Switch Vs Route

I see a lot of people as Questions such as what is harder the Switch or the Route exam, Or Why is the Route coarse materials so much larger than the Switch, does this mean there is less to it? 642-902 ROUTE  642-813 SWITCH

So having now completed both foundation and cert guides here are my views.

First the two have very different goals that they are trying to teach, and approach things in the same way as you would likely see in the Real world.  

ROUTE

In the real world generally Routing protocols stand apart, while you may run EIGRP and OSPF with in he same organisation, most people will keep them separate and they will only interact at the borders. And there are only 3/4 major routing protocals that you woudl expect to see.

RIP,

OSPF,

EIGRP and

BGP.

While there are others these are the common ones that most people will using there jobs. So the ROUTE exam deals with these along with redistributing the routes between them.

This give the following Topics to study

EIGRP
OSPF
BRP
Redistribution and Patch control
IPv6

And each is covered in some detail.

SWITCH

On the other hand has many more topics, and in the case of switch’s many of these will be run on the same devices across the entire network, (eg. VLANS, Spanning Tree, ACL’s Switch Security) so the number of topics in the SWITCH exam is much higher. They are covered in less depth individual than the topics in ROUTE, however you are expected to understand how they all work together and how issues configuring one can cause issues in others.

A partial list of topics covered in switch are.

VLANS
Switch Operation (CAM TCAM and other switch tables)
CEF
VLANS
STP (all modes)
STP enhancements like BPDU guard and ULD detection.
Ether channels and port channels
Multilayer switches
High availabilities (redundet router and redundant supervisors)
IP telephony
Wireless
Securing switch devices
Port security
ACL’s
Vlan ACL’s
Private VLANS
QOS
and the list goes on….

So the question of what one is hard and what one is easy will very much depend on the person taking them, and the current experience they have. Many people do seem to find the Routing exam nicer and I think this is because you can take each topic seperatly and concentrate with out worrying about the rest. While I enjoyed Switch as it was lots of bite size chunks to get stuck in to.

People also ask what one to take first, honestly I don’t think knowing either one will help learning the other one, as long as you have  a decent understanding of networks. Personal I would first go for the one you have most experience with, and get it under your belt first.

The only one I would suggest leaving till last is the Trouble Shoot as this assumes you have knowlage of both Switch and Route.

Continuing in to C# and Automation.

So still not had much time to be studying CCNP, but have been getting my hands dirty on C# around the automation of generating configuration for cisco devices.

As mentioned before part of my job is change management which means a lot of repetitive configurations. In the past the tools I have written in VB and Excel have been limited to a single master config, what I decided was needed was a tool that could take a generic config written in notepad or other simple text editor and present the variables to the end user in a friendly form, for them to complete and generate the config.

Confgen

Screen shot of early version of Confgen

This is currently has a simple template loaded for changing the vlan and description of a port and enabling / disabling it. But the application is flexible to be able to take any length or complexly of config you can enter.

There are still lots of things to tidy up,

currently only the first row of variables entered can be parsed in to a complete script, I also want to eventually use a word template to give a professional output for the final script. And have a menu driven system that will look for files in a specified folder at start up and load them ready to be picked by the end user.

However its a start and the core of the application is working. I would say its still very much a Beta version, but am hoping over the coming weeks and months to develop it in to a much more compete tool. A few bugs to resolve and functions to add but I hope it gives people an idea of what i am looking achieveive.

I also have a stage 2 idea to add to this that will make it even mousefulull for new deployments to build up complex configurations, as well as these simple snipits.

If any one wants to try it out the zip file is below, simple extract to a folder and run, file >> open. to open the included example. (you will need .net version 3.5 framwork installed to run it)

Confgen

Please play around and let me know what you think.

Edit: added page to site to keep track of this tool and its development, see above.

DevilWAH

A bit of perl while I’ve been away (Always including some CISCO of course).

Well no matter how many times I head back to post just lately I have never had the time. Studying been put on hold, house move on hold, and working falt out at the new job, but I have to say it has been fun.

Like I say not much studying done, but I have been playing with perl scripting latley. So rather than post nothing I thought I would share the results with you.

At work one of my teams jobs is to provision ports and reclaim ports on switchs. we basicaly write scritps during the day and then batch implement at night. So to make things a bit simpler, (and casue I was bored) I wrote a little web page using perl scripting as the back end.

Now I know I could use client side scripting to get a neater effect, and / or a stand alone program. But one thing about this was I wanted it as client friendly as possible, so decided to go for a web interface. And I have been meaning to learn a scripting language for ages so this seemed an good opportunity.

The web page is in two parts, one for provisioning ports and a second for reclaims, both can handle CATOS and IOS configs

They both still need some tidying up and I want to add some better functions to them soon, but Just so you don’t think i have disappeared here’s the link is you want to try them out. :) (they link to each other)

Port provisioning script

The reason it is set out as it is, is that for my job servers are duel link to two switch, so for each script we are provisioning 3 or 5 ports per server mostly. Also the second switch is normally a mirror of the first, so by ticking the copy check box you only then need to fill in the interface on the second switch, the vlan, speed, duplex, ilo (integrate lights out for use when server crashes to remote reboot and get access to the bios) and sub-net information will be copied from the first switch. Port description as set to the name of the server configured.

I want to put some error checking in the webpage so users can’t skip filling in fields, and then expand to allow users to alter the number of switch / interfaces on the fly.

But for now it seems to work OK, and definitely speeds up or scripting tasks.

Let me know what you think :) If you have any suggestions or would like to see the source code let me know. If you wold like a bit more in depth of what I did may be i can do a follow up artical at some point.

Cheers

DEVILWAH.

PS. little baby is doing great. 9 months old and I finaly understand what people mean when the say how life changing having a baby is! Miss Lilith as she is know in our house is laughing smiling and generaly making my life great. Can’t wait for the warm weather to take her out more :)

CISCO commands

Just lately while cleaning up things at work, and on the web I have come across some CISCO commands that are usefully but often over looked, or forgotten. So I thought I would write them up here and attach them to the Tips and Tricks page so I would always have them to hand. IT might start of a small list but I hope to increase it gradually as I remember/find more. Think of it as a work in progress which you can find here.

I also though as well as the useful ones I would create a common list as well. These are things like the #show IP interface brief, and show Interface status. Again a work in progress and found under the tips and tricks page. If you have any ides suggestions for things that should be included let me know.

I don’t want to have a list of every command on CISCO, but the common ones we all use daily and take for granted. Or ones that are not quite so well known but very useful nevertheless

As I say the lists are no way completed, but I have put up the pages so I can start adding thing on, as and when I think of them.

DevilWAH

SDM in LINUX (Wine)

OK leaving CCNP SWITCH aside for a bit, I finely got around to setting up Linux to allow me to run SDM.

I should point out that I am not a great fan of SDM, but I do run the IOS based firewall on one of my small networks. And while I am happy to change the config of policy’s from the command line, it can be hard to visualise what is going on in 600+ lines of code. So I do fall back to it every now and then.

On the above network I have 100% Linux machines, which included those sitting in the management subnet. So up utill now if I wanted to run SDM I had to get out a windows laptop and plug it in, so for a while I have been looking how I could get this up and running.

There is no Linux SDM version but you can install SDM either on the PC or on the router.According to CISCO as long as the web browser has jarva script enabled, then if you use the version installed on the Router it will work. However despite 2 different versions of Firefox, Google Crome, and numerous attempts with Java versions. Trying this way would always hang at the same point on all three of the PC’s I tried it from. I also don’t really like the idea of running SDM from the router, it takes up space and resources and is another thing to go wrong.

So the alternative was to attempt to run SDM from with in Linux. You will read on the web that CISCO SDM is a Java based html applications, and so in theory you can simple copy the install file across from windows to Linux, move a few files around, and then open up your web browser and point it to the “launcher.html” file you will find in the install directory. However my attempt at this again proved unsuccessful. (I am not sure if this was due to the incorrect Java version I did try with a few but SDM is very fussy with Java and Linux is not so happy with multiply Java versions. (see here for instruction s for this method)

So I decided to go the whole hog and experiment with WINE. Wine for those of you who don’t know is a platform that allows you to run native windows application with in LINUX, I like to think of it as a windows emulator, however some purists will tell you this is not quite correct. But what ever it will allow you to run many windows application on LINUX, and while some people may rebel at the idea of that, I am more of the opinion if it works and gets the job done, then I don’t really have a problem.

So setting it all up.

The first thing to do is add the wine repository ( ppa:ubuntu-wine/ppa) to you distribution. In Unbuntu this can either be done using the option settings in the graphical package manager software, or by running the following command.

sudo add-apt-repository ppa:ubuntu-wine/ppa

Then update the repository cache, (“sudo apt-get update” from the command line).

If you are running the GUI package manager, search for wine and tick the wine1.2 install (at time of writing this is the current stable version, you should pick the latest stable). or from the cli type

sudo apt-get install wine1.2

Wine will now be installed.

You now need to get hold of CISCO SDM, Firefox 3.5 (must be 3.5 this will not work with version 3.6 due to java issues), and a copy of JAVA 6 update 11 (make sure it is this exact version SDM is very very picky).

Once you have downloaded them all, you can simple open them in the GUI, you may get an error saying that they are not executable files. Linux by default will not allow a file to be executed unless it has been set to be allowed. If you get this message simple right click, go to the properties and tick the execute box under the permissions tab. You can also run “sudo chmod +x <filename>” to achieve the same.

You should not be able to run the setup and follow the install exactly as you would under windows. Once you have installed all three, check you can open Firefox. You can find this either up in the application menu under

Wine >> wine applications >> firefox

Or you should have an short cut on the desk top (you may need to make this short cut executable like above).

You will also have a SDM shortcut on the desktop, however this will bring up the WINE IE browser which does not work, so you can’t use this direct.

Instead open up the Firefox you have just installed, and in the address bar type “c:” and hit “return” / click go. This will bring up a folder list for the Wine created windows file system. Open  “programs files” >> cisco systems >> SDM >> common files >> common files. Here you will find a file called Launcher.html which you want to open (I would also suggest add this as a short cut)

And there you are, CISCO SDM will now function as in windows, pop up boxes and all. You can even create a desktop icon that will pass the file above to Firefox if you wish.

Hope that’s of some help to people. If I get it running completely native with out the need for WINE I will be sure to let you know.

DevilWAH

CCNP SWITCH update

Well no luck I’m afraid :(

I agree with many of the other complaints about this exam, there seems to be a large number of questions that are not covered in the course material. I say that having read the foundation guide, cert guide, flash cards, and quick reference sheets.

CISCO have now made a statement that due to the high levels of complaints they will be reviewing the exam. So rather than wast time trying to pass it again. I will carry on my studies with the ROUTE course, which has had much better reviews, and come back to the SWITCH. Hopfuly by then CISCO will have sorted out the issues.

DevilWAH

Time up!

Well a night of study and now its to bed for some sleep before my CCNP SWITCH exam.

Hopefully by the time of my next post I will be one third of the way towards achieving my CCNP.

If I’m honest I have not been impressed with the Cisco Press books, or the BOSON test exam, both I have found many errors in. (Hopefully the fact I spot the errors means I understand the topics)

But all going well I will be back with a little something on getting the CISCO SDM to work in Linux soon.

The Peculiar case of the missing bandwidth.

Where I work we have a slightly strange network set up, as an agency of the government we run under what is knows as the GSI (government secure internet). What this means in practice is that our main site + the 16 or so regional sites have there WAN routers managed by a central government IT centre, and all traffic to the outside world has to pass through there systems. This in its self causes no end of issues in terms of restrictions such as no VPN access and no FTP allowed. But leaving that aside it does mean we sit behind a very secure gateway. All you really need to understand is that we have  “10mbs” full duplex fibre as our primary link of the main site, through which both internet and WAN traffic is routed. Oh and of course we have no access to the WAN router to see what is going on.

Well last Friday, the network grinds to a screeching halt..  What was a 20msec latency link to the regional sites has now become 4000msec (yep that’s right 4 seconds!!). As I say no access to the WAN router but from out 4506 that connects to it I can see the link to it is looking fine. So nothing for it but to call the service provider, after a short chat they agree that traffic has dropped and latency has shot up and start looking in to it for me.

A few hours pass (well 3 days to be more correct during which time we have moved over to the 4 mbs backup link) and they finally come back saying that the link seems to have dropped and the most data they can push through it is 1.6mbs, and they think it is a routing issue on our sites subnet as latency to the outside address of the router seems fine.

Now at this point my mine is saying 1.6mbs??? hmmm why does that number sound familiar, may be if they measured it a bit more accurately they would find it was actually 1.54mbs which of course is a T1 link speed.  Which suggests to  me either some one added a bandwidth policy along the link or the route had changed to pass across a T1 link. But no “defiantly not!!”, I am told with absolutely certainty that no changes have been made to the configuration and some one will attend site to test it out.

Following day the service provider has an engineer on site, after hours of testing the local loop section on the fibre can’t find anything wrong signal strength is perfect and router on site has low latency to next hop. After hours on the phone and a few more suggestions from me that 1.6mbs suggests a T1 link some where along the line. I am told again there have been no changed to the configure or routes, but he say he will call head office and have them check the configs. He come of the phone and says he will try one last test… And what do you know the Link is suddenly back working, latency’s dropped back to the 20msec region and pushing about 9mb of data across the link.

So what did they change? “Nothing”, all they did was set a 10mbsec bandwidth policy on one of the interfaces along the router… So why did it drop in the first place “no idea, some times these things happen”. Hold on so they are telling me they changed nothing, the link just stopped working on its own, and where as it had worked fine for the last 4 years with out the policy configured, it now just happens that adding it has solved the issue??

Forgive me for feeling that someone made a cock up, and had to fix it in a hurry, and I have not been told the full story.

So great after 4 days all back up and working. Or is it? For a long time now I have been suggesting that we don’t have the 10mbs full duplex link we have been paying for. In tests I have never been able to get more than 9mbs total throughput. As I push the outgoing traffic if pulls the incoming down. (Of course as I said I don’t have access to the routers so all I can do is push traffic from our devices at either end). But one of the engineers mentioned in passing that our link was 2 X 4.5mbs??? Which  is exactly 9mbs which is what my test show… So not only did they muck up the link for 4 days but for the last 4 years they have not been providing the service we pay for!!

Not really impressed with them over the last week (not that I have been overly impressed with them before, although a few members of there staff I have to say have been very helpful to me over the years), but maybe some thing good will come out of it and I will have the full 10mbs full duplex link promised.

It is also quite nice in the sense that I informed management and the service providers of my consern’s about the link speed, about 2 years ago when I first really had reason to look at it. All of who dismissed me, and told me it was a 10mbs full duplex and that I was only seeing 9mbs due to the type and volume of traffic. So I would be laying if I said I didn’t slip the “as I told you 3 years ago” in to my report to management this time round. :)

I still can’t believe that no one can hold there hands up though and tell us what really happened last Friday. This is where network device management accounting comes in handy, can’t even log on to my devices, let alone update config with out it getting logged. It’s not just I like to spy on people, but if all changes are logged on the syslog server, then if some one does make a change, and the next day when they are off it all falls apart. I can view the last 24 hours, 3 days, etc, of changes at a glance and see what has happened. No need for them to remember to document every change they make, that’s all done for them.

Well I wait to see what come of this episode. But after this I not sure I will ever trust a service provider again.

laters all

DevilWAH

Tree’s that Span the network

Lets start with a few links.

Cisco’s introduction to STP.

Cisco’s configuration guide

Before I learnt about sub-netting, trunk links, access ports, or vlan’s, I started looking in to STP. In fact my introduction to networking went along the lines of. Learn to log on to a 3COM 3300 super stack, assign it an IP address, sort out spanning tree. I had only been working in IT a few months with no previous IT experience when I was given the job of single handily auditing the network and assigning management IP address.  At the time the network was a pure Layer 2 single VLAN domain containing around 120 switches spread over 30 buildings. It was during this audit and while setting up a monitoring system that I first notice these network reconfiguration messages that kept popping up, not one to be able to leave alone I looked in to the cause and discovered STP!

I look back on horror as I dread to think how many of those reconfiguration where due to me rebooting a switch, or altering configs. those 3COM’s only ran old CST (802.1d) so every time I was causing up to 50 seconds of down time.. I can only plead ignorance and hope over the past 4 years I have made up for it.

The Spanning Tree Protocol (STP) I think is at its fundamental core, one of the more straight forward networking topics to understand. STP runs at layer 2 and its core function is to prevent loops in the network. Why do we need to prevent loops? Layer 2 has no default inbuilt method to detect if a switch has forwarded the same frame before, so if there are any cabling loops in the network frames will circle endlessly round them, clogging up bandwidth and switch CPU causing poor performance before it all grinds to a halt. At the same time though surely duplicate links are a good thing, if one fails you have one spare?

And this is where all versions of STP come along, by analysing the network as a whole, by sending special packets (bridge discover protocol units BPDU’s)  along every link of the network and seeing where the end up, the switches can detect any loops. They will then decided on which links to “block” so that there is only a single complete path across the network. And of course they have there methods to bring back up any of the blocked links in the event any of the primary links they back up should fail.

Before we get in to how this work lets recap the various versions of STP.

CST = 802.1d = Low =SLOW
PVST+ = CISCO = High = SLOW (default)
RSTP = 802.1w = Medium = FAST
PVRST = CISCO = Very High = FAST
MSTP = 802.1s = Medium/High = FAST

Lets start with PVST+, This differers from CST only in that it runs a separate instance for each VLAN on the switch, this allows load balancing or backup links as we shall see.  First lets get a digram up so we have some thing to refer to.

STP works by each switch determining which of its own ports should be forwarding and which should be blocking to insure the network is loop free. Because this is carry out in isolation of what ports other switches and to reduce the time and traffic the network administrator selects a central switch (the ROOT bridge) to act as a reference point for all the other switches. This central switch sends out packets (BPDU’s) on all its ports that are connected. As other switches receive these they note on what ports they are received and then add on the cost of the link. This cost is based on the speed of the link, the following is the table of defaults but these can be tuned if needed.

10Mbs =100
100Mbs = 19
1Gbs = 4
10Gbs = 2

So our fist step should be to configure what switch is root. This should be your core switch, as this will become the centre of the network with all other switches sending there traffic through it. In the case above we can used Switch A.

Switch_A(config)#spanning tree mode pvst
Switch_A(config)#spanning tree VLAN <ID> root Primary

All done…

Switch A is now the root bridge for the spanning tree on what ever VLAN ID you enter. The keyword root will cause Switch A to listen out on the network for BPDU’s being advertised on the VLAN, each switch advertise its root priority in its BPDU. Switch A will listen for the lowest and then set its own priority lower again. (lowest wins). This only happens as you enter the command. If at a later time another switch is set to a lower priority this switch will take over the root, Switch A will NOT lower its priority again. For this reason there are things like Root Guard that can be enabled.

At the moment the network digram still has loops so how does STP sort it out? Fist of all, ALL ports on A will be in the forwarding state (unblocked), and it is sending out BPDU’s. So lets see how Switch B figures it all out. First it receives a BPDU from Switch A on port F0/1, this has come in over a 100>bs link so it is given a cost of 19, the BPDU on port F0/2 has come via switch D, this will have added a cost of 19 is self as it received it, and Switch B will add a further cost of 100, giving a total root cost of F0/2 as 119. Working the same way F0/3 will be 19 + 100 + 19 = 138.

So the as the lowest cost port becomes the root back to port, Switch B will assign F0/1 as the root port. Repeat for switches C and D, and you will find, for switch C the root port is  F0/1 with a cost of 38 and for Switch D it is F0/1 with a cost of 19.

And what now? well now the root ports are sorted out we need to move on to designated ports. These are ports that are connected upstream pointing away from the root. With Switch B and D we see there is a stale mate, both have a 100Mbs link to the root and are connected together by a 10Mbs link. Next STP look towards port priority and as this is the same (both using same port ID) it looks to the MAC address. We will assume Switch B has the lower mac and so it has the higher priority). Switch B will there for place its port F0/3 in to a designated state, Switch D on the other hand seeing Switch B is higher Priority will leave its port with out a STP state.  Both Switch B and D will place ports F0/2 that connect to switch C in to the designated state. Switch C already having a root port to B, and seeing that port F0/2 also leads back to the root will again leave this port in a non designated state.

Once the Switches have decided what ports are assigned what states, any port still with out a state and that is receiving the Root BPDU, is put in the blocking state. So we end up with the logical network below.

As you can see where a link is blocked, one end will be in the designated state on one in the blocking state. In the case of CST and PVST, all BPDU’s are send from the root bridge. In the event of a link failure the affected switch must wait for the Root bridge to send out a BPDU (20 seconds time out by default), Only then does the switch start to listen for BPDU’s on its blocked ports before bringing them up. and this process in its self requires 15 seconds in the listing phase (listing out for the BPDU and building the STP) and a further 15 seconds of learning MAC address before the switch is again forwarding traffic across the back up link. So a total of 50 seconds can elapse.

RSTP and PVRSTP, address this issue, By allowing all switchs in the STP to send and recive BPDU’s, and keeping a note of what are the back up links that are currently being blocked, RSTP and PVRSTP can bring up a failed link with in a second or two. They introduce two new port states. The backup port, which is a second link back to the root. (in the network digram here port F0/3 on switch D and F0/2 on C would be back up ports) And the alternative port, this is when two links connect to the same uplink switch, Imagen switch B and C has two links directly between them, then one would be in the designated port state and the other blocked in the alternative state. By holing a note of the back up links, if the link between Switch D and the root failed, it knows it can bring the link on port F0/3 to switch B up with out danger of causing a loop.

So that’s STP in a nutshell, I will cover MSTP another day, but hopefully there’s enough there to get you head round it, with out load of configuration. All you need to remember is to define your root bridges correctly and insure all you switches are using and support the same STP mode. Once you have that configured correctly then STP will work for you. You then can spend the time tuning it and securing it. Which is a whole other post.