yes, we can connect a transceiver XFP-10G-MM-SR in one side and SFP-10G-SR in other side.
Friday, 11 December 2020
Throughput license installation in ASR 1002-x
There is no need to install the license on the router as cisco ASR 1002-x supports RTU(Right to use) method where cisco trust the customer.
I have installed L-FLSA1-2X-5-10G= on the router 1002-x.
Below is the command to configure new throughput level but it requires the reboot to activate.
(config)#platform hardware throughput level 10000000
PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE OR LICENSE KEY PROVIDED FOR ANY CISCO PRODUCT FEATURE OR USING SUCH PRODUCT FEATURE CONSTITUTES YOUR FULL ACCEPTANCE OF THE FOLLOWING TERMS.
YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO BE BOUND BY ALL THE TERMS SET FORTH HEREIN. Use of this product feature requires an additional license from Cisco, together with an additional payment. You may use this product feature on an evaluation basis, without payment to Cisco, for 60 days. Your use of the product, including during the 60 day evaluation period, is subject to the Cisco end user license agreement http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.htmlOUTPUT SHORTENED
Activation of the software command line interface will be evidence of your acceptance of this agreement.
ACCEPT? (yes/[no]): yes
ASR# write memory
Building configuration…
[OK]
ASR##reload
Proceed with reload? [confirm]
After reboot, license remains as EvalRTU license for 60 days and then it changes automatically to Right-To-Use License
You can also use below command to move the license directly to permanent status instead of waiting for 60days.
ASR # license right-to-use move throughput
Use below commands to verify the throughput
ASR # show platform hardware throughput level
ASR# show license feature | include Feature|throughput
Sunday, 25 October 2020
Steps to establish a physical connection in ACI
To implement a physical connection in ACI, first define the following:
• Domain – Defines what you want to connect (bare-metal server or switch, router, virtual environment, etc.).
• VLAN/VSAN Pool – Defines which VLANs or VSANs this connection will use.
• AEP – Groups the Domain(s) you need to allow through a specific port and their corresponding VLANs/VSANs.
• Interface Profile – The interface for this connection.
• Interface Policy Group – The set of policies applied to an interface.
• Interface Policies – The actual policies (e.g. cdp, lldp, link speed, AEP, etc.) for this connection.
• Switch Profile – The Switch/Node for this connection.
Friday, 25 September 2020
Host a SSL (https) website on Ubuntu
Below are the steps to host a website on port 80. In the below example 172.16.1.11 is the IP adddress on the Ubuntu server which will receive the customer traffic.
sudo a2enmod ssl
sudo service apache2 restart
STEP 2: Create a directory which contatin the certifcate and key.
Sudo Su
mkdir /etc/apache2/ssl
STEP 3: Generate self sign certificate and key
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
STEP 2: Create the index html file and add the HTML code in it
nano /var/www/html/172.16.1.12_all/index.html
<html>
<title>172.16.1.12_8080</title>
<h1>Welcome to 172.16.1.12_8080 Website</h1>
<p>Website on port 8080</p>
</html>
ctrl + X then press Y
Press Enter
STEP 4: Add below ServerName in apache2.conf file
/etc/apache2/apache2.conf file:
ServerName localhost
STEP 5: Add the website to the "SITES-AVAILABLE" FOLDER.
nano /etc/apache2/sites-available/172.16.1.12_all_ssl.conf
<VirtualHost 172.16.1.12:443>
ServerAdmin admin@localhost
ServerName 172.16.1.12
DocumentRoot /var/www/html/172.16.1.12_all
DirectoryIndex index.html
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
</VirtualHost>
ctrl + X then press Y
Press Enter
STEP 6: Publish the website on Ubuntu
sudo a2ensite 172.16.1.12_all_ssl
STEP 7: Restart Apache service
sudo service apache2 restart
STEP 8: Check the website syntax
apachectl configtest
Tuesday, 22 September 2020
Host a website on Ubuntu on multiple ports
Below are the steps to host a website on multiple ports. In the below example 172.16.1.11 is the IP adddress on the Ubuntu server which will receive the customer traffic.
STEP 1: Create a directory which will contain the HTML page of the website.
Sudo Su
mkdir /var/www/html/172.16.1.10_all
STEP 2: Create the index html file and add the HTML code in it
nano /var/www/html/172.16.1.10_all/index.html
<html>
<title>172.16.1.10</title>
<h1>Welcome to 172.16.1.10 Website</h1>
<body style="background-color:orange;">
</body>
<p>Website on port 80</p>
</html>
ctrl + X then press Y
Press Enter
STEP 4: Give Sufficient permission to the folder
chown -R www-data:www-data /var/www/html/172.16.1.10_all
STEP 5: Add the website to the "SITES-AVAILABLE" FOLDER.
nano /etc/apache2/sites-available/172.16.1.10_all.conf
<VirtualHost 172.16.1.10:*>
ServerAdmin admin@localhost
ServerName 172.16.1.10
DocumentRoot /var/www/html/172.16.1.10_all
DirectoryIndex index.html
ErrorLog ${APACHE_LOG_DIR}/80_error.log
CustomLog ${APACHE_LOG_DIR}/80_access.log combined
</VirtualHost>
ctrl + X then press Y
Press Enter
STEP 6: Publish the website on Ubuntu
a2ensite 172.16.1.10_all
STEP 7: Restart Apache service
systemctl restart apache2
Host a website on Ubuntu on port 80
Below are the steps to host a website on port 80. In the below example 172.16.1.11 is the IP adddress on the Ubuntu server which will receive the customer traffic.
STEP 1: Create a directory which will contain the HTML page of the website.
Sudo Su
mkdir /var/www/html/172.16.1.11_80
STEP 2: Create the index html file and add the HTML code in it
nano /var/www/html/172.16.1.11_80/index.html
<html>
<title>172.16.1.11_80</title>
<h1>Welcome to 172.16.1.11_80 Website</h1>
<p>Website on port 80</p>
</html>
ctrl + X then press Y
Press Enter
STEP 4: Give Sufficient permission to the folder
chown -R www-data:www-data /var/www/html/172.16.1.11_80
STEP 5: Add the website to the "SITES-AVAILABLE" FOLDER.
nano /etc/apache2/sites-available/172.16.1.11_80.conf
<VirtualHost 172.16.1.11:80>
ServerAdmin admin@localhost
ServerName 172.16.1.11
DocumentRoot /var/www/html/172.16.1.11_80
DirectoryIndex index.html
ErrorLog ${APACHE_LOG_DIR}/80_error.log
CustomLog ${APACHE_LOG_DIR}/80_access.log combined
</VirtualHost>
ctrl + X then press Y
Press Enter
STEP 6: Publish the website on Ubuntu
a2ensite 172.16.1.11_80
STEP 7: Restart Apache service
systemctl restart apache2
Monday, 21 September 2020
Host Multiple Websites on a Single Server with Apache on Ubuntu
Below config is to host multiple website which runs on different port on same server:-
Step1: Make two directories one for each port
mkdir /var/www/html/172.16.1.12_8080
mkdir /var/www/html/172.16.1.12_8081
Step2: Create index file for site on port 8080
nano /var/www/html/172.16.1.12_8080/index.html
<html>
<title>172.16.1.12_8080</title>
<h1>Welcome to 172.16.1.12_8080 Website</h1>
<p>Website on port 8080</p>
</html>
CTRL X then press Y
press Enter
Step3: Create index file for site on port 8081
nano /var/www/html/172.16.1.12_8081/index.html
<html>
<title>8081</title>
<h1>Welcome to 172.16.1.12_8081 Website</h1>
<p>Website on port 8081</p>
</html>
CTRL X then press Y
press Enter
Step4: Assign priviledge to sites
chown -R www-data:www-data /var/www/html/172.16.1.12_8080
chown -R www-data:www-data /var/www/html/172.16.1.12_8081
Step5: Add 8080 site
nano /etc/apache2/sites-available/172.16.1.12_8080.conf
<VirtualHost 172.16.1.12:8080>
ServerAdmin admin@localhost
ServerName 172.16.1.12
DocumentRoot /var/www/html/172.16.1.12_8080
DirectoryIndex index.html
ErrorLog ${APACHE_LOG_DIR}/8080_error.log
CustomLog ${APACHE_LOG_DIR}/8080_access.log combined
</VirtualHost>
CTRL X then press Y
press Enter
Step6: Add 8081 site
nano /etc/apache2/sites-available/172.16.1.12_8081.conf
<VirtualHost 172.16.1.12:8081>
ServerAdmin admin@localhost
ServerName 172.16.1.12
DocumentRoot /var/www/html/172.16.1.12_8081
DirectoryIndex index.html
ErrorLog ${APACHE_LOG_DIR}/8081_error.log
CustomLog ${APACHE_LOG_DIR}/8081_access.log combined
</VirtualHost>
CTRL X then press Y
press Enter
Step7: Enable sites
a2ensite 172.16.1.12_8080
a2ensite 172.16.1.12_8081
Step7: Restart Apache
systemctl restart apache2
Sunday, 20 September 2020
Stuck in Configuration Utility restarting - Big IP
1. Log in to BIG-IP .
2. Make a backup using below command :
/config/httpd/conf.d/proxy_ajp.conf cp /config/httpd/conf.d/proxy_ajp.conf /config/httpd/conf.d/proxy_ajp.conf.bk
3.Edit /config/httpd/conf.d/proxy_ajp.conf
Below is the command to make the changes. After the command press "i" (insert) to enable the editing and once the changes are done, enter esc and type :wq!(write and quite).
vi /config/httpd/conf.d/proxy_ajp.conf
Locate the following two "#ProxyPass" lines and the below command .
#ProxyPass /tomcat/ ajp://localhost:8009/
#ProxyPass /examples/ ajp://localhost:8009/jsp-examples/
ProxyTimeout 10 #<----- Add this line
4.Save and close the file.
5.Restart httpd and tomcat.
bigstart restart httpd tomcat
Wednesday, 16 September 2020
F5 default credentials and some interesting Facts.
Below are the default credentials for F5. you can change the credentials during initial setup wizard.
Cli
Username: root
Password: default
GUI
Username:admin
Password:admin
Interesting Fact:-
- Root and admin username cannot be deleted from F5.
- BY default, username admin doesnot have access to the CLI but we can assign either advance shell or TMOS access to the "admin" user.
- No GUI access can be given to user "root"
Global NTP servers
NTP is a UDP based service which works on port number 123.It is recommended to use pool.ntp.org to find an NTP server.
All zones in All Pool Servers.
- Africa — africa.pool.ntp.org
- Antarctica — antarctica.pool.ntp.org
- Asia — asia.pool.ntp.org
- Europe — europe.pool.ntp.org
- North America — north-america.pool.ntp.org
- Oceania — oceania.pool.ntp.org
- South America — south-america.pool.ntp.org
Below is the command to check the ntp status on respective platforms.
A. Windows
w32tm /query /peers
B. Ubuntu
/etc/ntp.conf
Wednesday, 9 September 2020
Wednesday, 5 August 2020
SNMPv3 config on Cisco routers/Switches
1) Create an access-list to allow SNMP source servers.
access-list 10 permit 10.10.10.10
access-list 10 permit 10.10.10.11
access-list 10 permit 10.10.10.12
All SNMP servers must be allowed in above ACLs.
2) Now, Create the new Group using below command.
snmp-server group GROUP1 v3 auth read access 10
3) Create new credentials using the group "GROUP1"
snmp-server user SNMP_USER v3 auth md5 PASSWORD-AUTH priv aes 128 PASSWORD2-PRIV
All bold text are variables.
Monday, 3 August 2020
Enable Password vs Enable Secret command on cisco routers/switches
We all know that enable password is used to change from user mode to priviledge mode.
Enable password command will configure the password in unencrypted form whereas Enable secret command encrypts the password using MD5 hashing algorithm.
Enable secret command is always recommended.
Secret password will take precedence over enable password command.
Thursday, 18 June 2020
uRPF and its modes : Strict vs Loose
Unicast Reverse Path Forwarding (Unicast RPF) Is a security feature to address the spoofed address attack. it is recommended to configure it on the L3 interfaces of the routers to verify the reach-ability of the source address in packets. Packet will be dropped in case source IP address is not valid.
Unicast RPF works in one of below modes:
1. Strict mode: Router will perform two checks:.
A. Router checks the routing entry for the source address of the packet and will drop the packet in case no route is present on the routing table for the source address.
B. Router will ensure that the source of incoming packet is reachable via same interface. Router will drop the packet in case source address is learned via different interface than from the one, packet in ingress ed.
Command:-
Int eth1/1
ip verify unicast reverse-path --<<< Old command but still available on some platforms
or
IP verify unicast source reachable-via rx
ip verify unicast reverse-path (Unicast RPF)
2. Loose mode: Only make sure that route for the source address is present in the routing table.
Int eth1/1
IP verify unicast source reachable-via Any
Note:- Above matching criteria is not applicable for default route and will not allow traffic where source is only matching the default route. the " Allow-default" keyword is used to change this behaviour and traffic will be allowed where source address is matching only the default route.
Unicast RPF works in one of below modes:
1. Strict mode: Router will perform two checks:.
A. Router checks the routing entry for the source address of the packet and will drop the packet in case no route is present on the routing table for the source address.
B. Router will ensure that the source of incoming packet is reachable via same interface. Router will drop the packet in case source address is learned via different interface than from the one, packet in ingress ed.
Command:-
Int eth1/1
ip verify unicast reverse-path --<<< Old command but still available on some platforms
or
IP verify unicast source reachable-via rx
ip verify unicast reverse-path (Unicast RPF)
2. Loose mode: Only make sure that route for the source address is present in the routing table.
Int eth1/1
IP verify unicast source reachable-via Any
Note:- Above matching criteria is not applicable for default route and will not allow traffic where source is only matching the default route. the " Allow-default" keyword is used to change this behaviour and traffic will be allowed where source address is matching only the default route.
Wednesday, 17 June 2020
BGP: x.x.x.x Active open failed - no route to peer, open active delayed 9216ms (35000ms max, 60% jitter)
BGP: x.x.x.x Active open failed - no route to peer, open active
delayed 9216ms (35000ms max, 60% jitter)
I was working on an issue and got above logs while doing the debug of BGP on the cisco router.
Below are the two thing which we need to test to resolve such issues.
1. Specific route for the BGP neighbor IP address. BGP neighborship is dependent on it and default route won't work.
2. Ebgp multihop. Make sure to configure the eBGP multihop command while making the ebgp neighborship on the indirectly connected routers.
Monday, 2 March 2020
Cisco Traditional Vs Smart Licensing
Below are few important distance between Cisco traditional license and new smart licensing.
|
Traditional (node locked) licencing
|
Smart (dynamic) licencing
|
|
Manual individual license procurement and installation
|
Device initiates a call home and requests the licenses it needs.
|
|
Node-locked licences - license is associated
with a specific device.
|
Pooled
licences - licences are company account-specific, and can be used with any
compatible device in your company. You can activate or deactivate different
types of licenses on the device without actually installing a license file on
the device.
|
|
No common install base location to view
licenses purchased or software usage trends
|
Licenses are stored securely on Cisco servers accessible all the time.
|
|
No easy means to transfer licenses from one
device to another.
|
Licenses
can be moved between product instances without a license transfer. This
greatly simplifies the reassignment of a software license as part of the
Return Material Authorization (RMA) process.
|
|
Limited visibility into all software
licenses being used in the network. Licenses are tracked only on per node
basis.
|
Complete view of all Smart Software Licenses used in the network using
a consolidated usage report of software licenses and devices in one
easy-to-use portal.
|
Tuesday, 18 February 2020
IP NAT inside source vs IP NAT outside source
IP NAT inside source vs IP NAT outside source
For more information please refer to below cisco link
https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13773-2.html
Friday, 14 February 2020
ISR 4331/4531 features in Evaluation mode
Below are the features available in Evaluation mode.
#sh license feature
Feature name Enforcement Evaluation Subscription Enabled RightToUse
appxk9 yes yes no no yes
uck9 yes yes no no yes
securityk9 yes yes no yes yes
ipbasek9 no no no yes no
cme-srst yes yes no no yes
hseck9 yes no no yes no
throughput yes yes no no yes
internal_service yes no no no no
How to enable RTU package on ISR 4331/4531
config t
license accept end user agreement
yes
exit
license right-to-use move appxk9
config t
license boot level appxk9
end
wr mem
How to enable evaluation license
license feature appxk9
Friday, 7 February 2020
Catalyst 9000 License
The
previous cisco licensing is divided into three following feature sets:
A.
LAN Base: It is primarily a
Layer 2 feature set which offers enterprise access layer 2 switching features. It
doesn’t provide any l3 functionality.
B.
IP Base: It provides the
enterprise access layer 3 switching features in addition to all LAN base
features. It doesn’t provide the advance layer3 features.
C.
IP Services: - It is an advance
enterprise layer 3 switching features including EIGRP, OSPF, BGP, PIM and IPV6
routing protocols. It also supports all the IP base features.
The
Cisco Catalyst 9000 does not use the above feature set and has its own package
types. All Cisco Catalyst 9000 hardware has two software options i.e.
Essentials and Advantage. Each software option includes two components, as
show:
|
License Level
|
Network Stack offer (Perpetual and embedded)
|
Cisco DNA Software Subscription offer (Term
based)
|
|
-E
|
Network Essentials
|
Cisco DNA Essentials (3, 5, or 7 years)
|
|
-A
|
Network Advantage
|
Cisco DNA Advantage (3, 5, or 7 years)
|
The
Network Stack license is perpetual and embedded in the hardware by default and
it is aligned with the hardware PID(-E/-A).
The
Cisco DNA license is term-based and preselected by default to the 5-year term
but can be changed to 3- or 7-year terms. Minimum of 3-year term DNA license is
mandatory.
Customers
will be able to upgrade the Network Stack and Cisco DNA license levels for
example, -E to -A license upgrade.
Here
is the comparison between three-tier packaging and Catalyst 9K new two-tier
packaging.
Below
features are included in the advantage and essential packages:
Monday, 3 February 2020
Install python and Paramiko on windows machine
We can follow below procedure to install Python on windows machine. Paramiko package is required for the ssh functionality wihtin the python. We cannot install the package directly and require a package manager called PIP. Below is the procedure to isntall paramiko on the windows box.
STEP A: Install Python:
1. Create a folder Python in system and download python from https://www.python.org/downloads/ .
2. Run the exe file and follow the steps.
3. Once it is finished, python is installed on your system.
4. To install additional packages PIP is required. Follow below procedure to install PIP.
STEP B: Install PP
2. To install packages within python we need to install a package manager PIP. You can download PIP "get-pip.py" from https://pypi.org/project/pip/#files.
3. Open a command prompt and navigate to the folder
containing.
4. Run the following command:python get-pip.py=
5. Pip is
now installed!
STEP C: Install Paramiko
1. Paramiko is used to ssh the devices.
2. Once PIP is install, you can install the paramiko package using command " pip install paramiko".
Thursday, 30 January 2020
3850 stack requirement
3850 stackwise-480 supports mixed stack which means any model of 3850 cannot be used in a stack.
Whereas License(LAN base, IP base or IP services( and IOS XE version must be same on all stack switches. for example, Catalyst 3850 switches with LAN Base feature can only be stack with other 3850 LAB switches.
Maximum 8 switches can be part of single stack.
Whereas License(LAN base, IP base or IP services( and IOS XE version must be same on all stack switches. for example, Catalyst 3850 switches with LAN Base feature can only be stack with other 3850 LAB switches.
Maximum 8 switches can be part of single stack.
Cisco IPN configuration and hardware requirement
Below are the configuration requirement for IPN network.
1. Routed Sub-Interface with Vlan-4 : IPN device interface which is connected to Spine must be a sub interface and tag to vlan 4. We cannot use routed port or SVI for the interconnection. Also no other vlan tag can be used.
2. IPN device must support 9150B mtu and it is a mandatory requirement. Make sure all device in the path must support jumbo frames. Otherwise MP-BGP will flap between the SPINes of different PODs.
3. IPN device must support PIM BiDIR. It is used to carry BUM (Broadcast, unknown unicast and multicast) traffic.
4. OSPF protocol. Only OSPF protocol can be configured between IPN and ACI fabric (Spines). No other protocol can be used.
5. DHCP relay must be configured if you want to perform the zero touch deployment of POD 2.
6. QOS POlicy:- It is not a madatory requirement but it is good to prioritize the Multipod control packets.
Hardware requirement:-
IPN device can be any box which can support aforementioned features. generally below hardware are used for IPN.
1. Nexus 7000
2. ASR 1K
3. N3K-C3548P-10GX
N3K-C3172PQ-10GE cannot be used as IPN device.
Saturday, 25 January 2020
SSH accessibility check of multiple cisco router and save the output in a file
import paramiko
import time
import sys
import logging
import socket
remote_conn_pre = paramiko.SSHClient()
remote_conn_pre.set_missing_host_key_policy(paramiko.AutoAddPolicy())
f= open("output.txt","w+")
ips = [i.strip() for i in open("ip.txt")]
import logging
logging.getLogger('paramiko.transport').setLevel(logging.DEBUG)
paramiko.util.log_to_file("logs")
for ip in ips:
try:
remote_conn_pre.connect(ip, username='test', password='test', timeout=4, look_for_keys=False, allow_agent=False)
remote_conn = remote_conn_pre.invoke_shell()
print (ip + ' === Device Reachable')
f.write(ip + ' === Device Reachable'"\n")
time.sleep(2)
except paramiko.AuthenticationException:
print ip + ' === Bad credentials'
f.write(ip + ' === Bad credentials'"\n")
time.sleep(2)
except paramiko.SSHException:
print ip + ' === Issues with ssh service'
f.write(ip + ' === Issues with ssh service'"\n")
time.sleep(2)
except socket.error:
print ip + ' === Device unreachable'
f.write(ip + ' === Device unreachable'"\n")
time.sleep(2)
f.close()
import time
import sys
import logging
import socket
remote_conn_pre = paramiko.SSHClient()
remote_conn_pre.set_missing_host_key_policy(paramiko.AutoAddPolicy())
f= open("output.txt","w+")
ips = [i.strip() for i in open("ip.txt")]
import logging
logging.getLogger('paramiko.transport').setLevel(logging.DEBUG)
paramiko.util.log_to_file("logs")
for ip in ips:
try:
remote_conn_pre.connect(ip, username='test', password='test', timeout=4, look_for_keys=False, allow_agent=False)
remote_conn = remote_conn_pre.invoke_shell()
print (ip + ' === Device Reachable')
f.write(ip + ' === Device Reachable'"\n")
time.sleep(2)
except paramiko.AuthenticationException:
print ip + ' === Bad credentials'
f.write(ip + ' === Bad credentials'"\n")
time.sleep(2)
except paramiko.SSHException:
print ip + ' === Issues with ssh service'
f.write(ip + ' === Issues with ssh service'"\n")
time.sleep(2)
except socket.error:
print ip + ' === Device unreachable'
f.write(ip + ' === Device unreachable'"\n")
time.sleep(2)
f.close()
SSH accessibility check on mulitple routers
Make a notepad contain IP address of the routers where we need to check the SSH accessibility.
import paramiko
import time
import sys
import logging
import socket
remote_conn_pre = paramiko.SSHClient()
remote_conn_pre.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ips = [i.strip() for i in open("ip.txt")]
for ip in ips:
try:
remote_conn_pre.connect(ip, username='test', password='test', timeout=4, look_for_keys=False, allow_agent=False)
remote_conn = remote_conn_pre.invoke_shell()
print (ip + ' === Device Reachable')
remote_conn.send("\n")
time.sleep(2)
except paramiko.AuthenticationException:
print ip + ' === Bad credentials'
except paramiko.SSHException:
print ip + ' === Issues with ssh service'
except socket.error:
print ip + ' === Device unreachable'
Friday, 24 January 2020
Jumbo frame configuration on Nexus
I have tried
to explain the MTU configuration on the Nexus platform. MTU configuration varies
based on the port type and hardware platform.
1. Layer 3 MTU
Configurations
MTU configuraiton on L3 port is quite straight forward. Configuration is also same on all the platforms. We just need to give the MTU command on the interface configuration mode.
interface vlan 1
mtu 9216
mtu 9216
Configure MTU on a Layer 3 Port
interface ethernet
1/1
no switchport
mtu 9216
no switchport
mtu 9216
2. Layer 2 MTU
Configurations
MTU
configuration on L2 port varies based on the hardware. On some platforms, we
have to modify MTU under network-qos policy whereas on some MTU commands can be
given under interface configuration mode.
2.1 Using QOS policy
On
below hardware, jumbo frames can be configured using QOS policy.
Nexus
3000: Includes Nexus 3048, 3064, 3132Q, 3132Q-X, 3132Q-XL, 3172,
and 3500 Series switches
Nexus 5000: All
Nexus 5000 and 5500 Series switches
Nexus 6000: All
Nexus 6000 Series switches
Configuration: -
policy-map type network-qos jumbo
class type network-qos class-default
mtu 9216
system qos
service-policy type network-qos jumbo
class type network-qos class-default
mtu 9216
system qos
service-policy type network-qos jumbo
2.1 Per-Port MTU Configuration
On
below hardware, jumbo frames can be configured directly under the interface.
Nexus 7000: All
Nexus 7000- and 7700 Series switches
Nexus 9000: All
Nexus 9200 Series switches (includes 92xxx), 9300 Series switches (includes
93xxx), and 9500 Series switches
Nexus(config)#interface
ethernet 1/1
Nexus(config-if)#mtu 9216
Nexus(config-if)#mtu 9216
Wednesday, 15 January 2020
How to create BD in Cisco ACI
In traditional networking, we used to have VLAN as the Layer
2 forwarding domain which also define the broadcast domain. Whereas in ACI,
Vlan are just an identifier and doesn’t defines the L2 domain. Bride domain defines the broadcast and L2 domain in ACI.
Like Vlan SVI in traditional network, subnets can also be
defined in BD. We can also define more than one subnet under BD.
1. Go to TENANT => HK TENANT=>Right click on
BRIDGE DOMAIN => Select “CREATE BRIDGE DOMAIN”.
2. Name BD and map the VRF to this BD. Press NEXT to proceed.
3. Configure the L3 parameters and Click + to
configure the subnet information under BD.
4. Enter the BD IP address with subnet mask. Check the
“MAKE THIS IP ADDRESS PRIMARY”.
Private to VRF—Subnet remains local to the VRF and Tenant.
Advertised Externally—Subnet can be advertised out of ACI Fabric over L3
out.
Shared between VRFs—Subnet can be exported to other VRFs in case inter-VRF
routing is required.
"Treat as Virtual IP Address" option is only checked in case of multiple Fabrics.
5. You can see subnet details will be displayed in L3 configuration section. Click NEXT to Proceed.
6. Click Finish to create the BD
Tuesday, 14 January 2020
How to create VRF in Cisco ACI
In ACI, VRF concept is still the same as traditional network
the only difference is VRF is not fabric wide unique but has a significance within
the tenant.
1. To create VRF go to TENANT -> HK -> NETWORKING->RIGHT
CLICK ON VRF -> PRESS CREATE VRF.
2. Enter the VRF name and keep the other settings on default. In this step you also get an option to create the BD. It is by default checked. Press Next to create the VRF.
3. If you don’t want to create BD in this step then uncheck the
option and press Finish to create the VRF.
4. VRF is created once you click the Finish button.
How to Create Tenant on Cisco ACI
I assumed that
your basic Fabric is UP where all the APICs/leafs and Spines are joined to the
fabric.
The first step
after the Fabric is up, is to create the tenant. Don’t confuse the tenant
concept with the Nexus VDC. Tenant cannot provide the physical separation within fabric but is just a container of the policies. There are few types of default
tenants present in the fabric like Infra, management and common tenant.
A Infra Tenant controls
the infrastructure related policies like VXLAN overlay. It is by default in the
system but can be modified by the administrator.
A Management Tenant
controls the fabric wide management access( inband or out of band) related polices. It is also by
default in the system and can be modified by the administrator.
A Common tenant contains the resources which are shared among the user VDCs like the connection
to internet, firewalls, load balancer etc. Again by default in the system and policies
in it can be modified by the administrator.
A user tenant is
the one which is created by the Fabric administrator for the policies that can
be used for the work loads like application, web EPGS. Below method shows how
to create the an user Tenant.
1. Login to APIC and on the left top of the APIC HOME page you
can see there is an option to add new tenant to the fabric. Click on “ADD
TENANT”.
Adding a tenant to the fabric is a non-impacting change and can be done at any moment.
Adding a tenant to the fabric is a non-impacting change and can be done at any moment.
2. Below screen will appear when you click on ADD TENANT.
Add the Tenant name and click on Submit.
3. HK tenant will be created once you click the
Submit button.
Subscribe to:
Posts (Atom)