CCIE R&S V4.0 Written: Beta Exam Announcement

The beta version of the CCIE Routing and Switching Written Exam v4.0 (351-001) is available for scheduling at all Cisco-authorized Pearson VUE testing centers worldwide, starting August 7, 2009 and continuing through September 9, 2009.

However, the number of beta exams is limited, so as soon as all the seats are taken the beta test period will end, even if this is before September 9, 2009.

Candidates may schedule and take the exam on the same day. The beta exam will be offered at a discounted price of US$50, with full recertification or lab qualification credit granted to all passing candidates.

Another point to keep in mind is that the results will be received six to eight weeks after the close of the beta period. Therefore, CCIEs in suspended status with an expiration date before November 30, 2009 should recertify using another exam. Candidates may only attempt a beta exam once during the beta period.

More information about the steps to register for the exam can be found on The Cisco Learning Network website.

Cisco: The basics about VRF implementation

VRF, meaning Virtual Routing and Forwarding, is a technology implemented in IP network routers that allows multiple instances of a routing table to exist on the same router at the same time. Since each VRF is independent, the same IP subnet can exist in 2 different VRFs. Basically, you can use overlapping IP addresses in 2 VRFs without them conflicting with each other. Even though this is possible, I would not suggest doing so unless you have a very good reason to do it.

Another meaning of VRF is VPN Routing and Forwarding, which is a key element in Cisco’s MPLS (Multiprotocol Label Switching) VPN technology. Internet service providers often take advantage of VRF to create separate virtual private networks (VPNs) for customers. Some advantages of using this technology are that an ISP can provision scalable IP MPLS VPN services, generate reports (e.g. audit for services), Service Level Agreements (SLA) contracts and more…

To summarize, virtual networks enable administrators to split a physical link into multiple virtual links completely isolated from one another. Typically, a virtual network will be dedicated to traffic from a specific application or from specific users / customers.


Now that we have clarified the basics of what VRF is and how it works, let’s see where VRF is used the most. As you may have guessed already, this is in the MPLS VPN environment, because in today’s business granularity is very important and VRF helps network engineers to isolate and provide security for their customers in an ISP environment or to separate services in an Intranet environment. As you probably already know, MPLS functionality is based on P (Provider) routers, PE (Provider edge) routers and CE (Customer edge) routers. Each of these routers must be configured in order for MPLS to work within an enterprise’s architecture. I have described the MPLS technology a little so that you can better understand the topology presented below and the configuration example that follows:

[Image: VRF Implementation]

As you can see from the topology, one PE router can hold and manage multiple virtual routing tables, one for each customer that an ISP has. If you are running in a private environment (e.g. Intranet), you can use MPLS VPN to separate services (e.g. office, development…). The basic functionality is the same and I’ll show you below how to implement VRFs.

The actual configuration of VRFs is not a complicated task. There are two main components to a VRF: the route distinguisher (RD) and the route target (RT).

The route distinguisher (RD) is a number which helps identify a VPN in a provider’s network and allows for overlapping IP space.

The route target (RT) indicates the VPN membership of a route and allows VPN routes to be imported or exported into or out of your VRFs. The RT functions a little like a routing policy — determining how routes are distributed throughout the particular VPN.

The RD / RT is an 8-byte (64-bit) number which can be written as follows:

16-bit AS number:your 32-bit number
(e.g.) 65000:100

or

32-bit IP address:your 16-bit number
(e.g.) 192.168.0.1:10

The first method is the one used more often.

For a very basic VRF configuration, follow these steps:

1. Enters VRF configuration mode and assigns a VRF name.

Router(config)# ip vrf vrf-name

2. Creates a VPN route distinguisher (RD) in one of the two formats explained above (16-bit ASN:32-bit number or 32-bit IP:16-bit number).

Router(config-vrf)# rd route-distinguisher

3. Creates a list of import and/or export route target communities for the specified VRF.

Router(config-vrf)# route-target {import | export | both} route-target-ext-community

4. (Optional step) Associates the specified route map with the VRF.

Router(config-vrf)# import map route-map

5. Specifies an interface and enters interface configuration mode.

Router(config)# interface type number

6. Associates a VRF with an interface or subinterface.

Router(config-if)# ip vrf forwarding vrf-name

To check your configuration, you can use ping or traceroute tools under Cisco CLI, but remember that you have to use “vrf vrf-name” parameter:

Router# ping vrf vrf-name IP-address

Also you can check the virtual routing table:

Router# show ip route vrf vrf-name
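
The RD format and the configuration steps above, combined in an added example that is not part of the original post: a Python helper that validates an RD or RT written in either of the two forms, packs the RD into its 8 bytes (a 2-byte type field precedes the 6 bytes of value, per RFC 4364), and renders the commands for two VRFs that reuse the same subnet. The VRF names, interfaces and addresses are constructed, and `parse_vpn_id`, `rd_bytes` and `vrf_config` are hypothetical helper names.

```python
import ipaddress
import struct

def parse_vpn_id(text):
    """Parse 'ASN:number' or 'IP:number' into (type, admin, number)."""
    admin, sep, number = text.rpartition(":")
    if not sep or not number.isdecimal():
        raise ValueError(f"expected admin:number, got {text!r}")
    number = int(number)
    if admin.isdecimal():                 # 16-bit AS number : 32-bit number
        kind, admin, limit = 0, int(admin), 0xFFFFFFFF
        if admin > 0xFFFF:
            raise ValueError(f"AS number does not fit in 16 bits: {text!r}")
    else:                                 # IPv4 address : 16-bit number
        kind, admin, limit = 1, ipaddress.IPv4Address(admin), 0xFFFF
    if number > limit:
        raise ValueError(f"assigned number too large: {text!r}")
    return kind, admin, number

def rd_bytes(text):
    """8-byte RD: 2-byte type field, then the 6 bytes of admin + number."""
    kind, admin, number = parse_vpn_id(text)
    if kind == 0:
        return struct.pack("!HHI", kind, admin, number)
    return struct.pack("!H4sH", kind, admin.packed, number)

def vrf_config(name, rd, route_targets, interface, address):
    """Render steps 1-3, 5 and 6 for one VRF; route_targets is [(direction, rt)]."""
    parse_vpn_id(rd)
    lines = [f"ip vrf {name}", f" rd {rd}"]
    for direction, rt in route_targets:
        if direction not in ("import", "export", "both"):
            raise ValueError(f"bad route-target direction: {direction!r}")
        parse_vpn_id(rt)
        lines.append(f" route-target {direction} {rt}")
    # IOS removes an interface's existing IP address when "ip vrf forwarding"
    # is applied, so the address is configured after it.
    lines += [f"interface {interface}", f" ip vrf forwarding {name}",
              f" ip address {address}"]
    return lines

# Constructed sample: two customers using the same subnet in separate VRFs.
SAMPLE = (vrf_config("CUST-A", "65000:100", [("both", "65000:100")],
                     "FastEthernet0/0", "10.0.0.1 255.255.255.0")
          + vrf_config("CUST-B", "65000:200", [("both", "65000:200")],
                       "FastEthernet0/1", "10.0.0.1 255.255.255.0"))
```

`rd_bytes("65000:100").hex()` gives `0000fde800000064`, and `"\n".join(SAMPLE)` is the configuration text to review before pasting.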

In some of the following posts, I will present a VRF implementation following a real environment topology, but until then I hope you have understood the basics of VRF functionality. It’s not hard to implement (in some cases it might be, due to local topologies and technology), and it can help you to have more granular connections and make troubleshooting easier, especially in environments which have a lot of IP addresses under management.

Routing + QoS + Security all free for you and your small business

OK, you caught me, as this is not from Cisco, but it is related to networking and security, so I believe it fits the idea of this blog. What am I talking about here?! Well, let’s assume that you are the IT guy of a small business, or even of your home network, and like all of us, you want what’s best for your network. With today’s key words (even if I don’t understand why) like saving, cost reduction and zero budget for new deployments, no manager will approve buying new hardware. And to be fair, why would you want to buy an expensive Cisco 6500 if you have 50 PCs in your network and some servers? Cisco and other brands in the same line are good, actually very good, and worth the money, but only if they are really required. Continuing on this idea, somebody asked me to find a solution for his small to medium business, as he has a small user network and some servers. Of course he wanted all the possible features and security but without investing too much or, if possible, nothing. To keep everything within these limits, I had the idea to use a Linux box with 3 NICs and a bunch of software to achieve the other features like QoS, routing and so on. But I found something better to manage and maintain over time.

The product is called Untangle and I found it to be perfect for my solution, and maybe for yours if you want to give it a try. Among the other good features that it has integrated, you will see that this is a FREE product. Of course nothing is just black and white, and if you want some features you have to pay for them. Anyway, I managed to do everything without paying anything. Untangle can be installed on a dedicated machine or as an application in Windows. Installing on Windows is …how can I say…useless, at least from my point of view. I mean, who puts the trust of his network gateway in a Windows machine?! As a dedicated machine, it is one of the best solutions that I have tested.

As explained in the Untangle documentation, this solution can be installed on any regular Intel / AMD machine with a decent configuration. If you want to keep this solution and its logs for a longer time, I would recommend something dual core with 2 GB of memory and at least 80GB of hard-disk capacity. The minimum requirements from the developers are an 800 MHz processor with 512KB of memory and a 20GB hard drive, if you plan to run this for a network with less than 50 stations. The process is very simple: you download an image, burn it on a disc and then install it. If you have ever installed another OS, you will handle this for sure.

The new device can be deployed as a router or as a transparent bridge:

[Image: untangle-deployment]

On my private installation I deployed it as a router, as I wanted it to be the main gateway and to separate the LAN from the DMZ area. After you configure the basic stuff, you may want to choose which services you will use on this machine. Everything is modular. You have a virtual rack into which you insert free or paid applications. Maybe you are wondering which are the free applications. Here is the list: Web Filter, Virus Blocker, Spam Blocker, Ad Blocker, Attack Blocker, Phish Blocker, Spyware Blocker, Firewall, Routing & QoS, Intrusion Prevention, Protocol Control, OpenVPN, Reports. This covers most of my basic needs for a small network. If you want advanced features like WAN Load Balancer, WAN Failover or Remote Access Portal, then you have to buy these applications. Of course I would have preferred to have these for free as well, but as I said in other articles, nothing is 100% free in this world.

Every module is then configured in a graphical interface with menus that are easy to understand and follow. You can choose what to activate, what traffic is to be inspected, what packets are subject to QoS and many more. One thing before you proceed to test this: by routing, please don’t understand Dynamic Routing Protocols or other advanced features. As I said before, this solution is for small to medium sites which do not have to support a complex routing environment. However, it does support basic routing and it can be installed as a router. Regarding the support you get for this product, there is a good forum and also a Wiki page.

Below I prepared a small gallery with screenshots from Untangle. The screenshots are copyrighted by Untangle.com and can be found on their site together with some nice video presentations of the product.

Please be aware that this site is not affiliated in any way with Untangle.com. The opinions presented here represent my own experience with the Untangle product.


Cisco: OSPF conditional inject of a Default Route

I believe most of you are familiar with how OSPF injects a default route in a normal area. If not, you can find here all the documentation that you need. Please be familiar with this concept before reading this article.

Now, let’s assume that we have the following topology:

[Image: cisco-ospf-conditional-default-route]

As you can see, we have a BGP peering between the PE and CE routers, with the CE router having an OSPF connection with the Core. The CE router is injecting a default route to the Core:

router ospf 1
default-information originate always

This configuration is OK, but we can run into the following issue. Imagine that for some reason the BGP peering between PE and CE is broken (e.g. line being down); the CE router will have no clue about this and will still propagate the default route to the Core. In this situation, the Core will still forward all packets without a specific route to the CE, which will have no further route to reach the destination, as the CE does not receive any route from the BGP peer. As you can imagine, it is better to avoid this situation, especially if for some reason you are not monitoring the connection between PE and CE and you cannot react to change the route manually in case of a failure. We are lucky because some smart engineers have developed a solution to avoid this problem, called conditional injection of a default route in OSPF.

With this solution, OSPF monitors the reachability of the point-to-point IP connection between PE and CE. When the OSPF process on the CE router notices that the IP connection is not available anymore, it automatically retracts the propagation of the default route to the Core. The solution is simple and assumes the use of an ACL or prefix-list, then matching this in a route-map, and finally using this route-map under the “router ospf” process. For the step-by-step configuration, see below.

First we will create an ACL matching the IP subnet between PE and CE. In this example I’m using a p2p subnet 10.10.10.0 /30:

access-list 1 permit 10.10.10.0 0.0.0.3

Then I will match this in a route-map as follows:

route-map WAN-LINK permit 10
match ip address 1

Finally, we will use this route-map to implement the OSPF conditional injection of default route to Core router (192.168.0.0 /30 is the p2p IP subnet between CE and Core):

router ospf 1
log-adjacency-changes
network 192.168.10.2 0.0.0.0 area 0
default-information originate always route-map WAN-LINK

Now, the OSPF process on the CE will inject a default route to the Core as long as the IP subnet between CE and PE is reachable.
IMPORTANT NOTE: This solution might not work if your connection from CE to PE is Ethernet and not Serial like in the example. I will explain why in the next post, where I’ll achieve the same behavior using EEM together with an Ethernet-based connection instead of a Serial one.
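
A way to check a CE configuration for the problem described above, as an added example that is not part of the original post: a Python function that reads IOS configuration text and reports a default route originated with `always` and no route-map, or a route-map whose ACL or prefix-list is not defined. The function name `audit_ospf_default` is hypothetical and the sample configurations are constructed from the commands shown in this post.

```python
import re

def audit_ospf_default(config):
    """Return findings for every OSPF 'default-information originate' line."""
    defined, maps, origins = set(), {}, []
    cur_map = cur_router = None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"(?:ip )?access-list (?:standard |extended )?(\S+)", line):
            defined.add(("access-list", m.group(1)))
        elif m := re.match(r"ip prefix-list (\S+)", line):
            defined.add(("prefix-list", m.group(1)))
        elif m := re.match(r"route-map (\S+)", line):
            cur_map = m.group(1)
            maps.setdefault(cur_map, set())
        elif m := re.match(r"router (\S+)", line):
            cur_router = m.group(1)
        elif cur_map and (m := re.match(r"match ip address (prefix-list )?(.+)", line)):
            kind = "prefix-list" if m.group(1) else "access-list"
            maps[cur_map].update((kind, name) for name in m.group(2).split())
        elif cur_router == "ospf" and line.startswith("default-information originate"):
            m = re.search(r" route-map (\S+)", line)
            origins.append((line, m.group(1) if m else None))
    findings = []
    for line, rmap in origins:
        if rmap is None:
            if " always" in line:   # advertised whatever the state of the uplink
                findings.append("unconditional: default route has no uplink check")
        elif rmap not in maps:
            findings.append(f"route-map {rmap} is not defined")
        elif not maps[rmap]:
            findings.append(f"route-map {rmap} has no 'match ip address' condition")
        else:
            findings += [f"route-map {rmap} matches undefined {kind} {name}"
                         for kind, name in sorted(maps[rmap] - defined)]
    return findings

# Constructed samples: the first configuration in this post, the final one,
# and the final one with the route-map pointing at an ACL that does not exist.
UNCONDITIONAL = "router ospf 1\n default-information originate always\n"
CONDITIONAL = """
access-list 1 permit 10.10.10.0 0.0.0.3
route-map WAN-LINK permit 10
 match ip address 1
router ospf 1
 log-adjacency-changes
 network 192.168.10.2 0.0.0.0 area 0
 default-information originate always route-map WAN-LINK
"""
DANGLING = CONDITIONAL.replace("match ip address 1", "match ip address 2")
```

An empty list means every OSPF default origination is tied to a route-map whose match conditions resolve to a defined ACL or prefix-list.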

Please check below to see a small presentation of how this works in a test environment:

[Presentation: cisco-ospf-conditional-default-route-post]

Two CCIE R&S Certification Webinars

Source: https://cisco.hosted.jivesoftware.com/docs/DOC-4862

Cisco will conduct two webinar events on Wednesday, May 20, 2009 to describe recent enhancements to CCIE R&S certification and Cisco 360 Learning Program for CCIE R&S.
Attendees can choose from calls at 8:00 am and 7:00 pm PST.
Participants need only attend one event as content will be identical.

Registration information is as follows:

MEETING DETAILS

Meeting Name: CCIE R&S Refresh
Date/Time: 5/20/2009 @ 8:00 AM and 7:00PM US/Pacific Time
Length: 90 minutes
Frequency: Once
Meeting ID: 222333

Register for each event:

Please visit https://cisco.hosted.jivesoftware.com/docs/DOC-4862 to register for this event.

Join the Voice Conference

1. Call MeetingPlace:

Toll-free (US only): 1-800-370-2618

Toll-free (Canada only): 1-800-370-2618

International Direct Dial: 1-650-599-0315

2. Press 1 to attend a meeting.

3. Enter Meeting ID (222333) followed by the # key.

4. Follow the prompts to record your name and enter the meeting.

Join the Web Conference

1. Disable any pop-up blocker software.

2. Go to http://gc46gw1.meetingplace.net.

3. Enter meeting ID (222333) and click Attend Meeting.

4. Enter your first and last name in the My name is box and click Attend Meeting.

5. Answer Yes to any security warnings you receive and wait for the Meeting Room to initialize.

Please read more on: https://cisco.hosted.jivesoftware.com/docs/DOC-4862