Cisco DHCP with client-identifier 27 bytes

How do you configure the correct value for a DHCP reservation with a 27-byte client-identifier?

R1 will be the DHCP server, with a DHCP pool named SERVER3. The client MAC address will be aacf.a2e3.aaff.

Configuration on the client:

 interface Ethernet0/0
 mac-address aacf.a2e3.aaff
 ip address dhcp

The problem is to find the correct 27-byte value for the client identifier (vendor-xxxx.xxxx.xxxx-Interface).

The first option is to use a hex-to-ASCII converter found on the Internet.

The other is to use the debug output on the client, with the debug dhcp detail command, to find the correct value.

Now we shut down the interface and bring it back up (shutdown, then no shutdown) to trigger a DHCP negotiation.

The debug output shows the correct value:

Retry count: 1 Client-ID: cisco-aacf.a2e3.aaff-Et0/0
 Client-ID hex dump: 636973636F2D616163662E613265332E
 616166662D4574302F30

The Client-ID in the request, in ASCII: cisco-aacf.a2e3.aaff-Et0/0

In hexadecimal: 636973636F2D616163662E613265332E616166662D4574302F30

Now configure the DHCP pool on the server and prefix the hexadecimal value with 00, like this:

ip dhcp pool SERVER3
 host 192.168.30.103 255.255.255.0
 client-identifier 00636973636F2D616163662E613265332E616166662D4574302F30
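The conversion above can be done without an online converter. The following Python script is an added example, not code from the original post. It assumes the Client-ID format visible in the debug output (the ASCII string "cisco-<dotted mac>-<short interface name>") and that the server-side client-identifier is that string in hex with one leading 00 byte; the interface abbreviation table is an assumption beyond the single Ethernet0/0 -> Et0/0 case the page shows. It builds the value for the pool from the MAC and interface name, decodes a configured value or a debug hex dump back to ASCII, and reports the byte length.

```python
"""Build and decode the IOS DHCP client-identifier discussed above.

Added example, not code from the original post. Assumes the Client-ID
format seen in the debug output: "cisco-<dotted mac>-<short ifname>",
hex-encoded and prefixed with one 00 byte on the server side.
"""
import re

# Values copied from the debug output on the page.
CLIENT_ID_ASCII = "cisco-aacf.a2e3.aaff-Et0/0"
CLIENT_ID_HEX_DUMP = "636973636F2D616163662E613265332E616166662D4574302F30"

# Short interface names as IOS prints them in the Client-ID. Assumed table:
# the page only shows Ethernet0/0 -> Et0/0.
IF_ABBREV = {
    "Ethernet": "Et",
    "FastEthernet": "Fa",
    "GigabitEthernet": "Gi",
    "TenGigabitEthernet": "Te",
}


def short_ifname(ifname: str) -> str:
    """'Ethernet0/0' -> 'Et0/0'."""
    m = re.fullmatch(r"([A-Za-z]+)(\S+)", ifname)
    if not m:
        raise ValueError(f"unrecognised interface name: {ifname!r}")
    kind, rest = m.groups()
    if kind not in IF_ABBREV:
        raise ValueError(f"no known abbreviation for {kind!r}")
    return IF_ABBREV[kind] + rest


def client_id_ascii(mac: str, ifname: str, vendor: str = "cisco") -> str:
    """The ASCII Client-ID the IOS client sends (option 61 value, no type byte)."""
    mac = mac.lower()  # IOS prints the MAC in lowercase dotted hex
    if not re.fullmatch(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", mac):
        raise ValueError(f"MAC must be dotted hex like aacf.a2e3.aaff: {mac!r}")
    return f"{vendor}-{mac}-{short_ifname(ifname)}"


def client_identifier(mac: str, ifname: str) -> str:
    """Value for `client-identifier` under `ip dhcp pool`: 00 + hex(ASCII id).

    The leading 00 is the option-61 type byte; type 0 means the value is not
    a hardware address (RFC 2132, section 9.14), which is why the page adds it.
    """
    return "00" + client_id_ascii(mac, ifname).encode("ascii").hex().upper()


def decode_client_identifier(value: str) -> tuple:
    """Reverse direction: configured hex value -> (type byte, ASCII identifier)."""
    raw = bytes.fromhex(value)
    if len(raw) < 2:
        raise ValueError("client-identifier too short")
    return raw[0], raw[1:].decode("ascii")


def decode_hex_dump(hex_dump: str) -> str:
    """Decode the 'Client-ID hex dump' lines from debug dhcp detail (no type byte)."""
    return bytes.fromhex(hex_dump.replace(" ", "")).decode("ascii")


def identifier_length_bytes(value: str) -> int:
    """Length in bytes of the configured value: 27 for the page's example."""
    return len(bytes.fromhex(value))


if __name__ == "__main__":
    value = client_identifier("aacf.a2e3.aaff", "Ethernet0/0")
    print("ip dhcp pool SERVER3")
    print(" host 192.168.30.103 255.255.255.0")
    print(f" client-identifier {value}")
    print(f"! {identifier_length_bytes(value)} bytes, decodes to "
          f"{decode_client_identifier(value)[1]}")
```

Running the script prints the pool stanza from the page; `decode_hex_dump` accepts the two debug lines pasted together with a space, which is the quickest way to check a captured Client-ID against what is configured on the server.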

Now the client receives the IP address:

*Jul 23 17:44:36.638: DHCP: SRequest attempt # 1 for entry:
*Jul 23 17:44:36.638: Temp IP addr: 192.168.30.103 for peer on Interface: Ethernet0/0
*Jul 23 17:44:36.638: Temp sub net mask: 255.255.255.0
*Jul 23 17:44:36.638: DHCP Lease server: 192.168.30.13, state: 4 Requesting
*Jul 23 17:44:36.638: DHCP transaction id: B43
*Jul 23 17:44:36.638: Lease: 86400 secs, Renewal: 0 secs, Rebind: 0 secs
*Jul 23 17:44:36.638: Next timer fires after: 00:00:03
*Jul 23 17:44:36.638: Retry count: 1 Client-ID: cisco-aacf.a2e3.aaff-Et0/0
*Jul 23 17:44:36.638: Client-ID hex dump: 636973636F2D616163662E613265332E
*Jul 23 17:44:36.639: 616166662D4574302F30
<...>
*Jul 23 17:44:39.657: DHCP: Releasing ipl options:
*Jul 23 17:44:39.657: DHCP: Applying DHCP options:
*Jul 23 17:44:39.657: DHCP: Sending notification of ASSIGNMENT:
*Jul 23 17:44:39.657: Address 192.168.30.103 mask 255.255.255.0
*Jul 23 17:44:39.657: DHCP Client Pooling: ***Allocated IP address: 192.168.30.103
*Jul 23 17:44:39.730: Allocated IP address = 192.168.30.103 255.255.255.0
Client(config-if)#do sh ip int brief
 Interface IP-Address OK? Method Status Protocol
 Ethernet0/0 192.168.30.103 YES DHCP up up

Convert LWAPP to Autonomous AP

AP4403.xxxx.xxxx>en

Password: <= Cisco

AP4403.xxxx.xxxx#sh ver

Cisco IOS Software, C2600 Software (AP3G2-RCVK9W8-M), Version 15.2(2)JA, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Thu 23-Aug-12 02:43 by prod_rel_team

ROM: Bootstrap program is C2600 boot loader
BOOTLDR: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JA1, RELEASE SOFTWARE (fc1)

AP4403.a7a0.db3e uptime is 4 minutes
System returned to ROM by power-on
System image file is "flash:/ap3g2-rcvk9w8-mx/ap3g2-rcvk9w8-xx"

AP4403.xxxx.xxxx#debug capwap console cli
This command is meant only for debugging/troubleshooting
Any configuration change may result in different
behavior from centralized configuration.

CAPWAP console CLI allow/disallow debugging is on
AP4403.a7a0.db3e#

AP4403.a7a0.db3e(config)#ip defa
AP4403.a7a0.db3e(config)#ip default-g
AP4403.a7a0.db3e(config)#ip default-gateway 10.0.100.254
AP4403.a7a0.db3e(config)#int gi0
Not in Bound state.
AP4403.a7a0.db3e(config-if)#i
*Mar 1 00:06:53.019: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.nt gi0
AP4403.a7a0.db3e(config-if)#int gi0
AP4403.a7a0.db3e(config-if)#int gi0
*Mar 1 00:06:56.023: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.
*Mar 1 00:06:56.091: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.0.100.249, mask 255.255.255.0, hostname AP4403.a7a0.db3e

AP4403.a7a0.db3e(config-if)#ip add
AP4403.a7a0.db3e(config-if)#ip address 1
Translating "CISCO-CAPWAP-CONTROLLER.zed-network.fr"…domain server (10.0.100.1)0.
*Mar 1 00:07:04.019: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
AP4403.a7a0.db3e(config-if)#ip address 10.0.10
0.
*Mar 1 00:07:07.019: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.zed-network.fr
AP4403.a7a0.db3e(config-if)#ip address 10.0.100.200 255.255.255.0
% 10.0.100.0 overlaps with BVI1
AP4403.a7a0.db3e(config-if)#no sh
AP4403.a7a0.db3e(config-if)#
AP4403.a7a0.db3e(config-if)#
AP4403.a7a0.db3e(config-if)#
AP4403.a7a0.db3e(config-if)#exit
AP4403.a7a0.db3e(config)#end
AP4403.a7a0.db3e#ping
*Mar 1 00:07:28.527: %SYS-5-CONFIG_I: Configured from console by console10.0.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

AP4403.a7a0.db3e#archive download-sw /force-reload /overwrite tftp://10.0.100.1/ap3g2-k9w7-tar.default
examining image…
Loading ap3g2-k9w7-tar.default from 10.0.100.1 (via BVI1): !
extracting info (279 bytes)
Image info:
Version Suffix: k9w7-.153-3.JC
Image Name: ap3g2-k9w7-mx.153-3.JC
Version Directory: ap3g2-k9w7-mx.153-3.JC
Ios Image Size: 10322432
Total Image Size: 13384192
Image Feature: WIRELESS LAN
Image Family: AP3G2
Wireless Switch Management Version: 8.2.100.0
Extracting files…
ap3g2-k9w7-mx.153-3.JC/ (directory) 0 (bytes)
extracting ap3g2-k9w7-mx.153-3.JC/ap3g2-k9w7-mx.153-3.JC (215867 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/ap3g2-k9w7-tx.153-3.JC (73 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/ap3g2-bl-2600 (190140 bytes)!
extracting ap3g2-k9w7-mx.153-3.JC/ap3g2-bl-3600 (189183 bytes)!
ap3g2-k9w7-mx.153-3.JC/html/ (directory) 0 (bytes)
ap3g2-k9w7-mx.153-3.JC/html/level/ (directory) 0 (bytes)
ap3g2-k9w7-mx.153-3.JC/html/level/1/ (directory) 0 (bytes)

extracting ap3g2-k9w7-mx.153-3.JC/html/level/1/appsui.js (563 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/html/level/1/back.shtml (512 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/html/level/1/cookies.js (5032 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/html/level/1/forms.js (20442 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/HA5.bin (2049 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/B2.bin (10512 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/B5.bin (1995 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/Y2.bin (7008 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/Y5.bin (1555 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/8006.img (568619 bytes)!!!
extracting ap3g2-k9w7-mx.153-3.JC/triggerfish.jed (0 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/uart_firmware_upgrade.bin (18239 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/MCU.bin (8799 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/info (279 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/file_hashes (36832 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/final_hash (141 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/final_hash.sig (513 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/img_sign_rel.cert (1375 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/img_sign_rel_sha2.cert (1371 bytes)
extracting info.ver (279 bytes)
[OK – 13434880 bytes]

Deleting current version: flash:/ap3g2-rcvk9w8-mx…done.
New software image installed in flash:/ap3g2-k9w7-mx.153-3.JC
Configuring system to use new image…done.
Writing out the event log to flash:/event.log …
Requested system reload in progress…
archive download: takes 220 seconds

Write of event.log done

*Mar 1 00:13:17.647: %SYS-5-RELOAD: Reload requested by Exec. Reload Reason: Reason unspecified.
*Mar 1 00:13:17.647: %LWAPP-5-CHANGED: CAPWAP changed state to DOWN
IOS Bootloader – Starting system.
flash is writable
FLASH CHIP: Numonyx Mirrorbit (0089)
Xmodem file system is available.
flashfs[0]: 237 files, 8 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31997952
flashfs[0]: Bytes used: 13329408
flashfs[0]: Bytes available: 18668544
flashfs[0]: flashfs fsck took 16 seconds.
Reading cookie from SEEPROM
Base Ethernet MAC address: 44:03:a7:a0:db:3e
Ethernet speed is 1000 Mb – FULL Duplex
Loading "flash:/ap3g2-k9w7-mx.153-3.JC/ap3g2-k9w7-mx.153-3.JC"…#########################

File "flash:/ap3g2-k9w7-mx.153-3.JC/ap3g2-k9w7-mx.153-3.JC" uncompressed and installed, entry point: 0x2003000
executing…

Secondary Bootloader – Starting system.
Tide MB – 32MB of flash
Xmodem file system is available.
flashfs[0]: 237 files, 8 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31997952
flashfs[0]: Bytes used: 13329408
flashfs[0]: Bytes available: 18668544
flashfs[0]: flashfs fsck took 8 seconds.
flashfs[1]: 0 files, 1 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 12257280
flashfs[1]: Bytes used: 1024
flashfs[1]: Bytes available: 12256256
flashfs[1]: flashfs fsck took 1 seconds.
Base Ethernet MAC address: 44:03:a7:a0:db:3e

From the TFTP server:
May 5 19:53:52 srv1 in.tftpd[5529]: connect from 10.0.100.249 (10.0.100.249)
May 5 19:53:52 srv1 atftpd[5529]: Advanced Trivial FTP server started (0.7)
May 5 19:53:52 srv1 atftpd[5529]: Serving ap3g2-k9w7-tar.default to 10.0.100.249:50607
May 5 19:53:52 srv1 atftpd[5529]: Serving ap3g2-k9w7-tar.default to 10.0.100.249:55118
May 5 19:54:11 srv1 atftpd[5529]: timeout: retrying…
May 5 19:55:08 srv1 atftpd[5529]: timeout: retrying…


How to upgrade a C3Kx-SM10G module

First, download from the Cisco website the tarball matching your IOS version.

Example:

# sh version | i System image
System image file is "flash:/c3750e-universalk9-mz.152-1.E3.bin"

Upload the tarball to your flash, or upgrade directly over FTP. Here we use this file: c3kx-sm10g-tar.152-1.E3.tar

Then use this command:

switch#archive download-sw /leave-old-sw flash:/c3kx-sm10g-tar.152-1.E3.tar
examining image...
extracting info (99 bytes)
extracting c3kx-sm10g-mz.152-1.E3/info (501 bytes)
extracting info (99 bytes)
Stacking Version Number: 1.51
System Type: 0x00010002
 Ios Image File Size: 0x017AEA00
 Total Image File Size: 0x017AEA00
 Minimum Dram required: 0x08000000
 Image Suffix: sm10g-152-1.E3
 Image Directory: c3kx-sm10g-mz.152-1.E3
 Image Name: c3kx-sm10g-mz.152-1.E3.bin
 Image Feature: IP|LAYER_3|MIN_DRAM_MEG=128
 FRU Module Version: 03.05.03.IND3
Updating FRU Module on switch 2...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
All software images installed.

Reload the switch and the module will be upgraded.


How to simplify the configuration on your Cisco Nexus 5K

Port profiles reduce errors by applying the same configuration to many interfaces.

You create a port-profile and inherit it on your interfaces. Don't forget the max-port setting on your port-profile if you apply it to many interfaces.

port-profile type ethernet FREE
max-port 1024
shutdown
state enable
port-profile type ethernet ACCESS_PORT
max-port 1024
switchport mode access
spanning-tree port type edge
no cdp enable
no shutdown
state enable

Then you can use your port-profile on an interface and add, for example, the VLAN ID. This reduces the number of lines, and every interface gets the same commands each time.

interface eth101/1/1
inherit port-profile ACCESS_PORT
switchport access vlan 100

You can use this command to display the complete configuration:

sh run int eth101/1/1 expand-port-profile
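To see what expand-port-profile does, and why max-port matters, the following Python script is an added example (not Cisco code and not from the original post). It models the NX-OS behaviour described above: the profile's commands are applied to every inheriting interface, commands typed on the interface itself come afterwards so they add to or override the profile, a profile must be in state enable, and max-port caps how many interfaces may inherit it. The sample config is constructed in the page's flat style, with a deliberately small max-port so the limit can be exercised.

```python
"""Expand `inherit port-profile` into per-interface commands, the way
`show run interface ... expand-port-profile` presents them on NX-OS.

Added example, not Cisco code. Assumes: profile commands first, interface
commands after; `state enable` required; `max-port` enforced.
"""
from collections import defaultdict

# Constructed sample config in the page's style (max-port kept small on purpose).
SAMPLE_CONFIG = """\
port-profile type ethernet ACCESS_PORT
max-port 2
switchport mode access
spanning-tree port type edge
no cdp enable
no shutdown
state enable
interface eth101/1/1
inherit port-profile ACCESS_PORT
switchport access vlan 100
interface eth101/1/2
inherit port-profile ACCESS_PORT
switchport access vlan 200
"""

BLOCK_KEYWORDS = ("port-profile ", "interface ")


def parse_blocks(text):
    """Return [(header, [commands])] for each port-profile or interface block."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(BLOCK_KEYWORDS):
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(line)
        else:
            raise ValueError(f"command outside any block: {line!r}")
    return blocks


def expand_port_profiles(text):
    """Return {interface header: expanded command list}; raise on profile errors."""
    profiles = {}  # name -> {"max_port": int | None, "body": [...], "enabled": bool}
    interfaces = []
    for header, cmds in parse_blocks(text):
        if header.startswith("port-profile "):
            prof = {"max_port": None, "body": [], "enabled": False}
            for c in cmds:
                if c.startswith("max-port "):
                    prof["max_port"] = int(c.split()[1])
                elif c == "state enable":
                    prof["enabled"] = True
                else:
                    prof["body"].append(c)
            profiles[header.split()[-1]] = prof
        else:
            interfaces.append((header, cmds))

    inherit_count = defaultdict(int)
    expanded = {}
    for header, cmds in interfaces:
        from_profile, own = [], []
        for c in cmds:
            if c.startswith("inherit port-profile "):
                name = c.split()[-1]
                if name not in profiles:
                    raise ValueError(f"{header}: unknown port-profile {name}")
                prof = profiles[name]
                if not prof["enabled"]:
                    raise ValueError(f"{header}: port-profile {name} is not 'state enable'")
                inherit_count[name] += 1
                if prof["max_port"] is not None and inherit_count[name] > prof["max_port"]:
                    raise ValueError(
                        f"{header}: port-profile {name} exceeds max-port {prof['max_port']}")
                from_profile.extend(prof["body"])
            else:
                own.append(c)
        expanded[header] = from_profile + own  # interface-level commands come last
    return expanded


def validate(text):
    """Return None if the config expands cleanly, else the error message."""
    try:
        expand_port_profiles(text)
    except ValueError as exc:
        return str(exc)
    return None


def render(expanded):
    """Format the expansion like running-config output."""
    lines = []
    for header, cmds in expanded.items():
        lines.append(header)
        lines.extend(" " + c for c in cmds)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(expand_port_profiles(SAMPLE_CONFIG)))
    third = SAMPLE_CONFIG + "interface eth101/1/3\ninherit port-profile ACCESS_PORT\n"
    print("third interface:", validate(third))
```

Adding a third interface that inherits ACCESS_PORT makes `validate` report the max-port error, which is the situation the warning above is about: on the real switch the inherit command is rejected rather than silently applied, so an interface can end up without the spanning-tree and CDP settings the profile was meant to enforce.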

PVLAN

Network architecture

In this test we used an ASA5505 as the gateway, a Cisco 3750 for switching, and an ESXi host.

PVLAN_ARCHI

We used 4 VLANs: VLAN 110 as primary and 111 to 113 as secondaries.

We created a distributed switch in vCenter and created the private VLANs on it.

PVLAN_ESX: DVSwitch PVLAN Settings

PVLAN_esx2: PortGroup List

PVLAN_esx3: PortGroup Settings

On this platform, SRV1, SRV2 and SRV4 can communicate with each other, with their gateway and with the SVI, but not with SRV3, SRV5, SRV6 or SRV7.

SRV6 and SRV7 can communicate with each other, with their gateway and with the SVI, but not with the other servers.

Finally, SRV3 and SRV5 are fully isolated and can only communicate with the gateway and the SVI.

Limitation: with a 3750, you can't make the promiscuous port an 802.1Q-tagged trunk to a router or firewall.

On a Nexus, some commands have been added:

# switchport private-vlan ?
 association Private vlan trunk association
 host-association Set the private VLAN host association
 mapping Set the private VLAN access/trunk promiscuous mapping
 trunk Set the private vlan trunking configuration

Now you can trunk your promiscuous port:

# switchport private-vlan mapping trunk ?
 <1-3967,4048-4093> Primary private VLAN

Now we will try to use a PVLAN promiscuous trunk and add a Nexus 3548 running version 6.0(2)A7(1). Before this version, I could not enable the private-vlan feature.

PVLAN_ARCHI2

The main difference is the ability to trunk on the promiscuous port.

interface Ethernet1/1
 speed 1000
 switchport mode private-vlan trunk promiscuous
 spanning-tree port type edge trunk
 duplex full
 switchport private-vlan mapping trunk 300 301
 switchport private-vlan mapping trunk 200 201-202
 switchport private-vlan mapping trunk 110 111-113
 no shutdown

Here we have three primary VLANs (110, 200 and 300) trunked to the firewall.

ASA5510# sh run interface
!
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 213.218.130.78 255.255.255.0
!
interface Ethernet0/1
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/1.110
 vlan 110
 nameif INSIDE
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1.200
 vlan 200
 nameif INSIDE200
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/1.300
 vlan 300
 nameif INSIDE300
 security-level 100
 ip address 192.168.30.1 255.255.255.0

In the following design, we carry the private VLAN through a 3750 and map the isolated private VLAN 113 to a normal VLAN 10. You can also simply terminate it with the private VLAN.

PVLAN_ARCHI3

SRV7 can ping every other server (SRV1 to SRV6) and the gateway, but SRV1 to SRV6 can't ping each other; they can only reach SRV7.
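The reachability described for the first platform (SRV1, SRV2 and SRV4 together; SRV6 and SRV7 together; SRV3 and SRV5 isolated) and for this last design (SRV7 reaches everyone, SRV1 to SRV6 reach only SRV7) both follow from the three PVLAN port roles. The following Python model is an added example, not from the original post: it encodes the standard PVLAN rules (a promiscuous port reaches every port in its primary VLAN; community ports reach their own community plus promiscuous ports; isolated ports reach only promiscuous ports) and reproduces both reachability matrices. The page does not say which secondary VLAN each server sits in, so the assignments below (111 and 112 as communities, 113 isolated) are constructed to match the described behaviour, as is the promiscuous placement of SRV7 in the last design.

```python
"""Model private-VLAN reachability for the two designs described above.

Added example, not from the original post. Port-to-secondary-VLAN
assignments are constructed to reproduce the page's description.
"""
from enum import Enum


class Kind(Enum):
    PROMISCUOUS = "promiscuous"
    COMMUNITY = "community"
    ISOLATED = "isolated"


class Port:
    def __init__(self, name, kind, primary, secondary=None):
        if kind is Kind.PROMISCUOUS and secondary is not None:
            raise ValueError(f"{name}: a promiscuous port maps the primary, not one secondary")
        if kind is not Kind.PROMISCUOUS and secondary is None:
            raise ValueError(f"{name}: host ports need a secondary VLAN")
        self.name, self.kind, self.primary, self.secondary = name, kind, primary, secondary


def can_talk(a, b):
    """Layer-2 reachability between two ports under PVLAN rules."""
    if a.primary != b.primary:
        return False  # different primary VLANs: separate broadcast domains
    if Kind.PROMISCUOUS in (a.kind, b.kind):
        return True   # promiscuous (gateway, SVI) reaches everything in the primary
    if a.kind is Kind.COMMUNITY and b.kind is Kind.COMMUNITY:
        return a.secondary == b.secondary  # same community only
    return False      # isolated <-> anything except promiscuous; different communities


def reachable(ports, name):
    """Names of the other ports that `name` can reach."""
    me = next(p for p in ports if p.name == name)
    return {p.name for p in ports if p is not me and can_talk(me, p)}


def is_symmetric(ports):
    """Sanity check: PVLAN reachability is never one-directional."""
    return all(can_talk(a, b) == can_talk(b, a) for a in ports for b in ports)


# First platform: primary 110; communities 111 and 112; isolated 113 (assumed assignment).
DESIGN1 = [
    Port("GW", Kind.PROMISCUOUS, 110),
    Port("SVI", Kind.PROMISCUOUS, 110),
    Port("SRV1", Kind.COMMUNITY, 110, 111),
    Port("SRV2", Kind.COMMUNITY, 110, 111),
    Port("SRV4", Kind.COMMUNITY, 110, 111),
    Port("SRV6", Kind.COMMUNITY, 110, 112),
    Port("SRV7", Kind.COMMUNITY, 110, 112),
    Port("SRV3", Kind.ISOLATED, 110, 113),
    Port("SRV5", Kind.ISOLATED, 110, 113),
]

# Last design: SRV7 modelled as promiscuous, SRV1..SRV6 isolated (assumed placement).
LAST_DESIGN = [Port("GW", Kind.PROMISCUOUS, 110), Port("SRV7", Kind.PROMISCUOUS, 110)] + [
    Port(f"SRV{i}", Kind.ISOLATED, 110, 113) for i in range(1, 7)
]


if __name__ == "__main__":
    for label, design in (("first platform", DESIGN1), ("last design", LAST_DESIGN)):
        print(label)
        for p in design:
            print(f"  {p.name:>4} -> {sorted(reachable(design, p.name))}")
```

The model is a useful check when a PVLAN change is reviewed: if a server that should be isolated shows up in another server's reachable set, the secondary-VLAN assignment is wrong before anything is pushed to the switch.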