AI, ML, Development + Cisco Learning Blog Learning about Machine Learning, Artificial Intelligence, related development topics and formerly Routing and Switching, Datacenter, Security and other topics, CCIE #23664, Frank Wagner

10. November 2007

loadbalancing with the ACE module for the 6500/7600

Filed under: Bridging + Switching,module types — ocsic @ 14:10

We have a customer who ordered the ACE module for the 6500. The installation will be two 6500s, each with a Sup720. Currently the ACE is only available as a module; Cisco plans to release an appliance next year in February. It’s the follow-up of Cisco’s CSM and CSS. Completely new is the virtualisation part: it’s possible to create up to 250 different contexts, which act as sort of independent hardware load balancers on one machine. The module costs about 80,000$, with a maximum of 16 Gbps throughput and up to 345,000 connections per second.

All traffic is sent through the module, and you define which of it should be load balanced.

The default license comes with 5 contexts and 1000 SSL TPS (transactions per second).

I have been on a three-day course for the ACE module in Berlin from Wednesday this week. It was a very good lab from Flane with a Bulgarian teacher. We did some labs from labgear.net with a virtual web server farm as Linux machines and as clients. Only the ACE module was not virtual :-). All servers/clients have been VMware machines. Quite nice labs to test SSL termination, sticky connections, NAT, layer 4 balancing, layer 7 balancing and other topics.

Seems like the ACE module has been out for some time and the new ACE-20 overcomes some bugs.

Here is an example config, like one we had in the labs, where VLAN 212 is the external and VLAN 412 the internal VLAN. The VIP is the virtual IP that represents all web servers. Here there are some web servers and the VIP 12.16.12.50. With the class-map you define the VIP and what traffic is allowed. Then you also have to set up an access-list on the incoming interface and allow this traffic. Look at this example:

——————————————————————————–

login timeout 0

access-list anyone line 10 extended permit tcp any any

probe icmp pingpong

rserver host d25-lnx1
  ip address 172.168.1.11
  inservice
rserver host d25-lnx2
  ip address 172.168.1.12
  inservice
rserver host d25-lnx3
  ip address 172.168.1.13
  inservice
rserver host d25-lnx4
  ip address 172.168.1.14
  inservice
rserver host d25-lnx5
  ip address 172.168.1.15
  inservice

serverfarm host servers1
  rserver d25-lnx1
    inservice
  rserver d25-lnx2
    inservice
  rserver d25-lnx3
    inservice
  rserver d25-lnx4
    inservice
  rserver d25-lnx5
    inservice

class-map match-all VIP-50
  2 match virtual-address 12.16.12.50 any
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match lb-lo
  class class-default
    serverfarm servers1

policy-map multi-match client-vips
  class VIP-50
    loadbalance vip inservice
    loadbalance policy lb-lo

interface vlan 212
  ip address 12.16.12.5 255.255.255.0
  access-group input anyone
  service-policy input remote-mgmt
  service-policy input client-vips
  no shutdown
interface vlan 412
  description Servers vlan
  ip address 172.168.1.1 255.255.255.0
  no shutdown

——————————————————————————–
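As an added example (not from the original post and not Cisco code), a small Python check that walks an ACE context config in the form shown above and reports references that never resolve: serverfarm entries naming undefined rservers, policies naming undefined class-maps, serverfarms or load-balance policies, and interfaces applying an undefined access-group or service-policy. The sample config is constructed and trimmed, with one planted defect; only the top-level object types and child keywords that appear on this page are recognised, and indentation is assumed to mark block membership as in the listing above.

```python
# Constructed sample trimmed from the ACE context above; planted defect: the serverfarm names rserver d25-lnx3, which is never defined.
SAMPLE_CONFIG = """\
access-list anyone line 10 extended permit tcp any any
rserver host d25-lnx1
  ip address 172.168.1.11
  inservice
serverfarm host servers1
  rserver d25-lnx1
  rserver d25-lnx3
class-map match-all VIP-50
  2 match virtual-address 12.16.12.50 any
policy-map type loadbalance first-match lb-lo
  class class-default
    serverfarm servers1
policy-map multi-match client-vips
  class VIP-50
    loadbalance policy lb-lo
interface vlan 212
  access-group input anyone
  service-policy input client-vips
"""

# Child keyword -> kind of top-level object it must name (the ACE keywords used on this page).
REFS = {"serverfarm": [("rserver ", "rserver")],
        "policy-map": [("class ", "class-map"), ("serverfarm ", "serverfarm"),
                       ("loadbalance policy ", "policy-map")],
        "interface": [("access-group input ", "access-list"), ("service-policy input ", "policy-map")]}

def dangling_references(text):
    """Return (block header, kind, name) for every object referenced but never defined."""
    blocks = []  # (header, [child lines]), grouped by indentation
    for line in filter(str.strip, text.splitlines()):
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    defined = {}
    for header, _ in blocks:
        w = header.split()  # access-list names sit in position 1, all other names come last
        defined.setdefault(w[0], set()).add(w[1] if w[0] == "access-list" else w[-1])
    missing = []
    for header, children in blocks:
        for prefix, kind in REFS.get(header.split()[0], []):
            for child in children:
                if child.startswith(prefix):
                    name = child[len(prefix):].split()[0]
                    if name != "class-default" and name not in defined.get(kind, ()):
                        missing.append((header, kind, name))
    return missing
```

Running it over a full context (for example the output of `show running-config`) before putting a VIP inservice catches the typo class of error where the policy chain looks complete but one link points at nothing.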

New on the command line is that tab completion also works for service-policies and class-maps.

A nice thing, which Juniper has already implemented, is the checkpoint feature. It has nothing to do with Check Point FW-1; it is a handy rollback system for the case that something went wrong or you want to go back to an older configuration. It’s no longer necessary to reload the router: just say, for example, „checkpoint rollback config-name“ and the context loads that configuration and erases the previous one. There is no need to reload the router to clean up the previous configuration from RAM or the running-config; the running-config is replaced completely by the checkpoint created earlier. So you can easily go back to the last saved working configuration. Juniper is even more sophisticated, as you can configure on the system and only later say that this should be applied now.

Probably this will show up in future IOS versions too.
Source:

http://www.cisco.com/en/US/products/ps6906/index.html

Nice comparison between the CSS, CSM and ACE:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_qanda_item0900aecd8045867c.shtml

28 October 2007

road to ccie with dynamips

Filed under: dynamips — ocsic @ 13:48

I came across some topics that do not work with dynamips and that have to be covered with other devices for training. The only problem is with 3560-specific features that are not available on the NM-16ESW:

  • some optionally available STP features, like bpduguard, bpdufilter
  • MSTP
  • layer 3 port-channel
  • different etherchannel protocols; a channel-group can only be turned on, no LACP/PAgP
  • private VLANs
  • SDM modes
  • UDLD
  • port security
  • protected ports
  • QoS-specific configuration of hardware queues like srr-queue
  • port configurations like dynamic, desirable
  • some configurations are similar but do not look the same as on the 3560, for example the VLAN config: on the NM-16ESW only the old vlan database mode is available
  • VTP transparent mode with VLAN numbers from 1006 to 4094. Dynamips only knows VLAN numbers up to 1005, also in transparent mode; some workbooks ask for VLAN numbers greater than 1005, which then implies that you have to use VTP transparent mode

Other features that are not only switching-dependent:

  • clocking feature for serial lines (no need to set up „clock 64000“)

There are probably other features to add here. I will keep completing this list.

10 October 2007

asa 5510 active/active

Filed under: Security — ocsic @ 21:59

Currently doing a failover installation with two 5510s on each side, so there will be four devices altogether. Seems like things were not planned well enough.

The customer situation is that we have two leased lines that are direct connections from one site to the other. So the idea was to make a failover config with both firewalls in an active/active failover configuration.

But the pitfall was that the traffic has to be encrypted over a site-to-site VPN tunnel. Active/active has to be configured in multiple context mode, and multiple context mode does not have IPsec available. So in multiple context mode you cannot configure any VPNs.

So then you only have active/standby. There’s a catch there too. If you configure active/standby and both ends are active, everything is OK. But if one side goes to standby and the other side is still active, because its „monitored“ interface is still working fine, this is a deadlock: neither side will match and the tunnel will not come up again.

It would be a great advantage if you could track or monitor the tunnel interface; then you could switch from active to standby when the tunnel is no longer available.

Small diagram:

fw1(active) — leased line(vpn) — fw3(active)

fw2(standby) — leased line(vpn) — fw4(standby)

Active/active also does not do real load balancing. You can distribute the different VLANs over both leased lines so that the amount of traffic on each is about the same.

The better solution for such a scenario is, if possible, two routers with VPN and VRRP/HSRP and OSPF/EIGRP. That way you can do real load balancing and also have both lines active.

30. September 2007

Starting a new job next week near Frankfurt and start learning again

Filed under: General — ocsic @ 18:50

I got several offers from companies, four altogether. Some had only time-limited contracts, but I was looking for a longer investment. I will start tomorrow, working as a consultant and system engineer mainly in the Cisco world, but will probably have to cover one other manufacturer like Extreme Networks or so. We will see. My new company will support me in making the CCIE and I plan to do so in the next year. I think this is an obtainable goal. So I will do my next lab and maybe my last attempt for the R&S next year. I plan to keep working with dynamips and internetworkexpert. I think I will still need some online sessions to test certain switching features, which will not be reproducible on dynamips. But my new notebook is able to fire up 13 devices including BB routers and 4 switches. I have already tested this in the past and it worked. You have to adjust idle values though.

Currently I don’t know exactly if I have to recertify for the CCIE Written, since I remember that you have to make an attempt at least every 18 months. But I don’t know exactly.

So I’m looking forward to starting to learn again, and I will have to take time for this on a regular basis.

30. August 2007

Done 642-642 QoS today

Filed under: QoS,Voip — ocsic @ 21:28

If my last project hadn’t been about QoS, I would not have been that good and it would not have been that easy. I’m on my way to the CCVP cert. Currently I just hope I can learn things as quickly as possible. This test has not been that difficult. QoS is a topic that has not changed a lot in the last years. Even Cisco’s design guide for campus QoS is about 2 years old, from 2005. So the things you learn are about standards that have not changed a lot since.

What I haven’t seen is an RSVP or IntServ implementation. I would like to test it a bit with dynamips, but I have to keep going.

I now know how to implement LLQ, CBWFQ, PQ, CQ and WRED, for example, and know about CoS and DSCP values. I have not had anything about thresholds in the test. I had 45 questions and the passing score was 790 points. Thanks to the good VUE test center. I had quite a lot of problems with Prometric; probably this is the reason why Cisco changed to use only VUE as a testing center for Cisco tests. Everything was working fine. I did the test at OpenLine, Maastricht in the Netherlands.

25. August 2007

QoS campus design / telephony / avaya / diffserv

Filed under: QoS,Voip — ocsic @ 12:52

I have implemented a QoS design for a customer with about 5000 nodes per campus. The design is relatively straightforward. Once you have decided which classes you want to implement, you have to configure the different devices. There was an access, distribution and core layer. It’s best to mark as close to the applications as possible. So at the access layer we had 3750 and 4000/4500. The 3750 supports SRR, and for the 4000 it depends on the module. But on the 4000/4500 you don’t have input queues. As with the 6500, it all depends on the module. You have to find out what kind of hardware queues there are. It’s probably a notation like 1P3Q8T, which means 1 priority queue, 3 normal queues and 8 thresholds per queue. Sometimes you can also find the notation 4Q8T/1P3Q8T, which means that one queue can be either a normal queue or the priority queue.

If you have measurements of the actual network traffic, you can distribute the traffic over the different queues and thresholds. If not, it’s maybe good enough to have a priority queue and to roughly estimate the other queues, but maybe not go too deep into changing the default thresholds. Later it might become necessary, if you don’t have enough queues left and you want to keep your queuing scheme.

There is a good design guide for enterprise campus QoS implementation and I suggest taking it as a starting point for your QoS campus design. It covers all the different Catalyst types and also gives some suggestions about ECN/DBL (dynamic buffer limiting) marking, especially for the 4000/4500 Catalyst.

This could be a good feature when both stations (server/client) support the ECN flag. I read that XP/Vista do not have it enabled by default. But it’s only available on the 4000/4500.

Make sure you use hardware queueing and not queuing in software. This will save you from problems with CPU overload. As long as queueing is done in hardware, you will be on the safe side.

Avaya does not have recommendations about QoS implementations on Cisco hardware. Phones can be configured by setting voice bearer traffic to CoS 5 and signaling traffic to CoS 3. You can overwrite the data port with the PC connected to CoS 0. This would be a relatively straightforward setup.

QoS is quite a complex task. It’s necessary to develop and administer it constantly according to the current needs.

Source:

http://www.cisco.com/univercd/cc/td/doc/solution/esm/qossrnd.pdf

http://de.wikipedia.org/wiki/Network_congestion_avoidance

23. August 2007

642-642 QoS

Filed under: QoS,Voip — ocsic @ 12:25

Currently going for the first QoS test for the CCVP. I think this is the most difficult one. I like to take the hard part first. I haven’t seen any RSVP implementations. I wonder if it’s really widely used out in the network for QoS. I will write some comments on my QoS implementation for a customer with about 5000 access ports per site in the next days.

QoS can be quite a complex task. It seems simple, but implementing it consistently on different kinds of hardware queues and different queueing techniques can be quite challenging.

6. August 2007

CCVP / Job

Filed under: General,Voip — ocsic @ 11:14

I’m currently starting the CCVP path first. I think this is a better idea in terms of making sure of your value. I don’t know if I will reach CCIE for routing and switching. But I can do CCVP in time. So this will be my next goal first.

I had a very bad experience with head hunters and a company. Seems like they are only out there to make the profit, and after half a year they kick you out again. Well, I should have known this. I’m currently looking for a new job. So if anyone has something to offer, I would be glad to hear about it.

28 May 2007

Password recovery for the CCM 5.0

Filed under: Voip — ocsic @ 11:29

If you don’t have access to the CCM anymore, Cisco provides a neat way to reset the password.

Just log in with pwrecovery on the console; the password is pwreset.

Then you can reset the admin and secure password.

Here is the corresponding link:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a00806c3e28.html

26 May 2007

CallManager Express and Dynamips

Filed under: dynamips,Voip — ocsic @ 22:17

As you may know, CallManager Express is able to manage small sites with up to 100 phones. I installed a CME-capable IOS on a dynamips 3660 router and I’m able to connect a real phone to the dynamips router.

Here I explained how you can make your local device and network available to your dynamips routers. Keep in mind that you have to allow traffic on your newly created interfaces, for example br0, if you have a firewall enabled.

For using tap0 and br0 look at this link:

http://blog.sazza.de/?cat=26

You need an IOS image that is CallManager Express capable. Look at cisco.com and the IOS Feature Navigator http://www.cisco.com/go/cfn and search for CallManager Express. You need a valid CCO account for downloading IOS images.

Currently dynamips is able to simulate a lot of 3600 and 3700 routers, so choose the one that matches your needs. The 3660 only supports CME 3.0 though.

You then have to add some extra flash to hold the files for the phones.

Dynamips supports the disk option, so „disk0 = 256“ gives you a lot of space for files.

You have to format the flash before using it. Do this, depending on the router IOS, with „erase flash:“ or „format flash:“

On the 3725:

cme#erase flash:
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device… eeeeeeeeeeeeeeeeeeeeeeeeeeeeee …erased
Erase of flash: complete

Then you can tftp files to flash, for example the MoH file „music-on-hold.au“:

cme#copy tftp flash
Address or name of remote host []? 1.1.1.29
Source filename []? music-on-hold.au
Destination filename [music-on-hold.au]?
Accessing tftp://1.1.1.29/music-on-hold.au…
Erase flash: before copying? [confirm]n
Loading music-on-hold.au from 1.1.1.29 (via FastEthernet2/0): !OOO!OO
[OK – 496521 bytes]

Verifying checksum… OK (0x206E)
496521 bytes copied in 15.516 secs (32001 bytes/sec)

cme#dir
Directory of flash:/

1 -rw- 757 <no date> startup-config
2 -rw- 496521 <no date> music-on-hold.au

268435452 bytes total (267938040 bytes free)

To set up MoH (music on hold) do the following:

telephony-service
ip source-address 192.168.1.31 port 2000
moh flash:music-on-hold.au

…..

And configure „multicast-moh“ under each ephone that should get the feature, as it’s not the default.

You should now hear the MoH sound.

You should also copy the cme-gui archive to the flash:

cme#archive tar /xtract tftp://1.1.1.29:/cme-gui.tar flash:/

Log in to your router through:

http://1.1.1.31/telephony_service.html
