Ethan Banks On productivity.

NMC DOiT Vol.2 Scenario 8 Days 3+4 – Login Block + Long Fat Networks/TCP Window Scaling + IP Protocol 41


I finished up scenario 8 between Thursday and today. I had a good session today, spending about 6 hours on the rack, taking my time to read and understand all of what I was doing. I’m getting better and better and identifying a task and finding it on Other things are just coming more naturally. Still a long way to go, but at about 30% through the NMC scenarios, I feel like I’m making good progress. The fundamentals are rooting in deeper with each visit to a particular technology.

I felt that I made great strides with Cat QoS this round, getting all the way through a scenario that required me to map DSCP values on certain interfaces, queue, and police. I got it 90% correct, only missed one thing on shaped round-robin queueing that I found both the Cisco documentation and the NMC explanation to be vague.

Sorry I didn’t blog much in the way of technical detail this week. Work was overwhelming, plus I spent time at work writing documentation. So coming home and blogging more just wasn’t in the cards. But, I do have some simple little things that are “good to know” I wanted to mention.

  • IPV6inIP = IP protocol 41. Helpful if you need to write an ACL to police or otherwise manage these kinds of tunnel packets.
  • ip tcp synwait-time” governs how long the router will wait for a 3-way handshake to complete before giving up. In the scenario, I had a task to configure the router to wait the minimum amount of time before giving up on a telnet session to a bogus IP. You can set it as low as 5 seconds, high as 300.
  • If you get tasked with optimizing a Long Fat Network (LFN), it’s talking about a fat pipe with a long delay, like a cross-country OC-3. IOS can use TCP window scaling to help optimize TCP traffic over a LFN. You configure “ip tcp window-size x” on either side of the link, where “x” is some value above 65535. Read about TCP window scaling.
  • According to NMC, generic traffic shaping is not supported on IP-in-IP tunnels. So, if you get a task that you think calls for a simple GTS one-liner, double-check the interface type and make sure GTS is supported. Also consider this quote from the Cisco documentation, “GTS is not supported on the following interfaces: Multilink PPP (MLP) interfaces, Integrated Services Digital Networks (ISDNs), dialer interfaces, or generic routing encapsulation (GRE) tunnel interfaces on the Cisco 7500 series router . GTS is not supported with flow switching.” If it turns our that GTS is not supported on the interface in question, you may need to do an MQC-based shaper instead.
  • Newer IOS has a login security feature called “login block”, where IOS will lock out an account based on a number of failed attempts in a specific amount of time. Read about it here.

I am set to roll on scenario 9 on Monday, and we’ll see how that goes. Monday morning, I’ll be at work at 4am doing a system upgrade, so my sleep cycle will be way off. But if I can make it home early and catch a few ZZZs, I should be able to get cracking on it.

By Ethan Banks
Ethan Banks On productivity.

You probably know Ethan Banks because he writes & podcasts about IT. For example, he co-authored "Computer Networks Problems & Solutions" with Russ White.

This site is Ethan on productivity--not tech so much.

Find out more on his about page.