I ran into this issue a few weeks ago. I was implementing a new ASA Firewall solution, my first time with software newer than version 8.4.2.
It seems that all those stories about changes in the NAT logic after that version were true. This is what I found out about ASA packet processing.
The configuration was really straightforward and everything worked fine except for one thing. When connected remotely using Cisco AnyConnect I was able to access all devices inside the network (inside the ASA firewall), but not the ASA itself. I wasn’t able to connect with SSH nor with ASDM.
This is the second part in the series of posts dedicated to network virtualization and path isolation.
Ever needed one extra router? It’s possible to split a router into multiple logical routers by using VRF. How? Here’s how!
Virtual Routing and Forwarding, or VRF, allows a router to run more than one routing table simultaneously. When multiple routing tables run at the same time, they are completely independent. For example, you could use overlapping IP addresses inside several VRFs on the same router and they will function independently without conflict (you can see this kind of overlap in the example below). It is possible to use the same VRF instance on multiple routers and connect each instance separately using a dedicated router port or just a sub-interface.
VRFs are commonly used on the ISP side. Provider Edge (PE) routers usually run one VRF per customer VPN, so that one router can act as a PE router for multiple Customer Edge (CE) routers even when several customers exchange the same subnets across the VPN. By running one VRF per customer, those subnets never mix with each other.
VRFs are used to create multiple virtual routers from one physical router.
Every VRF creates its own routing table and CEF table, basically a separate RIB and FIB.
If you have two routers or two Layer 3 switches connected with two L3 links (two paths), you can route with two equal static routes towards the same prefix and the router will load balance traffic across both links.
The idea is to configure two identical static routes on the same router but with different next-hops. The question is: which link, or which route, will be used? And if the traffic is load balanced, which mechanism is used to share the traffic across both links?
ip route 10.0.0.0 255.0.0.0 192.168.10.2
ip route 10.0.0.0 255.0.0.0 192.168.11.2
I found different kinds of explanations about what Proxy ARP is; just a few of them were understandable at first. After merging all of them, this explanation came out of my networking workshop:
Proxy ARP is a fairly simple technique that lets a node get the MAC address of a destination host which it believes to be on the same subnet but which is actually behind a router.
And this one too:
Say we have one edge router in the network that is our way out of the local LAN. That router has Proxy ARP enabled by default. When it receives an ARP request on its interface for a host that is not actually on that local network, it tries to be helpful: it searches its routing table to see if that network is locally connected on some other local interface. If it finds it, it responds with its own MAC address to tell the source that it is the way to go towards that host.
If we look at the image below, I prepared a more detailed example for those who are still a bit confused about it.
It’s a technique that enables our router R7 in the image below to proxy the ARP request from computer C1, which is trying to find the MAC address of computer C3.
Note that C1 has an address from a /16 range, and that is why it thinks that 192.168.50.50 is on the same subnet as 192.168.1.11. If that were not the case and C1 had the address 192.168.1.11/24, it would send an ARP request asking for the MAC address of its default gateway. It would go to the default gateway because it would know that it is not directly connected to the whole of network 192.168.0.0/16. We are then talking about standard routing: getting packets from one subnet to another by examining the routing table.
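As an added illustration that is not part of the original post, here is a small Python model of the decision described above: whether C1 considers C3 on-link given its mask, and whether R7 answers the ARP request with its own MAC. The topology (interface names, addresses and MACs for R7) is constructed for the example, and the model follows the post in proxying only for targets on a connected subnet of a different interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Interface:
    name: str
    cidr: str   # interface address with prefix length, e.g. "192.168.1.1/24"
    mac: str

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.cidr).network

def host_thinks_on_link(host_cidr: str, target_ip: str) -> bool:
    """Does a host with this address/mask believe target_ip is on its own subnet?"""
    return ipaddress.ip_address(target_ip) in ipaddress.ip_interface(host_cidr).network

class Router:
    """Minimal model of the Proxy ARP decision: reply only for targets reachable
    through a connected subnet on an interface other than the one the request came in on."""

    def __init__(self, interfaces, proxy_arp: bool = True):
        self.interfaces = {i.name: i for i in interfaces}
        self.proxy_arp = proxy_arp

    def connected_interface_for(self, target_ip: str) -> Optional[Interface]:
        target = ipaddress.ip_address(target_ip)
        hits = [i for i in self.interfaces.values() if target in i.network]
        return max(hits, key=lambda i: i.network.prefixlen, default=None)

    def handle_arp_request(self, ingress_name: str, target_ip: str) -> Optional[str]:
        """MAC the router answers with for 'who has target_ip?', or None if it stays silent."""
        ingress = self.interfaces[ingress_name]
        if ipaddress.ip_address(target_ip) == ipaddress.ip_interface(ingress.cidr).ip:
            return ingress.mac          # ordinary ARP reply for the router's own address
        if not self.proxy_arp:
            return None
        egress = self.connected_interface_for(target_ip)
        if egress is None or egress.name == ingress.name:
            return None                 # unknown destination, or the target can answer itself
        return ingress.mac              # proxy reply: "send it to me, I will route it"

# Constructed topology (assumed, not from the post): R7 sits between C1's and C3's segments.
R7 = Router([
    Interface("Gi0/0", "192.168.1.1/24", "00:00:00:00:07:01"),
    Interface("Gi0/1", "192.168.50.1/24", "00:00:00:00:07:02"),
])
```

With C1 at 192.168.1.11/16 the first helper returns True for 192.168.50.50, so C1 ARPs for it directly and R7 answers with the MAC of Gi0/0; with a /24 mask C1 would ARP for its gateway instead.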
As this is a networking blog, I will focus mostly on the usage of CAM and TCAM memory in routers and switches. I will explain the role of TCAM in the router prefix lookup process and in the switch MAC address table lookup. However, when we talk about this specific topic, most of you will ask: how is this memory built from an architectural standpoint? How is it built so that it can perform lookups faster than any other hardware or software solution? That is the reason for the second part of the article, where I will try to explain briefly how the most common TCAM memories are built to have the capabilities they have.
CAM and TCAM memory
Inside routers, Ternary Content Addressable Memory (TCAM) is used for faster address lookup, which enables fast routing. In switches, Content Addressable Memory (CAM) is used to build and look up the MAC address table that drives L2 forwarding decisions. By implementing router prefix lookup in TCAM, we move the Forwarding Information Base (FIB) lookup from software to hardware. With TCAM, the address search no longer depends on the number of prefix entries, because TCAM’s main characteristic is that it searches all its entries in parallel. This means that no matter how many address prefixes are stored in TCAM, the router finds the longest prefix match in one iteration. It’s magic, right?
Image 1 shows how the FIB lookup works and points to an entry in the adjacency table. The search goes through all entries in the TCAM table in one iteration.
In routers, such as high-end Cisco ones, TCAM is used to implement CEF (Cisco Express Forwarding) in hardware. CEF builds the FIB from the RIB (the routing table) and the adjacency table from the ARP table, pre-building the L2 header for every next-hop neighbor.
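As an added example that is not from the post, the following Python model shows the two TCAM properties described above: every row is compared against the key in the same step, and a priority encoder returns the first hit, which is the longest prefix because rows are stored longest-mask first. The matching FIB row then points into a CEF-style adjacency table holding a pre-built Ethernet header. Prefixes, MAC addresses and interface names are constructed; the two next-hops are reused from the static-route example earlier on the page.

```python
import ipaddress

class Tcam:
    """Toy TCAM: every row is (value, care-mask); a lookup compares the key against
    all rows in one step and a priority encoder returns the first matching row.
    Rows are kept ordered by decreasing prefix length, so the first hit is the LPM."""

    def __init__(self):
        self.rows = []          # (value, mask, prefixlen, next_hop)
        self.adjacency = {}     # next_hop -> (egress, prebuilt L2 header), like CEF's adjacency table

    def add_adjacency(self, next_hop: str, dst_mac: str, src_mac: str, egress: str):
        # Pre-build the Ethernet header once, as CEF does, so forwarding needs no ARP lookup.
        header = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + b"\x08\x00"
        self.adjacency[next_hop] = (egress, header)

    def install(self, prefix: str, next_hop: str):
        net = ipaddress.ip_network(prefix, strict=False)
        self.rows.append((int(net.network_address), int(net.netmask), net.prefixlen, next_hop))
        self.rows.sort(key=lambda r: -r[2])     # longest prefixes first = highest priority

    def lookup(self, dst: str):
        """Return (next_hop, egress, l2_header) for dst, or None if no row matches."""
        key = int(ipaddress.ip_address(dst))
        # "Parallel" compare: each row yields its match bit in the same iteration.
        match_bits = [(key & mask) == value for value, mask, _, _ in self.rows]
        # Priority encoder: index of the first set bit, regardless of how many rows exist.
        first = next((i for i, hit in enumerate(match_bits) if hit), None)
        if first is None:
            return None
        next_hop = self.rows[first][3]
        egress, header = self.adjacency[next_hop]
        return next_hop, egress, header

# Constructed FIB (assumed, not from the post); next-hops reused from the static-route example.
FIB = Tcam()
FIB.add_adjacency("192.168.10.2", "00:aa:bb:cc:00:10", "00:11:22:33:44:55", "Gi0/0")
FIB.add_adjacency("192.168.11.2", "00:aa:bb:cc:00:11", "00:11:22:33:44:66", "Gi0/1")
FIB.install("0.0.0.0/0", "192.168.10.2")
FIB.install("10.0.0.0/8", "192.168.10.2")
FIB.install("10.1.0.0/16", "192.168.11.2")
```

A lookup for 10.1.2.3 matches the /16, /8 and default rows at once, and the encoder picks the /16 row because it sits first; the returned 14-byte header is what the forwarding engine prepends without consulting ARP.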