So how does multiple spanning tree protocol work? The idea is to reduce the number of spanning tree instances operating in a switch network. Joe covers operational principles of MSTP, including the Common Spanning-Tree CST and Per-VLAN Spanning Tree models in this video, as well as the elements of MST regions.

Earn Your CCNP

Our series of CCNP Training courses will prepare you for each exam of the CCNP certification: SWITCH, ROUTE, and coming soon, TSHOOT. Learn all about the CCNP SWITCH exam topics and move one step closer to a bigger salary with Cisco expert & CCIE #14256 Joe Rinehart. In addition to MSTP, RSTP and CSTP, the course covers a wealth of topics:

• VLANs and VTP
• Cisco Express Forwarding
• Layer 3 Switching Solutions
• Everything to pass CCNP SWITCH Exam 642-813

Increase your salary by up to $20k this year with certified instruction and CCNP SWITCH Training.

One of the topics that does not get that much attention, but is available on many different series of switches, is private VLANs. A private VLAN expands on the abilities of a standard VLAN, allowing traffic to be separated at another level allowing the design engineer a number of flexible options. This article provides a short review of what a VLAN is and what it provides. Then, we will review the concepts behind the private VLAN feature and how it can expand on the capabilities of the standard VLAN.

What is a VLAN?

The first thing to review is what VLAN means and what it provides. A Virtual Local Area Network, or VLAN, provides the ability to logically separate a LAN the same way that would be possible with multiple physical switches. For example, if an engineer had four different physical switches, each of the switches could be connected to separate departments within a company. Without an interconnection or a routing device, the devices within each department would not be able to send traffic to each other and would typically be put into different subnets. A VLAN takes this ability to separate devices, but does it logically instead of physically; a separate VLAN can be created for each department and the physical ports that connect these devices can be configured into the correct VLAN. It is important to keep in mind however that the same rules apply to VLANs as physical LANs; that is in order to communicate between them a routing device is required and separate subnets should be assigned to the devices in each VLAN.

Private VLANs: Extending the abilities of a VLAN

The private VLAN feature provides the ability to extend the capabilities of a “standard” VLAN. It does this by introducing some additional concepts: Primary VLAN, Community VLAN and Isolated VLAN. The Primary VLAN should be considered the Master in the master/slave relationship with the other two sub-types. Switch ports assigned within the primary VLAN are able to see traffic from all devices within the primary VLAN and all sub-types (also referred to as secondary VLANs).

Both Community and Isolated VLANs should be considered slaves in the master/slave relationship with the primary VLAN. Switchports assigned to a Community VLAN can see traffic from all other devices in the same Community VLAN and can send traffic back and forth with devices in the primary VLAN. Switchports assigned to an Isolated VLAN can send traffic back and forth with devices in the primary VLAN, but CANNOT see traffic from other devices in the same Isolated VLAN.

It is important to understand that regardless of the VLAN assignment of the switchport, all of the devices will share the same IP subnet; the private VLAN feature just sets up rules as to which devices are able to speak to each other.

A visual representation is shown in Figure 1 below:

Why Use a Private VLAN?

The next question really is why would an engineer want to implement the private VLAN feature? This section goes over a few possibilities.

What if an Internet Service Provider (ISP) had a limited number of subnet space and wanted to maximize it by assigning all of the customers in a geographic area into the same IP subnet. Of course, most customers do not want other people seeing their layer 2 switched traffic, as it opens up potential security issues. Individual customers who only have a single port connected into the service provider can be assigned into an isolated private VLAN; their traffic would then only be sent and received by the ISP devices connected directly to the primary VLAN.

What if a company existed in the same geographic area and had multiple offices with multiple Internet connections? It is possible with community VLANs to connect all of these Internet connections together so that each would be able to talk directly to each other as well as go out and utilize the same Internet connection.

These are some very simple examples but they do show that the functionality of private VLANs can be useful to any design engineer looking for a solution to a specific set of design requirements.

Summary

The private VLAN feature can certainly be a useful tool in the belt of any engineer looking to solve a design problem with a certain set of requirements. It is important to take a look over all of the available options when designing or modifying a network to see if there is a better way of solving a problem that would work better under specific circumstances; the private VLAN feature certainly has some interesting traits that can be very useful to any engineer. Hopefully the content in this article has made the concept of private VLANs easier to understand.

Cisco CCNP SWITCH Training: Now Available

Cisco CCNP SWITCH Training covers all the Cisco switching concepts that you’ll need on the job and for the exam. Taught by Joe Rinehart, IT pro of over 14 years, this course will help you stay current with your skill set, while giving you the chance to make a splash in the networking industry. Here are the key topics routing explored in this course:

• Spanning-Tree (STP), Rapid Spanning-Tree (RSTP) and Multiple Spanning-Tree Protocol (MSTP)
• VLANs, Trunking and Virtual Trunking Protocol (VTP)
• Cisco Express Forwarding
• Layer 3 Switching Solutions
• High Availability Features

Read a letter from Joe Rinehart about the benefits of a career on the CCNP track.

Students will also learn about switch-based security considerations, interface & port configuration, and more. All the lessons are outlined to provide exam coverage for Cisco’s 642-813 CCNP SWITCH Exam.

Certified Instruction

In addition to authoring ROUTE, CCNA Wireless, and CCNA Voice courses, Joe has developed courses for colleges and implemented networking technologies for Fortune 500 companies. He’s also a speaker and published author, so his perspective is always at the forefront of IT.

Earn your CCNP and increase your salary this year with Cisco CCNP SWITCH Training.

That’s right folks; rogue access points are still a legitimate concern for businesses. But it’s not just the organizations that need to be concerned; end-users need to understand that these are a legitimate threat to their personal data as well.

What are Rouge Access Points?

Businesses typically classify rogue access points in two categories. The first, and most serious, are the rogue AP’s that are plugged into the business network. Most organizations that are on the ball have a security policy that states no one should be plugging-in unauthorized access points. Hopefully this prevents users from bringing in an access point from home and setting it up in the conference room because of a shortage of data jacks. But there are those incidents, though rare, where someone gains access to the business floor and is able to plug in a rogue device. It could be someplace inconspicuous like the waiting area or even a conference or break room. You need to keep in mind that if you remove an AP from its shell, it’s not very big. They can even be concealed inside the data jack and powered over Ethernet.

Additionally, they’re not going to be broadcasting the SSID on the Rogue device and will limit connectivity during working hours as to not draw attention. If not detected and removed quickly enough, this can provide the hacker unfettered access to the corporate infrastructure. Diligent companies will have their servers locked down and segmented behind a firewall along with other security measures. What about the user workstations on that segment? How secure are they? They can be compromised for the data they hold, both personal and corporate. It’s extremely rare for us not to have some sort of personal data on our work computers. Additionally the computer can be used as a pivot point to gain access to those critical servers. Keep in mind that if someone has taken the risk to get an access point on the corporate network, they’ve probably done a significant amount of reconnaissance already. Part of this could have been to sit in a car or lobby and sniff wireless traffic in effort to gain credentials or other information about your network.

The other more interesting issue involves rogue access points that are not plugged into the network, but are close enough to cause problems. These are the ones that organizations have a vast amount of trouble dealing with because there is really nothing they can do about them. And if the company is in a major city, like New York, it’s a big headache as the entire city is blanketed by 802.11 networks.

As demonstrated by our friends at Wigle.net, just this two-block area of NYC has hundreds of WLANs. If your company is blocking Facebook or any other favorite sites, what’s stopping them from connecting to “FreePublicWiFi”, “Starbucks” or some other SSID that’s open and inviting? Or it might be an incidental connection. Many of these residential access points that you can purchase from Best Buy are set up to work right out of the box or with minimal configuration. Often people don’t think to change the SSID of the device. How many “Linksys” SSIDs do you still see today? Most people have their Wi-Fi settings configured to automatically connect to their home’s SSID whenever in range. So what do you think happens when that wireless card sees the home’s SSID when the user is at work? Now, if the user is plugged into the corporate network and connected to a rogue device at the same time, the computer is dual-homed. It’s essentially acting like an open bridge right into the network. Unknowingly, the user can be passing domain credentials and other nuggets of information that would help the hackers get deeper into the network.

Another bad guy trick that is still somewhat effective in heavily congested areas is to set up an access point (physically) close to the company and use their SSID on this device, but not have any security on it. This is typically the easiest to detect as the signal on this device is usually not as strong as the ones inside the company’s walls, as well as other detection criteria that I’ll discuss down the road.

There are certainly a large number of topics that need to be studied to successfully ROUTE exam to help you better prepare for this portion of the 642-902 exam.

I hope that this article will give you some direction when studying IPv6 for the Cisco ROUTE exam. Let’s take a brief look at the main topics that you will have to be familiar with to be successful with the IPv6 material that is covered on the ROUTE exam.

IPv6 Address

The IPv6 address is a whole new beast compared to the much more familiar IPv4 address that has been used for the last 30 years; it is 128 bits, is notated in hex and just looks confusing. When studying for the ROUTE exam, it is very important to be familiar with the IPv6 address, its structure and how it can be notated; keep in mind a single IPv6 address can be notated a number of different ways using substitution and omission rules. Be familiar with all of these as questions will be asked about this specifically.

The other part of IPv6 addresses that will definitely be on the ROUTE exam is how to enable IPv6 routing and configuring IPv6 addresses (statically and dynamically). IPv6 addresses can be assigned in a number of ways including methods that are not provided with IPv4 (stateless autoconfiguration), make sure to be familiar with these for the exam.

IPv6 Address Types

If you’re familiar with IPv4, then you’re used to seeing unicast, multicast and broadcast address types. IPv6 makes use of the unicast and multicast address types in the same ways as IPv4; it does however differ in that it does not support broadcasts. The duties that have traditionally used the broadcast address type in IPv4 have been substituted either by directed unicast or the new Anycast address type. The Anycast address type is used to locate and use the closest device utilizing the anycast address.

Inside these three main address type categories there are also sub-types that a candidate must be familiar with including: Global Unicast Addresses, Link-Local Addresses, and Site-Local Addresses.

IPv6 Routing Protocols

Just as a candidate must be familiar with IPv4 routing protocols they must also be familiar with IPv6 routing protocols. Most of the concepts that have been learned for these protocol implementations using IPv4 are the same so learning the additional requirements for an IPv6 implementation should not be that much of a stretch. Make sure to reserve some amount of time to configure these concepts in a lab environment (or dynamips).

IPv4/IPv6 Address Transition

Part of a wider scale implementation of IPv6 is transitioning IPv4 networks to IPv6 and providing a communications method between IPv4 and IPv6 devices. There are a number of different methods that can be used to provide this capability; many of these are covered in the ROUTE exam. The following topics are covered on the exam; ensure a familiarity with the concepts and application (configuration) of these concepts.

• Dual Stack
• Manual IPv6 Tunnels
• GRE Tunnels
• 6to4 Tunnels
• IPv4 Compatible Tunnels
• ISATAP Tunnels
• NAT-PT

Summary

Hopefully, the content in this article will help you get a good direction when studying for the IPv6 portion of the Cisco ROUTE exam. Keep in mind that while there is a lot of material covered on this exam, it is an achievable task and can be completed successfully.

Implementing Cisco UCS Training

Installing and configuring UCS blades like Jason Nash is not a process made for newbies, but with some solid knowledge of Cisco networking and VMware virtualization learning the skills of a Cisco Data Center Unified Computing Support Specialist is definitely feasible. Jason’s Cisco Unified Computing System training will show the IT pro with a diverse skill set how to implement with UCS technology from start to finish. Here are some highlights:

• Configuring LAN & SAN Connectivity
• Pools and Service Profiles
• UCS Architecture and Components
• DCUCI Exam Coverage

Capitalize on your cross-platform skill set with Implementing Cisco UCS Training.

Implementing Cisco Unified Computing System Training: Available Now

This course has benn authored by VCDX #49 and vExpert Jason Nash to train professionals that are already using Cisco and VMware in an emerging technology. Implementing Cisco UCS Training will expand cross platform skill sets to help experienced IT pros turn into sought-after, certified experts.

The course is aimed at preparing students for the Cisco Data Center Unified Computing Support Specialist exam (642-994). Video lessons address Cisco UCS concepts in the context of GUI and command line, and Jason Nash even demonstrates in a live server room how to work with UCS server blades. Students ultimately learn the best practices of Cisco UCS implementation from start to finish. Here are some of the key lessons:

• UCS Architecture & Components
• Configuring Connectivity
• Routine & Advanced Management of UCS
• Pools and Service Profiles

Certified Instruction

Instructor Jason Nash holds over 15 years of experience in IT and also made our vSphere Security Design Training course. As a recognized leader in the virtualization field, Jason’s learning environment combines networking expertise with critical business awareness in order to emphasize the opportunities provided by knowledge in multiple fields. Watch a video where Jason Nash explains the future of IT specializations.

If you are looking to take your Cisco and VMware experience to the next level, this cross-platform Implementing Cisco UCS course will help distinguish you as a certified expert who is competitive in the job market.

Once you turn on tracking protection, not all third-party content is necessarily blocked. You may want to use lists to keep track of content you want to block. Lisa simulates what Active X filtering does to sites while browsing, and how to use filtering to allow only certain content to be displayed.

PKI is an asymmetric, or 2-key, encryption system containing a public key and a private key verified by a digital certificate. Lisa explains the role that certificate authorities play in authentication, as well as how to identify digital certificates.

Break into IT Security with CompTIA Security+

CompTIA Security+ Training has been totally re-designed by Lisa Szpunar to keep up-to-date with the SY0-301 certification exam from CompTIA. The course is much more than a piecemeal update with new videos, but rather an entirely new course that covers all the key fundamentals of network security, including:

• Cryptography Concepts and Tools
• Malware Prevention and Cleanup
• Application, Data and Host Security
• Everything to Pass the Security+ Exam!

Take your networking knowledge to the next level with CompTIA Security Plus Training.

CompTIA has updated their security exam (SY0-301), and as of the end of 2011 the SY0-201 Security Plus exam will not be available to take. While certain security concepts and applied knowledge will still be relevant to new security standards, the career benefits of current CompTIA Security Plus certification are significant.

CompTIA Security Plus Training: Now Available

The new CompTIA Security Plus Training course is much more than a series of updates that correspond to requirements of the new exam. This course has been fully re-created to make sure you have all the information you need to pass the exam.

The SY0-301 exam can also open doors to jobs with attractive organizations that hire for positions, such as security architect, security engineer, and network administrator that require up to date certification for consideration, according to CompTIA.

Some of the key lessons in this re-created course are:

• Network Security Compliance
• Operational Security
• Threats and Vulnerabilities
• Application, Data and Host Security
• Access Control and Identity Management
• Cryptography Concepts and Tools

You will also learn about essential types of attacks, as well as malware prevention and cleanup. There is also a strong focus on secure network administration best practices including disaster recovery planning and securing of applications. Ultimately, all the lessons make up comprehensive preparation for updated CompTIA Security Plus certification.

The course instructor is Lisa Szpunar, a former elementary school teacher, librarian, and network administrator. Lisa specializes in systems design and security with a Master of Science in Computer Science, CompTIA Security+ SY0-201 and SY0-301, A+, MCTS. Her unique background in education and techie expertise help make a fun and engaging learning environment for her students.

Take your networking skills to the next level with a certification and CompTIA Security Plus Training.

IPv4 has essentially run its course, as no significant changes have been made since the 1980s, and this creates a plethora of problems (security, scalability, etc.). The worldwide use of mobile devices has caused the available address space to quickly shrink. Joe discusses the part IPv6 will play moving forward.

CCNP ROUTE Training: IP Addressing, EIGRP, BGP & More

The CCNP ROUTE Training course from Cisco pro Joe Rinehart covers the wide range of networking topics covered in the ROUTE exam required for the CCNP. His stacked lesson plan goes in-depth with planning & design, configuration and troubleshooting with OSPF, EIGRP & BGP.

It’s time to advance your career and see the impact on your salary. Work towards a valuable certification with CCNP ROUTE Training.

Wireless Router Configuration

Configuring the wireless security on a router can vary from router to router but the general options are the same. There are three main security options that typically are supported on modern routers, these include (listed from least to most secure):

• Wireless Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA)
• Wi-Fi Protected Access2 – IEEE 802.11i (WPA2)

WEP typically requires that a key be entered on the router that will also be configured on the endpoint wireless devices. Routers that support WPA and/or WPA2 typically support two modes of operation: Personal Mode and Enterprise Mode. Personal Mode utilizes a passphrase (Pre-Shared Key – PSK) that is entered at both sides and is used to encrypt the connection. Enterprise Mode utilizes a connection to a remote authentication server which governs access onto the wireless network.

This article takes a look at the configuration of WPA2-Personal configuration on a Linksys WRT610N router. This router supports only WPA2 (with the current firmware) and this is the configuration that will be shown.

Configuring a Linksys WRT610N Wireless Router

The first step is to log in to the router and to click on the Wireless option and from here navigate to the Wireless security tab; the Wireless Security tab screen is shown in figure 1:

Figure 1: Wireless Security Tab Screen

On this screen, we are able to choose the security mode that is being configured. On this router WEP, WPA and WPA2 are supported; these options are shown in Figure 2:

Figure 2: Wireless Security Modes

As stated previously, we will focus on the configuration of WPA2-Personal. Once the WPA2-Personal security option has been selected, what type of encryption to use needs to be determined. The two options on this router include:

• Temporal Key Integrity Protocol (TKIP)
• Advanced Encryption Standard (AES)

Figure 3: Wireless Encryption Options

Once the encryption option is selected, a passphrase is entered which is also used by the wireless client devices; typically it is best that this passphrase is complex.

Windows 7 Wireless Configuration

When configuring a wireless connection on a Windows 7 machine, there are two different methods that can be used to set up the connection and choose an encrypting method. The first connection uses the parameters transmitted from an existing wireless router and the second connection is configured in preparation for a future connection to a wireless router and requires some additional configuration. Let’s take a look at both.

• Connecting to a Broadcasting Wireless Router

When a wireless network is broadcast from a wireless router and within range of a Windows 7 computer it is shown as a System Tray option, as shown in Figure 4:

Figure 4: Available Wireless Networks

As shown in Figure 4, there are two networks that are within range of this Windows 7 computer; when a specific wireless network is selected the option to connect is offered. If the connection is to be repeatedly used, a wireless network can also be set up to connect automatically.

Once the connect button has been selected, a dialog will be shown indicating the device is getting information from the wireless router; this dialog is shown in Figure 5:

Figure 5: Getting Information Dialog

In this example, the wireless router has already been configured with a passphrase (security key).  The dialog shown in Figure 6 will be displayed asking for this passphrase to verify permission to connect to the wireless network. When using this method of wireless network connection, the specific security mode is automatically gathered with the initial connection to the wireless router.

Figure 6: Passphrase Entry Dialog

Once the client has connected to a wireless network, it will be displayed in the System Tray; this is shown in Figure 7:

Figure 7: Connected Wireless Network

• Configuring a Non-Local/Not Broadcasting Wireless Network Connection

The second method that is used to configure a wireless network connection is to manually configure a device to connect to a specific wireless network that is either not local or is not broadcasting. The intial setup for this type of configuration is to goto the Network and Sharing Center; this is shown in Figure 8:

Figure 8: Network and Sharing Center

From this screen, the Manage Wireless Networks option in the upper left corner needs to be selected; this will bring up the screen shown in Figure 9:

Figure 9: Manage Wireless Networks

From this screen, a Windows 7 device can be configured to support a number of different wireless networks. To configure a new network select the Add option; once this is selected the screen shown in Figure 10 will be displayed.

Figure 10: Add a Wireless Network

Once this screen is displayed, select the option to Manually Create a Network Profile; once this is selected the screen shown in Figure 11 will be displayed.

Figure 11: Manual Wireless Connection Options

Once this screen is displayed, the wireless network name and security settings will be configured; the available security type options are shown in Figure 12:

Figure 12: Manual Wireless Connection Security Type Options

The settings that are configured on this screen must match those already configured on the connecting wireless router or a connection will not be established. Windows 7 supports all of the available wireless security types and can be configured to connect to any standard router.

Summary

The configuration of a wireless connection with proper security can be daunting for the inexperienced user.  With modern standards, the use of a passphrase that can be entered rather simply on both the wireless router and the end device allows anyone the ability to properly set this up within a short period of time. Hopefully, the steps outlined in this article enable this process to be even easier and provide a more secure wireless option.

Jason presented two sessions related vSphere this year, one of them on using the Nexus 1000v. In this brief interview, he goes on to talk about how conference attendees should take advantage of unique opportunities only possible at VMworld, such as direct Q&A with employees of companies like VMware and Cisco. He’s also looking to get involved in a variety of writing projects related to vSphere how-to content, networking tutorials, reviews and anything that might spark some interest in the online IT community. On Jason Nash’s blog you can find great resources, like his vSphere 5 101 series. Follow him on Twitter @nash_j.

There are three things to keep in mind regarding redundancy:

• Access Point Redundancy: AP coverage through good wireless design
• WLAN Controller Redundancy: N+1, N+N and N+N+1 Controller Redundancy
• Infrastructure Redundancy: LAG (Link Aggregation), Path Redundancy, Routing Redundancy and Disaster Recovery Sites

Joe has close to 15 years of experience deploying networks with Cisco equipment for Fortune 500 companies, and also using that real-world knowledge in training settings. This lesson offers a perspective on how these vital wireless network redundancy principles take effect in physical environments.

Accelerate Your Career with CCNA Wireless Training

Our Cisco CCNA Wireless Training course offers certification-ready instruction in a specialized avenue of Cisco netwoking. As more organizations are looking to expand infrastructures to accomodate users with secure wireless networks, certified wireless pros are sought after the overwhelming majority of the time. This course not only prepares you for the topics covered in the CCNA Wireless exam, it focuses on a foundation in wireless LAN fundamentals & practical application:

• Wireless Seceurity Considerations
• Wireless LAN Design Principles
• Cisco Wireless Architecture
• WLAN Troubleshooting
• Exam Prep: Implementing Cisco Unified Wireless Network Exam (IUWNE) 640-721

Find out how you can set yourself apart by studying with Joe Rinehart and Cisco CCNA Wireless Training.

Available Now: Cisco CCNA Wireless Training

Create a spot on your resume as a network administrator specializing in implementing wireless networks with Cisco CCNA Wireless Training. A professional certification track leading to a proficiency with wireless technologies is worth considering, especially if you already have Cisco experience and the CCNA certification.

This course delivers a foundation of WLAN and RF theory before showing you how to set up your own simple lab to develop a familiarity with the Cisco Unified Wireless environment. The course focuses on a solid fundation intially because according to instructor Joe Rinehart, “if the network isn’t stable and operational, working the way it needs to, then introducing wireless onto it is going to be more difficult.” Watch a video interview with instructor Joe Rinehart to learn more: Joe Rinehart talks about his CCNA Wireless training.

If you’re looking for a useful avenue that will benefit your career, a CCNA Wireless certification can set you apart from the competition.

In our latest Cisco CCNA Wireless Training course, students can expect practice with wireless architecture, system configuration and operation that also serves as prep for the Implementing Unified Wireless Network Essentials (IUWNE) 640-721 exam. The key fetures covered in the course’s 15 lessons include:

• Wireless LAN Fundamentals
• Wireless Security Considerations
• Wireless LAN Basic Design Principles
• WLAN Maintenance and Troubleshooting
• Overview of CUWN Products
• Exam Prep for CCNA Wireless 640-721 Exam

Certified Instruction

CCNA Wireless Training instructor Joe Rinehart (CCIE #14256, CCNA, CCNP, CCDA, CCDP, CCVP, MBA) has over 14 years experience with Cisco technology deploying for Fortune 500 companies, and training in business and educational settings. Joe also developed our CCNA Voice Training and runs a Cisco User Group in Seattle, so he understands what different users are experiencing working with Cisco.

Enhance Your Skills by Learning Cisco Wireless

This course will teach you how to implement a Cisco Unified Wireless Network with enough confidence to pass the 640-721 exam. Learn more about how to take your professional skills to the next level with Cisco CCNA Wireless Training.

To provide redundancy at the network layer a few approaches can be considered. The most famous protocols used for router redundancy are Cisco’s proprietary HSRP: Hot Standby Routing Protocol and IETF standardized VRRP: Virtual Router Redundancy Protocol. Both protocols have the same concept. They utilize virtual IP addresses shared across several gateways within a network. Only a single gateway at a time can acquire and utilize a virtual address. In case of failure, the virtual address is undertaken by another gateway so that service is never discontinued.

In the past I have described in detail the HSRP protocol. You can refresh your memory and learn more about it in my article on how to achieve network redundancy with HSRP.

In this article we will focus on VRRP which is a standardized protocol used across multivendor routers, although Cisco also supports it. It is the only network layer redundancy protocol that can be used in a network with multivendor routers, so it is very important to get familiar with it.

VRRP Terms

The virtual Router Redundancy Protocol (VRRP) is defined in IETF standard RFC 2338. Before looking into the details of VRRP’s functionality you should get familiar with the following terms related to VVRP:

• VRRP Router: A router that runs VRRP protocol. It may participate in one or more virtual routers.
• Virtual Router: From the Client’s perspective, the virtual router represents the default gateway for hosts within a LAN. It utilizes a Virtual Router Identifier (VRID) within a given LAN subnet and exchanges VRRP protocol messages with other Virtual Routers within the same LAN in order to decide upon the selection of Master and Backup Virtual Routers.
• IP Address Owner: The VRRP router that owns the Virtual Router’s IP address as real interface address and respond’s to clients ARP request for this address.
• Primary IP: VRRP Advertisements are always transmitted using this IP address as source IP address. It is the physical IP address assigned on an interface or VLAN participating in VRRP.
• Master VR: The Virtual Router that is currently elected as master. It is the Virtual Router that serves clients within the specific shared LAN.This VR is the current owner of the Virtual IP address.
• Backup VR: The Virtual Router or set of Virtual Routers that behave as backup routers for the IP address(es) associated with them. The Backup VR immediately takes over the responsibilities of the VR when the Master fails.
• VRID: The Virtual Router Identifier field of the VRRP packet. It has only local significance (within a single LAN) and it is only used for differentiating exchange of messages between Virtual Router instances in a given LAN. It can take a number between 1 and 255.
• Priority: The priority field within the VRRP packet indicates the sending VRRP Router’s priority for the Virtual Router. It can take any value between 0 (which means no participation in VRRP Master election) and 255 (which means that the router owns the IP address associated with the VR). The VR with the highest priority is elected as the Master VR. The default Priority for VRRP routers backing up a VR is 100.

VRRP Message Interaction

One major difference compared to HSRP which is worth telling is the fact that only the VRRP Master VR transmits periodic VRRP messages. This is a major difference compared to HSRP, where, the later specifies that both Master and Backup exchange VRRP messages. We should now examine the VR’s operation on both Master and Backup roles.

VRRP Master

While in Master state, the Virtual Router operates as the default gateway of end-users within the LAN. It responses to ARP requests for the IP address associated with the VR. While in Master state, the VR has to periodically send VRRP Advertisements. The Advertisement Internal is manually configured. By default the advertisement interval is set to 1 second. The Master VR, in case it receives a VRRP Advertisement, it performs the following:

• If the received Priority is greater than the locally configured Priority, transition to the Backup state occurs.
• If the Priority is equal to the local Priority and the IP address of the sender is greater than the local primary IP address, then transition to the Backup state is initialized.

VRRP Backup

While in Backup state, the VR does not participate in any way in normal traffic. It monitors VRRP announcements from the Master and performs the following:

• If an announcement is not received (after a predefined time interval) then, transition to the Master State is performed. To do so, the Backup VR, broadcasts a gratuitous ARP request containing the VR MAC address of the IP address associated with the VR so that layer 2 devices update their forwarding table. From that point onwards, the previously backup VR is now the current master VR.
• By default, if a Backup VR is elected as Master VR and the previously Master (with higher Priority) becomes available, pre-emption takes place, i.e. the active master gives its place to the previous master. Pre-emption can be disabled.

VRRP Message Format

They say that a single picture is equivalent to a thousand words. Well, that is partly true. In our case, I guess, the following picture tells everything about the VRRP packet layout.

Pay attention to the following major characteristics:

• Sender’s source MAC address has the format 00-00-5E-00-01-[XX], where the “XX” consists of a two digit hexadecimal value equivalent to the VRRP Virtual Router Identifier (VRID). For example, a VRRP interface assigned the VRID 12 would have a MAC address of 00-00-5E-00-01-0C.
• Destination MAC address is equivalent the well known multicast address defined for VRRP which is 00-00-5E-00-01-12.

I have included some notes next to the marked items on the above diagram. It is all that you need to know about VRRP message content.

Major VRRP Commands

I would like to close the discussion about VRRP with the major VRRP Interface commands.

Vrrp [VRID] priority [value]
e.g. vrrp 1 priority 110

Vrrp [VRID] timers advertise [msec] [interval]
e.g. vrrp 1 timers advertise msec 500
e.g. vrrp 1 timers advertise 1 …….(seconds)

Vrrp [VRID] ip[ip address]
e.g. vrrp 1 ip 10.10.10.10

No Vrrp [VRID] preempt
e.g no vrrp 1 preempt

In this article we will examine everything you need to know regarding error message logging, reachability and routing troubleshooting as well as technical information collection from Cisco devices. Cisco has incorporated this section into the CCNP TSHOOT exam because it is extremely important to know what your troubleshooting tools can do and how to benefit from them. Learn them now so that you can apply them in real life tomorrow.

Cisco devices are like people; you need to listen to them. They can tell you important things about their hidden thoughts and worries. Always monitor your device logs at frequent intervals. In general, logged messages will assist you in identifying future problems. They will indicate active running malfunctions or even disturbances that happened during your off hours.

Cisco Troubleshooting: Message Logging Levels

The level of message logging is configurable. There are eight distinct levels of logging based on severity. Higher severity messages are given a lower level number. The following table presents these logging levels:

Things to Keep in Mind:

• The highest severity logging level is the “Emergencies” (level 0)
• The lowest severity logs are the “Debug” (level 7)
• Enabling a logging level automatically activates logging of higher severity levels. For example if you configure logging level “3″ then all messages falling into levels zero (0) up to three (3) are logged.

Message Logging Methods

There are four different methods of logging messages in Cisco devices. By default, logging of messages is enabled on the Console and on the device’s internal buffer. The four logging methods are:

• Console
• Internal buffer
• Virtual Terminal ( telnet session)
• Syslog server

The format of the Cisco command to enable logging is:

Logging [method] [level]

The following list displays the commands you need to use to configure each logging method:

• Logging console [level]: This command enables console logging (enabled by default). Use the no logging console command to disable it.
• Logging buffered [level]: This command enables logging of messages to the internal buffer (enabled by default). Use the no logging buffered command to disable it.
• Logging monitor [level]: Use this command to enable logging of messages towards virtual terminal sessions. On your telnet session use the terminal monitor commands to enable the display of messages on your terminal. The command terminal no monitor disables this feature. Also the command no logging monitor disables this logging method.
• Logging [ip address]: This command enables logging of messages towards a syslog server. You can specify several syslog servers by issuing separate commands with the ip address of each syslog server respectively.
• Logging trap [level]: Use this command to specify the level of messages transmitted to the syslog servers. The no logging trap command disables logging of messages to syslog servers.

Display Logging Configuration and Status

To display the configured logging methods and logging messages, issue the show logging privileged executable command. An example is shown below:

Troubleshooting with PING and TRACEROUTE

Do not underestimate the power of the PING and TRACEROUTE commands. You need to know them for your exam preparation as well.

• With the PING command you verify reachability with the remote device. By default, PING sends five ICMP echo requests to the destination IP address expecting to receive an ICMP echo Reply within a time interval of 2 seconds to each request.
• With the TRACEROUTE command you find the path taken to reach a specific destination. It can be used to verify reachability as well. It can provide important information regarding possible network bottlenecks.

Take a look at my article on how to troubleshoot your connections with Ping and Traceroute to learn more.

Important “Show” Cisco Commands

When it comes to identifying hardware problems or service malfunctions, you need to know the basic Cisco commands to use in order to diagnose the problem. Moreover, these are the commands that Cisco experts would ask from you in case you have a maintenance agreement with them, so it is necessary to know them.

When suffering from performance degradation, the following commands are the first to consider:

• Show interfaces
• Show buffers
• Show processes cpu
• Show memory

When you come across IP protocol errors or connectivity errors, the outputs from the following commands need to be evaluated:

• Show ip protocol
• Show ip route
• Show ip interfaces
• Show ip access-lists
• Show ip traffic

There is a single Cisco command that collects a lot of information equivalent to issuing many “show” commands. I am talking about the show tech-support command.

There is another crucial command, a very important one. That is the show version command. This command provides the following important information:

• The installed IOS number and name.
• The system’s Bootstrap and installed BootLoader.
• The system’s uptime.
• The reason for the latest system’s restart.
• The date of the last restart.
• The image filename and stored location.
• Hardware information such as processor type, memory usage, controllers, DSPs, etc.
• The value of the configuration register.

Using Cisco Troubleshooting Tools

Cisco provides a variety of troubleshooting tools to help you identify and isolate potential hardware or software problems. Cisco expects know these tools inside-out. I have presented some of the basic troubleshooting commands in this article, but be sure to learn them well. You will definitely need them!

But, as in real life, “nothing good comes without a price.” Therefore, redundant links may cause frame loops within the network if there is no mechanism to detect these loops. One could ask: What are a few repeated frames within a segment? The answer is that they do not harm the network, but remember broadcast frames occur all the time in switched networks. These frames in bridging loops keep circulating forever. They are exponentially procreating, leading both network bandwidth and resources into starvation.

By the time you notice the problem, it’s too late, your infrastructure is falling down.

Prevent Loops with the Spanning Tree Protocol

IEEE standardized a solution (IEEE 802.1D) to prevent bridging loops in data networks and provide loop-free topologies. This standardized solution is called Spanning Tree Protocol (STP). In this Spanning Tree Protocol tutorial, I will present in simplest terms the operation of STP and indicate how this protocol prevents the creation of bridging loops.

What is Spanning Tree Protocol

As the name implies, STP, spans all switches in a network or subnet. All switches generate and process data messages called Bridge Protocol Data Units (BPDUs). The basic idea behind the exchange of BPDUs is for switches to identify redundant paths and by using the Spanning Tree algorithm, to ensure that there is no loop path in the network.

The STP algorithm is responsible for identifying active redundant links in the network and blocking one of these links, thus preventing possible network loops. The operation of STP is as follows:

• STP enabled switches exchange BPDU messages between them to agree upon the “root bridge;” the process is called Root Bridge Election.
• Once the root bridge is elected, every switch has to determine which of its ports will communicate with the root bridge. Therefore Root Port Election takes place on every network switch.
• Finally, Designated Port Election takes place in order to have only one active path towards every network segment.

Root Bridge Election

Spanning tree enabled switches need to have a common view of the whole network topology. In order to achieve this goal, they communicate between each other using standardized data messages called BPDUs, which are being transmitted using the standardized multicast layer 2 address 01-80-c2-00-00-00. These BPDUs contain various fields.

For the election of the Root Bridge (bridge is equivalent to Switch), the one that will be the initial point of reference, switches manipulate and analyze the Root Bridge ID and Sender Bridge ID fields. Both of these fields consist of a six byte MAC address header and a two byte Bridge Priority header. The switch with the smallest Bridge Priority is automatically elected as the Root Bridge. If Bridge Priority is the same on all switches then the switch with the smaller MAC address is elected as the Root Bridge.

By default all catalyst switches have the same Bridge Priority value (32,768). Let us say that we have three switches as shown in the figure below. All have the same Bridge Priority of 32,768. All switches start by sending BPDUs with a Root Bridge ID and Sender Bridge ID equal of their own. After a few message exchanges, the root election process converges and the Switch with the lower MAC (00-00-00-01-01-01) becomes the Root Bridge.

Learn more about the process of Root Bridge Election in this video from CCIE Chris Bryant: Video: The Root Bridge Election.

Root Port Election

Now that the Root Bridge is elected, every non-root switch has to select a root port, i.e. a port that has the best path towards the Root Bridge. The election of the Root port is determined by the four byte Root path Cost field within each BPDU. Here’s how whole concept is comprised:

• Every switch port has its own path cost based on the port’s bandwidth (equal to 1000Mbps divided by the port bandwidth in Mbps as specified in the original IEEE 802.1D standard).
• The higher the bandwidth, the lower the path cost across the specific port.
• The Path Cost is added to the received Root Path Cost for each BPDU received. Root switch has Root Path Cost of zero (0) for all its ports.
• The port with the lowest resulting Root Path Cost on every non-root switch is finally elected as the Root Port.

Here’s a schematic representation to help clarify this concept.

Learn more about the process of Root Port Election in this video from CCIE Chris Bryant: Video: Root Ports and Designated Ports.

Designated Port Election

The final step of the Spanning Tree Protocol’s computational process is the election of one Designated Port on each network segment. The election of the Designated Port is also based on the Root Path Cost. In case the two or more ports have the same Root Path Cost, the switch with the lower Sender Bridge ID wins and its corresponding port is selected as the segment’s Designated Port.

Any port which is not a Root Port or a Designated Port moves into the Blocking State where it cannot receive nor transmit frames, ensuring that the network is loop-free. Keep in mind that all ports of the Root Bridge are considered Designated Ports and can not be blocked. In our sample network design, the election of the Designated Port on every segment is shown below.

Learn more about the process of Designated Port Election in this video from CCIE Chris Bryant: Video: Root Ports and Designated Ports.

STP Convergence

Traditional Spanning Tree Protocol, by implementation, takes about fifty (50) seconds to adapt and converge to topology changes. In simple words, whenever a topology change occurs in the network (e.g. a link goes down-up), no frame forwarding takes place for about fifty seconds until STP convergences. This is a lot of time of inactivity especially in large networks where topology changes may happen relatively often.

Therefore, great caution needs to be taken where to activate STP. As a rule of thumb STP should be disabled on access ports. To do that you should set all access ports as portfast (meaning that these ports should be put immediately back in forwarding state and avoid the 50 seconds of blackout) and also enable bpdufilter on those ports so that they do not participate in STP.

The necessary commands on interface configuration level, that you need in order to achieve this are:

• Spanning-tree portfast
• Spanning-tree bpdufilter enable

Spanning Tree Protocol Resources

Now that you’ve seen the overview of how you can prevent loops with the Spanning Tree Protocol, continue your learning with these STP Resources:

• Cisco Switching and Spanning Tree Protocol (STP) Basics
• Video: So What Happens if I Turn STP Off?
• title=”STP in Action – STP Examples”>Video: STP in Action – STP Examples
• Video: STP Interface States
• Video: Rapid Spanning Tree Protocol (RSTP)

Today I will show you with the help of diagrams everything that you need to know about the various DHCP messages, their capabilities and their flow of sequence. Moreover, I will show you how to distinguish messages of the same type but with different scope. Mastering the DHCP protocol will not only help you conquer your CCNP TSHOOT exam, but will definitely help you understand and better operate your IP infrastructure.

Throughout this article we will assume that we are using DHCP Relays for forwarding DHCP messages and that two (2) DHCP servers exist in our sample configuration that support DHCP Failover (both running at the same time, sharing the serving load). Their IP addresses are 10.10.10.10 and 10.10.10.20.

A detailed DHCP protocol explanation as well as configuration paradigm can be found in my article on how to configure DHCP on Cisco IOS devices.

DHCP Initialization State

A DHCP client broadcasts a DHCP Discover message to acquire an IP address as well as various options such as static routes, default gateway, etc. This message reaches both DHCP servers.

The structure of the DHCP Discover message received on DHCP server 1 is shown below. Notice that:

• UDP port 67 is used for communication between the DHCP Relay and DHCP server.
• Relay agent IP address is included in the packet. Without this, the DHCP server wouldn’t have a way to match the client’s subnet and allocate a proper IP address.
• Client’s MAC address is stored on the DHCP server so that an allocated IP address always relates with a MAC address.
• Requested IP address is an optional parameter used by the client indicating its desire to use this specific IP address.
• More optional parameters can be requested through the use of option 55 ( specifies a request list).

• The DHCP Discover message that reaches DHCP server 2 is shown below. The only difference is that the destination address belongs to the second DHCP server.

Selecting State

Based upon a special algorithm, our DHCP servers must decide which one of them will server the client’s request. Do not worry, you do not need to know how this calculation is performed. Only the winning server is allowed to offer an IP lease and option parameters to the client.

In our example, DHCP server 2 with IP 10.10.10.20 is offering to the client the IP address 10.228.217.184. You can see this information by looking at the “ Your (client) IP address” field in the DHCP Offer message presented below:

Looking at the DHCP Offer message one could see that the offer includes various options besides the IP address and subnet mask assignment. In out example these options are:

• Server Identifier field used by the Client during the Renewing state in order to renew its lease.
• IP Address lease time indicates the duration that the lease is consider to be active.
• Renewal time value indicates the remaining time before entering into the Renewal State, where the client should try to renew its lease. By the standard this time is equal to 50% of the lease time.
• Rebinding time value indicates the remaining time before moving into the Rebinding state. The client will enter this state only if it couldn’t renew its lease. In the Rebinding state it will try to extend its lease by broadcasting its request. This value, by default, is equal to the 87,5% of the IP address lease time.
• Classless static routes, default router, etc, are issued by the server so that no manual configuration is needed on the Client for setting up network and service connectivity.

Requiring State

The Client evaluates the server’s offer and upon accepting that offer, it broadcasts a DHCP Request message in order to indicate its intention to request and acquire that offer to all DHCP servers. (The DHCP Relay server constructs separate DHCP unicast messages and forwards them to each one of the DHCP Servers). The DHCP Request that reaches DHCP Server 1 is the following:

Rebinding State

If the client’s attempt to renew its lease fails and the Rebinding time value has been reached, the client moves into the Rebinding state. DHCP Broadcast requests are initiated by the client in order to renew its lease. Observe on the following figure the fact that the client includes its current IP address within the DHCP Request message in order to indicate to the server that this is a request for Renewing its lease.

Wasn’t that exciting!

Somewhere here, we have reached the end of this article. I hope you found it interesting and useful. Even if you didn’t like it, I advise you to bookmark this page because “Never say Never”. Life is so unpredictable and some day you might need this info.

The reason that these tools are used by higher level engineers is not because the tools are hard to use, but because the interpretation of the information that is obtained from them requires a higher level of networking knowledge. This article covers the top 5 advanced network troubleshooting tools that can be used to obtain different levels of network information that can be used to troubleshoot higher level networking problems.

5. Nmap (zenmap)

The nmap utility is one of the most versatile of network tools that is available. Regardless of how much experience a network engineer has, the nmap utility should always be available. Just a few of the things that can be done with nmap include:

• port scanning (TCP/UDP),
• version detection,
• OS detection,
• ping sweeps.

These different capabilities make it possible to do everything from a simple single host port scan to an entire network sweep for host detection and auditing purposes. The number of tasks possible through nmap is really left to the imagination of the user, more information can be found at the nmap website.

While the nmap tool itself is command line based, a GUI has also been developed called zenmap that can be used to make the configuration of nmap considerably easier. Both the nmap command line tool and zenmap are available on a number of different platforms including Windows, Linux (many flavors), *nix (also many flavors) and Mac OS X. Figure 1 below shows the zenmap GUI with results from a simple scan of a Linksys router from an inside interface.

Figure 1: Zenmap GUI

4. Wireshark/tcpdump

Another one of those essential network troubleshooting tools that should be in the bag of utilities of any experienced engineer is a packet scanner. The most basic of functions that is provided by a packet scanner is the ability to capture and analyze individual packets that are sent across a network.

Wireshark includes many different functions that provide the ability to perform a number of different analysis including filtering by conversation (i.e. IPv4, TCP, UDP..) and
protocol analysis (HTTP, VoIP protocols (RTP, SIP, H.225..).

Tcpdump is another packet scanner that is available that provides the ability to analyze network traffic and is very easy to configure. Tcpdump is used on a Linux machine (various flavors) and is available for Windows as Windump.

Figure 2 below shows the wireshark GUI that is available for a number of different OS’s including Windows, Linux, and Mac OS X.

Figure 2: Wireshark GUI

3. InSSIDer

When troubleshooting or designing a wireless network, it is vital that some analysis be done on the currently available and used channels being used at specific locations within a network. As the 802.11b, g, and n standards all use the 2.4 GHz range and are limited to only 3 nonoverlapping channels, it is important to determine what networks are using these channels. If more than one network is attempting to use the same channel (or a channel that overlaps), the wireless network will be affected.

The 802.11a and n standard use the 5 GHz range; when using this range there are many more available channels that do not overlap with each other. The inSSIDer utility can be used to not only scan for different networks within the 2.4 and 5 GHz ranges but also list the current signal strengths of different wireless networks within range.

Figure 3 below shows an example of inSSIDer in use scanning the 2.4GHz range and showing how the various wireless channels overlap.

Figure 3: inSSIDer

2. Syslog Server (KLog)

While it may not seem like a normal utility to recommend, a syslog server can be used as an important tool when troubleshooting network troubles. This is true especially when the cause of a networking issue has been hard to determine.

In large organizations, often a network management system is put in place automatically which allows all of the network elements to record network events (i.e. interfaces going up and down, CPU utilizations, memory utilizations). This can then be used as a historical reference when troubleshooting a network problem. In smaller organizations, this type of system is typically too expensive to justify and is thus not installed.

A simple syslog server can be installed in the field to receive network events from key network elements. This information can then be recorded over time and help in determining the cause of a networking problem.

Figure 4 below shows an example of the KLog syslog server.

Figure 4: Klog syslog server

1. PTRG Network Monitor

Finally, the last of the five recommended networking troubleshooting tools includes the PTRG network monitor (there are others as well). This utility offers the ability to track the status of different sensors over a period of time; these sensors monitor anything from simple reachability (ping) to the response time of specific services (i.e. HTTP or POP).

Along with the implementation of a syslog server, this utility can monitor not only the different messages send from different network elements but also can monitor the status of these various servers run on network elements. As with most of these tools, there are a number of different configuration options that are available that can all be used and customized to the needs of a specific situation.

Figure 5 below shows an example of the PTRG network monitor screen when monitoring HTTP live over a period of 2 hours and running. The free version of PTRG network monitor provides the ability to monitor up to 10 sensors.

Figure 5: PTRG network monitor

Summary

As with all of these types of articles, the contents are subjective; if any utilities were not listed that you believe should be included in this list please comment and leave links to these utilities. Hopefully, the information about the different network troubleshooting tools in this article will help IT pros to keep on hand when troubleshooting network issues.