Month: September 2013

CCDA 640-864 Summary Notes – Chapter 6 – Day 14



Exam Topic 3: WAN Design Methodology

Use PPDIOO Methodology. Key concepts:

  • Analyze the network requirements
    • Application type
    • Traffic volume
    • Traffic patterns
  • Characterize existing network
  • Design topology
    • should be flexible and have room for growth
  • Implement High Availability. Consider:
    • Response time
    • Throughput
    • Reliability
  • Application requirements
    • Data File transfer
      • Reasonable response time (time between the client user request and the response from the server host)
      • High Throughput (throughput – measure of data transferred from one host to another in a given amount of time)
      • Medium packet loss tolerance
      • Reliability: Reasonable downtime (Reliability – measure of a given application’s availability to its users + whether the service is performing as it should)
    • Interactive Data Applications
      • < 1sec response time
      • Low Throughput
      • Low packet loss tolerance
      • Reliability: Low downtime
    • Real Time Voice
      • RTT < 250 ms (delay + jitter)
      • Low throughput
      • Low packet loss tolerance
      • Reliability: Low downtime
    • Real Time Video
      • Min delay and jitter
      • High throughput
      • Medium packet loss tolerance
      • Reliability: Minimum downtime

Bandwidth

Bandwidth considerations for different mediums

  • Copper
    • < 2 Mbps
      • Serial
      • ISDN
      • FrameRelay
      • TDM
      • ADSL
    • 2 – 45 Mbps
      • Frame Relay
      • Ethernet
      • ADSL
      • Cable, T3
    • 45 – 100 Mbps
      • Fast Ethernet
    • 100Mbps – 10 Gbps
      • GE
      • 10GE (10GBaseCX4)
  • Fiber
    • < 2 Mbps: not applicable
    • 2 – 45 Mbps
      • Ethernet
    • 45 – 100 Mbps
      • FE
      • ATM
    • 100Mbps – 10 Gbps
      • GE
      • 10GE
      • ATM
      • SONET/SDH
      • POS
      • dark fiber
  • Wireless
    • < 2 Mbps
      • 802.11b
    • 2 – 45 Mbps
      • 802.11b
      • wireless WAN (varies)
    • 45 – 100 Mbps
      • 802.11a/g
    • 100 Mbps – 10 Gbps
      • 802.11n

Link utilization thresholds

  • 50 to 60 %: plan for more bandwidth and monitor the link closely
  • 75 % and above: immediate attention is required to avoid congestion and packet loss

WAN Link Categories

Private

  • Use:
    • Connects distant LANs
  • Cost:
    • Expensive. Owner must buy and maintain
  • Advantages:
    • High security
    • Transmission Quality
  • Examples:
    • Metro Ethernet using dark fiber

Leased

  • Use:
    • Connects distant LANs
  • Cost:
    • High Cost. Equipment is leased or private
  • Advantages:
    • Maintenance is done by provider
    • Dedicated bandwidth
  • Examples:
    • TDM
    • SONET

Shared

  • Use:
    • Shared circuit or packet-switched WAN
  • Cost:
    • Fair
    • Leased bandwidth
    • Leased or private equipment
  • Advantages:
    • Provider responsible for maintenance
    • Shared network for multiple sites
  • Examples:
    • MPLS
    • Frame Relay

Cost Types:

  • Fixed
    • network equipment
    • circuit provisioning
    • network management tools
  • Recurring
    • service provider monthly WAN service fees
    • maintenance costs of the WAN
    • network operations personnel

Bandwidth Optimization using QoS

QoS ensures that the most critical traffic gets the best treatment and available bandwidth in times of congestion

QoS Mechanisms:

Queuing – the process of buffering traffic that is used by network appliances when the rate of incoming traffic is greater than the rate at which they are processing the traffic

Classification – the process of identifying and marking traffic. Traffic is assigned a priority according to its type. Example: NBAR, which performs deep packet inspection to identify the type of traffic; it can identify traffic at the application layer, including traffic that does not use standard ports. Committed Access Rate (CAR) also supports classification by means of an access list.

Congestion Management – handles traffic when congestion is present, using different queuing techniques. A router has two types of queue: the hardware queue and the software queue. The hardware queue always services traffic on a first-in, first-out (FIFO) basis. The software queue is used only when there is congestion; it schedules traffic with the chosen queuing technique (and can police or shape it) before handing it to the hardware queue.

Priority queuing (PQ): traffic is placed in one of four output queues: high, medium, normal (the default) or low. The high-priority queue must be emptied before the lower queues are serviced, which can lead to queue starvation.

Custom queuing (CQ) is a legacy queuing method that is fairer than PQ. Traffic is placed in up to 16 output queues, each with a configurable byte count, and every queue is serviced in turn, so none is starved.

Weighted Fair Queuing (WFQ): traffic is separated into flows and each flow is assigned a weight. Low-volume (interactive) flows are scheduled ahead of high-volume flows, so no single flow monopolises the link. Default on serial interfaces of 2 Mbps (E1) and below.

Class-Based Weighted Fair Queuing (CBWFQ), configured with the Modular QoS CLI (MQC): an enhancement of WFQ that is modular in nature. Traffic classes are user defined and each class has its own queue. After traffic is matched to a class, its characteristics (bandwidth, queue limit) can be set. When congestion occurs, only the guaranteed characteristics are provided.

Low Latency Queuing (LLQ) = PQ + CBWFQ. The PQ part prioritises delay-sensitive traffic, but the priority queue is policed to a maximum bandwidth so that it cannot starve the other queues.

Traffic shaping and policing are used for congestion avoidance.
Shaping slows down the rate at which traffic leaves an interface so that it stays within the committed information rate (CIR); the provider then has no reason to drop excess traffic. It eliminates bottlenecks caused by data-rate mismatches. Shaping uses a token bucket technique and buffers (delays) excess packets rather than dropping them.
Policing (CAR) uses the leaky bucket technique to limit the amount of traffic entering an interface. Policing can be configured to drop (or re-mark) packets that exceed the rate.
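The queuing and shaping/policing behaviour described above, as an added example that is not part of these notes: a small byte-level simulation in Python. A token bucket meters traffic and is used both as a policer (non-conforming packets dropped) and as a shaper (non-conforming packets buffered until tokens accrue). The scheduler then compares strict priority queuing, which starves the lower queues once the priority class offers more than the link can carry, with LLQ, where the priority class is policed by the same token bucket and the remaining bandwidth is shared between class queues in proportion to configured weights (a CBWFQ-style deficit round robin). The packet sizes, link rate, bucket parameters and weights are constructed values, not figures from the notes.

```python
from collections import deque


class TokenBucket:
    """Meter shared by policing and shaping: `rate` bytes of tokens arrive per tick,
    up to a depth of `burst` bytes."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens = rate, burst, burst

    def refill(self):
        self.tokens = min(self.burst, self.tokens + self.rate)

    def conform(self, size):
        """Spend tokens for a packet of `size` bytes if enough are available."""
        if size > self.tokens:
            return False
        self.tokens -= size
        return True


def police(arrivals, rate, burst):
    """Policer (CAR-style): packets exceeding the rate are dropped on the spot.
    `arrivals` is a list of ticks, each a list of packet sizes in bytes.
    Returns (bytes sent, packets dropped)."""
    bucket, sent, dropped = TokenBucket(rate, burst), 0, 0
    for tick in arrivals:
        bucket.refill()
        for size in tick:
            if bucket.conform(size):
                sent += size
            else:
                dropped += 1
    return sent, dropped


def shape(arrivals, rate, burst, depth=50):
    """Shaper: excess packets are buffered and released as tokens accrue; a drop
    happens only when the `depth`-packet buffer overflows.
    Returns (bytes sent, packets dropped, deepest backlog seen)."""
    bucket, backlog = TokenBucket(rate, burst), deque()
    sent = dropped = deepest = 0
    for tick in arrivals:
        for size in tick:
            if len(backlog) < depth:
                backlog.append(size)
            else:
                dropped += 1
        bucket.refill()
        while backlog and bucket.conform(backlog[0]):
            sent += backlog.popleft()
        deepest = max(deepest, len(backlog))
    return sent, dropped, deepest


def schedule(arrivals, link, weights, priority_police=None, depth=20):
    """Output scheduler for an interface that sends `link` bytes per tick.
    The 'voice' queue is strict priority: plain PQ when priority_police is None,
    LLQ when a TokenBucket polices it. The other classes share whatever budget is
    left in proportion to `weights` (CBWFQ-style deficit round robin).
    `arrivals` is a list of ticks, each {class: [packet sizes]}.
    Returns ({class: bytes sent}, {class: packets dropped})."""
    classes = list(arrivals[0])
    queues = {c: deque() for c in classes}
    sent, dropped, deficit = ({c: 0 for c in classes} for _ in range(3))
    share = sum(weights[c] for c in classes if c != "voice")
    for tick in arrivals:
        for c, pkts in tick.items():             # tail drop once a queue is full
            for size in pkts:
                if len(queues[c]) < depth:
                    queues[c].append(size)
                else:
                    dropped[c] += 1
        budget = link
        if priority_police:
            priority_police.refill()
        pq = queues["voice"]
        while pq and pq[0] <= budget:           # priority queue is drained first
            size = pq.popleft()
            if priority_police and not priority_police.conform(size):
                dropped["voice"] += 1            # LLQ: excess priority traffic is policed away
                continue
            budget -= size
            sent["voice"] += size
        for c in classes:                        # leftover budget shared by weight
            if c == "voice":
                continue
            deficit[c] += budget * weights[c] // share
            q = queues[c]
            while q and q[0] <= deficit[c]:
                deficit[c] -= q[0]
                sent[c] += q.popleft()
            if not q:
                deficit[c] = 0                   # an idle class carries no credit forward
    return sent, dropped


def offered_load(ticks):
    """Constructed load: 1,600 bytes/tick of voice alone exceeds a 1,000-byte/tick link."""
    return [{"voice": [200] * 8, "data": [1500, 1500], "best_effort": [1500]} for _ in range(ticks)]


if __name__ == "__main__":
    weights = {"data": 3, "best_effort": 1}
    print("PQ :", schedule(offered_load(100), 1000, weights))
    print("LLQ:", schedule(offered_load(100), 1000, weights, TokenBucket(300, 300)))
    bursty = [[400] * 4] * 10                    # 1,600 bytes/tick offered, 1,000 allowed
    print("police:", police(bursty, 1000, 1000), "shape:", shape(bursty, 1000, 1000))
```

With the constructed load, PQ hands the whole link to voice and the data and best-effort classes never send a byte; LLQ caps voice at its policed share and the other two classes get the remainder in a 3:1 ratio. For the bursty flow, the policer drops half the packets while the shaper delays them and drops none. Real LLQ polices the priority queue only while the interface is congested; this model polices it always, which is the conservative simplification.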

Link efficiency mechanisms are used on slow-speed links to reduce latency and jitter. They include:
1) Link fragmentation and interleaving (LFI) – fragments large packets and interleaves small, delay-sensitive packets between the fragments
2) Multilink PPP – bundles multiple links between two nodes in order to increase the bandwidth
3) RTP header compression (cRTP) – compresses the 40-byte IP/UDP/RTP header to 2 to 5 bytes on slower links

TCP window size – the number of bytes that can be sent without an acknowledgement. It can be adjusted to minimise delay; if the window is not tuned to the link, retransmissions can occur.


CCDA 640-864 Summary Notes – Chapter 6 – Day 13



Exam Topic 1: Wide-area networks (WAN) Overview

WAN – communication networks that are used to connect network locations that are geographically separated.

Tariff – a fee charged by a service provider for providing WAN services to customers.

Service – WAN communications provided by service providers or telecommunication carriers

CCDA 640-864 Summary Notes – Chapter 5 – Day 12



Exam Topic 3: Wireless LAN Design

Controller Redundancy Design:

  • Deterministic
  • Dynamic

Deterministic Controller Redundancy

  • Ap is configured with
    • Primary Controller
    • Secondary controller
    • Tertiary controller
  • Disadvantages
    • More planning required
    • More configuration
  • Advantages
    • Better predictability
    • Faster failover times
    • Network stability
    • Flexible and powerful redundancy design options
    • Fallback to the primary controller after failover
  • Recommended best practice
  • Examples:
    • N+1
    • N+N
    • N+N+1


CCDA 640-864 Summary Notes – Chapter 5 – Day 11



Exam Topic 2 – Part 2: Cisco Unified Wireless Network (UWN) Architecture

LWAPP Discovery of WLC

LWAPP Image procedure:


Citrix Netscaler 10 Summary Notes – Getting Started – Day 6



Load Balancing

Overview

  • Distributes client requests across multiple servers to optimize resource utilization
  • Prevents bottlenecks
  • Configuration:
    • Define a virtual server that proxies multiple servers in a server farm
    • Balance the load
  • Provides traffic management from Layer 4 (TCP and UDP) through Layer 7 (FTP, HTTP, and HTTPS)
  • Load balancing algorithms are used to determine how to distribute the load among servers
    • Least Connections method – default

How it works:

  • Client initiates a connection to the server
  • Virtual server terminates client connection
  • Virtual server initiates new connection to selected server or reuses connection to load balance
  • Entities:
    • Virtual server
      • Represented by IP, port and protocol
      • VIP is usually a public address
      • Clients connect to its address
      • Represents a bank of servers
    • Service
      • Logical representation of a server or an application running on a server
      • Identifies server’s IP, port, protocol
      • Bound to virtual servers
    • Server object
      • Represented by IP
      • Created when a service is created
      • IP address of the service is used as the name of the object
    • Monitor
      • Tracks health of services
      • Periodically probes the servers bound to each service
      • If a server fails to respond within the specified timeout for the specified number of probes, the service is marked DOWN and load balancing continues among the remaining services

Configuration

  • Enable load balancing

enable ns feature LB

show ns feature

System > Settings > Modes and Features > Change basic features > Load Balancing > check > OK > Enable

  • (Optional) Create server objects
  • Create services or service groups

add service <name> <IPAddress> <serviceType> <port>

  • (Optional) Create monitors
  • Create virtual servers

add lb vserver <name> <serviceType> [<IPAddress> <port>]

  • Bind services to virtual servers

bind lb vserver <name> <serviceName>

show service bindings <serviceName>
  • (Optional) Assign weights to services; the load balancing method uses the weight when selecting a service
  • (Optional) Configure basic persistence settings, for sessions that must stay on a particular server. For the client's first connection the appliance uses the configured load balancing method to select a server; subsequent connections from the same client go to that server. Persistence overrides the load balancing method once the server is selected. If the service goes DOWN, the appliance uses the load balancing method to select a new service and then sends subsequent requests from that client persistently to it. If the service state is out-of-service, the service serves only outstanding requests for the configured shutdown period and accepts no new connections; once the period expires, existing connections are terminated.
    • Maximum 250K persistent connections for Source IP, SSL Session ID, Rule, DESTIP and SRCIPDESTIP persistence
    • Persistent connections are limited only by memory for CookieInsert (if the timeout is not 0), URL Passive and Custom Server ID persistence
    • If persistence cannot be maintained for lack of resources, the appliance uses the load balancing method to select a server
    • Persistence is maintained for a configured period of time, depending on the type
    • If persistence is enabled on a group of virtual servers, requests are directed to the same selected server regardless of which vserver in the group receives the request. Once the configured time ends, any vserver in the group can select a new server for incoming requests.


  • Cookie persistence (COOKIEINSERT)
    • NetScaler adds an HTTP cookie to the Set-Cookie header of the HTTP response:

NSC_XXXX=<ServiceIP><ServicePort>

NSC_XXXX – virtual server ID (derived from the vserver name)

<ServiceIP> – IP address of the service in hexadecimal (encrypted by NetScaler when sent, decrypted on receipt)

<ServicePort> – port of the service in hexadecimal (encrypted by NetScaler when sent, decrypted on receipt)

  • The cookie identifies the service to which subsequent HTTP requests should be sent
  • The client stores the cookie and returns it in subsequent requests. If the client does not accept cookies, persistence is not honoured for its subsequent requests
  • NetScaler reads the cookie and uses it to select the service for the request
  • Can be used on HTTP and HTTPS vservers
  • By default an HTTP cookie version 0 (Netscape specification) is sent. NetScaler can also send RFC 2109 HTTP cookie version 1
  • Timeout can be configured
    • HTTP cookie version 0 (most common): Expiration = current GMT time on the NetScaler + timeout
    • HTTP cookie version 1: NetScaler sends the Max-Age attribute and the client calculates the expiry
    • Timeout value 0: NetScaler does not specify an expiration time; the lifetime depends on the client and the cookie becomes invalid when the client software is shut down
  • Persistence state is held by the client, so it uses no appliance resources and an unlimited number of persistent clients is supported

System > Settings > HTTP Parameters (cookie version)

set lb vserver <name> -persistenceType COOKIEINSERT [-timeout <minutes>]

show lb vserver <name>

Traffic Management > Load Balancing > Virtual Servers > select vserver > Open
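The entities and persistence behaviour described above, as an added example and not NetScaler code: a Python model of a virtual server with bound services, the least-connections method and COOKIEINSERT persistence. The cookie value carries the selected service's IP and port in hexadecimal as the notes describe; the appliance additionally encrypts that value and derives an obfuscated vserver ID for the cookie name, both of which this model leaves out (assumption: plain hex value, cookie name NSC_ plus the vserver name). Version 0 cookies get an expires date computed from the appliance's GMT clock plus the timeout; version 1 cookies get Max-Age. Service names, addresses, the two-minute timeout and the fixed clock are constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from http.cookies import SimpleCookie


@dataclass
class Service:
    """Logical representation of one server/application (IP, port, monitor state)."""
    name: str
    ip: str
    port: int
    state: str = "UP"          # a monitor marks it DOWN after the configured probe failures
    connections: int = 0       # active connections, the input to least-connections
    weight: int = 1

    @property
    def server_id(self):
        """Service IP and port in hexadecimal, the payload the NSC_ cookie carries."""
        return f"{int(ipaddress.IPv4Address(self.ip)):08x}{self.port:04x}"


def parse_server_id(sid):
    """Inverse of Service.server_id; raises ValueError on anything malformed."""
    return str(ipaddress.IPv4Address(int(sid[:8], 16))), int(sid[8:], 16)


def appliance_clock():
    """Constructed stand-in for the appliance's GMT clock (fixed for repeatability)."""
    return datetime(2013, 9, 18, 13, 0, tzinfo=timezone.utc)


@dataclass
class LBVServer:
    """Virtual server with COOKIEINSERT persistence over the least-connections method."""
    name: str
    services: list
    cookie_version: int = 0                     # 0 = Netscape 'expires', 1 = RFC 2109 'Max-Age'
    timeout: timedelta = timedelta(minutes=2)

    @property
    def cookie_name(self):
        return "NSC_" + self.name               # assumption: plain name, no obfuscated vserver ID

    def least_connections(self):
        up = [s for s in self.services if s.state == "UP"]
        if not up:
            raise RuntimeError("no UP service bound to " + self.name)
        return min(up, key=lambda s: s.connections / s.weight)

    def select(self, cookie_header, now):
        """Choose a service for a request. The cookie is honoured only if it names a
        service bound to this vserver that is UP; otherwise the load-balancing method
        picks one and the response cookie re-pins the client to it."""
        chosen = None
        if cookie_header:
            jar = SimpleCookie()
            jar.load(cookie_header)
            if self.cookie_name in jar:
                try:
                    ip, port = parse_server_id(jar[self.cookie_name].value)
                    chosen = next((s for s in self.services
                                   if (s.ip, s.port) == (ip, port) and s.state == "UP"), None)
                except ValueError:
                    chosen = None               # tampered or garbled cookie: fall back to LB
        if chosen is None:
            chosen = self.least_connections()
        chosen.connections += 1
        return chosen, self.set_cookie(chosen, now)

    def set_cookie(self, svc, now):
        """Build the Set-Cookie value; `now` is the appliance's UTC clock."""
        jar = SimpleCookie()
        jar[self.cookie_name] = svc.server_id   # the real appliance encrypts this value (omitted here)
        morsel = jar[self.cookie_name]
        if self.cookie_version == 0:
            morsel["expires"] = format_datetime(now + self.timeout, usegmt=True)
        else:
            morsel["version"] = 1
            morsel["max-age"] = int(self.timeout.total_seconds())
        return morsel.OutputString()


if __name__ == "__main__":
    farm = [Service("web1", "192.168.1.10", 80), Service("web2", "192.168.1.11", 80)]
    vs = LBVServer("web", farm)
    svc, set_cookie = vs.select(None, appliance_clock())          # first request: least connections
    print(svc.name, "->", set_cookie)
    farm[0].state = "DOWN"                                          # monitor takes web1 out
    svc, set_cookie = vs.select("NSC_web=c0a8010a0050", appliance_clock())
    print(svc.name, "->", set_cookie)                                # pinned server is DOWN: re-selected
```

The check worth copying is in select(): a returned cookie is honoured only when it names a service bound to this vserver that is UP, and anything malformed falls back to the load-balancing method, so a client cannot steer itself to an arbitrary backend. Because the hex value reveals an internal address, the encryption the appliance applies to it matters; a cookie built like this also carries no Secure or HttpOnly attribute unless you add them.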

  • URL PASSIVE persistence (persistence based on server IDs in URLs)
    • NetScaler extracts the server ID (IP address and port in hexadecimal) from the server response and adds it to the URL query of the client request
    • NetScaler extracts the server ID from subsequent requests and uses it to select the server. If it cannot extract the ID, it uses the load balancing method to select a server
    • Requires one of the following configurations:
      • payload expression
      • policy infrastructure expression
    • Not affected by the timeout value; persistence is maintained as long as the server ID can be extracted
    • Does not consume system resources
    • Unlimited number of persistent clients

set lb vserver <name> -persistenceType URLPASSIVE

show lb vserver <name>

Traffic Management > Load Balancing > Virtual Servers

  • (Optional) Basic configuration – protection settings
    • URL redirection – notifies clients of vserver (HTTP and HTTPS) malfunctions. Can be a local or remote link. NetScaler uses an HTTP 302 redirect
      • Redirects can be:
        • Absolute URL – the HTTP redirect is sent to the configured location, regardless of the URL in the incoming HTTP request
        • Relative URL (domain name) – the HTTP redirect is sent to a location formed by appending the incoming URL to the domain configured in the redirect URL
      • If a backup vserver is configured, the backup virtual server takes precedence over the redirect URL
      • The redirect is used only when both the primary and backup vservers are down

set lb vserver <name> -redirectURL <URL>

show lb vserver <name>

Traffic Management > Load Balancing > Virtual Servers > select server > Open

  • Backup vserver – takes over if the primary vserver fails
    • It is a proxy and is transparent to the client
    • Can be configured:
      • when a vserver is created
      • when the optional parameters of an existing vserver are changed
    • A backup vserver can itself have a backup (maximum cascading depth = 10)
    • If neither a backup vserver nor a redirect URL is configured, the client receives an error message
    • The backup vserver takes precedence over a URL redirect if both are configured

set lb vserver <name> [-backupVserver <backupName>]

show lb vserver <name>

Traffic Management > Load Balancing > Virtual Servers

  • Verify the configuration
  • Verify statistics

stat lb vserver <name>

Compression

Overview

  • Means of optimizing bandwidth usage
  • NetScaler receives requests from clients and checks whether the client accepts compressed data
  • The appliance receives the HTTP response from the server and checks whether it is compressible; if so, it compresses the body, modifies the headers to show the compression type, then forwards it to the client
  • Policy based feature
    • Policy filters requests and responses to check which responses can be compressed and specifies type of compression to apply to response
    • There are several built in policies
    • Can create custom policies
  • Some Multipurpose Internet Mail Extensions (MIME) types that can be compressed
    • text/html
    • text/plain
    • text/xml, text/css
    • text/rtf
    • application/msword
    • application/vnd.ms-excel
    • application/vnd.ms-powerpoint
  • Multipurpose Internet Mail Extensions (MIME) that Cannot be compressed:
    • application/octet-stream
    • binary
    • bytes
    • compressed image formats : GIF and JPEG
  • Configuration

    1) Enable compression globally (not enabled by default)

    enable ns feature CMP

    show ns feature

    System > Settings > Modes and Features > Change basic features > check Compression > OK > Enable

    2) Enable it on each service that will return responses that need to be compressed

    set service <name> -CMP YES

    show service <name>

    Traffic Management > Load Balancing > Services > select service > Advanced > Settings > Compression > OK

    3) (If applicable) Bind a compression policy to the load balancing vserver. If load balancing is not enabled, compression applies to all traffic that passes through the appliance; a policy bound to a vserver is evaluated only for that vserver's traffic.

    (bind|unbind) lb vserver <name> -policyName <policyName>

    show lb vserver <name>

    Traffic Management > Load Balancing > Virtual Servers > select vserver > Policies > Compression > Insert Policy > OK

    4) Verify the configuration
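The policy evaluation behind steps 1 to 4, as an added Python example rather than NetScaler code: the request's Accept-Encoding is checked, the response's MIME type is tested against the compressible set from the list above, and a qualifying body is gzip-compressed with Content-Encoding set so the client knows how to decode it. The minimum size, the Vary handling and the sample request/response pair are assumptions of the example.

```python
import gzip

# MIME types the notes list as compressible. Binary types (application/octet-stream,
# GIF, JPEG) are simply absent: the whitelist is the policy.
COMPRESSIBLE = {
    "text/html", "text/plain", "text/xml", "text/css", "text/rtf",
    "application/msword", "application/vnd.ms-excel", "application/vnd.ms-powerpoint",
}


def client_accepts_gzip(request_headers):
    """Does the request's Accept-Encoding list gzip? A q-value of 0 means refused."""
    for token in request_headers.get("Accept-Encoding", "").split(","):
        name, _, params = token.partition(";")
        if name.strip().lower() == "gzip":
            q = params.strip().lower()
            return not q.startswith("q=") or float(q[2:] or "0") > 0
    return False


def apply_compression_policy(request_headers, response_headers, body, min_size=256):
    """Evaluate the policy for one response and return (headers, body).
    Compress only when the client accepts gzip, the MIME type is whitelisted, the
    response is not already encoded and it is large enough to be worth the CPU."""
    headers = dict(response_headers)
    mime = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if (not client_accepts_gzip(request_headers) or mime not in COMPRESSIBLE
            or "Content-Encoding" in headers or len(body) < min_size):
        return headers, body
    packed = gzip.compress(body)
    headers["Content-Encoding"] = "gzip"             # tells the client how to decode
    headers["Content-Length"] = str(len(packed))
    vary = headers.get("Vary", "")
    if "accept-encoding" not in vary.lower():        # caches must key on the request encoding
        headers["Vary"] = (vary + ", " if vary else "") + "Accept-Encoding"
    return headers, packed


def decode_as_client(headers, body):
    """What the browser does on receipt: undo gzip when Content-Encoding says so."""
    return gzip.decompress(body) if headers.get("Content-Encoding") == "gzip" else body


if __name__ == "__main__":
    # Constructed request/response pair
    req = {"Accept-Encoding": "gzip, deflate"}
    html = b"<html><body>" + b"<p>static text</p>" * 60 + b"</body></html>"
    hdrs, out = apply_compression_policy(req, {"Content-Type": "text/html; charset=utf-8"}, html)
    print(hdrs, len(html), "->", len(out))
```

Two points a practitioner would add to the policy: a response that is already encoded or below a few hundred bytes is left alone, and compressed responses that place attacker-influenced input next to a secret (a CSRF token in a page that echoes a query parameter, say) over TLS are the precondition for BREACH-style compression side channels, so scope the policy to static content rather than compressing everything the vserver returns.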

    Securing Load Balanced Traffic (SSL Offload)

    Overview:

    • Offloads CPU-intensive SSL encryption and decryption from the web servers to the NS, so the servers can process a greater number of requests
    • Improves the performance of sites that conduct SSL transactions
    • Ensures secure delivery of web applications
    • SSL offload works seamlessly with HTTP and TCP data

    Configuration:

    1) Enable SSL Offloading. SSL entities can be configured before enabling SSL, but they become active only when SSL is enabled.

    enable ns feature SSL

    show ns feature

    System > Settings > Modes and features > Change basic features > SSL Offloading > OK  > enable

    2) Configure HTTP or TCP services to represent the applications on the server. A service stays DOWN until the NetScaler can reach the server and its monitor succeeds

    add service <name> (<IP> | <serverName>) <serviceType> <port>

    show service <name>

    Traffic Management > SSL Offload > Services > Add

    3) Configure the SSL vserver. It intercepts encrypted traffic, decrypts it and sends the plaintext to the bound services

    add lb vserver <name> SSL <VIP> <port>

    show lb vserver <name>

    Traffic Management > SSL Offload > Virtual Servers > Add

    4) Bind the services to the SSL vserver

    bind lb vserver <name> <serviceName>

    show lb vserver <name>

    Traffic Management > SSL Offload > Virtual Servers > Services > select > OK

    5) Create (if not already present) and add an SSL certificate-key pair. The certificate identifies the server during the SSL handshake. NS supports RSA/DSA certificates of up to 4096 bits

    • The certificate must be paired with its private key before it can be used
    • Certificate and key are stored in /nsconfig/ssl/

    add ssl certKey <certkeyName> -cert <certFile> [-key <keyFile>]

    show ssl certKey <certkeyName>

    Traffic Management > SSL > Certificates > Add

    6) Bind the SSL certkey to the vserver

    bind ssl vserver <vserverName> -certkeyName <certkeyName>

    show ssl vserver <vserverName>

    Traffic Management > SSL Offload > Virtual Servers > select server > SSL Settings

    7) Configure optional parameters

    (For Outlook Web Access (OWA) servers; HTTP-based traffic only)

    • Create an action to enable SSL OWA support

    add ssl action <name> -OWASupport ENABLED

    show ssl action <name>

    Traffic Management > SSL > Policies > Add

    • Create a policy to apply the action

    add ssl policy <name> -rule <expression> -reqAction <actionName>

    show ssl policy <name>

    Traffic Management > SSL > Policies > Add

    • Bind the policy to the SSL virtual server

    bind ssl vserver <vserverName> -policyName <policyName>

    show ssl vserver <vserverName>

    Traffic Management > SSL Offload > Virtual Servers > select server

    Features

    • application switching and traffic management features
    • application acceleration features
    • application security and firewall features
    • application visibility feature.

     

     

    CCDA 640-864 Summary Notes – Chapter 5 – Day 10



    Exam Topic 2 – Part 1: Cisco Unified Wireless Network (UWN) Architecture

    Benefits:

    • Delivers scalable, manageable and secure WLANs
    • Combines wired and wireless network
    • Reduced Total Cost of Ownership (TCO)
    • Enhanced visibility and control
    • Dynamic RF management
    • WLAN Security
    • Mobility
    • Enhanced productivity and collaboration


    Citrix Netscaler 10 Summary Notes – Getting Started – Day 5



    System Configuration

    Interfaces are identified as slot/port

    VLANS

    • Supports IEEE 802.1Q
    • VLANs supported:
      • Default VLAN = 1
      • Port-based VLAN
      • Tagged VLAN (nsvlan)

    Link Aggregate Channels

    • Channel parameters have precedence over the interface parameters

    Clock

    • Clock synchronization is done in shell

    DNS

    • Can Function as:
      • Authoritative Domain Name Server (ADNS)
      • DNS proxy server
      • End Resolver
      • Forwarder (typical config)
    • Can add resource records such as:
    • Can balance load on external DNS Servers
    • Actions allowed for external name servers:
      • Add server
        • By IP address – the appliance load balances requests to the DNS servers in round robin
        • By virtual IP (VIP) – a load balancing method can be specified
      • Remove server
      • Enable server
      • Disable server

    add dns nameServer <IP>

    show dns nameServer

    SNMP

    • Supports SNMP v1, v2 and v3
    • Message types:
      • Alarms
      • Traps – events that the agent generates to signal abnormal conditions
    • Agent Operates in bilingual mode
      • Can handle SNMPv2 queries eg. Get-Bulk
      • Can handle SNMPv1 queries
      • Sends traps compliant with SNMPv2
      • Supports SNMPv2 data types eg counter64
    • SNMPv1 managers use NS-MIB-smiv1.mib file when processing SNMP queries
    • SNMPv2 Managers use NS-MIB-smiv2.mib file to process snmp queries
    • Supported enterprise-specific MIBs
      • A subset of standard MIB-2 groups – Provides MIB-2 groups SYSTEM, IF, ICMP, UDP, and SNMP
      • A system enterprise MIB – Provides system-specific configuration and statistics
    • Configuration Procedure:
      • Specify the managers that can query the SNMP agent
        • A manager is a computer running a management application
        • If none is configured, the NetScaler accepts and responds to queries from any IP address (so configure them: an unrestricted agent answers anyone who can reach UDP 161)
        • If configured, the NetScaler accepts and responds to SNMP queries only from them
        • A netmask can be used to allow a subnet
        • Maximum 100 managers

    add snmp manager <IPAddress> ... [-netmask <netmask>]

    show snmp manager

    • Add SNMP trap listeners that receive trap messages
      • Specify IP address + destination port
      • Type of trap (generic or specific)
      • SNMP version
      • Max of 20 listeners

    add snmp trap specific <IPAddress> [-destPort <port>] [-version <version>]

    show snmp trap

    OR

    System > SNMP > Traps> Add

    • Configure SNMP alarms
      • Enable the alarm

    set snmp alarm <alarmName> [-state ( ENABLED | DISABLED )]

    show snmp alarm <alarmName>

      • Set the severity level (Critical, Major, Minor, Warning, Informational) at which the trap will be generated

    set snmp alarm <alarmName> [-severity <severity>]

    show snmp alarm <alarmName>

    System > SNMP > Alarms

    Syslog

    • Logging can be done locally in Netscaler or to external log servers
    • Audit Server Logging feature is used to log the states and status information collected in different modules in the kernel and by user-level daemons
    • Used to monitor netscaler and log info

    Firewall ports

    • UDP 161 (SNMP)
    • UDP 162 (SNMP trap)
    • TCP/UDP 3010 (GUI)
    • TCP 80 (HTTP GUI)
    • TCP 22 (SSH)

    Server Configuration

    • Keep-alive should be enabled on servers
    • If Microsoft® Internet Information Server – enable buffering
    • If Apache Server – maximum connections (MaxConn) should be enabled on server and netscaler
    • If Netscape® Enterprise Server – max request per connection should be set on netscaler

    Software features

    • L2 mode should be disabled if an L2 device is working in parallel with the NetScaler
    • Disable MAC-based forwarding if the MAC address of the return traffic is different

    CCDA 640-864 Summary Notes – Chapter 5 – Day 9



    Cisco Unified Wireless Network (UWN) architecture – combines wireless and wired network.

    Exam Topic 1: Wireless LAN Technologies

    WLAN Standards

    IEEE 802.11 (Legacy) (1997)

    • Speeds of 1 (typical) and 2 (max)  Mbps
    • Used direct sequence spread spectrum (DSSS) and frequency-hopping spread spectrum (FHSS) in L1 
      • DSSS divides data into separate sections; each section travels over different frequencies at the same time
      • FHSS sends data in bursts and uses a frequency-hopping sequence  – first frequency 1 then 2 , eventually back to 1.
    • Wireless Fidelity (WiFi) is the interoperability certification for 802.11 and is governed by Wireless Ethernet Compatibility Alliance (WECA)
    • Uses ISM Frequency


    Citrix Netscaler 10 Summary Notes – Getting Started – Day 4



    Citrix NetScaler Editions

    Feature licence required on all editions

    • Standard Edition
      • SME
      • comprehensive L4-L7 traffic management
      • Web application availability
    • Enterprise Edition
      • Advanced  L4-L7 traffic management
      • Web Application acceleration
      • Increases Web application performance, availability and reduced costs
    • Platinum Edition
      • Reduces data center costs
      • Accelerates application performance
      • End to end visibility of application performance
      • Advanced application security

    Administration options:

    • CLI
      • Serial: VT100 terminal emulation, 9600 baud, 8 data bits, 1 stop bit, parity and flow control set to NONE
      • Default username: nsroot
      • Default password: nsroot (change it at first login with set system user)
    • GUI

    Deployment types:

    • NetScaler ADC – Optimization over the internet and private network
    • Netscaler Gateway – Allows users to work from anywhere
    • XenMobile MDM – Load balances data from the mobile devices to the XenMobile MDM Servers
    • CloudBridge Connector – sets up a secure tunnel between two data centers or between a data center and a cloud

    Initial Configuration options

    • First-time use wizard – Via web browser. Network configuration + Licencing information
      • Assign NSIP for management of the Netscaler appliance + mask
      • SNIP for servers to connect + mask
      • Timezone
      • Hostname (optional)
      • DNS (Optional) – can then use hardware serial number (HSN) or license activation code (LAC) to allocate your licenses instead of uploading them to the appliance
      • Upload licences
    • LCD keypad – Located in the front panel of the appliance. Just network configuration. Licencing info is entered using a different interface
      • Press <
      • First Enter Subnet Mask
      • Next NSIP
      • Last Gateway
      • Press enter
    • Serial console – via console. Network configuration + licensing information
      • Log in
      • config ns – menu that lets you:
        • set the system IP address
        • create a subnet or mapped IP address
        • configure advanced network settings
        • change the time zone
      • Equivalent CLI commands:

    set ns config -ipaddress <NSIP> -netmask <netmask>
    add ns ip <SNIP> <netmask> -type SNIP
    add route <network> <netmask> <gateway>
    set system user nsroot -password
    save ns config
    reboot

    First Time High Availability Configuration

    • One unit (primary) actively accepts connections and manages servers; the other unit (secondary) monitors the first
    • Units monitor each other by sending periodic heartbeats or health checks. If the primary's heartbeats are missed for a specific period of time, the secondary takes over (failover)
    • Mode of operation
      • One-arm – servers and NetScaler appliances are connected to the same switch
        • Can be:
          • Single subnet. Clients and servers on the same subnet.
          • Multiple subnet. Client and servers reside on different subnets.


    • Inline mode (two-arm) – the NetScaler appliances are connected to two switches; the servers are connected to the second switch. Traffic between clients and servers passes through one of the NetScaler appliances.
      • One Interface is connected to the client network, the other to the server network
      • Can be:
        • Appliance in public subnet, servers in private (Multiple Subnet Mode)
        • Both servers and appliance in public network (transparent mode). Used when the clients need to access the servers directly without an intervening virtual server. L2 Mode must be enabled for bridging the packets. NSIP and MIP are in the same public subnet


    • Configuration procedure
      • Configure 1 NS as primary, other as secondary
      • Add a node on both NS ( logical representation of the peer NS). Used to exchange heartbeat messages
        • From CLI

    add HA node <id> <IPAddress>

    show HA node <id>

    • GUI

    System> HA>Nodes>Add

    • Disable HA on unused interfaces on both NS
      • CLI

    set interface <id> -haMonitor OFF

    show interface <id>

    • GUI

    System > Network > Interfaces – Open – HA Monitoring = OFF

    Netscaler Packet forwarding Modes L2 Mode

    • The NetScaler behaves like a Layer 2 device
    • Default: L2 mode disabled. The appliance drops packets that are not destined for one of its MAC addresses
    • The NetScaler does not support STP
    • If enabled, the appliance also forwards packets that are not addressed to one of its own MAC addresses (packets can arrive on any interface of the appliance, and each interface has its own MAC address)

    > enable ns mode l2
    > disable ns mode l2
    > show ns mode

    L3 Mode

    • Netscaler routes packets which are not destined for it (default mode)

    > enable ns mode l3
    > disable ns mode l3
    > show ns mode

    MAC-Based Forwarding Mode

    • useful in VPN devices. Netscaler remembers the source MAC and MAC of the responding server.

    > enable ns mode mbf

    > disable ns mode mbf

    > show ns mode

    CCDA 640-864 Summary Notes – Chapter 4 – Day 8



    Exam Topic 4: Virtualization Overview

    Virtualization technologies abstract logical elements from hardware (applications or operating systems) or networks (LANs and SANs) and run them in a virtual state

    • Allow a physical device to share its resources by acting as multiple versions of itself
    • Allow multiple physical devices to logically appear as one


    Citrix Netscaler 10 Summary Notes – Getting Started – Day 3



    Understanding the NetScaler

    An Application L4-L7 Switch. Used for Web Applications. Functions as a TCP Proxy

    Features:

    • Switching Features for optimal distribution of client requests
    • Security and protection Features protects web applications from application-layer attacks
    • Server-farm Optimization Features speeds up applications by offloading resource-intensive operations from the server

    Placement


    Request Switching

    • The NetScaler is deployed in front of a server farm as a transparent TCP proxy
    • No client side  config needed
    • Appliance can separate HTTP Request from TCP Connection request

    Physical Deployment Modes

    Inline Mode

    • The appliance has a separate network interface to each client network and a separate network interface to each server network
    • The appliance transparently applies L4-L7 features

    One-Arm Mode

    • Only one network interface of the appliance is connected to an Ethernet segment
    • Does not isolate the client and server sides of the network

    L2 Mode

    • Operates as an L2 device
    • Packets are forwarded if:
      • Destination MAC is for another device
      • Destination MAC is on a different interface
      • Interface is a member of the same VLAN (default VLAN = 1)

    L3 Mode

    NetScaler-Owned IP Addresses

    NetScaler IP address (NSIP) – Management address + High Availability (HA) Communication

    Mapped IP address (MIP) – For server side communication. Appliance changes source IP with MIP before sending to server

    Virtual server IP address (VIP) – IP of a virtual server. Public IP that clients connect to

    Subnet IP address (SNIP) – If multiple subnets, SNIP is MIP for each subnet

    IP Set – Set of SNIPs or MIPs

    Net Profile – contains an IP address or IP Set. Used for communication with physical servers

    Traffic Flow Management

    If Virtual Server is present

    • Clients connect to VIP address of the virtual server
    • Appliance sends request to the server using MIP or SNIP by default

    If Virtual server is absent (Transparent Mode)

    • Client sends the request using its source IP (SIP)
    • NetScaler changes the SIP to a MIP or SNIP but does not change the destination IP; it transparently forwards the request to the server
    • If the server needs the actual SIP, NetScaler adjusts the HTTP header and adds the SIP as an additional field, or is configured to use the SIP instead of the MIP or SNIP to connect to servers

    Building blocks for Traffic Management

    • Helps separate traffic flows
    • Clients access applications through the virtual servers

    Load Balancing

    • Create a service for every server
    • Bind the service to a virtual server
    • Create a monitor to track the service
    • Clients connect to the VIP. Netscaler sends to the server accordingly
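The traffic-flow and load-balancing notes above (VIP in front, services bound to a virtual server, a monitor marking failed services DOWN, the SNIP used as source towards the server, and the client IP carried in an HTTP header when the server needs it) as a small runnable model. This is an added example written for these notes, not Citrix code; the class names, the three constructed services, the monitor result and the header name `X-Client-IP` are assumptions made for the illustration.

```python
"""Toy model of a NetScaler-style load-balancing virtual server.
Added example for these notes, not Citrix code.  Constructed/assumed:
the class names, the services, the monitor probe result and the header
name 'X-Client-IP' used to carry the original client IP to the server."""
from dataclasses import dataclass, field


@dataclass
class Service:
    """One application on one server; state is set by the monitor."""
    name: str
    ip: str
    port: int
    state: str = "UP"


@dataclass
class VirtualServer:
    """VIP that clients connect to; forwards to bound services using the SNIP."""
    name: str
    vip: str
    port: int
    snip: str                      # source IP used towards the servers (MIP/SNIP)
    services: list = field(default_factory=list)
    insert_client_ip: bool = False  # add the real client IP as an HTTP header
    rr_index: int = 0               # round-robin position

    def bind(self, svc):
        self.services.append(svc)

    def run_monitor(self, probe):
        """probe(svc) -> True when the service answers; failures are marked DOWN."""
        for svc in self.services:
            svc.state = "UP" if probe(svc) else "DOWN"

    def pick_service(self):
        """Round-robin over UP services only; None when every service is DOWN."""
        up = [s for s in self.services if s.state == "UP"]
        if not up:
            return None
        svc = up[self.rr_index % len(up)]
        self.rr_index += 1
        return svc

    def proxy(self, client_ip, headers):
        """Return what the chosen server sees for one client request, or None."""
        svc = self.pick_service()
        if svc is None:
            return None
        out_headers = dict(headers)
        if self.insert_client_ip:
            out_headers["X-Client-IP"] = client_ip   # assumed header name
        return {"src": self.snip, "dst": svc.ip, "dport": svc.port,
                "service": svc.name, "headers": out_headers}


def build_demo():
    """Constructed setup: one VIP, three services, the second one failing its probe."""
    vs = VirtualServer("vs_web", vip="203.0.113.10", port=80,
                       snip="10.0.0.5", insert_client_ip=True)
    for i in range(1, 4):
        vs.bind(Service(f"svc_web{i}", ip=f"10.0.0.{10 + i}", port=80))
    vs.run_monitor(lambda svc: svc.name != "svc_web2")  # constructed probe result
    return vs


if __name__ == "__main__":
    vs = build_demo()
    for _ in range(3):
        print(vs.proxy("198.51.100.7", {"Host": "www.example.com"}))
```

Running it shows requests alternating between svc_web1 and svc_web3 only, every packet leaving with the SNIP as source, and the client's address preserved in the header; once the monitor marks every service DOWN, `proxy()` returns None, which is the point at which a real deployment would need a backup virtual server.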

    Virtual Servers

    • Represented by Alphanumeric name + VIP + port + Protocol
    • Name is locally significant
    • Clients connect to the VIP and not to the address of the physical server
    • Multiple virtual servers can use the same VIP but different protocols and ports
    • Deliver features like compression, caching, SSL offload
    • Multiple services can be bound to 1 virtual server

    Load balancing virtual servers – redirects requests to appropriate server

    Cache redirection virtual server – redirects requests for dynamic content to origin servers and for static content to cache servers. Works in conjunction with load balancing virtual servers

    Content Switching virtual server – redirect traffic on the basis of content requested. Work in conjunction with load balancing virtual servers

    Virtual private network (VPN) virtual server – decrypts traffic and sends to intranet applications

    SSL virtual server – receives and decrypts traffic then sends to appropriate server

    Services

    • Represents applications on a server
    • Can exist in the absence of a virtual server
    • Point for applying features
    • Use entities (monitors) to track the health of the application
    • Every service has a default monitor (probes are sent at regular intervals to check state of service). If check fails – netscaler marks it as down.

    Service-only mode

    • Appliance is proxy
    • Netscaler translates IP addresses, port numbers, and sequence numbers

    Policies and Expression

    • Defines details on traffic filtering and management


    L7 Packet Flow Diagram for Netscaler


    • Multipath TCP is a TCP extension specified in RFC 6824 that allows end hosts to efficiently use multiple interfaces for a single TCP connection
    • SPDY is an open networking protocol developed primarily at Google for transporting web content, with the particular goals of reducing web page load latency and improving web security

    Data Packet Flow Diagram (Supported by MySQL and MYSQL database)


    CCDA 640-864 Summary Notes – Chapter 4 – Day 7



    Data Center Design

    Exam Topic 1: Enterprise DC Architectures

    Data Center 1.0

    • Centralized
    • Used mainframes to process and store data
    • Users used terminals to access and work on mainframes
    • benefits: availability, resiliency, and service level agreements (SLA)


    CCDA 640-864 Summary Notes – Chapter 3 – Day 6



    Server Connectivity Options

    • Single NIC (FE/GE full duplex, no redundancy)
    • Dual NIC Etherchannel – redundancy
    • Dual NIC to separate access – redundancy
    • Content switching – redundancy + load balancing per user request


    CCDA 640-864 Summary Notes – Day 5



    LAN Hardware

    Repeaters

    • Layer 1 device
    • Connects separate segments
    • Do not control broadcasts or collision domains
    • Forward frames out all other interfaces
    • Protocol transparent
    • understands bits
    • Amplify the signals
    • 5-4-3 Rule:

      The maximum path between two stations on the network should not be more than five segments, with four repeaters between those segments, and no more than three populated segments.

    • The round-trip propagation delay in one collision domain must not exceed 512-bit times.


    CCDA 640-864 Summary Notes – Day 4



    IEEE 802.3-2002 (Ethernet Standards) Design Rules

    Round trip propagation delay should be less than 512-bit times in one collision domain. Max for 10 Mbps – 51.2 microseconds. Max for 100 Mbps – 5.12 microseconds

    • 10 Base 5

    No longer used

    Max segment = 500 m

    Max collision domain = 2500m of 5 segments

    Has a maximum diameter of 2500 m when repeaters are used

    • 10 Base 2

    Not used

    Max segment = 185 m

    Max collision domain = 2500m of 5 segments

    • 10 Base T

    Max segment = 100 m

    Max collision domain = 2500m of 5 segments

    Has a maximum diameter of 500 m when repeaters are used


    Aruba620 – SSID Pruning on a specific AP



    Situation:

    I have the Aruba620 controller configured with several SSIDs. 


    I would like a specific AP, RAP-2WG, to announce only 3 of the 4 SSIDs. The unlucky SSID that we will prune is Test2-620 🙂

    We need to locate that specific AP by MAC address:

    Configuration > AP Specific > Edit “00:0b:86:xx:xx:xx”


    Commands:

    ap-name “00:0b:86:c3:50:9d”
      exclude-virtual-ap “Test2-620-vap_prof”


    Don't forget to Apply and save the configuration 🙂

    What if we want to add it back? Just click the delete button, then Apply and save.


    CCDA 640-864 Summary Notes – Day 3



    Hierarchical Network Models

    Advantages

    • Cost savings
    • Ease of understanding because of the simple design, and lower management costs as monitoring systems are distributed
    • Network growth, as changes are contained to a small subset of the network and only impact that small area
    • Easy to isolate a problem in the network if the hierarchical model is used
    • Facilitates route summarization


    Summary Notes: JUNOS as a second Language



    Differences between IOS and JUNOS.

    1) JUNOS can be managed using the following options:
    CLI – Console, SSH and Telnet
    J-Web
    SNMP
    Junoscope
    Junos Script API
    NETCONF API
    SDX Service Deployment System

    2) Using pipe
    show interfaces terse
    show interfaces terse | match se-3
    show interfaces terse | except fe-

    show interfaces terse | count

    3) configuration structure

    IOS has some hierarchy but many statements are global. The opposite is true for JUNOS: the configuration is fully hierarchical.

    ; – no further sublevels
    {} – additional levels

    4) JUNOS has an active and candidate configuration. Candidate configuration is a copy of the active configuration. IOS does not have candidate configurations.

    configure private command – only the changes that I have made are integrated into the configuration. Several users can make changes at the same time.

    Example:
    Configure
    edit command is used to move to lower hierarchy
    edit interface se-1/0/0

    edit unit 0

    set family inet address 10.10.10.1/30

    show

    delete family inet address 10.10.10.1/30

    delete family inet

    up – go up one level of the hierarchy
    top – to the top level

    set interface se-0/0/0 unit 0 family inet add 10.10.10.1/30

    5) Operational-mode

    Use the run command in the configuration mode to achieve the same output as the do command in IOS

    Example:

    run show interfaces terse

    6) Ports that are not yet installed can be configured and then activated at a later time.

    set neighbour
    deactivate neighbour
    activate neighbour

    7) Moving configuration from port to port

    show interfaces
    rename interfaces fe-2/0/1 to fe-2/0/0
    show interfaces
    commit

    run show interfaces terse | match fe-2

    8) Replicate an existing command and only make a few changes

    copy interfaces fe-2/0/1 to fe-3/0/1
    edit int fe-3/0/1 unit 240 family inet
    rename address 10.10.10.10/30 to address 10.10.10.3/20
    top
    show interfaces fe-3/0/1

    9) An interface can have as many addresses as needed.
    show
    set unit 240 family inet address 10.14.250.17/28
    set unit 240 family inet address 10.14.250.33/28
    set unit 240 family inet address 10.14.250.49/28
    set unit 240 family inet address 10.14.250.65/28
    show

    To make an IP address the main IP address:
    set unit 240 family inet address 10.14.250.33/28 primary

    Change an IP address:

    rename unit 240 family inet address 10.14.250.65/28 to address 10.14.150.65/28

    10) The commit command is used to activate the changes

    commit check – check the changes made without committing them
    commit at 23:00 – schedule the commit for a future time
    commit confirmed 1 – commits changes immediately
    commit and-quit – commits and returns to privileged exec mode

    11) Rolling back changes

    Undoes changes :

    rollback
    rollback 0

    show | compare rollback 2 – compares the candidate config with the second

    show | compare – difference between the current config and the candidate config
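Sections 3 (configuration structure: `;` ends a leaf, `{}` opens a level) and 11 (`show | compare`) together, as an added runnable illustration that is not Juniper code: a parser for the curly-brace format into nested dicts, and a comparison that prints the same `[edit ...]` / `+` / `-` shape that `show | compare` produces. The active and candidate configurations below are constructed from the addresses used in these notes; the function names are assumptions.

```python
"""Parse JUNOS curly-brace configuration text and diff two versions in
'show | compare' style.  Added example for these notes, not Juniper code.
The ACTIVE/CANDIDATE texts are constructed; function names are assumed."""

# constructed "active" configuration
ACTIVE = """\
interfaces {
    fe-2/0/1 {
        unit 240 {
            family inet {
                address 10.14.250.17/28;
                address 10.14.250.33/28;
            }
        }
    }
}
system {
    host-name r1;
}
"""

# constructed "candidate": one address added, host-name changed
CANDIDATE = """\
interfaces {
    fe-2/0/1 {
        unit 240 {
            family inet {
                address 10.14.250.17/28;
                address 10.14.250.33/28;
                address 10.14.250.49/28;
            }
        }
    }
}
system {
    host-name r1-new;
}
"""


def parse_junos(text):
    """Nested dicts: 'x {' opens a level, 'x;' is a leaf (value None), '}' closes."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def flatten(tree, prefix=()):
    """Set of full statement paths, one tuple per leaf statement."""
    paths = set()
    for key, sub in tree.items():
        path = prefix + (key,)
        if not sub:                      # leaf (None) or empty container
            paths.add(path)
        else:
            paths |= flatten(sub, path)
    return paths


def compare(active_text, candidate_text):
    """Lines in 'show | compare' style: [edit path] header, then -/+ statements."""
    active = flatten(parse_junos(active_text))
    cand = flatten(parse_junos(candidate_text))
    changes = [("-", p) for p in active - cand] + [("+", p) for p in cand - active]
    # group by parent path, removed before added, then by statement text
    changes.sort(key=lambda c: (c[1][:-1], c[0] == "+", c[1][-1]))
    lines, current = [], None
    for sign, path in changes:
        parent = path[:-1]
        if parent != current:
            lines.append("[edit " + " ".join(parent) + "]")
            current = parent
        lines.append(f"{sign}   {path[-1]};")
    return lines


if __name__ == "__main__":
    print("\n".join(compare(ACTIVE, CANDIDATE)))
```

Because the diff is computed over the set of full statement paths, `compare(CANDIDATE, ACTIVE)` is exactly the rollback view with the signs swapped, which is what `show | compare rollback N` shows from the other direction.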

    12) Interface Configuration

    fe-2/1/0
    fpc slot 2
    pic in slot 1
    port 0

    PIC Slots are numbered right to left
    FPCs are numbered top to bottom

    Special interfaces:
    lo0 – Loopback interface
    fxp0 – out of band FE interface for management (only in some series)

    All physical interfaces have logical interfaces called units. Layer 3 parameters are made in units.

    Layer 2 parameters are configured at the physical interface.

    Some configurations can only be done on unit 0

    The unit concept is the same as subinterfaces

    inet – ipv4 configuration
    inet6 – ipv6 configuration
    mpls – mpls config

    Changing speed and duplex:
    set speed 100m
    set link-mode full-duplex

    Giga config:
    set gigether-options auto-negotiation
    set gigether-options flow-control

    Vlan config:
    VLAN tags are configured at the unit level

    set vlan-tagging -> enable vlan tagging
    set unit 201 vlan-id 201
    set unit 201 family inet add 10.10.10.10/24

    EtherChannel Link aggregation steps:
    * Create aggregated interfaces
    set ethernet device-count 1
    top

    * Associate physical interfaces with the aggregated interfaces
    set interfaces fe-4/0/2 fastether-options 802.3ad ae0
    set interfaces fe-4/0/3 fastether-options 802.3ad ae0

    * Configure the aggregated ethernet interface
    set interfaces ae0 aggregated-ether-options lacp active
    set interfaces ae0 unit 0 family inet address 10.10.10.10/24

    Layer 1 Properties:
    set t1-options line-encoding ami
    set t1-options framing sf
    set t1-options line-encoding b8zs
    set t1-options framing esf

    Interface encapsulation:
    HDLC

    set encapsulation cisco-hdlc
    set unit 0 family inet address 10.10.10.10/20

    PPP – this is the default
    set encapsulation ppp
    set ppp-options compress acfc pfc

    FRAMERELAY
    set unit 0 dlci 511
    multipoint:
    set unit 0 multipoint
    set address 10.10.10.10/31 multipoint-destination 10.10.5.2 dlci 511
    up 2

    12) Monitoring interfaces

    show interfaces descriptions
    show interfaces terse (show ip int bri: IOS)
    show interfaces fe-2/0/1
    show interfaces fe-2/0/1 brief
    show interfaces fe-2/0/1 detail
    show interfaces fe-2/0/1 extensive – shows layer 2 errors

    13) FIREWALLS

    Access List (Firewall filters):

    firewall family inet
    filter sample-filter (name of the filter)
    term block-bad-subnet (each access list line )

    Default is deny (discard – just dropped; reject – drops and sends a message back)

    edit filter sample-filter term block-bad-subnet from
    set source-address 192.168.10.0/24
    set source-address 192.168.20.0/24
    annotate
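The firewall-filter semantics above (terms evaluated in order, match conditions under `from`, action under `then`, implicit discard when no term matches, and the difference between discard and reject) as an added runnable illustration; this is written for these notes and is not Juniper code. The filter mirrors the page's `sample-filter` / `block-bad-subnet` and adds a constructed second term, `allow-mgmt`; the packet dicts and matcher names are assumptions.

```python
"""Evaluate a JUNOS-style firewall filter (ordered terms, first match wins,
implicit final discard) against sample packets.  Added example for these
notes, not Juniper code; the 'allow-mgmt' term and packets are constructed."""
import ipaddress

# constructed filter: the page's block-bad-subnet term plus an assumed allow-mgmt term
SAMPLE_FILTER = [
    {"name": "block-bad-subnet",
     "from": {"source-address": ["192.168.10.0/24", "192.168.20.0/24"]},
     "then": "reject"},
    {"name": "allow-mgmt",
     "from": {"source-address": ["10.0.0.0/8"],
              "protocol": ["tcp"],
              "destination-port": [22]},
     "then": "accept"},
]

# how each 'from' condition is tested; any listed value of a condition may match
MATCHERS = {
    "source-address": lambda vals, pkt: any(
        ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(n) for n in vals),
    "destination-address": lambda vals, pkt: any(
        ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(n) for n in vals),
    "protocol": lambda vals, pkt: pkt["protocol"] in vals,
    "destination-port": lambda vals, pkt: pkt["dport"] in vals,
}


def term_matches(term, pkt):
    """All conditions under 'from' must hold; a term with no 'from' matches everything."""
    return all(MATCHERS[cond](vals, pkt) for cond, vals in term.get("from", {}).items())


def evaluate(filter_terms, pkt):
    """Return (action, term_name). No matching term means the implicit final discard."""
    for term in filter_terms:
        if term_matches(term, pkt):
            return term["then"], term["name"]
    return "discard", None


def effect(action):
    """What the router does for each action (discard is silent, reject notifies the sender)."""
    return {"accept": "forward",
            "discard": "drop silently",
            "reject": "drop and send a message back"}[action]


if __name__ == "__main__":
    for pkt in [
        {"src": "192.168.10.5", "dst": "10.1.1.1", "protocol": "tcp", "dport": 22},
        {"src": "10.2.3.4", "dst": "10.1.1.1", "protocol": "tcp", "dport": 22},
        {"src": "10.2.3.4", "dst": "10.1.1.1", "protocol": "tcp", "dport": 80},
    ]:
        action, name = evaluate(SAMPLE_FILTER, pkt)
        print(pkt["src"], "->", action, "by", name or "implicit rule", "=", effect(action))
```

The first packet is worth noting: it would satisfy `allow-mgmt` on protocol and port, but `block-bad-subnet` sits earlier in the term list and wins, which is why term order matters when writing filters.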

    14) Routing protocols

    show route
    show ospf
    show bgp neighbor

    set static route 10.10.10.10/24 next-hop se-1/0/0.0
    set static route default next-hop 10.10.10.10
    set qualified-next-hop 10.10.10.10

    show route hidden
    show route 10.10.10.10

    show route receive-protocol
    show route advertising-protocol

    OSPF:
    edit protocols ospf
    set area 2 interface fe-0/0/0.0
    set area 2 interface fe-0/0/0.0 passive
    set area 2 interface fe-0/0/0.0 metric 200

    stub
    set area 2 stub
    nssa
    set area 2 nssa
    set area 2 stub default-metric 1
    set area 2 nssa default-lsa default-metric 1

    set area 0 interface fe-0/0/1.0

    set export my-export-policy -> inject additional routes into ospf
    set export static-to-ospf
    set interface fe-0/0/0.0 authentication md5 1 key testkey

    show | no-more
    show ospf database
    show ospf interface
    show ospf interface fe-0/0/1.0 extensive
    show ospf neighbor
    show route protocol ospf

    BGP:

    edit routing-options
    set autonomous-system 65432
    edit protocols bgp
    edit group ISP-A
    set description “All BGP Partners”
    set peer-as 64512
    set neighbor 10.10.10.10
    set neighbor 10.20.20.20
    set neighbor 10.10.10.10 description “partner A”
    set neighbor 10.10.10.10 peer-as 65333
    up

    Import policy – controls which routes the router will accept from a neighbour
    Export policy – controls which routes the router will advertise to a neighbour

    edit policy-options

    show bgp summary
    show bgp neighbor
    show route receive-protocol bgp 10.10.10.10
    show route advertising-protocol bgp 10.10.10.10