Study of Infiniband Technology

初見 Infiniband 時, 感覺有點像當年看到 ATM 的 spec 一樣。 "這應該會成為未來的主流技術, 並且汰換掉乙太網路"， 不過 ATM 最後還是沒能成為主流, 目前只有在 WAN 的應用部份為主。 不過其實 Infiniband 的訴求和 ATM 並不一樣。
新的技術要在規格上汰換掉現有的技術, 看起來好像並不是那麼的難。 其實真正難的部份是如何吸引更多的 Vendor 進來參予, 更多的優點來吸引消費者採用, 希望能看到這個技術發光發熱。
這是我初見 Infiniband 的感想。

InfiniBand is a switched fabric communications link primarily used in high-performance computing. Its features include quality of service and failover, and it is designed to be scalable. The InfiniBand architecture specification defines a connection between processor nodes and high performance I/O nodes such as storage devices.

InfiniBand forms a superset of the Virtual Interface Architecture.

 

Like Fibre Channel, PCI Express, Serial ATA, and many other modern interconnects, InfiniBand offers point-to-point bidirectional serial links intended for the connection of processors with high-speed peripherals such as disks. It supports several signalling rates and, as with PCI Express, links can be bonded together for additional bandwidth.

Signaling rate

The serial connection's signalling rate is 2.5 gigabit per second (Gbit/s) in each direction per connection. InfiniBand supports double (DDR) and quad data rate (QDR) speeds, for 5 Gbit/s or 10 Gbit/s respectively, at the same data-clock rate.

Links use 8B/10B encoding — every 10 bits sent carry 8bits of data — making the useful data transmission rate four-fifths the raw rate. Thus single, double, and quad data rates carry 2, 4, or 8 Gbit/s respectively.

Implementers can aggregate links in units of 4 or 12, called 4X or 12X. A quad-rate 12X link therefore carries 120 Gbit/s raw, or 96 Gbit/s of useful data. As of 2009^[update] most systems use either a 4X 10 Gbit/s (SDR), 20 Gbit/s (DDR) or 40 Gbit/s (QDR) connection. Larger systems with 12x links are typically used for cluster and supercomputer interconnects and for inter-switch connections.

Latency

The single data rate switch chips have a latency of 200 nanoseconds, and DDR switch chips have a latency of 140 nanoseconds.The end-to-end latency range ranges from 1.07 microseconds MPI latency (Mellanox ConnectX HCAs) to 1.29 microseconds MPI latency (Qlogic InfiniPath HTX HCAs) to 2.6 microseconds (Mellanox InfiniHost III HCAs).^{[citation needed]} As of 2009^[update] various InfiniBand host channel adapters (HCA) exist in the market, each with different latency and bandwidth characteristics. InfiniBand also provides RDMA capabilities for low CPU overhead. The latency for RDMA operations is less than 1 microsecond (Mellanox ConnectX HCAs).

Topology

InfiniBand uses a switched fabric topology, as opposed to a hierarchical switched network like Ethernet.

As in the channel model used in most mainframe computers, all transmissions begin or end at a channel adapter. Each processor contains a host channel adapter (HCA) and each peripheral has a target channel adapter (TCA). These adapters can also exchange information for security or quality of service.

Messages

InfiniBand transmits data in packets of up to 4 kB that are taken together to form a message. A message can be:

• a direct memory access read from or, write to, a remote node (RDMA)
• a channel send or receive
• a transaction-based operation (that can be reversed)
• a multicast transmission.
• an atomic operation

 

Reference:

http://en.wikipedia.org/wiki/InfiniBand

http://www.infinibandta.org/index.php

Understanding Layer 2 Trunk Failover

Layer 2 trunk failover, also known as link-state tracking, is a feature that provides Layer 2 redundancy in the network when used with server NIC adapter teaming. When the server network adapters are configured in a primary or secondary relationship known as teaming, if the link is lost on the primary interface, connectivity is transparently switched to the secondary interface.

When you enable Layer 2 trunk failover on the switch, the link state of the internal downstream ports are bound to the link state of one or more of the external upstream ports. An internal downstream port is an interface that is connected to the server. An external upstream port is an interface that is connected to the external network. When you associate a set of downstream ports to a set of upstream ports, if all of the upstream ports become unavailable, trunk failover automatically puts all of the associated downstream ports in an error-disabled state. This causes the server primary interface to failover to the secondary interface.

When Layer 2 trunk failover is not enabled, if the upstream interfaces lose connectivity, (the external switch or router goes down, the cables are disconnected, or link is lost), the link state of the downstream interfaces remain unchanged. The server is not aware that external connectivity has been lost and does not failover to the secondary interface.

An interface can be an aggregation of ports (an EtherChannel), or a single physical port in access or trunk mode. Each downstream interface can be associated with one or more upstream interfaces. Upstream interfaces can be bundled together, and each downstream interface can be associated with a single group consisting of multiple upstream interfaces. These groups are referred to as link-state groups.

In a link-state group, the link states of the downstream interfaces are dependent on the link states of the upstream interfaces. If all of the upstream interfaces in a link-state group are in the link-down state, the associated downstream interfaces are forced into the link-down state. If any one of the upstream interfaces in the link-state group is in a link-up state, the associated downstream interfaces can change to or remain in the link-up state.

Figure 28-4 Typical Layer 2 Trunk Failover Configuration

In Figure 28-4, downstream interfaces 1, 3, and 5 are defined in link-state group 1 with upstream interfaces 19 and 20. Similarly, downstream interfaces 2, 4, and 6 are defined in link-state group 2 with upstream interfaces 21 and 22.

If link is lost on upstream interface 19, the link states of downstream interfaces 1, 3, and 5 do not change. If upstream interface 20 also loses link, downstream interfaces 1, 3 and 5 go into a link-down state. Downstream interfaces 2, 4, and 6 do not change states.

You can recover a downstream interface link-down condition by removing the failed downstream port from the link-state group. To recover multiple downstream interfaces, disable the link-state group.

Configuring Layer 2 Trunk Failover

These sections describe how to configure trunk failover ports:

•Default Layer 2 Trunk Failover Configuration

•Layer 2 Trunk Failover Configuration Guidelines

•Configuring Layer 2 Trunk Failover

Default Layer 2 Trunk Failover Configuration

There are no link-state groups defined, and trunk failover is not enabled for any group.

Layer 2 Trunk Failover Configuration Guidelines

Follow these guidelines to avoid configuration problems:

•Do not configure a cross-connect interface (gi0/23 or gi0/24) as a member of a link-state
group.

•Do not configure an EtherChannel as a downstream interface.

•Only interfaces gi0/1 through gi0/16 can be configured as downstream ports in a specific link-state group.

•Only interfaces gi0/17 through gi0/24 can be configured as upstream ports in a specific link-state group.

•An interface that is defined as an upstream interface cannot also be defined as a downstream interface in the same or a different link-state group. The reverse is also true.

•An interface cannot be a member of more than one link-state group.

•You can configure only two link-state groups per switch.

Configuring Layer 2 Trunk Failover

Beginning in privileged EXEC mode, follow these steps to configure a link-state group and to assign an interface to a group:

This example shows how to create a link-state group and configure the interfaces:

Switch# configure terminal 

Switch(config)# link state track 1

Switch(config)# interface range gigabitethernet0/21 - 22

Switch(config-if)# link state group 1 upstream

Switch(config-if)# interface gigabitethernet0/1 

Switch(config-if)# link state group 1 downstream

Switch(config-if)# interface gigabitethernet0/3 

Switch(config-if)# link state group 1 downstream

Switch(config-if)# interface gigabitethernet0/5 

Switch(config-if)# link state group 1 downstream

Switch(config-if)# end

---

Note If the interfaces are part of an EtherChannel, you must specify the port channel name as part of the link-state group, not the individual port members.

---

This example shows how to create a link-state group using ports in an EtherChannel:

Switch# configure terminal 

Switch(config)# link state track 1

Switch(config)# interface P01

Switch(config-if)# link state group 1 upstream

Switch(config-if-range)# interface range gigabitethernet0/1, gigabitethernet0/3, 
gigabitethernet0/5

Switch(config-if)# link state group 1 downstream

Switch(config-if)# end

To disable a link-state group, use the no link state track number global configuration command.

Displaying Layer 2 Trunk Failover Status

Use the show link state group command to display the link-state group information. Enter this command without keywords to display information about all link-state groups. Enter the group number to display information specific to the group. Enter the detail keyword to display detailed information about the group.

This is an example of output from the show link state group 1 command:

Switch> show link state group 1

Link State Group: 1      Status: Enabled, Up

This is an example of output from the show link state group detail command:

Switch> show link state group detail

Link State Group: 1      Status: Enabled, Up

Upstream Interfaces   : Po1(Up)

Downstream Interfaces : Gi0/3(Up) Gi0/4(Up)

Link State Group: 2      Status: Disabled, Down

Upstream Interfaces   :

Downstream Interfaces :

(Up):Interface up   (Dwn):Interface Down   (Dis):Interface disabled

 

這個功能可以用在 loop-free 的 topology 來避免因為 access-layer lost up-link 時所造成的 traffic black-holing。

Reference:

http://www.cisco.com/en/US/docs/switches/blades/3020/software/release/12.2_25_sef1/configuration/guide/swethchl.html#wp1346176

Using “vpn-filter” to restrict access from RA VPN or EZVPN client

 

By default, the VPN server(PIX/ASA) will allow all traffic that is tunneled to it to exit the tunnel. To restrict such traffic which going thru the tunnel, you can use “vpn-filter value acl” command under group-policy.

Be careful that this acl restrict traffic not only on the direction from client to server but also from server to client.

 

See below diagram for detail. As acl applies on both direction, use specifically ip/subnets as src within acl. If the range is too “broad”, then unexpected traffic might also be filtered.

If you want to permit traffic from client to only Internal DNS server(172.16.1.1) and configured the acl for vpn-filter as below.

access-list 103 extended permit udp any host 172.16.1.1 eq 53

You will not only restrict traffic from client to DNS server with udp/53 but also the returned from server to client. Client will never get the response from server because vpn-filter also block it at the reverse direction.

Notes:
When I test this with MS-L2TP vpn client, the acl is not working as expected unless I re-established the vpn tunnel. In the worst case, even need to reboot the Client.

Reference:

 http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Configuring Windows L2TP/IPSec VPN with PIX515E using pre-shared key

 

【緣起】

其實現在要在 Windows Server 上安裝設定 CA 已經比以前簡單許多了, 所以用 rsa-sig (certificate) 來做 phase I 的 authentication 會比較安全一些, 為什麼還要回頭來用 pre-shared key 呢?

在管理企業內的電腦時, 通常會加入AD, 只要有 join AD, 要 deploy computer or user 的 certificate 就可以透過 AD 來做大量佈署了。 一旦有了 certificate 要連線 VPN 就可以透過 rsa-sig 來做 authentication 了。不過就是這個"要先加入 AD"的前提遇到了一個困難。

有一些長期在外的 mobile user 或 home worker, 因為很久才會進一次公司, 所以產生了下列的問題

1. new laptop provisioning to remote user.
2. re-image remote user’s laptop.
3. AD password aging.

 

第 1 和 2 的情況會比較類似, user 的 laptop 會是沒有加入 AD 的狀態, 因此需要先 VPN 連上公司網路, 再 Join 至 AD, 如果用 RSA-sig 的方式來認證, 則必需先加入 AD 取得 certificate, 形成了 catch-22 的情況。

第 3 種則是 user 的 behavior 使然, password 在 aged out 之前通常 AD 就會 warning 要 change 了, 但是 User 通常會繼續使用直到過期, 這個時候就會發生無法連線 VPN 的問題了。
就算 user 發現密碼是過期了, 要改密碼還會遇到 password complexity policy 的問題而一直改不成功, network team 的人也會覺得很無奈!@#$#。

所以還是再開個後門來用 pre-shared key auth 來解決吧。

======================================================================
以下節錄自 Cisco configuration example http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00807213a7.shtml
======================================================================

Introduction

This document describes how to configure Layer 2 Tunneling Protocol (L2TP) over IP Security (IPsec) from remote Microsoft Windows 2000/2003 and XP clients to a PIX Security Appliance corporate office using pre-shared keys with Microsoft Windows 2003 Internet Authentication Service (IAS) RADIUS Server for user authentication. Refer to Microsoft - Checklist: Configuring IAS for dial-up and VPN access for further information on IAS.

The primary benefit of configuring L2TP with IPsec in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line. This enables remote access from virtually any place with POTS. An additional benefit is that the only client requirement for VPN access is the use of Windows 2000 with Microsoft Dial-Up Networking (DUN). No additional client software, such as Cisco VPN Client software, is required.

This document also describes how to use the Cisco Adaptive Security Device Manager (ASDM) in order to configure the PIX 500 Series Security Appliance for L2TP over IPsec.

Note: Layer 2 Tunneling Protocol (L2TP) over IPsec is supported on Cisco Secure PIX Firewall Software Release 6.x and later.

In order to configure L2TP Over IPsec between the PIX 6.x and Windows 2000, refer to Configuring L2TP Over IPsec Between PIX Firewall and Windows 2000 PC Using Certificates.

In order to configure L2TP over IPsec from remote Microsoft Windows 2000 and XP clients to a corporate site using an encrypted method, refer to Configuring L2TP over IPsec from a Windows 2000 or XP Client to a Cisco VPN 3000 Series Concentrator Using Pre-Shared Keys.

Prerequisites

Requirements

Before the secure tunnel establishment, IP connectivity needs to exist between the peers.

Make sure that UDP port 1701 is not blocked anywhere along the path of the connection.

Use only the default tunnel group and default group policy on the Cisco PIX/ASA. User-defined policies and groups do not work.

Note: The security appliance does not establish an L2TP/IPsec tunnel with Windows 2000 if either Cisco VPN Client 3.x or Cisco VPN 3000 Client 2.5 is installed. Disable the Cisco VPN service for Cisco VPN Client 3.x, or the ANetIKE service for Cisco VPN 3000 Client 2.5 from the Services panel in Windows 2000. In order to do this choose Start > Programs > Administrative Tools > Services, restart the IPsec Policy Agent Service from the Services panel, and reboot the machine.

Components Used

The information in this document is based on these software and hardware versions:

• PIX Security Appliance 515E with software version 7.2(1) or later (mine is 8.0(4))

• Adaptive Security Device Manager 5.2(1) or later

• Microsoft Windows 2000 Server

• Microsoft Windows XP Professional with SP2 (mine is WinXP w/sp3 & Win7)

• Windows 2003 Server with IAS

Note: If you upgrade the PIX 6.3 to version 7.x, make sure that you have installed SP2 in Windows XP (L2TP Client).

Note: The information in the document is also valid for ASA security appliance.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products

This configuration can also be used with Cisco ASA 5500 Series Security Appliance 7.2(1) or later.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Background Information

Complete these steps in order to configure L2TP over IPsec.

1. Configure IPsec transport mode in order to enable IPsec with L2TP.

   Windows 2000 L2TP/IPsec client uses IPsec transport mode—Only the IP payload is encrypted, and the original IP headers are left intact. The advantages of this mode are that it adds only a few bytes to each packet and allows devices on the public network to see the final source and destination of the packet. Therefore, in order for Windows 2000 L2TP/IPsec clients to connect to the security appliance, you must configure IPsec transport mode for a transform (see step 2 in the ASDM configuration). With this capability (transport), you can enable special processing (for example, QoS) on the intermediate network based on the information in the IP header. However, the Layer 4 header is encrypted, which limits the examination of the packet. Unfortunately, the transmission of the IP header in clear text, transport mode allows an attacker to perform some traffic analysis.

2. Configure L2TP with a virtual private dial-up network (VPDN) group.

The configuration of L2TP with IPsec supports certificates that use the pre-shared keys or RSA signature methods, and the use of dynamic (as opposed to static) crypto maps. Pre-shared key is used as an authentication to establish the L2TP over IPsec tunnel.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool ( registered customers only) to find more information on the commands used in this document.

Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses which have been used in a lab environment.

Network Diagram

This document uses this network setup:

Configurations

This document uses these configurations:

• Windows L2TP/IPsec Client Configuration

• L2TP Server in PIX Configuration

• L2TP using ASDM Configuration

• Microsoft Windows 2003 Server with IAS Configuration

Windows L2TP/IPsec Client Configuration

Complete these steps in order to configure L2TP over IPsec on Windows 2000. For Windows XP skip steps 1 and 2 and start from step 3:

1. Add this registry value to your Windows 2000 machine:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

   
   

   
   



2. 
   

   Add this registry value to this key:

   
   
   

   
   

   Value Name: ProhibitIpSec
   Data Type: REG_DWORD
   Value: 1

   
   

   
   
   

   Note: In some cases (Windows XP Sp2), the addition of this key (Value: 1) appears to break the connection as it makes the XP box negotiate L2TP only rather than an L2TP with IPsec connection. It is mandatory to add an IPsec policy in conjunction with that registry key. If you receive an error 800 when you try to establish a connection, remove the key (Value: 1) in order to get the connection to work.

   
   
   

   Note: You must restart Windows 2000/2003 or XP machine in order for the changes to take effect. By default the Windows client attempts to use IPsec with a Certificate Authority (CA). The configuration of this registry key prevents this from occurring. Now you can configure an IPsec policy on the Windows station to match the parameters that you want on the PIX/ASA. Refer to How to Configure a L2TP/IPSec Connection Using Pre-shared Key Authentication (Q240262) for a step-by-step configuration of the Windows IPsec policy.

   
   
   

   Refer to Configure a Preshared Key for Use with Layer 2 Tunneling Protocol Connections in Windows XP (Q281555)\ for more information.

   
   



3. 
   

   Create your connection.

   
   



4. 
   

   Under Network and Dial-up Connections, right-click on the connection and choose Properties.

   
   
   

   Go to the Security tab and click Advanced. Choose the protocols as this image shows.

   
   
   

   

   
   



5. 
   

   Note: This step is applicable only for Windows XP.

   
   
   

   Click IPSec Settings, check Use pre-shared key for authentication and type in the pre-shared key in order to set the pre-shared key.

   
   
   

   In this example, test is used as the pre-shared key.

   
   
   

   

   
   

L2TP Server in PIX Configuration

PIX 7.2

pixfirewall#show run
                     
PIX Version 7.2(1)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!

!--- Configures the outside and inside interfaces.

interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.4.4.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid


access-list nonat extended permit ip 10.4.4.0 255.255.255.0 10.4.5.0 255.255.255.0
nat (inside) 0 access-list nonat

pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500


!--- Creates a pool of addresses from which IP addresses are assigned 
!--- dynamically to the remote VPN Clients.

ip local pool clientVPNpool 10.4.5.10-10.4.5.20 mask 255.255.255.0

no failover
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400


!--- The global and nat command enable 
!--- the Port Address Translation (PAT) using an outside interface IP
!--- address for all outgoing traffic.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0


route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute


!--- Create the AAA server group "vpn" and specify its protocol as RADIUS.
!--- Specify the IAS server as a member of the "vpn" group and provide its
!--- location and key.


aaa-server vpn protocol radius
aaa-server vpn host 10.4.4.2
 key radiuskey


!--- Identifies the group policy as internal. 


group-policy DefaultRAGroup internal


!--- Instructs the security appliance to send DNS and 
!--- WINS server IP addresses to the client. 


group-policy DefaultRAGroup attributes
 wins-server value 10.4.4.99
 dns-server value 10.4.4.99


!--- Configures L2TP over IPsec as a valid VPN tunneling protocol for a group. 

 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value cisco.com

!--- Configure usernames and passwords on the device
!--- in addition to using AAA.
!--- If the user is an L2TP client that uses Microsoft CHAP version 1 or 
!--- version 2, and the security appliance is configured 
!--- to authenticate against the local 
!--- database, you must include the mschap keyword. 
!--- For example, username <username> password <password> mschap.


username test password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted


 vpn-tunnel-protocol l2tp-ipsec

http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart



!--- Identifies the IPsec encryption and hash algorithms 
!--- to be used by the transform set.


crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac


!--- Since the Windows 2000 L2TP/IPsec client uses IPsec transport mode, 
!--- set the mode to transport.
!--- The default is tunnel mode.


crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport





!--- Specifies the transform sets to use in a dynamic crypto map entry.


crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5


!--- Requires a given crypto map entry to refer to a pre-existing 
!--- dynamic crypto map.


crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map


!--- Applies a previously defined crypto map set to an outside interface.


crypto map outside_map interface outside

crypto isakmp enable outside
crypto isakmp nat-traversal 20


!--- Specifies the IKE Phase I policy parameters.


crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400


!--- Creates a tunnel group with the tunnel-group command, and specifies the local 
!--- address pool name used to allocate the IP address to the client. 
!--- Associate the AAA server group (VPN) with the tunnel group.


tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group vpn


!--- Link the name of the group policy to the default tunnel 
!--- group from tunnel group general-attributes mode. 



 default-group-policy DefaultRAGroup


!--- Use the tunnel-group ipsec-attributes command 
!--- in order to enter the ipsec-attribute configuration mode. 
!--- Set the pre-shared key. 
!--- This key should be the same as the key configured on the Windows machine.


tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *


!--- Configures the PPP authentication protocol with the authentication type 
!--- command from tunnel group ppp-attributes mode.


tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e1e0730fa260244caa2e2784f632accd
: end

Survey Internet BGP multihoming@TW

 

二個基本條件一定要有

1. Portable IPv4 block (vendor independent)
2. ASN

受理單位: TWNIC
http://www.twnic.net.tw/ip/ip_01.htm

 

原本以為是需要附上一大堆的文件而以, 在看過下面這個 APNIC 定出來的收費標準後, 也只能打退堂鼓了。http://ftp.apnic.net/apnic/docs/non-member-fees

 

設定費(第一次) 最少要 AUD$13,500, 應該至少 NT300,000 了。
年費最少要 AUD$1,350, 約合 NT30,000。

難怪一問之下, 整個新竹也只有一家公家單位有這樣介接到 Hinet而以。

VMWare VCP-410 考後心得

 

1. 為什麼要考VCP-410?
其實最大的原因是因為上課不用錢。 拜同事的專案所賜, 有含vSphere 4.0 ICM 的群環的上課名額, 同事又很慷慨的讓給了我, 所以就去上課囉。在此順便推薦一下群環的"鍾言詳"講師。在很有限的時間裏, 大部份的 ICM 課程重點都有提到, 不過如果是完全沒有經驗的人來上的話, 上完課回去後可能要多花一些時間自修和實作才能理解一些 features 的運作原理。

另外一個動力當然是讓履歷上的資料更好看一些, 額外的收穫是讓我再複習一下已經流失掉不少的 UNIX Skill 啦!!

2. 如何取得VCP-410?
VCP取得的方式在官網有詳細的介紹, 我就節錄重點就好了。
如下圖所示, 有 4 個 path, 沒有 version 3 經驗的人當然就選 Path 1 囉!!
VMWare最讓人覺得機車的部份就是, "一定要上課完再參加VCP-410的考試", 否則 vmware 是不會發給你證書的。但是我上的這門課已經含有一次免費考試的 voucher 了, 所以我還真的是很幸運, 沒花到一毛錢。
另外這裏是 blueprint 供參考。

3. 我的準備過程

3.1 把 ICM 教材(vol1 & 2 + LAB excercise 共3本)確實的讀過一遍。
在我看 ICM 教材的過程, 其實也發現到教材裏的資訊其實缺乏詳細的細節說明, ICM 的教材只能說是一份各項主要功能的 overview 而以。會讓你覺得其實不夠深入, 我後來在 vSphere 4 的這份 documentation sets 解決了大部份的疑惑。 vmware 的教材和 KB 的資料其實非常的多, 再加上 community 內的文章, 其實夠你學好一陣子了。

3.2 手邊一定要有一個LAB
有很多的功能是在做完 LAB 之後才真正得到了解, 所以手邊一定要有一個 LAB 環境才行。由於配合同事的專案, 我有一套相當"頂級"的 LAB 環境, 不過講師有提到其實你也可以把整個 lab 環境虛擬化。簡單說明如下

• 一台 RAM 大一點的 PC, 建議至少 4G 以上
• 安裝作業系統 Linux 或 Windows OS (建議 64-bit 才能有 4G 以上的可用記憶體)
  PS: 如果裝 esxi 的話, 就不用再裝上面的 OS 和下面的 vm workstation 了。
• 安裝 vmware workstation
• 再把 vcenter 和 esx/esxi 安裝在上述的環境下(等於虛擬化了兩次 )
• 有些工具軟體當然一定要準備, 才能測試一些相關的功能
  1. startbluescreen (要搞掛 Windows 用的)
  2. 延伸磁碟分割的工具, diskpart or extpart(第一次用時, 覺得滿神奇的)
  3. Free software iSCSI target (StarWind)  和另外一台 NFS server (一般 Linux 即可) 來練習 storage 的相關設定(FC SAN 因為要 HBA, 所以一般人應該是付擔不起吧?)
  4. cpu burn-in 操 CPU 的工具程式, 可以 trigger DRS
• 其它有想到的話再 update 吧

4. 報名和考試
在任何一家 VUE 的考場都可以考, 習慣了 Cisco 考試的人應該是沒有任何的問題才對。 不過有一點要注意的是, 在上課前或上課期間, 教育訓中心會要你在官網註冊你的學員資料, 這些資料要和你 VUE 上的資料相符才行, 如果不 match 的話, 有可能會收不到証書哦, 我再等等看一個月後我會不會收到我的 certificate。
在 schedule 的過程發現到一個額外的好康, 如果你有通過考試時, vmware 會送你一套 vmware workstation, (Linux 或 Windows 二擇一)。

在應考時發現其很多題都是要你有真正實作過, 才能知道正確答案的。也有一些是必須死記硬背的 config_max, 還有這份 Pricing guide 關於 feature 和 editon 的 mapping 也要記一下(這不是 sales 才要知道的嗎?)

其實考試的整體難度並不高, 只要 300 分就可以 pass 了, score range from 100 to 500。 Native English Speaker 考試時間是 90 分鐘, non-Native English speaker 可以再加 30 分鐘, 時間算是蠻充裕的。

Reference: http://www.vmware.com

今天把快荒廢的 Blog 改個名字

好久沒有上來Update了, 前陣子花了些時間準備 VMware VCP-410, 還有公司的一些雜事, 幾乎都沒時間碰 Voice 的東西, 所以把 Blog 改個名字, 來記錄更多 IT 相關學習歷程。