Monday, July 25, 2016

BGP: Path Selection Criteria - Path Vector Protocol


#Cisco #Routing #BGP
BGP (Border Gateway Protocol)

BGP is an application-layer protocol that runs over TCP port 179.
Administrative distance: eBGP 20, iBGP 200.

BGP is used to connect different autonomous systems (AS numbers) and to carry a very large number of routes. It is a path-vector protocol: every route carries an AS_PATH attribute listing the ASes it has traversed, which is how BGP detects loops and is one of the attributes the selection criteria below compare.

The diagram below summarizes the attributes BGP evaluates when it chooses among routes to the same prefix.

Fig 1.1- BGP Attributes ( Networks-Baseline)
The path selection criteria, in the order a Cisco router evaluates them, are:

1. Prefer the path with the highest WEIGHT. WEIGHT is a Cisco-specific attribute that is local to the router on which it is set and is never advertised to a peer, so it only influences the choice between paths received on one router.

2. Prefer the path with the highest LOCAL_PREF. LOCAL_PREF is used to prefer one exit point over another across the whole AS, for example two routers connected to two different service providers. A path without LOCAL_PREF is treated as having the value set with the bgp default local-preference command, which is 100 by default. LOCAL_PREF is a standard attribute and works with any vendor (Cisco, Juniper, Huawei and so on).

3. Prefer a locally originated path, that is a path injected with the network or aggregate-address command or through redistribution from an IGP. Local paths sourced by the network or redistribute commands are preferred over local aggregates sourced by the aggregate-address command.

4. Prefer the path with the shortest AS_PATH.
◦ This step is skipped if the bgp bestpath as-path ignore command is configured.
◦ An AS_SET counts as 1, no matter how many ASs are in the set.
◦ AS_CONFED_SEQUENCE and AS_CONFED_SET segments are not counted in the AS_PATH length.

5. Prefer the path with the lowest ORIGIN type: IGP is lower than Exterior Gateway Protocol (EGP), and EGP is lower than INCOMPLETE.

6. Prefer the path with the lowest multi-exit discriminator (MED).
◦ MEDs are compared only if the first (neighboring) AS is the same in the two paths, in other words only if the first AS in the AS_SEQUENCE is the same for the paths being compared. Any preceding AS_CONFED_SEQUENCE is ignored.
◦ If bgp always-compare-med is enabled, MEDs are compared for all paths regardless of the neighboring AS. This option must be set the same way on every router in the AS; otherwise routing loops can occur.
◦ If bgp bestpath med-confed is enabled, MEDs are compared for all paths that consist only of AS_CONFED_SEQUENCE, that is paths that originated within the local confederation.
◦ A path received from a neighbor with a MED of 4,294,967,295 has its MED changed to 4,294,967,294 before insertion into the BGP table. In code that includes the fix for Cisco bug ID CSCef34800, such paths are considered valid and are inserted into the BGP table with the MED of 4,294,967,295 unchanged.
◦ Paths received with no MED are assigned a MED of 0, unless bgp bestpath med missing-as-worst is enabled. With missing-as-worst enabled, the paths are assigned a MED of 4,294,967,294 (4,294,967,295 in code that includes the fix for Cisco bug ID CSCef34800).
◦ The bgp deterministic-med command also influences this step: without it, the outcome of the MED comparison can depend on the order in which the paths were received. Refer to the Cisco document "How BGP Routers Use the Multi-Exit Discriminator for Best Path Selection" for a demonstration.

7. Prefer eBGP paths over iBGP paths. If the best path is selected here, go to step 9 (multipath).
Note: Paths that contain AS_CONFED_SEQUENCE and AS_CONFED_SET are local to the confederation and are therefore treated as internal paths. There is no distinction between confederation-external and confederation-internal.

8. Prefer the path with the lowest IGP metric to the BGP next hop. Continue to the next step even if a best path is already selected.

9. Determine whether multiple paths require installation in the routing table for BGP multipath. Continue if the best path is not yet selected.

10. When both paths are external, prefer the path that was received first (the oldest one). This minimizes route flapping, because a newer path does not displace an older one even if the newer path would win on the criteria that follow. This step is skipped if:
◦ the bgp bestpath compare-routerid command is enabled,
◦ the router ID is the same for the paths because they were received from the same router, or
◦ there is no current best path. The current best path can be lost when, for example, the neighbor that offers the path goes down.

11. Prefer the path that comes from the BGP router with the lowest router ID. The router ID is the highest IP address on the router, with preference given to loopback addresses; it can also be set manually with the bgp router-id command.
Note: If a path carries route reflector (RR) attributes, the ORIGINATOR_ID is used instead of the router ID in this comparison.

12. If the originator or router ID is the same for multiple paths, prefer the path with the minimum CLUSTER_LIST length. This attribute is only present in route reflector environments. It allows clients to peer with RRs or with clients in other clusters; in that scenario the client must be aware of the RR-specific BGP attribute.

13. Prefer the path that comes from the lowest neighbor address. This is the IP address used in the BGP neighbor configuration, that is the address of the remote peer used in the TCP connection with the local router.
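A worked run of the selection order above, as an added example (not code from the original post and not Cisco software): four constructed candidate paths for one prefix are compared pairwise, the way a router compares each newly learned path against the current best. It uses Cisco's defaults (missing MED treated as 0, always-compare-med off, deterministic-med off) and leaves step 9 (multipath) out. The ASNs, addresses and attribute values are constructed; the run shows why a prepended AS_PATH cannot override a higher LOCAL_PREF set by local policy, and why MED is never consulted between paths from different neighboring ASes.

```python
"""BGP best-path selection over constructed candidate paths.

Added example, not code from the original post or from Cisco. It applies
the decision order above as a pairwise comparison, the way a router
compares each candidate against the current best path, using Cisco's
defaults (missing MED = 0, bgp always-compare-med off, deterministic-med
off). All paths, ASNs and addresses below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}
MED_MAX = 4_294_967_295          # value used when missing-as-worst is set
SOURCE_RANK = {"network": 0, "redistribute": 0, "aggregate": 1, "learned": 2}


@dataclass
class Path:
    name: str
    as_path: List[Tuple[str, List[int]]]   # segments: (kind, [ASNs])
    neighbor_addr: str                     # remote peer address of the TCP session
    router_id: str                         # router ID (or ORIGINATOR_ID if reflected)
    received_seq: int                      # lower = received earlier (older)
    weight: int = 0
    local_pref: int = 100
    source: str = "learned"                # network / redistribute / aggregate / learned
    origin: str = "IGP"
    med: Optional[int] = None
    ebgp: bool = True
    igp_metric: int = 0
    cluster_list_len: int = 0


def as_path_len(p: Path) -> int:
    """AS_SET counts as 1; confederation segments are not counted."""
    return sum(len(asns) if kind == "AS_SEQUENCE" else 1
               for kind, asns in p.as_path if kind in ("AS_SEQUENCE", "AS_SET"))


def first_as(p: Path) -> Optional[int]:
    """Neighboring AS for the MED comparison; leading confederation segments are ignored."""
    for kind, asns in p.as_path:
        if kind == "AS_SEQUENCE":
            return asns[0]
        if kind == "AS_SET":
            return None
    return None


def effective_med(p: Path, missing_as_worst: bool = False) -> int:
    if p.med is None:
        return MED_MAX if missing_as_worst else 0
    return p.med


def prefer(a: Path, b: Path, missing_as_worst: bool = False) -> Path:
    """Return the path a Cisco router keeps when comparing a (current best) with b."""
    def lower(ka, kb):
        return a if ka < kb else b if kb < ka else None

    for key in (lambda p: -p.weight,                       # 1. highest WEIGHT
                lambda p: -p.local_pref,                   # 2. highest LOCAL_PREF
                lambda p: SOURCE_RANK[p.source],           # 3. locally originated
                as_path_len,                               # 4. shortest AS_PATH
                lambda p: ORIGIN_RANK[p.origin]):          # 5. lowest ORIGIN
        winner = lower(key(a), key(b))
        if winner is not None:
            return winner
    # 6. lowest MED, only when both paths enter via the same neighboring AS
    if first_as(a) is not None and first_as(a) == first_as(b):
        winner = lower(effective_med(a, missing_as_worst), effective_med(b, missing_as_worst))
        if winner is not None:
            return winner
    for key in (lambda p: 0 if p.ebgp else 1,              # 7. eBGP over iBGP
                lambda p: p.igp_metric):                   # 8. lowest IGP metric to next hop
        winner = lower(key(a), key(b))                     # (9. multipath not modelled)
        if winner is not None:
            return winner
    # 10. oldest external path, skipped when both came from the same router
    if a.ebgp and b.ebgp and a.router_id != b.router_id:
        winner = lower(a.received_seq, b.received_seq)
        if winner is not None:
            return winner
    for key in (lambda p: ip_address(p.router_id),         # 11. lowest router ID
                lambda p: p.cluster_list_len,              # 12. shortest CLUSTER_LIST
                lambda p: ip_address(p.neighbor_addr)):    # 13. lowest neighbor address
        winner = lower(key(a), key(b))
        if winner is not None:
            return winner
    return a


def best_path(paths: List[Path], missing_as_worst: bool = False) -> Path:
    """Fold the candidates in arrival order, as the router does when paths are learned."""
    best = paths[0]
    for p in paths[1:]:
        best = prefer(best, p, missing_as_worst)
    return best


# Constructed candidates for one prefix as seen by a single edge router.
VIA_ISP_A = Path("via ISP A", [("AS_SEQUENCE", [64501, 64510])], "192.0.2.1", "192.0.2.1",
                 received_seq=1, med=50)
VIA_ISP_B = Path("via ISP B", [("AS_SEQUENCE", [64502, 64510])], "192.0.2.2", "192.0.2.2",
                 received_seq=2, med=10)
PREPENDED = Path("prepended, LOCAL_PREF 200",
                 [("AS_SEQUENCE", [64503, 64503, 64503, 64510])], "192.0.2.3", "192.0.2.3",
                 received_seq=3, local_pref=200)
ISP_A_NO_MED = Path("ISP A second link, no MED", [("AS_SEQUENCE", [64501, 64510])],
                    "192.0.2.4", "192.0.2.4", received_seq=4)

if __name__ == "__main__":
    print(best_path([VIA_ISP_A, VIA_ISP_B]).name)               # oldest wins; MED not compared
    print(best_path([VIA_ISP_A, VIA_ISP_B, PREPENDED]).name)    # LOCAL_PREF beats AS_PATH length
    print(prefer(VIA_ISP_A, ISP_A_NO_MED).name)                 # missing MED = 0 wins
    print(prefer(VIA_ISP_A, ISP_A_NO_MED, missing_as_worst=True).name)
```

Two things the run makes visible: a leaked or hijacked prefix with a shorter AS_PATH wins at step 4 unless inbound policy has already set LOCAL_PREF or WEIGHT, and the oldest-path rule at step 10 means the outcome between two otherwise equal eBGP paths depends on which session came up first, so the same configuration can converge differently after a reload.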

Sunday, July 17, 2016

Data Center: Cisco Nexus Leaf-Spine Architecture

A newer data center design, the spine-leaf topology, lets east-west traffic travel between any two endpoints over an equal number of hops.

Here is how the spine-leaf topology is described.

Starting with the Spine-Leaf Topology:-
Spine-leaf topologies are based on the Clos network structure. The term originates from Charles Clos at Bell Laboratories, who published a paper in 1953 describing a mathematical theory of a multipath, non-blocking, multi-stage network topology for switching telephone calls.

Today, Clos's original design ideas are applied to the modern spine-leaf topology. Spine-leaf is typically deployed as two layers: spines (like an aggregation layer) and leaves (like an access layer). Spine-leaf topologies provide high-bandwidth, low-latency, non-blocking server-to-server connectivity.

Fig 1.1 Spine-Leaf Structure (Networks-Baseline )

What makes the difference:-
Leaf (access) switches are what give devices access to the fabric (the network of spine and leaf switches) and are typically deployed at the top of the rack. Generally, devices connect to the leaf switches. Devices may include servers, Layer 4-7 services (firewalls and load balancers), and WAN or Internet routers. Leaf switches do not connect to other leaf switches (unless running vPC in standalone NX-OS mode). However, every leaf should connect to every spine in a full mesh. Some ports on the leaf are used for end devices (typically 10 Gigabit), and some ports are used for the spine connections (typically 40 Gigabit).

Fig 1.2 Stages of the Leaf-Spine Network( Networks-baseline)

Spine Topology:-
Spine (aggregation) switches connect to all leaf switches and are typically deployed at the end or middle of the row. Spine switches do not connect to other spine switches. Spines serve as the backbone interconnects for the leaf switches. Typically spines connect only to leaves, but when integrating a Cisco Nexus 9000 switch into an existing environment it is perfectly acceptable to connect other switches, services, or devices to the spines.
All devices connected to the fabric are an equal number of hops away from one another. This gives predictable latency and high bandwidth between servers. The diagram below shows a simple two-tier design.

Fig 1.3 Design in Data-center ( Networks-Baseline )

How we achieve this:-
With leaf-spine configurations, all devices are exactly the same number of segments away and see a predictable and consistent amount of delay, or latency, for traveling data. This is possible because the topology has only two layers, the leaf layer and the spine layer. The leaf layer consists of access switches that connect to devices like servers, firewalls, load balancers, and edge routers. The spine layer (made up of switches that perform routing) is the backbone of the network, where every leaf switch is interconnected with every spine switch.

Fig 1.4 Layer 3 Spine-Leaf Fabric

To allow for the predictable distance between devices in this two-layered design, dynamic Layer 3 routing is used to interconnect the layers. Dynamic routing allows the best path to be determined and altered in response to network changes. This type of network is meant for data center architectures with a focus on "East-West" network traffic. "East-West" traffic is data that travels within the data center itself and not outside to a different site or network. This approach is a solution to the intrinsic limitations of Spanning Tree, with the ability to use other networking protocols and methodologies to achieve a dynamic network.
Fig 1.5 Core Fabric ( Networks-Baseline)

Rest of the Story:-
With leaf-spine, the network uses Layer 3 routing. All routes are kept in an active state by using Equal-Cost Multipath (ECMP). This allows all connections to be used at the same time while remaining stable and avoiding loops within the network. With traditional Layer 2 switching protocols like Spanning Tree on three-tiered networks, the protocol must be configured correctly on all devices and all the assumptions that Spanning Tree Protocol (STP) relies on need to be taken into account (one of the easy mistakes to make when configuring STP is mislabeling device priorities, which can lead to an inefficient path setup). Removing STP between the access and aggregation layers in favor of Layer 3 routing results in a much more stable environment.

Another benefit is the ease of adding hardware and capacity. When oversubscription of links occurs (meaning more traffic is generated than can be aggregated onto the active links at one time), expanding capacity is simple. An additional spine switch can be added and uplinks extended to every leaf switch, which adds interlayer bandwidth and reduces the oversubscription. When device port capacity becomes an issue, a new leaf switch can be added by connecting it to every spine and applying the network configuration to the switch. The ease of expansion streamlines the IT department's process of scaling the network without managing or disrupting Layer 2 switching protocols.
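The fabric properties described above, checked in an added example (not part of the original post and not a Cisco tool): it builds the full-mesh leaf-spine adjacency, confirms every pair of leaves is the same number of hops apart, lists the equal-cost paths ECMP spreads traffic over, and computes the leaf oversubscription ratio before and after a spine is added. The port counts and link speeds (48 x 10G server ports, 40G uplinks) are constructed assumptions.

```python
"""Model of a two-tier Layer 3 leaf-spine fabric.

Added example, not part of the original post and not a Cisco tool. It
builds the topology described above (every leaf connected to every
spine, no leaf-leaf or spine-spine links), checks that every pair of
leaves is the same number of hops apart, enumerates the equal-cost
paths ECMP would spread traffic over, and shows how adding a spine
lowers the leaf oversubscription ratio. Port counts and speeds are
constructed assumptions (48 x 10G server ports, 40G uplinks).
"""
from collections import deque
from itertools import combinations
from typing import Dict, List, Set


def build_fabric(num_spines: int, num_leaves: int):
    """Return (adjacency, spines, leaves) for a full-mesh leaf-spine fabric."""
    spines = [f"spine{i}" for i in range(1, num_spines + 1)]
    leaves = [f"leaf{i}" for i in range(1, num_leaves + 1)]
    adj: Dict[str, Set[str]] = {s: set(leaves) for s in spines}
    adj.update({leaf: set(spines) for leaf in leaves})
    return adj, spines, leaves


def bfs_dist(adj: Dict[str, Set[str]], src: str) -> Dict[str, int]:
    """Hop count from src to every reachable node."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def ecmp_paths(adj: Dict[str, Set[str]], src: str, dst: str) -> List[List[str]]:
    """All shortest paths src -> dst; with L3 ECMP these are all active at once."""
    dist = bfs_dist(adj, src)
    if dst not in dist:
        return []
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == dst:
            paths.append(path)
            return
        if dist[node] >= dist[dst]:          # cannot still reach dst on a shortest path
            return
        for nxt in sorted(adj[node]):
            if dist.get(nxt) == dist[node] + 1:   # only step forward along a shortest path
                walk(nxt, path + [nxt])

    walk(src, [src])
    return paths


def equidistant(adj: Dict[str, Set[str]], leaves: List[str]) -> bool:
    """True when every pair of leaves is the same number of hops apart."""
    hops = {bfs_dist(adj, a)[b] for a, b in combinations(leaves, 2)}
    return len(hops) == 1


def oversubscription(server_ports: int, server_gbps: float,
                     num_spines: int, uplink_gbps: float) -> float:
    """Southbound/northbound bandwidth ratio at a leaf; 1.0 means non-blocking."""
    return (server_ports * server_gbps) / (num_spines * uplink_gbps)


if __name__ == "__main__":
    adj, spines, leaves = build_fabric(4, 8)
    print("equidistant:", equidistant(adj, leaves))
    for p in ecmp_paths(adj, "leaf1", "leaf8"):
        print(" -> ".join(p))
    print("oversubscription with 4 spines:", oversubscription(48, 10, 4, 40))
    print("oversubscription with 6 spines:", oversubscription(48, 10, 6, 40))
```

Adding a direct leaf-to-leaf link (the thing the post says not to do) is the quickest way to see why the rule exists: the linked pair becomes one hop apart while every other pair stays at two, and the equidistance and predictable-latency claims no longer hold.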

Leaf-Spine Concerns:
There are some concerns about using the leaf-spine network architecture. The first comes from the sheer amount of cable needed to connect every spine with every leaf. The cable glut only worsens over time as new leaf and spine switches are added to increase capacity. Consideration should be given to where to strategically place the spine switches within a data center, particularly for large deployments, so that cabling is planned, organized, and manageable when scaling out capacity as the network grows.

The other major drawback comes from the use of Layer 3 routing. This eliminates the spanning of VLANs (virtual LANs) across the network. VLANs in a leaf-spine network are localized to each individual leaf switch; any VLAN segments left on a leaf switch are not reachable through the other leaves. This can create problems in a scenario such as guest virtual machine mobility within a data center.

Leaf-Spine Use Cases:
Web-scale applications where server location within the network is static benefit from a leaf-spine implementation. The use of Layer 3 routing between the layers of the architecture does not hinder web-scale applications because they do not require server mobility. The removal of Spanning Tree Protocol (STP) results in more stable and reliable network performance for East-West traffic flows. Scalability of the architecture is also improved.

Enterprise applications that rely on mobile virtual machines (e.g. vMotion) create a problem when a server needs to be supportable anywhere within the data center. The use of Layer 3 routing and the lack of VLANs extending between leaves breaks this requirement. To work around this problem, a solution such as Software Defined Networking (SDN) can be employed, which creates a virtual Layer 2 on top of the leaf-spine network. This allows servers to move around the environment freely with no detriment to the "East-West" performance, scalability, and stability attributes of a leaf-spine network topology. More details around SDN will be discussed in a future blog article.



Sunday, July 10, 2016

Aruba Indoor Wi-Fi Models

Aruba Central™

The Aruba Central services platform, hosted in the cloud, simplifies network operations by providing zero-touch setup, centralized management of multiple Aruba Instant networks and Mobility Access Switches, historical data reporting, PCI compliance tracking, and troubleshooting for networks located around town or around the world.

Organizations also have the choice of acquiring the Aruba AirWave™ private cloud management system, as well as the free Instant AP management interface that lets you manage individual AP clusters.

Aruba Central public cloud management services offer:

• Modern cloud architecture for always-on service
  - Web-scale database design for responsive performance
  - Clustered and distributed across multiple data center providers for redundancy
  - Global reach with data center locations around the world
• Single point of control for multiple sites and multiple Instant AP clusters within a single site
• Unified wired and wireless monitoring and management
• Remote monitoring and troubleshooting
  - Proactively identify problems
  - Assisted problem isolation
  - Clear, actionable data with guidance
  - Detailed device information
  - Execute troubleshooting commands on APs and Mobility Access Switches from the cloud
• Central configuration and firmware management
  - Configure your entire network from a single point
  - Organize your network using groups
  - Share common configurations across multiple Aruba Instant AP clusters and Mobility Access Switches
  - Flexibility to override at any individual cluster level
  - Cloud-hosted firmware server
  - Flexible model to support organizational policy for upgrades
  - Schedule automatic upgrades during off-peak windows across different time zones
• Compliance reporting and historical data
  - Network and security snapshots over a customizable period
  - Scheduled reports allow for low-effort monitoring
  - PCI-compliance reporting
• True zero-touch provisioning
  - Saves time in deploying remote, multisite networks
  - Links point-of-sale data + AP MAC address + management service
  - Loads a preset configuration on new APs and Mobility Access Switches without intervention
  - Anyone on site can plug in an Aruba Instant AP and power it on
  - No MAC address entry, no manual intervention

Full-featured operating system: whether managed from the cloud or managed locally, controllerless Aruba Instant APs deliver enterprise-grade security, resiliency and scale to enable the highest-performance WLANs in the industry. The key is their operating system, Aruba InstantOS™.
With Aruba InstantOS, one dynamically elected Instant AP automatically distributes the network configuration to the other Instant APs in the WLAN. Simply power up one Instant AP, configure it over the air or in the cloud, and plug in the other APs; the whole process takes approximately five minutes.
Aruba InstantOS includes built-in Adaptive Radio Management™ (ARM) technology, which optimizes wireless network behavior and automatically keeps Instant APs clear of RF interference, resulting in a more reliable, higher-performing WLAN.

It also integrates patented ClientMatch™ technology, which continuously gathers session performance metrics from mobile devices. Those metrics are then used to intelligently steer individual clients to the best AP with the strongest wireless signal as they roam.

Deep packet inspection
AppRF™ technology in Aruba InstantOS with deep packet inspection (DPI) monitors mobile app usage and performance while optimizing bandwidth, priority and network paths in real time, even for apps that are encrypted or appear as web traffic.
DPI is vital to understanding usage patterns that may require changes to network design and capacity. AppRF provides insight into over 1,500 apps, including Lync, SharePoint, Box, GoToMeeting and Salesforce.

Web content filtering
AppRF technology also provides web content filtering, enabling IT to control what users can browse on the Internet. Integrated with Aruba InstantOS, AppRF redirects web URL requests to a cloud database that contains always-up-to-date content and reputation information about millions of web pages.
This information can be used to determine what types of web browsing and web apps are allowed on the network for different users or at different times of day. You can even combine rules that allow Facebook traffic but block other social media, or permit Netflix traffic only after business hours.
Whether users are local or remote, AppRF web content filtering helps protect the network against viruses and malware and gives IT precise control over which web sites users can access.
The AppRF cloud database is updated in real time with new information about malicious web addresses, which is intended to catch new web-based attacks before they cause damage. Clients can be configured to use the AppRF web content filter even when they are not connected to an Aruba Instant WLAN, which keeps clients protected no matter where they are.
Aruba InstantOS also features integrated device fingerprinting that supports a wide range and high densities of smartphones, tablets and laptops.

Instant 224/225

The ultimate in 802.11ac Wi-Fi performance
• For extremely high-density client environments
• 3x3 MIMO, three spatial streams, up to 1.3 Gbps
• 2.4- and 5-GHz radios
• Internal and external antenna options
• Mounts on ceiling or wall

Instant 204/205

Most affordable 802.11ac
• Top performance in medium-density environments
• 2x2 MIMO, two spatial streams, up to 867 Mbps
• 2.4- and 5-GHz radios
• Internal and external antenna options
• Mounts on ceiling or wall

Instant 134/135

Highest performance 802.11n
• For high-density Wi-Fi environments
• 3x3 MIMO, three spatial streams, up to 450 Mbps
• 2.4- and 5-GHz radios
• Internal and external antenna options
• Mounts on ceiling or wall

Instant 114/115

Most popular 802.11n
• For medium-density Wi-Fi environments
• 3x3 MIMO, three spatial streams, up to 450 Mbps
• 2.4- and 5-GHz radios
• Internal and external antenna options
• Mounts on ceiling or wall

Instant 103

Most affordable 802.11n
• For low-density Wi-Fi environments
• 2x2 MIMO, two spatial streams, up to 300 Mbps
• 2.4- and 5-GHz radios
• Two internal antennas per radio
• Mounts on ceiling or wall

Instant 155

Fastest performance, highest density wired and wireless
• 2.4- and 5-GHz radios
• 3x3 MIMO, three spatial streams, up to 450 Mbps, 100 Mbps encrypted throughput
• Four ports to connect wired devices (optional Power over Ethernet on two ports)
• Optional 3G/4G WAN connection
• Sits on your desk

Instant 108/109

High-performance, high-density wired and wireless
• 2.4- and 5-GHz radios
• 2x2 MIMO, up to 300 Mbps
• One port to connect wired devices
• Optional 3G/4G WAN connection
• Sits on your desk

Instant 3

Most compact and affordable wired and wireless
• One 2.4-GHz radio
• 2x2 MIMO, up to 300 Mbps
• Two ports to connect wired devices
• Optional 3G/4G WAN connection
• Sits on your desk

Wednesday, July 6, 2016

ProxySG TechBrief – Enabling NTLM Authentication

What is NTLM Authentication?
NTLM is a Microsoft-proprietary protocol that authenticates users and computers based on an authentication challenge and response. When a Blue Coat NTLM realm is used and a resource is requested, the Blue Coat ProxySG appliance contacts the user's or computer's account domain to verify identity and requests an access token. The access token is generated by the domain controller and passed to (and, if valid, accepted by) the appliance. (Refer to Microsoft's web site for detailed information about the NTLM protocol and a list of Microsoft operating system versions that support NTLM.) The benefit of NTLM authentication is that it provides a single sign-on solution for Internet Explorer users who are already logged in to a domain. Keep in mind that NTLM is a legacy protocol; where the clients and domain support it, Kerberos is the stronger choice and NTLM is best treated as the fallback.

Why enable NTLM Authentication with Blue Coat?
The Blue Coat SG series appliance provides the ability to authenticate users defined in an NTLM database, thereby using an organization's existing authentication mechanism through the Blue Coat appliance. An administrator can know who is accessing network resources and define user/group-based policy to control access to web content and web applications.

How to implement NTLM authentication
There are four steps to implement authentication services:

1. Install the Blue Coat NTLM Authentication Agent Service
2. Create an NTLM Realm
3. Enable NTLM authentication through the Blue Coat Visual Policy Manager and create policy based on user and group identification
4. Test NTLM policy

Step 1 – Install the Blue Coat NTLM Authentication Agent Service
The Blue Coat NTLM Authentication Agent Service must be installed on a PDC or BDC, or on a member server/workstation running Windows NT/2000 Server. The Blue Coat NTLM Authentication Agent (BCAAA) is a Windows NT/2000-compatible application that aids in integrating and managing NTLM security with the Blue Coat appliance. A copy of the latest agent can be obtained from the Blue Coat support download site (locate the BCAAA Agent download).


Installing the Blue Coat NTLM Authentication Agent Service (BCAAA)
1. Unzip and copy the file bcaaa.exe to the %SystemRoot%\system32 directory of the computer used as the domain controller.
2. Install the BCAAA service by opening a command window, switching to the %SystemRoot%\system32 directory, and typing bcaaa /install
3. View the Application Event Log via the Windows Server Administrative Tools and validate that the BCAAA service is running.

To view the Application event log: the BCAAA service logs all errors to the Windows NT/2000 Application Event Log under the name BCAAA.
1. To view the event log, right-click on My Computer and choose Manage. The Computer Management window is displayed.
2. Choose System Tools, Event Viewer, and then Application. When the BCAAA service has started it logs an informational message to the Event Log.

To manage the service:
1. Right-click on My Computer and choose Manage. The Computer Management window is displayed.
2. Choose Services and Applications, then Services.
3. Right-click on the agent's service entry (listed as CASSNT) and choose Properties to manage the service. For example, to make the service start only manually, set the Startup Type to Manual. (Automatic is the default setting.)

Step 2 – Create an NTLM Realm
Create a realm using the Blue Coat GUI Management Console: select the Authentication option and then select the NTLM tab.
1. Click the New button. The Add Realm dialog is displayed. Type NTLM (or any other name) as the realm name.
2. Specify the IP address and port of the primary NTLM server on which the BCAAA agent service is running. The default port is 16101. Click OK.
3. Click Apply to save your changes. Repeat the above steps for additional NTLM servers, up to a total of 50.
4. Select the NTLM Servers tab to enable SSL from the ProxySG to the NTLM server and, optionally, to have the ProxySG verify the NTLM server's certificate. A valid certificate must exist on the NTLM server. Without SSL, the exchange between the ProxySG and the BCAAA host crosses the network in the clear, so enable it wherever the two are not on a trusted segment. Click Apply to save any changes.
5. Select the NTLM General tab to allow Basic credentials, NTLM credentials, or both. Consult your corporate security policy for this information. Allowing Basic credentials means the browser sends the username and password base64-encoded (effectively in cleartext) to the proxy, so it should be enabled only where required, for example for clients that cannot perform NTLM.
6. Credentials are cached by default for 900 seconds. This parameter can be adjusted to comply with your company's security rules; note that a longer cache window means a changed or disabled account is still accepted by the proxy for that long.
7. If you are using transparent authentication with NTLM, see the TechBrief "Enabling Transparent Authentication" for more details.

Step 3 – Enable NTLM Realm Authentication Policy
1. Open the Blue Coat Visual Policy Manager (VPM) and create a new Web Authentication layer by selecting Edit from the toolbar and choosing Add Web Authentication Layer.
2. Accept the default name (Web Authentication Layer (1)) or give it a new name. Click OK.
3. In the Action field, right-click and click Authenticate.
4. A pop-up window displays the newly created NTLM realm; click OK twice.
5. Click Install Policy to compile and load the policy.

Step 4 – Test NTLM Policy
The first test is to ensure that the NTLM directory is visible from the client, through the ProxySG, to the directory server. The ProxySG provides the means to view users and groups in a directory without the need to install additional client software.
1. Create a Web Access layer, select Source and then Set. Click New. Select User or Group from the drop-down list.
2. Select the newly created NTLM realm from the drop-down menu and click Browse.
3. A successful configuration displays the directory information, including users and groups. If the directory (NTLM) users and groups are not visible, there is a misconfiguration. Verify that the IP address configured is correct for the directory server you are attempting to contact.
Test NTLM authentication by opening an Internet Explorer browser and configuring the proxy settings of the browser to point to the ProxySG IP address and port 80. Refresh the browser and you will be prompted to enter a valid user name and password before accessing any web site.
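A client-side check of what the realm ended up allowing, as an added example (not from the TechBrief and not Blue Coat code): after the browser's Type 1 (NEGOTIATE) message the proxy answers 407 with a Type 2 (CHALLENGE) token in Proxy-Authenticate; the script decodes that token per MS-NLMP 2.2.1.2 (target name, server challenge, negotiated flags, AV pairs) and flags a realm that also offers Basic, or that negotiated NTLM without signing or extended session security. The 407 response and the domain and host names in it are constructed sample data built by the block's own helper, not a capture.

```python
"""Decode the NTLM challenge a proxy returns in an HTTP 407.

Added example, not from the TechBrief and not Blue Coat code. After the
browser's Type 1 (NEGOTIATE) message, the proxy answers 407 with a Type 2
(CHALLENGE) token in Proxy-Authenticate; this parses that token (MS-NLMP
2.2.1.2) and reports what the realm accepts. The 407 response below is
constructed sample data (domain and host names are made up), not a capture.
"""
import base64
import struct

NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}
AV_IDS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName"}


def parse_proxy_authenticate(raw_response: bytes):
    """Return (status code, list of Proxy-Authenticate values) from a raw HTTP response."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    values = [line.split(":", 1)[1].strip() for line in lines[1:]
              if line.lower().startswith("proxy-authenticate:")]
    return status, values


def parse_type2(token: bytes) -> dict:
    """Decode an NTLM CHALLENGE_MESSAGE: target name, server challenge, flags, AV pairs."""
    if token[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", token, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    tn_len, _, tn_off = struct.unpack_from("<HHI", token, 12)
    flags, = struct.unpack_from("<I", token, 20)
    challenge = token[24:32]                      # 8-byte server nonce
    ti_len, _, ti_off = struct.unpack_from("<HHI", token, 40)
    codec = "utf-16-le" if flags & 0x00000001 else "latin-1"
    target = token[tn_off:tn_off + tn_len].decode(codec)
    av_pairs, pos = {}, ti_off
    while flags & 0x00800000 and pos + 4 <= ti_off + ti_len:
        av_id, av_len = struct.unpack_from("<HH", token, pos)
        pos += 4
        if av_id == 0:                            # MsvAvEOL terminates the list
            break
        av_pairs[AV_IDS.get(av_id, f"Av{av_id}")] = token[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return {"target": target, "challenge": challenge.hex(),
            "flags": [n for bit, n in NTLM_FLAGS.items() if flags & bit],
            "target_info": av_pairs}


def audit_challenge(raw_response: bytes) -> list:
    """Findings a reviewer would raise about the realm settings visible in the 407."""
    status, values = parse_proxy_authenticate(raw_response)
    findings = []
    if status != 407:
        return findings
    if any(v.lower().startswith("basic") for v in values):
        findings.append("Basic offered: password crosses the wire base64-encoded, not encrypted")
    ntlm = [v for v in values if v.startswith("NTLM ")]
    if ntlm:
        info = parse_type2(base64.b64decode(ntlm[0].split(None, 1)[1]))
        if "NEGOTIATE_EXTENDED_SESSIONSECURITY" not in info["flags"]:
            findings.append("extended session security not negotiated (NTLM2 session key unavailable)")
        if "NEGOTIATE_SIGN" not in info["flags"]:
            findings.append("message signing not negotiated")
    return findings


def build_type2(target: str, challenge: bytes, flags: int, av_pairs: dict) -> bytes:
    """Construct a Type 2 token; used only to build the sample response below."""
    name = target.encode("utf-16-le")
    info = b"".join(struct.pack("<HH", i, len(v.encode("utf-16-le"))) + v.encode("utf-16-le")
                    for i, v in av_pairs.items()) + struct.pack("<HH", 0, 0)
    header_len = 48                                # fixed fields without the Version block
    header = (b"NTLMSSP\x00" + struct.pack("<I", 2)
              + struct.pack("<HHI", len(name), len(name), header_len)
              + struct.pack("<I", flags) + challenge + b"\x00" * 8
              + struct.pack("<HHI", len(info), len(info), header_len + len(name)))
    return header + name + info


# Constructed second 407 (the one carrying the challenge) from a realm that allows both
# Basic and NTLM, with neither signing nor extended session security negotiated.
SAMPLE_TOKEN = build_type2("CORP", bytes.fromhex("0123456789abcdef"), 0x00808205,
                           {2: "CORP", 1: "PROXY01"})
SAMPLE_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
              + b"Proxy-Authenticate: NTLM " + base64.b64encode(SAMPLE_TOKEN) + b"\r\n"
              + b"Proxy-Authenticate: Basic realm=\"NTLM\"\r\n"
              + b"Proxy-Connection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    print(parse_type2(SAMPLE_TOKEN))
    for finding in audit_challenge(SAMPLE_407):
        print("-", finding)
```

Against a real deployment, capture the second 407 with any client that sends a Type 1 message and feed the raw bytes to audit_challenge; if Basic shows up in the list even though only NTLM was intended in step 5, the realm is misconfigured, and the 8-byte challenge is the nonce the client's NTLM response is computed over.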
