And now the big reveal. The reason I haven’t been blogging or doing much of anything for some time now is because I’ve had a teeny tiny side project going on:
And this week I passed the lab exam! I am CCIE 47321 (Routing and Switching).
I work as a Network Engineer at a Research Center in Silicon Valley. Being the only ‘network guy’ here, I’m responsible for the management of all networking devices like Routers, Switches, Firewalls, Radius Servers, VPNs, Wireless controllers, Linux servers, etc, etc… For a couple years, we have been trying to replace our ageing and end-of-life […]
The post How we upgraded the entire Network Infrastructure in 2 weeks appeared first on Packet Pushers Podcast and was written by Kunal Vaidya.
Quality of Service configuration for the traffic entering/leaving a VPN tunnel may require some special considerations. In this article, I am going to focus on interactions between QoS and IPSec on IOS and the ASA.
There are two methods of deploying QoS for VPNs – you can match the original (Clear-text/ unencrypted) traffic flows or the actual VPN (Aggregate traffic). This second option can be useful when you want to apply a single QoS policy to all packets leaving a tunnel, no matter what are the original sources and destinations protected by the VPN.
We have got a VPN tunnel built between R1 and ASA. R6 and 10.1.1.0/24 are protected networks
Let’s start on IOS (R1). The VPN tunnel is already up – we will configure a basic QoS Policy to enable LLQ for delay-sensitive traffic, such as Voice (I assume these are all packets with DSCP of EF). Note that this configuration would normally match all EF-colored packets (including non-VPN EF traffic), but since we won’t have any clear-text EF flows in this network we don’t really care:
class-map match-all VOICE
match dscp ef
policy-map QOS
class VOICE
priority
int f0/0
service-policy output QOS
Voice traffic Continue reading
Part 1 of this blog series created a topology, much like you see below, where we configured a single vE (virtual expansion) port from MDS1 to MDS2 across an IP network. We merged VSAN 10 across this FCIP tunnel and verified it by looking into the FCNS database and ensuring that we saw entries from both sides. Today we are going to build upon this topology, and get into some more advanced features like changing the default TCP port, setting DSCP values for the two TCP streams, and controlling who initiates the tunnel!
So first things first…the default port for FCIP is TCP port 3225. We will terminate both of our TCP streams on this port (we have 1 stream for control and another for data traffic). Essentially 1 of the MDS’s will initiate the connection to the other, and their destination port will be TCP/3225. Their source port will be some high-number ephemeral port by default (usually over 65000). We can look at the output of a ‘show int fcip #’ to find out who initiated, and on which ports!
MDS1-6(config-if)# show int fcip1
fcip1 is trunking
Hardware is GigabitEthernet
Port WWN is 20:10:00:0d:ec:1f:a4:00
Peer port WWN is Continue reading
