01-08-2020 09:19 AM
Hello,
One of our vendors is trying to perform bandwidth and traffic performance testing. They have completed their testing by attaching various end-point devices to the access-layer, dist-layer, and core layer switches in our infra. The vendor is requesting to connect their laptop directly to our edge-router.
We currently have an ASR1001 router which has one physical port with 3 sub-interfaces (1.1.1.1; 2.2.2.1; 3.3.3.1) connected directly to a trunk port (802.1q; VL1000; VL2000; VL3000) on an edge-switch, and a default gateway to our ISP. Our firewall has a physical port configured with a port-channel (VL1000: 1.1.1.2; VL2000: 2.2.2.2; VL3000: 3.3.3.2) directly connected to the same edge-switch, and a default gateway 0/0 to 1.1.1.1.
The question is: what configuration is required to connect a laptop directly to a physical port on the ASR1001 router?
Much appreciated.
Best, ~zK
01-08-2020 12:38 PM
Hi there,
What is the subnet mask of VL1000?
If it is smaller than /29 then you should be able to accommodate the test laptop in addition to the router and firewall interfaces. Simply configure a switchport in mode access on VLAN 1000 on the edge switch, assign the laptop an IP (e.g. 1.1.1.3) and connect it there. That should give it sufficient connectivity and placement.
cheers,
Seb.
01-08-2020 01:23 PM
Thanks for the input, Seb!
The requirement is to connect the Laptop directly to the edge router (ASR1001) and not to the edge-switch (this was already done).
I can connect the laptop to the edge-router and assign it a public IP address; however, I am not sure what the proper configuration on the router is.
Is there a way to create a L2 interface on the ASR1001? Ref: https://www.cisco.com/c/en/us/td/docs/wireless/asr_900/feature/guides/evc.html
01-08-2020 02:15 PM
hmm OK, looking through the documentation I have come up with this:
!
interface Gi0/0/0.1000
 service instance 1 ethernet
  encapsulation dot1q 1000
  bridge-domain 1
!
interface Gi0/0/1
 service instance 1 ethernet
  encapsulation untagged
  bridge-domain 1
!
interface BDI1
 ip address 1.1.1.1 255.255.255.x
!
Then connect the laptop to Gi0/0/1. You will need to remove the IP from Gi0/0/0.1000.
01-08-2020 02:34 PM - edited 01-08-2020 02:36 PM
Hello,
why don't you just NAT on the spare port?
interface xx
description spare router port
ip address 192.168.1.1 255.255.255.252
ip nat inside
int xx
description wan port
ip nat outside
exit
access-list 1 permit 192.168.1.0 0.0.0.3
ip nat inside source list 1 interface (wan)
laptop IP = 192.168.1.2 255.255.255.252
gateway = 192.168.1.1
01-08-2020 03:21 PM
Will this method cause any impact to the ingress/egress traffic on the edge router? This is a production edge router for a major organization!
Here is the ports configuration (using bogus IP addresses) and your recommended configuration. Is this correct?
01-08-2020 03:48 PM - edited 01-08-2020 03:49 PM
Hello
@zekebashi wrote:
Will this method cause any impact to the ingress/egress traffic on the edge router? This is a production edge router for a major organization!
No it won't; you are just enabling NAT on the WAN/spare interfaces, which is not intrusive. However, I would say any change on a production router would need to go through change control, so it's best for all concerned that you have a change window scheduled.
example:
interface GigabitEthernet0/0/1
ip nat outside
exit
01-08-2020 04:47 PM
Outstanding!
Thanks for the input, Paul!
Much appreciated.
Best, ~zK
01-21-2020 01:49 PM
@paul driver, Hello, Paul, your recommended solution worked perfectly. I implemented the change last Fri it worked as expected.
Thank you for your valuable input.
Much appreciated.
Best, ~zK
01-15-2020 02:35 PM
@paul driver Hi Paul,
I've some concerns regarding configuring "ip nat outside" on the port connected to our ISP/carrier. We are currently using BGP peering with our ISP on that port. Would configuring "ip nat outside" impact/NAT the traffic traversing this port? In your example below, you give it the description "wan port"!
int xx
description wan port
ip nat outside
exit
Thanks in advance.
Best, ~zK
01-15-2020 03:05 PM
zK
There are things about your environment that we do not know and that impacts our ability to give good advice. So can you provide clarification on some points? Is there any address translation configured on any interfaces of your ASR? If there is no address translation on your ASR then where is the translation done? Is it on your firewall? Does your ISP provide the translation?
In general I would advise that if there is currently no address translation configured on your ASR then configuring address translation using ip nat outside on the interface to the ISP and ip nat inside on the interface used for the test PC, and address translation configured using an access list that identified specifically the traffic from the test PC should not have any impact on your production traffic. But if this is a production router for a major organization, I would certainly advise having someone who has better visibility into the specifics of the environment review the implications of making these changes.
HTH
Rick
01-15-2020 04:01 PM
Hi Richard,
No, we are not using the ASR for any address translation. We are using our firewall to perform NATing.
Yes, this is a prod router for a major org.
The specifics are as I mentioned in my original post:
- We are using ASR1001 and peering with our ISP (BGP) for Internet access
- We are using one physical interface on the ASR configured with a public IP address (G0/0/1 = 100.100.100.2/29), which is used to peer with our ISP (100.100.100.1/29) ------ This is the "Outside Interface"
- The ASR has a physical interface (G0/0/0) configured with 3 sub-interfaces (G0/0/0.1000 = 1.1.1.1/23; G0/0/0.2000 = 2.2.2.1/24; and G0/0/0.3000 = 3.3.3.1/24) --- This is the "Inside Interface", which connects to the Internet edge switch
- The ASR's G0/0/0 (Inside Interface) connects directly to a trunk port on the Internet edge switch (802.1q: VL1000; VL2000; VL3000)
- On the ASR, we have a default route to the ISP's address 0/0 --- 100.100.100.1
- We have a FW configured with a physical interface (802.1q: VL1000; VL2000; VL3000) and connected directly to same Internet edge switch as the ASR
- On the FW, we have a default route to 0/0 100.100.100.2, which is one of the sub-interfaces on the ASR: G0/0/1= 100.100.100.2/29
- We have all the NATing configured on our FW
I hope this helps.
Best, ~zK
01-17-2020 06:01 AM
zK
Thank you for the clarification. Based on what you have told us I would repeat what I said in my previous response: based on what we have been told it should not have an impact on the production network if you use a spare interface to connect a PC, and if you configure ip nat inside, ip nat outside, and address translation with an access list that specifically permits only that PC address to be translated.
Having said that I would also say that since this is a production network for a major organization I would proceed with caution. There is some possibility that there is some aspect that we have not considered that could cause an impact. For example is it possible that the volume of test traffic from the PC could impact production traffic? Is it possible that something in the test traffic could trigger some security policy in the provider network? Ultimately you and your management must evaluate the benefits of performing these tests against the (remote) possibility that it could impact the production traffic and decide whether to proceed with this testing.
HTH
Rick
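Putting Paul's spare-port NAT approach together with Rick's advice that the translation ACL should match only the test PC, here is an added, complete configuration example. It is not the thread's own configuration. The interface GigabitEthernet0/0/2 as the unused ASR1001 port, the ACL name NAT-TEST-LAPTOP and the 192.168.1.0/30 link are assumptions; GigabitEthernet0/0/1 as the BGP/ISP-facing port and the /30 for the laptop follow the thread.

```cisco
! Added example, not the thread's configuration.
! Assumption: Gi0/0/2 is the unused ASR1001 port; Gi0/0/1 is the ISP/BGP port.
!
! 1. Spare port for the test laptop. A /30 leaves room for exactly one host,
!    so nothing else can be plugged in alongside it.
interface GigabitEthernet0/0/2
 description TEST laptop for vendor performance test (temporary)
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
 no shutdown
!
! 2. Existing ISP port. "ip nat outside" on its own translates nothing:
!    NAT only acts on packets crossing an inside<->outside interface pair and
!    matching the list below. Gi0/0/0 (firewall side) is NOT marked inside, so
!    the firewall's already-translated production traffic is untouched, and the
!    router-originated BGP session to 100.100.100.1 never enters an inside
!    interface, so it is not translated either.
interface GigabitEthernet0/0/1
 ip nat outside
!
! 3. Translate ONLY the laptop's host address, not the whole /30 and not the
!    production subnets behind Gi0/0/0.
ip access-list extended NAT-TEST-LAPTOP
 permit ip host 192.168.1.2 any
!
! 4. PAT the laptop behind the ISP port's public address ("overload" = port
!    translation, so no additional public address is consumed).
ip nat inside source list NAT-TEST-LAPTOP interface GigabitEthernet0/0/1 overload
!
! Laptop settings: 192.168.1.2/30, default gateway 192.168.1.1.
!
! Checks during the change window:
!   show ip nat translations   <- only entries with inside local 192.168.1.2
!   show ip nat statistics     <- hit counters move only while the laptop is active
!   show ip bgp summary        <- neighbor state and prefix count unchanged
!
! Back-out once the test is over (unplug the laptop first):
!   no ip nat inside source list NAT-TEST-LAPTOP interface GigabitEthernet0/0/1 overload
!   no ip access-list extended NAT-TEST-LAPTOP
!   interface GigabitEthernet0/0/1
!    no ip nat outside
!   interface GigabitEthernet0/0/2
!    shutdown
```

The laptop is only reachable from the Internet through return traffic for connections it opened itself, since there is no static mapping; if the vendor needs inbound tests, that is a separate, deliberate change rather than a side effect of this one.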
01-21-2020 01:47 PM
@Richard Burts. Hi, Rich, I implemented the change last Fri and tested the connectivity from the laptop out to the Internet. It worked like a charm. Thanks so much for your time, input, and patience.
Much appreciated.
Best, ~zK
01-21-2020 02:44 PM
zK
I am glad that our responses have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information.
HTH
Rick