The Journey of a Network Engineer


July 2, 2012  7:58 AM

how to use Administrative distance? – part 3

Sulaiman Syed

This is the last entry in the series “how to use administrative distance”. The interesting question was: why, when the static routes were redistributed into EIGRP, were they shown as internal?

Network Troubleshoot topology

After some testing, what I found is the following:

  1. When using the command “ip route x.x.x.x y.y.y.y z.z.z.z” (a next-hop address), the redistributed static route will be external.
  2. When using the command “ip route x.x.x.x y.y.y.y gigabit0/1” (an exit interface), the redistributed static route will be internal.
The reason is that IOS treats any static route that uses an exit interface as a connected route, so when it is redistributed it shows up as an “internal” route.
So, I changed the static route configuration on router B, and my routes are now shown as external.

Now, if the MPLS-VPN link fails, routing will automatically switch to the wireless point-to-point link. But when the MPLS-VPN link comes back, the route will converge based on the minimum metric (“cost”), and that decision is made at router D: the route with the minimum cost wins.

There is a way of doing it, using iBGP between routers B and C. This will make the route propagate, and the static route will be used only when the iBGP route is not in the routing table. Of course, the AD of the static route has to be 201, as the AD of iBGP is 200.

May 29, 2012  9:16 AM

how to use Administrative distance? – part 2

Sulaiman Syed

In my earlier blog entry, I showed a detailed diagram of the problem/requirement for the network change. After 5 minutes of studying the proposal I came up with an easy solution to change the routing behavior. I made a few assumptions and built my design on them. These assumptions are correct; they are not assumptions based on false information.

The assumptions:

1- Routers advertise only their best route. So, if they have two routes to the same network, they will advertise only the best one.

2- The administrative distance for EIGRP external is 170, EIGRP internal is 90, static is 1, and eBGP is 20.

From the diagram, I have BGP running only on Router C, which is connected to the MPLS-VPN, and Router B running EIGRP only. My plan was to manipulate the static route AD to be higher than 170, so I made the static route with an AD of 171. At Router A I changed the AD of the static route to 21, because the BGP routes have an AD of 20.

Network Troubleshoot topology

But my theory did not work as I wished, since Router B and Router C are connected through various other routers. What happened is that the intermediate Router E received both routes via EIGRP: from Router B with an AD of 90, and from Router C with an AD of 170.

Since Router E installed the route from Router B, Router B never managed to learn the route from Router C, and hence the route convergence didn’t work. So, as a workaround, I shut down the wireless point-to-point link. The routes converged to the new ones. Once that was done I brought the wireless link back up.

Now I know that if my MPLS-VPN link goes down, the wireless link will take over, providing a redundant active link. The problem is, if my MPLS-VPN link comes back, the route will converge back to the MPLS-VPN link.

I’m looking at the possibility of running iBGP between routers B and C, or some other mechanism, so that I can get a fully automated network where the routing protocols take care of the issue.
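As an added example (not code from the original posts), here is a small Python model of the route selection described in part 3 and part 2 above: a router installs the candidate with the lowest administrative distance, falls back to the metric (“cost”) only between routes of the same protocol, and re-advertises only what it installed. Router names, the 192.168.1.0/24 prefix and the AD values are the posts’ own; the metric values are constructed for illustration.

```python
# Added example, not from the original posts. Toy model of RIB selection:
# lowest administrative distance (AD) wins; metric breaks ties only between
# routes learned from the same protocol, which is all these scenarios need.

# Administrative distances quoted in the posts (lower is preferred)
AD = {
    "static": 1,
    "ebgp": 20,
    "eigrp-internal": 90,
    "eigrp-external": 170,
    "ibgp": 200,
}

def best_route(candidates):
    """candidates: list of (source, metric, via, ad_override).
    ad_override lets a static route carry a manually configured AD, as the
    posts do with 171 and 201. Returns the candidate the RIB would install."""
    def key(c):
        source, metric, _via, ad_override = c
        ad = AD[source] if ad_override is None else ad_override
        return (ad, metric)
    return min(candidates, key=key)

def router_e_part2():
    """Part 2: B's static uses an exit interface, so it reaches E as EIGRP
    internal (AD 90) and beats C's external route (AD 170) whatever the
    metric. E then advertises only B's route, so B never learns C's."""
    return best_route([
        ("eigrp-internal", 3000, "B", None),  # constructed metric: wireless path
        ("eigrp-external", 1000, "C", None),  # constructed metric: MPLS-VPN path
    ])[2]

def router_e_part3():
    """Part 3: B's static now uses a next-hop address, so it is redistributed
    as external too. Both are AD 170 and the lower metric (the MPLS-VPN
    path via C) wins, as the post describes."""
    return best_route([
        ("eigrp-external", 3000, "B", None),
        ("eigrp-external", 1000, "C", None),
    ])[2]

def router_b_with_ibgp(ibgp_up):
    """Part 3's proposal: iBGP (AD 200) between B and C, with B's static
    raised to AD 201 so it is used only while the iBGP route is absent."""
    candidates = [("static", 0, "wireless", 201)]
    if ibgp_up:
        candidates.append(("ibgp", 0, "C", None))
    return best_route(candidates)[2]
```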


May 28, 2012  2:44 AM

How to use Administrative distance? – part 1

Sulaiman Syed

I’ll admit the title is slightly misleading. I will not elaborate on how to use AD for routing in general. What I will do is explain a scenario, then manipulate AD to get the desired routing outcome. In this first entry I will just show the scenario; the configurations and solution will follow later.

Figure 1

Figure 1 shows the network topology. One side is connected through a point-to-point wireless link; connectivity is established with a default static route at Router A and static routes at Router B. Router B redistributes the static routes into EIGRP, which is the enterprise routing protocol. Then we have Router A connected to Router C through the MPLS-VPN cloud, which means we have BGP running between Router A and Router C.

The MPLS-VPN is a newly installed fiber link, so the requirement is to make the traffic go through this link. In case of failure, the wireless link should be used.

The networks behind Router A, such as 192.168.1.0/24, are shown as “internal” in the enterprise network, which gives the route an AD of 90, while the routes redistributed into the enterprise from Router C are shown as “external” with an AD of 170.

The idea is to manipulate the AD to make the routers prefer the “external” routes over the “internal” routes without causing any kind of loop or sub-optimal routing.


May 18, 2012  4:24 AM

Different methods to advertise routes into OSPF

Sulaiman Syed

Advertising routes into protocols is one of the interesting topics. Most big enterprise networks have several routing domains, so dealing with these routes is an essential topic in the CCIE exams.

Although the topic is stated for OSPF, these methods can generally be applied to any routing protocol.

Network x.x.x.x

This is the basic way of advertising routes. This command enables the routing protocol on the interfaces that match the network statement (sending hellos, etc.) and advertises the networks of those interfaces to the other peers.

router ospf 1
network 10.0.0.1 0.0.0.0 area 0

Redistribute connected

This is another way of advertising routes into OSPF, without the network command. When done this way, the routes appear as external in the OSPF domain (or in EIGRP). The interfaces to be advertised can be controlled with route-maps. Let’s see an example of redistributing Loopback0 into OSPF.

route-map CON>OSPF permit 10
match interface Loopback0
!
router ospf 1
redistribute connected route-map CON>OSPF
!

area x range

Another method of advertising routes is the range command. This causes a summary to be advertised into an area; the summary hides the more specific routes that were used to originate it. For example, the loopback interface is advertised with the network command, then the range command hides the interface’s subnet mask and advertises the summary address instead. Note that area range only takes effect on an ABR, since it summarizes one area’s routes as they are advertised into the others.

int loopback 0
ip address 10.0.1.1 255.255.255.0
!
router ospf 1
network 10.0.1.1 0.0.0.0 area 1
area 1 range 10.0.1.0 255.255.255.0

Redistribute [protocol]

This is another way of advertising routes into OSPF; redistribute connected and redistribute static are just special cases of this method. A route can be originated in one routing domain and then redistributed into OSPF, which causes it to appear as an external route. In this example, RIP is being redistributed into OSPF.

router ospf 1
redistribute rip subnets

These methods and techniques cover the majority of the route advertising techniques that can be used with OSPF and any other routing protocol.


May 14, 2012  12:26 PM

The difference between Cisco Nexus 7000 M1, F1, and F2 line cards.

Sulaiman Syed

I wrote an article a few months ago covering the main differences between the F1 and M1 cards in the Cisco Nexus 7k platform. The main difference between the two is that the M1 cards do all the major Layer 3 features and operations, while the F1 card does the Layer 2 operations.

Recently, Cisco has introduced the F2 and M2 cards. The M2 cards give the data center the expansion to run 40G and 100G infrastructure. In this article, I look into the main differences between the F2 and F1 cards.

The F2 still provides all the built-in features of the F1 line card, and takes the operation further to provide better bandwidth. The F2 card currently gives wire-rate speed, which means that 48 ports populated with 10G links run in a non-blocking architecture. This was not possible in the older line cards; of course, it all became possible with the FAB-2 (fabric module 2).

One of the main advantages and upgrades is the ability to run Layer 3. The Cisco Nexus 7000 48-Port 1 and 10 Gigabit Ethernet F2-Series Module is able to deliver 720 million packets per second (Mpps) of distributed Layer 2 and Layer 3 forwarding and up to 480 Gbps of data throughput. But the F2 cards lack the ability to run OTV or MPLS.

All in all, if making a new purchase of a Nexus 7k, just buy the F2 cards. If there is a need for OTV or MPLS then you would need to get the M1 card. Otherwise, the F2 will suffice for all the data center networking needs.


May 9, 2012  6:45 AM

How bridging works in Cisco routers?

Sulaiman Syed

One of the Layer 2 technologies that a CCIE candidate can face is bridging. What bridging does is transform the router’s IP routing behavior into switch-like behavior.

The underlying commands are the same; they differ when using the different bridging modes on the router. There are three modes of bridging on Cisco routers: transparent, concurrent routing and bridging, and integrated routing and bridging.

Transparent Bridging

In this mode, the router behaves fully like a bridge (switch). It is no longer able to do any IP routing operations. This was the legacy mode before the newer modes were introduced. The syntax to run this mode is pretty simple.

no ip routing
!
! defining the STP protocol to be used for bridging.
bridge 1 protocol ieee
!
int fa0/0
ip address 1.1.1.1 255.255.255.0
bridge-group 1
!
int fa0/1
ip address 1.1.1.1 255.255.255.0
bridge-group 1

We can still maintain reachability to the router by assigning an IP address to the bridged interfaces. But remember, the router will never be part of the routing domain.

Transparent Bridging
Figure 1: transparent bridging

Concurrent routing and bridging

Transparent bridging has a major limitation: what if my router is connected to both a routed domain and a bridged domain? It will not work. The solution was the concurrent routing and bridging mode. In this mode, the router is logically divided into two domains: one part is the “ip routing” domain, running routing protocols and routed ports, while the second domain is the “bridge”. The syntax is:

bridge crb
ip routing
!
! defining the STP protocol to be used for bridging.
bridge 1 protocol ieee
!
int fa0/0
bridge-group 1
!
int fa0/1
bridge-group 1

Will the router be able to route traffic between the routed and bridged domains? No, it will not. For that, the next mode was introduced.

Concurrent Bridging

Figure 2: concurrent routing and bridging

Integrated routing and bridging

In this mode, we have both routing and bridging in one router, and we are still able to route traffic to and from the bridged domain.

The trick in this mode is to create a bridged virtual interface (BVI). This interface is used to route traffic to and from the bridged domain. Figure 3 shows the syntax.

bridge irb
ip routing
!
! defining the STP protocol to be used for bridging.
bridge 1 protocol ieee
! allow IP to be routed between bridge-group 1 and the routed domain via the BVI
bridge 1 route ip
!
int fa0/0
bridge-group 1
!
int fa0/1
bridge-group 1
!
! the bridged virtual interface carries the IP address of the bridged domain
! (example address)
interface BVI1
ip address 1.1.1.1 255.255.255.0

Integrated Bridging

Figure 3: Integrated routing and bridging

There are other variables that can be changed for bridging operations, but knowing the different modes, how they work, and their limitations is must-know information if you are preparing for the CCIE lab exam.


May 2, 2012  8:57 AM

CCIE Datacenter

Sulaiman Syed

Cisco has finally announced the CCIE Data Center track. The rumors had been out for almost a year. Well, the wait is over; people can start taking the exam :)

The track, in my opinion, is targeted at cloud services and cloud networking. Following the trend, services are getting converged, and the data center is becoming the connector for various sites.

The track covers data center networking, specifically the Nexus platform. The second section of the track covers storage networking, and the third part is virtualization. Further details can be found at https://learningnetwork.cisco.com/docs/DOC-13992

I see this as essential for data center networking engineers, especially if they want to work in, and evolve into, the newer technology: “the Cloud”.

I will end this entry with a great article on this topic: “With CCIE Data Center, can network engineers become data center gurus?”


February 21, 2012  2:38 PM

How to use route-target?

Sulaiman Syed

The main purpose of route targets is to provide connectivity between different MPLS-VPN networks. For example, take three enterprises, A, B, and C. A and B are major networks with their own MPLS-VPNs. Enterprise A needs to access some servers and resources in Enterprise C. The ISP uses route targets to provide partial connectivity between A and C for certain private address routes. Then Enterprise B buys Enterprise C, so they need full connectivity to C. This is all done using route targets.

The following example shows how to provide partial connectivity between Enterprise A and B. Let’s see how it works; the following is the configuration with a brief explanation.

!
ip vrf VPN_A
! organization A will usually have 100:1 as the route target
rd 100:1
export map RD
route-target export 100:1
route-target import 100:1
! in addition to our normal VPN_A routes, import anything carrying route target 100:66;
! organization B will set the value 100:66 on the routes it wants to share
route-target import 100:66
!
interface Loopback101
ip vrf forwarding VPN_A
ip address 172.16.5.5 255.255.255.0
!
ip prefix-list FILTER seq 10 permit 172.16.5.0/24
!
route-map RD permit 10
match ip address prefix-list FILTER
! set the route target extended community to 100:55, so routes matching the
! prefix list will not be advertised to the other VPN_A networks
set extcommunity rt 100:55
!
route-map RD permit 20
! default: all other networks carry route target 100:1
set extcommunity rt 100:1

Now on Router 2 (the other side of the cloud) we do the opposite: we import 100:55, and rewrite the route target value for certain routes to 100:66.

!
ip vrf VPN_B
rd 100:2
export map RD
route-target export 100:2
route-target import 100:2
route-target import 100:55
!
!
interface Loopback102
ip vrf forwarding VPN_B
ip address 192.168.6.6 255.255.255.0
!
ip prefix-list FILTER seq 10 permit 192.168.6.0/24
!
route-map RD permit 10
match ip address prefix-list FILTER
set extcommunity rt  100:66
!
route-map RD permit 20
set extcommunity rt  100:2

A diagram of such a network can be seen below.
MPLS-VPN with rd, Route target example

It really comes down to how well you can manipulate the route targets: setting them, importing and exporting them. Beware, and never forget to make sure that BGP is handling the extended community as it should (the VPNv4 neighbors must be configured with send-community extended); otherwise these routes will not be advertised anyway. Route targets are the critical elements that decide which routes are installed in which VRF routing table.
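As an added example (not code from the original post), the following Python model walks the export maps and import lists from the two PE configurations above and shows which prefixes each VRF ends up with. The VRF names, RT values and loopback prefixes are the post’s; the extra 10.1.0.0/24 and 10.2.0.0/24 prefixes are constructed to show routes that stay private to their own VPN.

```python
# Added example, not from the original post. Model of VRF export/import by
# route target (RT): an export map is walked in clause order, the first clause
# that matches sets the RT, and a clause without a match (permit 20) applies
# to everything else.
from ipaddress import ip_network

def export_routes(vrf, prefixes, export_map):
    """Return (vrf, prefix, rt) for each prefix, tagged by the export map.
    export_map: list of (exact prefix to match, or None for "any", rt)."""
    tagged = []
    for prefix in prefixes:
        for match, rt in export_map:
            if match is None or ip_network(prefix) == ip_network(match):
                tagged.append((vrf, prefix, rt))
                break  # first matching clause wins, as in a route-map
    return tagged

def imported_routes(import_rts, advertised):
    """Routes a VRF imports: every advertised route whose RT it imports."""
    return sorted(prefix for _vrf, prefix, rt in advertised if rt in import_rts)

def vrf_table(own_routes, import_rts, advertised):
    """Local VRF table on a PE: its own routes plus whatever it imports."""
    return sorted(set(own_routes) | set(imported_routes(import_rts, advertised)))

# Constructed routes: the loopbacks from the post plus one private prefix each
VPN_A_ROUTES = ["172.16.5.0/24", "10.1.0.0/24"]
VPN_B_ROUTES = ["192.168.6.0/24", "10.2.0.0/24"]
# Export maps as configured (route-map RD permit 10 / permit 20)
VPN_A_EXPORT = [("172.16.5.0/24", "100:55"), (None, "100:1")]
VPN_B_EXPORT = [("192.168.6.0/24", "100:66"), (None, "100:2")]
# route-target import lines from the two VRFs
VPN_A_IMPORT = {"100:1", "100:66"}
VPN_B_IMPORT = {"100:2", "100:55"}

def all_advertised():
    """Everything carried across the MPLS-VPN cloud by MP-BGP from both PEs."""
    return (export_routes("VPN_A", VPN_A_ROUTES, VPN_A_EXPORT)
            + export_routes("VPN_B", VPN_B_ROUTES, VPN_B_EXPORT))

def vpn_a_table():
    return vrf_table(VPN_A_ROUTES, VPN_A_IMPORT, all_advertised())

def vpn_b_table():
    return vrf_table(VPN_B_ROUTES, VPN_B_IMPORT, all_advertised())

def remote_vpn_a_site_sees():
    """A second VPN_A site importing only 100:1 and 100:66 never learns
    172.16.5.0/24, because it was exported with RT 100:55."""
    return imported_routes(VPN_A_IMPORT, all_advertised())
```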


February 16, 2012  12:03 AM

Moving from Explicit Proxy to Transparent Proxy – part 4

Sulaiman Syed

We have reached a finalized design to run a transparent proxy setup. The figure below shows the network diagram.

transparent proxy

This is the finalized design. I will go through the logical flow of traffic, since it might not be clear at first look. Traffic reaches the core network; from there it is routed to the PBR. The PBR process sends traffic on ports 80 and 443 to the load balancers, while the rest of the traffic is routed with the default policy. The load balancers distribute the traffic across the proxies using two or three virtual IPs.

The proxies will be installed in a one-leg (one-arm) setup, with the feature to reflect the client source IP. This is important for a fully transparent setup, so that private IPs can be NATed to a pool of public IPs (instead of one as right now).

Once that is done, the packet shaper will ensure a fair share of bandwidth by dividing the big pipe into 2 or 3 main segments that are shared based on source IPs (group-based shaping), plus a dynamic partition to give the IPs fair bandwidth (user-based shaping).

We have multiple firewalls and a VPN concentrator to provide the required security.


February 13, 2012  10:33 AM

How to configure VRF-lite?

Sulaiman Syed

VRF-lite is, as the name says, a light version of VRF. What is VRF? It is Virtual Routing and Forwarding: a logical way of segregating network traffic, mostly used with MPLS-VPN. So, let’s see what VRF-lite is.

According to Cisco, VRF is considered “lite” when used without MPLS. This means that creating interfaces and running routing protocols in VRFs without the use of MPLS makes it VRF-lite.

To configure VRF-lite, follow these steps:

  1. Define the VRF instance with ip vrf name
  2. Give it the appropriate rd value with rd nn:nn
  3. If using BGP, add route-target {export|import} nn:nn
  4. Add the interface to the VRF with the command ip vrf forwarding name
The above is the outline for creating VRF-lite; different routing protocols have different syntax and ways of being configured for their respective VRFs.

VRF-lite

For the simple router-to-router connection shown in the image, the following configuration can be used.
R1
ip vrf VPN_A
rd 100:1
!
ip vrf VPN_B
rd 100:2
!
interface FastEthernet0/0.67
encapsulation dot1Q 67
ip vrf forwarding VPN_A
ip address 155.1.67.6 255.255.255.0
!
interface FastEthernet0/0.76
encapsulation dot1Q 76
ip vrf forwarding VPN_B
ip address 155.1.76.6 255.255.255.0
!
ip route vrf VPN_A 172.16.7.0 255.255.255.0 155.1.67.7
ip route vrf VPN_B 192.168.7.0 255.255.255.0 155.1.76.7
R2
!
ip vrf VPN_A
rd 100:1
!
ip vrf VPN_B
rd 100:2
!
!
interface Loopback101
ip vrf forwarding VPN_A
ip address 172.16.7.7 255.255.255.0
!
interface Loopback102
ip vrf forwarding VPN_B
ip address 192.168.7.7 255.255.255.0
!
!
interface Vlan67
ip vrf forwarding VPN_A
ip address 155.1.67.7 255.255.255.0
!
interface Vlan76
ip vrf forwarding VPN_B
ip address 155.1.76.7 255.255.255.0
!
ip route vrf VPN_A 0.0.0.0 0.0.0.0 155.1.67.6
ip route vrf VPN_B 0.0.0.0 0.0.0.0 155.1.76.6
The configuration above creates the VRFs and adds static routes for the loopback interfaces. It is simple and straightforward. The above configuration can be used WITHOUT the rd command, although it is recommended to use it.

