Q n Q Tunneling
Q n Q Tunneling
December 16, 2009
By David Clark, CCIE# 14742 (Routing and Switching), CCSI# 31937
Service providers often have multiple customers with overlapping VLAN ranges. Q-in-Q tunneling or 802.1Q tunneling is the mechanism that allows service providers to preserve customer VLANS being transported through the service provider networks. Q-in-Q tunneling uses a two-level VLAN tag structure. Each customer is assigned a unique VLAN within the service providers network, this unique tag is added to all incoming frames from the customer network. The original frame from the customer remains untouched. The inner frame is often referred to as the customer VLAN tag because the customer originally assigns it.
Q-in-Q tunneling significantly reduces the number of VLAN required within a customer network as each customer is assigned a unique VLAN. To the customer the service provider network appears as a transparent bridge connecting their sites together.
When configuring Q-in-Q tunneling the ports connected directly to the customer switch are configured with the command “switchport trunk encapsulation dot1q”. The customer ports are configured as per normal and require no extra configuration.
interface FastEthernet0/20
description customer
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
end
Interface FastEthernet0/21
description service provider
switchport access vlan 21
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable
end
In the above example Fast 0/20 resides on the customer switch, while Fast 0/21 is on the service provider switch and configured as a tunnel port. VLAN 21 becomes the outer tag and is added to all frames from Fast 0/20 sent down to Fast 0/21. The service provider port is specifically configured also to carry CDP, STP and VTP frames. The configuration can be verified with the command “show l2protocol-tunnel interface fast 0/21”
If the customer is running a negotiated EtherChannel a slightly different configuration is required. On the customer side a normal EtherChannel is configured.
interface Fastethernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode desirable
interface Fastethernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode desirable
The service provider configuration is slightly different from the previous example.
interface Fastethernet0/1
switchport access vlan 17
switchport mode dot1q-tunnel
l2protocol-tunnel point-to-point pagp
end
interface fastethernet0/2
switchport access vlan 18
switchport mode dot1q-tunnel
l2protocol-tunnel point-to-point pagp
end
In this case we use the “l2protocol-tunnel point-to-point pagp” command to carry the PagP frames across the service provider network. Also one customer VLAN is assigned per incoming from port from the customer switch. For LACP the ““l2protocol-tunnel point-to-point LACP” would be used.
Article Source: http://www.ccbootcamp.com/support-resources/resources/articles-by-ccbootcamp.html
Tags: ccie, cisco, computer training, VLAN
. 17 Dec 08 | Uncategorized | Comments (0)
iCOD Arrival!! Watch the iCOD in action on YouTube.
iCOD Arrival!! Watch the iCOD in action on YouTube:
http://www.youtube.com/watch?v=2KYjpvP56sE
Tags: ccbootcamp, ccie, CCIE Training, cisco, computer training, IPOD
Configuring a Router to Support SDM
Configuring a Router to Support SDM
November 10, 2008
By Luke Foster
Cisco SDM (Security Device Manager) is a web based management tool that works with the Cisco IOS to aid in the configuration and management of Cisco routers. The GUI (Graphical User Interface) allows engineers with little experience to configure Cisco routers, and stage large deployments. SDM is also powerful enough to help experienced engineers efficiently implement advanced security measures such as an IPS (intrusion Prevention System).
There are two types of SDM, SDM and SDM Express. The express version is just a limited form of SDM for routers that do not have enough flash memory to support the full SDM (SDM requires 6MB of flash, SDM Express requires only 2MB of flash). SDM is factory installed on the 1800 series, 2800 series, and 3800 series routers. SDM is also factory installed on router platforms with the (K9) security bundle. If a router does not have SDM installed, the software can be downloaded for free from Cisco. When downloading the SDM software from Cisco, make sure to verify the IOS version of the router can support SDM.
SDM provides several wizards to walk an engineer through configuring a router. These wizards range from interface configurations, to VPN (Virtual Private Network), and even QoS (Quality of Service) configurations. The Security Device Manager also provides real time monitoring, logging, and security audit features. It will even notify an engineer if it notices conflicting configuration parameters and suggest resolutions.
Note - SDM can be enabled on deployed routers without affecting the network
To configure a router to support SDM:
First, enable the HTTP or HTTPS server on the router.
Router# configure terminal
Router(config)# ip http server
Router(config)# ip http secure-server
Router(config)# ip http authentication local
Router(config)# ip http timeout-policy idle 600 life 86400 requests 10000
Next, create a user who has enable privileges
Router(config)# username username privilege 15 secret 0 password
Finally, configure the vty lines to support telnet / ssh local login and privileged level 15 users
Router(config)# line vty 0 4
Router(config-line)# privilege level 15
Router(config-line)# login local
Router(config-line)# transport input telnet ssh
Note – If your router supports 16 vty lines, enter the commands above for vty line 5-15 as well
Article Source: http://www.ccbootcamp.com/support-resources/resources/articles-by-ccbootcamp.html
Tags: ccbootcamp, ccie, cisco, computer training, Network Learning, Routers
. 17 Nov 08 | ccbootcamp | Comments (0)
CCNA - CLASS ON DEMAND LEADS THE WAY TO HIGHER CERTIFICATIONS
Contact: Dawn Tesar
FOR IMMEDIATE RELEASE
Tel: 877-654-2243
October 31, 2008
Website: http://www.ccbootcamp.com
Email: dawn@ccbootcamp.com
CCNA - CLASS ON DEMAND LEADS THE WAY TO HIGHER CERTIFICATIONS
Innovative product offers a more flexible and affordable starting point for IT professionals
Today’s information technology engineers are in greater demand than ever before. Like many professions, IT engineers must always learn, advance, and increase their knowledge. Companies depend on them to be on the cutting-edge of the industry. However, with the challenging economic climate, companies are eliminating training and travel budgets. Engineers are looking for innovative to get the training necessary that leads to higher certifications.
The newest and most ground-breaking training option has recently been released by CCBOOTCAMP. Dawn Tesar, Director of Marketing for CCBOOTCAMP, says, “We talked to thousands of engineers world-wide when we were developing this new product. We believe that the iCOD® – Class on Demand addresses many of the concerns we heard.” The CCNA iCOD® – Class on Demand gives these engineers an affordable, flexible and portable option to traditional or even online courses.
IT engineers who plan to work toward the highest Cisco® Expert level certification, generally begin with a CCNA, Cisco® Certified Network Associate certification. This is the newest course now available on the iCOD®. Engineers can now have all of the benefits of a traditional, week long; instructor led boot camp without sacrificing time away from work or family. Employers are excited too because engineers can now get the same high level of training at a reduced cost, no travel required.
The CCNA iCOD® comes on an 8GB iTouch® iPod®. The CCNA course includes over 40 hours of classroom instruction that uses lecture and labs. Students get the same Cisco® CCNA course curriculum and lab guides as they would in a traditional training course. The material included is specifically designed to prepare the student for the CCNA 640-802 exam. Also included for the student’s success is 40 hours of virtual rack time. This allows the student to thoroughly and effectively practice what is being learned. Students can easily review trouble areas as many times as necessary. This, along with the dedicated instructor mentoring via www.routerie.com, ensures that all concepts are completely understood by the student.
CCBOOTCAMP expects to release additional Cisco® courses in the iCOD® format to cover all levels from CCENT through CCIE in the coming months.
###
If you would like more information about this topic, or to schedule an interview with Brad Ellis, please call Dawn Tesar at 877-654-2243 or email Dawn at dawn@ccbootcamp.com.
Tags: CCNA, CCNA Security, CCNA Voice, CCNA Wireless, certifications, cisco, Class on Demand, ICND1, ICND2, iCOD, networking, routing and switching, training, www.routerie.com
Sorry Bruce!!!
Okay, so originally I was just trying to poke fun at a couple vendors with their marketing tactics using my Trolley Car report. I unintentionally offended Bruce Caslow with, what I intended to be funny picture, was insulting to him. Since then, we have updated the report with his and Va’ls correct picture. I really have the utmost respect for Bruce Caslow and his true dedication to providing quality training. He’s one of the few guys left in this industry that gives a damn as much about making money as he does about training. Bruce - you rock. Sorry to offend you. Hopefully you’ll let me buy you a drink the next time we are together at a conference or networkers 09.
. 29 Oct 08 | Uncategorized | Comments (0)
The Trolley Car - A spoof of one of our competitors “reports”
http://www.ccbootcamp.com/collateral/the_trolley_car.pdf
. 28 Oct 08 | Uncategorized | Comments (0)
New Features in Cisco ASA version 8
New Features in Cisco ASA version 8October 20, 2008
By Keith Barker
Often, I am asked about the differences between ASA5500 series firewall software version 7.x and version 8.x. This article will point out a few of the key differences, and include some sample configurations. The most noticeable feature new to version 8 is the support of EIGRP. This is configured the same way it is on an IOS router:
ASA(config)# router eigrp 1
ASA(config-router)#
network 10.0.0.0
ASA(config-router)#no auto-summary
Another new aspect of version 8.x is that NAT can be performed even when the firewall is in transparent mode. Also the GUI of the ASA Device Manager (ASDM) has changed. It is more visually appealing than its predecessor, which is nice, but once you get used to the menus being slightly rearranged, the basics of configuring the ASA with ASDM are the same as it was in the prior version.
network 10.0.0.0
Many of the “behind the scenes” improvements for version 8.x went into the SSL VPN component. Cisco’s latest SSL client, named AnyConnect, can be loaded onto the ASA and download/installed for authenticated remote users on demand. After downloading, it can automatically uninstall itself after the connection terminates, or it can remain on the remote PC for future SSL VPN connections. This makes it very simple to deploy in large (and small) environments.
The AIP module, which is available for the 5500 series, performs Intrusion Detection/Prevention Services in conjunction with the ASA. The IPS module has the ability to perform as multiple virtual sensors (4 being the max). Unfortunately, these virtual sensors could not be independently assigned to separate ASA contexts (virtual firewalls), until now. Version 8.x of the ASA code supports allocating a specific virtual sensor to a single virtual firewall. The configuration, shown from the system execution space on the ASA, illustrates how to assign a virtual sensor named VS1 to the virtual firewall named VF1:
ASA(config)# context VF1
ASA(config-ctx)#
allocate-interface gigabitethernet0/1
ASA(config-ctx)#
allocate-interface gigabitethernet0/0
ASA(config-ctx)# allocate-ips VS1
Once the sensor has been assigned to VF1, the Modular Policy Framework (MPF) needs to be used within the virtual firewall (VF1) to direct the traffic to the senor (VS1) for analysis. In the example, all traffic destined for the IP address of 24.234.2.10 will be sent to the sensor, inline, for analysis. If the sensor fails, the traffic will not be forwarded.
ASA(config-ctx)#
changeto context VF1
ASA/VF1(config)#
access-list IPS_ACL permit ip any host 24.234.2.10
ASA/VF1(config)#
class-map IPS_CLASS
ASA/VF1(config-cmap)#
match access-list IPS_ACL
ASA/VF1(config-cmap)#
exit
ASA/VF1(config)#
policy-map IPS_POLICY
ASA/VF1(config-pmap)#
class IPS_CLASS
ASA/VF1(config-pmap-c)#
ips inline fail-close
ASA/VF1(config-pmap-c)#
exit
ASA/VF1(config-pmap)#
exit
ASA/VF1(config)#
service-policy IPS_POLICY interface outside
ASA/VF1(config)#
Some of the most recent releases of the 8.x code is only for the higher end 5500 devices, such as the 5580. In time, these versions will also be available on the lower end devices including the 5505 and 5510. All in all, if you don’t specifically need EIGRP or some of the other enhancements to version 8, you may want to wait, and allow someone else to discover what bug fixes may be in store.
Article Source: http://www.ccbootcamp.com/support-resources/resources/articles-by-ccbootcamp.html
Tags: ASA Device Manager, ASA5500, CCIE Security, firewall, Intrusion Detection/Prevention Services, security, training
. 24 Oct 08 | training | Comments (0)
CCBOOTCAMP’s Executive Program Offers IT Professionals Exciting Option
Contact: Dawn Tesar
FOR IMMEDIATE RELEASE
October 09, 2008
Tel: 877-654-2243
Email: dawn@ccbootcamp.com
Website: http://www.ccbootcamp.com
CCBOOTCAMP’s EXECUTIVE PROGRAM OFFERS IT PROFESSIONALS EXCITING OPTION
Engineers no longer have to choose between career advancement and family.
In complex economic times companies have to work harder to maintain a competitive edge, stay on top of cyber threats and ensure their engineers are fully trained to protect their networks. Executives tell us that it is imperative their IT staff is trained and up-to-date on all technologies. Company executives and IT professionals are constantly challenged with balancing the demands of work and family. Coupled with this, the IT professional is also faced with additional requirements from their employers to continually improve their skills and knowledge by attending training courses or “boot camps” in order to obtain additional and higher certifications in their field of expertise.
“IT professionals are being pulled in every direction and many tell us that it’s usually their families who get short changed,” says Dawn Tesar, Director of Marketing for CCBOOTCAMP. Tesar says that these engineers are tired of having to choose between their families or furthering their careers. Tesar stated that, “CCBOOTCAMP’s new 12 Week Executive Online CCIE Program will allow IT professionals to get the necessary training they need in a relatively short period of time and still keep up with their job responsibilities and have time for their family too.”
CCBOOTCAMP’s world-renowned CCIE® courses are now in a new online format. The Executive Online CCIE Program consists of twelve (12) weeks of instructor-led, online interactive training with one of our Cisco® certified industry experts. IT professionals are now able to obtain the coveted CCIE – Cisco Certified Internetwork Expert certification over a more flexible timeframe (2 online trainings per week) without having to be away from work or family commitments for multiple weeks at a time. The program is custom designed to encompass all aspects of preparation for the IT professional to take and pass the practical lab exam which is required by Cisco® to obtain a CCIE certification.
CCBOOTCAMP, a division of Network Learning, Inc. was founded in 1998 to provide authorized Cisco and CompTIA training courses for IT engineers at every level of expertise. The company offers training solutions to individuals as well as companies who employ engineers to maintain their networks.
###
If you’d like more information about this topic please call Dawn Tesar at 877-654-2243 or email dawn@ccbootcamp.com
Tags: CCIE Routing and Switching, CCIE Security, CCIE Service Provider, CCIE Vocie, executice, online, training
. 16 Oct 08 | Press Releases | Comments (0)
IT ENGINEERS FOCUS ON CISCO AUTHORIZED SELF-PACED LEARNING
Contact: Dawn Tesar
FOR IMMEDIATE RELEASE
October 1, 2008
Tel: 877.654.2243
Email: dawn@ccbootcamp.com
IT ENGINEERS FOCUS ON CISCO AUTHORIZED SELF-PACED LEARNING
Companies cut training and travel budgets; Self-paced, Self-study closes the gap
Information technology engineers are continually expected by their employers to keep up on the ever changing and rapidly advancing technologies within their field of expertise. At conventions across the country and around the world, more and more engineers are expressing their frustrations. They need additional authorized training, but because of heavy work loads and shrinking budgets, they’re not able to take time away from work to attend training courses. Traditional training courses or “boot camps” require engineers to be away from work for 5 to 17 days depending on the level of training they’re pursuing. Companies today are cutting back on what they consider the luxury of training courses and the additional expenses of travel and per diem. However, many companies are still willing to pay for other forms of authorized training where employees can self-study.
According to Brad Ellis, CEO of CCBOOTCAMP, these engineers are looking for ways to get their necessary training and advanced certifications and stay within their company restrictions. “The changing economy is putting the squeeze on companies today, but the need for trained engineers is more necessary today than ever before in order for these companies to remain competitive,” Ellis said.
To close the gap between the need for training and the engineers’ heavy work load, lack of travel budget and increased pressure to self-study, CCBOOTCAMP’s Brad Ellis says engineers are excited about the release of the new Cisco Authorized iCOD – Classes on Demand. This new form of training course available on the Apple iPOD Touch platform allows the engineers to self-study whenever and where ever is convenient. Each Apple iPOD Touch is preloaded with a self-paced instructor led lecture featuring Official Cisco Curriculum and discussion pertaining to a specific training level and certification.
CCBOOTCAMP, a division of Network Learning, Inc. was founded in 1998 to provide authorized Cisco and Comptia training courses for IT engineers at every level of expertise. The company offers training solutions to individuals as well as companies who employ engineers to maintain their networks.
###
If you’d like more information about this topic, or to schedule an interview with Brad Ellis, please call Dawn Tesar at 877.654.2243 or email at dawn@ccbootcamp.com
Tags: CCNA Security, cisco, Class on Demand, CompTIA, iCOD, self-paced, self-study, training
. 16 Oct 08 | Press Releases | Comments (0)
TRAINED IT SECURITY ENGINEERS IN DEMAND
Contact: Dawn Tesar
FOR IMMEDIATE RELEASE
October 2, 2008
Tel: 877-654-2243
Email: dawn@ccbootcamp.com
Website: http://www.ccbootcamp.com
TRAINED IT SECURITY ENGINEERS IN DEMAND
Newly released CCNA – Security iCOD™ gives engineers a new option
IT engineers who are responsible for network security must continually stay on top of the newest security threats by making sure they have the most current and cutting edge training. While the need for training increases, the available time and budget for the training is decreasing. Companies’ today need employees who are adequately trained to keep their networks secure, but simply don’t have enough room in their budget to pay for the training, travel expenses and accommodations. In addition to these expenses, they also lose the productivity of the employee who is away for training courses that can last anywhere from 5 to 17 days.
According to Dawn Tesar, Director of Marketing for CCBOOTCAMP, the release of the new iCOD™ – Class on Demand, which contains training for the Cisco CCNA Security course, will meet many of the needs these engineers have. “Engineers today need a product that is portable, convenient and affordable,” says Tesar. She also noted that engineers at all levels of training and experience are looking for better options.
The first Cisco authorized training course to be released on the iPod™ is CCNA Security, Implementing Cisco IOS Network Security. This Cisco authorized training covers over 40 hours of classroom instruction using lecture and labs in this convenient iPod™ format. It is specifically designed to prepare the engineer for the CCNA Security IINS exam. Students also have 40 hours of virtual rack time where they can work through scenarios and homework assignments to get practical experience. An engineer from a local technology company said that this course is innovative and remarkable for several reasons. First, the portability of the product is unmatched. Engineers can access the lessons while commuting, at home or at work without the need of a laptop. Second, students are able to put into practice what they’re learning as they’re learning it by using the virtual racks. They also receive dedicated instructor mentoring via www.securityie.com to ensure all concepts are completely understood. Finally, the course is affordable for almost all individuals and companies. Companies can actually save money because they don’t have to pay for travel and lodging or loose employee productivity.
Additional Cisco courses are expected to be released in this iCOD™ format in the coming months to cover all levels of Cisco certifications from the CCENT level through the CCIE level.
CCBOOTCAMP, a division of Network Learning, Inc. was founded in 1998 to provide authorized Cisco and CompTIA training courses for IT engineers at every level of expertise. The company offers training solutions to individuals as well as companies who employ engineers to maintain their networks.
###
If you’d like more information about this topic please call Dawn Tesar at 877-654-2243 or email at dawn@ccbootcamp.com
. 16 Oct 08 | Press Releases | Comments (0)