Wednesday, January 23, 2013

ASA CX, WSA, ScanSafe Positioning and Differences

Cisco has several products on the market for web content security, and it helps to understand their differences and positioning: the ASA CX Context-Aware Firewall, the Cisco Web Security Appliance (WSA), and the ScanSafe Cloud Security service (also called Cloud Web Security).
These products have some overlapping features but differ in positioning.

Web Security Appliance (WSA)-

The Web Security Appliance is suitable for customers who want:

- A dedicated proxy or web-security gateway
- Comprehensive web content filtering
- Anti-malware scanning
- Data Loss Prevention

ScanSafe is suitable for customers who want:

- Web security for mobile users without the need to backhaul all traffic
- A distributed enterprise with many Internet access points
- Ease of deployment into an existing network

ASA CX Context-Aware Firewall is suitable for customers who want:

- Inline protection
- Full firewall capabilities with some content controls
- Visibility and control of web and non-web protocols and applications that may use non-standard ports (e.g. Skype, P2P, or voice protocols such as H.323 and SIP)


Wednesday, January 16, 2013

WLAN Subnet Sizing Recommendations and Best Practices

Excerpt from the Mobility Design Guide:

"The default behavior of the WLC is to block broadcast and multicast traffic from being sent out the WLAN to other wireless client devices."

In most WLAN designs it is considered safe to use large subnets if broadcast traffic is blocked and there is little multicast traffic.

As long as the WLC is not propagating broadcast/multicast traffic and there are no spanning tree loops, subnet size is not a constraint for the WLAN. The usual recommendation for large deployments is no subnet larger than /20 or /19.

It also depends heavily on the type of traffic, especially broadcast/multicast. So it is NOT advisable to use large subnets where broadcast, multicast or STP loops are present in the network.


Tuesday, January 15, 2013

Differences in Cisco AP SW Images

There are two image types to choose from when ordering any Cisco LAP. The two images are used in the situations given below:

S3G2RK9W8-12423JY - IOS Wireless LAN Recovery: use for controller-based deployments

SWLAP3600I-MESH-K9 - Enterprise Wireless Mesh, AP3600I controller-based SW image: use for wireless mesh deployments only


Saturday, January 12, 2013

LAP Real-Time Functions

One of the most commonly asked questions in the wireless domain is:

"In a centralized architecture, what is the function of the AP?"
"What information is stored on the AP (as a thin client in a centralized architecture) and what on the WLC?"

This is what a LAP (Lightweight Access Point / thin AP) does:

Real-Time 802.11/MAC Functionality:
• Beacon generation
• Probe response
• Power management / packet buffering
• 802.11e/WMM scheduling and queueing
• MAC layer data encryption/decryption
• 802.11 control messages
• Data encapsulation/de-encapsulation
• Translational bridging (H-REAP local switching)

The rest is done by the WLC, which includes (but is not limited to):

Non-Real-Time 802.11/MAC Functionality:
• Association/disassociation/reassociation requests and responses
• 802.11e/WMM (Wi-Fi Multimedia)
• 802.1X/EAP (port-based authentication)
• Key management
• 802.11 distribution services
• 802.11 STA (client/station) services (auth/deauth/privacy)
• Wired/wireless integration services


Wednesday, January 9, 2013

Basics Of Multicast

The most popular and widely deployed multicast routing protocol is Protocol Independent Multicast (PIM). Unlike other multicast routing protocols such as Distance Vector Multicast Routing Protocol (DVMRP) or Multicast Open Shortest Path First (MOSPF), PIM does not maintain a separate multicast routing table but relies on the existing IGP table when performing its Reverse Path Forwarding (RPF) check.

PIM can be configured in Dense Mode, Sparse Mode or Sparse-Dense Mode (hybrid mode).

PIM Dense Mode (PIM-DM)
PIM-DM uses a flood-and-prune mechanism, much like a broadcast. When a source sends to an IP multicast group address, each router that receives the packet creates an (S, G) forwarding state entry. The receiving router initially forwards the multicast packet out of the interfaces that meet the following requirements:
• the packet passed the Reverse Path Forwarding (RPF) check
• the interface has Internet Group Management Protocol (IGMP) receivers

To pass the RPF check, an incoming multicast packet must arrive on the interface through which the IGP routing table indicates the packet's source is reachable.

Note that multicast-enabled interfaces must have corresponding unicast routes to the source in the IGP to avoid black holes. Where equal-cost paths exist, the unicast route with the highest upstream neighbour IP address is chosen. Also, when multiple routers send onto the same subnet, a PIM assert process is triggered to elect a single designated router (DR).
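The RPF check and the equal-cost tie-break described above, as an added example that is not part of the original post. The IGP table, interface names and IGMP membership are constructed for illustration; equal-cost paths are modelled as two entries for the same prefix, and the RPF-passing packet is then handed to the initial PIM-DM forwarding decision.

```python
import ipaddress

# Constructed IGP routing table: (prefix, upstream next-hop, interface). Not from any real device.
IGP_TABLE = [
    ("10.1.0.0/16",   "192.0.2.1",    "Gi0/0"),
    ("10.1.5.0/24",   "192.0.2.9",    "Gi0/1"),   # more specific route wins for 10.1.5.x
    ("172.16.0.0/12", "198.51.100.2", "Gi0/2"),
    ("172.16.0.0/12", "198.51.100.6", "Gi0/3"),   # equal-cost path to the same prefix
]

def rpf_lookup(table, source):
    """Return (next_hop, interface) toward the source using longest-prefix match.
    Among equal-cost entries, PIM prefers the highest upstream neighbour IP."""
    src = ipaddress.ip_address(source)
    candidates = [(ipaddress.ip_network(p), ipaddress.ip_address(nh), intf)
                  for p, nh, intf in table if src in ipaddress.ip_network(p)]
    if not candidates:
        return None                      # no unicast route: black hole, RPF cannot pass
    best_len = max(net.prefixlen for net, _, _ in candidates)
    ties = [c for c in candidates if c[0].prefixlen == best_len]
    _, nh, intf = max(ties, key=lambda c: int(c[1]))
    return str(nh), intf

def rpf_check(table, source, in_interface):
    """True only if the packet arrived on the interface the IGP would use to reach its source."""
    hit = rpf_lookup(table, source)
    return hit is not None and hit[1] == in_interface

def forward_decision(table, source, group, in_interface, igmp_members):
    """Initial PIM-DM behaviour: build (S, G) state with an outgoing interface list (OIL)
    of every interface that has IGMP receivers for the group, excluding the incoming one.
    A packet that fails RPF is dropped and creates no state."""
    if not rpf_check(table, source, in_interface):
        return None
    oil = sorted(intf for intf, groups in igmp_members.items()
                 if group in groups and intf != in_interface)
    return {"source": source, "group": group, "iif": in_interface, "oil": oil}

if __name__ == "__main__":
    members = {"Gi0/0": {"239.1.1.1"}, "Gi0/2": {"239.2.2.2"}, "Gi0/3": {"239.1.1.1"}}
    print(rpf_lookup(IGP_TABLE, "172.20.1.1"))                     # tie-break picks 198.51.100.6
    print(forward_decision(IGP_TABLE, "10.1.5.7", "239.1.1.1", "Gi0/1", members))
```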

(Design Considerations: How to select multicast group address)
When state is created according to the RPF check, a source tree or shortest path tree (SPT) is built with the source at the root (the first-hop router). Multicast packets following the tree take the optimal path through the network, and packets are not duplicated over the same subnets.

Last-hop routers with no receivers then prune back from the tree; however, the outgoing interface list (OIL) entries in the upstream neighbour are kept. These entries periodically (every 3 minutes) move back into a forwarding state and the prune process recurs. PIM-DM is usually not suitable for a WAN environment and is recommended only for small and LAN networks.

PIM Sparse Mode (PIM-SM)
PIM-SM uses an explicit join model, where routers with active receivers join multicast groups. This has advantages over the flood-and-prune mechanism described for PIM-DM. PIM-SM uses a control point known as the Rendezvous Point (RP), a common point where all sources first register themselves and where all receivers first come to learn the source address.

(Multicast does not work with two loopbacks)
First-hop designated routers (the routers with sources attached) register the sources with the RP. When the RP sees the source traffic arriving, it builds an SPT back to the source, so there are (S, G) state entries between the RP and the source. The last-hop designated routers (the routers with receivers attached) join toward the RP hop by hop, creating a shared tree (*, G), where the '*' means any source.

When a source starts transmitting, the initial multicast traffic flows to the RP via an SPT and then down to the receivers for that group via the shared tree (with the RP as the root). Depending on where the RP is positioned, this may result in a non-optimal path to a receiver.

To address this problem, a mechanism known as SPT switchover can be used. The last-hop router, depending on the traffic rate, sends an (S, G) join towards the source to create an optimal SPT forwarding path and, once that is established, sends prunes towards the RP. The decision to create an SPT to the source depends on the SPT threshold, expressed in terms of bandwidth.

PIM Sparse-Dense Mode
This mode is a combination of the two previous modes. The decision to use sparse or dense mode for a particular multicast group depends on whether the group has a matching entry in the Group-to-RP mapping cache. If an entry exists in the cache, that group operates in sparse mode on that interface. If the multicast group has no corresponding entry in the mapping cache, it operates in dense mode.

This mode is required when using the Cisco Auto-RP mechanism to distribute Group-to-RP mappings.


Thursday, January 3, 2013

MPLS QoS Testing Tools

When you set the MPLS experimental (EXP) bits on the PE router for traffic coming from the CE router, you must do it at imposition for QoS treatment. You cannot use topmost because the packet is still an IP packet. On a P router you can set or match on the topmost label for the swap function. On the PE router receiving traffic from the P router you can also set and match on the topmost label.
Whether the customer sets the DSCP/TOS or you set the EXP bits inbound on the PE router, you have to match on the EXP bits as the packet leaves the PE router towards the P router, because at that point it is an MPLS packet, not an IP packet. If a packet is marked by a customer with a DSCP or TOS value, that value is honoured and mapped to an EXP value. The chart below shows the mappings honoured:
Prec  Prec (bin)  DSCP (dec)  DSCP (bin)         EXP  TOS (hex)  TOS (bin)
0     000         0-7         000000 - 000111    0    00-1F      0000|0000 - 0001|1111
1     001         8-15        001000 - 001111    1    20-3F      0010|0000 - 0011|1111
2     010         16-23       010000 - 010111    2    40-5F      0100|0000 - 0101|1111
3     011         24-31       011000 - 011111    3    60-7F      0110|0000 - 0111|1111
4     100         32-39       100000 - 100111    4    80-9F      1000|0000 - 1001|1111
5     101         40-47       101000 - 101111    5    A0-BF      1010|0000 - 1011|1111
6     110         48-55       110000 - 110111    6    C0-DF      1100|0000 - 1101|1111
7     111         56-63       111000 - 111111    7    E0-FF      1110|0000 - 1111|1111
You can verify your QoS policies with the ip telnet tos <hex> command. This works well: for example, if you want to generate traffic with a TOS value of 6 or a DSCP value of 54, you would use the command ip telnet tos 11000000. Telnet from one CE router to the other CE router and the telnet traffic will be marked with TOS 6 or DSCP 54.

After you configure ip telnet tos xx on an edge device, telnet to the far end of your network and run some commands to generate telnet traffic. Then use "show policy-map interface" and look at the packets matched to see whether your policy is configured correctly.

You can also see the TOS or DSCP value set on IP traffic traversing the network by using ip accounting precedence output or input on the PE or CE router, and then the show interface precedence command.
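The bit layout behind the chart above, as an added example that is not from the original post: it decodes a TOS byte into IP precedence and DSCP, shows the EXP value the precedence bits map to at imposition, and rebuilds each row of the chart from the precedence alone so a marking value can be checked before it is used with ip telnet tos. The function names are this example's own.

```python
def decode_tos(tos_byte):
    """Decode one 8-bit TOS/DS byte: precedence is the top 3 bits, DSCP the top 6.
    The default imposition mapping copies the precedence bits into EXP."""
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("TOS byte must fit in 8 bits")
    precedence = tos_byte >> 5
    dscp = tos_byte >> 2
    return {
        "precedence": precedence,
        "dscp": dscp,
        "exp": precedence,
        "tos_hex": f"{tos_byte:02X}",
        # same nibble|nibble notation as the chart's TOS (bin) column
        "tos_bin": f"{tos_byte >> 4:04b}|{tos_byte & 0xF:04b}",
    }

def chart_row(precedence):
    """Rebuild one chart row: all TOS bytes whose top 3 bits equal this precedence."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence must be 0-7")
    lo, hi = precedence << 5, (precedence << 5) | 0x1F
    return {
        "precedence": precedence,
        "dscp_range": (lo >> 2, hi >> 2),
        "dscp_bin": f"{lo >> 2:06b} - {hi >> 2:06b}",
        "exp": precedence,
        "tos_hex": f"{lo:02X}-{hi:02X}",
        "tos_bin": f"{decode_tos(lo)['tos_bin']} - {decode_tos(hi)['tos_bin']}",
    }

def mapping_chart():
    """The full precedence/DSCP/EXP/TOS chart, one row per IP precedence value."""
    return [chart_row(p) for p in range(8)]

def telnet_tos_check(tos_hex_string):
    """Given the hex argument for 'ip telnet tos', return the markings to expect in
    'show policy-map interface' counters on the CE side (DSCP) and core side (EXP)."""
    return decode_tos(int(tos_hex_string, 16))

if __name__ == "__main__":
    for row in mapping_chart():
        print(row["precedence"], row["dscp_range"], row["exp"], row["tos_hex"], row["tos_bin"])
    print(telnet_tos_check("D8"))
```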


Wednesday, January 2, 2013

Which Routing Protocol To Select? OSPF Vs EIGRP

Most of the time, network administrators and planners want to understand which routing protocol is best to deploy for their network. The selection between OSPF and EIGRP is based on the following points:

1. Between OSPF and EIGRP which one is the best to deploy and why?
2. Which protocol converges faster and highly available?
3. Which protocol uses fewer resources?
4. Which protocol is easier to deploy and operate?
5. Which protocol is easier to understand and configure?
6. Which protocol is easier to scale in large network?
7. Which protocol is more scalable and easy to adopt changes?

Every protocol has its own merits and demerits. OSPF is a link-state routing protocol within its own area and behaves like a distance-vector routing protocol from one area to another; EIGRP is a distance-vector routing protocol, though in fact not a pure one.

Convergence speed depends on the number of routers and routes involved in the network: the larger these numbers, the longer convergence takes. Convergence speed also depends on the various attributes defined in the Fast Convergence Tools.

At a broader level, the points below can be used at a high level to understand each protocol at its best:

1. EIGRP uses a metric based on bandwidth, delay, reliability, load and MTU, whereas OSPF uses an interface cost that is inversely proportional to bandwidth. EIGRP is considered best in terms of selecting a path on multiple attributes.
2. EIGRP is proprietary to Cisco whereas OSPF is based on an open standard.
3. EIGRP sends hop-by-hop queries when no feasible successor is found, whereas OSPF syncs its LSA database (LSA types 1, 2, 3, 4 and 5) whenever the network topology changes. EIGRP is considered best as it minimizes the routing information exchanged.
4. EIGRP is simpler to understand whereas OSPF has a lot more to understand. It depends how comfortable you are with each when choosing between them.
5. EIGRP does automatic summarization whereas OSPF doesn't.
6. EIGRP supports both equal- and unequal-cost load sharing whereas OSPF doesn't.
7. EIGRP limits its usage to 50% of the link bandwidth whereas OSPF can use 100%.
8. EIGRP converges faster when it has a feasible successor, which OSPF doesn't have. Still, there are many tools available to make OSPF better in terms of convergence.

Even after so many years, we can't say that one protocol is better than the other. It all depends on your business requirements, your understanding, the behaviour of the deployed applications and the network design. So the decision is absolutely yours.
