Sunday, December 31, 2017

Cisco CCNP:300-115 - 1.1 Configure and verify switch administration: 1.1.a SDM templates - Saqib

Recently I needed to renew my Cisco CCNPs, that is both CCNP Routing and Switching as well as CCNP Security. While working with Cisco products (well now they own SourceFire, so exclude these) is not within my daily duties, I still thought it was important for me to maintain these two credentials. As a result, I've put together my notes below focusing on the key points I used to study. I believe that someone else may find them useful.

- Used for optimizing system resources on the switch for specific features
              - SDM stands for Switching Database Manager
              - Manages Layer2 and Layer3 switching information
              - SDMs are maintained in the switch TCAM, which is used for forwarding lookups. Lookups are done in hardware
              - Most switches have a single TCAM, which is shared between L2 and L3 forwarding entries
              - 3 predefined types of SDM templates:
                -> Access Template
                      - Maximizes the system for Access Control Lists (ACLs)
                      - Used to optimize the system for a large number of ACLs
                -> Routing Template
                      - Do not use if you do not have routing enabled on the switch
                      - Maximizes resources for IPv4 Unicast routing
                      - Switch has to be acting as a router or route aggregator
                      - When enabled prevents other features from using memory allocated to Unicast Routing
                -> VLAN Template
                      - Unicast Routing is Disabled
                      - Allows for the maximum number of supported MAC addresses
                      - Implemented when the switch is purely a layer 2 device
                      - Typically selected for L2 switches
                      - Should be used only on switches intended for L2 functionality and no routing
                      - No system resources are allocated for routing entries, so any routing is done in software
                      - If routing is enabled anyway, the CPU becomes overloaded, which degrades routing performance
                -> Default Template
                      - Best of Access, Routing and VLAN templates
                      - Balances resources
                ->  dual-ipv4-and-ipv6 Template
                      - Attempting to enable IPv6 without first enabling this template generates a warning message
                      - Do not use if you plan to use only IPv4
                      - Enables dual stack environment
                      - Has the following sub templates:
                          - VLAN
                          - Routing
                          - Default                 
              - Each template has two versions a "Desktop Template" and an "Aggregator Template"
              - "Aggregator Template" is limited to specific switches
              - "Default" Template is the default template for Desktop switches
              - "Aggregator" Template is the default template for  3750-12s
              - After modifying a template, a "Reload" is required for the new template to become effective
              - If being used on a stack, the SDM template on the master, overrides any SDM templates on a newly added switch
              - Larger TCAM size available in the "Aggregator Template"
              - Only 3750-12S supports the larger TCAM
              - All other switches ONLY support the "Desktop Template"
              - If "Desktop" keyword is not entered on an aggregator switch, the "Aggregator Template" is used
              - An IPv4 route requires only 1 TCAM entry
              - An IPv6 route can require MORE THAN 1 TCAM entry
              - For IPv6 the "Desktop Template" can allow fewer than 2000 entries for directly connected IP addresses
              - All switches in a stack use the SDM template used by the master. This can be either the "Desktop Template" or the "Aggregator Template"
              - If a switch which supports the aggregator template, such as a 3750-12s, is added to a stack in which the master is using the "Desktop Template", that switch's template is downgraded to match
              - If a switch (non 3750-12s) using the "Desktop template" is added to a stack in which the Master (3750-12s) is using the "Aggregator" template, the new switch goes into "SDM Mismatch" mode. The stack master does not attempt to change the SDM template and the switch cannot be a functioning member of the stack.
              - If the stack master is a 3750-12s, changing the SDM template can have the following effects:
                - Changing the template from "Aggregator" to "Desktop" and reloading can result in:
                    - The entire stack now operates with the "Desktop" template
                    - Configuration losses if the number of TCAM entries exceeds the "Desktop template" sizes
                - Changing the template from "Desktop" to "Aggregator" and reloading can result in the following:
                    - Desktop switches which were part of the stack go into "SDM Mismatch" mode
                    - When a switch goes into "SDM Mismatch" mode, a syslog message is sent to the Stack Master notifying it of the switch being in "SDM Mismatch" mode and the actions to bring the switch out of "SDM Mismatch" mode
                - Use the "show switch" privilege exec mode command to look for switches in "SDM Mismatch" mode
        - To Set the template use in:
              SecurityNik(config)#sdm prefer ?
                          access              Access bias
                          default             Default bias
                          dual-ipv4-and-ipv6  Support both IPv4 and IPv6
                          routing             Unicast bias
                          vlan                VLAN bias
        - Remember to reload after choosing the template by using
              SecurityNik#reload ?
                          *Apr 15 02:22:56.882: %SYS-5-CONFIG_I: Configured from console by console?
                          /noverify    Don't verify file signature before reload.
                          /verify      Verify file signature before reload.
                          LINE         Reason for reload
                          at           Reload at a specific time/date
                          cancel       Cancel pending reload
                          in           Reload after a time interval
                          slot         Slot number card
                          standby-cpu  Standby RP
        - To See the current SDM configuration in use or to see a specific template use:
              SecurityNik#show sdm prefer ?
                          access              Access bias
                          default             Default bias
                          dual-ipv4-and-ipv6  Support both IPv4 and IPv6
                          routing             Unicast bias
                          vlan                VLAN bias
                          |                   Output modifiers
        - When a template is changed and the system has not yet been reloaded, "SecurityNik#show sdm prefer" will include a message about the template that will be used at the next reload.
              - SecurityNik#show sdm prefer
                  The current template is "desktop default" template.
                    ..... (Omitted for brevity)
                  On next reload, template will be "desktop access IPv4" template.
        - To revert to the default policy enter:
              SecurityNik(config)#no sdm prefer
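The two checks these notes describe by hand (reading "show sdm prefer" for the running template and any change pending a reload, and reading "show switch" for members stuck in "SDM Mismatch" mode) are easy to automate for a fleet. The script below is an added example, not part of the original notes and not Cisco code; the two sample outputs are constructed to follow the documented 3750 layout rather than captured from a device, and the conversion of a "K" figure to 1024 TCAM entries is an assumption.

```python
import re

# Constructed sample of "show sdm prefer" output (modelled on the
# documented 3750 format, not captured from a real device).
SAMPLE_SHOW_SDM_PREFER = """\
 The current template is "desktop default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K
 On next reload, template will be "desktop access" template.
"""

# Constructed sample of "show switch" output for a three-member stack.
SAMPLE_SHOW_SWITCH = """\
Switch/Stack Mac Address : 0000.0000.0001
                                           H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
*1       Master 0000.0000.0001     15     0       Ready
 2       Member 0000.0000.0002     1      0       SDM Mismatch
 3       Member 0000.0000.0003     1      0       Ready
"""

CURRENT_RE = re.compile(r'current template is "([^"]+)" template')
NEXT_RE = re.compile(r'On next reload, template will be "([^"]+)" template')
RESOURCE_RE = re.compile(r"^\s*(number of [^:]+):\s+([\d.]+)(K?)\s*$", re.MULTILINE)
# Switch#, Role, MAC, Priority, H/W Version, then the State column to end of line.
MEMBER_RE = re.compile(r"^\*?\s*(\d+)\s+\w+\s+\S+\s+\d+\s+\d+\s+(.+?)\s*$")


def to_entries(value, suffix):
    """Convert a "6K" / "0.5K" / "0" figure to an entry count.
    Assumption: K means 1024 TCAM entries (so 0.5K -> 512)."""
    n = float(value)
    return int(n * 1024) if suffix == "K" else int(n)


def parse_sdm_prefer(text):
    """Return the running template, the template pending at next reload
    (None when no change is pending) and the per-resource entry counts."""
    cur = CURRENT_RE.search(text)
    nxt = NEXT_RE.search(text)
    resources = {name: to_entries(val, k) for name, val, k in RESOURCE_RE.findall(text)}
    return {
        "current": cur.group(1) if cur else None,
        "next_reload": nxt.group(1) if nxt else None,
        "resources": resources,
    }


def sdm_mismatch_members(text):
    """Return the switch numbers whose State column reads "SDM Mismatch"."""
    members = []
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m and m.group(2) == "SDM Mismatch":
            members.append(int(m.group(1)))
    return members


def audit(sdm_text, switch_text, expected_template):
    """Compare device output against the template the design calls for and
    return a list of findings (an empty list means no drift was detected)."""
    findings = []
    sdm = parse_sdm_prefer(sdm_text)
    if sdm["current"] != expected_template:
        findings.append(f'running template is "{sdm["current"]}", expected "{expected_template}"')
    if sdm["next_reload"] and sdm["next_reload"] != sdm["current"]:
        findings.append(f'change to "{sdm["next_reload"]}" is configured but not active until reload')
    if sdm["resources"].get("number of IPv4 unicast routes") == 0:
        findings.append("template reserves no TCAM for IPv4 routes; any routing runs in software")
    for member in sdm_mismatch_members(switch_text):
        findings.append(f"stack member {member} is in SDM Mismatch mode and is not a functioning member")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHOW_SDM_PREFER, SAMPLE_SHOW_SWITCH, "desktop default"):
        print("FINDING:", finding)
```

Run against the constructed samples it reports two findings: the "desktop access" change that is still waiting on a reload, and stack member 2 sitting in "SDM Mismatch" mode. Feeding it real output collected over SSH turns the reload-pending state and the mismatch state into alerts rather than something discovered during an outage.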
