NMC DOiT Vol.2 Scenario 18 – BGP Synchronization + BGP network route-map + tunnel mode ipsec ipv4 + 3550 flowcontrol + Fair-queueing In Class-Default

More notes continued from the previous post.

  • We’re probably all familiar with the fundamental rule of BGP synchronization. BGP will not advertise a route to a neighbor unless that route already lives in the RIB via an IGP. In other words, if you have synchronization enabled, learning a route via BGP isn’t enough – the route must also be known by an IGP. But there’s another rule of synchronization that I didn’t know. If the IGP is OSPF, the router ID (RID) of the autonomous system boundary router (ASBR) must equal the RID of the IBGP speaker advertising that route. If the RIDs are mismatched, then BGP assumes synchronization is broken, and the route will not be advertised to a BGP neighbor. So go ahead and wrap your brain around that one. Heh…it had me scratching my head for a while. :)
  • The BGP network statement accepts a “route-map” option that allows you to (among other things) attach BGP attributes to a route as it’s originated into the BGP AS.
  • You can create a tunnel interface that functions in tunnel mode “ipsec ipv4”, meaning that you don’t have to nest IPsec in a GRE interface anymore. Check out this configuration for a simple DES tunnel between R2 and R5.

    R2:
    ! Phase 1 (ISAKMP) policy, authenticated with a pre-shared key
    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key doit address 151.10.100.5
    !
    ! Phase 2 transform set: ESP with DES and an MD5 HMAC
    crypto ipsec transform-set VPN25 esp-des esp-md5-hmac
    !
    ! IPsec profile that the tunnel interface references
    crypto ipsec profile VPN25
     set transform-set VPN25
    !
    ! Tunnel interface running native IPsec, with no GRE encapsulation
    interface Tunnel25
     ip address 151.10.50.2 255.255.255.0
     ip rip advertise 10
     tunnel source 151.10.100.2
     tunnel destination 151.10.100.5
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile VPN25

    R5:
    ! Mirror of R2, with the peer, source and destination addresses swapped
    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key doit address 151.10.100.2
    !
    crypto ipsec transform-set VPN25 esp-des esp-md5-hmac
    !
    crypto ipsec profile VPN25
     set transform-set VPN25
    !
    interface Tunnel25
     ip address 151.10.50.5 255.255.255.0
     ip rip advertise 10
     tunnel source 151.10.100.5
     tunnel destination 151.10.100.2
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile VPN25

  • In the context of a Cat3550 switch, if the task asks you to do something with “pause link operation” frames, you need to be working with interface “flowcontrol“.
  • If a QoS task asks you to configure “preferential treatment of interactive traffic” in traffic that will be in class-default of CBWFQ, they want you to turn on “fair-queue” for class-default. Class-default is the only class in which you can turn on fair-queue…all other classes are FIFO within the class, although the classes as a whole are queued via fair-queuing.
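
The R2/R5 tunnel above is a lab configuration: its ISAKMP policy never names an encryption algorithm or DH group, so those come from the platform defaults. The following added example (not part of the original post) audits such a configuration and reports weak settings, including the implicit ones. It assumes classic IOS defaults (DES, SHA-1, group 1), sub-commands indented as `show running-config` prints them, and weak-algorithm lists chosen for this example.

```python
import re

# Assumption: classic IOS defaults applied when a policy omits the line.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
WEAK = {  # lists chosen for this example
    "encryption": {"des", "3des"},
    "hash": {"md5"},
    "group": {"1", "2", "5"},
}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}

# Constructed sample: R2's crypto lines from the post, indented as show run prints them.
R2_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key doit address 151.10.100.5
!
crypto ipsec transform-set VPN25 esp-des esp-md5-hmac
"""

def audit(config):
    """Return a sorted list of (object, setting, value, origin) findings."""
    findings, policies, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        if raw[:1].isspace() and current is not None:  # policy sub-command
            key, _, value = line.partition(" ")
            if key in ISAKMP_DEFAULTS and value:
                current[key] = value.split()[0]  # "aes 256" -> "aes"
            continue
        current = None  # left the policy sub-mode
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            for t in m.group(2).split():
                if t in WEAK_TRANSFORMS:
                    findings.append((f"transform-set {m.group(1)}", "transform", t, "explicit"))
    for num, explicit in policies.items():
        for key, default in ISAKMP_DEFAULTS.items():
            value = explicit.get(key, default)  # fall back to the assumed default
            if value in WEAK[key]:
                origin = "explicit" if key in explicit else "default"
                findings.append((f"isakmp policy {num}", key, value, origin))
    return sorted(findings)
```

Findings marked `default` are the ones a line-by-line read of the configuration would miss, because nothing in the text names them.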

More in the next post, later tonight…