Friday, January 20, 2017

Investigating the MAC Address Table and SDM Templates


A really common troubleshooting approach we use when we have a device like an end-user PC that cannot reach some destination out on the network is to follow the path. As we follow that path during our troubleshooting, the first step along it is often the wiring-closet switch to which that end device is connected. What we might want to do is go to that switch and verify that the client's MAC address has been learned on the appropriate port. Let's see how we can take a look at the contents of the switch's MAC address table; we can do a
Ø  Sw1#show mac address-table

Notice that we got several static entries and a few dynamic entries. A static entry could be an entry that we made ourselves:
Ø  We could have entered it statically
Ø  We could have manually said that this MAC address lives off this port
However, notice that all of these ports say CPU: these MAC addresses are associated with the switch's processor. It looks like we have not statically entered any MAC address mappings, but we have dynamically learned a few.
Different switches have different capacities to store MAC addresses. Maybe a table fills up because we have a really, really large network with thousands of MAC addresses, but it could also be a security issue: sometimes an attacker sends a flood of frames into a switch, with each of those frames claiming to be from a different MAC address, and that can fairly quickly fill up the switch's MAC address table.
If that table fills to capacity, what happens when we add a new device to the switch? There is no room to learn the MAC address of that new device, so what happens when a frame comes in destined for that device?
Well, since the switch has not learned which port that MAC address lives on, to make sure the frame gets to the right place the switch is going to flood it. In other words, it's going to send a copy of that frame out of all other switch ports other than the port on which the frame was received, and that might allow the attacker to start capturing traffic; they could start sniffing the packets coming out of the different ports. We can prevent that attack with Port Security, which is a topic we talked about back in the CCNP SWITCH course.
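The two checks described above, finding the port on which a client's MAC was learned and noticing when one port is carrying far more dynamically learned MACs than a single host should, can be scripted against saved `show mac address-table` output. The following Python is an added example, not code from the post; the table text is a constructed sample in the layout the post describes (VLAN, MAC, type, port), and the threshold of three MACs per access port is an assumption for the sample, not a value from the post.

```python
import re
from collections import Counter

# Constructed sample in the layout of `show mac address-table` on a Catalyst
# switch; every MAC address and port here is made up for this example.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
   1    0011.2233.4455    DYNAMIC     Fa0/1
   1    0011.2233.4456    DYNAMIC     Fa0/2
  10    0000.5e00.0101    DYNAMIC     Fa0/3
  10    5c3a.4500.0a01    DYNAMIC     Fa0/3
  10    5c3a.4500.0a02    DYNAMIC     Fa0/3
  10    5c3a.4500.0a03    DYNAMIC     Fa0/3
  10    5c3a.4500.0a04    DYNAMIC     Fa0/3
Total Mac Addresses for this criterion: 9
"""

# One table row: VLAN (or "All"), dotted-hex MAC, STATIC/DYNAMIC, port name.
ENTRY_RE = re.compile(
    r"^\s*(?P<vlan>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>STATIC|DYNAMIC)\s+"
    r"(?P<port>\S+)",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return a list of (vlan, mac, type, port) tuples from the table text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["vlan"], m["mac"].lower(), m["type"].upper(), m["port"]))
    return entries


def find_port_for_mac(entries, mac):
    """The path-following check: on which port was this client's MAC learned?"""
    for _, m, _, port in entries:
        if m == mac.lower():
            return port
    return None


def dynamic_macs_per_port(entries):
    """Count dynamically learned MACs per port; static/CPU entries are excluded."""
    return Counter(port for _, _, typ, port in entries if typ == "DYNAMIC")


def find_flooded_ports(entries, max_expected):
    """Ports carrying more dynamic MACs than a single host port should."""
    counts = dynamic_macs_per_port(entries)
    return sorted(port for port, n in counts.items() if n > max_expected)


if __name__ == "__main__":
    entries = parse_mac_table(SAMPLE_MAC_TABLE)
    print("client 0011.2233.4455 learned on", find_port_for_mac(entries, "0011.2233.4455"))
    print("dynamic MACs per port:", dict(dynamic_macs_per_port(entries)))
    print("ports above 3 dynamic MACs:", find_flooded_ports(entries, max_expected=3))
```

Run against a real capture, `find_flooded_ports` is the report you would look at before deciding where a Port Security maximum is needed; the static CPU entries are deliberately left out of the per-port counts so they never trip the threshold.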
If the MAC address table is filling up not because of an attack but because we just have a large network with lots of interconnected switches, then to help prevent that table from filling to capacity we can make sure that if we have not heard from a device with one of those MAC addresses for a certain period of time, we age it out: we remove it from the MAC address table and can simply relearn the MAC address later. There is no need to keep MAC addresses for hours, days or possibly weeks, so what we can do is time out a MAC address entry if we haven't heard from that MAC address for a while. Here is a command we can issue to see how quickly we are aging out those entries:
Ø  Sw1#show mac address-table aging-time

It looks like on this Cisco 3750 Series switch the aging time is 300 seconds, or 5 minutes: I am aging out MAC address entries every 5 minutes if I have not heard from those MAC addresses within the last 5 minutes. Well, a Layer 2 switch makes a forwarding decision based on MAC addresses, but many of our switches are multilayer switches; they can make forwarding decisions based on other criteria, such as destination IP addresses, such as Quality of Service Access Control Entries or QoS ACEs, and we might have security ACEs, Security Access Control Entries, which make up a security ACL, an Access Control List. Many of our switches have a TCAM, or Ternary Content Addressable Memory,
that can help the switch make a forwarding decision based on criteria like that very, very rapidly. The TCAM can help the switch make a forwarding decision very efficiently because it combines Quality of Service entries, security Access Control Lists and IPv4 route information into an area of memory that can be queried when the switch wants to make a forwarding decision. Notice I said IP version 4: there is a way for the TCAM to support IPv6 routing, but it might not be enabled by default on your Cisco Catalyst switch. It's not enabled by default on a Cisco Catalyst 3750 Series switch, but it depends on what we want our switch to do:
Ø  Do we want to do IPv4 and IPv6 routing?
Ø  Do we want to keep track of lots of routes?
Ø  Do we want to support multiple routed interfaces?
Ø  Or would we rather it just learn lots and lots of MAC addresses?
We have a finite amount of resources in our TCAM, and we can reallocate those resources depending on what we want the switch to do and where it's going to be playing a role in our network. The great news is we've got some flexibility in how we allocate these resources: we can apply an SDM template.
SDM stands for Switch Database Management, and these templates tell the TCAM how to allocate its resources. For example, let's say we had a switch that needed to keep track of lots of VLANs or lots of MAC addresses but didn't need to do much, if any, routing. We would probably want the TCAM configured differently than on a switch we might have at the distribution layer or the core layer, where we might need to keep track of lots of IP routes.
To see what SDM template we are running right now, we can give this command:
Ø  Sw1#show sdm prefer
Right now it says we are running "desktop default"; that's the SDM template we are running, and it's the default on this switch. Notice:
Ø  It supports 8 routed interfaces
Ø  It supports 1024 VLANs
Ø  It supports a certain number of QoS entries
Ø  A certain number of security Access Control Entries
Ø  A certain number of IPv4 unicast routes
Notice this output doesn't say anything about IPv6, but there is a way, which I am going to demonstrate for you, to support IPv6 routing on this Cisco Catalyst switch. In fact, let's look at the command that lets us select the SDM template to use.
Ø  Sw1(config)#sdm prefer ?
We have got 5 options here:
Ø  Access: - The access SDM template might be appropriate for an access layer switch, where we know about lots of VLANs but are not doing much routing.
Ø  Default: - What we have by default; it gives us a mixture of support for some routing and the ability to know about several VLANs.
Ø  Dual IPv4 and IPv6: - This is going to add IPv6 routing support, and it's the SDM template we are going to apply in just a moment.
Ø  Routing: - A routing template might be appropriate for a distribution layer switch or core layer switch, where we need to keep track of multiple routes. But keep in mind that if you just say routing by itself, that only gives you IPv4 support; you are not routing IPv6 traffic.
Ø  VLAN: - If we have a lot of VLANs and those VLANs contain lots of devices, we might need to go with this template in order to store all of the MAC addresses.
Now let's say that we got a trouble ticket indicating this multilayer switch is unable to route IPv6 traffic. We might begin by asking what SDM template is applied right now and whether it gives IPv6 support. Let's go to global configuration mode:
Ø  Sw1(config)#sdm prefer dual-ipv4-and-ipv6 default
Now, when I do this it doesn't take effect immediately; let me prove that:
Ø  Sw1#show sdm prefer
You will see it still says desktop default, and if I try to configure IPv6 unicast routing it will not let me. Check this out:
Ø  Sw1(config)#ipv6 unicast-routing
It doesn't even know about the IPv6 command, because the change that I have made doesn't take effect until we reload. It says the template is going to be installed on the next reload, so let's reload the switch.
All right, the switch has been rebooted; let's see what our SDM template is now:
Ø  Sw1#show sdm prefer
This time it says "desktop IPv4 and IPv6 default", and now we see references to IPv6 in this output. Let's see if we can now enable IPv6 routing:
Ø  Sw1(config)#ipv6 unicast-routing
We now have IPv6 routing support by changing the SDM template, and that's one of the most common reasons we would change the SDM template. Another reason we might change this template is that we are running out of a specific resource and want to reallocate the TCAM resources. To see the current usage of the TCAM resources, we can give this command:
Ø  Sw1#show platform tcam utilization
Notice that we have columns for the maximum number of values the TCAM can accommodate for things like IPv4 QoS ACEs and IPv4 security ACEs. For example, it looks like I can support a maximum of 768 QoS Access Control Entries, and I am currently using 260 of those 768 available entries. If the numbers in the Used column are approaching the maximum values, that might be a concern to us.
One of the things that I would encourage you to do first, before just changing the SDM template, is to see if you can be more efficient in your configuration. For example, if you are running out of entries for IPv4 unicast indirectly connected routes, instead of changing the SDM template, see if route summarization can cut down the number of route entries you have. Think about ways to optimize the current configuration before changing the SDM template.
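The "Used approaching Max" check from the last two paragraphs is easy to automate across a fleet of switches once the `show platform tcam utilization` output is saved to a file. The Python below is an added example, not the post's own material; the sample output is constructed in the Masks/Values layout of a Catalyst 3750, with the 260/768 QoS ACE figures taken from the post and every other number made up, and the 80 percent warning threshold is an assumption chosen for the example.

```python
import re

# Constructed sample in the layout of `show platform tcam utilization` on a
# Catalyst 3750; only the 260/768 QoS ACE numbers come from the post, the
# rest are invented, including an indirectly-connected routes region that is
# close to full.
SAMPLE_TCAM_UTILIZATION = """\
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values

 Unicast mac addresses:                       784/6272          31/133
 IPv4 IGMP groups + multicast routes:         144/1152          12/29
 IPv4 unicast directly-connected routes:      784/6272          31/133
 IPv4 unicast indirectly-connected routes:    272/2176         250/2000
 IPv4 policy based routing aces:                0/0               0/0
 IPv4 qos aces:                               768/768          260/260
 IPv4 security aces:                         1024/1024          27/27
"""

# One region row: "<name>:  <max masks>/<max values>  <used masks>/<used values>"
ROW_RE = re.compile(
    r"^\s*(?P<name>.+?):\s+(?P<max_masks>\d+)/(?P<max_values>\d+)\s+"
    r"(?P<used_masks>\d+)/(?P<used_values>\d+)\s*$"
)


def parse_tcam_utilization(text):
    """Map each TCAM region name to (max_values, used_values)."""
    regions = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            regions[m["name"].strip()] = (int(m["max_values"]), int(m["used_values"]))
    return regions


def utilization_percent(regions):
    """Percent of value entries in use per region; zero-capacity regions are skipped."""
    return {
        name: round(100.0 * used / maximum, 1)
        for name, (maximum, used) in regions.items()
        if maximum > 0
    }


def regions_near_capacity(regions, threshold_percent=80.0):
    """Regions at or above the threshold, highest utilization first."""
    pct = utilization_percent(regions)
    return sorted(
        ((name, p) for name, p in pct.items() if p >= threshold_percent),
        key=lambda item: item[1],
        reverse=True,
    )


if __name__ == "__main__":
    regions = parse_tcam_utilization(SAMPLE_TCAM_UTILIZATION)
    for name, p in sorted(utilization_percent(regions).items()):
        print(f"{name:45s} {p:5.1f}%")
    print("near capacity:", regions_near_capacity(regions))
```

On the sample, only the indirectly connected routes region is flagged, which is exactly the case where the post suggests trying route summarization before reaching for a different SDM template; the QoS ACE region sits at about a third of its capacity and is not reported.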

