Show IP Protocols

Command lines to setup IP address and DNS of Windows PC

2011-07-02T23:07:00.000+08:00

When I use my Windows notebook as connectivity tester, I often have to switch the IP address configuration from DHCP to some fixed IP, and back and forth. Also, different customers have different assigned fixed IP addresses.

It is very annoying using GUI to change the configuration repeatedly. It also creates lots of typos to add up more troubleshooting time. I decided to create some automation. If I can create small scripts or batch files to do such routines for me, it will save me so much time!

After some research and try-and-error, I found NETSH, and I also learned something:

When we use NETSH to switch back to DHCP, we must issue two commands: one for IP address, and one for DNS.
NETSH command "set dnsserver" replaces all previous DNS settings. Only the First DNS server can be configured using this command.
To add more DNS servers, we have to use "add dnsserver ... index=2" for the Second one, and so on.

Here are the sample batch contents for you to cut-and-paste. To execute them without error, you should raise your privilege level to system administrator, especially in Windows Vista and Windows 7.

Setup PC's NIC as DHCP

netsh interface ip set address "Local Area Network" dhcp
netsh interface ip set dnsserver "Local Area Network" dhcp

Setup PC's NIC as Fixed configuration

set ADDRESS="1.2.3.4"
set    MASK="255.255.255.0"
set GATEWAY="1.2.3.1"
set  METRIC="1"

set    DNS1="192.168.0.253"
set    DNS2="192.168.0.254"
set    DNS3="192.168.0.252"

netsh interface ip set address "Local Area Network" ^
   static %ADDRESS% %MASK% %GATEWAY% %METRIC%

netsh interface ip set dnsserver "Local Area Network" static %DNS1%
netsh interface ip add dnsserver "Local Area Network" %DNS2% index=2
netsh interface ip add dnsserver "Local Area Network" %DNS3% index=3

References

Net workers' nightmare came true. Lesson from April 21 outage of Amazon.com

2011-05-12T19:13:00.000+08:00

The incident summary of April 21 outage of Amazon.com has been published for a while. It reminds me some typical nightmares of an Net worker like me.

The "prelude" of that incident was because of network execution error, as this:

..... The configuration change was to upgrade the capacity of the primary network. During the change, one of the standard steps is to shift traffic off of one of the redundant routers in the primary EBS network to allow the upgrade to happen. The traffic shift was executed incorrectly and rather than routing the traffic to the other router on the primary network, the traffic was routed onto the lower capacity redundant EBS network. .....

I made mistakes while I was making configurations. I felt lucky that most of my mistakes are quickly found and easily recovered. Although I am skillful enough to be titled as an "expert", I can never guarantee that I would make no mistakes anymore!

I think Amazon.com has learned a lot from this incident. I like this statement:

We will audit our change process and increase the automation to prevent this mistake from happening in the future.

Automation is the key to minimize the possibility of human error, although it is not easy!

"April 21 2011" incident of Amazon.com: not the end of the "Cloud Era"

2011-04-23T02:50:00.000+08:00

Many reports (such as this) mentioned the "April 21 2011" incident of Amazon.com.

If Amazon.com does not lie on its status history, this incident looks to me quite controlled and not that surprising! The failures are almost contained in North Virgina data center.

(One exception: "AWS Elastic Beanstalk". Since I do not know the hosting location of "AWS Elastic Beanstalk", I will wait for the official incident report from Amazon.com.)

It is time for businesses to review their "Cloud" strategy. "Cloud" is a good way to scale out computing capacity, but not a cure-all. "Cloud" should not be "the only" strategy for your business to depend on!

The "Cloud Era" is just at the beginning. This incident is not the end of it!

My full page capture of "AWS Service Health Dashboard" is at below:

No more IPv4 unicast addresses in IANA's pool since Feburary 2011. Be cautious, but not panic!

2011-02-12T01:00:00.000+08:00

It does NOT mean "the world ran out of ALL IPv4 addresses" now. It only means no more IPv4 unicast addresses are "as reserves". There are still some in five RIRs' pool today!

(However, it is quite close. When those in RIRs are also used up soon after, then we can really say "no more IPv4 addresses".)

This is just an important reminder for you to speed up your migration to IPv6! However, as I pointed out before, don't get panic about this!

Many news posts are written about this since Feburary 2011. I believe they are based on this post:

Five /8s allocated to RIRs - no unallocated IPv4 unicast /8s remain

Leo Vegoda leo.vegoda at icann.org
Thu Feb 3 14:51:35 UTC 2011
...

Hi,

The IANA IPv4 registry has been updated to reflect the allocation of five /8 IPv4 blocks: one to each RIR, in February 2011. You can find the updated IANA IPv4 registry at:

http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml
http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt

And if you do open the "IANA IPv4 Address Space Registry" in the last link, you could check yourself that the first 224 "/8" blocks (that is, the whole IPv4 unicast address space) are all used.

No single "/8" block is in "UNALLOCATED" status. Wow!

If you are wary of what you can do now, check my older post:
Possible actions to begin with for entering IPv6 era

No more HyperTerminal on Windows 7? Try Putty!

2011-02-09T22:58:00.000+08:00

  Bits per sec    :  9600  
  Data bits       :     8 
  Parity          :  none 
  Stop bits       :     1 
  Flow control    :  none

(This post is re-posted in English from my original post.)

We are all used to start HyperTerminal included in old Microsoft Windows XP to do initial console configurations of routers and switches. However, starting from Windows Vista (and also Windows 7), no HyperTerminal software anymore! Now how can we do console configuration in Windows Vista or Windows 7?

In fact, Putty, the software we use as daily Secure Shell (SSH) client, can also be used to do console configuration on routers and switches.

After downloading it, we can just double-click Putty.exe icon to start it. This is much simpler than locating HyperTerminal from "Accessories/Communications/HyperTerminal" path every time as we did in Windows XP.

First choose "Serial" as the connection type, as the following screen capture.

Because the default "Baud Rate" of Putty is exactly 9600, and the default "Flow Control" is "Xon/Xoff", we can start console configuration right away on Cisco's routers and switches.

NOTE: Cisco asks you to set "Flow Control" as "none". However, Xon/Xoff also works in all my experiences.

Bits per sec    :  9600 
Data bits       :     8 
Parity          :  none 
Stop bits       :     1 
Flow control    :  none

You can do this additional step to change "Flow Control" to "None", in "Connection/Serial" dialog.

You can save even more time everytime using Putty by saving above Putty attribute set as "Saved Session". Type your chosen name first (in this example, "Console") and then click "Save".

Haven't you start to consider replacing HyperTerminal with Putty, even in old Windows XP?

[Reference]

"CCIE is just the beginning" I totally agree!

2011-02-02T23:46:00.000+08:00

Golden Needles Field (DSC_0547),
originally uploaded by Li-Ji.

I like this quote of Himawan! This post is for those who are preparing to get or just got an CCIE certification!

Himawan Nugroho:

CCIE is NOT supposed to be the final target.
CCIE is just the beginning.

Source:
inevitable: What is CCIE?

Have a backup plan before power off your routers, especially for old ones

2011-01-28T18:26:00.003+08:00

Entrance of the Taoyuangu Trail (DSCN0349),
originally uploaded by Li-Ji.

Even Cisco routers are reliable enough to run non-stop for several years, it does not guarantee it to power on normally after simply one power off.

A friend told me his such embarrassing story. The router was a Cisco 3600. Luckily enough, he had a spare 3600 gear in warehouse. After several hours of down time for him to bring back the spare, the network was finally restored.

Watch out, especially when your models are already out of services and you do not have any working spares in hand.

This lesson also applies to any network devices or servers!

Soft phones can never replace all hardware IP phones

2011-01-15T23:04:00.000+08:00

Intersection (DSCN0462),
originally uploaded by Li-Ji.

I was in a voice conference inside company Intranet using a soft phone in my Intel Core i5, 2G DRAM notebook. Unfortunately, I encountered voice loss several times during the conference. I noticed it might not be the problem of network QoS, because when voice loss happened again, my notebook was also busy accessing the hard drive, which is also 7200 rpm model.

General purpose PC is not good at QoS, especially for voice application

There are always some disk-demanding tasks running in the background, such as anti-virus software scanner. Even my notebook is great enough in performance (i5, 2G DRAM, 7200 rpm disk), the audio quality is still suffering in such moments.

I do not think PC venders would add some easy switch to slow down other tasks when soft phone is running, in the near future. Consumers expect PCs to be able to multitasking. If they found they cannot receive Emails while they are speaking on the phone software, it would become a really big problem.

Voice quality is more critical than you might expect

The worst thing is, I cannot ask the speaker to repeat my missed (but important) phrases. Because the limited time and so many participants were also in the conference, it would be very rude to make such request. I did record the conference in my local hard disk. However, the loss is still recorded as a loss. No way to recover those missing phrases!

PC is not an always-available platform

We have to reboot PC to complete its security updates from time to time. Most of these patches are not related to the soft phone we care about.

On the other hand, it is not energy efficient at all to keep a PC running only to make telephone service always available.

My Conclusion: Soft phones are only good for casual talk among two people

It would be easier to ask for a repeat only when two people are talking to each other. However, if you ask for repeat too many times, it is not a working communication because that is really annoying.

You must have dedicated hardware IP phone, if you do not want to repeat my pains!

Long scheduled down time again! People are watching!

2011-01-08T14:09:00.000+08:00

Screen capture upon Facebook down incident
(Sep. 24, 2010).

I received this notification from Cisco Network Academy mailing list. WOW! It's going down for 72 hours! That is 3 whole days!

Subject: Reminder: Scheduled Academy Connection Downtime begins January 8 (1 AM GMT)
...
Cisco Networking Academy is upgrading its data center infrastructure. This change will help Cisco in continuing to give you excellent services and support.

During the upgrade, Academy Connection and all Academy Connection services will be unavailable for 72 hours. The outage will start Friday Jan 7th at 5 pm and finish on Monday Jan 10th at 5 pm (San Francisco (-8 GMT)).
...

I would not be surprised if it is just some other academy. However, this is "Cisco" Network Academy!

Facebook, a free service, recovered within 2.5 hours in unscheduled down incident on September 24, 2010. Unless one system have more users than Facebook, or, is more complex than that on Facebook, I expect one system's scheduled and unscheduled down time should also be near around 2.5 hours.

Why not make use of your own great solutions such as UCS to host your own Academy Connection service? Invest a little more is not an extra expense. It would become a proof of concept! A success and highly available Academy Connection is a great live demo of your own solutions!

I really hope no more such long scheduled down time notifications, for Cisco Network Academy Connection!

Fw: Cisco Positioned as a Leader in the 2010 Magic Quadrant for SSL VPNs

2011-01-03T21:27:00.002+08:00

The Magic Quadrant.
Captured from original Gartner's Report

I am refreshed by a blog post on Cisco's "The Platform" blog, that Cisco is now "positioned as leader in SSL VPNs".

Cisco Blog, The Platform, Cisco Positioned as a Leader in the 2010 Magic Quadrant for SSL VPNs

(Yes, Cisco used to call SSL VPN as WebVPN.)

A Little Surprise

In mentioned Gartner's Magic Quadrant, only Juniper and Cisco are classified as leaders. Juniper as leader is without doubt. Cisco, on the other side, is a bit surprise to me!

However, I would like to point out Cisco is catching up very closely to Apple's i-products, such as Apple's iPad. I personally would choose Cisco as SSL VPN provider, if Apple's iPhone and iPad are required to be supported!

Cost of Cisco's Might be Very Attractive

The comments of Gartner in the same report about Cisco is quite interesting. It looks to me the cost to buy Cisco's SSL VPN solutions could be much lower than I expected.

Its SSL VPN entry cost and discount rates are the lowest reported. Other surveyed vendors consider Cisco a major competitive threat, earning Cisco a close second place after Juniper Networks as a named competitive threat.
...
... and may indicate that in some cases SSL is purchased incidentally, rather than intentionally.

(Incidentally! Could that means the costs are almost unnoticeable?)

Conclusion

In addition to its support of Apple's iPhone/iPad, it's a good idea to consider Cisco as your next SSL VPN provider when the budgets are really tight in your business.

Why we need TelePresence?

2010-12-24T23:43:00.000+08:00

TelePresence for short, is a better video conference "room" system with "HD video quality" and "1:1 people size".

From the "IP network" 's perspective, it is just another "bandwidth-hunger" application. Not that interesting to network workers.

However, from user's point of view, it is a very wonderful application! I list some good reasons for users to want such system.

Feasible and ready

TelePresence typically requires 4Mbps to 24Mbps of WAN bandwidth. Today such bandwidths are cheap enough for most of the businesses to afford them.

The HD's video quality is also well understood by so many consumers.

Easy to use

TelePresence today is not just the network video codec box. It's a whole "conference room": the TV screens, projections, microphones, speakers, furniture, lighting, and even the position of everything. If you install a new TelePresence room, yours would be almost the same as that in the above video.

You do not have to find each pieces to construct it yourself. In fact, few options are left for you to change elements of it.

Once installed, everything is fixed. Users do not have to adjust the camera position, lightings, nor audio setups anymore. You only have to sit in, and start the conference. Done!

In the old DIY-style conference room, you would have to spend tens of minutes only to adjust videos and audios, before each conference. What a waste of time!

Live facial expressions are finally acceptable in TelePresence

In traditional conference system, you can only see some vague videos of each other. You can identify the participants, but you cannot see clearly the faces, the expressions, and the body languages of them.

In TelePresence, you can see each other in 1:1 real size. Just as the name describes: as if you were present and in front of me!

Through TelePresence, you can deliver more "messages" to your audiences, such as your passion, your confidence, or your concerns. You can also see more truth from the reactions of remote participants.

[Side notes for network workers]

Then what is in it for me, as a network worker?

I believe TelePresence is a very straightforward "network readiness" live demo to those who are not familiar with network technologies.

You will need TelePresence, no matter you are network worker or IT decision maker!

---

By the way, Merry Christmas and Happy New Year!

Fwd: Choosing Different Passwords for Different Websites

2010-10-22T01:09:00.000+08:00

I always wonder how to pick a good password, strong enough not to be guessed, and easy enough to be remembered, for my so many identities on the Internet.

I believe this post might be a good start!
Digital Inspiration - Choosing Different Passwords for Different Websites

The tips discussed could be summarized in 3 key points.

Start with familiar phrase.
Add special characters.
Customize for each web site.

I personally do not like Point 2. Special characters are quite awkward to be typed on keyboards. It would slow down your typing speed of passwords, and thus easily to be obscured.

In addition, when you are typing passwords on mobile phones, it would become quite a headache upon typing special characters.

My personal suggestion to replace Point 2 would be "Make passwords extremely long". How? Maybe repeating Point 1 result in random times would be a good start.

The video in the post was created by "Mozilla.org".

Choosing good passwords is a necessary skill for network technicians. Most of the time, you not only have to choose passwords for yourself, but also for "so many different customers".

Well, when is the last time you changed your passwords?

Fwd: 10 Networking Books to read before you die – My Etherealmind

2010-09-27T23:43:00.001+08:00

I came across this post. I have some comments to share with you.

10 Networking Books to read before you die – My Etherealmind

Note for young students: you do not have to buy new books of them. These books are so classic that "used" second-hand books can be easily found anywhere! Borrowing from senior schoolmates is also good idea!

I personally recommend four of them. The others might be also good, but I have not read them to give correct recommendations!

W. Richard Stevens, "TCP/IP Illustrated, Vol. 1: The Protocols"

In fact, this book inspired me to enter the wild Internet age. Without catching this book, I might be just another mediocre software programmer today.

The basic Internet protocols are clearly explained in this book. If you want to start from very basic, this is the book for you!

And yes, only Volume 1 is enough. Volume 2 and 3 are more for system programmers.

Radia Perlman, "Interconnections: Bridges, Routers, Switches, and Internetworking Protocols (2nd Edition)"

Dr. Radia Perlman is the inventor of Spanning Tree Protocol. She is a researcher and she explains the network components from vendor-neutral view. If you prefer to read network technology sources other than Cisco's point of view, this is a good start!

Jeff Doyle, Jennifer Carroll , "Routing TCP/IP, Volume 1 (2nd Edition)"
Jeff Doyle, Jennifer DeHaven Carroll, "Routing TCP/IP, Volume II"

These two books are must-read if you are preparing for R&S CCIE certification! In addition to detailed protocol explanation, the lab scenarios, configurations, and screen dumps are really helpful if you want to recollect some crucial lab results from time to time.

All examples in these 2 books use only Cisco's products.

Have you read above books? Go get them and enjoy your reading!
---

Unlicensed radio bands open wide - FCC approved

2010-09-24T22:21:00.001+08:00

Federal Communications Commission (FCC) of United States approved the use of new unlicensed radio bands on September 23, 2010.

The bands are in fact "White Spaces" between consecutive existing TV channels' radio bands. The spaces collectively are much larger than the famous 2.4 GHz or 5 GHz unlicensed bands. That is, if this new space was used as packet communication media, the capacity of bits transported would be much larger than today's Wi-Fi, and the coverage area would be city or campus wide, just like those of existing TV radios.

That's why many people call it "Wi-Fi on steriods": as if current Wi-Fi expanded with so much more capacity as if being dosed with steroids. Some people also call it as "Super Wi-Fi".

Although not all are happy about this result and mature new technologies are still to be developed, the future could be far beyond today's imagination!

It is just like when 25 years ago (1985) FCC released unlicensed band, nobody at that time could imagine we would have affordable Wireless LAN everywhere around the globe decades later!

The new space could be used as wireless Internet broadband access, or Smart Grid wireless network for power industry in the near future. And surely there would be more and more applications coming!

FCC's action would also profoundly affect the regulations in other countries. The effect would become global soon!

[More Related News]

Vacant TV Airwaves Opened for $4 Billion Wireless Market by U.S. - Bloomberg
FCC Approves "Wi-Fi On Steroids" | Fast Company
FCC heralds a new era of 'super Wi-Fi' - CNN.com
Google Public Policy Blog: FCC vote on white spaces lays promising foundation for “Wi-Fi on steroids”
Google Public Policy Blog: Larry Page talks about Google's vision of "wi-fi on steroids": "Larry Page talks about Google's vision of 'wi-fi on steroids'"

---

Fw: The Day The Routers Died...

2010-09-17T12:36:00.019+08:00

Take a break, and listen to some music!

Wow! It's about IPv6!

The lyrics is at the description below the video.

Yes! I am giving "IPv6" a try! Have a nice weekend!

a long long time ago
i can still remember
when my laptop could connect elsewhere

and i tell you all there was a day
the network card i threw away
had a purpose - and worked for you and me....

But 18 years completely wasted
with each address we've aggregated
the tables overflowing
the traffic just stopped flowing....

And now we're bearing all the scars
and all my traceroutes showing stars...
the packets would travel faster in cars...
the day....the routers died



Chorus (ALL!!!!!)

So bye bye, folks at RIPE 55
Be persuaded to upgrade it or your network will die
IPv6 just makes me let out a sigh
But I spose we'd better give it a try
I suppose we'd better give it a try

Now did you write an RFC
That dictated how we all should be
Did we listen like we should that day

Now were you back at RIPE fifty-four
Where we heard the same things months before
And the people knew they'd have to change their ways....

And we - knew that all the ISPs 
Could be - future proof for centuries

But that was then not now
Spent too much time playing WoW

ooh there was time we sat on IRC
Making jokes on how this day would be
Now there's no more use for TCP
The day the routers died...

Chorus (chime in now)

So bye bye, folks at RIPE 55
Be persuaded to upgrade it or your network will die
IPv6 just makes me let out a sigh
But I spose we'd better give it a try
I suppose we'd better give it a try

I remember those old days I mourn
Sitting in my room, downloading porn
Yeah that's how it used to be....

When the packets flowed from A to B
via routers that could talk IP
There was data..that could be exchanged between you and me....

Oh but - I could see you all ignore
The fact - we'd fill up IPv4

But we all lost the nerve
And we got what we deserved!

And while...we threw our network kit away
And wished we'd heard the things they say
Put all our lives in disarray

The day...the routers died...

Chorus (those silent will be shot)

So bye bye, folks at RIPE 55
Be persuaded to upgrade it or your network will die
IPv6 just makes me let out a sigh
But I spose we'd better give it a try
I suppose we'd better give it a try


Saw a man with whom I used to peer
Asked him to rescue my career
He just sighed and turned away..

I went down to the net cafe
that I used to visit everyday
But the man there said I might as well just leave...

And now we've all lost our purpose..
my cisco shares completely worthless...

No future meetings for me
At the Hotel Krasnapolsky

and the men that make us push and push
Like Geoff Huston and Randy Bush
Should've listened to what they told us....
The day...the routers....died 

Chorus (time to lose your voice)

So bye bye, folks at RIPE 55
Be persuaded to upgrade it or your network will die
IPv6 just makes me let out a sigh
But I spose we'd better give it a try
I suppose we'd better give it a try


Words and performance by Gary Feldman

---

Source of Cisco IOS "show ip bgp" screen outputs: archive.routeviews.org

2010-09-07T16:52:00.001+08:00

It would not be easy for us to capture meaningful BGP table in the lab environment. An archive site of "University of Oregon Route Views Project" provides us such samples of captures.

Following the link "'sh ip bgp' format RIBs" on the front page we can go to a huge collection of "show ip bgp" (that is , printing out BGP table in Cisco IOS) output. *** But, wait a moment here!

Why? Although each snapshot in the archive takes only around 30 Megabytes, in "bzip2" compressed format, it expands to near 1 Gigabytes after de-compression! That is, most Windows applications cannot handle well a file this large, and your computer might freeze after you try to open the file!

In Unix-like systems, you can use "head", "tail", "grep" utilities to get partial contents from the capture. In Windows, I can only use an CMD window with "type | more" command to get heading lines like this:

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  0.0.0.0/0        96.4.0.55                0      0      0 11686 19151 i
*  1.9.0.0/16       95.140.80.254            0      0      0 31500 4788 i
*  1.9.0.0/16       144.228.241.130          0      0      0 1239 7018 4788 i
*  1.9.0.0/16       216.218.252.164          0      0      0 6939 4788 i
*  1.9.0.0/16       64.71.255.61             0      0      0 812 1273 4788 i
*  1.9.0.0/16       154.11.11.113            0      0      0 852 174 3549 4788 i
*  1.9.0.0/16       209.161.175.4            0      0      0 14608 4323 4788 i
*  1.9.0.0/16       208.51.134.246       13928      0      0 3549 4788 i
*  1.9.0.0/16       154.11.98.225            0      0      0 852 174 3549 4788 i
*  1.9.0.0/16       167.142.3.6              0      0      0 5056 7018 4788 i
*  1.9.0.0/16       147.28.7.1               0      0      0 3130 2914 4788 i

And yes! It is really a "show ip bgp" capture! Cheers!

[URLs]

---
Side notes: You might be like me following another link on the same page:

route dampening data from route-views3.route-views.org

I found the data was not correctly collected after March 10, 2010. I Email notified the site administrator. I hope they would fix it soon!

Incident details of last Friday, by RIPE NCC

2010-09-01T17:48:00.000+08:00

This is the follow-up of last Friday's incident, by RIPE NCC.

In my opinion, RIPE NCC did a good job in this incident. They identified and stopped the problem within 30 minutes!

The problem would be easier to be identified if it caused disconnection on direct peers immediately. However, in this incident, only some and indirect BGP routers kept reseting peers. If they did not deploy Remote Route Collector (RRC) to monitor BGP at remote Internet Exchanges (IX) sites, I believe it would cost us much more time to know this is not day-to-day general BGP incident.

The report itself provides us so many information to be dug further. I need more time to digest!

[Original Post]
RIPE NCC and Duke University BGP Experiment — RIPE Labs
---

Some Internet BGP routers reset neighbors within half an hour last Friday

2010-08-30T17:41:00.004+08:00

We know when the BGP neighbor relation resets itself, the network would become disrupted before the new relation re-establishes. In the Intenet BGP scenario, this means a sudden outage of couple of minutes.

This was what happened last Friday (August 27, 2010, from 08:41 to 09:08 UTC)

The incident started on August 27 08:41 UTC when the RIPE advertised through BGP a route with an experimental BGP attribute. A bug in Cisco IOS XR would corrupt this experimental attribute and send it out to neighbors. Since the attribute thereafter became an "invalid attribute", by design every BGP neighbors reset relations to this telling IOS XR router. So, many disruptions happened at the same time. Bad luck!

Because of the popularity of Cisco IOS XR platform (such as GSR and CRS family), the disruption was quite substantial and all over the world. RIPE stopped the advertisement at 09:08 UTC and everything went back to normal later.

All IOS XR software affected! Even if your IOS XR router was lucky enough not involved in this incident, you still have to upgrade the router software fast.

Related Links

Cisco.com, Cisco Security Advisory: Cisco IOS XR Software Border Gateway Protocol Vulnerability
Discussion on NANOG (Wiki): Starting from this post.
RIPE Announcement for this incident.
NetworkWorld.com,"Research experiment disrupts Internet, for some"
yebo blog, "RIPE NCCがルーティング事故、IOS-XRの脆弱性発覚"

---

PC attached ports are no exceptions to Spanning Tree Protocol processing

2010-08-25T17:20:00.000+08:00

I came across this page on Cisco.com. I do not agree with some text mentioned inside.

STP Rule 4—All the other ports in all the switches (VLAN-specific) must be placed in blocking mode. The rule only applies to ports that connect to other bridges or switches. STP does not affect ports that connect to workstations or PCs. These ports remain forwarded.

In fact, PC attached ports also counted in STP. The link between the PC and the switch port is still a segment. Since general PCs do not send BPDUs, the switch port itself where the PC attached to becomes the "Designated Port" of this tiny segment, after two "Forward Delay"s by definition. That's how PCs can send and receive traffic through the switch later.

I think the last two sentences should be removed.

[Original Page]
Understanding and Configuring Spanning Tree Protocol (STP) on Catalyst Switches

TCP Denial of Service Vulnerability of Cisco IOS 15.1(2)T

2010-08-13T16:44:00.002+08:00

If the IOS version your Cisco Router (or Switch) is 15.1(2)T and exposed publicly on the Internet, you might have to schedule an emergency IOS update this weekend.

Only IOS version 15.1(2)T is affected.

The Denial of Service (DoS) attack to make use of this vulnerability must be targeted at router's IP addresses themselves. Although not described in this Advisory, I believe the router being attacked would become non-responding during remote management or unexpectedly reload itself from time to time. Your network would become unavailable while the router reloads.

There are workarounds instead of IOS update, such as Control Plane Policing (CoPP). However, updating IOS image with one reload would be much simpler and cleaner.

At this moment, the updated IOS version with fixes is "15.1(2)T0a".

For more information about workarounds or how to determine whether your systems have this vulnerability or not, please refer to the original Advisory on Cisco.com:

Cisco Security Advisory: Cisco IOS Software TCP Denial of Service Vulnerability� [Products & Services] - Cisco Systems

Cisco stopped Web Application Firewall (WAF) product

2010-08-06T08:55:00.001+08:00

Full name of this product on Cisco.com is "Cisco ACE Web Application Firewall".

WAF Icon, on Cisco.com

I agree with Ivan's post, that development of this product in Cisco is not catching up to the market's need. It would not be very surprising that Cisco would stop this product in the end.

Cisco WAF Photo, on Cisco.com

In addition, stopping this product almost means Cisco would be out of WAF market from now! Unlike other End of Sales Announcements, Cisco does not provide migration options for customers.

Product Migration Options

There is no replacement available for the Cisco ACE Web Application Firewall at this time.

I believe there should be something more about the story. I am keeping an eye on it!

---
Cisco EOS Announcement.

End-of-Sale Date: January 30, 2011
Last Date of Support: App. Software: January 31, 2014
Last Date of Support: Hardware: January 31, 2016

Evan's Post: Cisco IOS Hints and Tricks: Rest in peace, my WAF friend

An ultimate ruggedized Branch Office Box

2010-07-30T18:12:00.062+08:00

I came across this post on Riverbed's blog. What a ruggedized box!

Clips on CBO site, "THE EDGE™ Office In A Box"

blogs.riverbed.com: The ultimate ruggedized Branch Office Box platform: "July 28, 2010

One of our partners CBO has taken Riverbed's Steelhead appliance to another level. CBO's EDGE product is the ultimate ruggedized platform that delivers enterprise connectivity anyplace, anywhere, anytime with LAN like speed and provides a platform for consolidation of infrastructure at the edge.

I believe this box encloses one Riverbed Steelhead 250 and several wireless routers as its networking function. The box even has an Uninterruptible power supply (UPS) in it! That is, unless the box were smashed or sunk in the water, the network would be still working for a while!

Then what would be its application? Up to now I can only come up "Networking on moving buses/cars/yachts/trains", or some "Outdoor stages".

What are your creative ideas about using it?

---
Have a nice weekend!

Advices for college students preparing CCNA Exam

2010-07-29T18:11:00.003+08:00

A college student Email asked me how to prepare CCNA Exam. I gave him my advices, and I also would like to share them with you all!

Get books and always from Cisco Press first

Why Cisco Press? My exam experience these years taught me that other publisher's book might be helpful to understand topics, they are not that helpful for "exam" itself.

Books about CCNA on Cisco Press web site: http://www.ciscopress.com/markets/detail.asp?st=44711

I can pick two recommendations for you:

Above two book's chapters and sections are exactly the same as Cisco's official ICND1 and ICND2 courses materials.

Another tip for you: you can find some good deals of "used books" or even borrow one from your school mates. Most people do not keep the book after they pass the exam!

Acquire working experience on switches and routers

Working experience can give you more confidence on CCNA exam. Many topics in the textbook are not so concrete until you encounter them live at work. Another hidden benefit is, the colleagues around you would be a great source to discuss with and ask questions!

You can try some intern jobs in school labs/computing center, or research projects.

Make good use of official CCNA Prep Center

Clip from "The Cisco Learning Network" web site. CCNA Prep Center is part of it.

Cisco officially have a "CCNA Prep Center" web site. Contents inside are the most relevant to CCNA Exam. The best news is, it is totally free to sign-up!

The URL changes very often so the best way to find the right URL is to search on Google with keywords "ccna prep center". It should be on the top. CCNA Prep Center site is part of "the Cisco Learning Network" site.

Take Cisco Network Academy CCNA courses in your college

Cisco Network Academy CCNA courses cost less than official Cisco training courses, and can be counted as credit for your graduation. You will have a companion tool "Packet Tracer" during the course, which is a great simulation software so you do not need real router/switch hardware to practice.

Remember to make friends with your academy course instructor, and the classmates!

With time pressure, find a instructor-led Cisco official course

Cisco's Instructor-led courses are very time-effective. However, this is the most expensive choice! Most people I know take such course only when their employers sponsor the cost. If you can afford the cost and have urgent deadline of time, this is the best one!

---
I wish you all successfully pass and get your CCNA certification!

Simple BGP Multipath Test in Packet Tracer 5.3

2010-07-23T12:50:00.013+08:00

This is another simple BGP test file in Packet Tracer 5.3. We can see selection of the best route by AS_PATH.

BGP-Multipath-Test.zip

I changed the topology a bit from previous BGP sample, so that we can see different paths to the same destination network in the BGP table (the output of "show ip bgp").

In addition, the output of "show ip bgp" would now have meaningful "best route" selected, according to each possible path's AS_PATH length.

AS1>show ip bgp 
BGP table version is 11, local router ID is 11.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 11.0.0.0/24       0.0.0.0                  0     0 32768 i
*> 12.0.0.0/24       1.1.2.2                  0     0     0 2 i
*                    1.1.3.3                  0     0     0 2 3 i
*                    1.1.4.4                  0     0     0 2 3 4 i
*  13.0.0.0/24       1.1.2.2                  0     0     0 3 2 i
*                    1.1.4.4                  0     0     0 3 4 i
*>                   1.1.3.3                  0     0     0 3 i
*> 14.0.0.0/24       1.1.4.4                  0     0     0 4 i
*                    1.1.2.2                  0     0     0 4 2 i
*                    1.1.3.3                  0     0     0 4 3 i
AS1>

In this example, at AS1's point of view, the best route for destination 14.0.0.0/24 is going via 1.1.4.4 at AS4. This is correct and can be verified on the diagram.

---
Cheers!

Reference:
"BGP Best Path Selection Algorithm" documentation on Cisco.com

My VLANs are all gone?! "VTP Chaos" Packet Tracer Demo

2010-07-21T18:45:00.009+08:00

This file was inspired by the example presented in APJ Instructor Forum on July 15, 2010.

VTP (VLAN Trunk Protocol) is a very convenient tool for us to distribute VLAN information. However, some serious LAN outage might happen if we do not use it with care, while adding new switches.

I created this Packet Tracer (v5.2) file to demonstrate such disastrous situation.

VTP-Chaos.zip

You can make use of this file by "Normal Scenario" first, then "Chaos Scenario", to demonstrate the disaster.

Normal Scenario

Start this PT file, and the spanning tree will become stable after a while.

Now PC1 should be able to PING PC3. At the same time, PC2 should be able to PING PC4. In fact, PC1 and PC3 are both in VLAN 10, while PC2 and PC4 are both in VLAN 20. When PINGs are successful, it shows a normal working LAN scenario.

Live network contains only Switch1 and Switch2. Switch3 and Switch4 denote the new switches to be added later.

Note: at this step, the trunk link between Switch3 and Switch1 is shutdown at Switch3 side on purpose. This simulates the new switch Switch3 is not plugged into Switch1 yet. So is that between Switch4 and Switch2.

Chaos Scenario

Before next step, I suggest to start continuous PINGs to show clearly the effects of chaos. Continuous PING can be done by "ping -t 1.1.1.3" on PC1, for example.

Now, clear existing configuration by "write erase" on Switch3 (or Switch4), and then do a reload.

The trunk link between Switch3 and Switch1 will become active. This simulates Switch3 is plugged into live network at Switch1. So is that between Switch4 and Switch2.

The chaos would begin soon! You can see it on the failed PING responses on PCs. The ports PCs attached to will also become in "err-disabled" state, in orange color.

More on this: How to "solve the problem" when it happens?

The only way out is to re-create all live VLANs on one VTP server role switch. If you have good maintenance documentation and are a good typer, you would be able to recover all VLANs in tens of minutes.

In this case, create VLAN 10 and VLAN 20 on Switch1, by these commands:

config t
vlan 10
vlan 20

More on this: How to "prevent the problem"?

The root cause of the problem is at the VTP revision number. When the newly added switch has larger revision number, its VLAN information would overwrite existing VLAN information, and on, and thus whole network is down.

Please note that adding VTP server or VTP client would both cause such problem. I assigned Swtich3 as VTP client role to demonstrate this scenario. That is, adding VTP client is no safer than VTP server!

To prevent this, you must reset the VTP revision number to zero before plugging in the new switch. To reset the revision number, you can do one of the following:

Set VTP mode to transparent and then back
Change VTP domain string to other and then back
Delete flash:vlan.dat before power-off the new switch

---
Cheers!

Reference:
Reference of the problem on Cisco.com: "How a Recently Inserted Switch Can Cause Network Problems"