on 04-20-2016 03:46 AM
Introduction
Configuring CGN on VSM involves several steps, as described in the "CGv6 on VSM: CGN / NAT44 Deployment Guide". NCCT (NAT Config Check Tool) was developed to validate the CGN configuration and report missing or wrong configuration. This document shows two flavours of the same tool: a) an EEM/Tcl script that is installed on the router; b) a shell script that can be run from any Unix system.
Implementation
Algorithm:
The script logs into the router and finds the CGN instances configured on it. It then loops through the CGN instances and performs the following for each one:
1) Checks the location under the cgn instance and makes sure that it is a VSM
2) Checks that the cgn ova is installed and activated on that VSM
3) Checks the serviceinfra configuration
4) For each vrf configured for NAT, checks that the vrf is defined and that the serviceapps defined under the vrf belong to the same vrf as in the config
5) Displays an appropriate error message whenever one of the above checks fails
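The checks listed above, applied offline to captured show output, as an added example that is not the NCCT script itself. The function name check_cgn and the input layout are assumptions, the sample text is constructed from the sample run shown later on this page, and the example assumes each service-location needs its own ServiceInfra interface and leaves out the inside ServiceApp check.

```python
import re

# Constructed sample input, modelled on the management-script sample run on this page.
CGN = """service cgn cgn1
 service-location preferred-active 0/3/CPU0 preferred-standby 0/5/CPU0
 service-type nat44 NAT44
  inside-vrf insidevrf2
   map outside-vrf outsidevrf2 outsideServiceApp ServiceApp2 address-pool 150.1.0.0/21
"""
PLATFORM = """0/3/CPU0 A9K-VSM-500 IOS XR RUN PWR,NSHUT,MON
0/5/CPU0 A9K-VSM-500 IOS XR RUN PWR,NSHUT,MON
"""
VSERVICE = """cgn123 Activated vsmcgv6_ivybridge601.ova 0/3/CPU0
cgn456 Activated vsmcgv6_ivybridge601.ova 0/5/CPU0
"""
VRFS = {"insidevrf2", "outsidevrf2"}  # names for which "show run vrf" returned a block
INTERFACES = {  # interface name -> body of its "show run interface" output
    "ServiceInfra1": "ipv4 address 1.1.1.1 255.255.255.252\nservice-location 0/3/CPU0",
    "ServiceInfra2": "ipv4 address 2.2.2.2 255.255.255.252\nservice-location 0/5/CPU0",
    "ServiceApp2": "vrf outsidevrf2\nservice cgn cgn1 service-type nat44",
}

def check_cgn(cgn, platform, vservice, vrfs, interfaces):
    """Return a list of error strings; an empty list means every check passed."""
    errors = []
    name = re.search(r"^service cgn (\S+)", cgn, re.M).group(1)
    for loc in re.findall(r"preferred-(?:active|standby) (\S+)", cgn):  # checks 1-3
        if not re.search(rf"^{re.escape(loc)}\s+A9K-VSM-500\s+IOS XR RUN", platform, re.M):
            errors.append(f"VSM not present or not in IOS XR RUN at {loc}")
        if not re.search(rf"\sActivated\s+\S+\.ova\s+{re.escape(loc)}\s*$", vservice, re.M):
            errors.append(f"no activated OVA at {loc}")
        if not any(n.lower().startswith("serviceinfra") and f"service-location {loc}" in body
                   for n, body in interfaces.items()):
            errors.append(f"no ServiceInfra interface at {loc}")
    maps = re.findall(r"inside-vrf (\S+)\s+map outside-vrf (\S+) outsideServiceApp (\S+)", cgn)
    for inside, outside, sapp in maps:  # check 4, once per inside/outside VRF pair
        for vrf in (inside, outside):
            if vrf not in vrfs:
                errors.append(f"vrf {vrf} is not defined")
        body = interfaces.get(sapp)
        if body is None:
            errors.append(f"{sapp} is not configured")
            continue
        lines = [l.strip() for l in body.splitlines()]
        if f"vrf {outside}" not in lines:
            errors.append(f"{sapp} is not under outside-vrf {outside}")
        if not any(l.startswith(f"service cgn {name} ") for l in lines):
            errors.append(f"{sapp} is not bound to cgn instance {name}")
    return errors
```

Calling check_cgn(CGN, PLATFORM, VSERVICE, VRFS, INTERFACES) on the constructed sample returns an empty list.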
NCCT EEM SCRIPT
Steps to execute EEM script:
Step 1: Create a directory scripts under harddisk:
------------------------------------------
cd harddisk:
mkdir scripts
Copy the script to the asr9k
-----------------------------
Copy the EEM script (EEM_NCCT.tcl) to harddisk:/scripts on the router.
Step 2: EEM user authentication:
RP/0/RSP1/CPU0:SRV_PE1#conf
Sat Mar 12 19:09:38.727 IST
RP/0/RSP1/CPU0:SRV_PE1(config)#event manager directory user policy harddisk:/scripts
RP/0/RSP1/CPU0:SRV_PE1(config)#aaa authorization eventmanager default local
RP/0/RSP1/CPU0:SRV_PE1(config)#commit
Sat Mar 12 19:09:42.028 IST
RP/0/RSP1/CPU0:SRV_PE1(config)#end
RP/0/RSP0/CPU0:SRV_PE1#conf
Sat Mar 12 19:10:29.886 IST
RP/0/RSP1/CPU0:SRV_PE1(config)#username eem_user
RP/0/RSP1/CPU0:SRV_PE1(config-un)# group root-system
RP/0/RSP1/CPU0:SRV_PE1(config-un)# group cisco-support
RP/0/RSP1/CPU0:SRV_PE1(config-un)#commit
Sat Mar 12 19:10:33.967 IST
RP/0/RSP1/CPU0:SRV_PE1(config-un)#
Step 3: EEM script registration:
RP/0/RSP1/CPU0:SRV_PE1#conf
Tue Mar 15 17:39:51.579 IST
RP/0/RSP1/CPU0:SRV_PE1(config)#event manager policy EEM_NCCT.tcl username eem_user persist-time 3600 type user
RP/0/RSP1/CPU0:SRV_PE1(config)#commit
Tue Mar 15 17:40:02.882 IST
RP/0/RSP1/CPU0:Mar 15 17:40:13.064 : eem_policy_dir[197]: %HA-HA_EM-6-FMPD_POLICY_REG_SUCC : fh_reg_unreg_policy: Policy 'EEM_NCCT.tcl' registered successfully, by user eem_user, with persist time 3600 and type 1
RP/0/RSP1/CPU0:Mar 15 17:40:13.180 : config[65853]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'lab'. Use 'show configuration commit changes 1000000150' to view the changes.
RP/0/RSP1/CPU0:SRV_PE1(config)#exit
RP/0/RSP1/CPU0:Mar 15 17:40:21.730 : config[65853]: %MGBL-SYS-5-CONFIG_I : Configured from console by lab
Step 4: Verify that the script has registered successfully:
RP/0/RSP1/CPU0:SRV_PE1#show event manager policy registered
Tue Mar 15 18:24:20.233 IST
No.  Class     Type    Event Type          Trap  Time Registered           Name
1    script    user    syslog              Off   Tue Mar 15 17:59:01 2016  EEM_NCCT.tcl
pattern {A9K-VSM-500 state:IOS XR RUN}
nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary Secu none
persist_time: 3600 seconds, username: eem_user
Step 5: Execute the EEM script:
RP/0/RSP1/CPU0:SRV_PE1#event manager run EEM_NCCT.tcl
Sample output :
RP/0/RSP0/CPU0:SRV_PE1#event manager run EEM_NCCT.tcl
****** NAT CONFIGURATION CHECKING TOOL ******
NCCT>>> Active CGN instances: cgn1 vcgn1
****** CHECKING THE LINECARD AND ITS STATUS OF CGN INSTANCE cgn1******
NCCT ERROR >>> FAIL, VSM IS NOT PRESENT IN 0/4/CPU0
****** CHECKING THE LINECARD AND ITS STATUS OF CGN INSTANCE vcgn1******
NCCT >>> PASS
****** CHECKING WHEATHER OVA IS INSTALLED ******
NCCT >>> PASS
****** VALIDATING SERVICEINFRA CONFIGURATION ******
NCCT >>> PASS
****** VALIDATING INSIDE-VRF bvrf CONFIGURATION ******
NCCT >>> PASS
****** VALIDATING OUTSIDE-VRF bovrf CONFIGURATION ******
NCCT >>> PASS
****** VALIDATING OUTSIDE SERVICEAPP ServiceApp208 CONFIGURATION ******
NCCT >>> PASS
****** VALIDATING INSIDE SERVICEAPP serviceapp207 FOR OUTSIDE SERVICEAPP ServiceApp208 ******
NCCT >>> PASS
****** VALIDATING INSIDE-VRF cvrf CONFIGURATION ******
NCCT >>> PASS
****** VALIDATING OUTSIDE-VRF covrf CONFIGURATION ******
NCCT >>> PASS
****** VALIDATING OUTSIDE SERVICEAPP ServiceApp216 CONFIGURATION ******
NCCT >>> PASS
****** VALIDATING INSIDE SERVICEAPP serviceapp215 FOR OUTSIDE SERVICEAPP ServiceApp216 ******
NCCT >>> PASS
****** VALIDATING INSIDE-VRF det_in CONFIGURATION ******
NCCT >>> PASS
****** VALIDATING INSIDE-VRF det_out CONFIGURATION ******
NCCT >>> PASS
NCCT MANAGEMENT SCRIPT
Steps to execute Management script:
Prerequisite:
This is a Tcl script, so the server must have the Tcl/Expect libraries installed to run it.
Step 1: Run the script
./<filename.tcl> <Mgmt ip of the router> <username> <pwd>
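Note: To execute the script, the user first has to log in to a server from which the router is reachable. The script reaches the router over telnet (see the spawn telnet line in the sample output), and the password is given as the third command-line argument.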
Sample Output :
gsr-india03-lnx:168> ./Mgmt_ncct.tcl 5.29.6.67 lab lab
spawn telnet 5.29.6.67
Trying 5.29.6.67...
Connected to 5.29.6.67.
Escape character is '^]'.
User Access Verification
Username: lab
Password:
RP/0/RSP0/CPU0:Forge-4#
***********************************************************************
******************LOGGED INTO ROUTER SUCCESSFULLY**********************
***********************************************************************
terminal length 0
RP/0/RSP0/CPU0:Forge-4#show run service cgn * | in cgn
service cgn cgn1
RP/0/RSP0/CPU0:Forge-4#show run service cgn cgn1
service cgn cgn1
service-location preferred-active 0/3/CPU0 preferred-standby 0/5/CPU0
service-type nat44 NAT44
portlimit 65535
dynamic-port-range start 1
inside-vrf insidevrf2
map outside-vrf outsidevrf2 outsideServiceApp ServiceApp2 address-pool 150.1.0.0/21
!
inside-vrf insidevrf3
map outside-vrf outsidevrf3 outsideServiceApp ServiceApp4 address-pool 150.2.0.0/21
!
protocol tcp
session initial timeout 65535
session active timeout 65535
!
RP/0/RSP0/CPU0:Forge-4#0/3/CPU0 0/5/CPU0
show platform | inc 0/3/CPU0
0/3/CPU0 A9K-VSM-500 IOS XR RUN PWR,NSHUT,MON
RP/0/RSP0/CPU0:Forge-4#
VSM CARD IS PRESENT IN 0/3/CPU0 AND IS IN XR-RUN STATE
show platform | inc 0/5/CPU0
0/5/CPU0 A9K-VSM-500 IOS XR RUN PWR,NSHUT,MON
RP/0/RSP0/CPU0:Forge-4#
VSM CARD IS PRESENT IN 0/5/CPU0 AND IS IN XR-RUN STATE
show virtual-service list
Virtual Service List:
Service Name Status Package Name Node Name
______________________________________________________________________________
cgn123 Activated vsmcgv6_ivybridge601.ova 0/3/CPU0
cgn456 Activated vsmcgv6_ivybridge601.ova 0/5/CPU0
RP/0/RSP0/CPU0:Forge-4#
CGV6 OVA IS INSTALLED AND ACTIVATED
show virtual-service list
Virtual Service List:
Service Name Status Package Name Node Name
______________________________________________________________________________
cgn123 Activated vsmcgv6_ivybridge601.ova 0/3/CPU0
cgn456 Activated vsmcgv6_ivybridge601.ova 0/5/CPU0
RP/0/RSP0/CPU0:Forge-4#
CGV6 OVA IS INSTALLED AND ACTIVATED
show run interface ServiceInfra *
interface ServiceInfra1
ipv4 address 1.1.1.1 255.255.255.252
service-location 0/3/CPU0
!
interface ServiceInfra2
ipv4 address 2.2.2.2 255.255.255.252
service-location 0/5/CPU0
!
RP/0/RSP0/CPU0:Forge-4#
SERVICE INFRA ServiceInfra2 IS CONFIGURED AT 0/5/CPU0
show run vrf insidevrf2
vrf insidevrf2
address-family ipv4 unicast
!
!
RP/0/RSP0/CPU0:Forge-4#
INSIDE-VRF insidevrf2 IS CONFIGURED
show run vrf outsidevrf2
vrf outsidevrf2
address-family ipv4 unicast
!
!
RP/0/RSP0/CPU0:Forge-4#
OUTSIDE-VRF outsidevrf2 IS CONFIGURED
show run interface ServiceApp2
interface ServiceApp2
vrf outsidevrf2
ipv4 address 200.1.2.1 255.255.255.0
service cgn cgn1 service-type nat44
!
RP/0/RSP0/CPU0:Forge-4#
SA INTF ServiceApp2 IS CONFIGURED UNDER THE CORRECT OUTSIDE-VRF outsidevrf2 and CORRECT CGN INSTANCE cgn1
show run interface serviceapp1
interface ServiceApp1
vrf insidevrf2
ipv4 address 200.1.1.1 255.255.255.0
service cgn cgn1 service-type nat44
!
RP/0/RSP0/CPU0:Forge-4#
SA INTF serviceapp1 IS CONFIGURED UNDER INSIDE-VRF insidevrf2 and CORRECT CGN INSTANCE cgn1
show run vrf insidevrf3
vrf insidevrf3
address-family ipv4 unicast
!
!
RP/0/RSP0/CPU0:Forge-4#
INSIDE-VRF insidevrf3 IS CONFIGURED
show run vrf outsidevrf3
vrf outsidevrf3
address-family ipv4 unicast
!
RP/0/RSP0/CPU0:Forge-4#
OUTSIDE-VRF outsidevrf3 IS CONFIGURED
show run interface ServiceApp4
interface ServiceApp4
vrf outsidevrf3
ipv4 address 200.1.4.1 255.255.255.0
service cgn cgn1 service-type nat44
RP/0/RSP0/CPU0:Forge-4#
SA INTF ServiceApp4 IS CONFIGURED UNDER THE CORRECT OUTSIDE-VRF outsidevrf3 and CORRECT CGN INSTANCE cgn1
show run interface serviceapp3
interface ServiceApp3
vrf insidevrf3
ipv4 address 200.1.3.1 255.255.255.0
service cgn cgn1 service-type nat44
RP/0/RSP0/CPU0:Forge-4#
SA INTF serviceapp3 IS CONFIGURED UNDER INSIDE-VRF insidevrf3 and CORRECT CGN INSTANCE cgn1
Errors :