Friday, 24 July 2015

Dual ISP static routes load-sharing with NAT (PBR and IP SLA)

I use GNS3 with the c7200-adventerprisek9-mz.152-4.M8 image for this lab.

We have a network with two ISPs and want to load-share traffic across both links: ISP1 carries HTTP and HTTPS, ISP2 carries all other traffic.
Configure the links on R1.

interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.252
 duplex auto
 speed auto
interface FastEthernet0/1
 ip address 20.20.20.1 255.255.255.252
 duplex auto
 speed auto

Internal host, simulated by a loopback on R1
interface Loopback0
 ip address 1.1.1.1 255.255.255.0


Configure ISP1 router R2

interface FastEthernet0/0
 ip address 10.10.10.2 255.255.255.252
 duplex auto
 speed auto
interface FastEthernet0/1
 ip address 10.10.10.5 255.255.255.252
 duplex auto
 speed auto
ip route 1.1.1.0 255.255.255.0 10.10.10.1
ip route 8.8.8.0 255.255.255.0 10.10.10.6

Configure ISP2 router R3

interface FastEthernet0/0
 ip address 20.20.20.2 255.255.255.252
 duplex auto
 speed auto
interface FastEthernet0/1
 ip address 20.20.20.5 255.255.255.252
 duplex auto
 speed auto
ip route 1.1.1.0 255.255.255.0 20.20.20.1
ip route 8.8.8.0 255.255.255.0 20.20.20.6

Configure the Internet cloud router with the 8.8.8.8 IP address.

interface FastEthernet0/0
 ip address 10.10.10.6 255.255.255.252
 duplex auto
 speed auto
interface FastEthernet0/1
 ip address 20.20.20.6 255.255.255.252
 duplex auto
 speed auto
ip route 0.0.0.0 0.0.0.0 10.10.10.5
ip route 0.0.0.0 0.0.0.0 20.20.20.5

Configure IP SLA on R1 to check reachability of the ISPs

ip sla auto discovery
ip sla 1
 icmp-echo 10.10.10.2
 threshold 400
 timeout 500
 frequency 1
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 20.20.20.2
 threshold 400
 timeout 500
 frequency 1
ip sla schedule 2 life forever start-time now

Create tracking objects for these SLAs

track 10 ip sla 1 reachability
 delay down 1 up 1
track 20 ip sla 2 reachability
 delay down 1 up 1


Create static default routes tied to these tracks

ip route 0.0.0.0 0.0.0.0 10.10.10.2 track 10
ip route 0.0.0.0 0.0.0.0 20.20.20.2 track 20

Create an ACL that matches web traffic

ip access-list extended permit_web
 permit tcp 1.1.1.0 0.0.0.255 any eq www
 permit tcp 1.1.1.0 0.0.0.255 any eq 443
 permit tcp 1.1.1.0 0.0.0.255 any eq 8080


ACL for all other traffic

ip access-list extended Other
 permit ip any any

PBR route-map that chooses the next hop

route-map LOAD_SHARING permit 10
 match ip address permit_web
 set ip next-hop verify-availability 10.10.10.2 1 track 10
route-map LOAD_SHARING permit 20
 match ip address Other
 set ip next-hop verify-availability 20.20.20.2 1 track 20

ACL for NAT

access-list 1 permit 1.1.1.0 0.0.0.255

Route-map for NAT


route-map ISP2 permit 10
 match ip address 1
 match interface FastEthernet0/1
route-map ISP1 permit 10
 match ip address 1
 match interface FastEthernet0/0


NAT statements

ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload
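The decision R1 makes for each inside packet, as an added Python model (not the router's code and not from the original post): it evaluates route-map LOAD_SHARING with verify-availability, falls back to whichever tracked default route is still installed, and reports which NAT route-map (ISP1 or ISP2) will translate the flow. Track states are passed in as a dict keyed by track number; the per-destination load sharing of two equal default routes is modelled as a hash of the destination.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
LAN = ip_network("1.1.1.0/24")           # access-list 1 and the permit_web source
WEB_PORTS = {80, 443, 8080}              # permit_web: www, 443, 8080
ISP = {                                  # next hop -> (egress interface, track object)
    "10.10.10.2": ("FastEthernet0/0", 10),
    "20.20.20.2": ("FastEthernet0/1", 20),
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def match_permit_web(p):
    return p.proto == "tcp" and ip_address(p.src) in LAN and p.dport in WEB_PORTS

def match_other(p):
    return True                           # permit ip any any

# route-map LOAD_SHARING: sequence 10 then 20, first match wins
LOAD_SHARING = [(match_permit_web, "10.10.10.2"), (match_other, "20.20.20.2")]

def pbr_next_hop(p, tracks):
    """verify-availability: the set next hop is used only while its track is up;
    otherwise the packet falls through to normal destination-based routing."""
    for acl, nh in LOAD_SHARING:
        if acl(p):
            return nh if tracks[ISP[nh][1]] else None
    return None

def routing_table_next_hop(p, tracks):
    """Tracked static defaults: a route is installed only while its track is up.
    Two equal defaults load-share per destination; modelled as a hash of dst."""
    live = [nh for nh, (_, trk) in ISP.items() if tracks[trk]]
    return live[int(ip_address(p.dst)) % len(live)] if live else None

def forward(p, tracks):
    """Return (next_hop, egress_interface, nat_route_map); None if no ISP is usable.
    NAT route-maps ISP1/ISP2 match access-list 1 (LAN source) plus egress interface."""
    nh = pbr_next_hop(p, tracks) or routing_table_next_hop(p, tracks)
    if nh is None:
        return None
    iface = ISP[nh][0]
    if ip_address(p.src) not in LAN:
        return nh, iface, None            # access-list 1 does not match: no translation
    return nh, iface, "ISP1" if iface == "FastEthernet0/0" else "ISP2"
```

Both SLA probes target the directly connected ISP address, so the tracks only detect a failure of the local link or peer router, not an outage further upstream at that ISP.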









Sunday, 19 July 2015

Policy NAT on Cisco ASA 9.2

Task:
A server in the server VLAN must connect to the SIP server on the ISP side.
The ISP delivers the SIP trunk in a VLAN. The SIP server on the ISP side permits traffic only from 10.60.122.2; the ISP side of that VLAN has the address 10.60.122.1. Because the ASA does not have policy-based routing, I create a policy NAT rule for this task.

I terminate this VLAN on a Cisco ASA 5555-X

interface Port-channel2.193
 vlan 193
 nameif mts_sip_int
 security-level 100
 ip address 10.60.122.2 255.255.255.0

and add a static route

route mts_sip_int 212.248.28.* 255.255.255.255 10.60.122.1 1

The SIP server is reachable:

dat2-fw1#  ping  212.248.28.*
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 212.248.28.*, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/14/20 ms

Now I can create a policy NAT that translates only the server (10.0.151.16: signaling on TCP 5060 and the UDP range 49152-65535 for voice)

Create the server object

object network srv-dat2-medvx1_for_mts_sip
 host 10.0.151.116

Create the SIP server object

object network mts_sip_gateway
 host 212.248.28.*

and the NAT translation

nat (inside,mts_sip_int) source static srv-dat2-medvx1_for_mts_sip interface destination static mts_sip_gateway mts_sip_gateway

and add lines to the inside ACL

access-list internal_in extended permit udp object srv-dat2-medvx1_for_mts_sip object mts_sip_gateway range 49152 65535
access-list internal_in extended permit udp object srv-dat2-medvx1_for_mts_sip object mts_sip_gateway eq sip 

Tuesday, 7 July 2015

Create vPC between two Nexus 7009

Enable the vPC feature

feature vpc

Create the vPC domain

vpc domain 20
  peer-switch
  peer-keepalive destination 10.254.3.21 source 10.254.3.22
  delay restore 360
  peer-gateway
  ip arp synchronize


Create vPC peer link

interface Ethernet3/1
  description -= N7K-2-2-PORT1 =-
  switchport
  switchport mode trunk
  mtu 9216
  channel-group 3 mode active
  no shutdown

interface Ethernet3/2
  description -= N7K-2-2-PORT2 =-
  switchport
  switchport mode trunk
  mtu 9216
  channel-group 3 mode active
  no shutdown

interface port-channel3
  description -= N7K-2-1 =-
  switchport
  switchport mode trunk
  spanning-tree port type network
  mtu 9216
  vpc peer-link

vPC peer-keepalive link

interface mgmt0
  vrf member management
  ip address 10.254.3.21/24

On the other side

interface mgmt0
  vrf member management
  ip address 10.254.3.22/24

peer-keepalive destination 10.254.3.21 source 10.254.3.22

pre-n7k-002# show vpc consistency-parameters global 

    Legend:
        Type 1 : vPC will be suspended in case of mismatch

Name                        Type  Local Value            Peer Value             
-------------               ----  ---------------------- -----------------------
STP Mode                    1     Rapid-PVST             Rapid-PVST            
STP Disabled                1     None                   None                  
STP MST Region Name         1     ""                     ""                    
STP MST Region Revision     1     0                      0                     
STP MST Region Instance to  1                                                  
 VLAN Mapping                                                                  
STP Loopguard               1     Disabled               Disabled              
STP Bridge Assurance        1     Enabled                Enabled               
STP Port Type, Edge         1     Normal, Disabled,      Normal, Disabled,     
BPDUFilter, Edge BPDUGuard        Disabled               Disabled              
STP MST Simulate PVST       1     Enabled                Enabled               
Interface-vlan admin up     2     3001                   3001                  
Interface-vlan routing      2     1,2211,3001            1,2211,3001           
capability                                                                     
Allowed VLANs               -     1,2000-2002,2101-2105, 1,2000-2002,2101-2105,
                                  2109,2115,2201-2205,22 2109,2111,2115,2201-22
                                  11,3001-3003,3012-3013 05,2211,3001-3003,3012
                                  ,3021,3031,3041-3044,3 -3013,3021,3031,3041-3
                                  301-3302,3351-3357     044,3301-3302,3351-335
                                                         7                     
Local error VLANs           -     -                      -        


Connect a device to both Nexus switches and create vPC 1

interface port-channel1
  description -= ASA-MAIN =-
  switchport
  switchport mode trunk
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree bpdufilter enable
  mtu 9216
  vpc 1

On the second switch:

interface port-channel1
  description -= ASA-MAIN =-
  switchport
  switchport mode trunk
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree bpdufilter enable
  mtu 9216
  vpc 1




Cisco Nexus C7009 and N2K-B22HP-P configuration

Enable the FEX feature

install feature-set fex
  allow feature-set fex
feature-set fex


Add 8 TenGigabit ports to one EtherChannel with LACP

int range eth3/13-18
 channel-group 21

Configure the port-channel as a FEX fabric port and associate it with the FEX

interface port-channel21
  description -= B22HP-4-1 =-
  switchport
  switchport mode fex-fabric
  fex associate 128

pre-n7k-002# sh fex
  FEX         FEX           FEX                       FEX              
Number    Description      State            Model            Serial    
------------------------------------------------------------------------
128        FEX0128                Online         N2K-B22HP-P   FOC1832R0**


pre-n7k-002# sh fex 128 detail
FEX: 128 Description: FEX0128   state: Online
  FEX version: 6.2(10) [Switch version: 6.2(10)]
  FEX Interim version: (10)FH_0_166
  Switch Interim version: 6.2(10)
  Extender Serial: FOC1832R0**
  Extender Model: N2K-B22HP-P,  Part No: 73-13780-05
  Bay: 2
  Rack: UnnamedRack
  Enclosure: CZJ44105**
  Enclosure Serial: CZJ44105**
  Rack Id: Default RUID
  Card Id: 145, Mac Addr: 64:d8:14:a2:73:42, Num Macs: 64
  Module Sw Gen: 21  [Switch Sw Gen: 21]
  Pinning-mode: static    Max-links: 1
  Fabric port for control traffic: Eth3/17
  FCoE Admin: false
  FCoE Oper: false
  FCoE FEX AA Configured: false
  Fabric interface state:
    Po21 - Interface Up. State: Active
    Eth3/13 - Interface Up. State: Active
    Eth3/14 - Interface Up. State: Active
    Eth3/15 - Interface Up. State: Active
    Eth3/16 - Interface Up. State: Active
    Eth3/17 - Interface Up. State: Active
    Eth3/18 - Interface Up. State: Active
    Eth3/19 - Interface Up. State: Active
    Eth3/20 - Interface Up. State: Active
  Fex Port        State  Fabric Port
       Eth128/1/1    Up        Po21
       Eth128/1/2    Up        Po21
       Eth128/1/3    Up        Po21
       Eth128/1/4    Up        Po21
       Eth128/1/5    Up        Po21
       Eth128/1/6    Up        Po21
       Eth128/1/7    Up        Po21
       Eth128/1/8    Up        Po21
       Eth128/1/9    Up        Po21
      Eth128/1/10    Up        Po21
      Eth128/1/11    Up        Po21
      Eth128/1/12    Up        Po21
      Eth128/1/13    Up        Po21
      Eth128/1/14    Up        Po21
      Eth128/1/15    Up        Po21
      Eth128/1/16    Up        Po21





Friday, 3 July 2015

Embedded packet capture Cisco IOS

My Cisco ISR G2 2921 router has very high CPU consumption. To investigate this, I want to analyze the traffic on that device. I could use SPAN/RSPAN with a client host to collect the dumped traffic, but when I have no time to set up a host to collect the dump, I use EPC. Embedded Packet Capture (EPC) is a packet capture facility that allows network administrators to capture packets flowing to, through, and from the device and to analyze them locally or save and export them for offline analysis with a tool such as Wireshark. EPC simplifies network operations by allowing devices to become active participants in the management and operation of the network. This feature facilitates troubleshooting by gathering information about the packet format. It also facilitates application analysis and security.
Optionally set the buffer size:

monitor capture buffer <name> size <value> max-size <value> circular

Optionally the capture can be filtered to packets that match an ACL:

monitor capture buffer <name> filter access-list <ACL name>

Define the capture point; it can also be an interface instead of the process-switched path:

monitor capture point ip process-switched cisco both

Associate the buffer with the capture point:

monitor capture point associate cisco cisco

Start dumping traffic:

monitor capture point start cisco

Wait a minute to capture enough of the process-switched traffic, then stop:

monitor capture point stop cisco

Save the dumped buffer to your FTP/TFTP server as a *.pcap file:

monitor capture buffer cisco export <server>/<filename>

Then open that file in Wireshark and investigate anomalies in the traffic.

Thursday, 2 July 2015

Guest VLAN with VRF-lite

My task is an isolated guest VLAN for security devices that may connect only to a few hosts on the Internet for telemetry data.

Add the VLAN to the switches and allow it on the trunk

vlan 171
 name security

interface GigabitEthernet0/0
 switchport trunk allowed vlan add 171

Create the VRF

ip vrf security

Create a subinterface on the router for that VLAN and add the VRF forwarding command

interface FastEthernet0/0.171
 encapsulation dot1Q 171
 ip vrf forwarding security
 ip address 10.16.171.254 255.255.255.0

Create a route in the global routing table for the VRF subnet (route leaking)

ip route 10.16.171.0 255.255.255.0 FastEthernet0/0.171

Create a default route in the VRF routing table that points into the global routing table

ip route vrf security 0.0.0.0 0.0.0.0 Vlan500 178.173.24.* global

Create an extended access list that limits NAT to the telemetry hosts on the Internet

Extended IP access list 101
    10 permit tcp 10.16.171.0 0.0.0.255 host 62.117.84.* eq 24333
    20 permit tcp 10.16.171.0 0.0.0.255 host 79.98.138.* eq 24333


Use this ACL in the NAT overload statement

ip nat inside source list 101 interface Vlan500 vrf security overload

All done!

Reducing CPU usage on a Cisco ISR G2 2921 with many NAT translations


Creating the VRF

ip vrf out
 rd 1:1
 route-target export 1:1
 route-target import 1:1



Internet interface in the VRF

interface GigabitEthernet0/2
 description -= WAN =-
 ip vrf forwarding out
 ip address 86.62.75.* 255.255.255.240 secondary
 ip address 86.62.75.* 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto

Inside interface

interface GigabitEthernet0/0.11
 description to_sw-root
 encapsulation dot1Q 11
 ip address 10.252.11.254 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly in
 service-policy input block_p2p


Route for the VRF subnet that must leak into the global routing table

ip route 86.62.75.208 255.255.255.240 GigabitEthernet0/2

Default route for the VRF

ip route vrf out 0.0.0.0 0.0.0.0 86.62.75.*


Keyring for the VRF

crypto keyring DMVPN vrf out
  pre-shared-key address 0.0.0.0 0.0.0.0 key #**

On the tunnel interfaces add the command tunnel vrf out

interface Tunnel3
 tunnel vrf out
interface Tunnel4
 tunnel vrf out
interface Tunnel5
 tunnel vrf out
interface Tunnel8
 tunnel vrf out

Routes from the global routing table that must leak into the VRF

ip route vrf out 10.252.11.0 255.255.255.0 GigabitEthernet0/0.11 10.252.11.253 global
ip route vrf out 172.16.100.0 255.255.254.0 GigabitEthernet0/0.11 10.252.11.253 global
ip route vrf out 172.16.102.0 255.255.254.0 GigabitEthernet0/0.11 10.252.11.253 global
ip route vrf out 172.16.75.0 255.255.255.0 Tunnel6 172.254.255.85 global
ip route vrf out 10.252.0.0 255.255.0.0 GigabitEthernet0/0.11 10.252.11.253 global


Port forwarding from the VRF interface to the local networks

ip nat inside source static tcp 172.16.100.11 20 86.62.75.* 20 vrf out extendable
ip nat inside source static tcp 172.16.100.11 21 86.62.75.* 21 vrf out extendable
ip nat inside source static tcp 172.16.100.3 80 86.62.75.* 80 vrf out extendable
ip nat inside source static tcp 172.16.100.245 1080 86.62.75.* 1080 vrf out extendable
ip nat inside source static tcp 172.16.101.16 3389 86.62.75.* 3131 vrf out extendable
ip nat inside source static tcp 172.16.100.15 3389 86.62.75.* 3315 vrf out extendable
ip nat inside source static tcp 172.16.85.4 5858 86.62.75.* 5858 vrf out extendable
ip nat inside source static tcp 172.16.101.16 9000 86.62.75.* 9000 vrf out extendable
ip nat inside source static tcp 172.16.75.17 22 86.62.75.* 2222 vrf out extendable