STP convergence – MST

May 8, 2013 4 comments

In the comments I received a wish to compare RPVST+ with MST.
RPVST+ is Cisco’s proprietary STP running one instance per VLAN over
802.1Q trunks. MST is an industry standard which can run multiple
instances, but not one per VLAN. MST runs RSTP as the underlying
protocol, so in theory there should be no difference at all. Let’s
give it a try. The topology is very similar to last time but a couple
of extra routers are involved. We’ll get back to these later. This is
the topology:

[Image: STP-convergence-MST]

These are the current port roles:

[Image: STP-port-roles-MST]

I have just put some basic MST configuration and NTP on the switches.

SW3(config)#ntp server 13.13.13.1
SW3(config)#span mode mst
SW3(config)#span mst 0 prio 16384
SW3(config)#span mst 1 prio 16384
SW3(config)#span mst conf
SW3(config-mst)#name TST       
SW3(config-mst)#revision 1

Verify initial reachability between the routers.

R1#ping 13.13.13.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

R2#ping 25.25.25.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 25.25.25.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Now let’s shut down Gi0/21 on SW3, which leads to SW2’s root port.
Debug spanning-tree events will show the sequence of events.

May  7 20:32:18.975: MST[0]: Fa0/21 state change forwarding -> disabled
May  7 20:32:18.975: MST[0]: updt roles, root port Fa0/21 going down
May  7 20:32:18.975: MST[0]: Fa0/23 is now root port
May  7 20:32:18.975: MST[0]: Fa0/21 state change disabled -> blocking
May  7 20:32:18.975: MST[0]: Fa0/23 state change blocking -> forwarding
May  7 20:32:18.979: MST[0]: sending proposal on Fa0/3
May  7 20:32:18.983: MST[0]: sending proposal on Fa0/5

The switchover is immediate, as expected. Now let’s try to simulate a passive
error by enabling BPDU filter.

SW3(config-if)#span bpdufilter enable
SW3(config-if)#do sh clock
20:36:14.354 UTC Tue May 7 2013

This is from SW2:

May  7 20:36:20.008: MST[0]: updt roles, information on root port Fa0/21 expired
May  7 20:36:20.008: MST[0]: Fa0/23 is now root port
May  7 20:36:20.008: MST[0]: Fa0/21 state change forwarding -> blocking
May  7 20:36:20.008: MST[0]: Fa0/3 state change forwarding -> blocking
May  7 20:36:20.008: MST[0]: Fa0/5 state change forwarding -> blocking
May  7 20:36:20.008: MST[0]: Fa0/23 state change blocking -> forwarding
May  7 20:36:20.008: MST[0]: Fa0/21 is now designated
May  7 20:36:20.012: MST[0]: sending proposal on Fa0/21
May  7 20:36:20.012: MST[0]: sending proposal on Fa0/3
May  7 20:36:20.012: MST[0]: sending proposal on Fa0/5

So it took roughly 6 seconds, which was expected. Because MST runs
RSTP, the results are exactly the same. The only thing that’s really different
with MST is that all BPDUs are piggybacked on the CIST (instance 0). If you have
VLANs mapped to instance 0 and there is a change, then the other instances may have
to recalculate as well.

So using MST is no different from using RPVST+ from a convergence standpoint.
In future posts I will look at running a mix of RPVST+ and MST and see how
they interconnect.

Spanning tree convergence

May 7, 2013 7 comments

Someone asked the other day how fast STP converges depending on whether PVST+,
RPVST+ or MST is running. Usually the answer for PVST+ is 30-50 seconds
and for RPVST+ it’s fast, maybe less than a second. I thought I would
explore this and check the difference between PVST+ and RPVST+, and also
using PVST+ with features like UplinkFast.

This post assumes you already have a good basic understanding of STP. This
is not an introductory post on STP.

This is the topology being used:

[Image: STP-convergence]

SW1 is the root and the ports towards the routers have been configured with VLAN 23
and portfast. I will run NTP to have the clocks properly synchronized. Currently
the port roles look like this:

[Image: STP-port-roles]

I will configure the routers in the 23.23.23.0/24 subnet and do a ping to verify connectivity.

R2#ping 23.23.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms

Working fine so far. Now let’s take a look at some different failure scenarios.
We turn on logging to a buffer so as not to flood the console. We will be looking at
spanning tree events.

SW1(config)#logging con 6
SW1(config)#logging buff 7
SW1(config)#logging buff 32768
SW1(config)#do debug spanning-tree events
Spanning Tree event debugging is on

What happens when the root port is shut down? In theory, when the switch detects
that the carrier is down it should look at the alternate BPDU and start taking that
port through the different port states. This should take around 30 seconds.

This is the output from SW2.

May  7 10:27:03.314: STP: VLAN0023 new root port Fa0/16, cost 38
May  7 10:27:18.321: STP: VLAN0023 Fa0/16 -> learning
May  7 10:27:33.329: STP: VLAN0023 sent Topology Change Notice on Fa0/16
May  7 10:27:33.329: STP: VLAN0023 Fa0/16 -> forwarding

The timing is almost perfect. The port goes through listening and learning
at 15 seconds each before it goes to forwarding almost exactly 30 seconds after
the port was shutdown.

What happens when there is an indirect failure? The switch has to expire the root BPDU
before it believes other BPDUs with a worse cost. This should take around 20 seconds,
since by default MaxAge is set to 20 seconds.

SW1#sh span | i Age
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
SW2#sh span int f0/13 det | i age
   Timers: message age 1, forward delay 0, hold 0

This time we will simulate a passive error by configuring BPDU filter on SW1 towards
SW2.

SW1(config-if)#span bpdufilter enable   
SW1(config-if)#do sh clock
10:39:05.598 UTC Tue May 7 2013

This has created a bridging loop, but in this case we just want to see how long it
takes before the alternate port comes up as the root port.

May  7 10:39:24.046: STP: VLAN0023 new root port Fa0/16, cost 38
May  7 10:39:24.046: STP: VLAN0023 Fa0/16 -> listening
May  7 10:39:39.053: STP: VLAN0023 Fa0/16 -> learning
May  7 10:39:54.061: STP: VLAN0023 sent Topology Change Notice on Fa0/16
May  7 10:39:54.061: STP: VLAN0023 Fa0/16 -> forwarding

So it took almost 20 seconds for the BPDU to expire. Then the port goes through
the ordinary state changes. Roughly 48.5 seconds after the filter was applied
the port went into forwarding. For passive failures when running PVST+ the
maximum recovery time should be 50 seconds.

Now let’s look at PVST+ with UplinkFast configured. The theory is that when a
root port fails, the Alternate port should bypass the listening and learning
states and go directly to forwarding. Let’s try this out.

SW2(config)#spanning-tree uplinkfast
May  7 10:46:37.260: STP: VLAN0023 new root port Fa0/16, cost 3038
May  7 10:46:38.249: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
May  7 10:46:39.264: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down
May  7 10:46:39.264: STP: VLAN0023 sent Topology Change Notice on Fa0/16

It took only 2 seconds from realizing the port was down to putting the alternate
port into forwarding. For PVST+ this is a great enhancement. What if there is
a passive error?

SW1(config-if)#span bpdufilter enable
SW1(config-if)#do sh clock
10:51:11.870 UTC Tue May 7 2013
May  7 10:51:30.216: STP: VLAN0023 new root port Fa0/16, cost 3038
May  7 10:51:30.216: STP: VLAN0023 sent Topology Change Notice on Fa0/16

There is nothing to be done about the Maxage expiring but the port is
brought up after that. So instead of 50 seconds it takes about 20 seconds.

That’s it for PVST+. Now let’s move on to RPVST+. RPVST+ works by synchronizing
the topology and it has optimizations built in. If a port fails then it should
converge almost instantly.

May  7 10:56:34.421: RSTP(1): updt roles, root port Fa0/13 going down
May  7 10:56:34.421: RSTP(1): Fa0/16 is now root port
May  7 10:56:34.421: RSTP(1): syncing port Fa0/4
May  7 10:56:34.421: RSTP(1): syncing port Fa0/6
May  7 10:56:34.421: RSTP(1): syncing port Fa0/24
May  7 10:56:34.421: RSTP(23): updt roles, root port Fa0/13 going down
May  7 10:56:34.421: RSTP(23): Fa0/16 is now root port
May  7 10:56:34.438: RSTP(1): transmitting a proposal on Fa0/4
May  7 10:56:34.438: RSTP(1): transmitting a proposal on Fa0/6
May  7 10:56:34.438: RSTP(1): transmitting a proposal on Fa0/24
May  7 10:56:35.419: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
May  7 10:56:35.578: RSTP(1): transmitting a proposal on Fa0/4
May  7 10:56:35.578: RSTP(1): transmitting a proposal on Fa0/6
May  7 10:56:35.578: RSTP(1): transmitting a proposal on Fa0/24
May  7 10:56:36.434: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down

It instantly fails over to the Alternate port and then starts synchronizing
the topology by sending out proposals. What if there was a passive failure?
In theory, after RPVST+ misses 3 BPDUs it should realize that it needs to
start using the alternate path. Let’s try it out.

SW1(config-if)#span bpdufilter enable
SW1(config-if)#do sh clock
11:01:12.960 UTC Tue May 7 2013
May  7 11:01:16.648: RSTP(1): Fa0/13 rcvd info expired
May  7 11:01:16.648: RSTP(1): updt roles, information on root port Fa0/13 expired
May  7 11:01:16.648: RSTP(1): Fa0/16 is now root port
May  7 11:01:16.648: RSTP(1): Fa0/13 blocked by re-root
May  7 11:01:16.648: RSTP(1): syncing port Fa0/4
May  7 11:01:16.648: RSTP(1): syncing port Fa0/6
May  7 11:01:16.648: RSTP(1): syncing port Fa0/24
May  7 11:01:16.648: RSTP(1): Fa0/13 is now designated
May  7 11:01:16.648: RSTP(23): Fa0/13 rcvd info expired
May  7 11:01:16.648: RSTP(23): updt roles, information on root port Fa0/13 expired
May  7 11:01:16.648: RSTP(23): Fa0/16 is now root port
May  7 11:01:16.648: RSTP(23): Fa0/13 blocked by re-root
May  7 11:01:16.648: RSTP(23): Fa0/13 is now designated

Already around 4 seconds later the topology has converged. It should take
maximum 6 seconds depending on when the last BPDU was received before the
failure.
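As an added example (my own code, not from this post or the MST post above), the convergence times both posts read off by hand can be computed from the captured output: the functions below take the show clock reading taken when the BPDU filter was applied plus the debug lines that followed, and compare the elapsed time to the timer-driven worst case for PVST+, PVST+ with UplinkFast, RPVST+ and MST. The log lines are constructed copies of the passive-failure tests shown in the two posts, and the timer rules use the defaults the posts show (hello 2, MaxAge 20, forward delay 15).

```python
import re

TIME_RE = re.compile(r"(\d{2}):(\d{2}):(\d{2})\.(\d{3})")


def seconds_of_day(text):
    """Return the first hh:mm:ss.mmm timestamp in text as seconds since midnight.

    Works for 'show clock' output ('10:39:05.598 UTC Tue May 7 2013') and for
    debug lines ('May  7 10:39:54.061: STP: ...'); the date is not needed because
    each test's events fall on the same day."""
    m = TIME_RE.search(text)
    if m is None:
        raise ValueError(f"no timestamp in {text!r}")
    h, mi, s, ms = (int(g) for g in m.groups())
    return h * 3600 + mi * 60 + s + ms / 1000.0


def measured_convergence(clock_line, debug_log, converged_re):
    """Seconds from the 'show clock' reading taken when the BPDU filter was
    applied to the first debug line matching converged_re."""
    start = seconds_of_day(clock_line)
    for line in debug_log.strip().splitlines():
        if re.search(converged_re, line):
            return round(seconds_of_day(line) - start, 3)
    raise ValueError("log never reached the converged state")


def timer_delay(protocol, failure, hello=2, max_age=20, forward_delay=15):
    """Timer-driven delay in seconds before the alternate port forwards, with the
    default 802.1D timers. failure is 'direct' (carrier goes down) or 'passive'
    (link stays up but BPDUs stop arriving, as with a BPDU filter)."""
    p = protocol.lower()
    if p in ("rpvst+", "mst"):
        # RSTP-based: immediate on carrier loss, otherwise wait for 3 missed hellos
        return 0 if failure == "direct" else 3 * hello
    if p == "pvst+uplinkfast":
        # UplinkFast skips listening/learning, but MaxAge still has to expire
        return 0 if failure == "direct" else max_age
    if p == "pvst+":
        # listening + learning, plus MaxAge expiry when the carrier stays up
        states = 2 * forward_delay
        return states if failure == "direct" else max_age + states
    raise ValueError(f"unknown protocol {protocol!r}")


# Constructed copies of the clock reading and the debug lines from the passive
# (BPDU filter) tests in the two posts, with the pattern that marks convergence.
SCENARIOS = {
    "pvst+": (
        "10:39:05.598 UTC Tue May 7 2013",
        """May  7 10:39:24.046: STP: VLAN0023 new root port Fa0/16, cost 38
May  7 10:39:24.046: STP: VLAN0023 Fa0/16 -> listening
May  7 10:39:39.053: STP: VLAN0023 Fa0/16 -> learning
May  7 10:39:54.061: STP: VLAN0023 Fa0/16 -> forwarding""",
        r"-> forwarding",
    ),
    "pvst+uplinkfast": (
        "10:51:11.870 UTC Tue May 7 2013",
        "May  7 10:51:30.216: STP: VLAN0023 new root port Fa0/16, cost 3038",
        r"new root port",
    ),
    "rpvst+": (
        "11:01:12.960 UTC Tue May 7 2013",
        """May  7 11:01:16.648: RSTP(1): Fa0/13 rcvd info expired
May  7 11:01:16.648: RSTP(1): Fa0/16 is now root port""",
        r"is now root port",
    ),
    "mst": (
        "20:36:14.354 UTC Tue May 7 2013",
        """May  7 20:36:20.008: MST[0]: updt roles, information on root port Fa0/21 expired
May  7 20:36:20.008: MST[0]: Fa0/23 is now root port""",
        r"is now root port",
    ),
}


def compare_all():
    """Map each protocol to (measured seconds, timer-driven worst case, within bound)."""
    results = {}
    for proto, (clock, log, pattern) in SCENARIOS.items():
        measured = measured_convergence(clock, log, pattern)
        bound = timer_delay(proto, "passive")
        results[proto] = (measured, bound, measured <= bound)
    return results
```

The same functions work on a direct-failure capture by passing the first debug line after the shutdown as the clock reading and using "direct" in timer_delay.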

As you can see it’s very important to detect carrier down. If you do detect it
and are running RPVST+ then convergence is almost immediate. So when designing your
network, try to avoid using fiber converters and similar devices that won’t shut down
the RJ45 side if the optical side goes down. Designing for convergence is not just
about protocols; you also need to consider the physical infrastructure.

I hope this post has given you a good insight to the convergence of STP.

Routing-bits SP handbook now available


We are many CCIE RS candidates that have used Ruhann’s RS handbook to
aid us in passing the CCIE lab. Ruhann has now released an SP handbook
as well to aid all SP candidates.

Who is Ruhann?

Ruhann du Plessis 2x CCIE #24163 (RS, SP) is an experienced engineer
that designs and works with large MPLS VPN networks, intra/inter-AS
routing, large data centers and so on.

The book was written to be used as a kind of quick reference. You
will find both theory and, most importantly, config sets that describe
how to configure the different features. Relevant show commands
and how to troubleshoot are also shown, which is really good. Links
to the DOCCD are also included so that it becomes easy to find where all
the features are located.

The book starts by describing a feature/protocol with some theory and
facts, often in bullet point form. On top of the page there is a
reference to the DOCCD to find the relevant feature. Then the config set
shows how to configure the feature and finally show commands and how
to troubleshoot is shown at the end of the section. There is also a
reference to relevant RFCs describing the features/protocols.

From what I’ve seen this book looks great! The RS book is a great help
in passing the RS lab and now there is an equally good book to help
in passing the SP lab as well.

I really like to use the book as a reference. It’s sometimes easier to
find the information in the handbook than going to the Cisco documentation.
The config sets are even better than what is shown in the Cisco docs.

A sample of the SP handbook is available here.

To buy it go to Ruhann’s site. It’s only $98.

Introduction to NX-OS – Basic system setup

April 30, 2013 2 comments

I’m trying to learn more about Cisco’s datacenter products and obviously NX-OS is a
big part of that. I’ll do some blog posts to introduce anyone not familiar with
NX-OS to it, and that will help me with the learning as well.

One important thing to know about NX-OS is that features are selectively enabled.
This means that if you are not running OSPF then there is no need to have that
process running. We can check what features are running.

N7K-1# sh feature | ex not | grep enabled
hsrp_engine           1         enabled 
sshServer             1         enabled 
vtp                   1         enabled

As you can see NX-OS has some nice features like grep, which is a nice addition
compared to regular IOS. There are also additional things that can be done like sort,
count and counting unique instances.

N7K-1# sh feature | ex not | grep enabled | count
3

By default Telnet is not enabled which is good. It’s more secure to use SSH.
If we want to add it we can do it with the feature command.

N7K-1(config)# feature telnet
N7K-1# sh feature | grep telnet
telnetServer          1         enabled

In regular IOS we limit the number of VTY sessions with the line vty command.
In NX-OS the session-limit command is used instead.

N7K-1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
N7K-1(config)# line vty
N7K-1(config-line)# session-limit 5

SSH is enabled by default. A crypto key should already be generated or you can generate
a new one.

N7K-1(config)# ssh key rsa 1024 force
deleting old rsa key.....
generating rsa key(1024 bits).....
.
generated rsa key

With the show users command we can see from which TTYs the users are logged in.

N7K-1# sh users
NAME     LINE         TIME         IDLE          PID COMMENT
admin    pts/0        Apr 30 05:22   .         21294 (10.20.30.200)
admin    pts/1        Apr 30 05:28   .         21845 (10.20.30.200) session=ssh *

When logging in to an NX-OS device the user goes straight to exec mode. There
is no need to enter enable mode. There are 4 different types of accounts (roles)
available in NX-OS. These are:

  • network-admin—Complete read-and-write access to the entire Cisco NX-OS device (only available in the default VDC)
  • network-operator—Complete read access to the entire Cisco NX-OS device (only available in the default VDC)
  • vdc-admin—Read-and-write access limited to a VDC
  • vdc-operator—Read access limited to a VDC

This makes it easy to create users that should have only read access.

N7K-1(config)# username daniel password daniel role network-operator
login: daniel
Password: 
Last login: Mon Apr 29 18:56:23 from 10.20.30.200
Cisco NX-OS Software
N7K-1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
N7K-1(config)# router ospf 1
% Permission denied for the role
N7K-1(config)#

SNMP should be enabled for network management. SNMP version 2C or 3 can
be enabled.

N7K-1(config)# snmp-server community public ro
N7K-1# show snmp community
Community            Group / Access      context    acl_filter
---------            --------------      -------    ----------
public                network-operator           

[Image: SNMPwalk1]

For a more secure SNMP setup, version 3 should be used. SNMPv3 can be set up to use
authentication only, or authentication and encryption. By default the users we create
will be created as SNMP users also, which makes the configuration simple.

N7K-1# show snmp user
______________________________________________________________
                  SNMP USERS 
______________________________________________________________

User                          Auth  Priv(enforce) Groups                        
____                          ____  _____________ ______                        
daniel                        md5   des(no)       network-operator

New users can be created as well.

N7K-1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
N7K-1(config)# snmp-server user SNMPadmin ?

  WORD   Group name (ignored for notif target user) (Max Size 28)
  auth   Authentication parameters for the user

N7K-1(config)# snmp-server user SNMPadmin auth ?
  md5  Use HMAC MD5 algorithm for authentication
  sha  Use HMAC SHA algorithm for authentication

N7K-1(config)# snmp-server user SNMPadmin auth md5 ?
  WORD  Authentication password for user (Max Size 130)

N7K-1(config)# snmp-server user SNMPadmin auth md5 admin ?

  engineID      EngineID for configuring notif target user (for V3 informs)
  localizedkey  Specifies whether the passwords are in localized key format
  priv          Encryption parameters for the user

N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv ?
  WORD     Privacy password for user (Max Size 130)
  aes-128  Use 128-bit AES algorithm for privacy

N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv aes-128 ?
  WORD  Privacy password for user (Max Size 130)

N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv aes-128 secret ?

  engineID      EngineID for configuring notif target user (for V3 informs)
  localizedkey  Specifies whether the passwords are in localized key format

N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv aes-128 secret 
user password must be atleast 8 characters
N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv aes-128 secret1234 
user password must be atleast 8 characters
N7K-1(config)# snmp-server user SNMPadmin auth md5 admin1234 priv aes-128 secret1234

The password must be at least 8 characters. To enforce all SNMPv3 PDUs to be
authenticated and encrypted the following command is used.

N7K-1(config)# snmp-server globalEnforcePriv 
N7K-1(config)#

Now to see that it works.

N7K-1# sh snmp user
______________________________________________________________
                  SNMP USERS [global privacy flag enabled]
______________________________________________________________

User                          Auth  Priv(enforce) Groups                        
____                          ____  _____________ ______                        
daniel                        md5   des(no)       network-operator              

SNMPadmin                     md5   aes-128(no)   network-operator    

[Image: SNMPwalk2]

And there you have it. A basic look at the management setup of NX-OS. More
posts will follow.
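As an added example (my own code, not part of the post and not an NX-OS feature), a small audit over a constructed NX-OS running-config excerpt that flags the weaker management choices walked through above (Telnet enabled, an SNMPv2c community, SNMPv3 users without AES privacy or with MD5 authentication, globalEnforcePriv missing, no VTY session limit) and returns nothing for a hardened version. The running-config line formats are assumed from NX-OS output and the key material is placeholder text.

```python
import re

# Constructed NX-OS running-config excerpts (line formats assumed from NX-OS
# output, key material replaced by placeholders). WEAK keeps the shortcuts the
# post mentions; HARDENED is what the audit should pass without findings.
WEAK_CONFIG = """\
feature telnet
feature ssh
line vty
  session-limit 5
snmp-server community public group network-operator
snmp-server user daniel network-operator auth md5 0xPLACEHOLDER priv 0xPLACEHOLDER localizedkey
snmp-server user SNMPadmin network-operator auth md5 0xPLACEHOLDER priv aes-128 0xPLACEHOLDER localizedkey
"""

HARDENED_CONFIG = """\
feature ssh
line vty
  session-limit 5
snmp-server user SNMPadmin network-operator auth sha 0xPLACEHOLDER priv aes-128 0xPLACEHOLDER localizedkey
snmp-server globalEnforcePriv
"""

SNMP_USER_RE = re.compile(r"snmp-server user (\S+) .*\bauth (md5|sha)\b")


def vty_has_session_limit(lines):
    """True if a session-limit is configured inside the 'line vty' block."""
    in_vty = False
    for line in lines:
        if line == "line vty":
            in_vty = True
        elif in_vty and line.startswith(" "):
            if line.strip().startswith("session-limit"):
                return True
        else:
            in_vty = False
    return False


def audit_management(config):
    """Return finding codes for management-plane weaknesses in a running-config."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []
    if "feature telnet" in lines:
        findings.append("TELNET_ENABLED")  # cleartext logins; SSH is on by default
    for line in lines:
        m = re.match(r"snmp-server community (\S+)", line)
        if m:
            # v1/v2c community strings travel in the clear
            findings.append(f"SNMP_V2C_COMMUNITY {m.group(1)}")
        m = SNMP_USER_RE.match(line)
        if m:
            user, auth = m.groups()
            if "priv aes-128" not in line:
                # either DES privacy or no privacy at all
                findings.append(f"SNMPV3_WEAK_PRIV {user}")
            if auth == "md5":
                # the CLI offers sha as well; prefer it
                findings.append(f"SNMPV3_MD5_AUTH {user}")
    if "snmp-server globalEnforcePriv" not in lines:
        # without it, authenticated-but-unencrypted PDUs are still accepted
        findings.append("GLOBAL_ENFORCE_PRIV_MISSING")
    if not vty_has_session_limit(lines):
        findings.append("VTY_SESSION_LIMIT_MISSING")
    return findings
```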

Categories: NX-OS

200k views

April 23, 2013 10 comments

This blog has now seen 200k views since I started it. It started out slow but after a year
or so it gained some pace. The blog started out describing my journey to the CCIE which I
accomplished 6 months ago.

In the future I will try to blog more about datacenter technologies like CSR and Nexus1kv.
If you have something you want covered post in comments and I’ll have a look at it. Thanks
for reading!

Daniel Dib
CCIE #37149

Categories: Announcement

Connecting Cisco CSR1000v to Dynamips

April 18, 2013 2 comments

As we all know Cisco recently released the CSR1000v. This post will describe how
to create a home lab consisting of Dynamips and CSR1000v running on ESXi.
You should already have deployed the CSR and have a Dynamips box ready. I will
use Ubuntu for my Dynamips machine but you can choose whatever OS you like.

So to start you should have ESXi 5.0. If you have an enterprise version of ESX
that is great but I don’t so I’m using ESXi. I am managing it via the vSphere client.

To install the CSR you can go to the Cisco CSR config guide or read the guide by Brian Dennis at INE.

I have installed Ubuntu desktop 12.10 64-bit version. You will need some tools to
have a good setup. I recommend you install the following:

Dynamips
Dynagen
XRDP
Wireshark
Gnome-fallback
Vmware tools
Screen

sudo apt-get install dynamips
sudo apt-get install dynagen
sudo apt-get install xrdp
sudo apt-get install wireshark
sudo apt-get install open-vm-tools
sudo apt-get install screen
sudo apt-get install gnome-session-fallback
cd ~
touch .xsession
echo gnome-session --session=gnome-fallback > .xsession

You can then use RDP to connect to the Ubuntu machine. If you don’t need the graphics you
can use SSH as usual.

I will put together a topology that looks like this:

[Image: CSR_physical]

As you can see I will be using 3 VLANs. One VLAN is for managing the devices.
I can log in to the CSRs and the Dynamips routers from this network. The CSRs
use GigabitEthernet0 by default as the management interface, which is placed
in the VRF Mgmt-intf.

You can use a dedicated vSwitch or create the VLANs on the standard vSwitch. I have
just created VLANs in the regular vSwitch. You configure this under Inventory -> Configuration
-> Networking -> Add networking.

[Image: Vmware1_configuration]

[Image: Vmware2_networking]

After clicking “Add Networking” choose connection type “Virtual machine”.

[Image: Vmware3_Connection_type]

Choose an existing vSwitch or create a new one if you wish.

[Image: Vmware4_Network_access]

Then choose the name for your network and assign a VLAN ID to it. You can use the same
numbers I did or choose something else.

[Image: Vmware5_Connection_settings]

Finish the guide and the new network will be present. We want to edit a setting
for the networks that will connect to Dynamips. We want to set the port group to
promiscuous mode so that CDP frames and other traffic not destined to the VM can
arrive at the VMs. This will create some overhead but shouldn’t be an issue in
a lab network. Click “Properties…” for the vSwitch.

[Image: Vmware6_vSwitch_properties]

Select the network and choose “Edit…”, then under the Security tab set
“Promiscuous Mode:” to Accept.

[Image: Vmware7_Security]

After creating all the networks they need to be assigned to the virtual machines.
For the CSRs the GigabitEthernet0 will be assigned to the MGMT network and Gi1 to
CSR to Dynamips 1 and Gi2 to CSR to Dynamips2.

Right click the VM and choose “Edit Settings…”. The NICs should be assigned like this:

[Image: Vmware8_VM_properties]

Do the same also for the Dynamips VM. In theory there should now be connectivity.
We will use a topology that looks like this:

[Image: CSR_logical]

We need to create a .net file that can be used to build this topology.
5 routers will be running in Dynamips so 1 or 2 hypervisors should be enough.
As usual you need to find a suitable Idle-PC value for your topology. My .net
file looks like this.

autostart = False
[127.0.0.1:7200]
    workingdir = /home/daniel/dynamips/working/CSR
    udp = 10000
    [[7200]]
        image = /home/daniel/IOS/c7200-adventerprisek9-mz.150-1.M1.bin-unpacked
        ram = 256
        idlepc = 0x628cc49c
        ghostios = True
    [[ROUTER R1]]
        model = 7200
        console = 20061
        f1/0 = R2 f1/0
        f1/1 = R3 f1/0
        f2/0 = nio_gen_eth:eth1
    [[ROUTER R2]]
        model = 7200
        console = 2002
        f1/0 = R1 f1/0
        f1/1 = R4 f1/0
    [[ROUTER R3]]
        model = 7200
        console = 2003
        f1/0 = R1 f1/1
        f1/1 = R4 f1/1
    [[ROUTER R4]]
        model = 7200
        console = 2004
        f1/0 = R2 f1/1
        f1/1 = R3 f1/1
    [[ROUTER R5]]
        model = 7200
        console = 2005
        f1/0 = nio_gen_eth:eth2

The only thing special here is that R1 and R5 are connecting to the outside
world. By using the generic NIO descriptor we are connecting to the Ethernet
interfaces leading to the VM networks.
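As an added example (my own code, not part of the post and not dynagen’s own parser), a checker for the link lines in a .net file: it reads the [[ROUTER …]] sections and reports any link that is not declared the same way on both routers, or any port that two different routers both claim, which is an easy mistake to make when typing the file by hand. The .net text below is constructed for the example and deliberately contains one such R3/R4 mismatch; nio_gen_eth links to the host NICs are accepted as one-sided.

```python
import re
from collections import defaultdict

# Constructed dynagen .net excerpt in the same layout as the post's file, with a
# deliberately asymmetric R3/R4 link (R3 points at R4 f1/0, which R2 already uses).
SAMPLE_NET = """\
autostart = False
[127.0.0.1:7200]
    workingdir = /tmp/dynamips
    [[7200]]
        image = /path/to/c7200-image.bin
    [[ROUTER R1]]
        model = 7200
        f1/0 = R2 f1/0
        f1/1 = R3 f1/0
        f2/0 = nio_gen_eth:eth1
    [[ROUTER R2]]
        f1/0 = R1 f1/0
        f1/1 = R4 f1/0
    [[ROUTER R3]]
        f1/0 = R1 f1/1
        f1/1 = R4 f1/0
    [[ROUTER R4]]
        f1/0 = R2 f1/1
        f1/1 = R3 f1/1
    [[ROUTER R5]]
        f1/0 = nio_gen_eth:eth2
"""

ROUTER_RE = re.compile(r"^\s*\[\[ROUTER\s+(\S+)\]\]\s*$")
# slot/port = peer-router peer-interface   or   slot/port = nio_...:device
LINK_RE = re.compile(r"^\s*([a-z]+\d+/\d+)\s*=\s*(\S+)(?:\s+(\S+))?\s*$", re.I)


def parse_links(net_text):
    """Map (router, interface) to its declared peer: (router, interface) for a
    router-to-router link, or ('nio', descriptor) for a link to a host NIC."""
    links = {}
    router = None
    for line in net_text.splitlines():
        m = ROUTER_RE.match(line)
        if m:
            router = m.group(1)
            continue
        if line.strip().startswith("[["):  # a non-router section such as [[7200]]
            router = None
            continue
        m = LINK_RE.match(line)
        if m and router:
            iface, target, target_iface = m.groups()
            if target.startswith("nio_"):
                links[(router, iface)] = ("nio", target)
            elif target_iface:
                links[(router, iface)] = (target, target_iface)
    return links


def check_links(links):
    """Report links not declared the same way on both ends, and ports claimed by
    more than one peer; an empty list means the topology is consistent."""
    problems = []
    claimed = defaultdict(list)
    for (router, iface), peer in links.items():
        if peer[0] == "nio":
            continue
        back = links.get(peer)
        if back != (router, iface):
            problems.append(f"{router} {iface} -> {peer[0]} {peer[1]}, "
                            f"but {peer[0]} {peer[1]} -> {back}")
        claimed[peer].append((router, iface))
    for (prouter, piface), claimers in claimed.items():
        if len(claimers) > 1:
            problems.append(f"{prouter} {piface} is claimed by {sorted(claimers)}")
    return problems
```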

It’s time to start the Dynamips process. I will use screen because I want to
keep the process running even if I disconnect my session.

daniel@Dynamips:~/.gns3$ sudo screen -mS dynamips dynamips -H 7200 &
daniel@Dynamips:~/.gns3$ dynagen CSR3.net

I have started all devices so I should be able to reach them and configure them now.

I will configure routers R1-R4 to run OSPF. R4 will announce its loopback 4.4.4.4
and this should be reachable from R5 on the other side of the network.
R1 will run BGP to both CSR1 and 2. This is the configuration applied to R1.

interface FastEthernet1/0
 ip address 12.12.12.1 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
 !
!
interface FastEthernet1/1
 ip address 13.13.13.1 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
 !
!
interface FastEthernet2/0
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
 !
!
interface FastEthernet2/1
 no ip address
 shutdown
 duplex auto
 speed auto
 !
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 redistribute bgp 1 subnets
!
router bgp 1
 no synchronization
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 redistribute ospf 1
 neighbor 10.10.10.11 remote-as 100
 neighbor 10.10.10.12 remote-as 100
 no auto-summary

The configuration for the CSRs is very simple.

interface GigabitEthernet1
 ip address 10.10.10.11 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 ip address 20.20.20.1 255.255.255.0
 ip ospf 1 area 0
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address dhcp
 negotiation auto
!
router ospf 1
 redistribute bgp 100 subnets
!
router bgp 100
 bgp log-neighbor-changes
 redistribute ospf 1
 neighbor 10.10.10.1 remote-as 1

CSR2 only has different addressing. Now do we see any routes?

CSR1#sh bgp ipv4 uni
BGP table version is 7, local router ID is 20.20.20.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  4.4.4.4/32       10.10.10.1               3             0 1 ?
 *>  12.12.12.0/24    10.10.10.1               0             0 1 ?
 *>  13.13.13.0/24    10.10.10.1               0             0 1 ?
 *>  20.20.20.0/24    0.0.0.0                  0         32768 ?
 *>  24.24.24.0/24    10.10.10.1               2             0 1 ?
 *>  34.34.34.0/24    10.10.10.1               2             0 1 ?

Looks good. Now let’s just verify that R5 sees them as well.

R5#sh ip route ospf | be Gate
Gateway of last resort is not set

      4.0.0.0/32 is subnetted, 1 subnets
O E2     4.4.4.4 [110/1] via 20.20.20.2, 00:03:33, FastEthernet1/0
                 [110/1] via 20.20.20.1, 00:05:18, FastEthernet1/0
      12.0.0.0/24 is subnetted, 1 subnets
O E2     12.12.12.0 [110/1] via 20.20.20.2, 00:03:33, FastEthernet1/0
                    [110/1] via 20.20.20.1, 00:05:18, FastEthernet1/0
      13.0.0.0/24 is subnetted, 1 subnets
O E2     13.13.13.0 [110/1] via 20.20.20.2, 00:03:33, FastEthernet1/0
                    [110/1] via 20.20.20.1, 00:05:18, FastEthernet1/0
      24.0.0.0/24 is subnetted, 1 subnets
O E2     24.24.24.0 [110/1] via 20.20.20.2, 00:03:33, FastEthernet1/0
                    [110/1] via 20.20.20.1, 00:05:18, FastEthernet1/0
      34.0.0.0/24 is subnetted, 1 subnets
O E2     34.34.34.0 [110/1] via 20.20.20.2, 00:03:33, FastEthernet1/0
                    [110/1] via 20.20.20.1, 00:05:18, FastEthernet1/0

ECMP is in effect since the cost is the same to both ASBRs.
The final test is to ping 4.4.4.4.

R5#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/24 ms

And it works! Pretty cool stuff. So now we have a lab with both IOS and IOS-XE.
If we had real switches we could throw this into the topology as well.
If you have enterprise ESX you could even practice Nexus with N1kv image.
So you see that we can build some great topologies here.

This does take some computing power, mostly RAM. If I check ESXi I see that
the Ubuntu box is using around 2GHz of CPU and about 2GB of RAM. The CSRs are each
using 750MHz of CPU and 3GB of RAM. So in total you are looking at around 4GHz of CPU
and 8GB of RAM. It is doable on a well equipped laptop.

Categories: Dynamips, IOS-XE

Network articles for CCNA students – First one out IP ACLs

April 12, 2013 1 comment

Hey everyone,

As most of my readers know by now I like to help people get started with their
careers and help them along with their studies. I’ve been quite active on the
Cisco Learning Network lately and also I have now started to write technical
articles to prepare students for the CCNA. These articles will be published
by Intense School which is a training company.

Most of you here might already be past CCNA level but I’ll link to my articles
anyway in case you want to read them or if you have friends studying for the CCNA.

The first one is about IP access-lists and you can find it at Intense school.

Categories: Announcement