
Nexus and VTP

Today I would like to work with a Nexus 5k in VTP Server mode and see what steps are necessary to recover its configuration from a backup.

This is the platform I have in my lab:

N5548A# sh ver
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
Copyright (c) 2002-2013, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.

Software
  BIOS:      version 3.6.0
  loader:    version N/A
  kickstart: version 6.0(2)N2(3)
  system:    version 6.0(2)N2(3)
  Power Sequencer Firmware:
             Module 1: version v3.0
             Module 2: version v1.0
             Module 3: version v5.0
  Microcontroller Firmware:        version v1.2.0.1
  SFP uC:    Module 1: v1.0.0.0
  QSFP uC:   Module not detected
  BIOS compile time:       05/09/2012
  kickstart image file is: bootflash:///n5000-uk9-kickstart.6.0.2.N2.3.bin
  kickstart compile time:  12/17/2013 2:00:00 [12/17/2013 13:52:59]
  system image file is:    bootflash:///n5000-uk9.6.0.2.N2.3.bin
  system compile time:     12/17/2013 2:00:00 [12/17/2013 17:02:31]


Hardware
  cisco Nexus5548 Chassis ("O2 32X10GE/Modular Universal Platform Supervisor")
  Intel(R) Xeon(R) CPU         with 8253856 kB of memory.
  Processor Board ID FOC16454D9A

  Device name: N5548A
  bootflash:    2007040 kB

Kernel uptime is 74 day(s), 9 hour(s), 16 minute(s), 13 second(s)

Last reset at 403970 usecs after  Thu Jan 11 21:01:25 2018

  Reason: Reset Requested by CLI command reload
  System version: 6.0(2)N2(3)
  Service:

plugin
  Core Plugin, Ethernet Plugin
N5548A#



and this is VTP status:


N5548A# sh vtp status
VTP Status Information
----------------------
VTP Version                     : 2 (capable)
Configuration Revision          : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : TEST
VTP Pruning Mode                : Disabled (Operationally Disabled)
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 Digest                      : 0x9D 0xA0 0x8D 0x8D 0x07 0xAC 0x46 0xCB
Configuration last modified by 0.0.0.0 at 3-27-18 07:09:24
Local updater ID is 0.0.0.0
VTP version running             : 2

N5548A#


As you can see, the switch works in VTP Server mode, version 2. For this test I created two VLANs, 120 and 1200:

N5548A# sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Eth1/1, Eth1/2, Eth1/5, Eth1/6
                                                Eth1/7, Eth1/8, Eth1/9, Eth1/10
                                                Eth1/11, Eth1/12, Eth1/13
                                                Eth1/14, Eth1/15, Eth1/16
                                                Eth1/17, Eth1/18, Eth1/19
                                                Eth1/20, Eth1/21, Eth1/22
                                                Eth1/23, Eth1/24, Eth1/25
                                                Eth1/26, Eth1/27, Eth1/28
                                                Eth1/29, Eth1/30, Eth1/31
                                                Eth1/32, Eth2/1, Eth2/2, Eth2/3
                                                Eth2/4, Eth2/5, Eth2/6, Eth2/7
                                                Eth2/8, Eth2/9, Eth2/10, Eth2/11
                                                Eth2/12, Eth2/13, Eth2/14
                                                Eth2/15, Eth2/16
120  VLAN120                          active    Eth1/3
1002 fddi-default                     suspended
1003 token-ring-default               suspended
1004 fddinet-default                  suspended
1005 trnet-default                    suspended
1200 VLAN1200                         active    Eth1/4


The most common way to take a backup is to save a copy of your configuration. In most cases this works fine, but sometimes it isn't enough.

Now I take a copy of the config and reset the switch configuration to the default. This is what I see after restoring the backup config:

N5548A# sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Eth1/1, Eth1/2, Eth1/5, Eth1/6
                                                Eth1/7, Eth1/8, Eth1/9, Eth1/10
                                                Eth1/11, Eth1/12, Eth1/13
                                                Eth1/14, Eth1/15, Eth1/16
                                                Eth1/17, Eth1/18, Eth1/19
                                                Eth1/20, Eth1/21, Eth1/22
                                                Eth1/23, Eth1/24, Eth1/25
                                                Eth1/26, Eth1/27, Eth1/28
                                                Eth1/29, Eth1/30, Eth1/31
                                                Eth1/32, Eth2/1, Eth2/2, Eth2/3
                                                Eth2/4, Eth2/5, Eth2/6, Eth2/7
                                                Eth2/8, Eth2/9, Eth2/10, Eth2/11
                                                Eth2/12, Eth2/13, Eth2/14
                                                Eth2/15, Eth2/16
1002 fddi-default                     suspended
1003 token-ring-default               suspended
1004 fddinet-default                  suspended
1005 trnet-default                    suspended
1200 VLAN1200                         active    Eth1/4

As you can see, there is no VLAN 120. The definition of this VLAN is not in the backup config:


vrf context default
vrf context management
...

vlan 1200
port-profile default max-ports 512


interface Vlan1

interface Ethernet1/1

interface Ethernet1/2

interface Ethernet1/3
  switchport access vlan 120

interface Ethernet1/4
  switchport access vlan 1200

interface Ethernet1/5


Only VLAN 1200 is included. This is how VTP Server mode works. Let's do one more test. I paste the config below:

N5548A(config)# vlan 999
N5548A(config-vlan)# name vlan999
N5548A(config-vlan)#
N5548A(config-vlan)# vlan 1000
N5548A(config-vlan)# name vlan1000
N5548A(config-vlan)#
N5548A(config-vlan)# vlan 1001
N5548A(config-vlan)# name vlan1001
N5548A(config-vlan)#
N5548A(config-vlan)# vlan 1006
N5548A(config-vlan)# name vlan1006
N5548A(config-vlan)#
N5548A(config-vlan)# vlan 1007
N5548A(config-vlan)# name vlan1007
N5548A(config-vlan)#
N5548A(config-vlan)# vlan 1008
N5548A(config-vlan)# name vlan1008
N5548A(config-vlan)#
N5548A(config-vlan)# vlan 1009
N5548A(config-vlan)# name vlan1009
N5548A(config-vlan)#
N5548A(config-vlan)# vlan 1010
N5548A(config-vlan)# name vlan1010
N5548A(config-vlan)#


and this is what I see in the config:

N5548A(config)# sh run | i vla
feature interface-vlan
vlan 1006
  name vlan1006
vlan 1007
  name vlan1007
vlan 1008
  name vlan1008
vlan 1009
  name vlan1009
vlan 1010
  name vlan1010
vlan 1200
  switchport access vlan 120
  switchport access vlan 1200
N5548A(config)#


VLAN definitions in the range 1 to 1001 (1005, I should say) are kept in the vlan.dat file, not in the configuration file. When you plan your backup, make sure you have a copy of these VLANs too.

In my case I have a secondary box with the same VLANs. Let's try to copy the vlan.dat file:

N5548b# copy bootflash:///vlan.dat tftp://12.15.3.1/test1
Enter vrf (If no input, current vrf 'default' is considered):
Trying to connect to tftp server......
Using IP address of interface loopback0
TFTP put operation failed:Permission denied


The problem is that you can't copy this file while the system is using it. The only method I'm aware of is to change the VTP mode from Server to Transparent and then copy the definitions of these VLANs from the config:

N5548A(config)# sh run | i vla
feature interface-vlan
vlan 1006
  name vlan1006
vlan 1007
  name vlan1007
vlan 1008
  name vlan1008
vlan 1009
  name vlan1009
vlan 1010
  name vlan1010
vlan 1200
  switchport access vlan 120
  switchport access vlan 1200
N5548A(config)#
N5548A(config)# vtp mode transparent
N5548A(config)#
N5548A(config)#
N5548A(config)# sh run | i vla
feature interface-vlan
vlan 1
vlan 999
  name vlan999
vlan 1000
  name vlan1000
vlan 1001
  name vlan1001

vlan 1006
  name vlan1006
vlan 1007
  name vlan1007
vlan 1008
  name vlan1008
vlan 1009
  name vlan1009
vlan 1010
  name vlan1010
vlan 1200
  switchport access vlan 120
  switchport access vlan 1200
N5548A(config)#


As you can see in the output above, once we change the VTP mode the full VLAN definition appears in the running configuration.
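As an added check (not from the original post), the following Python script audits a saved running-config backup for VLANs that interfaces reference but that have no "vlan N" definition, and flags those in the VTP v2 normal range 1-1005 that would have lived only in vlan.dat. The sample backup text is constructed for the example.

```python
import re

# Constructed sample: a "show running-config" backup taken while the switch
# was a VTP v2 server. Not output from the original post.
SAMPLE_BACKUP = """\
feature interface-vlan
vlan 1200
  name vlan1200
interface Ethernet1/3
  switchport access vlan 120
interface Ethernet1/4
  switchport access vlan 1200
interface Ethernet1/5
  switchport trunk allowed vlan 10,999-1001,1200,2000
"""

VTP_V2_NORMAL_RANGE = range(1, 1006)  # 1-1005 live in vlan.dat on a v2 server

def expand_vlan_list(spec: str) -> set[int]:
    """Expand '10,999-1001' into a set of VLAN ids."""
    ids: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit_backup(config: str) -> tuple[set[int], set[int], set[int]]:
    """Return (defined, referenced, missing) VLAN ids found in a saved config.
    'missing' = referenced by an interface but with no 'vlan N' definition."""
    defined: set[int] = set()
    referenced: set[int] = set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan ([\d,\-]+)", line):
            defined.update(expand_vlan_list(m.group(1)))
        elif m := re.fullmatch(r"switchport (?:access|trunk native) vlan (\d+)", line):
            referenced.add(int(m.group(1)))
        elif m := re.fullmatch(r"switchport trunk allowed vlan (?:add )?([\d,\-]+)", line):
            referenced.update(expand_vlan_list(m.group(1)))
    return defined, referenced, referenced - defined

def vlan_dat_only(missing: set[int]) -> set[int]:
    """Missing ids in 1-1005 are the case the post describes: they lived only in
    vlan.dat, so restoring the config file alone will not bring them back."""
    return {v for v in missing if v in VTP_V2_NORMAL_RANGE}

if __name__ == "__main__":
    defined, referenced, missing = audit_backup(SAMPLE_BACKUP)
    print("missing:", sorted(missing), "vlan.dat only:", sorted(vlan_dat_only(missing)))
```

VLAN 2000 in the sample is missing too, but as an extended-range VLAN it would normally be in the config file, so that is a genuine gap in the backup rather than the vlan.dat behaviour described here.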


Summary

  • VTP v2 server mode - the definitions of VLANs 1-1005 are stored in the vlan.dat file; VLANs from 1006 upward are stored in the configuration file. In version 2 only the range 1-1005 can be exchanged between VTP servers/clients (in version 3 all VLANs can be exchanged via VTP).
  • VTP v2 transparent mode - all VLANs are stored in the configuration.
