Extending Layer 2

extended bridge

Layer 2 Bridging

If you make your way into the world of networking, you’re bound to come across a decision path on how you should handle network expansion. Should your default method always be to extend or stretch your layer 2 bridge domain? The root of the answer can be found when discussing the why. Let’s take a look at some of the use cases I’ve come across within enterprise network environments:

Device Requirement Device “A” needs to communicate with device “B” and those two devices are “required” to live on the same layer 2 broadcast domain. I haven’t come across any new devices or applications that fall into that spectrum, and it’s 2018. However, some enterprise organizations may still have legacy devices or poorly manufactured devices/applications with no foreseeable updates that may fall into this category.

Customer demand A customer you service in area “A” needs network services expanded to area “B.” They want their equipment to stay on the same subnet. Cough, cough, point of sales systems. I believe that modern POS systems can talk via IP across different subnets, but this can also be a possible use case that still comes up.

Data center disaster recovery or should I say “specific” DR models. I say “specific” because not all DC DR needs to be developed with an absolute layer 2 requirement extension model. Specific apps that are short-sighted will include layer 2 extension as a requirement. Someone insists that a VM pinned to a specific IP move from region “A” to region “B” and the IP needs to stay the same. What!?! Let’s think of better ways to do this, DNS, automate IP provisioning? However, this can still be a possible use case.

Ease of use Sometimes if you’re uncomfortable with routing protocols, it may seem easier to span a VLAN across the core of the network. Less IP provisioning, less ACL’s, potentially less firewall rules, and less management of those dreaded IP routing protocols. However, this is something we are in control of, so it’s OK to take time to research and learn what routing protocol would work best for your environment. Don’t let the lack of information drive your operation.

I can confirm that extending 100’s of VLAN’s through your core along with multiple instances of STP with a sprinkle of HSRP is NOT scalable. You will run into issues at some point. Others would say, “but my superior wants things done yesterday.” That’s another topic which may be worth blogging about in the future but hang in there.

You’re getting the point. There are some better ways to accomplish the listed use cases, but I understand that sometimes you may not be able to work with vendor X, customer Y, or technician Z to remove the necessity of layer 2 extension. Maybe your options are limited, but you’re a Rockstar network admin/engineer, so can we design around the “end user requirements”? If you must, you have quite a few options to extend layer 2 through the use of overlays. There will be some added complexity, but overlays may be worth considering instead of spanning layer 2 segments across the core.

Over What?

Ok, so what’s this overlay stuff? Say you designed your network with proper layer 2 segmentation along with a layer 3 routing protocol. Everything is working great. Your layer 2 fault domains are isolated through the use of routing protocols, you don’t have STP running across your core, and you’re taking advantage of multipath layer 3 routing. All is wonderful in the world. You then have a “hard” requirement, maybe one listed above to extend layer 2. Do you go back and span a VLAN through your core? No, overlays to the rescue! Overlays have been around for quite some time, think GRE, Pseudo-wires, etc. Some of the latest overlays you may have heard of are VXLAN or EVPN. Basically you’re encapsulating information from one segment of your network and forwarding it across an existing layer. The information de-encapsulates at an endpoint and voila you’ve extended layer 2 across your layer 3 network. I know, easier said than done. There’s plenty of resources out there on how to setup overlay protocols, so I won’t go into the details.

Alternative Thinking

Now let’s say you want to build your network from the ground up with extension services in mind. This would allow you to have a robust layer 2 transport natively built into your network. Extreme Networks has something called Fabric Connect which was an acquired technology from their Avaya network acquisition. Fabric connect is designed around shortest path bridging MAC (SPBM) as the forwarding plane and IS-IS as a control plane. You forward traffic not by IP routes, but by using an I-SID or Individual Service Identifier. You can create a layer 2 virtual service network (VSN) that’s more “circuit” based. The core of your network becomes a fabric connect mesh, and from an operational perspective, you configure services at the edge. You no longer have to segment devices to only certain parts of your network. Extreme Networks claim is that you get something like MPLS (however different) without the complexity.

Fabric connect makes me start thinking about locator/ID Separation Protocol or LISP which focuses on separating location (think IP address) from a device ID (think IP address again). If you separate location and device apart, you can now create two namespaces. In LISP, that’s the endpoint identifier (EID) and the routing locator (RLOC). What you then create is a mapping architecture similar to DNS mapping an IP to a name for determining forwarding. In fact, Cisco Campus Fabric uses LISP and VXLAN that creates another overlay solution that allows client mobility across a network.

The next time you have the opportunity to design or redesign a network, take time to study the why before you implement the how. And most importantly have fun!

Resources

Netcraftsmen on Layer2 (older, but still relevant challenges enterprises face today) https://www.netcraftsmen.com/extended-vlan-mitigation/ 
Locator/ID Separation Protocol (LISP) http://lisp.cisco.com/docs/LISP_Overview.pdf
Fabric connect – Extreme networks

Why I’m so fascinated with white box switching

All the hype

White box switching seems to be all the networking hype.  For some in-depth research, check out this podcast from packet pushers about ATT making its move into white box switching. Cisco is also committed to offering a decoupled version of IOS-XR from Cisco hardware to enable running their NOS on OCP (open compute project) compliant hardware aka “white box switching.” Fascinating stuff, but what’s the big deal? Well, I’m going to try and make a comparison.

A Lego comparison

I’m a huge adult fan of Lego (AFOL). I remember dumping old tin popcorn bins with Legos all over my bedroom floor as a child. I’m more organized today, but I can’t help tearing down and building new creations. Now imagine you have an advanced Lego technic set put together. You have gears that move, hinges that open and close, wheels turn, etc. Now imagine all those connecting pieces glued together. A nightmare for those AFOL’s who want to rebuild something special.

white box switch lego

Picture that glued together Lego set as a networking switch or router. Sure you can plug and unplug a few items, configure features within the CLI, and even get some sweet stats via SNMP. However, your switch or router’s underlying code is static which you can’t change. You’re at the mercy of the vendors nicely glued together product. I’m not suggesting that’s necessarily a bad thing, but you get where I’m going. With white box switching, you finally get to be a bit more creative with your switch or router. You can unload the default network operating system and load up something completely different. You’ve just expanded your imagination beyond one vendor and their fixed code.

A modular future

Maybe we’ll start to see advanced hardware modularity for white box switching as well. You need more processing power; upgrade your CPU. You need more space for your NOS apps or massively large routing tables, then go ahead and add more RAM. Are you a Cisco or Cumulus fan, who cares, you choose what NOS to run. Now you’re building like an AFOL. The possibilities of customization that deliver high flexibility are endless.

Lego 16 port white box switch

Extreme Networks EXOS on Nutanix CE

EXOS in Nutanix CE

Now that I have my Nutanix CE lab setup, I wanted to get some of my virtual network operating systems installed within my home lab. One of the NOS’s I’ve been running is Extreme Networks virtual EXOS. My last EXOS-VM lived in Virtualbox and ESXi. Extreme Networks has a github page here with all the information you need to get started with running the VM within a Virtualbox or ESXi environment.

Issue and Solution with Nutanix

Following the EXOS installation guide using the downloadable iso and mimicking the Vmware/Virtualbox VM settings within Nutanix CE wouldn’t work. I kept receiving an issue with the disk not correctly detected while Continue reading »

Best of Breed

I recently heard the term “best of breed” used when discussing network vendor selection. I was surprised by this answer because you don’t hear it too often.  The more I thought about it, why not “best of breed” selection? My time as a network and infrastructure supervisor has taught me that a data center environment can be full of different compute and storage vendor products. Our SAN environment consists of Pure, Tegile, EMC, and even QNAP. Each product has its place.  Pure serves the VDI environment, Tegile/EMC host production, and QNAP serves as a target for our Veeam backups. The team has also categorized and carved out each platform into tiered offerings.

On the other hand, network vendor selection tends to be biased. Typically you’ll see one network vendor selected for the edge/access, distribution, and core. However, you will find a different wireless vendor from time to time.

Many reasons exist

A compilation of the most popular

  • We would like to interact with only one vendor for purchases and support.
  • ABC vendor only works well with a particular management tool.
  • I only know vendor ABC, and we don’t have time to learn something new.
  • Did you hear that vendor ABC had an issue with XYZ product, I don’t want those problems.
  • Everyone else uses vendor ABC.
  • No other vendor supports my VOIP feature set.
  • You can’t do XYZ well or at all with any other vendor product.

I will say that there are a few use cases that keep you tied Continue reading »

Extreme Networks – enabling a few things on b5/c5/k series

Extreme Networks Switching Commands

Some of my most visited posts seem to be on brocade switching configuration/commands, so I decided to put together our standard list of commands for some Extreme Networks switches we use. These commands can be used on the B5, C5, K series, 7100 series, and S Series Extreme Networks switches. These switches run the EOS network operating system. Extreme networks product line moving forward will be purely EXOS (ExtremeXOS operating system). Therefore the following commands will become legacy, but are still very useful to know since some of the EOS product line hasn’t reached EOL.  Some commands are self explanatory, but for other’s I added a short description. Continue reading »

Troubleshooting ARP/IGMP/Router CPU

The Issue

We recently starting having issues with a building reporting that icmp stopped responding on a distribution router and some access switches behind the router. Some routing interfaces would respond, but the management VLAN interface wouldn’t. Further troubleshooting showed that the CPU processes on the router comprised of two Extreme Networks 7100 series switching running OSPF climbed up to 80/100% utilization. The “show logging buffer” revealed massive amounts of host-dos ARP attack events. The first thought was that a possible infected machine was creating an ARP storm. Continue reading »

Cisco Virtual Internet Routing Lab – Up and Running…

I was finally able to fix the issue that I described having in my earlier Cisco VIRL article. My original bare metal box only had 3 NICs. VIRL requires that you have at least 5 NICs. If you don’t have 5 NIC’s, then you have to modify the /etc/virl.ini file with dummy interfaces. I did this earlier, but must have had a mistake in the config. I double checked the config and also ran the VIRL-rehost script that’s on the desktop when you login to VIRL. Running the script wasn’t in the VIRL doc steps, so I didn’t do this before. Running the script after modifying the virl.ini file with the dummy interfaces finally fixed my issue. The script modified the /etc/network/interfaces with the correct dummy interfaces. Here’s an example of what the script changed:

iface dummy1 inet static

address 172.16.3.254/24

netmask 255.255.255.0

post-up ip link set dummy1 promisc on

I setup an IOSv router and connected it to an L2 External (flat) network which connects back through one of my physical NICs. That connection then goes into a real cisco ws-c3560x 24 port switch. That switch is connected to my network and I assigned my PC another IP address on the 172.16.1.x network. I can now ssh into the IOSv router directly from my desktop.

virl flat network

 

Now that I have worked out all the bugs, I’m pretty impressed with the functionality that VIRL provides. Now I’m going to see how many routers I can throw at this box.

Ping you later,

@javi_isolis

Cisco VIRL setup

In my last post, I spoke about getting a cisco virl (virtual internet routing lab) server going. I started with a hyper-V installation, which wasn’t listed as being supported. I gave it a try anyways. What I came to find out is that hyper-V would not work with my setup because I couldn’t do nested virtualization. Cisco Virl runs KVM under the hood which needs native VT-d. I couldn’t get hyper-v to pass VT-d to the host, so that was a no go. I decided to wipe the drive and load the iso version of cisco virl directly on my box. After a few failed attempts, I finally got virl to run without giving an error when trying to license the software. You have to follow the virl install guide to the T. I accidentally didn’t put in the correct hostname that the guide said to use. That caused the initial installation of virl to give an error every time I tried to run the user workspace manager. After following the exact directions, I was able to get virl to load.

Now I’m running into one last error message:

state changed from BUILD to ERROR with message: No valid host was found. Exceeded max scheduling attempts 3 for instance

cisco virl

I’m digging into the logs in order to figure out what the issue is, I’m really close. Hopefully my next post will be an in depth review of cisco virl.

occupied, time to setup Cisco VIRL

I’ve been occupied with many other things going on lately especially with the holidays. Family, work, etc. I haven’t been able to sit and write, but I ran into something pretty cool that I wanted to share. Those of you who are always looking to expand your knowledge in networking, cisco just released VIRL or virtual internet routing lab. This is Cisco’s newest virtualization lab simulation tool. It reasonably priced as well.

I saw this as a perfect opportunity to build a homebrew cisco VIRL hyper-v server. Unfortunately hyper-v isn’t supported, but that didn’t stop me. I recently found a dell studio 435 with an i7-920 processor in the garbage down the street. The only issue it had was a dying power supply.

cisco VIRL home server

Once that was fixed, I started to install hyper-v 2012. To my dismay, I couldn’t get hyper-v loaded without the installation crashing. All settings looked to be good. Virtualization was enabled in the bios and all other recommended settings were set. I then realized that the bios version was pretty old and figured I try to do an update. Low and behold a bios firmware fixed the crashing issue. I slapped another broadcom pci-e nic and finished the install. Now I’m having issues getting the broadcom nic and the onboard nic to load correctly. After searching the Internet, I figured out how to manually add drivers in hyper-v core mode. I’m still running into some issues with NIC detection, so I think I may run esxi on another partition of the drive just to get VIRL running. Stay tuned….

You can now follow up on my cisco bare metal home build here.

 

ICX6610 Brocade Switch – Firmware

Ok, so I’m in the process of configuring our spare icx 6610 brocade switch with the same firmware and configuration of one of our main border WAN icx 6610’s that’s running BGP. If our router fails, then I will have a hot spare ready to go while I wait for an RMA. This requires that the space icx 6610 is running router firmware along with an icx 6610 advanced license. The icx 6610 has the ability to run in layer 2 switching mode only or layer 3 mode when the proper firmware is loaded. By default, I had two code versions loaded on the icx 6610. You can identify which code is which by looking at the flash file name. Running the show flash command will give you the following:

#show flash
Stack unit 1:
Compressed Pri Code size = 7189206, Version:07.4.00cT7f3 (FCXR07400c.bin)
Compressed Sec Code size = 8874046, Version:08.0.00aT7f3 (FCXR08000a.bin)
Compressed Boot-Monitor Image size = 370733, Version:07.3.03T7f5
Code Flash Free Space = 49020928

You want to look at the character after FCX in parentheses, I have (FCXR07400c.bin) and (FCXR08000a.bin). The fourth character is an R, which is for routing. If the letter was an S, then that would represent switching only. Right now, I have two different routing versions. Since this is a major rev., there was also a new boot code as well (07.3.03T7f5). Unfortunately, there’s not two slots in the flash to have two different boot codes. If I try to boot back to the 7.4 code, I won’t have the proper boot code that I had before. I will therefore copy another version 8 code to the primary flash space. To do that I will run the following command:

#copy tftp flash <ip-of-tftp-server> <flash-image> primary

In order to boot to the new flash (assuming you don’t need a new boot code), you can then run the following command:

#boot system flash <primary | secondary>

HINT: The default boot is set to boot from the primary location, so if you reboot again without running another command, it will boot back to the default location. If you want to always boot from the secondary flash location, run the following command in config t mode:

(config)#boot system flash secondary

Don’t forget to write mem.

 

1 2