Chainring Circus

Hacking the 7926G MIDlet Development

jud — Sun, 06 May 2012 20:10:11 +0000

Requirements
The hospital is forming our plan to handle closed loop medication administration. What that means to a patient is that their armband will scanned to verify who they are, then the medications will be scanned to verify what they are, then the medications will be administered. We are debating what hardware to purchase and how many items. This fall and winter we are due to upgrade our nurse call phones and the 7926G has become the front runner. The nurses carry it with them every where they go, and they are well cared for devices.

My boss came up with the idea of how to use the phones with our current crop of tablets. There will be a barcode on every computer with its’ name. The nurse will scan the barcode of their computer to associate their phone to the computer, then any scanned data will be sent to that associated computer. My boss wrote the listener for the Windows tablets and I wrote the code for the 7926G.

Below is an approximation of what I drew out on a sticky note. The goal was for the PC team to be able to trouble shoot the phone scanning program quickly and easily without intervention from third level help desk.

Test Server
In order to test I built this simple server to communicate with the phone while my boss worked on the Windows receiver.

cat SimpleServer.pl
#!/usr/bin/perl

use strict;
use warnings;

package SimpleServer;

use base qw(Net::Server);

sub process_request
{
#print qq(OK\n);
while () {
s/\r?\n$//;
print STDERR "Received [$_]\n";
print qq([OK]\n);
last if /quit/i;
}
}

SimpleServer->run(port => 3000);

Scanner MIDlet
You can download my source code here.

Creating a MIDlet project in NetBeans is left as an exercise for the reader, however, in order to be able to test the scanner on the emulator you need to add the shim to the project resources.

In order to deploy the MIDlet, do not include the libraries for the scanner shim.

Below are screen shots from the Scanner MIDlet.

The opening screen, a nurse scans the computer that they want to send data.

The result of a scanned barcoded IP address.

The Help screen.

For trouble shooting purposes I added a form for manual entry of the traget PC IP adress or hostname.

Also for trouble shooting purposes here is an alert with the phones’ IP address.

More trouble shooting, this time the target PC IP address.

Finally, there is checking to make sure that the target PC is actually listening. I catch the error and display this message for the end user.

This was a fun project, so much so that I spent more than a couple weekends working on it. I would like to thank a number of people from Cisco and our partner. Thanks to David Staudt, Riley MArsh, Louis Bell, Tony Godwin, Jim Stewart, Mike Hamblett, Jim Hooker and Conrad Price. They worked as a team to make sure I was able to develop this application quickly.

Hacking the 7926G MIDlet Deployment

jud — Sun, 06 May 2012 18:20:13 +0000

I really struggled with the deployment of MIDlets to the phone. What should have been simple, became convoluted because I did not change a mime type on the web server. As a result I emailed back and forth with my Cisco team to finally get it all worked out.

At first I developed my MIDlet on the emulator and tried to deploy it. When I ran into problems I was not sure if the errors were from the MIDlet or the environment, so I stepped back and tried to deploy a Cisco sample MIDlet. As a result I am going to walk through deploying the Cisco supplied DeviceSpecifics MIDlet. This is because you know it will work correctly on a 7926G so any errors or problems are of your own creation.

Phone Trace Settings
First you have to enable access to the phone from it’s web server. IN CUCM select the phone from the phone list and under “Product Specific Configuration Layout” set “Web Access” to “Full” and “Phone Book Web Access” to “Allow Admin.” You login will be username admin and password Cisco.

Next let’s set up the phone to log to your favorite logging server. Bring up your phone in a browser and choose Trace Settings. I set the “Java Module Trace Level” to “Debug” and checked the box to “Enable Remote Syslog.”

Web Server Setttings
Page 37 of the Developers Guide explains how to set up different web servers. I am using Apache on RHEL 5.6, so I made change to /etc/mime.types. When I first added the stanza to the file I did not notice that there was a second definition for “jar” and it wreaked havoc on my trouble shooting for days.

Add the following and be sure to comment out or removed the second definition.

text/vnd.sun.j2me.app-descriptor jad
application/java-archive jar
#application/x-java-archive jar

If you do not remove that definition you will get an error similar to the one below in the logs from the phone if you set the logging up right. I did not have the logging set to a high enough setting to catch these errors.

May 2 12:39:12 172.22.16.10 SEP-java: *********************Installer - xmlVendor = Cisco Systems, Inc.
May 2 12:39:12 172.22.16.10 SEP-java: Installer - info.suiteVendor = Cisco Systems, Inc.
May 2 12:39:12 172.22.16.10 SEP-java: 1. Vendor Name are equal
May 2 12:39:12 172.22.16.10 SEP-java: Installer - info.suiteVersion = 0.0.1
May 2 12:39:12 172.22.16.10 SEP-java: TEST - Installer - checkPreviousVersion - there is no previous version - RETURN
May 2 12:39:12 172.22.16.10 SEP-java: Installer step:2
May 2 12:39:12 172.22.16.10 SEP-java: Installer step:3
May 2 12:39:12 172.22.16.10 SEP-java: Installer step:4
May 2 12:39:12 172.22.16.10 SEP-java: Installer step:5
May 2 12:39:12 172.22.16.10 SEP-java: microedition.profiles is Native System Property
May 2 12:39:12 172.22.16.10 SEP-java: microedition.configuration is Native System Property
May 2 12:39:13 172.22.16.10 SEP-java: MIDletProxyList:setForegroundMIDlet()
May 2 12:39:13 172.22.16.10 SEP-java: MIDletProxyList:setForegroundMIDlet()
May 2 12:39:13 172.22.16.10 SEP-java: MIDletProxyList:setForegroundMIDlet()
May 2 12:39:13 172.22.16.10 SEP-java: REPORT: ** Error installing suite (38): JAR did not have the correct media type, it had application/x-java-archive

And even though it does not like the JAR file it goes ahead and adds it to the MIDlet list, as seen from below. That is the reason I thought it was being installed, because you see it in the list on the phone, and see it access the .jar on the web server.

May 2 12:39:21 172.22.16.10 SEP-java: Provisioning=0
May 2 12:39:21 172.22.16.10 SEP-java: dump_svc_cfg: name[0]:Missed Calls
May 2 12:39:21 172.22.16.10 SEP-java: dump_svc_cfg: name[1]:Voicemail
May 2 12:39:21 172.22.16.10 SEP-java: dump_svc_cfg: name[2]:Received Calls
May 2 12:39:21 172.22.16.10 SEP-java: dump_svc_cfg: name[3]:Placed Calls
May 2 12:39:21 172.22.16.10 SEP-java: dump_svc_cfg: name[4]:Personal Directory
May 2 12:39:21 172.22.16.10 SEP-java: dump_svc_cfg: name[5]:Corporate Directory
May 2 12:39:21 172.22.16.10 SEP-java: dump_svc_cfg: name[6]:DeviceSpecifics

And from the web server.

172.22.16.10 - - [02/May/2012:12:43:14 -0500] "GET /7926G/DeviceSpecifics/DeviceSpecifics.jad HTTP/1.1" 200 279 "-" "Profile/MIDP-2.0 Configuration/CLDC-1.1"
172.22.16.10 - - [02/May/2012:12:43:16 -0500] "GET /7926G/DeviceSpecifics/DeviceSpecifics.jar HTTP/1.1" 200 6326 "-" "Profile/MIDP-2.0 Configuration/CLDC-1.1"

.JAD File
Page 32 of the Developer’s Guide walks you through setting up a .jad for distribution. It will be located in the “dist” directory of the DeviceSpecifics NetBeans project. According to the Cisco documentation this is how the .jad file matches up to the IP Phone Service Coniguration found under
Device
–> Device Settings
—–> Phone Services

Service Name and MIDlet-Name must match exactly, including case and white space.

Service Version must match MIDlet-Version, or it can be left blank. If left empty the phone will attempt to download the JAD file every time it registers with CUCM as well as every time the MIDlet launches. If there is a version number, it will only download if the version number changes.

Service Type is set to Standard IP Phone Service.

Service Category is set to Java MIDlet.

Service URL is the URL where the .jad file is hosted.

ASCII Service Name and Service Description do not impact whether a MIDlet will run on a phone.

# cat DeviceSpecifics.jad
MIDlet-1: DeviceSpecifics,,com.cisco.sdk.specifics.PlatformMIDlet
MIDlet-Jar-Size: 6326
MIDlet-Jar-URL: DeviceSpecifics.jar
MIDlet-Name: DeviceSpecifics
MIDlet-Vendor: Cisco Systems, Inc.
MIDlet-Version: 0.0.1
MicroEdition-Configuration: CLDC-1.1
MicroEdition-Profile: MIDP-2.0

Install MIDlet
Finally we tell the phone to download the MIDlet. From the upper right of the Phone Configuration page, choose:
Related Links
–> Subscribe Unsubscribe Services
—–> Go

You should now have the DeviceSpecifics MIDlet installed on your 7925 or 7926 IP phone.

Hacking the 7926G Getting Started

jud — Sat, 05 May 2012 22:08:02 +0000

The past month I have been writing midlets for the 7926G Cisco IP phone. The interesting aspect of this phone for the hospital is that it has a barcode scanner built into the end of the phone. All of our nurses carry IP phones with them today and we are planning to replace all of them in the next six months, so a phone that doubles as a barcode scanner eliminates carrying an extra device. The whole process of getting a phone and a test CUCM took three weeks, but our Cisco account team came through whenever we needed.

In this post I would like to walk you through the set up of my development environment. First a list of links that will help get you started. Some will be referenced through out this post, others are just for education.

7926 Development Getting Started site

7926 Emulator Installation Guide

7926 Development Firmware Downloads

7926 SDK Download

Java MIDlet Developers Guide for Cisco Unified IP Phones

NetBeans IDE

If you are using Mac OSX then the installation guide above is not correct for the current NetBeans download. This is the appropriate directory.

superfly:Java_ME_platform_SDK_3.0 jud$ pwd
/Applications/NetBeans/NetBeans 7.1.1.app/Contents/Resources/NetBeans/mobility/Java_ME_platform_SDK_3.0

Below you can see that I put the Cisco 7926 skin right in that directory and unzipped. Everything will be put in the correct place if you do it from there.

superfly:Java_ME_platform_SDK_3.0 jud$ ls -1
Cisco7926Skin.zip
CiscoWirelessPhone.jar
DeviceSpecifics
ImageDemo
KeyCodeAPI
MockScannerAPI
ScannerSample
Updater.app
apps
bin
device-manager.app
docs
legal
lib
on-device
runtimes
toolkit-lib

Below I am testing the skin installation, notice how everything falls into place nicely.

superfly:Java_ME_platform_SDK_3.0 jud$ unzip -t Cisco7926Skin.zip
Archive: Cisco7926Skin.zip
testing: toolkit-lib/devices/ OK
testing: toolkit-lib/devices/Cisco7926/ OK
testing: toolkit-lib/devices/Cisco7926/conf/ OK
testing: toolkit-lib/devices/Cisco7926/conf/Cisco7926.properties OK
testing: toolkit-lib/devices/Cisco7926/conf/device.properties OK
testing: toolkit-lib/devices/Cisco7926/conf/modules OK
testing: toolkit-lib/devices/Cisco7926/conf/networkIndicatorOn.png OK
testing: toolkit-lib/devices/Cisco7926/conf/skin-7926-highlighted.png OK
testing: toolkit-lib/devices/Cisco7926/conf/skin-7926-normal.png OK
testing: toolkit-lib/devices/Cisco7926/conf/skin-7926-pressed.png OK
testing: toolkit-lib/devices/Cisco7926/default-state.xml OK
testing: toolkit-lib/devices/Cisco7926/NetworkIndicator.bean OK
testing: toolkit-lib/devices/Cisco7926/Screen.bean OK
testing: toolkit-lib/devices/Cisco7926/ScreenGraphics.bean OK
testing: toolkit-lib/process/ OK
testing: toolkit-lib/process/device-manager/ OK
testing: toolkit-lib/process/device-manager/conf/ OK
testing: toolkit-lib/process/device-manager/conf/Cisco7926.properties OK
testing: toolkit-lib/process/device-manager/device-adapter/ OK
testing: toolkit-lib/process/device-manager/device-adapter/Cisco7926.bean OK
testing: toolkit-lib/process/device-manager/device-adapter/Cisco7926.deviceProperties.bean OK
testing: toolkit-lib/process/device-manager/device-adapter/Cisco7926/ OK
testing: toolkit-lib/process/device-manager/device-adapter/Cisco7926/1.bean OK
No errors detected in compressed data of Cisco7926Skin.zip.

When you get everything installed correctly the option for a Cisco7926 is in the configuration menu.

Virtual Switching System (VSS)

jud — Sun, 18 Mar 2012 22:08:28 +0000

This post was tedious in the formatting and was one of the reasons I put off posting it. The notes were taken months ago put I was weary of posting it because of the time involved in formatting it. As a result this post could have been better, I just dreaded working on it. Either I have to find a new editor or this will be the last post of this variety with unordered lists and line items to make bulleted points.

A few months ago we replaced our cores with a pair of 6509Es. The night of go live we had trouble because of some decisions we made at the last minute, and these notes saved us. I hope you find them as useful as we did. These are my notes from the design guide.

Because this post turned out so long, I put what most people will want to see at the top, the configuration. My notes from the configuration guide follow.

Configuration

1. Define the domain ID.

VSS(config)# switch virtual domain 100

2. Set the switch number:

VSS(config-vs-domain)# switch 1

2a. Have the switches use virtual MAC addresses:

VSS(config-vs-domain)# mac-address use-virtual

2b. Check to make sure OOB is active and set to 480 seconds.

VSS# sh mac-address-table synchonize statistics !sh stats for OOB

3. Configure VSL port-channel

VSS (config-vs-domain)# exit

3a.
Standalone SW1:

no hw-module 1 oversubscription
no hw-module 2 oversubscription
int po1
switch virtual link 1
int rnage t1/1, t2/1
channel-gr 1 mode on

Standalone SW2:

no hw-module 1 oversubscription
no hw-module 2 oversubscription
int po2
switch virtual link 2
int rnage t1/1, t2/1
channel-gr 2 mode on

4. Convert to VSS mode:

VSS# switch convert mode virtual
(Switch will ask to reload)
(Reload)

5. Only the first time conversion is this needed, this merges only VSL-related configurations, they say you MUST execute this command:

VSS# switch accept mode virtual

6. Configure fast-hello for dual-active detection. (p.4-29)

! Enable fast-hello under VSS global config.
VSS(config)# switch virtual domain 100
VSS(config-vs-domain)# dual-active detection fast-hello

!Enable fast-hello at the interface level
VSS(config)# int gi1/5/3
VSS(config-if)# dual-active fast-hello

VSS(config)# int gi2/5/3
VSS(config-if)# dual-active fast-hello

! Confirm fast-hello
VSS# sh switch virtual dual-active fast-hello
VSS# remote command standby-rp show switch virtual dual-active fast-hello

Commands
These are some commands that I kept for handy reference.

sh vslp lmp neighbor

VSS#sh vsl lmp nei

Instance #2:

LMP neighbors

Peer Group info: # Groups: 1 (* => Preferred PG)

PG # MAC Switch Ctrl Interface Interfaces
---------------------------------------------------------------
*1 9999.aaaa.0000 1 Te2/5/4 Te2/5/4, Te2/5/5

sh switch virtual role

VSS#sh switch virtual role

Switch Switch Status Priority Role Session ID
Number Oper(Conf) Local Remote
------------------------------------------------------------------
LOCAL 2 UP 100(100) ACTIVE 0 0
REMOTE 1 UP 100(100) STANDBY 9111 9273

sh int vsl

VSS#sh int vsl

VSL Port-channel: Po1
Port: Te1/5/4
Port: Te1/5/5

VSL Port-channel: Po2
Port: Te2/5/4
Port: Te2/5/5

sh switch virtual

VSS#sh switch virtual
Switch mode : Virtual Switch
Virtual switch domain number : 100
Local switch number : 2
Local switch operational role: Virtual Switch Active
Peer switch number : 1
Peer switch operational role : Virtual Switch Standby

sh switch virtual redundancy
VSS#sh switch virtual redundancy
My Switch Id = 2
Peer Switch Id = 1
Last switchover reason = none
Configured Redundancy Mode = sso
Operating Redundancy Mode = sso

Switch 2 Slot 5 Processor Information :
-----------------------------------------------
Current Software state = ACTIVE
Uptime in current state = 14 weeks, 4 days, 14 hours, 34 minutes
Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXJ1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Wed 22-Jun-11 18:03 by prod_rel_team
BOOT = sup-bootdisk:s72033-ipservicesk9_wan-mz.122-33.SXJ1.bin,12;
Configuration register = 0x2102
Fabric State = ACTIVE
Control Plane State = ACTIVE

Switch 1 Slot 5 Processor Information :
-----------------------------------------------
Current Software state = STANDBY HOT (switchover target)
Uptime in current state = 14 weeks, 4 days, 14 hours, 31 minutes
Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXJ1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Wed 22-Jun-11 18:03 by prod_rel_team
BOOT = sup-bootdisk:s72033-ipservicesk9_wan-mz.122-33.SXJ1.bin,12;
Configuration register = 0x2102
Fabric State = ACTIVE
Control Plane State = STANDBY

sh vsl rrp summ

VSS#sh vsl rrp summ
RRP Summary:
------------------------------------------------------------------------
RRP information for Instance 2

--------------------------------------------------------------------
Valid Flags Peer Preferred Reserved
Count Peer Peer

--------------------------------------------------------------------
TRUE V 1 1 1

Peer Valid Switch Status Priority Role Local Remote
Switch Group Number Oper(Conf) SID SID
---------------------------------------------------------------------
Local 0 TRUE 2 UP 100(100) ACTIVE 0 0
Remote 1 TRUE 1 UP 100(100) STANDBY 9111 9273

Peer 0 represents the local switch

Flags : V - Valid

sh mls cef

sh mls cef
Codes: decap - Decapsulation, + - Push Label
Index Prefix Adjacency
64 0.0.0.0/32 receive
! Removed for brevity

sh mac-address-table synchronize statistics

VSS#sh mac-address-table synchronize statistics

MAC Entry Out-of-band Synchronization Feature Statistics:
---------------------------------------------------------

Switch [1] Module [1]
-----------------------

Module Status:
Statistics collected from Switch/Module : 1/1
Number of L2 asics in this module : 1

! Removed for brevity.

sh switch virtual redundancy mismatch

VSS#sh switch virtual redundancy mismatch

No Config Mismatch between Active and Standby switches

redundancy reload peer

! Reload a switch from RPR mode to hot-standby
VSS#redundancy reload peer
! Did not get output.

Configuration Guide Notes Below

Virtual Switch Member Boot-up Behavior

Diagnostics
VSL Link Initialization
LMP Establishment
Role negotiation through RRP

Link Management Protocol (LMP)

Establishes and verifies bidirectional communication during startup and normal operation
Exchange switch ID
Sends hello packets to monitor health of VSL and peer

Role Resolution Protocol (RRP)

Determines the operational status of each switch member.

Virtual Switch Link (VSL)
Each member link must be configured configured in unconditional EtherChannel mode:
channel-group 12 mode on

Stateful Switch Over (SSO)

Enables supervisor redundnacy in a standalone 6000, keeping the backup
supervisor up to date.
State 13-Active If in active state the supervisor is responsible for forwarding
and managing the control plane. Manage control plane functions,
synchornizes the configuration and the protocols.
State 8-Standby Supervisor is synchronized with with the active. This is the
final state hot-standby supervisor.
SSO is the core of VSS, however VSS is a dual forwarding solution while the
control plane is managed by one supervisor.

Virtual Switch Prioroity

The first to boot will become active.
If simultaneous boot, lowest switch ID becomes active.
Highest priority wins, except highest priority switch will not become active unless preemption is enabled.
Default priority is 100.
Switch preemption should not be taken lightly.
- It forces multiple reboots of the VSS member.
- Cisco recommends _not_ configuring preemption.

Multi-chassis Etherchannel (MEC)

Preferred connectivity method using VSS.
Extends etherchannel to from multiple ports on one switch to multiple ports on two chassis.
Access-layer switches are configured with traditional etherchannel.
VSS with MEC is loop-free.

MEC Configuration

Do not explicitly create layer-2 MEC from the CLI, allow IOS to generate the interface.
Create a layer-3 MEC explicitly and associate the port-channel group under each member interface.
This syslog configuration command is recommended in VSS with MEC interfaces.

int po20
logging event link-status
logging event spanning-tree status

These hidden commands are now available in 12.2(33)SXH1

remote command switch test EtherChannel load-balance interface po 1 ip 1.1.1.1 2.2.2.2
show EtherChannel load-balance hash-result interface port-channel 2 205 ip 10.120.7.65 vlan 5 10.121.100.49

MAC Addresses

MAC address allocation is derived from the back plane EEPROM on each chassis, therefore a VSS instance has two pools. The VSS MAC address pool is determined by RRP. MAC address allocation does not change during a switch over event, however, MAC addresses will change in the event both switches reboot without the mac-address use-virtaul command. This avoids gratuitous ARPs.
When upgrading the change of MAC address for the default gateway can cause problems for hosts not capable of updating the default gateway ARP entry. It is typically cached for four hours.
MAC Out-of-Band Sync (OOB)
MAC addresses normally age out age out in a single chassis environment.
Depending upon the etherchannel hash MAC addresses have the chance to age out because they are not updated.
MAC OOB is designed to synchronize MAC addresses in all line cards of the VSS over the VSL.
In VSS trunk mode of a port-channel interfaces being desirable or undesirable does not act the same as in standalone mode. When a link member is brought on line it is not a separate negotiation, it is an addition to MEC. p.3-25

PAgP

The active switch is responsible for origination and termination of PAgP control plane traffic.
The same device ID is sent by both VSS switches so the end device assumes a single logical device.
Cisco recommends PAgP neighbors to be in desirable-desirable mode with the silent sub option.

LACP p. 2-37

In VSS it works for both layer-2 and layer-3 interfaces.
The recommended mode for LACP neighbors is Active-Active
During the EtherChannel bundling process LACP performs a configuration consistency check on each link trying to become a port-channel member.
If a port does not pass it is placed in a “lettered” system bundle.
The first etherchannel bundle contains the ports that passed the configuration check.
The second “lettered” bundle includes the ports that did not pass the configuration check.
Avoid using the min-links LACP command
Avoid LACP fast-hello in VSS

During failover and recovery the VSS might not be able to recover before the remote end declares VSS down. False positive.
Fast-hello as sent per link which can overrun a switch CPU in large deployments.

6500-VSS# show etherchannel 20 summary | inc Gi
Po20(SU) LACP Gi2/1(P)
Po20B(SU) LACP Gi2/2(P) ! Bundled in separate system-generated
! port-channel interface

Implementation Notes

Recommended to have one port from the supervisor and one from a line card, however, the have different queue structures and the etherchannel bundle would fail. To fix this turn on:

no mls channel-consistency

The Sup720-10G uplink port can be configured in one of two modes:

Default, Non-10g-only mode:

All supervisor ports have the same CoS queuing mode if any 10G port is used for VSL. VSL only allows CoS-based queuing.

Non-blocking, 10g-only mode:

All 1G ports are disabled, the entire module operates in non-blocking mode. 12.2(33)SXI allows non-VSL 10G ports to be DSCP based.

Resilient VSL Design Options (p2-18 thru 2-20)

Use the two 10G ports on the Sup720-10G supervisor.

Most common, does not provide optimal hardware diversity.

Use on 10G port on the Sup720-10G and another from a VSL capable line card.

Best for balancing cost and redundancy.

Use 10G ports on two separate VSL capable line cards.

Best option for flexibility but not as cost effective.

EtherChannel
Etherchannel is the fundamental building block of VSS. Traditionally load
sharing and failure are governed by STP, FHRP and topology (looped and
non-looped). In VSS Etherchannel replaces all three.

The etherchannel hash algorithm becomes more important to get right in VSS.
Layer-4 hashing is more random than layer-3 hashing.
Layer-2 hashing is not as efficient when all hosts are sending to a default
gateway.

There are a variety of etherchannel options in VSS.

VSS(config-if)# port-channel port hash-distribution X

By default the load-sharing hash method on all non-VSL etherchannel is fixed.

VLAN ID

Traffic optimized when:

With VSS it is possible to have more VLANs per closet.
Traffic might not be fairly hashed due to similarities such as default gateway or multicast traffic.

VSS# sh platform hardware pfc mode
VSS# sh etherchannel load-balance

Layer 3 and 4 Hash Tuning

dst-mixed-ip-port
src-dst-mixed-ip-port
rc-mixed-ip-port

For lower end switches:

Cisco Catalyst 4500

src-dst-ip

Cisco Catalyst 36xx, 37xx Stack, 29xx

src-dst-ip

Failures

Convergence

FHRP recovery default is 10 seconds, with tuning 900msec.

VSS 200msec convergence.

VSS Member Failures

Recovery is based on etherchannel, it detects the failure then rehashes the flow.

Core to VSS Failure

If all links fail from one VSS member to the core traffic will traverse the VSL.

Access Layer to VSS Failure

Traffic will flow over the VSL.

STP Loops and VSS

These issues can introduce a loop that STP might not block

Faulty hardware causes a missed BPDU
Faulty software cause high CPU load, preventing BPDU processing.
Configuration mistake
Non-standard switch implementation

VSS over comes these issues

Creates a loop free topology using MEC.
No FHRP needed, replaced by one logical node.

Unidirection Link Detection (UDLD)

Aggressive UDLD should _not_ be used as link-integrity check. VSS is by definition a loop-free topology.
STP protocols (RPVST+ and MST) converge faster than UDLD detects.

Spanning Tree Configuration with VSS

The root of the STP should always be VSS.
Loop guard is not needed.
The active switch is responsible for generating the BPDU.

Routing with VSS
Layer-3 MEC is the recommended design rather than ECMP.

Routing Protocols, Topology and Interaction

Two ways to connect VSS to the core:

Equal Cost Multipath (ECMP)
Layer-3 MEC

Link Failure Convergence

The higher the number of routes the longer ECMP takes to recover.
Because MEC failer detection is hardware based, it does not matter
the number of routes, the hardware will detect failure and adjust
traffic to the healthy link.
Advantage MEC.

Path availability during link failure

A single link failure in ECMP will result in path reprogramming.

Routing Protocol Interaction During Active Failure

When the active supervisore fails, the standby supervisor must reinitialize the routing protocol.
This can be mitigated with Non-Stop Forwarding (NSF) and the neighboring router must be NSF aware.
NSF must be enable on both the VSS and adjacent nodes.

VSS(config)# router ospf 100
VSS(config-router)# nsf cisco
VSS# sh ip osfp nsf

NSF configuration http://www.cisco.com/en/US/docs/ios/ha/configuration/guide/ha-nonstp_fwdg.html#wp1056927

Dual Active Detection (p. 4-29)

PAgP
Fast-Hello
BFD

Fast-Hello

Requires a dedicated physical port between the VSS nodes.
The dedicated link is not capable of carrying control-plan or user-data traffic.
During dual-active the that is configured to carry fast-hello is operational and continues
to exchange hellos. If the old-active continues to see hellos during
what it believes to be a failover state, then it knows dual-active has occurred.
The Sup720-10G 1Gb uplink ports can be used if the supervisor is not
configured in 10Gb on mode.

Configure fast-hello for dual-active detection. (p.4-29)

! Enable fast-hello under VSS global config.
VSS(config)# switch virtual domain 100
VSS(config-vs-domain)# dual-active detection fast-hello

!Enable fast-hello at the interface level
VSS(config)# int gi1/5/1
VSS(config-if)# no shut
VSS(config-if)# dual-active fast-hello

VSS(config)# int gi2/5/1
VSS(config-if)# no shut
VSS(config-if)# dual-active fast-hello

! Confirm fast-hello
VSS# sh switch virtual dual-active fast-hello
VSS# remote command standby-rp show switch virtual dual-active fast-hello

Using Bidirectional Forwarding Detection

BFD session establishment is the indication of dual-active condition.
Normally VSS would not be able to establish BFD with itself because it is one logical node.
BFD takes 20-25 seconds for detection.

Requires IP connectivity.
Needs IP processes and static route.

Configure BFD for dual-active Detection

VSS(config)# switch virtual domain 10
VSS(config)# dual-active pair interface gi1/5/1 int gi2/5/1 bfd
!
! Enable unique IP subnet and BFD interval on interfaces.
VSS(config)# int gi1/5/1
VSS(config-if)# ip add 192.168.1.1 255.255.255.0
VSS(config-if)# bfd interval 50 min_rx 50 multiplier 3
!
VSS(config)# int gi2/5/1
VSS(config-if)# ip add 192.168.2.1 255.255.255.0
VSS(config-if)# bfd interval 50 min_rx 50 multiplier 3
!
! The static route is automatically added.
! Confirm and monitor BFD.
VSS# sh switch virtual dual-active bfd
VSS# sh switch virtual dual-active summary

Dual-Active Recovery

Once the VSL connectivity is established RRP handles the negotiation.

OSPF Tuning

VSS(config)# router ospf 100
VSS(config-router)# nsf
VSS(config-router)# auto-cost reference bandwidth 20000
! Confirm OSPF
VSS# sh ip ospf neighbor detail
VSS# sh ip protocol

Long Time No Post

jud — Tue, 27 Dec 2011 00:15:41 +0000

I have been putting off this post because I didn’t really know what to say. So much has changed in the last six months I didn’t know how best to communicate what was going on in my life. Please understand that I am leaving out quite a bit of this story but I believe it needs to be told so that others will understand when they stumble across my blog.

Let’s start with some background. I have been working for the same employer for the last 8 years. It is a regional medical center and a great place to work. Before Fortune magazine stopped allowing non-profits to be on the “100 Best Places to Work” my employer made the list twice.

I started working at the hospital as a Programmer Analyst in early 2003 writing code that allowed hospital systems to communicate and was also the UNIX/Linux administrator. During this time I managed DNS/DHCP, most of the printing and portions of our email infrastructure on *NIX while also writing mostly TCL and Perl code.

When a Senior Network Engineer slot opened I applied and was promoted in early 2006. I earned my CCNA and began to learn quite a bit about networking. Shortly thereafter I decided I was ready to leave the hospital in order to learn more, but my wife loves working here, knows and trusts many of the doctors and made me promise that we would have our children at this hospital.

As a result of that promise to my wife I decided to work on my CCNP and started this blog, figuring both would help me get my next job. During that time I was selected for “50 for the Future” a two year management training program at the hospital and I finished my CCNP. I also became dedicated to my craft. As I learned more and more about networking, I began to understand how much I did not know and it became a joy to learn something new everyday. Not all of the lessons were fun at the time but I was learning so much I loved coming to work.

The next logical step was starting on my CCIE. It sounded like a great challenge and with a family now depending upon me, it was the next logical step for job security. It surely would allow me to get my next job and my promise to my wife was still not fulfilled. We had suffered through two miscarriages to get our first child, and our second child was born in April 2011.

With the birth of our second child my promise to my wife had been fulfilled and I was ready to leave. Literally the day after my second child was born I started applying for jobs. I was offered an interesting position in South Carolina working with a team that fit my goals. Some had their CCIEs and others were working toward their digits. I would fit right in and I knew it was the place for me, so I turned in my resignation. The wrinkle being that the hospital requests a 30 day notice for professional employees.

I had already spoken with my Director about leaving and he was gracious. I had spent $5,000 on my CCIE lab and the hospital had spent another $5,000, but my boss gave me the whole rack. Everything. I cannot describe how much that meant to me, I am truly grateful.

That day my Vice President asked me what it would take for me to stay and I told him I was chasing a dream. While I appreciated the offer and I knew the hospital was a great place to work, it was a goal I had set for myself and I felt I should leave in order to get the experience I needed.

Two weeks later I had both my AVP and VP stop by my desk within ten minutes of each other. My last day was drawing near and they wanted to discuss what it would take for me to stay. I declined a second time. I had made the decision to try to earn my CCIE and I did not want to let my family down. I believed that South Carolina offered me the best chance to achieve my goal.

My last day at the hospital came and went, but it was a tumultuous day. My AVP literally gave me a hug as I walked out the door for the last time and I cried in her arms.

I had a week off between jobs and I had lunch with friends to say goodbye, finished setting up the lab at home and packed. I made arrangements for long term housing in South Carolina and prepared to leave my family while we tried to sell our home.

Thursday evening of my week off I got a call on my cell phone. It was my VP and AVP calling to chat. The first question they asked was whether I was still in town or had I already left for South Carolina. Then they asked me to stay one last time. They had met with our CEO and Executive Vice President and wanted me to stay. I was floored. I had worked for nearly three years getting ready to leave. I had started down a road and I didn’t want to change direction.

But I did. My wife told me that I will never again be offered the chance to work at a company which knows neither what my job title will be nor what I will be doing, just that they want me to work for them. She was probably right.

I was offered the chance to make a difference working for a company that has been good to me and my family. It is a different challenge than what I had been working toward but an interesting one all the same. I am slowly settling into my new job as Technical Services Manager. Some of the changes I have made are for the better, some of the changes have not lasted and others have yet to be implemented, but I am still learning every day.

And so my goals are slowly evolving. It is hard to give up a goal that I have sacrificed so much to earn, without completing it. In the short term I will begin working toward my CCIP in the new year. Currently I do not have the time to complete the CCIE but I believe working toward my CCIP will keep my mind in networking and it will cover topics that I believe are needed if I decide to again try for my CCIE.

Thank you for reading. I plan to post more regularly in the coming year.

TestLab Script in AppleScript

jud — Sun, 14 Aug 2011 18:26:34 +0000

I got a new Mac Pro workstation at work and re-wrote some scripts to work on it. This morning I couldn’t find the script under the new file lay out, it was in /Applications so I decided I had better document the script so I don’t have to rewrite it if I can’t find it.

It uses the same script, tle, that I wrote a while ago, it just fires up iTerm instead of Gnome Terminal.

-- 2011-03-24
-- Jud Bishop

tell application "iTerm"
activate

-- If you don't have this you end up with two terminals
terminate the first session of the first terminal

set iterm to (make new terminal)

repeat with X from 1 to 6
set Y to "R" & X as string
tell iterm
make new session at the end of sessions
tell the last session
exec command "/usr/local/bin/tle " & Y & " testlab.chainringcircus.org"
set name to Y
end tell
end tell
end repeat

repeat with X from 1 to 4
set Y to "SW" & X as string
tell iterm
make new session at the end of sessions
tell the last session
exec command "/usr/local/bin/tle " & Y & " testlab.chainringcircus.org"
set name to Y
end tell
end tell
end repeat

repeat with X from 1 to 3
set Y to "BB" & X as string
tell iterm
make new session at the end of sessions
tell the last session
exec command "/usr/local/bin/tle " & Y & " testlab.chainringcircus.org"
set name to Y
end tell
end tell
end repeat

set the bounds of the first window to {0, 0, 1200, 900}

end tell

Does Google Hurt Efficiency?

jud — Sun, 31 Jul 2011 23:38:06 +0000

The other night we were doing a hardware upgrade on a cluster and testing. We were working with the command clusvcadm to relocate a service from one host in the cluster to another but the originating server kept getting power fenced. We assumed it was the command switches we were running so I went straight to the man page, my coworker went straight to google. Just for reference there is a 10 year difference in our ages, I grew up with man pages and it is a pet peeve of mine when either no man page exists or it is a terrible placeholder. I digress, through his search he came upon a webified man page while I was reading the man page. When I needled him about it his answer was, “But mine is nicely formatted and I can search the web page.” I was surprised, I can search the man page too, right in the pager and can even change man page viewers by changing the PAGER variable.

Three weeks ago I needed to bring up an https server on Ubuntu and spent 45 minutes googling around reading old, outdated or completely wrong howtos before finally going to help.ubuntu.com and 20 minutes later it was done.

The same thing happened over the past couple of weeks working with Xen and VirtualBox. I’ve toiled away looking at poorly written documentation and even mentioned it in my last Red Hat class. The instructor worked for Red Hat and took umbrage with my statement. He was amazed that I did not think Red Hat had great documentation, I was even more shocked that he considered their documentation more than rudimentary. Have a look for your self at the Red Hat documentation.

Just this week I was helping a friend who is the server and network administrator for a small school system configure the proper etherchannel load balancing for a server and he was frustrated at the Cisco documentation. I was astonished. It seemed that he was overwhelmed. He was stuck googling around trying find the “right” documentation rather than learning the layout of the Cisco documentation website.

The point of this post is that lately it seems I waste more time trying to find good information through searching on the web than trying to find the best source of information.

Service Provider Labs

jud — Thu, 09 Jun 2011 21:08:07 +0000

Running across the Hacking Cisco blog made me remember a similar site, CCIE18473.net. I actually spent about 30 minutes looking for that site and it was Tyson Scott from IPE that me helped find it.

I have added this site to my blogroll even though it is not a blog.

Routing Mnemonics

jud — Fri, 03 Jun 2011 13:28:50 +0000

I’ve been keeping track of some the mnemonics that I have come across or have figured out for myself. For instance in general, in layer 2 elections the lower priority usually wins, however, in layer 3 elections the higher priority usually wins.

Layer 2

LACP System Priority
2-bytes priority values followed by a 6-byte MAC address. Lowest system priority makes decisions about the etherchannel setup.

LACP Port Priority
LACP port priority is a 2-byte priority followed by a 2-byte port number. Lowest port priority is used to decide which ports are put in standby mode when not all ports can be put in etherchannel.

STP
Root bridge election, lowest bridge ID wins. Bridge ID consists of:
–2-byte bridge priority from 0-65,535 with a default of 32,768.
–6-byte MAC address
If the bridge priorities are equal, lowest MAC wins.

Root port, lowest root path cost.

Designated port — lowest root path cost or if equal use tie breakers:
1. Lowest root bridge ID
2. Lowest root path cost to root bridge
3. Lowest sender bridge ID
4. Lowest sender port ID

Frame Relay
DCE requires the clock rate, DCE, DTE, clock rate starts with a c and DCE is the one with a c in it.

Layer 3

HSRP
Active router election is based upon priority, highest priority wins. Default priority of 100 and a range of 0-255. Highest IP address on HSRP interface breaks ties.
Standby router is the second highest priority.

VRRP
Election of master is the router with the gateway IP address or if not a “real” IP address, the router with the highest priority. Priority ranges from 1 to 254 with 254 being highest, 100 is the default.

GLBP
Active virtual gateway (AVG) is elected by the highest priority value, tie breaker is the highest IP address in the group. Router priority is 1-255 with 255 being highest, 100 is the default.

OSPF DR/BDR Election
1. Highest priority wins.
2. Highest router ID breaks ties.
Priority range is 0-255 with 255 being highest, 1 is the default and 0 means the router will not participate in the election.

OSPF RID
1. router-id command wins.
2. If no router-id is set, the highest loopback address wins, even if it is not advertised and it is not advertised by default.
3. Highest physical address wins.

OSPF summary-address command or the range command.
The summary-address command is used on an ASBR and has an “S” in it, whereas the area range command is used on an ABR and does not have an “S” in it. Both commands are used to summarize routes.

OSPF ExStart
During ExStart of the OSPF packet exchange the neighbor with the highest RID will become the master and sets the DD sequence number.

DVMRP
An exception to the rule of Layer 2 lower takes priority and Layer 3 higher takes the priority. If two routers are the same distance from the source, the router with the numerically lower IP address becomes the designated forwarder for the network.

BGP best path mnemonic
We love oranges as oranges mean pure refreshment.

We — Weight (highest)
Love — LOCAL_PREF (highest)
Oranges — Originate (local)
AS — AS_PATH (shortest)
Oranges — Origin Code (IGP > EGP > Incomplete)
Mean — Med (lowest)
Pure — Paths (External > Internal)
Refreshment — RID (lowest)

Redistribution
RIP and any other protocol that has the letters R-I-P in it requires a seed metric, RIP, IGRP, EIGRP.

EIGRP MPLS VPN PE-CE SOO

jud — Tue, 31 May 2011 23:47:05 +0000

I couldn’t resist using all of those acronyms.
EIGRP – Enhanced Interior Gateway Routing Protocol
MPLS – Multiprotocol Label Switching
VPN – Virtual Private Networking
PE-CE – Provider Equipment – Customer Equipment
SOO – Site Of Origin

MPLS SOO
MPLS Fundamentals pp. 220-226

BGP->EIGRP and EIGRP->BGP

Advertisement of the SOO BGP extended community attribute is used to identify routes that have originated from a site so that they are not re-advertised back into the same site. Each SOO uniquely identifies the site and allows for the routes to be filtered. SOO filtering is configured at the interface level. It is commonly used when a site contains both VPN and back door links.

From the Cisco document:
The configuration of the SOO extended community allows MPLS VPN traffic to be filtered on a per-site basis. The SoO extended community is configured in an inbound BGP route map on the PE router and is applied to the interface with the ip vrf sitemap command. The SOO extended community can be applied to all exit points at the customer site for more specific filtering but must be configured on all interfaces of PE routers that provide VPN services to CE routers.