Archive for the 'Networking' category

Cisco Voice-VLAN (VVLAN) inconsistencies

12 Nov 2012 12:41

First off I’d like to say that this is just a minor issue, relating more to routers than to switches; I’m still a lot happier with how Cisco implements config and features compared to most if not all of their competitors…

At a customer I’ve recently had to commit a grave operational sin; to connect a small switch at the end of a floor patch. These things are normally operational nightmares as they have a tendency to quickly bring an entire LAN environment down to its knees when such a ‘switch’ is connected to the network twice. Always by accident but having management kick you for something someone else did is not anyone’s idea of fun. I won’t go into the underlying principles here as I’m assuming most who frequent my blog will know about broadcast storms, their causes and the tools and solutions available to mitigate the risks.

Our justification to operations was that we wanted a few more local LAN ports to test VoIP devices on than we had available through floor patches. As such I reasoned with Operations that this was a calculated choice to segregate our testing from the rest of the LAN but still make it as realistic as possible. Using the means available meant that I had to make do with a Cisco 1801. Single routed and 8 switched interfaces. Think of it as a router with one Ethernet interface and an 8 port HWIC-ESW nailed to it. Didn’t need the ATM or WiFi it has.

So I set out: disabled IP routing, admin-downed all non-Ethernet ports and set up the vlan database (old style, remember?); I did not want this baby to participate in VTP, in fact I don’t think it even can! It’s limited to 8 vlans. Pulled two cables to it: one switched port trunked with some data and voice vlans, and the routed interface configured for management access.

All sweet and dandy; I tested the BPDU-guard functionality prior to installation by connecting an access port to the LAN. Clunk! It went down as desired, result I thought… Then, when installing it, the LAN wouldn’t bring up the LAN port. Doh! I’d missed that the 1801 doesn’t send BPDUs until a VLAN becomes active. I’d checked whether spanning-tree was operational, and it wasn’t until I brought an interface up. So I disabled STP for all vlans in the VLAN database. Now my laptop received an IP address and the data VLANs all worked.

So, time to connect a Mitel phone. No dice: it received its first DHCP response with VLAN information, then it would just sit announcing it was waiting for a DHCP response. Dang, I’d configured the voice vlan, so why did the switch not detect the phone and enable trunking so that the phone could send its DHCP request on the voice VLAN?

It was only when I started reading up on HWIC-ESW voice-VLAN config that I noticed Cisco hasn’t implemented the auto-enabling of dot1q trunking when a phone is detected… The solution is to add two lines of config: “switchport trunk native vlan xyz” and “switchport mode trunk”. The crux is that this platform is at heart a router, not a native switch…

Cisco documentation

Alcatel 7210 port mirroring

14 Jun 2012 12:52

Recently I’ve been doing more on Alcatel as I’m working in O2’s test-bed down in Slough, slaving away at testing aspects of their new LLU broadband core and new BT 21CN wholesale connectivity. I’ve not been able to write a lot in recent years due to working for an integrator rather than an ISP; I’m mostly not allowed to divulge what I’m working on, or it’s unwise for me to do so…

However, it’s common knowledge that many providers use Alcatel and they seem to do pretty well in the ‘booming’ broadband market. Hence I thought I’d share a little snippet of an annoyance I recently encountered.

When using an Alcatel 7210 to sniff traffic and interconnect different media (1Gbps copper and 10Gbps fibre), I found that sniffing is counter-intuitive to people only trained on Cisco. A few pointers:

  1. Port mirror destinations are defined in configuration
  2. Port mirror sources are set through debug commands
  3. When mirroring VPLS ports (I needed an e-pipe/Layer-2 tunnel) I found that egress sources did not work, only ingress did, and only one ingress port can be set per mirror session. It did not matter if I used the port or the SAP as source.

I was left to sniff in two places to capture both up- & down-stream traffic. YMMV as a 7750 will be different, but I don’t have one available to me to test on…

Commands used:

#--------------------------------------------------
echo "Mirror Configuration"
#--------------------------------------------------
  mirror
    mirror-dest 4 create
      sap 1/1/4 create
      exit
      no shutdown
    exit
    mirror-dest 11 create
      sap 1/1/11 create
      exit
      no shutdown
    exit
  exit

And the debug command:

*A:<hostname># debug mirror-source 4 port ?
- no port ...
- port <port-id> egress ingress
- port <port-id> egress
- port <port-id> ingress
- port lag ...

*A:<hostname># debug mirror-source 4 sap ?
- no sap <sap-id> [ingress]
- sap <sap-id> {[ingress] }

As can be seen above, capturing by SAP is only supported at ingress. Using port and SAP yielded the same result: only ingress packets were ever sent to the destination port, despite show mirror stating both Egr & Ing.

*A:<hostname># show mirror mirror-dest 11
===============================================================================
Mirror Service
===============================================================================
Service Id       : 11                   Type          : Ether
Description      : (Not Specified)
Admin State      : Up                   Oper State    : Up
Forwarding Class : be                   Remote Sources: No
Slice            : 0
Destination SAP  : 1/1/11               Egr QoS Policy: 1
-------------------------------------------------------------------------------
Local Sources
-------------------------------------------------------------------------------
Admin State      : Up
-Port                                   1/1/26                          Egr Ing
===============================================================================

Inter-AS MPLS and MTU

2 Jun 2009 14:18

Type-2 interconnects are fun, but MTU issues are not. When faced with migrating subnets from one MPLS cloud to another (different AS numbers, you see), the three common inter-AS types were taken off the shelf and dusted off…


DNS on IOS

12 Apr 2008 10:19

I’ll leave the debate to others about running services on routers. As usual ymmv and all that, though besides the obvious objections I think it’s quite cool of my little c877 to proxy DNS and serve what it has locally. Imho, my home DNS config is not heavy enough to warrant rigging up DNS on my Samba server.

My first google tonight led me to an article on the excellent ios hints and tricks site (ioshints.info). Though that one covers a full public DNS server and was a little overkill for me, please read it as well if you do plan to go that route.

My goal was to have my DSL router serve local IP’s for a few public and local domain names. For example this allows me to use sip.djerk.nl as my proxy address in my soft-phone both at home and away.

The following code is what I ended up with.


No ezvpn please!

31 Oct 2007 23:44

Had a nice piece of homework cut out for me with getting site-to-site ipsec working between a relative’s Netgear and my Cisco 877. UniverCD once again proved to be crucial in my understanding and working out what should go where. Thanks to Ilya for reminding me to browse that site rather than just search it.


Debian Lenny snmpd IP binding

12 Oct 2007 15:09

Yet another non CCIE post 😉

It appears that Debian Lenny by default only binds to 127.0.0.1 (localhost). I had to add the following two lines to snmpd.conf to get snmpd to listen to external requests.

interface eth0
agentaddress 217.195.248.251:161

I eventually found the solution at debianhelp.org.

No IP unreachables (and Cacti)

11 Oct 2007 15:49

*Sigh* Took me an hour or two to figure this one out. Cacti now does a ping before actually polling a device for stats. I’m running a small cacti site which had been neglected for a long time. After updating cacti and cleaning up some mess I was confused why one router did get polled and the other’s graphs remained a dumb “nan”.

I debugged and pinged, even installed hping3 to do UDP pings. I don’t want to run cacti as root, especially not on a vhost. So the UDP ping had to work. The pings arrived but still no replies.

Getting sidetracked, I noticed that the one router that did work was being hit by SSH login attempts and its CPU was spiking. An ACL took care of the break-in attempts, but then I noticed that directed broadcasts were being made to my server’s segment. So I nailed that down, plus proxy-arp, when I noticed that the router which had worked before was now causing errors in Cacti as well.

Tracking back, I noticed that the UDP ping ‘replies’ were unreachables rather than ICMP replies (doh, how obvious!). I enabled IP unreachables on both routers again and I was done. It’s amazing how blind one can be at times to the blatantly obvious…

Static routes since 12.3

31 Aug 2007 10:56

Since 12.3 (T?), static routes pointing to interfaces will be advertised by RIP and EIGRP as these static subnets are assumed to be part of the interfaces on which RIP and/or EIGRP is activated.

ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [dhcp] [distance] [name next-hop-name] [permanent | track number] [tag tag]


Networkers EMEA 2008

14 Jul 2007 21:46

Last weeks news: Networkers EMEA 2008 will be in Barcelona. For the diary: Monday Jan 21st – Thursday 24th.

I’m counting on being there, though until my manager gives approval and it’s been booked I will not know for sure… 🙂

Cisco EMEA Networkers2007

7 Dec 2006 15:24

Just a quick note to say that I’m going to Networkers2007.

If you’re going as well and want to meet me then drop me a line, with a suggestion of when you’re free. I don’t think I’ll be able to intentionally run into anyone there, my schedule is way too busy for that.

Suggestions for surviving Networkers are welcome as I’ve never been before.

Testing test equipment

8 Jun 2006 09:02

Got some pictures of Ixia and Spirent equipment in the lab, so check out the gallery if you’re interested.

A remote xmodem IOS upgrade…

29 Mar 2006 01:30

Right, it’s loading and due to the baud rate of 115200 currently at 13% so I’ve got some time to write this little “note to self”. If anyone else finds this useful then I hope you’re not working away like me at 0:48 in the night.


Unused protocol features (ip options)

18 Feb 2006 21:34

Anyone ever heard of ‘Strict Source Routing’ or ‘Loose Source Routing’?

Well it’s in IPv4, CLNP and IPv6, but no-one seems to use it. Please leave a comment if you think I’m wrong! It could be ever so useful for network monitoring and reporting if one could specify the route a packet should take. One could test, monitor or report on links / paths which one can’t do now due to SPF (Shortest Path First) routing, if only… Sigh

Hint: http://www.iana.org/assignments/ip-parameters
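As an added illustration (not code from the original post), the following Python parses the IPv4 options area of a raw packet and picks out the Loose/Strict Source Route options discussed above, using the option type codes from the IANA ip-parameters registry; the sample packet is constructed here with a dummy checksum, and most production routers are configured to drop such packets outright.

```python
import struct
from ipaddress import IPv4Address

# IPv4 option type codes (IANA ip-parameters registry)
EOOL, NOP, RR, LSRR, SSRR = 0, 1, 7, 131, 137
ROUTE_OPTIONS = {RR: "RR", LSRR: "LSRR", SSRR: "SSRR"}


def parse_ipv4_options(packet: bytes) -> list:
    """Walk the options area (bytes 20..IHL*4) and return (name, details) tuples."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, i, found = packet[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == EOOL:                 # end of option list
            break
        if kind == NOP:                  # single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")  # malformed header, drop it
        body = opts[i + 2:i + length]
        if kind in ROUTE_OPTIONS:
            # body = pointer byte followed by 4-byte hop addresses
            hops = [str(IPv4Address(body[j:j + 4])) for j in range(1, len(body) - 3, 4)]
            found.append((ROUTE_OPTIONS[kind], {"pointer": body[0], "hops": hops}))
        else:
            found.append((kind, body))
        i += length
    return found


def has_source_route(packet: bytes) -> bool:
    """True when the header carries LSRR or SSRR (what a filter would reject)."""
    return any(name in ("LSRR", "SSRR") for name, _ in parse_ipv4_options(packet))


def build_sample_packet() -> bytes:
    """Constructed sample: IHL=8 header with an LSRR option listing two hops."""
    options = (bytes([LSRR, 11, 4]) + IPv4Address("10.0.0.1").packed
               + IPv4Address("192.0.2.7").packed + bytes([EOOL]))
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ((20 + len(options)) // 4), 0,
                         20 + len(options), 0, 0, 64, 17, 0,  # checksum left at 0
                         IPv4Address("198.51.100.5").packed, IPv4Address("203.0.113.9").packed)
    return header + options
```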


200 bald men fighting over 6 combs

17 Feb 2006 17:11

I’m glad Radia Perlman manages to scatter some funny anecdotes into her book “Interconnections”, this one is about the 6 TOS bits in the IP header (page 244):

Some people have affectionately referred to the -IETF Differentiated Services- working group as “200 bald men fighting over 6 combs”.

It’s funny to see the history as she’s describing the future in her book, which shows how fast it’s dated. She wrote “Interconnections” in 2000 but it’s still a great book explaining fundamental issues in a comprehensive manner; my print is a 7th edition from March 2005. Definitely a book to use as a network protocol reference due to the many explanations as to why things are the way they are.

Priority

9 Feb 2006 21:10

I have decided to add a new category: “Networking quotes”. Here’s the first one, ‘Interconnections, 2nd edition’ page 181:

Priority is an attempt to implement the principles of jealousy and envy in computer networks.
– Tony Lauck