Posts Tagged ‘Cisco’

Much like on a firewall, you can create object groups on Nexus (NX-OS) and reference them when you implement ACLs:


object-group ip address {OBJECTNAME}
{subnet/mask}
{subnet/mask}
{subnet/mask}...
exit

ip access-list {ACL_NAME}
permit ip addrgroup {OBJECTNAME} {destination}

Makes life simple, huh? What about showing an access-list that was configured with an object group? show access-lists {ACL_NAME} (and its summary form) only shows the addrgroup reference, not the addresses behind it; to see the individual entries the group expands into (and therefore how many ACEs it really costs you), you need to "expand" it:

show access-lists {ACL_NAME} expanded
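As an added example (not from the original post), here is a small Python script that does what the expanded form of the command does: it reads an NX-OS-style config containing object groups, substitutes every addrgroup reference with its members, and returns the flat entry list, so you can see how many ACEs a few addrgroup lines really turn into. The object groups, ACL name and entries in SAMPLE_CONFIG are constructed for this example, and parse_config only understands the handful of commands used here.

```python
"""Expand NX-OS object-group references in an ACL into flat entries.

Mimics `show access-lists NAME expanded`: every 'addrgroup NAME' token is
replaced by each member of the group, one entry per combination.
"""
import ipaddress
import re
from itertools import product

# Constructed sample config: two address groups and one ACL that uses them.
SAMPLE_CONFIG = """\
object-group ip address MGMT_HOSTS
  10.10.1.0/24
  10.10.2.0/24
  host 192.168.100.5
exit
object-group ip address DC_SERVERS
  10.50.0.0/16
  10.60.0.0/16
exit
ip access-list MGMT_TO_DC
  10 permit tcp addrgroup MGMT_HOSTS addrgroup DC_SERVERS eq 22
  20 permit ip addrgroup MGMT_HOSTS any
  30 deny ip any any
"""


def parse_config(text):
    """Return (groups, acls): group name -> [networks], ACL name -> [ACE strings]."""
    groups, acls = {}, {}
    current = None  # ("group", name) or ("acl", name) while inside a block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "exit":
            current = None
            continue
        m = re.match(r"object-group ip address (\S+)", line)
        if m:
            current = ("group", m.group(1))
            groups[current[1]] = []
            continue
        m = re.match(r"ip access-list (\S+)", line)
        if m:
            current = ("acl", m.group(1))
            acls[current[1]] = []
            continue
        if current is None:
            continue
        kind, name = current
        if kind == "group":
            # "host a.b.c.d" is a /32; anything else is expected as prefix/len
            net = line[5:] + "/32" if line.startswith("host ") else line
            groups[name].append(ipaddress.ip_network(net, strict=False))
        else:
            acls[name].append(line)
    return groups, acls


def expand_acl(acl_entries, groups):
    """Replace every 'addrgroup NAME' with each member; one entry per combination."""
    expanded = []
    for entry in acl_entries:
        tokens = entry.split()
        slots = [i for i, t in enumerate(tokens) if t == "addrgroup"]
        if not slots:
            expanded.append(entry)
            continue
        choices = []
        for i in slots:
            name = tokens[i + 1]
            if name not in groups:
                raise ValueError(f"ACL references undefined object-group {name}")
            choices.append([str(n) for n in groups[name]])
        for combo in product(*choices):
            out = list(tokens)
            # Substitute from the right so earlier token indexes stay valid.
            for i, member in sorted(zip(slots, combo), reverse=True):
                out[i:i + 2] = [member]
            expanded.append(" ".join(out))
    return expanded


def expanded_acl(text=SAMPLE_CONFIG, name="MGMT_TO_DC"):
    """Parse the config and return the expanded entries of one ACL."""
    groups, acls = parse_config(text)
    return expand_acl(acls[name], groups)


if __name__ == "__main__":
    for ace in expanded_acl():
        print(ace)
```

With the sample above, the single sequence-10 line becomes six entries (three sources times two destinations), which is the growth the expanded view makes visible before you find out from the hardware.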


Why do VTP in the data center? I have absolutely no explanation for this; it is generally just a bad idea to use VTP to begin with. Perhaps "easy" is one argument, but look at the problems you face with it:

  • A rogue (or simply re-used) switch that joins the domain with a higher configuration revision number overwrites the VLAN database on every server and client switch, deleting VLANs and taking down every port in them
  • In VTP server and client mode the VLAN database lives in vlan.dat on flash, not in the startup-config, so config backups and show startup-config don't capture it
  • A rogue switch plugged into a trunk receives the VTP advertisements and learns the full VLAN list, useful reconnaissance for an inside attack

In a data center you expect a highly available, reliable, and secure computing environment, and that is something VTP simply doesn't offer. Look at the Nexus lineup: VTP is disabled by default and has to be enabled as a feature before it does anything. What a great concept, finally! If you can't get rid of it, at least put every switch in VTP transparent mode before it touches the network, so it cannot advertise anything into the domain. I'll go ahead and just say it: if you're using VTP in the data center, you're just being lazy.


Want to know which prefixes are forwarded out a specific interface, i.e. which FIB entries have their next hop through it? Use show ip cef [interface]:

wan-gw1#show ip cef ser2/0
0.0.0.0/0
nexthop 10.129.23.65 Serial2/0
10.16.0.0/12
nexthop 10.129.23.65 Serial2/0
10.32.0.0/16
nexthop 10.129.23.65 Serial2/0
.....Lines omitted for brevity

Just that simple. Just remember what CEF is: the FIB built from the routing table, so this is forwarding state (prefixes with a next hop out that interface), not something "learned" from the interface. If you forgot, read: Cisco IP CEF Overview
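As an added example (not from the original post), the following Python parses output in the shape shown above and then does the lookup the FIB does: longest-prefix match of a destination against the entries, returning the next hop and interface. The sample output in SHOW_IP_CEF_SER2_0 is constructed for this example (it adds a more specific /24 with a different next hop to make the longest-match behaviour visible), and the parser only understands the two line types shown.

```python
"""Parse `show ip cef <interface>` output and do a CEF-style longest-prefix match."""
import ipaddress
import re

# Constructed sample in the same format IOS prints: prefix line, then nexthop line.
SHOW_IP_CEF_SER2_0 = """\
0.0.0.0/0
  nexthop 10.129.23.65 Serial2/0
10.16.0.0/12
  nexthop 10.129.23.65 Serial2/0
10.32.0.0/16
  nexthop 10.129.23.65 Serial2/0
10.32.5.0/24
  nexthop 10.129.23.66 Serial2/0
"""


def parse_cef(text):
    """Return a list of (network, nexthop_ip, interface) tuples."""
    entries = []
    prefix = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("....."):  # skip blanks and "Lines omitted"
            continue
        m = re.fullmatch(r"(\d+\.\d+\.\d+\.\d+/\d+)", line)
        if m:
            prefix = ipaddress.ip_network(m.group(1), strict=False)
            continue
        m = re.fullmatch(r"nexthop (\S+) (\S+)", line)
        if m and prefix is not None:
            entries.append((prefix, ipaddress.ip_address(m.group(1)), m.group(2)))
    return entries


def lookup(entries, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, nexthop, interface in entries:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, interface)
    return best


def fib_lookup(dst, text=SHOW_IP_CEF_SER2_0):
    """Parse the sample and return (prefix, nexthop, interface) as strings, or None."""
    hit = lookup(parse_cef(text), dst)
    return None if hit is None else (str(hit[0]), str(hit[1]), hit[2])


if __name__ == "__main__":
    for target in ("10.32.5.7", "10.32.9.1", "10.20.0.1", "192.0.2.1"):
        print(target, "->", fib_lookup(target))
```

The two 10.32.x.x targets land on different next hops even though both match 10.32.0.0/16, which is the point of the lookup: the /24 wins because it is longer, not because it appears later in the output.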


Let’s just get down to business: we all use it, but few of us understand what any of it means. The documentation is a little, well, complicated for some people, so I aim to give you a better understanding of the Cisco configuration register, also known as the config register or config-reg. Read the rest of this entry »


No doubt every engineer has their own twist on coding something to better automate configuration and deployment on networks; however, with the ever-increasing pace of release changes to the software installed on some vendors’ hardware, keeping your scripts updated can become a full-time job. There will always be two schools of engineer, the home-brew school and the purchased-software school, each with its own compelling reasons for its approach and for why the other is wrong. I, personally, prefer the purchased-software route with a small dash of home-brew scripts to accomplish my job, very small. I’ll outline some experiences I’ve had in the past where moving to purchased software solved the many problems our home-brew scripts were giving us, and how a small but powerful set of home-brew scripts gave us complete control over the network: building, deploying, operating, and debugging. Read the rest of this entry »


All Cisco switches default to PVST+ as their spanning-tree mode. PVST+ is Cisco proprietary and, in my humble opinion, should never be used in a production environment. The alternatives are Rapid PVST+ and MST. In a basic 1-3 VLAN network with little to no spanning-tree expertise on hand, run Rapid PVST+ (Cisco’s per-VLAN implementation of 802.1w RSTP) and be done with it. However, if you have a lot of VLANs and/or you need to keep spanning-tree from over-utilizing the CPU, use MST (802.1s).

MST (802.1s) stands for Multiple Spanning Tree and runs RSTP (802.1w) inside each instance. MST runs in instances (think of them as groups), and an instance can have as many VLANs mapped to it as you want; thus you reduce the number of spanning-tree processes running. For example, with Rapid PVST+ and 10 VLANs you have 10 spanning-tree instances, one per VLAN. With MST and those 10 VLANs grouped into one instance, there is only one instance running, not 10.

MST is powerful because it reduces the CPU cycles spent on spanning-tree, and it can also be used to create multiple paths by mapping different groups of VLANs to different instances with different root bridges. Configuring it is simple and requires only a few things, which I will show here:


spanning-tree mode mst

spanning-tree mst configuration
name SOMENAMEGOESHERE
revision 1
instance 1 vlan 1-4094

spanning-tree mst 0-1 priority 4096

For the breakdown:

  • spanning-tree mode mst – Turns on MST as the spanning-tree mode
  • spanning-tree mst configuration – Places you in the MST sub-configuration mode
  • name – The region name; it is case sensitive and must match on ALL switches in the region
  • revision 1 – Sets the revision number, which must also match across ALL switches in the region; any number will do, it is not incremented automatically
  • instance 1 vlan 1-4094 – Maps all the VLANs to instance (group) #1, taking them out of the default IST, instance 0
  • spanning-tree mst 0-1 priority 4096 – Sets the priority of both the IST (0) and instance 1 to 4096 (the default is 32768, lowest wins) to ensure this switch is always the root bridge

Name and revision are two of the three things that identify an MST region; the third is the VLAN-to-instance mapping itself, which switches carry in their BPDUs as an MD5 digest of the whole table. Two switches with the same name and revision but a different mapping are in different regions, so keep all three in sync; show spanning-tree mst configuration digest shows the digest a switch has computed.

Instance 0 is the IST (Internal Spanning Tree). It runs inside the region and also represents the whole region as one virtual bridge to the CST (Common Spanning Tree) that connects regions and non-MST switches; together the IST and CST are referred to as the CIST, which is how the output below reports it. The CIST is what interacts with other “modes” of spanning tree and is ALWAYS active on access and trunk ports, which is why instance 0 appears on every port even with no VLANs mapped to it.

This brief introduction will end with the output of the command: show spanning-tree mst

Core-Switch-01#sh spanning-tree mst

##### MST0 vlans mapped: none
Bridge address 1833.9da2.5700 priority 4096 (4096 sysid 0)
Root this switch for the CIST
Operational hello time 2 , forward delay 4 , max age 6 , txholdcount 6
Configured hello time 2 , forward delay 4 , max age 6 , max hops 20

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa1/0/1 Desg FWD 200000 128.3 P2p
Fa1/0/2 Desg FWD 200000 128.4 P2p
Fa1/0/3 Desg FWD 200000 128.5 P2p
Fa1/0/4 Desg FWD 200000 128.6 P2p
Fa1/0/5 Desg FWD 200000 128.7 P2p
Fa1/0/6 Desg FWD 200000 128.8 P2p
Fa1/0/9 Desg FWD 200000 128.11 P2p
Fa1/0/12 Desg FWD 200000 128.14 P2p
Fa1/0/22 Desg FWD 200000 128.24 P2p
Fa1/0/23 Desg FWD 200000 128.25 P2p
Fa1/0/24 Desg FWD 200000 128.26 P2p

##### MST1 vlans mapped: 1-4094
Bridge address 1833.9da2.5700 priority 4097 (4096 sysid 1)
Root this switch for MST1

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa1/0/1 Desg FWD 200000 128.3 P2p
Fa1/0/2 Desg FWD 200000 128.4 P2p
Fa1/0/3 Desg FWD 200000 128.5 P2p
Fa1/0/4 Desg FWD 200000 128.6 P2p
Fa1/0/5 Desg FWD 200000 128.7 P2p
Fa1/0/6 Desg FWD 200000 128.8 P2p
Fa1/0/9 Desg FWD 200000 128.11 P2p
Fa1/0/12 Desg FWD 200000 128.14 P2p
Fa1/0/22 Desg FWD 200000 128.24 P2p
Fa1/0/23 Desg FWD 200000 128.25 P2p
Fa1/0/24 Desg FWD 200000 128.26 P2p

Notice that MST0 has no VLANs mapped but is still active on all the same ports listed in MST1, and that for MST0 it says “Root this switch for the CIST” rather than for MST0: instance 0 is the region’s representative to the outside, so being root there means being root of the CIST. Also note the priority: MST1 shows 4097, which is the configured 4096 plus the instance number 1 carried in the system ID extension.
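As an added example (not from the original post), here is a Python script that computes the MST configuration digest for a VLAN-to-instance mapping and compares two switches’ region identifiers (name, revision, mapping). The digest is HMAC-MD5 over the 4096-entry table of two-octet instance numbers, indexed by VLAN ID, with the fixed key IEEE 802.1Q specifies for the MST Configuration Identifier; the key constant and table layout below are taken from that standard, and the switch records (POST_CONFIG and the peer built from it) are constructed for this example. The value it produces for a given mapping should match what show spanning-tree mst configuration digest reports on a switch configured the same way, which is the check to run before you cut a second switch over.

```python
"""MST region identity check: name, revision and configuration digest must all match."""
import hmac
import struct

# HMAC-MD5 key from IEEE 802.1Q (MST Configuration Identifier).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# Constructed record mirroring the post's config: one instance holding every VLAN.
POST_CONFIG = {"name": "SOMENAMEGOESHERE", "revision": 1, "instances": {1: "1-4094"}}


def parse_vlan_list(spec):
    """Turn '1-4094' or '10,20,30-40' (IOS-style) into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def build_table(instance_map):
    """4096 two-octet big-endian entries indexed by VID; unmapped VIDs stay in instance 0."""
    table = [0] * 4096
    for instance, spec in instance_map.items():
        for vid in parse_vlan_list(spec):
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN {vid} out of range")
            if table[vid] != 0:
                raise ValueError(f"VLAN {vid} mapped to more than one instance")
            table[vid] = instance
    return struct.pack("!4096H", *table)


def mst_digest(instance_map):
    """Return the 16-byte configuration digest as uppercase hex, as IOS displays it."""
    return hmac.new(MST_DIGEST_KEY, build_table(instance_map), "md5").hexdigest().upper()


def same_region(a, b):
    """Two switches share an MST region only if name, revision and digest all match."""
    ident = lambda s: (s["name"], s["revision"], mst_digest(s["instances"]))
    return ident(a) == ident(b)


if __name__ == "__main__":
    print("post config digest:", mst_digest(POST_CONFIG["instances"]))
    print("default (all VLANs in IST) digest:", mst_digest({}))
    # Same name and revision, but a typo leaves VLAN 4094 in instance 0.
    peer = dict(POST_CONFIG, instances={1: "1-4093"})
    print("peer in same region:", same_region(POST_CONFIG, peer))
```

The peer in the usage block would pass a glance at name and revision and still end up in its own region, which is exactly the failure that shows up as an unexpected CIST boundary and a blocked port rather than as a configuration error.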


Yup, Cisco IOS now has something similar to Junos’s commit confirmed; here is the skinny. First make sure the archive feature is configured, since rollback needs a saved copy to return to:


archive
path flash1:
maximum 14

Now, before you make a change, arm the revert timer:


configure terminal revert timer <1-120> <--- in minutes

Go ahead and make your changes. If the timer expires before you confirm, whether because you got disconnected, locked yourself out, or just forgot, IOS rolls the running configuration back to the copy it archived when you armed the timer.

If the configuration works and you want to commit the changes:


configure confirm

That's all folks, a "commit confirmed" for Cisco IOS. If you know right away that the change is bad, configure revert now rolls back immediately instead of waiting for the timer.


From: 9 Immutable Laws of Network Design – Let’s keep it simple: this is opinion, not law. Network design is network design, and each person will have their own view on how to build networks. To call them immutable laws is arrogant and only tells people you’re stuck in your ways, and if you stand still you’re falling behind. Read the rest of this entry »


Recently I have noticed a lot of confusion among people when configuring and forming port-channels on Cisco IOS equipment. I had someone recently say, “Just configure the trunking commands under the interfaces and it’ll work.” Now, while this will work, it is more or less a hack. A port-channel/EtherChannel is a logical interface holding configuration parameters which are absorbed into the physical interface configuration when you put a physical interface into the channel-group. The following describes how I set up EtherChannel successfully each time, every time: Read the rest of this entry »


I see a lot of confusion about the Type-4 LSA and what it does. The confusion is greatest in the CCNA world, because little is explained about it and one might think it is useless; however, it matters when you’re learning or doing route redistribution into OSPF with External type-2 routes and multiple ASBRs redistributing the same external routes. Read the rest of this entry »