Tuesday, April 25, 2017

Cisco UDLD configuration.

                                     UDLD-unidirectional link detection 

Most network links communicate in both directions (bidirectionally). A software or hardware fault can leave traffic flowing in one direction only, and this is most often seen where fibre connections are used, because transmit and receive run over separate strands: one strand can fail or be mis-patched while the other stays up and the port still shows link.

STP relies on switches exchanging BPDUs in both directions. If a port fails in one direction so that BPDUs flow one way only, the switch that stops receiving BPDUs assumes the upstream switch (or the link) has gone away and moves its blocked port to forwarding. Since the other direction still carries traffic, the result is a switching loop.
To prevent this, Cisco developed UDLD, a Layer 2 protocol that verifies that a link really is bidirectional.
A switch with UDLD enabled sends UDLD frames carrying its own device and port ID out of the port and expects the neighbour to echo that ID back in its own UDLD frames. If the neighbour's frames stop arriving, or arrive without the local port's ID echoed in them (meaning the neighbour cannot hear this side), UDLD concludes that the link is unidirectional.

By default UDLD sends its advertisement frames every 15 seconds; some Cisco platforms default to 7 seconds.
UDLD operates in two modes:
>Normal mode
>Aggressive mode
Normal mode is the default. If the neighbour's UDLD information simply times out, UDLD takes no action: the port is marked as undetermined and STP continues to govern it. A port is errdisabled in normal mode only when UDLD positively detects a unidirectional link, for example a mis-patched fibre pair where the local ID never comes back in the neighbour's echo.
In aggressive mode, when a neighbour that was bidirectional stops responding while the link is still up, UDLD tries to re-establish the relationship (eight probes, one per second) and, if that fails, puts the port into errdisable. Recovery is not automatic and has nothing to do with BPDUs arriving: the port stays errdisabled until it is reset with udld reset, bounced with shut/no shut, or errdisable recovery is configured for the udld cause.
UDLD is enabled globally with the command below.

Switch(config)#udld enable 

The enable keyword puts UDLD into normal mode. For aggressive mode use

Switch(config)#udld aggressive 

It is disabled globally with
Switch(config)#no udld enable

Note that the global commands apply to fibre-optic ports only; copper ports need the per-interface form (udld port or udld port aggressive), and a fibre port can be excluded with udld port disable.

Ports that UDLD has errdisabled are reset with
Switch#udld reset 

UDLD status (mode, neighbours and per-port state) is shown by
Switch#show udld
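The echo mechanism and the normal/aggressive difference described above, as an added example that is not Cisco code and not part of the original post. It is a simplified model: the device IDs, the 45 s hold time (three missed 15 s advertisements) and the eight one-second retries are assumed values for illustration.

```python
"""Simplified model of UDLD's echo-based detection (added example, not Cisco code).

Each side sends a probe carrying its own device:port ID plus an "echo" list of the
neighbour IDs it has heard. A port decides the link is unidirectional when the
neighbour's probe does not echo the local ID (the neighbour cannot hear us), or,
in aggressive mode, when a known neighbour goes silent while the link stays up.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Probe:
    sender: str              # neighbour's device:port ID
    echo: tuple[str, ...]    # IDs the neighbour has heard on this link


@dataclass
class UdldPort:
    my_id: str
    mode: str = "normal"           # "normal" (default) or "aggressive"
    hold_time: int = 45            # assumed: seconds without a probe before the neighbour is lost
    state: str = "undetermined"    # undetermined | bidirectional | errdisable
    neighbor: str | None = None
    last_heard: int = 0
    retries: int = 0

    def receive(self, probe: Probe, now: int) -> str:
        """Process a probe from the neighbour (it arrived on our RX strand)."""
        self.neighbor, self.last_heard, self.retries = probe.sender, now, 0
        if self.my_id in probe.echo:
            self.state = "bidirectional"          # neighbour hears us and we hear it
        else:
            # Our TX never reaches the neighbour (dead strand or mis-patched fibre):
            # a positively detected unidirectional link is errdisabled in both modes.
            self.state = "errdisable"
        return self.state

    def tick(self, now: int) -> str:
        """Run once per second; handles a neighbour that has gone silent."""
        if self.state != "bidirectional" or now - self.last_heard <= self.hold_time:
            return self.state
        if self.mode == "normal":
            self.state = "undetermined"   # no action; STP keeps governing the port
        else:
            self.retries += 1             # aggressive: re-probe, then give up
            if self.retries >= 8:         # assumed retry budget
                self.state = "errdisable"
        return self.state


def simulate_silence(mode: str, seconds: int) -> str:
    """Neighbour echoes us once at t=0, then stays silent for `seconds` seconds."""
    port = UdldPort(my_id="SW1:Gi1/0/1", mode=mode)   # constructed IDs
    port.receive(Probe(sender="SW2:Gi1/0/2", echo=("SW1:Gi1/0/1",)), now=0)
    for t in range(1, seconds + 1):
        port.tick(t)
    return port.state


def simulate_miswire(mode: str) -> str:
    """Neighbour sees the link up but has never heard our ID (fibre mis-patch)."""
    port = UdldPort(my_id="SW1:Gi1/0/1", mode=mode)
    return port.receive(Probe(sender="SW2:Gi1/0/3", echo=()), now=0)


if __name__ == "__main__":
    for mode in ("normal", "aggressive"):
        print(mode, "silence ->", simulate_silence(mode, 60),
              "| miswire ->", simulate_miswire(mode))
```

The point the model makes explicit: a silent neighbour is only a fault in aggressive mode; normal mode hands the decision back to STP, which is exactly the case that can end in a loop.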

 

STP BackboneFast

                            BackboneFast

UplinkFast speeds up convergence when a directly connected link (the local root port) fails. To handle indirect failures, where a link elsewhere in the topology fails, BackboneFast was added to STP. Say the link between SW1 and SW3 fails. SW5 eventually has to recalculate the topology and learn the path to the root bridge through SW4, but without BackboneFast it must wait for the Max Age timer (20 s) to expire before it discards the superior BPDU it stored from SW3 and accepts the inferior BPDU now arriving from SW4.
BackboneFast lets SW5 skip that Max Age wait: when the inferior BPDU arrives it immediately expires the stale BPDU, and the blocked port moves through listening and learning to forwarding. Total convergence after an indirect failure drops from 50 s (20 s Max Age plus two 15 s forward delays) to 30 s. It works by having SW5 send a Root Link Query (RLQ) out of its root port as soon as the inferior BPDU is received, to check whether the root bridge is still reachable.
The root bridge answers with an RLQ reply, and SW5 acts on where the reply arrives:
1. If the reply arrives on SW5's root port, the path to the root is intact: SW5 keeps its root port and only expires Max Age on the port that received the inferior BPDU, so that port can respond to its neighbour straight away.
2. If the reply arrives on a non-root port (or no reply comes back), SW5 knows its own path to the root has failed: it expires its Max Age timers immediately and starts a new root port election.

BackboneFast is enabled globally, and it must be enabled on every switch in the STP domain: the RLQ exchange is a Cisco extension, and a switch that does not understand it will not answer the query.
Switch(config)#spanning-tree backbonefast

 

STP Uplinkfast

Which STP features improve the convergence process?
1. PortFast (already explained in the previous post)
2. UplinkFast
3. BackboneFast

UplinkFast
Normally, if the root port on a switch fails (say the RP on SW3), STP has to recalculate and bring one of the blocked ports up as the new root port. That takes at least 30 s, two forward-delay timers (listening and learning), before the port forwards. That delay is unacceptable in some environments, so UplinkFast keeps the alternate blocked port in a standby role: as soon as the switch detects that its root port has failed, it moves the standby port straight to forwarding, bypassing the 30 s of forward delay. So that upstream switches stop sending traffic towards the dead link, it also floods dummy multicast frames for the MAC addresses in its table, which makes the upstream CAM tables relearn the new path.
Note: if several ports are blocked, UplinkFast chooses the one with the lowest root path cost and moves that port to forwarding.
UplinkFast is disabled by default; the command below enables it globally for all VLANs on the switch.

Switch(config)# spanning-tree uplinkfast 

UplinkFast's actual job is to track the uplink to the root bridge, so it is not supported on the root bridge; it is intended only for downstream (access-layer) switches.
Enabling UplinkFast automatically raises the bridge priority to 49152 and adds 3000 to every port cost, so the switch can neither become root nor become a transit path for other switches.

How to avoid loops in a switched network

SWITCHING BASICS.
The STP topology of a switched network is susceptible to attack in several ways. In the typical case an intruder plugs a rogue switch into a running STP domain; if it advertises a better bridge ID it is elected root bridge, the whole topology reconverges around it, and traffic can be redirected through the attacker's device or blackholed. To protect the STP topology against such cases, Cisco added the following features.
1. PortFast
2. BPDU guard
3. BPDU filter
4. Root guard
5. Loop guard

1.  PORTFAST
According to spanning-tree rules, every port has to go through the port states blocking -> listening -> learning -> forwarding before it can forward traffic. The port spends 15 s in listening and another 15 s in learning, so a host sees a 30 s delay before the port carries data. Some environments run delay-sensitive services such as VoIP and video streaming that need protection from this delay. To avoid it, the ports that connect such servers can be configured with PortFast: they no longer spend 30 s reaching forwarding; as soon as the cable is connected the port goes to forwarding and is ready to send and receive data. Simply enable PortFast on every port that connects a workstation or server, and never on a port that connects another switch. Remember: PortFast does not disable STP on the port, it only skips the listening and learning states. If a BPDU is received on a PortFast-enabled port, the port loses its PortFast status and goes back through the normal STP states.


2. BPDU GUARD
BPDU guard is a technique for enforcing that no BPDU is received or processed on the switch ports where it is enabled. Normally every switch port follows the STP rules and spends 15 s listening and 15 s learning before it can carry data: 30 s in total during which the port sends and receives no data packets. That delay is unacceptable where delay-sensitive services such as VoIP are involved, so we configure those ports as PortFast and STP puts them into forwarding directly. But that alone does not finish the job. What if a bad guy connects another switch with a better (lower) bridge priority to that port? The rogue switch is elected root of your STP domain, advertises superior BPDUs, and the whole existing topology is overwritten and reconverges around it. That is a huge pain. To prevent it, BPDU guard can be configured globally or per port. Configured globally, it applies automatically to every PortFast-enabled port. The moment a BPDU arrives on such a port, BPDU guard puts the port into errdisable, so the BPDU is never processed and the STP domain does not reconverge. In short, BPDU guard is a switch feature you apply to every port where you do not expect BPDUs at all.


3.  BPDU FILTER
BPDU filter stops BPDUs at the interface level. Once the bpdufilter command is configured on a switch port, that port stops sending and receiving BPDUs to and from other switches. Trouble starts when the command is mistakenly configured on a port where filtering BPDUs was not intended. Once the neighbouring switch stops receiving BPDUs on that link, its STP concludes that the upstream switch or port has failed and moves its blocked port to forwarding. The result is a Layer 2 loop, and because Ethernet frames carry no TTL, the looping frames circulate indefinitely. The per-interface form is the dangerous one: the global PortFast form only affects PortFast ports, still sends a few BPDUs at link-up, and the port reverts to normal STP operation if a BPDU is received.
If you don't use this command cautiously in a switched network, you are going to lose your job sooner or later.
I suggest using this filter command as little as possible, because using it without a proper understanding of the network topology or STP domain silently creates huge switching loops.


4. ROOT GUARD
Root guard is a feature available in all STP variants that lets network engineers enforce exactly where the root bridge sits in a complex STP network. It is not applied to every port of the non-root switches: it goes on the ports that must never become a root port, that is the designated ports facing downstream or untrusted switches. Never put it on the port that faces the real root, because a legitimate superior BPDU would trigger it. When a superior BPDU arrives on a root-guard port, that port goes into the root-inconsistent state (effectively listening), the BPDU is not accepted or forwarded, and the switch behind the port cannot take over the root bridge election. The port recovers on its own as soon as the superior BPDUs stop arriving.

Friday, April 14, 2017

Subnetting tricks the easy way.

As a system admin or network admin, the most basic thing to understand is subnetting. I have created cheat sheets so that newbies can understand subnetting techniques without spending much of their time and energy.








Thursday, July 7, 2016

EtherChannel part-III: how load balancing works

We covered the basics and the configuration of EtherChannel in parts I and II; today we look briefly at how load balancing works across an EtherChannel.
Most people assume that traffic sent across an EtherChannel (bond) is distributed equally among all member ports. That is not the case. On Cisco switches load balancing differs from platform to platform, because the switch runs a load-balancing algorithm that picks the egress port from a hash of one of several header fields:
  • source IP address = src-ip
  • destination IP address = dst-ip
  • source and destination IP address = src-dst-ip
  • source MAC address = src-mac
  • destination MAC address = dst-mac
  • source and destination MAC address = src-dst-mac
  • source port = src-port
  • destination port = dst-port
  • source and destination port = src-dst-port
Most Cisco switches balance per flow, because that is how the hardware works. For each packet the switch computes a hash from the header fields named by one of the nine methods above; which fields, and the exact hash, depend on the ASIC, and not all switches are made equal. The hash result selects the member port on which the packet is sent. Every packet of a flow hashes the same way, so a flow stays on one link and is never reordered, and a single flow can never use more than one member's bandwidth.
  • By default on many platforms, Layer 2 frames are distributed by an XOR of the source and destination MAC addresses.
  • Layer 3 packets are distributed by an XOR of the source and destination IP addresses.
As discussed earlier, an EtherChannel supports up to eight active ports. The hash yields one of eight result buckets, which are shared out among the active ports, so the share of traffic each port gets depends on how many ports are active:
  1. 2 ports = traffic share 50%:50% on each port.
  2. 3 ports = traffic share 37.5%:37.5%:25%.
  3. 4 ports = traffic share 25%:25%:25%:25%.
  4. 5 ports = traffic share 25%:25%:25%:12.5%:12.5%.
  5. 6 ports = traffic share 25%:25%:12.5%:12.5%:12.5%:12.5%.
  6. 7 ports = traffic share 25%:12.5%:12.5%:12.5%:12.5%:12.5%:12.5%.
  7. 8 ports = traffic share 12.5% on each port.
Only 2, 4 and 8 ports divide the eight buckets evenly, which is why odd member counts leave some links busier than others.
For the practical part, let's take a simple EtherChannel configuration and check how load balancing works for the hash type in use.











                                                                                                                                                                                                                                          

According to the diagram above, assume that the load-balancing method is src-ip.
The first port in the EtherChannel is link 0 and the second port is link 1.

Two links can be represented by one binary bit: the load-balancing algorithm builds an index that maps bit 0 to link 0 and bit 1 to link 1.
As traffic passes through the EtherChannel, the algorithm hashes the source IP address (in this simplified view, the low bits of its binary form) and looks the result up in that index.
For the example, take two different source IP addresses:

192.168.0.1 = 11000000.10101000.00000000.00000001
192.168.0.2 = 11000000.10101000.00000000.00000010
-------------------------------------------------------------------------


With two ports in the EtherChannel only two index entries exist, link 0 and link 1. The last bit of 192.168.0.1 is 1, so its traffic uses link 1.
The last bit of 192.168.0.2 is 0, so its traffic uses link 0.

With four ports in the EtherChannel a 2-bit index is used, so the last two bits of the address decide:
link 0=00,
link 1=01,
link 2=10,
link 3=11

Because the choice is made per source address, every host whose address shares the same low bits lands on the same link, and one busy host can never exceed a single member link. That is why src-dst-ip or port-based hashing usually spreads traffic more evenly than src-ip alone, and why the hash method is set per switch: each side picks its own egress link, and the two ends do not need to agree.
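The index lookup described above, together with the 8-bucket share table from earlier in this post, as an added example that is not Cisco code and not part of the original post. It follows the text's simplification, using the low bits of the XOR of the chosen fields; real ASICs fold all the address bits into the 3-bit hash, so the link a given flow actually lands on can differ, while the distribution of the eight buckets across N links is the same.

```python
"""Model of EtherChannel per-flow link selection (added example, not Cisco code).
Follows the text's simplification: the low bits of the XOR of the selected
header fields pick the link. Real ASICs fold all address bits into the hash."""
from __future__ import annotations
import ipaddress

BUCKETS = 8   # the hash always yields one of 8 buckets (max 8 active links)


def _ip(addr: str) -> int:
    return int(ipaddress.ip_address(addr))


def _mac(addr: str) -> int:
    # accepts 0000.0c12.3456, 00:00:0c:12:34:56 or 00-00-0c-12-34-56
    return int(addr.replace(":", "").replace(".", "").replace("-", ""), 16)


def field_value(method: str, src_ip: str = "", dst_ip: str = "",
                src_mac: str = "", dst_mac: str = "") -> int:
    """XOR together the header fields the configured load-balance method uses."""
    methods = {
        "src-ip":      lambda: _ip(src_ip),
        "dst-ip":      lambda: _ip(dst_ip),
        "src-dst-ip":  lambda: _ip(src_ip) ^ _ip(dst_ip),
        "src-mac":     lambda: _mac(src_mac),
        "dst-mac":     lambda: _mac(dst_mac),
        "src-dst-mac": lambda: _mac(src_mac) ^ _mac(dst_mac),
    }
    return methods[method]()


def select_link(value: int, n_links: int) -> int:
    """Low 3 bits choose a bucket; buckets are dealt round-robin to the active
    links, so with 2, 4 or 8 links this is just the low 1, 2 or 3 bits."""
    if not 1 <= n_links <= BUCKETS:
        raise ValueError("an EtherChannel has 1 to 8 active links")
    return (value & (BUCKETS - 1)) % n_links


def egress_link(method: str, n_links: int, **fields: str) -> int:
    """Which member link (0-based) a packet with these header fields leaves on."""
    return select_link(field_value(method, **fields), n_links)


def bucket_shares(n_links: int) -> list[float]:
    """Percentage of buckets (and so, roughly, of flows) landing on each link."""
    counts = [0] * n_links
    for bucket in range(BUCKETS):
        counts[bucket % n_links] += 1
    return [c * 100 / BUCKETS for c in counts]


if __name__ == "__main__":
    for src in ("192.168.0.1", "192.168.0.2"):          # the post's two hosts
        print(src, "-> link", egress_link("src-ip", 2, src_ip=src))
    for n in range(2, 9):
        print(n, "links:", bucket_shares(n))
```

bucket_shares reproduces the percentage table above for every member count, and egress_link reproduces the two-link and four-link index examples; changing the method argument shows how the same pair of hosts can land on a different link once destination fields are included.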


To check which load-balancing method is currently used on the EtherChannel:

Cat3500#show etherchannel load-balance
 EtherChannel Load-Balancing Configuration:
 src-dst-ip
 
For now I am going to stop here; I will discuss the hashing types and balancing methods on different platforms in detail in the near future.



Monday, May 23, 2016

Port Aggregation, Etherchannel or Bonding part-II

In the previous post we covered the fundamentals of EtherChannel and the prerequisites to check before configuring it. EtherChannel is a technology that bundles multiple physical links into one logical interface; from the STP perspective that logical interface is a single link or port, so no member port is blocked.
Today we configure EtherChannel in practice. Before that, it is important to know that an EtherChannel can be configured in two different ways:
1. manual configuration
2. dynamic (negotiated) configuration

Manual configuration is very straightforward: no negotiation packets are exchanged, each side simply bundles its ports. That is also its risk. If one switch is configured manually (mode on) and the other uses PAgP or LACP, the EtherChannel never forms, yet the "on" side still bundles its ports; STP's EtherChannel misconfiguration guard (enabled by default on Catalyst switches) detects this and errdisables the ports. The configuration commands are simple.
SW1(config)#int range fas0/1 - 2

SW1(config-if-range)#channel-group 1 mode on

SW1(config-if-range)#

SW2(config)#int range fas0/1 - 2

SW2(config-if-range)#channel-group 1 mode on

SW2(config-if-range)#

In the second case, dynamic configuration can be done with two different protocols.
1. PAgP (Port Aggregation Protocol) --> a Cisco proprietary protocol, supported only on Cisco switches and not compatible with LACP. PAgP has two modes:
  • Desirable mode -- actively sends negotiation packets and attempts to form a channel.
  • Auto mode -- waits for the remote switch to initiate the channel.
An EtherChannel is established when the channel modes on the two switches match as follows:
  • desirable -- desirable: both switches configured as desirable.
  • desirable -- auto: one switch desirable and the other auto.
A channel never forms when both switches are configured as auto:
  • auto -- auto: both sides just wait for the other to initiate.
PAgP configuration command sample..
SW1(config)#int range fas0/1 - 2
SW1(config-if-range)#channel-protocol pagp
SW1(config-if-range)#channel-group 1 mode desirable
SW1(config-if-range)#

SW2(config)#int range fas0/1 - 2
SW2(config-if-range)#channel-protocol pagp
SW2(config-if-range)#channel-group 1 mode auto
SW2(config-if-range)#

2. LACP (IEEE 802.3ad, now 802.1AX) --> the open-standard Link Aggregation Control Protocol, supported between switches from different vendors. It also has two modes:
  • Active mode --> the switch actively sends negotiation packets to form a channel.
  • Passive mode --> the switch simply waits for the other switch to initiate the channel.
An EtherChannel is established when the modes on the two switches match as follows:
  • active -- active: both switches configured as active.
  • active -- passive: one switch active and the other passive.
A channel never forms when both switches are configured as passive:
  • passive -- passive: both switches wait for the other to initiate.
LACP configuration command sample.
SW1(config)#int range fas0/1 - 2
SW1(config-if-range)#channel-protocol lacp
SW1(config-if-range)#channel-group 1 mode active
SW1(config-if-range)#

SW2(config)#int range fas0/1 - 2
SW2(config-if-range)#channel-protocol lacp
SW2(config-if-range)#channel-group 1 mode passive
SW2(config-if-range)#


Actual etherchannel configuration setup..

 SW1  VLAN configuration..

interface FastEthernet0/3
switchport access vlan 50
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 60
switchport mode access

interface Vlan50
ip address 10.10.10.1 255.255.255.0
!
interface Vlan60
ip address 20.20.20.1 255.255.255.0

EtherChannel configuration; PAgP is used as the aggregation protocol in this scenario.

SW1(config)#int range fas0/1 - 2
SW1(config-if-range)#channel-protocol pagp
SW1(config-if-range)#channel-group 1 mode desirable
SW1(config-if-range)#

Trunk configuration on the port-channel (applied to the logical interface and inherited by the members). 802.1Q is the default encapsulation; on platforms that also support ISL, set the trunk encapsulation to dot1q before changing the mode to trunk.

SW1(config)#int port-channel 1
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk allowed vlan 50,60

SW2 vlan configuration.

interface FastEthernet0/3
switchport access vlan 50
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 60
switchport mode access

 interface Vlan50
ip address 10.10.10.100 255.255.255.0
!
interface Vlan60
ip address 20.20.20.100 255.255.255.0


EtherChannel configuration; PAgP is used as the aggregation protocol in this scenario.

SW2(config)#int range fas0/1 - 2
SW2(config-if-range)#channel-protocol pagp
SW2(config-if-range)#channel-group 1 mode desirable
SW2(config-if-range)#

Trunk configuration on the port-channel, as on SW1; 802.1Q is the default encapsulation.

SW2(config)#int port-channel 1
SW2(config-if)#switchport mode trunk
SW2(config-if)#switchport trunk allowed vlan 50,60

If you want the port-channel to be a Layer 3 (routed) interface, the member ports must be routed ports too, so remove switchport on the members before bundling them:
SW1(config)#interface range fastEthernet 0/1 - 2
SW1(config-if-range)#no switchport
SW1(config-if-range)#channel-group 1 mode desirable
SW1(config)#interface port-channel 1
SW1(config-if)#no switchport
SW1(config-if)#ip address 192.168.0.1 255.255.255.0

To place the port-channel in an access VLAN:
SW1(config)#vlan 200
SW1(config-vlan)#exit
SW1(config)#interface port-channel 1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 200


Both interfaces Fa0/1 and Fa0/2 are participating in the EtherChannel:

SW1#sh etherchannel port-channel
Channel-group listing:
----------------------

Group: 1
----------
Port-channels in the group:
---------------------------

Port-channel: Po1
------------

Age of the Port-channel = 00d:02h:19m:01s
Logical slot/port = 2/1 Number of ports = 2
GC = 0x00000000 HotStandBy port = null
Port state = Port-channel

Protocol = PAGP
Port Security = Disabled

Ports in the Port-channel:

Index   Load   Port    EC state    No of bits
------+------+------+------------+-----------
  0     00    Fa0/1   On              0
  0     00    Fa0/2   On              0

Time since last port bundled: 00d:02h:02m:57s Fa0/2

From the EtherChannel summary below we know the channel has formed properly: each member port shows flag P (bundled in the port-channel), and Po1 shows SU (Layer 2, in use).
SW1#sh etherchannel summary
Flags: D - down P - in port-channel

Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+----------------------------------------------


1      Po1(SU)       PAgP        Fa0/1(P)   Fa0/2(P)


Trunk link verification on both switches:
SW1#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Po1         on           802.1q         trunking      1

Port        Vlans allowed on trunk
Po1         50,60

Port        Vlans allowed and active in management domain
Po1         50,60

Port        Vlans in spanning tree forwarding state and not pruned
Po1         50,60

From the output above, both VLAN 50 and VLAN 60 are allowed on the trunk link and are in forwarding state.

STP on these two switches is currently running in PVST mode, and SW1 is the root bridge for VLAN 1, 50 and 60.
SW1#sh spanning-tree summary
Switch is in pvst mode
Root bridge for: default VLAN0050 VLAN0060


Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                      0         0        0          3          3
VLAN0050                      0         1        0          4          5
VLAN0060                      0         0        0          4          4

---------------------- -------- --------- -------- ---------- ----------
3 vlans                       0         1        0         11         12


Connectivity verification:
ping from PC1 to PC3; both are in the same VLAN but on different switches.


PC1>ping 10.10.10.101

Pinging 10.10.10.101 with 32 bytes of data:

Reply from 10.10.10.101: bytes=32 time=1ms TTL=128
Reply from 10.10.10.101: bytes=32 time=0ms TTL=128
Reply from 10.10.10.101: bytes=32 time=0ms TTL=128
Reply from 10.10.10.101: bytes=32 time=1ms TTL=128

Ping statistics for 10.10.10.101:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms



Reachability from PC4 to PC2:
PC4>ping 20.20.20.2

Pinging 20.20.20.2 with 32 bytes of data:

Reply from 20.20.20.2: bytes=32 time=1ms TTL=128
Reply from 20.20.20.2: bytes=32 time=1ms TTL=128
Reply from 20.20.20.2: bytes=32 time=0ms TTL=128
Reply from 20.20.20.2: bytes=32 time=0ms TTL=128

Ping statistics for 20.20.20.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms