Best practice wise - should I let the router or the ASA handle NAT (Overloading)?
In the most general of design best practices NAT is performed between an inside and outside network. NAT overloading is generally performed at the edge when there is limited public IP address space. You can learn more about NAT overloading, also known as Port Address Translation or PAT, in RFC 2663 (PAT is referred to as Network Address Port Translation (NAPT) in section 4.1.2).
In this particular scenario you can argue that you have two inside and outside networks and will need to perform some form of NAT on both the ASA (whether that is the NAT overloading you're using now, NAT exemption, static NAT, etc) and the Cisco Router.
I can ping the 172.16.2.2 interface but not 172.16.2.1 from a PC connected to one of the layer 2 switches (proves intervlan routing is working -- I have a 172.20.100.8 address on the PC). Why can't I ping 172.16.2.1 from a PC but I can from the Layer 3 Switch?
The ASA 172.16.2.2 is receiving the ICMP echo-request but does not have a route back to 172.20.100.0/27. The echo-reply is actually being forwarded to the Router 172.16.1.1 via the default route.
And most of all -- Why can't I get out to the Internet from the Layer 3 switch?
Currently your ASA and Cisco Router do not have routes to internal devices other than their connected routes.
Your ASA configuration:
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?
You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.
ASA static routing example:
route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2
Further reading: ASA static routing
Your Cisco Router's configuration:
ip route 0.0.0.0 0.0.0.0 200.200.200.200
Additionally, how will your border router know how to reach subnets other than its connected routes and the catch-all default route via the outside interface's next-hop address 200.200.200.200?
Router static routing example:
ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.20.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10
Further reading: ISR static routing
I cannot get an ip address right now from the DHCP server (Windows).
Any insight into why?
Ensure you have end-to-end IP reachability between the client(s) sending DHCP discover messages and the DHCP server.
From what I can gather from your topology and configuration, the subnets 172.19.3.0/24, 172.19.12.0/28 and 172.20.100.0/27 should have no issues connecting to each other (assuming they are configured to use their respective default gateways) from a networking perspective.
You can remove the ip helper-address syntax from the SVI 100 given that the DHCP server is on the same segment and that command is used for DHCP server(s) on a different segment.
interface Vlan100
 ip address 172.20.100.1 255.255.255.224
 ip helper-address 172.20.100.27
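The missing return route described in the answer above, as an added example that is not part of the original post: a longest-prefix-match lookup over the ASA's routing table, built from the page's route statements plus connected routes whose masks are assumed, shows the echo-reply to the PC leaving via the outside interface (towards the border router) before the inside routes are added, and via the inside interface afterwards.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    next_hop: Optional[str]  # None means directly connected

def route(prefix: str, interface: str, next_hop: Optional[str] = None) -> Route:
    return Route(ip_network(prefix), interface, next_hop)

def lookup(table, dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None

# Constructed ASA table before the fix: the connected routes (masks assumed)
# and the page's default route "route outside 0.0.0.0 0.0.0.0 172.16.1.1 1".
ASA_BEFORE = [
    route("172.16.2.0/27", "inside"),
    route("172.16.1.0/24", "outside"),
    route("0.0.0.0/0", "outside", "172.16.1.1"),
]

# The same table after the answer's three "route inside ..." statements.
ASA_AFTER = ASA_BEFORE + [
    route("172.19.12.0/28", "inside", "172.16.2.2"),
    route("172.19.3.0/24", "inside", "172.16.2.2"),
    route("172.20.100.0/27", "inside", "172.16.2.2"),
]

def reply_path(table, pc: str, ingress: str = "inside") -> dict:
    """Where the echo-reply to a PC leaves the ASA, and whether that matches
    the interface the echo-request arrived on (a symmetric path)."""
    r = lookup(table, pc)
    egress = r.interface if r else "drop"
    return {"egress": egress,
            "next_hop": r.next_hop if r else None,
            "symmetric": egress == ingress}

if __name__ == "__main__":
    for label, table in (("before", ASA_BEFORE), ("after", ASA_AFTER)):
        print(label, reply_path(table, "172.20.100.8"))
```

A stateful firewall that sees the request on one interface and sends the reply out another is the asymmetry the answer is pointing at; the lookup makes that visible before touching the box.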
1. Would it be better to set up traffic policing?
You're using shaping, which is better in this case. The important thing is to buffer your traffic before sending it to your internet provider. Consider this:
- Your ISP asks you to set your physical interface to 100Mbps
- Your service from the ISP is 30Mbps
- What happens if you're already sending 30Mbps of traffic, and you need to send a ping?
By default, your Cisco 2901 router's interface will buffer based on the physical transmit rate (100Mbps) you are configuring. If you do not add traffic shaping, that ping has a decent chance of being dropped because the ISP is almost certainly policing ingress to 30Mbps on the other end. Traffic shaping allows you to buffer your instantaneous traffic in excess of 30Mbps, so it has a chance of making it past your ISP's ingress policing; otherwise your router won't even think about buffering traffic until it reaches the physical interface transmit rate (100Mbps).
Set up traffic shaping:
class-map match-any SHAPE
 match any
policy-map SHAPE
 class SHAPE
  shape average 30000000
interface GigabitEthernet0/1
 service-policy output SHAPE
...
Would it be better to set up traffic shaping/policing on the outside interface (gig 0/0)?
You should definitely set up egress shaping on Gi0/0; consider QoS and/or WRED as well.
Since Gi0/1 is a LAN-facing interface, egress shaping doesn't help much unless you need to prioritize certain traffic, or use WRED on the queue (which wouldn't be a bad idea, if you set it up right).
When you configure your QoS policies, I recommend you do it in this order:
- Test ping loss from Gi0/0 to 50.204.xxx.81 for at least 20 minutes without QoS on either interface; if you don't have a clean baseline, then you'll spend a lot of time chasing the wrong packet loss in the next steps.
- Test egress shaping rates on your Gi0/0 interface at about 200-300 byte IP packets (i.e. somewhere at or below imix sizes), and adjust the rates until you don't drop traffic to them (see below). You might need to ask them to temporarily colo some of your test equipment in their network. Failing that, you can rent a server on the internet to test with; however, that gets fairly complicated since there would likely be several additional congestion points.
- Test egress shaping rates on your Gi0/1 interface, in the same way you did above.
- Add WRED (if you plan to do so). Test again with 3 parallel TCP streams in each traffic direction.
Test strategy:
I strongly recommend that you perform a UDP non-drop transmit rate test with whatever QoS settings you choose because it's possible that your shaping rate could be slightly higher than your ISP's rate. If so, then you need to lower your shaping parameters until you don't drop traffic when you send it to them.
- I am confused with ISP giving me 50.204.xxx.80/30 address for interconnect block and then saying that I can use 50.204.xxx.83 thru 50.204.xxx.86?
That definitely is confusing. As far as I can tell, that sentence can be safely ignored; however, please double check with them to be sure. The reason I say this:
- They said "ISP Internet gateway: 50.204.xxx.81"
- They said "Customer Layer 3 device WAN interface: 50.204.xxx.82"
- They said "The /29 of usable IP space is statically routed by ISP to 50.204.xxx.82"
Regarding your question in the comments
The routes shown in this diagram are adequate. You only need a default route to the provider, unless you plan to turn up other networks besides 50.204.xxx.88/29.
Side notes
- I normally don't recommend hard-coding speed and duplex on ethernet interfaces, but this practice is entrenched in many ISP procedures, so there is no point in fighting it.
- You should adequately protect your network with a firewall as well, as Kit suggested.
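The buffering argument in the answer above (a 30 Mbps service delivered on a 100 Mbps port), as an added simulation that is not part of the original answer: a token-bucket model with a strict one-interval policer at the ISP (an assumption; a real policer's burst allowance differs), fed a constructed load of exactly 30 Mbps plus one ping, run once with the router transmitting at line rate and once with a shaper in front of the link.

```python
from collections import deque

RATE_BPS = 30_000_000                 # ISP service rate from the answer
TICKS_PER_S = 1000                    # simulate in 1 ms intervals (assumption)
RATE = RATE_BPS // (8 * TICKS_PER_S)  # 3750 bytes of credit per interval
BC = RATE                             # bucket depth: one interval (assumption)

class TokenBucket:
    """Single-rate token bucket used for both the shaper and the policer."""
    def __init__(self, rate=RATE, depth=BC):
        self.rate, self.depth, self.tokens = rate, depth, depth
    def refill(self):
        self.tokens = min(self.depth, self.tokens + self.rate)
    def conforms(self, size):
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

def simulate(offered, shape, max_ticks=10_000):
    """offered: per-interval lists of packet sizes (bytes) leaving the LAN.
    shape=False: the router sends at line rate and the ISP policer drops excess.
    shape=True: the router shaper queues excess and releases it at RATE.
    Returns (delivered, dropped) packet counts at the ISP side."""
    shaper, policer, queue = TokenBucket(), TokenBucket(), deque()
    delivered = dropped = tick = 0
    while (tick < len(offered) or queue) and tick < max_ticks:
        queue.extend(offered[tick] if tick < len(offered) else [])
        shaper.refill(); policer.refill()
        if shape:  # FIFO: stop at the first head packet that no longer fits
            wire = []
            while queue and shaper.conforms(queue[0]):
                wire.append(queue.popleft())
        else:
            wire, queue = list(queue), deque()
        for size in wire:
            if policer.conforms(size):
                delivered += 1
            else:
                dropped += 1
        tick += 1
    return delivered, dropped

def ping_during_full_load(ticks=10, ping_at=5):
    """Constructed load: exactly 30 Mbps of 1250-byte data plus a 64-byte ping."""
    offered = [[1250, 1250, 1250] for _ in range(ticks)]
    offered[ping_at].append(64)
    return offered

if __name__ == "__main__":
    load = ping_during_full_load()
    print("line rate, policed at ISP:", simulate(load, shape=False))
    print("shaped on the router:     ", simulate(load, shape=True))
```

Without the shaper the ping arrives in an interval whose credit the data already consumed and is discarded; with the shaper it waits one interval in the router's queue and every packet is delivered.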
Best Answer
On a point-to-point link, you don't always need an IP address on the router's interface but you must inform the router of this fact, using the ip unnumbered command. Setting it will borrow the loopback 5 IP address to use it on the GigabitEthernet0/0 interface as a next hop for the neighbor router. Doing so on both routers will allow you to ping each other's loopback address (and run a routing protocol).
More information on this Cisco page