Monthly Archives: July 2015

Cisco Supervisor Redundancy Convert RPR to SSO mode

With only one chassis (not recommended!), two supervisors still add some resiliency (maintenance windows, high availability, etc.) to your environment. There are two redundancy modes: RPR and SSO (plus Nonstop Forwarding (NSF) on top of SSO).

Operation

Route Process Redundancy (RPR)

  • the redundant supervisor only partially initializes and then pauses; it completes initialization and becomes active only if the active supervisor fails (all physical ports restart, so traffic is interrupted)
  • works in active/standby

Stateful Switchover (SSO)

  • an enhancement of RPR: the standby supervisor is kept fully initialized
  • works in active/hot-standby
  • synchronizes interface state to the standby
  • offers zero interruption to Layer 2 sessions on switchover (Layer 3 forwarding additionally needs NSF)

In both modes the following is replicated to the standby: startup and private configuration, config-register, boot variable and VLAN database.

Note: SSO is supported in Cisco IOS Release 12.2(20)EWA and later releases.

For my tests I used two Supervisor V cards in a 4510-R chassis, both running an old 12.2(18) code.

Plan

1. Configure RPR using 12.2(18)
2. Upgrade supervisors to 15.0(2)SG9
3. Migrate RPR to SSO

RPR Configuration

redundancy
 mode rpr
 main-cpu
 auto-sync standard

Checking the Redundancy state (active/standby)

Sw-4510R#show redundancy states
my state = 13 ACTIVE
 peer state = 4  STANDBY COLD
 Mode = Duplex
 Unit = Primary
 Unit ID = 2
 Redundancy Mode (Operational) = RPR
 Redundancy Mode (Configured)  = RPR
 Redundancy State              = RPR
 Maintenance Mode = Disabled
 Manual Swact = enabled
 Communications = Up
 (omitted)

The output of show redundancy changed slightly on 15.x code:

Sw-4510R#show redundancy domain default
Redundant System Information :
------------------------------
Available system uptime = 1 week, 4 days, 18 hours, 25 minutes
Switchovers system experienced = 0
Standby failures = 0
Last switchover reason = none

Hardware Mode = Duplex
Configured Redundancy Mode = RPR
Operating Redundancy Mode = RPR
Maintenance Mode = Disabled
Communications = Up

Current Processor Information :
-------------------------------
Active Location = slot 2
Current Software state = ACTIVE
Uptime in current state = 1 week, 4 days, 18 hours, 25 minutes
Image Version = Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASE-M), Version 15.0(2)SG9, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 25-Sep-14 05:01 by prod_rel_team
BOOT = bootflash:cat4500-ipbase-mz.150-2.SG9.bin,1;
Configuration register = 0x2101

Peer Processor Information :
----------------------------
Standby Location = slot 1
Current Software state = STANDBY COLD
Uptime in current state = 1 week, 4 days, 17 hours, 39 minutes
Image Version = Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASE-M), Version 15.0(2)SG9, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 25-Sep-14 05:01 by prod_rel
BOOT = bootflash:cat4500-ipbase-mz.150-2.SG9.bin,1;
Configuration register = 0x2101

Upgrading

After copying IOS 15.x to both supervisors, I reclaimed the free space in bootflash (the squeeze took around 10 minutes for both supervisors):

***** The system will autoboot in 5 seconds *****


 Type control-C to prevent autobooting.
 . .
 Autoboot cancelled......... please wait!!!
rommon 1 > [interrupt]

rommon 7 >dir bootflash:

   File size                  Checksum      File name
   --------------------------------------------------
  17130956 bytes (0x10565cc)  0x219ae893    cat4500-ipbase-mz.150-2.SG9.bin
  12486676 bytes (0xbe8814)   0xb1588783    cat4000-i5s-mz.122-25.EWA3.bin(deleted)
  13478072 bytes (0xcda8b8)   0xc06beffc    cat4500-entservicesk9-mz.122-31.SG.bin(deleted)
    966656 bytes (0xec000)    0x93180cd0    cat4500e-entservices-mz.122-46.SG.bin(invalid)

   Total space = 59244544 bytes, Available = 15181672 bytes
Sw-4510R#dir bootflash:
Directory of bootflash:/

    4  -rwx    17130956  Mar 12 2013 15:50:50 +01:00  cat4500-ipbase-mz.150-2.SG9.bin

Sw-4510R#squeeze bootflash: 
All deleted files will be removed. Continue? [confirm]
Squeeze operation may take a while. Continue? [confirm]
                     
Sw-4510R#squeeze slavebootflash: 
All deleted files will be removed. Continue? [confirm]
Squeeze operation may take a while. Continue? [confirm]

Converting from RPR to SSO mode forces a reload of the standby supervisor:

Sw-4510R(config)#redundancy
Sw-4510R(config-red)#mode sso
Changing to sso mode will reset the standby. Do you want to continue?[confirm]
Sw-4510R(config-red)#
Jul  1 2015 22:00:03.833: %C4K_REDUNDANCY-3-COMMUNICATION: Communication with the peer Supervisor has been lost
Jul  1 2015 22:00:03.865: %C4K_REDUNDANCY-3-SIMPLEX_MODE: The peer Supervisor has been lost

This is what the console of the standby supervisor looks like; you cannot execute any command on it:

***********************************
 *       STANDBY SUPERVISOR        *
 *     REDUNDANCY mode is SSO      *
 *        Continue bootup          *
 ***********************************
 (...)
 Sw-4510R-standby#show ?
 Standby console disabled.
 Valid commands are: exit, logout

Forcing a switchover to verify that SSO kicks in without interruption. Before doing this, check with show redundancy states that the peer state is STANDBY HOT and that both the configured and operational modes are SSO; a switchover while the peer is still STANDBY COLD behaves like RPR and restarts every port.

Sw-4510R#redundancy force-switchover
This will reload the active unit and force switchover to standby[confirm]
 Preparing for switchover..
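The pre-flight check described above, as an added example that is not part of the original post: it parses the output of show redundancy states (same format on 12.2 and 15.x) and lists every reason a redundancy force-switchover would not be hitless. The RPR sample is the output quoted earlier on this page; the SSO sample is constructed for this example (peer state code 8 STANDBY HOT is assumed, not captured from the post's switch).

```python
# Added example, not from the original post: a pre-flight check for
# "redundancy force-switchover" built on the "show redundancy states" output.
# Feed it the real output (pasted from the console or collected over SSH);
# the two samples below are embedded so the script runs offline.

# Sample 1: the RPR output quoted in the post (peer still STANDBY COLD).
RPR_STATES = """\
my state = 13 ACTIVE
 peer state = 4  STANDBY COLD
 Mode = Duplex
 Unit = Primary
 Unit ID = 2
 Redundancy Mode (Operational) = RPR
 Redundancy Mode (Configured)  = RPR
 Redundancy State              = RPR
 Maintenance Mode = Disabled
 Manual Swact = enabled
 Communications = Up
"""

# Sample 2: constructed for this example (not captured from the post's switch):
# the same command once the standby has reloaded and come up hot in SSO mode.
SSO_STATES = """\
my state = 13 ACTIVE
 peer state = 8  STANDBY HOT
 Mode = Duplex
 Unit = Primary
 Unit ID = 2
 Redundancy Mode (Operational) = SSO
 Redundancy Mode (Configured)  = SSO
 Redundancy State              = SSO
 Maintenance Mode = Disabled
 Manual Swact = enabled
 Communications = Up
"""


def parse_states(text):
    """Map each 'key = value' line of 'show redundancy states' to a dict entry."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def switchover_preflight(text):
    """Reasons a 'redundancy force-switchover' would NOT be a hitless SSO switchover.
    An empty list means: peer reachable, both modes SSO and the peer is STANDBY HOT."""
    f = parse_states(text)
    problems = []
    if f.get("Communications") != "Up":
        problems.append(f"communications with peer are {f.get('Communications')!r}, not Up")
    if f.get("Mode") != "Duplex":
        problems.append(f"mode is {f.get('Mode')!r}, not Duplex (no peer present)")
    for key in ("Redundancy Mode (Configured)", "Redundancy Mode (Operational)"):
        if f.get(key) != "SSO":
            problems.append(f"{key} is {f.get(key)!r}, not SSO")
    if "STANDBY HOT" not in f.get("peer state", ""):
        problems.append(f"peer state is {f.get('peer state')!r}, not STANDBY HOT (ports would restart)")
    if f.get("Manual Swact") != "enabled":
        problems.append(f"manual switchover is {f.get('Manual Swact')!r}")
    return problems


def ready_for_switchover(text):
    """True only when the preflight found nothing to complain about."""
    return not switchover_preflight(text)


if __name__ == "__main__":
    for label, output in (("RPR", RPR_STATES), ("SSO", SSO_STATES)):
        issues = switchover_preflight(output)
        print(f"{label}: {'OK, safe to force-switchover' if not issues else 'NOT ready'}")
        for p in issues:
            print("  -", p)
```

Run against the RPR sample it reports three problems (configured mode, operational mode and a cold peer); against the SSO sample it reports none. Wire it in front of the force-switchover in any automation so a cold or unreachable standby stops the job instead of restarting every port.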

 

Rescan NIC on Centos

After cloning a VM (CentOS 6) in VMware I was not able to use the NIC (eth0); after some research, it turned out it was still using the original VM's MAC address (00:0c:29:2c:a9:ae).

To solve it I did:

rm -f /etc/udev/rules.d/70-persistent-net.rules

Because this is my lab I can reboot my vservers whenever I want :), so I rebooted.

After the reboot I could see the correct MAC address assigned to my vserver:

# cat /etc/udev/rules.d/70-persistent-net.rules
# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.

# PCI device 0x8086:0x100f (e1000) (custom name provided by external tool)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:2c:a9:af", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

With HWADDR in ifcfg-eth0 set to the new MAC as well, the eth0 interface picked up the right MAC and I was able to communicate with my lab world :)

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=00:0C:29:2c:a9:af
TYPE=Ethernet
UUID=9e18221f-2e93-4326-8923-d3f834d15c62
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=10.0.0.100
NETMASK=255.255.255.0
GATEWAY=10.0.0.254
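The same fix as a repeatable script, added here as an example that is not part of the original post: it reads the MAC recorded in the persistent-net rule and in ifcfg-eth0, compares both with the MAC the cloned NIC really has, and rewrites the two files (keeping .bak copies) instead of deleting the rules file. The file paths, interface name and real MAC are parameters; the sample files are constructed from the contents shown above and written to a temporary directory so the script runs offline.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Added example, not from the original post. Reconciles a cloned CentOS 6 guest's
# udev persistent-net rule and ifcfg HWADDR with the MAC the cloned NIC really has,
# which is what the post fixes by deleting the rules file and rebooting. Paths, the
# interface name and the MAC are parameters so the functions can be run against
# copies; on a live system the files are /etc/udev/rules.d/70-persistent-net.rules
# and /etc/sysconfig/network-scripts/ifcfg-eth0, and the real MAC can be read from
# /sys/class/net/<iface>/address (or "ip link").

RULE_ADDR_RE = re.compile(r'ATTR\{address\}=="([^"]*)"')


def rule_mac(rules_path, iface):
    """MAC the persistent-net rule binds to NAME="iface" (lower-cased), or None."""
    for line in Path(rules_path).read_text().splitlines():
        if line.startswith("#") or f'NAME="{iface}"' not in line:
            continue
        m = RULE_ADDR_RE.search(line)
        if m:
            return m.group(1).lower()
    return None


def ifcfg_mac(ifcfg_path):
    """Value of HWADDR= in an ifcfg file (lower-cased), or None."""
    for line in Path(ifcfg_path).read_text().splitlines():
        if line.startswith("HWADDR="):
            return line[len("HWADDR="):].strip().lower()
    return None


def mac_mismatch(rules_path, ifcfg_path, iface, real_mac):
    """True when either file still records a MAC other than the real one,
    i.e. the state a fresh clone is in."""
    real = real_mac.lower()
    return rule_mac(rules_path, iface) != real or ifcfg_mac(ifcfg_path) != real


def reconcile(rules_path, ifcfg_path, iface, real_mac):
    """Rewrite both files to the real MAC, keeping .bak copies. Returns True if
    anything changed. The udev rule is edited rather than deleted; either way a
    reboot (or 'udevadm trigger') is still needed before the kernel names the NIC eth0."""
    real = real_mac.lower()
    if not mac_mismatch(rules_path, ifcfg_path, iface, real):
        return False
    rules, ifcfg = Path(rules_path), Path(ifcfg_path)
    shutil.copy2(rules, str(rules) + ".bak")
    shutil.copy2(ifcfg, str(ifcfg) + ".bak")
    fixed_rules = []
    for line in rules.read_text().splitlines():
        if not line.startswith("#") and f'NAME="{iface}"' in line:
            line = RULE_ADDR_RE.sub(f'ATTR{{address}}=="{real}"', line)
        fixed_rules.append(line)
    rules.write_text("\n".join(fixed_rules) + "\n")
    fixed_ifcfg = [f"HWADDR={real}" if l.startswith("HWADDR=") else l
                   for l in ifcfg.read_text().splitlines()]
    ifcfg.write_text("\n".join(fixed_ifcfg) + "\n")
    return True


def make_clone_fixture():
    """Constructed sample: copies of the two files as they look right after cloning,
    still carrying the original VM's MAC 00:0c:29:2c:a9:ae (from the post).
    Written to a temp dir; returns (rules_path, ifcfg_path)."""
    d = Path(tempfile.mkdtemp())
    rules = d / "70-persistent-net.rules"
    ifcfg = d / "ifcfg-eth0"
    rules.write_text(
        '# PCI device 0x8086:0x100f (e1000)\n'
        'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:2c:a9:ae", '
        'ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"\n')
    ifcfg.write_text("DEVICE=eth0\nHWADDR=00:0C:29:2C:A9:AE\nTYPE=Ethernet\nONBOOT=yes\n"
                     "BOOTPROTO=static\nIPADDR=10.0.0.100\nNETMASK=255.255.255.0\n")
    return str(rules), str(ifcfg)


if __name__ == "__main__":
    rules, ifcfg = make_clone_fixture()
    new_mac = "00:0c:29:2c:a9:af"   # the MAC VMware gave the clone, per the post
    print("mismatch before:", mac_mismatch(rules, ifcfg, "eth0", new_mac))
    print("changed:", reconcile(rules, ifcfg, "eth0", new_mac))
    print("mismatch after:", mac_mismatch(rules, ifcfg, "eth0", new_mac))
```

Editing the rule instead of removing the file keeps any other interface entries intact and makes the script idempotent: a second run with the same MAC reports no change. On a real clone, read the MAC from /sys/class/net/eth0/address (or the interface udev actually created, often eth1 on a fresh clone) before calling reconcile.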

Check Point launches vSEC for VMware NSX

Check Point brings its Security Gateways to the heart of VMware NSX; this provides:

  • Scalable micro-segmentation
  • Context-aware security policy
  • Ubiquitous security enforcement
  • Security automation and orchestration
  • Comprehensive control and visibility


Documentation

vSEC Controller R77.30 and vSEC Gateway R77.20VSEC Release Notes
vSEC Controller R77.30 and vSEC Gateway R77.20VSEC Administration Guide

References:

Check Point vSEC

Support Center vSEC

 

Mate’s license (Licensed Cores ) is not compatible with my license (Licensed Cores )

I've configured many clusters with Cisco ASA gear, but this time I got a strange message while bringing the cluster up (active/passive) on a pair of 5510s (code asa842-k8.bin).

Error message:

Mate’s license (Licensed Cores ) is not compatible with my license (Licensed Cores ). Failover will be disabled.
Understanding licensing models is always hard because of product evolution. Even with the same license (Security Plus) on both units, I wondered whether it could be because of the different number of AnyConnect seats. Generating a demo license didn't work either, so my last guess was to look at the release notes and, bingo, the units were affected by CSCtj87870.

After upgrading to 8.4(7) it worked!

Firewall 1

FW1# show activation-key
Serial Number: JMXyyyyyyyy
Running Permanent Activation Key: 0x0f19ee7b 0x2cf2fb8c 0x4ce23d7c 0xb0d4587c 0x013d09be
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual

This platform has an ASA 5510 Security Plus license.

The flash permanent activation key is the SAME as the running permanent key.

Firewall 2

FW2# show activation-key
Serial Number: JMXxxxxxxx
Running Permanent Activation Key: 0xfe13ca68 0xd8bc8063 0x697114e4 0xccd4b0c0 0x4004cbb6
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 50 perpetual
AnyConnect Essentials : 250 perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual

This platform has an ASA 5510 Security Plus license.

The flash permanent activation key is the SAME as the running permanent key.

FW1/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 110 maximum
failover replication http
Version: Ours 8.4(7), Mate 8.4(7)
Last Failover at: 19:24:17 GMT/BDT Jul 13 2015
This host: Primary - Active
Active time: 72212 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(7)) status (Up Sys)
Interface outside (185.11.166.209): Normal (Not-Monitored)
Interface inside (10.1.1.254): Normal (Not-Monitored)
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(7)) status (Up Sys)
Interface outside (0.0.0.0): Normal (Not-Monitored)
Interface inside (0.0.0.0): Normal (Not-Monitored)
slot 1: empty

Stateful Failover Logical Update Statistics
Link : FAILOVER Ethernet0/3 (up)
Stateful Obj    xmit       xerr       rcv        rerr
General         10714600   0          9605       1
sys cmd         9605       0          9605       1
up time         0          0          0          0
RPC services    0          0          0          0
TCP conn        265004     0          0          0
UDP conn        9540443    0          0          0
ARP tbl         488430     0          0          0
Xlate_Timeout   0          0          0          0
IPv6 ND tbl     0          0          0          0
VPN IKEv1 SA    3          0          0          0
VPN IKEv1 P2    146        0          0          0
VPN IKEv2 SA    0          0          0          0
VPN IKEv2 P2    0          0          0          0
VPN CTCP upd    0          0          0          0
VPN SDI upd     0          0          0          0
VPN DHCP upd    0          0          0          0
SIP Session     410969     0          0          0
Route Session   0          0          0          0
User-Identity   0          0          0          0

Logical Update Queue Information
Cur     Max     Total
Recv Q:         0       8       9606
Xmit Q:         0       122     10979540
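A check worth running before bringing a pair up, added here as an example that is not part of the original post: it parses show activation-key from both units, lists every licensed feature that differs, and reads the version pair and peer state from show failover. Which differences are tolerated depends on the ASA version (8.3 and later combine most licenses across a failover pair), so the script treats only the encryption license and the platform license as blocking; that rule is an assumption encoded in MUST_MATCH, to be checked against the release notes for your version. The inputs are trimmed copies of the outputs quoted above, embedded as constructed sample data so the script runs offline.

```python
import re

# Added example, not from the original post. Compares the "show activation-key"
# output of two ASA units and reads the peer state from "show failover", so a
# licence difference that would disable failover is visible before the pair is
# brought up. The inputs below are trimmed copies of the outputs quoted in the
# post (constructed sample data so the script runs offline).
FW1_KEY = """\
Serial Number: JMXyyyyyyyy
Licensed features for this platform:
Maximum VLANs : 100 perpetual
Failover : Active/Active perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Total VPN Peers : 250 perpetual

This platform has an ASA 5510 Security Plus license.
"""

FW2_KEY = """\
Serial Number: JMXxxxxxxx
Licensed features for this platform:
Maximum VLANs : 100 perpetual
Failover : Active/Active perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
AnyConnect Premium Peers : 50 perpetual
AnyConnect Essentials : 250 perpetual
Total VPN Peers : 250 perpetual

This platform has an ASA 5510 Security Plus license.
"""

SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER Ethernet0/3 (up)
Version: Ours 8.4(7), Mate 8.4(7)
This host: Primary - Active
Other host: Secondary - Standby Ready
"""

# "Feature : value perpetual" or "Feature : value 62 days" (time-based licences).
FEATURE_RE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>.+?)\s+(?:perpetual|\d+\s+days?)\s*$")

# Assumption encoded here (from Cisco's failover licensing rules for 8.3 and later):
# most licences are combined across the pair, but the encryption licence and the
# platform licence must be identical on both units. Verify against your release notes.
MUST_MATCH = ("VPN-3DES-AES",)


def parse_features(text):
    """Map feature name -> licensed value for every feature line."""
    feats = {}
    for line in text.splitlines():
        m = FEATURE_RE.match(line)
        if m:
            feats[m.group("name")] = m.group("value")
    return feats


def platform_license(text):
    """The 'This platform has an ... license.' line, or None."""
    m = re.search(r"This platform has an? (.+?) license\.", text)
    return m.group(1) if m else None


def diff_features(a_text, b_text):
    """Features whose value differs between the two units: name -> (unit A, unit B)."""
    a, b = parse_features(a_text), parse_features(b_text)
    return {n: (a.get(n), b.get(n)) for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)}


def blocking_mismatches(a_text, b_text):
    """Differences that must be fixed before failover can form (see MUST_MATCH)."""
    problems = [f"{n}: {v[0]} vs {v[1]}" for n, v in diff_features(a_text, b_text).items()
                if n in MUST_MATCH]
    pa, pb = platform_license(a_text), platform_license(b_text)
    if pa != pb:
        problems.append(f"platform license: {pa} vs {pb}")
    return problems


def failover_status(text):
    """Failover on/off, both software versions and the peer's state from 'show failover'."""
    status = {"on": re.search(r"^Failover On\s*$", text, re.M) is not None,
              "our_version": None, "mate_version": None, "peer_state": None}
    m = re.search(r"Version:\s*Ours\s+(\S+),\s*Mate\s+(\S+)", text)
    if m:
        status["our_version"], status["mate_version"] = m.group(1), m.group(2)
    m = re.search(r"^Other host:\s*\w+\s*[-\u2013]\s*(.+?)\s*$", text, re.M)
    if m:
        status["peer_state"] = m.group(1)
    return status


if __name__ == "__main__":
    for name, (v1, v2) in diff_features(FW1_KEY, FW2_KEY).items():
        print(f"{name}: FW1={v1} FW2={v2}")
    print("blocking:", blocking_mismatches(FW1_KEY, FW2_KEY) or "none")
    print("failover:", failover_status(SHOW_FAILOVER))
```

On the two outputs above the only differences are the AnyConnect Premium Peers and AnyConnect Essentials counts, neither of which is in MUST_MATCH, so the script reports no blocking mismatch; that matches the post's conclusion that the units were stopped by a software defect rather than by an incompatible license. Paste the full show activation-key output of each unit in place of the samples to use it on a real pair.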