Friday, 22 August 2014

Spanning-tree port type network and normal

Network Port:-

A switchport connected to other switches or bridges via a point-to-point link should be configured as a network port.

It can be enabled on a per-interface basis as well as in global configuration mode.

As soon as a port is configured as a network port, Bridge Assurance is enabled on it.

Bridge Assurance is used to prevent unidirectional links. A port on which Bridge Assurance is configured sends BPDUs regardless of its role, even when it is an alternate or backup port. If the port does not receive BPDUs from the other end, it moves to the blocking state and resumes normal operation when it starts receiving BPDUs again.

If a network port is configured on a switchport connected to a host, the port will move to the blocking state, as it will not receive BPDUs from the host machine.

Normal port :-

A switchport that goes through all STP stages. It is the default switchport type.

A switchport connected to another switchport or bridge is configured as a normal port. One exception is the vPC peer link, which is configured as a network port by default.

It is used for backward compatibility with switches that do not support switchport type network.

Thursday, 21 August 2014

Spanning port types in Nexus switches


1. Edge port :-

A switchport is configured as an edge port when it is connected to an end-host device. It can be enabled on an access or trunk port.

Sometimes there is a requirement to transition a trunk port, e.g. a port connected to a server running ESXi, immediately into the forwarding state without going through the various spanning-tree states (listening, learning, etc.). The edge port feature can be used in such scenarios.

It is similar to the PortFast feature on legacy switchports.

Always configure edge ports with caution, as they can create Layer 2 loops if not configured correctly, especially when enabled on a switchport connected to another switch or bridge.

Configuration :-

It can be enabled globally as shown in the command below.

Note:- By default a switchport is configured as normal.

switch(config)# spanning-tree port type edge default

It can also be enabled per port.

switch(config)# interface ethernet 1/1
switch(config-if)# spanning-tree port type edge


2. Network Port:-

A switchport connected to other switches or bridges via a point-to-point link should be configured as a network port.

It can be enabled on a per-interface basis as well as in global configuration mode.

switch(config)# interface ethernet 1/4
switch(config-if)# spanning-tree port type network

switch# configure terminal
switch(config)# spanning-tree port type network default

As soon as a port is configured as a network port, Bridge Assurance is enabled on it.

Bridge Assurance is used to prevent unidirectional links. A port on which Bridge Assurance is configured sends BPDUs regardless of its role, even when it is an alternate or backup port. If the port does not receive BPDUs from the other end, it moves to the blocking state and resumes normal operation when it starts receiving BPDUs again.

If a network port is configured on a switchport connected to a host, the port will move to the blocking state, as it will not receive BPDUs from the host machine.

3. Normal port :-

A switchport that goes through all STP stages. It is the default switchport type.

A switchport connected to another switchport or bridge is configured as a normal port. One exception is the vPC peer link, which is configured as a network port by default.

Note:-
a. Configure all access and trunk ports connected to hosts as edge ports.

b. Bridge Assurance runs only on point-to-point spanning-tree network ports. You must configure each side of the link for this feature.

Monday, 18 August 2014

Requirements for re-IP addressing a site

In order to re-IP address a site we need to gather the information below, so that we can plan the changes with minimal impact.

  1. List of network devices: routers, switches, WAN optimizers, etc.
  2. List of security devices like firewalls, load balancers, proxy devices, etc.
  3. List of wireless devices like WLC, MSE, APs, etc.
  4. Existing subnet details and their use, including wireless network subnet details.
  5. Access-list and firewall rule details.
  6. Current routing and VRF details.
  7. Network diagrams (logical and physical) including LAN, WAN and WLAN.
  8. Applications in use.
  9. List of all static IPs.
  10. Servers located at the site.
  11. Surveillance devices like security cameras, etc.
  12. List of printers and scanners.
  13. Voice phone setup.
  14. Number of users per floor per building.
  15. Video meeting room setup.
  16. List and escalation matrix of site contacts.
  17. Hands-and-feet (on-site) engineer details.
  18. Working hours of the site.
  19. Vendor availability if there are any dependencies on vendors, e.g. for WAN or third-party devices.

Sunday, 17 August 2014

HSRP filtering in OTV

While using OTV we need to pay additional attention to HSRP. As a best practice, we don't use the same HSRP VIP between the DCs. Each DC should have its own HSRP pair and VIPs.

Since OTV does not block HSRP hello packets or MAC learning by default, we need to block the traffic manually by applying the access lists below.

A. VLAN FILTER

(i) Create an access-list that matches all traffic.

    ip access-list ALL_IPs
    10 permit ip any any

(ii) Create an access-list to match HSRP hello packets.

    ip access-list HSRP_IP
    10 permit udp any 224.0.0.2/32 eq 1985       <<< HSRP version 1
    20 permit udp any 224.0.0.102/32 eq 1985     <<< HSRP version 2

(iii) Create a MAC access-list that allows all MAC addresses.

    mac access-list ALL_MACs
    10 permit any any

(iv) Create a MAC access-list to match HSRP hello packets.

    mac access-list HSRP_MAC
    10 permit 0000.0c07.ac00 0000.0000.00ff any    <<< HSRP version 1
    20 permit 0000.0c9f.f000 0000.0000.0fff any    <<< HSRP version 2

(v) Create a VLAN access-map to block HSRP hello packets.

    vlan access-map BLOCK_HSRP 10
    match mac address HSRP_MAC
    match ip address HSRP_IP
    action drop

    vlan access-map BLOCK_HSRP 20
    match mac address ALL_MACs
    match ip address ALL_IPs
    action forward

(vi) Apply the VLAN filter.

    vlan filter BLOCK_HSRP vlan-list 90

B. ARP INSPECTION FILTER :-

(i) Enable the DHCP feature.

    feature dhcp

(ii) Create an ARP access-list.

    arp access-list HSRP_MAC_ARP
    10 deny ip any mac 0000.0c07.ac00 ffff.ffff.ff00
    20 deny ip any mac 0000.0c9f.f000 ffff.ffff.f000
    30 permit ip any mac any

(iii) Apply the ARP inspection filter.

    ip arp inspection filter HSRP_MAC_ARP vlan 90


C. MAC-LIST FILTERING

(i) Create a mac-list to block HSRP hello packets.

    mac-list OTV_HSRP_BLOCK seq 10 deny 0000.0c07.ac00 ffff.ffff.ff00
    mac-list OTV_HSRP_BLOCK seq 11 deny 0000.0c9f.f000 ffff.ffff.f000
    mac-list OTV_HSRP_BLOCK seq 20 permit 0000.0000.0000 0000.0000.0000

(ii) Create a route-map to block hello packets, referencing the mac-list created above.

    route-map RESTRICT_HSRP permit 10
     match mac-list OTV_HSRP_BLOCK

(iii) Apply the route-map to the VPN overlay.

    otv-isis default
     vpn Overlay1                 <<< overlay interface created in the OTV VDC
      redistribute filter route-map RESTRICT_HSRP
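The three filters above all key on the same two HSRP virtual MAC ranges, but the mac access-list is written with a wildcard (set bits ignored) while the arp access-list and mac-list use a match mask (set bits must match). This added Python example, not from the original post, models that matching logic and the BLOCK_HSRP access-map decision over constructed frames; the AND-ing of the two match clauses in sequence 10 and all sample addresses are assumptions.

```python
# Added example (not part of the original post): evaluates the HSRP-filter logic
# above. Tuples: base MAC, mac access-list wildcard, arp access-list/mac-list mask.
HSRP_V1 = ("0000.0c07.ac00", "0000.0000.00ff", "ffff.ffff.ff00")
HSRP_V2 = ("0000.0c9f.f000", "0000.0000.0fff", "ffff.ffff.f000")

def mac_int(mac):
    return int(mac.replace(".", ""), 16)

def match_wildcard(mac, base, wildcard):
    # mac access-list HSRP_MAC semantics: set wildcard bits are ignored
    w = mac_int(wildcard)
    return (mac_int(mac) & ~w) == (mac_int(base) & ~w)

def match_mask(mac, base, mask):
    # arp access-list / mac-list semantics: set mask bits must be equal
    m = mac_int(mask)
    return (mac_int(mac) & m) == (mac_int(base) & m)

def is_hsrp_virtual_mac(mac, wildcard_style=True):
    matcher, idx = (match_wildcard, 1) if wildcard_style else (match_mask, 2)
    return any(matcher(mac, v[0], v[idx]) for v in (HSRP_V1, HSRP_V2))

def hsrp_ip_acl(frame):
    # ip access-list HSRP_IP: UDP/1985 to 224.0.0.2 (v1) or 224.0.0.102 (v2)
    return (frame["proto"] == "udp" and frame["dport"] == 1985
            and frame["dst_ip"] in ("224.0.0.2", "224.0.0.102"))

def vacl_block_hsrp(frame):
    # vlan access-map BLOCK_HSRP: seq 10 drops only if both clauses match (assumed AND); seq 20 forwards
    if is_hsrp_virtual_mac(frame["src_mac"]) and hsrp_ip_acl(frame):
        return "drop"
    return "forward"

def arp_inspection(sender_mac):
    # arp access-list HSRP_MAC_ARP: deny HSRP virtual sender MACs, permit others
    return "deny" if is_hsrp_virtual_mac(sender_mac, wildcard_style=False) else "permit"

def otv_mac_list(mac):
    # mac-list OTV_HSRP_BLOCK: seq 10/11 deny HSRP MACs; seq 20 (all-zero mask) permits any
    if is_hsrp_virtual_mac(mac, wildcard_style=False):
        return "deny"
    return "permit" if match_mask(mac, "0000.0000.0000", "0000.0000.0000") else "deny"

# Constructed samples: v1 hello, v2 hello, plain host traffic, non-HSRP host to the HSRP group address
SAMPLES = [
    {"src_mac": "0000.0c07.ac05", "dst_ip": "224.0.0.2", "proto": "udp", "dport": 1985},
    {"src_mac": "0000.0c9f.f05a", "dst_ip": "224.0.0.102", "proto": "udp", "dport": 1985},
    {"src_mac": "0050.56ab.cdef", "dst_ip": "10.1.90.50", "proto": "tcp", "dport": 443},
    {"src_mac": "0050.56ab.cdef", "dst_ip": "224.0.0.2", "proto": "udp", "dport": 1985},
]
```

The last sample shows why sequence 10 matches both a MAC and an IP clause: a host that merely sends to 224.0.0.2:1985 from a non-HSRP MAC is still forwarded.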

Types of storage HBAs

HBAs (Host Bus Adapters) are essentially NICs for the SAN; they connect servers and storage to the SAN network.

There are three types of HBAs:-

A. Fibre Channel HBAs :-
  • It only supports native FC (Fibre Channel) traffic.
  • It supports 1/2/4/8/16 Gbps.

B. iSCSI HBAs :-
  • It offloads iSCSI reads and writes from the CPU.
  • It is a normal Ethernet interface.
  • 1/10 Gbps supported.

C. CNA (Converged Network Adapter) :-
  • Used in FCoE (Fibre Channel over Ethernet).
  • It carries both Ethernet and storage traffic together.

Saturday, 16 August 2014

F5 provisioning

Provisioning :-

A. Allocates F5 resources (like CPU and RAM) to the modules.

B. Introduced in version 10.

C. If you have both GTM and LTM modules, you need to provision GTM, whereas LTM is provisioned by default.

Provision types:-

A. Dedicated :- Only one module is used, so it utilizes all the resources.

B. Nominal :- Gives the module sufficient resources to work; it can ask for more resources when needed.

C. Minimum :- Allocates minimum resources to the module; this is used to accommodate the maximum number of modules.

D. None :- No resources are allocated to the module.


F5 Licensing methods - Automatic and Manual

Licensing methods:-

Automatic :- When the BIG-IP has direct internet access.

Always store the license file in the correct/appropriate directory.

Manual :- When there is a firewall between the BIG-IP and the licensing server on the internet, and the BIG-IP does not have direct internet access.

Manual licensing process:-

A. From the BIG-IP web configuration utility, copy the dossier or download it to a file on your PC.

B. Connect the PC containing the dossier to the internet, or copy the dossier to a different PC that is already connected to the internet.

C. Send the dossier to the F5 license server.

D. Get the license from F5 License server.

E. Copy the License to BIG-IP.