SLB using Dynamic NAT Lab 2

Server load balancing using Dynamic NAT Lab2


Download Lab: GNS3 


Prerequisites:
 Cisco IOSv (vios-adventerprisek9-m.vmdk.SPA.156-2.T)
 Cisco IOSvL2 (vios_l2-adventerprisek9-m.03.2017.qcow2)
The topology for this lab was created in the GNS3 VM server running on VMware ESXi 6.5.0.


Introduction: 
This is a complex lab covering several network-services features together with some routing, redistribution, switching and VRF configuration, but the main task is server load balancing (SLB) using dynamic NAT. Several devices are already configured and their running-configs are listed below. You will primarily be working on routers LB1 and R1 and on switch SW2. The links between these devices are 802.1Q trunks; the interconnections are shown in the topology diagram below.


Scenario: 
A corporation outsources some of its complex applications to a data center, where three servers provide HTTP- and HTTPS-based services redundantly. Router LB1 acts as the load balancer: every time a new TCP connection is requested to http-balancer.loc, which is associated with the virtual IP address 10.4.4.4, LB1 hands it to one of the servers in turn.


Topology: 
 

Running-configs of the devices that are already configured: 

hostname CD1
!
no ip domain lookup
ip cef
no ipv6 cef
!
interface GigabitEthernet0/0
 description Link to LB1 int g0/2
 ip address 10.0.0.1 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description CORPORATE_SRV_FARM
 ip address 10.1.1.100 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router eigrp 10
 network 10.0.0.0 0.0.0.3
 network 10.1.1.0 0.0.0.255
 eigrp router-id 0.0.0.1
!
ip forward-protocol nd
!
end


hostname DNS1
!
no ip routing
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip host cd1.corporate.loc 10.1.1.1
ip host cd2.corporate.loc 10.1.1.2
ip host cd3.corporate.loc 10.1.1.3
ip host pc1.corporate.loc 192.168.10.11
ip host pc2.corporate.loc 192.168.20.11
no ip cef
no ipv6 cef
!
interface GigabitEthernet0/0
 description Connected to SW1 int Ethernet 1
 ip address 172.16.0.101 255.255.255.0
 no ip route-cache
 duplex auto
 speed auto
 media-type rj45
!
ip default-gateway 172.16.0.1
ip forward-protocol nd
!
!
ip dns server
!
end


hostname SRV1
!
no ip routing
no ip icmp rate-limit unreachable
!
no ip domain lookup
no ip cef
no ipv6 cef
!
interface GigabitEthernet0/0
 description Connected to SW1 int Ethernet 2
 ip address 172.16.0.91 255.255.255.0
 ip access-group TRAFFIC_MONITORING in
 no ip route-cache
 duplex auto
 speed auto
 media-type rj45
!
ip default-gateway 172.16.0.1
ip forward-protocol nd
!
!
ip http server
ip http secure-server
!
ip access-list extended TRAFFIC_MONITORING
 permit tcp any host 172.16.0.91 eq www
 permit tcp any host 172.16.0.91 eq 443
 permit ip any any
!
end


hostname SRV2
!
no ip routing
no ip icmp rate-limit unreachable
!
!
no ip domain lookup
no ip cef
no ipv6 cef
!
interface GigabitEthernet0/0
 description Connected to SW1 int Ethernet3
 ip address 172.16.0.92 255.255.255.0
 ip access-group TRAFFIC_MONITORING in
 no ip route-cache
 duplex auto
 speed auto
 media-type rj45
!
ip default-gateway 172.16.0.1
ip forward-protocol nd
!
!
ip http server
ip http secure-server
!
ip access-list extended TRAFFIC_MONITORING
 permit tcp any host 172.16.0.92 eq www
 permit tcp any host 172.16.0.92 eq 443
 permit ip any any
!
end


hostname SRV3
!
no ip routing
no ip icmp rate-limit unreachable
!
!
no ip domain lookup
no ip cef
no ipv6 cef
!
interface GigabitEthernet0/0
 description Connected to SW1 int Ethernet4
 ip address 172.16.0.93 255.255.255.0
 ip access-group TRAFFIC_MONITORING in
 duplex auto
 speed auto
 media-type rj45
!
ip default-gateway 172.16.0.1
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip access-list extended TRAFFIC_MONITORING
 permit tcp any host 172.16.0.93 eq www
 permit tcp any host 172.16.0.93 eq 443
 permit ip any any
!
end


Lab procedure: 


Task 1: Configure interfaces’ IP addresses, VRF, DHCP server, trunks and VLANs on LB1, R1, and SW2.

Step1: Router LB1. The global routing table will be used for SLB. A VRF named all-traffic has to be created to carry all remaining traffic between R1 and its local subnets and the rest of the network.
LB1(config)#
vrf definition all-traffic
 rd 1:0
 !
 address-family ipv4
 exit-address-family


Step2: Router LB1. Configure IP addresses on the interfaces that remain in the global routing table.
LB1(config)#
interface GigabitEthernet0/0
 description Connected to SW1 int Ethernet 0
 ip address 172.16.0.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 description SUPPORTS SUB-INTERFACES
 no shutdown
!
interface GigabitEthernet0/1.12
 encapsulation dot1Q 12
 ip address 10.0.12.1 255.255.255.252


Step3: Router LB1. Configure IP addresses on the interfaces participating in the vrf all-traffic.
LB1(config)#
interface GigabitEthernet0/2
 description Link to CD1 int g0/0
 vrf forwarding all-traffic
 ip address 10.0.0.2 255.255.255.252
 no shutdown
!
interface GigabitEthernet0/1.11
 encapsulation dot1Q 11
 vrf forwarding all-traffic
 ip address 10.0.11.1 255.255.255.252


Step4: Router R1. Configure interfaces’ IP addresses.
R1(config)#
interface GigabitEthernet0/0
 description SUPPORTS SUB-INTERFACES
 no shutdown
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/1
 description SUPPORTS SUB-INTERFACES
 no shutdown
!
interface GigabitEthernet0/1.11
 encapsulation dot1Q 11
 ip address 10.0.11.2 255.255.255.252
!
interface GigabitEthernet0/1.12
 encapsulation dot1Q 12
 ip address 10.0.12.2 255.255.255.252


Step5: Router R1. Verify connectivity to the LB1’s IP addresses in VLAN 11 and 12.
R1#ping 10.0.11.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.11.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms
R1#ping 10.0.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms


Step6: Router R1. Configure DHCP servers for VLAN 10 and VLAN 20 subnets.
R1(config)#
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.20.1 192.168.20.10
!
ip dhcp pool VLAN10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 10.4.4.4
 domain-name corporate.loc
ip dhcp pool VLAN20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 10.4.4.4
 domain-name corporate.loc


Step7: Switch SW2. Configure trunk interface, VLANs, access ports.
SW2(config)#
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
vlan 10
 name LAN_10
vlan 20
 name LAN_20
!
interface GigabitEthernet0/1
 description PC1
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/2
 description PC2
 switchport access vlan 20
 switchport mode access 


Step8: Switch SW2. Save and verify configurations.
SW2#copy running-config startup-config
SW2#show vlan brief
SW2#show interfaces trunk
SW2#show interfaces g0/1 switchport


Step9: Hosts PC1 and PC2. Obtain IP addresses via DHCP and verify configurations and connectivity to default gateways.
PC-1> ip dhcp
DDORA IP 192.168.10.14/24 GW 192.168.10.1

PC-1> show ip

NAME        : PC-1[1]
IP/MASK     : 192.168.10.14/24
GATEWAY     : 192.168.10.1
DNS         : 10.4.4.4
DHCP SERVER : 192.168.10.1
DHCP LEASE  : 86396, 86400/43200/75600
DOMAIN NAME : corporate.loc
MAC         : 00:50:79:66:68:03
LPORT       : 10098
RHOST:PORT  : 127.0.0.1:10099
MTU:        : 1500

PC-1> ping 192.168.10.1
84 bytes from 192.168.10.1 icmp_seq=1 ttl=255 time=3.341 ms
84 bytes from 192.168.10.1 icmp_seq=2 ttl=255 time=2.918 ms

Repeat the same set of steps on PC2.



Task 2: Configure routing and redistribution to establish IP connectivity from R1’s local subnets to the corporate HQ office.

Step1: Router R1. A default route pointing to LB1’s IP address in VLAN 11 is enough to reach the HQ subnets. A second static route is needed to reach the DNS server and the web services in the DC: it points the virtual IP address toward LB1’s address in VLAN 12, which belongs to the global VRF.
R1(config)#
ip route 0.0.0.0 0.0.0.0 10.0.11.1
!
ip route 10.4.4.4 255.255.255.255 10.0.12.1


Step2: Router R1. Verify RIB and save configurations.

R1#show ip route static
Gateway of last resort is 10.0.11.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 10.0.11.1
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
S        10.4.4.4/32 [1/0] via 10.0.12.1


Step3: Router LB1. Static routes to R1’s local networks are needed in both the global routing table and VRF all-traffic. The routes in the global RIB ensure that the DNS server and the web servers can reply to hosts in VLAN 10 and VLAN 20. The routes in VRF all-traffic let LB1 reach those subnets and redistribute them into the EIGRP domain.

LB1(config)#
ip route 192.168.10.0 255.255.255.0 10.0.12.2
ip route 192.168.20.0 255.255.255.0 10.0.12.2
!
ip route vrf all-traffic 192.168.10.0 255.255.255.0 10.0.11.2
ip route vrf all-traffic 192.168.20.0 255.255.255.0 10.0.11.2


Step4: Router LB1. Configure the EIGRP routing protocol.
LB1(config)#
router eigrp 10
 !
 address-family ipv4 vrf all-traffic autonomous-system 10
  network 10.0.0.0 0.0.0.3
  eigrp router-id 0.0.0.2
 exit-address-family


Step5: Router LB1. Verify EIGRP.
LB1#
show ip eigrp vrf all-traffic neighbors
show ip eigrp vrf all-traffic interfaces
show ip route vrf all-traffic eigrp
show ip eigrp vrf all-traffic topology


Step6: Router LB1. Redistribution of static routes into EIGRP is required, but first you have to identify R1’s subnets with a prefix-list.

LB1(config)#
ip prefix-list LAN_SUBNETS seq 5 permit 192.168.0.0/16 le 24


Step7: Router LB1. Create a route-map that matches the prefix-list and sets the EIGRP seed metric.
LB1(config)#
route-map RM_RDR_STATIC permit 10
 match ip address prefix-list LAN_SUBNETS
 set metric 500000 10 255 1 1500


Step8: Router LB1. Redistribute static routes into EIGRP using route-map.

LB1(config)#
router eigrp 10
 address-family ipv4 vrf all-traffic autonomous-system 10
  redistribute static route-map RM_RDR_STATIC
 exit-address-family
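Steps 6 through 8 together decide which static routes leak from VRF all-traffic into the EIGRP domain, and a prefix-list that is scoped too loosely is the usual way unintended routes get redistributed. The following Python model is an added example, not part of the lab: it evaluates prefix-list entries with the same permit/ge/le semantics as IOS and applies the route-map's seed metric. The class and function names are the example's own, and the candidate routes beyond the lab's two are constructed to show the le 24 boundary (the /16 summary itself is accepted, a /25 is refused, a prefix outside 192.168.0.0/16 is refused).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# EIGRP seed metric from the lab's route-map: bandwidth, delay, reliability, load, MTU
EIGRP_SEED_METRIC = (500000, 10, 255, 1, 1500)


@dataclass(frozen=True)
class PrefixListEntry:
    """One 'ip prefix-list NAME seq N permit|deny PREFIX [ge G] [le L]' line."""
    seq: int
    action: str                      # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None         # lower bound on the mask length
    le: Optional[int] = None         # upper bound on the mask length

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # The route must lie inside the entry's prefix and its mask length must
        # fall within the allowed range derived from ge/le.
        if not route.subnet_of(self.prefix):
            return False
        lo = hi = self.prefix.prefixlen      # no ge/le: exact length only
        if self.ge is not None:
            lo, hi = self.ge, 32             # ge alone: ge .. /32
        if self.le is not None:
            hi = self.le                     # le caps the range
        return lo <= route.prefixlen <= hi


def prefix_list_permits(entries: List[PrefixListEntry],
                        route: Union[str, ipaddress.IPv4Network]) -> bool:
    """First matching entry (by sequence number) wins; implicit deny at the end."""
    net = route if isinstance(route, ipaddress.IPv4Network) else ipaddress.ip_network(route)
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(net):
            return entry.action == "permit"
    return False


def redistribute_static(static_routes: List[str], entries: List[PrefixListEntry],
                        metric: Tuple[int, int, int, int, int]) -> Dict[str, Tuple[int, ...]]:
    """Model 'route-map permit 10 / match ip address prefix-list / set metric':
    returns {prefix: seed metric} for the routes that get redistributed."""
    out = {}
    for r in static_routes:
        net = ipaddress.ip_network(r)
        if prefix_list_permits(entries, net):
            out[str(net)] = metric
    return out


# The lab's list: ip prefix-list LAN_SUBNETS seq 5 permit 192.168.0.0/16 le 24
LAN_SUBNETS = [PrefixListEntry(5, "permit", ipaddress.ip_network("192.168.0.0/16"), le=24)]

# The lab's two VRF static routes plus constructed candidates (hypothetical, not in the lab)
STATIC_ROUTES = [
    "192.168.10.0/24", "192.168.20.0/24",   # from the lab
    "192.168.0.0/16",                        # constructed: /16 lies within 16..24
    "192.168.30.128/25",                     # constructed: /25 exceeds le 24
    "172.16.0.0/24",                         # constructed: outside 192.168.0.0/16
]


def redistributed_routes() -> Dict[str, Tuple[int, ...]]:
    return redistribute_static(STATIC_ROUTES, LAN_SUBNETS, EIGRP_SEED_METRIC)


if __name__ == "__main__":
    for prefix, metric in redistributed_routes().items():
        print(f"redistribute {prefix} metric {' '.join(map(str, metric))}")
```

Running the block prints the three prefixes that pass the list; swapping `le=24` for `ge=24` would instead admit the constructed /25 and drop the /16 summary, which is the kind of change worth checking before a redistribute statement goes live.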


Step9: Verify that redistribution took place.

LB1#show ip eigrp vrf all-traffic topology
EIGRP-IPv4 Topology Table for AS(10)/ID(0.0.0.2) VRF(all-traffic)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 192.168.10.0/24, 1 successors, FD is 7680
        via Rstatic (7680/0)
P 10.0.0.0/30, 1 successors, FD is 2816
        via Connected, GigabitEthernet0/2
P 10.1.1.0/24, 1 successors, FD is 3072
        via 10.0.0.1 (3072/2816), GigabitEthernet0/2
P 192.168.20.0/24, 1 successors, FD is 7680
        via Rstatic (7680/0)


Step10: Host PC1. Ping CD1 (cd1.corporate.loc) at 10.1.1.1.
PC-1> ping 10.1.1.1
10.1.1.1 icmp_seq=1 timeout
10.1.1.1 icmp_seq=2 timeout
84 bytes from 10.1.1.1 icmp_seq=3 ttl=61 time=5.401 ms
84 bytes from 10.1.1.1 icmp_seq=4 ttl=61 time=5.940 ms
84 bytes from 10.1.1.1 icmp_seq=5 ttl=61 time=6.270 ms



Task 3: Configure server load balancing.

Step1: Router LB1. Identify the NAT interfaces. The interface facing the web servers is inside, and the interface connecting to R1 over VLAN 12 is outside.
LB1(config)#
interface GigabitEthernet0/0
 ip nat inside
!
interface GigabitEthernet0/1.12
 ip nat outside


Step2: Router LB1. Create a NAT pool that includes only the IP addresses of web servers SRV1 through SRV3; the command must also specify type rotary. A rotary pool hands each new TCP connection to the next address in the pool in turn and does not check whether that server is up.
LB1(config)#
ip nat pool HTTP_SERVERS 172.16.0.91 172.16.0.93 prefix-length 24 type rotary


Step3: Router LB1. Using an ACL, identify the virtual IP address 10.4.4.4, which any host will use to access the web services and the DNS server.
LB1(config)#
access-list 1 permit 10.4.4.4


Step4: Router LB1. Finalize SLB configuration with the NAT statement.
LB1(config)#
ip nat inside destination list 1 pool HTTP_SERVERS


Step5: Host PC1. Verify SLB. Initiate HTTP traffic to the virtual IP address several times with the VPCS ping command (-P 6 selects TCP, -p 80 the destination port).

PC-1> ping 10.4.4.4 -P 6 -p 80
Connect   80@10.4.4.4 timeout
Connect   80@10.4.4.4 timeout
^CConnect   80@10.4.4.4 timeout

PC-1> ping 10.4.4.4 -P 6 -p 80
Connect   80@10.4.4.4 seq=1 ttl=253 time=9.568 ms
SendData  80@10.4.4.4 seq=1 ttl=253 time=7.399 ms
Close     80@10.4.4.4 seq=1 ttl=253 time=8.491 ms
Connect   80@10.4.4.4 seq=2 ttl=253 time=9.608 ms
SendData  80@10.4.4.4 seq=2 ttl=253 time=5.291 ms
Close     80@10.4.4.4 seq=2 ttl=253 time=9.522 ms


Step6: Router LB1. Check the NAT translation table. In the output, Inside local shows the IP address of SRV2. Repeat step 5 a couple more times to see the addresses of the other servers appear in the NAT table.

LB1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.4.4.4:80        172.16.0.92:80     192.168.10.14:61867 192.168.10.14:61867
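Because a rotary pool distributes connections blindly, a practitioner will want to confirm from the translation table that every member of HTTP_SERVERS actually receives sessions. The following Python check is an added example, not part of the lab: it parses the output format shown above (the sample lines are constructed; only the first tcp line is the lab's), tallies TCP sessions per inside local address for the VIP, reports pool members with no sessions, and lists static port-forwarding entries separately. The function names and the POOL and VIP constants are the example's own.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Pool members from the lab's 'ip nat pool HTTP_SERVERS 172.16.0.91 172.16.0.93 ...'
POOL = ["172.16.0.91", "172.16.0.92", "172.16.0.93"]
VIP = "10.4.4.4"

# Constructed sample in the layout of 'show ip nat translations' on LB1. Only the
# first tcp line is from the lab; the rest are made up so that .93 never appears.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.4.4.4:80        172.16.0.92:80     192.168.10.14:61867 192.168.10.14:61867
tcp 10.4.4.4:80        172.16.0.91:80     192.168.10.14:61868 192.168.10.14:61868
tcp 10.4.4.4:80        172.16.0.92:80     192.168.20.14:50211 192.168.20.14:50211
tcp 10.4.4.4:80        172.16.0.91:80     192.168.20.14:50212 192.168.20.14:50212
udp 10.4.4.4:53        172.16.0.101:53    192.168.10.14:6343  192.168.10.14:6343
udp 10.4.4.4:53        172.16.0.101:53    ---                ---
"""

# One translation row: protocol followed by four socket columns ('---' when unused)
LINE_RE = re.compile(
    r"^(?P<pro>tcp|udp|icmp)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)$"
)


def parse_translations(text: str) -> List[Dict[str, str]]:
    """Return one dict per translation row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def split_socket(col: str) -> Tuple[Optional[str], Optional[int]]:
    """'172.16.0.92:80' -> ('172.16.0.92', 80); '---' -> (None, None)."""
    if col == "---":
        return None, None
    host, _, port = col.rpartition(":")
    return host, int(port)


def slb_distribution(rows: List[Dict[str, str]], vip: str,
                     pool: List[str]) -> Tuple[Dict[str, int], List[str]]:
    """Count TCP sessions per pool member translated from the VIP.
    Members with zero sessions are returned separately: a rotary pool keeps
    sending new connections to a member whether or not it answers."""
    counts = Counter({member: 0 for member in pool})
    for r in rows:
        ig_host, _ = split_socket(r["ig"])
        il_host, _ = split_socket(r["il"])
        if r["pro"] != "tcp" or ig_host != vip:
            continue                       # udp port-forward and other traffic
        if il_host in counts:
            counts[il_host] += 1
    idle = [member for member, n in counts.items() if n == 0]
    return dict(counts), idle


def static_port_forwards(rows: List[Dict[str, str]]):
    """Static entries show '---' in both outside columns while no session is active."""
    out = []
    for r in rows:
        if r["ol"] == "---" and r["og"] == "---":
            ig_host, ig_port = split_socket(r["ig"])
            il_host, il_port = split_socket(r["il"])
            out.append((r["pro"], ig_host, ig_port, il_host, il_port))
    return out


if __name__ == "__main__":
    rows = parse_translations(SAMPLE_OUTPUT)
    counts, idle = slb_distribution(rows, VIP, POOL)
    for member, n in counts.items():
        print(f"{member}: {n} tcp session(s)")
    if idle:
        print("no sessions seen for:", ", ".join(idle))
    for entry in static_port_forwards(rows):
        print("static port-forward:", entry)
```

On the constructed sample the check reports two sessions each for .91 and .92 and flags .93 as never used; on a live LB1 the same output is obtained by pasting the router's `show ip nat translations` text into SAMPLE_OUTPUT. A member that stays at zero after repeated connections from step 5 is the first thing to look at, since the router itself will not take it out of rotation.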



Task 4: Enable port forwarding on router LB1 so that hosts can reach the DNS server.

Step1: Router LB1. As the topology shows, the DNS server is on the same network as the web servers, so it sits behind the NAT on the inside. A rotary pool distributes only TCP connections, so to reach the DNS server, clients’ requests to 10.4.4.4 on UDP port 53 have to be redirected with a static port-forwarding translation.

LB1(config)#
ip nat inside source static udp 172.16.0.101 53 10.4.4.4 53


Step2: Host PC1. Verify that CD1 is reachable by its domain name cd1.corporate.loc.

PC-1> ping cd1.corporate.loc
Cannot resolve cd1.corporate.loc


Step3: Router LB1. The previous step shows that PC1 is unable to resolve the domain name. To troubleshoot this, first check whether the static translation appears in the NAT table.
LB1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 10.4.4.4:53        172.16.0.101:53    192.168.10.14:6343 192.168.10.14:6343


Step4: Server DNS1. Use debug ip packet with an ACL to see whether the server receives the DNS request from PC1.
DNS1(config)#access-list 100 permit udp any host 172.16.0.101 eq 53
DNS1#debug ip packet 100


Step5: Host PC1. Ping cd1.corporate.loc again.
PC-1> ping cd1.corporate.loc
Cannot resolve cd1.corporate.loc

DNS1#
*Aug 12 23:00:05.041: IP: s=192.168.10.14 (GigabitEthernet0/0), d=172.16.0.101, len 63, input feature, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Aug 12 23:00:05.041: IP: s=192.168.10.14 (GigabitEthernet0/0), d=172.16.0.101, len 63, rcvd 1
The DNS server receives the requests but does not reply.


Step6: Server DNS1. Investigate why the responses did not come back to the host. Check the routing table of DNS1.
DNS1#show ip route
Default gateway is 172.16.53.100

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty


Step7: Server DNS1. The wrong default gateway has been assigned. Correct it.
DNS1(config)#
ip default-gateway 172.16.0.1


Step8: Host PC1. Try again to ping cd1.corporate.loc.
PC-1> ping cd1.corporate.loc
cd1.corporate.loc resolved to 10.1.1.1
cd1.corporate.loc icmp_seq=1 timeout
cd1.corporate.loc icmp_seq=2 timeout
84 bytes from 10.1.1.1 icmp_seq=3 ttl=61 time=6.517 ms
84 bytes from 10.1.1.1 icmp_seq=4 ttl=61 time=7.434 ms
84 bytes from 10.1.1.1 icmp_seq=5 ttl=61 time=6.601 ms



Task 5: Access Web services via domain name.

Step1: Host PC1. Initiate HTTP traffic using http-balancer.loc
PC-1> ping http-balancer.loc -P 6 -p 80
Cannot resolve http-balancer.loc


Step2: Server DNS1. Since another domain name resolved in the previous task, the DNS server probably lacks an entry for http-balancer.loc.
DNS1#show running-config | section ip host
ip host cd1.corporate.loc 10.1.1.1
ip host cd2.corporate.loc 10.1.1.2
ip host cd3.corporate.loc 10.1.1.3
ip host pc1.corporate.loc 192.168.10.11
ip host pc2.corporate.loc 192.168.20.11
As you can see, the ip host entry for this domain name is missing.


Step3: Server DNS1. Add an ip host entry for http-balancer.loc.
DNS1(config)#
ip host http-balancer.loc 10.4.4.4


Step4: Host PC1. Repeat step 1.
PC-1> ping http-balancer.loc -P 6 -p 80
http-balancer.loc resolved to 10.4.4.4
Connect   80@http-balancer.loc seq=1 ttl=253 time=8.528 ms
SendData  80@http-balancer.loc seq=1 ttl=253 time=6.339 ms
Close     80@http-balancer.loc seq=1 ttl=253 time=7.448 ms
Connect   80@http-balancer.loc seq=2 ttl=253 time=11.204 ms
SendData  80@http-balancer.loc seq=2 ttl=253 time=5.259 ms
Close     80@http-balancer.loc seq=2 ttl=253 time=8.446 ms

This lab is completed. More troubleshooting scenarios based on this lab will follow in the network services series.
