Re: Questions regarding Brocade FC-FC Routing

Hi,

Those are indeed several questions.

1. Can I implement FC-FC Routing between two NO Virtual Fabrics-capable switches ?

A: yes

Or between one Virtual Fabrics-capable switch and one NO Virtual Fabrics-capable switch?

A: also yes.

Since the NO Virtual Fabrics-capable edge switches don’t have a Fabric ID, how can I set the edge fabric ID on the FC router ?

A: That can be done with the “portcfgexport -f” option.

Fabric ID Rules:

If there are multiple EX or VEX ports connected to the same fabric then they must have the same FID.

If EX or VEX ports are connected to different edge fabrics, then they must use unique FIDs for each edge fabric.

If two different backbone fabrics are connected to the same edge fabric then the two backbone fabrics must have unique FIDs.

2. How can I connect two fabrics with the same FID via FC-FC routing ?

A: See page 541 of the Fabric OS Administrator guide 7.4.1, Chapter “Using FC-FC Routing to Connect Fabrics”.

For example, two virtual fabrics with the same default FID 128, should I change the FID in one fabric ?

A: No, it should be possible, because the EX port on the router will get the FID you set on the EX port.

3. How to change the FID ?

A. I assume you meant in a Virtual fabric -> that can be done with the lscfg command. See the Fabric OS Command Reference Guide.

Is it disruptive or non-disruptive ?

A. Setting up a new LS with a new FID will be disruptive.

Will the zone configuration still be valid after the FID change ?

A. No, all zoning is gone and needs to be re-applied.

4. Can I implement FC-FC Routing via a FC router or router-capable switch instead of the virtual fabric base switch inside the Virtual Fabrics-capable switch ? See the topology below

A. Yes, that should be possible.

I recommend that you contact our local DELL EMC team to get a real implementation specialist, who should be able to design and assist you with the Fibre Channel Routing tailored to all your needs.

Best Regards,

Ed
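The three Fabric ID rules listed in the reply above can be checked mechanically before EX or VEX ports are configured. The following is an added example, not part of the original posts or of Fabric OS; the port-table layout, the fabric and port names, and the scoping of rule 2 to a single backbone are assumptions made for illustration.

```python
from collections import defaultdict


def check_fids(ports):
    """Return (rule, message) tuples for each Fabric ID rule that is broken.

    ports is a list of dicts with these hypothetical keys:
      backbone, backbone_fid : the router's backbone fabric and its FID
      port                   : the EX or VEX port on that router
      edge, fid              : the edge fabric it faces and the FID set on the port
    """
    fids_by_edge = defaultdict(set)        # rule 1: edge -> FIDs set on ports facing it
    edges_by_fid = defaultdict(set)        # rule 2: (backbone, FID) -> edges using it
    backbones_by_edge = defaultdict(dict)  # rule 3: edge -> {backbone: backbone FID}
    for p in ports:
        fids_by_edge[p["edge"]].add(p["fid"])
        edges_by_fid[(p["backbone"], p["fid"])].add(p["edge"])
        backbones_by_edge[p["edge"]][p["backbone"]] = p["backbone_fid"]

    problems = []
    # Rule 1: all EX/VEX ports connected to the same fabric carry the same FID.
    for edge, fids in sorted(fids_by_edge.items()):
        if len(fids) > 1:
            problems.append((1, f"{edge}: ports use different FIDs {sorted(fids)}"))
    # Rule 2: different edge fabrics get unique FIDs (scoped per backbone here).
    for (backbone, fid), edges in sorted(edges_by_fid.items()):
        if len(edges) > 1:
            problems.append((2, f"{backbone}: FID {fid} reused for {sorted(edges)}"))
    # Rule 3: backbones attached to the same edge fabric have unique FIDs.
    for edge, backbones in sorted(backbones_by_edge.items()):
        bb_fids = list(backbones.values())
        if len(set(bb_fids)) < len(bb_fids):
            problems.append((3, f"{edge}: backbones {sorted(backbones)} share a FID"))
    return problems


def port(backbone, backbone_fid, name, edge, fid):
    """Build one row of the hypothetical port table."""
    return {"backbone": backbone, "backbone_fid": backbone_fid,
            "port": name, "edge": edge, "fid": fid}


# Constructed sample topologies (names and FIDs are illustrative).
VALID = [port("BB1", 1, "1/0", "edgeA", 10),
         port("BB1", 1, "1/1", "edgeA", 10),
         port("BB1", 1, "1/2", "edgeB", 20)]
BOTH_128 = [port("BB1", 1, "1/0", "edgeA", 128),   # two edge fabrics, both
            port("BB1", 1, "1/2", "edgeB", 128)]   # given FID 128 on the router
MIXED = [port("BB1", 1, "1/0", "edgeA", 10),
         port("BB1", 1, "1/1", "edgeA", 11)]
TWO_BACKBONES = [port("BB1", 1, "1/0", "edgeA", 10),
                 port("BB2", 1, "2/0", "edgeA", 10)]

if __name__ == "__main__":
    for name, table in [("VALID", VALID), ("BOTH_128", BOTH_128),
                        ("MIXED", MIXED), ("TWO_BACKBONES", TWO_BACKBONES)]:
        print(name, check_fids(table) or "ok")
```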


Questions regarding Brocade FC-FC Routing

Hi experts,

Can I ask several questions regarding Brocade FC-FC Routing ?

1. Can I implement FC-FC Routing between two NO Virtual Fabrics-capable switches ? Or between one Virtual Fabrics-capable switch and one NO Virtual Fabrics-capable switch?

Since the NO Virtual Fabrics-capable edge switches don’t have a Fabric ID, how can I set the edge fabric ID on the FC router ?

2. How can I connect two fabrics with the same FID via FC-FC routing ? For example, two virtual fabrics with the same default FID 128, should I change the FID in one fabric ?

3. How to change the FID ? Is it disruptive or non-disruptive ? Will the zone configuration still be valid after the FID change ?

4. Can I implement FC-FC Routing via a FC router or router-capable switch instead of the virtual fabric base switch inside the Virtual Fabrics-capable switch ? See the topology below.



top.jpg

Thanks.


NetScaler SD-WAN Troubleshooting Guide: WCCP Clustering on NetScaler SD-WAN

Note: This article applies to Citrix SD-WAN WANOP.

Symptoms

The following are some of the symptoms:

  • Caches are not load balanced properly (traffic gets redirected only to one or more but not all caches).

    Access the GUI of each Web Cache Communication Protocol (WCCP) cluster member and verify if all connections are getting accelerated by only one WCCP Cluster member:

    Monitoring > Optimization > Connections > Accelerated Connections

    (Screenshots: Accelerated Connections page for CloudBridge Appliance #1 Cache and CloudBridge Appliance #2 Cache.)

  • Latency

  • Disconnects

  • Crashes

  • Frequent migration of connections between caches causing unaccelerated connections.

Troubleshooting Steps

The following troubleshooting steps will not apply if the issue seen is uneven load balancing of traffic within CloudBridge4000/5000.

Note: In WCCP cluster, router load balances between CloudBridge4000/5000.

  1. Verify that all appliances within a cluster are the same model and run the same software release. CloudBridge700 and VPX do not support WCCP clustering. For more information, see Citrix eDocs – Limitations.

  2. Verify if all appliances and instances (caches) are UP.

  3. Access one WCCP cluster member from Monitoring > Appliance Performance > WCCP and verify the following tabs:

    1. Cache Status:

      • Verify if all caches have an assignment, status should be displayed as “Has Assignment”.

    2. Routers:

      1. Verify if there is only one designated cache. For more information, see Citrix eDocs – Testing and Troubleshooting.

      2. Verify if all cache members of the cluster are correctly listed.

      3. Verify if all router members of the cluster are correctly listed. If there are multiple routers, ensure that all CloudBridge appliances have all the router’s IPs configured in the cluster Service Groups (SG).

      4. If all router members are not listed, then add them under Configuration > Appliance Settings > WCCP > Configure Service Group.

      5. The following are some troubleshooting commands for router configuration reference (it is strongly recommended to engage Cisco TAC to validate the router(s) configuration).

        • show ip wccp

        • show ip wccp <service group>

        • show ip wccp <service group> detail

        • show ip wccp capabilities

  4. If all caches have assignment but load is not equally distributed, then verify the following:

    1. LAN/WAN SG definition is defined equally on CloudBridge and the router:

      • WAN SG should be the SG that sees the largest pool of IP addresses.
      • LAN SG should be the SG that sees the smallest pool of IP addresses.
    2. Verify the value of the current mask used and confirm if this is the appropriate mask according to the cluster needs. For more information, see Citrix eDocs – Load-Balancing in the WCCP Cluster.

    Suggested Sanity Check: Count the number of caches and verify the range of mask elements that are assigned for the cluster. For example,

      • You have five caches.

      • Mask used is 0x1 (1 bit set), the number of mask elements of this mask is 2 (2 or fewer caches):

        • 2^N = mask elements (N is the number of bits set).
        • 2^1 = 2 mask elements = 2 or fewer caches. Because there are five caches, this mask 0x1 is too small.

  5. If the issue still remains, collect the following data:
    1. Screen shots.

      1. Monitoring page of WCCP:

        Monitoring > Appliance Performance > WCCP > Cache Status.

        Monitoring > Appliance Performance > WCCP > Routers.

      2. Configuration page of SG:

        Configuration > Appliance Settings > WCCP (select the SG and click Modify).

    2. Technical support file. For more information, see CTX133765 – How to Collect Diagnostic Data by using the Command Line Interface on a Branch Repeater Appliance or Branch Repeater VPX Instance and CTX135546 – How to Collect Diagnostic Data by using the Graphical User Interface on a Branch Repeater Appliance or Branch Repeater VPX Instance.

    3. Router(s) configuration.

    4. Detailed network topology from all sites. Clearly depict the (switches, routers, firewalls, IPs, servers) connectivity points between the devices.

    5. IP range/subnets that you are trying to optimize.
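The suggested mask sanity check above can be worked through in code. This is an added example, not Citrix or Cisco code: it enumerates the mask elements for a given mask and shows which caches are left without any. The cache names, the sample addresses, applying the mask to a single IPv4 address, and dealing elements to caches in turn are assumptions standing in for the real assignment made by the designated cache.

```python
import ipaddress

CACHES = ["cache1", "cache2", "cache3", "cache4", "cache5"]  # constructed names


def mask_values(mask):
    """Enumerate every value (address & mask) can take: one per mask element."""
    values, sub = [], 0
    while True:
        values.append(sub)
        sub = (sub - mask) & mask  # step to the next subset of the mask's set bits
        if sub == 0:
            return values


def assign(mask, caches):
    """Deal mask elements to caches in turn (assumed stand-in assignment)."""
    table = {cache: [] for cache in caches}
    for i, value in enumerate(mask_values(mask)):
        table[caches[i % len(caches)]].append(value)
    return table


def idle_caches(mask, caches):
    """Caches that hold no mask element, so no redirected traffic reaches them."""
    return [cache for cache, values in assign(mask, caches).items() if not values]


def min_mask_bits(cache_count):
    """Smallest N for which 2^N mask elements cover cache_count caches."""
    return max(cache_count - 1, 0).bit_length()


def cache_for(address, mask, caches):
    """Cache that receives traffic for one IPv4 address under this mask."""
    value = int(ipaddress.ip_address(address)) & mask
    return caches[mask_values(mask).index(value) % len(caches)]


if __name__ == "__main__":
    for mask in (0x1, 0x7):
        print(f"mask {mask:#x}: {len(mask_values(mask))} elements,",
              "idle caches:", idle_caches(mask, CACHES) or "none")
    print("bits needed for five caches:", min_mask_bits(len(CACHES)))
    # Constructed client addresses: only the bits selected by the mask matter.
    for addr in ("10.0.0.6", "10.0.0.7"):
        print(addr, "->", cache_for(addr, 0x1, CACHES), "with 0x1,",
              cache_for(addr, 0x7, CACHES), "with 0x7")
```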


NetScaler Policy Based Routing

This article contains information about NetScaler Policy Based Routing (PBR) for incoming and outgoing network traffic.

Policy Based Routing

PBR is a concept that closely relates to Access Control Lists (ACLs) on a NetScaler appliance. PBR can be leveraged to make routing decisions (next hop router) based on certain criteria such as Source IP, Source Port, Destination IP, Destination Port, Protocol, Interface, VLAN and Source MAC.

(Figures: PBR – Incoming Traffic; PBR – Outgoing Traffic.)

PBR is similar to ACL-based rule matching. However, PBR can make decisions based on any of the following criteria:

  • Source IP

  • Destination IP

  • Source Port

  • Destination Port

  • Interface

  • VLAN

  • Protocol

Using PBR, a NetScaler appliance can either ALLOW or DENY access to network packets. In scenarios where a PBR policy evaluates as True and the preferred action is ALLOW, the appliance forwards the packet to the next hop router. In scenarios where a PBR policy evaluates as False, normal routing rules apply, as shown in the following image.

Run the following command from the command line interface to add a PBR:

add ns pbr <name> <action> [-srcIP [<operator>] <srcIPVal>] [-srcPort [<operator>] <srcPortVal>] [-destIP [<operator>] <destIPVal>] [-destPort [<operator>] <destPortVal>] [-nextHop <nextHopVal>] [-srcMac <mac_addr>] [-protocol <protocol> | -protocolNumber <positive_integer>] [-vlan <positive_integer>] [-interface <interface_name>] [-priority <positive_integer>] [-msr ( ENABLED | DISABLED ) [-monitor <string>]] [-state ( ENABLED | DISABLED )]

Example 1

Run the following command to forward all packets from VLAN 230 to next hop router 10.217.145.128:

add ns pbr VLAN_230 ALLOW -nextHop 10.217.145.128 -vlan 230 -priority 1 -kernelstate SFAPPLIED61

Example 2

Run the following command to forward all packets destined for 10.217.146.1 to next hop router 10.217.145.128:

add ns pbr DEST_IP ALLOW -destIP = 10.217.146.1 -nextHop 10.217.145.128 -priority 2 -kernelstate SFAPPLIED61

Note: The next hop router should be directly connected.

After PBR is created and enabled, it should be explicitly applied. Run the following command from the command line interface of the appliance to apply the PBR:

apply ns pbrs


SD-WAN : Routes learnt by one Site using BGP are not getting installed on another Site over Virtual Path

Consider 3 sites: A (MCN), B (Branch) and C (Branch).

Issue: Site A is running BGP locally with a router, learning local site routes and then advertising them to Site B and Site C over the Virtual Path. Site B is learning those routes, but Site C is not.

Symptoms: If we check the route logs from Site A, we can see that it is correctly forwarding the routes to the Virtual WAN plane, as can be seen below:

2018-08-08 00:36:21 <INFO> <Got route notify>prefix: 10.1.1.1/32, Table: T0 new:00000000006989d8 old:00000000006f8828

2018-08-08 00:36:21 <INFO> <ADD_ROUTE_TO_Virtual WAN> prefix: 10.1.1.1/32, protocol: BGP, Router IP : 10.10.10.2, Table: T0

However, these prefixes are being ignored by the Site C device, as can be seen in the logs:

12994:234:661:860 ERR handle_rcvd_dynamic_routes_from_neighbor@control/route_db.c:5682 Ignore received 90 Dynamic Local Routes to SYNC from site 2 with routing domain ID 0 via Virtual_Path SiteA-SiteC, received route version:215 current:1172

The issue is not restricted between MCN and Branch only and can be seen between two branches as well.


WCCP vs static bypass

We’ve recently changed our proxy topology from in-line transparent now to WCCP. Our WCCP router ACL forwards all port 80 and 443 traffic to the proxy. The proxy has a number of static bypass entries for both source and destination hosts and networks. We’ve found that for any session that has a static bypass, the proxy only sees client-initiated packets. This is because for a bypassed session the proxy maintains the client IP address as the source IP when sending the packet to the OCS. The WCCP router simply sends reply packets for these sessions straight to the client, rather than back to the proxy.

That wouldn’t necessarily be a problem, but the proxy also sometimes modifies the packets of bypassed sessions by changing payload sizes, thus modifying TCP sequence numbers. Since the client and server are now out of sequence, this causes the session to slow and usually fail.

I don’t know if this reflects some problem with router settings or proxy settings. How do we get the router to send the packets back to the proxy? How do we get the proxy to stop modifying packets in bypassed sessions? The only solution we can think of is to move the entire static bypass list to the router, but since that’s not mentioned in any documentation as a recommendation or requirement for WCCP, we’re unsure what the right course is.

Are WCCP and static bypass fundamentally incompatible? Or is there some configuration change required?

Thanks for any input.

– D


Limitations in Link Definition for One-Arm Citrix SD-WAN WANOP Edition Appliance and How to Work Around by IP Address-based Configuration

This article describes the limitations in link definition for one-arm mode Citrix SD-WAN WANOP Edition and provides a workaround for those limitations using IP address-based filter rules.

Note: This article applies to both the Citrix SD-WAN WANOP Edition physical appliances and VPX installed with the Citrix SD-WAN WANOP Edition software releases 6.0 and later.

Background

Starting with Citrix SD-WAN WANOP Edition software release 6.0, Citrix introduces a new traffic-shaping engine that manages all traffic on WAN links and LAN links. This traffic-shaping engine relies on accurate link definition, which is a set of filter rules that classify the flow direction of network traffic as “from LAN to WAN” or “from WAN to LAN”. If the link definition is incorrect, the Citrix SD-WAN WANOP Edition appliance applies traffic-shaping in the wrong traffic flow direction, which might impact network performance.

One-arm mode deployment, such as Web Cache Communication Protocol (WCCP) or Policy Based Routing (PBR), means that the Citrix SD-WAN WANOP Edition appliance uses only one interface adapter to connect to a network. When only one adapter is connected, none of the following options filters network traffic in the correct flow direction, and using them might cause performance issues:

  • Adapter – It does not filter network traffic in the correct flow direction because the Citrix SD-WAN WANOP Edition appliance receives WAN traffic and LAN traffic in the same adapter.
  • MAC address – It does not filter network traffic in the correct flow direction because the Citrix SD-WAN WANOP Edition appliance receives WAN traffic and LAN traffic with the same source MAC address from a switch or a router interface.
  • VLAN – It does not filter network traffic in the correct flow direction because the Citrix SD-WAN WANOP Edition appliance receives WAN packets and LAN packets with the same VLAN ID tagging.
  • WCCP Service Group – It does not filter network traffic in the correct flow direction if both WAN traffic and LAN traffic are redirected by the same WCCP router. It is also not possible even if different Service Groups are used for WAN traffic and LAN traffic redirection. It is because the Citrix SD-WAN WANOP Edition appliance matches and merges all WCCP Service Groups to the router MAC address in the WCCP process. The Citrix SD-WAN WANOP Edition appliance receives WAN traffic and LAN traffic redirected from the same WCCP router with the same source MAC address.

With the preceding limitations, IP address-based configuration is the only option available in filter rules for one-arm mode Citrix SD-WAN WANOP Edition link definition.

  • LAN IN Traffic: The Citrix SD-WAN WANOP Edition appliance receives packets from the LAN with the local subnet 192.168.1.0/24 as Source IP address and the remote subnet 10.1.1.0/24 as Destination IP address.
  • WAN OUT Traffic: After the acceleration process, the Citrix SD-WAN WANOP Edition appliance sends packets to the WAN with the same IP addresses as the LAN IN traffic.
  • WAN IN Traffic: The Citrix SD-WAN WANOP Edition appliance receives packets from the WAN with the remote WAN subnet 10.1.1.0/24 as Source IP address and the local LAN subnet 192.168.1.0/24 as Destination IP address.
  • LAN OUT Traffic: After the acceleration process, the Citrix SD-WAN WANOP Edition appliance sends packets to the LAN with the same IP addresses as the WAN IN traffic.

IP Address-based Configuration

The Citrix SD-WAN WANOP Edition appliance filters network traffic when packets are received. Refer to the IP addresses in LAN IN traffic and WAN IN traffic for the link definition. Citrix SD-WAN WANOP Edition derives the “OUT” filter from the “IN” filter by swapping the source IP and destination IP within the same link definition. These rules are expressed in logical terms as follows:

  • “src address” equates to ((Direction == IN && src address == 192.168.1.0/24) || (Direction == OUT && dst address == 192.168.1.0/24))
  • “dst address” equates to ((Direction == IN && dst address == 192.168.1.0/24) || (Direction == OUT && src address == 192.168.1.0/24))

To filter the LAN IN traffic, use either the local LAN subnet as the source or the remote WAN subnet as the destination. To filter the WAN IN traffic, use either the remote WAN subnet as the source or the local LAN subnet as the destination. The best practice is to filter network traffic with the local LAN subnet in both the LAN link and WAN link definitions. This is because a real-world deployment can have multiple remote WAN subnets, and it is difficult to identify all of them. The following are examples of how to define the links:

  • LAN link definition: Local LAN subnet 192.168.1.0/24 is configured as Source IP address, and “Any” as Destination IP address in filter rules.
  • WAN link definition: Local LAN subnet 192.168.1.0/24 is configured to be Destination IP address, and “Any” as Source IP address in filter rules.

The following screenshots show how you can define the LAN link and WAN link:

Note: It is optional to configure adapter in the filter rules and Citrix recommends configuring adapter as “ANY”. If you configure the adapter, both LAN link and WAN link should use the same adapter, such as apa.1, in one-arm mode Citrix SD-WAN WANOP Edition appliance.
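The IN/OUT swap and the two recommended link definitions can be exercised against the four traffic flows described above. This is an added example, not Citrix code: the rule tuples, the host addresses and the extra remote subnet 172.16.5.0/24 are constructed for illustration. It also shows why definitions written on the remote subnet miss traffic to a remote site that was not listed.

```python
import ipaddress

LOCAL = "192.168.1.0/24"   # local LAN subnet from the article
REMOTE = "10.1.1.0/24"     # remote WAN subnet from the article

# Each link definition is (link name, field the rule is written on, subnet).
# This tuple layout is an assumption made for the example.
BEST_PRACTICE = [("LAN", "src", LOCAL), ("WAN", "dst", LOCAL)]
REMOTE_BASED = [("LAN", "dst", REMOTE), ("WAN", "src", REMOTE)]


def rule_matches(field, subnet, direction, src, dst):
    """Apply one filter rule, swapping src and dst for OUT as the article states."""
    if direction not in ("IN", "OUT"):
        raise ValueError(f"unknown direction: {direction}")
    if field == "src":
        # "src address": IN tests the packet source, OUT tests the destination.
        address = src if direction == "IN" else dst
    elif field == "dst":
        # "dst address": IN tests the packet destination, OUT tests the source.
        address = dst if direction == "IN" else src
    else:
        raise ValueError(f"unknown field: {field}")
    return ipaddress.ip_address(address) in ipaddress.ip_network(subnet)


def matching_links(links, direction, src, dst):
    """Names of the link definitions whose rule matches this packet."""
    return [name for name, field, subnet in links
            if rule_matches(field, subnet, direction, src, dst)]


# Constructed packets for the four flows: (label, direction, source, destination).
FLOWS = [
    ("LAN IN", "IN", "192.168.1.10", "10.1.1.20"),
    ("WAN OUT", "OUT", "192.168.1.10", "10.1.1.20"),
    ("WAN IN", "IN", "10.1.1.20", "192.168.1.10"),
    ("LAN OUT", "OUT", "10.1.1.20", "192.168.1.10"),
]

if __name__ == "__main__":
    for label, direction, src, dst in FLOWS:
        print(f"{label:8} {src} -> {dst}:",
              matching_links(BEST_PRACTICE, direction, src, dst))
    # Traffic to a remote subnet that nobody listed (constructed address).
    unlisted = ("IN", "192.168.1.10", "172.16.5.9")
    print("unlisted remote, local-subnet rules: ",
          matching_links(BEST_PRACTICE, *unlisted))
    print("unlisted remote, remote-subnet rules:",
          matching_links(REMOTE_BASED, *unlisted))
```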


NetScaler SD-WAN Path Continuously Flipping Between GOOD/BAD/DEAD on WAN Links

Something to observe here is whether the GOOD/BAD/DEAD is occurring while the link is idle, or while the link is under load (traffic).

The following information covers all cases, but this is the “most common root cause” for each scenario:

  • Idle – speed/duplex mismatch, ARP issue, IPS/IDS device and so on.

  • Under load – speed/duplex mismatch, misconfigured speed settings in NetScaler SD-WAN configuration, MTU issue and so on.

When a new link is installed, the following steps should be conducted:

  1. Test the speed of the new link. If the SD-WAN speed settings are configured for a higher throughput than the link can actually carry, the SD-WAN will try to send the full amount of the configured speed (at this time, there is no auto-discover bandwidth capability). As an example, if SD-WAN tries to send 5 Mb of traffic down a 3 Mb link, the SD-WAN will experience loss (path going “BAD”), and when the SD-WAN experiences too much loss the path is declared “DEAD.” Once the path returns to a “GOOD” state, SD-WAN will once again try to send data down the path and the cycle repeats. If a speed test is not possible, try adjusting the WAN link speed down to see if this improves performance. For a more permanent solution, run a speed test across the network using UDP port 4980 to validate that port 4980 will make it through the network and that the ISP is not dropping or handling UDP traffic differently than expected.

  2. Disable the SD-WAN service and ping all WAN link VIPs (all pings should fail), validating that there is no duplicate IP on the network for VIPs. Disable the appliance by going to Configuration > Virtual WAN > Enable/Disable/Purge Flows.

    The SD-WAN appliance will auto-detect a duplicate IP address and disable itself. This could be the reason for a path reporting a “Dead” Path State. However, if a duplicate IP address resides where the SD-WAN cannot detect the MAC address, the same symptoms could occur.

Next, work through the layers to troubleshoot this issue.

Layer 1

Verify the Ethernet settings by going to Configuration > Appliance Setting > Network Adaptors > Ethernet tab.

As shown in the following screen shot, the interfaces are set to auto-negotiate. The greyed out numbers will indicate what the ports have negotiated to. Also as shown in the following screen shot configured ports 1/1 and 1/3 have negotiated to 100Mb/Full, while port 1/2 has negotiated to 1000Mb/Full. If a connected port has been hard-coded to 100/Full and SD-WAN has been set for auto-negotiate, you might see 100Mb/Half.

Go to Monitor > Virtual WAN > Statistics > under Show, select Ethernet from the drop-down list. Verify if there are any interface errors.

Examine the interface settings on all applicable external devices (switch, firewall/router).

Layer 2

Go to Monitoring > Virtual WAN > Statistics > under Show, select ARP from the drop-down list.

Verify if the gateway’s ARP entry reply age exceeds 1000ms. SD-WAN will ARP for the gateway once per second. If the ARP reply is not received in less than 1000ms (1 second), the SD-WAN will then declare the path down. Some devices may have an ARP threshold (or ARP DoS setting) that must be adjusted or turned off.

Layer 3

Ping from WAN router to WAN router and verify whether you see drops. This could indicate a Service Provider issue.

Ping from WAN router to WAN router with the DF bit set to prevent fragmenting packets. See at what MTU the ping succeeds. Take a packet capture on the SD-WAN and see what the largest MTU size is. Adjust the WAN link MTU in the SD-WAN configuration if necessary.

There are also cases when the SD-WAN is connected between multiple switches to the WAN router. In this case, there could be a misconfigured MTU or duplex issue outside of the SD-WAN physical connections. This will typically show loss on the SD-WAN when user data is pushed through the WAN link, but when idle, very little if any loss will be seen.

Verify whether the IPS/IDS firewall features are turned on for UDP 4980. In SOHO routers, IPS is turned on by default and can cause degraded performance.

Verify if the SD-WAN appliance shares the WAN link with other traffic not flowing through the SD-WAN or unaccounted-for traffic. If SD-WAN is on a WAN link that is sharing the bandwidth with appliances on the LAN network (which does not go through the SD-WAN), consider properly configuring the firewall or router that terminates the WAN link to adequately provide a set bandwidth speed for the SD-WAN and the competing traffic which is routed to bypass the SD-WAN, then properly configure SD-WAN to that assigned speed. Also consider turning up the congestion sensitivity threshold (if SD-WAN shares the link) otherwise SD-WAN will significantly back off using that WAN Link when it encounters contention.

If the path is consistently BAD or known to have a certain level of packet loss, consider disabling the following function: Bad_Loss_Sensitive. Alternatively, use the path state configurability feature introduced in 9.0 to better control when SD-WAN takes the path into a BAD state.

Enabling this feature takes away from the SD-WAN’s default behavior of intelligently identifying when link quality starts to degrade due to characteristic changes of the line. So use this feature only with that in mind, and only when investigation of the poor-quality line has determined that the loss on the WAN link is expected and that the desired behavior is for the SD-WAN to continue using the link in that state without backing off its send rate or usage.


Smarts NCM: Does NCM support a device hardware change?

Article Number: 503857 Article Version: 3 Article Type: How To

Smarts Network Configuration Manager 9.4.2, Smarts Network Configuration Manager 9.4.1, Smarts Network Configuration Manager 9.3

Network Configuration Manager does not currently support changing device hardware from one model to another with history retention. For example, if a device is initially discovered as a Cisco IOS Switch and the hardware is updated to a Cisco IOS Router, the device must be removed from NCM. The history will be lost, and the device will need to be rediscovered.


Network test fails, clients won’t sync changes

For about the last week, I am seeing many of my client installs showing the grey question mark on the SEP tray icon. Hovering over the icon says “Connecting to Symantec”. The machines will not sync changes made in the web interface and fail the network test with message “Presence connection timed out heartbeat.s2.spn.com:443”. I am seeing this behavior on machines in several different geographic areas with different ISPs and router hardware.

Does anyone have any idea how to fix?

Thank you
