Wednesday, April 27, 2011

Price "inflation" for Microsoft exams from July 2011

IT certification is not shielded from the current world-wide commodity price inflation. From July 2011, Microsoft will raise most of its certification exam fees (roughly 10%, depending on the region). For Singapore, the price of the TS and PRO series exams will increase from SGD 225 to SGD 246. Meanwhile, there is also an ongoing promotion (15-20% discount plus a free 2nd shot) till 30 Jun 2011.

So, hurry and sign up for the current promotion. Even if you're not ready, just book your first exam before 30 Jun and you can still have the free re-take until the end of this year.

  1. New announcement on Microsoft exam fee
  2. Microsoft Exam Discount and free 2nd shot

Tuesday, April 26, 2011

Part 3: Configuring RIP routing on Windows Server 2008

This follows up on part 2, which described the concept of network high availability for a single, non-clustered Windows server using dynamic IP routing. This final part outlines the implementation steps. On the Cisco routers, ensure that RIP auto-summarization is disabled, as we are using /32 host addresses on the server loopback adapters.
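As an added illustration of why auto-summarization must be off (this is not code from the original post), the Python model below shows what a RIPv2 router would advertise out of an interface that sits in a different classful major network, with auto-summary on versus off. All addresses are constructed; split horizon is not modelled.

```python
import ipaddress

def classful_network(ip):
    """Classful major network (A /8, B /16, C /24) that RIP auto-summary
    collapses subnets into when crossing a major-network boundary."""
    first_octet = int(ip.split(".")[0])
    prefix_len = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)

def rip_advertise(routes, out_iface_ip, auto_summary):
    """Prefixes a RIPv2 speaker sends out of the interface holding
    out_iface_ip. Only auto-summarisation is modelled (no split horizon)."""
    out_major = classful_network(out_iface_ip)
    advertised = set()
    for prefix in routes:
        net = ipaddress.ip_network(prefix)
        major = classful_network(str(net.network_address))
        if auto_summary and major != out_major:
            advertised.add(str(major))   # the /32 host route is lost here
        else:
            advertised.add(str(net))
    return sorted(advertised)

# Constructed addresses: the server's loopback /32 and one NIC subnet, as
# learned by the access router, which then re-advertises them out of an
# interface in 172.16.0.0/16 (a different major network).
SERVER_ROUTES = ["10.10.10.10/32", "192.168.1.0/24"]
CORE_FACING_IP = "172.16.0.1"

if __name__ == "__main__":
    print("auto-summary on :", rip_advertise(SERVER_ROUTES, CORE_FACING_IP, True))
    print("auto-summary off:", rip_advertise(SERVER_ROUTES, CORE_FACING_IP, False))
```

With auto-summary on, the loopback host route is collapsed into 10.0.0.0/8 and clients can no longer be steered to the surviving NIC; with it off, the /32 is carried through unchanged.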

Step 1: Install Windows loopback adapter
Add the Microsoft Loopback Adapter using the Add Hardware wizard (hdwwiz.exe) with elevated admin rights. Assign a host IP address to it using a /32 (255.255.255.255) subnet mask. Add a host record for this IP address statically on the DNS server.

Step 2: Install “Routing and Remote Access Services” Server Role
Open up Server Manager and add the server role named "Routing and Remote Access". Check the following items:

Step 3: Add new routing protocol “RIP”
On the Server Manager console, right-click on “Routing & Remote Access” and choose “Enable and Configure Routing ….” Click “Next” and select “Custom Configuration”. Select “LAN routing” and complete the wizard. Under “Routing and Remote Access > IPv4”, right-click on “General” and choose “New Routing Protocol”. Select “RIPv2 for Internet Protocol”.

Step 4: Enable RIP on Network Adapter
Click on RIP and add the new adapters (only the public interfaces and the loopback that you want users to access; never add your management interface!). By default, Cisco routers perform RIPv2 routing using multicast, so select this option on the General tab.

For route optimization, it may be a good idea to have your network routers simply inject a default route into your server's routing table. Click on the "Advanced" tab and enable the following options:

You would also want to allow the server to advertise the host address (remember the loopback interface in step 1), which can be statically mapped to a host record on the DNS server.

Step 5: Securing RIP routing (Optional, but important for better stability and security)
To prevent your server from listening to a "rogue" RIP router/server that gives out bad routes, specify your trusted RIP neighbors on the Security tab (right-click on RIP and choose Properties).

Furthermore, you probably won’t want your servers to become routers and carry network traffic unknowingly. You can further secure it by limiting it to advertising its own addresses only. For each interface added to RIP routing, choose “Properties” and permit only the NIC address and the loopback address for outgoing routes.

Step 6: Verify IP routing
There are two ways to verify the IP routing table on your server, which should be populated by the network routers: through the Routing And Remote Access console or through a command prompt. In the Routing And Remote Access console, expand the IP Routing node, right-click the Static Routes node, and then click Show IP Routing.

On the client network, run a continuous ping (ping -t x.x.x.x) against the loopback address of the server. To simulate a NIC failure, disable one NIC; you should see only a couple of timeouts before the ping resumes.

Monday, April 25, 2011

Using Anycast RP for Video Multicasting

In my earlier post on Bridging Dense-Mode to Sparse-Mode PIM, I mentioned using a Sparse-Mode Anycast Rendezvous Point (RP). But what is it about?

First of all, let's understand what a Sparse-Mode Rendezvous Point is. In any PIM multicast deployment, there is always at least one source (typically a video streaming server such as Microsoft Windows Media Services) and many client receivers. Instead of joining the streaming server directly (as in Source-Specific Multicast), multicast sources and receivers must register with their local rendezvous point (RP). So think of the RP as a common meeting point for all sources and receivers. This is also known as the Shared Tree multicast model. On Cisco, there are a few configuration models for the RP, including Manual RP (i.e. "hard-coding" the RP in every router), Auto-RP (i.e. electing one of many RP candidates), bootstrap RP (similar to Auto-RP) and Anycast RP.

Most RP models support only a single active RP at any one time. Only the Anycast RP model provides load sharing and redundancy in the multicast network. Anycast RP allows two or more rendezvous points (RPs) to share the load for source registration and to act as hot backups for each other. Two or more RPs are configured with a common IP address on loopback interfaces with a 32-bit mask, making it a host address. All other routers are statically configured to map the RP to this common address and will reach whichever RP is nearest according to unicast routing. The protocol that links up the multiple RPs is the Multicast Source Discovery Protocol (MSDP).

Static Anycast RP is also relatively easy to configure and troubleshoot. Consider the following example from Cisco.com:

As you can see from the above example, both RP1 and RP2 share the common IP address 10.0.0.1 on their loopback 0 interfaces. MSDP is enabled to peer the two RPs on their respective loopback 1 interfaces using the ip msdp commands. All other routers (the two routers at the bottom) just statically map the RP to this common IP address using the ip pim rp-address 10.0.0.1 command. Of course, you have to ensure that the loopback addresses are routable within your domain, which is easily achieved with any dynamic IGP such as OSPF.

Troubleshooting Summary
For troubleshooting, the most common failure is a break in Reverse Path Forwarding (RPF), the mechanism by which the receiving routers determine the best path back to the source (or, in this case, the RP). The most common omission is a missing ip pim sparse-mode or ip pim sparse-dense-mode, which must be present on all router interfaces.

If it still fails, have a client join the multicast address. Alternatively, you may simulate the join by having the client's next-hop L3 access switch or router join the multicast group using ip igmp join-group 239.1.1.1 (replace this address with the actual multicast address configured on your streaming server) at the receiver's interface level. Trace on every router from the receiver to the source using the show ip mroute command (with the vrf option in an MPLS VPN or VRF-lite situation). Check for a broken reverse path (e.g. take note of a missing RPF neighbor with a Null incoming interface).

#show ip mroute 239.1.1.1
.....
(10.1.12.4, 239.1.1.1), 00:00:01/00:02:58, flags:
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Ethernet0/0, Forward/Dense, 00:00:02/00:00:00
Vlan111, Forward/Dense, 00:00:02/00:00:00

Take note of the above output: if you see that the incoming interface is Null and the RPF neighbour is empty (0.0.0.0) on a router, it usually means a missing "ip pim" on some interface or an issue with the underlying unicast routing. If it's the latter, perform standard routing troubleshooting on the underlying IGP or static routes.
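To make this check repeatable across many routers, here is an added Python helper (not from the original post) that parses a constructed sample of show ip mroute output, modelled on the excerpt above, and flags entries with a Null incoming interface. It assumes the IOS output layout shown on this page.

```python
import re

# Constructed sample modelled on the page's "show ip mroute" excerpt: a
# healthy (*,G) entry followed by an (S,G) entry with a broken reverse path.
SAMPLE = """\
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, T - SPT-bit set
(*, 239.1.1.1), 00:10:12/stopped, RP 10.0.0.1, flags: SJC
  Incoming interface: Ethernet0/1, RPF nbr 10.1.12.1
  Outgoing interface list:
    Vlan111, Forward/Sparse, 00:10:12/00:02:45
(10.1.12.4, 239.1.1.1), 00:00:01/00:02:58, flags:
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Ethernet0/0, Forward/Dense, 00:00:02/00:00:00
    Vlan111, Forward/Dense, 00:00:02/00:00:00
"""

ENTRY_RE = re.compile(r"^\((\S+), (\S+)\),")
IIF_RE = re.compile(r"^\s*Incoming interface: (\S+), RPF nbr (\S+)")
OIL_RE = re.compile(r"^\s+(\S+), (?:Forward|Prune)/")

def parse_mroute(text):
    """Split show ip mroute output into one dict per (S,G) or (*,G) entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"source": m.group(1), "group": m.group(2),
                            "iif": None, "rpf_nbr": None, "oil": []})
            continue
        if not entries:          # banner lines before the first entry
            continue
        m = IIF_RE.match(line)
        if m:
            entries[-1]["iif"], entries[-1]["rpf_nbr"] = m.group(1), m.group(2)
            continue
        m = OIL_RE.match(line)
        if m:
            entries[-1]["oil"].append(m.group(1))
    return entries

def broken_rpf(entries, this_router_is_rp=False):
    """Entries whose reverse path is unresolved (Null incoming interface).
    RPF nbr 0.0.0.0 alone is normal for a directly connected source, so it
    is not treated as a failure. On the RP itself the (*,G) entry
    legitimately shows Null, so it is skipped when this_router_is_rp is set."""
    return [e for e in entries
            if e["iif"] == "Null"
            and not (this_router_is_rp and e["source"] == "*")]
```

Run parse_mroute over the output captured from each router along the path and print broken_rpf; the first router that reports a hit is where the "ip pim" or unicast routing check should start.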

There is a good blog post that further elaborates the detailed steps of RPF troubleshooting.

Sunday, April 17, 2011

Part 2: Network Redundancy for Windows Server: Dynamic IP Routing

Besides NIC teaming (covered in part 1), another way to achieve network redundancy for a Windows Server is to employ dynamic IP routing. Windows Server supports both static and dynamic IP routing. In dynamic routing, new routes are learned dynamically from the routing peers (typically routers and L3 switches). Any change in the network topology (including the failure of server NICs or switches) triggers a routing update on all participating routing nodes. In other words, if any switch or NIC fails, traffic avoids the broken path and continues to be routed over the remaining links.


Examples of dynamic routing protocols include Open Shortest Path First (OSPF) and Routing Information Protocol (RIP). Windows Server 2003 supports both OSPF and RIP, while Windows Server 2008 supports only RIP. Besides achieving network redundancy, you need not configure routing statically, which is otherwise fragile under network topology changes and prone to configuration errors. Consider the following example:

Dual-homed ServerX is connected to two different switches on different subnets. RIPv2 routing is enabled on both NICs. By default, ServerX dynamically registers both DNS records with the AD-integrated DNS servers. With DNS round-robin, network load-balancing can even be achieved among multiple clients. However, in the event of either a NIC or a switch failure, half of the clients would lose connection with ServerX, which is usually not desirable. Consider the next example:

An MS Loopback adapter is installed. RIPv2 routing is enabled on the two physical NICs as well as on the loopback adapter. Dynamic DNS update is disabled, and a single static A record is created with the loopback IP address. As dynamic routing supports equal-cost multi-path load-balancing, multiple clients reach the ServerX loopback via both NICs. If either NIC or switch fails, dynamic routing re-converges. After a short convergence time, clients regain access to ServerX on its loopback address via the sole remaining NIC.

In conclusion, with dynamic routing and a static DNS record for the loopback adapter, both network load-balancing and network redundancy can be achieved. In my next post (part 3), I will summarize the steps to achieve this.

Wednesday, April 13, 2011

Part 1: Network Redundancy for Windows Servers: NIC Teaming

To provide network redundancy to a single Windows server, you would first need to have 2 or more NICs. To protect against a single switch failure, you would further need to ensure different NICs are connected to different network switches.

Generally, the most common way is to use hardware vendors' specific NIC teaming solutions, where multiple NICs are grouped and teamed into a single virtual network adapter. You then manage the virtual adapter just as you would a physical adapter. The most common NIC teaming solutions include:

For each of the vendor solutions, there are various teaming modes. Some protect against single NIC failure, single switch failure or even both (including load-balancing features). Intel ANS supports the following teaming modes:

1) Adapter Fault Tolerance (AFT)
A team of 2 - 8 NICs connects to the same switch. Only 1 NIC is active and the others are on standby. The team uses one common IP address and MAC address. A 'failed' active adapter passes its MAC and IP address to the standby adapter. As the name implies, it only protects against single NIC failure.

2) Switch Fault Tolerance (SFT)
Similar to AFT above, except that the NICs are connected to different switches and only 2 NICs are supported. In addition to single adapter protection, it protects against single switch failure.

3) Adaptive Load Balancing (ALB)
2 - 8 NICs can be teamed. One NIC receives and all ports transmit, using one IP address and multiple MAC addresses. With Receive Load Balancing (RLB) enabled, more than one NIC (of the fastest speed) can receive traffic in load-balancing mode. Works with 1 or more switches.

4) Virtual Machine Load Balancing (VMLB)
Supports multiple Hyper-V VMs on a team of 2 - 8 NICs. It provides transmit and receive traffic load balancing across multiple Virtual Machines (VMs) bound to the common team interface. In a VMLB team, each VM is associated with one team member for its TX and RX traffic. If only one virtual NIC is bound to the team, or if Hyper-V is removed, then the VMLB team acts like an AFT team.

5) Link Aggregation
In Cisco terms, this is known as EtherChannel, where 2 - 8 NICs are teamed to the same switch. It uses a common virtual MAC address and IP address and supports load-balancing across the team members.

NIC Teaming Configuration
Configuring Intel NIC teaming is a pretty straightforward task once you understand the basic networking concepts. For a step-by-step guide, see this YouTube demo. Nevertheless, it is important to note that Microsoft (see KB254101 and KB968703) does not support vendor-specific NIC teaming. If you raise a support issue and NIC teaming is suspected, MS may ask that the NIC teaming be removed.

In my next post, I will talk about using Microsoft Windows 2008 Routing (RIPv2) for network redundancy as an alternative.

Saturday, April 9, 2011

Reverse Route Injection for VPN Remote Clients

In my previous post, I mentioned that Cisco ASA remote access can be easily set up using the VPN wizard. One of the steps involves creating an IP address pool or using a DHCP server to dynamically assign inside IP addresses to the remote clients. Often, this range of IP addresses may not be routable in the trusted networks.

To resolve this, you either use NAT or Reverse Route Injection (RRI). With the latter, a static host route for the remote client is injected into the IGP (e.g. RIP or OSPF) so that it becomes routable. Enabling RRI is easy: on the ASDM console, click on "Remote Access VPN > Network Access > Advanced > IPSec -> Crypto Maps". Edit an existing map, click on the "Tunnel Policy (Crypto Map) - Advanced" tab and check "Enable Reverse Route Injection".


Alternatively, on the command line, just append set reverse-route on the existing crypto map, e.g. "crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route".

Friday, April 8, 2011

Faster OSPF Convergence using iSPF

According to this Cisco config guide, OSPF uses Dijkstra's SPF algorithm to compute the shortest path tree (SPT). During the computation of the SPT, the shortest path to each node is discovered. The topology tree is used to populate the routing table with routes to IP networks. When changes to a Type-1 or Type-2 link-state advertisement (LSA) occur in an area, the entire SPT is recomputed.

In many cases, the entire SPT need not be recomputed because most of the tree remains unchanged. Incremental SPF (iSPF) allows the system to recompute only the affected part of the tree. Recomputing only a portion of the tree rather than the entire tree results in faster OSPF convergence and saves CPU resources. Note that if the change to a Type-1 or Type-2 LSA occurs in the calculating router itself, then the full SPT is recomputed. Incremental SPF is scheduled in the same way as the full SPF. Routers with incremental SPF enabled and routers without it can function in the same internetwork.

Given that there are only pros and no cons, we should enable iSPF by default. iSPF can be easily enabled using the ispf command under each router ospf process.
  router ospf 1
   ispf
  !
To verify:
  show ip ospf 1 | inc SPF
  ........
  Incremental-SPF enabled
  .......