I had the opportunity to attend Cisco Connect 2013, a two-day conference at the Four Seasons Hotel in Riyadh, with multiple sessions of talks, presentations, and technology demonstrations.
There were plenty of partner booths showing various Cisco and Cisco partner components, but the space felt crowded. The hall was big, with enough space for walking and meeting up with people, although I didn’t like how restrictive the coffee and drinks time was.
The talks were all very informative. The keynote was the highlight; Duncan, Dan, and Rabih gave a very interesting presentation, and I enjoyed it thoroughly. The other talks were interesting as well. I give it to Cisco that they deliver interesting talks.
We saw a new networking device, the Unified Access Switch. It is a switch that provides connectivity for both wired and wireless clients: a switch and a wireless controller in one. I would say the 3850 is the go-to switch to install at the edge of the network. To this day, no competitor has come up with anything even remotely similar. I will write about this switch in detail in the coming days.
Identity Services Engine (ISE) + BYOD was the second highlight, with a live demonstration of how BYOD devices can be added to the enterprise network with the right security policies applied through a single interface. I did like how Cisco is trying to integrate its management solutions and ease network and security operations with Prime + ISE.
Overall, the event was successful, entertaining and informative. We saw new technologies, how Cisco is adapting to changes in the networking field, a killer switch (the 3850) being sold at the price of a 3750X, and ISE with the adaptability to accommodate the BYOD movement.
I’m really glad to say that I have passed the lab exam. I would really have to say that the journey was not short, nor was it easy.
I would really have to thank INE for providing the best materials out there for any CCIE candidate. They really do provide the technical depth, the speed, and the qualities that are required to pass this exam.
Well, since that is done, I will certainly take a small break from studying. GNS3 and real routers have been my best friends for the past 15 months.
Cisco FWSM image/IOS version 4.1 was mainly intended to solve compatibility issues with the 6500 VSS. The update process is pretty simple and straightforward: download the image to a TFTP server (preferably placing it in the TFTP root directory) and type the following command:
copy tftp://server[/path]/filename flash:[image]
So, assuming the server IP is 10.1.1.1, the image is in the root directory, and the file name is fwsm-ios-4.1.bin, the command would be
copy tftp://10.1.1.1/fwsm-ios-4.1.bin flash:image
Is this the only way to write that command? The simple answer is no, but this is the most effective way, and the one that worked for us.
We had two FWSMs; one was upgraded the conventional, interactive way:
copy tftp flash
Address or name of remote host ? 10.1.1.1
Source filename ? fwsm-ios-4.1.bin
Destination filename [test]? image
To our surprise, it worked on only one FWSM. The second FWSM would not take the image: it had errors copying and saving, and things just didn’t work. Lastly, we followed the one-line syntax, and it worked!
I have mentioned the DC design that was at hand. A new network design was proposed to tackle the issues; the figure below shows the proposed design. The benefits of such a design are:
1- Virtual Switching System (VSS)
- With VSS, the two 6500s become one logical switch.
- This makes both 6500s active at the same time, increasing the available network bandwidth for all servers and applications.
- This design eliminates STP.
2- User VLANs terminated at the MSFC
- This reduces the operational and management tasks. It keeps the network simple, while the Data Center remains secured by the FWSM.
- Dynamic routing can be used between the MPLS routers, the Core (6500), and the future distribution switches that can/should be introduced to follow the standard hierarchical network design.
I’ve come upon a network design for a data center. While the physical infrastructure consisted of the latest technology, it had “flaws” on the technical side. The figure below shows the connectivity.
From the diagram, we made the following observations.
1- Two MSFCs (SUP engines) in each 6500.
- Since all servers are connected to two different chassis (6500), there was no need for redundant SUPs. This is extra redundancy that has no benefit, only the cost of purchasing and running it. Redundant SUPs are used in scenarios with a single chassis.
- The probability of two SUPs failing is very, very low from a manufacturing point of view. Failure is more likely in case of fire or loss of electricity, but then even the second chassis with its two SUPs will go down as well.
2- Using static routing.
- Static routes are not scalable, not flexible, not simple, and don’t provide high availability. These are major issues that need to be handled when making a new network design. Dynamic routing is a MUST.
- Only with dynamic routing can highly available and redundant paths be utilized.
3- Using Spanning Tree Protocol (STP)
- No new data center should be based on STP. All new data center technologies from Cisco, HP, Juniper, and Brocade are moving away from STP.
- STP will always leave links unutilized, as STP works by “blocking” ports. Hence, all networking components and servers will be running at half the networking capacity.
4- Terminating user VLANs at the FWSM (firewall)
- Although this is good for security, it has many issues when it comes to scalability, management, and operation.
- The server farm is protected by the FWSM; user VLANs are not required to be controlled by it.
- Referring to point one: the two MSFCs (SUPs) will not be utilized at all! The 6500 will be used as a giant firewall. If this is the case, then there was no requirement to purchase a 6500 in the first place; any cheap Cisco 2960 would do the job.
These are the points that I did not like about the design. To tackle this, I would propose my own design that makes better use of the links and hardware in question.
In my previous entry, I mentioned the methods that can be used to interconnect different areas in OSPF. In this entry, I post another similar network diagram, with possible methods to connect the areas to have full network connectivity.
Diagram 1 shows that we have two Area 0s in the network; between them we have Area 1 and Area 2.
A simple solution is to have two virtual links, between R3 and R1/R2, and between R4 and R3. Another is to have two GRE tunnels, between R3 and R1/R2 and between R3 and R4. Or a mix of both: a virtual link between R3 and R1/R2 and a GRE tunnel between R4 and R3.
One interesting and very easy method is to have two instances of OSPF on R3 and perform mutual redistribution. How does it work?
R4 is part of Area 0, and R1/R2 are part of Area 0 as well. What remains is R3, which is not connected directly to Area 0 on either side. But if we break the OSPF instance in two, we end up with two full, proper OSPF networks. To the right of R3 we have Area 2 connected to Area 0, while to the left of R3 we have Area 1 connected to Area 0. Hence, doing mutual redistribution at R3 between those two OSPF networks yields a full network database.
While studying for the CCIE, I realized that no scenario will be without connecting different OSPF areas. So, what are the rules for having multiple areas in OSPF while still getting a fully converged network with full route propagation? There is one rule:
Every area in OSPF must be connected to Area 0.
That is the requirement, but is it possible to have them all connected? Yes, especially in a greenfield network (a new network design). But what happens when different networks get connected randomly because of some older design that already existed (which is what happens in real life)? For that, there are a few methods to resolve the issue. Namely:
- Virtual Links
- GRE Tunnels
- Different OSPF instances
Let’s have a look at Diagram 1 to get a feel for the scenario at hand. We have three routers in Area 0, one router between Area 1 and Area 2, and one router between Area 2 and Area 3.
Now, routers in Area 1 will not have any issue, since they are connected to Area 0 through R1 and R2. But routers in Area 2 (other than R3) will suffer, as they are not connected to Area 0. All routers in Area 3 won’t have any inter-area routes, as they are not connected to Area 0.
Virtual links, as the name implies, are links that virtually connect one area to another. For the above scenario, we can create a virtual link between R3 and R1/R2. Once that is done, R3 becomes virtually part of Area 0; thus Area 2 is directly connected to Area 0, and route propagation works as intended. A second virtual link is required between R4 and R3: since R3 is now part of Area 0, a virtual link from R4 makes R4 part of Area 0.
Can a virtual link extend from R4 to R1/R2 directly? No, that is not possible. A virtual link can only connect two routers that share a common (transit) area.
While GRE tunnels are functionally the same as virtual links, the only real issue with these tunnels is that you don’t want to learn the tunnel destination through the tunnel itself (recursive routing, a common issue to be aware of when creating GRE tunnels).
Once the GRE tunnels are created, we place the tunnel interfaces in Area 0, thus connecting the OSPF areas. One tunnel forms between R3 and R1/R2, while another forms between R4 and R3.
Could a GRE tunnel be formed directly between R4 and R1/R2? How would the route to the tunnel destination be reached without a functioning routing table? It is not possible, unless we run another protocol on the same routers, which defeats the purpose of having OSPF. So the solution is two tunnels.
Unlike EIGRP, routers running different OSPF process instances can still become neighbors, because the OSPF process ID is only locally significant. Since Area 1 has no issues, the solution is to run two instances of OSPF on R3: OSPF 1 for Area 1 and OSPF 2 for Area 2, then perform mutual redistribution between OSPF 1 and OSPF 2 on R3. This gives full routing information in Area 2. Once that is done, the same exercise should be done on R4: R4 will have OSPF 1 for Area 2 and OSPF 2 for Area 3, then perform mutual redistribution.
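The two virtual links for this scenario in IOS configuration, as an added example that is not from the original post. R3 reaches R1 across transit Area 1 and R4 reaches R3 across transit Area 2; the router IDs and link addresses are assumed values for the example:

```cisco
! R1 (ABR between Area 0 and Area 1): its end of the link towards R3
router ospf 1
 router-id 1.1.1.1
 network 10.0.12.0 0.0.0.255 area 0   ! existing Area 0 link
 network 10.1.13.0 0.0.0.255 area 1   ! Area 1 link towards R3
 area 1 virtual-link 3.3.3.3          ! peer is identified by ROUTER ID, not address
!
! R3 (ABR between Area 1 and Area 2): becomes Area 0 attached via the first link,
! which is what allows it to terminate the second link for R4
router ospf 1
 router-id 3.3.3.3
 network 10.1.13.0 0.0.0.255 area 1
 network 10.2.34.0 0.0.0.255 area 2
 area 1 virtual-link 1.1.1.1
 area 2 virtual-link 4.4.4.4
!
! R4 (ABR between Area 2 and Area 3)
router ospf 1
 router-id 4.4.4.4
 network 10.2.34.0 0.0.0.255 area 2
 network 10.3.45.0 0.0.0.255 area 3
 area 2 virtual-link 3.3.3.3
!
! Verification on each router: the link must show "Adjacency State FULL"
! show ip ospf virtual-links
```

The transit area must be a normal area (not a stub), and if either side uses an OSPF authentication that is configured per area, the virtual link needs the same authentication key as Area 0, since it logically belongs to Area 0.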
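The GRE variant with the recursive-routing caveat handled, as an added example that is not from the original post. The tunnel endpoints are loopbacks advertised in transit Area 1, so each router learns the tunnel destination as an intra-area Area 1 route, which OSPF always prefers over the inter-area copy it would hear through the tunnel; addresses and interface names are assumed:

```cisco
! R1: tunnel towards R3, sourced from a loopback that lives in Area 1
interface Loopback1
 ip address 10.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 10.255.13.1 255.255.255.252
 tunnel source Loopback1
 tunnel destination 10.1.3.3            ! R3's Area 1 loopback
 ip ospf 1 area 0                       ! the tunnel itself is an Area 0 link
!
router ospf 1
 router-id 1.1.1.1
 network 10.0.12.0 0.0.0.255 area 0     ! existing Area 0 link
 network 10.1.1.1 0.0.0.0 area 1        ! endpoint advertised in Area 1, NOT Area 0
 network 10.1.13.0 0.0.0.255 area 1
!
! R3: mirror image
interface Loopback1
 ip address 10.1.3.3 255.255.255.255
!
interface Tunnel0
 ip address 10.255.13.2 255.255.255.252
 tunnel source Loopback1
 tunnel destination 10.1.1.1            ! R1's Area 1 loopback
 ip ospf 1 area 0
!
router ospf 1
 router-id 3.3.3.3
 network 10.1.3.3 0.0.0.0 area 1
 network 10.1.13.0 0.0.0.255 area 1
 network 10.2.34.0 0.0.0.255 area 2
!
! Check on R3 that the destination is reached through an Area 1 interface,
! never through Tunnel0. If the endpoint had been placed in Area 0 instead,
! the intra-area route via the tunnel would win and the interface would flap
! with "%TUN-5-RECURDOWN" recursive routing messages.
! show ip route 10.1.1.1
```

The R4 to R3 tunnel is built the same way with loopbacks advertised in Area 2.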
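The two-process approach described here (and in the later entry above) on R3, as an added example that is not from the original post. Route tags are added so that a prefix can never be fed back into the process it came from; addresses and router IDs are assumed values:

```cisco
! R3: process 1 faces Area 1 (and, through R1/R2, Area 0); process 2 faces Area 2.
! Each interface belongs to exactly one process, and each process needs its own router-id.
router ospf 1
 router-id 3.3.3.1
 network 10.1.13.0 0.0.0.255 area 1
 redistribute ospf 2 subnets route-map OSPF2-INTO-OSPF1
!
router ospf 2
 router-id 3.3.3.2
 network 10.2.34.0 0.0.0.255 area 2
 redistribute ospf 1 subnets route-map OSPF1-INTO-OSPF2
!
! Tag every prefix on its way out (1 = came from the Area 1 side, 2 = from the
! Area 2 side) and drop anything that already carries the other direction's tag.
route-map OSPF1-INTO-OSPF2 deny 10
 match tag 2
route-map OSPF1-INTO-OSPF2 permit 20
 set tag 1
!
route-map OSPF2-INTO-OSPF1 deny 10
 match tag 1
route-map OSPF2-INTO-OSPF1 permit 20
 set tag 2
!
! R4 repeats the same pattern with process 1 in Area 2 and process 2 in Area 3.
! Verification: Area 1/Area 0 prefixes appear in Area 2 as "O E2" with tag 1.
! show ip route ospf
! show ip ospf database external
```

Redistributed prefixes lose their OSPF intra/inter-area type and become externals, so summarisation and filtering that relied on ABR behaviour no longer apply across R3.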
In the process of studying, I came upon a dreaded topic. Well, it was dreaded because I had never gotten my hands on it: PPP over Frame Relay, or PPPoFR. For some reason, I can’t figure it out. So, the best thing is to do a little studying about it and write it down, and hopefully it sticks in my head.
To configure PPP over Frame Relay, using a “virtual-template” is a must.
1- PPP with virtual template
This is the rather straightforward configuration: associate the virtual-template interface with the Frame Relay DLCI. All interface commands (IP address, authentication, etc.) are applied to the virtual template.
interface virtual-template 1
ip address 10.1.1.1 255.255.255.0
ppp authentication pap
Then, this virtual template is associated with the Frame Relay DLCI.
frame-relay interface-dlci 101 ppp virtual-template 1
2- PPP with Multilink
In this case, we merge two different DLCIs (Frame Relay circuits) to act like a single PPP link. The Multilink interface holds the IP address as well as the PPP configuration.
interface Multilink 10
ip address 10.1.1.1 255.255.255.0
ppp multilink group 10
Then, a virtual template is used to bind the PPP sessions to this multilink interface.
interface virtual-template 1
ppp multilink group 10
Lastly, the frame-relay interface-dlci is associated with this virtual template:
frame-relay interface-dlci 101 ppp virtual-template 1
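The complete multilink variant on one router, as an added example that is not from the original post. It adds the physical Frame Relay interface the snippets above leave out and binds the two DLCIs the text describes into one bundle; DLCI numbers, addresses, and the CHAP username/password are placeholders:

```cisco
! Physical Frame Relay interface: no IP address here, it only carries the DLCIs
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no frame-relay inverse-arp
 frame-relay interface-dlci 101 ppp virtual-template 1
 frame-relay interface-dlci 102 ppp virtual-template 1
!
! Virtual template: PPP-level settings only. Each DLCI bound to it spawns a
! virtual-access interface that joins multilink group 10.
interface Virtual-Template1
 no ip address
 ppp authentication chap
 ppp multilink
 ppp multilink group 10
!
! The bundle: this is where the IP address (and therefore routing) lives
interface Multilink10
 ip address 10.1.1.1 255.255.255.0
 ppp multilink
 ppp multilink group 10
!
! CHAP credential for the peer router (hostname and password are placeholders)
username R2 password 0 PLACEHOLDER_SECRET
!
! Verification
! show ppp multilink          -> both virtual-access members listed under Multilink10
! show frame-relay pvc        -> DLCI 101 and 102 with PVC STATUS = ACTIVE
```

The far-end router needs the mirror configuration with the matching username for this side, otherwise CHAP fails and the virtual-access interfaces never join the bundle.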
In conclusion, I can say it is straightforward. The fact that it was not practiced enough made it more difficult. Hopefully, next time, while practicing in the lab, I will be able to configure PPPoFR without any issues.
A couple of months ago, Brian mentioned in his blog post “INE R&S CCIE Product and Rack Updates – May 2012” the new troubleshooting rack scenario. Yes, this will go in line with the 2-hour section that real CCIE R&S candidates face.
The setup currently involves 27 routers and 4 switches. These labs will have grading (an interesting feature), and they will be timed.
They are about to change the rack rental times from the standard 5.5 hours to 3 hours (not sure about the half hour). For me, this is more hassle: it means changing racks, saving configurations, etc. I really liked it when I worked straight through; my brain would be heating up with concentration (something that would happen in the actual exam).
Overall, I’m looking forward to the new racks and the TSHOOT section. I would like to mention that although July was the target date for releasing their TS labs and materials and doing the other changes, nothing has been done yet.
When I started writing the first article, I never thought that it would turn into three different blog entries. Truth be told, the scenario was such a complicated one that just changing the AD was not enough to provide the intended routing path.
The scenario is from the network shown in Diagram 1.
It is about the path the routers will use to route packets from the EIGRP domain to network 192.168.1.1. Of course, I have changed the IP addressing for the purpose of this blog.
The entries for the full working solution are: