A little screw up worth knowing

When you look at the list of topics required or recommended to pass Cisco ICND2 exam you will find

4.4.a Verify routing is enabled (extenSible and Hierarchical Interaction Protocol(SHIP))

It is not an entirely mysterious topic.



Digest of Spanning Tree Protocol

Things you absolutely need to know about Spanning Tree Protocol for your CCNA exam.

Example of output of the root bridge

On the root bridge, the output of the show spanning-tree command tells you in plain English that this switch (bridge) is the root of the spanning tree. Also notice that the information for the root and for the local bridge / switch is identical (root ID, MAC address, timer values).

SW1#show spanning-tree vlan 1

VLAN0040
  Spanning tree enabled protocol ieee
  Root ID    Priority    32808
             Address     001e.f6d6.e400
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32808  (priority 32768 sys-id-ext 40)
             Address     001e.f6d6.e400
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interpreting the output of show command

SW2#show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     0014.f2d2.4180
             Cost        9
             Port        216 (Port-channel21)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     001c.57d8.9000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ---------------------------
Po21                Root FWD 9         128.216  P2p 
Po23                Altn BLK 9         128.232  P2p 

The output of the show spanning-tree command has a few parts.

  1. The version of spanning tree protocol running on the local machine.
  • ieee – is equivalent of the IEEE 802.1d
  • rstp – is equivalent of the IEEE 802.1w

On the right hand side Elmer Fudd is going to hunt the wabbit, as in ‘Wappit Spanning Twee Pwotocol’ for IEEE 802.1w, referring to Rapid Spanning Tree Protocol.

The standard (old) STP uses port states

Blocking – A port that would cause a switching loop if it were active. No user data is sent or received over a blocking port, but it may go into forwarding mode if the other links in use fail and the spanning tree algorithm determines the port may transition to the forwarding state. BPDU data is still received in blocking state. Prevents the use of looped paths.
Listening – The switch processes BPDUs and awaits possible new information that would cause it to return to the blocking state. It does not populate the MAC address table and it does not forward frames.
Learning – While the port does not yet forward frames it does learn source addresses from frames received and adds them to the filtering database (switching database). It populates the MAC address table, but does not forward frames.
Forwarding – A port receiving and sending data, normal operation. STP still monitors incoming BPDUs that would indicate it should return to the blocking state to prevent a loop.
Disabled – Not strictly part of STP, a network administrator can manually disable a port

To prevent the delay when connecting hosts to a switch and during some topology changes, Rapid STP was developed, which allows a switch port to rapidly transition into the forwarding state during these situations.

The port states used by the Rapid STP

Discarding – No user data is sent over the port
Learning – The port is not forwarding frames yet, but is populating its MAC-address-table
Forwarding – The port is fully operational

The Rapid STP also uses port roles

Root – A forwarding port that is the best port from non-root bridge to root bridge
Designated – A forwarding port for every LAN segment
Alternate – An alternate path to the root bridge. This path is different from using the root port
Backup – A backup/redundant path to a segment where another bridge port already connects
Disabled – Not strictly part of STP, a network administrator can manually disable a port
RSTP switch port states:

Election of the root bridge and its designated port

Lower is better!

  1. Lowest bridge priority – can be the default (32768) or set manually

S1(config)#spanning-tree vlan 10 priority 4096
S1(config)#spanning-tree vlan 10 root primary
S1(config)#spanning-tree vlan 10 root secondary

  2. When priorities are the same, the lowest MAC address wins the root bridge election.

  3. To elect the designated port on the root bridge, the port with the lowest ID is chosen.

For example Fa0/0 is preferred over Fa0/1.

Note: I would be rather surprised if the ports were not preferred according to their speed, that is the GigabitEthernet before FastEthernet and before 10Mbps Ethernet. Although as of now, I haven’t managed to confirm such feature with appropriate experiments, so exercise caution about this topic.

Question 1
Could port such and such be a discarding port for a different VLAN ?
Yes, it can. On another VLAN there could be a different configuration and a different root priority, different ports can belong to the other VLANs, and the switches with their MAC addresses may or may not belong to a different VLAN. Another VLAN can have all parameters different – MAC, switch ports, bridge priorities.

Question 2
In the example below, is port Po23 in the Discarding state?

SW2#show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     0014.f2d2.4180
             Cost        9
             Port        216 (Port-channel21)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     001c.57d8.9000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ---------------------------
Fa1                 Desg FWD 19        128.216  P2p Edge
Po21                Root FWD 9         128.216  P2p (Peer STP)
Po23                Altn BLK 9         128.232  P2p

In the example the Po23 port is described as being in the BLK (Blocking) state. However, the version of the Spanning Tree Protocol is RSTP, so the correct name of the port state is in fact Discarding.

Question 3
Referring to the last example. Is root bridge running the Rapid Spanning Tree Protocol ?

No, it isn’t. The peer of the local switch, on the other end of the Po21 link, runs the old version of STP. Note the (Peer STP) in the command output, letting you know that although the local switch runs RSTP its peer does not.

Question 4
Referring to the example from question 2. Is the local switch directly connected to the root switch / bridge ?

Yes, because the cost of Po21 (9) is the same as the cost shown in the Root ID section of the command output (Cost 9).

Question 5
Is the Fa1 port, from the question 2, receiving BPDU packets ?

No, because BPDUs are disabled on this port by using the
S1(config-if)#spanning-tree portfast
command. The port is directly connected to a device that has no other connections to the network, so it can’t cause a loop in the topology – i.e. a client computer.
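The checks behind Questions 2 to 5 can be made mechanical. The following Python parser is an added example, not code from the original post. It reads the two show spanning-tree outputs shown on this page (copied here as inline strings, with the timer lines trimmed) and answers the same questions: whether the local bridge is the root (Root ID and Bridge ID identical), the 802.1w name of a port that IOS still prints as BLK, whether the root port's peer runs legacy STP, whether the root is directly connected (root cost equals the root port's own cost), and which ports are PortFast edge ports. The regular expressions assume the IOS output layout shown above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample outputs copied from this page: SW1 (the root bridge) and SW2 from Question 2.
SW1_ROOT = """\
VLAN0040
  Spanning tree enabled protocol ieee
  Root ID    Priority    32808
             Address     001e.f6d6.e400
             This bridge is the root

  Bridge ID  Priority    32808  (priority 32768 sys-id-ext 40)
             Address     001e.f6d6.e400
"""

SW2_NONROOT = """\
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     0014.f2d2.4180
             Cost        9
             Port        216 (Port-channel21)

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     001c.57d8.9000

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ---------------------------
Fa1                 Desg FWD 19        128.216  P2p Edge
Po21                Root FWD 9         128.216  P2p (Peer STP)
Po23                Altn BLK 9         128.232  P2p
"""

# One row of the interface table: name, role, state, cost, prio.nbr, type.
PORT_RE = re.compile(
    r"^(\S+)\s+(Root|Desg|Altn|Back|Disb)\s+(FWD|BLK|LRN|LIS|LBK)\s+(\d+)\s+(\d+\.\d+)\s*(.*)$")


@dataclass
class Port:
    name: str
    role: str
    state: str       # IOS abbreviation as printed (FWD, BLK, LRN, LIS)
    cost: int
    prio_nbr: str
    type: str        # e.g. "P2p", "P2p Edge", "P2p (Peer STP)"


@dataclass
class StpVlan:
    vlan: str
    protocol: str                 # "ieee" = 802.1D, "rstp" = 802.1w
    root_priority: int
    root_address: str
    root_cost: int                # 0 on the root bridge itself
    root_port: Optional[str]
    bridge_priority: int
    bridge_address: str
    ports: List[Port] = field(default_factory=list)


def parse_show_spanning_tree(text: str) -> StpVlan:
    """Parse one VLAN's 'show spanning-tree vlan N' output (assumed IOS layout)."""
    root_part, bridge_part = text.split("Bridge ID", 1)   # Root ID block, then Bridge ID block
    cost = re.search(r"Cost\s+(\d+)", root_part)           # absent on the root bridge
    port = re.search(r"Port\s+\d+ \((\S+)\)", root_part)
    ports = [Port(m[1], m[2], m[3], int(m[4]), m[5], m[6].strip())
             for m in map(PORT_RE.match, bridge_part.splitlines()) if m]
    return StpVlan(
        vlan=re.search(r"^(VLAN\d+)", text, re.M).group(1),
        protocol=re.search(r"protocol (\w+)", text).group(1),
        root_priority=int(re.search(r"Root ID\s+Priority\s+(\d+)", root_part).group(1)),
        root_address=re.search(r"Address\s+([0-9a-f.]+)", root_part).group(1),
        root_cost=int(cost.group(1)) if cost else 0,
        root_port=port.group(1) if port else None,
        bridge_priority=int(re.search(r"Priority\s+(\d+)", bridge_part).group(1)),
        bridge_address=re.search(r"Address\s+([0-9a-f.]+)", bridge_part).group(1),
        ports=ports,
    )


def is_root_bridge(s: StpVlan) -> bool:
    # On the root, the Root ID and Bridge ID sections carry the same priority and MAC.
    return (s.root_priority, s.root_address) == (s.bridge_priority, s.bridge_address)


def port_state_name(s: StpVlan, p: Port) -> str:
    # IOS prints BLK under RSTP too, but 802.1w folds Blocking and Listening into Discarding.
    if s.protocol == "rstp" and p.state in ("BLK", "LIS"):
        return "Discarding"
    return {"FWD": "Forwarding", "LRN": "Learning", "BLK": "Blocking",
            "LIS": "Listening"}.get(p.state, p.state)


def root_port(s: StpVlan) -> Optional[Port]:
    return next((p for p in s.ports if p.role == "Root"), None)


def peer_runs_legacy_stp(s: StpVlan) -> bool:
    rp = root_port(s)
    return rp is not None and "Peer STP" in rp.type


def directly_connected_to_root(s: StpVlan) -> bool:
    # The root's cost equals the root port's own cost only when no other switch sits in between.
    rp = root_port(s)
    return rp is not None and rp.cost == s.root_cost


def edge_ports(s: StpVlan) -> List[str]:
    # PortFast ports are printed with "Edge"; they face hosts, not other switches.
    return [p.name for p in s.ports if "Edge" in p.type]


def converged(s: StpVlan) -> bool:
    # Converged when no port is still in a transitional (Listening/Learning) state.
    return all(p.state in ("FWD", "BLK") for p in s.ports)
```

Run `parse_show_spanning_tree` on the SW2 output and the helpers give the answers from Questions 2 to 5: Po23 reports Discarding, Po21 carries the Peer STP flag, the root is directly connected, and Fa1 is the only edge port.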

Consider the example

S1#show spanning-tree interface fastEthernet 0/1
Vlan             Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0010         Altn BLK 19        128.19    P2p
VLAN0020         Root FWD 19        128.19    P2p
VLAN0030         Desg FWD 19        128.19    P2p

The FastEthernet 0/1 is a trunk port, because it serves more than one VLAN.

  • For VLAN 10 the root and designated ports are on some other switch or port
  • For VLAN 20 it is a root port – meaning this switch is not the root bridge. The root bridge has all ports in the designated role.
  • For VLAN 30 it is a designated port – the port is either on the root bridge or on the shortest path to it, going from the root bridge towards further switches.

Spanning Tree Protocol has converged, because the ports are either in the Blocking or Forwarding state (they are not in the Listening or Learning states).

Question 6
Based on the last example with the spanning-tree interface output, is the port fastEthernet 0/1 receiving BPDU on all VLANs (10,20,30) ?

Yes. Although the interface is in the Blocking / Discarding state it still receives BPDU messages, because the port is not in spanning-tree portfast mode.

.. TBC


STP Digest


Switch with the lowest priority (Bridge ID = priority + MAC address) is elected root bridge

Links between Gigabit and Fast Ethernet are always going to negotiate the highest common speed. In the case of a deal between Gigabit and Fast Ethernet the speed will be Fast Ethernet, that is 100Mbps.

The costs of the links are going to correspond to the negotiated link speed, regardless of the declared / local speed of the port.

The root bridge advertises link cost 0 and the local switch adds to it a local cost that corresponds to the effective port speed on that receiving switch. On the link between SW1 and SW2, the link cost to reach the root bridge (SW3) is 0.

As soon as you consider it from the SW1 perspective you need to add costs of all links along the way. In this case it is cost 19 for the negotiated Fast Ethernet between SW1 and SW3. The link costs between SW2-SW3 and SW1-SW2 are also going to be 19, so the cost of reaching the root bridge (SW3) from SW1 through SW2 would be 19+19=38.

Equal cost – tie
Equal priority coming from the root bridge – tie
The advertising, not receiving, lower port ID is preferred as the tie breaker. The lowest port of the root bridge is preferred.

Setting switch priority on one VLAN has no impact on priorities on a different VLAN.

The designated switch is the one with the lowest path cost from the root bridge. In this case SW2.

RSTP is backwards compatible with 802.1d STP

RSTP is faster to converge than 802.1d STP

RSTP adds new port roles – alternate and backup

RSTP operates at data-link layer, not the physical one

For RSTP all ports on the root bridge are designated and are forwarding the frames
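The election rules from the section above (lowest priority, then lowest MAC, per VLAN) and the cost arithmetic in this digest (cost follows the negotiated speed; 19 direct versus 19 + 19 = 38 via the detour) can be put into a few functions. This is an added example, not code from the original post. The three-switch triangle, the MAC addresses, the per-VLAN priorities and the port speeds are constructed for the illustration; the cost table is the IEEE 802.1D-1998 short-form table that Cisco PVST+ and Rapid PVST+ use by default.

```python
import heapq
from collections import defaultdict
from typing import Dict, List, Tuple

# IEEE 802.1D-1998 short-form port costs (Cisco (R)PVST+ defaults), keyed by Mb/s.
STP_COST_BY_MBPS = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority: int, vlan: int, mac: str) -> Tuple[int, int]:
    """Bridge ID for one VLAN: (priority + sys-id-ext VLAN number, MAC). Lower tuple wins."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return priority + vlan, int(mac.replace(".", "").replace(":", ""), 16)


def elect_root(switches: Dict[str, dict], vlan: int) -> str:
    """switches: name -> {"mac": ..., "priority": {vlan: prio}}; unset VLANs use 32768."""
    return min(switches, key=lambda n: bridge_id(
        switches[n]["priority"].get(vlan, 32768), vlan, switches[n]["mac"]))


def link_cost(speed_a_mbps: int, speed_b_mbps: int) -> int:
    """Cost follows the negotiated (lowest common) speed, not a port's declared speed."""
    return STP_COST_BY_MBPS[min(speed_a_mbps, speed_b_mbps)]


Link = Tuple[str, int, str, int]   # (switch A, A's port speed, switch B, B's port speed)


def root_path_costs(links: List[Link], root: str) -> Dict[str, int]:
    """Root advertises cost 0; each receiving switch adds the cost of the port the BPDU arrived on."""
    graph = defaultdict(list)
    for a, sa, b, sb in links:
        c = link_cost(sa, sb)
        graph[a].append((b, c))
        graph[b].append((a, c))
    best = {root: 0}
    heap = [(0, root)]
    while heap:                                  # Dijkstra over the switch graph
        cost, sw = heapq.heappop(heap)
        if cost > best.get(sw, float("inf")):
            continue
        for nbr, c in graph[sw]:
            if cost + c < best.get(nbr, float("inf")):
                best[nbr] = cost + c
                heapq.heappush(heap, (cost + c, nbr))
    return dict(best)


def path_cost(links: List[Link], path: List[str]) -> int:
    """Cost of walking an explicit path, for comparing a detour against the best path."""
    costs = {frozenset((a, b)): link_cost(sa, sb) for a, sa, b, sb in links}
    return sum(costs[frozenset((x, y))] for x, y in zip(path, path[1:]))


# Constructed topology (not from the page): three switches in a triangle.
# SW3 has priority 4096 on VLAN 1, SW1 has priority 4096 on VLAN 10, VLAN 20 is all defaults.
SWITCHES = {
    "SW1": {"mac": "001c.57d8.9000", "priority": {10: 4096}},
    "SW2": {"mac": "0011.2233.4455", "priority": {}},
    "SW3": {"mac": "0014.f2d2.4180", "priority": {1: 4096}},
}
# SW1's uplink to SW3 is a Gigabit port facing a FastEthernet port: it negotiates 100 Mb/s.
LINKS: List[Link] = [
    ("SW1", 1000, "SW3", 100),
    ("SW2", 100, "SW3", 100),
    ("SW1", 100, "SW2", 100),
]

if __name__ == "__main__":
    for vlan in (1, 10, 20):
        print(f"VLAN {vlan}: root is {elect_root(SWITCHES, vlan)}")
    print(root_path_costs(LINKS, "SW3"))             # SW1 and SW2 both reach SW3 at cost 19
    print(path_cost(LINKS, ["SW1", "SW2", "SW3"]))   # the detour costs 19 + 19 = 38
```

VLAN 20 has no configured priorities, so all three bridge IDs share the value 32788 and the election falls through to the MAC tie-breaker; VLAN 1 and VLAN 10 pick different roots, which is the per-VLAN independence the digest describes.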


Entirely legit use for a web server over the TOR network

The anonymity service, TOR, is commonly used by

  • spies [funded by governments, corporations or entirely private people],
  • criminals trading illegal goods and services [the Silk Road Market],
  • political activists [Arab Spring in Syria, China and other countries with dysfunctional or non-existent democracy],
  • whistle-blowers [Julian Assange, Edward Snowden],
  • internet privacy campaigners [Jacob Applebaum],
  • perverts,
  • copyright pirates,
  • hackers,
  • everybody else who is concerned about their privacy and anonymity in the 21st century.

TOR could also be used for an entirely legitimate application that is maybe not as romantic as being the 007 secret agent.


CPU benchmarks are a bit misleading

I have an Intel Core i7 3623QM @ 2.20GHz with 3.20GHz boost. So far, wherever I look, I see that when CPUs are compared the authors use the normal or nominal frequency, in my case 2.20GHz. The trouble with those comparisons is that Intel processors, probably like many CPUs from other manufacturers, have a built-in mechanism that prevents overheating, which makes any such comparisons meaningless.



IPv4 and IPv6 troubleshooting side by side

When you troubleshoot networking issues, you are usually told by most tutors, authors or lecturers to do it by following the layers of a layered model, i.e. the seven layers of the ISO model. You can start from the physical layer, keep looking for potential problems at each layer and then move on to the higher layers. Also, you can do it in the reverse order. Whichever way floats your boat. It is worth considering that solving problems at the lower layers first can solve the whole problem, including its side effects at the higher layers. It is a valuable skill to be able to find and solve problems at the lower layers without ever leaving your chair. It saves you a journey there and back again.

The network for today

ISO Layer 1 – Physical – Interface statistics for diagnostics of cables

The important things to look for when you use the show interfaces fastEthernet 0/0 for physical layer troubleshooting.

Input queue drops indicate a CPU that is too weak to process incoming frames fast enough.

Input errors – frames are dropped because they are malformed, which is detected with the CRC checksums. Malformed frames can also indicate problems with cabling. When cables are not made to the required standard (i.e. Cat 3 cable for 100Mbps, incorrect order of wires – not following the EIA/TIA 568A/B standards) there will be interference between the wires of the cable, that is the cable will interfere with itself, causing data transmission problems. Also, a common symptom is very slow transmission of data at just a few percent of the intended speed.

Output queue – when it gets full or overfilled it means the data cannot be sent off quickly enough, which can be described as congestion of the link. The bandwidth can get saturated because data comes in big volumes through fast links and is squeezed into a much slower link. The session layer should take care of it by adjusting the sending speed at the source. Otherwise, it can indicate malicious activity like a (Distributed) Denial-of-Service attack.

Output errors – an indication of collisions of frames in the network. In a switched network there should be no collisions.

Apart from the above errors, there may be a mismatch in configuration on both ends of the link. The ends could be mismatched in terms of the duplex, speed or VLAN configuration.

Note: Usually, when a native VLAN mismatch is detected, the link is automatically shut down.

R1#show interfaces fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is c402.19a4.0000 (bia c402.19a4.0000)
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:02, output 00:00:03, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     3051 packets input, 359100 bytes
     Received 3034 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     4425 packets output, 442147 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
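The counter readings described above (input queue drops, input/CRC errors, output drops, collisions, duplex) are easy to turn into an automated check. The following is an added example, not code from the original post: it parses the show interfaces counters into a dictionary and maps them to the layer-1 conditions listed above. The first sample is the R1 output copied from this page with the unused lines trimmed; the second is a constructed counter set (not from the page) for an interface with a bad cable and a congested uplink. The patterns assume the IOS output layout shown above.

```python
import re
from typing import Any, Dict, List

# Output copied from this page (R1, FastEthernet0/0): clean counters on a half-duplex link.
SHOW_INTERFACES_R1 = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is c402.19a4.0000 (bia c402.19a4.0000)
  Half-duplex, 10Mb/s, 100BaseTX/FX
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
     3051 packets input, 359100 bytes
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     4425 packets output, 442147 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

# Constructed counters (not from the page): a link with a damaged cable and a congested uplink.
SHOW_INTERFACES_BAD = """\
FastEthernet0/1 is up, line protocol is up
  Full-duplex, 100Mb/s, 100BaseTX/FX
  Input queue: 0/75/312/0 (size/max/drops/flushes); Total output drops: 1874
     50000 packets input, 6200000 bytes
     1200 input errors, 1150 CRC, 50 frame, 0 overrun, 0 ignored
     41000 packets output, 5100000 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

# Counter name -> regex with one capture group; a missing line counts as zero.
COUNTERS = {
    "input_queue_drops": r"Input queue: \d+/\d+/(\d+)/\d+",
    "total_output_drops": r"Total output drops: (\d+)",
    "packets_input": r"(\d+) packets input",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
}


def parse_interface(text: str) -> Dict[str, Any]:
    """Pull the layer-1 relevant fields out of 'show interfaces' (assumed IOS layout)."""
    head = re.search(r"^(\S+) is (\S+), line protocol is (\S+)", text, re.M)
    if not head:
        raise ValueError("not a 'show interfaces' output")
    info: Dict[str, Any] = {"interface": head.group(1), "status": head.group(2),
                            "protocol": head.group(3)}
    for name, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        info[name] = int(m.group(1)) if m else 0
    duplex = re.search(r"(Half|Full)-duplex, (\d+)Mb/s", text)
    info["duplex"] = duplex.group(1).lower() if duplex else "unknown"
    info["speed_mbps"] = int(duplex.group(2)) if duplex else 0
    return info


def diagnose(info: Dict[str, Any]) -> List[str]:
    """Map counters to the layer-1 conditions described above; an empty list means clean."""
    findings: List[str] = []
    if info["status"] != "up" or info["protocol"] != "up":
        findings.append(f"{info['interface']} is {info['status']}/{info['protocol']}: "
                        "fix the link state before reading counters")
    if info["input_queue_drops"]:
        findings.append("input queue drops: CPU cannot process incoming frames fast enough")
    if info["input_errors"] or info["crc"]:
        pct = 100.0 * info["input_errors"] / max(info["packets_input"], 1)
        findings.append(f"input/CRC errors ({pct:.1f}% of input frames): malformed frames, "
                        "suspect cabling or a speed/duplex mismatch")
    if info["total_output_drops"]:
        findings.append("output drops: link congestion (fast in, slow out) or a flood/DoS")
    if info["collisions"] or info["late_collisions"]:
        findings.append("collisions on a switched link: check for a duplex mismatch")
    if info["duplex"] == "half":
        findings.append(f"half-duplex at {info['speed_mbps']} Mb/s: "
                        "confirm both ends agree on speed and duplex")
    return findings


if __name__ == "__main__":
    for sample in (SHOW_INTERFACES_R1, SHOW_INTERFACES_BAD):
        info = parse_interface(sample)
        print(info["interface"], diagnose(info) or ["no layer-1 findings"])
```

On the page's R1 output the only finding is the half-duplex 10 Mb/s setting, which is worth confirming against the far end; the constructed sample raises input queue drops, 2.4% input errors and output drops, the three conditions described in the paragraphs above.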

ISO Layer 2 – Data-link – Line control protocols

At the data link layer you have to check if the interface is up, down, administratively down or error-down.

To see the status of network interfaces use the following commands

R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES NVRAM  up                    up
FastEthernet0/1            10.0.1.1        YES NVRAM  up                    up

Instead of the IPv4 version, you can use the IPv6 flavour. An interface that is in any given state, i.e. down/down, for the IPv4 version of the command will also be in the same state for the IPv6 one.

R1#show ipv6 interface brief
FastEthernet0/0            [up/up]
    FE80::C602:12FF:FE18:0
    2001:DB8:DEAF:BEEF::1
FastEthernet0/1            [up/up]
    FE80::C602:12FF:FE18:1
    2001:DB8:D00D:1::1

If an interface is in down/down state simply use the following

R1(config)#interface fastEthernet 0/0
R1(config-if)#no shutdown
*Mar  1 00:23:56.155: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar  1 00:23:57.155: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Here are the meanings of each link status

adm-down – means the interface was shut down manually
err-down – indicates that the interface is shut down because of an error, i.e. as a response to the port security policy of the interface
up/down – The 1st ‘up’ is for the physical layer, the 2nd ‘down’ is for the data-link operation. The data-link layer problem could be a misconfiguration of the protocols operating at this layer. Examples could be a speed, duplex or VLAN mismatch.

Note: The first status indicates the state in physical terms, the second one indicates the data-link protocol status. When the cables don’t operate correctly at the physical layer, the data-link protocol will not either – imagine a cable sitting in an empty drawer on its own, not connected to anything. As a result, you can see up/down, but you won’t see down/up.

When your network interface has successfully got its IP address you can check whether it can communicate with any other network device by looking at the IP-to-MAC address resolution table. The IPv4 and IPv6 protocols have their own respective MAC address resolution tables, each for its own IP version of addressing.

Note: To trigger populating of the ARP tables for each, IPv4 and IPv6, your network device needs to have a reason to request the MAC address of the remote device. The easiest way to cause your device to request translation between IP and MAC addresses is to send a ping.

PC#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.1.1               84   c402.05ac.0001  ARPA   FastEthernet0/0
Internet  10.0.1.5                -   c401.05ac.0000  ARPA   FastEthernet0/0

IPv6 local addressing resolution

PC#ping 2001:DB8:B00B:135::2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:B00B:135::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/75/148 ms
PC#show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
FE80::C602:5FF:FEAC:1                       0 c402.05ac.0001  REACH Fa0/0

Note: Sometimes, when you have problems with cabling, all that your network interface is able to get from the surrounding network devices are their MAC addresses, either via the ARP/RARP protocol or via Neighbour Solicitation.

ISO Layer 3 – Network – Logical addressing, IPv4 and IPv6 protocols

After you are done with the data-link issues, make sure that your interface has the correct IP address, whether it is configured via DHCP, SLAAC auto-configuration or manually. When your interface doesn’t have an IP address it cannot take advantage of network layer communication.

To check if your interface has an IP address use the following on MS Windows

C:\Users\Bart>ipconfig

Windows IP Configuration

Ethernet adapter Loopback:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::7942:11aa:4628:e280%14
   Autoconfiguration IPv4 Address. . : 169.254.226.128
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::2c39:6e32:112f:3437%4
   IPv4 Address. . . . . . . . . . . : 10.89.6.103
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.98.6.1

Note 1: Some network interfaces were edited out for brevity

Note 2: When your network interfaces don’t have IP addresses it may be that they are not configured manually or, for some reason, they cannot take advantage of a DHCP server or IPv6 auto-configuration, Stateful or Stateless (SLAAC).

To find out more about configuration of IP protocols use the following on the Cisco devices

R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES NVRAM  up                    up
FastEthernet0/1            10.0.1.1        YES NVRAM  up                    up

…and for IPv6

R1#show ipv6 interface brief
FastEthernet0/0            [up/up]
    FE80::C602:19FF:FEA4:0
    2001:DB8:DEAF:BEEF::1
FastEthernet0/1            [up/up]
    FE80::C602:19FF:FEA4:1
    2001:DB8:D00D:1::1

Once your IP addresses are properly configured you need to make sure that you can communicate with the neighbouring devices i.e. by using the ping command.

Note: Apart from obtaining an IP address, the interface also needs to have an address that is in the same network address range as the default gateway. Otherwise, it won’t be able to communicate with the outside world. It is also worth looking at the routing tables and checking that the addresses match the interfaces for the respective networks, as well as checking that the received IP addresses are in the address range of their respective destination networks, the same way as is the case with the default gateway.
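The two host-side checks from this section, an APIPA 169.254.x.x address meaning DHCP gave no lease (Note 2 above) and the default gateway having to lie inside the interface's own subnet (the note just above), can be done from the ipconfig text with the standard ipaddress module. This is an added example, not code from the original post. The sample is the ipconfig output quoted on this page, copied inline; that output lists 10.98.6.1 as the gateway of 10.89.6.103/24, so the check flags it as off-link (the route print further down shows the gateway as 10.89.6.1), which is precisely the mismatch the note warns about. The corrected adapter entry is constructed here.

```python
import ipaddress
import re
from typing import Dict

# ipconfig output copied from this page (two adapters).
IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Loopback:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::7942:11aa:4628:e280%14
   Autoconfiguration IPv4 Address. . : 169.254.226.128
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::2c39:6e32:112f:3437%4
   IPv4 Address. . . . . . . . . . . : 10.89.6.103
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.98.6.1
"""

ADAPTER_RE = re.compile(r"^(\S.*) adapter (.+):\s*$")
# "   IPv4 Address. . . . : 10.89.6.103" -> key "IPv4 Address", value "10.89.6.103"
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, str]]:
    """Return {adapter name: {field: value}} from ipconfig output (assumed layout as above)."""
    adapters: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(2)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group(1)] = m.group(2).strip()
    return adapters


def subnet_of(adapter: Dict[str, str]) -> str:
    """Network the adapter's IPv4 address belongs to, e.g. '10.89.6.0/24'."""
    iface = ipaddress.IPv4Interface(f"{adapter['IPv4 Address']}/{adapter['Subnet Mask']}")
    return str(iface.network)


def classify(adapter: Dict[str, str]) -> str:
    """One of: apipa-no-dhcp, no-ipv4, no-gateway, gateway-off-link, ok."""
    if "Autoconfiguration IPv4 Address" in adapter:
        return "apipa-no-dhcp"          # 169.254/16 self-assigned: no DHCP lease was obtained
    if "IPv4 Address" not in adapter:
        return "no-ipv4"
    gateway = adapter.get("Default Gateway", "")
    if not gateway:
        return "no-gateway"             # local subnet only, no way out
    network = ipaddress.ip_network(subnet_of(adapter))
    return "ok" if ipaddress.IPv4Address(gateway) in network else "gateway-off-link"


def ipv6_link_local(adapter: Dict[str, str]) -> bool:
    """True when the adapter has an fe80::/10 address (zone index after '%' is dropped)."""
    addr = adapter.get("Link-local IPv6 Address", "").split("%")[0]
    return bool(addr) and ipaddress.IPv6Address(addr).is_link_local


# Constructed corrected entry (not from the page): the same adapter with gateway 10.89.6.1.
FIXED_ETHERNET = dict(parse_ipconfig(IPCONFIG)["Ethernet"], **{"Default Gateway": "10.89.6.1"})

if __name__ == "__main__":
    for name, adapter in parse_ipconfig(IPCONFIG).items():
        print(f"{name}: {classify(adapter)} (link-local IPv6: {ipv6_link_local(adapter)})")
    print(f"Ethernet (corrected gateway): {classify(FIXED_ETHERNET)}")
```

The Loopback adapter is reported as apipa-no-dhcp, the Ethernet adapter as gateway-off-link, and the corrected entry as ok; a ping to the gateway would give the same verdict in practice, but the check shows which of the two values is the one to fix.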

To find out what routing paths are available, use the following command

PC#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    10.0.0.0/8 is directly connected, FastEthernet0/0
O    192.168.1.0/24 [110/20] via 10.0.1.1, 03:49:38, FastEthernet0/0
O    172.16.0.0/12 [110/30] via 10.0.1.1, 03:49:38, FastEthernet0/0

…and the IPv6 flavour

PC#show ipv6 route
IPv6 Routing Table - 9 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O   2001:DB8:B00B:135::1/128 [110/20]
     via FE80::C602:19FF:FEA4:1, FastEthernet0/0
O   2001:DB8:B00B:135::2/128 [110/30]
     via FE80::C602:19FF:FEA4:1, FastEthernet0/0
C   2001:DB8:D00D:1::/64 [0/0]
     via ::, FastEthernet0/0
S   2001:DB8:D00D:1::/72 [1/0]
     via ::, Null0
L   2001:DB8:D00D:1:C601:19FF:FEA4:0/128 [0/0]
     via ::, FastEthernet0/0
O   2001:DB8:DEAF:BEEF::1/128 [110/10]
     via FE80::C602:19FF:FEA4:1, FastEthernet0/0
O   2001:DB8:DEAF:BEEF::2/128 [110/20]
     via FE80::C602:19FF:FEA4:1, FastEthernet0/0
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0

When you configure routing protocols it is easy enough to make mistakes such as configuring mismatched area or process numbers.

R1#show ip ospf
 Routing Process "ospf 1" with ID 192.168.1.1
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Link-local Signaling (LLS)
 Supports area transit capability
 Initial SPF schedule delay 5000 msecs
 Minimum hold time between two consecutive SPFs 10000 msecs
 Maximum wait time between two consecutive SPFs 10000 msecs
 Incremental-SPF disabled
 Minimum LSA interval 5 secs
 Minimum LSA arrival 1000 msecs
 LSA group pacing timer 240 secs
 Interface flood pacing timer 33 msecs
 Retransmission pacing timer 66 msecs
 Number of external LSA 0. Checksum Sum 0x000000
 Number of opaque AS LSA 0. Checksum Sum 0x000000
 Number of DCbitless external and opaque AS LSA 0
 Number of DoNotAge external and opaque AS LSA 0
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
 Number of areas transit capable is 0
 External flood list length 0
    Area BACKBONE(0)
        Number of interfaces in this area is 2
        Area has no authentication
        SPF algorithm last executed 00:02:03.240 ago
        SPF algorithm executed 4 times
        Area ranges are
        Number of LSA 7. Checksum Sum 0x02593A
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
R1#show ipv6 ospf
 Routing Process "ospfv3 1" with ID 1.1.1.1
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 LSA group pacing timer 240 secs
 Interface flood pacing timer 33 msecs
 Retransmission pacing timer 66 msecs
 Number of external LSA 0. Checksum Sum 0x000000
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
    Area BACKBONE(0)
        Number of interfaces in this area is 2
        SPF algorithm executed 3 times
        Number of LSA 12. Checksum Sum 0x05886F
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

Note: Troubleshooting issues with adjacency is beyond the scope of this article and a topic of its own. However, just for the record, here is the comparison of IPv4 and IPv6 versions of show ip ospf neighbor commands.

R1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.1.5          1   FULL/BDR        00:00:33    10.0.1.5        FastEthernet0/1
2.2.2.2           1   FULL/BDR        00:00:36    192.168.1.254   FastEthernet0/0
R1#show ipv6 ospf neighbor

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
3.3.3.3           1   FULL/DR         00:00:36    4               FastEthernet0/1
2.2.2.2           1   FULL/DR         00:00:39    4               FastEthernet0/0

As you can see the output for the IPv4 and IPv6 version is practically the same.
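Since the IPv4 and IPv6 outputs share a layout, one set of parsers can check both against the process and area numbers the design calls for, and list neighbours that are not FULL. This is an added example, not code from the original post. The four sample outputs are excerpts copied from R1's show ip ospf, show ipv6 ospf and the two neighbour tables above; the mismatched process and the stuck neighbour are constructed for the illustration. The patterns assume the IOS layout shown above (areas print as BACKBONE(0) or as a plain number).

```python
import re
from typing import Dict, List

# Excerpts copied from this page's R1 outputs.
SHOW_IP_OSPF = """\
 Routing Process "ospf 1" with ID 192.168.1.1
 Supports only single TOS(TOS0) routes
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
    Area BACKBONE(0)
        Number of interfaces in this area is 2
        Area has no authentication
        Area ranges are
"""
SHOW_IPV6_OSPF = """\
 Routing Process "ospfv3 1" with ID 1.1.1.1
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
    Area BACKBONE(0)
        Number of interfaces in this area is 2
"""
SHOW_IP_OSPF_NEIGHBOR = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.1.5          1   FULL/BDR        00:00:33    10.0.1.5        FastEthernet0/1
2.2.2.2           1   FULL/BDR        00:00:36    192.168.1.254   FastEthernet0/0
"""
SHOW_IPV6_OSPF_NEIGHBOR = """\
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
3.3.3.3           1   FULL/DR         00:00:36    4               FastEthernet0/1
2.2.2.2           1   FULL/DR         00:00:39    4               FastEthernet0/0
"""

# Constructed (not from the page): wrong process number and wrong area.
MISMATCHED_OSPF = """\
 Routing Process "ospf 2" with ID 10.0.0.9
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
    Area 1
        Number of interfaces in this area is 2
"""
# Constructed (not from the page): an adjacency that never got past INIT.
STUCK_NEIGHBOR = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.1.5          1   INIT/DROTHER    00:00:33    10.0.1.5        FastEthernet0/1
"""

PROCESS_RE = re.compile(r'Routing Process "(ospf|ospfv3) (\d+)" with ID (\S+)')
AREA_RE = re.compile(r"^\s+Area (?:BACKBONE\((\d+)\)|(\d+))\s*$", re.M)
# Works for both tables: column 5 is Address (v4) or Interface ID (v6), column 6 the interface.
NEIGHBOR_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+:\d+:\d+)\s+(\S+)\s+(\S+)\s*$", re.M)


def parse_process(text: str) -> Dict[str, object]:
    """Family (ospf/ospfv3), process ID, router ID and configured area numbers."""
    m = PROCESS_RE.search(text)
    if not m:
        raise ValueError("no OSPF routing process in output")
    return {"family": m.group(1), "process_id": int(m.group(2)), "router_id": m.group(3),
            "areas": [int(backbone or plain) for backbone, plain in AREA_RE.findall(text)]}


def parse_neighbors(text: str) -> List[Dict[str, str]]:
    rows = []
    for m in NEIGHBOR_RE.finditer(text):
        state, _, role = m.group(3).partition("/")       # "FULL/BDR" -> FULL, BDR
        rows.append({"id": m.group(1), "state": state, "role": role, "interface": m.group(6)})
    return rows


def check_process(text: str, expected_process: int, expected_area: int) -> List[str]:
    """Compare the running process against the intended process and area numbers."""
    p = parse_process(text)
    issues = []
    if p["process_id"] != expected_process:
        issues.append(f"{p['family']}: process {p['process_id']} running, expected {expected_process}")
    if expected_area not in p["areas"]:
        issues.append(f"{p['family']}: areas {p['areas']} configured, expected area {expected_area}")
    return issues


def incomplete_adjacencies(text: str) -> List[str]:
    return [f"{n['id']} on {n['interface']} is {n['state']}"
            for n in parse_neighbors(text) if n["state"] != "FULL"]


if __name__ == "__main__":
    for sample in (SHOW_IP_OSPF, SHOW_IPV6_OSPF, MISMATCHED_OSPF):
        print(check_process(sample, expected_process=1, expected_area=0) or ["process/area ok"])
    for sample in (SHOW_IP_OSPF_NEIGHBOR, SHOW_IPV6_OSPF_NEIGHBOR, STUCK_NEIGHBOR):
        print(incomplete_adjacencies(sample) or ["all neighbours FULL"])
```

Both of R1's processes pass the process 1 / area 0 check and all four neighbours are FULL; the constructed samples produce two configuration issues and one stuck adjacency respectively.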

When finding out about area and process numbers for the OSPF troubleshooting, you can use the following commands.

R1#show ip ospf database

            OSPF Router with ID (192.168.1.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
2.2.2.2         2.2.2.2         906         0x80000004 0x00790B 2
10.0.1.5        10.0.1.5        913         0x80000003 0x006685 1
172.16.20.2     172.16.20.2     911         0x80000003 0x0038A4 1
192.168.1.1     192.168.1.1     908         0x80000004 0x000840 2

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.1.1        192.168.1.1     913         0x80000001 0x004EF8
172.16.20.2     172.16.20.2     911         0x80000001 0x0028A0
192.168.1.1     192.168.1.1     908         0x80000001 0x00C12E
R1#show ipv6 ospf database

            OSPFv3 Router with ID (1.1.1.1) (Process ID 1)

                Router Link States (Area 0)

ADV Router      Age         Seq#        Fragment ID  Link count  Bits
1.1.1.1         883         0x80000005  0            2           None
2.2.2.2         884         0x80000004  0            1           None
3.3.3.3         891         0x80000004  0            1           None

                Net Link States (Area 0)

ADV Router      Age         Seq#        Link ID    Rtr count
2.2.2.2         893         0x80000001  4          2
3.3.3.3         891         0x80000001  4          2

                Link (Type-8) Link States (Area 0)

ADV Router      Age         Seq#        Link ID    Interface
1.1.1.1         928         0x80000002  5          Fa0/1
3.3.3.3         930         0x80000002  4          Fa0/1
1.1.1.1         928         0x80000002  4          Fa0/0
2.2.2.2         927         0x80000002  4          Fa0/0

                Intra Area Prefix Link States (Area 0)

ADV Router      Age         Seq#        Link ID    Ref-lstype  Ref-LSID
1.1.1.1         890         0x80000002  0          0x2001      0
2.2.2.2         944         0x80000001  0          0x2001      0
3.3.3.3         907         0x80000001  1004       0x2002      4

When you wish to correct the OSPF process or area number, simply execute the
show running-config command, use the ‘no’ command and then issue the same command with the correct number.

Note: As for Cisco certification exams the show running-config command could be blocked, just because Cisco wants you to use different commands… and because they are being awkward.

IP address ranges

When you have an IP address, you need to make sure that the IP address of your device is within the address range of the same network as the device you wish to communicate with, i.e. a gateway. However, it is way easier to ping the desired IP address and see if you can communicate with it, as opposed to working out the address range of the networks and finding out that the ping should work. In other words, instead of doing the theory of whether or not it should work, just try to ping – it could work just fine and give you the answer.

The way to do that is by pinging your local loopback interface. For the IPv4 it is 127.0.0.1 and for IPv6 it is ::1 .

The loopback ping

R1#ping ipv6 ::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to ::1, timeout is 2 seconds:

% No valid source address for destination

Note: For a reason I still don’t know, any attempt to ping ::1 within GNS usually ends with the above error message. However, as soon as you ping any specific and locally existing IPv6 address it works fine. Also, the ::1 ping usually works like a charm on your local computer without any additional configuration.

Ping of the link-local

PC#ping FE80::C601:12FF:FE18:0
Output Interface: FastEthernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::C601:12FF:FE18:0, timeout is 2 seconds:
Packet sent with a source address of FE80::C601:12FF:FE18:0
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms

The global unique ping

PC#ping 2001:DB8:B00B:135::2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:B00B:135::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/63/80 ms

When you cannot communicate with your desired IP address it might be down to a few reasons: your device, any device along the way or the destination device doesn’t have the appropriate IP routing information, so it doesn’t know where to direct the packets to reach the destination. Usually, when you send a packet you expect a packet in response, so the return routing path also needs to be known. To make sure that the required devices know the routing paths to the desired destination you can configure it via DHCP, routing protocols (RIP, RIPng, OSPF, EIGRP) or manually (a specific or default route – for all unknown destinations).

To find out the routing paths on MS Windows use the following command

C:\Windows\System32>route print
===========================================================================
Interface List
  4...20 89 84 ** ** ** ......Broadcom NetLink (TM) Gigabit Ethernet
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.89.6.1      10.89.6.103     20
        10.89.6.0    255.255.255.0         On-link       10.89.6.103    276
      10.89.6.103  255.255.255.255         On-link       10.89.6.103    276
      10.89.6.255  255.255.255.255         On-link       10.89.6.103    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      169.254.0.0      255.255.0.0         On-link   169.254.226.128    266
  169.254.226.128  255.255.255.255         On-link   169.254.226.128    266
  169.254.255.255  255.255.255.255         On-link   169.254.226.128    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link   169.254.226.128    266
        224.0.0.0        240.0.0.0         On-link       10.89.6.103    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link   169.254.226.128    266
  255.255.255.255  255.255.255.255         On-link       10.89.6.103    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  4    276 fe80::/64                On-link
  4    276 fe80::2c39:6e32:112f:3437/128
  1    306 ff00::/8                 On-link
  4    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

ISO Layer 4 – Session and above

Access Control Lists

Serv(config)#ipv6 access-list PermitAll
Serv(config-ipv6-acl)#permit icmp any any log
Serv(config-ipv6-acl)#exit
Serv(config)#interface fastEthernet 0/0
Serv(config-if)#ipv6 traffic-filter PermitAll in

PC#ping  2001:DB8:B00B:135::2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:B00B:135::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/61/80 ms
PC#telnet 2001:DB8:B00B:135::2 80
Trying 2001:DB8:B00B:135::2, 80 ...
% Destination unreachable; gateway or host down

The reason why the ping goes through and the TCP connection to port 80 doesn’t is the implicit deny at the end of every Access Control List. Although the above ACL permits all ICMP packets, it also denies everything else, which includes TCP packets to port 80.

To find out which rules of the ACL are applied use the following

Serv#show ipv6 access-list
IPv6 access list PermitAll
    permit icmp any any log sequence 10

Note 1: IPv4 and IPv6 have separate Access Control Lists. Rules that apply to IPv4 don’t automatically apply to IPv6 and vice versa. The result could be that the webserver works fine over IPv6, but it doesn’t over IPv4.

Note 2: An overly restrictive ACL can disable the normal operation of routing protocols like OSPF, because neighbouring routers are not able to exchange hello packets and as a result are not able to maintain the adjacency relationship.

To see how many times the implied deny rule was used you could explicitly add it at the end of your ACL

Serv(config)#ipv6 access-list PermitAll
Serv(config-ipv6-acl)#deny any any log

Now when you look at the ACL match counters you will also see how many times the implied deny any any rule was used.

Serv#show ipv6 access-list
IPv6 access list PermitAll
    permit icmp any any log (14 matches) sequence 10
    deny ipv6 any any log (46 matches) sequence 20

Note 1: Once an ACL is applied to a network interface, any changes that you make to the ACL rules (denies or permits) apply immediately. It is a good idea to remove the ACL from your network interface before you modify the rules. Otherwise, you can cut off remote access to your device, i.e. the telnet or SSH session: there won’t be any error message, but your remote terminal session will just stop responding.

Note 2: When thinking about ACLs always remember that network traffic is matched against the ACL rules in order, starting from the first one. As soon as a match is found, no other rules are checked. This is why you can safely put a deny any any rule at the end of an ACL without blocking any allowed traffic.
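To make the three points above concrete (first match wins, an implicit deny closes every list, and an explicit deny any any only makes that hidden rule countable), here is an added Python model of ACL evaluation that re-creates the PermitAll test from this post. It is example code written for this page, not IOS code; Rule, Packet, Acl and the scenario functions are all assumed names.

```python
# Added example, not from the article: a small model of how an IOS access list
# is evaluated, so the page's results (ping permitted, TCP/80 refused) can be
# reproduced and the implicit deny counted.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    protocol: str                    # "icmp", "tcp", "udp" or "ipv6" (= any)
    dst_port: Optional[int] = None   # None means any destination port
    matches: int = 0                 # counter shown by 'show ipv6 access-list'


@dataclass
class Packet:
    protocol: str
    dst_port: Optional[int] = None


class Acl:
    """First match wins; an invisible 'deny ipv6 any any' closes every list."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = list(rules)
        self.implicit_denies = 0     # hits on the trailing deny IOS never shows

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:      # rules are checked strictly in order
            proto_ok = rule.protocol in ("ipv6", pkt.protocol)
            port_ok = rule.dst_port is None or rule.dst_port == pkt.dst_port
            if proto_ok and port_ok:
                rule.matches += 1
                return rule.action   # no later rule is consulted
        self.implicit_denies += 1
        return "deny"

    def show(self) -> str:
        """Render the list the way 'show ipv6 access-list' prints it."""
        out = [f"IPv6 access list {self.name}"]
        for seq, r in enumerate(self.rules, start=1):
            port = f" eq {r.dst_port}" if r.dst_port is not None else ""
            out.append(f"    {r.action} {r.protocol} any any{port} log "
                       f"({r.matches} matches) sequence {seq * 10}")
        return "\n".join(out)


def page_scenario(explicit_deny: bool = False):
    """Five ICMP echoes followed by one TCP/80 connection, as on the page."""
    rules = [Rule("permit", "icmp")]
    if explicit_deny:                # the page's 'deny ipv6 any any log'
        rules.append(Rule("deny", "ipv6"))
    acl = Acl("PermitAll", rules)
    pings = [acl.evaluate(Packet("icmp")) for _ in range(5)]
    http = acl.evaluate(Packet("tcp", 80))
    return pings, http, acl


def misordered_scenario():
    """Deny placed first: the permit behind it never matches (Note 2)."""
    acl = Acl("DenyFirst", [Rule("deny", "ipv6"), Rule("permit", "icmp")])
    return acl.evaluate(Packet("icmp")), acl.rules[1].matches
```

Running page_scenario(explicit_deny=True) and printing acl.show() gives the same shape of output as the second show ipv6 access-list above, with the deny counter now visible.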


Native VLAN

Cisco switches are capable of tagging Ethernet frames, so they can be forwarded to the appropriate VLANs. Simpler or less sophisticated switches are not able to make sense of the tagging information and will discard the frames as incorrect or corrupt because the CRC checksum will not match the content of the frame. Even less sophisticated devices like Ethernet hubs will not do any frame integrity checks at all and will simply electrically connect the appropriate pins on all their ports.

The following article is a case study and was inspired by a question from the Cisco community study group https://learningnetwork.cisco.com/message/484915#


Native VLAN 01

The above is a very simple topology. As you can see, the PCs are connected via a cross-over Ethernet cable. In order to communicate, they will require some basic configuration.

Let’s start with a simple example and continue in baby steps.

Note: All my simulations are done within GNS, so I will use routers to emulate all devices, that is routers, switches and PCs. For more information on how to do it, take a look here https://zarzyc.wordpress.com/2014/02/17/switch-emulation-with-the-gns3/.

PC1

PC1(config)#ip route 0.0.0.0 0.0.0.0 fastEthernet 0/0
PC1(config)#interface fastEthernet 0/0
PC1(config-if)#ip address 192.168.1.1 255.255.255.0
PC1(config-if)#no shutdown
PC1(config-if)#duplex full
PC1(config-if)#speed 100

PC2

PC2(config)#ip route 0.0.0.0 0.0.0.0 fastEthernet 0/0
PC2(config)#interface fastEthernet 0/0
PC2(config-if)#ip address 192.168.2.1 255.255.255.0
PC2(config-if)#no shutdown
PC2(config-if)#duplex full
PC2(config-if)#speed 100

Note: Without manually configuring the duplex mode and speed you will see messages like the following

*Mar  1 00:01:13.831: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/0 (not full duplex), with SW1 FastEthernet1/0 (full duplex).

The above configuration is as basic as it can be to make sure that the PCs can ping one another.

The next step is to introduce a switch and configure its access ports.

Note: The switch is going to be emulated by a router, so use the (config)#no ip routing command and an NM-16ESW module in one of the slots.

Native VLAN 02

Let’s configure SW1 and its ports so both are part of VLAN 10.

SW1#vlan database
SW1(vlan)#vlan 10
VLAN 10 added:
    Name: VLAN0010
SW1(vlan)#exit
APPLY completed.
Exiting....
SW1#configure terminal
SW1(config)#no ip routing
SW1(config)#interface range fastEthernet 1/0 - 1
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 10

The ping is still going just fine, so let’s insert another switch.

Native VLAN 03

SW2

SW2#vlan database
SW2(vlan)#
*Mar  1 00:31:31.367: %SYS-5-CONFIG_I: Configured from console by console
SW2(vlan)#vlan 10
VLAN 10 added:
    Name: VLAN0010
SW2(vlan)#exit
APPLY completed.
Exiting....
SW2#configure terminal
SW2(config)#no ip routing
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#interface range fastEthernet 1/0 - 1
SW2(config-if-range)#switchport mode access
SW2(config-if-range)#switchport access vlan 10
SW2(config-if-range)#
*Mar  1 00:32:03.183: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
SW2(config-if-range)#

Trunk links and VLAN tags

So far nothing greatly interesting has happened in terms of VLAN tagging.

SW1

SW1(config)#interface fastEthernet 1/1
SW1(config-if)#switchport mode trunk

SW2

SW2(config)#interface fastEthernet 1/1
SW2(config-if)#switchport mode trunk

For the given topology, when you inspect a frame on any cable, you will see that the frames are formatted like any other Ethernet frames. After changing the port modes to trunk mode, the frames on the cable between SW1 and SW2 start to be tagged, that is, formatted slightly differently, so that the receiving switch on the other end of the link can recognise which VLAN the frames belong to.

VLAN tagged frame

When you try to connect a VLAN ‘aware’ device to another device that doesn’t recognise VLAN tagging, the frames will be dropped as incorrect. The way around the problem is to switch off the VLAN tagging while at the same time keeping the link as a trunk. To achieve this use the following

SW1

SW1(config-if)#switchport trunk native vlan 10
SW1(config-if)#
*Mar  1 03:25:11.599: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on FastEthernet1/1 VLAN10.
*Mar  1 03:25:11.599: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet1/1 on VLAN1. Inconsistent peer vlan.
*Mar  1 03:25:11.607: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet1/1 on VLAN10. Inconsistent local vlan.
SW1(config-if)#
*Mar  1 03:25:40.591: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet1/1 on VLAN1. Port consistency restored.
*Mar  1 03:25:40.611: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet1/1 on VLAN10. Port consistency restored.
SW1(config-if)# PVST+:Inconsistency timer expired. inconsistency 0
                 cleared for FastEthernet1/1
 PVST+:Inconsistency timer expired. inconsistency 0
                 cleared for FastEthernet1/1

SW1(config-if)#

SW2

SW2(config-if)#switchport trunk native vlan 10
SW2(config-if)#
*Mar  1 01:27:00.835: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet1/1 on VLAN10. Port consistency restored.
*Mar  1 01:27:00.863: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet1/1 on VLAN1. Port consistency restored.
SW2(config-if)# PVST+:Inconsistency timer expired. inconsistency 0
                 cleared for FastEthernet1/1
 PVST+:Inconsistency timer expired. inconsistency 0
                 cleared for FastEthernet1/1

SW2(config-if)#

Note: Because the native VLAN of the trunk link has been changed, the spanning tree also needs to be recalculated. The recalculation takes a few seconds, so be patient when trying to test your network with a ping.

Now, as the link between SW1 and SW2 doesn’t use any VLAN tagging, you can attach a ‘dummy’ switch or another device via a hub and the pings will go through.

Native VLAN mismatch

However, if you configure different native VLANs on each end of the native VLAN trunk, there will be a mismatch.

Note: SW1 is still configured with VLAN 10 as native for the trunk link

SW2#vlan database
SW2(vlan)#vlan 20
VLAN 20 added:
    Name: VLAN0020
SW2(vlan)#exit
APPLY completed.
Exiting....
SW2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#interface fastEthernet 1/1
SW2(config-if)#switchport trunk native vlan 20
SW2(config-if)#
*Mar  1 01:34:37.939: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 10 on FastEthernet1/1 VLAN20.
*Mar  1 01:34:37.939: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet1/1 on VLAN10. Inconsistent peer vlan.PVST+: restarted the forward delay timer for FastEthernet1/1
SW2(config-if)#
*Mar  1 01:34:37.987: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet1/1 on VLAN20. Inconsistent local vlan.
SW2(config-if)#

While previously you were able to ping PC2 from PC1 or vice-versa, now you cannot, because both ends of the trunk link belong to different VLANs.

The VLAN leaks

According to my understanding, when you configure VLAN 10 on one network and VLAN 20 on the other and then cause a native VLAN mismatch on both ends of the trunk link, the ping should still go through, causing frames to leak from one network to the other via the trunk link. However, as you have noticed, the switches, after detecting the mismatch, will switch the ports of the trunk link into the blocking state to prevent such leaks.
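The tagging and native VLAN behaviour described in this post, reproduced on raw bytes as an added Python example (written for this page, not Cisco code): build_frame inserts an 802.1Q tag, TrunkPort models a trunk with a native VLAN, and cross_trunk shows that an untagged native VLAN 10 frame lands in VLAN 20 on a peer whose native VLAN is 20, which is exactly the leak that the PVST+ blocking above prevents. The MAC addresses and payload are constructed, and all function and class names are assumptions.

```python
# Added example, not from the article: how an 802.1Q tag is inserted into an
# Ethernet frame and how a trunk port treats its native VLAN, so the native
# VLAN mismatch above can be reproduced on bytes rather than in GNS3.
import struct

TPID_8021Q = 0x8100                        # EtherType that announces a VLAN tag
ETH_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan is given."""
    frame = dst + src
    if vlan is not None:
        tci = vlan & 0x0FFF               # PCP 0, DEI 0, 12-bit VLAN ID
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, VLAN ID (None if untagged), EtherType and payload."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "vlan": tci & 0x0FFF,
                "ethertype": ethertype, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vlan": None,
            "ethertype": ethertype, "payload": frame[14:]}


class TrunkPort:
    """Minimal model of 'switchport mode trunk' with a configurable native VLAN."""

    def __init__(self, native_vlan):
        self.native_vlan = native_vlan

    def egress(self, vlan, dst, src, ethertype, payload):
        # Frames of the native VLAN leave untagged; all other VLANs are tagged.
        tag = None if vlan == self.native_vlan else vlan
        return build_frame(dst, src, ethertype, payload, tag)

    def ingress(self, frame):
        # An untagged frame arriving on a trunk is placed in the native VLAN.
        f = parse_frame(frame)
        if f["vlan"] is None:
            f["vlan"] = self.native_vlan
        return f


# Constructed sample frame fields (not captured from a real network).
PC1_MAC = bytes.fromhex("c20112180000")
PC2_MAC = bytes.fromhex("c20212180000")
PAYLOAD = b"ping from PC1"


def cross_trunk(sw1_native, sw2_native, vlan):
    """Send one frame of `vlan` from SW1 to SW2; return (tagged?, VLAN at SW2)."""
    wire = TrunkPort(sw1_native).egress(vlan, PC2_MAC, PC1_MAC, ETH_IPV4, PAYLOAD)
    received = TrunkPort(sw2_native).ingress(wire)
    return parse_frame(wire)["vlan"] is not None, received["vlan"]
```

cross_trunk(10, 10, 10) returns (False, 10): the frame crosses untagged and stays in VLAN 10, so a hub or tag-unaware switch in the middle sees a plain frame; cross_trunk(10, 20, 10) returns (False, 20), the mismatch leak; cross_trunk(1, 1, 10) returns (True, 10), the tagged frame a tag-unaware device would drop.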


Network Time Protocol

Last weekend’s change of daylight saving time is a good opportunity to think about how to set clocks across your network. Of course, you can do it manually using the clock command, but you can also synchronise all clocks across your network to an agreed time source, so that later, when you look at system logs, you will be able to correlate events between devices using the time to see what happened when.

Without any configuration, the time set on your device is going to be something like the following

R1#show clock
*00:00:22.755 UTC Fri Mar 1 2002

The * (asterisk) means that the clock is not authoritative, that is, it was never set manually nor synchronised with a time server.

To manually configure time you can use clock command

R1#clock set 12:23:45 30 mar 2015
.Mar 30 12:23:45.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 12:59:43 UTC Wed Apr 1 2015 to 12:23:45 UTC Mon Mar 30 2015, configured from console by console.
R1#show clock
.12:23:47.415 UTC Mon Mar 30 2015

Note: To set clock you don’t need to be in global configuration mode

As you can see, the asterisk (*) has now been replaced by a . (dot). It indicates that the time is now authoritative, but it was not synchronised with a time server; in this case, it was set manually. When you see [blank] in front of the clock output, it means the time is authoritative and has been synchronised with a time server.

Levels of Time servers

To synchronise your devices with a time server you will need… a time server. At some point, you will need a time server that is accurate and always up-to-date. Time servers come with levels of accuracy, described by how close they are to the most accurate clock in the neighbourhood. This closeness to the most accurate clock is described as the Stratum level.

Stratum 0 – usually atomic clock, GSM  clock or other very accurate clock device

Stratum 1 – Time server directly connected to an atomic clock

Stratum 2 and higher – Time server connected to Stratum 1 server and distributing the time settings.

Let’s synchronise the device with a Time Server

Note: Before you can synchronise with a time server you need to have a server and a way to communicate with it. For simplicity, I assume you know how to connect a network device within GNS to a real-life network, that is, to a time server. If you don’t, simply read my previous articles about the topic (Connecting the GNS3 to the real network device).

To make your network device synchronise with a time server use the following commands

R1(config)#ntp server 204.9.54.119
R1(config)#ntp server 207.171.7.151
R1(config)#ntp server 81.168.77.149
R1(config)#end
R1#
*Mar  1 00:00:42.575: %SYS-5-CONFIG_I: Configured from console by console
R1#show clock
15:53:47.783 UTC Mon Mar 30 2015

In order to tell if your network device has communicated with a time server, you can use

R1#show ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
*~204.9.54.119     .CDMA.            1    18    64  377   127.1    8.37     2.3
+~207.171.7.151    128.9.176.30      2    16    64  377   164.1   12.10     3.3
 ~81.168.77.149    82.219.4.30       3    79  1024  377    52.0   -0.98     3.1
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R1#

The st column is the Stratum value. As you can see, the first server on the list is directly connected to a very accurate clock.

Note 1: The stratum value works a bit like the RIP hop count. The value describes how many servers there are between you and the accurate clock. It doesn’t provide information on how physically close a time server is or how much delay there is between you and it.
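Before trusting timestamps correlated across devices, it is worth checking the association table rather than just the clock prefix. The following added Python parser (written for this page, not IOS code) reads the show ntp associations rows above, reports each peer’s stratum and sync flag, and decodes the octal reach register; the extra 192.0.2.10 row is constructed to show an unreachable stratum-16 peer, and the function names are assumptions.

```python
# Added example, not from the article: a parser for the 'show ntp associations'
# table that reports the stratum of each peer, whether it is the sync source,
# and whether it is reachable.
import re

# Rows copied from the page's output, plus one constructed row (192.0.2.10, a
# documentation address) showing what an unreachable stratum-16 peer looks like.
SAMPLE = """\
      address         ref clock     st  when  poll reach  delay  offset    disp
*~204.9.54.119     .CDMA.            1    18    64  377   127.1    8.37     2.3
+~207.171.7.151    128.9.176.30      2    16    64  377   164.1   12.10     3.3
 ~81.168.77.149    82.219.4.30       3    79  1024  377    52.0   -0.98     3.1
 ~192.0.2.10       .INIT.           16     -    64    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

FLAGS = {"*": "master (synced)", "#": "master (unsynced)",
         "+": "selected", "-": "candidate", " ": "none"}

# flag, optional '~', address, ref clock, stratum, when, poll, reach (octal)
ROW = re.compile(r"^([*#+\- ])(~?)(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+([0-7]+)")


def parse_associations(text):
    """Return one dict per peer row; header and legend lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        flag, configured, addr, ref, st, _when, poll, reach = m.groups()
        reach_bits = int(reach, 8)      # shift register of the last 8 polls
        stratum = int(st)
        peers.append({
            "address": addr,
            "configured": configured == "~",
            "state": FLAGS[flag],
            "ref_clock": ref,
            "stratum": stratum,
            "poll": int(poll),
            "polls_answered": bin(reach_bits).count("1"),
            # stratum 16 means the peer is unreachable, as the page notes
            "reachable": stratum < 16 and reach_bits != 0,
        })
    return peers


def sync_source(peers):
    """Address of the peer the router is synced to, or None."""
    for p in peers:
        if p["state"] == "master (synced)":
            return p["address"]
    return None


def unreachable(peers):
    """Addresses of configured peers that are not usable as a time source."""
    return [p["address"] for p in peers if not p["reachable"]]
```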

Note 2: When configuring addresses of time servers you may wish to enable resolving names to IP addresses with the following command
(config)#ip domain-lookup

Note 3: To acquire a list of available time servers you can visit http://support.ntp.org/bin/view/Servers/WebHome and browse for servers that are available to you (open and free access) and which are geographically close to ensure low delay over the Internet.

Now the source of the time setting is the NTP server

R1#show clock detail
16:06:05.825 UTC Mon Mar 30 2015
Time source is NTP

As you may or may not have noticed, the clock settings don’t know about the time zone

R1(config)#clock timezone DST +1 0
Mar 30 16:09:58.755: %SYS-6-CLOCKUPDATE: System clock has been updated from 16:09:58 UTC Mon Mar 30 2015 to 17:09:58 DST Mon Mar 30 2015, configured from console by console.
R1(config)#end
Mar 30 16:12:23.928: %SYS-5-CONFIG_I: Configured from console by console
R1#show clock
17:12:25.976 DST Mon Mar 30 2015

Note 1: The word DST can be replaced by any continuous string of letters; it is a completely arbitrary label.

Note 2: +1 is the number of hours between your time zone and Coordinated Universal Time (UTC). In the example above, 0 (zero) stands for the number of minutes difference between your time zone and UTC.

To find out more about your local time zone visit http://www.timeanddate.com/. The website is devoted to time, time zones, dates, date and time calculators and converters, along with some other loosely time- and date-related applications and toys.

Local time server configuration

To get an idea of the network, here is the diagram

 NTP

R1(config)#ntp master 5

Note: ‘5’ is the stratum level that you wish to advertise your server with. The value should not be set too high, so it won’t get in the way of a more accurate clock that is closely connected to your high-level clocks. Also, the stratum level of your server shouldn’t be too low, because stratum 16 means that the server is unreachable.

Configuration on the local NTP client is trivial

R2(config)#ntp server 192.168.5.1

Where 192.168.5.1 is the address of the local time server.

Auto time-zone update

At the place where I live, a few days ago, the time has changed from BST (British Standard Time) to DST (Daylight Saving Time). The rule to change the time is to push the clock one hour ahead on the last Sunday of March from 02:00am to 03:00am and to pull it back one hour on the last Sunday of October from 03:00am to 02:00am.

If your time zone or local regulations work in a different way you can manually configure when your local time zone is set one hour ahead of astronomical time.

R2(config)#clock summer-time DST recurring last Sun Mar 02:00 last Sun Oct 03:00
Mar 30 19:31:28.446: %SYS-6-CLOCKUPDATE: System clock has been updated from 20:31:28 DST Mon Mar 30 2015 to 21:31:28 DST Mon Mar 30 2015, configured from console by console.