Posts Tagged ‘cisco’

8 Great Resources that Every Computer Technician Should Know About

Tuesday, March 3rd, 2009

This post is a must read for computer technicians, and the resources can be used by both amateurs and professionals. I hereby share some of my clues for knowledge!

  1. The MAC address vendor search lets you identify the vendor for a MAC address, it is very helpful when troubleshooting ARP tables. Just insert the MAC address such as 00-00-01, you will see that it is identified as XEROX.
  2. Ever been on the lookout for a BGP looking glass? Wonder what your network look like on the Internet? Need to traceroute yourself? Thomas Kernen maintains, which is a public looking glass listing service. Alternatively you can use which also provides an excellent service!
  3. Need Cisco documentation? Ciscos own site can be a very good source for information, at least when you learn to find your way around. You can find an article about mostly every technology in a Cisco box on their website!
  4. Need something that can calculate your subnets on the fly? I have an Online IPv4 and IPv6 IP Calculator, and I also made an AJAX version of it which is available on, it can be faster to use in some situations.
  5. The RIRs (Regional Internet Registry) can give you information about IP addresses, you can find out mostly anything you would like to know about the EU IP address space from querying for example RIPEs Whois Database.
    Here is a list of the RIRs and their respective Whois Database

    • RIPE Serves the EU Region
    • ARIN Serves the US Region
    • LACNIC Serves Latin America and the Carribean
    • AfriNIC serves the African Region
    • APNIC serves the Asian Region
    • If you just want to query one time, here is a free whois proxy
  6. To monitor your BGP announced prefix from the outside you can use the service BGPmon, which will monitor your prefixes and alert you in case of path changes.
  7. Dynamips is a Cisco emulator, it successfully emulates Cisco 7200, 3600 (3620, 3640 and 3660), 2691, 3725, 3745 and the 2600 platform. You can for example use it for testing network scenarios before deploying it!
  8. New software! Fresh meat! Check out, this has been around forever now. New versions of open software projects are announced there, and it is also a browsable site for Open Software.

Now it is time for you to do your homework, let me know which sites you find useful or funny in your work or sites that you use on a daily basis, GO COMMENT!

Using Tcpdump in Linux to Analyze Network Traffic

Wednesday, February 25th, 2009

Have you ever needed to see traffic in front of your eyes? There exists a tool in linux to do this. You can see it all, even .. passwords.

I will just give you the commands to see different types of traffic, use it for what you want.
You will not see network traffic going between other devices on the network, only to your workstation – assuming you are on a switched network, on a WLAN things are different.
If you want to monitor a network port, you can use a ‘mirror port’ in Cisco, configuration is as follows:

monitor session 1 source interface fastethernet 0/1
monitor session 1 destination interface fastethernet 0/2 encap ingress vlan 1

This will mirror all network traffic on FastEthernet 0/1 to FastEthernet 0/2.
There also exists methods for injecting ARP to a switched network to make network devices believe you are the gateway, so that you can inspect the packets before passing them on to the gateway.

Tcpdump commands
So back to tcpdump, to look at for example web traffic
Always remember that if you want to see the traffic as ASCII, just apply the argument ‘-A’ to tcpdump

I am assuming you are using eth0, -n turns off DNS.

tcpdump -i eth0 -n port 80

Now a little more fancy, using egrep – this will show all your web requests in real time!

tcpdump -i eth0 -A -n port 80 | egrep -i \(GET.\/\|POST.\/\|Host:\)

Did you know you can tcpdump for a subnet by just excluding the last octet?

tcpdump -i eth0 -n port 80 and host 10.0.5

You can see I used ‘and’ here to specify more filter, you can also use or
For example port 80 or port 81

If you forgot your pop3 password, but have it stored in the client

tcpdump -i eth0 -n port 110 -A | egrep -i \(user\|pass\)

This also applies to passwords for the web, I have used this a lot instead of the ‘forgot password’ mechanism.

If I forgot to mention anything, please let me know.

Multiple Area OSPF Networks on Cisco – Part 1 of 2

Sunday, January 18th, 2009

Multi-area OSPF networks are widely used, in this article I am going to show some of the logic behind multi-area OSPF Networks. I will write a series of all 2 (yey!) posts about multiple area OSPF the next couple of weeks. Stay tuned in!

Single areas can be considered subsets of a larger autonomous system.

What are the benefits of splitting networks up in multiple areas?

You can solve situations like

  1. Every time a route flaps, it initiates shortest-path-first algorithm calculations on all routers in that area.
    This causes high CPU utilization that could be used for something more productive.
  2. The routing table is getting too large and equipment that can handle less IPv4 routes will have trouble operating.
  3. The Link-state Topology table (we will get back to this) is getting unmanageable.

Terms and definitions
There are some terms and definitions that you should know:

  1. Backbone area / Transit area / area 0
    This refers to the area with area id 0, which can be a group of routers acting as the main path for traffic between OSPF areas.
  2. ABR
    Area Border Router, technically – a router that is connected to area 0 and at least another area, and therefore maintains two link-state databases are considered ABRs.
  3. ASBR
    Autonomous System Border Router is a router that are between the OSPF network and another routing protocol network, for example BGP or IGRP.
  4. IR
    Internal router, this type have all its interfaces connected to a single area.

You should be familiar with terms like LSU, LSA and the different types.

This IMPORTANT rule applies to multiarea OSPF networks:
All areas needs to be connected to area 0, if it is impossible to physically connect an area directly to area 0, you can utilize a virtual-link to create a logical path for the traffic from this area to reach the backbone area.

Different area types

  1. Standard/normal area
    A default route (0/0) is generally not generated by routers in a normal area, but it can be forced with this command under router ospf

    Router( config-router)# default-information originate always

    Normal areas (like in single area setups) can receive external route information, link updates and route summaries.

  2. Stub area
    While stub areas can’t receive external routes, they can receive inter-area routes, intra-area routes and default routes.

  3. Totally stubby area
    This area does not receive summary routes from other areas in the network, and it does not receive external routes. To reach networks outside the area it will always use the default route (0/0)
  4. Not So Stubby Area (NSSA)
    This is a stubby area which can receive a part of external routes from outside the AS.
    The LSA it can receive is Type 7 LSA.

  5. Backbone area
    ..or “transit area” always has the area id 0, every other area must have a link to area 0. Either physically or via a logical ‘virtual-link’.
  6. That was the area types, these are defined under the router ospf configuration.
    So, every 30 minute all the OSPF routers floods the area with so called LSU (Link state updates) just to make sure that every router in that area agree about the link state database. These LSUs are received by the other routers and flooded across the area until all the routers agree about the current link-state database.

    Network events and LSA flooding
    When an event happens, for example an interface goes down; the router will send a LSA and a LSU packet to – the multicast address for the BR and BDR – which in turn will flood this packet out on all their active interfaces on the multicast address – which is the multicast address that all routers should listen on, and they will then do the same until the network agrees about the topology and is so called ‘converged’.

    In my next post I will cover the configuration and route summarization and LSA types.

    Have a nice OSPF Sunday!

How to setup a GRE tunnel on a Cisco Router

Tuesday, January 13th, 2009

Hey peeps, it has been a while now…
Sorry about that, I have had a lot of things on my mind lately.
Sometimes I also have issues figuring about a new subject to write about, but I will try to take on more advanced networking as someone requested it per email.  If you want me to write about something or need help with anything, don’t hesitate to contact me.

So, let’s warm up the new year with an easy tutorial on how to setup a GRE tunnel on a Cisco router.

Consider this scenario:
Router1 =
Router2 =

The routing between these routers are fixed so that they can reach each other, like on the internet.
Router2 will have the network routed to it via a GRE tunnel.
The address on the tunnel interfaces will be and for Router1 and Router2 respectively.

Router1 configuration:

Router1(config)#interface Tunnel 0
Router1(config-if)#tunnel source
Router1(config-if)#tunnel destination
Router1(config-if)#tunnel mode gre ip
Router1(config-if)#ip address
Router1(config-if)#no shutdown
Router1(config)#ip route

Router1(config)#interface Tunnel 0
Router1(config-if)#tunnel source
Router1(config-if)#tunnel destination
Router1(config-if)#tunnel mode gre ip
Router1(config-if)#ip address
Router1(config-if)#no shutdown
Router1(config)#ip route Null 0

You can now setup addresses within on any interface you want and use them like as they were routed to your router directly.
The traceroute from Router2 to Router1 should look something like this:


Type escape sequence to abort.
Tracing the route to

1 8 msec 8 msec 8 msec

Voila, we got routing over GRE!

Locating the Cisco Switchport of a Server based on IP Address

Thursday, October 23rd, 2008

Locating computers or servers is a task I often do, and this is a tutorial on how I do it.

I have mentioned the do command, and mentioned it again in my 5 Magic Cisco Tips and Tricks article.

I am now going to give you more of a tutorial!

Locating a machine on switch port in a larger Cisco network
If you only have the IP address, just run this command:

show ip route *ipaddress*

The router will now tell you which interface this subnet is connected to.

In a usual setting you might have routed a larger block of addresses to for example a routing switch.
If this is the case, you will need to investigate layer 3 further down to that switch/router.

When you have found the IP address as directly connected issue this command to look up the MAC address in the ARP table.

show ip arp | include *ipaddress*

This will output the MAC address for this IP address, you can use this with this command:

show mac address-table | include *macaddress*

You will now see which port this hardware address is connected to.

In case you have a switch connected, you will need do the show mac address-table command on that switch also.

You can often identify switches by doing a show mac address-table interface *port*
If this gives a long list of MAC addresses with the TYPE dynamic, this is probably a switch.

syslog-ng | Cisco: Setting Up Remote Syslog To MySQL in Linux

Thursday, October 16th, 2008

We are all in the need of a good method of keeping track of our log messages.

It’s a good feeling to know that all the syslog messages from all the equipment I manage are safely deposited into a MySQL database which is backed up daily by our backup software.

First, syslog-ng
I use Ubuntu, so I can also use their practical package manager and run

apt-get install syslog-ng

Then whip up /etc/syslog-ng/syslog-ng.conf in your favourite editor and add this to the configuration.

source s_net {
udp(ip( port(514));
tcp(ip( port(51400));

The should be the IP address that you want syslog-ng to listen on, it has to be bound up to the server that runs syslog-ng.

Also add this to make syslog-ng write to a special pipe:

destination d_mysql {
template(“INSERT INTO logs (host, facility, priority, level, tag, date,
time, program, msg) VALUES ( ‘$HOST’, ‘$FACILITY’, ‘$PRIORITY’, ‘$LEVEL’,’$TAG’,
‘$YEAR-$MONTH-$DAY’, ‘$HOUR:$MIN:$SEC’, ‘$PROGRAM’, ‘$MSG’ );\n”) template-escape(yes));

And to make things that comes from s_net go to d_mysql to make the
messages from the cisco device go to mysql instead:

log {

Make a pipe that syslog-ng can write to with this command:

mkfifo /tmp/mysql.pipe

Almost ready for the Cisco configuration, just get the database up first.
Setup the MySQL database like this:

USE syslog

host varchar(32) default NULL,
facility varchar(10) default NULL,
priority varchar(10) default NULL,
level varchar(10) default NULL,
tag varchar(10) default NULL,
date date default NULL,
time time default NULL,
program varchar(15) default NULL,
msg text,
seq int(10) unsigned NOT NULL auto_increment,
KEY host (host),
KEY seq (seq),
KEY program (program),
KEY time (time),
KEY date (date),
KEY priority (priority),
KEY facility (facility)

# Also create the user, replace username and password
GRANT ALL PRIVILEGES ON syslog.* TO syslogng@localhost IDENTIFIED BY ‘mypassword’;

Run this command to pipe the queries to MySQL, preferably in a screen or make a script that can run it in the background.

mysql -u syslogng –password=mypassword syslog < /tmp/mysql.pipe

Restart the syslog-ng process now:

/etc/init.d/syslog-ng stop
/etc/init.d/syslog-ng start

Cisco Syslog Configuration
Now all you have to do on the cisco router is one simple command to make it log to the syslog database.

Router(config)# logging

This will make the Cisco Router send all logging output to the syslog-ng process on

I have made a simple PHP page that makes the syslog output more viewable, it is not very pretty – but it works.
I am sure anyone of you can improve it, if you do please send me the change and if it is generally usefull I will update the package here with your improvement and leave a credit for you in it!

You can download the package syslog-ng PHP page

3 Tips On How to Solve The Need for Network Redundancy

Saturday, October 4th, 2008

Take a look at these tips for solving redundancy in a Cisco based network!

HSRP is the Hot Standby Router Protocol.

Most client hosts do not run any dynamic routing, and is seemingly prone to a single point of failure in the event of a router failure.

With HSRP running on two routers, the actual gateway IP address is bound to a virtual MAC address. The active HSRP router will respond to frames destined for the virtual MAC address, and redundancy is provided.

Configuration of HSRP in Cisco IOS

Enter interface configuration

Router(config)# interface fastethernet 0/0

Set an IP address

Router(config-if)# ip address

The router will still need an IP address to communicate on, for example when not elected as active.

Activate HSRP for this interface

Router(config-if)# standby 1 ip

The IP address is the redundant virtual IP address.
This is the command that enables the HSRP process on the interface.

Tweaking the priority

Router(config-if)# standby 1 priority 100
Router(config-if)# standby 1 preemt

The router with the higher priority will become the active HSRP router when the preemt command is enabled.

Verifying HSRP configuration

Router#sh standby
FastEthernet0/0 – Group 1
State is Active
2 state changes, last state change 00:00:59
Virtual IP address is
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.576 secs
Preemption enabled
Active router is local
Standby router is unknown

Priority 100 (default 100)
IP redundancy name is “hsrp-Fa0/0-1” (default)

As you can see from this output, we are the active HSRP Router for HSRP standby group 1 – and the Standby router is unknown, this means the other side has not been configured.

There has been 2 state changes, because it will first automatically be in mode Speak, then it will eventually go through Standby to Active.

Using BGP is a must when it comes to redundancy, it will let you multihome with different upstream providers. I have written an article with an introduction and a Basic example BGP configuration in Cisco IOS.

If you need IPv4 addresses for your organization, you may qualify for a PI Network (Provider Independent). This will enable you to take part in the global routing and pick and choose among several upstream providers.

Rapid Spanning Tree Protocol
STP is a layer 2 protocol that detects and blocks layer 2 loops, with a very fast convergence time on link state changes. To configure spanning-tree you can use the following commands.

Enable spanning-tree

Switch(config)# spanning-tree mode rapid-pvst

This command enables the per vlan rapid spanning tree, this means one STP instance per vlan.
Be aware, there is a limit in at least Cisco 3560 and Cisco 3750 that limits it to 128 simultaneous spanning tree processes.

How STP Detects Loops and BPDU filters
The switch will flood BPDU’s (Bridge Protocol Data Units) out on all interfaces per default, and if it can see its own MAC address in an incoming BPDU it will know when a link have looped.

Switch(config)#interface GigabitEthernet 1/0/1
Switch(config-if)#spanning-tree bpdufilter enable

This will stop sending and receiving of BPDUs on the interface GigabitEthernet 1/0/1.

Switch(config-if)#spanning-tree bpduguard enable

This command will make the switch ignore BPDU’s received on the configured interface.

Change spanning tree priority

Switch(config)#interface GigabitEthernet 1/0/1
Switch(config-if)#spanning-tree vlan 100 cost 200

This will apply a cost of 200 to vlan 100 traversing over GigabitEthernet 1/0/1

Verify Spanning Tree

Switch#show spanning-tree vlan 2000

Spanning tree enabled protocol rstp
Root ID Priority 27223
Address 0012.5555.0000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 27223 (priority 24576 sys-id-ext 2000)
Address 0012.55555.0000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
—————- —- — ——— ——– ——————————–
Gi1/0/2 Desg FWD 4 128.2 P2p Peer(STP)
Gi1/0/3 Desg FWD 4 128.3 P2p Peer(STP)
Gi1/0/5 Desg FWD 4 128.5 P2p
Gi1/0/15 Desg FWD 4 128.15 P2p

This is output from the root bridge, all ports the vlan exists on are in Forwarding mode.
The protocol output in the top verifies that we are running rapid STP.

Output from Neighbor STP Switch

Switch2#show spanning-tree vlan 2000

Spanning tree enabled protocol rstp
Root ID Priority 27223
Address 0012.55555.0000
Cost 4
Port 1 (GigabitEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 35415 (priority 32768 sys-id-ext 2000)
Address 0012.0007.dddd
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
—————- —- — ——— ——– ——————————–
Gi0/1 Root FWD 4 128.1 P2p
Gi0/4 Desg FWD 4 128.4 P2p
Gi0/8 Desg FWD 4 128.8 P2p Peer(STP)

We are not the root bridge, the output shows that ‘Switch’ is the root bridge for this spanning tree.

Understanding and Configuring IPv6 Routing on a Cisco Router

Saturday, September 27th, 2008

You do have a backup plan for IP addressing, now that we are running out of IPv4 space, right?

IPv6 isn’t something awfully new, but some of the ideas can be hard to grasp.
To understand IPv6 routing, I had to learn how to do subnetting of IPv6 address space.

Subnetting basics
To understand IPv6 subnetting, I took it from what I had learned about the basics of subnetting IPv4 addresses.

IPv4: The number only represents a 32-bit number, split into 4 ‘octets’, which are groupings of 8 bits (256 combinations 0 – 255), each octet is separated with a dot ‘.’.
The network mask represents the subnet size, because the network mask eventuallyl decides who you can talk to (for example means that all bits in the last octet can be freely manipulated, hence a subnet mask of means you can change the tweak last octets to your hearts content.

IPv6 addresses and subnetting
This is basically just the same as for IPv4, except the address is now 128 bits compared to 32.
This makes room for 2^128 addresses while IP version 4 was limited to 2^32.
Just a little calculation, for the fun of it:

(2^128)-(2^32) = 340282366920938463463374607427473244160

This is how many MORE addresses the IP version 6 will give us.

In IPv6 the octets we all know from IPv4 are 8 groupings of 16 bits, and instead of being written in decimal format – they are written in hex.
So a valid IPv6 address could be 3ffe:1000:0000:0000:0000:0000:0000:0001/126.
How does this work?
/126 indicates that 2 bits left from the mask for host addressing, this will give four host addresses.

One thing you should notice is that while it can feel natural, it will not work to use addresses such as ::9, ::10, ::11, and ::12 for the same subnet.

The key here is hex, which ranges from 0 – 9 and a – f, so it’s counted like 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d,e and f.

To be certain, use the Online IPv4 and IPv6 calculator, it will calculate the subnets for you.
Just enter an IPv6 or IPv4 address with the corresponding CIDR (for example /24) and it will return the network range.

Enable forwarding of IPv6 Unicast Packets in Cisco IOS

Router(config)# ipv6 unicast-routing

Configure a static IPv6 default gateway/route

Router(config)# ipv6 route ::/0 3ffe:1::1

This would configure a default route to 3ffe:1::1.

Configuring an IPv6 address on an interface

Router(config-if)# ipv6 address 3ffe:1::1/64

Verifying configuration
Verify IPv6 Routing Table

Router# show ipv6 route

Pinging over IPv6 from Cisco IOS

Router# ping ipv6

Also check out these featured articles
Configuring IPv6 OSPF Routing In Cisco IOS

Get Support for IPv6 Rouing on the 3750 Platform

Routing – Understanding And Tweaking the CAM

Thursday, September 18th, 2008

If you don’t pay attention to the CAM, your network could face serious problems.

What is the CAM and Why is it important?
The CAM is short for Content-Adressable Memory and is a type of memory for high speed searching applications. Other names are associative memory or when programming; associative arrays.

The CAM makes it possible to make routing decisions in hardware instead of bothering the CPU, routes are placed in the CAM so that the linecard ASIC or FPGA hardware can look up which interface to send the packet out on somewhat directly from the memory. This decreases routing latency drastically and makes wirespeed performance possible.

Imagine how your router would perform without this now..

OK, Why is it important?
Because every router have a limited amount of physical memory, and this memory space has to contain IPv4 routes, IPv6 routes and everything you are (or want to do) in hardware.
This makes partitioning of this memory important.

You have different ways of doing this, but it mostly involves a reload of the router.

CAM Profiles
On Foundry routers it’s called CAM profiles, here are the basics:

The Internet Routing table now have about 260K prefixes, so you should worry.

To check my CAM usage I use:

show cam-partition usage

On a Cisco 6500/7600 switch, you could use

show tcam details

When there are no more CAM space for a route, it will become unreachable.
So pay attention to your CAM/TCAM. :-)

Setting up an office router with in/out NAT, DHCP server

Monday, September 1st, 2008

The scenario is as follows:

Fa4 = WAN port =
Fa1 – 3 = VLAN1 =

All of the clients connected to FastEthernet port 1 to 3 of the router needs:

  1. Automatic host configuration with DHCP
  2. Internet access via NAT
  3. The machine at should be excluded from DHCP,
    and have port 80 forwarded to it.

DHCP configuration
router(config)# ip dhcp excluded-address
router(config)# service dhcp
router(config)# ip dhcp pool Clients
router(dhcp-config)# network
router(dhcp-config)# domain-name clients.lan
router(dhcp-config)# default-router
router(dhcp-config)# dns-server
router(dhcp-config)# lease 0 1

This give 0 day and 1 hour leases (leasetime 1 hour)

NAT configuration
router(config)# interface vlan 1
router(config-if)# ip nat inside
router(config-if)# interface Fa 4
router(config-if)# ip nat outside
router(config-if)# exit
router(config)# access-list 20 permit
router(config)# ip nat pool ovrld prefix-length 24
router(config)# ip nat inside source list 20 pool ovrld overload

The forwarding of port 80 to
router(config)# ip nat inside source static tcp 80 interface Fa4 80

That should be all, if there are any errors, please comment!