Monthly Archives: August 2012

6500 VSS

In this first post on VSS I’m just dumping my notes from a breakout session on VSS at Networkers back in January, mostly for my own reference.

Summary

  • Makes two switches look like one switch
  • although in theory a VSS domain could contain many switches – only 2 are allowed today
  • Requires a dedicated link between the switches called a VSL (Virtual Switch Link)
  • Note: virtual SWITCHING system, this isn’t a router technology.
  • One time conversion involving changes to rommon (or conf-reg?)
    • The switch will find the VSL config before parsing the startup-config file fully
  • Switches referred to as Switch1 and Switch2, nomenclature fixed at conversion
  • One config
  • Ports are renumbered like when you stack 3750s e.g. Te1/1/1 and Te2/4/4
  • Control Plane -> only one box active (the other supervisor has state STANDBY_HOT)
  • Data Plane -> both boxes active
  • VSS has a considerably longer boot time

Deployment considerations and best practices

  • Never ever just type reload (you will get a warning). Use redundancy reload peer | self or redundancy force-switchover. If you are on the console you’ll need to connect to the other sup. If you go ahead with the reload then both switches will reboot at the same time – probably something you never want to do in a redundant setup.
    • The console will be disabled on switch 2, but cable it up in case of failover (like a 6500 with dual sup)
  • Never ever use write erase. It will wipe the rommon var which sets VSS at startup. Use erase nvram instead.
  • NSF is off by default – switch this on. It replicates the RIB to the standby chassis and greatly speeds up failover as forwarding to non directly attached routes can continue
router ospf 1
 nsf
  • Etherchannel, CEF forwarding and L3 ECMP (Equal Cost Multipath) have all been modified to always favour local links.
    • In a DC the traffic isn’t very random so we may want a L4 EC hash algorithm
    • Sup720 has a 3-bit RBH (result bundle hash), Sup2T has 8-bit so the algorithm can be more even.
  • Use unique domain IDs for each VSS pair, unique across the entire campus network.
    • some MAC addresses as well as the system-id are derived from this
    • h/w swap outs between domains could break things.
    • avoid issues with sup swaps with mac-address use-virtual. This will require a reboot so build it into the boiler plate config
    • Switch MAC addresses are taken from the active chassis but retained on failover
  • Use out of band mac sync: mac address-table synchronize
  • Always dual attach in and out of the VSS or you create a SPOF
    • VSL is there principally for virtualisation and will only be used for data if there isn’t a local path
  • If you understand dual sup SSO (Stateful SwitchOver) you can think of VSS as this, but with the redundant sup in its own chassis and with the line cards in the second chassis available to the active sup.
    • SSO EOBC (100M Ethernet Out of Band Channel) replaced by VSL
    • To be SSO adjacent (fully standby hot on second sup) requires certain conditions to be true
  • We still need to run STP in the background in case a loop is accidentally introduced
  • Mechanisms exist to prevent split brain
    • LMP (Link Management Protocol), a bit like UDLD for the VSL
    • RRP (Role Resolution Protocol), decide who is active (lowest MAC by default), never force a failover. This is what makes the boot time so slow.
  • VSL
    • the split brain state (active-active) is a disaster – duplicate MAC addresses, router IDs etc.
    • VSL is main defence against this so important for it to be as resilient as possible
    • VSL ports must be 10G
    • use at least one of the 10G ports on the Supervisor card since this boots before the line cards
    • have a minimum of 2 x 10G links (can have up to 8)
    • use a 10G port on a line card (both 10G ports on the Supervisor share an ASIC)
      • line card 10G ports must be VSL capable (note: the X6704 is not capable)
    • VSL takes control and data traffic between the chassis
      • the bandwidth of the VSL should be at least equal to the uplink bandwidth of each individual switch
    • Don’t change the VSL hashing algorithm in production networks since you will cut off some live flows
    • something about the QoS queues being different on the Sup 10G ports if you also use the Sup 1G ports – check my notes and write something sensible

Sample Config

Conversion

This is a one time process which doesn’t need to be done simultaneously on each switch, but probably should be.

! VSS Domain is globally significant 

switch virtual domain 100 
  switch 1
  exit
int po 1
 switch virtual link 1
 exit
int ra ten 1/5/4-5
 channel-group 1 mode on 
 exit
switch convert mode virtual

switch virtual domain 100 
  switch 2
  exit
int po 2
 switch virtual link 2 
int ra ten 2/5/4-5
 channel-group 2 mode on
switch convert mode virtual
  • This will reboot the switch and change config to tell the switch it is a VSS
  • The switch will pre-parse the config for the VSL info so chatter can commence – on boot you can see which is ACTIVE or STANDBY

Ponder this: the port channels need different numbers as this will be one logical switch at the end.

VSL

! switch 1
int Po 1 
 no switchport
 no ip address
 switch virtual link 1
 mls trust cos
 no mls qos channel-consistency

! switch 2
int Po 2
 no switchport
 no ip address
 switch virtual link 2
 mls trust cos
 no mls qos channel-consistency

Verification

show switch virtual redundancy
- which switch am I?
- is control plane active?
- fabric (data plane) will be ..
show switch virtual role - active switch always first 

VSL Failure recovery

There are three methods; we can use more than one.

  1. Enhanced PAgP
  2. VSLP “Fast hello”
  3. IP-BFD (Bidirectional Forwarding Detection) (deprecated feature)

We are interested in the first two. We need to detect the failure, recover from it and then reload the previously active sup.

While in recovery mode, avoid config changes (don’t even type conf t). This marks the config as modified and will require manual intervention to bring the VSS back.

  1. Enhanced PAgP
    • been around the longest
    • only on 3750 (12.2(46)SE), 4500, 6500 (with minimum software release)
    • new TLV field in PAgP message with active switch ID
    • sub-second convergence
    • If they see two different switch-ids then feed them back up the port channel and trigger the process
  2. VSLP “Fast Hello”
    • Virtual Switch Link Protocol
    • dedicated L2 link between the two switches
    • on all the time
    • sub-second hello
    • can be 100M link, no sync, just there as a heartbeat mechanism

Reboots

To reload only one VSS member use one of these commands:
redundancy reload shelf <shelf-ID>
redundancy force-switchover (switch to standby and reload active)
redundancy reload peer (reload standby)

Software upgrade considerations

  • With VSS, the 6500 can be synced across different s/w releases so you can reboot one at a time
  • a message translation mechanism exists but this is limited to compatible versions
  • You have some time with 50% bandwidth but *no outage*
  • If something is broken by the upgrade and we cannot connect, there is a rollback Timer (45 minutes by default)
    • need to run issu acceptversion within that time to stop the timer
    • if there is a problem use issu rejectversion to bring the rollback forward
    • no unique features are available until you do issu commitversion
    • this allows you to trial the existing features and make sure nothing broke before upgrading the second sup
  • s/w compatibility matrix on cisco.com
  • 15.X train is the only way to get EFSU

ISSU History lesson

  • ISSU available across platforms
  • It is hitless, except on the 6500
  • The 6500 can do ISSU in standalone (non-VSS) mode, but the line cards have to reload
    • ISSU was renamed EFSU on the 6500 because of the hit
    • same commands are used though
  • pre SXI ‘Fast Software Upgrade’ is all we had, which resulted in an outage
  • 12.2(33)SXI – brought in Enhanced FSU

6500 Transit ACLs

A while ago we found that our FWSMs were no longer up to the job. As it happens we were doing nothing more than stateless packet filtering with them so could replicate their functionality with access-lists. I noticed the hit count on the ACLs was rather low and came across this blog post, which explained what was going on rather well.

In summary:

show ip access-list NAME

will only show packets destined for the router, not those passing through it. To see transit traffic you need this command:

show tcam interface <INT> acl [in | out] ip

This makes sense given that ACLs are implemented in TCAM on the 6500 platform.

Verification

We have an interface which originates a default route into our campus, with an ACL in each direction applied to it. We permit ip any any at the end after filtering out the cruft we don’t want to see. Here is a comparison of the two commands for that ACL.

ROUTER#show ip access-lists TO_CAMPUS | i permit ip any
    230 permit ip any any (4475 matches)

Given that this ACL has around 30,000 users behind it and the counters had been cleared earlier on the day the command was run, I would expect the number to be larger.

Now the tcam command:

ROUTER#show tcam interface vlan 80 acl out ip | i ip any any
    permit       ip any any (4141914 matches)

That is more realistic.
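A small parser, added here and not part of the original post, that reads the output of both commands and pairs each ACE’s software counter with its TCAM counter, so an ACE that looks idle in show ip access-lists is not mistaken for an unused one. The two sample outputs are constructed, modelled on the lines shown above.

```python
#!/usr/bin/env python3
"""Reconcile ACE hit counters from 'show ip access-lists' (software path,
router-destined traffic only) with 'show tcam interface ... acl ... ip'
(hardware path, transit traffic) on a 6500."""
import re

# Constructed sample of the software counters (router-destined packets only).
SOFTWARE_OUTPUT = """\
ROUTER#show ip access-lists TO_CAMPUS
Extended IP access list TO_CAMPUS
    10 deny tcp any any eq 135 (12 matches)
    20 deny udp any any eq 1434
    230 permit ip any any (4475 matches)
"""

# Constructed sample of the TCAM counters for the same ACL applied outbound.
TCAM_OUTPUT = """\
ROUTER#show tcam interface vlan 80 acl out ip
* Global Defaults shared

Entries from Bank 0

    deny         tcp any any eq 135 (901 matches)
    deny         udp any any eq 1434
    permit       ip any any (4141914 matches)
"""

# One regex covers both outputs: an optional sequence number, the action,
# the ACE body and an optional "(N matches)" suffix (IOS omits it at zero).
ACE_RE = re.compile(
    r"^\s*(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<body>.+?)"
    r"(?:\s+\((?P<matches>\d+) matches\))?\s*$"
)


def parse_counters(output):
    """Return {normalised ACE text: match count} from either command's output."""
    counters = {}
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # prompt, headers, bank banners and blank lines
        # Collapse the TCAM output's column padding so both forms compare equal.
        ace = " ".join((m.group("action") + " " + m.group("body")).split())
        counters[ace] = int(m.group("matches") or 0)
    return counters


def compare_counters(software_output, tcam_output):
    """Pair each ACE's software counter with its TCAM counter (None if absent)."""
    sw = parse_counters(software_output)
    hw = parse_counters(tcam_output)
    return [
        {"ace": ace, "software": sw.get(ace), "tcam": hw.get(ace)}
        for ace in sorted(set(sw) | set(hw))
    ]


if __name__ == "__main__":
    for row in compare_counters(SOFTWARE_OUTPUT, TCAM_OUTPUT):
        print("%-32s software=%-8s tcam=%s" % (row["ace"], row["software"], row["tcam"]))
```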

Recruitment 2: Advertising a job

In this second post in this series I’ll record my thoughts on recruiting. I work in Data Networking but hopefully some of the principles will apply in other fields.

The job specification

  • Think about the job that needs doing and weigh this against the skills the sort of candidate you are trying to attract could reasonably have. If somebody leaves who built up a bespoke skillset over many years you probably won’t be able to replace them with one person. You may get somebody with a sufficient subset of those skills though.
  • It is vital that the job you advertise is the one you need doing. It sounds obvious but only ask for the skills and experience you need.
  • Research what other organisations are paying for similar roles.

The job advert

If you get this right you’ll attract the right candidates. The job advert should be:

  • Accurate
  • Attractive
  • Clear
  • Concise
  • Visible

On this last point, getting your advert out to the right people is quite an art. You may find your organisation has a policy on this. Don’t be afraid to challenge it if you are having trouble recruiting though, but make your case carefully and bring evidence.

Reviewing Applications

If you are fortunate enough to get a lot of applications you’ll need to allocate time for the whole panel to review them. There is a huge man-hour cost to this, which is one reason why the specification and advert are so important. Don’t schedule the interviews too close to the deadline and make sure the panel have some help with their day to day duties if you want them to do a good job. I would suggest at least a week between deadline and interviews is needed.

Have a grid with your essential and desirable criteria in columns and a row for each candidate. As you review CVs, try to objectively score the candidates in each area. You’ll soon warm to the candidates who make this easy for you. Reject any candidates who don’t bother to show how they meet your criteria or who don’t meet enough of them.

Preparing for the interviews

Decide if you want a written or practical test, or if you want the candidate to do a presentation. Plan the tests carefully and get colleagues to try them out. I like to make Cisco certified candidates solve some problems on Lab kit via the CLI. If there is an equivalent in your field, consider this. For example you may wish to ask a web developer to look at some code and fix a bug. Don’t make these overly difficult – they should verify the candidate has the skills they claim, not terrify them. They should be challenging enough to expose frauds though.

Think about the questions you will ask the candidates and make a note of them so that you can ask the same questions to all candidates. Score them on each question and make notes if possible as you’ll forget who said what by the end of the day.

Trust your instincts.

Allow enough time for each test and interview. Allow a good hour for lunch for the panel. Don’t schedule too many interviews for one day. I would suggest three in the morning and two in the afternoon as a maximum, but it will depend on the seniority of the role.

Feedback

When candidates ask for feedback, be very careful. Ask HR for the official policy and where possible refer unsuccessful candidates to them.

Thoughts

Recruitment involves a lot of hard work on both sides. The process can be made easier if there is empathy between candidate and recruiter. Hopefully my ramblings will encourage that.

Recruitment 1: Applying for a job

I recently sat on both sides of the job interview process. Both were successful so in the following two posts I’ll record how I approached each of them. I am not an expert, these are just my own views recorded in the hope that they may be useful.

Before you apply

Spend some time considering what you are looking for in a job. Think about your primary motivators:

  • Are you looking for career progression now or for a step sideways which you hope will open up future opportunities?
  • Is it all about the paycheck or do you want more time at home?
  • Does the raison d’être of the organisation matter to you? Is what you are doing as important as whom you are doing it for?
  • How much time and money are you willing to spend commuting?
  • Are you willing to relocate?

Read the job description carefully. Go and do something else for a while and then read it again. Pay close attention to the essential criteria (more on that later). Ask yourself whether you:

  • could do the job
  • would like to do the job
  • would get the right kind of work/life balance
  • would earn enough money

On the last point, be realistic – both about what you need to earn and what the market is offering for the role type that you are considering. If a salary range is advertised, don’t apply if the top of that range is not going to be enough in the short term. Clearly it is different if the starting salary is lower than you would like, but the opportunities are there and you can manage. I’ve known several people (including myself) who have taken a pay cut to move to a job which ultimately proved to be the better choice in terms of career progression. A CxO at the first company I worked at told us how it was his move sideways which gave him the broad skillset he needed to take on a more senior role. Having said that, sometimes you need to change jobs to increase your salary. Also, having a higher salaried job can make you appear more valuable, however perverse that may seem.

The application process

Assuming you now wish to apply for the job, read any documentation around the process provided by the organisation. Some observations:

  • This part is all about getting an interview.
  • The only view of you the organisation has is what you send them.
  • If you exaggerate your abilities or experience this will be picked up in interview in most cases.
  • Be honest
  • Don’t be falsely modest – It is your chance to sell yourself.
  • Be terse, it is not an English essay. People on the other side may be reading many applications. The easier it is to read yours the better your chances.
  • Is there an application form or are they looking for a CV? Similar principles apply to both but make sure you do the right one.
  • Pick out the essential criteria. A good application form will make it easy for you to demonstrate how you meet these. If the application form has space for a supporting statement or if it is a CV application, make sure your supporting statement clearly demonstrates how you meet the essential and desirable criteria. One popular technique is to simply list them as heading with a short paragraph for each one.
  • Use real examples. Here is a slightly contrived one:

Candidate must be able to interact with staff at all levels of the organisation

In my current role I spend two hours a week on the helpdesk, fielding calls from staff experiencing issues with their wireless Internet access. I have assisted everyone from the CxO to the receptionist and once I have prioritised the call, I aim to provide the same level of service to all. I received an award for my consistent performance in this area.

  • Try to use examples that people without in-depth knowledge of the situation will be able to understand.
  • Avoid jargon.
  • Get someone to proof read your application
  • Applying for a job takes a long time if you do it right.

The job interview

The interview is two-way:

  • The organisation is trying to determine whether you are suitable for the job both in terms of ability and organisation fit.
  • You should be trying to determine whether you would like to work with these people in the environment they work in.

The first is obvious, the second may not be. You will probably be asked whether you have any questions towards the end of the interview so you may wish to have some prepared. Was anything not covered by the job specification? For example:

  • Salary
  • Other benefits (pension, healthcare, mobile phone, bonus etc)
  • Holiday allowance
  • Official working hours
  • Actual hours worked by the team on an average week
  • Overtime arrangements
  • Any regular out of hours commitments
  • What the culture is like
  • What social activities are organised
  • Flexible working arrangements
  • Probation period
  • Any details about the kind of work you would be doing, projects or immediate tasks

Try to anticipate the kinds of questions you may be asked. Review your application before going to the interview and have examples of how you meet the essential criteria fresh in your mind. Be clear on why you want the job. If the job requires technical skills, make sure you review any relevant study notes. If you have a qualification, try to be as close as you can to the level you were the day you passed the exam – especially if it is an essential criterion. If you don’t, somebody else will.

Some other thoughts:

  • Be smart
  • Smile
  • Breathe
  • Don’t speak too quickly or too slowly
  • Make eye contact when you shake hands
  • Make your grip firm, not floppy or bone-crushing
  • Plan your route to the interview carefully
  • Allow enough time to get there
  • Try to get enough sleep the night before
  • Read up on the organisation
  • You cannot over-prepare
  • Be yourself
  • Don’t interrupt the panel
  • Listen to the questions carefully
  • Ask for clarification if you are not sure
  • Check you answered the question
  • Don’t be afraid to say “I don’t know”. Never try to fudge an answer to something you don’t know about.
  • If there is a second interview, make sure you read up on anything you got wrong the first time

If you are asked to do a presentation:

  • Have multiple copies of any slideshows with you
  • Keep slides simple
  • Use prompt cards. Punch a hole in them and tie some string through it to hold them all in order
  • Practice
  • Time yourself – stay within any time limits you are given
  • Keep in mind the general interview points above while presenting
  • Research the topic thoroughly
  • Some humour can help, but don’t overdo it.

Unemployment

It has been said that it is always easier to get a job if you have one. I’m sure that is true, as you will likely be more relaxed and the employer can see you are employable. If you are unemployed, consider volunteering. It can help raise your self-esteem and prove to potential employers that you are reliable. It may also lead to a paid job.

Summary

Remember that you are going through this process to ascertain whether the job is right for you and you are right for the job. It is not about tricking anyone into hiring you but showing yourself in your best light to some people you may work with one day. If you prepare well then there is nothing to stop you doing this. If you don’t get the first job you go for, don’t worry. Learn from the experience and try again. The right job is out there for you somewhere.

TACACS+ on MRV LX4000T Console Servers

In this fourth post in the TACACS+ series, I’ll look at using TACACS+ for access to the console port of an IOS device via an MRV console server.

MRV LX4000T Console Servers

Configure TACACS+ for authentication and accounting. The “local subscriber” setting means that if a username is defined locally, it can be authenticated by TACACS+ and use the properties defined locally.

TOUCS:0 >>config
Config:0 >>aaa
AAA:0 >>tacacs+ primary authentication server address <IP>
AAA:0 >>tacacs+ primary authentication server secret ...    
AAA:0 >>tacacs+ secondary authentication server address <IP2>
AAA:0 >>tacacs+ secondary authentication server secret ...   
AAA:0 >>tacacs+ primary accounting server address <IP>
AAA:0 >>tacacs+ primary accounting server secret ...   
AAA:0 >>tacacs+ secondary accounting server address <IP2>  
AAA:0 >>tacacs+ secondary accounting server secret ...   
AAA:0 >>tacacs+ local subscriber enable

Enable authentication and accounting on the ethernet interfaces. The fallback statement allows the local authentication database to be used if the TACACS+ servers are unreachable.

TOUCS:0 >>config
Config:0 >>interface 1
Warning Interface active
Intf 1-1:0 >>authentication tacacs+ enable
Intf 1-1:0 >>tacacs+ accounting enable
Intf 1-1:0 >>authentication fallback attempts 3 
Intf 1-1:0 >>exit 
Config:0 >>interface 2
Warning Interface active
Intf 2-2:0 >>authentication tacacs+ enable
Intf 2-2:0 >>tacacs+ accounting enable
Intf 2-2:0 >>authentication fallback attempts 3 
Intf 2-2:0 >>end

Confirm our configuration

TOUCS:0 >>show tacacs+ characteristics
 Time:                                          Mon, 21 Jun 2010 14:22:58 UTC
 Primary TACACS+ Authentication Server:
 IP Address:              <IP>  TACACS+ Auth. TCP Port:            49
 Secret:                    Configured  Timeout:                            5
 Retry:                              3
 Secondary TACACS+ Authentication Server:
 IP Address:               <IP2>  TACACS+ Auth. TCP Port:            49
 Secret:                    Configured  Timeout:                            5
 Retry:                              3
 Primary TACACS+ Authorization Server:
 IP Address:                   0.0.0.0  TACACS+ Author. TCP Port:          49
 Secret:                Not configured  Timeout:                            5
 Retry:                              3
 Secondary TACACS+ Authorization Server:
 IP Address:                   0.0.0.0  TACACS+ Author. TCP Port:          49
 Secret:                Not configured  Timeout:                            5
 Retry:                              3
 Primary TACACS+ Accounting Server:   
 IP Address:              <IP>  TACACS+ Acct. TCP Port:            49
 Secret:                    Configured  Timeout:                            5
 Retry:                              3
 Secondary TACACS+ Accounting Server: 
 IP Address:               <IP2>  TACACS+ Acct. TCP Port:            49
 Secret:                    Configured  Timeout:                            5
 Retry:                              3
 Superuser Request:           Disabled  Accounting Server Period:           5
 Local Subscriber:             Enabled  Source Interface:                   1
 Command Authorization:       Disabled  Command Logging:             Disabled
 Command Authorization Fallback:                                     Disabled
 TACACS+ Authentication Serial Ports:
 TACACS+ Authentication Interfaces: 1
 TACACS+ Accounting Serial Ports:
 TACACS+ Accounting Interfaces: 1

TACACS+ on Cisco WLCs

In this third post in the TACACS+ series, I’ll cover using TACACS+ for administering a Cisco WLC device.

Cisco WLC

Server Config

group = wlc {
  service = ciscowlc {
    role1 = ALL
  } 
}

group = wlc-read-only {
  cmd = show {
    permit .*
  }
  cmd = ping {
    permit .*
  }
  cmd = traceroute {
    permit .*
  }
  service = exec {
    priv-lvl = 15
  }   
  service = ciscowlc {
    role1 = ALL
  }   
}

Client Config

This is fairly trivial and best done through the GUI. Just go to security->tacacs+ and add the servers and keys for Authentication and Authorization. I didn’t find the Accounting data very useful so left that off. To work out the server settings I ran the daemon in debugging mode and looked at what the WCS was sending. Something like:

# tac_plus -C /path/to/tac_plus.conf -g -d <level>

TACACS+ on Cisco ASAs

In this second post in the TACACS+ series, I’ll cover using TACACS+ for administering an ASA via SSH and ASDM, as well as for SSL VPN access.

Cisco ASA 5500 Series

  • After you ssh in, you’ll need to enable.
  • You can use your TACACS+ password to do this
  • Users with privilege level 5 are read only

Server Config

# Groups
group = asa {
  default service = permit
  service = exec {
    priv-lvl = 15
  }
}
group = asa-read-only {
  default service = permit
  service = exec {
    priv-lvl = 5
  }
}
# Users
user = admin {
  member = all
  login = des <snip>
  enable = des <snip>
}
user = read-only {
  member = asa-read-only
  login = des <snip>
}

Client Config

# To generate an RSA key pair, which is required for SSH, enter the following command:
crypto key generate rsa modulus 2048
# Give the device a hostname / domain name
!
hostname foo
domain-name bar.domain
!
# Add local AAA users
username user1 password <snip>
enable password <snip>
!
# Set up the management interface
interface Management0/0
 nameif manage
 security-level 50
 ip address 192.168.1.254 255.255.255.0
!
# ACL which selects who should use tacacs for AAA
access-list LOGIN extended permit tcp 192.168.1.0 255.255.255.0 interface manage eq ssh
access-list LOGIN extended permit tcp 192.168.1.0 255.255.255.0 interface manage eq https
!
# Set a default route for management access
route manage 0.0.0.0 0.0.0.0 192.168.1.254 1
!
# Set up tacacs
aaa-server data-tacacs protocol tacacs+
aaa-server data-tacacs (manage) host [ip] key <snip>
aaa authentication match LOGIN manage data-tacacs
aaa authentication ssh console data-tacacs LOCAL
# Console access local auth - optional
# aaa authentication enable console LOCAL
aaa authentication http console data-tacacs LOCAL
aaa authentication enable console data-tacacs
aaa authorization command data-tacacs LOCAL
aaa accounting command data-tacacs
aaa accounting enable console data-tacacs
aaa accounting ssh console data-tacacs
!
# Enable ASDM
http server enable
# ACL for ASDM
http 192.168.1.0 255.255.255.0 manage
!
# Allow ssh in for management subnet
ssh 192.168.1.0 255.255.255.0 manage
!
# You'll need NTP for TACACS to work - best have > 1
ntp server ntp0.domain source outside prefer
ntp server ntp1.domain source outside
ntp server ntp2.domain source outside
!

If you want to use tacacs+ as the auth mechanism for an SSL VPN running on an ASA:

tunnel-group DefaultRAGroup general-attributes
 authentication-server-group data-tacacs

Be careful if you run command authorisation on an ASA and have two TACACS+ servers. The default reactivation-mode is timed so if the networking on your device fails you can lock yourself out of it.

WARNING: 
If fallback authentication is configured with this server and reactivation mode is set to timed. 
Multiple aaa servers may prevent the appliance from ever invoking the fallback auth mechanism.
*** Output from config line 126, " reactivation-mode timed"
WARNING: 
Fallback authentication is configured, but reactivation mode is set to timed. Multiple aaa servers 
may prevent the appliance from ever invoking the fallback auth mechanism.

If you do have two servers available the answer is to do this:

asa(config-aaa-server-group)# reactivation-mode ?
aaa-server-group mode commands/options:
    depletion Failed servers will remain inactive until all other servers in this group are inactive
    timed Failed servers will be reactivated after 30 seconds of down time
asa(config-aaa-server-group)# reactivation-mode depletion

TACACS+ on IOS devices

In this first post in the TACACS+ series, I’ll look at some general server stuff and then configuring TACACS+ on IOS devices. I’ll cover ASAs, WLCs and MRV LX-4000T console servers in later posts.

Packaging

These days I use the stock Debian package. A few years ago I hand rolled an RPM based on the Shrubbery Networks code. You can download that here: tac_plus-F4.0.4-15.i386.rpm.

Generating a password for the config file

htpasswd -nd <username>

A script to parse and email the logs

I use a script I wrote called tac_logmail to dump a summary of the logs in our RT queue every day. It assumes you use syslog-ng to dump your tacacs logs to a central syslog server.

On tacacs+ servers:

source s_tacacs {
file("/var/log/tacacs" follow_freq(1) flags(no-parse));
};
destination d_remote {
tcp("syslog.domain", localip([% hostname %]), destport());
};

On central server:

template t_isotemplate { 
    template("$S_ISODATE $HOST_FROM $MSGHDR$MSG\n");    
    template_escape(no); 
};
# === Tacacs+ 
filter f_tacacs_plus_host {
    host ("foo") or host("bar");
};
destination d_tacacs_plus {
    file("/var/log/remote/tacacs+/tacacs+-$YEAR-$MONTH-$DAY" template(t_isotemplate));
};
log {
    source(s_tcp);
    source(s_udp);
    filter(f_tacacs_plus_host);
    destination(d_tacacs_plus);
};
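An added example, not the tac_logmail script itself, of the kind of daily summary that script produces: it parses tac_plus accounting records (tab-separated: timestamp, NAS, user, port, remote address, start/stop flag, then attribute=value pairs) and groups the commands run per user and device, marking ones that change device state. The log lines are constructed for this example, and the state-changing watch-list is a hypothetical one to tune locally.

```python
#!/usr/bin/env python3
"""Summarise tac_plus accounting records per user and device (added example)."""
import re
from collections import defaultdict

# Constructed sample of tac_plus accounting lines.  When a line has been relayed
# by syslog-ng with the t_isotemplate above, the ISO date and host are prefixed
# to the first field with spaces, so splitting on tabs still works unchanged
# (the last line below shows that form).
SAMPLE_LOG = "\n".join([
    "Mon Aug  6 09:12:01 2012\t10.0.0.1\talice\ttty1\t192.168.1.10\tstart\ttask_id=11\tservice=shell",
    "Mon Aug  6 09:12:05 2012\t10.0.0.1\talice\ttty1\t192.168.1.10\tstop\ttask_id=12\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>",
    "Mon Aug  6 09:13:40 2012\t10.0.0.1\talice\ttty1\t192.168.1.10\tstop\ttask_id=13\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>",
    "Mon Aug  6 09:14:02 2012\t10.0.0.1\talice\ttty1\t192.168.1.10\tstop\ttask_id=14\tservice=shell\tpriv-lvl=15\tcmd=interface Vlan80 <cr>",
    "Mon Aug  6 09:14:10 2012\t10.0.0.1\talice\ttty1\t192.168.1.10\tstop\ttask_id=15\tservice=shell\tpriv-lvl=15\tcmd=no ip access-group TO_CAMPUS out <cr>",
    "Mon Aug  6 11:30:00 2012\t10.0.0.2\tbob\ttty2\t192.168.1.20\tstop\ttask_id=31\tservice=shell\tpriv-lvl=1\tcmd=show ip interface brief <cr>",
    "2012-08-06T11:31:00+00:00 foo Mon Aug  6 11:31:00 2012\t10.0.0.2\tbob\ttty2\t192.168.1.20\tstop\ttask_id=32\tservice=shell\tpriv-lvl=1\tcmd=ping 10.0.0.1 <cr>",
])

AV_RE = re.compile(r"^([^=]+)=(.*)$")
# Hypothetical watch-list of commands that alter device state; tune to taste.
CHANGE_RE = re.compile(r"^(configure|conf|write|wr|copy|reload|clear|no|erase|delete)\b")


def parse_record(line):
    """Split one accounting line into its fixed fields plus an attribute dict."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None  # not an accounting record
    when, nas, user, port, remote, flags = fields[:6]
    attrs = {}
    for av in fields[6:]:
        m = AV_RE.match(av)
        if m:
            attrs[m.group(1)] = m.group(2)
    return {"when": when, "nas": nas, "user": user, "port": port,
            "remote": remote, "flags": flags, "attrs": attrs}


def summarise(log_text):
    """Group executed commands by (user, NAS); only 'stop' records carry cmd=."""
    summary = defaultdict(lambda: {"commands": [], "changes": 0, "remotes": set()})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["flags"] != "stop" or "cmd" not in rec["attrs"]:
            continue
        cmd = rec["attrs"]["cmd"].replace("<cr>", "").strip()
        entry = summary[(rec["user"], rec["nas"])]
        entry["commands"].append(cmd)
        entry["remotes"].add(rec["remote"])
        if CHANGE_RE.match(cmd):
            entry["changes"] += 1
    return dict(summary)


def render_report(summary):
    """Plain-text report suitable for the body of a daily e-mail."""
    out = []
    for (user, nas), entry in sorted(summary.items()):
        out.append("%s@%s: %d commands, %d state-changing, from %s"
                   % (user, nas, len(entry["commands"]), entry["changes"],
                      ", ".join(sorted(entry["remotes"]))))
        for cmd in entry["commands"]:
            marker = "!" if CHANGE_RE.match(cmd) else " "
            out.append("  %s %s" % (marker, cmd))
    return "\n".join(out)


if __name__ == "__main__":
    print(render_report(summarise(SAMPLE_LOG)))
```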

Cisco IOS Switch / Router Configuration

Server Config

group = ios {
  default service = permit
  service = exec {
    priv-lvl = 15
  }
}

Client Config

aaa new-model
!
aaa authentication login default local group tacacs+
aaa authentication enable default enable group tacacs+
aaa authorization console
aaa authorization exec default local group tacacs+ if-authenticated 
aaa authorization commands 15 default local group tacacs+ if-authenticated 
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
ip tacacs source-interface [int]
!
tacacs-server host [ip] key [foo]
tacacs-server directed-request
!
line con 0
authorization exec default
line vty 0 [n]
login authentication default
!
# You'll need NTP for TACACS to work - best have > 1
ntp server [ip] key 0


Using LACP to create a backup link

Background

Let’s say you have a layer 2 firewall and you wish traffic to still be forwarded in the event it fails. One way of achieving this is to use LACP and limit the number of links in the path to one.

Diagram

Config

! SWITCH1
interface po1
lacp fast-switchover
lacp max-bundle 1
!
interface Gi0/1
channel-protocol lacp
channel-group 1 mode active
!
interface Gi0/2
channel-protocol lacp
channel-group 1 mode active
lacp port-priority 65535 
!
!SWITCH2
interface po2
lacp fast-switchover
lacp max-bundle 1
!
interface Gi0/1
channel-protocol lacp
channel-group 2 mode active
!
interface Gi0/2
channel-protocol lacp
channel-group 2 mode active
lacp port-priority 65535
!

Notes

  • The max-bundle command specifies how many active links the channel-group can have, we limit this to one.
  • With LACP the priority is a 16 bit number, note that the range is 1 – 64535, no zero for some reason. The default is 32768 (half way up) and a higher priority is worse, so setting the priority on port Gi0/2 on each box to 65535 means those ports won’t be used by default.
  • We use lacp fast-switchover for obvious reasons.

Switch1 and Switch2 can be the same device if you use a different VLAN on each etherchannel interface. The frames will get de-tagged when entering Po10 and re-tagged in a different VLAN on ingress to Po20 but that hardly matters as the L2 headers will get stripped right away when they are routed. We do this on our Internet routers to allow us to put a passive tap on our traffic.

Thoughts

This is a nice little trick I’ve seen used when the vendor doesn’t provide a fail active solution. It is reasonably simple and works well.