- Switching device manager
- Power over Ethernet (PoE)
- Interfaces
- Switch virtual interface (SVI)
- Wedged interface
- Subinterfaces
- Null0
- GRE
- Tunnel
- Errors
- Err-disable
- Interface error counters
- Excessive CPU utilization
- SFP
- Hardware queue
- Thresholds
- Redundancy
- Non-stop forwarding (NSF)
- Non-stop routing (NSR)
- Stackwise
- Stackwise+
- Stackwise-480
- FlexStack
- StackWise Virtual (VSS)
- Config archive
- Embedded event manager (EEM)
- Dynamic VLAN
- Boot
- License
- Alias
- Generic online diagnostics (GOLD)
- In-service software upgrade (ISSU)
- Software maintenance upgrade (SMU)
- Electronic programmable logic devices (EPLD)
- Callhome
- Cisco fabric services (CFS)
- Cisco Nexus
- NX-API
- NX-OS RBAC
- Adjacency manager (AM)
- Host mobility manager (HMM)
- PBR
- L3 MTU
- L2 MTU
- Upgrade
- Checkpoint
- Power-on auto provisioning (POAP)
- Port Profile
- Graceful insertion and removal
- Unified ports
- N5k
- N7k
- Virtual device context (VDC)
- Storage VDC
- IDS
Switching device manager
- templates:
- access: max ACL
- default
- dual-ipv4-and-ipv6: IPv6 support
- routing: IPv4 routing
- vlan: max CAM, disable hardware routing
; reload is required
(config)# sdm prefer <TEMPLATE>
; TCAM resource distribution across the functions
# show sdm prefer
Power over Ethernet (PoE)
- implementations:
- Cisco inline
- FE only
- max wattage: 7.7W
- IEEE 802.3af
- initial wattage: 12.95W
- max wattage: 15.40W (2.4W of losses)
- IEEE 802.3at
- initial wattage: 25.50W (4 wires), 51W (8 wires, non-standard)
- max wattage: 34.20W
- IEEE 802.3bt (UPoE)
- max wattage: 60W (8 wires), 90W
- PoE pass-through (e.g., 3560CX): power sensors, cameras
- consumption
- phone: 5W standby, 7W on call
- AP: 12W, 802.11ac – 22W
- if the client does not request a specific power level via CDP/LLDP, it is allocated the initial wattage level
- PoE client:
- classes:
- 0 ≡ no info
- 1 ≡ max 4W
- 2 ≡ max 7W
- 3 ≡ max 15.4W
- 4 ≡ max 30W
- discovery:
- Cisco inline: send tone that is echoed back through client via closed circuit
- IEEE: measure resistance (kΩ), value → class
- power delivery type:
- A:
- over 2 unused wires
- up to 100 Mbps
- Cat3, Cat4, Cat5e
- B:
- phantom power
- 2-10V initially; if device is PoE-capable – 48V, otherwise – 0V
- perpetual PoE: provides power during software-initiated reboot
- fast PoE: provides last negotiated power level during boot prior to negotiation
(config-if)# power inline never
; real power supply, provided by auto mode for PoE-capable
; useful if CDP is disabled, does not account for power loss in cable
(config-if)# power inline consumption <mW>
; max valid request for power from client, no client – no power
(config-if)# power inline auto max <mW>
; reserve from power bank regardless of whether client is actually present
; ignores consumption
(config-if)# power inline static max <mW>
; perpetual PoE + fast PoE
(config-if)# power inline port poe-ha
Interfaces
; turn Ethernet into unnumbered interface
(config-if)# medium p2p
; 300s default, interval to calculate statistics over
(config-if)# load-interval <sec>
Switch virtual interface (SVI)
- create SVI ≠ create VLAN
- up/up:
- VLAN exists
- not admin down
- at least one port (access/trunk) in STP forwarding (either access or voice VLAN)
- down/down:
- VLAN does not exist
- VLAN shutdown/suspended
- up/down
- VLAN exists
- no port with VLAN in STP forwarding
- SVI autostate: SVI does not switch to up/up, unless at least one port in VLAN is up/up and not blocked by STP
; on SVI, state – permanently active
(config-if)# no autostate
; physical interface, disable affecting SVI autostate
; useful on ports to sniffers, sniffer exists ≠ VLAN active
(config-if)# switchport autostate exclude
; NX-OS, enable SVIs
(config)# feature interface-vlan
Wedged interface
- interface with full input queue
- does not forward ingress traffic
Subinterfaces
- router physical interface does not accept tagged frames, only subints do (required for QoS)
- FastEthernet0/0.0 ≡ FastEthernet0/0
Null0
- static routes via Null0 are connected ⇒ affected by network or redistribute connected
GRE
- IP 47
- line status is based upon destination reachability by default
- may not be supported in HW ⇒ processed by CPU
- can transport several protocols at once
- IPsec – on-demand
# enable IPv4 forwarding
$ echo 1 > /proc/sys/net/ipv4/ip_forward
# load kernel module
$ modprobe ip_gre
# add tunnel interface
$ ip tunnel add <GRE> mode gre remote <remoteIP> local <localIP>
$ ip addr add <IP> dev <GRE>
$ ip link set <GRE> up
# add route via tunnel
$ ip route add <route> via <nexthop>
# disable reverse-path filtering (strict RPF would drop asymmetrically routed tunnel traffic on receive)
$ echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
$ echo 0 > /proc/sys/net/ipv4/conf/<GRE>/rp_filter
Tunnel
- DF-bit from passenger packet by default
- Cisco: not copied to tunnel header
- Juniper: copied to tunnel header
- PMTUD value is unavailable through show commands
- value is used even after disabling the feature
- low value can cause 100% CPU util due to fragmentation – attack opportunity
- when ICMP Fragmentation Needed is received, the learned value accounts only for the external IP header, not the GRE header ⇒ PMTUD affects all tunnels with the same endpoints
- ToS byte is copied from inner DSCP to outer DSCP
; copies DF-bit from passenger to transport
(config-if)# tunnel path-mtu-discovery
; shows fragmentation according to the PMTUD value
# debug tunnel
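To make the DF-bit and fragmentation behaviour above concrete, here is an added model (not router code from these notes) of a GRE encapsulator and one downstream hop; the overhead is a 20-byte outer IPv4 header plus a 4-byte GRE header, and the passenger sizes and path MTUs are constructed:

```python
"""Model GRE encapsulation with and without DF-bit copying.

Added example, not router code. Sizes assume IPv4 passengers and a basic
4-byte GRE header (no key/sequence); inputs are constructed.
"""

OUTER_OVERHEAD = 20 + 4          # outer IPv4 header + basic GRE header
IP_HDR = 20

def fragment(total_len, mtu):
    """IPv4 fragment sizes for a packet of total_len sent over a link with mtu."""
    chunk = ((mtu - IP_HDR) // 8) * 8          # fragment offsets are 8-byte units
    payload = total_len - IP_HDR
    sizes = [IP_HDR + chunk] * (payload // chunk)
    if payload % chunk:
        sizes.append(IP_HDR + payload % chunk)
    return sizes

def encapsulate(passenger_len, passenger_df, tunnel_mtu=1476, copy_df=False):
    """Return ('icmp', mtu) when an oversized passenger carries DF, otherwise the
    list of outer packets (length, df) handed to the transport path.
    copy_df=False is the Cisco default; True is 'tunnel path-mtu-discovery'."""
    if passenger_len > tunnel_mtu:
        if passenger_df:
            return ("icmp", tunnel_mtu)        # Fragmentation Needed back to sender
        # passenger is fragmented before encapsulation; the end host reassembles
        pieces = fragment(passenger_len, tunnel_mtu)
    else:
        pieces = [passenger_len]
    outer_df = passenger_df and copy_df
    return [(p + OUTER_OVERHEAD, outer_df) for p in pieces]

def transit(outer_packets, path_mtu):
    """One downstream hop with a smaller path_mtu: DF packets are dropped with
    ICMP back to the tunnel source, the rest are fragmented and must be
    reassembled by the tunnel endpoint (the CPU cost the notes warn about).
    Returns (fragment sizes arriving, icmp messages sent, reassemblies needed)."""
    arriving, icmp, reassemblies = [], 0, 0
    for length, df in outer_packets:
        if length <= path_mtu:
            arriving.append(length)
        elif df:
            icmp += 1                          # tunnel source learns path_mtu
        else:
            arriving.extend(fragment(length, path_mtu))
            reassemblies += 1
    return arriving, icmp, reassemblies

if __name__ == "__main__":
    # 1476-byte passenger with DF, tunnel MTU 1476, a 1400-byte link downstream
    print("default  :", transit(encapsulate(1476, True), 1400))
    print("copy DF  :", transit(encapsulate(1476, True, copy_df=True), 1400))
```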
Errors
Err-disable
- modes:
- ARP inspection
- BPDU guard
- DHCP rate limit: via DHCP snooping
- DTP flag: change of encapsulation
- GBIC invalid
- inline power
- link flap
- loopback: short circuit to itself
- PAgP flap
- Port Security violation
- Security violation: 802.1x
- small frame
- storm control
- UDLD
(config)# errdisable detect cause all|<MODE>
; autorecover interface from err-disable
(config)# errdisable recovery cause all|<MODE>
; 300s default
(config)# errdisable recovery interval <sec>
# show interface status err-disabled
; services for err-disable
# show errdisable detect
; services with auto-recovery, ports in err-disabled and cause for error
# show errdisable recovery
Interface error counters
- Align-Err:
- L1 issue
- alignment misses byte boundary
- FCS-Err:
- L1 issue, duplex mismatch
- only CRC is incorrect
- Xmit-Err:
- speed mismatch
- egress buffer overflow
- Rcv-Err:
- congestion, duplex mismatch
- ingress buffer overflow
- UnderSize:
- less than 64 bytes
- CRC is correct
- Single-Col:
- single collision before successful transmission
- duplex mismatch, overflow for half-duplex
- Multi-Col:
- more than one collision before successful transmission
- Late-Col:
- collision after 64 bytes
- duplex mismatch, cable is too long
- Excess-Col:
- after 16 successive collisions
- too long cable, duplex mismatch, too many users
- Carri-Sen:
- increased on every attempt to send
- Runts:
- less than 64 bytes
- CRC is incorrect
- L1 issue, duplex mismatch
- Giants:
- > 1518 bytes, incorrect CRC
- host NIC failure
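Turning the counter list above into a check: an added Python example (not part of the original notes) that parses the two-table layout of `show interfaces counters errors` and maps non-zero counters to the likely causes listed above. The sample output is constructed.

```python
"""Classify 'show interfaces counters errors' output by likely cause.

Added example; the counter-to-cause mapping follows the notes above and the
sample output is constructed in the Catalyst two-table layout.
"""
import re

CAUSES = {
    "Align-Err": "L1 issue (alignment misses byte boundary)",
    "FCS-Err": "L1 issue or duplex mismatch (only CRC incorrect)",
    "Xmit-Err": "speed mismatch / egress buffer overflow",
    "Rcv-Err": "congestion or duplex mismatch / ingress buffer overflow",
    "UnderSize": "frame < 64 bytes with correct CRC",
    "Single-Col": "collisions: duplex mismatch or half-duplex overflow",
    "Multi-Col": "collisions: duplex mismatch or half-duplex overflow",
    "Late-Col": "collision after 64 bytes: duplex mismatch or cable too long",
    "Excess-Col": "16 successive collisions: cable, duplex mismatch, too many users",
    "Carri-Sen": "carrier sense, increments on every send attempt",
    "Runts": "frame < 64 bytes with bad CRC: L1 issue or duplex mismatch",
    "Giants": "frame > 1518 bytes with bad CRC: host NIC failure",
}

SAMPLE = """\
Port        Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize  OutDiscards
Gi1/0/1             0          0          0          0          0            0
Gi1/0/2             0        812          0        812          0            0

Port      Single-Col  Multi-Col   Late-Col  Excess-Col  Carri-Sen      Runts     Giants
Gi1/0/1            0          0          0           0          0          0          0
Gi1/0/2         1450        322         97           0          0        812          0
"""

def parse_error_counters(text):
    """Return {port: {counter: int}}, merging every header/row table in text."""
    counters, headers = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":                 # header row names the columns
            headers = fields[1:]
        elif headers and re.match(r"^[A-Za-z]+\d+(/\d+)*$", fields[0]):
            values = [int(v) for v in fields[1:]]
            counters.setdefault(fields[0], {}).update(zip(headers, values))
    return counters

def diagnose(counters):
    """{port: [(counter, value, cause)]} for every non-zero counter with a known cause."""
    report = {}
    for port, ctrs in counters.items():
        hits = [(n, v, CAUSES[n]) for n, v in ctrs.items() if v and n in CAUSES]
        if hits:
            report[port] = hits
    return report

def duplex_mismatch_suspected(ctrs):
    """Late collisions together with FCS errors or runts point at a duplex mismatch."""
    return ctrs.get("Late-Col", 0) > 0 and (ctrs.get("FCS-Err", 0) > 0 or ctrs.get("Runts", 0) > 0)

if __name__ == "__main__":
    parsed = parse_error_counters(SAMPLE)
    for port, hits in diagnose(parsed).items():
        flag = " (duplex mismatch suspected)" if duplex_mismatch_suspected(parsed[port]) else ""
        print(port + flag)
        for name, value, cause in hits:
            print(f"  {name}={value}: {cause}")
```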
; counter for 5s: load/interrupt load
# show processes cpu
# show memory
# show interfaces
# show controllers
# show platform
# show module
; routers, burned-in info and EEPROM
# show diagnostics
; shortened diag
# show inventory
Excessive CPU utilization
- ARP input process
- Net background process: buffer distribution for interfaces
- IP background process: interface status change
- TCP timer process:
- every TCP session to device
- resets embryonic state (no ACK after SYN+ACK)
- 5% is normal, up to 10%
- reasons
- TCAM overload
- frequent IGP/FHRP/SNMP
- debug
SFP
; hidden command, allows using non-Cisco SFP
(config)# service unsupported-transceiver
; disable err-disable for non-Cisco SFP
(config)# no errdisable detect cause gbic-invalid
Hardware queue
- transmit ring
- does not involve CPU ⇒ no QoS
- FIFO
- the faster interface is, the deeper queue is:
- shallow queue ≡ more CPU interrupts ≡ more wait state
- deep queue ≡ penalty for voice, real-time traffic
; 60 default, output hardware queue
(config-if)# tx-ring-limit <pkts>
; software queue, defaults: 75 in, 40 out
(config-if)# hold-queue <pkts> in|out
Thresholds
(config)# process cpu threshold type process rising <%> interval <sec>
; low threshold, high = low + 5%
(config)# memory free low-watermark IO|processor <KB>
Redundancy
- modular switch with 2 supervisors
- master – the first switch to boot, no preemption after failover
- C4k: L2 failover < 1s
- C6k: L2 failover < 0-3s
- modes
- Route Processor Redundancy (RPR)
- standby is partially initialized
- module reboot on failover
- 2 mins
- RPR+
- route engine is fully initialized
- modules are not reloaded
- IOS must match
- 30s
- Stateful switchover (SSO)
- SRM – single router mode
- DRM – dual router mode
(config)# redundancy
(config-red)# mode rpr|rpr-plus|sso
# show redundancy status
Non-stop forwarding (NSF)
- along with SSO, uses CEF that was built by failed master
- requests RIB information from peer
- indicates to the peer that SSO happened, not that the peer disappeared
Non-stop routing (NSR)
- protocol data is synced between RPs
- seamless switchover for control plane
Stackwise
- source stripping
- switching through master ≡ through backplane
- master election
- process
- priority: manual config
- switch with configured interfaces > blank switch
- better feature set: crypto IP services > IP services > crypto IP base > IP base
- longest uptime
- min MAC
- 20s delay after boot before election – allow heavier IOS to load
- common IP, configuration, CAM
- IOS must match (feature set does not have to, but recommended)
- up to 9 switches
- no master preemption
- IOS is different:
- master sends IOS from Flash along with config
- master downloads IOS via TFTP
- if subordinate switch does not support image, master puts it into suspended state
- supports RPR+
- physical stack cables – Cisco only
; 15 default
(config)# switch <N> priority <M>
(config)# switch <N> renumber <NEW_NUM>
; list of switches in stack, stack ports and their status
# show switch [stack-ports]
; closed stack ring – Full config, half of ring – Half (½ Full)
# show switch stack-ring speed
# show platform stack manager all
Stackwise+
- local switching
- destination stripping
- C3750X
Stackwise-480
FlexStack
StackWise Virtual (VSS)
- distribution-level campus switches
- virtual switch link (VSL) ≡ etherchannel (8×10GE max)
- control and mgmt plane are prioritized
- dual-active detection: VSL is down, but control plane is up
- Standby → Active
- Active: non-VSL ports → err-disable
- detection:
- fast-hello link
- enhanced PAgP (includes VSS ID in Update) via another switch (upstream/downstream)
- 2 devices only
- SSO + NSF
- no preemption
(config)# redundancy
(config-red)# mode sso|rpr
; Active and Standby sync options
(config-red)# main-cpu
(config-r-mc)# auto-sync running-config
; DOMAIN must match
(config)# switch virtual domain <DOMAIN>
; switch number in VSS
(config-vs-domain)# switch <N>
; off default, recovery IP for mgmt on switch in case of dual-active
(config-vs-domain)# dual-active recovery ip address <IP>
; on default
(config-vs-domain)# dual-active detection pagp
; enable ePAgP on etherchannel <N>
(config-vs-domain)# dual-active detection pagp trust channel <N>
(config-vs-domain)# dual-active detection fast-hello
(config)# interface port-channel 1
(config-if)# switchport
; switch N – owner of the po1, different port-channels on switches
(config-if)# switch virtual link <N>
; on physical interface
(config-if)# dual-active fast-hello
; enable VSS
# switch convert mode virtual
# show switch virtual [link]
# show switch virtual role
# show switch virtual port-channel
# show switch virtual dual-active
Config archive
(config)# archive
(config-archive)# path <PATH>
; disabled by default
(config-archive)# time-period <mins>
(config-archive)# write-memory
; 10 default, number of local archives
(config-archive)# maximum <N>
; merges config, if tie – use value from startup-config
# copy startup-config running-config
; replaces running-config with startup-config, list – dry run ≡ only show the difference
# configure replace <PATH> [list]
; replacement must be confirmed within time window, otherwise – revert back
# configure replace <PATH> time <mins>
; confirm replacement after using time keyword
# configure confirm
; change time window for confirm
# config revert now|timer <mins>
; does not show the output, rewrites destination file contents
# show run | redirect <URL>
; shows the output, rewrites destination file contents
# show run | tee <URL>
; does not show the output, appends to destination file contents
# show run | append <URL>
; pipes after first pipe – logical OR in regex
# show run | include <S1>|<S2>|<S3>
Embedded event manager (EEM)
- custom events and reactions to events
- triggers: syslog, SNMP trap, IOS cmd
; NAME appears in Syslog
(config)# event manager applet <NAME> [override <SYSTEM_POLICY>]
; sync no ≡ run along with CLI command being executed, do not wait for cmd
; skip no ≡ run command instead of skipping it
; occurs 1 ≡ 1 event is enough for event to be triggered
(config-applet)# event cli pattern <REGEX> sync no skip no occurs 1
(config-applet)# action <ACTION> syslog priority <LEVEL> msg <MESSAGE>
; permit manual run
(config-applet)# event none
(config)# event environment <VARNAME> <VALUE>
; if manual run is not permitted, syslog about "not registered to event none"
# event manager run <NAME>
Dynamic VLAN
- access ports only
- based on client MAC
- deprecated, replaced by 802.1x
- PortFast is enabled automatically
- not compatible with port-security, 802.1x, SPAN, Etherchannel
- all VLANs must be defined on all switches (e.g., distributed via VTP)
- VLAN membership policy server: VMPS
; up to 3 secondary servers
(config)# vmps server <IP> [primary]
(config-if)# switchport mode access
(config-if)# switchport access vlan dynamic
# show vmps
# vmps reconfirm
Boot
- sequence
- POST
- bootstrap: ROM → RAM
- bootstrap selects and loads IOS
- IOS searches for startup-config
- ROMMON: ROM monitor
- invoked on Break during boot (old) or external Flash missing (new)
- BootROM: RxBoot, boot helper (legacy devices) – replaced by ROMMON
- confreg:
- 0x2100: load ROMMON in lieu of IOS
- 0x2102: load IOS, default
- 0x2142: ignore startup-config
; selects first file on Flash, if path not specified
(config)# boot system flash [<FILE>]
(config)# boot system tftp <FILE> <IP>
(config)# config-register <VALUE>
# show version
; run first-run setup script
# setup
License
; unique device ID: product ID + serial number
# show license udi
# show license feature
# license install <PATH>
Alias
(config)# alias <MODE> <CMD>
Generic online diagnostics (GOLD)
- proactive
- boot diagnostics
- health monitor: non-disruptive tests
- periodic background
- reactive
- on-demand, scheduled
- disruptive: used during manufacturing
; complete default, bypass ≡ skip bootup test
(config)# diagnostic bootup level complete|bypass
# show diagnostic boot level
# diagnostic start module <N> test <ID>|<NAME>|all|non-disruptive
In-service software upgrade (ISSU)
- sequence
- Nexus
- N7K
- BIOS
- boot standby, → active
- boot old active
- data module
- CMP on supervisor
- N9K
- supervisor with switchover
- line card
- fabric module
- system controller
- FEX
- kickstart: Linux
- system: NX-OS
- N9k:
- requires 2 system controllers and 2 fabric modules
- divides LCs and FMs into 2 groups, upgrades one group at a time
Software maintenance upgrade (SMU)
- patch to fix defect
- issued by TAC
- not supported on classic IOS (monolith), MDS
; runtime
# install activate <PATH>
; applied after reboot
# install commit <PATH>
Electronic programmable logic devices (EPLD)
# show install all impact epld <PATH>
# show version module <N> epld
; Xbar utilization
# show hardware fabric-utilization detail
# install module <N> epld <PATH>
# install all epld <PATH> parallel xbar-module <SLOT>
Callhome
- sent on trigger: page, e-mail (up to 50 addresses), TAC case
- format
- short: paging
- full
- XML: TAC
(config)# callhome
(config-callhome)# destination-profile <PROFILE> format xml|full|short
(config-callhome)# destination-profile <PROFILE> email-addr <EMAIL>
; webhook
(config-callhome)# destination-profile <PROFILE> http <URL>
(config-callhome)# destination-profile <PROFILE> transport-method email|http
(config-callhome)# destination-profile <PROFILE> alert-group <ALERT>
(config-callhome)# alert-group <ALERT> user-def-cmd <CLI>
(config-callhome)# transport email from <EMAIL>
(config-callhome)# transport mail-server <IP> use-vrf <VRF>
(config-callhome)# enable
Cisco fabric services (CFS)
- synchronize within region
- AAA, RBAC
- Syslog
- NTP
- SCSI
- VSAN, IVR
- iSNS
- can discover CFS-capable devices
- designated manager: applies config locally and distributes it across CFS
- CFSoFC
- FC-2
- fabric controller address
- FC > IP > Ethernet
(config)# role distribute
; CFSoFC, on default
(config)# cfs distribute
; CFSoEthernet
(config)# cfs eth distribute
; CFSoIP
(config)# cfs ipv4 distribute
(config)# cfs ipv4 mcast-address <IP>
; disables discovery
(config)# cfs static-peers
(config-cfs-static)# ip address <IP>
; create region
(config)# cfs region <N>
; add service to region
(config-cfs-region)# ntp
# show cfs status
# show cfs application
# show cfs lock
# show cfs static peers
Cisco Nexus
NX-API
- sandbox, CLI commands via HTTP
- nginx
- XML, JSON
- authC cookie timeout – 10 mins
(config)# feature nxapi
(config)# nxapi sandbox
(config)# nxapi https port <N>
# show ... | xml|json
; run Python script
# source <PATH>
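The NX-API exchange behind `feature nxapi`, as an added Python example (not Cisco code): it builds a batch of JSON-RPC `cli` requests for `POST /ins`, parses the response or raises on an error entry, and sends over HTTPS with certificate checking kept on. The sample response and the host name are constructed placeholders.

```python
"""Build and parse NX-API JSON-RPC exchanges.

Added example, not Cisco code. Request/response shapes follow the NX-API
JSON-RPC format (POST /ins, method "cli"); SAMPLE_RESPONSE and HOST are
constructed placeholders.
"""
import base64
import json
import ssl
import urllib.request

HOST = "nxos.example.invalid"            # placeholder switch name

def build_cli_request(commands):
    """One JSON-RPC object per CLI command, ids 1..n, sent as one batch."""
    return [
        {"jsonrpc": "2.0", "method": "cli",
         "params": {"cmd": cmd, "version": 1}, "id": i}
        for i, cmd in enumerate(commands, start=1)
    ]

def parse_cli_response(raw):
    """Map each request id to its result body; raise on the first error entry."""
    payload = json.loads(raw)
    entries = payload if isinstance(payload, list) else [payload]
    results = {}
    for entry in entries:
        if "error" in entry:
            err = entry["error"]
            raise RuntimeError(f"id {entry.get('id')}: {err.get('code')} {err.get('message')}")
        # config commands return a null result; show commands return a body
        results[entry["id"]] = entry["result"]["body"] if entry["result"] else None
    return results

def send(commands, user, password, host=HOST, cookie=None, cafile=None):
    """POST the batch over HTTPS. Reuse the nxapi_auth cookie when given (it
    expires after 10 minutes per the notes); otherwise use basic auth.
    Certificate verification stays on; pin a self-signed switch cert via cafile."""
    data = json.dumps(build_cli_request(commands)).encode()
    req = urllib.request.Request(f"https://{host}/ins", data=data, method="POST")
    req.add_header("Content-Type", "application/json-rpc")
    if cookie:
        req.add_header("Cookie", cookie)
    else:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_cli_response(resp.read()), resp.headers.get("Set-Cookie")

# Constructed sample response to build_cli_request(["show version", "show clock"]).
SAMPLE_RESPONSE = json.dumps([
    {"jsonrpc": "2.0", "result": {"body": {"chassis_id": "Nexus9000 C9336C-FX2"}}, "id": 1},
    {"jsonrpc": "2.0", "result": {"body": {"simple_time": "12:00:00.000 UTC"}}, "id": 2},
])

if __name__ == "__main__":
    print(json.dumps(build_cli_request(["show version", "show clock"]), indent=1))
    print(parse_cli_response(SAMPLE_RESPONSE))
```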
NX-OS RBAC
- descending order: rule 2 evaluated earlier than rule 1
- the most privileged union across all roles is applied
- permit > deny across roles
- privilege compatibility:
- 0 ≡ all show, some exec
- 14 ≡ vdc-admin
- 15 ≡ network-admin
- translates privilege level from AAA into role priv-X
- rule parameters
- command
- feature
- feature group
- SNMP OID
(config)# feature privilege
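The rule-evaluation order described above (descending rule numbers within a role, most privileged union across roles), as an added Python model that is not NX-OS code; the feature and feature-group contents and the command strings are constructed, and a `read` rule is assumed not to match a read-write (config) action.

```python
"""Evaluate NX-OS-style RBAC rules as the notes above describe them.

Added example, not NX-OS code: within a role the first matching rule in
descending number order decides; across roles a permit beats any deny.
FEATURE_OF / FEATURE_GROUP and the commands are constructed.
"""
import re

# Constructed command -> feature mapping and feature group (assumed).
FEATURE_OF = {
    "show interface": "interface",
    "interface ethernet 1/1": "interface",
    "router bgp 65000": "bgp",
    "show bgp sessions": "bgp",
    "username admin role network-admin": "aaa",
}
FEATURE_GROUP = {"L3": {"bgp"}}

def rule_matches(rule, command, access):
    """rule = (number, verdict, rule_access, kind, value); kind is command|feature|feature-group."""
    _num, _verdict, rule_access, kind, value = rule
    if access == "read-write" and rule_access == "read":
        return False                     # read-only rules never cover config actions
    if kind == "command":
        return re.search(value, command) is not None
    feature = FEATURE_OF.get(command)
    if kind == "feature":
        return feature == value
    if kind == "feature-group":
        return feature in FEATURE_GROUP.get(value, set())
    return False

def evaluate_role(rules, command, access):
    """Descending order: rule 2 is evaluated before rule 1; no match is an implicit deny."""
    for rule in sorted(rules, key=lambda r: r[0], reverse=True):
        if rule_matches(rule, command, access):
            return rule[1]
    return "deny"

def authorize(user_roles, command, access="read-write"):
    """Union of the user's roles: a permit in any role wins over denies in the others."""
    verdicts = {evaluate_role(rules, command, access) for rules in user_roles.values()}
    return "permit" if "permit" in verdicts else "deny"

ROLES = {
    # rule 2 (deny bgp) is checked before rule 1 (permit all show) -> bgp shows denied
    "ops-ro": [
        (1, "permit", "read", "command", r"^show "),
        (2, "deny", "read", "feature", "bgp"),
    ],
    # read-write only on the L3 feature group
    "l3-admin": [
        (1, "permit", "read-write", "feature-group", "L3"),
    ],
}

if __name__ == "__main__":
    for cmd in FEATURE_OF:
        print(f"{cmd!r}: ops-ro read={authorize({'ops-ro': ROLES['ops-ro']}, cmd, 'read')}, "
              f"both roles read-write={authorize(ROLES, cmd)}")
```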
Adjacency manager (AM)
# show forwarding <PREFIX>
# show forwarding adjacency
Host mobility manager (HMM)
- installs host route into RIB
- based on ARP table
; hmm makes sure that route is known via HMM in lieu of recursive routing, EVPN
(config)# track <N> ip route <HOST_ROUTE> reachability [hmm]
# show fabric forwarding ip local-host-db [vrf <NAME>]
PBR
; off default, enables hit counts
(config)# route-map <RMAP> pbr-statistics
L3 MTU
; L3 port
(config-if)# mtu <N>
L2 MTU
- N5k and N7k only
- N9k – global jumbo MTU
(config)# policy-map type network-qos <PMAP>
(config-pmap-nq)# class type network-qos class-default
(config-pmap-c-nq)# match qos-group 0
(config-pmap-c-nq)# mtu 9216
(config)# system qos
(config-sys-qos)# service-policy type network-qos <PMAP>
# show queueing interface <INTF>
Upgrade
- mode
- non-disruptive
- only control plane is down, data plane remains active
- upgrade time does not exceed 80s (N5k) or 120s (N9k)
- no topology change
- disruptive
- graceful stop is impossible (e.g., failure)
- EPLD upgrade
- upgrade targets
- FEX
- kickstart image
- system image
- supervisor BIOS
- module BIOS
- module image
- vPC
- not disrupted during upgrade
- reset after upgrade – different SW version
- disabled guestshell
- enhanced ISSU: supervisor and LC software run in container
; enhanced ISSU
(config)# boot mode lxc
# install all kickstart <PATH> system <PATH> [impact]
# show incompatibility system
Checkpoint
- create
- manual
- automatic: prefix system-…
- on feature disabled
- on L3 protocol instance disabled and removed
- on license expiration
- not created on VDC manipulation
- restore only from own checkpoint: switch, VDC
- unique names, no overwrite
- 10 per VDC
- network-admin only
; create
# checkpoint <NAME>
# show checkpoint
# rollback run checkpoint <NAME>
# clear checkpoint database
# no checkpoint <NAME>
Power-on auto provisioning (POAP)
- uses DHCP to obtain IP and TFTP, downloads config script from TFTP, then gets image + actual config via TFTP or HTTP
- DHCP client ID = SN
- path – DHCP option
- script: Python, TCL
- DHCP lease ≥ 1h
- invoked if no startup-config is found
- phases
- power up
- USB discovery: except N9k
- DHCP discovery
- ports are defaulted
- N9K -EX and newer: L3 ports
- script execution
- post-install reload
; N9k, enable POAP after reboot without erasing startup-config, e.g., for upgrade
# boot poap enable
Port Profile
- if profile is changed, changes are applied to interfaces
- types:
- Ethernet
- SVI
- MPLS TE
- MPLS PW
- port-channel
- BDI
(config)# port-profile type <TYPE> <PROFILE>
(config-port-prof)# state enable
(config-if)# inherit port-profile <PROFILE>
# show run interface <INTF> expand-port-profile
Graceful insertion and removal
- BGP, EIGRP, OSPF, IS-IS, vPC, FabricPath
- ≈ IS-IS overload bit
- creates snapshot on switchover
- profile names
- maintenance-mode
- normal-mode
; use default profile
(config)# system mode maintenance
; use custom profile
(config)# system mode maintenance dont-generate-profile
# show snapshot
; custom profile
# configure maintenance profile <NAME>
(config-mm-profile)# router ospf <OSPF>
(config-mm-profile-router)# max-metric router lsa
Unified ports
- can be either Ethernet or native FC
- per slot (N5k) or per port (N9k)
; counted from the end
(config)# slot <N>
(config-slot)# port <M> type ethernet|fc
N5k
- VoQ: per port per CoS
- ingress queueing
- class-default: always CoS = 0 and qos-group = 0
- CoS-to-queue only
- CoS setting – via network-qos matching on qos-group
- no DSCP-to-CoS
N7k
- set dscp also sets CoS (3 MSB): this CoS is used to select egress queue even for access
Virtual device context (VDC)
- each VDC is allocated MAC
; disable prepending admin VDC to name
(config)# no vdc combined-hostname
(config)# vdc <NAME>
(config-vdc)# allocate interface <INTF>
# show feature-set
# show vdc [detail]
# show vdc membership
; system MAC pool
# show sprom backplane
# switchto <NAME>
# switchback
Storage VDC
- single instance
- SAN configuration
(config)# install feature-set fcoe
(config)# vdc fcoe_vdc type storage
(config-vdc)# allocate fcoe-vlan-range <RANGE> from vdc <VDC>
; FC – in storage VDC, Ethernet – usual VDC
(config-vdc)# allocate shared interface <INTF>
IDS
- ASIC verifies that packets do not have incorrect fields
- src = dst
- version ≠ 4 or 6
- size in header ≠ actual size
- needs tuning for BFD (src IP = dst IP)
; on by default, has to be disabled for BFD echo (src IP = dst IP)
(config)# no hardware ip verify address identical