The Journey of a Network Engineer


October 31, 2010  2:39 PM

From trunk ports to routed ports – part 3



Posted by: Sulaiman Syed
access, Cisco, client, configuration, core, design, distribution, network, routed, switch, trunk, vtp

This is the final part of the series. In this blog entry I post the sequence of steps and the configuration lines needed for a smooth transition from trunk ports to routed ports. The motive for changing from trunk ports to routed ports can be read in part 1, while part two covered the network design scheme.

Implementation Plan:

The implementation will be carried out in a specific number of steps. The following syntax gives a general configuration which can later be adapted to the actual IP addresses, switches, and number of links.

First Step: configuring IP addresses and default gateways on all network devices
en
conf t
int vlan 1
ip address 10.0.yy.xx 255.255.255.0 (where yy is the distribution switch location and xx is the switch number)
exit
ip default-gateway 10.254.yy.1 (where yy is the distribution switch location; note that a switch with ip routing enabled, such as the distribution switches in steps six and seven, ignores ip default-gateway and relies on its routing table instead)

Second Step: configuring the STP root on the distribution switch
en
conf t
spanning-tree vlan xx priority 4096 (do this for all the respective vlans in that building)

Third Step: configuring the STP root on the second distribution switch, if available
en
conf t
spanning-tree vlan xx priority 8192 (do this for all the respective vlans in that building; the higher value makes it the secondary root)

Fourth Step: configuring the routing protocol on the core switches
en
conf t
router eigrp 10
network 10.0.0.0

Fifth Step: configuring the ports on the core switches
en
conf t
int gig x/x (x/x is the interface number)
no switchport
ip address 10.1.255.254 255.255.255.252

Sixth Step: configuring the routing protocol on the distribution switch
en
conf t
router eigrp 10
network 10.0.0.0

Seventh Step: configuring the ports on the distribution switch
en
conf t
int gig x/x (x/x is the interface number)
no switchport
ip address 10.1.255.253 255.255.255.252 (the other end of the core's /30 from the fifth step)

Eighth Step: configuring the distribution switch for VTP
en
conf t
vtp mode server
vtp domain VTPDOMAIN
no vlan x,x-x (where x is the vlan numbers to be removed)

Ninth Step: configuring the access switch for VTP
en
conf t
vtp mode client
vtp domain VTPDOMAIN
Step four and step five can be combined. Steps six to eight can be done in one session as well. Since most distribution switches have two links, it will not be necessary to go to the building physically. Buildings that have a single link connecting the distribution switch to the core switch will require someone physically present at both ends.

October 27, 2010  3:46 AM

From trunk ports to routed ports – part 2



Posted by: Sulaiman Syed
access, Cisco, core, design, distribution, ip, network, routed, scheme, subnet, trunk, vlan

In this part, I will talk about the migration from the current network to the proposed network.

Figure 1 shows a core layer with two distribution layers: the one on the left is the current design and the one on the right is the proposed one. Before explaining any further, take note that although the user vlans were meant to be local (they shouldn’t span to the core and the other distribution switches), they were spanning because of some poor configuration.


The core network will have IP addresses of 10.0.y.x/16, where y = 0 for the core layer and x = host number/id. The distribution layer follows the scheme 10.0.y.x/16, where y = distribution switch location and x = host number/id. Access switches will have the same scheme as distribution, except that their x starts from 100.

The objective is to migrate to routed ports without losing connectivity in the management vlan, while providing a good summary for the routing table. This is possible by following the design on the right side of the figure. Change the subnet mask from /16 to /24 from the distribution layer downwards. The routed ports will take their IP addresses from the last subnet of the user vlans. The user vlan IP scheme is 10.y.x.z/24, where y is the distribution switch location, x is the vlan number and z is the host id. So for the first distribution switch the following subnets were allocated for the routed ports: 10.1.255.255/31 and 10.1.255.252/31. The second distribution switch used the subnets 10.1.255.250/31 and 10.1.255.248/31.
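Putting the addressing scheme above together with the command sequence in part 3 (the post above on this page), here is an added Python example that is not the author's code: it derives a building's management, user vlan and routed-link addresses from the scheme, emits the part 3 step sequence for one distribution switch, and checks that everything below the core summarises into one 10.y.0.0/16 route. The routed uplinks follow part 3's 255.255.255.252 masks (/30); the location number, vlan list and uplink count are assumed inputs.

```python
import ipaddress

# Added example, not the author's configuration. Inputs are assumed for one
# building: location number y, the user VLANs on its distribution switch and
# the number of routed uplinks towards the core.

def site_plan(y, user_vlans, uplinks):
    """Derive the building's addressing from the part 2 scheme.

    Management keeps 10.0.y.x but with the mask changed to /24, user VLAN v
    becomes 10.y.v.0/24, and the routed uplinks take /30s from the top of the
    last user subnet 10.y.255.0/24 (part 3 uses 10.1.255.252/30: core on .254,
    distribution switch on .253).
    """
    mgmt = ipaddress.IPv4Network("10.0.%d.0/24" % y)
    users = {v: ipaddress.IPv4Network("10.%d.%d.0/24" % (y, v)) for v in user_vlans}
    last_subnet = ipaddress.IPv4Network("10.%d.255.0/24" % y)
    links = list(last_subnet.subnets(new_prefix=30))[::-1][:uplinks]
    return mgmt, users, links

def link_addresses(link):
    """(core address, distribution address) for one /30 uplink."""
    low, high = link.hosts()
    return high, low

def distribution_config(y, switch_no, user_vlans, uplinks, primary_root=True):
    """Emit the part 3 command sequence for one distribution switch."""
    mgmt, _users, links = site_plan(y, user_vlans, uplinks)
    lines = ["interface vlan 1",                                   # step 1
             " ip address %s %s" % (mgmt[switch_no], mgmt.netmask),
             " exit",
             "ip default-gateway 10.254.%d.1" % y]
    priority = 4096 if primary_root else 8192                      # steps 2/3
    lines += ["spanning-tree vlan %d priority %d" % (v, priority) for v in user_vlans]
    lines += ["router eigrp 10", " network 10.0.0.0", " exit"]     # step 6
    for index, link in enumerate(links, start=1):                  # step 7
        _core, dist = link_addresses(link)
        lines += ["interface gig 1/%d" % index, " no switchport",
                  " ip address %s %s" % (dist, link.netmask), " exit"]
    lines += ["vtp mode server", "vtp domain VTPDOMAIN"]           # step 8
    return lines

def summarises_to_site(y, user_vlans, uplinks):
    """Check the design goal from part 2: every user subnet and uplink /30 of
    building y falls inside 10.y.0.0/16, so the core needs one summary route."""
    _mgmt, users, links = site_plan(y, user_vlans, uplinks)
    site = ipaddress.IPv4Network("10.%d.0.0/16" % y)
    return all(n.subnet_of(site) for n in list(users.values()) + links)

if __name__ == "__main__":
    for line in distribution_config(1, 5, [10, 20, 30], 2):
        print(line)
    print("summarisable:", summarises_to_site(1, [10, 20, 30], 2))
```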


October 23, 2010  11:59 PM

How to Configure Router on GNS3 to work with SDM.



Posted by: Sulaiman Syed
CCNA, Cisco, configuration, GNS3, PC, router, sdm

This is a pretty basic configuration that can be done on a GNS3 router, or any router for that matter. It is useful for first-time users, or for anyone who wants to practice CCNA Security.

On the host, configure the following settings:

IP address: 10.0.0.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.0.0.1

On the router, apply the following settings to the interface connecting to your host.

Router> en
Router# conf t
Router(config)# int fa0/0
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Router(config-if)# no shut

Now, you need to configure the router to be able

Router(config)# ip domain-name TEST (a domain name is required before the RSA key can be generated)
Router(config)# username test privilege 15 secret TeSt (user for SDM; "secret" stores a hash of TeSt, whereas "secret 5" would expect an already hashed string and reject a plain password)
Router(config)# ip http server (plain HTTP; not needed once HTTPS works)
Router(config)# ip http secure-server (enables HTTPS, which is what SDM should connect over)
Router(config)# ip http authentication local
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input telnet ssh (SSH works once the RSA key below exists; telnet is cleartext and can be dropped from this line at that point)
Router(config-line)# privilege level 15 (recommended; no harm if omitted)
Router(config-line)# exit
Router(config)# crypto key generate rsa general-keys modulus 1024 (the RSA key is used by both SSH and HTTPS)

Once this is done, the router is ready to be used with SDM. As a side note, if the additional tasks don’t work with your SDM, just change to an older Java version; that solves the problem.


October 23, 2010  1:37 AM

From trunk ports to routed ports – part 1



Posted by: Sulaiman Syed
Cisco, core, design, distribution, infrastructure, loop, ports, routed, stp, switch, trunk

In this post I’ll talk about the migration of our backbone links from layer two to layer three. Cisco recommends using layer three links between the distribution and core switches for various reasons:

  1. Faster convergence.
  2. Equal load balancing on redundant links.
  3. Loops are handled by the routing protocol rather than by STP.

Another objective of this project is to localize the VTP domain for each building’s network. Currently, all vlans are distributed through one VTP domain. The enterprise backbone is running STP instances for 129 vlans.

Trunk Links



The figure shows the network, that is, the connectivity between the distribution and core layer switches. All the links connecting the core switches to the distribution switches are layer two links, making the campus one wide broadcast domain. Manual pruning is taking place, yet the management vlan still spans the whole network, and the new distribution switches are not pruning properly. Many of the redundant links are blocked by STP as a step to mitigate layer two loops.

One of the major issues with this design is that vlans are spanned throughout the network. The core switches have already exceeded the recommended number of running spanning tree instances. The current design consists of user vlans that are confined to their distribution switch (although spanning tree runs network-wide for these vlans), while the management vlan, with the IP scheme 10.xx.0.0/16, spans the whole enterprise from the core switch down to the access point.

In part two, I will discuss how we made the change and the issues that we faced.


October 15, 2010  12:21 PM

Issues with VTP



Posted by: Sulaiman Syed
access, Cisco, issue, switch, trunk, vlan, vtp

Although VLAN Trunking Protocol does its job of distributing the vlan database from the server to all the other client switches, it has some major issues when it is wrongly implemented or when trunk negotiation between switches fails.
1- Always reset the revision number of a switch before adding it to the production network. It has happened almost everywhere.

The usual scenario: a switch goes down somewhere, and in the emergency someone goes and brings that test lab switch, deletes the running config, then adds it to the production network. BAM, suddenly all vlans have disappeared and we have a whole network outage.

The reason for this phenomenon is that the test lab switch has a higher configuration revision than the production network (the revision number is stored with the vlan database, so deleting the running config does not reset it). Remember that a server will accept a VTP update from a client if the client has a higher revision number.

2- Always hard code a trunk link between two different VTP domains.
If the default trunk setting is kept on just one side:

interface FastEthernet0/1
switchport mode dynamic desirable

this will cause trunk negotiation to fail, the port will work as an access port, and you will have a partial network outage.

In an interesting case in my own organization, the negotiation failed, but Sw1 showed the link as trunk using the command (show int trunk), while Sw2 showed the link as access!!

3- Know the maximum number of vlans supported by a switch.
Some low-end switches (2960, 2950, etc.) have a limit on the number of vlans they support. If you make these switches clients, they will cause various issues, and the best solution is to make them transparent.
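A pre-insertion check for the first and third issues above, as an added Python example (not the author's code): it parses the text of show vtp status from the production server and from the switch about to be connected, and flags a revision that would overwrite the production vlan database or a vlan limit too low for the domain. Both status outputs are constructed samples.

```python
import re

# Constructed sample output in the shape of IOS "show vtp status" (field names
# are IOS's; the values are made up for this example).
PRODUCTION_SERVER = """\
VTP Version                     : 2
Configuration Revision          : 57
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 134
VTP Operating Mode              : Server
VTP Domain Name                 : VTPDOMAIN
"""

LAB_SWITCH = """\
VTP Version                     : 2
Configuration Revision          : 312
Maximum VLANs supported locally : 64
Number of existing VLANs        : 5
VTP Operating Mode              : Client
VTP Domain Name                 : VTPDOMAIN
"""

def parse_vtp_status(text):
    """Turn 'Field : Value' lines into a dict; numeric values become ints."""
    status = {}
    for line in text.splitlines():
        match = re.match(r"\s*(.+?)\s*:\s*(.*?)\s*$", line)
        if match:
            field, value = match.groups()
            status[field] = int(value) if value.isdigit() else value
    return status

def preinsertion_checks(server_text, candidate_text):
    """List the reasons a candidate switch must not be connected to the
    production VTP domain yet (issues 1 and 3 above). Empty list means safe."""
    server = parse_vtp_status(server_text)
    cand = parse_vtp_status(candidate_text)
    problems = []
    participates = cand["VTP Operating Mode"] in ("Server", "Client")
    same_domain = cand["VTP Domain Name"] == server["VTP Domain Name"]
    # Issue 1: in the same domain the higher revision wins, even from a client.
    # The revision lives in vlan.dat, so erasing the running config does not
    # reset it; changing the domain name or going transparent does.
    if participates and same_domain and \
            cand["Configuration Revision"] >= server["Configuration Revision"]:
        problems.append("revision %d would overwrite production revision %d"
                        % (cand["Configuration Revision"], server["Configuration Revision"]))
    # Issue 3: a low-end client cannot hold the domain's VLAN count.
    if participates and cand["Maximum VLANs supported locally"] < server["Number of existing VLANs"]:
        problems.append("supports %d VLANs, domain has %d: use transparent mode"
                        % (cand["Maximum VLANs supported locally"], server["Number of existing VLANs"]))
    return problems

if __name__ == "__main__":
    for problem in preinsertion_checks(PRODUCTION_SERVER, LAB_SWITCH):
        print("WARNING:", problem)
```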


October 11, 2010  6:48 AM

Connecting your PC to GNS3



Posted by: Sulaiman Syed
CCNA, Certification, Cisco, GNS3, PC, simulator

In this entry, we will see how to connect a router in the GNS3 simulator to your PC.

This will help you with all the basic simulations using SDM, and it is especially good for people taking the CCNA Security exam.

First, we need a loopback interface on your PC. The following steps create the loopback interface:

1. Go to Control Panel–>Add Hardware then click Next
2. Yes I have already connected the hardware
3. Scroll to the bottom and click on Add a new hardware device then Next
4. Install the hardware that I manually select from a list (Advanced)
5. Click on Network Adapters then Next
6. Select Microsoft as the Manufacturer then on Microsoft Loop-back Adapter under Network Adapter then click Next then Next again.
7. Open up Control Panel–>Network Connections to see the adapter in place.

Once that is done, run your GNS3 simulator and do the following.

1- Drag the Cloud shape onto the screen.
2- Right click it and choose configure.
3- Go to the designated cloud (usually C1).
4- Click on Generic Ethernet NIO.
5- Select the Microsoft Loop-back Adapter, then ADD.

Now all you need to do is add the router and connect a link between the Cloud and the router, and you will be able to use SDM; of course you would still need to configure the router. Configuring the router will be in part 2 of this entry.


October 7, 2010  8:53 AM

Cisco Certified Design Professional



Posted by: Sulaiman Syed
CCDP, CCNP, Certified, Cisco, ciscopress, design, professional, route, switch

CCDP, or Cisco Certified Design Professional, is one of the best certificates for any engineer working in a medium to large enterprise.

CCDP requires the candidate to pass Route, Switch, and Arch. Since most engineers will have CCNP, which requires Route, Switch, and Tshoot, CCDP becomes a much easier task to gain, and with high benefits.

Study material for Cisco Certified Design Professional is available through ciscopress. Designing Cisco Network Service Architectures is a good guide to prepare for the Arch exam. Advanced topics from this book that are very helpful to any engineer are:

  • Implement advanced WAN services
  • Evaluate design considerations in the data center core, aggregation, and access layers
  • Design storage area networks (SANs) and extend the SAN with various protocols
  • Design and tune an integrated e-commerce architecture
  • Integrate firewall, NAC, and intrusion detection/prevention into your network design
  • Incorporate voice over WLAN in the enterprise network

Data center design is fundamental for any enterprise, while e-commerce is important for almost all commercial and profit-making organizations.

Lastly, don’t expect the exam to be easy. The questions will require you to use your experience and thinking to find the right answer.


October 1, 2010  10:55 AM

Policy Based Routing – Part 2



Posted by: Sulaiman Syed
access, ACL, based, list, map, PBR, policy, route, routing, vlan

In Policy Based Routing – part 1 I explained why and how we can use PBR in a production environment. Today I shall post how I did it and what I did, with a brief explanation. Keep in mind that the IP scheme shown in the image is not real.


ip access-list extended web
permit tcp 192.0.0.0 0.0.31.255 any eq www
permit tcp 192.0.0.0 0.0.31.255 any eq 443

First, I defined the interesting traffic. 192.0.0.0/22 is the network I would like to redirect to my proxy server; the traffic should be sourced from this network, to any network, with destination port 80 or 443 (HTTP, HTTPS).

route-map web permit 10
match ip address web
set ip next-hop 10.10.0.100

Here I created a route map that matches the access list from the first step, and set the next-hop address to 10.10.0.100.

route-map web permit 20

This command is important; without it, the rest of the traffic will be dropped (just as the last entry in an access list is an implicit deny).

interface Vlan10
ip address 10.10.0.2 255.255.255.0
ip policy route-map web

Since I’m using a multilayer switch and my interface is defined as a vlan interface, I applied the policy on the vlan interface.
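Here is an added Python model of the access list and route map above (not the author's configuration or a Cisco tool): it converts the IOS wildcard mask to a prefix, decides per flow whether the next hop is set to 10.10.0.100 or left to the routing table, and makes the wildcard's real reach visible (0.0.31.255 covers 192.0.0.0/19), which is worth checking against the range you intend to redirect. The sample flows are constructed.

```python
import ipaddress

# Constructed sample traffic: (source IP, destination IP, protocol, destination port)
SAMPLE_FLOWS = [
    ("192.0.5.3", "203.0.113.10", "tcp", 80),
    ("192.0.5.3", "203.0.113.10", "tcp", 443),
    ("192.0.5.3", "203.0.113.10", "tcp", 22),
    ("192.0.5.3", "203.0.113.10", "udp", 443),
    ("10.20.0.7", "203.0.113.10", "tcp", 80),
]

def wildcard_to_network(address, wildcard):
    """An IOS wildcard mask is the bitwise inverse of a subnet mask."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address("255.255.255.255"))
                                 - int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((address, str(mask)), strict=False)

# ip access-list extended web
#  permit tcp 192.0.0.0 0.0.31.255 any eq www / eq 443
WEB_SOURCE = wildcard_to_network("192.0.0.0", "0.0.31.255")
WEB_ACL = [("tcp", WEB_SOURCE, 80), ("tcp", WEB_SOURCE, 443)]   # destination: any

def acl_matches(flow):
    src, _dst, proto, dport = flow
    return any(proto == p and ipaddress.IPv4Address(src) in net and dport == port
               for p, net, port in WEB_ACL)

# route-map web permit 10 -> match ip address web, set ip next-hop 10.10.0.100
# route-map web permit 20 -> no match/set: everything else is left to the routing table
ROUTE_MAP = [
    {"seq": 10, "match": acl_matches, "set_next_hop": "10.10.0.100"},
    {"seq": 20, "match": lambda flow: True, "set_next_hop": None},
]

def policy_route(flow):
    """Return the next hop PBR imposes, or None for normal destination routing."""
    for clause in ROUTE_MAP:
        if clause["match"](flow):
            return clause["set_next_hop"]
    return None

if __name__ == "__main__":
    print("ACL source range:", WEB_SOURCE)
    for flow in SAMPLE_FLOWS:
        print(flow, "->", policy_route(flow) or "routing table")
```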

Yes, of course, why not just apply the PBR on the distribution switch? I wonder why I didn’t think of that earlier. I will test my switch by tomorrow. Once I get confirmed results, I think it would be best to just apply the configuration on the distribution switch.


September 26, 2010  6:39 AM

How to use Policy Based Routing? – part 1



Posted by: Sulaiman Syed
based, BlueCoat, Cisco, HTTP, HTTPS, PBR, policy, redirect, routing

Policy Based Routing (PBR) is one of the technologies that gives us the strength to shape or police the way traffic is routed in an enterprise. PBR can be used in various applications within the enterprise. One of the main examples of using policy based routing is giving a certain ISP preference for certain applications. This method can be used to manipulate the routing of packets without altering the routing protocol operation.

Unfortunately, we ran into an issue where the layer 4 switch was no longer able to coordinate with the BlueCoat proxy for HTTPS traffic, while HTTP traffic was working just fine. Ultimately, I suggested introducing PBR to solve this issue. Figure 1 shows the topology.


I would replace the application layer switch with a Cisco 3560 switch, make the appropriate routing changes, then do the policy routing. The policy routing would be as follows:

any HTTP or HTTPS traffic should be forwarded to the BlueCoat, while the rest of the traffic should be forwarded to the Internet router.


September 21, 2010  5:02 AM

Troubleshooting Packeteer 6500



Posted by: Sulaiman Syed
6500, BlueCoat, CGF, license, packet, packeteer, shaping, troubleshooting

Today’s topic is about Packeteer, Blue Coat’s packet shaping device. We have Packeteer 10000, 7500 and 6500 units. So one day the 6500 decided to crash and not boot up! After spending hours and hours reading forums and support documents, we just had to try everything to solve it ourselves, and yes, we arrived at a step by step troubleshooting method. We tried it many times with that device, and it always seems to work.

1- Make a backup of all the files in the flash of the Packeteer device. The files should be backed up before and after any major upgrade.

2- In the case that the device fails:
a. Try resetting the flash, hard disk and RAM. If that doesn’t work,
b. try to run the backup image by pressing Ctrl+B during “loading…”. If it doesn’t show,
c. try to run the backup image from the boot monitor. The boot monitor can be accessed by pressing Ctrl+Y during “booting…”, then using option C. If no image files can be seen,
d. try to format the flash from the boot monitor (during “booting…”, then option H). After formatting,
e. add the image file under BIN, then
f. try to run image.zoo from the boot monitor (it is better to name the OS image.zoo, since the device gave us errors when using other names). If it works,
g. add the configuration files to CFG. If loading the image doesn’t work,
h. repeat a. If the image still doesn’t work,
i. repeat b.
j. If working through the steps in order fails, try troubleshooting out of sequence.
k. There is a safe mode reached with Ctrl+A; this mode was not helpful to us at all.
l. To reset the password, type “touchpwd=” at the password prompt.

3- The device is very sensitive to many things; it could reject a working flash or a working image for no apparent logical reason.

These steps were concluded from our troubleshooting of two Packeteer devices for almost 6-7 hours straight.

One of the main issues was that we had just loaded the image after formatting the flash. The implications of this were:

1- We lost the CFG folder for the external device, which held the license files, specifically Basic.cfg (in this file the license is bound to the serial number of the device; without this file the device is just a piece of stone).
2- The configuration menu was not checked, which again resulted in an unstable device that kept hanging.

We were fortunate that we had a very old backup of the device (dated 2008), from which we managed to use the files. But it forced us to go through the whole troubleshooting sequence because of the mismatch between the configuration files and the image files.

Our advice for the future is that when buying a new device from Packeteer, the support contract must be for a period of 3-4 years. It was noted in our troubleshooting that these devices were very unstable, and many other people have complained about some of the issues that come up randomly.