Tag Archives: exam

BCvRP – Brocade Certified virtual Router Professional – Objectives

For training these I set up networks. Many.
Drawing the networks first in LibreOffice Draw and then setting them up with virtual machine templates and LAN segments.

The exam I took in October and because it was a beta exam the results aren’t out until December :)

The BCvRP has the below objectives (included for free are some of my comments on each topic).
None of this should be taken as a replacement for taking the actual course and actually doing these things on a vrouter.
And honestly, the various concepts and technologies described in the objectives below can become very complex. So before taking this course/exam you at a minimum want to know the basics of BGP and setting up an OSPF network should be a breeze.

 

OSPF Multi-Area Concepts

  • Describe OSPF routing concepts
  • Stub area – the ABR replaces external (type 5) routes with a default route
  • NSSA – not so stubby – a stub-like area that may still contain its own ASBR; its external routes are carried as type 7 LSAs and translated to type 5 by the ABR
  • no-summary – totally stubby: the ABR also withholds inter-area (type 3) routes, so only the default route is left
  • LSA – link state advertisements
    • Type 1 (router) – from every OSPF router: lists its directly connected links/subnets, flooded within the area only
    • Type 2 (network) – from the DR: lists the routers attached to a multi-access network, within the area only
    • Type 3 (summary) – from the ABR: lists networks from other areas
    • Type 4 (ASBR summary) – from the ABR, not the ASBR: tells the other areas where the ASBR is
    • Type 5 (AS external) – from the ASBR: networks outside the OSPF AS. Type 7 is the NSSA equivalent.
  • Summarization: plan for contiguous addresses in an area; then the ABR can summarize them into one type 3 LSA with an area range.
    • Do not summarize routes originating in Area 0.
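The area types and the ABR summarization from the notes above, written out as an added example in Vyatta 6.x configuration syntax (this is not configuration from the original post or from the Brocade course). The topology is assumed: R1 is the ABR with eth0 in area 0, eth1 in stub area 1 and eth2 in NSSA area 2, and R2 is an internal router in area 1; all addresses and router IDs are made up. Check the exact keywords with tab completion on your release.

```vyatta
# R1 - ABR (assumed addresses)
set interfaces loopback lo address 10.255.0.1/32
set interfaces ethernet eth0 address 10.0.0.1/24      # area 0 (backbone)
set interfaces ethernet eth1 address 10.10.1.1/24     # area 1 (stub)
set interfaces ethernet eth2 address 10.20.1.1/24     # area 2 (NSSA)
set protocols ospf parameters router-id 10.255.0.1
set protocols ospf area 0 network 10.0.0.0/24
set protocols ospf area 1 network 10.10.0.0/16
# totally stubby: area 1 gets neither type 5 nor type 3 LSAs, only a default route from this ABR
set protocols ospf area 1 area-type stub no-summary
# summarize the area 1 subnets into one type 3 LSA towards the other areas
set protocols ospf area 1 range 10.10.0.0/16
set protocols ospf area 2 network 10.20.0.0/16
# NSSA: area 2 may contain its own ASBR; its type 7 LSAs are translated to type 5 by this ABR
set protocols ospf area 2 area-type nssa
commit
save

# R2 - internal router in area 1; the stub flag must match on every router in the area,
# otherwise the adjacency never forms (the hello packets carry the area options)
set interfaces loopback lo address 10.255.0.2/32
set interfaces ethernet eth0 address 10.10.1.2/24
set interfaces ethernet eth1 address 10.10.2.1/24
set protocols ospf parameters router-id 10.255.0.2
set protocols ospf area 1 network 10.10.0.0/16
set protocols ospf area 1 area-type stub
commit
save

# Checks (operational mode): neighbours should be FULL, R2 should have only a default
# route learned via OSPF, and R1's database should show the area 2 type 7 LSAs
show ip ospf neighbor
show ip ospf database
show ip route ospf
```

If R2 ends up with the full routing table instead of a default route, the range or the stub flag is on the wrong router: area-type is set on every router in the area, range and no-summary only take effect on the ABR.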

BGP, EBGP and IBGP Concepts

  • Describe gateway protocol concepts
  • BGP Basics
    • Purpose is to determine the best path according to policy (not necessarily the shortest)
    • Runs over a TCP connection; incremental updates and keepalives, no periodic full updates.
    • iBGP – within an AS / eBGP – between ASes
    • Attributes (local preference, AS path, MED, communities, ...) carry the policy; they are what path selection and route-maps act on, not a link cost
    • eBGP – peers are normally directly connected (BGP packets to eBGP peers are sent with TTL 1 by default)
    • TCP port 179
    • A unique AS number is needed; private AS numbers exist (64512–65534, plus the 32-bit range 4200000000–4294967294) and must be stripped before a path reaches the public Internet.

eBGP

set protocols bgp <AS> parameters router-id <IP>
set protocols bgp <AS> neighbor <ip-address> remote-as <as-number>
set protocols bgp <AS> network <address/mask>

The network statement only announces the prefix if an exact match is in the router's routing table: for an aggregate that has no such route, create a static blackhole route for it on the router.

iBGP = the peer (the neighbor) is configured with the same AS number as our own.

iBGP requires a full mesh, because an iBGP router does not forward routes learned from one iBGP peer to another iBGP peer (the AS path is not changed inside an AS, so this rule is what prevents loops).
Use next-hop-self (spelled nexthop-self in the Vyatta CLI) so that the border router rewrites the next-hop of eBGP-learned routes to its own address whenever it propagates them to iBGP peers; otherwise the internal routers need a route to the external peer's address.
update-source – the address the session is sourced from, normally the loopback; the remote side's neighbor statement must point at exactly this address. It is usually the same address as the router-id, but that is a convention, not a requirement.

iBGP required settings: local AS number, neighbor address and update-source.

BGP does not automatically re-advertise routes after an administrator's policy changes.
Changes to the policy towards eBGP peers do not come into effect until you run a reset:
reset ip bgp external out
The BGP table can be large (gigabytes for a full table), so a hard reset of the session is expensive.
Add the word soft to only request (in) or re-send (out) updates without tearing down the peer connection; a soft reset inbound needs the peer to support route refresh or soft-reconfiguration inbound to be configured.

reset ip bgp external soft out
reset ip bgp <ipv4-address> soft in

 

Tuning attributes and priority

  1. Local preference – only carried within an AS (not sent to eBGP peers). Default is 100. Higher is better.
  2. AS path – always forwarded – shorter is better
  3. Origin – lowest is better: IGP (i) < EGP (e) < incomplete (?)
  4. Multi-exit discriminator (MED) – lowest is better; set by the neighbouring AS to say which of its entry points it prefers, and only compared between paths from the same AS
  5. eBGP-learned preferred over iBGP-learned
  6. Lowest peer router ID as the final tie-breaker (after the IGP metric to the next-hop and the age of the path)
  7. Community – not a selection step but a tag: a group of prefixes with a common property. Can be matched in filters and route-maps to set the attributes above.

 

Prepending: insert your own AS number one or more extra times at the beginning of the AS path, making the path longer and therefore less attractive to others.
Community lists are created with: set policy community-list <name> rule <n> regex <community>

BGP troubleshooting

A peer in the Active state – not good. The router is actively trying to set up the TCP session but never completes it: wrong neighbor address or AS number, no route to the peer, or port 179 filtered somewhere in between.

 

iBGP design

  • Peers do not have to be directly connected (unlike the usual eBGP setup).
    • Reachability between the peers is provided by the IGP (OSPF in this course)
  • Peer to loopback addresses, so the session survives the loss of a single link
  • Full mesh is required
    • Doesn't scale (n*(n-1)/2 sessions). You can use a route reflector ("concentrator") and have the other iBGP routers as its clients; the reflector re-advertises routes between them.
    • route reflectors must still be fully meshed with each other
    • You can also split your AS into several private sub-ASes. Reduces the members in each mesh. Called a confederation.
      • The public AS number (the confederation identifier) is what external peers see and is only visible in the config
      • The private sub-AS numbers are visible in the show ip bgp output

 

Create a peer group, set BGP settings on the peer group. Then assign peers to the group.
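The eBGP and iBGP settings from the sections above (the blackhole route behind the network statement, update-source, next-hop-self, peering to loopbacks, a route reflector and a peer group), put together as one added example in Vyatta 6.x syntax. This is not configuration from the original post; the AS numbers, addresses and the peer-group name are assumed, and the keyword spelling (nexthop-self, route-reflector-client) should be checked with tab completion on your release.

```vyatta
# R1 (AS 65001) - border router. eBGP to upstream AS 65002 on a directly connected /30,
# iBGP to R2 and R3 via loopbacks, and R1 acts as route reflector for them.
# All AS numbers and addresses are assumed.
set interfaces loopback lo address 10.255.0.1/32
set interfaces ethernet eth0 address 192.0.2.1/30          # link to the upstream
set protocols bgp 65001 parameters router-id 10.255.0.1

# eBGP peer: directly connected, so no update-source is needed
set protocols bgp 65001 neighbor 192.0.2.2 remote-as 65002

# The prefix we announce: "network" needs an exact match in the RIB, so pin the
# aggregate with a blackhole route (the high distance lets any real route win)
set protocols static route 203.0.113.0/24 blackhole distance 254
set protocols bgp 65001 network 203.0.113.0/24

# iBGP: common settings on a peer-group, then assign the peers to it.
# update-source is our loopback, which the peers must use in their neighbor statement;
# nexthop-self makes R2/R3 forward to 10.255.0.1 instead of the unknown 192.0.2.2.
set protocols bgp 65001 peer-group IBGP remote-as 65001
set protocols bgp 65001 peer-group IBGP update-source 10.255.0.1
set protocols bgp 65001 peer-group IBGP nexthop-self
set protocols bgp 65001 peer-group IBGP route-reflector-client
set protocols bgp 65001 neighbor 10.255.0.2 peer-group IBGP
set protocols bgp 65001 neighbor 10.255.0.3 peer-group IBGP
commit
save

# R2 (and R3 alike): plain client that peers with R1's loopback.
# R1's loopback must be reachable through the IGP (OSPF), or the session stays in Active.
set interfaces loopback lo address 10.255.0.2/32
set protocols bgp 65001 parameters router-id 10.255.0.2
set protocols bgp 65001 neighbor 10.255.0.1 remote-as 65001
set protocols bgp 65001 neighbor 10.255.0.1 update-source 10.255.0.2
commit
save

# Checks (operational mode). A peer stuck in Active/Connect never completed the TCP
# handshake: wrong address or AS, no route to the loopback, or port 179 filtered.
show ip bgp summary
show ip bgp neighbors 10.255.0.2
# after changing outbound policy towards the upstream: re-send updates without dropping the session
reset ip bgp 192.0.2.2 soft out
```

Because R2 and R3 are both clients of R1, they do not need a session with each other; without the route-reflector-client line R1 would accept their routes but not pass them between the two.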

Route Redistribution

  • Describe route redistribution design and configuration
  • Best practices:
    • Set metrics explicitly when redistributing
    • Do not redistribute an IGP into BGP (or BGP into the IGP)
    • Use network statements to announce prefixes in BGP instead
    • Use statements (for example a default route originated by the IGP) to direct traffic towards the BGP exit points
    • Only redistribute a network from one router (VRRP)
  • OSPF: set the metric-type – type 1 external adds the internal path cost to the redistributed metric, type 2 (the default) keeps the redistributed metric unchanged
  • Only active routes (routes that are actually in the routing table) are redistributed
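How controlled redistribution looks on a Vyatta 6.x edge router, as an added example (not from the original post): a prefix-list and route-map decide what goes into OSPF, the metric and metric-type are set explicitly, and the area is pointed at this BGP exit with an originated default route instead of redistributing BGP. The prefixes, next-hops and names are assumed.

```vyatta
# Edge router: redistribute only the statics a prefix-list permits, as type 1 externals
set policy prefix-list STATIC_TO_OSPF rule 10 action permit
set policy prefix-list STATIC_TO_OSPF rule 10 prefix 10.50.0.0/16
set policy prefix-list STATIC_TO_OSPF rule 10 le 24
set policy route-map STATIC_TO_OSPF rule 10 action permit
set policy route-map STATIC_TO_OSPF rule 10 match ip address prefix-list STATIC_TO_OSPF
# implicit deny: anything the prefix-list does not match is not redistributed

# only becomes active (and thus redistributed) if 10.99.0.2 is reachable via a connected interface
set protocols static route 10.50.1.0/24 next-hop 10.99.0.2
set protocols static route 10.50.2.0/24 next-hop 10.99.0.2

# explicit metric; type 1 so routers closer to this ASBR prefer it over a second ASBR further away
set protocols ospf redistribute static metric 20
set protocols ospf redistribute static metric-type 1
set protocols ospf redistribute static route-map STATIC_TO_OSPF

# Direct the area towards this BGP exit point: originate a default into OSPF (without
# "always" it is only advertised while a default route exists in this router's RIB)
set protocols ospf default-information originate metric 10
set protocols ospf default-information originate metric-type 1
commit
save

# Checks: a static whose next-hop is unresolvable is absent from show ip route and
# therefore never appears in the external LSA database
show ip route
show ip ospf database external
```

The route-map is what keeps a later "set protocols static route 0.0.0.0/0 ..." or a typo'd /8 from leaking into the whole OSPF domain; the metric-type choice is a design decision, not a tuning afterthought, because type 2 routes ignore the internal cost entirely.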

IPsec VPNs

  • Identify IKE Phase 1 and Phase 2 operations
  • Describe how to configure and troubleshoot an IPsec VPN

OpenVPN Concepts

  • Identify the features of OpenVPN
  • Describe OpenVPN configuration

VRRP Concepts

  • Describe VRRP concepts and operations

Optimization

  • Describe the attributes of WAN load balancing
  • Describe QoS features and configuration

Policy-Based Routing

  • Explain where policy-based routing falls in Brocade Vyatta packet flow
  • Configure and verify policy-based routing
  • Default: a route that matches no rule is dropped (implicit deny at the end). Processing stops at the first rule that matches.
  • Rule -> match on a filter list -> route-map action (a deny rule drops the route and no further rules are tried) -> take the action as defined
  • Filter list: prefix 172.16.0.0/16, le 24. Matches 172.16.0.0/16 itself and any subnet of it with a mask between /17 and /24; ge sets the lower bound the same way.
  • Regexp for matching AS-path lists – use underscore to match the delimiters (start, end and the spaces between AS numbers), so _65010_ matches AS 65010 anywhere in the path without also matching 165010.
  • The filter lists (prefix-list, as-path-list, community-list) hold the match entries.
    • permit/deny in a filter list decides whether an entry counts as a match, not what happens to the route.
  • Route-maps hold the rules: each rule matches on filter lists and applies its action and set statements.
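The attribute tuning from the "Tuning attributes and priority" section (local preference, prepending, communities) and the filter lists and route-maps described here, combined into one added example of inbound and outbound policy towards an upstream on Vyatta 6.x. This is not configuration from the original post; the AS numbers, prefixes and list names are assumed, and the page's own 172.16.0.0/16 le 24 entry is used as the inbound filter.

```vyatta
# R1 (AS 65001), policy towards the upstream 192.0.2.2 (AS 65002). Names and numbers assumed.

# Inbound filter list: 172.16.0.0/16 and its subnets down to /24 (a /25 or longer does not match)
set policy prefix-list FROM_UPSTREAM rule 10 action permit
set policy prefix-list FROM_UPSTREAM rule 10 prefix 172.16.0.0/16
set policy prefix-list FROM_UPSTREAM rule 10 le 24

# AS-path list: paths that passed through AS 65010 anywhere; underscores match the delimiters
set policy as-path-list VIA_65010 rule 10 action permit
set policy as-path-list VIA_65010 rule 10 regex '_65010_'

# Inbound route-map: first matching rule wins, anything unmatched is dropped (implicit deny)
set policy route-map FROM_UPSTREAM rule 10 action permit
set policy route-map FROM_UPSTREAM rule 10 match ip address prefix-list FROM_UPSTREAM
set policy route-map FROM_UPSTREAM rule 10 match as-path VIA_65010
set policy route-map FROM_UPSTREAM rule 10 set local-preference 50       # de-prefer paths via 65010
set policy route-map FROM_UPSTREAM rule 20 action permit
set policy route-map FROM_UPSTREAM rule 20 match ip address prefix-list FROM_UPSTREAM
set policy route-map FROM_UPSTREAM rule 20 set local-preference 200
set policy route-map FROM_UPSTREAM rule 20 set community '65001:100'     # tag: learned from upstream

# Outbound: announce only our own prefix, prepended twice so this path looks longer;
# the implicit deny stops us from becoming transit for anything we learned elsewhere
set policy prefix-list OURS rule 10 action permit
set policy prefix-list OURS rule 10 prefix 203.0.113.0/24
set policy route-map TO_UPSTREAM rule 10 action permit
set policy route-map TO_UPSTREAM rule 10 match ip address prefix-list OURS
set policy route-map TO_UPSTREAM rule 10 set as-path-prepend '65001 65001'

# Apply to the neighbor, then refresh in both directions without a hard reset
set protocols bgp 65001 neighbor 192.0.2.2 route-map import FROM_UPSTREAM
set protocols bgp 65001 neighbor 192.0.2.2 route-map export TO_UPSTREAM
commit
save
reset ip bgp 192.0.2.2 soft in
reset ip bgp 192.0.2.2 soft out

# Checks: paths via 65010 carry local-pref 50, the rest are tagged, and only 203.0.113.0/24 leaves
show ip bgp regexp _65010_
show ip bgp community 65001:100
show ip bgp neighbors 192.0.2.2 advertised-routes
```

Rule order matters: rule 10 has the extra as-path match and must come before the catch-all rule 20, otherwise every route stops at rule 20 and the local-preference 50 is never applied.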

Multicast Routing

  • Describe multicast protocols/elements
  • Configure and troubleshoot multicast routing

BCvRE – Brocade Certified virtual Router Engineer – Objectives

This post will be continuously updated with my short notes under each concept.
It’s not meant to be a replacement of the official training materials.
I’m just starting out playing with the vRouter Core / open source version; installing it in a VM and setting up some networks and firewalls is probably one of the best ways to learn this.
Learn by doing!

The Brocade Certified vRouter Engineer 2013 exam has these objectives:

 

Brocade Vyatta vRouter System Operations

  • Describe show command system usage
    • show – in operational mode shows the status of components
    • show – in configuration mode shows the configuration
    • run show – in configuration mode runs an operational show command
  • Identify key CLI operations
    • set/delete
    • copy (configs)
    • renew (renew dhcp interface <if> – request a new DHCP lease)
    • install system (to disk)
  • Describe the commit and save processes (commit applies the working configuration to the running system; save writes it to config.boot so it survives a reboot)

Ethernet Concepts

  • Identify Ethernet operations
  • Identify VLAN operations and settings
    • set interfaces ethernet eth0 vif <vlanid> # this creates eth0.<vlanid>, a sub-interface that looks and is configured like a normal ethernet interface.
    • set interfaces pseudo-ethernet <pethN> link <ethN> # these can be used if you want a second MAC address on a physical port. Some features are not allowed for these peth devices though (VLAN, bonding).
  • Identify bonded interface operations
    • Two NICs on the same network
    • set interfaces bonding bond0 (address, mode)
    • set interfaces ethernet <ethN> bond-group bond0
  • Demonstrate knowledge of configuration and operation using show commands
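The VLAN and bonding commands from the list above as one added, complete example (not from the original post): two physical ports bonded, an untagged and a tagged network on the bond, and a VLAN sub-interface on a third port. Addresses, VLAN IDs and port numbers are assumed.

```vyatta
# A port that is to join a bond must not carry an address of its own; delete it first if it does
set interfaces ethernet eth1 bond-group bond0
set interfaces ethernet eth2 bond-group bond0
# 802.3ad needs LACP configured on the switch side; on a hypervisor vSwitch use active-backup instead
set interfaces bonding bond0 mode 802.3ad
set interfaces bonding bond0 address 10.1.1.1/24
set interfaces bonding bond0 vif 20 address 10.1.20.1/24       # VLAN 20, tagged on both members
set interfaces ethernet eth0 vif 10 address 10.1.10.1/24       # VLAN 10 on a single port: eth0.10
commit
save

# Checks: member state and which link is active, then the sub-interface and its counters
show interfaces bonding bond0
show interfaces ethernet eth0 vif 10
show interfaces
```

If the switch side is not tagging VLAN 20 on both bonded ports, bond0.20 comes up but stays silent, which is the classic "interface is up, nothing arrives" symptom the show commands above make visible through zero RX counters.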

TCP/IP

  • Demonstrate knowledge of the relationship between Layer 2, IP and TCP/IP
  • Identify TCP and UDP differences
  • Identify address subnets

DHCP and DNS Troubleshooting

http://www.guldmyr.com/blog/?p=2022 I’m going through how to set it up.

  • Describe troubleshooting of DHCP operations
    • show dhcp server leases
    • show log dhcp
  • Describe troubleshooting of DNS forwarding
    • monitor dns forwarding # I could not get anything into the log
    • show dns forwarding # shows the cache size, for example

Routing

http://www.guldmyr.com/blog/?p=2022 went through how to set up static routes

  • Identify uses for routing
  • Identify show commands for use with routing
  • Identify configuration of different types of static routes

Firewalls

  • Describe firewall operations and troubleshooting using show commands
  • Describe firewall rulebase operations
    • set firewall name <name> default-action <accept|drop|reject>
    • set firewall name <name> rule 1 destination/source (address, port)
    • set firewall name <name> rule 1 action <action>
    • set interfaces bonding bond0 firewall in/local/out name <name>
      • in – packets arriving on the interface and being forwarded through the router
      • out – packets leaving the router through the interface
      • local – packets addressed to the router itself, arriving on the interface

NAT

  • Describe NAT concepts

Upgrades

  • Describe the Brocade Vyatta upgrade process
    • 1. Install 6.5R1 to disk (install system).
    • 2. add system image <URL of the new ISO>
    • 3. reboot (the new image becomes the default boot image; show system image lists the installed ones)
    • It is also possible to copy the config elsewhere and reinstall

Logging and Packet Captures

  • Identify logging options for firewall and NAT operations
    • set firewall name <name> rule <num> log enable # only the matches of that rule are logged
    • commit; exit
    • monitor firewall .. # and watch the matches to the rule live
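The firewall rulebase from the Firewalls section and the per-rule logging from this section, combined into one added example (not from the original post) of a WAN-facing interface on Vyatta 6.x: one ruleset for forwarded traffic and one for traffic to the router itself, both default-drop, with logging on the rules that matter. The addresses (192.168.0.0/24 as the management network, 10.1.1.10 as an internal web server) and the ruleset names are assumed.

```vyatta
# Forwarded traffic arriving on eth0 (direction "in"): only replies and HTTPS to the web server
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 protocol tcp
set firewall name WAN_IN rule 20 destination address 10.1.1.10
set firewall name WAN_IN rule 20 destination port 443
set firewall name WAN_IN rule 20 log enable                 # log the matches of this rule only

# Traffic to the router itself arriving on eth0 (direction "local"): SSH from management only
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 protocol tcp
set firewall name WAN_LOCAL rule 20 source address 192.168.0.0/24
set firewall name WAN_LOCAL rule 20 destination port 22
set firewall name WAN_LOCAL rule 20 log enable

# A ruleset does nothing until it is attached to an interface and a direction
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
commit
save

# Checks: per-rule packet/byte counters, live matches, and the logged history
show firewall name WAN_IN statistics
monitor firewall name WAN_LOCAL rule 20
show log firewall name WAN_LOCAL
```

Commit WAN_LOCAL from the console, or make sure rule 20 covers the address you are connected from: with default-action drop every other SSH session to eth0 dies at commit. The rules are evaluated in numeric order, so the established/related rule is deliberately the lowest number; putting it after a logged rule would log every reply packet as well.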
  • Identify methods to verify operations and troubleshooting

OSPF Single-Area

http://www.guldmyr.com/blog/?p=2022 set up an area 0 OSPF

  • Describe OSPF show command output
  • Describe how to configure OSPF

BCvRE – Brocade Certified virtual Router Engineer

Been checking out the Vyatta vRouter a bit closer. Mostly because of the BCvRE exam but I’m slowly starting to think there might be some benefits to using it elsewhere too.

  1. See vyatta-a-routervpnfirewall-in-a-vm-brocade-certified-vrouter-engineer/ for where to find manuals or training materials.
  2. See the objectives.

I tried installing Vyatta vRouter 6.6 amd64 Live ISO to disk first in a Virtualbox VDI file and then uploading said file to openstack. This works, but:

Ethernet interfaces might get renamed, but a startup, log in and save, power off and another boot should get the first interface back to eth0.

In the openstack available to me I could set up my own networking topology like this:

  • Create one network (VLAN) and define several subnets inside (these are still kind of firewalled based on IP and MACs).
  • Then create machines and add the network.
  • Power off and start the machines again (or the links stay DOWN).

VMs should see an individual eth interface per subnet.
The machines still get an IP assigned to each interface/subnet even if DHCP is disabled. If DHCP is disabled you still have to statically assign this assigned address (and only that one) on the interface.
The interfaces are in order: the IP listed at the top is the IP you need to put on the first interface (eth0).

Because a lot of the things you can do with a router involve creating networks and assigning IP addresses, which OpenStack would block for security reasons, it was much easier to do all of these in VMware Workstation:

DHCP/DNS

  1. Install a Vyatta VM – one bridged interface and one on a private network (without a DHCP server).
  2. Install another OS in a VM – this will be a client – only on the private network.
  3. Put both VMs in the same private network.
  4. Give the inside interface of the Vyatta VM a static address instead of the DHCP one:
configure
delete interfaces ethernet eth1 address dhcp 
set interfaces ethernet eth1 address 10.1.1.1/24
commit

Configure dhcpd on the Vyatta VM:

configure
set service dhcp-server shared-network-name ETH1_POOL subnet 10.1.1.0/24 ??? # pool (start/stop), dns-server, default-router

Then set up the Vyatta VM to route traffic from the private network to the Internet with NAT. In the Vyatta CLI this is a source NAT (the source address is translated on the way out).

set nat source rule 10 ??? # Put in the settings you need. Source, outbound interface and the IP they should be seen as from the outside.

It’s really easy to set up a DNS forwarding server too:

set service dns forwarding listen-on eth1 
set service dns forwarding name-server 8.8.8.8
commit

Now we have a client behind the Vyatta gateway that can access the Internet!

It’s possible to set up different kinds of VPNs. For example site-to-site or remote access.

It is possible to ssh from the Vyatta VM – you can even run ssh-keygen. How to add an authorized key, you wonder?:

set system login user vyatta authentication ...
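The whole lab gateway from the DHCP/DNS steps above, together with the SSH key setup just mentioned, as one complete added example in Vyatta 6.x syntax (this is not configuration from the original post). eth0 is the outside (bridged) interface and eth1 the private 10.1.1.0/24 from the steps; the pool range, lease time, key name and the key value itself are assumed placeholders.

```vyatta
configure
delete interfaces ethernet eth1 address dhcp
set interfaces ethernet eth1 address 10.1.1.1/24

# DHCP server for the private network: pool, default gateway and DNS (the router itself)
set service dhcp-server shared-network-name ETH1_POOL subnet 10.1.1.0/24 start 10.1.1.100 stop 10.1.1.200
set service dhcp-server shared-network-name ETH1_POOL subnet 10.1.1.0/24 default-router 10.1.1.1
set service dhcp-server shared-network-name ETH1_POOL subnet 10.1.1.0/24 dns-server 10.1.1.1
set service dhcp-server shared-network-name ETH1_POOL subnet 10.1.1.0/24 lease 86400

# Source NAT: clients leave eth0 with its address (masquerade = whatever eth0 currently has)
set nat source rule 10 source address 10.1.1.0/24
set nat source rule 10 outbound-interface eth0
set nat source rule 10 translation address masquerade

# DNS forwarder, listening only on the inside so it is not an open resolver towards eth0
set service dns forwarding listen-on eth1
set service dns forwarding name-server 8.8.8.8
set service dns forwarding cache-size 1000

# SSH with key authentication for the vyatta user; the key value is a placeholder,
# paste the base64 part (second field) of your id_rsa.pub in its place
set service ssh port 22
set system login user vyatta authentication public-keys admin@laptop type ssh-rsa
set system login user vyatta authentication public-keys admin@laptop key 'AAAA...base64-key...'
commit
save
exit

# Checks from operational mode: leases handed out, active NAT sessions, forwarder activity
show dhcp server leases
show nat source translations
show dns forwarding statistics
```

Once the client gets a lease, the three things that commonly break are visible separately: no lease means the DHCP server or the VM network, a lease but no Internet means the NAT rule or the outbound interface, and Internet by IP but no names means the forwarder's listen-on or name-server lines.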

Routing

Another thing to test: launch a bunch of Vyatta VMs and use them to route IP traffic, woop woop! The BCvRE objectives actually mention OSPF so this would be wise to test.

Starting with static routing

Key: Network Name (IP subnet, interface on the host)

  • VM hostname – Interface inside the VM: IP address

Topology:

Public (192.168.0.0/24, bridged):

  • Vyatta – eth0: 192.168.0.23

Network A (10.1.1.0/24, vmnet2):

  • Vyatta – eth1: 10.1.1.1
  • V1 – eth0: 10.1.1.10
  • V2 – eth1: 10.1.1.20

Network B (10.2.2.0/24, vmnet3):

  • V2 – eth2: 10.2.2.20
  • V3 – eth0: 10.2.2.30

Static routing:

Vyatta: set protocols static route 10.2.2.0/24 next-hop 10.1.1.20
V1: set protocols static route 10.2.2.0/24 next-hop 10.1.1.20
V3: set protocols static route 10.1.1.0/24 next-hop 10.2.2.20
(commit on each of them)
V3: ping 10.1.1.10

OSPF!

Adding host V4, which is in Network B and Network C.
Basically Vyatta, V2 and V4 are routers.
V1 and V3 do not run OSPF; they have their default gateway set to one of their local routers.
So V3 uses 10.2.2.20 and V1 uses 10.1.1.1.

Public (192.168.0.0/24, bridged):

  • Vyatta – eth0: 192.168.0.23

Network A (10.1.1.0/24, vmnet2):

  • Vyatta – eth1: 10.1.1.1
  • V1 – eth0: 10.1.1.10
  • V2 – eth1: 10.1.1.20

Network B: (10.2.2.0/24, vmnet3)

  • V2 – eth2: 10.2.2.20
  • V3 – eth0: 10.2.2.30
  • V4 – eth0: 10.2.2.40

Network C: (10.3.3.0/24, vmnet4)

  • V4 – eth1: 10.3.3.40

Remove all static routes we did previously on Vyatta and V[1-2,4]:

delete protocols static route
commit
save
show proto

Set up OSPF – on each router, define the networks that router shares with another router:

ALL routers: set interfaces loopback lo address <unique-ip>/32 # OSPF picks its router-id from it, or set protocols ospf parameters router-id explicitly
ALL routers: set protocols ospf redistribute connected
V4: set protocols ospf area 0 network 10.2.2.0/24
V2: set protocols ospf area 0 network 10.2.2.0/24
V2: set protocols ospf area 0 network 10.1.1.0/24
Vyatta: set protocols ospf area 0 network 10.1.1.0/24
V3: set system gateway-address 10.2.2.20
V1: set system gateway-address 10.1.1.1

Test:

V4: ping 192.168.0.23
V4: show ip ospf route

Debug:

V2: monitor protocol ospf enable lsa
V4: reboot # and wait
V2: show log|less

Vyatta: a router/vpn/firewall in a VM

Brocade has a beta exam up for BCvRE – Certified vRouter Engineer – which is on the Vyatta software from the company of the same name that Brocade bought last year.

There is the free open source core. Download from here: http://vyatta.org/downloads (no, you don’t have to register). The evaluation/subscriber version has the API and web GUI available; I’ll probably check those out closer to the exam date.

I grabbed VC6.6 – Virtualization ISO. Use it in a VM and assign a 5GB disk (the install only requires 1GB, or you could just run it from the ISO, but then it doesn’t keep state between reboots) and 1GB RAM. Two NICs: one NAT and one private. But to get more acquainted with it you’ll likely have to do a bit more configuration on the hypervisor side, such as turning off dhcpd in your virtual networks.

To install it to disk: hit “install system” at the CLI after it’s booted.

More documentation: http://docs.vyatta.com/current/wwhelp/wwhimpl/js/html/wwhelp.htm – there are descriptions how to get for example ssh management working ( set service ssh ).

The server is basically Debian with a more recent kernel (6.6 has 3.3) and a shell that makes it more switch-like. It actually uses bash completion to look like this; check out /etc/bash_completion.d/vyatta-*

To remove a setting use “delete” (comparable to “no” in other CLIs). There is a web interface, but only for subscribers. The Core version allows SNMP though, if you want to use that :)

What to do with vyatta? A bunch of tutorials are here: http://www.vyatta.org/documentation/tips-tricks

  • NAT
  • VPN (for example connect private cloud <-> Amazon VPN)
  • Firewall
  • Routing (OSPF, BGP, etc)

But no SDN stuff (separating the data and the control plane). It looks like it’s not possible to modify the flow table of a switch via Vyatta. This looks like a software router/VPN/firewall with some extras added to it.

BCFP – How to prepare for the exam

Until now I’ve just been reading the material; when something is unclear in the material I’ve looked it up in command reference guides, release notes, user guides or otherwise on the Intertubes.

This doesn’t really prepare you for the format the exam is in. I mean the exam is in questions and the answers are multiple-choice ones. Unless you actively do it while reading, this doesn’t put your brain in answer-questions-mode(tm).

What I’ve done is make flash cards with the question on one side and the answer on the other side. You can put whatever you want of course, but for example ‘ what is the command to enable fcr ‘ or if you want something more theoretical how about ‘ what are the advantages with fcip compared to dark fibre extension’ ? Or the negatives? I have no idea what the questions were when I did the BCFA (I was just so happy I passed) but I hope this will prepare me somewhat for what might come.

BCFP – Brocade Certified Fabric Professional 16G Beta Exam

More studying. Only a month and a half to go.

Currently repeating/re-reading BCFA stuff and mostly focusing on the new stuff. I expect to do this the whole week but gradually weave in more BCFP stuff.

An idea – I don’t think I need to rehearse the BCFA that much. The objectives between the two exams are very different and there’s no overlap as far as I can tell. Focusing more on the BCFP now, but it was nice anyway to do a short repeat of the BCFA stuff, get back in the game.

The Material

I’ve been going through what’s recommended (the material) and these are the useful pages:
Please note that the second item in each list is the actual page number in the document.
I also took the liberty of adding pages before/after in case they added context to the page. It’s not like I’m going to try to remember the pages by heart. And quite often the pages referenced by Brocade were just one page in the middle of a chapter.

For example page 63 in FOS Admin Guide 7 is either about setting ipaddr or routing/FC NAT. I think it’s the FC NAT. Page 77 is either for addressing/WWN based PID assignment or lossless DLS. Page 80 is port numbering schemes for various blades or Forward Error Correction. 99 is verifying syslog/audit log or introduction to RADIUS/LDAP. 117-118 is lossless DLS or overview of IP protocols.
Page 3 in the troubleshooting guide is to the document history or one of the pages with list of common symptoms. Also Page 1 in FCIP Admin Guide is probably not the one they meant :)

There’s some really weird ones in the admin guide. For example page 582 does not exist in FOS admin or 132 is empty in FCIP Admin guide , in both real page counters and the numbers on the pages in the book.

Also some starting/ending points/pages are a little strange, why cut it off there and not the whole chapter/section?

From the Brocade Certified group on Facebook I saw that these page numbers were used when writing questions for the exam. Guess this explains why some of the pages are odd; maybe they were written down at a previous version of the document or they just don’t want to document everything :) In the same group they claim that the page they used is the one printed on the actual page, not the one in for example Adobe Reader. This means the numbers under Real are the ones pointing to the right pages.

Anyway, with the details from http://community.brocade.com/docs/DOC-2041 here we go:

Updated the numbers on FOS Admin guide (2011-08-18)

  • Fabric OS Administrators Guide v7.0 (53-1002148-02)
    • Pages 63,77,80,99,100,117,118,128,133,137,200,272-281,287-302,372,382,395,404-412,413,418,422-433,435-438,447-481,582
    • Real Pages: 102-103, 120, 139, 168, 173-174, 177, 240, (271-303), 311-343, 410, 412, 422, 435, 444-453, 458-478, 487-521
  • Fabric OS Command Reference Guide v7.0 (53-1002147-01)
    • Pages 239,244-246,283-290,380-383,609,610,637,653,661-663,701-710,714-717,824,885,930,953-956,1028,1029,1083
    • Real Pages: 273, 278-280, 316-324, 643, 644, 671, 687, 695-697, 735-744, 748-751, 857-858, 918-920, 964, 987-990, 1061-1063
  • Fabric OS Troubleshooting Guide v7.0 (51-1002150-02)
    • Pages 3,22,31,38,92
    • Real Pages: 23, 43-44, 51-52, 112
  • Brocade 1860 Datasheet (GA-DS-1566-00)
  • Brocade SAN Health Family Data Sheet (GA-DS-870-03)
  • Fabric OS v7.0 Release Notes
    • Pages 11,12
    • Real Pages: 11, 12
  • Brocade Network Advisor SAN User Manual 11.1.x (53-1002167-01)
    • Pages xxxviii,xxxix,47-52,148,202,230-233,647,648,782,911
    • Real Pages: 38-39, 91-96, 192, 246, 274-277, 691-692, 826, 955
  • Brocade Network Advisor Installation Guide 11.1.x (53-1002320-01)
    • Page 9
    • Real Page: 9
  • Fabric OS FCIP Administrator’s Guide (53-1002155-01)
    • Pages 1,6,29-37,54,111-113,132
    • Real Pages: 15, 20-21, 43-52, 68, 125-127
  • Access Gateway Administrator’s Guide (53-1002156-01)
    • Pages 11,22,52,53,67-69
    • Real Pages: 31, 42, 72-73, 87-89
  • Brocade Adapters Administrator’s Guide (53-1001923-01)
    • Page 35
    • Real Page: 57
  • Pre-release CFP 300 Course (unedited material)
    • Modules 2-8

BCFA – Brocade Certified Fabric Administrator 16G Beta

I am currently going for the BCFP – fabric professional – exam, but I did the BCFA 6 months ago so I’ll re-read the material and of course there’s the new stuff with FOS 7, new hardware, 16g, new ASIC that I should probably learn as well.

Some new stuff

‘fabric name’ is a new feature. But this is also more usable in VF – which is not part of BCFA. Firmware upgrades are the same (phew).
DCFM is now called Network Advisor and it also has IP/routing and MPLS functionality now.
Of course the 16G blades (with the first 8 ports capable of handling 10 Gbps FC) and the FC10-6 blades.
D_port diagnostics (set a port to this before joining it to a trunk, or use it to measure distance on a long distance link, is accurate up to 5m).
IDLE/ARB fill words are no longer necessary to configure (except on 8G platforms and not on Condor3).
Condor3 is the new ASIC for the 16G blades.
New/larger/longer/better ICL between the new directors that use QSFP instead of the crap max 2m copper cable.

Kindle

One thing that’s great about the Kindle is that you can put the Brocade material on it (even as PDF) – just change the viewing mode to landscape/horizontal and it will look great. Two pages per slide. I still have material from my old so that one works. But the material that is given for free now has 0 access rights so it does not work on the Kindle.

The way I write my personal notes is: write them off from the brocade material in my own words.

  1. I do this on google docs.
  2. I then download it into .doc and then
  3. e-mail it as an attachment to youraccount@free.kindle.com.
  4. Then next time you hook up your kindle to wifi it will download the documents, converted to .azw.

What’s important here is to not use lists, as the conversion from a Google doc saved as Word and then e-mailed to youraccount@free.kindle.com does not like lists; it only keeps the first level of the list.

I instead used headers, lots of them.

This is also nice because you can put a TOC which is clickable on the kindle.

Pictures also work in this conversion.

Reading encrypted/password protected pdf on Linux

The problematic PDF

The CFP300 material on http://community.brocade.com/docs/DOC-2041 is encrypted so that it cannot be printed/re-edited without a password.

If you try to open this with evince (default .pdf viewer in Gnome) it will ask for a password.
pdftotext (comes with the software suite poppler) says:

Error: Weird encryption info
Error: Incorrect password

It’s only the material starting with M0* that has this issue, this has also been seen with other documents. Maybe this is because they were created with a too new version of Adobe Acrobat that evince/pdftotext doesn’t support.
The rest of the material are going to be public and they are user/admin guides anyway. But the M0* files are from the actual course material for the 16G so this is why.

The solution on RHEL6 x64: install FoxitReader. Download the .rpm, then run ‘rpm -Uvh FoxitReader-1.1-0.fc9.i386.rpm’ and it will be installed. To start it just run ‘FoxitReader’.

Anyway, I think it’s nice of Brocade to pre-release the course material for those doing the beta test. If you want the real material the cheapest is $650, and then you get the material, narration of the PDFs (usually good quality, not just reading off the presentations) and a few quite good lab exercises.

The Studying

Just threading along here with the material, slowly but steady.
I’m starting with the NPIV / Access Gateway stuff. It’s a bit more complicated than just a switch that isn’t its own domain; it also maps the virtual WWNs to the N_ports (a switch in AG mode has N_ports that connect to F_ports in another switch). Usually the N_ports are on the hosts’ and targets’ ports and the switches have the F_ports.