Posts

Showing posts from October 7, 2007

Frame Relay Local Management Interface

Image
The Local Management Interface (LMI) is a set of enhancements to the basic Frame Relay specification. The LMI was developed in 1990 by Cisco Systems, StrataCom, Northern Telecom, and Digital Equipment Corporation. It offers a number of features (called extensions) for managing complex internetworks. Key Frame Relay LMI extensions include global addressing, virtual circuit status messages, and multicasting.

The LMI global addressing extension gives Frame Relay data-link connection identifier (DLCI) values global rather than local significance. DLCI values become DTE addresses that are unique in the Frame Relay WAN. The global addressing extension adds functionality and manageability to Frame Relay internetworks. Individual network interfaces and the end nodes attached to them, for example, can be identified by using standard address-resolution and discovery techniques. In addition, the entire Frame Relay network appears to be a typical LAN to routers on its periphery.

LMI virtual circuit…

Cisco EtherChannel Technology

Image
Cisco EtherChannel Technology
Introduction

The increasing deployment of switched Ethernet to the desktop can be attributed to the proliferation of bandwidth-intensive intranet applications. Any-to-any communications of new intranet applications such as video to the desktop, interactive messaging, and collaborative white-boarding are increasing the need for scalable bandwidth within the core and at the edge of campus networks. At the same time, mission-critical applications call for resilient network designs. With the wide deployment of faster switched Ethernet links in the campus, users need to either aggregate their existing resources or upgrade the speed in their uplinks and core to scale performance across the network backbone.

Cisco EtherChannel® technology builds upon standards-based 802.3 full-duplex Fast Ethernet to provide network managers with a reliable, high-speed solution for the campus network backbone. EtherChannel technology provides bandwidth scalability within the camp…

Operation of Multicast Source Discovery Protocol (MSDP)

Image
這份文章的來源,如果各位曾經很認真讀過書的話,可能有印象,這是一個可以線上閱讀書本內容的網站,而我所摘錄的內容就是來自於Routing TCP IP Volume II CCIE Professional Development,這一個關於MSDP的說明我想對各位都蠻重要的,因為大部份的人都沒有使用過MSDP的經驗,但是如果要準備SP CCIE的Candidates就不得不認真學習一下了!

...(略)

Operation of Multicast Source Discovery Protocol (MSDP)

The purpose of MSDP is, as the name states, to discover multicast sources in other PIM domains. The advantage of running MSDP is that your own RPs exchange source information with RPs in other domains; your group members do not have to be directly dependent on another domain's RP.

NOTE

You will see in some subsequent case studies how MSDP can prove useful for sharing source information within a single domain, too.

MSDP uses TCP (port 639) for its peering connections. As with BGP, using point-to-point TCP peering means that each peer must be explicitly configured. When a PIM DR registers a source with its RP as illustrated in Figure 7-8. the RP sends a Source Active (SA) message to all of its MSDP peers.

Figure 7-8. RPs Advertise Sou…

Deploying Control Plane Policing

Image
PROTECTING THE ROUTE PROCESSOR

A router can be logically divided into four functional components or planes:
1. Data Plane
2. Management Plane
3. Control Plane
4. Services Plane

The vast majority of traffic travels through the router via the data plane; however, the Route Processor must handle certain packets, such as routing updates, keepalives, and network management. This is often referred to as control and management plane traffic.

Because the Route Processor is critical to network operations, any service disruption to the Route Processor or the control and management planes can result in business-impacting network outages. A DoS attack targeting the Route Processor, which can be perpetrated either inadvertently or maliciously, typically involves high rates of punted traffic that result in excessive CPU utilization on the Route Processor itself. This type of attack, which can be devastating to network stability and availability, may display the following symptoms:

• High Route Processor CP…

MPLS FAQ For Beginners

...(略)

Q. What protocol and port numbers do LDP and TDP use to distribute labels to LDP/TDP peers?

A. LDP uses TCP port 646, and TDP uses TCP port 711. These ports are opened on the router interface only when mpls ip is configured on the interface. The use of TCP as a transport protocol results in reliable delivery of LDP/TDP information with robust flow control and congestion handling mechanisms.

...(略)

CISCO IOS NETFLOW OVERVIEW

說真的,在我尋找重點的同時,我深深地覺得CCIE出題目的考官已經幾近瘋狂,各位可以發現我現在找到的相關資料已經幾乎都不在Cisco Press的書籍範圍內,而是來自於各時期Cisco Seminar PPT/PDF或Document CD中的某段文字內容,也就是說如果你沒有考古題也沒有看額外的Cisco Tech PowerPoint Slide,那有很大的機會是你從來沒有看過的題目及答案內容(就算有看過也記不得這麼清楚吧…),我想這也是為什麼考古題市場會這麼大的原因,不看考古題去應考那就是跟"錢"過不去,因為這已經不是考驗實力了…,追根究底還是因為出題目的人員並沒有花心思設計題目來考驗應考者的實力,而是從五花八門的Tech Material中直接Copy & Paste,這也難怪CCIE Written常常題目跟答案牛頭不對馬嘴…花了很多時間整理順便發發牢騷,請包涵~

Cisco IOS NetFlow Origination

• Developed and patented at Cisco® Systems in 1996
• NetFlow is now the primary network accounting technology in the industry
Answers questions regarding IP traffic: who, what, where, when, and how
• Provides a detailed view of network behavior

...(略)

NetFlow Principles

• Inbound traffic only today
• Unidirectional flow
Accounts for both transit traffic and traffic destined for the router
• Works with Cisco Express Forwarding or fast switching
=> Not a switching path
• Supported on all interfaces and Cisco IOS Software hardware products
Returns the sub-interface …

Cisco IP/MPLS Interprovider Solution Deployment Overview

Image
...(略)

Inter-AS/Interprovider specification in RFC2547bis

IETF, RFC2547bis, Paragraph 10 :
.10A: Simple IP interconnect: The other network looks like a CE for each cross-SP VPN

.10B: Trusted MPLS interconnect: One logical connection for all VPN’s but VPN routes still have to be maintained on provider border routers

.10C: Trusted and even more scalable MPLS interconnect: Provider border routers don’t have to maintain VPN routes










...(略)

Autonomous system interconnect using content identification and validation

...(略)

[0010] The industry has standardized on a few Inter-Autonomous System (AS) models that the service providers may deploy. The current industry standards for Inter-AS solutions include the models defined as 10a, 10b, and 10c.

[0011] The first model defined and deployed by many service providers is the 10a model. The 10a model requires the provider to build on their ASBR a VRF per VPN, a unique peering interface per VRF, and a unique routing process per VRF. The peer ASBR does the same …

MPLS VPN - Route Target Rewrite

Image
The MPLS VPN—Route Target Rewrite feature allows the replacement of route targets on incoming and outgoing Border Gateway Protocol (BGP) updates. Typically, Autonomous System Border Routers (ASBRs) perform the replacement of route targets at autonomous system boundaries. Route Reflectors (RRs) and provider edge (PE) routers can also perform route target replacement.

The main advantage of the MPLS VPN - Route Target Rewrite feature is that it keeps the administration of routing policy local to the autonomous system.

Prerequisites for MPLS VPN - Route Target Rewrite

The MPLS VPN - Route Target Rewrite feature requires the following:

•You should know how to configure Multiprotocol Virtual Private Networks (MPLS VPNs).

•You need to configure your network to support interautonomous systems (Inter-autonomous system) with different route target (RT) values in each autonomous system.

•You need to identify the RT replacement policy and target router for each autonomous system.

Restrictions for MPLS …

Using IS-IS ATT-Bit Control Feature

Image
Using the IS-IS Attach-Bit
Control Feature


Introduction

In Intermediate System-to-Intermediate System (IS-IS) networks, routing inter-area traffic from Layer 1 areas is accomplished by sending the traffic to the nearest Layer 1/Layer 2 router.A Layer 1/Layer 2 router identifies itself by setting an attach-bit (ATT-bit) in its Layer 1 link-state packet (LSP). In some situations, however, it might not be desirable to set the ATT-bit. For example, if there are multiple Layer 1/Layer 2 routers within a Layer 1 area and one of the Layer 1/Layer 2 routers loses its backbone connection, continuing to send inter-area traffic to this Layer 1/Layer 2 router can cause the traffic to be dropped. Cisco IOS® Software now introduces a new capability to allow network administrators to control when a Layer 1/Layer 2 router should set the ATT bit and avert dropped traffic.

Overview

In networks running hierarchical routing protocols—IS-IS or Open Shortest Path First (OSPF) Protocol, for example—it is bene…

Selective Packet Discard(SPD)

Selective Packet Discard

• When a link goes to a saturated state, you will drop packets. The problem is that you will drop any type of packets – Including your routing protocols.

• Selective Packet Discard (SPD) will attempt to drop non-routing packets instead of routing packets when the link is overloaded.

ip spd enable

• Enabled by default from 11.2(5)P and later releases, available option in 11.1CA/CC.

A standardized way for mapping IP Packets into SONET/SDH payloads

...(略)

How does it work?

The layer 2 protocol used by POS technology offers astandarized way for mapping IP packets into SONET/SDH payloads.

1. Data is first segmented into an IP datagram that includes a 20-byte IP header.

2. This datagram is encapsulated via Point-to-Point Protocol (PPP) packets and framing information is added with High-level Data Link Control (HDLC) – framing.

3. Gaps between frames are filled withflags, set to value 7E.

4. Octet stuffing occurs if any flags or resultant escape characters (of value 7D) are found in the data.

5. The resulting data is scrambled, and mapped synchronously by octet into the SONET/SDH frame.



POS is defined by the Internet Engineering Task Force (IETF) in the following ‘Request For Comment’(RFC) documents:

RFC-1661 The Point-to-Point Protocol (PPP)
RFC-1662 PPP in HDLC framing
RFC-2615 PPP over SONET/SDHA standardized way for mapping IP Packets into SONET/SDH payloads

...(略)

802.1q Tunneling

802.1q Tunneling

One of the enterprise's business requirements can entail sending multiple VLANs across the service provider's Metro Ethernet network. The enterprise can accomplish this via 802.1q tunneling, also known as QinQ. This chapter uses both names interchangeably.

802.1q tunneling is a tunneling mechanism that service providers can use to provide secure Ethernet VPN services to their customers. Ethernet VPNs using QinQ are possible because of the two-level VLAN tag scheme that QinQ uses. The outer VLAN tag is referred to as the service provider VLAN and uniquely identifies a given customer within the network of the service provider. The inner VLAN tag is referred to as the customer VLAN tag because the customer assigns it.

QinQ's use of double VLAN tags is similar to the label stack used in MPLS to enable Layer 3 VPNs and Layer 2 VPNs. It is also possible for multiple customer VLANs to be tagged using the same outer or service provider VLAN tag, thereby trunking mult…

BGP Best Practices for ISPs(RFC 2827/BCP 38)

…(略)

RFC 2827/BCP 38

Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing

"Thou shalt only sendth and receiveth IP packets you have rights for"

Packets should be sourced from valid, allocated address space, consistent with the topology and space allocation

Guidelines for BCP38

Networks connecting to the Internet
=>Must use inbound and outbound packet filters to protect network

Configuration example:
=>Outbound—only allow my network source addresses out
=>Inbound—only allow specific ports to specific destinations in

Techniques for BCP 38 Filtering
.Static ACLs on the edge of the network
.Dynamic ACLs with AAA profiles
.Unicast RPF strict mode
.IP source guard
.Cable source verify (DHCP)

Using ACLs to Enforce BCP38

Static ACLs are the traditional method of
ensuring that source addresses are not
spoofed:

.Permit all traffic whose source address equals the allocation block
.Deny any other packet

Principles:
.Filter as close to the edge as poss…

RFC3931 - Layer Two Tunneling Protocol - Version 3 (L2TPv3)

...(略)

1. Introduction


The Layer Two Tunneling Protocol (L2TP) provides a dynamic mechanism for tunneling Layer 2 (L2) "circuits" across a packet-oriented data network (e.g., over IP). L2TP, as originally defined in RFC 2661, is a standard method for tunneling Point-to-Point Protocol (PPP) [RFC1661] sessions. L2TP has since been adopted for tunneling a number of other L2 protocols. In order to provide greater modularity, this document describes the base L2TP protocol, independent of the L2 payload that is being tunneled.
The base L2TP protocol defined in this document consists of (1) the control protocol for dynamic creation, maintenance, and teardown of L2TP sessions, and (2) the L2TP data encapsulation to multiplex and demultiplex L2 data streams between two L2TP nodes across an IP network. Additional documents are expected to be published for each L2 data link emulation type (a.k.a. pseudowire-type) supported by L2TP (i.e., PPP, Ethernet, Frame Relay, etc.). These documents …

Cisco IOS MPLS Virtual Private LAN Service(VPLS): Q&A

Image
Cisco IOS MPLS
Virtual Private LAN Service


Q. What is VPLS?

A. VPLS stands for Virtual Private LAN Service, and is a VPN technology that enables Ethernet multipoint services (EMSs) over a packet-switched network infrastructure. VPN users get an emulated LAN segment that offers a Layer 2 broadcast domain. The end user perceives the service as a virtual private Ethernet switch that forwards frames to their respective destinations within the VPN. Ethernet is the technology of choice for LANs due to its relative low cost and simplicity. Ethernet has also gained recent popularity as a metropolitan-area network (MAN or metro) technology.

VPLS helps extend the reach of Ethernet further to be used as a WAN technology. Other technologies also enable Ethernet across the WAN, Ethernet over Multiprotocol Label Switching (MPLS), Ethernet over SONET/SDH, Ethernet bridging over ATM, and ATM LAN emulation (LANE). However, they only provide point-to-point connectivity and their mass deployment is limite…

Understanding IS-IS Pseudonode LSP

Image
Introduction

This Tech Note describes the line-state packet (LSP) pseudonode. A pseudonode is a logical representation of the LAN which is generated by a Designated Intermediate System (DIS) on a LAN segment. The document also describes the propagation of information to the routers.

What is the DIS?

On broadcast multi-access networks, a single router is elected as the DIS. There is no backup DIS elected. The DIS is the router that creates the pseudonode and acts on behalf of the pseudonode.

The DIS

There are two major tasks performed by the DIS:

.Creating and updating pseudonode LSP for reporting links to all systems on the broadcast subnetwork. See the Pseudenode LSP section for more information.
.Flooding LSPs over the LAN.

The flooding over the LAN means that the DIS sends periodic complete sequence number protocol data units (CSNPs) (default setting of 10 seconds) summarizing the following information:

.LSP ID
.Sequence Number
.Checksum
.Remaining Lifetime

The DIS is responsible for flooding. …

Configuring Redundancy for POS / APS

...(略)

K1/K2 Bytes
When you discuss APS, you first need to understand how SONET uses K1/K2 bytes in the LOH.

The K1/K2 bytes form a 16-bit field. Table 2 lists the usage of each bit.

Table 2 – K1 Bit Descriptions

Bits 5 through 8
nnnn: Channel number associated with the command code.
1111 (0xF): Lockout of protection request.
1110 (0xE): Forced switch request.
1101 (0xD): SF - high priority request.
1100 (0xC): SF - low priority request.
1011 (0xB): SD - high priority request.
1010 (0xA): SD - low priority request.

1001 (0x9): Not used.
1000 (0x8): Manual switch request.
0111 (0x7): Not used.
0110 (0x6): Wait to restore request.
0101 (0x5): Not used.
0100 (0x4): Exercise request.
0011 (0x3): Not used.
0010 (0x2): Reverse request.
0001 (0x1): Do not revert request.
0000 (0x0): No request.

Note: Bit 1 is the low-order bit.

...(略)

MPLS Basic Traffic Engineering Using OSPF Configuration Example

Image
Introduction

This document provides a sample configuration for implementing traffic engineering (TE) on top of an existing Multiprotocol Label Switching (MPLS) network using Frame Relay and Open Shortest Path First (OSPF). Our example implements two dynamic tunnels (automatically set up by the ingress Label Switch Routers [LSR]) and two tunnels that use explicit paths.

TE is a generic name corresponding to the use of different technologies to optimize the utilization of a given backbone capacity and topology.

MPLS TE provides a way to integrate TE capabilities (such as those used on Layer 2 protocols like ATM) into Layer 3 protocols (IP). MPLS TE uses an extension to existing protocols (Intermediate System-to-Intermediate System (IS-IS), Resource Reservation Protocol (RSVP), OSPF) to calculate and establish unidirectional tunnels that are set according to the network constraint. Traffic flows are mapped on the different tunnels depending on their destination.

Functional Components

IP tunne…

Remote Triggering Black Hole Filtering(RTBH)

Image
INTRODUCTION

Black hole filtering is a flexible ISP Security tool that will route packets to Null0 (i.e.black holed). The Cisco ISP Essentials book covers the fundamentals of the singlerouter based black hole routing technique. It does not cover the remote triggered black hole routing technique. Remote triggering via iBGP allows ISPs to active anetwork wide destination based black hole throughout their network. This techniqueis especially useful in some of the new ISP security classification, traceback, and reaction techniques. This supplement reviews, enhances, and adds to what is already in the book.

BLACK HOLE ROUTING AS A PACKET FILTER (FORWARDING TO NULL0)

Forwarding packets to Null 0 is a common way to filter packets to a specific destination. These are often done by creating specific static host routes and point them to the pseudo interface Null0. This technique commonly refereed as black hole routing or black hole filtering. Null0 is a pseudo-interface, which functions similarly …