Showing posts with label Enterprise Networking. Show all posts

Tuesday, 20 July 2021

Preventing Network Loops! A Feature You Need to be Aware of

No matter how secure or precise the configuration is, some problems are almost impossible to avoid, particularly L2 loops. Looped frames have no TTL to decrement and nothing else to lose. A loop tends to strike at the perfect time: a critical production hour, or perhaps a Friday night!

A common approach is to tighten the STP configuration and enable BPDU guard, root guard, loop guard, Unidirectional Link Detection (UDLD) and storm-control, or to disable unused ports, wherever applicable.

Even with the right configurations in place, incorrect STP port transitions, hardware issues, misplaced root bridge etc., can still cause loops. And not to forget the mysterious unmanaged switches that occasionally show up on the network.

STP loop guard reacts only if a root or alternate port stops receiving BPDUs. None of these features explicitly detects and stops an ongoing loop.

One feature that does is Loop Detection Guard on the Catalyst 9000 switches. Its function is simple: send a frame out of one port and see if it returns on another. The feature was introduced in 17.2.x and later releases and is supported on all Catalyst 9000 platforms.

So how does the Loop Detection Guard work?

A port enabled with Loop Detection Guard sends out a loopback frame and checks if it returns to the switch. If it does, the switch error-disables the source port or the destination port, whichever is the configured action. The loop-detect frames are L2 frames with the loopback Ethertype. They carry the source interface MAC as the source MAC and the switch base MAC address as the destination MAC.

A recipient device typically drops these frames as the destination MAC address is different. If the frame is forwarded back to the originating switch, the loop detect guard will kick in.

The loopback frames are untagged. It doesn’t matter which VLAN the frame is sent on; it just shouldn’t return to the originating switch.

Configuration & Implementation Flexibility


The configuration guide for Loop Detection guard provides the CLI and options. The loop detection guard feature needs to be defined explicitly per port. Unlike STP, there’s no global configuration line for this feature and there is a good reason why; you will know as you read on.

Strictly speaking, STP should prevent loops in the first place; but if STP fails for any reason and causes a network loop, the loop detect guard (if enabled) can kick in to stop it.

On detecting a loop, the option to disable either the source or the destination port provides implementation flexibility. This means the feature can be enabled on only the key ports of a switch and still take action on the rest of the ports.

Let’s say there is a loop in the network between the uplink and one of the downlink ports. The Loop Detect Guard can be enabled only on the uplink ports. And if the actionable port is set to destination port, it will err-disable the downlink port that is participating in a loop with the uplink. The downlink ports need not have this feature explicitly enabled.

The loop detection guard can be configured on all ports as well, but the configuration is simpler if it is enabled only on the uplink or other key ports, letting the feature take action on the downlinks. I recommend testing it before implementing it in production.
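The detection logic and the uplink-only deployment described above can be modelled in a few lines. This is an added example, not Cisco code: the `Switch` class, port names and MAC addresses are constructed, 0x9000 is the registered Loopback EtherType, and the zero-filled payload is an assumption because the page does not describe the probe payload.

```python
import struct

ETH_P_LOOP = 0x9000   # registered Loopback EtherType
# Loop-detect frames are untagged, so a frame whose EtherType field holds
# 0x8100 (802.1Q tag) can never match the check below.


def mac(text):
    """'00:00:5e:00:53:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


class Switch:
    """Toy model of one switch running Loop Detection Guard (hypothetical)."""

    def __init__(self, base_mac, port_macs, guarded, action="destination"):
        self.base_mac = mac(base_mac)
        self.mac_by_port = {p: mac(m) for p, m in port_macs.items()}
        self.port_by_mac = {m: p for p, m in self.mac_by_port.items()}
        self.guarded = set(guarded)   # ports with the feature enabled
        self.action = action          # "source" or "destination"
        self.err_disabled = set()

    def build_probe(self, port):
        """Untagged probe: dst = switch base MAC, src = sending interface MAC."""
        if port not in self.guarded:
            raise ValueError(f"{port} does not have loop detection enabled")
        header = struct.pack("!6s6sH", self.base_mac,
                             self.mac_by_port[port], ETH_P_LOOP)
        return header + bytes(46)     # constructed padding, not a real payload

    def receive(self, rx_port, frame):
        """Return the port that gets err-disabled, or None if no loop is seen."""
        if len(frame) < 14 or rx_port in self.err_disabled:
            return None
        dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
        if ethertype != ETH_P_LOOP:   # also rejects 802.1Q-tagged frames
            return None
        if dst != self.base_mac:      # another switch's probe: not our loop
            return None
        tx_port = self.port_by_mac.get(src)
        if tx_port not in self.guarded:
            return None
        # Our own probe came back, so there is a loop between tx_port and rx_port.
        victim = tx_port if self.action == "source" else rx_port
        self.err_disabled.add(victim)
        return victim


def uplink_scenario(action):
    """Guard only the uplink; the probe loops back in on a downlink."""
    sw = Switch("00:00:5e:00:53:00",
                {"Te1/1/1": "00:00:5e:00:53:01",   # uplink, guarded
                 "Gi1/0/7": "00:00:5e:00:53:07"},  # downlink, not guarded
                guarded=["Te1/1/1"], action=action)
    return sw.receive("Gi1/0/7", sw.build_probe("Te1/1/1"))


if __name__ == "__main__":
    print("action destination ->", uplink_scenario("destination"))
    print("action source      ->", uplink_scenario("source"))
```

With the destination action the downlink is shut even though it never had the feature enabled, which is why guarding only the uplinks is enough in this design.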

STP Loopguard vs Loop Detection Guard


Here’s a quick comparison of the two features and their functions:

If a port configured with STP loop guard stops receiving BPDUs, the blocked port transitions to the loop-inconsistent state only after max age expires. At that point the port stops processing user traffic until BPDUs arrive.

Loop detection guard has a default timer value of 5 seconds and a configurable maximum of 10 seconds. The loop detect feature reacts to a loop more quickly than STP loop guard and provides the option to shut down only the ports in question.

Source: cisco.com

Wednesday, 10 March 2021

Meet the Enchanted Virtual Classroom

Cisco Networking Academy enables distance learning

The COVID-19 pandemic has disrupted the traditional education model for millions of students and teachers around the world, including the nearly 12,000 learning institutions worldwide that participate as Cisco Networking Academy schools. 

The Networking Academy curriculum has been delivered via a hybrid model of in-person and online teaching. So when the pandemic hit, and while many schools, teachers, and students experienced widespread disruption and challenges in making the move to a 100 percent online model, the Networking Academy transition was manageable, and students and teachers were already equipped to operate exclusively online effectively.

Beyond the move to a fully online model, the events of 2020 pushed our engineering teams at Cisco to look for new ways to offer both students and teachers more immersive experiences and better learning engagement opportunities.  

Working hand in hand with Networking Academy instructors, our engineers delivered significant enhancements to Cisco Packet Tracer’s physical mode. Combined with significant increases in the availability of our Cisco Webex collaboration suite, our teams have created what we like to think of as an “Enchanted Virtual Classroom.” 

Welcome to a world of enchantment

The concept of enchantment in the digital world – and specifically the notion of “Enchanted Objects” – has been introduced by David Rose, product designer and lecturer at the MIT Media Lab. According to Rose, Enchanted Objects can be brought to life thanks to specific design guidelines for immersive Internet of Things (IoT) environments that align with fundamental human desires including “omniscience, telepathy, safekeeping, immortality, teleportation, and expression.” 

Rose believes that IoT sensors and actuators embedded in our physical environments can lead to enchanting experiences. 

Within Cisco Networking Academy, we are applying this design philosophy to distance learning. 

Fusing Packet Tracer – which invokes senses of safekeeping (a safe place to make mistakes), omniscience (creating networks from scratch), and expression (telling networking stories relevant to their lives), with Webex – which invokes senses of telepathy (insight into how others think) and teleportation (video collaboration as if we were sharing the same physical space doing labs together) enables useful, purpose-driven, even enchanting distance learning experiences. 

We seek to help address issues that arise from the loss of physically co-located instructors, students, and equipment. A simulation-based microworld, like Packet Tracer 8.0, with enhanced physical mode representations, used in tandem with collaboration software such as Webex, may have synergies that lead to effective and delightful experiences. 

The Charm of Packet Tracer

The new version of Packet Tracer (PT 8.0), released last month, approximates the experiences of the real-world job and classroom lab interactions as shown in Figure 1. 

Using the “Geo” mode (Figure 2), students can explore floor plans, maps, and other background images that help provide context, heat maps showing Wi-Fi, cellular, and Bluetooth signals, as well as manipulable cables. This representation encourages tracing a packet across various physical locations.

With the new Packet Tracer capabilities, students can build “What-if” models, following their own inquiry, using Packet Tracer as a “virtual Lego kit.” Students can also be assigned structured design, configuration, and troubleshooting challenges, using activities that were authored via Packet Tracer’s Activity Wizard and which are automatically graded (as shown in Figure 3). 

Students can interact with a shelf (inventory system) at right, having to choose amongst devices. They can also interact with a pegboard, having to choose among cables, place devices at specific locations on tables (centre) and equipment racks (left), as well as power devices and read status LEDs.

The magic of learning through Webex 


Webex is now integrated within the NetAcad.com platform, making relevant features for teaching more readily available to Networking Academy instructors, including:

◉ Whole-class, lecture-style interaction via video and audio
◉ Breakout lab-group style interaction
◉ Screen sharing with remote annotation, desktop mouse and keyboard sharing, and whiteboarding
◉ Attendance, chat, polling, and notes

We believe Webex can enable interactions like “over the shoulder” coaching and peer-to-peer group collaboration within Packet Tracer labs, creating powerful synchronous and asynchronous distance learning experiences.

We know that human-to-human relationships are central to learning. Cisco Networking Academy is pioneering better distance learning by making enchanted virtual classrooms with playful, simulation-based, collaborative educational interactions a reality. And this is just the beginning.

Source: cisco.com

Thursday, 17 October 2019

Five Industries for Monetizing your 5G Investment

Unless you’ve been living in a cave for the last few years, you probably know that the fifth generation of cellular network technology, 5G, is going to unleash some serious power with lower latency, higher bandwidth, greater density, and network slicing. There’s been a lot of talk about everything from self-driving cars and robots to refrigerators that can sense that you’re out of broccoli and call the store to restock your supply of cruciferous vegetables.

Although a lot of hype surrounds 5G, it clearly does have the power to transform established industries. It will affect business models and customers’ experiences and interactions across the globe.

What is 5G?


Whether it’s on the move or standing in place, everything needs to be connected. Mobility will play an increasing role in connecting everyone and everything. With the rise of interconnectivity comes a variety of new wireless technologies that are going to have to coexist. Wi-Fi 6, CBRS, and 5G are all similar in terms of what they are going to deliver. However, each of them uses different means to deliver these capabilities.

We’ve come to a major inflection point with 5G. Because of its wireless nature, it will allow us to accelerate digital disruption. At the same time, the new attributes of 5G will allow it to take on characteristics that were previously reserved for wired technologies. An added benefit is that wireless is more cost effective than wired connections.

Although 5G will primarily be used for outdoor connections, it will be able to seamlessly connect indoors as well. It will coexist with Wi-Fi 6 and CBRS, so users won’t be able to detect a hand-off.

How does this seamless experience work? A major difference in the 5G era is behind the radios. Software-defined “telco cloud” networks will be the foundation of intent-based networks. This will allow service providers to offer customers the tools and experiences they need and want.

5G for Service Providers and Enterprises


Service providers are at the center of the move to 5G, working to deliver network services. Enterprises will have to make a choice: do they want to buy from a service provider or build a 5G network themselves?

The relationship between industries and service providers will change as industries rely on providers for more applications, features, and services. Service providers can commit to new business models, cost models, and service levels. By playing a larger role, service providers can give industries the confidence to make the transition to 5G.

5G Blog Series


We want to shed some light on how service providers and enterprises across industries can fully reach their 5G potential. To do so, we’ve worked with several of our resident subject matter experts to show you some ways 5G can help companies cut costs and increase revenue. In the next five blogs, we’ll focus on two common themes: the rise of the sensor ecosystem and the impact of 5G on knowledge workers.

Cisco is at the center of the move to 5G because we provide the technologies that are going to enable the transition. We want our customers to do the disrupting before they get disrupted.

We’re going to roll out this blog series each Monday for the next five weeks. Each blog post centers on a different key industry that we expect will go through a major transformation with the advent of 5G: retail, healthcare, industrials, smart cities, and education.

We could write a blog about every industry out there because 5G will be that far-reaching. However, we’ve chosen these five industries because many people can relate to them. These industries affect people’s everyday lives, and we’ll all feel positive change when the promise of 5G evolves into a reality.

Saturday, 27 April 2019

How to Find Relief for Your Network Infrastructure in the Age of Apps

If you’re like most IT people, never does a day go by that you’re not working on multiple tasks at once: ensuring on prem data centers and public cloud networks are running smoothly; monitoring the consistency of network security policies; and making sure all of it meets compliance demands. And that doesn’t even begin to address the enormous pressure applications have begun to put on the underlying network infrastructure. As a result, data centers are no longer a fixed entity, but rather a mesh of intelligent infrastructure that spans multiple clouds and geographies. With new applications constantly being added to an infrastructure, roadblocks are beginning to arise, making the role of IT teams more complicated than ever.

Dynamic Network Alignment with IT and Business Policies


The network industry has recognized its unique set of challenges and is addressing them in the form of an intent-based networking architectural approach that builds on software-defined networking to allow continuous, dynamic network alignment with IT and business policies. This means that application, security, and compliance policies can be defined once then enforced and monitored between any groups of users or things and any application or service – or even between application services themselves – wherever they are located.

Forward-looking companies are now using applications not just as a way to engage with customers but also as a means for employees and the organizations themselves to communicate and work together efficiently. To create a more streamlined infrastructure, Cisco has integrated Application Centric Infrastructure (ACI) with the application layer and the enterprise campus to help large and medium-sized organizations that need to adopt a holistic network infrastructure strategy. Designed to help businesses cope with the unique performance, security, and management challenges of highly distributed applications, data, users, and devices, Cisco ACI also addresses the issue of legacy approaches. Having relied on manual processes to secure data and applications and control access, these approaches are no longer adequate or sustainable, and therefore need to be modernized.

With the ACI and AppDynamics (AppD) integration, application performance correlates with network health, while the Cisco DNA Center and the Identity Services Engine (ISE) work together to deliver end-to-end identity-based policy and access control between users or devices on campus and applications or data anywhere.

Richer Diagnostic Capabilities for Healthier Networks and Apps


Simplifying the deployment and management of applications requires more than just providing and managing the infrastructure that supports them. Cisco’s AppD provides IT teams with the application-layer visibility and monitoring required in an intent-based architecture to validate that IT and business policies are being met across the network. The Cisco ACI and AppDynamics solution also offers high-quality app performance monitoring, richer diagnostic capability for app and network performance, and faster root-cause analysis of problems, with immediate triage sent to the right people quickly.

That said, failures in applications can happen for a variety of reasons, often leading to what’s commonly known as “the blame game,” with people asking questions like, “Is it the network failure or the application failure? Who is responsible – the network team or the apps team?” Manual methods are slow and cumbersome, and oftentimes make it simply impossible to detect failures in an assertive fashion. The ACI and AppD integration offers deep visibility into the application processes and enables faster root cause analysis by taking the ambiguity out and pinpointing the problem – saving time, money, and, most importantly, getting the application back up and running right away.

Network Segmentation is a Must


Hyper-distributed applications and highly mobile users, increased cyber-security threats, and even more regulatory requirements make network segmentation a must for reducing risk and better compliance. Cisco ACI and Cisco DNA Center/ISE policy integration allows the marrying of Cisco ACI’s application-based microsegmentation in the data center, with Cisco SD Access user-group based segmentation across the campus and branch. This integration automates the mapping and enforcement of segmentation policy based on the user’s security profile as they access resources within the data center, enabling security administrators to manage end-to-end, user-to-application segmentation seamlessly. A common and consistent identity-based microsegmentation capability is then provided from the user to the application.

Experience ACI Integrations for Yourself


To practice using Cisco ACI, we’ve put together two-minute walkthroughs to help you experience the impact of the integrations and see first-hand how they can make an IT team’s life easier.


Watch how Cisco Cloud ACI helps policy-driven connectivity between on-premises data centers and AWS and Azure public clouds. The aim is to simplify routing and to ensure consistency of network security policies, ultimately helping to meet compliance demands.


Learn how to correlate application health and network constructs for optimal app performance, deeper monitoring, and faster root cause analysis with Cisco ACI and AppDynamics integration.


See how Cisco ACI and Cisco DNA Center/ISE policy integration allows the marrying of ACI’s application-based micro-segmentation in the data center with Cisco SD-Access and user group-based segmentation across the campus and branch.

Source: Cisco.com

Saturday, 1 September 2018

How to Use the Plug and Play Template Editor in DNA Center – Part 3

The first and second blog posts in this series gave an overview of network Plug and Play (PnP) and how it has evolved in Cisco DNA Center. They showed a very simple workflow to provision a device with a configuration template with a variable called “hostname.” This was done through the UI and programmatically via the API.

This blog post looks at creating PnP configuration templates using the template editor in Cisco DNA Center. Here, we will cover the user interface and basic concepts; subsequent blog posts will cover advanced topics, Day-N provisioning and the associated API.

Template Editor


The template editor is a standalone application at the bottom of the Cisco DNA Center home page.  It can be used for Day-0 (PnP) or Day-N configurations.

When the editor is opened for the first time, a project needs to be created along with a template. Projects are like folders to contain and structure the templates you build. The example below shows the “base config” template used in the earlier blogs. “pnp” and “adam” are just project names.

Creating a new Template


Click the “+” at the top of the template page or the gear beside a project to add a new template. The “+” allows you to create a project or a template, while the gear creates a template within the project.

The “add new template” slide out will appear.  This contains metadata about the template, such as the device types it applies to and the flavor of IOS. The example below applies to routers and switches (all models) which run IOS-XE.  It is possible to restrict the template to a specific version of code or model of device.

NOTE:  It is possible to have a single template or a composite sequence of templates. Currently composite sequences are not supported in PnP.

Click on the template to edit it.  The three boxes on the top right are used to navigate between the following views:

◈ Edit – to edit/commit the template.
◈ Variable – provide metadata about the variables used in the template. “$” is used to signify a variable.
◈ Simulation mode – View the rendered template by providing a set of test values for the variables.

It is important to realize that templates have a 2-phase commit.  A template can be saved, but it needs to be “committed” before it can be used. Templates have version control based on the “commit process”.

First Version


After entering some commands, the template needs to be saved and committed.  Any string that starts with “$” will be treated as a variable. In this example, “$hostname” is a variable.  Multiple variables are supported.

Variable Types


After committing an initial template version, the variables view can be used to change the type of the variable if required.  Variables can also be marked as “not a variable”, which is useful for configuration strings that contain  “$”.  I will discuss this more in the advanced blog post.

Simulation


Simulations can be used to test the template with dummy variables.  This is particularly useful later on when using loops and other control structures in a template.

Select the simulation tab, and then the “New Simulation” action.

You then need to provide a value for the variables, and run the simulation to see the result.  Notice how the hostname variable has been replaced by its value (“fred”).

The simulation feature is particularly relevant with more sophisticated templates.
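The interaction between “$” variables, the “not a variable” marking and a simulation run can be sketched offline. This is an added example and a simplified model, not Cisco DNA Center's template engine: the token rule, the function names and the template text (including the placeholder secret string) are constructed for illustration.

```python
import re

# Assumed token rule for this model: '$' followed by an identifier.
VAR_TOKEN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def find_variables(template, not_variables=()):
    """Names that follow '$' in the template, in first-seen order, minus
    any the operator has marked as 'not a variable'."""
    seen = []
    for name in VAR_TOKEN.findall(template):
        if name not in not_variables and name not in seen:
            seen.append(name)
    return seen


def simulate(template, values, not_variables=()):
    """Render the template with test values. Refuses to render when a
    variable has no value, so an unresolved '$name' is caught in
    simulation rather than on a device."""
    missing = [v for v in find_variables(template, not_variables)
               if v not in values]
    if missing:
        raise KeyError("no simulation value for: " + ", ".join(missing))

    def substitute(match):
        name = match.group(1)
        if name in not_variables:
            return match.group(0)      # keep the literal '$...' text
        return str(values[name])

    return VAR_TOKEN.sub(substitute, template)


# Constructed template: the second line contains '$' characters that belong
# to a secret string, not to template variables.
TEMPLATE = (
    "hostname $hostname\n"
    "enable secret 5 $1$salt$EXAMPLEHASHVALUE\n"
)

if __name__ == "__main__":
    print(find_variables(TEMPLATE))    # the secret's pieces show up as variables
    literal = {"salt", "EXAMPLEHASHVALUE"}
    print(simulate(TEMPLATE, {"hostname": "fred"}, literal))
```

Without the “not a variable” marking, the two fragments of the secret are reported as variables and the simulation refuses to run until they are either given values or marked literal.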
