In the comments I received a wish to compare RPVST+ with MST.
RPVST+ is Cisco's proprietary STP, running one instance per VLAN over
802.1Q trunks. MST is an industry standard which can run multiple
instances, but not one per VLAN. MST runs RSTP as its underlying
protocol, so in theory there should be no difference at all. Let's
give it a try. The topology is very similar to last time but a couple
of extra routers are involved. We'll get back to these later.
These are the current port roles:
I have just put some basic MST configuration and NTP on the switches.
    SW3(config)#ntp server 22.214.171.124
    SW3(config)#span mode mst
    SW3(config)#span mst 0 prio 16384
    SW3(config)#span mst 1 prio 16384
    SW3(config)#span mst conf
    SW3(config-mst)#name TST
    SW3(config-mst)#revision 1
Verify initial reachability between the routers.
    R1#ping 126.96.36.199
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 188.8.131.52, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    R2#ping 184.108.40.206
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 220.127.116.11, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Now let's shut down Gi0/21 on SW3, the link leading to SW2's root port.
Debug spanning-tree events will show the sequence of events.
    May 7 20:32:18.975: MST: Fa0/21 state change forwarding -> disabled
    May 7 20:32:18.975: MST: updt roles, root port Fa0/21 going down
    May 7 20:32:18.975: MST: Fa0/23 is now root port
    May 7 20:32:18.975: MST: Fa0/21 state change disabled -> blocking
    May 7 20:32:18.975: MST: Fa0/23 state change blocking -> forwarding
    May 7 20:32:18.979: MST: sending proposal on Fa0/3
    May 7 20:32:18.983: MST: sending proposal on Fa0/5
The switchover is immediate, as expected. Now let's try to simulate a passive
failure, where the link stays up but BPDUs stop arriving, by enabling BPDU filter on SW3.
    SW3(config-if)#span bpdufilter enable
    SW3(config-if)#do sh clock
    20:36:14.354 UTC Tue May 7 2013
This is from SW2:
    May 7 20:36:20.008: MST: updt roles, information on root port Fa0/21 expired
    May 7 20:36:20.008: MST: Fa0/23 is now root port
    May 7 20:36:20.008: MST: Fa0/21 state change forwarding -> blocking
    May 7 20:36:20.008: MST: Fa0/3 state change forwarding -> blocking
    May 7 20:36:20.008: MST: Fa0/5 state change forwarding -> blocking
    May 7 20:36:20.008: MST: Fa0/23 state change blocking -> forwarding
    May 7 20:36:20.008: MST: Fa0/21 is now designated
    May 7 20:36:20.012: MST: sending proposal on Fa0/21
    May 7 20:36:20.012: MST: sending proposal on Fa0/3
    May 7 20:36:20.012: MST: sending proposal on Fa0/5
So it took roughly 6 seconds, which was expected: RSTP ages out the root port
information after three missed hellos at the default 2-second interval. Because MST runs
RSTP the results are exactly the same. The only thing that's really different
with MST is that the BPDUs of all instances are piggybacked in the CIST (instance 0)
BPDU. If you have VLANs mapped to instance 0 and there is a change then the other
instances may have to recalculate as well.
So using MST is no different from using RPVST+ from a convergence standpoint.
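To put a number on the "roughly 6 seconds" without reading timestamps by hand, here is a small timeline check over the SW2 debug output quoted above. It is an added example, not part of the original post: it takes the moment the BPDU filter was enabled (the `do sh clock` output on SW3) as the reference, finds the first "is now root port" event in the debug lines, and compares the delay with the RSTP max-age budget of three hello intervals. The year and the hello interval are assumptions (2013 from the clock output, 2 seconds as the default), and because the reference clock is on SW3 while the debug is from SW2 the comparison relies on both being NTP-synced, which the post set up.

```python
"""Timeline check for MST/RSTP debug output: how long after BPDUs stop
does the root port move?  Added example, not part of the original post."""
import re
from datetime import datetime

# The SW2 'debug spanning-tree events' lines quoted in the post, embedded
# inline so the script runs offline.
SW2_DEBUG = """\
May 7 20:36:20.008: MST: updt roles, information on root port Fa0/21 expired
May 7 20:36:20.008: MST: Fa0/23 is now root port
May 7 20:36:20.008: MST: Fa0/21 state change forwarding -> blocking
May 7 20:36:20.008: MST: Fa0/3 state change forwarding -> blocking
May 7 20:36:20.008: MST: Fa0/5 state change forwarding -> blocking
May 7 20:36:20.008: MST: Fa0/23 state change blocking -> forwarding
May 7 20:36:20.008: MST: Fa0/21 is now designated
May 7 20:36:20.012: MST: sending proposal on Fa0/21
"""
# 'do sh clock' on SW3 right after 'span bpdufilter enable'.  Both switches
# run NTP, so the two clocks are assumed comparable to within a few ms.
FILTER_ENABLED_AT = "May 7 20:36:14.354"
YEAR = 2013  # debug timestamps carry no year; taken from 'sh clock'

LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\.\d{3}): MST: (.*)$")
ROOT_RE = re.compile(r"^(\S+) is now root port$")
STATE_RE = re.compile(r"^(\S+) state change (\w+) -> (\w+)$")


def parse_ts(stamp, year=YEAR):
    """Turn 'May 7 20:36:14.354' into a datetime (year supplied separately)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S.%f")


def analyse(debug_text, reference_stamp, hello_s=2.0):
    """Measure failover time from the moment BPDUs stopped (reference_stamp)
    to the first 'is now root port' event, and list all state changes.

    RSTP/MST ages out root-port information after 3 missed hellos, so with
    the default 2-second hello the expected worst case is about 6 seconds.
    The last BPDU may have arrived up to one hello before the reference
    stamp, so a measured value somewhat below 6 s is normal."""
    ref = parse_ts(reference_stamp)
    result = {"new_root_port": None, "failover_s": None,
              "expected_max_age_s": 3 * hello_s, "transitions": []}
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        r = ROOT_RE.match(msg)
        if r and result["new_root_port"] is None:
            result["new_root_port"] = r.group(1)
            result["failover_s"] = round((ts - ref).total_seconds(), 3)
        s = STATE_RE.match(msg)
        if s:
            result["transitions"].append((s.group(1), s.group(2), s.group(3)))
    result["within_max_age"] = (result["failover_s"] is not None
                                and 0 <= result["failover_s"] <= result["expected_max_age_s"])
    return result


if __name__ == "__main__":
    r = analyse(SW2_DEBUG, FILTER_ENABLED_AT)
    print(f"new root port {r['new_root_port']} after {r['failover_s']} s "
          f"(max age {r['expected_max_age_s']} s, ok={r['within_max_age']})")
    for port, old, new in r["transitions"]:
        print(f"  {port}: {old} -> {new}")
```

Run against the lines above it reports Fa0/23 becoming root port 5.654 s after the filter was enabled, inside the 6-second budget, and shows the designated ports Fa0/3 and Fa0/5 dropping to blocking during sync, which is the part of the log that is easy to miss when only the root port is being watched.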
In future posts I will look at running a mix of RPVST+ and MST and see how
Many of us CCIE RS candidates have used Ruhann's RS handbook to
aid us in passing the CCIE lab. Ruhann has now released an SP handbook
as well to aid all SP candidates.
Who is Ruhann?
Ruhann du Plessis, 2x CCIE #24163 (RS, SP), is an experienced engineer
who designs and works with large MPLS VPN networks, intra/inter-AS
routing, large data centers and so on.
The book was written to be used as a kind of quick reference. You
will find both theory and, most importantly, config sets that describe
how to configure the different features. Relevant show commands
and how to troubleshoot are also shown, which is really good. Links
to the DOCCD are included as well, so that it becomes easy to find where all
features are located.
The book starts by describing a feature/protocol with some theory and
facts, often in bullet point form. At the top of the page there is a
reference to the DOCCD to find the relevant feature. Then the config set
shows how to configure the feature, and finally show commands and how
to troubleshoot are shown at the end of the section. There is also a
reference to the relevant RFCs describing the features/protocols.
From what I’ve seen this book looks great! The RS book is a great help
in passing the RS lab and now there is an equally good book to help
in passing the SP lab as well.
I really like to use the book as a reference. It's sometimes easier to
find the information in the handbook than going to the Cisco documentation.
The config sets are even better than what is shown in the Cisco docs.
There is a sample of the SP handbook available here.
To buy it go to Ruhann's site. It's only $98.
I'm trying to learn more about Cisco's datacenter products and obviously NX-OS is a
big part of that. I'll do some blog posts to introduce anyone not familiar with
NX-OS to it, and that will help me with the learning as well.
One important thing to know about NX-OS is that features are selectively enabled.
This means that if you are not running OSPF then there is no need to have that
process running. We can check what features are running.
    N7K-1# sh feature | ex not | grep enabled
    hsrp_engine            1          enabled
    sshServer              1          enabled
    vtp                    1          enabled
As you can see NX-OS has some nice features like grep, which is a nice addition
compared to regular IOS. There are also additional output filters such as sort, count
and counting unique instances.
    N7K-1# sh feature | ex not | grep enabled | count
    3
By default Telnet is not enabled, which is good; it's more secure to use SSH.
If we want to add it we can do so with the feature command.
    N7K-1(config)# feature telnet
    N7K-1# sh feature | grep telnet
    telnetServer           1          enabled
In regular IOS we limit the number of VTY sessions with the line vty command.
In NX-OS the session-limit command is used instead.
    N7K-1# conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    N7K-1(config)# line vty
    N7K-1(config-line)# session-limit 5
SSH is enabled by default. A crypto key should already be generated, or you can generate
a new one (1024-bit RSA, as below, is on the short side today; 2048 bits is the usual recommendation).
    N7K-1(config)# ssh key rsa 1024 force
    deleting old rsa key.....
    generating rsa key(1024 bits).....
    .
    generated rsa key
With the show users command we can see from which TTYs the users are logged in.
    N7K-1# sh users
    NAME     LINE         TIME         IDLE    PID COMMENT
    admin    pts/0        Apr 30 05:22   .   21294 (10.20.30.200)
    admin    pts/1        Apr 30 05:28   .   21845 (10.20.30.200) session=ssh *
When logging in to an NX-OS device the user goes straight to exec mode; there
is no need to enable. There are 4 different types of accounts (roles) available in NX-OS.
- network-admin—Complete read-and-write access to the entire Cisco NX-OS device (only available in the default VDC)
- network-operator—Complete read access to the entire Cisco NX-OS device (only available in the default VDC)
- vdc-admin—Read-and-write access limited to a VDC
- vdc-operator—Read access limited to a VDC
This makes it easy to create users that should have only read access.
    N7K-1(config)# username daniel password daniel role network-operator
    login: daniel
    Password:
    Last login: Mon Apr 29 18:56:23 from 10.20.30.200
    Cisco NX-OS Software
    N7K-1# conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    N7K-1(config)# router ospf 1
    % Permission denied for the role
    N7K-1(config)#
SNMP should be enabled for network management. SNMP version 2C or 3 can
    N7K-1(config)# snmp-server community public ro
    N7K-1# show snmp community
    Community   Group / Access     context   acl_filter
    ---------   --------------     -------   ----------
    public      network-operator
For a more secure SNMP setup version 3 should be used. SNMPv3 can be set up to use
authentication or authentication and encryption. By default the users we create
are created as SNMP users as well, which makes the configuration simple.
    N7K-1# show snmp user
    ______________________________________________________________
                             SNMP USERS
    ______________________________________________________________
    User        Auth   Priv(enforce)   Groups
    ____        ____   _____________   ______
    daniel      md5    des(no)         network-operator
New users can be created as well.
    N7K-1# conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    N7K-1(config)# snmp-server user SNMPadmin ?
      WORD  Group name (ignored for notif target user) (Max Size 28)
      auth  Authentication parameters for the user
    N7K-1(config)# snmp-server user SNMPadmin auth ?
      md5  Use HMAC MD5 algorithm for authentication
      sha  Use HMAC SHA algorithm for authentication
    N7K-1(config)# snmp-server user SNMPadmin auth md5 ?
      WORD  Authentication password for user (Max Size 130)
    N7K-1(config)# snmp-server user SNMPadmin auth md5 admin ?
      engineID      EngineID for configuring notif target user (for V3 informs)
      localizedkey  Specifies whether the passwords are in localized key format
      priv          Encryption parameters for the user
    N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv ?
      WORD     Privacy password for user (Max Size 130)
      aes-128  Use 128-bit AES algorithm for privacy
    N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv aes-128 ?
      WORD  Privacy password for user (Max Size 130)
    N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv aes-128 secret ?
      engineID      EngineID for configuring notif target user (for V3 informs)
      localizedkey  Specifies whether the passwords are in localized key format
    N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv aes-128 secret
    user password must be atleast 8 characters
    N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv aes-128 secret1234
    user password must be atleast 8 characters
    N7K-1(config)# snmp-server user SNMPadmin auth md5 admin1234 priv aes-128 secret1234
The password must be at least 8 characters. To enforce that all SNMPv3 PDUs are
authenticated and encrypted, the following command is used.
    N7K-1(config)# snmp-server globalEnforcePriv
    N7K-1(config)#
Now to see that it works.
    N7K-1# sh snmp user
    ______________________________________________________________
                   SNMP USERS [global privacy flag enabled]
    ______________________________________________________________
    User        Auth   Priv(enforce)   Groups
    ____        ____   _____________   ______
    daniel      md5    des(no)         network-operator
    SNMPadmin   md5    aes-128(no)     network-operator
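The three show commands used in this post (show feature, show snmp community and show snmp user) are exactly what an operator would collect to check the management plane of a box, so here is a small audit script over them. It is an added example, not from the post or from Cisco: the sample outputs are constructed to mirror the ones above (with telnetServer enabled so the checker has something to flag), the column widths are assumed, and the checks themselves come from this post (Telnet off, SSH on, privacy enforced globally) plus two facts not on the page, that md5/des are weaker than sha/aes-128 and that "public" is a well-known community string.

```python
"""Audit of NX-OS management state from 'show feature', 'show snmp
community' and 'show snmp user' output.  Added example, not from the post
or from Cisco; the sample outputs below are constructed to mirror the
post's (telnet enabled on purpose so the checker has something to flag)."""
import re

SHOW_FEATURE = """\
hsrp_engine            1          enabled
sshServer              1          enabled
telnetServer           1          enabled
vtp                    1          enabled
"""
SHOW_SNMP_COMMUNITY = """\
Community   Group / Access     context   acl_filter
---------   --------------     -------   ----------
public      network-operator
"""
SHOW_SNMP_USER = """\
______________________________________________________________
                         SNMP USERS
______________________________________________________________
User        Auth   Priv(enforce)   Groups
____        ____   _____________   ______
daniel      md5    des(no)         network-operator
SNMPadmin   md5    aes-128(no)     network-operator
"""
GLOBAL_PRIV_BANNER = "[global privacy flag enabled]"  # shown after globalEnforcePriv

FEATURE_RE = re.compile(r"^(\S+)\s+\d+\s+(enabled|disabled)$")
USER_RE = re.compile(r"^(\S+)\s+(\S+)\s+([\w-]+)(?:\((yes|no)\))?\s+(\S+)$")
WEAK_AUTH, WEAK_PRIV = {"md5"}, {"des"}
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_features(text):
    """Return {feature: 'enabled'|'disabled'} from 'show feature' output."""
    feats = {}
    for line in text.splitlines():
        m = FEATURE_RE.match(line.strip())
        if m:
            feats[m.group(1)] = m.group(2)
    return feats


def parse_communities(text):
    """Return the community names from 'show snmp community' output."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("Community", "-")):
            names.append(line.split()[0])
    return names


def parse_snmp_users(text):
    """Return (global_priv_enforced, [user dicts]) from 'show snmp user'."""
    enforced = GLOBAL_PRIV_BANNER in text
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "_-" or line.startswith("User "):
            continue
        m = USER_RE.match(line)
        if m:
            users.append({"name": m.group(1), "auth": m.group(2).lower(),
                          "priv": m.group(3).lower(),
                          "enforce": m.group(4) == "yes", "group": m.group(5)})
    return enforced, users


def audit(feature_out, snmp_user_out, community_out):
    """Return a list of human-readable findings; empty means nothing to fix."""
    findings = []
    feats = parse_features(feature_out)
    if feats.get("telnetServer") == "enabled":
        findings.append("telnetServer is enabled: cleartext logins; "
                        "use 'no feature telnet' and keep sshServer")
    for name in parse_communities(community_out):
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"SNMP community '{name}' is a well-known default string")
    enforced, users = parse_snmp_users(snmp_user_out)
    for u in users:
        if not (enforced or u["enforce"]):
            findings.append(f"SNMPv3 user {u['name']}: privacy not enforced, "
                            "unencrypted requests accepted (snmp-server globalEnforcePriv)")
        if u["auth"] in WEAK_AUTH:
            findings.append(f"SNMPv3 user {u['name']}: auth {u['auth']} is weak, prefer sha")
        if u["priv"] in WEAK_PRIV:
            findings.append(f"SNMPv3 user {u['name']}: priv {u['priv']} is weak, prefer aes-128")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_FEATURE, SHOW_SNMP_USER, SHOW_SNMP_COMMUNITY):
        print("-", finding)
```

On the constructed sample the script reports seven findings; feeding it the post-globalEnforcePriv output (banner present) drops the two "privacy not enforced" lines while the weak-algorithm and community findings remain, which matches the point of the post: the global flag fixes enforcement, but the users created with md5/des are still worth recreating with sha and aes-128.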
And there you have it. A basic look at the management setup of NX-OS. More
posts will follow.
This blog has now seen 200k views since I started it. It started out slow but after a year
or so it gained some pace. The blog started out describing my journey to the CCIE which I
accomplished 6 months ago.
In the future I will try to blog more about datacenter technologies like CSR and Nexus1kv.
If you have something you want covered post in comments and I’ll have a look at it. Thanks
As we all know Cisco recently released the CSR1000v. This post will describe how
to create a home lab consisting of Dynamips and CSR1000v running on ESXi.
You should already have deployed the CSR and have a Dynamips box ready. I will
use Ubuntu for my Dynamips machine but you can choose whatever OS you like.
So to start you should have ESXi 5.0. If you have an enterprise version of ESX
that is great but I don’t so I’m using ESXi. I am managing it via the vSphere client.
I have installed Ubuntu desktop 12.10 64-bit version. You will need some tools to
have a good setup. I recommend you install the following:
    sudo apt-get install dynamips
    sudo apt-get install dynagen
    sudo apt-get install xrdp
    sudo apt-get install wireshark
    sudo apt-get install open-vm-tools
    sudo apt-get install screen
    sudo apt-get install gnome-session-fallback
    cd ~
    touch .xsession
    echo gnome-session --session=gnome-fallback > .xsession
You can then use RDP to connect to the Ubuntu machine. If you don't need the graphics you
can use SSH as usual.
I will put together a topology that looks like this:
As you can see I will be using 3 VLANs. One VLAN is for managing the devices.
I can log in to the CSRs and the Dynamips routers from this network. The CSRs
use GigabitEthernet0 by default as a management interface, which is placed
in the VRF Mgmt-intf.
You can use a dedicated vSwitch or create the VLANs on the standard vSwitch. I have
just created VLANs in the regular vSwitch. You configure this under Inventory -> Configuration
-> Networking -> Add networking
After clicking “Add Networking” choose connection type “Virtual machine”
Choose an existing vSwitch or create a new one if you wish.
Then choose the name for your network and assign a VLAN ID to it. You can use the same
numbers I did or choose something else.
Finish the guide and the new network will be present. We want to edit a setting
for the networks that will connect to Dynamips. We want to set the port group to
promiscuous mode so that CDP frames and other traffic not destined to the VM can
arrive at the VMs. This will create some overhead but shouldn't be an issue in
a lab network. Click "Properties…" for the vSwitch.
Select the network and choose "Edit…", then under the Security tab set
"Promiscuous Mode:" to Accept.
After creating all the networks they need to be assigned to the virtual machines.
For the CSRs, GigabitEthernet0 will be assigned to the MGMT network, Gi1 to
"CSR to Dynamips 1" and Gi2 to "CSR to Dynamips 2".
Right click the VM and choose “Edit Settings…”. The NICs should be assigned like this:
Do the same also for the Dynamips VM. In theory there should now be connectivity.
We will use a topology that looks like this:
We need to create a .net file that can be used to create this topology.
5 routers will be running in Dynamips so 1 or 2 hypervisors should be enough.
As usual you need to find a suitable Idle-PC value for your topology. My .net
looks like this.
    autostart = False
    [127.0.0.1:7200]
    workingdir = /home/daniel/dynamips/working/CSR
    udp = 10000
    # platform defaults section (every router below is model 7200)
    [[7200]]
    image = /home/daniel/IOS/c7200-adventerprisek9-mz.150-1.M1.bin-unpacked
    ram = 256
    idlepc = 0x628cc49c
    ghostios = True
    [[ROUTER R1]]
    model = 7200
    console = 20061
    f1/0 = R2 f1/0
    f1/1 = R3 f1/0
    f2/0 = nio_gen_eth:eth1
    [[ROUTER R2]]
    model = 7200
    console = 2002
    f1/0 = R1 f1/0
    f1/1 = R4 f1/0
    [[ROUTER R3]]
    model = 7200
    console = 2003
    f1/0 = R1 f1/1
    # R4 f1/0 is already taken by R2 f1/1; R4 declares this link on its f1/1
    f1/1 = R4 f1/1
    [[ROUTER R4]]
    model = 7200
    console = 2004
    f1/0 = R2 f1/1
    f1/1 = R3 f1/1
    [[ROUTER R5]]
    model = 7200
    console = 2005
    f1/0 = nio_gen_eth:eth2
The only thing special here is that R1 and R5 are connecting to the outside
world. By using the generic NIO descriptor we are connecting to the Ethernet
interfaces leading to the VM networks.
It’s time to start the Dynamips process. I will use screen because I want to
keep the process running even if I disconnect my session.
    daniel@Dynamips:~/.gns3$ sudo screen -mS dynamips dynamips -H 7200 &
    daniel@Dynamips:~/.gns3$ dynagen CSR3.net
I have started all devices so I should be able to reach them and configure them now.
I will configure routers R1-R4 to run OSPF. R4 will announce its loopback 18.104.22.168
and this should be reachable from R5 on the other side of the network.
R1 will run BGP to both CSR1 and 2. This is the configuration applied to R1.
    interface FastEthernet1/0
     ip address 22.214.171.124 255.255.255.0
     ip ospf 1 area 0
     duplex auto
     speed auto
    !
    interface FastEthernet1/1
     ip address 126.96.36.199 255.255.255.0
     ip ospf 1 area 0
     duplex auto
     speed auto
    !
    interface FastEthernet2/0
     ip address 10.10.10.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet2/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    router ospf 1
     router-id 188.8.131.52
     log-adjacency-changes
     redistribute bgp 1 subnets
    !
    router bgp 1
     no synchronization
     bgp router-id 184.108.40.206
     bgp log-neighbor-changes
     redistribute ospf 1
     neighbor 10.10.10.11 remote-as 100
     neighbor 10.10.10.12 remote-as 100
     no auto-summary
Configuration for CSRs is very simple.
    interface GigabitEthernet1
     ip address 10.10.10.11 255.255.255.0
     negotiation auto
    !
    interface GigabitEthernet2
     ip address 220.127.116.11 255.255.255.0
     ip ospf 1 area 0
     negotiation auto
    !
    interface GigabitEthernet0
     vrf forwarding Mgmt-intf
     ip address dhcp
     negotiation auto
    !
    router ospf 1
     redistribute bgp 100 subnets
    !
    router bgp 100
     bgp log-neighbor-changes
     redistribute ospf 1
     neighbor 10.10.10.1 remote-as 1
CSR2 only has different addressing. Now do we see any routes?
    CSR1#sh bgp ipv4 uni
    BGP table version is 7, local router ID is 18.104.22.168
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found

         Network             Next Hop       Metric LocPrf Weight Path
     *>  22.214.171.124/32   10.10.10.1          3             0 1 ?
     *>  126.96.36.199/24    10.10.10.1          0             0 1 ?
     *>  188.8.131.52/24     10.10.10.1          0             0 1 ?
     *>  184.108.40.206/24   0.0.0.0             0         32768 ?
     *>  220.127.116.11/24   10.10.10.1          2             0 1 ?
     *>  18.104.22.168/24    10.10.10.1          2             0 1 ?
Looks good. Now let’s just verify that R5 sees them as well.
    R5#sh ip route ospf | be Gate
    Gateway of last resort is not set

          22.214.171.124/32 is subnetted, 1 subnets
    O E2     126.96.36.199 [110/1] via 188.8.131.52, 00:03:33, FastEthernet1/0
                           [110/1] via 184.108.40.206, 00:05:18, FastEthernet1/0
          220.127.116.11/24 is subnetted, 1 subnets
    O E2     18.104.22.168 [110/1] via 22.214.171.124, 00:03:33, FastEthernet1/0
                           [110/1] via 126.96.36.199, 00:05:18, FastEthernet1/0
          188.8.131.52/24 is subnetted, 1 subnets
    O E2     184.108.40.206 [110/1] via 220.127.116.11, 00:03:33, FastEthernet1/0
                            [110/1] via 18.104.22.168, 00:05:18, FastEthernet1/0
          22.214.171.124/24 is subnetted, 1 subnets
    O E2     126.96.36.199 [110/1] via 188.8.131.52, 00:03:33, FastEthernet1/0
                           [110/1] via 184.108.40.206, 00:05:18, FastEthernet1/0
          220.127.116.11/24 is subnetted, 1 subnets
    O E2     18.104.22.168 [110/1] via 22.214.171.124, 00:03:33, FastEthernet1/0
                           [110/1] via 126.96.36.199, 00:05:18, FastEthernet1/0
ECMP is in effect since the cost is the same to both ASBRs.
Final test is to ping 188.8.131.52.
    R5#ping 184.108.40.206
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 220.127.116.11, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/24 ms
And it works! Pretty cool stuff. So now we have a lab with both IOS and IOS-XE.
If we had real switches we could throw this into the topology as well.
If you have enterprise ESX you could even practice Nexus with N1kv image.
So you see that we can build some great topologies here.
This does take some computing power, mostly RAM. If I check ESXi I see that
the Ubuntu box is using around 2GHz CPU and about 2GB RAM. The CSRs are each
using 750MHz CPU and 3GB RAM. So in total you are looking at around 4GHz CPU
and 8GB RAM. It is doable on a well equipped laptop.
As most of my readers know by now I like to help people get started with their
careers and help them along with their studies. I’ve been quite active on the
Cisco Learning Network lately and also I have now started to write technical
articles to prepare students for the CCNA. These articles will be published
by Intense School which is a training company.
Most of you here might already be past CCNA level but I'll link to my articles
anyway in case you want to read them or if you have friends studying for the CCNA.
The first one is about IP access-lists and you can find it at Intense School.