- 1900 series routers for small branch office they support wan connectivity up to 25 M also called ISRG2 with two intergrated Gig ports.
- 3900 series for medium and large branch office support up to 375 Mbps ,for example in 3945 we have 3 intergrated Gig ports and we can installed T3/E3 card based on bandidth requirement of site.
- ASR1002 -for large branch office and HuB topology.
- Cisco Catalyst 2960G 24 and 48-Port Switches is EOL ,is replaced with 2960 X seris that is with 24 port and 48 ports switches, support stacking,provide backplance of 80 GBPS.
Total 10/100/1000 Ethernet Ports 24 or 48 Uplinks 2x10 GE (SFP+) or 4x1 GE (SFP) options FlexStack+ Optional on all LAN Base AND IP-Lite models PoE/PoE+ Power Available 370W or 740W
- Small branch office - up to 50 users .for small branch its not neccessary to have mutlilayer architecture.
- Medium branch - up to 100 users .for medium/large we should have mutlilayer architecture to provide high availiblity and resilency,
- Large branch - up to 200 users or more
- Two modes trasnport ,tunnel mode
- Transport mode only data packet is encrypted
- Tunnel mode - ESP header is placed between new IP header and data
|-----Encrypted---------------| Data | Original IP Header | ESP Header | New IP Header
- In Transport mode only the data is encrypted, and the original IP header is places in front of the ESP header.
|--Encrypted-----| Data ------ | ESP Header | Original IP Header
- Encryption algo -DES,3DES,AES
Phase 1 - authenticatation of IPsec peers and negotiation of SA to provide secure communication channel for phase 2 Phase 2 - data is tranfered based on SA parameters exhange and keys stored in SA database. Phase 1 - securty poiclies are negotiated,Diffe helman exchange ( used to genrate the preshared keys) ,authentication of remote peer
- Tranform sets-consist of encryption algo,authication algo,key length proposed.
- Diffe helman -public key exchange method that alows two peers to establish shared secret key.
- Secret preshared keys are manuualy entered to authiticate the remote Peer.
- SA consist of encryption algo ,authtication algo ,destination adress ,key lenghth and life time of tunnel .
- Each SA has life time based on two factors either amount of data transfered or time in seconds.
1. Define ISAKMP polciy 2. Define tranform set includes encryptio and data intergrity also 3. create ACL for intersting traffic 4. create crypto map which matches previously defined paramters 5. apply crypto on outgoing interface.
- We want to use RSA Keys instead of preshared key then isakmp identity need to be defined
crypto isakmp policy 1 authentication rsa-encr group 2 lifetime 240 crypto isakmp identity hostname
- Protocol 50-ESP traffic
- Protocol 51-AH traffic
- udp 500-ISKMP Traffic
- ISAKMP: Authenticates the peers, Determines if Authentication is preshared ot RSA-ecryption, and prepares the SA which includes group(length of key in Bits) and lifetime of the tunnel.
- IPSEC Trasnform set determines the encyption protocol AH/ESP with Data Encryption standards(DES/3DES) for the data to be trasported across the secure tunnel & esp-sha-hmac defines the key stregth and hashing algorithm for sharing keys
- Mode (Tunnel/Transport can be defind in trasform set only.
- All traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet against the filter, which can be a slow process.
- A stateful firewall like the ASA, however, takes into consideration the state of a packet:
- Is this a new connection?
- If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the "session management path," and depending on the type of traffic, it might also pass through the "control plane path."
- The session management path is responsible for the following tasks:
Performing the access list checks Performing route lookups Allocating NAT translations (xlates) Establishing sessions in the "fast path"
- Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
- Is this an established connection? sa
- If the connection is already established, the ASA does not need to re-check packets; most matching packets can go through the "fast" path in both directions. The fast path is responsible for the following tasks:
IP checksum verification Session lookup TCP sequence number check NAT translations based on existing sessions Layer 3 and Layer 4 header adjustments
- Data packets for protocols that require Layer 7 inspection can also go through the fast path.
- Labels are locally significant between two attached devices .Once the mpls ip is enabled lables are advertised for connected interfaces and IGP learned routes.
- MPLS label - 32 bit
First 20 bits label value 20-22 - Experimental bits for qos 23 - BoS - bottom of stack bit to signify the bottom label in stack 24-32 - TTL vaule
- MPLS label is placed between layer 2 and lyer 3 header know as shim headder.
- FEC-group or flow of packets that are forwaded along the same path with same treatment.
- Protocol used to distribute labels are LDP, TDP and RSVP TDP is cisco propriatry. There is formation of LIB which contains local binding and remote binding from all the LSR, what extacly the remote binding need to be used based on best route in Ip routing table information is populated in LFIB.
- LDP is used for neighbour discovery over udp port 646 on multicast address 22.214.171.124
- For neighbor adjancy on tcp port 646.
- Label advertisemnt is for IGP connected interfaces and IGP leanred routes.
- How does router determine wheather it is ip packet or labeled - there is protocol field is layer 2 frame ,that tell router to look the cef for ip packet or to look LFIB.
- In order to see extract from LFIB:
sh mpls forwading-table
- LFIB can be also seen as:
sh mpls forwading-table prefix length
- MPLS Stack operatios (Push, pop, swap, Untagged, aggregate - summaristion is performed on router, to remove the lable and perform IP lookup)
- Labels 0 to 15 are reserved lables - lable 0 is explict null lable, lable 3 is implict null lable, label 1 router alert, label 14 OAM alert label
- Use of Implict null lable is penultimate hop popping.
- Explict null lable is used to reserve the Qos information.
- Inorder to change the mpls lable range - mpls lable range 16 to 10 lakh
- MPLS LDP works on UDP protocol 646 and LDP hello messages are sent over multicast address 126.96.36.199
- Inroder to check labels are received or not - sh mpls ldp discovery detail
- COMMAND LINES FOR MPLS:
IP CEF MPLS LABEL PROTOCOL TDP / LDP MPLS IP SH MPLS LDP INTERFACE sh MPlS LDP NEIGHBOR sh MPLS FORWADING TABLE SIMMILAR TO sH IP ROUTE.
- PHP - Penultimate Hope Popping which says that device next to last hop in the path is going to remove the label for the optimisation of lable lookup so that end device doesnot need to perform two looks while sending the traffic to end customer.
- So to acomplish this router which is next to last hop send implicit null label for all its connected and loopbackinterfaces.
- Note for any destination which is one hop away in mpls forwading tabel we are going to see POP LABEL.
- P routers in the core doesnot need to know the full reachbilty of customer routing information as they just swicthed the packets based on labels.
- FOR MPLS to work correctly we need to enable BGP next hop self command for the EBGP updates to propagate over IBGP PEER with next hop information for loopback interface. If the BGP peering is formed not over loopbacks between PE'sinstead of phyical interfaces peerring will be formed but it will lead to black hole as the pHP will cause third last hop to perform POP operation and traffic will be forwared to next to last hop as ip packet for which it doesnt have information for the destination.
- The isssue is PHP get processed one hop too soon.
- MPLS basis consist of two comonents
1) VRF's -separatation of customer routing information using vrf's per interface 2) exchange of routing information using MP-BGP.
- VRF's without MPLS is called VRF lite. When using VRF's lite route distingusiher is only locally significant.
- When we create VRF's any packet that comes to interface in VRF then the routing loopkup is done on that VRF's.
- VNPV4 route- RD+IPV4 prefix (makes vpnv4 routes unique globly (RD is 8 byte).
- mpls vpn label - PE route exchange lable for each customer route via VPNV4.
- Transport label- to tranport packet across remote PE.
- RT_route target is used to tell the PE which VRF route belongs and its BGP extented community attribute.
- If we are running EIGRP over VRF's then we need to specify the autonomus system inside the vrf's separately else EIGRP adjancy will not be formed over EIGRP.
- Route Target export- to advertise the routes from vrf into BGP.
- Route Target import -To import the routes from BGP into VRF.
- Between the PE's routers peering will be done globaly however customer routes will be redistributed in address-famil vpnv4.
- Please note while configuring vpnv4 we need to acitivate the vpnv4 capabilty with remote-peers.
- loop prevention mechanism for route-target - the route will not import any prefix into vrf unless it is specified.
- Packet structure:
Layer2 header-Transport+VPN--IP header-Layer4 header----Payload
- So when the traffic reaches from remote PE to PE on other side it will just refer to VPN label to see which exitinterface or VRF packet belongs too.
- Steps for MPLS once basic connectvity and MPLS is enabled on interface in MPLS n/w
1. Create VRF with route distingusiher+RT 2. Assign VRF to interfaces 3. RUN VRF aware routing process betweem PE to CE 4. ESTABLISH VPNV4 PEERS 5. Redistriute subnet from VRF to BGP and vice versa.
- SHAM links are basically creation of Virtual links between PE running BGP network and extending OSPF domain over mpls.
- When we are running OSPF between PE to CE and rediribute ospf routes into bGP and vice versa there is addtion ospf attibutes that is attached in BGP VPNV4 routes.
- So on other PE sidte when this routes are rediributed back from BGP to ospf these attributes helps where the redisributes routes to place in OSPF database as type 1,2,3,4,or 5.
- Additional attributed encoded from OSPF to BGP is like expample ( OSPF domain id ) which is created by the the local process id running if the ospf process id is same as doamin id in VPNV4 prefix, the routes are injected in OPSF database as Type 3 LSA even if they are redistributed from BGP to OSPF.
- If the domain id do not match the routes are leanred as type 5 for other vpn site.
- So if we have backdoor link between two sites, backdoor link is always perfered instead of MPLS, so to avoid it we create a SHAM links over PE's like GRE tunnel to extend the OSPF domain over MPLS. So when the routes are reditrbuted from BGP to OSPF as Intra-area routes rather than inter-area.
- How to create SHAM links
1. Allocate a address between the PE's reachable over mpls 2. under OSPF for that VRf create adjancy over PE's
router osps 1 vrf c area 0 shamlink source address destination address
- OSPF path selection creteria - if we have two routes learned as Inter area routes but one of route is leanred BY ABR in backbone area and other via ABR in over non backbone area, prefix is always preferd by backbone area.
- Loop prevention mechanism for OSPF changes when its being used as Layer 3 MPLS.
- Using OSPF Between PE/CE customer routes are sent as Type 3 LSA so this sent as DN(down) bit set so if the same route is recieved BY PE on other side it will make PE aware not to redistibute the route back in BGP.
- Cabailty VRF lite command under OSPF process is used to ignore down bit and TyPE 3 lSA will not installed in routing table.
- For Type 5 LSA either we need to do with DOWN bit or route TAG to prevent the loop.
Commands for switching
- Note - Layer 2 header contains source mac, des mac, ether type, ether type fields tells the process next layer 3 protocol like ipv4, ipv6.
sh int fa0/1 switchport ( trunk, access, administrative mode ) sh int trunk ( ports which are trunk ) sh spanning tree vlan 1 ( to check wheather traffic is forwaded in spanning tree )
- If we have layer 2 ether channel then if we do sh spanning tree output it should show individual port channel group in output rather than individually phsyical links else we have issue.
- On the switch we have root port and designate port, all the traffic from root port will be forwaded towards root bridge.
- If the two switches are in differnt VTP domain, as long as they have trunking set between them is correct they will not effect the broadcast domain -Good
- Two ways to change priorty for root bridge
spaniing tree vlan 2 root primary spanning tree vlan 2 priorty lesser than 32768
- In spanning tree one of election for root port on non route bridge is based path cost that is local to interface
- In 3560 swicth by default PVST+ is enabled
- Auto -Auto -results in access port
- access mode-Dynamic desirable -Access port
- tunk with nonnegotiate ---auto -Because switch on left side is not sending DTP frames.
- Best practises of truking -mode trunk and non negotiate, Trunk negotaition are done on DTP when using DTP both the ends should in same VTP domain
- When frame traverse the trunk link it is marked over truking protocol and on receiving end VID is removed before sending to access link
ISL and 802.1Q
- ISL -encapulsate entire frame, it dos not native vlan traffic, orginal frame unmodifed, ISL adds 26 byts header and 4 bytes trailer.range of isl 1-1024.
- 802.1Q-insert 4 byte tag, does not tag the frame that belong to native vlan, additonal tag includes priroty field, extending qos support, 4096 Vlans, 1-4096.
- Inorder to maintain identical information of vlan database, VLAN information is propagatd over trunk links in same VTP domain, VTP information is advertized over trunk links only.
- VTP is layer 2 messaging protocol. Three version of VTP (1,2,3).
- Limitaion of VTP version 1,2 - extended VLAN funstionality was only used in when switch is configured in transparent mode, so the VTP version 3 is used.
Server mode - create, del, modify, send and forward advertizements, syn vlan database, store information in nvram Transparent mode - create, del, modify local Vlan, forward advertizements, no syn vlan database, store information in nvram Client mode - cannot create, del, modify vlans, forward advertizements, syn vlan database, do not store information in nvram.
Important: when ver new switch is added make sure its configration revision is less than any other swiches in VTP doamin else if it is high then it will erase all the vlan information of server and client
to protect that either add switch in transpanrent mode or in differnt domain.
- For VTP configration requires VTP domain ,password ,VTP mode on each switch .sh VTP status or VTP counters.
- VTP pruning -used to remove unnessary flooding of brodcast traffic on the network.
- STP is used to avoid unwanted loops in the environment.
- STP created one refernce point in n/w that is called root of tree, based on rerfernce point decides whether there is redundant path in the n/w.
- Layer 2 forwading - By default CAM table entries got aged out every 300 sec
- We can also create static mac address table entry in cam - command (mac-address-table static mac-address VLAN id interface type)
- Bridge segments collsion domain dose not segmets broadcast doamin.
- Root bridge - selection is based on bPDU contains bridge id which is combination of mac address and priorty (both are chosen lower) on root bridge both the ports are DP.
- Then there is selection of root port on non root bridge.
- For root port selection is based on following paramteters (lower root bride id, lowest path to root brige, lowest sender bridge id, lowest port priority, lowest port id.
- For every lan segment -there is secltion of DP (selection is based on root id creteria)
- 802.1d states:
Disabled Blocking (listen to incoming BPDU) Listening Learning Forwading (tranmit BPDU)
- Hello time - Default is 2 seconds, time interval in which subsequent configration BPDU send root bridge, for non root bridge TCN BPDU is 2 sec.
- Forward delay - time interval swich port spends in listening and learning states, default time is 15 second.
- Maximum age - time when max age is timed out is 20 seconds when the BPDU is aged out.
- In case if any interface flap (up/down states) switch will send the TCN BPDU untill it reach root bridge, root bridge will send the configration BPDU with TC flag set and each switch will will rebuild its mac table based on forwarding delay time. Default is 300 sec. Total time is 17 seconds.
- Total time the port trantion from blocking to forwadig state is 30 seconds
- Port fast feature - When we enable port fast on the port so TCN BPDU is send in case of Topolgy change and port directly transtion to forwading state. So there are chances that port fast enabled port could cause STP loops if the accidently switch is installed on that port, to prevent this we use BPDU Guard along with STP.
- We can manully select the root bridge:
spanning tree VLAn vlanid priotry (bridge priority)
- We can set mannualy to become one bridge to be root bridge:
spanning tree vlan vlanid root (primary, secondary, diameter)
- We can aslo set the path cost:
spanning tree vlan vlanid cost
- Port id is 16 bit -8 bit port priorty + 8 bit port number
spanning tree vlan vlanid port priority
- RSTP have rapid convergence time (discadring, listening, forwading)
- RSTP works on port rules instead of rely on BPDU from root bridge.
- RSTP-root port, DP, Alternate port is back up of root port (have two up links), back up port (given segment active ling fail and there is no path to reach root then back up port become active.
- IN RSTP all the full duplex ports are point to point links, BPDU are exchanged between swiches in form of proposal and agreement, once the given port is selected as DP and other switch send agrements message, RSTP convergys quickly by through RSTP handhake.
- HSPR-Provide redudancy of the gateways ,HSRP exchange the HSRP hello message on 188.8.131.52
- VRRP-In VRRP we can use real ip add of router as virtual address, IEE standard,router with highestest priorty is master router and other acts a back and VRRP messages are send on multicast address 184.108.40.206 ,Default interval is 1 second and preemtion is enabled by default.
- GLBP -uses concept of AVG and one router act as primary while other act as backup ,AVG assign virtual macs to AVF,and it is AVF's which forwrd the packets based on virual mac's assgin by AVG.,
- GLBP communicate over hello packets send every 3 seconds on multicast address (220.127.116.11),GLBP suppots up to 1024 vrtual routers.
- This table shows the support of MST in Catalyst switches and the minimum software required for that support.
Catalyst Platform MST with RSTP -- (12.1 or higher ) Catalyst 2900 XL and 3500 XL Not Available Catalyst 2950 and 3550 Cisco IOS\AE 12.1(9)EA1 Catalyst 3560 Cisco IOS 12.1(9)EA1 Catalyst 3750 Cisco IOS 12.1(14)EA1 Catalyst 2955 All Cisco IOS versions Catalyst 2948G-L3 and 4908G-L3 Not Available Catalyst 4000, 2948G, and 2980G (Catalyst OS (CatOS)) 7.1 Catalyst 4000 and 4500 (Cisco IOS) 12.1(12c)EW Catalyst 5000 and 5500 Not Available Catalyst 6000 and 6500 (CatOS) 7.1 Catalyst 6000 and 6500 (Cisco IOS) 12.1(11b)EX, 12.1(13)E, 12.2(14)SX Catalyst 8500
Spaning tree features
Spaning tree features that helps in reducing covergence time
Used for access layer ports, Ports directly transtion to forwading state with out going to lisening and learing states.
- Uplink fast
Used in case of one of uplink goes down, Root port and alternate port forms uplink group, If the root port goes down alternate port directyly transtion to forwading state with out going to lisening and learing states.
- Backbone fast
In case of indirect link failure, switch on where backbone fast is enabled receice inferior BPD's from Desiganting switch anouncing it self as root bride, On receiving the inferior BPDUS it will expire the max aga time immediatelly and reconverge the toplogy. Backbone fast helps in optimisation of max-age timer, should be implemented globally. Switch determine that path to root bridge has gone down so send the RLQ out all its ports and once the root bridge recieve the RLQ and send the response back and port receving the response can transtion to forwading the state
Places a port into a passive negotiating state, in which the port responds to PAgP packets it receives but does not start PAgP packet negotiation. This setting minimizes the transmission of PAgP packets. This mode is not supported when the EtherChannel members are from different switches in the switch stack (cross-stack EtherChannel).
Places a port into an active negotiating state, in which the port starts negotiations with other ports by sending PAgP packets. This mode is not supported when the EtherChannel members are from different switches in the switch stack (cross-stack EtherChannel).
CISCO 3750 Stacking
- All stack members are eligible stack masters. If the stack master becomes unavailable, the stack members that remain participate in the election of a new stack master from among themselves
- Switches should have same ios for stack memeber to be fully functional ,if there is major version misimatch then switch will not join the stack however if there is minor version mismacth it will upgrade the switch to become fully functional.
- The default stack member number of a 3750 switch is 1. When it joins a switch stack, its default stack member number changes to the lowest available member number in the stack. Stack members in the same switch stack cannot have the same stack member number. Every stack member, which includes a standalone switch, retains its member number until you manually change the number or unless the number is already used by another member in the stack.
Provisioning of switch
- You can use the offline configuration feature to provision (to supply a configuration to) a new switch before it joins the switch stack.
- In advance, you can configure the stack member number, switch type, and interfaces associated with a switch that are not currently part of the stack.
- The configuration that you create on the switch stack is called the provisioned configuration.
- The switch that is added to the switch stack and that receives this configuration is called the provisioned switch.
- You manually create the provisioned configuration through the switch stack-member-number provision type global configuration command.
- The provisioned configuration also is automatically created when a switch is added to a switch stack that runs Cisco IOS Release 12.2(20)SE or later and when no provisioned configuration exists.
switch 2 provision ws-c3750-48ts
- Remove switch from stack:
no switch 2 provision ws-c3750-48ts
Spaning tree security features
Spanning Tree enhancements
- Bpdu Guard
Enable on the edge ports, connected to the hosts. If bpdu is reveived on these interfaces, it will put the interface in shudown state.
- Bpdu Filter
Enable on edge ports It dont send and recieve bpdu if enabled, if bpdu received, drop the bpdu, port goes, through normal stp states.
- Root guard
Root guard prevent the switch to become root bridge, It is enabled on the designated ports of root switch, so that if those ports listen to the superior BPDU then put that port in inconsistent state.
- Loop Guard
Spanning Tree Loop Guard helps to prevent loops when you use fibre links. STP is not able to detect Layer 1 issue, Enable alternate ports/backup ports when Loop Guard detects that BPDUs are no longer being received on a non-designated port, the port is moved into a loop-inconsistent state instead of transitioning to the listening/learning/forwarding state and idealy it can be enabled on all the ports.should be enabled on non-designated ports. Actually, Loopguard is a method of protecting against unidirectional links. In order for spanning tree to function correctly, any link participating in the STP have to be bidirectional. If a link should become unidirectional, through a cable failure or interface fault, spanning tree could unblock a link which would cause a loop. UDLD (UniDirectional Link Detection) is a Cisco proprietary protocol that will detect this condition. Loopguard is what you would use if you didn't have Cisco switches at each end of the link in question. Based on the various design considerations, you can choose either UDLD or the loop guard feature. In regards to STP, the most noticeable difference between the two features is the absence of protection in UDLD against STP failures caused by problems in software. As a result, the designated switch does not send BPDUs. However, this type of failure is (by an order of magnitude) more rare than failures caused by unidirectional links. In return, UDLD might be more flexible in the case of unidirectional links on EtherChannel. In this case, UDLD disables only failed links, and the channel should remain functional with the links that remain. In such a failure, the loop guard puts it into loop-inconsistent state in order to block the whole channel. Additionally, loop guard does not work on shared links or in situations where the link has been unidirectional since the link-up. In the last case, the port never receives BPDU and becomes designated. Because this behaviour could be normal, this particular case is not covered by loop guard. UDLD provides protection against such a scenario. Loopguard is not able to detect misiwring problem but UDLD able to detect this and UDLD is using its own layer 1 keepalive message.
- DHCP snooping - allowed confgration of trusted and untrusted ports, trusted will sorurce all the DHCP messages and untrusted will source on DHCP request, if the rouge DHCP server tries to reply the DHCP request DHCP snopping will make this port shut.
DHCP option 82 - in which port number is also added in DHCP request.
- Spanning port security feature only works if we have configured the port in statc access/trunk port, it won't work with port in dynamic mode.
We can bind the mac address with switchport port security command and if we use sticky what ever mac is learned over interface it will manually add to secure cam table and also add in running config. Second option is manaul create static enriers in CAM table.
- Storm control feature - used to limit the amount of unicast/mutlicast/broadcast packet recieved on interface. Simmilar to polcier in MQC.
- Port based ACL - is used to apply access list on layer 2 port but its only used to filter inbound traffic.
We can also use MAC based ACL but that is only used to restrict non-IP traffic.
- IP source guard (layer 2 port, Dyanmic arp inspection is for arp spoofing.
- Create a broadcast domain,PVlan allows splitting the domain into multiple isolated subdomains.
- Private Vlans - Promicious, Community, Isolated
- Promiciuos - Carry traffic for all the pvlans
- Community Vlan - Can only talk to ports in same community vlan and its promiciuos port
- Isolated - Can only talk to promicious port
- Primary VLAN - The primary VLAN carries traffic from the promiscuous ports to the host ports, both isolated and community, and to other promiscuous ports.
- For low end switches, there is command switchport mode protected act simmlar to isloated vlan, all those ports configured for protected donot talk to each other. Usually, ports configured as protected are also configured not to receive unknown unicast (frame with destination MAC address not in switch's MAC table) and multicast frames flooding for added security.
vlan 1000 Private vlan primary
vlan 1012 private vlan community
vlan 1013 private vlan Isolated
vlan 1000 private vlan association 1012,1013
1. int fa0/1
swicth port private-vlan 1000,1012 -each host port is member of two vlans . switch port private-vlan host
2. int fa0/2
switch port private-vlan 1000,1013 -isolocated port switch port private-vlan host
3. int vlan 1000
private vlan mapping 1012,1013 -promciuos port
- This example shows how to associate community VLANs 100 through 103 and isolated VLAN 109 with primary VLAN 5:
switch# configure terminal switch(config)# vlan 5 switch(config-vlan)# private-vlan association 100-103, 109
- This example shows how to configure the Ethernet port 1/12 as a host port for a private VLAN and associate it to primary VLAN 5 and secondary VLAN 101:
switch# configure terminal switch(config)# interface ethernet 1/12 switch(config-if)# switchport mode private-vlan host switch(config-if)# switchport private-vlan host-association 5 101
Layer 2 COS
- We need to enable MLS QOS,FOr switches we can do both the inbound and outbound queing ,whenever traffic hit the ingress port switch will first do cleassifcation/marking based on port configration ,then it goes to policer if configured to trasmit/remark/drop the traffic ,then it goes to inbound queing before it is transmitted .on swicthes when we enable MLS QOS and there is no trust boundary configured it will rewrite the traffic to ZERO.ss
- Ingress/EGRess -Packets are mapped to queue bases on DSCP/COS value.
- If the port is an access port or Layer 3 port, you need to configure the mls qos trust dscp command. You cannot use the mls qos trust cos command because the frame from the access port or Layer 3 port does not contain dot1q or ISL tag. CoS bits are present in the dot1q or ISL frame only.
- If the port is trunk port, you can configure either the mls qos trust cos or mls qos trust dscp command. The dscp-cos map table is used to calculate the CoS value if the port is configured to trust DSCP.
- Similarly, the cos-dscp map table is used to calculate the DSCP value if the port is configured to trust CoS.
- By default, the PC sends data untagged. Untagged traffic from the device attached to the Cisco IP Phone passes through the phone unchanged, regardless of the trust state of the access port on the phone. The phone sends dot1q tagged frames with voice VLAN ID 20. Therefore, if you configure the port with the mls qos trust cos command, it trusts the CoS values of the frames from the phone (tagged frames) and sets the CoS value of the frames (untagged) from the PC to 0. After that, the CoS-DSCP map table sets the DSCP value of the packet inside the frame to 0 because the CoS-DSCP map table has DSCP value 0 for the CoS value 0. * If the packets from the PC have any specific DSCP value, that value will be reset to 0. If you configure the mls qos cos 3 command on the port, it sets the CoS value of all the frames from the PC to 3 and does not alter the CoS value of the frames from the phone.
- Queing for 6500 -
Receive queue -1p1q4t -One priority queue and 1 standard queue wth 4 threshold . 1p1q8t ,1q2t
Transmit queue -1p3q4t ,1p7q8
- Chassis -6503/6503-E, 6504-E, 6506/6506-E, 6509, 6513 (13 slot chassis)
- Cisco has introduced new E series chasis.
- The first generation switching fabric was delivered by the switch fabric modules (WS-C6500-SFM and WS-C6500-SFM2), each providing a total switching capacity of 256 Gbps.
- More recently, with the introduction of the Supervisor Engine 720, the crossbar switch fabric has been integrated into the Supervisor Engine 720 baseboard itself, eliminating the need for a standalone switch fabric module.
- The capacity of the new integrated crossbar switch fabric on the Supervisor Engine 720 has been increased from 256 Gbps to 720 Gbps.
- The Supervisor Engine 720-3B and Supervisor Engine 720-3BXL also maintain the same fabric capacity size of 720 Gbps.
- 6509 - Sup cards on slots 5 and 6, supported sup - sup32&sup720
- 6513-13 slots - sup cards on 7th and 8th slot, sup32&sup720
- The Supervisor Engine 720-3B and Supervisor Engine 720-3BXL also maintain the same fabric capacity size of 720 Gbps.
- SUP32 - This supervisor engine provides an integrated PFC3B and MSFC2a by default
- Cards.supports 6700 series line cards
- SUp720-3B - same backplane capacity, It incorporates new PFC3B for addtionnal funcationality (mainly supports of mpls in hardware)
- Sup720-3BXl - It incorporates new PFC3BXL, It is functionally identical to the Supervisor Engine 720-3B, but differs in its capacity
- For supporting routes and NetFlow entries.
- Sup2T - incorporates MSFC5 (control plane functions) and PFC4 (hardware accelarated data plane function) cards, 2 Tbps Switch Fabric
- PFC4 supports addtional featuers Cisco TrustSec (CTS) and Virtual Private LAN Service (VPLS).
- The 2 Tbps Switch Fabric provides 26 dedicated 20 Gbps or 40 Gbps channels to support the new 6513-E chassis
- SUP2T- All new 6900 series modules
- All new 6800 series modules (again, WS-X6816-GBIC is not one of those)
- Those 6700 series modules that are equipped either with CFC or DFC4
- Some 6100 series modules
- The control plane funations are mainly performed by route processor situated on MFSc3 itself includes running process for running routing protocol ,addres resoltion ,maintaing SVI's ,...
- Switch processor looks after switching functions building layer 2 cam tables .. , all layer 2 protocols (SPaniing tree,VTP...)
- MFSC - maintains routing table does not participate in forwading the packets, it build cef table pushed down to PFC and DFCs.
- The PFC is a daughter card that sits on the supervisor base board and contains the ASICs that are used to accelerate Layer 2 and
- Layer 3 switching in hardware.
- Layer 2 funations -mac based forwading based on cam table , layer 3 functions forwading the packets using layer 3 look up.
- Classic line cards support a connection to the 32-Gbps shared bus but do not have any connections into the crossbar switch fabric.
- Classic line cards are supported by all generations of the supervisor engines, from the Supervisor Engine 1 through to the Supervisor Engine 720-3BXL
- Modes in SUP720
RPR - state information is not in syc - time taken to switchover is 2-4 minutes, traffic disrupption, IO modules are reloaded. RPR+ - state is partially intialized. need a addtional information to have the sytem in sych. switchover time is 30 to 60 seconds, IO modules are not reloded. SSO - fully synchronised
- To check the redundancy status:
- To set the redandancy mode
redundancy keepalive-enable mode sso main-cpu auto-sync running-config
- Sups supporting VSS-
VS-S720-10G-3C * VS-S720-10G-3CXL* Sup2T
- Stacking - VSS have single control plane as master while vpc is having two independent control planes
- Independant control and data plane , High availiabilty - Dual SUP, Power redundancy , line card reduandancy
7009,7010,7018 7009- 9 slots -Sup on 1 and 2 ,suppport of 5 Fabric chanel ,each fab channel provides 46 Gig backplane capacity so total of 5X46=230 per slot bandwidth 7010-10 slots -Sup on 5 and 6 ,suppport of 5 Fabric chanel ,each fab channel provides 46 Gig backplane capacity so total of 5X46=230 per slot bandwidth 7018-18 slots -Sup on 9 and 10 ,suppport of 5 Fabric chanel ,each fab channel provides 46 Gig backplane capacity so total of 5X46=230 per slot bandwidth
Sup supported -SUP1 which includes 4 VDC including default VDC - on default VDC you can allocate resource and perform data plane functions as well. SUP2- 4+1 VDC - extra one is admin vdc just for allocating resoucres, not passes data. SUP2E-8+1 VDC's - Require additional licence to add extra 4 VDC.
- Line cards supported - M and F series I/O module
- The initial series of line cards launched by cisco for Nexus 7k series switches were M1 and F1.
- M1 series line cards are basicaly used for all major layer 3 operations like MPLS, OTV, routing etc, however, the F1 series line cards are basically layer 2 cards and used for for FEX, FabricPath, FCoE etc.
- If there is only F1 card in your chassis, then you can not achieve layer 3 routing.
- You need to have a M1 card installed in chassis so that F1 card can send the traffic to M1 card for proxy routing.
- The fabric capacity of M1 line card is 80 Gbps.
- Since F1 line card dont have L3 functionality, they are cheaper and provide a fabric capacity of 230 Gbps.
- Later cisco released M2 and F2 series of line cards.
- A F2 series line card can also do basic Layer 3 functions, however, can not be used for OTV or MPLS.
- M2 line card's fabric capacity is 240 Gbps while F2 series line cards have fabric capacity of 480 Gbps.
- There are two series of Fabric modules, FAB1 and FAB2.
- Each FAB1 has a maximum throughput of 46Gbps per slot meaning the total per slot bandwidth available when chassis is running on full capacity, i.e. there are five FAB1s in a single chassis would be 230Gbps.
- Each FAB2 has a maximum throughput of 110Gbps/slot meaning the total per slot bandwidth available when there are five FAB2s in a single chassis would be 550Gbps.
- These are the FAB module capacity, however, the actual throughput from a line card is really dependent on type of line card being used and the fabric connection of the linecard being used.
- You can mix all cards in same vdc EXCEPT F2 card.
- The F2 card has to be on it's own VDC.
- You can't mix F2 cards with M1/M2 and F1 in the same VDC.
- As per cisco, its a hardware limitation and it creates forwarding issues.
M & M1Xl series are used for creating layer 3 routing functions, creation of SVI's, fex, OTV, trustsec - example - M132XP f- layer 2 functions, fabric path, vpc+, FCOE -F132XP, F248XP
- The current shipping I/O module do not leaverage full bandwidth max is 80 Gig for 10 Gig module
- In Ideal design we should have pair of M1 and F1 series module per VDC
- Depending on line cards we have shared mode Vs Dedicated mode
Shared mode - All the ports in port group share the bandwidth Dedicared Mode - first port in port group will get the entire bandwidth and rest of ports are disable Example - 32 Port 10 Gig IoModule -N7k-M132Xp-12 and back plane capacity of 80 gig
- Per port group will have 10 Gig bandwidth that can used as shared mode or dedicated mode
- Port group is combination of contiguous ports in odd and even numbering.
- 1 Gig module require 1 Fabric ie is 46 Gig and 2 Fab for N+1 redundancy
- 10 Gig -require 2 FABric and 3 for N+1 redundancy
- VoQ's -are virtual output queues, is called virtual as it resides on Ingrees I/O module but represnt egress bandwidth capacity.
- VoQ's are managed by central arbiter.
- Nex 5000 & 5500 - Mainly used for layer 2 only (Access layer)
5000 -5010, 5020 5500 -5548, layer 2 only but supports for layer 3 card as well.
- Nex2k- act as remote line cards for 7k and 5k.
- Once we have connected the downlink ports from 7kor 5k, enable the feature fex parent swicth will automatically discover fex switch.
- We need to configure uplink port on parent switch with switchmode fex, fex associate number.
- Once the featuer is enabled and ports and cables are connected it start pulling the IOS from its parent switch.
- Once the fex is online you can see the port number on parent swicth as int(fexassociatenumber)1/x.
Note - Downlink ports on parent switch need to configure with switchmode fex, fex associate no and there is no configration required on ports on fex switch connectected uplink port.
- Nex2k -Doesnot support local swictinig... if two host in same vlan connected to 2k are tring to communicate, then communication will happen through parent switch.
- These fexed ports are pinned to uplink connected to parent switch. All management is done from parent switch.
- Two types of pinning - Static pinning & Dynamic Pinning
- Issue with static piining - Once the uplink fail b/w nex2k and parent switch all the piined fexed port need to mannual move to other uplink to make it operational while on dynamic piining its automatically redistribued
- Nex 5k -Support static pinning and vpc when we connect Nex 2k.
- Nex 7k - Not all the line cards support Fex, only support port channel when we connect Nex 2k to 7k
- All the fexed ports are considered as edge ports from STP point of view and there is BPDU guard is enabled on this.
- CFS- Cisco fabric services is used to syn configration and control box between chasis.
- Mangement interface is out of band connectivity as this is separte management vrf.
- VDC is virtual device context used for virtuallization of hardware (both control plane and data plane)
- Allocate resource in VDC - can allocate M1, F1, M2 but not F2 cards apart from its own vdc.
- VDC 1 is default VDC - used to create/delete/suspend other vdc, allocate resoucres, system wide qos, ethanalizer, NX-Os upgrade across all the vdc.
- From default vdc we can use switchto command to move to other vdc, switch back to return to default vdc.
- Creating an Admin VDC:
Enter the system admin-vdc command after bootup. The default VDC becomes the admin VDC. All the nonglobal configuration in the default VDC is lost after you enter this command. This option is recommended for existing deployments where the default VDC is used only for administration and does not pass any traffic.
You can change the default VDC to the admin VDC with the system admin-vdc migratenew vdc name command. After entering this command, the nonglobal configuration on a default VDC is migrated to the new migrated VDC. This option is recommended for existing deployments where the default VDC is used for production traffic whose downtime must be minimized.
- CMP port is associated in SUP 1 - used a console access to SUP as separte kickstart and system image then chasis.
- Non default vdc has two separate user roles
- vdc admin - has read /write access to vdc
- vdc operator -read only access to vdc.
- vdc high availiablity polciy - based on single sup / or dual Sup
Bridge Assurance and Network Ports
- Cisco NX-OS contains additional features to promote the stability of the network by protecting STP from bridging loops.
- Bridge assurance works in conjunction with Rapid-PVST BPDUs, and is enabled globally by default in NX-OS.
- Bridge assurance causes the switch to send BPDUs on all operational ports that carry a port type setting of "network", including alternate and backup ports for each hello time period.
- If a neighbor port stops receiving BPDUs, the port is moved into the blocking state.
- If the blocked port begins receiving BPDUs again, it is removed from bridge assurance blocking, and goes through normal Rapid-PVST transition.
- This bidirectional hello mechanism helps prevent looping conditions caused by unidirectional links or a malfunctioning switch.
- Bridge assurance works in conjunction with the spanning-tree port type command.
- The default port type for all ports in the switch is "normal" for backward compatibility with devices that do not yet support bridge assurance; therefore, even though bridge assurance is enabled globally, it is not active by default on these ports.
- The port must be configured to a spanning tree port type of "network" for bridge assurance to function on that port.
- Both ends of a point-to-point Rapid-PVST connection must have the switches enabled for bridge assurance, and have the connecting ports set to type "network" for bridge assurance to function properly.
- This can be accomplished on two switches running NX-OS, with bridge assurance on by default, and ports configured as type "network" as shown below.
Cisco Nexus 7009-- sUP IN slot 1 and Slot 2 Cisco Nexus 7010-- Cisco Nexus 7018-- Line card Capacity differ in different modules...
- Two type of line cards are available :
1) M sERIES: Layer 3 cards--svi, ospf, otv, Can be layer 2, Trust Sec Fex
2) F Series : Layer 2 cards only F2 SUPPORT fabric Path, VPC+, FCOE
- Cisco Nexus 5k :Used Mainly layer 2 switches
5000--5020 and 5010 5500--5548 and 5596
- Nexus 2k: Remote line card
VDC: Seprate control plan per vdc Why use vdc : Diffrent roles per chassis per vdc Multiple tenanats Test users for later production use
vdc limitation : 4 vdc in sup 1- vdc 1 default vdc used for allocating resoureces ,system vide Qos ,passes traffic as well . 4 vdc + 1 in sup 2- 4 vdc passes traffic but 1 is admin vdc only for allocating resources does not passes traffic . 8 + 1 vdc in sup 2e
Default vdc 1 is default can not be removed.
VPC-two independ control planes ,to syn the state information we use VPC Peer link.when we create vpc domain id ,it creates unique system mac for the peer devices that present the downstream devices as a single logical unit ,the system mac information is present in LACP system id which is combination of priority and mac address. In case of orphan ports each vpc peer uses it own local system mac .
based on lowest priorty there is selection of VPC primary and seconday , in case of primary goes down and recovers vpc secondary will still be seconday peer however operational role will primary.
Prmary peer is responsible for reply to arp broadcast and stp BPDU information.
Two type of inconsistency while formation of peers .
type 1 - global which incldues stp parameters ,stp mode ,port type ,stp revision no
- vpc interface configration ( speed ,duplex ,allowed vlans , on/active)
type 2 - HRSP sysncronsation ,mac age time for BPDU ,glbp syscorinsation ,SVI ,IGMP snooping ,vlan data base... etc.
VPC Peers - two phsyical switches .vpc design is possible only when we have two remote peers .
Peer link -to sys control plane information ,layer 2 link simmilar to VSL link in VSS. use CFS ( cisco fabric services to sys the control plane information). Peer link- not used for data plane .
keepalive link- Layer 3 link to make sure both the chasis are active ,as heartbeat in the control plane use UDP ping also used to prevent split brain situation(dual active).
VPC member ports -downstream ports facing towards end servers that is forming port channel used for data plane forwading .
from spanning tree point of view we don't have any blocking ports . what ever vlans we are allowing on VPC port channel same no of vlans should be allowed on peer link.
oder of creation of vpc .
1. establish ip connectivity for VPC Keep alive link 2. enable feature for vpc and lacp. 3. create vpc domain . 4. define keepalive peer address 5. create port channel for vpc peer link -if this goes down then there will be services failure so should have redandancy. 6. verify vpc consistency paramteres .( speed ,duplex ,allowed vlan on member ports ) 7. disable vpc menmber ports 8. configure vpc member port 9 enable vpc member port.
VPC Peer link get down -
The range of values is 1 to 65636, and the default value is 32667. The switch with lower priority will be elected as the vPC primary switch. If the peer link fails, vPC peer will detect whether the peer switch is alive through the vPC peer keepalive link. If the vPC primary switch is alive, the vPC secondary switch will suspend its vPC member ports to prevent potential looping while the vPC primary switch keeps all its vPC member ports active. when the vPC peer-link is down then both vPC peers will not be seen or acting a one virtual switch to the downstream switch and this will revert back to traditional STP and may cause a potential loop as well as the downstream switch is multi homed and this will end up to L2 loops
second case once the secondary vpc peer disable its member port and vpc primary peer got failed ? in this case both the chassis will be disabled and traffic will not be passed ...
vpc auto recovery feature is there to avoid above situation.
Senario 2: peer-link up and running, keepalive link down
Q1: According to the cisco official docs, it seems that nothing is affacted by this failure and the only reaction is that peer-link will act as keepalive link temporarily. So, end users will not be aware of this failure at all, Am I right?
Yes, cfs still running in the peer-link.
Senario 3: both peer-link and keepalive link are down, split-brain scenario will be formed
orphan ports - like if we have server connected with single link on vpc domain can lead to issues for that server for rest of the connectivity.
in ideal design use M cards for Keepalive link and use pair of F cards for peer link.
VPC roles -when we configure the vpc for port channeling one of chaisi act as primary other as a seconday if both the chasis are primary then we have dual active conditon or split brain condition.
VPC Loop avoidance -if the frame arrive through vpc memeber port crossing vpc peer link it will not allow to exit through member port unless all the remote members ports are up. ALso vpc loop avoidance is reprogammed in dataplane based on state information of vpc member ports .
In double-sided vPC, two access switches are connected to two aggregation switches whereas in single-sided vPC, one access switch is connected to two aggregation switches.
VPC+ -running fabric path and vpc together .
FHRP- In case of HSRP/VRRP/GLBP using vpc ..when we configure one chais as active and other as standby for Layer 3 gateway ,some how remote host forward the traffic to standy VPC peer ,the standby vpc peer will not forward the traffic using peer-link for active HSRP gateway address istead it will forward out the traffic for the destination out its ports as if it is active member of HSRP group ,so both acts as active -active .Peer gateway feature must be enables while configering vpc with HSRP to avoid traffic over PEER link.
Fabric path -layer 2 routing ,eliminates need of STP also called mac-in-mac out routing .
Terminology in fabric path 1.Leaf switch -connects CE domain to FP doamin 2.spine switch -All the ports are in FP domain 3.FP core ports -links omnm leaf to spine or spine to spine switches (switches in core ) command line -Switchport mode fabricpath. IS_IS used in the fabric path core for layer 2 routing .
Advantages of IS-IS-Uses its own layer 3 tranport protocol and IPV4 or IPV6 is not required .
Fabric path uses concept of Fabric path switch id -automatically genrated -simmilar to ospf router id and the switch ids are part of new TLV's defines in FP protcol.
Fabric path support ECMP-Equal cost mutlipathing.. Fabric path is simmilar to Trill but FP is cisco proietry feature and trill is open standard.
Switch id -identifies the node in shortest path tree .
To mannual assign switch id -Fabric path switch-id
Fabric path data plane - CE frames are received on classical ethernet doamin are encapsulated with Fabric path header. hardware supported for fabric path -nex7k F1 and F2 cards and nex 5500 only ,5010 ,5020 donot suppot fabric path. Traffic is forwaded in FP domain used source and destination switch id's and SPT is calculated uses the same IS_IS or ospf routing protocol .
fabric path uses convention mac learning to learns the mac of soucre/destination.it will not learan mac as mac being leanred in traditional mac learning during arp flooding ,Spine swicthes will install the mac address in CAM table when there is bidirectional communication and ARP is send as unicast to get mac of remote host for layer 2 encapsualtion.
please note leaf switches must be root brides of spanning tree and they are demarcation point for st,spanning tree is not extened over FP. commands for fabric path
1. install feature-set fabric path
3. under vlan command
mode fabricpath- those vlans that need to tunneled over fabric path.
4. leaf switch - switchport mode fabricpath- for the upstream ports facing spine swicthes ..
spine switch -all the ports .
Fabric path runs on conversational mac learning insted of tradional mac learning ,in tradition mac learning one host need to send traffic to other host will send arp broadcast and switches in transient path populate the mac table .
in conversational mac leanring -all the devices in FP domain will have mac address of conntected host ,so if one host needs to communicate to other host over FP domain,it will initiate arp request and then mac address of remote host get populated on FP domain swicth and communication take place .
fabric path we don't get layer 2 loop and also they have TTL vlaue in data field to prevent indefinate loop if it occured .
OTV--layer 2 data centre interconnect technology ,layer 2 vpn over ipv4.,for oTV we should have understaning of SSM,ASM.
To setup FCOE
1.Enable FCoE on the switch.
2.Map a VSAN for FCoE traffic onto a VLAN. 3.Create virtual Fibre Channel interfaces to carry the FCoE traffic.
switch(config)# feature fcoe
switch(config)# vlan XXX
switch(config-vlan)# fcoe vsan YYY switch(config-vlan)# exit
switch(config)# interface vfc ZZ
switch(config-if)# bind interface ethernet 1/ZZ switch(config-if)# no shutdown switch(config-if)# exit
switch(config)# vsan database
switch(config-vsan-db)# vsan <number> interface vfc <number> switch(config-vsan-db)# exit
when we enable aaa new-model it will check for local autentication for line vty lines ,but we can log in through console ,Dot1x only works in conjection with radius configration and provide autthetication between client and switch
802.11 a/b - 5 ghz with 54 mbps and 2.4 ghz with 11 mbps 802.11 g- 2.4 ghz ,54 mbps transmission rate 802.11 n -2.4 or 5 ghz with 600 mbps 802.11 ac -5 ghz with 1 gbps
WLAN covered area -100 m /300 ft .
WMAN-802.16 -WIMAX to cover large geographical areas . SSID- AN AP can broadcast mutliple SSID over a single channel.
Roaming -client connected to one coverage area is moving to other coverage area (one AP to other AP).
Higer than frequency lower the wavelengh. AMplitude -there can be different level of powers to inject the signals in air .
SNR is measured in DBM ,its signal to noise ratio ...-50 SNR is good signal strength. SSID are maps to vlans either at WLC or autonomas AP but there is different encryption domain per SSID.As the wireless ,no separte broadcast doamin on wireless ,every one listem to management frame and discard the frame if it is not intented for them.
WCS manage the WLC ---AP's.
CUWN- manages all the AP's ,through WLC and Most of config is done through WLC.
LWAP and CAPWAP - relay lot of information from AP to WLC that coverage ,interference that AP is expering ,client data encapsulated in CAPWAP protocol ,ALSO information about RSSI and SNR what client is getting .
LWAP -12222 &12223 (control and data),IPV4,encrpt control data only
CAPWAP-5246,5247,IPV4 and IPV6,NAT traversal,uses different option for DHCP based AP association,encrpt data via DTLS (datagram trasport layer securty ,P-MTU discovery.
CLient data is send to AP - relay to WLC ,WLC decpatulate 802.11 header and elcapsulate 803.1 header with 803.1Q TAG based on SSID on which traffic is received .
WLC -performs RRM -dyanamic channel assignments.
WLC modes -LAyer 2 mode -AP and controller in same subnet (not used at all now )and LAyer 3 subnet -AP and controller are in differnt subnet.
CLient roaming -
Layer 2 roaming - that includes moving over from one AP to other and intercontroller movemnet -in case of interconroller client data base is send across to other contoller so the client is not required to reauthicate again.
Layer 3 roaming -controler on different subnet.when client moves from one controlelr to other controller in differnt subnet ,first controler see the client has moved to other controller and does the mobiltiy anoucement so copy of client data base is send to second controller with the entry marked as anchor and remote controller marks it forigen entry,howver client address is still retained ,all the traffic sent over to second controller will send acorss to first controller as tunneled traffic and forward to destination.
Requirments for seamless roaming - controllers in same moblity group,same SSID,same code of version ,same acl ,same virtual ip address,same capwap mode.
Anchor mobility - is used in Guest access to send the traffic from guest users to specifc WLC in enterprise enviorment.
Wirless security- symetric encrption -both using same key at both the ends to decrypt the traffic . Asymetric encryption -uses pair of public and private key ,data will be encrpted using public key and sent to me and I will use private key to decrpt the data (public certificates).
Layer 2 authication and encryption-
open authtication -open to all .
WEP( Wired equivalent protocol)- authetication is open or shared ,confidentiality is mainted through CRC check ,Encryption using 128 bit key .
setps -client sends authentication request ,AP respond by sending clear text message ,client encrypt using encrypted packet and respond to AP,AP comapre the response using static wep key.
LEAP- light weight extensible protocol -Better than EAP ,but it was nonstandar so depricated .
WPA-Wifi protected access (WPA) -uses 802.1x for key managment and authentication,TKIP for encryption and data integrity.
WPA2-802.1x for key managment,strong encrption methods using AES-CCMP ,was designed using AES in mind .
802.1x -origanlly used for wired network for authtication ,uses radius server for centralize management and uses EAP protocol for communication . EAP protcol is used between client and AP ,Radius protocol is used between AP and Server. Steps for 802.1x 1. client send authentication credentials to AP ,AP in truns forwards to ACS server using RAdius protocol ,Radius server send the respone back to AP ,AP in tuurns to client. 2. CLient then send the challenge to Radius server ,Radius server respond with validation ,client and radius server dervie the unique session keys ,passed to AP and AP cache the key which is used for encrpting data between client and AP.
EAP is used in genric terms ,actuall implemenation are EAP-FAST ,EAP-TLS,CISCO LEAP.....
like EAP-FAST uses active directory while EAP-TLS uses certificates .
Where encryption happend -Between AP and WLC form secure CAPWAP-DTLS tunnel using manafacture install certificates at both the devices to genrate public keys .WPA2/AES with PSK or 802.1x is used between client and AP .
Nexusus Swicthes MDS Switches- 9222i _running NXOS version.(Multi layer director switches (9200/9500),Support native fiber channel swicthes of TOR access or EOR aggregation , support of FCOE,FCIP ,ISCSI.
ACE-4710 _local application load balancing .
ACE -GSS 4400 -GSS _Globl site selector-DNS based global load balancing.
UCS-6248 Fabric intraconnect
C Series -Rack mount server
UCS Fabric intronnect -COntrol and managment for C and B series server.
B Series- Blade server chaisis,
DCNM-(Data centre network manager)
Nexsus 5k- End of row (EOR) aggregation or top of RAC Access and doesnot have reduandant Sup ,Support Unified IO support FCOE and native FC swicthing. Mainly support Layer 2 swicthing but there is add in module for layer 3 in 5548 &5596. Supports of Unified IO means support both ethernet and FCOE ,there is also 5548UP and 5596 UP support unified ports . Storage -like we create vlan and use VTP to advertise the vlan information we can use CFS to distrbiute the zonning information to other switches ,it like acl in wan.
Nexus 2 K - TOp of rack access swicthes.Support Unified IO support FCOE and no native FC swicthing like nex7k. Parent switch could be 5k or 7k.No local switching ,its VN TAG/802.1 BR SWITCH. Nex2k just uses the VN Tag to forward the frames.doesnot look at layer 2 header.
Nexus 7k having redandunt SUP use graceful restart/ NSF to signal other devices in network that switchover is taking place ,Goal is to keep sending the traffic during swicthover
Basically two roles in Graceful restart/NSF 1. NSF Capable device signal remote peer about the switchover and send a grace LSA like type 9 Opaque LSA in OSPF ,which will signal remote peer to hold down the control plance information until the switchover to take place.Traffic will contunue to send using data plane line cards.
2. NSF helper device- which understand the Graceful retart signals .
NS-OS ISSU & ISSD -SSO allow software upgrades or downgrades whithout traffic disruption.
1. Download image to flash 2. Upgrade the stanby sup 3. DO SSO standby sup become primary SUP -Command line (System switchover)
EPLD -Firmware required to upgrade the cards for certain functionality.- to check show version module x epld. 4. Upgrade the software on standby SUP.
OTV-Overlay Transport virtulization - Layer 2 VPN over IPV4,Layer 2 data centre intraconnect -Used for Virtual machine vmware mobilty.Same subnet across differnt datacentre commnuicating using OTV. Helps in optimisation of ARP request . STP is not spanned over DCI.
1. OTV edge device -Device running OTV feature . 2. Authorative Edge device - if we have mutliple devices for redanducny purpose and they are used to forward traffic for same set of vlans ,so AED is active router for that vlan and there is a election. 3.Extend vlan -VLans that are briging over OTV. 4. Site vlans -Internal vlan that is not extend over OTV. 5 OTV site identifier - Unique per DC site Shared between AED's . 6. Internal interface - Where the end host traffic is received . 7. Overlay interface -tunnell interface taht perform OTV encapsulation 8. OTV join interface -Layer 3 physical link taht is used to route the traffic upstream towards DCI cannot be loopback or SVI.
otv cONTROL GROUP -mUTLICAST ADDRESS USED TO DISCOVER remote sites in control plane .Uses IS_IS to advertise mac address b/w AED for the end devices. MAcs are advertised as mutlicast control group ,so DCI must support ASM.
OTV data group -to tunnel mutlicast traffic over OTV data planne.it uses SSM so AED devcies must run IGMPV3 to join source specific mutlicast.
OTV Adjacny server is used to remove the mutlicast requirment in the middle . one of AED is choosen as OTV adjancy servers and other AED register with AED server.Now all the end points are known.In this case all the data and control traffic is unicast as all the end points are known.
NX-OS -Storage Archtect
Stoarge High level componets : 1. Storage Arrays -physical dis -Block level access to servers.RADI -Physical writing is done on multiple disc for redundancy purpose. Please note SAN is differnt from DAS or NAS (anything which we need to login for file shares).
2. SAN swicthes -nex 5k,7K,MDS .MDS SWicthes can support mutltiple protocol conversions like IP routers like FC to FCOE,FC to ISCSI and FC to FCIP vice versa. Nexsus -support fibre channel ,doesnot support FCIP or ISCSI which is IP based.
3.HBA-Host Bus adapter-Server interface inorder to address storage network.Basically NIC card for SAN- used to connect servers and stoarges to SAN swicthes
NAtive fibre channel HBA- speed 1/2/4/8/16 GBPS. ISCSI HBA's -regular ethernet NIC cards but support ISCSI offload ,1/10 GBPS.
FCOE - CNA -unified IO - would be using in UCS C series chasis ,so this card can be used as ethernet or as FCOE traffic.
Nexsus 5558UP and 5596 UP will be used support both ethernet 1/10 GIg or 1/2/4/8 NAtive Fiber channel. to change the port type from ethernet to FC- slot 1 ---> port 24-34 type FC.
Nexsus is etherent switch does support FCOE but not navtive FC .-Supported on F1 and F2 modules. in case of F2 require sup 2/2E with.6.1 (1) or above .
Please note whatever model of hardware we use for storage should be in its OWN VDC .
Fiber channel - rplaces the tradditon locally attached disc with SCSCI cable over disc accessible over network. fiber channel is protocol static used to send SCISI data over SAN.
Fiber channel port types : N_port - Node port -END host where traget or initiatore resides in P2p topology. NL_port- End port in artibary loop topology. F_port- Fabric port which is a switch port. F_L port-Switches connected to NL_port. E_port-expansion port-Inter switch link- simmilar to trunking in ethernet. TE_port- Simmilar to dot1Q in ethernet.-used to trunk multiple VSANS across swicthes.
Fiber channel addressing : WWNs- 8 byte address burned in by manyfacturer.
WWNN - physical address of server, switch ,physical disc WWPN-physical address of ports of server, switch ,physical disc used in zoning to limit the traffic. HBAS in SAN world have mutliple physical ports can be used to access same physical disc denoted as mutliple VSANS.Each of these multiple ports get its own port name.
FCID- 3 byte logical address assigned by Fabric.Is used in data plane swicthing . consist of three parts 1. Domain ID -each switch gets its own domain ID.-identify switch in Fabric.is assigned by principle switch simmar to spanning tree root bridge or can be assigned mannualy. 2. Area id -set of ports on switch have a area id 3. port id -End station connected to switch have port id .
Fibre channel routing - Fabric shortes path first protocol is used to route traffic between swicthes.simmilar to router ids in ospf we have domain ids in FCID. support ECMP.runns automatically as Fabric service.
fiber channel is connection oriented aservice means end station need to register in the control plane of fabric before sending the traffiic . Registration consist of three parts 1. F logi -where Nport register with F port of fabric ,switch learns the WWNN and WWPN and assign the FCId to the node. can be checked using sh flogi database.
2. Plogi- initiator tells target it wants to talk . 3. process login ( PLRI) -Uperlayer login between node ports .
Fiber channel name server- Is simmilar to arp chache .-used to resolve WWNM to FCID.,this doesnot require configration.
VSAN -is the virtulization of SANs simmalar to VLAN.fiber channel service is going to run per vsan basis means (FLOGI,FCNS,Zoning etc per vsan).Isolates the management and failure domain .
Zoning is simmailar to acess-list in ip world,controls which initiator can talk to which Target and is required not optional.By default zoning policy is deny.
SOftzoning - Initiator register with fcns to get the zoning information.zoning is enforsed in control plane only ,intiator can mannualy mount the wrong Target.
Hard zoning - Initiator register with fcns to get the zoning information.zoning is enforsed in control plane and dataplane ,intiator cannot mannualy mount the wrong Target.Nx-OS /SAN-OS runs this by default.
Zone/zoneset -Zones is simmilar to acl entry is called in zoneset ,one zoneset can be applied to vsan and activated.
FC alliases -makes zoning configration simplier and can be distributed through mannual zone distribution. Device aliases are advertised through CFS.
SAN port channel -simmar to ethernet port channel, uses same numbering as ethernet port channel.Sh port channel usage command in nexsus to check unused port channel numbers.
Tyopically support three interface :
1. FC 2. Iscsi for low to mid range array 3.native FCOE (Newer arrays)-which can be direclty attached to fibre channel forwading switches ( like nex7k and nex5k).
Node port virtualization- as there is limitaion of domain ids max to 256 out of which some are reserved and only 239 are availiaable ,fixes the domain id problem by remving the switch not to be participated in Fabric services.switches that run NPV appear to rest of fabric as end host Upstream lport on NP swicth is called N_P port (proxy node port) and downstream port on NPIV switch is called F_Port.
Upstream switch or core switch runs NPIV feature and downstream device run in NPV mode and in NPV mode it allocated mutliple FCID's per port basis .
IPstorage features- FC vs FCOE -uper layer protocol will be same just the difference in layer 1 and layer 2 transport ,in FC it will be FCP in upper layer and layer 1 and layer 2 transport is FC while in FCOE ethernet is at layer 2 transport. FCIP was designed to do ISCSI read and writes over long distance which consist of FCP at upper layers followed by TCP then Ip headed then ethernet header.Native FC is sensitive to latency and drops so FCIP was designed.
ISCSI-inerternet small computers system interface-sending scsi commands over IP.completly different protocol stack than FC.used to small to medium range SAN's.No dedicated SAN swicthes required.ISCSI is not SAN switching ,storage is running IP, end host running IP, transport is running IP.MDS is used on protocol conversion between FC and ISSCI.
FCOE-is also called converged ethernet ,unified fabric,unified wire.
FCOE intiation protocol is FIP port that is end host . FCOE forwader (FCF) that is fabric switch . the device starts the negotiation is ENODE and uses virtual fiber interface on switch for registration purpose.
different port tyype - V_N -node port -end host side. V_F-virtual fabric port -switch port V_E- for trunking between switches.
IN fCOE we are replacing layer 1 and layer 2 transport as ethernet while all the upper layer services remaian the same which includes FCID,domain ids ,FCNS,FSPF.. etc. FIP is a control plane protocol used for negotition and uses a ether type 0x8914,used to discover FCF and perform Flogi. fcoe uses separate ether type 0x8906.
FCOE addressing- as ethernet uses 6 byes but FCID is 3 bytes so to make it 6 bytes ,Switch is configured with FCOE mac address that is appended to FCID result is 6 byte FPMA.
1.Configure VSAN 2 Associate VSAN to VLAN 3. configure virtual fiber channel interface 4. Bind physical interface to VFC 5. assign vfc to VSAN 6. configure physical interface as trunk to support ethernet lan traffic ,7. activate interfaces.