Aug 29, 2008

Bootstrap Router

The Bootstrap Router (BSR) mechanism was added in PIM version 2. It does the same job as Auto-RP (automatic distribution of group-to-RP mappings) in a standard way. Cisco IOS releases that support PIMv2 listen for BSR messages by default; only the candidate BSR and candidate RP roles need to be configured.

There are interoperability and design issues with PIM v1. See the Configuration Guide for more advice on this. The short form of the advice is to set up your BSR to also be Auto-RP mapping agent, make sure all RP's run PIMv2, and then the PIM versions can interoperate. We'll assume you have upgraded your routers and all are running PIM v2. This means you'll have one active RP per multicast group, compared to several for the same group in PIMv1. You configure sparse-dense-mode on interfaces, since Sparse or Dense are now properties of a multicast group, not an interface.

PIMv1 plus Auto-RP does the same tasks as BSR. But Auto-RP is Cisco proprietary, whereas PIMv2 with BSR is an IETF standards track protocol, which means it should interoperate with routers from other vendors.

To use Bootstrap Router, configure one or more candidate BSR's. These should be well-placed, in the core of your network with good connectivity. Configuration command:

ip pim bsr-candidate type number hash-mask-length [priority]

The type number part of this refers to the interface whose address is used to identify the BSR. The hash-mask-length is the number of leading bits of the group address that are fed into the RP hash function: groups that agree in those bits always hash to the same RP, so a length of 24 keeps every group in a /24 on one RP, while 32 hashes each group individually. The priority is for election as BSR. The hashing allows load balancing across multiple RPs for a range of groups: only one RP is used for each group, but the hash divides up which RP serves which group. The hash is deterministic, so every router computes the same RP for a given group from the same candidate-RP set.
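
The deterministic hash behind that paragraph, as an added example (constructed here, not code from the original page or from Cisco IOS): it implements the PIM-SM RP hash function from RFC 4601 section 4.7.2, applies the hash-mask-length the same way `ip pim bsr-candidate` does, and shows why two groups that share their first 24 bits land on the same RP when the mask length is 24. The candidate addresses and groups are made-up values; the function assumes all candidates passed in already have the same priority and the same longest-matching group range, which is the set the hash is run over.

```python
import ipaddress
from typing import Dict, Iterable, List


def _ip(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def hash_mask(hash_mask_length: int) -> int:
    """The hash-mask-length argument of 'ip pim bsr-candidate' as a 32-bit mask."""
    if not 0 <= hash_mask_length <= 32:
        raise ValueError("hash-mask-length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - hash_mask_length)) & 0xFFFFFFFF


def rp_hash_value(group: int, mask: int, rp: int) -> int:
    """RP hash from RFC 4601 section 4.7.2:
    Value(G,M,C) = (1103515245 * ((1103515245 * (G & M) + 12345) XOR C) + 12345) mod 2^31"""
    return (1103515245 * ((1103515245 * (group & mask) + 12345) ^ rp) + 12345) % (1 << 31)


def select_rp(group: str, candidates: Iterable[str], hash_mask_length: int) -> str:
    """Pick the RP for `group` the way every PIMv2 router does from the same bootstrap
    set. `candidates` are the candidate-RP addresses that cover the group with the
    longest prefix and the best priority (assumption: the caller has filtered them);
    among those the highest hash value wins and ties go to the numerically highest
    RP address, exactly as the RFC specifies."""
    mask = hash_mask(hash_mask_length)
    g = _ip(group)
    return max(candidates, key=lambda rp: (rp_hash_value(g, mask, _ip(rp)), _ip(rp)))


def group_to_rp_table(groups: Iterable[str], candidates: List[str],
                      hash_mask_length: int) -> Dict[str, str]:
    """The mapping each router derives. It is identical on every router because the
    inputs (bootstrap candidate set, mask length, group address) are identical."""
    return {g: select_rp(g, candidates, hash_mask_length) for g in groups}


if __name__ == "__main__":
    cands = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]                  # constructed candidate RPs
    groups = ["239.1.1.1", "239.1.1.200", "239.1.2.1", "239.1.3.7"]  # constructed groups
    for hml in (24, 32):
        # with 24, 239.1.1.1 and 239.1.1.200 always share an RP; with 32 they may not
        print("hash-mask-length", hml, group_to_rp_table(groups, cands, hml))
```

Because the inputs are the only thing that decides the outcome, anyone who can inject a candidate-RP advertisement into the bootstrap set changes the table on every router at once; that is the reason the bsr-border and accept-rp controls described later matter.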
You also have to configure one or more candidate RPs, as with Auto-RP. RP's should also be well-connected and in a high-speed and accessible portion of the network.

ip pim rp-candidate type number [group-list access-list] [bidir]

The arguments are identical to those for the send-rp-announce command arguments above. (Interface for RP identity, access list controlling which multicast groups the router is to be an RP candidate for.)
The actual operation of BSR is a bit different than Auto-RP. First, a single BSR is elected, based on configured priority. (Highest IP address is used as a tie-breaker.) Candidate RP's then unicast announcements to this BSR, which stores all of the announcements. The BSR periodically floods BSR messages to all the other routers, hop by hop. The flooding is to 224.0.0.13 (all PIM routers) with TTL one. (All 224.0.0.x multicasts are link-local in scope.) Default flooding interval is 60 seconds. If a candidate BSR does not receive a BSR message within 150 seconds, it starts an election. It starts announcing itself until a BSR message with a higher priority is received.

To set up BSR domains, you need to stop BSR messages from going between the domains. This is done simply, via an interface command:

interface serial 0 
ip pim bsr-border


This causes the interface to neither send nor receive BSR messages. It is much simpler than TTL scoping, and it is also the place to keep untrusted neighbours out of the process: nothing in the BSR exchange is authenticated, and the election is decided purely by advertised priority and address, so a router that can inject bootstrap messages on a PIM-enabled link can win the BSR election or register itself as a candidate RP. Set bsr-border on interfaces facing networks you do not control, and pair it with ip pim accept-rp (see the Auto-RP section below) so that joins are only honoured for the RPs you expect.

Auto-RP

Auto-RP automatically distributes information to routers as to what the RP address is for various multicast groups. It simplifies use of multiple RP's for different multicast group ranges. It avoids manual configuration inconsistencies, and allows for multiple RP's acting as backups to each other. Cisco routers automatically listen for this information.

Auto-RP relies on a router designated as RP mapping agent. Potential RP's announce themselves to the mapping agent, and it resolves any conflicts. The mapping agent then sends out the multicast group-RP mapping information to the other routers.

How does it do this? It uses multicast to send the mapping information to the other routers! The specific groups used are 224.0.1.39 and .40. The first (.39) is used to advertise, the second (.40) is used for discovery. Of course, there's a chicken and egg problem there: how can you send out multicast information via multicast if the Auto-RP information is needed to make PIM-SM work in the first place?

Generally Auto-RP is used with sparse-dense mode, since then the Auto-RP information can be propagated in dense mode. If your routers are configured with pure sparse-mode on the interfaces, then you can shift to sparse-dense-mode. The other choice with PIM-SM only interfaces is to configure static RP addresses for the Auto-RP multicast groups (the multicast groups used by Auto-RP itself to communicate). That way, the static info gets the Auto-RP multicasts distributed in sparse mode, and then the Auto-RP mapping information allows the other multicast groups to be joined. By the way, you do not need to statically specify a group range for the Auto-RP multicast groups, since normally Auto-RP information takes priority over statically configured information. Thus group mappings advertised via Auto-RP will direct Joins to the correct RP, while the lack of this information for the Auto-RP groups means the statically configured RP for Auto-RP will remain in effect.

Routers that are RP's are configured with the global configuration command:

ip pim send-rp-announce type number scope ttl-value [group-list access-list] [interval seconds] [bidir]

The type number argument is the name of an interface providing the address for the RP. Scope is the TTL of the announcement (which limits how many router hops it can traverse). You specify which multicast groups the router is RP for with the access-list.

For example:
ip pim send-rp-announce loopback0 scope 16 group-list 10
access-list 10 permit 239.0.0.0 0.255.255.255


By default, such routers advertise themselves every 60 seconds to multicast group 224.0.1.39. They advertise their address, also the range of groups they are RP for. The mapping agents receive this information. They select the highest candidate RP address as RP for each group or range advertised. The mapping agents advertise this, by default every 60 seconds or when changes occur, to multicast group 224.0.1.40. You do have to configure mapping agents (so they know they're the mapping agent):

ip pim send-rp-discovery scope ttl-value

The scope is how many hops the advertisements can take. This allows you to have different mapping agents, each responsible for part of the network. (Some other configuration may also be required to optimize this.)

Because the Auto-RP mapping agents use the highest RP for each group or range, you can have redundant RP's. If the one with the highest address fails, the next one will take over (after the cache hold time expires). If you have redundant Auto-RP mapping agents, as long as they advertise the same information, there is no problem. You do need to make sure candidate RP's use a large enough scope to reach all the mapping agents.

If you use administrative scoping (TTL settings), generally you set them on the large side, to make sure they reach every router within the local domain (part of the network). Think of the multicast advertisements as a wave, with scope being the height of the wave. You need to make sure the wave is big enough to reach the fringes of the domain. If you need to keep them from "spilling over" into another part of the network, you can use a boundary command:

interface serial 0
ip multicast boundary 10
access-list 10 deny 239.0.0.0 0.255.255.255
access-list 10 permit 224.0.0.0 15.255.255.255


This stops specified multicasts from crossing the boundary. You can also use a TTL threshold:

interface serial 0
ip multicast ttl-threshold ttl-value


Only packets with a TTL greater than the threshold are forwarded out the interface.
A router will act as RP for a group as soon as it receives Join or Prune messages naming it as the RP. To make routers honour Join and Prune messages only for RP addresses learned through Auto-RP (and ignore those naming any other RP), use:

ip pim accept-rp auto-rp [access-list]

The access list can be used to control which groups this applies to. You could also statically configure

ip pim accept-rp rp-address [access-list]

for static RP's, but that gets painful to maintain.

ip pim autorp listener

Few people know this command; unless you have been preparing for the CCIE Lab for a while you will rarely use it, and it took me some effort to understand it. Its most important function is to let interfaces that only support sparse/bidirectional/SSM mode flood Auto-RP information using dense mode. If a task requires Auto-RP but forbids ip pim sparse-dense-mode, remember that this command exists!

To cause IP multicast traffic for the two Auto-RP groups 224.0.1.39 and 224.0.1.40 to be Protocol Independent Multicast (PIM) dense mode flooded across interfaces operating in PIM sparse mode, use the ip pim autorp listener command in global configuration mode. To disable this feature, use the no form of this command.

Usage Guidelines
Use the ip pim autorp listener command with interfaces configured for PIM sparse mode operation in order to establish a network configuration where Auto-RP operates in PIM dense mode and multicast traffic can operate in sparse mode, bidirectional mode, or source specific multicast (SSM) mode.

Examples
The following example enables IP multicast routing and the Auto-RP listener feature on a router. It also configures the router as a Candidate RP for the multicast groups 239.254.2.0 through 239.254.2.255.

ip multicast-routing
!
interface loopback 0
ip pim sparse-mode
!
interface loopback 1
ip pim sparse-mode
!
interface s0/0
ip pim sparse-mode
!
ip pim autorp listener
ip pim send-rp-announce Loopback0 scope 16 group-list 1
ip pim send-rp-discovery Loopback1 scope 16
!
access-list 1 permit 239.254.2.0 0.0.0.255

Syslog Rate Limit

Configure the router so that a log-enabled ACL entry generates a log message after every 10 matching packets, and so that additional log messages are produced no more often than the configured interval. Note that the interval argument of ip access-list logging interval is in milliseconds, so the value 2 below is 2 ms; for one message every two seconds the value would be 2000.

Router(config)#ip access-list logging interval 2
Router(config)#ip access-list log-update threshold 10

Aug 28, 2008

MPLS L2 VPN - Any to Any Interworking

The L2 VPN Interworking feature supports Ethernet, 802.1Q(VLAN), Frame Relay, ATM AAL5, and PPP attachment circuits over MPLS.

The L2 VPN Interworking function is implemented in two modes.


Bridged Interworking Mode

In bridged interworking mode, Ethernet frames are extracted from the AC and sent over the pseudo wire. AC frames that are not Ethernet are dropped. In the case of a VLAN, the VLAN tag is removed, leaving an untagged Ethernet frame. This interworking functionality is implemented by configuring the interworking ethernet command under the pseudo-wire class configuration mode.


Routed Interworking Mode

In routed interworking mode, IP packets are extracted from the AC and sent over the pseudowire. AC frames that do not carry IPv4 packets are dropped. This interworking functionality is implemented by configuring the interworking ip command under the pseudowire class configuration mode.


Configuring Layer 2 VPN Interworking

Ethernet to VLAN Interworking

CE1:
interface ethernet0/0
ip address 172.16.10.1 255.255.255.252


PE1:(Loopback 10.10.10.101/32)
pseudowire-class Eth-VLAN
encapsulation mpls
interworking ethernet
!
interface fastethernet5/0
no ip address
xconnect 10.10.10.102 100 encapsulation mpls pw-class Eth-VLAN


PE2:(Loopback 10.10.10.102/32)
pseudowire-class VLAN-Eth
encapsulation mpls
interworking ethernet
!
interface fastethernet5/0
!
interface fastethernet5/0.100
no ip address
encapsulation dot1q 100
! peer is PE1's loopback
xconnect 10.10.10.101 100 encapsulation mpls pw-class VLAN-Eth


CE2:
interface ethernet0/0
!
interface ethernet0/0.100
encapsulation dot1q 100
ip address 172.16.10.2 255.255.255.252


Frame Relay to AAL5 Interworking

CE1:
interface atm6/0.100
pvc 1/100
encapsulation aal5snap
ip address 172.16.1.1 255.255.255.252


PE1:
pseudowire-class AAL5-FR
encapsulation mpls
interworking ip
!
interface atm6/0.100 point-to-point
pvc 1/100 l2transport
encapsulation aal5snap
xconnect 10.10.10.102 100 pw-class AAL5-FR


PE2:
pseudowire-class FR-AAL5
encapsulation mpls
interworking ip
!
frame-relay switching
!
interface serial0/0
no ip address
encapsulation frame-relay
clock source internal
frame-relay intf-type dce
connect FR s0/0 100 l2transport
xconnect 10.10.10.101 100 pw-class FR-AAL5


CE2:
! CE2 hangs off PE2's Frame Relay DCE on DLCI 100
interface serial0/0
encapsulation frame-relay
!
interface serial0/0.100 point-to-point
ip address 172.16.1.2 255.255.255.252
frame-relay interface-dlci 100



Frame Relay to PPP Interworking

CE1:
interface S0/0
encapsulation frame-relay
ip address 172.16.1.1 255.255.255.252


PE1:
pseudowire-class FR-PPP
encapsulation mpls
interworking ip
!
frame-relay switching
!
interface serial1/0
no ip address
encapsulation frame-relay
frame-relay intf-type dce
!
connect FR serial1/0 100 l2transport
! peer is PE2's loopback
xconnect 10.10.10.102 100 pw-class FR-PPP


PE2:
pseudowire-class PPP-FR
encapsulation mpls
interworking ip
!
interface serial1/0
encapsulation ppp
! peer is PE1's loopback
xconnect 10.10.10.101 100 pw-class PPP-FR


CE2:
interface s1/0
encapsulation ppp
ip address 172.16.1.2 255.255.255.252


Frame Relay to VLAN Interworking

CE1:
interface serial0/0.100 point-to-point
ip address 172.16.1.1 255.255.255.252
frame-relay interface-dlci 100


PE1:
frame-relay switching
!
pseudowire-class FR-VLAN
encapsulation mpls
interworking ip
!
interface serial2/1
no ip address
encapsulation frame-relay
frame-relay intf-type dce
!
connect FR serial2/1 100 l2transport
xconnect 10.10.10.102 100 pw-class FR-VLAN


PE2:
pseudowire-class VLAN-FR
encapsulation mpls
interworking ip
!
interface fastethernet5/0.100
encapsulation dot1q 100
xconnect 10.10.10.101 100 encapsulation mpls pw-class VLAN-FR


CE2:
interface fastethernet0/0.100
encapsulation dot1q 100
ip address 172.16.1.2 255.255.255.252


AAL5 to VLAN Interworking

CE1:
interface atm1/0.100 point-to-point
mtu 1500
ip address 172.16.1.1 255.255.255.252
pvc 1/100
encapsulation aal5snap


PE1:
pseudowire-class AAL5-VLAN
encapsulation mpls
interworking ethernet
!
interface atm3/0.100 point-to-point
mtu 1500
pvc 1/100 l2transport
encapsulation aal5snap
xconnect 10.10.10.102 100 encapsulation mpls pw-class AAL5-VLAN


PE2:
pseudowire-class VLAN-AAL5
encapsulation mpls
interworking ethernet
!
interface fastethernet0/0.100
encapsulation dot1q 100
xconnect 10.10.10.101 100 encapsulation mpls pw-class VLAN-AAL5


CE2:
interface fastethernet0/0.100
encapsulation dot1q 100
ip address 172.16.1.2 255.255.255.252

The Golden Combination for Unearthing Your Abilities

This article is excerpted from Business Weekly (商業周刊), Issue 1083
Author: 曠文琪 (Kuang Wen-chi)

When seniority, expertise and the "iron rice bowl" can no longer be trusted, are you still coping by learning more skills or switching to a hot industry? From today on, what you need is the power to stay employable for life.


Are you a professional? Do you think that being professional enough means you can go through life without worry? If your answer is "yes", consider the following question:

If your industry suddenly changed dramatically and you faced lay-offs without warning today, could you find a job with pay and conditions as satisfying as your current one within three months?

If you are not sure, think carefully about the recent trends in the workplace: industries are changing faster than before, and professionals face a higher risk of unemployment than before.

A new crisis: expertise alone is no longer enough. White-collar jobs vanish into thin air, and golden rice bowls tarnish overnight

In the United States, "people working on Wall Street seemed to disappear overnight." According to The New York Times, more than 66,000 financial professionals were laid off in the first half of this year. In Taiwan, more than a thousand Far Eastern Air Transport employees lost their jobs overnight; on July 17 the China Times held a meeting and decided to cut as many as 430 staff.

Securities analysts, bank managers, flight attendants and pilots: the jobs everyone used to regard as golden rice bowls are no longer easy to hold on to. According to the US Bureau of Labor Statistics (BLS), among the jobs expected to disappear in the greatest numbers between 2006 and 2016 are securities traders, a role that requires deep financial expertise: as many as 130,000 positions, more than even file clerks or telemarketers.

"The résumés I have on hand right now are mostly from bank managers and IT people," says 許書揚 (Hsu Shu-yang), general manager of MGR Consulting (經緯智庫). As more and more Taiwanese companies close their IT departments for cost reasons and outsource to mainland China and India, "no amount of expertise helps, because the job has simply vanished."

Long tenure does not help either. Hsu gives the example of an HR manager who spent ten years in manufacturing and was given a hard time when he tried to move into the service sector: "someone who stays in one field too long may not be very willing to change." An assistant accounting manager with fifteen years at a large multinational could not find a job for six months after leaving, because "the company was big and finely divided; he only knew how to do one line item, accounts receivable. Call it specialisation if you like, but he had no ability to solve problems."

What to do? You need "employability". Where interest and trends intersect, there is never a shortage of work

Competitiveness in the workplace is being rewritten!

Expertise has not been dethroned, but being highly skilled is not enough; you also need employability.

What is employability? The Organisation for Economic Co-operation and Development (OECD) names it as one of the essential capabilities for young people in the future. The British scholar Lee Harvey, who has studied employability for more than ten years, argues that the essence of employability is the ability to keep realising oneself, not merely the ability to hold a job. In his view, the core employability of the new era consists of attitude, personal traits, career management and self-marketing.

"In the past we all looked only at the external O (opportunity) to decide where to go, but that was wrong; we should look at S (strength)," says 李吉仁 (Li Ji-jen), professor of international business at National Taiwan University. "Look from the inside out first, and find the intersection of interest and trend."

The employability that Harvey and Li describe is not about acquiring some specific expertise from outside, but about looking for the gold mine inside yourself. This overturns the thinking, common today, that all you need to do is learn skills, collect certifications and move into an emerging industry.

"If you can't even run well in the lane you are best at, why would you think you could come first in another one?" says 楊基寬 (Yang Chi-kuan), chairman of the 104 Job Bank. People need to be clear about their gifts and preferences and concentrate all their resources there to get twice the result for half the effort. "Besides, learning is painful by nature; if you don't like it, how can you learn it well?"

To become an employability expert, first take stock of yourself from a strategic angle.

"There is no absolute strength, only relative strength; you have to put yourself in an advantageous position," says Li Ji-jen. He was able to move from planning at a pharmaceutical company to training instructor for Hon Hai's 600,000-strong workforce because he took stock and found he had the ability to express and to integrate, which let him differentiate himself in academia.

First, take stock of yourself: put your strengths in the most advantageous position

邱文仁 (Chiu Wen-jen), marketing director of the 104 Job Bank, studied visual communication art. Others found it odd that she went to work for a fledgling human resources company, but she felt that her ability to "see things from a creative angle" could cross fields. As a result, starting with her, the survey data 104 provided were turned into interesting trends: for the Qixi Festival she produced a timely ranking of the professions single men and women prefer in a partner; when the government changed hands, she began discussing the new forms of work that would arise from direct cross-strait flights.

Chiu raised 104's profile considerably. In an advertising agency full of talent her marketing creativity would easily have been drowned out: "I wouldn't necessarily be the best." But in the HR field, which only ever talks about numbers, her uniqueness stood out. "In future I could also go to a travel agency and pitch singles' tours!" Having understood her strengths, she sees a future full of possibilities.

Stop being limited by your education and work history; change the way you look at yourself and you can reach a new peak at any time.

While colleagues in the same trade worry about being laid off because of the outlook for the media, former Apple Daily crime reporter 蔡坤龍 (Tsai Kun-lung) is happily cycling his rounds in Peiyuan Village (培元里), Chiayi. He is now the best-known village chief in Taiwan; the blog recording his experiences as village chief has had 800,000 page views. He has fans who come to have their photo taken with him, and who demand the same standard of service from their own village chiefs.

Tsai's position today comes from a decision two years ago. Seeing the media environment going downhill, instead of thinking about a way out in terms of related occupations, such as corporate PR or writing, as most people would, he asked what his real strength was. The conclusion: "I can find the key person and get the key thing done in a short time; mission accomplished." So he used his weekends to run for village chief in his home town, and was elected by a wide margin.

"Being a village chief is a bit like being 007..." Tsai wrote on his blog. An elderly man called him at seven in the morning because he had seen a news ticker on TV the night before about a free community health check, but it went by too fast to read. Tsai applied a reporter's "peel the onion" approach, starting with more than a hundred cable channels, then the health station, and finally the health bureau. In the end he found the information, typed up the time, place, items and notes for the check-up, printed it, and delivered it to the old man's home.

This job uses Tsai's skills as a reporter and satisfies his passion for solving people's problems, something he could never do as a reporter, who can only be a bystander. He recently collected his blog diary into a book, transforming himself from a media reporter facing the threat of elimination into a popular village chief and author.

The turning point is often a single thought. "In the future the competition will be about introspection!" says 鄭啟川 (Cheng Chi-chuan), general manager of an innovation planning consultancy.

If you are willing, have a conversation with yourself: "What am I good at?" "What do I like doing?" "Who do I want to become?" These three simple questions may help you find the inner gold mine of your employability.

Harvard psychologist Howard Gardner's concept of "multiple intelligences" holds that human beings have at least ten different kinds of intelligence and that everyone's combination of strengths is different; in other words, each person's intelligence DNA is unique.

What is your unique inner combination? "Creative thinking", "finding the key point quickly"... do not underestimate traits that seem unrelated to success, such as "can tell a good story" or "really loves beauty". Traits traditionally thought to have nothing to do with the workplace may be your weapons for beating the environment in future.

"Never limit yourself," says 姚德慈 (Yao Te-tzu), spokesperson of Pegatron (the electronics contract manufacturer spun off from ASUS). A psychology graduate, she used her strength at "reading people" to start out in training at Acer, then volunteered for sales, and at ASUS even managed factory operations. Training, sales and plant management look like different fields, but because she understood her ability with "people", reading real needs from language and body language and then meeting them, she found the common ground, and with hard study she reached where she is today.

Second, learn without following the crowd: make yourself irreplaceable with unique skills

Once you have read yourself, the second step is to go deeper according to your own traits. Learning is not about following the job fad in front of you; it is like a knife, and every stroke carves your uniqueness deeper, until you are one of a kind and no one can replace you.

As you read this article, Chiu Wen-jen may be listening to her iPod and muttering to herself. She uses her two hours of daily commuting to learn English on the iPod, and spends four hours at a cram school at weekends, because she sees that the field in which her marketing talent can be applied is no longer limited to Taiwan: "Language lets me go a step further and use my creativity to help colleagues expand the business."

Seeing the future and acting to learn makes her, working twelve hours a day, feel "really happy" and "secure".

To be the best possible "village chief who gets things done", Tsai Kun-lung runs experiments: he sends the same case to the village clerk, a councillor and the online filing system at the same time, measures the efficiency of the different administrative routes, and works out the best way to file each kind of case. This large amount of trial and learning lets him deepen the inner trait he brings to serving residents.

Third, do not cling to old habits: a passion for risk will light up future possibilities

Of course, once you have taken stock of your traits and made a choice, it does not mean instant smooth sailing.

When 李秉祐 (Li Ping-yu), who discovered he had more talent for painting than for being a Hsinchu Science Park engineer, switched to teaching picture-book illustration, everyone thought he had "given up a golden rice bowl". The choice required sacrifices at first: he moved from Hsinchu to his parents' home in Taipei and took the MRT instead of driving to cut expenses. Now he teaches at Chinese Culture University, draws picture books, and also teaches engineers at high-tech firms such as Sunplus to use painting to unleash their imagination, which is exactly what a high-tech industry eager to move into aesthetic design needs most.

Although his income is not yet what it was, "I feel the future holds many possibilities." When others admire his courage, he says: "Just do it."

What do you always use to measure your ability in the workplace? Salary, title, or the company you work for? Have you really taken stock of all your possibilities and found the battlefield that suits you best?

Management guru Charles Handy writes in "Myself and Other More Important Matters" (《你拿什麼定義自己》) that each of us has the chance to "make the world work for me, rather than me for the world". It is just that, like picking up a familiar brand of breakfast cereal in the supermarket, we too easily grab our familiar old lives and habits when facing our careers.

So do not cling to your current job and position; explore the possibilities in your head as far as you can. Benjamin Franklin of colonial America had boundless curiosity and persistence as his gift and trait, and starting from that potential he was a painter, inventor, writer and diplomat, making his life more colourful than most.

"Never worry that it is too late." "Michelangelo did not begin designing the dome of St Peter's until he was 72; the point is whether you have passion," says the book 《熱情人生的冰淇淋哲學》 (The Ice-Cream Philosophy of a Passionate Life). The moment you find your passion, the employability energy of your whole life may burst out at once.

Aug 27, 2008

Multicast in MPLS Backbone Case Study

Suppose R1 (PE), R2 (PE), R3 (P) and R4 (PE) are the backbone routers of MPLS backbone AS200; R5 (CE to R4), R6 (CE to R1), R7 (C) and R8 (C) are AS100 CE routers; R9 (to R2) is the AS9 CE router.

Step 1. Enable multicast on R1, R2, R3 and R4 in AS200 to provide MDT transit for MPLS VPN customers. No shared multicast tree is used; PIM joins are always of the (S,G) form (SSM).

R1:

ip multicast-routing
ip pim ssm default
!
interface S0/0
! Connect to R2(PE)
ip pim sparse-mode


R2:
ip multicast-routing
ip pim ssm default
!
interface S0/0
! Connect to R1(PE)
ip pim sparse-mode
!
interface S0/1
! Connect to R3(P)
ip pim sparse-mode


R3:
ip multicast-routing
ip pim ssm default
!
interface S0/0
! Connect to R2(PE)
ip pim sparse-mode
!
interface S0/1
! Connect to R4(PE)
ip pim sparse-mode


R4:
ip multicast-routing
ip pim ssm default
!
interface S0/0
! Connect to R3(P)
ip pim sparse-mode


Step 2. Enable multicast on R5, R6, R7 and R8 in AS100, run PIMv2 between these routers, and have R5 announce itself as the Rendezvous Point (RP) for them (through BSR, as both candidate BSR and candidate RP).

R5:

ip multicast-routing
!
interface Ethernet0/0
! Connect to R4(PE)
ip pim sparse-mode
!
interface Ethernet0/1
! Connect to R7(C)
ip pim sparse-mode
!
ip pim bsr-candidate Loopback0
ip pim rp-candidate Loopback0


R6:
ip multicast-routing
!
interface S0/0
! Connect to R1(PE)
ip pim sparse-mode

R7:
ip multicast-routing
!
interface Ethernet0/0
! Connect to R5(CE)
ip pim sparse-mode
!
interface Ethernet0/1
! Connect to R8(C)
ip pim sparse-mode


R8:
ip multicast-routing
!
interface Ethernet0/0
! Connect to R7(C)
ip pim sparse-mode


R9:
ip multicast-routing
!
interface ATM1/0.1
! Connect to R2(PE)
ip pim sparse-mode


Step 3. Configure R1, R2 and R4 to support multicast transit between AS9 and AS100, using group address 232.1.1.1 as the default MDT. Traffic from R5 to R6 (across AS200) that exceeds 50 kbps must not be received by R2; such flows should use (S,G) entries from the 232.1.100.0/24 range (a data MDT).

R1:
ip vrf AS100
mdt default 232.1.1.1
mdt data 232.1.100.0 0.0.0.255 threshold 50
!
interface Loopback0
ip pim sparse-mode
!
interface S0/1
! Connect to R6(CE)
ip pim sparse-mode
!
ip multicast-routing vrf AS100
!
ip mroute 124.1.4.4 255.255.255.255 S0/0
! If more than one route exists, force the RPF path so the RPF check does not fail


R2:
ip vrf AS9
mdt default 232.1.1.1
!
interface Loopback0
ip pim sparse-mode
!
interface ATM1/0.1
! Connect to R9(CE)
ip pim sparse-mode
!
ip multicast-routing vrf AS9


R4:
ip vrf AS100
mdt default 232.1.1.1
mdt data 232.1.100.0 0.0.0.255 threshold 50
!
interface Loopback 0
ip pim sparse-mode
!
interface Ethernet0/0
! Connect to R5(CE)
ip pim sparse-mode
!
ip multicast-routing vrf AS100
!
ip mroute 124.1.1.1 255.255.255.255 S0/0
! If more than one route exists, force the RPF path so the RPF check does not fail


Step 4. Test multicast: when R8 sends ICMP echo requests to group address 224.8.8.8, both R6 and R9 reply with ICMP echo-replies.

R6:
interface S0/0
! Connect to R1(PE)
ip igmp join-group 224.8.8.8


R9:
interface ATM1/0.1
! Connect to R2(PE)
ip igmp join-group 224.8.8.8

Using Wildcard Masks to Filter Odd/Even IP Addresses

In the R/S and S/P labs you are often asked things like "only accept EVEN networks" or "only allow IP addresses whose fourth octet is an ODD number". Such questions really test whether candidates understand how wildcard masks work.

Generally, wildcards are most often used in the network command of a routing process or in an access-list to express a range. For example:


Router(config)#router ospf 1
Router(config-router)#network 10.1.1.0 0.0.0.255 area 0


This command asks that every active interface on the router whose IP address falls within 10.1.1.0/255.255.255.0 (10.1.1.0 to 10.1.1.255) become an OSPF interface and actively send hello packets for neighbor discovery (224.0.0.5/224.0.0.6).

A wildcard's bits are exactly the inverse of a mask's, which is why a wildcard is also called an inverse mask. That is the usual way we use wildcards: convert the network mask directly, turning 0s into 1s and 1s into 0s.

But wildcards are not limited to that, because the formal definition of a wildcard is:
  • When a given bit of the 32-bit wildcard is 0, the corresponding bit of a matching IP/network must be identical to that bit of the IP/network in the condition;
  • When a given bit of the 32-bit wildcard is 1, the corresponding bit of the candidate IP/network is ignored, whether it is 0 or 1.


So let us see how to use a wildcard to filter odd IP addresses:
Suppose we want to permit all the odd IP addresses in 192.168.1.0/24. The first three decimal octets are obviously the same, and the last is 1, 3, 5, ..., 255. Converting these to binary:

1100 0000.1010 1000.0000 0001.0000 0001(192.168.1.1)
1100 0000.1010 1000.0000 0001.0000 0011(192.168.1.3)
1100 0000.1010 1000.0000 0001.0000 0101(192.168.1.5)
...
1100 0000.1010 1000.0000 0001.1111 1111(192.168.1.255)


What these numbers have in common is that the last bit is always 1, while the second- through eighth-to-last bits appear in every combination of 0 and 1. We can therefore write a single ACL line that permits all the odd IP addresses:

access-list 1 permit 192.168.1.1 0.0.0.254


The condition of this ACL is that the first three decimal octets must match, the fourth octet is 1 (binary 0000 0001) and the fourth octet of the wildcard is 254 (binary 1111 1110). That means only the last bit of the fourth octet must be 1; the remaining bits can be 0 or 1, so the combination permits only odd IP addresses.

By the same reasoning, to permit all the even IP addresses in 192.168.1.0/24, configure:

access-list 1 permit 192.168.1.0 0.0.0.254


This means only the last bit of the fourth octet must be 0; the remaining bits can be 0 or 1.
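
The general algorithm behind the odd/even trick, as an added example (constructed here, not code from the original post): `wildcard_match` applies the formal definition above, and `derive_wildcard` goes the other way, computing the tightest address/wildcard pair for any set of addresses and reporting whether that pair matches exactly the set or also lets other addresses through (the usual trap when a set is not expressible as a single ACE). The network and address sets are made-up inputs.

```python
import ipaddress
from typing import Iterable, List, Tuple


def _ip(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: where the wildcard bit is 0 the address bit must equal
    the base bit; where it is 1 the bit is ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return ((_ip(addr) ^ _ip(base)) & care) == 0


def derive_wildcard(addrs: Iterable[str]) -> Tuple[str, str, bool]:
    """Tightest base/wildcard pair that matches every address in `addrs`.

    Returns (base, wildcard, exact). `exact` is False when the pair also matches
    addresses that were not in the input, i.e. the set cannot be written as one ACE
    and needs several lines."""
    ints = sorted({_ip(a) for a in addrs})
    if not ints:
        raise ValueError("need at least one address")
    ref = ints[0]
    wild = 0
    for n in ints:
        wild |= n ^ ref                # any bit that differs somewhere becomes a don't-care bit
    base = ref & ~wild & 0xFFFFFFFF    # canonical form: don't-care bits are 0 in the base
    exact = (1 << bin(wild).count("1")) == len(ints)   # a wildcard with k set bits matches 2**k addresses
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wild)), exact


def hosts_by_parity(network: str, odd: bool) -> List[str]:
    """All addresses in `network` (the .0 and .255 ends included) whose last bit is set (odd) or clear (even)."""
    return [str(a) for a in ipaddress.IPv4Network(network) if (int(a) & 1) == int(odd)]


def matches_in(network: str, base: str, wildcard: str) -> List[str]:
    """Which addresses of `network` an ACE with this base/wildcard would match."""
    return [str(a) for a in ipaddress.IPv4Network(network) if wildcard_match(str(a), base, wildcard)]


if __name__ == "__main__":
    # the two cases from the text
    print(derive_wildcard(hosts_by_parity("192.168.1.0/24", odd=True)))    # ('192.168.1.1', '0.0.0.254', True)
    print(derive_wildcard(hosts_by_parity("192.168.1.0/24", odd=False)))   # ('192.168.1.0', '0.0.0.254', True)
    # "only even networks": every /24 under 10.0.0.0/16 with an even third octet
    print(derive_wildcard(["10.0.%d.0" % i for i in range(0, 256, 2)]))    # ('10.0.0.0', '0.0.254.0', True)
    # a plain range is NOT expressible as one ACE: the derived pair over-matches
    print(derive_wildcard(["192.168.1.%d" % i for i in range(1, 11)]))     # ('192.168.1.0', '0.0.0.15', False)
```

When `exact` comes back False, the honest answer in the lab (and in production) is several ACEs, not one wildcard that quietly permits 192.168.1.0 and 192.168.1.11 through .15 as in the last case.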

MPLS LDP Access-List for QoS

MPLS QoS configurations often require LDP traffic to be given a higher priority or reserved bandwidth, so here is a sample ACL for reference. The notable part is that LDP discovery uses UDP to the multicast address 224.0.0.2 (all routers) with both source and destination port 646; the LDP session is then established over TCP port 646:
Router(config)#ip access-list extended LDP
Router(config-ext-nacl)#permit udp any eq 646 host 224.0.0.2 eq 646
Router(config-ext-nacl)#permit tcp any any eq 646
Router(config-ext-nacl)#permit tcp any eq 646 any


Also note that by default the LDP session is sourced from the LDP router ID, which is normally a loopback address. If mpls ldp discovery transport-address interface is configured between two routers, the directly connected interface address is used instead, and the ACL has to be written for those addresses.

For example, R1 and R2 are directly connected over Ethernet and form an LDP neighbourship, but we do not want any other router to be able to join, so we configure an ACL that only allows R1 and R2 to exchange LDP with each other. Bear in mind that an ACL only checks addresses, which another host on the segment can spoof; LDP MD5 authentication (mpls ldp neighbor <router-id> password ...) is the proper control for keeping unwanted peers out, and the ACL is a complement to it.

R1
interface loopback 0
ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
mpls ldp discovery transport-address interface
ip access-group LDP in
!
ip access-list extended LDP
! hello: peer's interface address to the all-routers group, UDP 646 to 646
permit udp host 10.1.1.2 eq 646 host 224.0.0.2 eq 646
! session: with 'transport-address interface' the TCP session runs between the
! Ethernet addresses, not the loopbacks, so the ACL must name 10.1.1.x
permit tcp host 10.1.1.2 eq 646 host 10.1.1.1
permit tcp host 10.1.1.2 host 10.1.1.1 eq 646
deny udp any any eq 646
deny tcp any any eq 646
deny tcp any eq 646 any
permit ip any any


R2
interface loopback 0
ip address 2.2.2.2 255.255.255.255
!
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
mpls ldp discovery transport-address interface
ip access-group LDP in
!
ip access-list extended LDP
! hello: peer's interface address to the all-routers group, UDP 646 to 646
permit udp host 10.1.1.1 eq 646 host 224.0.0.2 eq 646
! session: with 'transport-address interface' the TCP session runs between the
! Ethernet addresses, not the loopbacks, so the ACL must name 10.1.1.x
permit tcp host 10.1.1.1 eq 646 host 10.1.1.2
permit tcp host 10.1.1.1 host 10.1.1.2 eq 646
deny udp any any eq 646
deny tcp any any eq 646
deny tcp any eq 646 any
permit ip any any

Frame-Relay Traffic Shaping

Configuring FRTS (Frame Relay Traffic Shaping) on a Frame Relay network is one of the key topics common to both the R/S and S/P labs; the distinctive part is the map-class. The hardest part of such a task is not the commands but reading the hints in the wording (Cisco will not tell you which method to use, only which method you may not use, in order to constrain your direction).
(1) Suppose the task asks you to limit a Frame Relay interface to 10 Mbps, but if more than 20 packets are waiting in the queue the router should lower the limit to 8 Mbps. See the following configuration:
Router(config)#map-class frame-relay FRTS
Router(config-map-class)#frame-relay cir 10000000
Router(config-map-class)#frame-relay mincir 8000000
Router(config-map-class)#frame-relay adaptive-shaping interface-congestion 20
!
Router(config)#interface serial0/0
Router(config-if)#frame-relay class FRTS
Router(config-if)#frame-relay traffic-shaping

(2) Under the same conditions, what if the task does not allow you to use the frame-relay traffic-shaping command? This is the CCIE Lab's favourite angle, so when you practise, give the same task different constraints and ask yourself whether there is another solution besides the one you know. The other way is to configure shaping with MQC commands (assuming Tc = 50 ms, so Bc = 10,000,000 × 0.05 = 500,000 bits). One caveat: MQC shape adaptive lowers the rate toward the mincir value in response to BECNs from the Frame Relay network, whereas frame-relay adaptive-shaping interface-congestion reacts to the depth of the local interface queue, so the two are not exact equivalents and the wording of the task decides which is acceptable:
Router(config)#policy-map FRTS
Router(config-pmap)#class class-default
Router(config-pmap-c)#shape average 10000000 500000 1000000
Router(config-pmap-c)#shape adaptive 8000000
!
Router(config)#int S0/0
Router(config-if)#service-policy output FRTS

Menu Configuration in IOS for SP CCIE Lab

I have been reading the workbook lately and really feel the CCIE Lab is at the cutting edge (because most people never use these techniques). One task in particular is special: it tests menu configuration and at the same time the candidate's familiarity with the commands (each option has to run a command). I think it is a good direction for CCIE Lab questions: the configuration itself is not hard, but if you have never done it, it is not easy to find the solution on the DocumentCD during the exam, so I list the sample config here for reference.

Suppose ISP ABC wants to give a VPN account access to the PE router so that the XYZ site can do remote troubleshooting. For easier control, and to guide XYZ's network staff in running the relevant commands, ABC configures a menu on the PE router that is invoked automatically when the VPN account logs in.

The menu provides the following functions:
  • Option 1 should display the IP routing table for VRF XYZ
  • Option 2 should display the BGP table for VRF XYZ
  • Option 3 should display the MPLS forward-table for VRF XYZ
  • Option 4 should display the BGP learned labels for VRF XYZ
  • Option 5 should display exit item out of the command line



username VPN privilege 15 password 0 CISCO
username VPN autocommand menu VPNMENU
!
menu VPNMENU title #
Menu for MPLS VPN Customer - XYZ Remote Administration
#
menu VPNMENU text 1 View VPN Routing Table
menu VPNMENU command 1 show ip route vrf XYZ
menu VPNMENU text 2 View VPN BGP Table
menu VPNMENU command 2 show ip bgp vpnv4 vrf XYZ
menu VPNMENU text 3 View MPLS Forwarding Table
menu VPNMENU command 3 show mpls forwarding-table vrf XYZ
menu VPNMENU text 4 View BGP MPLS Label Forwarding Table
menu VPNMENU command 4 show ip bgp vpnv4 vrf XYZ labels
menu VPNMENU text 5 Exit
menu VPNMENU command 5 exit
menu VPNMENU single-space
menu VPNMENU prompt #Choose your selection: #
!
line vty 0 4
login local


Once this is configured, telnetting to the PE router with the VPN account starts the menu automatically, as below. Two practical notes: every option here is a show command, so the account does not need privilege 15 and should get the lowest level that can run them, and username ... secret is preferable to a cleartext password 0. The menu is a convenience layer for the customer, not a security boundary in its own right.

Menu for MPLS VPN Customer - XYZ Remote Administration

1    View VPN Routing Table
2    View VPN BGP Table
3    View MPLS Forwarding Table
4    View BGP MPLS Label Forwarding Table
5    Exit

Choose your selection:

Aug 26, 2008

Implementing the DiffServ Tunneling Models in Cisco IOS - Short Pipe Model

MPLS DiffServ Short Pipe Model
  • Egress PE
!!! Egress interface:
!
class-map TOS
match ip precedence 2 4
!
policy-map TOS_OUT_QOS
class TOS
bandwidth percent 40
random-detect precedence-based
!
interface ethernet 0/0
service-policy output TOS_OUT_QOS

Implementing the DiffServ Tunneling Models in Cisco IOS - Pipe Model

MPLS DiffServ Pipe Model

For the Pipe and Short Pipe DiffServ Model, however, the ingress PE can change the EXP bits according to the policy of the service provider.

  • Egress PE

!!! Ingress interface:
!
class-map MPLS_EXP
match mpls experimental topmost 2 4
!
policy-map EXP_IN_QOS_GROUP
class MPLS_EXP
set qos-group mpls experimental topmost
!
interface ethernet 0/0
service-policy input EXP_IN_QOS_GROUP
!
!
!
!!! Egress interface:
!
class-map QOS_GROUP
match qos-group 2
match qos-group 4
!
policy-map QOS_GROUP_OUT_QOS
class QOS_GROUP
bandwidth percent 40
random-detect
!
interface ethernet 1/0
service-policy output QOS_GROUP_OUT_QOS

Implementing the DiffServ Tunneling Models in Cisco IOS - Uniform Model

MPLS DiffServ Uniform Model
  • Ingress PE


!!! Ingress interface:
!
class-map IP_TOS
match ip precedence 4
!
policy-map SET_MPLS_PHB
class IP_TOS
police cir 8000
conform-action set-mpls-exp-transmit 4
exceed-action set-mpls-exp-transmit 2
!
interface ethernet 0/0
service-policy input SET_MPLS_PHB
!
!
!
!!! Egress interface:
!
class-map MPLS_EXP
match mpls experimental topmost 2 4
!
policy-map SET_QOS_OUT
class MPLS_EXP
bandwidth percent 40
random-detect
!
interface ethernet 1/0
service-policy output SET_QOS_OUT


For the Uniform model, you must copy the precedence bits to the EXP bits on the ingress PE.



  • P Router


!!! Ingress interface:
!
! Nothing needed because the EXP bits are copied to the swapped outgoing label by default.
!
!!! Egress interface:
!
class-map MPLS_EXP
match mpls experimental topmost 2 4
!
policy-map SET_QOS_OUT
class MPLS_EXP
bandwidth percent 40
random-detect
!
interface ethernet 0/0
service-policy output SET_QOS_OUT




  • PHP P Router


!!! Ingress interface:
!
class-map MPLS_EXP
match mpls experimental topmost 2 4
!
policy-map EXP_IN_QOS_GROUP
class MPLS_EXP
set qos-group mpls experimental topmost
!
interface ethernet 0/0
service-policy input EXP_IN_QOS_GROUP
!
!
!
!!! Egress interface:
!
class-map QOS_GROUP
match qos-group 2
match qos-group 4
!
policy-map QOS_GROUP_OUT_EXP
class QOS_GROUP
set mpls experimental topmost qos-group
bandwidth percent 40
random-detect
!
interface ethernet 1/0
service-policy output QOS_GROUP_OUT_EXP


On the PHP router, qos-group ensures that the EXP bit values 2 and 4 are copied to the exposed outgoing top label after popping the incoming label.



  • Egress PE


!!! Ingress interface:
!
class-map MPLS_EXP
match mpls experimental topmost 2 4
!
policy-map EXP_IN_QOS_GROUP
class MPLS_EXP
set qos-group mpls experimental topmost
!
interface ethernet 0/0
service-policy input EXP_IN_QOS_GROUP
!
!
!
!!! Egress interface:
!
class-map QOS_GROUP
match qos-group 2
match qos-group 4
!
policy-map SET_TOS_OUT
class QOS_GROUP
set precedence qos-group
bandwidth percent 40
random-detect
!
interface ethernet 3/1
service-policy output SET_TOS_OUT


On the egress PE, copy the EXP bits to the precedence bits by using qos-group.

Default MPLS QoS Behavior in Cisco IOS

In Cisco IOS, the default behavior when imposing one or more labels on an IP packet is to copy the precedence value to the EXP bits of all imposed labels. This is called ToS reflection: the IP precedence is reflected into the EXP field, so by default the packet's QoS marking is carried through unchanged.

MPLS QoS Rule:
  1. By default, in Cisco IOS, the precedence bits (the first three bits of the DSCP field) in the IP header are copied to the EXP bits of all imposed labels at the ingress LSR.
  2. By default, in Cisco IOS, the EXP bits of the incoming top label are copied to the swapped outgoing label and to any label pushed on top of it.
  3. By default, in Cisco IOS, the EXP bits of the incoming top label are not copied to the newly exposed label when the incoming label is popped.
  4. By default, in Cisco IOS, the EXP bits of the incoming top label are not copied to the precedence or DSCP bits when the label stack is removed and the IP header becomes exposed.
  5. When you change the EXP bits through configuration, the EXP bits of labels other than the top label, the swapped label or the imposed labels, and the precedence or DSCP bits in the IP header, remain unchanged.

This means that the QoS value of the IP packet is transported through the MPLS network without change. No matter how many times the EXP bits are changed, by default, the IP precedence or DSCP bits of the IP packet are preserved; the value at the egress LSR is the same as when the IP packet entered the MPLS network.

You can now tunnel the DiffServ value of the IP packet through the MPLS network(hence the name DiffServ Tunneling). The IETF has defined three models to tunnel the DiffServ information. All three models are distinct and have their own merits. Furthermore, the distinction between the three models is only at the edge LSRs. The P routers do not come into play with regard to the different DiffServ tunneling models.

  • Pipe Model
  • Short Pipe Model
  • Uniform Model

Aug 25, 2008

MPLS QoS MQC Command - set mpls experimental 'topmost' vs 'imposition'

The part of MPLS where it is easiest to go round in circles is QoS, because both the MPLS label and the IP header carry fields (EXP and ToS) that can be mapped onto each other, but there may be more than one label, and the default behaviour on ingress and egress interfaces is not always the same.

In Cisco IOS you can use the following two commands to modify the EXP bits of a label:

Router(config-pmap-c)#set mpls experimental topmost
Router(config-pmap-c)#set mpls experimental imposition


The main differences are:

  • set mpls experimental topmost value
  1. set mpls experimental topmost can be used in an input or an output service policy
  2. On an imposition (push) ingress interface it modifies the EXP of that label and of the newly pushed top label
  3. On an imposition (push) egress interface it modifies only the top label's EXP
  4. On a swapping ingress interface it modifies only that label's EXP
  5. On a swapping egress interface it modifies only that label's EXP
  6. On a disposition (pop) ingress interface it modifies only the label about to be popped (so there is no visible change)
  7. On a disposition (pop) egress interface it modifies the top label that is exposed after the pop
  • set mpls experimental imposition value
  1. set mpls experimental imposition can only be used in an input service policy
  2. On an imposition (push) ingress interface it modifies only the newly imposed label's EXP
  3. On a swapping ingress interface nothing is pushed, so it does nothing (no change)
  4. On a disposition (pop) ingress interface it modifies only the label about to be popped (so no change)
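
The five default EXP rules and the three tunneling models from the Aug 26 post above, together with the topmost/imposition distinction in this post, as one added worked model (constructed here; not the blog author's code and not Cisco software): a toy label stack is pushed on an ingress PE, carried through a P router and a penultimate-hop router, and disposed of on the egress PE under each model. The scenario is made up: a packet with IP precedence 4 is policed out of contract at the ingress PE (set-mpls-exp-transmit 2 on both imposed labels), then an output policy on the same PE remarks only the transport label with `set mpls experimental topmost 1`; whether that core remark ever reaches the customer depends on Rule 3 and on which model the egress PE implements.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Packet:
    precedence: int                                   # IP precedence in the customer's IP header
    labels: List[int] = field(default_factory=list)   # EXP per label, index 0 = top of the stack
    qos_group: Optional[int] = None                   # router-internal marking, dropped on exit


def push(pkt: Packet, count: int) -> Packet:
    """Imposition. Rules 1 and 2: every imposed label copies the IP precedence
    (or, if the packet is already labelled, the current top label's EXP)."""
    src = pkt.labels[0] if pkt.labels else pkt.precedence
    pkt.labels = [src] * count + pkt.labels
    return pkt


def swap(pkt: Packet) -> Packet:
    """Rule 2: the swapped-in label inherits the incoming top label's EXP, so nothing changes."""
    return pkt


def pop(pkt: Packet) -> Packet:
    """Rules 3 and 4: the popped label's EXP is copied neither to the newly exposed
    label nor to the IP header."""
    pkt.labels.pop(0)
    return pkt


def set_exp_imposition(pkt: Packet, exp: int, imposed: int) -> Packet:
    """'set mpls experimental imposition' (input policy only): rewrite the EXP of the
    labels this router imposes. Rule 5: the IP precedence underneath stays untouched."""
    pkt.labels[:imposed] = [exp] * imposed
    return pkt


def set_exp_topmost(pkt: Packet, exp: int) -> Packet:
    """'set mpls experimental topmost' (input or output policy): only the top label changes."""
    if pkt.labels:
        pkt.labels[0] = exp
    return pkt


def penultimate_hop(pkt: Packet, copy_exp: bool) -> Packet:
    """PHP router. With copy_exp it applies the qos-group trick from the Uniform
    configuration: 'set qos-group mpls experimental topmost' on input, pop the label,
    'set mpls experimental topmost qos-group' on output. Without it, Rule 3 applies."""
    pkt.qos_group = pkt.labels[0]
    pop(pkt)
    if copy_exp:
        set_exp_topmost(pkt, pkt.qos_group)
    pkt.qos_group = None
    return pkt


def egress_pe(pkt: Packet, model: str) -> Dict[str, int]:
    """Disposition of the last label. Returns the EXP the egress PE saw, the precedence
    the customer ends up with, and the value the egress scheduler classifies on."""
    exp_seen = pkt.labels[0]
    if model == "short-pipe":
        pop(pkt)   # Rule 4: precedence untouched; the class-map matches 'ip precedence'
        return {"exp_at_egress": exp_seen, "precedence": pkt.precedence, "scheduled_on": pkt.precedence}
    pkt.qos_group = exp_seen          # set qos-group mpls experimental topmost (input)
    pop(pkt)
    if model == "uniform":
        pkt.precedence = pkt.qos_group    # set precedence qos-group (output): EXP overwrites precedence
    elif model != "pipe":
        raise ValueError(f"unknown model {model!r}")
    # pipe: schedule on the provider marking but leave the customer's precedence alone
    return {"exp_at_egress": exp_seen, "precedence": pkt.precedence, "scheduled_on": pkt.qos_group}


def run_lsp(model: str, precedence: int = 4, policed_exp: int = 2, core_exp: int = 1,
            php_copies_exp: Optional[bool] = None) -> Dict[str, int]:
    """One customer packet through ingress PE -> P -> PHP -> egress PE (constructed scenario)."""
    if php_copies_exp is None:
        php_copies_exp = model == "uniform"   # only the Uniform configuration on the page does this
    pkt = Packet(precedence)
    push(pkt, 2)                               # VPN label + transport label, both EXP = precedence
    set_exp_imposition(pkt, policed_exp, 2)    # police exceed-action set-mpls-exp-transmit: both imposed labels
    set_exp_topmost(pkt, core_exp)             # output policy on the ingress PE: transport label only
    swap(pkt)                                  # P router
    penultimate_hop(pkt, php_copies_exp)
    return egress_pe(pkt, model)


if __name__ == "__main__":
    for m in ("uniform", "pipe", "short-pipe"):
        print(m, run_lsp(m))
    print("uniform without the PHP qos-group copy:", run_lsp("uniform", php_copies_exp=False))
```

The run shows the three models side by side: Uniform hands the customer precedence 1, because the core remark propagated all the way down; Pipe schedules on EXP 2 but returns precedence 4; Short Pipe never looks at EXP on the way out. The fourth line is Rule 3 in action: without the PHP qos-group copy the transport label's EXP 1 is lost at the pop, and even the Uniform egress PE only sees the VPN label's EXP 2.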

CCIE labs changing from UniversCD to Cisco Documentation

22 AUG 2008: On Sept 24 2008 CCIE labs will no longer support using the UniversCD documentation for the lab exam.

All labs are migrating to Cisco Documentation only. For those scheduled to take the CCIE lab prior to Sept 24 access will still be available for UniversCD.

The Cisco Documentation pages have the same information that currently resides on UniversCD, please refer to the links on the CCIE web pages to view these pages and become familiar with the new format.

After Sept 24 2008 only the Cisco Documentation web pages will be available for CCIE labs.