So I took a break from work, reading and all things indoors today (Sunday). One other goal I have this year is to get fitter, swim better - longer, jump a higher bungee, run a 21Km (half marathon) without something on or in me giving up.
So to test my current status, I went for a triathlon:-)....The swim almost killed me, so bad was I that my event was changed to a duathlon - didn't finish the swim....:-( I'm yet to take the CCIE lab but I sure do hope my chances with it are better than what I had in the water...
I transitioned after the last swimmer - to be fair - and off we went cycling....I think apart from laziness, and probably terrible eating habits, I'm a strong, good cyclist...the trails at KU - the university - are not bad at all, parts of it are single track, brief vegetation then it's you and open ground....
Ahhh then came the run, after about 4Km, my left knee totally gave up on me, the rest of the body definitely felt betrayed, there was this awfully sharp pain from the back of my knee (I don't run much) and I swear I could hear my heart bouncing with every step...it ended well, heck they gave me a medal - probably to console me:-) the running kicked my ass though...This knee thing! not sure whether to get it checked out, so if you get by here and have a clue let me know...
I'm dedicating more hours to the run and general fitness stuff every week, not sure what to do with the swim, need a plan..to complete a full triathlon by end of year I need to probably put in as much time as I'll do for the CCIE lab. It will be very satisfying to accomplish both by end of year - something I plan on doing - ....either way I find that getting out every once in a while works wonders for my concentration..... ahhh now back to IPv6.....
Sunday, January 25, 2009
Thursday, January 22, 2009
Etherchannel Load Balancing and Forwarding Methods
On a couple of WS-C3750Es I had a strange problem (mainly with my assumptions) about how EtherChannel load balances. I thought it was automatic:-) it should feel what I need and do it!!!...
Imagine two ports bound to form one port channel giving 200Mbps. Now imagine on one end you have two hosts/servers that generate/carry a lot of traffic (an FTP server for instance) to multiple destinations on the other end - internet, auth servers etc etc...
One of the hosts has more traffic than the other, in fact a lot more than 98Mb. So when traffic hit 100Mbps, I started noticing random packet drops. Why why why...I thought this is a 200Mbps interface???
Upon further checks we discovered that one of the interfaces within the bundle was dropping packets/frames.
So the checks started:
Gitau-Switch-01-Sw#sh etherchannel load-balance
EtherChannel Load-Balancing Configuration:
src-mac
src-mac was the default.
Now according to Cisco:
EtherChannel load balancing can use either source-MAC or destination-MAC address forwarding.
With source-MAC address forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the channel based on the source-MAC address of the incoming packet. Therefore, to provide load balancing, packets from different hosts use different ports in the channel, but packets from the same host use the same port in the channel (and the MAC address learned by the switch does not change).
With destination-MAC address forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the channel based on the destination host's MAC address of the incoming packet. Therefore, packets to the same destination are forwarded over the same port, and packets to a different destination are sent on a different port in the channel.
So obviously the default load balancing was not working for me: both busy hosts were being hashed onto the same member link.
Since this was a 3750, I correctly figured that it can also use IP. Playing around with the setup on the end that was dropping packets, the following sort of sorted me out:
Gitau-Switch-01-Sw#sh etherchannel load-balance
EtherChannel Load-Balancing Configuration:
src-ip
the command to make this change is:
port-channel load-balance src-ip
you can play around with:
Gitau-Switch-01-Sw#port-channel load-balance ?
dst-ip Dst IP Addr
dst-mac Dst Mac Addr
src-dst-ip Src XOR Dst IP Addr
src-dst-mac Src XOR Dst Mac Addr
src-ip Src IP Addr
src-mac Src Mac Addr
you can run a test by:
test etherchannel load-balance interface port-channel [#] ip [src] [dst]
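As an added illustration (not code from the post or from Cisco), the Python below models how the configured load-balance method picks a member link. The fold() hash is a constructed stand-in for the switch's real ASIC hash; what it preserves is the property the Cisco text above describes: frames with the same selected field always take the same link. The two hosts, their MACs and IPs, and the 203.0.113.x destinations are constructed so that the src-mac case reproduces the situation above (both hosts hashed onto one member, the busy one saturating it), while src-ip and src-dst-ip spread the load.

```python
"""Simplified model of EtherChannel member-link selection.

Added example, not from the post or from Cisco: fold() is a toy hash standing
in for the vendor-specific one. It keeps the property the text relies on:
the same selected header fields always map to the same member link."""
from collections import Counter
from ipaddress import IPv4Address
from typing import Iterable, List, Tuple

# (src_mac, dst_mac, src_ip, dst_ip) - constructed values, not from the post
Flow = Tuple[str, str, str, str]

# The six methods listed by "port-channel load-balance ?" on the 3750
METHODS = ("src-mac", "dst-mac", "src-dst-mac", "src-ip", "dst-ip", "src-dst-ip")


def _mac(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def _ip(ip: str) -> bytes:
    return IPv4Address(ip).packed


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fold(data: bytes, links: int) -> int:
    """XOR all selected bytes together and reduce to a member index (toy hash)."""
    acc = 0
    for b in data:
        acc ^= b
    return acc % links


def select_member(flow: Flow, method: str, links: int = 2) -> int:
    """Member link (0..links-1) a frame of this flow is forwarded on."""
    src_mac, dst_mac, src_ip, dst_ip = flow
    key = {
        "src-mac": _mac(src_mac),
        "dst-mac": _mac(dst_mac),
        "src-dst-mac": _xor(_mac(src_mac), _mac(dst_mac)),
        "src-ip": _ip(src_ip),
        "dst-ip": _ip(dst_ip),
        "src-dst-ip": _xor(_ip(src_ip), _ip(dst_ip)),
    }
    if method not in key:
        raise ValueError(f"unknown load-balance method {method!r}; expected one of {METHODS}")
    return fold(key[method], links)


def distribute(flows: Iterable[Flow], method: str, links: int = 2) -> Counter:
    """How many flows each member link would carry under `method`."""
    return Counter(select_member(f, method, links) for f in flows)


def busiest_share(counts: Counter) -> float:
    """Fraction of flows on the most loaded member (1.0 == everything on one link)."""
    total = sum(counts.values())
    return max(counts.values()) / total if total else 0.0


# Constructed traffic: a busy FTP server and a quieter host behind the channel,
# both sending to many internet destinations through the same gateway MAC.
GATEWAY_MAC = "00:00:0c:07:ac:01"
FTP_MAC, FTP_IP = "00:1b:21:aa:bb:01", "10.1.1.10"
OTHER_MAC, OTHER_IP = "00:1b:21:aa:bb:03", "10.1.1.21"


def host_flows(src_mac: str, src_ip: str, n: int) -> List[Flow]:
    """n flows from one host to n different destinations (TEST-NET-3 addresses)."""
    return [(src_mac, GATEWAY_MAC, src_ip, f"203.0.113.{i}") for i in range(1, n + 1)]


SAMPLE_FLOWS = host_flows(FTP_MAC, FTP_IP, 64) + host_flows(OTHER_MAC, OTHER_IP, 16)

if __name__ == "__main__":
    for method in METHODS:
        counts = distribute(SAMPLE_FLOWS, method)
        print(f"{method:12s} {dict(sorted(counts.items()))}  busiest link carries "
              f"{busiest_share(counts):.0%}")
```

Running it prints the per-member flow counts for each of the six methods. The thing to take away is that the method only changes which header fields feed the hash: in this model src-mac puts all 80 flows on one member, src-ip splits them per host (64/16), and src-dst-ip spreads them 40/40. A single heavy conversation still lands on one member whatever the method, so the channel is never a 200Mbps pipe for one flow.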
references:
http://www.edgenetworks.nl/etherchannel.html
http://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtml
before:
Gitau-Switch-01-Sw#sh int g1/0/24 | include drop
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 20191
now :
Gitau-Switch-01-Sw#sh int g2/0/24 | include drop
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Gitau-Switch-01-Sw#sh int g1/0/24 | include drop
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
I figure after some time I'll come across a few drops..because the network hates me!!!
Tuesday, January 20, 2009
Understanding OSPF contd...
After about 20 hours of lab and roughly 10 hours going through OSPF, I still can't say I have the confidence to go through OSPF without going belly up fast in the CCIE lab. More practice is definitely called for to get to at least 70% confidence levels.
So I decided to just make some notes, go through BGP and start on Multicast as the information digests. Plus I'm curious how much of all this material I'll have to cover again.
Apparently OSPF is the most widely used IGP. It brings in the concept of Areas. If you imagine a midsized - no, actually a midsized company in Europe is probably a LARGE company in Kenya, so if you imagine a LARGE:-) company - an area would probably be a building or a department.
Router IDs, Neighbors, Adjacencies, LSAs*, Hello protocol, Areas, election (DR, BDR) are terms you'll come across and if the books you're reading don't address them:-), Google will sort you out.
OSPF sort of goes around the whole network and maps out what you ask it to, giving you paths to destinations; it's a link state protocol.
OSPF order of operation:
1: A router sends Hello packets, discovers neighbors and elects a Designated Router. Link-state information and a list of neighbors is included in the packet.
*Mar 1 00:15:08.803: OSPF: Send hello to 224.0.0.5 area 1 on Serial1/0 from 1.1.1.1
*Mar 1 00:15:10.903: OSPF: Rcv hello from 2.2.2.1 area 1 from Serial1/0 1.1.1.2
*Mar 1 00:15:10.911: OSPF: End of hello processing
*Mar 1 00:15:11.071: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.1 on Serial1/0 from LOADING to FULL, Loading Done
*Mar 1 00:15:18.807: OSPF: Send hello to 224.0.0.5 area 1 on Serial1/0 from 1.1.1.1
*Mar 1 00:15:20.907: OSPF: Rcv hello from 2.2.2.1 area 1 from Serial1/0 1.1.1.2
*Mar 1 00:15:20.911: OSPF: End of hello processing
This is an initial hello.
Debugging ip packet detail shows the messages a bit more clearly:
*Mar 1 00:20:48.815: IP: s=1.1.1.1 (local), d=224.0.0.5 (Serial1/0), len 80, sending broad/multicast, proto=89
*Mar 1 00:20:50.899: IP: s=1.1.1.2 (Serial1/0), d=224.0.0.5, len 80, rcvd 0, proto=89
Protocol 89 is OSPF, 224.0.0.5 is the AllSPFRouters multicast address; from the source you can also tell whether we originated the hello or not. Since these are serial links, no DR/BDR election takes place.
Let me swap out the links for ethernet to see how that works out....on my next post. Seems the lab is inaccessible....this is a simple lab, I think I'll Dynamips on the laptop for a while:...
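To make the Hello in that debug concrete, here is an added example (not code from the post) that builds, checksums and parses an OSPFv2 Hello as RFC 2328 lays it out. The router IDs and area are the ones in the debug (1.1.1.1 and 2.2.2.1 in area 1); the /30 mask, the 10/40 second timers and the all-zero DR/BDR of a point-to-point link are constructed assumptions. The packet it builds is 48 bytes; the "len 80" in the debug is that plus the 20-byte IP header and a 12-byte LLS block IOS appends, which the example does not model.

```python
"""Build, checksum and parse an OSPFv2 Hello (RFC 2328, A.3.1 and A.3.2).

Added example, not code from the post. Router IDs and the area come from the
debug above (1.1.1.1 and 2.2.2.1 in area 1); the mask, the timers and the
point-to-point DR/BDR of 0.0.0.0 are constructed assumptions."""
import struct
from ipaddress import IPv4Address
from typing import Dict, List

OSPF_PROTO = 89                 # the proto=89 in the IP debug
ALL_SPF_ROUTERS = "224.0.0.5"   # AllSPFRouters, where Hellos are sent
OSPF_VERSION = 2
HELLO_TYPE = 1
HEADER_FMT = "!BBH4s4sHH8s"     # version, type, length, router id, area id, checksum, autype, auth
HELLO_FMT = "!4sHBBI4s4s"       # mask, hello interval, options, priority, dead interval, DR, BDR
HEADER_LEN = struct.calcsize(HEADER_FMT)               # 24
HELLO_LEN = HEADER_LEN + struct.calcsize(HELLO_FMT)    # 44, before any neighbors


def ospf_checksum(pkt: bytes) -> int:
    """Ones'-complement checksum with the 8-byte authentication field excluded
    (AuType 0). Over a packet whose checksum field is already filled in the
    result is 0, which is how parse_hello() verifies it."""
    data = pkt[:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_hello(router_id: str, area_id: str, neighbors: List[str], mask: str = "255.255.255.252",
                hello_int: int = 10, dead_int: int = 40, priority: int = 1,
                dr: str = "0.0.0.0", bdr: str = "0.0.0.0") -> bytes:
    """Hello from router_id in area_id listing the neighbors it has already heard."""
    body = struct.pack(HELLO_FMT, IPv4Address(mask).packed, hello_int, 0x02, priority, dead_int,
                       IPv4Address(dr).packed, IPv4Address(bdr).packed)   # options 0x02 = E bit
    body += b"".join(IPv4Address(n).packed for n in neighbors)
    header = struct.pack(HEADER_FMT, OSPF_VERSION, HELLO_TYPE, HEADER_LEN + len(body),
                         IPv4Address(router_id).packed, IPv4Address(area_id).packed, 0, 0, bytes(8))
    csum = ospf_checksum(header + body)
    return header[:12] + struct.pack("!H", csum) + header[14:] + body


def parse_hello(pkt: bytes) -> Dict:
    """Decode a Hello, rejecting wrong version/type, bad length or bad checksum."""
    if len(pkt) < HELLO_LEN:
        raise ValueError("packet too short for an OSPF Hello")
    version, ptype, length, rid, area, _csum, autype, _auth = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    if version != OSPF_VERSION or ptype != HELLO_TYPE:
        raise ValueError("not an OSPFv2 Hello")
    if length != len(pkt) or (length - HELLO_LEN) % 4:
        raise ValueError("length field does not match the packet")
    if autype == 0 and ospf_checksum(pkt) != 0:
        raise ValueError("checksum mismatch")
    mask, hello_int, options, prio, dead_int, dr, bdr = struct.unpack(HELLO_FMT, pkt[HEADER_LEN:HELLO_LEN])
    return {
        "router_id": str(IPv4Address(rid)), "area_id": str(IPv4Address(area)),
        "network_mask": str(IPv4Address(mask)), "hello_interval": hello_int,
        "dead_interval": dead_int, "options": options, "priority": prio,
        "dr": str(IPv4Address(dr)), "bdr": str(IPv4Address(bdr)),
        "neighbors": [str(IPv4Address(pkt[i:i + 4])) for i in range(HELLO_LEN, length, 4)],
    }


def two_way(hello: Dict, my_router_id: str) -> bool:
    """True when the sender already lists us: the 2-Way state, the step before
    the LOADING -> FULL transition in the %OSPF-5-ADJCHG line above."""
    return my_router_id in hello["neighbors"]


def adjacency_mismatches(local: Dict, remote: Dict) -> List[str]:
    """Hello fields that must agree or the neighbor is silently ignored
    (RFC 2328 10.5). The mask check is left out because it does not apply
    to point-to-point links like the serial ones in the debug."""
    return [f for f in ("area_id", "hello_interval", "dead_interval") if local[f] != remote[f]]


if __name__ == "__main__":
    ours = build_hello("1.1.1.1", "0.0.0.1", ["2.2.2.1"])
    theirs = build_hello("2.2.2.1", "0.0.0.1", ["1.1.1.1"], hello_int=30, dead_int=120)
    print(len(ours), "bytes of OSPF (plus 20 of IP header)")
    print(parse_hello(ours))
    print("2-Way with 2.2.2.1:", two_way(parse_hello(theirs), "1.1.1.1"))
    print("mismatches:", adjacency_mismatches(parse_hello(ours), parse_hello(theirs)))
```

The two checks at the end are the ones you reach for when "Rcv hello" shows up but the adjacency never gets to FULL: either the peer's Hello does not list your router ID yet (not 2-Way), or a timer or area in the Hello disagrees, in which case the peer is dropped without any log line at all.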
Sunday, January 18, 2009
back...yes I'm back and it feels good....
Yani, that was one looong busy buuusy week.....Didn't get much done...however this weekend sort of saved it. I got through almost everything to get me sort of set for the February deadline for the written exam. Hopefully some projects at work won't come in the way, and if they do they better be fun..On the solaris+squid+wccp, my advice is don't run it in a busy production environment, far too many things could go wrong...
OSPF from the ground up from tomorrow.....
Friday, January 9, 2009
new day, new solaris + squid :-challenges
Great, another morning, my Solaris 10 has squid installed, but in comes another requirement: run WCCPv2 on it. I'm happy because I get to mess around with a router, sad because I've done this countless times on Linux and FreeBSD but never on Solaris. So I quickly go to sunfreeware; not a thing when I search for wccp. Hmm, back to basics, maybe we can work around this by first understanding the requirements (I always try to know the way a protocol works first before adapting it for whatever system I need it for; this way if I ever need to configure, let's say, OSPF on Juniper, so long as I know how SPF works, I can run it on anything):
I also decided to take some debug output for future reference:
Commands you'll use on the router:
show ip wccp web-cache detail
show ip wccp web-cache view
debug ip wccp events - display WCCP events
debug ip wccp packets - display WCCP packet information
Here's how wccp works with squid:
Once squid is started with the wccp option, the router sees this and sends an I_See_You message as follows (I had always assumed the Here_I_Am message comes first - I was obviously wrong):
Jan 9 08:57:51.584 NAIROBI: WCCP-PKT:S00: Sending I_See_You packet to 196.201.xx.xx w/ rcv_id 00006C9C
and you get this log below on the router - this is not debug output.
Jan 9 08:58:01.593 NAIROBI: %WCCP-5-SERVICEFOUND: Service web-cache acquired on WCCP client 196.201.xx.xx
Squid then sends back HERE_I_AM packets, and carries on a conversation with the router.
Jan 9 08:58:01.593 NAIROBI: WCCP-PKT:S00: Received valid Here_I_Am packet from 196.201.xx.xx w/rcv_id 00006C9C
If you were also debugging events, you get the following:
Jan 9 08:58:01.593 NAIROBI: WCCP-EVNT:S00: Assignment wait timer started
Jan 9 08:58:01.593 NAIROBI: WCCP-EVNT:S00: Built new router view: 1 routers, 1 usable WCCP clients, change # 0000004D
From then on traffic gets redirected to squid.
and if you disconnect you get the following event/log:
Jan 9 08:57:37.279 NAIROBI: WCCP-EVNT:S00: Assignment wait timer started
Jan 9 08:57:37.279 NAIROBI: WCCP-EVNT:S00: Built new router view: 0 routers, 1 usable WCCP clients, change # 0000004B
Jan 9 08:57:37.279 NAIROBI: WCCP-EVNT:S00: Router 196.201.xxx.xxx removed.
Jan 9 08:57:37.279 NAIROBI: WCCP-EVNT:S00: Assignment wait timer started
Jan 9 08:57:37.279 NAIROBI: WCCP-EVNT:S00: Built new router view: 0 routers, 0 usable WCCP clients, change # 0000004C
Jan 9 08:57:37.279 NAIROBI: %WCCP-1-SERVICELOST: Service web-cache lost on WCCP client 196.201.xx.xx
On the router, the basic config is widely available on the internet....create an access-list for traffic to redirect, enable wccp etc etc...
This conversation (between router and squid) is totally separate from the ip_wccp or ip_gre module - these packets never go through those channels. For so long as the router is receiving WCCP HERE_I_AM packets (with the proper ID), the router will send traffic to the cache IP, encapsulated in a GRE packet, and therein lies the problem, or the gotcha as CCIE candidates like saying. In production, if you do this without confirming the tunnels, all your redirected traffic will be blackholed by squid.
The GRE decapsulation is a separate process from squid. Squid doesn't talk to the gre/ip_wccp module; the GRE decapsulation occurs at the network layer in your kernel, and then the packets enter the normal routing table - on BSD/Linux it involves iptables/chains to hijack any packets destined for port 80 on the internet (in my case that's traffic coming from the router in GRE packets) and pass them over to the cache engine's port.
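Since the router keeps redirecting for as long as it hears valid Here_I_Am packets, the WCCP log lines above are worth watching rather than just reading once. The added example below (not code from the post) runs over those lines and flags the two things a defender wants to know about: a service losing its last cache, at which point redirection silently stops, and a Here_I_Am that either does not echo the rcv_id the router last sent or comes from a cache not on an allow-list. The regexes assume the IOS message formats shown above; the allow-list and the timestamps on the two disconnect lines are constructed.

```python
"""Track WCCP service state from IOS log/debug lines.

Added example, not from the post. Flags (a) a service whose last cache is
gone, so redirection has stopped, and (b) a Here_I_Am that does not echo the
rcv_id we last sent or that comes from a cache outside an allow-list (a
constructed policy; the regexes match the IOS formats in the post)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

I_SEE_YOU = re.compile(r"Sending I_See_You packet to (\S+) w/ rcv_id ([0-9A-Fa-f]+)")
HERE_I_AM = re.compile(r"Received valid Here_I_Am packet from (\S+) w/rcv_id ([0-9A-Fa-f]+)")
SVC_FOUND = re.compile(r"%WCCP-5-SERVICEFOUND: Service (\S+) acquired on WCCP client (\S+)")
SVC_LOST = re.compile(r"%WCCP-1-SERVICELOST: Service (\S+) lost on WCCP client (\S+)")
ROUTER_VIEW = re.compile(r"Built new router view: (\d+) routers, (\d+) usable WCCP clients")


@dataclass
class WccpState:
    sent_ids: Dict[str, str] = field(default_factory=dict)       # client -> last rcv_id we sent it
    clients: Dict[str, Set[str]] = field(default_factory=dict)   # service -> caches serving it
    usable_clients: int = 0
    events: List[Tuple[str, str, str]] = field(default_factory=list)  # (kind, service, client)
    warnings: List[str] = field(default_factory=list)


def process_line(state: WccpState, line: str, allowed: Optional[Set[str]] = None) -> None:
    """Update state from one log line; lines that match nothing are ignored."""
    if m := I_SEE_YOU.search(line):
        state.sent_ids[m.group(1)] = m.group(2).upper()
    elif m := HERE_I_AM.search(line):
        client, rcv_id = m.group(1), m.group(2).upper()
        if allowed is not None and client not in allowed:
            state.warnings.append(f"{client}: Here_I_Am from a cache not on the allow-list")
        expected = state.sent_ids.get(client)
        if expected != rcv_id:   # the "proper ID" the text refers to
            state.warnings.append(
                f"{client}: Here_I_Am rcv_id {rcv_id} does not echo our last I_See_You ({expected})")
    elif m := SVC_FOUND.search(line):
        service, client = m.groups()
        state.clients.setdefault(service, set()).add(client)
        state.events.append(("acquired", service, client))
    elif m := SVC_LOST.search(line):
        service, client = m.groups()
        state.clients.setdefault(service, set()).discard(client)
        state.events.append(("lost", service, client))
        if not state.clients[service]:
            state.warnings.append(f"{service}: last WCCP client gone, redirection has stopped")
    elif m := ROUTER_VIEW.search(line):
        state.usable_clients = int(m.group(2))


def process(lines: Iterable[str], allowed: Optional[Set[str]] = None) -> WccpState:
    state = WccpState()
    for line in lines:
        process_line(state, line, allowed)
    return state


# The post's lines, with the disconnect re-timestamped (constructed) so the
# sequence reads as one connect/disconnect cycle.
SAMPLE_LOG = [
    "Jan 9 08:57:51.584 NAIROBI: WCCP-PKT:S00: Sending I_See_You packet to 196.201.xx.xx w/ rcv_id 00006C9C",
    "Jan 9 08:58:01.593 NAIROBI: %WCCP-5-SERVICEFOUND: Service web-cache acquired on WCCP client 196.201.xx.xx",
    "Jan 9 08:58:01.593 NAIROBI: WCCP-PKT:S00: Received valid Here_I_Am packet from 196.201.xx.xx w/rcv_id 00006C9C",
    "Jan 9 08:58:01.593 NAIROBI: WCCP-EVNT:S00: Assignment wait timer started",
    "Jan 9 08:58:01.593 NAIROBI: WCCP-EVNT:S00: Built new router view: 1 routers, 1 usable WCCP clients, change # 0000004D",
    "Jan 9 09:12:37.279 NAIROBI: WCCP-EVNT:S00: Built new router view: 0 routers, 0 usable WCCP clients, change # 0000004E",
    "Jan 9 09:12:37.279 NAIROBI: %WCCP-1-SERVICELOST: Service web-cache lost on WCCP client 196.201.xx.xx",
]

if __name__ == "__main__":
    state = process(SAMPLE_LOG, allowed={"196.201.xx.xx"})
    for kind, service, client in state.events:
        print(f"{service}: {client} {kind}")
    for w in state.warnings:
        print("WARNING", w)
```

The allow-list check is the host-side version of what the router itself should enforce: whichever cache registers for the web-cache service gets all port-80 traffic handed to it, so which addresses may register needs to be constrained (IOS has a group-list ACL and a service password for the purpose), and the SERVICELOST line is the moment to go and look at why, not a line to scroll past.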
I wonder what happens if I let squid listen on port 80....do you still need something to 'jack' the packets? I'll try that in a while and let you know....
So now with that understanding, you'd think I'd fix this on Solaris pretty fast, yes??? Nope, nada, my cluelessness gets in the way....AGAIN!!
So again back to Google: I can't get an ip_wccp module for Solaris but I'm sure I will get GRE and the IP redirect working...and get more CLUEFUL overall, then we can go back to regular work. If you stumble upon this and have a clue...bail me out:-) pleasee....I still have about 5 BGP and 5 OSPF LABS to get through before Sunday....