Remote Site Connectivity

2018-06-15

Discussion

Layer 2 MPLS VPN

    With a Layer 2 MPLS VPN, the MPLS network allows customer edge (CE) routers at different sites to form routing protocol neighborships with one another as if they were Layer 2 adjacent. Therefore, you can think of a Layer 2 MPLS VPN as a logical Layer 2 switch.

Layer 3 MPLS VPN

    With a Layer 3 MPLS VPN, a service provider’s provider edge (PE) router (also known as an Edge Label Switch Router [ELSR] ) establishes a peering relationship with a CE router, as seen in Figure 2-2 . Routes learned from the CE router are then sent to the remote PE router in the MPLS cloud (typically using multiprotocol BGP [MP-BGP] ), where they are sent out to the remote CE router.

Dynamic Multipoint VPN (DMVPN)

    DMVPN allows a VPN tunnel to be dynamically created and torn down between two remote sites on an as-needed basis. Multipoint GRE, Next Hop Resolution Protocol (NHRP), and IPsec are required to support a DMVPN topology.

Multipoint GRE

    The scalability offered by DMVPN is made possible, in part, by multipoint GRE (mGRE) , which allows a router to support multiple GRE tunnels on a single GRE interface.

    Some of mGRE’s characteristics are as follows:

  • Like traditional GRE, mGRE can transport a wide variety of protocols (for example, IP unicast, multicast, and broadcast).
  • In a hub-and-spoke topology, a hub router can have a single mGRE interface, and multiple tunnels can use that single interface.
  • An interface configured for mGRE is able to dynamically form a GRE tunnel by using Next Hop Resolution Protocol (NHRP) to discover the IP address of the device at the far end of the tunnel
Read Comments

TS Performance

2018-05-08

Switch targets

    Cisco Catalyst switches similar components for troubleshooting:

  • ports
  • forwarding logic - a process which make a hardware based on different tables in the data plane
  • backplane - a physically tire which connect switch ports
  • control plane - a CPU and memory which responsible to run operating system and building forwarding decisions tables.

    Normally the control plane does not participate in the frame-forwarding process. But, the forwarding logic bield in the control plane. As result case of impact of packets rate can overload the control plane of the switch.

Port errors

    When troubleshooting a suspected Cisco Catalyst switch issue, a good first step is to check port statistics. For example, examining port statistics can let a troubleshooter know whether an excessive number of frames are being dropped. If a TCP application is running slowly, the reason might be that TCP flows are going into TCP slow start , which causes the window size, and therefore the bandwidth efficiency, of TCP flows to be reduced. A common reason that a TCP flow enters slow start is packet drops

Read Comments

TS and Maintain Toolkit

2018-04-20

Recovery tools

    To increase a survivability of our network globally all nodes configuration and operating systems should be backed up remote storages. A backup configuration and images storage server have to be able to run one or more services, such as TFTP, FTP, HTTP, or SCP server.

To backing up a router configuration to an FTP server:

# copy startup-config ftp://pass:login@10.0.0.1

    To avoid typing credentials each time we can specify it once to a specific service:

(config)# ip ftp username cisco
(config)# ip ftp password cisco
(config)# ip http client username cisco
(config)# ip http client password cisco

    Cisco archive feature can automate a configuration backuping. A configuration can be backed up at a certain interval and each time we use write-memory or copy running-config startup-config commands.

(config)# archive
(config)# path ftp://10.0.0
                        
Read Comments

Site 2 Site VPN

2018-04-11

Introduction

    Here is a basic site to site IPsec VPN configuration for multi-vdom Fortigate unit and context based Cisco ASA.

Cisco ASA configuration

    Multiple context mode allows convert single ASA in to multiple independent devices with ist own configuration. When we enable multiple context the ASA create two new configuration files for system and admin context.

mode multiple

    By default all contexts belongs to a default class, its provide unlimited access to resources except for the following limits:

  • telnet - 5 sessions
  • ssh - 5 sessions
  • ipsec - 5 sessions
  • mac addresses - 65,535 entries
  • anyconnect - 0 sessions
  • vpn site-to-site tunnels - 0 sessions

    So, we need to define a class to configure resources allocation to contexts.  Other VPN sessions include Site-to-Site, IKEv1 RA and L2tp Sessions. These are guaranteed for a context and shouldn't exceed.

class vpn
limit-resource VPN Other 1

    Next create context, set class and allocate interfaces with aliases which will be used inside context configuration. A configuration file for the context will be stored in a local storage disk0:/s2svpn

Read Comments