Can XFP-10G-MM-SR compatible with SFP-10G-SR ?

 yes, we can connect a transceiver XFP-10G-MM-SR in one side and SFP-10G-SR in other side.

Throughput license installation in ASR 1002-x

There is no need to install the license on the router as cisco ASR 1002-x supports RTU(Right to use) method where cisco trust the customer.

I have installed L-FLSA1-2X-5-10G= on the router 1002-x.

Below is the command to configure new throughput level but it requires the reboot to activate.

(config)#platform hardware throughput level 10000000

PLEASE  READ THE  FOLLOWING TERMS  CAREFULLY. INSTALLING THE LICENSE OR LICENSE  KEY  PROVIDED FOR  ANY CISCO  PRODUCT  FEATURE  OR  USING SUCH PRODUCT  FEATURE  CONSTITUTES  YOUR  FULL ACCEPTANCE  OF  THE FOLLOWING TERMS. 

YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO  BE BOUND BY ALL THE TERMS SET FORTH HEREIN.   Use of this product feature requires  an additional license from Cisco, together with an additional  payment.  You may use this product feature on an evaluation basis, without payment to Cisco, for 60 days. Your use of the  product,  including  during the 60 day  evaluation  period,  is subject to the Cisco end user license agreement http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.htmlOUTPUT SHORTENED

Activation  of the  software command line interface will be evidence of your acceptance of this agreement.

ACCEPT? (yes/[no]): yes

ASR# write memory

Building configuration…

[OK]

ASR##reload

Proceed with reload? [confirm] 

After reboot, license remains as EvalRTU license for 60 days and then it changes automatically to Right-To-Use License

You can also use below command to move the license directly to permanent status instead of waiting for 60days.

ASR # license right-to-use move throughput

Use below commands to verify the throughput

ASR # show platform hardware throughput level

ASR# show license feature | include Feature|throughput

Steps to establish a physical connection in ACI

 To implement a physical connection in ACI, first define the following:

• Domain – Defines what you want to connect (bare-metal server or switch, router, virtual environment, etc.).

• VLAN/VSAN Pool – Defines which VLANs or VSANs this connection will use.

• AEP – Groups the Domain(s) you need to allow through a specific port and their corresponding VLANs/VSANs.

• Interface Profile – The interface for this connection.

• Interface Policy Group – The set of policies applied to an interface.

• Interface Policies – The actual policies (e.g. cdp, lldp, link speed, AEP, etc.) for this connection.

• Switch Profile – The Switch/Node for this connection.

Host a SSL (https) website on Ubuntu

  Below are the steps to host a website on port 80. In the below example 172.16.1.11 is the IP adddress on the Ubuntu server which will receive the customer traffic.

Step 1 : Enable SSL and restart Apache services

sudo a2enmod ssl

sudo service apache2 restart

STEP 2: Create a directory which contatin the certifcate and key.

Sudo Su

mkdir /etc/apache2/ssl

STEP 3: Generate self sign certificate and key

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

STEP 2:  Create the index html file and add the HTML code in it

nano /var/www/html/172.16.1.12_all/index.html

<html>

<title>172.16.1.12_8080</title>

<h1>Welcome to 172.16.1.12_8080 Website</h1>

<p>Website on port 8080</p>

</html>

ctrl + X then press Y 

Press Enter

STEP 4:  Add below ServerName in apache2.conf file

/etc/apache2/apache2.conf file:

ServerName localhost

STEP 5:   Add the website to the "SITES-AVAILABLE" FOLDER.

nano /etc/apache2/sites-available/172.16.1.12_all_ssl.conf

<VirtualHost 172.16.1.12:443>

ServerAdmin admin@localhost

ServerName  172.16.1.12

DocumentRoot /var/www/html/172.16.1.12_all

DirectoryIndex index.html

SSLEngine on

SSLCertificateFile      /etc/apache2/ssl/apache.crt

SSLCertificateKeyFile /etc/apache2/ssl/apache.key

</VirtualHost>

ctrl + X then press Y 

Press Enter

STEP 6:  Publish the website on Ubuntu

sudo a2ensite 172.16.1.12_all_ssl

STEP 7:   Restart Apache service

sudo service apache2 restart

STEP 8:   Check the website syntax

apachectl configtest

Host a website on Ubuntu on multiple ports

 Below are the steps to host a website on multiple ports. In the below example 172.16.1.11 is the IP adddress on the Ubuntu server which will receive the customer traffic.

STEP 1: Create a directory which will contain the HTML page of the website.

Sudo Su

mkdir /var/www/html/172.16.1.10_all

STEP 2:  Create the index html file and add the HTML code in it

nano /var/www/html/172.16.1.10_all/index.html

<html>

<title>172.16.1.10</title>

<h1>Welcome to 172.16.1.10 Website</h1>

<body style="background-color:orange;">

</body>

<p>Website on port 80</p>

</html>

ctrl + X then press Y 

Press Enter

STEP 4:  Give Sufficient permission to the folder

chown -R www-data:www-data /var/www/html/172.16.1.10_all

STEP 5:   Add the website to the "SITES-AVAILABLE" FOLDER.

nano /etc/apache2/sites-available/172.16.1.10_all.conf

<VirtualHost 172.16.1.10:*>

ServerAdmin admin@localhost

ServerName  172.16.1.10

DocumentRoot /var/www/html/172.16.1.10_all

DirectoryIndex index.html

ErrorLog ${APACHE_LOG_DIR}/80_error.log

CustomLog ${APACHE_LOG_DIR}/80_access.log combined

</VirtualHost>

ctrl + X then press Y 

Press Enter

STEP 6:  Publish the website on Ubuntu

a2ensite 172.16.1.10_all

STEP 7:   Restart Apache service

systemctl restart apache2

Host a website on Ubuntu on port 80

 Below are the steps to host a website on port 80. In the below example 172.16.1.11 is the IP adddress on the Ubuntu server which will receive the customer traffic.

STEP 1: Create a directory which will contain the HTML page of the website.

Sudo Su

mkdir /var/www/html/172.16.1.11_80

STEP 2:  Create the index html file and add the HTML code in it

nano /var/www/html/172.16.1.11_80/index.html

<html>

<title>172.16.1.11_80</title>

<h1>Welcome to 172.16.1.11_80 Website</h1>

<p>Website on port 80</p>

</html>

ctrl + X then press Y 

Press Enter

STEP 4:  Give Sufficient permission to the folder

chown -R www-data:www-data /var/www/html/172.16.1.11_80

STEP 5:   Add the website to the "SITES-AVAILABLE" FOLDER.

nano /etc/apache2/sites-available/172.16.1.11_80.conf

<VirtualHost 172.16.1.11:80>

ServerAdmin admin@localhost

ServerName  172.16.1.11

DocumentRoot /var/www/html/172.16.1.11_80

DirectoryIndex index.html

ErrorLog ${APACHE_LOG_DIR}/80_error.log

CustomLog ${APACHE_LOG_DIR}/80_access.log combined

</VirtualHost>

ctrl + X then press Y 

Press Enter

STEP 6:  Publish the website on Ubuntu

a2ensite 172.16.1.11_80

STEP 7:   Restart Apache service

systemctl restart apache2

Host Multiple Websites on a Single Server with Apache on Ubuntu

Below config is to host multiple website which runs on different port on same server:-

Step1: Make two directories one for each port

mkdir /var/www/html/172.16.1.12_8080

mkdir /var/www/html/172.16.1.12_8081

Step2: Create index file for site on port 8080

nano /var/www/html/172.16.1.12_8080/index.html

<html>

<title>172.16.1.12_8080</title>

<h1>Welcome to 172.16.1.12_8080 Website</h1>

<p>Website on port 8080</p>

</html>

CTRL X then press Y

press Enter

Step3: Create index file for site on port 8081

nano /var/www/html/172.16.1.12_8081/index.html

<html>

<title>8081</title>

<h1>Welcome to 172.16.1.12_8081 Website</h1>

<p>Website on port 8081</p>

</html>

CTRL X then press Y

press Enter

Step4: Assign priviledge to sites

chown -R www-data:www-data /var/www/html/172.16.1.12_8080

chown -R www-data:www-data /var/www/html/172.16.1.12_8081

Step5: Add 8080 site 

nano /etc/apache2/sites-available/172.16.1.12_8080.conf

<VirtualHost 172.16.1.12:8080>

ServerAdmin admin@localhost

ServerName  172.16.1.12

DocumentRoot /var/www/html/172.16.1.12_8080

DirectoryIndex index.html

ErrorLog ${APACHE_LOG_DIR}/8080_error.log

CustomLog ${APACHE_LOG_DIR}/8080_access.log combined

</VirtualHost>

CTRL X then press Y

press Enter

Step6: Add 8081 site

nano /etc/apache2/sites-available/172.16.1.12_8081.conf

<VirtualHost 172.16.1.12:8081>

ServerAdmin admin@localhost

ServerName  172.16.1.12

DocumentRoot /var/www/html/172.16.1.12_8081

DirectoryIndex index.html

ErrorLog ${APACHE_LOG_DIR}/8081_error.log

CustomLog ${APACHE_LOG_DIR}/8081_access.log combined

</VirtualHost>

CTRL X then press Y

press Enter

Step7: Enable sites

a2ensite 172.16.1.12_8080

a2ensite 172.16.1.12_8081

Step7: Restart Apache

systemctl restart apache2

Stuck in Configuration Utility restarting - Big IP

1. Log in to BIG-IP .

2. Make a backup using below command :

 /config/httpd/conf.d/proxy_ajp.conf cp /config/httpd/conf.d/proxy_ajp.conf /config/httpd/conf.d/proxy_ajp.conf.bk

3.Edit /config/httpd/conf.d/proxy_ajp.conf 

Below is the command to make the changes. After the command press "i"  (insert) to enable the editing and once the changes are done, enter esc and type :wq!(write and quite).

vi /config/httpd/conf.d/proxy_ajp.conf

Locate the following two "#ProxyPass" lines and  the below command .

#ProxyPass /tomcat/ ajp://localhost:8009/

#ProxyPass /examples/ ajp://localhost:8009/jsp-examples/

ProxyTimeout 10            #<----- Add this line

4.Save and close the file.

5.Restart httpd and tomcat.

bigstart restart httpd tomcat

F5 default credentials and some interesting Facts.

 Below are the default credentials for F5. you can change the credentials during initial setup wizard.

Cli

Username: root

Password: default

GUI

Username:admin

Password:admin

Interesting Fact:-

• Root and admin username cannot be deleted from F5.
• BY default,  username admin doesnot have access to the CLI but we can assign either advance shell or TMOS access to the "admin" user.

System >> Users : User List>> click user admin>> choose tmsh from drop down of "Terminal Access">> click update

• No GUI access can be given to user "root"

Global NTP servers

 NTP is a UDP based service which works on port number 123.It is recommended to use pool.ntp.org to find an NTP server.

All zones in All Pool Servers.

• Africa — africa.pool.ntp.org 
• Antarctica — antarctica.pool.ntp.org 
• Asia — asia.pool.ntp.org 
• Europe — europe.pool.ntp.org 
• North America — north-america.pool.ntp.org 
• Oceania — oceania.pool.ntp.org 
• South America — south-america.pool.ntp.org

Below is the command to check the ntp status on respective platforms.

A. Windows 

w32tm /query /peers

B. Ubuntu

/etc/ntp.conf

DNS root server list - A-M

 Below is the list of root servers starting from a to m.

SNMPv3 config on Cisco routers/Switches

   

1) Create an access-list to allow SNMP source servers.

access-list 10 permit 10.10.10.10

access-list 10 permit 10.10.10.11

access-list 10 permit 10.10.10.12

All SNMP servers must be allowed in above ACLs.

2) Now, Create the new Group using below command.

snmp-server group GROUP1 v3 auth read access 10

3) Create new credentials using the group "GROUP1"

snmp-server user SNMP_USER v3 auth md5 PASSWORD-AUTH priv aes 128 PASSWORD2-PRIV

All bold text are variables.

Enable Password vs Enable Secret command on cisco routers/switches

We all know that enable password is used to change from user mode to priviledge mode.

Enable password command will configure the password in unencrypted form whereas Enable secret command encrypts the password using MD5 hashing algorithm.

Enable secret command is always recommended.

Secret password will take precedence over enable password command.

uRPF and its modes : Strict vs Loose

Unicast Reverse Path Forwarding (Unicast RPF) Is a security feature to address the spoofed address attack. it is recommended to configure it on the L3 interfaces of the routers to verify the reach-ability of the source address in packets. Packet will be dropped in case source IP address is not valid. 

Unicast RPF works in one of below modes:

1. Strict mode: Router will perform two checks:. 

    A. Router checks the routing entry for the source address of the packet and will drop the packet in case no route is present on the routing table for the source address.
    B. Router will ensure that the source of incoming packet is reachable via same interface. Router will drop the packet in case source address is learned via different interface than from the one, packet in ingress ed.

Command:- 

Int eth1/1
ip verify unicast reverse-path    --<<< Old command but still available on some platforms
      or
IP verify unicast source reachable-via rx

ip verify unicast reverse-path (Unicast RPF)

2.  Loose mode(default mode): Only make sure that route for the source address is present in the routing table.

Int eth1/1
IP verify unicast source reachable-via Any

Note:-  Above matching criteria is not applicable for default route and will not allow traffic where source is only matching the default route. the " Allow-default" keyword is used to change this behaviour and traffic will be allowed where source address is matching only the default route.

BGP: x.x.x.x Active open failed - no route to peer, open active delayed 9216ms (35000ms max, 60% jitter)

BGP: x.x.x.x Active open failed - no route to peer, open active delayed 9216ms (35000ms max, 60% jitter)

I was working on an issue and got above logs while doing the debug of BGP on the cisco router.

Below are the two thing which we need to test to resolve such issues.

1. Specific route for the BGP neighbor IP address. BGP neighborship is dependent on it and default route won't work.

2. Ebgp multihop. Make sure to configure the eBGP multihop command while making the ebgp neighborship on the indirectly connected routers.

Cisco Traditional Vs Smart Licensing

Below are few important distance between Cisco traditional license and new smart licensing.

Traditional (node locked) licencing	Smart (dynamic) licencing
Manual individual license procurement and installation	Device initiates a call home and requests the licenses it needs.
Node-locked licences - license is associated with a specific device.	Pooled licences - licences are company account-specific, and can be used with any compatible device in your company. You can activate or deactivate different types of licenses on the device without actually installing a license file on the device.
No common install base location to view licenses purchased or software usage trends	Licenses are stored securely on Cisco servers accessible all the time.
No easy means to transfer licenses from one device to another.	Licenses can be moved between product instances without a license transfer. This greatly simplifies the reassignment of a software license as part of the Return Material Authorization (RMA) process.
Limited visibility into all software licenses being used in the network. Licenses are tracked only on per node basis.	Complete view of all Smart Software Licenses used in the network using a consolidated usage report of software licenses and devices in one easy-to-use portal.

IP NAT inside source vs IP NAT outside source

IP NAT inside source vs IP NAT outside source

For more information please refer to below cisco link

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13773-2.html

ISR 4331/4531 features in Evaluation mode

Below are the features available in Evaluation mode.

#sh license feature

Feature name Enforcement Evaluation Subscription Enabled  RightToUse
appxk9         yes          yes         no         no     yes       
uck9           yes          yes         no         no     yes       
securityk9     yes          yes         no         yes    yes       
ipbasek9       no           no          no         yes    no        
cme-srst       yes          yes         no         no     yes       
hseck9         yes          no          no         yes    no        
throughput     yes          yes         no         no     yes       
internal_service yes        no          no         no       no   


How to enable RTU package on ISR 4331/4531

config t
license accept end user agreement
yes
exit
license right-to-use move appxk9
config t
license boot level appxk9
end
wr mem

How to enable evaluation license

license feature appxk9

Catalyst 9000 License

The previous cisco licensing is divided into three following feature sets:

A.     LAN Base: It is primarily a Layer 2 feature set which offers enterprise access layer 2 switching features. It doesn’t provide any l3 functionality.

B.     IP Base: It provides the enterprise access layer 3 switching features in addition to all LAN base features. It doesn’t provide the advance layer3 features.

C.     IP Services: - It is an advance enterprise layer 3 switching features including EIGRP, OSPF, BGP, PIM and IPV6 routing protocols. It also supports all the IP base features.

The Cisco Catalyst 9000 does not use the above feature set and has its own package types. All Cisco Catalyst 9000 hardware has two software options i.e. Essentials and Advantage. Each software option includes two components, as show:

License Level	Network Stack offer (Perpetual and embedded)	Cisco DNA Software Subscription offer (Term based)
-E	Network Essentials	Cisco DNA Essentials (3, 5, or 7 years)
-A	Network Advantage	Cisco DNA Advantage (3, 5, or 7 years)

The Network Stack license is perpetual and embedded in the hardware by default and it is aligned with the hardware PID(-E/-A).

The Cisco DNA license is term-based and preselected by default to the 5-year term but can be changed to 3- or 7-year terms. Minimum of 3-year term DNA license is mandatory.

Customers will be able to upgrade the Network Stack and Cisco DNA license levels for example, -E to -A license upgrade.

Here is the comparison between three-tier packaging and Catalyst 9K new two-tier packaging.

Below features are included in the advantage and essential packages:

Install python and Paramiko on windows machine

We can follow below procedure to install Python on windows machine. Paramiko package is required for the ssh functionality wihtin the python. We cannot install the package directly and require a package manager called PIP. Below is the procedure to isntall paramiko on the windows box.

STEP A: Install Python:

1. Create a folder Python in system and download python from https://www.python.org/downloads/ .

2. Run the exe file and follow the steps.

3. Once it is finished, python is installed on your system.

4. To install additional packages PIP is required. Follow below procedure to install PIP.

STEP B: Install PP

2. To install packages within python we need to install a package manager PIP. You can download PIP "get-pip.py" from https://pypi.org/project/pip/#files.

3. Open a command prompt and navigate to the folder containing.

4. Run the following command:python get-pip.py=

5. Pip is now installed!

STEP C: Install Paramiko

1. Paramiko is used to ssh the devices.

2. Once PIP is install, you can install the paramiko package using command " pip install paramiko".

3850 stack requirement

3850 stackwise-480 supports mixed stack which means any model of 3850 cannot be used in a stack.

Whereas License(LAN base, IP base or IP services( and IOS XE version must be same on all stack switches. for example, Catalyst 3850 switches with LAN Base feature can only be stack with other 3850 LAB switches.

Maximum 8 switches can be part of single stack.

Cisco ACI Multi-Pod IPN Configuration Explained (Design, Requirements & Best Practices)

Introduction

In Cisco ACI Multi-Pod architecture, the Inter-Pod Network (IPN) is a critical component that connects spine switches across different pods. A properly designed IPN ensures stable control plane communication, efficient traffic forwarding, and overall data center reliability.

This guide explains IPN configuration requirements, supported hardware, and key design considerations for real-world deployments.

Why IPN Is Important in ACI Multi-Pod

The IPN enables communication between multiple ACI pods and is responsible for:

• MP-BGP control plane communication
• Endpoint information exchange
• Forwarding BUM traffic (Broadcast, Unknown Unicast, Multicast)
• Maintaining inter-pod connectivity

Incorrect IPN design can lead to MP-BGP instability, endpoint learning issues, and network outages.

Mandatory IPN Configuration Requirements

Routed Sub-Interface with VLAN 4

IPN interfaces must be configured as routed sub-interfaces using VLAN 4. Other configurations like routed physical ports or SVIs are not supported.

Jumbo MTU Requirement

IPN devices must support an MTU of 9150 bytes. All devices in the path must support jumbo frames.

If MTU is not consistent:

• MP-BGP adjacency may flap
• VXLAN traffic may fail

PIM BiDir Support

IPN must support PIM Bidirectional mode.

This is required to handle:

• Broadcast traffic
• Unknown unicast traffic
• Multicast traffic

OSPF Routing Protocol

• Only OSPF is supported between IPN devices and ACI spine switches.
• Other routing protocols like BGP and EIGRP cannot be used in this scenario.

DHCP Relay Requirement

If you plan to deploy additional pods using Zero Touch Provisioning (ZTP), DHCP relay must be configured on the IPN network.

QoS Policy Recommendation

QoS is not mandatory but recommended.

It helps prioritize:

• Control plane traffic
• MP-BGP updates
• Critical ACI communication

Design Best Practices

For a stable Multi-Pod deployment, ensure:

• End-to-end MTU consistency
• Redundant IPN paths
• Correct multicast design
• Stable OSPF neighbor relationships

These factors directly impact performance and scalability.

Supported IPN Hardware

IPN devices must support all required features such as MTU, PIM BiDir, and OSPF.

Commonly used hardware includes:

• Cisco Nexus 7000
• Cisco ASR 1000 Series
• Nexus N3K-C3548P-10GX

Unsupported hardware:

• Nexus N3K-C3172PQ-10GE

Always validate hardware capability before deployment.

Real-World Deployment Tips

• Verify MTU end-to-end before deployment
• Validate multicast configuration carefully
• Monitor MP-BGP sessions between pods
• Use QoS to protect control plane traffic
• Avoid unsupported hardware

Important Cisco ACI IPN Questions (Multi-Pod Interview Guide)

1. What are the Cisco ACI IPN configuration requirements?

Answer:
Key requirements for IPN in ACI Multi-Pod include:

• Routed sub-interface using VLAN 4
• MTU size of 9150 across the entire path
• Support for PIM Bidirectional (BiDir)
• OSPF as the routing protocol
• DHCP relay for zero-touch deployment (optional but recommended)
• QoS for prioritizing control-plane traffic

Explanation:
These requirements ensure stable communication between pods. Any mismatch (especially MTU or VLAN) can cause MP-BGP instability and traffic drops.

2. Why is VLAN 4 used in Cisco ACI IPN?

Answer:
VLAN 4 is a mandatory VLAN used for IPN connectivity between ACI spine switches across different pods.

Explanation:
Cisco ACI is designed to use VLAN 4 internally for IPN communication. It cannot be changed or replaced. This ensures standardized communication and compatibility in Multi-Pod deployments.

3. Why is MTU 9150 required in Cisco ACI?

Answer:
MTU 9150 is required to support VXLAN encapsulated traffic in ACI Multi-Pod environments.

Explanation:
VXLAN adds additional headers to packets. If MTU is less than 9150:

• Packets may get fragmented
• MP-BGP sessions may flap
• Traffic forwarding may fail

Ensuring jumbo frame support across all devices is critical.

4. What is the role of PIM BiDir in ACI Multi-Pod?

Answer:
PIM Bidirectional (BiDir) is used to carry BUM traffic (Broadcast, Unknown Unicast, Multicast) across pods.

Explanation:
In ACI Multi-Pod:

• BUM traffic must reach all endpoints
• PIM BiDir provides efficient multicast forwarding
• Reduces unnecessary flooding

This ensures optimized and scalable communication between pods.

5. How does IPN work in Cisco ACI Multi-Pod?

Answer:
IPN acts as a Layer 3 interconnect between spine switches of different pods.

Explanation:
It enables:

• MP-BGP exchange between spines
• Endpoint learning across pods
• VXLAN traffic forwarding

Traffic flow:

• Leaf → Local Spine → IPN → Remote Spine → Remote Leaf

This ensures seamless communication across geographically separated data centers.

6. What are the best practices for ACI Multi-Pod IPN design?

Answer:
Best practices include:

• Ensure MTU 9150 end-to-end
• Use redundant IPN paths
• Enable PIM BiDir correctly
• Maintain stable OSPF adjacency
• Implement QoS for control traffic
• Avoid unsupported hardware

Explanation:
Following these practices prevents:

• Traffic loss
• Control plane instability
• Fabric outages

A properly designed IPN ensures scalability and high availability.

SSH accessibility check of multiple cisco router and save the output in a file

import paramiko
import time
import sys
import logging
import socket

remote_conn_pre = paramiko.SSHClient()
remote_conn_pre.set_missing_host_key_policy(paramiko.AutoAddPolicy())

f= open("output.txt","w+")

ips = [i.strip() for i in open("ip.txt")]

import logging
logging.getLogger('paramiko.transport').setLevel(logging.DEBUG)
paramiko.util.log_to_file("logs")

for ip in ips:
    try:
        remote_conn_pre.connect(ip, username='test', password='test', timeout=4, look_for_keys=False, allow_agent=False)
        remote_conn = remote_conn_pre.invoke_shell()
        print (ip + ' === Device Reachable')
        f.write(ip + ' === Device Reachable'"\n")
        time.sleep(2)
    except paramiko.AuthenticationException:
        print ip + ' === Bad credentials'
        f.write(ip + ' === Bad credentials'"\n")
        time.sleep(2)
    except paramiko.SSHException:
        print ip + ' === Issues with ssh service'
        f.write(ip + ' === Issues with ssh service'"\n")
        time.sleep(2)
    except socket.error:
        print ip + ' === Device unreachable'
        f.write(ip + ' === Device unreachable'"\n")
        time.sleep(2)
f.close()

SSH accessibility check on mulitple routers

Make a notepad contain IP address of the routers where we need to check the SSH accessibility.

import paramiko
import time
import sys
import logging
import socket

remote_conn_pre = paramiko.SSHClient()
remote_conn_pre.set_missing_host_key_policy(paramiko.AutoAddPolicy())

ips = [i.strip() for i in open("ip.txt")]

for ip in ips:
    try:
        remote_conn_pre.connect(ip, username='test', password='test', timeout=4, look_for_keys=False, allow_agent=False)

        remote_conn = remote_conn_pre.invoke_shell()
        print (ip + ' === Device Reachable')
        remote_conn.send("\n")
        time.sleep(2)
    except paramiko.AuthenticationException:
        print ip + ' === Bad credentials'
    except paramiko.SSHException:
        print ip + ' === Issues with ssh service'
    except socket.error:
        print ip + ' === Device unreachable'

Jumbo frame configuration on Nexus

I have tried to explain the MTU configuration on the Nexus platform. MTU configuration varies based on the port type and hardware platform.

1. Layer 3 MTU Configurations

MTU configuraiton on L3 port is quite straight forward. Configuration is also same on all the platforms. We just need to give the MTU command on the interface configuration mode.

Configure MTU on a Switched Virtual Interface (SVI)

interface vlan 1
mtu 9216

Configure MTU on a Layer 3 Port

interface ethernet 1/1
no switchport
mtu 9216

2. Layer 2 MTU Configurations

MTU configuration on L2 port varies based on the hardware. On some platforms, we have to modify MTU under network-qos policy whereas on some MTU commands can be given under interface configuration mode.

2.1 Using QOS policy

On below hardware, jumbo frames can be configured using QOS policy.

Nexus 3000: Includes Nexus 3048, 3064, 3132Q, 3132Q-X, 3132Q-XL, 3172, and 3500 Series switches

Nexus 5000: All Nexus 5000 and 5500 Series switches

Nexus 6000: All Nexus 6000 Series switches

    Configuration: -

policy-map type network-qos jumbo
  class type network-qos class-default
          mtu 9216
system qos
  service-policy type network-qos jumbo

2.1 Per-Port MTU Configuration

On below hardware, jumbo frames can be configured directly under the interface.

           Nexus 3000: Includes Nexus 3132Q-V, 3164, 31108, 31128PQ, 3200 Series, and 36180YC-R switches

Nexus 7000: All Nexus 7000- and 7700 Series switches

Nexus 9000: All Nexus 9200 Series switches (includes 92xxx), 9300 Series switches (includes 93xxx), and 9500 Series switches

Nexus(config)#interface ethernet 1/1
Nexus(config-if)#mtu 9216

How to create BD in Cisco ACI

In traditional networking, we used to have VLAN as the Layer 2 forwarding domain which also define the broadcast domain. Whereas in ACI, Vlan are just an identifier and doesn’t defines the L2 domain. Bride domain defines the broadcast and L2 domain in ACI.

Like Vlan SVI in traditional network, subnets can also be defined in BD. We can also define more than one subnet under BD.

1.  Go to TENANT => HK TENANT=>Right click on BRIDGE DOMAIN => Select “CREATE BRIDGE DOMAIN”.

2. Name BD and map the VRF to this BD. Press NEXT to proceed.

3. Configure the L3 parameters and Click + to configure the subnet information under BD.

 4.      Enter the BD IP address with subnet mask. Check the “MAKE THIS IP ADDRESS    PRIMARY”.

Private to VRF—Subnet remains local to the VRF and Tenant.

Advertised Externally—Subnet can be advertised out of ACI Fabric over L3 out.

Shared between VRFs—Subnet can be exported to other VRFs in case inter-VRF routing is required.

"Treat as Virtual IP Address" option is only checked in case of multiple Fabrics.

 5. You can see subnet details will be displayed in L3 configuration section. Click NEXT to Proceed.

 6. Click Finish to create the BD

How to create VRF in Cisco ACI

In ACI, VRF concept is still the same as traditional network the only difference is VRF is not fabric wide unique but has a significance within the tenant.

1. To create VRF go to TENANT -> HK -> NETWORKING->RIGHT CLICK ON VRF ->  PRESS CREATE VRF.

2. Enter the VRF name and keep the other settings on default.  In this step you also get an option to create the BD. It is by default checked. Press Next to create the VRF.

3. If you don’t want to create BD in this step then uncheck the option and press Finish to create the VRF.

4. VRF is created once you click the Finish button.

How to Create Tenant on Cisco ACI

I assumed that your basic Fabric is UP where all the APICs/leafs and Spines are joined to the fabric.

The first step after the Fabric is up, is to create the tenant. Don’t confuse the tenant concept with the Nexus VDC. Tenant cannot provide the physical separation within fabric but is just a container of the policies. There are few types of default tenants present in the fabric like Infra, management and common tenant.

A Infra Tenant controls the infrastructure related policies like VXLAN overlay. It is by default in the system but can be modified by the administrator.

A Management Tenant controls the fabric wide management access( inband or out of band) related polices. It is also by default in the system and can be modified by the administrator.

A Common tenant contains the resources which are shared among the user VDCs like the connection to internet, firewalls, load balancer etc. Again by default in the system and policies in it can be modified by the administrator.

A user tenant is the one which is created by the Fabric administrator for the policies that can be used for the work loads like application, web EPGS. Below method shows how to create the an user Tenant.

     1.  Login to APIC and on the left top of the APIC HOME page you can see there is an option to add new tenant to the fabric. Click on “ADD TENANT”. 

     Adding a tenant to the fabric is a non-impacting change and can be done at any moment.

2.  Below screen will appear when you click on ADD TENANT. Add the Tenant name and click on Submit.

      3.    HK tenant will be created once you click the Submit button.