Saturday, June 20, 2009

Notes on VRP Config Guides

It's funny to see how hard the Huawei VRP CLI tries to convince us that it really, really isn't the IOS CLI. And, sadly, it does that in a pretty inconvenient way.

For example, "display" instead of "show" and "undo" instead of "no". If the shortcuts "di" and "un" don't work, I'll be mad... Hopefully they have command aliases so that I can customize the CLI in a more familiar way.

They do have a feature for assigning commands to keyboard shortcuts, though. Something like Ctrl-G for "display running-configuration" or Ctrl-T for "display route-table" (I don't remember exactly, but you get the idea, eh?). Seems rather convenient; I don't remember such a thing in IOS. Only a few shortcuts are available (something like 5 or 7), but nevertheless... Something like that could be of great help in the CCIE lab, for example. I only hope it's accessible in any context (or view, as VRP calls them).

Our batch of Huawei devices will hopefully be deployed in August. Let's wait... Currently I'm reading lots of config guides, product descriptions, etc. Let's hope they'll provide some gear for testing; I need some hands-on experience before diving into full-featured maintenance of a live network.

Wednesday, April 15, 2009

MCSE - Minesweeper Consultant, Solitaire Expert

Sunday, March 22, 2009

Friday, March 20, 2009

Config guides quick link

http://www.cisco.com/en/US/products/ps6350/products_installation_and_configuration_guides_list.html

Notes on OSPF

Hmm, despite all the guidance in Cisco's curricula that OSPF must have an area 0, that isn't the whole truth.
Today I wondered whether OSPF can actually live without a backbone, aka area 0. In the design sense the answer is "yes": one can dump all of one's routers into a single area. But I was thinking about the possibility of, say, an ABR going down or something equally awful :)
Some research on the matter showed that this is indeed the case. Area 0 is mandatory for multi-area deployments, though, because all inter-area routes need to go through the backbone. To be a bit more technical: LSA types 1 and 2 are still exchanged, but types 3 to 7 need a functional link to area 0.

Some proof to back up my words: a case study from Cisco.

BTW, so as not to open the compose window once more, here is a list of common OSPF LSA types:

1 - Router LSA (O). Intra-area routes, generated by all OSPF routers. Flooded only within an area.
2 - Network LSA (O). Generated by the DR for a multi-access segment. Intra-area type.
3 - Summary LSA (O IA). Generated by an ABR, flooded into its connected areas.
4 - Summary LSA (O IA). A special summary LSA generated by the ABR of the ASBR's area to tell everyone where the ASBR is.
5 - External LSA (O E1/E2). Generated by an ASBR, contains routes external to the OSPF domain. A type 1 metric is increased at every hop; a type 2 metric remains the same as originally advertised.
6 - Multicast LSA. Used to indicate multicast group membership in MOSPF.
7 - NSSA LSA (O N1/N2). Same as type 5, but since an NSSA prevents the circulation of type 5 LSAs, it is in fact a type 5 LSA under a different name. The ABR converts these into proper type 5 LSAs at the area boundary and injects them into the backbone.

And now a little bit about OSPF areas.

1. Common area - permits all LSA types except 7. Areas with virtual links in them must be common areas. Requires no special configuration.
2. Stub area - doesn't permit type 5 LSAs, neither in nor out. Instead, a default route is injected by the ABR. All the internal routers and the ABR must be configured for a stub area. In fact, the stub-area flag being set/unset in the hellos of both peers is one of the criteria for OSPF adjacency establishment.
3. Not-so-stubby area - for all intents and purposes a stub area, but with one little addition: it permits type 7 LSAs to be passed from an ASBR. All routers in the area must be configured for an NSSA.
And now Cisco's proprietary extensions:
4. Totally stub area - same as a stub area, but taken further. It doesn't even permit type 3 and 4 LSAs, so the ABR only advertises into the area a default route pointing at itself as the way to the backbone. Routers in the area carry regular stub flags, but the additional no-summary keyword is appended to the ABR's area statement. So it can be configured in a vendor-heterogeneous environment, with only the ABRs needing to be Cisco.
5. Totally NSSA - see NSSA + totally stub. LSA types 1, 2 and 7.

That's it for today. There are also types 8 through 11, but so far I haven't encountered any mention of their functions and specifics in my study materials. Type 8 has something to do with BGP, and types 9 through 11, the opaque LSAs, are used for MPLS/OSPF interaction.
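To make the LSA types and area rules above concrete, here is an added Python example (my own, not from any Cisco material): it decodes constructed 20-byte OSPFv2 LSA headers, labels them with the types listed above, applies the per-area admission rules from these notes to decide what an ABR floods into each kind of area, and performs the type 7 to type 5 translation at the NSSA boundary. The sample headers, addresses and area-kind names are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# LSA types as listed in the notes above.
LSA_TYPES = {
    1: "Router LSA (O)", 2: "Network LSA (O)", 3: "Summary LSA (O IA)",
    4: "ASBR Summary LSA (O IA)", 5: "External LSA (O E1/E2)",
    6: "Multicast LSA", 7: "NSSA LSA (O N1/N2)",
}

# LSA types an ABR floods into each area kind, taken from the notes above
# (the RFC text is stricter in places, e.g. RFC 2328 also withholds type 4
# from stub areas). The ABR's own default-route summary is the one exception
# to the "totally" variants and is not modelled here.
AREA_RULES = {
    "common": {1, 2, 3, 4, 5}, "stub": {1, 2, 3, 4}, "nssa": {1, 2, 3, 4, 7},
    "totally-stub": {1, 2}, "totally-nssa": {1, 2, 7},
}

def parse_lsa_header(data: bytes) -> dict:
    """Decode the 20-byte OSPFv2 LSA header (RFC 2328, A.4.1)."""
    if len(data) < 20:
        raise ValueError("LSA header is 20 bytes")
    age, opts, ls_type, lsid, adv, seq, csum, length = struct.unpack("!HBBIIIHH", data[:20])
    return {"age": age, "type": ls_type, "name": LSA_TYPES.get(ls_type, f"type {ls_type}"),
            "lsid": str(IPv4Address(lsid)), "adv_router": str(IPv4Address(adv)),
            "seq": seq, "checksum": csum, "length": length}

def leaving_nssa(ls_type: int) -> int:
    """An ABR rewrites type 7 as type 5 when flooding out of an NSSA into the backbone."""
    return 5 if ls_type == 7 else ls_type

def flood_into_area(area_kind: str, lsas: list) -> list:
    """Keep only the LSAs the given area kind admits; the rest stop at the ABR."""
    allowed = AREA_RULES[area_kind]
    return [h for h in map(parse_lsa_header, lsas) if h["type"] in allowed]

def make_header(ls_type, lsid, adv, seq=0x80000001) -> bytes:
    """Constructed sample LSA header (checksum left zero; not a captured packet)."""
    return struct.pack("!HBBIIIHH", 10, 0x22, ls_type, int(IPv4Address(lsid)),
                       int(IPv4Address(adv)), seq, 0, 20)

# Constructed set arriving from the backbone: router, summary, ASBR summary, external.
SAMPLE = [make_header(1, "10.0.0.1", "10.0.0.1"), make_header(3, "192.168.1.0", "10.0.0.2"),
          make_header(4, "10.0.0.9", "10.0.0.2"), make_header(5, "0.0.0.0", "10.0.0.9")]

if __name__ == "__main__":
    for kind in AREA_RULES:
        print(kind, [h["name"] for h in flood_into_area(kind, SAMPLE)])
```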

Wednesday, March 18, 2009

The only encoding should be UTF-8, and the use of any other should be equated with incitement of ethnic hatred and punished under the corresponding article of the Criminal Code.
http://ibash.org.ru/quote.php?id=9354

Wholly and completely, ardently and fervently: +1.

Monday, March 16, 2009

BGP Path Selection

0. Synchronized - TRUE > FALSE - there must be confirmation from someone other than BGP for internal routes.
1. Weight (O,N) - Highest - admin override, Cisco proprietary.
2. Local preference (W,D) - Highest - almost the same as weight, but standard and AS-wide.
3. Self-originated - TRUE > FALSE - own paths are better.
4. AS-Path (W,M) - Shortest - routes with fewer AS hops are generally better.
5. Origin (W,M) - i < ? - an IGP origin (i) beats incomplete (?); stable routes are better.
6. MED (Multi-Exit Discriminator) (O,N) - Lowest - for external peers, to prefer some path into the AS.
7. External - eBGP over iBGP.
8. IGP cost - Lowest.
9. eBGP peering - Oldest - more stable and time-proven routes.
10. RID - Lowest - last resort :)
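The list above is an ordered comparison, so it maps naturally onto a sort key. Here is an added Python example (my own, not from any Cisco document) that implements steps 0 through 10 as a tuple key and ranks constructed candidate paths; the attribute names, the candidates and the assumption that MED is compared across all paths are mine.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP < EGP < incomplete; lower is better

@dataclass
class Path:
    """One candidate path for a prefix, carrying the attributes the steps compare."""
    next_hop: str
    as_path: tuple
    router_id: str
    weight: int = 0            # step 1, Cisco-only and local to this router
    local_pref: int = 100      # step 2, AS-wide
    self_origin: bool = False  # step 3, locally originated
    origin: str = "i"          # step 5
    med: int = 0               # step 6 (constructed simplification: compared for
                               # every path, not only within one neighbouring AS)
    ebgp: bool = True          # step 7
    igp_cost: int = 0          # step 8, metric to the next hop
    age: int = 0               # step 9, higher = older eBGP session
    synchronized: bool = True  # step 0

def selection_key(p: Path) -> tuple:
    """Lower tuple wins; one element per step, in the order listed above."""
    return (
        not p.synchronized,                # 0. synchronized paths first
        -p.weight,                         # 1. highest weight
        -p.local_pref,                     # 2. highest local preference
        not p.self_origin,                 # 3. locally originated first
        len(p.as_path),                    # 4. shortest AS path
        ORIGIN_RANK[p.origin],             # 5. i beats e beats ?
        p.med,                             # 6. lowest MED
        not p.ebgp,                        # 7. eBGP over iBGP
        p.igp_cost,                        # 8. lowest IGP cost
        -p.age,                            # 9. oldest eBGP path
        tuple(int(o) for o in p.router_id.split(".")),  # 10. lowest RID
    )

def ranked(paths) -> list:
    """Next hops from best to worst."""
    return [p.next_hop for p in sorted(paths, key=selection_key)]

def best_path(paths) -> Path:
    return min(paths, key=selection_key)

# Constructed candidates for one prefix: a shorter AS path loses to a higher local pref,
# and among equal-length paths an IGP origin beats an incomplete one.
CANDIDATES = [
    Path("10.1.1.1", (65001, 65002), "10.0.0.1"),
    Path("10.2.2.2", (65003,), "10.0.0.2"),
    Path("10.3.3.3", (65004, 65005, 65006), "10.0.0.3", local_pref=200),
    Path("10.4.4.4", (65003,), "10.0.0.4", origin="?"),
]
```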

Why cyberwarfare sounds more like AK-47s than like stealth bombers

A rather insightful article, comparing DDoS to handing out AK-47s by the thousand to militias, and 0-day exploits to the high-precision weaponry used by a professional army.

My personal note: DDoS is like "i zerg rush u, kekeke". And an exploit is like "I'm in ur base, killing ur doodz" to an unsuspecting opponent. :)

Friday, March 13, 2009

Happy birthday, WWW! :)

Monday, March 9, 2009

Switching extracts 1: VLANs, trunks, VTP

VLAN config:

R1(config)# vlan [number]
R1(config-vlan)# ...

NM-16ESW: only ISL VLANs, only vlan database. VTP lives there too.
R1# vlan database
R1(vlan)# vlan [number] name [name]

VLAN assignment:

SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan [number]

OR

SW1(config-if)# switchport access vlan dynamic
SW1(config-if)# vmps server [ip]

Note to self: VMPS

show commands:
show vlan brief
sh run int [num]
sh mac addr int [num] vlan [num]
sh int [num] switchport

Trunks:

ISL - more overhead, encapsulates the whole frame. A non-trunk port discards ISL frames.
.1q - standard, inserts a tag. A non-trunk port forwards the frame regardless of the tag.

Configuring trunks

DTP auto - passive, DTP desirable - active. auto + auto - stays access.
R1(config-if)# switchport mode {dynamic {auto | desirable} | trunk}
R1(config-if)# switchport trunk encapsulation {dot1q | isl | negotiate}
R1(config-if)# switchport trunk native vlan {num}
R1(config-if)# switchport trunk allowed vlan {num1,num2-num3 | add num... | all | except num... | remove num...}

Native VLAN is 1 by default. Passes untagged. Must match on both sides.

NM-16ESW: only .1q trunks, no DTP.

show commands:
sh run
sh int [num] switchport | include trunk
sh int [num] trunk

Note to self: QinQ, GBPT

Troubleshooting trunks:

1. Encapsulation
2. DTP mode (auto, desirable, etc.)
3. Native VLAN
4. Allowed VLANs
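To show what the tagging and native-VLAN rules above mean on the wire, here is an added Python example (my own, not from any Cisco guide): it builds and parses 802.1Q-tagged frames, classifies untagged frames into the receiving port's native VLAN, handles a QinQ double tag, and demonstrates that a native VLAN mismatch silently moves traffic from one VLAN into another, which is why item 3 is on the troubleshooting list. The frame bytes, MAC addresses and helper names are constructed for the example.

```python
import struct

TPID_DOT1Q = 0x8100   # 802.1Q customer tag
TPID_QINQ = 0x88A8    # 802.1ad service tag, used as the outer QinQ tag

def parse_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Classify a frame the way a .1q trunk port receiving it would.

    Tagged frames belong to the VID in the outermost tag; untagged frames are
    placed in the receiving port's native VLAN."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated header")
        tpid = struct.unpack("!H", frame[offset:offset + 2])[0]
        if tpid not in (TPID_DOT1Q, TPID_QINQ):
            break                      # reached the real EtherType
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append({"tpid": tpid, "pcp": tci >> 13, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "tags": tags,
            "vlan": tags[0]["vid"] if tags else native_vlan,
            "ethertype": tpid, "payload": frame[offset + 2:]}

def add_tag(frame: bytes, vid: int, pcp: int = 0, tpid: int = TPID_DOT1Q) -> bytes:
    """Insert a 4-byte tag after the source MAC (the outermost tag is added last)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]

def send_on_trunk(frame: bytes, vlan: int, native_vlan: int) -> bytes:
    """A .1q trunk sends its native VLAN untagged and tags everything else."""
    return frame if vlan == native_vlan else add_tag(frame, vlan)

# Constructed untagged ARP frame: broadcast dst, made-up src MAC, 28 zero payload bytes.
BASE = bytes.fromhex("ffffffffffff001122334455") + struct.pack("!H", 0x0806) + bytes(28)

def native_mismatch_demo(sender_native: int, receiver_native: int) -> int:
    """VLAN the receiver assigns to a frame the sender put in ITS native VLAN.

    With matching natives the frame stays in that VLAN; with a mismatch it
    lands in the receiver's native VLAN instead."""
    wire = send_on_trunk(BASE, sender_native, sender_native)
    return parse_frame(wire, receiver_native)["vlan"]
```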

VTP

1. Advertisements every 5 minutes or when triggered.
2. Config revision number. If an advertisement carries a higher number, it replaces the current info. BEWARE! If lower, the switch replies with its own DB. If the same, it is ignored. Change the domain name on new switches; even better, make them transparent before attaching them. And VERIFY the config revision! (sh vtp status)

Roles:
1. Server - can modify the database.
2. Client - listens for updates.
3. Transparent - ignores updates, but passes advertisements on to others.

VTP Pruning:
Keeps track of ports in downstream switches. If a broadcast/multicast/unknown-unicast frame goes out on VLAN 10 and the downstream switch has no ports in VLAN 10, it is not passed over the downstream trunk.

Config - through global config or the vlan database (C3640 - vlan DB only)
R1(config)# vtp mode {server | client | transparent}
R1(config)# vtp domain [name]
R1(config)# vtp password [pass]
R1(config)# vtp version 2 (OR vtp v2-mode in the vlan DB)
R1(config)# vtp pruning
R1(config-if)# switchport trunk pruning vlan {add | except | none | remove} vlan-list [,vlan[,vlan[,...]]] - (not allowed on C3640)

R1# sh vtp status