[c-nsp] MPLS VPN QoS on a SP core
Gaurav Prakash
gsinl at yahoo.com
Mon Aug 18 06:13:08 EDT 2008
Hi,
There are ways to do it.. typically 3 mode..
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hmp_c/part15/hdtmode.htm
Basically we cash in the feature of MPLS EXP bits used to mark/classify packet and treat them acc..
Regards,
Gaurav Prakash
Save our Earth
----- Original Message ----
From: "cisco-nsp-request at puck.nether.net" <cisco-nsp-request at puck.nether.net>
To: cisco-nsp at puck.nether.net
Sent: Monday, 18 August, 2008 2:34:58 PM
Subject: cisco-nsp Digest, Vol 69, Issue 54
Send cisco-nsp mailing list submissions to
cisco-nsp at puck.nether.net
To subscribe or unsubscribe via the World Wide Web, visit
https://puck.nether.net/mailman/listinfo/cisco-nsp
or, via email, send a message with subject or body 'help' to
cisco-nsp-request at puck.nether.net
You can reach the person managing the list at
cisco-nsp-owner at puck.nether.net
When replying, please edit your Subject line so it is more specific
than "Re: Contents of cisco-nsp digest..."
Today's Topics:
1. MPLS VPN QoS on a SP core (Sami Joseph)
2. content filter placement in data center (Dan Letkeman)
3. Re: content filter placement in data center (Adrian Chadd)
4. Re: IP/MPLS Design Resource (Andy Saykao)
5. IBM CIGESM aggregation and Private VLANs. (Adrian Chung)
6. Re: content filter placement in data center (Dan Letkeman)
7. Re: MPLS VPN QoS on a SP core (Mikael Abrahamsson)
8. 11503 ssl redundancy synch (Toby Burrows (Qube))
9. Re: MPLS VPN QoS on a SP core (Sami Joseph)
----------------------------------------------------------------------
Message: 1
Date: Mon, 18 Aug 2008 01:41:07 +0300
From: "Sami Joseph" <sami.joseph at gmail.com>
Subject: [c-nsp] MPLS VPN QoS on a SP core
To: Cisco-nsp <cisco-nsp at puck.nether.net>
Message-ID:
<9da37ec40808171541x7c168f1br359e6491e98131cd at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hello,
Is there a way to provide QoS for a specific VPN in an MPLS VPN Core?
Thanks,
Sam
------------------------------
Message: 2
Date: Sun, 17 Aug 2008 18:15:09 -0500
From: "Dan Letkeman" <danletkeman at gmail.com>
Subject: [c-nsp] content filter placement in data center
To: cisco-nsp at puck.nether.net
Message-ID:
<dcbb85870808171615y3f7bd499k15a2f61d8c86dc92 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hello,
I have a few questions regarding content filter placement and routing
in the data center. I would like to place our content/spyware/web
filter in our data center, but I would like to place it in such a way
that if it fails or has problems that it does not take everything
down.
Currently I have a Cisco router with two fast ethernet interfaces, and
I have two internet connections to different ISP's. One of the
connections is used for download for all of the users and the other
connection is used for services (www, ftp, mail, etc). On the cisco
router I am policy routing for those services and for the users.
The current content filter is inline with the router and the rest of
the network as a default route on the switch.
3560switch-------content filter-----------router--------internet (isp1)
|
-------------internet (isp2)
Is there a way to connect it to the router and use policy routing, and
the verify availability option so that if the content filter is down
the system still works with out it?
Thanks,
Dan.
------------------------------
Message: 3
Date: Mon, 18 Aug 2008 07:17:33 +0800
From: Adrian Chadd <adrian at creative.net.au>
Subject: Re: [c-nsp] content filter placement in data center
To: Dan Letkeman <danletkeman at gmail.com>
Cc: cisco-nsp at puck.nether.net
Message-ID: <20080817231733.GG4568 at skywalker.creative.net.au>
Content-Type: text/plain; charset=us-ascii
On Sun, Aug 17, 2008, Dan Letkeman wrote:
> Is there a way to connect it to the router and use policy routing, and
> the verify availability option so that if the content filter is down
> the system still works with out it?
Yes.
* Does the content filter speak WCCPv2? Or can you glue it to Squid?
If so, try WCCPv2.
* Otherwise, see if your platform/IOS supports object tracking and
conditional route maps. You can set things up to use a route-map
(or route!) if a destination host is reachable via ICMP.
The archives have details on both of these.
Adrian
------------------------------
Message: 4
Date: Mon, 18 Aug 2008 11:09:47 +1000
From: "Andy Saykao" <andy.saykao at staff.netspace.net.au>
Subject: Re: [c-nsp] IP/MPLS Design Resource
To: <cisco-nsp at puck.nether.net>, <junaid.x86 at gmail.com>
Message-ID:
<56F211C5E3F24F47B103EA1B253822BE0365486E at vic-cr-ex1.staff.netspace.net.au>
Content-Type: text/plain; charset="us-ascii"
Hi Junaid,
Welcome to the world of MPLS. I'm currently going through the same thing
and have been designing and fine tuning our MPLS network for the past
few months. The guys on NSP are very knowledgable so if you get stuck,
try posting on the forum. Special thanks to Oli whose been helping me a
fair bit :)
Here's a book I recommend.
Read the first few chapters to give you a good foundation.
* MPLS Fundamentals by Luc De Ghein
Also nothing beats some hands on experience and these labs are a great
introduction.
I used GNS3 to simulate these labs (http://www.gns3.net/).
* MPLS Series - Vol. 1 - Basic MPLS
http://blog.humanmodem.com/?p=115
* MPLS Series - Vol. 2 - MPLS VPN
http://blog.humanmodem.com/?p=121
I also went through the Cisco PEC (Partner Education Connection) web
site and listened to most of this series:
* Implementing Cisco Multi-Protocol Label Switching (MPLS) 2.1 - EXPRESS
http://www.cisco.com/web/learning/le36/learning_partner_e-learning_conne
ction_tool_launch.html
--
Regards,
Andy Saykao
System Administrator
Netspace Online Systems
Ph : 03 9811 0049
Mob : 0401 422 406
Fax : 03 9811 0044
Email: andy.saykao at staff.netspace.net.au
-----Original Message-----
Message: 4
Date: Sat, 16 Aug 2008 11:03:16 +0600
From: Junaid <junaid.x86 at gmail.com>
Subject: [c-nsp] IP/MPLS Design Resource
To: cisco-nsp <cisco-nsp at puck.nether.net>
Message-ID:
<c10d10920808152203u741a9be4if38bc6fe2b7c10bb at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hi,
Can you please recommend/refer me to some good books/online-resource on
IP/MPLS design? I am thinking of making an investment and buying a few
books. Will appreciate if you can recommend any titles.
Thanks.
Regards,
Junaid
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
Please notify the sender immediately by email if you have received this
email by mistake and delete this email from your system. Please note that
any views or opinions presented in this email are solely those of the
author and do not necessarily represent those of the organisation.
Finally, the recipient should check this email and any attachments for
the presence of viruses. The organisation accepts no liability for any
damage caused by any virus transmitted by this email.
------------------------------
Message: 5
Date: Sun, 17 Aug 2008 21:43:04 -0400
From: Adrian Chung <adrian at enfusion-group.com>
Subject: [c-nsp] IBM CIGESM aggregation and Private VLANs.
To: <cisco-nsp at puck.nether.net>
Message-ID: <C4CE4BE8.D372%adrian at enfusion-group.com>
Content-Type: text/plain; charset="ISO-8859-1"
Apologies if this has been discussed before on this list, feel free to point
me in the right direction, though the usual searches didn?t turn anything
up.
A couple of questions about Private VLANs between PVLAN speaking switches
and non-PVLAN speaking switches.
In the process of setting up a couple of Cisco Intelligent Gigabit Ethernet
Switch Modules - these are the Cisco 2950-like switches that come as a
modular option in IBM Blade Center server chassis. They have 4 external
uplink ports and no private VLAN support.
We?re connecting them up to a couple of 6500s over port-channelled bundles
but are running up against questions surrounding private VLANs and trunking
particularly between switches which do and do not support PVLANs.
For argument sake, lets say the 6500s have an isolated PVLAN numbered 101,
where the primary is 100. On the CIGESM side, there is no support for
PVLANs, and the blades themselves only have 2 NICs. Because there are more
than 2 VLANs to carry into each blade, the OS is configured for VLAN
tagging. In testing, if we tag VLAN 101 in the OS, no communication to
other isolated or promiscuous PVLAN ports happens across the trunk on the
6500.
If we tag VLAN 100 in the OS, the OS has communication to all of the
promiscuous ports and none of the other isolated ports, just like a proper
isolated PVLAN port would.
If I check the mac-address-table on the CIGESM trunk-port side, I see both
entries for VLAN 100 (mapping back, all correspond to promiscuous ports) and
VLAN 101 (mapping back, corresponding to isolated ports).
Weird thing is, even if an interface tagged VLAN 101 is brought up in the
OS, and a tcpdump is run on it, no traffic from other isolated PVLAN 101
ports is ever seen.
A couple of questions around this behaviour:
1. Does anyone actually know how PVLANs are tagged and carried across a
regular trunk? Is it simply tagged with the appropriate primary or
secondary VLAN tags and expected that the receiving switch understands
PVLANs and maps the secondaries the same way as the sender?
2. The scenario above with the OS tagging the primary VLAN but still
seemingly maintaining isolation from other isolated ports and being able to
reach promiscuous ports is technically fine, but what security issues
surround this configuration? Cisco's documentation touches upon making sure
that all switches involved in PVLAN trunking support PVLANs to ensure that
no security is lost...
3. Does anyone else use CIGESMs and have requirements to see more than two
VLANs inside the OS which are a mix of both regular and PVLAN ports, and if
so, how do you configure your environment?
(As an aside, this particular H blade chassis supports additional CIGESM
modules and the blades can take an additional two NICs, which would mean we
could have 4 CIGESMs and the problem goes away -- except for the fact that
that means there's no room for Fiber Channel connectivity, which is also a
requirement).
--
Adrian Chung
------------------------------
Message: 6
Date: Sun, 17 Aug 2008 20:45:28 -0500
From: "Dan Letkeman" <danletkeman at gmail.com>
Subject: Re: [c-nsp] content filter placement in data center
To: "Adrian Chadd" <adrian at creative.net.au>, cisco-nsp at puck.nether.net
Message-ID:
<dcbb85870808171845w161ace8dmd8fe82a351dc2824 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
I'm still a bit confused as to how I would connect this to the router?
The filter appliance has an ingress and egress interface and only
works in this configuration. Would I route-map incoming traffic and
outgoing traffic to and from the router? I would like to make sure
all incoming and outgoing traffic is filtered.
I'm visualizing this configuration:
--------------internet
|
switch----------router---------content filter
|
--------------wccp cache
So if I route-map source ip's(workstations) to the content filter, the
content filter will redirect the traffic back to the router and out
the default route to the internet, but do I need to route-map the
internet traffic back to the content filter? If I don't won't the
traffic just go back into the network unfiltered?
Would I be better off using my current configuration and rather
setting up an object track between the switch and router with an
alternate route? eg:
switch----------content filter------------router-------------internet
| |
-------------------------------------------------
Thanks,
Dan.
On Sun, Aug 17, 2008 at 6:17 PM, Adrian Chadd <adrian at creative.net.au> wrote:
> On Sun, Aug 17, 2008, Dan Letkeman wrote:
>
>> Is there a way to connect it to the router and use policy routing, and
>> the verify availability option so that if the content filter is down
>> the system still works with out it?
>
> Yes.
>
> * Does the content filter speak WCCPv2? Or can you glue it to Squid?
> If so, try WCCPv2.
>
> * Otherwise, see if your platform/IOS supports object tracking and
> conditional route maps. You can set things up to use a route-map
> (or route!) if a destination host is reachable via ICMP.
>
> The archives have details on both of these.
>
>
> Adrian
>
>
------------------------------
Message: 7
Date: Mon, 18 Aug 2008 07:41:48 +0200 (CEST)
From: Mikael Abrahamsson <swmike at swm.pp.se>
Subject: Re: [c-nsp] MPLS VPN QoS on a SP core
To: Sami Joseph <sami.joseph at gmail.com>
Cc: Cisco-nsp <cisco-nsp at puck.nether.net>
Message-ID: <alpine.DEB.1.10.0808180740340.12843 at uplift.swm.pp.se>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Mon, 18 Aug 2008, Sami Joseph wrote:
> Is there a way to provide QoS for a specific VPN in an MPLS VPN Core?
Yes.
Depends on what you want, but you can for instance mark MPLS EXP for the
traffic in a certain VPN and treat those packets differently in your core.
--
Mikael Abrahamsson email: swmike at swm.pp.se
------------------------------
Message: 8
Date: Mon, 18 Aug 2008 09:51:57 +0100
From: "Toby Burrows \(Qube\)" <Toby.Burrows at qubenet.net>
Subject: [c-nsp] 11503 ssl redundancy synch
To: <cisco-nsp at puck.nether.net>
Message-ID:
<AAABE3A3F4BE98459EDD3973709A613D7764F9 at exc01.qube.qubenet.net>
Content-Type: text/plain; charset="US-ASCII"
Hi all,
I have 2 css11503's in active/passive redundancy config. When using the
commit_redundConfig command the ssl does not copy across. I have cleared
the standby box and started again, but with no luck. The config guides I
have found offer little info on the ssl redundancy, just the normal IP
redundancy, the question is should I configure the ssl config and import
the certs on both boxes and then
commit the redundant config when I have verified the ssl config on the
standby unit? Or should it copy all config including all the ssl stuff
and I'm missing something?
Thanks in advance
Toby Burrows
Network Engineer
Qube Networks :: The Engineer's Choice for Co-Location, Internet Bandwidth, Design & Build, and Managed Servers
Qube Networks Ltd :: Company Number 04155284 Registered in England and Wales :: VAT Registration No: GB 769 6428 71
This e-mail and the information it contains are confidential. If you have received this e-mail in error please notify the sender immediately. You should not copy it for any purpose, or disclose its contents to any other person.
P Please consider the environment - do you really need to print this email?
------------------------------
Message: 9
Date: Mon, 18 Aug 2008 12:04:57 +0300
From: "Sami Joseph" <sami.joseph at gmail.com>
Subject: Re: [c-nsp] MPLS VPN QoS on a SP core
To: "Mikael Abrahamsson" <swmike at swm.pp.se>
Cc: Cisco-nsp <cisco-nsp at puck.nether.net>
Message-ID:
<9da37ec40808180204k5dc61621gb4f26c1394501b3 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hi Mikael,
I am not going to do in my Core but i'm just curious how this is done?
So i guess if we want to differentiate between VPNs in my core then we need
alot of different classes which is not really available and thats what makes
it difficult?
Thanks,
Sam
On Mon, Aug 18, 2008 at 8:41 AM, Mikael Abrahamsson <swmike at swm.pp.se>wrote:
> On Mon, 18 Aug 2008, Sami Joseph wrote:
>
> Is there a way to provide QoS for a specific VPN in an MPLS VPN Core?
>>
>
> Yes.
>
> Depends on what you want, but you can for instance mark MPLS EXP for the
> traffic in a certain VPN and treat those packets differently in your core.
>
> --
> Mikael Abrahamsson email: swmike at swm.pp.se
>
------------------------------
_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
End of cisco-nsp Digest, Vol 69, Issue 54
*****************************************
Get an email ID as yourname at ymail.com or yourname at rocketmail.com. Click here http://in.promos.yahoo.com/address
More information about the cisco-nsp
mailing list