Cisco Hands On Training Podcast
Summary: These podcasts include recordings of hands-on Cisco exercises. I recommend you scrounge or buy 3 routers, build a triangle, and follow along.
The linked video demonstrates RIPng, our first dynamic routing protocol for IPv6. This is a simple but inefficient routing protocol. The metric is based on the number of router hops, with no provision for differentiating between links with drastically different bandwidth (a frame-relay hop has the same cost as a 10-gigabit-ethernet hop in RIPng). Each router multicasts its entire routing table out each interface every 30 seconds, which wastes router CPU. RIPng routinely takes minutes to reroute around network failures.
RIPng does have the refinements added in RIPv2. For example, it multicasts its route updates. It is also capable of including tags in the route updates. The big advantage of RIPng is that it is simple to understand. But in production that is not good enough. RIPng is a perfect protocol for a computer science student to implement as a class project due to its simplicity, but having the PBX unreachable for 3-5 minutes while routing reconverges is unacceptable in a business environment.
In this hands-on exercise, we configure IPv6 addresses on 3 routers in a triangle. Then we configure IPv6 static routes to allow the 6 IPv6 subnets (3 loopback, 3 P2P links) to be accessible on all 3 routers.
Static routes are easy to understand. At first glance they appear simple: you just manually configure which next-hop to use for each destination subnet. But in actual use they are very complex. In our example with 3 routers and 6 subnets, we end up using 12 static route commands to implement our routing. Even then we do not achieve full redundancy, because static routes do not reroute around network failures. Even a small production network of approximately 20 routers would require too many static route commands for a static-route implementation to be feasible. In the real world, using dynamic routing protocols to minimize manual configuration (minimizing both effort and errors) is necessary to achieve a robust environment.
That said, static routes are sometimes useful at the edge of your network. You redistribute static routes into your routing protocol at the edge of your network, where you don't want to dynamically route with routers outside your administrative control. The goal there is just to use the static route to inject a route into your routing protocol, not to use the static route as your primary routing mechanism.
In 2003, I made a VOIP call from home while downloading a large email attachment. The DSL line saturated and my audio quality became horrible while VOIP packets (and email packets) were being dropped. Doubling the bandwidth to my home would not have solved this problem. The email download would simply have been faster, but the VOIP call would still have suffered packet loss.
The solution to this problem is 'quality of service' (QOS). Some applications, particularly realtime interactive applications, are sensitive to packet loss. Other applications, particularly bulk data traffic (including email, ftp, backups, software update downloads), are not time sensitive and can have their traffic delayed in favor of the realtime traffic. QOS is the network function where certain applications and traffic are prioritized over others that are deemed less urgent.
The creators of the Internet Protocol version 4 understood that quality of service was a requirement. They included the 'type of service' field in the IPv4 header when it was specified in 1981. When developing IPv6, they cleaned up unnecessary header fields, but they still kept the 'class of service' field in the base IPv6 header. Every Internet Protocol packet sent on the Internet since 1983 (when IPv4 went live) has included this service field in the header to enable QOS functionality.
In September 2009, Julius Genachowski, chairman of the FCC commissioners, proposed two new 'network neutrality' principles. Among them was the "principle of nondiscrimination." This proposed principle states 'broadband providers cannot discriminate against particular Internet content or applications.'
While there is a valid concern that ISPs may choose to impede applications or content from competitors, the current proposal as stated seems to restrict ISPs from using QOS to prioritize traffic for realtime applications and deprioritize traffic for bulk data applications.
Due to the apparent attempt to ignore a fundamental building block of the Internet, I oppose the proposed 'principle of nondiscrimination' as written. ISPs need to prioritize realtime applications while deprioritizing non-realtime bulk-data-transfer applications. In addition, ISPs need the freedom to block applications which do not 'play nicely' in a bandwidth-constrained environment. Network engineers know that sometimes particular applications need to be blocked to allow the majority of the network (and the majority of customers) to enjoy adequate performance.
The linked video introduces IPv6 theory. IPv6 is the 128-bit address replacement for IPv4. The Internet is expected to run out of its 4 billion IPv4 addresses in 2012. IPv6 will replace IPv4 at the network layer of the OSI stack. By replacing one layer in the stack, most applications and most layer-2 network devices will continue to function. IPv6 includes several technical improvements over IPv4. IPv6 uses optional extension headers, so only packets requiring special options will carry those headers. As a result most IPv6 packets will have simpler headers than their IPv4 counterparts. IPv6 eliminates broadcast, and instead uses multicast for most neighbor discovery functions. This is more efficient CPU-wise because hosts only need to subscribe to the multicast groups they require. IPv6 hosts use stateless autoconfiguration to acquire link-local and internet-routable IPv6 addresses. In many cases this can eliminate the need for a separate DHCP server. And of course IPv6 includes 128-bit addresses, allowing 256 billion billion billion billion hosts. The migration from IPv4 to IPv6 will be the highlight and most significant change of our networking careers. Most of us were not in this business during the IPv3 to IPv4 migration on January 1st 1983 (a 'flag day' migration). Odds are IPv6 will remain the dominant internet protocol until after we retire. A PDF version of my presentation will be attached to the comments section.
The linked video provides guidance for optimal IOS version selection.
The large number of IOS versions makes choosing the best version for your router or switch difficult. You must pick the most reliable version which includes the features you need. Different IOS "packages" have different features. For example, the "LAN base" package includes basic switching code. "IP base" adds access-layer routing features (RIP and EIGRP-stub). "IP services" adds most layer-3 routing protocols (OSPF, EIGRP, BGP). "Advanced IP services" adds IS-IS and MPLS.
Picking a version also means picking one with the recently introduced features you need. For example, 16-port 10-gigabit ethernet card support was added to the 6500 line in 12.2(33)SXH code. If you require that card, you cannot pick an older version, such as 12.2(18)SXF. The release notes include details on recently added features.
Finally, of all the versions that have the features you require, you want to pick the most stable version. That means picking a version that has been "rebuilt" with many bugfix-only releases. Picking 12.4(2)T, where 60 new features were just introduced, would be a bad idea. On the other hand, 12.4(23) (the lack of a letter means it is a mainline release) would be a good choice, because that release has undergone dozens of rebuilds since significant numbers of features were introduced.
In this video demonstration, we show an example of writing IOS Access Control Lists (ACLs) on a home router. We use the revision control system (RCS) to maintain the master ACL file and push the ACLs to the router via TFTP. This is similar to many production networks, where maintaining comments and old revisions of ACLs is a requirement. We also show examples explaining the "don't care bit" format of IOS ACLs. Many network engineers mistakenly refer to the format as inverse-netmask, but that is incorrect.
PIXes, FWSMs, and ASAs use a netmask format for ACLs. It is vitally important not to make the mistake of accidentally pushing a netmask-format ACL line to an IOS device. That sort of error could result in an unplanned hole in your firewall and a serious security incident.
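As an added example (written for this page, not the podcast's own script), a pre-push check in Python that classifies each address/mask pair in an IOS access-list entry as don't-care (wildcard) format or PIX/ASA netmask format, and reports how many addresses the IOS device would actually match if a netmask slipped through. The ACL lines in SAMPLE_ACL are constructed for the demonstration.

```python
import ipaddress
import re

DOTTED = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def _power_of_two(x: int) -> bool:
    return x > 0 and (x & (x - 1)) == 0

def mask_shape(mask: str) -> str:
    """'wildcard' (IOS don't-care, 0s then 1s), 'netmask' (PIX/ASA, 1s then 0s), 'either', or 'noncontiguous'."""
    n = int(ipaddress.IPv4Address(mask))
    wild = _power_of_two(n + 1)                  # 0...01...1 form
    net = _power_of_two((~n & 0xFFFFFFFF) + 1)   # 1...10...0 form
    return "either" if wild and net else "wildcard" if wild else "netmask" if net else "noncontiguous"

def netmask_to_wildcard(mask: str) -> str:
    """Invert a PIX/ASA netmask into the equivalent IOS don't-care mask."""
    return str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF))

def addresses_matched(wildcard: str) -> int:
    """How many addresses an IOS entry matches: one per combination of its don't-care bits."""
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")

def check_ios_ace(line: str) -> list:
    """Problems found in one IOS access-list entry; an empty list means it is safe to push."""
    problems, tokens, i = [], line.split(), 0
    while i < len(tokens):
        if tokens[i] == "host":                  # 'host a.b.c.d' carries no mask
            i += 2
            continue
        if i + 1 < len(tokens) and DOTTED.match(tokens[i]) and DOTTED.match(tokens[i + 1]):
            addr, mask = tokens[i], tokens[i + 1]
            shape = mask_shape(mask)
            if shape == "netmask":               # ASA-style mask: IOS would read it as a wildcard
                fixed = netmask_to_wildcard(mask)
                problems.append(f"{addr} {mask}: netmask format; IOS would match "
                                f"{addresses_matched(mask):,} addresses instead of "
                                f"{addresses_matched(fixed):,}; use {addr} {fixed}")
            elif shape == "noncontiguous":
                problems.append(f"{addr} {mask}: non-contiguous mask, verify the intent")
            i += 2
            continue
        i += 1
    return problems

# Constructed sample lines: the second carries an ASA-style netmask by mistake.
SAMPLE_ACL = [
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 22",
    "access-list 101 permit tcp 10.1.1.0 255.255.255.0 host 192.0.2.10 eq 22",
]
```

Run check_ios_ace over every line of the RCS master file before the TFTP push; the second sample line is flagged because IOS would read 255.255.255.0 as "ignore the first three octets" and match 16,777,216 addresses instead of 256.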
IOS routers can act as DHCP clients and DHCP servers. They can also function as Network Address Translation (NAT) devices. In this video we show a demonstration using a 2621 as a DHCP client, server, and NAT translation device for my home network.
It's important to understand that most IOS routers have relatively slow CPUs. An IOS router is fine as a DHCP server for a few dozen clients. But if you try to serve thousands of DHCP clients you are likely to fail and suffer an outage.
IOS routers can also work as network address translation devices. IOS NAT is "ok", but for real high-capacity NAT (thousands of users) you want to use a device designed to handle high-capacity NAT. PIXes, FWSMs, and ASAs are excellent NAT devices.
In this episode we show a video demonstration of the hot standby router protocol. This is a Cisco proprietary redundancy protocol. The purpose is to allow two routers to share one virtual IP address on an access subnet/vlan. Hosts on the subnet can use the virtual IP for their default route. This way if one router goes down the redundant router will assume the virtual IP address, preventing a loss of connectivity to the hosts on the net.
HSRP is configured with the "standby ip" group of commands in interface configuration mode on the router.
VRRP is the virtual router redundancy protocol. It is similar to HSRP but is vendor independent.
GLBP is the generic load balancing protocol. It can also replace HSRP and is vendor independent. It has the added ability to load-balance the traffic between both routers. Using this feature you could configure approximately half the traffic to use each redundant router.
Almost all enterprise networks use HSRP, VRRP, or GLBP to provide virtual IP addresses for each access subnet.
This video demonstrates layer-2 convergence in less than 2 seconds thanks to rapid spanning-tree.
Rapid per-vlan spanning-tree is configured with "spanning-tree mode rapid-pvst".
The rapid spanning tree protocol, 802.1w, is the answer to the slow convergence time of the historic 802.1d spanning-tree protocol. Rapid spanning tree replaces timers with triggered updates. Switches almost never wait for a timer to expire. When converging on a new switch-to-switch link they will start with the port in the discarding state. The upstream switch (closest to the root bridge) will send a proposal to the downstream switch. The downstream switch will put all other downstream switch-to-switch (P2P) ports into the discarding state (preventing a loop) and then accept the proposal. Once the proposal is accepted, the switches will forward on the new link. Then the downstream switch will repeat the procedure on each downstream P2P link. While seemingly complex, because none of these actions wait for a timer to expire, the end result is spanning-tree reconvergence in seconds. Edge ports (going to end hosts) are known because they are configured with "spanning-tree portfast". Edge ports never go into the discarding state because they cannot create a bridging loop.
Rapid spanning-tree incorporates improved versions of the backbonefast and uplinkfast improvements, making configuration of those features unnecessary. It is still possible to configure bpduguard, rootguard, and loopguard. Configuring portfast is essential to identify edge ports.
When you have two different links between the same two switches, normally spanning tree will forward on one and block on the other. This means half of your bandwidth is sitting idle. An etherchannel is a way to bind two links into one logical link with twice the bandwidth. In addition to increased bandwidth, etherchannels fail over in a fraction of a second. So the failure of one physical link in a multi-link etherchannel will not result in a significant outage.
The port aggregation protocol (PAgP) is a Cisco proprietary protocol that switches use to determine whether to bundle multiple links into an etherchannel. PAgP is similar to DTP, in that it has "desirable" and "auto" modes. One difference is that ports configured in etherchannel "on" mode do not speak the PAgP protocol, resulting in a mismatch with a PAgP-speaking switch at the other end of the link.
The link aggregation control protocol (LACP) is a standards-based replacement for PAgP. If you want to dynamically negotiate etherchannels with non-Cisco gear (including some servers), LACP is the way to go.
One big advantage of dynamically negotiating etherchannels is that the negotiation protocols will help prevent etherchannel mismatches. Setting the etherchannel to "on" can get you into trouble if the two channel members go to different switches, or go to a switch without etherchannel configured.
VTP is the VLAN trunking protocol. It's used to disseminate uniform vlan information between switches over 802.1q or ISL trunks. It can also "prune" vlans, dynamically removing unneeded VLANs from trunks. This decreases unneeded frame flooding.
VTP can eliminate outages thanks to the uniform VLAN configuration. But it can also cause outages if incorrect VLAN information is uniformly distributed.
We also attempt a loopguard demonstration, but it doesn't work out well. We'll have to revisit the documentation because it's obvious loopguard is not acting as I expect.
Switches can have multiple vlans. When we connect switches together we use 802.1q trunks (or older ISL trunks) to run multiple vlans over one physical link. With either trunking protocol, a tag is added to the ethernet frame with the vlan information. ISL is an older Cisco-proprietary trunking protocol. Newer switches do not even support ISL. Newer switches use the vendor-independent 802.1q trunking protocol. Cisco switches also speak the dynamic trunking protocol (DTP) to dynamically negotiate whether to enable a trunk.
We cover intermediate spanning tree concepts: the importance of specifying your root bridge and backup root bridge with spanning-tree priority; using portfast to allow host ports to start forwarding without waiting for 30 seconds; using bpduguard to disable portfast-enabled ports where someone erroneously plugs in a switch; using errdisable timeout to automatically re-enable those ports after 15 minutes; using rootguard to prevent improper switches from becoming your spanning-tree root; the dangers of using bpdufilter to ignore and delete BPDUs; how uplinkfast can enable access switches to fail over between uplinks without delay; and using backbonefast to improve responsiveness to indirect link failures by eliminating the need for the 20 second maxage timeout.
VLANs are a feature of ethernet switches which makes them act like multiple "virtual switches". Each VLAN is a separate broadcast domain and can be configured with a separate subnet. That way you could have separate subnets for separate purposes (IT, accounting, network management) on one physical switch. This saves money and cabling while decreasing complexity. Spanning tree is a protocol which allows you to build redundant loops out of ethernet switches without suffering a bandwidth outage due to looping ethernet frames. Spanning tree blocks ports in your switch mesh to change a topology of loops into a non-looping tree. Then if you suffer a link outage, spanning tree will reconverge into a new fully operational tree. This reconvergence may take significant time (30-50 seconds) with the old spanning tree protocol. More modern improvements to the spanning tree protocol, including RSTP (rapid spanning tree) and MST (multiple spanning tree), will be covered in a later episode.
So far we've talked about how IPv4 encodes data into a packet, and how routers learn which direction to forward those IPv4 packets based on the destination IP address and the route table. But in the end, routers and hosts need to encode the IPv4 packet onto a physical medium. Examples of physical media include fiber, twisted pair, coax, radio waves, lasers, and microwaves. Each encoding rate and medium requires a specification or protocol definition. Ethernet is a family of similar encoding specifications which is dominant on the Internet today. Ethernet uses a 48-bit address known as a MAC address or hardware address. There are ethernet specifications for speeds ranging from 10 megabit to 10 gigabit and for various copper and fiber physical media. Using ethernet requires the ability to map an IPv4 address to a MAC address. That is accomplished using the address resolution protocol (ARP). In this episode, we introduce the ethernet frame format, ethernet addresses, and how ARP works.