Connecting a switch to a Nexus 2000

April 5, 2012

The other day I tried to connect a test 3750 switch to a Nexus 2000 switch. I picked the 2000 switch since it was in the same cabinet. Once I connected the cable, the port on the 2000 went into shutdown mode with: BPDUGuard errDisable. I tried disabling bpdufiltering, but that didn't work.

Hostname(config-if)# spanning-tree bpduguard disable
ERROR: Command not supported on FEX interfaces. BPDUGuard is enabled by default for FEX interface

From that message, I had an "ah" moment and realized that only end-point devices should be connected to the Nexus 2000. I ran a cable to the Nexus 5000. I used a copper GBIC and plugged it into port 17, but got an "SFP validation failed" message. I read online that you have to specify speed 1000, but the command did not work on port 17. Only ports 1-8 on the 5000 support 1GB. I moved the GBIC over to port 5, entered speed 1000, and finally the connection came up.
 
 
Categories: Networking

Cisco Nexus and vrf for vPC keepalives

March 9, 2012

More musings with the Cisco Nexus 7000 core configuration. I noticed we had commands referencing vrf. Haven’t really worked with vrf before…

Core 1
interface port-channel500
  description VCP Keepalive
  vrf member vpc-keepalive
  ip address 172.31.255.253/30

Core 2
interface port-channel500
  description VCP Keepalive
  vrf member vpc-keepalive
  ip address 172.31.255.254/30

——————————————

Core 1
vpc domain 1
  role priority 8192
  peer-keepalive destination 172.31.255.254 source 172.31.255.253 vrf vpc-keepalive
  peer-gateway

Core 2
vpc domain 1
  role priority 16384
  peer-keepalive destination 172.31.255.253 source 172.31.255.254 vrf vpc-keepalive
  peer-gateway

——————————————

On Core 1

interface Ethernet6/40
  description Connect to Core 2 VPC-KEEPALIVE
  channel-group 500
  no shutdown

interface Ethernet6/41
  description COnnection to Core 2 VPC-KEEPALIVE
  channel-group 500
  no shutdown

———————————————

You could create a VLAN to carry the vPC keepalive messages, but if that VLAN is part of the vPC peer-link you could be shooting yourself in the foot. The keepalive exists so the two peers can tell a dead peer from a dead peer-link, so it must not depend on the peer-link itself; otherwise you can end up in a situation where the vPC goes down and can never be restored. In our config, we use two dedicated interfaces in a separate port-channel, in their own VRF, to carry the keepalive messages.

Categories: Networking

Cisco ASA how to use capin

February 24, 2012

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml 

access-list TEMPcapin extended permit ip host 10.20.10.2 host 172.16.1.2
access-list TEMPcapin extended permit ip host 172.16.1.2 host 10.20.10.2

access-list TEMPcapout extended permit ip host 172.16.1.2 host 10.20.10.2
access-list TEMPcapout extended permit ip host 10.20.10.2 host 172.16.1.2

capture capin interface inside access-list TEMPcapin
capture capout interface outside access-list TEMPcapout

sh capture capin
sh capture capout

Categories: Networking

Cisco H-REAP Wireless Config

February 24, 2012

Hybrid Remote Edge Access Point (H-REAP)

 
Commands to enter on the AP to discover the controller:
 
H-REAPs most commonly discover upstream controllers via DHCP option 43 or DNS resolution. Without either of these methods available, it may be desirable to give administrators at remote sites detailed instructions so that each H-REAP can be configured with the IP address of the controllers it should connect to. Optionally, H-REAP IP addressing may also be set manually (if DHCP is either not available or not desired).
 
AP_CLI#capwap ap hostname ap1130
ap1130#capwap ap ip address 10.10.10.51 255.255.255.0
ap1130#capwap ap ip default-gateway 10.10.10.1
ap1130#capwap ap controller ip address 172.17.2.172
 
Config to create the DHCP pool:
ip dhcp pool AccessPoints
network 10.0.200.0 255.255.255.0
default-router 10.0.200.254
dns-server 10.0.154.7
option 43 hex xxxx.xxxx.xxxx
 
WLANS > Edit your SSID > Advanced > checkmark the H-REAP Local switching option.
APs > select AP mode to be H-REAP
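The xxxx.xxxx.xxxx placeholder in the DHCP pool above is where the controller addresses go, in Cisco's vendor-specific sub-option format for lightweight APs: a type byte of f1, a length byte equal to 4 times the number of controllers, then each controller's IPv4 address as four raw bytes, written as dotted groups of four hex digits. The following Python is an added example, not code from the original post, that builds and parses that value and renders the pool from above with it filled in. It assumes the controller is the 172.17.2.172 used in the capwap commands earlier in the post; the pool itself does not name one.

```python
from __future__ import annotations
import ipaddress

# Cisco's DHCP option 43 encoding for lightweight AP controller discovery:
# sub-option type 0xf1, length = 4 * number of controllers, then each
# controller IPv4 address as four raw bytes.
CISCO_WLC_SUBOPTION = 0xF1


def encode_option43(controllers: list[str]) -> str:
    """Return the value for 'option 43 hex ...' as dotted groups of four hex digits."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    raw = bytes([CISCO_WLC_SUBOPTION, len(payload)]) + payload
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def decode_option43(value: str) -> list[str]:
    """Parse an 'option 43 hex' value back into controller addresses."""
    raw = bytes.fromhex(value.replace(".", ""))
    if len(raw) < 2 or raw[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("not a Cisco WLC sub-option (type byte must be f1)")
    length = raw[1]
    if length == 0 or length % 4 or len(raw) != 2 + length:
        raise ValueError("length byte does not match a list of 4-byte addresses")
    return [str(ipaddress.IPv4Address(raw[2 + i:6 + i])) for i in range(0, length, 4)]


def dhcp_pool(name: str, network: str, gateway: str, dns: str, controllers: list[str]) -> str:
    """Render the IOS DHCP pool from the post with a computed option 43 line."""
    net = ipaddress.IPv4Network(network)
    return "\n".join([
        f"ip dhcp pool {name}",
        f" network {net.network_address} {net.netmask}",
        f" default-router {gateway}",
        f" dns-server {dns}",
        f" option 43 hex {encode_option43(controllers)}",
    ])


if __name__ == "__main__":
    # Assumed for the example: the WLC is the 172.17.2.172 from the capwap commands above.
    print(dhcp_pool("AccessPoints", "10.0.200.0/24", "10.0.200.254", "10.0.154.7",
                    ["172.17.2.172"]))
```

For one controller the value is f104.ac11.02ac; a second controller adds four more bytes and bumps the length byte to 08. The decoder rejects a value whose length byte does not match a whole number of addresses, which is the usual way a hand-typed option 43 string goes wrong.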
 
Categories: Networking

Enable Portfast with SOHO switches

February 13, 2012

I have a 2960G 48-port with portfast enabled.
I have a D-Link SoHo 5 port switch connected to BOTH 0/43 and 0/44 on the 2960G switch.
STP is blocking 0/44 and forwarding 0/43 (this is good)

If you unplug 0/43 (the forwarding port), you will see 0/44 go through the Listening > Learning > Forwarding STP states. After going through all the states, the port will become active and go into the forwarding state.

TEST-2960G-SW#sh spanning-tree detail

VLAN0104 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 104, address 001b.5446.5500
  Configured hello time 2, max age 20, forward delay 15
  We are the root of the spanning tree
  Topology change flag not set, detected flag not set
  Number of topology changes 1 last change occurred 00:04:43 ago
          from GigabitEthernet0/44
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 1, topology change 0, notification 0, aging 300

Port 43 (GigabitEthernet0/43) of VLAN0104 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.43.
   Designated root has priority 32872, address 001b.5446.5500
   Designated bridge has priority 32872, address 001b.5446.5500
   Designated port id is 128.43, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 152, received 1

Port 44 (GigabitEthernet0/44) of VLAN0104 is blocking
   Port path cost 4, Port priority 128, Port Identifier 128.44.
   Designated root has priority 32872, address 001b.5446.5500
   Designated bridge has priority 32872, address 001b.5446.5500
   Designated port id is 128.43, designated path cost 0
   Timers: message age 2, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1, received 143

This is what happens when I connect both 0/43 and 0/44 (0/43 is in the forwarding state)
If only one port, 0/43 is connected, I do not get BPDU packets(?)

*Mar  1 01:49:59.418 UTC: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 01:50:06.666 UTC: STP: VLAN0104 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/44  , linktype IEEE_SPANNING , enctype 2, encsize 17
*Mar  1 01:50:06.666 UTC: STP: enc 01 80 C2 00 00 00 00 1B 54 46 55 2B 00 26 42 42 03
*Mar  1 01:50:06.666 UTC: STP: Data     00000000008068001B54465500000000008068001B54465500802B0000140002000F00
*Mar  1 01:50:06.666 UTC: STP: VLAN0104 Gi0/44:0000 00 00 00 8068001B54465500 00000000 8068001B54465500 802B 0000 1400 0200 0F00
*Mar  1 01:50:06.666 UTC: STP(104) port Gi0/44 supersedes -1
*Mar  1 01:50:06.666 UTC: STP: VLAN0104 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/43  , linktype IEEE_SPANNING , enctype 2, encsize 17
*Mar  1 01:50:06.666 UTC: STP: enc 01 80 C2 00 00 00 00 1B 54 46 55 2C 00 26 42 42 03
*Mar  1 01:50:06.666 UTC: STP: Data     00000000008068001B54465500000000008068001B54465500802C0000140002000F00
*Mar  1 01:50:06.666 UTC: STP: VLAN0104 Gi0/43:0000 00 00 00 8068001B54465500 00000000 8068001B54465500 802C 0000 1400 0200 0F00
*Mar  1 01:50:06.674 UTC: STP(104) port Gi0/43 supersedes 1
*Mar  1 01:50:06.909 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/44, changed state to up
*Mar  1 01:50:07.672 UTC: STP: VLAN0104 Gi0/43 tx BPDU: config protocol=ieee
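As an added example that is not part of the original post, the following Python decodes the 17-byte "STP: enc" header and the 35-byte "STP: Data" configuration BPDU from the Gi0/44 debug lines above and checks the sender against the local bridge identity printed by show spanning-tree detail. The decoded bridge ID is priority 32872 (32768 plus sysid 104), address 001b.5446.5500, port identifier 128.43: the BPDU that arrived on Gi0/44 is this switch's own BPDU, sent out Gi0/43 and passed back through the D-Link. Receiving its own BPDU is how the 2960G detects the loop and blocks 0/44, and it is consistent with seeing no BPDUs when only one cable is connected: an unmanaged switch does not originate BPDUs, it only forwards them. The bridge identity constants below are taken from the show output; the rest is constructed for the example.

```python
import struct
from dataclasses import dataclass

# Constructed sample input: the "STP: enc" header and the "STP: Data" BPDU
# from the Gi0/44 debug lines above, copied verbatim.
ENC_HEX = "01 80 C2 00 00 00 00 1B 54 46 55 2B 00 26 42 42 03"
BPDU_HEX = "00000000008068001B54465500000000008068001B54465500802B0000140002000F00"

# Local bridge identity from "show spanning-tree detail" above.
LOCAL_PRIORITY, LOCAL_SYSID, LOCAL_MAC = 32768, 104, "001b.5446.5500"


def cisco_mac(b: bytes) -> str:
    """6 raw bytes -> Cisco dotted notation, e.g. 001b.5446.5500."""
    h = b.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


@dataclass
class BridgeId:
    priority: int   # 4-bit base priority, a multiple of 4096
    sysid: int      # 12-bit system ID extension (the VLAN number on Cisco PVST+)
    mac: str

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        field = int.from_bytes(raw[:2], "big")
        return cls(field & 0xF000, field & 0x0FFF, cisco_mac(raw[2:8]))

    @property
    def combined(self) -> int:
        """What IOS prints as the priority in show spanning-tree (base + sysid)."""
        return self.priority + self.sysid


@dataclass
class ConfigBpdu:
    flags: int
    root: BridgeId
    root_path_cost: int
    bridge: BridgeId
    port_priority: int
    port_number: int
    message_age: float   # seconds; the wire encoding is in 1/256 s units
    max_age: float
    hello_time: float
    forward_delay: float


def decode_enc(hexline: str) -> dict:
    """Decode the 17-byte 802.3/LLC encapsulation printed on the 'STP: enc' line."""
    raw = bytes.fromhex(hexline.replace(" ", ""))
    if len(raw) != 17:
        raise ValueError(f"expected 17 encapsulation bytes, got {len(raw)}")
    dst, src, length, dsap, ssap, ctrl = struct.unpack("!6s6sHBBB", raw)
    return {"dst": cisco_mac(dst), "src": cisco_mac(src), "length": length,
            "dsap": dsap, "ssap": ssap, "ctrl": ctrl}


def decode_config_bpdu(hexdata: str) -> ConfigBpdu:
    """Decode an IEEE 802.1D configuration BPDU (35 bytes) from its hex dump."""
    raw = bytes.fromhex(hexdata)
    if len(raw) < 35:
        raise ValueError(f"configuration BPDU is 35 bytes, got {len(raw)}")
    (proto, _version, btype, flags, root_id, cost, bridge_id,
     port_id, msg_age, max_age, hello, fwd) = struct.unpack("!HBBB8sI8sHHHHH", raw[:35])
    if proto != 0 or btype != 0x00:
        raise ValueError(f"not a configuration BPDU (proto={proto}, type={btype:#x})")
    return ConfigBpdu(
        flags=flags,
        root=BridgeId.from_bytes(root_id), root_path_cost=cost,
        bridge=BridgeId.from_bytes(bridge_id),
        port_priority=port_id >> 8, port_number=port_id & 0xFF,
        message_age=msg_age / 256, max_age=max_age / 256,
        hello_time=hello / 256, forward_delay=fwd / 256,
    )


def is_own_bpdu(bpdu: ConfigBpdu, priority: int, sysid: int, mac: str) -> bool:
    """True when the sending bridge ID is this switch's own, i.e. the frame was
    reflected back by a device that forwards BPDUs unchanged."""
    b = bpdu.bridge
    return (b.priority, b.sysid, b.mac.lower()) == (priority, sysid, mac.lower())


if __name__ == "__main__":
    enc = decode_enc(ENC_HEX)
    bpdu = decode_config_bpdu(BPDU_HEX)
    print(f"dst {enc['dst']} src {enc['src']} length {enc['length']} (3 LLC + 35 BPDU bytes)")
    print(f"root   {bpdu.root.combined} {bpdu.root.mac}  cost {bpdu.root_path_cost}")
    print(f"bridge {bpdu.bridge.combined} {bpdu.bridge.mac}  port {bpdu.port_priority}.{bpdu.port_number}")
    print(f"max_age {bpdu.max_age} hello {bpdu.hello_time} forward_delay {bpdu.forward_delay}")
    print("own BPDU reflected back:", is_own_bpdu(bpdu, LOCAL_PRIORITY, LOCAL_SYSID, LOCAL_MAC))
```

The decoded timers (max age 20, hello 2, forward delay 15) match the configured values in the show output, and the 802.3 length field of 38 is the 3 LLC bytes plus the 35-byte BPDU. Note the difference from the first post on this page: on a portfast port with BPDU guard enabled (the default on Nexus FEX ports) this same frame would have put the port into errdisable instead of letting STP block it.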

Categories: Networking

Cisco Nexus Basic Config

February 7, 2012

Here are some basic configs for the Cisco Nexus platform. I just started managing Nexus switches and immediately realized how quickly these switches can scale. You can have a huge data center with tons of 10GB connectivity using basically the same core configs.

Hopefully there will be more blog entries regarding the Cisco Nexus as they are a really cool product.

A couple of things I noticed:
No more wr mem (you can create an alias command).
There isn't fa0/1, gig0/1, or tengig0/1; everything is eth0/1.

———————————————————

vPC - virtual Port-Channel. A vPC is just like a regular port-channel, but it can span two different switches.

vPC domain - the domain is between the two switches that share the vPC. You configure the switch role priority within the domain; like STP, 8192 and 16384 are common values, and lower is better. You also need to configure the peer-keepalive destination IP address.

——————————————

Step 1
Create the vPC domain. Once the vPC domain is created, all the port-channel control data is sent over the vPC peer-link. This is why you must create the vPC relationship first.

vpc domain 1
role priority 8192
peer-keepalive destination 172.31.1.254 source 172.31.1.253 vrf vpc-keepalive
peer-gateway

interface port-channel1001
switchport
switchport mode trunk
vpc peer-link
spanning-tree port type network

interface Ethernet1/1
switchport
switchport mode trunk
channel-group 1001 mode active
no shutdown

interface Ethernet1/2
switchport
switchport mode trunk
channel-group 1001 mode active
no shutdown


Step 2
int port-channel 20
vpc 20

In the second step, you create your port-channels as normal, except for the vpc 20 command. "vpc 20" tells the port-channel that it is part of a vPC.

On the Nexus platform, you have to enable features as you need them. This saves memory and CPU, since fewer processes are running.

——————————————

The Nexus 5000 is a pure Layer 2 switch. You will not find any int vlan commands on it. The 5K can manage Nexus 2K switches, very much like a Cisco 3750 stack. This feature is called Fabric Extender (FEX).

You still need to create the vPC domain and associate the vPC peer link to another Nexus 5K.

fex 30
pinning max-links 1
description “N2K”

interface port-channel30
switchport mode fex-fabric
vpc 30
fex associate 30

interface Ethernet1/4
fex associate 30
switchport mode fex-fabric
channel-group 30


In port-channel 30, notice the FEX-related commands.

interface Ethernet30/1/1
interface Ethernet30/1/2
interface Ethernet30/1/3

You'll see that Ethernet30 is really FEX 30 and 1/1 is the physical port belonging to the Nexus 2K switch. In this configuration, you do not need to SSH into the 2K switch. You can assign switchport commands and VLANs via int Ethernet30/1/X.

In addition, if you created FEX 31 for another 2K switch, you would refer to those interfaces as int Ethernet31/1/X.

Categories: Networking

Cisco TACACS example config

February 7, 2012

aaa new-model
!
!
aaa authentication login vty group tacacs+ local-case

A login method list: for VTY lines, use tacacs+, then the local (case-sensitive) user database.

aaa authorization exec vty group tacacs+ local

For starting an exec shell on VTY lines, use tacacs+ for authorization, then the local user database.

aaa accounting exec vty start-stop group tacacs+
aaa accounting commands 0 vty start-stop group tacacs+
aaa accounting commands 1 vty start-stop group tacacs+
aaa accounting commands 15 vty start-stop group tacacs+

Record exec sessions and commands at privilege levels 0, 1 and 15 on VTY lines to tacacs+. Recording is start-stop without waiting (not sure what this is).

aaa session-id common
AAA common session-id (not sure what this means)

tacacs-server host 10.3.3.51 timeout 5
tacacs-server host 10.3.3.52
tacacs-server directed-request
tacacs-server key 7 removed

line con 0
 stopbits 1
line vty 0 4
 password 7
 authorization exec vty
 accounting commands 0 vty
 accounting commands 1 vty
 accounting commands 15 vty
 accounting exec vty
 login authentication vty
 transport input ssh
line vty 5 15
 password 7
 authorization exec vty
 accounting commands 0 vty
 accounting commands 1 vty
 accounting commands 15 vty
 accounting exec vty
 login authentication vty
 transport input ssh
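As an added example (not the post's own code), the following Python audits the VTY line blocks of a config like the one above: every vty line must reference login authentication, exec authorization and exec/command accounting lists that a global aaa command actually defines, the login list must fall back to local or local-case so a TACACS+ outage does not lock administrators out, and transport input must be ssh only. The sample config is constructed from the commands above in running-config layout, with a second, deliberately weakened vty block (line vty 5 15 allowing telnet and missing authorization and accounting) so the audit has something to report.

```python
from __future__ import annotations

# Constructed sample: the AAA and line commands from the post, in running-config
# layout (sub-commands indented one space), plus a deliberately weaker second
# vty block so the audit has findings to show.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login vty group tacacs+ local-case
aaa authorization exec vty group tacacs+ local
aaa accounting exec vty start-stop group tacacs+
aaa accounting commands 0 vty start-stop group tacacs+
aaa accounting commands 1 vty start-stop group tacacs+
aaa accounting commands 15 vty start-stop group tacacs+
aaa session-id common
tacacs-server host 10.3.3.51 timeout 5
tacacs-server host 10.3.3.52
line con 0
 stopbits 1
line vty 0 4
 authorization exec vty
 accounting commands 0 vty
 accounting commands 1 vty
 accounting commands 15 vty
 accounting exec vty
 login authentication vty
 transport input ssh
line vty 5 15
 login authentication vty
 transport input telnet ssh
"""

# Line sub-command prefix -> the global command that must define the list it names.
REQUIRED_VTY = {
    "login authentication": "aaa authentication login",
    "authorization exec": "aaa authorization exec",
    "accounting exec": "aaa accounting exec",
    "accounting commands 15": "aaa accounting commands 15",
}


def parse_config(config: str) -> tuple[list[str], dict[str, list[str]]]:
    """Split an IOS config into top-level commands and 'line ...' blocks."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        current = None
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            top.append(raw.strip())
    return top, blocks


def audit_vty(config: str) -> dict[str, list[str]]:
    """Return {scope: [finding, ...]} for anything that weakens VTY access control."""
    top, blocks = parse_config(config)
    findings: dict[str, list[str]] = {}
    global_issues = []
    if "aaa new-model" not in top:
        global_issues.append("aaa new-model missing: the line AAA commands are inert")
    # Every login list needs a local method so a TACACS+ outage is not a lockout.
    for cmd in top:
        if cmd.startswith("aaa authentication login "):
            methods = cmd.split()[4:]
            if not ({"local", "local-case"} & set(methods)):
                global_issues.append(f"'{cmd}' has no local fallback method")
    if global_issues:
        findings["global"] = global_issues
    for name, cmds in blocks.items():
        if not name.startswith("line vty"):
            continue
        issues = []
        for prefix, definer in REQUIRED_VTY.items():
            cmd = next((c for c in cmds if c.startswith(prefix + " ")), None)
            if cmd is None:
                issues.append(f"missing '{prefix} <list>'")
                continue
            listname = cmd[len(prefix) + 1:]
            if not any(t.startswith(f"{definer} {listname} ") for t in top):
                issues.append(f"'{cmd}' names list '{listname}', which no global command defines")
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport != "transport input ssh":
            issues.append(f"expected 'transport input ssh', found {transport!r}")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for scope, issues in audit_vty(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{scope}: {issue}")
```

Run against the sample, line vty 0 4 passes cleanly and line vty 5 15 produces four findings. The list-name cross-check matters in practice: a line that says login authentication vty while the global list is spelled differently silently falls back to behaviour you did not intend, and the config still parses.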

Categories: Networking