Browsed by Month: January 2012

CCIE: PPP Authentication

Personally, this is an area that I struggled with during my studies. Not quite sure why; the concept is not that difficult. Perhaps it’s one of those “boring” subjects and I just could not get excited about it no matter how hard I tried. In real-world use cases, I used PPP all the time as the PE-to-CE encapsulation method. The thing is, at the SP there was no need to “secure” the /30 MPLS circuits, so LCP was not necessary. Now for ADSL customers, that was a totally different story: LCP and NCP were both used. Fact is, PPP is still widely deployed and I don’t see it going away anytime soon, so we had better understand it.

#1 Recommendation: ALWAYS think of PPP authentication as a client (response) and server (authenticator/challenge) relationship.

The authentication does not have to be bi-directional (although it could be).

So the PAP/CHAP SERVER requires authentication and the PAP/CHAP CLIENT must respond.

Example 1 (PAP):

R1: SERVER
 username R2PAP password CISCO
 !
 interface Serial0/1/0
  encapsulation ppp
  ppp authentication pap chap
  ! try the first protocol (PAP) first; if it is unsuccessful, try the second (CHAP)

R2: CLIENT
 interface Serial0/1/0
  encapsulation ppp
  ppp pap sent-username R2PAP password CISCO

Example 2 (CHAP):

R1: SERVER
 username R2 password CISCO
 !
 interface Serial0/1/0
  encapsulation ppp
  ppp authentication pap chap
  ! try the first protocol (PAP) first; if it is unsuccessful, try the second (CHAP)

R2: CLIENT
 username R1 password CISCO
 !
 interface Serial0/1/0
  encapsulation ppp
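To make the client/server relationship concrete, here is an added simulation of the two examples above in Python. It is not code from the post or from Cisco: it models R1 as the CHAP authenticator (holding "username R2 password CISCO") and R2 as the peer (holding "username R1 password CISCO"), plus the PAP Authenticate-Request that R2PAP/CISCO produces. The packet fields follow RFC 1334 (PAP) and RFC 1994 (CHAP with MD5); the dictionary packet layout and the helper names are this example's own.

```python
"""PPP PAP vs. CHAP, modelled on the R1 (server) / R2 (client) examples.
Added example, not the post's own code. Hostnames and the 'CISCO' secrets
come from the examples; the packet dictionaries are this model's own."""
import hashlib
import hmac
import os
import struct


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request data (RFC 1334). Both fields travel in clear
    text, which is why PAP is only as safe as the link it runs over."""
    return (struct.pack("!B", len(peer_id)) + peer_id
            + struct.pack("!B", len(password)) + password)


def chap_md5_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response Value = MD5(Identifier || secret || Challenge Value).
    The secret itself never crosses the wire, only the challenge and this hash."""
    return hashlib.md5(struct.pack("!B", ident) + secret + challenge).digest()


class ChapServer:
    """Authenticator (R1 in Example 2). 'users' mirrors 'username R2 password CISCO'."""

    def __init__(self, hostname: str, users: dict):
        self.hostname = hostname
        self.users = users
        self.outstanding = {}      # identifier -> challenge value awaiting a response
        self.next_ident = 1

    def challenge(self, value: bytes = None) -> dict:
        """Build a Challenge packet. A fixed value may be passed for testing;
        a real authenticator uses a fresh random value every time."""
        ident = self.next_ident
        self.next_ident = (self.next_ident % 255) + 1
        if value is None:
            value = os.urandom(16)
        self.outstanding[ident] = value
        return {"ident": ident, "value": value, "name": self.hostname}

    def verify(self, response: dict) -> bool:
        """Check a Response packet. Each challenge is answered once: a replayed
        response fails because its identifier is no longer outstanding."""
        value = self.outstanding.pop(response["ident"], None)
        secret = self.users.get(response["name"])
        if value is None or secret is None:
            return False
        expected = chap_md5_response(response["ident"], secret, value)
        return hmac.compare_digest(expected, response["value"])


class ChapClient:
    """Peer (R2 in Example 2). Looks the secret up by the authenticator's name,
    which is what 'username R1 password CISCO' on R2 provides."""

    def __init__(self, hostname: str, users: dict):
        self.hostname = hostname
        self.users = users

    def respond(self, challenge: dict) -> dict:
        secret = self.users[challenge["name"]]
        value = chap_md5_response(challenge["ident"], secret, challenge["value"])
        return {"ident": challenge["ident"], "value": value, "name": self.hostname}


def run_chap(server: ChapServer, client: ChapClient, fixed_challenge: bytes = None) -> bool:
    """One three-way handshake: Challenge -> Response -> Success/Failure."""
    chal = server.challenge(fixed_challenge)
    return server.verify(client.respond(chal))


if __name__ == "__main__":
    r1 = ChapServer("R1", {"R2": b"CISCO"})
    r2 = ChapClient("R2", {"R1": b"CISCO"})
    print("CHAP R1<->R2 authenticated:", run_chap(r1, r2))
    print("PAP bytes on the wire:", pap_authenticate_request(b"R2PAP", b"CISCO"))
```

Run it and compare the two outputs: the PAP request carries R2PAP and CISCO verbatim, while the CHAP exchange only ever shows the challenge and a 16-byte hash, and a captured response cannot be replayed because the server forgets each challenge once it has been answered.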

CCIE: 802.1s (MST)

Overview:

MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of spanning-tree instances required to support a large number of VLANs.

All the details can be found here.

My personal field experience:

It’s funny, I always hear how great MST is (and it does have advantages), but I only saw it in a production enterprise environment a handful of times. The primary drivers are lots of VLANs (500+) and load-balancing traffic (VLAN traffic engineering) across redundant links. Service providers could use this on small metro rings that utilize STP as the ring failover mechanism (RPR may be a better option).

Configuration:

For correct operation, all switches in the MST region must agree on the same CIST regional root. Therefore, any two switches in the region only synchronize their port roles for an MST instance if they converge to a common CIST regional root.

For two or more switches to be in the same MST region, they must have the same VLAN-to-instance map, the same configuration revision number, and the same name.

SW1 (root for instances 2 and 3, backup root for instance 1):

 spanning-tree mst configuration
  instance 1 vlan 1-100
  instance 2 vlan 101-200
  instance 3 vlan 201-4094
 !
 spanning-tree mst 1 priority 4096
 spanning-tree mst 2 priority 0
 spanning-tree mst 3 priority 0

Additional information:
http://en.wikipedia.org/wiki/Spanning_Tree_Protocol#Multiple_Spanning_Tree_Protocol_.28MSTP.29
http://www.ieee802.org/1/pages/802.1s.html
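The three things that must match for two switches to share a region (name, revision, VLAN-to-instance map) are carried as the MST Configuration Identifier, and the map part is compared as a digest rather than entry by entry. The added Python below (not the post's or any vendor's code) parses the "spanning-tree mst configuration" block above, computes that identifier the way IEEE 802.1s defines it (HMAC-MD5 over the 4096-entry VID-to-MSTID table, using the key published in the standard) and tells you whether two switches would end up in the same region. The "name CORP" and "revision 1" lines are assumed, since the post's config does not show them; the instance lines are SW1's.

```python
"""MST Configuration Identifier check. Added example, not from the post.
The 'name CORP' / 'revision 1' lines are assumed; the instance lines are SW1's."""
import hashlib
import hmac

# HMAC-MD5 key defined in IEEE 802.1s (now 802.1Q) for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_mst_configuration(lines):
    """Parse the body of 'spanning-tree mst configuration': name, revision and
    'instance N vlan <list>' lines. Returns (name, revision, {vid: msti})."""
    name, revision, vid_map = "", 0, {}
    for raw in lines:
        words = raw.split()
        if not words:
            continue
        if words[0] == "name":
            name = " ".join(words[1:])
        elif words[0] == "revision":
            revision = int(words[1])
        elif words[0] == "instance" and len(words) == 4 and words[2] == "vlan":
            msti = int(words[1])
            for part in words[3].split(","):          # e.g. "1-100" or "10,20-22"
                lo, _, hi = part.partition("-")
                for vid in range(int(lo), int(hi or lo) + 1):
                    if not 1 <= vid <= 4094:
                        raise ValueError(f"VLAN {vid} out of range")
                    vid_map[vid] = msti
    return name, revision, vid_map


def mst_config_digest(vid_map):
    """HMAC-MD5 over the MST Configuration Table: 4096 two-octet MSTID values,
    one per VID 0..4095, big-endian. VIDs not mapped stay in the CIST (MSTID 0)."""
    table = bytearray(4096 * 2)
    for vid, msti in vid_map.items():
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).digest()


def mst_config_id(lines):
    """(name, revision, digest): the tuple two switches compare before forming a region."""
    name, revision, vid_map = parse_mst_configuration(lines)
    return name, revision, mst_config_digest(vid_map)


def same_region(lines_a, lines_b):
    """True when both switches compute an identical MST Configuration Identifier."""
    return mst_config_id(lines_a) == mst_config_id(lines_b)


# SW1's configuration from the post, with an assumed name and revision.
SW1 = [
    "name CORP",
    "revision 1",
    "instance 1 vlan 1-100",
    "instance 2 vlan 101-200",
    "instance 3 vlan 201-4094",
]

if __name__ == "__main__":
    name, rev, digest = mst_config_id(SW1)
    print(f"{name} rev {rev} digest 0x{digest.hex().upper()}")
    sw2 = SW1[:2] + ["instance 1 vlan 1-101", "instance 2 vlan 102-200", "instance 3 vlan 201-4094"]
    print("same region as a switch that moved VLAN 101:", same_region(SW1, sw2))
```

The digest is what "show spanning-tree mst configuration" prints, so when two switches disagree on it the fastest way to find the culprit is to diff their VLAN lists, not the digests; a single VLAN in the wrong instance is enough to split the region, while the order of the instance lines is irrelevant.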
CCIE: UDLD

UDLD is a Layer 2 protocol that enables devices connected through fiber-optic or twisted-pair Ethernet cables to monitor the physical configuration of the cables and detect when a unidirectional link exists. All connected devices must support UDLD for the protocol to successfully identify and disable unidirectional links. When UDLD detects a unidirectional link, it disables the affected port and alerts you. Unidirectional links can cause a variety of problems, including spanning-tree topology loops.

UDLD uses its own keepalives, not STP BPDU keepalives. It is Cisco proprietary.

Normal mode does not prevent STP loops; it is informational only.

Aggressive mode prevents STP loops by putting the port into the err-disabled state.

For best protection (interface wiring and the STP software side), use UDLD and Loop Guard together.

UDLD works great on fiber-optic interfaces because TX and RX are separate strands. On copper BASE-T, Fast Link Pulse (FLP) signals already track interface status.
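Because the normal/aggressive difference is easy to misremember, here is an added Python simulation (not Cisco code) of the UDLD echo mechanism: each side's hello carries the neighbour IDs it has heard, so a port knows the link is bidirectional only when it sees its own ID echoed back. The model then fails one direction of the link and shows what each mode does. The hold time of 3 missed hellos and the 8 aggressive-mode retries are this model's parameters, not the exact IOS timers, and the port names are constructed.

```python
"""UDLD echo/keepalive behaviour, simulated. Added example, not Cisco code;
HOLD_HELLOS and AGGRESSIVE_RETRIES are this model's parameters."""
HOLD_HELLOS = 3          # missed hellos before the neighbour is considered lost
AGGRESSIVE_RETRIES = 8   # extra hellos aggressive mode tries before err-disabling


class UdldPort:
    def __init__(self, name, mode="normal"):
        assert mode in ("normal", "aggressive")
        self.name, self.mode = name, mode
        self.neighbor = None          # device/port ID last heard on this link
        self.missed = 0               # consecutive intervals with nothing received
        self.state = "undetermined"   # undetermined | bidirectional | errdisabled
        self.log = []

    def hello(self):
        """The hello we transmit: our own ID plus the echo, i.e. the neighbour IDs
        we have recently heard. An err-disabled port transmits nothing."""
        if self.state == "errdisabled":
            return None
        echo = [self.neighbor] if self.neighbor and self.missed < HOLD_HELLOS else []
        return {"sender": self.name, "echo": echo}

    def interval(self, pkt):
        """Advance one hello interval; pkt is the neighbour's hello, or None."""
        if self.state == "errdisabled":
            return self.state
        if pkt is None:
            self.missed += 1
            if self.neighbor and self.missed >= HOLD_HELLOS:
                if self.mode == "aggressive" and self.missed >= HOLD_HELLOS + AGGRESSIVE_RETRIES:
                    self._errdisable("no hellos from %s after %d retries"
                                     % (self.neighbor, AGGRESSIVE_RETRIES))
                else:
                    self.state = "undetermined"   # normal mode: logged, port stays up
            return self.state
        self.missed = 0
        self.neighbor = pkt["sender"]
        if self.name in pkt["echo"]:
            self.state = "bidirectional"          # it hears us and we hear it
        elif self.state == "bidirectional":
            # We still receive the neighbour but it no longer echoes us: our transmit
            # direction is dead. This positive detection err-disables in both modes.
            self._errdisable("%s no longer echoes %s" % (pkt["sender"], self.name))
        return self.state

    def _errdisable(self, why):
        self.state = "errdisabled"
        self.log.append("%s err-disabled: %s" % (self.name, why))


def simulate(mode, a_to_b_ok, b_to_a_ok, intervals):
    """Two ports over one link; a_to_b_ok/b_to_a_ok are callables interval -> bool
    saying whether that direction delivered the hello in that interval."""
    a, b = UdldPort("SW1 Gi0/1", mode), UdldPort("SW2 Gi0/1", mode)
    for t in range(intervals):
        ha, hb = a.hello(), b.hello()
        a.interval(hb if b_to_a_ok(t) else None)
        b.interval(ha if a_to_b_ok(t) else None)
    return a.state, b.state


if __name__ == "__main__":
    healthy = lambda t: True
    rx_dies_at_3 = lambda t: t < 3       # SW1 stops receiving from interval 3 on
    print("healthy, normal    :", simulate("normal", healthy, healthy, 5))
    print("one way, normal    :", simulate("normal", healthy, rx_dies_at_3, 12))
    print("one way, aggressive:", simulate("aggressive", healthy, rx_dies_at_3, 20))
```

The interesting line is the second one: in normal mode the side that stopped hearing hellos only goes "undetermined" and keeps forwarding, while the other side, which can prove its transmissions are not arriving because its ID vanished from the echo, err-disables. Aggressive mode closes that gap by err-disabling the silent side too after its retries run out.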

CCIE: Root Guard, BPDU Guard, BPDU Filter, and Loop Guard

The BPDU guard feature can be globally enabled on the switch or can be enabled per port, but the feature operates with some differences.
At the global level, you enable BPDU guard on Port Fast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. Spanning tree shuts down ports that are in a Port Fast-operational state if any BPDU is received on them. In a valid configuration, Port Fast-enabled ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port means an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port in the error-disabled state. When this happens, the switch shuts down the entire port on which the violation occurred.

The “default” global option works in conjunction with spanning-tree portfast default on interfaces that are in the portfast state.

Verify with “sh interface fa x/x status”.

To test, send BPDUs from a router with a bridging interface: “bridge 1 protocol ieee”, then under “int fa x/x” configure “bridge-group 1”.

The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences.

At the global level, you can enable BPDU filtering on Port Fast-enabled interfaces by using the spanning-tree portfast bpdufilter default global configuration command. This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

At the interface level, you can enable BPDU filtering on any interface by using the spanning-tree bpdufilter enable interface configuration command without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs.
BPDU filter works in conjunction with portfast as well.

If BPDUs are detected, the interface reverts out of portfast mode.

Verify with “sh span inter fa x/x portfast”.

Root Guard will not err-disable a port. The port goes into the root-inconsistent state until superior BPDUs cease.

Loop Guard is similar to UDLD, except it uses STP BPDU keepalives to determine whether there is a unidirectional link failure.

Understanding Loop Guard

You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is enabled on the entire switched network. Loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.

You can enable this feature by using the spanning-tree loopguard default global configuration command.

When the switch is operating in PVST+ or rapid-PVST+ mode, loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.

When the switch is operating in MST mode, BPDUs are not sent on nonboundary ports only if the interface is blocked by loop guard in all MST instances. On a boundary port, loop guard blocks the interface in all MST instances.

Understanding Root Guard

The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. In such a topology, the spanning tree can reconfigure itself and select a customer switch as the root switch, as shown in Figure 18-8. You can avoid this situation by enabling root guard on SP switch interfaces that connect to switches in your customer’s network. If spanning-tree calculations cause an interface in the customer network to be selected as the root port, root guard then places the interface in the root-inconsistent (blocked) state to prevent the customer’s switch from becoming the root switch or being in the path to the root.

If a switch outside the SP network becomes the root switch, the interface is blocked (root-inconsistent state), and spanning tree selects a new root switch. The customer’s switch does not become the root switch and is not in the path to the root.

If the switch is operating in multiple spanning-tree (MST) mode, root guard forces the interface to be a designated port. If a boundary port is blocked in an internal spanning-tree (IST) instance because of root guard, the interface also is blocked in all MST instances. A boundary port is an interface that connects to a LAN, the designated switch of which is either an IEEE 802.1D switch or a switch with a different MST region configuration.

Root guard enabled on an interface applies to all the VLANs to which the interface belongs. VLANs can be grouped and mapped to an MST instance.

You can enable this feature by using the spanning-tree guard root interface configuration command.
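The four features are easiest to keep apart by what each one does on two events: a BPDU arriving, and BPDUs stopping for max-age. The added Python below (not IOS code, and not from the post) models exactly the behaviour described above as a small per-port state machine: BPDU guard err-disables a PortFast port, the global BPDU filter makes a PortFast port drop out of PortFast instead, root guard parks a port in root-inconsistent until superior BPDUs cease, and loop guard keeps a root/alternate port blocked when BPDUs stop rather than letting it become designated. It also shows the no-guard case so the loop hazard is visible. Port names and roles are constructed.

```python
"""STP port-protection features as a state machine. Added example, not IOS code."""


class GuardedPort:
    def __init__(self, name, role, portfast=False, bpduguard=False,
                 bpdufilter_default=False, rootguard=False, loopguard=False):
        # role: 'designated', 'root' or 'alternate'
        self.name, self.role = name, role
        self.portfast = portfast
        self.bpduguard = bpduguard            # spanning-tree portfast bpduguard default
        self.bpdufilter = bpdufilter_default  # spanning-tree portfast bpdufilter default
        self.rootguard = rootguard            # spanning-tree guard root
        self.loopguard = loopguard            # spanning-tree loopguard default
        self.state = "forwarding" if role in ("designated", "root") else "blocking"
        self.events = []

    def transmits_bpdus(self):
        """Designated ports send BPDUs unless the global filter is in effect on a
        PortFast port; root/alternate (and err-disabled) ports send none."""
        if self.state == "errdisabled" or self.role != "designated":
            return False
        return not (self.bpdufilter and self.portfast)

    def bpdu_received(self, superior=False):
        """A BPDU arrived; 'superior' means it would make the neighbour the root."""
        if self.state == "errdisabled":
            return self.state
        if self.bpdufilter and self.portfast:
            # Global filter: the port loses PortFast and filtering stops. It is then
            # an ordinary port, so a later BPDU no longer triggers BPDU guard either.
            self.portfast, self.bpdufilter = False, False
            self.events.append(f"{self.name}: BPDU on filtered PortFast port, PortFast lost")
            return self.state
        if self.bpduguard and self.portfast:
            self.state = "errdisabled"        # stays down until errdisable recovery / shut-no shut
            self.events.append(f"{self.name}: BPDU guard err-disabled the port")
            return self.state
        if self.rootguard and superior:
            self.state = "root-inconsistent"
            self.events.append(f"{self.name}: superior BPDU, root guard blocking")
            return self.state
        if self.state in ("root-inconsistent", "loop-inconsistent"):
            # BPDUs flow again (and, for root guard, are no longer superior): recover.
            self.state = "forwarding" if self.role in ("designated", "root") else "blocking"
            self.events.append(f"{self.name}: recovered to {self.state}")
        return self.state

    def max_age_expired(self):
        """No BPDU for max-age. Without loop guard a root/alternate port assumes the
        designated role and forwards: the unidirectional-link loop hazard."""
        if self.state == "errdisabled":
            return self.state
        if self.state == "root-inconsistent":
            self.state = "forwarding"         # superior BPDUs ceased: root guard releases the port
            self.events.append(f"{self.name}: superior BPDUs ceased, root guard released")
            return self.state
        if self.role in ("root", "alternate"):
            if self.loopguard:
                self.state = "loop-inconsistent"
                self.events.append(f"{self.name}: BPDUs stopped, loop guard blocking")
            else:
                self.role, self.state = "designated", "forwarding"
                self.events.append(f"{self.name}: BPDUs stopped, now designated/forwarding (loop risk)")
        return self.state


if __name__ == "__main__":
    for port, event in [
        (GuardedPort("Fa0/1", "designated", portfast=True, bpduguard=True), "bpdu"),
        (GuardedPort("Fa0/2", "designated", portfast=True, bpdufilter_default=True), "bpdu"),
        (GuardedPort("Gi0/1", "designated", rootguard=True), "superior"),
        (GuardedPort("Gi0/2", "alternate", loopguard=True), "timeout"),
        (GuardedPort("Gi0/3", "alternate"), "timeout"),
    ]:
        if event == "timeout":
            port.max_age_expired()
        else:
            port.bpdu_received(superior=(event == "superior"))
        print(port.name, "->", port.state, port.events)
```

Reading the events list for Gi0/3 next to Gi0/2 is the whole argument for loop guard: the same lost-BPDU condition either blocks the port or silently promotes it to designated/forwarding.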

CCIE: STP (802.1d)

So, first a little history on Spanning Tree Protocol (STP). It is based on an algorithm created by Radia Perlman in 1985. http://en.wikipedia.org/wiki/Radia_Perlman

It became an IEEE standard in 1990 and is still widely deployed. Flavors of spanning tree: 802.1D (IEEE), 802.1w (rapid), and 802.1s (MST). The evolution of STP: Cisco vPC (two-way non-blocking, still requires STP) and FabricPath (eliminates STP completely). TRILL is a standardized version of FabricPath. Both TRILL and FabricPath utilize a link-state protocol (IS-IS) as their loop-prevention method.

Specific Cisco enhancements to 802.1D (prior to 802.1w): UplinkFast and BackboneFast

UplinkFast: The UplinkFast feature is designed to run in a switched environment where the switch has at least one alternate/backup root port (a port in the blocking state); that is why Cisco recommends that UplinkFast be enabled only on switches with blocked ports, typically at the access layer. Do not use it on switches without the implied topology knowledge of an alternate/backup root link, typically distribution and core switches in the Cisco multilayer design. ONLY enable it on NON-ROOT switches.

To be effective, the feature needs blocked ports that provide redundant connectivity to the root. As soon as UplinkFast is configured on a switch, the switch automatically adjusts some STP parameters to help achieve this:

  • The bridge priority of the switch is increased to a value significantly higher than the default. This ensures that the switch is not likely to be elected root bridge (a root bridge has no root ports; all of its ports are designated).
  • All the ports of the switch have their cost increased by 3000. This ensures that the switch’s ports are not likely to be elected designated ports.

BackboneFast:

CCIE: 802.1q (QinQ tunneling/802.1ad)

One of my personal favorite L2 subjects to discuss. When I was at the service provider, this was a very cost-effective Metro solution to extend customer VLANs: no routing protocols on the CPE and no expensive EoMPLS hardware required from the SP perspective. Simple and effective. You will hear many names for the outer tag (S-TAG, metro tag, etc…); just remember that the outer tag is the unique SP ID for that customer and the inner tags are the customer’s tags. This extra instance of .1q requires an additional 4 bytes, so make sure your system/global MTU is at least 1504 bytes to transmit a data frame size of 1500 bytes.

Combine this with L2PT (l2protocol-tunnel) and you can easily tunnel VTP, STP, and CDP frames.

Here is a brief example:

SW1:
 interface FastEthernet0/1
  description connection to Customer_SITE_A
  switchport access vlan 100
  switchport mode dot1q-tunnel
  l2protocol-tunnel cdp
  l2protocol-tunnel stp
  l2protocol-tunnel vtp
  no cdp enable

SW4:
 interface FastEthernet0/4
  description Customer_SITE_B
  switchport access vlan 100
  switchport mode dot1q-tunnel
  l2protocol-tunnel cdp
  l2protocol-tunnel stp
  l2protocol-tunnel vtp
  no cdp enable

Now, to expand upon this concept, you can create an EtherChannel/port-channel between the customer CE devices using a separate SP tag for each link (VLAN 100 for the first link and VLAN 200 for the second, below).

SW1: CPE_Site_A
 interface FastEthernet0/12
  switchport trunk encapsulation dot1q
  switchport mode trunk
  channel-protocol lacp
  channel-group 1 mode active
 !
 interface FastEthernet0/13
  switchport trunk encapsulation dot1q
  switchport mode trunk
  channel-protocol lacp
  channel-group 1 mode active

SW2: SP_SW1
 interface FastEthernet0/12
  switchport access vlan 100
  switchport mode dot1q-tunnel
  l2protocol-tunnel cdp
  l2protocol-tunnel lldp
  l2protocol-tunnel stp
  l2protocol-tunnel vtp
  l2protocol-tunnel point-to-point lacp
 !
 interface FastEthernet0/13
  switchport access vlan 200
  switchport mode dot1q-tunnel
  l2protocol-tunnel cdp
  l2protocol-tunnel lldp
  l2protocol-tunnel stp
  l2protocol-tunnel vtp
  l2protocol-tunnel point-to-point lacp
 !
 interface FastEthernet0/24
  switchport trunk encapsulation dot1q
  switchport mode trunk

SW3: SP_SW2
 interface FastEthernet0/12
  switchport access vlan 100
  switchport mode dot1q-tunnel
  l2protocol-tunnel cdp
  l2protocol-tunnel lldp
  l2protocol-tunnel stp
  l2protocol-tunnel vtp
  l2protocol-tunnel point-to-point lacp
 !
 interface FastEthernet0/13
  switchport access vlan 200
  switchport mode dot1q-tunnel
  l2protocol-tunnel cdp
  l2protocol-tunnel lldp
  l2protocol-tunnel stp
  l2protocol-tunnel vtp
  l2protocol-tunnel point-to-point lacp
 !
 interface FastEthernet0/24
  switchport trunk encapsulation dot1q
  switchport mode trunk

SW4: CPE_Site_B
 interface FastEthernet0/12
  switchport trunk encapsulation dot1q
  switchport mode trunk
  channel-protocol lacp
  channel-group 1 mode active
 !
 interface FastEthernet0/13
  switchport trunk encapsulation dot1q
  switchport mode trunk
  channel-protocol lacp
  channel-group 1 mode active
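To see the outer/inner tag relationship and the 1504-byte MTU requirement in bytes rather than words, here is an added Python model (not the post's or Cisco's code) of what the dot1q-tunnel port does: it builds a customer frame, pushes the SP tag on ingress the way "switchport access vlan 100" plus "switchport mode dot1q-tunnel" would, parses the resulting tag stack, shows which VLAN the SP core actually switches on, and computes the post-header size that "system mtu" has to cover. It goes one step beyond the text by also handling a customer frame that already carries its own 802.1Q tag. MAC addresses and VLAN IDs are constructed values; the TPID 0x8100 for the outer tag is Cisco's dot1q-tunnel default, while 802.1ad specifies 0x88A8.

```python
"""802.1Q-in-802.1Q frame handling. Added example, not from the post or Cisco.
MAC addresses and VLAN IDs are constructed values."""
import struct

TPIDS = {0x8100, 0x88A8, 0x9100}   # 802.1Q, 802.1ad S-tag, legacy QinQ


def ethernet_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame (no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def push_tag(frame, vid, tpid=0x8100, pcp=0):
    """Insert a VLAN tag after the source MAC. A Cisco dot1q-tunnel port uses
    0x8100 for the outer (S) tag by default; 802.1ad specifies 0x88A8."""
    tci = ((pcp & 7) << 13) | (vid & 0xFFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame):
    """Remove the outermost tag (what the far-end tunnel port does on egress)."""
    tpid = struct.unpack_from("!H", frame, 12)[0]
    if tpid not in TPIDS:
        raise ValueError("frame is untagged")
    return frame[:12] + frame[16:]


def parse(frame):
    """Return ([(tpid, pcp, vid), ...] outer-first, inner ethertype, payload)."""
    tags, off = [], 12
    while True:
        ethertype = struct.unpack_from("!H", frame, off)[0]
        if ethertype not in TPIDS:
            break
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((ethertype, tci >> 13, tci & 0xFFF))
        off += 4
    return tags, ethertype, frame[off + 2:]


def sp_vlan(frame):
    """The SP core forwards on the outermost tag only; customer tags are payload."""
    tags, _, _ = parse(frame)
    return tags[0][2] if tags else None


def required_system_mtu(frame):
    """Bytes after the 14-byte Ethernet header (tags + payload), which is what the
    switch 'system mtu' must cover: 1500 bytes of payload plus one SP tag is 1504."""
    return len(frame) - 14


def tunnel_ingress(customer_frame, sp_vid):
    """'switchport mode dot1q-tunnel' on an access port in VLAN sp_vid."""
    return push_tag(customer_frame, sp_vid)


if __name__ == "__main__":
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # constructed
    untagged = ethernet_frame(dst, src, 0x0800, b"\x45" + b"\x00" * 1499)   # 1500-byte IP payload
    print("untagged customer frame + S-tag needs system mtu", required_system_mtu(tunnel_ingress(untagged, 100)))
    double = tunnel_ingress(push_tag(untagged, 10), 100)                   # customer VLAN 10 inside SP VLAN 100
    print("tags:", parse(double)[0], "SP forwards on VLAN", sp_vlan(double),
          "needs system mtu", required_system_mtu(double))
```

The last line is the practical caveat hiding behind the post's 1504 figure: it assumes the customer hands over untagged frames. If the customer side is itself a .1q trunk (as in the EtherChannel example, where the CE ports are trunks), a full-size frame carries two tags inside the SP and the post-header size is 1508.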
CCIE: VTP or not to VTP, that is the question.

In *most* production networks, device limitations (VLAN count, TCAM entries) must be taken into consideration. This is one of the downsides of using VTP: all switches get the entire database, regardless of whether they have local assignments or are even in the transit L2 path. Transparent mode and manually creating the necessary VLANs may be your best option, because switches do not create an STP instance for VLANs that do not exist locally, which conserves resources and CPU cycles. If you are using VTP, be sure to enable pruning to conserve bandwidth, or statically remove unnecessary VLANs from the trunk links. Verify with “sh interface pruning” or “sh interface trunk | begin pruned”.

Two quick ways to view port/vlan assignment.

“sh vlan brief” or “sh interface status”

VTP can save time by allowing a central place to manage and create VLANs. Here are some tips when implementing VTP.

1) Make sure your trunk (ISL/.1q) interfaces are healthy.

2) Assign a domain name on the VTP server. All other clients will inherit this.

3) Create VLANs on server and verify creation/revision sync on clients.

Verify with “sh vtp status” and if a password is configured “sh vtp password”.

Transparent-mode switches will pass updates along but not accept them. Their revision number should be “0”.

“Sh interface trunk” can help determine the L2 transit path if the VLAN exists. This helps with tasks that require you to restrict the VLANs allowed on trunks.

Investigate the pruning-eligible list (except/all/none): “sw tr prun vlan”.
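The three VTP tips and the transparent-mode note above describe one propagation rule set, so here it is as an added Python simulation (not the post's own code and not IOS): a server that bumps its revision and advertises on every VLAN change, a client that inherits the domain name from the first advertisement it hears and adopts any higher revision, and a transparent switch in the middle that forwards advertisements without applying them and keeps revision 0. The SW1 (server) - SW2 (transparent) - SW3 (client) chain, the SW4 client in a different domain, and the domain name CORP are assumed.

```python
"""VTP propagation between server, transparent and client switches.
Added example, not the post's own code; topology and domain name are assumed."""


class VtpSwitch:
    def __init__(self, name, mode, domain=None):
        assert mode in ("server", "client", "transparent")
        self.name, self.mode, self.domain = name, mode, domain
        self.revision = 0
        self.vlans = {1}               # VLAN 1 always exists
        self.trunks = []               # directly connected switches (healthy trunks, tip 1)
        self.log = []

    def create_vlan(self, vid):
        """'vlan <vid>' entered in configuration mode."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: a VTP client cannot create VLANs")
        self.vlans.add(vid)
        if self.mode == "server":
            self.revision += 1                         # every change bumps the revision ...
            self._advertise(self._summary(), None)     # ... and is advertised out all trunks
        # transparent: local change only, revision stays 0, nothing advertised

    def _summary(self):
        return {"domain": self.domain, "revision": self.revision, "vlans": frozenset(self.vlans)}

    def _advertise(self, adv, exclude):
        for peer in self.trunks:
            if peer is not exclude:
                peer.receive(adv, self)

    def receive(self, adv, from_switch):
        if self.mode == "transparent":
            self._advertise(adv, from_switch)          # pass through unchanged, never applied
            return
        if self.domain is None:                        # tip 2: no domain yet, inherit it
            self.domain = adv["domain"]
            self.log.append(f"{self.name}: inherited VTP domain {self.domain}")
        if adv["domain"] != self.domain:
            return                                     # other domain: ignored
        if adv["revision"] > self.revision:            # tip 3: higher revision wins
            self.vlans = set(adv["vlans"])
            self.revision = adv["revision"]
            self.log.append(f"{self.name}: adopted revision {self.revision} ({len(self.vlans)} VLANs)")
            self._advertise(adv, from_switch)


def connect(a, b):
    """A healthy trunk between two switches."""
    a.trunks.append(b)
    b.trunks.append(a)


def build_lab():
    """SW1 (server, CORP) - SW2 (transparent) - SW3 (client) - SW4 (client, OTHER)."""
    sw1 = VtpSwitch("SW1", "server", "CORP")
    sw2 = VtpSwitch("SW2", "transparent")
    sw3 = VtpSwitch("SW3", "client")
    sw4 = VtpSwitch("SW4", "client", "OTHER")
    connect(sw1, sw2)
    connect(sw2, sw3)
    connect(sw3, sw4)
    return sw1, sw2, sw3, sw4


def show_vtp_status(sw):
    """The fields of 'sh vtp status' this model tracks."""
    return {"name": sw.name, "mode": sw.mode, "domain": sw.domain,
            "revision": sw.revision, "vlans": sorted(sw.vlans)}


if __name__ == "__main__":
    sw1, sw2, sw3, sw4 = build_lab()
    sw1.create_vlan(100)
    sw1.create_vlan(200)
    sw2.create_vlan(300)          # transparent: stays local
    for sw in (sw1, sw2, sw3, sw4):
        print(show_vtp_status(sw))
```

Note that `receive` applies a higher revision to servers as well as clients, which is how real VTP behaves: that is the reason to check "sh vtp status" on any switch before trunking it into a domain, and why the transparent switch in the middle is the only one whose revision you can rely on staying at 0.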