Tag Archives: routing

Studying for BCNE – Brocade Certified Network Engineer

In early April of 2013 Brocade had a great offer – ask for it and you’ll get a voucher to an exam – for free!

I took them up on their offer and scored a voucher for the BCNE – Brocade Certified Network Engineer.

After that I noticed that Brocade also has a limited offer for the BCNE, http://www.brocade.com/education/CNE_250.page, which you can take them up on if you already have a CCNA. By doing that you also get a free voucher to the BCNE exam.

I chose to try it without the recommended course. A bit risky, but a long time ago I took the CCNA and passed. For me this exam was probably more about remembering, and looking at the improvements to, all the things in the CCNA back in 2005. This post is about my study technique, or perhaps more a record of how I did things, so that I can find places for improvement.

Do you have any study tips you would like to share?

Some really useful links:

  • BCNE in a Nutshell guide – it’s also available on their Saba/education page, but the copy there is out of date.
  • Brocade IP Primer – this is a great refresher on most Ethernet things if you’ve been out of touch.
  • Go through the manuals – but read the material in the newer released manuals.
  • IP Quick Reference – CLI Quick and quite comprehensive overview not only of commands but also of technologies.

http://community.brocade.com/docs/DOC-2613 has the list of pages, manuals and guides, but to get the newest documents you have to look elsewhere.
One place is each product’s page on brocade.com, where there is a section with manuals at the bottom.

The first thing I did before diving into the materials was to take the BCNE Knowledge Assessment test, to get some idea of what topics the exam covers.

Then I read the Nutshell guide and marked the things I needed to learn more about (basically all of them). Last time I took an exam with Brocade I only read the Nutshell guide at the beginning of my study time; this time I’m re-reading it every now and then to see if I catch something that is not clear and that I want to focus extra on. I’m also keeping a focus on the objectives of the exam, reading them and trying to answer them with as much detail as I can. The objectives are general, so there’s quite a lot of room for freedom there. As a bonus, if you can’t describe something in the objectives well, you have just found something you do not know well enough.

After going through the Nutshell guide and checking up on a few acronyms and technologies I hadn’t heard about, I read through the IP Primer and did the same thing there: marked the things that I thought would be of interest and that I would need to dig deeper into.

Then I went through the NetIron and FastIron configuration guides. Not only did I have a peek at all the pages that were listed as relevant, but I also read chapters that were not listed, either because I found them interesting or because the subject of those chapters is touched upon in the Nutshell guide. To me that just means the more you know about the subject the better.

Rehash the objectives and previous notes and dig deeper. Perhaps the first time you read it you glanced over some part. By digging deeper I mean finding the chapters in all the manuals that touch on the subject and reading them, making more notes. It could also be surfing the Internets or Wikipedia for a basic overview of how a technology operates. Eventually all of this crystallizes into a view that describes things in your own words.

To me there are parts of IT exams that you just can’t know even if you’ve been working with the technology for a long time, for example license options or feature differences between all the products. To learn things like these (and other types of questions I thought would come up on the exam) I made flashcards in a spreadsheet and printed them on normal A4 so that the question is on one side and the answer is on the back. This was no easy feat.

After going through all these documents you should be able to figure out for yourself which areas are being focused on, and make sure you know those.

Some good articles/blog posts:

P.s. I passed :)

Red Hat Certification – RHCE – Course Outline

Howdy!

In case you saw my previous posts, I’ve been prepping for an RHCE course the last couple of weeks.

Here are the posts based on the objectives:

Odds are quite high that I’ve missed something or not gone deep enough into some subjects, and for the record, some subjects I decided to skip.

I’m taking the course over at Tieturi here in Helsinki, and they have published the schedule for the course with a quite detailed outline.

This course outline can usefully be checked against the objectives to see if you missed any terms or functions.

I’ll go through the ones I find more interesting below:

Network Resource Access Controls

-Internet Protocol and Routing

OK, well this is quite obvious. Some commands:

ip addr
ip route
route add
netstat -rn

IPv6

-IPv6: Dynamic Interface Configuration
-IPv6: Static Interface Configuration
-IPv6: Routing Configuration

You can add IPv6-specific lines to the ifcfg-<device> files in /etc/sysconfig/network-scripts/. See /usr/share/doc/initscripts*/sysconfig for the available keys.

Some settings can also go into /etc/sysconfig/network

iptables

Netfilter Overview
-Rules: General Considerations
Connection Tracking
-Network Address Translation (NAT)
-IPv6 and ip6tables


Web Services

-Squid Web Proxy Cache

On client check what IP you get:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

On server install and setup squid:

yum install squid
vi /etc/squid/squid.conf
#add this line in the right place (squid.conf ships with "http_access allow localnet", so this ACL defines which client that rule admits):
acl localnet src 192.168.1.1/32
#allow port 3128 TCP in the firewall (use very strict access here)
service squid start

On client:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

Beware that this is insecure. Very insecure. You should at least set up a password for the proxy, change the default port and keep the firewall rules as limited as possible.
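A quick lint of the access rules the post edits in squid.conf, as an added example that is not from the original post: it flags a src ACL that covers the whole Internet when an allow rule uses it, a bare http_access allow all, and a rule list that does not end in deny all. Both configs below are constructed; the post’s /32 ACL is the single-host case.

```shell
#!/bin/sh
# Added example (not from the original post): lint the squid.conf access rules.
# Both configs are constructed for the example.

WEAK_CONF='acl localnet src 0.0.0.0/0
acl SSL_ports port 443
http_access allow localnet
http_access allow all'

GOOD_CONF='acl localnet src 192.168.1.1/32
acl SSL_ports port 443
http_access allow localnet
http_access deny all'

# squid_check CONF -> prints "ok" or a comma-separated list of findings
squid_check() {
    findings=""
    # src ACLs that match every address: 0.0.0.0/0 or 0/0
    broad_acls=$(printf '%s\n' "$1" | awk '$1=="acl" && $3=="src" && ($4=="0.0.0.0/0" || $4=="0/0") {print $2}')
    # ...only a problem when an allow rule actually uses them
    for name in $broad_acls; do
        if printf '%s\n' "$1" | grep -Eq '^http_access[[:space:]]+allow[[:space:]]+'"$name"'([[:space:]]|$)'; then
            findings="${findings}allow-from-anywhere($name),"
        fi
    done
    # "allow all" opens the proxy to anyone who can reach port 3128
    if printf '%s\n' "$1" | grep -Eq '^http_access[[:space:]]+allow[[:space:]]+all([[:space:]]|$)'; then
        findings="${findings}allow-all,"
    fi
    # squid evaluates http_access top to bottom; the last line should be a catch-all deny
    last=$(printf '%s\n' "$1" | grep -E '^http_access' | tail -n 1)
    case "$last" in
        "http_access deny all"*) ;;
        *) findings="${findings}missing-final-deny-all," ;;
    esac
    if [ -z "$findings" ]; then echo ok; else echo "${findings%,}"; fi
}

squid_check "$WEAK_CONF"   # allow-from-anywhere(localnet),allow-all,missing-final-deny-all
squid_check "$GOOD_CONF"   # ok
```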

E-mail Services

-Simple Mail Transport Protocol
-Sendmail SMTP Restrictions
-Sendmail Operation


Securing Data

-The Need For Encryption

-Symmetric Encryption

Symmetric encryption uses a shared secret/password to both encrypt and decrypt a message.
You can use GnuPG (the CLI command is ‘gpg’) to encrypt and decrypt a file symmetrically. Arguments:

--symmetric/-c == symmetric cipher (CAST5 by default)
--force-mdc == if you don’t have this you’ll get “message was not integrity protected”

There are many more things you can specify.

echo "awesome secret message" > /tmp/file
gpg --symmetric --force-mdc /tmp/file
#(enter password)
#this creates a /tmp/file.gpg
#beware that /tmp/file still exists
#to decrypt:
gpg --decrypt /tmp/file.gpg
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
awesome secret message


-Asymmetric Encryption

Uses a key-pair. A public key and a private key.
A message encrypted with the public key can only be decrypted with the private key.
A message encrypted with the private key can only be decrypted with the public key.

GnuPG handles this for you.

Log in as a user called ‘labber’:

gpg --gen-key
# in this interactive dialog enter the name: labber, an e-mail address and a passphrase
# this doesn't always work, might take a _long_time_ (it waits for entropy); eventually I just tried on another machine
echo "secret message" > /tmp/file
gpg -e -r labber /tmp/file
# writes /tmp/file.gpg; encrypting to a public key needs no passphrase
gpg --decrypt /tmp/file.gpg
# enter passphrase (unlocks labber's private key)

To export the public key in ASCII format you can:

gpg --armor --output "key.txt" --export "labber"

However, how to encrypt a file with somebody else’s public key?
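Importing somebody else’s exported public key and encrypting to it, as an added example that is not part of the original post. It assumes GnuPG 2.1 or later (for --quick-gen-key and --pinentry-mode); the user id, file names and throw-away GNUPGHOME directories are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: encrypt a file to somebody ELSE's
# public key with GnuPG 2.1+. Sender and recipient are simulated with throw-away
# keyrings in temporary GNUPGHOME directories; user id and file names are constructed.
set -e

# gpg_roundtrip: recipient makes a key pair and exports the public half,
# sender imports it and encrypts, recipient decrypts. Prints the recovered text.
gpg_roundtrip() {
    sender=$(mktemp -d); recipient=$(mktemp -d)
    uid='recipient@example.test'   # constructed user id

    # 1. Recipient generates a key pair. Empty passphrase only so the example
    #    runs without a prompt; a real key gets a passphrase.
    GNUPGHOME="$recipient" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$uid" default default never

    # 2. Recipient exports ONLY the public key, as the post does with --armor --export.
    GNUPGHOME="$recipient" gpg --batch --quiet --armor --output "$recipient/pub.asc" --export "$uid"

    # 3. Sender imports that public key into their own keyring.
    GNUPGHOME="$sender" gpg --batch --quiet --import "$recipient/pub.asc"

    # 4. Sender encrypts to it. The freshly imported key is untrusted, so
    #    --trust-model always is used here; in practice verify the fingerprint
    #    out of band and sign the key instead of bypassing the check.
    printf 'secret message\n' > "$sender/file"
    GNUPGHOME="$sender" gpg --batch --quiet --trust-model always \
        -e -r "$uid" -o "$sender/file.gpg" "$sender/file"

    # 5. Only the recipient's private key can open it; the sender's keyring
    #    holds no secret key for this uid, so the sender cannot decrypt.
    GNUPGHOME="$recipient" gpg --batch --quiet --decrypt "$sender/file.gpg"

    # Stop the agents started for the temporary homes, then remove the homes.
    GNUPGHOME="$recipient" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$sender" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$sender" "$recipient"
}

gpg_roundtrip   # prints: secret message
```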

-Public Key Infrastructures – PKI

Consists of:

  • CA – certificate authority – issues and verifies digital certificates
  • RA – registration authority – verifies the identity of a user requesting a certificate on behalf of the CA
  • central directory – used to store and index keys

-Digital Certificates

A certificate has user details and the public key.

Account Management

-Account Management
-Account Information (Name Service)
Name Service Switch (NSS)
Pluggable Authentication Modules (PAM)
-PAM Operation
-Utilities and Authentication


PAM

Basically a way to authenticate users. You can put different authentication methods behind PAM, so that a piece of software only needs to learn to authenticate against PAM, and PAM takes care of the behind-the-scenes work.

For example, you can have PAM connect to an LDAP server.

CLI: authconfig

Files:
/etc/sysconfig/authconfig
/etc/pam.d/
/etc/sssd/sssd.conf


BCFP – FCIP – Fibre Channel over TCP/IP

Still studying for Brocade’s BCFP Exam.
This post tries to shed light on some of the terms and technologies you’ll be surrounded by when learning about FCIP.

Guides you should see are the “Fabric OS FCIP Administrator’s Guide”, and you should probably start with the material for BCFP part 4 (theory) and 5 (administration).

Basically the FC frames are encapsulated in packets over TCP/IP, making the TCP/IP part invisible/irrelevant to the SAN fabric and the FC frames invisible/irrelevant to the TCP/IP network, except of course for the FC routers that bridge the networks. It is possible to run FCR over FCIP as well, via VEX_ports (virtual EX_ports). Since this is extension over TCP, it uses TCP flow control, not BB credits.

Terminology

Tunnel (VE_port) – a tunnel is seen as a VE_port in the fabric.

Circuits (GbE ports) live inside a tunnel (VE_port).
A circuit is a logical connection between two IP addresses.

Metric 0 – active (you can have several links at metric 0)
Metric 1 – standby

FCIP tunnels support max two hops.

Multi-Gigabit Circuits

On the FX8-24:

2x 10GbE
1x 10GbE and 10x 1GbE
10x 1GbE
Not all ports can be used at the same time.

FCIP Trunking

Basically adding more circuits to a tunnel. Setting up several tunnels instead is not recommended (their number is limited anyway), and FCIP trunking is the way to go because ISL trunking is not supported on VE_ports.

FICON timeout: 1s
FC timeout: 4s
Consider altering these depending on your setup/latencies.

Virtual Fabric considerations

Define several logical switches inside a physical switch.
With FOS 7.0.0 you can have a VE_port (the GbE ports) defined in the base/default switch and then share it with other logical switches, giving you the possibility to extend/route the fabrics over a shared trunk while they are still isolated. You cannot mix dedicated (in a logical switch) and shared (in the default switch) in the same FCIP tunnel.

QoS

Not enforced if there is no contention (i.e. there is free bandwidth).

VC0 (or F_frames – fabric frames) – always first.
QoS_High: >50% : 6
QoS_Medium: >30% : 3
QoS_low: >20% : 1

DSCP (6 bits of priority – 64 values)
L2CoS (3 bits of priority – 8 values)
Priority is set in the TOS field in the header.

Compression

(four different ones, hardware, software, mix, auto)

10GbE

“Lossless” failover only in FOS 7.0.0 (the Brocade chipset did not share ports).
You cannot use both 10GbE ports and get 20GbE. You can have them active/standby, or use both active/active and get 5Gbps on each.
Disabling a port != failover testing. It can/will cause disruptions.

Crossport

Crossports are addresses and routes that belong to the other 10GbE (XGE) port’s DP or VE group.

The crossport for xge0 is xge1 and for xge1, the crossport is xge0. To use crossports, the port must be configured in 10 Gbps mode.

The crossport is the non-local XGE port for a VE_Port group. In other words, for VE ports 12 through 21, xge1 is the local XGE port and xge0 is the crossport. For VE ports 22 through 31, xge0 is the local XGE port and xge1 is the crossport.

SACK

(selective acknowledgement – instead of each lost packet requiring its own ack, several lost packets are reported in one; default is ON)

Adaptive Rate Limiting

Configure minimum and maximum rates on an FCIP circuit.
Let’s say you have one FCIP router with two circuits going to two independent IP routers, and these two share a link to another site. The idea is that you can use ARL to configure a minimum of half of the shared link on each of the circuits from the FCIP router to the IP routers, and a maximum of the whole link. So if one goes down, you’re not stuck with half, and you’re not oversubscribing. There, easy to explain in words :d


Hardware

FX8-24

2 x 10GbE ports, 12 x 1GbE and 12 x FC8
Link to hardware page on Brocade.

7800

6 x 1GbE ports, 16 x FC8
Link to hardware page on Brocade.

Steps

  1. What settings are you going to have on the ports/links/tunnels?
  2. Configure hw ports (media type, mode etc)
  3. Disable the VE_ports (virtual FC E_ports) of the tunnel (portdisable)
  4. Create an IP interface for each physical Ethernet port that’s going to be used (portcfg ipif)
  5. Configure an IP route for each port to specify an IP gateway (not required; portcfg iproute)
  6. Verify the IP network between the two IP interfaces that will form the tunnel (portcmd --ping slot/port)
  7. Create an FCIP tunnel (circuit 0; portcfg fciptunnel; portcfg fcipcircuit)
  8. Config FCIP Features (SACK, compression, etc)
  9. Verify config, enable VE_ports, verify that it’s working
  10. Add more circuits to the tunnel(s).