Cisco 4400 WLC License information

Cisco 4400 series wireless LAN controllers don’t come with software activation option. It means you cannot increase the AP capacity of the controller after the purchase.

There are two models of 4400 series controller

1.4402 series controllers:- It has two gig ports and each port can handle up to 25 Aps. So maximum it can have 50 Aps on 4402.

And hence two 4402 models were supported- 

•   4402-25:- It support maximum 25 APs.
•   4402-50:- It support maximum 50 APs.

2.4404 series controllers: - It has four gigabit port which can support up to 48 AP but only 25 per port are recommended by Cisco.

There were three models available:-

•   4404-25 – Support max 25 APs
•   4404-50 – Support max 50 APs
•   4404-100 – Support max 100 Aps

Note: Cisco 4400 is End of sale now and last date of support is on 16th June 2016.

VPC FAQs

1. Can VPC port-channel number different on peer switch?

Answer: - yes, it can be different

2. Is a single VPC domain between two VDCs on the same physical Cisco Nexus 7000 device supported?

Answer: - No, It is not supported.

3. What are the default parameters of VPC?

Answer:- Below are paramaters.

Parameters	Default
vPC system priority	32667
vPC peer-keepalive interval	1 second
vPC peer-keepalive timeout	5 seconds
vPC peer-keepalive UDP port	3200

4. Are Jumbo frames enabled by default on the vPC peer link.

Answer: Yes, jumbo frame are by default enable.

5. What license is required for VPC?

Answer:- No license is required for VPC

6. Can we create both layer2/3 Only Layer 2 port channels can be in vPCs.

 Answer:- No, we can only configure Layer port-channel in VPC.

7. In VPC peer-link, is F1 on one side and M1 on the peer switch supported?

Answer:- No, Module type of both end should be identical. Please refer to the below table.

vPC Primary	vPC Secondary	Supported/Not supported
F1 I/O module	F1 I/O module	Supported
F1 I/O module	M1 I/O module	Not supported
M1 I/O module	M1 I/O module	Supported
M1 I/O module	F1 I/O module	Not supported

8. Can we use physical interface as VPC peer-link?

Answer: No, VPC peer-link can only be configured on port-channel containing 10 gig interfaces. 1 Gig interfaces  cannot be configured as VPC peer-link

9. Can we configure system-mac for VPC?

Answer: Yes, we can configure the system ID for VPC with below command

Nexus(config)# vpc domain 5

Nexus(config-if)# system-mac 0000.0000.000a

  

10. What is the default role-priority?

Answer: It can be from 1 to 65535 and default value is 32667.

Note: - Lower is better.

11. What is the default VPC domain ID?

Answer: - There is no default domain-id and can be configured from 1 to 1000.

Why we need VPC?

Initially when I heard of VPC, I neither understand the advantage of it nor its difference with VSS. Below I tried to explain the difference between VPC and VSS and the legacy setup where STP is being used to prevent L2 loops. But STP has many limitations which are discussed below:-

1.Suboptimal Path:-  To understand it, take a look to  the below topology where  three switches are connected to provide complete redundant path .

The problem with this design is, STP will block the port Gi0/3 of Sw-2. And hence traffic instead of taking direct route from SW-1 to SW-3, will reach to SW-3 via SW-1 and is known as suboptimal path. It adds extra hop in the path and reduces the efficiency of the network.

 2.Underutilization of uplink bandwidth:-

STP prevents the layer-2 loop by blocking the redundant path which is an advantage but in way reduces the uplink bandwidth which sometimes creates the congestion in the network.

Refer to the below diagram, traffic from SW-3 to internet has two path but due to spanning tree Gig0/3 of SW-3 is in blocking state. It will reduce the uplink bandwidth available to the SW-3.

3.Inefficiency: - Let’s assume the traffic is load share between SW-1 and SW-2 and both switches advertise the user subnet from same metric. There is no problem when the return traffic hit the SW-1 but what will happen when the very first return traffic that hits SW-2.

Does SW-2 have the mac-address of PC-1? Generally NO!

 SW-2 will send the unknown broadcast for the mac-address and if there are many users sitting in the LAN, unknown unicast will not only create the unnecessary traffic but it also impacts the CPU utilization of switches.

By using VSS in 6500, both the switches will virtually become one. One sup is active at a time which will control the data plan of both the chassis. It not remove the layer 2 loop from the network  but also remove the sub-optimal path and inefficiency problem which we had in our legacy environment.

As you can see there is neither a suboptimal path nor there is problem of reduced uplinks. It also removed the unnecessary unknown unicast issue.

But in VSS, control plane is active only on one switch whereas data plane is active on both the switches. As only one Sup is active the overall throughput is limited and other SUP capacity is gone wasted.

Advantage with VPC is not only it removes the above stated problems but also control and data plane of both the chassis are active at the same time. It increases the overall throughput of the system.

In the below design, traffic from PC-1 can directly reach PC-2 with adding any hop.

Also in the below design, traffic from PC-1 can go to internet via SW-1 or SW-2 depending open the hashing algorithm of SW-3. Also it removes the problem of unknown unicast in case of asymmetric routing as both the switch will be appearing as one.

Important port details:- Cisco Wireless

    Important port details:-

        1. Enable these UDP ports for LWAPP traffic:

            Data - 12222
            Control - 12223

        2. Enable these UDP ports for CAPWAP traffic:

            Data - 5247
            Control - 5246

        3. Enable these UDP ports for Mobility traffic:

            16666 - Secured Mode
            16667 - Unsecured Mode

    Mobility and data messages are usually exchanged through EtherIP packets. IP protocol 97 must be allowed on the firewall to allow EtherIP packets. If you use ESP to encapsulate mobility packets, you have to permit ISAKMP through the firewall when you open UDP port 500. You also have to open the IP protocol 50 to allow the encrypted data to pass through the firewall.

    These ports are optional (depending on your requirements):

• TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])
• UDP 69 for TFTP
• TCP 80 and/or 443 for HTTP or HTTPS for GUI access
• TCP 23 and/or 22 for Telnet or secure shell (SSH) for CLI access

OTV FAQs

1.Can OTV VDC configured with SVI of the Extended VLAN?

Answer:-No, OTV VDC cannot have SVI of the extended Vlans.

2.Is OTV supported on all series of line cards?

Answer:- No, OTV is not supported on F1,F2,F2e. It is only supported on M series and F3 line cards.

3.Does OTV advertise the mac-address?

Answer: - Unlike fabricpath, OTV advertise the mac-address.

4.What is the size of OTV header?

Answer: 42 Bytes

5.How the authoritative edge device role is negotiated?

Answer:- Edge device with lower system-id will become authoritative for all even extended vlans and edge devices with higher system-id will be elected for all odd vlans.

6.What is the COS and DSCP value of OTV control packet?

Answer:- COS=6/DSCP=48

7.Can multiple overlay interfaces share the same join interface?

Answer:- Yes, One join interface can be shared between multiple overlay interfaces.

8.How many overlay interfaces can be configured on the edge devices?

Answer:- Maximum 10 overlay interfaces can be configured.

9.How many sites can be paired on OTV?

Answer:- Maximum 6 sites can be configured.

10.   How many edge device per site can exist?

Answer:- Maximum two edge devices can be configured per site.

11. How many vlans can be extended via OTV?

Answer:- Maximum 256 Vlans can be extended.

12.What license is required for OTV?

Answer:- Transport  service license.

13.   Can we configure loopback interface as join interface?

 Answer:- NO, only physical interface, sub-interface,port-channel and port-channel sub interface can be configured as join interface.

SVI and loopback cannot be configured as join interface.

15.Can we configure 1 Gig port as join interface?

Answer:- Yes, there is no restriction for 10 gig.

16. Is OTV support fragmentation?

Answer:- No in OTV fragmentation or reassembly is not supported. All control and data traffic is sent with DF bit sent. OTV adds 42 byte header to IP packet.

17.Is STP BPDU sent across OTV link by default?

Answer: - No, STP BPDU are blocked by default.

18.Is unknown unicast is sent across OTV link?

Answer:- No, it is also not permitted to cross OTV link. OTV assume that there is no silent machine in the environment.

Fabricpath FAQs

1. What is the unique mac address used in unknown Unicast.
Answer:- 01:0F:FF:C1:01:C0

2. What is STP bridge ID used by all Fabricpath edge devices?
Answer:- C84C.75FA.6000

3. What is the maximum number of VPC+ port channel support?
Answer: - 244

Note: - On F2/F2E line card, we can increase the maximum number of VPC+ port-channel support by using no port-channel limit commands.

4. What is the default value Root priority?
Answer: - 64 ( It can be between 0 to 255)

5. What is the default TTL value set for all frames?
Answer: 32.

Note:-We can use the command fabricpath ttl to configure the TTL Value.

6. Does VPC+ support static port-channel?
Answer: - Yes, it supports both LACP and Static port-channels.

7. Is fabricpath supported on M cards?
Answer:- No. Fabricpath is only supported on F series.

8. Which license is required for Fabricpath?
Answer:- Enhanced Layer 2 Package

9. What is ethertype value of Fabricpath frame?
Answer:- 0x8903

10. What is order of preference for root election?
Answer:- Root priority-> System ID->Switch ID

Note:- Higher is better.

11. Is the mac addresses are advertised by fabricpath IS-IS like in OTV?

Answer :- No, Fabricpath IS-IS will not advertise any mac address.

F1 Vs. F2 Vs. F2E Vs. F3 - Cisco Nexus 7000

There are four types of F line cards available. Below is the difference between F1, F2, F2e and F3.

F1 Card:-

• Only perform Layer-2 task.
• No interface can be converted to Layer3.
• M and F1 card can coexist in a chassis

F2 line card:-

• Interface can be used as L2 or L3
• M and F2 card cannot coexist in a chassis.
• Don’t support OTV,MPLS and LISP

F2E line card:-

• Interface can be used as L2 or L3
•  M and F2E card can coexist in a chassis but in L2 mode only.
•  Don’t support OTV,MPLS and LISP

F3 line cards:-

• Interface can be used as L2 or L3
• M and F3 card can coexist in a chassis
• Support OTV, MPLS and LISP features.

Nexus 7000 License

1. Enterprise Services Package –  LAN_ENTERPRISE_SERVICES_PKG

- To enable Routing protocols like BGP,OSPF,EIGRP etch.

2. Advanced Services Package:- LAN_ADVANCED_SERVICES_PKG

-Without it one only one default VDC can be in use. BY installing Advance service license  4 VDC can be created on SUP1/SUP2 and SUP 2E.

In case of SUP-2E we need another VDC Licenses to support eight VDCs

3.Transport Services Package :-LAN_TRANSPORT_SERVICES_PKG 

To enable OTV and LISP

4. Scalable Services Package :-  SCALABLE_SERVICES_PKG

-A single license per system enables all XL-capable I/O modules to operate in XL mode

5. Enhanced Layer 2 Package:- ENHANCED_LAYER2_PKG 

- To enable FabricPath on F modules.

6. MPLS Services Package :- MPLS_PKG

- It is used to enable advance feature like MPLS, VPN, EoMPLS etc.

7. Storage Enterprise Package:- STORAGE_ENT

- It is require to enable IVR

8. FCoE Services Package :-  FCOE_PKG

It is the only license which is enabled on module bases. There are two different Licenses for F1 and F2 module.

FCOE_PKG- For F1 card

FCOE_F2 - F2 seires

Ethertype values

Switch identifies the type of frame by looking at the ethertype vlaue. Below are some common values and related technologies:-

Nexus port-profile

Port-profile is the way to configure the configuration template and to apply configuration on the multiple interfaces at the same time.

The entire configuration is done under port-profile and it gets replicated on the interfaces as soon as port-profile is mapped to the interface. All the configuration changes in port-profile will be replicated in the interface. It is not an initial template but an updating template which always attached to the interface.

Port-profile is used when the same configuration needs to be done on many interfaces.

There are below types of Port-profiles:-

•    Ethernet: - It is used when port-profile applied on the physical interfaces.
•    Port-channel:- Used in case of port-channel
•    Interface-vlan: - When port-profile is applied on the SVI.

Below is the process used to configure and apply the port-profiles:-

Step1. Create the port-profile based on the type of interface it is getting mapped. There are four types of port-profile like Ethernet, interface-vlan, port-channel and tunnel-te.

Note:- Ethernet is the default port-profile.

N7K-1(config)# port-profile type ?   ethernet        Ethernet type  ----------<<<<<< Default   interface-vlan  Interface-vlan type   port-channel    Port-channel type   tunnel-te       Tunnel-te type N7K-1(config)# port-profile test N7K-1# sh run port-profile test !Command: show running-config port-profile test !Time: Wed Sep 17 18:46:58 2014 version 5.2(1) port-profile type ethernet test  ------------<<<<<<Default

Step2. Configure the port-profile as per the requirement.

Note: - Please keep in mind port-profile name is case sensitive. It can be seen that same name with different case, will create two different port-profiles.

N7K-1(config)# port-profile type ethernet Access_PORT N7K-1(config-port-prof)# switchport mode access N7K-1(config-port-prof)# switchport access vlan 100 N7K-1(config-port-prof)# spanning-tree port type edge N7K-1(config)# port-profile type ethernet ACCESS_PORT N7K-1(config-port-prof)# switchport N7K-1(config-port-prof)#   switchport mode access N7K-1(config-port-prof)#   switchport access vlan 100 N7K-1(config-port-prof)#   spanning-tree port type edge N7K-1(config)# sh run port-profile !Command: show running-config port-profile !Time: Wed Sep 17 16:49:36 2014 version 5.2(1) port-profile type ethernet Access_PORT   switchport   switchport mode access   switchport access vlan 100   spanning-tree port type edge port-profile type ethernet ACCESS_PORT   switchport   switchport mode access   switchport access vlan 100   spanning-tree port type edge

Step 3. Verify the port-profile configuration.

N7K-1(config)# sh run port-profile port-profile type ethernet ACCESS_PORT   switchport   switchport mode access   switchport access vlan 100   spanning-tree port type edge

Step4. Once the configuration verification is done, enable the port profile.

N7K-1(config)# port-profile type ethernet ACCESS_PORT N7K-1(config-port-prof)#   state enabled N7K-1(config-port-prof)# exit

Step5. Apply port-profile on the physical interface which inherits the configuration of port-profile.

N7K-1(config)#Interface Eth1/1 N7K-1(config)#inherit port-profile ACCESS_PORT

N7K-1(config)# int eth1/21 N7K-1(config-if)# inherit port-profile access_port ERROR: No profile matching given profile name - - - <<This error is encountered when the port-profile name give is not correct or with different case.

Step6.  Show run interface command will not show the complete switchport configuration as shown below.

N7K-1(config)# sh run int eth1/21 !Command: show running-config interface Ethernet1/21 !Time: Wed Sep 17 16:51:12 2014 version 5.2(1) interface Ethernet1/21   inherit port-profile ACCESS_PORT

Use the below command to check the entire configuration associated to the switchport:-

N7K-1(config)# sh port-profile expand-interface name ACCESS_PORT port-profile ACCESS_PORT  Ethernet1/21   switchport   switchport mode access   switchport access vlan 100   spanning-tree port type edge

Step7.  Below command can be used to find what all interfaces as well as configuration associated to the port-profiles.

N7K-1# show port-profile name ACCESS_PORT port-profile ACCESS_PORT  type: Ethernet  description:  status: enabled  max-ports: 512  -----------------------<<<<<<<<<<<<<<  inherit:  config attributes:  ------------<<<<<<<<<<<<<<<<<<<<<   switchport   switchport mode access   switchport access vlan 100   spanning-tree port type edge  evaluated config attributes:   switchport   switchport mode access   switchport access vlan 100   spanning-tree port type edge  assigned interfaces:   Ethernet1/21  ------------------<<<<<<<<<<<<<<<<<<<<

Step8. Configuration done on the interface will take preference over the port-profile.

In the below output, Eth1/21 is configured as trunk which override the access port configuration in the port-profile.

N7K-1(config)#  int eth1/21 N7K-1(config-if)# switchport mode trunk N7K-1(config-if)# end N7K-1# sh run int eth1/21 !Command: show running-config interface Ethernet1/21 !Time: Wed Sep 17 19:03:34 2014 version 5.2(1) interface Ethernet1/21   inherit port-profile ACCESS_PORT   switchport mode trunk N7K-1# sh int eth1/21 switchport vdc 4 vlan 100Name: Ethernet1/21   Switchport: Enabled   Switchport Monitor: Not enabled   Operational Mode: trunk  ---------------<<<<<<<<<<<<<<   Access Mode VLAN: 100 (Vlan not created)   Trunking Native Mode VLAN: 1 (default)   Trunking VLANs Allowed: 1-4094   FabricPath Topology List Allowed: 0   Administrative private-vlan primary host-association: none   Administrative private-vlan secondary host-association: none   Administrative private-vlan primary mapping: none   Administrative private-vlan secondary mapping: none   Administrative private-vlan trunk native VLAN: none   Administrative private-vlan trunk encapsulation: dot1q   Administrative private-vlan trunk normal VLANs: none   Administrative private-vlan trunk

Step9. NO command is used to delete the port-profile. It also deletes the entire port-profile related configuration from the switchport whereas the configuration done inside the interface will not be removed.

N7K-1(config)# no port-profile ACCESS_PORT Profile is applied on some interfaces. Do you want to continue (y/n)? [n] y N7K-1(config)#sh run int eth1/21 !Command: show running-config interface Ethernet1/21 !Time: Wed Sep 17 19:08:33 2014 version 5.2(1) interface Ethernet1/21

Why we need Nexus 2K ( FEX) ?

 To understand the need to Nexus 2000, we must know the Datacenter architecture designs.

There are two types of design architecture:-

1.       TOP (Top of Rack) :-

2.       EOR (End of Row ):

Each above method has its own pros n corns. Please go through the below blog to find more details about the methods.

http://netterrene.blogspot.in/2014/09/top-of-rack-vs-end-of-row.html

Below are the disadvantages of both the designs:-

TOP (Top of Rack) :-

Disadvantage:-

·         Switch management: - As each Rack requires one or two switch, the management of the switch becomes an overhead. Which requires not only extra IPs but also management tool configuration is required which has its own capability to monitor the maximum number of devices. More devices in the network, more license cost etc.

EOR (End of Row) :

  

Disadvantage:-

·         Cable requirement: - As cable runs between each server and network switch, located in different racks, increases of cable requirement and add cost to the deployment and maintenance.

·         Cable management: - More resources and skill required for cable management. It increases the overall budget of the project.

·         Time to make changes: - As more cabling infrastructure is involved, modification not only becomes tedious but also require more time.

N2K not only increases the access port for end host connection but also reduces the major disadvantages of both TOR and EOR as discussed below:-

1.       Unlike EOR, it reduces the number of cable between network and server rack as there are only few uplinks between 2k and its parent switch i.e. 5k/7k. Less cable means low cable management and procurement cost. It also in turns increases the efficiency.

2.       Cisco nexus 2000 cannot work standalone. It needs either N5k or N7k as the parent and hence it reduces the management overburden unlike TOR. Less management require less number of IP address ,network resources as well as inventory and configuration management server license.

  

Apart from the above advantages, cisco 2k has few disadvantages as well which are mentioned below:-

1.       It doesn’t perform local switching. Two servers connected to same FEX cannot communicate directly. The traffic from server-1 will go to the parent switch i.e. 5k/7K and then come back to the server-2 connected to the same Fex.