Monday, December 24, 2007

Calculating Frame-Relay map-class parameters

Have you struggled to understand what seems like black magic behind the calculation of the parameters of a frame-relay map-class? Well, I did for a long time. Frame-relay is one of those technologies that isn't going to disappear anytime soon, so if you are a consultant you will find yourself implementing QoS over frame-relay.
Now, Cisco provides several ways of doing QoS over Frame-Relay, but here I'm going to cover the map-class and its basic parameters.

Tuesday, December 11, 2007

Using QoS and NBAR: Example 1

We have all seen QoS in our networking lives, and from the deployment perspective many network administrators complain that it is a technology too complex to use. The truth is that QoS can be as simple as you want, and as complex as you don't want.

Now, let's start by saying that QoS is not a protocol but a concept. Quality of Service is a concept that has been applied through various methods from Layer 2 to Layer 7.

Sunday, December 9, 2007

Broadcast, Unicast and Multicast Storm Control on Cisco Switches

Note: I will cover this topic from the LAN perspective. Some of these concepts may not be recommended for carriers (at least not in this way).

Broadcast storms are still a big issue in today's networks. Sometimes these broadcast storms come from a virus; other times they come from a misconfigured network device (or the Layer 2 loop it creates).

Wednesday, December 5, 2007

Using Cisco's Integrated TDR

Did you know most Cisco switches with 10/100/1000 RJ45 ports have TDR capabilities? Yes, it is true.

At the time of this writing it is my understanding that this feature is not supported on any 10/100 ports or SFP module ports.

Cisco's UniDirectional Link Detection (UDLD) Feature

One of the most frustrating outages is caused by a bad link that carries traffic in only one direction. At the campus, enterprise and carrier level these are just a nightmare.

Imagine you have redundant paths, but since the device is still receiving traffic and the link stays up, the fail-over never happens. Then your boss or customer comes to you complaining that the redundancy does not work! Well, there is a solution which won't cost you anything (if you already have the Cisco devices).
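As an added illustration (not code from the original post, and not Cisco's implementation), the following Python model shows the echo mechanism UDLD relies on: each end of the link sends hellos carrying its own identity plus the identities it has heard, and a port only trusts the link when the neighbour echoes the port's own identity back. The device and port names, the number of hello rounds and the neighbour timeout are toy values chosen for the model, not UDLD defaults.

```python
"""Toy model of UDLD's echo check (added example; not Cisco's implementation).

Timers are counted in hello rounds instead of seconds, and the neighbour timeout
(MAX_MISSED) is a toy value, not a UDLD default.
"""

MAX_MISSED = 3   # hello rounds without a hello before the neighbour is declared gone


class Port:
    """One end of a point-to-point link running UDLD."""

    def __init__(self, device, name):
        self.id = (device, name)
        self.heard = set()            # neighbour ids seen in received hellos
        self.state = "undetermined"   # undetermined | bidirectional | unidirectional
        self.missed = 0
        self.lost_neighbour = False

    def hello(self):
        """What this port transmits: its identity and who it currently hears."""
        return {"from": self.id, "echo": set(self.heard)}

    def receive(self, msg):
        """A hello arrived: the link is bidirectional only if the neighbour hears us too."""
        self.missed = 0
        self.heard.add(msg["from"])
        self.state = "bidirectional" if self.id in msg["echo"] else "unidirectional"

    def timeout(self):
        """No hello this round; after MAX_MISSED rounds the neighbour is forgotten."""
        self.missed += 1
        if self.missed >= MAX_MISSED and self.heard:
            self.heard.clear()
            self.lost_neighbour = True
            self.state = "undetermined"   # could be a dead link or a one-way failure


def exchange(a, b, a_to_b=True, b_to_a=True, rounds=3):
    """Run hello rounds over the link; a False direction models a broken fibre strand."""
    for _ in range(rounds):
        hello_a, hello_b = a.hello(), b.hello()
        b.receive(hello_a) if a_to_b else b.timeout()
        a.receive(hello_b) if b_to_a else a.timeout()
    return a.state, b.state


def errdisable(port, aggressive=False):
    """Simplified decision: a port whose own id is missing from the neighbour's echo is
    shut in both modes; a port that merely lost its neighbour is shut only in aggressive mode."""
    if port.state == "unidirectional":
        return True
    return aggressive and port.state == "undetermined" and port.lost_neighbour


def scenario():
    """Healthy link, then the strand from A to B breaks: A keeps receiving, B hears nothing."""
    a, b = Port("core-1", "Gi1/0/1"), Port("dist-1", "Gi1/0/49")
    healthy = exchange(a, b)
    broken = exchange(a, b, a_to_b=False, rounds=MAX_MISSED + 1)
    return {"healthy": healthy, "broken": broken,
            "a_shut_normal": errdisable(a), "b_shut_normal": errdisable(b),
            "b_shut_aggressive": errdisable(b, aggressive=True)}


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

In the model it is A, the side that still receives everything, that detects the failure: once B forgets A it stops echoing A's identity, and A's next hello check fails. B itself only knows that its neighbour went quiet, which is why normal mode leaves B alone and aggressive mode shuts it after the retries. Either way the bad link is removed and spanning-tree can finally fail over.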

Monday, December 3, 2007

Fine Tuning Spanning-Tree Protocol

Let's say you have received your new switches and you want to configure the spanning-tree parameters according to their final role. You will have core, aggregation and access switches.

As mentioned before, I personally like rapid-pvst as a minimum, so I will start with it, even though the rest of the parameters do not depend on rapid-pvst.

Optimizing Layer2 Switching Environments (Part 2): Spanning-Tree Management

Spanning-Tree Protocols

In Part 1 we saw how a simple tweak of the MAC address aging timer could improve the perceived uptime of a large switched environment. In this Part 2 we will consider selecting an alternate spanning-tree protocol for the network.

Cisco supports the following spanning-tree protocols:
  • pvst+: Per-VLAN Spanning Tree, which runs one IEEE 802.1D instance per VLAN with some Cisco proprietary extensions.
  • rapid pvst+: the same as pvst+ but using IEEE 802.1w for convergence. In plain English, on a topology change it immediately flushes the dynamically learned MAC addresses on the affected ports instead of waiting for them to age out, and it quickly transitions root ports and designated ports to the forwarding state instead of walking them through listening and learning.
  • MSTP: Multiple Spanning Tree Protocol, IEEE 802.1s (also called MISTP, Multiple Instance Spanning Tree Protocol, after Cisco's pre-standard implementation, but that is not the correct term for the standard). It is built on the 802.1w rapid convergence mechanism, but instead of one STP instance per VLAN, MSTP lets you map multiple VLANs to a single STP instance.

The default spanning-tree protocol on Cisco switches is pvst+.

Sunday, December 2, 2007

Optimizing Layer2 Switching Environments (Part 1): Spanning-Tree Management

MAC Address Aging
For the stability of a Layer 2 switched environment it is important to tune certain parameters. This Part 1 covers the MAC address aging timer. A switch will operate in its default "out-of-the-box" configuration, but that will not give you the expected benefits and performance.

Let's say you have a fully redundant switched configuration, but you notice that when a link failure occurs some devices take far too long to regain connectivity while others barely notice the failure. What might be the reason?

The default aging time for dynamically learned MAC addresses on a switch is 5 minutes (300 seconds). In a fully switched environment, a spanning-tree reconfiguration can leave certain devices unreachable for up to 5 minutes: the switch keeps forwarding frames for them toward the old, now dead, path until the stale entry ages out or the device sends a frame and is relearned. (A topology change notification shortens the aging time to the forward-delay timer, 15 seconds by default, on the switches that receive it; devices behind a path change that STP did not signal, such as a change on a PortFast port or a server NIC-team failover, keep the full 300 seconds.)
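To see where the 5 minutes come from, here is an added model (not code from the original posts) of a switch's MAC table after a path change. It follows one quiet host whose MAC was learned on the uplink that fails and reports how long the switch keeps sending that host's frames down the dead path under three behaviours: no topology change notification reaching the switch, an 802.1D notification that drops aging to the forward-delay timer, and the flush that 802.1w / rapid-pvst performs (the behaviour described in Part 2). The port name, MAC address and timestamps are made up.

```python
"""Added model of MAC address aging after a path change (not code from the original posts).

One quiet host, learned on an uplink that then fails.  The switch keeps forwarding the
host's frames to the dead uplink until the entry expires or the host speaks again.
Port name, MAC address and timestamps are made up.
"""

DEFAULT_AGING = 300   # seconds; Cisco default for dynamically learned entries
FORWARD_DELAY = 15    # seconds; 802.1D default, and the aging time used after a TCN


class MacTable:
    def __init__(self, aging=DEFAULT_AGING):
        self.aging = aging
        self.entries = {}   # mac -> (port, time the entry was last refreshed)

    def learn(self, mac, port, now):
        self.entries[mac] = (port, now)

    def flush(self):
        """802.1w / rapid-pvst: dynamic entries are dropped on a topology change."""
        self.entries.clear()

    def lookup(self, mac, now, short_aging=None):
        """Port a frame for `mac` leaves on, or None when the switch must flood it."""
        entry = self.entries.get(mac)
        if entry is None:
            return None
        limit = self.aging if short_aging is None else min(self.aging, short_aging)
        port, refreshed = entry
        if now - refreshed >= limit:
            del self.entries[mac]     # aged out
            return None
        return port


def unreachable_seconds(mode, aging=DEFAULT_AGING):
    """Seconds the host is black-holed after the uplink failure at t=100.

    mode: "none" - no topology change notification reaches this switch
          "tcn"  - 802.1D: aging shortened to FORWARD_DELAY after the notification
          "rstp" - 802.1w / rapid-pvst: dynamic entries flushed on the topology change
    """
    host = "0011.2233.4455"
    old_uplink = "Gi1/0/49"
    last_frame_from_host, failure = 90, 100
    table = MacTable(aging)
    table.learn(host, old_uplink, last_frame_from_host)
    if mode == "rstp":
        table.flush()
    short = FORWARD_DELAY if mode == "tcn" else None
    lost, now = 0, failure
    while table.lookup(host, now, short_aging=short) == old_uplink:
        lost += 1     # this second's frame for the host went out the dead uplink
        now += 1
    return lost       # once lookup() returns None the frame is flooded and reaches the host


if __name__ == "__main__":
    for mode in ("none", "tcn", "rstp"):
        print(f"{mode:5s} default aging: {unreachable_seconds(mode):3d}s")
    print(f"none  aging 60s:      {unreachable_seconds('none', aging=60):3d}s")
```

Lowering the aging time per VLAN (`mac address-table aging-time <seconds> vlan <id>` on IOS) shrinks the worst case at the cost of more flooding, while moving to rapid-pvst removes it entirely for the changes spanning-tree actually sees.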

Saturday, December 1, 2007

Starting with IPv6 on Cisco Routers

Well, for years we have been hearing many voices shouting "IPv4 is ending!!!" or "We are gonna run out of IPs next year or year ____", whatever the prediction of that year was.
For the first time, this year, I do believe in their prediction. It has been predicted that by 2010 - 2012 we are going to run out of IPs. Actually, there is a very interesting "count down" at the Take a look at it. At the time of this writing the counter says we have 1357 Days, 00 Hours, 57 Minutes, 27 Seconds to dooms-day. (Well, not in those words.)

2008 is the year when the DoD expects to move all of its infrastructure to pure IPv6, and it is pushing all of its subcontractors to do the same. This will be a very good incentive for the further development of IPv6.

Configuring 802.1x authentication on Cisco's devices

This is a quite simple task. The main issue I've seen with it is that it mainly works with Windows. I use a mixed environment, and in all my deployments I make sure the solutions I deploy are supported no matter the platform or device.

Anyway, this is a requirement that you might find in financial institutions or other environments where authentication of the end devices is required.

I won't be covering how to set up the end device, since it is different for each platform. The only comment I can make on that is that in Windows you must go to your interface settings and activate 802.1x authentication. Then you have to decide whether you want device authentication, user authentication or user+device authentication. But again, I'm not covering that here.

Friday, November 30, 2007

Using Cisco's timed access-list (Part2)

Well, in Part1 we saw how easy it was to create a timed access-list. Now, let's say you want to apply that access-list today, but your company's web browsing policy starts on January 1st, 2008.

I'm sure you do not plan to see in the new year at your office. So let's resolve this issue with an absolute time-range:

time-range ActivateNewPolicy
absolute start 0:00 1 Jan 2008

We had this:

ip access-list extended ControlWeb
10 permit tcp any any eq www time-range WebTime
! Entry 20 is matched whenever WebTime is out of range
20 deny tcp any any eq www
! Permit anything else
30 permit ip any any

Using Cisco's timed access-list (Part1)

Timed access-lists are somewhat "nice", but I still haven't used them in a production network.

The initial reaction of people is "let's do some timed access-lists", but then, when reality comes, they get scared. The truth is that many times people want some features and capabilities and they get them. But then, when they find out it is going to cost them some more administrative overhead, they go away.

Well, the concept is quite simple. You have a network element which you want to control based on day, time, month, etc. Cisco's timed access-lists let you do that.

Using Cisco's reflexive access-lists

Reflexive access-lists are Cisco's answer to the security people who objected to access-lists that rely on the "established" option. An entry with established matches any TCP segment that has the ACK or RST bit set, so it cannot tell a genuine reply from a forged packet; a reflexive access-list permits only the return traffic of sessions it has actually seen leave the router.

For example, let's say we have the following scenario:

Let's say I have "Serial 0/0" as my T1 to the Internet and I want to block all access to my LAN except WWW to my web server. (The access-list can be applied to the LAN interface or the WAN interface; in this case I'm using the WAN.)
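The following Python model is an added example, not code from the original posts and not Cisco's implementation. It serves both the timed access-list posts above and this reflexive scenario: a toy ACL evaluator that understands time-range entries, the established keyword and reflect/evaluate pairs, then runs the ControlWeb list and two versions of the Serial 0/0 inbound filter through it. The addresses, ports, the web server address 203.0.113.10, the session name TCPTRAFFIC and the contents of the WebTime time-range (weekday lunch hour, active from 1 January 2008) are all assumptions.

```python
"""Added toy model of three IOS access-list features (not Cisco code): time-range
entries, the 'established' keyword and reflexive ('reflect' / 'evaluate') entries.

Entries are checked top-down, first match wins, implicit deny at the end.  Reflexive
state is a set of expected return 5-tuples shared by the outbound ACL that records
them and the inbound ACL that consumes them.  Addresses, ports and the contents of the
WebTime time-range are assumptions.
"""
from datetime import datetime


def time_range_active(tr, now):
    """tr mirrors an IOS time-range: optional absolute start, optional periodic window."""
    if now < tr.get("absolute_start", datetime.min):
        return False
    if "periodic" in tr:
        days, start, end = tr["periodic"]        # weekday numbers, "HH:MM" strings
        return now.weekday() in days and start <= now.strftime("%H:%M") < end
    return True


def packet(proto, src, sport, dst, dport, flags=()):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": set(flags)}


def mirror(pkt):
    """5-tuple the reply to pkt will carry: what a reflexive entry waits for."""
    return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


class Acl:
    def __init__(self, entries, time_ranges=None, sessions=None):
        self.entries = entries
        self.time_ranges = time_ranges or {}
        self.sessions = {} if sessions is None else sessions

    def matches(self, ace, pkt, now):
        if ace["proto"] not in ("ip", pkt["proto"]):
            return False
        if ace.get("dst", "any") not in ("any", pkt["dst"]):
            return False
        if ace.get("dport") not in (None, pkt["dport"]):
            return False
        # 'established' only looks at flag bits, so a forged segment with ACK set matches
        if ace.get("established") and not pkt["flags"] & {"ACK", "RST"}:
            return False
        # 'evaluate' needs a session that an earlier outbound 'reflect' entry recorded
        if ace.get("evaluate"):
            key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            if key not in self.sessions.get(ace["evaluate"], set()):
                return False
        name = ace.get("time_range")
        return not name or time_range_active(self.time_ranges[name], now)

    def check(self, pkt, now=None):
        now = now or datetime.now()
        for ace in self.entries:
            if self.matches(ace, pkt, now):
                if ace["action"] == "permit" and ace.get("reflect"):
                    self.sessions.setdefault(ace["reflect"], set()).add(mirror(pkt))
                return ace["action"]
        return "deny"            # implicit deny at the end of every IOS ACL


# --- Timed ACL posts: ControlWeb with an assumed WebTime (weekday lunch hour, from 2008) ---
TIME_RANGES = {"WebTime": {"absolute_start": datetime(2008, 1, 1, 0, 0),
                           "periodic": ({0, 1, 2, 3, 4}, "12:00", "13:00")}}
CONTROL_WEB = Acl([
    {"action": "permit", "proto": "tcp", "dport": 80, "time_range": "WebTime"},  # 10
    {"action": "deny",   "proto": "tcp", "dport": 80},                            # 20
    {"action": "permit", "proto": "ip"},                                          # 30
], TIME_RANGES)


def web_browsing(when, dport=80):
    """when = (year, month, day, hour, minute); a LAN host opening a TCP session outbound."""
    pkt = packet("tcp", "10.1.1.5", 40000, "198.51.100.20", dport, {"SYN"})
    return CONTROL_WEB.check(pkt, datetime(*when))


# --- Reflexive ACL post: WAN interface, only WWW to the web server from outside ---
WEB_SERVER = "203.0.113.10"
_sessions = {}
OUTBOUND = Acl([{"action": "permit", "proto": "tcp", "reflect": "TCPTRAFFIC"}], sessions=_sessions)
INBOUND_ESTABLISHED = Acl([
    {"action": "permit", "proto": "tcp", "dst": WEB_SERVER, "dport": 80},
    {"action": "permit", "proto": "tcp", "established": True},
])
INBOUND_REFLEXIVE = Acl([
    {"action": "permit", "proto": "tcp", "dst": WEB_SERVER, "dport": 80},
    {"action": "permit", "proto": "tcp", "evaluate": "TCPTRAFFIC"},
], sessions=_sessions)


def forged_ack(inbound):
    """Internet host forges a segment with ACK set toward an internal SMB port."""
    return inbound.check(packet("tcp", "192.0.2.99", 1234, "10.1.1.20", 445, {"ACK"}))


def genuine_reply(inbound):
    """A LAN host opens an HTTPS session outbound; the server's SYN/ACK comes back."""
    OUTBOUND.check(packet("tcp", "10.1.1.20", 51000, "198.51.100.5", 443, {"SYN"}))
    return inbound.check(packet("tcp", "198.51.100.5", 443, "10.1.1.20", 51000, {"SYN", "ACK"}))
```

Run against the ControlWeb list, a web session is permitted only on a weekday at lunchtime on or after 1 January 2008 and is denied by entry 20 otherwise, while non-web traffic falls through to entry 30. Against the Serial 0/0 filters, the forged ACK segment sails through the established version but is dropped by the reflexive one, and the genuine SYN/ACK reply is permitted by both, because the reflexive list saw the outbound SYN first.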
