Afroz Ahmad

My Official Blog

Category: CCDE

What is Bluecoat PacketShaper and why do we need it? :-

Does your network know the difference between important web traffic like online meetings, and lower-priority traffic like games or streaming media? In a world that is increasingly more interactive, mobile, and content-driven, Blue Coat PacketShaper helps enterprises control bandwidth cost, deliver a superior user experience and align network resources with business priorities.

Below are some of the benefits of Bluecoat Packetshaper :-

  • Superior user experience
  • Lower bandwidth cost
  • Reserve bandwidth for critical applications
  • Contain disruptive traffic and slow bandwidth increases
  • Easily embrace new trends such as BYOD, video, cloud and social media
  • Eliminate potential bandwidth increases

Requirement :-

The very first step in deploying any new hardware into the production network is to understand the requirement and the actual need for the hardware to be deployed. It is evident that adding new hardware adds complexity and sometimes creates more problems than it solves. Also, the placement of the device in the production network follows directly from the requirement, or the purpose we want that device to serve.

In our scenario, the main reason for adding the Bluecoat PacketShaper is to classify, shape and prioritize outgoing internet traffic, so that bandwidth-hungry applications (Facebook, YouTube, etc.) can be limited to a certain level and business-related internet traffic can be prioritized accordingly.
The second reason was to see internet traffic in real time, i.e. visibility.
Ordering the right Hardware :-
We ordered a Bluecoat PS400 with one year of support, and additionally a 4-port expansion NIC card in order to connect more devices. Below is a snapshot of the actual bill of material.
Deployment Strategy :-
After understanding the requirement, the second step is to plan the deployment. As the primary goal was to shape outgoing internet traffic, the best place to install the PacketShaper is just behind the internet router and upstream of all firewalls, so that it sees all traffic.
Note that in this position it cannot classify encrypted traffic (for example, site-to-site or remote-client VPN traffic terminating on the firewalls).
After finalizing device placement, the next step was to design the strategy and the phases in which the installation would take place. For minimal impact on the production network, we initially planned to deploy the Bluecoat PacketShaper in two phases: watch mode and inline mode.
1. Watch Mode
We would first connect the Bluecoat PacketShaper in watch mode in the DMZ, and monitor and understand the traffic flow, using SPAN to copy traffic from the internet interface to the Bluecoat interface.
2. Inline Mode
After traffic segregation, we would connect the Bluecoat into the internet traffic path.
But after discussion with Bluecoat experts we decided that in the first phase we would deploy the PacketShaper directly in inline mode with shaping turned off and discovery turned on, so that it passes all traffic through without applying any shaping rules.
In the second phase, we would monitor traffic for at least two weeks and, after understanding the traffic types and flows, put shaping rules in place.
Implementation :-
There are lots of good documents available on the Bluecoat website, which I will list at the end of this post as reference points. Here I will only discuss the approach that I took and the problems I faced.
Below are the steps I performed :-
1. Unbox the Bluecoat package and verify that all required parts are inside the box.
2. If you have ordered any separate NIC cards, install them into the slot. Here I had difficulty opening the slot; after some time I figured out that there is a button on the top of the Bluecoat PacketShaper that you need to press first, and then remove the entire module in order to install the NIC. I would suggest doing the configuration first and then racking and cabling the device.
3. Now you need to access the Bluecoat via the GUI, or via the CLI through the console. Because the Bluecoat comes with a factory-set IP of 207.78.98.254, the easiest way I found is to connect a laptop with an RJ45 cable to the Management port and give the laptop an IP in the same range without any default gateway (for example 207.78.98.250/24). Then open the browser and go to https://207.78.98.254
The default read-write username/password is “touch/touch”; since this default is well known, change it during the initial configuration. Alternatively you can also get CLI access (which is required for running some critical commands) through the console port.
I would suggest doing the initial configuration through the CLI; the steps are self-explanatory and easy.
The only two things I found a little tricky were the inbound and outbound bps rates, which I set to 100m as my switch and router interfaces are also hard-coded to 100m/full duplex, and the class tree, where there are two options, Default or Model; I selected Default. Also make sure shaping is turned off if you do not have rules in place, as it might otherwise drop traffic.
4. Once you are in the Bluecoat, the next important thing is to license the device. You can get the license by providing the serial number on the Bluecoat site or to the vendor from whom you purchased the device. After getting the license (in .bcl format), you need to upload it via the inbuilt file browser into the Bluecoat file directories
and then run the command (license load <file location>) to install the license. To complete the license installation you need to reset the device as well.
Here I faced some challenges in finding the directory where I had loaded the license, so make sure the location starts with “file://localhost” followed by the file path.
Sample Output :-

PacketShaper# license load file://localhost/9.258/license.bcl
Updating license from: file://localhost/9.258/license.bcl
License is updated.
Run the “reset” command to activate the new license.
PacketShaper# reset

Please confirm if you really want to proceed (YES):

5. After license installation, the next step is to install the latest software image on the Bluecoat. The method is the same: first upload the software into the directory called “9.258/images” and then run the command “setup images add file://ps_11_3-.bcs”. The latest software recommended by Bluecoat was 11.3 at the time of installation.
Sample Output :-
PacketShaper# setup images add file://ps_11_3-.bcs
Installing image. Please wait…
Image upgrade successful. Please reset to activate new image.
PacketShaper# reset
 
Please confirm if you really want to proceed (YES): y
Run the command below for verification.
PacketShaper# setup image show
-------------------------------------------------------------------------------
List of Installed Images
-------------------------------------------------------------------------------
PacketShaper 11.2.1.3     Release Id: 146516
PacketShaper 11.3.2.1     Release Id: 157419  (A)

Total 2 images. (A) Active image
-------------------------------------------------------------------------------

6. Now your Bluecoat is ready to be racked and cabled.
Racking instruction :- The Bluecoat comes with a rail-type kit, so make sure you are familiar with racking rail-mounted devices.
Cabling Instruction :-
Bluecoat and Router :- Crossover cable (out port)
Bluecoat and Switch :- Straight-through cable (in port)
7. After successfully installing the Bluecoat device, I faced a strange thing: all Bluecoat ports negotiated 100 Mbps half duplex, although all upstream and downstream devices were hard-coded for 100 Mbps full duplex. This was critical, as it might hamper the entire internet performance of users on the production day.
After troubleshooting for some time, I realized that it is better to hard-code the speed and duplex at the Bluecoat interface level as well.
And voila, it worked like a champ. Below are the sample outputs.
PacketShaper# setup nic Slot4_in1 100bt full
 
slot4_in1 interface set to 100Mbps full-duplex
PacketShaper# setup nic Slot4_out1 100bt full
 
slot4_out1 interface set to 100Mbps full-duplex
PacketShaper# setup nic Slot4_in2 100bt full
 
slot4_in2 interface set to 100Mbps full-duplex
PacketShaper# setup nic Slot4_out2 100bt full
 
slot4_out2 interface set to 100Mbps full-duplex
PacketShaper#
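As an added verification example (not part of the original post, and not a Bluecoat tool), the following Python parses the “setup image show” output from step 5 and the “setup nic” confirmations from step 7 to check that the intended 11.3 image is the active one after the reset and that every interface was set to 100 Mbps full-duplex. The sample text reproduces the outputs shown above, with one constructed half-duplex line added so the mismatch case from step 7 is exercised.

```python
import re

# Sample CLI output reproducing the page's 'setup image show' listing.
IMAGE_SHOW = """\
List of Installed Images
PacketShaper 11.2.1.3     Release Id: 146516
PacketShaper 11.3.2.1     Release Id: 157419  (A)

Total 2 images. (A) Active image
"""

# The page's 'setup nic' confirmations, plus one constructed half-duplex
# line (slot4_in2) so the mismatch case is exercised.
NIC_OUTPUT = """\
slot4_in1 interface set to 100Mbps full-duplex
slot4_out1 interface set to 100Mbps full-duplex
slot4_in2 interface set to 100Mbps half-duplex
slot4_out2 interface set to 100Mbps full-duplex
"""

IMAGE_RE = re.compile(r"^PacketShaper\s+(\S+)\s+Release Id:\s*(\d+)(\s+\(A\))?$")
NIC_RE = re.compile(r"^(\S+) interface set to (\d+)Mbps (full|half)-duplex$")


def active_image(output):
    """Return the version marked (A) in 'setup image show', or None."""
    for line in output.splitlines():
        m = IMAGE_RE.match(line.strip())
        if m and m.group(3):
            return m.group(1)
    return None


def image_is_active(output, expected_prefix):
    """True when the active image is the release we installed (e.g. '11.3')."""
    active = active_image(output)
    return active is not None and active.startswith(expected_prefix)


def duplex_mismatches(output, speed=100):
    """Return interfaces not confirmed at <speed> Mbps full-duplex.

    A half-duplex port facing a hard-coded full-duplex switch or router port
    causes late collisions and throughput loss (the step 7 symptom)."""
    bad = []
    for line in output.splitlines():
        m = NIC_RE.match(line.strip())
        if m and (int(m.group(2)) != speed or m.group(3) != "full"):
            bad.append(m.group(1))
    return bad
```

Run the functions against the real output captured after the reset; any interface returned by duplex_mismatches still needs the hard-coding shown in step 7.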
8. If everything is fine and traffic is passing through the Bluecoat as expected, we will see the graph below on the home screen.
Testing :-
Testing is very critical for any kind of deployment.
Although we are putting the Bluecoat in inline mode, initially all traffic will be passed through, and we will observe traffic for two weeks and collect data before putting any rules in place.
1. Unplug the first physical connection from the internet router and see if traffic goes through the second connection.
2. Switch off the Bluecoat and test whether traffic is still passing or not. –> Very important
3. Test all VPNs and Websense traffic before and after the Bluecoat PS installation.
4. Test all DMVPN tunnels from the DMVPN router before and after the Bluecoat PS installation.
5. Test public services from the LAN before and after the Bluecoat PS installation.
Useful Links :-

WHY CCDE?

This question popped up in front of me when I finally decided to pursue my next certification in the design field. Some people say that CCIE somehow acts as a prerequisite for CCDE. However, in my point of view it really depends on which background you are coming from and what you are trying to achieve in your future endeavors. Although Cisco has no prerequisite for CCDE (you can do CCDE even if you don’t have CCNA), it is recommended that you have at least 7 years of experience in network design, implementation and operation.

In my perspective CCIE is all about implementation and troubleshooting; CCDE, on the other hand, is the mind and soul behind big designs. CCDE is a control-plane-driven test, and in the Cisco world they call it Layer 3, where business and technology meet.


CCDE Layer3


As a whole, CCDE breaks the problem into two pieces :-
1. Domains
Large common problem areas in designing a network.
2. Drivers
What problem are you trying to solve?
What tools do you have to solve the problem?

The domains deal with questions related to availability, serviceability, scalability, security and flexibility.

There are three main drivers. Firstly, business drivers sit at layer 9 and answer questions related to scale, continuity, expense and advantage. Secondly, application drivers sit at layer 7 and deal with bandwidth, delay, jitter and continuity requirements. Lastly, link drivers work at layer 1 and provide bandwidth, delay, expense and failure-detection characteristics.

Cisco calls it layer 3, aka the control plane, where all the above drivers meet to build networks that support the business and application requirements on top of the available links and hardware.


I have enjoyed my 2-year CCIE ride, and I did lots of implementation and design work related to Security, Data Center, Service Provider, Wireless, F5 and what not. As my CCIE certification is about to expire very soon, I had been a bit confused for the past year about the next certification. I have given almost every technology its holy share. I read all the CCIE blueprints Cisco has in its database, and then I finally came across the CCDE blueprint, and the recent development in this area amazed me. Well, to cut a long story short, CCIE is all about implementation, whereas CCDE is the design and the mind behind it. As I have now finally decided to do CCDE, my first step is the written exam, which I am taking very soon. Please hang around, as the WHY, HOW, WHERE and WHEN questions of the networking field will be answered here.