Ansible Interface Playbook (ios_config): Cisco interface config

Here is an Ansible playbook with three different examples of how to configure Cisco router interfaces:

1. Static IP address configuration in the playbook
2. Configuration comes out of a Jinja2 template and can be run dynamically with variables
3. A loop in the playbook configures multiple interfaces

There are some disadvantages to working with templates if you use commands like “no shutdown” to enable the interface: they are not shown in the running configuration, which means Ansible assumes the configuration does not match and executes the template again on every run.
Another disadvantage of templates is that you cannot run “before” or “after” commands to remove existing configuration; all of this needs to be implemented in your Jinja2 template.

Here is the Ansible playbook:

- name: Cisco interface config
  connection: local
  hosts: all
  gather_facts: false
  vars:
    cli:
      username: "{{ username }}"
      password: "{{ password }}"
      host: "{{ device_ip }}"
  tasks:
    - name: configure IP address
      ios_config:
        before:
          - default interface FastEthernet1/0
        lines:
          - ip address 10.1.1.1 255.255.255.0
        after:
          - no shutdown
        match: strict
        parents: interface FastEthernet1/0
        provider: "{{ cli }}"

    - name: configure IP out of template
      ios_config:
        src: "interfaces.j2"
        provider: "{{ cli }}"

    - name: configure IP with loop
      ios_config:
        provider: "{{ cli }}"
        before:
          - "default interface {{ item.interface }}"
        lines:
          - "ip address {{ item.address }} 255.255.255.0"
        after:
          - no shutdown
        parents: "interface {{ item.interface }}"
      with_items:
        - { interface: FastEthernet2/0, address: 10.3.3.3 }
        - { interface: FastEthernet2/1, address: 10.4.4.4 }
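The template caveat above (“no shutdown” never appears in the running configuration, so a template containing it is never idempotent) is easiest to see by modelling how ios_config decides what to push. The following is an added example, not Ansible's own implementation: a simplified re-implementation of its parents/lines matching, run against a constructed sample running-config. The `match: strict` handling is a simplified positional comparison, and the function names (`parse_config`, `missing_lines`, `plan_push`) are this example's own.

```python
"""Model of how ios_config decides which candidate lines to push, and why a
template containing 'no shutdown' is never idempotent. Added example; a
simplified re-implementation, not Ansible's own code."""

from typing import Dict, List

# Constructed sample running-config, not captured from a real router.
# FastEthernet1/0 is up (nothing about shutdown is shown), FastEthernet2/0 is down.
RUNNING_CONFIG = """\
!
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
!
interface FastEthernet2/0
 ip address 10.3.3.3 255.255.255.0
 shutdown
!
"""


def parse_config(text: str) -> Dict[str, List[str]]:
    """Map each top-level line (e.g. 'interface FastEthernet1/0') to the
    indented child lines beneath it."""
    blocks: Dict[str, List[str]] = {}
    parent = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            parent = raw.strip()
            blocks.setdefault(parent, [])
        elif parent is not None:
            blocks[parent].append(raw.strip())
    return blocks


def missing_lines(running: Dict[str, List[str]], parent: str,
                  lines: List[str], match: str = "line") -> List[str]:
    """Candidate child lines that are not (yet) in the running block.
    match='line':   present if the line appears anywhere under the parent.
    match='strict': present only at the same position (simplified model of
                    ios_config's positional comparison)."""
    present = running.get(parent, [])
    if match == "line":
        return [ln for ln in lines if ln not in present]
    if match == "strict":
        return [ln for i, ln in enumerate(lines)
                if i >= len(present) or present[i] != ln]
    raise ValueError(f"unsupported match mode {match!r}")


def plan_push(running: Dict[str, List[str]], parent: str, lines: List[str],
              before=(), after=(), match: str = "line") -> List[str]:
    """Commands that would be sent: nothing when every line already matches,
    otherwise the 'before' commands, the parent, the missing lines and the
    'after' commands, which is the order the before/lines/after task produces."""
    todo = missing_lines(running, parent, lines, match)
    if not todo:
        return []
    return list(before) + [parent] + todo + list(after)


if __name__ == "__main__":
    running = parse_config(RUNNING_CONFIG)
    # Task 1 style: 'no shutdown' lives in 'after', so a converged interface pushes nothing.
    print(plan_push(running, "interface FastEthernet1/0",
                    ["ip address 10.1.1.1 255.255.255.0"],
                    before=["default interface FastEthernet1/0"], after=["no shutdown"],
                    match="strict"))
    # Template style: 'no shutdown' is a candidate line and is never in the
    # running-config of an enabled interface, so it is pushed on every run.
    print(plan_push(running, "interface FastEthernet1/0",
                    ["ip address 10.1.1.1 255.255.255.0", "no shutdown"]))
```

Running the block prints an empty list for the before/lines/after form and a non-empty push for the template form, even though the interface is already configured and enabled; that is exactly the repeated “changed” result the post warns about.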

Read my new posts about Ansible Playbook for Cisco ASAv Firewall Topology or Ansible Playbook for Cisco BGP Routing Topology.

Cisco ASA EtherChannel Interfaces

With ASA version 8.4 Cisco introduced port-channels (ASA5510 or higher), which is a really nice feature because you can share the load over more interfaces. On a physical interface the incoming and outgoing traffic is processed through FIFO queues and RX/TX rings per interface; when these queues or rings are full nothing can pass through. So performance is not always a question of the CPU load of the device; the physical interfaces are in scope as well. With a port-channel you spread the load over several FIFO queues and RX/TX rings, but keep the port-channel load-balancing mode in mind.

Physical interface configuration

interface GigabitEthernet0/0
  description GigTrunk-Po1
  channel-group 1 mode active
  no shutdown
  exit

interface GigabitEthernet0/1
  description GigTrunk-Po1
  channel-group 1 mode active
  no shutdown
  exit

interface GigabitEthernet0/2
  description GigTrunk-Po1
  channel-group 1 mode active
  no shutdown
  exit

interface GigabitEthernet0/3
  description GigTrunk-Po1
  channel-group 1 mode active
  no shutdown
  exit

Port-channel configuration with VLAN sub-interfaces

interface Port-channel1
  no shutdown
  exit

interface Port-channel1.100
  description Server VLAN
  vlan 100
  nameif SERVER
  security-level 100
  ip address 10.1.0.254 255.255.255.0 standby 10.1.0.253
  mac-address 0a00.0a00.0011 standby 0a00.0a00.0021
  no shutdown
  exit

interface Port-channel1.200
  description Clients VLAN
  vlan 200
  nameif CLIENTS
  security-level 100
  ip address 10.2.0.254 255.255.255.0 standby 10.2.0.253
  mac-address 0a00.0a00.0011 standby 0a00.0a00.0021
  no shutdown
  exit

For more information read the Cisco ASA 8.4 Configuration Guide – EtherChannels

Cisco Catalyst SPAN and Remote SPAN Configuration

To analyze network traffic passing through ports or VLANs you can configure SPAN or remote SPAN to mirror the traffic to another port on the switch, or on another switch, that is connected to a network analyzer. The network analyzer can be Wireshark or Riverbed Cascade Pilot, which capture and analyze the traffic. Cascade Pilot is quite interesting here because you can filter the traffic first and then send it to Wireshark for deep analysis.

Back to the configuration: SPAN mirrors traffic received or sent (or both) on source ports or source VLANs to a destination port for analysis. The SPAN session does not affect the switching of network traffic on the source. Destination ports do not receive or forward any traffic other than the mirrored copy; they are shown as monitoring interfaces.


Configure local SPAN session:

Define the source interface whose traffic you want to mirror

monitor session 1 source interface GigabitEthernet 0/41

or VLAN as source

monitor session 1 source vlan 500

Define the destination interface

monitor session 1 destination interface GigabitEthernet 0/10


Configure remote SPAN session (1st switch):

First create a remote SPAN VLAN

vlan 2010
  name RSPAN_VLAN
  remote-span
  exit

Then, as with the local SPAN session, define the source

monitor session 1 source interface gi 0/47

or VLAN

monitor session 1 source vlan 500

At the end of the configuration on the 1st switch, configure the remote SPAN VLAN as the destination

monitor session 1 destination remote vlan 2010


Configure remote SPAN session (2nd switch):

As on the other switch, you first need to create the remote SPAN VLAN

vlan 2010
  name RSPAN_VLAN
  remote-span
  exit

Then configure the RSPAN VLAN as the source

monitor session 1 source remote vlan 2010

Finally, define the destination interface

monitor session 1 destination interface gi 0/18

It is important to verify that the RSPAN VLAN is allowed on the trunk interfaces between these two switches!


With the following command you can verify the monitoring session you configured:

show monitor session 1
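Because a SPAN or RSPAN session copies every frame on its source to the destination, the output of the verification command above is worth checking against the intended design rather than only reading by eye: a session nobody planned is a session that sends traffic somewhere nobody planned. The following is an added example, not from the original post: a small parser for the `show monitor session` output plus an audit that reports any session that is missing, differs from, or is absent from the design. The sample output is constructed and only approximates the Catalyst format; the field names (`Type`, `Both`, `Dest RSPAN VLAN`, `Destination Ports`) and the function names are this example's own assumptions.

```python
"""Audit of 'show monitor session' output: flag SPAN/RSPAN sessions that do not
match the intended design. Added example, not from the original post."""

import re
from typing import Dict, List

# Constructed sample output approximating 'show monitor session all' on the
# first (source) switch of the RSPAN setup; not captured from a real device.
# Session 2 is an extra local session that is not part of the design.
SHOW_MONITOR_SWITCH1 = """\
Session 1
---------
Type                   : Remote Source Session
Source Ports           :
    Both               : Gi0/47
Dest RSPAN VLAN        : 2010

Session 2
---------
Type                   : Local Session
Source VLANs           :
    Both               : 500
Destination Ports      : Gi0/5
    Encapsulation      : Native
          Ingress      : Disabled
"""

# Intended sessions for this switch, one entry per session id (assumed field names).
INTENDED_SWITCH1 = {
    1: {"Type": "Remote Source Session", "Both": "Gi0/47", "Dest RSPAN VLAN": "2010"},
}

SESSION_RE = re.compile(r"^Session (\d+)\s*$")


def parse_monitor_sessions(text: str) -> Dict[int, Dict[str, str]]:
    """Return {session id: {field: value}} for each session block.
    Indented sub-fields (e.g. 'Both' under 'Source Ports') are flattened into
    the session's dict under their own name."""
    sessions: Dict[int, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = int(m.group(1))
            sessions[current] = {}
            continue
        if current is None or ":" not in line:
            continue  # separator lines and blank lines carry no field
        key, _, value = line.partition(":")
        sessions[current][key.strip()] = value.strip()
    return sessions


def audit_sessions(text: str, intended: Dict[int, Dict[str, str]]) -> List[str]:
    """Compare the parsed sessions against the intended design and return one
    finding per mismatch. An empty list means the switch mirrors exactly what
    the design says it should, and nothing else."""
    findings: List[str] = []
    seen = parse_monitor_sessions(text)
    for sid, fields in seen.items():
        if sid not in intended:
            dest = fields.get("Destination Ports") or fields.get("Dest RSPAN VLAN", "?")
            findings.append(f"session {sid}: not in design, mirrors to {dest}")
            continue
        for key, want in intended[sid].items():
            got = fields.get(key)
            if got != want:
                findings.append(f"session {sid}: {key} is {got!r}, expected {want!r}")
    for sid in intended:
        if sid not in seen:
            findings.append(f"session {sid}: in design but not configured")
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(SHOW_MONITOR_SWITCH1, INTENDED_SWITCH1):
        print(finding)
```

Feed the real command output into `audit_sessions` (for example from a scheduled collection job) and treat any finding as a change to investigate; on the second switch the intended entry would instead carry `Source RSPAN VLAN` and `Destination Ports`.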