Sunday, January 10, 2016

Building a fault tolerant network infrastructure for your company.

Part 3: Additional tuning for boundary and user ports on Cisco and HP ProCurve.


Today we look at what can do to protect our STP topology on the access ports, and at borders to other networks. Let's start with the most basic settings, such as PortFast, BPDUGuard, BPDUFilter and specific option for ProCurve - PVST-Filter.

PortFast

     PortFast - This mode is intended to "speed up" the initialization of the ports that are connected to servers or user stations. In the normal state, without PortFast, a port with active Spanning Tree before switching to data forwarding mode goes through several pretty long phases: blocked, listening, learning, and only after 40-50 seconds, port switched to forwarding and begins to transmit data. This is done in order for have time for discover a loop or double link on initialization stage of Spanning Tree, and we do not had problems with our network even for a short time. If to the port connected a workstation or a server, we do not need such a long procedure, it may be even harmful for the workstation or server! For example, a computer may not have a time for get an address from DHCP, if loading of computer faster than is initialized port.
     So, when we activate PortFast, a port skip phases of listening and learning, and immediately becomes to forwarding state. When you turn on PortFast, Spanning Tree continues to work on these ports, it will not turn off! Continues to send and receive BPDU. Moreover, if the port with activated PortFast, has received message BPDU, it immediately loses its status, despite settings.  Nevertheless, is not recommended to enable PortFast on ports connected to another network equipment, because it may lead to appearing routing loops for short time.

Cisco:
     On Cisco have two ways to activate this mode: locally on specific ports or globally in configuration mode.
Global:
spanning-tree portfast default
This command enables PortFast on all ports which in access mode.
Local:
interface GigabitEthernet0/1
spanning-tree portfast
Or despite an active global settings, you can disable PortFast on the ports where it is not needed:
interface GigabitEthernet0/1
spanning-tree portfast disable

Also, in some cases you may to enable PortFast on trunk's, for example, it may be necessary if the trunk connected to a server that needs to get several VLAN's from trunk.
interface GigabitEthernet0/1
spanning-tree portfast trunk

Checking PortFast state on interface:
sh spanning-tree int gi0/1 portfast
MST0                enabled
MST2                enabled

Also:
sh spanning-tree int gi0/1 detail 
 Port 1 (GigabitEthernet0/1) of MST0 is designated forwarding 
   Port path cost 20000, Port priority 128, Port Identifier 128.1.
   Designated root has priority 4096, address 001b.3fc1.a800
   Designated bridge has priority 32768, address 001d.e691.2800
   Designated port id is 128.1, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 3
   The port is in the portfast mode by default
   Link type is point-to-point by default, Internal
   Bpdu guard is enabled by default
   Loop guard is enabled by default on the port
   BPDU: sent 174100, received 0

 Port 1 (GigabitEthernet0/1) of MST2 is designated forwarding 
   Port path cost 20000, Port priority 128, Port Identifier 128.1.
   Designated root has priority 2, address 0018.71b6.a000
   Designated bridge has priority 32770, address 001d.e691.2800
   Designated port id is 128.1, designated path cost 22000
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   The port is in the portfast mode by default
   Link type is point-to-point by default, Internal
   Bpdu guard is enabled by default
   Loop guard is enabled by default on the port
   BPDU: sent 174100, received 0

Here you can see if the port has lost its PortFast status. To return PortFast mode, you need to disable and enable this interface:
interface GigabitEthernet0/1
shutdown
no shutdown

HP ProCurve:
     On ProCurve have analog of PortFast called "edge-port", for manual setup port mode to "EDGE" you may use option "admin-edge-port". By default for all ports active "auto-edge-port" mode, which determine port mode (edge(PortFast) or no). And I should be noted that this automatic feature on ProCurve works very well! Port very quickly turns into EDGE mode when needed, and quickly lose it status, if received BPDU message.

How to enable:
spanning-tree A1-A2 admin-edge-port

sh run:
spanning-tree A1 admin-edge-port
spanning-tree A2 admin-edge-port

Forced disable automatic detection of edge ports:
no spanning-tree A1-A2 auto-edge-port

sh run:
no spanning-tree A1 auto-edge-port
no spanning-tree A2 auto-edge-port

Return to auto-edge-port mode and disable admin-edge-port:
spanning-tree A1-A2 auto-edge-port
and
no spanning-tree A1-A2 admin-edge-port

Checking edge port status:
sh spanning-tree A1
  Port   Type       | Cost      rity State        | Bridge        Time PtP Edge
  ------ ---------- + --------- ---- ------------ + ------------- ---- --- ----
  A1     100/1000T  | 20000     128  Forwarding   | 001b3f-582100 2    Yes No  

and also
sh spanning-tree A1 detail
  AdminEdgePort             : No 
  Auto Edge Port            : Yes         
  OperEdgePort              : No


BPDUFilter

     This feature disables the reception and transmission of BPDU on the port. It can be used for different purposes, such as protection against foreign Spanning Tree on the link to the provider or to other neighbors, with whom you have only single link. To protect against attacks based on BPDU and as a consequence, instability of your topology.

Cisco:
     On Cisco BPDUFilter as PortFast may be enabled through two ways: globally in configuration mode, and locally on the interface. But unlike PortFast, BPDUFilter have different behavior, depending on the method of activation.
Local:
interface GigabitEthernet 0/1
spanning-tree bpdufilter enable / disable
As in the case PortFast, "disable" disables the global settings for a particular port.
Global (automatically activate BPDUFilter on all PortFast interfaces):
spanning-tree portfast bpdufilter default

     When you turn on BPDUFilter locally on the interface, this works as "the wall", it equivalent to disabling Spanning Tree on the interface. BPDU do not go to any direction. In some cases, it may be dangerous. For example, in case connecting port with activated BPDUFilter to neighboring port, you get a loop that will not eliminate by Spanning Tree, and if you not have other anti-loop means, your network will be collapse. So, be careful using this function locally at the interface.
     If this feature is enabled globally, it is not dangerous, because it is activated on the PortFast ports, and blocks only sending BPDU, but not blocks receiving. Global BPDUFilter disabled on the port when receiving first BPDU packet from outside. This feature is more suitable to mask your BPDU from foreign neighbors, than for blocking it. And as soon as your interface received the first BPDU package, you start working with a neighbor on the Spanning Tree.

     When you turn BPDUFilter globally, there is another interesting feature: through the port during initialization will be sent a several BPDU messages, to make sure that this port is not contains devices STP. When you turn on BPDUFilter on the local port, will be blocked any BPDU for sent and receive.

Checking BPDUFilter state:
sh spanning-tree summary 
Switch is in mst mode (IEEE Standard)
Root bridge for: none
Extended system ID           is enabled
Portfast Default             is enabled
PortFast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is enabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled

Checking BPDUFilter state on interface:
sh spanning-tree int gi0/1 detail 
 Port 1 (GigabitEthernet0/1) of MST0 is designated forwarding 
   Port path cost 20000, Port priority 128, Port Identifier 128.1.
   Designated root has priority 4096, address 001b.3fc1.a800
   Designated bridge has priority 32768, address 001d.e691.2800
   Designated port id is 128.1, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 3
   The port is in the portfast mode by default
   Link type is point-to-point by default, Internal
   Bpdu guard is enabled by default
   Bpdu filter is enabled
   Loop guard is enabled by default on the port
   BPDU: sent 174100, received 0

 Port 1 (GigabitEthernet0/1) of MST2 is designated forwarding 
   Port path cost 20000, Port priority 128, Port Identifier 128.1.
   Designated root has priority 2, address 0018.71b6.a000
   Designated bridge has priority 32770, address 001d.e691.2800
   Designated port id is 128.1, designated path cost 22000
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   The port is in the portfast mode by default
   Link type is point-to-point by default, Internal
   Bpdu guard is enabled by default
   Bpdu filter is enabled
   Loop guard is enabled by default on the port
   BPDU: sent 174100, received 0

HP ProCurve:
     On ProCurve BPDUFilter need to enable on each port:
spanning-tree A1-A2 bpdu-filter
sh run:
spanning-tree A1 loop-guard bpdu-filter
spanning-tree A2 loop-guard bpdu-filter

Show ports with activated BPDUFilter:
sh spanning-tree | i Filter
 BPDU Filtered Ports  : A1-A2

also:
sh spanning-tree A1 detail 
  BPDU Filtering            : Yes

     Also, HP has another nice feature, which is useful in the case of using MSTP, and may help in described in this article case: Part 2: " Connect Cisco and HP ProCurve using MSTP". In the article described the case when Cisco in MST mode, going crazy with receiving PVST message, flown through ProCurve topology.

PVST-FilterEnabling like BPDUFilter:
spanning-tree A1-A2 pvst-filter

sh run:
spanning-tree A1 pvst-filter
spanning-tree A2 pvst-filter

Show PVST-Filter status:
sh spanning-tree | i PVST
  PVST Filtered Ports  : A1-A2

also:
sh spanning-tree a1 det
  PVST Filtering            : Yes

     Maybe, if you are using MSTP, this function must be activated on all ports, because nothing good from receiving PVST not will be. At least MSTP and PVST are inconsistent, and may be many problems like in my previons article: Part 2: " Connect Cisco and HP ProCurve using MSTP"...

BPDUGuard

     On Cisco BPDUGuard may be switched locally on the interface or globally. Regardless of the method of activation, when receiving an incoming BPDU on the port with the activated BPDUGuard, a port will blocked.

Cisco:
Local:
interface GigabitEthernet 0/1
spanning-tree bpduguard enable / disable
As in the case Portfast, "disable" disables the global settings for a particular port.

Global (automatically activate BPDUGuard on all PortFast interfaces):
spanning-tree portfast bpduguard default

If the port is blocked, you need to disable and enable this interface:
interface GigabitEthernet0/1
shutdown
no shutdown

Either setup automatic enable blocked ports using errdisable recovery:
errdisable recovery cause bpduguard
errdisable recovery interval 60

Checking BPDUGuard state:
sh spanning-tree summary 
PortFast BPDU Guard Default  is enabled

Checking BPDUGuard state on interface:
sh spanning-tree int gi0/1 detail 
 Port 1 (GigabitEthernet0/1) of MST0 is designated forwarding 
   Port path cost 20000, Port priority 128, Port Identifier 128.1.
   Designated root has priority 4096, address 001b.3fc1.a800
   Designated bridge has priority 32768, address 001d.e691.2800
   Designated port id is 128.1, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 3
   The port is in the portfast mode by default
   Link type is point-to-point by default, Internal
   Bpdu guard is enabled by default
   Loop guard is enabled by default on the port
   BPDU: sent 174100, received 0

 Port 1 (GigabitEthernet0/1) of MST2 is designated forwarding 
   Port path cost 20000, Port priority 128, Port Identifier 128.1.
   Designated root has priority 2, address 0018.71b6.a000
   Designated bridge has priority 32770, address 001d.e691.2800
   Designated port id is 128.1, designated path cost 22000
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   The port is in the portfast mode by default
   Link type is point-to-point by default, Internal
   Bpdu guard is enabled by default
   Loop guard is enabled by default on the port
   BPDU: sent 174100, received 0

HP Procurve:
On ProCurve BPDUGuard called BPDU-Protection:

spanning-tree A1-A2 bpdu-protection

sh run:
spanning-tree A1 loop-guard bpdu-protection
spanning-tree A2 loop-guard bpdu-protection

Show ports with activated BPDU-Protection:
sh spanning-tree | i Protect
  BPDU Protected Ports : A1-A16,A18-A24,B1-B24,C1-C24,D1-D24,G...

sh spanning-tree a1 detail | i Protect
  BPDU Protection           : Yes

In my opinion BPDUGuard very useful, as it allows to protect against unauthorized connection of network equipment, as well BPDUGuard is instantly blocks the majority of the loops. But BPDUGuard can also cause problems, for example if you activate BPDUGuard on interface that connected to the provider. From providers, by my experience, often arrives STP, which immediately lead to port blocking. I am very cautious, but on the interface to the service providers with whom we have only single connect, i am typically activate BPDUFIlter :)


     In the next article I will add information about loop-guard, loop-protect and udld. I will additionally compose in one article all about fight against loops on managed and unmanaged hardware. It will be last article about Spanning Tree and LAN topology. Then we turn to fault-tolerant of internet access and cluster technologies :)

 Sorry for my English...

Posted by at No comments:

Monday, January 4, 2016

Building a fault tolerant network infrastructure for your company.
Part 2: Connect Cisco and HP ProCurve using MSTP.

Part 1: "MSTP on HP ProCurve"
Part 3: "Additional tuning for boundary and user ports on Cisco and HP ProCurve"

 на Русском

     Continuing the series for "novice professionals" :) On the last time we made single network based on HP ProCurve, and today will be connecting Cisco equipment to our network, as on this scheme:
         Connecting our Cisco 1, 2, 3 and 4, as shown in the scheme, but one of the links in each group of the two switches is turned off to prevent a loop, until Spanning Tree in not activated.

     On ProCurve, we raised MSTP, it would be very good to raise MSTP on Cisco. In the Internet has a certain amount of information on the topic of linking ProCurve and Cisco, and even the official documentation from HP and from Cisco. But unfortunately...

     Setup MSTP on Cisco.

      For starters, if you have not read Part 1: "MSTP on HP ProCurve", I advise you to read! There i told the basic principles of setting MSTP on the switches, which are common to HP and for Cisco. Here is a brief list of recommendations Cisco and common sense to configure MSTP:
  1. Use the same "region" in all your network.
  2. Minimum number of instances.
  3. Set up the priorities for the "root bridge".
  4. In advance to divide the entire possible range of a VLAN on "instances".
  5. All instances on all switches in the region must contain the same list of VLANs! On Cisco will help protocol VTP v3, which is can to serve not only VLAN's, but also instances of MSTP. HP ProCurve has only GVRP, which is similar to VTP V1/2, but not work with MSTP, synchronization of instances settings between switches, perform by hands.
  6. Region name and config revision number must be the same throughout the network!
  7. Permission is granted an identical list of VLAN's on all tanks between commutators!
     Also there are rules for connecting ProCurve and Cisco:
  1. Cisco supports 802.1s MSTP only since 2005, make sure IOS later than 2005 year. In general FirmWare update on all equipment is good idea :)
  2. Not to be confused Pre-STD MST with MSTP - they are not compatible.
  3. Verify, that native/untagged VLAN 1 was set up on trunks between Cisco and HP.
     Compliance of these regulations will allow your Spanning Tree topology to work stably, to work load-balancing between links, and is not recalculated without the critical need with dropping your network :)

Check trunk between Cisco and ProCurve for permit of all necessary VLANs, and then proceed:
conf t
spanning-tree mst configuration
Do all as on the ProCurve. Region name the same as on ProCurve, the same as in all our the region:
name H2SO4
Config revision number must be the same in all network:
revision 1
Divide all VLAN on two "instances" according to the load on them in my network. In our case, as on ProCurve:
instance 1 vlan 1-35,101,111-500,1001-4094
instance 2 vlan 36-100,102-110,501-1000
Do not exit the configuration MST check the resulting configuration:
show pending
Pending MST configuration
Name      [H2SO4]
Revision  1     Instances configured 3

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         none
1         1-35,101,111-500,1001-4094
2         36-100,102-110,501-1000
-------------------------------------------------------------------------------
Type "exit or press CTRL-Z for exit and applying the configuration:
exit
If Cisco is root in the MSTP region, or your network is Cisco-Only, specify that our switches are root for specific instances in the MSTP region, as we did it on an HP in the last article, and set priorities for instances:  
Cisco 1/3:
conf t
spanning-tree mst 1 root primary
spanning-tree mst 0-1 priority 0
spanning-tree mst 2 priority 4096
Cisco 2/4:
conf t
spanning-tree mst 2 root primary
spanning-tree mst 0-1 priority 4096
spanning-tree mst 2 priority 0
For our configuration with Cisco and HP do not need to set up this priorities for Cisco, as the root bridge we use ProCurve, and all higher priorities are on the ProCurve!
When we finished configuration of MSTP on all Cisco of group, you need to activate MSTP: 
spanning-tree mode mst
     All should work, if you followed the instructions, and your network is not hiding a unexpected surprise, as it happened in my network :)
     I spent a few days trying to understand why MSTP between Cisco and HP do not work! As a result, in a dark corner was found the Cisco 3560, about which everyone has forgotten, and who worked in PVST mode... I never imagined that BPDU can fly through the entire network topology, and spoil life. In general, BPDU flys through network and Cisco drove crazy, when I enabled MSTP:

000068: 00:49:18: %SPANTREE-2-PVSTSIM_FAIL: Blocking root port Gi0/8: Inconsistent inferior PVST BPDU received on VLAN 110, claiming root 32878:0015.c6d7.9900

Gi0/7            Mstr BKN*20000     128.7    P2p Bound(PVST) *PVST_Inc

     By the way, ProCurve have an option pvst-filter, perhaps this option can help without searching source of wrong BPDU.

      So, what I did ... I turn on the Cisco debug for received BPDU:

term mon
debug spanning-tree bpdu receive

And I see this:

002836: Jan  5 16:36:57.625: STP: MST0 rx BPDU: config protocol = mstp, packet from GigabitEthernet0/8  , linktype IEEE_SPANNING , enctype 2, encsize 17 
002837: Jan  5 16:36:57.625: STP: enc 01 80 C2 00 00 00 00 1B 3F 58 31 EF 00 89 42 42 03 
002838: Jan  5 16:36:57.625: STP: Data     000003023C1000001B3FC1A800000000001000001B3FC1A80080110000140002000F00
002839: Jan  5 16:36:57.634: STP: MST0 Gi0/8:0000 03 02 3C 1000001B3FC1A800 00000000 1000001B3FC1A800 8011 0000 1400 0200 0F00
002840: Jan  5 16:36:58.238: STP: MST0 rx BPDU: config protocol = mstp, packet from GigabitEthernet0/8  , linktype SSTP , enctype 3, encsize 22 
002841: Jan  5 16:36:58.238: STP: enc 01 00 0C CC CC CD 9C 4E 20 B2 2E 98 00 32 AA AA 03 00 00 0C 01 0B 
002842: Jan  5 16:36:58.238: STP: Data     000000000080649C4E20B22E800000000080649C4E20B22E8080180000140002000F00
002843: Jan  5 16:36:58.238: STP: MST0 Gi0/8:0000 00 00 00 80649C4E20B22E80 00000000 80649C4E20B22E80 8018 0000 1400 0200 0F00

IEEE_SPANNING - it is normal.
А вот SSTP - It is abnormal. It is not our MSTP, it is a stranger Spanning-tree, source of this packet need to search!
Find the source of the package is very easy. The first 6 digits in the ENC is the header, it is always the same: 01 00 0C CC CC CD, but next 6 digits this is the sender's MAC address: 9C 4E 20 B2 2E 98  - in my case it was the Cisco 3560. After disabling STP all became normal. MSTP is working, and all became well.

Several commands for checking MSTP configuration on Cisco and HP:
HP:
sh spanning-tree mst-config

  MST Configuration Identifier Information

  MST Configuration Name : H2SO4                          
  MST Configuration Revision : 1    
  MST Configuration Digest : 0xF1AD53AD5D69827DFCB5C5B5D00F6D88

  IST Mapped VLANs : 

  Instance ID Mapped VLANs                                             
  ----------- ---------------------------------------------------------
  1           1-35,101,111-500,1001-4094
  2           36-100,102-110,501-1000


Highlighted in blue is control sum, it must coincide with all configurations on HP and Cisco. If it is different - look for differences. So long as the digest is different, MSTP will work through the instance 0, and all the ports will be Boundary.

Cisco:
sh spanning-tree mst configuration 

Name      [H2SO4]
Revision  1     Instances configured 3

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         none
1         1-35,101,111-500,1001-4094
2         36-100,102-110,501-1000
-------------------------------------------------------------------------------
sh spanning-tree mst configuration digest 
Name      [H2SO4]
Revision  1     Instances configured 3
Digest          0xF1AD53AD5D69827DFCB5C5B5D00F6D88
Pre-std Digest  0x79EA425B9595B8B88B3E715854CC0CC8

     In this case, MSTP blocked not profitable route between switches for all instances, leaving him for the event of an accident.

Some statistics from Cisco:

sh spanning-tree mst 1

##### MST1    vlans mapped:   1-35,101,111-500,1001-4094
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/18           Desg FWD 20000      128.18   P2p 
Gi0/20           Desg FWD 200000    128.20   P2p 
Gi0/21           Desg FWD 200000    128.21   P2p 
Gi0/22           Desg FWD 200000    128.22   P2p 
Gi0/23           Desg FWD 200000    128.23   P2p 
Gi0/24           Altn BLK 20000        128.24   P2p 
Po1                Root FWD 20000      128.36   P2p 

sh spanning-tree mst 2

##### MST2    vlans mapped:   36-100,102-110,501-1000
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/24           Altn BLK 20000      128.24   P2p 
Po1               Root FWD 20000     128.36   P2p 

Documentation for configure HP and Cisco equipment together: from HP and from Cisco

The switches in a network we have collected, in following articles we will talk about setting ports for users, add protection from users and loops, make the fault-tolerant access to the internet and the fault-tolerant mail relay.
  1. Talk about BPDUGuard, BPDUFilter, PortFast, and about some features of the use of these services on the Cisco and HP ProCurve.
  2. We make a cluster of two servers based on FreeBSD + CARP for distribution Internet to users.
  3. We will make the cluster of two Debian / Ubuntu + UCARP for mail relay, relay mail between the Internet and the mail server or a cluster of company.
  4. We will make the cluster of two Cisco + HSRP for two channels from different internet providers.
Sorry for my English...
Posted by at No comments:

Saturday, January 2, 2016

UnixDaemonReloader - Update 2016.01.03



    Updated version of the program. Added new features:


  1. Delay before running the script;
  2. Opportunity to perform before basic script, "pre-app" script for checking configuration or execute other actions, and on the returned response from the "pre-app" script to restart service, or to run "error-script". All these parameters are optional and are not mandatory to use.



Configuration file:












Update from 2016.01.03:
     Added parameters "pre-app script", "result of pre-app script" and "error script" into listing of files for watching. "Pre-app" script must to return result to stdout. Example for return: "OK" :) If returned value equals value from configuration file, will running script for restarting or reloading service, else after ending amount of attempts to execute "pre-app", will running "error script". See README.md for study new syntax of WatchList.
     PS: You can add into "pre-app script" syntax check and backup configuration file. "Error script" may contain sending E-Mail or SMS and restore from backup copy of the config.
     Added parameter UDR_ScriptsPath, pointing the path to pre-app scripts.
     Added parameter UDR_PreAppAttempt, indicating the number of executing times the "pre-app" script, after that execute "error-script" or stop attempts.
     Fixed restart for all services after first initialize database of files

Update from 2015.12.23: 
UDR_PauseBefore - pause before running the script (seconds). This setting for save your daemons from "your hands". If you during editing configuration file, accidentally press "save a file" with error or unfinished, then you have time to correct the error before the daemon will be restarted.
Full description for configuration file in: Full article about Unix Daemon Reloader

     Source codes:
          UnixDaemonReloader Source Code

     Compilled binary files for FreeBSD and Linux:
          UnixDaemonReloader on SourceForge


Posted by at
Subscribe to: Posts (Atom)