
Sunday, October 6, 2013

Synchronize a Cisco router's clock with Network Time Protocol (NTP)

It's critical that all devices on an organization's network display the accurate time and date. If they don't, things can go wrong in a hurry. David Davis explains why Cisco devices need to use Network Time Protocol (NTP) for their time synchronization needs, and he tells you how to configure NTP on your Cisco devices. 
Whether you're working with a server, router, switch, firewall, or PC, it's imperative that all devices on your organization's network exhibit the correct time and date. If this critical information isn't accurate, a variety of things can go wrong.
That means event logs and firewall logs can be incorrect, you might not be able to tell when your router rebooted, and/or Windows devices may not be able to log in to the domain. The fact that Microsoft has integrated the Windows Time Service into its products only underscores the importance of proper time synchronization.
Cisco routers have embraced the Network Time Protocol (NTP), a protocol designed to synchronize the clocks of computers over a network, for many years. NTP Version 3 is a standard—formalized in RFC 1305—that uses the User Datagram Protocol (UDP) and port 123.
Unlike PCs or servers, Cisco network devices specifically need to run NTP to synchronize the time and date. That's because most Cisco devices don't have an internal clock.
For example, when a Cisco 2600 or 3600 series router loses power or the network administrator needs to reload it, the time and date are lost. Consequently, all log files, time-based access lists, or any other configuration based on time or date will either be incorrect or not work at all.
An NTP client synchronizes the time and date with an NTP server. The NTP server should be a reliable source, such as a time server on the Internet. A number of free public Internet time servers are available.
One example is the National Institute of Standards and Technology (NIST) Internet Time Service, which bases its time on an atomic clock. The NIST Web site also provides a list of the publicly available NIST Internet Time Servers on the Internet. In fact, you'll even find Microsoft on this list. The software giant runs its own free Internet time server—time-nw.nist.gov with an IP address of 131.107.1.10.
Known as stratum-1 time servers, these public Internet time servers obtain their time directly from a stratum-0 device: a reference clock such as an atomic clock, which is not itself an NTP server on the network. The greater the stratum of a server, the greater the distance between that server and the reliable time source.
To ensure that your network devices display the most accurate time, you need to configure the NTP protocol and link your devices to a reliable time source. To do so, you have a couple of options.
You could purchase a hardware time device that obtains the time via GPS or some other method. In effect, you're essentially creating your own stratum-1 time server. However, for most small to midsize companies, a better alternative is to opt for a free Internet time server.
In my organization, we use UNIX scripts that depend on the proper router date. We receive a morning e-mail that lists all router events that occurred the previous day. The scripts go to each router and use a command similar to show logging | include May 16 to gather the date, combine it in a file, and e-mail it to all network administrators.
So, when a router reboots, if no one has configured NTP, the command will find no data from that router. Nor is the command likely to ever retrieve data again, because the router reverts to its default date of February or March 1993.
Because of such possibilities, it's easy to see why it's imperative to configure NTP on your routers and switches. Configuring NTP on a Cisco IOS device is a relatively easy process.
Follow these steps:
  1. Choose the NTP server your devices will use.
  2. Find out the IP address for this server. It could be an external source such as NIST, or it could be an internal device that offers NTP services (such as a hardware device or software server from Symmetricom).
  3. Enter the following commands on the IOS device:
Router# configure terminal
Router(config)# ntp server <IP address of NTP Server>
  4. Verify the association with the server using the show ntp status and show ntp associations commands. Listing A offers an example of the output of these commands.
Before you get started, I'd like to point out a couple of things to keep in mind:
  • NTP is a slow protocol, and the formation of NTP associations can take a long time. So, don't expect anything to happen fast. You can keep an eye on it using the debug ntp <option> set of commands.
  • If you decide to use an Internet NTP server, make sure you open UDP port 123 inbound on your firewall to your NTP client.
For more information, as well as detailed instructions for the options you can enable with NTP, check out Cisco's "Configuring NTP" documentation.
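To make the protocol the article relies on concrete, here is an added example (not part of the original article and not Cisco's code) that encodes and decodes the 48-byte NTP v3 packet of RFC 1305 with the Python standard library and applies the sanity checks a client should run before trusting a reply: server mode, a valid stratum, no "clock unsynchronized" leap indicator, and an originate timestamp that echoes what the client sent. The server reply is constructed in memory so the example runs offline; no UDP packets are sent, and all function names are my own.

```python
# Added example (not from the article): the NTP v3 packet format the article
# refers to (RFC 1305, UDP port 123) encoded and decoded with the standard
# library, plus the sanity checks a client applies before trusting a reply.
# The server reply is CONSTRUCTED here so the example runs offline.
import calendar
import struct

NTP_PORT = 123                       # UDP port from RFC 1305
NTP_UNIX_DELTA = 2208988800          # seconds between the 1900 NTP epoch and the 1970 Unix epoch
NTP_HEADER = "!BBbbII4sIIIIIIII"     # the 48-byte NTP header (no authenticator)
MODE_CLIENT, MODE_SERVER = 3, 4


def unix_to_ntp(unix_seconds):
    """Unix time -> (seconds since 1900, 32-bit fraction)."""
    whole = int(unix_seconds)
    return whole + NTP_UNIX_DELTA, int((unix_seconds - whole) * 2**32)


def ntp_to_unix(seconds, fraction):
    return seconds - NTP_UNIX_DELTA + fraction / 2**32


def build_client_request(transmit_unix, version=3):
    """Client packet: LI=0, VN=version, mode=3; only the transmit timestamp is filled in."""
    li_vn_mode = (0 << 6) | (version << 3) | MODE_CLIENT
    xmit_s, xmit_f = unix_to_ntp(transmit_unix)
    return struct.pack(NTP_HEADER, li_vn_mode, 0, 0, 0, 0, 0, b"\0\0\0\0",
                       0, 0, 0, 0, 0, 0, xmit_s, xmit_f)


def build_server_reply(request, stratum, reference_id, receive_unix, transmit_unix):
    """CONSTRUCTED server reply: echoes the client's transmit time as 'originate'."""
    li_vn_mode = (0 << 6) | (3 << 3) | MODE_SERVER
    orig_s, orig_f = struct.unpack("!II", request[40:48])   # client's transmit timestamp
    recv_s, recv_f = unix_to_ntp(receive_unix)
    xmit_s, xmit_f = unix_to_ntp(transmit_unix)
    return struct.pack(NTP_HEADER, li_vn_mode, stratum, 6, -20, 0, 0, reference_id,
                       recv_s, recv_f,    # reference timestamp (last clock update)
                       orig_s, orig_f,    # originate = client's transmit
                       recv_s, recv_f,    # receive
                       xmit_s, xmit_f)    # transmit


def parse_packet(data):
    """Decode the header fields a client cares about."""
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    (li_vn_mode, stratum, _poll, _precision, _root_delay, _root_disp, ref_id,
     _ref_s, _ref_f, orig_s, orig_f, recv_s, recv_f, xmit_s, xmit_f) = struct.unpack(NTP_HEADER, data[:48])
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "reference_id": ref_id,
        "originate": ntp_to_unix(orig_s, orig_f),
        "receive": ntp_to_unix(recv_s, recv_f),
        "transmit": ntp_to_unix(xmit_s, xmit_f),
    }


def is_usable_reply(info, sent_unix):
    """Reject replies that are not server mode, carry an invalid stratum, signal an
    unsynchronized clock (LI=3), or do not echo the timestamp we sent."""
    return (info["mode"] == MODE_SERVER
            and 1 <= info["stratum"] <= 15
            and info["leap"] != 3
            and abs(info["originate"] - sent_unix) < 1e-6)


def clock_offset(t1, t2, t3, t4):
    """RFC 1305 offset of the server clock relative to ours:
    t1 = our send, t2 = server receive, t3 = server send, t4 = our receive."""
    return ((t2 - t1) + (t3 - t4)) / 2


def exchange_example():
    """One round trip with a constructed stratum-1 server whose clock is 4 s ahead of ours."""
    t1 = calendar.timegm((2013, 10, 6, 12, 0, 0))  # our clock when we send (constructed)
    request = build_client_request(t1)
    reply = build_server_reply(request, stratum=1, reference_id=b"NIST",
                               receive_unix=t1 + 5, transmit_unix=t1 + 5)
    t4 = t1 + 2                                     # our clock when the reply arrives
    info = parse_packet(reply)
    return {
        "usable": is_usable_reply(info, t1),
        "stratum": info["stratum"],
        "offset_seconds": clock_offset(t1, info["receive"], info["transmit"], t4),
        "request_is_not_a_reply": is_usable_reply(parse_packet(request), t1),
    }


if __name__ == "__main__":
    print(exchange_example())
```

The originate-timestamp check is the part worth noticing: a reply whose originate field does not match the request is discarded, which is the only protection NTP v3 offers against unsolicited or stale responses when no authentication key is configured.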
David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

Sunday, September 22, 2013

Understanding Spanning-Tree Root-Port Election

STP root port selection follows this sequence of FOUR conditions:

1. Lower Root Bridge ID
2. Lower Path Cost to the Root bridge.
3. Lower sending Bridge ID
4. Lower Sending Port ID
Lab1:
[Figure: case-1-1.png (Lab 1 topology)]
The root path cost on both fa0/1 and fa0/2 of SW4 is the same.
Before looking at the port ID, SW4 compares the BIDs of SW2 and SW3 (its neighbouring switches). SW2 advertises a better BID than SW3: the BID is priority + MAC address, and since SW2 and SW3 both have priority 32769, the MAC address decides. The MAC address of SW2 (0010.11BA.32CB) is lower than that of SW3 (0060.7011.98C3), so fa0/2 receives BPDUs with the better sender BID and fa0/2 becomes the root port:

SW2#show spanning-tree
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    4097
             Address     000A.F3CC.3EA1
             Cost        19
             Port        1(FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0010.11BA.32CB
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/1            Root FWD 19        128.1    P2p

SW3#show spanning-tree
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    4097
             Address     000A.F3CC.3EA1
             Cost        19
             Port        2(FastEthernet0/2)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0060.7011.98C3
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Root FWD 19        128.2    P2p
Fa0/1            Desg FWD 19        128.1    P2p

Now let's configure the BID of SW3 to be better than the BID of SW2:

SW3(config)#spanning-tree vlan 1 priority 8192

Now the BID of SW3 is 8193:0060.7011.98C3, as shown by the show spanning-tree output of SW3 below, while the BID of SW2 is still 32769:0010.11BA.32CB. fa0/1 now receives the better BID from SW3, so fa0/1 is the root port of SW4, as the show spanning-tree output on SW4 below shows:

SW3(config)#do show spann
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    4097
             Address     000A.F3CC.3EA1
             Cost        19
             Port        2(FastEthernet0/2)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8193   (priority 8192 sys-id-ext 1)
             Address     0060.7011.98C3
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Root FWD 19        128.2    P2p
Fa0/1            Desg FWD 19        128.1    P2p

SW4#show spanning-tree
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    4097
             Address     000A.F3CC.3EA1
             Cost        38
             Port        1(FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0060.2F98.0E5A
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Altn FWD 19        128.2    P2p
Fa0/1            Root FWD 19        128.1    P2p

Lab2:
[Figure: case2.png (Lab 2 topology)]

SW1 is the root bridge. Remember that all ports of a root bridge are designated ports, never root ports, as shown by the following output:

SW1(config)#do show spa
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     0006.2A94.4A8D
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     0006.2A94.4A8D
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/10           Desg FWD 19        128.10   P2p

let's see with SW2:

SW2 chooses fa0/10 as its root port and fa0/1 as a blocked port.
How does SW2 choose fa0/10 as the root port?

SW2 needs to pick a single root port to reach the root bridge SW1. After electing SW1 as the root bridge, SW2 evaluates the root path cost. Because both SW2:fa0/1 and SW2:fa0/10 have the same cost toward the root bridge, there is a tie. To break the tie, SW2 considers the sending BID it receives over both links. But both ports are connected to the same bridge, so SW2 receives the same sending BID on both links, which is another tie. Finally, SW2 evaluates the port ID received in the configuration BPDUs on both ports. SW2:fa0/1 receives the port ID of SW1:fa0/10, and SW2:fa0/10 receives the port ID of SW1:fa0/1. SW2 chooses the lower value, so fa0/10 becomes the root port while fa0/1 is blocked.
So it is the received values that are used here. SW2 does not evaluate its own BID and port ID; it looks at the values contained in the BPDUs received from SW1.

SW2(config)#do show spann
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     0006.2A94.4A8D
             Cost        19
             Port        10(FastEthernet0/10)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00D0.FF26.2375
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Altn BLK 19        128.1    P2p
Fa0/10           Root FWD 19        128.10   P2p

The port ID is the port priority + the interface number.
To ensure that fa0/1 of SW2 becomes the root port, we increase the port-priority value of fa0/1 on SW1 (a higher value makes the port ID SW2 receives worse):

SW1(config)#int fa0/1
SW1(config-if)#spanning-tree vlan 1 port-priority ?
  <0-240>  port priority in increments of 16
SW1(config-if)#spanning-tree vlan 1 port-priority 240

Verify the priority of fa0/1 on SW1:
SW1(config-if)#do show span
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     0006.2A94.4A8D
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     0006.2A94.4A8D
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        240.1    P2p
Fa0/10           Desg FWD 19        128.10   P2p

As expected, on SW2 fa0/1 is now the root port and fa0/10 is the blocked port: fa0/1 receives the lower port ID 128.10 from SW1's fa0/10, while fa0/10 receives the port ID 240.1 from SW1's fa0/1, as shown by the following output:

SW2#show spanning-tree 
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     0006.2A94.4A8D
             Cost        19
             Port        1(FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00D0.FF26.2375
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/10           Altn BLK 19        128.10   P2p

Lab3:
[Figure: case3.png (Lab 3 topology)]

SW1 is the root bridge and it is connected to SW2 via a hub.

Since SW1 is the root bridge, all of its ports are in the designated role, as shown in the following output:

SW1#show spanning-tree 
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     00E0.B0D2.5A23
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     00E0.B0D2.5A23
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    Shr


Let's look at SW2: fa0/2 is the root port while fa0/3 is a blocked port:
SW2#show spanning-tree 
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     00E0.B0D2.5A23
             Cost        19
             Port        2(FastEthernet0/2)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00D0.BA83.2AA4
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Root FWD 19        128.2    Shr
Fa0/3            Altn BLK 19        128.3    Shr

Let's look at SW2, which is the interesting case.
SW2 needs to select one root port. After electing SW1 as the root bridge, SW2 evaluates the root path cost. Because both SW2:fa0/2 and SW2:fa0/3 have the same cost toward the root bridge, there is a tie. To break the tie, SW2 considers the sending BID it receives over both links. But both ports are connected to the same root bridge, so SW2 receives the same sending BID on both links: another tie. SW2 then evaluates the port ID received in the configuration BPDUs on both ports. SW2:fa0/2 receives port ID 128.1 from SW1:fa0/1, and SW2:fa0/3 also receives port ID 128.1 from SW1:fa0/1. There is yet another tie, because the sender port ID from SW1 is the same (128.1) on both ports of SW2. To break this last tie, SW2 evaluates its own local port ID values (the lower port ID becomes the root port), so fa0/2 is the root port and fa0/3 is blocked.
Notice that this condition, "using the local port ID value as a tie-breaker", is not included in the four conditions described above.
 
STP Root port selection becomes:

1. Lower Root Bridge ID
2. Lower Path Cost to the Root bridge.
3. Lower sending Bridge ID
4. Lower Sending Port ID
5. Lower Local port-id

The fifth tie-breaker is the local switch port ID; the lowest is preferred.
This is the only case where the local port ID is used.
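The five tie-breakers can be checked mechanically. The following is an added example (my own code, not from the post) that models the root-port election as the minimum of a five-element key over the BPDUs a switch receives, then replays the three labs above using the bridge IDs, costs and port IDs taken from the show spanning-tree outputs. The class and function names are my own; the model assumes a uniform link cost of 19 and ignores everything in the BPDU that does not affect the election.

```python
# Added example (not from the original post): a model of the STP/RSTP root-port
# election that applies the five tie-breakers in order to the BPDUs a switch
# receives, replayed against the three labs above. Topology values come from
# the show spanning-tree outputs in the post; the code and names are mine.
from dataclasses import dataclass


def mac_to_int(mac):
    """'0010.11BA.32CB' -> integer, so MAC addresses compare numerically."""
    return int(mac.replace(".", ""), 16)


def bridge_id(priority, mac):
    """Bridge ID = (priority, MAC); tuple ordering matches the STP comparison."""
    return (priority, mac_to_int(mac))


@dataclass(frozen=True)
class Bpdu:
    """The fields of a received configuration BPDU that matter for the election."""
    root_bid: tuple        # bridge ID of the root the sender believes in
    root_path_cost: int    # sender's cost to that root
    sender_bid: tuple      # bridge ID of the sending switch
    sender_port_id: tuple  # (port priority, port number) of the sending port


def elect_root_port(received, link_cost=19):
    """
    received maps a local port ID (priority, number) to the BPDU heard on it.
    The root port is the minimum of the 5-tuple
      (root BID, root path cost, sender BID, sender port ID, local port ID);
    lower wins at each step, and a later element is consulted only on a tie.
    Returns the local port ID chosen as root port.
    """
    def key(item):
        local_port_id, b = item
        return (b.root_bid,
                b.root_path_cost + link_cost,   # cost as seen from this switch
                b.sender_bid,
                b.sender_port_id,
                local_port_id)                   # tie-breaker 5 (the hub case, Lab 3)
    return min(received.items(), key=key)[0]


def run_labs():
    """Replay the three scenarios from the post; returns the chosen root ports."""
    results = {}

    # Lab 1: SW4 hears the same root at the same cost from SW3 (on Fa0/1) and SW2 (on Fa0/2).
    root1 = bridge_id(4097, "000A.F3CC.3EA1")
    sw2 = bridge_id(32769, "0010.11BA.32CB")
    sw3 = bridge_id(32769, "0060.7011.98C3")
    results["lab1_before"] = elect_root_port({
        (128, 1): Bpdu(root1, 19, sw3, (128, 1)),
        (128, 2): Bpdu(root1, 19, sw2, (128, 2)),
    })
    sw3_better = bridge_id(8193, "0060.7011.98C3")   # after 'spanning-tree vlan 1 priority 8192'
    results["lab1_after"] = elect_root_port({
        (128, 1): Bpdu(root1, 19, sw3_better, (128, 1)),
        (128, 2): Bpdu(root1, 19, sw2, (128, 2)),
    })

    # Lab 2: SW2 has two links to the root SW1; only the sender port ID differs.
    sw1 = bridge_id(24577, "0006.2A94.4A8D")
    results["lab2_before"] = elect_root_port({
        (128, 1): Bpdu(sw1, 0, sw1, (128, 10)),   # SW2:fa0/1  <-> SW1:fa0/10
        (128, 10): Bpdu(sw1, 0, sw1, (128, 1)),   # SW2:fa0/10 <-> SW1:fa0/1
    })
    results["lab2_after"] = elect_root_port({     # SW1 fa0/1 now has port-priority 240
        (128, 1): Bpdu(sw1, 0, sw1, (128, 10)),
        (128, 10): Bpdu(sw1, 0, sw1, (240, 1)),
    })

    # Lab 3: both SW2 ports hang off a hub and hear the identical BPDU from SW1:fa0/1.
    sw1_hub = bridge_id(24577, "00E0.B0D2.5A23")
    same = Bpdu(sw1_hub, 0, sw1_hub, (128, 1))
    results["lab3_before"] = elect_root_port({(128, 2): same, (128, 3): same})
    results["lab3_after"] = elect_root_port({(128, 2): same, (16, 3): same})  # fa0/3 port-priority 16
    return results


if __name__ == "__main__":
    for name, port in run_labs().items():
        print(f"{name}: root port = priority {port[0]}, Fa0/{port[1]}")
```

Because the key is a tuple, Python's ordering does exactly what the switch does: it never looks at the sender port ID unless the sender BIDs are equal, and never at the local port ID unless the received BPDUs are identical, which only happens on a shared segment.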

To ensure that fa0/3 becomes the root port, we can either increase the port-priority of fa0/2 or decrease the port-priority of fa0/3.

Let's go:

SW2(config)#int fa0/3
SW2(config-if)#spanning-tree vlan 1 port-priority 16

Now fa0/3 is the Root port and fa0/2 is the Blocked Port as shown by the following output:

Switch#show spanning-tree 
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     00E0.B0D2.5A23
             Cost        19
             Port        3(FastEthernet0/3)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00D0.BA83.2AA4
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Altn BLK 19        128.2    Shr
Fa0/3            Root FWD 19        16.3     Shr


Notice that when the switch is connected through a hub, the link type displayed by show spanning-tree is Shr (shared).

By definition:
RSTP uses three Link Types. 
-Point-to-Point Link - This is connected to another switch. If a switchport is operating at full duplex and is receiving Hellos, then it is a Point-to-Point Link.
-Shared Link - This is connected to something like a hub. Hellos are being received but it is operating at half duplex.
-Edge - This is connected to an end-device. Equivalent to PortFast in traditional 802.1d.

Tuesday, August 20, 2013

EIGRP - Auto Summarization

I don't like auto-summarization, especially since you can always manually summarize networks as you please in EIGRP. But it seems to be enabled by default in all the IOS versions I use, and it's probably a good idea to know how it works for the lab.

EIGRP auto-summarizes at classful network boundaries. This means that if one interface is in 1.1.0.0/16 and another interface is in 2.2.2.0/24 then EIGRP will summarize the networks before advertising them out of the opposite interface. This is because each subnet belongs to a separate major classful network: 1.0.0.0/8 and 2.0.0.0/8 in this case.

However, if you have one interface in 2.2.2.0/24 and another interface in 2.3.0.0, then auto-summarization will not take effect, because both interfaces belong to the major network 2.0.0.0/8. EIGRP may auto-summarize for some networks and not others within the same EIGRP process. Here we take a look:

[R1]----[R2]

R1 and R2 are connected to the same LAN, 12.0.0.0/16.

R1 has two loopbacks:

R1#show run | section interface Loopback

interface Loopback0
ip address 1.1.1.1 255.255.255.255
interface Loopback1
ip address 12.1.1.1 255.255.255.0

R2 also has two loopbacks:

R2#show run | section interface Loopback

interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface Loopback1
ip address 12.2.2.2 255.255.255.0

All interfaces have EIGRP enabled with auto-summary on (the default).

R1's route table:

R1#show ip route | begin Gate

Gateway of last resort is not set
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.1/32 is directly connected, Loopback0
D 1.0.0.0/8 is a summary, 00:09:40, Null0
D 2.0.0.0/8 [90/156160] via 12.0.0.2, 00:09:34, FastEthernet0/0
12.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
D 12.2.2.0/24 [90/156160] via 12.0.0.2, 00:09:43, FastEthernet0/0
C 12.1.1.0/24 is directly connected, Loopback1
C 12.0.0.0/16 is directly connected, FastEthernet0/0
D 12.0.0.0/8 is a summary, 00:09:40, Null0

R2's route table:
R2#show ip route | begin Gate
Gateway of last resort is not set

D 1.0.0.0/8 [90/156160] via 12.0.0.1, 00:19:01, FastEthernet0/0
2.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 2.2.2.2/32 is directly connected, Loopback0
D 2.0.0.0/8 is a summary, 00:18:55, Null0
12.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C 12.2.2.0/24 is directly connected, Loopback1
D 12.1.1.0/24 [90/156160] via 12.0.0.1, 00:00:02, FastEthernet0/0
C 12.0.0.0/16 is directly connected, FastEthernet0/0
D 12.0.0.0/8 is a summary, 00:18:55, Null0
R2#


Analysis:

Looking at R1's routing table, you can see that R2 has summarized the route 2.2.2.2/32 into 2.0.0.0/8. This is because R2 sits on the boundary between two classful networks, 12.0.0.0 and 2.0.0.0. It does not summarize Loopback1, which is 12.2.2.0/24; this shows up on R1 with the 24-bit mask.

On R2 the same can be said for routes from R1. R1 summarizes its Loopback0 interface into 1.0.0.0/8 because it sits on the boundary between 1.0.0.0 and 12.0.0.0. It does not summarize 12.1.1.0/24.
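The classful rule above is simple enough to model. The following is an added example (my own code, not from the post and not how IOS implements it) that takes the EIGRP-enabled interface prefixes of a router and computes what it advertises out a given interface with auto-summary on, plus the Null0 discard routes that appear in the routing tables above. It also generalizes to classes A, B and C beyond the 1.x/2.x/12.x addresses in the post. The function names are my own, and the model assumes split horizon (a link's own prefix is not advertised back out of that link).

```python
# Added example (not from the original post): a model of EIGRP classful
# auto-summarization. Interface prefixes are those of R1 and R2 above; the
# function names are mine and the model covers only the rule the post describes
# (plus split horizon, so a link's own prefix is not echoed back out of it).
import ipaddress


def classful_network(address):
    """Return the class A/B/C major network that contains an IPv4 address."""
    first_octet = int(address) >> 24
    if first_octet < 128:
        prefix_len = 8      # class A
    elif first_octet < 192:
        prefix_len = 16     # class B
    elif first_octet < 224:
        prefix_len = 24     # class C
    else:
        raise ValueError(f"{address} is class D/E and has no classful major network")
    return ipaddress.ip_network((str(address), prefix_len), strict=False)


def classful_summary(prefix_str):
    """Convenience: '172.16.5.0/24' -> '172.16.0.0/16'."""
    net = ipaddress.ip_network(prefix_str)
    return str(classful_network(net.network_address))


def advertised_out(interfaces, out_interface):
    """
    Prefixes EIGRP (auto-summary on) advertises out `out_interface`.
    Subnets in the same major network as the outgoing link are sent as-is;
    subnets in any other major network are collapsed to that classful summary.
    """
    out_major = classful_network(out_interface.network_address)
    advertised = set()
    for prefix in interfaces:
        if prefix == out_interface:
            continue  # split horizon: do not send a link's own prefix back out of it
        major = classful_network(prefix.network_address)
        advertised.add(prefix if major == out_major else major)
    return advertised


def null0_summaries(interfaces):
    """Discard routes (to Null0) the router installs: one per summary it generates on any interface."""
    routes = set()
    for out_interface in interfaces:
        for prefix in advertised_out(interfaces, out_interface):
            if prefix not in interfaces:      # a summary, not a connected subnet
                routes.add(prefix)
    return routes


def example_r1_r2():
    """R1 and R2 from the post: what each advertises onto the shared 12.0.0.0/16 LAN."""
    lan = ipaddress.ip_network("12.0.0.0/16")
    r1 = [ipaddress.ip_network("1.1.1.1/32"), ipaddress.ip_network("12.1.1.0/24"), lan]
    r2 = [ipaddress.ip_network("2.2.2.2/32"), ipaddress.ip_network("12.2.2.0/24"), lan]
    return {
        "r1_to_r2": sorted(str(p) for p in advertised_out(r1, lan)),
        "r2_to_r1": sorted(str(p) for p in advertised_out(r2, lan)),
        "r1_null0": sorted(str(p) for p in null0_summaries(r1)),
        "r2_null0": sorted(str(p) for p in null0_summaries(r2)),
    }


if __name__ == "__main__":
    for k, v in example_r1_r2().items():
        print(f"{k}: {v}")
```

The Null0 routes fall out of the same rule: R1 installs 12.0.0.0/8 to Null0 not because of the LAN but because Loopback0 sits in 1.0.0.0/8, so the 12.x subnets are summarized toward that interface even though no neighbour lives there.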

RIP version 2 auto-summarization works pretty much the same way as far as I can tell. If you know any differences please let me know.

Monday, August 19, 2013

EIGRP Variance & Traffic Distribution Ratios

Suppose you have been given two links, one of 2 Mbps and another of 512 Kbps. How would you load balance in the ratios below with EIGRP?
  • 5:2
  • 4:3
What this means is that for every 5 packets sent on the 2 Mbps link, 2 packets should be sent over the 512 Kbps link. The same goes for the next ratio: for every 4 packets sent over the 2 Mbps link, 3 packets should go over the 512 Kbps link.

Look at the diagram below.
Looking at the diagram, we notice there are two paths to reach R4's Loopback 0 interface 1.1.1.1/32: one via the FastEthernet interface and another via the serial interface. So what are the technical points to consider with respect to EIGRP? Assume only the "Delay" parameter is used in the composite metric calculation.

1) The path via R2 is currently the preferred path because its delay values are the lowest.
2) The path via R3 is the feasible successor because the reported distance advertised by R3 to R1 is the same as that advertised by R2 to R1 (i.e. 100 + 5000 = 5100).

What can we do so that the path via R3 is also used for load balancing? To achieve this, we need the EIGRP variance feature. Let's calculate the metric from R1 to R4's loopback manually. The formula is:

Metric = 256 * (Sum of Delay/10) 

Note : Delay is in tens of microseconds

Metric via R2 is = 256 * (100+100+5000)/10 = 133120
Metric via R3 is = 256 * (20000 + 100 + 5000)/10 = 642560

So we know that the metric via R2 gives the preferred path, with the lowest feasible distance. Now let's use our R3 path as well.

Remember, Variance = FD of the Feasible successor / FD of the successor
So, Variance = 642560/133120 = 4.82
Let's round that up to a whole number. So, Variance = 5

Now, by setting variance 5 under the EIGRP routing process, you would have the load balancing between two paths up. 
Note: For the variance command to take effect, the path must be a feasible successor.

But how do we achieve 5:2 or 4:3 ratio load balancing? For this to happen, you need to consider the following:

1) How much delay should be set on the path via R3(the serial interface path) in order to get 5:2 ratio?
2) What would be the calculation to obtain the delay value?

To calculate the delay, the formula is:

Lowest Metric* × ratio = 256 * [delay/10]
* Lowest Metric is the metric of the path with the lowest feasible distance (in our case the path via R2)

133120 * (5/2) = 256 * [delay/10]
332800 = 256 * [delay/10]
332800/256 = delay/10
1300 = delay/10
13000 = delay

Maths :) 

The delay value we calculated is the delay of the entire path (end-to-end). Now we need to determine the delay value of the local interface. To find it, subtract the delay advertised by R3.

So, it would be 13000-5100 = 7900

The actual delay to be set on the serial interface of R1 is 790. Yes, re-read: 790. Delay is configured in tens of microseconds, so by setting 790 you get the 5:2 ratio.
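The arithmetic above, carried through in code as an added example (my own, not from the post): the delay-only composite metric, the feasibility condition that the variance note requires, the variance multiplier, and the interface delay needed for a given traffic ratio. It generalizes the 5:2 computation to any ratio; the inputs are the per-hop delays from the post (100, 100, 5000 µs via R2; 20000, 100, 5000 µs via R3) and the function names are my own.

```python
# Added example (not from the original post): the post's variance and delay
# arithmetic in code. Delays are in microseconds as on the 'delay' line of
# 'show interfaces'; the path delays are the ones given in the post.
import math


def delay_only_metric(delays_us):
    """EIGRP composite metric when only delay counts (K1=K2=K4=K5=0, K3=1):
    256 * (sum of delays in tens of microseconds)."""
    return 256 * sum(delays_us) // 10


def is_feasible_successor(reported_distance, successor_fd):
    """Feasibility condition: the neighbour's reported distance must be below our current FD."""
    return reported_distance < successor_fd


def variance_needed(successor_fd, alternate_fd):
    """Smallest whole-number multiplier that lets the alternate path into the routing table."""
    return math.ceil(alternate_fd / successor_fd)


def interface_delay_for_ratio(successor_fd, share_successor, share_alternate, reported_delay_us):
    """
    Delay to configure on the local interface of the alternate path so that the
    alternate's metric is (share_successor / share_alternate) times the successor's.
    reported_delay_us is the end-to-end delay the alternate neighbour advertises.
    Returns the value in tens of microseconds, which is how 'delay' is entered on IOS.
    """
    target_metric = successor_fd * share_successor / share_alternate
    end_to_end_delay_us = target_metric * 10 / 256      # invert metric = 256 * delay/10
    local_delay_us = end_to_end_delay_us - reported_delay_us
    return local_delay_us / 10


def worked_example():
    """R1's view of the two paths to R4's loopback from the post."""
    via_r2 = delay_only_metric([100, 100, 5000])       # 133120
    via_r3 = delay_only_metric([20000, 100, 5000])     # 642560
    reported_by_r3 = delay_only_metric([100, 5000])    # R3's own distance, as advertised to R1
    return {
        "fd_via_r2": via_r2,
        "fd_via_r3": via_r3,
        "r3_is_feasible": is_feasible_successor(reported_by_r3, via_r2),
        "variance": variance_needed(via_r2, via_r3),
        "delay_for_5_to_2": interface_delay_for_ratio(via_r2, 5, 2, 5100),
        "delay_for_4_to_3": round(interface_delay_for_ratio(via_r2, 4, 3, 5100)),
    }


if __name__ == "__main__":
    for k, v in worked_example().items():
        print(f"{k}: {v}")
```

The 4:3 value is rounded because the IOS delay argument is an integer; the 5:2 case divides evenly and reproduces the 790 above.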

I haven't added any screenshots of the configs, as it's left to you to perform :-D Oh, and the 4:3 calculation is also left to you for practice!