Archive for June, 2010
BGP Path Manipulation: Bob is at it again…
Summer was in full swing, and it was over 105 degrees Fahrenheit outside. Bob was told it was a “dry heat”, but he thought “so is my oven”. Needless to say, Bob was glad to be in the data center, where the temperature and humidity controls kept it very cold. He had been asked to set up a basic route-map with BGP, and here is the diagram he worked from.

The goal was to modify BGP so that all traffic going towards the 1.1.1.0 network (which is sourced from AS1), traveling either from or through AS23, would use only the 13.0.0.0/24 segment (between R3 and R1) and not the 10.0.0.0/24 segment (between R2 and R1) as a transit path.
Bob reviewed some of the BGP topics he had recently learned. Here is the list he made of possibilities:
Try these questions on for size! Learn all this and much more in the new QoS class – woohoo!
1. Based on the following configuration, what traffic will be policed?
class-map C_MUSIC
 match protocol kazaa2
 match protocol napster
!
class-map match-any C_WEB
 match protocol http
 match class-map C_MUSIC
!
policy-map P_WEB
 class C_WEB
  police 64000
!
interface serial 0/0
 service-policy output P_WEB
A. All Kazaa version 2 traffic is policed
B. All Napster traffic is policed
C. All web traffic is policed
D. All Kazaa version 2, Napster, and web traffic is policed
E. No traffic is policed
2. You are configuring a Cisco Catalyst 3560 switch port to trust CoS markings if, and only if, the marking originated from a Cisco IP Phone. In an attempt to perform this configuration, you enter the mls qos trust device cisco-phone command. However, your configuration does not seem to be working properly. Why is the switch not trusting CoS markings coming from an attached Cisco IP Phone?
A. A Cisco Catalyst 2950 switch supports the mls qos trust device cisco-phone command, but the Cisco Catalyst 3560 does not support this command
B. The mls qos trust cos command is missing
C. The mls qos trust extend command is missing
D. The mls qos cos 5 command is missing
E. The PC attached to the phone is overriding the CoS markings
In the previous MPLS Components post, we discussed the many benefits that MPLS can bring to the network, and we detailed the typical components found in a Layer 3 MPLS VPN design. In this post, we will provide more details on the MPLS components and their inner workings. We will make reference to the previous diagram in this post as well:
When PE1 receives a packet from CE1, it will engage in what we call a Push operation. PE1 is considered the ingress PE router and engages in label imposition. (Notice that we like to speak in fancy terminology here; when we add a label to a packet, it is termed a push or an imposition).
Join us Friday, June 25th at 11AM Pacific / 2PM Eastern for another installment in the Open Lecture Series.
The topic that will be covered is Privilege Levels and Role Based CLI.
We look forward to seeing you there. Seats are limited.
Starting July 1st, we are introducing downloadable content for the CCSP and CCVP bootcamp class-on-demand courses. This exciting new addition will come as a warm welcome to all those looking to have the world’s best training programs on the go. These courses will be offered in .m4v video format and work seamlessly on the iPhone, iPad, and other mobile devices as well as on your desktop. We will be providing an upgrade option for everyone who currently has these classes, as well as a product add-on for those who have held out for this option. The upgrade price will be just $49.95 and gives you the freedom to watch Flash-free content wherever you go.
There is even more good news! If you purchase either the CCSP Bootcamp Class-on-Demand or the CCVP Bootcamp Class-on-Demand between now and July 1st, you will receive this upgrade at no additional cost, and the downloadable version will be added to your account on July 1st.
Tags: class on demand, downloadable content, ipad, iphone
Do you want to see how a CCIE would handle a tricky EtherChannel and 802.1X scenario in the lab exam? Subscribers to the Interactive Video Companion for Volume 2 need to log in and watch the new training modules.
These tasks provide great opportunities to analyze task interpretation, diagramming strategy, and DOC-CD utilization during the CCIE lab exam.
Enjoy your studies!
Tags: 802.1x, ccie, etherchannel, lab, practice
We know from the 5-Day QoS bootcamp that Differentiated Services is one of the three major overall approaches to providing Quality of Service in an enterprise. The other options are Integrated Services and Best Effort.
When we studied Differentiated Services, we saw that the primary marking approach was the Differentiated Services Code Point (DSCP) concept. These are the high-order 6 bits of the IP packet’s ToS byte. But how can MPLS use these markings to provide QoS treatment (Per-Hop Behaviors, or PHBs) to various traffic forms?
The first major issue to solve is the fact that Label Switch Routers (LSRs) rely solely on the MPLS header when making forwarding decisions. These devices will no longer analyze the IP Header information, thus negating the use of the ToS Byte. This was solved through the creation of the Experimental Bits field in the MPLS header. The IETF has now renamed the field to the Traffic Class field. See RFC 5462.
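The following Python model is an added illustration, not code from the original posts, and it serves two passages: the Push (label imposition) operation described in the MPLS Components post above, and the EXP/Traffic Class field discussed here. It builds the 32-bit MPLS shim header as laid out in RFC 3032, derives the TC value from the IPv4 DSCP, and then lets a core LSR forward the frame by looking at the label alone. The DSCP-to-TC mapping (copy the IP precedence bits), the IP-to-MPLS TTL propagation, the label values and the constructed IPv4 header are all assumptions made for the demo.

```python
import struct
from typing import Optional, Tuple

# MPLS shim header (RFC 3032), big-endian 32 bits:
#   20-bit label | 3-bit TC (the field RFC 5462 renamed from EXP) | 1-bit S | 8-bit TTL
LABEL_FMT = "!I"


def dscp_from_tos(tos: int) -> int:
    """DSCP is the high-order 6 bits of the IPv4 ToS byte."""
    return (tos >> 2) & 0x3F


def dscp_to_tc(dscp: int) -> int:
    """Assumed default mapping: copy the IP precedence (top 3 DSCP bits) into TC.
    A real PE may apply a configured DSCP-to-EXP table instead."""
    return (dscp >> 3) & 0x7


def encode_label(label: int, tc: int, bos: int, ttl: int) -> bytes:
    if not (0 <= label < (1 << 20) and 0 <= tc < 8 and bos in (0, 1) and 0 <= ttl < 256):
        raise ValueError("MPLS header field out of range")
    return struct.pack(LABEL_FMT, (label << 12) | (tc << 9) | (bos << 8) | ttl)


def decode_label(hdr: bytes) -> Tuple[int, int, int, int]:
    """Return (label, tc, bottom_of_stack, ttl) from the first 4 bytes."""
    (v,) = struct.unpack(LABEL_FMT, hdr[:4])
    return (v >> 12) & 0xFFFFF, (v >> 9) & 0x7, (v >> 8) & 0x1, v & 0xFF


def build_ipv4_header(tos: int, ttl: int,
                      src: bytes = b"\x0a\x00\x00\x01", dst: bytes = b"\x01\x01\x01\x01") -> bytes:
    """Constructed 20-byte IPv4 header (UDP, checksum left at 0; enough for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, ttl, 17, 0, src, dst)


def push(ip_packet: bytes, label: int) -> bytes:
    """Ingress PE (label imposition): TC is derived from the IP DSCP, the MPLS TTL is
    copied from the IP TTL (TTL propagation assumed), and S=1 because this is the only label."""
    tos, ttl = ip_packet[1], ip_packet[8]
    return encode_label(label, dscp_to_tc(dscp_from_tos(tos)), 1, ttl) + ip_packet


def lsr_forward(frame: bytes, lfib: dict) -> Optional[bytes]:
    """Core LSR: the decision uses only the top label. It is swapped per the LFIB and the
    MPLS TTL decremented; the IP header behind the label is never inspected, which is
    exactly why QoS treatment in the core has to come from TC, not from the ToS byte."""
    label, tc, bos, ttl = decode_label(frame)
    if label not in lfib or ttl <= 1:
        return None  # no LFIB entry or TTL exhausted: drop
    return encode_label(lfib[label], tc, bos, ttl - 1) + frame[4:]


def pop(frame: bytes) -> bytes:
    """Egress PE (label disposition): strip the last label and hand back the IP packet."""
    _, _, bos, _ = decode_label(frame)
    if bos != 1:
        raise ValueError("more labels remain on the stack")
    return frame[4:]


def demo():
    ip = build_ipv4_header(tos=0xB8, ttl=64)   # ToS 0xB8 = DSCP 46 (EF)
    frame = push(ip, label=16)                  # label 16: first unreserved value, assumed
    core = lsr_forward(frame, {16: 17})         # constructed LFIB: swap 16 -> 17
    return decode_label(frame), decode_label(core), pop(core) == ip


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the imposed header carrying TC 5 for an EF-marked packet, the swapped label with TTL decremented by one, and the untouched IP packet (ToS byte included) coming back out at the egress PE.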
A big shout out to all the students in the Raleigh Security CCIE bootcamp last week. I had a blast! Thank you for all your hard work, as well as the after hours discussions about the unknown, and why people feel they know it.
I promised a few blog posts related to security over the next few weeks, and this one is regarding Certificate-based ACLs.
This blog may also serve as a review on how to configure the CA clients so that their certificates contain various fields and values, such as subject-name.
Let’s use this diagram for the backdrop of our discussion:

R2 will be the NTP and CA server with R1 and R3 as IPSec VPN peers. (Remember, with certificates we really do need time to be on “our side”).
R1's configuration for the trustpoint is as follows:
crypto pki trustpoint R2
 enrollment url http://2.2.2.2:80
 serial-number
 ip-address 10.0.0.1
 subject-name cn=R1,ou=ccsp,o=ine,st=NV,c=US
 revocation-check none
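As an added example (not from the original post or from IOS itself), here is a small Python model of what a certificate-based ACL does with the subject-name that the trustpoint above puts into R1's certificate: it parses the DN, applies certificate-map style rules, and checks the validity window first, which is the reason R2 is also the NTP server. The rule semantics are modelled on IOS certificate maps as assumed here (rules within one sequence must all match, any sequence matching is enough; eq/ne compare the whole field, co/nc test for a substring), and the R9 certificate and all validity dates are constructed.

```python
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed certificates. R1's subject-name is the one the trustpoint above requests;
# R9 and all validity dates are made up for the demo.
SAMPLE_CERTS = {
    "R1": {"subject": "cn=R1,ou=ccsp,o=ine,st=NV,c=US",
           "not_before": utc(2010, 6, 1), "not_after": utc(2011, 6, 1)},
    "R9": {"subject": "cn=R9, ou=lab, o=ine, st=NV, c=US",
           "not_before": utc(2010, 6, 1), "not_after": utc(2011, 6, 1)},
}

# Certificate map: (sequence, [(field, operator, pattern), ...]). Assumed semantics:
# all rules of a sequence must match; the map matches if any sequence matches.
CERT_MAP = [
    (10, [("subject-name", "co", "ou=ccsp"), ("subject-name", "co", "o=ine")]),
]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'cn=R1,ou=ccsp,...' into (attribute, value) pairs; attribute names lower-cased."""
    pairs = []
    for part in dn.split(","):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DN component: {part!r}")
        pairs.append((key.strip().lower(), value.strip()))
    return pairs


def normalize_dn(dn: str) -> str:
    """Canonical lower-case, whitespace-free form so comparisons are not fooled by spacing."""
    return ",".join(f"{k}={v.lower()}" for k, v in parse_dn(dn))


def field_matches(actual: str, op: str, pattern: str) -> bool:
    p = pattern.lower().replace(" ", "")
    if op == "eq":
        return actual == p
    if op == "ne":
        return actual != p
    if op == "co":
        return p in actual
    if op == "nc":
        return p not in actual
    raise ValueError(f"unsupported operator {op!r}")


def cert_map_matches(cert: dict, cert_map) -> Optional[int]:
    """Return the sequence number of the first matching entry, or None."""
    fields = {"subject-name": normalize_dn(cert["subject"])}
    for seq, rules in cert_map:
        if all(field_matches(fields[f], op, pat) for f, op, pat in rules):
            return seq
    return None


def evaluate_peer(cert: dict, cert_map, now: datetime) -> Tuple[bool, str]:
    """Validity window first, then the certificate map. A wrong clock on the VPN peer
    fails the first check even when the subject-name is exactly what we wanted."""
    if now < cert["not_before"]:
        return False, "certificate not yet valid"
    if now > cert["not_after"]:
        return False, "certificate expired"
    seq = cert_map_matches(cert, cert_map)
    if seq is None:
        return False, "no certificate-map entry matched"
    return True, f"matched entry {seq}"


if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(name, evaluate_peer(cert, CERT_MAP, utc(2010, 6, 15)))
    print("R1 with clock in 2009:", evaluate_peer(SAMPLE_CERTS["R1"], CERT_MAP, utc(2009, 1, 1)))
```

With the clock set correctly, R1 (ou=ccsp) is accepted and R9 (ou=lab) is refused; with the clock back in 2009, even R1 is refused before the subject-name is ever looked at.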
In this short blog post, we are going to give a condensed overview of the four main flavors of Frame-Relay Traffic Shaping (FRTS). Historically, as IOS evolved over time, different methods were introduced, each with a different level of feature support. Two main features specific to Frame-Relay Traffic Shaping are per-VC shaping and queueing, and adaptive shaping in response to Frame-Relay congestion notifications (e.g. BECNs). You’ll see that not every flavor supports these two features. We begin with the «fossil» known as Generic Traffic Shaping.
Generic Traffic Shaping
This feature was initially designed to shape packet traffic sent over any media, be it Ethernet, Frame-Relay, PPP, etc. The command syntax is traffic-shape {rate|group} and allows the traffic scope to be specified using an access-list (notice that different ACL types are supported). You may tune the Bc/Be values as well as the shaping queue depth (amount of buffers). If the shaper delays traffic, the queue service strategy is fixed to WFQ with the queue size equal to the buffer space allocated. Additional WFQ parameters, such as the number of flows and the congestive discard threshold, cannot be tuned; they are set automatically based on the shaper rate.
A unique feature of GTS is the ability to apply multiple shapers to a single interface. However, shapers are not cascaded; rather, a packet is assigned to the first matching shaper rule. In the example below, there are three rules, with the last one being the “fallback”, matching all packets that didn’t match access-lists 100 and 101. Unlike the legacy CAR feature (rate-limit command), you cannot «cascade» multiple traffic-shape statements on the same interface, i.e. there is no “continue” action.
traffic-shape group 100 128000
traffic-shape group 101 64000
traffic-shape group 199 256000
!
access-list 199 permit ip any any
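To make the first-match, no-cascade behaviour of the three statements above concrete, here is an added Python simulation (not code from the original post): each traffic-shape group gets its own token bucket filled at its rate and bounded by Bc+Be, a packet is classified by the first access-list that permits it, and its departure time is the arrival time if enough tokens are available, or the moment the bucket has accrued enough bits otherwise. Access-lists 100 and 101 are not shown on the page, so their contents here are constructed; Bc is assumed to default to rate/8 bits (a 125 ms Tc) with Be 0, and the six sample packets are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    """Constructed packet descriptor used as shaper input."""
    src: str
    dst: str
    proto: str
    size_bytes: int
    arrival: float            # seconds since start


AclMatcher = Callable[[Packet], bool]   # True == the access-list permits the packet


@dataclass
class Shaper:
    """One traffic-shape statement: a token bucket filled at rate_bps, holding at
    most Bc+Be bits. Every statement owns its own bucket."""
    name: str
    rate_bps: int
    bc_bits: int
    be_bits: int = 0
    acl: Optional[AclMatcher] = None     # None models "traffic-shape rate" (matches everything)
    tokens: float = field(init=False, default=0.0)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.bc_bits)   # bucket starts full

    def departure(self, pkt: Packet) -> float:
        """Time the packet leaves: the arrival time if tokens suffice, otherwise the
        moment the bucket has refilled enough bits (the packet sits in the shaping queue)."""
        now = max(pkt.arrival, self.last_time)
        self.tokens = min(self.bc_bits + self.be_bits,
                          self.tokens + (now - self.last_time) * self.rate_bps)
        size_bits = pkt.size_bytes * 8
        if self.tokens >= size_bits:
            self.tokens -= size_bits
            self.last_time = now
            return now
        wait = (size_bits - self.tokens) / self.rate_bps
        self.tokens = 0.0
        self.last_time = now + wait
        return self.last_time


def classify(shapers: List[Shaper], pkt: Packet) -> Optional[Shaper]:
    """First matching statement wins; there is no 'continue' to later statements."""
    for s in shapers:
        if s.acl is None or s.acl(pkt):
            return s
    return None                              # matched nothing: sent unshaped


def shape_packets(shapers: List[Shaper], packets: List[Packet]) -> List[Tuple[Optional[str], float]]:
    out = []
    for pkt in sorted(packets, key=lambda p: p.arrival):   # stable sort keeps arrival order
        s = classify(shapers, pkt)
        out.append((s.name, s.departure(pkt)) if s else (None, pkt.arrival))
    return out


# Access-lists 100 and 101 are not on the page; these bodies are constructed assumptions.
def acl_100(p: Packet) -> bool:            # assumed: permit ip 10.0.0.0 0.0.0.255 any
    return ip_address(p.src) in ip_network("10.0.0.0/24")


def acl_101(p: Packet) -> bool:            # assumed: permit tcp any any
    return p.proto == "tcp"


def acl_199(p: Packet) -> bool:            # access-list 199 permit ip any any (from the page)
    return True


def build_interface() -> List[Shaper]:
    """The three traffic-shape group statements from the page; Bc assumed = rate/8, Be 0."""
    return [Shaper("100", 128000, 16000, acl=acl_100),
            Shaper("101", 64000, 8000, acl=acl_101),
            Shaper("199", 256000, 32000, acl=acl_199)]


SAMPLE_PACKETS = [   # constructed: six 1000-byte packets, all arriving at t=0
    Packet("10.0.0.5", "192.0.2.1", "udp", 1000, 0.0),
    Packet("10.0.0.6", "192.0.2.1", "udp", 1000, 0.0),
    Packet("10.0.0.7", "192.0.2.1", "udp", 1000, 0.0),
    Packet("172.16.0.1", "192.0.2.1", "tcp", 1000, 0.0),
    Packet("172.16.0.2", "192.0.2.1", "tcp", 1000, 0.0),
    Packet("172.16.0.3", "192.0.2.1", "udp", 1000, 0.0),
]


def run_demo() -> List[Tuple[Optional[str], float]]:
    return shape_packets(build_interface(), SAMPLE_PACKETS)


if __name__ == "__main__":
    for (name, t), pkt in zip(run_demo(), SAMPLE_PACKETS):
        print(f"{pkt.src:>11} {pkt.proto}  shaper {name}  departs at {t:.4f}s")
```

The TCP packets from 172.16.0.0/16 would also be permitted by access-list 199, but they are shaped by group 101 because it matched first; the third packet from 10.0.0.0/24 exhausts group 100's 16000-bit bucket and is held for 8000/128000 s before leaving.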
Tags: Frame-Relay, QoS, traffic-shaping
I just returned from an awesome Security bootcamp in Raleigh, and am looking forward to more there in the future. Core knowledge is still alive and well in the Security LAB exam, as well as troubleshooting, which is integrated as part of the configuration section.
Often times, what seem like complex network troubleshooting scenarios are caused by overlooking simple fundamental components of the technology. Join me on Tuesday, June 8th as we discuss developing the Tier 1 knowledge that you need to know for the CCIE Security LAB, as well as strategy that may be used to continually build your base of knowledge as you prepare for your CCIE certification.
This v-Seminar is open to the public and will be held online at:
| (U.S.A. – Pacific) | Tuesday, June 8, 2010 at 11:00:00 AM | UTC-7 hours (PDT) |
| UTC | Tuesday, June 8, 2010 at 18:00:00 | |
To sign up for v-Seminars, click here, and select the link for Free v-Seminars.
To join the meeting listed above, click here now.
See you soon!


