The Journey of a Network Engineer


February 27, 2011  7:41 AM

Errdisable Port State Recovery on the Cisco IOS



Posted by: Sulaiman Syed
Cisco, errdisable, ios, loopback, no shut, Port, recovery, shut

Ports in Cisco switches go into errdisable state for various reasons. Some causes must be configured explicitly, such as arp-inspection, bpduguard and psecure-violation, while others are on by default, such as loopback and link-flap. The output below shows the typical default configuration of a Cisco switch. Once a port goes into errdisable state, the only way to bring it back manually is with the shutdown and no shutdown commands.

Switch#show errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Disabled
channel-misconfig (STP)      Disabled
dhcp-rate-limit              Disabled
dtp-flap                     Disabled
gbic-invalid                 Disabled
inline-power                 Disabled
l2ptguard                    Disabled
link-flap                    Disabled
mac-limit                    Disabled
loopback                     Disabled
pagp-flap                    Disabled
port-mode-failure            Disabled
pppoe-ia-rate-limit          Disabled
psecure-violation            Disabled
security-violation           Disabled
sfp-config-mismatch          Disabled
small-frame                  Disabled
storm-control                Disabled
udld                         Disabled
vmps                         Disabled

Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
Switch#

Since we have implemented port security, limiting the number of MAC addresses allowed on a port (port-security), we wanted violations to recover automatically, so we added the following commands.

errdisable recovery cause psecure-violation

errdisable recovery interval 14400

This ensures the port comes back up automatically after 4 hours: long enough that shutting the port down tells the user he is doing something wrong, and short enough that it recovers in time without him having to contact the administrators.

Here is the output from the switch after adding the commands.

ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Disabled
security-violatio    Disabled
channel-misconfig    Disabled
vmps                 Disabled
pagp-flap            Disabled
dtp-flap             Disabled
link-flap            Disabled
psecure-violation    Enabled
sfp-config-mismat    Disabled
gbic-invalid         Disabled
dhcp-rate-limit      Disabled
unicast-flood        Disabled
storm-control        Disabled
loopback             Disabled

Timer interval: 14400 seconds
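An added Python example (not from the post) that parses this kind of "show errdisable recovery" output and checks it against a recovery policy, so the psecure-violation setting above can be audited across many switches instead of read by eye. The sample output is constructed, and the layout assumed for the pending-interface section is an assumption.

```python
import re

# Constructed sample modelled on the "show errdisable recovery" output above (not
# captured from a real switch); the pending-interface section follows the layout IOS
# prints after "Interfaces that will be enabled...", assumed here for the parser.
SAMPLE = """\
ErrDisable Reason    Timer Status
-----------------    --------------
bpduguard            Disabled
channel-misconfig (STP)  Disabled
link-flap            Disabled
psecure-violation    Enabled
storm-control        Disabled

Timer interval: 14400 seconds
Interfaces that will be enabled at the next timeout:

Interface      Errdisable reason      Time left(sec)
---------      -----------------      --------------
Fa0/7          psecure-violation      3120
"""

def parse_errdisable_recovery(text):
    """Return {'causes': {cause: enabled?}, 'interval': seconds, 'pending': [(intf, cause, secs)]}."""
    result = {"causes": {}, "interval": None, "pending": []}
    in_pending = False
    for line in text.splitlines():
        line = line.strip()
        parts = line.split()
        if not parts or parts[0].startswith("-"):            # blank or separator line
            continue
        m = re.match(r"Timer interval:\s+(\d+)\s+seconds", line)
        if m:
            result["interval"] = int(m.group(1))
        elif line.startswith("Interfaces that will be enabled"):
            in_pending = True
        elif in_pending:
            if len(parts) == 3 and parts[2].isdigit():         # header row has 5 words, skip it
                result["pending"].append((parts[0], parts[1], int(parts[2])))
        elif parts[-1] in ("Enabled", "Disabled"):             # cause may contain spaces, e.g. "(STP)"
            result["causes"][" ".join(parts[:-1])] = parts[-1] == "Enabled"
    return result

def audit(parsed, required=("psecure-violation",), max_interval=14400):
    """Policy check: every cause in `required` must auto-recover, the interval must not
    exceed max_interval (a port stuck in errdisable is an outage), and any port still
    waiting for recovery is reported so an operator can look at what tripped it."""
    findings = [f"recovery not enabled for {c}" for c in required if not parsed["causes"].get(c)]
    if parsed["interval"] is not None and parsed["interval"] > max_interval:
        findings.append(f"recovery interval {parsed['interval']}s exceeds {max_interval}s")
    for intf, cause, secs in parsed["pending"]:
        findings.append(f"{intf} is errdisabled ({cause}), recovers in {secs}s")
    return findings
```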

February 23, 2011  5:29 AM

How to design transparent proxy?



Posted by: Sulaiman Syed
Cisco, design, in-line, network, PBR, proxy, router, transparent, WCCP

Almost every organization uses a proxy. The benefits of proxy servers are countless; some of them are:

  • Add accounting
  • Add authorization
  • Reduce the load on the external (WAN) link

When the proxy is installed in a transparent setup it is easier for end users, since they don't have to configure the proxy explicitly in their browsers and applications. After all, not all users are computer savvy.

Most proxy appliances can be used transparently in a few ways:

  • By using WCCP
  • By using Policy Based Routing (multilayer switches)
  • By putting the proxy in bridge mode (in line with the traffic going to the router)

WCCP is a Cisco-developed content-routing protocol.

The main advantages:

  • Scalability—This feature allows clusters of up to 32 cache appliances.
  • Availability—Any cluster can be serviced by up to 32 different switches/routers. Load-balancing switches/routers are not required.
  • Ease of configuration—Caches and routers can automatically discover each other without explicit configuration.

The disadvantages:

  • Some implementations of WCCP are either not supported, or not supported very well, in Cisco's high-end switching routers.
  • A fair number of bugs and other implementation issues have been documented in specific Cisco IOS releases.
  • Stability has not been particularly consistent between the various trains or train revisions.

PBR is typically used as a Cisco feature, although technically it is layer 4 routing. The advantages of using Cisco PBR:

  • Its forwarding throughput is higher than with the WCCP approach in many cases, as PBR on Cisco equipment can be handled by Cisco Express Forwarding (CEF). As a result, forwarding throughput can be in the gigabit-per-second range.
  • Simplicity of configuration.

Disadvantages:

  • No mechanism to deal with failover.
  • Cannot load balance.

Note: From various research it appears that WCCP is preferred for resiliency, provided the implementation is done appropriately.

Putting the proxy in line with the traffic sounds easy, but it is not a practical design. It can be done in small networks, but when the network handles thousands of users such an implementation is severely hindered and becomes ineffective.


February 22, 2011  1:04 AM

How to subnet?



Posted by: Sulaiman Syed
binary, CCNA, cheat sheet, Cisco, mathematics, subnet, subnetting

For any network engineer, knowing how to subnet is as important as typing "en" in the CLI. The engineer will have to write access lists with wildcard masks, break networks into smaller parts, create VLANs and point-to-point links, and design whole new enterprise networks. Subnetting is part of all these processes.

I think most books show how to subnet using binary mathematics, which is the fundamental of the IP addressing scheme. But is there any other way to do subnetting, without doing binary mathematics? The answer is yes.

I'm not sure if this is a unique way that I have discovered, or whether someone else has been using it. A cheat sheet that I made helped me do all subnetting without touching a calculator. It did require some mathematics initially to construct the cheat sheet, but once done no mathematics was required.

4th byte        25    26    27    28    29    30    31    32
3rd byte        17    18    19    20    21    22    23    24
2nd byte         9    10    11    12    13    14    15    16
1st byte         1     2     3     4     5     6     7     8
Mask           128   192   224   240   248   252   254   255
address          0     0     0     0     0     0     0     0
Magic number   128    64    32    16     8     4     2     1
                     128    64    32    16     8     4     2
                     192    96    48    24    12     6     3
                           128    64    32    16     8     4
                           160    80    40    20    10     5
                           192    96    48    24    12     6
                           224   112    56    28    14     7
                                 128    64    32    16     8
                                 144     .    36    18     9
                                 160     .    40    20    10
                                 176     .     .    22    11
                                 192     .     .    24    12
                                 208     .     .    26    13
                                 224     .     .     .    14
                                 240     .     .     .     .
                                       248     .     .     .
                                             252     .     .
                                                   254     .
                                                         255

Ok, so the table is not as complicated as it may seem. The first four rows hold the prefix lengths (/1 to /32); find the prefix length there and read down the same column to convert it to decimal. The 5th row is the subnet mask in decimal format. The 6th row is where the network addresses start. The 7th row is the magic number, and the network addresses listed below it in each column are always multiples of the magic number.

Take a random example, 10.14.0.4/20. First, we find 20 in the first four rows: it is in the 3rd byte row, above mask 240 and magic number 16. The 3rd byte of 10.14.0.4 (0) falls between 0 and 16, so the network address is 10.14.0.0/20 and the broadcast is 10.14.15.255 (10.14.16.0 - 1).

Another example: 200.32.172.100/18. First, we find 18 in the first four rows: it is in the 3rd byte row, above mask 192 and magic number 64. The 3rd byte of 200.32.172.100 (172) falls between 128 and 192, so the network address is 200.32.128.0 and the broadcast is 200.32.191.255 (200.32.192.0 - 1).

This cheat sheet helped me pass my CCNA exams. It took the first 10 minutes of the exam to make the cheat sheet, and then any subnetting question was solved within a minute or less.
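The cheat-sheet method as an added Python example (not from the post): the prefix length is located in the byte rows, the mask octet and magic number are read from the same column, and the network and broadcast follow from the nearest multiple of the magic number. It goes beyond the two worked examples by also producing the dotted mask and the ACL wildcard mask, and cross-checks the result against the binary method via the ipaddress module.

```python
import ipaddress   # only used to cross-check the cheat-sheet result against the binary method

MASK_ROW = [128, 192, 224, 240, 248, 252, 254, 255]   # the "Mask" row of the cheat sheet

def cheat_sheet_lookup(prefix_len):
    """Locate /prefix_len in the four byte rows: returns (byte number 1-4, mask octet, magic number)."""
    if not 1 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 1 and 32")
    byte = (prefix_len - 1) // 8 + 1       # /1-/8 -> 1st byte row, /9-/16 -> 2nd byte row, ...
    column = (prefix_len - 1) % 8          # position within that row, left to right
    mask = MASK_ROW[column]
    return byte, mask, 256 - mask          # magic number = 256 - mask octet

def dq(parts):
    return ".".join(map(str, parts))

def subnet(ip, prefix_len):
    """Network, broadcast, dotted mask and ACL wildcard mask for ip/prefix_len, the
    cheat-sheet way: the "interesting" octet is rounded down to a multiple of the magic
    number, lower octets become 0, and the broadcast is the next network minus one."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address")
    byte, mask, magic = cheat_sheet_lookup(prefix_len)
    i = byte - 1                                       # index of the interesting octet
    start = octets[i] - octets[i] % magic              # largest multiple of magic <= that octet
    network = octets[:i] + [start] + [0] * (3 - i)
    broadcast = octets[:i] + [start + magic - 1] + [255] * (3 - i)
    dotted = [255] * i + [mask] + [0] * (3 - i)
    wildcard = [255 - m for m in dotted]               # inverse mask used in IOS access lists
    return {"network": dq(network), "broadcast": dq(broadcast),
            "mask": dq(dotted), "wildcard": dq(wildcard)}

def cross_check(ip, prefix_len):
    """True when the cheat-sheet answer matches the binary method (ipaddress module)."""
    expected = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    got = subnet(ip, prefix_len)
    return (got["network"], got["broadcast"], got["mask"]) == (
        str(expected.network_address), str(expected.broadcast_address), str(expected.netmask))
```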


February 15, 2011  7:53 AM

How to pass ITILv3 Foundation?



Posted by: Sulaiman Syed
Certification, exam, Foundation, ITIL, itskiptic, Pass, pdf

For many employees seeking to advance their career in the IT field, an ITIL certification is a very big added advantage. The question is, how to pass it?

Questions such as "Do I need to take formal training for ITIL?" and "How much will the ITIL Foundation exam cost?" are valid ones that go through people's minds.

The good news is that for Foundation, formal training is not required, which means it is possible to pass the exam with self study. Even the material can be found on the internet.

Pass ITIL V3 Foundation by itskiptic. Please get yourself familiar with what is there: download all the free materials and read them. Do some mock exams, and you should be ready to take the real exam.


February 10, 2011  4:44 AM

MPLS VPN tutorial



Posted by: Sulaiman Syed
Cisco, configuration, Dynamips, example, GNS3, MPLS, mpls vpn, tutorial, vpn

I would like to post a simple example of how to set up MPLS-VPN for two users. This example is taken from the Cisco Press book CCIE Routing and Switching. Although the book didn't show the full working configuration for the scenario, I have made it complete so anyone using that example can refer to my configuration file to make the routers work.

MPLS,GNS3

The picture above shows the topology used in the example. As can be seen, it is simple yet effective and demonstrates almost all aspects of MPLS-VPN; interesting scenarios can be made from the same topology by changing various parameters of MPLS-VPN, which I advise you to do.

mpls-example

The link above is the download for the configuration files. Enjoy.


February 9, 2011  8:16 AM

what is MPLS VPN?



Posted by: Sulaiman Syed
Cisco, how mpls vpn works, MPLS, mpls vpn, network, router, routing, service provider, virtual, virtual routing, vpn

When a service provider connects sites that belong to one customer using private addresses, the SP can advertise those routes within its autonomous system. This works when it serves one organization. But what if the SP connects 10 customers, each with three sites, and all of them use network 10.0.0.0! The SP can't run separate networks to connect these customers. A plain VPN will not work either: how would the router know which other router to associate with, when the same IP address is assigned to more than one router? In scenarios such as these, MPLS VPN is the perfect solution.

MPLS VPN solves this problem by using multiple routing tables, a feature called Virtual Routing and Forwarding (VRF). A VRF creates a separate routing table for each customer, which solves the issue of overlapping IP addresses.

Usually the customer router is not aware of any MPLS cloud or VRF; it is called the Customer Edge (CE). The first and last Label Switch Routers (LSRs) are called Provider Edge (PE) routers, and the LSRs inside the SP network are called Provider (P) routers. The PE routers are aware of VRFs, while the P routers just forward packets based on labels.

Both P and PE routers run LDP and an IGP. The IGP advertises only the SP's own subnets (no customer prefixes are advertised), which is enough to enable MPLS unicast IP routing. The PE does the extra work of learning customer routes and keeping track of which routes belong to which customer. The PE does not put these routes in the normal IP routing table; they are stored in per-customer tables, and the PE uses IBGP to exchange them with other PE routers.

PE routers push two labels onto each packet: an outer label used to switch the packet to the egress PE, and an inner label used to correlate the packet's destination with the right VRF.

The figure below shows the operation in a simple manner.

MPLS VPN

MPLS VPN works using three important concepts: VRF, Route Distinguishers (RDs), and Route Targets (RTs). Further reading is required to get a more comprehensive view of MPLS VPN.


February 8, 2011  3:35 AM

How MPLS works?



Posted by: Sulaiman Syed
Cisco, how, how mpls works, ip, label, LDP, LFIB, MPLS, network, pop, push, QoS, tag, Unicast, works

MPLS uses a different mechanism to forward packets. Packets are forwarded based on an MPLS label instead of the conventional destination IP address. This adds the ability to make forwarding decisions based on factors other than the IP address, such as traffic engineering, QoS, and privacy requirements.

MPLS unicast IP forwarding is the base mode: the forwarding logic works on labels, and these labels are chosen based on the routes in the unicast IP routing table. Hence labeled packets follow the same path as normal IP packets, without any advantage over IP routing. It is when MPLS is used with its different applications that it shines over IP routing, especially MPLS VPN and MPLS traffic engineering, which use MPLS as the base protocol and add various advantages on top of it.

For MPLS to work, it requires control-plane protocols: any routing protocol to learn the routes, and LDP (or TDP) to learn the labels and to correlate these labels with particular prefixes.

MPLS is transparent to the end users; they never send or receive labeled packets. One router adds the label, and another router removes it. Adding a label is called a push, and removing one is called a pop; knowing these terms helps when reading the Label Forwarding Information Base (LFIB) table. The LFIB is the table a Cisco router uses to know what action to take on a labeled packet.

To see a simplified example of how MPLS works, refer to the figure below.

MPLS Network

1-Host A sends a packet to host B.
2-R1 is not configured with MPLS, hence the packet is forwarded based on the destination IP address.
3-R2 receives the packet and checks the LFIB table. It decides to push a new label of value 10 onto the packet and sends it out the respective interface.
4-R3 checks the LFIB table and swaps the old label for a new one, from 10 to 33, and forwards the packet.
5-R4 checks the LFIB table, the label is popped and the packet is forwarded.
6-R5 forwards the packet as a normal IP packet based on the destination IP address.

This is how MPLS unicast IP forwarding works, as simple as that. To understand how the various protocols work, referring to LDP and the LFIB will suffice.
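An added Python model (not from the posts) of the label operations described in this post and in the MPLS VPN post above: the six-step unicast walk (R2 pushes 10, R3 swaps 10 for 33, R4 pops, R5 routes by IP) plus the two-label VPN case, where the inner label lets the egress PE tell two customers apart even though both use the same 10.1.0.0/16. The VPN tables (PE1, PE2, P1, labels 17/201/202) are constructed assumptions.

```python
import ipaddress
# Added model of the label operations described above (not from the posts). Unicast
# tables follow the six-step figure (R2 pushes 10, R3 swaps 10 -> 33, R4 pops); the
# VPN part (PE1/PE2, two customers sharing 10.1.0.0/16, labels 17/201/202) is constructed.
def lpm(table, dst):
    """Longest-prefix match over [(prefix, next_hop, label_or_None)] entries."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh, label in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, label)
    return best

FIB = {"R1": [("10.2.0.0/16", "R2", None)],       # R1 runs no MPLS: plain IP forwarding
       "R2": [("10.2.0.0/16", "R3", 10)],         # ingress LSR: push label 10
       "R5": [("10.2.0.0/16", "HostB", None)]}    # egress: ordinary IP lookup
LFIB = {"R3": {10: ("swap", 33, "R4")},           # in_label -> (action, out_label, next_hop)
        "R4": {33: ("pop", None, "R5")}}

def forward(router, pkt):
    """One hop; pkt = {'dst': str, 'labels': [top, ...]}. Returns (next_hop, log line)."""
    labels = pkt["labels"]
    if labels and router in LFIB:                 # labeled packet: the LFIB decides
        entry = LFIB[router].get(labels[0])
        if entry is None:
            return None, f"{router}: no LFIB entry for label {labels[0]}, dropped"
        action, out_label, nh = entry
        labels[0:1] = [out_label] if action == "swap" else []   # swap or pop the top label
        return nh, f"{router}: {action} -> stack {labels}"
    net, nh, label = lpm(FIB[router], pkt["dst"])  # unlabeled packet: IP/FIB lookup
    if label is not None:
        labels.insert(0, label)
        return nh, f"{router}: push {label} -> stack {labels}"
    return nh, f"{router}: IP lookup {net} -> {nh}"

def trace_unicast(src, dst):
    """Walk a packet from src until it leaves the modelled routers; returns (log, final stack)."""
    pkt, hops, router = {"dst": dst, "labels": []}, [], src
    while router in FIB or router in LFIB:
        router, log = forward(router, pkt)
        hops.append(log)
    return hops, pkt["labels"]

# VPN case: PE1 keeps one table per VRF, so two customers can both use 10.1.0.0/16.
VRF_PE1 = {"CustA": [("10.1.0.0/16", "PE2", 201)],   # (prefix, egress PE, inner VPN label)
           "CustB": [("10.1.0.0/16", "PE2", 202)]}
GLOBAL_PE1 = [("192.0.2.2/32", "P1", 17)]            # route to PE2's loopback -> outer label 17
PE_LOOPBACK = {"PE2": "192.0.2.2"}
PE2_VRF_BY_LABEL = {201: "CustA", 202: "CustB"}      # egress PE demultiplexes on the inner label

def pe1_ingress(vrf, dst):
    """Ingress PE: the VRF lookup yields the inner label, the global lookup the outer one."""
    _, egress_pe, inner = lpm(VRF_PE1[vrf], dst)
    _, nh, outer = lpm(GLOBAL_PE1, PE_LOOPBACK[egress_pe])
    return {"dst": dst, "labels": [outer, inner]}, nh

def pe2_egress(pkt):
    """Egress PE: the inner label alone selects the customer VRF; the IP header cannot."""
    return PE2_VRF_BY_LABEL[pkt["labels"][-1]]
```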


December 29, 2010  3:30 AM

Certified Cisco Design Associate – CCDA



Posted by: Sulaiman Syed
ccda, CCDP, CCNA, CCNP, Certification, Cisco

This exam touches the topics of enterprise networking in a brief yet fundamentally important way. It covers all the basics, from wireless and VoIP to the enterprise model.

I would recommend studying this not for the sake of the certification but for the great knowledge acquired. It shows the best practices for network design and operation, and it will also guide engineers during network expansions or upgrades.

The CCDA Official Exam Certification Guide (v3) is a good book that brings all the topics into one volume for easy and effective reading.

After reading the book, you can expect to learn the following:

  • Network design methodology
  • Network structure models
  • Enterprise LAN design
  • Wireless LAN design
  • Enterprise edge module design
  • WAN design
  • IPv4 and IPv6
  • Routing protocol selection
  • RIP, EIGRP, OSPF, and IS-IS
  • BGP, route manipulation, and IP multicast
  • Security management, technologies, and design
  • Voice architectures and IP telephony design
  • Network management

Many of these topics will already have been covered if you have done CCNP, but CCDA is a requirement for CCDP. It would be good to get CCNA and CCDA in the same time frame, since CCDA works as a brief introduction to CCNP.


December 26, 2010  3:45 AM

How to aggregate ports?



Posted by: Sulaiman Syed
Aggregation, Cisco, LACP, PAgP, Port, vlan

In many cases we need higher bandwidth within the organization while we only have 1GB uplinks, or we stack switches and want multiple uplinks from each switch, or we just want a redundant link that is not blocked by STP. All these are simple scenarios that we face, and the solution is rather simple.

Port aggregation is the answer; Cisco calls it EtherChannel. Before configuring an EtherChannel, the ports taking part in the channel must have the following settings in common:
1-Speed
2-Duplex
3-Spanning tree settings
4-If access ports, the same VLAN
5-If trunks, the same native VLAN, and they should pass the same VLANs
6-All ports should belong to the same EtherChannel group

There are basically two protocols to negotiate port channels, LACP and PAgP. I would prefer to just turn the channel on without negotiating.

Sample configuration:
switch(config)# interface range gigabitEthernet 0/1 - 4
switch(config-if-range)# channel-group 1 mode on

Do the same configuration at the other side.
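An added Python example (not from the post) that runs the six prerequisites above as a pre-check over the candidate member ports before the channel-group command is applied. The per-port settings are constructed; in practice they would be collected from "show run interface" and "show interfaces switchport", and the stp_cost field stands in for whichever spanning-tree settings are in use.

```python
# Constructed sample: four candidate members for channel-group 1. Gi0/3 and Gi0/4 are
# deliberately wrong so the check has something to report.
PORTS = {
    "Gi0/1": {"speed": "1000", "duplex": "full", "stp_cost": 4, "mode": "trunk",
              "native_vlan": 1, "allowed_vlans": {10, 20, 30}, "channel_group": 1},
    "Gi0/2": {"speed": "1000", "duplex": "full", "stp_cost": 4, "mode": "trunk",
              "native_vlan": 1, "allowed_vlans": {10, 20, 30}, "channel_group": 1},
    "Gi0/3": {"speed": "1000", "duplex": "half", "stp_cost": 4, "mode": "trunk",
              "native_vlan": 99, "allowed_vlans": {10, 20}, "channel_group": 1},
    "Gi0/4": {"speed": "1000", "duplex": "full", "stp_cost": 4, "mode": "access",
              "access_vlan": 10, "channel_group": 2},
}

def etherchannel_mismatches(ports):
    """Compare each candidate member with the first one and list every attribute that
    differs: speed, duplex, STP settings, channel group, and the VLAN settings that
    apply to the reference port's mode (access VLAN, or native + allowed VLANs)."""
    names = sorted(ports)
    ref_name, ref = names[0], ports[names[0]]
    keys = ["speed", "duplex", "stp_cost", "channel_group", "mode"]
    keys += ["native_vlan", "allowed_vlans"] if ref["mode"] == "trunk" else ["access_vlan"]
    problems = []
    for name in names[1:]:
        for key in keys:
            if ports[name].get(key) != ref.get(key):
                problems.append(f"{name}: {key}={ports[name].get(key)!r} differs from "
                                f"{ref_name} ({ref.get(key)!r})")
    return problems
```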


December 25, 2010  4:20 AM

AirWave



Posted by: Sulaiman Syed
Acesss, AirWave, Aruba, Cisco, fat, management, networks, Points, thin, Visual, WiFI

Last week we were contacted by Aruba Networks. They were marketing their latest WiFi solutions and AirWave, but what caught our attention was AirWave. It is a full management solution for WiFi networks, with interoperability with various vendors, including Cisco.

After going through a brief training/setup we were able to test AirWave ourselves. Aruba were nice enough to give us a webinar with their System Engineers Director Johan Schaap.

The product is impressive, loaded with so much information in just a few clicks. Let's go through the main features; a screenshot of the homepage is shown below. Keep in mind we have only added one building for testing purposes.

AirWave

The APs/Devices menu lists the access points, the users connected to them, and bandwidth utilization. In this list, the IP, channel, IOS version, location, and LAN and wireless MAC addresses are shown for each access point. Clicking on an access point gives more information about it, its CDP neighbor, and the users connected.

The Users tab shows all connected users, their bandwidth usage, and each user's history (based on MAC address) for up to 2 years: which access points they connected to, which SSID, duration, location, signal strength, and IP address.

Reports: all kinds of reports can be generated, on a daily, weekly or yearly basis, about almost every event! It is highly customizable, with all kinds of data, and the amount of data available is just a lot!

RAPIDS is the rogue access point detection; AirWave can do a lot with this. It can block these access points, find their location, etc.

VisualRF is interesting as well. It nicely shows the access points on uploaded maps, which users are connected to which access point, signal strength, data rate, and plenty more. A screenshot of such an example:
VisualRF

One of the features is managing fat access points. Some organizations still use fat access points, although thin APs are recommended. With AirWave, it is possible to create a template, and the software will make sure that all access points use that configuration (for unified configuration). It can also push any new configuration to the access points.

All I can say is that this is one of the best management tools for wireless that I have ever used. I would recommend it to everyone, regardless of what their infrastructure consists of.

