Aaron's Worthless Words » documentation http://aconaway.com Not something you want to hear Wed, 08 Sep 2010 14:39:15 +0000 en hourly 1 http://wordpress.org/?v=3.0.1 ONT Notes – Pre-classify and End-to-end QoS http://aconaway.com/2010/02/03/ont-notes-pre-classify-and-end-to-end-qos/ http://aconaway.com/2010/02/03/ont-notes-pre-classify-and-end-to-end-qos/#comments Thu, 04 Feb 2010 03:13:53 +0000 Aaron Conaway http://aconaway.com/?p=482
  • VPNs (Didn’t ISCW cover this?)
    • Provide
      • Confidentiality
      • Integrity
      • Authentication
    • Types
      • Remote-access
        • Client-initiated
        • NAS-initiated
      • Site-to-site
        • LAN-to-LAN
        • Extranet
  • L3 Tunneling protocols
    • GRE
    • IPSec
  • Pre-classify allows traffic to be classified before being sent across a tunnel or crypto-ed.
    • qos pre-classify
    • Provides a view into the original IP headers
    • To classify on pre-tunnel header, apply the policy to the tunnel interface WITHOUT pre-classify.
    • To classify on post-tunnel header, apply the policy to the physical interface WITHOUT pre-classify.
    • To classify on pre-tunnel header, apply the policy to the physical interface WITH pre-classify.
  • SLA – agreement with provider to guarantee QoS mechanisms across their network based on your markings.
    • Assures availability, loss, throughput, delay, and jitter.
  • End-to-end QoS
    • To be effective, each hop in the path must have QoS configured similarly.
    • Necessary in three locations
      • Campus – within the customer network
      • The edges – customer facing the provider, provider facing customer
      • On the provider network
  • QoS tasks
    • Campus access switches
      • Speed/duplex settings
      • Classification
      • Trust
      • Phone/access switch configs
      • Multiple queues on switch ports, including priority for VOIP
    • Campus distribution
      • L3 policing and marking
      • Multiple queues on switch ports, including priority for VOIP
      • WRED
    • WAN edge
      • SLA definitions
      • LLQ
      • LFI
      • WRED
      • Shaping
    • Provider cloud
      • Capacity planning
      • PHB
      • LLQ
      • WRED
  • Enterprise campus QoS implementation
    • Implement multiple queues to avoid congestion
    • Assign VOIP and video to highest priority queue
    • Esablish trust boundaries
    • Use policing to rate-limit excess traffic
    • Use hardware QoS when possible
  • Control Plane Policing (CoPP)
    • Applies QoS policy to traffic destined for the router
      • Routing protocols
      • Management protocols
    • Can be used to avoid DOS attacks
    • Applied to control-plane in global config
    • ]]>     http://aconaway.com/2010/02/03/ont-notes-pre-classify-and-end-to-end-qos/feed/ 2     Using CDP To Track Down Physical Connections http://aconaway.com/2008/10/31/using-cdp-to-track-down-physical-connections/ http://aconaway.com/2008/10/31/using-cdp-to-track-down-physical-connections/#comments Fri, 31 Oct 2008 15:53:03 +0000 Aaron Conaway http://aconaway.com/?p=143 We have a location that’s a few blocks down from the main office here, and we were reviewing the circuit size to make sure it was sized properly.  Since not one person knows what’s going on and the trending graphs gave us conflicting details, one of our network dudes took me down to the site to do a physical survey to see what’s going on.  Well, besides the fact that no one was there, we discovered a hodgepodge of routers and switches that were cross-connected to one another on multiple floors of the building (I really wish I could post pics to emote the effect).  It’s kind of hard to figure out what’s going on when you can’t see both ends of the cable, so we had to abandon all hope.

    What are our options, then, to see how things are uplinked and connected?  In this case, CDP is the answer.  The Cisco Discovery Protocol (CDP), if you don’t know, tells you what other Cisco devices a particular Cisco device in plugged into.  So, if you have a 2811 plugged into a 2960, you can see what ports they’re connect on along with some other details.  Here’s an example.

    Switch1#sh cdp neighbors
    Capability Codes: R – Router, T – Trans Bridge, B – Source Route Bridge
    S – Switch, H – Host, I – IGMP, r – Repeater, P – Phone

    Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
    Router1                    Gig 0/10              122             R       3640      Fas 0/1
    Switch2                    Gig 0/9               141            S I      WS-C2950G-Fas 0/48

    As you can see from the output, Switch1′s G0/10 is plugged into Router1′s F0/1 interface, and Switch1′s G0/9 is plugged into Switch2′s F0/48.  You can also see that Router1 is a 3640 and a router (the “R” under Capability).  Switch2 is a 2950G switch.

    So, today, I’m going to start at the head end of my frazzled location and try to figure out where everything is connected.  I’ll get all the CDP neighbors for that device, document it, then repeat for the next hop until I’m all the way through.  When I’m done, I should have a nice physical map.

    Beware, my friends, that the “C” stands for Cisco.  It doesn’t stand for Juniper or Nortel or anybody else.  The rule is that CDP only shows your Cisco devices that are connected together and won’t show any other devices in the path, but there are exceptions.  Since it’s broadcast-based, a lot (maybe all?) non-Cisco switches just pass along the packet to the next hop on layer 2, so you may see CDP neighbor adjacencies between switches that aren’t connected to one another.  CDP will think they are, and I don’t know of any way to detect that, so be careful.

    Send me money Halloween candy comments if you feel inclined.

    ]]>     http://aconaway.com/2008/10/31/using-cdp-to-track-down-physical-connections/feed/ 2     Diagrams — Physical Is Not Enough! http://aconaway.com/2008/04/24/diagrams-physical-is-not-enough/ http://aconaway.com/2008/04/24/diagrams-physical-is-not-enough/#comments Thu, 24 Apr 2008 14:22:09 +0000 Aaron Conaway http://aconaway.com/2008/04/24/diagrams-physical-is-not-enough/ In my billion years in the industry, when I’ve asked for network diagrams, I’ve inevitably received a physical diagram — a diagram that shows where stuff is plugged in. This is fine and dandy and has lots of information, but that’s not really enough these days. In the times of Arthur, when every piece of network gear did a single thing, you only needed to know where things were plugged in. In the modern era, devices do more — a switch can route and house wireless, an ASA can terminate VPNs and be a switch — so you need more than just where the cables run.

    Logical diagrams show layer-3 (the IP networks) and how those are interconnected. From that, the diagram inherits the data paths as well — how does the packet get from network A to network B and back. You can’t see that with physical diagrams in a lot of cases.

    Here’s a physical diagram of a single Internet router and a 6509 with an FWSM. It literally shows a router and a switch. How many IP networks do I have? How many firewall interfaces do I have? How many layer-3 interfaces on the 6509 am I using? This logical diagram, however, shows the same network from layer-3. A big difference, eh? Didn’t know I had 8 networks, did you?

    Don’t go replacing all your physical diagrams with logical ones, though. You still have to know where things are plugged in, so keep the physical…just add a logical as well.

    Tip of the day: Use Visio tabs for logical and physical diagrams on the same document.

    ]]>     http://aconaway.com/2008/04/24/diagrams-physical-is-not-enough/feed/ 4