Become CCIE with Simulator FAQ

Should I use an emulator like dynamips or buy a real lab?
Well, it depends. Dynamips is an emulator that somehow “tricks” the real IOS image so it will boot and run on a standard PC. So far it can run IOS for the 7200, 3600, 3700 and 2600 series routers. So if you need to practice features outside those IOS images, you can’t do it with dynamips and must go with a real lab.
What exactly does dynamips lack?
Performance, although that doesn’t matter for CCIE lab practice; features that must run in hardware, such as certain QoS features; and all the features outside the supported IOS images, for example the L2 and switching features of a normal 3550 or 3560 switch. We also need to be aware that if there is any issue, we must be able to identify whether it comes from a wrong config, an IOS bug, or a bug in dynamips itself. With a real lab, it’s just wrong config and IOS bugs.

Which CCIE track do you think can be done with an emulator only?
For the Service Provider track, you can practice almost 100% of the topics. The focus of the lab is on SP infrastructure, so personally I don’t think you need to spend much time practicing L2 switch features. For Routing & Switching, I think dynamips can still cover almost 90%. Although it supports an Ethernet module, it still can’t be used to test real L2 switch features such as VTP and STP. But all L3 features of the 3550/3560 switch can be tested and will behave the same as on a normal router. For the Security track, the emulator can be used to test IOS FW, IOS IPS, VPN between routers and security features in routers (NAT, ACL, RTBH etc.). But more than half of the features for this track require Firewall, VPN, IDS and Cisco Secure ACS. For the rest of the tracks, I would say the emulator won’t help that much. Check the CCIE lab blueprint and CCIE lab equipment list to get an idea.
What would I miss from the real lab?

Using a real lab we would be able to test all the features required in the CCIE lab: real routers with real performance, the ability to test hardware-dependent features, the ability to sell it back when we are done and, last but not least, the noise, I guess. I used to sleep next to my lab for months, so sometimes I feel I can still hear the noise inside my head even now.
What would be your suggestion to cover the gaps in dynamips?
There are several options. You may invest and buy a complete real lab. The challenge with a real lab is that we need to replicate the lab equipment as closely as possible, which means it can be expensive. But the good thing is, if our lab is still in decent condition after we are done, we may be able to sell it again (to other CCIE candidates) without losing a penny. Another option is to rent an online rack. It has the advantage that we can connect to it as long as we have Internet access, and we don’t need to invest a big pile of money at the beginning, but obviously the money won’t come back after we are done. The option you may want to consider is using dynamips to practice and cover as many features as possible (such as for R&S and Security), then go to online rack rental a couple of weeks before the exam. For a track like Security, you may want to invest in Firewall and VPN hardware, then connect them to dynamips. To practice IDS and for final preparation before taking the exam, you can use an online rack for several days. List all your options and then weigh the pros and cons of each before you decide.
Do you know people who passed using dynamips only?
Yes, I know many people who have passed the CCIE lab using dynamips or another emulator. In fact, for my third lab, the Service Provider track, I practiced using only an emulator similar to dynamips. And no, I won’t tell you what it is, nor will I discuss it on this blog.
Do you think the people who passed using dynamips/emulator only are not real CCIEs, since they never touched real routers?

No, there is no such thing. Passing the CCIE lab just means you passed a lab exam. What makes the difference later on is your experience and expertise in real life. So someone may pass the CCIE using only an emulator and never touch real routers, and he is still a CCIE. Later on he can gain experience and expertise with real routers. That’s what matters at the end of the day.
Will you teach me how to configure dynamips/other emulators?
No. RTFM and Google.
Will you send me IOS to use in the emulator?
No. It’s actually illegal to run IOS software without a license, though for a practice lab at home I don’t think Cisco would bother chasing you. But I won’t send any IOS.
How do I find info if I have an issue with dynamips?
Again, RTFM and Google. And you should join the forum and become an active member to discuss it. As I mentioned above, if there is any issue when you practice CCIE with an emulator, it may come from a wrong config, an IOS bug or a bug in dynamips. So by becoming an active member of the forum, and if you are willing to use the emulator heavily, you can contribute when you think the issue is in dynamips itself. Help the community maintain and develop this wonderful emulator.

Simulator – GNS3

GNS3 is a graphical network simulator that allows simulation of complex networks.

To allow complete simulations, GNS3 is strongly linked with:

  • Dynamips, the core program that allows Cisco IOS emulation.
  • Dynagen, a text-based front-end for Dynamips.
  • Pemu, a Cisco PIX firewall emulator based on Qemu.

GNS3 is an excellent complementary tool to real labs for Cisco network engineers, administrators and people wanting to pass certifications such as CCNA, CCNP, CCIP or CCIE.

It can also be used to experiment with Cisco IOS features or to check configurations that need to be deployed later on real routers.

This project is an open source, free program that may be used on multiple operating systems, including Windows, Linux, and MacOS X.

Features overview

  • Design of high quality and complex network topologies.
  • Emulation of many Cisco router platforms and PIX firewalls.
  • Simulation of simple Ethernet, ATM and Frame Relay switches.
  • Connection of the simulated network to the real world!
  • Packet capture using Wireshark.

Important notice: users have to provide their own Cisco IOS images to use with GNS3. For installation and usage instructions, see the GNS3 documentation.

Comparing EIGRP & OSPF

EIGRP and OSPF are both excellent routing protocols and each provides a unique set of benefits for designing and implementing a scalable network. Both protocols can be used for a wide variety of networks from small regional networks to large global network systems. A question which is frequently asked is, “Which protocol, EIGRP or OSPF, is best?” This is not an easy question, as both protocols have their benefits. This paper compares EIGRP and OSPF and provides criteria to compare the two protocols and determine which is most suitable for your network application. The following criteria have been analyzed so that key differentiating features can be considered when selecting the routing protocol which best fits your network requirements. This paper does not cover the basic operation and features of each protocol; it compares the similar features of each protocol.
Network Architecture – OSPF requires your network topology to be hierarchical, EIGRP does not. It is good design practice to design EIGRP hierarchically as well, but it is not required. Thus, EIGRP is more versatile from a topology standpoint, but care must still be taken to design the network correctly. Sometimes all the versatility of EIGRP allows improper network design, whereas OSPF forces you to design in a backbone. OSPF also has limitations in the number of routers in an OSPF area (guideline – maximum 40-50*) and the number of areas per router (guideline – up to 3*). Thus, designing an OSPF network can be more challenging and limiting than designing an EIGRP network.

*Note: Guideline numbers are good general numbers. These numbers can vary widely depending on the topology and number of links in an area – they are not hard and fast rules.
Ease of Use – Because OSPF requires a hierarchical topology, desires a summarized address structure, and requires manually configured summary addresses, it can be seen as harder to implement. In addition, the different rules for the several types of areas and LSA types are conceptually more difficult to understand. However, all these features can be desirable and support a large scalable network, when done properly. EIGRP can also require some difficult advanced configuration when special features are needed. However, many people feel EIGRP is more flexible than OSPF and network designs are easier to implement using EIGRP.
Neighbors – EIGRP forms adjacencies and exchanges routing updates with each neighboring router, whereas, OSPF performs an election process for a DR (Designated Router) and BDR (Backup DR) which act as a “distribution” point for routing information. In OSPF, routers only form a full adjacency to the DR and BDR (there is one DR/BDR per network segment). This means that, all things being equal, OSPF can more efficiently support a full mesh of neighboring routers per interface. This point is especially valid on high speed LAN media. As a rule of thumb, this issue gets to be important at about 20 neighbors per interface, but depends on routing table size, router platform, utilization, media type, etc.
However, many network designs do not have a large number of neighbors per LAN interface; they have a large number of neighbors per router. In these cases, there are design limitations regarding the number of routers in an OSPF area and the number of areas supported per router (see the Network Architecture section of this document for guidelines). It is important to note that both EIGRP and OSPF have design considerations regarding neighbors. These design considerations depend on many factors including routing table size, media type, topology, etc., but a general rule of thumb is that OSPF can have more neighbors per interface, whereas EIGRP allows more design flexibility for many neighbors per router.
Route Filtering and Aggregation – Filtering routes in OSPF is very difficult. “Distribute-list in” does not work on OSPF routes and “Distribute-list out” works only on the routes being redistributed from other processes into OSPF. Additionally, route aggregation can only be performed at OSPF area or AS boundaries. With EIGRP, information can be filtered and aggregated at any interface and at any bit boundary, theoretically allowing multiple hierarchies based on topology. Therefore, EIGRP is much more versatile and easier to work with when performing route filtering and aggregation. Additionally, EIGRP is far superior to OSPF in inbound and outbound filtering on a per-interface basis.
Route Summarization (Configuration) – EIGRP does an automatic summarization process (by default), whereas, OSPF requires you to define each summary address. As discussed above, EIGRP can thus be easier to implement. However, in many large networks with meshed links and/or redistribution points, not paying careful attention to summarization can cause routing loops and stability problems. You need to carefully understand the topology and addressing design – incorrect auto-summarization is a frequently encountered problem by many customers.
Of course, you can get around these problems in EIGRP (by using interface summary address commands) or OSPF (by using area range commands), but it takes extra steps, good practice, and some knowledge of how the routing protocol works. OSPF requires all manual summary commands and thus requires more thought to this process. With EIGRP, careful consideration should also be given to summarization, even when using the automatic summarization features. Not performing summarization properly with either protocol can cause severe network problems.
Convergence – To recover from a network topology change, EIGRP uses DUAL (Diffusing Update Algorithm), which provides very fast convergence if a “feasible successor” exists. OSPF floods an LSA and reruns the Dijkstra SPF algorithm. From this perspective, EIGRP can converge faster than OSPF and can require less CPU processing. However, convergence is dependent on many factors including topology, metric, type of failure, etc., so a definitive conclusion cannot be made here.
When a feasible successor does not exist, EIGRP queries neighboring routers for the lost route, which then query their neighbors, creating an expanding tree of queries until the route is found or determined to be unavailable. In this case, the speed of convergence depends on many factors including the network topology, and it is impossible to state explicitly which protocol is faster.
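The two convergence cases above (feasible successor present versus route going active and querying) can be made concrete with DUAL's feasibility condition. This is an added example, not code from the original article: the topology table, neighbour names and abstract integer metrics are constructed; the rule that a neighbour's reported distance must be lower than the current feasible distance is EIGRP's.

```python
"""DUAL feasibility condition on a constructed EIGRP topology table (added example)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Path:
    neighbor: str
    reported_distance: int   # RD: the neighbour's own metric to the prefix
    link_cost: int           # cost from this router to that neighbour (constructed)

    @property
    def total(self) -> int:
        """This router's computed distance to the prefix via the neighbour."""
        return self.reported_distance + self.link_cost


@dataclass
class TopologyEntry:
    prefix: str
    paths: List[Path]
    feasible_distance: int = field(init=False)

    def __post_init__(self) -> None:
        # FD is the best total distance at the time the successor was chosen.
        self.feasible_distance = min(p.total for p in self.paths)

    def successor(self) -> Path:
        return min(self.paths, key=lambda p: p.total)

    def feasible_successors(self) -> List[Path]:
        """Feasibility condition: RD < FD proves the neighbour is not downstream
        of this router, so the alternate path is loop-free and usable at once."""
        succ = self.successor()
        return [p for p in self.paths
                if p is not succ and p.reported_distance < self.feasible_distance]

    def lose_successor(self) -> str:
        """Simulate the successor's link failing and report how DUAL reacts."""
        succ = self.successor()
        fs = self.feasible_successors()
        self.paths = [p for p in self.paths if p is not succ]
        if fs:
            # Local computation only: promote the best feasible successor,
            # no query is sent to neighbours.
            new = min(fs, key=lambda p: p.total)
            self.feasible_distance = new.total
            return f"local: switched to {new.neighbor}"
        # No feasible successor: the route goes active and queries fan out.
        return "active: query neighbours"


if __name__ == "__main__":
    # R3 has the same total distance as R2 but its RD (20) is not below FD (15),
    # so only R2 qualifies as a feasible successor.
    entry = TopologyEntry("10.0.0.0/24", [Path("R1", 10, 5), Path("R2", 12, 10), Path("R3", 20, 2)])
    print([p.neighbor for p in entry.feasible_successors()], entry.lose_successor())
    entry2 = TopologyEntry("10.0.1.0/24", [Path("R1", 10, 5), Path("R3", 20, 2)])
    print(entry2.lose_successor())
```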
Memory and CPU – EIGRP sends partial updates and only sends updates when a topology change occurs. The existence of a “feasible successor” in EIGRP limits the effect of topology changes to directly affected routers and routes. OSPF multicasts LSAs to all routers in the area upon a topology change and sends periodic database updates. Memory and CPU utilization come into account when considering the routing table size, number of neighbors, and how frequently the routing protocol is actively running its algorithm. OSPF is generally more CPU intensive on the DR router, and this router should have more memory and CPU power to accommodate this function. Also, OSPF may require more CPU and memory resources on other routers in the network.
Vendor Interoperability – OSPF is supported by a variety of router vendors and is an industry standard (RFC 1583); EIGRP is not. If a vendor-independent routing protocol is required, EIGRP cannot meet this criterion. However, care should be taken when interoperating with other vendors’ OSPF routers, because some vendors’ OSPF implementations cannot handle large routing table sizes (as few as 200 maximum routes with 4 neighbors has been reported). It should also be noted that multiple routing protocols can be supported on a router, so it is possible to implement EIGRP and still interoperate with OSPF routers by adding another routing process.
Multi-protocol Support – EIGRP can be used for IP, IPX, and AppleTalk, whereas, OSPF is just for IP. EIGRP for IPX and AppleTalk offers significant improvements over IPX RIP and AppleTalk RTMP by reducing routing information exchanged, improving network convergence, and increasing scalability. Additionally, EIGRP reduces IPX SAP traffic by performing incremental update-only based SAP updates instead of full periodic SAP updates like IPX RIP. EIGRP is therefore superior if one multi-protocol routing protocol is desired for IP, IPX, and AppleTalk support. Keep in mind that although EIGRP is conceptually similar for IP, IPX, and AppleTalk, multi-protocol EIGRP processes are “ships in the night” processes and, therefore, EIGRP is not an integrated multi-protocol routing protocol and should not be treated as such.
Route Selection – OSPF uses the interface cost (inversely proportional to bandwidth) to determine the shortest path. EIGRP builds a topology table and computes shortest paths using link bandwidth and delay as criteria. EIGRP thus offers more versatility and control in selecting the best routing path.
Routing Overhead – OSPF synchronizes router databases every 30 minutes and exchanges Link State Advertisements (LSAs) whenever a topology change occurs. EIGRP builds a topology table which does not have to be periodically synchronized and does not send LSAs when the network topology changes. Instead, EIGRP sends out queries only when an acceptable “feasible successor” does not exist, in an effort to find a route. Therefore, depending on the network topology, state, and configuration, EIGRP can be more efficient than OSPF by minimizing the routing information exchanged.
Link Bandwidth Conservation – OSPF utilizes whatever bandwidth it requires. EIGRP will default to consume only 50% of a link bandwidth, worst case. EIGRP allows you to configure bandwidth utilization parameters, whereas, OSPF does not. Also, EIGRP changes hello timers and hold down timers on NBMA interfaces to minimize the bandwidth used and to increase network convergence reliability. EIGRP further conserves WAN bandwidth by suppressing ACKs and using unicast data packets for this function. Thus, EIGRP is better suited for WAN applications where link bandwidth is precious.
Reliable Delivery of Routing Information – EIGRP provides reliable delivery of query, update, and reply packets to ensure routing information is not lost. OSPF multicasts update information and uses acknowledgments for the packets. Both protocols provide a reliable mechanism to exchange routing information.
Security – OSPF supports password and message digest authentication key security for routing information. EIGRP also supports authentication using an encrypted key. Both protocols have a good degree of security available.

Cisco 3550 Switch MAC Address Access Control list

In day-to-day network management you often run into this situation: some users, in violation of the management rules, change their own IP address in order to reach restricted resources. This behaviour not only undermines the information security rules, it may also cause network communication failures because of address conflicts.

Network administrators may try the various technical means described below to solve this problem, but the effect may not be ideal: first, technical means cannot fully prevent this from happening, and second, they add management complexity and cost. The most effective way to curb this situation is therefore administrative, which technical means cannot replace.

Before introducing these tools, let us first look at a simulated environment: a SERVER and a PC workstation are connected to a Cisco Catalyst 3550 switch, belong to different VLANs, and communicate by routing through the 3550 (switch configuration):

hostname Cisco3550
!
interface GigabitEthernet0/11
 description Connect to PC
!
interface GigabitEthernet0/12
 description Connect to SERVER
 switchport access vlan 2
!
interface Vlan1
 ip address 1.1.1.254 255.255.255.0
!
interface Vlan2
 ip address 2.1.1.254 255.255.255.0

If you only need to prevent IP address conflicts and do not need permission restrictions, the best approach is probably DHCP. The DHCP server assigns the user’s IP address, subnet mask, gateway, DNS and other parameters; it is easy to use and also saves IP addresses. For DHCP setup on Cisco equipment refer to: “Cisco router on DHCP configuration explain the entire process.” Static assignment requires more administrative overhead, but if users do not cause trouble, the one-to-one correspondence between user name and IP address makes maintenance more convenient. The management methods below assume static addressing.

Test 1. Assume that in VLAN1 only IP 1.1.1.1 is permitted to access the server 2.1.1.1, and all other access is prohibited.

Restriction method: use an IP access control list

interface Vlan1
 ip address 1.1.1.254 255.255.255.0
 ip access-group 100 in
!
access-list 100 permit ip host 1.1.1.1 host 2.1.1.1

Breakthrough method: an unauthorized user changes his own IP address to 1.1.1.1 to access the server. An unauthorized user seizing the address 1.1.1.1 causes an IP address conflict; if the user sets his IP address to that of the gateway, it also disrupts communication for the whole VLAN. Windows settings can be modified to prevent users from changing the “Network” properties, but this method is also easily bypassed.

Test 2. On top of the basic configuration of Test 1, add a static ARP binding to prevent IP address theft.

Implementation: on top of the Test 1 configuration, set: arp 1.1.1.1 0001.0001.1111 ARPA

Note that the following form is wrong, because the interface parameter of the arp command applies to a layer-3 (routed) port, not a layer-2 (switched) port:

arp 1.1.1.1 0001.0001.1111 ARPA GigabitEthernet0/11

After this is set, if an unauthorized user changes his address to 1.1.1.1, the packets he sends to the router are forwarded normally, but when the router forwards the return packets from the target server 2.1.1.1, the destination MAC address is always set to 0001.0001.1111, so the unauthorized user should not receive them.

Similar approach: use an “ARP server” that broadcasts the correct IP-to-MAC mapping table to all hosts on the network at a fixed interval.

Breakthrough method: the MAC address is easy to change in the Windows network connection settings; in the network card configuration, the “Advanced” page has a Network Address field that can be set to the specified value.

Test 3. Using port security

Principle: if a port is restricted so that only a machine with a specific MAC address may use it, then a user who changes the MAC address causes the port to enter an unusable state.

Configuration:

interface g0/1
 switchport mode access
 switchport port-security

After this is configured, the MAC address of the first PC connected to the switch port is recorded by the switch and becomes the only MAC address able to use the port. If the PC changes its MAC address, by default the port is put into shutdown state and can no longer communicate with the network.

The following command can be used to choose how violations are handled:

switchport port-security violation {protect | restrict | shutdown}

protect: drop packets from the illegal source address, no alarm

restrict: drop packets from the illegal source address and send syslog alerts

shutdown (default): shut the port down and send an SNMP trap and syslog alarm; unless the administrator issues shut / no shut, the port stays in the down state.

Breakthrough method: a proxy server. A user in the same VLAN who may reach external hosts installs proxy software on his machine, and others access through the proxy.
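The three violation modes above differ in what a defender gets to see, so it is worth modelling them side by side. This is an added example, not the switch's own code or anything from the original article: a small Python model of an access port with a maximum of one dynamically learned MAC address; all port names, MAC addresses and frames are constructed, and the syslog line follows the format of the IOS %PORT_SECURITY-2-PSECURE_VIOLATION message.

```python
"""Model of switchport port-security violation modes (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class PortSecurity:
    name: str
    violation: str = "shutdown"    # IOS default mode
    max_macs: int = 1              # IOS default maximum
    allowed: List[str] = field(default_factory=list)   # dynamically learned MACs
    err_disabled: bool = False
    violations: int = 0
    syslog: List[str] = field(default_factory=list)

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False                       # port stays down until shut / no shut
        if src_mac in self.allowed:
            return True
        if len(self.allowed) < self.max_macs:
            self.allowed.append(src_mac)       # the first MAC seen is learned
            return True
        # An unknown MAC beyond the maximum is a security violation.
        self.violations += 1
        if self.violation == "protect":
            return False                       # silent drop: nothing for the SOC to see
        if self.violation == "restrict":
            # Constructed line in the format of the IOS PSECURE_VIOLATION message.
            self.syslog.append(
                "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                f"caused by MAC address {src_mac} on port {self.name}.")
            return False
        # shutdown: the port goes err-disabled, alarms are raised, and even the
        # legitimate station loses connectivity until an administrator intervenes.
        self.err_disabled = True
        self.syslog.append(
            f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}, "
            f"putting {self.name} in err-disable state")
        return False

    def shut_no_shut(self) -> None:
        """Administrator recovers the port. Non-sticky learned addresses are lost when
        the interface goes down, so the next station seen is learned afresh."""
        self.err_disabled = False
        self.allowed.clear()


def run(port: PortSecurity, frames: List[str]) -> List[bool]:
    """Feed a sequence of source MACs through the port and return the forward/drop decisions."""
    return [port.ingress(mac) for mac in frames]


if __name__ == "__main__":
    # Constructed sequence: the legitimate PC, then a station with a changed MAC.
    frames = ["0001.0001.1111", "0001.0001.1111", "0001.0001.2222", "0001.0001.1111"]
    for mode in ("protect", "restrict", "shutdown"):
        port = PortSecurity("GigabitEthernet0/1", violation=mode)
        print(mode, run(port, frames), port.syslog)
```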

Test 4. Using VLANs and PVLANs to isolate users

Principle: put authorized and unauthorized users into different VLANs and use access control lists to limit communication between the VLANs. Within the same VLAN, PVLANs can also be used to isolate hosts that should not communicate directly … …

interface range GigabitEthernet0/10
 description Connect to PC1
 switchport access vlan 7
interface range GigabitEthernet0/11
 description Connect to PC2
 switchport access vlan 8

Special method: the Cisco 3550 also supports MAC and IP access control lists on layer-2 (switched) ports. The following settings allow the PC on port f0/1 to use only the IP address 1.1.1.1 and the MAC address 0000.0c31.ba9b; otherwise network communication does not work.

mac access-list extended macacl
 permit host 0000.0c31.ba9b any
 permit any host 0000.0c31.ba9b
!
interface FastEthernet0/1
 no ip address
 ip access-group ipacl in
 mac access-group macacl in
!
ip access-list extended ipacl
 permit ip any host 1.1.1.1
 permit ip host 1.1.1.1 any

Breakthrough method: the user walks over to an authorized user’s machine and accesses the resource from there.

This is an atypical breakthrough method, and there is no good solution for it.

Other possible restriction methods:

1. Authentication proxy: to access specific resources, the user must enter a username and password on a web page, otherwise access is blocked

2. 802.1x: users pass 802.1x authentication and at the same time receive an IP address from the DHCP server, otherwise access is blocked

3. PPPoE: users need to install PPPoE client software and use a username and password to use the network

Discussion update: a friend called Maying, after reading this article, posted on a BBS asking: “How do I configure the router to filter out traffic from a specific MAC address? I don’t want that host’s MAC address to get through the router!”

This is a relatively new requirement. Filtering on a MAC address is an action that happens at layer 2. A router’s general task is layer-3 routing; only in a few circumstances, when it acts as a bridge, does it filter on MAC addresses, so this kind of filter is best configured on layer-2 switching equipment.

However, this is not an impossible task for a router. The following configuration achieves the required effect:

ip cef
! rate-limit requires CEF support; CEF is probably not enabled by default on the router
interface Ethernet0/0
 ip address 192.168.1.254 255.255.255.0
 rate-limit input access-group rate-limit 100 8000 1500 2000 conform-action drop exceed-action drop
 ! if the source MAC address matches the specified value, discard (all others are permitted)
access-list rate-limit 100 0001.0001.abcd
! the MAC address to restrict

Note that there must be no other layer-3 device between the target workstation and the router, otherwise the source MAC address will already have been rewritten.

Discussion update: Maying asks: “My router is a Cisco 1720, which does not support CEF. What can I do?”

The Cisco 1720 router can support CEF, but it requires IOS 12.0(3)T or later with the IP PLUS feature set; from 12.2(11)YV the standard IP feature set also supports CEF. If the router’s current IOS version is not sufficient, an upgrade is necessary.

You can also use a bridging (IRB) approach; this method only requires 12.0(2)T or later of the standard IP software. The configuration is as follows:

bridge irb
! enable IRB support
interface Ethernet0/0
 no ip address
 ! routing is done on the logical port BVI 1
 bridge-group 1
 ! add the interface to bridge group 1
!
interface BVI1
 ip address 192.168.1.254 255.255.255.0
 ! provides routing for bridge group 1
!
bridge 1 protocol ieee
! run the spanning tree protocol to prevent loops
bridge 1 route ip
! route IP traffic
bridge 1 address 0001.0001.abcd discard
! discard frames from the MAC address 0001.0001.abcd

CCNP ROUTE 642-902 Exam Foundation Learning: Implementing Path Control

Implementing Path Control Using Offset Lists

This section introduces offset lists and how to configure and verify path control using offset lists.

Using Offset Lists to Control Path Selection

An offset list is the mechanism for increasing incoming and outgoing metrics to routes learned via EIGRP or Routing Information Protocol (RIP). (Offset lists are only used for distance vector routing protocols.) Optionally, an offset list can be limited by specifying either an access list or an interface.

Configuring Path Control Using Offset Lists

To add an offset to incoming and outgoing metrics to routes learned via EIGRP or RIP, use the offset-list {access-list-number | access-list-name} {in | out} offset [interface-type interface-number] router configuration command, as explained in Table 5-2.

Table 5-2. offset-list Command

access-list-number | access-list-name – Standard access list number or name to be applied. Access list number 0 indicates all access lists. If the offset value is 0, no action is taken.
in – Applies the access list to incoming metrics.
out – Applies the access list to outgoing metrics.
offset – Positive offset to be applied to metrics for networks matching the access list. If the offset is 0, no action is taken.
interface-type interface-number – (Optional) Interface type and number to which the offset list is applied.

The offset value is added to the routing metric. An offset list that specifies an interface type and interface number is considered to be an extended list and takes precedence over an offset list that is not extended. Therefore, if an entry passes the extended offset list and a normal offset list, the offset of the extended offset list is added to the metric.

Figure 5-3 illustrates an example network in which an organization is using RIP and is connected to the Internet service provider (ISP) via edge Routers R4 and R5. A subset of routes is received from each of the edge routers. The metric between Routers R2 and R5 is smaller than the metric between Routers R2 and R4, because it is only one hop. However, this is a very slow link. An offset list can be used on Router R2 so that it prefers the path toward the edge Router R4 for a specific set of destinations.

Figure 5-3. An Offset List Can Be Used to Prefer a Faster Path.

A partial configuration of Router R2 is shown in Example 5-1. In this example, the offset-list 21 in 2 serial 0/0 command adds an offset of 2 to the metric of routes learned from interface serial 0/0 (connected to Router R5) that are permitted by access list 21. Access list 21 permits a specific set of routes (any in the 172.16.0.0/16 network) being learned from Router R5. This command is entered in RIP configuration mode on Router R2. This configuration results in the path toward Router R4 being considered better for the set of selected routes; R4 becomes the preferred way out toward the ISP for these routes.

Example 5-1. Offset List Configuration for Router R2 in Figure 5-3

router rip
 offset-list 21 in 2 serial 0/0
!
access-list 21 permit 172.16.0.0 0.0.255.255
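To see how Example 5-1 changes R2's route selection, the following added example (not from the book) models the incoming offset-list rules described above, including the wildcard-mask match of access list 21 and the precedence of an extended (interface-specific) list over a normal one. The RIP updates, hop counts and the interface names serial 0/0 (toward R5) and serial 0/1 (toward R4) are constructed assumptions, since the figure is not reproduced here.

```python
"""RIP offset-list semantics from Example 5-1 on constructed updates (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    network: str
    wildcard: str
    permit: bool = True

    def matches(self, prefix: str) -> bool:
        """Standard ACL match: compare the route's network address under the wildcard mask."""
        net = int(ipaddress.IPv4Address(self.network))
        wild = int(ipaddress.IPv4Address(self.wildcard))
        addr = int(ipaddress.IPv4Network(prefix).network_address)
        return (net & ~wild) == (addr & ~wild)


@dataclass(frozen=True)
class OffsetList:
    acl: int                          # 0 means "all routes"
    direction: str                    # "in" or "out"
    offset: int
    interface: Optional[str] = None   # set -> extended list, takes precedence


@dataclass
class RipRoute:
    prefix: str
    metric: int        # hop count as received
    learned_on: str    # interface the update arrived on
    via: str           # advertising neighbour


def acl_permits(acls: Dict[int, List[AclEntry]], number: int, prefix: str) -> bool:
    if number == 0:
        return True
    for entry in acls.get(number, []):
        if entry.matches(prefix):
            return entry.permit
    return False                      # implicit deny at the end of every ACL


def apply_offsets(route: RipRoute, offsets: List[OffsetList],
                  acls: Dict[int, List[AclEntry]]) -> int:
    """Metric after incoming offset lists: a matching extended list wins over a
    non-extended one, and an offset of 0 is a no-op."""
    candidates = [o for o in offsets
                  if o.direction == "in" and o.offset > 0
                  and (o.interface is None or o.interface == route.learned_on)
                  and acl_permits(acls, o.acl, route.prefix)]
    if not candidates:
        return route.metric
    extended = [o for o in candidates if o.interface is not None]
    chosen = extended[0] if extended else candidates[0]
    return route.metric + chosen.offset


def best_routes(routes: List[RipRoute], offsets: List[OffsetList],
                acls: Dict[int, List[AclEntry]]) -> Dict[str, Tuple[int, str]]:
    """Lowest adjusted metric per prefix, i.e. what RIP would install."""
    best: Dict[str, Tuple[int, str]] = {}
    for r in routes:
        m = apply_offsets(r, offsets, acls)
        if r.prefix not in best or m < best[r.prefix][0]:
            best[r.prefix] = (m, r.via)
    return best


# R2's configuration from Example 5-1 (access list 21 and the offset list).
ACLS = {21: [AclEntry("172.16.0.0", "0.0.255.255")]}
OFFSETS = [OffsetList(21, "in", 2, "serial 0/0")]

# Constructed updates as R2 might receive them from R5 and R4.
UPDATES = [
    RipRoute("172.16.10.0/24", 1, "serial 0/0", "R5"),   # slow link, one hop
    RipRoute("172.16.10.0/24", 2, "serial 0/1", "R4"),   # faster path, two hops
    RipRoute("10.9.0.0/16", 1, "serial 0/0", "R5"),      # not matched by ACL 21
    RipRoute("10.9.0.0/16", 2, "serial 0/1", "R4"),
]

if __name__ == "__main__":
    for prefix, (metric, via) in best_routes(UPDATES, OFFSETS, ACLS).items():
        print(f"{prefix:16} metric {metric} via {via}")
```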

Verifying Path Control Using Offset Lists

You can use the traceroute EXEC command to verify that an offset list is affecting the path that traffic takes.

The routing table, viewed with the show ip route command, identifies the metrics for learned routes. You should compare these metrics to what was expected by the offset list configuration. For EIGRP, the EIGRP topology table can be examined using the show ip eigrp topology command. The topology table contains all routes learned from the router’s EIGRP neighbors, and includes the metric information for those routes, including the best route and any other feasible routes that the router has learned about.

NOTE

Recall that only successor and feasible successor routes are displayed with the show ip eigrp topology command. Add the all-links keyword to display all routes, including those not eligible to be successor or feasible successor routes.

You can use debug commands, such as debug ip rip and debug ip eigrp, to view the real-time processing of incoming and outgoing RIP routing updates, to ensure that the metric is being processed appropriately.

CAUTION

Use caution when executing debug commands because they may consume a lot of router resources and could cause problems in a busy production network. Debugging output takes priority over other network traffic; too much debug output might severely reduce the performance of the router or even render it unusable in the worst case.

CCNP ROUTE 642-902 Exam Foundation Learning: Implementing Path Control

This chapter starts by discussing path control fundamentals. Three tools for path control are detailed: offset lists, Cisco IOS IP service level agreements (SLAs), and policy-based routing (PBR). The chapter concludes with a discussion of advanced path control tools.

Understanding Path Control

This section introduces path control performance issues and introduces the tools available to control path selection.

Assessing Path Control Network Performance

This chapter is concerned with controlling the path that traffic takes through a network. In some cases, there might be only one way for traffic to go. However, many networks include redundant paths, by having redundant devices or redundant links. In these cases, the network administrator may want to control which way certain traffic flows.

The choice of routing protocol or routing protocols used in a network is one factor in defining how paths are selected; for example, different administrative distances, metrics, and convergence times may result in different paths being selected. As described in Chapter 4, “Manipulating Routing Updates,” when multiple routing protocols are implemented, inefficient routing may result. For example, two-way multipoint redistribution requires careful planning and implementation to ensure that traffic travels the optimal way, and that there are no routing loops.

When a network includes redundancy, other considerations include the following:

  • Resiliency—Having redundancy does not guarantee resiliency, the ability to maintain an acceptable level of service when faults occur. For example, having redundant links between two sites does not automatically result in the backup link being used if the primary link fails. Configuration is necessary to implement failover, and to use the backup link for load sharing if that is desired. (Even if failover is configured correctly, the redundant link may not operate when needed; for example, if it uses the same physical infrastructure as the primary link.)
  • Availability—The time required for a routing protocol to learn about a backup path when a primary link fails is the convergence time. If the convergence time is relatively long, some applications may time out. Thus, using a fast-converging routing protocol, and tuning parameters to ensure that it does converge fast, is crucial for high-availability networks.
  • Adaptability—The network can also be configured to adapt to changing conditions. For example, a redundant path could be brought up and used when the primary path becomes congested, not just when it fails.
  • Performance—Network performance can be improved by tuning routers to load share across multiple links, making more efficient use of the bandwidth. For example, route advertisements for specific prefixes can be advertised on one link to change the balance of bandwidth use relative to other links.
  • Support for network and application services—More advanced path control solutions involve adjusting routing for specific services, such as security, optimization, and quality of service (QoS). For example, to optimize traffic via a Cisco Wide Area Application Services (WAAS) Central Manager, traffic must be directed to flow through the Cisco WAAS device.

    NOTE

    Cisco WAAS is a WAN optimization and application acceleration solution that optimizes application and video delivery over a WAN, and is illustrated briefly in the “Cisco Wide Area Application Services” section, later in this chapter.

  • Predictability—The path control solution implemented should derive from an overall strategy, so that the results are deterministic and predictable. For example, traffic is bidirectional by nature; for every packet that goes out, a reply typically must come back. When configuring a routing protocol to deploy a path control strategy, consider both upstream and downstream traffic. For example, changing or tuning downstream advertisements toward a server farm could adversely affect upstream traffic flows from the server farm.
  • Asymmetric traffic—Asymmetric traffic, traffic that flows on one path in one direction and on a different path in the opposite direction, occurs in many networks that have redundant paths. Asymmetry, far from being a negative trait, is often a desirable network trait, because it uses available bandwidth effectively, such as on an Internet connection on which downstream traffic may require higher bandwidth than upstream traffic. Border Gateway Protocol (BGP) includes a good set of tools to control traffic in both directions on an Internet connection. However, in most routing protocols, there are no specific tools to control traffic direction. In a part of a network that includes devices or services such as stateful firewalls, Network Address Translation (NAT) devices, and voice traffic, which require symmetrical routing, traffic symmetry must be enforced or the services must be tuned to accommodate asymmetry. For example, asymmetry in voice networks may introduce jitter and QoS issues. In other areas of the network, though, it might be inefficient and undesirable to try to engineer artificial symmetry.

Optimal routing in terms of network utilization within specific requirements is typically a design goal. Those requirements should be considered within the context of the applications in use, the user experience, and a comprehensive set of performance parameters. These parameters include delay, bandwidth utilization, jitter, availability, and overall application performance. Even if the routing table on the routers includes the necessary prefixes, applications might still fail if the performance requirements are not met.

Path Control Tools

Unfortunately, there is no “one-command” solution to implement path control. Instead, many tools are available.

Path control tools include the following:

  • A good addressing design: A good design should include summarizable address blocks and classless interdomain routing (CIDR) that align with the physical topology. These aspects are key to a stable network. As discussed in Chapter 1, “Routing Services,” summarization hides addressing details, isolates routing issues, and defines failure domains. Controlling summarization in strategic areas of the network affects path control. For example, in the network in Figure 5-1, the 10.0.0.0/8 summary is advertised from both routers, and the more specific route for 10.1.80.0/24 is advertised from the router on the right, providing direct access to that subnet. The resulting traffic flows are deterministic and more resilient.

    Figure 5-1 Advertising Summaries and More-Specific Routes Affects Traffic Flow.

  • Redistribution and other routing protocol characteristics—The capabilities of the routing protocol used can help implement a path control strategy more effectively, as summarized in Table 5-1. For example, Enhanced Interior Gateway Routing Protocol (EIGRP) automatically summarizes on network boundaries, and Open Shortest Path First (OSPF) can summarize only on Area Border Routers (ABRs) and Autonomous System Boundary Routers (ASBRs). Metrics can be changed and external routes can be tagged during redistribution between protocols. When multiple routing protocols are used, routes must be redistributed between them carefully, as detailed in Chapter 4.

    Table 5-1. Routing Protocol Characteristics

    Route marking
      OSPF: Tags for external routes can be added at distribution points.
      EIGRP: Tags for all routes can be configured.
    Metric
      OSPF: Can be changed for external routes at redistribution points.
      EIGRP: Can be set using route maps.
    Next hop
      OSPF: Can be changed for external routes at redistribution points.
      EIGRP: Can be set for all routes under various conditions.
    Filtering
      OSPF: Summary information can be filtered at ABRs and ASBRs.
      EIGRP: Can be configured anywhere for any routes.
    Route summarization
      OSPF: Can be configured only on ABRs and ASBRs.
      EIGRP: Can be configured anywhere for any routes. Autosummarization is on by default.¹
    Unequal-cost load balancing
      OSPF: Not available.
      EIGRP: Available, with the variance command.
  • Passive interfaces—As also described in Chapter 4, passive interfaces prevent a routing protocol’s routing updates from being sent through the specified router interface.
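
As an added example (not from the book), the following Python models the advertisements in Figure 5-1 with a longest-prefix-match lookup: both routers advertise the 10.0.0.0/8 summary and only the right-hand router advertises 10.1.80.0/24, so traffic to that subnet is deterministic while traffic to the rest of 10.0.0.0/8 is shared, and withdrawing the more specific route falls back to the summary. The router names are assumptions, since the figure is not reproduced here.

```python
from ipaddress import ip_address, ip_network

# Constructed RIB for Figure 5-1. Router names are assumed; the figure is not
# reproduced on this page, only the prefixes it discusses.
RIB = [
    ("10.0.0.0/8", "left-router"),      # summary from the left router
    ("10.0.0.0/8", "right-router"),     # summary from the right router
    ("10.1.80.0/24", "right-router"),   # more specific, right router only
]


def lookup(dest, rib=RIB):
    """Return the next hops for dest after longest-prefix matching.

    Every entry that shares the longest matching prefix is returned, which is
    how a router load shares across equal-cost paths to the same prefix.
    """
    addr = ip_address(dest)
    matches = [(ip_network(p), nh) for p, nh in rib if addr in ip_network(p)]
    if not matches:
        return []
    longest = max(net.prefixlen for net, _ in matches)
    return sorted(nh for net, nh in matches if net.prefixlen == longest)


def withdraw(rib, prefix, next_hop):
    """Return a copy of rib without one advertisement, simulating a lost link."""
    return [(p, nh) for p, nh in rib if not (p == prefix and nh == next_hop)]


if __name__ == "__main__":
    # Deterministic: only the right router advertises the /24.
    print(lookup("10.1.80.7"))
    # Shared: both routers advertise the /8 summary.
    print(lookup("10.5.1.1"))
    # Resilient: if the /24 disappears, the summary still carries the traffic.
    print(lookup("10.1.80.7", withdraw(RIB, "10.1.80.0/24", "right-router")))
```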

Other tools include the following:

  • Distribute lists
  • Prefix lists
  • Administrative distance
  • Route maps
  • Route tagging
  • Offset lists
  • Cisco IOS IP SLAs
  • PBR

The first five of these tools were covered in Chapter 4; the others are the focus of the rest of this chapter.

NOTE

Three other tools are covered in the “Advanced Path Control Tools” section, at the end of the chapter.

You can use all of these tools as part of an integrated strategy to implement path control, as illustrated in Figure 5-2. It is important to have a strategy before implementing specific path control tools and technologies.

Figure 5-2 Path Control Requires an Integrated Strategy.

For example, filters allow specific control of routing updates and provide security mechanisms to hide specific destinations. In contrast, PBR can bypass the routing table and define a path based on static or dynamic information, forcing traffic to specific destinations such as security appliances, NAT devices, and WAN optimization elements.

As another example, by controlling and filtering routing updates in one direction, you can affect traffic flowing in the opposite direction and prevent that traffic from reaching those destinations.

By tagging routes by using route maps, you can define priorities for specific destinations along multiple paths, allowing those paths to be used in a deterministic order. For example, on an Internet connection when multiple exit points exist out of a network, route maps can be used to tag and define priorities for specific destinations.

12 Ways To Get The Most Out Of Lab Time

Oftentimes you have rack time only to find that much of it has been wasted. At the end of the session you sit asking yourself where all your time went. Here are 12 ways to get the most out of lab time:

  1. Download the pre-configuration files from whatever vendor you are using ahead of time. There is no reason why you shouldn’t have them prior to starting your lab.
  2. Choose the scenario you want to work on prior to the start of your lab time.
  3. Once you have the scenario selected, look at the default (pre-) configurations for that lab. Add things to them like the “no shut” command on interfaces you need to use, or the “enable” and “config t” commands at the beginning of the configuration file. This makes it faster when you paste the configurations into an empty router.
  4. Write a Perl or Expect script. You can quickly write a Perl or Expect script to log in and load a configuration. This automates much of the initial process. More lab time for you!
  5. Don’t waste your lab time reading the lab. You should have already done this. Lab time is lab time.
  6. Put it on the calendar and set a reminder. If it’s in writing and you are reminded about it, you are more likely to start on time. You are committed.
  7. Shut the door. If you study at home, let your family know that you will be busy for a while and shut the door.
  8. Go to a coffee shop. This gets you away from the demands of the family.
  9. If you study at work, put up a sign that tells people you are busy.
  10. Shut off your phone.
  11. Turn off your email.
  12. If you are using a Mac, you can download “Isolator” to block out distracting windows. This brings focus to just your terminal window. If you are using Windows, try DropCloth.
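
Items 3 and 4 together, as an added example that is not from the original post: a Python script (rather than Perl or Expect) that makes a vendor pre-configuration paste-ready and then loads it through a router's telnet console with a small expect-style read loop. The sample pre-config is constructed; the host, port, prompt format and the LAB_PASSWORD environment variable are assumptions.

```python
import os
import re
import socket

# Constructed pre-configuration in the shape a vendor's pre-config files take.
SAMPLE_PRECONFIG = (
    "hostname R1\n!\n"
    "interface FastEthernet0/0\n ip address 10.1.80.1 255.255.255.0\n!\n"
    "router rip\n network 10.0.0.0\n"
)

def prepare_config(preconfig):
    """Make a pre-config paste-ready for an empty router: prepend 'enable' and
    'configure terminal', drop '!' comment lines and blanks, add ' no shutdown'
    under every interface (harmless if it is already up) and finish with 'end'."""
    out = ["enable", "configure terminal"]
    for raw in preconfig.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        out.append(line)
        if re.match(r"interface \S+", line):      # top-level interface stanza
            out.append(" no shutdown")
    return out + ["end"]

def expect(sock, pattern, timeout=5.0):
    """Minimal expect: read until the regex matches the output gathered so far."""
    sock.settimeout(timeout)
    buf = b""
    while not re.search(pattern, buf):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("session closed by router")
        buf += chunk
    return buf.decode(errors="replace")

def push_config(lines, host, port=23):
    """Paste the prepared lines one at a time, waiting for the CLI prompt after each.
    Telnet is cleartext, so use it only on an isolated lab network and keep the
    login/enable password in the LAB_PASSWORD environment variable, not the script."""
    prompt = rb"(Password: ?|\S+[>#]) ?$"
    with socket.create_connection((host, port), timeout=10) as sock:
        for cmd in [""] + lines:             # the empty line wakes the console
            sock.sendall(cmd.encode() + b"\r\n")
            if expect(sock, prompt).rstrip().endswith("Password:"):
                sock.sendall(os.environ["LAB_PASSWORD"].encode() + b"\r\n")
                expect(sock, prompt)

if __name__ == "__main__":
    print("\n".join(prepare_config(SAMPLE_PRECONFIG)))
```

Run push_config(prepare_config(open("r1.txt").read()), "lab-term-server", 2001) once the lines look right; the port number here is only a placeholder for a terminal-server line.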

So, what do you think? How do you make lab time more effective?
