Aspiring Networker - Steven King - Creating a Dynamic Lab Environment with vEOS and GNS3 - Part II (2016-03-30)<h1 dir="ltr" style="line-height: 1.2; margin-bottom: 6pt; margin-top: 24pt;">
<span style="background-color: transparent; color: #3d85c6; font-family: "helvetica neue"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SETTING UP A DHCP AND FILE SERVER FOR USE WITH ZTP</span></h1>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Now that we have a couple vEOS instances configured and able to communicate, and we have our out-of-band network set up, we can now begin to use ZTP to provide an initial startup config.</span></div>
<b id="docs-internal-guid-1b07e261-c8b8-503c-7484-687687becb39" style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #d9d9d9; border-bottom: solid #000000 1px; border-left: solid #000000 1px; border-right: solid #000000 1px; border-top: solid #000000 1px; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">NOTE</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Notice that we did not connect the Management1 interface of either vEOS instance to anything inside of GNS3. If you remember when we created the VMs, their first interface is a host-only adapter connected to the vboxnet in VirtualBox, so it’s automatically connected and there’s nothing additional we need to do there, but GNS3 doesn’t know that so it considers the interface disconnected, and that’s OK. That saves us from having to add our management server(s) to the topology and cluttering it up (Just imagine trying to have a nice clean-looking topology in GNS3 if you had to have a connection from every vEOS instance to the management server(s) ), which is distracting and ugly - we’re better than that.</span></div>
</td></tr>
</tbody></table>
</div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ZTP is enabled as a default on the vEOS instances, but we still need to set up a server to provide DHCP and File services. For servers, Ubuntu is my go-to and I usually work with them in VirtualBox the same way I do with vEOS - I create a base image that is my raw golden standard and then create clones from it. </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In this case, I already have a base image that is running Ubuntu Server 14.04.1 LTS, so I’ll go ahead and create a clone of that to work with. For this server we’ll want one adapter connected to the vboxnet, and another adapter attached to NAT so that we can download and install DHCP and File services:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="75" src="https://lh5.googleusercontent.com/DqxZSISm6QEVM69eTIjDyxuk-_KFoqaI190mXbSyX9EHbSd5Sq0FSqnTYskyLc49wi__Yc27E08hZIFv5p1oQ3iWXDJ6gpACblvrH9OrHz_35wXH5BFwd1Ds2Ktg7hYwXLBr_cJd" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="576" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #d9d9d9; border-bottom: solid #000000 1px; border-left: solid #000000 1px; border-right: solid #000000 1px; border-top: solid #000000 1px; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">TIP!</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Something I’ve found handy is to edit the description of my server VMs in VirtualBox to reflect what they have installed. For example, my server base image has the following description:</span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BASE IMAGE - Ubuntu Server 14.04.1 LTS</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">==========================================</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ifenslave-2.6 (NIC Bonding, LACP)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">iperf 2.0.5-3</span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The description can be accessed in the VM settings under General > Description</span></div>
</td></tr>
</tbody></table>
</div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Your NAT interface should get an IP address automatically, but you’ll need to edit /etc/network/interfaces in order to statically-set the IP address in your management subnet (vboxnet) for your host-only adapter:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"># This file describes the network interfaces available on your system</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"># and how to activate them. For more information, see interfaces(5).</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"># The loopback network interface</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">auto lo</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">iface lo inet loopback</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"># The primary network interface</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">auto eth0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">iface eth0 inet dhcp</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">auto eth1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">iface eth1 inet static</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">address 172.16.128.254</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">netmask 255.255.255.0</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #d9d9d9; border-bottom: solid #000000 1px; border-left: solid #000000 1px; border-right: solid #000000 1px; border-top: solid #000000 1px; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">TIP!</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Always make a backup of the file you’re going to edit before doing so, so that you’ll have a copy of the original in case you make a mistake and need to start over. For example, when I’m backing up the original of a file I’ll do something like:</span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">sudo cp /etc/network/interfaces /etc/network/interfaces.orig</span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">And for future temporary backups I’ll just do:</span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">sudo cp /etc/network/interfaces /etc/network/interfaces.old</span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Also, for servers that will go back and forth between different interface configurations, I’ll make backups of each config, for example:</span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">sudo cp /etc/network/interfaces /etc/network/interfaces.BOND</span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This way, when I go from a configuration that isn’t using NIC bonding to a configuration </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">with</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> NIC bonding, I can just do something like the following instead of manually re-configuring the file each time:</span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">sudo cp /etc/network/interfaces.BOND /etc/network/interfaces</span></div>
</td></tr>
</tbody></table>
</div>
<b style="font-weight: normal;"><br /></b>
<br />
<h2 dir="ltr" style="line-height: 1.2; margin-bottom: 4pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "helvetica neue"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Installing and Configuring DHCP Services</span></h2>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Once you’ve verified IP addressing is good to go, update your package lists with the </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">sudo apt-get update</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> command, then install the ISC DHCP server by using </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">sudo apt-get install isc-dhcp-server</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. Then we’ll need to modify the /etc/dhcp/dhcpd.conf file. Here is a basic dhcpd.conf file you can use, substituting as necessary:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ddns-update-style none;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">default-lease-time 600;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">max-lease-time 7200;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">log-facility local7;</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">subnet 172.16.128.0 netmask 255.255.255.0 {</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> option subnet-mask 255.255.255.0;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> range 172.16.128.100 172.16.128.200;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">}</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">host SPINE1 {</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> #option dhcp-client-identifier 08:00:27:51:2b:4b;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> hardware ethernet 08:00:27:51:2b:4b;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> #fixed-address 172.16.128.21</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> option bootfile-name "http://172.16.128.254/spine1_cfg";</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">}</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As you can see, the subnet configuration represents our management network. The host configuration is really the meat & potatoes of the ZTP configuration. For the “hardware ethernet” field, enter the MAC address of the Management1 interface of your vEOS instance, which can be retrieved by using </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">show int ma1</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> command:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="53" src="https://lh6.googleusercontent.com/2n5d_lyUX1Ui2y7CKW2-B2Y_79fUu-hrySQsZhCuNc2T-IJQfP17sOjDShZU7YpL7PIlZrc0vUa8f2ujq424qT9PWtqI9MTO-Blkd-SKub4Fvv9y6Cofp7Hal8BTPu2-qpffHlWo" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The last line of the host configuration represents the location of the bootfile, which will be on the same server (after we install and configure it first of course). You may have also noticed two lines in the host configuration that are commented out - I’ve included these for reference - the client-identifier is something we’d use for a real switch, but not needed here. The fixed-address won’t be needed here either - we’ll just let the DHCP server give it a temporary IP from the pool and instead include its management IP in a configuration file that the file server will provide. After the dhcpd.conf file is modified, start the DHCP server using the </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">sudo service isc-dhcp-server start</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> command.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #d9d9d9; border-bottom: solid #000000 1px; border-left: solid #000000 1px; border-right: solid #000000 1px; border-top: solid #000000 1px; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">NOTE</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Any time you modify the dhcpd.conf file in the future, you will need to restart the service with the </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">sudo service isc-dhcp-server restart</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> command for the changes to take effect</span></div>
</td></tr>
</tbody></table>
</div>
<b style="font-weight: normal;"><br /></b>
<br />
<h2 dir="ltr" style="line-height: 1.2; margin-bottom: 4pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "helvetica neue"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Installing and Configuring File Services</span></h2>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Now we’ll need file services. For this I prefer Apache, which can be installed by using </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">sudo apt-get install apache2</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. The default location for files to be shared is /var/www/html, so in that location we will create a file called “spine1_cfg”, and provide a basic configuration, for example:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">hostname SPINE1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">!</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">aaa authorization exec default local</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">!</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">aaa authentication policy local allow-nopassword-remote-login</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">!</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">username admin privilege 15 role network-admin nopassword</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">username eapi privilege 15 secret password</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">!</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">interface Management1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> ip address 172.16.128.21/24</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">!</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">management api http-commands</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> no shutdown</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">!</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">banner login</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">******************************</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">*** SPINE1 LOGIN BANNER ***</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">******************************</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">EOF</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">!</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">banner motd</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">*****************************</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">*** SPINE1 MOTD BANNER ***</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">*****************************</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">EOF</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">!</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">end</span></div>
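The reference config above, generalised for a whole lab: an added example script (not from the original post, and not Arista's or ISC's code) that stamps out one config file per vEOS instance and the matching isc-dhcp-server host stanza that points ZTP at it. It assumes the dhcpd host / fixed-address / option bootfile-name syntax, the file server at 172.16.128.254 serving /var/www/html, and a constructed inventory whose MAC addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: generate one EOS config per
# vEOS instance from the spine1_cfg reference above, plus the matching
# isc-dhcp-server host stanza that points ZTP at that file.
# Assumptions (constructed for this example): file server 172.16.128.254
# serving /var/www/html, Mgmt subnet 172.16.128.0/24, and placeholder MACs
# in INVENTORY to be replaced with each instance's Management1 NIC MAC.

FILE_SERVER="172.16.128.254"
WEB_ROOT="${WEB_ROOT:-/var/www/html}"

# Constructed inventory: NAME  MGMT_IP  MGMT_MAC (placeholder MACs).
INVENTORY='
SPINE1 172.16.128.21 08:00:27:00:00:21
SPINE2 172.16.128.22 08:00:27:00:00:22
LEAF1  172.16.128.31 08:00:27:00:00:31
'

to_lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# gen_switch_cfg NAME IP: print the reference config with hostname, banners
# and Management1 address substituted. The heredoc delimiter is EOF_CFG so
# the literal "EOF" lines that terminate the EOS banners survive untouched.
gen_switch_cfg() {
    name="$1"; ip="$2"
    cat <<EOF_CFG
hostname $name
!
aaa authorization exec default local
!
aaa authentication policy local allow-nopassword-remote-login
!
username admin privilege 15 role network-admin nopassword
username eapi privilege 15 secret password
!
interface Management1
 ip address $ip/24
!
management api http-commands
 no shutdown
!
banner login
******************************
*** $name LOGIN BANNER ***
******************************
EOF
!
banner motd
*****************************
*** $name MOTD BANNER ***
*****************************
EOF
!
end
EOF_CFG
}

# gen_dhcp_host NAME MAC IP: print a dhcpd host stanza that pins the switch
# to its Mgmt IP and hands ZTP the config URL via option 67 (bootfile-name).
gen_dhcp_host() {
    name=$(to_lower "$1"); mac="$2"; ip="$3"
    cat <<EOF_DHCP
host $name {
  hardware ethernet $mac;
  fixed-address $ip;
  option bootfile-name "http://$FILE_SERVER/${name}_cfg";
}
EOF_DHCP
}

# check_inventory: return 1 if an IP or MAC is listed twice; a duplicated
# fixed-address or hardware ethernet breaks ZTP for the second switch.
check_inventory() {
    dups=$(printf '%s\n' "$INVENTORY" | awk 'NF {
        ip_seen = seen_ip[$2]++; mac_seen = seen_mac[$3]++
        if (ip_seen || mac_seen) print $1 }')
    [ -z "$dups" ]
}

# build_all OUT_DIR: write the name_cfg files into OUT_DIR (use WEB_ROOT for
# a real run) and print every host stanza to stdout for /etc/dhcp/dhcpd.conf.
build_all() {
    out="$1"
    mkdir -p "$out"
    printf '%s\n' "$INVENTORY" | while read -r name ip mac; do
        [ -n "$name" ] || continue
        gen_switch_cfg "$name" "$ip" > "$out/$(to_lower "$name")_cfg"
        gen_dhcp_host "$name" "$mac" "$ip"
    done
}

# Stand-alone run: stage in a scratch directory, then copy the configs to
# WEB_ROOT, append the stanzas to dhcpd.conf and restart isc-dhcp-server.
check_inventory || { echo "duplicate IP or MAC in INVENTORY" >&2; exit 1; }
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"
build_all "$OUT_DIR" > "$OUT_DIR/dhcpd-hosts.conf"
echo "configs and dhcpd-hosts.conf written to $OUT_DIR" >&2
```

After a run, copy the generated *_cfg files into /var/www/html, append dhcpd-hosts.conf to dhcpd.conf, and restart isc-dhcp-server as noted earlier.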
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">At this point we should have everything we need to verify functionality of ZTP - it’s the moment of truth. Use the </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">erase startup-config</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> command followed by </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">reload now </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">to reload the vEOS instance with no startup configuration, which will trigger ZTP:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="274" src="https://lh6.googleusercontent.com/CPvHQJhTf3DoRIcrIbCQ35cnTDpg-zqtvMtFqrrhS59-IcBGSoqfMW465moPKEJcGgJ3hi8D4W2kqgtYoZpG9Ol0VKEA2118kUnjKeoyMH5rlFnN8YdScnyXGemZYyhWI4Vs9pWG" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="448" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">What we want to see is a successful DHCP process followed by the switch pulling down its basic config file and then rebooting:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="276" src="https://lh6.googleusercontent.com/fbNrCoO-NjChDDShxIS1w0MGhBlJKyr8XG21iN_KDh_FOk1nbCTwygmUJ4Xg6jzncmrcvCKR6TFjfONhBEhGir_2i7Y7QhKgP8RRMp1iRwzb5h543zWSyH7HLLKKWrAl9E8u_Z91" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="452" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">So in this case, the vEOS instance was assigned a temporary IP of 172.16.128.100 from the pool, which allowed it to reach the file server at 172.16.128.254 to download its configuration file before finally rebooting. Once the instance finishes rebooting, we can verify that ZTP was successful simply by the fact we can see the hostname and login banner:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="260" src="https://lh4.googleusercontent.com/Kg6OQlO4U4ovMhWO0ktwGT3BnJ1ksoDmvJWks7scxn4Wnxpc5PkpDyN0bTiIH_rTMlTm_kG2lCmamQ68xOtB0lK2tllw1UOrWmDOg9orYBSYULbtlPat1GQM4tlMyCQzjkD53HHD" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="422" /></span></div>
<br />
<span style="font-family: "cambria"; font-size: 16px; vertical-align: baseline; white-space: pre-wrap;">Congratulations - you’ve just done your first automated “bare-metal” provisioning with ZTP! Now you have a good reference config to work off of - just copy the spine1_cfg file as many times as needed for each vEOS instance, modify the appropriate fields (Mgmt IP address, hostname, etc.), and you’re good to go. Don’t forget that you’ll also need to add the appropriate DHCP host configurations.</span>
Steve King, 2016-03-30
Creating a Dynamic Lab Environment with vEOS and GNS3 - Part I<h1 dir="ltr" style="line-height: 1.2; margin-bottom: 6pt; margin-top: 24pt;">
<span style="background-color: transparent; color: #3d85c6; font-family: "helvetica neue"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">GETTING STARTED</span></h1>
<h2 dir="ltr" style="line-height: 1.2; margin-bottom: 4pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "helvetica neue"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Preliminary Installation Setup</span></h2>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Install GNS3</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Install VirtualBox</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Get ahold of the .vmdk and aboot.iso files</span></div>
<b id="docs-internal-guid-1b07e261-c8b6-aa55-6b85-89a3c5c42acc" style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">It is recommended to install VirtualBox AFTER you install GNS3 to avoid problems with GNS3 detecting VirtualBox.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Go to </span><a href="http://www.arista.com/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">www.arista.com</span></a><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, and go to Support > Software Download. The two files you’ll want are the .vmdk file as well as the Aboot .iso file:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="353" src="https://lh5.googleusercontent.com/kLow5YG_-2hj98N6GUU0goq7nuQ2EEHJjXHY7Zkok97RA7IFYFK8vDmJWuT_dnEjqivjVZ00rkyU7fN42yCoTEXRaF6XbnwCnL1H8dfc-nhuO6BKyOFDpp9H0GmW-K6a9voWF1QB" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="304" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<h2 dir="ltr" style="line-height: 1.2; margin-bottom: 4pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "helvetica neue"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Creating the Management Network</span></h2>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To simulate an out-of-band management network, we will create a vboxnet interface, similar to a loopback interface, on our laptop. This will also allow us to interact with our virtual machines via SSH, etc.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Open VirtualBox, go to Preferences, and click </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Network</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. Select “Host-only Networks”, and then click the NIC adapter image with a plus symbol on it to add a new host-only network if there isn’t one already:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="230" src="https://lh3.googleusercontent.com/FKgDnoL1ibW2yUrvgFH1QW9ue_hlMTUmFnw97BwFCy8_6QUcSWpGebd49PcIMDvfGW6JXUIezaspLK1PgICG2s3hBQPGWE7XHikYkB54vX2jYXcOIEYxIwc-uPKXUGrN7HcNwBgl" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="344" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Select your newly-created vboxnet and click the screwdriver icon to configure it:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="217" src="https://lh4.googleusercontent.com/LIwJvTh8CA61J1t9S8wiLgBL1t44BDS4ZU6zjvELxLD0oJhvvGYZ_U_Jvx6fC1rTqiZ7ZuHvwO6A52pO09-nJodzFtabYGpMnLCtOqTqz5frQDDFh_kYPdFL_2qsoMo6WkcagaQo" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="341" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">We’re going to be using ZTP to provision our switches, so select “DHCP Server”, ensure “Enable Server” is unchecked, and then click </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OK</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="219" src="https://lh5.googleusercontent.com/4kXy3uUPL9GOJ1VuI-tYF92XZtk2-01woGvzSiJnWnsU5_JQBIksoSTmuvpzPWrgPe79P2jKmnOCt-6R1uha7HXlRj7L0oqcEfdoRqQib-fGkkq4U5bE-lEreNbNhxO2qehvhbep" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="343" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Verify you have a new interface reflecting your vboxnet configuration:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="65" src="https://lh3.googleusercontent.com/wRiJxgIJXSoHk1LefQy7rSYx7fL2MxfUHkdb7roy7nxsFk7KcHpilmkR0_EV-lJzhLD_bpEBiULmfm9J-n_sAVOYDu_Tvgeg5tcDsAv0qdmIpgbUNUepjJdQjC83pzgR6UVyKC0L" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="576" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<h1 dir="ltr" style="line-height: 1.2; margin-bottom: 6pt; margin-top: 24pt;">
<span style="background-color: transparent; color: #3d85c6; font-family: "helvetica neue"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SETTING UP vEOS</span></h1>
<h2 dir="ltr" style="line-height: 1.2; margin-bottom: 4pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "helvetica neue"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Creating a Base Image</span></h2>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">You’ll want a nice, clean base image to create clones from. </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To begin, in VirtualBox, click </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">New</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="269" src="https://lh4.googleusercontent.com/6EDcpAlZ7vAAF4B0NY8ZojKsd7mPaMMFtPUFGTID3CgwPNLJbQFxCFqzp4WSVfEijUR-m4ucemgQflqRjhUkoaXid_c6wuazwpsdKrejoCkH4ExcFret7kDzNOS8I5joxwD0ggZF" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="354" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Give your base image a name. Use the drop-down menus to set the Type to “Linux”, the Version to “Other Linux (64-bit)”, and then click </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Continue</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="231" src="https://lh3.googleusercontent.com/dloJN2aYbXeIA5pvbLa2ncZ2uvMk4qX97nTp6w2cW7XT788w3EVyorDdVuq4lLS-b9_9CEEu0BGwjp2gIXcpoxWg_RGa7QTqFXLv7QzWchjLTBHabjgtVPAXQDbSpJltETRX6Ed-" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="362" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Set the memory allocation to 2048, and then click </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Continue</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="233" src="https://lh4.googleusercontent.com/SWQuIp2PmSVpY066tKGpgPryBCoiJnUT9zzaP_sdg9nDSm7j1MsvrgEe8qMCR5y4sOCtoyn7bwq7WKYMR309DyNMQaU3kQDBC49OeIE3LY2Bj80OQet6f8RYtGNV7kLm1M_LAej9" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="360" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Select “Use an existing virtual hard disk file”, select the .vmdk file you downloaded earlier, and click </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Create</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="235" src="https://lh3.googleusercontent.com/yA5tbrdGhV528jZXFKauOogh8w_o5aUsDizHNrn7rNparlaH_Oot6VQWeK_uIIsjwtlDHcMsNM3ttTHPiIw9wwlS18bSfm07lhldIRMd6u5dbqUepBw-XUEUGa9za2j5W1WFWsQM" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="364" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Our base image has been created, but now must be configured. Select the new base image, and click </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Settings</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="289" src="https://lh4.googleusercontent.com/zB3aGS6oAzvL5LyExMeH8ZTcuSctYin1_fHHXoq1_QWqD-W8KMekX_zEoOTXUDegl29tO5lP3_s34KEqxWYloPt5oBgx_M8LqKBYKY5Oo6o560HW3jzJP6FMbyx_VqA81A5XlxTV" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="375" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Click </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Storage</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, and then use the drop-down menu to set the second entry under “Controller: IDE” to IDE Secondary Master. Then click the small CD icon and select the Aboot.iso file downloaded earlier:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="301" src="https://lh5.googleusercontent.com/cx5QNNwiG3YNgw33J3SUCh2SXjUS5ZgchAayRm_YgV5_OBDAgKRSHg-DkrcOipRP57JSKw-tUdSaJ0gu9Cm13ViSxGFJzcVwY2ZaKt3tQRF2WvS_TR3Hs1lk-bNTTOSaxqz9qzlu" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="375" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Click </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Network</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, select Adapter 1, ensure “Enable Network Adapter” is checked, and use the drop-down menu to select “Host-only Adapter”. Ensure the Name is populated with the management network created in the previous section, use the drop-down menu to set the Adapter Type to “PCnet-FAST III”, and ensure that “Cable Connected” is checked. Click </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OK</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to save your changes:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="272" src="https://lh4.googleusercontent.com/9mAK59HS8h9fqzTOPqZo3IBZ85M6-rw064Cxqlmyn-ecYx4zQL625lQuW_lwbh4hQVncOHdmSjlvWUeccq8yIaNRC_nOJFCbqn3jAs_Zp8TCdjaA2C4THkwiwqVJ3tL7kHUkKl3y" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="384" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Leave the rest of the Adapters alone - these will be configured for you by GNS3 later.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Verify your base image settings and launch the VM to verify it successfully boots:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="447" src="https://lh6.googleusercontent.com/USDsfqj5r12xfYfLiiTOigW-3KX1ha0U2GVZDYksspDUOMcFn9UcUZrbYan32Z0OiC6d2Qxnn2of32LMBD8oSdQTYwrdIso_Y1SDZ88geRVS259xci77-OiwNlSFNsJmVCmkQOll" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="467" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="246" src="https://lh3.googleusercontent.com/WtCaAl69mpa4DGomFUMHDdSkq0x-GKApvQuRd7y7ubgf7G4_K8gOcvqp4mc_668NwdZEJvR9RO49o0K6PFd0_kIopmwCkP4X4IO9TUHxBamQuPVxfwxlglUODlV3qwp-b4qsvQLH" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="400" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #d9d9d9; border-bottom: solid #000000 1px; border-left: solid #000000 1px; border-right: solid #000000 1px; border-top: solid #000000 1px; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">TIP!</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">At this point, you have a decision to make. You can either leave the base image as-is and configure </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">everything</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> on the clones that you will make, or if there’s something that will be configured on every clone, such as a username, you could configure this in your base image so that you won’t have to do it on your clones. For our lab though, we’re going to be provisioning everything with ZTP and Ansible, so I’m going to leave the base image as raw as possible. If you noticed, we created a host-only adapter in our base image so that every time we create a clone, it will already have its first adapter be its management connection. You’ll see why later.</span></div>
</td></tr>
</tbody></table>
</div>
<b style="font-weight: normal;"><br /></b>
<br />
<h2 dir="ltr" style="line-height: 1.2; margin-bottom: 4pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "helvetica neue"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Creating Clones</span></h2>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If you haven’t already, shut down your base image. Now, in VirtualBox, right-click it and select “Clone”. Click “Expert Mode” - because you’re clearly too awesome for that guided nonsense (and doing it this way is just quicker). Give your clone a name, ensure that “Full Clone” and “Reinitialize the MAC address of all network cards” are selected, and then click </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Clone</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> - repeat as necessary to create additional clones:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="193" src="https://lh5.googleusercontent.com/bMhfY4W7wtHlZtjE-uUTE5JYcfnc39KgwQKc47tnh-oFNOuHrZzKsyRUqacoorpHG1BfgVZXpXXoBFXjSoCs3D6XQGPojBfu_yjXHGp6aX1n2PrKIVdMgDKSxvAWpgwBtvnnSuaa" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="422" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #d9d9d9; border-bottom: solid #000000 1px; border-left: solid #000000 1px; border-right: solid #000000 1px; border-top: solid #000000 1px; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">WARNING!</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This part is very important. If you select “Linked Clone”, your clone will be linked to the base image instead of creating its own disk file. This means that if you accidentally choose to delete all files when you delete your clone later, you will effectively delete your base image as well.</span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If you do not select “Reinitialize the MAC address of all network cards”, all clones will have the same MAC address as your base image, and you can imagine the fun that will create in your virtual network.</span></div>
</td></tr>
</tbody></table>
</div>
<b style="font-weight: normal;"><br /></b>
<br />
<h1 dir="ltr" style="line-height: 1.2; margin-bottom: 6pt; margin-top: 24pt;">
<span style="background-color: transparent; color: #3d85c6; font-family: "helvetica neue"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">GETTING STARTED IN GNS3</span></h1>
<h2 dir="ltr" style="line-height: 1.2; margin-bottom: 4pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "helvetica neue"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Adding VMs to GNS3</span></h2>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">GNS3 has very tight integration with VirtualBox. As you create connections between your vEOS instances, server VMs, etc., GNS3 takes care of all configuration needed on your VirtualBox VMs for you - no manual configuration needed inside of VirtualBox itself for each new connection. </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To get started, we’ll need to add our newly-minted cloned vEOS instances to GNS3. Open GNS3, start a new project, and then open Preferences. Go to VirtualBox > VirtualBox VMs, click </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">New</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, use the drop-down menu to select your newly-created clones, and then click </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Finish </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">- repeat as necessary:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="445" src="https://lh3.googleusercontent.com/EBT-lC8sN-luybaPC2PW2lSsjmehV199QDc2yUgfUh7QcTrHnhIofLxdZsQTsZcsiCWz9HJxhPJw_Bua6NL0H29KopDkzdeEgQgd-zKJ4itAmrPtcpPvizGmRWlaUsnBLGAPvJ0z" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="486" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Select your VM and click </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Edit</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. Under “Network”, configure the following and then click </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Ok</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, repeating as necessary for each VM:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="316" src="https://lh6.googleusercontent.com/fSArmPZf2LU9RiLE4EI3-qD_eVvI96VZQeDpOjvOZqPVLQNmvMsEm5oIpHvPCeezUgKmDtQAZ9x-_OtS05VTc910TCElrvhG3QnPdXGcqlPz2cHkRo-HcqqNeGox_cflRTdlEw-6" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="389" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #d9d9d9; border-bottom: solid #000000 1px; border-left: solid #000000 1px; border-right: solid #000000 1px; border-top: solid #000000 1px; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">NOTE</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">At the time of this writing, VirtualBox can support a maximum of 8 adapters. Refer to the article in “Resources/Recommended Reading” for details. The first adapter will be your management interface, hence the “First port name:”, and then you’ll have an additional 7 interfaces to play with.</span></div>
</td></tr>
</tbody></table>
</div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; width: 624px;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #d9d9d9; border-bottom: solid #000000 1px; border-left: solid #000000 1px; border-right: solid #000000 1px; border-top: solid #000000 1px; padding: 7px 7px 7px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">TIP!</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If you want your VM to cosmetically appear more like a switch in GNS3, under “General Settings”, set the Category to “Switches”, and change the Symbol to “Multilayer Switch”.</span></div>
</td></tr>
</tbody></table>
</div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Click </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Apply</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, and then click </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OK </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">to exit.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Now that our vEOS VMs are configured in GNS3, we can start building our virtual network. On the main project screen, click “Browse All Devices”, and then drag-and-drop your VMs onto the topology panel (the center panel):</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="306" src="https://lh3.googleusercontent.com/UFjpk_ACs_cELCHqaHtmBHLTwjk4pCR6XZ7j5mNS16Y-bDjS-_t7880uj5VJvcAWFLULS72Qcgk1u8NvtiyimZXG8ON6jGyXL0N-Qs7gZ_wjayTaBg-dFEWvlM9SoaHxC8tEuyaY" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="585" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Click “Add a Link”, click one VM, select “Ethernet1”, and connect it to your other VM on the same interface:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="393" src="https://lh5.googleusercontent.com/MEUhfLuN0oI8wXTw9pd07uoT_ilniRVY_8ptweCBiTiG1t1LOobEV5fx8Nfja06z35xG3qiD080WV7LLZrimiU8v34fIb2R2Lzg5jefNmZrO6xCDmYBqn014YYzaBcqo_jET0oyJ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="398" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Click “Start/Resume all devices”, and when the VMs have finished booting, set up some VLANs and SVIs and verify you have connectivity:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="472" src="https://lh6.googleusercontent.com/28hoAH3FYA2O1oTQY7PABNT2c3ZrOgL4_RMCrrR6H72oSPP7GvOa4avDLGhWGnGTt1l23wpsIDGHfojeFGC41RTEthk04HRt_NipED88PoipSCKSAUSR09hKmDHak_fumIdU_E5l" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="496" /></span></div>
<br />
<span style="font-family: "cambria"; font-size: 16px; vertical-align: baseline; white-space: pre-wrap;">Great! Let’s move on to providing “bare-metal” provisioning with ZTP.</span><br />
<br />
Steve King<br />
<br />
<h1 dir="ltr" style="line-height: 1.2; margin-bottom: 6pt; margin-top: 24pt;">
<span style="background-color: transparent; color: #3d85c6; font-family: "helvetica neue"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">How Rapid Spanning Tree Protocol (RSTP) Handles Topology Changes</span></h1>
2015-09-21<br />
<br />
For this exploration I'm using Arista's Virtual Extensible Operating System (vEOS) version 4.15.0F running in GNS3 (which is pretty awesome). The virtual switches have been configured in rapid-pvst mode.<br />
<br />
Here is the topology:<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDnrlhQZM14CjWM080jsiixw9jGxnuz1Maqej_HdjBohF0xfKqDsWOhRKuApo5XmXOpIbl6FX7H_4NCj5YEVvWQTL7T7eCK62PzADkm_fntB0ZHvEyJrBDcgr2hruOgA4rHpfkVXNhWWTu/s1600/RSTP+TC.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDnrlhQZM14CjWM080jsiixw9jGxnuz1Maqej_HdjBohF0xfKqDsWOhRKuApo5XmXOpIbl6FX7H_4NCj5YEVvWQTL7T7eCK62PzADkm_fntB0ZHvEyJrBDcgr2hruOgA4rHpfkVXNhWWTu/s640/RSTP+TC.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
EtherSwitches have been added only to capture traffic off monitoring sessions set up on Switch1 and Switch2 to look at in Wireshark. The Ubuntu server can be ignored for the purposes of this blog entry.<br />
<br />
Only VLAN 1 is present on all switches and Switch1 is configured to be the primary root, while Switch2 is configured to be the secondary. Here's the current state of the network:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimqOwuGCP4PhXY8JL6avVX7MWoXPMs4syFup3iEosNbck7wZCWJ1giGbR9u2AzNMEY_cdWNW6BxpJAKNVm747XZsJcv3sdo38n94SeiNShIDfoKwiJ6_rLrIDPzOTP0w9yppgvZBItPhA-/s1600/RSTP+TC2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="363" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimqOwuGCP4PhXY8JL6avVX7MWoXPMs4syFup3iEosNbck7wZCWJ1giGbR9u2AzNMEY_cdWNW6BxpJAKNVm747XZsJcv3sdo38n94SeiNShIDfoKwiJ6_rLrIDPzOTP0w9yppgvZBItPhA-/s640/RSTP+TC2.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
First it's important to note that only a single thing will trigger a topology change event - the transition of a non-Edge port from a non-Forwarding to a Forwarding state. Why? Because this newly Forwarding port could provide a better path to a given destination MAC address than existed before, so the CAM table needs to be updated to reflect that and to prevent the same MAC from being shown on more than one port. It sounds strange that the loss of a Forwarding port doesn't trigger a topology change event, but think about it - in a L2 world, you can't have multiple active paths to reach a destination. "There can be only one." Otherwise it would likely mean there is a loop. Taking that into consideration, if our only path to a destination MAC breaks, we know we can't get there unless another path is created by another port transitioning to Forwarding - which <i>will</i> trigger a topology change event. Voila - work smarter, not harder!<br />
<br />
To review the Topology Change process when a switch detects a topology change event:<br />
<ol>
<li>Set tcWhile timer on all non-Edge Designated ports and Root port if it exists</li>
<li>Flush MAC addresses learned on ports in step 1</li>
<li>Send BPDUs with the Topology Change (TC) flag set on these ports every Hello seconds until tcWhile expires</li>
</ol>
So let's first look at what happens locally on a switch when we shut interface Et1 on Switch4, which is its Root Port. Before doing that, I'll ping Switch4 from Switch2, then look at Switch4's CAM table:<br />
<br />
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Switch4#sh mac address-table </span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Mac Address Table</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">------------------------------------------------------------------</span></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s1"></span><br /></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Vlan Mac Address Type Ports Moves Last Move</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">---- ----------- ---- ----- ----- ---------</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 1 <span style="background-color: yellow;">0800.274a.33f1</span> DYNAMIC Et1 1 0:00:25 ago</span></span></div>
<div class="p1">
</div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Total Mac Addresses for this criterion: 1</span></span></div>
<br />
We see it learned Switch2's MAC address on Et1. Vice-versa, we look at Switch2's CAM table and see it learned Switch4's MAC on Et1:<br />
<br />
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Switch2#sh mac address-table</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Mac Address Table</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">------------------------------------------------------------------</span></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s1"></span><br /></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Vlan Mac Address Type Ports Moves Last Move</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">---- ----------- ---- ----- ----- ---------</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 1 <span style="background-color: yellow;">0800.277b.3066</span> DYNAMIC Et1 1 0:00:28 ago</span></span></div>
<div class="p1">
</div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Total Mac Addresses for this criterion: 1</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now, let's do the same process over again, but then shut down Et1 on Switch4. Et1 is Switch4's Root Port, so what should happen is Et2, which is an Alternate Port, should transition to a Forwarding state. This meets the criteria for a topology change event.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After we shut Et1, we take a look at the spanning tree status on Switch4:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Switch4#sh span</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">VL1</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Spanning tree enabled protocol rapid-pvst</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Root ID Priority 4097</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Address 0800.2773.3845</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Cost 4000 (Ext) 0 (Int)</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Port 2 (Ethernet2)</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Hello Time 2.000 sec Max Age 20 sec Forward Delay 15 sec</span></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s1"></span><br /></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Address 0800.277b.3066</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Hello Time 2.000 sec Max Age 20 sec Forward Delay 15 sec</span></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s1"></span><br /></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Interface Role State Cost Prio.Nbr Type</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">---------------- ---------- ---------- --------- -------- --------------------</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="background-color: yellow;">Et2 root forwarding</span><span style="background-color: white;"> 2000 128.2 P2p </span> </span></span></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Et3 alternate discarding 2000 128.3 P2p</span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Et2 transitioned to a Root role, Forwarding state, which qualifies as a topology change event. Looking at the CAM table of Switch4, we see the previous entry is now gone:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Switch4#sh mac address-table </span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Mac Address Table</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">------------------------------------------------------------------</span></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s1"></span><br /></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Vlan Mac Address Type Ports Moves Last Move</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">---- ----------- ---- ----- ----- ---------</span></span></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Total Mac Addresses for this criterion: <span style="background-color: yellow;">0</span></span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Looking at Switch2, we see the previous entry is gone as well:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Switch2#sh mac address-table </span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Mac Address Table</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">------------------------------------------------------------------</span></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s1"></span><br /></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Vlan Mac Address Type Ports Moves Last Move</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">---- ----------- ---- ----- ----- ---------</span></span></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Total Mac Addresses for this criterion: <span style="background-color: yellow;">0</span></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Why did this also happen on Switch2? If you scroll back up to what happens on a switch during a topology change event, the last item mentioned sending BPDUs with the TC flag set:<br />
<blockquote class="tr_bq">
<i>Send BPDUs with the</i> <i>Topology</i> <i>Change (TC) flag set on these ports every Hello seconds until tcWhile expires</i></blockquote>
So once Switch4 detected the topology change, it started firing off BPDUs with the TC flag bit set out its newly-elected Root Port, interface Et2.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNZwATiebU339OoSVtI7WI_rb_nUKJtxjN6o1OE21GAqc_O6mpecm3094enR9tOkkKktE0WRuBPexs9ewI34Og6tF7CNXwVWvXbgERGYnCwnqqcM-050SiYOK_OvXBLfagJD_cNOnBG0J3/s1600/TC+Wireshark.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="460" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNZwATiebU339OoSVtI7WI_rb_nUKJtxjN6o1OE21GAqc_O6mpecm3094enR9tOkkKktE0WRuBPexs9ewI34Og6tF7CNXwVWvXbgERGYnCwnqqcM-050SiYOK_OvXBLfagJD_cNOnBG0J3/s640/TC+Wireshark.png" width="640" /></a></div>
<br />
<br />
Once a switch experiences a local topology change, or <i>learns</i> about one from another switch by receiving a BPDU with the TC flag set on a Root or Designated port, it too will in turn go through the same process. So let's take a look at what happened on the network holistically:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSqo-dWtDERACt21WdNWum3iBpb58-7ImsS4iJKM0Qs8z-wkglPkwGlXWCVvExbIMBeZL8jtn-3HeytGbUCasAYw9CFI94wosCt9xTN4kWP9zrbRjq7fM8wlJAwDAvEXvb4ZNKPb2mf7ee/s1600/RSTP+TC3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="442" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSqo-dWtDERACt21WdNWum3iBpb58-7ImsS4iJKM0Qs8z-wkglPkwGlXWCVvExbIMBeZL8jtn-3HeytGbUCasAYw9CFI94wosCt9xTN4kWP9zrbRjq7fM8wlJAwDAvEXvb4ZNKPb2mf7ee/s640/RSTP+TC3.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<ol>
<li>Interface Et1, which was the Root Port for Switch4, is shut down. Switch4 had previously elected Et2 as an Alternate Port, so it immediately transitions that port to the new Root Port. This places Et2 into a Forwarding state, which triggers a topology change event, so Switch4 sets the tcWhile timer, flushes the CAM table entries learned on Et2, and begins sending BPDUs with the TC flag set out the same port. At the same time, Et3 begins receiving superior BPDUs, so it transitions from a Designated Port to an Alternate Port.</li>
<li>Switch2 receives a BPDU with the TC flag set on Et4, so it sets the tcWhile timer, flushes any CAM table entries learned on its Root Port and its other Designated Port (Et1 and Et3, respectively), and begins sending BPDUs with the TC flag set on those same ports. Ultimately, the TC BPDU sent from Et3 will be discarded upon reaching Switch3.</li>
<li>Switch1 receives a TC BPDU on Et2. It sets the tcWhile timer, flushes learned CAM table entries, and sends TC BPDUs from its only other remaining active Designated Port, Et5.</li>
<li>After interface Et1 on Switch4 was shut down, Switch3 began receiving what it determined to be inferior BPDUs on Et4 due to Switch4 now advertising a higher Root Path Cost (RPC), so Switch3 transitioned the port from an Alternate Port to a Designated Port. Switch3 then receives a TC BPDU on Et1, so it sets the tcWhile timer, flushes any learned CAM table entries, and sends TC BPDUs out its only other Designated Port, Et4 - which will end up being discarded.</li>
</ol>
<div>
At this point, all switches have been informed and made the appropriate changes into a new, loop-free converged topology. So that's how the topology change process is handled in RSTP! </div>
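To make the three-step process and the four-step walkthrough above concrete, here is an added Python model of the TC handling (example code written for this page, not part of the original post). Switch names, port roles, MAC addresses and the Hello time come from the post; Switch1's port toward Switch4 (Et3) and Switch3's port toward Switch2 (Et2) are not named in the post and are assumed.<br />

```python
from collections import deque
from dataclasses import dataclass, field

ROOT, DESIGNATED, ALTERNATE, DOWN = "root", "designated", "alternate", "down"
HELLO_TIME = 2.0  # seconds, as shown by "sh span" on Switch4


@dataclass
class Port:
    role: str
    tc_while: float = 0.0  # seconds left to keep sending TC BPDUs out this port


@dataclass
class Switch:
    name: str
    ports: dict                                    # port name -> Port
    mac_table: dict = field(default_factory=dict)  # MAC -> port it was learned on
    log: list = field(default_factory=list)        # event trace for the reader


def tc_ports(sw, exclude=None):
    """Step 1: non-Edge Designated ports plus the Root port. The port a TC BPDU
    just arrived on is left out, so a TC never bounces back the way it came."""
    return [n for n, p in sw.ports.items() if p.role in (ROOT, DESIGNATED) and n != exclude]


def flush_learned_on(sw, port):
    """Step 2: drop every MAC entry learned on the given port; returns what was dropped."""
    gone = [m for m, p in sw.mac_table.items() if p == port]
    for m in gone:
        del sw.mac_table[m]
    return gone


def propagate_topology_change(net, links, origin, received_on=None):
    """Run steps 1-3 on `origin`, then on every switch that receives the TC BPDU on a
    Root or Designated port. TC BPDUs landing on Alternate (discarding) ports are
    dropped, which is what confines the propagation to the active tree."""
    queue = deque([(origin, received_on)])
    while queue:
        name, rx_port = queue.popleft()
        sw = net[name]
        for pname in tc_ports(sw, exclude=rx_port):
            port = sw.ports[pname]
            if port.tc_while == 0.0:  # 802.1D-2004 newTcWhile(): HelloTime + 1 s
                port.tc_while = HELLO_TIME + 1.0
            flushed = flush_learned_on(sw, pname)
            sw.log.append(f"{name} {pname}: tcWhile set, flushed {flushed}, sending TC BPDUs")
            nbr_name, nbr_port = links[(name, pname)]  # step 3: the TC BPDU crosses the link
            nbr = net[nbr_name]
            if nbr.ports[nbr_port].role in (ROOT, DESIGNATED):
                nbr.log.append(f"{nbr_name} {nbr_port}: TC BPDU received from {name}")
                queue.append((nbr_name, nbr_port))
            else:
                nbr.log.append(f"{nbr_name} {nbr_port}: TC BPDU from {name} discarded")
    return net


def build_lab():
    """The post's four-switch lab before the failure; Switch1 is the root bridge.
    Port numbers marked 'assumed' are not stated in the post."""
    net = {
        "Switch1": Switch("Switch1", {"Et2": Port(DESIGNATED), "Et5": Port(DESIGNATED),
                                      "Et3": Port(DESIGNATED)}),  # Et3 (toward Switch4) assumed
        "Switch2": Switch("Switch2", {"Et1": Port(ROOT), "Et3": Port(DESIGNATED),
                                      "Et4": Port(DESIGNATED)}),
        "Switch3": Switch("Switch3", {"Et1": Port(ROOT), "Et4": Port(ALTERNATE),
                                      "Et2": Port(ALTERNATE)}),   # Et2 (toward Switch2) assumed
        "Switch4": Switch("Switch4", {"Et1": Port(ROOT), "Et2": Port(ALTERNATE),
                                      "Et3": Port(DESIGNATED)}),
    }
    links = {}
    for a, ap, b, bp in [("Switch1", "Et2", "Switch2", "Et1"), ("Switch1", "Et5", "Switch3", "Et1"),
                         ("Switch1", "Et3", "Switch4", "Et1"), ("Switch2", "Et3", "Switch3", "Et2"),
                         ("Switch2", "Et4", "Switch4", "Et2"), ("Switch3", "Et4", "Switch4", "Et3")]:
        links[(a, ap)], links[(b, bp)] = (b, bp), (a, ap)
    return net, links


def shut_switch4_et1():
    """Reproduce the post's scenario: ping, shut Switch4 Et1, let Et2 take over."""
    net, links = build_lab()
    net["Switch4"].mac_table["0800.274a.33f1"] = "Et1"  # Switch2's MAC, learned by the ping
    net["Switch2"].mac_table["0800.277b.3066"] = "Et1"  # Switch4's MAC, learned by the ping
    s4, s1, s3 = net["Switch4"], net["Switch1"], net["Switch3"]
    # Link down: entries on the dead port go with it; losing a Forwarding port is NOT a TC event
    s4.ports["Et1"].role = s1.ports["Et3"].role = DOWN
    flush_learned_on(s4, "Et1")
    # Walkthrough step 1: the Alternate port becomes Root port, i.e. a non-Edge port goes
    # Discarding -> Forwarding, the one thing that triggers a topology change event
    s4.ports["Et2"].role = ROOT
    s4.ports["Et3"].role = ALTERNATE   # superior BPDUs now arrive from Switch3 on Et3
    s3.ports["Et4"].role = DESIGNATED  # step 4: Switch3 now sees inferior BPDUs from Switch4
    return propagate_topology_change(net, links, "Switch4")


if __name__ == "__main__":
    for sw in shut_switch4_et1().values():
        print("\n".join(sw.log))
```

Running it prints the same sequence the four steps describe: Switch2 flushes Switch4's MAC from Et1, Switch1 relays the TC out Et5 only, and the BPDUs Switch2 sends out Et3 and Switch3 sends out Et4 are discarded on the Alternate ports they reach.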
Steve King, http://www.blogger.com/profile/04775687255751268489<br />
<h1>
BGP in an Arista Data Center</h1>
Published 2015-08-20, updated 2016-02-05.<br />
<br />
The following is a practical analysis of the use of BGP in the DC on Arista platforms, based largely on Petr Lapukhov's work with BGP in hyperscale DCs.<br />
<br />
<h2>
Why Layer 3 (L3)?</h2>
<div>
<br /></div>
There are several reasons to run a L3 routing protocol over legacy layer 2 (L2) designs in the data center. Leveraging standards-based routing protocols avoids vendor lock-in, provides faster convergence, minimizes L2 fault domains, and allows better traffic engineering.<br />
<br />
<h3>
Extension of L2</h3>
<div>
<br /></div>
Naturally something that comes into question in a L3 switch fabric is, “What if I need L2 adjacency between hosts?” For Arista, the extension of L2 services across a L3 switch fabric is provided by Virtual eXtensible LAN (VXLAN). While closely related, in-depth discussion of the “network overlay” provided by VXLAN is outside the scope of this post.<br />
<br />
<div>
<h2>
Why BGP?</h2>
<div>
<br /></div>
Some might question the use of BGP within the data center due to it being designed for, and in the past primarily leveraged as, an EGP. However, BGP provides several benefits in a data center switch fabric, such as:<br />
<ul>
<li>Less complexity in protocol design</li>
<li>Relies on TCP rather than adjacency formation/maintenance and/or flow control</li>
<li>Less “chatty”</li>
<li>Supports third-party (recursively-resolved) next-hops</li>
<li>With proper ASN usage, built-in loop prevention via AS_PATH</li>
<li>Better support for traffic engineering</li>
</ul>
<div>
<br /></div>
<h2>
General Operations Within the Fabric</h2>
<div>
<br /></div>
<h3>
ASN Scheme Option 1 (Per-Rack Leaf AS)</h3>
Below is a diagram derived mostly from an IETF Draft that is a joint effort by Facebook, Google, and Arista Networks for very large data centers. It is shown in entirety to help visualize the reuse of ASNs at the leaf layer.<br />
<br />
<br />
<div style="text-align: center;">
<img height="256" src="https://lh5.googleusercontent.com/twfJmRAyK8zxtBGw7z286yAQPrT1gd-0xLMw3H0xr2P5FmJD6hQP0r0u-rSoTrC23tJwG4zravDn0p4SJFQWeUe9yD_UUKiLibrwsfSsuQjU3cLLRoZZn-iyqeQbzP-mpz4u2C8" width="640" /></div>
<div style="text-align: center;">
<br /></div>
Notice that ASNs are reused at the leaf layer for each “cluster” or “pod”. This is achievable by configuring the leaf switches with <b>allowas-in</b>, and minimizes the need for 4-Byte ASNs which not all vendors support. Loop prevention is provided at the spine layer by placing spine switches within the same AS at each cluster/pod.<br />
<br />
Going forward, focus will be on the spine/leaf elements.<br />
<br />
<div style="text-align: center;">
<img height="320" src="https://lh5.googleusercontent.com/OurzKd_ty_UmW5rr85mwoqQR1_8SDwrW6LU4VAnrRKXMouopRulzrcQBaYsQKe542Te9uaI7oub7mRDoFldqYMSD2UB0ScDp26vugnJieQoYP6VKhqc_F6KPD1IAaWQ-P-YBh04" width="400" /></div>
<br />
<h3>
ASN Scheme Option 2 (Leaf Layer AS)</h3>
Another option could be to use the same AS at every leaf:<br />
<br />
<br />
<div style="text-align: center;">
<img height="340" src="https://lh3.googleusercontent.com/rcEfr_VIBGZKTMM9cR9BtkyPg1JSUuHFaMcymv44VrvhbmRIacxxzhw5NQiSpfeBMNNybhOJAM0qoZXd7HhyayjPeVnr_fWOVI9cQBiMvxfgXOtBP1WxKef9jv_EUUTqd1vvaRE" width="400" /></div>
<br />
<br />
Advantages of this design include less ASN usage, simple configuration templatization, and with that, better support for automation. A disadvantage is losing the ability to trace routes via AS_PATH (at least without additional configuration). These topics are further discussed in later sections.<br />
<h3>
Intra-AS Spine-to-Spine Reachability</h3>
<br />
Due to the spine switches being in the same AS, direct reachability from spine-to-spine within the same AS is not supportable without breaking loop prevention within the architecture itself. However, the impact of this is very minimal and should mostly be ignored.<br />
<br />
<h2>
Dynamic Neighbor Discovery</h2>
<div>
<br /></div>
As a data center scales out, it is possible that many more leaf switches will be added. To make life easier, it is very desirable to automate and reduce configuration however possible. BGP dynamic neighbors configured at the spine layer provides a mechanism to dynamically add new leaf switches as BGP peers based on an IP address range. To support this, care must be taken in IP addressing as described in the “IP Addressing and Prefix Advertisement” section.<br />
<br />
<h3>
BGP Dynamic Neighbors with Per-Rack Leaf AS</h3>
Below is a diagram depicting the utilization of a separate AS at each rack:<br />
<br />
<div style="text-align: center;">
<img height="404" src="https://lh4.googleusercontent.com/OyB4MmXlaf3hl994L5ZGVGo3o_AdvLN4ZZ65F-OBJWToNVxipvUJZ88yDWdUf2W6AcboG0j8xGMPLo88TXAD9zf2n17e9VOPzZ-viLAqTV2ds6QZKcmxQrgtPyOFzOSRGDJNtzY" width="640" /></div>
<br />
In this configuration, a bgp listen router configuration command is added for each new rack with the IP address range accounting for the routed links going to each leaf switch within the rack. This reduces the amount of required configuration versus static configuration for each individual leaf.<br />
<br />
<h3>
BGP Dynamic Neighbors with Leaf Layer AS</h3>
Below, the second option leverages the same AS at every leaf:<br />
<br />
<br />
<div style="text-align: center;">
<img height="552" src="https://lh6.googleusercontent.com/mYFQUxyGsxbrZhH3iDOL4ZholyAZ0EeAqpIS5kFD1K0Ny2_cMktoFX-ziHiqUbJjs8fpE8ge7xCpMadlBgBcluaVPKSXkfLTMJtFosfVUVBOc3Y5NXnmK1ARLJW7BlfEn0EnwmE" width="640" /></div>
<br />
<br />
In this configuration, a single bgp listen router configuration command is all that is required at each spine. No further configuration is needed at the spine as additional leaf switches are added to the environment. This makes the configuration easy to templatize and automate across all spine switches.<br />
<br />
<h2>
Making it Easy to Automate</h2>
<div>
<br /></div>
It is much easier to automate configuration when it can be applied to a container of devices rather than having to have specific, per-device configuration.<br />
<br />
For example, Ansible is a YAML-based automation platform that can be leveraged to push configuration to Arista switches. When configuration is simple and repeatable on as many devices as possible, that configuration can be compartmentalized into a template more easily. Ansible uses “playbooks” which are basically a list of resources and what tasks should be performed on those resources. Below is an excerpt from a playbook showing a single template configuration that could be applied to all spine switches in a per-rack Leaf AS design (Given a whopping two racks, but you get the idea): <br />
<br />
<br />
<div style="text-align: center;">
<img height="601" src="https://lh5.googleusercontent.com/ynbZSdUKU1gWNJQZ6hiNqYxDSuH_XRJnKd4J8587GoACVc_dn8t-IdOmeGLLD9Qwcka5OvnSzo-1hs29gosCzTZHgG4WQOdSD9TDefo8B8zvu059hL1P028Ool1tR3CdysSpnmo" width="640" /></div>
<br />
<br />
In summary, the more configuration you can compartmentalize into a template, the fewer items need to be defined as per-device variables while the template can still be repeated on multiple devices - and still meet requirements, of course - and the better the result.<br />
<br />
<h3>
Route Source Tracing via AS_PATH with Leaf Layer AS</h3>
As mentioned earlier, a disadvantage to using the same AS at every leaf is not having the ability to trace routes via AS_PATH: <br />
<br />
<div style="text-align: center;">
<img height="234" src="https://lh3.googleusercontent.com/WK0gb3ilbXAjQHGIpZVVBTYWC61GrOaceMb_I6NJkAbop2fFOK_tigYFwlxPXUsNotqKBLnjXoS8DHST05lsGH6nk6OPOWaVMJadPUnhVPQbpXfTXcJJ32Do3F8DIy-6VVJtZlc" width="640" /></div>
<br />
To get around this, an ASN could be prepended using a route map on each leaf switch, for example:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">BGPDC-LEAF1(config)#route-map BGP_PREPEND<br />BGPDC-LEAF1(config-route-map-BGP_PREPEND)#set as-path prepend 65101<br /><br />BGPDC-LEAF2(config)#route-map BGP_PREPEND<br />BGPDC-LEAF2(config-route-map-BGP_PREPEND)#set as-path prepend 65102</span><br />
<br />
Then on both leaf switches, apply the route-map to all advertised routes:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">router bgp 65000<br /> neighbor ARISTA route-map BGP_PREPEND out</span><br />
<br />
Now from LEAF3’s perspective, it is easier to see where the routes were sourced from:<br />
<br />
<div style="text-align: center;">
<img height="225" src="https://lh4.googleusercontent.com/GLpQq8sJss6oW6nKRfvqd1hjW4qE3ymF4IJDwu1UT4anjg3Rtzz_llH1Ic14082PnQ2zRB24ysr_OqS0H0i2aIC-kbYDQ5Lh2y_oztXBv4GG1rY46z5rUFBPgG-u_YXAo6BHWcU" width="640" /><br />
<br /></div>
<h2>
IP Addressing and Prefix Advertisement</h2>
<div>
<br /></div>
One challenge that resides in having a layer three (L3) switch fabric in the data center is how to handle your point-to-point routed links between spine and leaf switches. Not advertising them can increase troubleshooting difficulty, but advertising them inefficiently can lead to a large number of /31 entries in the Routing Information Base (RIB) that may become resource-intensive.<br />
<br />
As a hypothetical example, if an Arista 7050QX-32 switch were to be used as a spine switch, assuming no ports are used for uplinks to the core or edge, and only 40Gb links are used to connect leaf switches, you would have a total of 32 links with /31 addressing. This means they could be aggregated as follows:<br />
<ul>
<li>16 /30s</li>
<li>8 /29s</li>
<li>4 /28s</li>
<li>2 /27s</li>
<li><b>1 /26</b></li>
</ul>
A single /26 can represent all possible point-to-point connections that the particular spine switch could have. So if you started with 192.168.255.0 for your IP addressing on your point-to-point links, you could allocate contiguous blocks of IP addresses starting with 192.168.255.0/26 for the first spine switch, 192.168.255.64/26 for the second spine switch, and so on. Then on each spine switch, only advertise its loopback and the aggregate with the aggregate-address summary-only BGP router configuration command.<br />
<br />
What this will ultimately look like from the leaf layer perspective is an optimized RIB containing the loopbacks of all switches in the fabric, and a single additional entry per spine switch to reach point-to-point IP addresses for troubleshooting purposes.<br />
<br />
To help visualize, consider a scenario where two spine switches are connected to just three leaf switches. The two spine switches have been configured to advertise every leaf connection, like so:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">BGPDC-SPINE1(config-router-bgp)#sh active<br />router bgp 64600<br /> router-id 192.168.254.1<br /> bgp log-neighbor-changes<br /> distance bgp 20 200 200<br /> maximum-paths 32 ecmp 32<br /> bgp listen range 192.168.255.0/24 peer-group ARISTA remote-as 65000<br /> neighbor ARISTA peer-group<br /> neighbor ARISTA fall-over bfd<br /> neighbor ARISTA password 7 6x5GIQqJNWigZDc2QCgeMg==<br /> neighbor ARISTA maximum-routes 12000 <br /> network 192.168.254.1/32<br /><span style="background-color: yellow;"> network 192.168.255.0/31<br /> network 192.168.255.2/31<br /> network 192.168.255.4/31</span></span><br />
<br />
Looking at the routing table of LEAF1, there are a number of /31 entries learned via BGP:<br />
<br />
<div style="text-align: center;">
<img height="173" src="https://lh4.googleusercontent.com/GXIyaBSwTzQy150-kTSkdQq4lsnpL9Sk9yZ7Tv3wK3lx3qEXyruOFA5svgb2wVL_CMiDnNIRXlvbu5dH0qgkiS66XZ0DMkrUR_ULEkwG898TMogoAZUbCPy_eiI54F6L52ESCbs" width="640" /></div>
<br />
As you can imagine, in larger environments the number of entries could be excessive. Instead, the spine switches can be configured with the <b>aggregate-address</b> router configuration command:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">BGPDC-SPINE1(config-router-bgp)#sh active<br />router bgp 64600<br /> router-id 192.168.254.1<br /> bgp log-neighbor-changes<br /> distance bgp 20 200 200<br /> maximum-paths 32 ecmp 32<br /> bgp listen range 192.168.255.0/24 peer-group ARISTA remote-as 65000<br /> neighbor ARISTA peer-group<br /> neighbor ARISTA fall-over bfd<br /> neighbor ARISTA password 7 6x5GIQqJNWigZDc2QCgeMg==<br /> neighbor ARISTA maximum-routes 12000 <br /> network 192.168.254.1/32<br /><span style="background-color: yellow;"> aggregate-address 192.168.255.0/28 summary-only</span></span><br />
<br />
<br />
The same output from LEAF1 now shows no /31 entries learned from BGP:<br />
<div>
<br />
<div style="text-align: center;">
<img height="106" src="https://lh5.googleusercontent.com/LC73PX-t1WBNSZ7xavr8-7kgUvVenlXEXe6TuwGk71wxkHZFrFZcHQmgaNkp6BaNFksrkAHDpkQ1GfxkslQWOmQqL62E8zQ0-0q6DdKgP86zx3rMrqJ2rTo96CizL4mKoGko6yM" width="640" /></div>
<br />
Instead, there is a single /28 entry from each spine learned via BGP:<br />
<br />
<div style="text-align: center;">
<img height="236" src="https://lh3.googleusercontent.com/XrmlHA206BBoQwfFbnxFUw2IGnRCcn_qqLuoiUl8PljupLJCIbmlI_LpW5rJsIgsIhwtFfNUmWJ5iV_MyvelfExS92jclqOv_9w_0K1c5utbLTYN7u8op0kbXJNq6cT1XOUxf7o" width="640" /><br />
<br /></div>
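The addressing math from the “IP Addressing and Prefix Advertisement” section, turned into code (an added example, not the post's own or Arista's): it carves each spine's /31s out of one aggregate block, checks that the aggregate sits inside the bgp listen range, emits the two 'router bgp' variants contrasted above, and counts the BGP-learned RIB entries on a leaf. The spine taking the even (first) address of each /31 is an assumption.<br />

```python
import ipaddress
import math


def spine_p2p_plan(base, spine_index, ports, aggregate_prefix=None):
    """Carve one spine's leaf-facing /31s out of a contiguous aggregate block.

    base             -- block reserved for all point-to-point links (192.168.255.0/24 in the post)
    spine_index      -- 0 for the first spine, 1 for the second, ...
    ports            -- leaf-facing ports on the spine (32 on a 7050QX-32 with no uplinks)
    aggregate_prefix -- override the block size, e.g. 28 to match the post's three-leaf example
    Returns (aggregate, links); each link is (/31 network, spine address, leaf address).
    Assumption: the spine takes the even address of each /31 and the leaf the odd one.
    """
    base = ipaddress.ip_network(base)
    if aggregate_prefix is None:
        # two addresses per /31, rounded up to a power of two: 32 ports -> 64 addresses -> /26
        aggregate_prefix = 32 - math.ceil(math.log2(2 * ports))
    if 2 ** (32 - aggregate_prefix) < 2 * ports:
        raise ValueError("a /%d cannot hold %d /31 links" % (aggregate_prefix, ports))
    aggregate = list(base.subnets(new_prefix=aggregate_prefix))[spine_index]
    links = []
    for i, p2p in enumerate(aggregate.subnets(new_prefix=31)):
        if i == ports:
            break
        spine_ip, leaf_ip = list(p2p)  # a /31 has exactly two usable addresses (RFC 3021)
        links.append((p2p, spine_ip, leaf_ip))
    return aggregate, links


def spine_bgp_config(local_as, leaf_as, loopback, listen_range, aggregate, links,
                     summary_only=True):
    """Emit the part of the spine's 'router bgp' stanza the post contrasts: one 'network'
    per /31, or a single 'aggregate-address ... summary-only'. Refuses to emit a plan whose
    leaf addresses fall outside the dynamic-neighbor listen range, since those leaves would
    never peer."""
    listen_range = ipaddress.ip_network(listen_range)
    if not aggregate.subnet_of(listen_range):
        raise ValueError("%s is not covered by bgp listen range %s" % (aggregate, listen_range))
    lines = ["router bgp %d" % local_as,
             " router-id %s" % loopback,
             " bgp listen range %s peer-group ARISTA remote-as %d" % (listen_range, leaf_as),
             " neighbor ARISTA peer-group",
             " network %s/32" % loopback]
    if summary_only:
        lines.append(" aggregate-address %s summary-only" % aggregate)
    else:
        lines += [" network %s" % p2p for p2p, _, _ in links]
    return lines


def leaf_rib_entries(n_spines, n_leaves, summary_only):
    """BGP-learned RIB entries on one leaf: every other switch's loopback, plus either
    every spine's /31s or one aggregate per spine."""
    loopbacks = n_spines + n_leaves - 1
    p2p = n_spines if summary_only else n_spines * n_leaves
    return loopbacks + p2p


if __name__ == "__main__":
    agg, links = spine_p2p_plan("192.168.255.0/24", 0, 3, aggregate_prefix=28)
    print("\n".join(spine_bgp_config(64600, 65000, "192.168.254.1", "192.168.255.0/24",
                                     agg, links)))
    print("leaf RIB, 4 spines x 32 leaves:",
          leaf_rib_entries(4, 32, False), "->", leaf_rib_entries(4, 32, True))
```

With summary-only, a pod of four 32-port spines drops the per-leaf BGP RIB from 163 entries to 39, the loopbacks plus one aggregate per spine.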
<h2>
BGP at the Spine Layer</h2>
<div>
<br /></div>
<h3>
The Need for Fast Failure Detection</h3>
In a BGP switch fabric it is critical for failures to be detected as quickly as possible at the spine layer. Consider the following hypothetical scenario:<br />
<br />
<div style="text-align: center;">
<img height="290" src="https://lh4.googleusercontent.com/FaKo_G7hkplNEFm0Gh-YGf8IOnc5S1m1P0HoIjsE0wSu1FYxD73AzAwcnWWGtfw0BBw5eZRIoCsn-0W8YR_spjiXX9z-TEh6vGf4hgjA3wiGSTxFcrem2fdkgDpjkCDtCeCLUR8" width="400" /></div>
<br />
<br />
NODE1 is communicating with NODE2. LEAF1 and LEAF2 are MLAG peers. In an ECMP-routed switch fabric, asymmetric routing can occur, where NODE1’s traffic flow is taking the path through LEAF2, while the return traffic is taking the path through LEAF1. This is fine for now, but let’s consider what happens when LEAF1 is rebooted:<br />
<br />
<br />
<div style="text-align: center;">
<img height="290" src="https://lh3.googleusercontent.com/VEaS8dZw5EEvcS-7z3NcLXbgfGJCDsBQeQGGPbAUdIYGAWySSEigqx5AJuzH5V_IpgBUBUEN6uviniDHpaqvGe_4B_pEmPc4x0jVqN2iPF0mYHdp4Z111W1FrhBXaCete6ZVSFc" width="400" /></div>
<br />
<br />
With default behavior of MLAG, when LEAF1 finishes rebooting and re-establishes the MLAG session with LEAF2, LEAF1 will place all non-peer-link interfaces into the err-disable state for 300 seconds (five minutes) in order to allow the topology to reconverge. So including the reboot, you’re looking at roughly 7 minutes before the switch begins forwarding again. Even though you have a redundant gateway provided by LEAF2, the reboot of LEAF1 would actually create a problem when combined with the fact that the spine switches are using default configuration in this particular situation of asymmetric routing. Default BGP keepalive and hold timers are 30 seconds and 180 seconds, respectively, so for 180 seconds (3 minutes) the spine switches will still consider LEAF1 an established BGP neighbor, and still consider the path to LEAF1 a viable route even though it’s clearly not. So for any flow that gets hashed to this path, the traffic is effectively blackholed. BGP timers could be modified to provide some relief, but failover time may still be considered unacceptable, and aggressive timers risk introducing instability to the network through BGP peer flapping.<br />
<br />
By default, Arista switches will immediately tear down an eBGP neighbor adjacency when the interconnecting link goes down, which alleviates the issue described above. To further improve failure detection, Bidirectional Forwarding Detection (BFD) should also be leveraged. BFD is a very simple, low-overhead Hello protocol that works in conjunction with BGP to provide sub-second failure detection. BFD adds protection in “gray” failure conditions, such as a degraded fiber strand: the interface status may remain up, and therefore never trigger the eBGP neighbor tear-down, while traffic is dropped intermittently or entirely. In those cases network performance suffers, and the BGP keepalive/hold-down mechanism by itself may or may not be of much help.<br />
<br />
<h2>
BGP at the Leaf Layer</h2>
<div>
<br /></div>
<h3>
MLAG - To Peer or not to Peer</h3>
When running a pair of leaf switches in an MLAG configuration with VARP, you want to peer the two leaf switches. Although unlikely to actually happen, consider the following failure scenario:<br />
<br />
<br />
<div style="text-align: center;">
<img height="290" src="https://lh6.googleusercontent.com/nzZZxVAyRIj1mbRW8arjtfp06Gdxz19mbheIX_aM_3B9ZLhftYh7esQjfZHoNfyO6W3gHEWYWx4uDHGDpV36tD7KMNEhzzpGohvaYfP6ecGgIlGv0tOjImmeKCrV9L12bd0oAls" width="400" /></div>
<br />
<br />
NODE1 is communicating with NODE2. LEAF1 and LEAF2 are MLAG peers and are configured to run VARP to provide an active/active redundant first hop gateway for NODE1, but they are not BGP peers. On LEAF1, both of its uplinks have failed. While both SPINE1 and SPINE2 would certainly notice this failure and reconverge, some things will not be affected, such as:<br />
<ul>
<li>MLAG running between LEAF1 and LEAF2 would not notice any change, and continue functioning as normal, which in turn means that the port-channel between NODE1 and LEAF1/LEAF2 would remain up and function as normal</li>
<li>VARP would continue to function as normal</li>
</ul>
This is important because traffic leaving NODE1 that gets hashed to LEAF2 would be fine, but any traffic hashed to LEAF1 would effectively be blackholed:<br />
<br />
<br />
<div style="text-align: center;">
<img height="290" src="https://lh3.googleusercontent.com/Ctxq4WSvTXXPrAdHBOSo_8_GEnCrZl8blCybDl7oEHkYMLKI5oVfdSjYOYa4FWLyUzwRDSQwUuDLBgaXNgQ1Sct3YIm7PmxO3Adip8gOBhvnCGvSemxbxbxWYluFkZVeE9p9WiU" width="400" /></div>
<br />
<br />
Peering LEAF1 and LEAF2 alleviates this. Traffic hashed to LEAF1 would follow the only remaining route pointing to LEAF2, and then be ECMP-routed to the spine layer:<br />
<br />
<br />
<div style="text-align: center;">
<img height="290" src="https://lh4.googleusercontent.com/GbGQo30zgWUTtKMauFatXVVFfhndnumSPhy_L8ViP4s5x0Az-yBQeEBaB0kCPGbF7PMBBUv4ksfGkfis3tz9638jTFdhi3VlzTskQqfXhVDDj1x15MhQ1OAWpnMTeleQBato1NU" width="400" /></div>
<br />
<br />
Additionally, when this failure is not present, the peering does not introduce a suboptimal path: the path through the peer leaf switch is longer than the paths directly connected to the spine layer, so it is never preferred while the uplinks are healthy:<br />
<br />
<br />
<div style="text-align: center;">
<img height="290" src="https://lh3.googleusercontent.com/1tOhGmNSoicBCUz1mpTG7sE26M6LDcpoX6ZDk87LzGyqO_7EewhYAPEvTfqL0MFU79iST5vYywVVb_U1o9ZyOOqZfHyMuQhxSc8HObCuDHxnGzl-86Q7iL5rIli4TVpWxS6E7Qs" width="400" /></div>
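<p>To make the hashing argument above concrete, here is an added Python model (not the post’s code and not an Arista tool) of the scenario: NODE1 spreads flows across the MLAG port-channel, each leaf picks among its best BGP paths, and LEAF1 then loses both uplinks. The AS numbers and the 65101 prepend come from the post’s configuration excerpts; the NODE2 prefix, the flow tuples and the simplified best-path rule (shortest AS path wins, equal lengths are ECMP) are assumptions. It also covers a case the post does not draw: a flow that would hairpin between the two leaves forever is counted as dropped.</p>

```python
import hashlib

# Added example (not the post's own code) modelling the failure scenario above:
# NODE1 is dual-homed over an MLAG port-channel to LEAF1 and LEAF2, each leaf
# has uplinks to SPINE1 and SPINE2, and NODE2's prefix lives behind the spines.
NODE2_PREFIX = "192.168.20.0/24"              # constructed prefix for NODE2's rack
SPINE_AS, REMOTE_LEAF_AS = 64600, 65001       # AS numbers from the post's configs
PREPEND_AS = 65101                            # route-map BGP_PREPEND in the post
MAX_HOPS = 4                                  # assumption: loop guard for the walk


class Leaf:
    """Minimal BGP Loc-RIB holding (prefix, as_path, next_hop) entries."""

    def __init__(self, name):
        self.name = name
        self.paths = []

    def learn(self, prefix, as_path, next_hop):
        self.paths.append((prefix, tuple(as_path), next_hop))

    def withdraw(self, next_hop):
        # Link down plus fall-over: every path via that next hop disappears
        self.paths = [p for p in self.paths if p[2] != next_hop]

    def best_paths(self, prefix):
        # Simplified best-path selection: shortest AS path wins, ties form ECMP
        cands = [p for p in self.paths if p[0] == prefix]
        if not cands:
            return []
        shortest = min(len(p[1]) for p in cands)
        return [p for p in cands if len(p[1]) == shortest]


def build_rack(peered):
    """Return {name: Leaf} for LEAF1/LEAF2, optionally BGP-peered over the peer link."""
    leaves = {"LEAF1": Leaf("LEAF1"), "LEAF2": Leaf("LEAF2")}
    spine_path = (SPINE_AS, REMOTE_LEAF_AS)
    for leaf in leaves.values():
        for spine in ("SPINE1", "SPINE2"):
            leaf.learn(NODE2_PREFIX, spine_path, spine)
    if peered:
        # Each leaf re-advertises to its peer with the post's AS-path prepend,
        # so the peer-link path only becomes best once the spine paths are gone
        leaves["LEAF1"].learn(NODE2_PREFIX, (PREPEND_AS,) + spine_path, "LEAF2")
        leaves["LEAF2"].learn(NODE2_PREFIX, (PREPEND_AS,) + spine_path, "LEAF1")
    return leaves


def fail_leaf1_uplinks(leaves):
    """Both LEAF1 uplinks go down; MLAG and VARP towards NODE1 stay up."""
    leaves["LEAF1"].withdraw("SPINE1")
    leaves["LEAF1"].withdraw("SPINE2")
    # LEAF1 has no spine path left to re-advertise, so LEAF2 loses the
    # path it had learned from LEAF1 over the peer session
    leaves["LEAF2"].withdraw("LEAF1")


def hash_select(salt, flow, choices):
    """Deterministic stand-in for a port-channel / ECMP hash over a flow tuple."""
    digest = hashlib.sha256(f"{salt}:{flow}".encode()).digest()
    return choices[int.from_bytes(digest[:4], "big") % len(choices)]


def forward(flow, leaves):
    """Walk a flow from NODE1 to the spine layer; return (hops, final next hop or None)."""
    leaf = hash_select("lag", flow, sorted(leaves.values(), key=lambda l: l.name))
    hops = [leaf.name]
    while len(hops) <= MAX_HOPS:
        best = leaf.best_paths(NODE2_PREFIX)
        if not best:
            return hops, None                      # no route at all: blackholed
        nh = hash_select("ecmp", flow, sorted(p[2] for p in best))
        hops.append(nh)
        if nh not in leaves:
            return hops, nh                        # reached a spine
        leaf = leaves[nh]                          # hairpin over the peer link
    return hops, None                              # loop between the peers: dropped


def simulate(peered, leaf1_uplinks_down, flows):
    """Count blackholed flows and the distinct paths taken by the rest."""
    leaves = build_rack(peered)
    if leaf1_uplinks_down:
        fail_leaf1_uplinks(leaves)
    summary = {"blackholed": 0, "paths": {}}
    for flow in flows:
        hops, nh = forward(flow, leaves)
        if nh is None:
            summary["blackholed"] += 1
        else:
            key = ">".join(hops)
            summary["paths"][key] = summary["paths"].get(key, 0) + 1
    return summary


# Constructed sample: 200 TCP flows from NODE1 to NODE2 differing in source port
FLOWS = [("192.168.10.10", 40000 + i, "192.168.20.10", 443) for i in range(200)]

if __name__ == "__main__":
    for peered in (False, True):
        s = simulate(peered, True, FLOWS)
        print(f"peered={peered}: blackholed {s['blackholed']}/{len(FLOWS)} paths={s['paths']}")
```

<p>Running it with LEAF1’s uplinks down shows every flow the port-channel hashes to LEAF1 being dropped when the leaves are not peered, and the same flows taking LEAF1 → LEAF2 → spine when they are; with healthy uplinks no flow ever uses the peer-link path, because the prepended AS path loses to the direct spine paths.</p>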
<h2>
Optimizations</h2>
<div>
<br /></div>
<h3>
update wait-for-convergence</h3>
The <b>update wait-for-convergence</b> BGP router configuration command prevents BGP from programming routes into hardware and from advertising routes until a convergence event is resolved. A convergence event can occur when initializing BGP for the first time, clearing the BGP process, terminating the Rib agent, and so on. The benefit is reduced CPU churn from repeatedly programming routes into and out of hardware during a convergence event.<br />
<br />
Best practice is to only use this on spine switches. Enabling this on leaf switches (especially leaf switches acting as host gateways) can result in traffic being blackholed until BGP finishes installing routes in hardware.<br />
<br />
<b>NOTE:</b> Enabling this feature in vEOS will cause routes not to be advertised.<br />
<br />
<h3>
update wait-install</h3>
The <b>update wait-install</b> BGP router configuration command prevents routes from being advertised to peers until they are programmed in hardware and the hardware has acknowledged the programming to software. This prevents traffic from being dropped in situations where routes are advertised but not yet programmed in hardware.<br />
<br />
<b>NOTE:</b> Enabling this feature in vEOS will cause routes not to be advertised.<br />
<br />
<h3>
ip hardware fib next-hop update event bfd</h3>
The <b>ip hardware fib next-hop update event bfd</b> global configuration command allows BFD, on detecting that an interface has gone down, to remove that interface directly from the hardware next-hop entries of the routes using it. The benefit is reduced traffic loss compared to the normal BFD behavior of bringing down the BGP neighborship, recomputing the next hop for every route that used the failed interface, and then reprogramming hardware. This is the default whenever BFD is enabled.<br />
<br />
<h3>
ip hardware fib route unprogrammed parent-drop</h3>
The <b>ip hardware fib route unprogrammed parent-drop</b> global configuration command causes the parent of a more specific route that cannot be programmed in hardware, for whatever reason, to be programmed to point to a drop index (similar to null0). This is the default behavior.<br />
<br />
<b>NOTE:</b> This is not really an optimization and is more of a feature. It results in traffic being black-holed rather than forwarded on to possibly undesirable destinations, which is the “benefit” of this feature. An unfortunate side effect is that if there is no other parent route, <i>the default route will be pointed to a drop index instead</i>. In summary, if there is no need to prevent traffic from being routed via parent routes when a more specific route cannot be programmed, it is recommended to disable this feature with the “no” form of the same command.<br />
<br />
<h2>
Sources</h2>
<div>
<br /></div>
<ul>
<li>RFC 4271, “A Border Gateway Protocol 4 (BGP-4)”, <a href="https://tools.ietf.org/html/rfc4271">https://tools.ietf.org/html/rfc4271</a></li>
<li>“Use of BGP for routing in large-scale data centers”, <a href="http://datatracker.ietf.org/doc/draft-ietf-rtgwg-bgp-routing-large-dc/">http://datatracker.ietf.org/doc/draft-ietf-rtgwg-bgp-routing-large-dc/</a></li>
<li>“Understanding BGP Convergence”, <a href="http://blog.ine.com/2010/11/22/understanding-bgp-convergence/">http://blog.ine.com/2010/11/22/understanding-bgp-convergence/</a></li>
</ul>
<div>
<br /></div>
<div>
<h2>
Configuration Excerpt Examples</h2>
<div>
<br /></div>
Configuration examples are from a small-scale switch fabric created using virtual Extensible Operating System (vEOS) version 4.15.0F.<br />
<br />
<h3>
Per-Rack Leaf AS (Option 1)</h3>
<div>
<br /></div>
<h4>
SPINE1</h4>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">interface Ethernet1<br /> no switchport<br /> ip address 192.168.255.0/31<br />!<br />interface Ethernet2<br /> no switchport<br /> ip address 192.168.255.2/31<br />!<br />interface Ethernet3<br /> no switchport<br /> ip address 192.168.255.4/31<br />!<br />interface Loopback0<br /> ip address 192.168.254.1/32<br />!<br />ip routing<br />no ip hardware fib route unprogrammed parent-drop<br />!<br />router bgp 64600<br /> router-id 192.168.254.1<br /> update wait-for-convergence<br /> update wait-install<br /> bgp log-neighbor-changes<br /> distance bgp 20 200 200<br /> maximum-paths 32 ecmp 32<br /> bgp listen range 192.168.255.0/30 peer-group ARISTA remote-as 65000<br /> bgp listen range 192.168.255.4/31 peer-group ARISTA remote-as 65001<br /> neighbor ARISTA peer-group<br /> neighbor ARISTA fall-over bfd<br /> neighbor ARISTA password p4ssw0rd<br /> network 192.168.254.1/32<br /> aggregate-address 192.168.255.0/28 summary-only</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<br />
<div>
<h4>
LEAF1</h4>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">vlan 10<br /> name HOST_10<br />!<br />vlan 4093<br /> name BGP_PEER<br /> trunk group BGP_PEER<br />!<br />vlan 4094<br /> name MLAG<br /> trunk group MLAG<br />!<br />interface Port-Channel1<br /> switchport mode trunk<br /> switchport trunk group BGP_PEER<br /> switchport trunk group MLAG<br />!<br />interface Ethernet5<br /> channel-group 1 mode active<br />!<br />interface Ethernet6<br /> no switchport<br /> ip address 192.168.255.1/31<br />!<br />interface Ethernet7<br /> no switchport<br /> ip address 192.168.255.17/31<br />!<br />interface Loopback0<br /> ip address 192.168.254.3/32<br />!<br />interface Vlan10<br /> ip address 192.168.10.2/24<br /> ip virtual-router address 192.168.10.1/24<br />!<br />interface Vlan4093<br /> ip address 1.1.1.2/31<br />!<br />interface Vlan4094<br /> ip address 1.1.1.0/31<br />!<br />ip routing<br />no ip hardware fib route unprogrammed parent-drop<br />!<br />route-map BGP_PREPEND permit 10<br /> set as-path prepend 65101<br />!<br />router bgp 65000<br /> router-id 192.168.254.3<br /> update wait-install<br /> bgp log-neighbor-changes<br /> distance bgp 20 200 200<br /> maximum-paths 32 ecmp 32<br /> neighbor ARISTA peer-group<br /> neighbor ARISTA remote-as 64600<br /> neighbor ARISTA allowas-in 1<br /> neighbor ARISTA fall-over bfd<br /> neighbor ARISTA route-map BGP_PREPEND out<br /> neighbor ARISTA password p4ssw0rd<br /> neighbor 1.1.1.3 peer-group ARISTA<br /> neighbor 1.1.1.3 remote-as 65000<br /> neighbor 1.1.1.3 next-hop-self<br /> neighbor 192.168.255.0 peer-group ARISTA<br /> neighbor 192.168.255.16 peer-group ARISTA<br /> network 192.168.10.0/24<br /> network 192.168.254.3/32</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<br />
<h3>
Leaf Layer AS (Option 2)</h3>
<div>
<br /></div>
<h4>
SPINE1</h4>
<div>
<br /></div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">interface Ethernet1<br /> no switchport<br /> ip address 192.168.255.0/31<br />!<br />interface Ethernet2<br /> no switchport<br /> ip address 192.168.255.2/31<br />!<br />interface Ethernet3<br /> no switchport<br /> ip address 192.168.255.4/31<br />!<br />interface Loopback0<br /> ip address 192.168.254.1/32<br />!<br />ip routing<br />no ip hardware fib route unprogrammed parent-drop<br />!<br />router bgp 64600<br /> router-id 192.168.254.1<br /> update wait-for-convergence<br /> update wait-install<br /> bgp log-neighbor-changes<br /> distance bgp 20 200 200<br /> maximum-paths 32 ecmp 32<br /> bgp listen range 192.168.255.0/24 peer-group ARISTA remote-as 65000<br /> neighbor ARISTA peer-group<br /> neighbor ARISTA fall-over bfd<br /> neighbor ARISTA password p4ssw0rd<br /> neighbor ARISTA maximum-routes 12000 <br /> network 192.168.254.1/32<br /> aggregate-address 192.168.255.0/28 summary-only</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<br />
<div>
<h4>
LEAF1</h4>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">vlan 10<br /> name HOST_10<br />!<br />vlan 4093<br /> name BGP_PEER<br /> trunk group BGP_PEER<br />!<br />interface Port-Channel1<br /> switchport mode trunk<br /> switchport trunk group BGP_PEER<br /> switchport trunk group MLAG<br />!<br />interface Ethernet5<br /> channel-group 1 mode active<br />!<br />interface Ethernet6<br /> no switchport<br /> ip address 192.168.255.1/31<br />!<br />interface Ethernet7<br /> no switchport<br /> ip address 192.168.255.17/31<br />!<br />interface Loopback0<br /> ip address 192.168.254.3/32<br />!<br />interface Vlan10<br /> ip address 192.168.10.2/24<br /> ip virtual-router address 192.168.10.1<br />!<br />interface Vlan4093<br /> ip address 1.1.1.2/31<br />!<br />ip routing<br />no ip hardware fib route unprogrammed parent-drop<br />!<br />route-map BGP_PREPEND permit 10<br /> set as-path prepend 65101<br />!<br />router bgp 65000<br /> router-id 192.168.254.3<br /> update wait-install<br /> bgp log-neighbor-changes<br /> distance bgp 20 200 200<br /> maximum-paths 32 ecmp 32<br /> neighbor ARISTA peer-group<br /> neighbor ARISTA remote-as 64600<br /> neighbor ARISTA allowas-in 1<br /> neighbor ARISTA fall-over bfd<br /> neighbor ARISTA route-map BGP_PREPEND out<br /> neighbor ARISTA password p4ssw0rd<br /> neighbor 1.1.1.3 peer-group ARISTA<br /> neighbor 1.1.1.3 remote-as 65000<br /> neighbor 1.1.1.3 next-hop-self<br /> neighbor 192.168.255.0 peer-group ARISTA<br /> neighbor 192.168.255.16 peer-group ARISTA<br /> network 192.168.10.0/24<br /> network 192.168.254.3/32</span></div>
</div>
</div>
</div>
</div>
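<p>To turn the guidance in the Optimizations section and the configuration excerpts above into something checkable, here is an added Python example (not the post’s own tooling and not an Arista product) that parses an EOS-style running-config and flags the points the post makes: <b>update wait-for-convergence</b> present on spines but absent on leaves, parent-drop explicitly disabled, and every neighbor, including peer-groups referenced by <b>bgp listen range</b> for dynamic peers, carrying <b>fall-over bfd</b> and a password. The embedded configs are trimmed from the SPINE1 and LEAF1 excerpts (interfaces omitted); the role names, the finding texts and the block parser are assumptions of this example.</p>

```python
import re

# Added example, not the post's own tooling: audit an EOS-style running-config
# against the guidance in the post. Sample configs are trimmed from the SPINE1
# and LEAF1 excerpts (interfaces omitted); values are the post's own.
SPINE1_CONFIG = """\
ip routing
no ip hardware fib route unprogrammed parent-drop
!
router bgp 64600
 router-id 192.168.254.1
 update wait-for-convergence
 update wait-install
 maximum-paths 32 ecmp 32
 bgp listen range 192.168.255.0/30 peer-group ARISTA remote-as 65000
 bgp listen range 192.168.255.4/31 peer-group ARISTA remote-as 65001
 neighbor ARISTA peer-group
 neighbor ARISTA fall-over bfd
 neighbor ARISTA password p4ssw0rd
 network 192.168.254.1/32
"""

LEAF1_CONFIG = """\
ip routing
no ip hardware fib route unprogrammed parent-drop
!
router bgp 65000
 router-id 192.168.254.3
 update wait-install
 maximum-paths 32 ecmp 32
 neighbor ARISTA peer-group
 neighbor ARISTA remote-as 64600
 neighbor ARISTA allowas-in 1
 neighbor ARISTA fall-over bfd
 neighbor ARISTA route-map BGP_PREPEND out
 neighbor ARISTA password p4ssw0rd
 neighbor 1.1.1.3 peer-group ARISTA
 neighbor 1.1.1.3 remote-as 65000
 neighbor 1.1.1.3 next-hop-self
 neighbor 192.168.255.0 peer-group ARISTA
 neighbor 192.168.255.16 peer-group ARISTA
 network 192.168.10.0/24
"""


def parse_blocks(config):
    """Map each top-level line to its indented child lines (EOS/IOS style)."""
    blocks, header = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] != " ":
            header = raw.rstrip()
            blocks.setdefault(header, [])
        elif header is not None:
            blocks[header].append(raw.strip())
    return blocks


def audit_bgp(config, role):
    """Return a list of findings (empty = clean) for role 'spine' or 'leaf'."""
    findings = []
    blocks = parse_blocks(config)
    bgp = next((h for h in blocks if h.startswith("router bgp ")), None)
    if bgp is None:
        return ["no 'router bgp' stanza found"]
    lines = blocks[bgp]

    # Placement rule from the post: wait-for-convergence on spines only
    has_wfc = "update wait-for-convergence" in lines
    if role == "spine" and not has_wfc:
        findings.append("spine lacks 'update wait-for-convergence'")
    if role == "leaf" and has_wfc:
        findings.append("leaf has 'update wait-for-convergence' "
                        "(host traffic blackholed until FIB install)")
    if "no ip hardware fib route unprogrammed parent-drop" not in blocks:
        findings.append("parent-drop left at default; the default route "
                        "may be pointed at a drop index")

    # Collect per-neighbor attributes and the peer-groups used by listen ranges
    attrs, listen_groups = {}, []
    for line in lines:
        m = re.match(r"neighbor (\S+) (.+)", line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2))
        m = re.match(r"bgp listen range \S+ peer-group (\S+) remote-as \d+", line)
        if m:
            listen_groups.append(m.group(1))

    def effective(name):
        # A peer inherits everything configured on its peer-group
        own = attrs.get(name, [])
        for a in own:
            m = re.match(r"peer-group (\S+)$", a)
            if m:
                return own + attrs.get(m.group(1), [])
        return own

    # Every peer, and every group that dynamic peers land in, needs BFD
    # for fast failure detection and a password for session authentication
    for name in dict.fromkeys(list(attrs) + listen_groups):
        eff = effective(name)
        if not any(a.startswith("fall-over bfd") for a in eff):
            findings.append(f"neighbor {name}: no 'fall-over bfd'")
        if not any(a.startswith("password") for a in eff):
            findings.append(f"neighbor {name}: no authentication password")
    return findings


if __name__ == "__main__":
    print("SPINE1:", audit_bgp(SPINE1_CONFIG, "spine") or "clean")
    print("LEAF1:", audit_bgp(LEAF1_CONFIG, "leaf") or "clean")
```

<p>Both excerpts come back clean. Moving <b>update wait-for-convergence</b> onto the leaf, or deleting the peer-group password, produces one finding per affected neighbor, because members such as 1.1.1.3 and the listen-range ranges only get their BFD and password settings through the ARISTA group.</p>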
<h1>SPAN Destination ports and VLAN Membership</h1>
Posted 2014-07-10<br />
Recently at work, a discussion sprouted up around how to handle and configure local-session Switched Port Analyzer (SPAN) destination ports. A suggestion was made to create a new VLAN just for these SPAN destination ports and place them there. The justification was that they would be out of VLAN 1 and easily identifiable. Personally, I thought it was a waste of a VLAN for a few simple SPAN destination ports, as SPAN destination ports do not participate in spanning tree and do not forward traffic. However, in this case it was ultimately a good decision due to security requirements.<br />
Some key characteristics to know about SPAN destination ports:<br />
<ul>
<li>A destination port can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group has been specified as a SPAN source. The port is removed from the group while it is configured as a SPAN destination port.</li>
<li>The port does not transmit any traffic except the traffic required for the SPAN session unless learning is enabled.</li>
<li><span style="background-color: #4bacc6; color: black;">The state of the destination port is up/down by design. The interface shows the port in this state in order to make it evident that the port is currently not usable as a production port.</span></li>
<li>If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2.</li>
<li><span style="background-color: #4bacc6; color: black;">A destination port does not participate in spanning tree while the SPAN session is active.</span></li>
<li><span style="background-color: #4bacc6; color: black;">When it is a destination port, it does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PAgP).</span></li>
<li>A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored.</li>
<li>A destination port receives copies of sent and received traffic for all monitored source ports. If a destination port is oversubscribed, it can become congested. This congestion can affect traffic forwarding on one or more of the source ports.</li>
<li><span style="background-color: #4bacc6; color: black;">When you configure a port as a SPAN destination, it is dedicated for use only by the SPAN feature.</span></li>
<li><span style="background-color: #4bacc6; color: black;">Destinations, by default, cannot receive any traffic.</span> <span style="color: #cccccc;">With Release 12.2(33)SXH and later releases, you can configure Layer 2 destinations to receive traffic from any attached devices.</span></li>
<li><span style="background-color: #4bacc6; color: black;">Destinations, by default, do not transmit anything except SPAN traffic.</span> <span style="color: #cccccc;">Layer 2 destinations that you have configured to receive traffic can be configured to learn the Layer 2 address of any devices attached to the destination and transmit traffic that is addressed to the devices.</span></li>
</ul>
Sources: <br />
<a href="http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#charac_dest" title="http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#charac_dest">http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#charac_dest</a> <br />
<a href="http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.html#wp1020380" title="http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.html#wp1020380">http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.html#wp1020380</a> <br />
Some of the points above seem like repeats; that was done on purpose, to emphasize the point. Probably the most important one is that the port sits in an Up/Down status. To me, this naturally indicates that it is doing nothing outside of its SPAN function. <br />
<a href="http://lh5.ggpht.com/-TWEOq3oBDBQ/UjkynSSu6eI/AAAAAAAAATM/MJrQ18KSra4/s1600-h/image%25255B4%25255D.png"><img alt="image" border="0" src="http://lh3.ggpht.com/-C57N2C5HcRk/Ujkyn8hyZ4I/AAAAAAAAATU/O8a-jDRNeOY/image_thumb%25255B2%25255D.png?imgmax=800" height="448" style="background-image: none; border-bottom-width: 0px; border-left-width: 0px; border-right-width: 0px; border-top-width: 0px; display: inline; padding-left: 0px; padding-right: 0px; padding-top: 0px;" title="image" width="689" /></a> <br />
<br />
<br />
<br />
<h1>Spanning Tree Exercise and Revisiting Root Guard</h1>
Posted 2013-10-23<br />
<p>This was actually spurred by a comment I received on another one of my blog posts that you can find <a href="http://aspiringnetworker.blogspot.com/2013/07/optimizing-and-protecting-spanning-tree_13.html" target="_blank">here</a>. Seeing that comment, I whiteboarded it and realized that I may have been completely wrong about how Root Guard could “break a network”.</p> <p>Let’s say we have the following topology:</p> <p><a href="http://lh5.ggpht.com/-_I7tiuO-Rw0/UmhnmPc07SI/AAAAAAAAAiI/Fae0O28kyAQ/s1600-h/image%25255B9%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/-l1UXiWZ-hos/Umhnmr_d2kI/AAAAAAAAAiQ/BaGG26JlPd8/image_thumb%25255B3%25255D.png?imgmax=800" width="455" height="606"></a> </p> <ul> <li>Core 1 is the root for VLAN 10 with a configured priority of 4096, and is the secondary root for VLAN 20 with a configured priority of 8192. We alternate this with Core 2 in order to load balance VLAN traffic.</li> <li>Access 3 and 4 are left in default configuration regarding spanning tree.</li> <li>Two workstations are present – one in VLAN 10, and another in VLAN 20. Their default gateways are SVIs that are on the Core switches.</li> <li>For simplicity, switch MAC addresses are the number contained in their names. Example: Access 4’s MAC address is “4”.</li> <li>All link costs are the same.</li> <li>All links between switches are trunks transporting all VLANs.</li></ul> <p>Let’s work through the spanning tree topologies.</p> <p>Core 1 – Root bridge for VLAN 10. All ports designated.</p> <p>Core 2 – Port 1 will be a root port due to lowest cost to root. 
Since the costs to reach root for Core 2, Access 3, and Access 4 are equal, and a root port exists, ports 2 and 3 will be designated due to Core 2 having the <strong>lowest bridge ID</strong> (STP tie-breaker). We know this by calculating the bridge IDs:</p> <ul> <li>Core 2 - MAC Address (2) + VLAN ID (10) + Priority (8192) = 8204</li> <li>Access 3 – MAC Address (3) + VLAN ID (10) + Priority (32768) = 32781</li> <li>Access 4 – You get the idea.</li></ul> <p>Access 3 and 4 – Port 1 will be the root port, leaving port 2 blocking since there are already designated ports on those links belonging to Core 2.</p>
<table border="1" cellspacing="0" cellpadding="2" width="401"> <tbody> <tr> <td valign="top" width="82"><strong>VLAN 10</strong></td> <td valign="top" width="100">Port 1</td> <td valign="top" width="122">Port 2</td> <td valign="top" width="95">Port 3</td></tr> <tr> <td valign="top" width="82">Core 1</td> <td valign="top" width="100">Designated</td> <td valign="top" width="121">Designated</td> <td valign="top" width="96">Designated</td></tr> <tr> <td valign="top" width="82">Core 2</td> <td valign="top" width="100">Root</td> <td valign="top" width="121">Designated</td> <td valign="top" width="97">Designated</td></tr> <tr> <td valign="top" width="81">Access 3</td> <td valign="top" width="100">Root</td> <td valign="top" width="121">Blocking</td> <td valign="top" width="97">N/A</td></tr> <tr> <td valign="top" width="81">Access 4</td> <td valign="top" width="100">Root</td> <td valign="top" width="121">Blocking</td> <td valign="top" width="98">N/A</td></tr></tbody></table>
<p>And for VLAN 20:</p>
<table border="1" cellspacing="0" cellpadding="2" width="401"> <tbody> <tr> <td valign="top" width="82"><strong>VLAN 20</strong></td> <td valign="top" width="100">Port 1</td> <td valign="top" width="122">Port 2</td> <td valign="top" width="95">Port 3</td></tr> <tr> <td valign="top" width="82">Core 1</td> <td valign="top" width="100">Root</td> <td valign="top" width="121">Designated</td> <td valign="top" width="96">Designated</td></tr> <tr> <td valign="top" width="82">Core 2</td> <td valign="top" width="100">Designated</td> <td valign="top" width="121">Designated</td> <td valign="top" width="97">Designated</td></tr> <tr> <td valign="top" width="81">Access 3</td> <td valign="top" width="100">Blocking</td> <td valign="top" width="121">Root</td> <td valign="top" width="97">N/A</td></tr> <tr> <td valign="top" width="81">Access 4</td> <td valign="top" width="100">Blocking</td> <td valign="top" width="121">Root</td> <td valign="top" width="98">N/A</td></tr></tbody></table>
<p>Now we can see how traffic will flow from each workstation to the other.</p> <p>VLAN 10 Workstation to VLAN 20 Workstation:</p> <ol> <li>Traffic leaves the VLAN 10 Workstation and hits the VLAN 10 SVI on Core 1.</li> <li>Multilayer switched to VLAN 20 within Core 1.</li> <li>Hits Core 2, since the link directly to Access 4 is blocked on VLAN 20.</li> <li>Traverses Access 4 to reach the VLAN 20 Workstation.</li></ol> <p><a href="http://lh3.ggpht.com/-YbpQi2eGeTo/UmhnnRfdFgI/AAAAAAAAAiY/QpO4FnEfR-k/s1600-h/image%25255B15%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgva2t3kRhx5A6Oz-gTHguehZT9Le1pOI4sHuek96kDg0x7KMMw-QM-QEf9qnaFKU_y_hvdlJU_fQnkHYYgQgZ4DIlT2XZZ3xeX_TZ2FZrfXoroVrvZ2tf_G1hFWj15rKrfIV_eR3LX5B4/?imgmax=800" width="438" height="581"></a> </p> <p>And now we move to the million dollar question from my previous blog article. Let’s say we have Root Guard configured on ports 2 and 3 on both Core 1 and Core 2. What happens when we lose the link between the Core switches? 
First it is worth discussing what happens without Root Guard in place:</p> <p>Core 1 – Root bridge for VLAN 10 – all remaining ports remain designated.</p> <p>Core 2 – Since the cost to root is the same going through either Access 3 or Access 4, port 2 will transition to a root port due to, again, Access 3 having the lowest bridge ID. Port 3 will transition to a blocking state since Access 4 now has the lowest cost to reach root for that link.</p> <p>Access 3 – Port 1 remains a root port. Port 2 transitions to a designated port since Access 3 has the lowest cost to reach root on that link.</p> <p>Access 4 – Port 1 remains a root port. Port 2 transitions to a designated port since Access 4 has the lowest cost to reach root on that link.</p>
<table border="1" cellspacing="0" cellpadding="2" width="401"> <tbody> <tr> <td valign="top" width="82"><strong>VLAN 10</strong></td> <td valign="top" width="100">Port 1</td> <td valign="top" width="122">Port 2</td> <td valign="top" width="95">Port 3</td></tr> <tr> <td valign="top" width="82">Core 1</td> <td valign="top" width="100">Down</td> <td valign="top" width="121">Designated</td> <td valign="top" width="96">Designated</td></tr> <tr> <td valign="top" width="82">Core 2</td> <td valign="top" width="100">Down</td> <td valign="top" width="121">Root</td> <td valign="top" width="97">Blocking</td></tr> <tr> <td valign="top" width="81">Access 3</td> <td valign="top" width="100">Root</td> <td valign="top" width="121">Designated</td> <td valign="top" width="97">N/A</td></tr> <tr> <td valign="top" width="81">Access 4</td> <td valign="top" width="100">Root</td> <td valign="top" width="121">Designated</td> <td valign="top" width="98">N/A</td></tr></tbody></table>
<p>And for VLAN 20:</p>
<table border="1" cellspacing="0" cellpadding="2" width="401"> <tbody> <tr> <td valign="top" width="82"><strong>VLAN 20</strong></td> <td valign="top" width="100">Port 1</td> <td valign="top" width="122">Port 2</td> <td valign="top" width="95">Port 3</td></tr> <tr> <td valign="top" width="82">Core 1</td> <td valign="top" width="100">Down</td> <td valign="top" width="121">Root</td> <td valign="top" width="96">Blocking</td></tr> <tr> <td valign="top" width="82">Core 2</td> <td valign="top" width="100">Down</td> <td valign="top" width="121">Designated</td> <td valign="top" width="97">Designated</td></tr> <tr> <td valign="top" width="81">Access 3</td> <td valign="top" width="100">Designated</td> <td valign="top" width="121">Root</td> <td valign="top" width="97">N/A</td></tr> <tr> <td valign="top" width="81">Access 4</td> <td valign="top" width="100">Designated</td> <td valign="top" width="121">Root</td> <td valign="top" width="98">N/A</td></tr></tbody></table>
<p>This has some pretty drastic results:</p> <p><a href="http://lh6.ggpht.com/-i1kZyhq9NpY/Umhno_i-TvI/AAAAAAAAAio/q9ikiGSHIEA/s1600-h/image%25255B18%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnfMlDtRV_4F-QaedPLb5_9pCcsgOHPgPectx4m3FTKcBRT8rE12jjPWzarPcK91NXi87ixM29u_mUj9g0QlDaEr8mhSiE8JQS5q_QAcDOYnZj8nU1Jc9z6aDpj4Yjd8h6NxCo0h8xOHg/?imgmax=800" width="435" height="620"></a> </p> <p>The path from the blue Workstation to the red Workstation is straightforward. But check out the path from the red Workstation to the blue one:</p> <ol> <li>Traffic from the VLAN 10 Workstation hits the VLAN 10 SVI on Core 1 as usual.</li> <li>Multilayer switched to VLAN 20 within Core 1, again, as usual.</li> <li>Here’s where it gets interesting. The link between Core 1 and Core 2 is physically down, and STP is blocking on port 3 for VLAN 20, so this traffic must go back down to Access 3.</li> 
<li>Traffic traverses Core 2 and Access 4 before finally reaching its destination.</li></ol> <p>Now let’s see what happens when we enable Root Guard on Core 1 and Core 2’s ports 2 and 3:</p> <p><a href="http://lh3.ggpht.com/-YjUG8REBoMA/Umhnp_fDSnI/AAAAAAAAAi4/DicojTG1uI8/s1600-h/image%25255B24%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCoL4ZJgLoO85f5i-xjGkCHGKIIV4-7ytuvUoagaPzJv7wht2shb7TspVMfNTCPgCy6O-bIW4v64CDXOaLD4KBZCR4IqNW_aTu7knIptzAAE1IdXlSU9DAQAEkl9VYdoYS9em574p618A/?imgmax=800" width="494" height="620"></a> </p> <ul> <li>Core 1 begins receiving superior BPDUs on VLAN 20 on ports 2 and 3, so it places those ports in root-inconsistent.</li> <li>Core 2 begins receiving superior BPDUs on VLAN 10 on ports 2 and 3, so it places those ports in root-inconsistent.</li></ul>
<table border="1" cellspacing="0" cellpadding="2" width="521"> <tbody> <tr> <td valign="top" width="82"><strong>VLAN 10</strong></td> <td valign="top" width="100">Port 1</td> <td valign="top" width="185">Port 2</td> <td valign="top" width="152">Port 3</td></tr> <tr> <td valign="top" width="82">Core 1</td> <td valign="top" width="100">Down</td> <td valign="top" width="185">Designated</td> <td valign="top" width="152">Designated</td></tr> <tr> <td valign="top" width="82">Core 2</td> <td valign="top" width="100">Down</td> <td valign="top" width="185"><strong><em>Root-Inconsistent</em></strong></td> <td valign="top" width="152"><strong><em>Root-Inconsistent</em></strong></td></tr> <tr> <td valign="top" width="81">Access 3</td> <td valign="top" width="100">Root</td> <td valign="top" width="185">Designated</td> <td valign="top" width="152">N/A</td></tr> <tr> <td valign="top" width="81">Access 4</td> <td valign="top" width="100">Root</td> <td valign="top" width="185">Designated</td> <td valign="top" width="152">N/A</td></tr></tbody></table>
<table border="1" cellspacing="0" cellpadding="2" width="525"> <tbody> <tr> <td valign="top" width="82"><strong>VLAN 20</strong></td> <td valign="top" width="100">Port 1</td> <td valign="top" width="181">Port 2</td> <td valign="top" width="159">Port 3</td></tr> <tr> <td valign="top" width="82">Core 1</td> <td valign="top" width="100">Down</td> <td valign="top" width="181"><strong><em>Root-Inconsistent</em></strong></td> <td valign="top" width="159"><strong><em>Root-Inconsistent</em></strong></td></tr> <tr> <td valign="top" width="82">Core 2</td> <td valign="top" width="100">Down</td> <td valign="top" width="181">Designated</td> <td valign="top" width="159">Designated</td></tr> <tr> <td valign="top" width="81">Access 3</td> <td valign="top" width="100">Designated</td> <td valign="top" width="181">Root</td> <td valign="top" width="159">N/A</td></tr> <tr> <td valign="top" width="81">Access 4</td> <td valign="top" width="100">Designated</td> <td valign="top" width="181">Root</td> <td valign="top" width="159">N/A</td></tr></tbody></table>
<p>Now let’s take a look at traffic flow from the red Workstation to the blue:</p> <ol> <li>Traffic leaves the VLAN 10 Workstation and hits the VLAN 10 SVI on Core 1.</li> <li>Multilayer switched to VLAN 20 within Core 1.</li> <li>Uh oh – port 1 is physically down and ports 2 and 3 are down for VLAN 20 thanks to Root Guard. The traffic has nowhere to go!</li></ol> <p>Welp – guess I wasn’t wrong after all. This appears to be a corner case scenario, because if it were only a single instance of spanning tree there would be no issue. 
Even in this scenario, <em>intra-VLAN</em> communication would be fine, but this does break <em>inter-VLAN</em> communication.</p>
<h1>OSPF Adjacency Building Process</h1>
Posted 2013-10-03<br />
<p>Ever curious how two routers configured for OSPF become fully adjacent? The following diagram of the process was modeled directly on RFC 2328, and the steps described were gleaned from the Routing TCP/IP Vol. I book. Since we can see mention of a DR, this example must be based on a multi-access network.</p> <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYOup2rsxOZNQQez2YaJufUcQhEL1Scn3Py7HhMpsrQZ6ojKEr3ZAozwE72bHcHxTO8ToD1PTgBbeIUgdoB4qctc-6r3zh_0TJGrJSP6MWVSvxrvBx9Dh_GZBDfWxN_HypTKYdi5vLedA/s1600-h/image%25255B8%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; margin-left: 0px; border-left-width: 0px; margin-right: 0px" title="image" border="0" alt="image" src="http://lh3.ggpht.com/-WIwbxh-6-rI/Uk4BX3whnRI/AAAAAAAAAh4/Sge8SzwCO50/image_thumb%25255B6%25255D.png?imgmax=800" width="925" height="601"></a> </p> <ol> <li>RT1 becomes active and sends a Hello. At this point, RT1 hasn’t seen any neighbors, so it reports as much and sets its DR and BDR fields to 0.0.0.0.</li> <li>Upon receipt by RT2, RT2 will build a data structure for RT1 and set RT1’s state to <strong>Init</strong>. RT2 will then send a Hello packet reporting that it has seen RT1, and will report itself as the DR.</li> <li>RT1 now sees its own RID in the received Hello packet from RT2, so RT1 will now create a data structure for RT2 and set its state to <strong>ExStart</strong>. 
RT1 then begins Master/Slave negotiation with a DD packet with a sequence number of “x”, the Init bit set to indicate that it is the start of an exchange, the More bit set to indicate that it is not the last DD packet to be sent, and lastly with the MS-bit set to indicate that RT1 wants to be the Master. No LSA summaries are provided just yet – this is purely for Master/Slave negotiation. <li>Upon receipt of RT1’s DD packet, RT2 sets RT1’s state to <strong>ExStart</strong>. RT2 then sends its own empty DD with a sequence number of “y” and the Init, More and MS bits set; RT2 keeps the MS-bit since it has the higher RID in this example. <li>RT1 agrees that RT2 is the Master and sets its state to <strong>Exchange. </strong>RT1 informs RT2 of its agreement by sending a DD packet with a sequence number “y” that matches what was sent from RT2 in step 4. The MS-bit will now be set to 0, and here is where we’ll start to see LSA summaries provided by RT1. <li>RT2 now sets RT1’s state to <strong>Exchange</strong> as well and sends a DD packet containing LSA headers from its Link State Summary list and increments the DD sequence number to “y+1”. <li>RT1 acknowledges this by sending a DD packet of its own that echoes the sequence number it received from RT2 (the Slave’s DD packets double as acknowledgements). It also begins taking the LSA summaries it received and building a Link State Request list. This process repeats until RT2 sends the last of its LSA summaries and sets the More bit to 0. <li>Once RT1 receives the last of RT2’s LSA summaries and acknowledges it, knowing that it has sent the last of its own LSA summaries, the <strong>Exchange </strong>state process is complete. Now RT1 will begin processing the LSA summaries it has added to its Link State Request list and transition to the <strong>Loading</strong> state. <li>Once RT2 receives RT1’s last DD packet, RT2 then sets RT1’s state to <strong>Full</strong> because RT2 has no entries in its own Link State Request list. 
<li>RT1 will send Link State Requests for all entries in its Link State Request list and RT2 will send Link State Update packets until RT1’s list is empty. At that point, RT1 sets RT2’s state to <strong>Full</strong>, and the adjacency is complete.</li></ol> Steven Kinghttp://www.blogger.com/profile/07365721320218558098noreply@blogger.com0tag:blogger.com,1999:blog-8471280268531079705.post-57224264601690365782013-10-01T16:31:00.000-07:002013-10-01T16:36:52.074-07:00OSPF Link State Advertisements (LSAs) and Areas – Part II<p>For a table describing the different LSA types, check out the <a href="http://aspiringnetworker.blogspot.com/2013/09/ospf-link-state-advertisements-lsas-and.html" target="_blank">first post of this series</a>.</p> <p>In the first part of the series, we looked at LSA Types 1, 2, and 3 – Router, Network, and Network Summary, respectively. To move on to the next two LSA types, we need to bring in another Autonomous System (AS). In the diagram below, we’ve added R5, which has an interface in EIGRP AS 1 and is redistributing that into OSPF Area 4. The fact that R5 has an interface inside of the OSPF AS, as well as the EIGRP AS, makes R5 an Autonomous System Boundary Router (ASBR). </p> <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRSmDfk-HEs7L2uboJdkCfD8U4uO5VwHbQWuT3hFFoXMk7bViaBwehOLgq8Mk4YMvdRLZRiL-KMgY0xlbsqkZmftTMHC6ZDmpjFwgT3aQla_G6aOyerSUAO4-9-OdUy6qmnA1_zvYb0i0/s1600-h/image%25255B94%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/-dca39tpKuZw/UksSgiBWL8I/AAAAAAAAAgo/i7sWBfSe2tA/image_thumb%25255B58%25255D.png?imgmax=800" width="925" height="499"></a> </p> <p>The EIGRP-oriented subnet that is being redistributed is considered an external route to the OSPF domain, so a Type 5 LSA, or AS External, is flooded into OSPF Area 4 containing an LSID and netmask of the subnet, plus the External Type. 
This is important because it tells other routers whether or not to add the internal link costs within the OSPF domain to the metric to reach that subnet. A Type 2 (E2) external route specifies that only the external cost counts toward the route’s metric; the internal cost to the ASBR is used only as a tie-breaker between E2 routes with the same external metric.</p> <p><a href="http://lh4.ggpht.com/-dTn3j2ArBRI/UksShfP_KlI/AAAAAAAAAb4/X_85PjvInxE/s1600-h/image%25255B3%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/-h52-UbvA00g/UksSiNLkYuI/AAAAAAAAAcA/NCgK5PPQC8E/image_thumb%25255B1%25255D.png?imgmax=800" width="640" height="374"></a></p> <p> <p>When R2 catches wind of this, it will generate a Type 4 LSA, or ASBR Summary, and flood it into Area 0 along with the Type 5 LSA. The contents of the Type 4 LSA are mostly just the ASBR’s RID as the LSID and the metric to reach it.</p> <p><a href="http://lh3.ggpht.com/-QD6vweUyNU8/UksSijJtXVI/AAAAAAAAAcI/cdssDHAMr3U/s1600-h/image%25255B18%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/-yKAgKH_k5aQ/UksSjcGTpXI/AAAAAAAAAcQ/vJYTRw2ndes/image_thumb%25255B10%25255D.png?imgmax=800" width="613" height="361"></a></p> <p></p> <p>For other routers to reach this External Type 2 route, they just take the metric provided in the Type 5 LSA (20) – no questions asked.</p> <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQqMmcL9SKmbvTkmr9F0MLUQ7Md4K6TV0ZD4zul_FGp3vnY3B-whKqNxSk9AhbNA89b4UsaanpbmmKgRAEwlqbuc5c7xJ-IaMRRBuvFiNjCNi-M9J0lFVDxUIzQm3dw0Ywq9Yswu9pm5A/s1600-h/image%25255B51%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" 
src="http://lh3.ggpht.com/-4cLMSPJE1DY/UksSk6gEOTI/AAAAAAAAAdI/FUsCNOg3l2w/image_thumb%25255B35%25255D.png?imgmax=800" width="640" height="146"></a> </p> <p>However, if it were an External Type 1 (E1) route, each router must determine its own cost to reach it, taking into account the link costs along the way.</p> <p>So in this example, if R1 needed to reach 172.16.5.0/24 as an External Type 1 route, it would first add the cost to reach R2 (the ABR) [similar to what it would do to determine the cost of an inter-area (IA) route using a Type 3 LSA] to the cost from the ABR to the ASBR as listed in the Type 4 LSA. Finally, it would then add the cost listed in the Type 5 LSA for that subnet.</p> <p>Cost to reach ABR (<strong>1</strong>) + Cost from ABR to ASBR in Type 4 LSA (<strong>2</strong>) + Cost in Type 5 LSA (<strong>20</strong>) = <strong>23</strong></p> <p><a href="http://lh4.ggpht.com/-4H1fpjV_wvw/UksSlcOLzaI/AAAAAAAAAdQ/Sue0HahzhjY/s1600-h/image%25255B36%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/-WlT5pqiI0aw/UksSmKvoZYI/AAAAAAAAAdY/ZeA9d-aqp6w/image_thumb%25255B20%25255D.png?imgmax=800" width="640" height="142"></a></p> <h1></h1> <h1>Stubby.. 
Totally Stubby… Not-So-Stubby… Totally Not-So-Stubby….</h1> <p>While there are several iterations of a stubby area, with varying mechanics behind them, they all serve mostly a single purpose – to reduce overhead.</p> <p><a href="http://lh6.ggpht.com/-YEH_w1kf200/UktbiCTSKMI/AAAAAAAAAgw/WhyWiuAxqB4/s1600-h/image%25255B97%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5A61YRslYM9zF7jkp5dpbTO2rc4oFm7Yx3kQ7QVcdFsOOpClFIl_Zuo5NLUmbb-D_ntt149OvcGkXAlZP0ydyKoCaBjFEHRX8Kc_dyuc4quEojZWGSi_3BtBos99QJdpw3goH_zpuzNU/?imgmax=800" width="925" height="596"></a> </p> <p>Once R6 is added and area 6 is configured as a stubby area, two major things happen:</p> <ul> <li>R3 (an ABR for area 6) will still receive Type 4 and Type 5 LSAs, but stop flooding them into area 6. Notice that R6’s routing table does not include R5’s EIGRP-oriented subnet (172.16.5.0/24) <li>R3 injects a default route into area 6</li></ul> <p>One caveat: the stub flag is carried in the Hello packet’s options, so every router in area 6 must be configured as stub or the adjacencies will not form.</p> <p><a href="http://lh4.ggpht.com/-MvOIAjGnetY/Uktbj4cFOiI/AAAAAAAAAdw/FOLXd4LR07Y/s1600-h/image%25255B35%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://lh5.ggpht.com/-nJczdaZ_3OI/Uktbkmr7tUI/AAAAAAAAAd4/z45tzeHMZGY/image_thumb%25255B19%25255D.png?imgmax=800" width="640" height="338"></a> </p> <p>So we can see here that the logic is, hey, there’s only going to be one way to get out of this area, so let’s reduce the size of the LSDB and make things easier by just injecting a default route into the area and calling it a day. Imagine if R5 had 100 subnets hanging off of it in the EIGRP AS – if R6 wasn’t in a stubby area, those 100 routes would be added to its LSDB and routing table. 
Why do that if we can just inject a default route and not advertise these external routes into the area – effectively accomplishing the same thing? If R6 needs to hit any of these external routes, it just uses the default route to the ABR, which knows how to get there, greatly reducing the size of R6’s LSDB and routing table at the same time!</p> <p><a href="http://lh5.ggpht.com/-Ek9Uj-WM0Bw/UktblVaEddI/AAAAAAAAAeA/eMVqN9HC1h8/s1600-h/image%25255B54%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTblAyGgCJMwpQaCJIr6u279vfRD_C3ARrJ_omjHN5iIl8idUAZy2PogDqP8MwISWGVRK8HRUPGfc2CWSy2DQIUZpQXMgXcEpXidsrkduiMZ2xwRK8nZ4FQ4bkTZBnqkOlZW73e7JDM98/?imgmax=800" width="453" height="66"></a> </p> <p>A “totally” stubby area takes this concept even further by also not flooding Type 3 LSAs, with one exception: the default route R3 injects into the area is itself a Type 3 LSA.</p> <p><a href="http://lh6.ggpht.com/-wbhS0lgCBlo/UktbmjiY_QI/AAAAAAAAAeQ/gAAP86KFmKc/s1600-h/image%25255B68%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgScjIFwvGY0YIfCuOPOIe9ENC5MU-VckH38MfY-zxMo5igMhLVP0bXH46-U9j0H2dGHS5d1ZzeHCpimPkweJT2Ox71a9VVj-ZyHBPn7rU5rgw-qYsM0OF1qsdyrSVvk45BuVNkR_Noj4U/?imgmax=800" width="460" height="480"></a> </p> <p></p> <p></p> <p></p> <p>A Not-So-Stubby Area (NSSA) keeps the stub behaviour of blocking Type 4 and Type 5 LSAs from outside the area, but allows a router inside the area to redistribute external routes if needed. A special type of LSA is used in this situation – a Type 7, or NSSA External. 
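</p>
<p>As an added example (not code from the original post), the small Python model below prices an external route the way the E1/E2 discussion above describes: cost to the ABR, plus the Type 4 metric from the ABR to the ASBR, plus the Type 5 metric for E1; the Type 5 metric alone for E2, with the internal cost kept only as the RFC 2328 tie-breaker. It also lists which of those LSAs an ABR floods into a normal, stub, totally stubby, NSSA or totally NSSA area, including the Type 7 to Type 5 translation. The router IDs, prefixes and metrics are constructed to match the diagrams (R2 = 2.2.2.2 as ABR, R5 = 5.5.5.5 as ASBR, 172.16.5.0/24 at metric 20); the <code>Lsa</code> class, the area-kind names and the assumption that a plain NSSA gets no default route unless its ABR is explicitly configured to originate one are this example’s own, not output from the lab.</p>

```python
# Added example, not code from the original post: a small model of how a router in
# another area prices an OSPF external route from Type 3/4/5 LSAs (E1 vs E2, with
# the RFC 2328 preference rules), and of which LSAs an ABR floods into each kind
# of area.  Router IDs, prefixes and metrics are constructed to mirror the post's
# diagrams (R2 = ABR 2.2.2.2, R5 = ASBR 5.5.5.5, 172.16.5.0/24 at metric 20).
from dataclasses import dataclass

SUMMARY, ASBR_SUMMARY, AS_EXTERNAL, NSSA_EXTERNAL = 3, 4, 5, 7


@dataclass(frozen=True)
class Lsa:
    lsa_type: int
    lsid: str          # prefix for types 3/5/7, the ASBR's router ID for type 4
    adv_router: str    # router ID of the originator
    metric: int
    ext_type: int = 0  # 1 (E1) or 2 (E2); only meaningful for types 5 and 7


def cost_to_asbr(lsdb, abr_costs, asbr_rid):
    """Cheapest path to an ASBR in another area: this router's own intra-area
    cost to an ABR (passed in as abr_costs) plus the metric that ABR put in its
    Type 4 LSA for the ASBR.  None if no usable Type 4 exists."""
    best = None
    for lsa in lsdb:
        if lsa.lsa_type == ASBR_SUMMARY and lsa.lsid == asbr_rid:
            via_abr = abr_costs.get(lsa.adv_router)
            if via_abr is not None and (best is None or via_abr + lsa.metric < best):
                best = via_abr + lsa.metric
    return best


def external_route(lsdb, abr_costs, prefix):
    """Best route to an external prefix as (kind, cost, forward_metric).
    E1: internal cost to the ASBR + external metric.  E2: external metric only;
    the internal cost is kept as the tie-breaker between equal-metric E2 routes.
    RFC 2328 section 16.4 prefers any E1 path over any E2 path."""
    candidates = []
    for lsa in lsdb:
        if lsa.lsa_type != AS_EXTERNAL or lsa.lsid != prefix:
            continue
        internal = cost_to_asbr(lsdb, abr_costs, lsa.adv_router)
        if internal is None:
            continue  # ASBR unreachable: the Type 5 cannot be used
        if lsa.ext_type == 1:
            candidates.append(("E1", internal + lsa.metric, internal))
        else:
            candidates.append(("E2", lsa.metric, internal))
    if not candidates:
        return None
    candidates.sort(key=lambda c: (c[0] != "E1", c[1], c[2]))
    return candidates[0]


def abr_floods(lsdb, area_kind, abr_rid):
    """LSAs an ABR floods into an area of the given kind, plus any default route.
    Type 7s born inside an NSSA are translated to Type 5 by the ABR (abr_rid
    becomes the advertising router) before they reach other areas.  Assumption of
    this model: a plain NSSA gets no default unless the ABR is told to originate one."""
    default = Lsa(SUMMARY, "0.0.0.0/0", abr_rid, 1)
    summaries = [l for l in lsdb if l.lsa_type == SUMMARY]
    externals = [l for l in lsdb if l.lsa_type in (ASBR_SUMMARY, AS_EXTERNAL)]
    translated = [Lsa(AS_EXTERNAL, l.lsid, abr_rid, l.metric, l.ext_type)
                  for l in lsdb if l.lsa_type == NSSA_EXTERNAL]
    return {
        "normal": summaries + externals + translated,
        "stub": summaries + [default],
        "totally-stubby": [default],
        "nssa": summaries,
        "totally-nssa": [default],
    }[area_kind]


# Constructed LSDB as seen by R1 in area 0: R2 summarises area 4 and the ASBR,
# R5 advertises the EIGRP subnet as an E2 route with metric 20.
R1_ABR_COSTS = {"2.2.2.2": 1}  # R1's intra-area cost to reach ABR R2
LSDB_E2 = [
    Lsa(SUMMARY, "192.168.4.0/24", "2.2.2.2", 2),
    Lsa(ASBR_SUMMARY, "5.5.5.5", "2.2.2.2", 2),
    Lsa(AS_EXTERNAL, "172.16.5.0/24", "5.5.5.5", 20, ext_type=2),
]
# Same topology if R5 had redistributed with metric-type 1 instead.
LSDB_E1 = LSDB_E2[:2] + [Lsa(AS_EXTERNAL, "172.16.5.0/24", "5.5.5.5", 20, ext_type=1)]

if __name__ == "__main__":
    print("E2:", external_route(LSDB_E2, R1_ABR_COSTS, "172.16.5.0/24"))
    print("E1:", external_route(LSDB_E1, R1_ABR_COSTS, "172.16.5.0/24"))
    for kind in ("normal", "stub", "totally-stubby", "nssa", "totally-nssa"):
        print(kind, [(l.lsa_type, l.lsid) for l in abr_floods(LSDB_E2, kind, "3.3.3.3")])
```

<p>Running it with the constructed LSDB gives R1 an E2 route at cost 20 with forward metric 3, and an E1 route at cost 1 + 2 + 20 = 23, the same arithmetic as above; the stub and totally-stubby cases show only Type 3 LSAs (and the injected default) surviving the ABR.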
</p> <p><a href="http://lh3.ggpht.com/-RGQaDeCxE2I/UktboPP7mEI/AAAAAAAAAhA/-jkA04WDcPk/s1600-h/image%25255B98%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh6.ggpht.com/-G7meaFVv91w/UktbpE5m3vI/AAAAAAAAAhE/vNyGqiHKFYs/image_thumb%25255B62%25255D.png?imgmax=800" width="925" height="566"></a> </p> <p>This LSA is generated by R6, which is now an ASBR because it redistributes its connected 192.168.6.0/24 subnet. As depicted above, once it reaches the ABR, R3, R3 translates it into a Type 5 (with R3 as the advertising router) before flooding it into area 0, so you will only see Type 7 LSAs inside an NSSA.</p> <p><a href="http://lh6.ggpht.com/-RWpOeuIp6Bo/Uktbpx_3eAI/AAAAAAAAAew/MLeNU7WQ3UY/s1600-h/image%25255B71%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://lh3.ggpht.com/-CP1FfHuMr_U/UktbqbzuG_I/AAAAAAAAAe4/5oDCGTsK7Fo/image_thumb%25255B43%25255D.png?imgmax=800" width="640" height="384"></a> <a href="http://lh3.ggpht.com/-oZFV6s42rQw/UktbrLWvNrI/AAAAAAAAAfA/JfbjJkUbayo/s1600-h/image%25255B74%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://lh3.ggpht.com/-_X3vUfaSXbY/Uktbr9foOSI/AAAAAAAAAfI/Ys8gHDZu4-M/image_thumb%25255B44%25255D.png?imgmax=800" width="640" height="392"></a> </p> <p><a href="http://lh4.ggpht.com/-oEbRGkrvNJs/UktbsXpTXXI/AAAAAAAAAfQ/1dlK-dFMC9k/s1600-h/image%25255B81%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://lh5.ggpht.com/-qx-104woMU4/UktbtGJZ3KI/AAAAAAAAAfY/YQWF5nHaGeI/image_thumb%25255B47%25255D.png?imgmax=800" width="461" height="331"></a> <a 
href="http://lh4.ggpht.com/-FdVUCbTe6TQ/Uktbt2LBAuI/AAAAAAAAAfg/xiv8Wii73rg/s1600-h/image%25255B84%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://lh3.ggpht.com/-tk-3HHW8r0Q/UktbuSPWg0I/AAAAAAAAAfo/9ueUZOWCwVU/image_thumb%25255B48%25255D.png?imgmax=800" width="548" height="113"></a></p> Steven Kinghttp://www.blogger.com/profile/07365721320218558098noreply@blogger.com3tag:blogger.com,1999:blog-8471280268531079705.post-42813998150313560262013-09-26T07:54:00.001-07:002013-09-27T10:37:31.932-07:00Exploring OSPF Messages in a Multi-access Network<p> </p> <p>The following network is configured with OSPF with all interfaces in area 0. Since this is a multi-access network, a Designated Router (DR) is elected which improves OSPF performance by reducing the amount of LSA flooding. R3 is the current DR, with R2 as the BDR. R4’s interface to SW1 has been configured as a passive interface to prevent an adjacency from forming and simulate R4 being a “new” router on the network. Wireshark is monitoring the link between R4 and SW1.</p> <p><a href="http://lh4.ggpht.com/-C4kq1r-fu9Y/UkRKjVvysSI/AAAAAAAAAYA/Ff3PrIz53oY/s1600-h/image80.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2dFlztsCLkVl3d1snzVXFLh2wKuMozRXIWbboYhZZ0rFVKmkQcMdq6F99UdHeDKZjcBS9C6KkHbJ0ZraunhFHyoHZaQ5JcpypW7XIL1Qw65QuEx1UhINILT9DTKC_aoGI9ZREC5nROk8/?imgmax=800" width="860" height="422"></a></p> <p>I won’t go into all the details regarding Wireshark output and the OSPF process. 
If you want a more detailed analysis, take a look at my previous blog article <a href="http://aspiringnetworker.blogspot.com/2013/09/exploring-ospf-messages-between-new.html" target="_blank">here</a>. In this article, we’ll only be taking a closer look at what happens specifically in a multi-access environment.</p> <p>Upon re-enabling R4’s interface for OSPF, we see R4 sends a Hello packet to the All OSPF Routers multicast address (224.0.0.5) and that no DR or BDR is listed. R4 is “new” to the network as far as OSPF is concerned, so it has no idea about the current topology.</p> <p><a href="http://lh6.ggpht.com/-NxOJNA_st44/UkRKkMRFMlI/AAAAAAAAAYQ/Ml8GDo94bws/s1600-h/image84.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/-AapmRFS9pO8/UkRKk1aM8QI/AAAAAAAAAYU/laFQOcqDvyg/image_thumb52.png?imgmax=800" width="860" height="427"></a></p> <p>R1, R2, and R3 all send Hello packets with the routers they have seen, which now includes the newly added R4. It also provides information regarding the established DR and BDR. Since there is already an established DR/BDR, R4 will not attempt to participate in an election or usurp the current DR/BDR. 
Also note that this Hello packet, and the communication that follows afterward between R4 and routers R1, R2, and R3 is unicast – not multicast.</p> <p><a href="http://lh3.ggpht.com/-a7smg48M6RU/UkRKlJSmLvI/AAAAAAAAAYg/3vriJYIWa48/s1600-h/image88.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj32r2CwPY0o1Z3ojuWVLzHoDjcZwS-jV2XC_5KLckeohbSA5CGN4c5SfjPb17z9rnL8qtIPEDyB99aX-MQ7EbGvttk8CFqtUor3Q2tCtAskuG-iwbLgZUm_9XTWmpbuz7mhjQZCCNGm4Q/?imgmax=800" width="860" height="504"></a></p> <p>What follows next are the usual Database Description (DD) packets used to establish the Master/Slave relationship, followed by the exchange of LSA headers (the LSA summaries). Notice that this communication is only occurring between R4 and routers R2 and R3 – the BDR and DR, respectively. Communication between R4 and R1 stops after they have reached the 2-Way state, since R1’s role in this environment is DROther (not the DR or BDR). </p> <p><a href="http://lh5.ggpht.com/-Jlwj6Ulgikc/UkRKmUbvwOI/AAAAAAAAAYs/-Z9YGtJ1qOo/s1600-h/image92.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/-9ZoZQeev55w/UkRKm8a0QUI/AAAAAAAAAY4/iw0kf0-HgWM/image_thumb56.png?imgmax=800" width="860" height="406"></a></p> <p>Of interest in this scenario is the Network LSA provided by R2 and R3 in addition to the usual Router LSAs. This is a Type 2 LSA that represents a subnet where a DR has been elected. Notice that the advertising router is the DR, and the Link State ID is the DR’s IP address on that subnet. 
An interesting note is that the SPF process treats this as an individual node in its “mathematical model”, so this type of LSA is sometimes referred to as a <em>pseudonode</em>.</p> <p><a href="http://lh5.ggpht.com/-vraXiZJlgI4/UkRKnSrnoEI/AAAAAAAAAY8/DSrGI9DhcYE/s1600-h/image95.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/-Zhwt0vOlAn4/UkRKoOw3XVI/AAAAAAAAAZI/EImvZtHN3ic/image_thumb57.png?imgmax=800" width="399" height="162"></a></p> <p>Since R4 will attempt to establish full adjacency with R2 and R3, R4 follows the usual process of requesting full LSAs from R2 and R3 for any LSAs it does not already have or that it may have but are not up to date. In addition, R2 and R3 will request at least R4’s Router LSA since they will obviously not have it. Once this process completes, R3 as a DR will send LSA Updates to the All OSPF Routers multicast address. In the picture below, R3 advertises R4’s Router LSA. This will in turn update R1 – the DR acts as a relay of sorts for updates in the OSPF environment.</p> <p><a href="http://lh5.ggpht.com/-W0_y8hrMI84/UkRKovB2XsI/AAAAAAAAAZQ/FJSoJMqEKX8/s1600-h/image100.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh6.ggpht.com/-gp05nY_GSQM/UkRKpJMBxxI/AAAAAAAAAZY/MkC3N60piUE/image_thumb60.png?imgmax=800" width="860" height="559"></a></p> <p>R4 will acknowledge the update utilizing the unicast IP address of the DR, mirroring the LS Sequence number. R4 has an updated LSA however, so it reports this to the DR utilizing the All OSPF DR Routers multicast address, 224.0.0.6. 
Notice the updated LS Sequence number.</p> <p><a href="http://lh4.ggpht.com/-wKiKAkNK55k/UkRKpuQFK7I/AAAAAAAAAZc/-HM2RkM5Mhg/s1600-h/image107.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUxU-x_a74RrIA3VrL-efeaWMZfQtf2Kpc58FmZpCTSJy0ISDaX6mMrymbmW201aA9M8PFP80qqo7Gc5GuHreuC-59U34rqlMJcmt6uL5dB3kQFlEyzvnCBEh6PQMTzcAPuwV9YLHXuYE/?imgmax=800" width="860" height="519"></a></p> <p>R3 then provides the updated LSA to the rest of the world, acknowledgements are sent back, and everything settles into place.</p> <p>Looking at the capture, there are two points I’m a little confused on. </p> <p>In one packet, R4 sends an acknowledgement using 224.0.0.6, and there are two Network LSAs contained within. Why are there two of the same network LSAs with different LS Seq numbers in the same LS Acknowledge?</p> <p><a href="http://lh4.ggpht.com/-jPuKxzHjfMY/UkRKqviVS2I/AAAAAAAAAZw/Dlu3VCCmHHI/s1600-h/image110.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh6.ggpht.com/-jTDYaFHq_s4/UkRKrVAET3I/AAAAAAAAAZ4/cfDSI6QqdOc/image_thumb64.png?imgmax=800" width="766" height="673"></a></p> <p>Another is that I see LS Acknowledgements sourced from R4 to the unicast address of the DR, as well as to the multicast address 224.0.0.6. 
What determines when an LS Acknowledgement is sent to the DR unicast address or to the multicast address?</p> <p>To be continued….</p> Steven Kinghttp://www.blogger.com/profile/07365721320218558098noreply@blogger.com3tag:blogger.com,1999:blog-8471280268531079705.post-69975163450965069182013-09-26T07:53:00.001-07:002013-10-04T10:25:06.884-07:00OSPF Link State Advertisements (LSAs) and Areas – Part I<p>If every router in an enterprise environment was in a single OSPF area, at some point you’re going to encounter scalability issues due to any changes in the environment causing an SPF recalculation in all routers in that single area.</p> <p>LSAs and their use within areas provide a mechanism for maximizing performance in OSPF by logically segmenting groups of contiguous links so that every router in the entire autonomous system does not have to have exact copies of the Link State Database (LSDB) and to reduce the amount of LSA flooding. SPF calculations are also isolated to each individual area rather than the entire environment. Different LSAs are used in different situations, and are treated differently depending on the type of OSPF area involved.</p> <p>The following table represents the different LSA types, and was taken from the CCIE R&S OCG.</p> <table border="0" cellspacing="0" cellpadding="2" width="772"> <tbody> <tr> <td valign="top" width="64">TYPE</td> <td valign="top" width="102">NAME</td> <td valign="top" width="604">DESCRIPTION</td></tr> <tr> <td valign="top" width="64">1</td> <td valign="top" width="102">Router</td> <td valign="top" width="604">One per router containing its RID and all interface IP addresses; also represents stub networks.</td></tr> <tr> <td valign="top" width="64">2</td> <td valign="top" width="102">Network</td> <td valign="top" width="604">One per transit network. 
Created by the DR and represents the subnet and router interfaces connected in the subnet.</td></tr> <tr> <td valign="top" width="64">3</td> <td valign="top" width="102">Network Summary</td> <td valign="top" width="604">Created by Area Border Routers (ABRs) to represent one area’s type 1 and 2 LSAs when being advertised into another area. This also defines the links (subnets) in the origin area, and cost, but no topology data.</td></tr> <tr> <td valign="top" width="64">4</td> <td valign="top" width="102">ASBR Summary</td> <td valign="top" width="604">Similar to a type 3 LSA, but it advertises a host route to reach an Autonomous System Boundary Router (ASBR)</td></tr> <tr> <td valign="top" width="64">5</td> <td valign="top" width="102">AS External</td> <td valign="top" width="604">Created by ASBRs for external routes injected into OSPF<br></td></tr> <tr> <td valign="top" width="64">6</td> <td valign="top" width="102">Group Membership</td> <td valign="top" width="604">Used for Multicast Open Shortest Path First (MOSPF). This is an extension to OSPF that allows multicast routing, allowing routers to share information about group memberships. 
This is not supported by Cisco.</td></tr> <tr> <td valign="top" width="64">7</td> <td valign="top" width="102">NSSA External</td> <td valign="top" width="604">Created by ASBRs inside of a NSSA area instead of a type 5 LSA.</td></tr> <tr> <td valign="top" width="64">8</td> <td valign="top" width="102">External Attributes</td> <td valign="top" width="604">Not implemented in Cisco routers.</td></tr> <tr> <td valign="top" width="64">9-11</td> <td valign="top" width="102">Opaque</td> <td valign="top" width="604">Used as generic LSAs to allow for easy future extension of OSPF; as an example, type 10 has been adapted for MPLS traffic engineering.</td></tr></tbody></table> <p>The diagram below depicts a simple point-to-point network with all interfaces within the same area.</p> <p><a href="http://lh4.ggpht.com/-EFQ6J0JGOQA/UkRKfZf2jWI/AAAAAAAAAXg/pIe-J7GaP4Y/s1600-h/image3.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh5.ggpht.com/-rvvvLrlKYug/UkRKf7Q1rWI/AAAAAAAAAXo/JokfNhuVWdw/image_thumb1.png?imgmax=800" width="640" height="434"></a></p> <p>In this situation, there will only be Type 1 LSAs exchanged between routers. The LSA will contain the RID of the advertising router, connected links (subnets), and the RIDs of any other routers it has seen. Below is Wireshark output taken from a different network than the one diagrammed above. The link types seen here are:</p> <ul> <li>PTP – Point-to-point connection <li>Stub – a subnet on which a router has not formed any neighbor relationships <ul> <li>*QUESTION* The CCIE R&S OCG defines a stub network this way, but Wireshark packet capture lists connected subnets that HAVE formed neighbor relationships as stubs… what gives? 
The entries that contain the RIDs of the other routers are listed as PTP and the loopback of the advertising router is listed as a Stub <ul> <li>*ANSWER* SPF treats these two “stub” entries as separate data structures from the PTP entries that actually specify the connected neighboring router. The more important of the two entries is the PTP entry. I don’t know exactly what that means, but I’ll push the “I Believe” button for now.</li></ul></li></ul></li></ul><a href="http://lh4.ggpht.com/-kc0Fv7_9iJ0/UkRKgWE22-I/AAAAAAAAAXs/FnSwEfgVvgs/s1600-h/image6.png"><img style="background-image: none; border-right-width: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsj32Iy1MPV3wwMFF3Jhoq1-78NmPcY1wVwaMzMDERrPp5eHssHq-5bjT6-Ej9Dgbbz7Vi0yaW5stnjZ7yMpZ_awEWni_PtUJbza18aXhljyy663eeywNoQGAWdgNIzp3-SNC1qz1sXVY/?imgmax=800" width="589" height="302"></a> <p>When we talk about a multi-access environment, a DR is elected and here is where we can expect to see a Type 2 LSA – a Network LSA. 
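</p>
<p>As an added example (not code from the original post), the Python below runs a toy SPF over Router (Type 1) and Network (Type 2) LSAs to show concretely what the PTP/stub distinction and the pseudonode mean to the algorithm: PTP and transit entries become graph edges (subject to the two-way check of RFC 2328 section 16.1), the Network LSA becomes a node that routers reach at their interface cost and that reaches every attached router at cost 0, and stub entries never become nodes at all, only prefixes hung off a router once it is reached. The router IDs, the DR address 10.0.0.3, the point-to-point link to a fifth router and all costs are constructed for the example, not taken from the lab captures.</p>

```python
# Added example, not code from the original post: a toy SPF (Dijkstra) over Router
# (Type 1) and Network (Type 2) LSAs that shows why the Network LSA is treated as a
# pseudonode.  Routers reach the pseudonode at their interface cost, the pseudonode
# reaches every attached router at cost 0, and "stub" entries never become graph
# nodes; they only contribute prefixes once the router they hang off is reached.
# Router IDs, addresses and costs are constructed: R1-R4 share a segment whose DR
# is R3 (interface 10.0.0.3), and R4 has a point-to-point link to R5.
import heapq
from itertools import count

# Router LSA links: ("ptp", neighbor RID, cost), ("transit", DR address, cost),
# ("stub", prefix, cost).  A p2p link yields a PTP entry for the neighbor plus a
# stub entry for the link's own subnet, which is the pairing seen in Wireshark.
ROUTER_LSAS = {
    "1.1.1.1": [("transit", "10.0.0.3", 1), ("stub", "1.1.1.1/32", 1)],
    "2.2.2.2": [("transit", "10.0.0.3", 1), ("stub", "2.2.2.2/32", 1)],
    "3.3.3.3": [("transit", "10.0.0.3", 1), ("stub", "3.3.3.3/32", 1)],
    "4.4.4.4": [("transit", "10.0.0.3", 1), ("stub", "4.4.4.4/32", 1),
                ("ptp", "5.5.5.5", 10), ("stub", "10.4.5.0/30", 10)],
    "5.5.5.5": [("ptp", "4.4.4.4", 10), ("stub", "10.4.5.0/30", 10),
                ("stub", "5.5.5.5/32", 1)],
}
# Network LSA keyed by its LSID (the DR's interface address); the DR lists itself.
NETWORK_LSAS = {
    "10.0.0.3": {"prefix": "10.0.0.0/24",
                 "attached": ["1.1.1.1", "2.2.2.2", "3.3.3.3", "4.4.4.4"]},
}


def build_graph(router_lsas, network_lsas):
    """node -> [(neighbor, cost)]; routers keyed by RID, pseudonodes by ('net', LSID)."""
    graph = {}
    for rid, links in router_lsas.items():
        edges = graph.setdefault(rid, [])
        for kind, target, cost in links:
            if kind == "ptp":
                edges.append((target, cost))
            elif kind == "transit":
                edges.append((("net", target), cost))
    for lsid, net in network_lsas.items():
        graph[("net", lsid)] = [(rid, 0) for rid in net["attached"]]
    return graph


def two_way(graph, u, v):
    """RFC 2328 16.1(2b): use an edge only if the far end also lists a link back."""
    return any(n == u for n, _ in graph.get(v, []))


def spf(router_lsas, network_lsas, root):
    """Dijkstra from root; returns node -> cost for every reachable node."""
    graph = build_graph(router_lsas, network_lsas)
    dist, done = {root: 0}, set()
    seq = count()  # tie-breaker so the heap never compares a str with a tuple node
    heap = [(0, next(seq), root)]
    while heap:
        d, _, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        for v, cost in graph.get(u, []):
            if two_way(graph, u, v) and d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                heapq.heappush(heap, (d + cost, next(seq), v))
    return dist


def routes(router_lsas, network_lsas, root):
    """prefix -> cost: stub prefixes hang off routers, transit prefixes off pseudonodes."""
    dist = spf(router_lsas, network_lsas, root)
    table = {}
    for rid, links in router_lsas.items():
        for kind, prefix, cost in links:
            if kind == "stub" and rid in dist:
                table[prefix] = min(table.get(prefix, float("inf")), dist[rid] + cost)
    for lsid, net in network_lsas.items():
        if ("net", lsid) in dist:
            table[net["prefix"]] = min(table.get(net["prefix"], float("inf")),
                                      dist[("net", lsid)])
    return table


if __name__ == "__main__":
    for prefix, cost in sorted(routes(ROUTER_LSAS, NETWORK_LSAS, "4.4.4.4").items()):
        print(f"{prefix:16} cost {cost}")
```

<p>From R4, every router on the shared segment costs 1 (R4 to pseudonode at 1, pseudonode to router at 0), the transit prefix 10.0.0.0/24 costs 1, each loopback behind a segment neighbour costs 2, and the 10.4.5.0/30 link subnet is reached through R4’s own stub entry at 10, not through R5’s copy at 20.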
</p> <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaIqLsqhQGjWz73shry4MmGGZVqL10bCf1lKvIhCyNuN4k-v-XMhC3qduxpKjEF6KvstSx41xFtyJx85Cc7kEz_KaUqGWcl80mJz2S-W0T4XJiVk6vpjJHFSdE8DiysLGYBcJUJKwgxvA/s1600-h/image%25255B10%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://lh3.ggpht.com/-9qbnAOOiHl4/UkXx3dKIZvI/AAAAAAAAAaQ/sP_ibRlT-QA/image_thumb%25255B6%25255D.png?imgmax=800" width="587" height="499"></a> <a href="http://lh3.ggpht.com/-Sar2sH57OIk/UkXx4OdFCSI/AAAAAAAAAaY/eT682VH1cD0/s1600-h/image%25255B15%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/-JYh9soUCwus/UkXx43pzM0I/AAAAAAAAAag/va0prOdj6xM/image_thumb%25255B9%25255D.png?imgmax=800" width="690" height="446"></a> </p> <p>This type of LSA is generated by the DR and describes the subnet as well as the RIDs of the DR’s connected neighbors. The Link State ID will be the interface IP address of the DR within that subnet. It may seem odd that it lists itself as an attached router. This is because this LSA is treated as a <em>pseudonode – </em>not an actual physical device, but a logical node on the SPF mathematical model. So think of it as a separate entity from the actual physical router that is the acting DR.</p> <p>You will find Type 1 and 2 LSAs inside of a single area. These are the most computation-intensive LSA types and they do not traverse areas. When you bring in multiple areas, this is where you encounter a Type 3 – a Network Summary LSA. 
Since R2 now has interfaces in two areas – area 0 and 4, it is now an Area Border Router (ABR).</p> <p><a href="http://lh3.ggpht.com/-MdYijZPI1Fw/UkmU2MV51kI/AAAAAAAAAaw/W7RQesogk6Q/s1600-h/image%25255B10%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://lh3.ggpht.com/-4LZfQlAw-_c/UkmU3EFhv0I/AAAAAAAAAa4/ILsLLseUqV4/image_thumb%25255B6%25255D.png?imgmax=800" width="589" height="366"></a> <a href="http://lh6.ggpht.com/-cwghPKG-s6g/UkmU3ihm2VI/AAAAAAAAAbA/6fC7s6j4Dlc/s1600-h/image%25255B14%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtFfYuJ7e9XjB4PEmWTGyMRbwo9mTMXbuujLVBy__8jOWLPxf-ydSh7aFAjVIudS6ZZTvglKFr-bCA3s9nFeDBBfeOSq3UX3a-fvJF49d3AejM0-uyNhHBt5V49me6FA9BNeIAM7ASzS4/?imgmax=800" width="496" height="366"></a> </p> <p></p> <p></p> <p></p> <p>This type of LSA is created by ABRs to represent subnets that the ABR can reach. Notice that it not only contains its directly connected subnets in area 4, but also the route it learned from R4. The nice thing about this is that a router, for example R3, doesn’t have to run the SPF algorithm for these routes. All it does is add its cost to <em>reach</em> the ABR, to the metric value gleaned from the LSA from the ABR. 
So in this case, the cost for R3 to reach 192.168.4.0 would be 3 (1 for the cost of R3’s fa0/0 interface, plus 2 for the metric advertised in the Type 3 LSA).</p> <p><a href="http://lh5.ggpht.com/-NzTIrVA_9kk/UkmU4x-UqsI/AAAAAAAAAbQ/65d172xkZxg/s1600-h/image%25255B18%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi454w12wgmxnZGvl2kNIGxG6nQ2CJi7B4-RpB9Aa9nx91FAlZQnR-ny7CNBr10ntmdEq21v1veFRD60QYfUIbk1QA__HK3ECuyfp05Ov5_itNlk5bRkd5mj8hsRcJnfTxLnfgRfsZ4Lg8/?imgmax=800" width="587" height="103"></a> </p> <p>If you haven’t picked up on it already, an interesting note is that this is distance vector behavior because R3 in this example depends on R2 to tell it the metrics to reach routes in area 4 instead of R3 determining the cost on its own. So OSPF is a link state routing protocol, but when it comes to inter-area operations it uses a distance vector algorithm. Pretty cool. Something I found out from the TCP/IP Routing Vol I book is that this is the reason why there is a backbone area and that all areas must be connected to it. 
This essentially creates a hub-and-spoke topology and prevents the routing loops that distance vector protocols are so vulnerable to.</p> <p>Continue to <a href="http://aspiringnetworker.blogspot.com/2013/10/ospf-link-state-advertisements-lsas-and.html">Part II</a>.</p> Steven Kinghttp://www.blogger.com/profile/07365721320218558098noreply@blogger.com2tag:blogger.com,1999:blog-8471280268531079705.post-47034439455647371962013-09-05T23:54:00.001-07:002013-09-20T14:25:43.314-07:00Exploring OSPF Messages Between New Neighbors<p><a href="http://lh4.ggpht.com/-pxne8Rs7Y-k/UjyMGPMf7HI/AAAAAAAAATk/UCuETdel16E/s1600-h/image%25255B9%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh3.ggpht.com/-emp9qcmG4Vo/UjyMGrPgueI/AAAAAAAAATs/Dsb1piufMNw/image_thumb%25255B5%25255D.png?imgmax=800" width="703" height="126"></a> </p> <p>A basic network is set up and OSPF is configured. R1 is then prevented from forming an OSPF adjacency with R2 due to R1’s serial interface being configured as a passive interface.</p> <p>Only Hello packets are seen from R2.</p> <p><a href="http://lh6.ggpht.com/-pLL8FSISTGI/Uil8HrnqbqI/AAAAAAAAAS0/DP2zuze3c18/s1600-h/image%25255B5%25255D.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/-BXWIF0zhiPo/Uil8IHz2frI/AAAAAAAAAS8/LyXM0j-dM5M/image_thumb%25255B3%25255D.png?imgmax=800" width="688" height="524"></a></p> <p>From this Wireshark output we can see:</p> <ol> <li>OSPF Version 2 is utilized <li>This is a Hello packet <li>The Hello packet is sourced from a router with OSPF Router ID 2.2.2.2. Duplicate RIDs will prevent an OSPF adjacency and cause other issues. 
<li>The interface that sourced this Hello packet resides in OSPF area 0. This item is used to verify that the two connected router interfaces are within the same OSPF area – this is a requirement in order to form an OSPF adjacency. <li>No authentication is used <li>A /30 network mask is used on R2’s connected interface. This item is used to verify that the two connected router interfaces are using the same subnet mask, which is a requirement in order to form an OSPF adjacency in addition to the two interfaces being within the same primary subnet. <li>Hello and Dead timers. These must be the same on both connected routers in order to form an OSPF adjacency. <ol> <li>Hello is set to the default 10 seconds <li>Dead is set to the default 40 seconds</li></ol> <li>The configured router priority is the default of 1. <li>An active neighbor is listed. This was due to the fact that an adjacency existed before I set the interface to passive, and the dead timer hadn’t expired yet on R2. This line will disappear in subsequent Hello packets once the timer on R2 expires and it drops the now broken adjacency.</li></ol> <p>Also, notice that the OSPF process-id is not included in the Hello packet. This is because the process-id is only locally-significant.</p> <p>So now, let’s re-enable R1’s s1/0 interface as an active OSPF interface.</p> <p>As the neighborship begins to form and the LSDB exchange process starts, the first thing we see is a Hello from R1 while it is in the Init state. R2 then sends a hello that indicates it has seen R1. 
This means R2 is now in a 2-way state.</p> <p><a href="http://lh4.ggpht.com/-SvE4aZge1go/UjyMHVju9RI/AAAAAAAAAT0/MGD8OOcpK_Y/s1600-h/image%25255B5%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/-UgSddbThqbM/UjyMIEw3zUI/AAAAAAAAAT8/auzEh8zRsHM/image_thumb%25255B3%25255D.png?imgmax=800" width="589" height="466"></a> </p> <p>The next two packets appear to be a negotiation between the two routers to determine who will be the master and slave in the relationship, as they both have the master bit set, and no LSA headers. I also noticed that the Init bit is set in both of these DD packets. I believe this would equate to the ExStart state.</p> <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2wXBFuTU7GG9XwEyVreEX1TnE7Vi2sagdkTCRnGC5rI4573LRVveQZG-LrqP0RcZJxnxno29WJnD4OS6pO-mPvlDyEZkmCV6BPtYy-ceqyo7GrfdMwtwLGNRp4HvNFnH_KxeWGbXr9Jc/s1600-h/image%25255B13%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyH9lBDHHjEkd1YhvEQL0nb0GMvixPNKYhTFBGpVTS9XGuQ6B-vKEbo34okmDVl0eI1tBTkjZqPHVJdMVrnHfRyEO6TB1ULhO8CGZxXKr9ruq95Un4iGeDYEbnAuYcC4ZpfFU5iLz0cuQ/?imgmax=800" width="421" height="419"></a> <a href="http://lh4.ggpht.com/-tGqGH-XaRgE/UjyMKEore_I/AAAAAAAAAUU/vXKviS5h_dk/s1600-h/image%25255B17%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh5.ggpht.com/-tgRFC_EZFq0/UjyMK2pVzaI/AAAAAAAAAUc/oEbCGmeAUXg/image_thumb%25255B9%25255D.png?imgmax=800" width="426" height="419"></a> </p> <p></p> <p></p> <p></p> <p></p> <p>The next two packets indicate that R2 is the master, which it should be due to the higher RID. 
Also notice the Init bit is no longer set, and LSA Headers are provided. The LSDB Exchange has started.</p> <p><a href="http://lh6.ggpht.com/-t-8NA8ITGig/UjyMLYyI7bI/AAAAAAAAAUk/iPBSZe6ym9A/s1600-h/image%25255B23%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_b0sdi8lUM4wssg_XbVi4i-yMHFsI94fRsHzUiwohEmqCrunivANGICIMzI6bh_VBWV_bipdG1CK12poeBKI8eN-erwHE3P94ZhTunuT3Y33T9u9GbFbLYaQM5je7S16ht3jGspq6ptg/?imgmax=800" width="421" height="426"></a> <a href="http://lh3.ggpht.com/-s6BREviOwZ0/UjyMP-frAEI/AAAAAAAAAUw/KC7C9X4b6ps/s1600-h/image%25255B31%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEUO84b4fOZYTVxsI3-VGSvl65DxfQ3CkY9mRTMAz5hxFNZgye3TZc40kn9eIDanjytyydb7vQtElvwuY1_2XwHakNqU4iYOqj10NSY0v4PAE9ulNdTlmtgXItZGWLIs1zTyiv2uEYtkw/?imgmax=800" width="422" height="424"></a> </p> <p>These LSAs are Router LSAs and do not contain any in-depth information such as the actual links contained within them. An important thing to note is the LS Sequence number. A router uses this to see if a) it already has this LSA and b) if the LS Sequence number is later than the received LSA’s. 
If the received LSA’s sequence number is later than the LSA it has in its database, the router assumes the received LSA is more recent, and will in turn send a LS Request to get a full copy of that LSA.</p> <p><a href="http://lh5.ggpht.com/-tsB-kRqzuac/UjyMS3VtdOI/AAAAAAAAAVE/G79Fxpp3kCs/s1600-h/image%25255B35%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh6.ggpht.com/-zrxZLuOW6OA/UjyMT7cOZkI/AAAAAAAAAVM/-hhhQNtnoJQ/image_thumb%25255B19%25255D.png?imgmax=800" width="412" height="412"></a> </p> <p></p> <p></p> <p></p> <p>Now that both routers have a list of LSAs that their neighbor has, LS Requests are sent to retrieve the full LSAs for any that they do not have locally, or LSAs that their neighbor has a more recent version of (Again, going off the LS Sequence number). This is the Loading state.</p> <p> <a href="http://lh5.ggpht.com/-w5pCCjoObNU/Ujy9OHk8YZI/AAAAAAAAAV4/rn_mGArdYj8/s1600-h/image%25255B51%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/-TTTLWBFFnRE/Ujy9O5_0QuI/AAAAAAAAAWA/jSwsZN6FhYY/image_thumb%25255B27%25255D.png?imgmax=800" width="408" height="400"></a> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikk4Ad7qU1n26OiIoI4eZUVpdkt5PSRwVgr1oG94LPgIvaT_ZVp7ZAqUPesqAtUA6E01Co04_Sh9GZKrZ7AUWxCqg4uRE86w8LZK23dnK0emjsyfSIEhwOvxG46V96dx2pAdcGl9NiiOI/s1600-h/image%25255B43%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh6.ggpht.com/-_cZCYsrW8l8/Ujy9QV3kF3I/AAAAAAAAAWQ/OZCwxPyZ1I8/image_thumb%25255B23%25255D.png?imgmax=800" width="410" height="398"></a> </p> <p></p> <p></p> <p></p> <p>LS Updates are sent in return with full information regarding the requested LSA. 
Here we see R1 send its Router-LSA (LS ID 1.1.1.1) with sequence number ending in 04. R2 sends its Router-LSA (LS ID 2.2.2.2) with sequence number ending in 03. Both of these LSAs contain the links and metric that each respective router has at that point in time. These LSAs will then be locally updated with the new information, and their sequence numbers incremented. Also, LS Acknowledgements are sent to tell each router that their LS Updates were received successfully by mirroring the previously-received LS Sequence number. </p> <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp1xyWQ9a9xE26Qa59OSXcd3fzymu4RrX-Rm_CELvAGhp2XsiQzffCvzX513Z0iwzQRM7ETlPQ5Q43bQOcPsqkcfaAzIph_6zwmloziDh89JsNn9R-AJrb3BulIA_iXUBopK72-mzotiA/s1600-h/image%25255B59%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh5.ggpht.com/-Iu7cuA2dkdM/Ujy9R-i5aII/AAAAAAAAAWg/lJUuZIqwOMI/image_thumb%25255B31%25255D.png?imgmax=800" width="411" height="504"></a> <a href="http://lh4.ggpht.com/-uLu5s1JRB1Q/Ujy9Sb6-3mI/AAAAAAAAAWo/V2dVuIjwK90/s1600-h/image%25255B60%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLXvIa66MCBlCRkElZzkXxxiYTnFFpLEhaibwoBFFv3_0-KMSwdPd35VV4yGG-E_3X6SCue-T7_f9HaeJwz49Wk2-SQC1mU0b8gfyosgQN1mBDzsPB1lCUa0A0dbZhOi_E92_CFWeQcoU/?imgmax=800" width="410" height="504"></a> </p> <p></p> <p>The next LS Updates are sent out containing their previous information in addition to the updated links that were newly added by the previous LS Updates. 
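</p>
<p>The exchange walked through in this post, as an added Python model rather than the post's capture: ExStart master election by the higher RID, DBD header comparison by signed 32-bit LS Sequence number, LS Requests for any LSA that is missing locally or that the neighbor holds a newer instance of, LS Updates answered with LS Acknowledgements, and finally the re-origination of each Router-LSA with an incremented sequence number once the new link exists. LSA headers are reduced to (type, LS ID, advertising router) plus a sequence number (no age or checksum), and the two LSDBs, including a third router 3.3.3.3 that R1 holds a newer copy of than R2 does, are constructed for the example.</p>

```python
INITIAL_SEQ = 0x80000001  # first instance of any LSA (RFC 2328)


def as_signed(seq):
    """LS Sequence numbers are signed 32-bit: 0x80000001 is the oldest possible
    value and 0x7FFFFFFF the newest, so 0x80000004 is newer than 0x80000003."""
    return seq - (1 << 32) if seq & 0x80000000 else seq


def is_newer(candidate, current):
    return as_signed(candidate) > as_signed(current)


def elect_master(rid_a, rid_b):
    """ExStart: both sides claim master; the higher Router ID wins."""
    as_tuple = lambda rid: tuple(int(o) for o in rid.split("."))
    return rid_a if as_tuple(rid_a) > as_tuple(rid_b) else rid_b


def ls_requests(local_db, neighbor_headers):
    """Exchange -> Loading: request each LSA the neighbor lists that we lack,
    or that it holds a newer instance of. Headers are {key: seq}."""
    return [key for key, seq in neighbor_headers.items()
            if key not in local_db or is_newer(seq, local_db[key]["seq"])]


def install_updates(local_db, updates):
    """Install LS Updates that are newer than what we hold and return the
    headers to echo back in an LS Acknowledgement."""
    acked = []
    for key, lsa in updates.items():
        if key not in local_db or is_newer(lsa["seq"], local_db[key]["seq"]):
            local_db[key] = {"seq": lsa["seq"], "links": list(lsa["links"])}
            acked.append((key, lsa["seq"]))
    return acked


def reoriginate_router_lsa(db, rid, new_link):
    """A new link means a new instance of our own Router-LSA: seq + 1."""
    key = ("Router", rid, rid)
    lsa = db[key]
    db[key] = {"seq": lsa["seq"] + 1, "links": lsa["links"] + [new_link]}
    return key, db[key]


def form_adjacency(r1, r2):
    """Run the DBD / LS Request / LS Update / LS Ack exchange from both sides.
    r1 and r2 are {"rid": str, "db": {key: {"seq": int, "links": [...]}}}."""
    master = elect_master(r1["rid"], r2["rid"])
    hdr1 = {k: v["seq"] for k, v in r1["db"].items()}  # R1's DBD headers
    hdr2 = {k: v["seq"] for k, v in r2["db"].items()}  # R2's DBD headers
    req1 = ls_requests(r1["db"], hdr2)  # what R1 asks R2 for
    req2 = ls_requests(r2["db"], hdr1)  # what R2 asks R1 for
    ack1 = install_updates(r1["db"], {k: r2["db"][k] for k in req1})
    ack2 = install_updates(r2["db"], {k: r1["db"][k] for k in req2})
    # Each router now lists the new point-to-point neighbor and floods the
    # new instance; the other side installs it because the sequence is newer.
    k1, lsa1 = reoriginate_router_lsa(r1["db"], r1["rid"], ("p2p", r2["rid"]))
    k2, lsa2 = reoriginate_router_lsa(r2["db"], r2["rid"], ("p2p", r1["rid"]))
    install_updates(r2["db"], {k1: lsa1})
    install_updates(r1["db"], {k2: lsa2})
    return {"master": master, "req_from_r1": req1, "req_from_r2": req2,
            "acks_from_r1": ack1, "acks_from_r2": ack2,
            "in_sync": r1["db"] == r2["db"]}


def demo():
    # Constructed LSDBs (not the post's capture): sequence numbers chosen so the
    # LS Updates end in 04 (R1) and 03 (R2) as in the post, and R1 holds a newer
    # copy of a third router's LSA than R2 does.
    r1 = {"rid": "1.1.1.1", "db": {
        ("Router", "1.1.1.1", "1.1.1.1"): {"seq": 0x80000004, "links": [("stub", "10.1.1.0/24")]},
        ("Router", "3.3.3.3", "3.3.3.3"): {"seq": 0x80000002, "links": [("stub", "10.3.3.0/24")]},
    }}
    r2 = {"rid": "2.2.2.2", "db": {
        ("Router", "2.2.2.2", "2.2.2.2"): {"seq": 0x80000003, "links": [("stub", "10.2.2.0/24")]},
        ("Router", "3.3.3.3", "3.3.3.3"): {"seq": INITIAL_SEQ, "links": []},
    }}
    result = form_adjacency(r1, r2)
    result["r1_seq"] = r1["db"][("Router", "1.1.1.1", "1.1.1.1")]["seq"]
    result["r2_seq"] = r1["db"][("Router", "2.2.2.2", "2.2.2.2")]["seq"]
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

<p>Running it shows R2 elected master, R1 requesting only R2's Router-LSA, R2 requesting both R1's Router-LSA and the newer 3.3.3.3 instance, and both databases identical at the end with the two Router-LSAs now at sequence numbers ending in 05 and 04.</p>
<p>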
Notice the incremented LS Sequence numbers.</p> <p><a href="http://lh4.ggpht.com/-uYDV1aUp9w0/Ujy9TpzNEjI/AAAAAAAAAW4/XECT4JN4IdU/s1600-h/image%25255B71%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh5.ggpht.com/-Lk2ViSKK_MA/Ujy9UDwYG4I/AAAAAAAAAXA/jSrF0eGHthk/image_thumb%25255B39%25255D.png?imgmax=800" width="409" height="564"></a> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKEFqLR559CIiCBr23hSn2GRMbeh1vILxWGuW0F2wwz0weA73eeWeJ-lGBTi1O0aSeDhhBW0jEp3aMR8gkhwP6ws06A2_NGxI8AyesXg3YKouWPKxBmQN9Cj4yBa0dlpODVlaE23r-Aac/s1600-h/image%25255B76%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh6.ggpht.com/-TdSVugBymzM/Ujy9Vb709lI/AAAAAAAAAXQ/aoK_bN8z8xU/image_thumb%25255B42%25255D.png?imgmax=800" width="410" height="563"></a> </p> <p>LS Acknowledgements are sent, LSAs and their LS Sequence numbers now match – all is good. These neighbors are now fully adjacent.</p> Steven Kinghttp://www.blogger.com/profile/07365721320218558098noreply@blogger.com0tag:blogger.com,1999:blog-8471280268531079705.post-15736303695492926872013-08-22T09:45:00.001-07:002013-08-22T09:45:08.584-07:00Late Night fun with a Meme Generator<p>I was watching a movie the other night with my wife and decided to hop on memegenerator.net and play around with memes. 
Thought I’d share my creations.</p> <p> </p> <p><a href="http://lh4.ggpht.com/-4rnGU3emf1M/UhY__0lKzLI/AAAAAAAAARM/pdhCv5pvveA/s1600-h/Cisco%252520QoS%25255B5%25255D.jpg"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="Cisco QoS" border="0" alt="Cisco QoS" src="http://lh5.ggpht.com/-HQ7b4FZNvls/UhZAAWmpHcI/AAAAAAAAARU/inyxR6T8D9I/Cisco%252520QoS_thumb%25255B1%25255D.jpg?imgmax=800" width="244" height="184"></a> <a href="http://lh5.ggpht.com/-PekirdBRlXg/UhZAA_VD3TI/AAAAAAAAARc/64RPxLlReaE/s1600-h/ImageUploadedByTapatalk1377063738_991258%25255B5%25255D.jpg"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="ImageUploadedByTapatalk1377063738_991258" border="0" alt="ImageUploadedByTapatalk1377063738_991258" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKRLU97BxxQ-_BiP6mRRugc1nex_dkpgavszoKYhW6gBY-Yp0dRU7qCWeK30doNEscyjagzQHqD8uuEGfcPu-jcJYJJqNrgwADpfigTd-vhcW4NhX3zUgiirGk04ziwDbXPaGAVi-JU-c/?imgmax=800" width="244" height="244"></a> </p> <p><a href="http://lh3.ggpht.com/-buyNI2UJPKc/UhZACKyQGpI/AAAAAAAAARs/FWB9ruyZt20/s1600-h/fcoe%25255B5%25255D.jpg"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="fcoe" border="0" alt="fcoe" src="http://lh4.ggpht.com/-W0Jb3kSwqw0/UhZAClSfDKI/AAAAAAAAAR0/zwMbplu68B4/fcoe_thumb%25255B1%25255D.jpg?imgmax=800" width="244" height="140"></a><a href="http://lh6.ggpht.com/-MtMNVOlzv-Q/UhZADE1Lc-I/AAAAAAAAAR8/iVTpdRFdNXs/s1600-h/NetDiagram%25255B5%25255D.jpg"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="NetDiagram" border="0" alt="NetDiagram" src="http://lh5.ggpht.com/-T1hsWUwM5Hg/UhZADky4-GI/AAAAAAAAASE/Tdv-pW_-s1s/NetDiagram_thumb%25255B1%25255D.jpg?imgmax=800" width="195" 
height="244"></a><a href="http://lh5.ggpht.com/-8wUVVMwBVxM/UhZAEFvGlwI/AAAAAAAAASM/zZVJTHxXh34/s1600-h/ProConsult%25255B5%25255D.jpg"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="ProConsult" border="0" alt="ProConsult" src="http://lh3.ggpht.com/-rShgraXObMs/UhZAE50x92I/AAAAAAAAASU/QiNsbtyGyzM/ProConsult_thumb%25255B1%25255D.jpg?imgmax=800" width="244" height="244"></a></p> Steven Kinghttp://www.blogger.com/profile/07365721320218558098noreply@blogger.com2tag:blogger.com,1999:blog-8471280268531079705.post-84767952107786745652013-08-07T10:25:00.001-07:002013-08-07T10:26:19.813-07:00Quality of Service (QoS) – Policing and Shaping Notes<p>Policers and shapers identify traffic violations in an identical manner, but treat them differently. Policers perform instantaneous checks and immediately take action when a violation occurs. Actions can include marking, dropping, and even just transmitting the packet. Shapers, on the other hand, are traffic-smoothing tools. Their objective is to send all traffic out a given interface, but to smooth it out so that it never exceeds a given rate – usually in order to meet SLAs. 
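</p>
<p>To make the policer/shaper distinction concrete, here is an added simulation (not from the post) that runs both against the same constructed burst: a single-rate three-colour policer with a committed (Bc) and an excess (Be) bucket that returns conform, exceed or violate for each packet and never queues anything, and a token-bucket shaper that never drops but holds packets until enough tokens have accrued at the CIR. The CIR, burst sizes and packet timing are constructed values, and time is kept in integer milliseconds so the arithmetic is exact.</p>

```python
from dataclasses import dataclass, field


@dataclass
class Policer:
    """Single-rate, three-colour policer in the style of RFC 2697 (assumption:
    the post's conform/exceed/violate classes map onto Bc and Be buckets).
    cir in bytes per second; bc (committed burst) and be (excess burst) in
    bytes; time in integer milliseconds so the arithmetic is exact."""
    cir: int
    bc: int
    be: int
    tc: int = field(init=False)
    te: int = field(init=False)
    last_ms: int = 0

    def __post_init__(self):
        self.tc, self.te = self.bc, self.be  # both buckets start full

    def classify(self, now_ms, size):
        # Refill: tokens flow into Bc first, any overflow spills into Be.
        self.tc += (now_ms - self.last_ms) * self.cir // 1000
        self.last_ms = now_ms
        if self.tc > self.bc:
            self.te = min(self.be, self.te + self.tc - self.bc)
            self.tc = self.bc
        if size <= self.tc:
            self.tc -= size
            return "conform"
        if size <= self.te:
            self.te -= size
            return "exceed"
        return "violate"  # no tokens anywhere: drop or re-mark, never buffer


@dataclass
class Shaper:
    """Token-bucket shaper: nothing is dropped; a packet that finds too few
    tokens waits (FIFO) until enough have accrued at the CIR."""
    cir: int
    bc: int
    tokens: int = field(init=False)
    last_ms: int = 0

    def __post_init__(self):
        self.tokens = self.bc

    def schedule(self, arrival_ms, size):
        now = max(arrival_ms, self.last_ms)  # cannot go out before the previous packet
        self.tokens = min(self.bc, self.tokens + (now - self.last_ms) * self.cir // 1000)
        shortfall = size - self.tokens
        wait_ms = 0 if shortfall <= 0 else -(-shortfall * 1000 // self.cir)  # ceil
        self.tokens += wait_ms * self.cir // 1000 - size
        self.last_ms = now + wait_ms
        return self.last_ms  # transmit time in ms


def run_demo():
    """Constructed burst: ten 1000-byte packets 1 ms apart against CIR 100 kB/s,
    Bc 3000 B, Be 2000 B. Returns (policer verdicts, shaper send times in ms)."""
    burst = [(t, 1000) for t in range(10)]
    policer = Policer(cir=100_000, bc=3000, be=2000)
    shaper = Shaper(cir=100_000, bc=3000)
    verdicts = [policer.classify(t, size) for t, size in burst]
    send_times = [shaper.schedule(t, size) for t, size in burst]
    return verdicts, send_times


if __name__ == "__main__":
    verdicts, send_times = run_demo()
    for i, (v, s) in enumerate(zip(verdicts, send_times)):
        print(f"packet {i}: policer={v:8s} shaper sends at t={s} ms")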
Excess traffic is buffered and delayed until the traffic once again dips below the defined maximum rate.</p> <div align="center"> <table border="1" cellspacing="0" cellpadding="2" width="632" align="center"> <tbody> <tr> <td valign="top" width="281"><strong>Policer</strong></td> <td valign="top" width="349"><strong>Shaper</strong></td></tr> <tr> <td valign="top" width="281"> <p align="left">Causes TCP resends as traffic is dropped</p></td> <td valign="top" width="349"> <p align="left">Delays traffic; involves less TCP resends</p></td></tr> <tr> <td valign="top" width="281"> <p align="left">Inflexible; makes instant drop decisions</p></td> <td valign="top" width="349"> <p align="left">Adapts to network congestion by queuing excess traffic</p></td></tr> <tr> <td valign="top" width="281"> <p align="left">Ingress or egress interface tool</p></td> <td valign="top" width="349"> <p align="left">Typically egress only</p></td></tr> <tr> <td valign="top" width="281"> <p align="left">Rate limiting – no buffering</p></td> <td valign="top" width="349"> <p align="left">Rate limiting with buffering</p></td></tr></tbody></table></div> <p>While policing and shaping tools are not employed to directly provide QoS for real-time traffic, they do regulate/stabilize traffic flows so that unexpected bursts in data traffic do not induce jitter and latency that adversely affects real-time traffic.</p> <p>Policers determine whether each packet conforms, exceeds, or violates the policies configured for traffic, and takes the prescribed action in each case.</p> <ul> <li>Conforming – traffic that falls within the rate configured for the policer <li>Exceeding – traffic that is above the policer rate, but still within the burst parameters <li>Violating – traffic that is above both the policer rate and burst parameters</li></ul> <p>It is not productive to police voice traffic or call-signaling traffic because the incoming rates of these traffic types should be controlled at their origin by call 
admission control (CAC) mechanisms.</p> <p>You can also use a policer as a marker to re-mark traffic upon an exceed and/or violate action rather than just drop it.</p> <p>Although a policer can be deployed ingress or egress, it is typically deployed at the network edge on traffic ingress. If packets will be dropped, there is little point in spending CPU cycles routing these packets. Policers are also often deployed at the traffic egress interface to control bandwidth used or allocated to a particular class of traffic.</p> <p>As mentioned earlier, shapers are similar to policers in that they also limit the transmission rate of packets but they do so by delaying packets that exceed the CIR. This allows for conformance to SLAs. Shaping is crucial for non-broadcast multi-access (NBMA) topologies such as ATM and Frame Relay, or potentially anywhere else where a speed mismatch may exist. Examples of this would be line speed mismatches, aggregated traffic oversubscription, and SLA enforcement by a carrier.</p> Steven Kinghttp://www.blogger.com/profile/07365721320218558098noreply@blogger.com0tag:blogger.com,1999:blog-8471280268531079705.post-59167124424695152992013-08-02T09:15:00.001-07:002013-08-02T09:17:03.540-07:00EtherChannel – Quick and Dirty<p>EtherChannel allows you to aggregate several switch links into a single, fast, fault-tolerant, logical interface. 16 links can be defined for an EtherChannel, however, a maximum of 8 will be active at any one time. The other links are placed on standby.</p> <p>While having multiple links between two switches can possibly create bridging loops, EtherChannel avoids this by bundling the links into a single logical interface. This logical interface can be configured as an access or trunk interface.</p> <p>For ports to be members of the same EtherChannel, there are some restrictions. 
Ports must: </p> <ul> <li>Belong to the same VLAN <li>Have identical STP settings <li>Have identical speed/duplex settings <li>Note: In addition, if the EtherChannel is to be used as a trunking interface, all ports must be in trunking mode, have the same native VLAN, and pass the same set of VLANs. </li></ul> <p>The full duplex maximum bandwidth for 8 links is as follows: </p> <ul> <li>Fast EtherChannel (FEC): 1600 Mbps <li>Gigabit EtherChannel (GEC): 16Gbps <li>10-Gigabit EtherChannel (10GEC): 160Gbps <li>Note: This is <em>theoretical</em>; maximum bandwidth is not likely to be achieved due to unequal load balancing, and other factors. </li></ul> <h3>Load Balancing</h3> <p> </p> <p>EtherChannel load balancing across the links can occur in a number of configurable methods for optimization in your environment. IP addresses, MAC addresses, and TCP/UDP port numbers can be leveraged. The complete list is:</p> <ul> <li>Source IP (<strong>src-ip</strong>) <li>Destination IP (<strong>dst-ip</strong>) <li>Source and Destination IP (<strong>src-dst-ip</strong>) <li>Source MAC (<strong>src-mac</strong>) <li>Destination MAC (<strong>dst-mac</strong>) <li>Source and Destination MAC (<strong>src-dst-mac</strong>) <li>Source Port (<strong>src-port</strong>) <li>Destination Port (<strong>dst-port</strong>) <li>Source and Destination Port (<strong>src-dst-port</strong>) </li></ul> <p>When more than one item is utilized in the load balancing method, an XOR operation occurs, and for 2 links, the last bit is utilized. Four links uses the last two bits, and eight links use the last three. Below shows two switches with an EtherChannel with four links, configured to use the Source and Destination IP (<strong>src-dst-ip</strong>) method of load balancing. 
The four different examples show how the links are used as different devices communicate across the two switches.</p> <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1krO-rSMJqNwMOTa0D9YwZGVZUUF7MV9WJuw09hsKTbYltSTuxX2C3SFu6LztYY69lF7Z3K754Ew2Pr6ElrZYvVaa6td0X98eWr6i75EPh2dC-6U467zRY5zgWVepuRKeh24ZuMP-FCE/s1600-h/EtherChannelLoadBalancing10.jpg"><img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="EtherChannelLoadBalancing" border="0" alt="EtherChannelLoadBalancing" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuZ4L0TxycP-hHQ2RjNjsrdA82HDeDcowHs8-oMG76xXAAgoFBCkkjz5w2U5Fij_KrJpd2-ARGpTiKuoWA6E-Rtve5a-F2MpNjtXx3HyfrjNNoCIPRWtD025qvkqtmJFWbyipbSbowSQ4/?imgmax=800" width="506" height="232"></a></p> <p> </p> <p>For best results, it is recommended to consider using MAC addresses or the Source IP address as your load-balancing method. However, this all depends on your environment. For example, a router always uses it’s burned-in MAC address, so the destination MAC address remains the same for all frames destined through the router. When two routers are forwarding traffic to each other, MAC addresses remain constant, so only one link is used. Using IP addresses as the load-balancing method instead may be a better idea. If most of the traffic is between the same two IP addresses, use IP port numbers instead.</p> <p>If EtherChannel traffic consists of non-IP traffic, distribution according to MAC address is recommended.</p> <p>If a frame can’t meet load-balancing criteria, switch reverts to “next lowest” method. For instance is MAC traffic is sent across an EtherChannel that’s configured to load-balance by IP addressing, MAC addresses will be used instead.</p> <p>To prevent loops, inbound (received) broadcasts and multicasts are not sent back out any of the links. 
Outbound frames are load-balanced normally.</p> <h3></h3> <h3></h3> <p> </p> <h3></h3> <h3>EtherChannel Negotiation: PAgP vs. LACP</h3> <p> </p> <p>There are two EtherChannel negotiation protocols. Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol, while Link Aggregation Control Protocol (LACP) is standards based.</p> <p>PAgP dynamically modifies the EtherChannel if one of the ports’ VLAN, speed, etc. is changed so that all of the links in the EtherChannel match. PAgP can be configured in active mode (desirable), which actively attempts negotiation. Passive mode (auto, the default) only negotiates an EtherChannel if the far end initiates it.</p> <p>LACP assigns roles to end points. The switch with the lowest <em>system priority</em> makes decisions about what ports will participate in the EtherChannel at any given time. If you’re familiar with STP, this is similar to the way the Root Bridge is elected. Ports are selected and become active in the EtherChannel according to their <em>port priority</em>. 
LACP Active mode (active) – actively negotiates, while passive mode (passive) negotiates only if the far end initiates it.</p> <p>Lastly, the “on” mode forces the EtherChannel to be formed; no PAgP/LACP negotiation occurs when this mode is utilized.</p> <p>Here’s a configuration Video:</p> <p><a href="http://www.youtube.com/watch?v=AJl5Wka9gEA" target="_blank">PAgP EtherChannel Configuration</a></p> Steven Kinghttp://www.blogger.com/profile/07365721320218558098noreply@blogger.com6tag:blogger.com,1999:blog-8471280268531079705.post-37515062547095437072013-08-02T09:11:00.001-07:002013-08-02T09:11:59.577-07:00Brocade Auth-Change-Wait-Time<p> </p> <p>The other day I was at work doing an interoperability test with Cisco and Brocade multilayer switches, and we ran into a strange issue that really highlighted my “tunnel view” to the Cisco world.</p> <p>We were setting up basic OSPF stuff using md5 authentication and we couldn’t get the Cisco and Brocade to form an adjacency. A <strong>debug ip ospf adjacency</strong> command on the Cisco switch revealed that the Cisco was using “type 2” authentication, and the Brocade was using “type 0”. </p> <p>Here’s a quick breakdown of the authentication types:</p> <p> <table border="1" cellspacing="0" cellpadding="2" width="396"> <tbody> <tr> <td valign="top" width="67"><strong>Type 0</strong></td> <td valign="top" width="327">No authentication</td></tr> <tr> <td valign="top" width="71"><strong>Type 1</strong></td> <td valign="top" width="324">Clear text authentication</td></tr> <tr> <td valign="top" width="74"><strong>Type 2</strong></td> <td valign="top" width="321">md5 authentication</td></tr></tbody></table></p> <p>I set up a SPAN on the Cisco switch and sure enough, we were getting the OSPF Hello packets from the Brocade with no authentication.</p> <p>After some digging, it turns out the Brocade has an Auth-Change-Wait-Time command in interface configuration mode. This is set to 300 seconds (5 minutes) by default. 
While I don’t quite understand it, the description states it allows for graceful authentication implementation. So after you enable md5 on the interface, it waits 300 seconds before actually sending OSPF Hellos with authentication. We toyed around with it and took a packet capture to confirm the behavior, and then set it to 0 to immediately start sending packets with authentication and we were good to go.</p> <p>Here’s a screenshot of the behavior in Wireshark with the parameter set to 20 seconds. You’ll see the OSPF adjacency start forming at almost exactly 20 seconds.</p> <p><a href="http://lh6.ggpht.com/-iLnRsFWZKuc/UAMDRNiGHNI/AAAAAAAAAIs/6lBBc-IiAxo/s1600-h/OSPFBrocade%25255B3%25255D.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto; padding-top: 0px" title="OSPFBrocade" border="0" alt="OSPFBrocade" src="http://lh6.ggpht.com/-hdxK02Du4LI/UAMDSAJikvI/AAAAAAAAAI0/p1AQsJe8-6E/OSPFBrocade_thumb%25255B1%25255D.png?imgmax=800" width="481" height="342"></a></p> Steven Kinghttp://www.blogger.com/profile/07365721320218558098noreply@blogger.com0tag:blogger.com,1999:blog-8471280268531079705.post-75905234007446133832013-08-02T09:03:00.001-07:002013-08-02T09:03:23.365-07:00OSPF LSA Manipulation Vulnerability – 8/1/2013<p><b>Vulnerability Details</b> <p><b>OSPF LSA Manipulation Vulnerability in Multiple Cisco Products</b> <p>· <b>Summary</b> <p>Multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, blackhole traffic, and intercept traffic.<br>The attacker could trigger this vulnerability by injecting crafted OSPF packets. 
Successful exploitation could cause flushing of the routing table on a targeted router, as well as propagation of the crafted OSPF LSA type 1 update throughout the OSPF AS domain.<br>To exploit this vulnerability, an attacker must accurately determine certain parameters within the LSA database on the target router. This vulnerability can only be triggered by sending crafted unicast or multicast LSA type 1 packets. No other LSA type packets can trigger this vulnerability.<br>OSPFv3 is not affected by this vulnerability. Fabric Shortest Path First (FSPF) protocol is not affected by this vulnerability.<b> </b> <p><b></b> <p>· <b>Affected Products</b> <p>Cisco devices that are running Cisco IOS Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability. <p>Cisco devices that are running Cisco IOS XE Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability. <p>The version of Cisco IOS-XE Software that is running on a Cisco device can be determined using the <strong>show version</strong> command from the Command Line Interface (CLI). <p>· <b>Workarounds</b> <p>The use of OSPF authentication is a valid workaround. OSPF packets without a valid key will not be processed. MD5 authentication is highly recommended, due to inherent weaknesses in plain text authentication. 
With plain text authentication, the authentication key will be sent unencrypted over the network, which can allow an attacker on a local network segment to capture the key by sniffing packets.<br>Refer to <a href="http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml">http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml</a> for more information about OSPF authentication.<br>Additionally, an OSPF Time To Live (TTL) security check can be applied as a partial workaround.<br><strong>Note:</strong><b> </b>This workaround is valid to protect against remotely triggered attacks and does not protect against attackers that are layer 2-adjacent to vulnerable devices.<br>For more information about general Interior Gateway Protocol (IGP) hardening, refer to<a href="http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml">http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml</a>. <p>Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link:<a href="http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=29974">http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=29974</a></p> Steven Kinghttp://www.blogger.com/profile/07365721320218558098noreply@blogger.com0tag:blogger.com,1999:blog-8471280268531079705.post-9494359865338597612013-07-24T14:11:00.001-07:002013-07-30T11:10:51.401-07:00Quality of Service (QoS) Congestion-Avoidance Notes<p>Congestion-avoidance tools are complementary to, and dependent upon, queuing algorithms. 
Queuing/scheduling algorithms manage the <em>front </em>of a queue, while congestion-avoidance mechanisms manage the <em>tail</em> of a queue.</p> <p>Congestion-avoidance tools are designed for TCP traffic, because TCP has built-in flow-control mechanisms that operate by gradually increasing traffic flows until packet loss has occurred. Once packet loss has occurred, the transmission rate is reduced before slowly ramping up again. This means that if no mechanism is in place to control TCP, any particular flow has the ability to eat up all available bandwidth.</p> <p>When there are no congestion-avoidance tools in place, and queues fill, tail drop occurs, which means all traffic is dropped. </p> <p>In a constricted channel without congestion-avoidance tools, TCP connections eventually synchronize with each other – they ramp up together, lose packets together, and back off together. This is called <em>global</em> <em>synchronization</em> and basically results in “waves” of TCP traffic.</p> <p>Congestion-avoidance tools has no real benefit or use for UDP traffic, because UDP traffic does not have any retry logic.</p> <h2>Random Early Detection (RED)</h2> <p>RED combats global synchronization by preemptively and randomly dropping packets before queues fill. Instead of waiting for the queues to fill, RED causes the router to monitor the buffer depth and perform early drops on random packets when the defined minimum queue threshold has been exceeded.</p> <p>RED drops occur within the bounds of TCP retry timers, which slows the transmission rate of sessions but prevents them from starting slow. This optimizes network throughput.</p> <p>It should be noted that Cisco IOS doesn’t support RED, only Weighted RED (WRED). When you utilize the <strong>random-detect</strong> command in a queue, it actually enables WRED. 
However, if there are no separate IPP or DSCP markings within a given class of traffic, then the <em>effective</em> policy is simply RED.</p> <h2>Weighted Random Early Detection (WRED)</h2> <p>WRED is an enhancement to RED that allows you to control how packets are selected to be “randomly” dropped. A configured minimum threshold determines when packets of a given IPP value <em>begin</em> to be dropped. The configured maximum threshold determines at what queue depth <em>all</em> packets of that value will be dropped. The mark probability denominator determines how aggressively packets of a given IPP value are dropped. For example, a denominator of 10 means that up to 1 of every 10 packets will be randomly dropped for that IPP value. The maximum rate of 1 out of every 10 packets being dropped in this example occurs at the configured maximum threshold. Past the maximum threshold, all packets of that value are dropped (tail drop).</p> <p>By default, packets with lower IPP values are dropped sooner than packets with higher IPP values. Also, WRED is dependent on queuing, so a queuing option (usually either bandwidth or fair-queue) has to be enabled on the traffic class before you can utilize WRED.</p> <p>DSCP values can also be used, and this is simply called DSCP-Based WRED. It pretty much works the same way. It uses AF drop-precedence values (the second digit in the AF code, e.g. the “1” in “AF21”) to determine which packets will be dropped. For example, when WRED is enabled on an interface, packets with a higher drop precedence value, e.g. “AF23”, would be dropped more often than those with lower drop precedence values, e.g. “AF21”.</p> <h2>Explicit Congestion Notification (ECN)</h2> <p>Traditionally, the only way to inform sending hosts that there was congestion on the network so they would slow their transmission rates was to drop TCP packets. ECN was developed to combat this by marking the final 2 bits of the Type of Service (ToS) byte of the IP header. 
These two bits are:</p> <ul> <li>ECN-Capable Transport (ECT) bit – indicates whether ECN is supported on the device</li> <li>Congestion Experienced (CE) bit – used in tandem with the ECT bit to signal that congestion was experienced en route.</li></ul> <p>When congestion occurs, WRED drops packets once the configured threshold value is exceeded. ECN is an extension to WRED, in that ECN marks packets instead of dropping them to communicate the existence of congestion. Routers configured with the WRED ECN feature (introduced in IOS 12.2(8)T) use this marking to know that the network is congested. This allows TCP to be controlled without dropping packets, or at least by dropping fewer packets.</p> <p>WRED ECN takes the following actions based on the bit settings:</p> <ul> <li>If the number of packets in a queue is below the configured minimum threshold, packets are transmitted (normal operation).</li> <li>If the number of packets is between the configured minimum and maximum thresholds: <ul> <li>If ECT = 1, CE = 0 or ECT = 0, CE = 1, and WRED determines the packet should be dropped based on drop probability, the ECT and CE bits are both changed to 1 and the packet is transmitted.</li> <li>If the ECT and CE bits are both 0, this indicates that the sending device is not capable of ECN, and the packet can then be dropped based on WRED drop probability.</li> <li>If both ECT and CE bits are set to 1, the packet already indicates that there is network congestion; the packet is transmitted and no further marking is required.</li></ul></li> <li>If the number of packets in the queue is <em>above</em> the maximum threshold, all packets are dropped.</li></ul> <h2>Dynamic Buffer Limiting (DBL)</h2> <p>This was actually something I didn’t find out about until we started figuring out how to do QoS on a Catalyst 4500. 
I went digging on Cisco’s website, and from what I saw initially it seemed pretty awesome:</p> <p><a href="http://lh6.ggpht.com/-hCO4nT-RDrk/UfaPJxr0AAI/AAAAAAAAAP8/4pJxaxX7SKo/s1600-h/image14.png"><img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="image" border="0" alt="image" src="http://lh6.ggpht.com/-CD9HnKyseu4/UfaPKqYFi5I/AAAAAAAAAQE/H8N0h4S_bLs/image_thumb9.png?imgmax=800" width="526" height="238"></a> </p> <p>Industry’s First! Cisco innovation! High-speed hardware implementation! Of course I wanted more info, so I clicked on Full Story:</p> <p><a href="http://lh4.ggpht.com/-rJqUXgUAEns/UfaPLGI5tKI/AAAAAAAAAQM/x6r9wVcKHvI/s1600-h/image13.png"><img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="image" border="0" alt="image" src="http://lh3.ggpht.com/-eHyZbsRlnDg/UfaPL4JlDXI/AAAAAAAAAQU/oVZNwA8cYN0/image_thumb8.png?imgmax=800" width="434" height="284"></a> </p> <p>Bummer – guess it can’t be found on the Kanye West - I mean cambeywest website. Even putting “Dynamic Buffer Limiting” into the search box on Cisco.com came up with nothing. On to Google….</p> <p>Active Queue Management (AQM), which informs you of congestion <em>before</em> you run into a buffer overflow situation, uses DBL to track the queue length of each traffic flow in a switch. 
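Before going into DBL’s own parameters, here is the WRED drop-probability curve and the WRED ECN decision from the two sections above worked in code. This is an added example, not code from the post or from IOS; the per-IPP thresholds and denominators are constructed, and the queue depth passed in stands for the average queue depth that WRED tracks.

```python
"""Added example: WRED drop probability per IPP value plus WRED ECN marking.

Constructed illustration of the rules in the WRED and ECN sections; not code
from the post or from Cisco IOS.  Thresholds and denominators are made up,
and `depth` stands in for the average queue depth that WRED tracks.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class WredProfile:
    min_threshold: int          # queue depth at which random drops begin
    max_threshold: int          # depth where the drop rate peaks; beyond it, tail drop
    mark_prob_denominator: int  # 10 => at most 1 in 10 packets dropped at max_threshold


# Constructed per-IPP profiles: lower IPP values start dropping sooner.
PROFILES = {
    0: WredProfile(20, 40, 10),
    3: WredProfile(26, 40, 10),
    5: WredProfile(32, 40, 10),
}


def drop_probability(depth, profile):
    """Fraction of packets WRED drops at this depth: 0 below min_threshold,
    rising linearly to 1/denominator at max_threshold, 1.0 (tail drop) past it."""
    if depth < profile.min_threshold:
        return 0.0
    if depth > profile.max_threshold:
        return 1.0
    span = profile.max_threshold - profile.min_threshold
    return (depth - profile.min_threshold) / span / profile.mark_prob_denominator


def wred_ecn_action(depth, profile, ect, ce, rng):
    """WRED ECN decision for one packet whose ToS byte carries the ECT/CE bits.
    Returns (action, ect, ce) with action in {'transmit', 'mark', 'drop'}."""
    if depth < profile.min_threshold:
        return "transmit", ect, ce        # below min threshold: normal operation
    if depth > profile.max_threshold:
        return "drop", ect, ce            # above max threshold: everything is dropped
    if ect == 1 and ce == 1:
        return "transmit", 1, 1           # already marked congested upstream
    if rng.random() >= drop_probability(depth, profile):
        return "transmit", ect, ce        # WRED chose not to act on this packet
    if ect == 0 and ce == 0:
        return "drop", 0, 0               # sender is not ECN-capable: must drop
    return "mark", 1, 1                   # ECN-capable: set ECT=CE=1 instead of dropping


def simulate(depth, ipp, packets=10000, ecn_fraction=0.5, seed=1):
    """Push `packets` packets of one IPP through a queue held at `depth`;
    `ecn_fraction` of them carry ECT=1 (ECN-capable), the rest ECT=CE=0."""
    rng = random.Random(seed)
    counts = {"transmit": 0, "mark": 0, "drop": 0}
    for _ in range(packets):
        ect = 1 if rng.random() < ecn_fraction else 0
        action, _, _ = wred_ecn_action(depth, PROFILES[ipp], ect, 0, rng)
        counts[action] += 1
    return counts


if __name__ == "__main__":
    print("depth  ipp  drop-prob  transmit  mark  drop")
    for depth in (10, 25, 35, 40, 45):
        for ipp in sorted(PROFILES):
            c = simulate(depth, ipp)
            p = drop_probability(depth, PROFILES[ipp])
            print(f"{depth:5d}  {ipp:3d}  {p:9.3f}  {c['transmit']:8d}  {c['mark']:4d}  {c['drop']:4d}")
```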
When the queue length exceeds its limit, DBL drops packets or sets the ECN bits in the packet headers.</p> <p>DBL classifies flows into two categories:</p> <ul> <li>adaptive – reduce their rate of packet transmission once they receive congestion notification</li> <li>aggressive – do not take any corrective action in response to congestion notification</li></ul> <p>For every active flow, the switch maintains two parameters - “buffersUsed” and “credits”.</p> Steven King, 2013-07-19: Quality of Service (QoS) Congestion Management Notes<p>Of all the tools within the QoS toolset, congestion management tools, also known as queuing tools, provide the biggest impact on application service levels. Whenever packets enter a device faster than they can exit it, congestion exists, and this is where queuing tools come into play. Queuing tools are only engaged when congestion exists; otherwise packets are sent as soon as they arrive. When congestion does exist, packets must be buffered, or queued, to mitigate dropping.</p> <p>Packet markings, or lack thereof, affect queuing policies, so queuing policies are complementary to and dependent on classification and marking policies.</p> <h2>Scheduling vs. Queuing</h2> <p>These two terms are often incorrectly used interchangeably – they are two different things. <em>Scheduling</em> determines how a frame or packet exits a device. Whenever packets enter a device faster than they can exit it, as is the case with speed mismatches (ex. Gigabit Ethernet traffic heading to a WAN interface), congestion can occur. 
Devices have buffers that allow the temporary storing and <strong>subsequent</strong> scheduling of these backed-up packets, and this process is called <em>queuing</em>.</p> <p>Inbound traffic &gt; Queuing (during congestion) &gt; Scheduling &gt; Outbound traffic</p> <ul> <li>Queuing – orders packets in linked output buffers. Only engaged when there is congestion.</li> <li>Scheduling – decides which packet to transmit next. This occurs whether there is congestion or not (although the scheduling decision is of course much simpler when there is no congestion).</li></ul> <p>During congestion, the scheduler has to decide which queue to service first based on one of several types of scheduling logic:</p> <ul> <li>Strict Priority – Lower-priority queues are served only if higher-priority queues are completely empty. This can potentially starve out lower-priority queues. Strict priority is good for real-time, delay-sensitive traffic.</li> <li>Round-robin – Services queues in sequence. Doesn’t have the potential to starve traffic, but may not provide the level of service that delay-sensitive traffic needs and that strict priority scheduling would be able to provide.</li> <li>Weighted-fair – Packets in queues are weighted so that some queues are serviced more frequently than others. Addresses the cons of strict priority and round-robin, but doesn’t guarantee the bandwidth that real-time flows may require.</li></ul> <h2>Congestion Management vs. Congestion Avoidance</h2> <p>The amount of buffer space (memory) for queues is of course limited. Once the buffer is overrun, packets may be dropped as they arrive (tail drop), or proactively beforehand. The selective, proactive dropping of packets is called congestion avoidance. Congestion avoidance works best with TCP-based applications, since the selective dropping causes the TCP windowing mechanism to engage and throttle back the rate of traffic flow to a manageable state. 
The relationship between this and congestion management is that the scheduling algorithms of congestion management manage the <em>front</em> of a queue, whereas the congestion-avoidance mechanisms manage the <em>tail</em> of a queue.</p> <h2>Legacy L3 Queuing Mechanisms</h2> <p>These are considered legacy, but are what newer mechanisms are built upon:</p> <ul> <li>Priority queuing (PQ)</li> <li>Custom queuing (CQ)</li> <li>Weighted Fair Queuing (WFQ)</li></ul> <p>Newer queuing mechanisms, such as the following, use combinations of these while also attempting to minimize their drawbacks:</p> <ul> <li>Class-based Weighted Fair Queuing (CBWFQ)</li> <li>Low latency queuing (LLQ)</li></ul> <h5>Priority Queuing</h5> <ul> <li>Only consists of 4 queues (high, medium, normal/default, low)</li> <li>Scheduler empties the high queue first before servicing lower queues. <ul> <li>So, similar to strict priority scheduling, it handles real-time traffic well but risks starving other queues.</li></ul></li></ul> <h5>Custom Queuing</h5> <ul> <li>Introduced a round-robin scheduler based on byte counts. <ul> <li>Prevented bandwidth starvation and introduced bandwidth guarantees</li></ul></li> <li>Supports up to 16 queues</li> <li>No capability to provide strict priority</li></ul> <h5>Weighted Fair Queuing</h5> <ul> <li>Built to expand upon the principle of fairness that CQ introduced</li> <li>Simply divided interface bandwidth by the number of flows</li> <li>Added a fixed weight, based on the IPP marking, to the bandwidth calculation to favor higher-priority flows</li> <li>No ability to provide bandwidth guarantees, because the bandwidth allocation changes as flows are added and ended</li></ul> <h2>Currently Recommended L3 Queuing Mechanisms</h2> <p>Enhanced mechanisms were developed to utilize the strengths of the legacy mechanisms while minimizing their weaknesses.</p> <h5>Class-Based Weighted Fair Queuing</h5> <ul> <li>Hybrid queuing algorithm that combines guaranteed bandwidth (from CQ) with the ability to dynamically ensure fairness to other flows within a class of traffic (from WFQ)</li> <li>Up to 256 classes of traffic with reserved queues <ul> <li>Each queue is serviced based on assigned bandwidth <ul> <li>Minimum bandwidth is explicitly defined and enforced</li></ul></li></ul></li> <li>Uses Modular QoS CLI (MQC)-based class maps for classification</li></ul> <p>CBWFQ lacks the ability to provide strict-priority queuing for real-time applications. 
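As an added example (not the post’s code), a small tick-based scheduler simulation contrasts plain strict priority, which starves the lower queues, with the policed priority queue that LLQ (covered next) places on top of CBWFQ-style bandwidth shares; it also checks a policy against the provisioning rules of thumb given in the Bandwidth Provisioning in LLQ section below. The class names, percentages, queue depth and one-packet-per-tick model are all constructed for illustration.

```python
"""Added example (not the post's code): strict priority vs. an LLQ-style policed
priority queue over CBWFQ-style bandwidth shares, in a tick-based simulation.

Constructed model: one packet leaves per tick, every class offers one packet
per tick (a sustained overload), and the percentages stand in for IOS's
'priority percent' / 'bandwidth percent'.  Queue depth and class names are
made up for illustration.
"""
from collections import deque

QUEUE_LIMIT = 64      # constructed per-queue depth; arrivals beyond it tail-drop
POLICER_BURST = 200   # cap on unused priority credit (percent-of-tick units)


class ClassQueue:
    def __init__(self, name, weight):
        self.name = name
        self.weight = weight        # percent of the link this class is entitled to
        self.packets = deque()
        self.served = 0
        self.dropped = 0
        self.credit = 0             # smooth weighted round-robin credit

    def enqueue(self, n):
        for _ in range(n):
            if len(self.packets) >= QUEUE_LIMIT:
                self.dropped += 1   # queue full: tail drop
            else:
                self.packets.append(1)

    def backlogged(self):
        return bool(self.packets)


def pick_weighted(classes):
    """Smooth weighted round robin over the backlogged CBWFQ classes: every
    class earns its weight, the richest one is served and pays the total, so
    over a full cycle each class gets exactly its bandwidth share."""
    backlogged = [c for c in classes if c.backlogged()]
    if not backlogged:
        return None
    total = sum(c.weight for c in backlogged)
    for c in backlogged:
        c.credit += c.weight
    chosen = max(backlogged, key=lambda c: c.credit)
    chosen.credit -= total
    return chosen


def run(ticks, priority_percent, bandwidth_percents, policed):
    """Simulate `ticks` transmit slots.  policed=False is plain strict priority:
    the priority queue is served whenever it holds a packet.  policed=True is
    the LLQ behaviour: the priority queue is still served first,  but while the
    other queues are backlogged (congestion) a token-bucket policer limits it to
    priority_percent of the slots and the remaining slots go to the weighted
    classes.  Returns {class: (served, dropped)}."""
    pq = ClassQueue("priority", priority_percent)
    others = [ClassQueue(n, w) for n, w in bandwidth_percents.items()]
    tokens = 0
    for _ in range(ticks):
        for q in [pq] + others:
            q.enqueue(1)
        tokens = min(tokens + priority_percent, POLICER_BURST)
        congested = any(q.backlogged() for q in others)
        if pq.backlogged() and (not policed or not congested or tokens >= 100):
            if policed and congested:
                tokens -= 100       # the policer only charges during congestion
            pq.packets.popleft()
            pq.served += 1
            continue
        chosen = pick_weighted(others)
        if chosen is not None:
            chosen.packets.popleft()
            chosen.served += 1
    return {q.name: (q.served, q.dropped) for q in [pq] + others}


def check_provisioning(priority_percent, bandwidth_percents):
    """Rules of thumb from the Bandwidth Provisioning in LLQ section: priority
    classes at most 33% and all guarantees at most 75% of the link, which
    leaves class-default its 25%.  Returns a list of warning strings."""
    guaranteed = priority_percent + sum(
        w for n, w in bandwidth_percents.items() if n != "class-default")
    warnings = []
    if priority_percent > 33:
        warnings.append(f"priority classes total {priority_percent}% (> 33%)")
    if guaranteed > 75:
        warnings.append(f"guarantees total {guaranteed}%, leaving class-default "
                        f"{100 - guaranteed}% (< 25%)")
    return warnings


if __name__ == "__main__":
    policy = {"data": 30, "class-default": 37}
    for label, policed in (("strict priority", False), ("LLQ (policed PQ)", True)):
        result = run(100, 33, policy, policed)
        print(f"{label}: " + ", ".join(
            f"{n} served={s} dropped={d}" for n, (s, d) in result.items()))
    print(check_provisioning(50, {"data": 30, "class-default": 20}))
```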
To service real-time applications, a strict-priority queue was added to the CBWFQ algorithm, and low-latency queuing (LLQ) was born.</p> <h5>Low Latency Queuing</h5> <ul> <li>Enhanced combination of PQ, CQ, and WFQ.</li> <li>Basically CBWFQ with a strict PQ.</li> <li>Has a built-in policer to prevent the strict-priority queue from starving lower-priority traffic <ul> <li>Only engages when there is congestion, so it is important to provision priority classes properly</li></ul></li></ul> <h5>Bandwidth Provisioning in LLQ</h5> <ul> <li>General best practice is to provide at least 25% of a link’s bandwidth to class-default</li> <li>Limit the sum of all priority class traffic to no more than 33% of a link’s capacity.</li> <li>All bandwidth guarantees within LLQ should be no more than 75% of link capacity. <ul> <li>When the percentage-remaining (<strong>bandwidth remaining percent</strong>) form of LLQ is used, this rule goes out the window, because it utilizes a percentage of the remaining bandwidth after the PQ is serviced rather than a set value.</li></ul></li></ul> Steven King, 2013-07-19: Quality of Service (QoS) Classification and Marking Notes<p>The first part of building a QoS policy is to identify the traffic that you need to treat preferentially (give better priority) or differentially. This is accomplished via classification and marking.</p> <ul> <li>Classification – sorts packets into different traffic types that policies can then be applied to.</li> <li>Marking (or re-marking) – records the classification decision in the packet, which scheduling tools later rely on. 
The edge of the network where markings are either accepted or rejected is known as the <em>trust boundary</em>.</li> <li>Classifier tools – inspect one or more fields in a packet to identify the type of traffic that is being carried. Once identified, the packet is passed to the appropriate mechanism for that traffic class.</li> <li>Marking tools – actually write a field within the packet (or frame, cell, label) to preserve the classification decision. By marking traffic at a trust boundary, subsequent nodes do not have to perform the same in-depth analysis to determine how to treat the packet.</li></ul> <h2>Classification Tools</h2> <p>These tools can examine a number of criteria within layers 1, 2, 3, 4, and 7.</p> <ul> <li>L1 – Physical interface, subinterface, PVC, port</li> <li>L2 – MAC, 802.1Q/p CoS, VLAN, MPLS EXP, ATM Cell Loss Priority (CLP), Frame Relay DE</li> <li>L3 – IPP, DSCP, source/dest IP address</li> <li>L4 – TCP/UDP ports</li> <li>L7 – Application signatures and URLs in packet headers or payload</li></ul> <h2>Marking Tools</h2> <p>The primary marking tools used currently are class-based marking and marking done via class-based policing. Legacy marking techniques include committed access rate (CAR) and policy-based routing (PBR). Voice gateway packet marking is also an option for IPT applications.</p> <ul> <li>L2 Marking Fields – 802.1Q/p CoS, MPLS EXP, ATM CLP, Frame Relay DE</li> <li>L3 Marking Fields – IPP or DSCP</li></ul> <p>Cisco Catalyst switches perform scheduling based on L2 CoS; however, DSCP is the preferred marking method for end-to-end QoS, because L2 marking is lost whenever the L2 media changes. 
So it is important to ensure that L2 markings are translated to and from L3 markings consistently throughout the environment for end-to-end QoS.</p> Steven King, 2013-07-13: Optimizing and Protecting Spanning Tree – Lab Testing<p>Unfortunately the equipment I was using didn’t support PVST+ (Sup2Ts in 6503 Catalyst Switches), so I skipped testing UplinkFast and BackboneFast as these are incorporated in 802.1w (RSTP) and 802.1s (MSTP, which is basically an extension of RSTP).</p> <h2>BPDU Guard</h2> <p><a href="http://lh6.ggpht.com/-kF1EPBxUlVg/UeD-Te1AqLI/AAAAAAAAAMU/at2A9reJDUU/s1600-h/image%25255B4%25255D.png"><img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBvh6Xkc5ebpuKXqA4WJ221kTQK891vYESJQP0mIHksdT1WxeUd3hkasEpLppxS-gRmU4Van2rsgfxBP4vI8NssrVIvPZs9x38uueGyKr4RC0gof_Wcs7_NDsxstCWlBeDT1fLQJWTyBQ/?imgmax=800" width="340" height="419"></a></p> <p>For this test, SwitchD will be treated as a Rogue Switch being attached to the network. Initially, SwitchC’s port 2/1 is configured as an access port with only PortFast enabled.</p> <ol> <li>Disconnect link between SwitchC and SwitchD</li> <li>Configure SwitchC port 2/1 as an access port in VLAN 10 with PortFast enabled.</li> <li>Configure SwitchD port 2/1 as an access port in VLAN 10. Configure the priority on VLAN 10 to be 0.</li> <li>Reconnect link between SwitchC and SwitchD and check topology for VLAN 10. SwitchD should be the root for VLAN 10.</li> <li>Disconnect link between SwitchC and SwitchD</li> <li>Enable BPDU Guard on SwitchC port 2/1</li> <li>
Reconnect link between SwitchC and SwitchD. SwitchC port 2/1 should move to an err-disable state. Verify with <b>sh interfaces status err-disabled</b>. Verify SwitchD is no longer the root for VLAN 10.</li></ol> <p><font color="#00ff00" face="Lucida Console">*Jul 5 22:02:06.023: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet2/1 with BPDU Guard enabled. Disabling port.<br>*Jul 5 22:02:06.023: %PM-4-ERR_DISABLE: bpduguard error detected on Gi2/1, putting Gi2/1 in err-disable state </font></p> <p style="margin-right: 0px" dir="ltr"><font color="#00ff00" face="Lucida Console">SwitchC#show interfaces status err-disabled </font></p> <p><font color="#00ff00" face="Lucida Console">Port Name Status Reason<br>Gi2/1 SWITCHD_2/1 err-disabled bpduguard</font></p> <h2>BPDU Filtering</h2> <p><a href="http://lh5.ggpht.com/-9RdcxzxVAGU/UeD-Uc-3UYI/AAAAAAAAAMk/0Ue2Y7H-Jog/s1600-h/image%25255B11%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="image" border="0" alt="image" src="http://lh6.ggpht.com/-BiBGQRqXv60/UeD-U_JCwBI/AAAAAAAAAMs/mLNye9wa8qA/image_thumb%25255B7%25255D.png?imgmax=800" width="362" height="352"></a> </p> <ol> <li>Run packet capture. Verify BPDUs are seen.</li> <li>Configure SwitchC port 2/1 with BPDU Filter.</li> <li>Run packet capture. Verify no BPDUs are seen.</li> <li>Verify SwitchD sees itself as the root bridge for all VLANs.</li> <li>Remove BPDU Filter from SwitchC port 2/1. Verify BPDUs are seen again.</li> <li>Disconnect link between SwitchC and SwitchD.</li> <li>Configure SwitchC port 2/1 as access port in VLAN 1 with PortFast enabled.</li> <li>Configure SwitchD port 2/1 as access port in VLAN 1 with BPDU Filter enabled. Verify SwitchC sees this as an Edge port.</li> <li>Enable BPDU Filter globally on edge ports on SwitchC. Verify no BPDUs are seen in packet capture.</li> <li>Disable BPDU Filter on SwitchD port 2/1. 
Verify SwitchC port 2/1 disables BPDU Filter with <b>sh spanning-tree int gig 2/1 detail</b> and BPDUs are seen again in packet capture.</li></ol> <h2>Root Guard</h2> <p>Oh man, this one was a doozy. After some digging and posting on forums, there are definitely some differences in opinion. I saw references stating that Root Guard should be placed on all non-root ports – basically anywhere you wouldn’t expect to see the root bridge. The CCNP SWITCH Official Cert Guide (OCG), however, stated that current design practices are to place Root Guard only on access ports. After my research and testing, I would say – it depends.</p> <p align="center"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgC1s1E7B0wXl4UadDk2KOeU8adIxElekPB2bijI4WsbFjeffZxIqqTu4Ax7y1hTCPdRvXGo3dyFPx9QVWNezcDHRb5DXiLvcZ25-zmo6ZByMcu7chB4U5ivMLMNQiYODSnk82wpqKO8g0/s1600-h/image%25255B17%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/-HbE-y_141jM/UeD-Vvqtu9I/AAAAAAAAAM8/_eeVkL0f4fU/image_thumb%25255B11%25255D.png?imgmax=800" width="356" height="346"></a> </p> <p align="left">SwitchD will again be a Rogue Switch.</p> <ol> <li>Disconnect link between SwitchC and SwitchD</li> <li>Configure SwitchD with a priority of 0 for all VLANs.</li> <li>Reconnect link between SwitchC and SwitchD. Verify SwitchD is the root for all VLANs.</li> <li>Disconnect link between SwitchC and SwitchD.</li> <li>Configure Root Guard on SwitchA ports 1/1 and 5/4.</li> <li>Reconnect link between SwitchC and SwitchD. Verify SwitchA places ports 1/1 and 5/4 in root-inconsistent state with <b>sh spanning-tree inconsistentports</b>. 
Verify SwitchB and SwitchC see SwitchD as the root for all VLANs.</li></ol> <blockquote> <p><font color="#00ff00" face="Lucida Console">*Jul 8 21:22:41.903: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port TenGigabitEthernet1/1.<br>*Jul 8 21:24:06.319: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port TenGigabitEthernet1/1 on VLAN0001 </font></p> <p><font color="#00ff00" face="Lucida Console">SwitchA#sh spanning-tree inconsistentports <br>Name Interface Inconsistency<br>-------------------- ---------------------- ------------------<br>VLAN0001 TenGigabitEthernet1/1 Root Inconsistent<br>VLAN0001 TenGigabitEthernet5/4 Root Inconsistent<br>VLAN0010 TenGigabitEthernet1/1 Root Inconsistent<br>VLAN0010 TenGigabitEthernet5/4 Root Inconsistent<br>VLAN0020 TenGigabitEthernet1/1 Root Inconsistent<br>VLAN0020 TenGigabitEthernet5/4 Root Inconsistent<br>Number of inconsistent ports (segments) in the system : 6 </font></p></blockquote> <ol> <li>Disconnect link between SwitchC and SwitchD.</li> <li>Configure Root Guard on all ports you wouldn’t expect to see superior BPDUs on. <ol> <li>SwitchB port 1/1, SwitchC port 2/1</li></ol></li> <li>Reconnect link between SwitchC and SwitchD. Verify SwitchC places port 2/1 into root-inconsistent state. Verify SwitchA and SwitchB ports do not change.</li> <li>Disconnect the link between SwitchA and SwitchB. Verify SwitchB becomes isolated due to its only remaining link being placed into a root-inconsistent state.</li></ol> <p>What I discovered from this was that Root Guard worked like a charm, but in one specific scenario it’s not so great. When a link failure occurs between what would be the two distros, the only remaining path available for convergence can’t be used: when the superior BPDUs from the root hit the remaining switch uplinks that have Root Guard configured, Root Guard triggers and the ports are put into root-inconsistent state, effectively breaking the network. 
So this led me to believe that really, Root Guard should be kept to access ports as described in the CCNP SWITCH OCG.</p> <p>I decided to run a second, more realistic type of environment to really test this out. I set up a pair of distro switches and access switches, and set up HSRP on the distros as well as alternating odd and even VLAN traffic between them. The first thing I learned was not to place Root Guard on the link between the two distros – that really screws things up. Makes sense though – I was putting it on root ports for alternating VLANs.</p> <p><a href="http://lh5.ggpht.com/-8-LDNgZYi0M/UeD-V7h1xjI/AAAAAAAAANE/RAJQ2Wa8XkM/s1600-h/image%25255B39%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/-SjdTQ-MKsf8/UeD-WSZe7JI/AAAAAAAAANM/QoDTZb3ySuc/image_thumb%25255B21%25255D.png?imgmax=800" width="352" height="319"></a> </p> <p>1. Configure Root Guard on SwitchA and SwitchB ports 5/4 and 1/1-2. Note the resulting spanning tree topology and HSRP status.</p> <p><a href="http://lh4.ggpht.com/-br_0amX2c8I/UeD-W5GE7SI/AAAAAAAAANQ/VAfECJi-As4/s1600-h/image%25255B41%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGwWAVTJEPa_-yg_rGL2l4c9912XTfcimKnAxMCg2Ncsd01ZQrd4IfCOLvR83nBnVJAJ3uckvyqZ3m5S2myFjtnwN2ZlswaLXLont_su9qnNshCXGL4NFyuxMQ0eEgd_SK8VkmyStKIrQ/?imgmax=800" width="373" height="287"></a> </p> <p>2. Remove Root Guard on SwitchA and SwitchB port 5/4. 
Note the resulting spanning tree topology and HSRP status <p><a href="http://lh4.ggpht.com/-q-A0D9k_yCQ/UeD-X6zYsoI/AAAAAAAAANk/F2jz0qlby_Y/s1600-h/image%25255B44%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="image" border="0" alt="image" src="http://lh6.ggpht.com/-x05t3qCv43g/UeD-YXbI3eI/AAAAAAAAANs/Wby1j55qjFU/image_thumb%25255B26%25255D.png?imgmax=800" width="403" height="372"></a> <p>3. Disable link between SwitchA and SwitchB. Note the resulting spanning tree topology and HSRP status. <p></p> <p><a href="http://lh4.ggpht.com/-IvWZMTZwVvU/UeD-YsJBloI/AAAAAAAAAN0/WD3BQWFP2cY/s1600-h/image%25255B46%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="image" border="0" alt="image" src="http://lh3.ggpht.com/-79IwKAdWEVc/UeD-ZGNGzyI/AAAAAAAAAN8/7uRY1Ua0lOM/image_thumb%25255B28%25255D.png?imgmax=800" width="399" height="391"></a> </p> <p>4. Remove Root Guard from SwitchA and SwitchB ports 1/1-2. Note the resulting spanning tree topology and HSRP status. <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIFnu6l39x6gfPangYDXtDRcyB6mHMQ4uQ9fkFBnOtMqD1EXDndcbKY4-eSPDcrFEjMzKyTc0rYbPhSC9KYrNVDtUI2-FFqXY1qYSNYe1FNqQNjiOga4esIK15wv-r5wyYCE08BrCrKaw/s1600-h/image%25255B48%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuk6oLzkxBOD2rP3wWNLuBYtLm4BwnPH5RM4IUK7r4zXPB4KjCD11ifDFHBDt-1KOMgBCzr939c2dftLHrcKjYmHuicUa1_GpRSzmY5FJQcpBz2LnMifdl0NPkq7i9gPvPZ_4HdVHwvaI/?imgmax=800" width="415" height="405"></a> </p> <p>To summarize all of this, it was the same story as the first test. 
Root Guard works fine as long as the link between the two distros doesn’t go down. Now, most folks run at least two links between distros so this should never happen, but for me personally, I’d avoid Root Guard on interswitch links unless a security requirement forced me to do so, or as was pointed out on a forum I frequent, a situation where you have a network you don’t control that connects to your network and that needs to participate in your STP topology. In that case, just to protect yourself, Root Guard would be appropriate there.</p> <p>But what is the point of having Root Guard on access ports if you have BPDU Guard to handle that? Well, again – it depends. It was said by one individual that if you have both of them enabled on an access port, Root Guard triggers before BPDU Guard. This was eye-opening to me and sounded like a great idea. That way you can tell if some generic switch got hooked up to the network or someone was REALLY dumb (or malicious) and hooked up a switch and attempted to hijack the current root bridge. Turns out though that this must be code or platform specific, because I couldn’t get that to work on a 6503 with a Sup2T and 6848-GE-TX running 15.1.1.SY or a 3750X running 12.2.55.SE7.</p> <p><font color="#00ff00" face="Lucida Console">SwitchC(config-if)#do sh run int gig 2/1<br>Building configuration... 
</font> <p><font color="#00ff00" face="Lucida Console">Current configuration : 155 bytes<br>!<br>interface GigabitEthernet2/1<br> description SWITCHD_2/1<br> switchport<br> switchport mode access<br> spanning-tree bpduguard enable<br> spanning-tree guard root<br>end </font> <p><font color="#00ff00" face="Lucida Console">SwitchC(config)#int gig 2/1<br>SwitchC(config-if)#shut<br>SwitchC(config-if)#no shut<br>SwitchC(config-if)#<br>*Jul 12 21:51:26.969: RSTP(1): initializing port Gi2/1<br>*Jul 12 21:51:26.969: RSTP(1): Gi2/1 is now designated<br>*Jul 12 21:51:26.973: RSTP(1): transmitting a proposal on Gi2/1<br>*Jul 12 21:51:26.973: RSTP[1]: Gi2/1 state change completed. New state is [blocking]<br>*Jul 12 21:51:27.873: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet2/1 with BPDU Guard enabled. Disabling port.<br>SwitchC(config-if)#<br>*Jul 12 21:51:27.873: %PM-4-ERR_DISABLE: bpduguard error detected on Gi2/1, putting Gi2/1 in err-disable state<br>SwitchC(config-if)#no spann<br>SwitchC(config-if)#no spanning-tree bpduguar<br>SwitchC(config-if)#no spanning-tree bpduguard <br>SwitchC(config-if)#shut<br>SwitchC(config-if)#no shut<br>SwitchC(config-if)#<br>*Jul 12 21:51:52.577: RSTP(1): initializing port Gi2/1<br>*Jul 12 21:51:52.577: RSTP(1): Gi2/1 is now designated<br>*Jul 12 21:51:52.581: RSTP(1): transmitting a proposal on Gi2/1<br>*Jul 12 21:51:52.581: RSTP[1]: Gi2/1 state change completed. New state is [blocking]<br>SwitchC(config-if)#<br>*Jul 12 21:51:52.601: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet2/1 on VLAN0001.<br>SwitchC(config-if)#<br>SwitchC#</font></p> <p><font color="#00ff00" face="Lucida Console"></font> </p> <p><font color="#00ff00" face="Lucida Console">3750A#sh run int gig 2/0/1<br>Building configuration... 
</font> <p><font color="#00ff00" face="Lucida Console">Current configuration : 139 bytes<br>!<br>interface GigabitEthernet2/0/1<br> description 3750B<br> switchport mode access<br> spanning-tree bpduguard enable<br> spanning-tree guard root<br>end </font> <p><font color="#00ff00" face="Lucida Console">3750A(config)#int gig 2/0/1<br>3750A(config-if)#shut<br>3750A(config-if)#no shut<br>3750A(config-if)#<br>*Mar 1 00:05:39.914: setting bridge id (which=3) prio 32769 prio cfg 32768 sysid 1 (on) id 8001.7081.05a2.ed80<br>*Mar 1 00:05:39.914: set portid: VLAN0001 Gi2/0/1: new port id 8037<br>*Mar 1 00:05:39.914: STP: VLAN0001 Gi2/0/1 -> listening<br>*Mar 1 00:05:41.877: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi2/0/1 with BPDU Guard enabled. Disabling port.<br>*Mar 1 00:05:41.877: %PM-4-ERR_DISABLE: bpduguard error detected on Gi2/0/1, putting Gi2/0/1 in err-disable state<br>3750A(config-if)#int gig 2/0/1<br>3750A(config-if)#no spanning<br>3750A(config-if)#no spanning-tree bpduguard<br>3750A(config-if)#shut<br>3750A(config-if)#no shut<br>3750A(config-if)#<br>*Mar 1 00:06:05.399: setting bridge id (which=3) prio 32769 prio cfg 32768 sysid 1 (on) id 8001.7081.05a2.ed80<br>*Mar 1 00:06:05.399: set portid: VLAN0001 Gi2/0/1: new port id 8037<br>*Mar 1 00:06:05.399: STP: VLAN0001 Gi2/0/1 -> listening<br>*Mar 1 00:06:07.395: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/1, changed state to up<br>*Mar 1 00:06:07.404: STP: VLAN0001 heard root 1-c84c.75a6.fa80 on Gi2/0/1<br>*Mar 1 00:06:07.404: supersedes 32769-7081.05a2.ed80<br>*Mar 1 00:06:07.404: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet2/0/1 on VLAN0001.</font></p> <p>After some thought, while you may not be able to run both Root Guard and BPDU Guard on the same port (effectively), there may be a use case for one or the other. 
Maybe you didn’t need such a hardcore mechanism as BPDU Guard, which err-disables a port upon receipt of a BPDU, but you still wanted to protect yourself at least from hijacking of the root bridge. This is where putting Root Guard on the access port makes sense instead of BPDU Guard. Not as secure, I know, but it’s an option.</p> <h2>Loop Guard Testing</h2> <p><a href="http://lh3.ggpht.com/-fulNt9WRRLU/UeD-aau1rZI/AAAAAAAAAOU/PbxXBcmLLXU/s1600-h/image%25255B53%25255D.png"><img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="image" border="0" alt="image" src="http://lh6.ggpht.com/-_wccYo0qpt8/UeD-azUCQKI/AAAAAAAAAOc/cTUdG4XISrs/image_thumb%25255B33%25255D.png?imgmax=800" width="353" height="360"></a> </p> <p>1. Enable BPDU Filter on SwitchB port 1/1. Verify SwitchC port 1/5 transitions to forwarding.</p> <p>2. Hook up a workstation to SwitchC port 2/2 and generate broadcast traffic. Verify a broadcast storm ensues via Wireshark.</p> <p>3. Disable BPDU Filter on SwitchB port 1/1. Verify SwitchC port 1/5 resumes ALT/BLK.</p> <p>4. Configure Loop Guard on SwitchC port 1/5.</p> <p>5. Enable BPDU Filter on SwitchB port 1/1. Verify SwitchC port 1/5 is placed in loop-inconsistent state with <b>sh spanning-tree inconsistentports</b>.</p> 
<blockquote> <p><font color="#00ff00" face="Lucida Console">SwitchC#sh span vlan 1<br>VLAN0001<br>Spanning tree enabled protocol rstp<br>Root ID Priority 4096<br>Address 0017.0f61.5281<br>Cost 2<br>Port 4 (TenGigabitEthernet1/4)<br>Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec<br>Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)<br>Address 0013.5f1c.ca40<br>Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec<br>Aging Time 480<br>Interface Role Sts Cost Prio.Nbr Type<br>------------------- ---- --- --------- -------- --------------------------------<br>Te1/4 Root FWD 2 128.4 P2p <br>Te1/5 Desg BKN*2 128.5 P2p *LOOP_Inc <br>Gi2/1 Desg FWD 4 128.129 P2p </font> <p><font color="#00ff00" face="Lucida Console">SwitchC#sh spanning-tree inconsistentports <br>Name Interface Inconsistency<br>-------------------- ---------------------- ------------------<br>VLAN0001 TenGigabitEthernet1/5 Loop Inconsistent<br>VLAN0010 TenGigabitEthernet1/5 Loop Inconsistent<br>VLAN0020 TenGigabitEthernet1/5 Loop Inconsistent</font></p></blockquote> <p>6. Disable BPDU Filter on SwitchB port 1/1. Verify SwitchC port 1/5 recovers. <p>This test was pretty fun – I don’t think before now I had ever purposely induced a loop. I knew it was working when I went to do a Wireshark packet capture and within 3 seconds or so Wireshark was locked up and eating up almost 3 GB of my memory. 
:)</p> <p><a href="http://lh3.ggpht.com/-nybUcfkuvXQ/UeD-bIZymWI/AAAAAAAAAOk/1IICR0l2bgU/s1600-h/LoopWireshark%25255B4%25255D.jpg"><img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="LoopWireshark" border="0" alt="LoopWireshark" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUpjmq069-Ousj9J1gME2sYl_0pEEuE4wi2Py0c8swQYSVxM2XfEvRxRMlXw5UarjeXUwLLN3w0AQeiYdfhurbWpERzEBYBuMM7rjd14u4z7RxIyH7X1lgGnaFcyGSpBWImDR1eABa3g4/?imgmax=800" width="435" height="138"></a></p> Steven Kinghttp://www.blogger.com/profile/07365721320218558098noreply@blogger.com5tag:blogger.com,1999:blog-8471280268531079705.post-61471040093699058432013-07-03T22:54:00.000-07:002013-07-13T00:26:55.214-07:00Optimizing and Protecting Spanning Tree<h2>Optimizing STP</h2><br>Left to defaults, 802.1D (plain old STP) can take a very long time to converge. For example, when the root switch fails, a switch must wait <em>Maxage</em> (20 seconds) before convergence can even begin. Then, the newly forwarding ports must wait 2 x <em>Forward Delay</em> (2 x 15 seconds) to transition through the listening and learning states before they actually start forwarding. This is a total of 50 seconds - a noticeable network hit.<br><br>Enhancements have been added over time to address this, such as PortFast, UplinkFast, and BackboneFast.<br><br> <h3>PortFast</h3>This Cisco-proprietary feature (the equivalent of an 802.1w edge port) allows a port to transition immediately to the forwarding state once it is physically up (powered on and plugged in). It does this by skipping the listening and learning states. It should only be enabled on access ports. If a switch is connected to a PortFast port, the port forwards before STP has had a chance to block it, and a loop may occur. 
For this reason, it is a good idea to pair PortFast with Bridge Protocol Data Unit (BPDU) Guard (or, where err-disabling the port is too aggressive, with Root Guard; as the test in the previous post shows, BPDU Guard fires first when both are configured, so there is little point in enabling both on one port).<br><br> <h3>UplinkFast</h3><br>UplinkFast improves convergence by tracking alternate root ports (RPs) that can take over immediately when the current RP fails. When you enable UplinkFast, three things occur:<br> <ol> <li>The bridge priority is raised to 49,152 <li>Every port cost is increased by 3000 <li>Alternate RPs are tracked; these are the blocked ports that are still receiving Hello BPDUs from the root switch.</li></ol>This lends itself well to good STP design with access switches - access switches should never become root or transit switches. The raised bridge priority reduces the chance of the switch becoming root. The increased port costs reduce the chance of the switch becoming a transit switch. Lastly, when the RP fails, the switch can immediately fail over to an alternate uplink.<br><br>When the RP fails on a switch with UplinkFast enabled, the switch immediately moves an alternate port into the RP role and begins forwarding on it, skipping listening and learning. It also sends dummy multicast frames out the new RP, one sourced from each MAC address in its local CAM table, so that the upstream switches update their Content Addressable Memory (CAM) tables and stop sending traffic down the dead path.<br><br> <h3>BackboneFast</h3><br>BackboneFast optimizes convergence when an <em>indirect failure</em> occurs. When a direct failure occurs, such as the link on the RP going down, the switch sees the link drop and does not have to wait Maxage to react (and with UplinkFast it fails over immediately). However, when an upstream link to the root fails, downstream switches never see a link go down: they simply stop receiving Hello BPDUs from the root on that path. Without BackboneFast these switches would have to wait Maxage before converging. 
BackboneFast addresses this by having the switch ask its neighbors whether <em>they</em> still have a path to the root.<br><br> <div style="text-align: center; clear: both" class="separator"><a href="http://lh4.ggpht.com/-QBpiporvGWQ/UdcFN6rZJJI/AAAAAAAAALs/kypkQMmyYS0/s1600-h/BBFast_Indirect_Fail%25255B3%25255D.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="BBFast_Indirect_Fail" border="0" alt="BBFast_Indirect_Fail" src="http://lh6.ggpht.com/--L6HLRoHJxA/UdcFOS9JFjI/AAAAAAAAAL0/yA90BZCOrLk/BBFast_Indirect_Fail_thumb%25255B1%25255D.png?imgmax=800" width="445" height="243"></a> </div> <br><br>The trigger is an <em>inferior</em> BPDU: the upstream switch that lost its link to the root starts advertising itself as root, and its downstream neighbor receives that inferior BPDU on a port that used to hear the real root. Without BackboneFast the receiving switch simply ignores the inferior BPDU until Maxage expires. With BackboneFast it instead sends a <em>Root Link Query (RLQ)</em> BPDU out its root port toward the root. If the root (or a switch that still has a path to it) answers that the root is reachable, the receiving switch immediately expires Maxage on the port where the inferior BPDU arrived and begins converging (the port still goes through listening and learning, so the outage drops from 50 seconds to 30). These RLQ requests and replies of course require that BackboneFast be configured on all switches participating.<br><br>As an interesting side note, the ideas behind UplinkFast and BackboneFast were incorporated into the 802.1w (RSTP) protocol, which is why they are not needed with Rapid PVST+.<br><br> <h2>Protecting STP</h2><br> <h3>BPDU Guard and BPDU Filter</h3><br>BPDU Guard is basically a feature to prevent a situation where good intentions lead to network outages. For example, a few more ports may be needed in a meeting room, so someone finds a switch (with no knowledge of how that switch operates or is configured) and attaches it to the network. Now there is the risk of your access ports receiving superior BPDUs that cause topology changes or worse. An attacker can do the same thing deliberately with a host that sends BPDUs carrying a better bridge ID, making that host the root bridge and pulling traffic through it. 
BPDU Guard is enabled per port (or globally for all PortFast ports) and protects your access ports by err-disabling them upon receipt of <em>any</em> BPDU, because no BPDU should ever arrive on an access port. When a port is shut down (<em>err-disabled</em>) by BPDU Guard, it stays down until someone intervenes: the port must be manually bounced with <b>shutdown</b>/<b>no shutdown</b>, or an <b>errdisable recovery cause bpduguard</b> timeout can be configured so the port recovers automatically (and is err-disabled again if the BPDUs are still coming). The log messages produced are the <b>%SPANTREE-2-BLOCK_BPDUGUARD</b> and <b>%PM-4-ERR_DISABLE</b> lines shown in the test above, and they are worth alerting on: each one is either a mis-plugged switch or an attempt to inject BPDUs.<br><br>BPDU Filter stops the switch from sending BPDUs out access ports, as these are unnecessary there. It can be enabled per-interface or globally, and the two behave very differently. When enabling BPDU Filter globally, the following occurs:<br> <ul> <li>Filtering takes effect on all operational PortFast ports that do not have it already specifically enabled. <li>Upon link-up, the port transmits ten BPDUs and then stops. If a BPDU is received at any point, the port loses its PortFast status, BPDU Filter is disabled, and the port reverts to sending and receiving BPDUs like any standard STP switch port.</li></ul>Per-interface BPDU Filter (<b>spanning-tree bpdufilter enable</b>) has no such safety net: it stops sending BPDUs <em>and</em> silently drops any that are received, which effectively disables STP on that port. This is exactly how the loop was induced in the Loop Guard test above, so it should never be used on a port that could face another switch.<br><br> <h3>Root Guard</h3><br>Root Guard is also enabled per port and ignores superior BPDUs that would otherwise let an attached switch become root. Upon receipt of a superior BPDU, the port is placed into a <em>root-inconsistent</em> state (logged as <b>%SPANTREE-2-ROOTGUARD_BLOCK</b>) and stops forwarding until the superior BPDUs cease, after which it recovers on its own. It belongs on ports that should never face the root bridge, such as access ports and distribution ports facing access switches. Placing it on the inter-switch links (trunks) that carry the path to the root could isolate a switch when a link fails and the root legitimately becomes reachable through a different port.<br><br> <h3>Unidirectional Link Detection (UDLD)</h3><br>UDLD protects a switch trunk port from causing loops. It does this by detecting a unidirectional link, a condition that can be caused by miscabling, a cut or unplugged fiber strand, a failing GBIC, and so on. A unidirectional link is dangerous to STP because the downstream switch stops hearing BPDUs, concludes the link is idle, and moves a blocked port to forwarding. Although this is far more likely on fiber, it can also occur on copper, and UDLD handles that as well. UDLD can be run in normal (regular) or aggressive mode. 
In both modes each switch sends UDLD Layer 2 messages carrying its own device and port ID plus the neighbor IDs it has heard, so a port can tell whether the neighbor is still hearing it. In normal mode, a link detected as unidirectional (the neighbor no longer lists this port as its peer) is err-disabled on the side that detects it, while a link whose state merely becomes undetermined is left up. In aggressive mode, when the neighbor stops replying the switch makes eight attempts to re-establish the relationship, one per second, and if none is answered it err-disables the port; both sides run the same check, so both ends go err-disabled. Aggressive mode is the one to use on point-to-point fiber uplinks.<br><br> <h3>Loop Guard</h3><br>Loop Guard prevents a non-designated (root or alternate) trunk port from transitioning from blocking to forwarding simply because BPDUs stopped arriving. The loss of BPDUs doesn't always mean a broken link; it could be a unidirectional link, a neighbor too busy to send them, or BPDU Filter on the far end, as in the test above. A port moving to forwarding in that situation creates a bridging loop, which does far more damage than the missing BPDUs themselves. Loop Guard addresses this by placing the port into a <em>loop-inconsistent</em> state (shown as <b>BKN*</b> with <b>*LOOP_Inc</b> in <b>show spanning-tree</b>) rather than allowing it to forward; the port recovers automatically as soon as BPDUs resume. <p>Below is a picture where these features should be placed, in my opinion.</p> <p><a href="http://lh3.ggpht.com/-veZTsdCyA7E/UeEBPEk92NI/AAAAAAAAAPk/EWZx5XceDYA/s1600-h/Optimizing%252520and%252520Protecting%252520Spanning%252520Tree%25255B5%25255D.jpg"><img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="Optimizing and Protecting Spanning Tree" border="0" alt="Optimizing and Protecting Spanning Tree" src="http://lh5.ggpht.com/-iO4dDHColOk/UeEBPfBOpjI/AAAAAAAAAPs/vL8tETgIJoE/Optimizing%252520and%252520Protecting%252520Spanning%252520Tree_thumb%25255B3%25255D.jpg?imgmax=800" width="533" height="453"></a> </p> <p>Notice that Root Guard is nowhere to be found. This is because after research and testing, it is my opinion that Root Guard should not be used unless there is a security requirement for it or a specific set of circumstances exists, such as a separate network you have no control over connecting to your network and needing to participate in your STP topology. 
Root Guard in this scenario would prevent something in that network from accidentally hijacking your root bridge.</p> Steven Kinghttp://www.blogger.com/profile/07365721320218558098noreply@blogger.com1
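<p>The Root Guard test and the Root Guard and UplinkFast sections above all turn on the same thing: how a bridge decides that one BPDU is "superior" to another. The following is an added example (not code from the original posts) that models the bridge ID and the BPDU comparison order and reproduces the two elections seen in the console output: the attached switch announcing itself as <b>1-c84c.75a6.fa80</b> superseding 3750A's <b>8001.7081.05a2.ed80</b>, and an access switch that UplinkFast has pushed to priority 49,152 losing to SwitchC's real root at priority 4096. Sender port IDs and the rogue's port ID are assumptions; the bridge IDs and MACs come from the output above.</p>

```python
"""Bridge IDs, BPDU comparison and the Root Guard decision (added example).

Not code from the original posts. Bridge IDs are taken from the console
output above (3750A at 8001.7081.05a2.ed80, the attached switch announcing
1-c84c.75a6.fa80, SwitchC at 32769 with its root at priority 4096). Port
IDs other than 3750A's 0x8037 are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeID:
    """The 8-byte bridge ID: 16-bit priority field, then the MAC address.

    The priority field is the configured priority (a multiple of 4096)
    plus the VLAN number (sys-id-ext), so priority 32768 on VLAN 1 is
    32769 = 0x8001. Lower compares better; dataclass ordering compares
    the fields in this order, which is exactly the 802.1D comparison.
    """
    priority: int
    mac: str  # dotted hex exactly as IOS prints it, e.g. '7081.05a2.ed80'

    @classmethod
    def build(cls, configured_priority: int, vlan: int, mac: str) -> "BridgeID":
        if configured_priority % 4096 or not 0 <= configured_priority <= 61440:
            raise ValueError("bridge priority must be a multiple of 4096 up to 61440")
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN must be 1..4094")
        return cls(configured_priority + vlan, mac.lower())

    def wire_hex(self) -> str:
        """The ID as IOS logs it in 'setting bridge id', e.g. '8001.7081.05a2.ed80'."""
        return f"{self.priority:04x}.{self.mac}"

    def ios_short(self) -> str:
        """The 'priority-mac' form seen in 'heard root 1-c84c.75a6.fa80'."""
        return f"{self.priority}-{self.mac}"


@dataclass(frozen=True, order=True)
class BPDU:
    """Configuration BPDU fields, in the order a bridge compares them."""
    root_id: BridgeID
    root_path_cost: int
    sender_id: BridgeID
    sender_port_id: int


def is_superior(candidate: BPDU, current: BPDU) -> bool:
    """True when `candidate` beats `current` (the lower tuple wins)."""
    return candidate < current


def root_guard(port_best: BPDU, received: BPDU) -> str:
    """What a root-guarded port does with a received BPDU.

    `port_best` is the BPDU the switch itself sends on that port (its view
    of the root). A received BPDU superior to it means the neighbor is
    trying to become root through this port, so the port goes
    root-inconsistent (blocking) until such BPDUs stop arriving.
    """
    return "root-inconsistent" if is_superior(received, port_best) else "forwarding"


def elect_root(*bridges: BridgeID) -> BridgeID:
    """The root is simply the lowest bridge ID in the domain."""
    return min(bridges)


# Scenario 1: the Root Guard test above, VLAN 1.
SW_3750A = BridgeID.build(32768, 1, "7081.05a2.ed80")   # logged as 8001.7081.05a2.ed80
ROGUE = BridgeID.build(0, 1, "c84c.75a6.fa80")           # 'heard root 1-c84c.75a6.fa80'
# 3750A's own BPDU on Gi2/0/1 while it believes itself root (port id 8037 from the log).
A_BPDU = BPDU(root_id=SW_3750A, root_path_cost=0, sender_id=SW_3750A, sender_port_id=0x8037)
# The attached switch claims to be root with priority 0 (its port id is assumed).
ROGUE_BPDU = BPDU(root_id=ROGUE, root_path_cost=0, sender_id=ROGUE, sender_port_id=0x8001)

# Scenario 2: SwitchC's domain, with an access switch running UplinkFast.
REAL_ROOT = BridgeID.build(4096, 1, "0017.0f61.5281")    # 'Root ID Priority 4096'
SWITCH_C = BridgeID.build(32768, 1, "0013.5f1c.ca40")    # SwitchC's own bridge ID
ACCESS_UPLINKFAST = BridgeID.build(49152, 1, "0013.5f1c.ca40")  # same MAC, UplinkFast priority

if __name__ == "__main__":
    print(SW_3750A.wire_hex(), "hears", ROGUE.ios_short())
    print("Root Guard on Gi2/0/1:", root_guard(A_BPDU, ROGUE_BPDU))
    print("Root without Root Guard:", elect_root(SW_3750A, ROGUE).ios_short())
    print("Root with UplinkFast access switch:", elect_root(REAL_ROOT, SWITCH_C, ACCESS_UPLINKFAST).wire_hex())
```

<p>The comparison is deliberately a plain tuple ordering: that is all a bridge does, which is why a priority of 0 from any device on an access port wins outright and why UplinkFast's 49,152 only helps against switches that keep their default priority.</p>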
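<p>The placement diagram above is a policy, and policies drift as people add ports. This added example (not code from the original posts) audits an IOS running-config against that policy: PortFast and BPDU Guard on access ports, Loop Guard and aggressive UDLD on trunks, BPDU Filter nowhere, and, per the Root Guard test, no Root Guard sitting behind BPDU Guard on the same port. The sample config is constructed for the example; only the <b>GigabitEthernet2/0/1</b> stanza is the one from the test, the other interfaces and the global lines are assumptions.</p>

```python
"""Audit an IOS running-config against the STP protection placement above.

Added example, not code from the original posts. The sample config is
constructed: only the GigabitEthernet2/0/1 stanza comes from the Root
Guard test, everything else is assumed.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
!
interface GigabitEthernet2/0/1
 description 3750B
 switchport mode access
 spanning-tree bpduguard enable
 spanning-tree guard root
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree portfast
!
interface TenGigabitEthernet1/4
 switchport mode trunk
 spanning-tree guard loop
 udld port aggressive
!
interface TenGigabitEthernet1/5
 switchport mode trunk
!
"""

Finding = Tuple[str, str, str]  # (severity, interface, message)


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and per-interface stanzas."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' terminates a stanza
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text: str) -> List[Finding]:
    """Apply the placement policy and return (severity, interface, message) findings."""
    global_lines, interfaces = parse_config(text)
    g = set(global_lines)
    findings: List[Finding] = []
    if "errdisable recovery cause bpduguard" not in g:
        findings.append(("info", "global", "no errdisable recovery for bpduguard: tripped ports stay down until bounced"))
    for name, lines in interfaces.items():
        s = set(lines)
        trunk = "switchport mode trunk" in s
        portfast = "spanning-tree portfast" in s
        access = "switchport mode access" in s or portfast
        # The global 'portfast bpduguard default' only covers PortFast ports.
        bpduguard = "spanning-tree bpduguard enable" in s or (portfast and "spanning-tree portfast bpduguard default" in g)
        if "spanning-tree bpdufilter enable" in s:
            findings.append(("high", name, "per-interface BPDU Filter drops received BPDUs and disables STP on the port"))
        if access:
            if not bpduguard:
                findings.append(("medium", name, "access port without BPDU Guard"))
            if not portfast:
                findings.append(("low", name, "access port without PortFast"))
            if "spanning-tree bpduguard enable" in s and "spanning-tree guard root" in s:
                findings.append(("low", name, "BPDU Guard and Root Guard on one port: BPDU Guard fires first, Root Guard never acts"))
        if trunk:
            if portfast:
                findings.append(("high", name, "PortFast on a trunk"))
            if "spanning-tree guard root" in s:
                findings.append(("medium", name, "Root Guard on a trunk can isolate the switch after an uplink failure"))
            if "spanning-tree guard loop" not in s and "spanning-tree loopguard default" not in g:
                findings.append(("medium", name, "trunk without Loop Guard"))
            if "udld port aggressive" not in s and "udld aggressive" not in g:
                findings.append(("low", name, "trunk without aggressive UDLD"))
    return findings


if __name__ == "__main__":
    for severity, iface, message in audit(SAMPLE_CONFIG):
        print(f"{severity:<6} {iface:<22} {message}")
```

<p>Run it against <b>show running-config</b> output pulled over SSH or from a config backup; the parser only understands the one-space indentation IOS uses for interface sub-commands, which is enough for this family of checks.</p>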
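<p>The guard features only help if someone notices when they trip. This added example (not code from the original posts) shows the detection side: it parses the IOS syslog messages these features emit and raises per-port alerts, escalating when BPDU Guard trips again on a port that errdisable recovery has just brought back, which means the BPDU source is still plugged in. The first three sample lines are copied from the Root Guard test console output above; the recovery, second trip and Loop Guard lines are constructed in the same IOS message format and their exact wording is an assumption.</p>

```python
"""Detect STP protection events in IOS syslog (added example).

Not code from the original posts. Lines marked 'from the test' are copied
from the console output above; the others are constructed and their
message formats are assumptions.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

SAMPLE_LOG = [
    # From the Root Guard test above:
    "*Mar 1 00:05:41.877: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi2/0/1 with BPDU Guard enabled. Disabling port.",
    "*Mar 1 00:05:41.877: %PM-4-ERR_DISABLE: bpduguard error detected on Gi2/0/1, putting Gi2/0/1 in err-disable state",
    "*Mar 1 00:06:07.404: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet2/0/1 on VLAN0001.",
    # Constructed (assumed formats): recovery timer fires, the rogue is still there, and a Loop Guard trip.
    "*Mar 1 00:10:41.900: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi2/0/1",
    "*Mar 1 00:10:44.120: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi2/0/1 with BPDU Guard enabled. Disabling port.",
    "*Mar 1 00:10:44.120: %PM-4-ERR_DISABLE: bpduguard error detected on Gi2/0/1, putting Gi2/0/1 in err-disable state",
    "*Mar 1 00:12:03.511: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port TenGigabitEthernet1/5 on VLAN0001.",
    "*Mar 1 00:12:05.000: %SYS-5-CONFIG_I: Configured from console by console",
]

MNEMONIC_RE = re.compile(r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$")
PORT_RE = re.compile(r"\b(GigabitEthernet|TenGigabitEthernet|FastEthernet|Gi|Te|Fa)(\d+(?:/\d+)+)")
VLAN_RE = re.compile(r"\bVLAN0*(\d+)\b")
LONG = {"Gi": "GigabitEthernet", "Te": "TenGigabitEthernet", "Fa": "FastEthernet"}

# Mnemonic -> (severity, what it means operationally).
RULES = {
    "SPANTREE-2-BLOCK_BPDUGUARD": ("high", "BPDU on access port: unauthorized switch or BPDU injection"),
    "SPANTREE-2-ROOTGUARD_BLOCK": ("high", "superior BPDU on root-guarded port: root bridge hijack attempt"),
    "SPANTREE-2-LOOPGUARD_BLOCK": ("medium", "BPDUs stopped on non-designated port: unidirectional link or BPDU Filter upstream"),
    "PM-4-ERR_DISABLE": ("info", "port err-disabled"),
    "PM-4-ERR_RECOVER": ("info", "errdisable recovery attempted"),
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}


def parse_event(line: str) -> Optional[dict]:
    """Pull mnemonic, canonical long port name and VLAN out of one IOS log line."""
    m = MNEMONIC_RE.search(line)
    if not m:
        return None
    p = PORT_RE.search(m.group("text"))
    v = VLAN_RE.search(m.group("text"))
    return {
        "mnemonic": m.group("mnemonic"),
        "port": f"{LONG.get(p.group(1), p.group(1))}{p.group(2)}" if p else None,
        "vlan": int(v.group(1)) if v else None,
    }


def detect(lines: List[str]) -> List[dict]:
    """Aggregate events per (port, mnemonic) into alerts, most severe first.

    A second BPDU Guard trip on the same port means the BPDU source survived
    errdisable recovery, so that alert is escalated to critical.
    """
    counts: Counter = Counter()
    vlans: Dict[tuple, set] = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["mnemonic"] in RULES and ev["port"]:
            key = (ev["port"], ev["mnemonic"])
            counts[key] += 1
            if ev["vlan"] is not None:
                vlans[key].add(ev["vlan"])
    alerts = []
    for (port, mnemonic), n in counts.items():
        severity, message = RULES[mnemonic]
        if mnemonic == "SPANTREE-2-BLOCK_BPDUGUARD" and n > 1:
            severity = "critical"
            message = f"{message}; tripped {n} times, source persists across errdisable recovery"
        alerts.append({"severity": severity, "port": port, "mnemonic": mnemonic,
                       "count": n, "vlans": sorted(vlans[(port, mnemonic)]), "message": message})
    alerts.sort(key=lambda a: (SEVERITY_ORDER[a["severity"]], a["port"]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['severity']:<8} {a['port']:<22} x{a['count']} vlans={a['vlans']} {a['message']}")
```

<p>The same rules work on lines that arrive through a syslog collector with a different prefix, because the parser anchors on the <b>%FACILITY-SEVERITY-MNEMONIC:</b> token rather than on the timestamp.</p>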