QoS Cheat sheet


BGP RPKI

ISPs peer with each other at Internet Exchange Points to exchange prefixes. They also peer to exchange information about servers hosted in their AS. Network attackers have become sophisticated and can launch prefix hijacking attacks by announcing someone else’s prefix, or by announcing a more specific of someone else’s prefix. Either way, they are trying to “steal” someone else’s traffic by getting it routed to the attacker.

RPKI is an open and secure way to validate received prefixes. A router connects to RPKI servers/caches/peers to download the information needed to build a special RPKI database that BGP can use to validate origin ASes for the Internet routing table. One RPKI cache can provide origin-AS validation data to multiple routers, and one router can be connected to multiple RPKI caches.

Typically, origin-AS validation is done at the ASBRs of an AS for paths received from an outside AS (eBGP paths); internal routers (e.g. RRs) do not take part in origin-AS validation.

The ASBRs simply mark the eBGP paths with an origin-AS validity state:

Valid: There are prefix sets in the RPKI data that cover the prefix, and one of them has the origin-AS number.

Invalid: There are prefix sets in the RPKI data that cover the prefix, and none of them has the origin-AS number.

Unknown: There is no matching or covering prefix in the RPKI data.

However, the reception of eBGP paths and the reception of RPKI data are completely decoupled. The router does not query the RPKI caches as it receives BGP prefixes.

The origin-AS validation data is driven mostly by the RPKI caches, which send data to the routers at their own pace (an initial database dump, followed by incremental updates).

If the RPKI data from the caches already covers a prefix when an eBGP path is received, BGP can validate that path upon reception, marking it “valid” or “invalid”.

If the RPKI data has no validation data covering the prefix when an eBGP path is received, BGP marks the path “Unknown”.

If any RPKI cache later sends validation data covering that prefix, BGP has to revalidate that prefix.
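The three validity states above, and the decoupled arrival of eBGP paths and ROA data, can be shown in a few lines of code. The following is an added example written for this page, not code from the original post or from any router vendor: it applies the RFC 6811 rules (a ROA covers a route when its prefix contains the route prefix; the route is valid when some covering ROA has the same origin AS and a max-length at least the route's prefix length) against a locally held ROA table, records the state of each eBGP path as it arrives, and revalidates stored paths when a cache later pushes a new ROA. Prefixes and AS numbers are documentation values constructed for the demo.

```python
"""Route origin validation with RFC 6811 semantics against a local ROA table.

Added example, not from the original post. AS numbers and prefixes are
documentation values (RFC 5398 / RFC 5737 / RFC 3849) constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple

VALID, INVALID, UNKNOWN = "valid", "invalid", "unknown"


@dataclass(frozen=True)
class Roa:
    prefix: str      # covered prefix, e.g. "192.0.2.0/24"
    max_length: int  # longest announced prefix length the ROA authorises
    origin_as: int   # AS number allowed to originate it


class OriginValidator:
    """Holds the ROA data pushed by RPKI caches and the eBGP paths seen by an ASBR."""

    def __init__(self) -> None:
        self.roas: List[Roa] = []
        # (prefix, origin_as) -> current validity state of that eBGP path
        self.paths: Dict[Tuple[str, int], str] = {}

    def covering_roas(self, prefix: str) -> List[Roa]:
        """ROAs whose prefix contains `prefix` (same address family only)."""
        net = ip_network(prefix)
        found = []
        for roa in self.roas:
            roa_net = ip_network(roa.prefix)
            if roa_net.version == net.version and net.subnet_of(roa_net):
                found.append(roa)
        return found

    def validate(self, prefix: str, origin_as: int) -> str:
        """Valid / invalid / unknown per RFC 6811 for one (prefix, origin AS) pair."""
        net = ip_network(prefix)
        covering = self.covering_roas(prefix)
        if not covering:
            return UNKNOWN  # nothing in the RPKI data covers this prefix
        for roa in covering:
            # A more-specific announcement beyond max-length is NOT matched,
            # even with the right origin AS: that is the sub-prefix hijack case.
            if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
                return VALID
        return INVALID  # covered, but no ROA authorises this origin/length

    def receive_path(self, prefix: str, origin_as: int) -> str:
        """An eBGP path arrives: validate against whatever ROA data is present now."""
        state = self.validate(prefix, origin_as)
        self.paths[(prefix, origin_as)] = state
        return state

    def receive_roa(self, roa: Roa) -> List[Tuple[str, int, str, str]]:
        """An RPKI cache pushes a ROA later: revalidate every stored path.

        Returns (prefix, origin_as, old_state, new_state) for each path whose
        state changed, which is what the router must re-run policy on.
        """
        self.roas.append(roa)
        changes = []
        for (prefix, origin_as), old in list(self.paths.items()):
            new = self.validate(prefix, origin_as)
            if new != old:
                self.paths[(prefix, origin_as)] = new
                changes.append((prefix, origin_as, old, new))
        return changes


def demo() -> dict:
    """Walk through the three states plus a late-arriving ROA."""
    v = OriginValidator()
    v.receive_roa(Roa("192.0.2.0/24", 24, 64496))  # initial cache dump
    results = {
        "legit": v.receive_path("192.0.2.0/24", 64496),        # valid
        "wrong_origin": v.receive_path("192.0.2.0/24", 64512),  # invalid
        "more_specific": v.receive_path("192.0.2.0/25", 64496), # invalid (> max-length)
        "before_roa": v.receive_path("198.51.100.0/24", 64512), # unknown, no ROA yet
    }
    # Incremental update from the cache covers the last prefix: revalidate.
    results["revalidated"] = v.receive_roa(Roa("198.51.100.0/24", 24, 64497))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "more_specific" case is why ROA max-length matters: an announcement of 192.0.2.0/25 from the correct AS is still invalid when the ROA only authorises /24, so a hijacker's more-specific is caught even if it spoofs the legitimate origin. The returned change list from `receive_roa` is the event the text describes: the router did not ask the cache when the path arrived, it revalidates when the cache pushes covering data.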


Adding Timestamps for “show” Commands in Cisco IOS-XE

Unlike IOS, when you enable the following commands in IOS-XE:

service timestamps log datetime localtime msec

service timestamps debug datetime localtime msec


you only see that logs and debugs are supplied with a timestamp. To see a timestamp for each CLI command you issue, you can enable the feature by one of the following methods:

Router> terminal exec prompt timestamp

OR

Router(config)#line con 0

Router(config-line)#exec prompt timestamp

However, when you enable this, every command also comes with CPU load information and the time source. See the output below once the timestamp is enabled.

Router#show ip interface brief

Load for five secs: 2%/0%; one minute: 5%; five minutes: 3%


No time source, *07:28:21.826 UTC Thu Oct 24 2013

----- Output truncated -----

FHRP (First Hop redundancy Protocol) best practices in Nexus 7K

vPC (virtual port channel) allows two Nexus switches to share a port-channel. Attached devices believe they are connected to a single device via an EtherChannel bundle, so STP treats the bundle as a single link. To achieve this, the paired Nexus switches use two different communication channels. The first link is called the Peer-Keepalive link: a continuous L3 UDP ping between them, used to detect the presence of the peer.


The second link is called the Peer-link; it is L2 connectivity and is mainly used for control traffic between the switches.

When running HSRP between Nexus switches, by default they work in active/active mode regardless of their configured role, i.e. if a frame is received on the standby switch it does not forward it to the active HSRP switch but forwards it itself. This HSRP behavior is tweaked specifically for vPC optimization.

Up to this point everything is good, but then some storage and data center equipment manufacturers (NetApp, EMC, F5 load balancers, etc.) thought it would be a good idea to optimize their handling of Ethernet frames. Some NetApp and EMC equipment ignores the ARP reply given by the HSRP primary and instead forwards Ethernet frames to whichever MAC address it receives frames from. NetApp calls this “Fast Path Source MAC address caching”. It is non-standard behavior.

So what is wrong with this vendor optimization? According to Cisco, “Packets reaching a vPC device for the non-local router MAC address are sent across the peer-link and could be dropped by the built in vPC loop avoidance mechanism if the final destination is behind another vPC.” Because of this, at the application level we saw very poor performance due to these dropped packets. Enough of the packets got through to allow access to the storage device, but file load times were measured in tens of seconds rather than milliseconds.

How Peer-Gateway helps:

Configuring peer-gateway allows the Nexus switches to route frames that are destined to the MAC address of their peer device. The only exception is a packet destined to both the physical MAC and the physical IP address of the peer; such a packet is tunneled across the peer link.

Configuring Peer-Gateway:

Configuring the peer-gateway feature needs to be done on both primary and secondary vPC peers and is non-disruptive to the operations of the device or to the vPC traffic. The vPC peer-gateway feature can be configured globally under the vPC domain submode.

When enabling this feature it is also required to disable IP redirects on all interface VLANs mapped over a vPC VLAN to avoid generation of IP redirect messages for packets switched through the peer gateway router. When the feature is enabled in the vPC domain, the user is notified of such a requirement through an appropriate message.

Packets arriving at the peer-gateway vPC device will have their TTL decremented, so packets carrying TTL = 1 may be dropped in transit due to TTL expire. This needs to be taken into account when the peer-gateway feature is enabled and particular network protocols sourcing packets with TTL = 1 operate on a vPC VLAN.

Therefore peer-gateway should be enabled when dealing with the non-standard behavior of such data center devices. To enable this feature, configure the following on both Nexus switches of the pair:

switch# config t

switch(config)# vpc domain <domain-id>

switch(config-vpc-domain)# peer-gateway

Fundamentals of Carrier Ethernet

Hi Folks,

It’s been a while since I posted something for my readers. Today I am going to start a new discussion: Carrier Ethernet from the Metro Ethernet Forum perspective.

The very widely used LAN Ethernet technology, developed and implemented around the world since the 1970s, is just that: a Local Area Network technology designed for use within buildings or between buildings in a campus. LAN Ethernet is not designed for use over long distances within cities, across regions or between continents. LAN Ethernet is also designed for use only over specific short-distance infrastructures (e.g. 100BaseT cabling), not over Wide Area Network infrastructures (e.g. PDH, SONET/SDH, DOCSIS, PON, WDM, etc.). The different aspects of a true service are also not supported by the very popular LAN Ethernet technology: it does not guarantee levels of availability (e.g. 5 nines) or Classes of Service suited to different application and user needs, nor does it support the type of management capabilities required for large network service delivery that are available with legacy WAN technologies.

In order to combine the advantages of LAN Ethernet’s large installed base and the familiarity of its technology with the requirements of multi-site users and their service providers, the MEF began in 2001 to develop the specifications that today provide the basis for the use of Ethernet as a global networking solution.

The MEF defined five key attributes that differentiate Carrier Ethernet from LAN Ethernet, and which form the basis for the development of Carrier Ethernet specifications by the MEF.

5 Attributes of Carrier Ethernet

Etherchannel

Hi Folks,

Ethernet, Fast Ethernet, and Gigabit Ethernet switch ports scale link speeds by a factor of 10.
The Cisco EtherChannel technology offers another method of scaling link bandwidth by bundling or aggregating multiple physical links into a single logical link.
Two to eight compatibly configured physical Fast Ethernet (FE) or Gigabit Ethernet (GE) links can be aggregated into a single logical Fast EtherChannel (FEC) or Gigabit EtherChannel (GEC) link respectively.
EtherChannel provides a full-duplex bandwidth of up to 1600Mbps (8 x Fast Ethernet links) or 16Gbps (8 x Gigabit Ethernet links).

Higher-speed networking hardware that is early in the product life cycle is inevitably expensive.
EtherChannel provides incremental capacity upgrades to grow or expand the capacity between switches without having to continually purchase hardware for the next magnitude of bandwidth and throughput. Read the rest of this entry

Cisco’s CCNP Service Provider – a closer look

Hi Folks,

In our “News you can use” section we will look at the newly introduced certification track from Cisco. Cisco’s CCNP Service Provider is a professional-level certification and is much in the news because it replaces the CCIP certification, which will be EOL by October ’12. At a time when service provider networks and technology are changing rapidly, it is very necessary to have an updated skill set available in the market, and this is why Cisco has come up with such a competitive and modern course curriculum. Cisco’s CCNP SP track has 4 papers like other professional-level certifications, namely Read the rest of this entry

Cisco retires CCIP certification

Hi Folks,

In our new section, “News which you can use”, I will be posting industry updates to help students and peers. The latest buzz in the market is that Cisco has decided to let go of the old IOS-dominated course curriculum from its certification path. Beginning October 29, 2012, the Cisco CCIP certification will be retired and Cisco will no longer issue new certifications. Individuals interested in pursuing a professional-level Cisco Service Provider certification are encouraged to obtain the newly introduced and highly anticipated CCNP Service Provider. However, if you currently have a valid CCIP certification or are in the process of pursuing a CCIP certification and would like to instead pursue a CCNP Service Provider certification, you can visit the following link and check the migration requirements. You enter your existing exams and it tells you which additional papers you need to take to obtain CCNP Service Provider. I looked into the CCNP Service Provider topics, which I will post about separately; it is undoubtedly at par with the growing technology and really updated, though the challenge remains for students that they need more means to practice IOS-XR and IOS-XE. Let’s wait and watch Cisco’s initiative in this area. Till then keep simplifying and keep smiling.

http://www.cisco.com/web/learning/tools/ccip_migration_tool.html


HTH,

please share your comments/feedback


Spanning Tree Protocol – Advanced Features

Hi Folks,

In our preceding post we talked about basic Spanning Tree Protocol functioning and its uses. With the technical advancement of fast LAN environments, the primitive uses of STP have taken a leap, and several enhancements have been made to make LANs more attractive and reliable. In this post we will talk about some of those enhancements.

i. Spanning Tree PortFast – Generally, when a port on a bridge comes up it goes through a 50-second delay before it enters the forwarding state. The PortFast feature is enabled on ports where end users are connected so that the port bypasses the listening and learning states, reducing the time to connect to the network and avoiding DHCP failures. Ports with PortFast enabled do not expect to hear BPDUs; therefore, when a BPDU is received on a PortFast-enabled port, it goes into the Listening state. A PortFast-enabled port also cannot generate TCN BPDUs.

Read the rest of this entry

IPv6 – all you want to know

Hi Folks,

Here is a very interesting article I came across on IPv6, which I thought I would share with all of you.

The last time a new Internet protocol came into being was in the early 1980s, when the Internet was still a fledgling research network. Thirty years later, the migration to a new standard, IPv6, is a gargantuan task that involves businesses, online enterprises and consumers alike.

Without new addresses, billions of people will never be able to use new Internet services or access applications and technologies that are in the blueprints of today’s businesses and in the minds of tomorrow’s entrepreneurs.

With minimal investment, companies can jump ahead of the competition by making their systems IPv6 compatible, according to Amod Malviya, Vice-President-Engineering at Flipkart. Surely, IT managers across India will have their work cut out in making a case to senior level executives. Read the rest of this entry