Cisco IOS: Ether-Channel Trunks

KB ID 0001533

Problem

This is a subject that every time I need to create an Ether-Channel I end up checking beforehand, so it’s about time I wrote it up. We are combining two different things: an Ether-Channel (an aggregation of links) and a Trunk (the ability to carry many VLANs). If you are NOT from a Cisco background then you might want to read through the following post first to avoid confusion about the word ‘Trunk‘.

HP and Cisco – VLANs and Trunks Confusion!

So this is what I’m going to create;

I will combine the TWO links between the switches to act as one link (Ether-Channel). An Ether-Channel can have up to eight links.

Note: I’m only concentrating on the Ether-Channel setup so VLANs/VTP and Routing are not covered.

Solution

There are two types of Ether-Channel: PAgP (Port Aggregation Protocol), but WHY use it when it only works on Cisco switches, and LACP (Link Aggregation Control Protocol), which is supported by just about everything else, so let’s stick with that! By default a ‘Trunk’ will pass ALL VLANs; you might not want that, so I’ll cover filtering VLANs a bit further down.

WARNING: If you simply connect two switches with two cables you will create a LOOP. If you have STP enabled the network will recover and block one of the links, but your colleagues will shake their heads and pull a ‘frowny face’. For that reason, SHUT THE PORTS DOWN BEFORE YOU CABLE / CONFIGURE THEM.

Starting on Switch1, make sure there are no existing Ether-Channels configured;

[box]

SW-1#show etherchannel
                Channel-group listing:
                ----------------------

Group: 1
----------
Group state = L2
Ports: 2   Maxports = 4
Port-channels: 1 Max Port-channels = 4
Protocol:   LACP
Minimum Links: 0

[/box]

Above there is already an Ether-Channel (port-channel) on the switch (group 1), so you would have to use group 2. For argument’s sake we will say I don’t have one, so I can use group 1.

Note: ‘show etherchannel summary’ is also a handy command to remember!

[box]

First shut down the uplinks. Note the syntax for the 'range' of interfaces may differ from device to device,
so use the TAB key.

SW-1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW-1(config)#interface range ethernet 0/1 - 2
SW-1(config-if-range)#shutdown

Add the ports to channel group 1. Note 'active' means use LACP ('passive' also works, but one (or both) ends
should be active).

SW-1(config-if-range)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1

Create a 'trunk' with 802.1q encapsulation.

SW-1(config-if-range)#switchport trunk encapsulation dot1q
SW-1(config-if-range)#switchport mode trunk

[/box]

Then configure the other end the same (assuming the port numbers are the same!). As mentioned above you can use LACP mode ‘passive‘, but I tend to set both ends active.

Once you have both ends configured and the cables in place, enable the interfaces with a ‘no shutdown‘ command, on both ends!

[box]

SW-1(config)#interface range ethernet 0/1 - 2
SW-1(config-if-range)#no shutdown

[/box]

Filtering VLANs on an Ether-Channel Trunk

Any further port-channel changes need to be made on the port-channel interface, so if you want to filter what’s allowed you simply use the following syntax;

[box]

SW-1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW-1(config)#interface Port-channel1
SW-1(config-if)#switchport trunk allowed vlan 1,10,100,200

[/box]

Note: When adding any future VLANs check the syntax: if you simply re-enter the command with only the new VLAN it will overwrite the existing allowed list, and things will break!

Do all Ether-Channels need to be Trunks? No! Not at all: they can be access ports (as long as they are all in the same VLAN), and they can also be routed uplinks with an IP address at both ends (specified on the port-channel interface).
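A small Python model of two of the gotchas above, added here as an example (it is not code from the original article). It assumes the IOS semantics of ‘switchport trunk allowed vlan’: a bare VLAN list replaces the whole allowed list, the ‘add’, ‘remove’, ‘except’, ‘all’ and ‘none’ keywords edit it, and an LACP bundle only forms when at least one end is ‘active’.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))   # valid IOS VLAN IDs are 1-4094

def parse_vlan_list(text):
    """'1,10,100-102' -> {1, 10, 100, 101, 102} (IOS list/range syntax)."""
    if not text:
        raise ValueError("empty VLAN list")
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

ALLOWED_RE = re.compile(
    r"switchport trunk allowed vlan\s+(add|remove|except|all|none)?\s*([\d,\-]*)")

def apply_allowed_vlan(current, command):
    """Return the allowed-VLAN set after applying one IOS
    'switchport trunk allowed vlan ...' line to `current`.
    With no keyword the list is REPLACED, which is the gotcha in the note
    above: re-entering the command with only the new VLAN silently drops
    every VLAN that was allowed before."""
    m = ALLOWED_RE.fullmatch(command.strip())
    if not m:
        raise ValueError(f"unrecognised command: {command}")
    keyword, vlist = m.group(1), m.group(2)
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    vlans = parse_vlan_list(vlist)
    if keyword == "add":
        return current | vlans
    if keyword == "remove":
        return current - vlans
    if keyword == "except":
        return set(ALL_VLANS) - vlans
    return vlans                      # no keyword: replace, not append

def lacp_bundle_forms(mode_a, mode_b):
    """LACP negotiates only between 'active'/'passive' ports, and
    passive/passive never sends a request, so at least one end must be
    'active' (mode 'on' is static bundling and does not negotiate)."""
    return "active" in (mode_a, mode_b) and {mode_a, mode_b} <= {"active", "passive"}
```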

Related Articles, References, Credits, or External Links

NA

Cisco IOS – Enabling LLDP

KB ID 0001289 

Problem

If you’re running Cisco IOS on all your devices then you can use CDP to see what’s directly connected (unless you are on a Cisco firewall, but I did say IOS devices).

[box]

Petes-Switch#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Petes-CPE.petenetlive.com
                 Gig 1/0/19        148             R S I  CISCO2901 Gig 0/0
Petes-Switch#

[/box]

But just about every other vendor uses LLDP (Link Layer Discovery Protocol) to do the same job. So how do you discover what ports you are plugged into on them, or what they are?

 

Solution

Well in most cases (depending on your code version) your devices also support LLDP, it’s just disabled by default. You simply turn it on with an ‘lldp run’ command.

[box]

Petes-Switch(config)#lldp run
Petes-Switch(config)#exit
Petes-Switch#show lldp ?
  entry      Information for specific neighbor entry
  errors     LLDP computational errors and overflows
  interface  LLDP interface status and configuration
  neighbors  LLDP neighbor entries
  traffic    LLDP statistics
  |          Output modifiers
  

[/box]

Now I see my neighbours (yes, that is how it’s spelt, I’m English!). In my example below the neighbour is a Dell switch.

[box]

Petes-Switch#show lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
90b1.1cf4.39e1      Gi1/0/11       120                        ManagementEthernet 0/0
90b1.1cf4.39e1      Gi1/0/14       120                        TenGigabitEthernet 1/45
90b1.1cf4.39e1      Gi2/0/13       120                        TenGigabitEthernet 0/44
90b1.1cf4.39e1      Gi1/0/13       120                        TenGigabitEthernet 1/44
90b1.1cf4.39e1      Gi2/0/14       120                        TenGigabitEthernet 0/45
90b1.1cf4.39e1      Gi1/0/16       120                        TenGigabitEthernet 1/47
90b1.1cf4.39e1      Gi2/0/16       120                        TenGigabitEthernet 0/46
90b1.1cf4.39e1      Gi1/0/15       120                        TenGigabitEthernet 1/46
90b1.1cf4.39e1      Gi2/0/15       120                        TenGigabitEthernet 0/47

Total entries displayed: 9

[/box]
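As an added example (not code from the original article), a Python parser for this ‘show lldp neighbors’ layout, fed a constructed sample that reuses the Dell row above and adds two made-up neighbours. It copes with the empty Capability column and lets you flag neighbours that are not in your inventory.

```python
import re

# Constructed sample in the layout of the article's 'show lldp neighbors':
# the first row is the Dell switch from the article (blank Capability
# column); the other two rows are made up to exercise the parser on
# neighbours that do advertise capabilities.
SAMPLE = """\
Petes-Switch#show lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
90b1.1cf4.39e1      Gi1/0/11       120                        ManagementEthernet 0/0
core-rtr.lab        Gi1/0/20       120        B,R             Gi0/1
ip-phone-0042       Gi1/0/5        180        T               SEP001122334455

Total entries displayed: 3
"""

# device, local interface, hold time, optional capability list, port id
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(?:([A-Z](?:,[A-Z])*)\s+)?(\S.*?)\s*$")

def parse_lldp_neighbors(text):
    """Turn 'show lldp neighbors' output into a list of dicts. The
    Capability column may be empty (as with the Dell above), so it is
    matched optionally rather than by column position."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Device ID"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("Total entries"):
            continue
        m = ROW.match(line)
        if not m:
            continue            # e.g. a long Device ID wrapped onto two lines
        dev, intf, hold, caps, port = m.groups()
        rows.append({"device": dev, "local_intf": intf, "hold": int(hold),
                     "caps": set(caps.split(",")) if caps else set(), "port": port})
    return rows

def unexpected_neighbors(rows, known_devices):
    """Neighbours not on the inventory list: a bridge or router appearing
    on a port where only phones or PCs should be is worth a look."""
    return [r for r in rows if r["device"] not in known_devices]
```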

 

Related Articles, References, Credits, or External Links

HP Networking – Tracing Networks and Locating IP addresses

Cisco IOS – An interface whose trunk encapsulation is “Auto” can not be configured to “trunk” mode.

KB ID 0001167

Problem

If you try to change a port’s status, to make it a trunk port, you may see this error;

[box]

Petes-Switch(config-if)#switchport mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" can not be configured to "trunk" mode.

[/box]

Trunk Settings

I don’t know if this is a throwback to when we had both ISL trunking and 802.1Q, but you need to specify the encapsulation before you can specify a trunk.

[box]

Petes-Switch(config-if)#switchport mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" can not be configured to "trunk" mode.
Petes-Switch(config-if)#switchport trunk encapsulation dot1q
Petes-Switch(config-if)#switchport mode trunk
Petes-Switch(config-if)#

[/box]

Related Articles, References, Credits, or External Links

NA

Cisco IOS – “configuration not allowed when device is not the primary server for vlan database.”

KB ID 0001127 

Problem

I was trying to delete a VLAN from a client’s switch, and this was happening;

[box]

Core-3560#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Core-3560(config)#no vlan 30
VTP VLAN configuration not allowed when device is not the primary server for vlan database.

[/box]

Solution

Now as far as I was aware there was only one switch (certainly on this LAN segment anyway). What you need to do is change the VTP mode to transparent, then you can make your changes. Afterwards I changed the mode back because: a. never assume you know everything, b. they are at the other end of the country, and c. it’s never caused a problem before.

[box]

Core-3560-S(config)#vtp mode transparent
Setting device to VTP Transparent mode for VLANS.

NOW I CAN RECONFIGURE VLANS

Core-3560(config)#no vlan 30
Core-3560(config)#vlan 120
Core-3560(config-vlan)#name Voice-VLAN
Core-3560(config-vlan)#exit
Core-3560(config)#no vtp mode transparent
Resetting device to VTP SERVER mode.

[/box]

Related Articles, References, Credits, or External Links

NA

Cisco – Automatic Re-enrollment Fails to MSCEP/NDES

KB ID 0000970

Problem

I’ve covered setting up NDES at length in the past, but what happens when your issued certificates expire? If you are using them for all your VPNs, what then? Well thankfully you can get your devices to automatically re-enroll before they expire; for example, to renew the cert at 80% of its lifetime you would use the following;

[box]

crypto pki trustpoint PNL-TRUSTPOINT
enrollment url http://123.123.123.130/CertSrv/mscep/mscep.dll
usage ike
serial-number
ip-address 123.123.123.90
enrollment mode ra
revocation-check none
enrollment retry count 100
enrollment retry period 5
fqdn RTR2hr.testbench.local
rsakeypair PNL-TRUSTPOINT 2048
auto-enroll 80 regenerate

[/box]

However, there is a problem: if you are using Server 2008 there’s a hot-fix (and you need to make the following change as well). I’m on Server 2012 and mine was failing.

Solution

1. On the server running the NDES Server role, open the registry editor and navigate to;

[box]
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP
[/box]

Create a new 32-bit DWORD value called DisableRenewalSubjectNameMatch and set its value to 1 (one).

2. Also ensure the certificate template that you are using for NDES has the following settings. Here I’m using a custom template called NDESTemplete; if you are using the default one it will be called ‘IPSec (Offline request)‘. On the Subject Name tab make sure ‘Supply in the request’ is selected.

3. On the ‘Issuance Requirements’ tab, ensure ‘CA certificate manager approval’ is NOT selected.

 

Related Articles, References, Credits, or External Links

NA

Cisco Catalyst – ‘Daughtercard inserted in this switch may not have been manufactured by Cisco’

KB ID 0001018 

Problem

In a newly deployed switch the MACSEC link refused to establish; when I consoled in I was greeted with this;

[box]

Dec 06 01:30:07.023: %ILET-1-DEVICE_AUTHENTICATION_FAIL: The FRULink SM Daughtercard inserted in this switch may not have been manufactured by Cisco or with Cisco's authorization. If your use of this product is the cause of a support issue, Cisco may deny operation of the product, support under your warranty or under a Cisco technical support program such as Smartnet. Please contact Cisco's Technical Assistance Center for more information.
Dec 06 01:30:07.023: %PLATFORM_SM10G-3-AUTHENTICATION: The FRULink 10G Service Module (C3KX-SM-10G) may not have been entirely manufactured by Cisco. Module is in pass-through mode.
Dec 06 01:30:07.090: %FRNTEND_CTRLR-2-SUB_INACTIVE: The front end controller 1 is inactive
-Traceback= 4E12E0z 250AA2Cz 26A1BE8z 269C198z
Dec 06 01:30:18.079: %FRNTEND_CTRLR-2-SUB_INACTIVE: The front end controller 0 is inactive
-Traceback= 4E12E0z 250AA2Cz 26A1BE8z 269C198z
[/box]

Solution

At first I assumed the C3KX-SM-10G was faulty, so I put it in another 3560-X switch and the problem moved with it, problem solved (or so I thought).

However, I had moved the service module in its entirety (SFPs as well). After some more troubleshooting it turned out the service module was fine; the entire problem was caused by a faulty SFP (GLC-SX-MMD).

Related Articles, References, Credits, or External Links

Cisco IOS – Configuring Switch to Switch MACSEC

 

Cisco Router – Configure NAT (NAT Overload)

KB ID 0000971 

Problem

NAT is the process of taking one or more IP addresses and translating it/them into different IP addresses. You may require your router to translate all your internal IP addresses to your public (ISP allocated) IP address. To do that we use a process called NAT Overload.

Solution

1. Connect to the router and go to enable mode, then global configuration mode.

[box]

PetesRouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
PetesRouter(config)#

[/box]

2. Setup the WAN (outside facing) interface.

[box]

PetesRouter(config)#interface GigabitEthernet0/0
PetesRouter(config-if)#ip address 123.123.123.123 255.255.255.0
PetesRouter(config-if)#ip nat outside
PetesRouter(config-if)#no shutdown
PetesRouter(config-if)#exit

[/box]

3. Setup the LAN (inside facing) interface.

[box]

PetesRouter(config)#interface GigabitEthernet0/1
PetesRouter(config-if)#ip address 192.168.1.1 255.255.255.0
PetesRouter(config-if)#ip nat inside
PetesRouter(config-if)#no shutdown
PetesRouter(config-if)#exit

[/box]

4. You will need a ‘default route’, which will be the router’s ‘next hop’ towards the internet.

[box]

PetesRouter(config)#ip route 0.0.0.0 0.0.0.0 123.123.123.2

[/box]

5. Create an ACL that will match any traffic coming from inside (remember permit means match).

[box]

PetesRouter(config)#access-list 100 remark NAT-ACL
PetesRouter(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any

[/box]

6. Then tie it all together with the following command;

[box]

PetesRouter(config)#ip nat inside source list 100 interface GigabitEthernet 0/0 overload

[/box]

7. Save the changes.

[box]

PetesRouter(config)#exit
PetesRouter#write mem
Building configuration...
[OK]
PetesRouter#

[/box]
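To see what step 5’s ‘permit means match’ does in practice, here is an added Python model (not code from the original article) of the ACL wildcard-mask match and the overload (PAT) table it drives. The ACL and the 123.123.123.123 outside address are the ones from the steps above; the port allocation is constructed and does not mirror how IOS really picks ports.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    action: str      # 'permit' or 'deny'
    network: int     # source network as a 32-bit int
    wildcard: int    # IOS wildcard: 0 bits must match, 1 bits are don't-care

def parse_acl(text):
    """Parse 'access-list <n> permit|deny ip <src> <wildcard> any' lines; skips 'remark' lines."""
    entries = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 3 or p[0] != "access-list" or p[2] == "remark":
            continue
        if len(p) != 7 or p[3] != "ip" or p[6] != "any":
            raise ValueError(f"unsupported ACL line: {line}")
        entries.append(AclEntry(p[2], int(ipaddress.IPv4Address(p[4])),
                                int(ipaddress.IPv4Address(p[5]))))
    return entries

def acl_permits(entries, src_ip):
    """First match wins and an implicit deny ends every IOS ACL; for NAT,
    'permit' simply means 'translate this source'."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for e in entries:
        care = ~e.wildcard & 0xFFFFFFFF       # bits the wildcard says must match
        if ip & care == e.network & care:
            return e.action == "permit"
    return False

class NatOverload:
    """Model of 'ip nat inside source list 100 interface Gi0/0 overload':
    permitted inside hosts share one outside IP and differ by source port."""
    def __init__(self, acl, outside_ip):
        self.acl, self.outside_ip = acl, outside_ip
        self.table = {}            # (inside_ip, inside_port) -> outside_port
        self._next_port = 1024     # constructed port allocator; real IOS differs

    def translate(self, src_ip, src_port):
        """Return (outside_ip, outside_port), or None if the ACL does not match."""
        if not acl_permits(self.acl, src_ip):
            return None            # not 'inside' per the ACL: forwarded untranslated
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = self._next_port
            self._next_port += 1
        return (self.outside_ip, self.table[key])
```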

 

Related Articles, References, Credits, or External Links

NA

Cisco IOS and ASA Showing the Config Without the ‘More’ Breaks/Pauses

KB ID 0001017

Problem

When looking at a router, switch or firewall running config, it will usually display a page at a time; you can page down with the space bar, or line down with the Enter/Return key.

Normally that’s fine, but what if you want to capture (take a quick backup of) the config?

If you do that, and page down you get a copy of the config that looks like this;

–More–

Yes, you can delete them, but in a big config that can take time. How about making the config scroll right to the end without the breaks/pauses?

Solution

Cisco ASA Disable Paging

On a firewall that’s done with the pager command. Normally a firewall config will display 25 lines at a time; to get it to scroll straight to the end set the pager length to zero.

[box]

Type help or '?' for a list of available commands.
Petes-ASA> enable
Password:*********
Petes-ASA# configure terminal
Petes-ASA(config)# pager 0
Petes-ASA(config)#

[/box]

Tip: If you want to take a copy of a firewall config it will blank (replace with asterisks) the VPN shared secrets and failover keys. You can suppress that, and show the hidden values, with the following command;

[box]

Petes-ASA(config)# more system:running-config

[/box]

To return it to pausing every 25 lines and giving the <— More —> prompt again;

[box]

Petes-ASA(config)# pager 25 

[/box]

Cisco Router / Switch IOS Terminal Length

On IOS the default is 24 lines at a time (‘show terminal’ will tell you). You can change this by changing the terminal length. Note: This is NOT a global configuration command.

[box]

Petes-Router#terminal length 0

[/box]

To reset it, and get the –More– prompt back again;

[box]

Petes-Router#terminal length 24

[/box]

Related Articles, References, Credits, or External Links

NA