Interface software loop

If you have ever worked in an environment where you have to deal with leased / dedicated lines provided by your SP (service provider), then you know that whenever there is a problem on the line they request, if possible, that you put a loop on the line from one end toward the other, so they can do some measurements. In my experience with SPs, this is the standard approach when they don't know exactly what the problem with your line is or where the issue occurred, especially if they use sub-providers of their own.

Lately I have seen some questions on the Cisco support forums regarding the usage of software loops on Ethernet interfaces, so I've decided to write a small how-to about the basic configuration of a soft loop on different interfaces.

Controller (E3, T3) soft loop on all channels

configure terminal
! Apply the loop on the controller interface to loop the entire (e.g.) T3 interface (all 28 x T1 channels)
controller t3 3/0
loopback [local | network | remote]

Mandatory parameter:

loopback – place the loop

Optional:

local – Loops the data back toward the router and sends an AIS signal out toward the network.

network – Loops the data toward the network at the T1 framer.

remote – Sends a far-end alarm control (FEAC) request to the remote end requesting that it enter into a network line loopback. FEAC requests (and therefore remote loopbacks) are only possible when the T3 is configured for C-bit framing.

Controller (T3, E3) soft loop on one channel (T1, E1)

If your controller is channelized for T1 or E1, you can avoid looping the entire controller and instead apply the soft loop on only one channel:

configure terminal
! Apply the soft loop under interface configuration rather than controller
interface Serial3/0:1
loopback [local | network {line | payload} | remote {line {fdl {ansi | bellcore} | inband} | payload [fdl] [ansi]}]

Mandatory:

loopback – applies the soft loop

Optional:

local – Loops the router output data back toward the router at the T1 framer and sends an AIS signal out toward the network.

network – Loops the data back toward the network before the T1 framer and automatically sets a local loopback at the HDLC controllers (line), or loops the payload data back toward the network at the T1 framer and automatically sets a local loopback at the HDLC controllers (payload).

remote line fdl – Sends a repeating, 16-bit ESF data link code word. ansi: places the CSU into loopback, per the ANSI T1.403 specification; bellcore: places the SmartJack into loopback, per the TR-TSY-000312 specification.

remote line inband – Sends a repeating, 5-bit inband pattern (00001) to the remote end requesting that it enter into a network line loopback.

payload – Sends a repeating, 16-bit ESF data link code word to the remote end requesting that it enter into a network payload loopback. Enables the remote payload Facility Data Link (FDL) ANSI bit loopback on the T1 channel. It is rarely necessary to specify the fdl or ansi keywords.

To be honest, I have never used anything other than the local or network parameters here. I have included the others with an explanation, but I have never used them.

Serial interfaces (PA-E3 or a PA-T3 port adapter)

configure terminal
! Apply the soft loop on the serial interface
interface Serial3/0
! If the interface is a port on a PA-E3
loopback [dte | local | network {line | payload}]
! If the interface is a port on a PA-T3
loopback [dte | local | network {line | payload} | remote]

Mandatory:

loopback – apply the soft loop

Optional:

dte – Sets the loopback after the LIU toward the terminal.

local – Sets the loopback after going through the framer toward the terminal.

network – Sets the loopback toward the network before going through the framer (line) or after going through the framer (payload).

remote (only T3) – Sends a far-end alarm control (FEAC) to set the remote framer in loopback.

Ethernet interfaces

configure terminal
! Apply the soft loop on an Ethernet interface
interface GigabitEthernet
loopback [driver | mac]

Mandatory:

loopback – apply the loop

Optional (only on Gigabit Interfaces):

driver – apply the loop at the transceiver level

mac – apply the loop at the MAC controller level

You can use the loopback driver and loopback mac interface configuration commands with the 2-Port 10/100/1000 Gigabit Ethernet SPA. These commands do not apply to the 4-Port 10/100 Fast Ethernet SPA. To properly enable internal loopback, you must disable autonegotiation (under interface configuration, you have to apply no negotiation auto).

Due to different card/router models, IOS versions and specific SP configurations, not all commands will match exactly what is described above, but at least this is a starting point when you need to enable a soft loop. If you are a beginner you may wonder why I'm calling it a soft loop. This is because it is a software loop, as opposed to a hardware loop, which implies that the wires are physically looped.
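A soft loop left behind after the SP has finished measuring keeps the line down, so it is worth auditing configs for leftover loopback commands. As an added example (not from the original post), the Python below parses a constructed IOS running-config fragment, lists every controller or interface that still has a soft loop configured, and flags a GigabitEthernet loop whose block lacks the no negotiation auto line the post says is required; the config text and the block-parsing logic are my own assumptions about IOS output layout.

```python
import re
# Constructed sample running-config fragment (not from a real device), covering the controller, channelized serial and Ethernet cases in the post.
SAMPLE_CONFIG = """\
controller t3 3/0
 loopback network
!
interface Serial3/0:1
 loopback remote line inband
!
interface Serial3/1
 no loopback
!
interface GigabitEthernet0/1
 loopback driver
!
interface GigabitEthernet0/2
 no negotiation auto
 loopback mac
!
"""

CONTEXT_RE = re.compile(r"^(controller|interface)\s+(\S.*)$")
LOOPBACK_RE = re.compile(r"^loopback(?:\s+(.+))?$")  # 'no loopback' does not match
def parse_blocks(config):
    # Map each controller/interface block to the list of its indented sub-commands.
    blocks, current = {}, None
    for line in config.splitlines():
        m = CONTEXT_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2).strip()}"
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks

def find_soft_loops(config):
    """Return (context, mode, warning) for every soft loop still configured."""
    findings = []
    for context, cmds in parse_blocks(config).items():
        for cmd in cmds:
            m = LOOPBACK_RE.match(cmd)
            if not m:
                continue
            mode = (m.group(1) or "unspecified").strip()
            # The post notes Gigabit internal loops require autonegotiation disabled.
            needs_fix = context.startswith("interface GigabitEthernet") and "no negotiation auto" not in cmds
            findings.append((context, mode, "autonegotiation still enabled" if needs_fix else None))
    return findings
```

Feed it the output of show running-config and any non-empty result means a loop is still in place.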


Cisco IOS release naming

Most probably you already know this, but for those who are interested, here is a list of the letter definitions for Cisco IOS release trains. In more human terms, if you have loaded an IOS image like c2900-universalk9-mz.SPA.150-1.M5.bin, what those letters (in this case SPA) mean:

  • A = Aggregation/Access Server/Dial technology
  • B = Broadband
  • C = Core routers (11.1CA, 11.1CT, 11.1CC)
  • D = xDSL technology
  • E = Enterprise feature set
  • F = Feature Specific enhancements (11.2F)
  • G = Gigabit Switch Routers (GSR)
  • H = SDH/SONET technology (11.3HA)
  • J = Wireless Networking technology (Aironet)
  • M = Mobile (Restricted to Mobile Wireless BU usage and further reserved for Mainline)
  • N = Voice, Multimedia, Conference (11.3NA)
  • P = Platform features (11.2P)
  • R = Reserved for ROMMON reference
  • S = Service Provider
  • T = Reserved for Consolidated Technology Train
  • W = LAN Switching/Layer 2 routing
  • X = A short lived, one-time release (12.0XA)
  • Y = A short-lived, one-time release (when Xs are exhausted)
  • Z = A short-lived, one-time release (reserved if Ys are exhausted)

Additional information can be found here.

Cisco QoS at-a-glance

Stephan, a colleague of mine, found the following documents while digging through multiple pages of Cisco.com. The documents present a nice view of different QoS approaches and the most important information, something like cheat sheets. They were helpful to us when we needed to implement QoS in some parts of the network that we administer. I hope they will help you as well.

Maybe you're wondering why I'm adding them here, since the documents are already somewhere on Cisco.com. As you probably know, Cisco has been constantly changing its website in the last months and a lot of documentation is misplaced in the Cisco.com sitemap. We already had problems finding all the links, so I said why not share them here, as they are already made public by Cisco.

You'll find a Download button under each document for the PDF version, and at the end of this post there is a link to download all documents in one archive. If somebody needs only one document and has a poor Internet connection, why force them to download the full archive.

  • Cisco – Campus QoS Design
  • Cisco – Branch QoS Design
  • Cisco – IPv6 QoS
  • Cisco – QoS Best Practices
  • Cisco – QoS Design for IPsec VPNs
  • Cisco – QoS Design for MPLS VPN Service Providers
  • Cisco – Scavenger class – QoS Strategy for DoS Worm Attack Mitigation
  • Cisco – QoS Design for MPLS VPN Subscribers
  • Cisco – QoS Baseline
  • Cisco – WAN QoS Design

As said in the beginning, if you prefer, you can download all the QoS documents in one archive.

Let me know your opinions on the above approach to QoS from Cisco. Is it accurate? Do you apply them in your organization, whether for Campus, WAN, VPN or even Security?

ACS 5.1 integration with Active Directory [Part II]

In the first part of this article, I described a little bit of the installation process for Microsoft Active Directory. Now it's time to go ahead and talk about the ACS 5.x integration with AD. In the meantime I changed the version "5.1" to "5.x" as version 5.2 is already out there. This tutorial works for both versions.

Maybe you are wondering why I don't have a separate chapter about the installation process of ACS 5.x. The reason is that the installation is pretty straightforward, as you can see below. You have to follow some instructions, add some mandatory information (IP address, username, password…) and you're done. Very simple. Because an image is worth a thousand words, I took some screenshots during the process to make the explanation easier to follow.

Load the ACS 5.x image and, after the initial screen, you should see the following warning. YES is the correct answer.

ACS Installation Start

ACS 5.x will start the installation

ACS Package installation

If everything goes well, you should see a screen asking you to type the keyword "setup".

ACS Setup

Next, ACS 5.x will ask for some mandatory information:

ACS Settings

Next, ACS 5.x will install all core files and, when done, it will show a login prompt. You can go ahead and log in, or open a web browser and type https://your-ip/acsadmin (in my case this would be https://172.31.82.8/acsadmin, according to the image above). You should see something like this:

ACS Login

Default username: acsadmin and password: default. The system will require you to change the default password:

ACS Change password

The last step, before the system is operational, requires you to add the license file. If you got the ACS 5.x image from the Cisco website, they will provide you with a trial license file, or a standard / extended license if your company has already acquired one.

ACS License

If the installation part is very simple, the next lines, I'm sure, are critical for some of you. ACS 5.x is available for 2 platforms: bare metal system (that means a dedicated machine) or VMware appliance. If you are like me, then you don't have a dedicated machine for testing some ACS 5.x solutions, and VMware can sometimes be difficult to install and operate. The next alternative, which is free by the way, is VirtualBox. Thanks to Nick Bettison (Twitter @linickx) we now have a solution to install ACS 5.x on VirtualBox.

He describes step-by-step, in an easy to understand example, how you can install ACS 5.1 on VirtualBox. As confirmed in a later post, this solution also works for ACS 5.2; you just have to download that release from the Cisco website. As Nick says on his website, I also want to highlight that you will not find the ACS 5.x image for download either on his blog or here. If you have a CCO account you can download a trial version from the Cisco website. The trial is free and you can try the ACS solution for 90 days, which I'd say is more than enough for the tests you have in mind.

Note: Lately I have seen, on some websites, images of the ACS 5.x system that claim to install directly on VirtualBox, without using Nick's method. Most probably these images work just fine, but keep in mind that you'll have to download those files from somewhere other than Cisco, and I think this is illegal. Using Nick's method you are on the safe side, as you download the ACS 5.x image from the Cisco website and the rest of the tutorial uses open source tools.

OK, enough about this, let's go and see how you can integrate ACS 5.x with AD.

I assume now that you have already installed an Active Directory system and an ACS 5.x (it doesn't matter if it is a bare metal system, VMware or VirtualBox). Also, from the ACS 5.x CLI, check to see if you can reach the AD system (a ping test will do). This test has to be successful to proceed.

On the ACS 5.x Web management interface, find the Users and Identity Stores section on the left panel and choose Active Directory:

ACS Active Directory

Important Note: While trying to join ACS to the AD domain, ACS and AD must be time-synchronized. Time in ACS is set according to the Network Time Protocol (NTP) server. Both AD and ACS should be synchronized by the same NTP server. If time is not synchronized when you join ACS to the AD domain, ACS displays a clock skew error. Using the command line interface on your appliance, you must configure the NTP client to work with the same NTP server that the AD domain is synchronized with. Refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/acs5_1_cli.html for more information.

Let’s add ACS 5.x to the AD:

ACS AD setup

Complete the Active Directory Domain Name field with the necessary value. Then, add the username and password. This user needs to be a domain administrator and have rights to add new machines to Active Directory. Use Test Connection to see if everything is correct. You can save the configuration. After you save, you will notice that Connectivity Status has changed and now shows the joined domain. Also, two additional tabs appear at the top of the page. You're done!

It seems like an easy task and if everything is prepared in advance the integration itself will work like a charm. From experience I know that if this part is not working smoothly, troubleshooting is not an easy task. If you run into problems, please let me know in Comments and I will help as much as I can.

Next part will be about using the AD Groups and Users together with ACS 5.x.


Cisco CCDA: 640-863 and 640-864

As you probably know, the CCDA exam 640-863 will be replaced by the newer version 640-864. The problem is not that Cisco is changing them (this is actually a good thing) but the fact that there is too little material regarding the new exam and a lot of contradictory information.

First of all, the official Cisco guide, CCDA 640-864 Official Cert Guide, 4th Edition, is not yet available. Ciscopress.com announces it to be available June 10, 2011. Although you need more knowledge than this guide offers, it would make sense to enforce an exam only after the documentation for that particular exam is available. It's true that the CCDA 640-864 Official Cert Guide, Rough Cuts, 4th Edition already exists in electronic format (PDF) on Ciscopress.com. For those of you who are not familiar with the Rough Cuts concept, here is a small explanation from Cisco Press:

The Rough Cuts service from Safari Books Online gives you exclusive access to an evolving manuscript that you can read online or download as a PDF and print. A Rough Cuts book is not fully edited or completely formatted, but you’ll get access to new versions as they are created.

Fine, but Rough Cuts is not the official guide. I don't know about your preferences, but from time to time I prefer to read from a hard-copy book rather than from my monitor.

Now for some good news, even if it comes with contradictory information. According to https://learningnetwork.cisco.com/community/certifications/ccda/syllabus, it seems that the 640-863 availability has been prolonged until June 15, 2011 (it was April 30, 2011):

Good news for those who plan to take the exam in near future. Bad news? Confusion!

This link: https://learningnetwork.cisco.com/community/certifications/ccda/desgn maintains that nothing has changed:

Pretty confusing, isn't it? Both are official Cisco links. In the meantime, there is a discussion about this topic on The Cisco Learning Network where a few members confirmed that Cisco postponed the date for 640-863 to June 15, 2011. This would be a good thing, given the conditions that I've explained above.

If there is an official statement (beside The Cisco Learning Network thread) I will add an update here.

UPDATE:

Yes, the correct EOL date for the 640-863 DESGN exam is June 15, 2011.

The correct EOL date for the 642-873 ARCH exam is June 16, 2011.

Hope this clarifies any confusion.

Regards,

Rigo
Cisco Learning Network Moderator

I’m just glad that this confusion has been solved and there is still time to take 640-863, before the official documentation for 640-864 is released.