Pages

network cisco ccna gns3 certification arteq

network cisco ccna gns3 certification arteq
a network runs through it

Search insearchofthecert

Saturday, June 30, 2012

stateful v stateless

stateful versus stateless conditions exist in many technologies and applications... firewalls, dhcp, ipv6, programming, protocols, ad nauseam... it seems every one of these defines stateful and stateless in its own inimitable way, as it concerns its particular usage...

coming to terms with a useful definition that can encompass the whole is no easy task...

stateful: systems which track the state of the communication, protocol, event, instance or synchronization

stateless: no obligatory tracking of the state of the communication, protocol, event, instance or synchronization

one can make an analogy using the essential difference between udp and tcp

whereas udp is connectionless (stateless), tcp is connection oriented (stateful) because of its built-in reliability mechanisms

is this a stretch? i don't think so...

the advantage of stateful is a pre-determined guarantee, at the cost of more overhead

the advantage of stateless is best effort, with little reliance on resources

Sunday, June 24, 2012

cef punt..

why?

kick it...

the fib is full (i'm all outta fib)
entry can't be located by the fib
ttl has expired
fragment required because mtu has been exceeded
icmp redirect needed
unsupported encapsulation
tunneled packets needing encryption or compression
acl with log operation
nat needed, except for 6500 sup 720 or better which can do nat in hardware

ask fibber...



4096...

the significance of 4096 is understood in relation to switching, especially spanning tree...

what is 2 to the 12th?

4096... 

from: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/spantree.html#wp1037363

A 12-bit extended system ID field is part of the bridge ID (see Table 28-1). Chassis that support only 64 MAC addresses always use the 12-bit extended system ID. On chassis that support 1024 MAC addresses, you can enable use of the extended system ID. STP uses the VLAN ID as the extended system ID.

When the extended system ID is enabled, the root bridge priority becomes a multiple of 4096 plus the VLAN ID. With the extended system ID enabled, a switch bridge ID (used by the spanning tree algorithm to determine the identity of the root bridge, the lowest being preferred) can only be specified as a multiple of 4096. Only the following values are possible: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. 


then given this:

 Bridge Priority (2 bytes)—The priority or weight of a switch in relation to all other switches. The Priority field can have a value of 0 to 65,535 and defaults to 32,768 (or 0x8000) on every Catalyst switch.

so interpreting the hex 0x8000 from right to left, the first zero is the ones place holder, the second zero is the 16s place holder, the third zero is the 256s place holder and the 8 is the 4096s place holder...

8 times 4096 is 32768

0x1000 equals 4096

0x0100 equals 256

0x0010 equals 16

0x0000 equals ?
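an added example (python, mine, not from the post or the cisco doc): it packs a configured priority and a vlan id into the 2-byte bridge priority field described above, splits it back apart, breaks a value into the hex place values from the paragraph above, and applies "lowest bridge id wins" to pick a root... function names are my own...

```python
# Added example, not from the original post: the 16-bit STP Bridge Priority
# field with the 12-bit extended system ID (priority in the top nibble as a
# multiple of 0x1000 = 4096, VLAN ID in the low 12 bits). Names are my own.
from typing import Dict, List, Tuple

ALLOWED_PRIORITIES = [n * 4096 for n in range(16)]   # 0, 4096, ..., 61440

def bridge_priority_field(priority: int, vlan: int) -> int:
    """Combine a configured priority and a VLAN ID into the 2-byte field."""
    if priority not in ALLOWED_PRIORITIES:
        raise ValueError(f"priority {priority} is not a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError(f"vlan {vlan} out of range 1..4094")
    # OR and + give the same result here because the bit ranges do not overlap
    return priority | vlan

def split_bridge_priority_field(field: int) -> Tuple[int, int]:
    """Reverse: top nibble * 4096 is the priority, low 12 bits the VLAN ID."""
    if not 0 <= field <= 0xFFFF:
        raise ValueError("field must fit in 16 bits")
    return field & 0xF000, field & 0x0FFF

def hex_place_values(field: int) -> List[Tuple[str, int, int]]:
    """Four hex digits of a 16-bit value with their weights 4096, 256, 16, 1
    and each digit's contribution, e.g. 0x8000 -> 8 x 4096 = 32768."""
    weights = [4096, 256, 16, 1]
    digits = f"{field:04X}"
    return [(d, w, int(d, 16) * w) for d, w in zip(digits, weights)]

def elect_root(bridges: Dict[str, Tuple[int, str]]) -> str:
    """Given {name: (priority_field, mac)}, return the name of the root bridge:
    lowest priority field wins, ties broken by the lowest MAC address."""
    return min(bridges, key=lambda n: (bridges[n][0], bridges[n][1].lower()))

if __name__ == "__main__":
    f = bridge_priority_field(32768, 10)          # default priority on vlan 10 -> 0x800A
    print(hex(f), split_bridge_priority_field(f))
    for digit, weight, contrib in hex_place_values(0x8000):
        print(f"{digit} x {weight} = {contrib}")
    # constructed sample: which switch becomes root on vlan 10?
    print(elect_root({
        "sw1": (bridge_priority_field(32768, 10), "00:11:22:33:44:55"),
        "sw2": (bridge_priority_field(24576, 10), "00:11:22:33:44:aa"),
    }))
```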

Saturday, June 23, 2012

radius...

why?

radius = remote authentication dial in user service...

the first question one should ask is, do users actually dial in anymore?

at any rate...

enable aaa new-model as you would for tacacs

aaa new-model

then the radius server
radius-server host <hostname> key <key>

define the 802.1x authentication method
aaa authentication dot1x default group radius

enable 802.1x on the switch
dot1x system-auth-control

configure each switchport for usage

(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}

then sit back and try to figure out why you'd ever use this garbage...

Sunday, June 17, 2012

rpr to sso...

this is the best graphic that i could find... from the hucaby ocg... read it and weep...


isolate...


hsrp states...

hsrp goes through various states to obtain the active role... according to david hucaby in the ccnp switch ocg we have:

When HSRP is configured on an interface, the router progresses through a series of states before becoming active. This forces a router to listen for others in a group and see where it fits into the pecking order. Devices participating in HSRP must progress their interfaces through the following state sequence:
 
1. Disabled
2. Init
3. Listen
4. Speak
5. Standby
6. Active

whoa... according to rfc 2281 we have...

 All routers begin in the Initial state.  This section discusses the
   intent of each state.  For specific details on the actions taken in
   each state, please see the state transition table in section 5.7.

   1. Initial

      This is the starting state and indicates that HSRP is not running.
      This state is entered via a configuration change or when an
      interface first comes up.

   2. Learn

      The router has not determined the virtual IP address, and not yet
      seen an authenticated Hello message from the active router.  In
      this state the router is still waiting to hear from the active
      router.

   3. Listen

      The router knows the virtual IP address, but is neither the active
      router nor the standby router.  It listens for Hello messages from
      those routers.


Li, et. al.                  Informational                      [Page 8]
 
RFC 2281                       Cisco HSRP                     March 1998


   4. Speak

      The router sends periodic Hello messages and is actively
      participating in the election of the active and/or standby router.
      A router cannot enter Speak state unless it has the virtual IP
      address.

   5. Standby

      The router is a candidate to become the next active router and
      sends periodic Hello messages.  Excluding transient conditions,
      there MUST be at most one router in the group in Standby state.

   6. Active

      The router is currently forwarding packets that are sent to the
      group's virtual MAC address.  The router sends periodic Hello
      messages.  Excluding transient conditions, there MUST be at most
      one router in Active state in the group.
 
 
i hate when that shit happens...

then from cisco.com we have...
http://www.cisco.com/en/US/docs/ios/12_1t/12_1t3/feature/guide/dt_hsrpi.html
 
 
State

State of local router; can be one of the following:

Active—Current Hot Standby router

Standby—Router next in line to be the Hot Standby router

Speak—Router is sending packets to claim the active or standby role.

Init—Router is not yet ready to participate in HSRP, possibly because the associated interface is not up. HSRP groups configured in other routers on the network that are learned via snooping are displayed as being in the Init state. In these cases, an IP address is displayed in the "Active addr" field. Locally configured groups with an interface that is down or groups without a specified interface IP address appear in the Init state. For these cases, the Active addr and Standby addr will show "unknown."

Listen—Router is in neither active nor standby state, but if no messages are received from the active or standby router, it will start to speak.

Learn—Router is in neither active nor standby state, nor does it have enough information to attempt to claim the active or standby roles.

here there is learn, but no mention of disabled... in all 3 cases there are six states...

and finally...
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gthsrpv2.html
State is

State of local router; can be one of the following:

Active—Indicates the current Hot Standby router.

Standby—Indicates the router next in line to be the Hot Standby router.

Speak—Router is sending packets to claim the active or standby role.

Listen—Router is neither in the active nor standby state, but if no messages are received from the active or standby router, it will start to speak.

Learn—Router is neither in the active nor standby state, nor does it have enough information to attempt to claim the active or standby roles.

Init or Disabled—Router is not yet ready or able to participate in HSRP, possibly because the associated interface is not up. HSRP groups configured on other routers on the network that are learned via snooping are displayed as being in the Init state. Locally configured groups with an interface that is down or groups without a specified interface IP address appear in the Init state. For these cases, the Active addr and Standby addr fields will show "unknown." The state is listed as disabled in the fields when the standby ip command has not been specified.

initial and disabled got married in the fourth one...
would someone please try to get these people together...






assured forwarding and drop precedence...

it is important to remember that less is more, or rather lower is better, much like with stp priority, when it comes to assured forwarding and its corresponding drop precedence...

look at that great dscp table again...

within this table there is no explanation of the drop precedence, but we understand that drop precedence is implied in the af number itself...

in class selector 3, the first digit of the af value is THE class selector...

af31, af32, af33

the second number defines the drop precedence; 1 is low, 2 is medium and 3 is high...

for drop precedence, lower is better, which means af31 (drop precedence 1) has a low drop probability compared with af33 (drop precedence 3, high drop probability), and af32 (2) is medium...

most likely the consideration will be made in favor of af31 for traffic defined by class selector 3...

notice these granular choices are not available for cs5, 6 and 7...

one last point... the higher the class selector, the higher the priority, so cs4 beats cs3, etc... but within the af, af31 is preferred over af33...

it goes both ways...

Saturday, June 16, 2012

syslog severity levels...

what do you do?

memorize... thank you anki and wiki...

sometimes logic, definition and sanity will not prevail...

E A C E W N I D

(emergencies, alerts, critical, errors, warnings, notifications, informational, debugging... levels 0 through 7)



Monday, June 11, 2012

dscp/ip precedence...

even easier still... thanks to this guy http://www.dasblinkenlichten.com/?p=376

just great... ordered so well... barely have to remember afxy = 8x + 2y

the class selector and the ip precedence follow each other... from cs1 (decimal 8) the binary and decimal values in the table always increment by two (8, 10, 12, 14, 16...), until voice (ef at 46)... sheer genius...

thank you dasblinkerlicker... he did what i was shooting for yesterday...

Sunday, June 10, 2012

yet more dscp...

cribbed from ine, by scott morris http://ieoc.com/forums/p/5257/17674.aspx


AF11 is not a hex value...  So the calculator won't help you much.  :)

It means Class 1 Threshold 1.

Now, the class value = IP Prec value, which is where we start with the backwards compatibility.

IP Prec 0 = DSCP 0 (000 vs 000000)
IP Prec 1 = DSCP 8 (001 vs 001000)
IP Prec 2 = DSCP 16 (010 vs 010000)
IP Prec 3 = DSCP 24 (011 vs 011000)
IP Prec 4 = DSCP 32 (100 vs 100000)
IP Prec 5 = DSCP 40 (101 vs 101000)
IP Prec 6 = DSCP 48 (110 vs 110000)
IP Prec 7 = DSCP 56 (111 vs 111000)

Now, the thresholds use the "2-bit" and "4-bit" positions for values (00 being the default class)

01 = Threshold 1 (therefore 001010 is AF 11 or DSCP 10)
10 = Threshold 2 (therefore 001100 is AF 12 or DSCP 12 (the ONLY overlap in numbers))
11 = Threshold 3 (therefore 001110 is AF 13 or DSCP 14)

Just change the first three bits for the remainder of the classes 1 through 4.

dscp and ip precedence cont...

but arteq, you say, the friggin af numbers don't follow the same logic... i was disappointed also...

look again...

notice that the af numbers follow the cs numbers and increase by 1, hence cs3 contains af's 31, 32 and 33... for assured forwarding in class 3, 31 has the lowest drop precedence in the class, 33 the highest... that still prevails, but the ds field values don't follow the same step... tough shit... life isn't fair...

notice af22's ds field value equals 20 decimal or binary 010100, but also notice the ds field values are a constant increment of 2... some compensation there...

if you remember the class selector, ie, cs4 is decimal 4 x 8 or 32, the af values beyond the cs increase by 1 in the name and by 2 in decimal each time, giving af41 = (4x8) + 2 or 34, then af42 = 36 decimal... kinda clunky but it works for me...

there is this formula as well... afxy = 8x + 2y = decimal value, or

af32 = 3 times 8 + 2 times 2 = 24 + 4 = 28

and in a pinch there is also this...

dls1(config)#access-list 101 permit ip any any dscp ?
  <0-63>   Differentiated services codepoint value
  af11     Match packets with AF11 dscp (001010)
  af12     Match packets with AF12 dscp (001100)
  af13     Match packets with AF13 dscp (001110)
  af21     Match packets with AF21 dscp (010010)
  af22     Match packets with AF22 dscp (010100)
  af23     Match packets with AF23 dscp (010110)
  af31     Match packets with AF31 dscp (011010)
  af32     Match packets with AF32 dscp (011100)
  af33     Match packets with AF33 dscp (011110)
  af41     Match packets with AF41 dscp (100010)
  af42     Match packets with AF42 dscp (100100)
  af43     Match packets with AF43 dscp (100110)
  cs1      Match packets with CS1(precedence 1) dscp (001000)
  cs2      Match packets with CS2(precedence 2) dscp (010000)
  cs3      Match packets with CS3(precedence 3) dscp (011000)
  cs4      Match packets with CS4(precedence 4) dscp (100000)
  cs5      Match packets with CS5(precedence 5) dscp (101000)
  cs6      Match packets with CS6(precedence 6) dscp (110000)
  cs7      Match packets with CS7(precedence 7) dscp (111000)
  default  Match packets with default dscp (000000)
  ef       Match packets with EF dscp (101110)


again, af11 is cs1 plus drop precedence 1, af12 is cs1 plus drop precedence 2... af11 = 8x1 + 2x1 = 10 = 001010

af21 is cs2 plus drop precedence 1: 8x2 + 2x1 = 16 + 2 = 18

although cs5 is 8x5 or 40, expedited forwarding (ef) for voice has a ds field value of 46... you'll have to memorize that... or convert binary to decimal from the above output...


ef       Match packets with EF dscp (101110) = 46








dscp and ip precedence...

i am only scratching the surface of this, and i'm finding it's mostly not that complicated...

ip precedence is fairly simple, 0 to 7, with 0 being the lowest priority or best effort, and the higher the number the higher the priority (i do like the numbers, but i also like logic with the numbers, you'll see what i mean as we move along)

the class selector follows this logic...

cs0 is binary 000000 which translates to decimal 0 and has ip precedence 0
beautiful

cs1 increases to binary 001000 which translates to decimal 8 and has an ip precedence of 1
the ds field has only 6 bit positions, so imagine the two leading zeros (the 128 and 64 columns) as always zero

if you are shaky on binary to decimal remember 128 64 32 16 8 4 2 1

128 64 32 16 8 4 2 1
  0  0  0  0 1 0 0 0

so the ip precedence increases by 1 and follows the class selector...

hence, cs2  has an ip precedence of 2, cs3 has an ip precedence of 3, and so on up to cs7

also as the class selector increases by one, its decimal value increases by 8, and the binary value follows

again cs0 is zero across the board
cs1 has increased by 1 from zero and its ds value has increased to decimal 8 or binary 001000

cs2 is academic... ip precedence is now 2, and it has increased by 8 so the decimal value (its ds field value) is now 16, binary 010000

cs3, ip precedence 3, increase another 8 to decimal 24 with the binary translation 011000

cs4, 5, 6 and 7 all follow the same logic which gives cs7 an ip precedence of 7, and ds field value decimal 56 or 111000
7 times 8 is 56 or 32 + 16 + 8 + 0 + 0 + 0 = 56

see chart below... thanks to http://bogpeople.com/networking/dscp.shtml

DSCP <=> IP Precedence Conversion Table

DSCP Name   DS Field Value           IP Precedence
            Binary      Decimal
CS0         000 000     0            0
CS1         001 000     8            1
AF11        001 010     10           1
AF12        001 100     12           1
AF13        001 110     14           1
CS2         010 000     16           2
AF21        010 010     18           2
AF22        010 100     20           2
AF23        010 110     22           2
CS3         011 000     24           3
AF31        011 010     26           3
AF32        011 100     28           3
AF33        011 110     30           3
CS4         100 000     32           4
AF41        100 010     34           4
AF42        100 100     36           4
AF43        100 110     38           4
CS5         101 000     40           5
EF          101 110     46           5
CS6         110 000     48           6
CS7         111 000     56           7

CS   = Class Selector (RFC 2474)
AFxy = Assured Forwarding (x = class, y = drop precedence) (RFC 2597)
EF   = Expedited Forwarding (RFC 3246)
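an added example (python, mine, not from the post or any of the sources quoted) that serves the assured forwarding / drop precedence post, the afxy = 8x + 2y formula and the class selector walk-through above: it builds dscp values from their names (8x + 2y for af, 8x for cs, 46 for ef), recovers ip precedence and drop precedence from the 6-bit ds field value, and rebuilds the conversion table... function names are my own...

```python
# Added example, not from the original post: DSCP arithmetic from the posts
# above. Forward direction uses 8x + 2y (AF), 8x (CS) and the EF special case;
# the reverse direction reads IP precedence from the top 3 bits and the AF
# drop precedence from the next 2 bits. Function names are my own.
import re
from typing import List, Optional, Tuple

EF = 46                        # 101110: class 5 bits plus 110, not 8*5 = 40
AF_CLASSES = range(1, 5)       # AF is only defined for classes 1..4
DROP_PRECEDENCE = {1: "low", 2: "medium", 3: "high"}

def dscp_from_name(name: str) -> int:
    """'cs3' -> 24, 'af32' -> 28, 'ef' -> 46, 'default' -> 0."""
    n = name.strip().lower()
    if n in ("default", "be"):
        return 0
    if n == "ef":
        return EF
    m = re.fullmatch(r"cs([0-7])", n)
    if m:
        return 8 * int(m.group(1))
    m = re.fullmatch(r"af([1-4])([1-3])", n)
    if m:
        x, y = int(m.group(1)), int(m.group(2))
        return 8 * x + 2 * y
    raise ValueError(f"unknown dscp name {name!r}")

def ip_precedence(dscp: int) -> int:
    """IP precedence is the top 3 bits of the 6-bit DS field."""
    return (dscp >> 3) & 0b111

def drop_precedence(dscp: int) -> int:
    """AF drop precedence is the 2 bits below the class bits (0 for CS values)."""
    return (dscp >> 1) & 0b11

def binary(dscp: int) -> str:
    """Render as 'ccc ddd' like the conversion table: class bits, then the rest."""
    b = f"{dscp:06b}"
    return f"{b[:3]} {b[3:]}"

def name_from_dscp(dscp: int) -> Optional[str]:
    """Reverse lookup; None for a value with no CS/AF/EF name."""
    if not 0 <= dscp <= 63:
        raise ValueError("dscp must be 0..63")
    if dscp == EF:
        return "EF"
    cls, drop, low_bit = ip_precedence(dscp), drop_precedence(dscp), dscp & 1
    if low_bit:                # CS and AF values are all even
        return None
    if drop == 0:
        return f"CS{cls}"
    if cls in AF_CLASSES:
        return f"AF{cls}{drop}"
    return None                # e.g. 42 = 101010 has no AF5x name

def conversion_table() -> List[Tuple[str, str, int, int]]:
    """Rebuild the DSCP <=> IP precedence table in the order shown on the page."""
    names = ["CS0"]
    for x in AF_CLASSES:
        names += [f"CS{x}", f"AF{x}1", f"AF{x}2", f"AF{x}3"]
    names += ["CS5", "EF", "CS6", "CS7"]
    rows = []
    for n in names:
        v = dscp_from_name(n)
        rows.append((n, binary(v), v, ip_precedence(v)))
    return rows

if __name__ == "__main__":
    for row in conversion_table():
        print("{:<5} {} {:>3} {:>2}".format(*row))
    print(name_from_dscp(20), DROP_PRECEDENCE[drop_precedence(20)])   # AF22 medium
```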

Saturday, June 9, 2012

cross country drive...

i've driven across the country a few times, by necessity, not by choice... through colorado i had to traverse one of its mountain passes, i can't recall which, there are many... it was however a long way to the bottom and i remember seeing signs that read something like this, "do not be mistaken, you are not down yet" as a warning to truckers to remain in low gear...

so too with studying... remain in low gear, you are not down yet, or done yet...

this stuff often gets stale... you read the same thing over and again and while you think you have it down, you are not down yet... you convince yourself that you know something but upon putting it to the test you realize that you have a vague notion only...

you have to trick yourself to keep the material fresh... you've read it countless times, but if you take away the paragraph can you outline the larger concepts contained therein?

probably not, because if you could you wouldn't be consuming it again...

reading through is not consuming, is not digesting the finer points... read it again and convince yourself first that you know nothing... then read it again as if you'd never read it before...  then take it away and see if you can recall the minutiae this time...

the test is not the end... the last thing you want is to remember for the short term and then get blurry 3 months into the next subject event... 

when studying for ccent the goal is to carry all that into icnd2 without having to review... you want to carry all of ccna into ccnp, then all of ccnp into ccie...

it's not the test, it is the retention...

have you used anki yet and explored the myriad ways to manipulate the material to make it new every time? thinking of a different way to create a new deck alone is a study method... add graphs, audio, tables... if only they could be made scratch and sniff... incorporate as many of your senses as possible into the study...

quote of the day; cef adjacency...

from http://etherealmind.com/cef-description/

go there now...

On Page 59, Router Security Strategies: Securing IP Network Traffic Planes:
The adjacency table contains information necessary for encapsulation of the packets that must be sent to given next-hop network devices. CEF considers next-hop devices to be neighbors if they are directly connected via a shared IP subnet.
Each adjacency entry stores pre-computed frame headers used when forwarding a packet using a FIB entry referencing the corresponding adjacency entry. The adjacency table is populated as adjacencies are discovered. Each time an adjacency entry is created, such as through the ARP protocol, a link-layer header for that adjacent node is pre-computed and stored in the adjacency table.

Routes might have more than one path per entry, making it possible to use CEF to switch packets while load balancing across multiple paths.
In addition to next-hop interface adjacencies (in other words host-route adjacencies), certain exception condition adjacencies exist to expedite switching for nonstandard conditions. These include, among others: punt adjacencies for handling features that are not supported in CEF (such as IP options), and drop adjacencies for prefixes referencing the Null0 interface. Packets forwarded to Null0 are dropped, making an effective, efficient form of access filtering.
Router Security Strategies: Securing IP Network Traffic Planes By Gregg Schudel – CCIE No. 9591, David J. Smith – CCIE No. 1986 ISBN: 9781587053368 Publisher: Cisco Press

udld aggressive...

set up udld globally...

dls2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
dls2(config)#udld aggressive
dls2(config)#

verify...

dls2(config)#do sh udld g0/1

Interface Gi0/1
---
Port enable administrative configuration setting: Follows device default
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5

    Entry 1
    ---
    Expiration time: 40
    Cache Device index: 1
    Current neighbor state: Bidirectional
    Device ID: CAT0812N33C 
    Port ID: Gi0/1 
    Neighbor echo 1 device: CHK0648W1BG
    Neighbor echo 1 port: Gi0/1

    Message interval: 15
 --More--

yank out one of the fibers...

dls2#sh udld g0/1

Interface Gi0/1
---
Port enable administrative configuration setting: Follows device default
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Unknown
Current operational state: Link down


replace and verify...

dls2#sh udld g0/1

Interface Gi0/1
---
Port enable administrative configuration setting: Follows device default
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5

    Entry 1
    ---
    Expiration time: 45
    Cache Device index: 1
    Current neighbor state: Bidirectional
    Device ID: CAT0812N33C 
    Port ID: Gi0/1 
    Neighbor echo 1 device: CHK0648W1BG
    Neighbor echo 1 port: Gi0/1


that's aggressive...

Wednesday, June 6, 2012

trunk encapsulation...

oftentimes in texts 802.1q tagging will be referred to as encapsulation... this is confusing and a complete falsehood, as we know... with 802.1q there is no such thing as encapsulating the frame... injection, insertion, anything but encapsulation...

isl actually encapsulates the frame... it would be nice if isl, among others, would finally be allowed to die... many cisco ios's and platforms no longer support isl... it had its time, served its purpose, and now needs to be finally laid to rest...

encapsulate: to place in or as if in a capsule
inject:  to introduce
insert: to put or place in

historically, cisco will fill a protocol need before the standards bodies, ie, pvst... the standards organizations will eventually come up to speed and make obsolete the proprietary protocol... for progress' sake, this is good... cisco just needs to learn when to let go, like dtp, vtp, pagp, et al...

i firmly believe learning about network artifacts is worthwhile from the point of view of history and context, but i also believe that the ins and outs of them should not be testable...


Sunday, June 3, 2012

basic pvlan graphic...

thanks to: http://startup-config.com/prevent-spoofing-private-vlan-pvlan/


this is a good graphic, simply identifying the components...

folks in this business tend to overcomplicate things by way of showing how clever they are...

i have no use for that...  this isn't brain surgery, we are not defining pi...

oftentimes in the forums you will find answers to questions that are not answers to the questions, but elaborations completely off topic, or tangents, or self glorifications...

my credo is to keep it simple, straightforward...

the shortest, most direct answer, is the thing that will stay with you forever...

for instance, you could read pages upon pages about broadcast domains... it is a difficult concept to come to grips with early on... and yet you must wade through all of that to get to this...

a broadcast domain is the set of devices for which a broadcast will be experienced

ahhhhhhhhh... timeless...

mac spoofing v arp spoofing...

mac spoofing

   the switch is tricked into believing that the same mac address is connected to two different ports... this effectively poisons the cam (or mac address table) and sets up a man in the middle

mitigation: port security

arp spoofing

   during arp request and reply, an attacker injects a fake reply message using their own mac address, masquerading as a legitimate host

mitigation: dai (dynamic arp inspection)
   dai performs an ip to mac binding inspection... packets with invalid ip to mac bindings will be dropped

   dai
      inspects all arp requests and responses on untrusted ports; ingress (inbound) only
      validates intercepted packet ip to mac bindings, before updating the local arp cache, and before forwarding
      drops ip to mac binding failures

usually employed with dhcp snooping

for relay agents, use dhcp relay information option 82

ip dhcp snooping limit rate (per interface)
is used to limit the number of dhcp messages per second an untrusted interface can receive
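an added example (python, mine, not from the post): a minimal model of the two mitigations listed above... inspect_arp() applies the dai rule, checking the sender ip to mac binding of arp traffic arriving on untrusted ports against a dhcp snooping binding table, and Cam.learn() applies a port-security style limit and flags a mac that shows up on a second port... all bindings, port names and arp packets are constructed sample data, and the class and function names are my own...

```python
# Added example, not from the original post: DAI-style ARP inspection against a
# DHCP snooping binding table, plus a port-security style MAC table. Every
# binding, port name and ARP packet below is constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Arp:
    vlan: int
    ingress_port: str
    sender_ip: str
    sender_mac: str
    op: str                     # "request" or "reply"; both are inspected

# constructed dhcp snooping binding table: (vlan, ip) -> mac
BINDINGS: Dict[Tuple[int, str], str] = {
    (10, "10.0.10.20"): "00:aa:00:00:00:20",
    (10, "10.0.10.30"): "00:aa:00:00:00:30",
}
TRUSTED_PORTS = {"Gi0/24"}      # uplink; dai does not inspect trusted ingress

def inspect_arp(pkt: Arp, bindings=BINDINGS, trusted=TRUSTED_PORTS) -> Tuple[str, str]:
    """Return ("forward" | "drop", reason) for one ARP packet on ingress."""
    if pkt.ingress_port in trusted:
        return "forward", "trusted port, not inspected"
    expected = bindings.get((pkt.vlan, pkt.sender_ip))
    if expected is None:
        return "drop", f"no binding for {pkt.sender_ip} in vlan {pkt.vlan}"
    if expected.lower() != pkt.sender_mac.lower():
        return "drop", f"{pkt.sender_ip} is bound to {expected}, not {pkt.sender_mac}"
    return "forward", "ip to mac binding ok"

@dataclass
class Cam:
    """MAC address table with a port-security style maximum per port."""
    max_per_port: int = 1
    table: Dict[str, str] = field(default_factory=dict)   # mac -> port

    def learn(self, port: str, mac: str) -> Tuple[str, str]:
        mac = mac.lower()
        prev = self.table.get(mac)
        if prev is not None and prev != port:
            # the same mac showing up on two ports: the cam poisoning case above
            return "violation", f"{mac} already secured on {prev}, now seen on {port}"
        on_port = sum(1 for p in self.table.values() if p == port)
        if prev is None and on_port >= self.max_per_port:
            return "violation", f"{port} already holds {on_port} secure mac(s)"
        self.table[mac] = port
        return "ok", "learned"

SAMPLE_ARPS: List[Arp] = [   # constructed
    Arp(10, "Gi0/2", "10.0.10.20", "00:aa:00:00:00:20", "reply"),    # legitimate host
    Arp(10, "Gi0/5", "10.0.10.20", "00:bb:00:00:00:99", "reply"),    # .20 claimed with another mac
    Arp(10, "Gi0/5", "10.0.10.77", "00:bb:00:00:00:99", "request"),  # ip never leased by dhcp
    Arp(10, "Gi0/24", "10.0.10.1", "00:cc:00:00:00:01", "reply"),    # arrives on the trusted uplink
]

def inspect_all(arps: List[Arp] = SAMPLE_ARPS) -> List[str]:
    """Decision per sample packet, in order."""
    return [inspect_arp(a)[0] for a in arps]

if __name__ == "__main__":
    for a in SAMPLE_ARPS:
        decision, why = inspect_arp(a)
        print(f"{a.ingress_port:<6} {a.sender_ip:<12} {decision:<7} {why}")
```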