Channel: IEOC - INE's Online Community
Viewing all 10744 articles

Conversational Learning and SVI's on Nexus 7k


I set up 7Ks with fabricpath and SVI's to route the vlans. We use all F2 cards. But I notice on the 7K's that when I check the learning mode, the routed vlans now say non-conversational-learning. I was told that is because we have SVI's. Does anyone know if that is true, and why would that be?


MSTP and IST BPDUs !!


hi all

the IST is the only instance which sends and receives BPDUs inside the MSTP region !

but how do the other instances guarantee a loop-free network (inside the region)?

I did not understand this point !

MPLS VPN QoS Tunneling


I am just wondering...what is the default tunneling mode in MPLS VPN or do we have to manually configure each mode? 

Down bit in Type-5 LSAs?


Has anyone else noticed that Cisco is now including the Down bit in Type-5 LSAs? 

 

R7#show ver | i IOS
Cisco IOS XE Software, Version 03.11.01.S - Standard Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(1)S1, RELEASE SOFTWARE (fc2)

R7#show ip ospf database external 150.1.8.8

            OSPF Router with ID (172.16.7.7) (Process ID 1)

               Type-5 AS External Link States

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 1343
  Options: (No TOS-capability, DC, Downward)
  LS Type: AS External Link
  Link State ID: 150.1.8.8 (External Network Number )
  Advertising Router: 155.1.67.6
  LS Seq Number: 80000002
  Checksum: 0x1F4F
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        MTID: 0 
        Metric: 2 
        Forward Address: 0.0.0.0
        External Route Tag: 3489661028

 

Looks like Cisco is now doing what the RFC says =) 

 

I wonder how much stuff this will break when people deploy new code and don't know about this new surprise. 

IP Multicast Boundary IN/OUT


Hello,

I was just reading these days some multicast and I noticed that something was not working as expected.

The topology is as below with PIM-SM everywhere, R5's loopback 120.1.5.5 as RP. R6's Lo0 joined 224.1.1.10

 

On Router R5 before multicast boundary

R5#show ip mroute 224.1.1.10

(*, 224.1.1.10), 00:39:32/00:03:14, RP 120.1.5.5, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Ethernet0/0.56, Forward/Sparse, 00:14:56/00:03:14

 

Configuration for Multicast Boundary

!

R5(config)#do show run | s access-list

access-list 10 deny 224.1.1.10
access-list 10 permit any

!

R5(config-subif)#do show run int e0/0.56
!
interface Ethernet0/0.56
 ip multicast boundary 10 in

!

After this, I would expect that PIM Join messages for (*,224.1.1.10) will be dropped inbound on e0/0.56, however apparently that's not the case.

R5(config-subif)#do show ip mroute 224.1.1.10

(*, 224.1.1.10), 00:02:58/00:03:29, RP 120.1.5.5, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Ethernet0/0.56, Forward/Sparse, 00:01:00/00:03:29

!

Based on these results a ping from R3 to 224.1.1.10 is successful

R5(config-subif)#do show ip mroute 224.1.1.10

(*, 224.1.1.10), 00:04:51/stopped, RP 120.1.5.5, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Ethernet0/0.56, Forward/Sparse, 00:02:53/00:02:34

(125.1.123.3, 224.1.1.10), 00:00:05/00:02:54, flags:
  Incoming interface: Ethernet0/0.15, RPF nbr 125.1.15.1
  Outgoing interface list:
    Ethernet0/0.56, Forward/Sparse, 00:00:05/00:03:24

 

The question is WHY? Isn't "ip multicast boundary <ACL> in" supposed to filter control plane traffic(PIM Join, IGMP) according to ACL?


7.20 - BGP Bestpath Selection - AS-PAth Prepending


Hi,

I've noticed that the route-map statement in the solution was different from the route-map statement of the previous tasks. I mean it was missing the "route-map TO_R1 permit 100" permitting (in my mind) to keep announcements of other routes from R3 to R1.

But when applying it, I don't have the expected behavior.

Before applying the route-map statement TO_R1, I have the following routes advertised to R1 through BGP :

R3(config-router)#do sho ip bgp nei 155.1.13.1 adv
BGP table version is 15, local router ID is 150.1.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 28.119.16.0/24   155.1.13.1                             0 100 54 i
*> 28.119.17.0/24   155.1.13.1                             0 100 54 i
*> 112.0.0.0        155.1.13.1                             0 100 54 50 60 i
*> 113.0.0.0        155.1.13.1                             0 100 54 50 60 i
*> 114.0.0.0        155.1.13.1                             0 100 54 i
*> 115.0.0.0        155.1.13.1                             0 100 54 i
*> 116.0.0.0        155.1.13.1                             0 100 54 i
*> 117.0.0.0        155.1.13.1                             0 100 54 i
*> 118.0.0.0        155.1.13.1                             0 100 54 i
*> 119.0.0.0        155.1.13.1                             0 100 54 i
*> 155.1.0.0        155.1.13.1                             0 100 i
*>i205.90.31.0      192.10.1.254             0    100      0 254 ?
*>i220.20.3.0       192.10.1.254             0    100      0 254 ?
*>i222.22.2.0       192.10.1.254             0    100      0 254 ?

Total number of prefixes 14

 

I created the following route-map :

route-map AS254 permit 10
 match as-path 1
 set as-path prepend 200 200 200
route-map AS254 permit 20

And apply it to R1 neighbor : neighbor 155.1.13.1 route-map AS254 out

But after the soft clear on R3, I see only 3 routes, as if there was no "permit 20" statement or as if it was ignored :

R3(config-router)#do sho ip bgp nei 155.1.13.1 adv
BGP table version is 15, local router ID is 150.1.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i205.90.31.0      192.10.1.254             0    100      0 254 ?
*>i220.20.3.0       192.10.1.254             0    100      0 254 ?
*>i222.22.2.0       192.10.1.254             0    100      0 254 ?

 

Same when I use debugging :

Before the route-map applied :


R3#clear ip bgp 155.1.13.1 out
R3#
*Mar  2 02:02:09.549: BGP(0): 155.1.13.1 NEXT_HOP part 1 net 119.0.0.0/8, next 155.1.13.1
*Mar  2 02:02:09.553: BGP(0): 155.1.13.1 send UPDATE (format) 119.0.0.0/8, next 155.1.13.1, metric 0, path 100 54
*Mar  2 02:02:09.557: BGP(0): 155.1.13.1 NEXT_HOP part 1 net 118.0.0.0/8, next 155.1.13.1
*Mar  2 02:02:09.561: BGP(0): 155.1.13.1 send UPDATE (prepend, chgflags: 0x0) 118.0.0.0/8, next 155.1.13.1, metric 0, path 100 54
*Mar  2 02:02:09.561: BGP(0): 155.1.13.1 NEXT_HOP part 1 net 117.0.0.0/8, next 155.1.13.1
*Mar  2 02:02:09.561: BGP(0): 155.1.13.1 send UPDATE (prepend, chgflags: 0x0) 117.0.0.0/8, next 155.1.13.1, metric 0, path 100 54
*Mar  2 02:02:09.561: BGP(0): 155.1.13.1 NEXT_HOP part 1 net 116.0.0.0/8, next 155.1.13.1
*Mar  2 02:02:09.561: BGP(0): 155.1.13.1 send UPDATE (prepend, chgflags: 0x0) 116.0.0.0/8, next 155.1.13.1, metric 0, path 100 54
*Mar  2 02:02:09.561: BGP(0): 155.1.13.1 NEXT_HOP part 1 net 115.0.0.0/8, next 155.1.13.1
*Mar  2 02:02:09.565: BGP(0): 155.1.13.1 send UPDATE (prepend, chgflags: 0x0) 115.0.0.0/8, next 155.1.13.1, metric 0, path 100 54
*Mar  2 02:02:09.565: BGP(0): 155.1.13.1 NEXT_HOP part 1 net 114.0.0.0/8, next 155.1.13.1
*Mar  2 02:02:09.565: BGP(0): 155.1.13.1 send UPDATE (prepend, chgflags: 0x0) 114.0.0.0/8, next 155.1.13.1, metric 0, path 100 54
*Mar  2 02:02:09.565: BGP(0): 155.1.13.1 NEXT_HOP part 1 net 28.119.17.0/24, next 155.1.13.1
*Mar  2 02:02:09.565: BGP(0): 155.1.13.1 send UPDATE (prepend, chgflags: 0x0) 28.119.17.0/24, next 155.1.13.1, metric 0, path 100 54
*Mar  2 02:02:09.565: BGP(0): 155.1.13.1 NEXT_HOP part 1 net 28.119.16.0/24, next 155.1.13.1
*Mar  2 02:02:09.565: BGP(0): 155.1.13.1 send UPDATE (prepend, chgflags: 0x0) 28.119.16.0/24, next 155.1.13.1, metric 0, path 100 54
*Mar  2 02:02:09.565: BGP(0): 155.1.13.1 NEXT_HOP part 1 net 155.1.0.0/16, next 155.1.13.1
*Mar  2 02:02:09.565: BGP(0): 155.1.13.1 send UPDATE (format) 155.1.0.0/16, next 155.1.13.1, metric 0, path 100
*Mar  2 02:02:09.565: BGP(0): 155.1.13.1 send UPDATE (format) 222.22.2.0/24, next 155.1.13.3, metric 0, path 254
*Mar  2 02:02:09.565: BGP(0): 155.1.13.1 send UPDATE (prepend, chgflags: 0x0) 220.20.3.0/24, next 155.1.13.3, metric 0, path 254
*Mar  2 02:02:09.569: BGP(0): 155.1.13.1 send UPDATE (prepend, chgflags: 0x0) 205.90.31.0/24, next 155.1.13.3, metric 0, path 254
*Mar  2 02:02:09.569: BGP(0): 155.1.13.1 NEXT_HOP part 1 net 113.0.0.0/8, next 155.1.13.1
*Mar  2 02:02:09.569: BGP(0): 155.1.13.1 send UPDATE (format) 113.0.0.0/8, next 155.1.13.1, metric 0, path 100 54 50 60
*Mar  2 02:02:09.569: BGP(0): 155.1.13.1 NEXT_HOP part 1 net 112.0.0.0/8, next 155.1.13.1
*Mar  2 02:02:09.569: BGP(0): 155.1.13.1 send UPDATE (prepend, chgflags: 0x0) 112.0.0.0/8, next 155.1.13.1, metric 0, path 100 54 50 60
*Mar  2 02:02:09.593: BGP(0): 155.1.13.1 rcv UPDATE about 205.90.31.0/24 -- withdrawn
*Mar  2 02:02:09.593: BGP(0): 155.1.13.1 rcv UPDATE about 220.20.3.0/24 -- withdrawn
*Mar  2 02:02:09.593: BGP(0): 155.1.13.1 rcv UPDATE about 222.22.2.0/24 -- withdrawn
*Mar  2 02:02:09.593: BGP(0): updgrp 3 - 155.1.13.1 updates replicated for neighbors:
R

 

After the route-map applied :

R3#clear ip bgp 155.1.13.1 out
R3#
*Mar  2 01:59:11.525: BGP(0): 155.1.13.1 send UPDATE (format) 222.22.2.0/24, next 155.1.13.3, metric 0, path 254
*Mar  2 01:59:11.525: BGP(0): 155.1.13.1 send UPDATE (prepend, chgflags: 0x0) 220.20.3.0/24, next 155.1.13.3, metric 0, path 254
*Mar  2 01:59:11.529: BGP(0): 155.1.13.1 send UPDATE (prepend, chgflags: 0x0) 205.90.31.0/24, next 155.1.13.3, metric 0, path 254

 

I don't see where I'm wrong or what I misunderstood in any part of either route-map or bgp.

Thanks for your help.

Franck.

Using Global ACL's

Section5: Perimeter Security and Services - ASA Firewalls
ASA Basic Access-Lists
 

ASA2:

access-list GLOBAL remark *** PERMIT TASK TRAFFIC ***
access-list GLOBAL extended permit icmp host 150.1.22.22 any echo
access-list GLOBAL extended permit tcp any host 172.16.10.100 eq 80
access-list GLOBAL extended permit tcp any host 172.16.10.100 eq 3389
access-list GLOBAL extended permit udp any host 172.16.10.100 eq 514

access-list GLOBAL remark *** PERMIT RESTRICTED TRAFFIC DUE TO USING GLOBAL ACL ***
access-list GLOBAL permit ip 172.16.10.0 255.255.255.0 136.1.29.0 255.255.255.0
access-list GLOBAL permit ip 172.16.10.0 255.255.255.0 host 150.1.22.22
access-list GLOBAL permit ip 136.1.19.0 255.255.255.0 any
access-list GLOBAL permit ip 136.1.27.0 255.255.255.0 any
access-list GLOBAL permit ip host 150.1.11.11 any
!
access-group GLOBAL global

 

Why do we need to permit restricted traffic due to using a global ACL? As per the task, we have permitted inbound traffic. As inbound traffic is first checked against the interface ACL and then against the global ACL, shouldn't these permit statements be present in the interface ACL instead of being in the global ACL?


FCOE Lab interface vfc 111


 

Under SAN 3rd Lab FCOE Lab configuration.

Under interface vfc 111  INE have put the command switchport trunk allowed vsan 101

This means Interface vfc 111 becomes virtual E Port.

 

But in a separate command, vsan 101 interface vfc 111. This will mean interface vfc 111 is a virtual F port.

Can anybody explain this?

 

 


Double-Sided vPC between 2 X Pair of 5Ks


Hi Guys,

I am just checking if it's possible to set up double-sided (back-to-back) vPC between two pairs of Nexus 5Ks.

I have set this up between a pair of Nexus 5Ks and a pair of Nexus 7Ks, but I am just wondering if there is any limitation to doing the same between 2 pairs of Nexus 5Ks, i.e. a pair in DC1 having back-to-back vPC to DC2 via fibre connections.

I can't see why not, but just thought I'd ask the question.

Thanks

Luke

Data Center job role


Not sure if this is the right place to post this, but figured I'd try here. My background is in Windows administration and virtualization (desktop/server). I completed my CCNA R&S and CCNA Data Center. I've been going through Mark's UCS Course (which is excellent btw). From a job role perspective, I'm still having a hard time figuring out where it fits in, and what else I should be focusing on learning.

In my current role, I handle everything VMware, we use Brocade for FC switches, which I handle for zoning, and we use EMC storage, which I create LUNS on but that's about it. I have a lot to learn where it comes to storage. So from a CCNP DC/CCIE DC perspective, I can see UCS and MDS fitting in with my current job role, if we were to get rid of our Dell blades and brocade switches. I see positions now that ask for VMware and UCS, which makes sense. I see Storage Administrator job openings that have MDS as a requirement, which also makes sense.

My confusion comes in with the Nexus side of things. Who's going to be the person to configure/troubleshoot these in a corporate setting? Will this be the "typical" network engineer? The main reason for me asking is because I'm wondering if there are other skills that I need to pick up to be successful on my journey. When I first looked at this track, I thought I'd have to start gaining knowledge on storage arrays, maybe get a netapp or emc cert or 2, but now I'm wondering if I was looking at it wrong, and maybe I need to add more route/switch, security, wireless, voip skills instead. I was reading somewhere that someone wrote companies aren't looking for nexus experts, they are looking for typical network engineers who know some nexus.

Any pointers would be helpful.

ASA Dynamic Policy NAT and PAT


On ASA2, SG includes "destination" on twice nat with "object network ANY_DESTINATION" as shown below:

object network ANY_DESTINATION
 subnet 0.0.0.0 0.0.0.0

nat (VLAN19,any) source dynamic VLAN19_REAL VLAN19_TELNET_MAPPED destination static ANY_DESTINATION ANY_DESTINATION service TELNET TELNET

nat (VLAN19,any) source dynamic VLAN19_REAL VLAN19_HTTP_MAPPED destination static ANY_DESTINATION ANY_DESTINATION service HTTP HTTP

In my solution, since we don't care about the destination, I skipped the "destination" as shown below. It seems to be working fine; is it a valid solution?

nat (VLAN19,any) source dynamic VLAN19_REAL VLAN19_HTTP_MAPPED service TELNET TELNET

nat (VLAN19,any) source dynamic VLAN19_REAL VLAN19_HTTP_MAPPED service HTTP HTTP


In addition, can I use "nat (VLAN19,any) source dynamic R1_LO1_REAL interface" to cover the two statements below, as shown in the SG?  Will this make any difference?

 

nat (VLAN19,VLAN26) source dynamic R1_LO1_REAL interface

nat (VLAN19,VLAN29) source dynamic R1_LO1_REAL interface

 

Thanks

 


Multihop FCOE and Storage VDC


Can INE include one technology lab on Multihop FCOE with Storage VDC in their Data Center workbook? Even if the rack is not compatible with it, we can go through it theoretically.

I am not able to clear doubts in this topic even after reading many books.

 

 

PIR question (2 rate/3 colour Policer)


Question states:
Use the CIR value of 64Kbps and PIR value of 128Kbps.
Use the values of CIR*400ms and PIR*200ms for normal and excess burst sizes.

I can understand Bc = 3200, but I also make Be = 3200  (but apparently Be = 6400).

Does Be always = Bc*2?


FCOE between switches vs FCOE to host


So,  just for clarification

 

1.   FCOE between switches (NPV or E) -   no need for Edge trunk, restrict ethernet trunk to the FCOE VLANS ?

2.   FCOE to host -   edge trunk is needed.   ?

 

Additional question -   FIP vlan discovery operates on the native vlan - does it really need to be allowed on the ethernet trunk (since it is multicast traffic and allowed on the trunk whether the native vlan is allowed or not)?

 

thanks

MQC nesting - question


Could someone help cement the action of nesting in an MQC policy map for me please.

In the scenario below, would the "subrate_policer" policy be applied to http traffic from R1, or would the "police_vlan146" policy be applied?

class-map FROM_R1
match access-group name FROM_R1

policy-map SUBRATE_POLICER
class FROM_R1
  police 64000 3200 4800
   conform-action set-prec-transmit 1
   exceed-action set-prec-transmit 0
   violate-action set-prec-transmit 0


policy-map POLICE_VLAN146
class HTTP
   police 128000 3200 4800
    conform-action transmit
    exceed-action set-prec-transmit 0
    violate-action drop
   service-policy SUBRATE_POLICER

interface FastEthernet 0/1
  service-policy input POLICE_VLAN146

Reason I ask is I need to confirm what happens in the event where traffic matches more than one policy.

cheers

10.38 QoS Pre-Classify


Still missing "Priority 64" on policy map.

Also part of the task asks us to:  "Limit the rate of traffic leaving the VLAN 146 interface of R6 to 256Kbps."

The SG uses shaping to do this (via MQC).  Would setting bandwidth on the phys int be ok?  (the task doesn't mention anything about not being able to?)

Initial Configs for RSv5 Workbook - MPLS labs


The MPLS labs in the v5 workbook don't list as "Pending update" so I was assuming they are updated for the V5 topo - but I can't find the initial configs for them. They aren't in the zip file download from the front of the book - am I looking in the wrong place or are these still v4 topology?
