
Showing posts from August 24, 2008

Bootstrap Router

The Bootstrap Router (BSR) capability was added in PIM version 2. It automates and simplifies the Auto-RP process. It is enabled by default in Cisco IOS releases supporting PIMv2.

There are interoperability and design issues with PIM v1. See the Configuration Guide for more advice on this. The short form of the advice is to set up your BSR to also be the Auto-RP mapping agent and make sure all RPs run PIMv2; then the PIM versions can interoperate. We'll assume you have upgraded your routers and all are running PIM v2. This means you'll have one active RP per multicast group, compared to several for the same group in PIMv1. You configure sparse-dense-mode on interfaces, since Sparse or Dense are now properties of a multicast group, not of an interface.

PIMv1 plus Auto-RP does the same tasks as BSR. But Auto-RP is Cisco proprietary, whereas PIMv2 with BSR is an IETF standards track protocol, which means it should interoperate with routers from other vendors.

To use Bootstrap Rout…

Auto-RP

Auto-RP automatically distributes information to routers about which RP address serves which multicast groups. It simplifies the use of multiple RPs for different multicast group ranges. It avoids manual configuration inconsistencies, and allows multiple RPs to act as backups for each other. Cisco routers automatically listen for this information.

Auto-RP relies on a router designated as RP mapping agent. Potential RP's announce themselves to the mapping agent, and it resolves any conflicts. The mapping agent then sends out the multicast group-RP mapping information to the other routers.

How does it do this? It uses multicast to send the mapping information to the other routers! The specific groups used are 224.0.1.39 and 224.0.1.40. The first (.39) is used to advertise, the second (.40) is used for discovery. Of course, there's a chicken-and-egg problem there: how can you send out multicast information via multicast if the Auto-RP information is needed to make PIM-SM w…

ip pim autorp listener

Few people probably know this command; unless you have been preparing for the CCIE Lab for a while, you would rarely use this feature in daily work. It took me quite some effort to understand it. The most important function of this command is that it lets interfaces which only support sparse/bidirectional/SSM mode flood Auto-RP information in dense-mode fashion. If a lab task requires Auto-RP but forbids ip pim sparse-dense-mode, remember that this command exists!

To cause IP multicast traffic for the two Auto-RP groups 224.0.1.39 and 224.0.1.40 to be Protocol Independent Multicast (PIM) dense mode flooded across interfaces operating in PIM sparse mode, use the ip pim autorp listener command in global configuration mode. To disable this feature, use the no form of this command.

Usage Guidelines
Use the ip pim autorp listener command with interfaces configured for PIM sparse mode operation in order to establish a network configuration where Auto-RP operates in PIM dense mode and multicast traffic can operate in sparse mode, bidirectional mode, or source specific multicast (SSM) mode.

Examples
The following example enables IP multicast routing and the Auto-RP listener feature on a router. It also configures the router as a Candidate RP…

Syslog Rate Limit

Configure the router's syslog so that if more than 10 packets are waiting before a log message is generated, they are rejected; additional log messages are generated no more often than once every two seconds.

Router(config)#ip access-list logging interval 2
Router(config)#ip access-list log-update threshold 10

MPLS L2 VPN - Any to Any Interworking

The L2 VPN Interworking feature supports Ethernet, 802.1Q (VLAN), Frame Relay, ATM AAL5, and PPP attachment circuits over MPLS.

The L2 VPN Interworking function is implemented in two modes.


Bridged Interworking Mode

In bridged interworking mode, Ethernet frames are extracted from the AC and sent over the pseudo wire. AC frames that are not Ethernet are dropped. In the case of a VLAN, the VLAN tag is removed, leaving an untagged Ethernet frame. This interworking functionality is implemented by configuring the interworking ethernet command under the pseudo-wire class configuration mode.


Routed Interworking Mode

In routed interworking mode, IP packets are extracted from the AC and sent over the pseudo wire. AC frames are dropped if they do not contain IPv4 packets. This interworking functionality is implemented by configuring the interworking ip command under the pseudo-wire class configuration mode.


Configuring Layer 2 VPN Interworking

Ethernet to VLAN Interworking

CE1:
interface ethernet0/0
ip a…

The Golden Combination for Unearthing Your Abilities

This article is excerpted from: Business Weekly (商業周刊), issue 1083
Author: 曠文琪

When seniority, expertise, and the "iron rice bowl" can no longer be trusted, are you still coping by learning more skills or switching to a hot industry? From today on, what you need is the power to be employable for life.


Are you a professional? Do you think that being professional enough means you can live a lifetime without worries? If your answer is "yes", consider the following question:

If your industry suddenly underwent a major upheaval and you faced layoffs today without warning, could you find, within three months, a job with pay and conditions as satisfying as your current ones?

If you are not sure, take a moment to think about the recent trends in the job market: industries are changing faster than before, and professionals face a higher risk of unemployment than in the past.

A new crisis! Even expertise is no use: white-collar jobs vanish into thin air, and iron rice bowls lose their shine overnight

In the United States, "people working on Wall Street seem to have disappeared overnight." The New York Times reported that in the first half of this year more than 66,000 financial professionals were laid off. In Taiwan, over a thousand Far Eastern Air Transport employees lost their jobs overnight; the China Times held a meeting on July 17 and decided to lay off as many as 430 people.

Securities analysts, bank managers, flight attendants and pilots... these jobs that everyone once regarded as iron rice bowls are no longer easy to hold on to. According to the US Bureau of Labor Statistics (BLS), from 2006 to 2016 the jobs disappearing in the greatest numbers in the United States include securities traders, a role requiring deep financial expertise, with the number possibly reaching 130,000, even more than file clerks or telemarketers.

"The résumés I have on hand right now are mostly from bank managers and IT staff," says 許書揚, general manager of 經緯智庫. As more and more companies in Taiwan close their IT departments for cost reasons and outsource to mainland China and India, "even expertise is useless, because the jobs simply vanish."

Long tenure does not help either. 許書揚 cites the example of an HR manager who had spent ten years in manufacturing and wanted to move into the service industry but was turned away: "someone who stays too long in one field may have little desire to change." An assistant accounting manager who had served fifteen years at a large foreign company could not find a job for six months after leaving, the reason being that "the company was large and finely divided; he could only handle one detail, accounts receivable. It sounds good to call it specialization, but he had no capacity for solving problems."

What can you do? You need "employability": where interest and trends intersect, there is never a shortage of work

Competitiveness in the workplace is being rewritten!

Expertise has not stepped aside, but being highly professional is not enough; you also need employability.

What is employability? The Organisation for Economic Co-operation and Development (OECD) states plainly that it is one of the capabilities young people will need in the future. British scholar Lee Harvey, who has researched employability for more than ten years, argues that its essence is the ability to sustainably realize oneself, not merely the ability to hold a job. In his view, core employability in the new era includes attitude, personal qualities, career management, and self-marketing ability.

"In the past, we all looked only at the external O…

Multicast in MPLS Backbone Case Study

Assume R1(PE)-R2(PE)-R3(P)-R4(PE) are the backbone routers of MPLS backbone AS200; R5 (CE to R4), R6 (CE to R1), R7 (C) and R8 (C) are AS100 CE routers; R9 (to R2) is an AS9 CE router.

Step 1. Enable multicast on R1, R2, R3 and R4 in AS200 to provide MDT transit for MPLS VPN customers. No shared multicast tree will be used; PIM joins will always be in (S,G) form.

R1:

ip multicast-routing
ip pim ssm default
!
interface S0/0
! Connect to R2(PE)
ip pim sparse-mode

R2:
ip multicast-routing
ip pim ssm default
!
interface S0/0
! Connect to R1(PE)
ip pim sparse-mode
!
interface S0/1
! Connect to R3(PE)
ip pim sparse-mode

R3:
ip multicast-routing
ip pim ssm default
!
interface S0/0
! Connect to R2(PE)
ip pim sparse-mode
!
interface S0/1
! Connect to R4(PE)
ip pim sparse-mode

R4:
ip multicast-routing
ip pim ssm default
!
interface S0/0
! Connect to R3(PE)
ip pim sparse-mode

Step 2. Enable multicast on AS100 routers R5, R6, R7 and R8, run PIMv2 between these routers, and have R5 announce itself as the Rendezvous Point (RP) for these routers.

R5:

ip multicast-routing
!
interface Ethernet0/0
! Connect to R4(PE)
ip pim sparse-mode
!
interface Ethernet0/1
! Connect to R7(C)
ip pim sparse-mode
!
ip pim bsr-…

Using Wildcards to Filter Odd/Even IP Conditions

In R/S and S/P labs you are often asked questions like "only accept EVEN networks" or "only allow IP addresses whose fourth octet is an ODD number". Such questions are really testing whether candidates understand how wildcards are applied.

Generally, wildcards are most often used in the network command of a routing process or in an access-list to express a range. For example:


Router(config)#router ospf 1
Router(config-router)#network 10.1.1.0 0.0.0.255 area 0

A command like this means that any active interface on this router whose IP address falls within 10.1.1.0/255.255.255.0 (10.1.1.0~10.1.1.255) becomes an OSPF interface and actively sends hello packets for neighbor discovery (224.0.0.5/224.0.0.6).

The definition of a wildcard is exactly the bitwise opposite of a mask, which is why a wildcard is also called an inverse mask. This is the common way we use wildcards: directly convert the network mask, turning the 0s in the mask into 1s and the 1s into 0s.

But the use of wildcards does not stop there, because the formal definition of a wildcard is:
When the first bit of the 32-bit wildcard is 0, the first bit of every matching IP/network must be identical to the first bit of the configured IP/network; when the first bit of the 32-bit wildcard is 1, the first bit of the matching IP/network is ignored, whether it is 0 or 1. The same rule applies to each of the remaining 31 bits.

So let's look at how to use a wildcard to filter odd IP addresses:
Suppose we want to permit all odd IP addresses in the 192.168.1.0/24 subnet. It is clear that the first three decimal numbers of every matching address must be the same, while the last number is 1, 3, 5, ..., 255. When we convert these matching numbers to binary:

1100 0000.1010 1000.0000 0001.0000 0001(192.168…
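The bit rule above can be checked mechanically. The following Python script is an added example (not code from the original post): it implements the formal wildcard definition, the everyday mask inversion, and a generalized builder for "parity" entries that covers both the odd/even host case from the post and the odd/even network case (for example, even /24 networks inside a /16). The sample networks 192.168.1.0/24 and 10.1.0.0/16 are taken from or modelled on the post; the bit-number convention is my own.

```python
# Wildcard (inverse mask) matching and the odd/even address trick.
# Added example; not code from the original post.
import ipaddress
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def invert_mask(mask: str) -> str:
    """The everyday usage: a wildcard is the bitwise inverse of the subnet mask."""
    return to_dotted(to_int(mask) ^ ALL_ONES)


def wildcard_match(candidate: str, base: str, wildcard: str) -> bool:
    """The formal definition: where a wildcard bit is 0 the candidate bit must
    equal the base bit; where it is 1 the candidate bit is ignored."""
    care = to_int(wildcard) ^ ALL_ONES          # 1 = must match, 0 = don't care
    return (to_int(candidate) & care) == (to_int(base) & care)


def parity_entry(network: str, prefix: int, bit: int, odd: bool) -> Tuple[str, str]:
    """Build the (base, wildcard) pair that matches addresses inside
    network/prefix whose bit number `bit` is 1 (odd) or 0 (even).
    Bit 0 is the lowest bit of the fourth octet (odd/even host), bit 8 is the
    lowest bit of the third octet (odd/even /24 network), and so on.
    The wildcard ignores every other bit below the prefix length."""
    net = ipaddress.IPv4Network(f"{network}/{prefix}", strict=False)
    care_bit = 1 << bit
    wildcard = int(net.hostmask) & (care_bit ^ ALL_ONES)   # host bits minus the parity bit
    base = int(net.network_address) | (care_bit if odd else 0)
    return to_dotted(base), to_dotted(wildcard)


def matching_addresses(network: str, prefix: int, bit: int, odd: bool) -> List[str]:
    """Enumerate every address in network/prefix that the parity entry matches."""
    base, wildcard = parity_entry(network, prefix, bit, odd)
    net = ipaddress.IPv4Network(f"{network}/{prefix}", strict=False)
    return [str(a) for a in net if wildcard_match(str(a), base, wildcard)]


if __name__ == "__main__":
    print(invert_mask("255.255.255.0"))                        # 0.0.0.255
    print(parity_entry("192.168.1.0", 24, 0, True))            # ('192.168.1.1', '0.0.0.254')
    print(parity_entry("10.1.0.0", 16, 8, False))              # ('10.1.0.0', '0.0.254.255')
    print(len(matching_addresses("192.168.1.0", 24, 0, True))) # 128
```

For the post's task the entry comes out as base 192.168.1.1 with wildcard 0.0.0.254: the last wildcard bit is 0, so the candidate's last bit must be 1 as in the base, while the other seven host bits are ignored. Enumerating the /24 confirms that exactly the 128 odd addresses match, which is the check worth running before committing such an entry to an ACL, since a wrong base bit silently flips the filter to the even set.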

MPLS LDP Access-List for QoS

MPLS QoS control configurations often require raising the priority of, or reserving bandwidth for, MPLS LDP traffic, so I list this sample ACL here for reference. What is special is that LDP floods discovery using UDP sent to the multicast address 224.0.0.2 (all routers), with both source and destination port 646; it then uses TCP port 646 to establish the LDP session:
Router(config)#ip access-list extended LDP
Router(config-ext-nacl)#permit udp any eq 646 host 224.0.0.2 eq 646
Router(config-ext-nacl)#permit tcp any any eq 646
Router(config-ext-nacl)#permit tcp any eq 646 any

Also note that LDP neighbors use the loopback interface as the source interface by default, so if the "mpls ldp discovery transport-address" command is configured between two routers, the directly connected interface is used as the source interface instead, and the ACL must be written with that in mind.

For example, suppose two routers R1 and R2 establish an MPLS LDP neighborship over a directly connected Ethernet link, but we do not want any other router to be able to join, so we configure an ACL that only permits R1 and R2 to exchange MPLS LDP with each other.

R1
interface loopback 0
ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
mpls ldp discovery transport-address interface
ip access-group LDP in
!
ip access-list extended LDP
permit udp host 10.1.1.2 eq 646 host 224.0.0.2 eq 646
permit…
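To see what the two ACL styles from this post actually admit and block, here is an added Python example (not code from the original post) that parses extended-ACL lines of the form used above and evaluates them, first-match wins with the implicit deny at the end, against constructed packets as they would arrive inbound on R1's Ethernet0/0. The open ACL is the one listed at the top of the post; the neighbor-locked ACL is my own construction in the spirit of the R1 snippet (only the UDP hello line is on the page; the two TCP lines are an assumption), and the addresses 10.1.1.1/10.1.1.2 come from the R1 configuration while 10.1.1.9 is a constructed third host.

```python
# Extended-ACL evaluation for LDP traffic. Added example; the open ACL text is
# from the post, the locked ACL's TCP lines and all packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: str
    swild: str
    sport: Optional[int]    # None = any source port
    dst: str
    dwild: str
    dport: Optional[int]    # None = any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any' | 'host A' | 'A W' and return (base, wildcard, next index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> List[Entry]:
    """Parse 'permit/deny <proto> <src> [eq p] <dst> [eq p]' lines; other lines
    (the 'ip access-list extended' header, blanks) are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        src, swild, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, dwild, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        entries.append(Entry(tokens[0], tokens[1], src, swild, sport, dst, dwild, dport))
    return entries


def _addr_match(addr: str, base: str, wildcard: str) -> bool:
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry decides; an extended ACL ends with an implicit deny."""
    for e in acl:
        if e.proto != pkt.proto:
            continue
        if not _addr_match(pkt.src, e.src, e.swild) or not _addr_match(pkt.dst, e.dst, e.dwild):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


OPEN_ACL = parse_acl("""
ip access-list extended LDP
 permit udp any eq 646 host 224.0.0.2 eq 646
 permit tcp any any eq 646
 permit tcp any eq 646 any
""")

# Constructed neighbor-locked variant: only R2 (10.1.1.2) may send hellos or
# hold a session with R1 (10.1.1.1) when both use the link address as transport.
LOCKED_ACL = parse_acl("""
ip access-list extended LDP
 permit udp host 10.1.1.2 eq 646 host 224.0.0.2 eq 646
 permit tcp host 10.1.1.2 host 10.1.1.1 eq 646
 permit tcp host 10.1.1.2 eq 646 host 10.1.1.1
""")

SAMPLES: Dict[str, Packet] = {   # constructed packets, inbound on R1 Ethernet0/0
    "hello_from_r2":         Packet("udp", "10.1.1.2", 646,   "224.0.0.2", 646),
    "session_from_r2":       Packet("tcp", "10.1.1.2", 40000, "10.1.1.1",  646),
    "session_reply_from_r2": Packet("tcp", "10.1.1.2", 646,   "10.1.1.1",  40000),
    "hello_from_rogue":      Packet("udp", "10.1.1.9", 646,   "224.0.0.2", 646),
    "telnet_from_r2":        Packet("tcp", "10.1.1.2", 40001, "10.1.1.1",  23),
}


def classify(acl: List[Entry]) -> Dict[str, str]:
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}
```

Running classify(OPEN_ACL) shows the QoS-style ACL admitting the rogue hello, as intended for a class-map but not for an interface filter, while classify(LOCKED_ACL) admits only R2. The telnet sample is the caveat the post hints at: an inbound interface ACL ends in an implicit deny, so the locked list as written also drops every non-LDP packet arriving on Ethernet0/0, and a real deployment would add permits for the other traffic that link must carry.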

Frame-Relay Traffic Shaping

Configuring FRTS (Frame Relay Traffic Shaping) in a Frame Relay network is a key topic common to both the R/S and S/P labs; what is special is that you have to configure a map-class. The hardest part of such a task is not the configuration commands but understanding the hints in the task wording (Cisco does not tell you which method to use; it only tells you which method you may not use, to constrain your direction).
(1) Suppose the task asks you to limit the rate on a frame-relay interface to 10 Mbps, but if more than 20 packets are queued waiting for transmission, the router should lower the rate limit to 8 Mbps. Refer to the following configuration:
Router(config)#map-class frame-relay FRTS
Router(config-map-class)#frame-relay cir 10000000
Router(config-map-class)#frame-relay mincir 8000000
Router(config-map-class)#frame-relay adaptive-shaping interface-congestion 20
!
Router(config)#interface serial0/0
Router(config-if)#frame-relay class FRTS
Router(config-if)#frame-relay traffic-shaping
(2) What if, under the same conditions, the task does not allow you to use the frame-relay traffic-shaping command? This is the CCIE Lab's favorite direction for exam questions, so when practicing labs be sure to give the same task different assumptions and ask yourself whether there are other solutions besides the one you already know. The other approach is to configure shaping with MQC commands (assuming Tc = 50 ms):
Router(config)#policy-map FRTS
Router(config-pmap)#class class-default
Router(config-pmap-c)#shape average 10000000 500000 1000000
Router(config-pmap-c)#shape adaptive 8000000
!
Router(config)#int S0…

Menu Configuration in IOS for SP CCIE Lab

I've been reading a workbook recently and really feel the CCIE Lab is at the cutting edge (because most people don't use these techniques...). One very special task not only tests how to configure a menu but also tests the candidate's familiarity with the commands (each option must execute one command). I personally think it is a very suitable direction for CCIE Lab questions: the configuration itself is not hard, but if you have never configured it, it is not easy to find the solution on the DocumentCD during the exam, so I list the sample config here for reference.

Suppose ISP ABC wants to grant a VPN account permission to connect to the PE router so that site XYZ can perform remote troubleshooting. For easier control, and to guide XYZ's network administrators in running the relevant commands, ABC configures a menu on the PE router that is invoked automatically when the VPN account logs in, for the customer's use.

The menu provides the following functions:
Option 1 should display the IP routing table for VRF XYZ
Option 2 should display the BGP table for VRF XYZ
Option 3 should display the MPLS forwarding table for VRF XYZ
Option 4 should display the BGP learned labels for VRF XYZ
Option 5 should provide an exit item out of the command line

username VPN privilege 15 password 0 CISCO
username VPN autocommand menu VPNMENU
!
menu VPNMENU title #
Menu for MPLS VPN Customer - XYZ Remote Administration
#
menu VPNMENU text 1. View VPN Routing Table
menu VPNMENU command 1. show ip route vrf XYZ
menu VPNMENU text 2. View VPN BGP Table
menu VPNMENU command 2. show ip bgp vpnv4 vrf XYZ
menu VPNMENU text 3. Vi…

Implementing the DiffServ Tunneling Models in Cisco IOS - Short Pipe Model

MPLS DiffServ Short Pipe Model
Egress PE
!!! Egress interface:
!
class-map TOS
match ip precedence 2 4
!
policy-map TOS_OUT_QOS
class TOS
bandwidth percent 40
random-detect precedence-based
!
interface ethernet 0/0
service-policy output TOS_OUT_QOS

Implementing the DiffServ Tunneling Models in Cisco IOS - Pipe Model

MPLS DiffServ Pipe Model

For the Pipe and Short Pipe DiffServ Model, however, the ingress PE can change the EXP bits according to the policy of the service provider.

Egress PE
!!! Ingress interface:
!
class-map MPLS_EXP
match mpls experimental topmost 2 4
!
policy-map EXP_IN_QOS_GROUP
class MPLS_EXP
set qos-group mpls experimental topmost
!
interface ethernet 0/0
service-policy input EXP_IN_QOS_GROUP
!
!
!
!!! Egress interface:
!
class-map QOS_GROUP
match qos-group 2
match qos-group 4
!
policy-map QOS_GROUP_OUT_QOS
class QOS_GROUP
bandwidth percent 40
random-detect
!
interface ethernet 1/0
service-policy output QOS_GROUP_OUT_QOS

Implementing the DiffServ Tunneling Models in Cisco IOS - Uniform Model

MPLS DiffServ Uniform Model
Ingress PE
!!! Ingress interface:
!
class-map IP_TOS
match ip precedence 4
!
policy-map SET_MPLS_PHB
class IP_TOS
police cir 8000
conform-action set-mpls-exp-transmit 4
exceed-action set-mpls-exp-transmit 2
!
interface ethernet 0/0
service-policy input SET_MPLS_PHB
!
!
!
!!! Egress interface:
!
class-map MPLS_EXP
match mpls experimental topmost 2 4
!
policy-map SET_QOS_OUT
class MPLS_EXP
bandwidth percent 40
random-detect
!
interface ethernet 1/0
service-policy output SET_QOS_OUT

For the Uniform model, you must copy the precedence bits to the EXP bits on the ingress PE.



P Router
!!! Ingress interface:
!
! Nothing needed because the EXP bits are copied to the swapped outgoing label by default.
!
!!! Egress interface:
!
class-map MPLS_EXP
match mpls experimental topmost 2 4
!
policy-map SET_QOS_OUT
class MPLS_EXP
bandwidth percent 40
random-detect
!
interface ethernet 0/0
service-policy output SET_QOS_OUT



PHP P Router
!!! Ingress interface:
!
class-map MPLS_EXP

Default MPLS QoS Behavior in Cisco IOS

In Cisco IOS, the default behavior when imposing one or more labels on an IP packet is to copy the precedence value to the EXP bits of all imposed labels. This is called TOS reflection, because nothing regarding QoS changes by default.

MPLS QoS Rule:
By default, in Cisco IOS, the precedence bits (the first three bits of the DSCP field) in the IP header are copied to the EXP bits of all imposed labels at the ingress LSR.
By default, in Cisco IOS, the EXP bits of the incoming top label are copied to the swapped outgoing label and to any label pushed onto it.
By default, in Cisco IOS, the EXP bits of the incoming top label are not copied to the newly exposed label when the incoming label is popped.
By default, in Cisco IOS, the EXP bits of the incoming top label are not copied to the precedence or DSCP bits when the label stack is removed and the IP header becomes exposed.
When you change the EXP bits value through configuration, the value of the EXP bits in labels other than the top l…

MPLS QoS MQC Command - set mpls experimental 'topmost' vs 'imposition'

The part of MPLS where people most easily go around in circles is QoS, because both the MPLS label and the IP header carry fields (EXP and ToS) that can be mapped to each other; the problem is that there may be more than one MPLS label, and the default behavior on ingress and egress interfaces is not necessarily the same.

In Cisco IOS, you can use the following two commands to modify the EXP bits in a label:

Router(config-pmap-c)#set mpls experimental topmost
Router(config-pmap-c)#set mpls experimental imposition

The biggest difference is:
set mpls experimental topmost value
set mpls experimental topmost can be used in an input or an output service policy
On an imposition (push) ingress interface it modifies both the existing label's EXP and the EXP of the newly pushed top label
On an imposition (push) egress interface it modifies only the top label's EXP
On a swapping ingress interface it modifies only that label's EXP
On a swapping egress interface it modifies only that label's EXP
On a disposition (pop) ingress interface it modifies only the EXP of the label about to be popped (so there is no change)
On a disposition (pop) egress interface it modifies only the EXP of the top label remaining after the pop
set mpls experimental imposition value
set mpls experimental imposition can only be used in an input service policy
On an imposition (push) ingress interface it modifies only the EXP of the newly pushed top label
On a swapping ingress interface no new label is pushed, so it does nothing (no change)
On a disposition (pop) ingress interface it modifies only the EXP of the label about to be popped (so there is no change)
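The four default rules from the "Default MPLS QoS Behavior" post and the topmost/imposition distinction above are easier to keep straight when the label stack is modelled explicitly. The following Python script is an added example (not IOS code and not from either post): it represents a packet as an IP precedence plus a label stack, applies the default TOS-reflection rules on push, swap and pop, and models the two set commands as operations on that stack. Label values 100, 101, 200 and 50 and precedence 4 are constructed; treating an input policy as running before the forwarding operation and an output policy as running after it is my simplification.

```python
# Model of Cisco IOS default EXP propagation (TOS reflection) and of the
# 'set mpls experimental topmost' / 'imposition' MQC actions.
# Added example for this page; a simplification, not IOS code.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Label:
    value: int
    exp: int


@dataclass
class Packet:
    precedence: int                                   # IP precedence (top 3 DSCP bits)
    stack: List[Label] = field(default_factory=list)  # stack[0] is the top label

    def top_exp(self) -> Optional[int]:
        return self.stack[0].exp if self.stack else None

    def exps(self) -> List[int]:
        return [lbl.exp for lbl in self.stack]


def push(pkt: Packet, values: List[int], imposition_exp: Optional[int] = None) -> Packet:
    """Impose labels (top label listed first). Default: with no label present every
    imposed label takes the IP precedence; with a label present the pushed labels
    copy the top label's EXP. 'set mpls experimental imposition' overrides the
    EXP of the imposed labels only."""
    base = pkt.top_exp() if pkt.stack else pkt.precedence
    exp = base if imposition_exp is None else imposition_exp
    for v in reversed(values):          # push the bottom-most new label first
        pkt.stack.insert(0, Label(v, exp))
    return pkt


def swap(pkt: Packet, out_value: int) -> Packet:
    """Default: the swapped outgoing label inherits the incoming top label's EXP."""
    pkt.stack[0] = Label(out_value, pkt.stack[0].exp)
    return pkt


def pop(pkt: Packet) -> Packet:
    """Default: the popped label's EXP is discarded. The newly exposed label keeps
    its own EXP, and an exposed IP header keeps its own precedence."""
    pkt.stack.pop(0)
    return pkt


def set_exp_topmost(pkt: Packet, value: int) -> Packet:
    """'set mpls experimental topmost': rewrite only the current top label."""
    if pkt.stack:
        pkt.stack[0].exp = value
    return pkt


# Scenarios. Label values and precedence 4 are constructed sample data.
def ingress_pe_default() -> List[int]:
    # Ingress PE pushes transport label 100 over VPN label 200 onto a precedence-4 packet.
    return push(Packet(precedence=4), [100, 200]).exps()                    # [4, 4]


def ingress_pe_imposition() -> List[int]:
    # Same push, but an input policy applies 'set mpls experimental imposition 2'.
    return push(Packet(precedence=4), [100, 200], imposition_exp=2).exps()  # [2, 2]


def ingress_topmost_then_push() -> List[int]:
    # Input policy 'set mpls experimental topmost 2' on an already-labelled packet
    # runs before the push, so the new label copies the rewritten EXP as well.
    pkt = Packet(precedence=4, stack=[Label(100, 4)])
    set_exp_topmost(pkt, 2)
    return push(pkt, [50]).exps()                                           # [2, 2]


def p_router_swap_then_topmost() -> List[int]:
    # P router swaps the top label, then an output policy marks only the top label.
    pkt = Packet(precedence=4, stack=[Label(100, 4), Label(200, 4)])
    swap(pkt, 101)
    set_exp_topmost(pkt, 2)
    return pkt.exps()                                                       # [2, 4]


def php_pop_exposes_inner() -> int:
    # Penultimate hop pops the top label; the VPN label keeps EXP 4, not 2.
    pkt = Packet(precedence=4, stack=[Label(101, 2), Label(200, 4)])
    return pop(pkt).top_exp()                                               # 4


def egress_pe_pop_to_ip() -> int:
    # Egress PE removes the last label; the IP precedence is untouched by default.
    pkt = Packet(precedence=4, stack=[Label(200, 2)])
    return pop(pkt).precedence                                              # 4
```

The last two scenarios are the ones that matter for the tunneling models: because a pop never copies EXP downward, a marking applied with set mpls experimental topmost on a P router is lost at the penultimate hop unless the egress PE classifies on the exposed label or on a qos-group set before the pop, which is exactly why the Pipe model configuration earlier on this page matches mpls experimental topmost on the ingress interface and carries it in qos-group to the egress interface.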

CCIE labs changing from UniversCD to Cisco Documentation

22 AUG 2008: On Sept 24 2008 CCIE labs will no longer support using the UniversCD documentation for the lab exam.

All labs are migrating to Cisco Documentation only. For those scheduled to take the CCIE lab prior to Sept 24 access will still be available for UniversCD.

The Cisco Documentation pages have the same information that currently resides on UniversCD; please refer to the links on the CCIE web pages to view these pages and become familiar with the new format.

After Sept 24 2008 only the Cisco Documentation web pages will be available for CCIE labs.