Event Organization

There were plenty of partner booths showing various Cisco and Cisco partner components, but the space felt crowded. The hall was big, with enough space for walking and meeting up with people. Although I didn’t like how the coffee and drinks time was very restrictive.

Talks

The talks were all very informative. The keynote was the highlight, Duncan, Dan, and Rabih made a very interesting presentation. I would say that I enjoyed it thoroughly. The other talks were interesting as well. I give it to Cisco to give interesting talks.

Technology

We saw a new networking device. The Unified Access Switch. It is a switch that give connectivity for the wired and wireless. It is a Switch and a controller. I would say that switch 3850 is the go switch to install at the edge of network. To this day, no competitor has came up with something even remotely similar to this. I would talk about this switch in details in coming days.

Identity Services Engine (ISE) +BYOD was the second highlight. With a live demonstration how BYOD can be added to the enterprise network with the right security policies applied through a single interface. I did like how Cisco are trying to integrate their management solutions, and easing the network and security operations with Prime + ISE.

Overall, the event was successful, entertaining and informative. We saw new technologies, how Cisco is adapting to changes in the networking field,  A killer switch 3850 which was being sold at the price of 3750X, and ISE with adaptability to observe the BYOD movement.

Nexus Line card modules fall into two major categories. M1, and F1. There is another variation to the M1 which is M1-XL. Brad Hedlund wrote a good article that can be referenced for reading, titled “Cisco Nexus 7000 connectivity solutions for Cisco UCS”

M1, M1-XL

M1 Series were the introductory line cards that were offered by Cisco for Nexus. They come with a fabric of 80GB. These cards have 10Gig links making them ideal for Distribution layer. Lets put down the specifications or performance Metrics from the data sheets. These cards provide the Layer 2 and Layer 3 connectivity! You can always multiply these numbers with the maximum line cards possible to install into a chassis to get the marketing figures.
1- Delivery at 60 Million Packets per second (Mpps) for layer 2,3 IPv4.
2- Delivery at 30 Mpps IPv6 unicast.
3- Delivery of Access Control List (ACL) to 64k entries per module. The entries include address of Layer 2,3,4 and Cisco’s Metadata fields- security group tags (SGTs)
4- in 32 Port line card, each 4 ports share 10GB of Fabric. They can run either 1 port 10GIG disable 2,3, and 4 OR all 4 in shared mode.
5- Memory 1GB DRAM
6- Network management: Cisco DCNM 4.0
7- Mac addresses table size of 128k entry
8- FIB table of 128k entry
9- Netflow supports 512k Entry in both Ingres and Egress
10- 16384 bridge domains and 4096 vlan per Virtual Device Context (VDC)
11- Policers of 16k entry

M1-XL Series offers the flexibility or the performance to be internet-facing deployment with wider transceivers module support. What it basically offers the possibility of larger FIB. This can be seen from the following:
* up to 1M IPv4 routes (depending on prefix distribution)
* up to 350k IPv6 routes (depending on prefix distribution)

This was not possible in the M1 Line Cards. M1-XL does provide extra ACL entries support compared to M1, which increased DRAM
1- Memory 2GB DRAM
2- Delivery of Access Control List (ACL) to 128k entries per module.
3- Network management: Cisco DCNM 5.1

F1
F1 Series Line Cards were introduced after the M1. They provide a slight cheaper and more port density with ONLY layer 2 forwarding. This makes an ideal Line card for Access layer. What happens if layer three processing is required? The Line card will forward that traffic to M1, M1-XL cards for processing. These cards have Fabric of 230 GB.

1- 480 Mpps layer two forwarding
2- Delivery of Access Control List (ACL) to 32k entries per module. The entries include address of Layer 2,3,4 and Cisoc’s Metadata fields- security group tags (SGTs)
3- in 32 Port line card with 230GB of fabric.
4- Memory 1GB DRAM
5- Network managment: Cisco DCNM 5.1
6- Mac addresses table size of 16k entry per forwarding engine.

The forwarding engine is something new. Every two ports are connected by a switch on chip. (SoC), these SoC are the forwarding engine. So each SoC supports 16k. What this implies (How marketing figured came) that for 32 port, we have 16 SoC. With careful planning, if we use one VLAN per SoC we get total of 256k of Mac address support. But if we span one vlan among all SoC then we are bounded by max limit of 16k MAC entry.

These cards have the Cisco FiberPath Technology. From the data sheet

The benefits of Cisco FabricPath include:

• Operational simplicity: Cisco FabricPath embeds an autodiscovery mechanism that does not require any additional platform configuration. By offering Layer 2 connectivity, this “VLAN anywhere” characteristic simplifies provisioning and offers workload flexibility across the network.

• High resiliency and performance: Since Cisco FabricPath is a Layer 2 routed protocol, it offers stability, scalability, and optimized resiliency along with network failure containment.

• Massively scalable fabric: By building a forwarding model on 16-way ECMP, Cisco FabricPath helps prevent bandwidth bottlenecks and allows capacity to be added dynamically, without network disruption.

They also have the ability to connect FCoE. these features include
1-Virtual Sans (VSANs)
2-Inter-VSAN Routing
3-PortChannels (UP to 16 links)
4- Storage VDC.

This sums up what I found. I would include or add more things later as I learn or gather them.

Prefix list can be used with route map, and they would be referred with a match command. The command syntax as follows:

ip prefix-list list-name [seq value] {deny network/length | permit network/length} [ge value] [le value]

as seen from the syntax, the command is divided into two parts. First, the network/length. Then, ge, and le. To summarize the meaning of two parts.

1. network/length will determine range of addressed implied by the prefix list.
2. the prefix (subnet mask) of the route must match the prefixes implied by the ge (greater or equal) and le (less or equal).

This mind sound confusing slightly, but an example will show what it means.

1. 192.168.10.0/8. This means any network with 192 in the first octet only. which would mean 192.0.0.0/8 network.
2. 192.168.10.0/16 ge 16. This means any network starting 192.168.0.0/16 to 192.168.xx.xx/32
3. 192.168.10.0/8 ge 8 le 16. This will imply network starting from 192.0.0.0/8 to 192.xx.0.0/16
4. 0.0.0.0/0. This means any network with prefix zero. only default routes have this.
5. 0.0.0.0/0 le 32. This range implies all networks.

Another example to show how it works, imagine the following networks.

1. 10.1.0.0/16
2. 10.0.0.0/8
3. 10.2.0.0/16
4. 10.128.0.0/9

10.0.0.0/8 will match only network 2. since it is exact match.

10.0.0.0/8 ge 8 will match all routes. Since all of the above networks are starting with 10. and the lowest subnet mask is 8.

10.0.0.0/8 ge 9 le 16 will match network 1,3, and 4. Because ge 9 implies a subnet mask equal or greater than 9. and route 2 has subnet mask of 8.

I hope this article did explain how to write and understand prefix list. It is strong tool when it comes to filter routes in any route map. For further reading, please refer to IP prefix List by Cisco.

Implementation Plan:

The implementation will be carried in specific number of steps. The following syntax will give a general configuration which later on can be changed depending on IP addresses, switches, and number of links.

First Step: configuring IP addressed and default gateways in all network devices
en
conf t
int vlan 1
ip address 10.0.yy.xx 255.255.255.0 (where yy is distribution switch location, xx is switch number)
exit
ip default gateway 10.254.yy.1 (where yy is distribution switch location)
Second Step: configuring STP root on distribution switch.
en
conf t
spanning-tree vlan xx priority 4096 (do for all respective vlans in that building)
Third Step: configuring STP root on second distribution switch if available.
en
conf t
spanning-tree vlan xx priority 8192 (do for all respective vlans in that building)
Fourth Step: configuring the routing protocol on core switches.
en
conf t
router eigrp 10
network 10.0.0.0
Fifth Step: configuring the ports on core switches.
en
conf t
int gig x/x (x/x is the interface number)
no switchport
ip address 10.1.255.254 255.255.255.252
Sixth Step: configuring the routing protocol on distribution switch.
en
Conf t
router eigrp 10
network 10.0.0.0
Seventh Step: configuring the ports on distribution switch.
en
conf t
int gig x/x (x/x is the interface number)
no switchport
ip address 10.1.255.253 255.255.255.252
Eighth Step: configuring distribution switch for VTP
en
conf t
vtp mode server
vtp domain VTPDOMAIN
no vlan x,x-x (where x is the vlan numbers wanted to be removed)
Ninth Step: configuring access switch for VTP
en
conf t
vtp mode client
vtp domain VTPDOMAIN
Step four to step five can be combined. Step six to eight can be done in one instance as well. Since most of distribution switches do have two links, it will not be necessary to go to the building physically. Buildings that have single link connecting distribution switch to core switch will require the presence physically at both ends.

Figure 1 shows a core layer with two distribution layer, the one on the left is current, and the one on the right is the proposed. Before explaining any further, take note that although user vlans were local (shouldn’t span to core and other distribution) they were spanning cause of some poor configuration.

The core network will have ip address of 10.0.y.x/16 where y = 0 for core layer, and x = host number/id. The distribution layer follow the scheme of 10.0.y.x/16, where y = distribution switch location, x = host number/id. access switches will have same scheme as distribution just their x will start from 100.

The objective is to migrate to routed ports without loosing connectivity in management vlan and providing a good summary for routing table. This is possible by following the design on the right side of the figure. Change the subnet mask from /16 to /24 from distribution layer and lower. The routed ports will have IP address from the last subnet of the user vlans. The user vlan IP scheme follows as 10.y.x.z/24 where y is distribution switch location, x is vlan number, z is host id.  so for first distribution switch the following subnets were allocated for the routed ports. 10.1.255.255/31 and 10.1.255.252/31. second distribution switch used subnets 10.1.255.250/31 and 10.1.255.248/31.

The usual scenario, a switch goes down somewhere. and in the emergency state, someone will go bring that test lab switch, delete the running config. Then add it to production network. BAM, suddenly all vlans have disappeared, and we have whole network outage.

Reason for this phenomena is that the test lab switch will have higher configuration revision than the normal production network. Remember a Server will accept VTP update from client if the client had a higher revision number.

2-Always Hard code a trunk link between two different VTP domains.
In the case of keeping the default setting of trunk config in just one side.

interface FastEthernet0/1
switchport mode dynamic desirable

this will cause trunk negotiation to fail and the port will work as access, and you would have partial network outage.

In interesting case, it happened in my own organization. where the negotiation failed. but in Sw1 it showed the link as trunk using the command (show int trunk), and showed the link access in the Sw2!!

3-Know the maximum Vlan supported by a switch.
Some low end switches (2960, 2950,etc) have a maximum vlans support. If you make these switches into client mode. They will cause various issues, and the best solution would be to make them transparent.

ip access-list extended web
permit tcp 192.0.0.0 0.0.31.255 any eq www
permit tcp 192.0.0.0 0.0.31.255 any eq 443

First, i have defined the interesting traffic. 192.0.0.0/22 is the network i would like to redirect to my proxy server. the traffic should be sourced from this network, to any network with port number 80 and 443 (HTTP, HTTPS).

route-map web permit 10
match ip address web
set ip next-hop 10.10.0.100

here, i created a route map, that matches the Access list i made in first step, and i sat the next hope address as 10.10.0.100

route-map web permit 20

This command is important, without it. the rest of traffic will be dropped. (just the way how the last command in Access List is deny deny.)

interface Vlan10
ip address 10.10.0.2 255.255.255.0
ip policy route-map web

Since, im using a multilayer switch and my interface is defined in a vlan. i have applied the Policy in the vlan interface.

Yes, of course. why not just apply the PBR on the distribution switch. I wonder why i didn’t think of that earlier. I will test my switch by tomorrow. once i get confirmed results. I think It would be best just to apply the configuration into the distribution switch.