14 Sept 2010

Clear VTY Lines

Sometimes a switch/router won't let you connect to it, and telnet/ssh comes back with connection refused. If the hardware is otherwise functioning correctly, it's likely that your VTY lines are full.
This is how you can see all sessions, see active sessions, and kill sessions:

# sh users all
# sh users
# clear line

13 Sept 2010

Get your GNS3 project fix

Here's a link to a great site from my friend Rene Molenaar:
GNS3Vault

Description from the site:

* Cool Scenarios to get the maximum out of your networking experience ;)
* Downloadable topologies that you can use right away with the GNS3 software.
* Different levels of difficulty, there's something for everyone...novice, intermediate and expert!
* The forum where you can discuss about all the labs.
* It's possible to review labs.
* You can share your labs with others.

AND Yes, all for free ;)

30 Jul 2010

Using 3rd Party SFP modules in Cisco Devices

All SFP modules contain in their EEPROM a Serial Number, Vendor Name & ID, Security code and a CRC. The switch checks this information; if it can't verify it, it might give messages like the following:
%PHY-4-UNSUPPORTED_TRANSCEIVER: Unsupported transceiver found in Gi1/0/1
%GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: GBIC in port 65538 has bad crc


There are two undocumented Cisco commands to get 3rd party SFP modules to work:

switch(config)# service unsupported-transceiver
switch(config)# no errdisable detect cause gbic-invalid

16 Jun 2010

Upgrading Software on a 6509 Switch

Planning on upgrading the ancient CatOS 5.5(1) on our 6509 switch.

1. Check Supervisor NMP BootROM version. If Fw 5.1(1) then you must field upgrade your ROM. Check here.



Ref: Upgrading Software Images on Catalyst 6000/6500 Series Switches

15 May 2010

Running ASA and ASDM using GNS3/Qemu

Finally got ASA and ASDM to work nicely with GNS3.
Here's my setup:

GNS3 v0.7
Qemu (The one that comes with GNS3 v0.7)
ASA 802-k8 (files needed for Qemu are: asa802-k8.initrd.gz & asa802-k8.kernel)
ASDM 6.0(2)
Fiddler (Instructions to configure it are here)

To get ASDM to connect with ASA, you must use Fiddler to intercept the HTTPS stream and modify it to correct some of Qemu's shortcomings.
Then set your JRE to use fiddler as proxy.
All instructions can be found in the lengthy discussion at hacki.at. Make sure to read pages 17,18,+

9 May 2010

Visio tips & tricks

In this post I will collect Visio tips & tricks that I come up with and links to similar articles.

Shortcuts:
Ctrl+1 Pointer Tool
Ctrl+2 Text Tool
Ctrl+3 Connector Tool
Ctrl+W Zoom Whole Page
Ctrl+Shift+G Group
Ctrl+Shift+U Ungroup

Links:
Shortcuts to Edit in Visio @ Visio Insights
Nortel Visio Stencils
Visio Stencils collection (lots of vendors)

7 May 2010

IOS Packaging

Starting with version 12.3, Cisco introduced a new IOS packaging system for routers and switches.

Here are some links from cisco for detailed explanation:
Cisco IOS Packaging Product Bulletin
IOS Packaging, main page
Cisco IOS Packaging Customer Q&A

2 May 2010

STP, PVST, RSTP, MSTP articles

Many standards, many proprietary approaches. All this causes interoperability and management headaches.

References:
Understanding MSTP, very in-depth article from Petr Lapukhov.
Understanding STP and RSTP Convergence, again by Petr.
Lots of valuable articles from ine blog.

1 May 2010

Cisco and HP Interoperability

Some pointers to related information on the net:

Articles:
Summaries from Dave Tucker's 3 Day Training: HP ProCurve/Cisco Interoperability – Day 1, Day 2, Day 3


Documents:
ProCurve and Cisco Spanning-tree Interoperability

Discovery Protocols, STP, Link Aggregation, IP Routing, etc:
HP & Cisco Interoperability Guide

20 Apr 2010

Troubleshooting High CPU Utilization

Cisco 7500 Series Routers, Troubleshooting TechNotes

* High CPU Utilization in Exec and Virtual Exec Processes

* The show processes Command

* Troubleshooting High CPU Utilization Due to Interrupts

* Troubleshooting High CPU Utilization due to Processes

* Troubleshooting High CPU Utilization in IP Input Process

* Troubleshooting High CPU Utilization on Cisco Routers

* Understanding VIP CPU Running at 99% and Rx-Side Buffering

* What Causes %SYS-3-CPUHOG Messages?

IOS Syslog facilities

Logging and debugging messages are the cornerstone of troubleshooting.

There are 4 possible destinations for logging:
1. Console
2. Monitor
3. Buffer
4. Host
plus SNMP

R1(config)#do sh logging
Syslog logging: enabled (9 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
Console logging: level debugging, 33 messages logged, xml disabled
Monitor logging: level debugging, 0 messages logged, xml disabled
Buffer logging: disabled, xml disabled
Logging Exception size (8192 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 38 message lines logged

Descriptions for the fields in the output above.

When troubleshooting high CPU utilization situations and you have to use debugging, make sure to disable or "level-limit" the console and monitor logging facilities. Instead use the buffered logging facility to record the debug output and view it with "show logging". This allows the CPU to process the log messages in a high utilization environment.

To use a syslog server and set the log-level:

R1(config)# logging host
R1(config)# logging trap ?
<0-7> Logging severity level
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)
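As an added example (not from the original post), here is a small Python parser for the %FACILITY-SEVERITY-MNEMONIC format of IOS system messages, with a filter that mimics what "logging trap <level>" lets through to the syslog host; the sample log lines are constructed, the first two being the messages quoted on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity names and numbers exactly as IOS lists them under "logging trap ?".
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
NAME_TO_LEVEL = {name: level for level, name in SEVERITY_NAMES.items()}

# IOS system messages look like "%FACILITY-SEVERITY-MNEMONIC: text".
# Whatever precedes the '%' (sequence number, timestamp, hostname) is ignored.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


@dataclass
class IosMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_ios_message(line: str) -> Optional[IosMessage]:
    """Return the parsed message, or None when the line is not an IOS system message."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return IosMessage(m["facility"], int(m["severity"]), m["mnemonic"], m["text"].strip())


def passes_trap_level(msg: IosMessage, trap_level: str) -> bool:
    """Mimic 'logging trap <level>': IOS forwards a message to the syslog host only
    when its severity number is less than or equal to the configured level."""
    return msg.severity <= NAME_TO_LEVEL[trap_level]


def messages_sent_to_host(lines: List[str], trap_level: str = "informational") -> List[IosMessage]:
    """Parse raw lines and keep only those the router would send to 'logging host'."""
    parsed = (parse_ios_message(line) for line in lines)
    return [m for m in parsed if m is not None and passes_trap_level(m, trap_level)]


# Constructed sample log. The PHY and GBIC messages are the ones quoted on this page;
# SYS-3-CPUHOG is named on the page but its text here is made up; the remaining
# lines are ordinary IOS messages added to cover more severity levels.
SAMPLE_LOG = [
    "R1#",
    "%PHY-4-UNSUPPORTED_TRANSCEIVER: Unsupported transceiver found in Gi1/0/1",
    "%GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: GBIC in port 65538 has bad crc",
    "*Mar  1 00:05:12.345: %SYS-3-CPUHOG: Task ran for 2040 msec (0/0), process = IP Input",
    "*Mar  1 00:06:01.100: %SYS-5-CONFIG_I: Configured from console by vty0",
    "*Mar  1 00:06:02.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up",
]

if __name__ == "__main__":
    # Show what reaches the syslog host at "logging trap warnings".
    for msg in messages_sent_to_host(SAMPLE_LOG, "warnings"):
        print(f"{msg.severity_name:>13} {msg.facility}-{msg.mnemonic}: {msg.text}")
```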

Reference:
Troubleshooting and Fault Management Commands @ Cisco
Troubleshooting High CPU Utilization on Cisco Routers @ Cisco

10 Apr 2010

Portable Product Sheets @ Cisco

Here's a page I came across on the Cisco Site.
Provides easy access to reference documents useful to partners.
Eg: Switch Performance, IOS Packaging, Router Memory/Performance, ISR Ref.Sheets, etc.

Portable Product Sheets

7 Apr 2010

Password recovery references for almost all Cisco Devices

Here's a great reference page from Cisco, explaining the pwd recovery procedures for many of their devices.

Password Recovery Procedures

Internet Map of Autonomous Systems in Türkiye

Here's a recent and very well done study of the Networks/ASs located in Türkiye, by Hakan Çetin.

Türkiye'nin Otonom Sistem Seviyesinde İnternet Haritasının Çıkarımı (TİH) - 2009


1 Apr 2010

Steps for migrating from PIX to ASA

You should be running v7.x on your PIX so that your configuration can be converted properly. Two ways of going about this:

* Tool-Assisted Conversion (Link)
* Manual Conversion

I'll cover the manual method here.
Upgrading your PIX to v7.x

1. Get copies of your config and version/license info
# show running
# write net
# show version


2a. If BIOS is earlier than 4.2, use Monitor Mode instead of copy tftp flash

Reboot and press BREAK or ESC during boot to enter Monitor Mode
monitor>interface
monitor>address
monitor>server
monitor>gateway
monitor>ping
monitor>file
monitor>tftp


The PIX will boot automatically, but the software upgrade is only done in memory; you MUST go through the steps below to complete the upgrade!

2b. Upgrade System software

#enable
#copy tftp: flash:
Address or name of remote host []? 10.1.6.44
Source filename []? pix701.bin
Destination filename [pix701.bin]?


3. Now you have upgraded your software and your config was auto converted to v7.x
You should go through and check the changes made, which could be very different from your older pix config.

4. Use this config in your ASA appliance. Do this either with the Copy/Paste method, or via a tftp/ftp config file transfer.



Ref: Migration from PIX 500 Series Security Appliances to ASA 5500 Series Adaptive Security Appliances

30 Mar 2010

G.SHDSL Config through a Cisco 828 router

I'll copy this here for reference purposes. I used a few of these configs to connect one of my customer's branch offices to their headquarters.

Be careful of the vpi/vci values which should be:
Point to point g.shdsl links: 0/35
Internet g.shdsl links: 8/35

!
controller DSL 0
mode atm
line-term cpe
line-mode 2-wire line-zero
dsl-mode shdsl symmetric annex B
line-rate auto
!

!
interface ATM0
no ip address
ip nat outside
ip virtual-reassembly
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
bandwidth 2048
ip nat outside
ip virtual-reassembly
pvc 8/35
pppoe-client dial-pool-number 1
!
!

!
interface Dialer0
mtu 1476
bandwidth 2048
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression iphc-format
ip tcp adjust-mss 800
load-interval 30
dialer pool 1
ppp authentication pap chap callin
ppp chap hostname user@isp
ppp chap password 0 123
ppp pap sent-username user@isp password 0 123
ppp ipcp dns request
ip rtp header-compression iphc-format
!

29 Mar 2010

Most useful Freeware/Shareware Windows Apps.

Firefox: THE browser of the Internet. Won't use anything else.
Total Commander, my choice of File Manager since, forever.
CDBurnerXP: Very nice CD/DVD/BlueRay, Data/Audio burner. Freeware.
SysInternals: Indispensable system tools.
Media Player Classic: With a few codecs, it's all you need to play your videos.
Winamp: Essential audio player for me.
TrueCrypt, an essential encryption suite.
BitComet, my choice of torrent client.
Foxit, a freeware PDF Reader. It's light-weight and fast, why use bloated Adobe apps?
Daemon Tools Lite, mount cd/dvd images

24 Mar 2010

Win7 Tips&Tricks, Useful Applications

* Shortcuts: Master List of Windows 7 Keyboard Shortcuts (Mar 09)
* Take ownership and delete files/folders for good!
For Files:
takeown /f file_name /d y
icacls file_name /grant administrators:F

For Directories (will perform action recursively):
takeown /f directory_name /r /d y
icacls directory_name /grant administrators:F /t

* Turn off Driver Signing
bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
bcdedit.exe -set TESTSIGNING ON

* Turn off Hibernation
powercfg -h off

* Classic Start Menu and Explorer
Classic Shell, now this is very cool, I had enough of the new featureLESS Start menu and awkward Explorer

19 Mar 2010

CCNP at last!

Hooray!! Just became CCNP certified today.

Now it's onto my ultimate goal, CCIE Routing & Switching. Must start planning right away ;-)

11 Feb 2010

History of Computers and the Birth of the Internet

I've been reading "Where Wizards Stay Up Late" by Hafner&Lyon which tells the story of ARPA and how the network to connect all the different mainframes in universities came to being, which then would be the foundation of the Internet. It's written in a novel fashion and once you start flipping the pages it's hard to put it down!

There are mentions of many of the first huge computing machines that were built in various Universities and Corporations, such as the TX-2 in MIT Lincoln Labs, Q-32 that was transferred by the Airforce from SDC to ARPA, etc. So being the researcher I am :) I had to track these beasts and learn more about them. I shall write a separate article about these in the near future.

Computer History Museum in California (History Timeline)

10 Feb 2010

CCIE Preparation, devices to accumulate for a home lab

This is a WIP entry that I'll use to compile a list of useful devices/information for my future CCIE lab preparation.

ISDN Simulator B-LinkU has 2 ports that you can connect to using U or S/T interface.

2520 Series Multiport routers, for use as Frame Relay switch, ISDN cloud.

6 Feb 2010

Cisco Router boot configuration

File Systems:
system: (RAM, where running-config is kept)
nvram: (NVRAM, where startup-config is saved)
bootflash: (Internal Flash memory)
slot0: (First PCMCIA slot)
slot1: (Second PCMCIA slot)

Copying:
#copy ftp: system:running-config
#copy rcp: system:running-config
#copy tftp: system:running-config

#copy ftp: nvram:startup-config
#copy rcp: nvram:startup-config
#copy tftp: nvram:startup-config

#copy system:running-config nvram:startup-config

Booting:

#show bootvar (verify the contents of the CONFIG_FILE environment variable.)
#boot config dest-flash-url (Set the CONFIG_FILE environment variable.)

#boot network ftp:[[[//[username[:password]@]location]/directory]/filename]
#boot network rcp:[[[//[username@]location]/directory]/filename]
#boot network tftp:[[[//location]/directory]/filename]
#service config (Enable the router to download config-files at startup)

#boot system

Other Useful commands:
#service compress-config
#boot buffersize bytes (The buffer that holds the configuration file is usually the size of NVRAM. Larger configurations need larger buffers. )
(config)#config-register value
#dir [flash-filesystem:]

Examples
#copy system:running-config tftp://172.16.1.130/istanbul-config
#copy system:running-config ftp://netadmin1:mypass@172.16.101.101/Ankara-config
#copy rcp://netadmin1@172.16.101.101/host1-confg system:running-config
#copy slot0:4:ios-upgrade-1 nvram:startup-config


Ref: Rebooting and Reloading - Configuring Image Loading Characteristics @ Cisco
Cisco IOS Conf. Fundamentals Command Reference Boot Commands

1 Feb 2010

GRE over IPsec in a Hub-Spoke Topology w/ EIGRP (Lab) #2

Ok this is the enhanced version of the previous GRE lab I've posted.
We've decided to encrypt and secure all communications between our HQ and Branches.
As previously noted we needed GRE to run a dynamic routing protocol (EIGRP) between our networks. So here we implement an IPsec GRE tunnel that will encrypt all traffic including the multicast EIGRP messaging.

Download
Project files for GNS3.

30 Jan 2010

GRE Tunnels in a Hub-Spoke Topology w/ EIGRP (Lab) #1



Our company DasBoot Corp. has opened a few offices in Turkey.
The corporate offices are in sunny Izmir and there is one branch in Istanbul, and two in Ankara.

They all have basic Internet connectivity to our trusted ISP, DynamiteBBS, which by the way is running IS-IS in its backbone with MPLS on top.

As the network engineer of DasBoot, we decide to create tunnels in a hub-spoke fashion, connecting our branches to the corporate network. We use private addressing in our network (eg. 172.16.0.0). Here's a demonstration of running EIGRP to facilitate full connectivity between our networks. I know it's not too complicated, but it's good practice and an extensible lab anyway. Enjoy..
(Download GNS3 Project files)

My favorite Firefox addons

My browser of choice has been Firefox since the beginning, the 1.0 version in 2004. Before that I had been a longtime user of Opera.
I've been happily using the 3.5 version for a while and here are my favorite addons:

NoScript: It's a must have security addon IMHO.
Session Manager: A successful session manager. Very reliable and uses light resources.
Secure Login: Keeps track of my passwords for Forums/other sites that have low security priority on my list. I try to use different credentials for most sites.
oldbar: Brings back the Old Address Bar from version 2.
gspace: Use your gmail account space as a file cabinet.

29 Jan 2010

ISCW in the bag

I'm almost there, one to go!
Been reading up on ONT for a while, so this should be quick.

27 Jan 2010

Cisco Type 5 and Type 7 passwords

Cisco uses two types of password encryption to store your passwords. Type 7 is the Cisco proprietary method (Vigenere cipher) and is weak. Type 5 is encrypted using MD5 hashing, and is considered pretty strong. The "enable secret" password is stored using Type 5.

One can easily crack the Type7 passwords w/ utilities that are available on the net.
You can also do it straight from inside the IOS. Just create a key chain, and copy paste the encrypted string to the "key-string 7". Here's how:
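As an added example (not from the original post), here is a small Python audit that walks an IOS running-config and reports which stored credentials are type 0 (plaintext), type 7 (reversible) or type 5 (MD5), so you know which lines still need to be moved to a "secret" form; the sample config and its hash/hex values are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# IOS config lines that carry a credential, with the encryption "type" digit that
# may follow the keyword. Type 0 (or no digit) = plaintext, type 7 = the weak
# reversible Vigenere-style scheme, type 5 = MD5 hash (the "enable secret" form).
CRED_RE = re.compile(
    r"^\s*(?P<cmd>enable secret|enable password|password|key-string|ppp chap password|"
    r"username \S+ (?:privilege \d+ )?password|ppp pap sent-username \S+ password)"
    r"\s+(?:(?P<type>[0-9])\s+)?(?P<value>\S+)\s*$"
)

VERDICT = {
    "0": "plaintext: anyone who reads the config has the password",
    "7": "type 7: reversible, recoverable with freely available tools",
    "5": "type 5 (MD5): acceptable",
}


def looks_like_type7(value: str) -> bool:
    """Sanity-check the type 7 encoding: a two-digit decimal seed (00-15) followed by
    an even number of hex digits. Anything else is mislabelled or truncated."""
    if len(value) < 4 or len(value) % 2 or not value[:2].isdigit():
        return False
    return int(value[:2]) <= 15 and all(c in "0123456789ABCDEFabcdef" for c in value[2:])


@dataclass
class Finding:
    line_no: int
    command: str
    enc_type: str
    verdict: str


def audit_config(config: str) -> List[Finding]:
    """Walk a running-config and report every stored credential with its encryption type."""
    findings = []
    for no, line in enumerate(config.splitlines(), start=1):
        m = CRED_RE.match(line)
        if m is None:
            continue
        enc_type = m["type"] or "0"  # no digit means IOS stored it in the clear
        if enc_type == "7" and not looks_like_type7(m["value"]):
            verdict = "type 7 label with malformed value"
        else:
            verdict = VERDICT.get(enc_type, f"unknown type {enc_type}")
        findings.append(Finding(no, m["cmd"], enc_type, verdict))
    return findings


def weak_findings(findings: List[Finding]) -> List[Finding]:
    """Only the entries a reviewer must act on (type 0 and type 7)."""
    return [f for f in findings if f.enc_type in ("0", "7")]


# Constructed sample config. The hash and hex values are made up for this example;
# the "password 0" and "ppp chap password 0 123" lines mirror those on this page.
SAMPLE_CONFIG = """\
hostname R1
enable secret 5 $1$EXAMPLE$notarealhashjustaplaceholder
enable password 7 0214055F5A1C
username admin privilege 15 password 0 letmein
key chain KC1
 key 1
  key-string 7 070C285F4D06
interface Dialer0
 ppp chap password 0 123
line vty 0 4
 password 7 12345
 login
"""

if __name__ == "__main__":
    for f in weak_findings(audit_config(SAMPLE_CONFIG)):
        print(f"line {f.line_no:>3}  {f.command:<40} -> {f.verdict}")
```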

24 Jan 2010

GRE Tunnel w/ IPsec protection, (and ISAKMP association using RSA keys)



1. Generate an RSA Public Key for our router.
#crypto key generate rsa general-keys label R1

Here you can see the generated key. Do the above also for R2, and copy paste their public keys to each other in the next step.
#sh crypto key mypubkey rsa
% Key pair was generated at: 12:35:34 UTC Jan 24 2010
Key name: R1
Usage: General Purpose Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D35594 62FB3925
22EBD28E A64B12A7 2D0D44C1 DD28F9BF 8BA52834 516FC231 F1791352 A90ADEE0
A61E77C7 5F132B9E 11193B08 B338D531 D40EE40D 9699E742 DF020301 0001
% Key pair was generated at: 13:35:36 UTC Jan 24 2010
Key name: R1.server
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00A4764D E3D85AFD
2E9254C0 DBB88E08 CE86FA63 8D82C08C D11F14DF AF9264C9 2F5C1CBC 7081C66D
DFE73BB3 66E5A354 48B73EF0 3773545B F5BACBA7 CEBA55DA 4D3D52A1 0B62BFFD
BA93A21E 9B65D23F 9A843994 FAAEB67E BF565A6F 38A8DC3A D5020301 0001

2. Create a key chain. Addressed to router R2 with its IP address and copy paste its public key in here.
#crypto key pubkey-chain rsa
addressed-key 10.1.1.6
key-string
Enter a public key as a hexidecimal number ....
(PASTE HERE)
and use quit to finish


Download project files for GNS3

23 Jan 2010

IPsec VPN Lab, with stateful failover (SSO, Dual Interface Model)



Lots of stuff going on here.
We have two sites for our company named Central-Office and Branch-33.

The CO is connected to our ISP w/ two edge routers, CE_1 w/ an E3 line and CE_2 w/ a backup E1 line. Our Branch-33 site is using R4, which will establish the IPsec tunnels, allowing the private networks 10.1.33.0/21 to talk to the central office 10.1.8.0/21 networks.

Behind them are the two IPsec concentrators (R1 and R2, Cisco 7200 routers) which have public IP addresses on their outward-facing interfaces. Here all 4 routers are connected to a switch, but of course in a production network you would have redundant switches there also.

Two first hop redundancy plans are integrated: an HSRP group facing our internal network and an HSRP group facing our edge routers, which also provides the IPsec redundancy.

Crypto maps are setup as SSO stateful failover, R1 acting as the primary IPsec point, with R2 being the standby.

There is an extra flavor as IP SLA and reachability tracking is done, where R1 and R2 check their next-hop routers to the outside world, CE_1 & CE_2. No routing protocol is run inside our company, for clarity's sake. Thus we have two static default routes w/ different AD and the mentioned ICMP tracking.

One note, considering the stateful failover: "Each time an active device relinquishes control to become the standby device, the active device will reload. This functionality ensures that the state of the new standby device synchronizes correctly with the new active device." (Ref) So since Dynamips doesn't support reloading, the router's dynamips process will crash and you must shut down and turn on the router again to get it going.

Download Project files for GNS3

Links:
Cisco High Availability Solution: Stateful Failover for IPsec
Fun with IPsec stateful failover @ packetlife

22 Jan 2010

IPsec VPN Lab, (using Dynamic crypto Map)



In this lab we connect the 3 sites of our company using secure IPsec VPN connections.

The ISP network consists of 4 Routers which are running EIGRP between them.

Our headquarters is connected to the ISP with the CE_4 router.
The branch offices, CE_5 being Branch1, and CE_8 Branch2.

Networks are 192.168.0.0/21 behind CE_4, the edge router.
In Branch 1 we have 192.168.16.0/20 networks. (Simulated with loopback int)
In Branch 2 there are the 192.168.8.0/21 networks.

This setup demonstrates all the IPsec negotiation and tunnel establishment using a dynamic map on CE_4. The key point is to create the relationship between the static crypto map and the dynamic one.

Due to our ISAKMP policy we are using a pre-shared key for authentication, which is defined as a wildcard so our VPN peers can connect using whichever address they have.

# crypto isakmp key address 0.0.0.0

Here are the lab files for gns3. Download

Good Reading:
Wildcard Pre-Shared Key Enhancement @cisco
Security Commands: crypto dynamic-map through ctype @cisco

21 Jan 2010

IPSEC VPN session status

Status of VPN Sessions

IKE SA            IPsec SAs              VPN Tunnel Status
----------------  ---------------------  -----------------
Exists, active    Exists (flow exists)   UP-ACTIVE
Exists, active    None (flow exists)     UP-IDLE
Exists, active    None (no flow exists)  UP-IDLE
Exists, inactive  Exists (flow exists)   UP-NO-IKE
Exists, inactive  None (flow exists)     DOWN-NEGOTIATING
Exists, inactive  None (no flow)         DOWN-NEGOTIATING
None              Exists (flow exists)   UP-NO-IKE
None              None (flow exists)     DOWN
None              None (no flow exists)  DOWN


SDM Hints

I was using Firefox 3.5.1 and jre 1.6.12 (java6 update 12), some of the wizards were not launching. For example the Site-to-Site VPN and GRE Tunnel wizards.

I downgraded my JavaVM to jre 1.6.0.3 and now all is working fine.

For documentation, requirements and installations goto SDM@cisco

To connect to your router via SDM:

#ip http server
#ip http secure-server
#ip http authentication local
#username privilege 15 password 0

16 Jan 2010

My Cisco Certifications Plan

Ok, here's my 2 year plan on the certifications front.

22 Jan 2010, CCNP 3/4 ISCW Exam (topics)
19 Feb 2010, CCNP 4/4 ONT Exam (topics)

5 Nov 2010, CCIE R&S Written Exam (topics)
1 July 2011, CCIE R&S Lab in Brussels! (topics)

11 Jan 2010

LDP (Label Distribution Protocol)

LDP is the protocol that distributes label bindings for FECs between LSRs (Label Switching Routers). The LIB (Label Information Base) of an MPLS enabled router is the table in which all the bindings are kept. The LIB is populated by information from LDP, MP-BGP and RSVP.
LDP carries the labels for interior routes, from the IGP.
MP-BGP distributes routes for BGP prefixes, and RSVP is used in MPLS-TE.

LDP Functions:
Discovery of other LSRs
Session establishment, management
Advertisement of Labels
Housekeeping, notification

Two types of Adjacency:

Hello adjacency: LDP Hellos to 224.0.0.2 (all routers multicast), using UDP Port 646 for both source and destination. These hellos are sent on all MPLS enabled interfaces. Hello/Holdtime = 5/15sec default.




Transport session: After the Hello discovery, the LSRs will establish a TCP transport session on TCP/646. One of them will take the active role (initiating the TCP connection to port 646) and the other will take the passive role (listening on TCP/646). The LSR with the higher transport IP address will take the passive role.

LSRs will exchange session parameters with Initialization Messages, which contain info as LDP version, label distribution method, timer values, etc.

If they agree, a transport session is established. If not, it is re-tried. This cycle uses the LDP initial/maximum backoff timers, with defaults of 15/120 seconds.

The session is kept open as long as an LDP message or a Keepalive is heard. The session holdtime is 180 seconds. The interval of Keepalive messages is 60 sec.

You can list the ldp parameters used by the router:


Example keep alive messages. Sent back and forth in 60sec intervals.



Useful commands
mpls ldp router-id interface [force]
mpls ldp discovery transport-address {interface | ip-address}
mpls ldp discovery hello {holdtime | interval} seconds
mpls ldp backoff initial-backoff maximum-backoff
mpls ldp holdtime seconds

show mpls ldp discovery detail
show mpls ldp neighbor neighbor-ip detail
show mpls ldp parameters


Ref: LDP neighbor discovery.. @Networkers-Online

10 Jan 2010

MPLS Header & Labels

Ref: Geert's blog

MPLS header contains a 20bit Label field.
Labels 0-15 are reserved.

Label 0: Explicit Null
Label 1: Router alert label
Label 2: Explicit Null IPv6
Label 3: Implicit Null
Label 14: OAM alert label

6 Jan 2010

AToM (Any Transport over MPLS) Lab

So here we have an AToM (Any Transport over MPLS) lab, which is also known as a Martini pseudowire.

Provider Core Routers R1,R2,R3,R4 serve as the label switching MPLS Core. The Provider Edge routers PE_1,PE_2 connect to Customer networks. The IGP running on the provider network is IS-IS.
We have a Customer HQ and a Branch Office which have connections to the same ISP.
A VPN Tunnel is built between the PE_1 <-> PE_2 to connect the customer private network.

GNS3 Project file @ Filefront

3 Jan 2010

Collection of OSPF Labs

Here are some of the labs I've created when studying for the CCNP Exams:

1. OSPF Network w/ two areas connected to the Backbone Area 0. One of the networks being a Totally Stub Area w/ redundant connections to the backbone. Download Project Files



2. Based on project above, with an extra Area 99 added via a Virtual-Link. Download Project Files



3. Backbone Area on a Point to Multipoint Frame-Relay network. A chance to observe different ospf area types. And also the DR/BDR relations and configurations in two different areas. Download

2 Jan 2010

Collection of IS-IS Labs

A collection of IS-IS labs created by me, during CCNP Studies.

1. Based around a Frame-Relay Backbone, with 3 areas and their L1/L2 routers. Download project files



2. A different and more complex topology, with Frame Relay p2p links and other good stuff thrown in. Download

1 Jan 2010

VRRP Timer tips

The default timer for VRRP advertisements by the master router is 1 second.
The holdtime is 3 times this and defaults to around 6 seconds.

VRRP timers must either be the same in the group, or the routers must be "set to learn" these timers, because if a VRRP backup router receives a VRRP advertisement w/ a different timer than the one it has configured, the packet will be discarded. This will cause both routers to think they are masters!

If routers are set to "learn timers", then the adv. timer learned from the VRRP adv. packet will override the one in the config.

(config-if)# vrrp 1 timers learn

If you want to use timers in msec, this must be defined on all the VRRP group routers, because when using msec timers, the learn-timers-from-master feature will not work.

R1(config-if)#vrrp 1 timer adv msec 200
R1(config-if)#vrrp 1 timer learn
% cannot learn timer values when millisecond timers are configured
R1(config-if)#

Note: In VRRP, a sub-second hello timer results in a hello timer of 1 second being sent. So if you set msec timer on one router and a non-default non-learning vrrp on another, they won't talk to each other!


Ref: VRRP @ Cisco
Very good investigation of the topic: (HSRP,VRRP,GLBP timers)

NAT Order of Operation

To summarize, there's the old way of NATting (domain-based NAT) and the new way introduced with 12.3(T), NAT Virtual Interface (NVI).

In domain-based NAT:
Packets arriving on the outside interface are first translated, then routed.
For packets arriving on the inside interface, the routing decision is made first, then the translation and forwarding.

In NVI-based NAT:
Translation/routing is done in a symmetric manner. The routing lookup is performed twice: first to send the packet to the NVI, second to route the packet using the post-translated addresses.

References: The Inside and Outside of Nat : CCIE Journey
NAT Order of Operation @ Cisco