Wednesday, July 30, 2008

today: Datacenter Switch Migration in a new RACK

No new topologies for today; the "exercise" is a real migration of switches in my actual datacenter environment.
The mission is to move the existing switches from the servers rack into a new dedicated Panduit rack (photos when finished, Panduit has great vertical/horizontal cable management!).

There are 2 x 4948 + 1 x 2960, really full: there are only 2 free ports!
In the new rack we will move 2 x existing 4948 + 3 x new 4948. In addition, two of these 4948s will be used only for the storage VLANs (iSCSI and NFS); these VLANs aren't routed, only L2.


Topology:



The first problem is how the existing switches, configured with standard 802.1D STP, will react when I add two new switches configured with RPVST+ (rapid STP, one instance per VLAN). Well, this is the detail of one VLAN on my production switches:

xxx#sh spanning-tree vlan 23 detail

VLAN0023 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 32768, sysid 23, address 0019.e79d.1b00
Configured hello time 2, max age 20, forward delay 15
Current root has priority 32791, address 0015.fa7c.3c80
Root port is 45 (GigabitEthernet1/45), cost of root path is 4
Topology change flag not set, detected flag not set
Number of topology changes 2071 last change occurred 2w6d ago
from GigabitEthernet1/27
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0, aging 300
OK, I will try to use a mixed STP environment, with 2 switches using traditional STP and 2 configured with RPVST+.
I'll test it in my own lab before going into the production system, because I want to know how the traditional STP switches react and how to avoid STP running on the storage VLANs (I don't want to destroy everything in production! ;-) )
So, this is the lab topology (but didn't I say "no new topologies for today"? ;-) a refresh of BCMSN!):

CON1 and CON2 will run 802.1D STP, CON3 and CON4 will run RPVST+. I'll activate the 2 links between CON2 and CON3 and debug spanning-tree on all 4 switches to see what happens.

Here is the configuration of the 4 switches:









CON1#
interface FastEthernet0/11
description Trunk CON1 <-> CON2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!
interface FastEthernet0/12
description Trunk CON1 <-> CON2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!
interface GigabitEthernet0/2
description Trunk CON1 <-> CON2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!

CON2#
interface FastEthernet0/3
description Trunk CON2 <-> CON3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
shutdown
!
interface FastEthernet0/4
description Trunk CON2 <-> CON3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
shutdown
!
interface FastEthernet0/11
description Trunk CON2 <-> CON1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!
interface FastEthernet0/12
description Trunk CON2 <-> CON1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!
interface GigabitEthernet0/2
description Trunk CON2 <-> CON1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!

CON3#
spanning-tree mode rapid-pvst
!
interface FastEthernet1/0/1
description Trunk CON3 <-> CON2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
shutdown
!
interface FastEthernet1/0/2
description Trunk CON3 <-> CON2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
shutdown
!
interface FastEthernet1/0/11
description Trunk CON3 <-> CON4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!
interface FastEthernet1/0/12
description Trunk CON3 <-> CON4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!

CON4#
spanning-tree mode rapid-pvst
!
interface FastEthernet1/0/11
description Trunk CON4 <-> CON3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!
interface FastEthernet1/0/12
description Trunk CON4 <-> CON3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!
CON1#sh spanning-tree summary
Switch is in pvst mode
Root bridge for: VLAN0001-VLAN0003
....
CON2#sh spanning-tree summary
Switch is in pvst mode
Root bridge for: none
....
CON3#sh spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0001-VLAN0003
....
CON4#sh spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: none
....



OK, now I enable debug spanning-tree events and bring up the links between CON2 and CON3:

CON2#
01:53:51: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
01:53:51: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
01:53:52: set portid: VLAN0001 Fa0/3: new port id 8003
01:53:52: STP: VLAN0001 Fa0/3 -> listening
01:53:52: set portid: VLAN0002 Fa0/3: new port id 8003
01:53:52: STP: VLAN0002 Fa0/3 -> listening
01:53:52: set portid: VLAN0003 Fa0/3: new port id 8003
01:53:52: STP: VLAN0003 Fa0/3 -> listening
01:53:52: set portid: VLAN0001 Fa0/4: new port id 8004
01:53.52: STP: VLAN0001 Fa0/4 -> listening
01:53:52: set portid: VLAN0002 Fa0/4: new port id 8004
01:53:52: STP: VLAN0002 Fa0/4 -> listening
01:53:52: set portid: VLAN0003 Fa0/4: new port id 8004
01:53:52: STP: VLAN0003 Fa0/4 -> listening
01:53:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
01:53:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up
01:53:56: STP: VLAN0001 Topology Change rcvd on Fa0/3
01:53:56: STP: VLAN0001 sent Topology Change Notice on Gi0/2
01:53:56: STP: VLAN0002 Topology Change rcvd on Fa0/3
01:53:56: STP: VLAN0002 sent Topology Change Notice on Gi0/2
01:53:56: STP: VLAN0003 Topology Change rcvd on Fa0/3
01:53:56: STP: VLAN0003 sent Topology Change Notice on Gi0/2
01:54:07: STP: VLAN0001 Fa0/3 -> learning
01:54:07: STP: VLAN0002 Fa0/3 -> learning
01:54:07: STP: VLAN0003 Fa0/3 -> learning
01:54:07: STP: VLAN0001 Fa0/4 -> learning
01:54:07: STP: VLAN0002 Fa0/4 -> learning
01:54:07: STP: VLAN0003 Fa0/4 -> learning
01:54:22: STP: VLAN0001 sent Topology Change Notice on Gi0/2
01:54:22: STP: VLAN0001 Fa0/3 -> forwarding
01:54:22: STP: VLAN0002 sent Topology Change Notice on Gi0/2
01:54:22: STP: VLAN0002 Fa0/3 -> forwarding
01:54:22: STP: VLAN0003 sent Topology Change Notice on Gi0/2
01:54:22: STP: VLAN0003 Fa0/3 -> forwarding
01:54:22: STP: VLAN0001 Fa0/4 -> forwarding
01:54:22: STP: VLAN0002 Fa0/4 -> forwarding
01:54:22: STP: VLAN0003 Fa0/4 -> forwarding
CON2#
Bingooo, only the ports coming up transition through the spanning-tree states, the other ports are not affected.
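The debug output above can be checked mechanically. This is an added example, not code from the original post: it parses CON2's "debug spanning-tree events" lines, measures how long each port spent in listening and learning, and lists which ports moved at all, so that a port you did not just bring up, or a phase shorter than the 15 s forward delay, stands out. SAMPLE_LOG is the VLAN0001 subset of the CON2 output above; parse_debug, phase_durations and ports_touched are names chosen here.

```python
"""Check Cisco 'debug spanning-tree events' output: time each port's walk
through listening -> learning -> forwarding and list which ports moved.
Added example, not part of the original post; SAMPLE_LOG is the VLAN0001
subset of the CON2 debug shown above."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
01:53:52: STP: VLAN0001 Fa0/3 -> listening
01:53:52: STP: VLAN0001 Fa0/4 -> listening
01:53:56: STP: VLAN0001 Topology Change rcvd on Fa0/3
01:53:56: STP: VLAN0001 sent Topology Change Notice on Gi0/2
01:54:07: STP: VLAN0001 Fa0/3 -> learning
01:54:07: STP: VLAN0001 Fa0/4 -> learning
01:54:22: STP: VLAN0001 sent Topology Change Notice on Gi0/2
01:54:22: STP: VLAN0001 Fa0/3 -> forwarding
01:54:22: STP: VLAN0001 Fa0/4 -> forwarding
"""

STATE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d): STP: (VLAN\d{4}) (\S+) -> "
                      r"(listening|learning|forwarding)$")
TCN_RE = re.compile(r"^\S+ STP: (VLAN\d{4}) sent Topology Change Notice on (\S+)$")

def parse_debug(log):
    """Return ({(vlan, port): {state: seconds}}, [(vlan, port) per TCN sent])."""
    states, tcns = defaultdict(dict), []
    for line in log.splitlines():
        if m := STATE_RE.match(line):
            h, mi, s, vlan, port, state = m.groups()
            states[(vlan, port)][state] = int(h) * 3600 + int(mi) * 60 + int(s)
        elif m := TCN_RE.match(line):
            tcns.append(m.groups())
    return dict(states), tcns

def phase_durations(log):
    """{(vlan, port): (listening_s, learning_s)} for ports that reached forwarding.
    Classic 802.1D spends one forward delay (15 s here) in each phase; a port
    that skips or shortens a phase (PortFast, a changed timer) stands out."""
    states, _ = parse_debug(log)
    return {k: (v["learning"] - v["listening"], v["forwarding"] - v["learning"])
            for k, v in states.items()
            if v.keys() >= {"listening", "learning", "forwarding"}}

def ports_touched(log):
    """Ports that changed state at all: expected to be only the links just brought up."""
    states, _ = parse_debug(log)
    return sorted({port for _, port in states})
```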
On CON3 we see CON2 as 802.1D:


CON3#sh spanning-tree vlan 1

VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 32769
Address 0013.1a55.8000
Cost 23
Port 3 (FastEthernet1/0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0014.a98c.8780
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa1/0/1 Root FWD 19 128.3 P2p Peer(STP)
Fa1/0/2 Altn BLK 19 128.4 P2p Peer(STP)
Fa1/0/11 Desg FWD 19 128.13 P2p
Fa1/0/12 Desg FWD 19 128.14 P2p




Tuesday, July 29, 2008

Interconnecting IPv6 and IPv4 networks with NAT-PT

A modified version of the previous lab includes a pure IPv6 link between CON7 and CON8, with CON8 acting as NAT-PT to interconnect the IPv6 networks with the existing IPv4 cloud.
Here is the modified scenario:


As usual, first I read the Cisco official documentation ( http://www.cisco.com/en/../ip6-nat_trnsln_ps6350_TSD_Products_Configuration_Guide_Chapter.html ) and then the configuration follows.

Lol! My CON8 doesn't support NAT-PT! It's a poor 1841 without the Advanced Enterprise image! ;-(

However, I added the Serial 0/0/0 link configuration and OSPFv3 as follows:

CON7#
interface Serial0/0/0
description Link CON7 <-> CON8
no ip address
ipv6 address 2001:ABCD::FFFF/64
ipv6 ospf 1 area 0
no fair-queue
clock rate 800000
!
ipv6 router ospf 1
router-id 172.32.100.4
log-adjacency-changes
redistribute static metric 20 metric-type 1 tag 567

CON8#
interface Serial0/0/0
description Link CON8 <-> CON7
no ip address
ipv6 address 2001:ABCD::1/64
ipv6 ospf 1 area 0
!
ipv6 router ospf 1
router-id 172.31.100.3
log-adjacency-changes

So no static routes on CON8, but a beautiful OSPFv3; on CON7 I redistribute the static routes, so CON8 can reach CON5 and CON6 ;-)
For full connectivity with the IPv6 networks, I just added a default IPv6 route on CON5 and CON6 pointing to the CON7 Tun0 address:

CON5# and CON6#
ipv6 route ::/0 2002:AC20:6404:1::1

That's all I can configure, but from the Cisco docs, my config would be a NAT-PT / PAT with a single fixed IPv4 address for translation...
something like this... (from the Cisco docs)

SUMMARY STEPS

1. enable

2. configure terminal

3. ipv6 nat v6v4 source {list access-list-name | route-map map-name} pool name overload

or

ipv6 nat v6v4 source {list access-list-name | route-map map-name} interface interface name overload

4. ipv6 nat v6v4 pool name start-ipv4 end-ipv4 prefix-length prefix-length

5. ipv6 nat translation [max-entries number] {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout} {seconds | never}

6. ipv6 access-list access-list-name

7. permit {protocol} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address}


Friday, July 25, 2008

now playing on... IPv6 Tunnels 6to4

A topic I will try is 6to4 tunnels; first I read some Cisco docs:

http://www.cisco.com/en/US/docs/ios/solutions_docs/ipv6/v6domain.html#wp1030706

then I will try it in my own lab, as usual:

this is the lab for today...
The main goal is to allow connectivity between all IPv6 clouds (here I use a Loopback 6 interface) through the IPv4 WAN connections.

When finished, I'll post configurations and comments.

The next step will be the NAT-PT extension on CON8... stay tuned! See u! ;-)

Here are some parts of my config:

CON5#
interface Tunnel0
description Tunn 6to4 CON5 <-> CON6 <-> CON7
no ip address
no ip redirects
ipv6 address 2002:AC20:6401:1::1/64
tunnel source Loopback100
tunnel mode ipv6ip 6to4
!
interface Serial0/0
description Link CON5 <-> CON7
ip address 10.0.2.30 255.255.255.224
!
interface Serial1/0
description Link CON5 <-> CON6
ip address 10.0.2.62 255.255.255.224
clockrate 4000000
!
interface Loopback100
ip address 172.32.100.1 255.255.255.255
!
ipv6 route 2002::/16 Tunnel0

CON6#
interface Tunnel0
no ip address
no ip redirects
ipv6 address 2002:AC20:6402:1::1/64
tunnel source Loopback100
tunnel mode ipv6ip 6to4
!
interface Serial0/0
description Link CON6 <-> CON5
ip address 10.0.2.33 255.255.255.224
!
interface Serial0/1
description Link CON6 <-> CON7
ip address 10.0.2.129 255.255.255.240
!
interface Loopback100
ip address 172.32.100.2 255.255.255.255
!
ipv6 route 2002::/16 Tunnel0

CON7#
interface Tunnel0
no ip address
no ip redirects
ipv6 address 2002:AC20:6404:1::1/64
tunnel source Loopback100
tunnel mode ipv6ip 6to4
!
interface Serial0/1/0
description Link CON7 <-> CON6
ip address 10.0.2.142 255.255.255.240
fair-queue
clock rate 800000
!
interface Serial0/2/0
description Link CON7 <-> CON5
ip address 10.0.2.1 255.255.255.224
clock rate 800000
!
interface Loopback100
ip address 172.32.100.4 255.255.255.255
!
ipv6 route 2002::/16 Tunnel0
Ping works to all tunnel IPv6 addresses. Here I used Loopback 100 as the tunnel source because the Lo100 addresses are routed (via OSPF in this case), so the tunnel is always up despite a possible failure of one serial link.

OK, after the tunnel interface pings... we must configure routing between our customers' IPv6 networks (Lo6 in this lab).
So I read here: http://www.cisco.com/en/US/tech/tk872/technologies_configuration_example09186a00801f3b4f.shtml

"
The benefits to the enterprise of using 6to4 tunnels are as follows:
  • Cisco IOS software supports 6to4 tunnels.

  • The end-user host configuration is simple—it requires minimal management overhead.

  • The tunnel is automatic; no enterprise-specific configuration is required at the 6to4 relay site. 6to4 tunnels scale well.

  • This solution accommodates dynamic IP addresses at the enterprise.

  • The tunnel exists only for the duration of the session.

  • A 6to4 tunnel requires only a one-time configuration at the ISP, which makes the 6to4 relay service available simultaneously to many enterprises.

Limitations of 6to4 Tunnels

6to4 tunnel usage has the following limitations:

  • Independently managed NAT is not allowed along the path of the tunnel.

  • You cannot easily implement multihoming.

  • The 6to4 tunnel mechanism provides a /48 address block; no more addresses are available.

  • Because 6to4 tunnels are configured many-to-one and tunnel traffic can originate from multiple endpoints, 6to4 tunnels can provide only overall traffic information to the ISP.

  • The underlying IPv4 address determines the enterprise 6to4 IPv6 address prefix, so the migration to native IPv6 requires renumbering the network.

  • This solution is limited to static or BGP4+ routing. "

The most relevant for me is the limitation of routing via STATIC (mmm, I really don't like static routing!) or BGP4+.
Well, my IOS images don't seem to support BGP4, only RIPng and OSPFv3
... I tried to use OSPFv3 but no adjacency was established between the tunnel interfaces, and the same with RIPng.. ;-(

Well, I configured static IPv6 entries for the end users' LAN (Lo6) on each router, as follows:

CON5#
ipv6 route 2001:1C5::/64 2002:AC20:6402:1::1
ipv6 route 2001:AFA::/64 2002:AC20:6404:1::1
CON6#
ipv6 route 2001:AFA::/64 2002:AC20:6404:1::1
ipv6 route 2001:FEFE::/64 2002:AC20:6401:1::1
CON7#
ipv6 route 2001:1C5::/64 2002:AC20:6402:1::1
ipv6 route 2001:FEFE::/64 2002:AC20:6401:1::1
For each router there are two static entries for the remote Lo6 IPv6 networks, and the next hop is the remote tunnel IPv6 address.
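A 6to4 endpoint is never configured as a tunnel destination: the router takes the IPv4 address embedded in the 2002:: next hop (here the far end's Loopback100), which is what "ipv6 route 2002::/16 Tunnel0" relies on and why the tunnel stays up as long as Lo100 is reachable. Because the tunnel is point-to-multipoint with no fixed destination, multicast hellos have nowhere to go, which is why the post ends up with static routes. This added example (not from the original post; sixto4_prefix, embedded_ipv4 and resolve_static_routes are names chosen here) derives the lab prefixes from the Loopback100 addresses and maps the CON5 static routes to the IPv4 endpoint each one encapsulates to.

```python
"""6to4 address arithmetic behind 'ipv6 route 2002::/16 Tunnel0' and the
per-router static routes above. Added example, not part of the original
post; the addresses are the lab's Loopback100 and Tunnel0 values."""
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")

def sixto4_prefix(ipv4):
    """/48 that a 6to4 router derives from its IPv4 tunnel source:
    2002:VVVV:WWWW::/48, VVVV:WWWW being the IPv4 address in hex.
    A private source would be rewritten by NAT on the path, so the
    embedded address would no longer match the outer IPv4 header."""
    a = ipaddress.IPv4Address(ipv4)
    if a.is_private:
        raise ValueError(f"{ipv4} is private; 6to4 needs the public IPv4 address")
    return ipaddress.IPv6Network((int(SIXTO4.network_address) | (int(a) << 80), 48))

def embedded_ipv4(ipv6):
    """IPv4 tunnel destination a router extracts from a 2002:: next hop:
    bits 16..47 (from the top) of the IPv6 address."""
    a = ipaddress.IPv6Address(ipv6)
    if a not in SIXTO4:
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)

def resolve_static_routes(lines):
    """For each 'ipv6 route <prefix> <6to4 next-hop>' line, the IPv4 endpoint
    the encapsulated packet is sent to once the next hop recurses to Tunnel0."""
    resolved = {}
    for line in lines:
        _, _, prefix, nexthop = line.split()
        resolved[prefix] = str(embedded_ipv4(nexthop))
    return resolved

# Static routes from the CON5 config above.
CON5_ROUTES = [
    "ipv6 route 2001:1C5::/64 2002:AC20:6402:1::1",
    "ipv6 route 2001:AFA::/64 2002:AC20:6404:1::1",
]

if __name__ == "__main__":
    print(sixto4_prefix("172.32.100.1"))       # 2002:ac20:6401::/48 (CON5 Lo100)
    print(resolve_static_routes(CON5_ROUTES))  # CON6 -> 172.32.100.2, CON7 -> 172.32.100.4
```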

Well, next step is NAT-PT on CON8...

Thursday, July 24, 2008

A little presentation...

OK, first post on this new blog, not much to say about me... I created this TECH blog only for:
  • improving my (poor) written English (if you find mistakes and correct me... I'll appreciate it!)
  • writing about my technology world and (mis)configurations of various Cisco equipment
nothing more...

About me, what can I say?
I work as a Network Administrator, and currently I'm studying for the CCNP certification... I have already passed the BCMSN and ONT exams, and am currently preparing BSCI, scheduled for Aug 5th (2008) ;-)

Today's (tech) activities (I'm on vacation):
  • Studied a bit of BSCI... 2-3 hours
  • Played with an old satellite router (Skystream Networks EMR-5010) (not a very useful game...)
  • Disassembled a damn PIX 506E that doesn't start... maybe a power supply failure; OK, on Cisco tech support -> hardware -> PIX they say "if no LED blinks, check the power supply, try with another one"... Lol! Now I'll try with one of my 1000 PIX power supplies ;-(
  • Watched the online event "CCNP TV: Implementing Multicast Forwarding" on the Cisco Learning Network... it was a great refresh of Rocco Tessicini's lessons.... (more posts about him will follow... stay tuned ;-) )
  • Installed the GNS3 router emulator (http://www.gns3.net/ ), to learn more about Frame Relay and ATM environments (not available in my real router lab)
  • Now working on... a new IPv6 topology to learn!