Great write-up on the RSTP sync process.
http://routemyworld.com/2009/06/19/bcmsn-rstp-convergence-changes-and-compatibilty/
Tuesday, December 11, 2012
Wednesday, December 5, 2012
Upgrading an ASA5520 - IOS Upgrade 9.1
In order to create a port-channel between an ASA5520 and a 4948 I needed to upgrade the code. The process is very simple to say the least. For some reason I expected it to be difficult. The process I followed is below.
1. Confirm the feature set you are looking for is supported in the new code and look for any new potential gotchas. It is customary to request a BUG SCRUB from Cisco before deploying any new code.
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/asa_91_general_config.html
2. Download the code from the Cisco portal.
3. Confirm you have enough space for the new code. Use the DIR command.
Cisco-ASA5520-01# dir
Directory of disk0:/
129 -rwx 16275456 06:03:42 Jan 30 2011 asa821-k8.bin
130 -rwx 11348300 09:15:52 Jan 30 2011 asdm-621.bin
6 drwx 4096 00:03:46 Jan 01 2003 log
13 drwx 4096 00:03:54 Jan 01 2003 crypto_archive
14 drwx 4096 00:04:28 Jan 01 2003 coredumpinfo
132 -rwx 12105313 09:13:20 Jan 30 2011 csd_3.5.841-k9.pkg
133 drwx 4096 09:13:24 Jan 30 2011 sdesktop
134 -rwx 2857568 09:13:26 Jan 30 2011 anyconnect-wince-ARMv4I-2.4.1012-k9.pkg
135 -rwx 3203909 09:13:26 Jan 30 2011 anyconnect-win-2.4.1012-k9.pkg
136 -rwx 4832344 09:13:28 Jan 30 2011 anyconnect-macosx-i386-2.4.1012-k9.pkg
137 -rwx 5209423 09:13:30 Jan 30 2011 anyconnect-linux-2.4.1012-k9.pkg
118 -rwx 3080 13:40:55 Dec 05 2012 8_2_1_0_startup_cfg.sav
255582208 bytes total (170237952 bytes free)
4. Upload the code onto the device via TFTP. Use the command copy tftp disk0:/ and you will be prompted for the IP address of the TFTP server and the source file name; press enter at the destination prompt unless you want to rename the file once it is uploaded (I never do). Confirm the MD5 hash matches what is shown on the Cisco website.
5. Change your boot statement and confirm it took. I always like to set up two statements in case there are any issues with the first IOS image.
config t
boot system disk0:/asa911-k8.bin
boot system disk0:/asa821-k8.bin
end
!
WR
!
Cisco-ASA5520-01# show bootvar
BOOT variable = disk0:/asa911-k8.bin;disk0:/asa821-k8.bin
Current BOOT variable = disk0:/asa911-k8.bin;disk0:/asa821-k8.bin;disk0:/end
CONFIG_FILE variable =
Current CONFIG_FILE variable =
6. Save your configuration and reload the device with the reload command.
7. Confirm your new code is running with the show version command.
Cisco-ASA5520-01# show version
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 6.2(1)
Compiled on Wed 28-Nov-12 10:38 by builders
System image file is "disk0:/asa911-k8.bin"
Config file at boot was "startup-config"
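As an added example (not part of the original post, and not a Cisco tool), here is a small Python pre-flight check for steps 3 and 4: it parses the free-space summary out of the `dir` output shown above and compares the MD5 of a downloaded image against the hash published on the Cisco portal. The `dir` text is taken from the post; the image bytes and the 10% headroom figure are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample: an abbreviated copy of the "dir" output shown in the post.
DIR_OUTPUT = """Directory of disk0:/
129 -rwx 16275456 06:03:42 Jan 30 2011 asa821-k8.bin
130 -rwx 11348300 09:15:52 Jan 30 2011 asdm-621.bin
255582208 bytes total (170237952 bytes free)
"""

# Constructed stand-in for a downloaded image; a real image is read from disk.
SAMPLE_IMAGE = b"constructed image bytes, not a real ASA image"
SAMPLE_MD5 = hashlib.md5(SAMPLE_IMAGE).hexdigest()   # plays the role of the portal's hash


def flash_free_bytes(dir_output: str) -> int:
    """Pull the free-space figure from the summary line of 'dir' output."""
    m = re.search(r"(\d+) bytes total \((\d+) bytes free\)", dir_output)
    if not m:
        raise ValueError("free-space summary line not found in dir output")
    return int(m.group(2))


def image_fits(dir_output: str, image_size: int, headroom: float = 0.10) -> bool:
    """True if the new image fits with headroom left for logs and coredumps (assumed 10%)."""
    return image_size * (1 + headroom) <= flash_free_bytes(dir_output)


def md5_matches(image_bytes: bytes, published_md5: str) -> bool:
    """Compare the MD5 of the downloaded image to the hash published on the vendor portal.

    MD5 is used only because that is the value the portal publishes; the comparison
    is constant-time so the result does not leak how many leading characters matched.
    """
    digest = hashlib.md5(image_bytes).hexdigest()
    return hmac.compare_digest(digest, published_md5.strip().lower())


def preflight(dir_output: str, image_bytes: bytes, published_md5: str) -> list:
    """Return a list of human-readable problems; an empty list means go ahead."""
    problems = []
    if not image_fits(dir_output, len(image_bytes)):
        problems.append("not enough free space on disk0: for the new image")
    if not md5_matches(image_bytes, published_md5):
        problems.append("MD5 of downloaded image does not match the published hash")
    return problems


if __name__ == "__main__":
    print(preflight(DIR_OUTPUT, SAMPLE_IMAGE, SAMPLE_MD5) or "preflight OK")
```

The hash published on the portal is only a useful reference when it was obtained over a separate, authenticated channel (the vendor site over HTTPS) from the one the image arrived on; the ASA can repeat the same on-box comparison with `verify /md5 disk0:/asa911-k8.bin` once the file has been copied.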
Location:
Avenel, NJ 07001, USA
Saturday, December 1, 2012
Cisco ASA Oversubscription - Maximizing Throughput (ASA 5550) Part 1
This week I ran into an oversubscription issue on an ASA5550. To alleviate the issue, we followed the Cisco recommendations below. I am including some of the conditions I saw before the change. The keyword is alleviate: depending on your traffic rates you might resolve the problem this way, but in other cases you would have to get a second pair of firewalls to segregate traffic, or upgrade to 10G. The best way to determine which is to place a sniffer inline with the ASA and drill down as close to the microsecond as you can to see the microbursts on the line and the data rate patterns.
Maximizing Throughput (ASA 5550)
The ASA 5550 has two internal buses providing copper Gigabit Ethernet and fiber Gigabit Ethernet connectivity. For Slot 1 (Bus 1), you can use either the copper ports or the fiber ports. The copper ports are enabled by default.

For maximum throughput, configure the ASA so that traffic is distributed equally between the two buses. Lay out the network so that traffic enters through one bus and exits through the other.

For example, the following figure shows the ASA configured so that traffic from the unsecure network and the secure network is evenly distributed between Bus 0 and Bus 1. Traffic from hosts on the secured network flows through interface 0/0 on Bus 0 to hosts on the unsecured network. Traffic from hosts on the unsecured network flows through interface 1/0 on Bus 1 to hosts on the secured network.
http://www.cisco.com/en/US/docs/security/asa/quick_start/5500/5500_quick_start.html#wp35995
On the ASA you can issue the show traffic command, and near the end of the output you will see the following. Ideally you would want this to be balanced. In this case, both of the oversubscribed interfaces were on Slot 0.
----------------------------------------
Per Slot Throughput Profile (1 minute)
----------------------------------------
Packets-per-second profile:
Slot 0: 12654 89%|********************************************
Slot 1: 1603 11%|*****
Bytes-per-second profile:
Slot 0: 1649003 76%|**************************************
Slot 1: 511183 24%|************
At the interface level, you would see the Underruns counter increment along with the Overruns counter (see below). To try and alleviate or resolve this issue, move one of the ports to Gi1/X and monitor it over a few days.
Per Cisco:
Interface overruns, no buffer and underruns often show that the firewall cannot process all the traffic it is receiving on its NIC. Overruns and no buffers indicate that input traffic is too much on a given interface. The interface maintains a receive ring where packets are stored before they are processed by the ASA. If the NIC is receiving traffic faster than the ASA can pull them off the receive ring, the packet will be dropped and either the no buffer or overrun counter will increment. Underruns behave similarly but deal with the transmit ring instead.
ASA5550/act# show interface gigabitEthernet 0/0
Interface GigabitEthernet0/0 "HH", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: 6509
MAC address 6400.f182.6770, MTU 1500
IP address 192.168.168.2, subnet mask 255.255.255.248
56937880 packets input, 12657181986 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
831 input errors, 0 CRC, 0 frame, 831 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
33686564 packets output, 5457717040 bytes, 577125 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (255/0)
Traffic Statistics for "HH":
56937881 packets input, 11616408550 bytes
34263689 packets output, 5097504222 bytes
12365 packets dropped
ASA5550/act# show interface gigabitEthernet 0/1
Interface GigabitEthernet0/1 "HM", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: 6509
MAC address 6400.f182.6771, MTU 1500
IP address 192.168.1.1 subnet mask 255.255.255.0
24794625 packets input, 4336231091 bytes, 0 no buffer
Received 4648 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
40981082 packets output, 3012528711 bytes, 1614642 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (255/0)
Traffic Statistics for "HM":
23737668 packets input, 3724976676 bytes
42595724 packets output, 2342955016 bytes
6597 packets dropped
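The two checks described above (per-slot balance from `show traffic`, and the overrun/no-buffer/underrun counters from `show interface`) are easy to turn into a monitoring check. The following Python is an added example, not from the original post or from Cisco: it parses abbreviated copies of the outputs shown above and reports the conditions the post describes. The 70% "busiest slot" threshold is an assumption; the counters are taken from the post.

```python
import re

# Constructed sample input: the per-slot profile exactly as printed above.
SHOW_TRAFFIC = """Per Slot Throughput Profile (1 minute)
----------------------------------------
Packets-per-second profile:
Slot 0: 12654 89%|********************************************
Slot 1: 1603 11%|*****
Bytes-per-second profile:
Slot 0: 1649003 76%|**************************************
Slot 1: 511183 24%|************
"""

# Constructed sample input: the counter lines that matter, from the two interfaces above.
SHOW_INTERFACE = """Interface GigabitEthernet0/0 "HH", is up, line protocol is up
56937880 packets input, 12657181986 bytes, 0 no buffer
831 input errors, 0 CRC, 0 frame, 831 overrun, 0 ignored, 0 abort
33686564 packets output, 5457717040 bytes, 577125 underruns
Interface GigabitEthernet0/1 "HM", is up, line protocol is up
24794625 packets input, 4336231091 bytes, 0 no buffer
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
40981082 packets output, 3012528711 bytes, 1614642 underruns
"""


def slot_profile(show_traffic: str) -> dict:
    """Return {'pps': {slot: value}, 'bps': {slot: value}} from the per-slot profile."""
    profile = {"pps": {}, "bps": {}}
    section = None
    for line in show_traffic.splitlines():
        if line.startswith("Packets-per-second"):
            section = "pps"
        elif line.startswith("Bytes-per-second"):
            section = "bps"
        else:
            m = re.match(r"Slot (\d+):\s+(\d+)\s+(\d+)%", line)
            if m and section:
                profile[section][int(m.group(1))] = int(m.group(2))
    return profile


def bus_imbalance(show_traffic: str, key: str = "pps") -> float:
    """Share carried by the busier bus: 0.5 is perfectly balanced, 1.0 is all on one bus."""
    values = slot_profile(show_traffic)[key]
    total = sum(values.values())
    return max(values.values()) / total if total else 0.0


def interface_drops(show_interface: str) -> dict:
    """Map interface name -> {'no_buffer', 'overrun', 'underruns'} counters."""
    patterns = {
        "no_buffer": r"(\d+) no buffer",     # receive ring: ASA could not take the packet
        "overrun": r"(\d+) overrun",         # receive ring: NIC overwrote unread slots
        "underruns": r"(\d+) underruns",     # transmit ring: NIC starved on output
    }
    result, current = {}, None
    for line in show_interface.splitlines():
        header = re.match(r'Interface (\S+) "', line)
        if header:
            current = header.group(1)
            result[current] = {k: 0 for k in patterns}
            continue
        if current is None:
            continue
        for key, pattern in patterns.items():
            m = re.search(pattern, line)
            if m:
                result[current][key] = int(m.group(1))
    return result


def oversubscription_findings(show_traffic: str, show_interface: str, max_share: float = 0.7) -> list:
    """Return one finding per condition the post describes; empty list means nothing to report."""
    findings = []
    share = bus_imbalance(show_traffic)
    if share > max_share:
        findings.append(f"bus imbalance: busiest slot carries {share:.0%} of packets")
    for name, c in interface_drops(show_interface).items():
        if c["overrun"] or c["no_buffer"]:
            findings.append(f"{name}: receive ring drops (overrun={c['overrun']}, no buffer={c['no_buffer']})")
        if c["underruns"]:
            findings.append(f"{name}: transmit ring underruns={c['underruns']}")
    return findings


if __name__ == "__main__":
    for finding in oversubscription_findings(SHOW_TRAFFIC, SHOW_INTERFACE):
        print(finding)
```

Counters on the ASA are cumulative since the last clear, so in a real check compare two samples some minutes apart and alert on the delta, not on the absolute value; a large but static underrun count is history, a growing one is the condition described above.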
Location:
Avenel, NJ 07001, USA
Wednesday, November 28, 2012
Data Center Knowledge
Two great sites that I personally follow to keep current with the data center industry.
http://www.datacenterknowledge.com/
http://blogs.cisco.com/tag/datacenterdeconstructed/
Tuesday, November 27, 2012
PIM Sparse-Mode: Register via one link and SPT cutover via another link.
Figure 1
Let's enable multicast routing on all the devices, sparse-mode on the interfaces, and configure the RP details.
R1 - R2 - R3
ip multicast-routing
!
interface range fa0/0 - 1
ip pim sparse-mode
!
ip pim rp-address 1.1.1.1 multicast_groups override
!
ip access-list standard multicast_groups
permit 233.54.1.1
Now let's assign some IP addresses to the interfaces and set up static routes.
R3:
interface FastEthernet0/0
ip address 192.168.100.1 255.255.255.0
ip pim sparse-mode
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 192.168.101.1 255.255.255.0
ip pim sparse-mode
speed 100
full-duplex
!
ip route 1.1.1.1 255.255.255.255 FastEthernet0/0 192.168.100.2 name RP
ip route 2.2.2.2 255.255.255.255 FastEthernet0/1 192.168.101.2 name 233_54_1_1_Source
R2:
interface FastEthernet0/0
ip address 192.168.103.2 255.255.255.0
ip pim sparse-mode
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 192.168.101.2 255.255.255.0
ip pim sparse-mode
speed 100
full-duplex
ip route 1.1.1.1 255.255.255.255 FastEthernet0/0 192.168.103.1 name RP
ip route 2.2.2.2 255.255.255.255 FastEthernet0/0 192.168.103.1 name 233_54_1_1_Source
R1:
interface FastEthernet0/0
ip address 192.168.103.1 255.255.255.0
ip pim sparse-mode
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 192.168.100.2 255.255.255.0
ip pim sparse-mode
speed 100
full-duplex
Now we need to configure our loopback interfaces on R1 for the RP address and the source address. Enable sparse-mode on the loopback interfaces as well; if not, it won't work.
R1:
interface Loopback1
ip address 1.1.1.1 255.255.255.255
ip pim sparse-mode
!
interface Loopback2
ip address 2.2.2.2 255.255.255.255
ip pim sparse-mode
Let's set up a dummy loopback interface on R3 and statically join our multicast group on it, since I don't have an actual host to use to join the group. This will take the place of that host.
R3:
interface Loopback0
ip address 3.3.3.3 255.255.255.255
ip pim sparse-mode
ip igmp static-group 233.54.1.1
Now let's issue this command from R1: "ping 233.54.1.1 source loopback 2 repeat 3". I am just going to show you how R2 looks after we issue the command.
Currently R2 has no mcast state until the ping command is issued on R1, because R3 is sending a Join only to R1 and not to R2, due to how routing is set up by design. When we added the static join to the R3 loopback interface, it let R1 know that R3 was interested in joining this group and also wanted to know the source of the group. Since no data was being published from the host at that time, nothing was sent to R2. Once we issue the above command, R3 will learn the source (2.2.2.2), see that it has to go through R2 to reach that source, and in turn tell R2 that it wants to join 233.54.1.1.
R2#
*Mar 1 01:42:52.495: PIM(0): Check RP 1.1.1.1 into the (*, 233.54.1.1) entry
*Mar 1 01:42:52.551: PIM(0): Received v2 Join/Prune on FastEthernet0/1 from 192.168.101.1, to us
*Mar 1 01:42:52.551: PIM(0): Join-list: (2.2.2.2/32, 233.54.1.1), S-bit set
*Mar 1 01:42:52.555: PIM(0): Add FastEthernet0/1/192.168.101.1 to (2.2.2.2, 233.54.1.1), Forward state, by PI M SG Join
*Mar 1 01:42:52.555: PIM(0): Insert (2.2.2.2,233.54.1.1) join in nbr 192.168.103.1's queue
*Mar 1 01:42:52.559: PIM(0): Building Join/Prune packet for nbr 192.168.103.1
*Mar 1 01:42:52.559: PIM(0): Adding v2 (2.2.2.2/32, 233.54.1.1), S-bit Join
R2#
*Mar 1 01:42:52.559: PIM(0): Send v2 join/prune to 192.168.103.1 (FastEthernet0/0)
R2#
On R3 we can see that the (*,G) and (S,G) entries have two different incoming interfaces. This is by design and expected because of how we have this set up.
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
L - Local, P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set, J - Join SPT, M - MSDP created entry,
X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
U - URD, I - Received Source Specific Host Report,
Z - Multicast Tunnel, z - MDT-data group sender,
Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode
(*, 233.54.1.1), 00:51:56/stopped, RP 1.1.1.1, flags: SJC
Incoming interface: FastEthernet0/0, RPF nbr 192.168.100.2
Outgoing interface list:
Loopback0, Forward/Sparse, 00:51:56/00:01:44
(2.2.2.2, 233.54.1.1), 00:00:03/00:02:56, flags: J
Incoming interface: FastEthernet0/1, RPF nbr 192.168.101.2
Outgoing interface list:
Loopback0, Forward/Sparse, 00:00:03/00:02:56
R3#
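The reason the two entries have different incoming interfaces is that each is the result of a separate RPF lookup: (*,G) is checked against the route to the RP, (S,G) against the route to the source. The following Python is an added example, not code from the original post or from any Cisco tool: it performs a longest-prefix-match RPF lookup against a unicast table constructed from R3's two static routes and connected networks above, and shows the SPT cutover moving the incoming interface from Fa0/0 to Fa0/1 exactly as the mroute table shows.

```python
import ipaddress

# Constructed from R3's configuration above: two static /32 routes plus the
# two connected networks (a hypothetical unicast RIB, not device output).
R3_ROUTES = [
    ("1.1.1.1/32", "FastEthernet0/0", "192.168.100.2"),   # RP
    ("2.2.2.2/32", "FastEthernet0/1", "192.168.101.2"),   # source of 233.54.1.1
    ("192.168.100.0/24", "FastEthernet0/0", None),        # connected
    ("192.168.101.0/24", "FastEthernet0/1", None),        # connected
]


def rpf_lookup(routes, address):
    """Longest-prefix match: return (interface, rpf_neighbor) for an address.

    rpf_neighbor is None for a connected network. A missing route raises,
    which is what an RPF failure looks like on the router: the packet is dropped.
    """
    target = ipaddress.ip_address(address)
    best = None
    for prefix, iface, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    if best is None:
        raise LookupError(f"no route to {address}; RPF check fails")
    return best[1], best[2]


def mroute_incoming_interfaces(routes, rp, source):
    """(*,G) is rooted at the RP, (S,G) at the source; each gets its own RPF lookup."""
    return {
        "(*,G)": rpf_lookup(routes, rp),
        "(S,G)": rpf_lookup(routes, source),
    }


def spt_switchover_changes_iif(routes, rp, source):
    """True when SPT cutover moves the incoming interface, as seen on R3 above."""
    iifs = mroute_incoming_interfaces(routes, rp, source)
    return iifs["(*,G)"][0] != iifs["(S,G)"][0]


if __name__ == "__main__":
    for entry, (iface, nbr) in mroute_incoming_interfaces(R3_ROUTES, "1.1.1.1", "2.2.2.2").items():
        print(f"{entry}: Incoming interface {iface}, RPF nbr {nbr}")
```

Compare the two printed lines with the "Incoming interface" lines in R3's mroute table above; the (*,G) entry follows the route named RP and the (S,G) entry follows the route named 233_54_1_1_Source.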
Labels: multicast, pim, routing, Sparse-mode
Location:
Avenel, NJ 07001, USA
Sunday, November 25, 2012
Spanning-Tree Customization - Port Cost & Port Priority
We are going to review how to influence the STA (Spanning Tree Algorithm) path selection. We are going to use figure 1 for this.
Figure 1
Keep the following STP rules in mind; they are applied in this order to choose a path:
- Lowest root bridge ID
- Lowest root path cost
- Lowest sender bridge ID
- Lowest sender port ID
Based on the output below we can see that the root port for VLAN 25 is Gi1/47. Let's suppose we wanted to use Gi1/48 instead of Gi1/47. How would we do this? We would need to modify the port cost on Switch 02, or modify the port priority that we are receiving from Switch 01. In our case we will modify the port cost on Switch 02 for Gi1/48. The port cost is related to the port bandwidth: if you have a 10 Mbit port then the port cost will be higher. It's an inverse relationship.
Cisco_4948E_02#show spanning-tree vlan 25
VLAN0025
Spanning tree enabled protocol rstp
Root ID Priority 32793
Address 4055.39a7.bb80
Cost 4
Port 47 (GigabitEthernet1/47)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32793 (priority 32768 sys-id-ext 25)
Address 4055.39a8.1000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/47 Root FWD 4 128.47 P2p
Gi1/48 Altn BLK 4 128.48 P2p
Let's make our changes and confirm Gi1/48 is now being used as the root port.
Cisco_4948E_02(config)#int gi 1/48
Cisco_4948E_02(config-if)#spanning-tree vlan 25 cost 2
Cisco_4948E_02(config-if)#end
Cisco_4948E_02#show spanning-tree vlan 25
VLAN0025
Spanning tree enabled protocol rstp
Root ID Priority 32793
Address 4055.39a7.bb80
Cost 2
Port 48 (GigabitEthernet1/48)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32793 (priority 32768 sys-id-ext 25)
Address 4055.39a8.1000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/47 Altn BLK 4 128.47 P2p
Gi1/48 Root FWD 2 128.48 P2p
Now let's put everything back to default; then we will modify the port priority on Switch 01 and see how it affects the decision Switch 02 makes. Based on the output below, all is back to normal.
Cisco_4948E_02#show spanning-tree vlan 25
VLAN0025
Spanning tree enabled protocol rstp
Root ID Priority 32793
Address 4055.39a7.bb80
Cost 4
Port 47 (GigabitEthernet1/47)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32793 (priority 32768 sys-id-ext 25)
Address 4055.39a8.1000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/47 Root FWD 4 128.47 P2p
Gi1/48 Altn BLK 4 128.48 P2p
Let's make some changes on Switch 01, but before we do, let's verify some details to compare afterwards. We can see the port ID being received from Switch 01 is 128.47 for Gi1/47 and 128.48 for Gi1/48. We will modify this on Switch 01, and by changing it we will prefer Gi1/48. This keeps us in line with the original goal of using Gi1/48.
Cisco_4948E_02#show spanning-tree vlan 25 detail
VLAN0025 is executing the rstp compatible Spanning Tree protocol
Bridge Identifier has priority 32768, sysid 25, address 4055.39a8.1000
Configured hello time 2, max age 20, forward delay 15, transmit hold-count 6
Current root has priority 32793, address 4055.39a7.bb80
Root port is 47 (GigabitEthernet1/47), cost of root path is 4
Topology change flag not set, detected flag not set
Number of topology changes 10 last change occurred 00:32:15 ago
from GigabitEthernet1/47
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0, aging 300
Port 47 (GigabitEthernet1/47) of VLAN0025 is root forwarding
Port path cost 4, Port priority 128, Port Identifier 128.47.
Designated root has priority 32793, address 4055.39a7.bb80
Designated bridge has priority 32793, address 4055.39a7.bb80
Designated port id is 128.47, designated path cost 0
Timers: message age 16, forward delay 0, hold 0
Number of transitions to forwarding state: 3
Link type is point-to-point by default
BPDU: sent 10, received 1362
Port 48 (GigabitEthernet1/48) of VLAN0025 is alternate blocking
Port path cost 4, Port priority 128, Port Identifier 128.48.
Designated root has priority 32793, address 4055.39a7.bb80
Designated bridge has priority 32793, address 4055.39a7.bb80
Designated port id is 128.48, designated path cost 0
Timers: message age 16, forward delay 0, hold 0
Number of transitions to forwarding state: 4
Link type is point-to-point by default
BPDU: sent 14, received 88569
Cisco_4948E_01(config)#int gi 1/47
Cisco_4948E_01(config-if)#spanning-tree port-priority 32
Cisco_4948E_01(config-if)#int gi 1/48
Cisco_4948E_01(config-if)#spanning-tree port-priority 16
Cisco_4948E_01(config-if)#end
Cisco_4948E_02#show spanning-tree vlan 25 detail
VLAN0025 is executing the rstp compatible Spanning Tree protocol
Bridge Identifier has priority 32768, sysid 25, address 4055.39a8.1000
Configured hello time 2, max age 20, forward delay 15, transmit hold-count 6
Current root has priority 32793, address 4055.39a7.bb80
Root port is 48 (GigabitEthernet1/48), cost of root path is 4
Topology change flag set, detected flag not set
Number of topology changes 11 last change occurred 00:00:02 ago
from GigabitEthernet1/48
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 32, notification 0, aging 300
Port 47 (GigabitEthernet1/47) of VLAN0025 is alternate blocking
Port path cost 4, Port priority 128, Port Identifier 128.47.
Designated root has priority 32793, address 4055.39a7.bb80
Designated bridge has priority 32793, address 4055.39a7.bb80
Designated port id is 32.47, designated path cost 0
Timers: message age 15, forward delay 0, hold 0
Number of transitions to forwarding state: 3
Link type is point-to-point by default
BPDU: sent 10, received 1400
Port 48 (GigabitEthernet1/48) of VLAN0025 is root forwarding
Port path cost 4, Port priority 128, Port Identifier 128.48.
Designated root has priority 32793, address 4055.39a7.bb80
Designated bridge has priority 32793, address 4055.39a7.bb80
Designated port id is 16.48, designated path cost 0
Timers: message age 15, forward delay 0, hold 0
Number of transitions to forwarding state: 5
Link type is point-to-point by default
BPDU: sent 16, received 88606
Cisco_4948E_02#
Cisco_4948E_02#show spanning-tree vlan 25
VLAN0025
Spanning tree enabled protocol rstp
Root ID Priority 32793
Address 4055.39a7.bb80
Cost 4
Port 48 (GigabitEthernet1/48)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32793 (priority 32768 sys-id-ext 25)
Address 4055.39a8.1000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/47 Altn BLK 4 128.47 P2p
Gi1/48 Root FWD 4 128.48 P2p
Friday, November 23, 2012
Spanning Tree (STP 802.1d and RSTP 802.1w) Debug & Notes
I am going to simulate a failure scenario while running 802.1d and then while running 802.1w. Currently ports Gi1/47 (green) and Gi1/48 (red) are configured as trunk ports and are allowing all VLANs through. Gi1/48 is in a blocking (ALTN) state for VLAN 25. I am going to admin down Gi1/47 and enable debugging so we can see the events that occur. At the same time I will ping from SW01 to SW02 to see how long it takes to converge.
Verifications:
Cisco_4948E_02#show spanning-tree root
Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001 20481 4055.39a8.1000 0 2 20 15
VLAN0025 32793 4055.39a7.bb80 4 2 20 15 Gi1/47
VLAN0026 32794 4055.39a8.1000 0 2 20 15
VLAN0052 32820 4055.39a8.1000 0 2 20 15
Cisco_4948E_02#show spanning-tree vlan 25
VLAN0025
Spanning tree enabled protocol ieee
Root ID Priority 32793
Address 4055.39a7.bb80
Cost 4
Port 47 (GigabitEthernet1/47)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32793 (priority 32768 sys-id-ext 25)
Address 4055.39a8.1000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/47 Root FWD 4 128.47 P2p
Gi1/48 Altn BLK 4 128.48 P2p
Cisco_4948E_02#
Enable Debugging & Setup Ping:
Cisco_4948E_02#debug spanning-tree events
Spanning Tree event debugging is on
!
Cisco_4948E_02#terminal monitor
Cisco_4948E_02#
Cisco_4948E_01#ping 192.168.25.2 repeat 100000 timeout 5
Fail Over:
Now we shutdown Gi1/47 while running 802.1d.
Cisco_4948E_02(config)#int gi 1/47
Cisco_4948E_02(config-if)#shut
Cisco_4948E_02(config-if)#
*Nov 23 11:51:10.423: STP: VLAN0025 new root port Gi1/48, cost 4
*Nov 23 11:51:10.423: STP: VLAN0025 Gi1/48 -> listening
*Nov 23 11:51:12.419: %HSRP-5-STATECHANGE: Vlan25 Grp 25 state Standby -> Init
*Nov 23 11:51:12.423: STP: VLAN0025 sent Topology Change Notice on Gi1/48
*Nov 23 11:51:13.331: STP: VLAN0001 Topology Change rcvd on Gi1/48
*Nov 23 11:51:13.331: STP: VLAN0026 Topology Change rcvd on Gi1/48
*Nov 23 11:51:25.423: STP: VLAN0025 Gi1/48 -> learning
*Nov 23 11:51:40.423: STP: VLAN0025 Gi1/48 -> forwarding
*Nov 23 11:52:05.347: %HSRP-5-STATECHANGE: Vlan25 Grp 25 state Speak -> Standby
Results:
It took forty seconds for spanning tree to converge. This can be seen from the ping output below, which was run with a timeout of 5 seconds. By default it can take up to 50 seconds, plus whatever additional time your first-hop redundancy protocol needs.
!!!!!!!........!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!
Success rate is 99 percent (9246/9254), round-trip min/avg/max = 1/1/28 ms
Cisco_4948E_01#
Let's do the same test while running 802.1w with all timers at their defaults.
Cisco_4948E_02#show spanning-tree root
Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001 20481 4055.39a8.1000 0 2 20 15
VLAN0025 32793 4055.39a7.bb80 4 2 20 15 Gi1/47
VLAN0026 32794 4055.39a8.1000 0 2 20 15
VLAN0052 32820 4055.39a8.1000 0 2 20 15
Cisco_4948E_02#show spanning-tree vlan 25
VLAN0025
Spanning tree enabled protocol rstp
Root ID Priority 32793
Address 4055.39a7.bb80
Cost 4
Port 47 (GigabitEthernet1/47)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32793 (priority 32768 sys-id-ext 25)
Address 4055.39a8.1000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/47 Root FWD 4 128.47 P2p
Gi1/48 Altn BLK 4 128.48 P2p
Cisco_4948E_02(config-if)#
*Nov 23 14:13:30.643: RSTP(25): updt roles, root port Gi1/47 going down
*Nov 23 14:13:30.643: RSTP(25): Gi1/48 is now root port
Cisco_4948E_01#ping 192.168.25.2 repeat 100000 timeout 2
Type escape sequence to abort.
Sending 100000, 100-byte ICMP Echos to 192.168.25.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!
Success rate is 99 percent (984/985), round-trip min/avg/max = 1/1/16 ms
Cisco_4948E_01#
Since RSTP is much faster than legacy STP, I set the timeout to 2 seconds. We can see that it converges well within 2 seconds. Compare that to the 40 seconds we waited for legacy STP.
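As an added example (not from the original post), here is a small Python script that pulls the convergence numbers out of the debug lines above instead of reading them by eye: it groups the `debug spanning-tree events` output per VLAN and protocol, times each 802.1d state transition, and reports how long HSRP took to settle on top of spanning tree. The year in the timestamps is an assumption, since IOS does not log it.

```python
"""Measure STP/RSTP convergence from IOS 'debug spanning-tree events' output."""
import re
from datetime import datetime

# Constructed sample: the 802.1d and 802.1w debug lines captured above,
# pasted into one string so the script runs offline.
DEBUG_LOG = """\
*Nov 23 11:51:10.423: STP: VLAN0025 new root port Gi1/48, cost 4
*Nov 23 11:51:10.423: STP: VLAN0025 Gi1/48 -> listening
*Nov 23 11:51:12.419: %HSRP-5-STATECHANGE: Vlan25 Grp 25 state Standby -> Init
*Nov 23 11:51:12.423: STP: VLAN0025 sent Topology Change Notice on Gi1/48
*Nov 23 11:51:25.423: STP: VLAN0025 Gi1/48 -> learning
*Nov 23 11:51:40.423: STP: VLAN0025 Gi1/48 -> forwarding
*Nov 23 11:52:05.347: %HSRP-5-STATECHANGE: Vlan25 Grp 25 state Speak -> Standby
*Nov 23 14:13:30.643: RSTP(25): updt roles, root port Gi1/47 going down
*Nov 23 14:13:30.643: RSTP(25): Gi1/48 is now root port
"""

YEAR = 2012  # IOS timestamps carry no year; the year of the post is assumed

LINE_RE = re.compile(r"^\*(\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): (.*)$")
STP_ROOT_RE = re.compile(r"^STP: (VLAN\d{4}) new root port (\S+),")
STP_STATE_RE = re.compile(r"^STP: (VLAN\d{4}) (\S+) -> (listening|learning|forwarding)$")
RSTP_DOWN_RE = re.compile(r"^RSTP\((\d+)\): updt roles, root port (\S+) going down$")
RSTP_ROOT_RE = re.compile(r"^RSTP\((\d+)\): (\S+) is now root port$")
HSRP_RE = re.compile(r"^%HSRP-5-STATECHANGE: Vlan(\d+) Grp \d+ state \S+ -> (\S+)$")


def parse_ts(text: str) -> datetime:
    """'Nov 23 11:51:10.423' -> datetime in the assumed year."""
    return datetime.strptime("%d %s" % (YEAR, text), "%Y %b %d %H:%M:%S.%f")


def timeline(log: str) -> dict:
    """Group events per (VLAN, protocol): {"start": datetime,
    "events": [(secs, label)], "hsrp": [(secs, new_state)]}, with secs
    counted from the first spanning-tree event of that VLAN and protocol."""
    groups = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        if (r := STP_ROOT_RE.match(msg)):
            key, label = (r.group(1), "802.1d"), "new root port " + r.group(2)
        elif (r := STP_STATE_RE.match(msg)):
            key, label = (r.group(1), "802.1d"), "%s %s" % (r.group(2), r.group(3))
        elif (r := RSTP_DOWN_RE.match(msg)):
            key, label = ("VLAN%04d" % int(r.group(1)), "802.1w"), "root port %s down" % r.group(2)
        elif (r := RSTP_ROOT_RE.match(msg)):
            key, label = ("VLAN%04d" % int(r.group(1)), "802.1w"), "%s root" % r.group(2)
        elif (r := HSRP_RE.match(msg)):
            # HSRP runs on the SVI: attach the change to every open group for that VLAN
            vlan = "VLAN%04d" % int(r.group(1))
            for (v, _), g in groups.items():
                if v == vlan and ts >= g["start"]:
                    g["hsrp"].append(((ts - g["start"]).total_seconds(), r.group(2)))
            continue
        else:
            continue  # topology change notices and other chatter
        g = groups.setdefault(key, {"start": ts, "events": [], "hsrp": []})
        g["events"].append(((ts - g["start"]).total_seconds(), label))
    return groups


def state_durations(log: str) -> dict:
    """Seconds spent between consecutive events, e.g. listening -> learning."""
    out = {}
    for key, g in timeline(log).items():
        ev = g["events"]
        out[key] = [(a[1], b[1], round(b[0] - a[0], 3)) for a, b in zip(ev, ev[1:])]
    return out


def convergence_seconds(log: str) -> dict:
    """Seconds from the first event until the new root port is forwarding
    (802.1d) or elected (802.1w); None if the log never gets there."""
    out = {}
    for key, g in timeline(log).items():
        done = [t for t, label in g["events"]
                if label.endswith(" forwarding") or label.endswith(" root")]
        out[key] = done[-1] if done else None
    return out


def hsrp_settle_seconds(log: str) -> dict:
    """Seconds until HSRP is back in Active or Standby, i.e. the extra time
    the first-hop redundancy protocol adds on top of spanning tree."""
    out = {}
    for key, g in timeline(log).items():
        settled = [t for t, state in g["hsrp"] if state in ("Active", "Standby")]
        out[key] = settled[-1] if settled else None
    return out
```

On the sample the 802.1d run shows the two 15-second timers (listening and learning) and a 30-second path to forwarding, with HSRP taking roughly 55 seconds to return to Standby.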
Notes:
Default 802.1d Timers and States:
Disabled: Port is admin down.
Blocking: Port is up but not building the CAM table or forwarding any frames via this interface.
Max Age: 20 seconds - How long the bridge (switch) should wait after it stops hearing hellos.
Listening: 15 seconds - Receiving BPDUs but not building the CAM (MAC) table.
Learning: 15 seconds - Starts building the CAM (MAC) table.
Forwarding: Processing frames.
Legacy Spanning Tree - The root bridge controls the forward delay, as it is responsible for sending out BPDUs.
| Data rate | STP Cost (802.1D-1998) |
|---|---|
| 4 Mbit/s | 250 |
| 10 Mbit/s | 100 |
| 16 Mbit/s | 62 |
| 100 Mbit/s | 19 |
| 1 Gbit/s | 4 |
| 2 Gbit/s | 3 |
| 10 Gbit/s | 2 |

| Data rate | RSTP Cost (802.1D-2004 / 802.1w) |
|---|---|
| 4 Mbit/s | 5,000,000 |
| 10 Mbit/s | 2,000,000 |
| 16 Mbit/s | 1,250,000 |
| 100 Mbit/s | 200,000 |
| 1 Gbit/s | 20,000 |
| 2 Gbit/s | 10,000 |
| 10 Gbit/s | 2,000 |
Labels:
642-813,
cisco,
ios,
Spanning Tree,
STP
Location:
Avenel, NJ 07001, USA
Tuesday, November 20, 2012
Installing a new Cisco ASA-5520 & Creating Secure Networks
I decided to add a Cisco ASA 5520 to my lab. We will use Figure 1 to visualize this. I am going to guide you through how to do this and actually route some packets through it. I have only done minor configurations on an ASA beforehand, never to this extent. I created two networks, 10.50.51.0/24 and 10.50.52.0/24, for this lab. These are what I will call secure networks. All communication between these two networks must traverse the firewall.
On 4948_01 I created VLAN 51 (10.50.51.0/24) and on 4948_02 I created VLAN 52. I have seen this used in networks where it was a security requirement from the infosec team. I also could have created both VLANs on one switch and still routed the traffic via the firewall. Some people might use VLAN ACLs to secure communications between two VLANs, but let's say that for this we had a requirement to use a firewall. Additionally, the networks had to live on two separate switches.
Let's create the VLANs and SVIs on the switches and assign IP addresses.
Cisco_4948E_01#
vlan 51
name secure_network_10.50.51.0
!
interface Vlan51
ip address 10.50.51.254 255.255.255.0
no shut
Cisco_4948E_02#
vlan 52
name secure_network_10.50.52.0
!
interface Vlan52
ip address 10.50.52.254 255.255.255.0
no shut
Now we need to add the firewall into the mix. For this I connected one cable from each 4948 (Gi1/46) to the ASA 5520. I made the Gi1/46 interfaces on the 4948s routed (Layer 3) and defined a static route on each switch pointing to the opposite network. By the way, I used named static routes: a few weeks or months from now you might not remember why you put in that static route. When possible, use them.
Cisco_4948E_01
interface GigabitEthernet1/46
description ASA_GigabitEthernet0/3
no switchport
ip address 192.168.1.1 255.255.255.252
exit
!
ip route 10.50.52.0 255.255.255.0 GigabitEthernet1/46 192.168.1.2 name secure_network
!
Cisco_4948E_02
interface GigabitEthernet1/46
description ASA_GigabitEthernet0/2
no switchport
ip address 192.168.1.5 255.255.255.252
!
ip route 10.50.51.0 255.255.255.0 GigabitEthernet1/46 192.168.1.6 name secure_network
!
This takes care of the switching end of things. Now on to the firewall configuration. First you need to configure your interfaces, because the static routes and ACLs will tie into them later. Under each interface you assign a name and an IP address, then a security level. I chose 50 and 100 at random. Security levels are exactly that: a higher-level interface can talk to a lower-level interface, but a lower-level interface cannot talk to a higher-level one unless an ACL is defined.
Cisco-ASA5520-01#
interface GigabitEthernet0/2
description Cisco_4948E_02 Gi1/46
nameif Cisco_4948E_02
security-level 50
ip address 192.168.1.6 255.255.255.252
interface GigabitEthernet0/3
description Cisco_4948E_01 Gi1/46
nameif Cisco_4948E_01
security-level 100
ip address 192.168.1.2 255.255.255.252
Now we need to create an ACL. In this case I created an ACL that permits anything and applied it inbound on the lower-level interface, per Cisco's rule. The permit any is just for this example; I will harden it later.
Cisco-ASA5520-01#
access-list any extended permit ip any any
!
access-group any in interface Cisco_4948E_02
Now we need to tell the ASA how to route the traffic, and for this I created static routes. Now let's test.
Cisco-ASA5520-01#
route Cisco_4948E_01 10.50.51.0 255.255.255.0 192.168.1.1 1
route Cisco_4948E_02 10.50.52.0 255.255.255.0 192.168.1.5 1
Success!!!!!
Cisco_4948E_02#ping 10.50.51.254 source 10.50.52.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.51.254, timeout is 2 seconds:
Packet sent with a source address of 10.50.52.254
!!!!!
Cisco_4948E_01#ping 10.50.52.254 source 10.50.51.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.52.254, timeout is 2 seconds:
Packet sent with a source address of 10.50.51.254
!!!!!
Figure 1
Location:
Avenel, NJ 07001, USA
Monday, November 19, 2012
Understanding STP and RSTP Convergence
A must read on STP.
http://blog.ine.com/wp-content/uploads/2011/11/understanding-stp-rstp-convergence.pdf
Sunday, November 18, 2012
Spanning Tree Protocol (STP) Convergence
Two great articles that I highly recommend you read to get a deeper understanding of STP. I have been so busy with work and personal things that it has taken time away from me being able to update this blog, hence why I am posting links to other sites. Never stop learning. I am studying for my Switch exam and would like to take it sometime in late December.
Labels:
642-813,
Spanning Tree,
STP,
Switching
Location:
Avenel, NJ 07001, USA
Monday, October 22, 2012
Cisco Nexus 2000 and 5000: Configuration and Troubleshooting
Great video on Cisco Nexus 2000 and 5000 switches. The video is geared towards configuration and troubleshooting. Please note that the video is two years old, and config sync along with the L3 daughter cards have since been released by Cisco.
http://www.youtube.com/watch?v=T6ty_38bJpc
Labels:
Data Center,
nexus,
NX-OS
Location:
Avenel, NJ 07001, USA
Friday, October 19, 2012
Nexus - Config Sync
When you have two Nexus devices connected to each other via a vPC peer link, I have found it useful to have Config Sync enabled. If you don't have config sync enabled, you will need to update each 5k separately, and that is a pain at times. Additionally, if you make a change to one 5k and not the other, it will drop the connection. For example, if you update the VLAN associated with a switchport on Nexus5596_01 and not on Nexus5596_02, it will down the port until Nexus5596_02 is updated. For this lab we are going to use Figure 1. Unfortunately you can't simulate a switch in GNS3, so you will need to get your hands on some Nexus gear.
Figure 1 - Nexus Lab
We will use the vPC keepalive interface for this, which is really a Cat6 cable connected between the mgmt interfaces on the back of the switches.
Configurations:
Nexus5596_02# config t
Nexus5596_02(config)# configure sync
Nexus5596_02(config-sync)# switch-profile 5596 (the name you want to assign to the profile)
Nexus5596_02(config-sync-sp)# sync-peers destination 192.168.1.1 (peer device IP address)
Nexus5596_01(config)# configure sync
Nexus5596_01(config-sync)# switch-profile 5596
Nexus5596_01(config-sync-sp)# sync-peers destination 192.168.1.2
Nexus5596_02# show cfs peers
Physical Fabric
-------------------------------------------------------------------------
Switch WWN IP Address
-------------------------------------------------------------------------
20:00:54:7f:ee:28:c3:00 192.168.1.2 [Local]
Nexus5596_02
20:00:54:7f:ee:25:08:80 192.168.1.1
Total number of entries = 2
Nexus5596_02#
Using the new feature:
Nexus5596_02# config t
Enter configuration commands, one per line. End with CNTL/Z.
Nexus5596_02(config)# configure sync
Nexus5596_02(config-sync)# switch-profile 5596
Switch-Profile started, Profile ID is 1
Nexus5596_02(config-sync-sp)# interface eth 101/1/12
Nexus5596_02(config-sync-sp-if)# switchport access vlan 100
Nexus5596_02(config-sync-sp-if)# verify (Optional)
Verification Successful
Nexus5596_02(config-sync-sp)# commit (Committing your changes to this device and the peer device)
Verification successful...
Proceeding to apply configuration. This might take a while depending on amount of configuration in buffer.
Please avoid other configuration changes during this time.
Commit Successful
Nexus5596_02(config-sync)# end
Nexus5596_02#
Nexus5596_01# show run int eth 101/1/12
!Command: show running-config interface Ethernet101/1/12
!Time: Fri Oct 19 04:30:13 2012
version 5.1(3)N1(1a)
interface Ethernet101/1/12
switchport access vlan 100
Nexus5596_01#
Additional views:
If you don't want to commit your changes, they are stored on the switch until you commit, and you can view them.
Nexus5596_02(config)# config t
Nexus5596_02(config)# configure sync
Nexus5596_02(config-sync)# switch-profile 5596
Switch-Profile started, Profile ID is 1
Nexus5596_02(config-sync-sp)# interface ethernet 101/1/13
Nexus5596_02(config-sync-sp-if)# description example_of_not_commiting
Nexus5596_02(config-sync-sp-if)# end
switch-profile : 5596
----------------------------------------------------------
Seq-no Command
----------------------------------------------------------
1 interface Ethernet101/1/13
1.1 description example_of_not_commiting
Further Reading:
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/system_management/502_n1_1/Cisco_n5k_system_mgmt_cg_rel_502_n1_1_chapter3.html
Labels:
2148,
5596,
cisco,
Config-Sync,
Data Center,
nexus
Location:
Avenel, NJ 07001, USA
Tuesday, October 16, 2012
FCOE vs. iSCSI
Good Video
http://www.youtube.com/watch?v=Z14G-hc45Qw&feature=related
Labels:
Data Center,
FCOE,
ISCI,
nexus
Location:
Avenel, NJ 07001, USA
Monday, October 15, 2012
A Day in the Life in a Cisco Connected Classroom
Great video for those interested in what Cisco is doing beyond the router and switch world. Cisco is just great.
http://www.youtube.com/watch?v=XowBo7tGJbI&feature=channel&list=UL
Monday, September 24, 2012
Passed CCNP-Route 642-902
Got my first exam done... 895 out of 1000. Now starting on the Switch exam. Hopefully I'll take that test sometime in late December...
Wednesday, September 19, 2012
OSPF Packet Format
Packet Format: Taken from,
http://docwiki.cisco.com/wiki/Open_Shortest_Path_First
This is useful when you are looking at a packet capture of an OSPF packet. Same can be said for any packet format visualization of any protocol. I am reviewing some OSPF reading material and figured I would post this.
All OSPF packets begin with a 24-byte header, as illustrated in Figure: OSPF Packets Consist of Nine Fields.
Figure: OSPF Packets Consist of Nine Fields
The following descriptions summarize the header fields:
- Version number - Identifies the OSPF version used.
- Type - Identifies the OSPF packet type as one of the following:
  - Hello - Establishes and maintains neighbor relationships.
  - Database description - Describes the contents of the topological database. These messages are exchanged when an adjacency is initialized.
  - Link-state request - Requests pieces of the topological database from neighbor routers. These messages are exchanged after a router discovers (by examining database-description packets) that parts of its topological database are outdated.
  - Link-state update - Responds to a link-state request packet. These messages are also used for the regular dispersal of LSAs. Several LSAs can be included within a single link-state update packet.
  - Link-state acknowledgment - Acknowledges link-state update packets.
- Packet length - Specifies the packet length, including the OSPF header, in bytes.
- Router ID - Identifies the source of the packet.
- Area ID - Identifies the area to which the packet belongs. All OSPF packets are associated with a single area.
- Checksum - Checks the entire packet contents for any damage suffered in transit.
- Authentication type - Contains the authentication type. All OSPF protocol exchanges are authenticated. The authentication type is configurable on a per-area basis.
- Authentication - Contains authentication information.
- Data - Contains encapsulated upper-layer information.
Labels:
642-902,
OSPF,
OSPF PACKET FORMAT
Location:
Perth Amboy, NJ 08861, USA
Tuesday, September 18, 2012
Quick EIGRP troubleshooting
If you can ping your neighbor, this confirms that you don't have duplicate IP addresses. The next step is to check the K values, but let's assume everything is left at default. You can then ping 224.0.0.10, which is the multicast address that all EIGRP routers should be listening to. If you don't get a response like I am getting below, then EIGRP is not enabled.
EIGRP ENABLED on the neighboring router:
R1#ping 224.0.0.10
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.0.0.10, timeout is 2 seconds:
Reply to request 0 from 192.168.2.2, 24 ms
Reply to request 0 from 192.168.1.2, 28 ms
R1#
R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 10
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 192.168.2.2 Fa0/1 14 00:28:35 41 246 0 28
0 192.168.1.2 Fa0/0 10 00:28:38 48 288 0 29
R1#
EIGRP DISABLED on the neighboring router:
R1#ping 224.0.0.10
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.0.0.10, timeout is 2 seconds:
.
R1#
EIGRP VARIANCE and OFFSET
R1 Variance Command:
The variance command allows you to do unequal-cost load balancing. Variance 1 is the default, which means equal-cost load balancing only. Variance 2 to 128 enables unequal-cost load balancing. This command takes the FD of the best EIGRP route in the topology table and multiplies it by X, X being the number specified in the variance command. We are going to take route 4.4.4.0/24 and unequal-cost load balance it.
Before: You can see that we have two paths to reach 4.4.4.0/24, but the router is picking the path with the lower FD.
R1#show ip route
Gateway of last resort is not set
4.0.0.0/24 is subnetted, 1 subnets
D 4.4.4.0 [90/179200] via 192.168.2.2, 00:00:05, FastEthernet0/1
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/1
R1#show ip eigrp topology all-links
IP-EIGRP Topology Table for AS(10)/ID(192.168.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 4.4.4.0/24, 1 successors, FD is 179200, serno 12
via 192.168.2.2 (179200/128256), FastEthernet0/1
via 192.168.1.2 (409600/128256), FastEthernet0/0
P 192.168.1.0/24, 1 successors, FD is 281600, serno 1
via Connected, FastEthernet0/0
via 192.168.2.2 (307200/281600), FastEthernet0/1
P 192.168.2.0/24, 1 successors, FD is 51200, serno 9
via Connected, FastEthernet0/1
via 192.168.1.2 (307200/281600), FastEthernet0/0
R1#
After: You can see the FD is different, but when you multiply 179200 * 3, 409700 is well within this range.
R1#show ip route
Gateway of last resort is not set
4.0.0.0/24 is subnetted, 1 subnets
D 4.4.4.0 [90/179200] via 192.168.2.2, 00:12:53, FastEthernet0/1
[90/409700] via 192.168.1.2, 00:12:53, FastEthernet0/0
5.0.0.0/24 is subnetted, 1 subnets
D 5.5.5.0 [90/179200] via 192.168.2.2, 00:11:29, FastEthernet0/1
[90/409600] via 192.168.1.2, 00:11:29, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/1
R1#
Confirming the variance setting before and after the change:
Routing Protocol is "eigrp 10"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 10
EIGRP NSF-aware route hold timer is 240s
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
192.168.1.0
192.168.2.0
Routing Information Sources:
Gateway Distance Last Update
192.168.2.2 90 00:00:37
192.168.1.2 90 00:00:37
Distance: internal 90 external 170
router eigrp 10
variance 3
exit
!
R1#show ip protocols
Routing Protocol is "eigrp 10"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 3
Redistributing: eigrp 10
EIGRP NSF-aware route hold timer is 240s
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
192.168.1.0
192.168.2.0
Routing Information Sources:
Gateway Distance Last Update
192.168.2.2 90 00:00:03
192.168.1.2 90 00:00:03
Distance: internal 90 external 170
R1#
An offset-list allows you to inflate the FD of a route. You can apply it inbound or outbound, depending on your needs.
Offset-list on R2:
ip access-list standard eigrp
permit 4.4.4.0
!
router eigrp 10
offset-list eigrp out 100
Before:
R1#show ip route
Gateway of last resort is not set
4.0.0.0/24 is subnetted, 1 subnets
D 4.4.4.0 [90/179200] via 192.168.2.2, 00:00:58, FastEthernet0/1
[90/409600] via 192.168.1.2, 00:00:58, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/1
After:
R1#show ip route
Gateway of last resort is not set
4.0.0.0/24 is subnetted, 1 subnets
D 4.4.4.0 [90/179300] via 192.168.2.2, 00:00:05, FastEthernet0/1
[90/409700] via 192.168.1.2, 00:00:05, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/1
R1#
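To make the variance and offset-list rules above concrete, here is an added Python example (not from the post) that parses the topology entries shown earlier, applies the feasibility condition and the variance multiplier, and models the +100 seen in the offset-list output. Applying the offset to every learned path is an assumption made for illustration.

```python
import re

# Constructed sample: the 4.4.4.0/24 and 192.168.1.0/24 entries copied from
# R1's "show ip eigrp topology all-links" output in the post.
TOPOLOGY = """\
P 4.4.4.0/24, 1 successors, FD is 179200, serno 12
via 192.168.2.2 (179200/128256), FastEthernet0/1
via 192.168.1.2 (409600/128256), FastEthernet0/0
P 192.168.1.0/24, 1 successors, FD is 281600, serno 1
via Connected, FastEthernet0/0
via 192.168.2.2 (307200/281600), FastEthernet0/1
"""

PREFIX_RE = re.compile(r"^P (\S+), \d+ successors, FD is (\d+)")
VIA_RE = re.compile(r"^via (\S+) \((\d+)/(\d+)\), (\S+)")

def parse_topology(text):
    """Return {prefix: [(next_hop, metric, reported_distance, interface), ...]}."""
    table, current, fd = {}, None, 0
    for line in text.splitlines():
        if m := PREFIX_RE.match(line):
            current, fd = m.group(1), int(m.group(2))
            table[current] = []
        elif m := VIA_RE.match(line):
            table[current].append((m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)))
        elif line.startswith("via Connected"):
            # Connected prefix: its metric is the prefix FD and no neighbor reported it (RD 0).
            table[current].append(("Connected", fd, 0, line.split(", ")[1]))
    return table

def installed_paths(paths, variance=1, max_paths=4, offset=0):
    """Paths EIGRP installs for one prefix: a path needs an RD below the successor's FD
    (feasibility condition) and a metric no greater than variance * FD; at most
    max_paths survive.  offset models an offset-list inflating every learned metric."""
    adjusted = [(nh, m, rd, i) if nh == "Connected" else (nh, m + offset, rd + offset, i)
                for nh, m, rd, i in paths]
    adjusted.sort(key=lambda p: p[1])          # successor = lowest metric
    best_fd = adjusted[0][1]
    chosen = []
    for nh, metric, rd, iface in adjusted:
        if rd >= best_fd or metric > variance * best_fd:
            continue                           # not feasible, or outside the variance window
        chosen.append((nh, metric, iface))
    return chosen[:max_paths]

if __name__ == "__main__":
    topo = parse_topology(TOPOLOGY)
    print("variance 3:", installed_paths(topo["4.4.4.0/24"], variance=3))
    print("variance 3, offset 100:", installed_paths(topo["4.4.4.0/24"], variance=3, offset=100))
```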
Labels:
EIGRP,
Offset-list,
Variance
Location:
Perth Amboy, NJ 08861, USA
Saturday, September 15, 2012
GRE Tunnel
Below is the configuration for a GRE tunnel between R3 and R4. R5 is considered an ISP or transit router: its job is to get you from R3 to R4, and you don't care how, just that it gets you from point A to point B.
R3: CONFIG
interface Tunnel0
ip address 10.0.0.1 255.255.255.252
tunnel source 172.16.0.1
tunnel destination 172.16.0.6
!
interface FastEthernet0/0
ip address 172.16.0.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip route 9.9.9.9 255.255.255.255 Tunnel0
ip route 172.16.0.6 255.255.255.255 FastEthernet0/0
!
R5: CONFIG
interface FastEthernet0/0
ip address 172.16.0.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.5 255.255.255.252
duplex auto
speed auto
R4: CONFIG
interface Loopback9
ip address 9.9.9.9 255.255.255.255
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.252
tunnel source 172.16.0.6
tunnel destination 172.16.0.1
!
interface FastEthernet0/0
ip address 172.16.0.6 255.255.255.252
duplex auto
speed auto
!
ip route 172.16.0.1 255.255.255.255 FastEthernet0/0
Capture: When you ping 9.9.9.9 from R3, you see two sources and destinations listed. One is the tunnel interface source/destination (the outer IP header) and the other is the tunnel IP address and the remote destination address (the inner IP header). R5 will process this as if it came from 172.16.0.1 to 172.16.0.6 and does not care about the second source listed. R4 will care.
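The two header pairs described in the capture can be reproduced offline. The following Python is an added example (not the post's own code) that builds the GRE-encapsulated ping with the addresses from the configs above and shows what R5 acts on versus what R4 recovers; the packet bytes are constructed, not captured.

```python
import socket
import struct

def checksum(data):
    """RFC 1071 one's-complement checksum (odd-length input is zero padded)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=255):
    """Minimal 20-byte IPv4 header (no options) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def icmp_echo(src, dst, ident=1, seq=1, data=b"R3 ping"):
    """The inner packet: an ICMP echo request from R3's tunnel address to R4's loopback."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(src, dst, 1, len(icmp)) + icmp

def gre_encapsulate(outer_src, outer_dst, inner_packet):
    """What R3's Tunnel0 does: prepend a 4-byte GRE header (flags 0, protocol 0x0800)
    and an outer IPv4 header with protocol 47 using the tunnel source/destination."""
    gre = struct.pack("!HH", 0, 0x0800)
    return ipv4_header(outer_src, outer_dst, 47, len(gre) + len(inner_packet)) + gre + inner_packet

def addresses(packet):
    """(src, dst, protocol) from an IPv4 header: all a transit router like R5 looks at."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), packet[9]

def gre_decapsulate(packet):
    """What R4 does: strip the outer IPv4 and GRE headers (minimal GRE header only)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 47:
        raise ValueError("outer protocol is not GRE")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags != 0 or proto_type != 0x0800:
        raise ValueError("unsupported GRE header")
    return packet[ihl + 4:]

# Constructed: the ping the post captures, using the addresses from the configs above.
PING = gre_encapsulate("172.16.0.1", "172.16.0.6", icmp_echo("10.0.0.1", "9.9.9.9"))
if __name__ == "__main__":
    print("R5 sees:", addresses(PING))                   # outer header only
    print("R4 sees:", addresses(gre_decapsulate(PING)))  # inner header after decapsulation
```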