May 14 2012 12:26PM GMT
Posted by: Sulaiman Syed
Tags: Cisco, Nexus, Nexus 5000, Nexus 7000, M1, F2, F1, line cards, MPLS, OTV, fabric path
A few months ago I wrote an article on the main differences between the F1 and M1 cards in the Cisco Nexus 7k platform. The main difference between the two is that the M1 cards handle all the Layer 3 features and operations, while the F1 card handles the Layer 2 operations.
Recently, Cisco introduced the F2 and M2 cards. The M2 cards give the data center the expansion to run 40G and 100G infrastructure. In this article, I will look into the main differences between the F2 and F1 cards.
The F2 still provides all the built-in features of the F1 line card, and takes the operation further with better bandwidth. The F2 card gives wire-rate speed: 48 ports populated with 10G links run in a non-blocking architecture, something that was not possible on the older line cards. Of course, this became possible with the FAB-2 (fabric module 2).
One of the main advantages and upgrades is the ability to run Layer 3. The Cisco Nexus 7000 48-Port 1 and 10 Gigabit Ethernet F2-Series Module delivers 720 million packets per second (Mpps) of distributed Layer 2 and Layer 3 forwarding and up to 480 Gbps of data throughput. But the F2 cards lack the ability to run OTV or MPLS.
All in all, if you are making a new purchase of Nexus 7k, just buy the F2 cards. If there is a need for OTV or MPLS, then you need the M1 card. Otherwise, the F2 will suffice for all data center networking needs.
May 9 2012 6:45AM GMT
Posted by: Sulaiman Syed
Tags: Cisco, router, bridge, routing, transparent
One of the Layer 2 technologies that a CCIE candidate can face is bridging. Bridging transforms the router's IP routing behavior into switch-like behavior.
The underlying commands are the same; they differ in how the different modes of bridging are used on the router. There are three modes of bridging on Cisco routers: transparent bridging, concurrent routing and bridging (CRB), and integrated routing and bridging (IRB).
Transparent Bridging
In this mode, the router behaves fully like a bridge (switch). It is no longer able to do any IP routing. This was the legacy mode before the newer modes were introduced. The syntax to run this mode is simple.
no ip routing
!
bridge 1 protocol ieee
! define the STP protocol to be used for bridging
!
int fa0/0
ip address 1.1.1.1 255.255.255.0
bridge-group 1
!
int fa0/1
ip address 1.1.1.1 255.255.255.0
bridge-group 1
We can still maintain reachability to the router by assigning an IP address to the bridged interfaces. But remember, the router will never be part of the routing domain.

Figure 1: transparent bridging
Concurrent routing and bridging
Transparent bridging has a major limitation: what if my router is connected to both a routed domain and a bridge domain? It will not work. The solution is the concurrent routing and bridging (CRB) mode. In this mode, the router is divided logically into two domains: one part is the "ip routing" domain running routing protocols and routed ports, while the second domain is the "bridge". The syntax is:
bridge crb
ip routing
!
bridge 1 protocol ieee
! define the STP protocol to be used for bridging
!
int fa0/0
bridge-group 1
!
int fa0/1
bridge-group 1
Will the router be able to route traffic between the routed and bridged domains? No, it will not. For that, the next mode was introduced.

Figure 2: concurrent routing and bridging
Integrated routing and bridging
In this mode, we have both routing and bridging in one router, and we are still able to route traffic to and from the bridge domain.
The trick in this mode is to create a bridged virtual interface (BVI). This interface is used to route traffic to and from the bridged domain. Figure 3 shows the syntax.
bridge irb
ip routing
!
bridge 1 protocol ieee
! define the STP protocol to be used for bridging
bridge 1 route ip
! allow IP to be routed between bridge-group 1 and the routed domain through the BVI
!
int fa0/0
bridge-group 1
!
int fa0/1
bridge-group 1
!
int BVI1
! the BVI carries the IP address of the bridged domain (example address)
ip address 1.1.1.1 255.255.255.0

Figure 3: Integrated routing and bridging
There are other variables that can be changed in the bridging operation, but knowing the different modes, how they work, and their limitations is must-know information if you are preparing for the CCIE lab exam.
May 2 2012 8:57AM GMT
Posted by: Sulaiman Syed
Tags: CCIE, Cisco, Certification
Cisco has finally announced the CCIE Data Center track. The rumors had been out for almost a year. Well, the wait is over, and people can start taking the exam.
In my opinion, the track is targeted at cloud services and cloud networking. As the trend goes, services are converging, and the data center is becoming the connector between various sites.
The track covers data center networking, specifically the Nexus platform. The second section of the track covers storage networking, and the third part is virtualization. Further details can be found at https://learningnetwork.cisco.com/docs/DOC-13992
I see this as essential for data center networking engineers, especially if they want to work on, and evolve into, the newer technology "the Cloud".
I will end this entry with a great article on this topic: "With CCIE Data Center, can network engineers become data center gurus?"
Feb 21 2012 2:38PM GMT
Posted by: Sulaiman Syed
Tags: vpn, MPLS, route-map, Cisco, router, CCIE
The main purpose of route targets is to provide connectivity between different MPLS-VPN networks. For example, take three enterprises: A, B, and C. A and B are major networks, each with its own MPLS-VPN. Enterprise A needs access to some servers and resources in Enterprise C. The ISP uses route targets to provide partial connectivity, for certain private address routes, between A and C. Then Enterprise B buys Enterprise C, so B needs full connectivity to C. All of this is done using route targets.
The following example shows how to provide partial connectivity between Enterprise A and B. Let's see how it works; the following is the configuration with a brief explanation.
!
ip vrf VPN_A
rd 100:1
! organization A uses 100:1 as its route distinguisher and as its default route target
export map RD
route-target export 100:1
route-target import 100:1
route-target import 100:66
! in addition to the normal VPN_A routes, import anything carrying route target 100:66;
! organization B sets 100:66 on the routes it wants to share with us
!
interface Loopback101
ip vrf forwarding VPN_A
ip address 172.16.5.5 255.255.255.0
!
ip prefix-list FILTER seq 10 permit 172.16.5.0/24
!
route-map RD permit 10
match ip address prefix-list FILTER
set extcommunity rt 100:55
! routes matching the prefix list get route target 100:55 instead of 100:1,
! so they are not imported by the other VPN_A sites
!
route-map RD permit 20
set extcommunity rt 100:1
! default: all other networks keep route target 100:1
Now on Router 2 (the other side of the cloud) we do the opposite: we import 100:55, and rewrite the route target of certain routes to 100:66.
!
ip vrf VPN_B
rd 100:2
export map RD
route-target export 100:2
route-target import 100:2
route-target import 100:55
!
!
interface Loopback102
ip vrf forwarding VPN_B
ip address 192.168.6.6 255.255.255.0
!
ip prefix-list FILTER seq 10 permit 192.168.6.0/24
!
route-map RD permit 10
match ip address prefix-list FILTER
set extcommunity rt 100:66
!
route-map RD permit 20
set extcommunity rt 100:2
A diagram of such a network can be seen below.

It really comes down to how well you can manipulate route targets: setting them, importing them and exporting them. Beware: never forget to make sure that BGP is carrying the extended community as it should, otherwise these routes will not be advertised anyway. Route targets are the critical elements that decide which routes are installed in which VRF routing table.
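To make the import/export logic concrete, here is an added Python model of the two PE configurations above (example code, not Cisco's or the post's). It assumes IOS semantics for the syntax used: the export map's set extcommunity rt replaces the route-target export values because no additive keyword is given, a VRF installs a remote route when any of the route's RTs is in its import list, and BGP carries the extended communities between the PEs (the post's own caveat; on IOS that is neighbor ... send-community extended). The prefixes and RTs are the post's; the two extra prefixes are constructed to show routes that stay inside their own VPN.

```python
"""Model of route-target export/import for the two PE routers in the post.

Added example, not Cisco's or the post's code. Assumed IOS semantics:
  * an `export map` clause whose `set extcommunity rt` matches REPLACES the
    VRF's `route-target export` values (the post uses no `additive` keyword);
  * a VRF installs a remote VPNv4 route when any RT on it is in its import list;
  * BGP carries the extended communities between the PEs.
The *-only prefixes are constructed to show routes that stay in their own VPN.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: Set[str]
    import_rts: Set[str]
    # export map as ordered clauses (prefix matched, rt set); None matches everything
    export_map: List[Tuple[Optional[IPv4Network], str]] = field(default_factory=list)
    routes: List[IPv4Network] = field(default_factory=list)


def export_rts_for(vrf: Vrf, prefix: IPv4Network) -> Set[str]:
    """RTs attached to `prefix` when `vrf` exports it.

    The export map is walked sequence by sequence; the first matching clause's
    `set extcommunity rt` replaces the static `route-target export` values.
    With no matching clause the static values are used.
    """
    for match, rt in vrf.export_map:
        if match is None or prefix == match:
            return {rt}
    return set(vrf.export_rts)


def vpnv4_table(vrfs: List[Vrf]) -> Dict[Tuple[str, IPv4Network], Set[str]]:
    """VPNv4 routes the PEs advertise: (RD, prefix) -> route targets carried."""
    return {(v.rd, p): export_rts_for(v, p) for v in vrfs for p in v.routes}


def imported_routes(vrf: Vrf, table: Dict[Tuple[str, IPv4Network], Set[str]]) -> List[str]:
    """Remote prefixes `vrf` installs: any carried RT is in its import list."""
    return sorted(str(p) for (rd, p), rts in table.items()
                  if rd != vrf.rd and rts & vrf.import_rts)


def post_scenario() -> Tuple[Vrf, Vrf]:
    """Router 1 (VPN_A) and Router 2 (VPN_B) from the post, expressed as data."""
    vpn_a = Vrf("VPN_A", rd="100:1", export_rts={"100:1"}, import_rts={"100:1", "100:66"},
                export_map=[(IPv4Network("172.16.5.0/24"), "100:55"),  # route-map RD permit 10
                            (None, "100:1")],                          # route-map RD permit 20
                routes=[IPv4Network("172.16.5.0/24"),                  # Loopback101
                        IPv4Network("172.16.50.0/24")])                # constructed: A-only prefix
    vpn_b = Vrf("VPN_B", rd="100:2", export_rts={"100:2"}, import_rts={"100:2", "100:55"},
                export_map=[(IPv4Network("192.168.6.0/24"), "100:66"),
                            (None, "100:2")],
                routes=[IPv4Network("192.168.6.0/24"),                 # Loopback102
                        IPv4Network("192.168.60.0/24")])               # constructed: B-only prefix
    return vpn_a, vpn_b


if __name__ == "__main__":
    a, b = post_scenario()
    table = vpnv4_table([a, b])
    for (rd, prefix), rts in table.items():
        print(f"RD {rd} {prefix} carries RT {sorted(rts)}")
    print("VPN_A imports from VPN_B:", imported_routes(a, table))  # ['192.168.6.0/24']
    print("VPN_B imports from VPN_A:", imported_routes(b, table))  # ['172.16.5.0/24']
```

Running it shows the partial connectivity the post describes: only the loopback prefixes matched by FILTER cross between the two VPNs, because they are the only routes whose rewritten route target appears in the other VRF's import list; everything else keeps the VRF's default route target and stays put.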
Feb 16 2012 12:03AM GMT
Posted by: Sulaiman Syed
Tags: Cisco, transparent, proxy, explicit, PBR, router, switch, proxysg, Citrix
We have reached a finalized design for running a transparent proxy setup. The figure below shows the network diagram.

This is the finalized design; I will go through the logical flow of traffic since it might not be clear at first look. Traffic reaches the core network, and from there it is routed to the PBR router. The PBR process sends traffic on ports 80 and 443 to the load balancers, while the rest of the traffic is routed with the default policy. The load balancers distribute the load across the proxies using two or three virtual IPs.
The proxies are installed in a one-leg setup, with the feature to reflect the client source IP. This is important for a fully transparent setup, so that private IPs can be NATed to a pool of public IPs (instead of the single one used right now).
Once that is done, the packet shaper ensures a fair share of bandwidth by dividing the big pipe into two or three main segments that are shared based on source IPs (group-based shaping), and another dynamic partition to give individual IPs fair bandwidth (user-based shaping).
We have multiple firewalls and a VPN concentrator to provide the required security.
Feb 13 2012 10:33AM GMT
Posted by: Sulaiman Syed
Tags: Cisco, virtual, routing, forwarding, how, to, Configure, CCIE
VRF-lite is, as the name says, a light version of VRF. What is VRF? It is Virtual Routing and Forwarding: a logical way of segregating network traffic, mostly used with MPLS-VPN. So, let's see what VRF-lite is.
According to Cisco, VRF is considered "lite" when it is used without MPLS. That means creating interfaces and running routing protocols per VRF, without the use of MPLS, makes it VRF-lite.
To configure VRF-lite, follow these steps:
- Define the VRF instance by using ip vrf <name>
- Give it the appropriate rd value with rd nn:nn
- If using BGP, then add route-target {export|import} nn:nn
- Add the interface to the VRF by using the command ip vrf forwarding <name>
The above is a sample procedure for creating VRF-lite; different routing protocols have different syntax and ways of being enabled for their respective VRFs.

For the simple router-to-router connection shown in the image, the following configuration can be used.
R1
ip vrf VPN_A
rd 100:1
!
ip vrf VPN_B
rd 100:2
!
interface FastEthernet0/0.67
encapsulation dot1Q 67
ip vrf forwarding VPN_A
ip address 155.1.67.6 255.255.255.0
!
interface FastEthernet0/0.76
encapsulation dot1Q 76
ip vrf forwarding VPN_B
ip address 155.1.76.6 255.255.255.0
!
ip route vrf VPN_A 172.16.7.0 255.255.255.0 155.1.67.7
ip route vrf VPN_B 192.168.7.0 255.255.255.0 155.1.76.7
R2
!
ip vrf VPN_A
rd 100:1
!
ip vrf VPN_B
rd 100:2
!
!
interface Loopback101
ip vrf forwarding VPN_A
ip address 172.16.7.7 255.255.255.0
!
interface Loopback102
ip vrf forwarding VPN_B
ip address 192.168.7.7 255.255.255.0
!
!
interface Vlan67
ip vrf forwarding VPN_A
ip address 155.1.67.7 255.255.255.0
!
interface Vlan76
ip vrf forwarding VPN_B
ip address 155.1.76.7 255.255.255.0
!
ip route vrf VPN_A 0.0.0.0 0.0.0.0 155.1.67.6
ip route vrf VPN_B 0.0.0.0 0.0.0.0 155.1.76.6
The configuration above creates the VRFs and adds static routes for the loopback interfaces. It is simple and straightforward. The above configuration can be used WITHOUT the rd command, although it is recommended to use it.
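As an added example (not the post's or Cisco's code), the following Python models R1's per-VRF tables from the configuration above. It shows the segregation VRF-lite gives: the table consulted is chosen by the VRF of the ingress interface, and a static route's next hop is resolved recursively to a connected route in that same VRF, so a prefix known in VPN_A is unreachable for a packet entering a VPN_B interface. Addresses and interface names are the post's; the lookup logic and the function names lpm and forward are the example's own.

```python
"""Per-VRF route lookup modelling R1 from the post.

Added example, not Cisco's or the post's code. Addresses and interface names
are the post's; the lookup logic and function names are the example's own.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import Dict, List, Optional, Tuple

# (prefix, next hop or None if connected, egress interface if connected)
Route = Tuple[IPv4Network, Optional[IPv4Address], Optional[str]]

# `ip vrf forwarding` assignments on R1
R1_IFACE_VRF: Dict[str, str] = {
    "FastEthernet0/0.67": "VPN_A",
    "FastEthernet0/0.76": "VPN_B",
}

# One table per VRF on R1: the connected subnets plus the two `ip route vrf` statics
R1_RIB: Dict[str, List[Route]] = {
    "VPN_A": [
        (IPv4Network("155.1.67.0/24"), None, "FastEthernet0/0.67"),
        (IPv4Network("172.16.7.0/24"), IPv4Address("155.1.67.7"), None),
    ],
    "VPN_B": [
        (IPv4Network("155.1.76.0/24"), None, "FastEthernet0/0.76"),
        (IPv4Network("192.168.7.0/24"), IPv4Address("155.1.76.7"), None),
    ],
}


def lpm(vrf: str, dst: IPv4Address, rib: Dict[str, List[Route]] = R1_RIB) -> Optional[Route]:
    """Longest-prefix match restricted to one VRF's table."""
    matches = [r for r in rib.get(vrf, []) if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def forward(ingress: str, dst: str,
            rib: Dict[str, List[Route]] = R1_RIB) -> Optional[Tuple[str, str, str]]:
    """Forwarding decision: (vrf, egress interface, next hop), or None if dropped.

    The VRF is taken from the ingress interface. A static route's next hop is
    resolved recursively, again only inside that VRF, until a connected route
    names the egress interface.
    """
    vrf = R1_IFACE_VRF[ingress]
    route = lpm(vrf, ip_address(dst), rib)
    if route is None:
        return None                     # no route in this VRF: packet dropped
    prefix, nexthop, iface = route
    if nexthop is None:
        return vrf, iface, dst          # connected subnet: deliver directly
    resolved = lpm(vrf, nexthop, rib)
    if resolved is None or resolved[2] is None:
        return None                     # next hop not resolvable within the VRF
    return vrf, resolved[2], str(nexthop)


if __name__ == "__main__":
    # Same destination, two ingress VRFs: only VPN_A knows 172.16.7.0/24
    print(forward("FastEthernet0/0.67", "172.16.7.7"))   # ('VPN_A', 'FastEthernet0/0.67', '155.1.67.7')
    print(forward("FastEthernet0/0.76", "172.16.7.7"))   # None
    print(forward("FastEthernet0/0.76", "192.168.7.7"))  # ('VPN_B', 'FastEthernet0/0.76', '155.1.76.7')
```

The second call is the whole point of VRF-lite: 172.16.7.0/24 exists on R1, but a packet arriving on the VPN_B sub-interface never sees it, because the lookup is confined to VPN_B's table.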
Feb 8 2012 3:01AM GMT
Posted by: Sulaiman Syed
Tags: CCIE, INE, Review, Lab, exam, Cisco, router, switch, routing
In the process of gaining my CCIE certification, I had to select a CCIE vendor to start with. I used the INE workbook for the lab preparation.
The book covered almost every command possible to enter. If you read the DOC, you would find that they managed to utilize all the details. I was surprised by the amount of depth, but again, CCIE is about doing one thing in three different ways.
This is what I wish for:
- More explanation. Yes, the book is detailed, but there are some points that were not explained and some other points that need more detail.
- Fix the questions/answers. A few tasks were asked in a wrong or unclear manner. I found some solutions that were not right; in some cases, the question asked for something and the answer did something else.
I really advise people to use this workbook. It has almost everything you would think of and imagine. Of course, it only gives you the commands to use; how to use these commands is what CCIE skill is about.
Feb 5 2012 9:03AM GMT
Posted by: Sulaiman Syed
Tags: proxysg, BlueCoat, exam, professional, Lab
I attended the BlueCoat ProxySG training for the Professional course. While I learned a lot about the operation of the ProxySG, I learned more about proxy operations, theory, and forwarding and reverse proxy setups. It is intriguing how many things can be done with the ProxySG.
What I really applaud Bluecoat for is the caching in their ProxySG. Later I will write and show you how the traffic changed within our enterprise once we started caching YouTube.
The exam was tough, not easy at all. Reading the course book did solidify much of the theory and information I had, but when I started doing the test, I realized how tough the exam is.
I'm glad the exam was open book; otherwise I'm very sure that I would have failed it. It was a tough one to crack. My advice: be ready! Read multiple times, understand everything, and highlight any details that you can't memorize and think are important.
Lastly, I would say: best of luck.
Jan 8 2012 6:21AM GMT
Posted by: Sulaiman Syed
Tags: Blue coat, proxysg, exam, Certified, administrator
I recently passed the Blue Coat Certified ProxySG Administrator course. The exam could have been better; what I suggest to Blue Coat is:
- The questions should address the understanding of ProxySG functions.
- No questions about other Blue Coat products.
- More effort on the concepts and implementations of ProxySG.
- Reduce the exam time; 4 hours is a lot.
The topics covered in this exam are:
-> Blue Coat Family of Products
-> Understanding Proxy Servers
-> ProxySG Deployment
-> ProxySG Licensing
-> ProxySG Initial Setup
-> ProxySG Management Console
-> Services
-> Hypertext Transfer Protocol
-> Policy Management
-> WebPulse
-> Authentication Introduction
-> Authentication using LDAP
-> Creating Notifications
-> Creating Exceptions
-> Access Logging
-> WAN Optimization Features
-> Service and Support
To anyone thinking of taking the exam, I would suggest that you read the materials at least once. Mark and highlight all the points that matter. The exam is open book, so finding the right information at the right time is important.