Pete's Packet

Limitless

Archive for October, 2009

« Previous Entries
Next Entries »

Control Plane Policing Implementation Best Practices

Posted by Peter Kurdziel on October 22, 2009


Control Plane Policing Implementation Best Practices

Introduction: Network Device Operations

IP networks provide users with connectivity to networked resources such as corporate servers, extranet partners, multimedia content, the Internet, and any other application envisioned within IP networks. While these networks function to carry data plane (user-generated) packets, they are also created and operated by control plane and management plane packets. Unlike legacy network technologies such as ISDN, Frame Relay, and ATM that defined separate data and control channels, IP carries all packets within a single pipe. Thus, IP network devices such as routers and switches must be able to distinguish between data plane, control plane, and management plane packets to treat each packet appropriately.

Read the rest here: http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html

Posted in Best practices, Multicast | Leave a Comment »

IP Multicast Best Practices for Enterprise Customers

Posted by Peter Kurdziel on October 22, 2009

IP Multicast Best Practices for Enterprise Customers

customer networks. Although many of the practices in this document were developed for Financial customers to deliver Market Data the general principles apply to any Enterprise Multicast Deployment. It describes ways to optimize multicast delivery according to basic design principals including:

• Resiliency

– Path diversity

– Redundancy

– Load sharing or splitting

• Latency

• Security

These recommendations are consistent with the existing Solution Reference Network Designs (SRND) listed below. They should be consulted for further information.

Designing a Campus Network for High Availability: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns431/c649/ccmigration_09186a008093b876.pdf

High Availability Campus Network Design-Routed Access Layer using EIGRP or OSPF: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns432/c649/ccmigration_09186a0080811468.pdf

Cisco AVVID Network Infrastructure IP Multicast Design (SRND): http://www.cisco.com/application/pdf/en/us/guest/tech/tk363/c1501/ccmigration_09186a008015e7cc.pdf

General information about IP Multicast: http://www.cisco.com/go/ipmulticast

Read the rest here: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6552/ps6592/whitepaper_c11-474791.html

Posted in Best practices, Multicast | Leave a Comment »

VTPv3 differences

Posted by Peter Kurdziel on October 22, 2009

One of the major differences between VTPv3 implementation and the earlier version is the introduction of a VTP primary server. Ideally, there must be only one primary server in a VTPv3 domain, if the domain is not partitioned. Any changes that you make to the VTP domain must be executed on the VTP primary server in order to be propagated to the VTP domain. There can be multiple servers within a VTPv3 domain, which are also known as secondary servers. When a switch is configured to be a server, the switch becomes a secondary server by default. The secondary server can store the configuration of the domain but cannot modify the configuration. A secondary server can become the primary server with a successful takeover from the switch.

Switches that run VTPv3 only accept a VTP database with a higher revision number than the current primary server. This process differs significantly from VTPv1 and VTPv2, in which a switch always accepts a superior configuration from a neighbor in the same domain. This change with VTPv3 provides protection. A new switch that is introduced into the network with a higher VTP revision number cannot overwrite the VLAN configuration of the entire domain.

The VTPv3 also introduces an enhancement to how the VTP handles passwords. If you use the hidden password configuration option in order to configure a password as “hidden”, these items occur:

  • The password does not appear in plain text in the configuration. The secret hexadecimal format of the password is saved in the configuration.

  • If you try to configure the switch as a primary server, you are prompted for the password. If your password matches the secret password, the switch becomes a primary server, which allows you to configure the domain.

Note: It is important to note that the primary server is only necessary when you need to modify the VTP configuration for any instance. A VTP domain can operate with no active primary server because the secondary servers ensure persistence of the configuration over reloads. The primary server state is exited for these reasons:

  • A switch reload

  • A high-availability switchover between the active and redundant supervisor engines

  • A takeover from another server

  • A change in the mode configuration

  • Any VTP domain configuration change, such as a change in:

    • Version

    • Domain name

    • Domain password

VTPv3 also allows the switches to participate in multiple instances of VTP. In this case, the same switch can be the VTP server for one instance and a client for another instance because the VTP modes are specific to different VTP instances. For example, a switch can operate in transparent mode for an MST instance while the switch is configured in server mode for a VLAN instance.

In terms of interaction with VTPv1 and VTPv2, the default behavior in all versions of VTP has been that the earlier versions of VTP simply drop the new version updates. Unless the VTPv1 and VTPv2 switches are in transparent mode, all VTPv3 updates are dropped. On the other hand, after VTPv3 switches receive a legacy VTPv1 or VTPv2 frame on a trunk, the switches pass a scaled-down version of their database update to the VTPv1 and VTPv2 switches. However, this information exchange is unidirectional in that no updates from VTPv1 and VTPv2 switches are accepted by the VTPv3 switches. On trunk connections, VTPv3 switches continue to send out scaled-down updates as well as full-fledged VTPv3 updates in order to cater to the existence of VTPv2 and VTPv3 neighbors across the trunk ports.

In order to provide VTPv3 support for extended VLANs, the format of the VLAN database, in which the VTP assigns 70 bytes per VLAN, is changed. The change allows for the coding of non-default values only, instead of the carrying of unmodified fields for the legacy protocols. Because of this change, 4K VLAN support is the size of the resulting VLAN database.

Posted in CATALYST | Leave a Comment »

Best Practices for Catalyst 4500/4000, 5500/5000, and 6500/6000 Series Switches Running CatOS Configuration and Management

Posted by Peter Kurdziel on October 22, 2009

Best Practices for Catalyst 4500/4000, 5500/5000, and 6500/6000 Series Switches Running CatOS Configuration and Management


Introduction

This document discusses the implementation of Cisco Catalyst series switches in your network, specifically the Catalyst 4500/4000, 5500/5000, and 6500/6000 platforms. Configurations and commands are discussed under the assumption that you are running Catalyst OS (CatOS) General Deployment software 6.4(3) or later. Although some design considerations are presented, this document does not cover overall campus design.

More here: http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml

Posted in Best practices | Leave a Comment »

High Availability New Solution Deployment: Best Practices White Pape

Posted by Peter Kurdziel on October 22, 2009

High Availability

New Solution Deployment: Best Practices White Pape


Introduction

This document discusses planning, design, and implementation practices for the deploying new solutions in your network. The biggest challenge when introducing new solutions is keeping the existing network highly available, or minimizing the impact on the existing networking environment. Successful deployment of new solutions requires structured processes that include parties from planning, design, network management, and implementation.

This best-practice document outlines the steps you need to take to successfully deploy a new network solution. We’ll look at the following critical steps in detail: Requirements, Management, Validation, and Deployment.

More here: http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a008014f908.shtml

Posted in Best practices | Leave a Comment »

Wireless, LAN (WLAN) Wireless LAN Controller (WLC) Configuration Best Practices

Posted by Peter Kurdziel on October 22, 2009

Wireless, LAN (WLAN)

Wireless LAN Controller (WLC) Configuration Best Practices


Introduction

This document offers short configuration tips that cover several Wireless Unified Infrastructure issues commonly seen in the Technical Assistance Center (TAC).

The objective is to provide important notes that you can apply on most network implementations in order to minimize possible problems.

Note: Not all networks are equal, therefore some tips might not be applicable on your installation. Always verify them before you perform any changes on a live network.

More here:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080810880.shtml

Posted in Best practices | Leave a Comment »

High Availability Configuration Management: Best Practices White Pape

Posted by Peter Kurdziel on October 22, 2009

High Availability

Configuration Management: Best Practices White Paper


Introduction

Configuration management is a collection of processes and tools that promote network consistency, track network change, and provide up to date network documentation and visibility. By building and maintaining configuration management best-practices, you can expect several benefits such as improved network availability and lower costs. These include:

  • Lower support costs due to a decrease in reactive support issues.

  • Lower network costs due to device, circuit, and user tracking tools and processes that identify unused network components.

  • Improved network availability due to a decrease in reactive support costs and improved time to resolve problems.

We have seen the following issues resulting from a lack of configuration management:

  • Inability to determine user impact from network changes

  • Increased reactive support issues and lower availability

  • Increased time to resolve problems

  • Higher network costs due to unused network components

This best-practice document provides a process flowchart for implementing a successful configuration management plan. We’ll look at the following steps in detail: create standards, maintain documentation, and validate and audit standards.

more here:


http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a008014f924.shtml

Posted in Best practices | Leave a Comment »

Cisco Guide to Harden Cisco IOS Devices

Posted by Peter Kurdziel on October 22, 2009


Introduction

This document contains information to help you secure your Cisco IOS® system devices, which increases the overall security of your network. Structured around the three planes into which functions of a network device can be categorized, this document provides an overview of each included feature and references to related documentation.

The three functional planes of a network, the management plane, control plane, and data plane, each provide different functionality that needs to be protected.

  • Management Plane—The management plane manages traffic that is sent to the Cisco IOS device and is made up of applications and protocols such as SSH and SNMP.

  • Control Plane—The control plane of a network device processes the traffic that is paramount to maintaining the functionality of the network infrastructure. The control plane consists of applications and protocols between network devices, which includes the Border Gateway Protocol (BGP), as well as the Interior Gateway Protocols (IGPs) such as the Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF).

  • Data Plane—The data plane forwards data through a network device. The data plane does not include traffic that is sent to the local Cisco IOS device.

The coverage of security features in this document often provides enough detail for you to configure the feature. However, in cases where it does not, the feature is explained in such a way that you can evaluate whether additional attention to the feature is required. Where possible and appropriate, this document contains recommendations that, if implemented, help secure a network.


More here: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

Posted in Best practices, Real World | Leave a Comment »

CCIE Security Home Lab with dynamips

Posted by Peter Kurdziel on October 22, 2009

http://inetpro.org/wiki/CCIE_Security_Home_Lab_with_dynamips_&_Co

This page contains configuration examples or information on dynamips

The examples on this page are intended for use with dynamips, the Cisco router emulator. This information is not intended for use on hardware routers, and is primarily used for troubleshooting, testing, and certification lab study.
Support of Dynamips is found on Hackis_Forum. For other dynamips pages see Category:Dynamips

Posted in Security | Leave a Comment »

The MPLS FAQ

Posted by Peter Kurdziel on October 21, 2009

http://www.mplsrc.com/mplsfaq.shtml

Posted in MPLS | 1 Comment »

« Previous Entries
Next Entries »
 
Follow

Get every new post delivered to your Inbox.