Archive for December, 2010

Closing in on the written

December 31, 2010 Leave a comment

I have finished my second read of the certification guide. Now it is time to do some serious studying with the questions from the book and from the Boson software I bought a couple of weeks ago. Every answer I get wrong I will research why I got it wrong instead of just memorizing the correct answer. After doing this for a couple of weeks I think I will be ready for the written. When that is finished I will start with the labbing. I have 500 tokens at graded labs waiting for me.

Categories: Announcement, CCIE Tags: , ,

INE – 35% off self paced training

December 30, 2010 Leave a comment

INE has a year end deal for self paced training with 35% off. I just purchased some tokens for rack rentals. So if you need to buy some workbooks or do rack rentals now is a good time to do some shopping 🙂

CCIE lab exam environment

December 25, 2010 2 comments

Preparing some stuff at home to be as prepared as possible when my day comes to do the lab. I live in Sweden but I have ordered an english (US) layout keyboard since that is what is used at the lab. I’m going to start using Putty without any tabs although I’m used to SecureCRT. Putty is used in the lab for R&S. Also going to do all labs on one screen (21.5″ TFT). Only one screen is available at the lab. When the day comes hopefully I will feel very comfortable and keep the stress down.

200 hours done

December 22, 2010 3 comments

So hit 200 hours today. Closing in on the written, have a few more chapters to read and then study questions with Boson and the cert guide. Probably approaching 20% done of the CCIE as I calculate that I need at least 1000 hours to be fully prepared. Merry christmas to everyone reading the blog 🙂

Categories: Announcement, CCIE Tags: ,

IP forwarding – notes

December 20, 2010 Leave a comment

Fast switching

First packet to a specific destination IP is process switched. With the first packet the router adds an entry in the fast switch cache, also called route cache. The cache contains the destination IP, data link header information and the next hop. The next packet to the same desination will hit the cache and be fast switched.

Cisco Express Forwarding (CEF)

CEF has a construct called the Forwarding Information Base (FIB) where the best routes from the Routing Information Base (RIB) end up. The FIB is used for forwarding packets. The CEF table is designed as a mtrie which reduces the time needed to lookup a packet. CEF also uses an adjacency table with information needed to create the data link header and trailer and the outgoing interface. The FIB has a pointer to the adjacency table. CEF is enabled globally with the ip cef command. To turn off CEF per interface use the no ip route-cache cef command.

Adjacency table

Uses ARP, inverse ARP and other sources to find out layer tree to layer two mappings. After lookup has been done in FIB the information in the adjacency table is needed to build the header and trailer for the layer two protocol in use.

Inverse ARP

Used with frame-relay. Data Link Connection Identifier (DLCI) is already know but what IP address does the other side have? This is unknown information and is discovered via inverse ARP or statically entered. After receiving a PVC UP message with Local Management Interface (LMI) each router announces its IP over the Virtual Circuit (VC). If LMI is disabled nothing will trigger the inverse ARP process. Point-to-point interfaces ignore InARP information since there is only one way the traffic can be sent on a point-to-point interface.

Performance routing (PfR)

Originally named Optimized Edge Routing (OER) but Cisco added functionality and renamed it PfR. Can take into account the following information:

  • Packet loss
  • Response time
  • Path availabiliy
  • Traffic load distribution

PfR uses a five phase operational model:

Profile – Learn the flows of traffic that have high latency or high throughput
Measure – Passively/actively collect traffic performance metrics
Apply policy – Create low and high thresholds to define in-policy and out-of-policy (OOP) performance categories
Control – Influence traffic by manipulating routing or in conjunction with PBR
Verify – Measure OOP event performance and adjust policy to bring performance in-policy

PfR learns about network performance using IP SLA and Netflow features (one or both). Requirements for running PfR:

  • CEF must be enabled
  • IGP/BGP routing must be configured and working
  • PfR does not support MPLS

Device roles in PfR

Master Controller (MC)

Configured using the oer master command, this device is the decision maker in the cluster of PfR routers. Learns information from the border routers and makes configuration decisions for the network based on this information.

Border Router (BR)

Configured with the oer border command. Provides information to the master and accepts commands from the MC.

It is possible for a router to hold both roles. BR and MC routers mantain communication using keepalives. If keepalives from the MC stops the BR will remove PfR configuration and return to its pre PfR state. More than one MC can be used for failover purposes. PfR traffic classes can be defined by IP address, protocol, port numbers or even DSCP markings

Generic Routing Encapsulation (GRE)

Method for tunneling data from one router to another. Can be used to tunnel multicast and other protocols. The tunnel destination address must be known over something that is not the tunnel itself like a static route.

Categories: CCIE, Notes, Routing Tags: , , , ,

IP services – Notes

December 19, 2010 Leave a comment


Address Resolution Protocol, used to discovery layer two address when IP address is already known. Uses protocol 0x0806 compared to Ethernet which uses 0x0800. At layer two an ARP request is a broadcast since the MAC address of the destination device is unknown, this means that the destination MAC is FF:FF:FF:FF:FF:FF. In the ARP packet itself the target MAC address is set to 00:00:00:00:00:00. The device receving the request will answer with a reply (hopefully) with its MAC address in the sender MAC address field in the ARP packet.

Proxy ARP

Uses the same message types as regular ARP. Can be used together with other methods to force traffic to go through a router even if hosts are in the same subnet, useful in a FTTH/ETTH scenario. If a host has the IP with a GW of and wants to send a packet to they are in the same network according to subnetmask but the router with IP might have /24 masks on these subnets. Unless proxy ARP is enabled the traffic will never reach its destination since the first host won’t know what MAC address to use as a destination.


Uses same messages as ARP but is used by hosts to discover their IP address. The host will broadcast a RARP request with a sender IP of A RARP server has to be present on the local subnet and it has mappings of MAC addresses to IP addresses. The server will reply with the IP address that the host should use.


Partly designed to be an improvement of RARP. Encapsulated in UDP and uses different kind of messages. With a correct configuration on a router messages can be forwarded to a centrally placed server instead of using locally placed servers. Supports more information in reply like default gateway, DNS server, subnet mask and an address to a boot (image) server. Still has the burden of mapping MAC addresses to IP addresses.


The next step in dynamic addressing. Support for sending pretty much any information needed to a host including IP, gateway, subnetmask, DNS, custom options. Servers are most often centrally located and relies on the function of DHCP relay. On a cisco router DHCP relay is configured with the ip helper-address command. When the router receives a broadcast on the LAN from a host trying to find out its IP it will change the destination IP ( to the IP of the DHCP server. It will also set its own IP in the gateway IP address field (GIADDR).

Hot Standby Router Protocol (HSRP)

  • Cisco proprietary
  • Virtual IP and virtual MAC address active on Master router
  • Default hello-interval of three seconds and dead-interval of 10
  • Highest priority will win (1-255), preempt not enabled by default
  • Supports tracking
  • Up to 255 groups per interface
  • Uses virtual MAC of 0000.0C07.ACxx where xx is the group number in hex

Virtual Router Redundancy Protocol (VRRP)

  • Open standard, very similar to HSRP
  • Uses the virtual MAC 0000.5E00.01xx where xx is the group number in hex
  • Uses preemption by default
  • VRRP can use the interface IP as the VRRP IP which means only two adresses are needed instead of three

Gateway Load Balancing Protocol (GLBP)

GLBP is a Cisco proprietary protocol. The Active Virtual Gateway (AVG) assigns each router in the group a virtual MAC of the form 0007.B400.xxyy where xx is the group number and yy is the identifier for the routers
When a host ARPs for its default gateway the AVG will respond with the MAC of one of the virtual routers, this leads to load balancing

Network Time Protocol

Used to synchronize time for a host/router/server. Will most often run in client mode but a router can also be a NTP server. Uses the concept of stratum to indicate how accurate a time source is, lower stratum is better. Stratum one time sources are very accurate and most of them are atomic clocks.

Simple Network Management Protocol (SNMP)

Used to discover status and information for routers/switches/servers. Version 2C is the most commonly used. SNMP v2C is SNMP version two with version one authentication (clear text). Uses UDP for transport port 61 and 62 for SNMP traps. Cisco devices can send traps when something goes down like an interface failing. SNMP uses Management Information Bases (MIBs) to access the information, to request information from a device the OID is specified in the request. There is also a special Remote Monitoring MIB (RMON) which is used to get interface statistics and information about flows.

SNMP version 3

Supports authentication and encryption
Uses MD5 and SHA for authentication and DES for encryption


Cisco devices do not log to NVRAM by default, can be configured with logging buffered command
Uses UDP port 514 by default
Most often used to send syslog to a remote device which collects syslog from all devices

Web Cache Communication Protocol (WCCP)

Used to ease pressure on WAN links and optimize WAN links. Redirects traffic to content engine which has a cache. Uses UDP port 2048, up to 32 content engines can communicate with a single router, if more than one content engine is present the one with the lowest IP will become the lead engine. With WCCPv1 only one router can redirect the traffic for the content engines but in WCCPv2 multiple routers and content engines can be configured in a service group. WCCPv1 can only support port 80 but v2 supports other protocols as well.

WCCPv2 advantages:

  • Supports TCP and UDP other than port 80, like FTP, video and telephony
  • Supports multicast
  • Supports multiple routers (up to 32 per cluster)
  • Can use MD5 for security
  • Provides load distribution


Can be used to measure delay, jitter, packet loss and other parameters. Configured with ip sla monitor command. Type of monitor and lifetime needs to be specified.


Used to monitor traffic levels and can be used to look for DDOS. Terms used in Netflow:

Records – A set of predefined and user-defined fields like the source IP and destination IP or ports for UDP/TCP.
Flow monitors – Applied to an interface, include records, a cache and optionally a flow exporter
Flow exporters – Export the cached flow information to an outside system, like a netflow collector
Flow sampler – Reduce the load by only sampling packets like very 1/1000 packets

Router IP traffic Export (RITE)

Used to export IP packets to a VLAN or LAN interface for analysis, like an IDS. Can sample packets in same way as Netflow. Redirects packets to a MAC address.

Embedded Event Manager (EEM)

Designed to make life easier for administrators by tracking and classifying events that take place on a router also provides notification for those events. EEM can be used to:

  • Monitor SNMP objects
  • Monitor counters
  • Screen syslog messages for a pattern match (using regexp)
  • Screening CLI input (using regexp)

Actions that EEM can take:

  • Send an email
  • Reload router
  • Generate SNMP traps
  • Execute IOS command


Can be used to monitor interface usage or CPU usage. Can warn if CPU rises more than x % in 60 seconds or if CPU has gone over 80%. Can also set falling thresholds.

Secure Shell (SSH)

Requires some parameters to work:

  • Hostname configured
  • Domain name has been set
  • Generate RSA keys
  • Transport input allows SSH
Categories: CCIE, IP services, Notes Tags: , ,

Spanning tree – notes

December 18, 2010 Leave a comment

Electing the root

Only one switch can be the root bridge. From the start all switches announce themselves as the root, when a switch hears of a superior BPDU it stops announcing itself as the root and instead forwards the superior BDPUs. The switch with the lowest priority will be elected the root, the priority can range from 0 to 65535 where lower is better. If there is a tie in priority the lowest MAC address will decide which bridge becomes the root.

Electing a root port

The port with the lowest cost to the root will be elected the root port. The switch adds its incoming cost on an interface when receiving BPDU hellos. If there is a tie in cost these are the tie breakers.

1. Pick the lowest value of the forwarding switch’s bridge ID
2. Use the lowest port priority of the neighboring switch.
3. Use the lowest internal port number of the forwarding switch.

Note that if multiple links exist between two switches the ID will be the same and port priority may be the same but the port number will always differ.

Electing a designated port

For every segment there can only be one designated port and one designated switch. The switch that sends a hello with the lowest path cost will be the designated port. If there is a tie the same tie breakers as for electing a root port will be used.

STP normal behaviour

The root switch generates hello packets every two seconds. Each non root switch receives the hello on its root port. Each switch updates and forwards the hello out of its designated ports. On each blocked port the switch will receive a copy of the hello from the designated switch on the segment. Hellos are not forwarded out blocking ports.

Changes in the topology

If there is a change in the topology the switch needs to notify the other switches about the change. It will send a TCN BPDU out its root port, it will repeat this message every hello time until acknowledged. The next switch receiving the BPDU will send back an acknowledgement via the next forwarded hello message and set the Topology Change Acknowledgement (TCA) bit. Eventually the TCN will reach the root which will then send hellos with the TC flag set on the next hellos. When the switches receive hellos with TC set they know they should age out their Content Addressable Memory (CAM) tables. This takes 15 seconds default (forward delay timer).

802.1D port states

  • Blocking
  • Listening
  • Learning
  • Forwarding

Taking a port from blocking to forwarding takes between 30 to 50 seconds. If there is an intermediate failure max age has to expire first (20 seconds). After that the port will be listening for 15 seconds (forward delay), if it hears no BPDUs it will move to learning and stay there for 15 seconds. Finally the port will be forwarding. The switch doesn’t learn any MAC addresses until it is in the learning state.

Making a switch the root

The switch that should become the root can be configured with spanning tree vlan vlan-id root primary. If the current root has a higher priority than 24576 the switch sets 24576 as its priority. If the current root has a lower value than 24576 the switch sets its priority to 4096 lower than the current value. Note that the value can not be zero when using this command. If the current root has a priority of 4096 this command will fail. Setting the priority to zero is a safer bet to make sure the root doesn’t change. This command can also be used with the secondary option, this sets the priority to 28672. The second best switch might already have a lower priority than this but there is no way of knowing this from the show spanning tree output.

Spanning tree enhancements

Portfast – Immiediately transitions a port into forwarding mode. Should be set on end user ports. Make sure no switches will ever connect to this port.
Uplinkfast – Used on access layer switches with multiple uplinks to distribution/core. If RP is lost immediately switch to other port as RP and start forwarding. Also notifies other switches to flush their CAM tables.
Backbonefast – Used to detect indirect failures, usually in the core. Avoids waiting for the maxage timer to expire, queries the switch attached to its RP.

These actions are taken when enabling uplinkfast:

  • Increases the root priority to 49152
  • Sets the port cost to 3000
  • Tracks alternate RPs, which are ports in which root hellos are being received.

When a failure has occured the switch with uplinkfast sends frames with the source of its locally learned MAC addresses to the multicast destination 0100.0CCD.CDCD. This forces the upstream switch to relarn the MAC addresses.

When backbonefast is used (should be enabled everwhere if used) then when a hello goes missing the local switch ask its upstream if there is a failure by using a Root Link Query (RLQ). If the upstream has a failure it can reply to the local switch which can now converge to another port without waiting for maxage to expire.


Used for loadbalancing and redundancy. Multiple physical links bundled to one logical link, STP will see the port as one logical link. Can loadbalance on different fields like source and destination MAC address, source and destination IP and layer four port numbers. Can be hardcoded to form a portchannel or use PAgP or LACP. PAgP is Cisco proprietary and LACP is an IEEE standard (802.1AD). PAgP uses the modes auto and desirable (same as DTP) and LACP used active and passive. To be able to form a portchannel some conditions must be met:

  • Same speed and duplex on ports
  • If not trunking use the same access VLAN
  • If trunking use the same trunk type, allowed VLANs and native VLAN
  • On a single switch port costs per VLAN must be the same
  • Must not be a port of a span session

Rapid Spanning Tree

Defined in IEEE 802.1W
Waits for only three missed hellos on RP before reacting
Fewer portstates, uses only discarding, learning and forwarding
Standardization of portfast, uplinkfast and backbonefast
Allows the use of backup RP when a switch has multiple links connected to the same shared segment.

RSTP link types

Point-to-point – Connects to another switch. Full duplex links are treated as point-to-point.
Shared – The link is shared, connected to a hub or using half duplex.
Edge – Connects a switch to a single end user device.

RSTP port roles

RP – Same as in 802.1D
DP – Same as in 802.1D
Alternate port – Same as in upinkfast, alternate port to RP
Backup port – Backup port for DP, can take over for the DP if the DP fails

Multiple Spanning Tree

Specified in IEEE 802.1S. Allows multiple instaces of spanning tree to run (like RSTP) but can have several VLANs mapped to every instance. Relies on RSTP for convergence. A group of switches that use MST is called an MST region. To be part of the same region some parameters must match:

  • Globally enable MST with the spanning-tree mode mst command
  • Set the name for the region with the name command
  • Set a revision number with the revision command
  • Map VLANs to the different instances

These parameters must be identical on the switches in the same region. MST can connect to non MST switches and to the outside world the MST region will be looked at as if it was one switch. MST uses an Internal Spanning Tree (IST) to communicate with the outside switches and ensure the link between is loop-free.

Protecting the spanning tree

To protect the spanning tree from choosing the wrong root or loops that form on end use ports there are some ways of protecting the spanning tree.

BPDU guard – Enabled on ports where switches never will connect (end user ports). If a BPDU is received on the port the port is put into error-disabled state. The port will not recover until the port is shutdown and then no shutdown unless error recovery has been configured.
Root guard – Protects from choosing the wrong RP, could happen by accident or a rougue switch has been connected. If a superior BPDU is received the port is put in the root-inconsistent state and will recover when the superior BPDUs ceases.

UDLD – UniDirectional Link Detection is used to detect unidirectional links which can leed to loops and loss of network connectivity. UDLD has a normal mode and aggressive mode. The normal mode can detect misconnect fibre strands but can not detect unidirectional links where interfaces are connected correctly.

Loop-guard – When BPDUs are no longer received on a port instead of going into forwarding mode the port ends up in a loop-inconsistent mode.