Want to know what subnets are being discovered/learned off a specific interface? Use the show ip cef [interface] command:

wan-gw1#show ip cef ser2/0
0.0.0.0/0
nexthop 10.129.23.65 Serial2/0
10.16.0.0/12
nexthop 10.129.23.65 Serial2/0
10.32.0.0/16
nexthop 10.129.23.65 Serial2/0
.....Lines omitted for brevity

Just that simple, just remember the purpose of CEF, if you forgot, read: Cisco IP CEF Overview

Let’s just get down to business, we all use it but few of us understand what any of it means. The documentation is a little, well, complicated for some people so I aim to give you a better understanding of the Cisco configuration register, also known as the config register or config-reg.

No doubt every engineer has their own twist on coding something to better automate configurations and deployment on networks; however, with the ever increasing pace of release changes to current software sets installed on some vendors’ hardware, the workload to keep your scripts updated can become your full time job. There will always be two schools of engineer: the home brew and the purchased software schools, each one with their own compelling reason to use the other and why the other is wrong. I, personally, prefer the purchased software route with a small dash of home brew scripts to accomplish my job, very small. I’ll outline some experiences I’ve had in the past where moving towards the use of purchased software solved the many problems the home brew scripts were giving us, and how a small, but powerful, set of home brew scripts gave us complete control over the network from building, deploying, operating, and debugging.

I recently was watching a CBTNuggets video when I heard mention that you could use a careful wildcard mask to select odd or even numbered subnets for route advertisement; however, I noticed there was something off about the comment and investigated a little deeper.

We’re continuously taught early in our networking careers that wildcard masks end at byte boundaries or need to be consecutive 1s and 0s; however, this is merely a teaching tool and not so much the case in real life. A wildcard mask in an ACL selects routes based on which bit positions must line up to match. Just remember that where you have a 0 the bit must match, and where you have a 1 the bit doesn’t need to match, the “I don’t care” bit.

Now, let’s get down to an example you’ve probably seen: You need to only redistribute odd number routes from one protocol to another using a distribute-list that references an ACL.

Let’s say we have: 10.0.[0-20].0/24 and these networks are the ones in question. You only want to select the odd number ranges to be redistributed. Let’s look at this from a binary perspective to see what all the odd numbers have in common in the third octet:

10.0.1.0/24  = 00000001
10.0.3.0/24  = 00000011
10.0.5.0/24  = 00000101
10.0.17.0/24 = 00010001
10.0.19.0/24 = 00010011

Notice that in the odd numbers the only bit that stays the same is the last bit; all the others are changing. Now, here is an interesting concept which may blow your mind, but we’ll move back to the old way from when you were probably learning subnetting:

128|64|32|16|8|4|2|1

Now, you can add up any of those numbers except the last bit (1) and you’ll always have an even number; however, use the last bit and you have an odd number, always. So, what is the wildcard mask, you ask? Not 00000001 (0.0.1.0) like some people will tell you; in fact that is quite the opposite, because you’re saying you don’t care about the last bit, it can be whatever, even or odd in the third octet. Instead, your wildcard mask looks like this:

00000000.00000000.11111110.00000000 = 0.0.254.0 – The last bit in the third octet must always be the same from the start.

How does that work you ask? Quite simple, when you setup your ACL the key point isn’t so much the wildcard mask, it is the starting subnet you reference in the ACL:

10.0.1.0 0.0.254.0 = Will match all odd number subnets
10.0.0.0 0.0.254.0 = Will match all even number subnets

Why? Take a peek at the binary in the third octet:

10.0.1.0  = 00000001
0.0.254.0 = 11111110

You see the last bit is one and must remain the same. What about even?

10.0.0.0  = 00000000
0.0.254.0 = 11111110

Now, the last bit is zero, meaning any combination of bits used before it will always equal even numbers. How is this still all possible you ask? Well, we’re using standard ACLs, so we’re only referencing the host/source as a “starting point”. Think not of ACLs as “networks” but a tool which takes the portion you set in the “network” portion as a starting point to begin processing against the wildcard mask.
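To make the bit-by-bit matching above concrete, here is an added example (my own code, not from the original post) that evaluates a standard ACL entry the way the text describes: a 0 bit in the wildcard must match the reference address, a 1 bit is ignored. It runs the three masks discussed (10.0.1.0 0.0.254.0, 10.0.0.0 0.0.254.0, and the mistaken 0.0.1.0) over the constructed set of subnets 10.0.[0-20].0/24 so you can see exactly which third octets each one selects.

```python
"""Added example: evaluate 'address wildcard' ACL entries bit-for-bit.

Wildcard semantics (Cisco style): wildcard bit 0 = candidate bit must equal the
reference bit; wildcard bit 1 = don't care. The subnet list is constructed to
mirror the post's 10.0.[0-20].0/24 example.
"""
import ipaddress

# Constructed sample: the network addresses of 10.0.0.0/24 through 10.0.20.0/24.
SUBNETS = [f"10.0.{n}.0/24" for n in range(0, 21)]


def acl_match(candidate: str, ace_address: str, wildcard: str) -> bool:
    """Return True if `candidate` matches the ACE `ace_address wildcard`."""
    c = int(ipaddress.IPv4Address(candidate))
    a = int(ipaddress.IPv4Address(ace_address))
    w = int(ipaddress.IPv4Address(wildcard))
    care_bits = 0xFFFFFFFF ^ w          # 1 where the wildcard says "must match"
    return (c & care_bits) == (a & care_bits)


def matched_subnets(ace_address: str, wildcard: str, subnets=SUBNETS) -> list:
    """Subnets (as 'a.b.c.d/len' strings) whose network address matches the ACE."""
    return [s for s in subnets if acl_match(s.split("/")[0], ace_address, wildcard)]


def third_octets(ace_address: str, wildcard: str, subnets=SUBNETS) -> list:
    """Just the third octets of the matched subnets, for easy reading."""
    return [int(s.split(".")[2]) for s in matched_subnets(ace_address, wildcard, subnets)]


def binary_third_octet(address: str) -> str:
    """The third octet of `address` as an 8-bit string, as the post lays it out."""
    return format(int(address.split(".")[2]), "08b")


if __name__ == "__main__":
    for ace, wc in (("10.0.1.0", "0.0.254.0"), ("10.0.0.0", "0.0.254.0"), ("10.0.1.0", "0.0.1.0")):
        print(f"{ace} {wc:<10} -> third octets {third_octets(ace, wc)}")
```

The third run shows why 0.0.1.0 is the wrong mask: with seven "must match" bits in the third octet it selects only 10.0.0.0/24 and 10.0.1.0/24, not every odd network. That kind of off-by-one in a distribute-list or filter ACL silently leaks or drops routes, so it is worth checking the match set before applying the list.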

Just a quick tip for those looking. If you’re using 6.X code you can use the F2E for an internal OTV interface. You can actually get control plane traffic between two devices using an F2E, and you’ll see the MAC addresses in the output of show otv route; however, no encapsulation will occur. You will need to get an M-series card to perform OTV in a Nexus chassis.

Let me start with something from a distant memory. I knew a principal of a school and I asked “What qualifications does a person need to be a principal”? I remember the answer was “just a master’s degree” and I responded “no experience needed?” and he replied “yes, but that creates problems because principals with no experience teaching have high turnover, low morale, and have pitiful results in their school”. It was then and there I knew one thing mattered most to me over anything, experience and a variety of it; however, this “variety” can harm and help you at the same time, it just depends on how you go about it and that brings me into a new chapter into my life…

MPLS, an acronym thrown around my field, some understand it and others just say it to look smarter than they really are. Either way, very few people will ever touch the actual configuration on the service provider (SP) side and will only interface from a CE (Customer Equipment) side. I will give a very brief overview of the three most common types and their generic terms.

  • L3VPN MPLS Private IP – This is a layer 3 solution where you are given a private, RFC1918 address to peer with the SP PE (Provider Equipment). Most of the time you’ll want to peer with OSPF, if available, or more likely BGP, to exchange routes between sites.
  • L3VPN MPLS Public IP – Same as above, with public IP addresses provided either by the SP or from your own block if you happen to own one; however, the latter has considerable design work attributed to it and most don’t resort to this option. You’re likely to find more L3VPN MPLS with private IP.
  • L2VPN VPLS – This service, very popular with people who can manage their own infrastructure responsibly, creates a WAN solution which appears as if all your offices are on one big ole VLAN/broadcast domain. In this scenario you can connect at layer 2 and span your broadcast domain or, like most implementations you’ll see, connect using a layer 3 interface and peer with a dynamic routing protocol like OSPF.

There are lots of design considerations to be taken into account when building your MPLS cloud, each with its own little issues and “kinks” to iron out; however, DO NOT choose loosely. Building a fully meshed MPLS requires considerable thought about how your network works today and how you plan on running it in the future. Take it from my experience in having to migrate a global network from a L3VPN solution with 60+ static routes to a VPLS based solution using OSPF: the road to get there is painful and frustrating.

For those of you who are wondering how to bill for a COTA’s time against NC Medicaid, you will use the supervising OT NPI on the billing; however, you must be in coordination with the NCBOT supervision found here: .

All Cisco switches by default have PVST+ as their spanning-tree protocol (mode). PVST+ is Cisco proprietary and, in my humble opinion, should never be used in a production environment. The alternatives are: RPVST and MST. In a basic 1-3 VLAN network with little to no knowledge of spanning-tree you should run RPVST (802.1w) and be done with it. However, if you have a lot of VLANs and/or you need to ensure you’re not over utilizing the CPU resources, you should use MST (802.1s).

MST (802.1s) is called Multiple instances of Spanning-Tree Protocol and actually relies on RPVST to run inside each instance. MST runs in instances (think of them as groups) and in those instances you can map as many VLANs as you want; thus, you reduce the number of RPVST processes running. For example, in RPVST if you have 10 VLANs, you will have 10 instances of RPVST running, one per VLAN. However, in MST, if you have 10 VLANs grouped into only one instance, there is only one instance running, not 10.

MST is powerful because it reduces the CPU cycles used for spanning-tree operations, but it can also be used to create multiple paths for groups of VLANs. Configuring MST is simple and requires only a few things to be configured, which I will show here:

spanning-tree mode mst

spanning-tree mst configuration
name SOMENAMEGOESHERE
revision 1
instance 1 vlan 1-4094

spanning-tree mst 0-1 priority 4096

For the breakdown:

  • spanning-tree mode mst – Turns on MST as the spanning-tree mode
  • spanning-tree mst configuration – Places you into MST subconfiguration menu
  • name – The name is case sensitive and must match on ALL switches
  • revision 1 – This sets the revision number, which must match across ALL switches, any number will do
  • instance 1 vlan 1-4094 – This maps all the VLANs to instance (group) #1, taking them out of the default IST instance 0
  • spanning-tree mst 0-1 priority 4096 – This sets the priority of both the IST (0) and instance 1 to 4096 to ensure it is always the root bridge

By default two instances are started: IST (Internal Spanning-tree) and CST (Common instance Spanning-tree); however, these are commonly viewed as just one instance, CIST. Basically, CIST interacts with other “modes” of spanning tree and is ALWAYS active on access and trunk ports. You can review the details here.
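Because the region name, revision and VLAN-to-instance mapping must be identical on every switch, a mismatch quietly splits the switches into separate MST regions. Here is an added example (my own code, not from the original post) that parses the spanning-tree mst configuration block out of several running configs and reports any switch whose region parameters differ from the first one. The hostnames and configs are constructed for the example.

```python
"""Added example: check that several switches agree on their MST region.

A switch joins a region only if name, revision and VLAN->instance mapping
match exactly (name is case sensitive). Configs below are constructed.
"""
import re

# Constructed sample running-config fragments, hostname -> config text.
# ACCESS1 has a lower-case region name and ACCESS2 a different revision.
SAMPLE_CONFIGS = {
    "CORE1": "spanning-tree mode mst\nspanning-tree mst configuration\n name CAMPUS\n revision 1\n instance 1 vlan 1-4094\n!\nspanning-tree mst 0-1 priority 4096\n",
    "CORE2": "spanning-tree mode mst\nspanning-tree mst configuration\n name CAMPUS\n revision 1\n instance 1 vlan 1-4094\n!\n",
    "ACCESS1": "spanning-tree mode mst\nspanning-tree mst configuration\n name campus\n revision 1\n instance 1 vlan 1-4094\n!\n",
    "ACCESS2": "spanning-tree mode mst\nspanning-tree mst configuration\n name CAMPUS\n revision 2\n instance 1 vlan 1-4094\n!\n",
}


def expand_vlans(spec: str) -> set:
    """Expand an IOS VLAN list such as '1-4094' or '10,20,30-40' into a set."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_mst_config(running_config: str) -> dict:
    """Extract name, revision and instance->set(vlans) from a running config."""
    result = {"name": None, "revision": None, "instances": {}}
    in_block = False
    for raw in running_config.splitlines():
        line = raw.strip()
        if line == "spanning-tree mst configuration":
            in_block = True
            continue
        if not in_block:
            continue
        m = re.match(r"(name|revision|instance)\s+(.+)", line)
        if not m:
            in_block = False  # any other line ('!' or a new command) ends the sub-mode
            continue
        key, rest = m.groups()
        if key == "name":
            result["name"] = rest
        elif key == "revision":
            result["revision"] = int(rest)
        else:
            inst, _, vlan_spec = rest.partition(" vlan ")
            result["instances"][int(inst)] = expand_vlans(vlan_spec)
    return result


def region_mismatches(configs: dict) -> list:
    """Return (hostname, field, value) for every field that differs from the first switch."""
    parsed = {host: parse_mst_config(cfg) for host, cfg in configs.items()}
    _, reference = next(iter(parsed.items()))
    problems = []
    for host, p in parsed.items():
        for field in ("name", "revision", "instances"):
            if p[field] != reference[field]:
                problems.append((host, field, p[field]))
    return problems


if __name__ == "__main__":
    for host, field, value in region_mismatches(SAMPLE_CONFIGS):
        print(f"{host}: {field} differs -> {value!r}")
```

Switches compare the mapping table as a digest rather than as a list, but comparing the expanded sets gives the same verdict. Running this against configs pulled from every switch before a cutover is a cheap way to avoid the classic "why is there a second region" surprise.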

This brief introduction will end with the output of the command: show spanning-tree mst

Core-Switch-01#sh spanning-tree mst

##### MST0 vlans mapped: none
Bridge address 1833.9da2.5700 priority 4096 (4096 sysid 0)
Root this switch for the CIST
Operational hello time 2 , forward delay 4 , max age 6 , txholdcount 6
Configured hello time 2 , forward delay 4 , max age 6 , max hops 20

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa1/0/1 Desg FWD 200000 128.3 P2p
Fa1/0/2 Desg FWD 200000 128.4 P2p
Fa1/0/3 Desg FWD 200000 128.5 P2p
Fa1/0/4 Desg FWD 200000 128.6 P2p
Fa1/0/5 Desg FWD 200000 128.7 P2p
Fa1/0/6 Desg FWD 200000 128.8 P2p
Fa1/0/9 Desg FWD 200000 128.11 P2p
Fa1/0/12 Desg FWD 200000 128.14 P2p
Fa1/0/22 Desg FWD 200000 128.24 P2p
Fa1/0/23 Desg FWD 200000 128.25 P2p
Fa1/0/24 Desg FWD 200000 128.26 P2p

##### MST1 vlans mapped: 1-4094
Bridge address 1833.9da2.5700 priority 4097 (4096 sysid 1)
Root this switch for MST1

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa1/0/1 Desg FWD 200000 128.3 P2p
Fa1/0/2 Desg FWD 200000 128.4 P2p
Fa1/0/3 Desg FWD 200000 128.5 P2p
Fa1/0/4 Desg FWD 200000 128.6 P2p
Fa1/0/5 Desg FWD 200000 128.7 P2p
Fa1/0/6 Desg FWD 200000 128.8 P2p
Fa1/0/9 Desg FWD 200000 128.11 P2p
Fa1/0/12 Desg FWD 200000 128.14 P2p
Fa1/0/22 Desg FWD 200000 128.24 P2p
Fa1/0/23 Desg FWD 200000 128.25 P2p
Fa1/0/24 Desg FWD 200000 128.26 P2p

Notice that MST0 has no VLANs mapped but is still active on all the same ports listed in MST1. Also notice that it says “Root this switch for the CIST”.

Yup, they have something similar now, here is the skinny:


archive
path flash1:
maximum 14

Now, before you make a change, issue this command:


configure terminal revert timer <1-120> <--- in minutes

Go ahead and make your changes; if you get disconnected, the configuration will be rolled back after the amount of time you selected.

If the configuration works and you want to commit the changes:


configure confirm

That's all folks, a "commit confirmed" for Cisco IOS.