Remote Site Connectivity2018-06-15
Layer 2 MPLS VPN
With a Layer 2 MPLS VPN, the MPLS network allows customer edge (CE) routers at different sites to form routing protocol neighborships with one another as if they were Layer 2 adjacent. Therefore, you can think of a Layer 2 MPLS VPN as a logical Layer 2 switch.
Layer 3 MPLS VPN
With a Layer 3 MPLS VPN, a service provider’s provider edge (PE) router (also known as an Edge Label Switch Router [ELSR] ) establishes a peering relationship with a CE router, as seen in Figure 2-2 . Routes learned from the CE router are then sent to the remote PE router in the MPLS cloud (typically using multiprotocol BGP [MP-BGP] ), where they are sent out to the remote CE router.
Dynamic Multipoint VPN (DMVPN)
DMVPN allows a VPN tunnel to be dynamically created and torn down between two remote sites on an as-needed basis. Multipoint GRE, Next Hop Resolution Protocol (NHRP), and IPsec are required to support a DMVPN topology.
The scalability offered by DMVPN is made possible, in part, by multipoint GRE (mGRE) , which allows a router to support multiple GRE tunnels on a single GRE interface.
Some of mGRE’s characteristics are as follows:
- Like traditional GRE, mGRE can transport a wide variety of protocols (for example, IP unicast, multicast, and broadcast).
- In a hub-and-spoke topology, a hub router can have a single mGRE interface, and multiple tunnels can use that single interface.
- An interface configured for mGRE is able to dynamically form a GRE tunnel by using Next Hop Resolution Protocol (NHRP) to discover the IP address of the device at the far end of the tunnel
Cisco Catalyst switches similar components for troubleshooting:
- forwarding logic - a process which make a hardware based on different tables in the data plane
- backplane - a physically tire which connect switch ports
- control plane - a CPU and memory which responsible to run operating system and building forwarding decisions tables.
Normally the control plane does not participate in the frame-forwarding process. But, the forwarding logic bield in the control plane. As result case of impact of packets rate can overload the control plane of the switch.
When troubleshooting a suspected Cisco Catalyst switch issue, a good first step is to check port statistics. For example, examining port statistics can let a troubleshooter know whether an excessive number of frames are being dropped. If a TCP application is running slowly, the reason might be that TCP flows are going into TCP slow start , which causes the window size, and therefore the bandwidth efficiency, of TCP flows to be reduced. A common reason that a TCP flow enters slow start is packet drops
TS and Maintain Toolkit2018-04-20
To increase a survivability of our network globally all nodes configuration and operating systems should be backed up remote storages. A backup configuration and images storage server have to be able to run one or more services, such as TFTP, FTP, HTTP, or SCP server.
To backing up a router configuration to an FTP server:
# copy startup-config ftp://pass:firstname.lastname@example.org
To avoid typing credentials each time we can specify it once to a specific service:
(config)# ip ftp username cisco (config)# ip ftp password cisco (config)# ip http client username cisco (config)# ip http client password cisco
Cisco archive feature can automate a configuration backuping. A configuration can be backed up at a certain interval and each time we use write-memory or copy running-config startup-config commands.
(config)# archive (config)# path ftp://10.0.0
Site 2 Site VPN2018-04-11
Here is a basic site to site IPsec VPN configuration for multi-vdom Fortigate unit and context based Cisco ASA.
Cisco ASA configuration
Multiple context mode allows convert single ASA in to multiple independent devices with ist own configuration. When we enable multiple context the ASA create two new configuration files for system and admin context.
By default all contexts belongs to a default class, its provide unlimited access to resources except for the following limits:
- telnet - 5 sessions
- ssh - 5 sessions
- ipsec - 5 sessions
- mac addresses - 65,535 entries
- anyconnect - 0 sessions
- vpn site-to-site tunnels - 0 sessions
So, we need to define a class to configure resources allocation to contexts. Other VPN sessions include Site-to-Site, IKEv1 RA and L2tp Sessions. These are guaranteed for a context and shouldn't exceed.
limit-resource VPN Other
Next create context, set class and allocate interfaces with aliases which will be used inside context configuration. A configuration file for the context will be stored in a local storage disk0:/s2svpn