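p***a Posts: 28 | 1 Recently I found that on a VRF-lite CE-PE connection, when total traffic is below the port rate and voice-class traffic is below
the EF class priority value, the EF class of the last VPN drops packets.
If I increase the bc of that EF class, the problem disappears, but the traffic actually entering the CE is constant. Why? |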
|
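t*******r Posts: 3271 | 2 From topic: EmergingNetworking board - An interview question The following reply does not address the original poster's question; it is just a general view:
1. It is best not to use private addresses for the PE-P-PE interconnects, because a single network usually serves several purposes, and loopbacks with private IP addresses cause management problems;
2. Doing Internet access inside the same VRF is indeed rather silly. Juniper implemented it in the early years and it was very unscalable. If the users have public addresses, that is fine; if the users have private IPs and you have to do NAT inside the VRF, that is a fate worse than death;
3. The two IFLs (logical interfaces) that Saiwong proposed are indeed a good approach, but they still require relatively complex configuration changes on the SP side;
4. For a P router (P only), you do need to reduce the load on the control plane; it is best to separate the RR/P/PE functions. To be more specific, the L3VPN RR/L2VPN (VPLS) RR/IPv4 RR/IPv6 RR are best separated as well; the PEs, of course, need not be.
The BGP table should still be kept under reasonable control (using route-target), to avoid every PE (those that do not need a full BGP feed) holding the routes of the whole network.
Regarding fast, seamless cutover:
A. First pilot the services of a few VPN sites (of different kinds, e.g. VPLS/L3VPN) to prove that the end-to-end LSP works
, V... |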
|
a***n Posts: 262 | 3 From topic: EmergingNetworking board - An interview question Actually this is what we are doing with our regional education network. We
have several VLANs to them, each is a different VRF on SP PE side. For
example, one for commodity internet, one for research and education network,
the other is for SP commercial peering. We took full internet routing
table from commodity internet connection.
Then we have flexibility of putting any VLAN on our end to a vrf/GRT in back
-to-back vrf architecture.
customers want to have full Internet BGP feed, so each VR... |
|
a***n Posts: 262 | 4 From topic: EmergingNetworking board - An interview question GRT means global routing table :-)
I used your proposed loopback cable solution. You could also have one end of
a VLAN in router one vrf green and the other end in router two vrf fusion/
global
Another is fusion router/vrf? GRT could be fusion vrf though.
Cisco Network Virtualization Service Edge Design Guide.
Will that fit the question? |
|
s*****g Posts: 1055 | 5 From topic: EmergingNetworking board - An interview question Internet access inside VRFs? how scalable is that going to be? say customers want to have full Internet BGP feed, so each VRF will have 350K FIB entries, in that case how many VRFs can a typical PE provide? 3?
Also how is SP's IGP prefixes size relevant? SP's IGP prefixes can well be in RFC1918 space. If PE-CE connection is Ethernet, can't we configure VLAN/sub-interfaces on both sides, one VLAN/subinterface for L3 VPN access and the other one for Internet access? that way each VRF FIB can be sm... |
|
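c*****i Posts: 631 | 6 Your core/border router has two VRFs, campuswan and resnet, and the ISP uplink has
subinterfaces corresponding to these two VRFs, right?
Your option 2 would be to create two VRFs on the router, resnetwan and resnet, connect these two
VRFs with the IPS, and then use static routes to force traffic to go through the IPS. I have seen this used in a
school campus network before, but I am not sure whether it is a common implementation. |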
|
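c*****i Posts: 631 | 7 Your core/border router has two VRFs, campuswan and resnet, and the ISP uplink has
subinterfaces corresponding to these two VRFs, right?
Your option 2 would be to create two VRFs on the router, resnetwan and resnet, connect these two
VRFs with the IPS, and then use static routes to force traffic to go through the IPS. I have seen this used in a
school campus network before, but I am not sure whether it is common practice. |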
|
s*****g Posts: 1055 | 8 Policing at 128K for a phone? would that be enough for ad hoc conferencing? also when putting voice in a VRF, how do you handle inter-VRF communication especially for hosts running softphone? don't you need to import all other VRF's routes into Voice VRF?
Care to explain to us what are your design goals and challenges you are facing?
It |
|
a***n Posts: 262 | 9 Attached please find the network virtualization hierarchical diagram. The
design will use global routing table as trunk of the tree while individual
L3VPN as leaf of the tree. From leaf to leaf, you have to go thru trunk.
Between trunk and leaf, there will be a virtual firewall.
We will see how this architecture will go along.
Challenges:
Impacts of going thru 2 VFWs between leaves.
Voice applications have to go from VoIP L3VPN to global table for campus wide
services, will that work out we... |
|
z**r Posts: 17771 | 10 in http://tools.ietf.org/html/draft-raggarwa-l3vpn-2547-mvpn-00#page-10
it says
Option A: VRF-to-VRF connections at the AS border routers.
Option B: EBGP redistribution of labeled VPN-IP routes from AS to
neighboring AS.
Option C: Multihop EBGP distribution of labeled VPN-IP routes between
source and destination ASes, with EBGP redistribution of labeled IP
routes from AS to neighboring AS.
but in many other documents, I see
Back to Back VRF connections (Option A)
VPNv4 routes di |
|
s*****g Posts: 1055 | 11 This is not quite right ...
RD is not local, distinguisher means it is unique, so it has to be global,
such that vpnv4 routes are uniquely identified when learned through BGP. Once
the routes are filtered to different VRFs, RD loses its meaning.
While RT is kind of local in the sense that it is just a tag added in
community such that other sides can selectively filter the prefixes to
achieve complex connectivity requirement between VRFs such that different
VPNs can be established, so within an I... |
|
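z**r Posts: 17771 | 12 From topic: EmergingNetworking board - An interview question A network is to be upgraded from an IP core to an MPLS core + L3VPN. This core has about 1000 PEs, and the IGP is about 30K.
What approach can seamlessly move all the existing CE routers into their corresponding VRFs? The requirement is that
service must not be interrupted during the upgrade. Short interruptions are of course tolerable: for example, when a configuration is changed,
a service interruption while the new configuration takes effect is acceptable.
I was interviewing someone today and another guy on the team asked this. I could not think of any effective approach either. Route
leaking between GRT and VRF does not seem to work well, mainly because a large number of IGP prefixes are involved, so the leaking can only be done with a
routing protocol, but in that case it seems the only workable way is to add a local loop with one end in the VRF and the other end
in the GRT.
Any other approaches? |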
|
a***n Posts: 262 | 13 Hi All,
We are trying to deploy the 10G IPS at our campus. Attached please find the
simplified version of our network topology. All devices are standalone
catalyst 6500, and we currently have iBGP full mesh between core and
distribution. campus and resnet have different routing/security policy.
My question is where is the good place to place the IPS?
1) directly put them inline with our connection to our service provider. IPS
admins are not so confident about it even they have the fail-open har... |
|
z**r Posts: 17771 | 14 don't think he is doing user based policing, all VoIP traffic in his design
shares the PQ pipe, so I think it should be fine
? also when putting voice in a VRF, how do you handle inter-VRF communication
especially for hosts running softphone? don't you need to import all other
VRF's routes into Voice
facing? |
|
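v***1 Posts: 3 | 15 Yes, it is this figure from that book.
I also feel the SP's purpose is simply to keep the two spoke sites from communicating directly.
But doesn't that add complexity? In this example the routing protocol between the hub-side PE and CE is OSPF.
There are two cases here:
① If the hub side and the spoke side have the same domain-id, then the type-3 LSAs have the down-bit problem: the VRF doing the export
will by default not include LSAs with the down-bit set in its route calculation. From what I see, the book solves this with a sham-link.
② If the hub side and the spoke side have different domain-ids, then the PE advertises routes to the CE with type-5 LSAs,
and the VRF doing the export then has the domain-tag problem; you have to manually specify the domain-tag in the VRF doing the import.
I am not sure whether my understanding is correct? |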
|
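t*******r Posts: 3271 | 16 It is definitely simpler and cleaner than maintaining vrf-import/vrf-export on the PEs.
And if something goes wrong, it only affects the single CE in question.
If the VRF policy on the PE is written wrong.... heh heh..... |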
|
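m**t Posts: 1292 | 17 Has anyone done this: using a Nexus switch as a DHCP relay? I want the Nexus switch to intercept
DHCP from clients on VLAN A and then relay it through VRF B to a DHCP server in a different IP subnet.
Can this be done? Or how is DHCP relay usually done, especially on Cisco R/S?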
M-plane Router
|
VRF B
|
---VLAN/VRF A----【Nexus switch】
|
|
【U-plane
Router】 |
|
z**r Posts: 17771 | 18 well I overlooked the option C statement in the draft. it does say "labeled
IP routes" from AS to neighboring AS, that means IPv4 and labels are
distributed between the ASBRs.
so the more clear way to describe option A B C should be,
option A: VRF-to-VRF connections at the ASBRs
option B: VPNv4 distribution is done at the ASBRs by directly connected eBGP
option 1: next-hop-self
option 2: redistribute connected
option C: VPNv4 distribution is done at the RRs in each AS, and IPv4+ |
|
z**r Posts: 17771 | 19
then
TE can establish the LSP you want, but you still need MPLS functionality to
switch the labeled packets.
configuring mpls means enable ldp right? if you have full meshed
bi-directional TE tunnels for each VPN, the P routers don't have to have LDP
turned on.
I just checked this in "mpls fundamentals", page 321, and I am posting the
content here:
TE Tunnels Between PE Routers
When two TE tunnels (one for each direction) exist between a pair of PE
routers and the Border Gateway Protocol (BGP) n... |
|
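z**r Posts: 17771 | 20 Yes, that is why VRF and SDR are not on the same level, but VRF is often quite practical too; at least scaling to several
hundred or a thousand is no problem, whereas with SDR that is out of the question |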
|
z**r Posts: 17771 | 21 From topic: EmergingNetworking board - An interview question "You could also have one end of a VLAN in router one vrf green and the other
end in router two vrf fusion/global"
why the heck I cannot get what you are talking about?
of |
|
z**r Posts: 17771 | 22 From topic: EmergingNetworking board - An interview question let's assume the service is private service.
customers want to have full Internet BGP feed, so each VRF will have 350K
FIB entries, in that case how many VRFs can a typical PE provide? 3?
in RFC1918 space. If PE-CE connection is Ethernet, can't we configure VLAN/
sub-interfaces on both sides, one VLAN/subinterface for L3 VPN access and
the other one for Internet |
|
a***n Posts: 262 | 23 Can you ping PE's ip in vrf to another PE's ip in the same vrf?
if using ospf for ldp, make sure to use /32 mask on ldp interface. |
|
l******2 Posts: 18 | 24 address-family ipv4 vrf red
redistribute static metric 1
..
..
ip route vrf red 0/0 x.x.x.x |
|
a***n Posts: 262 | 25 crypto map is old-fashioned, new way in Cisco is Virtual Tunnel Interface.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide
So basically, there are IPSec VPN, SSL VPN, Easy VPN, DMVPN, GET VPN, and
MPLS VPN(L2 or L3) in terms of VPN world.
Almost all of these VPNs could be integrated with VRF to further separate
traffic.
Nowadays, most firewall features are VRF aware too.
router's mind:
is GRE tunnel, so router encap's original packet with IP-GRE header, which
subsequently triggers... |
|
v***1 Posts: 3 | 26 Why does the hub-side PE use two VRFs with the CE, one doing only RT import and the other used only for RT export?
Wouldn't one VRF work? |
|
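s******v Posts: 4495 | 27 I can't see two VRFs in the figure, but for this kind of 2 vrf for 1 biz, the common reason is merger and
acquisition: the IT on both sides is unwilling to touch the existing cfg, so you end up with this kind of looks very two solution. |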
|
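x*********n Posts: 28013 | 28 My understanding is that a VRF is like one big tunnel, regardless of whether the RT and RD are enough to be distinguished from each
other. You have to do it this way anyway.
In the config, can't the RT and RD be both, and the same too? But the VRF stays as it is. |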
|
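z**r Posts: 17771 | 29 Isn't this the figure from one of the case studies in it?
The only purpose of doing this is to build a hub and spoke infrastructure with MPLS VPN. If you don't use two
VRFs, sites 2 and 3 can communicate directly. Set up two VRFs on the hub site (PE1-AS1), one for
import and one for export, and site 2 and site 3 have to communicate through this CE1-A. |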
|
s*****g Posts: 1055 | 30 Is this not a simple MPLS-VPN hub-spoke configuration? or if you are
concerned by VRF configuration scalability, use scalable MPLS-VPN hub-spoke
configuration by using upstream/downstream VRFs? |
|
a***n Posts: 262 | 31 Usually VRF defined on PE, but there is multi-vrf CE. |
|
c*****i Posts: 631 | 32 It seems Nexus cannot relay to a different VRF; if it is just a VLAN, it can. IOS should be able to relay
to a different VRF; take a look at the CCO docs. |
|
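l***y Posts: 791 | 33 It seems to depend on which features are needed on which platform. This VRF-lite seems to address a fairly simple case.
I am also looking into these details. Maybe in the end going with VRF-lite will be better. I'll thank you then! |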
|
l***y Posts: 791 | 34 Got answer:
Limitation of VRF-Lite:
PE <-> CE running VRF-lite
|_____ if this link is traditional WAN then it requires multiple WAN
circuits or Frame-relay encap.
Alt. solutions of Spe/Upe:
multiple ospf area in IGP?
split mpls domains and have option A at split point?
UPE/SPE is kinda cumbersome to implement/roll-out/troubleshoot. Also bonds
us to Junos more.
I am no expert so just taking notes. Zher has comment? All comments welcome!
RR
draft |
|
s*****g Posts: 1055 | 35 VPN label is exchanged by BGP, it is used to de-mux the traffic coming from
the same LSP, usually there is one-to-one mapping between a vpn-label and a
vrf, but you can have BGP to advertise a label per prefix. Not sure what
this "associated next hop" is, I believe it refers to CE router which
advertises the prefixes in (PE's) VRF context. |
|
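x*********n Posts: 28013 | 36 This is a bit like export-map inside a VRF.
vrf export-map means that I filter out some of the vpn4 routes according to RT, and only the eligible ones
go into the CE side in the end.
It looks like export, but it is actually selective into. |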
|
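o***s Posts: 42149 | 37 According to Taiwanese media reports, 42-year-old Hong Kong star Miriam Yeung married Real Ting, five years her junior, in 2009, and they have one son.
In recent years Miriam Yeung has been photographed either taking her son out or shopping in the streets with her husband, very much enjoying family life.
Unexpectedly, when she attended an event on the 4th, she revealed that her husband has lately been on the phone with someone unknown in the middle of the night.
"I don't even know what he is doing; I thought he was keeping a mistress."
In 2013 Miriam Yeung won the Best Actress award at the Hong Kong Film Awards for the film 《春娇与志明》.
According to reports, on the evening of the 4th she appeared at a UNICEF charity event and announced that the sequel 《春娇救志明》 will start shooting as early as next week.
She has already turned down a lot of work for it.
She also revealed that the sequel's script is much harder to act than the earlier ones.
Changing the subject, Miriam Yeung said her husband Real Ting has lately been swamped with work.
She had asked Real Ting to accompany her to that evening's event, but he was too busy with work to get away, and Miriam Yeung said with concern: "I keep telling him not to put himself under so much pressure; I'm just afraid he will lose his hair."
At this point Miriam Yeung did not forget to joke: "Sometimes he is still on the phone in the middle of the night, I don't know what he is doing, I thought he had a mistress," which startled the media present.
But the couple love to bicker whenever they appear in public, so this too was probably just banter between an old married couple!
Many netizens are probably not very familiar with Real Ting. In fact he once took part in the Global Chinese New Talent Singing Contest and debuted with the band VRF, and later founded the PR company RM Workshop and Collaboration Group.
In 2009, Real Ting and Miriam... |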
|
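o***s Posts: 42149 | 38 Anita Mui, the queen of Hong Kong pop who passed away many years ago, once sang in 《似是故人来》: "Whatever was never obtained, whatever is in the past, always seems the best match." These lyrics describe pop king Eason Chan and pop queen Miriam Yeung perfectly. The two met before they were famous and developed feelings for each other; just at the ambiguous stage of more than friends but not yet lovers, Miriam Yeung went abroad to study and their romance came to an abrupt halt. Afterwards Eason Chan and Hilary Tsui entered marriage after a ten-year courtship, while Miriam Yeung, after a winding road in love, married Real Ting, five years her junior.
In 2007, that is, after Eason Chan's wedding, Miriam Yeung started dating Real Ting, who is 5 years younger than her. The public's impression of Real Ting was little more than that he was a playboy, so this 《女尊男卑》 older-woman romance was not viewed favourably. Someone even claimed that Real Ting dumped all the pressure on Miriam Yeung and went off alone to Shanghai to hide for three weeks.
But in the end Real Ting phoned Miriam Yeung and, over the phone, said he was willing to bear all the pressure together with her and willing to try once more. After Real Ting said this, Miriam Yeung on the other end of the line cried her eyes out; this time she knew she had finally found the right person, a man willing to share the pressure with her.
In 2009 the two tied the knot and registered their marriage; in 2010 Miriam Yeung had a grand wedding, holding her head high, and Eason Chan even came to give his blessing.
In 2012 Miriam Yeung became a mother, giving birth to her son Torres.
After 8 years of dating and 7 years of marriage, Miriam Yeung and Real Ting, from initially not being... |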
|
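c******n Posts: 891 | 39 Central air conditioning is simply not suitable for residential buildings. Brainless laymen talking bloody nonsense. First go and figure out what AHU, VAV/CAV,
FCU, RTU and VRF are. |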
|
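c******n Posts: 891 | 40 That is called a multi-zone ductless system. Some small commercial buildings use VRF, which is also a DX system. Central air conditioning has to
supply cold air to rooms through ducts; the cost is high, and if the load varies a lot it is hard to control and inefficient. With FCUs,
chilled water has to be delivered to the rooms, which is also unsuitable for ordinary residential buildings. |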
|
c*******n Posts: 112 | 41 In this case, you need to know how VRF is operated in a network, e.g, BGP,
RT, RD. I guess this is not very easy to describe in an interview. I do not
think this is a good interview question.
Since the question is related to TCP/IP, I assume it is L3VPN, not L2VPN. |
|
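x*********n Posts: 28013 | 42 No need to print... just load the vrf file directly in the software.
What he is talking about is filling in forms; the thing is, nobody fills in forms. |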
|
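x*********n Posts: 28013 | 43 8849 is for your reference.
1099 b, misc, int, div are the ones you report.
TurboTax gets it directly from the broker; you only need to enter the account password. For the unaffiliated ones, download the vrf and load it into TurboTax.
By the way, TurboTax load is only supported in the download version! The online one won't work |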
|
|
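x*********n Posts: 28013 | 45 Download the vrf file. Import.
The whole thing takes 20 seconds.
At the end it will report an error and ask you to fill in a code; just put in W and it's OK |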
|
j********r Posts: 96 | 46 If you are interested, please contact: j**[email protected]
We are in need of a mid-to-senior level Network Engineer interested in
working in a massive, diverse, and global environment. This is a 6 month (
plus extension) W2 contract position that pays $55 + per hour.
Requirements:
- In-depth experience with TCP/IP and packet sniffers
- Experience administering and troubleshooting F5, Cisco, and Citrix load-
balancers
- Experience with Cisco, Juniper, and Foundry routers, and a wide variety of
sw... |
|
s*****g Posts: 1055 | 47 Of course you don't run IGP between two SPs for option C, this is a basic
requirement of any inter-AS, no IGP between ASBRs.
Problem with option B is also obvious, ASBRs have to be VPN aware (you need
to configure vrf/vpn address family under ASBR's bgp in order to exchange
VPN labels with neighbors) and ASBRs have to hold all VPN routes (just
imagine if you have a dozen customers and each customer wants to have whole
Internet routes ..., not many vendors on the market can do over 1M routes
hardw |
|
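z**r Posts: 17771 | 48 Do you have a more specific config? Also, this QoS stuff is very product-dependent; even with different linecards
the differences are large.
When calculating the rate, those related headers sometimes need to be counted and sometimes not, depending on the situation |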
|
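p***a Posts: 28 | 49 I ran into similar problems on V.35, E1, T1 and Ethernet. The header calculation should not be the problem, and the traffic is also
well below the configured priority. I opened a case, and Cisco AS said that sometimes the router miscalculates the queue size.
|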
|