BGP OSPF Questions: Difference between revisions
m
→load balacing mehtods
(→=) |
|||
(41 intermediate revisions by the same user not shown) | |||
Line 2:
= Hardware =
*1900 series routers for small branch office they support wan connectivity up to 25 M also called ISRG2 with two intergrated Gig ports.
*rd
*3900 series for medium and large branch office support up to 375 Mbps ,for example in 3945 we have 3 intergrated Gig ports and we can installed T3/E3 card based on bandidth requirement of site.
*ASR1002 -for large branch office and HuB topology.
*Cisco Catalyst 2960G 24 and 48-Port Switches is EOL ,is replaced with 2960 X seris that is with 24 port and 48 ports switches, support stacking,provide backplance of 80 GBPS.
= 2960X =
Total 10/100/1000 Ethernet Ports 24 or 48
Uplinks 2x10 GE (SFP+) or 4x1 GE (SFP) options
FlexStack+ Optional on all LAN Base AND IP-Lite models
PoE/PoE+ Power Available 370W or 740W
= Architecture =
*Small branch office - up to 50 users .for small branch its not neccessary to have mutlilayer architecture.
*Medium branch - up to 100 users .for medium/large we should have mutlilayer architecture to provide high availiblity and resilency,
*Large branch - up to 200 users or more
= IPSEC =
*Two modes trasnport ,tunnel mode
*Transport mode only data packet is encrypted
*Tunnel mode - ESP header is placed between new IP header and data
|-----Encrypted---------------|
Data | Original IP Header | ESP Header | New IP Header
*In Transport mode only the data is encrypted, and the original IP header is places in front of the ESP header.
|--Encrypted-----|
Data ------ | ESP Header | Original IP Header
*Encryption algo -DES,3DES,AES
Phase 1 - authenticatation of IPsec peers and negotiation of SA to provide secure communication channel for phase 2
Phase 2 - data is tranfered based on SA parameters exhange and keys stored in SA database.
Phase 1 - securty poiclies are negotiated,Diffe helman exchange ( used to genrate the preshared keys) ,authentication of remote peer
*Tranform sets-consist of encryption algo,authication algo,key length proposed.
*Diffe helman -public key exchange method that alows two peers to establish shared secret key.
*Secret preshared keys are manuualy entered to authiticate the remote Peer.
*SA consist of encryption algo ,authtication algo ,destination adress ,key lenghth and life time of tunnel .
*Each SA has life time based on two factors either amount of data transfered or time in seconds.
1. Define ISAKMP polciy
2. Define tranform set includes encryptio and data intergrity also
3. create ACL for intersting traffic
4. create crypto map which matches previously defined paramters
5. apply crypto on outgoing interface.
*We want to use RSA Keys instead of preshared key then isakmp identity need to be defined
crypto isakmp policy 1
authentication rsa-encr
group 2
lifetime 240
crypto isakmp identity hostname
*Protocol 50-ESP traffic
*Protocol 51-AH traffic
*udp 500-ISKMP Traffic
*ISAKMP: Authenticates the peers, Determines if Authentication is preshared ot RSA-ecryption, and prepares the SA which includes group(length of key in Bits) and lifetime of the tunnel.
*IPSEC Trasnform set determines the encyption protocol AH/ESP with Data Encryption standards(DES/3DES) for the data to be trasported across the secure tunnel & esp-sha-hmac defines the key stregth and hashing algorithm for sharing keys
*Mode (Tunnel/Transport can be defind in trasform set only.
*All traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet against the filter, which can be a slow process.
*A stateful firewall like the ASA, however, takes into consideration the state of a packet:
*Is this a new connection?
*If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the "session management path," and depending on the type of traffic, it might also pass through the "control plane path."
*The session management path is responsible for the following tasks:
Performing the access list checks
Performing route lookups
Allocating NAT translations (xlates)
Establishing sessions in the "fast path"
*Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
*Is this an established connection? sa
*If the connection is already established, the ASA does not need to re-check packets; most matching packets can go through the "fast" path in both directions. The fast path is responsible for the following tasks:
IP checksum verification
Session lookup
TCP sequence number check
NAT translations based on existing sessions
Layer 3 and Layer 4 header adjustments
*Data packets for protocols that require Layer 7 inspection can also go through the fast path.
= MPLS =
* Labels are locally significant between two attached devices .Once the mpls ip is enabled lables are advertised for connected interfaces and IGP learned routes.
* MPLS label - 32 bit
First 20 bits label value
20-22 - Experimental bits for qos
23 - BoS - bottom of stack bit to signify the bottom label in stack
24-32 - TTL vaule
* MPLS label is placed between layer 2 and lyer 3 header know as shim headder.
* FEC-group or flow of packets that are forwaded along the same path with same treatment.
* Protocol used to distribute labels are LDP, TDP and RSVP TDP is cisco propriatry. There is formation of LIB which contains local binding and remote binding from all the LSR, what extacly the remote binding need to be used based on best route in Ip routing table information is populated in LFIB.
* LDP is used for neighbour discovery over udp port 646 on multicast address 224.0.0.2
* For neighbor adjancy on tcp port 646.
* Label advertisemnt is for IGP connected interfaces and IGP leanred routes.
* How does router determine wheather it is ip packet or labeled - there is protocol field is layer 2 frame ,that tell router to look the cef for ip packet or to look LFIB.
* In order to see extract from LFIB:
sh mpls forwading-table
* LFIB can be also seen as:
sh mpls forwading-table prefix length
* MPLS Stack operatios (Push, pop, swap, Untagged, aggregate - summaristion is performed on router, to remove the lable and perform IP lookup)
* Labels 0 to 15 are reserved lables - lable 0 is explict null lable, lable 3 is implict null lable, label 1 router alert, label 14 OAM alert label
* Use of Implict null lable is penultimate hop popping.
* Explict null lable is used to reserve the Qos information.
* Inorder to change the mpls lable range - mpls lable range 16 to 10 lakh
* MPLS LDP works on UDP protocol 646 and LDP hello messages are sent over multicast address 224.0.0.2
* Inroder to check labels are received or not - sh mpls ldp discovery detail
* COMMAND LINES FOR MPLS:
IP CEF
MPLS LABEL PROTOCOL TDP / LDP
MPLS IP
SH MPLS LDP INTERFACE
sh MPlS LDP NEIGHBOR
sh MPLS FORWADING TABLE SIMMILAR TO sH IP ROUTE.
* PHP - Penultimate Hope Popping which says that device next to last hop in the path is going to remove the label for the optimisation of lable lookup so that end device doesnot need to perform two looks while sending the traffic to end customer.
* So to acomplish this router which is next to last hop send implicit null label for all its connected and loopbackinterfaces.
* Note for any destination which is one hop away in mpls forwading tabel we are going to see POP LABEL.
* P routers in the core doesnot need to know the full reachbilty of customer routing information as they just swicthed the packets based on labels.
* FOR MPLS to work correctly we need to enable BGP next hop self command for the EBGP updates to propagate over IBGP PEER with next hop information for loopback interface. If the BGP peering is formed not over loopbacks between PE'sinstead of phyical interfaces peerring will be formed but it will lead to black hole as the pHP will cause third last hop to perform POP operation and traffic will be forwared to next to last hop as ip packet for which it doesnt have information for the destination.
* The isssue is PHP get processed one hop too soon.
* MPLS basis consist of two comonents
1) VRF's -separatation of customer routing information using vrf's per interface
2) exchange of routing information using MP-BGP.
* VRF's without MPLS is called VRF lite. When using VRF's lite route distingusiher is only locally significant.
* When we create VRF's any packet that comes to interface in VRF then the routing loopkup is done on that VRF's.
* VNPV4 route- RD+IPV4 prefix (makes vpnv4 routes unique globly (RD is 8 byte).
* mpls vpn label - PE route exchange lable for each customer route via VPNV4.
* Transport label- to tranport packet across remote PE.
* RT_route target is used to tell the PE which VRF route belongs and its BGP extented community attribute.
* If we are running EIGRP over VRF's then we need to specify the autonomus system inside the vrf's separately else EIGRP adjancy will not be formed over EIGRP.
* Route Target export- to advertise the routes from vrf into BGP.
* Route Target import -To import the routes from BGP into VRF.
* Between the PE's routers peering will be done globaly however customer routes will be redistributed in address-famil vpnv4.
* Please note while configuring vpnv4 we need to acitivate the vpnv4 capabilty with remote-peers.
* loop prevention mechanism for route-target - the route will not import any prefix into vrf unless it is specified.
* Packet structure:
Layer2 header-Transport+VPN--IP header-Layer4 header----Payload
* So when the traffic reaches from remote PE to PE on other side it will just refer to VPN label to see which exitinterface or VRF packet belongs too.
* Steps for MPLS once basic connectvity and MPLS is enabled on interface in MPLS n/w
1. Create VRF with route distingusiher+RT
2. Assign VRF to interfaces
3. RUN VRF aware routing process betweem PE to CE
4. ESTABLISH VPNV4 PEERS
5. Redistriute subnet from VRF to BGP and vice versa.
* SHAM links are basically creation of Virtual links between PE running BGP network and extending OSPF domain over mpls.
* When we are running OSPF between PE to CE and rediribute ospf routes into bGP and vice versa there is addtion ospf attibutes that is attached in BGP VPNV4 routes.
* So on other PE sidte when this routes are rediributed back from BGP to ospf these attributes helps where the redisributes routes to place in OSPF database as type 1,2,3,4,or 5.
* Additional attributed encoded from OSPF to BGP is like expample ( OSPF domain id ) which is created by the the local process id running if the ospf process id is same as doamin id in VPNV4 prefix, the routes are injected in OPSF database as Type 3 LSA even if they are redistributed from BGP to OSPF.
* If the domain id do not match the routes are leanred as type 5 for other vpn site.
* So if we have backdoor link between two sites, backdoor link is always perfered instead of MPLS, so to avoid it we create a SHAM links over PE's like GRE tunnel to extend the OSPF domain over MPLS. So when the routes are reditrbuted from BGP to OSPF as Intra-area routes rather than inter-area.
* How to create SHAM links
1. Allocate a address between the PE's reachable over mpls
2. under OSPF for that VRf create adjancy over PE's
router osps 1 vrf c
area 0 shamlink source address destination address
* OSPF path selection creteria - if we have two routes learned as Inter area routes but one of route is leanred BY ABR in backbone area and other via ABR in over non backbone area, prefix is always preferd by backbone area.
* Loop prevention mechanism for OSPF changes when its being used as Layer 3 MPLS.
* Using OSPF Between PE/CE customer routes are sent as Type 3 LSA so this sent as DN(down) bit set so if the same route is recieved BY PE on other side it will make PE aware not to redistibute the route back in BGP.
* Cabailty VRF lite command under OSPF process is used to ignore down bit and TyPE 3 lSA will not installed in routing table.
* For Type 5 LSA either we need to do with DOWN bit or route TAG to prevent the loop.
= Switching =
* Note - Layer 2 header contains source mac, des mac, ether type, ether type fields tells the process next layer 3 protocol like ipv4, ipv6.
sh int fa0/1 switchport ( trunk, access, administrative mode )
sh int trunk ( ports which are trunk )
sh spanning tree vlan 1 ( to check wheather traffic is forwaded in spanning tree )
* If we have layer 2 ether channel then if we do sh spanning tree output it should show individual port channel group in output rather than individually phsyical links else we have issue.
* On the switch we have root port and designate port, all the traffic from root port will be forwaded towards root bridge.
* If the two switches are in differnt VTP domain, as long as they have trunking set between them is correct they will not effect the broadcast domain -Good
* Two ways to change priorty for root bridge
spaniing tree vlan 2 root primary
spanning tree vlan 2 priorty lesser than 32768
* In spanning tree one of election for root port on non route bridge is based path cost that is local to interface
* In 3560 swicth by default PVST+ is enabled
* Auto -Auto -results in access port
* access mode-Dynamic desirable -Access port
* tunk with nonnegotiate ---auto -Because switch on left side is not sending DTP frames.
* Best practises of truking -mode trunk and non negotiate, Trunk negotaition are done on DTP when using DTP both the ends should in same VTP domain
* When frame traverse the trunk link it is marked over truking protocol and on receiving end VID is removed before sending to access link
== ISL and 802.1Q ==
* ISL -encapulsate entire frame, it dos not native vlan traffic, orginal frame unmodifed, ISL adds 26 byts header and 4 bytes trailer.range of isl 1-1024.
* 802.1Q-insert 4 byte tag, does not tag the frame that belong to native vlan, additonal tag includes priroty field, extending qos support, 4096 Vlans, 1-4096.
* Inorder to maintain identical information of vlan database, VLAN information is propagatd over trunk links in same VTP domain, VTP information is advertized over trunk links only.
* VTP is layer 2 messaging protocol. Three version of VTP (1,2,3).
* Limitaion of VTP version 1,2 - extended VLAN funstionality was only used in when switch is configured in transparent mode, so the VTP version 3 is used.
Server mode - create, del, modify, send and forward advertizements, syn vlan database, store information in nvram
Transparent mode - create, del, modify local Vlan, forward advertizements, no syn vlan database, store information in nvram
Client mode - cannot create, del, modify vlans, forward advertizements, syn vlan database, do not store information in nvram.
Important: when ver new switch is added make sure its configration revision is less than any other swiches in VTP doamin else if it is high then it will erase all the vlan information of server and client
to protect that either add switch in transpanrent mode or in differnt domain.
* For VTP configration requires VTP domain ,password ,VTP mode on each switch .sh VTP status or VTP counters.
* VTP pruning -used to remove unnessary flooding of brodcast traffic on the network.
== STP ==
* STP is used to avoid unwanted loops in the environment.
* STP created one refernce point in n/w that is called root of tree, based on rerfernce point decides whether there is redundant path in the n/w.
* Layer 2 forwading - By default CAM table entries got aged out every 300 sec
* We can also create static mac address table entry in cam - command (mac-address-table static mac-address VLAN id interface type)
* Bridge segments collsion domain dose not segmets broadcast doamin.
* Root bridge - selection is based on bPDU contains bridge id which is combination of mac address and priorty (both are chosen lower) on root bridge both the ports are DP.
* Then there is selection of root port on non root bridge.
* For root port selection is based on following paramteters (lower root bride id, lowest path to root brige, lowest sender bridge id, lowest port priority, lowest port id.
* For every lan segment -there is secltion of DP (selection is based on root id creteria)
* 802.1d states:
Disabled
Blocking (listen to incoming BPDU)
Listening
Learning
Forwading (tranmit BPDU)
* Hello time - Default is 2 seconds, time interval in which subsequent configration BPDU send root bridge, for non root bridge TCN BPDU is 2 sec.
* Forward delay - time interval swich port spends in listening and learning states, default time is 15 second.
* Maximum age - time when max age is timed out is 20 seconds when the BPDU is aged out.
* In case if any interface flap (up/down states) switch will send the TCN BPDU untill it reach root bridge, root bridge will send the configration BPDU with TC flag set and each switch will will rebuild its mac table based on forwarding delay time. Default is 300 sec. Total time is 17 seconds.
* Total time the port trantion from blocking to forwadig state is 30 seconds
* Port fast feature - When we enable port fast on the port so TCN BPDU is send in case of Topolgy change and port directly transtion to forwading state. So there are chances that port fast enabled port could cause STP loops if the accidently switch is installed on that port, to prevent this we use BPDU Guard along with STP.
* We can manully select the root bridge:
spanning tree VLAn vlanid priotry (bridge priority)
* We can set mannualy to become one bridge to be root bridge:
spanning tree vlan vlanid root (primary, secondary, diameter)
* We can aslo set the path cost:
spanning tree vlan vlanid cost
* Port id is 16 bit -8 bit port priorty + 8 bit port number
spanning tree vlan vlanid port priority
== RSTP ==
* RSTP have rapid convergence time (discadring, listening, forwading)
* RSTP works on port rules instead of rely on BPDU from root bridge.
* RSTP-root port, DP, Alternate port is back up of root port (have two up links), back up port (given segment active ling fail and there is no path to reach root then back up port become active.
* IN RSTP all the full duplex ports are point to point links, BPDU are exchanged between swiches in form of proposal and agreement, once the given port is selected as DP and other switch send agrements message, RSTP convergys quickly by through RSTP handhake.
== HSRP/VRRP/GLBP ==
* HSPR-Provide redudancy of the gateways ,HSRP exchange the HSRP hello message on 224.0.0.2
* VRRP-In VRRP we can use real ip add of router as virtual address, IEE standard,router with highestest priorty is master router and other acts a back and VRRP messages are send on multicast address 224.0.0.18 ,Default interval is 1 second and preemtion is enabled by default.
* GLBP -uses concept of AVG and one router act as primary while other act as backup ,AVG assign virtual macs to AVF,and it is AVF's which forwrd the packets based on virual mac's assgin by AVG.,
* GLBP communicate over hello packets send every 3 seconds on multicast address (224.0.0.102),GLBP suppots up to 1024 vrtual routers.
== MST ==
* This table shows the support of MST in Catalyst switches and the minimum software required for that support.
Catalyst Platform MST with RSTP -- (12.1 or higher )
Catalyst 2900 XL and 3500 XL Not Available
Catalyst 2950 and 3550 Cisco IOS\AE 12.1(9)EA1
Catalyst 3560 Cisco IOS 12.1(9)EA1
Catalyst 3750 Cisco IOS 12.1(14)EA1
Catalyst 2955 All Cisco IOS versions
Catalyst 2948G-L3 and 4908G-L3 Not Available
Catalyst 4000, 2948G, and 2980G (Catalyst OS (CatOS)) 7.1
Catalyst 4000 and 4500 (Cisco IOS) 12.1(12c)EW
Catalyst 5000 and 5500 Not Available
Catalyst 6000 and 6500 (CatOS) 7.1
Catalyst 6000 and 6500 (Cisco IOS) 12.1(11b)EX, 12.1(13)E, 12.2(14)SX
Catalyst 8500
== Spaning tree features ==
Spaning tree features that helps in reducing covergence time
* Portfast
Used for access layer ports, Ports directly transtion to forwading state with out going to lisening and learing states.
* Uplink fast
Used in case of one of uplink goes down, Root port and alternate port forms uplink group, If the root port goes down alternate port directyly transtion to forwading state with out going to lisening and learing states.
* Backbone fast
In case of indirect link failure, switch on where backbone fast is enabled receice inferior BPD's from Desiganting switch anouncing it self as root bride,
On receiving the inferior BPDUS it will expire the max aga time immediatelly and reconverge the toplogy.
Backbone fast helps in optimisation of max-age timer, should be implemented globally.
Switch determine that path to root bridge has gone down so send the RLQ out all its ports and once the root bridge recieve the RLQ and send the response back and port receving the response can transtion to forwading the state
== PAGP ==
* Auto
Places a port into a passive negotiating state, in which the port responds to PAgP packets it receives but does not start PAgP packet negotiation.
This setting minimizes the transmission of PAgP packets.
This mode is not supported when the EtherChannel members are from different switches in the switch stack (cross-stack EtherChannel).
* Desirable
Places a port into an active negotiating state, in which the port starts negotiations with other ports by sending PAgP packets.
This mode is not supported when the EtherChannel members are from different switches in the switch stack (cross-stack EtherChannel).
== CISCO 3750 Stacking ==
* All stack members are eligible stack masters. If the stack master becomes unavailable, the stack members that remain participate in the election of a new stack master from among themselves
* Switches should have same ios for stack memeber to be fully functional ,if there is major version misimatch then switch will not join the stack however if there is minor version mismacth it will upgrade the switch to become fully functional.
* The default stack member number of a 3750 switch is 1. When it joins a switch stack, its default stack member number changes to the lowest available member number in the stack. Stack members in the same switch stack cannot have the same stack member number. Every stack member, which includes a standalone switch, retains its member number until you manually change the number or unless the number is already used by another member in the stack.
== Provisioning of switch ==
* You can use the offline configuration feature to provision (to supply a configuration to) a new switch before it joins the switch stack.
* In advance, you can configure the stack member number, switch type, and interfaces associated with a switch that are not currently part of the stack.
* The configuration that you create on the switch stack is called the provisioned configuration.
* The switch that is added to the switch stack and that receives this configuration is called the provisioned switch.
* You manually create the provisioned configuration through the ''switch stack-member-number provision type'' global configuration command.
* The provisioned configuration also is automatically created when a switch is added to a switch stack that runs Cisco IOS Release 12.2(20)SE or later and when no provisioned configuration exists.
switch 2 provision ws-c3750-48ts
* Remove switch from stack
no switch 2 provision ws-c3750-48ts
== Spaning tree security features ==
== Spanning Tree enhancements ==
* Bpdu Guard
Enable on the edge ports, connected to the hosts.
If bpdu is reveived on these interfaces, it will put the interface in shudown state.
* Bpdu Filter
Enable on edge ports
It dont send and recieve bpdu if enabled, if bpdu received, drop the bpdu, port goes, through normal stp states.
* Root guard
Root guard prevent the switch to become root bridge, It is enabled on the designated ports of root switch, so that if those ports listen to the superior BPDU then put that port in inconsistent state.
* Loop Guard
Spanning Tree Loop Guard helps to prevent loops when you use fibre links.
STP is not able to detect Layer 1 issue, Enable alternate ports/backup ports when Loop Guard detects that BPDUs are no longer being received on a non-designated port, the port is moved into a loop-inconsistent state instead of transitioning to the listening/learning/forwarding state and idealy it can be enabled on all the ports.should be enabled on non-designated ports.
Actually, Loopguard is a method of protecting against unidirectional links. In order for spanning tree to function correctly, any link participating in the STP have to be bidirectional. If a link should become unidirectional, through a cable failure or interface fault, spanning tree could unblock a link which would cause a loop.
UDLD (UniDirectional Link Detection) is a Cisco proprietary protocol that will detect this condition.
Loopguard is what you would use if you didn't have Cisco switches at each end of the link in question.
Based on the various design considerations, you can choose either UDLD or the loop guard feature.
In regards to STP, the most noticeable difference between the two features is the absence of protection in UDLD against STP failures caused by problems in software.
As a result, the designated switch does not send BPDUs.
However, this type of failure is (by an order of magnitude) more rare than failures caused by unidirectional links.
In return, UDLD might be more flexible in the case of unidirectional links on EtherChannel.
In this case, UDLD disables only failed links, and the channel should remain functional with the links that remain.
In such a failure, the loop guard puts it into loop-inconsistent state in order to block the whole channel.
Additionally, loop guard does not work on shared links or in situations where the link has been unidirectional since the link-up.
In the last case, the port never receives BPDU and becomes designated.
Because this behaviour could be normal, this particular case is not covered by loop guard.
UDLD provides protection against such a scenario.
Loopguard is not able to detect misiwring problem but UDLD able to detect this and UDLD is using its own layer 1 keepalive message.
* DHCP snooping - allowed confgration of trusted and untrusted ports, trusted will sorurce all the DHCP messages and untrusted will source on DHCP request, if the rouge DHCP server tries to reply the DHCP request DHCP snopping will make this port shut.
DHCP option 82 - in which port number is also added in DHCP request.
* Spanning port security feature only works if we have configured the port in statc access/trunk port, it won't work with port in dynamic mode.
We can bind the mac address with switchport port security command and if we use sticky what ever mac is learned over interface it will manually add to secure cam table and also add in running config.
Second option is manaul create static enriers in CAM table.
* Storm control feature - used to limit the amount of unicast/mutlicast/broadcast packet recieved on interface. Simmilar to polcier in MQC.
* Port based ACL - is used to apply access list on layer 2 port but its only used to filter inbound traffic.
We can also use MAC based ACL but that is only used to restrict non-IP traffic.
* IP source guard (layer 2 port, Dyanmic arp inspection is for arp spoofing.
== VLAN ==
* Create a broadcast domain,PVlan allows splitting the domain into multiple isolated subdomains.
* Private Vlans - Promicious, Community, Isolated
* Promiciuos - Carry traffic for all the pvlans
* Community Vlan - Can only talk to ports in same community vlan and its promiciuos port
* Isolated - Can only talk to promicious port
* Primary VLAN - The primary VLAN carries traffic from the promiscuous ports to the host ports, both isolated and community, and to other promiscuous ports.
* For low end switches, there is command switchport mode protected act simmlar to isloated vlan, all those ports configured for protected donot talk to each other. Usually, ports configured as protected are also configured not to receive unknown unicast (frame with destination MAC address not in switch's MAC table) and multicast frames flooding for added security.
== Configure ==
vlan 1000
Private vlan primary
vlan 1012
private vlan community
vlan 1013
private vlan Isolated
vlan 1000
private vlan association 1012,1013
== Configure ports ==
1. int fa0/1
swicth port private-vlan 1000,1012 -each host port is member of two vlans .
switch port private-vlan host
2. int fa0/2
3. int vlan 1000
* This example shows how to associate community VLANs 100 through 103 and isolated VLAN 109 with primary VLAN 5:
switch# configure terminal
switch(config)# vlan 5
switch(config-vlan)# private-vlan association 100-103, 109
* This example shows how to configure the Ethernet port 1/12 as a host port for a private VLAN and associate it to primary VLAN 5 and secondary VLAN 101:
switch# configure terminal
switch(config)# interface ethernet 1/12
switch(config-if)# switchport mode private-vlan host
switch(config-if)# switchport private-vlan host-association 5 101
= Layer 2 COS =
* We need to enable MLS QOS,FOr switches we can do both the inbound and outbound queing ,whenever traffic hit the ingress port switch will first do cleassifcation/marking based on port configration ,then it goes to policer if configured to trasmit/remark/drop the traffic ,then it goes to inbound queing before it is transmitted .on swicthes when we enable MLS QOS and there is no trust boundary configured it will rewrite the traffic to ZERO.ss
* Ingress/EGRess -Packets are mapped to queue bases on DSCP/COS value.
* If the port is an access port or Layer 3 port, you need to configure the mls qos trust dscp command. You cannot use the mls qos trust cos command because the frame from the access port or Layer 3 port does not contain dot1q or ISL tag. CoS bits are present in the dot1q or ISL frame only.
* If the port is trunk port, you can configure either the mls qos trust cos or mls qos trust dscp command. The dscp-cos map table is used to calculate the CoS value if the port is configured to trust DSCP
* Similarly, the cos-dscp map table is used to calculate the DSCP value if the port is configured to trust CoS.
* By default, the PC sends data untagged. Untagged traffic from the device attached to the Cisco IP Phone passes through the phone unchanged, regardless of the trust state of the access port on the phone. The phone sends dot1q tagged frames with voice VLAN ID 20. Therefore, if you configure the port with the mls qos trust cos command, it trusts the CoS values of the frames from the phone (tagged frames) and sets the CoS value of the frames (untagged) from the PC to 0. After that, the CoS-DSCP map table sets the DSCP value of the packet inside the frame to 0 because the CoS-DSCP map table has DSCP value 0 for the CoS value 0. * If the packets from the PC have any specific DSCP value, that value will be reset to 0. If you configure the mls qos cos 3 command on the port, it sets the CoS value of all the frames from the PC to 3 and does not alter the CoS value of the frames from the phone.
* Queing for 6500 -
Receive queue -1p1q4t -One priority queue and 1 standard queue wth 4 threshold .
1p1q8t ,1q2t
Transmit queue -1p3q4t ,1p7q8
= 6500 Architecture =
* Cisco has introduced new E series chasis
* The first generation switching fabric was delivered by the switch fabric modules (WS-C6500-SFM and WS-C6500-SFM2), each providing a total switching capacity of 256 Gbps.
* More recently, with the introduction of the Supervisor Engine 720, the crossbar switch fabric has been integrated into the Supervisor Engine 720 baseboard itself, eliminating the need for a standalone switch fabric module.
* The Supervisor Engine 720-3B and Supervisor Engine 720-3BXL also maintain the same fabric capacity size of 720 Gbps.
* 6509 - Sup cards on slots 5 and 6, supported sup - sup32&sup720
* 6513-13 slots - sup cards on 7th and 8th slot, sup32&sup720
* The
6501676
* SUP32 - This supervisor engine provides an integrated PFC3B and MSFC2a by default
* Cards.supports 6700 series line cards
* SUp720-3B - same backplane capacity, It incorporates new PFC3B for addtionnal funcationality (mainly supports of mpls in hardware)
* Sup720-3BXl - It incorporates new PFC3BXL, It is functionally identical to the Supervisor Engine 720-3B, but differs in its capacity
* For supporting routes and NetFlow entries.
* Sup2T - incorporates MSFC5 (control plane functions) and PFC4 (hardware accelarated data plane function) cards, 2 Tbps Switch Fabric
* PFC4 supports addtional featuers Cisco TrustSec (CTS) and Virtual Private LAN Service (VPLS).
* The 2 Tbps Switch Fabric provides 26 dedicated 20 Gbps or 40 Gbps channels to support the new 6513-E chassis
* SUP2T- All new 6900 series modules
* All new 6800 series modules (again, WS-X6816-GBIC is not one of those)
* Those 6700 series modules that are equipped either with CFC or DFC4
* Some 6100 series modules
* The control plane funations are mainly performed by route processor situated on MFSc3 itself includes running process for running routing protocol ,addres resoltion ,maintaing SVI's ,...
* Switch processor looks after switching functions building layer 2 cam tables .. , all layer 2 protocols (SPaniing tree,VTP...)
* MFSC - maintains routing table does not participate in forwading the packets, it build cef table pushed down to PFC and DFCs.
* The PFC is a daughter card that sits on the supervisor base board and contains the ASICs that are used to accelerate Layer 2 and
; Layer 3 switching in hardware.
* Layer 2 funations -mac based forwading based on cam table , layer 3 functions forwading the packets using layer 3 look up.
* Classic line cards support a connection to the 32-Gbps shared bus but do not have any connections into the crossbar switch fabric.
* Classic line cards are supported by all generations of the supervisor engines, from the Supervisor Engine 1 through to the Supervisor Engine 720-3BXL
* Modes in SUP720
RPR - state information is not in syc - time taken to switchover is 2-4 minutes, traffic disrupption, IO modules are reloaded.
RPR+ - state is partially intialized. need a addtional information to have the sytem in sych. switchover time is 30 to 60 seconds, IO modules are not reloded.
SSO - fully synchronised
* To check the redundancy status:
show redundancy
* To set the redandancy mode
redundancy
keepalive-enable
mode sso
main-cpu
auto-sync running-config
VS-S720-10G-3C *
VS-S720-10G-3CXL*
Sup2T
*Stacking - VSS have single control plane as master while vpc is having two independent control planes
= Nexus Archetecture =
* Independant control and data plane , High availiabilty - Dual SUP, Power redundancy , line card reduandancy
7009,7010,7018
7009- 9 slots -Sup on 1 and 2 ,suppport of 5 Fabric chanel ,each fab channel provides 46 Gig backplane capacity so total of 5X46=230 per slot bandwidth
7010-10 slots -Sup on 5 and 6 ,suppport of 5 Fabric chanel ,each fab channel provides 46 Gig backplane capacity so total of 5X46=230 per slot bandwidth
7018-18 slots -Sup on 9 and 10 ,suppport of 5 Fabric chanel ,each fab channel provides 46 Gig backplane capacity so total of 5X46=230 per slot bandwidth
Sup supported -SUP1 which includes 4 VDC including default VDC - on default VDC you can allocate resource and perform data plane functions as well.
SUP2- 4+1 VDC - extra one is admin vdc just for allocating resoucres, not passes data.
SUP2E-8+1 VDC's - Require additional licence to add extra 4 VDC.
* Line cards supported - M and F series I/O module
* The initial series of line cards launched by cisco for Nexus 7k series switches were M1 and F1.
* M1 series line cards are basicaly used for all major layer 3 operations like MPLS, OTV, routing etc, however, the F1 series line cards are basically layer 2 cards and used for for FEX, FabricPath, FCoE etc.
* If there is only F1 card in your chassis, then you can not achieve layer 3 routing.
* You need to have a M1 card installed in chassis so that F1 card can send the traffic to M1 card for proxy routing.
* The fabric capacity of M1 line card is 80 Gbps.
* Since F1 line card dont have L3 functionality, they are cheaper and provide a fabric capacity of 230 Gbps.
* Later cisco released M2 and F2 series of line cards.
* A F2 series line card can also do basic Layer 3 functions, however, can not be used for OTV or MPLS.
* M2 line card's fabric capacity is 240 Gbps while F2 series line cards have fabric capacity of 480 Gbps.
* There are two series of Fabric modules, FAB1 and FAB2.
* Each FAB1 has a maximum throughput of 46Gbps per slot meaning the total per slot bandwidth available when chassis is running on full capacity, i.e. there are five FAB1s in a single chassis would be 230Gbps.
* Each FAB2 has a maximum throughput of 110Gbps/slot meaning the total per slot bandwidth available when there are five FAB2s in a single chassis would be 550Gbps.
* These are the FAB module capacity, however, the actual throughput from a line card is really dependent on type of line card being used and the fabric connection of the linecard being used.
* You can mix all cards in same vdc EXCEPT F2 card.
* The F2 card has to be on it's own VDC.
* You can't mix F2 cards with M1/M2 and F1 in the same VDC.
* As per cisco, its a hardware limitation and it creates forwarding issues.
M & M1Xl series are used for creating layer 3 routing functions, creation of SVI's, fex, OTV, trustsec - example - M132XP
f- layer 2 functions, fabric path, vpc+, FCOE -F132XP, F248XP
* The current shipping I/O module do not leaverage full bandwidth max is 80 Gig for 10 Gig module
* In Ideal design we should have pair of M1 and F1 series module per VDC
* Depending on line cards we have shared mode Vs Dedicated mode
Shared mode - All the ports in port group share the bandwidth
Dedicared Mode - first port in port group will get the entire bandwidth and rest of ports are disable
Example - 32 Port 10 Gig IoModule -N7k-M132Xp-12 and back plane capacity of 80 gig
* Per port group will have 10 Gig bandwidth that can used as shared mode or dedicated mode
* Port group is combination of contiguous ports in odd and even numbering.
* 1 Gig module require 1 Fabric ie is 46 Gig and 2 Fab for N+1 redundancy
* 10 Gig -require 2 FABric and 3 for N+1 redundancy
* VoQ's -are virtual output queues, is called virtual as it resides on Ingrees I/O module but represnt egress bandwidth capacity.
* VoQ's are managed by central arbiter.
* Nex 5000 & 5500 - Mainly used for layer 2 only (Access layer)
5000 -5010, 5020
5500 -5548, layer 2 only but supports for layer 3 card as well.
* Nex2k- act as remote line cards for 7k and 5k.
* Once we have connected the downlink ports from 7kor 5k, enable the feature fex parent swicth will automatically discover fex switch.
* We need to configure uplink port on parent switch with switchmode fex, fex associate number.
* Once the featuer is enabled and ports and cables are connected it start pulling the IOS from its parent switch.
* Once the fex is online you can see the port number on parent swicth as int(fexassociatenumber)1/x.
Note - Downlink ports on parent switch need to configure with switchmode fex, fex associate no and there is no configration required on ports on fex switch connectected uplink port.
* Nex2k -Doesnot support local swictinig... if two host in same vlan connected to 2k are tring to communicate, then communication will happen through parent switch.
* These fexed ports are pinned to uplink connected to parent switch. All management is done from parent switch.
;Pinning
* Two types of pinning - Static pinning & Dynamic Pinning
* Issue with static piining - Once the uplink fail b/w nex2k and parent switch all the piined fexed port need to mannual move to other uplink to make it operational while on dynamic piining its automatically redistribued
* Nex 5k -Support static pinning and vpc when we connect Nex 2k.
* Nex 7k - Not all the line cards support Fex, only support port channel when we connect Nex 2k to 7k
* All the fexed ports are considered as edge ports from STP point of view and there is BPDU guard is enabled on this.
* CFS- Cisco fabric services is used to syn configration and control box between chasis.
* Mangement interface is out of band connectivity as this is separte management vrf.
;VDC
* VDC is virtual device context used for virtuallization of hardware (both control plane and data plane)
* Allocate resource in VDC - can allocate M1, F1, M2 but not F2 cards apart from its own vdc.
* VDC 1 is default VDC - used to create/delete/suspend other vdc, allocate resoucres, system wide qos, ethanalizer, NX-Os upgrade across all the vdc.
* From default vdc we can use switchto command to move to other vdc, switch back to return to default vdc.
* Creating an Admin VDC:
Enter the system admin-vdc command after bootup.
The default VDC becomes the admin VDC.
All the nonglobal configuration in the default VDC is lost after you enter this command.
This option is recommended for existing deployments where the default VDC is used only for administration and does not pass any traffic.
You can change the default VDC to the admin VDC with the system admin-vdc migratenew vdc name command.
After entering this command, the nonglobal configuration on a default VDC is migrated to the new migrated VDC.
This option is recommended for existing deployments where the default VDC is used for production traffic whose downtime must be minimized.
* CMP port is associated in SUP 1 - used a console access to SUP as separte kickstart and system image then chasis.
* Non default vdc has two separate user roles
* vdc admin - has read /write access to vdc
* vdc operator -read only access to vdc.
* vdc high availiablity polciy - based on single sup / or dual Sup
== Bridge Assurance and Network Ports ==
* Cisco NX-OS contains additional features to promote the stability of the network by protecting STP from bridging loops.
* Bridge assurance works in conjunction with Rapid-PVST BPDUs, and is enabled globally by default in NX-OS.
* Bridge assurance causes the switch to send BPDUs on all operational ports that carry a port type setting of "network", including alternate and backup ports for each hello time period.
* If a neighbor port stops receiving BPDUs, the port is moved into the blocking state.
* If the blocked port begins receiving BPDUs again, it is removed from bridge assurance blocking, and goes through normal Rapid-PVST transition.
* This bidirectional hello mechanism helps prevent looping conditions caused by unidirectional links or a malfunctioning switch.
* Bridge assurance works in conjunction with the spanning-tree port type command.
* The default port type for all ports in the switch is "normal" for backward compatibility with devices that do not yet support bridge assurance; therefore, even though bridge assurance is enabled globally, it is not active by default on these ports.
* The port must be configured to a spanning tree port type of "network" for bridge assurance to function on that port.
* Both ends of a point-to-point Rapid-PVST connection must have the switches enabled for bridge assurance, and have the connecting ports set to type "network" for bridge assurance to function properly.
* This can be accomplished on two switches running NX-OS, with bridge assurance on by default, and ports configured as type "network" as shown below.
Cisco Nexus 7009-- sUP IN slot 1 and Slot 2
Cisco Nexus 7010--
Cisco Nexus 7018--
Line card Capacity differ in different modules...
* Two type of line cards are available :
1) M sERIES:
Layer 3 cards--svi, ospf, otv, Can be layer 2, Trust Sec
Fex
2) F Series :
Layer 2 cards only
F2 SUPPORT fabric Path, VPC+, FCOE
* Cisco Nexus 5k :Used Mainly layer 2 switches
5000--5020 and 5010
5500--5548 and 5596
* Nexus 2k: Remote line card
Line 1,475 ⟶ 851:
switch(config-vsan-db)# vsan <number> interface vfc <number>
switch(config-vsan-db)# exit
= Security =
Line 1,990 ⟶ 1,138:
UCS--
|