One of the most powerful aspects of ACI is the fact that all information about the state of the network is available in the object database that is stored on the APIC cluster. To access the information contained in this database you can use the GUI, which presents the information visually, or you can use the APIC CLI to present specific information in text format using more traditional NX-OS style commands. However, it is also possible to query the APIC object database directly using the managed object browser (also known as “visore”) and its command line form “moquery”. I found visore and moquery to be valuable tools in the ACI troubleshooting toolkit to supplement the GUI and APIC CLI. Unfortunately, I found the documentation of these tools to be somewhat limited and most of my knowledge about these tools was pieced together from various different sources. To gather some of the facts that I learned about the use of the moquery tool in a single place I decided to write this article.
Author Archives: Tom
Mapping a FabricPath LID to an Outbound Interface
When a FabricPath edge switch needs to send a frame to a remote MAC address, it performs a MAC address table lookup and finds an entry of the form SWID.SSID.LID. The SWID represents the switch-ID of the remote FabricPath edge switch, the SSID represents the sub-switch ID (which is only used in vPC+) and the LID represents the outbound port on the remote edge switch. However, the method by which these LIDs are derived doesn’t seem to be very well documented and this had been bugging me for a while. So I decided to dig in and see if I could find out a bit more about the way LIDs are used on the Nexus switches.
IPv6 Allocation Chart
Almost every network engineer knows the classic IPv4 network assignments by heart: Class A through E, private address space, loopback, link-local, etc. However, when it comes to IPv6, many engineers still need to get a good grip on the various address blocks that have been allocated for these and other functions. As a study-aid for students attending the IP6FD courses that I teach (or just anybody with an interest in IPv6), I decided to compile the information from various RFCs into a chart that lists the major IPv6 blocks, their use, and the initial bit patterns associated with these blocks.
Decoding DCBX
As I was studying for the Troubleshooting Cisco Data Center Unified Fabric (DCUFT) exam, I came across a couple of low level NX-OS commands that can help determine whether the Data Center Bridging eXchange (DCBX) protocol is functioning correctly. Being able to verify the operation of DCBX is important when troubleshooting FCoE, because the proper operation of the Data Center Bridging (DCB) extensions is a prerequisite for FCoE.
Unfortunately, the output of these commands is rather cryptic, because it essentially shows the content of the DCBX TLVs as raw hex dumps, rather than nicely decoding the fields in the output of the command. Because I still wanted to understand how to read the DCBX information contained in these commands, I decided to dive a bit deeper into the DCBX protocol.
Using FreeRADIUS with Cisco Devices
Even though I am the only administrator for the devices in my lab and home network, I thought it would be nice to have some form of centralized authentication, authorization and accounting for these devices. However, I quickly realized that using a dedicated appliance such as Cisco ACS or ISE would mean adding another always-on VM to my lab environment. I wasn’t quite ready to start wasting my lab resources on a basic function like AAA. So instead of using a dedicated appliance, I decided to implement FreeRADIUS on the Ubuntu Linux server that I use for DNS, DHCP, syslog, and other network services in my lab.
Although TACACS+ is usually the protocol of choice for Cisco AAA, my requirements are simple enough that RADIUS will work just as well. And since FreeRADIUS is included in the standard Ubuntu repositories, this should be very easy to install.