Joel Knight

Author Archives: Joel Knight

Label Switched Multicast – Ethernet Header

I got an interesting email from Ying Lu who had read my posts on LSM:

I am curious about the Ethernet DA and codepoint used for multicast MPLS. Previously, I understand that:
– Ethernet DA is unicast MAC of nexthop of each replication leg.
– codepoint is 0x8847
However, looking at RFC5332, I am not so sure…
Quote:
“Ethernet is an example of a multipoint-to-multipoint data link. Ethertype 0x8847 is used whenever a unicast ethernet frame carries an MPLS packet.

Ethertype 0x8847 is also used whenever a multicast ethernet frame carries an MPLS packet, EXCEPT for the case where the top label of the MPLS packet has been upstream-assigned.

Ethertype 0x8848, formerly known as the “MPLS multicast codepoint”, is to be used only when an MPLS packet whose top label is upstream assigned is carried in a multicast ethernet frame.

Interesting question. What is the ethernet destination address (DA) and the value of the ethernet type field (codepoint) when the MPLS packet is being sent on an LSM LSP?

Getting back into the lab, I started a ping from CE1 to a group that CE3 had joined. I then ran a sniff on the segment between P and PE3.

Sample LSM Topology
Sample LSM Topology

Examining the Continue reading

NSF and GR on Nexus 5000

NSF and GR are two features in Layer 3 network elements (NEs) that allows two adjacent elements to work together when one of them undergoes a control plane switchover or control plane restart.

The benefit is that when a control plane switchover/restart occurs, the impact to network traffic is kept to a minimum and in most cases, to zero.

NSF

  • Non-Stop Forwarding
  • When a control plane protocol such as BGP, OSPF, or EIGRP restarts and neighbors/adjacencies are reset, NSF will allow the data plane to hold onto the routes that were learned via that control plane protocol and continue to forward traffic while the neighbors/adjacencies are re-established.
  • Control plane restarts occur when you have a router or switch with dual route processors or supervisor engines and there is a switchover from the active to the hot standby. When the newly active RP/sup takes over, it has to re-establish neighbors/adjacencies because that information is not part of the synchronization that occurs between the two RPs/sups.
  • NSF keeps traffic moving — without the need to reroute — while the switchover is happening.
  • NSF happens locally, all within the network element where the switchover is happening.

GR

BRKRST-3014 – Policy, Complexity, and Modern Control Planes


Presented by: Russ White, LinkedIn

Networks are complex. How do we measure complexity? How do we measure scale? What’s the unit of measure?

You can’t “solve” complexity.

Alderson D and J Dole “complexity in highly organized systems arises primarily from design strategies intended to create robustness to uncertainty.” There’s a point on the complexity scale where robustness actually drops. “Robust but fragile”.

Dunning Kruger effect?

What is complexity?

  • Anything you don’t understand?
  • Anything with many parts?
  • Anything with unintended consequences?
  • Something that can’t be solved; can’t be easily defined.
  • We need to develop a model to understand complex systems quickly

“If you haven’t found the trade off, you haven’t looked hard enough” — Russ

The model:

  • Ask, Why?
  • Ask ,What & How?
  • State
  • Optimization
  • [Interaction] Surface (where two components interact with each other [which could be, and often is, human on CLI])
  • Ask, This is like what? (what’s it similar to?)
  • Now matter how you’re analyzing a network (protocols, applications, whatever), you’ll find these 3 things.
  • Good examples of questions to ask for each point in different use cases

3-way trade off:

  • Quick/Cheap/Quality, or
  • State/Surface/Optimization

“Adding more state to the system should result in an increase in optimization” Continue reading

BRKEWN-2011 – Managing An Enterprise WLAN With Cisco Prime Infrastructure

Presenter: Paul Lysander, Technical Marketing Engineer, Cisco

“How many of you are not using PI 3.x?” –Paul; perhaps 10-20% put up their hands.

Morning after the customer Appreciation Event. Good turnout. ?

Where does PI fit in the network? 

  • PI gets information from the network; it’s not the source of data
  • Sources include: wireless LAN controller, CMX, ISE

Side note: PI 3.1 maintenance release 1 (MR1) is coming next week. When released, it will be the generally recommended release for customers to run.

Create Sites and Location Groups before adding devices to the inventory. These groups are used throughout PI. Eg: a Site can be used with a Virtual Domain to provide role-based access to devices in the environment (Admin1 can’t see Admin2’s devices; Admin1 only session Campus1 and SuperAdmin sees all). Device membership in a site can be done statically or by policy.

  • Administration > Users > Virtual Domains (create and edit Virtual Domains)
  • Administration > Users > Users, Roles & AAA (map users to a Domain)

Config Templates:

  • Discovery: templates can be discovered by pulling in the config (or parts thereof) from an already configured WLC

New feature in 3.1: Plug and Play for Continue reading

BRKRST-2042 – Highly Available Wide Area Network Design

Presented by: David Prall, Communications Architect, Cisco

For reference, David is the “father of IWAN”.

This session was not what I was expecting. I was expecting design and architecture, but it was all about features in IOS and IOS-XE (eg, FHRPs, talked about routing protocol timers, PfRv3, BFD). I guess I need to pay more attention to the session code (RST == routing; ARC == architecture).

Original article: BRKRST-2042 – Highly Available Wide Area Network Design

Copyright © 2016 Joel Knight . All Rights Reserved.

BRKEWN-2017 – Understanding RF Fundamentals and the Radio Design of 11n/ac Networks


Presenter: Fred Niehaus, Technical Marketing Engineer, Cisco Wireless Networking Group

Basic understanding of radio:

  • Every radio wave has a physical size (proportionate to its wavelength)
  • The lower the frequency, the physically longer the radio wave
  • Higher frequencies have shorter waves and as such, takes more power to move them greater distances
  • 5Ghz UNI 2 and UNI 2 Ext overlap with DFS (RADAR)
  • Dynamic Freq Selection (DFS) requires that if a radio is operating in UNI 2/UNI 2 Ext and it hears something that is not WiFi, it has to get off that channel

Antenna basics:

  • Directional or omnidirectional (360 degree)
  • Cisco color markings: blue: 5, black 2.4, orange 2.4 and 5ghz
  • Low gain omnidirectional antennas radiate in a beach ball pattern
  • Omni-direction dipoles in a pancake pattern
  • Yagis are directional; radiate more like a flashlight
  • Patch: multiple elements in a square form factor; radiates like a flashlight
  • Dipole: does not require a ground plane as the bottom half is the ground
  • Monopole requires a (conductive surface) ground plate; monopoles are shorter than dipoles and often used on APs (because of the smaller size) and they can use the metal in the AP as the ground plate.
  • Azimuth: how Continue reading

BRKARC-3300 – IOS-XE: Enabling the Digital Network Architecture

Presented by Muhammad A Imam, Sr Manager Technical Marketing Engineering

Brand new session!

The goal of the session is to give an understanding of IOS-XE Denali 16.x.

How many have downloaded 16.x?” — maybe 10% put up their hands

The upcoming 16.3 (target for this month) will support Cat 3850,3650, ISR, and ASR 1000.

The original operating system on the AGS, back in 1986, was simply called “Operating System”. There are still parts of Operating System in IOS today (scary!!).

IOS-XE (code name BinOS) came around in 2007 on the ASR 1000. In 2010, IOS-XE (code name Nova) was released for the Cat4k. These two editions of XE were similar, but different and were written by different engineering teams.

The vision for IOS-XE Denali is a single code base across Cisco enterprise platforms. Benefits include: similar features, consistent version numbers, consistent release schedule, consistent test and validation of releases, consistent commands (eg “show platform …”).

“We are changing the way we write code” –Muhammad; code is being pulled out of the IOSd blob and written as a subsystem within IOS-XE (over time).

Crimson database:

  • New component in Denali
  • Maintains state for subsystems
  • Holds configuration
  • Continue reading

BRKNMS-2701 – How I Learned to Stop Worrying and Love Prime Infrastructure

Presenters:

  • Lewis Hickman, Consulting Systems Engineer
  • Jennifer Valentine, Systems Engineer


Quick survey in the room: 60-70% of attendees running PI 3.x; 10-20 PI 2.x; some still on LMS.

“There are 37 different ‘Cisco Prime’ products” — Lewis

“Cisco Prime” isn’t a product; “Cisco Prime Infrastructure” is. Cisco Prime is a family of products.

PI traces its lineage back to 1996: CWSI > Cisco Works LMS > Cisco Prime LMS > WCS > NCS > Prime Infrastructure.

“1232 SysObjIds supported in PI today” — Lewis (aka, 1232 different devices supported by PI)

Two people (only!!) in the room running Network Analysis Module.

UCS Server Assurance module: enables mgmt of UCS servers; will integrate into vCenter and map VMs to physical hosts for you. 

Operations Center: manager of managers for PI

Licensing in PI 3.x:

  • One license for Lifecycle and Assurance now
  • Different license files for different device types
  • Different device types require a specific number of “tokens”
  • When a license is installed in PI 3.x, it gets converted into the appropriate number of tokens
  • As you add devices to PI, it draws down on the number of free tokens in the pool
  • Hint: You don’t Continue reading

BRKEWN-2019 – 7 Ways to Fail as a Wireless Expert

Presenter: Steven Heinsius, Product Manager, Enterprise Networking Group

I’m hoping the title of this session could also be “7 Ways to not be a TOTAL Wireless Noob” since that’s more my level. ?

The Basics

  • WiFI has been a standard since 1997

Taking a 100 employee company….

  • 1999: 1-2 clients on the network
  • 2005: 5 or 10
  • 2007: 25+ (802.11n came around)
  • 2010: 150 (smartphones in the office; laptops becoming the norm in the office)
  • 2013: > 200
  • 2016: > 300 (3 devices per person)

In 2007-2009, networks were designed for coverage. Those networks are still around and are being asked to support (on average) 3 devices per person.

WiFi is

  • Half duplex
  • A shared medium (like a hub!)
  • AP talks to one client at a time; airtime is time sliced amongst all clients
  • AP asks a client to ack every packet (?) it sends to a client
  • Acks are retransmitted if not answered which means all other clients have to remain silent (and lowers performance)

Distance vs modulation

  • When a client is farther away from the AP, the modulation is stepped down to increase the likelihood that the signal will make it
  • The trade off is that Continue reading

BRKIOT-2109 – Connecting Oil and Gas Pipelines


Presenters:

  • Rick Irons-Mclean, Oil & Gas and Energy Architecture Lead
  • Jason Greengrass, IoT Solution Architect


Connected Pipelines Validated Design: coming this week! Cisco.com/go/cvd > Oil & Gas area

  • This CVD was built with customer input (from around the globe) and Cisco account team input (including yours truly)
  • Next iteration of the CVD will contain more security, including providing better visibility into  traffic and events in the control center network

For those that aren’t familiar with the oil/gas business, there’s three areas:

  • Upstream: discovery and extraction
  • Midstream: storage and transport
  • Downstream: refining (turning it into product) and marketing/selling

Cisco can work and play in all three areas. Eg:

  • Connected Pipeline
  • Connected Refinery
  • Secure Ops (managed security services from Cisco)
  • Connected Oilfield

ISA95/99 (aka Perdue Model) – describes an architecture for different security zones within the industrial environment.

  • Bottom is Level 0 – where the process actually happens (valves, pumps, etc)
  • Top is Level 5 – the business/enterprise network

Operational principles (compare this with a typical enterprise environment and principles):

  • Continuous operation: 24×7, 365 days a year
  • Continuous visibility and control: operators need constant communication to the pipeline
  • Safety and compliance: pipeline integrity, safety, security and reliability

With respect to 24×7 Continue reading

Random Notes From My Third CPOC

I was lucky enough (volunteering for very challenging work is luck, right? ?) to finish my third tour through Cisco CPOC last wcpoceek. CPOC is Cisco’s Customer Proof of Concept facility where customer’s can bring their network design, build it in Cisco’s lab, and beat the hell out of it. CPOC has tons of network and compute gear, all the right testing tools and processes, and excellent work areas that cater to collaborative work and information sharing. It’s also staffed by very senior and experienced engineers.

I know it’s cliche and I know I’m biased because I have an @cisco.com email address, but I’ve truthfully never seen anything like CPOC before. And the customer’s I’ve worked with at CPOC haven’t either. It’s extremely gratifying to take something you built “on paper” and prove that it works; to take it to the next level and work those final kinks out that the paper design just didn’t account for.

If you want more information about CPOC, get in touch with me or leave a comment below. Or ask your Cisco SE (and if they don’t know, have them get in touch with me).

Anyways, on to the point of this Continue reading

Label Switched Multicast – Q&A

This post is the last one I’m planning in this series on Label Switched Multicast (LSM). The questions & answers below are meant to expand on topics from the previous posts or address topics that weren’t mentioned in the previous posts at all.

If you’re not familiar with LSM yet then this Q&A likely won’t make much sense to you and I recommend you go back and read through the previous posts.

Please post a comment if one of the answers isn’t clear or you have additional questions!

How can the mapping between a (*,G) or (S,G) and a Multicast Distribution Tree be found?

If you have a (*,G) or an (S,G), the following commands will show you which MDT is being used through the MPLS core. I find the easiest place in the network to check the mapping between a (*,G) or (S,G) and an MDT is on the Ingress PE. Two tables hold the mapping:

1 – the MFIB:

PE1#show ip mfib vrf BLUE 239.3.3.3
[...]
VRF BLUE
 (*,239.3.3.3) Flags: C
   SW Forwarding: 0/0/0/0, Other: 0/0/0
   Tunnel0 Flags: A
   Lspvif0, LSM/2 Flags: F NS
     Pkts:  Continue reading

Getting Traffic to a Virtual Firepower Sensor

I wanted to jot down some quick notes relating to running a virtual Firepower sensor on ESXi and how to validate that all the settings are correct for getting traffic from the physical network down into the sensor.

Firepower is the name of Cisco’s (formerly Sourcefire’s) so-called Next-Gen IPS. The IPS comes in many form-factors, including beefy physical appliances, integrated into the ASA firewall, and as a discrete virtual machine.

Since the virtual machine (likely) does not sit in-line of the traffic that needs to be monitored, traffic needs to be fed into the VM via some method such as a SPAN port or a tap of some sort.

1 – Validate vSwitch Settings

This is probably not a very real-world example since most environments will be running some form of distributed vSwitch (dvSwitch) and not the regular vSwitch, but all I’ve got in my lab is the vSwitch, so work with me. The same considerations apply when running a dvSwitch.

Ensure that the port-group where you’re attaching the NGIPSv allows promiscuous mode. The NGIPSv acts as sniffer and will attempt to put its NICs into promisc mode.

NGIPSv_ESXi_Port_Group_Promisc
Set ESXi Port Group to Allow Promiscuous Mode

Set this either at Continue reading

Label Switched Multicast – Packet Walk

This post is going to follow a multicast packet as it moves through a sample MPLS network using Label Switched Multicast (LSM). I’ll show how the packet moves through the network by looking at the forwarding tables on different routers and also by doing some packet captures.

This post is part of a series I’m writing on LSM and if you’re not already familiar with LSM, I recommend you go back and read the previous posts.

After reading this post you will be able to precisely describe how LSM forwarding works in the data plane and will be able to do some basic troubleshooting.

Let’s get into the lab!

The Topology

I’m using the same sample network as the previous posts with three CEs all in the same VRF, three PEs and just a single P router. Each of the CEs and PEs is multicast enabled.

Sample LSM Topology
Sample LSM Topology

The scenario I’m going to be running here is CE1 sending an ICMP echo to the group 239.23.23.23. The receivers in this group are CE2 and CE3.

Between CE1 and PE1

I’m going to just gloss over the traffic exchanged between CE1 and PE1 since nothing changes here Continue reading

Label Switched Multicast – Configuration

In the previous post (Label Switched Multicast – An Introduction) in this series on Label Switched Multicast (LSM) I introduced the concepts behind LSM and draft-rosen, the two most poplar methods for transporting multicast traffic through MPLS Layer 3 VPNs.

In this article I will talk through the configuration of LSM on the PE and P routers and get to the point where two CEs are successfully passing multicast traffic via the MPLS network. All of the configuration examples will be relevant to Cisco IOS.

As was the case in the introduction article in the series, it’s best if you already have a good understanding of multicast and MPLS before reading this article.

At the end of this article you’ll be able to start configuring your own LSM environment using the configuration samples here as a template.

To the CLI!

Configuring the Provider Network

In order to keep this post on point, I’m going to start on the basis that basic routing, LDP and MP-BGP are already configured and that unicast traffic is successfully flowing between all CEs.

The basic topology being used here is the same as the one in the introduction post:

Sample LSM Topology
Sample LSM Topology

Within the Continue reading

Label Switched Multicast – An Introduction

There are two common methods for transporting multicast packets within an MPLS-based Layer 3 VPN:

  1. Generic Routing Encapsulation (GRE) with Protocol Independent Multicast (PIM) (also known as “draft-rosen”)
  2. Label Switched Multicast (LSM)

There’s also a third method which uses Resource Reservation Protocol—Traffic Engineering (RSVP-TE) but I’m not going to get into that one.

In this first post in a series on LSM, I’ll describe how draft-rosen works, how LSM works, and then compare and contrast the two. Subsequent posts will focus solely on LSM.

At the end of this post, you will be able to describe conceptually how the control and data planes work with LSM and what the pros and cons are of LSM as compared to draft-rosen.

I will not be covering any theory on multicast or MPLS and will instead recommend that you be familiar with both topics before reading further.

Here we go!

Draft-rosen

All in all, draft-rosen is not all that different from running PIM-Sparse Mode (SM) in a non-MPLS network.

Draft-rosen requires that the MPLS network — the P and PE routers — all be multicast enabled and all run PIM. Each PE that is participating in the draft-rosen multicast network will form a Continue reading

2015 End of Year Blog Statistics

Happy New Year! As is my tradition, here are the 2015 blog statistics as compared to 2014.

I’m pretty excited that once again readership and overall reach of this blog has increased by double digits. I’m looking forward to growing these numbers and creating challenging and interesting new content in 2016.

Here are the overall statistics comparing Jan 1 – Dec 30 2015 (first number) to Jan 1 – Dec 30 2014 (second number):

2015 YoY
2015 YoY

The number of sessions and number of unique users clipped the 100,000 mark for the first time. Session duration fell off, but I think that is a funny metric. I’ve not bothered to investigate how Google Analytics measures that nor do I understand conceptually how it’s even possible to measure how long someone stays on a web page, so I’ve never put much stock in that metric.

New vs returning visitors are basically unchanged from last year:

2015 YoY Visitors
2015 YoY Visitors

The top five browsers hitting the site is precisely the same as last year:

2015 YoY Browsers
2015 YoY Browsers

What’s interesting here is that out of the ~138,000 sessions that hit the site in 2015, Chrome was the only browser that was used for a bigger Continue reading

Avoiding an ISSUe on the Nexus 5000

The idea for this post came from someone I was working with recently. Thanks Fan (and Carson, and Shree) :-)

In Service Software Upgrade (ISSU) is a method of upgrading software on a switch without interrupting the flow of traffic through the switch. The conditions for successfully completing an ISSU are usually pretty strict and if you don’t comply, the hitless upgrade can all of a sudden become impacting.

The conditions for ISSU on the Nexus 5000 are pretty well documented (cisco.com link) however, there are a couple bits of knowledge that are not.  This post is a reminder of the ISSU conditions you need to comply with and a call out to the bits of information that aren’t so well documented.

The two major ISSU conditions on the n5k are:

  1. You must unconfigure all Layer 3 features
  2. The n5k must not have any Spanning Tree (STP) ports in Designated state unless the port is an Edge port.

The first one is easy: the switch cannot be doing any routing. Even if the switch is Layer 2 only, this condition will still fail if any of the following are true:

OSPF vs EIGRP for DMVPN

In this post I’m going to look at the characteristics of OSPF and EIGRP when used in a Dynamic Multipoint VPN (DMVPN). I will do my best not to play favorites and instead stick to the facts (yes, I do have a preference :-). To that end I will back everything up with data from my lab. The focus areas of the comparison will be:

  • Scalability of the hub router’s control plane
  • Overall control plane stability
  • Traffic engineering

This post won’t go into any background on how DMVPN works. If you’re not yet familiar with DMVPN, I recommend watching these introductory videos by Brian McGahan. This post also does not do a deep dive on OSPF or EIGRP. I’m making the assumption that you’re already familiar with the different LSA types in OSPF and general functions of EIGRP.

After reading this post you should be able to describe the pros and cons of OSPF and EIGRP in the three areas listed above and incorporate this knowlege into a DMVPN design.

Continue reading

Book Review: Design For How People Learn

Design For How People Learn, by Julie Dirksen (ISBN 978-0321768438)

Design_for_how_people_learn

I saw the title for this book roll across my Twitter feed — can’t remember from who, sorry — from someone who had a blog and was advocating for other bloggers to check this book out. When I read the abstract for the book, I immediately added it to my reading list.

“Whether it’s giving a presentation, writing documentation, or creating a website or blog, we need and want to share our knowledge with other people. But if you’ve ever fallen asleep over a boring textbook, or fast-forwarded through a tedious e-learning exercise, you know that creating a great learning experience is harder than it seems.”

Continue reading

1 2 3 4 5 6