Dear All,
We moved to http://ourtut.blogspot.com .....
Thanks,
My Tutorials
Monday, 15 December 2014
Thursday, 27 November 2014
MPLS: OSPF sham-links
Introduction
The provider's MPLS cloud has three routers: R1 (P router), R2 (PE-R2) and R3 (PE-R3). These routers form OSPF adjacencies with one another. R2 and R3 are iBGP neighbors, peering with each other's loopback address.
TTL propagation within the MPLS cloud was suppressed with the
no mpls ip propagate-ttl
command. This "hides" the number of MPLS routers in the provider's core: a traceroute from the customer no longer shows the P routers as hops. (The variant no mpls ip propagate-ttl forwarded hides them only for forwarded customer traffic and keeps TTL propagation for packets the PE itself originates, which is handy when the provider still wants to troubleshoot its own core.)
Reason to use an OSPF sham link
The customer's network may have an OSPF backdoor link between its edge routers even though it also subscribes to the MPLS VPN service that links those same edge routers.
The route learned through the MPLS cloud is an inter-area route, because the PE routers redistribute it from MP-BGP into OSPF and advertise it as a summary (type 3) LSA, even though both the site-a and site-b links are in OSPF area 0. This poses a problem if the customer wants traffic between site-a and site-b to traverse the MPLS core: OSPF always prefers an intra-area route over an inter-area route, regardless of cost, so it picks the backdoor link, which resides in the same OSPF area, to reach the destination.
To solve this problem, an OSPF sham link is used. The sham link is a point-to-point intra-area OSPF link between the two PE routers, built on /32 endpoint addresses inside the customer VRF that are reachable through BGP only. With it, the path across the MPLS core is also intra-area, and the normal OSPF cost comparison decides whether the core or the backdoor carries the traffic.
Wednesday, 19 November 2014
Dynamic Multipoint VPN (DMVPN) Configuration
DMVPN (Dynamic Multipoint VPN) is a technique where we use multipoint GRE tunnels instead of point-to-point GRE tunnels, with NHRP (Next Hop Resolution Protocol) mapping the tunnel addresses of the peers to their physical addresses. These multipoint GRE tunnels are encrypted using IPsec so that we have a secure, scalable tunneling solution. If you are unfamiliar with tunneling or IPsec I highly recommend checking the basic configuration for GRE first and how to configure an encrypted GRE tunnel with IPsec. Having said that, let's look at the configuration of DMVPN. This is the topology that we will use:
Let me explain this topology to you:
· R1, R2 and R3 are able to reach each other using their FastEthernet 0/0 interfaces. I used the 192.168.123.0/24 subnet so that they can reach each other.
· R1 will be the hub router and R2/R3 will be the spoke routers.
· R2 and R3 will each establish a tunnel to R1, as shown with the green dotted line.
· When R2 and R3 want to communicate with each other they will create a spoke-to-spoke tunnel, as shown with the purple dotted line.
· We will use the 172.16.123.0/24 subnet for the tunnel interfaces.
· Each router has a loopback interface with an IP address. The routers will reach each other's loopbacks by going through the tunnel interface.
The configuration consists of a number of steps:
1. Basic configuration of IP addresses.
2. GRE multipoint tunnel configuration on all routers.
3. Encryption of the tunnels using IPsec.
4. Routing configuration so the routers can reach each other's loopback interfaces.
Let's get started!
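The four steps above carried through as one complete hub-and-spoke configuration, added here as an example that is not the post's own config. It uses the 192.168.123.0/24 underlay and 172.16.123.0/24 tunnel subnet from the topology; the loopback addresses 1.1.1.1/24, 2.2.2.2/24 and 3.3.3.3/24, R1's underlay address 192.168.123.1, the pre-shared key, the NHRP key, the EIGRP AS 123 and the use of DMVPN phase 3 (nhrp redirect/shortcut) are assumptions.

```cisco
! Added example, not from the post. Hub R1 and spoke R2 are shown; R3 is identical to R2
! except for 172.16.123.3 on Tunnel0 and 3.3.3.3/24 on Loopback0.
!
! --- crypto, identical on all three routers ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! wildcard PSK keeps the lab short; anyone who learns this one key can join the DMVPN,
! so in production use a key per peer or certificates
crypto isakmp key DMVPN_PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN_TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN_PROF
 set transform-set DMVPN_TS
!
! --- R1 (hub): accepts dynamic NHRP registrations from the spokes ---
interface FastEthernet0/0
 ip address 192.168.123.1 255.255.255.0
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface Tunnel0
 ip address 172.16.123.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 no ip split-horizon eigrp 123
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN_PROF
router eigrp 123
 network 172.16.123.0 0.0.0.255
 network 1.1.1.0 0.0.0.255
!
! --- R2 (spoke): static mapping to the hub, registers with it as its NHS ---
interface FastEthernet0/0
 ip address 192.168.123.2 255.255.255.0
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
interface Tunnel0
 ip address 172.16.123.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
 ip nhrp map 172.16.123.1 192.168.123.1
 ip nhrp map multicast 192.168.123.1
 ip nhrp nhs 172.16.123.1
 ip nhrp network-id 1
 ip nhrp shortcut
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN_PROF
router eigrp 123
 network 172.16.123.0 0.0.0.255
 network 2.2.2.0 0.0.0.255
```

show dmvpn on R1 should list both spokes as registered; after R2 pings 3.3.3.3, show ip nhrp on R2 shows a dynamic entry for R3's tunnel address pointing at 192.168.123.3, which is the spoke-to-spoke tunnel from the purple line, and show crypto ipsec sa shows the matching SA. The ip nhrp authentication string is sent in clear text and only keeps mismatched DMVPNs apart; the IPsec profile is what actually protects the tunnels.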
Monday, 22 September 2014
Failover on Cisco ASA
Configuring high availability requires two identical ASAs connected to each other through a dedicated failover link and, optionally, a Stateful Failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.
The ASA supports two failover configurations, Active/Active failover and Active/Standby failover. Each failover configuration has its own method for determining and performing failover.
With Active/Active failover, both units can pass network traffic. This also lets you configure traffic sharing on your network. Active/Active failover is available only on units running in multiple context mode.
With Active/Standby failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby failover is available on units running in either single or multiple context mode.
Both failover configurations support stateful or stateless (regular) failover.
Hardware Requirements
The two units in a failover configuration must be the same model, have the same number and types of interfaces, and the same SSMs installed (if any).
If you are using units with different Flash memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has enough space to accommodate the software image files and the configuration files. If it does not, configuration synchronization from the unit with the larger Flash memory to the unit with the smaller Flash memory will fail.
Although it is not required, it is recommended that both units have the same amount of RAM memory installed.
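An Active/Standby bootstrap for two ASAs, added here as an example that is not part of the original post. The interface names, the addresses, the use of one physical interface for both the failover and Stateful Failover link, and the failover key value are assumptions.

```cisco
! Added example, not from the post. Names, addresses and the key are assumptions.
! --- primary unit ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
! dedicated failover link; here it also carries the Stateful Failover traffic
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
! without a key, configuration sync (including passwords and VPN keys) and state
! replication cross the failover link in clear text
failover key S3cretFailoverKey
failover polltime unit 1 holdtime 3
failover
!
! --- secondary unit: bootstrap only, everything else is synchronized from the primary ---
interface GigabitEthernet0/3
 no shutdown
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key S3cretFailoverKey
failover
```

Enable failover on the primary first, then on the secondary; the secondary's running configuration is replaced by the primary's during the sync, so apply the bootstrap and nothing else there. show failover on either unit reports the roles, the state of every monitored interface and whether the Stateful Failover link is passing state.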
Use Google Chrome as a SSH Client
We usually use the PuTTY client for SSH connections from a PC to a router or from a PC to a firewall.
Today I am going to show you how to use your Google Chrome browser as an SSH client.
Open your Chrome browser and enter chrome://extensions/
then search for the Secure Shell Chrome extension. Install it.
After installation it prompts you with the SSH client options (username, hostname and port). It is a real SSH client, so on the first connection it shows the server's host key fingerprint and asks you to accept it, just like PuTTY does; compare it with the fingerprint on the device before accepting.
Tuesday, 2 September 2014
IP Unnumbered Explained
In this tutorial we will take a look at IP unnumbered and how to configure it. First of all... what is IP unnumbered and why do we need it?
Normally each routed interface on a router needs a unique IP address in its own subnet before it can process IP packets and install a connected route for that link. IP unnumbered lets an interface process IP packets without a unique IP address of its own: it "borrows" the address of another interface on the same router (ideally a loopback, which never goes down). This only works on point-to-point interfaces, where there is exactly one other end and no next-hop address is needed to forward a packet.
Why would you want this and not just configure an IP address on the interface? To answer that question we have to dive into the past.
Once upon a time we didn't have VLSM (Variable Length Subnet Mask) and we used classful routing protocols like RIP version 1 and IGRP (the predecessor of EIGRP). These protocols do not carry a subnet mask in their updates, so every subnet of a major network had to use the same mask: if your LANs were /24s, every point-to-point link carved out of the same network had to be a /24 too. When using public IP addresses this is a huge waste of IP space. Take a look at the picture below:
There are 3 routers connected to each other using point-to-point serial links. We have to use two /24 subnets while we only require 4 IP addresses in total... such a waste!
IP unnumbered was created to solve this problem so you didn't have to waste entire subnets on point-to-point interfaces. It borrows an IP address from another interface so you don't have to configure one on the point-to-point interface.
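One of the serial links from the picture configured with IP unnumbered, added here as an example that is not the post's own config. The addresses, the interface names and the choice of static routes instead of a routing protocol are assumptions.

```cisco
! Added example, not from the post. Addresses and interface names are assumptions.
! R1 and R2 are joined by a point-to-point serial link; each side borrows its Loopback0
! address, so the link itself consumes no subnet at all.
! --- R1 ---
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
interface Serial0/0
 ip unnumbered Loopback0
 no shutdown
! the other side has no address on this link, so the route points at the interface,
! not at a next-hop address; this is only valid on point-to-point interfaces
ip route 192.168.2.0 255.255.255.0 Serial0/0
!
! --- R2 ---
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
interface Serial0/0
 ip unnumbered Loopback0
 no shutdown
ip route 192.168.1.0 255.255.255.0 Serial0/0
```

show ip interface brief on R1 lists Serial0/0 with the borrowed address 192.168.1.1, and a ping from R1 to 192.168.2.1 crosses the link. Borrow from a loopback rather than a physical interface: if the borrowed-from interface goes down, the unnumbered interface loses its address and stops forwarding. Also note there is nothing to ping on the serial link itself, so monitoring has to target the loopbacks.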
Multiple Spanning Tree (MST)
By default Cisco Catalyst switches run PVST+ or Rapid PVST+ (Per-VLAN Spanning Tree). This means that each VLAN is mapped to its own spanning-tree instance: when you have 20 VLANs, there are 20 instances of spanning tree, each with its own BPDUs and its own calculation.
Is this a problem? Like always... it depends. Let's take a look at an example:
Take a look at the topology above. We have three switches and a lot of VLANs, 100 through 300, a couple of hundred in total. If we are running PVST or Rapid PVST, every switch keeps a separate spanning-tree instance and calculation for each of those VLANs and sends a BPDU per VLAN on every trunk. This requires a lot of CPU power and memory.
When SwitchB is the root bridge for VLANs 100 to 200 and SwitchC for VLANs 201 to 300, our spanning-tree topologies will look like this:
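The same two topologies built with MST instead of one instance per VLAN, added here as an example that is not part of the original post. The region name TUTORIAL, the revision number and the priority values are assumptions; the VLAN ranges are the ones from the text.

```cisco
! Added example, not from the post. Region name, revision and priorities are assumptions.
! --- identical on SwitchA, SwitchB and SwitchC ---
spanning-tree mode mst
spanning-tree mst configuration
 name TUTORIAL
 revision 1
 instance 1 vlan 100-200
 instance 2 vlan 201-300
! name, revision and the instance-to-VLAN mapping are hashed into a digest carried in
! every MST BPDU; a switch whose digest differs is treated as a separate region, so a
! typo here silently splits the topology instead of producing an error
!
! --- SwitchB: root for instance 1 (VLANs 100-200), backup root for instance 2 ---
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 8192
!
! --- SwitchC: root for instance 2 (VLANs 201-300), backup root for instance 1 ---
spanning-tree mst 2 priority 4096
spanning-tree mst 1 priority 8192
```

Two instances now do the work that previously took a couple of hundred; show spanning-tree mst configuration on every switch must print the same name, revision and digest, and show spanning-tree mst 1 should show SwitchB as root with SwitchC as root for instance 2. Any VLAN not listed in an instance falls into instance 0 (the IST), so new VLANs added later share the IST topology until they are mapped.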