Sunday, January 2, 2011

Understanding Nexus - Part 22 - OTV

One of my favourite parts of NX-OS is OTV. It’s a very elegant technology used to extend an L2 domain across your different Data Center (DC) locations.

But the question arises: “Why do you need to extend this L2 domain? Why can’t we work with L3?” Ohhh… you should not ask this of a Network Engineer :-) because it’s an application requirement. :-D

Certain applications in the DC do not have the ability to work over L3. They need to maintain L2 connectivity between the various servers on which the application is running… Going forward, if you need to expand your application, you may need some extra servers. Now where will you deploy these servers? The obvious answer is “In the SAME DC”… but do you have enough space in your DC to add a new server? Do you have enough power and cooling capacity?

Well, if your answer is NO, then you need a different location. When you add another location to your DC, you need communication between the two. Again, if your application supports L3 then no problem… But what if it doesn’t? Then you need your L2 domain to be extended.

There are many technologies which support this, but each has its own pros & cons. Compared to the others, OTV adds many advantages for extending L2. The best one is its simplicity: you deploy OTV on the edge devices in each site, and OTV requires no other changes to the sites or the network.

To understand OTV, there is a great video from Cisco, which explains the fundamentals of OTV. Do have a look at it.



OTV is Overlay Transport Virtualization. OTV is a MAC-in-IP method that extends Layer 2 connectivity across a network. It uses MAC address-based routing and IP-encapsulated forwarding. For MAC-based routing it uses IS-IS internally, but you absolutely don’t need to do anything with IS-IS yourself.

OTV does not extend STP across sites. Each site runs its own STP.

Okk… that’s it for now. We will continue discussing OTV in the next few blogs too. Till then, bye, and wish you a very happy new Tech-Year.

Wednesday, December 22, 2010

Understanding Nexus - Part 21 - VDC

Many of you might be wondering what Cisco VDC is. Some of you might already be aware of what it is, but still it's good to understand the concept of VDC. I will try here to explain a few things about VDC.

Cisco VDC is nothing but the Virtual Device Context. With this you can create a separate device running on the very same physical box. It's just like creating a virtual machine on your PC with VMware.

To understand it better, just imagine your Windows PC. You want to create a new virtual machine on that PC. Now what will you do? You will install VMware Player, run it and create a new virtual PC. You will assign some of your CPU, DRAM memory and hard-disk space to the new machine and install an OS in it. That's it.

In the same way, you have a Cisco Nexus switch. It runs NX-OS, which has this virtualization built in; or you can say, the "VMware" of our analogy is available in NX-OS by default. So now, you just have to create a new switch. The beautiful thing here is, you don't have to assign any resources like CPU, memory etc. The only thing you need to assign is your network interfaces on the Nexus box. That's it!!! A new VDC is created.

By default, NX-OS shares its kernel among all the virtual boxes. On top of the kernel, you have various processes running inside each VDC. Since these processes run inside the VDC, they are totally separate from each other. For example, the OSPF running in one VDC is totally different from the OSPF running in another VDC. The moment you create a VDC, it creates a new instance of the processes. This is also called control plane separation.

So don't compare your VDC with a VLAN. When you create a VLAN in a switch, it is just a logical separation of the broadcast domain. Within a switch you can have multiple VLANs; a VLAN is a group of ports created by a single process, and you have a single such process in a single switch. When you create VDCs, you have that same VLAN process running separately in each VDC. To make it simpler, think of MS Excel running on one machine as totally different from MS Excel running on another machine. Hope you got it.
From the security perspective, you can hop from one VLAN into another VLAN using a VLAN hopping attack, but you cannot do the same from one VDC to another VDC, since their control planes are separate. That is the same thing you get when you add a separate switch.

So your NX-OS is capable of virtualization, with the help of which you can create VDCs. VDCs partition a single physical device into multiple logical devices that provide fault isolation, management isolation, address allocation isolation, service differentiation domains, and adaptive resource management. Each VDC maintains its own unique set of running software processes, has its own configuration, and can be managed by a separate administrator.

The physical device always has one VDC, the default VDC (VDC 1). When you first log in to a new Cisco NX-OS device, you begin in the default VDC.

You must be in the default VDC to create, change attributes for, or delete a nondefault VDC. The Cisco NX-OS software can support up to four VDCs, including the default VDC, which means that you can create up to three VDCs.

If you want to communicate between VDCs, then you must make a physical connection from a port allocated to one VDC to a port allocated to the other VDC.

Tuesday, December 21, 2010

Understanding Nexus - Part 20 - VPC 2

Now that you are well aware of what VPC is, it's time to get more serious about the practical approach, guidelines and limitations.


There is a beautiful video which explains VPC in detail. The video explains the VPC fundamental concepts for the Nexus 5000: the differences between VPC and STP, VPC terminology, what a VPC peer-link is, what a VPC keepalive link is, VPC member ports etc. The video also discusses data forwarding in VPC, i.e. how unicast forwarding works, how MAC learning happens etc.



Going further, VPC failure scenarios are discussed, like VPC peer-link failure, VPC member port failure etc. It is really worth watching.


Now that you have a good overview of the practical approach, it's time to look at the configuration. The video below explains how to configure VPC on Nexus. Everything is explained step by step. Hope you like it.


Monday, November 8, 2010

Understanding Nexus -- Part 19 -- EIGRP


Enhanced Interior Gateway Routing Protocol (EIGRP), a Cisco proprietary protocol, combines the benefits of distance vector protocols with the features of link-state protocols. EIGRP sends out periodic Hello messages for neighbor discovery. Once EIGRP learns a new neighbor, it sends a one-time update of all the local EIGRP routes and route metrics. The receiving EIGRP router calculates the cost based on the received metrics plus the locally assigned cost of the link to that neighbor. After this initial full route table update, EIGRP sends incremental updates only. These updates are sent only to neighbors affected by the route changes. This process speeds convergence and minimizes the bandwidth used by EIGRP.

EIGRP Components
 
EIGRP has the following basic components:
 
  • Reliable Transport Protocol
  • Neighbor Discovery and Recovery
  • Diffusing Update Algorithm

Reliable Transport Protocol
 
RTP guarantees delivery of EIGRP packets to all neighbors. RTP includes the following message types:
 
Hello - Used for neighbor discovery and recovery. By default, EIGRP sends a periodic multicast Hello message on the local network at the configured hello interval. By default, the hello interval is 5 seconds.
 
Acknowledgement - Sent after receiving updates, queries and replies.
 
Updates - Sent to affected neighbors when routing information changes. All update messages contain the route destination, address mask, and route metrics such as delay and bandwidth. The update information is stored in the EIGRP topology table.
 
Queries and Replies - Sent as necessary as part of the Diffusing Update Algorithm used by EIGRP.

Neighbor Discovery and Recovery

EIGRP uses Hello messages to discover neighbors and adds them to the neighbor table. The neighbor table contains the neighbor’s IP address, the interface it was learned on, and the hold time. The hold time indicates how long EIGRP should wait before declaring a neighbor unreachable. By default, the hold time is three times the hello interval. In our case the hold time is 15 seconds.

After the neighbor is discovered, EIGRP sends a series of Update messages to the new neighbor to share the local EIGRP routing information. This route information is stored in the EIGRP topology table. After this initial transmission of the full EIGRP route information, EIGRP sends Update messages only when a routing change occurs.
 
Hello messages are also used as keepalives to neighbors.

Diffusing Update Algorithm

DUAL calculates the routing information based on the destination networks in the topology table. The topology table includes the following information:
 
IPv4 or IPv6 address/mask - The network address and its mask for the destination.
 
Successors - The IP address and local interface for all feasible successors. Feasible successors are the neighbors that advertise a shorter distance to the destination than the current feasible distance.

Feasibility distance (FD) - The lowest calculated distance to the destination. The feasibility distance is the sum of the advertised distance from a neighbor plus the cost of the link to that neighbor, i.e. FD = (Advertised Distance from neighbor) + (Cost of the link to that neighbor).
 
Also there is one more thing: EIGRP uses a composite metric, made up of Bandwidth, Delay, Reliability, MTU and Load. It uses the K values to decide which parameters are used to calculate the metric and what weight each parameter gets. The formula is
 
metric = [k1*bandwidth + (k2*bandwidth)/(256 - load) + k3*delay] * [k5/(reliability + k4)]
 
In short, with the default K values (k1 = k3 = 1 and the rest 0), it reduces to bandwidth plus delay.
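The composite metric formula above and the feasibility-distance rule from the DUAL section, worked through as an added example (this is not code from the post or from Cisco). The scaling assumptions are the classic EIGRP ones: the bandwidth term is 10^7 divided by the lowest bandwidth in Kb/s, delay is in tens of microseconds, the result is multiplied by 256, and with k5 = 0 the reliability factor is treated as 1. The topology entries are constructed values.

```python
from dataclasses import dataclass
from typing import List, Tuple

Kvals = Tuple[int, int, int, int, int]

def eigrp_metric(min_bw_kbps: int, total_delay_tens_us: int,
                 load: int = 1, reliability: int = 255,
                 k: Kvals = (1, 0, 1, 0, 0)) -> int:
    """Classic EIGRP composite metric following the post's formula.
    min_bw_kbps: lowest bandwidth along the path, in Kb/s.
    total_delay_tens_us: sum of interface delays, in tens of microseconds.
    k: (k1, k2, k3, k4, k5); the defaults weight only bandwidth and delay."""
    k1, k2, k3, k4, k5 = k
    bw = 10**7 // min_bw_kbps                      # inverse-bandwidth term (assumed scaling)
    base = k1 * bw + (k2 * bw) // (256 - load) + k3 * total_delay_tens_us
    # With k5 = 0 (the default) the reliability factor is skipped, i.e. treated as 1
    factor = 1 if k5 == 0 else k5 / (reliability + k4)
    return int(base * factor) * 256                # final x256 scaling (assumed)

@dataclass
class TopologyEntry:
    neighbor: str
    advertised_distance: int   # the neighbor's own distance to the prefix (AD)
    link_cost: int             # cost of the link from us to that neighbor

def dual_select(entries: List[TopologyEntry]):
    """Pick the successor and the feasible successors for one prefix.
    FD is the lowest (AD + link cost), exactly as the post defines it; a
    neighbor is a feasible successor when its AD is strictly lower than FD,
    which is what guarantees it is not routing through us (loop-free)."""
    computed = [(e, e.advertised_distance + e.link_cost) for e in entries]
    successor, fd = min(computed, key=lambda t: t[1])
    feasible = [e.neighbor for e, _ in computed
                if e is not successor and e.advertised_distance < fd]
    return successor.neighbor, fd, feasible

if __name__ == "__main__":
    # Constructed inputs: a Fast Ethernet path and a T1 path
    print("FE metric:", eigrp_metric(100000, 10))
    print("T1 metric:", eigrp_metric(1544, 2000))
    # Constructed topology table: R3 has the cheapest link but fails the
    # feasibility condition (AD 20 >= FD 15), so it is NOT a backup path
    table = [TopologyEntry("R1", 10, 5),
             TopologyEntry("R2", 12, 10),
             TopologyEntry("R3", 20, 1)]
    print(dual_select(table))
```

The point to take from `dual_select` is that the feasibility condition is a loop-prevention check, not a performance check: R3 is rejected as a feasible successor even though its link is the cheapest, because its advertised distance is not lower than our own feasible distance.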



EIGRP Route Updates
 
Whenever there is a change in the network, EIGRP sends an Update message with only the changed routing information to the affected neighbors. This is called a partial update. This Update message includes the distance information to the new or updated network destination.
 
There are 2 types of route metrics in EIGRP, viz. internal and external.

Internal Route Metrics
 
Internal routes are routes between neighbors within the same EIGRP autonomous system. These routes have the following metrics:
 
Next hop - The IP address of the next-hop router.
 
Delay - Sum of the delays configured on the interfaces along the route to the destination network, in tens of microseconds.
 
Bandwidth - The lowest configured bandwidth on an interface in the route towards destination.
 
MTU - The smallest maximum transmission unit value along the route to the destination.
 
Hop count - The number of hops (routers) that the route passes through to reach the destination. This metric is not used for route calculation.
 
Reliability - An indication of the reliability of the links to the destination.
 
Load - An indication of how much traffic is on the links to the destination.
 

External Route Metrics
External routes are routes that occur between neighbors in different EIGRP autonomous systems. These routes have the following metrics:
 
Next hop - The IP address of the next-hop router.
 
Router ID - The router ID of the redistribution router on which routes have been redistributed into EIGRP.
 
AS Number - The autonomous system number of the destination.
 
Protocol ID - A code that represents the routing protocol that learned the destination route.
 
Tag - An arbitrary tag that can be used for route maps.
 
Metric - The route metric for this route from the external routing protocol.
 

Address Families
 
EIGRP supports both the IPv4 and IPv6 address families.
 
Authentication
EIGRP authentication can be configured per virtual routing and forwarding (VRF) instance or interface using key-chain management. EIGRP supports MD5 authentication. 

Stub Routers
 
Stub routing is a feature which improves network stability, reduces resource usage, and simplifies stub router configuration. It is mostly used in hub-and-spoke topologies, where the spoke routers become stub routers.

A router that is configured as a stub sends a special peer information packet to all neighboring routers, saying that it is a stub router.

Any neighbor that receives this packet will not query the stub router for any routes. The stub router depends on the hub router to send the proper routes to all other routers.

This is simply configured to reduce the occurrence of stuck-in-active (SIA) routes.
 
Summarization
 
You can configure summarization on an interface basis. EIGRP will advertise the summary route only from the specified interface. The metric of the summary address is equal to the lowest metric of the more specific routes.
In NX-OS, EIGRP does not support automatic route summarization.

Load Balancing
 
Cisco NX-OS supports the Equal Cost Multiple Paths (ECMP) feature with up to 16 equal-cost paths in the routing table. By default, 8 paths are enabled.
 
NX-OS does not support unequal cost load balancing.

Split Horizon
 
Since EIGRP is a kind of distance vector protocol, it requires split horizon. NX-OS does not send update and query packets back out the interface from which those destinations were learned. Split horizon with poison reverse can also be configured.
 
By default, the split horizon feature is enabled on all interfaces.

Graceful Restart and High Availability
 
NX-OS supports nonstop forwarding (NSF) and graceful restart for EIGRP.
NSF is handy when there is a supervisor (SUP) failure in a router. Previously, whenever there was a Sup failure, the data traffic used to stop. With NSF, neighboring devices do not experience routing flaps. During failover, data traffic is forwarded through the intelligent line cards while the standby supervisor becomes active.
 
For graceful restart, the routers must be capable of it; NX-OS supports graceful restart. During graceful restart, the router uses Hello messages to notify its neighbors that the graceful restart operation has started. Then both routers immediately exchange their topology tables. The neighbor router then performs the following actions to support the restarting router:
 
  1. Neighbor router ends its ‘Hello hold timer’, so when the restarting router comes back online it can immediately send it Hello messages and all the updates.
  2. Neighbor router starts the ‘Route-hold timer’. Default time period is 240 seconds.
  3. Neighbor router maintains adjacency, and holds known routes for the restarting neighbor. If the route-hold timer expires then it discards held routes and treats the restarting router as a new router joining the network and reestablishes adjacency.
Enable graceful restart to support in-service software upgrades (ISSU) for EIGRP. If you disable graceful restart, Cisco NX-OS issues a warning that ISSU cannot be supported with this configuration.
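A simplified model of the neighbor-side timers described above, as an added example (not NX-OS code and not Cisco's implementation): the normal hold timer (three times the hello interval, 15 seconds by default) versus the route-hold timer (240 seconds by default) that a neighbor starts when it is told a graceful restart has begun. Time is passed in as plain seconds so the logic runs offline; the neighbor addresses and prefixes are constructed, and the `on_restart_complete` event stands in for the restarting router finishing its topology exchange.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

HELLO_INTERVAL = 5                 # seconds, NX-OS default from the post
HOLD_TIME = 3 * HELLO_INTERVAL     # 15 seconds
ROUTE_HOLD_TIME = 240              # seconds, default route-hold timer from the post

@dataclass
class Neighbor:
    address: str
    routes: Set[str] = field(default_factory=set)   # prefixes learned from this neighbor
    last_hello: float = 0.0
    restarting: bool = False
    route_hold_expiry: Optional[float] = None
    state: str = "up"

def on_hello(n: Neighbor, now: float) -> None:
    """A normal Hello refreshes the hold timer."""
    n.last_hello = now

def on_restart_signal(n: Neighbor, now: float) -> None:
    """Hello carrying the graceful-restart notification: steps 1-3 of the post.
    The hello hold timer is no longer enforced, the route-hold timer starts,
    and the adjacency plus known routes are kept."""
    n.last_hello = now
    n.restarting = True
    n.route_hold_expiry = now + ROUTE_HOLD_TIME

def on_restart_complete(n: Neighbor, now: float) -> None:
    """Restarting router has re-sent its routes: back to normal hold-timer operation."""
    n.last_hello = now
    n.restarting = False
    n.route_hold_expiry = None
    n.state = "up"

def tick(n: Neighbor, now: float) -> str:
    """Evaluate timers at time `now` and return the neighbor state."""
    if n.restarting:
        if now >= n.route_hold_expiry:
            # Route-hold timer expired: discard held routes and treat the
            # router as a brand-new neighbor that must re-establish adjacency
            n.routes.clear()
            n.restarting = False
            n.route_hold_expiry = None
            n.state = "new"
        return n.state
    if now - n.last_hello >= HOLD_TIME:
        # Ordinary failure: hold timer expired, neighbor declared unreachable
        n.routes.clear()
        n.state = "down"
    return n.state

if __name__ == "__main__":
    # Constructed walk-through: a silent neighbor goes down after 15 s ...
    a = Neighbor("10.0.0.2", routes={"10.1.0.0/16"})
    on_hello(a, 0)
    print(tick(a, 14), tick(a, 15), a.routes)
    # ... while a gracefully restarting neighbor keeps its routes for 240 s
    b = Neighbor("10.0.0.3", routes={"10.2.0.0/16"})
    on_hello(b, 0)
    on_restart_signal(b, 3)
    print(tick(b, 100), b.routes, tick(b, 243), b.routes)
```

The trade-off the model makes visible is that graceful restart deliberately keeps forwarding to a neighbor that has gone quiet for far longer than the hold time would normally allow; that is why the post notes the neighbors must be NSF-aware, and why the route-hold timer is bounded (20 to 300 seconds in the configuration section).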

Configuring EIGRP
 
NX-OS EIGRP is compatible with EIGRP in the Cisco IOS software.
 
NX-OS supports only IP… no AppleTalk, no DECnet.
 
Auto summarization is disabled by default.
 
The basic EIGRP can be configured as follows:
 
switch# config t
switch(config)# feature eigrp                  - Enables EIGRP
switch(config)# router eigrp Test1             - Instance tag is case-sensitive, alphanumeric, max 20 characters
switch(config-router)# autonomous-system 33    - Range is from 1 to 65535
 
Adding an Interface…
 
switch(config)# interface ethernet 1/2
switch(config-if)# ip router eigrp Test1

Restarting EIGRP
 
switch(config-router)# flush-routes            - Flushes all EIGRP routes when this EIGRP instance restarts (router configuration mode)
 
switch(config)# restart eigrp Test1                     - Restarts the EIGRP instance
 
Shutting Down EIGRP
 
You can gracefully shut down EIGRP.
 
switch(config-router)# shutdown
 
Passive Interface
 
It suppresses EIGRP hellos, which prevents neighbors from forming and sending routing updates on an EIGRP interface, but the interface can still receive updates from other routers.
 
switch(config-if)# ip passive-interface eigrp Test1
 
Shutting Down EIGRP on Interface
 
You can gracefully shut down EIGRP on an interface.
 
switch(config-if)# ip eigrp Test1 shutdown
 
Authentication 

It can be configured by creating a key chain.
 
switch# config t
switch(config)# key chain EIGRP-Key
switch(config-keychain)# key 13
switch(config-keychain-key)# key-string 0 Secure-Key
switch(config)# router eigrp Test1
switch(config-router)# address-family ipv4 unicast
switch(config-router-af)# authentication key-chain EIGRP-Key
switch(config-router-af)# authentication mode md5
switch(config)# interface ethernet 1/2
switch(config-if)# ip router eigrp Test1
switch(config-if)# ip authentication key-chain eigrp Test1 EIGRP-Key
switch(config-if)# ip authentication mode eigrp Test1 md5
 
Stub Routing
 
switch# config t
switch(config)# router eigrp Test1
switch(config-router)# address-family ipv6 unicast
switch(config-router-af)# stub direct redistributed
 
Summarization
 
For a summary to be advertised, at least one specific route must be present.
 
switch(config)# interface ethernet 1/2
switch(config-if)# ip summary-address eigrp Test1 192.0.2.0 255.255.255.0
 
OR
 
switch(config-if)# ip summary-address eigrp Test1 192.0.2.0/24
 
Load Balancing
 
Just like RIP, this is also a very simple task.
 
switch# config t
switch(config)# router eigrp Test1
switch(config-router)# address-family ipv4 unicast
switch(config-router-af)# maximum-paths 5
 
Graceful Restart
 
Graceful restart is enabled by default. Also for graceful restart neighboring routers must be NSF-aware or NSF-capable.
 
switch# config t
switch(config)# router eigrp Test1
switch(config-router)# address-family ipv4 unicast
switch(config-router-af)# graceful-restart
switch(config-router-af)# timers nsf converge 100         - range is from 60 to 180 seconds. The default is 120.
switch(config-router-af)# timers nsf route-hold 200       - range is from 20 to 300 seconds. The default is 240.
switch(config-router-af)# timers nsf signal 15            - range is from 10 to 30 seconds. The default is 20.
 
Hello and Hold Time
 
By default, Hello Time is 5 seconds and Hold Time is 3 times of Hello timer… i.e. 15 seconds.
 
switch(config-if)# ip hello-interval eigrp Test1 30       - range is from 1 to 65535 seconds. The default is 5.
 
switch(config-if)# ipv6 hold-time eigrp Test1 30          - range is from 1 to 65535 seconds. The default is 15.
 
Tuning EIGRP
 
switch# config t
switch(config)# router eigrp Test1
switch(config-router)# address-family ipv4 unicast
 
switch(config-router-af)# default-information originate always        - Originates default route with prefix 0.0.0.0/0
 
switch(config-router-af)# distance 25 100                 - administrative distance for EIGRP. The range is from 1 to 255. Default is 90 for internal routes and 170 for external routes.
 
switch(config-router-af)# metric max-hops 70              - maximum allowed hops for an advertised route. Range is from 1 to 255. The default is 100.
 
switch(config-router-af)# metric weights 0 1 3 2 1 0      - metric or K value.
 
switch(config-router-af)# timers active-time 200          - the time router waits in minutes before declaring the route to be stuck in the active (SIA) state. The range is from 1 to 65535. The default is 3.

Parameters in interface configuration mode
 
switch(config-if)# ip bandwidth eigrp Test1 30000         - bandwidth metric for EIGRP on an interface. range is from 1 to 2,560,000,000 Kb/s.
 
switch(config-if)# ip bandwidth-percent eigrp Test1 30    - maximum percentage of interface bandwidth that EIGRP may use when the interface is congested. EIGRP does not use the full bandwidth available on the interface, so your data traffic keeps flowing even while EIGRP itself is updating routes. Range is from 0 to 100. The default is 50.
 
switch(config-if)# ip delay eigrp Test1 100               - delay metric for EIGRP on an interface. range is from 1 to 16777215 (in tens of microseconds).
 
switch(config-if)# ip distribute-list eigrp Test1 route-map EigrpTest in    - route filtering policy for EIGRP on this interface
 
switch(config-if)# ip next-hop-self eigrp Test1           - By default EIGRP uses the IP address of its own interface as the next-hop address (this command); the "no" form of the command lets EIGRP advertise the received next-hop address instead.
 
switch(config-if)# ip offset-list eigrp Test1 prefix-list EigrpList in        - Adds an offset to incoming and outgoing metrics. Just like RIP
 
To Check
 
show ip eigrp Test1
show ip eigrp Test1 interfaces
 
in short,
“show ip eigrp ?”
 
show run eigrp

Saturday, November 6, 2010

Understanding Nexus -- Part 18 -- RIP

RIP is Routing Information Protocol which uses User Datagram Protocol (UDP) packets to exchange routing information. It’s usually used in very small networks.

Note:
Cisco NX-OS does not support IPv6 for RIP.

Here we will discuss RIPv2, since Cisco NX-OS does not support RIPv1. If it receives a RIPv1 packet, it logs a message and drops the packet. Also, NX-OS does not establish adjacencies with RIPv1 routers.

RIP uses two message types:

Request Message - Sent to the multicast address 224.0.0.9 to request route updates from other RIP-enabled routers.

Response Message - Sent every 30 seconds by default. Response messages are also sent after the router receives a Request message. A response contains the entire RIP routing table; the RIP process sends multiple response packets if the RIP routing table is too big to fit in a single packet.

RIP uses a hop count as a routing metric. The hop count is the number of routers that a packet can traverse before reaching its destination. A directly connected network has a metric of 1; an unreachable network has a metric of 16.

Authentication

RIPv2 supports authentication. NX-OS supports a simple password or an MD5 authentication.

RIP authentication can be configured on per interface basis by using key-chain. The encrypted password is used with all RIP messages (Request or Response).

Split Horizon

Split horizon is a method that controls the sending of RIP updates and query packets. When you enable split horizon on an interface, Cisco NX-OS does not send update packets for destinations that were learned from this interface.

By default, split horizon is enabled on all interfaces.

Summarization

You can configure multiple summary aggregate addresses for a specified interface. If more specific routes are present in the routing table, RIP advertises the summary address from the interface with a metric equal to the smallest metric of the specific routes.

Note: Cisco NX-OS does not support automatic route summarization.

Load Balancing

NX-OS supports the Equal Cost Multiple Paths (ECMP) feature with up to 16 equal-cost paths in the RIP route table and the unicast RIB.

Configuring RIP

switch# config t
switch(config)# feature rip
switch(config)# router rip Enterprise
switch(config-router)# address-family ipv4 unicast
switch(config-router-af)# distance 30
switch(config-router-af)# maximum-paths 10

Adding an Interface
Here we have to add an interface to the routing process.

switch# config t
switch(config)# interface ethernet 1/2
switch(config-if)# ip router rip Enterprise

Configuring RIP Authentication
To configure authentication, first create a key chain.

switch# conf t
switch(config)# key chain rip-keys
switch(config-keychain)# key 13
switch(config-keychain-key)# key-string 0 Secure-Key

Apply it on the interface

switch# config t
switch(config)# interface ethernet 1/2
switch(config-if)# ip rip authentication mode md5
switch(config-if)# ip rip authentication key-chain rip-keys
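What the key-chain authentication configured above (and the equivalent EIGRP key-chain configuration in Part 19) actually buys you, shown as an added example rather than code from the post or from Cisco: a simplified model of keyed-MD5 authentication, where the sender attaches a key ID and a digest computed over the message plus the key-string, and the receiver recomputes it from its own key chain. This is not the exact RFC 2082 or EIGRP packet layout, only the verification logic; the key chain mirrors the post's constructed "key 13 / Secure-Key" and the update payloads are constructed.

```python
import hashlib
import hmac

# Constructed key chain mirroring "key chain rip-keys / key 13 / key-string 0 Secure-Key"
KEY_CHAIN = {13: b"Secure-Key"}

def sign_update(payload: bytes, key_id: int, key_chain=KEY_CHAIN) -> dict:
    """Sender side: attach the key ID and a keyed MD5 digest over payload + key-string.
    The key itself never goes on the wire, only the digest it produced."""
    digest = hashlib.md5(payload + key_chain[key_id]).digest()
    return {"payload": payload, "key_id": key_id, "digest": digest}

def verify_update(msg: dict, key_chain=KEY_CHAIN) -> bool:
    """Receiver side: accept only if the message carries auth data, names a key ID
    present in our key chain, and the digest matches our own recomputation."""
    if "digest" not in msg or "key_id" not in msg:
        return False                       # unauthenticated update from an unknown speaker
    key = key_chain.get(msg["key_id"])
    if key is None:
        return False                       # key ID not in our chain: cannot be a configured peer
    expected = hashlib.md5(msg["payload"] + key).digest()
    # Constant-time comparison so digest checking does not leak timing information
    return hmac.compare_digest(expected, msg["digest"])

if __name__ == "__main__":
    # Constructed walk-through: a genuine update, a modified one, and one with no auth
    good = sign_update(b"RIP response: 10.1.0.0/16 metric 3", 13)
    tampered = dict(good, payload=b"RIP response: 10.1.0.0/16 metric 1")
    print(verify_update(good), verify_update(tampered), verify_update({"payload": b"x"}))
```

The model shows the three rejection cases a router relies on once authentication is enabled: an update with no authentication data, one that names a key ID the router does not hold, and one whose contents were altered after signing. Since the digest depends on the key-string, a neighbor that does not share the key chain cannot inject routes even if it speaks the protocol correctly.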

Passive Interface

You can configure a RIP interface to receive routes but not send route updates by setting the interface to passive mode.

switch(config-if)# ip rip passive-interface

Configuring Split Horizon with Poison Reverse

Split horizon is enabled by default, but you can additionally configure poison reverse on an interface to advertise routes learned on that interface with an unreachable metric.

switch(config-if)# ip rip poison-reverse

Configuring Summarization

NX-OS advertises the summary address metric that is the smallest metric of all the specific routes.

switch(config-if)# ip rip summary-address 192.0.2.0/24

Tuning RIP

RIP uses several timers that determine the frequency of routing updates, the length of time before a route becomes invalid, and other parameters. You can adjust these timers as per your network requirements.

switch(config-router-af)# timers basic 30 180 180 120

Update - Determines the frequency of routing updates. The range is from 5 to any positive integer. The default is 30.
Timeout - Time that Cisco NX-OS waits before declaring a route invalid. If Cisco NX-OS does not receive a route update for a route before the timeout interval ends, it declares the route invalid. The range is from 1 to any positive integer. The default is 180.
Holddown - Time during which Cisco NX-OS ignores better route information for an invalid route. NX-OS waits for the invalid route to become valid again before using the new route. The range is from 0 to any positive integer. The default is 180.
Garbage-collection - Time from when Cisco NX-OS marks a route as invalid until it removes the route from the routing table. The range is from 1 to any positive integer. The default is 120.

switch(config-if)# ip rip metric-offset 10
Adds a value to the metric of every route received on this interface. The range is from 1 to 15. The default is 1.

switch(config-if)# ip rip route-filter route-map InputMap in
Specifies a route map to filter incoming or outgoing RIP updates
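The RIP route handling described in this post, modelled as an added example (not NX-OS code and not Cisco's implementation): the hop-count metric with 16 meaning unreachable, the per-interface metric-offset applied to received routes, summary advertisement using the smallest metric of the specific routes, and split horizon with optional poison reverse on outbound updates. The prefixes, metrics and interface names are constructed, and the model ignores the timers above.

```python
import ipaddress
from typing import Dict, Iterable, List

INFINITY = 16   # RIP "unreachable" metric, as stated in the post

def receive_route(prefix: str, metric: int, ingress_if: str, metric_offset: int = 1) -> dict:
    """Inbound processing: add the interface's metric-offset (default 1, i.e. one
    more hop) and cap at 16. A route that reaches 16 is unreachable."""
    new_metric = min(metric + metric_offset, INFINITY)
    return {"prefix": ipaddress.ip_network(prefix), "metric": new_metric,
            "iface": ingress_if, "reachable": new_metric < INFINITY}

def build_update(table: List[dict], egress_if: str, poison_reverse: bool = False,
                 summaries: Iterable[str] = ()) -> Dict[str, int]:
    """Outbound update for one interface.
    Split horizon: routes learned on egress_if are not sent back out of it, or,
    with poison reverse, are sent with metric 16.
    Summaries: if at least one more-specific route exists, the summary replaces
    the specifics and takes the smallest of their metrics."""
    adverts = {}
    covered = []   # specifics hidden behind a summary
    for s in summaries:
        s_net = ipaddress.ip_network(s)
        specifics = [r for r in table
                     if r["prefix"] != s_net and r["prefix"].subnet_of(s_net)]
        if specifics:   # the post: summary is advertised only if a specific is present
            adverts[s_net] = min(r["metric"] for r in specifics)
            covered.extend(r["prefix"] for r in specifics)
    for r in table:
        if r["prefix"] in covered:
            continue
        if r["iface"] == egress_if:
            if poison_reverse:
                adverts[r["prefix"]] = INFINITY   # explicitly advertise as unreachable
            continue                              # plain split horizon: stay silent
        adverts[r["prefix"]] = r["metric"]
    return {str(k): v for k, v in adverts.items()}

if __name__ == "__main__":
    # Constructed routing table: two routes inside 10.1.0.0/16 plus one that
    # arrives at 15 hops and becomes unreachable after the +1 offset
    table = [receive_route("10.1.1.0/24", 2, "e1/1"),
             receive_route("10.1.2.0/24", 5, "e1/2"),
             receive_route("172.16.0.0/16", 15, "e1/2")]
    print(build_update(table, "e1/2", poison_reverse=True, summaries=["10.1.0.0/16"]))
    print(build_update(table, "e1/1"))
```

Poison reverse makes the difference visible in the first update: the 172.16.0.0/16 route learned on e1/2 is sent back out of e1/2 with metric 16 instead of being silently omitted, so the neighbor that advertised it can never be misled into believing this router is a valid path for it.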

To Check

show run rip
show ip rip [instance instance-tag]

Friday, November 5, 2010

Understanding Nexus -- Part 17 -- Static Routing

Static routing is much simpler than dynamic routing. Static routes define explicit paths between two routers. They cannot be updated automatically; you have to reconfigure static routes manually when a network change occurs. Static routes use less bandwidth than dynamic routes, and no CPU cycles are used to calculate and analyze routing updates.

You can use a fully specified static route when the output interface is a multi-access interface and you need to identify the next-hop address.

By default, a router prefers a static route because a static route has a smaller administrative distance than a dynamic route.

Static routes support Virtual Routing and Forwarding instances (VRFs).

If the next-hop address for a static route is unreachable, the static route will not be added to the routing table.
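Two of the rules above, a static route being installed only when its next hop is reachable and a static route beating a dynamic route for the same prefix because of its lower administrative distance, modelled in a small routing-table class as an added example (not NX-OS code). The administrative distances assumed are the defaults quoted in the EIGRP post (static 1, EIGRP internal 90); "reachable" is simplified to "the next hop falls inside a connected subnet", and all prefixes and next hops are constructed.

```python
import ipaddress
from typing import Optional, Tuple

STATIC_AD = 1
EIGRP_AD = 90   # EIGRP internal default, as quoted in Part 19

class Rib:
    """Minimal routing table: prefix -> (administrative distance, next hop, source)."""

    def __init__(self) -> None:
        self.routes = {}
        self.connected = []

    def add_connected(self, iface_prefix: str) -> None:
        """Interface address, e.g. '192.0.2.1/24', installs its subnet as direct (AD 0)."""
        net = ipaddress.ip_network(iface_prefix, strict=False)
        self.connected.append(net)
        self.routes[net] = (0, None, "direct")

    def next_hop_reachable(self, next_hop: str) -> bool:
        # Simplification: reachable means inside a connected subnet
        addr = ipaddress.ip_address(next_hop)
        return any(addr in net for net in self.connected)

    def add_static(self, prefix: str, next_hop: str) -> bool:
        """The post's rule: an unreachable next hop means the route is not added."""
        if not self.next_hop_reachable(next_hop):
            return False
        return self._install(prefix, STATIC_AD, next_hop, "static")

    def add_dynamic(self, prefix: str, next_hop: str, ad: int, source: str = "eigrp") -> bool:
        return self._install(prefix, ad, next_hop, source)

    def _install(self, prefix: str, ad: int, next_hop: str, source: str) -> bool:
        """Lower administrative distance wins; an equal or worse AD is rejected."""
        net = ipaddress.ip_network(prefix, strict=False)
        current = self.routes.get(net)
        if current is None or ad < current[0]:
            self.routes[net] = (ad, next_hop, source)
            return True
        return False

    def lookup(self, destination: str) -> Optional[Tuple[ipaddress.IPv4Network, tuple]]:
        """Longest-prefix match over the installed routes."""
        addr = ipaddress.ip_address(destination)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        best = max(matches, key=lambda net: net.prefixlen)
        return best, self.routes[best]

if __name__ == "__main__":
    rib = Rib()
    rib.add_connected("192.0.2.1/24")
    print(rib.add_static("198.51.100.0/24", "192.0.2.10"))    # installed
    print(rib.add_static("203.0.113.0/24", "10.9.9.9"))       # next hop unreachable: rejected
    print(rib.add_dynamic("198.51.100.0/24", "192.0.2.20", EIGRP_AD))   # loses to static
    print(rib.lookup("198.51.100.7"))
```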

Static Route

switch# config t
switch(config)# ip route 192.0.2.0/8 192.0.2.10

OR

switch(config)# ip route 192.0.2.0 255.0.0.0 192.0.2.10

OR

switch(config)# ip route 192.0.2.0/8 ethernet 1/2 192.0.2.4

To Check
 
switch# show ip static-route

Understanding Nexus -- Part 16 -- Configuring IPv4

Today we will have a look at IPv4 addresses and its configuration on NX-OS. We will also look at Address Resolution Protocol (ARP), and Internet Control Message Protocol (ICMP) as these are the supplement protocols for IPv4.
NX-OS supports 2 types of Layer 3 protocols, viz. IPv4 and IPv6.

IPv4

You can configure an IPv4 address as primary or secondary on a device. An interface can have one primary IP address and multiple secondary addresses. You can specify an unlimited number of secondary addresses.

Note: Packets that are generated by the device always use the primary IPv4 address.

Address Resolution Protocol

Well, I am not going to give any explanation of ARP itself here. We will just discuss the defaults and configs.

By default, the ARP timeout is 1500 seconds, and proxy ARP is disabled.

ICMP

ICMP is an essential protocol for IP communication. It provides message packets that report errors and other information relevant to IP processing.
Just to give you some more details, ICMP redirects are disabled on interfaces where the local proxy ARP feature is enabled.

Configuring Primary IP

switch# config t
switch(config)# interface ethernet 2/3
switch(config-if)# ip address 192.2.1.1 255.0.0.0

OR

switch(config-if)# ip address 192.2.1.1/8

Configuring Secondary IP

switch(config-if)# ip address 192.2.1.1 255.0.0.0 secondary

Static ARP

switch(config)# interface ethernet 2/3
switch(config-if)# ip arp 192.2.1.1 0019.076c.1a78

Proxy ARP

With Proxy ARP enabled on the gateway router, it replies to ARP requests initiated by clients/user machines when the destination IP in the ARP request is outside the local network (not on the same LAN).

switch(config)# interface ethernet 2/3
switch(config-if)# ip proxy-arp

Local Proxy ARP

When you enable local proxy ARP, ARP responds to all ARP requests for IP addresses within the subnet and forwards all traffic between hosts in the subnet.

switch(config)# interface ethernet 2/3
switch(config-if)# ip local-proxy-arp

Path MTU Discovery

switch(config)# interface ethernet 2/3
switch(config-if)# ip tcp path-mtu-discovery

IP Packet Verification

NX-OS supports Intrusion Detection System (IDS) checks that perform IP packet verification. You can enable or disable these IDS checks.
Just use the following command in global config mode and look at the available options ;-)

switch(config)# hardware ip verify ?

Friday, October 29, 2010

Understanding Nexus -- Part 15 -- MST

MST is defined in IEEE 802.1s. MST maps multiple VLANs into “instances” that maintain their own STP topology.
  • You can have up to 65 MST instances on one device.
  • MST is compatible with 802.1D and 802.1w.
  • You can configure MST to send pre-standard BPDUs using the "spanning-tree mst pre-standard" interface command.
  • All switches in a single MST region must have the same name, revision number, and VLAN-to-MST-instance mapping.

Enabling MST

switch# config t
switch(config)# spanning-tree mode mst

Entering MST Configuration Mode

switch(config)# spanning-tree mst configuration
switch(config-mst)#

Configuring MST Parameter

switch(config-mst)# name accounting
- Specifies the name for the MST region. The name string has a maximum length of 32 characters and is case sensitive. The default is an empty string

switch(config-mst)# revision 5
- Specifies the revision number for the MST region. The range is from 0 to 65535, and the default value is 0.

switch(config-mst)# instance 1 vlan 10-20
- For instance-id, the range is from 1 to 4094.

Configuring MST Root Bridge

switch# config t
switch(config)# spanning-tree mst 5 root primary
switch(config)# spanning-tree mst 5 root secondary
switch(config)# spanning-tree mst 5 priority 4096

Understanding Nexus -- Part 14 -- STP in Nexus

For most people, STP on Nexus is quite confusing. This post is for them, to elaborate on the STP functions and to answer some of the frequently asked questions.

STP was implemented to provide loop-free connectivity in a Layer 2 network. Later it was updated to Rapid STP. And Cisco has its own implementation, known as Rapid PVST+, which is the default on Nexus.

All other things, like the election of the root bridge, are the same as in IOS. So if you are familiar with that, you get the same mechanism in Nexus.

You can run either Rapid PVST+ or MST within each virtual device context (VDC - we will discuss it later). You cannot run both STP modes simultaneously in a VDC.

Both MST and Rapid PVST+ on Nexus are backward compatible with switches running PVST+.

MST interoperates with switches running PVST+ and Rapid PVST+ by leveraging PVST+ simulation. PVST simulation is enabled by default on Nexus systems running MST. The standard compliant MST can also interoperate with Cisco's pre-standard MSTP.

When pre-standard BPDUs are received, the Nexus system translates the BPDU contents to IEEE 802.1Q MSTP format for processing. As a result, the two MST regions merge into one and no MST region boundary is formed.

However, there are a few exceptions where an MST region boundary is formed on links where switches with Cisco's pre-standard MSTP are connected.

Some differences exist in STP feature support between NX-OS and IOS. These differences include:
  • NX-OS only supports Rapid PVST+ and MST.
  • PVST+, MISTP and VLAN bridge are not supported.
  • Since PVST+ is not supported, BackboneFast and UplinkFast are not supported.
  • Each VDC supports only a single STP mode. However, different STP modes (Rapid PVST+ or MST) can be enabled in separate virtual device contexts (VDCs).
  • Both NX-OS and Native IOS 12.2(33)H and later releases support standard-compliant MST. Prior to the 12.2(33)H release, the software only supports pre-standard MST.
  • Introduction of spanning-tree port types, which include edge (PortFast), network (inter-switch) and normal. The introduction of the edge port type changes the PortFast-related IOS commands; however, NX-OS accepts the command in IOS format and converts it to NX-OS format.
  • The dispute mechanism is enabled by default.
  • Bridge Assurance (BA) is enabled by default. The feature is operational only on ports configured as the STP network port type.
  • PVST simulation can be disabled to detect and avoid accidental connection to switches configured with Rapid PVST+ and PVST+.
  • The Nexus system does not recalculate STP cost after physical member ports are shut down.

Overview

Rapid PVST+ provides for rapid recovery of connectivity for edge ports, new root ports, and ports connected through point-to-point links as follows:

Edge ports — immediately transition to the forwarding state (the same as the Cisco-proprietary feature previously known as PortFast).
Root port — If Rapid PVST+ selects a new root port, it blocks the old root port and immediately transitions the new root port to the forwarding state.
Point-to-point links — If you connect a port to another port through a point-to-point link and the local port becomes a designated port, it negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology.

Rapid PVST+ achieves rapid transition to the forwarding state only on edge ports and point-to-point links.

Protocol Timers

Hello timer: Determines how often each device broadcasts BPDUs to other network devices. The default is 2 seconds, and the range is from 1 to 10.
Forward delay timer: Determines how long each of the listening and learning states lasts before the port begins forwarding. This timer is generally not used by the protocol, but it is used when interoperating with 802.1D spanning tree. The default is 15 seconds, and the range is from 4 to 30 seconds.
Maximum age timer: Determines the amount of time protocol information received on a port is stored by the network device. This timer is generally not used by the protocol, but it is used when interoperating with 802.1D spanning tree. The default is 20 seconds, and the range is from 6 to 40 seconds.

 

Port Roles

Rapid PVST+ provides rapid convergence by assigning port roles. Rapid PVST+ selects the device with the highest switch priority (lowest numerical priority value) as the root bridge.

Root Port — Provides the best path (lowest cost) towards the root bridge.

Designated Port — Connects to the designated device that has the lowest path cost when forwarding packets from that LAN to the root bridge. The port through which the designated device is attached to the LAN is called the designated port.

Alternate port — Offers an alternate path toward the root bridge. An alternate port provides a path to another device in the topology.

Backup port — Acts as a backup for the path provided by a designated port toward the leaves of the spanning tree. A backup port can exist only when two ports are connected in a loopback by a point-to-point link or when a device has two or more connections to a shared LAN segment. A backup port provides another path in the topology to the device.

Disabled port — Has no role within the operation of the spanning tree.

Rapid PVST+ Port State
Each Layer 2 LAN port on the device that uses Rapid PVST+ or MST exists in one of the following four states:
Blocking—The Layer 2 LAN port does not participate in frame forwarding.
Learning—The Layer 2 LAN port prepares to participate in frame forwarding.
Forwarding—The Layer 2 LAN port forwards frames.
Disabled—The Layer 2 LAN port does not participate in STP and is not forwarding frames.


When the STP algorithm places a Layer 2 LAN port in the forwarding state, the following process occurs:
1. The port is put into blocking state while it waits for protocol information that suggests it should go to the learning state.
2. The port waits for the forward delay timer to expire, then moves to the learning state, and restarts the forward delay timer.
3. In the learning state, the port continues to block data frames, as it learns the MAC address information of the end stations for the forwarding database.
4. The port waits for the forward delay timer to expire and then moves to the forwarding state, where both learning and frame forwarding are enabled.

 

Blocking State
Does not forward any frames.
In the blocking state, the port performs as follows:

  1.  Discards frames received from the attached segment.
  2.  Discards frames switched from another port for forwarding.
  3.  Does not incorporate the end station location into its address database. (There is no learning on a blocking Layer 2 LAN port, so there is no address database update.)
  4.  Receives BPDUs and directs them to the system module.
  5.  Receives, processes, and transmits BPDUs received from the system module.
  6.  Receives and responds to control plane messages.


Learning State
A port in learning state prepares to participate in frame forwarding by learning the MAC addresses for the frames. The Layer 2 LAN port enters the learning state from the blocking state.
In the learning state, the port performs as follows:

  1.  Discards frames received from the attached segment.
  2.  Discards frames switched from another port for forwarding.
  3.  Incorporates the end station location into its address database.
  4.  Receives BPDUs and directs them to the system module.
  5.  Receives, processes, and transmits BPDUs received from the system module.
  6.  Receives and responds to control plane messages.


Forwarding State
A Layer 2 LAN port in the forwarding state starts forwarding data frames.
In the forwarding state, the port performs as follows:

  1.  Forwards frames received from the attached segment.
  2.  Forwards frames switched from another port for forwarding.
  3.  Incorporates the end station location information into its address database.
  4.  Receives BPDUs and directs them to the system module.
  5.  Processes BPDUs received from the system module.
  6.  Receives and responds to control plane messages.


Disabled State
A Layer 2 LAN port in the disabled state does not participate in frame forwarding or STP. A Layer 2 LAN port in the disabled state is virtually nonoperational.
A disabled Layer 2 LAN port performs as follows:

  1.  Discards frames received from the attached segment.
  2.  Discards frames switched from another port for forwarding.
  3.  Does not incorporate the end station location into its address database. (There is no learning, so there is no address database update.)
  4.  Does not receive BPDUs from neighbors.
  5.  Does not receive BPDUs for transmission from the system module.


Port Cost

Rapid PVST+ uses the short (16-bit) path-cost method to calculate the cost by default. With the short path-cost method, you can assign any value in the range of 1 to 65535. However, you can configure the device to use the long (32-bit) path-cost method, which allows you to assign any value in the range of 1 to 200,000,000. You configure the path-cost calculation method globally.

 


Bandwidth            Short Path-Cost Method   Long Path-Cost Method
10 Mbps              100                      2,000,000
100 Mbps             19                       200,000
1 Gigabit Ethernet   4                        20,000
10 Gigabit Ethernet  2                        2,000
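Because the root port is simply the port on the lowest-cost path to the root, the two cost methods can give different answers for the same topology. The Python example below, added here and not from the original post, runs a shortest-path calculation over a constructed four-switch topology with both cost tables. The topology, the switch names and the use of the neighbour name as an equal-cost tie-break (real STP compares bridge IDs and port IDs) are assumptions of the example.

```python
import heapq
from collections import defaultdict

# Port-cost tables from the section above. Short (16-bit) is the Rapid PVST+ default.
SHORT_COST = {"10M": 100, "100M": 19, "1G": 4, "10G": 2}
LONG_COST = {"10M": 2_000_000, "100M": 200_000, "1G": 20_000, "10G": 2_000}

# Constructed topology (sample data, not from the original post):
# (switch_a, switch_b, link speed). The access switch has a direct 1G link to
# the root and a three-hop 10G path via dist1 and dist2.
LINKS = [
    ("root", "dist1", "10G"),
    ("dist1", "dist2", "10G"),
    ("dist2", "access", "10G"),
    ("root", "access", "1G"),
]


def root_path_costs(links, root, cost_table):
    """Lowest cumulative port cost from every switch to the root (Dijkstra).

    Returns {switch: (cost, neighbour)} where neighbour is the device on the
    far side of the switch's root port. On equal cost real STP prefers the
    lower sender bridge ID; this example uses the neighbour name as a stand-in
    (assumption, to keep the result deterministic).
    """
    adj = defaultdict(list)
    for a, b, speed in links:
        adj[a].append((b, cost_table[speed]))
        adj[b].append((a, cost_table[speed]))
    best = {root: (0, "")}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                      # stale heap entry
        for nbr, port_cost in adj[node]:
            candidate = (cost + port_cost, node)
            if nbr not in best or candidate < best[nbr]:
                best[nbr] = candidate
                heapq.heappush(heap, (candidate[0], nbr))
    return best


def root_port_neighbour(links, root, switch, method="short"):
    """(cost, neighbour) behind the switch's root port under the given method."""
    table = SHORT_COST if method == "short" else LONG_COST
    return root_path_costs(links, root, table)[switch]


if __name__ == "__main__":
    for method in ("short", "long"):
        cost, via = root_port_neighbour(LINKS, "root", "access", method)
        print(f"{method}: access reaches root via {via} at cost {cost}")
```

With the short method the three 10G hops add up to 6, so the single 1G link (cost 4) wins and becomes the root port; with the long method the same 10G path costs 6,000 against 20,000 for the 1G link, so the root port moves to dist2. The short table compresses the gap between 1G and 10G to a factor of two, which is what produces the different topology.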


STP Config

n7000(config)# vlan 20,30 
      - Make sure you create the VLAN
n7000(config)# spanning-tree mode rapid-pvst
      - Rapid-PVST is the default
n7000(config)# spanning-tree vlan 20 root primary
      - Decrements Priority to 24,596 to increase the probability for it to become root
n7000(config)# spanning-tree vlan 30 root secondary
      - Decrements Priority to 28,672 to increase the probability for it to become the backup for the root


Spanning-Tree Port Types

STP supports three port types: edge, network and normal.
The default port type is normal. The edge port type can be configured so that an interface immediately forwards traffic (IOS "PortFast"), and the network port type can be configured to enable Bridge Assurance on an interface.

n7000(config-if-range)# spanning-tree port type ?
 edge     Consider the interface as edge port (enable portfast)
 network  Consider the interface as inter-switch link
 normal   Consider the interface as normal spanning tree port

Only configure ports that connect to a single end station as edge ports.

Understanding Nexus -- Part 13 -- VTP

Now we will have a look at how to configure VLAN Trunking Protocol (VTP) and VTP pruning on Cisco NX-OS devices.

Nexus supports VTP, but which VTP features are available depends on the NX-OS release.

Beginning with Cisco NX-OS Release 5.1(1), VTP and VTP pruning are supported for VTP version 1 and 2.
Before Release 5.1(1), only VTP transparent mode was supported.

VTP info flows through Layer 2 trunk interfaces, Layer 2 trunk port channels, and virtual port channels (vPCs).

There is one more thing which you should keep in mind that, VLAN 1 is required on all trunk ports, if VTP is supported in the network. Disabling VLAN 1 from any of these ports prevents VTP from functioning properly.

All VTP packets received on the Nexus 7000 are dropped by default if VTP is disabled. This is the default behavior on earlier NX-OS release versions.

Enable VTP in transparent mode to extend a VTP domain through a Nexus. Once enabled, VTP packets received on a trunk port are relayed to all other trunk ports.

The NX-OS cannot be configured as a VTP client or server today (future feature after Release 5.1(1)).

Let's have a detailed look at the VTP configuration parameters.

switch# config t
switch(config)# feature vtp
switch(config)# vtp domain accounting
switch(config)# vtp version 2         --- default is ver 1
switch(config)# vtp mode transparent  --- default server for ver 5.1
switch(config)# vtp file vtp.dat
switch(config)# vtp password cisco
switch(config)# vtp pruning           --- supported from 5.1
switch(config)# exit

Select the VTP domain name and version that match the values used in the existing VTP domain.

VTP Modes

Beginning with Release 5.1(1), VTP is supported in these modes.

Transparent — Mode that allows you to relay all VTP protocol packets that it receives on a trunk port to all other trunk ports
Server — Mode that allows you to create, remove, and modify VLANs over the entire network.  Beginning with Release 5.1(1), the server mode is the default mode. The VLAN information is stored on the bootflash and is not erased after a reboot.
Client — Mode that allows a switch to store the last known VTP information including the configuration revision number, on the bootflash.
Off — Mode that behaves similarly to the transparent mode but does not forward any VTP packets.

VTP allows you to enable or disable the VTP protocol on a per-port basis.
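A quick way to check the port-type points from the STP section and the VLAN 1 requirement for VTP on a real device is to read the running configuration. The Python script below is an added example (not from the original post or from any Cisco tool) that parses a constructed NX-OS running-config excerpt, reports each interface's port type and whether Bridge Assurance is operational on it, flags edge ports that are also trunks for review (edge ports should only face a single end station, and whether a given trunk does is something the reader must verify), and flags trunks that do not carry VLAN 1 while VTP is enabled. The interface names, descriptions and VLAN numbers are constructed.

```python
import re

# Constructed NX-OS running-config excerpt (sample data, not from the post).
RUNNING_CONFIG = """
feature vtp
vtp domain accounting
vtp mode transparent
spanning-tree mode rapid-pvst
interface Ethernet1/1
  description to-core
  switchport mode trunk
  spanning-tree port type network
interface Ethernet1/2
  description to-dist2
  switchport mode trunk
  switchport trunk allowed vlan 10-20,30
interface Ethernet1/3
  description server-a
  switchport access vlan 10
  spanning-tree port type edge
interface Ethernet1/4
  description hypervisor-uplink
  switchport mode trunk
  spanning-tree port type edge
"""


def vlan_in_list(vlan, spec):
    """True if `vlan` is inside an NX-OS VLAN list such as '10-20,30'."""
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= vlan <= int(high or low):
            return True
    return False


def parse_config(text):
    """Return (set of global commands, {interface: attributes})."""
    globals_, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):            # top-level command
            current = None
            if line.startswith("interface "):
                current = line.split(" ", 1)[1]
                # NX-OS defaults: access port, normal port type, all VLANs allowed
                interfaces[current] = {"mode": "access", "port_type": "normal", "allowed": "all"}
            else:
                globals_.add(line)
            continue
        if current is None:
            continue
        if line == "switchport mode trunk":
            interfaces[current]["mode"] = "trunk"
        elif m := re.fullmatch(r"spanning-tree port type (edge|network|normal).*", line):
            interfaces[current]["port_type"] = m.group(1)
        elif m := re.fullmatch(r"switchport trunk allowed vlan (.+)", line):
            interfaces[current]["allowed"] = m.group(1)
    return globals_, interfaces


def trunk_carries_vlan1(allowed):
    """Interpret the allowed-VLAN spec; the default 'all' includes VLAN 1."""
    allowed = allowed.strip()
    if allowed == "all":
        return True
    if allowed == "none":
        return False
    if allowed.startswith("except "):
        return not vlan_in_list(1, allowed[len("except "):])
    return vlan_in_list(1, allowed)


def audit(text):
    """One finding per interface plus WARN lines for the two checks."""
    globals_, interfaces = parse_config(text)
    vtp_enabled = "feature vtp" in globals_
    findings = []
    for name, attrs in sorted(interfaces.items()):
        port_type = attrs["port_type"]
        ba = "operational" if port_type == "network" else "not operational"
        findings.append(f"{name}: port type {port_type}, Bridge Assurance {ba}")
        if port_type == "edge" and attrs["mode"] == "trunk":
            findings.append(f"{name}: WARN edge port on a trunk; confirm it faces a single end station")
        if vtp_enabled and attrs["mode"] == "trunk" and not trunk_carries_vlan1(attrs["allowed"]):
            findings.append(f"{name}: WARN VLAN 1 not allowed on trunk; VTP will not work over this link")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(RUNNING_CONFIG)))
```

On the sample config the script reports Bridge Assurance as operational only on Ethernet1/1 (the network port), warns about Ethernet1/2 because its allowed list drops VLAN 1 while feature vtp is on, and asks for a review of Ethernet1/4, an edge port configured on a trunk.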

Understanding Nexus -- Part 12 -- VLAN Configs

VLANs provide Layer 2 separation boundaries for unicast, multicast, and broadcast packets. Even on Nexus, the VLAN configuration is the same as in IOS.

First, there are some facts you should know.
  • Each VDC supports 4094 VLANs.  VLANs 3968-4047 and 4094 are reserved for internal use.
  • VLANs 1 – 3967 and 4048 – 4094 are configurable (3968-4047 and 4094 are reserved for internal use – The CLI will not let you configure them)
  • VLAN 1 is the default VLAN and cannot be deleted
  • Once a VLAN is created, it automatically goes in the “active” state - Use the shutdown command to disable a VLAN
  • VLAN 1006 – 3967 and 4048 – 4093 cannot be disabled with the shutdown or the state suspend command – they are always “active”
  • When you delete a specified VLAN, the ports associated to that VLAN are shut down and no traffic flows.
  • However, the system retains all the VLAN-to-port mappings for that VLAN, and when you re-enable or re-create that VLAN, the system automatically reinstates all the original ports to it.
  • Commands entered in the VLAN configuration submode are immediately executed.
Here is a short table for your reference.


VLAN Numbers              Range                 Usage
1                         Normal                Cisco default. You can use this VLAN, but you cannot modify or delete it.
2-1005                    Normal                You can create, use, modify, and delete these VLANs.
1006-3967 and 4048-4093   Extended              You can create, name, and use these VLANs. The state is always active and the VLAN is always enabled; you cannot shut down these VLANs.
3968-4047 and 4094        Internally allocated  These 80 VLANs and VLAN 4094 are allocated for internal device use. You cannot create, delete, or modify any VLANs within the block reserved for internal use.


Configuring VLAN


There are a lot of options you can configure for a VLAN. Here is the help output for VLAN config mode.

switch(config)# vlan 10
switch(config-vlan)# ?
  ip              Configure IP features
  media           Media type of the VLAN
  name            Ascii name of the VLAN
  no              Negate a command or set its defaults
  remote-span     Enable remote span VLAN
  service-policy  Configure service policy for an interface
  shutdown        Shutdown VLAN switching
  state           Operational state of the VLAN
switch(config-vlan)# name email-vlan
switch(config-vlan)# state active
switch(config-vlan)# no shutdown
switch(config-vlan)# vlan 11-19         --- To configure a range
switch(config-vlan)# vlan 20,30         --- To configure a range
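The rules in the table and bullet list above (the internally reserved block, extended VLANs that are always active, VLAN 1 that cannot be deleted, and the 11-19 / 20,30 range syntax) can be checked offline before a change is pasted into a switch. The Python example below is added here and is not from the original post; it dry-runs a constructed list of config and config-vlan commands and returns one verdict per command. The verdict wording and the small set of commands it understands are choices of the example, not NX-OS output.

```python
import re

# VLAN ranges from the table above.
INTERNAL = set(range(3968, 4048)) | {4094}                 # 80 internal VLANs plus 4094
EXTENDED = set(range(1006, 3968)) | set(range(4048, 4094))


def expand_vlans(spec):
    """Expand NX-OS VLAN syntax such as '11-19' or '20,30' into a sorted list."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return sorted(vlans)


def classify(vlan):
    """Return the table's range class for one VLAN ID."""
    if vlan == 1:
        return "default"
    if 2 <= vlan <= 1005:
        return "normal"
    if vlan in EXTENDED:
        return "extended"
    if vlan in INTERNAL:
        return "internal"
    raise ValueError(f"VLAN {vlan} is outside 1-4094")


def check_vlan_commands(commands):
    """Dry-run config / config-vlan commands against the table rules.

    Returns one verdict string per command. `selected` mirrors config-vlan
    mode: shutdown / state apply to the VLANs named by the last vlan command.
    """
    verdicts, selected = [], []
    for cmd in commands:
        if m := re.fullmatch(r"(no )?vlan ([\d,\-]+)", cmd):
            vlans = expand_vlans(m.group(2))
            internal = [v for v in vlans if classify(v) == "internal"]
            if internal:
                verdicts.append(f"{cmd}: rejected, {internal[0]} is reserved for internal use")
            elif m.group(1) and 1 in vlans:
                verdicts.append(f"{cmd}: rejected, VLAN 1 cannot be deleted")
            elif m.group(1):
                verdicts.append(f"{cmd}: ok, VLAN deleted and its ports shut down (mapping retained)")
            else:
                selected = vlans             # created VLANs are active immediately
                verdicts.append(f"{cmd}: ok, {len(vlans)} VLAN(s) active")
        elif cmd in ("shutdown", "state suspend"):
            frozen = [v for v in selected if classify(v) == "extended"]
            if frozen:
                verdicts.append(f"{cmd}: rejected, extended VLAN {frozen[0]} is always active")
            else:
                verdicts.append(f"{cmd}: ok")
        else:
            verdicts.append(f"{cmd}: ok (not checked)")
    return verdicts


if __name__ == "__main__":
    # Constructed command list exercising each rule.
    sample = ["vlan 10", "name email-vlan", "shutdown", "vlan 2000", "shutdown",
              "vlan 3970", "no vlan 1", "vlan 11-19", "vlan 20,30", "no vlan 10"]
    print("\n".join(check_vlan_commands(sample)))
```

The interesting verdicts are the rejections: shutting down VLAN 2000 fails because it sits in the extended range, VLAN 3970 cannot be created because it is in the internal block, and VLAN 1 cannot be deleted. Everything in 2-1005 passes, and a range such as 11-19 expands to nine VLANs.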