
Posts

Showing posts from April, 2011

QoS: What happens at the Service Provider PE?

A while back I wrote an article on DSCP QoS over MPLS ( http://etherealmind.com/dscp-qos-over-mpls-thoughts/ ); since then I have been working on some service provider networks and thought this would be a good opportunity to expand on what happens at the PE with regard to the mapping of DSCP to the Experimental bits (Traffic Class).


CE to PE
I have put together a diagram to help illustrate how the traffic of many different customers is aggregated at the service provider's PE.

[Diagram: CEtoPEQoS]

We can see in this example that each customer has different bandwidth requirements for voice and other traffic. We should also note that the PE is where we cross from the customers' IP VRF domains into the Service Provider's MPLS domain; once traffic is inside the MPLS core we lose the ability to identify traffic on a per-customer basis (in relation to QoS), because the core only looks at the label and its three EXP bits. When the traffic moves from the IP VRF domains t…
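As an added example (not from the original post) of what the PE does on the CE-facing interface: the customer's DSCP markings are classified, the voice class is policed to the bandwidth that customer has bought, and the result is written into the MPLS EXP bits at label imposition. The interface, VRF name, class names, rates and the DSCP-to-EXP assignments are assumptions for illustration.

```ios
! Added example, not from the original post. Names, rates and mappings are illustrative.
! Customer A: 2 Mbit/s of voice, a small critical class, everything else best effort.
class-map match-any CUSTA-VOICE
 match dscp ef
class-map match-any CUSTA-CRITICAL
 match dscp af31 af32 af33 cs3
!
! Applied on ingress, so EXP is set before the label is pushed.
! Without an explicit "set", IOS copies the top 3 bits of the DSCP into EXP,
! which is why AF31, AF32, AF33 and CS3 all collapse into EXP 3 by default.
policy-map PE-INGRESS-CUSTA
 class CUSTA-VOICE
  police cir 2000000 conform-action set-mpls-exp-imposition-transmit 5 exceed-action drop
 class CUSTA-CRITICAL
  set mpls experimental imposition 3
 class class-default
  set mpls experimental imposition 0
!
interface GigabitEthernet0/0/1.100
 description Customer A CE-facing sub-interface
 encapsulation dot1Q 100
 ip vrf forwarding CUSTA
 ip address 192.0.2.1 255.255.255.252
 service-policy input PE-INGRESS-CUSTA
```

The police line and the rewrite of class-default to EXP 0 are the part that matters from a trust point of view: the CE is outside the provider's control, so a customer that marks everything EF must not be able to take more of the core's voice queue than it pays for. Verify the counters with show policy-map interface GigabitEthernet0/0/1.100; remember that once the packet is labelled, every customer's traffic shares the same eight EXP values.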

ASR1006 Dual Route Processors Password Recovery - Tip

I recently ran into an issue when trying to perform dual route processor password recovery on a Cisco ASR1006.
Problem
After breaking into ROMMON mode and using confreg to ignore the startup configuration, during the reset the ASR1006 loaded the startup configuration anyway!
Solution
Quick and simple: I pulled one of the RPs and performed password recovery running on a single RP. All went according to the Cisco documentation:

http://www.cisco.com/en/US/docs/routers/asr1000/install/guide/routers/asr1_hwc.html#wp1045971



After the system running on a single RP was recovered and fully booted, I waited for 5 minutes just to be sure; then I inserted the second RP and allowed everything to sync up.



All was well again :) phew



Note: The system was previously fully functioning with dual RPs; a configuration error was made during TACACS+ configuration, which resulted in a lockout.


Summary
I hit an issue recovering an ASR with dual RPs, so rather than spending hours researching, I decided very quickly to go …

No Service Password Recovery - It is not the end of the world

Myth
Having a chat with some people, this came up in conversation: "no service password-recovery", and people seemed to be taking it quite literally, e.g. if you forget your password the device is dead and needs to go back to Cisco. Not being a security guy I thought OK, but it was bothering me. So a quick lookup on Cisco: http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gtnsvpwd.html
Fact
In fact what this feature does is prevent you from getting access to the startup configuration: you can still recover the device, but only to FACTORY DEFAULT, so the config (and any secrets in it) is gone. That is the point of the feature: someone with console access can no longer use the ROMMON config-register trick to boot past the startup config and then read it. Of course you will have a backup of the config, so it should be no big deal to switch this feature on for every device, assuming the device supports it.



Take note of the comments:

"Before deploying this feature, TEST the password recovery. Some platforms (based on ROMMON version) are EXTREMELY hard to recover."

http://blog.ioshints.info/2007/12/recovering-from-disabled-password.html

Thanks Ivan

Are you VRF aware?

Virtual Routing and Forwarding
VRFs (Virtual Routing and Forwarding instances) have been around for a long time in the world of service providers; we are now seeing VRF capabilities in the world outside service providers as well.

A VRF has its own routing instance in a router (its own routing table), and the instance is generally assigned to an interface; that interface then belongs only to that particular VRF. So, for example, you could have a Management VRF that is connected to a separate management network.
Management Processes need to know
If you assign an interface in a VRF for management then the management processes:

TACACS
SNMP
SSH
TELNET
NTP
NETFLOW
etc.....

need to know, i.e. "be VRF aware", because by default they run against the Global (default) routing table and will never reach a server that is only reachable inside the VRF.
Examples
TACACS
aaa group server tacacs+ Management
server-private 10.100.100.1 timeout 15 key mysecretket
ip vrf forwarding Management-VRF
ip tacacs source-interface Loopback10
NETFLOW
flow exporter MYFLOW destinatio…
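The same pattern carried through for the other processes in the list (SNMP, NTP and syslog), plus the vty access-class caveat that affects SSH and Telnet, as an added example that is not from the original post. The VRF name Management-VRF and Loopback10 follow the TACACS example above; the server addresses, community string and ACL name are assumptions. The non-VRF-aware lines are shown first so the difference is visible.

```ios
! Added example, not from the original post. Addresses, community and ACL name are illustrative.
!
! Not VRF aware: each of these is looked up in the global routing table and
! never reaches a server that is only reachable inside Management-VRF.
snmp-server host 10.100.100.2 version 2c MYCOMMUNITY
ntp server 10.100.100.3
logging host 10.100.100.4
!
! VRF aware: the management loopback lives in the VRF and every process
! is told which VRF to send from. "ip vrf forwarding" clears any address
! already on the interface, so the address is configured after it.
ip vrf Management-VRF
!
interface Loopback10
 ip vrf forwarding Management-VRF
 ip address 10.100.100.254 255.255.255.255
!
snmp-server host 10.100.100.2 vrf Management-VRF version 2c MYCOMMUNITY
snmp-server trap-source Loopback10
!
ntp server vrf Management-VRF 10.100.100.3 source Loopback10
!
logging host 10.100.100.4 vrf Management-VRF
logging source-interface Loopback10
!
! Inbound SSH/Telnet arriving on a VRF interface is accepted by IOS without
! extra config, but an access-class on the vty lines refuses sessions that
! arrive via a VRF interface unless "vrf-also" is added.
ip access-list standard MGMT-HOSTS
 permit 10.100.100.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
```

Check each process from the VRF's point of view rather than the global table: show ip route vrf Management-VRF 10.100.100.2 confirms the SNMP host is reachable in the right table, and show ntp associations and show logging confirm the sessions are actually up. The vrf-also keyword is the one most often missed, because the lockout only appears after the access-class is added to an otherwise working VRF-based management setup.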