Sunday, December 21, 2008

MPLS Deployment reasons

1) Faster convergence, in the old days that was a valid reason due to the relatively complex forwarding task that required more resources then Label forwarding. Today non relevant

2) RFC 1483 the newer 2684 AAL5 ATM Adaptation Layer 5 the implementation of IP over ATM

3) BGP Core Free on the SP network, as with MPLS lookup is done based on Labels and not destination address there is no need to have the BGP table in the Core for external prefixes lookup's. this is a massive change from the requirement that Every router in the core must have BGP enabled (cpu and memory intensive load) to only the edge router have BGP enabled mean higher performance and capability.

Note: edge routers still need to have the BGP routing tables, edge routers are translating between ip routing decision to label based decisions.

4) Deployment scalability, when we face with large scale client to deploy (client that connect with 50 - 300 sites and more) we need to have under the consideration the deployment scalability and management, with that in mind 2 models of deployment are optional:

a) VPN Overlay - creating a point to point connection over the SP network, can be achieved in layer 1, 2 or 3.

Layer 1 TDM E1 T1... Layer 2 ATM FR... Layer 3 GRE, IPIP...

b) Peer to Peer - creating a connection between sites trough the ISP and with him, what I mean is that the SP need to join the client network and to achieve client privacy the SP need to manage acl's and routing updates, not very scalable and a lot of overhead. notice that in addition to the disadvantage for the SP on the additional management overhead and complexity there is the client control (doesn't have any) of his layer 3 network trough the SP.

With MPLS the VPN allow the Peer to Peer bad model to have advantage over the Overlay model where in the MPLS we use VRF Virtual Routing Forwarding separators between each network and the configuration is done only on each new site. meaning that if I am an SP and I have 3 client (Cisco, Microsoft, Verizon) each vrf will have a unique color vrf Cisco, vrf Microsoft and vrf Verizon, and to join a new branch is only to color this branch traffic accordingly, so the main work is done in the initial design and implementation and any new addition is actually very simple to add.

5) TE - traffic engineering is a small phrase for a very big spectrum of options, normally traffic routing is decided at each point separately and usually the best route is chosen according to the shortest path to destination, using TE we can make the routing decision based on multiple criteria options. allowing the traffic to fully utilize network capability.

FRR - Fast ReRouting is a very good feature that allow you to detect and reroute based on router availability in less than 50ms Very important in high sensitive traffic like VoIP.

Friday, October 24, 2008


Well I know this is not Cisco but I have just passed 30 min ago my JNCIA-ER exam with score of 90, to be honest that was one of the shortest test's I have ever had, usually I stay no meter what to the last minute but because I was pretty sure on my answers I have left after ~20 min. The resources provided from the site are excellent and answer 100% to the test questions. almost to good to be true. I must say that the last 3 weeks I have been playing with the junos (under my vmware setup) it seem to be realy nice and powerful OS. So for you professionals and experts I think it should be very nice knowledge edition, I am still thinking if I want to proceed with the JNCIS-ER exam or stop here with juniper, I will update you later. All of you have a nice weekend :-)

Friday, October 10, 2008

Spanning Tree Basics

Spanning Tree is one of the topics that most people a really scared as it is almost fully automatic feature People don’t bother to dig into it; my idea here is to give you a simple way to understand the protocol basics And also get a glance on its complex. First thing when I learn a new protocol I would like to look how it is working on the low level, so here I have drown you the BPDU structure, you can see that all implementations have a common ground and thus there is full backward support: Filed Description: PID = Protocol ID Always 0x0000 VID = Version ID 1) STP 0x00 2) R-PVST 0x02 BT = BPDU Type 1) STP 0x00 2) R-PVST / MST 0x02

TCN / TCN Ack is used only with IEEE 802.1D or with interoperation with RSTP. Proposal and agreement handshake are bits used to prevent loops, proposal sent from a designated port And agreement is sent from the root port. Unlike IEEE 802.1D in which any transition between the blocking and the forwarding state causes a topology change, Only transitions from the blocking to the forwarding state cause a topology change with RSTP. Root ID Show the Root Bridge Priority and the MAC address Root Cost Show your distance from the Root Bridge BID = Bridge ID Here the switch advertise his own Bridge MAC and Priority Port ID A 2 byte number, the first octet build from a configurable priority, the second octet is a number set by the Bridge for the port BPDU was sent from usually in newer Bridge model the port id is the Port number but in Older models it was a random number assigned to the port. Newer models: Show spanning-tree vlan 1 detail Older models: Show spanning-tree MAge = Message Age Indicate an estimated time required for a BPDU to be sent and received by any other bridge, although specified in time it is actually increasing The value by hop count. MA = Max Age This filed is given from the root bridge and by default set to 20 sec indicate the max age of a BPDU. Hello Indicate the time between each BPDU sent from the root bridge. Default 2 sec FWDD = Forward Delay Indicate the amount of time the bridge should stay in each state when transiting from blocking to forwarding. V1_L = Version 1 Length V3_L = Version 3 Length MST EXTENTION MST Config ID MST Config Name = configuration name MST Config Revision Number = configuration revision number MST Config digest = configuration digest CIST Bridge Identifier = CIST Internal Root Path Cost = cost to the root bridge CIST Remaining hops = default (20) state the max number of hops from the root bridge if packet received a packet with remaining hops set to 0 then he will Ignore the spanning tree BPDU and will be able to declare himself as Root Understand the debug as it is one of the tools you have to troubleshoot in real time, but with that said you need to make sure you do not activate spanning tree debug on production with logging console enable as you will probably end up locked out from your switch. ! Do before debug under global config No logging console logging buffered 200000 end clear logging debug spanning-tree bpdu ! output will be displayed under the “show logging” ! to disable debug un all Example output from the debug: *Apr 14 01:19:56: STP: enc 01 00 0C CC CC CD 00 14 F2 E9 44 16 00 32 AA AA 03 00 00 0C 01 0B ! you can see destination MAC 01 00 0C CC CC CD the Cisco multicast address for PVST+ also LCP show AA AA indicate to look into the next 5 byte of information in the LCP, the last 2 byte indicate the ethertype 010b is for PVST+ *Apr 14 01:19:56: STP: Data 000002023C60670014F2E944000000000060670014F2E9440080160000140002000F00 *Apr 14 01:19:56: STP: VLAN0103 Fa0/22:0000 02 02 3C 60670014F2E94400 00000000 60670014F2E94400 8016 0000 1400 0200 0F00 ! BPDU represented in hex *Apr 14 01:19:56: RSTP(103): Fa0/22 repeated msg *Apr 14 01:19:56: RSTP(103): Fa0/22 rcvd info remaining 6 *Apr 14 01:19:56: STP: VLAN0104 rx BPDU: config protocol = rstp, packet from FastEthernet0/22 , linktype SSTP , enctype 3, encsize 22 Short story on the LCP LLC (Logical Link Control) also called 802.2 header and is between 3 to 8 byte long containing protocol type information of the packet. The 3 first bytes are mandatory: DSAP Destination Service Access Point SSAP Source Service Access Point And one more byte that is important only when using SNA in any other cases it is ignored Now you will probably ask what the additional 5 byte is. Now this is where it gets little complex, when using standard STP IEEE or ISL trunks (Cisco Run ISL with PVST that is much similar to the standard accept for the vlan ID addition) then DSAP and SSAP will be set to 0x42 but when configuring DOT1Q trunks on Cisco then they use PVST+ and they are setting the SSAP and DSAP to 0xAA where it point to the additional 5 byte where we get the SNAP (SubNetwork Access Protocol) that is giving us a description of what protocol we are using in layer 3 (AppleTalk, IP, XNS….) Ok this until now are the basics for STP, once you have the structure in place it will be much easier (warning: it is not easy) to understand how it works. Recommended reading:

Friday, May 02, 2008


  1. Read the entire exam – now I know everyone is saying that and even Cisco it advising that in there site, but this is one of the important things you need to do before you start configuring as when you start configuring, your mind is set to different mode and you will miss important details.
  2. Take Notes - In addition to step 1 you must know to take notes, what I mean you ask yourself?! Well when you read the exam you will probably be thinking "am I wasting my time reading when other are typing and almost finishing their exam" I say NO you are not but because you all stress and your brain is speeding in almost 200mph you will not remember if you will not take notes.
  3. Work Your Way UP – After first two steps are done you are probably 30 min – 40 min into your exam do not panic, work in a step by step layer 2 to layer 3…
  4. Ask The Proctor – there was in my lab a real nice person that I am sorry I didn't ask for his name but for me his name was Mr. Proctor and whenever I had a question about something that I didn't understand or I thought that it is not well asked then I got up from my seat and went to his desk and ASKED, no shame, If you do not understand ASK that is one of his jobs, Accept for escorting you to the dining room J
  5. Don't ASK Dumb Questions – The Proctor will not give you an answer to your lab question, he will only answer "yes" or "no" format and only if he understand from your question that you know what you are talking about, so do not go and ask "question 1.1 what do you want me to do here" (In CCIE Routing and Switching Practice Labs, Cisco Press book you can see a lot of questions / Answers like that).
  6. Be Polite – the proctor doesn't work for you so be nice, that is the end of proctor candidate relation advice.
  7. You Can Jump Back and FWD – the exam is open to your judgment you can say I will do first security then multicast or I will do IPv6 last
  8. Keep Track – the exam have a lot of questions and sections, you need to write down questions and/or sections you finished, I myself written every question and its points, when done I have marked with "ok" when skipped marked with "later" when I have finished I looked on my paper and made sure I didn't left any question without "ok"
  9. Know How to check – after every question I did a check to make sure that what they want to work dose work, it is not always sufficient to put the commands as some time one section is relaying on another and putting the command relating to that question will not work until you add or remove other commands, I hope that is not to confusing, but most of the exam time went in my exam to verification. Also once you go to sections like security that may brake other sections, I would go back and verify the sections all over again and if they don't work I know where is the problem, if I didn't check every step it would be hard and more stressful when something would not work at the end.
  10. Do not panic – that is important and for some it is more for other it is less, when you see the exam for the first time do not panic take it and brake it to small pieces, and do it one step at a time, if you face a problem skip ahead do not try to solve it for 2hr you can come back to it later


Monday, April 28, 2008

CCIE LAB Learn Process

I will separate the LAB study process from the Written Exam as they are 2 different process from my point of view, so my study to the lab started at the end of 2006 after I passed my Written Exam, first my plan was to study for 4 months using Rack Rental but as I progressed I saw that this target was not realistic and I had a lot more to practice and to study before I will attempt to go to the lab so I scheduled my lab for mid August 2007, I rented almost 600 hours of rack time and scheduled almost every day a lab session, very important detail I forgot to mention is that I purchased the IEWB from Internetworkexpert. At first stage of my study the version that was available of the Work Book was 3 that was according to the old LAB format with 2 Catalysts only later they released version 4 and 4.1 according to the updated format of 4 Catalysts, but never mind that, at first few months I had a lot of mess in my brain as I didn't had any structured plan on how to approach the lab, then I saw that that mess is getting me no where I stoped and done a study plan divided to subjects that need to be covered and to the importance level meaning that OSPF BGP EIGRP... FR, VLAN, VTP, STP... all these are core subjects and needed to get the highest focus then I taken the Security QoS Multicast IPv6 and other miscellaneous subjects and given them a lower priority and each subject like that I divided to sub category and gave them also priority, finely I had a structured plan of approach and I started working according to it but yet again I saw that I have short time to my LAB so I postponed my first lab attempt to Jan 16 2008, I have rented additional ~500 hours, also I didn't mention but I done also a lot of reading both books like TCP/IP vol 1 and 2 CCIE R&S Practice Labs CCIE Practical Studies vol 1 and 2 RFC's of OSPF BGP RIP IGMP and more It is needless to say that the books are sufficient but it is nice to know the source of the books and some time I found the RFC information clearer then the books. The final stages before the first attempt was almost 3 weeks of each day 8hr doing full lab from the IEWB. I managed to solve most of the labs within 6hr max. as I mentioned my first attempt was in Jan 16th in San Jose California and it was unsuccessful, although I did 100% on the core subjects I had failed the other miscellaneous subjects and there is no excuse for that as most likely I was not ready for all areas, I got my answer on the morning before my flight back and that was a depressing moment (or should I say a week), but after a week I decided that I should not let this effect me and taken my conclusion from the test result on what I need to give my attention and prepared another plan for making my knowledge in these areas stronger for my next attempt that I scheduled for April 18th 2008 (this was passover evening in Israel) I have scheduled this time only ~80hr of rack time and focused on reading. the second attempt I have had in my first 20 min a blackout I said to my self what the hell do I do now?! but then I taken a step back and started all over again reading and taking notes only after ~40min I have started my configuration and from that moment I went trough it like a tornado it was like the cartoons where you get the spot light above your head and then you start doing every thing fast, I got my spot light and went trough one section after another by lunch I had finished almost 80% of the test then when I returned from lunch I finished all the config by 2PM after all checks and 2 full lab reboots. I must say the proctor was very nice and answered all my questions, my suggestion is in your question do not ask for an answer ask for clarification meaning make the proctor know that you know what you are talking about and do not shoot in the dark for answers. Although I finished at 2PM I stayed and tested my configuration until the test timed out just to make sure, I probably went trough the lab 20times, and very important thing SAVE CONFIG. After the lab I was so nerves starting to question my self although deep down I felt that I passed, I had a very long weekend waiting for the report but then it came at 5AM San Jose time Sunday I saw my number and what a wonderful feeling. Now I will take a time off before my next quest

Sunday, April 20, 2008

CCIE #20572

That is one happy weekend for me, I posting this from my room Residence Inn in Milpitas City an hour after I recived one of the best news after a very long year and half of studying and one failiur, I passed my CCIE of R&S in San Jose Apr 18 2008. Wonderful feeling, please forgive me for the short story. Thank you all for the support especialy to my wife, son and parents that suffered my moods and my busy schedual.

Saturday, February 16, 2008

IPSec Basics

IPSec is an suit of protocols designed to provide interopable and high secure data transfer service. to understand IPSec we need to go to the basics and see some defenitions and protocols used by IPSec and start from there to build our understanding on IPSec, after we know what is IPSec and what he need to provide us we can go over to the practical usage and some configuration samples. so as I have said we have some basics to cover and we will start with: Authentication - is how the units verify they are who they say they are Data Integrity - making sure that the data that was sent it what was recived in the other side with no change Confidentiality - it the Encription of the data Anti-Replay - preventing play back attack, if this mechanizem was not enable then a potential attacker could capture a stream of data and replay it to the box this stream was sent and potentialy could log into the network even if the data is hashed it dosent metter as the other side need to know to unpack that data. this 4 definitios are the very basic to understand, and each one is playing a very important role in the vpn. AH Authentication Header - as it is mentioned in his name it is a header authentication method and can provide integrity authentication and anti-relplay, it is the older form of creating IPSec VPN, and today less used. ESP encapsulation security protocol - this is the new form of creatign IPSec VPN and it add the very important element of Confidentiality or encription of the data as I mentioned. the methods we have to encrypt the data are very wide spread but here are the most common ones DES data encription standart 64bit key 3DES it is 192bit what is even funy The procedure for encryption is exactly the same as regular DES, but it is repeated three times. AES Advanced Encryption Standard has a minimum key size of 128bit and maximum of 256bit, a AES 128 is considered more secure then 3DES. RSA (Ron Rivest, Adi Shamir, and Leonard Adleman) is used for Asymetric Public Private Keys Authentication there are 2 main methods to authenticate pre-shared key is a staticly defigned by the Admin on the units the less secure way but the more common method Certificate Authority this is the high security methode and the less common due to the complex of configuration and usually also you need to buy Certificate from one of the vendors like verisign, commodo... Integrity is using hashing for making sure that that the data is not changed: MD5 Message-Digest algorithm 5 the most commonly hash used today the hash size is 128bit. SHA-1 Secure Hash Algorithm 1 the hash size is 160bit DH Diffie-Hellman "A public-key cryptography protocol which allows two parties to establish a shared secret over an insecure communications channel. Diffie-Hellman is used within IKE to establish session keys and is a component of Oakley." (this line was taken from Cisco Site: ) Let Me try to expalin the proccess; each unit have a private key (used for decryption) a key that is never passed, and a Diffie-Helman Key (Public Key used for encryption) when a unit want to do a key exchange they each send there Public Key to the other side so lets drill down to Unit_A, Unit_A get the Public Key of Unit_B then using the RSA create a shared key that shared key can only be opened on Unit_B with Unit_B Private Key so even if you intercept the shared key you cant reverse engineer it to see as only the private key of Unit_B will be able to understand it. ok untill here I have summerized for you all the key concepts and provided an example of the proccess used in Asymetric Process of the IPSec next I will take the concept and show you in practice what need to be done to form an IPSec connection. General Guide lines to configure an IPSec connection: 1) Create IKE Policy 2) Create IPsec Transform Set 3) Defign ACL for the encription 4) Configure a Crypto Map 5) Assign the Crypto Map to an Interface Note: when you want to create an IPsec between 2 units you must make sure there configuration match so this is a tip copy the configuration you did to a notepad and on the other side unit only flip the ACL IP address to match the other side and paset it, if you did correct on the first side you will have a working connection, if you did bad then you will need to troubleshoot only one side and again copy paste to the other side, save time and pain!

Tuesday, February 12, 2008

New Job

Hi Guys, Sorry I don’t have much time as I started a week ago new job in Expand Networks as one of the 3rd level Support Team, our product is the answer to Cisco WAAS, currently I am only learning trying to catch up some huge amount of information on a product that I was never familiar before and in between still studying and preparing for My CCIE. so wish me luck I hope soon I will be able to catch a breath and give you some nice articles :-)

Saturday, February 02, 2008

Juniper start here

Ok although I am a fan of Cisco you cant go around and not see that Juniper is there and slow but safely moving up and up, I remembered that I heard the name Juniper in 2001 I said yes yes... and thought to my self another one of thus companies... Today I cant ignore them anymore, and why I saw today the first (I think, as I never saw before) online rack rental and workbook for Juniper this I think is the first but many will follow after, as the demand and the deployments of Juniper in the world today are growing and I do not think there is an ISP or any SP (Wireless / Mobile / Others) in the Industry today that do not have Juniper some where in his network, now I do not think it is bad for Cisco (other then sales), I think that good competitors bring the best in you, when I was in school if some one tried had better grades then me then I always tried to do harder and if I was the better one I always made sure that it would stay that way (I was very competitive with subjects I liked). so competition is good for Cisco from my point of view.

Wednesday, January 30, 2008


One of my major weakness until recently was security, security is the one topic that can kill you if you do not know what you are doing or if you are not careful enough to lookinto the small details. in the past when I came to a task I would attack it straight ahead and not thinking what it can do to other things I did before or what I need to do in the next task, I worked in a task by task strategy, today as I grown :-) I learned that nothing especially in real life is not presented to you in a step by step manner, you always need to gather all the information and sort it your self like a puzzle, some time the puzzle is small and easy some time you cant find the middle piece to complete your puzzle. so my advice to you is take the exam as a puzzle put all the parts in front of you (mean read all and draw basic topology accordingly) and build your puzzle from bottom up (piece by piece) if you cant find a piece then skip you will find it later. Now with that analogy the Security is one of those last pieces in your puzzle that can brake your entire puzzle so you can decide either to leave one piece out or to start rearrange everything (not recommended). With that in mind I would like to talk here on CBAC or the IOS Firewall, the basic Idea is very similar to reflexive ACL but with enhanced support of features and application. What Do we need for the firewall to work: 1) We Must have an ACL - the ACL will be in most of the cases (for the R&S CCIE) on the outside interface and it will have a Deny all statement, now that was a hard issue for me to grasp at first I said to my self what the hell do I need the Firewall to use a ACL?! isn’t that already build into the firewall, well no! the Firewall is "inspecting" traffic as it go out or come in but the ACL define what to be denied from coming into the Router, so that mean only traffic that is coming from inside the network to outside is allowed back in and traffic that is trying to come from outside need to stay out unless there is a permit statement. 2) We need to define and inspect rules and that is another thing that you need to be careful, as if you only set a rule to inspect icmp that mean that only icmp traffic from your network to the outside and back will be allowed, if you will try to browse the internet without setting an inspect rule your traffic will not be inspected and therefore not been allowed back in!!! Now here is my home router example: I start by defign the traffic that I am using from in --> out ip inspect name HOME-FW sip <- My Voip service need to be up ip inspect name HOME-FW snmp <- I have Snmp Server to monitor the networks I maintain ip inspect name HOME-FW http <- a man need to surf :-) ip inspect name HOME-FW https <- some time need to use a secure web browsing ip inspect name HOME-FW dns <- well I do not want to use IP for all my surfing so I need name resolve server access ip inspect name HOME-FW smtp <- need to sent out mail ip inspect name HOME-FW pop3 <- mail in ip inspect name HOME-FW ssh <- all my servers using SSH (linux RHES) ip inspect name HOME-FW icmp <- Pings ip inspect name HOME-FW telnet <- Some of the router I manage are old or do not have SSH ip inspect name HOME-FW udp <- miscellaneous traffic ip inspect name HOME-FW tcp <- miscellaneous traffic ! ip access-list extended ACCESS-CONTROL permit icmp any any echo-reply <- that I am using as the traffic from the router it self is not inspected so if I will not permit it then I will not babble to ping from the router, the same go for the traceroute permit icmp any any time-exceeded permit icmp any any port-unreachable permit udp x.x.x.80 any eq snmptrap <- I have in my home a Snmp Server and to allow traps from outside to come in I need a permit permit udp x.x.x.80 any eq 5060 <- although I enabled SIP in the inspection rule calls that are originated from outside in need to be permitted as only traffic inspected from inside to outside is permited permit udp host x.x.x.83 any range 10000 20000 <- that is for the RTP, it is not really needed but for the "obscure" bugs that can happen I rather permit it then loose a call. deny ip any any log-input <- the log-input is for tracing attackers always good to have. ! interface Dialer0 <-- that is my outside interface .. ip access-group ACCESS-CONTROL in .. ! interface Vlan16 <-- that is my inside interface .. ip inspect HOME-FW in .. !

This is In response to the comment posted: The ACL has no direct relation to the CBAC firewall, it is there to prevent traffic coming into your network from the outside, the inspection rule is there to inspect traffic going out from your network. if the ACL was not there the traffic would have been inspected but still people would able to go into your network. so if you want to block traffic you must have ACL but if you inspect traffic then even if there is a deny statement on the outside interface traffic is allowed to return. so the short answer CBAC is not inspecting the ACL, CBAC is inspecting what you tell him on the inspection rule.

Monday, January 21, 2008

CCIE Lab San Jose 16 Jan 2008

Ok, I wished to tell you my number after that date but unfurtunetly for me I will need to hold on with that post. so for now I will tell you my expireance, I traveled from Israel to San Francisco California on Jan 12 2008 arrived after painful 18hr flight with a connection in London. Days before the exam I have taken the liberty to relax and sleep as much as I can. The lab Day I have arrived as early as I could at 7am to Tasman Drive 150 bldg C waiting for them to open the doors (yes I am that freek). at about 7:30 they have opened the doors and I waited for the other candidates to arrive, at about 8:15 we where guided to the Lab...(now I cant tell you what happen there as I am obligated to the NDA). What I can tell you is that it was hard but not impossiable I have actually had no problem with the core topics and but I did found the security and qos to be confusing enough to fail me. I certenly learned from this expireance (it was expensive lesson) and hope to not fail on that again, but with no pain there is no gain.