
Packet6

San Francisco Bay Area Wi-Fi Professional Services


Network Engineering

How To Configure Cisco NetFlow

June 23, 2015 by Rowell Dionicio

NetFlow is used to collect data flows from interfaces. The information can be stored on the switch but is more commonly sent to a server which collects the NetFlow data and spits it out into something shiny. Okay, not shiny, but data that is more easily digestible.

Each packet is looked at for a set of IP packet attributes which are called key fields. The key fields help determine if the information within a packet is unique or similar to the other packets. If there are new values in the key fields then a new flow is created.

With that data you can create trend reports or gather protocol and interface statistics. In near real time you can find out who your top talkers are and which protocols are most widely used across your network. It can even act as a security tool for finding network anomalies.

NetFlow has four components:

  • Records
  • Exporter
  • Monitor
  • Sampler

The following NetFlow configuration was tested on a Cisco Catalyst 3850 running IOS version 15. On the Catalyst 3850, the exact version used is Flexible NetFlow (FNF). You will need at least IP Base licensing to use NetFlow. In short, Flexible NetFlow is Cisco’s migration from the traditional NetFlow. Aw how cute, it’s growing up.

Here is the full configuration I ended up with. After the configuration I go into more detail.

flow record AUNTFLOW
 match ipv4 destination address
 match ipv4 source address
 match ipv4 protocol
 match interface input
 match transport destination-port
 match transport source-port
 collect counter bytes long
 collect counter packets long
 collect interface input
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow exporter AUNTFLOWEXPORT
 description Export to netflow system
 destination 192.168.1.10
 source vlan 10
 transport udp 4739
 ttl 60
!
!
flow monitor AUNTFLOWMON
 description Netflow monitor
 exporter AUNTFLOWEXPORT
 record AUNTFLOW
 cache timeout active 30
!
!
sampler AUNTFLOWSAMPLER
 description AUNTFLOW
 mode random 1 out-of 32
!
!
interface range g1/0/1 - 48
 ip flow monitor AUNTFLOWMON sampler AUNTFLOWSAMPLER input
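As an added example (not part of the original post), here is a small Python model of what the flow record above does: packets are bucketed on the six AUNTFLOW key fields, the collected counters, TCP flags and timestamps are accumulated per flow, and a flow that lives past the monitor's 30-second active timeout is exported and restarted. The packet headers are constructed for the example, and field names such as `src` and `in_if` are this example's own assumptions rather than NetFlow field names.

```python
from collections import defaultdict
from dataclasses import dataclass

# Key fields of the AUNTFLOW record: a packet whose key tuple is new starts a new flow.
KEY_FIELDS = ("src", "dst", "proto", "in_if", "sport", "dport")
ACTIVE_TIMEOUT = 30.0  # seconds; mirrors "cache timeout active 30" on the monitor
@dataclass
class Flow:             # the collected (non-key) fields of the record
    first: float        # collect timestamp absolute first
    last: float         # collect timestamp absolute last
    packets: int = 0    # collect counter packets long
    bytes: int = 0      # collect counter bytes long
    tcp_flags: int = 0  # collect transport tcp flags (OR of every flag seen)
def build_flow_cache(packets):
    """Fold time-ordered packet headers into (key, Flow) records. A flow active
    longer than ACTIVE_TIMEOUT is exported and restarted, as the monitor does."""
    cache, exported = {}, []
    for p in packets:
        key = tuple(p[f] for f in KEY_FIELDS)
        flow = cache.get(key)
        if flow is not None and p["ts"] - flow.first >= ACTIVE_TIMEOUT:
            exported.append((key, flow))  # long-lived flow: export it, start a new one
            flow = None
        if flow is None:
            flow = cache[key] = Flow(first=p["ts"], last=p["ts"])
        flow.last = p["ts"]
        flow.packets += 1
        flow.bytes += p["len"]
        flow.tcp_flags |= p.get("flags", 0)
    exported.extend(cache.items())  # flush whatever is still in the cache
    return exported

def top_talkers(records, n=2):
    """Bytes per source address, largest first: the top-talkers view the post mentions."""
    totals = defaultdict(int)
    for key, flow in records:
        totals[key[0]] += flow.bytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]
def hdr(ts, src, dst, proto, sport, dport, length, flags=0, in_if="Gi1/0/1"):
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "in_if": in_if,
            "sport": sport, "dport": dport, "len": length, "flags": flags}
# Constructed sample traffic (not a capture): an SSH session that outlives the
# active timeout, plus one DNS query arriving on a different input interface.
SAMPLE = [
    hdr(0.0, "192.168.1.20", "192.168.1.10", 6, 50000, 22, 60, flags=0x02),    # SYN
    hdr(1.0, "192.168.1.20", "192.168.1.10", 6, 50000, 22, 1500, flags=0x18),  # PSH/ACK
    hdr(2.0, "192.168.1.30", "8.8.8.8", 17, 40000, 53, 70, in_if="Gi1/0/2"),
    hdr(31.0, "192.168.1.20", "192.168.1.10", 6, 50000, 22, 1500, flags=0x18),
]
```

Running `build_flow_cache(SAMPLE)` yields three records: the SSH flow is split in two by the active timeout, and the DNS query is its own flow because its key fields differ.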

Step 1: Configure the Records

[Read more…]

Configuring Cisco Nexus vPC

June 11, 2015 by Rowell Dionicio

[Figure: Diagram of vPC]

Cisco’s vPC is a virtual port-channel which allows links physically connected to two different switches to appear as a single device to a downstream device as part of a single port-channel.

To learn more, I recommend reading NX-OS and Cisco Nexus Switching by Ron Fuller, David Jansen, and Matthew McPherson.

A vPC is configured on a Cisco Nexus switch and allows Layer 2 port-channels from a downstream device to span two separate switches.

vPC consists of two vPC peer switches connected by a vPC peer link. One switch is primary and the other is secondary. A vPC domain is formed by both Nexus switches. A Nexus can only be part of one vPC domain and only two switches can make up a vPC domain.

The vPC peer link creates a single control plane which forwards BPDUs or LACP packets from the primary vPC switch to the secondary vPC switch. A vPC peer link is formed into a port-channel of at most 16 ports, but at a minimum it should be 2 ports. The peer link synchronizes MAC addresses and STP BPDUs.

In addition to the vPC peer link, there is a peer keepalive link which monitors the vPC peer switch. A keepalive link can be configured using the management interface or through an SVI. No data is sent over this link. Its sole purpose is carrying vPC keepalives.

A vPC port is a port assigned to a vPC channel group. Ports part of the vPC are split between the vPC peers.

Components of a vPC

  • One primary switch and one secondary switch (vPC peers)
  • Layer 3 link for peer keepalives (resolves dual-active scenarios)
  • Redundant port channel for a peer link between vPC peers
  • vPC port members forming the virtual port channel

Configuration

Connect each switch together to create a vPC peer link. You need two 10 GbE interfaces.

Connect the management interfaces to each switch to form the vPC keepalive link. You lose out on using the management interface. In my scenario, these two Nexus switches will be racked together.

Enable the vPC feature.

conf t
feature vpc

Configure the management interfaces. [Read more…]

Windows Server NLB VIP Multicast Mode Through Cisco Switch

January 19, 2015 by Rowell Dionicio

If you are unable to connect to a Windows Server Network Load Balancing (NLB) Virtual IP address configured for Multicast Mode it is because of the way your Cisco switch interacts with Microsoft NLB.

Symptoms

  • Cannot connect to Windows Server NLB Virtual IP address
  • Cannot ping Windows Server NLB Virtual IP address
  • Microsoft NLB Multicast Mode not working

I won’t go into the details of how NLB works but in short, client requests are distributed across different servers. To configure NLB, you can use three modes:

  • Unicast
  • Multicast
  • IGMP

Using Multicast Mode

When using Multicast mode, the cluster members will respond to ARPs using their virtual IP address and a multicast MAC address. Without the proper configuration on the switch you will not be able to connect to the Virtual IP address.

This will not work because the ARP packet maps a unicast IP address to a multicast MAC address, and a Cisco switch will ignore such a mapping. Troubleshooting it can be frustrating. Below is the configuration to be done on the switch.

Cisco Switch Configuration

To resolve the problem, create a static ARP entry for the Virtual IP Address to the NLB MAC address. Then create a static MAC address entry to the VLAN and interfaces used by the cluster.

In my case, my virtual IP address is 192.168.10.10 with MAC address of 03bf.0a65.05fa. That IP address is on VLAN 10 and the servers’ interfaces are part of a port-channel, both Port-Channel1 and Port-Channel2.

The configuration is as follows:

arp 192.168.10.10 03bf.0a65.05fa
mac address-table static 03bf.0a65.05fa vlan 10 interface Port-Channel1 Port-Channel2

Some configuration items to note: not all Cisco switches support a static entry of a MAC address to multiple interfaces. In my case I am using a Cisco Catalyst 4500-X in VSS mode. The servers had two network interfaces configured into an EtherChannel.

7 Free Tools for Network Administrators (#3 is Essential!)

June 2, 2014 by Rowell Dionicio

When it comes to building your toolbox we all have a few select favorites. Many tools come and go but there are those that have stuck around for the long haul. The ones you install on new computers and the ones you keep on a thumb drive, for portability.

Below is a list from my toolbox, 7 free tools for Network Administrators.

Wireshark


Once called Ethereal, this application is handy for troubleshooting networks and applications. With the plethora of options available, you can filter by protocols, IP addresses, and more.

Additionally, it makes a great learning resource for understanding TCP/IP communications.

Because Wireshark is such a powerful tool, I recommend reading Laura Chappell’s Wireshark 101.

Download Wireshark

TFTPD32

Files transferring in TFTPD32

This application makes it easy to do maintenance tasks such as uploading firmware to network devices and downloading backups of configuration files from network devices. If you have a template configuration file you can also upload them using TFTPD32.

Download TFTPD32

Putty

Configuring session logging in Putty

My #1 most-used tool. Whether it’s consoling, ssh, or telnetting into a switch this is the application I use. It’s lightweight and simple to use. I can log all of my output to a text file which I have written about previously. It also interfaces with SuperPutty if you like using tabs.

Download Putty

[Read more…]

Navigating IOS CLI Like a Ninja

August 19, 2013 by Rowell Dionicio

I’m always looking for ways to be more efficient with my work. And when little things like this come my way, I make sure to memorize them and share them.

Here are different keystrokes to help you move around in the Cisco IOS Command Line.

CTRL-A

Moves the cursor to the beginning of the line

CTRL-E

Moves the cursor to the end of the line

Esc B

Moves the cursor back one word.

Esc F

Moves the cursor forward one word.

CTRL-K

Deletes all characters from the cursor to the end of the line.

CTRL-U

Deletes all characters from the cursor to the beginning of the line.

CTRL-W

Deletes the word left of the cursor.

Esc D

Deletes from the cursor to the end of the word.

Esc U

Capitalizes letters from the cursor to the end of the word.

CTRL-L

Redisplays the current command line if a message appears on the screen.

CSMA/CD :: Fundamental Switch Operation

July 31, 2013 by Rowell Dionicio

CSMA/CD, or Carrier Sense Multiple Access with Collision Detection, is an access method used in Ethernet.

When a device is about to send data over the network, it will sense if another device is already transmitting. If there is indeed another device transmitting, the device checking will back off from communicating for a random amount of time before retrying.

If two devices check the network at the same time and don’t see any other devices transmitting data, they will both transmit at the same time. When this occurs there is a collision. When a collision is detected, both devices use a random time to back off before retrying.

The back-off time is random because, if both devices talked on the network at the same time and backed off for the same amount of time, they would simply collide again.


© Copyright 2019 Packet6 · All Rights Reserved