stateful versus stateless conditions exist in many technologies and applications... firewalls, dhcp, ipv6, programming, protocols, ad nauseam... it seems every one of these defines stateful and stateless in its own inimitable way, and as it concerns its particular usage...
coming to terms with a useful definition that can encompass the whole is no easy task..
stateful: systems which track the state of the communication, protocol, event, instance or synchronization
stateless: no obligatory tracking of the state of the communication, protocol, event, instance or synchronization
one can make an analogy using the essential difference between udp and tcp
whereas udp is connectionless (stateless), tcp is connection oriented (stateful) because of built in reliability mechanisms
is this a stretch? i don't think so...
the advantage of a stateful state is a pre-determined guarantee at a cost of more overhead
the advantage of a stateless state is best effort with little reliance on resources
Saturday, June 30, 2012
Sunday, June 24, 2012
cef punt..
why?
kick it...
the fib is full (i'm all outta fib)
entry can't be located by the fib
ttl has expired
fragment required because mtu has been exceeded
icmp redirect needed
unsupported encapsulation
tunneled packets needing encryption or compression
acl with log operation
nat needed, except for 6500 sup 720 or better which can do nat in hardware
ask fibber...
4096...
the significance of 4096 is understood in relation to switching, especially spanning tree...
what is 2 to the 12th?
4096...
from: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/spantree.html#wp1037363
A 12-bit extended system ID field is part of the bridge ID (see Table 28-1). Chassis that support only 64 MAC addresses always use the 12-bit extended system ID. On chassis that support 1024 MAC addresses, you can enable use of the extended system ID. STP uses the VLAN ID as the extended system ID.
When the extended system ID is enabled, the root bridge priority becomes a multiple of 4096 plus the VLAN ID. With the extended system ID enabled, a switch bridge ID (used by the spanning tree algorithm to determine the identity of the root bridge, the lowest being preferred) can only be specified as a multiple of 4096. Only the following values are possible: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440.
then given this:
Bridge Priority (2 bytes)—The priority or weight of a switch in relation to all other switches. The Priority field can have a value of 0 to 65,535 and defaults to 32,768 (or 0x8000) on every Catalyst switch.
so interpreting hex here from right to left, the first zero is the one's place holder, the second zero is the 16's place holder, the third zero is the 256's place holder and the 8 is the 4096's place holder...
8 times 4096 is 32768
0x1000 equals 4096
0x0100 equals 256
0x0010 equals 16
0x0000 equals ?
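the extended system id arithmetic from the cisco text above, carried through in python as an added example (my code, not from the post or from cisco's documentation; the function names are my own, the numbers are the ones quoted: 12 id bits, a 4096 step, a 0x8000 default)...

```python
# Added example (not from the original post): extended system ID arithmetic for
# the STP bridge priority field, as described in the Cisco text quoted above.
# Function and variable names are my own; the constants come from the quote.

EXT_SYS_ID_BITS = 12
PRIORITY_STEP = 1 << EXT_SYS_ID_BITS      # 2**12 == 4096
DEFAULT_PRIORITY = 0x8000                  # 32768, the Catalyst default


def valid_priorities():
    """The 16 configurable priorities: multiples of 4096 from 0 to 61440."""
    return [n * PRIORITY_STEP for n in range(16)]


def bridge_priority_field(priority, vlan_id):
    """Compose the 16-bit priority field: configured priority + VLAN ID.

    With the extended system ID enabled the upper 4 bits carry the configured
    priority (hence the multiples of 4096) and the lower 12 bits carry the
    VLAN ID, so the two simply OR together.
    """
    if priority % PRIORITY_STEP != 0 or not 0 <= priority < 1 << 16:
        raise ValueError(f"priority {priority} is not a multiple of 4096 in 0..61440")
    if not 0 <= vlan_id < PRIORITY_STEP:
        raise ValueError(f"vlan id {vlan_id} does not fit in 12 bits")
    return priority | vlan_id


def split_priority_field(field):
    """Inverse of bridge_priority_field: (configured priority, VLAN ID)."""
    return field & ~(PRIORITY_STEP - 1), field & (PRIORITY_STEP - 1)


def hex_place_values(value):
    """Decompose a 16-bit value into its four hex digits and their weights,
    right to left: 1s, 16s, 256s, 4096s (the post's reading of 0x8000).
    Returns [(digit, weight, digit * weight), ...]."""
    weights = [1, 16, 256, 4096]
    digits = [(value >> (4 * i)) & 0xF for i in range(4)]   # 4 bits per hex digit
    return [(d, w, d * w) for d, w in zip(digits, weights)]


def elect_root(bridges):
    """The bridge that wins the root election: numerically lowest bridge ID,
    i.e. lowest priority field, MAC breaking ties (MACs must share one
    format so string comparison orders them numerically)."""
    return min(bridges, key=lambda b: (b["priority_field"], b["mac"]))


if __name__ == "__main__":
    for digit, weight, product in hex_place_values(DEFAULT_PRIORITY):
        print(f"{digit} x {weight:5d} = {product}")
    print("vlan 10 at default priority:", bridge_priority_field(DEFAULT_PRIORITY, 10))
```

run it and the 0x8000 decomposition prints the post's reading: three zero digits and 8 x 4096 = 32768; vlan 10 at the default then advertises 32778, which is why a lower configured priority on the intended root (a smaller multiple of 4096) is what wins the election, not the vlan part...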
Saturday, June 23, 2012
radius...
why?
radius = remote authentication dial in user service...
the first question one should ask is, do users actually dial in anymore?
at any rate...
enable aaa new-model as you would for tacacs
aaa new-model
then the radius server
radius-server host (hostname) (key)
define the 802.1x authentication method
aaa authentication dot1x default group radius
enable 802.1x on the switch
dot1x system-auth-control
configure each switchport for usage
(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}
then sit back and try to figure out why you'd ever use this garbage...
Labels:
authentication,
ccnp,
ccnp switch,
radius
Sunday, June 17, 2012
rpr to sso...
hsrp states...
hsrp goes through various states to obtain the active role... according to david hucaby in the ccnp switch ocg we have:
When HSRP is configured on an interface, the router progresses through a series of states before becoming active. This forces a router to listen for others in a group and see where it fits into the pecking order. Devices participating in HSRP must progress their interfaces through the following state sequence:
1. Disabled
2. Init
3. Listen
4. Speak
5. Standby
6. Active
whoa... according to rfc 2281 we have...
All routers begin in the Initial state. This section discusses the intent of each state. For specific details on the actions taken in each state, please see the state transition table in section 5.7.
1. Initial
This is the starting state and indicates that HSRP is not running. This state is entered via a configuration change or when an interface first comes up.
2. Learn
The router has not determined the virtual IP address, and not yet seen an authenticated Hello message from the active router. In this state the router is still waiting to hear from the active router.
3. Listen
The router knows the virtual IP address, but is neither the active router nor the standby router. It listens for Hello messages from those routers.
4. Speak
The router sends periodic Hello messages and is actively participating in the election of the active and/or standby router. A router cannot enter Speak state unless it has the virtual IP address.
5. Standby
The router is a candidate to become the next active router and sends periodic Hello messages. Excluding transient conditions, there MUST be at most one router in the group in Standby state.
6. Active
The router is currently forwarding packets that are sent to the group's virtual MAC address. The router sends periodic Hello messages. Excluding transient conditions, there MUST be at most one router in Active state in the group.
i hate when that shit happens...
then from cisco.com we have...
http://www.cisco.com/en/US/docs/ios/12_1t/12_1t3/feature/guide/dt_hsrpi.html
here there is learn, but no mention of disabled... in all 3 cases there are six states...
and finally...
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gthsrpv2.html
initial and disabled got married in the fourth one...
would someone please try to get these people together...
assured forwarding and drop precedence...
it is important to remember that less is more, or better, much like with stp, when it comes to assured forwarding and its corresponding drop precedence...
look at that great dscp table again...
within this table there is no explanation of the drop precedence, but we understand that drop precedence is implied in the af number itself...
in class selector 3 the af value for the first number is THE class selector...
af31, af32, af33
the second number defines the drop precedence; 1 is low, 2 is medium and 3 is high...
the drop precedence is lower or better, which means the lower number 1 has a low drop probability compared with 3 (high drop probability), and 2 is medium...
most likely the consideration will be made in favor of af31 for traffic defined by class selector 3...
notice these granular choices are not available for cs5, 6 and 7...
one last point... the higher the class selector, the higher the priority, so cs4 beats cs3, etc... but within the af, af31 is preferred over af33...
it goes both ways...
Labels:
assured forwarding,
ccnp,
ccnp switch,
drop precedence
Saturday, June 16, 2012
syslog severity levels...
what do you do?
memorize... thank you anki and wiki...
sometimes logic, definition and sanity will not prevail...
E A C E W N I D
Monday, June 11, 2012
dscp/ip precedence...
even easier still... thanks to this guy http://www.dasblinkenlichten.com/?p=376
just great... ordered so well.... barely have to remember afxy(8x + 2y)
the class selector and the ip precedence follow each other... binary and decimal at cs1 (8) always increment by two, until voice... sheer genius...
thank you dasblinkerlicker... he did what i was shooting for yesterday...
Sunday, June 10, 2012
yet more dscp...
cribbed from ine, by scott morris http://ieoc.com/forums/p/5257/17674.aspx
AF11 is not a hex value... So the calculator won't help you much. :)
It means Class 1 Threshold 1.
Now, the class value = IP Prec value, which is where we start with the backwards compatibility.
IP Prec 0 = DSCP 0 (000 vs 000000)
IP Prec 1 = DSCP 8 (001 vs 001000)
IP Prec 2 = DSCP 16 (010 vs 010000)
IP Prec 3 = DSCP 24 (011 vs 011000)
IP Prec 4 = DSCP 32 (100 vs 100000)
IP Prec 5 = DSCP 40 (101 vs 101000)
IP Prec 6 = DSCP 48 (110 vs 110000)
IP Prec 7 = DSCP 56 (111 vs 111000)
Now, the thresholds use the "2-bit" and "4-bit" positions for values (00 being the default class)
01 = Threshold 1 (therefore 001010 is AF 11 or DSCP 10)
10 = Threshold 2 (therefore 001100 is AF 12 or DSCP 12 (the ONLY overlap in numbers))
11 = Threshold 3 (therefore 001110 is AF 13 or DSCP 14)
Just change the first three bits for the remainder of the classes 1 through 4.
dscp and ip precedence cont...
but arteq, you say, the friggin af numbers don't follow the same logic... i was disappointed also...
look again...
notice that the af numbers follow the cs numbers and increase by 1, hence cs3 contains af's 31, 32 and 33.. for assured forwarding in class 3, 31 is the lowest priority for the class, 33 is the highest... that still prevails, but the ds field values don't... tough shit... life isn't fair...
notice af22's ds field value equals 20 decimal or binary 010100, but also notice the ds field values are a constant increment of 2... some compensation there...
if you remember the class selector, ie, cs4 is decimal 4 x 8 or 32, the corresponding af values beyond the cs increase by 1, and the decimal value increases by 2 each time giving af41 (4x8) + 2 or 34, af42 is then plus two or 36 decimal... kinda clunky but it works for me...
there is this formula as well... afxy = 8x + 2y = decimal value or
af32 = 3 times 8 + 2 times 2 = 24 + 4 = 28
and in a pinch there is also this...
dls1(config)#access-list 101 permit ip any any dscp ?
<0-63> Differentiated services codepoint value
af11 Match packets with AF11 dscp (001010)
af12 Match packets with AF12 dscp (001100)
af13 Match packets with AF13 dscp (001110)
af21 Match packets with AF21 dscp (010010)
af22 Match packets with AF22 dscp (010100)
af23 Match packets with AF23 dscp (010110)
af31 Match packets with AF31 dscp (011010)
af32 Match packets with AF32 dscp (011100)
af33 Match packets with AF33 dscp (011110)
af41 Match packets with AF41 dscp (100010)
af42 Match packets with AF42 dscp (100100)
af43 Match packets with AF43 dscp (100110)
cs1 Match packets with CS1(precedence 1) dscp (001000)
cs2 Match packets with CS2(precedence 2) dscp (010000)
cs3 Match packets with CS3(precedence 3) dscp (011000)
cs4 Match packets with CS4(precedence 4) dscp (100000)
cs5 Match packets with CS5(precedence 5) dscp (101000)
cs6 Match packets with CS6(precedence 6) dscp (110000)
cs7 Match packets with CS7(precedence 7) dscp (111000)
default Match packets with default dscp (000000)
ef Match packets with EF dscp (101110)
again, af11 is cs1 plus 1, af12 is cs1 plus 2, af11 = af(8x1 + 2x1) or 10 or 001010
af21 is cs2 plus 1 or 8x2 + 2x1 or 16 plus 2 or 18
although cs5 is 8x5 or 40, expedited forwarding for voice has a ds field value of 46... you'll have to memorize that... or convert binary to decimal from the above output...
ef Match packets with EF dscp (101110) = 46
dscp and ip precedence...
i am only scratching the surface of this, and i'm finding it's mostly not that complicated...
ip precedence is fairly simple, 0 to 7, with 0 being the lowest priority or best effort, and increasing the numbers the higher the priority (i do like the numbers, but i also like logic with the numbers, you'll see what i mean as we move along)
the class selector follows this logic...
cs0 is binary 000000 which translates to decimal 0 and has ip precedence 0
beautiful
cs1 increases to binary 001000 which translates to decimal 8 and has an ip precedence of 1
there are only 6 place holders, imagine the two leading zeros
if you are shaky on binary to decimal remember 128 64 32 16 8 4 2 1
0 0 0 0 1 0 0 0
so the ip precedence increases by 1 and follows the class selector...
hence, cs2 has an ip precedence of 2, cs3 has an ip precedence of 3, and so on up to cs7
also as the class selector increases by one, its decimal value increases by 8 and is followed by the binary value
again cs0 is zero across the board
cs1 has increased by 1 from zero and its ds value has increased to decimal 8 or binary 001000
cs2 is academic... ip precedence is now 2, and it has increased by 8 so the decimal value (its ds field value) is now 16, binary 010000
cs3, ip precedence 3, increase another 8 to decimal 24 with the binary translation 011000
cs4, 5, 6 and 7 all follow the same logic which gives cs7 an ip precedence of 7, and ds field value decimal 56 or 111000
7 times 8 is 56 or 32 + 16 + 8 + 0 + 0 + 0 = 56
see chart below... thanks to http://bogpeople.com/networking/dscp.shtml
DSCP <=> IP Precedence Conversion Table
DSCP Name | DS Field Value (Binary) | DS Field Value (Decimal) | IP Precedence
---|---|---|---
CS0 | 000 000 | 0 | 0
CS1 | 001 000 | 8 | 1
AF11 | 001 010 | 10 | 1
AF12 | 001 100 | 12 | 1
AF13 | 001 110 | 14 | 1
CS2 | 010 000 | 16 | 2
AF21 | 010 010 | 18 | 2
AF22 | 010 100 | 20 | 2
AF23 | 010 110 | 22 | 2
CS3 | 011 000 | 24 | 3
AF31 | 011 010 | 26 | 3
AF32 | 011 100 | 28 | 3
AF33 | 011 110 | 30 | 3
CS4 | 100 000 | 32 | 4
AF41 | 100 010 | 34 | 4
AF42 | 100 100 | 36 | 4
AF43 | 100 110 | 38 | 4
CS5 | 101 000 | 40 | 5
EF | 101 110 | 46 | 5
CS6 | 110 000 | 48 | 6
CS7 | 111 000 | 56 | 7
CS = Class Selector (RFC 2474)
AFxy = Assured Forwarding (x=class, y=drop precedence) (RFC 2597)
EF = Expedited Forwarding (RFC 3246)
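the arithmetic spread across the dscp posts above (afxy = 8x + 2y, csN = 8N, ef = 46, ip precedence as the top three bits, and the af31-over-af33 drop precedence rule from the assured forwarding post) carried through in python as an added example... this is my code, not from the posts, the ine quote or any cisco tool, and the function names are my own... it rebuilds the whole conversion table from the formulas rather than from memory...

```python
# Added example (not from the original posts): the DSCP arithmetic the posts
# describe, carried through for the whole table. Names are my own.

EF = 46                                    # 101110; not derivable from the af formula


def cs_dscp(n):
    """Class selector n -> DSCP: the 3 precedence bits shifted left by 3 (8n)."""
    if not 0 <= n <= 7:
        raise ValueError("class selector is 0..7")
    return n << 3


def af_dscp(x, y):
    """Assured forwarding AFxy -> DSCP = 8x + 2y (class x, drop precedence y)."""
    if not 1 <= x <= 4 or not 1 <= y <= 3:
        raise ValueError("AF classes are 1..4, drop precedence 1..3")
    return (x << 3) | (y << 1)


def ip_precedence(dscp):
    """Backward-compatible IP precedence: the upper 3 of the 6 DSCP bits."""
    return dscp >> 3


def dscp_bits(dscp):
    """Six-bit string grouped as the table prints it, e.g. 46 -> '101 110'."""
    b = f"{dscp:06b}"
    return b[:3] + " " + b[3:]


def dscp_name(dscp):
    """Reverse lookup: 'CS3', 'AF32', 'EF', or None for an unnamed codepoint."""
    if dscp == EF:
        return "EF"
    if dscp & 0b111 == 0:                  # low three bits clear: a class selector
        return f"CS{dscp >> 3}"
    x, y = dscp >> 3, (dscp >> 1) & 0b11   # class from the top bits, y from bits 2-1
    if 1 <= x <= 4 and 1 <= y <= 3 and dscp & 1 == 0:
        return f"AF{x}{y}"
    return None


def drop_precedence(dscp):
    """For an AF codepoint, the y digit: 1 low, 2 medium, 3 high drop probability."""
    name = dscp_name(dscp)
    if not (name and name.startswith("AF")):
        raise ValueError(f"{dscp} is not an AF codepoint")
    return int(name[3])


def preferred_within_class(dscps):
    """Among AF codepoints of one class, the one least likely to be dropped
    (lowest drop precedence): the af31-over-af33 rule from the post."""
    classes = {dscp_name(d)[2] for d in dscps}
    if len(classes) != 1:
        raise ValueError("codepoints must share one AF class")
    return min(dscps, key=drop_precedence)


def conversion_table():
    """Rebuild the DSCP <=> IP precedence table: [(name, bits, decimal, prec)]
    in the same row order as the table above."""
    rows = []
    for n in range(8):
        rows.append(cs_dscp(n))
        if 1 <= n <= 4:                    # only cs1..cs4 have af sub-classes
            rows.extend(af_dscp(n, y) for y in (1, 2, 3))
        if n == 5:                         # ef sits between cs5 and cs6
            rows.append(EF)
    return [(dscp_name(d), dscp_bits(d), d, ip_precedence(d)) for d in rows]


if __name__ == "__main__":
    for name, bits, dec, prec in conversion_table():
        print(f"{name:5} {bits}  {dec:2d}  {prec}")
```

the reverse lookup is the part worth having in hand: it makes the "only overlap" from the ine quote visible (af_dscp(1, 2) is 12, and dscp_name(12) gives AF12 back), and it returns None for a codepoint like 11 that has no name at all, which is what a marking policy should treat as suspect rather than silently map to the nearest class...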
Saturday, June 9, 2012
cross country drive...
i've driven across the country a few times, by necessity, not by choice... through colorado i had to traverse one of its mountain passes, i can't recall which, there are many... it was however a long way to the bottom and i remember seeing signs that read something like this, "do not be mistaken, you are not down yet" as a warning to truckers to remain in low gear...
so too with studying... remain in low gear, you are not down yet, or done yet...
this stuff often gets stale... you read the same thing over and again and while you think you have it down, you are not down yet... you convince yourself that you know something but upon putting it to the test you realize that you have a vague notion only...
you have to trick yourself to keep the material fresh... you've read it countless times, but if you take away the paragraph can you outline the larger concepts contained therein?
probably not, because if you could you wouldn't be consuming it again...
reading through is not consuming, is not digesting the finer points... read it again and convince yourself first that you know nothing... then read it again as if you'd never read it before... then take it away and see if you can recall the minutiae this time...
the test is not the end... the last thing you want is to remember for the short term and then get blurry 3 months into the next subject event...
when studying for ccent the goal is to carry all that into icnd2 without having to review... you want to carry all of ccna into ccnp, then all of ccnp into ccie...
it's not the test, it is the retention...
have you used anki yet and explored the myriad ways to manipulate the material to make it new every time? thinking of a different way to create a new deck alone is a study method... add graphs, audio, tables... if only they could be made scratch and sniff... incorporate as many of your senses as possible into the study...
quote of the day; cef adjacency...
from http://etherealmind.com/cef-description/
go there now...
On Page 59, Router Security Strategies: Securing IP Network Traffic Planes:
The adjacency table contains information necessary for encapsulation of the packets that must be sent to given next-hop network devices. CEF considers next-hop devices to be neighbors if they are directly connected via a shared IP subnet.
Each adjacency entry stores pre-computed frame headers used when forwarding a packet using a FIB entry referencing the corresponding adjacency entry. The adjacency table is populated as adjacencies are discovered. Each time an adjacency entry is created, such as through the ARP protocol, a link-layer header for that adjacent node is pre-computed and stored in the adjacency table.
Routes might have more than one path per entry, making it possible to use CEF to switch packets while load balancing across multiple paths.
In addition to next-hop interface adjacencies (in other words host-route adjacencies), certain exception condition adjacencies exist to expedite switching for nonstandard conditions. These include, among others: punt adjacencies for handling features that are not supported in CEF (such as IP options), and drop adjacencies for prefixes referencing the Null0 interface. Packets forwarded to Null0 are dropped, making an effective, efficient form of access filtering.
Router Security Strategies: Securing IP Network Traffic Planes, by Gregg Schudel (CCIE No. 9591) and David J. Smith (CCIE No. 1986), ISBN 9781587053368, Cisco Press
udld aggressive...
set up udld globally...
dls2#config t
Enter configuration commands, one per line. End with CNTL/Z.
dls2(config)#udld aggressive
dls2(config)#
verify...
dls2(config)#do sh udld g0/1
Interface Gi0/1
---
Port enable administrative configuration setting: Follows device default
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5
Entry 1
---
Expiration time: 40
Cache Device index: 1
Current neighbor state: Bidirectional
Device ID: CAT0812N33C
Port ID: Gi0/1
Neighbor echo 1 device: CHK0648W1BG
Neighbor echo 1 port: Gi0/1
Message interval: 15
--More--
yank out one of the fibers...
dls2#sh udld g0/1
Interface Gi0/1
---
Port enable administrative configuration setting: Follows device default
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Unknown
Current operational state: Link down
replace and verify...
dls2#sh udld g0/1
Interface Gi0/1
---
Port enable administrative configuration setting: Follows device default
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5
Entry 1
---
Expiration time: 45
Cache Device index: 1
Current neighbor state: Bidirectional
Device ID: CAT0812N33C
Port ID: Gi0/1
Neighbor echo 1 device: CHK0648W1BG
Neighbor echo 1 port: Gi0/1
that's aggressive...
Labels:
ccnp,
ccnp switch,
udld,
udld aggressive
Wednesday, June 6, 2012
trunk encapsulation...
oftentimes in texts 802.1q tagging will be referred to as encapsulation... this is confusing and a complete falsehood, as we know... with 802.1q there is no such thing as encapsulating the frame... injection, insertion, anything but encapsulation...
isl actually encapsulates the frame... it would be nice if isl, among others, would finally be allowed to die... many cisco ios's and platforms no longer support isl... it had its time, served its purpose, and now needs to be finally laid to rest...
encapsulate: to place in or as if in a capsule
inject: to introduce
insert: to put or place in
historically, cisco will fill a protocol need before the standards bodies, ie, pvst... the standards organizations will eventually come up to speed and make obsolete the proprietary protocol... for progress' sake, this is good... cisco just needs to learn when to let go, like dtp, vtp, pagp, et al...
i firmly believe learning about network artifacts is worthwhile from the point of view of history and context, but i also believe that the ins and outs of them should not be testable...
Sunday, June 3, 2012
basic pvlan graphic...
thanks to: http://startup-config.com/prevent-spoofing-private-vlan-pvlan/
this is a good graphic, simply identifying the components...
folks in this business tend to overcomplicate things by way of showing how clever they are...
i have no use for that... this isn't brain surgery, we are not defining pi...
oftentimes in the forums you will find answers to questions that are not answers to the questions, but elaborations completely off topic, or tangents, or self glorifications...
my credo is to keep it simple, straightforward...
the shortest, most direct answer, is the thing that will stay with you forever...
for instance, you could read pages upon pages about broadcast domains... it is a difficult concept to come to grips with early on... and yet you must wade through all of that to get to this...
a broadcast domain is the set of devices for which a broadcast will be experienced
ahhhhhhhhh... timeless...
mac spoofing v arp spoofing...
mac spoofing
the switch is tricked into believing that the same mac address is connected to two different ports... this effectively poisons the cam (or mac table) and is also known as man in the middle
mitigation port security
arp spoofing
during arp request and reply, an attacker injects a fake reply message using their own mac address masquerading as a legitimate host
mitigation dai dynamic arp inspection
dai performs an ip to mac binding inspection... packets with invalid ip to arp bindings will be dropped
dai
inspects all requests and responses on untrusted ports; only ingress (inbound)
validates intercepted packet ip to mac bindings, before updating the local arp cache, and before forwarding
drops ip to mac binding failures
usually employed with dhcp snooping
for relay agents, use dhcp relay information option 82
ip dhcp snooping limit rate
is used to limit the number of dhcp messages an untrusted interface can receive
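the two checks this post describes, done in software as an added example: a dai-style ip to mac binding check against a dhcp snooping table, and the mac-on-two-ports symptom that port security is there to stop... this is my code, not from the post or from any cisco feature, and the binding table, arp replies and cam learn events are all made up for the example...

```python
# Added example (not from the original post): the two mitigations the post
# names, done in software over constructed sample data so the checks can be
# read on their own. The binding table, ARP replies and CAM learn events are
# all made up for this example; the function names are my own.

from collections import defaultdict

# Constructed: the ip -> mac pairs a DHCP snooping binding table would hold.
SNOOPING_BINDINGS = {
    "10.0.0.10": "0011.2233.4401",
    "10.0.0.11": "0011.2233.4402",
    "10.0.0.1":  "0011.2233.00ff",   # default gateway, reached over the uplink
}
TRUSTED_PORTS = {"Gi0/24"}           # uplink: dai only inspects untrusted ports

# Constructed ARP replies as they ingress the switch: (port, sender ip, sender mac)
ARP_REPLIES = [
    ("Gi0/1",  "10.0.0.10", "0011.2233.4401"),   # genuine, matches its binding
    ("Gi0/2",  "10.0.0.1",  "0011.2233.4402"),   # a host answering for the gateway's ip
    ("Gi0/3",  "10.0.0.12", "0011.2233.4403"),   # ip with no binding at all
    ("Gi0/24", "10.0.0.1",  "0011.2233.00ff"),   # trusted port: forwarded uninspected
]


def dai_inspect(port, sender_ip, sender_mac, bindings=SNOOPING_BINDINGS,
                trusted=TRUSTED_PORTS):
    """Verdict for one ingress ARP reply: ('permit' | 'drop', reason).

    Follows the post's rules: only untrusted ports are inspected, and the
    sender ip/mac pair must match a snooping binding or the packet is dropped
    before it can update any ARP cache or be forwarded.
    """
    if port in trusted:
        return "permit", "trusted port, not inspected"
    bound_mac = bindings.get(sender_ip)
    if bound_mac is None:
        return "drop", f"no snooping binding for {sender_ip}"
    if bound_mac != sender_mac:
        return "drop", f"{sender_ip} is bound to {bound_mac}, not {sender_mac}"
    return "permit", "ip/mac binding matches"


def dai_verdicts(replies=ARP_REPLIES):
    """Inspect every reply; returns [(port, sender ip, verdict), ...]."""
    return [(p, ip, dai_inspect(p, ip, mac)[0]) for p, ip, mac in replies]


# Constructed CAM learn events in arrival order: (mac, port).
CAM_EVENTS = [
    ("0011.2233.4401", "Gi0/1"),
    ("0011.2233.4402", "Gi0/2"),
    ("0011.2233.4401", "Gi0/5"),   # the same mac now learned on a second port
    ("0011.2233.4401", "Gi0/1"),
]


def mac_moves(events=CAM_EVENTS):
    """Macs learned on more than one port: {mac: sorted ports}.

    A mac flapping between ports is the symptom of the cam poisoning the post
    describes; port security (a maximum address count, sticky macs) is the
    mitigation it names.
    """
    seen = defaultdict(set)
    for mac, port in events:
        seen[mac].add(port)
    return {mac: sorted(ports) for mac, ports in seen.items() if len(ports) > 1}


if __name__ == "__main__":
    for port, ip, mac in ARP_REPLIES:
        verdict, why = dai_inspect(port, ip, mac)
        print(f"{port:6} {ip:10} {mac}  {verdict:6} ({why})")
    print("macs seen on more than one port:", mac_moves())
```

the reply on Gi0/3 is the case worth noticing: dai drops it not because the mac is wrong but because there is no binding at all, which is exactly why the post says dai is usually employed with dhcp snooping... a statically addressed host on an untrusted port needs an arp acl or a static binding or it gets the same treatment...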
Labels:
arp spoofing,
ccnp,
ccnp switch,
dai,
dhcp snooping,
mac spoofing