
Networking

Manage Cisco Catalyst in the (Meraki) Cloud

June 14, 2022 By Rowell 2 Comments

Table Of Contents
  1. Supported Platforms & Licensing
  2. Catalyst Wireless Support
  3. Features
  4. How do you get started?
  5. My Thoughts

Cisco Catalyst is coming to the Meraki cloud. Get ready to manage your Catalyst switches and access points using the Meraki dashboard.

With 47% of employees wanting to work with a hybrid option, cloud management infrastructure is a must.

Infrastructure we can manage and automate from anywhere creates a highly productive workforce.

Cisco has decided to bring flexibility for network operators by combining Meraki’s cloud management with Cisco Catalyst hardware. What you get is a centralized view of your network with real-time switch status and health.

It’s easier to monitor your network remotely and get traffic visibility where you weren’t able to previously.

Migrate to Meraki cloud monitoring for a unified view of your network infrastructure and troubleshoot from anywhere. Leverage the cloud and spend less time in the CLI using overlay management for your Catalyst hardware.

Catalyst 9500 switches

Supported Platforms & Licensing

Today, the Catalyst 9200, 9300 and 9500 switching platforms will be supported in the Meraki dashboard with two options:

  • Cloud Monitoring (monitor only)
  • Cloud Management (monitor and configuration)

The minimum firmware version to run on these switches is IOS-XE 17.3 or higher.

What about licensing?

Fully managed Catalyst switches will need to have DNA Advantage (DNA-A) or DNA Essentials (DNA-E).

Monitored Catalyst switches will use a Meraki license.

The difference between the two switching licenses is that DNA-E will not include application visibility or client usage data.

Will Meraki displace DNA Center? No. Cisco is providing flexibility and options. But you will need to decide where you want to manage your Catalyst infrastructure – Meraki, DNA Center, or standalone?

Once a Catalyst switch is fully managed by Meraki it will no longer be an IOS device. It will run Meraki software. But if it is a monitored switch, it can still be accessible via CLI.

Catalyst Wireless Support

Cisco is introducing three new Catalyst wireless access points that can be managed by the Meraki dashboard or a C9800 controller. Those are the:

  • CW9166
  • CW9164
  • CW9162

The SKUs with CW prepended will support either Meraki dashboard or the C9800 controller.

There isn’t much information on this yet but maybe more details will come out during Cisco Live 2022.

Features

This is the first iteration of Catalyst crossing over to the Meraki dashboard. We won’t see 100% feature parity of Catalyst switching features into the Meraki dashboard but it appears you can do basic monitoring and configuration. Additional details should be arriving soon.

Catalyst switches will run in one of two modes: monitor-only or fully-managed.

Some of the features already supported include the Topology view to see where your network infrastructure is connecting.

Viewing Catalyst switches in the Meraki Topology view

A centralized view of your network switches and which are in monitor only mode.

Viewing a list of Catalyst switches in the Meraki dashboard

Drill into an individual switch, such as the Catalyst 9500, within the Meraki dashboard.

Catalyst 9500 monitoring in the Meraki Dashboard

Don’t forget the Catalyst Wi-Fi management capability in the Meraki dashboard.

Catalyst access point (CW9166) in the Meraki dashboard

How do you get started?

It’s a three-step process to get started with monitoring Catalyst in the Meraki Dashboard:

  1. Collect your Catalyst device credentials
  2. Enable API access in your Meraki dashboard
  3. Use the Catalyst Onboarding app from the Meraki dashboard (Organization > Inventory)
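Step 2 turns on the Dashboard API, which is also the quickest way to confirm what the onboarding app left in Organization > Inventory. The Python below is an added example, not Cisco's or Meraki's code: it assumes the public Dashboard API endpoint GET /organizations/{organizationId}/inventory/devices with its X-Cisco-Meraki-API-Key header, reads the key and organization id from environment variables rather than hardcoding them, and otherwise runs offline against a constructed sample response (the serials and the model prefixes in CATALYST_PREFIXES are assumptions, not data from this post).

```python
import json
import os
import urllib.request

API_BASE = "https://api.meraki.com/api/v1"

# Assumed model prefixes used to pick Catalyst hardware out of a Meraki inventory.
CATALYST_PREFIXES = ("C9200", "C9300", "C9500", "CW9162", "CW9164", "CW9166")


def fetch_inventory(org_id, api_key):
    """GET the organization inventory from the Dashboard API (stdlib only)."""
    req = urllib.request.Request(
        f"{API_BASE}/organizations/{org_id}/inventory/devices",
        headers={"X-Cisco-Meraki-API-Key": api_key, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def catalyst_devices(inventory):
    """Inventory entries whose model is a Catalyst switch or a CW access point."""
    return [d for d in inventory
            if str(d.get("model", "")).upper().startswith(CATALYST_PREFIXES)]


def unassigned(devices):
    """Serials that are claimed into the org but not yet placed in a network."""
    return [d["serial"] for d in devices if not d.get("networkId")]


# Constructed sample shaped like the inventory response; serials are placeholders.
SAMPLE_INVENTORY = [
    {"serial": "XXXX-XXXX-0001", "model": "C9300-48P", "networkId": "N_1", "name": "core-1"},
    {"serial": "XXXX-XXXX-0002", "model": "C9500-16X", "networkId": None, "name": None},
    {"serial": "XXXX-XXXX-0003", "model": "MS225-48FP", "networkId": "N_1", "name": "ms-1"},
    {"serial": "XXXX-XXXX-0004", "model": "CW9166I", "networkId": "N_2", "name": "ap-1"},
]

if __name__ == "__main__":
    org_id = os.environ.get("MERAKI_ORG_ID")
    api_key = os.environ.get("MERAKI_API_KEY")
    inventory = fetch_inventory(org_id, api_key) if org_id and api_key else SAMPLE_INVENTORY
    cats = catalyst_devices(inventory)
    for d in cats:
        print(f"{d['serial']}  {d['model']:<12}  network={d.get('networkId') or '-'}")
    print("claimed but not yet in a network:", unassigned(cats))
```

Without the two environment variables the script only walks the sample data, so it can be read and run before any key is issued; when a key is present it lists the Catalyst devices that arrived in inventory and flags the ones still waiting to be added to a network.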

My Thoughts

Is Cisco going all-in with Meraki? While Cisco has been building on-prem software solutions, such as DNA Center, we’ve seen competitors place their bets in the cloud. Cisco has always provided multiple options and this could just be another option. An option where DNA Center couldn’t fit in an organization’s environment but Meraki can.

But what drives one towards DNA or Meraki? Will the options confuse people? I’m hoping the licensing model will become more simplified as it has been with Meraki.

This is a good move for those in their upgrade cycles. It’s easier to migrate to cloud management with Meraki but still have the feature-rich capabilities of the Catalyst product line.

I hope to see more feature extensibility with Meraki, API, and NETCONF. I can see so many benefits leveraging the Meraki dashboard.

I’m going to be keeping my eye out for more during Cisco Live 2022.

Allow Ping and Traceroute to Prisma SD-WAN ION

November 17, 2021 By Rowell 2 Comments

One way to know whether your configurations have gone right is if you can ping certain IP addresses. When I was migrating a network to a Palo Alto Networks Prisma SD-WAN ION, I wanted to ensure it had network connectivity.

The way I had planned to do that was by pinging the public IP address of the Prisma Ion appliance. I started to sweat when I couldn’t ping the IP. But I knew there was network connectivity when devices on the network were able to access the internet.

By default, the Prisma SD-WAN ION doesn’t respond to ping or traceroute. There’s a Device Management Policy that needs to have ping and traceroute allowed.

When you log into the CloudGenix portal, your URL will be https://portal.hood.cloudgenix.com/#home

Prisma (CloudGenix) SD-WAN Portal

Change home to advanced and hit Enter. You’ll land on a hidden menu.

You can take a look at all the options but right now I’m more interested in allowing Ping and Traceroute.

Click on Device Management Policy

Select your Site and click Done.

Now select your Element. An element is an ION.

Then select the Internet interface on that ION. I selected my Internet and bypass pair.

Then click on GET

You’ll see there is no device management policy for this interface. We’re going to create one.

Empty Interface policy

In the empty Name field, type in ALLOW_PING_TRACEROUTE

In the empty prefix text box, type in the prefix you will allow Ping and Traceroute from. I’m allowing it from any with 0.0.0.0/0.

In the App drop down box, select Ping.

In the Action drop down box, select Allow.

Do the same for Traceroute in the next line.

Click Submit.

You should now be able to Ping and Traceroute the public IP of your CloudGenix ION.

MAC Address Table on Cisco Switches

December 12, 2020 By Rowell Leave a Comment

Network switching fundamentals are required for CCNP Enterprise Core studies. We’ll review the MAC address table on a Cisco switch to learn how the device-to-port mapping is created and why it is needed.

We don’t think much about connecting our hosts to a Cisco switch. Whether 1 Gbps or 10 Gbps Ethernet ports, MAC address learning is performed the same way. 

Each host connecting to a switch port will have its MAC address entered into the switch’s MAC address table. 

The MAC address table is a way to map each port to a MAC address. This makes it efficient to forward traffic directly to a host. Without the MAC address table, traffic would be forwarded out each port, like a hub (hopefully you haven’t used one of those in a long time.)

MAC address table on a switch for CCNP ENCOR
MAC Address Table

Host A has a fictitious MAC address of AA:AA:AA:AA:AA:AA and it wants to send traffic to Host B with a fictitious MAC address of BB:BB:BB:BB:BB:BB. When the network switch receives the traffic destined for Host B, it knows to forward that traffic destined to interface g1/0/27 because the MAC address table lists Host B’s MAC address for interface g1/0/27. Assume they are also on the same VLAN.

What happens if a destination MAC address is not in the MAC address table? The switch must flood the traffic out of all ports in what’s called unknown unicast flooding. The switch wants the host with the destination MAC address to respond. 

What happens if the host is no longer connected? The host’s MAC address remains in the table until it ages out. There is a default aging timer. 

What happens if the host changes to a different port? The MAC address table is updated accordingly. 
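The learning, flooding, aging and port-move behaviour described above can be followed step by step in a small simulation. The Python below is an added example, not code from this post or from Cisco: Host A, Host B, VLAN 129 and interface g1/0/27 come from the text; the third port Gi1/0/5 and the frame timestamps are constructed, and the aging default of 300 seconds is the Cisco IOS default.

```python
from dataclasses import dataclass, field


@dataclass
class MacEntry:
    port: str
    learned_at: float   # seconds; compared against the aging timer


@dataclass
class LearningSwitch:
    ports: list                                # member ports of the VLAN being simulated
    aging_secs: float = 300.0                  # Cisco IOS default MAC aging time
    table: dict = field(default_factory=dict)  # (vlan, mac) -> MacEntry

    def _age_out(self, now):
        """Drop entries that have not been refreshed within the aging time."""
        expired = [k for k, e in self.table.items() if now - e.learned_at > self.aging_secs]
        for key in expired:
            del self.table[key]

    def receive(self, in_port, vlan, src, dst, now):
        """Learn src on in_port, then return the list of ports the frame goes out of."""
        self._age_out(now)
        # Learning: a host that moved to another port simply overwrites its entry.
        self.table[(vlan, src.lower())] = MacEntry(in_port, now)
        entry = self.table.get((vlan, dst.lower()))
        if entry is None:
            # Unknown unicast flooding: every port in the VLAN except the ingress port.
            return [p for p in self.ports if p != in_port]
        if entry.port == in_port:
            return []   # destination sits on the ingress segment: filter the frame
        return [entry.port]


def demo():
    """Walk through the scenarios from the text with hosts A and B."""
    sw = LearningSwitch(ports=["Gi1/0/1", "Gi1/0/27", "Gi1/0/5"])
    a, b = "AA:AA:AA:AA:AA:AA", "BB:BB:BB:BB:BB:BB"
    r = {}
    r["first_a_to_b"] = sw.receive("Gi1/0/1", 129, a, b, now=0.0)   # B unknown -> flood
    r["b_reply"] = sw.receive("Gi1/0/27", 129, b, a, now=1.0)       # A known -> Gi1/0/1
    r["a_to_b_again"] = sw.receive("Gi1/0/1", 129, a, b, now=2.0)   # B known -> Gi1/0/27
    r["b_moves"] = sw.receive("Gi1/0/5", 129, b, a, now=3.0)        # B now on Gi1/0/5
    r["port_of_b"] = sw.table[(129, b.lower())].port
    r["after_aging"] = sw.receive("Gi1/0/1", 129, a, b, now=400.0)  # B aged out -> flood
    return r


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<14} {result}")
```

The last step is the one worth noticing operationally: once B's entry ages out, a frame for B is flooded to every port in the VLAN again, which is why a quiet host reappearing after the aging timer briefly looks like unknown unicast traffic on unrelated ports.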

How to view the Cisco MAC address table

First, let’s see what’s connected to my Cisco switch.

sw1#show interface status | include connected
Gi1/0/1                      connected    129        a-full  a-100 10/100/1000BaseTX
Gi1/0/3                      connected    trunk      a-full a-1000 10/100/1000BaseTX
Gi1/0/9   3504               connected    trunk      a-full a-1000 10/100/1000BaseTX
Gi1/0/14                     connected    trunk      a-full a-1000 10/100/1000BaseTX

Next, we use a show command to view the MAC address table of all dynamically learned addresses:

show mac address-table dynamic

The dynamic MAC addresses on my switch:

sw1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 129    0017.88a9.b5dc    DYNAMIC     Gi1/0/1
 129    7483.c279.3a4c    DYNAMIC     Gi1/0/14
 129    c869.cd81.2307    DYNAMIC     Gi1/0/14
 103    000c.2979.60af    DYNAMIC     Gi1/0/14
 103    38f9.d329.a785    DYNAMIC     Gi1/0/14
 103    3c52.82af.08b6    DYNAMIC     Gi1/0/14
 103    5032.37d2.9089    DYNAMIC     Gi1/0/14
 103    6cae.f6b0.3fd2    DYNAMIC     Gi1/0/14
 103    701f.53b7.da81    DYNAMIC     Gi1/0/9
 103    7483.c279.3a4c    DYNAMIC     Gi1/0/14
 103    8e0a.c4f3.5e49    DYNAMIC     Gi1/0/14
 103    9c20.7bb9.6f35    DYNAMIC     Gi1/0/14
 103    b02a.4357.9868    DYNAMIC     Gi1/0/14
 120    18e8.29b0.84b8    DYNAMIC     Gi1/0/14
 140    000c.2979.60a5    DYNAMIC     Gi1/0/14
 140    000c.2979.60b9    DYNAMIC     Gi1/0/14
 140    0011.329f.c5a1    DYNAMIC     Gi1/0/14
   1    18e8.29b0.84b8    DYNAMIC     Gi1/0/14
   1    18e8.29b0.84b9    DYNAMIC     Gi1/0/14
   1    7483.c273.d835    DYNAMIC     Gi1/0/14
   3    5c5b.3550.0776    DYNAMIC     Gi1/0/3
   3    7483.c279.3a4c    DYNAMIC     Gi1/0/14
Total Mac Addresses for this criterion: 22

Viewing the MAC address seen on a specific interface

What if we want to verify what MAC address is seen off an individual port? This is useful for troubleshooting and verifying where a host might be located. The command syntax is:

show mac address-table interface <interface-name>

Here’s the output on my switch for interface g1/0/9:

sw1#show mac address-table interface g1/0/9
           Mac Address Table
 Vlan    Mac Address       Type        Ports
 ----    -----------       --------    -----
  103    701f.53b7.da81    DYNAMIC     Gi1/0/9

View MAC addresses for a specific VLAN

It’s possible to view all learned MAC addresses for a specific VLAN. I use this command to ensure I’ve trunked a VLAN across all necessary uplinks. The command syntax is:

show mac address-table vlan <vlan-id>

The output on my switch for vlan 103:

sw1#show mac address-table dynamic vlan 103
           Mac Address Table
 Vlan    Mac Address       Type        Ports
 ----    -----------       --------    -----
  103    000c.2979.60af    DYNAMIC     Gi1/0/14
  103    38f9.d329.a785    DYNAMIC     Gi1/0/14
  103    5032.37d2.9089    DYNAMIC     Gi1/0/14
  103    6cae.f6b0.3fd2    DYNAMIC     Gi1/0/14
  103    701f.53b7.da81    DYNAMIC     Gi1/0/9
  103    7483.c279.3a4c    DYNAMIC     Gi1/0/14
  103    8e0a.c4f3.5e49    DYNAMIC     Gi1/0/14
  103    b02a.4357.9868    DYNAMIC     Gi1/0/14
  103    f65a.0212.e051    DYNAMIC     Gi1/0/14
 Total Mac Addresses for this criterion: 9
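The three views above (all dynamic entries, per interface, per VLAN) are the same data sliced three ways, and once the output is parsed the slices come for free, along with two checks a switch operator usually wants: which MACs show up in several VLANs and which access ports carry more MACs than they should. The Python below is an added example, not code from this post or from Cisco; its sample input is an excerpt of the `show mac address-table dynamic` output shown above, and TRUNK_PORTS is taken from the `show interface status` output.

```python
import re
from collections import defaultdict

# Matches one learned entry: "<vlan>  <mac in xxxx.xxxx.xxxx form>  <type>  <port>".
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I
)

# Trunk ports from the 'show interface status' output above; everything else is access.
TRUNK_PORTS = {"Gi1/0/3", "Gi1/0/9", "Gi1/0/14"}

# Excerpt of the 'show mac address-table dynamic' output shown above.
SAMPLE_OUTPUT = """\
sw1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 129    0017.88a9.b5dc    DYNAMIC     Gi1/0/1
 129    7483.c279.3a4c    DYNAMIC     Gi1/0/14
 103    000c.2979.60af    DYNAMIC     Gi1/0/14
 103    701f.53b7.da81    DYNAMIC     Gi1/0/9
 103    7483.c279.3a4c    DYNAMIC     Gi1/0/14
   1    18e8.29b0.84b8    DYNAMIC     Gi1/0/14
   3    5c5b.3550.0776    DYNAMIC     Gi1/0/3
   3    7483.c279.3a4c    DYNAMIC     Gi1/0/14
Total Mac Addresses for this criterion: 8
"""


def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples; header and total lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            vlan, mac, typ, port = m.groups()
            rows.append((int(vlan), mac.lower(), typ.upper(), port))
    return rows


def by_port(rows):
    """Same view as 'show mac address-table interface <name>': port -> [(vlan, mac)]."""
    view = defaultdict(list)
    for vlan, mac, _, port in rows:
        view[port].append((vlan, mac))
    return dict(view)


def by_vlan(rows):
    """Same view as 'show mac address-table vlan <id>': vlan -> [(mac, port)]."""
    view = defaultdict(list)
    for vlan, mac, _, port in rows:
        view[vlan].append((mac, port))
    return dict(view)


def multi_vlan_macs(rows):
    """MACs learned in more than one VLAN (normally a router or firewall behind a trunk)."""
    vlans = defaultdict(set)
    for vlan, mac, _, _ in rows:
        vlans[mac].add(vlan)
    return {mac: sorted(v) for mac, v in vlans.items() if len(v) > 1}


def crowded_access_ports(rows, trunk_ports, limit=1):
    """Access ports carrying more MACs than expected: an unmanaged switch or hub
    hanging off the port, or the table being flooded. Worth a port-security check."""
    return sorted(p for p, macs in by_port(rows).items()
                  if p not in trunk_ports and len(macs) > limit)


if __name__ == "__main__":
    rows = parse_mac_table(SAMPLE_OUTPUT)
    print("entries:", len(rows))
    print("on Gi1/0/9:", by_port(rows).get("Gi1/0/9"))
    print("VLAN 103:", by_vlan(rows).get(103))
    print("multi-VLAN MACs:", multi_vlan_macs(rows))
    print("crowded access ports:", crowded_access_ports(rows, TRUNK_PORTS))
```

On the excerpt, 7483.c279.3a4c is the one address seen in VLANs 3, 103 and 129, which is what a router or firewall on the Gi1/0/14 trunk looks like; no access port is crowded, because Gi1/0/1 holds exactly one MAC. Feeding the function a trunk list that omits Gi1/0/14 shows how a port with many learned MACs would be reported.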

UniFi Switch Port Profiles

November 24, 2020 By Rowell 8 Comments

Consistency in configuration is key for management and troubleshooting. The UniFi platform allows the configuration of Profiles. I’ll be looking at Switch Port Profiles in order to quickly set parameters to a switch port with just a drop down option.

In my lab, I have an 8-port UniFi switch, UniFi Cloud Key Gen2 Plus, and a UniFi Security Gateway (USG).

As an example, let’s say there’s an environment where many access points will connect. In my Wi-Fi network I’ll have two SSIDs broadcasting, both on different subnets. Rather than going to every single port, converting it to a trunk and allowing the specific VLANs, I’d like to just select a Switch Port Profile to configure all of that for me.

Log into your UniFi dashboard and click on the Gear icon located on the bottom left of the window. Once the Settings page is available, on the left navigation under Settings, click on Profiles.

Profiles has two sections, RADIUS and Switch Ports. Click on Switch Ports.

I already have Switch Port profiles configured. But we’ll add a new one for this example. On the bottom, click on Add New Port Profile.

Next, we enter the various parameters for our UniFi Switch Port Profile. Give it a descriptive name. Since I’m configuring this profile for access points I will enable PoE/PoE+.

My access points will be plugged into a trunk port. I’ll need to set the Native VLAN or what UniFi calls the Native Network. I like to place all my access points on my infrastructure VLAN which I’ve selected in the drop down. 

Next, we tag the networks we want to include on this trunk. These are the two networks I’ll map to my SSIDs.

The other settings I’ll leave as default. But we could modify settings such as the Link Speed or maybe set up Storm Control. There have been scenarios where I’ve needed to set a threshold for multicast or broadcast.

Once finished, click on Save.

Now it’s time to use this Switch Port Profile. I head over to Devices and select my UniFi switch.

I see the switch ports I can modify. Select one of the ports to bring up the menu so we can modify the settings.

Hover over the port you want to configure and click on the pencil icon to modify.

Within the individual switch port, we can select a Switch Port Profile, the one we just configured, in the drop down menu. Select this profile and click on Apply.

The switch port is now configured as a trunk with the requirements we need to properly allow the broadcast and operation of our Wi-Fi network. 

Switch Port Profiles can be configured to your requirements. In my example, I used access points. But maybe you have a set of different server port configurations. Configure the Switch Port Profile and now it’s much simpler, efficient, and clean to set the port configuration. 

Sure, you can set up the port to be a trunk allowing all VLANs, but why should you allow VLANs on a port that isn’t required to be on? 

Nmap Ping Sweep

November 12, 2020 By Rowell Leave a Comment

Identifying what hosts are alive on a network can be a simple task with nmap. It’s a utility I have installed on my computer, often used for security analysis.

But sometimes I forget what flags to use for a simple ping sweep of active devices on a network.

nmap -sP <subnet>/<mask>

Here’s the output for my lab:

% nmap -sP 172.16.103.0/24
 Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-06 22:47 PST
 Nmap scan report for 172.16.103.1
 Host is up (0.010s latency).
 Nmap scan report for 172.16.103.2
 Host is up (0.018s latency).
 Nmap scan report for 172.16.103.10
 Host is up (0.010s latency).
 Nmap scan report for 172.16.103.37
 Host is up (0.0015s latency).
 Nmap scan report for 172.16.103.46
 Host is up (0.078s latency).
 Nmap scan report for 172.16.103.62
 Host is up (0.069s latency).
 Nmap scan report for 172.16.103.63
 Host is up (0.013s latency).
 Nmap scan report for 172.16.103.64
 Host is up (0.069s latency).
 Nmap scan report for 172.16.103.69
 Host is up (0.037s latency).
 Nmap scan report for 172.16.103.70
 Host is up (0.037s latency).
 Nmap scan report for 172.16.103.71
 Host is up (0.015s latency).
 Nmap scan report for 172.16.103.72
 Host is up (0.046s latency).
 Nmap scan report for 172.16.103.74
 Host is up (0.055s latency).
 Nmap scan report for 172.16.103.76
 Host is up (0.068s latency).
 Nmap scan report for 172.16.103.77
 Host is up (0.072s latency).
 Nmap scan report for 172.16.103.78
 Host is up (0.087s latency).
 Nmap scan report for 172.16.103.85
 Host is up (0.041s latency).
 Nmap done: 256 IP addresses (17 hosts up) scanned in 4.44 seconds
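A sweep like this is most useful when its result is compared against what is supposed to be on the subnet, so that a host nobody inventoried stands out. The Python below is an added example, not code from this post or from the Nmap project: it parses the text output format shown above (`-sP` is the older spelling of `-sn`, and both print the same "Nmap scan report for" / "Host is up" pairs), works on an excerpt of the output above as constructed input, and compares the live hosts with a constructed KNOWN_HOSTS inventory, which is an assumption, not data from the post.

```python
import ipaddress
import re

# "Nmap scan report for 172.16.103.1" or "Nmap scan report for name (172.16.103.1)".
REPORT_RE = re.compile(r"^\s*Nmap scan report for .*?(\d{1,3}(?:\.\d{1,3}){3})\)?\s*$")
UP_RE = re.compile(r"^\s*Host is up \(([\d.]+)s latency\)")

# Excerpt of the sweep output shown above.
SAMPLE_SWEEP = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-06 22:47 PST
Nmap scan report for 172.16.103.1
Host is up (0.010s latency).
Nmap scan report for 172.16.103.2
Host is up (0.018s latency).
Nmap scan report for 172.16.103.10
Host is up (0.010s latency).
Nmap scan report for 172.16.103.37
Host is up (0.0015s latency).
Nmap scan report for 172.16.103.46
Host is up (0.078s latency).
Nmap scan report for 172.16.103.62
Host is up (0.069s latency).
Nmap done: 256 IP addresses (6 hosts up) scanned in 4.44 seconds
"""

# Constructed inventory of addresses expected on the subnet (an assumption).
KNOWN_HOSTS = {"172.16.103.1", "172.16.103.2", "172.16.103.10"}


def parse_ping_sweep(text):
    """Map each live IP in nmap's normal output to its reported latency in seconds."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = UP_RE.match(line)
        if m and current:
            hosts[current] = float(m.group(1))
            current = None
    return hosts


def unexpected_hosts(live, inventory, subnet):
    """Live addresses inside `subnet` that are missing from the inventory."""
    net = ipaddress.ip_network(subnet)
    return sorted((ip for ip in live
                   if ipaddress.ip_address(ip) in net and ip not in inventory),
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    live = parse_ping_sweep(SAMPLE_SWEEP)
    print(f"{len(live)} hosts up")
    for ip in unexpected_hosts(live, KNOWN_HOSTS, "172.16.103.0/24"):
        print(f"not in inventory: {ip} ({live[ip]:.4f}s)")
```

Piping a real sweep in is a matter of replacing SAMPLE_SWEEP with the captured stdout of `nmap -sn`; the regex also copes with the reverse-DNS form of the report line, which the lab output above happens not to show.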