2014年3月10日星期一

EOL and EOS Announcement for Cisco 2960 Series Switches

According to cisco.com, some of the most popular Cisco 2960 series switches are coming to their EOS and EOL, the table 1 and table 2 will tell you the details:
Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s).

Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available under the terms and conditions of customers' service contract.

Table 1. End-of-Life Milestones and Dates for the Cisco Catalyst 2960 Series Switches

Milestone

Definition

Date

End-of-Life Announcement Date

The date the document that announces the end-of-sale and end-of-life of a product is distributed to the general public.

October 31, 2013

End-of-Sale Date

The last date to order the product through Cisco point-of-sale mechanisms. The product is no longer for sale after this date.

October 31, 2014

Last Ship Date:
HW

The last-possible ship date that can be requested of Cisco and/or its contract manufacturers. Actual ship date is dependent on lead time.

January 29, 2015

End of SW Maintenance Releases Date:
HW

The last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will no longer develop, repair, maintain, or test the product software.

October 31, 2015

End of Vulnerability/Security Support:
HW

The last date that Cisco Engineering may release a planned maintenance release or scheduled software remedy for a security vulnerability issue.

October 30, 2017

End of Routine Failure Analysis Date:
HW

The last-possible date a routine failure analysis may be performed to determine the cause of hardware product failure or defect.

October 31, 2015

End of New Service Attachment Date:
HW

For equipment and software that is not covered by a service-and-support contract, this is the last date to order a new service-and-support contract or add the equipment and/or software to an existing service-and-support contract.

October 31, 2015

End of Service Contract Renewal Date:
HW

The last date to extend or renew a service contract for the product.

January 29, 2019

Last Date of Support:
HW

The last date to receive applicable service and support for the product as entitled by active service contracts or by warranty terms and conditions. After this date, all support services for the product are unavailable, and the product becomes obsolete.

October 31, 2019

HW = Hardware OS SW = Operating System Software App. SW = Application Software

Table 2. Product Part Numbers Affected by This Announcement


End-of-Sale Product Part Number

Product Description

Replacement Product Part Number

Replacement Product Description

Additional Information

WS-C2960-24-S

Catalyst 2960 24 10/100 LAN Lite Image

WS-C2960+24TC-S

Catalyst 2960 Plus 24 10/100 + 2 T/SFP LAN Lite

-

WS-C2960-24LC-S

Catalyst 2960 24 10/100 (8 PoE) + 2 T/SFP LAN Lite Image

WS-C2960+24LC-S

Catalyst 2960 Plus 24 10/100 (8 PoE) + 2 T/SFP LAN Lite

-

WS-C2960-24LT-L

Catalyst 2960 24 10/100 (8 PoE)+ 2 1000BT LAN Base Image

WS-C2960+24LC-L

Catalyst 2960 Plus 24 10/100 (8 PoE) + 2 T/SFP LAN Base

-


Catalyst 2960 24 10/100 PoE + 2 T/SFP LAN Base Image

WS-C2960+24PC-L

Catalyst 2960 Plus 24 10/100 PoE + 2 T/SFP LAN Base

-

WS-C2960-24PC-S

Catalyst 2960 24 10/100 PoE + 2 T/SFP LAN Lite Image

WS-C2960+24PC-S

Catalyst 2960 Plus 24 10/100 PoE + 2 T/SFP LAN Lite

-

WS-C2960-24TC-L

Catalyst 2960 24 10/100 + 2T/SFP LAN Base Image

WS-C2960+24TC-L

Catalyst 2960 Plus 24 10/100 + 2T/SFP LAN Base

-

WS-C2960-24TC-S

Catalyst 2960 24 10/100 + 2 T/SFP LAN Lite Image

WS-C2960+24TC-S

Catalyst 2960 Plus 24 10/100 + 2 T/SFP LAN Lite

-


Catalyst 2960 24 10/100 + 2 1000BT LAN Base Image

WS-C2960+24TC-L

Catalyst 2960 Plus 24 10/100 + 2T/SFP LAN Base

-

WS-C2960-48PST-L

Catalyst 2960 48 10/100 PoE + 2 1000BT +2 SFP LAN Base Image

WS-C2960+48PST-L

Catalyst 2960 Plus 48 10/100 PoE + 2 1000BT +2 SFP LAN Base

-

WS-C2960-48PST-S

Catalyst 2960 48 10/100 PoE + 2 1000BT +2 SFP LAN Lite Image

WS-C2960+48PST-S

Catalyst 2960 Plus 48 10/100 PoE + 2 1000BT +2 SFP LAN Lite

-

WS-C2960-48TC-L

Catalyst 2960 48 10/100 + 2 T/SFP LAN Base Image

WS-C2960+48TC-L

Catalyst 2960 Plus 48 10/100 + 2 T/SFP LAN Base

-

WS-C2960-48TC-S

Catalyst 2960 48 10/100 + 2 T/SFP LAN Lite Image

WS-C2960+48TC-S

Catalyst 2960 Plus 48 10/100 + 2 T/SFP LAN Lite

-


Catalyst 2960 48 10/100 + 2 1000BT LAN Base Image

WS-C2960+48TC-L

Catalyst 2960 Plus 48 10/100 + 2 T/SFP LAN Base

-

WS-C2960-48TT-S

Catalyst 2960 48 10/100 + 2 1000BT LAN Lite Image

WS-C2960+48TC-S

Catalyst 2960 Plus 48 10/100 + 2 T/SFP LAN Lite

-
It is referred from: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/eos-eol-notice-c51-730121.html

2014年3月3日星期一

Why the Virtual Switches Need Bpdu Guard

I have receive the question as below:
What happens if a VM running within a vSphere host sends a BPDU? Will it get dropped by the vSwitch or will it be sent to the physical switch (potentially triggering BPDU guard)?

Last, I got the answer from visibly harassed Kurt (@networkjanitor) Bales during the Networking Tech Field Day; one of his customers has managed to do just that.


Here’s a sketchy overview of what was going on: they were running a Windows VM inside his VMware infrastructure, decided to configure bridging between a vNIC and a VPN link, and the VM started to send BPDUs through the vNIC. vSwitch ignored them, but the physical switch didn’t – it shut down the port, cutting a number of VMs off the network.
Best case, BPDU guard on the physical switch blocks but doesn’t shut down the port – all VMs pinned to that link get blackholed, but the damage stops there. More often BPDU guard shuts down the physical port (the reaction of BPDU guard is vendor/switch-specific), VMs using that port get pinned to another port, and the misconfigured VM triggers BPDU guard on yet another port, until the whole vSphere host is cut off from the rest of the network. Absolutely worst case, you’re running VMware High Availability, the vSphere host triggers isolation response, and the offending VM is restarted on another host (eventually bringing down the whole cluster).

There is only one good solution to this problem: implement BPDU guard on the virtual switch. Unfortunately, no virtual switch running in VMware environment implements BPDU guard.

Nexus 1000V seems to offer a viable alternative. It has an implicit BPDU filter (you cannot configure it) that would block the BPDUs coming from a VM, but that only hides the problem – you could still get forwarding loops if a VM bridges between two vNICs connected to the same LAN. However, you can reject forged transmits (source-MAC-based filter, a standard vSphere feature) to block bridged packets coming from a VM.

Lacking Nexus 1000V, you can use a virtual firewall (example: vShield App) that can filter layer-2 packets based on ethertype. Yet again, you should combine that with rejection of forged transmits.

In theory, an interesting approach might be to use VM-FEX. A VM using VM-FEX is connected directly to a logical interface in the upstream switch and the BPDU guard configured on that interface would shut down just the offending VM. Unfortunately, I can’t find a way to configure BPDU guard in UCS Manager.

Other alternatives to BPDU guard in a vSwitch range from bad to worse:

Disable BPDU guard on the physical Cisco Switch. You’ve just moved the problem from access to distribution layer (if you use BPDU guard there) ... or you’ve made the whole layer-2 domain totally unstable, as any VM could cause STP topology change.

Enable BPDU filter on the physical switch. Even worse – if someone actually manages to configure bridging between two vNICs (or two physical NICs in a Hyper-V host), you’re toast; BPDU filter causes the physical switch to pretend the problem doesn’t exist.

Enable BPDU filter on the physical switch and reject forged transmits in vSwitch. This one protects against bridging within a VM, but not against physical server misconfiguration. If you’re absolutely utterly positive all your physical servers are vSphere hosts, you can use this approach (vSwitch has built-in loop prevention); if there’s a minimal chance someone might connect bare-metal server or a Hyper-V/XenServer host to your network, don’t even think about using BPDU filter on the physical switch.


Summary

BPDU filter available in Nexus 1000V or ethertype-based filters available in virtual firewalls can stop the BPDUs within the vSphere host (and thus protect the physical links). If you combine it with forged transmit rejection, you get a solution that protects the network from almost any VM-level misconfiguration.

However, I would still prefer a proper BPDU guard with logging in the virtual switches for several reasons:

BPDU filter just masks the configuration problem;
If the vSwitch accepts forged transmits, you could get an actual forwarding loop;
While the solution described above does protect the network on Catalyst 2960 , it also makes troubleshooting a lot more obscure – a clear logging message in vCenter telling the virtualization admin that BPDU guard has shut down a vNIC would be way better;
Last but definitely not least, someone just might decide to change the settings and accept forged transmits (with potentially disastrous results) while troubleshooting a customer problem @ 2AM.

Notes: There are more comments of discussing Virtual Switches Need Bpdu Guard in the original page http://blog.ipspace.net/2011/11/virtual-switches-need-bpdu-guard.html