The Journey of a Network Engineer


February 8, 2012  3:01 AM

Review of INE workbook I

Sulaiman Syed Profile: Sulaiman Syed

In the process of preparing for my CCIE certification, I had to select a training vendor to start with. I used the INE workbook for lab preparation.

The book covers almost every command you could possibly enter. If you read the documentation you will find that they managed to use every detail. I was surprised by the depth, but then again the CCIE is about doing one thing 3 different ways.

This is what I wish for:

    • More explanation. Yes, the book is detailed, but there are some points that were not explained and some other points that need more detail.
    • Fix the questions and answers. A few tasks were asked in a wrong or unclear manner. I found some solutions that were not right; in some cases, the question asked for one thing and the answer did something else.
I really advise people to use this workbook. It has almost everything you could think of and imagine. Of course, it only gives you the commands to use; how to use those commands is what the CCIE skill is about.

February 5, 2012  9:03 AM

BlueCoat Certified ProxySG Professional Exam

Sulaiman Syed Profile: Sulaiman Syed

I attended the Blue Coat ProxySG training for the Professional course. While I did learn a lot about the operation of the ProxySG, I learned even more about proxy operations in general: theory, forwarding and reverse proxy setups. It is intriguing how many things can be done with the ProxySG.

What I really applaud Blue Coat for is the caching in their ProxySG. Later I will write about, and show you, how the traffic changed within our enterprise once we started caching YouTube.

The exam was tough, not easy at all. Reading the course book did solidify much of the theory and information I already had, but when I started the test I realized how tough the exam is.

I'm glad the exam was open book; otherwise I'm very sure I would have failed it. It was a tough one to crack. My advice is: be ready! Read multiple times, understand everything, and highlight any details that you can't memorize and that you think are important.

Lastly, I would say: best of luck. :)


January 8, 2012  6:21 AM

BlueCoat Certified ProxySG administrator Course

Sulaiman Syed Profile: Sulaiman Syed

I recently passed the Blue Coat Certified ProxySG Administrator course. The exam could have been better; what I suggest to Blue Coat is:

  1. The questions should address the understanding of ProxySG functions.
  2. No questions about other Blue Coat products.
  3. More effort into the concepts and implementation of the ProxySG.
  4. Reduce the exam time; 4 hours is a lot.
The topics covered in this exam are:
-> Blue Coat Family of Products
-> Understanding Proxy Servers
-> ProxySG Deployment
-> ProxySG Licensing
-> ProxySG Initial Setup
-> ProxySG Management Console
-> Services
-> Hypertext Transfer Protocol
-> Policy Management
-> WebPulse
-> Authentication Introduction
-> Authentication using LDAP
-> Creating Notifications
-> Creating Exceptions
-> Access Logging
-> WAN Optimization Features
-> Service and Support
To anyone who is thinking of taking the exam, I would suggest that you read the materials at least once. Mark and highlight all the points that matter. The exam is open book, so finding the right information at the right time is important.


January 1, 2012  8:05 AM

Moving from Explicit Proxy to Transparent Proxy – part 3

Sulaiman Syed Profile: Sulaiman Syed

While we had an overall idea of the design direction, we identified other points that were integrated into the final design. The diagram below shows the almost finalized design.

Transparent Proxy Design 2

I would like to mention the hardware used in this design, as it could provide guidelines for other network engineers when it comes to transparent proxy for enterprise networks.

  1. PBR devices are Cisco Catalyst 6506-E with SUP720-3B and X6748 line cards.
  2. Proxies are Blue Coat ProxySG x5.
  3. PacketShapers are Blue Coat 0 x3.
  4. Core layer is Cisco Catalyst 6509 with SUP720-3B.
A more detailed logical diagram will be prepared with the traffic flow details.


December 27, 2011  1:11 AM

Moving from Explicit Proxy to Transparent Proxy – part 2

Sulaiman Syed Profile: Sulaiman Syed

If you have read the first part of this series, you will know that there is a major upgrade plan to move from explicit proxy to transparent proxy. One of the major objectives is that, during migration to the new network, there should be minimal downtime. But since we are going to reuse the same hardware, downtime can't be totally avoided. The current firewall is not able to handle the internet-bound traffic by itself.

Transparent proxy design

With that in mind, we have a few things to work out to finalize the network design:

  1. The IP addressing scheme throughout the network.
  2. The integration of the older firewall with the new firewall.
  3. The implementation of packet shaping for provisioning IP-based and group-based bandwidth.
  4. How the traffic will route from the PBR to the IR, passing through two firewall contexts.
  5. The integration of the new LB while keeping the proxy traffic/control plane segregated from the other traffic.

The diagram above shows a basic idea of the connectivity. I will go into the details of the hardware and logical connectivity in the next blog entry.


December 25, 2011  4:42 AM

Moving from Explicit Proxy to Transparent Proxy – part 1

Sulaiman Syed Profile: Sulaiman Syed

A proxy can be implemented in either explicit or transparent mode. The deployment of the proxy (its logical location in the network) can be either in-line (bridge) or out-of-line. Since we are planning to move from explicit mode to transparent mode, various changes are required on both the network and security levels. Let's review how the current network is set up.

  1. The default route is pointing toward the firewall.
  2. The firewall is part of the server farm VLAN (wrong design).
  3. The proxies are configured inline: one leg in the server farm, the other leg directly to the internet (wrong design).
  4. All internal IPs are translated to one IP (many to one).
  5. Since it is explicit, the returning traffic will always come back to the proxy.
The image below shows the setup and how simple the routing is for it. I have changed the IP addresses for security reasons.

Current Proxy Diagram

In the second part, I will go into the details of our target design and how we want our traffic to flow.


December 24, 2011  12:18 AM

How to configure ProxySG to cache youtube video?

Sulaiman Syed Profile: Sulaiman Syed

Many medium to big organizations use the ProxySG to filter and control the traffic leaving the enterprise network. One of the big strengths of the Blue Coat ProxySG is its cache; it is one of the best caching devices on the market.

As we all know, YouTube can be considered one of the main web applications that eat up bandwidth. The content is very dynamic and the URLs are ever changing. One of the main issues with YouTube videos is that they are served from various mirroring sites, so the ProxySG can't cache the videos by default since the URLs differ for the same data. I came across a policy that can be added to the ProxySG to enable YouTube caching:

<Proxy "YouTube specific caching rewrite"> condition=youtube_related_request
condition=youtube_seek_video_requests ; leave seek requests alone, not caching
condition=youtube_video_request_style1 url.query.regex="itag=34" action.rename_youtubeSD(yes)
condition=youtube_video_request_style2 url.query.regex="itag=34" action.rename_youtube_style2SD(yes)
condition=youtube_video_request_style1 action.rename_youtube(yes)
condition=youtube_video_request_style2 action.rename_youtube_style2(yes)
condition=youtube_host_patterns condition=youtube_video_requests action.rename_youtube_url_hostname(yes)
<Cache "video content">

; YOUTUBE & GOOGLEVIDEO – 10 days
[rule]
condition=youtube_seek_video_requests cache(no)
condition=youtube_video_requests ttl(864000) force_cache(all)

; YOUTUBE DEFINITIONS
;
define condition youtube_related_request
request.header.Referer.exists=yes condition=youtube_referer_present
condition=youtube_host_patterns
end

define condition youtube_host_patterns
url.host.substring="youtube"
url.host.substring="googlevideo"
url.host.is_numeric=yes url.address=youtube_subnets
end

define subnet youtube_subnets
;; these can be fairly broadly drawn, since appearance in here
;; alone does not itself force youtubeization; the request also
;; has to be relatively youtube specific.
;; IE this is an optimization, not a pure correctness filter
; observed in eval logs Mar2010

74.125.0.0/16    ; GOOGLE NET-74-125-0-0-1
173.194.0.0/16   ; GOOGLE NET-173-194-0-0-1
;204.246.234.23/24 ; used by cache but assigned to frontiernet.net
;youtube_ARIN_IPs
;IPv4 CIDR:
208.65.152.0/22  ; YOUTUBE
64.15.112.0/20   ; YOUTUBE2
208.117.224.0/19 ; YOUTUBE3
72.51.34.221/32
72.51.34.222/31
72.51.34.224/29
72.51.34.232/30
72.51.34.236/32
72.51.35.205/32
72.51.35.206/31
72.51.35.208/30
72.51.35.212/32
; 75.35.233.64/29   ; now sbcglobal
; 75.31.180.240/29  ; now sbcglobal
76.210.160.216/29
76.208.211.160/29
; 75.48.116.72/29   ; now sbcglobal
75.55.218.8/29
;IPv6 CIDR:
;2620:0000:0040:0000:0000:0000:0000:0000/48
;
;youtube_RIPE_IPs
;IPv4 CIDR:
194.221.68.0/24
195.27.182.0/24
195.59.171.0/24
213.146.171.0/24
82.129.37.0/24     ; YOUTUBE-EUROPE
89.207.225.0/24
209.85.128.0/17    ; Seen at Mobily
end

define condition youtube_referer_present
request.header.Referer.url.substring="ytimg"
request.header.Referer.url.substring="youtube"
request.header.Referer.url.substring="video.google.com"
end

define condition youtube_video_request_style1
url.path.exact="/get_video" url.query.regex="video_id="
end

define condition youtube_video_request_style2
url.path.exact="/videoplayback" url.query.regex="id="
end

define condition youtube_video_requests
condition=youtube_video_request_style1
condition=youtube_video_request_style2
end

define condition youtube_seek_video_requests
url.path.exact="/videoplayback" url.query.regex="begin=[1-9]"
url.path.exact="/get_video" url.query.regex="begin=[1-9]"
end

define action rename_youtube
;--NOTE the following is one line (approximately 120 characters long)
rewrite(url, "(.+)video_id=([^&]+)(\&.*|$)", "http://youtube.proxysg-cache/get_video/$(2)", cache)
end

define action rename_youtube_style2
;--NOTE the following is one line (approximately 120 characters long)
rewrite(url, "(.+)id=([^&]+)(\&.*|$)", "http://youtube.proxysg-cache/get_video_style2/$(2)", cache)
end

define action rename_youtubeSD
;--NOTE the following is one line (approximately 120 characters long)
rewrite(url, "(.+)video_id=([^&]+)(\&.*|$)", "http://youtube.proxysg-cache/get_video/$(2)_SD", cache)
end

define action rename_youtube_style2SD
;--NOTE the following is one line (approximately 120 characters long)
rewrite(url, "(.+)id=([^&]+)(\&.*|$)", "http://youtube.proxysg-cache/get_video_style2/$(2)_SD", cache)
end

define action rename_youtube_url_hostname
rewrite(url.host, ".*", "youtube.proxysg-cache", cache)
end

This policy was not written by me, but of course it can be used by any ProxySG administrator. Just copy and paste it into the local policy file. Note that the subnet list is dated (its own comments say "observed in eval logs Mar2010"), so verify it against current address allocations before relying on it.
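To see what the policy actually does to a request before loading it on a proxy, here is an added Python model of the rewrite and cache rules quoted above. It is not the blog's or Blue Coat's code. It assumes hostname-based matching only (the url.address=youtube_subnets branch for numeric hosts is left out), that the <Cache> layer is evaluated against the original request URL, and first-match rule semantics within a layer (under which the final host-rename rule is shadowed by the four rewrite rules above it and so is omitted). The sample URLs are constructed, not captured traffic.

```python
import re
from urllib.parse import urlsplit

# Added example, not the blog's or Blue Coat's code: a Python model of the
# CPL quoted above, so the cache-key behaviour of the rewrite rules can be
# checked offline. Assumptions: hostname matching only (the
# url.address=youtube_subnets branch is not modelled), the <Cache> layer is
# evaluated on the original request URL, and rules in a layer are
# first-match, so the shadowed host-rename rule is omitted.

CACHE_HOST = "youtube.proxysg-cache"   # hostname used by the rewrite actions
VIDEO_TTL = 864000                     # ttl(864000) in <Cache "video content">: 10 days

# The rewrite regexes exactly as they appear in the define action blocks
STYLE1_RE = re.compile(r"(.+)video_id=([^&]+)(\&.*|$)")
STYLE2_RE = re.compile(r"(.+)id=([^&]+)(\&.*|$)")


def _host_pattern(host):
    # define condition youtube_host_patterns (substring tests)
    return "youtube" in host or "googlevideo" in host


def _referer_present(referer):
    # define condition youtube_referer_present
    return referer is not None and any(
        s in referer for s in ("ytimg", "youtube", "video.google.com"))


def _style1(path, query):
    return path == "/get_video" and re.search(r"video_id=", query) is not None


def _style2(path, query):
    return path == "/videoplayback" and re.search(r"id=", query) is not None


def _seek(path, query):
    return (path in ("/videoplayback", "/get_video")
            and re.search(r"begin=[1-9]", query) is not None)


def youtube_policy(url, referer=None):
    """Apply the <Proxy> and <Cache> layers to one request.

    Returns (forwarded_url, ttl): ttl is VIDEO_TTL when the request is
    force-cached, 0 for seek requests (cache(no)), and None when the
    policy leaves the cache decision alone."""
    parts = urlsplit(url)
    host, path, query = parts.hostname or "", parts.path, parts.query
    related = _host_pattern(host) or _referer_present(referer)
    style1, style2, seek = _style1(path, query), _style2(path, query), _seek(path, query)
    suffix = "_SD" if re.search(r"itag=34", query) else ""

    forwarded = url
    if related and not seek:   # the seek rule matches first and carries no action
        if style1:
            forwarded = STYLE1_RE.sub(f"http://{CACHE_HOST}/get_video/\\g<2>{suffix}", url, count=1)
        elif style2:
            forwarded = STYLE2_RE.sub(f"http://{CACHE_HOST}/get_video_style2/\\g<2>{suffix}", url, count=1)

    # <Cache "video content"> has no youtube_related_request guard
    if seek:
        ttl = 0
    elif style1 or style2:
        ttl = VIDEO_TTL
    else:
        ttl = None
    return forwarded, ttl


if __name__ == "__main__":
    # Constructed sample URLs, not captured traffic
    for u in ("http://v12.lscache3.c.youtube.com/videoplayback?id=abc123&itag=34&ip=1.2.3.4&expire=1",
              "http://o-o.preferred.example.googlevideo.com/videoplayback?id=abc123&itag=34&ip=5.6.7.8&sver=3",
              "http://v12.lscache3.c.youtube.com/videoplayback?id=abc123&itag=34&begin=12000"):
        print(u, "->", youtube_policy(u))
```

Two requests for the same video id from different mirror hosts, with different ip/expire parameters, collapse to the same http://youtube.proxysg-cache/... key, which is the whole point of the rewrite; a seek request (begin=...) is forwarded untouched and marked not cacheable. One thing worth noticing: because the <Cache> layer carries no youtube_related_request guard, the 10-day TTL is forced on any /get_video?video_id= request whatever the host, even when the <Proxy> layer did not rewrite it.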


December 14, 2011  12:26 AM

How to configure per-vlan QoS in Cisco 3550 and 3560

Sulaiman Syed Profile: Sulaiman Syed

You might think that configuring QoS on Cisco switches follows the same syntax everywhere. That is what I thought until I started studying for the CCIE. Let's see one major difference in how policing is implemented on these two platforms.

Cisco Catalyst 3550

I find the configuration of the 3550 rather easier. First, enable QoS. Second, when classifying traffic (you will of course use MQC), match the VLAN ID in the class map. Then you just police that traffic however you want. Let's see a configuration for that.

mls qos
!
class-map HTTP_VLAN_10
match vlan 10
match protocol http
!
policy-map HIGH_BANDWIDTH
class HTTP_VLAN_10
set dscp af11
police 12800 1600 exceed-action drop
!
interface fastethernet 0/1
service-policy input HIGH_BANDWIDTH

That is straightforward and should be done easily without much confusion, since that approach is what is used on most routers.

Cisco Catalyst 3560

Here we have a rather different way of doing the same task. First, enable mls qos. Second, match the interesting traffic. Third, enable VLAN-based QoS on the interface. Fourth, mark the traffic in the parent policy. Fifth, police the rate in the nested policy. Lastly, apply it to the VLAN interface.

mls qos
!
interface fa0/2
mls qos vlan-based
!
class-map INT
match input-interface fa0/2
!
policy-map NESTED_POLICE
class INT
police 12800 1600 exceed-action drop
!
class-map HTTP
match protocol http
!
policy-map PARENT_MARK
class HTTP
set dscp af11
service-policy NESTED_POLICE
!
interface vlan 10
service-policy input PARENT_MARK

Please note that you can't mark and police the traffic in the same policy, hence the parent policy for marking and the nested policy for rate policing. We have to enable VLAN-based QoS on the interfaces that we want to participate in policing the VLAN traffic, since a direct match on the VLAN can't be made. Lastly, the service-policy is applied to the VLAN interface and not the physical interface.


December 12, 2011  3:56 AM

CCIE RS INE Topology in GNS3

Sulaiman Syed Profile: Sulaiman Syed



December 9, 2011  1:33 AM

How to traffic shape Frame-Relay? – part 2

Sulaiman Syed Profile: Sulaiman Syed

In How to traffic shape Frame-Relay? part 1, I mentioned four types of QoS mechanism that can be applied to a Frame-Relay interface. Let's have a look at the other two methods that can be used with Frame-Relay networks.

MQC Frame-Relay Traffic shaping

Here we see the effort put into introducing the MQC style for traffic shaping, but with this method you nest the MQC policy into a map-class. Yes, it doesn't look pretty and seems slightly confusing, but let's have an example; this will ease our understanding of the topic.

policy-map CBWFQ
class VOICE
priority 64
class class-default
fair-queue
!
policy-map SHAPE
class class-default
shape average 256000 2560 0
shape adaptive 128000
service-policy CBWFQ
!
map-class frame-relay TEST_DLCI
service-policy output SHAPE
!
interface Serial 0/0.1
frame-relay interface-dlci 101
class TEST_DLCI

This example is lengthy, but it is still straightforward: we defined shaping in MQC style, then implemented that in a map-class; lastly, this map-class was configured under the interface-dlci.

Class Based Generic Traffic Shaping

This is the last of the four methods that can be used for FRTS. It is similar to legacy GTS; in this one, you have the advantage of matching a class based on the Frame-Relay DLCI. Let's see an example that should show us the details.

class-map DLCI
match fr-dlci 123
!
policy-map SHAPE_123
class DLCI
shape average 256000
!
interface s0/1
service-policy output SHAPE_123

One of the main issues with this method is that adaptive shaping can't be used, nor can voice-adaptive fragmentation.

All four methods have their advantages and disadvantages, from the simplest to the more complicated ones. The situation and requirements will be the deciding factor on which method to use for FRTS.
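The police and shape commands in the QoS post above (police 12800 1600 exceed-action drop) and in this Frame-Relay post (shape average 256000 2560 0) are both token buckets, but one drops and the other delays. The following added Python model, which is not from the blog or from Cisco, shows what those numbers mean by running constructed packet streams through each. It assumes ideal buckets with continuous refill, ignores platform rounding of rates and bursts, and does not model adaptive (BECN) shaping; the handling of packets larger than Bc is a modelling assumption.

```python
# Added example, not the blog's code: an ideal token-bucket model of the two
# MQC actions used in the QoS and Frame-Relay posts, "police <bps> <bytes>
# exceed-action drop" and "shape average <cir> <bc>" (Be = 0). Assumptions:
# continuous refill, no platform rounding of rates or bursts, and no
# adaptive (BECN) shaping.


def police(packets, rate_bps, burst_bytes):
    """Single-rate policer. packets: [(arrival_s, size_bytes), ...] in
    arrival order. Returns "conform" or "exceed" per packet; exceeding
    packets are dropped and do not consume tokens."""
    rate = rate_bps / 8.0          # refill rate in bytes per second
    tokens = float(burst_bytes)    # the bucket starts full
    last = 0.0
    verdicts = []
    for arrival, size in packets:
        tokens = min(float(burst_bytes), tokens + (arrival - last) * rate)
        last = arrival
        if size <= tokens:
            tokens -= size
            verdicts.append("conform")
        else:
            verdicts.append("exceed")
    return verdicts


def shape(packets, cir_bps, bc_bits):
    """Shaper with Be = 0. Excess packets are queued FIFO and released as
    credit accumulates, never dropped. Returns the departure time of each
    packet. A packet larger than Bc is released once the shortfall has
    been earned at CIR (modelling assumption for oversize packets)."""
    rate = cir_bps / 8.0           # bytes per second
    depth = bc_bits / 8.0          # Bc in bytes
    tokens = depth
    last = 0.0
    next_free = 0.0                # FIFO: nothing leaves before the packet ahead
    departures = []
    for arrival, size in packets:
        t = max(arrival, next_free)
        tokens = min(depth, tokens + (t - last) * rate)
        if size > tokens:
            t += (size - tokens) / rate   # wait for the shortfall to refill
            tokens = float(size)
        tokens -= size
        last = next_free = t
        departures.append(t)
    return departures


def shaping_interval_ms(cir_bps, bc_bits):
    """Tc = Bc / CIR: shape average 256000 2560 gives a 10 ms interval."""
    return bc_bits / cir_bps * 1000.0


if __name__ == "__main__":
    # Constructed packet streams, not captured traffic
    print(police([(0.0, 1000), (0.1, 1000), (1.0, 1000)], 12800, 1600))
    print(shape([(0.0, 1500)] * 5, 256000, 2560))
    print(shaping_interval_ms(256000, 2560))
```

With police 12800 1600, the bucket holds 1600 bytes and refills at 1600 bytes per second, so a 1000-byte packet at t=0 conforms, a second one 100 ms later exceeds and is dropped, and a third at t=1 s conforms again. With shape average 256000 2560, Bc is 320 bytes and Tc is 10 ms; five 1500-byte packets arriving together are all sent, spaced 46.875 ms apart (1500 bytes at 32000 bytes/s) after the first one, which is exactly the queueing delay that shaping trades for the policer's drops.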


