Saturday, July 21, 2018

Cisco and Huawei Command references

ılılılı RouteXP ılılılı ılılılı

This is an interesting topic for anyone running both vendors in one enterprise network: the admin needs the CLI skills for both Cisco and Huawei routers so that they can execute the equivalent commands on either platform. It is common now to mix the best devices from different vendors in one design to get the best practices into the network.

Although networks are moving toward the cloud and automation, the CLI is still central: many devices are still configured with commands typed in by hand.

You can also share command comparisons for Cisco-Juniper, Cisco-Alcatel, Huawei-Juniper, Huawei-Alcatel and Alcatel-Juniper with us.

Today I am discussing the CLI commands of Cisco and Huawei devices and how they differ from each other. The two CLIs follow the same model (a user level, a configuration level and show-style commands) but use different words for it; for example, Cisco's configure terminal and show running-config correspond to Huawei's system-view and display current-configuration. If you have more commands to compare between Cisco and Huawei, please share them so that they can be passed on to others.

Fig 1.1- Cisco and Huawei Commands

The figure above lists some Cisco commands next to their Huawei equivalents, showing how the same task is expressed on each platform.


Please let me know if I am wrong somewhere so that it can be corrected, and please share any other information you have comparing the commands of the two vendors.

BGP Route Aggregation


Today I am going to discuss "BGP Route Aggregation". There are many situations in a network where you want this: you want the other side to receive one aggregated route rather than every specific route from your network.

So the question is: why do we need BGP route aggregation in the network?
There are several reasons. Many specific prefixes from the same block clutter the BGP table of every router that receives them, and aggregation is the way to shorten those routing tables. Fewer prefixes also mean fewer updates to process, which saves CPU and memory on the receiving devices.

Where is this kind of scenario used?
Take a service provider PE router with many customers attached. The PE enforces a prefix limit on each customer session (say 50 routes). If a customer needs to announce more than 50 specific routes, the customer can stay under the limit by announcing the shorter prefix, the aggregated route, that covers all of those specifics as a single route.

Below is a sample topology showing route aggregation on router R2.
Fig 1.1- Sample Topology BGP Route Aggregation

For example, for the aggregate destination 126.100.0.0/16, routes to 126.100.192.0/19 and 126.100.67.0/24 are contributing routes (they are more specific than the aggregate and fall inside it), but routes to 126.0.0.0/8 and 126.0.0.0/16 are not, because they are equal to or shorter than the aggregate.

Route aggregation reduces the number of routing table entries in an IP network: it consolidates selected specific routes into a single route advertisement, so each receiving router carries one entry for the aggregate instead of one entry per specific route.

On the router that does the aggregation this technique does not reduce the size of the routing table; the specifics stay there because that router still forwards to them. The reduction happens on the routers that receive the updates, and only when the aggregating router advertises the aggregate without the contributing routes (summary-only on IOS, or an export policy that exports only the aggregate on Junos).

A route can contribute to only a single aggregate route. However, an active aggregate route can itself contribute to a less specific aggregate route. For example, an aggregate route to 126.100.0.0/16 can contribute to an aggregate route to 126.96.0.0/13.
When an aggregate route becomes active, it is installed in the routing table with the following information (this list describes the Junos aggregate statement; IOS installs the aggregate with a next hop of Null0, which has the same effect):

  • Reject next hop: a packet that matches the aggregate but no more specific route is discarded and an ICMP unreachable message is sent to the packet's originator. This is what stops traffic for the unused part of the aggregate from looping between you and your upstream.
  • Metric value as configured with the aggregate statement.
  • Preference value that results from the policy filter on the primary contributor, if a filter is specified.
  • AS path as configured in the aggregate statement, if any. Otherwise the path is computed by aggregating the paths of all contributing routes. On IOS this happens only with the as-set keyword; without it the aggregate carries an empty AS path with ATOMIC_AGGREGATE set, so the ASes that originated the specifics no longer appear in it and BGP loop detection in those ASes cannot catch the aggregate if it is advertised back toward them.
  • Community as configured in the aggregate statement, if any is specified.
Now suppose we are AS 400 with three BGP neighbours: 10.10.10.2 in AS 500, 20.20.20.2 in AS 600 and 30.30.30.2 in AS 700. Through those neighbours we receive two routes that originate in AS 800, 180.10.0.0/16 and 180.20.0.0/16. To advertise one aggregated route for them instead of the specifics, we configure 180.0.0.0 255.0.0.0 under the BGP process, with summary-only so that the specifics are suppressed:

!
router bgp 400
 neighbor 10.10.10.2 remote-as 500
 neighbor 20.20.20.2 remote-as 600
 neighbor 30.30.30.2 remote-as 700
 aggregate-address 180.0.0.0 255.0.0.0 summary-only
!

Let's check the BGP table now. The two specifics are assumed here to arrive from the AS 500 and AS 600 neighbours with AS 800 as the origin, so that the display matches the configuration above:

Router# show ip bgp
BGP table version is 6, local router ID is X.X.X.X
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 180.0.0.0/8      0.0.0.0                            32768 i          <----- Aggregated route
s> 180.10.0.0       10.10.10.2               0             0 500 800 i  <----- Specific route, suppressed
s> 180.20.0.0       20.20.20.2               0             0 600 800 i  <----- Specific route, suppressed


The example above should make the "BGP Route Aggregation" concept clear: you now know which routes can contribute to an aggregate and how the aggregated route is configured. One caveat before using this outside a lab: the aggregate is installed locally with a Null0 next hop and announced to every neighbour, so announce only aggregates that cover address space assigned to you. A /8 like the one in the example covers far more than the two /16s behind it, and an upstream that accepted it would route the whole block toward you.
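As an added example (not code from the original post), the following Python script applies the contributing-route rule from the text to the two prefix sets discussed above and shows what summary-only and as-set would do with them on the aggregating router. The AS paths on the sample routes are assumptions for the example, as is the final check, which goes beyond the post: it lists the address space inside the aggregate that no specific holds, which is exactly the space the caveat above is about.

```python
# Added example, not code from the original post: apply the contributing-
# route rule to the prefixes discussed above and show what summary-only
# and as-set do with them on the aggregating router.
from ipaddress import ip_network

# Constructed sample routes as (prefix, AS_PATH). The AS paths are
# assumptions for this example; the post only names the prefixes.
JUNOS_EXAMPLE = [           # aggregate 126.100.0.0/16
    ("126.100.192.0/19", (800,)),
    ("126.100.67.0/24", (800, 900)),
    ("126.0.0.0/8", (500,)),
    ("126.0.0.0/16", (600,)),
]
IOS_EXAMPLE = [             # aggregate 180.0.0.0/8, as in the config above
    ("180.10.0.0/16", (500, 800)),
    ("180.20.0.0/16", (600, 800)),
    ("10.50.0.0/16", (700,)),
]


def contributing_routes(aggregate, routes):
    """Routes that contribute to the aggregate: strictly more specific
    than it and contained in it. An equal or shorter prefix never does."""
    agg = ip_network(aggregate)
    return [
        (prefix, path) for prefix, path in routes
        if ip_network(prefix).prefixlen > agg.prefixlen
        and ip_network(prefix).subnet_of(agg)
    ]


def aggregate_as_set(contributors):
    """The AS_SET that 'aggregate-address ... as-set' attaches: the
    unordered union of the ASes in every contributing path. Without
    as-set the aggregate carries an empty path, so loop detection in
    these ASes cannot catch it."""
    return frozenset(asn for _, path in contributors for asn in path)


def summary_only(aggregate, routes):
    """What the aggregating router advertises with summary-only: the
    aggregate, the contributors it suppresses, and the routes that do not
    contribute and are still sent unchanged."""
    contributors = contributing_routes(aggregate, routes)
    suppressed = [prefix for prefix, _ in contributors]
    return {
        "advertised": aggregate,
        "as_set": aggregate_as_set(contributors),
        "suppressed": suppressed,
        "unchanged": [p for p, _ in routes if p not in suppressed],
    }


def unheld_space(aggregate, routes):
    """Blocks inside the aggregate that no contributing route covers.
    Traffic for them dies on the aggregating router's Null0/reject route,
    and to every neighbour you have claimed to hold them."""
    pieces = [ip_network(aggregate)]
    for prefix, _ in contributing_routes(aggregate, routes):
        net = ip_network(prefix)
        remaining = []
        for piece in pieces:
            if piece.subnet_of(net):           # fully held: drop it
                continue
            if net.subnet_of(piece):           # carve the held part out
                remaining.extend(piece.address_exclude(net))
            else:                              # disjoint: keep as is
                remaining.append(piece)
        pieces = remaining
    return [str(p) for p in sorted(pieces)]


def unheld_addresses(aggregate, routes):
    """Number of addresses the aggregate announces without any specific."""
    return sum(ip_network(p).num_addresses for p in unheld_space(aggregate, routes))


if __name__ == "__main__":
    print(summary_only("126.100.0.0/16", JUNOS_EXAMPLE))
    print(summary_only("180.0.0.0/8", IOS_EXAMPLE))
    print(unheld_addresses("180.0.0.0/8", IOS_EXAMPLE), "addresses in 180/8 have no specific")
```

Running it shows the two /16s suppressed behind 180.0.0.0/8 while 10.50.0.0/16 passes through untouched, an AS_SET of {500, 600, 800} if as-set were added, and over sixteen million addresses in the /8 that have no contributing route, which is why such an aggregate belongs in a lab only.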

Basic Configuration- Configure a Cisco ASA 5510 Firewall


#Cisco Systems Engineer
#Specially Routing Students
#Network Engineers
#Cisco TAC Engineers
#Cisco CCIE Students

This article gets back to basics on Cisco ASA firewalls. Here is a basic configuration tutorial for the Cisco ASA 5510 security appliance. This device is the second model in the ASA series (ASA 5505, 5510, 5520, etc.) and is fairly popular since it is intended for small to medium enterprises. Like the smallest ASA 5505 model, the 5510 comes with two license options:

The Base license and the Security Plus license. The second one (Security Plus) provides some performance and hardware enhancements over the Base license, such as 130,000 maximum firewall connections (instead of 50,000), 100 maximum VLANs (instead of 50), failover redundancy, etc. Also, the Security Plus license enables two of the five firewall network ports to work at 10/100/1000 instead of only 10/100.

Next we will see a simple Internet Access scenario which will help us to understand the basic steps needed to setup an ASA 5510. Assume that we are assigned a static public IP address 100.100.100.1 from our ISP. Also, the internal LAN network belongs to subnet 192.168.10.0/24. Interface Ethernet0/0 will be connected to the outside (towards the ISP), and Ethernet0/1 will be connected to the Inside LAN switch. Refer to the diagram below for our example scenario.

The firewall will be configured to supply IP addresses dynamically (using DHCP) to the internal hosts. All outbound communication (from inside to outside) will be translated using Port Address Translation (PAT) on the outside public interface. Let’s see a snippet of the required configuration steps for this basic scenario:

Fig 1.1- Sample Topology ASA 5510
Step 1: Configure a privileged level password (enable password)
By default there is no enable password on the ASA, so the first step before doing anything else is to configure a privileged level password, which will be required for subsequent access to the appliance. Configure this in configuration mode (the ASA stores it as a hash in the running configuration, not in clear text):
ASA5510(config)# enable password << my secret password >>

Step 2: Configure the public outside interface
ASA5510(config)# interface Ethernet0/0
ASA5510(config-if)# nameif outside
ASA5510(config-if)# security-level 0
ASA5510(config-if)# ip address 100.100.100.1 255.255.255.252
ASA5510(config-if)# no shut

Step 3: Configure the trusted internal interface
ASA5510(config)# interface Ethernet0/1
ASA5510(config-if)# nameif inside
ASA5510(config-if)# security-level 100
ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5510(config-if)# no shut

The nameif keyword is one word and is mandatory: an interface without a name is not used by the ASA. The security levels decide the default policy: with no access lists configured, traffic from the higher level (inside, 100) to the lower level (outside, 0) is allowed and its return traffic is permitted by stateful inspection, while anything initiated from outside toward inside is dropped.

Step 4: Configure PAT on the outside interface
ASA5510(config)# global (outside) 1 interface
ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0

This is the NAT syntax of ASA software 8.2 and earlier: the nat statement with id 1 on inside selects every inside source, and the global statement with the same id on outside translates them to the outside interface address. On ASA 8.3 and later the global command no longer exists; the same PAT is configured as an object network covering the inside subnet with a nat (inside,outside) dynamic interface statement.

Step 5: Configure Default Route towards the ISP (assume default gateway is 100.100.100.2)
ASA5510(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1

Step 6: Configure the firewall to assign internal IP and DNS addresses to hosts using DHCP
ASA5510(config)# dhcpd dns 200.200.200.10
ASA5510(config)# dhcpd address 192.168.10.10-192.168.10.200 inside
ASA5510(config)# dhcpd enable inside

The above basic configuration is just the beginning of making the appliance operational. There are many more configuration features you need to implement to increase the security of your network, such as static and dynamic NAT, access control lists to control traffic flow, DMZ zones, VPN, etc. This is only a starting point for a basic configuration from which you can build your knowledge further. For a more complete practical guide about Cisco ASA Firewall configuration.
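As an added example (not part of the original post or of any Cisco tool), here is a Python lint for the baseline above. It reads the configuration as text and checks the things that silently break this scenario: an interface without a nameif (the ASA does not use it), wrong security levels on inside and outside, a default route whose next hop is not on the outside subnet, a DHCP pool that is not inside the inside subnet or that overlaps the interface address, and a nat id with no matching global. The embedded BASELINE configuration is constructed from the steps above; the function names and the wording of the findings are my own.

```python
# Added example, not from the original post: a lint for the ASA 5510
# baseline. Only the statements used in the post are parsed.
from ipaddress import ip_address, ip_interface

# Constructed from the steps in the post (pre-8.3 NAT syntax).
BASELINE = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.252
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
dhcpd dns 200.200.200.10
dhcpd address 192.168.10.10-192.168.10.200 inside
dhcpd enable inside
"""


def parse_asa(text):
    """Collect interfaces, routes, global/nat pairs and DHCP pools."""
    cfg = {"interfaces": {}, "routes": [], "global": {}, "nat": [], "dhcp": []}
    cur = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if raw.startswith(" ") and cur is not None:        # interface sub-command
            if parts[:2] == ["ip", "address"]:
                cur["addr"] = ip_interface(f"{parts[2]}/{parts[3]}")
            else:
                cur[parts[0]] = " ".join(parts[1:])         # nameif, security-level
            continue
        cur = None
        if parts[0] == "interface":
            cur = cfg["interfaces"].setdefault(parts[1], {"ifname": parts[1]})
        elif parts[0] == "route":
            cfg["routes"].append((parts[1], parts[2], parts[3], ip_address(parts[4])))
        elif parts[0] == "global":
            cfg["global"][parts[1].strip("()")] = parts[2]   # nameif -> nat id
        elif parts[0] == "nat":
            cfg["nat"].append((parts[1].strip("()"), parts[2]))
        elif parts[:2] == ["dhcpd", "address"]:
            lo, hi = parts[2].split("-")
            cfg["dhcp"].append((ip_address(lo), ip_address(hi), parts[3]))
    return cfg


def audit(text):
    """Return a list of findings; an empty list means the baseline is sane."""
    cfg = parse_asa(text)
    findings = []
    by_nameif = {}
    for intf in cfg["interfaces"].values():
        if "nameif" not in intf:
            findings.append(f"{intf['ifname']}: no nameif, the ASA will not use this interface")
            continue
        by_nameif[intf["nameif"]] = intf
    for nameif, expected in (("outside", "0"), ("inside", "100")):
        intf = by_nameif.get(nameif)
        if intf is not None and intf.get("security-level") != expected:
            findings.append(f"{nameif}: security-level is {intf.get('security-level')}, expected {expected}")
    for nameif, dest, mask, nexthop in cfg["routes"]:
        intf = by_nameif.get(nameif)
        if intf is not None and "addr" in intf and nexthop not in intf["addr"].network:
            findings.append(f"route {nameif} {dest} {mask}: next hop {nexthop} is not on {intf['addr'].network}")
    for lo, hi, nameif in cfg["dhcp"]:
        intf = by_nameif.get(nameif)
        if intf is None or "addr" not in intf:
            continue
        net = intf["addr"].network
        if lo not in net or hi not in net:
            findings.append(f"dhcpd {nameif}: pool {lo}-{hi} is not inside {net}")
        elif lo <= intf["addr"].ip <= hi:
            findings.append(f"dhcpd {nameif}: pool {lo}-{hi} includes the interface address {intf['addr'].ip}")
    for nameif, nat_id in cfg["nat"]:
        if nat_id not in cfg["global"].values():
            findings.append(f"nat ({nameif}) {nat_id}: no global statement with id {nat_id}, outbound PAT will not apply")
    return findings


if __name__ == "__main__":
    for line in audit(BASELINE) or ["baseline: no findings"]:
        print(line)
    # The "name if" typo (two words) leaves Ethernet0/0 without a nameif:
    for line in audit(BASELINE.replace("nameif outside", "name if outside")):
        print(line)
```

The second run in the main block shows why the spelling of nameif matters: with "name if" the parser records a "name" sub-command and no nameif, and the lint flags Ethernet0/0 as unusable, which is also what the appliance would do.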

Tuesday, July 3, 2018

Cisco Datacenter: vPC ( Single and Double Sided vPC)


Let's talk about two different vPC scenarios in a Cisco data center environment: the two vPC designs called single-sided vPC and double-sided vPC.

There are two deployment scenarios for vPC in the data center:
  • In a single data center we can use single-sided vPC (at the access layer or the aggregation layer), or double-sided vPC, also called multilayer vPC (an access layer using vPC interconnected to an aggregation layer using vPC).
  • In a multi data center environment we can have multilayer vPC for aggregation and DCI, or a dual Layer 2 / Layer 3 pod interconnect.
Let's discuss each deployment method.

Single-Sided vPC: In single-sided vPC, access devices are directly dual-attached to a pair of Cisco Nexus 7000 Series Switches forming the vPC domain.
The access device can be anything: a Layer 2 switch, a rack-mount or blade server, a load balancer, a firewall or a storage device. The access device must support a port-channel across its two uplinks. The bundling can be LACP mode active, LACP mode passive or static bundling (mode on); LACP is the recommended choice when connecting to a vPC domain. The maximum number of member ports in one vPC is set by the port-channel limit of the line card on each peer:
  • vPC with a Cisco Nexus M1 Series module line card: 16 active member ports (8 on peer device 1 and 8 on peer device 2)
  • vPC with a Cisco Nexus F1/F2 Series module line card: 32 active member ports (16 on peer device 1 and 16 on peer device 2)
Fig 1.1- vPC -Single and Double Sided vPCs

Double-Sided vPC: In double-sided vPC there are two vPC domains, one at the aggregation (distribution) layer and one at the access layer, and the port-channel between the two layers is a vPC on both sides. The vPC domain at the bottom is used for active/active connectivity from endpoint devices to the network access layer. The vPC domain at the top is used for active/active FHRP at the Layer 2 / Layer 3 boundary in the aggregation layer.

Benefits of double-sided vPC over single-sided vPC topology:
  • Enables a larger Layer 2 domain.
  • Provides a more resilient architecture. In double-sided vPC two access switches are connected to two aggregation switches, whereas in single-sided vPC one access switch is connected to two aggregation switches.
  • Provides more bandwidth from the access to the aggregation layer, using Cisco Nexus F1 or F2 Series module line cards for vPC at the aggregation layer and Cisco Nexus 5000 Series Switches at the access layer.
We can discuss multilayer vPC for aggregation and DCI in another post. Keep connected and supported. Check out the other story on vPC as well:
vPC Story
