AI, ML, Development + Cisco Learning Blog Learning about Machine Learning, Artificial Intelligence, related development topics and formerly Routing and Switching, Datacenter, Security and other topics, CCIE #23664, Frank Wagner

19. Oktober 2006

DSCP values and usage guidelines

Filed under: QoS — ocsic @ 16:24
------------------------------------------------------------------
|   Service     |  DSCP   |    DSCP     |       Application        |
|  Class name   |  name   |    value    |        Examples          |
|===============+=========+=============+==========================|
|Administration |  CS7    |   111000    | Heartbeats, SSH, Telnet  |
|---------------+---------+-------------+--------------------------|
|Network Control|  CS6    |   110000    | Network routing          |
|---------------+---------+-------------+--------------------------|
| Telephony     | EF,CS5  |101010,101000| IP Telephony             |
|---------------+---------+-------------+--------------------------|
| Multimedia    |AF41,AF42|100010,100100| Video conferencing       |
| Conferencing  |  AF43   |100110       | Interactive gaming       |
|---------------+---------+-------------+--------------------------|
| Multimedia    |AF31,AF32|011010,011100|Broadcast TV, Pay per view|
| Streaming     |AF33, CS4|011110,100000|Video surveillance        |
|---------------+---------+-------------+--------------------------|
| Low Latency   |AF21,AF22|010010,010100|Client/server transactions|
|   Data        |AF23, CS3|010110,011000|peer-to-peer signaling    |
|---------------+---------+-------------+--------------------------|
|High Throughput|AF11,AF12|001010,001100|Store&forward applications|
|    Data       |AF13, CS2|001110,010000|Non-critical OAM&P        |
|---------------+---------+-------------+--------------------------|
|    Standard   | DF,(CS0)|   000000    | Undifferentiated         |
|               |         |             | applications             |
|---------------+---------+-------------+--------------------------|
| Low Priority  | CS1     |   001000    | Any flow that has no BW  |
|     Data      |         |             | assurance                |
------------------------------------------------------------------

Source:

http://tools.ietf.org/html/draft-baker-diffserv-basic-classes-01
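The table lists the codepoints by name. As an added example (not from the post or the draft it cites), the Python below derives the values from the naming rules the table follows: CS n puts n in the top three bits, AF xy puts class x in the top three bits and drop precedence y in the next two, and EF is 46 (101110) per RFC 3246. It also converts between a DSCP and the TOS byte a packet capture shows, which is what you need when writing an ACL that matches on dscp or reading a "tos 0xb8" in tcpdump output.

```python
import re

DSCP_EF = 46  # Expedited Forwarding, RFC 3246: binary 101110


def dscp_from_name(name):
    """Return the 6-bit DSCP value for a PHB name (DF/CS0, CS1..CS7, AF11..AF43, EF)."""
    n = name.strip().upper()
    if n in ("DF", "CS0", "BE"):
        return 0
    if n == "EF":
        return DSCP_EF
    m = re.fullmatch(r"CS([1-7])", n)
    if m:                                   # class selector: class in bits 5-3, low bits 000
        return int(m.group(1)) << 3
    m = re.fullmatch(r"AF([1-4])([1-3])", n)
    if m:                                   # assured forwarding: class x in bits 5-3, drop precedence y in bits 2-1
        return (int(m.group(1)) << 3) | (int(m.group(2)) << 1)
    raise ValueError(f"unknown DSCP name {name!r}")


def name_from_dscp(value):
    """Inverse mapping; returns None for a codepoint that has no standard name."""
    if not 0 <= value <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if value == 0:
        return "DF"
    if value == DSCP_EF:
        return "EF"
    cls, low = value >> 3, value & 0b111
    if low == 0:
        return f"CS{cls}"
    drop = low >> 1
    if low & 1 == 0 and 1 <= cls <= 4 and 1 <= drop <= 3:
        return f"AF{cls}{drop}"
    return None


def dscp_bits(value):
    """Six-bit string in the form used in the table, e.g. 34 -> '100010'."""
    return format(value, "06b")


def tos_byte_from_dscp(value, ecn=0):
    """DSCP occupies the top six bits of the IP TOS / traffic class byte, ECN the low two."""
    return (value << 2) | (ecn & 0b11)


def dscp_from_tos_byte(tos):
    """What tcpdump prints as 'tos 0xb8' decodes to DSCP 46, i.e. EF."""
    return (tos & 0xFF) >> 2


if __name__ == "__main__":
    for name in ("CS7", "CS6", "EF", "AF41", "AF31", "AF21", "AF11", "DF", "CS1"):
        v = dscp_from_name(name)
        print(f"{name:5} dscp={v:2} bits={dscp_bits(v)} tos=0x{tos_byte_from_dscp(v):02x}")
```

The round trip through name_from_dscp is useful when a capture shows a value that does not match the policy you expect: an unnamed codepoint (one that returns None) is usually a sign of marking done by a device that should not be trusted to mark.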

18. Oktober 2006

CCIE Lab Blueprint R&S

Filed under: Lab — ocsic @ 15:11

Added CBAC since the last time I checked it.

  1. Bridging and Switching
    1. Frame relay
    2. Catalyst configuration: VLANs, VTP, STP, trunk, management, features, advanced configuration, Layer 3
  2. IP IGP Routing
    1. OSPF
    2. EIGRP
    3. RIPv2
    4. IPv6: Addressing, RIPng, OSPFv3
    5. GRE
    6. ODR
    7. Filtering, redistribution, summarization and other advanced features
  3. BGP
    1. IBGP
    2. EBGP
    3. Filtering, redistribution, summarization, synchronization, attributes and other advanced features
  4. IP and IOS Features
    1. IP addressing
    2. DHCP
    3. HSRP
    4. IP services
    5. IOS user interfaces
    6. System management
    7. NAT
    8. NTP
    9. SNMP
    10. RMON
    11. Accounting
  5. IP Multicast
    1. PIM, bi-directional PIM
    2. MSDP
    3. Multicast tools, source specific multicast
    4. DVMRP
    5. Anycast
  6. QoS
    1. Quality of service solutions
    2. Classification
    3. Congestion management, congestion avoidance
    4. Policing and shaping
    5. Signaling
    6. Link efficiency mechanisms
    7. Modular QoS command line
  7. Security
    1. AAA
    2. Security server protocols
    3. Traffic filtering and firewalls
    4. Access lists
    5. Routing protocols security, catalyst security
    6. CBAC
    7. Other security features

Source:

http://www.cisco.com/web/learning/le3/ccie/rs/lab_exam_blueprint.html

CCIE lab checklist

Filed under: Lab — ocsic @ 08:56

CCIE Routing and Switching Lab checklist
This checklist is an adapted version of JongSoo Kim’s popular checklist for the CCIE Routing and Switching Lab exam revised for 2006.
Exam Topics:
• Frame Relay
• Catalyst 3550
• OSPF
• RIP
• EIGRP
• Golden Moment
• BGP
• IPv6
• Multicast
• IOS/IP service
• QoS
• Security
________________________________________

1. Spend a few minutes to understand the point distribution between the core requirements (L2, IGP, and BGP) and the non-core ones (IOS, Service, Security, and Multicast)
2. Spend a few minutes to understand the topology. Figure out the core network, stub network, BB, et cetera.
3. Create Alias commands in notepad and copy/paste them to all routers. One of my favourite Alias is „show run | b Se“
4. Frame Relay (10~15 min.)
Configure router by router rather than interface by interface. Always configure interfaces in the following order:
1) enc frame-relay
2) no frame inverse
3) no shut
Check to see if spoke-to-spoke connectivity is required by checking the core IGP section. Ping spoke-to-spoke if possible, not hub-to-spoke.
If PPP over FR is required, always create the virtual template (VT) first, then user/password
5. Catalyst 3550 (15~20 min.)
5.1. Read the task and create a VLAN table as listed below:
VL Router CAT1 CAT2 Router VL
10 R1 f0/0——f0/1 f0/2——f0/0 R2 10
20 R3 f0/1——f0/3 f0/4——f0/0 R4 30
40 R5 f0/0——f0/5
40 R6 f0/1——f0/6
f0/23—f0/23
f0/24—f0/24
vl 10 vl 40
client vtp server vtp
5.2. Configure CAT1 and CAT2 and validate configuration
5.3. Read task once again and make sure nothing is missed.
5.4. Ping vlan by vlan. Select only one device and ping all others on a specific vlan. There is no need to ping from multiple interfaces on the same vlan. Don’t wait for ARP resolution.
L2 is over between 30~50 min. (Worst case = 60 min.)
6. OSPF (25~45 min.)
6.1. Draw a diagram to configure OSPF router by router rather than area by area. (10 min.)
Check whether authentication is required, whether stub or NSSA areas need to be configured and whether a virtual link is necessary. Make notes for route redistribution, summarization and aggregation. Pay attention to DR/BDR election and OSPF network type.
6.2. Configure OSPF router by router based on drawing in Black w/ green high-lighter (10~30 min.)
6.2.1. Always configure interface in this order
1) OSPF network type based on DR/BDR, hello interval, et cetera
2) authentication
3) priority
4) Loopback interface OSPF network type.
6.2.2. Configure OSPF process in this order
1) router-id
2) network (copy/paste from interface address)
3) neighbor
6.2.3. Validate everything is working (5 min.)
6.3. Do redistribute, summary, area range (5 min.)
6.4. Avoid any engagement with giant beasts. Instead make a note.
OSPF takes about 25~45 min. (total 55 ~1:45)
7. RIP (20~30 min.)
Warning: It is very tricky!
7.1. Draw RIP topology next to the OSPF drawing in blue (2 min.)
7.2. Check if interfaces are active or passive. Pay attention to RIP update method (multicast, broadcast or unicast), version and authentication. Never assume the default version is 2, no auto-summary, multicast, et cetera. This selection can be applied to each direction of the interface.
7.3. Configure router by router (5 min.) per drawing
7.4. validate everything is working (3 min.)
7.5. Spend enough time to be absolutely correct on route-filter, summary, et cetera (5 min.)
7.6. If mutual redistribution is required, make sure whether it is multi-exit point or single-exit point. Don’t forget the metric. If it is multi-exit point, write down „rip subnets“ on notepad and do the following (5 min.)
7.6.1. „redistribute ospf“ under „router rip“
Pitfall: Protect RIP routes re-entering from OSPF: „Deny rip routes and permit all“ route-map for „redistribute ospf“ to RIP. Don’t wait after „clear ip route * “ is issued.
7.6.2. „redistribute rip subnets“ under „router ospf“
Pitfall: Protect OSPF external routes re-entering from RIP: „Permit only rip routes“ route-map for „redistribute rip subnets“ to OSPF. Don’t wait after „clear ip route * “ is issued.
7.6.3. distance 121 0.0.0.0 255.255.255.255 11 under „router OSPF“
Pitfall: Fix the redistributing router’s AD for RIP routes: distance 121 0.0.0.0 255.255.255.255 11 „access-list 11 permit rip routes“. I saw sometimes this takes quite a few seconds. Don’t do „clear ip OSPF“ or I will end up spending more time just for watching.
RIP is over 20 ~30 min (total 1:15 ~ 2:15)
8. EIGRP (20~30 min.)
8.1. Draw EIGRP topology into the OSPF drawing in black w/o highlighter (2 min.)
8.2. Determine non/passive/active EIGRP interfaces. Keep in mind that the BB can be multicast/unicast. Load-balance, authentication, stub, summary address (5 min.)
8.3. Configure router by router (5 min) per drawing
8.4. validate (5 min.)
8.5. Spend enough time to be absolutely correct on route-filter, summary, etc (5 min.)
8.6. If mutual redistribution is required, make sure whether it is multi-exit point or single-exit point. If it is multi-exit point, write down „eigrp subnets“ on notepad (5 min.)
8.6.1. „redistribute ospf“ under „router eigrp“
Protect EIGRP external routes re-entering from OSPF
„Deny eigrp routes and permit all“ route-map for „redistribute ospf“ to EIGRP. Make sure the metric is configured.
8.6.2. „redistribute eigrp subnets“ under „router ospf“
Protect OSPF external routes re-entering from EIGRP
„Only permit eigrp routes“ route-map for „redistribute ospf“ to EIGRP. Make sure the metric is configured.
8.6.3. distance 121 0.0.0.0 255.255.255.255 11 under „router OSPF“
Fix the redistributing router’s AD for EIGRP external routes
distance 121 0.0.0.0 255.255.255.255 11 „access-list 11 permit eigrp routes“
I saw sometimes this takes quite a few seconds. Don’t do „clear ip OSPF“ or I will end up spending more time just for watching. Technically, only EIGRP external routes need to be covered, but including EIGRP internal routes won’t hurt and keeps it simple.
EIGRP is over in 20~30 min. (total 1:35 ~ 2:45)
9. Golden Moment (5~30 min.)
Check for the Golden Moment (per NMC): the exciting moment when you get a ping response from every router to every router.
9.1. Run tclsh script
„foreach addr {
1.1.1.1

} { ping $addr }“
Just copy/paste after tclsh (it is really cool when you see pings go through from everywhere to everywhere). To quit, type „tclq“.
9.2. When a ping gets no response, write down the IP address and troubleshoot. The drawing will be an excellent tool for troubleshooting.
Full reachability is done in 5~30 min. (2:05~4:00)
10. BGP (20~40 min.)
10.1. Draw a BGP topology on a separate paper. (3 min.)
10.2. Determine RR or confederation or both to do full-mesh iBGP. See if neighbor peer-group is required, decide which IP address to use for the BGP session.
10.3. Configure router by router, not BGP session by session; always put no sync and no auto-summary if allowed.
10.4. Spend enough time to be absolutely correct on route-filtering (ACL, prefix-list, as-path filter), route-aggregate (w/ as-set, summary-only, suppress-map, attribute-map, advertise-map), route-manipulation (w/as-pretending, med, local-pref, weight, next-hop, advertise-map/non/existing-map, origin, community, etc) route-dampening, et cetera.
10.5. validate config. Don’t wait for route updates after „clear ip bgp *“. It takes longer than a minute to complete.
BGP is over in 20~40 min. (2:25 ~ 4:40) My target is before lunch!
11. IPv6 (10 min.)
11.1. Draw a simple diagram (1 min.)
11.2. Watch out for link-local addresses over FR multilink.
The SLA ID is the 4th 16-bit field:
16bit:16bit:16bit:SLA ID(16 bit) : interface ID( 64 bits)
site-local = FEC0::
link-local = fe80::
11.3. Check full reachability using tcl script or just manual ping depending on the number of routers.
IPv6 is over 10 min. (total 2:35 ~ 4:50)
Core routing is done. You should have at least three hours to go. Strategy will depend on how much time you have left at this moment.
12. Multicast (15 min.)
12.1. Mark a Mcast topology with red highlighter on the OSPF drawing.
12.2. Determine mcast topology (dense-mode, static RP pim sparse, Auto-rp/MA, pim V2 bsr, Auto-rp/MA/MSDP).
12.3. Configure router-by-router
12.4. validate config
12.5. If second part is difficult, skip by making a note.
13. IOS/IP service
Warning: Be careful not to block or drop any IGP updates
13.1. Just check quickly and do the easy ones first.
13.2. Skip difficult tasks by making a note.
14. QoS
Warning: Be careful not to block or drop any IGP updates
14.1. Draw a flow on paper instead of in your head.
14.2. Always determine classification method (ACL, NBAR) and direction.
14.3. Determine shaping vs. policing
14.4. Consider all options for queuing (legacy custom/priority, bandwidth/priority, shape average/peak, FRTS/GTS)
14.5. consider all options for policing (police, rate-limit, ip multicast rate-limit, aggregate police (3550))
14.6. If frame-relay, don’t forget adaptive-shaping.( becn, fecn, foresight)
14.7. Consider all dropping mode (random detect, ecn, tail drop, marking, etc)
15. Security
Warning: Be careful not to block or drop any IGP updates
15.1. Draw a flow on paper instead of in your head.
15.2. Consider all options for classification: std/ext/reflexive/dynamic ACL, IP inspect, TCP intercept, unicast RPF, ip accounting output-packets/access-violations/precedence
15.3. When configuring switchport port-security mac-address, be careful to include the virtual and the physical MAC if HSRP is running.

17. Oktober 2006

ipv6 subnetmask calculation

Filed under: IPv6 — ocsic @ 17:55

The relevant prefixes from BB2 are:

2001:205:
2001:200:
2001:222:

The first hexadecimal fields are the same, so you can at least use a mask of /16.
But let’s look for a more specific one, i.e. for bits to add.

The second field also consists of 16 bits, so written out in full the numbers are:

1234  (hex digit positions)
----
0205
0200
0222

In binary this is:

0205 = 0000 0010 0000 0101
0200 = 0000 0010 0000 0000
0222 = 0000 0010 0010 0010

If you AND these numbers:

0000 0010 0000 0101
0000 0010 0000 0000
0000 0010 0010 0010
-------------------
0000 0010 0000 0000

That’s 2001:0200: then.

To get the right CIDR notation, look at which bits differ between the prefixes and are therefore needed for the subnet:

XOR
0000 0010 0000 0101
0000 0010 0000 0000
0000 0010 0010 0010
-------------------
0000 0000 0010 0111

xxxx xxxx xx: the first 10 bits are identical, so all of them are usable for the netmask.
16+10=26

So the mask is 2001:200::/26

Source:

http://www.internetworkexpert.com/resources/01700370.htm
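The same calculation can be done for any number of prefixes in a few lines of Python. This is an added example, not from the post or the linked page: it XORs each address with the first and ORs the results, which gives exactly the differing-bit mask shown above (0000 0000 0010 0111 in the second field); the length of the leading zero run is the prefix length. The three BB2 prefixes are the post's, padded with :: to full addresses.

```python
from ipaddress import IPv6Address, IPv6Network

# The three BB2 prefixes from the post, padded to full 128-bit addresses.
BB2_PREFIXES = ["2001:205::", "2001:200::", "2001:222::"]


def differing_bits(addresses):
    """Integer mask with a 1 wherever at least one address differs from the first."""
    ints = [int(IPv6Address(a)) for a in addresses]
    if not ints:
        raise ValueError("need at least one address")
    mask = 0
    for x in ints[1:]:
        mask |= ints[0] ^ x
    return mask


def common_prefix_length(addresses):
    """Number of leading bits shared by all addresses: 128 minus the position
    of the highest differing bit."""
    return 128 - differing_bits(addresses).bit_length()


def summary_network(addresses):
    """Smallest single prefix covering all addresses; 2001:200::/26 for the post's data.
    strict=False clears the host bits of the first address for us."""
    n = common_prefix_length(addresses)
    return IPv6Network((int(IPv6Address(addresses[0])), n), strict=False)


def second_field_bits(address):
    """The second 16-bit field in binary, as in the post's worked table."""
    value = (int(IPv6Address(address)) >> 96) & 0xFFFF
    return format(value, "016b")


def differing_second_field_bits(addresses):
    """Second field of the differing-bit mask, to compare with the post's result line."""
    value = (differing_bits(addresses) >> 96) & 0xFFFF
    return format(value, "016b")


if __name__ == "__main__":
    for a in BB2_PREFIXES:
        print(f"{a:12} second field {second_field_bits(a)}")
    print("differ       ", differing_second_field_bits(BB2_PREFIXES))
    print("summary      ", summary_network(BB2_PREFIXES))
```

Because the mask is built from pairwise differences against one reference address, it stays correct when the same bit differs in several addresses, which is where doing the arithmetic by hand on more than two prefixes tends to go wrong.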

15. Oktober 2006

FTP passive and active mode

Filed under: Security,services — ocsic @ 10:45

FTP supports two transfer modes. In the first, active mode, the client initiates the control connection to the server on port 21; the server then binds its side to port 20 and opens the data connection to a port above 1023 on the client.

With passive FTP, both connections are established from the client to TCP ports 21 and 20 on the server.

(Figure: FTP connections)
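The security-relevant consequence of the two modes is that the data connection's endpoint is negotiated on the control channel: in active mode the client announces it in a PORT command, in passive mode the server announces it in the 227 reply (RFC 959), so a stateful filter such as CBAC has to read those lines to know which second connection to permit. The Python below is an added example, not part of the post: it decodes the h1,h2,h3,h4,p1,p2 tuple from constructed sample lines and returns the data connection to expect for each mode, refusing announcements that point at a third host or at a privileged port. The client and server addresses and the sample lines are constructed.

```python
import re
from ipaddress import IPv4Address

# Constructed sample control-channel lines (not captured traffic).
SAMPLE_PORT_CMD = "PORT 192,0,2,10,4,1\r\n"                                 # active mode
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (198,51,100,7,195,80).\r\n"  # passive mode

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 reply (RFC 959).
    The port is p1*256 + p2."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in line")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("tuple element out of range")
    return str(IPv4Address(f"{h1}.{h2}.{h3}.{h4}")), p1 * 256 + p2


def expected_data_connection(line, client_ip, server_ip):
    """Return the data connection a stateful filter should allow for this control line as
    (src_ip, src_port, dst_ip, dst_port); src_port None means any ephemeral port.
    Returns None for lines that announce no data endpoint."""
    head = line.strip().upper()
    if head.startswith("PORT "):             # active: client announces its own listener
        ip, port = decode_hostport(line)
        if ip != client_ip:                   # only accept endpoints on the peer itself
            raise ValueError("PORT announces an address other than the client")
        if port <= 1023:
            raise ValueError("data port must be above 1023")
        return (server_ip, 20, ip, port)      # server connects from port 20
    if head.startswith("227 "):               # passive: server announces its own listener
        ip, port = decode_hostport(line)
        if ip != server_ip:
            raise ValueError("227 announces an address other than the server")
        if port <= 1023:
            raise ValueError("data port must be above 1023")
        return (client_ip, None, ip, port)    # client connects from an ephemeral port
    return None


if __name__ == "__main__":
    client, server = "192.0.2.10", "198.51.100.7"
    print("active :", expected_data_connection(SAMPLE_PORT_CMD, client, server))
    print("passive:", expected_data_connection(SAMPLE_PASV_REPLY, client, server))
```

The two address checks are the reason a filter should not simply trust the tuple: an announcement naming some other host would otherwise open a hole for a connection to that host.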

5. Oktober 2006

CQ Custom Queuing

Filed under: QoS — ocsic @ 17:29
  • Custom Queuing has 16 queues available.
  • All queues are serviced in a round-robin fashion.
  • Bandwidth is specified in terms of byte count and queue length
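To make the three bullets concrete, here is an added Python model of the byte-count round robin; it is the editor's simplification, not IOS code. Each configured queue sends packets until its byte-count is reached, and the packet that crosses the threshold is still sent whole, which is why a byte-count smaller than the packet size gives that queue more than its nominal share. The byte-count and limit values model the "queue-list N queue Q byte-count B" and "queue-list N queue Q limit L" commands; the traffic mix is constructed.

```python
from collections import deque


class CustomQueuing:
    """Toy model of Custom Queuing: up to 16 queues serviced round-robin, each with a
    byte-count (bytes sent per visit) and a limit (packets held before tail drop)."""
    MAX_QUEUES = 16
    DEFAULT_BYTE_COUNT = 1500   # IOS default byte-count
    DEFAULT_LIMIT = 20          # IOS default queue limit

    def __init__(self):
        self.byte_count, self.limit, self.queues, self.dropped = {}, {}, {}, {}

    def configure(self, qid, byte_count=DEFAULT_BYTE_COUNT, limit=DEFAULT_LIMIT):
        if not 1 <= qid <= self.MAX_QUEUES:
            raise ValueError("custom queuing has 16 queues (1-16)")
        self.byte_count[qid] = byte_count
        self.limit[qid] = limit
        self.queues[qid] = deque()
        self.dropped[qid] = 0

    def enqueue(self, qid, packet_bytes):
        """Tail-drop when the queue already holds 'limit' packets."""
        q = self.queues[qid]
        if len(q) >= self.limit[qid]:
            self.dropped[qid] += 1
            return False
        q.append(packet_bytes)
        return True

    def service_round(self):
        """One round-robin pass. A queue sends until at least byte-count bytes have gone
        out or it is empty; the packet that crosses the threshold is sent whole."""
        sent = {}
        for qid in sorted(self.queues):
            q, total = self.queues[qid], 0
            while q and total < self.byte_count[qid]:
                total += q.popleft()
            sent[qid] = total
        return sent

    def run(self, rounds):
        totals = {qid: 0 for qid in self.queues}
        for _ in range(rounds):
            for qid, nbytes in self.service_round().items():
                totals[qid] += nbytes
        return totals


def share_demo():
    """Two always-backlogged queues with byte-counts 3000 and 1000 and 1000-byte packets
    (constructed): returns per-queue bytes sent over five rounds, a 3:1 split."""
    cq = CustomQueuing()
    cq.configure(1, byte_count=3000, limit=40)
    cq.configure(2, byte_count=1000, limit=40)
    for _ in range(40):
        cq.enqueue(1, 1000)
        cq.enqueue(2, 1000)
    return cq.run(5)


def overshoot_demo():
    """byte-count 1000 but 1500-byte packets: each visit still sends a whole packet, so the
    queue gets 1500 bytes per round, more than its nominal share."""
    cq = CustomQueuing()
    cq.configure(1, byte_count=1000, limit=10)
    for _ in range(5):
        cq.enqueue(1, 1500)
    return cq.service_round()[1]


if __name__ == "__main__":
    print("3000:1000 byte-counts ->", share_demo())
    print("byte-count 1000, 1500-byte packets ->", overshoot_demo(), "bytes per round")
```

The overshoot is the practical lesson: choose byte-counts as multiples of the typical packet size, or the resulting bandwidth split will not be the one the numbers suggest.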

3. Oktober 2006

Order of operations on interfaces

Filed under: interfaces — ocsic @ 19:50

Here’s the order of operations for the inside-to-outside list:

  • If IPSec, then check input access list
  • Decryption—for Cisco Encryption Technology (CET) or IPSec
  • Check input access list
  • Check input rate limits
  • Input accounting
  • Policy routing
  • Routing
  • Redirect to Web cache
  • NAT inside to outside (local to global translation)
  • Crypto (check map and mark for encryption)
  • Check output access list
  • Inspect context-based access control (CBAC)
  • TCP intercept
  • Encryption

Here’s the order of operations for the outside-to-inside list:

  • If IPSec, then check input access list
  • Decryption—for CET or IPSec
  • Check input access list
  • Check input rate limits
  • Input accounting
  • NAT outside to inside (global to local translation)
  • Policy routing
  • Routing
  • Redirect to Web cache
  • Crypto (check map and mark for encryption)
  • Check output access list
  • Inspect CBAC
  • TCP intercept
  • Encryption

Source:

http://articles.techrepublic.com.com/5102-1035-6055946.html

Convert from a multicast address to a HW address

Filed under: Bridging + Switching,Multicast — ocsic @ 10:35

Sometimes it may be necessary to block a multicast address on a VLAN.

This can be accomplished by filtering on the corresponding hardware address in that VLAN. It is possible to statically map certain ports for a MAC address, so that only these ports are receivers of the address.

So first it is necessary to convert the multicast address to a hardware address.

The first fields 0100.5e are reserved by the IANA for such demands.

The range is 0100.5e00.0000 through 0100.5e7f.ffff.

Starting with these first digits, append the remaining ones by converting the last octets of the multicast address to hexadecimal.

For example, the multicast address of EIGRP is 224.0.0.10.

This gives:

0 => 00

0 => 00

10 => 0a

So the corresponding MAC address for the EIGRP multicast address 224.0.0.10 is 0100.5e00.000a.

The switch uses IGMP snooping on VLANs to determine the receiving ports, so we first have to disable IGMP snooping for the specific VLAN:

no ip igmp snooping vlan 10

Then it is possible to map the multicast MAC address to specific receiver switchports:

mac-address-table static 0100.5e00.000a vlan 10 int f0/1 f0/2

Now only ports f0/1 and f0/2 receive this multicast address. This only works with IGMP snooping turned off on the switch.

Source:

http://www.hep.ucl.ac.uk/~ytl/multi-cast/addresstranslation_01.html
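As an added example (not from the post or its source), the Python below performs the mapping for any group and also lists the 32 groups that share one MAC: the mapping keeps only the low 23 bits of the group address (RFC 1112), so a static entry or filter on 0100.5e00.000a affects 225.0.0.10, 224.128.0.10 and so on as well as 224.0.0.10. The helper that prints the IOS line follows the post's syntax; the VLAN and port values are constructed.

```python
from ipaddress import IPv4Address

MCAST_MAC_BASE = 0x01005E000000   # 0100.5e00.0000, the IANA block for IPv4 multicast
LOW23_MASK = 0x7FFFFF             # only these bits of the group address survive the mapping


def multicast_ip_to_mac(group):
    """Map an IPv4 multicast group to its Ethernet MAC (RFC 1112): the fixed 25-bit prefix
    01-00-5e plus a 0 bit, followed by the low 23 bits of the group address. The five bits
    after the leading 1110 of the class D address are discarded."""
    addr = IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast (224.0.0.0/4) address")
    mac = MCAST_MAC_BASE | (int(addr) & LOW23_MASK)
    hex12 = f"{mac:012x}"
    return f"{hex12[0:4]}.{hex12[4:8]}.{hex12[8:12]}"   # Cisco dotted-triplet notation


def groups_sharing_mac(group):
    """All 32 IPv4 groups that map to the same MAC as 'group': the discarded five bits
    (bits 23-27 of the address) can take any value without changing the MAC."""
    low = int(IPv4Address(group)) & LOW23_MASK
    return [str(IPv4Address(0xE0000000 | (k << 23) | low)) for k in range(32)]


def static_mac_entry(group, vlan, ports):
    """IOS line in the form the post uses to pin a group's MAC to a set of ports."""
    return f"mac-address-table static {multicast_ip_to_mac(group)} vlan {vlan} int {' '.join(ports)}"


if __name__ == "__main__":
    for g in ("224.0.0.10", "224.0.1.1", "239.255.255.255"):
        print(f"{g:16} -> {multicast_ip_to_mac(g)}")
    print(static_mac_entry("224.0.0.10", 10, ["f0/1", "f0/2"]))   # constructed VLAN/ports
    print("groups sharing 0100.5e00.000a:", ", ".join(groups_sharing_mac("224.0.0.10")))
```

Before pinning or filtering a MAC, run groups_sharing_mac on the group and check that none of the other 31 groups is in use on that VLAN; the switch cannot tell them apart at layer 2.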
