Author Archives: ddib
In the previous post I talked about why you should build a network of people to both help you in your career and to improve your own skillset. How does one build this network of people?
There are endless ways of building a network and the ways I describe here are based on my personal experience. That said, I do believe that there are some common factors regardless of what approach you take.
Interacting in Forums – There are a lot of forums available, forums for Cisco Learning Network, Cisco Support Community, training vendor forums, product forums, vendor forums. These are often the best resources for getting help on a product and finding those golden nuggets of information that are not always available from the official documentation. There are often very skilled and experienced people in these forums answering posts and writing posts. Try to contribute to the forums and to learn from them and start interacting with these people. Many forums have some form of ranking which makes it easier to spot the people that are the most active on the forums.
I started writing a lot on CLN several years ago and that has been very beneficial for Continue reading
Building a strong network of people is very important in creating a successful career in IT. In this first post we will look at why building a network is important, and in the following posts we will look at how to actually build the network and how to make sure that you are also contributing to the network and not only exploiting it.
If you came here to read about connecting cables or routing protocols, sorry, this is not that kind of post. This post is about how to build a network of people.
People often underestimate the power of having a big reach in the industry through a network of people. I often hear in my role that I’m almost too effective sometimes. Part of that is because I have a very good network of people that I trust and rely on. In this post we will look at WHY you want to build a network of people.
The Borg Mind – Have you heard of Star Trek? No? Are you sure you work in IT? Jokes aside, there is a species called the Borg in the series that does not so nice things. What is nice about Continue reading
My friend Nick Russo just took the SPv4 lab and passed it. This is his story.
On 8 March 2016, I passed Cisco’s CCIE Service Provider version 4 lab exam. It was my second attempt. I realize there is little information on the Internet about this test because it is still rather new. This blog post will detail my personal strategy for passing the CCIE SPv4 lab exam. Most CCIEs and CCDEs agree that a smart strategy is a critical part of passing any Cisco expert-level lab; many folks are technically proficient but need to remain organized to be effective.
Note: the views expressed in this blog post are mine alone and do not necessarily represent the views of Cisco. No correlation between my comments and Cisco’s recommended study strategies should be made. Also note that no technical exam content is discussed here in accordance with Cisco’s CCIE NDA. Comments fishing for such information will be deleted.
First, the new blueprint has 3 sections: Troubleshooting (TSHOOT), Diagnostic (DIAG), and Configuration (CONFIG). The CCIE SPv4 program explains these topics in detail within the new blueprint so that is not discussed again here. Since each section is slightly different, one should have Continue reading
Introduction
In the previous post I showed some of the options to interconnect two ASes so that a customer can buy a VPN in two different locations from two different SPs. There is another technology called Carrier Supporting Carrier or Carrier of Carriers. This technology is used when a customer buys a circuit from an SP, Internet service or L3 VPN, and that SP uses another SP to carry their traffic between the locations. The SP connecting the customer is then the customer carrier and the SP providing the backbone is the backbone carrier. It is also possible to combine CSC with the Inter-AS options from the previous post; I will show an example of this being used in a real life network in the research world.
Carrier Supporting Carrier
CSC is a technology used to expand the reach of an SP by using another SP as transport. The concept is shown in the following diagram.
The customer carrier is providing a service to the customer. It can be an Internet service, MPLS switched or not, or an MPLS L3 VPN. The CSC VPN service provides MPLS transport for the customer carrier. It is also sometimes referred to as Continue reading
Introduction
Sometimes a customer needs an L3 VPN between two locations where the same SP is not present. This can be on a national or international basis. It would be possible to buy an Internet circuit and run an overlay such as DMVPN, but what if the customer wants to buy an MPLS VPN circuit?
The customer could buy a VPN from SP1 in location1 and a VPN from SP2 in location2. The two SPs would then have to exchange traffic somehow to make the customer circuit end to end. The concept is shown in the following topology.
The customer connects to the PE of each of the SPs. The SPs need to interconnect at some common point, either through a public peering place such as an IX or with a private interconnect at a common location. The routers that connect to each other are called autonomous system border routers (ASBRs). There are three main options and a fourth option which combines two of the others.
Inter-AS Option A
Option A is the simplest of the options to interconnect the ASBRs. Each customer VRF requires either a physical interface or, more likely, a subinterface. Option A has Continue reading
Introduction
BGP Confederations are one of two tools a network designer has to work around the full mesh requirement of iBGP. BGP confederations are defined in RFC 5065 which obsoletes RFC 3065. This is how the RFC defines BGP confederations:
This document describes an extension to BGP that may be used
to create a confederation of autonomous systems that is
represented as a single autonomous system to BGP peers
external to the confederation, thereby removing the “full mesh”
requirement. The intention of this extension is to aid in
policy administration and reduce the management complexity
of maintaining a large autonomous system.
The other option to work around the full mesh requirement is of course route reflection.
BGP Confederation Operation and Use Case
BGP confederations work by having several sub ASes or member ASes that are used internally to divide the BGP domain. From the outside they all look like they are the same AS though. By breaking up the BGP domain, there will be fewer iBGP peerings, which makes the full mesh requirement easier to handle. Do note though that it’s entirely possible to use route reflection within a member AS to combine the two technologies.
BGP confederations made a Continue reading
Introduction
This post will look at the steps involved in BGP convergence and how it interacts with IGP to converge.
Any network of scale will use route reflectors (RRs), so this post will focus on deployments with RRs. Networks running a full mesh will have all paths available, which makes hot potato routing and fast convergence easily achievable, at the cost of scaling and management overhead. A combination of full mesh and RRs is also possible, where one scenario would be to run a full mesh within a point of presence (PoP) and RRs within the PoP, peering with central RRs.
BGP can be used for both internal (iBGP) and external (eBGP) peerings, and convergence and timers differ depending on whether the peering is internal or external.
BGP is a path vector protocol which means that it behaves as a distance vector protocol where it can only advertise routes that are installed into the RIB. There is an exception to the rule when BGP selective route download (SRD) is used to not download routes to the RIB but still advertise the routes. BGP will by default only install one path into the RIB even if there are multiple equal candidates and it Continue reading
There has been a lot happening around VIRL the last few weeks. A new version of VIRL was just released, and today the VIRL team announced that they are adding support for running VIRL in the cloud.
Cisco has chosen to work together with Packet, a bare metal cloud provider. This is how Packet describes themselves.
At Packet, we're out to build a better internet by supercharging the container revolution with smart, API-driven bare metal. Our platform brings the price and performance benefits of bare metal servers to the cloud, powering highly-available performance workloads through a unique, never-congested network.
The following picture summarizes why Cisco has chosen Packet.
Compared to Amazon AWS, Packet is a bare metal cloud provider which means that the resources you rent will be dedicated to you. Packet does not run any hypervisors, meaning that the workloads are not virtualized.
If you have an existing install of VIRL, you can use Terraform by HashiCorp to provision your new VIRL server at Packet. I had never heard of Terraform before; this is how HashiCorp describes Terraform.
Today we announce Terraform, a tool for safely and efficiently building, combining, and launching infrastructure. From Continue reading
This post will describe some of the crypto design considerations for DMVPN.
DMVPN Overview and Crypto Overhead
First let’s have a quick recap of what Dynamic Multipoint VPN (DMVPN) is. DMVPN is an overlay technology where multipoint GRE tunnels are used to form an overlay across which a routing protocol runs. DMVPN is a hub and spoke technology where the DMVPN hub acts as a centralized control plane. DMVPN uses Next Hop Resolution Protocol (NHRP) to register the IP addresses of the spokes with the hub. When a router looks in its routing table, the next-hop will be the IP address of the tunnel, not the real outside IP which must be used for the GRE encapsulation. To find the outside IP of the spoke, NHRP is used to resolve the next-hop to the real outside IP.
DMVPN runs over public transport. This means that it’s possible to snoop the traffic while in transit. To prevent this from happening, DMVPN is often combined with IPSec to encrypt the packets. IPSec can run in two modes, transport mode and tunnel mode. In transport mode, the original IP header is not encrypted and there is no additional IP Continue reading
Introduction to GET VPN
GET VPN is a Cisco proprietary technology aimed at private WAN designs where there is a need to encrypt the traffic. This may be due to regulatory requirements or just a need to keep traffic private. GET VPN is commonly deployed over private WAN topologies such as MPLS VPN or VPLS.
GET VPN uses IPSec to encrypt the traffic but the main concept of GET VPN is to use group security association (SA) as opposed to the standard LAN to LAN tunnels where the SA is created in a point to point fashion.
Technologies such as DMVPN require overlaying a secondary routing infrastructure through the tunnels, while GET VPN can use the underlying routing infrastructure. Traditional point to point IPSec tunneling solutions suffer from multicast replication issues because the replication must be performed before tunnel encapsulation and encryption at the router closest to the source. The provider will see all traffic as unicasts due to the overlay, which means that replication cannot be performed in the provider network.
In GET VPN, all group members (GMs) share a common SA which is also known as the group SA. A GM can then decrypt traffic that was encrypted Continue reading
I’m currently working on a design and needed to verify some failover behavior of the Cisco ASA firewall.
The ASA can run in active/active or active/standby mode, where most deployments I see run in active/standby mode. When in a failover pair the firewalls will share an IP address and MAC address, very similar to HSRP or VRRP, but it also synchronizes the state of TCP sessions, IPSec SAs, routes and so on. The secondary firewall gets its config from the primary firewall so everything is configured exactly the same on both firewalls.
To verify if the other firewall is reachable and to synchronize state, a failover link is used between the firewalls. The firewalls use a keepalive to verify if the other firewall is still there. This works just like any routing protocol running over a link where you expect to see a hello from your neighbor and if you miss 3 hellos, the other firewall is gone. This timer can be configured and in my tests I used a hello of 333 ms and a holdtime of 999 ms which means that convergence should happen within one second.
The first scenario I was testing was to manually trigger a Continue reading
I’m preparing for the CCDE practical and I was doing a practice scenario by Jeremy Filliben and I realized that I’m not comfortable with all of the WAN speeds so I might as well write a blog post on it. I was familiar with some of them like T1, E1, DS3, OC-192 etc but there are still some I could not remember. This post will describe some of the most commonly used WAN rates.
Some of the CCDE scenarios are based on upgrading a network or migrating from an old network. In real life it’s likely that most service providers will already have moved to Ethernet, but it makes a more interesting scenario to build a network mimicking the FRR capabilities of SDH, for example.
Digital Signal 0 (DS0) is a rate that was introduced to carry a digitized single call at 64 kbits/s. A DS1 can transport 24 DS0 and runs at 1544 kbit/s. Note that 24 * 64 is 1536 but the extra 8 kbit/s is used for frame synchronization. A DS3 runs at 44736 kbit/s and can transport 28 DS1 or 672 DS0. A T3 also runs at the same rate as a DS3. Continue reading
Nick Russo is a good friend of mine who just took the CCIE SPv4 exam. As far as I know he’s one of the first to attempt it and this blog may be the first actual review of the lab experience. Here is Nick’s story from the CCIE SPv4 lab.
On 2 Feb 2016, I attempted the CCIE SPv4 lab exam for the first time. I have not seen nor heard of anyone else attempting it; the proctor at RTP mentioned that only “a few” people take it each month and everyone has done poorly. That was both a good and bad thing: good, because after leaving the test I felt confident that I had done respectably. If I failed, it wouldn’t have been by much. It was bad because it choked me up for a minute or so, reminding me that I am crossing into uncharted territory with this exam. Every time I read a question I always had a general idea of how to solve it, even the trick questions with which Cisco hopes to catch you.
As a general comment, there is a ton of IOS XR on this exam. Unlike SPv3, there aren’t a few XR Continue reading
Summary: By preparing a plan and strategy for the CCIE lab, the chance of passing will be a lot higher.
Over the years I have written about the CCIE multiple times and also mentored people on how to prepare for the lab. This post will summarize my experience of how to prepare for the CCIE lab. This post assumes that the CCIE written has already been successfully passed.
The first thing to do if you haven’t done it already is to make sure you have the support from your family before starting to prepare for the lab. Explain to them the time that you will need to put in to prepare and also explain why you want to do it and what the benefits of doing it will be. Preparing for the lab can take 1000-2000h which is a big commitment. Don’t bypass this step as it may seriously affect your family situation if you do.
Once you have committed it is time to grade yourself. Go through the blueprint for the track you are preparing for at the Cisco Learning Network. Grade yourself on each topic from 1-5 on where you believe you are today. Make a realistic assessment, Continue reading
This post will briefly discuss the challenges of manually setting up MPLS-TE tunnels and how Auto Tunnels can lessen the burden of MPLS-TE tunnels.
One of the main challenges with traffic engineering and MPLS-TE is the number of tunnels that will be needed. To set up tunnels between all PEs may not be a scalable solution. For a provider with 200 PEs, 199 tunnels would have to be configured on each PE, and that is if only one traffic class is used. This would mean that 39800 tunnels would be present in the network. If you then want to add a tunnel for voice at each PE you end up with 398 tunnels per PE and a total of 79600 tunnels.
Another option is to enable tunnels only on the P routers. If the number of P routers is 20, then each P router would need 19 tunnels and we would have 380 tunnels in total, or 760 if adding an extra tunnel for voice. This is a much more reasonable number. It would require enabling LDP over the tunnels if MPLS L3VPNs are in use to have an end to end LSP. With the P to P tunnels we Continue reading
To kick off the new year, I will give you a review of the CCDE Practical Workbook by Orhan Ergun, CCIE #26567 and CCDE #2014:17.
Orhan is a friend and has provided the workbook to me for reviewing. I would like to make it clear that being a friend or providing a product for free does not give any leverage when I review a product. I always give my honest opinion when reviewing a product.
Orhan is a CCDE trainer running the website orhanergun.net and he writes and blogs a lot about network design. He has written a practical workbook to aid CCDE candidates in their studies for the CCDE practical.
As with any workbook for any exam, your expectations must be realistic before purchasing a product. You can only get as much out of a workbook as the effort you put into your studying. A workbook is not a complete solution that will be your only source of studying. You must do additional reading, and lots of it.
The CCDE practical workbook is divided into sections such as layer two, layer three, MPLS, BGP, multicast and so on. Each section starts with some introduction to each technology and Continue reading
A couple of days ago I passed the Cisco Certified Design Expert (CCDE) Qualification Exam which means that I am now eligible to take the CCDE practical. I’m aiming to give that a try in May. This post will give some insight into what a candidate needs to pass the CCDE Qualification exam and how to study for it.
The CCDE is a very broad exam. The ideal candidate must have a very strong background in Routing & Switching (RS) and Service Provider (SP) technologies. These are the meat of the exam. It is also desirable to have a decent knowledge of Data Center (DC) and security technologies. It’s also desirable to have a basic understanding of wireless and storage technologies.
It’s difficult to study for the CCDE and the CCDE Qualification Exam if you don’t have enough experience in the real world. While a person can study for the CCIE without a lot of experience, doing the same for the CCDE is difficult because design and network architecture requires implementation experience and design experience. The ideal candidate should be CCIE RS and SP certified already or have the equivalent knowledge of someone that is. Does that mean that it’s Continue reading
Just in time for Thanksgiving, Cisco has released version 1.0 of the popular network simulation tool VIRL. This is a major new release, moving from OpenStack Icehouse to OpenStack Kilo. This means that your previous release of VIRL will NOT be upgradeable; only a fresh install is available. Cisco has started mailing out a link to the new release and I received my download link yesterday. It is also possible to download the image from the Salt server to the VM itself and then SCP it out from the VM; this is described in the release notes here.
The following platform reference VMs are included in this release:
There are also Linux container images included. These are the following:
This means that it will be a lot easier to do traffic generation, bandwidth testing and simulating a WAN by inserting delay, packet loss and jitter. It’s great to see Continue reading
I have been running some QoS tests lately and wanted to share some of my results. Some of this behavior is described in various documentation guides but it’s not really clearly described in one place. I’ll describe what I have found so far in this post.
QoS is only active during congestion. This is well known, but it’s not as well known how congestion is detected. The TX ring is used to hold packets before they get transmitted out on an interface. This is a hardware FIFO queue, and when the queue gets filled, the interface is congested. When buying a subrate circuit from an SP, something must be added to create the backpressure so that the TX ring is considered full. This is done by applying a parent shaper and a child policy with the actual queue configuration.
The LLQ is used for high priority traffic. When the interface is not congested, the LLQ can use all available bandwidth unless an explicit policer is configured under the LLQ.
A normal queue can use more bandwidth than it is guaranteed when there is no congestion.
When a normal queue wants to use more bandwidth than it is guaranteed, it can if Continue reading
Introduction
This post will discuss different design options for deploying firewalls and Intrusion Prevention Systems (IPS) and how firewalls can be used in the data center.
Firewall Designs
Firewalls have traditionally been used to protect inside resources from being accessed from the outside. The firewall is then deployed at the edge of the network. The security zones are then referred to as “outside” and “inside” or “untrusted” and “trusted”.
Anything coming from the outside is by default blocked unless the connection was initiated from the inside. Anything from the inside going out is allowed by default. The default behavior can of course be modified with access-lists.
It is also common to use a Demilitarized Zone (DMZ) when publishing external services such as e-mail, web and DNS. The goal of the DMZ is to separate the servers hosting these external services from the inside LAN to lower the risk of having a breach on the inside. From the outside only the ports that the service is using will be allowed in to the DMZ, such as ports 80, 443, 53 and so on. From the DMZ only a very limited set of traffic will be allowed Continue reading