Archive for the ‘Bridging + Switching’ Category

ip igmp snooping for to

Mittwoch, April 23rd, 2008

I have read about this subnet range, it`s not possible to disable the snooping feature on a switch. So routing protocols (like OSPF or EIGRP) are always forwarded to other ports regardless the snooping feature. Is that true? Someone with more informations on that.

In general, addresses from to are reserved and used by various protocols (standard or proprietary, such as Hot Standby Router Protocol (HSRP)). Cisco recommends that you not use these for GDA in a multicast network. CGMP and IGMP snooping do not work with this reserved address range.


VTP version 2 and vtp messages regardless domain name

Samstag, März 1st, 2008

This should work, but is i labbed it out, it does not as promised. Let`s say if you have a vtp domain CISCO and one switch, that is configured in transparent mode, does belong to another domain, does not forward, these vtp messages. If you have this one switch in between the others, your vlan database will not be updated because of this domain mismatch.

This should work with vtp version 2, but does not, is i tried it today on my rack with 3560 cat switches. For vtp version 1 this behavior is normal.


ACE design / implementation / GNU

Sonntag, Dezember 16th, 2007

Most difficult thing is to implement the device into the customer network. This needs a lot of planning and discussions about the design and how it should be implemented.

The logic is, that you will mostly try to implement the ACE in between. From one VLAN into the other. The ACE will provide for VIP and VLAN interfaces to be the gateway for traffic back to the clients. Even bypassing the ACE is possible. This should be planned before and it should be clear at what point the device will be implemented.  It might be a good idea to have a good look at grown network struktures. While implementing the ACE it all depends on good understanding of te traffic flow and the current network infrastructure. The best is to communicate possible problems and catches.

ACE booting messages. Here you can see, there is some Linux/GNU code included in the ACE…

Unmounting done…
INIT: Switching to runlevel: 6
INIT: Sending processes the KILL signal
Rebooting… Rest
System Bootstrap, Version 12.2[120],
Copyright (c) 1994-2006 by Cisco Systems, Inc.
Slot 3 : Running DEFAULT rommon image …

ACE platform with 1048576 Kbytes of main memory

Loading disk0:c6ace-t1k9-mz.3.0.0_A1_6_2a.bin. Please wait ….
Uncompressing Linux…
Starting the kernel…
INIT: version 2.78 booting
Mounting Second Ramdisk ….
Second Ramdisk successfully mounted
Starting periodic command scheduler: cron.
Configuring network interfaces.
CF dump: Register callback functions
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
/dev/cf: 8 files, 24304/62532 clusters
FAT FS is ok
Compact Flash size 1000512(in 1k blocks) …
Core file size 204800
Available free size in cf is 611648 (in 1k blocks) …
set_coredump 2.11, 12 Mar 2005, FAT32, LFN
first_cluster = 0x608c num_cluster = 0x40 (64)
inserting procfs
inserting isan_kthread
inserting wiremod
inserting klib
inserting resdrv
inserting tlv
inserting sse
inserting kpss
inserting sdwrap
creating sdwrap device
inserting klm_tl
creating tl device
inserting klm_scp
inserting klm_mts
creating mts0 device
creating mtscfg0 device
inserting utaker
creating utaker0 device
creating utaker1 device
inserting sysmgr-hb
creating sysmgr-hb device
inserting modlock
creating modlock device
inserting bufmgr
inserting pkt_fifo
inserting encdec
creating encdec device
inserting pseudo
inserting drammap mod
creating drammap device
inserting ixp_dnld
creating ixp_dnld device
inserting sysdrv
creating sysdrv device
New registry installed.
INIT: Entering runlevel: 3
inserting i2c module
inserting ssa driver
inserting cde driver
inserting bf_dnld driver
inserting pfm_drv driver
inserting regaccess driver
inserting bf_nvram driver

Firmware compiled 24-Aug-07 17:47 by integ Build [26368]

ACE Daughter boards DB1 not present DB2 not present.
downloading fpga to cde 1

Read 3262456 bytes from ./cde1_core.bit
FPGA Date: 2007/ 9/13 Time: 3:38: 5

CDE 1 download successful
downloading fpga to cde 2

Read 2377744 bytes from ./cde2_core.bit
FPGA Date: 2007/ 8/15 Time: 20:59:47

CDE 2 download successful
FPGA Programming Done

CDE 1 revision ID 0403
CDE 2 revision ID 0402
enabling cde 0 interrupts
finished CDE setup

Configuring NP 1 Memory
Configuring NP 2 Memory
Downloading NP 1 Image
Downloading NP 2 Image
….. 0x40b214 (4239892) bytes downloaded

….. 0x40b214 (4239892) bytes downloaded

Loading Nitrox driver.
Writing register at address 3838 with e00
size = 8148
Ctx memory range(0x0000000-0x10000000)
Cleared 262144 1024-byte blocks in 5 requests.
Writing register at address 3898 with 1
Writing register at address 38b8 with 1


Initializing Nitrox SPI1
configuring using falling clocks
Initializing CDE SPI registers
Nitrox init completed.
inserting IPCP klm
n2_perf_stats loaded
Waiting for NP handshake ……………………………………… Done
inserting IPCP klm
inserting cpu_util klm
Sleeping 10 secs… Done
Waiting for 3 seconds to enter setup mode…
No licenses installed…

Starting sysmgr processes.. Please wait…Done!!!

switch login:

loadbalancing with the ACE module for the 6500/7600

Samstag, November 10th, 2007

We have a customer who ordered the ACE module for the 6500. The installation will be with two 6500 and an 720 sup each. Currently the ace is only as a modul available. Cisco is trying to release a appliance next year in February. It’s a follow-up of the csm and css from cisco. Absolutely new is the virtualisation part. It’s possible to build up to 250 different contexts to build up sort of independent hardware loadbalancerson one machine. The module is about 80.000$ and with a max of 16 Gbps throughput and as a max 345,000 connections per second.

All traffic is send through the module as you define what should become loadbalanced.

The default license comes with 5 contexts and 1000 SSL TPS (transactions per second).

I have be on a three day course for the ace module in Berlin from wednesday this week.It was a very good lab from flane with a bulgarian teacher. We did some labs from with a virtual webserverfarm as linux machines and as clients. Only the ace-module was not virtual :-). All servers/clients have been vmware machines. Quite nice labs to test SSL termination, sticky connections, nat, layer4 balancing, layer7 balancing and other topics.

Seems like the ace module is out for some time and the new ace-20 is overcoming some bugs.

Here is an example config, like one we had in the labs, while vlan 212 is external and vlan 412 is the inernal vlan. The VIP is the virtual ip that represents all webservers. Here are some webservers and a VIP12.16.12.50. With the class-map you define the VIP and what traffic is allowed. Then you also have to setup an access-list on the incoming interface and allow this traffic. Look at this example :


login timeout 0

access-list anyone line 10 extended permit tcp any any

probe icmp pingpong

rserver host d25-lnx1

ip address

rserver host d25-lnx2
ip address
rserver host d25-lnx3
ip address
rserver host d25-lnx4
ip address
rserver host d25-lnx5
ip address

serverfarm host servers1
rserver d25-lnx1
rserver d25-lnx2
rserver d25-lnx3
rserver d25-lnx4
rserver d25-lnx5

class-map match-all VIP-50
2 match virtual-address any
class-map type management match-any remote-access
description remote-access-traffic-match
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any

policy-map type management first-match remote-mgmt
class remote-access

policy-map type loadbalance first-match lb-lo
class class-default
serverfarm servers1

policy-map multi-match client-vips
class VIP-50
loadbalance vip inservice
loadbalance policy lb-lo

interface vlan 212
ip address
access-group input anyone
service-policy input remote-mgmt
service-policy input client-vips
no shutdown
interface vlan 412
description Servers vlan
ip address
no shutdown


The new thing on the commandline is, that the tab completition does work also for service-policies and class-maps.

The nice thing that juniper already has implemented it the checkpoint feature. It has nothing to do with checkpoint FW1, but its a nice and handy rollbacksystem in the case something went wrong or you want to rollback to an older configuration. It’s no longer necessary to reload the router, just say for example „checkpoint rollback config-name“ and the context will load the configuration and erase the previous one. No need to reload the router to clean up the previous configurations from RAM or running-config. The running-config is replaced completely by the checkpoint previously created. So you can easily go back to the last saved working configuration. Juniper is even more sophisticated, as you can configure on the system and later on say, that this you be implemented now.

Probably this will show up in future IOS versions too.

Nice comparison between the css, csm, ace

private-vlans 3560

Donnerstag, Januar 11th, 2007

The main new feature introduced with 3560 catalyst switches is the private vlan feature.

It’s not that complicated as it seems to be.

Basically it a „switchport protected“ bound to vlan’s over trunk ports. It’s also similar like an RSPAN session, which is SPAN over differens switches.
So if you configure two ports as switchport protected in the same vlan on the same switch, they are not able to communicate with each other.

vlan 28

int f0/2

switchport access vl 28

switchport protected

int f0/3

switchport access vl 28

switchport protected

Now these ports are not able to communicate with each other.

This feature does not work, if ports are seperated over a trunk. At this points private vlan’s come into play.

You can define a private vlan and add isolated ports to this vlan, similiar as protected ports on the same switch. These isolated ports are also not able to communicate with each other. Vtp mode has to be in transparent mode and vlan assignments have to be made on both switches.
vtp mode transpartent

vlan 28

private-vlan primary
private-vlan association 281

vlan 281
private-vlan isolated

This defines the primary vlan and the vlan 281 where later isolated hoste are added.

Adding hosts looks like this:

inf f0/7

switchport private-vlan host-association 28 281
switchport mode private-vlan host

This adds an interface as an isolated port to the primary vlan 28.

You can now define a promiscuous port in vlan 28, which is able to communicate with these isolated ports.


switchport private-vlan mapping 28 281
switchport mode private-vlan promiscuous

This promiscuous port will be able to communicate also with the SVI of the vlan, if there is any.

The communties are private-vlans inside a vlan, which build groups of ports that are able to communicate with each other only inside this private-vlan community. Different communities inside a vlan are also not able to talk to each other. There is no limitation for promisucous ports.

Convert from a multicast address to a HW address

Dienstag, Oktober 3rd, 2006

Sometime i may be neccessary to block a Multicast address on a vlan.

This could be acomplished by blocking the hardware address of this vlan. It’s possible to staticly map certain ports for a mac address. So that only these ports are recievers of the address.

So first it’s neccessary to convert the multicast address to a hardwareaddress.

The first fields 0100.5e are reserved by the IANA for such demands.

The range is 0100.5e00.0000 through 0100.5e7f.ffff.

Starting with these first digits, continue to add the last ones, by converting the numbers to hexadecimal numbers.

For example, the multicast address of EIGRP is

This gives:

0 => 00

0 => 00

10 => 0a

So the corresponding mac address for the EIGRP Mmulticast address is 0100.5e 00 00 0a

The switch does snooping for packets on vlans, to determin the recieving ports. First we have do disable ip igmp snooping for te specific vlan:

no ip igmp snooping vlan 10

Then it’s possible to map the certain multicast mac address with certain receiver switchports.

mac-address-table static 0100.5e00.000a vlan 10 int f0/1 f0/2

So now only port f0/1 and f0/2 recieve this multicast address. This is only possible by turning of snooping functionality by the switch.


STP / Spanning-Tree / IEEE 802.1D

Montag, August 21st, 2006

Spanning-Tree is an algorithm to keep a switched network loopfree. This means if you have multiple redundant switching paths in a network, without spanning-tree i will happen, that there will be switching loops in the network, which could take the whole network down. So spanning-tree is a layer2 protocol, which algorithm is selecting one bridge as the root bridge and each port a certain role. These can be:

  • Root – elected forwarding port in the STP topology
  • Designated – elected forwarding port in every switched LAN segment
  • Alternate – providing an alternate path to the root bridge
  • Backup – loopback configuration of a blocked port

These are port states that are passed in the process of becoming a forwarding port:

  • Disabled – inactive port, does not participate the STP
  • Blocking – a port is at first in the blocking stage, not forwarding any frames
  • Listening – STP decided this port should participate in forwarding, but not forwarding any frames at now, takes 15 seconds and then goes into
  • Learning – prepares to forward frames, 15 seconds duration, after that goes into last state, which is forwarding
  • Forwarding – the interface is forwarding frames

An interface can be disabled at any state of the process to become a forwading port.
The root election is based by default on the switch with the lowest MAC address value. You can also set the root bridge by setting the prioority, so the it’s the lowest priority in the STP topology.

At first every switch assumes itself as the root bridge, when it’s first powered up. It communicates with BPDU’s send every two seconds to compute the spanning-tree topology.
A BPDU (Bridge Protocol Data Units) contains the following:

  • a unique ID which the switch sending the BPDU itself identifies as the root switch
  • the path cost to the root
  • the bridge ID of the sending switch
  • the age of the message
  • identifier of the sending interface
  • hello, forward dely, max-age timer values

A BPDU packet conversation does have the following consequences.

  • electing one switch as the root switch, counting priority (default 32768) fist and then if these are equal, the lowest MAC address
  • electing a root port an each switch, except the root switch
  • calculating the shortest distance to the root switch based on path cost. Path cost it based on the interface bandwidth
  • selecting a designated switch which has the so called designated port, as this is the port with the lowest path cost to the root switch

There are also TCN BPDU’s (topology change notification) messages send in a spanning-tree network.
Each configured VLAN has it’s own bridge ID. As each VLAN is it own bridge. Take a look at this with „show spanning tree“. You will see that each vlan has it’s own priority. So changing the priority for a vlan change the probability of the switch being elected as the root bridge

There are several possible configuration values to setup. If you want, for example to to change the election of the root port use the „port-cost“ variable for the local switch. To change the choosen root port for a downstream switch, take the „port-priority“ variable.

For Example: SW1 and SW2 are connected over 3 trunks SW1 is the root for vlan 7. To setup SW1 as the root for vlan 7: „spanning-tree vlan 7 root primary

Now you want to select a certain trunk for carrying the vlan 7 traffic. When you are on the root bridge use „port-priority“ to select the trunk and set a lower prio as on the others. Default is 128. If you are on the downstream switch, use „port-cost“ to let the downstream switch elect the root port, for example:

spanning-tree vlan 7 cost 20

Here are the STP costs for different link bandwidths:

  • 4 Mbps – 250
  • 10 Mbps – 100
  • 16 Mbps – 62
  • 45 Mbps – 39
  • 100 Mbps – 19
  • 155 Mbps – 14
  • 622 Mbps – 6
  • 1 Gbps – 4
  • 10 Gbps – 2

So after the root bridge is selected based upon the Bridge ID/MAC address and Bridge priority, the differnet types of ports are selected based upon the cost and path cost.

The root port of each bridge is selected upon path cost to the root bridge. Each path is summarized to a path cost and the port with the lowest path cost gets the root port.


Different types of traffic flow

Freitag, August 11th, 2006
  • Unicast, packets to every requesting address, traffic may be carried multiple times, the primary concern is the number of network connections versus the available bandwidth. Each session requires the the full bandwidth required by the application.
  • Broadcast, one copy of a packet is send out to a broadcast address. Broadcast are stoped by layer 3 devices unless allowed to be forwarded. So evyer device with the same broadcast address receives the packet.
  • Multicast, for transporting multimedia data, a media server sends a single copy to a predetermined multicast address, replications occurs only, when necessary

Etherchannel for an 3550 Catalyst and maybe others

Dienstag, August 8th, 2006

Etherchannel is for fault tollerance and you can use it to increase the bandwidth. You can bound up to to eight interface to an eitherchannel. All interfaces must be the same speed and all have to be configured as layer 2 or layer 3 interfaces. If one interface fails, the traffic is automatically redirected to the other interfaces.

Etherchannel can be configured in one of these modes:

  • Port Aggregation Protocol (PAgP)
  • Link Aggregation Control Protocol (LACP)
  • On mode

You can setup an etherchannel in two different ways. You can set it up as layer 2 or a layer 3 interface.

There are four etherchannel modes:

  • active
  • auto
  • desirable
  • passive

Only in auto and desireable switches are exchanging PAgP packets. Only in active and passive switches are exchanging packets in LACP mode.

The following cominations are allowed for forming an etherchannel:


auto – desirable

desirable – auto

desirable – desirable


active – active

active – passive

There is also on – mode, witch is for not negotiating the etherchannel between the devices. Could be usefull if one device does not support PAgP or LACP.

Here is an configuration example, where Switch 1 is trying actively to convert this link in an etherchannel, while Switch 2 will respond to these requests. The Link is also configured as a trunk link with dot1q:


Ports fa0/13 – 15 to be configured in the etherchannel.

sw3(config-if)#int range fa0/13 – 15
sw3(config-if-range)#switchport mode trunk

sw3(config-if-range)#channel-group 1 mode desirable
Creating a port-channel interface Port-channel 1
02:19:53: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
02:19:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up

SW2(config)#int range fa0/13 – 15
SW2(config-if-range)#switchport trunk encapsulation dot1q

SW2(config-if-range)#switchport mode trunk
SW2(config-if-range)#channel-group 1 mode auto
Creating a port-channel interface Port-channel 1
01:39:20: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
01:39:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up

Here are some commands for verifying etherchannel functions. CDP is working over etherchannel, so if you see your other switch, then etherchannel will work.
To verify the etherchannel use the commands:

show etherchannel

show pagp

show lacp

show cdp


configuring portfast, STP, DHCP Client Problem

Donnerstag, August 3rd, 2006

If you setup a switch it might be a good idea to set all ports by default to portfast. But take care, this could also lead to a lot of trouble if you don’t know what you’re doing. To set all ports by default to portfast use:

spanning-tree portfast default

This stops the switch from using spanning tree on all ports. And ports are up in a few seconds.
Each port on a switch using Spanning-Tree Protocol exists in one of the following five states:

  • Blocking
  • Listening
  • Learning
  • Forwarding
  • Disabled

A port moves through these five states as follows:

  • From initialization to blocking
  • From blocking to listening or to disabled
  • From listening to learning or to disabled
  • From learning to forwarding or to disabled
  • From forwarding to disabled

The port always goes through these stats first.

Here is an example from a „debug spanning-tree events“ output, how long these states take. I just moved port fa0/3 in another vlan, and it would start the STP algorithm again.
00:55:55: STP: VLAN0013 Fa0/3 -> listening
00:56:10: STP: VLAN0013 Fa0/3 -> learning
00:56:25: STP: VLAN0013 Fa0/3 -> forwarding

So it take 30 seconds for a port to be available again.

With normal PC oder Server Ports, where it’s not possible to get a switching loop, it’s best to turn on portfast. Sometime DHCP client’s boot faster than the switchport is up. Then clients won’t get an IP address. The will still try to get one, but this will be delayed. So with portfast, this does not happen.

But portfast should be configured with care. If it’s not clear what kind of device will be connected, then better leave the cisco default setting.