02-12-2004 07:05 AM
Good Day:
Can I configure DLSw with NAT?
I have a 1760V router with IOS version 12.2(4)YB.
Thank you very much
h
02-12-2004 12:04 PM
Yes. The following URL should answer most of the concerns of DLSw and NAT:
http://www.cisco.com/en/US/partner/tech/tk331/tk336/technologies_tech_note09186a0080093db6.shtml
02-12-2004 12:19 PM
Thank you very much, but I don't have a CCO account.
I activated debug dlsw in the 1760 (remote) router and this is the message:
Router#
04:28:08: DLSw: START-TPFSM (peer 1.1.1.1(2065)): event:ADMIN-OPEN CONNECTION state:DISCONN
04:28:08: DLSw: dtp_action_a() attempting to connect peer 1.1.1.1(2065)
04:28:08: DLSw: END-TPFSM (peer 1.1.1.1(2065)): state:DISCONN->WAIT_WR
04:28:13: DLSw: Async Open Callback 1.1.1.1(2065) -> 11062
04:28:13: DLSw: START-TPFSM (peer 1.1.1.1(2065)): event:TCP-WR PIPE OPENED state:WAIT_WR
04:28:13: DLSw: dtp_action_f() start read open timer for peer 1.1.1.1(2065)
04:28:13: DLSw: END-TPFSM (peer 1.1.1.1(2065)): state:WAIT_WR->WAIT_RD
04:28:20: DLSw: START-TPFSM (peer 1.1.1.1(2065)): event:TIMER-TIMER EXPIRED state:WAIT_RD
04:28:20: DLSw: dtp_action_b() close connection for peer 1.1.1.1(2065)
04:28:20: DLSw: aborting tcp connection for peer 1.1.1.1(2065)
04:28:20: DLSw: END-TPFSM (peer 1.1.1.1(2065)): state:WAIT_RD->DISCONN
In the central router the status of the DLSw peer is AB-PENDING.
Configuration of the central router:
source-bridge ring-group 2000
source-bridge transparent 2000 444 1 1
dlsw local-peer peer-id 1.1.1.1 promiscuous
dlsw bridge-group 1
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
Configuration of the remote router:
source-bridge ring-group 2000
dlsw local-peer peer-id 2.2.2.2
dlsw remote-peer 0 tcp 1.1.1.1
dlsw bridge-group 1
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip nat inside
no ip mroute-cache
Thank you very much
02-13-2004 01:09 AM
Where are your NAT statements (translation commands)?
What lines do you use to connect both routers?
Which interface is your NAT outside interface?
When configuring DLSw with NAT you need to be careful with this:
http://www.cisco.com/en/US/tech/tk331/tk336/technologies_tech_note09186a0080093db6.shtml (no CCO account required)
Please, let us know
02-13-2004 05:28 AM
Hi, thank you very much for your answer.
I did read the document and my configuration is similar.
The entire configuration of the remote router is this:
Router#sh run
Building configuration...
Current configuration : 2155 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
logging buffered 10000 informational
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
enable secret xxxx
!
username xxxx password xxxx
username xxx password xxx
memory-size iomem 25
clock timezone GTM-4 -4
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
!
!
!
!
!
!
!
!
source-bridge ring-group 2000
dlsw local-peer peer-id 2.2.2.2
dlsw remote-peer 0 tcp 1.1.1.1
dlsw bridge-group 1
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip nat inside
no ip mroute-cache
!
interface FastEthernet0/0
description CONEXION AL TERMINAL
ip address 10.95.50.1 255.255.255.0
ip nat inside
no ip route-cache
no ip mroute-cache
load-interval 30
no keepalive
speed auto
bridge-group 1
!
interface Serial0/0
physical-layer async
description conexion al modem iport
ip address negotiated !!!(172.18.172.1/32)!!!!
ip nat outside
encapsulation ppp
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer string "#777" modem-script iport
dialer-group 1
async default routing
async mode interactive
no peer default ip address
ppp accm 0
ppp authentication chap callin
ppp chap hostname xxxxx
ppp chap password xxxx
!
ip nat inside source list 100 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
ip pim bidir-enable
!
!
access-list 100 permit ip any any
dialer-list 1 protocol ip permit
!
bridge 1 protocol ieee
call rsvp-sync
!
voice-port 1/0
!
voice-port 1/1
!
voice-port 2/0
!
voice-port 2/1
!
voice-port 3/0
!
voice-port 3/1
!
dial-peer cor custom
!
!
!
!
line con 0
line 1
script connection iport
modem InOut
modem autoconfigure discovery
no exec
transport input all
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
!
end
Router#
This router is connected to an LNS router; the LNS router is a 1751 and this is its configuration:
Router_LNS#sh run
Building configuration...
Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router_LNS
!
logging buffered 64000 debugging
logging console critical
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa authentication ppp vpdn local
aaa authorization network default local
enable secret xxxxx
!
username xxxx password xxxx
username xxxxx password xxx
!
!
!
!
memory-size iomem 25
ip subnet-zero
!
vpdn enable
no vpdn logging
!
vpdn-group 1
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname IWF-CC5-1
local name Router_LNS
lcp renegotiation on-mismatch
no l2tp tunnel authentication
source-ip 192.168.201.209
!
vpdn-group 2
accept-dialin
protocol l2tp
virtual-template 2
terminate-from hostname IWF-CC5-2
local name BIV_Movilnet
lcp renegotiation on-mismatch
no l2tp tunnel authentication
source-ip 192.168.201.209
!
!
!
!
interface Loopback0
ip address 172.18.1.1 255.255.255.0
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool cisco
ppp authentication chap pap vpdn
!
interface Virtual-Template2
ip unnumbered Loopback0
peer default ip address pool cisco
ppp authentication chap pap vpdn
!
interface Serial0
bandwidth 64000
ip address 192.168.201.198 255.255.255.252
encapsulation frame-relay IETF
no ip mroute-cache
no fair-queue
frame-relay interface-dlci 100
frame-relay lmi-type ansi
!
interface FastEthernet0
ip address 192.168.201.209 255.255.255.248 secondary
ip address 172.16.12.6 255.255.255.0
speed auto
!
ip local pool cisco 172.18.172.1 172.18.172.254
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.201.197
ip route 1.1.1.1 255.255.255.255 172.16.12.2
ip route 2.2.2.2 255.255.255.255 192.168.201.197
ip route 172.16.0.0 255.255.0.0 172.16.12.2
ip route 172.17.0.0 255.255.0.0 172.16.12.2
no ip http server
!
logging history debugging
no logging trap
access-list 3 permit 172.16.12.237
access-list 3 permit 172.16.12.52
access-list 3 permit 172.16.12.7
access-list 3 permit 172.16.12.112
access-list 3 permit 172.16.12.69
snmp-server engineID local xxxxx
snmp-server community Router RO
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
access-class 3 in
!
no scheduler allocate
end
The LNS router is connected to the central site with Frame Relay:
ip subnet-zero
no ip domain-lookup
!
frame-relay switching
!
source-bridge ring-group 2000
source-bridge transparent 2000 444 1 1
dlsw local-peer peer-id 1.1.1.1 promiscuous
dlsw bridge-group 1
!
process-max-time 200
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Channel1/0
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no keepalive
csna 0100 E0
max-llc2-sessions 5000
lan TokenRing 0
source-bridge 100 1 2000
adapter 0 4000.7000.0001
name cpa7200
llc2 recv-window 11
lan TokenRing 1
adapter 1 4000.7000.0002
*********************************************
Thank you, thank you very much.
h
02-13-2004 07:32 AM
Hi,
Yes, you can. DLSw in general has no knowledge of NAT.
Please look at this URL for some more info about the problems you can run into:
http://www.cisco.com/en/US/partner/tech/tk331/tk336/technologies_tech_note09186a0080093db6.shtml
Additionally, Cisco introduced a new command to make this a bit easier. The DDTS which introduced this change is CSCeb47150. The release note is copied below for reference on how this is designed to work.
The above URL is for DLSw version 1 according to RFC 1795.
This defines two TCP sessions to bring up a DLSw peer; once the DLSw capabilities exchange is done, the two routers may decide to drop one of the two TCP sessions.
However, the handling of the two TCP sessions depends on the numerical order of the two peer IP addresses.
When you use NAT you change those IP addresses, and this can cause problems. Please see the URL for details.
CSCeb47150 allows you to specify a remote peer as a DLSw version 2, RFC 2166, peer, and in this case there is no NAT problem since this uses only one TCP session to establish the peer. Please read the above URL and the release note.
thanks....
Matthias
Release-Note:
Symptom: Customer has DLSw defined at two locations. The locations are connected together over a
VPN tunnel. The peers start to establish and drop after capabilities exchange.
Conditions: NAT is being used but outside the customer's point of control.
Problem: DLSw Version 1, RFC 1795, defines the DLSw peer with TCP encapsulation to use 2 TCP pipes
for the peer bringup: a Write and a Read pipe. Both routers establish their respective Write pipe.
That means that if router A opens a DLSw peer to router B, router A establishes its Write pipe to
router B and router B then establishes its Write pipe back to router A. Next the capabilities
exchange happens, and during this exchange the two routers decide if they can drop one TCP
connection and use the resulting TCP session for traffic in both directions. This decision is
based on the numerical order of the local peer IP addresses. The peer with the numerically higher
IP address is supposed to drop its TCP pipe. This is defined in RFC 1795 section 7.6.7.
If IP NAT is used in between the two DLSw peer routers and the NAT is changing the order of the numerically
higher or lower local peer IP address, the peer may fail to establish. Both routers may think that they
are the higher IP address and both drop their TCP session, or both think they are the lower IP address
and wait for the other end to take action.
Workaround: The user must preserve the numerical order of the DLSw local peer IP addresses through
IP NAT. This is not always possible and in any case it is not an easy task.
Solution:
This ddts added a new configuration option to the dlsw peer statements:
v2-single-tcp
This is intended to do the following:
DLSw Version 2, RFC 2166, defines the DLSw TCP peer bringup with a single TCP session. So the above problem
does not exist anymore, since there is only one TCP session and it makes no difference which end has the
numerically higher or lower IP address.
The v2-single-tcp keyword will instruct this router to bring up a DLSw Version 2 peer, and thus both routers
will automatically only use 1 TCP session to establish the peer.
The usage of the new keyword should be like this:
Branch router A tries to establish a DLSw peer to data center router B.
Data center router B is running IOS 12.0 or higher and thus already supports DLSw version 2.
The DLSw local peer configuration on data center router B is either promiscuous, to allow any incoming
peer connection, or, if you have to configure each connection individually, the peer to branch router A is
configured to be passive.
Branch router A is configured on its dlsw remote-peer statement with the new keyword v2-single-tcp and thus
it starts a version 2 peer to the central data center router A.
Caveats:
DLSw version 2 does not support priority peers.
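Added example (not part of Matthias's post, the release note, or any Cisco code): a small Python model of the RFC 1795 section 7.6.7 decision the release note describes, run with constructed addresses, showing how NAT in between the peers can make both routers drop their pipe or both wait, and why a v2 single-TCP peer sidesteps the decision entirely.

```python
from ipaddress import ip_address

# Added example (not Cisco code): models the post-capabilities-exchange step of
# DLSw v1 (RFC 1795 section 7.6.7) as the release note describes it. Each router
# compares its own local peer address with the peer address it observes, which
# is the NAT outside address whenever NAT sits between the two routers.


def v1_action(my_addr, peer_addr_as_seen):
    """The numerically higher peer drops its write pipe; the lower one keeps it."""
    return "drop" if ip_address(my_addr) > ip_address(peer_addr_as_seen) else "keep"


def bring_up_peer(a_addr, b_addr, nat=None, v2_single_tcp=False):
    """Simulate the DLSw peer bring-up between router A and router B.

    nat maps a real local peer address to the address the far end sees.
    Returns 'established', 'both-dropped' or 'both-waiting'.
    """
    nat = nat or {}
    if v2_single_tcp:
        # RFC 2166 brings the peer up over one TCP session, so there is no
        # pipe to drop and the address order does not matter.
        return "established"
    a_sees_b = nat.get(b_addr, b_addr)
    b_sees_a = nat.get(a_addr, a_addr)
    actions = {v1_action(a_addr, a_sees_b), v1_action(b_addr, b_sees_a)}
    if actions == {"drop"}:
        return "both-dropped"   # both believe they are the higher address
    if actions == {"keep"}:
        return "both-waiting"   # both believe they are the lower address
    return "established"        # exactly one write pipe survives


def nat_preserves_order(a_addr, b_addr, nat):
    """The release note's workaround: NAT must keep the address order intact."""
    a_view = ip_address(a_addr) < ip_address(nat.get(b_addr, b_addr))
    b_view = ip_address(nat.get(a_addr, a_addr)) < ip_address(b_addr)
    return a_view == b_view


if __name__ == "__main__":
    # Constructed addresses: branch 192.168.1.1 is translated to 5.5.5.5,
    # which flips its order relative to the data center peer 10.1.1.1.
    flip = {"192.168.1.1": "5.5.5.5"}
    print("no NAT      :", bring_up_peer("1.1.1.1", "2.2.2.2"))
    print("NAT flips   :", bring_up_peer("10.1.1.1", "192.168.1.1", flip))
    print("v2-single-tcp:", bring_up_peer("10.1.1.1", "192.168.1.1", flip, True))
    print("order kept?  :", nat_preserves_order("10.1.1.1", "192.168.1.1", flip))
```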