Category Archives: Routing & Switching

“Final” pic..

Posted by on February 22, 2010 Comments Off

Got the cabling done. In this picture the term server is missing since I had to return it to CiscoKits so they can send a “new” one, and therefore the Octal cabling isn’t shown, but the rack is pretty much in it’s “final” shape. It should be noted, I’ve moved things around just a little bit since this picture (not very noticeably though). I’ve gone back to verifying my IOS versions are straight before I start configuring the backbone routers. My frame switch is 100% configured and all PVC’s operational, but I’ve got 6 routers to upgrade the IOS on, (3) 2500′s, and (3) 2600′s. The 2600′s currently are running 124-5 IOS, so that’s not that bad, but I’d like to run the exact same IOS as INE, which is Adventerprisek9, 124-10a. The 2500′s need to be upgraded, since they’re running 11.X (forgot exactly what they were running, I’ve already upgraded one, but have two left to do)…they don’t support IPv6 with the older version, so that’s definitely a must. Anyway, I’m hoping that I’ll finish all of the IOS upgrades tonight and be able to start labbing tomorrow.

Cables, cables, and more cables

Posted by on February 18, 2010 Comments Off

I’ve spent the last few days getting the rack all wired up and the terminal server working. It looks like I have an issue with my terminal server (2511) not working on some of my TTY lines. I have contacted CiscoKits, which is sending a return mailing address label to me, so I can ship the unit back for inspection. Hopefully they find the same issue and it can be resolved. Kind of sucks, that postpones me using the 2511- which is a pain in the butt for larger labs, but that’s OK. For the tech labs, I’ll mostly need only a couple of routers anyway, so I can deal with moving the console cable in the meantime.

Anyway, I’m getting all of the CAT5 cable made. I’m making it all myself, to save money, and to have the cables at the proper lengths. Nothing annoys me more than seeing a rack with 20 ft of extra CAT5 when that’s not necessary. I kind of understand on serial cables..mine are longer than they need to be also, but let’s at least do a LITTLE cable management people. That being said, there’s gotta be a limit, because if you’re anything like me, you move cables around sometimes, and try new things, which is great. We’re not building a permanent rack here, it’s for training purposes- but using that as a reason to not use cable management is kind of a cop out! That aside, to some extent, I expect CCIE racks to be kind of messy, that’s part of the game..just not overly messy ;)


Back to making the CAT5. I haven’t gotten much studying done since I’ve been busy getting the rack up in order to do IEWB Vol I again. I will surely post more once I make some process whether it be on the rack or my personal studies for the written.


Chapter 7: EIGRP- done!

Posted by on February 13, 2010 Comments Off

Finished Chapter 7 on EIGRP from TCP/IP Vol I. I went back and re-read a little bit of it since by the end of it I was fuzzy on some details. Mostly things like the four components of EIGRP (Protocol-dependent modules, DUAL, Neighbor discovery/recovery, and Reliable Transport Protocol, by the way..and no, I didn’t look it up), or the various specifics of the IP Internal/external TLV’s. It’s all pretty simple, but with all the different protocols it’s easy to get little things like those mixed up. Once I finish the next chapter (and largest of the book at 150 pages or so), I’ll probably go back and re-read the highlights of the EIGRP and OSPF chapters. I’d really like to lab some of the stuff up on EIGRP but I’m still waiting on my gear. In the meantime I’ll keep reading.

I’m essentially trying to start from scratch as far as I’m concerned, to make sure I know everything that will be tested on the RIGHT way, not just through memorization (which I’m guilty of doing for some topics). Hopefully by hitting those topics again I’ll have a deeper understanding of WHY and not just the WHAT.

RIPv2/RIPng done!

Posted by on February 5, 2010 Comments Off

I finished the chapter on RIPv2/RIPng in TCP/IP Vol I. I’m relieved that nothing came as a surprise. I did pick up a couple of minor details about RIPng that I didn’t know. I plan on labbing a little bit of RIPng sometime this week, but I’m calling it quits for today. My next chapter is EIGRP, which is about 80 pages of solid info, so I’m going to need some rest before beginning that!

I had someone ask me when I’d start putting more tech articles like my QOS series up here. I don’t really know. Unfortunately, the only updates I can really provide after reading is where I stand, and that I plan to continue. Until I start labbing again, I really don’t have too much golden info to share..at least none that you can’t find in a book :)

For what it’s worth, though- I am going to try to get a couple of good articles up in a timely manner once I can either get my lab setup, or get rolling on the rack rentals. I’d like to aim the articles at a subject that a lot of people have trouble with. Any suggestions?

Review: Errdisable port state

Posted by on November 23, 2009 Comments Off

Those of you “new” to the Cisco world, or those who simply don’t have experience in the layer 2 world may not have heard of errdisable (or simply might refer to it as the proper term, error-disable)- but any seasoned tech knows what a pain it is to check your port and see errdisable. Back when I was a network technician for the Air Force, I remember going to a building on a trouble ticket, only to find a couple of cisco 4500 (if I recall correctly), with no less than 200 cables running to them..you literally could not see the ports themselves, or the RJ-45 connectors. After digging around, I did indeed find a switch hidden back there. After seeing the dreaded orange light on the port LED (signaling errdisable), I consoled into the switch. At the time, I knew errdisable was bad, but that’s about it. This article would have helped tremendously if I had seen it already. Hopefully someone out there reads it in time!


What IS errdisable?

Errdisable, or error-disable, is a feature that allows the switch to detect certain error conditions on interfaces and disable them before the particular condition has a chance to affect the rest of the network. Basically, Errdisable says “Wait, something isn’t right..I’m going to shut this down so it doesn’t break anything else.” An example of some of the errdisable conditions(but not a comprehensive list) can be found below. For a more thorough list, check out cisco.com, and search for errdisable.

  • Port-security violation
  • Etherchannel flapping
  • Invalid GBIC
  • DTP flapping (trunk negotiation)

As I said, there’s more reasons, but those are some of the more common violations. In my experience, Port-security has been the largest- although you can configure error-disable to do what you want after noticing the “error condition”, this action it takes AFTER the error condition is known as the method of recovery. There are two types- manual, and automatic. Manual requires a shut/no shut on the interface; automatic recovery can recover the port itself after a specified interval.


How to tell if a port is in errdisable:

To tell if a port is in errdisable or not, do a show int status, or you can do a “show int fx/x status”. You should see “err-disable” if it is indeed, disabled. From here, depending on your recovery method, you either enable it with a shut/no shut, or let it recover automatically.


ErrDisable key commands:


Enable errdisable (already enabled by default for UDLD/Port-security):

Switch(config)#errdisable detect cause {all | arp-inspection | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | pagp-flap}


Configure automatic recovery from errdisable:

Switch(config)# errdisable recovery cause {all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | pagp-flap | pesecure-violation | security-violation | storm-control | udld | unicastflood | wmps}


Configure recovery interval (only applies to conditions for which automatic recovery is enabled):

Switch(config)#errdisable recovery interval 120 (seconds)


To check Errdisable config:

Switch(config)#Show errdisable detect

ErrDisable Reason              Detection Status

———————                ——————

udld                                          Enabled

bpduguard                              Enabled

security-violation                 Enabled

psecure-violation                 Enabled

…and so on


Switch(config)#Show errdisable recovery

ErrDisable Reason               Timer status

———————                —————

udld                                          Enabled

bpduguard                              Enabled


……………..

Timer interval: 120 seconds

Interfaces that will be enabled at the next timeout:

Interface        ErrDisable reason          Time left(sec)

———-        ———————          —————

f1/1                  security-violation                   34


Final point

ErrDisable is a good mechanism to help you find problems in your network- and to protect it- however, you should ultimately search for the root cause if you experience recurring errdisable conditions on certain ports. This is key, or your network will certainly not be operating efficiently.



Frame Relay Traffic Shaping (FRTS)

Posted by on May 13, 2009 Comments Off

While at a first glance, Frame Relay Traffic Shaping (or FRTS) seems daunting..it’s really not bad. For those of you unfamiliar with FRTS, I’ll present a couple of scenarios where you may need to configure it.


  1. High speed interface –> Low speed interface:  Picture you have one node connecting to the frame relay cloud at 1.544 Mbps, and the router at the far end connecting to the cloud at only 54Kbps. You are essentially creating a bottleneck in this scenario, and will surely experience congestion due to the downstream router having a lower access rate. Shaping the traffic ensures you are sending the data at a speed the other end can handle.
  2. Oversubscription: Let’s say your access rate (the max rate that you can send to the provider) is 128Kbps, but your CIR is only 32Kbps. You can burst above the CIR, but if congestion occurs drop back to your CIR. This ensures that bandwidth is not sitting idle and going unused..the idea is that not all users will require 100% of their bandwidth all of the time.


The information I’m going to present is mostly aimed at the first scenario. Let’s say we have a topology as such:

frts_drawing1




In such a scenario, the Access rate- or the maximum rate that the user can send data, is found on the serial links above. R1 can access the FR cloud at 256K, however R2 can only access it at 128K. Because of this mismatch, it would experience congestion at the interface leaving the FR cloud onto R2′s serial link. Let’s get some terminology out of the way that we must take care of.

AR- Access-rate- The maximum rate the user can inject data into the FR network

CIR- Committed Information Rate- The rate you would like to send under regular conditions to the service provider

Mincir- The actual guaranteed rate by the service provider. Sending less then this means you are not getting the bandwidth you have paid for. We can use mincir to “fall back” in times of congestion, and when things clear up bring our rate back to the CIR.

Tc- Time interval- By default, the service provider will divide one second into 8 parts, of 125ms in each “section”.

Bc- Committed Burst- CIR/Tc. What’s this mean? Say we have a CIR of 56000, then we divide that by the number of Tc intervals..by default 8. That means our Bc is 56000/8 = 7000 bits per timing interval. This means that every timing interval will send 7000 bits, 8 times to make up our CIR of 56000. Of course, we don’t have to send at that rate..if we don’t, the unused bandwidth can go to your token bucket filter..which allows you to burst above your Bc…this burst above Bc is called Be, or Excess burst.

frts_drawing_good3

Be- Excess Burst- Data sent above the Bc (Committed burst) per Tc (Timing interval).


Be (Excess Burst) Breakdown: If you are sending below your CIR, you can accrue “tokens” in your token bucket, to use at a time you need to burst above your Bc. It is important to note that you should only configure a Be value (the amount you want to burst above Bc..provided you have the credit available in your token bucket) if your CIR is LESS then your AR. This makes sense, if your AR (access rate) is 56k, and your CIR is 56k..you don’t want to try to burst above that. It will not work!

Case study: Without going into the configuration yet, the above example uses the adaptive shaping becn command. This causes the router to react to becn’s and adjust it’s throughput on the fly. Using the diagram above, let’s review what exactly is going on. In the first interval (0-125ms), we use our token bucket credit, and send our Bc plus our Be, with our total throughput for that interval being 24k..for that ONE interval. After the first time interval, we start sending at our CIR, which is 128k divided by the amount of time intervals- by default this is 8. That means we are sending 16000 bits per interval. The best way to think about this is that CIR is your regular throughput- over the period of 1 second. Your Bc is simply your CIR but broken up into time intervals.

Now, you’ll see at 500ms that we receive a BECN. FRTS throttles the transmit rate 25% once per interval, upon each BECN received until it reaches the Min CIR value, which in our case is 56k, or 7000 bits per interval. After throttling down to Min CIR, the router must allow 16 time intervals (2 seconds by default) to pass with no BECN’s being received, before ramping the transmit rate back up to the normal CIR. The amount it will increase by is called the byte limit, and can be seen with a show frame pvc X.

Interesting notes regarding FRTS:

  • If you configure “frame-relay traffic-shaping” under the interface but with no map-class configured/specified, the default CIR value will be 56000 bps.
  • By default, Min CIR is 1/2 of CIR (although in the above example we did it a little bit different)
  • You cannot configure the interval (Tc). The router calculates Tc based on CIR/Bc values..so although you can’t explicitly configure Tc, you can influence it by CIR/Bc values..although this also has other implications.
  • Bc = CIR/8 (by default), ie: 56000/8 = 7000 (Bc)
  • After fully configuring FRTS, if you do a “show frame pvc x“, it will show “traffic shaping inactive”. It will not show active until traffic passes that fall within the scope of the shaping.
  • Shaping activates upon the following events: BECN’s received and the DLCI is configured for adaptive shaping (BECN), FRF.12 fragmentation is configured with packets waiting to be fragmented, the number of bytes waiting to leave the interface is more then the byte limit (available credit)
  • FRTS allows you to control per-VC shaping/traffic
  • Can use WFQ/CQ/PQ or FIFO (FIFO by default)
  • In addition to configuring adaptive shaping on BECN receipt, you can configure the interface to react to interface congestion

That’s all I really have for now. There’s a lot of little details for FRTS that can be kind of tricky, but as a whole it’s fairly straightforward. I hope to post several configuration examples in the next post, although I personally feel the difficulty in FRTS lies in the terminology/concepts. Once you get those the rest is cake. Take care!



The effects of Uplinkfast

Posted by on April 26, 2009 Comments Off

Uplinkfast. How many of you can honestly say you’ve used it? Some of you? Most of you? Ok, well I guess I am the minority! I have seen spanning-tree uplinkfast used in configs, but never took the time to really understand the effects of it. The idea is simple enough. You have an access layer switch, with redunant links to the distribution layer. What if one of those links fail? Yes, the access switch will change it’s root port to the other (still working) link, but only after transitioning through the listening and learning states. The length of time it will take is based on the forward timer, which by default is 15 seconds. The default time to transition from blocking to forwarding can take up to 50 seconds. What uplinkfast will do is transition within 5 seconds from the failed link to the new link (changing it’s root port in the process). Much better!

Now, onto the actual effects of uplinkfast. First, uplinkfast will raise the STP priority from the default 32,768 to 49,152 for all VLAN’s. The best way to understand the logic behind this is to figure that by configuring uplinkfast on a switch, you are essentially saying “this switch is an access layer switch”..since uplinkfast is designed for access/edge devices. The higher priority will prevent this switch from becoming the root switch for the STP instance. As you can imagine, having an access-layer switch become the root switch is a very poor design!

The second effect of uplinkfast is that the STP path costs will be changed to 3000 + the current cost (assuming they are the default, we’ll say 19 for a 100 meg link)..this means the costs will be 3019. Why? This will also prevent the access switch from becoming somewhat of a transit point for traffic, because the cost will be so high that every other link into the core will appear much more attractive.

Finally, it’s worth mentioning that when uplinkfast transitions the new root port from blocking to forwarding, it will send out station-learning  multicast frames at a default of 150 packets per second. You can adjust this flood of multicast traffic in the following way: spanning-tree max-update-rate {0-32000}

Note: If you configure the max-update-rate to 0, no station-learning frames will be sent out. This will slow the convergence after a link failure.

There you have it! I was  talking to a buddy of mine about these bits of information regarding the path cost, and decided it’d be good to put it up for others to benefit from. Enjoy! Time to get back to STP and all the details.

Command of the week: Switchport protected

Posted by on April 22, 2009 Comments Off

I have done my share of work in the networking field, and had never heard of this command. I have also not been exposed to a wide variety of layer 2 technologies, but I must say, that this is a very cool command. Granted, it could be considered old- or not on par with private VLAN’s (which take the same idea of isolating particular ports a little bit further), but I like it’s simplicity. However, it IS available in older catalyst switches that may not support Private VLAN’s, so that is a bonus. Last but not least,  knowing how to configure PVLAN’s and protected ports, you can accomplish- to some degree- the same thing in two different ways- which is always a plus. This article will primarily function as a basic overview of the command, although I will briefly flyby the configuration as it is fairly straightforward. Let’s get to it. First, I’ll present you a scenario that will demonstrate what switchport protected does.

Let’s say you have a Cisco 3550 in a closet somewhere, and for whatever reason want two hosts coming off of that 3550 to have no traffic pass between them. Switchport protected will enable you to do just that. The idea is simple: Any protected port can not talk to any other protected port, but can talk with any unprotected port. The idea here is the same as private VLAN’s somewhat..just a more basic method. There’s a few caveats worth mentioning regarding protected ports:

  • The protection is only local to that switch. If you have User A on SW1, and User B on SW1, both on VLAN 100, configured with switchport protected..they will not talk. However, if you split the two users up on two switches that are trunking, but still within VLAN 100…they WILL talk. The protection does not span multiple switches!
  • The protection is limited to Layer 2. Once the frame becomes a packet at Layer 3, it will allow the two hosts to communicate.
  • To block traffic at Layer 3 also, you would need to look at ACL’s, or Vlan Access-lists, or other methods of access control.

So how do we configure a port to be protected? It’s cake. See below:

Switch(config)# interface fa0/1

Switch(config-if)# switchport protected

That is it! I know, almost a letdown, right? Well, the plus is, there’s more! Commonly when implementing protected ports, you will want to also block unknown unicast/multicast traffic. Why? Think about the basic nature of a switch when it receives an unknown unicast frame..it will flood it out all ports except the one it was received. This could introduce a possible avenue for attack. To mitigate this risk, we can block unknown unicast/multicasts on these ports by using the following configuration.

Switch(config-if)#switchport block {multicast | unicast}

That’s all there really is to it. I hope this short article has at least given you a small insight into small lesser-known features the Cisco IOS has to offer. I look forward to finding the next one to share with all of you!



Unicasting RIP updates without the neighbor statement

Posted by on April 9, 2009 4 comments

While reading through my Cisco Press CCIE lab workbook, I came upon a section of the configs that kind of threw me off. The lab asked you to configure RIP to unicast updates without using the neighbor/passive-interface command. For those of you unfamiliar with the “neighbor” way of doing things, here’s how it goes. You configure “neighbor x.x.x.x” as the neighbors address (obviously). This will unicast updates, however, it will also broadcast (for RIPv1) or multicast (for RIPv2) updates regardless. See below.

The following shows

Apr  9 17:29:42.815: RIP: sending v2 update to 224.0.0.9 via Serial1/0 (10.25.1.1)

R1(config-router)#neighbor 10.25.1.2 (added the neighbors IP here)

*Apr  9 17:31:04.575: RIP: sending v2 update to 224.0.0.9 via Serial1/0 (10.25.1.1)
*Apr  9 17:31:04.583: RIP: sending v2 update to 10.25.1.2 via Serial1/0 (10.25.1.1)

As you can see,  unicast RIP updates are being sent, but the multicast updates are still going out. How do we stop them? Using the passive-interface command.

R1(config-router)#passive-interface s1/0

*Apr  9 17:34:50.887: RIP: sending v2 update to 10.25.1.2 via Serial1/0 (10.25.1.1)

As you can see, RIP updates are no longer being multicasted now, however the unicast ones are still exiting the interface..success! That’s fine and dandy, but let’s see another tricky way to pull this off. What happens if the lab says you cannot use the neighbor statement?…

Enter NAT.  I won’t lie, NAT is one of my least favorite subjects due to the unfamiliarity, but I’m sure after reading the following text, you’ll be impressed. I found this to be a sneaky way of unicasting RIP updates. Here’s the idea, since the neighbor statement is out of the question, we’ll use NAT to translate any outgoing traffic on UDP port 520 (RIP updates) to multicast address 224.0.0.9 into our neighbors interface address..in this case 10.25.1.2. Here is the configuration.

R1(config)#int s1/0

R1(config-if)#ip nat outside

Above, we simply identified our s1/0 as the outside interface for NAT purposes. Next, we’ll create our NAT statement which will do the magic.

R1(config)#ip nat outside source static udp 10.25.1.2 520 224.0.0.9 520

Here’s the catch. If we look at R1′s debug ip packet detail output:

*Apr  9 17:49:04.739: IP: s=10.25.1.2 (Serial1/0), d=224.0.0.9, len 52, rcvd 2
*Apr  9 17:49:04.743:     UDP src=520, dst=520

My first impression was: “damn, not working”. Then I checked R2′s debug ip packet detail output..low and behold..

*Apr  9 17:51:13.915: IP: s=10.25.1.1 (Serial1/0), d=10.25.1.2 (Serial1/0), len52, rcvd 3
*Apr  9 17:51:13.915:     UDP src=520, dst=520

Ah ha! The RIP updates sourced from R1 (10.25.1.1) are being sent to 10.25.1.2..or unicasted. We can verify this is unicast only, because without the NAT configuration, you will see the destination as the RIP multicast address, or 224.0.0.9. Pretty sneaky! Now, why can’t we see this NAT solution in R1 through debug ip rip, or debug ip packet det? It all comes down to the NAT order of operation. When performing NAT inside-to-outside translation, routing is done before NAT (with good reason)..therefore your RIP output shows that it is addressed to the 224.0.0.9 address, but by looking at debug ip nat detail on R1, we could see the NAT translation taking place.

*Apr  9 17:56:45.843: NAT: i: udp (10.25.1.1, 520) -> (224.0.0.9, 520) [0]

*Apr  9 17:56:17.815: NAT: s=10.25.1.1, d=224.0.0.9->10.25.1.2 [0]

There you have it! The lesson learned here is to 1) use 100% of the debug commands available, and 2) sometimes debugging from a neighboring router will help troubleshoot the node with an issue.

Edit:  Although I used RIPv2 in the example above, you can do the same with RIPv1, but instead of putting the RIPv2 multicast address in the NAT statement, use the broadcast address. It is key to note that you have to specify UDP port 520, or else you will translate all broadcast traffic that leaves the router instead of just RIP updates!