Posts Tagged ‘Cisco’

Link Layer Discovery Protocol (LLDP)

November 17th, 2011

Several months ago I co-wrote a piece titled Cisco Discovery Protocol (CDP) Tag Team.  The article talks about CDP, walks through some working examples, and provides a view of what information the protocol advertises.  CDP is a great tool but it’s proprietary to Cisco network gear.  In the past, if you were using non-Cisco switches, you couldn’t leverage CDP in either direction (listen or advertise).

Today is the first look at a new vSphere 5 networking feature which is Link Layer Discovery Protocol – essentially CDP for every other switch vendor which supports this IEEE 802.1AB open standard.

Take a look at the images below which show a side by side comparison of LLDP and CDP from the vSphere Client perspective:

[Screenshots: LLDP and CDP properties side by side in the vSphere Client]

As you can see, there’s a lot of parity between the two protocols.  Each provides some very helpful information from the upstream physical network perspective.  Namely the identification of the switch and the port number.  From what I’ve seen so far, LLDP is a completely viable alternative to CDP.

In case you’re wondering where to configure LLDP or CDP on a vNetwork Distributed Switch, it’s an advanced setting of the vDS itself:

[Screenshot: vDS advanced settings showing the discovery protocol option]

Cisco Discovery Protocol (CDP) Tag Team

May 15th, 2011

For this blog post, I collaborated with Dawn Theirl (@KokopeIIi on Twitter) who is a Network Engineer in the San Francisco Bay Area.  Dawn performs a lot of hands-on work in her day to day role as a wired and wireless network guru.  We understand that CDP provides benefits for both the network and virtualization platform teams.  However, in larger or siloed environments, our two teams don’t necessarily know what the other is seeing in their dashboard.  Curiosity prevailed and here we are.  In this writing, Dawn and I will discuss CDP, its implementation, and what exactly is seen in each of our siloed roles using our respective management tools, as well as the benefits provided by both having and sharing this information.

CDP is a useful troubleshooting tool in networking. When given an IP of a host that someone has questions about and tracing the IP and MAC from a distribution layer switch down to the access layer, CDP info can tell you what switch to look at next. It is also useful if you don’t have an accurate network map to get an idea of how a network is physically laid out by learning what devices are physically connected to each other.  CDP operates at Layer 2 (Datalink) of the OSI model.  CDP packets are non-routable.

By default, CDP is enabled (and advertising) on Cisco switches and routers.  CDP is enabled and effectively configured as listen on ESX(i) vSwitches.  The value added by CDP benefits VMware administrators.  Looking at the CDP properties of each vmnic from the vSphere Client, CDP information is provided.  The most useful information is highlighted in yellow.  The name of the switch which the vmnic is cabled to as well as the port number on the switch that the network cable is connected to.  In access port configurations where 802.1Q VLANs are enabled, the VLAN field will also contain useful information:

[Screenshot: vmnic CDP properties in the vSphere Client]

From the Cisco switch point of view in the default configuration, we don’t see any information about the ESXi host or its vmnics.  This is because the vSwitch tied to the vmnic uplinks is in listen mode only (no advertising).  # show cdp neighbors is the command which would display information about other devices advertising information by way of CDP:

[Screenshot: show cdp neighbors output on the Cisco switch with the default ESXi configuration]

So out of the box, ESXi is configured to pull CDP information about the upstream network and this is quite valuable to have for implementation and troubleshooting.  However, there is an additional configuration which can be made on the ESXi host which will allow it to provide its own intrinsic data to the Cisco switch via CDP and that is by enabling CDP advertising.  This information is useful for troubleshooting which benefits both the network and virtual infrastructure teams by providing a method for close collaboration.  Let’s make the additional configuration change and note the additional information which is exposed by the ESXi host.

At the ESXi host DCUI, we can examine the CDP status of a vSwitch by issuing the command # esxcfg-vswitch -b vSwitch0.  Shown here, vSwitch0 is in listen only mode:

[Screenshot: esxcfg-vswitch -b vSwitch0 output showing listen mode]

Now let’s change the CDP mode for vSwitch0 to both (meaning both listen and advertise) and then verify the configuration change:

[Screenshot: CDP mode for vSwitch0 changed to both and verified]

At this point, both the Cisco switch and the ESXi host are listening and advertising which is mutually beneficial to the network and virtual infrastructure teams.  Nothing changes visibility wise on the ESXi side.  However, the network team is now able to receive and view CDP advertisements on their Cisco gear from the ESXi hosts.  Let’s take a look by issuing the > show cdp neighbors command on the Cisco switch.  Note a difference from when I ran this command earlier that we can view CDP neighbor information in either user or privileged mode on the switch.  With CDP advertisements enabled on the ESXi host, we’re able to see ESXi host information as well as the host vmnic uplinks and the respective ports they’re cabled to on the Cisco switch:

[Screenshot: show cdp neighbors output on the Cisco switch with ESXi advertising]

From the switch side I can see what ports the VMs are on. This can be useful as unless you put a description on a port with the host name every time something gets installed (and then moved), you don’t know what is connected on any given port without a lot of effort to backtrack a MAC address to an IP to a hostname.  Lots of information… you get the host name, what port it’s connected to on the switch and which NIC the host is using for that connection. Very useful for troubleshooting when a systems admin is questioning if there are problems on the network when a particular host is having issues. Usually the most the sys admin can tell you is what network the host is on and the network admin has to trace the IP and then the MAC address to find what port the host is on. With the CDP exchange, once you narrow down what switch the host is on, just issuing the “show cdp neighbors” command will tell you what port to focus on. One interesting note is the host advertises itself as a switch instead of a host.
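As an added example (not code from the post or its authors), the following Python turns the `show cdp neighbors` table described above into the host/vmnic to switch port map the network team is after, and diffs it against a documented cabling plan so a miscabled or non-advertising uplink stands out. The sample output, hostnames, ports and plan are constructed; the parser also handles the case where IOS wraps a long Device ID onto its own line.

```python
import re

# Constructed sample of `show cdp neighbors` output from a Cisco IOS switch after
# ESXi hosts were set to CDP mode "both" (hostnames, ports and platforms made up).
SAMPLE = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge, S - Switch

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
core-sw1.lab     Gig 1/0/48        164            S I      WS-C3750- Gig 1/0/1
esx01.lab        Gig 1/0/1         151            S        VMware ES vmnic0
esx01.lab        Gig 1/0/2         151            S        VMware ES vmnic1
esx02-with-a-very-long-hostname.lab
                 Gig 1/0/3         148            S        VMware ES vmnic0
"""

IFACE = r"[A-Za-z]{2,4} [\d/.]+"   # interface as IOS prints it, e.g. "Gig 1/0/1"
ROW = re.compile(rf"^(?P<dev>\S+)\s+(?P<local>{IFACE})\s+(?P<hold>\d+)\s+"
                 r"(?P<cap>[A-Za-z](?: [A-Za-z])*)\s+(?P<plat>.+?)\s+"
                 rf"(?P<port>{IFACE}|\S+)\s*$")

def parse_cdp_neighbors(text):
    """One dict per neighbor row; a Device ID wrapped onto its own line is joined."""
    rows, pending, in_table = [], None, False
    for line in text.splitlines():
        if line.startswith("Device ID"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        if pending:
            line, pending = pending + " " + line.strip(), None
        m = ROW.match(line)
        if m:
            rows.append({**m.groupdict(), "cap": set(m["cap"].split())})
        elif len(line.split()) == 1:
            pending = line.strip()   # wrapped Device ID; its fields come next
    return rows

def esxi_uplinks(rows):
    """(host, vmnic) -> switch port; ESXi advertises capability S, so match platform."""
    return {(r["dev"], r["port"]): r["local"]
            for r in rows if r["plat"].startswith("VMware")}

def check_cabling(observed, expected):
    """Diff the CDP-derived uplink map against the documented cabling plan."""
    findings = []
    for key, port in sorted(observed.items()):
        want = expected.get(key)
        if want is None:
            findings.append(f"{key[0]} {key[1]} on {port}: not in plan")
        elif want != port:
            findings.append(f"{key[0]} {key[1]} on {port}: plan says {want}")
    for key in sorted(set(expected) - set(observed)):
        findings.append(f"{key[0]} {key[1]} expected on {expected[key]}: not advertising")
    return findings
```

Feed it the pasted output of `show cdp neighbors` from each access switch and a plan dict keyed by (hostname, vmnic); anything returned by check_cabling is a cabling or CDP-mode discrepancy worth chasing before it becomes an outage.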

> show cdp neighbors detail provides some additional information about the host such as the build number and CDP version.  This detail is not quite as valuable for troubleshooting but nonetheless could come in handy for either a large enterprise or a smaller environment with consolidated roles:

[Screenshot: show cdp neighbors detail output on the Cisco switch]

Looking at the [advertised] Cisco Discovery Protocol output from the VM, important information seen is the switch name, IP address, vlan and port the host is connected to. Other things I can see are that the port is set to full duplex, and that it’s a switch vs. a router (don’t laugh, I’ve seen a router with a blade with a small number of ports used for a very small office.)

With the implementation details and benefits out of the way, let’s focus a bit on CDP strategy.  There are a few approaches to CDP which can be evaluated from labor, change management, and security primitives:

  1. Infrastructure implementation with default configurations – No changes required at implementation time providing the easiest and fastest deployment of ESXi in addition to providing CDP listen mode benefits from the virtual platform point of view.  The virtual platform remains secure while upstream network information is advertised to neighbors.
  2. Disable CDP globally, enable only as needed for the short term – Requires disabling CDP at implementation time in addition to change management time spent temporarily enabling and disabling CDP later on to aid troubleshooting.  Most secure from the network and virtual platform standpoint.
  3. Enable bidirectional CDP globally, always on – Requires enabling CDP both (listen and advertise) at implementation time thereby providing comprehensive information for troubleshooting later on.  Least secure; both network and virtual platform information is exposed by CDP advertisements to neighbors.

I’ve worked with organizations who implement one of, or a combination of, all three.  As with many design decisions, philosophy and justifications will vary.  A decision here could be made based on the size of the datacenter, distribution of roles, security approach, or the vertical which the business operates in (think regulatory compliance).  CDP is of course beneficial to network and virtual platform owners but it can also aid a hacker who has penetrated the environment thereby becoming a sharing recipient of the same network information.  Speaking for myself, I’ve gotten a lot of operational benefits while leveraging CDP for troubleshooting.  Network engineers often ask me to configure CDP for advertising on the host side.  What helps them ultimately helps me in a troubleshooting scenario and can ultimately shorten the time we spend focusing on an issue.  In customer facing or production environments, every minute of downtime costs and therefore counts.  My preference is to operate with CDP configured for listen on the host side.  This configuration provides the most bang for the buck as it is the default out-of-box configuration on both the Cisco and VMware side.  In other words, if you do nothing at all, you can reap major benefits with the native configuration when it comes time to troubleshoot or provide capacity and/or SPOF planning for network resources.  That’s my preference.  That said, I get the security side of the discussion and of course I’m not opposed to disabling CDP when compelling requirements or constraints exist.

Aside from the design decisions above, I would be remiss if I did not also mention a potential stability issue (categorize it as a potential risk in your design) I came across from Cisco. When enabling CDP or leaving CDP enabled in an environment, there is a known CDP issue which should be taken into consideration because it can cause a disruption of the network.  CDP Can Consume All Router Memory.  When a large number of CDP neighbor announcements are sent, it is possible to consume all memory of an available device. This causes a crash or other abnormal behavior. Refer to Cisco’s Response to the CDP Issue (Document ID: 13621) for more details.  This issue is quite old and may no longer be a threat with modern versions of IOS and NX-OS.

CDP is a wonderful tool.  However, one obvious weakness in the heterogeneous datacenter is that it is vendor specific to Cisco switches and routers.  Other networking vendors don’t support CDP and therefore cannot integrate with it.  A newer and similar vendor neutral protocol called LLDP (Link Layer Discovery Protocol) appears to fill the need for the other vendors which choose to support it.  At this time however VMware is not supporting LLDP, though at least one source claims it is on the VMware roadmap, which is a good thing.

In closing, I’d like to leave the audience with an Appendix style list of VMware and Cisco CDP commands, as well as a few links to additional Cisco resources on the web.  I would also like to thank Dawn for her contribution and eager willingness to collaborate with me on this article.

Update 11/17/11: Link Layer Discovery Protocol (LLDP) has been published

Appendix A: ESX(i) esxcfg-vswitch (or vicfg-vswitch) parameters:

-B or --set-cdp Set the CDP status for a given virtual switch. To set, pass one of “down”, “listen”, “advertise”, “both”.
-b or --get-cdp Print the current CDP setting for this switch.

Appendix B: Cisco switch commands (some require privileged mode):

cdp run Enables CDP globally (on by default).
cdp enable Enables CDP on an interface.
cdp advertise-v2 Enables CDP Version-2 advertising functionality on a device.
clear cdp counters Resets the traffic counters to zero.
clear cdp table Deletes the CDP table of information about neighbors.
debug cdp adjacency Monitors CDP neighbor information.
show cdp Displays global CDP information such as the interval between transmissions of CDP advertisements, the number of seconds the CDP advertisement is valid for a given port, and the version of the advertisement.
show cdp neighbors Displays information about neighbors.
show cdp neighbors detail Displays more detail about neighboring devices.
show cdp entry * Displays information about all devices.
show cdp interface [type number] Displays information about interfaces on which CDP is enabled.
show cdp traffic Displays CDP counters, including the number of packets sent and received and checksum errors.
cdp timer seconds Specifies frequency of transmission of CDP updates.
cdp holdtime seconds Specifies the amount of time a receiving device should hold the information sent by your device before discarding it.
no cdp run Turns off CDP globally.

Appendix C: Helpful CDP resources from Cisco and VMware:

Configuring Cisco Discovery Protocol (CDP)

Configuring Cisco Discovery Protocol on Cisco Routers and Switches Running Cisco IOS (Document ID: 43485)

Cisco Discovery Protocol (CDP) network information

Configuring the Cisco Discovery Protocol (CDP) with ESX

New Cisco Nexus 1000v Video

July 27th, 2009

I’m not sure what I like better – the informative video, or the fact that I can embed it neatly into my blog.

Please enjoy!

What I’m reading

December 31st, 2008

What I’m reading:

VMware Infrastructure 3:  Advanced Technical Design Guide and Advanced Operations Guide by Scott Herold, Ron Oglesby (formerly of GlassHouse, now with Dell, and bench presser of Lord knows how many pounds), and Mike Laverick. ISBN:  978-0971151086.

Ok, the truth is I’ve had the pre-release Author’s Edition of this book since February of 2008 and I had read a few chapters, but I haven’t read the final copy cover to cover like a book of this calibre warrants.  I picked up the final copy in September 2008 just before VMworld 2008.  If the author names sound familiar to you, well, they should.  Oglesby and Herold wrote the earlier version of this book a few years ago and it was dynamite!  Laverick joins the duo as a VMware Infrastructure expert, VMware instructor, proprietor of RTFM Education, plus extensive Citrix experience (the man has paid his dues).  Lately, Laverick has been on a VMware Site Recovery Manager kick.  If you’re getting into SRM, definitely check out Mike’s site where you’ll find valuable information plus the first and only book I’m aware of dedicated to SRM.

Expectations:  Advanced concepts.  Tips and tricks I won’t find in VMware documentation.  Real world scenarios from the datacenter and classroom.  At just over 800 pages, I would have been able to devour this in a week or less in my younger days.  With a busy family and work life, I expect I’ll be chipping away at this book for a good month or more.  But it’s not a race.  What’s important is understanding and retention of the concepts.  I’m thinking about the VMware Certified Design Expert (VCDX) certification soon and hopefully this book will help in those studies.

What I’m watching:

VMware ESX Server training by Trainsignal.  Iman Jalali (Director of Sales and Support, Trainsignal) contacted me via Twitter and asked if I’d like to review a copy of Trainsignal’s latest VMware ESX video training.  Are you kidding me?  Just about anything VMware related I can get my hands on is a good thing.  Jalali did not ask for a blog review or even a mention, however, I appreciate his generosity as well as the generosity of Scott Skinger (Founder/President of Trainsignal) who comped me Microsoft Exchange Server 2003 video training back in 2007.

David Davis (from this and this, among other things) is the instructor of this 18+ hour 2-DVD series.  I’ve known (of) David for a few years from my participation at the Petri IT Knowledgebase.  David has a lot of positive energy and his certifications include CCIE (I’m not worthy sharing the same Oxygen as he) and VCP.  I very much look forward to watching this series.  One thing though guys (and this goes out to all the VMware book authors too):  With the virtualization landscape evolving so quickly, the versions and configuration maximums being raised by VMware almost quarterly, I wish you the best of luck keeping your material current!  That has to be a big challenge and somewhat of a frustration at the same time.

It is now time for my Pre-New-Years cheesecake.  As if I needed an excuse for cheesecake.

Oh yeah, Happy New Year!

Jas

VMware earns multiple Redmond Triple Crown awards

November 8th, 2008

The November 2008 issue of Redmond magazine, the independent voice for the Microsoft IT community and formerly known as Microsoft Certified Professional Magazine, is bubbling over with VMware virtualization news this month.  They have announced the 2008 Reader’s Choice Awards Triple Crown achievers.  The prestigious Triple Crown award is described by Redmond as follows:

“To recognize the dynasties in our annual Readers’ Choice competition, Redmond is introducing the “Triple Crown,” a new award for products that have won (at least) three Readers’ Choice honors in a row.”

VMware GSX Server (retired but replaced by the free VMware Server) won the Triple Crown in the “Best Virtual Server Product” category as well as taking “ISV Winner” honors.  Redmond goes on to explain GSX easily won over Microsoft Virtual Server 2005 which was the only other product in the category.  No surprises there.  Like today’s comparison of VMware ESX and ESXi to Microsoft Hyper-V, GSX Server was years ahead of Microsoft in terms of development.

VMware Workstation dominated the more competitive “Best Virtual PC Product” field (5 products) and, like VMware GSX Server, was also named “ISV Winner”.  Microsoft Virtual PC for Windows, a technology Microsoft bought its way into by purchasing from Connectix in February 2003 along with Virtual Server, was honorably mentioned as a runner up.  Microsoft came to the realization that the product they had been developing was not capable and started over from scratch.  VMware’s latest Workstation 6.5 offering is sure to continue embarrassing the competition with features like Unity and enhanced record and replay technology.

Read more about Redmond’s virtualization category and other categories here.

The same issue also contains three other VMware related articles:

  1. “Maritz: VMware’s Answer to Microsoft?”  An interview with VMware CEO Paul Maritz, whom they labeled “The Microsoft Menace” on the issue’s cover.
  2. “VMware Wants It All”  Editor In Chief Doug Barney talks about VMware’s future technology announcements and contemplates how they will fit together and whether they will work.
  3. “Cisco and VMware Collaborate on Next-Gen Data Center”  The companies’ new products could change the virtualization game.