Windows Wireless Troubleshooting

Categories Uncategorized, Windows, Wireless

Windows 10 includes a feature that creates a detailed report of the Wi-Fi connection history, which can ease troubleshooting. The report provides information about each adapter, error events, the networks you have connected to and session durations, which you can use to diagnose and solve connectivity-related problems.

Steps

  • Open an elevated command prompt.

Start -> cmd -> right click and choose Run as administrator

Commands

  • netsh wlan show wlanreport

Go to the file path printed by the command in Windows File Explorer to view the report for the computer's wireless interface.

Traffic Monitoring With SPAN

Categories Cisco, Switch
  • Switched Port Analyzer (SPAN) – Copies traffic from a source port/VLAN and sends the frame copies to a destination port for observation.
  • Also known as local SPAN or port SPAN.
  • Source and destination ports are on the same switch.
  • Remote SPAN (RSPAN) – Allows you to capture traffic on one switch and send it over a ‘remote VLAN’ to a remote switch that has the destination port.
  • The switches must be connected via Layer 2, with the remote VLAN trunked all the way through.

Sources of SPAN Traffic

  • One or more ports
  • Select direction (RX, TX, both) – Default is both
  • One or more VLANs
  • Traffic to/from switch CPU
  • Remote VLAN (RSPAN destination switches)

SPAN Destinations

  • One or more ports (Local SPAN)
  • One or more remote VLANS (RSPAN)
  • A port identified as a SPAN destination is a ‘monitoring’ port – all other features are disabled on it.
  • Once a destination port is set, the only thing the port is good for is sending the copied traffic to the monitoring device (normally a PC running Wireshark).
  • A SPAN destination may only belong to ONE SPAN session.

Things to Know

  • Do NOT oversubscribe the destination port. Example: the destination is one Fast Ethernet port and you are monitoring 5 Fast Ethernet ports. The switch will start dropping packets because the receiving (destination) interface is saturated: up to 500 Mbps of source traffic into a 100 Mbps destination port.
  • A SPAN source may belong to more than a single SPAN session.

Commands

  • Syntax: monitor session <session number> source [interface/remote/vlan]
  • ex: monitor all traffic on fa 0/1
monitor session 1 source int fa 0/1
  • Show current SPAN sessions
show monitor
  • ex: set the session 1 destination interface for monitoring to fa 0/3
monitor session 1 destination int fa 0/3
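
The two rules from “Things to Know” and “SPAN Destinations” (never oversubscribe the destination; a destination belongs to only one session) are easy to check before committing a session. The following is an added example, not part of the original notes: it models a SPAN session in Python, reproduces the page's own 5 x FastEthernet into 1 x FastEthernet arithmetic, and goes one step further by counting both directions when a source is monitored with the default direction “both”. Port names and speeds are constructed sample data.

```python
# Added example (not from the original notes): a small model of two SPAN rules,
# "do not oversubscribe the destination" and "one destination per session".
# Port names and link speeds below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class SpanSource:
    port: str
    speed_mbps: int
    direction: str = "both"        # rx, tx or both; IOS defaults to both

    def max_copy_rate_mbps(self) -> int:
        # Mirroring both directions of a full-duplex link can produce up to
        # twice the link speed in copied frames; rx-only or tx-only at most
        # the link speed itself.
        return self.speed_mbps * (2 if self.direction == "both" else 1)


@dataclass
class SpanSession:
    session_id: int
    sources: List[SpanSource]
    destination_port: str
    destination_speed_mbps: int

    def worst_case_load_mbps(self) -> int:
        return sum(s.max_copy_rate_mbps() for s in self.sources)

    def oversubscription_ratio(self) -> float:
        return self.worst_case_load_mbps() / self.destination_speed_mbps

    def is_oversubscribed(self) -> bool:
        return self.worst_case_load_mbps() > self.destination_speed_mbps


def audit_sessions(sessions: List[SpanSession]) -> List[str]:
    """Return human-readable findings; an empty list means both rules hold."""
    findings: List[str] = []
    seen_destinations: Dict[str, int] = {}
    for s in sessions:
        if s.is_oversubscribed():
            findings.append(
                f"session {s.session_id}: up to {s.worst_case_load_mbps()} Mbps of copies "
                f"into {s.destination_port} ({s.destination_speed_mbps} Mbps), "
                f"{s.oversubscription_ratio():.1f}x oversubscribed; expect drops")
        # A source may sit in several sessions, a destination may not.
        if s.destination_port in seen_destinations:
            findings.append(
                f"session {s.session_id}: {s.destination_port} is already the destination "
                f"of session {seen_destinations[s.destination_port]}")
        else:
            seen_destinations[s.destination_port] = s.session_id
    return findings


# The page's own scenario: five FastEthernet sources (one direction each, as the
# page counts them) into a single FastEthernet destination.
PAGE_SCENARIO = SpanSession(
    session_id=1,
    sources=[SpanSource(f"Fa0/{i}", 100, "rx") for i in range(1, 6)],
    destination_port="Fa0/10",
    destination_speed_mbps=100,
)

if __name__ == "__main__":
    for line in audit_sessions([PAGE_SCENARIO]):
        print(line)
```

Run as a script it prints the single finding for the page's scenario (500 Mbps into 100 Mbps, 5.0x). Feeding it a second session that reuses Fa0/10 as its destination produces the second finding.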

NTP – Network Time Protocol

Categories Cisco, Route, Switch

NTP is a layer 3 protocol. NTP is used to keep proper time, which is critical in networks. Making sure all network devices are synchronized to the same time helps with management. Networking devices use time for several reasons:

  • Logging output
  • Debugging output
  • User ‘show’ commands
  • Network management/Reporting tools
  • Certificates – If time is incorrect your certificates can become out-of-date

Where do we get the time?

  • All devices have an internal system clock.
  • Most are battery driven and maintain the time/date when the device reloads.
  • Devices with battery-driven system clocks can also distribute this information to remote devices via NTP.

Sources Of Time

  • Manual configuration, i.e. the clock set command
  • NTP
  • SNTP
  • VINES

NTP

  • IETF Standard – RFC 1305 and RFC 5905
  • UDP port 123 (source and destination)
  • NTP nodes obtain time from an authoritative source:
    -Atomic clock
    -GPS
    -Radio
    -Other network devices

NTP Device Roles

  • Client – Device that periodically polls a server for time/calendar information.
  • Server – Provides the information to the client.
  • Stratum 1 – Most accurate clock, directly attached to an authoritative source.
  • Stratum 2 – Time server that is one hop away from a stratum-1 device, and so on.
  • The default stratum for ntp master is 8.
  • When using authentication, the clients authenticate the server.

IOS Configuration (server aka Master)

clock set hour:minute:seconds day month year
conf t
ntp master [1 - 15]

IOS Configuration (Client)

conf t
ntp server x.x.x.x

IOS Server Authentication Config

ntp authentication-key 1 md5 something
ntp trusted-key 1

IOS Client Authentication Config

ntp authentication-key 1 md5 something
ntp trusted-key 1
ntp authenticate
ntp server x.x.x.x key 1

Verification

show ntp status
show ntp associations
show ntp stat | i in sync

**Look for an asterisk next to the peer and for “clock is synchronized” in the output.**

**show ntp associations detail shows whether each association is authenticated.**
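
To see what the authentication commands above actually protect, here is an added example (not from the original notes) that builds and checks the symmetric-key MAC that ntp authentication-key / ntp trusted-key / ntp authenticate set up. The layout follows RFC 5905 section 7.3: the 48-byte NTP header, then a 32-bit key identifier, then MD5 computed over the key followed by the header. Treating the IOS key string as the raw key bytes, and the packet field values, are assumptions made for the illustration; the IOS implementation is not reproduced here.

```python
# Added example (not from the original notes): NTP symmetric-key MAC as in
# RFC 5905 section 7.3, to illustrate what "ntp authentication-key 1 md5 ..."
# and "ntp trusted-key 1" set up. Packet values are constructed; treating the
# IOS key string as raw key bytes is an assumption.
import hashlib
import hmac
import struct
from typing import Dict, Tuple

NTP_HEADER_LEN = 48
KEY_ID_LEN = 4
MD5_LEN = 16


def build_client_header(transmit_ts: int = 0) -> bytes:
    """Minimal NTPv4 client (mode 3) header with a 64-bit transmit timestamp."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3          # LI=0, VN=4, mode=3
    stratum, poll, precision = 0, 6, -20           # precision is a signed byte
    root_delay = root_dispersion = 0
    reference_id = b"\x00" * 4
    ref_ts = orig_ts = recv_ts = 0
    return struct.pack("!BBBbII4sQQQQ", li_vn_mode, stratum, poll, precision,
                       root_delay, root_dispersion, reference_id,
                       ref_ts, orig_ts, recv_ts, transmit_ts)


def compute_digest(key: bytes, header: bytes) -> bytes:
    # RFC 5905 MD5 MAC: digest over the key followed by the header. The key id
    # and the digest field themselves are not covered.
    return hashlib.md5(key + header).digest()


def append_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """What a device holding ntp authentication-key <id> does before sending."""
    return header + struct.pack("!I", key_id) + compute_digest(key, header)


def verify(packet: bytes, trusted_keys: Dict[int, bytes]) -> Tuple[bool, str]:
    """What a client with `ntp authenticate` does: the key id must be a trusted
    key and the digest must match. Returns (accepted, reason)."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + MD5_LEN:
        return False, "no MAC present or unexpected length"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    digest = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"key id {key_id} is not a trusted key"
    if not hmac.compare_digest(digest, compute_digest(key, header)):
        return False, "digest mismatch (wrong key string or altered packet)"
    return True, "authenticated"


if __name__ == "__main__":
    keys = {1: b"something"}                     # ntp authentication-key 1 md5 something
    pkt = append_mac(build_client_header(0x1234567890ABCDEF), 1, keys[1])
    print(verify(pkt, keys))
    altered = pkt[:8] + bytes([pkt[8] ^ 0x01]) + pkt[9:]   # flip one header bit
    print(verify(altered, keys))
    print(verify(pkt, {2: b"something"}))        # key 1 is not in the trusted list
```

The three checks in verify() map onto the three client commands: the key table is ntp authentication-key, the trusted set is ntp trusted-key, and the fact that an unauthenticated or mismatched packet is refused at all is ntp authenticate. MD5 is used because that is what the md5 keyword selects; the construction is a plain prefix digest, not HMAC.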

Cisco MPLS Configuration Lab

Categories Cisco, IOS, Route
  • VRF 1 = Client1: two routers, two locations
  • 192.168.1.0/24 and 192.168.2.0/24
  • VRF 2 = Client2: two routers, two locations
  • 172.16.1.0/24 and 172.16.2.0/24
  • Two PE routers, PE1 and PE2, connected over the 10.0.0.0/24 network. PE1 has a loopback of 1.1.1.1 and PE2 has 2.2.2.2. This provider network could easily be increased in size and number of devices. Most labs use OSPF or EIGRP for the provider network with a BGP session between the provider edge devices that connect to the clients.

C-1-1 Configuration

hostname C-1-1
 !
 interface Loopback0
  ip address 11.11.11.11 255.255.255.255
 !
 interface GigabitEthernet0/0
  ip address 192.168.1.2 255.255.255.0
  ip ospf 1 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 router ospf 1
  router-id 11.11.11.11

C-1-2 Configuration

 hostname C-1-2
 !
 interface Loopback0
  ip address 12.12.12.12 255.255.255.255
 !
 interface GigabitEthernet0/0
  ip address 192.168.2.2 255.255.255.0
  ip ospf 1 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 router ospf 1
  router-id 12.12.12.12
 !

C-2-1 Configuration

hostname C-2-1
 !
 interface Loopback0
  ip address 21.21.21.21 255.255.255.255
 !
 interface GigabitEthernet0/1
  ip address 172.16.1.2 255.255.255.0
  ip ospf 1 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 router ospf 1
  router-id 21.21.21.21
 !

C-2-2 Configuration

hostname C-2-2
 !
 interface Loopback0
  ip address 22.22.22.22 255.255.255.255
 !
 interface GigabitEthernet0/1
  ip address 172.16.2.2 255.255.255.0
  ip ospf 2 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 router ospf 2
  router-id 22.22.22.22
 !

PE1

hostname PE1
 !
 ip vrf Client1
  rd 65000:1
  route-target export 65000:1
  route-target import 65000:1
 !
 ip vrf Client2
  rd 65000:2
  ! Client2 uses its own route target on both PEs (65000:1 belongs to Client1)
  route-target export 65000:2
  route-target import 65000:2
 !
 interface Loopback0
  ip address 1.1.1.1 255.255.255.255
 !
 interface GigabitEthernet0/0
  ip vrf forwarding Client1
  ip address 192.168.1.1 255.255.255.0
  ip ospf 1 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/1
  ip vrf forwarding Client2
  ip address 172.16.1.1 255.255.255.0
  ip ospf 2 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/2
  ip address 10.0.0.1 255.255.255.0
  duplex auto
  speed auto
  media-type rj45
  mpls ip
 !
 router ospf 1 vrf Client1
  router-id 192.168.1.1
  redistribute bgp 65000 subnets
 !
 router ospf 2 vrf Client2
  router-id 172.16.1.1
  redistribute bgp 65000 subnets
 !
 router bgp 65000
  bgp router-id 1.1.1.1
  bgp log-neighbor-changes
  neighbor 2.2.2.2 remote-as 65000
  neighbor 2.2.2.2 update-source Loopback0
  !
  address-family ipv4
   neighbor 2.2.2.2 activate
  exit-address-family
  !
  address-family vpnv4
   neighbor 2.2.2.2 activate
   neighbor 2.2.2.2 send-community extended
  exit-address-family
  !
  address-family ipv4 vrf Client1
   redistribute ospf 1
  exit-address-family
  !
  address-family ipv4 vrf Client2
   redistribute ospf 2
  exit-address-family
 !
 ip route 2.2.2.2 255.255.255.255 10.0.0.2

PE2 Configuration

hostname PE2
 !
 ip vrf Client1
  rd 65000:1
  route-target export 65000:1
  route-target import 65000:1
 !
 ip vrf Client2
  rd 65000:2
  route-target export 65000:2
  route-target import 65000:2
 !
 interface Loopback0
  ip address 2.2.2.2 255.255.255.255
 !
 interface GigabitEthernet0/0
  ip vrf forwarding Client1
  ip address 192.168.2.1 255.255.255.0
  ip ospf 1 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/1
  ip vrf forwarding Client2
  ip address 172.16.2.1 255.255.255.0
  ip ospf 2 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/2
  ip address 10.0.0.2 255.255.255.0
  duplex auto
  speed auto
  media-type rj45
  mpls ip
 !
 router ospf 1 vrf Client1
  router-id 192.168.2.1
  redistribute bgp 65000 subnets
 !
 router ospf 2 vrf Client2
  router-id 172.16.2.1
  redistribute bgp 65000 subnets
 !
 router bgp 65000
  bgp router-id 2.2.2.2
  bgp log-neighbor-changes
  neighbor 1.1.1.1 remote-as 65000
  neighbor 1.1.1.1 update-source Loopback0
  !
  address-family ipv4
   neighbor 1.1.1.1 activate
  exit-address-family
  !
  address-family vpnv4
   neighbor 1.1.1.1 activate
   neighbor 1.1.1.1 send-community extended
  exit-address-family
  !
  address-family ipv4 vrf Client1
   redistribute ospf 1
  exit-address-family
  !
  address-family ipv4 vrf Client2
   redistribute ospf 2
  exit-address-family
 !
 ip route 1.1.1.1 255.255.255.255 10.0.0.1
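
Route targets are what keep the two customers apart in this lab, and a mistyped route target is the classic way VRF isolation silently breaks. The following is an added example, not part of the original lab: a Python model of route-target export/import that, given the VRF definitions on both PEs, shows which VPNv4 routes each VRF installs. It runs the lab's correct table (65000:1 for Client1, 65000:2 for Client2 on both PEs) and then a mistyped variant in which Client2 on PE1 is given Client1's route target, which both leaks Client1's prefixes into Client2 and leaves Client2 on PE2 with nothing. The prefixes are the lab's; the VRF objects and audit function are constructed here.

```python
# Added example (not from the original lab): route-target based VPNv4 import,
# applied to the lab's two customers. The Vrf/VpnRoute model and audit() are
# constructed for this illustration; prefixes and RDs are the lab's.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Vrf:
    pe: str
    name: str
    rd: str
    export_rt: FrozenSet[str]
    import_rt: FrozenSet[str]
    local_prefixes: FrozenSet[str]


@dataclass(frozen=True)
class VpnRoute:
    origin_pe: str
    origin_vrf: str
    rd: str
    prefix: str
    route_targets: FrozenSet[str]


def advertise(vrfs: List[Vrf]) -> List[VpnRoute]:
    """Each VRF exports its local prefixes into the VPNv4 table tagged with its export RTs."""
    return [VpnRoute(v.pe, v.name, v.rd, p, v.export_rt)
            for v in vrfs for p in sorted(v.local_prefixes)]


def imported(vrf: Vrf, table: List[VpnRoute]) -> List[VpnRoute]:
    """A VRF installs a VPNv4 route if any of the route's RTs is in its import list.
    The VRF's own exports are skipped; a different VRF on the same PE is not."""
    return [r for r in table
            if not (r.origin_pe == vrf.pe and r.origin_vrf == vrf.name)
            and r.route_targets & vrf.import_rt]


def audit(vrfs: List[Vrf]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (prefixes installed per 'PE/VRF', findings where a VRF imports
    a route that originated in a VRF with a different customer name)."""
    table = advertise(vrfs)
    view: Dict[str, List[str]] = {}
    leaks: List[str] = []
    for v in vrfs:
        routes = imported(v, table)
        view[f"{v.pe}/{v.name}"] = [r.prefix for r in routes]
        for r in routes:
            if r.origin_vrf != v.name:
                leaks.append(f"{v.pe}/{v.name} imports {r.prefix} from {r.origin_pe}/{r.origin_vrf}")
    return view, leaks


def lab_vrfs(pe1_client2_rt: str = "65000:2") -> List[Vrf]:
    """The lab's four VRFs; pe1_client2_rt lets you reproduce a mistyped route target."""
    rt = lambda s: frozenset([s])
    return [
        Vrf("PE1", "Client1", "65000:1", rt("65000:1"), rt("65000:1"), frozenset(["192.168.1.0/24"])),
        Vrf("PE1", "Client2", "65000:2", rt(pe1_client2_rt), rt(pe1_client2_rt), frozenset(["172.16.1.0/24"])),
        Vrf("PE2", "Client1", "65000:1", rt("65000:1"), rt("65000:1"), frozenset(["192.168.2.0/24"])),
        Vrf("PE2", "Client2", "65000:2", rt("65000:2"), rt("65000:2"), frozenset(["172.16.2.0/24"])),
    ]


if __name__ == "__main__":
    print("correct:", audit(lab_vrfs()))
    print("mistyped:", audit(lab_vrfs(pe1_client2_rt="65000:1")))
```

With the correct table every VRF sees exactly its own remote site and the leak list is empty. With the mistyped table, PE1/Client2 installs both Client1 prefixes, PE1/Client1 and PE2/Client1 pick up Client2's 172.16.1.0/24, and PE2/Client2 installs nothing, which is the symptom you would notice first while the leak is the one that matters.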

BGP Practice Lab

Categories Cisco, Route

NOTE: THIS LAB IS NOT COMPLETE. IT IS SET UP SO THAT BGP GOES DOWN DUE TO AN ISSUE WITH KEEPALIVES. EVERY 3 MINUTES BGP WILL GO DOWN AND THE DYNAMIC ROUTING PROTOCOL WILL TAKE OVER. AFTER THIS BGP WILL COME UP AGAIN FOR ANOTHER 3 MINUTES, AND THE CYCLE REPEATS. THIS IS AN EXAMPLE OF WHY YOU USE STATIC ROUTING ACROSS EXTERNAL PEERS. THERE ARE OTHER SOLUTIONS... FIND THEM!

  • BGP’s primary purpose is to interconnect autonomous systems.
  • Autonomous system (AS, identified by an ASN) – A network or group of networks under the same administrative control with a common routing policy.
  • BGP is the glue that holds the internet together!
  • BGP is designed to carry large numbers of routes.
  • BGP removes the strain of carrying large numbers of routes from IGPs.
  • In ISP speak these are ‘customer routes’.
  • External and internal BGP use different policies.
  • iBGP cannot replace an IGP. iBGP is meant to work alongside an IGP to create an efficient network.

External BGP

  • External peers must be directly connected.
  • eBGP packets are sent with a TTL of 1.
  • Time-to-live (TTL) tells a router whether the packet has been in the network too long and should be discarded; it is decremented by 1 at each hop and the packet is discarded when it reaches 0.
  • This is to avoid long-distance peerings from forming.
  • TTL security is used to make sure neighbors really are directly connected. It works by using a TTL of 255 instead. It must be enabled on both peers (routers).

BGP Configuration Categories

  • Configuration consists of two categories.
  • Session commands tell BGP how to create the session.
  • Session commands can be global or per address family (apply to all address families or just one).
  • Policy commands control the routes.
  • Policy commands are ALWAYS per address family.

Internal Peering

  • No requirement for direct connectivity when doing iBGP.

Huh?

  • After the configuration has been completed and we have verified that R2’s and R4’s loopbacks are being advertised to one another, we check the BGP table and find something interesting.
  • RIB-failure!!?? Normally a failure is never a good thing, but in this case it tells us that we have an internal route that is not being added to our routing table.
  • We can check whether there is a better route for our destination, and we see that the route is being learned via OSPF, which has a lower administrative distance than iBGP and therefore wins.
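
The RIB-failure above is just administrative distance at work: the same prefix arrives from two protocols and only the lower distance is installed. The following is an added example, not part of the original lab: a Python model of that selection, run over what vIOS1 learns from the three running configs in this post (its own connected networks, vIOS4's loopback from OSPF and from iBGP, vIOS2's loopback from EIGRP and from the eBGP session). The administrative distances are the IOS defaults. The last function is an extra diagnostic added here that flags an installed BGP route whose next hop is only reachable through that same route; the post leaves the cause of the lab's flapping to the reader, and this check is one thing worth running on its routes.

```python
# Added example (not from the original lab): RIB installation by administrative
# distance, the RIB-failure it produces, and a next-hop self-resolution check.
# Candidate routes are constructed from the vIOS1/vIOS2/vIOS4 running configs.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ADMIN_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ospf": 110, "ibgp": 200}
BGP = ("ebgp", "ibgp")


@dataclass(frozen=True)
class Candidate:
    prefix: str
    protocol: str
    next_hop: Optional[str] = None     # None for connected routes

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)

    @property
    def distance(self) -> int:
        return ADMIN_DISTANCE[self.protocol]


def build_rib(candidates: List[Candidate]) -> Dict[ipaddress.IPv4Network, Candidate]:
    """Install, per prefix, the candidate with the lowest administrative distance."""
    rib: Dict[ipaddress.IPv4Network, Candidate] = {}
    for c in candidates:
        current = rib.get(c.network)
        if current is None or c.distance < current.distance:
            rib[c.network] = c
    return rib


def installed_protocol(rib, prefix: str) -> Optional[str]:
    c = rib.get(ipaddress.ip_network(prefix))
    return c.protocol if c else None


def rib_failures(candidates: List[Candidate], rib) -> List[Candidate]:
    """BGP paths that are best in the BGP table but lost the RIB to a lower distance."""
    return [c for c in candidates if c.protocol in BGP and rib[c.network] != c]


def lookup(rib, address: str) -> Optional[Candidate]:
    """Longest-prefix match over installed routes."""
    addr = ipaddress.ip_address(address)
    matches = [net for net in rib if addr in net]
    return rib[max(matches, key=lambda n: n.prefixlen)] if matches else None


def self_resolving_bgp_routes(rib) -> List[Candidate]:
    """Installed BGP routes whose next hop resolves only through the route itself;
    such a route cannot actually be used to forward."""
    return [c for c in rib.values()
            if c.protocol in BGP and c.next_hop and lookup(rib, c.next_hop) == c]


# What vIOS1 learns in the lab (constructed from the three running configs).
VIOS1_CANDIDATES = [
    Candidate("192.168.0.1/32", "connected"),
    Candidate("192.168.69.0/24", "connected"),
    Candidate("192.168.26.0/24", "connected"),
    Candidate("192.168.0.4/32", "ospf", "192.168.26.2"),    # vIOS4 loopback via OSPF
    Candidate("192.168.0.4/32", "ibgp", "192.168.0.4"),     # same prefix via iBGP
    Candidate("192.168.0.2/32", "eigrp", "192.168.69.2"),   # vIOS2 loopback via EIGRP
    Candidate("192.168.0.2/32", "ebgp", "192.168.0.2"),     # same prefix via eBGP
]

if __name__ == "__main__":
    rib = build_rib(VIOS1_CANDIDATES)
    for net, c in rib.items():
        print(f"{net} via {c.protocol} (AD {c.distance}) next hop {c.next_hop}")
    print("RIB-failure:", rib_failures(VIOS1_CANDIDATES, rib))
    print("next hop resolves through itself:", self_resolving_bgp_routes(rib))
```

For 192.168.0.4/32 the OSPF path (110) beats iBGP (200), which is exactly the RIB-failure the post describes. For 192.168.0.2/32 the eBGP path (20) beats EIGRP (90), and its next hop is the prefix itself, so the diagnostic flags it.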

vIOS1 Configuration

vIOS1#sh runn
 Building configuration…
 Current configuration : 3589 bytes
 !
 ! Last configuration change at 15:13:59 UTC Sat Mar 13 2021
 !
 version 15.6
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 !
 hostname vIOS1
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 ethernet lmi ce
 !
 !
 !
 mmi polling-interval 60
 no mmi auto-configure
 no mmi pvc
 mmi snmp-timeout 180
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 multilink bundle-name authenticated
 !
 !
 !
 !
 !
 redundancy
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface Loopback0
  ip address 192.168.0.1 255.255.255.255
  ip ospf 1 area 0
 !
 interface GigabitEthernet0/0
  ip address 192.168.69.1 255.255.255.0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/1
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/2
  ip address 192.168.26.1 255.255.255.0
  ip ospf 1 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/3
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 !
 router eigrp 69
  network 192.168.0.0
  network 192.168.69.0
 !
 router ospf 1
 !
 router bgp 600
  bgp log-neighbor-changes
  neighbor 192.168.0.2 remote-as 900
  neighbor 192.168.0.2 ebgp-multihop 255
  neighbor 192.168.0.2 update-source Loopback0
  neighbor 192.168.0.4 remote-as 600
  neighbor 192.168.0.4 update-source Loopback0
  !
  address-family ipv4
   neighbor 192.168.0.2 activate
   neighbor 192.168.0.2 send-community
   neighbor 192.168.0.4 activate
   neighbor 192.168.0.4 send-community
  exit-address-family
 !
 ip forward-protocol nd
 !
 ip bgp-community new-format
 !
 no ip http server
 no ip http secure-server
 !

vIOS2 Configuration

vIOS2#sh runn
 Building configuration…
 Current configuration : 3368 bytes
 !
 ! Last configuration change at 15:19:15 UTC Sat Mar 13 2021
 !
 version 15.6
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 !
 hostname vIOS2
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 ethernet lmi ce
 !
 !
 !
 mmi polling-interval 60
 no mmi auto-configure
 no mmi pvc
 mmi snmp-timeout 180
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 multilink bundle-name authenticated
 !
 !
 !
 !
 !
 redundancy
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface Loopback0
  ip address 192.168.0.2 255.255.255.255
 !
 interface GigabitEthernet0/0
  ip address 192.168.69.2 255.255.255.0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/1
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/2
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/3
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 !
 router eigrp 69
  network 192.168.0.0
  network 192.168.69.0
 !
 router bgp 900
  bgp log-neighbor-changes
  neighbor 192.168.0.1 remote-as 600
  neighbor 192.168.0.1 ebgp-multihop 255
  !
  address-family ipv4
   network 192.168.0.2 mask 255.255.255.255
   neighbor 192.168.0.1 activate
   neighbor 192.168.0.1 send-community
  exit-address-family
 !
 ip forward-protocol nd
 !
 ip bgp-community new-format
 !
 no ip http server
 no ip http secure-server

vIOS4 Configuration

vIOS4#sh runn
 Building configuration…
 Current configuration : 3363 bytes
 !
 ! Last configuration change at 15:18:58 UTC Sat Mar 13 2021
 !
 version 15.6
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 !
 hostname vIOS4
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 ethernet lmi ce
 !
 !
 !
 mmi polling-interval 60
 no mmi auto-configure
 no mmi pvc
 mmi snmp-timeout 180
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 multilink bundle-name authenticated
 !
 !
 !
 !
 !
 redundancy
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface Loopback0
  ip address 192.168.0.4 255.255.255.255
  ip ospf 1 area 0
 !
 interface GigabitEthernet0/0
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/1
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/2
  ip address 192.168.26.2 255.255.255.0
  ip ospf 1 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/3
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 router ospf 1
 !
 router bgp 600
  bgp log-neighbor-changes
  neighbor 192.168.0.1 remote-as 600
  neighbor 192.168.0.1 update-source Loopback0
  !
  address-family ipv4
   network 192.168.0.4 mask 255.255.255.255
   neighbor 192.168.0.1 activate
   neighbor 192.168.0.1 send-community
  exit-address-family
 !
 ip forward-protocol nd
 !
 ip bgp-community new-format
 !
 no ip http server
 no ip http secure-server

Spanning Tree Review

Categories Cisco, IOS, Switch

Why do we need Spanning Tree

  • Good network design provides redundancy in devices and network links.
  • The simplest solution involves adding a second link between switches to overcome a link failure, or ensuring that a switch is connected to at least two other switches in the topology.
  • This can cause problems when a switch must forward broadcasts or when unknown unicast flooding occurs.
  • Network broadcasts forward in a continuous loop until the link becomes saturated and the switch is forced to drop packets.
  • The MAC address table must also constantly change ports as the packets loop. The packets keep looping around the topology because there is no time-to-live (TTL) mechanism for Layer 2 forwarding. Switch CPU utilization and memory consumption increase, which could crash the switch.

Common Causes of Layer 2 Loops

  • STP disabled on a switch
  • A misconfigured load balancer that transmits traffic out multiple ports with the same MAC address
  • A misconfigured virtual switch that bridges two physical ports (Virtual switches typically do not participate in STP.)
  • End users using a dumb network switch or hub

How Spanning Tree Works

  • Spanning Tree Protocol (STP) enables switches to become aware of other switches through the advertisement and receipt of bridge protocol data units (BPDUs).
  • STP builds a Layer 2 loop-free topology in an environment by temporarily blocking traffic on redundant ports.
  • STP operates by selecting a specific switch as the master switch and running a tree-based algorithm to identify which redundant ports should not forward traffic.

Root bridge: The root bridge is the most important switch in the Layer 2 topology.

Bridge protocol data unit (BPDU): This network packet is used for network switches to identify a hierarchy and notify of changes in the topology.

Two Types of BPDUs:

  • Configuration
  • TCN

Max age: This is the maximum length of time that passes before a bridge port saves its BPDU information.

  • Default is 20 seconds; configured with spanning-tree vlan vlan-id max-age maxage. If a switch loses contact with the BPDU’s source, it assumes that the BPDU information is still valid for the duration of the max age timer.

Hello time: time that a BPDU is advertised out of a port.

  • Default is 2 seconds; can be configured from 1 to 10 seconds with the command spanning-tree vlan vlan-id hello-time hello-time.

Forward delay: time that a port stays in a listening and learning state.

  • Default is 15 seconds; can be 15 to 30 seconds with the command spanning-tree vlan vlan-id forward-time forward-time.

Election

  • Hello BPDUs are exchanged between all switches at the beginning of the root bridge election process.
  • Each switch considers itself the root bridge; in fact it sends its BPDUs with its own bridge ID as the root bridge ID.
  • When a switch receives a BPDU with a lower bridge ID, it “adjusts” its own BPDUs and sends them with the received lower bridge ID; a BPDU with a higher bridge ID is simply discarded.
  • That process continues until all switches agree on the root bridge, the one with the lowest bridge ID.
  • If all switches have the same bridge priority, the tiebreaker is the MAC address: the switch with the lowest MAC address becomes the root bridge.
  • The bridge ID is composed of the bridge priority, the System ID Extension (from the IEEE 802.1t standard) and the MAC address of the switch.
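
The election and the bridge ID layout above are simple enough to simulate, and doing so makes the tiebreaker and the effect of the priority commands in “Root and Secondary Placement” concrete. The following is an added example, not part of the original notes: it builds 802.1t-style bridge IDs (4-bit priority, 12-bit system ID extension carrying the VLAN, 48-bit MAC), validates priorities the way spanning-tree vlan priority does (0 to 61440 in steps of 4096), and runs the “adopt the lower root ID you hear” process round by round over a constructed four-switch topology that borrows the lab's priorities (SW-03 at 0, SW-04 at 4096, the other two at the default 32768). The MAC addresses and links are made up for the illustration.

```python
# Added example (not from the original notes): 802.1t bridge IDs and a round-by-
# round simulation of the root bridge election. MAC addresses and the link list
# are constructed; priorities follow the lab (SW-03 = 0, SW-04 = 4096).
from typing import Dict, List, Tuple

DEFAULT_PRIORITY = 32768


def validate_priority(priority: int) -> int:
    """spanning-tree vlan X priority Y accepts 0..61440 in steps of 4096."""
    if not 0 <= priority <= 61440 or priority % 4096:
        raise ValueError(f"priority {priority} must be a multiple of 4096 between 0 and 61440")
    return priority


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """64-bit bridge ID: 4-bit priority, 12-bit system ID extension (the VLAN
    under 802.1t), then the 48-bit MAC. Lower is better."""
    validate_priority(priority)
    if not 1 <= vlan <= 4094:
        raise ValueError("vlan out of range")
    mac_int = int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)
    return ((priority + vlan) << 48) | mac_int


def displayed_priority(priority: int, vlan: int) -> int:
    """The value `show spanning-tree` prints, e.g. 32778 for VLAN 10 at default priority."""
    return validate_priority(priority) + vlan


def converge(switches: Dict[str, Tuple[int, str]], links: List[Tuple[str, str]],
             vlan: int) -> Tuple[Dict[str, str], int]:
    """Every switch starts by claiming itself as root, then adopts any lower
    root bridge ID it hears from a neighbour, until nothing changes.
    Returns (believed root per switch, rounds needed)."""
    ids = {name: bridge_id(p, vlan, mac) for name, (p, mac) in switches.items()}
    neighbours: Dict[str, List[str]] = {n: [] for n in switches}
    for a, b in links:
        neighbours[a].append(b)
        neighbours[b].append(a)
    believed = {name: name for name in switches}      # root ID field of the BPDU each sends
    rounds = 0
    while True:
        rounds += 1
        changed = False
        for name in switches:
            for nb in neighbours[name]:
                heard = believed[nb]
                if ids[heard] < ids[believed[name]]:  # lower bridge ID wins
                    believed[name] = heard
                    changed = True
        if not changed:
            return believed, rounds


def root_for_vlan(switches, links, vlan: int) -> str:
    believed, _ = converge(switches, links, vlan)
    roots = set(believed.values())
    if len(roots) != 1:
        raise RuntimeError("election did not converge on one root (topology not connected?)")
    return roots.pop()


LAB_SWITCHES = {
    # name: (priority, MAC); the MACs are constructed
    "SW-01": (DEFAULT_PRIORITY, "0000.0c11.1111"),
    "SW-02": (DEFAULT_PRIORITY, "0000.0c22.2222"),
    "SW-03": (0, "0000.0c33.3333"),
    "SW-04": (4096, "0000.0c44.4444"),
}
LAB_LINKS = [("SW-01", "SW-03"), ("SW-01", "SW-04"), ("SW-02", "SW-03"),
             ("SW-02", "SW-04"), ("SW-03", "SW-04")]

if __name__ == "__main__":
    print("root for VLAN 10:", root_for_vlan(LAB_SWITCHES, LAB_LINKS, 10))
    flat = {n: (DEFAULT_PRIORITY, mac) for n, (_, mac) in LAB_SWITCHES.items()}
    print("root with all priorities equal:", root_for_vlan(flat, LAB_LINKS, 10))
```

With the lab's priorities SW-03 wins; take it away and the secondary (SW-04 at 4096) wins; with every switch at 32768 the lowest MAC decides, which is why an unplanned replacement switch with a low MAC can become root unless priorities are set, the situation root guard and the priority commands below are there to prevent.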

Finding Topology Change Causes

  • Determining why TCNs are occurring involves checking a port to see whether it is connected to a host or to another switch.
  • If it is connected to another switch, you need to connect to that switch and repeat the process of examining the STP details.
  • You might need to examine CDP tables or your network documentation.
  • You can execute the show spanning-tree [vlan vlan-id] detail command again on each switch until you reach the last switch in the topology and identify the problematic port.

RSTP (802.1w) Port States

  • Discarding: The switch port is enabled, but the port is not forwarding any traffic to ensure that a loop is not created. This state combines the traditional STP states disabled, blocking, and listening.
  • Learning: The switch port modifies the MAC address table with any network traffic it receives. The switch still does not forward any other network traffic besides BPDUs.
  • Forwarding: The switch port forwards all network traffic and updates the MAC address table as expected. This is the final state for a switch port to forward network traffic.

STP Tuning

  • Ideally the root bridge is placed on a core switch, and a secondary root bridge is designated to minimize changes to the overall spanning tree.

Root and Secondary Placement

  • spanning-tree vlan vlan-id priority priority: The priority is a value between 0 and 61,440, in increments of 4,096.
  • spanning-tree vlan vlan-id root {primary | secondary} [diameter diameter]: This command executes a script that modifies certain values. The primary keyword sets the priority.
  • Generally, root switches are at Layer 2/Layer 3 boundaries.
  • Minimize the number of hops to the furthest switch in the topology.
  • BEST PRACTICE: set the priority to 0 for the primary root switch and to 4096 for the secondary root switch.

Oh Snap, There’s a Loop!

  • Catalyst switches detect a MAC address that is flapping between interfaces and notify via syslog.
  • The message includes the MAC address of the host, the VLAN, and the ports between which the MAC address is flapping.
  • These messages should be investigated to ensure that a forwarding loop does not exist.

Root Guard

  • Enabled on a port-by-port basis; it prevents a configured port from becoming a root port.
  • Stops downstream switches from becoming the root bridge – errdisables ports that receive a superior BPDU.
  • Command spanning-tree guard root – Root guard is placed on designated ports toward other switches that should never become root bridges.

STP Portfast

  • Placed on host ports; disables TCNs from those ports.
  • Bypasses the listening and learning states and goes straight to forwarding.
  • Saves time; used on access ports.
  • Beneficial in environments where computers use Dynamic Host Configuration Protocol (DHCP) or Preboot Execution Environment (PXE).
  • Command spanning-tree portfast trunk. ONLY USED ON A SINGLE HOST, EX: ESXI SERVER
  • Enable per interface with spanning-tree portfast, or globally on all access ports with the command spanning-tree portfast default.

BPDU Guard

  • BPDU guard is a safety mechanism that shuts down portfast ports upon receipt of a BPDU.
  • Ensures that a loop cannot accidentally be created if an unauthorized switch is added to the topology.
  • Enable globally with spanning-tree portfast bpduguard default. BPDU guard can be enabled or disabled on a specific interface with the command spanning-tree bpduguard {enable | disable}.
  • BPDU guard is typically configured on all host-facing ports that are enabled with portfast.
  • Use error recovery to recover ports that were shut down by BPDU guard: errdisable recovery cause bpduguard
  • The interval at which error recovery checks ports is configured with the command errdisable recovery interval time-seconds

BPDU Filter

  • Blocks BPDUs from being transmitted out a port.
  • Most network designs do not require BPDU filter; it adds an unnecessary level of complexity and also introduces risk.

UDLD Fiber Trunking

  • Unidirectional Link Detection (UDLD) allows for the bidirectional monitoring of fiber-optic cables.

Lab

SW-01 Configuration

SW-01#sh runn
 Building configuration…
 Current configuration : 3810 bytes
 !
 ! Last configuration change at 19:53:21 UTC Sat Mar 13 2021
 !
 version 15.2
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 service compress-config
 !
 hostname SW-01
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 !
 errdisable recovery cause bpduguard
 errdisable recovery interval 30
 !
 spanning-tree mode rapid-pvst
 spanning-tree extend system-id
 !
 vlan internal allocation policy ascending
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface GigabitEthernet0/0
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/1
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/2
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/3
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/0
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/1
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/2
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/3
  description ACCESS-WIRED
  switchport access vlan 10
  switchport mode access
  media-type rj45
  negotiation auto
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 ip forward-protocol nd
 !
 no ip http server
 no ip http secure-server
 !
 !
 !
 !
 !
 !
 control-plane
 !
 line con 0
 line aux 0
 line vty 0 4
 !
 !
 end 

SW-02 Configuration

SW-02#sh runn
 Building configuration…
 Current configuration : 3810 bytes
 !
 ! Last configuration change at 19:53:22 UTC Sat Mar 13 2021
 !
 version 15.2
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 service compress-config
 !
 hostname SW-02
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 !
 errdisable recovery cause bpduguard
 errdisable recovery interval 30
 !
 spanning-tree mode rapid-pvst
 spanning-tree extend system-id
 !
 vlan internal allocation policy ascending
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface GigabitEthernet0/0
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/1
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/2
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/3
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/0
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/1
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/2
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/3
  description ACCESS-WIRED
  switchport access vlan 10
  switchport mode access
  media-type rj45
  negotiation auto
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 ip forward-protocol nd
 !
 no ip http server
 no ip http secure-server
 !
 !
 !
 !
 !
 !
 control-plane
!
 line con 0
 line aux 0
 line vty 0 4
 !
 !
 end 
 SW-02#

SW-03 Configuration

SW-03#sh runn
 Building configuration…
 Current configuration : 3443 bytes
 !
 ! Last configuration change at 19:53:38 UTC Sat Mar 13 2021
 !
 version 15.2
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 service compress-config
 !
 hostname SW-03
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 !
 !
 spanning-tree mode rapid-pvst
 spanning-tree extend system-id
 spanning-tree vlan 1-4094 priority 0
 !
 vlan internal allocation policy ascending
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface GigabitEthernet0/0
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/1
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
  spanning-tree guard root
 !
 interface GigabitEthernet0/2
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
  spanning-tree guard root
 !
 interface GigabitEthernet0/3
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/0
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/1
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/2
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/3
  media-type rj45
  negotiation auto
 !
 ip forward-protocol nd
 !
 no ip http server
 no ip http secure-server
 !
 !
 !
 !
 !
 !
 control-plane
 !
 line con 0
 line aux 0
 line vty 0 4
 !
 !
 end 
 SW-03#

SW-04 Configuration

SW-04#sh runn
 Building configuration…
 Current configuration : 3446 bytes
 !
 ! Last configuration change at 19:53:44 UTC Sat Mar 13 2021
 !
 version 15.2
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 service compress-config
 !
 hostname SW-04
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 !
 !
 spanning-tree mode rapid-pvst
 spanning-tree extend system-id
 spanning-tree vlan 1-4094 priority 4096
 !
 vlan internal allocation policy ascending
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface GigabitEthernet0/0
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/1
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
  spanning-tree guard root
 !
 interface GigabitEthernet0/2
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
  spanning-tree guard root
 !
 interface GigabitEthernet0/3
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/0
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/1
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/2
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/3
  media-type rj45
  negotiation auto
 !
 ip forward-protocol nd
 !
 no ip http server
 no ip http secure-server
 !
 !
 !
 !
 !
 !
 control-plane
 !
 line con 0
 line aux 0
 line vty 0 4
 !
 !
 end 

VPC Design and Best Practices

Categories Cisco, Switch

What You Say?

In order to understand Virtual Port Channels we must know what a port channel is. A port channel provides a way to aggregate (bond) multiple interfaces together. Traffic is then load balanced across each of the connections.

Port Channel Benefits

  • Redundancy – Should one of the interfaces fail, traffic is sent over the remaining links.
  • Bandwidth – Bandwidth increases because multiple interfaces are bundled together. Traffic is then load balanced across each of the links within the ‘bundle’.
  • Spanning Tree – Port channels are seen as a single switchport by Spanning Tree protocols.

Though Port-Channels are great, the problem is that all links within the “bundle” must be connected to the same switch.

vPC: Virtual Port Channel

  • vPC (Virtual Port-Channel), also known as multichassis EtherChannel (MEC) is a feature on the Cisco Nexus switches that provides the ability to configure a Port-Channel across multiple switches (i.e. vPC peers).
  • vPC is similar to Virtual Switch System (VSS) on the Catalyst 6500s. However, the key difference between vPC and VSS is that VSS creates a single logical switch. This results in a single control plane for both management and configuration purposes. Whereas with vPC each switch is managed and configured independently.
  • It is important to remember that with vPC both switches are managed independently. This means you will need to create and permit your VLANs on both Nexus switches.

Design Best Practices

  • You should create a separate Layer 2 trunk port channel between the peer switches to transport non-vPC VLAN traffic.
  • Do not use vPC to connect more than two data centers. Use OTV for that.
  • Use multiple line cards for the vPC peer link. For example, if you choose 6 links for the peer link, take ports from at least two separate line cards; more is better. If one line card fails you still have other line cards to provide backup, so the probability of a peer-link-down event is lower.
  • Use a dedicated link for the keepalive. A 1GE port is enough for the keepalive; a port channel of 2 x 1G ports is even better. In addition, take ports from multiple line cards, just like the peer link recommendation.

Configuration Best Practices

  • Use a dedicated VRF for the keepalive link. For example, OUR-KEEPALIVE-VRF.
  • You must configure the vPC keepalive link before configuring the peer link. Otherwise, vPC will remain down.
  • VLAN pruning is highly recommended on the peer link. In other words, always configure the allowed VLAN list on the peer link.
  • vPC peer-gateway should be enabled in the vPC domain.
  • vPC ARP sync should be enabled in the vPC domain.
  • Delay restore should be enabled in the vPC domain, with the time set according to the network profile.
  • vPC graceful type-1 check should be enabled in the vPC domain.
  • vPC auto-recovery should be enabled in the vPC domain.
  • Auto-recovery reload-delay should be enabled in the vPC domain.
  • vPC member port configuration must be the same on both vPC peer devices.
  • It is not a must, but it is a good idea to use the same vPC ID as the port-channel ID for ease of configuration, monitoring, and troubleshooting.
  • Active-active LACP is recommended for member ports.
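
Most of the configuration best practices above are single lines under the vpc domain block or on the peer-link port channel, so they lend themselves to an automated check against a running config. The following is an added example, not part of the original notes: a Python checker that splits an NX-OS config into blocks and reports which of the listed settings are missing, run against a constructed weak configuration and a constructed hardened one. The keywords it looks for (peer-keepalive ... vrf, peer-gateway, ip arp synchronize, delay restore, auto-recovery reload-delay, graceful consistency-check, vpc peer-link, switchport trunk allowed vlan) are NX-OS syntax; the domain number, addresses and the VPC-KEEPALIVE VRF name are made up.

```python
# Added example (not from the original notes): checks an NX-OS vpc domain block
# and its peer-link port channel against the best-practice list above.
# Both sample configs are constructed; addresses and the VRF name are made up.
import re
from typing import Dict, List


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Split an NX-OS config into top-level blocks keyed by their header line."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):                 # indented line belongs to current block
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks


def check_vpc(config: str) -> List[str]:
    """Return one finding per missing best practice; empty list means all present."""
    blocks = parse_blocks(config)
    findings: List[str] = []
    domain = next((k for k in blocks if k.startswith("vpc domain ")), None)
    if domain is None:
        return ["no vpc domain configured"]
    lines = blocks[domain]

    def has(prefix: str) -> bool:
        return any(l.startswith(prefix) for l in lines)

    keepalive = next((l for l in lines if l.startswith("peer-keepalive ")), None)
    if keepalive is None:
        findings.append("peer-keepalive not configured (must exist before the peer-link comes up)")
    else:
        m = re.search(r"\bvrf\s+(\S+)", keepalive)
        if m is None or m.group(1).lower() in ("management", "default"):
            findings.append("peer-keepalive should use a dedicated VRF, not management/default")
    for cmd, label in [("peer-gateway", "vPC peer-gateway"),
                       ("ip arp synchronize", "vPC ARP sync"),
                       ("delay restore", "delay restore"),
                       ("auto-recovery", "vPC auto-recovery")]:
        if not has(cmd):
            findings.append(f"{label} not enabled in {domain}")
    if has("auto-recovery") and not has("auto-recovery reload-delay"):
        findings.append("auto-recovery reload-delay not set")
    if has("no graceful consistency-check"):
        findings.append("graceful type-1 consistency check is disabled")
    # The peer link is the port channel carrying "vpc peer-link"; it should prune VLANs.
    peer_links = [k for k, v in blocks.items()
                  if k.startswith("interface port-channel") and "vpc peer-link" in v]
    if not peer_links:
        findings.append("no port-channel carries vpc peer-link")
    for k in peer_links:
        if not any(l.startswith("switchport trunk allowed vlan") for l in blocks[k]):
            findings.append(f"{k}: allowed VLAN list not pruned on the peer-link")
    return findings


WEAK_VPC = """
vpc domain 10
  role priority 10
  peer-keepalive destination 10.255.0.2 source 10.255.0.1
  peer-gateway
!
interface port-channel1
  switchport mode trunk
  vpc peer-link
"""

HARDENED_VPC = """
vrf context VPC-KEEPALIVE
vpc domain 10
  role priority 10
  peer-keepalive destination 10.255.0.2 source 10.255.0.1 vrf VPC-KEEPALIVE
  delay restore 150
  peer-gateway
  auto-recovery reload-delay 240
  ip arp synchronize
!
interface port-channel1
  switchport mode trunk
  switchport trunk allowed vlan 10-20,100
  vpc peer-link
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_VPC), ("hardened", HARDENED_VPC)):
        print(name, check_vpc(cfg) or ["ok"])
```

The weak config yields five findings (keepalive in the management VRF, no ARP sync, no delay restore, no auto-recovery, unpruned peer link); the hardened one yields none. Member-port consistency across the two peers and the vPC-ID-equals-port-channel-ID convention need both switches' configs and are deliberately not covered here.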