Random thoughts while lab’n

A short non-technical blog just to share with you guys the random thoughts that run through my mind whenever I sit down to study.

– How much time do I have left before I take my lab?
– Thinking of checking facebook, youtube, linkedin, techexam
– Should I write a blog after learning this lesson
– How would I apply this in my job
– I hope work doesn’t think I am not doing my job well because I am focused on studying
– Is this all worth it? What if I fail?
– You can do this!!! You are what you think!
– Should I stand or sit? Is it time to take a break?
– I am hungry what should I eat?
– Should I be labbing this now? What if I watch the video first, then lab?
– I am so confused…should I just skip this or change topic?
– I hope my wife’s fine with me stuck in the room for how many hours studying
– Do I need coffee right now?
– Should I take another leave weeks before the actual exam?
– Do I really need to study or remember this command? What if I am just wasting my time remembering this?
– Why am I doing this in the first place?

I will probably add more in the future…

Time-based ACLs

Continuing on with our security basics, this time with ACLs. When I was studying for my CCNA almost 3 years ago, the material mentioned time-based policies, but not once in any lab manual did I get to see what one actually looked like.

Well, here it is. Imagine you are managing your network (a really neat application would be your own internet connection at home). You can create a policy that limits the times the internet can be accessed through your router; you can even go further and be specific about websites, but for simplicity’s sake we’ll just limit all internet access.

Obviously, for this to really work, make sure that your router’s clock is in sync with the correct time (NTP is the usual way to do that).

conf t
!
time-range NO_INTERNET_WEEKDAYS
periodic monday wednesday friday 0:00 to 7:00
periodic monday wednesday friday 18:00 to 23:54
!
time-range NO_INTERNET_WEEKEND
periodic weekend 7:00 to 15:00
!
ip access-list extended NO_INTERNET_TIME
deny tcp any any eq www time-range NO_INTERNET_WEEKDAYS
deny tcp any any eq www time-range NO_INTERNET_WEEKEND
permit ip any any
!
int fa0/0
description WAN
ip access-group NO_INTERNET_TIME out
!
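To see exactly which packets this policy stops and when, here is an added example (my own code, not from the post) that parses a constructed copy of the time-range and ACL lines above and evaluates a packet against them at a given time. It also shows the caveat a practitioner should notice: "eq www" matches TCP port 80 only, so HTTPS on 443 passes even inside the blocked windows.

```python
from datetime import datetime
# Constructed copy of the post's config, written in IOS form (periodic ... 'to' ...).
CONFIG = """
time-range NO_INTERNET_WEEKDAYS
 periodic monday wednesday friday 0:00 to 7:00
 periodic monday wednesday friday 18:00 to 23:54
time-range NO_INTERNET_WEEKEND
 periodic weekend 7:00 to 15:00
ip access-list extended NO_INTERNET_TIME
 deny tcp any any eq www time-range NO_INTERNET_WEEKDAYS
 deny tcp any any eq www time-range NO_INTERNET_WEEKEND
 permit ip any any
"""
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}
PORTS = {"www": 80}  # 'eq www' matches TCP/80 only; HTTPS (443) is untouched

def parse(config):
    ranges, acl, current = {}, [], None
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[0] == "time-range":
            current = ranges.setdefault(tok[1], [])
        elif tok[0] == "periodic":
            to, days = tok.index("to"), set()
            for d in tok[1:to - 1]:
                days |= GROUPS[d] if d in GROUPS else {DAYS.index(d)}
            hm = lambda s: tuple(int(x) for x in s.split(":"))
            current.append((days, hm(tok[to - 1]), hm(tok[to + 1])))
        elif tok[0] in ("permit", "deny"):
            port = PORTS[tok[5]] if len(tok) > 5 and tok[4] == "eq" else None
            tr = tok[tok.index("time-range") + 1] if "time-range" in tok else None
            acl.append((tok[0], tok[1], port, tr))
    return ranges, acl

def acl_action(ranges, acl, proto, dport, when):
    hm = (when.hour, when.minute)
    for action, aproto, port, tr in acl:
        if aproto not in ("ip", proto) or (port is not None and port != dport):
            continue
        if tr and not any(when.weekday() in d and s <= hm <= e for d, s, e in ranges[tr]):
            continue  # entry is present but its time-range is not active now
        return action
    return "deny"  # implicit deny at the end of every IOS ACL

RANGES, ACL = parse(CONFIG)

def check(proto, dport, iso_time):
    """Evaluate one outbound packet, e.g. check('tcp', 80, '2024-06-03T19:00')."""
    return acl_action(RANGES, ACL, proto, dport, datetime.fromisoformat(iso_time))
```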

AAA back to basics

I think I’ve done enough BGP for the week and time to do some security basics.

service password-encryption
!
username delan password ccie
enable secret ccie
!
aaa new-model
!
aaa authentication login VTY local group tacacs+
aaa authentication login CONSOLE group tacacs+ line
aaa authentication enable default enable
aaa authorization exec group tacacs+ if-authenticated
!
aaa authentication username-prompt "Please enter your username: "
aaa authentication password-prompt "Please enter your password: "
aaa authentication banner #
Access to this router is restricted to friends of Delan A
#
!
aaa authentication fail-message #
Invalid password, please check your username, password or both
#
!
line con 0
login authentication CONSOLE
password ccie321
!
line vty 0 4
privilege level 15
authorization exec VTY
login authentication VTY
!
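The order of the methods in those two lists matters more than it looks. As an added example (my own code, not from the post), the script below models how IOS walks a login method list: the next method is consulted only when the previous one returns an error (for instance no TACACS+ server answered), never when it returns a plain authentication failure. The TACACS+ server is a constructed dictionary stand-in; the usernames and passwords are the ones from the config above.

```python
# Outcomes a single authentication method can return.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Method lists from the post's config.
METHOD_LISTS = {
    "VTY": ["local", "group tacacs+"],
    "CONSOLE": ["group tacacs+", "line"],
}
LOCAL_USERS = {"delan": "ccie"}   # username delan password ccie
LINE_PASSWORD = "ccie321"         # line con 0 password ccie321

def run_method(method, user, password, tacacs_up, tacacs_users):
    """Outcome of one method; tacacs_users is a constructed stand-in for the server."""
    if method == "local":
        # Only users present in the local database are modelled here.
        return PASS if LOCAL_USERS.get(user) == password else FAIL
    if method == "group tacacs+":
        if not tacacs_up:
            return ERROR                      # no server answered: move on
        return PASS if tacacs_users.get(user) == password else FAIL
    if method == "line":
        return PASS if password == LINE_PASSWORD else FAIL
    raise ValueError(f"unknown method {method}")

def authenticate(list_name, user, password, tacacs_up=True, tacacs_users=None):
    """Walk the named method list; returns (outcome, method that decided it)."""
    for method in METHOD_LISTS[list_name]:
        result = run_method(method, user, password, tacacs_up, tacacs_users or {})
        if result != ERROR:
            return result, method             # PASS and FAIL both end the walk
    return FAIL, None                         # every method errored: login denied
```

In practice this means a wrong local password on a VTY session is rejected outright even if TACACS+ would have accepted it, and the console only falls back to the line password while the TACACS+ servers are unreachable.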

BGP Local-AS to save the day

local-as

You are the network engineer for ACME Inc and your company has decided to change its Autonomous System (AS) number. You’re not sure what the reason for the change is, but you’re just doing what you are told.

There are two upstream connections, to AS 900 and AS 800. According to ISP AS 900 it would take a month for them to accept your new AS, while ISP AS 800 will be cutting over to the new AS tonight. But you need to go to a dinner party this evening, as it’s your wedding anniversary and you wouldn’t want to miss that.

The goal is to configure the network now, per management, to make the necessary changes: use the new AS internally (R1 is acting as a route reflector in your network), keep peering with AS 900 using AS 17111, and prep your peering with AS 800 to accept both the old and the new AS in the event they do the cut-over tonight while you get to enjoy dinner with the missus.

Solution: configure your edge routers with local-as: neighbor x.x.x.x local-as <oldAS> no-prepend replace-as {dual-as}. Configure the router facing AS 900 (R2) to maintain the BGP peering by presenting the previous AS. Configure R3 with dual-as as well, so that when AS 800 makes their change the peering is maintained with either AS number.

R1:

!
no router bgp 17111
router bgp 17146
neighbor 155.1.123.2 remote-as 17146
neighbor 155.1.123.3 remote-as 17146
neighbor 155.1.123.2 route-reflector-client
neighbor 155.1.123.3 route-reflector-client
!

R2:

!
no router bgp 17111
router bgp 17146
neighbor 155.1.123.1 remote-as 17146
neighbor 155.1.27.7 remote-as 900
neighbor 155.1.27.7 local-as 17111 no-prepend replace-as
!

R3:

!
no router bgp 17111
router bgp 17146
neighbor 155.1.123.1 remote-as 17146
neighbor 155.1.38.8 remote-as 800
neighbor 155.1.38.8 local-as 17111 no-prepend replace-as dual-as
!
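What each of those keywords does to the AS_PATH is easy to get wrong, so here is an added example (my own model, not from the post) of what the eBGP neighbor sees under the R2 and R3 neighbor statements. The rules it encodes are the IOS ones: local-as alone sends the OPEN with the local-as and prepends it both on outbound updates (in front of the real AS) and on received updates; no-prepend stops the inbound prepend; replace-as sends only the local-as outbound; dual-as additionally accepts a neighbor configured with the real AS. My assumption, stated in the code, is that a dual-as session established on the real AS behaves as a plain eBGP session.

```python
from dataclasses import dataclass

@dataclass
class LocalAsPeer:
    """One eBGP neighbor statement carrying 'local-as' and its options."""
    real_as: int
    local_as: int
    no_prepend: bool = False
    replace_as: bool = False
    dual_as: bool = False

    def session_as(self, neighbor_remote_as):
        """AS this session runs under, or None if the neighbor's remote-as would not match."""
        if neighbor_remote_as == self.local_as:
            return self.local_as
        if self.dual_as and neighbor_remote_as == self.real_as:
            return self.real_as            # dual-as: the real AS is accepted too
        return None

    def outbound_path(self, path, session_as):
        """AS_PATH the neighbor receives; 'path' is the AS_PATH before this router adds its AS."""
        if session_as == self.real_as:
            return [self.real_as] + path   # assumption: plain eBGP once the real AS is in use
        if self.replace_as:
            return [self.local_as] + path  # replace-as: the real AS is hidden
        return [self.local_as, self.real_as] + path

    def inbound_path(self, path, session_as):
        """AS_PATH installed locally for a route received from the neighbor."""
        if session_as == self.real_as or self.no_prepend:
            return path
        return [self.local_as] + path      # default: local-as prepended on receipt

# The post's R2 (facing AS 900) and R3 (facing AS 800): new AS 17146, old AS 17111.
R2 = LocalAsPeer(17146, 17111, no_prepend=True, replace_as=True)
R3 = LocalAsPeer(17146, 17111, no_prepend=True, replace_as=True, dual_as=True)
```

Without no-prepend and replace-as the old AS would appear twice in every path exchanged with the ISP, which is the loop-detection and path-length surprise these keywords exist to avoid.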

BGP Advertise Maps

This will just be a quick blog about BGP advertise maps. Imagine you manage AS 200 and you peer with two upstream providers, AS 300 and AS 100. AS 300 and AS 100 also peer with each other. You are also the transit for AS 254.

AS 300 is learning routes from AS 254 both via your AS (200) and via AS 100, but because of best-path selection it is choosing you, as you have a direct connection to AS 254 somewhere in the network. Your task is to let AS 300 learn the routes from AS 254 via AS 100 instead of over its direct connection to you. Yes, it’s hard to visualize that; I’ll add a diagram later on.

If we check the BGP table of the AS 300 router directly connected to your AS (200), you’ll notice it is choosing you as the preferred path and has AS 100 as the alternate path.

AS300_AS200#sh ip bgp regex _254$
BGP table version is 21, local router ID is 150.1.7.7
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *   51.51.51.51/32   155.1.67.6                             0 100 200 254 ?   <-- Secondary path
 *>                   155.1.37.3                             0 200 254 ?       <-- Primary path
 *   192.10.1.0       155.1.67.6                             0 100 200 254 ?
 *>                   155.1.37.3                             0 200 254 ?
 *   205.90.31.0      155.1.67.6                             0 100 200 254 ?
 *>                   155.1.37.3                             0 200 254 ?
 *   220.20.3.0       155.1.67.6                             0 100 200 254 ?
 *>                   155.1.37.3                             0 200 254 ?
 *   222.22.2.0       155.1.67.6                             0 100 200 254 ?
 *>                   155.1.37.3                             0 200 254 ?

Another requirement is that AS 300 should only use this directly connected path if a link between you and AS 100 goes down. There are multiple connections between you and AS 100, but we’ll pick a specific link, the 155.1.13.0/24 subnet.

There are a number of ways of doing this, but for this blog we’ll use BGP advertise maps, specifically with a non-exist-map.

Syntax: neighbor x.x.x.x advertise-map <route-map 1> non-exist-map <route-map 2>

route-map 1 matches the routes you want to advertise to the neighbor.

route-map 2 matches the prefix whose absence is tested: only while that prefix does not exist in your BGP table are the route-map 1 routes advertised to the neighbor.

Full config from the edge router facing AS 300:

AS200_AS300#:

ip as-path access-list 1 permit _254$
!
route-map EXIST_MAP permit 10
match as-path 1
!
ip prefix-list PL_NON_EXIST_MAP seq 10 permit 155.1.13.0/24
!
route-map NON_EXIST_MAP permit 10
match ip address prefix-list PL_NON_EXIST_MAP
!
router bgp 200
neighbor 155.1.37.7 advertise-map EXIST_MAP non-exist-map NON_EXIST_MAP
!
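To make the condition concrete, here is an added example (my own code, not from the post) that applies the advertise-map/non-exist-map rule to a constructed copy of AS200_AS300’s BGP table, including a small translation of the IOS as-path regex used in the config. It assumes the 155.1.13.0/24 link subnet is actually present in the BGP table while the link is up (for example through a network statement), since the non-exist-map is evaluated against the BGP table, not the IGP.

```python
import re

def ios_as_path_regex(pattern):
    """Translate IOS's '_' (start, end, space, comma, braces, parens) into a Python regex."""
    return re.compile(pattern.replace("_", r"(?:^|[ ,{}()]|$)"))

# Constructed view of AS200_AS300's own BGP table: prefix -> AS_PATH string as
# 'show ip bgp' prints it. Routes originated inside AS 200 carry an empty path.
BGP_TABLE = {
    "51.51.51.51/32": "254",
    "192.10.1.0/24": "254",
    "205.90.31.0/24": "254",
    "155.1.13.0/24": "",         # link to AS 100 watched by the non-exist-map
    "155.1.23.0/24": "",         # some other internal prefix
}

ADVERTISE_MAP = ios_as_path_regex("_254$")   # ip as-path access-list 1 permit _254$
NON_EXIST_PREFIXES = {"155.1.13.0/24"}       # ip prefix-list PL_NON_EXIST_MAP

def conditional_advertisement(table, advertise_re, non_exist_prefixes):
    """Routes sent under 'advertise-map X non-exist-map Y': the X routes go out
    only while no Y prefix is present in the local BGP table. Routes that do not
    match X are not affected by the condition at all."""
    if any(p in table for p in non_exist_prefixes):
        return "Withdraw", []
    matched = [p for p, path in table.items() if advertise_re.search(path)]
    return "Advertise", matched
```

On a real box the same state is visible under show ip bgp neighbors as "Condition-map NON_EXIST_MAP, Advertise-map EXIST_MAP, status: Withdraw" or "status: Advertise".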

Now, if we check again on the edge router of AS 300:

AS300_AS200#sh ip bgp regex _254$
BGP table version is 26, local router ID is 150.1.7.7
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  51.51.51.51/32   155.1.67.6                             0 100 200 254 ?
 *>  192.10.1.0       155.1.67.6                             0 100 200 254 ?
 *>  205.90.31.0      155.1.67.6                             0 100 200 254 ?
 *>  220.20.3.0       155.1.67.6                             0 100 200 254 ?
 *>  222.22.2.0       155.1.67.6                             0 100 200 254 ?

We are now just learning the path from AS 100.
Short check-in

Just checking in tonight before I go to sleep and call it a day. I think I mentioned in a previous blog that I will be taking a week’s leave to give myself a kind of mid-term big push into my CCIE study. It starts tomorrow. I am really hoping that I will get a lot done in a week of undistracted (hopefully) labbing and studying.

Last week I started on multicast, and boy, that was really challenging. It was so challenging I thought I was getting myself into a burnout. I don’t wanna tackle that topic during my study week. I will probably get back to it later on, or once in a while, little by little, and not go full gung-ho with it.

I think it’s really hard to study something that you don’t get to see in production, unless you are dealing with IPTV or a trading application on the network. I went through DMVPN, QoS and the other routing protocols quite nicely because at the back of my mind I knew I would use them at work. Actually, whenever I learn anything new in MPLS or BGP I go through our core network and see how it works in production. All the more I appreciate our network and how it was designed.

It feels like going to a bootcamp by myself. I am also contemplating taking those paid mock lab exams by INE just to simulate how I will do in an actual 8-hour exam. Just the thought of it already gives me the heebie-jeebies.

Shaping vs Policing

I will admit it took studying for the CCIE R&S for me to understand the difference between shaping and policing. Yes, you briefly encounter this topic during CCNP, but as I remember it, it was in the SWITCH exam, which talks about hardware QoS.

Now, working for a service provider, I get to apply this, especially on our internet cross-connects with our customers. Basically, we shape outbound traffic going to the customer device so their downloads stay within their provisioned speed, and we police (drop packets) if they try to upload or push traffic towards us above it.

It is advisable to match your shaper and your policer on the link. Remember that a shaper is outbound and outbound only, while a policer can be applied both outbound and (usually) inbound.

Below is a good example of a shaper and policer config wherein the policer starts dropping packets once traffic exceeds its provisioned bandwidth.

policy-map SHAPER
class class-default
shape average 100000000
!
policy-map POLICER
class class-default
police 100000000
conform-action transmit
violate-action drop
!
interface GigabitEthernet0/1
service-policy output SHAPER
service-policy input POLICER
!
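The difference is easiest to see by pushing the same burst through both. As an added example (my own code, not from the post), the script below runs one single-rate token bucket over a constructed packet arrival pattern, once as a shaper (excess is queued until tokens accrue) and once as a policer (excess is dropped, as violate-action drop does). The 8 kbit/s rate and 1000-byte burst are chosen so the numbers are readable; they are not the 100 Mbps from the config.

```python
def token_bucket(packets, rate_bps, burst_bytes, mode):
    """Run one single-rate token bucket over packets [(arrival_s, size_bytes), ...].
    mode 'police': out-of-profile packets are dropped (violate-action drop).
    mode 'shape':  out-of-profile packets wait until enough tokens have accrued.
    Returns (sent [(send_time_s, size)], dropped [(arrival_s, size)], max_delay_s)."""
    tokens, last = float(burst_bytes), 0.0
    sent, dropped, max_delay = [], [], 0.0
    for t, size in packets:
        now = max(t, last)                      # shaped packets queue behind earlier ones
        tokens = min(burst_bytes, tokens + (now - last) * rate_bps / 8)
        last = now
        if tokens >= size:                      # conforming: transmit at once in both modes
            tokens -= size
            sent.append((now, size))
        elif mode == "police":
            dropped.append((t, size))           # no queue in a policer: the packet is gone
        else:
            wait = (size - tokens) * 8 / rate_bps
            last = now + wait                   # bucket refills while the packet waits
            tokens = 0.0
            sent.append((last, size))
            max_delay = max(max_delay, last - t)
    return sent, dropped, max_delay

# Constructed burst: three 1000-byte packets at t=0 and one more at t=2 s.
PACKETS = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (2.0, 1000)]

def compare(packets=PACKETS, rate_bps=8000, burst_bytes=1000):
    """Same offered load through a policer and a shaper; returns a summary per mode."""
    out = {}
    for mode in ("police", "shape"):
        sent, dropped, max_delay = token_bucket(packets, rate_bps, burst_bytes, mode)
        out[mode] = {"delivered_bytes": sum(s for _, s in sent),
                     "dropped_bytes": sum(s for _, s in dropped),
                     "max_delay_s": max_delay}
    return out
```

The policer delivers half the bytes with zero added delay; the shaper delivers everything but the last queued packet waits two seconds, which is exactly the trade-off between buffering on your side and dropping on the customer's side that the config above sets up.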

I believe I have a previous blog post on QoS which focuses on LLQ.