Archive for June, 2010

Jun
30

Summer was in full swing, and it was over 105 degrees Fahrenheit outside.   Bob was told it was a “dry heat”, but he thought “so is my oven”.  Needless to say, Bob was glad to be in the data center, where the temperature and humidity controls kept it very cold.   He had been asked to setup up a basic route-map with BGP, and here is the diagram he worked from.

BGP Triangle
The goal, was to modify BGP,  so that all traffic going towards the 1.1.1.0 network (which is sourced from AS1), traveling either from or through AS23, would only use the 13.0.0.0/24 segment (between R3 and R1), and not use the 10.0.0.0/24 segment (between R2 and R1) as a transit path.
Bob reviewed some of the BGP topics he had recently learned.   Here is the list he made of possibilities: Continue Reading

Tags: ,

Jun
29

Try these questions on for size! Learn all this and much more in the new QoS class – woohoo!

1. Based on the following configuration, what traffic will be policed?
class-map C_MUSIC
match protocol kazaa2
match protocol napster
!
class-map match-any C_WEB
match protocol http
match class-map C_MUSIC
!
policy-map P_WEB
class C_WEB
police 64000
!
interface serial 0/0
service-policy output P_WEB
A. All Kazaa version 2 traffic is policed
B. All Napster traffic is policed
C. All web traffic is policed
D. All Kazaa version 2, Napster, and web traffic is policed
E. No traffic is policed
2. You are configuring a Cisco Catalyst 3550 switch port to trust CoS markings if, and only if, the marking originated from a Cisco IP Phone. In an attempt to perform this configuration, you enter the mls qos trust device cisco-phone command. However, your configuration does not seem to be working properly. Why is the switch not trusting CoS markings coming from an attached Cisco IP Phone?
A. A Cisco Catalyst 3550 switch supports the mls qos trust device cisco-phone command, but the Cisco Catalyst 2950 does not support this command.
B. The mls qos trust cos command is missing.
C. The mls qos trust extend command is missing.
D. The mls qos cos 5 command is missing.
3. You administer a network that transports both voice and interactive video traffic. Since these traffic types are both latency-sensitive, you decide to implement the following configuration. Which statement is true regarding the configuration?
class-map C_VOICE
match protocol rtp audio
class-map C_VIDEO
match protocol rtp video
!
policy-map P_HIGH_PRIORITY
class C_VOICE
priority percent 15
class C_VIDEO
priority percent 35
class class-default
fair-queue
!
interface serial 0/0
service-policy output P_HIGH_PRIORITY
A. The configuration results in three queues, one for the C_VOICE class, one for the C_VIDEO class, and one queue for the class-default class.
B. The configuration results in two queues, one priority queue and one queue for the class-default class.
C. The class-default class uses FIFO as its queuing mechanism for traffic flows within its queue.
D. The two priority queues use WFQ for queuing traffic within those queues.
4. CB-WRED is configured using the random-detect command. Which two of the following statements are true concerning the random-detect command? (Choose 2)
A. The random-detect command cannot be issued for the class-default class.
B. The random-detect command cannot be issued for the priority class(es).
C. The random-detect command must be issued in conjunction with the bandwidth command (with the exception of the class-default class).
D. The random-detect command should be issued in conjunction with the priority command.
5. Consider the following configuration:
class-map TRANSACTIONAL
match protocol http
!
policy-map CBPOLICING
class TRANSACTIONAL
police 128000 conform-action set-dscp-transmit af11 exceed-action set-dscp-transmit af13 violate-action drop
!
interface serial 0/1
service-policy input CBPOLICING
What type of class-based policing configuration is represented by this configuration?
A. Single rate, single bucket
B. Single rate, dual bucket
C. Dual rate, single bucket
D. Dual rate, dual bucket
6. You configure CB-Shaping by issuing the command shape peak 8000 2000 2000. This configuration shapes to what peak rate?
A. 4000 bps
B. 8000 bps
C. 16000 bps
D. 32000 bps
7. You are configuring Multilink PPP (MLP) as your Link Fragmentation and Interleaving (LFI) mechanism for a WAN link. Identify the correct statements regarding the configuration of MLP. (Choose 2)
A. The configuration of Multilink PPP requires at least two physical links (e.g. two serial interfaces).
B. The IP address is removed from any serial interface that makes up the MLP bundle.
C. Any policy-map that was previously assigned to a physical interface should be reassigned to the multilink interface, that the physical interface is associated with, in order for the policy to take effect.
D. The virtual multilink interface does not use an IP address. Rather, it uses the IP unnumbered feature which allows the multilink interface to share an IP address with the multilink bundle member that has the highest IP address.

1. Based on the following configuration, what traffic will be policed?

class-map C_MUSIC
  match protocol kazaa2
  match protocol napster
!
class-map match-any C_WEB
  match protocol http
  match class-map C_MUSIC
!
policy-map P_WEB
  class C_WEB
    police 64000
!
interface serial 0/0
  service-policy output P_WEB

A. All Kazaa version 2 traffic is policed

B. All Napster traffic is policed

C. All web traffic is policed

D. All Kazaa version 2, Napster, and web traffic is policed

E. No traffic is policed

2. You are configuring a Cisco Catalyst 3560 switch port to trust CoS markings if, and only if, the marking originated from a Cisco IP Phone. In an attempt to perform this configuration, you enter the mls qos trust device cisco-phone command. However, your configuration does not seem to be working properly. Why is the switch not trusting CoS markings coming from an attached Cisco IP Phone?

A. A Cisco Catalyst 2950 switch supports the mls qos trust device cisco-phone command, but the Cisco Catalyst 3560 does not support this command

B. The mls qos trust cos command is missing

C. The mls qos trust extend command is missing

D. The mls qos cos 5 command is missing

E. The PC attached to the phone is overriding the CoS markings

Continue Reading

Tags: , , , ,

Jun
28

In the previous MPLS Components post, we discussed the many benefits that MPLS can bring to the network, and we detailed the typical components found in a Layer 3 MPLS VPN design. In this post, we will provide more details for the MPLS components and their important, inner workings. We will make reference to the previous diagram in this post as well:

MPLS Components

MPLS Components

When PE1 receives a packet from CE1, it will engage in what we call a Push operation. PE1 is considered the ingress PE router and engages in label imposition. (Notice that we like to speak in fancy terminology here; when we add a label to a packet, it is termed a push or an imposition).

Continue Reading

Tags: , , ,

Jun
21

Join us Friday, June 25th at 11AM Pacific / 2PM Eastern for another installment in the Open Lecture Series.

The topic that will be covered is Privilege Levels and Role Based CLI.

We look forward to seeing you there. Seats are limited.

Tags: , , ,

Jun
18

Starting July 1st, we are introducing downloadable content for the CCSP and CCVP bootcamp class-on-demand courses.  This exciting new addition will come as a warm welcome to all those looking to have the world’s best training programs on the go.  These courses will be offered in .m4v video format and work seamlessly on the iPhone, iPad, and other mobile devices as well as on your desktop.  We will be providing a upgrade option for everyone who currently has these classes as well as a product add-on to those who have held out for this option.  The upgrade price will be just $49.95 and give you the freedom to watch Flash free content wherever you go.

There is even more good news! If you purchase either the CCSP Bootcamp Class-on-Demand or the CCVP Bootcamp Class-on-Demand between now and July 1st, you will receive this upgrade at no additional cost, and the downloadable version will be added to your account on July 1st.

Tags: , , ,

Jun
18

Do you want to see how a CCIE would handle a tricky EtherChannel and 802.1X scenario in the lab exam. Subscribers to the Interactive Video Companion for Volume 2 need to log in and watch the new training modules.

These tasks provide great opportunities to analyze task interpretation, diagramming strategy, and DOC-CD utilization during the CCIE lab exam.

Enjoy your studies!

Tags: , , , ,

Jun
17

We know from the 5-Day QoS bootcamp that Differentiated Services is one of the three major overall approaches to providing Quality of Service in an enterprise. The other options are Integrated Services and Best Effort.

When we studied Differentiated Services, we saw that the primary marking technology approach was the Differentiated Services Code Point (DSCP) concept. These are the high order 6 bits in the IP packet ToS Byte. But how can MPLS use these markings in order to provide QoS treatment (Per Hop Behaviors (PHBs)) to various traffic forms?

The first major issue to solve is the fact that Label Switch Routers (LSRs) rely solely on the MPLS header when making forwarding decisions. These devices will no longer analyze the IP Header information, thus negating the use of the ToS Byte. This was solved through the creation of the Experimental Bits field  in the MPLS header. The IETF has now renamed the field to the Traffic Class field.  See RFC 5462.

Continue Reading

Tags: , , ,

Jun
15

A big shout out to all the students in the Raleigh Security CCIE bootcamp last week.   I had a blast!   Thank you for all your hard work, as well as the after hours discussions about the unknown, and why people feel they know it.  :)

I promised a few blog posts related to security over the next few weeks, and this one is regarding Certificate-based ACLs.

This blog may also serve as a review on how to configure the CA clients so that their certificates contain various fields and values, such as subject-name.

Let’s use this diagram for the backdrop of our discussion:

3 routers in a row-NO-user

R2 will be the NTP and CA server with R1 and R3 as IPSec VPN peers.  (Remember, with certificates we really do need time to be on “our side”).  :)

R1′s configuration for the trustpoint is as follows:

crypto pki trustpoint R2
enrollment url http://2.2.2.2:80
serial-number
ip-address 10.0.0.1
subject-name cn=R1,ou=ccsp,o=ine,st=NV,c=US
revocation-check none

Continue Reading

Tags: ,

Jun
14

In this short blog post, we are going to give condensed overview of the four main flavors of Frame-Relay Traffic Shaping (FRTS). Historically, as IOS evolved with time, different methods have been introduced, having various level of feature support. Two main features, specific to Frame-Relay Traffic-Shaping are per-VC shaping and queueing and adaptive shaping in response to Frame-Rleay congestion notifications (e.g. BECNs). You’ll see that not every flavor supports these two features. We begin with the «fossil» known as Generic Traffic Shaping.

Generic Traffic Shaping

This feature was initially designed to shape packet traffic sent over any media, be it Ethernet, Frame-Relay, PPP etc. The command syntax is traffic-shape {rate|group} and allows specifying traffic scope using an access-list (notice that different ACL types are supported). You may tune the Bc/Be values as well as the shaping queue depth (amount of buffers). If the shaper delays traffic, the queue service strategy would be fixed to WFQ with the queue size equal to the buffer space allocated. Additional WFQ parameters such as number of flows and congestive discard threshold could not be tuned and set based on the shaper rate automatically.

An unique feature of GTS is the ability to apply multiple shapers to a single interface. However, shapers are not cascaded, but rather a packet is assigned to the first matching shaper rule. In the example below, there are three rules, with the last one being “fallback”, matching all packets that didn’t match access-lists 100 and 101. Unlike using the legacy CAR feature (rate-limit command) you cannot «cascade» multiple traffic-shape statements on the same interface, i.e. there is no “continue” action.

traffic-shape group 100 128000
traffic-shape group 101 64000
traffic-shape group 199 256000
!
access-list 199 permit ip any any

Continue Reading

Tags: , ,

Jun
06

I just returned from an awesome Security bootcamp in Raleigh, and am looking forward to more there in the future. Core knowledge is still alive and well in the Security LAB exam, as well as troubleshooting, which is integrated as part of the configuration section.

Often times, what seem like complex network troubleshooting scenarios are caused by overlooking simple fundamental components of the technology. Join me on Tuesday, June 8th as we discuss developing the Tier 1 knowledge that you need to know for the CCIE Security LAB, as well as strategy that may be used to continually build your base of knowledge as you prepare for your CCIE certification.

This v-Seminar is open to the public, and will be held online at

U.S.A. – Pacific) Tuesday, June 8, 2010 at 11:00:00 AM UTC-7 hours PDT
UTC Tuesday, June 8, 2010 at 18:00:00

To sign up for v-Seminars, click here, and select the link for Free v-Seminars.

To join the meeting listed above, click here now.

See you soon!

Tags: ,

Categories

CCIE Bloggers