Monday, June 29, 2009

Cisco Certified Architect

Cisco just announced today a new certification, the Cisco Certified Architect (CCA). It requires a valid CCIE and CCDE, and candidates are selected through an application process. Sounds pretty intense, but it should be interesting to see what kind of results the new track churns out. Some initial feedback from current CCIEs seems to be a bit melancholy since they are no longer 'at the top'.

I better get crackin' at studying!

http://newsroom.cisco.com/dlls/2009/prod_062909.html

Monday, June 22, 2009

Iran and the Internet

Pretty interesting read over at the WSJ about Iran's Internet connection, and how the government is blocking, censoring and inspecting packets: Iran's Web Spying Aided By Western Technology.

I was a bit appalled that the Siemens and Nokia joint venture created the solution for the Iranian government to do DPI on the entire Iranian Internet connection. But as the article quotes a spokesperson for the joint venture, they made the decision to sell the product (which was part of a larger contract to provide a mobile network) based on the idea that they would rather provide the ability for Iranians to communicate than not at all.

I suppose that decision is probably the correct decision (or lesser of the two wrongs). Considering that DPI isn't a perfect technology, and can often be easily circumvented, maybe they're (Siemens/Nokia) not so bad after all. Maybe knowing that fact is how they are able to sleep at night.

Follow-up to OSPF Boundary Tricks

I recently found a new trick posted on Shivlu's blog on how to keep OSPF external routes from entering the domain: http://shivlu.blogspot.com/2009/06/eradicate-ospf-external-routes.html.

The idea behind this method is to create a loopback interface that carries the same IP subnet as the customer network beyond the connected interface. You then apply the 'ip ospf network point-to-point' command to that loopback to override the IOS default for loopbacks, which would advertise only the /32 host address of the interface rather than the subnet. A local static route for the customer network is then pointed out the real interface (a route-map is optional, to keep this static from being redistributed if there are other statics that do need to be redistributed into OSPF).

The router is then able to advertise the customer route throughout the OSPF domain as a route it knows about 'internally' (an intra-area route rather than an external one). Once a packet reaches the router, the static route is used to forward it correctly.
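As an added illustration (not from the original post and not from Shivlu's blog), here is what the recipe might look like on the RemoteA router from the "Passive-Interface" post below, reusing its addresses: FastEthernet0/1 is 192.168.100.1/24 toward the customer, and the customer LAN is 192.168.101.0/24. The loopback number, the customer router's address 192.168.100.2 and the route-map name are my own assumptions. One change from the recipe as described: the static is split into two /25s so that longest-match, rather than administrative distance, decides between the connected loopback and the statics; with a single /24 static the connected /24 on the loopback (distance 0) would be preferred over the static (distance 1) and the edge router would not forward traffic along the static.

```cisco
! Added example, not from the original post or from Shivlu's blog.
! Reuses the RemoteA addresses from the "Passive-Interface" post below:
! Fa0/1 is 192.168.100.1/24 toward the customer, whose LAN is 192.168.101.0/24.
! Assumed: Loopback101 as the loopback name and 192.168.100.2 as the
! customer router's address on the shared segment.
interface Loopback101
 description Customer 1 LAN, advertised as an intra-area OSPF route
 ip address 192.168.101.254 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/1
 description ***Customer 1 Service Delivery Point***
 ip address 192.168.100.1 255.255.255.0
!
router ospf 10
 passive-interface FastEthernet0/1
 redistribute static subnets route-map Cust1
 network 192.168.100.0 0.0.0.255 area 5
 network 192.168.101.0 0.0.0.255 area 5
!
! The statics that actually forward toward the customer. They are split into
! two /25s (my change to the recipe) so longest-match, not administrative
! distance, chooses them over the connected /24 on Loopback101.
! They carry no tag, so the Cust1 route-map (match tag 5000) never
! redistributes them and no type 5 LSA is generated for this prefix.
ip route 192.168.101.0 255.255.255.128 192.168.100.2
ip route 192.168.101.128 255.255.255.128 192.168.100.2
!
route-map Cust1 permit 10
 match tag 5000
 set metric-type type-1
```

To check it, "show ip route 192.168.101.10" on RemoteA should resolve to one of the /25 statics via 192.168.100.2, while "show ip route ospf" on Core1 should list 192.168.101.0/24 with code O rather than O E1 or O E2.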

Tip of the hat to Shivlu for this trick!

-Mark

Thursday, June 11, 2009

OSPF – Domain Boundary Tricks

There are multiple ways to limit or cut off an OSPF autonomous system from sending or receiving updates: a couple of ways to stop updates from being sent out an interface, and the concept of stub areas, which limit LSAs to varying degrees.

Some of the reasons a network engineer might want to enable these features are: stopping updates from being sent out an interface that connects to an external customer, reducing the processing load, reducing the memory requirements on a router, reducing the bandwidth required to send updates to a remote site, and increasing the stability of the OSPF process (reducing how often the SPF algorithm has to run).

Database Outbound Filtering

interface Serial1/0:0.609 point-to-point
 description IP Services Link to RemoteA
 ip address 10.1.1.1 255.255.255.252
 ip ospf database-filter all out

router ospf 10
 network 10.1.1.0 0.0.0.3 area 5


Core1#sh ip ospf int s1/0:0.609
Serial1/0:0.609 is up, line protocol is up
  Internet Address 10.1.1.0/30, Area 5
  Process ID 10, Router ID 172.31.1.1, Network Type POINT_TO_POINT, Cost: 1
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Database-filter all out
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:03
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 10/11, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 172.31.1.15
  Suppress hello for 0 neighbor(s)


In the example above, the “ip ospf database-filter all out” command was enabled on the core router WAN interface facing a remote site. This command stops the transmission of all OSPF LSAs out that interface. However, it still allows OSPF hello packets to be sent and received, so a neighbor adjacency can be established. Because of the neighbor adjacency, the remote site can advertise routes to the core router; it just doesn’t receive any routes, and therefore requires a default route for any traffic outbound from the site.
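As an added example (not from the original post), here is the remote side of the design described above, reusing the addresses from the Core1 output: RemoteA (router ID 172.31.1.15) keeps the adjacency so its LAN subnets are still learned by the core, but because no LSAs arrive from Core1 it needs a static default pointing back across the link. RemoteA's address on the link (10.1.1.2), the subinterface name, the LAN interface and the site LAN subnet 192.168.1.0/24 are my assumptions.

```cisco
! Added example, not from the original post. RemoteA's end of the link
! to Core1, which has "ip ospf database-filter all out" on its side.
! Assumed: Serial1/0:0.609 as the WAN subinterface name, 10.1.1.2/30 as
! RemoteA's address, and 192.168.1.0/24 on FastEthernet0/0 as the site LAN.
interface Serial1/0:0.609 point-to-point
 description IP Services Link to Core1
 ip address 10.1.1.2 255.255.255.252
!
interface FastEthernet0/0
 description Site LAN
 ip address 192.168.1.1 255.255.255.0
!
router ospf 10
 router-id 172.31.1.15
 passive-interface FastEthernet0/0
 network 10.1.1.0 0.0.0.3 area 5
 network 192.168.1.0 0.0.0.255 area 5
!
! Core1 filters every LSA toward this site, so no OSPF default (or any other
! OSPF route) will ever be learned here. A static default across the link
! carries all outbound traffic; the adjacency exists only so the core learns
! the site LAN.
ip route 0.0.0.0 0.0.0.0 10.1.1.1
```

Verify with "show ip ospf neighbor" that the adjacency with 172.31.1.1 is FULL, and with "show ip route ospf" that RemoteA's table carries no OSPF routes, only the static default; on Core1, "show ip route ospf" should still list 192.168.1.0/24 as an intra-area route learned from RemoteA.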

Passive-Interface

!
interface FastEthernet0/1
 description ***Customer 1 Service Delivery Point***
 ip address 192.168.100.1 255.255.255.0
 ip access-group Cust1-IN in
 ip access-group Cust1-OUT out
 rate-limit input 512000 70400 76800 conform-action set-prec-transmit 2 exceed-action set-prec-transmit 1
 rate-limit output 512000 70400 76800 conform-action set-prec-transmit 2 exceed-action drop
 duplex auto
 speed auto
 no cdp enable

router ospf 10
 redistribute static subnets route-map Cust1
 passive-interface FastEthernet0/1
 network 192.168.100.1 0.0.0.255 area 5
 
ip route 192.168.101.0 255.255.255.0 192.168.100.1 tag 5000

route-map Cust1 permit 10
 match tag 5000
 set metric-type type-1


RemoteA#sh ip ospf int fa0/1
FastEthernet0/1 is up, line protocol is up 
  Internet Address 192.168.100.1/24, Area 5 
  Process ID 10, Router ID 172.31.1.15, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) RemoteA.xyz.com, Interface address 172.31.2.1
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    No Hellos (Passive interface) 
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 9/9, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0 
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
      No key configured, using default key id 0


In this example, the FastEthernet0/1 interface connects to an external customer, and sending any OSPF packets over that interface is undesirable. We still want to include the connected interface subnet, and any subnets beyond our connected point, in our OSPF domain so that other customer sites can talk to them. The “passive-interface” command stops hellos from being sent out the interface, preventing a neighbor adjacency, but still allows the connected interface route to be injected into the OSPF process. Any networks beyond the connected interface will require redistribution.

Stub Areas – Limiting LSAs

There are several types of stub areas with different effects: Stub Areas, Totally Stub Areas, Not So Stubby Areas (NSSA), and NSSA Totally Stub. The quick gist of the difference is which types of LSAs the ABR will send into the stub area; a default route is then advertised to cover all other networks.

- Stub areas will send only Intra-area and Inter-area LSAs (types 1-4) to the stub, and a default route.
- Totally stubby areas will only send Intra-area routes (types 1-2), and the default route.
- NSSAs are the same as a Stub area, but a router in the stub area is also an ASBR (routes are being redistributed into OSPF). Since Type-5 LSAs are not allowed in a Stub area, the ASBR originates a type 7 LSA that is sent back to the core router (ABR), where the ABR converts it into a type 5 LSA to advertise onward.
- NSSA totally stub areas are, of course, the same as a regular NSSA, but they do not advertise any Inter-area routes into the stub (no type 3-5, only 1-2).

A network engineer might want to use one of these types of stub areas in situations similar to the first example for “Database Outbound Filtering”. Rather than cutting off all routes advertised to a remote site, having some visibility into the OSPF domain could prove to be more resilient to network outages.

Configuration of the different stub areas is fairly straightforward. Below are the commands to configure each type of stub area.

Stub Area:
router ospf 10
 area 5 stub
 network 10.1.1.0 0.0.0.3 area 5


Totally Stub Area:
router ospf 10
 area 5 stub no-summary
 network 10.1.1.0 0.0.0.3 area 5


NSSA:
router ospf 10
 area 5 nssa
 network 10.1.1.0 0.0.0.3 area 5


NSSA Totally Stub:
router ospf 10
 area 5 nssa no-summary
 network 10.1.1.0 0.0.0.3 area 5


The ‘area’ command that specifies the stub area must be configured on the ABR, and all routers in the stub area. The easiest way you can verify the functionality of each of the different types of stubs is with the “show ip route” command to see the “O” (intra-area), “O IA” (inter-area), “O E1” (external type-1), and “O E2” (external type-2) routes. The default route that is generated and advertised into the stub area is always listed as an OSPF inter-area route.

These are just some of the ways that I’ve come across over the past few years as a network engineer to adjust the way OSPF operates. If you know of any other ways, please post your ideas!

-Mark