
Category Archives for "Daniels networking blog"

CCDE – Introduction to GET VPN and GET VPN Design Considerations

Introduction to GET VPN

GET VPN is a Cisco proprietary technology aimed at private WAN designs where there is a need to encrypt the traffic. This may be due to regulatory requirements or just a need to keep traffic private. GET VPN is commonly deployed over private WAN topologies such as MPLS VPN or VPLS.

GET VPN uses IPSec to encrypt the traffic, but the main concept of GET VPN is to use a group security association (SA) as opposed to standard LAN-to-LAN tunnels, where the SA is created in a point-to-point fashion.

Technologies such as DMVPN require overlaying a secondary routing infrastructure through the tunnels, while GET VPN can use the underlying routing infrastructure. Traditional point-to-point IPSec tunneling solutions suffer from multicast replication issues because the replication must be performed before tunnel encapsulation and encryption at the router closest to the source. The provider will see all traffic as unicasts due to the overlay, which means that replication cannot be performed in the provider network.

In GET VPN, all group members (GMs) share a common SA which is also known as the group SA. A GM can then decrypt traffic that was encrypted Continue reading

Firewall – Some Insight into the Cisco ASA Failover Process

I’m currently working on a design and needed to verify some failover behavior of the Cisco ASA firewall.

The ASA can run in active/active or active/standby mode, where most deployments I see run in active/standby mode. When in a failover pair the firewalls will share an IP address and MAC address, very similar to HSRP or VRRP, but it also synchronizes the state of TCP sessions, IPSec SAs, routes and so on. The secondary firewall gets its config from the primary firewall so everything is configured exactly the same on both firewalls.

To verify if the other firewall is reachable and to synchronize state, a failover link is used between the firewalls. The firewalls use a keepalive to verify if the other firewall is still there. This works just like any routing protocol running over a link where you expect to see a hello from your neighbor and if you miss 3 hellos, the other firewall is gone. This timer can be configured and in my tests I used a hello of 333 ms and a holdtime of 999 ms which means that convergence should happen within one second.

The first scenario I was testing was to manually trigger a Continue reading

CCDE – WAN Speeds and Basic Voice Calculation

I’m preparing for the CCDE practical and I was doing a practice scenario by Jeremy Filliben and I realized that I’m not comfortable with all of the WAN speeds so I might as well write a blog post on it. I was familiar with some of them like T1, E1, DS3, OC-192 etc but there are still some I could not remember. This post will describe some of the most commonly used WAN rates.

Some of the CCDE scenarios are based on upgrading a network or migrating from an old network. In real life it’s likely that most service providers will already have moved to Ethernet, but it makes a more interesting scenario to build a network mimicking the FRR capabilities of SDH, for example.

Digital Signal 0 (DS0) is a rate that was introduced to carry a digitized single call at 64 kbits/s. A DS1 can transport 24 DS0 and runs at 1544 kbit/s. Note that 24 * 64 is 1536 but the extra 8 kbit/s is used for frame synchronization. A DS3 runs at 44736 kbit/s and can transport 28 DS1 or 672 DS0. A T3 also runs at the same rate as a DS3. Continue reading

CCIE – CCIE SPv4 Review by Nick Russo

Nick Russo is a good friend of mine who just took the CCIE SPv4 exam. As far as I know he’s one of the first to attempt it and this blog may be the first actual review of the lab experience. Here is Nick’s story from the CCIE SPv4 lab.

On 2 Feb 2016, I attempted the CCIE SPv4 lab exam for the first time. I have not seen nor heard of anyone else attempting it; the proctor at RTP mentioned that only “a few” people take it each month and everyone has done poorly. That was both a good and bad thing: good, because after leaving the test I felt confident that I had done respectably. If I failed, it wouldn’t have been by much. It was bad because it choked me up for a minute or so, reminding me that I am crossing into uncharted territory with this exam. Every time I read a question I always had a general idea of how to solve it, even the trick questions with which Cisco hopes to catch you.

As a general comment, there is a ton of IOS XR on this exam. Unlike SPv3, there aren’t a few XR Continue reading

CCIE – How to Prepare for the CCIE Lab

Summary: By preparing a plan and strategy for the CCIE lab, the chance of passing will be a lot higher.

Over the years I have written about the CCIE multiple times and also mentored people on how to prepare for the lab. This post will summarize my experience of how to prepare for the CCIE lab. This post assumes that the CCIE written has already been successfully passed.

The first thing to do if you haven’t done it already is to make sure you have the support from your family before starting to prepare for the lab. Explain to them the time that you will need to put in to prepare and also explain why you want to do it and what the benefits of doing it will be. Preparing for the lab can take 1000-2000h which is a big commitment. Don’t bypass this step as it may seriously affect your family situation if you do.

Once you have committed it is time to grade yourself. Go through the blueprint for the track you are preparing for at the Cisco Learning Network. Grade yourself on each topic from 1-5 on where you believe you are today. Make a realistic assessment, Continue reading

CCDE – MPLS-TE Auto Tunnels

This post will briefly discuss the challenges of manually setting up MPLS-TE tunnels and how Auto Tunnels can lessen the burden of MPLS-TE tunnels.

One of the main challenges with traffic engineering and MPLS-TE is the number of tunnels that will be needed. To set up tunnels between all PEs may not be a scalable solution. For a provider with 200 PEs, 199 tunnels would have to be configured on each PE, and that is if only one traffic class is used. This would mean that 39800 tunnels would be present in the network. If you then want to add a tunnel for voice at each PE you end up with 398 tunnels per PE and a total of 79600 tunnels.

Another option is to enable tunnels only on the P routers. If the number of P routers is 20, then each P router would need 19 tunnels and we would have 380 tunnels in total, or 760 if adding an extra tunnel for voice. This is a much more reasonable number. It would require enabling LDP over the tunnels if MPLS L3VPNs are in use, to have an end-to-end LSP. With the P to P tunnels we Continue reading

CCDE – Review Of CCDE Practical Workbook By Orhan Ergun

To kick off the new year, I will give you a review of the CCDE Practical Workbook by Orhan Ergun, CCIE #26567 and CCDE #2014:17.

Orhan is a friend and has provided the workbook to me for reviewing. I would like to make it clear that being a friend or providing a product for free does not give any leverage when I review a product. I always give my honest opinion when reviewing a product.

Orhan is a CCDE trainer running the website orhanergun.net and he writes and blogs a lot about network design. He has written a practical workbook to aid CCDE candidates in their studies for the CCDE practical.

As with any workbook for any exam, your expectations must be realistic before purchasing a product. You can only get as much out of a workbook as the effort you put into your studying. A workbook is not a complete solution that will be your only source of studying. You must do additional reading, and lots of it.

The CCDE practical workbook is divided into sections such as layer two, layer three, MPLS, BGP, multicast and so on. Each section starts with some introduction to each technology and Continue reading

CCDE – CCDE Qualification Exam Passed

A couple of days ago I passed the Cisco Certified Design Expert (CCDE) Qualification Exam which means that I am now eligible to take the CCDE practical. I’m aiming to give that a try in May. This post will give some insight into what a candidate needs to pass the CCDE Qualification exam and how to study for it.

The CCDE is a very broad exam. The ideal candidate must have a very strong background in Routing & Switching (RS) and Service Provider (SP) technologies. These are the meat of the exam. It is also desirable to have a decent knowledge of Data Center (DC) and security technologies. It’s also desirable to have a basic understanding of wireless and storage technologies.

It’s difficult to study for the CCDE and the CCDE Qualification Exam if you don’t have enough experience in the real world. While a person can study for the CCIE without a lot of experience, doing the same for the CCDE is difficult because design and network architecture requires implementation experience and design experience. The ideal candidate should be CCIE RS and SP certified already or have the equivalent knowledge of someone that is. Does that mean that it’s Continue reading

Network Simulation – Cisco Releases VIRL 1.0

Just in time for Thanksgiving, Cisco has released version 1.0 of the popular network simulation tool VIRL. This is a major new release, moving from OpenStack Icehouse to OpenStack Kilo. This means that your previous release of VIRL will NOT be upgradeable; only a fresh install is available. Cisco has started mailing out a link to the new release and I received my download link yesterday. It is also possible to download the image from the Salt server to the VM itself and then SCP it out from the VM; this is described in the release notes.

The following platform reference VMs are included in this release:

  • IOSv – 15.5(3)M image
  • IOSvL2 – 15.2.4055 DSGS image
  • IOSXRv – 5.3.2 image
  • CSR1000v – 3.16 XE-based image
  • NX-OSv 7.2.0.D1.1(121)
  • ASAv 9.5.1
  • Ubuntu 14.4.2 Cloud-init

There are also Linux container images included. These are the following:

  • Ubuntu 14.4.2 LXC
  • iPerf LXC
  • Routem LXC
  • Ostinato LXC

This means that it will be a lot easier to do traffic generation, bandwidth testing and simulating a WAN by inserting delay, packet loss and jitter. It’s great to see Continue reading

General – Behavior Of QoS Queues On Cisco IOS

I have been running some QoS tests lately and wanted to share some of my results. Some of this behavior is described in various documentation guides but it’s not really clearly described in one place. I’ll describe what I have found so far in this post.

QoS is only active during congestion. This is well known, but it’s not as well known how congestion is detected. The TX ring is used to hold packets before they get transmitted out on an interface. This is a hardware FIFO queue and when the queue gets filled, the interface is congested. When buying a subrate circuit from a SP, something must be added to achieve the backpressure so that the TX ring is considered full. This is done by applying a parent shaper and a child policy with the actual queue configuration.

The LLQ is used for high priority traffic. When the interface is not congested, the LLQ can use all available bandwidth unless an explicit policer is configured under the LLQ.

A normal queue can use more bandwidth than it is guaranteed when there is no congestion.

When a normal queue wants to use more bandwidth than it is guaranteed, it can if Continue reading

CCDE – Firewall And IPS Design Considerations

Introduction

This post will discuss different design options for deploying firewalls and Intrusion Prevention Systems (IPS) and how firewalls can be used in the data center.

Firewall Designs

Firewalls have traditionally been used to protect inside resources from being accessed from the outside. The firewall is then deployed at the edge of the network. The security zones are then referred to as “outside” and “inside” or “untrusted” and “trusted”.

CCDE basic firewall inside and outside

Anything coming from the outside is by default blocked unless the connection was initiated from the inside. Anything from the inside going out is allowed by default. The default behavior can of course be modified with access-lists.

It is also common to use a Demilitarized Zone (DMZ) when publishing external services such as e-mail, web and DNS. The goal of the DMZ is to separate the servers hosting these external services from the inside LAN to lower the risk of a breach on the inside. From the outside only the ports that the service is using will be allowed in to the DMZ, such as ports 80, 443, 53 and so on. From the DMZ only a very limited set of traffic will be allowed Continue reading

Network Simulation – Cisco VIRL Increases Node Count

Great news everyone. Some of you might have seen that I created a petition to increase the node limit in VIRL. I know there have been discussions within Cisco about the node limit and surely our petition wasn’t the single thing that convinced the VIRL team but I know that they have seen it and I’m proud that we were able to make a difference!

On November 1st the node limit will be increased to 20 nodes for free! That’s right, you get 5 extra nodes for free. There will also be a license upgrade available that gets you to 30 nodes. I’m not sure of the pricing yet for the 30 node limit so I will get back when I get more information on that.

When the community comes together, great things happen! This post on Cisco VIRL will get updated as I get more information. Cisco VIRL will be a much more useful tool now to simulate the CCIE lab and large customer topologies. I tip my hat to the Cisco VIRL team for listening to the community.


CCDE – Load Balancer Designs

Introduction

This post will describe different load balancer designs, the pros and cons of the designs and how they affect the forwarding of packets.

Load Sharing Vs Load Balancing

The terms load sharing and load balancing often get intermixed. An algorithm such as Cisco Express Forwarding (CEF) does load sharing of packets, meaning that packets get sent on a link based on parameters such as source and destination MAC address, source and destination IP address or, in some cases, also the layer 4 ports in the IP packet. The CEF algorithm does not take into consideration the utilization of the link or how many flows have been assigned to each link. Load balancing, on the other hand, tries to utilize the links more evenly by tracking the bandwidth of the flows and assigning flows to the different links based on this information. The goal is to distribute the traffic across the links as evenly as possible. However, load balancing is mostly used to distribute traffic to different servers to share the load among them.

Why Load Balancing?

What warrants the use of a load balancer? Think of a web site such as facebook.com. Imagine the number of users Continue reading

CCNA – Operation Of IP Data Networks 1.5

We move on to the next topic which is

1.5 Predict the data flow between two hosts across a network

This is a very important topic for the CCNA. It may feel a bit overwhelming at first to grasp all the steps of the data flow but as a CCNA you need to learn how this process works. We will start out with an example where two hosts are on the same LAN and then we will look at an example which involves routing as well.

The first topology has two hosts H1 and H2 with IP addresses 10.0.0.10 and 10.0.0.20 respectively.

CCNA Basic LAN 1

Host 1 and Host 2 are both connected to Switch 1 and have not communicated previously. H1 has the MAC address 0000.0000.0001 and H2 has the MAC address 0000.0000.0002. H1 wants to send data to H2; which steps are involved?

1. H1 knows the destination IP of H2 (10.0.0.20) and runs a logical AND with its subnet mask to determine that they are on the same subnet.
2. H1 checks its ARP cache, which is empty for 10.0.0.20.
3. H1 generates ARP message Continue reading

CCNA – Operation Of IP Data Networks 1.4

It’s time for the next topic for the CCNA.

1.4 Describe the purpose and basic operation of the protocols in the OSI and TCP/IP models

There are tons of books written on the OSI and TCP/IP model so I won’t describe these models in depth here. What I will do is explain what you need to know at each level and explain how the real world works. We have two models, one from OSI and one from DOD.

CCNA OSI vs DOD model

In real life everyone references the OSI model. I’ve never heard anyone reference the DOD model, which doesn’t mean it doesn’t have its merits, but everyone always uses the OSI model as a reference.

The OSI model has seven layers but people sometimes joke that layer 8 is financial and layer 9 is political.

Starting out with the physical layer, what you need to know is auto negotiation. Auto negotiation is good; hard coding speed and duplex will no doubt lead to ports that are hard coded on one side and auto on the other side ending up in half duplex. Gone are the days when auto negotiation wasn’t compatible and led to misconfigured Continue reading

CCDE – Optical Design Considerations

Introduction

As a network architect you should not have to know all the details of the physical and data link layer. What you need to know though is how different transports can support the topology that you are looking to build. If you buy a circuit from an ISP, what protocols can you run over it? Is running MPLS over the circuit supported? What’s the maximum MTU? Is it possible to run STP over the link? This may be important when connecting data centers together through a Data Center Interconnect (DCI).

To be able to connect two data centers together, you will need to either connect via fibre or over a wavelength or buy circuits from an ISP. Renting a fibre will likely be more expensive but also more flexible if you have the need to run protocols such as MPLS over the link. For a pure DCI, just running IP may be enough so there could be cost savings if buying a circuit from an ISP instead.

For a big enough player it may also be feasible to build it all yourself. This post will look at the difference between Coarse Wave Division Multiplexing (CWDM) and Dense Wave Division Continue reading

CCNA – Operation of IP Data Networks 1.3

We move on to the next topic:

1.3 Identify common applications and their impact on the network

When you work in networking, it’s important to have an understanding of how applications work and what are their characteristics. Is it sensitive to packet loss? Is it sensitive to jitter? What ports does it use? Let’s have a look at some of the common applications that you need to be aware of for the CCNA certification.

HTTP

HTTP is the most important protocol on the Internet. The major part of all traffic from the Internet is HTTP. With sites like Facebook, Youtube, Netflix, this will not decrease in the future, rather web traffic will dominate even more. HTTP is normally run on TCP port 80 but it’s possible to run it on custom ports as well. Because HTTP runs over TCP, it is not very sensitive to packet loss and it does not have strict requirements for delay or jitter. However, people still don’t have a lot of patience for a web page loading and if there is a lot of packet loss, it may affect streaming services such as Netflix or services where downloading/uploading of files is done. From a Continue reading

CCNA – Operation of IP Data Networks 1.2

The next topic for CCNA is:

1.2 Select the components required to meet a given network specification

I wish the blueprint would have been a bit clearer on what they mean with this topic but it’s reasonable to think that it’s about picking routers and switches depending on the networking requirements.

Picking a router or switch will depend on what kind of circuit is bought from the ISP, whether the service is managed, the number of users on the network, the number of subnets needed and whether there are requirements for NAT and/or firewalling, among many other decision points. Since this is the CCNA RS we will pretend that devices such as the Cisco ASA, which can be used for small offices to do both firewalling and routing, do not exist.

I’ll give different examples and we’ll look at which devices make sense and why to pick one device over another.

MPLS VPN circuit
10 users
One subnet (data)
No need to NAT
No need for firewall

The MPLS VPN circuit is a managed service, meaning that the ISP will have a Customer Premises Equipment (CPE) at the customer. In other words, the ISP will put a router at the Continue reading

CCNA – Operation of IP Data Networks 1.1

We kick off the CCNA series from the beginning. Operation of IP data networks is weighted as 5% in the CCNA RS blueprint. The first topic is:

1.1 Recognize the purpose and functions of various network devices such as routers, switches, bridges and hubs

Router

A router is a device that routes between different networks, meaning that it looks at the IP header and more specifically the destination IP of a packet to do forwarding. It uses a routing table which is populated by static routes and routes from dynamic protocols such as RIP, EIGRP, OSPF, ISIS and BGP. These routes are inserted into the Routing Information Base (RIB). The routes from different sources compete against each other and the best route gets inserted into the RIB. To define how trustworthy a route is, there is a metric called Administrative Distance (AD). These are some of the common AD values:

0          Connected route
1          Static route
20         External BGP
90         EIGRP
110        OSPF
115        ISIS
120        RIP
200        Internal BGP
255        Don't install

If a value of 255 is used, the route will not be installed in the RIB, as the route is deemed not trustworthy at all.

The goal Continue reading

CCNA RS Workbook

Hi everyone,

People that know me know that I have always been keen on giving back to the community and helping people in their studies. On that note, I have decided to start creating content for a CCNA RS workbook which will be published online. The goal is to take the blueprint and cover one item from the blueprint in each post.

I hope this will be helpful for people in their CCNA studies.