Network Engineering

How To Configure Cisco NetFlow

June 23, 2015 by Rowell Dionicio Leave a Comment

NetFlow is used to collect data flows from interfaces. The information can be stored on the switch but more commonly sent to a server which collects the NetFlow data and spits it out into something shiny. Okay, not shiny but data more easily digestible.

Each packet is looked at for a set of IP packet attributes which are called key fields. The key fields help determine if the information within a packet is unique or similar to the other packets. If there are new values in the key fields then a new flow is created.

With that data you can create trend reports or gather protocol and interface statistics. In near real time you can find out who your top talkers are and what your most widely used protocols are traversing your network. It can even act as a security tool in finding network anomalies.

Netflow has 4 components:

Records
Exporter
Monitor
Sampler

The following NetFlow configuration was tested on a Cisco Catalyst 3850 running IOS version 15. On the Catalyst 3850, the exact version used is Flexible NetFlow (FNF). You will need at least IP Base licensing to use NetFlow. In short, Flexible NetFlow is Cisco’s migration from the traditional NetFlow. Aw how cute, it’s growing up.

Here is the full configuration I ended up with. After the configuration I go into more detail.

flow record AUNTFLOW
 match ipv4 destination address
 match ipv4 source address
 match ipv4 protocol
 match interface input
 match transport destination-port
 match transport source-port
 collect counter bytes long
 collect counter packets long
 collect interface input
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last
 !
 !
 flow exporter AUNTFLOWEXPORT
 description Export to netflow system
 destination 192.168.1.10
 source vlan 10
 transport udp 4739
 ttl 60
 !
 !
 flow monitor AUNTFLOWMON
 description Netflow monitor
 exporter AUNTFLOWEXPORT
 record AUNTFLOW
 cache timeout active 30
 !
 !
 sampler AUNTFLOWSAMPLER
 description AUNTFLOW
 mode random 1 out-of 32
 !
 !
 interface range g1/0/1 - 48
 ip flow monitor AUNTFLOWMON sampler AUNTFLOWSAMPLER input

Step 1: Configure the Records

Configuring Cisco Nexus vPC

June 11, 2015 by Rowell Dionicio 2 Comments

Cisco’s vPC is a virtual port-channel which allows links physically connected to two different switches to appear as a single device to a downstream device as part of a single port-channel.

To learn more, I recommend reading NX-OS and Cisco Nexus Switching by Ron Fuller, David Jansen, and Matthew McPherson.

A vPC is configured on a Cisco Nexus switch and allows Layer 2 port-channels from a downstream device to span two separate switches.

vPC consists of two vPC peer switches connected by a vPC peer link. One switch is primary and the other is secondary. A vPC domain is formed by both Nexus switches. A Nexus can only be part of one vPC domain and only two switches can make up a vPC domain.

vPC peer link creates a single control plane which forwards BPDUs or LACP packets from the primary vPC switch to the secondary vPC switch. A vPC peer link is formed into a port-channel which can be a maximum of 16 ports but at a minimum it should be 2 ports. The peer link synchronizes MAC addresses and STP BPDUs.

In addition to the vPC peer link, there is a peer keepalive link which monitors the vPC peer switch. A keepalive link can be configured using the management interface or through an SVI. There is no data sent over this link. It’s sole purpose is for vPC keepalives.

A vPC port is a port assigned to a vPC channel group. Ports part of the vPC are split between the vPC peers.

Components of a vPC

One primary switch and one secondary switch (vPC peers)
Layer 3 link for peer-keepalives (resolves dual-active scenarios)
Redundant port channel for a peer link between vPC peers.
vPC port members forming a the virtual Port Channel.

Configuration

Connect each switch together to create a vPC peer link. You need two 10 GbE interfaces.

Connect the management interfaces to each switch to form the vPC keepalive link. You lose out on using the management interface. In my scenario, these two Nexus switches will be racked together.

Enable the vPC feature.

conf t
feature vpc

Configure the management interfaces. [Read more…] about Configuring Cisco Nexus vPC

Windows Server NLB VIP Multicast Mode Through Cisco Switch

January 19, 2015 by Rowell Dionicio 5 Comments

If you are unable to connect to a Windows Server Network Load Balancing (NLB) Virtual IP address configured for Multicast Mode it is because of the way your Cisco switch interacts with Microsoft NLB.

Symptoms

Cannot connect to Windows Server NLB Virtual IP address
Cannot ping Windows Server NLB Virtual IP address
Microsoft NLB Multicast Mode not working

I won’t go into the details of how NLB works but in short, client requests are distributed across different servers. To configure NLB, you can use three modes:

Unicast
Multicast
IGMP

Using Multicast Mode

When using Multicast mode, the cluster members will respond to ARPs using their virtual IP address and a multicast MAC address. Without the proper configuration on the switch you will not be able to connect to the Virtual IP address.

This will not work because within the ARP request packet is a unicast IP address and a multicast MAC address. Troubleshooting it can be frustrating but a Cisco switch will ignore this. Below is the configuration to be done on the switch.

Cisco Switch Configuration

To resolve the problem, create a static ARP entry for the Virtual IP Address to the NLB MAC address. Then create a static MAC address entry to the VLAN and interfaces used by the cluster.

In my case, my virtual IP address is 192.168.10.10 with MAC address of 03bf.0a65.05fa. That IP address is on VLAN 10 and the servers’ interfaces are part of a port-channel, both Port-Channel1 and Port-Channel2.

The following configuration is as follows:

arp 192.168.10.10 03bf.0a65.05fa
mac address-table static 03bf.0a65.05fa vlan 10 interface Port-Channel1 Port-Channel2

Some configuration items to note.. not all Cisco switches will support a static entry of a MAC address to multiple interfaces. In my case I am using a Cisco Catalyst 4500-X in VSS mode. The servers had two network interfaces configured into an EtherChannel.

Configuring PAgP EtherChannel

December 29, 2014 by Rowell Dionicio

There are three different methods to create an EtherChannel. One of them is Cisco’s own proprietary protocol, PAgP, Port Aggregation Protocol. It is similar to LACP which is the industry standard. A PAgP link is usually used between Cisco switches.

PAgP will aggregate physical port links into one logical link to provide redundancy and increased bandwidth. Within a PAgP link there can be up to eight active ports. PDUs are sent on the lowest numbered VLAN on the trunk link. Each port joining the PAgP link must have the same configuration.

There are two modes used in PAgP:

Auto
Desirable

Auto mode will passively negotiate PAgP. If the remote end of the link is also configured with Auto mode, a PAgP EtherChannel will not form.

Desirable mode will actively negotiate PAgP. The remote end must be configured in Auto or Desirable mode for a PAgP EtherChannel to form.

[adrotate group=”14″]

Configuration

To configure PAgP, identify the physical ports which will join to the same logical bundle.

SW1#config t
 SW1(config)#interface range f0/1 - 2
 SW1(config-if)#channel-group 5 mode desirable
 SW1(config-if)#end

SW2#config t
 SW2(config)#interface range f0/1 - 2
 SW2(config-if)#channel-group 5 mode desirable
 SW2(config-if)#end

Let’s break down the command that creates the PAgP bundle.

channel-group 5 is how we identify that we want to create an EtherChannel. 5 is the identifying value we want to assign to this EtherChannel. Depending on your switch/IOS version you will have a specific range of numbers available to use.

To find out which EtherChannel numbers already in use issue the command show etherchannel summary.

mode desirable is how we configure these interfaces to actively negotiate PAgP. If we wanted the interfaces to passively negotiate a PAgP link then we would configure it with mode auto.

The remote end of the link is configured similarly with the difference being that the channel-group numbers do not have to match.

After configuring the interfaces to be part of the same channel-group, a port-channel will automatically be configured. This is the logical interface of the bundle. The port-channel number will be the same as your channel-group number. In the example above, port-channel 5 was automatically created.

You can view this port-channel interface with the following commands:

show interface status
show interfaces po5

How To Create a Read Only User in Cisco IOS

October 28, 2014 by Rowell Dionicio 5 Comments

Sometimes you will have vendors or junior network administrators needing access to your network equipment. Giving them the keys to the kingdom is not the best decision. Additionally, you’ll need to change the password after the vendor is finished. Or you forget to remove that vendor’s full access account from your router. A safer method is to create a read only account. This is done using privilege levels built into Cisco IOS.

With this method you are using the local database of the router/switch to create a read only user account. The ideal way to grant permissions is to use TACACS+ but that is another discussion.

Create your user accounts

Cisco uses privilege levels to determine what a user account will have access to on the device. There are 16 privilege levels but the system will have two already configured. The rest of the levels are for you to modify. Privilege level 15 is the highest level and is similar to a root user. Privilege level 1 is the lowest of the levels and basically can’t do anything.

Make sure you have an account with full permissions to the device. Then configure a new user for your read only account. I will use privilege level 3 for the read only account.

R1(config)#username admin privilege 15 secret Secret01
R1(config)#username readonly privilege 3 secret ReadOnly03

Of course, use much stronger passwords than the ones I have used above. This is just for lab purposes.

Enable Password Checking

Next, I will apply enable password checking on the vty lines. When a user tries to SSH into my router, they will be prompted for a username and password. Those credentials will be looked up on the local database and if there’s a match, the user is allowed into the router.

R1(config)#line vty 0 15
R1(config-line)#login local

Verify Login

With login local configured for my vty lines, I will attempt to ssh into R1 from R2 using my readonly account.

R2#ssh -l readonly 192.168.1.1
Password:
R1#conf t
      ^
% Invalid input detected at '^' marker.

I am able to ssh into R1 but because I have assigned a privilege level 3 to the account, it can’t really perform any changes or even view the running config file. What we will now configure are commands privilege level 3 users can issue on the CLI. Because this is going to be a read only account, I want to give the user privileges to just see the running config file.

Configure Privilege Level 3 Commands

How To Install GNS3 1.0 on Windows 8.1

October 22, 2014 by Rowell Dionicio Leave a Comment

GNS3 1.0 was released to the world on October 21st, 2014. I have been using previous versions of GNS3 for some time now to simulate networks and to practice for my Cisco certifications. For those of you who aren’t familiar with GNS3, it is an application that allows you to build networks for free. The caveat there is you need to supply the images for your equipment. GNS3 supports Cisco, Juniper, HP, Arista, Citrix, and Brocade (as specified on their site, gns3.com. You build out a virtual lab which means there is no need to purchase physical hardware.

Before getting started, you’ll need to sign up on GNS3‘s website. Once you have an account. You can download GNS3. Click on the Windows download button to begin.

Once you open the installation file, click through the standard setup screen and agreement until you get to the Choose Components section.

Select all the components you will need – almost everything. SolarWinds is a new application packaged with GNS3. If you already have some of the components installed, such as Wireshark, you can uncheck it.