth-VLAN
PE1(config-pw-class)# encapsulation mpls
PE1(config-pw-class)# interworking ethernet
PE2(config)#pseudowire-class VLAN-Eth
PE2(config-pw-class)# encapsulation mpls
PE2(config-pw-class)# interworking Ethernet
PE1(config)#interface Ethernet0/0
PE1(config-if)#xconnect 10.10.10.102 100 pw-class Eth-VLAN
PE2(config)#interface Ethernet0/0.10
PE2(config-subif)# encapsulation dot1Q 10
PE2(config-subif)# xconnect 10.10.10.101 100 pw-class VLAN-Eth
Frame Relay to AAL5 Interworking
PE1(config)#pseudowire-class AAL5-FR
PE1(config-pw-class)# encapsulation mpls
PE1(config-pw-class)# interworking ip
PE2(config)#pseudowire-class FR-AAL5
PE2(config-pw-class)# encapsulation mpls
PE2(config-pw-class)# interworking ip
PE1(config)#interface ATM6/0.100 point-to-point
PE1(config-subif)# pvc 1/100 l2transport
PE1(cfg-if-atm-l2trans-pvc)#encapsulation aal5snap
PE1(cfg-if-atm-l2trans-pvc)#xconnect 10.10.10.102 100 pw-class AAL5-FR
PE2(config)#frame-relay switching
PE2(config)#interface POS3/0
PE2(config-if)# no ip address
PE2(config-if)# encapsulation frame-relay
PE2(config-if)# clock source internal
PE2(config-if)# frame-relay intf-type dce
PE2(config-if)#connect FR POS3/0 100 l2transport
PE2(config-fr-pw-switching)#xconnect 10.10.10.101 100 pw-class FR-AAL5
Frame Relay to PPP Interworking
PE1(config)#pseudowire-class FR-PPP
PE1(config-pw-class)# encapsulation mpls
PE1(config-pw-class)# interworking ip
PE2(config)#pseudowire-class PPP-FR
PE2(config-pw-class)# encapsulation mpls
PE2(config-pw-class)# interworking ip
PE1(config)#interface Serial1/0
PE1(config-if)#no ip address
PE1(config-if)#encapsulation frame-relay
PE1(config-if)#frame-relay intf-type dce
PE1(config-if)#exit
PE1(config)#connect FR Serial1/0 100 l2transport
PE1(config-fr-pw-switching)#xconnect 10.10.10.101 100 pw-class FR-PPP
PE2(config)#interface Serial1/0
PE2(config-if)#encapsulation ppp
PE2(config-if)#xconnect 10.10.10.102 100 pw-class PPP-FR
Frame Relay to VLAN Interworking
PE1(config)#pseudowire-class FR-VLAN
PE1(config-pw-class)# encapsulation mpls
PE1(config-pw-class)# interworking ip
PE2(config)#pseudowire-class VLAN-FR
PE2(config-pw-class)# encapsulation mpls
PE2(config-pw-class)# interworking ip
PE1(config)#interface Serial2/1
PE1(config-if)# no ip address
PE1(config-if)# encapsulation frame-relay
PE1(config-if)# frame-relay intf-type dce
PE1(config-if)#connect FR Serial2/1 100 l2transport
PE1(config-fr-pw-switching)#xconnect 10.10.10.101 100 pw-class FR-VLAN
PE2(config)#interface Ethernet0/0.10
PE2(config-subif)# encapsulation dot1Q 10
PE2(config-subif)#xconnect 10.10.10.102 100 pw-class VLAN-FR
AAL5 to VLAN Interworking
PE1(config)#pseudowire-class AAL5-VLAN
PE1(config-pw-class)# encapsulation mpls
PE1(config-pw-class)# interworking ip
PE2(config)#pseudowire-class VLAN-AAL5
PE2(config-pw-class)# encapsulation mpls
PE2(config-pw-class)# interworking ip
PE1(config)#interface ATM3/0.100 point-to-point
PE1(config)#mtu 1500
PE1(config-subif)# pvc 1/100 l2transport
PE1(cfg-if-atm-l2trans-pvc)# encapsulation aal5snap
PE1(cfg-if-atm-l2trans-pvc)#xconnect 10.10.10.102 100 pw-class AAL5-VLAN
PE2(config)#interface FastEthernet5/0.100
PE2(config-subif)# encapsulation dot1Q 100
PE2(config-subif)# xconnect 10.10.10.101 100 pw-class VLAN-AAL5
Local Switching
Configuring Frame Relay to Frame Relay Local Switching
PE1(config)#frame-relay switching
PE1(config)#interface Serial2/0
PE1(config-if)# no ip address
PE1(config-if)# encapsulation frame-relay
PE1(config-if)# frame-relay interface-dlci 100 switched
PE1(config-fr-dlci)# frame-relay intf-type dce
PE1(config-fr-dlci)# exit
PE1(config-if)#interface Serial2/2
PE1(config-if)# no ip address
PE1(config-if)# encapsulation frame-relay
PE1(config-if)# frame-relay interface-dlci 101 switched
PE1(config-fr-dlci)# frame-relay intf-type dce
PE1(config-fr-dlci)# exit
PE1(config)#connect FR Serial2/0 100 Serial2/2 101
Local Switching—Ethernet to Ethernet
PE1(config)# connect Ethernet fastEthernet 5/0 fastEthernet 1/
Local Switching—ATM to ATM
PE1(config)#interface atm 3/0
PE1(config-if)#pvc 1/100 l2transport
PE1(config-if)#exit
PE1(config)#interface atm 4/0
PE1(config-if)# pvc 1/100 l2transport
PE1(config-if)#exit
PE1(config)#connect ATM atm 3/0 1/100 atm 4/0 1/100
Local Switching—Ethernet to Frame Relay
PE1(config)#frame-relay switching
PE1(config)#interface Serial2/2
PE1(config-if)# no ip address
PE1(config-if)# encapsulation frame-relay
PE1(config-if)# frame-relay interface-dlci 100 switched
PE1(config-fr-dlci)# frame-relay intf-type dce
PE1(config-fr-dlci)# exit
PE1(config)# connect ETH-FR fastEthernet 5/0 s2/2 100 interworking ip
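A small consistency check, added here as an example and not taken from the book these notes come from: it parses the xconnect lines of a PE1/PE2 transcript and verifies that each VC ID has two ends which point at each other's loopback, since a pseudowire whose far end targets the wrong PE or VC ID either never comes up or splices the wrong attachment circuits together. The loopbacks PE1 = 10.10.10.101 and PE2 = 10.10.10.102 are assumed, as the post never states them.

```python
import re

# Assumed PE loopbacks (the post never states them; inferred from the xconnect
# targets in the like-to-like examples and treated as an assumption here).
LOOPBACKS = {"PE1": "10.10.10.101", "PE2": "10.10.10.102"}

# Constructed sample transcript: the PPP-over-MPLS pair as printed in the post,
# where PE2 targets 10.10.10.102 instead of PE1's loopback.
BROKEN_TRANSCRIPT = """\
PE1(config)# interface Serial2/1
PE1(config-if)#encapsulation ppp
PE1(config-if)# xconnect 10.10.10.102 100 encapsulation mpls
PE2(config)# interface Serial2/1
PE2(config-if)#encapsulation ppp
PE2(config-if)# xconnect 10.10.10.102 100 encapsulation mpls
"""

# The same transcript with PE2 pointing back at PE1's loopback.
FIXED_TRANSCRIPT = BROKEN_TRANSCRIPT.replace(
    "PE2(config-if)# xconnect 10.10.10.102", "PE2(config-if)# xconnect 10.10.10.101"
)

# Matches both "xconnect <peer> <vcid> encapsulation mpls" and
# "xconnect <peer> <vcid> pw-class <name>" from any config sub-mode prompt.
XCONNECT_RE = re.compile(
    r"^(?P<pe>\w+)\([\w-]+\)#\s*xconnect\s+"
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vcid>\d+)\b"
)


def parse_xconnects(transcript):
    """Return {(pe_name, vc_id): peer_ip} for every xconnect line in the transcript."""
    found = {}
    for line in transcript.splitlines():
        m = XCONNECT_RE.match(line.strip())
        if m:
            found[(m["pe"], int(m["vcid"]))] = m["peer"]
    return found


def check_pseudowires(xconnects, loopbacks):
    """Check that each VC ID has exactly two ends and that each end targets the
    other PE's loopback. Returns a list of problem strings (empty when consistent)."""
    problems = []
    ends_by_vcid = {}
    for (pe, vcid), peer in xconnects.items():
        ends_by_vcid.setdefault(vcid, {})[pe] = peer
    for vcid, ends in sorted(ends_by_vcid.items()):
        if len(ends) != 2:
            problems.append(f"VC {vcid}: expected 2 endpoints, found {sorted(ends)}")
            continue
        pe_a, pe_b = sorted(ends)
        for local, remote in ((pe_a, pe_b), (pe_b, pe_a)):
            if ends[local] != loopbacks[remote]:
                problems.append(
                    f"VC {vcid}: {local} targets {ends[local]}, "
                    f"but {remote} is {loopbacks[remote]}"
                )
    return problems


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_TRANSCRIPT), ("fixed", FIXED_TRANSCRIPT)):
        print(name, check_pseudowires(parse_xconnects(text), LOOPBACKS) or "OK")
```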
Source: MPLS Configuration on Cisco IOS Software
Friday, September 24, 2010
Tracerouting in MPLS Networks
In an MPLS network, the recommended form of the command "no mpls ip propagate-ttl" adds the "forwarded" keyword, which gives the service provider better troubleshooting.
no mpls ip propagate-ttl:
When the IP packet first becomes labeled on the ingress PE router, the following rule is observed:
■ When an IP packet is first labeled, the TTL field is copied from the IP header to the TTL fields
of all the labels in the label stack after being decremented by 1.
You can change that default behavior with the command no mpls ip propagate-ttl .
The command no mpls ip propagate-ttl stops the copying of the IP TTL to the TTL fields
in the MPLS labels. In that case, the TTL fields in the labels are set to 255. The result of this is
that for a traceroute on the local CE router to the remote CE router, the topology of the MPLS
network is hidden from the customer because the MPLS routers (except the ingress PE) are skipped.
If you configure no mpls ip propagate-ttl on the PE routers, the output of the traceroute looks
like Example 1. The P routers and egress PE router are removed from the traceroute. As such, the customer in the VPN cannot see the P routers when tracerouting through the MPLS network.
Example 1:
A drawback of this command is that when the service provider performs a traceroute in his
network (from ingress PE to egress PE), he has the same result and sees his own network as only
one hop. This obviously makes troubleshooting a bit painful. Therefore, it might be better for the
service provider to configure no mpls ip propagate-ttl forwarded on his PE routers. Disabling
TTL propagation of forwarded packets allows only the structure of the MPLS network to be
hidden from customers, but not the service provider in an MPLS VPN network. If no mpls ip
propagate-ttl forwarded is used, the TTL value from the IP header is not copied into the TTL
fields of the labels for the packets that are switched through the ingress LSR. The TTL value is,
however, copied for the locally generated packets on the ingress LSR. An illustrative example of
the latter case is an MPLS VPN network with no mpls ip propagate-ttl forwarded configured on
the ingress PE. The TTL value is not copied for packets that are received from the CE router, but
it is copied into the labels for packets that are locally generated on the ingress PE router, such as
for a traceroute in the VRF on the ingress PE router.
Example 2 illustrates this. The first traceroute is what the customer sees from the CE router, and the second traceroute is what the service provider sees from the PE router.
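An added simulation (not from MPLS Fundamentals) of how the three settings change what a traceroute shows, on a constructed CE1-PE1-P1-P2-PE2-CE2 path: the customer's traceroute from CE1 and the provider's traceroute generated on PE1 are walked hop by hop under the default, "no mpls ip propagate-ttl" and "no mpls ip propagate-ttl forwarded". The TTL handling at the final label pop is a simplified model and is marked as an assumption in the code.

```python
# Constructed path (placeholder names): CE1 - PE1 - P1 - P2 - PE2 - CE2.
# PE1 is the ingress PE (label imposition), PE2 the egress PE (final label pop).
PATH = ["CE1", "PE1", "P1", "P2", "PE2", "CE2"]
INGRESS_PE, EGRESS_PE, DESTINATION = "PE1", "PE2", "CE2"

# The three ingress-PE settings discussed above.
MODES = ("propagate", "no-propagate", "no-propagate-forwarded")


def label_ttl_at_imposition(ip_ttl, mode, locally_generated):
    """TTL written into the label when PE1 imposes it.
    propagate (default): copy the IP TTL (already decremented by 1 for transit packets).
    no-propagate: always 255.
    no-propagate-forwarded: 255 for packets switched through PE1, copy for packets PE1 generated."""
    if mode == "propagate" or (mode == "no-propagate-forwarded" and locally_generated):
        return ip_ttl
    return 255


def send_probe(src, ttl, mode):
    """Walk one traceroute probe with initial IP TTL `ttl` from `src` along PATH.
    Returns (node_that_answers, reached_destination)."""
    locally_generated = src == INGRESS_PE
    ip_ttl, label_ttl = ttl, None
    if locally_generated:                # a probe generated on PE1 leaves it already labelled
        label_ttl = label_ttl_at_imposition(ip_ttl, mode, locally_generated)
    for node in PATH[PATH.index(src) + 1:]:
        if node == DESTINATION:
            return node, True            # the destination answers the probe
        if node == INGRESS_PE:
            ip_ttl -= 1                  # PE1 forwards as an IP router before labelling...
            if ip_ttl == 0:
                return node, False       # ...so it answers when the IP TTL expires
            label_ttl = label_ttl_at_imposition(ip_ttl, mode, locally_generated)
            continue
        # P1, P2 and PE2 are LSRs: only the label TTL is decremented and checked.
        label_ttl -= 1
        if label_ttl == 0:
            return node, False
        if node == EGRESS_PE:
            # Final pop, simplified model (assumption): the IP TTL keeps the smaller of the
            # two values, so a label TTL that started at 255 never raises the IP TTL.
            ip_ttl = min(ip_ttl, label_ttl)
    raise RuntimeError("probe left the path without an answer")


def traceroute(src, mode, max_hops=30):
    """Hop list that a traceroute from `src` to CE2 shows under `mode`."""
    hops = []
    for ttl in range(1, max_hops + 1):
        node, done = send_probe(src, ttl, mode)
        hops.append(node)
        if done:
            break
    return hops


if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:24s} from CE1: {traceroute('CE1', mode)}")
        print(f"{mode:24s} from PE1: {traceroute('PE1', mode)}")
```

With "no-propagate" both the customer and the provider see the core as a single hop; with "no-propagate-forwarded" only the customer does, which is the behaviour the text above describes.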
Source: MPLS Fundamentals book.
Saturday, August 28, 2010
History of the BGP protocol Lecture of "Yakov Rekhter" (the inventor)
Introduction from "Yakov Rekhter", the father of BGP:
Friday, July 23, 2010
Command Scheduler KRON Policy
Cisco IOS has a built-in command scheduler called kron, introduced in Cisco IOS 12.3(1). This command scheduler is similar to the Windows at program and the UNIX cron or at programs.
For example, let's say you want to automatically disable all debugging (undebug all) after 1 minute.
First, create a kron policy list. This policy list essentially serves as your "script", which lists what you want the router to run at the scheduled time. Here is an example:
Router(config)# kron policy-list UNALL
Router(config-kron-policy)# cli un all
Router(config-kron-policy)# exit
Next, create a kron occurrence, in which you tell the router when and how often you want to run this policy list. Here is an example:
Router(config)#kron occurrence UNALL in 00:01 recurring
Router(config-kron-occurrence)#policy-list UNALL
This sets up your router to disable all debugging every minute.
Finally, verify that you've entered everything correctly by using the show command:
Router#sh kron schedule
Kron Occurrence Schedule
UNALL inactive, will run again in 0 days 00:00:47
Router#sh kron schedule
Kron Occurrence Schedule
UNALL inactive, will run again in 0 days 00:00:45
Router#sh kron schedule
Kron Occurrence Schedule
UNALL inactive, will run again in 0 days 00:00:44
Another tip is to use kron to run a backup of your router once a day.
Thursday, July 15, 2010
mLDP-Multicast VPN
The new way refers to setting up a multipoint LSP in the MPLS VPN environment to carry multicast traffic in the VPN. Here, all CE routers belong to a single customer at different branches. There is no multicast receiver behind the CE3 router. The MPLS core is PIM-free; only the PE routers run PIM, with the CE routers.
This Internet Draft introduces the Label Distribution Protocol (LDP) extensions for point-to-multipoint (P2MP) and multipoint-to-multipoint (MP2MP) Label Switched Paths (LSPs) in MPLS networks. These extensions are also called mLDP or Multipoint LDP. Of the various applications for multipoint LSPs, one is support for multicast in MPLS VPN. Previously, this was achieved through mVPN.
The LDP RFC introduced the mechanism to set up point-to-point (P2P) LSPs in the MPLS network, where there is a single source and a single destination. A P2MP LSP, however, allows traffic from a single ingress router (root node) to be delivered to multiple egress routers (leaf nodes). An MP2MP LSP allows traffic from multiple ingress routers to multiple egress routers. At any point in the LSP only a single copy of a packet is sent, without any multicast routing protocol in the network.
PE routers configuration
The Loopback 0 interface of the PE1 router is configured to be used as the Root Node IP address. The Opaque value for the multipoint LSP is constructed from the VPN ID value of 1:1. The mdt default mpls mldp command creates the MP2MP LSP known to all PE routers for that particular VRF. This LSP is used to forward all customer multicast traffic by default.
PE1 router:
Setting up a P2MP LSP with LDP
Traditionally, LDP-signaled LSPs are initiated by the egress router. The egress (receiving) router initiates the label propagation, which is propagated throughout the MPLS network. All LSRs maintain a forwarding state towards the egress router following the shortest IGP path, and any LSR can act as an ingress LSR. This essentially sets up a multipoint-to-point (MP2P) LSP, as multiple senders can send traffic to a single receiver.
In contrast, a P2MP LSP has a single ingress (root) node and one or more egress (leaf) nodes. The transit nodes provide reachability to the root node. Leaf nodes initiate P2MP LSP setup. The leaf nodes should be aware of the ingress router. Also, the leaf nodes should be able to identify the correct P2MP LSP, as several P2MP LSPs could be originated from the ingress router.
A new Capability Parameter is introduced for P2MP capability, which is exchanged using the LDP Initialization message. A new P2MP FEC Element is defined which carries the IPv4 address of the root and an Opaque value (also called the tree identifier; here it is the manually configured VPN ID). This combination uniquely identifies a P2MP LSP within the MPLS network. The leaf node allocates a label and advertises its P2MP Label Mapping {Root IP Address, Opaque Value, Label} to the upstream LDP node on the shortest path to the root. The upstream node creates its own Label Mapping on receiving this from its downstream node. When the root node receives this P2MP Label Mapping from its downstream (transit) node, it checks for forwarding state for {Root IP Address, Opaque Value}. If there is none, it creates the forwarding state and pushes this label onto all traffic that is forwarded over this P2MP LSP.
In a P2MP LSP, the rule for distribution is to advertise a label only towards the neighbor that lies on the IGP best path to the root. Thus the sender of the label determines the best path to the root.
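The leaf-initiated setup just described, as an added example that is not part of the original post or of any mLDP implementation: each leaf sends a Label Mapping only to the upstream neighbor on the IGP best path to the root, transit nodes merge the branches behind one label of their own, and the root ends up with replication state it can push traffic into. The topology, label values and opaque string are constructed.

```python
import heapq
from collections import defaultdict

# Constructed topology (placeholder names): PE1 is the root, PE2 and PE3 the leaves,
# P the transit node. The extra PE2-PE3 link is there so that the rule "advertise
# only towards the neighbor on the IGP best path to the root" excludes something.
LINKS = {("PE1", "P"): 10, ("P", "PE2"): 10, ("P", "PE3"): 10, ("PE2", "PE3"): 10}
ROOT, LEAVES = "PE1", ["PE2", "PE3"]
# Opaque value (tree identifier), derived from the VRF's VPN ID as the post says; constructed.
OPAQUE = "vpn-id 1:1"


def adjacency(links):
    """Undirected adjacency map {node: {neighbor: igp_cost}}."""
    adj = defaultdict(dict)
    for (a, b), cost in links.items():
        adj[a][b] = cost
        adj[b][a] = cost
    return adj


def upstream_toward(adj, root):
    """Dijkstra from the root: {node: next hop toward the root on the best IGP path}."""
    dist, parent, pq = {root: 0}, {}, [(0, root)]
    while pq:
        d, u = heapq.heappop(pq)
        if d > dist[u]:
            continue
        for v, cost in adj[u].items():
            if d + cost < dist.get(v, float("inf")):
                dist[v], parent[v] = d + cost, u
                heapq.heappush(pq, (d + cost, v))
    return parent


def build_p2mp(adj, root, opaque, leaves):
    """Leaf-initiated P2MP LSP setup for FEC {root, opaque}. Per node and FEC the state
    holds 'in_label' (the label it advertised upstream) and 'downstream' [(nbr, label)]."""
    fec = (root, opaque)
    parent = upstream_toward(adj, root)
    next_label = {n: 16 for n in adj}          # per-node label space (constructed)
    state = {n: {} for n in adj}

    def entry(node):
        return state[node].setdefault(fec, {"in_label": None, "downstream": []})

    def advertise(node):
        # A node allocates one local label per FEC and sends a single Label Mapping
        # {root, opaque, label} to its upstream LDP neighbor. If it already did so
        # for this FEC (or it is the root), the new branch is simply merged.
        st = entry(node)
        if node == root or st["in_label"] is not None:
            return
        st["in_label"] = next_label[node]
        next_label[node] += 1
        up = parent[node]
        entry(up)["downstream"].append((node, st["in_label"]))
        advertise(up)

    for leaf in leaves:
        advertise(leaf)
    return fec, state


def deliver(state, fec):
    """Replicate one packet from the root along the P2MP state and return the leaves
    that receive it; a node with no downstream branch pops the label and delivers."""
    root = fec[0]
    reached = []

    def forward(node, label):
        st = state[node].get(fec)
        if st is None or (node != root and st["in_label"] != label):
            return                              # no state / unknown label: drop
        if not st["downstream"]:
            reached.append(node)
        for nbr, out_label in st["downstream"]:
            forward(nbr, out_label)

    forward(root, None)
    return sorted(reached)


if __name__ == "__main__":
    fec, state = build_p2mp(adjacency(LINKS), ROOT, OPAQUE, LEAVES)
    for node in sorted(state):
        print(node, state[node].get(fec))
    print("delivered to", deliver(state, fec))
```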
ip vrf CUST1
 rd 1:1
 vpn id 1:1
 route-target both 1:1
 mdt default mpls mldp 1.1.1.1
!
interface Loopback 0
 ip address 1.1.1.1 255.255.255.255
 ip ospf 1 area 0
!
ip multicast-routing vrf CUST1
!
ip pim vrf CUST1 rp-address 12.1.1.1
!
interface fastethernet 1/1
 ip vrf forwarding CUST1
 ip address 192.168.1.1 255.255.255.0
 ip pim sparse-mode
!
router bgp 100
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback 0
 neighbor 4.4.4.4 remote-as 100
 neighbor 4.4.4.4 update-source Loopback 0
 !
 address-family vpnv4
  neighbor 3.3.3.3 activate
  neighbor 4.4.4.4 activate
 exit-address-family
 !
 address-family ipv4 vrf CUST1
  redistribute connected
 exit-address-family
!
PE2 and PE3 are configured the same way.
PE1 has no PIM adjacency with P router. However, it has PIM adjacency with PE2 and PE3 routers via Lspvif0 interface.
!--- The following output shows no PIM adjacencies within the MPLS core
PE1# show ip pim neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      P - Proxy Capable, S - State Refresh Capable, G - GenID Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
PE1#
!--- The following output shows PIM adjacencies with the CE1 router, PE2 and PE3 routers
PE1# show ip pim vrf CUST1 neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      P - Proxy Capable, S - State Refresh Capable, G - GenID Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
192.168.1.2       FastEthernet1/1          00:01:03/00:01:40 v2    1 / DR S G
4.4.4.4           Lspvif0                  00:26:24/00:01:25 v2    1 / DR S P G
3.3.3.3           Lspvif0                  00:28:36/00:01:23 v2    1 / S P G
Now multicast traffic is sourced from the CE1 router, with CE2 being the multicast receiver. For the PE1 router, the incoming interface is the interface connected to the CE1 router. The outgoing interface will be Lspvif0.
PE1# show ip mroute vrf CUST1 239.10.10.1
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
L - Local, P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set, J - Join SPT, M - MSDP created entry, E - Extranet,
X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
U - URD, I - Received Source Specific Host Report,
Z - Multicast Tunnel, z - MDT-data group sender,
Y - Joined MDT-data group, y - Sending to MDT-data group,
V - RD & Vector, v - Vector
Outgoing interface flags: H - Hardware switched, A - Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode
(*, 239.10.10.1), 00:00:55/stopped, RP 12.1.1.1, flags: SP
Incoming interface: Lspvif0, RPF nbr 3.3.3.3
Outgoing interface list: Null
(192.168.1.2, 239.10.10.1), 00:00:55/00:02:04, flags: T
Incoming interface: FastEthernet1/1, RPF nbr 192.168.1.2
Outgoing interface list:
Lspvif0, Forward/Sparse, 00:00:50/00:02:39
http://blog.ine.com/2010/03/08/using-mpls-and-m-ldp-signaling-for-multicast-vpns/comment-page-1/#comment-108787
Tested on "Cisco 7200 routers with 12.3(33)SRE".
Monday, July 12, 2010
QOS Multi-Service-Site
A cool feature in Alcatel: limiting two PWs to one QoS package.
Here is an example of a customer that has two Epipes, limited together to 75 Mbps:
A:PE-7750-LAB1# configure service customer 550
A:PE-7750-LAB1>config>service>cust# info
----------------------------------------------
            multi-service-site "LIMIT-75Mbps" create
                description "LIMIT-75Mbps"
                assignment port 2/2/5
                ingress
                    scheduler-policy "SLA-75Mbps"
                exit
                egress
                    scheduler-policy "SLA-75Mbps"
                exit
            exit
            description "ESP NET-60038464"
----------------------------------------------
A:PE-7750-LAB1# configure service epipe 1268
A:PE-7750-LAB1>config>service>epipe# info
----------------------------------------------
            description "EPIPE-NAMEXXX-7750-PE-LAB1"
            service-mtu 2014
            sap 2/2/5:1655.0 create
                description "EPIPE-NAMEXXX-GI2/2/5:1655-7001291-59.38"
                multi-service-site "LIMIT-75Mbps"
                collect-stats
            exit
            sap lag-4:1655 create
                description "EPIPE-NAMEXXX-Lag 4:1655-NV-017"
                ingress
                    qos 90
                exit
                egress
                    qos 84
                exit
                collect-stats
            exit
            no shutdown
----------------------------------------------
A:PE-7750-LAB1>config>service>epipe# info
----------------------------------------------
            description "EPIPE-ESP NET-"
            service-mtu 2014
            sap 2/2/5:1656.0 create
                multi-service-site "LIMIT-75Mbps"
                collect-stats
            exit
            sap lag-4:1656 create
                ingress
                    qos 90
                exit
                egress
                    qos 84
                exit
                collect-stats
            exit
            no shutdown
----------------------------------------------
A:PE-7750-LAB1# configure qos sap-ingress 90
A:PE-7750-LAB1>config>qos>sap-ingress# info
----------------------------------------------
            description "Silver-75M-ONLY-FOR-EPIPE"
            queue 1 create
                parent "SLA-75Mbps"
                rate 75000
            exit
            queue 11 multipoint create
                parent "SLA-75Mbps"
                rate 75000
            exit
            fc "be" create
                queue 1
            exit
----------------------------------------------
A:PE-7750-LAB1# configure qos sap-egress 84
A:PE-7750-LAB1>config>qos>sap-egress# info
----------------------------------------------
            description "Silver-75M-ONLY-FOR-EPIPE"
            queue 1 create
                parent "SLA-75Mbps"
                rate 75000
            exit
            fc be create
                queue 1
            exit
----------------------------------------------
A:PE-7750-LAB1# monitor qos scheduler-stats customer 550 site LIMIT-75Mbps rate
===============================================================================
Monitor Scheduler Statistics
===============================================================================
Scheduler                            Forwarded Packets    Forwarded Octets
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
At time t = 0 sec (Base Statistics)
-------------------------------------------------------------------------------
Ingress Schedulers
SLA-75Mbps                           1866961307           937166785248
Egress Schedulers
SLA-75Mbps                           2076599441           1682363329954
-------------------------------------------------------------------------------
At time t = 11 sec (Mode: Rate)
-------------------------------------------------------------------------------
Ingress Schedulers
SLA-75Mbps                           4164                 2196854
Egress Schedulers
SLA-75Mbps                           4333                 3531426
-------------------------------------------------------------------------------
At time t = 22 sec (Mode: Rate)
-------------------------------------------------------------------------------
Ingress Schedulers
SLA-75Mbps                           3653                 1954032
Egress Schedulers
SLA-75Mbps                           4067                 3216902
BGP-Regular-Expression
Using regexps with as-path access-lists is one of the coolest features of BGP. The show ip bgp regexp command is a good way to test your regular expression.
Here is what I have currently on R1's bgp table:
R1#show ip bgp | be Ne
Network Next Hop Metric LocPrf Weight Path
*> 100.3.0.0/24 172.12.123.3 0 0 300 i
*> 100.3.1.0/24 172.12.123.3 0 0 300 i
*> 100.3.2.0/24 172.12.123.3 0 0 300 i
*> 100.6.0.0/24 172.12.123.3 0 300 600 i
*> 100.6.1.0/24 172.12.123.3 0 300 600 i
*> 100.6.2.0/24 172.12.123.3 0 300 600 i
*> 100.6.3.0/24 172.12.123.3 0 300 600 1000 1200 i
*> 100.6.4.0/24 172.12.123.3 0 300 600 1000 1200 i
Suppose I want to match routes whose path contains one AS or two ASes but no more. I could do this:
R1#show ip bgp regexp ^[0-9]*$|^[0-9]*_[0-9]*$
Network Next Hop Metric LocPrf Weight Path
*> 100.3.0.0/24 172.12.123.3 0 0 300 i
*> 100.3.1.0/24 172.12.123.3 0 0 300 i
*> 100.3.2.0/24 172.12.123.3 0 0 300 i
*> 100.6.0.0/24 172.12.123.3 0 300 600 i
*> 100.6.1.0/24 172.12.123.3 0 300 600 i
*> 100.6.2.0/24 172.12.123.3 0 300 600 i
How about paths that contain at least one 4-digit AS number? (Why? I have no clue, but here's how.)
R1#show ip bgp regexp _[0-9][0-9][0-9][0-9]_
Network Next Hop Metric LocPrf Weight Path
*> 100.6.3.0/24 172.12.123.3 0 300 600 1000 1200 i
*> 100.6.4.0/24 172.12.123.3 0 300 600 1000 1200 i
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094a92.shtml#
http://ccietobe.blogspot.com/
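An added example (not from the original post) that reproduces IOS AS-path matching in Python: the "_" metacharacter is translated to what it matches in IOS, the two regexps above are run over the table from R1 (constructed here as prefix/AS_PATH pairs), and a small as-path access-list evaluator shows the same patterns used as a filter, where the first matching entry wins and an unmatched path is denied.

```python
import re

# Constructed from the R1 table shown above: (prefix, AS_PATH as a string).
BGP_TABLE = [
    ("100.3.0.0/24", "300"),
    ("100.3.1.0/24", "300"),
    ("100.3.2.0/24", "300"),
    ("100.6.0.0/24", "300 600"),
    ("100.6.1.0/24", "300 600"),
    ("100.6.2.0/24", "300 600"),
    ("100.6.3.0/24", "300 600 1000 1200"),
    ("100.6.4.0/24", "300 600 1000 1200"),
]


def cisco_regex_to_python(pattern):
    """IOS AS-path regex to Python: '_' matches the start or end of the path, a space,
    a comma, or an AS_SET brace, so "_300_" matches AS 300 but not AS 3000 or 1300."""
    return pattern.replace("_", r"(?:^|$|[ ,{}])")


def show_ip_bgp_regexp(pattern, table=BGP_TABLE):
    """Prefixes whose AS_PATH matches, as 'show ip bgp regexp <pattern>' would list them."""
    rx = re.compile(cisco_regex_to_python(pattern))
    return [prefix for prefix, path in table if rx.search(path)]


def as_path_access_list(entries, table=BGP_TABLE):
    """Evaluate an 'ip as-path access-list' (list of (action, regex)) the IOS way:
    the first matching entry wins, and a path matching no entry is denied.
    Returns the permitted prefixes."""
    compiled = [(action, re.compile(cisco_regex_to_python(rx))) for action, rx in entries]
    permitted = []
    for prefix, path in table:
        for action, rx in compiled:
            if rx.search(path):
                if action == "permit":
                    permitted.append(prefix)
                break
    return permitted


if __name__ == "__main__":
    print(show_ip_bgp_regexp(r"^[0-9]*$|^[0-9]*_[0-9]*$"))   # one or two ASes
    print(show_ip_bgp_regexp(r"_[0-9][0-9][0-9][0-9]_"))     # at least one 4-digit AS
    # Drop anything that transited AS 1000, permit the rest:
    print(as_path_access_list([("deny", "_1000_"), ("permit", ".*")]))
```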
Wednesday, July 7, 2010
MPLS NAT Aware
Internet access is perhaps one of the most popular services that Service Providers offer their customers. Customers have the flexibility to purchase MPLS VPN services and Internet connectivity from separate Service Providers. Customers can alternatively offer Internet connectivity directly from their own network, be it from one of their remote sites or from the central site. In the latter case, the Internet Service Provider (ISP) does not need to distinguish the customer's Internet and VPN traffic, because all traffic traversing the Service Provider network would be MPLS VPN traffic.
In MPLS-based BGP VPNs (RFC 2547), ISPs offered customers an interface that was capable of carrying both intranet and Internet traffic.
Traffic between the intranet and the Internet in an MPLS BGP VPN requires NAT services at the customer edge router, between the customer's private addresses and a globally routable address.
R3NATPE#conf ter
Enter configuration commands, one per line.  End with CNTL/Z.
R3NATPE(config)#ip vrf 23
R3NATPE(config-vrf)#rd 23:23
R3NATPE(config-vrf)#route-t 23:23
R3NATPE(config-vrf)#ip vrf 13
R3NATPE(config-vrf)#rd 13:13
R3NATPE(config-vrf)#route-t 13:13
R3NATPE(config-vrf)#int s0/0
R3NATPE(config-if)#ip vrf for 13
R3NATPE(config-if)#ip add 10.1.13.3 255.255.255.0
R3NATPE(config-if)#ip nat inside
R3NATPE(config-if)#no sh
R3NATPE(config-if)#int s0/1
R3NATPE(config-if)#ip vrf for 23
R3NATPE(config-if)#ip add 10.1.23.3 255.255.255.0
R3NATPE(config-if)#ip nat inside
R3NATPE(config-if)#no sh
R3NATPE(config-if)#int s0/2
R3NATPE(config-if)#ip add 10.1.34.3 255.255.255.0
R3NATPE(config-if)#ip nat out
R3NATPE(config-if)#no sh
R3NATPE(config-if)#exit
R3NATPE(config)#access-list 1 permit any
R3NATPE(config)#ip route vrf 13 1.1.1.1 255.255.255.255 10.1.13.1
R3NATPE(config)#ip route vrf 13 0.0.0.0 0.0.0.0 10.1.34.4 global
R3NATPE(config)#ip route vrf 23 2.2.2.2 255.255.255.255 10.1.23.2
R3NATPE(config)#ip route vrf 23 0.0.0.0 0.0.0.0 10.1.34.4 global
R3NATPE(config)#ip nat pool MYPOOL 10.1.34.50 10.1.34.255 netmask 255.255.255.0
R3NATPE(config)#ip nat inside source list 1 pool MYPOOL vrf 13
R3NATPE(config)#ip nat inside source list 1 pool MYPOOL vrf 23
NAT gets hold of the packet, does the translation (static or dynamic), and also stores the VRF table ID in the translation entry:
R3NATPE#show ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
icmp 10.1.34.50:5 10.1.23.2:5 4.4.4.4:5 4.4.4.4:5
create 00:00:10, use 00:00:00 timeout:60000, left 00:00:59, Map-Id(In): 2,
flags:
extended, use_count: 0, VRF : 23, entry-id: 3, lc_entries: 0
--- 10.1.34.50 10.1.23.2 --- ---
create 00:16:50, use 00:00:11 timeout:86400000, left 23:59:48, Map-Id(In): 2,
flags:
none, use_count: 1, VRF : 23, entry-id: 1, lc_entries: 0
NAT receives the packet before routing and performs lookup on the translation table. NAT performs the reverse translation, and also sets the VRF table ID in the packet descriptor header. This enables the subsequent route lookup to occur on the right Forwarding Information Block (FIB). If the outgoing interface is in a VRF on the same PE, then the packet is forwarded as an IP packet. If the destination is on a remote PE, then the packet is imposed with labels and forwarded on the core facing interface.
Note: For security reasons, this approach is not recommended. It is not a good practice to bring in Internet traffic using the corporate VPN. This practice negates the isolation of the corporate VPN. This option is briefly discussed only to show an alternate practice that has been used in the industry. (From Implementing Cisco MPLS, Volume 2.)
Friday, April 30, 2010
ACE-Basic Load Balancing Using Bridged Mode
Goal
Configure basic load balancing (Layer 3) where client traffic enters on one VLAN and is bridged to servers residing on a second VLAN, while the VIP and server IPs reside in the same network.
Design
Clients will send application requests through the multilayer switch feature card (MSFC), which routes them to a virtual IP address (VIP) within the Cisco® Application Control Engine (ACE). The VIP used in this example resides in an ACE context, which is configured with a client VLAN and a server VLAN (Figure 1), and a Bridge Group Virtual Interface (BVI) to tie the VLANs together in a bridge-group. Client requests will arrive at the VIP, and the ACE will pick the appropriate server and then use destination Network Address Translation (NAT) to send the client request to the server. The server will respond using the interface VLAN of the MSFC as its default gateway to the client. The ACE will then change the source IP to be the VIP and bridge the traffic to the MSFC. The MSFC will then forward the response to the client.
Configuration
The Cisco ACE needs to be configured via access control lists (ACLs) to allow traffic into the ACE data plane. After the ACL checks are made, a service policy, which is applied to the interface, is used to classify traffic destined for the VIP. The VIP is associated with a load-balancing action within the multimatch policy. The load-balancing action tells the ACE how to handle traffic that has been directed to a VIP. In this example, all traffic is sent to a server farm, where it is distributed in round-robin fashion to one of five real servers. The ACE configuration occurs in layers, such that it builds from the real IPs to applying the VIP on an interface. Due to this layered structure, it is optimal to create the configuration by working backward from the way the flow is processed. Thus, to enable server load balancing you need to do the following:
- Enable ACLs to allow data traffic through the ACE device, as it is denied by default.
- Configure the IPs of the servers (define rservers).
- Group the real servers (create a server farm).
- Define the virtual IP address (VIP).
- Define how traffic is to be handled as it is received (create a policy map for load-balancing).
- Associate a VIP to a handling action (create a multimatch policy map [a service policy])
- Create client- and server-facing interfaces and a BVI to join them.
- Apply the VIP and ACL permitting client connections to the interface (apply access group and service policy to interface).
ACE-1/bridged(config)# access-list everyone extended permit ip any any
ACE-1/bridged(config)# access-list everyone extended permit icmp any any
The Cisco ACE needs to know the IP address of the servers available to handle client connections. The rserver command is used to define the IP address of the service. In addition, each rserver must be placed in service for it to be used. The benefit of this design is that no matter how many applications or services an rserver hosts, the entire real server can be completely removed from the load-balancing rotation by issuing a single "no inservice" or "no inservice-standby" command at the rserver level. This is very beneficial for users needing to upgrade or patch an rserver, because they no longer have to go to each application and remove each instance of the rserver.
ACE-1/bridged(config)# rserver lnx1
ACE-1/bridged(config-rserver-host)# ip add 172.16.3.11
ACE-1/bridged(config-rserver-host)# inservice
ACE-1/bridged(config-rserver-host)# rserver lnx2
ACE-1/bridged(config-rserver-host)# ip add 172.16.3.12
ACE-1/bridged(config-rserver-host)# inservice
ACE-1/bridged(config-rserver-host)# rserver lnx3
ACE-1/bridged(config-rserver-host)# ip add 172.16.3.13
ACE-1/bridged(config-rserver-host)# inservice
ACE-1/bridged(config-rserver-host)# rserver lnx4
ACE-1/bridged(config-rserver-host)# ip add 172.16.3.14
ACE-1/bridged(config-rserver-host)# inservice
ACE-1/bridged(config-rserver-host)# rserver lnx5
ACE-1/bridged(config-rserver-host)# ip add 172.16.3.15
ACE-1/bridged(config-rserver-host)# inservice
Now group the rservers to be used to handle client connections into a server farm. Again, the rserver must be placed in service. This allows a single instance of an rserver to be manually removed from rotation.
ACE-1/bridged(config)# serverfarm web
ACE-1/bridged(config-sfarm-host)# rserver lnx1
ACE-1/bridged(config-sfarm-host-rs)# inservice
ACE-1/bridged(config-sfarm-host-rs)# rserver lnx2
ACE-1/bridged(config-sfarm-host-rs)# inservice
ACE-1/bridged(config-sfarm-host-rs)# rserver lnx3
ACE-1/bridged(config-sfarm-host-rs)# inservice
ACE-1/bridged(config-sfarm-host-rs)# rserver lnx4
ACE-1/bridged(config-sfarm-host-rs)# inservice
ACE-1/bridged(config-sfarm-host-rs)# rserver lnx5
ACE-1/bridged(config-sfarm-host-rs)# inservice
Use a class map to define the VIP to which clients will send their requests. In this example, the VIP is considered L3 (Layer 3) because there is a match on any port. If the VIP were to match only HTTP traffic, the match would be bound to port 80 and considered an L4 (Layer 4) VIP (for example, "match virtual-address 172.16.1.100 tcp eq 80").
ACE-1/bridged(config)# class-map slb-vip
ACE-1/bridged(config-cmap)# match virtual-address 172.16.1.100 any
Next define the action to take when a new client request arrives. In this case, all traffic will be sent to the "web" serverfarm. This type of load balancing is considered L4 since only class-default is used.
ACE-1/bridged(config)# policy-map type loadbalance http first-match slb
ACE-1/bridged(config-pmap-lb)# class class-default
ACE-1/bridged(config-pmap-lb-c)# serverfarm web
Since the VIPs and load-balancing actions are defined independently, they must be associated so that the Cisco ACE knows how to handle traffic destined for a VIP. The association is made using a multimatch policy map. Keep in mind that multimatch policy maps are applied to interfaces as service policies.
ACE-1/bridged(config)# policy-map multi-match client-vips
ACE-1/bridged(config-pmap)# class slb-vip
ACE-1/bridged(config-pmap-c)# loadbalance policy slb
ACE-1/bridged(config-pmap-c)# loadbalance vip inservice
At this point the interface VLANs and BVI can be created to interconnect the Cisco ACE to the client side of the network and to the servers.
ACE-1/bridged(config)# interface vlan 30
ACE-1/bridged(config-if)# description "Client Side"
ACE-1/bridged(config-if)# bridge-group 3
ACE-1/bridged(config-if)# no shutdown
ACE-1/bridged(config-if)# interface vlan 31
ACE-1/bridged(config-if)# description "Server Side"
ACE-1/bridged(config-if)# bridge-group 3
ACE-1/bridged(config-if)# no shutdown
ACE-1/bridged(config-if)# interface bvi 3
ACE-1/bridged(config-if)# description "client - server bridge group"
ACE-1/bridged(config-if)# ip address 172.16.3.5 255.255.255.0
The last step is to apply the ACL and service policy ("policy-map multi-match") to the client-side interface. Both the access group and service policy are applied on the input side of the interface.
ACE-1/bridged(config)# interface vlan 30
ACE-1/bridged(config-if)# access-group input everyone
ACE-1/bridged(config-if)# service-policy input client-vips
Related show Commands
ACE-1/bridged# show arp
ACE-1/bridged# show acl
ACE-1/bridged# show service-policy client-vips
ACE-1/bridged# show serverfarm
ACE-1/bridged# show rserver
ACE-1/bridged# show stats
Comments
Once you have completed the configuration, verify that the Cisco ACE has an Address Resolution Protocol (ARP) response for each rserver and the default bridge to the client. Check the ACL hits to ensure that client connections are being accepted. Check the service policy output to see the client connection hits, and verify that the server is responding with response packets. The "show" command for serverfarm and rserver can be used to display the exact rserver handling the connection and the amount of work the entire server farm has handled. The "show stats" command provides a higher level of monitoring of ACE load balancing, inspection, probes, and other important metrics.
show running-config
ACE-1/bridged# show run
Generating configuration....
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
rserver host lnx1
  ip address 172.16.3.11
  inservice
rserver host lnx2
  ip address 172.16.3.12
  inservice
rserver host lnx3
  ip address 172.16.3.13
  inservice
rserver host lnx4
  ip address 172.16.3.14
  inservice
rserver host lnx5
  ip address 172.16.3.15
  inservice
serverfarm host web
  rserver lnx1
    inservice
  rserver lnx2
    inservice
  rserver lnx3
    inservice
  rserver lnx4
    inservice
  rserver lnx5
    inservice
class-map match-all slb-vip
  2 match virtual-address 172.16.3.100 any
policy-map type management first-match remote-access
  class class-default
    permit
policy-map type loadbalance http first-match slb
  class class-default
    serverfarm web
policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
interface vlan 30
  description "Client Side"
  bridge-group 3
  access-group input everyone
  service-policy input client-vips
  no shutdown
interface vlan 31
  description "Server Side"
  bridge-group 3
  service-policy input remote-access
  no shutdown
interface bvi 3
  ip address 172.16.3.5 255.255.255.0
  description "client - server bridge group"
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.3.1
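An added config sanity check, not the post's or Cisco's code, that parses a constructed, indented excerpt of the running-config above. The sample deliberately differs from the page in three places (lnx2 is left out of service, lnx9 is referenced but never defined, and the walkthrough's VIP 172.16.1.100 is used instead of the 172.16.3.100 in the running-config) so that each check fires: serverfarm members that are missing or out of service, a VIP outside the BVI subnet, and a client VLAN whose input ACL is a blanket permit ip any any.

```python
"""Config sanity checks for ACE bridged-mode load balancing.
Added example, not Cisco's or the post's code. SAMPLE_CONFIG is a constructed,
indented excerpt of the running-config above with deliberate defects."""
import ipaddress
import re

SAMPLE_CONFIG = """\
access-list everyone line 8 extended permit ip any any
rserver host lnx1
  ip address 172.16.3.11
  inservice
rserver host lnx2
  ip address 172.16.3.12
serverfarm host web
  rserver lnx1
    inservice
  rserver lnx2
    inservice
  rserver lnx9
    inservice
class-map match-all slb-vip
  2 match virtual-address 172.16.1.100 any
interface vlan 30
  bridge-group 3
  access-group input everyone
  service-policy input client-vips
interface bvi 3
  ip address 172.16.3.5 255.255.255.0
"""

# A top-level stanza (head) followed by its indented body lines.
STANZA = r"^{head}\n((?:[ ]+.*\n)*)"


def stanzas(cfg, head):
    """Yield the capture groups of `head` plus the stanza body for each match."""
    for m in re.finditer(STANZA.format(head=head), cfg, re.M):
        yield m.groups()


def check(cfg):
    """Return a list of human-readable findings (empty when the config is clean)."""
    findings = []
    rservers = dict(stanzas(cfg, r"rserver host (\S+)"))
    # 1. every serverfarm member must be a defined rserver that is inservice
    for farm, body in stanzas(cfg, r"serverfarm host (\S+)"):
        for member in re.findall(r"^  rserver (\S+)", body, re.M):
            if member not in rservers:
                findings.append(f"serverfarm {farm}: rserver {member} is not defined")
            elif not re.search(r"^  inservice$", rservers[member], re.M):
                findings.append(f"serverfarm {farm}: rserver {member} is not inservice")
    # 2. in bridged mode the VIP must sit in the BVI subnet (clients and
    #    servers share one IP network across the two bridged VLANs)
    for _bvi, body in stanzas(cfg, r"interface bvi (\d+)"):
        ip, mask = re.search(r"ip address (\S+) (\S+)", body).groups()
        subnet = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        for vip in re.findall(r"match virtual-address (\S+)", cfg):
            if ipaddress.ip_address(vip) not in subnet:
                findings.append(f"VIP {vip} is outside BVI subnet {subnet}")
    # 3. flag client-facing VLANs whose input ACL is a blanket permit
    open_acls = set(re.findall(r"^access-list (\S+) .*permit ip any any", cfg, re.M))
    for vlan, body in stanzas(cfg, r"interface vlan (\d+)"):
        for acl in re.findall(r"access-group input (\S+)", body):
            if acl in open_acls:
                findings.append(f"vlan {vlan}: ACL {acl} permits ip any any")
    return findings
```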
Monday, March 8, 2010
QOS & MPLS
In some cases (for example, a plain non-VPN MPLS network), the PHP action on the final P router can expose a plain IP packet when a packet with only one label is received. When this IP packet is received by the egress LSR (PE), it is not possible to classify the packet based on the MPLS EXP bits because there is no label now. In these situations, you must configure the egress PE router to advertise an explicit-null label. When the PHP action is performed on the P router, a label with a value of zero is sent, and with this special label you can mark the EXP bits as normally labeled packets, allowing the correct classification on the egress PE router.
Default Behavior: Penultimate Hop Pop (PHP)
R8#show mpls for 5.5.5.5 32
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
16 Untagged 5.5.5.5/32 0 Se0/0/0.57 point2point
Behavior with Ultimate Hop Popping (UHP)
R9(config)#mpls ldp explicit-null   ! this is how you enable UHP
R9#show mpls for 5.5.5.5 32
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
16 0 5.5.5.5/32 0 Se0/0/0.57 point2point
UHP, in other words, is explicit-null: instead of advertising a pop, the egress PE advertises label 0 (the explicit-null label, for both LDP and TDP), so the penultimate hop swaps to label 0 rather than popping, and the EXP bits still reach the egress PE.
DiffServ Tunneling Modes for MPLS Networks
RFC3270
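The PHP versus explicit-null behaviour above, as an added example that is not code from the post: it models the label stack of a packet crossing the last P router and shows that an EXP-only classifier on the egress PE gets nothing after PHP but still sees the EXP value once the penultimate hop swaps to label 0. The label value 16, EXP 5 and DSCP 46 are constructed inputs.

```python
"""PHP versus explicit-null at the egress PE (added example, not from the page).

Models the label stack of a packet crossing the last P router. With PHP the
penultimate hop pops the only label, so the egress PE receives plain IP and
cannot classify on EXP. With explicit-null it swaps the label for 0 and keeps
the EXP bits, so the egress PE can still classify on EXP. Label values, EXP
and DSCP below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

EXPLICIT_NULL = 0   # IPv4 explicit-null label value (RFC 3032)


@dataclass
class Label:
    value: int
    exp: int


@dataclass
class Packet:
    dscp: int                                   # IP DSCP, untouched by P routers
    stack: List[Label] = field(default_factory=list)


def penultimate_hop(pkt: Packet, explicit_null: bool) -> Packet:
    """Forward on the last P router. The outgoing label learned from the
    egress PE is either 'pop' (PHP) or 0 (explicit-null advertised)."""
    top = pkt.stack.pop()
    if explicit_null:
        # Swap to label 0, carrying the EXP of the incoming label forward.
        pkt.stack.append(Label(EXPLICIT_NULL, top.exp))
    return pkt


def egress_pe_classify(pkt: Packet) -> Optional[int]:
    """Egress PE classifier that matches only on MPLS EXP.
    Returns the EXP value used, or None when the packet arrived unlabelled."""
    if not pkt.stack:
        return None              # plain IP after PHP: no EXP to classify on
    top = pkt.stack.pop()        # egress pops the explicit-null label itself
    assert top.value == EXPLICIT_NULL
    return top.exp


def run(explicit_null: bool) -> Optional[int]:
    """Send one constructed packet (label 16, EXP 5) through both hops."""
    pkt = Packet(dscp=46, stack=[Label(value=16, exp=5)])
    return egress_pe_classify(penultimate_hop(pkt, explicit_null))
```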
Friday, March 5, 2010
MPLS LDP Session Protection
When a link flaps or fails, it can take a long time for LDP to re-exchange labels after the outage. With MPLS LDP Session Protection we can provide faster LDP convergence when the link recovers:
MPLS LDP Session Protection maintains LDP bindings when a link fails.
MPLS LDP sessions are protected through the use of LDP Hello messages. When you enable MPLS LDP,
the label switched routers (LSRs) send messages to find other LSRs with which they can create LDP sessions.
• If the LSR is one hop from its neighbor, it is directly connected to its neighbor.
The LSR sends out LDP Hello messages as User Datagram Protocol (UDP) packets to all the routers on the subnet.
The hello message is called an LDP Link Hello. A neighboring LSR responds to the hello message and the two routers begin to establish an LDP session.
• If the LSR is more than one hop from its neighbor, it is not directly connected to its neighbor.
The LSR sends out a directed hello message as a UDP packet, but as a unicast message specifically addressed to that LSR.
The hello message is called an LDP Targeted Hello. The nondirectly connected LSR responds to the Hello message and the two routers establish an LDP session. (If the path between two LSRs has been traffic engineered and has LDP enabled, the LDP session between them is called a targeted session.)
MPLS LDP Session Protection uses LDP Targeted Hellos to protect LDP sessions.
Take, for example, two directly connected routers that have LDP enabled and can reach each other through alternate IP routes in the network. An LDP session that exists between two routers is called an LDP Link Hello Adjacency. When MPLS LDP Session Protection is enabled, an LDP Targeted Hello Adjacency is also established for the LDP session.
If the link between the two routers fails, the LDP Link Adjacency also fails. However, if the LDP peer is still reachable through IP, the LDP session stays up, because the LDP Targeted Hello Adjacency still exists between the routers. When the directly connected link recovers, the session does not need to be reestablished, and LDP bindings for prefixes do not need to be relearned.
command: mpls ldp session protection [vrf vpn-name] [for acl] [duration seconds]
Friday, February 26, 2010
Synchronization in packet-based mobile backhaul networks
As more and more traffic is delivered in Ethernet format, carriers are realizing the advantages of migrating to a pure Ethernet infrastructure, but there are some functions that Ethernet as presently defined cannot provide. New standards and recommendations from the MEF, ITU and IEEE let Ethernet networks close the gap with SONET/SDH networks.
The final difference between a conventional TDM-based network and Ethernet is that the former also transports frequency information, needed by some applications, while Ethernet does not. Numerous methods have been suggested for augmenting Ethernet to distribute frequency and/or timing information, such as IEEE 1588, SyncE and NTP.
In this article, Antonis Karvelas covers the methods for transporting synchronization over an Ethernet network.
Sunday, January 31, 2010
Interface range macro
With this macro you can group several interfaces together and address them by a meaningful name, which is very useful in scripts.
example:
define interface-range WANPORT FastEthernet0/1 , FastEthernet0/5
define interface-range USERLANPORTS FastEthernet0/6 - 23
Usage:
switch#conf t
switch(config)#interface range macro USERLANPORTS
switch(config-if-range)#switchport access vlan 345
switch(config-if-range)#no shutdown
switch(config-if-range)#description User-Ports
switch(config-if-range)#end
switch#
Friday, January 15, 2010
Juniper Netscreen Commands
Interface
get counter statistics | Show interface statistics (CRC errors etc) |
get interface trust port phy | Show physical ports for a certain zone |
get driver phy | Show all link states of interfaces |
get counter statistics interface ethernet3 | Show hardware stats on interface |
set interface [interface] no-subnet-conflict-check | Allows you to configure multiple interfaces in the same IP broadcast domain. |
Current Settings / Values
get envar | get environment variable |
get config | get device configuration |
get system | get system information |
get arp | get arp cache |
get route | get routing table |
get system | i Box | get port-mode |
get alg h323 counters | get the ALG counters |
get alg | get status of ALGs (disabled or enabled) |
get sys-cfg | get default settings for the device |
get sys scale | get basic system limits |
get debug | get currently enabled debug level |
get tcp | get system socket information |
NAT
get mip | get mip (nat) |
get vip | get vip (nat) |
get nat cookie | get show nat cookies |
Statistics / Performance
get perf cpu detail | get cpu performance |
get session info | get load on firewall |
get counter flow | Show flow stats (fragmentation etc) |
get counter screen | Show screen stats (SYN Floods etc) |
VPN
clear ike-cookie [gateway ip] | clear ike cookies |
clear sa [id] | clear sa |
get vpn | show vpns |
NSRP
get nsrp cluster | Show cluster info |
get nsrp monitor | Show list of monitored interfaces |
get nsrp vsd id 0 | Show VSD id 0 |
get counters ha | Show HA interface hardware counters |
exec nsrp sync global-config check-sum | Allows you to see if the cluster configs are synchronised |
exec nsrp sync global save | Syncs the nodes. A reboot is required to complete the update. |
exec nsrp vsd-group 0 mode | Fails over the cluster. Run this command on the Master node. |
IGMP
set interface ethernet0/1 igmp router | enable IGMP on interface eth0/1 |
get vrouter trust-vr protocol pim | get the multicast sources visible to your ScreenOS device |
Misc
set exec port-mode | set the port mode |
set flow tcp-mss 1460 | sets the MSS |
get config : to get device configuration
save : to save changes to config
get system : gets system information, Netscreen mode
get session info : shows load on the firewall 85+ implies there will be some latency
get interface : shows interfaces, zones
get address trust/untrust : shows defined network objects
get Arp : shows firewall Arp entries
get route : shows firewall routes
get service : shows firewall services
get group address : network groups
get group service : service groups
get policy in/out : shows applied firewall policies
get log traffic : shows firewall logs – options: based on src/dst/IP/port
unset : to remove a config statement
get user all : shows vpn users
get log event : shows vpn logs
get MIP : shows one to one Nat’s
get VIP : shows configured port forwarding rules
get route ip x.x.x.x: finds the specific route for an ip
set policy id xx : puts you into a specific policy so you can add more objects to it instead of creating a group
define networks & network groups:
Set address trust int-10.1.1.0_24 10.1.1.0/24
Set address untrust ext-192.168.15.15 192.168.15.15/32
Set group address untrust Remote
Set group address untrust Remote add ext-192.168.15.15
define services & service groups:
Set service tcp_445 protocol tcp src-port 1024-65535 dst-port 445-445 timeout 120
Set service tcp_3399 protocol tcp src-port 1024-65535 dst-port 3390-3390 timeout 120
Set group service outsrvgroup1
Set group service outsrvgroup1 add http
Set group service outsrvgroup1 add https
Define policies:
set policy from trust to untrust int-10.1.1.0_24 any outsrvgrp1 permit log count
define one to one NAT (MIP):
Set interface untrust MIP 192.168.1.15 host 10.1.1.15 netmask 255.255.255.255
Set group service insrvgroup1
Set group service insrvgroup1 add http
Set group service insrvgroup1 add https
Set policy from untrust to trust any MIP(192.168.1.15) insrvgroup1 permit log count
Set policy move 59 before 4
define port forwarding (VIP):
Set interface untrust VIP 192.168.1.55 443 https 10.1.1.55
Set policy from untrust to trust any VIP::1 https permit log count
define routes:
Set route 10.1.1.0/24 gateway 192.168.1.254