EtherChannel – Quick and Dirty

EtherChannel allows you to aggregate several switch links into a single, fast, fault-tolerant, logical interface. 16 links can be defined for an EtherChannel, however, a maximum of 8 will be active at any one time.  The other links are placed on standby.

While having multiple links between two switches can possibly create bridging loops, EtherChannel avoids this by bundling the links into a single logical interface.  This logical interface can be configured as an access or trunk interface.

For ports to be members of the same EtherChannel, there are some restrictions. Ports must:

  • Belong to the same VLAN
  • Have identical STP settings
  • Have identical speed/duplex settings
  • Note: In addition, if the EtherChannel is to be used as a trunking interface, all ports must be in trunking mode, have the same native VLAN, and pass the same set of VLANs.

The full duplex maximum bandwidth for 8 links is as follows:

  • Fast EtherChannel (FEC): 1600 Mbps
  • Gigabit EtherChannel (GEC): 16Gbps
  • 10-Gigabit EtherChannel (10GEC): 160Gbps
  • Note:  This is theoretical; maximum bandwidth is not likely to be achieved due to unequal load balancing, and other factors.

Load Balancing

 

EtherChannel load balancing across the links can occur in a number Continue reading

Brocade Auth-Change-Wait-Time

 

The other day I was at work doing an interoperability test with Cisco and Brocade multilayer switches, and we ran into a strange issue that really highlighted my “tunnel view” to the Cisco world.

We were setting up basic OSPF stuff using md5 authentication and we couldn’t get the Cisco and Brocade to form an adjacency.  A debug ip ospf adjacency command on the Cisco switch revealed that the Cisco was using “type 2” authentication, and the Brocade was using “type 0”. 

Here’s a quick breakdown of the authentication types:

Type 0 No authentication
Type 1 Clear text authentication
Type 2 md5 authentication

I set up a SPAN on the Cisco switch and sure enough, we were getting the OSPF Hello packets from the Brocade with no authentication.

After some digging, it turns out the Brocade has an Auth-Change-Wait-Time command in interface configuration mode.  This is set to 300 seconds (5 minutes) by default.  While I don’t quite understand it, the description states it allows for graceful authentication implementation.  So after you enable md5 on the interface, it waits 300 seconds before actually sending OSPF Hellos with authentication.  We toyed around with it Continue reading

OSPF LSA Manipulation Vulnerability – 8/1/2013

Vulnerability Details

OSPF LSA Manipulation Vulnerability in Multiple Cisco Products

· Summary

Multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, blackhole traffic, and intercept traffic.
The attacker could trigger this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause flushing of the routing table on a targeted router, as well as propagation of the crafted OSPF LSA type 1 update throughout the OSPF AS domain.
To exploit this vulnerability, an attacker must accurately determine certain parameters within the LSA database on the target router. This vulnerability can only be triggered by sending crafted unicast or multicast LSA type 1 packets. No other LSA type packets can trigger this vulnerability.
OSPFv3 is not affected by this vulnerability. Fabric Shortest Path First (FSPF) protocol is not affected by this vulnerability.

· Affected Products

Cisco devices that are running Cisco IOS Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability.

Cisco devices that are running Cisco IOS Continue reading

UCS Central 1.1 Lab

I saw the announcement that Cisco had posted the emulator for UCS version 2.1(2a) a week ago. @CiscoServerGeek that integrates with UCS Central 1.1, right? — Frank Jimenez (@franjimecsco) July 26, 2013 This was pretty cool, seeing as the firmware version in general had only been out for a few weeks, and the emulators have traditionally taken a bit longer after their firmware release. I took this as an opportunity to set up my own UCS Central lab.

UCS Central 1.1 Lab

I saw the announcement that Cisco had posted the emulator for UCS version 2.1(2a) a week ago. @CiscoServerGeek that integrates with UCS Central 1.1, right? — Frank Jimenez (@franjimecsco) July 26, 2013 This was pretty cool, seeing as the firmware version in general had only been out for a few weeks, and the emulators have traditionally taken a bit longer after their firmware release. I took this as an opportunity to set up my own UCS Central lab.

Security Word of the Day: Stoogecraft

Today’s word of the day comes to Packetpushers courtesy of Seth Godin*: Stoogecraft. Stoogecraft is what happens when people or organizations in power do what feels right in the short run without thinking at all about the alternatives or the implications. It’s the result of fear or boredom or a misplaced focus. Sound familiar? Stoogecraft […]

Author information

Mrs. Y

Snarkitecht at Island of Misfit Toys

Mrs. Y is a recovering Unix engineer working in network security. Also the host of Healthy Paranoia and official nerd hunter. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop. When not blogging or podcasting, can be found using up her 15 minutes in the Twittersphere or Google+ as @MrsYisWhy.
TwitterLinkedIn

The post Security Word of the Day: Stoogecraft appeared first on Packet Pushers Podcast and was written by Mrs. Y.

Nobody says it but we all feel like frauds

I am going to deviate a little bit from my normal career advice here and talk about something a bit more personal for me. I have told this story to colleagues at times over the past several years, and I am always a little surprised that everyone appears to feel the same way. But we […]

Author information

Michael Bushong

The post Nobody says it but we all feel like frauds appeared first on Packet Pushers Podcast and was written by Michael Bushong.

Teaching Without a Teaching Degree

So, let’s say you’re a technical admin, engineer, architect, whatever (most of you are). It’s probably safe to say that nearly all of you (I fit into this) have an occupation where our primary ongoing task is some combination of system or network administration, design, software and hardware engineering work, including build-out or troubleshooting, etc. Maybe it’s all of these. No matter what, it’s a safe assumption that a big, or maybe even number one reason we all get paid is because we’re really good at the technical work.

Teaching Without a Teaching Degree

So, let’s say you’re a technical admin, engineer, architect, whatever (most of you are). It’s probably safe to say that nearly all of you (I fit into this) have an occupation where our primary ongoing task is some combination of system or network administration, design, software and hardware engineering work, including build-out or troubleshooting, etc. Maybe it’s all of these. No matter what, it’s a safe assumption that a big, or maybe even number one reason we all get paid is because we’re really good at the technical work.

Quiz #16 &#8211 BGP Filtering Updates

Company ABC is in process of configuring BGP Confederations between its sites. During a small transition period, there will be no BGP between R3 and R2, but instead only static routing. Have a look at the quiz and try answering the question !

The Dangers of Fanboyism

In the short amount of time since I tripped and fell into this industry, one thing is clear - fanboyism (Is that a word? It is now.) is EVERYWHERE. Those that love Cisco, really love Cisco. Those that love Juniper, really hate Cisco. It’s hard to start working in this industry, especially in a relatively single-vendor environment, and not acquire a strong affinity to one side of the other. Not to mention the fact that big companies like Cisco have huge, widely used and respected certification programs, so it’s easy for an engineer to take Cisco’s word as the word of god.

That Ole Familiar “Network” Command

A basic concept, but one that is consistently the cause of confusion even in the most learned technical circles within Cisco networking, is the specific role that the “network” command plays in various routing protocols. The reason for this confusion? The use of the word “network” itself. Let’s explain. The Problem Let’s say you had a shiny new Cisco router, and that router had 4 networks you wished to advertise (I used loopbacks for simplicity):

The Dangers of Fanboyism

In the short amount of time since I tripped and fell into this industry, one thing is clear - fanboyism (Is that a word? It is now.) is EVERYWHERE. Those that love Cisco, really love Cisco. Those that love Juniper, really hate Cisco. It’s hard to start working in this industry, especially in a relatively single-vendor environment, and not acquire a strong affinity to one side of the other. Not to mention the fact that big companies like Cisco have huge, widely used and respected certification programs, so it’s easy for an engineer to take Cisco’s word as the word of god.

That Ole Familiar “Network” Command

A basic concept, but one that is consistently the cause of confusion even in the most learned technical circles within Cisco networking, is the specific role that the “network” command plays in various routing protocols. The reason for this confusion? The use of the word “network” itself. Let’s explain. The Problem Let’s say you had a shiny new Cisco router, and that router had 4 networks you wished to advertise (I used loopbacks for simplicity):

The Importance of Effective Communication at Work

There are many different personality traits found in individuals in our industry. One trait that I’ve found dominant in technical roles is that of introversion. This trait is one that often manifests itself by creating challenges with verbal communications. Depending on an individual’s role, or desired role, this can prevent a technology rockstar from reaching […]

Author information

Paul Stewart

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With nearly 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems. Paul also writes technical content at PacketU.

The post The Importance of Effective Communication at Work appeared first on Packet Pushers Podcast and was written by Paul Stewart.

Nexus 5500 ASIC to port mapping


While assigning ports on a Cisco Nexus 5500 switch, it is a good practice to span out ports that belong to separate ASICs on board to uplink to upstream or downstream devices. For e.g. while connecting a 5500 to say a UCS FI, it is good practice to select 2 ports from one ASIC bay and 2 from another ASIC bay. The way you find out ASIC to port mapping is with the following CLI command : 'show hardware internal carmel asic <0-13>' where 0-13 are the ASIC numbers. 


Here, Ports 9-16 are mapped to ASIC 1. On Nexus 5500 switches, 8 ports are mapped to each ASIC.

HP Moonshot

Despite my humble beginnings as a network engineer, I’m almost always including servers/virtualization/storage in my day-to-day work. If you’re not into building servers from scratch (not a bad venture) then the leaders in the server space might be a good fit for you - most are doing some pretty interesting things in the battle for the top spot in this space. Most folks would agree that HP is still the number one leader, even if only considering pure volume (I see c7000 chassis EVERYWHERE).
1 3,736 3,737 3,738 3,739 3,740 3,793