Access layer design

refer to

1, Looped triangle

The triangle looped topology is currently the most widely implemented in the enterprise data center. This topology provides a deterministic design that makes it easy to troubleshoot while providing a high level of flexibility

2, looped square

The square-based looped topology is not as common today in the enterprise data center but has recently gained more interest. The square looped topology increases the access layer switch density when compared to a triangle loop topology while retaining the same loop topology characteristics. This becomes particularly important when 10GE uplinks are used. This topology is very similar to the triangle loop topology, with differences in where spanning tree blocking occurs

Spanning tree blocks the link between the access layer switches, with the lowest cost path to root being via the uplinks to the aggregation switches, as shown in Figure 6-9. This allows both uplinks to be active to the aggregation layer switches while providing a backup path in the event of an uplink failure. The backup path can also be a lower bandwidth path because it is used only in a backup situation. This might also permit configurations such as 10GE uplinks with GEC backup.

The possible disadvantages of the square loop design relate to inter-switch link use, because 50 percent of access layer traffic might cross the inter-switch link to reach the default gateway/active service module. There can also be degradation in performance in the event of an uplink failure because, in this case, the oversubscription ratio doubles.

3, Loop free U

4, Loop free invented U



Useful F5 commands

1, When copy configuration from one unit to the other unit, or creating a lot of vips at the same time, it would be easier to do it via CLI:
a) Edit the configuration on editor
b) Copy and paste the configuration throught F5 cli terminal
user@(xxx)(cfg-sync In Sync)(/S1-green-P:Active)(/partition)(tmos)# load sys config from-terminal merge
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.

2, ssldump for trouble ssl session
a) use find to find the path of keyfile
[user@xxx:/S1-green-P:Active:In Sync] / # find -iname *.key*
for example
b) ssldump -A -d -k <key file> -n -i <capture VLAN> <traffic expression>
-A Print all fields
-d Show application data when private key is provided via -k
-k Private key file, found in /config/ssl/ssl.key/; the key file can be located under client SSL profile
-n Do not try to resolve PTR records for IP addresses
-i The capture VLAN name is the ingres VLAN for the TLS traffic
For example:
[user@xxx:/S1-green-P:Active:Changes Pending] / # ssldump -A -k ./config/filestore/files_d/partition_d/certificate_key_d/ -i 0.0 host and port 443

3, Use command biptop on cli to check all currenct connections
For example:
[user@xxx:/S1-green-P:Active:In Sync] ~ # bigtop
QUERYING… | bits since | bits in prior | current
| Mar 4 00:16:03 | 0 seconds | time
BIG-IP ACTIVE |—In—-Out—Conn-|—In—-Out—Conn-| 14:28:57 691.0T 1.418P 8.543G 0 0 0

VIRTUAL ip:port |—In—-Out—Conn-|—In—-Out—Conn-|-Nodes Up–
/partition/ 668.2T 213.5T 704.4M 0 0 0 0

4, You can use the openssl command to verify the client certificate against the Trusted Certificate Authority bundle prior to importing it onto the BIG-IP system. For example, the following openssl command verifies the client certificate, client.crt, against the Trusted Certificate Authority bundle:

openssl verify -purpose sslclient -CAfile /path/to/trusted-ca-bundle.crt /path/to/client.crt

If the chain of trust can be established for the server certificate using the specified chain, the command returns output similar to the following example:

client.crt: OK
5, Use tcpdump to show more tmm information,
for example, to check routed vip:
tcpdump -vs0 -i 0.0:nnn host
it shows below, the red part showed routed vip when received request from client.
16:28:44.474154 IP (tos 0x0, ttl 255, id 37043, offset 0, flags [DF], proto: TCP (6), length: 52) vip.http > host.38934: ., cksum 0x4282 (incorrect (-> 0x8e1f), ack 159 win 4297 <nop,nop,timestamp 913578425 3245706819> out slot1/tmm2 lis=/partition/xxxhttp-vip flowtype=64 flowid=5701C0361D00 peerid=5

Fundentimental of BGP

Find neighbour:

1, From idle to active: router will initiate tcp connection first via port 169.
2, From active to connected: router finished 3way handshake of TCP. If no 3 way handshake finished, router will go back to step 169
3, From connected to open send: router will send hello packets in order to find neighbour
4, From open send to open confirm: received reply from peer for open send message
5, Established: received KEEP ALIVE from peer

Advertise networks:

BGP can advertise networks to peer in the ways as below:
1, Use redistribute method to redistribute routes from other routing protocal into BGP. Route will only be redistributed if it is in the routing table
2, Use network command to advertise routes into BGP. Router will first check if the route existed in the routing table, if not, network can not be advertised, also using network command to advertize route need match exactly (prefix, mask) the route in the routing table. But if auto summary enabled, network command advertised route does not have to match exactly the route prefix/mast in the routing table, if at least one subnet existed in the routing table, network command can successfully advertize the whole network into BGP peer.
3, When autosummary used, BGP will advertize only classful route for all locally originated routes. If the redistributed routes are not classful network, BGP will use the mostly matched classful network and then advertise it. The same to network command advertised routes.


There are several ways that BGP use to filter the routes that will be advertised to the peer:
1, Filter-list with AS PATH access-list. use route map
2, prefix list filter
3, distribution list, not very scalable solution, not recommend when there is much ip range for filering
4, no export community

route map is mostly used and recommended for BGP filter


Community can be used to mark the advertised/received routes, so this routes can be treated in desired way (increase preference, etc)
There are 3 common community for BGP:
no export: routes will not be advertised outside of the local AS
no advertise: route will not be advertised to any iBGP or EBGP peer
local AS: The local AS community is a well known BGP community and can be used for BGP confederations. It’s basically the same as the no export community but this one works for within the sub-AS of a confederation

Notice in configuration

1, BGP x, x should match ASN number, or sub AS number if confederation is used

Uplinkfast & backbonefast

Both uplinkfast and backbonefast are features for classic spanning tree, not for rstp.

1, uplink fast should be applied on the switch, not on the interface
2, uplink fast will bring blocked port into forwarding immediately when it meets 2 conditions :
a) root port has lost connection from peer side
b) there is a blocked port in the switch that just lost root port
3, without uplink fast, when switch lost root port, the blocked port will have to go through listening (15 secs) and learning (15 secs) period before going to forwarding state; with uplink fast enabled, switch will save 30 secs to move blocked port into forwarding state.

Backbone fast
1, backbone fast is used to speed up recovering for INDIRECTED LINK FAILURE. Indirected link failure means that switch has received TCN from peer switch A because switch A has lost root port (link towards root bridge failed).
2,  Assume that port A on switch has received inferior BPDUs from peer switch A, it will ignore this BPDU because it is inferior BPDUs, instead it will continue waiting for root bridge BPDUs from peer switch A until max-age (20 secs by default) timed out. After that port A can go to listening and learning period.
3, With backbone fast enabled, As soon as switch receives an inferior BPDU it will send a root link query on its root port and non-designated ports to check if the root bridge is still available. Thus it will save 20 secs for recovery
4, Backbone fast is a global command, can not be configured in interface level.

OSFP details that is esay to ignore:

OSFP details that is esay to ignore:
1, Passive interface will not send hello packet, therefore will not form adjacency to any other router. But subnet that attached to this interface will be advertized inside OSPF
2, SPF calcuateion within the area will be triggered only when there is changes of type1 and type2 LSA in the update. Type1 and type2 LSA will only be exchanged within the area.
3, ABR is the router that at least has one interface connecting to backbone area, the the other one to the other area. ABS will generate 2 self type1 LSA, one is for Backbone type1 LSA, the the other is type1 LSA for the other area which ABR connects to.
4, OSPF uses a reference bandwidth of 100 Mbps for cost calculation. The formula to calculate the cost is reference bandwidth divided by interface bandwidth. For example, in the case of Ethernet, it is 100 Mbps / 10 Mbps = 10. Note: If ip ospf cost cost is used on the interface, it overrides this formulated cost. take reference bandwidth of 100mbps, any interface that greater or equal to 100mbps will have the same cost 1 becuase no fraction is allowed.So the OC-3, FastEthernet and GigabitEthernet will all have an OSPF cost of “1” given the default reference bandwidth.
5, With ‘default-information orignate’ command generate ASBR a default route into ospf area but only if there is a default route exited already in its routing table
6, In Cisco configuraiton, use “area x range” for net summary in ABR, and “summary-address …”in ASBR for external route summary. OSPF DOES NOT perform auto-summarizatio.