SSL certificates Apache / OpenSSL

A customer ordered a few web SSL certificates from a public certificate authority (in this case, Thawte). On one specific Windows server, Apache with OpenSSL is used. It took me some time to figure out the complete process for requesting and completing the certificate. This blog post covers the complete certificate process: from creating the certificate request through exporting the certificate chain to a PFX file.
The first part is about requesting the certificate:

Cisco Nexus 7000 OTV configuration

Another post, this time about the basic OTV configuration on a Nexus 7000.
The OTV configuration has to be made on a separate switch (or VDC) that has no SVIs configured for the VLANs you want to extend to the other site.
First of all, some terminology:
  • Edge device: the device that performs the layer 2 functions toward the internal network and handles the OTV transport to the other site(s).
  • Transport network: the (possibly layer 3) network that connects all the sites. This is your WAN connection, possibly managed by your service provider.
  • Join interface: the uplink interface on the edge device that connects to the transport network.
  • Internal interface: the interface on the edge device that connects to the internal network.
  • Overlay interface: a logical multi-access, multicast-capable interface. It encapsulates layer 2 frames in IP packets (this is the ‘MAC routing’).
  • Overlay network: a logical network that connects all sites together and uses MAC routing to interconnect them.
  • Site: your (layer 2) network at one location. In most cases this is one of your datacenters.
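To tie the terminology to a configuration, here is a basic multicast-mode OTV configuration for one edge device, added here as an example; it is not the configuration from the original post. The interface names, VLAN numbers, IP address and multicast groups are assumptions chosen for illustration. Each block is labelled with the term from the list above that it implements.

```cisco
! Added example: basic multicast-mode OTV on one Nexus 7000 edge device (OTV VDC).
! All numbers below are assumptions.
feature otv

! Site VLAN: used by edge devices within the same site to find each other.
! It is never extended. The site identifier is required on NX-OS 5.2 and later
! and must be the same on every edge device in this site.
otv site-vlan 99
otv site-identifier 0x1

! Join interface: the layer 3 uplink toward the transport network.
! IGMPv3 is needed because the data groups are SSM groups.
interface Ethernet1/1
  ip address 192.0.2.1/30
  ip igmp version 3
  no shutdown

! Internal interface: 802.1Q trunk toward the site's layer 2 network.
! It carries the VLANs to be extended plus the site VLAN.
interface Ethernet1/2
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 10-20,99
  no shutdown

! Overlay interface: the logical interface that does the MAC routing.
! The control group must be identical on all edge devices of the overlay.
interface Overlay1
  otv join-interface Ethernet1/1
  otv control-group 239.1.1.1
  otv data-group 232.1.1.0/28
  otv extend-vlan 10-20
  no shutdown

! Verification
show otv overlay
show otv adjacency
show otv vlan
show otv route
```

Remember the constraint from the text: this VDC must not own SVIs for VLANs 10-20; the SVIs for those VLANs live in another VDC (or switch) that is connected to the internal interface. `show otv adjacency` should list the edge device(s) at the other site once the control group is reachable over the transport network, and `show otv vlan` should show the extended VLANs as active.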

Nexus 2248TP FEX connected to a Nexus 7000: part 1 basic connection

Cisco published a configuration guide for connecting a Nexus 2248TP FEX to a Nexus 7000. I’ll explain the configuration process for basic FEX connectivity.
A FEX is a Nexus 2000 series switch. At a very high level, it is a switchport module in a separate 1U chassis that is configured and controlled from a parent Nexus 5000/7000. There is one drawback: the switchports on the FEX can only be used as host ports. It is not possible to connect other switches to a FEX port, because BPDU Guard is enabled by default and cannot be disabled. Switchports on the FEX can be used for layer 2 and layer 3 connections. For more information about the FEX itself I’ll refer to this link.
All configuration is done on the Nexus 7000 with NX-OS 6.0(1). In this scenario, the 2248TP FEX is connected to switchport ethernet 1/1 (a 10GE port) of the Nexus 7000 with a twinax cable.

First, let’s configure a switchport for the FEX:
switch(config)# int ethernet 1/1
switch(config-if)# switchport mode fex-fabric
Error: feature-set fex is not enabled
Okay, we have to install (!) and enable the fex feature set before we can continue:
switch(config)# install feature-set fex
switch(config)# feature-set fex
And try again to configure the fex-fabric mode:
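As an added example (not the configuration from the original post), here is the complete basic single-homed connection, carried through from the feature set to a working host port. It assumes the FEX is given number 101 and that the first host port is placed in VLAN 10; both numbers are assumptions, as is the description text.

```cisco
! Added example: Nexus 2248TP single-homed on a Nexus 7000, NX-OS 6.0(1).
! FEX number 101, VLAN 10 and the description are assumptions.
install feature-set fex
feature-set fex

! Fabric uplink: the 10GE port the FEX is cabled to (Ethernet1/1 in the text).
! "fex associate" binds this fabric port to FEX 101.
interface Ethernet1/1
  switchport
  switchport mode fex-fabric
  fex associate 101
  no shutdown

! Optional FEX-level settings
fex 101
  description "TOR-rack-12"

! Once the FEX is online, its ports appear on the parent as Ethernet101/1/x.
! They are host ports: BPDU Guard is on and cannot be turned off, so only
! servers/end hosts belong here.
interface Ethernet101/1/1
  switchport
  switchport access vlan 10
  spanning-tree port type edge
  no shutdown

! Verification
show fex
show fex 101 detail
```

After `fex associate`, the parent pushes its FEX image to the 2248TP and the FEX reboots; `show fex` shows it as Online only after that, so allow a few minutes before treating a missing Ethernet101/1/x interface as a problem.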

IP helper with ACL on SVI

Just another short post about IP helpers:
It took me a few minutes last week to figure out why my newly configured IP helpers were not working.
The starting config looked like this:

interface Vlan6
 description Voice VLAN
 ip address
 ip access-group Voice in
 ip helper-address
 ip helper-address
 no ip redirects
 no ip unreachables
 standby 6 ip
 standby 6 timers 1 2
 standby 6 priority 110
 standby 6 preempt
ip access-list extended Voice
 permit ip host
 permit ip host
 permit ip
 permit ip any host
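Here is an added example (not the post's own configuration) showing why an inbound ACL like the one above silently breaks the helper, with the weak ACL beside a corrected one. The host and subnet addresses in it are assumptions; the real entries from the post are not shown on this page.

```cisco
! Added example: inbound SVI ACL vs. ip helper-address. Addresses are assumptions.
!
! A DHCP DISCOVER from a client that has no lease yet is sourced from 0.0.0.0
! and sent to 255.255.255.255, UDP 68 (bootpc) -> 67 (bootps). The inbound ACL
! on the SVI is evaluated on that packet BEFORE ip helper-address relays it.
! Entries that only permit known host or subnet addresses never match a
! 0.0.0.0 source, so the implicit "deny ip any any" drops the request.

! Weak: only host/subnet entries, DHCP never matches
ip access-list extended Voice
 permit ip host 10.6.0.10 any
 permit ip 10.6.0.0 0.0.255.255 host 10.1.1.5
 permit ip any host 10.6.0.1
 ! implicit deny ip any any drops the DHCP DISCOVER here

! Corrected: permit the DHCP client-to-server exchange explicitly
ip access-list extended Voice
 permit udp any eq bootpc any eq bootps
 ! The SVI also runs HSRP (standby 6 ...): hellos from the peer arrive inbound
 ! on this interface too, so an inbound ACL must let HSRPv1 through as well,
 ! or both routers end up Active.
 permit udp any host 224.0.0.2 eq 1985
 permit ip host 10.6.0.10 any
 permit ip 10.6.0.0 0.0.255.255 host 10.1.1.5
 permit ip any host 10.6.0.1
 deny ip any any log

! Verification: the bootpc/bootps line should show match counters
show ip access-lists Voice
```

The `any eq bootpc any eq bootps` line also covers unicast renewals (client to server, same ports), so no second line is needed for them. The trailing explicit `deny ip any any log` is only there to make future mismatches visible in the log; it behaves the same as the implicit deny.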


Etherchannel – suspended port state

I’ve seen a few suspended ports in etherchannels lately. Not everyone is familiar with this port state, so let’s take a minute to talk about it:
There is one important rule when configuring etherchannels: all interfaces in the etherchannel need the same speed and duplex settings, the same trunking encapsulation (dot1q/ISL) or the same access VLAN in the case of access ports, the same STP cost and, last but not least, no etherchannel member port can be configured in a monitor session (SPAN port).

IP helper

We are all familiar with the IP helper command, which lets DHCP requests (broadcasts) pass through a router and reach the DHCP server as unicast packets. Pretty easy and simple. But the IP helper can do more!
When you have a network with multiple VLANs and you need to use the good old “net send” command from Windows computers to reach all computers on all VLANs, you have to configure the IP helper.

Bridging / IRB

This is just a summary of the bridging and IRB functions in Cisco routers and switches. The configuration on routers and switches is identical; only the interfaces differ (physical interfaces on routers, VLAN interfaces on switches).
If you have a network that is split in two by a router and both halves must remain one layer 2 network, you need the bridging functionality.
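An added example of the configuration the summary refers to, not taken from the original post: a router bridging two physical interfaces into one layer 2 network while still routing IP for that network through a BVI (IRB). The interface names and the address are assumptions; on a switch, per the text, the same bridge-group statements go under VLAN interfaces instead.

```cisco
! Added example: IRB on a router. Interface names and address are assumptions.
! Enable integrated routing and bridging and create bridge group 1.
bridge irb
bridge 1 protocol ieee
! Route IP for bridge group 1 through the BVI; all other protocols are bridged.
! Without "bridge irb"/"route ip" this would be pure transparent bridging.
bridge 1 route ip

! The two router interfaces that must behave as one layer 2 segment.
! They carry no IP address of their own; the BVI holds it.
interface FastEthernet0/0
 no ip address
 bridge-group 1

interface FastEthernet0/1
 no ip address
 bridge-group 1

! The BVI is the routed (layer 3) interface of bridge group 1 and acts as
! the default gateway for hosts on both physical interfaces.
interface BVI1
 ip address 192.168.1.1 255.255.255.0

! Verification
show bridge 1
show interfaces BVI1
```

`show bridge 1` lists the MAC addresses learned on each member interface, which is the quickest way to confirm that frames are actually being bridged between the two segments before checking IP reachability via the BVI.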

OSPF part 2

LSA Types
There are 6 commonly used (by Cisco) LSA types:

LSA type 1 (router LSA) updates describe the router itself: its interfaces in the area, the list of neighbor routers and the router ID (RID). The link-state ID (LSID) of a type 1 LSA is equal to the RID of the router that originated it.
LSA type 2 (network LSA) updates represent a transit subnet for which a DR has been elected. The LSID is the IP address of the DR’s interface on that particular subnet. Type 2 LSAs only exist on subnets with an active DR; on subnets without a DR (such as point-to-point links), type 1 LSAs are enough to build the topology database. Within one area, the topology is described by type 1 and 2 LSAs alone, so all routers can build the area’s topology table from just these two types. A “show ip ospf database” lists all received LSAs by type.


OSPF is a link-state routing protocol that uses factors such as link speed to compute the shortest path to each destination and decide which route is best.
Link-state routers maintain a common picture of the network and exchange link information during discovery and whenever the network changes.
OSPF is designed for large, scalable networks because of the following advantages:

  • Convergence speed
    • OSPF sends only routing changes instead of the entire routing table. Because the updates are small, they are flooded rapidly across the network
  • Support for VLSM
  • Network size
  • Use of bandwidth
    • OSPF uses multicast to advertise updates; LSUs (link-state updates) are small packets
  • Path selection
    • OSPF selects optimal routes using cost instead of hop count (as RIP does)
  • Member groupings
    • OSPF uses areas: the network is divided into smaller areas of routers, so fewer LSUs are sent and routing is more efficient. Every router in an area has the same topology table.

