Thursday, May 10, 2012

Making Changes to MST Config with Care

Multiple Spanning Tree (MST, IEEE 802.1s) is great for managing per-VLAN spanning trees and for load-balancing across redundant links. Instead of running and tuning one spanning-tree instance per VLAN, you group the VLANs into a handful of MST instances (MSTIs) inside an MST region and manage only those few instances, regardless of how many VLANs the region carries.

However, for two or more switches to be in the same MST region, they must have an identical MST region name, VLAN-to-instance mapping, and revision number. A switch whose configuration differs in any of these silently becomes a region of its own (the mapping is compared as an MD5 digest carried in the BPDU, so a single VLAN moved to another instance is enough), and the links between the two regions fall back to the single Common Spanning Tree. Changing an existing MST configuration on one switch but not on the others therefore causes a topology change and traffic disruption. To minimise it, stage the change on every switch in MST configuration sub-mode and commit on each only once all of them hold the same pending configuration. Note that the revision number does not increment itself: either leave it alone everywhere or change it by the same amount everywhere.

This is how to enter MST configuration sub-mode on the switch:
switch# configure terminal
switch(config)# spanning-tree mst configuration

This shows how to leave MST configuration sub-mode on the switch without committing the changes (while still inside the sub-mode, "show pending" lists the staged configuration so you can compare it across switches first):
switch(config-mst)# abort

This shows how to commit the changes and leave MST configuration sub-mode on the switch:
switch(config-mst)# exit

For more information, download this Cisco "Configuring MST" doc.
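The region test above can be scripted. The following is an added example, not code from the original post or from Cisco: it computes the 802.1s configuration digest from a VLAN-to-instance mapping (HMAC-MD5 over the 4096-entry mapping table with the key fixed by the standard) and compares name, revision and digest between switches. The "show spanning-tree mst configuration" outputs are constructed to look like Cisco's, not captured from real switches, and the region name DC-CORE and the instance layout are assumptions.

```python
import hashlib
import hmac
import re

# HMAC-MD5 key fixed by IEEE 802.1s (802.1Q clause 13.7) for the Configuration
# Digest. Every MSTP implementation uses this same key, which is why digests
# from different vendors are directly comparable.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# Constructed sample output in the shape of Cisco's
# 'show spanning-tree mst configuration' (not captured from a real switch).
SWITCH_A = """\
Name      [DC-CORE]
Revision  3     Instances configured 3

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-9,21-4094
1         10-19
2         20
-------------------------------------------------------------------------------
"""
# Switch B: same mapping, but someone bumped the revision on this switch only.
SWITCH_B = SWITCH_A.replace("Revision  3", "Revision  4")
# Switch C: same name and revision as A, but VLAN 20 was moved into instance 1.
SWITCH_C = SWITCH_A.replace("1         10-19", "1         10-20").replace("2         20\n", "")


def expand_vlans(spec):
    """Expand a Cisco-style VLAN list such as '1-9,21-4094' into a list of ints."""
    vids = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vids.extend(range(int(lo), int(hi or lo) + 1))
    return vids


def mst_digest(instance_map):
    """Return the 802.1s Configuration Digest (upper-case hex) for a mapping.

    instance_map: {mstid: iterable of VLAN IDs}; unlisted VLANs belong to the
    CIST (instance 0). The digest is HMAC-MD5 over a 4096-entry table of 2-byte
    big-endian MSTIDs indexed by VID, so it covers only the mapping; region
    name and revision travel separately in the BPDU and are compared as-is.
    """
    table = [0] * 4096
    for mstid, vids in instance_map.items():
        for vid in vids:
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN {vid} out of range")
            table[vid] = mstid
    data = b"".join(mstid.to_bytes(2, "big") for mstid in table)
    return hmac.new(MST_DIGEST_KEY, data, hashlib.md5).hexdigest().upper()


def parse_mst_config(show_output):
    """Parse 'show spanning-tree mst configuration' into (name, revision, mapping)."""
    name = re.search(r"^Name\s+\[(.*)\]", show_output, re.M).group(1)
    revision = int(re.search(r"^Revision\s+(\d+)", show_output, re.M).group(1))
    mapping = {}
    for m in re.finditer(r"^(\d+)\s+([\d,\- ]+?)\s*$", show_output, re.M):
        mapping[int(m.group(1))] = expand_vlans(m.group(2))
    return name, revision, mapping


def region_identity(show_output):
    """The three values that must all match for switches to share a region."""
    name, revision, mapping = parse_mst_config(show_output)
    return name, revision, mst_digest(mapping)


def same_region(output_a, output_b):
    """True only if region name, revision and configuration digest agree."""
    return region_identity(output_a) == region_identity(output_b)


if __name__ == "__main__":
    for label, out in (("A", SWITCH_A), ("B", SWITCH_B), ("C", SWITCH_C)):
        print(label, region_identity(out), "same region as A:", same_region(SWITCH_A, out))
```

With every VLAN in instance 0 the digest is the well-known default 0xAC36177F50283CD4B83821D8AB26DE62, the same value a Cisco switch prints for "show spanning-tree mst configuration digest". Running the script against the three outputs shows that both a lone revision bump (B) and a single moved VLAN (C) split the region, which is exactly the mismatch the staged-commit procedure above is meant to avoid.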

Tuesday, May 8, 2012

How to add new interfaces on Juniper SRX chassis cluster

There are many good JUNOS articles on setting up a Juniper SRX chassis cluster. I just want to summarise the steps for adding new interfaces to an existing cluster. In other words, the following prerequisites are assumed to be complete:
  1. Configure the chassis cluster ID and node ID on both nodes, e.g. set chassis cluster cluster-id 1 node 0 reboot (operational mode, run on each node with its own node number)
  2. Configure the Redundancy Groups (RGs) and specify which node should be primary for each, e.g. set chassis cluster redundancy-group 1 node 0 priority 200. This is also where you decide between Active/Passive (one node primary for every RG) and Active/Active (different RGs primary on different nodes)
  3. Configure the out-of-band management interface fxp0 (optional)
  4. Configure virtual routing instances (similar to VRF-lite in Cisco networking) (optional)
  5. Configure the number of redundant interfaces with set chassis cluster reth-count n, where n is the number of reth interfaces
  6. Configure each redundant interface (reth) from at least one interface on each node
  7. Configure the control link (fxp1), over which the two nodes exchange heartbeats and synchronise configuration
  8. Configure the fabric interfaces (fab0 for node 0, fab1 for node 1), each built from at least one Ethernet interface of its own node
  9. Successful cluster setup!
Once the cluster is up, you may wish to add more interfaces to it. The additional steps are as follows:

Step 1: Increase the reth count:
  • set chassis cluster reth-count n, where n is the new total number of reth interfaces (numbering starts at reth0, so reth2 needs a count of at least 3)
Step 2: Pick two matching interfaces, one from each node (e.g. ge-0/0/2 on node 0 and ge-8/0/2 on node 1; node 1's FPC numbers are offset by a platform-specific amount), and make them children of the new reth:
  • set interfaces ge-0/0/2 gigether-options redundant-parent reth2
  • set interfaces ge-8/0/2 gigether-options redundant-parent reth2
Step 3: Configure the new reth2 under "edit interfaces reth2":
  • Bind it to the redundancy group whose primary node should forward its traffic: "set redundant-ether-options redundancy-group 1" (RG 1 from the prerequisites above; a reth without a redundancy group is not usable)
  • Enable VLAN tagging if you intend to use VLANs: "set vlan-tagging"
  • Create a new sub-interface: "set unit nnn vlan-id vvv", where nnn is the unit number and vvv the 802.1Q tag (keeping nnn equal to vvv saves confusion later)
  • Assign an IP address to the sub-interface: "set unit nnn family inet address 1.1.1.1/24"
  • Return to the top level: "top"
Step 4: Assign the interface to the virtual routing instance (skip this if you use the default instance):
  • set routing-instances <instance-name> interface reth2.nnn
Step 5: Assign the interface to the appropriate security zone. An SRX interface that belongs to no zone cannot pass transit traffic, so a forgotten zone assignment commits cleanly and then looks like a dead link rather than a policy problem:
  • set security zones security-zone <zone-name> interfaces reth2.nnn
Step 6: Check the new configuration and commit (the configuration is shared, so a commit on either node is synchronised to the other over the control link):
  • top
  • show | compare rollback 0
  • commit
After the commit, "show chassis cluster interfaces" should list reth2 as Up in its redundancy group, and "show interfaces terse reth2" should show the new unit up on the primary node.
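Before you commit, it is worth linting the set commands for the mistakes that either fail at commit time or, worse, commit cleanly and leave the link dead. The following is an added example, not code from the original post or from Juniper: it parses a Junos set-format snippet and checks the reth-count, the one-child-per-node rule, the redundancy group, VLAN tagging and zone membership. The snippet is the post's commands with constructed placeholders filled in (routing instance VR1, zone trust, VLAN 100), and the node 1 FPC offset of 8 is an assumption taken from the post's ge-8/0/2; it differs between SRX models.

```python
import re
from collections import defaultdict

# Constructed set-format snippet: the post's commands with the placeholders
# filled in (instance VR1, zone trust, VLAN 100). Not taken from a real SRX.
NEW_RETH = """\
set chassis cluster reth-count 3
set interfaces ge-0/0/2 gigether-options redundant-parent reth2
set interfaces ge-8/0/2 gigether-options redundant-parent reth2
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 vlan-tagging
set interfaces reth2 unit 100 vlan-id 100
set interfaces reth2 unit 100 family inet address 1.1.1.1/24
set routing-instances VR1 interface reth2.100
set security zones security-zone trust interfaces reth2.100
"""

# FPC number at which node 1's interfaces start. This is platform dependent;
# the post's ge-8/0/2 implies 8 on that chassis, so 8 is assumed here.
NODE1_FPC_OFFSET = 8


def lint_reth_config(set_text, node1_fpc_offset=NODE1_FPC_OFFSET):
    """Return a list of problems in a set-format reth snippet (empty == clean)."""
    reth_count = None
    children = defaultdict(list)    # reth -> [(node, physical interface)]
    units = defaultdict(set)        # reth -> {unit numbers}
    vlan_units = defaultdict(set)   # reth -> {units that carry a vlan-id}
    tagged, grouped, zoned = set(), set(), set()

    for raw in set_text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"set chassis cluster reth-count (\d+)", line):
            reth_count = int(m.group(1))
        elif m := re.fullmatch(
            r"set interfaces ((?:ge|xe)-(\d+)/\d+/\d+) (?:gig)?ether-options "
            r"redundant-parent (reth\d+)", line):
            # Node is derived from the FPC number, as the cluster renumbers node 1.
            node = 1 if int(m.group(2)) >= node1_fpc_offset else 0
            children[m.group(3)].append((node, m.group(1)))
        elif m := re.fullmatch(r"set interfaces (reth\d+) vlan-tagging", line):
            tagged.add(m.group(1))
        elif m := re.fullmatch(
            r"set interfaces (reth\d+) redundant-ether-options redundancy-group \d+", line):
            grouped.add(m.group(1))
        elif m := re.fullmatch(r"set interfaces (reth\d+) unit (\d+)( vlan-id \d+)?.*", line):
            units[m.group(1)].add(int(m.group(2)))
            if m.group(3):
                vlan_units[m.group(1)].add(int(m.group(2)))
        elif m := re.fullmatch(r"set security zones security-zone \S+ interfaces (\S+)", line):
            zoned.add(m.group(1))

    problems = []
    for reth in sorted(set(children) | set(units), key=lambda r: int(r[4:])):
        index = int(reth[4:])
        if reth_count is None or index >= reth_count:
            problems.append(f"{reth}: reth-count {reth_count} does not cover index {index} "
                            f"(need at least {index + 1})")
        nodes = sorted(node for node, _ in children[reth])
        if nodes != [0, 1]:
            problems.append(f"{reth}: needs exactly one child interface per node, "
                            f"have {children[reth]}")
        if reth not in grouped:
            problems.append(f"{reth}: no redundant-ether-options redundancy-group")
        if vlan_units[reth] and reth not in tagged:
            problems.append(f"{reth}: units {sorted(vlan_units[reth])} carry a vlan-id "
                            f"but vlan-tagging is not set")
        for unit in sorted(units[reth]):
            ifl = f"{reth}.{unit}"
            if ifl not in zoned:
                # Zoneless interfaces commit fine; the SRX just drops their traffic.
                problems.append(f"{ifl}: not in any security zone, traffic will be dropped")
    return problems


if __name__ == "__main__":
    print(lint_reth_config(NEW_RETH) or "clean")
    print(lint_reth_config(NEW_RETH.replace("reth-count 3", "reth-count 2")))
```

Feed it the output of "show configuration | display set" rather than your own snippet and it also catches a reth2 that was already half-configured by someone else. The zone check is the one that matters most from a security point of view: the SRX is default-deny per zone, so an interface outside every zone is not "open", it is simply dead.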

Monday, May 7, 2012

Ethernet over MPLS (EoMPLS) Cisco Configuration Made Simple

Ethernet over MPLS (EoMPLS) is part of Cisco's Any Transport over MPLS (AToM) and provides point-to-point L2 connectivity (a pseudowire) across an MPLS cloud. On the Catalyst 6500, if you want to run EoMPLS from an L3 VLAN interface (SVI-based EoMPLS), you need an OSM or Enhanced FlexWAN module on the MPLS core-facing interface; otherwise you configure PFC-based EoMPLS on a physical interface or sub-interface. This example uses PFC-based EoMPLS on Cisco IOS 15.x, since most of us won't have the special line cards. Consider the network diagram below: we extend VLAN 10 across the MPLS cloud so that both servers share one L2 segment.



Here, we assume that basic MPLS configuration has been put in place. Configuring EoMPLS would be pretty straightforward.

On both PE1 and PE2 routers:
!

interface GigabitEthernet0/1.10
encapsulation dot1Q 10
xconnect 10.1.1.x 10 encapsulation mpls
no shut

!
Replace 'x' above with the peer PE's router ID, i.e. x = 2 on PE1 and x = 1 on PE2. The address must be the peer's LDP router ID, set with "mpls ldp router-id" (normally a loopback), and it must be reachable through the MPLS core so that the targeted LDP session and the LSP to it come up. The VC ID (10 here) is what binds the two attachment circuits into one pseudowire, so it must be identical on both PEs; a mismatch simply leaves the VC DOWN.

On both CE1 and CE2 switches, let's assume Gi0/1 switch interface is used to connect to their respective PE routers.
!
Vlan 10
  name EoMPLS
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1Q
switchport mode trunk
!
interface GigabitEthernet0/2
description Host port
switchport mode access
switchport access vlan 10
!

To verify the pseudowire, enter "show mpls l2transport vc" on both PE routers: the VC should show UP, with the peer's router ID as destination and the same VC ID on both sides. The pseudowire carries the CEs' BPDUs, so CE1 and CE2 now form a single spanning-tree domain: "show spanning-tree vlan 10" on both CE switches should show exactly one root bridge for VLAN 10. Finally, both hosts should be able to ping each other in the same IP subnet. Remember that you have just extended a broadcast domain across the provider network, so whatever floods at L2 on one site floods on the other; keep the usual access-layer guards (BPDU guard, storm control, port security) on the host ports at both ends. For further details, refer to this Cisco article.
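The two-sided check described above is easy to get wrong by eye when there are dozens of VCs, so here is an added example, not code from the original post or from Cisco, that parses the summary table of "show mpls l2transport vc" from each PE and cross-checks every VC against the peer it points at: status UP, the peer is one of our PEs, and the peer has a VC with the same VC ID pointing back. The outputs are constructed in the shape of the IOS table, keyed by each PE's LDP router ID (10.1.1.1 and 10.1.1.2 as in the post), not captured from real routers.

```python
import re

# Constructed 'show mpls l2transport vc' summary tables, keyed by each PE's LDP
# router ID. The column widths mimic the IOS table; nothing here is captured.
HEADER = ("Local intf     Local circuit              Dest address    VC ID      Status\n"
          "-------------  -------------------------- --------------- ---------- ----------\n")


def vc_row(intf, circuit, dest, vcid, status):
    """Format one table row with the column widths used above."""
    return f"{intf:<15}{circuit:<27}{dest:<16}{vcid:<11}{status}\n"


PE_OUTPUTS = {
    "10.1.1.1": HEADER + vc_row("Gi0/1.10", "Eth VLAN 10", "10.1.1.2", 10, "UP"),
    "10.1.1.2": HEADER + vc_row("Gi0/1.10", "Eth VLAN 10", "10.1.1.1", 10, "UP"),
}

# A data row always ends in <IPv4 dest> <vcid> <status>; header and dashes do not.
VC_ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<circuit>.+?)\s+(?P<dest>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+(?P<vcid>\d+)\s+(?P<status>\S+)\s*$")


def parse_l2transport_vc(output):
    """Return the VC rows of a 'show mpls l2transport vc' table as dicts."""
    rows = []
    for line in output.splitlines():
        if m := VC_ROW.match(line):
            row = m.groupdict()
            row["vcid"] = int(row["vcid"])
            rows.append(row)
    return rows


def check_pseudowires(pe_outputs):
    """Cross-check every VC against the PE it points at.

    pe_outputs: {ldp_router_id: show output}. Flags a VC that is not UP, that
    points at a router we do not manage, or whose peer has no VC with the same
    VC ID pointing back. The last two are the mistyped VC ID or wrong peer
    address that leaves a pseudowire DOWN, or stitches a VLAN into the wrong site.
    """
    problems = []
    for router_id, output in pe_outputs.items():
        for vc in parse_l2transport_vc(output):
            tag = f"{router_id} {vc['intf']} VC {vc['vcid']} -> {vc['dest']}"
            if vc["status"] != "UP":
                problems.append(f"{tag}: status {vc['status']}")
            peer_output = pe_outputs.get(vc["dest"])
            if peer_output is None:
                problems.append(f"{tag}: peer is not one of our PEs")
                continue
            if not any(p["vcid"] == vc["vcid"] and p["dest"] == router_id
                       for p in parse_l2transport_vc(peer_output)):
                problems.append(f"{tag}: {vc['dest']} has no VC {vc['vcid']} pointing back")
    return problems


if __name__ == "__main__":
    print(check_pseudowires(PE_OUTPUTS) or "all pseudowires consistent")
    broken = dict(PE_OUTPUTS)
    broken["10.1.1.2"] = HEADER + vc_row("Gi0/1.10", "Eth VLAN 10", "10.1.1.1", 11, "DOWN")
    print(check_pseudowires(broken))
```

Because the check is keyed on router IDs you manage, a VC pointing at an address outside that set stands out immediately, which is the case you most want to catch: an L2 circuit that terminates somewhere you did not intend.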

Friday, April 13, 2012

Comparison between iSCSI and FCoE on Cisco Nexus

There is much confusion and debate over the choice between iSCSI and FCoE (Fibre Channel over Ethernet) for SAN storage, especially once you have invested in a Cisco Nexus data centre infrastructure. Both are well supported on Nexus, both can run concurrently with the data network traffic, and with the right MTU and QoS configuration you can even carry Jumbo and non-Jumbo frames side by side without packet loss or a performance penalty. This truly fulfils the promise of the "Unified Fabric Data Center".

The main advantage of iSCSI is its low cost and ease of implementation. You don't need any additional hardware in your existing servers; any server-class Gigabit Ethernet NIC will do, ideally one that supports TCP offload (not mandatory, but it takes the TCP work off the host CPU). Because iSCSI runs on top of TCP/IP, you may suffer a slight deterioration in performance from the added latency, especially when the traffic has to be routed over L3 hops. The flip side of being plain IP is that an iSCSI target is reachable from anywhere that has a route to it, so keep the storage traffic on its own VLAN or VRF and use initiator authentication (CHAP) rather than relying on the network alone.

FCoE, on the other hand, is Fibre Channel with only the bottom layers swapped out: native FC frames are encapsulated in Ethernet frames and carried over lossless 10GbE (Data Center Bridging, i.e. priority flow control and enhanced transmission selection) instead of FC cabling, so zoning, fabric login and the rest of the FC stack are unchanged. If you own existing FC infrastructure (e.g. Cisco MDS) and intend to "migrate", "converge" or "consolidate" onto Ethernet, FCoE is the natural choice: you map each VSAN to a VLAN on the lossless Ethernet-based Nexus and the two fabrics interoperate. Unlike iSCSI, FCoE is not routable, so it stays inside that L2 domain. Typically you need Converged Network Adapters (CNAs) in the servers, which combine Fibre Channel Host Bus Adapter (HBA) and Ethernet NIC functionality on the same card; a CNA presents one or more physical Ethernet ports, which eases the transition from FC to FCoE.

Below is a good comparison table between iSCSI and FCoE, taken from this NetApp site.


Thursday, March 29, 2012

Salary Increase for IT workers and managers in Singapore

According to this Hays report, salaries for mid- to senior-level IT roles in Singapore have increased by 15 to 20%, while lower-level IT roles have seen a salary increase of around 10%.

The report specifically highlights ongoing strong hiring for IT infrastructure professionals and managers. Since I'm in this profession, naturally I feel good about it.

Friday, March 23, 2012

Sabbatical leave reflection - Family, Relationship and Career

No technical posts this month, as I'm on sabbatical leave for the entire month of March. It's a moment of personal and career reflection. My company offers sabbatical leave as part of its talent retention programme for every 10 years of service. But it does come with a "price": I'm obligated to stay with my current company for at least another year. For me, the "price" is the career opportunity cost at a time when Singapore and the regional economies in Asia are still booming.

Before I decided to take the leave, I was still mulling over whether its benefits were worth the opportunity costs. It's one of my greatest dilemmas in life: pursuing a new jet-setting regional career with a big-name MNC, or staying at least another year (or probably longer) in the government sector with more family time. Frankly speaking, for the past couple of years, maybe because of my passion and expertise in IT infrastructure and security, I've had no lack of recruiters and head-hunters on LinkedIn (whom I've never met) "enticing" me with attractive high six-figure annual remuneration packages.

As my month-long leave finishes in a week, let me try to reflect on whether this was the "right" choice. My 6-year-old child was at risk of being diagnosed as dyslexic. Even at age 3-4, we could hardly understand what he was trying to say and express, and he had great difficulty remembering simple new words that we taught him repeatedly. (Unlike my younger 3-year-old, who could already speak in complete, logical sentences.) Since then, he had been on KKH's early childhood intervention programme. However, the therapy sessions were patchy at best and the progress was so slow that both my wife and I were concerned he could never catch up with his peers. We even thought of delaying his primary school enrolment by a year.

During these couple of months, I've worked closely with a newly assigned English literacy therapist who hailed from England, Teacher Ann. She was my son's favourite teacher, and she helped him improve his English literacy by leaps and bounds. She was encouraging and engaging. Both my son and I enjoyed her many lessons tremendously; they involved the fun actions of Jolly Phonics like ee-or (both hands on head), sh (finger across lips) and interactive reading. How I wished I had been taught this way when I was young! Hence, I had to re-learn English from her, so that I knew how to train my son. If I didn't do my part well, I would get an "earful" from her the following Monday. I supervised my child every evening for at least 30 minutes of writing, reading and phonics. The effort paid off. Before the intervention, his literacy score was only 26/100. In his latest assessment, his score was 81/100, which compares well to the median score of 50/100 among his peers in England (according to Teacher Ann). We were so happy and excited that we asked his other local teacher, Jacqueline (from NuturyIn), to put him in her K2 class (he was originally placed in K1, as he was behind his peers). But the class was full. Because she shared our joy, she decided to open a new K2 class just for us. We were so thankful and relieved. But it's not going to end our "intervention". We know we're in for the long haul, keeping him going until he can fully read and learn independently.

Meanwhile, I took a step back and reflected on my goals and objectives in life. I've started relating more to my loved ones and the people around me. I've also settled our wills and testaments in case both my wife and I "leave" this planet prematurely. We also went to Chiang Mai, Thailand, and had good spa/massage and hair treatments.

Come April, I'll be moving on to a new technical consultancy role within the same organisation. I still can't decide whether this is ultimately the right choice. But at least I have no "regrets" about my personal "achievements" this month; it was not "wasted", and it was something I probably couldn't and wouldn't do normally.

Thursday, February 16, 2012

BGP does not advertise iBGP-learned routes to eBGP peers?

A commonly quoted "rule" says that BGP does not advertise iBGP-learned routes to eBGP peers. Trusting it, I did not filter iBGP-learned routes towards my eBGP peers. I didn't realise my eBGP router did advertise these iBGP routes (not meant for transit) until our partner informed me and I verified it with "show ip bgp vpnv4 vrf VRF-name neighbors 1.1.1.1 advertised-routes". So, is the rule wrong?

As stated, yes. The real rule is iBGP split horizon: a route learned from one iBGP peer is not re-advertised to other iBGP peers (which is why iBGP needs a full mesh or route reflectors). A route learned from an iBGP peer is advertised to eBGP peers as a matter of course. The only thing that can hold it back is BGP synchronisation: when enabled, a route learned via iBGP must also be present in the IGP routing table before the router will use it or advertise it to an eBGP peer. So the misremembered rule is "true" only on a router with synchronisation enabled, and only for prefixes the IGP does not carry. Click here for an explanation.

In older Cisco IOS versions synchronisation is enabled by default; it is disabled by default in Cisco IOS Software Release 12.2(8)T and later. Turning it back on is a blunt instrument, though: it was designed for an AS that carries transit traffic through non-BGP routers, and it stops holding anything back the moment the prefixes show up in the IGP. If iBGP-learned routes are not meant to transit to another AS, say so explicitly with an outbound policy on the eBGP neighbour (a prefix-list or route-map, or tag the internal routes with the well-known no-export community when they enter BGP), then confirm with "advertised-routes" after the change. A route that leaves your AS is a route the partner can send traffic to, so treat the outbound policy as least privilege, not as an afterthought.
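The rules in the last two paragraphs are easy to mix up, so here is an added example, not code from the original post or from Cisco, that models just enough of a BGP speaker's outbound decision to show them side by side: iBGP split horizon, synchronisation against the IGP table, the well-known no-export community, and an explicit outbound policy per peer. The routes, the peer name "partner" and the community 65000:100 used to tag internal-only routes are constructed for the example; the model does not implement real BGP.

```python
from dataclasses import dataclass, field

NO_EXPORT = "no-export"   # well-known community: never advertised to eBGP peers


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str                          # "ibgp", "ebgp" or "local" (network/redistribute)
    communities: frozenset = frozenset()


@dataclass
class Speaker:
    """Just enough of a BGP speaker to decide what goes out to which peer."""
    synchronization: bool = False
    igp_prefixes: frozenset = frozenset()            # what the IGP currently carries
    # Hypothetical outbound policy: per peer, the communities whose routes are denied
    # (what a route-map with 'match community' + deny does on a real router).
    deny_communities: dict = field(default_factory=dict)

    def will_advertise(self, route, peer_type, peer="default"):
        """Return (advertised, reason) for one route towards one peer.

        peer_type is "ibgp" or "ebgp". Protocol rules are applied first, then
        the local outbound policy, in the order a router evaluates them.
        """
        # iBGP split horizon: the rule the post misremembered. It is about
        # iBGP peers, not eBGP peers.
        if peer_type == "ibgp" and route.source == "ibgp":
            return False, "iBGP split horizon: not re-advertised to iBGP peers"
        # Synchronisation only bites for iBGP-learned prefixes the IGP does not know.
        if (self.synchronization and route.source == "ibgp"
                and route.prefix not in self.igp_prefixes):
            return False, "synchronization: prefix not in the IGP"
        # Well-known no-export: the cheapest way to keep internal routes internal.
        if peer_type == "ebgp" and NO_EXPORT in route.communities:
            return False, "well-known community no-export"
        # Explicit outbound policy: the deterministic control.
        denied = self.deny_communities.get(peer, frozenset())
        if denied & route.communities:
            return False, f"outbound route-map for {peer}: community denied"
        return True, "advertised"


def advertised_routes(speaker, routes, peer_type, peer="default"):
    """What 'show ip bgp neighbors <peer> advertised-routes' would list."""
    return [r.prefix for r in routes if speaker.will_advertise(r, peer_type, peer)[0]]


# Constructed BGP table: one route from an iBGP peer, one from eBGP, and one
# internal route tagged at ingress with the hypothetical internal-only community.
ROUTES = (
    Route("192.0.2.0/24", "ibgp"),
    Route("198.51.100.0/24", "ebgp"),
    Route("203.0.113.0/24", "ibgp", frozenset({"65000:100"})),
)

if __name__ == "__main__":
    default_ios = Speaker()                      # 12.2(8)T and later: no synchronization
    print("default -> eBGP:", advertised_routes(default_ios, ROUTES, "ebgp"))
    print("default -> iBGP:", advertised_routes(default_ios, ROUTES, "ibgp"))
    synced = Speaker(synchronization=True, igp_prefixes=frozenset({"203.0.113.0/24"}))
    print("sync on -> eBGP:", advertised_routes(synced, ROUTES, "ebgp"))
    policy = Speaker(deny_communities={"partner": frozenset({"65000:100"})})
    print("policy -> partner:", advertised_routes(policy, ROUTES, "ebgp", "partner"))
```

The first line of output reproduces the surprise from the post: with synchronisation off, every iBGP-learned route goes to the eBGP peer. The synchronisation run shows why it is not a filter: the prefix that happens to be in the IGP is advertised anyway. Only the outbound policy (or no-export at ingress) gives a result that does not depend on what the IGP knows today.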