Blog Posts in September 2009
The “P-to-P router encryption” post has generated numerous comments. One of the readers suggested using dedicated Ethernet encryption devices, which is probably the best option if you’ve realized you need encryption in the network acquisition phase when there’s still some budget left (too bad the vendor recommended in the comments does not want to admit how expensive the boxes are).
However, assuming you have high-speed IPSec encryption modules and you have to implement P-to-P encryption in existing network, the only option left to you is GRE tunnel. Here’s why:
One of the readers sent me an interesting question: he’d like to know the IP address of his home router (to be able to connect to it from the office), but its IP address is assigned through DHCP and changes occasionally.
I wanted to solve the problem by hooking an EEM applet onto the DHCP-6-ADDRESS_ASSIGN syslog message. No good; as it turns out, Cisco IOS generates the logging message only when a DHCP-acquired IP address is assigned to an interface without one. If the IP address is changed via DHCP, the change is not logged.
I was invited to present my views on the IPv6 deployment in enterprise networks during the local IPv6 summit. Instead of joining the cheering few or the dubious crowds, I’m trying to present a realistic view answering questions like “what do I have to do”, “when should I start” and “where should I focus my efforts”.
Here’s the outline of my presentation, any feedback, additional thoughts or insightful critique is most welcome.
Rob sent me a really good question:
I have an enterprise MPLS network. Two P routers are connected via carrier point-to-point Gigabit Ethernet and I would like to encrypt the MPLS traffic traversing the GE link. The PE-routers don't have hardware crypto accelerators, so I would like to keep the MPLS within the buildings running in cleartext and only encrypt the inter-site (P-to-P) MPLS traffic.
The only solution I could imagine would nicely fit the motto of one of our engineers: »Any time you have a problem, use more GRE tunnels« (if you have a better solution, please post it in the comments).
My friend Ronald sent me this comment:
I don't drink this Cisco Kool Aid about interconnecting data centres using an IP backbone. Rather use FC directly over DWDM instead of FCIP on MPLS.
This time I could agree with him wholeheartedly ... assuming you already have DWDM gear (or infinite budget to buy some) and you can get dark fiber when and where you need it. Unfortunately not everyone is so lucky and/or rich, so we have to compromise.
A while ago the amount of queries I’ve been receiving has reached a threshold where I felt the need to be very honest about the type of questions I will answer (after all, we’re in business of providing networking-related services and if I want to continue blogging there has to be some revenue to pay the bills). Some people don’t mind and still send me requests for free information they need to implement the projects they’re paid to do. Recently I’ve got this shopping list …
As the Carrier Ethernet services are becoming more popular, people are starting to wonder how to use it in a router-based network. I’ve got the following question from one of my readers:
I was wondering if it was possible to design a redundant network where the core uses L2 MPLS, the provider edge uses L2 for access but the customer edge equipment uses L3 Routers. We don't want to customer to see any STP at their routers.
Of course you can do that. There are two scenarios to consider:
(A) The Service Provider is offering point-to-point Ethernet service (pseudowire). In this case, two of the customer routers would be connected with what looks like a point-to-point Ethernet link. Usually the remote site would have just one "outside" Ethernet connection while the hub site would have numerous links bundled in a trunked (VLAN) link.
(B) The SP is offering VPLS service. In this case, all customer routers appear as being connected to the same Ethernet segment.
In both cases, the customer edge (CE) routers should treat the SP Ethernet link as a simple LAN segment, in case (A) connecting two routers, in case (B) connecting many routers.
You would think that an expired DHCP lease is not a big deal for a DHCP client. Although the interface IP address is lost, you can always try to get a new address from the DHCP server.
IOS has a different opinion: when the DHCP lease expires on a router configured with ip address dhcp interface configuration command, the interface is administratively shut down and re-enabled. Here’s a sample printout taken from a router running 15.6(1)T software:
Some of you might have noticed that I was somewhat quieter than usual the last few days … and I had an excellent reason: finally I’ve managed to sneak a week of climbing vacations into my schedule. There’s a fantastic eco lodge (chalet) in a nice valley between Chamonix and Geneva and they’re offering combined climbing-yoga classes.
If you’re interested in one or the other, you simply have to try them … and in the meantime you can enjoy a few pictures I’ve taken during the week.