NMC DOiT Vol.2 Scenario 15 – bgp cluster-id + Dual Route-Reflectors + ip as-path access-list + Embedded Event Manager + IPv6 Tunnel

More tech highlights.

  • I ran into some obscure wording on a BGP task: “provide redundant NLRI exchange”. Hmm. I got what they were looking for after a bit (routes to be provided to the AS via 2 sources), but at first I didn’t really get it. The other criterion was that a full-mesh was not allowed (meaning route-reflectors and/or a confederation would be used instead). And since we needed redundant NLRI exchange, dual route-reflectors sounded like the right answer. And indeed it was.
  • When using multiple route-reflectors to reflect routes to the same client routers, you need to avoid routing loops (RR1 sends a route to client 1, who sends the route to RR2, who sends the route to RR1, etc.). You do this by identifying each route-reflector with a “bgp cluster-id”. That way, the route-reflectors can tell what route came from where and avoid loops within the cluster.
  • How do you filter for prefixes that come only from a locally attached AS? Well, if you think about it, the AS path will only be one AS long if originated from a locally attached AS. So you can write an as-path filter using regex with that in mind, such as this one: “ip as-path access-list 1 permit ^[0-9]+$”. Which, being interpreted, means “permit an AS path that starts ( ^ ), consists of a digit ( [0-9] ) repeated one or more times ( + ) and nothing else, and then ends ( $ )”.
  • When you NAT, make an effort to put your “ip nat” statements on the right interfaces. Duh. In my case, I put an “ip nat outside” on the physical interface instead of the frame-relay subinterface. I spent A LOT of time troubleshooting this problem, I’m embarrassed to say, until I realized what I had done. Oops.
  • Read up on the Cisco Embedded Event Manager. It’s one of those things you should have seen at least once before walking into the actual lab. I don’t know that I’m going to spend a lot of time on it, but in short, you can schedule TCL scripts to run at certain times or react to certain events. Bring the pain.
  • How do you connect 2 IPv6 domains across IPv4 address space, without adding IPv6 addressing to the IPv4 interfaces in your way? Why, you tunnel, of course! I’ve run into IPv6 tunneling several times now in the NMC scenarios. This one left me free to do what I wanted, so I went with a bonehead-simple IPv6-in-IP tunnel with static configuration. Worked like a champ, and even matched the answer key. :)
  • Again, read, read, read the stupid task. Yet another dumb move on my part. In the QoS section, I skipped the part telling me to apply the rate-limiting to the router interface. I soldiered on ahead with info from the previous task, where I was led to believe that I needed to apply rate-limiting to a Cat 3550 interface. So, I spent quite a bit of time setting up a MQC-style policer, knowing the whole time I was doing it that I wasn’t going to be able to meet quite all of the burst requirements listed in the task. And then my brain finally noticed that I was supposed to be rate-limiting the router interface, at which point the task made all the sense in the world. <sigh> Silly brain.
  • “spanning-tree portfast” (which probably every single one of us has used for years) allows you to skip the spanning-tree listening and learning states.
  • “monitor session” (both source and destination) allows you to copy traffic from one port to another. Useful for packet sniffers and IPS appliances. Again, probably something nearly all of us use all the time.
  • A MAC will age out of the 3550 MAC address table in 300 seconds by default. To change this behavior, use “mac-address-table aging-time xx vlan yy”, where “xx” is the time in seconds, and “yy” is the VLAN number you wish to apply this change to.
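As an added example (not from the original post), here is a small Python model of how the as-path access-list regex from the BGP bullet above is evaluated against received AS paths. It renders AS_PATH the way the router displays it, maps Cisco’s `_` metacharacter onto a Python equivalent, and shows that `^[0-9]+$` permits only single-AS paths, rejecting transit paths, aggregates with an AS_SET, and the empty path of a locally originated route; the prefixes and AS numbers are constructed sample data.

```python
import re

# Constructed sample BGP table: prefix -> AS_PATH (nearest AS first).
# A set inside the list stands for an AS_SET segment; an empty list is a
# locally originated route, whose AS_PATH is empty.
SAMPLE_PATHS = {
    "10.1.0.0/24": [65001],                   # directly from neighbour AS 65001
    "10.2.0.0/24": [65001, 65002],            # AS 65001 transiting a route from 65002
    "10.3.0.0/24": [65003],                   # directly from neighbour AS 65003
    "10.4.0.0/24": [],                        # originated inside our own AS
    "10.5.0.0/24": [65001, {65004, 65005}],   # aggregate ending in an AS_SET
}


def as_path_string(as_path):
    """Render an AS_PATH as 'show ip bgp' prints it: AS numbers separated by
    spaces, AS_SET segments in braces with comma-separated members."""
    parts = []
    for seg in as_path:
        if isinstance(seg, set):
            parts.append("{" + ",".join(str(a) for a in sorted(seg)) + "}")
        else:
            parts.append(str(seg))
    return " ".join(parts)


def as_path_matches(acl_regex, as_path):
    """Evaluate one 'ip as-path access-list' regex against one AS_PATH.
    Cisco's '_' matches start, end, space, comma or brace; it is rewritten
    into an equivalent Python alternation before matching."""
    py_regex = acl_regex.replace("_", r"(?:^|$|[ ,{}])")
    return re.search(py_regex, as_path_string(as_path)) is not None


def filter_prefixes(acl_regex, table=SAMPLE_PATHS):
    """Return the sorted prefixes whose AS_PATH the regex permits."""
    return sorted(p for p, path in table.items() if as_path_matches(acl_regex, path))


if __name__ == "__main__":
    # ^[0-9]+$ -> locally attached ASes only; ^$ -> our own routes; _65002_ -> paths via 65002
    for acl_regex in ("^[0-9]+$", "^$", "_65002_"):
        print(f"{acl_regex:10} permits {filter_prefixes(acl_regex)}")
```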