Archive Page 2

OSPF – Part 9

Published February 22, 2010 Al Friebe , Routing & Switching Leave a Comment
Tags:

Continuing on with our detailed discussion of OSPF, let’s look at how OSPF routers handle prefixes from external routing domains. Refer to Figure 1:

Let’s say that there are 100 subnets in the RIP cloud. If we configure R3 to redistribute the RIP routes into OSPF (using the “redistribute” command under OSPF), R3 will be an ASBR (Autonomous System Boundary Router). Likewise, let’s assume that there are also 100 prefixes within the EIGRP cloud, and that we have configured R4 as an ASBR, redistributing EIGRP into OSPF. As part of their ASBR function, R3 and R4 will advertise each individual prefix within their respective external routing domain into Area 0, using a Type 5 (external) LSA. Since by default Type 5 LSAs have autonomous system flooding scope, they will be passed into Area 1 by R3 and R4. Thus, R5 will have two possible paths (via R3 or R4) to all 200 external prefixes.

When configuring an ASBR, we have the option of including or ignoring internal costs (those of the links within the OSPF cloud) when calculating the metrics to external destinations. Let’s assume that “O E1” (“OSPF External Type 1”) routes are used, for which the internal metrics are considered. If we look at things from R5’s perspective, each of the destinations listed would be reached using the lowest-cost path, via the specified next hop:

  • Subnet A via R3 (cost = 3)
  • Subnet B via R3 (cost = 3)
  • Subnet C via R4 (cost = 3)
  • Subnet D via R4 (cost = 3)
  • RIP cloud via R3 (100 prefixes, each at cost = 21)
  • EIGRP cloud via R4 (100 prefixes, each at cost = 21)

At this point, each router within the OSPF routing domain will know the best path to each individual prefix within the OSPF cloud, as well as to each individual prefix within the RIP and EIGRP clouds. The best path to each external prefix will appear in R5’s IP routing table as “O E1” route.

Next time, we’ll take a detailed look at OSPF’s route summarization features, including possible unintended consequences of their use.

Author: Al Friebe

Virtualized Data Center Webcasts

Published February 19, 2010 Data Center Leave a Comment
Tags: ,

Last month, Cisco, VMWare, and intel put together a virtual conference on data center virtualization. The recordings of the 13 webcasts presented are now available online. Topics covered were:

  • Virtualized Data Center Roundtable
  • Emerging Trends in Enterprise Cloud Infrastructure
  • Virtualized SAP Applications: From The Datacenter To The Cloud
  • Enterprise Cloud Solutions – Focus on Flexibility
  • Transformational Business Value of Data Center Virtualization
  • Unified Computing System Innovations
  • Case Study: Terremark’s InfiniCenter Virtualization Story
  • Data Center 3.0: Unifying the Virtualized DC Infrastructure
  • Nexus 1000V
  • Cloud Computing: Will a Growth Story Unfold in 2010?
  • SAP Applications in Virtual Environments
  • HyperCED the new Data Center as a Service
  • Server Virtualization: Maturity Brings Complexity

Virtualization – ASA vs. IPS

Published February 19, 2010 Doug McKillip , Security Leave a Comment
Tags: , ,

Many of the students I teach for the Cisco Intrusion Prevention Systems (IPS 6.0) class attend because they have procured an ASA Security appliance with the AIP-SSM, or the Advanced Intrusion Prevention Security Services Module. These students also may have recently attended the Securing Networks with ASA Fundamentals (SNAF) class as well.

While each class discusses the topic of virtualization, yet neither offers a comparison of implementation between the ASA and IPS platforms, I have been offering the “chalk talk” table shown below:

Let’s look at the features in this table one by one. First, for the ASA virtualization is a feature that is licensed; the base license allows for only two of them, the upper end models can support up to 50. With the IPS sensor, however, the virtualization is bundled; consequently, no additional procurement expense is required for additional virtual “instances”. The downside to this, however, is that the IPS sensor only supports four virtual sensors.

A feature on the ASA which some administrators find attractive is the ability of segregating the appliance into separate administrative domains. In this manner, a member of an IT staff could establish a ssh session to the ASA and only see a subset of the available physical or logical interfaces. By contrast, anyone logging into either the CLI or the GUI interface of the IPS sensor with administrator privilege would have access to ALL virtual sensors.

With the ASA appliance, each virtual firewall (or security context) is maintained through a distinctly separate configuration file; with the IPS sensor a single configuration file is used for all virtual sensors. For the ASA, these context configuration files can be kept on an external server and retrieved using the config-url location specified in the system configuration area. For the IPS sensor, however, only the default current-config file is used.

Finally, a common characteristic of both virtualization implementations is the allocation of interfaces between the virtual instances. Both the ASA and the IPS allow for the use of logical subinterfaces with 802.1q VLANs although the IPS sensor does not allow for an interface to be shared between virtual sensors as it can be with virtual firewalls.

Author: Doug McKillip

References

Quality of Service, Part 12 – Low Latency Queuing

Published February 18, 2010 Paul Stryer , Unified Communications Comments
Tags:

Part 11 of this blog series looked at Class Based Weighted Fair Queuing. This blog will explore the next queue mechanism; Low Latency Queuing (LLQ).

As seen in the previous section of this QoS series, CBWFQ provides user defined traffic classes allowing for more control and functionality than weighted Fair Queuing. CBWFQ uses matching criteria obtained by Network Based Application Recognition (NBAR), or access control lists (ACLs). A queue is reserved for each class and matching traffic is directed to that queue.

Low Latency Queuing
LLQ adds strict priority to the CBWFQ and allows delay sensitive data (Voice and Video) to be dequeued and sent before lower priority packets. This practice gives delay sensitive data preferential treatment over other traffic. To direct traffic to the LLQ, use the priority command for the class after the named class within a policy map is specified. Any class of traffic can be attached to a service policy, which uses priority scheduling, and that traffic can be prioritized over other class traffic.

When you specify the priority command for a class, it takes a bandwidth argument that gives maximum bandwidth in kilobits per second (kbps). Use this parameter to specify the maximum amount of bandwidth allocated for packets belonging to the class configured with the priority command. The bandwidth parameter both guarantees bandwidth to the priority class and restrains the flow of packets from the priority class.

Without Low Latency Queueing, CBWFQ provides weighted fair queuing based on defined classes with no strict priority queue available for real-time traffic. CBWFQ allows you to define traffic classes and then assign characteristics to that class. For CBWFQ all packets are serviced fairly based on weight; no class of packets may be granted strict priority. This scheme poses problems for voice traffic that is largely intolerant of delay, especially variation in delay. For voice traffic, variations in delay introduce irregularities of transmission manifesting as jitter in the heard conversation.

LLQ Configuration

In this configuration notice that the Class-Map VoIP sets the IP Precedence of 5, which sets all traffic with an IPP of 5 to this class. The priority command within the policy-map indicates the VoIP Class is a Priority Queue (PQ) and this traffic will get priority over other queues. In this example, the priority is set to 10% of the bandwidth for this traffic.

Priority Bandwidth = Allocates a fixed amount of bandwidth to a class to ensure expedited forwarding.
Priority Percent = Allocates a percentage of the configured or default interface bandwidth to ensure expedited forwarding.

LLQ Show Command

Author: Paul Stryer

References

OSPF – Part 8

Published February 17, 2010 Al Friebe , Routing & Switching Leave a Comment
Tags:

Having discussed OSPF route summarization and the various types of stub areas, let’s look at the potential drawbacks of using those features. We’ll start by reviewing how OSPF acts before any summarization features are configured. Refer to Figure 1:

As you can see, R3 connects Area 0 and Area 1 together, making R3 an OSPF ABR (Area Border Router), and likewise for R4 (for fault-tolerance, it’s always a good idea to have two ABRs connecting a pair of areas). As part of their ABR function, both R3 and R4 will advertise each individual prefix within Area 0 into Area 1 (and vice-versa) using a Type 3 (Summary) LSA (Link State Advertisement). Each individual Type 3 LSA sent into Area 1 by the ABRs will appear in R5’s LSDB (Link State Data Base).

As we know, each OSPF router uses Dijkstra’s SPF (Shortest Path First) algorithm to determine the lowest-cost path to each prefix. For this simple topology, we can see by inspection that R5 (an OSPF internal router) will have two possible paths (via R3 or R4) to each prefix within Area 0.

Assuming that all of the links within the OSPF domain are Fast Ethernet, each link will have an OSPF cost of 1 (by default Cisco routers set the OSPF link cost equal to 100 Mbps divided by the bandwidth). Therefore, from R5’s perspective, we should have the following lowest-cost paths:

  • Subnet A via R3 (cost = 3)
  • Subnet B via R3 (cost = 3)
  • Subnet C via R4 (cost = 3)
  • Subnet D via R4 (cost = 3)

Note that all four subnets can also be reached the “long way around” (for example, Subnet A via R4 at a cost of 4), but those paths would not be used if a lower-cost path exists. The best path to each prefix within Area 0 will appear in R5’s IP routing table as an “O IA” (OSPF Inter-Area) route.

Next time, we’ll discuss how R5 sees the prefixes within the RIP and EIGRP clouds.

Author: Al Friebe

The Unified Computing Journey

Published February 16, 2010 Data Center Leave a Comment

Organizations are ready to promote greater value with virtualization, however, data center complexity and costs are skyrocketing. Virtual machines have emerged as the new “atomic unit,” moving fluidly throughout the data center, promising reduced costs and increased flexibility. Hindered by decreasing budgets and accidental architectures of the past, IT managers are struggling to realize the full potential of virtualization. IT leaders must navigate a complex maze; combining diverse solutions and manual processes in the quest to cost effectively refresh aging technology, adhere to industry standards, and plan a safe path to the future. Strategic architecture decisions made today will largely determine an organization’s competitive position for the next economic cycle. As a result, core assumptions about infrastructure and data center strategies are shifting radically.

The key to a more efficient, simplified, and manageable data center lies with Cisco Unified Computing. This integrated architectural approach is built upon the virtual machine as the core element, uniting virtualized compute, network, and storage resources to reduce costs and increase agility. Cisco’s innovations are designed to unify data processes, simplify data center complexity, and amplify business results.

The journey to Unified Computing can be taken in an incremental “building block” approach with unique benefits at each stage. Unified Computing is not an “all or nothing” proposition — Cisco understands that modern data centers are heterogeneous environments with complex interdependencies. Unified Computing components can be deployed as your needs and operational readiness dictate, bringing incremental advantages and investment protection to your computing infrastructure. You can embark upon this journey in several stages:

  1. Converges the Fibre Channel network with the Ethernet network
    • Cisco UCS C-Series rack mount servers take advantage of Intel Xeon 5500 processor innovations that maximize performance and virtualization capabilities.
    • Extended memory technology enhances and increases the number of virtual machines that each physical system is capable of maintaining. Cisco’s patented extended memory technology offers the ability to move well beyond the limitations of traditional servers offering up to 384GB of memory in a 2RU form factor, offering dramatic memory cost savings and server consolidation.
    • Cisco UCS C-Series servers integrate easily into heterogeneous data centers that use enterprise management tools such as BMC BladeLogic and others.
  2. Unify fabrics across all your servers and storage:
    • Unified fabric with Cisco Nexus 5000 Series Switches and Nexus 2000 Series Fabric Extenders that support both IP network and storage connectivity at the server access layer that reduces infrastructure costs and simplifies connectivity, cabling, administration, and management.
    • VN Link, virtualization-aware networking with Cisco Nexus 1000V that allows consistent policy driven network capabilities that move with the virtual machine during a VMware VMotion event. Additionally, Cisco offers a Virtual Interface Card that is a hardware instantiation of the Nexus 1000V, offering performance enhancements to Cisco’s UCS C-Series servers.
  3. Unify management:
    • In today’s data centers, servers are difficult to deploy and repurpose, often requiring days to implement. This requires careful coordination between server, networking, and storage teams to make sure that all devices work together properly. Cisco UCS Manager embeds, unifies, and abstracts all those individually combined management consoles off the compute devices themselves and makes them role based with access controls that allow a more effective enforcement of infrastructure policies under a single, cohesive management domain. In addition, Cisco UCS Manager can flexibly integrate with existing enterprise management tools through an advanced API toolset.
    • Dynamic provisioning and service profiles offer the ability to move the server identity fluidly throughout the data center, allowing provisioning and re-provisioning in minutes, dramatically simplifying a previously tedious process.
    • Role-based access and policy controls within a single management toolset streamline interdepartmental workflows, releasing vital resources to other tasks.

Unified Computing is a revolutionary new approach to the virtualized data center. It offers the means to integrating virtualized compute, network, and storage access into a centrally managed environment. Each innovation can be deployed as a building block to reduce cost and increase agility; delivering a more efficient, simplified data center that’s easier to manage. The journey to Unified Computing can be one of incremental improvements, dictated by your needs, that when fully combined can help you realize the full potential of your data center.

Author: Scott Ciccone, Product Marketing Manager, Unified Computing System Solutions

**Reprinted from the Cisco Data Center e-newsletter. Subscribe here to get your own copy.

Reference: Cisco’s Unified Computing Solution – Learn more

Quality of Service, Part 11: CBWFQ

Published February 16, 2010 Paul Stryer , Unified Communications Leave a Comment
Tags:

Part 10 of this blog series looked at Weighted Fair Queuing, so now we move on to the next queue mechanism; Class Based Weighted Fair Queuing (CBWFQ).

CBWFQ provides user defined traffic classes allowing for more control and functionality then weighted Fair Queuing. CBWFQ uses matching criteria obtained by Network Based Application Recognition (NBAR), or access control lists (ACLs). A queue is reserved for each class and matching traffic is directed to that queue.

Low Latency Queuing (LLQ) adds priority to the CBWFQ and allows delay sensitive data to be dequeued and sent before lower priority packets, giving delay sensitive data preferential treatment over other traffic. LLQ will be discussed in the next part of this QoS series.

Class Based Weighted Fair Queuing
Once the packets have been matched and the class is defined, a characteristic is assigned to the class. The characteristics that are assigned are bandwidth, weight, and maximum packet limit. The bandwidth is the minimum bandwidth delivered to the class during congestion, and the maximum packets is how many packets are allowed to accumulate in the class queue before tail drops start happening to the worst finish time packets.

CBWFQ supports multiple class maps to classify traffic, with tail drop being the default dropping scheme. Weighted random early detection (WRED) can be used with CBWFQ to prevent class congestion. Guaranteed bandwidth is configured by weights and assigned to traffic classes. The following weights can be used to specify class weight. The reserve default is set to 75%, and must be within the allocated bandwidth. Single service policies cannot mix fixed bandwidth and bandwidth percentages commands.

  • Bandwidth = This command allocates a fixed amount of bandwidth and the reserve bandwidth is subtracted from the available bandwidth of the interface where the service policy is used.
  • Bandwidth percent = This command is used to allocate a percentage of the default or available bandwidth of an interface.
  • Bandwidth remaining percent = This command allocates a portion of the unallocated bandwidth.

Continue reading ‘Quality of Service, Part 11: CBWFQ’

AnyConnect Syslog Troubleshooting

Published February 15, 2010 Doug McKillip , Security Leave a Comment
Tags: , ,

I recently was presented with the challenge of logging ALL of the pertinent connection, disconnection, and termination messages associated with the Cisco SSL AnyConnect client without overwhelming the syslog capture display with extraneous messages. This blog will briefly outline the applicable log messages and what they do, along with some screenshots displaying both the provisioning in ASDM and the behavior in the log itself.

Listed below are blocks of syslog message ID’s appropriate for AnyConnect connectivity issues for the Cisco ASA security appliance running OS8.2. Rather than give a specific for each and every log message, message ranges are listed along with a general description of what the messages are indicating. Later we will describe how we adjusted the log levels.

113001 – 113009 – AAA Success/Failures for user authentication/group authorization
716001 – 716023 - WebVPN group-specific access functions for a user success/failure
716038 – 716040 - User-specific login success/failure/failure due to reboot
716043 – 716045 – WebVPN port-forwarding / AAA parameter problems
716052 – 716057 – Server-terminated sessions, Single-Sign-On login status
719022 – 719023 – WebVPN user authentication success / failure
721016 – 721019 – WebVPN session creation / deletion
722001 – 722028 – SVC connection success / failure issues
722032 – 722038 – SVC connection establishment / termination
722042 – 722053 – ASA VPN server issues (software, config, etc.)
725001 – 725015 – SSL session establishment / termination
734001 – 734005 – Dynamic Access Policy (DAP) messages
737001 – 737019 – IP Address Assignment (IPAA) messages
737024 – 737026 – IP Address Assignment (IPAA) messages, continued

Continue reading ‘AnyConnect Syslog Troubleshooting’

Quality of Service, Part 10 – Weighted Fair Queuing

Published February 12, 2010 Paul Stryer , Unified Communications Leave a Comment

Last time we looked at First-In First-Out queue management, in this blog we’ll explore the next queue mechanism on our list: Weighted Fair Queuing (WFQ).

WFQ is a flow-based queuing algorithm used in Quality of Service (QoS) that does two things simultaneously: It schedules interactive traffic to the front of the queue to reduce response time, and it fairly shares the remaining bandwidth between high bandwidth flows.

A stream of packets within a single session of a single application is known as flow or conversation. WFQ is a flow-based method that sends packets over the network and ensures packet transmission efficiency which is critical to the interactive traffic. This method automatically stabilizes network congestion between individual packet transmission flows. There are three types of WFQ:

  • Flow based Weighted Fair Queuing
  • VIP distributed Weighted Fair Queuing
  • Class based Weighted Fair Queuing

The WFQ method has the advantage of being fast, reliable and easy to implement. WFQ follows these main criteria:

  • Dedicated queues for each flow (referred to as conversations), messages are sorted into conversations reducing starvation, delay, and jitter within the queue.
  • Allocating bandwidth fairly and accurately among all flows, reducing scheduling delay and guaranteeing service.
  • IP Precedence is used as weight when allocating bandwidth.

Although bandwidth is allocated fairly among all flows, unfairness is reinstated by giving proportionately more bandwidth to flows with higher IP precedence or lower weight.

WFQ has to classify individual flows using the following information taken from the IP/TCP/UDP headers. These parameters are used as input for a hash algorithm that produces a fixed length number that is used as the index of the queue.

  • Source IP address
  • Destination IP address
  • Protocol number to identify TCP or UDP
  • Type of service field
  • Source TCP/UDP port number
  • Destination TCP/UDP port number

Continue reading ‘Quality of Service, Part 10 – Weighted Fair Queuing’

Quality of Service, Part 9 – FIFO Queuing

Published February 9, 2010 Paul Stryer , Unified Communications Leave a Comment
Tags:

In part 8 of this blog series congestion management and its four main queuing methods were explored. This post will look at the first of four queuing methods: First In First Out (FIFO) queuing.

To refresh our memories, congestion can occur anywhere within a network, such as sections of the network that have speed mismatches, aggregations points, or confluences. Queuing algorithms are used to manage congestion. There are many different algorithms to serve multiple needs. The ultimate goal is to provide bandwidth and delay guarantees in order to prioritize the network traffic.

Speed mismatches occur when traffic moves from one speed network (such as a 100Mbps LAN) to another network with a different speed (Such as a 10Mbps LAN). This could be a LAN-to-LAN or LAN-to-WAN mismatch; however, usually it is a high speed to a low speed connection.

Aggregation congestion occurs when multiple connections feed into one main connection. A typical situation would be when multiple remote sites connect into one central site. For example if you have twenty remote sites with 256K WAN links that all connect to the headquarters via a single T1 connection, it would be very easy for the T1 connection to become oversubscribed.

Queuing Components
Queuing accommodates bursts on the router when the arrival rate of packets is greater than the departure rate. Two main reasons for bursts are the cause of queuing to be used:

  1. Input interface is faster than the output interface
  2. Output interface is receiving packets coming in from multiple other interfaces

Queuing is split into two parts:

  1. Hardware queue: Uses FIFO , and is sometimes called the transmit queue (TxQ)
  2. Software queue: Schedules packets into the hardware queue based on the QoS settings

A full hardware queue indicates interface congestion and software queuing is used to manage it. When a packet is being forwarded, the router will bypass the software queue if the hardware queue is not full.
First In First Out(FIFO)  Queuing

FIFO queuing algorithm is the simplest of the congestion management methods. All packets are treated equally, and placed into a single queue and serviced the order they were received. Hence the name FIRST-IN FIRST-OUT. FIFO queuing offers the following benefits:

  • FIFO is supported on all Cisco Platforms
  • FIFO queuing is supported in all version of Cisco IOS
  • FIFO queuing places an extremely low load on the system when compared with other queuing mechanisms.
  • FIFO queuing is predictable, and delay is determined by the maximum depth of the queue.
  • FIFO queuing does not add significant queuing delay at each hop as long and the queue depth remains low.

FIFO queuing also poses the following limitations:

  • FIFO queuing is extremely unfair when an aggressive flow contests with a time sensitive flow. Aggressive flows send a large number of packets, many of which are dropped. Time sensitive flows send a modest number of packets and most are dropped due to the queue always being full of aggressive flow packets. This behavior is called starvation.
  • When the Queue is full, packets entering the queue have to wait longer. When the queue is not full, packets entering the queue do not have to wait as long as when the queue was full. Variation in delay is called Jitter.
  • A single FIFO queue does not allow routers to organize buffered packets and service one class of traffic differently from other classes of traffic.
  • During periods of congestion, FIFO queuing benefits UDP flows over TCP flows. When experiencing packet loss due to congestion, TCP based applications reduce their transmission rate. UDP based applications remain oblivious to packet loss and continue transmitting packets at their usual rate. Because TCP based applications slow their transmission rate to adapt to changing network conditions, FIFO queuing can result in increased delay, jitter, and a reduction in the amount of output bandwidth consumed byTCP applications.

Author: Paul Stryer

References

« Previous PageNext Page »

Subscribe in a Reader

Subscribe by Email

Follow us on Twitter

Featured Courses

Archives

Cisco Live 2010