Show IP Protocols


Audio version of Blog "Show IP Protocols".

Li-Ji Hong (洪李吉)

  • Latest episode: Dec 8, 2020
  • New episodes: infrequent
  • 23 episodes



Latest episodes from Show IP Protocols

Breaking 100K Entries is the Global IPv6 BGP Table

Dec 8, 2020


This year, 2020, around November I started to see the global IPv6 BGP table get above 100K entries. Although the number goes above and below 100K from time to time, starting from the end of November I can safely say it is breaking 100K entries right now.

This is an interesting milestone for IPv6. That means a massive majority of people are using IPv6 today. I want to note down this moment, and I want to share 3 of my own observations about the IPv6 BGP table.

Source: https://twitter.com/bgp6_table/status/1330964625127583744/photo/1

Number of IPv6 BGP entries is going up and down

The Internet is a collection of distributed, self-managed networks. No single authority can dictate how BGP configuration should be done on all the different networks. Each network administrator can choose when and how to add or remove BGP entries on different occasions. It is natural for the BGP table to grow and shrink from time to time.

For example, network administrators might decide to remove assigned but not yet used networks from their BGP configurations. By this action, the number of BGP entries goes down.

Another example: to achieve load spreading, administrators might break their own IPv6 prefixes into smaller ones and advertise them to different BGP neighbors. By this action, the number of BGP entries goes up.

And of course, when networks expand with more prefixes, or dying companies return prefixes to the Regional Internet Registries, the BGP table grows or shrinks accordingly. Configuration errors can also cause fluctuations in the total number of BGP entries.

Source: IPv6 CIDR Report for 30 Nov 20

Projection of the 100K time is pretty accurate

I have read web pages by APNIC and RIPE projecting the total number of IPv6 BGP entries. They all projected the time of 100K to be around the second half of 2020. They are pretty accurate in my opinion.

Source: APNIC, "BGP in 2019 - The BGP Table"
Source: RIPE, "BGP in 2016"

IPv6 BGP table is growing much faster than IPv4

For IPv6 BGP: last year, 2019, around October, I observed the IPv6 BGP table was around 80K in size. After around 1 year, it is now over 100K. That is, the growth rate in this interval is 25% (=20/80).

For IPv4 BGP: in the same interval, October 2019, I observed the IPv4 BGP table was around 800K in size. After the same 1 year up to now, it is over 850K in size. That is, the growth rate in this interval is 6.25% (=50/800).

My conclusion is: the growth rate of IPv6 is much higher than that of IPv4, in this interval.

One more thing…

Many people are also interested in estimates of router memory consumption to hold the whole global BGP table. For IPv6, unfortunately, I cannot find good firsthand samples of the number of entries versus the memory size consumed. I will try to estimate the memory consumption from IPv4 samples instead.

A single IPv4 address is 32 bits, and a single IPv6 address is 128 bits. One IPv6 address is 4 times the size of one IPv4 address. Because BGP entry fields are essentially IP addresses, here I roughly assume an IPv6 BGP table should not take more than 4 times the memory of an IPv4 BGP table with the same number of entries.

I already wrote about this before: every 100K IPv4 BGP entries could take no more than 80 Megabytes of memory. Therefore, my estimate for the same 100K entries of the IPv6 BGP table is that they should not take more than 320 Megabytes of memory.

Do you have firsthand numbers of IPv6 BGP memory consumption? How wrong is my estimate? I would like to hear from you in the comment section below.

Overlooking from the top floor of Dragon and Tiger Pagodas (龍虎塔), Zuoying District, Kaohsiung City, Taiwan

I am Li-Ji Hong. This is my blog “Show IP Protocols”. See you next time!

Three possible scenarios of Software Defined Networking (SDN)

Dec 7, 2019


Software-defined networking (SDN) is an approach to creating a centrally controlled, programmable packet network. Any protocol taking the same approach could be considered SDN as well.

For open protocols, we have one popular standard protocol, “OpenFlow”, spoken between the central controllers and all managed networking devices. The Open Networking Foundation (ONF) defines the OpenFlow protocol.

In fact, vendors have also developed proprietary protocols to implement this same approach. For example, Cisco’s ACI is a proprietary SDN solution.

Here I summarize the 3 most probable scenarios when we deploy SDN.

Scenario 1: Open protocol, multiple vendors

Since the OpenFlow protocol from ONF is open, any vendor can develop interoperable software and hardware products. For enterprise customers, the first natural approach is to buy from multiple networking vendors. For example, controllers from vendor A, some switches from vendor B, some routers from vendor C, and so on.

The most obvious benefit of this scenario is lower buying cost. Enterprises can buy any compatible networking products from any vendor in the market at the lowest price. White-brand, or no-brand, vendors have opportunities to compete on price against existing networking vendors.

However, only the buying cost is lower. We must also consider the other costs of building and maintaining a working network. Integration of software and hardware is itself a heavy project.

When we already have a capable hardware and software integration team, we can work comfortably with this approach. If we simply don’t have such a “Tiger Team”, or we are just about to create a team from scratch, this scenario could be difficult and costly. It could cancel out all the benefits of the lower buying cost.

Scenario 2: Open protocol, one major vendor

Some vendors are capable of providing all components for OpenFlow. For example, Cisco. In this scenario, we basically buy controllers and network devices from a single major vendor. For less important areas, we buy some from other vendors in the market.

In this approach, we might have higher buying costs. Because we now have a major vendor, we can get better support from that major vendor. We can also achieve lower integration cost because our team has fewer combinations of products to experiment and integrate with. We don’t need a huge team like in the previous scenario.

I am more familiar with Cisco. Let me summarize what Cisco can provide for OpenFlow.

“Cisco Open SDN Controller” is an OpenFlow protocol controller. The software is a commercial distribution of OpenDaylight by the OpenDaylight open source project. This software is packaged in a virtual machine format.

In addition, Cisco’s Nexus 3000 and 9000 family switches can run “Cisco OpenFlow Agent” inside to become OpenFlow switches, so they can be controlled by standard OpenFlow controllers.

We can deploy OpenFlow by simply selecting all components from Cisco. Because the OpenFlow protocol is open, we also have the flexibility to add non-Cisco but OpenFlow-compatible devices.

Scenario 3: Closed protocol, one vendor

Some vendors can provide all the features and benefits of a “centrally controlled programmable packet network” with a proprietary protocol. For example, again, Cisco.

Cisco’s Application Centric Infrastructure (ACI) is Cisco’s proprietary SDN solution. With Cisco’s ACI, we can achieve even more than with OpenFlow, such as:

  • Device management
  • Better integration with non-networking devices such as Layer 7 switches and stateful firewalls
  • A better, programmer-friendly abstraction instead of VLANs and subnets

In this scenario, we have the highest buying cost and we are locked into a single vendor. However, we have the lowest integration cost and we now have full support from that single vendor. We only need an even smaller support team and can concentrate all resources on using the network instead of experimenting with interoperability among vendors.

One more thing…

Winter flowers near Taoyuan High Speed Rail Station.

SDN is a promising approach for next generation networking. A programmable network is indeed the foundation for network automation. On the other hand, I don’t think it fits well for all types and sizes of customers. Let me talk more about who needs SDN in the coming posts.

I am Li-Ji Hong. This is my blog “Show IP Protocols”. See you next time!

Where do we use Cisco Wildcard Masks?

Nov 18, 2019


People might still be interested in Cisco Wildcard Masks. I try to summarize interesting information about Wildcard Masks in this post.

Use Case 1: IPv4 Access Control Lists on Cisco IOS, IOS XE, and IOS XR

Wildcard masks are for selecting only subsets of IPv4 addresses. When we define the selected source or destination IPv4 addresses for an Access Control List (ACL), we use a Wildcard Mask. Here is an example for Cisco IOS and IOS XE.

ip access-list extended ACL-NAME
 deny tcp 172.16.9.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 22
 permit ip any any

Here is an equivalent ACL example for Cisco IOS XR.

ipv4 access-list ACL-NAME
 deny tcp 172.16.9.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 22
 permit ipv4 any any

All Cisco IOS XR Access Control Lists are “extended, and named” in Cisco IOS’s sense, and we don’t need the “extended” keyword in IOS XR commands.

Use Case 2: Selecting interfaces to start Routing Protocols on Cisco IOS and IOS XE

The “network” commands for OSPFv2 and EIGRP select the interfaces on which to start OSPF or EIGRP by the interfaces’ IPv4 addresses. For example:

router eigrp 99
 network 192.168.199.0 0.0.0.255

router ospf 1
 network 192.168.201.0 0.0.0.255 area 0

Here, all interfaces with IPv4 addresses covered by “192.168.199.0 0.0.0.255” are enabled for EIGRP AS 99, and all interfaces with IPv4 addresses covered by “192.168.201.0 0.0.0.255” are enabled for OSPF and assigned to area 0.

Just in case you need some help visualizing Wildcard Masks, you can download an Excel Spreadsheet Wildcard Mask Calculator in this post:

Revised post: Covering Subnet Calculator to understand more about Wildcard Mask

That's all for use cases. We simply don't use Wildcard Masks in any other scenarios.

NX-OS, ASA, and IPv6: we do not have Wildcard Masks

If you are lucky enough to work on Cisco NX-OS or Cisco ASA alone, you don’t need Wildcard Masks because they are not supported at all on these operating systems. Or, if you work in an IPv6-only world without IPv4, you don’t need Wildcard Masks at all because the IPv6 commands of all of Cisco’s operating systems do not use Wildcard Masks.

Tamsui River (淡水河) Estuary after sunset. Tamsui District, New Taipei City, Taiwan.

One more thing…

I always say that we can simply assume Cisco IOS Wildcard Masks are derived by mapping 1s to 0s and 0s to 1s of the equivalent subnet mask in binary notation. This brings up a question: why do we need Wildcard Masks in the first place? Why not just reuse IP subnet masks instead of creating new objects like Wildcard Masks?

I don’t have any official information source. In my opinion, “flexibility” might be the cause.

I try to imagine two possible cases. We only want to select IP subnets with an even-numbered 3rd octet, or we want to select any hosts ending with the number “77”. Here are single-line Wildcard Masks to select them:

Single-line Wildcard Mask “192.168.0.0 0.0.254.255” selects IP subnets 192.168.0.0/24, 192.168.2.0/24, 192.168.4.0/24 … 192.168.254.0/24.

Single-line Wildcard Mask “192.168.0.77 0.0.255.0” selects 192.168.0.77, 192.168.1.77, 192.168.2.77 … 192.168.255.77.

Subnet masks are not flexible. All subnet masks must begin with contiguous “1”s, and the rest of the bits must be “0”s; it is complex to combine many subnet masks to define the identical selections for the above two imaginary examples.

Please don’t get me wrong! I don’t like Wildcard Masks, either. I always avoid Wildcard Masks when managing a network. I do Wildcard Masks only when taking exams. These two imaginary examples are rare in practical networks. Most administrators I know of always group endpoints by IP subnet, instead of in the confusing even-odd way.

Maybe I will create another post to tell you how I avoid Wildcard Masks!

I am Li-Ji Hong. And this is my blog “Show IP Protocols”. See you next time!
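The wildcard-mask semantics described above (0 bits must match, 1 bits are don't-care) and the two "flexibility" selections, worked through as an added example; this is not code from the post, and the helper names are my own.

```python
"""Cisco IOS wildcard mask helpers.

Added example, not code from the original post. A wildcard mask is the
bitwise inverse of a subnet mask: a 0 bit means "this bit must match the
base address", a 1 bit means "don't care". Unlike subnet masks, the 1 bits
need not be contiguous, which is what makes the even-subnet and ".77 host"
selections from the post possible with a single line.
"""
from ipaddress import IPv4Address, IPv4Network


def _to_int(dotted: str) -> int:
    return int(IPv4Address(dotted))


def subnet_mask_to_wildcard(mask: str) -> str:
    """Flip every bit: 255.255.255.0 -> 0.0.0.255."""
    return str(IPv4Address(_to_int(mask) ^ 0xFFFFFFFF))


def wildcard_match(base: str, wildcard: str, address: str) -> bool:
    """True if `address` is selected by the ACL/network pair `base wildcard`."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF   # bits that must match
    return (_to_int(address) & care) == (_to_int(base) & care)


def is_subnet_mask_equivalent(wildcard: str) -> bool:
    """A wildcard is just an inverted subnet mask iff all its 1 bits sit
    contiguously at the low end, i.e. no '1' is ever followed by a '0'."""
    return "10" not in f"{_to_int(wildcard):032b}"


def wildcard_to_prefix(base: str, wildcard: str):
    """Return the single CIDR prefix equivalent to `base wildcard`, or None
    when no single subnet mask can express the same selection."""
    if not is_subnet_mask_equivalent(wildcard):
        return None
    prefix_len = 32 - bin(_to_int(wildcard)).count("1")
    return str(IPv4Network((base, prefix_len), strict=False))


def select(base: str, wildcard: str, candidates):
    """Filter a list of addresses down to the ones the wildcard selects."""
    return [a for a in candidates if wildcard_match(base, wildcard, a)]


if __name__ == "__main__":
    # The two "flexibility" cases from the post.
    even_subnets = select("192.168.0.0", "0.0.254.255",
                          [f"192.168.{i}.1" for i in range(8)])
    print(even_subnets)          # only the even third octets survive
    hosts_77 = select("192.168.0.77", "0.0.255.0",
                      ["192.168.0.77", "192.168.9.77", "192.168.9.78"])
    print(hosts_77)
    # The ACL entry from the post is a plain /24; the even-subnet mask is not.
    print(wildcard_to_prefix("172.16.9.0", "0.0.0.255"))
    print(wildcard_to_prefix("192.168.0.0", "0.0.254.255"))
```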

Global BGP IPv4 table is around 800K in size

Nov 6, 2019


This week the global BGP IPv4 table is around 800,000 entries in size. I bring this up just to give you a heads-up and say a “Wow”. I don’t want to make you worry about the number. This is not my intention.

I still remember the “good old times” when I installed a BGP router (Cisco 3660) with 256 Megabytes of DRAM memory in 2001. At that time, the BGP table was below 150,000 entries, so that router worked well.

Screen capture of CIDR REPORT website on November 3, 2019

The size of router DRAM memory is not a problem today for most BGP administrators. I created a post about BGP memory consumption and had this rough estimate: every 100K BGP entries from a single peer requires 80 Megabytes of DRAM.

In other words, to store 800,000 entries today, we simply need around 800 Megabytes (that is 0.8 Gigabytes) of DRAM for the BGP protocol. This is simply a piece of cake for today’s router hardware.

Even an old Cisco ASR 1000 RP1 router with 4 Gigabytes of DRAM supports “up to 1,000,000 IPv4 routes”. No worry about 800K BGP entries.

Taipei City view over Taipei Main Station (台北車站). August 21, 2019

One more thing…

I just want to remind you when you are planning for BGP Route Reflectors: the memory size could be an issue, because you must multiply the above estimate by the number of BGP protocol peers.

Again, with a Cisco ASR 1000 RP1 router with 4 Gigabytes of DRAM, BGP Route Reflector scalability is “up to 5,000,000 IPv4 routes”. If you are planning a route reflector using this model with more than 5 BGP peers, you must examine the table size more carefully.

And by the way, the IPv6 global BGP table size is around 80K this week. The IPv6 table size is still not that huge compared to IPv4 today.

I am Li-Ji Hong. This is my blog “Show IP Protocols”. See you next time!

Revised post: Covering Subnet Calculator to understand more about Wildcard Mask

Nov 5, 2019


This tool is an update to my previous post:

Simple visual tool to calculate Cisco IOS Wildcard Mask

Notes for Cisco IOS Wildcard Mask

You can simply assume Cisco IOS Wildcard Masks are derived by mapping 1s to 0s and 0s to 1s of the equivalent subnet mask in binary notation. By definition, “0” bits in a wildcard mask denote the bits that must match the base prefix, and “1” bits denote the bits you simply don’t care about.

All subnet masks must begin with contiguous “1”s, and the rest of the bits must be “0”. On the other hand, there is no such requirement for wildcard masks. That is the major difference between a subnet mask and a wildcard mask.

Updates

I changed the flow of using this Excel file. You simply input a “Starting IPv4 Address” and the number of contiguous hosts you want to cover with a single IPv4 subnet, and then this Excel file calculates everything else for you.

Getting this Excel file

The original Excel file is here. You need Microsoft Excel or LibreOffice Calc to open and play with this file.

“ipv4-covering-first-last.xlsx”

If you are familiar with Google Docs, you can also “Use this template” or save this file to Google Drive for viewing and playing.

One more thing…

I also created a demonstration video using this Calculator on YouTube.

I am Li-Ji Hong. And this is my blog “Show IP Protocols”. See you next time!
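The calculation the spreadsheet performs (starting address plus a count of contiguous hosts, giving the single covering subnet and its wildcard mask), as an added example that is not the Excel file from the post; the function names are my own, and it also reports how many spare addresses the covering block wastes when the range crosses a power-of-two boundary.

```python
"""Covering-subnet calculator.

Added example, not the Excel file from the post. Given a starting IPv4
address and how many contiguous addresses must be covered, it finds the
smallest single subnet that contains all of them and reports the subnet
mask together with the equivalent Cisco IOS wildcard mask (its bitwise
inverse). It also shows the price of a range that crosses a power-of-two
boundary: the covering subnet can be far larger than the range itself.
"""
from ipaddress import IPv4Address, IPv4Network

ALL_ONES = 0xFFFFFFFF


def covering_subnet(start: str, count: int) -> dict:
    """Smallest single IPv4 subnet containing `count` addresses from `start`."""
    if count < 1:
        raise ValueError("count must be at least 1")
    first = int(IPv4Address(start))
    last = first + count - 1
    if last > ALL_ONES:
        raise ValueError("range runs past 255.255.255.255")
    # Walk from /32 toward /0. The first prefix length whose block, aligned
    # at (first & mask), still reaches `last` is the tightest covering subnet.
    for prefix_len in range(32, -1, -1):
        mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
        network = first & mask
        block_last = network | (~mask & ALL_ONES)
        if block_last >= last:
            net = IPv4Network((str(IPv4Address(network)), prefix_len))
            return {
                "network": str(net),
                "subnet_mask": str(IPv4Address(mask)),
                "wildcard_mask": str(IPv4Address(~mask & ALL_ONES)),
                "first_covered": str(IPv4Address(first)),
                "last_covered": str(IPv4Address(last)),
                "block_first": str(net.network_address),
                "block_last": str(net.broadcast_address),
                # addresses in the block that were not asked for
                "spare": (block_last - network + 1) - count,
            }
    raise AssertionError("unreachable: /0 covers every address")


def acl_entry(start: str, count: int) -> str:
    """The 'address wildcard' pair an IOS ACL would use for this range."""
    r = covering_subnet(start, count)
    return f"{r['block_first']} {r['wildcard_mask']}"


if __name__ == "__main__":
    # 10 hosts from .100 fit a /28; 2 hosts straddling 10.0.0.255 need a /23.
    for start, count in (("192.168.1.100", 10), ("10.0.0.255", 2)):
        r = covering_subnet(start, count)
        print(f"{start} +{count}: {r['network']} mask {r['subnet_mask']} "
              f"wildcard {r['wildcard_mask']} spare {r['spare']}")
```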

Scanning active IPv4 addresses is difficult? Simpler than you think

Oct 20, 2019


It is always a best practice to keep full track of all IP address assignments inside our local area network. From time to time, it might also be a good idea, for security purposes, to check whether we have any hidden nodes inside our network.

To discover any node with an active IP address inside our network, we might imagine that we must acquire powerful tools such as Cisco Prime Infrastructure before we can achieve anything. In fact, it might be much easier than you expected. Let me show you how. All you must have is a Windows 10 PC. I think that should be easy.

Step 1: Start a PowerShell window with normal user privilege

Type “Windows Logo Key ❖ + R”, in the popup dialog type “powershell”, and press the Enter key to start a new PowerShell window.

Step 2: Type in or copy/paste this one-liner, and press the Enter key to run it

Here is a PowerShell one-liner I tested on my computer.

$ipv4prefix=$(ipconfig | where {$_ -match 'IPv4.+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.)' } | out-null; $Matches[1]); 0..255 | %{"$ipv4prefix$_"} | % {"$($_): $(Test-Connection -count 1 -quiet -ComputerName $($_))"}

Just in case the variable “$ipv4prefix” is not parsed correctly, or you simply want to scan other networks in a different IPv4 prefix, you can manually assign that string. For example, if your IP address range is in “192.168.1.X”, you can assign the “$ipv4prefix” variable with “192.168.1.”. Please be careful: we need a dot at the end of the string. The modified one-liner now becomes:

$ipv4prefix="192.168.1."; 0..255 | %{"$ipv4prefix$_"} | % {"$($_): $(Test-Connection -count 1 -quiet -ComputerName $($_))"}

Step 3: Wait for about 5 minutes for the scan to finish and capture your PowerShell window screen

The output should be something like this:

192.168.1.0: False
192.168.1.1: True
192.168.1.2: False
192.168.1.3: False
192.168.1.4: False
192.168.1.5: True
…

Those lines with a “True” result are active IP addresses inside your network. The rest of the IP addresses are not responding at all.

If you want to print out only the active ones, you can attach a filter at the end of the previous one-liners with “| Select-String True”. For example:

$ipv4prefix=$(ipconfig | where {$_ -match 'IPv4.+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.)' } | out-null; $Matches[1]); 0..255 | %{"$ipv4prefix$_"} | % {"$($_): $(Test-Connection -count 1 -quiet -ComputerName $($_))"} | Select-String True

The output should be like this:

192.168.1.1: True
192.168.1.5: True
…

Playground inside Central Culture Park (中央藝文公園、華山大草原), Taipei City, Taiwan

One more thing…

In this post I just showed you how easily you can explore your network with simply your Windows 10 PC. You can now imagine that with a Linux desktop we can do even more powerful discovery than this. Here is a one-liner for BASH together with the standard tool “awk”:

ipv4prefix="192.168.1."; for i in $(seq 1 255); do ping -c 1 ${ipv4prefix}$i | tr '\n' ' ' | awk '/1 received/ {print $2}'; done

Now you have no excuse to say “I cannot do any network exploration until I have Cisco Prime Infrastructure”. You can start network discovery right now after reading my post here.

And now you know how easily malicious hackers can find your public IP addresses and create trouble for you if your public-facing network devices are vulnerable, just like in this incident:

Show IP Protocols: Bank lost 1 million US Dollars because of outdated routers

I am Li-Ji Hong. This is my blog “Show IP Protocols”. See you next time!

CCNA 2020, My summary of changes

Jun 27, 2019


Cisco recently announced major changes to its certification programs, and they all take place on February 24, 2020. In this post, I am giving you my quick summary on CCNA alone.

CCNA Exam Changes (200-301)

The official new exam name for CCNA 2020 is “Cisco Certified Network Associate v2.0 (CCNA 200-301)”. I know it is quite confusing since the CCNA exams have already been changed a couple of times in recent years. I will call this 2020 CCNA by its exam code “200-301” instead.

Compared to the current single 200-125 exam, more topics and questions will be tested in the new 200-301, such as Wireless LAN, Automation and Programming. The exam time is also increased. In short, the new CCNA exam will be more challenging to prepare for than the current exams.

The good news is, we still have around 8 months from today to take the current single 200-125 exam before February 24, 2020.

If you are in the middle of CCNA preparation, I recommend keeping going, which is also what Cisco recommends. Eight months should be enough for you, whether you plan to dedicate days to classroom training, online training, or self-study kits as tools for exam preparation.

Let’s move on to the impacts.

Impacts on CCENT holders

If you plan to achieve CCNA by passing 2 exams in 2 stages, the 2020 changes could impact you the most. This is because the CCENT certification itself is also gone after February 24, 2020! Your CCENT passing status cannot be re-certified after February 24. To acquire your CCNA, you must pass both ICND1 (100-105) and ICND2 (200-105) within 8 months from today. Otherwise, you can only restart your whole CCNA certification process after February 24.

Impacts on specialized CCNA, e.g. CCNA Wireless

Specialized CCNA certifications, such as CCNA Wireless, will all be gone after February 24! They will all become the single certification: CCNA. No more individual specialized CCNAs anymore. Here is the list of “specialized CCNA” I know will be gone:

  • CCNA Cloud
  • CCNA Collaboration
  • CCNA Cyber Ops
  • CCNA Data Center
  • CCDA
  • CCNA Industrial
  • CCNA Routing and Switching
  • CCNA Security
  • CCNA Service Provider
  • CCNA Wireless

Wait a minute, what about my passing status for these certifications?

In fact, Cisco will send you a new CCNA certificate if you are still a valid specialized CCNA holder on February 24. Since you have paid extra effort for a specialized CCNA, Cisco will recognize and count it in credits. These credits will count toward your future CCNA recertification. I will talk more on CCNA recertification soon in the next topic.

In short, if you are already a specialized CCNA certificate holder, you still preserve your extra effort over plain CCNA. If you are in the middle of taking a specialized CCNA exam, unless your exam costs are sponsored or you are requested to do it anyway, I recommend waiting until February 24.

I want to clarify that Cisco did also announce new Cisco Certified Specialist (or CCS for short) certifications. However, do not confuse them with specialized CCNA. Your specialized CCNA exam passing status will not help you acquire the new CCS certifications. Although the tested topics might overlap with your specialized CCNA, you still must take the new CCS exams after February 24 to acquire your new CCS certification.

Impacts on CCNA Recertification

After February 24, you have more paths to recertify your CCNA. Originally, you could only re-take the same CCNA exam every 3 years to recertify. After February 24, you have more options. You can take any training classes that Cisco recognizes with credits. If you have acquired more than 30 credits every 3 years, you recertify your CCNA without taking any exams.

Up to this moment, I don’t find any “credit” assignment rules for training classes yet. I believe Cisco will announce them soon. In my opinion, this is a more flexible approach because many people have completed many major training classes, and they just don’t have the time to pass the exams.

Shimen Red House (西門紅樓), Taipei City, Taiwan

One more thing…

I like the new changes to the CCNA certification. Although it will be more difficult to prepare for the new exams, adding topics such as Automation and Programming is great because this is the trend for TCP/IP networking. I will talk more on automation and programming soon in future posts.

In addition to CCNA, Cisco also announced major changes to CCNP and CCIE, and they all take place on February 24, 2020. If you want to know more about the CCNP and CCIE certification changes, please let me know by leaving your questions below.

This is my blog “Show IP Protocols”. I am Li-Ji Hong! Stay tuned!

Links on Cisco.com:
Cisco Certified Network Associate (200-301)
New CCNA exam goes live on February 24, 2020

Google is terminating Google+ service

Feb 14, 2019


Hi, this is Li-Ji Hong speaking. We now know Google is terminating the Google+ service. I understand that many of you came from Google+ to find and visit my web site “Show IP Protocols”. To stay updated and connected to my web site “Show IP Protocols”, I recommend adding at least one of these three services: Twitter, Facebook, and Email subscription.

Twitter

Number 1 is Twitter. In my opinion, Twitter is very much like Google+. I will keep posting new content on Twitter even after Google+ stops.

If you are already a Twitter user, you can simply follow my handle: hongliji. The full Twitter link is:

https://twitter.com/hongliji

Even if you are not a Twitter user at all, I still recommend adding this link to your browser bookmarks. You can come back more easily from time to time. On “Show IP Protocols” you basically find only the posts that I create. When I come across good articles by others around the web, I share them on Twitter.

Facebook

Number 2 is Facebook. I started a Facebook Page for “Show IP Protocols” a long time ago, although I am not managing it well. If you stay on Facebook all the time, you can simply “Like” or follow this Facebook Page for “Show IP Protocols”.

https://www.facebook.com/showipprotocols

The content posted on this page should be the same as on Twitter.

Email subscription

Last one, Email subscription. Email subscription is my recommended method. You will receive the full text and photos of my every post via email. The email subscription service will always be available, even though I understand many people like phone apps more than email today.

Click this link to subscribe on FeedBurner:

http://feedburner.google.com/fb/a/mailverify?uri=ShowIPProtocols&loc=en_US

One more thing…

I felt surprised and sad to learn that Google is terminating the Google+ service. On the other hand, Internet technologies will always evolve and be innovated. I will keep my web site “Show IP Protocols” evolving and innovating, so you will always learn new things when visiting my web site “Show IP Protocols”.

I am Li-Ji Hong. This is “Show IP Protocols”. See you next time!

Cherry blossoms in Taoyuan Brewery (桃園觀光酒廠) of Taiwan Tobacco & Liquor Corporation (TTL)

400G Ethernet, My Observation Notes

Nov 5, 2018


I saw a post that Cisco has announced 400G Ethernet switch products. 400G Ethernet means the bit rate can be up to 400 Gbps. Here are some of my observation notes on 400G Ethernet products.

Cisco announced four models of Nexus 400G switches

Screen capture on Cisco.com

On the product page, Cisco announced 4 new models of Nexus switches with 400G Ethernet capability. Nexus 9316D-GX is for Cisco ACI Spine. Nexus 93600CD-GX is for Cisco ACI Leaf. Nexus 3408-S and Nexus 3432D-S are non-ACI Ethernet switches.

Cisco's product page is:
https://www.cisco.com/c/en/us/solutions/data-center/high-capacity-400g-data-center-networking/index.html

400G port transceivers: QSFP-DD

All four models use QSFP-DD as the 400G Ethernet transceiver type.

Screen capture on Cisco.com

QSFP Double Density (QSFP-DD) transceivers are the same size on the switch front panel as QSFP transceivers. The switch ports are also compatible with existing QSFP28 transceivers. That means my current 100G transceivers can be inserted and reused on these new, faster Nexus switches.

The fiber connectors: LC or MPO-12

Fiber connectors should be of the LC or MPO-12 types. I cannot find an official datasheet to confirm that at this moment. However, I believe this should be true from the photos published on Cisco's official web site.

Screen capture on Cisco.com

If my fiber cabling connectors are of the LC or MPO-12 types, I can reuse my existing fiber infrastructure when upgrading to 400G Ethernet. When you are planning a new fiber installation, I also recommend choosing LC and MPO-12 connectors.

One more thing…

I believe 400G Ethernet should still be very expensive today in 2018. I might not need it soon. I know I can reuse my existing expensive 100G Ethernet transceivers and fiber infrastructure when I upgrade to 400G Ethernet in the future. And this makes me feel better.

I am Li-Ji Hong. What do you think about 400G Ethernet? Please share your ideas with me in the comments below! Thank you!

Lotus pond inside Taipei Botanical Garden (台北植物園), Taipei City, Taiwan

Bank lost 1 million US Dollars because of outdated routers

Jul 25, 2018


A recent news item was about hackers breaking into a Russian bank because of outdated routers. When I saw the keyword “router”, I felt that I must dig further into what really happened.

What I have understood now

The victim is PIR Bank. One of the suspects is MoneyTaker. After the breach, PIR Bank hired the company Group-IB to do the clean-up, recovery, and investigation of how the hackers got into their internal network.

Up to this moment, Group-IB has disclosed that the hackers exploited the outdated routers of PIR Bank. The routers were Cisco 800 series routers, for which Cisco had already publicly declared an End of Support date sometime in 2016. The running Cisco IOS version was 12.4.

My understanding

All the routers involved in this incident, in my opinion, must have been deployed as Internet VPN routers. They must have connected directly to the public Internet. Suppose those routers were purely internal routers without any public Internet connection; then hackers could only reach them by getting through layers of firewalls. And suppose the hackers had already broken through layers of firewalls; then they could have attacked directly without exploiting any of those outdated routers.

I believe the VPN protocol used should be IPsec. However, IPsec is not to blame for this incident. The vulnerabilities were in the software or hardware of those installed routers. It might have been some discovered vulnerabilities, and the hackers took advantage of zero-day exploits to break into the network. The hackers either used the hijacked router as a hop point or changed the access rules so that they had backdoor access to the internal network.

I also want to emphasize that Cisco is not to blame. Cisco had already announced End of Support a long time ago. If a customer insists on keeping the old outdated routers in use, the customer should take most of the responsibility.

It was a pity to lose nearly 1 million US dollars. One million dollars is enough to buy and install a lot of new routers to prevent this loss.

Enterprises should take action, my suggestions

  • Create a complete inventory of routers, especially those connected to the public Internet.
  • Confirm with your network hardware providers which routers are out of support or getting there. Create schedules to replace them as early as possible.
  • Make sure all supported routers are running the most up-to-date, patched operating systems and software.

Sunflowers in Taoyuan Agriculture Expo (桃園農業博覽會) 2018, Taoyuan City, Taiwan

One more thing…

I don't think we should worry about the architecture of Internet VPN or the IPsec protocol itself. Many new technologies rely on Internet VPN and IPsec. For example, Software-defined Wide Area Network (SD-WAN) is built on top of Internet VPN and IPsec. If we make sure all running VPN routers are in healthy condition, the Internet VPN architecture is still a cost-effective WAN solution with great flexibility for enterprises.

BGP Injection instead of Leak, my observation notes for MyEtherWallet incident

Apr 26, 2018


After reading articles by Doug Madory and by Louis Poinsignon, here are some notes on what I observed and learned.

[What happened in this incident?]

Hackers somehow made some BGP routers of “eNet” falsely announce that they own the following 5 IP subnets, which do NOT belong to “eNet”. The true owner is Amazon. To be more specific, they are used for Amazon’s Route 53 DNS name resolution service.

205.251.192.0/24
205.251.193.0/24
205.251.195.0/24
205.251.197.0/24
205.251.199.0/24

The registered DNS servers for the domain “MyEtherWallet.com” are hosted on Amazon Route 53.

Hackers also somehow embedded a malicious DNS server (or servers, I really don’t know) inside the service network of “eNet”.

After that, any affected client’s DNS query for the domain “MyEtherWallet.com” would hit the hacker’s malicious DNS server. Of course, the malicious DNS server would respond with false IP addresses, and those false IP addresses were indeed the hacker’s own web servers.

At this moment, clients thought they were accessing “MyEtherWallet.com”, while they were indeed accessing the hacker’s web servers.

[Which clients are affected?]

I believe all clients inside “eNet”, and any clients of other Internet Service Providers who trusted “eNet”’s false announcements, would be affected as well.

[Network “eNet” should have been compromised for enough time]

To falsely announce BGP routes, one must either change the configurations of hardware routers, or of BGP route servers (maybe on Linux).

For me, configuring BGP correctly on a couple of Cisco routers is already a heavy task. It’s not easy. Modifying existing BGP configurations to inject false announcements without getting noticed, and without breaking anything at the same time, is an even more difficult task for me.

I really don’t think it would be easier to achieve the same results by working on BGP route servers.

Moreover, the hackers even embedded a DNS server inside “eNet”’s service network.

I really believe the hackers had already controlled most of the hardware routers and some hardware servers, maybe for quite a long time, long enough for them to make all such modifications. I really think some of the hackers involved in this incident are quite skillful with network hardware, maybe Cisco’s or Juniper’s. They could even be CCIEs.

[BGP Injection, instead of BGP Leak]

So, the last thing I want to say is, I would rather call this incident a BGP injection instead of a BGP leak.

Why?

If I hear someone say “BGP leak”, I would feel maybe some unknown bugs inside the BGP protocol or some configuration errors caused this incident. As far as I understand now, I really think the false BGP announcements were “intentional”. I would rather say it is BGP Injection.

Although no strong security mechanisms are defined in the BGP protocol itself, in this case the BGP protocol is not to blame.

Flowers of East Asian sage, around Zhoumei Xian Zai Gang Park (洲美蜆仔港公園), Taipei City, Taiwan.

One more thing…

Amazon is also not to blame for this incident. Clients’ DNS query packets never reached Amazon at all.

I suggest Internet Service Providers should pay more attention to the security of their service infrastructure. Don’t become another “eNet”.

I also suggest Internet Service Providers should review their incoming BGP policy. In this case, some ISPs other than “eNet” were also affected because their BGP routers “trusted” “eNet”’s false announcements. They affected their own customers and forwarded the false information on at the same time.
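The “review your incoming BGP policy” advice above, as an added example that is not part of the original post: a defender-side check that flags announcements whose origin AS does not match an expected-origin table, including more-specific prefixes announced inside a known aggregate. The AS numbers and the expected-origin table are constructed placeholders; only the five Route 53 /24 prefixes come from the post.

```python
# Added example (not from the original post): flag BGP announcements whose
# origin AS does not match what an operator expects for that address space.
# The AS numbers and the expected-origin table are CONSTRUCTED placeholders
# (a real deployment would load RPKI ROAs or IRR route objects here).
import ipaddress

AS_OWNER_PLACEHOLDER = 64500     # constructed: stands in for the prefix owner
AS_NEIGHBOR_PLACEHOLDER = 64510  # constructed: stands in for the announcing ISP

# Constructed table: the /21 aggregate covers all five /24s listed in the post.
EXPECTED_ORIGINS = {
    ipaddress.ip_network("205.251.192.0/21"): AS_OWNER_PLACEHOLDER,
}


def classify_announcement(prefix, origin_as, expected=EXPECTED_ORIGINS):
    """Return 'valid', 'origin-mismatch' or 'unknown' for one (prefix, origin AS).

    The announcement is matched against the most specific expected prefix that
    covers it, so an unexpectedly announced /24 inside a known /21 is still
    checked against the /21's owner instead of falling through as 'unknown'.
    """
    net = ipaddress.ip_network(prefix)
    covering = [p for p in expected if p.version == net.version and net.subnet_of(p)]
    if not covering:
        return "unknown"
    best = max(covering, key=lambda p: p.prefixlen)
    return "valid" if expected[best] == origin_as else "origin-mismatch"


def find_suspect_routes(routes, expected=EXPECTED_ORIGINS):
    """Reduce a list of (prefix, origin_as) pairs to the ones worth an alert."""
    return [(p, a) for p, a in routes
            if classify_announcement(p, a, expected) == "origin-mismatch"]


# Constructed sample feed: the five /24s from the post originated by the wrong
# AS, one legitimately originated aggregate, and one prefix not in the table.
SAMPLE_ROUTES = [
    ("205.251.192.0/24", AS_NEIGHBOR_PLACEHOLDER),
    ("205.251.193.0/24", AS_NEIGHBOR_PLACEHOLDER),
    ("205.251.195.0/24", AS_NEIGHBOR_PLACEHOLDER),
    ("205.251.197.0/24", AS_NEIGHBOR_PLACEHOLDER),
    ("205.251.199.0/24", AS_NEIGHBOR_PLACEHOLDER),
    ("205.251.192.0/21", AS_OWNER_PLACEHOLDER),
    ("198.51.100.0/24", AS_NEIGHBOR_PLACEHOLDER),  # documentation range, unknown to the table
]

if __name__ == "__main__":
    for prefix, asn in find_suspect_routes(SAMPLE_ROUTES):
        print(f"ALERT origin mismatch: {prefix} originated by AS{asn}")
```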

Prepare Python 2.7 on Microsoft Windows using PowerShell

Sep 9, 2017


Everyone today talks about the programming language Python while discussing Software-Defined Networking (SDN). Since Python is so popular, it would be a good idea for network administrators to know more about Python.

First things first. I talk about how I prepare a Python running environment on Microsoft Windows.

It would be nothing special if I only downloaded the installer from the Python official web site by mouse clicking. Instead, I use PowerShell to download and install it for me. That is, prepare one scripting environment using another scripting language.

Here is the recorded video of how I do this.

The version I talk about is version 2.7.13.

One key step of this PowerShell script is to find out the appropriate direct binary download URL first. You can easily copy the URL after visiting the Python.ORG official web site.

I list the original PowerShell script below for you to copy/paste. You can try it for yourself.

--- COPY BELOW ---
$url = "https://www.python.org/ftp/python/2.7.13/python-2.7.13.amd64.msi"
$output = "python-2.7.13.amd64.msi"
$start_time = Get-Date
Invoke-WebRequest -Uri $url -OutFile $output
Write-Output "Time taken: $((Get-Date).Subtract($start_time).Seconds) second(s)"
# Launch the downloaded installer from the current directory
.\python-2.7.13.amd64.msi
--- END OF COPY ---

One more thing…

In my opinion, any programming language should work well to implement a successful SDN system. Because most SDN controllers run on top of a Linux server, basically any programming language supported by Linux is a good choice.

My conclusion is: if you are already familiar and skillful enough in any mainstream programming language, such as C, C++, Java, or Perl, you really don’t need to learn Python at all. Python is just one of the options.

However, if you are not good at any programming language at all, and you only have time to study a single language, then my best recommendation for you would be Python. Python is so easy to learn and use. And the most important reason is this. Because Python is so popular, you can find any examples and answers you might ask for by simply a Google search.

I plan to talk more on Python in the future. What do you think about it? Let me know by leaving your comments below this post.

(I learned the PowerShell script from Hey, I'm Jourdan, "3 ways to download files with PowerShell".)

Starting IS-IS routing protocol without CCNP training

May 18, 2017


The routing protocol Intermediate System to Intermediate System (IS-IS) is an advanced and robust link-state protocol used in many service provider networks. Most of the other enterprises I know of prefer to use protocols like OSPF or EIGRP instead of IS-IS. Therefore, enterprise administrators might not be familiar with this protocol at all.

Here I want to share my short note on starting IS-IS quickly without digging into protocol details. In case you must configure and maintain an IS-IS network, this note might save you some time.

You can follow these five steps to start the IS-IS routing protocol in a short time.

Step 1: Prepare a pool of IPv4 addresses as non-overlapping Router IDs

A Router ID is a unique identifier of any single router. Identifiers are just unique numbers. We know one citizen should have one and only one Citizen Identifier. No two citizens share the same identifier. This is the same for router IDs.

No matter whether we are starting a production network or we just want to practice in a lab, my recommendation is to always start from this step. The earlier we do this, the less time we might waste afterwards.

In addition, I also recommend reserving a pool of IPv4 addresses just for router IDs. This pool should not overlap with any other network addresses. Any host route (/32) in this pool is for a single router. For easier discussion, I assume we reserve 10.0.0.0/16 for router IDs. Router 1 (R1) is assigned router ID 10.0.0.1/32, Router 2 (R2) is assigned router ID 10.0.0.2/32, and so on.

This unique host address is not just for identifying a single router. We can use this address for management protocols such as SSH, SNMP, and SSL. We can even add a DNS mapping so we don’t have to remember the IPv4 address. For example, R1.MyDomain.COM can be mapped to 10.0.0.1. When I am about to manage a router on the command line, all I do is start an SSH session to R1.MyDomain.COM, like “ssh admin@R1.MyDomain.COM”.

Step 2: Pick a unique Area ID for Level 1

Here I want to emphasize starting from a Level 1 (First Floor, Ground Floor) area. My recommendation is to always start from Level 1. Expand to Level 2 only when necessary (most of the time we never need Level 2).

An Area ID is a unique number within 0000 to FFFF in hexadecimal (or 0~65,535 in decimal).

If you really want, Area ID zero (0000) is also a legal IS-IS area number. Area 0000 in IS-IS is just a normal Level 1 area. This is quite different from OSPF. Because we might easily confuse this area with the special OSPF Area Zero (Backbone Area), I recommend avoiding this area number at all.

Many connected routers are grouped into a single area. All routers in the same area should be assigned the same Area ID.

For easier discussion, I assume we use Area 7 for Level 1.

Step 3: Compose the Network Entity Title (NET) for every router

Network Entity Title (NET) is really an awkward name for many network administrators. It’s just a name used in the ISO documents that define the IS-IS protocol. It is the format the IS-IS protocol recognizes as the Router ID.

You are correct, the NET must also be unique, and we must convert the router IDs in Step 1 into this NET format. The question now is “How”.

I learned at Cisco Live an easy trick to convert a unique IPv4 address into a unique NET. Here you are.

First, expand the four decimal numbers of the IPv4 address to 3 digits each. For example,

10.0.0.1 -> 010.000.000.001

Now we have a 12-digit string. Then, we just treat this number as hexadecimal digits, and reposition the “dots” to separate it into 3 parts instead of 4. For example,

010.000.000.001 -> 0100.0000.0001

In case you really want to know, this converted number “0100.0000.0001” is called the System ID in the IS-IS protocol. We will need this number again when we are expanding the IS-IS network to a Level 2 connected topology.

Finally, we can create the NET now.

The NET is in the format 49.[Area ID].[System ID].00.

The NET for R1 is now “49.0007.0100.0000.0001.00”.

Step 4: Start IS-IS on every router

We can start the IS-IS protocol on every router with the following partial commands.

router isis
 net 49.0007.0100.0000.0001.00
 is-type level-1
 metric-style wide
interface loopback 999999
 ! This interface is for easier management only. IS-IS doesn’t need it.
 ip address 10.0.0.1 255.255.255.255
 ipv6 address fd00::1/128
 ip router isis
 ipv6 router isis

I purposely neglect the explanation of every component of the NET.

Step 5: Enable IS-IS on interfaces

It is simpler than you might expect. We look at the network map, and every connected interface of every connected router should be enabled with the IS-IS protocol, like this example.

interface Ethernet0/0
 no shutdown
 ip router isis
 ipv6 router isis

That’s all. Folks!

One more thing…

In the partial configuration example above, “interface loopback 999999” is only for easier management. IS-IS doesn’t need this interface at all. We can safely skip it for plain IS-IS practice.

We can even assign illegal IPv4 addresses such as 0.0.0.1 or 0.0.0.2 as router IDs for easier typing in IS-IS lab practice.

In the ISO documents, they don’t call routers “routers”. They call routers “Intermediate Systems” instead. Therefore, the IS-IS protocol is exactly a protocol for “routers to routers”. Straightforward, isn’t it!

Sunset at Gongguan Waterfront Plaza (公館水岸廣場), Taipei City, Taiwan.
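The Step 3 conversion trick as code, added here and not part of the original post: it turns an IPv4 router ID into a System ID and a NET, validates the inputs, and also reverses the mapping so a System ID seen in an IS-IS database can be traced back to the router's management address. The area and router IDs used are the ones from the post; the function names are mine.

```python
# Added example (not from the original post): the Cisco Live trick from Step 3,
# both directions. The mapping is injective (each octet keeps its own three
# digits), which is exactly why a unique IPv4 address yields a unique System ID.
import re

AFI_PRIVATE = "49"  # AFI 49 = locally administered, as used in the post's NET


def ipv4_to_system_id(router_id):
    """'10.0.0.1' -> '0100.0000.0001': zero-pad each octet to 3 digits, regroup by 4."""
    octets = router_id.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"not a dotted-quad address: {router_id!r}")
    values = [int(o) for o in octets]
    if any(v > 255 for v in values):
        raise ValueError(f"octet out of range in {router_id!r}")
    digits = "".join(f"{v:03d}" for v in values)          # 12 decimal digits
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))   # read as 3 x 4 hex digits


def system_id_to_ipv4(system_id):
    """'0100.0000.0001' -> '10.0.0.1' (inverse of ipv4_to_system_id).

    Only System IDs built by the trick (12 decimal-looking digits) can be
    reversed; a System ID containing A-F was not derived from an IPv4 address.
    """
    digits = system_id.replace(".", "")
    if not re.fullmatch(r"\d{12}", digits):
        raise ValueError(f"System ID was not derived from an IPv4 address: {system_id!r}")
    octets = [int(digits[i:i + 3]) for i in (0, 3, 6, 9)]
    if any(v > 255 for v in octets):
        raise ValueError(f"System ID does not map back to a valid IPv4 address: {system_id!r}")
    return ".".join(str(v) for v in octets)


def make_net(area_id, router_id, afi=AFI_PRIVATE):
    """Compose 49.[Area ID].[System ID].00 from an integer area and an IPv4 router ID."""
    if not 0 <= area_id <= 0xFFFF:
        raise ValueError("area ID must fit in 0000..FFFF")
    return f"{afi}.{area_id:04X}.{ipv4_to_system_id(router_id)}.00"


def parse_net(net):
    """Split a NET of the post's layout into (afi, area_id, system_id, nsel)."""
    m = re.fullmatch(
        r"(\d{2})\.([0-9A-Fa-f]{4})\.([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\.([0-9A-Fa-f]{2})",
        net,
    )
    if not m:
        raise ValueError(f"unrecognised NET layout: {net!r}")
    afi, area, system_id, nsel = m.groups()
    return afi, int(area, 16), system_id, nsel


if __name__ == "__main__":
    # 0.0.0.1 is the lab shortcut mentioned in the post's "One more thing".
    for rid in ("10.0.0.1", "10.0.0.2", "0.0.0.1"):
        print(rid, "->", make_net(7, rid))
```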

How do we repair a broken submarine fiber cable?

Apr 26, 2017


On April 22, 2017, one segment of Asia-Pacific Cable Network 2 (APCN2), which serves Taiwan’s major Internet connectivity with Japan, Europe, and America, was broken. According to some news sources, it might take one month just to fix this outage. I live in Taiwan, and I do feel the Internet speed became slow after this outage. I was wondering how the repair could take one month.

I want to know how to repair a broken submarine fiber cable. I searched on Google and I found this video. This video was created and published by TE SubCom. I summarize the key steps mentioned in this video, and I also added some of my own notes, all in this post. I hope this post together with the original video will help you to understand the repair operation as well.

How could the submarine fiber cable break in the first place?

Other than uncontrollable natural events such as earthquakes, most of the incidents are caused by humans. For example, a towed fishing net might tangle with the cable and snap it. Sometimes sea animals biting the cable might also damage it.

How to locate the broken spot?

In fact, we can use an Optical Time-Domain Reflectometer (OTDR) to measure the cable length to the broken spot from a known location first, and then determine this spot according to the cable run map.

Repairing steps in this video

Cutting grapnel deployed on seabed to cut target cable. (0:23)
Holding grapnel deployed on seabed for recovery of cable end. (0:37)
Cable end recovered to cable repair ship. (0:50)
Buoy launched to mark end of cable. (0:56) I call it End A.
Holding grapnel deployed to recover second cable end. I call it End B. (1:42)
Cable end is recovered and brought to shipboard jointing shop. (2:02)
Initial splice: spare cable is spliced to recovered cable end. (2:11) I believe in this step we must also examine the recovered cable end and cut off and remove the damaged portions of the cable. Here I call the new End B as End B’. After this step, End B’ is spliced to one end of the spare cable.
Millenia Cable Joint Assembly. (2:53) I believe this is special hardware to protect the cable joint.
Cable joint and spare cable are deployed as repair ship moves to recover cable buoy. (3:07)
Cable repair ship is positioned to recover buoy and first cable end. That is, End A. (3:16)
Cable ship using dynamic positioning to maneuver. I believe this is to ensure the cable slack. (3:31)
Final cable splice: first cable end is spliced to the end of the spare cable. That is, End A is spliced to the other end of the spare cable. (4:32)
Millenia Cable Joint Assembly. (4:42)
Final splice deployment. (4:53)
Repair complete: final splice released. (5:07)

One more thing…

We need special repair ships first before we can do anything to repair the broken cable. However, few such ships are standing by around the globe. It would take days or even weeks just to move one such ship to the location of the repair.

We must always include backup paths of cables when we design a submarine fiber cable system. This is what I learned first.

Second, we also know that each spliced joint adds attenuation to the signal strength. When enough repair and splicing operations have been done on the fiber, the whole fiber would become unusable and thus be at the end of its life.

That is, any submarine fiber cable has a limited lifetime. We must be prepared to replace the whole fiber cable when it reaches the end of its lifetime.

Clear configured allowed VSAN list on trunk ports of Cisco MDS

Mar 28, 2017


A friend asked a good question about how this command works on a Cisco MDS Fibre Channel switch: “switchport trunk allowed vsan all”.

To my surprise, I cannot find any specific official document that explains it clearly. I did some experiments on one Cisco MDS 9148. And here is my conclusion.

Bay, beach, and cliff near Chung-De Station (崇德海灣). Hualian County, Taiwan.

To clear the whole allowed VSAN list and make every VSAN allowed at the same time, use “switchport trunk allowed vsan all” in interface configuration mode.

To clear the whole allowed VSAN list and make every VSAN NOT allowed at the same time, use “no switchport trunk allowed vsan all”, in interface configuration mode as well.

Otherwise, just use the “switchport trunk allowed vsan” or “switchport trunk allowed vsan add” commands to edit the allowed VSAN list.

One more thing…

To edit the allowed VSAN list, remember to use the “switchport trunk allowed vsan” command first, before any “switchport trunk allowed vsan add” commands.

On a production network, remember to maintain the allowed VSAN list instead of allowing every new VSAN, just in case you created unnecessary VSANs by typing errors and they might have negative impacts on your MDS performance.

Cisco IOS/IOS XE Vulnerability announced. Disable TELNET fast

Mar 22, 2017


This is just a short notice for you in case you are not aware of it. Cisco announced a vulnerability in the Cisco IOS and IOS XE operating systems. In short, you only have to disable the incoming TELNET service on the router itself to avoid this vulnerability. You can use Secure Shell (SSH) instead for remote management. SSH is not affected by this problem.

The Jin-Dai Bridge (錦帶橋) in Dahu Park (大湖公園). Taipei City, Taiwan.

You can read the original announcement for technical details:

Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability

One more thing…

You can disable the TELNET service and enable SSH at the same time with this command, under the vty lines:

transport input ssh

You can list the listening ports with these commands:

show control-plane host open-ports
show tcp brief

Do more with “the same”

Aug 24, 2016


To emphasize the effectiveness of a new tool, we always hear some people say it would make you “do more with less”. This is so attractive to Chief Officers. How would the other staff think about this?

Dongshan River Water Park (冬山河親水公園). The venue of Yilan International Children's Folklore and Folkgame Festival (YICFFF, 宜蘭國際童玩藝術節). Yilan County, Taiwan.

The problem of “do more with less”

With the word “less”, what does that mean? Does that imply we don’t need that much budget anymore? Does that imply we don’t need more hardware? Does that imply the workforce would be cut down?

Under a not-so-good economic situation, cutting the workforce means people would lose their jobs. In the end, I might not welcome such a new good tool, and I might defend myself against it.

It is really a sad story when an effective new tool X becomes an enemy to the people it is going to help.

How about, with the same, we can do more

My suggestion is we change the phrase a little bit; maybe it would not be so offensive to working staff this way.

Do more, with the same.

That means, we don’t have to reduce budgets. We still need to buy new things. And most important of all, we would not lose our jobs even if we embrace the new tool.

We all still understand this new tool is so effective, because we can still “do more”.

Embrace new tools, enable business growth

For example, assume we needed 100 staff to take good care of 10 large data centers before. After we add new tool X, we can now take good care of 1,000 large data centers with exactly the same 100 staff.

With this changed mindset, we don’t need to avoid new automation tools any more. We can now live happily together with the new tools.

The Chief Officers still achieve their business growth. This is a win-win situation.

One more thing...

New tools would save us a lot of time. What can we do then with that extra time?

Of course, you could spend more time browsing my website. Or, you now have enough time to watch all the videos on the Cisco Live website.

All photos in this post were taken here:

CCNA v3 Exam is cheaper than v2

May 18, 2016


I create this post just to remind you in case you did not notice it yet.

Shihmen Dam (石門水庫), Taoyuan City, Taiwan. (Wikipedia)

Version 3 Exam costs $250

The CCNA Routing & Switching Version 3 exam now costs US$ 250. This is good news because in v2 the exam cost was US$ 295. That is, the new exam is US$ 45 less than before.

This is great! Isn’t it!

You can take v3 now

Just like before, you can now book the CCNA v3 exam on VUE.com. The new exam code for v3 is “200-125”.

If you cannot find this exam on the list, remember to search inside the VUE search box with exam code “200-125”.

Last day for v2 is August 20, 2016

If you have to stick to the v2 exam, you should remember one thing. The last day to take the v2 exam is August 20, 2016, this year. You only have a couple of months left to pass this v2 exam.

One more thing…

Are you preparing for the CCNA exam? What is the most difficult topic for you to study? Remember to share your story with me in the comments below!

Source: "CCNA Routing and Switching" on Cisco.com

Diffie and Hellman Receive Turing Award 2015

May 3, 2016


When we study IPsec, we know Mr. Diffie and Mr. Hellman invented a method in 1976 that is the core of Internet Key Exchange (IKE) for creating a mutually shared secret. We also have to specify and configure the DH Group Number in ISAKMP policy sets (crypto-map in Cisco IOS).

A.M. Turing Award Logo. Captured on ACM Official Website.

I am not going to dig into the details of the mathematics behind the Diffie-Hellman method. I just want you to know Mr. Diffie and Mr. Hellman received the Turing Award 2015 together.

Photo of Whitfield Diffie, captured on ACM Official Website.

Photo of Martin E. Hellman, captured on ACM Website.

The A.M. Turing Award of the Association for Computing Machinery (ACM) is the highest honor in computer science, just like the Nobel Prize in other fields of science.

This was released on March 1, 2016.

One more thing…

In case you want to know more about the Diffie-Hellman method, I found one video on YouTube that is quite helpful for understanding it more.

Have fun!

Increase iPhones’ battery life by removing unnecessary IPv6 multicast Router Advertisements

Feb 23, 2016


I came across a new RFC 7772: “Reducing Energy Consumption of Router Advertisements”. I want to share my learnings after reading this RFC.

Internet Engineering Task Force (IETF) Logo, captured on Wikipedia.

I intentionally mentioned “iPhone” in the subject to get your attention. Actually, the whole discussion applies to any mobile device with limited battery capacity, such as smart phones and tablet computers.

It is quite obvious mobile devices consume more power while awake than asleep. The question is how serious this problem is.

The problem

Although the authors of this RFC did not mention how they got these numbers, I believe the numbers must be typical and derived from actual lab measurements.

While asleep, a mobile device would consume 5 mA of current. While awake, on the other hand, it would consume 40 times more. That is 200 mA.

A single Router Advertisement (RA) will wake up the target mobile device. A single multicast RA to all hosts will wake up ALL the mobile devices attached to the same subnet.

Remember, the power capacity of mobile devices is so limited. The more power consumption we can save, the more battery time we will have for every mobile device attached to the same IPv6 subnet.

Reasonable RA frequency: 7 RAs per hour

Here I want to emphasize the word “reasonable”. To keep IPv6 working, we do need RAs to push and refresh network information to mobile devices. But if nothing changed at the network, why keep sending so many unnecessary RAs just to wake mobile devices up and waste battery capacity?

Here is a reasonable goal: 2% of idle power consumption.

Assume we want to achieve the goal: we do not want RAs to consume more than 2% of the idle (sleeping) power consumption of every mobile device. After some calculations, we know the reasonable frequency for RAs is no more than 7 RAs per hour.

Here is the calculation.

A typical wakeup high-power-consumption surge mentioned in this RFC would last for 250 ms. That is, the battery capacity consumed by the wakeup triggered by a single RA is:

{battery capacity consumed for a single RA wakeup, in mAh} = 200 mA x 250 ms / 1 hour = 200 x 250 / 3,600,000 = 0.0138888… ≈ 0.014 mAh

To calculate the idle (asleep) power consumption, I assume the device stays asleep for the whole hour. This is the total budget for me to meet.

{2% of the idle (asleep) power consumption of battery capacity for an hour, in mAh} = 2% x 5 mA x 1 hour = 0.02 x 5 x 1 mAh = 0.1 mAh

{reasonable number of wakeups without exceeding the budget} = 0.1 / 0.014 ≈ 7

I have to be honest, I did not expect this number to be this small. The default IPv6 RA interval is 200 seconds on Cisco IOS routers. That is equivalent to 18 RAs per hour. I believe configuring the interval to roughly 600 seconds would be a better idea.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/command/ipv6-cr-book/ipv6-i3.html#wp3911380069

The default interval between IPv6 RA transmissions is 200 seconds.

Note: the lifetime of each RA should be 5 to 10 times this interval. This is also mentioned in this RFC as roughly 45~90 minutes.

Recommendations at the network side

I will just focus on the network side.

To implement the recommendations of Sections 5.1.1 and 5.1.2 of this RFC, I found one interesting command on Cisco’s web site.

The command is:

interface E0/0
 ipv6 nd ra solicited unicast

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/command/ipv6-cr-book/ipv6-i3.html#wp5031733970

Large networks with a high concentration of mobile devices might experience like battery depletion, when solicited Router Advertisement messages are multicast. Use the ipv6 nd ra solicited unicast to unicast solicited Router Advertisement messages extend battery life of mobile device in the network.

Most IPv6 end devices could send out a Router Solicitation even when their own link-local addresses are not determined yet. In that case, the RAs replying to such Router Solicitations would be destined to the all-hosts multicast address. After enabling this feature, the router would ignore all such Router Solicitations. End devices can still get their global IPv6 prefix because after determining their own link-local addresses, they can send out an RS again, and at this moment the router will respond to them because these RSs are sourced from unicast addresses.

For a stable network, we should keep the RA interval as large as possible to save more power on mobile devices. Here is a sample configuration on Cisco IOS routers.

interface ethernet 0/0
 ipv6 nd ra interval 600
 ipv6 nd ra lifetime 2700

Here I use 45 minutes (2700 seconds) as a reasonable RA lifetime.

We should consider increasing the frequency ONLY when we are changing network topology or renumbering addresses. Most of the time, we should stay below 7 RAs per hour as a reasonable configuration.

Zhuifen Station (追分車站) (Google Maps). Taichung City, Taiwan.

One more thing…

Increasing RA frequency indeed helps to push network changes much faster to all end devices. For devices without battery capacity concerns, such as desktop computers, this advantage would outweigh the power consumption.

My personal suggestion is we should put mobile devices with limited battery capacity in separate IPv6 subnets, and enable the recommendations discussed in this post only on such subnets.

Update your Cisco ASA OS ASAP!

Feb 16, 2016


I just want to make sure you have known this news and updated your Cisco ASA OS already.

Cisco announced a "critical" vulnerability in Cisco ASA OS and released patched OS versions at the same time. Hackers could make use of this vulnerability to gain control of your Cisco ASA.

The first fixed version of ASA OS for this problem. Screen captured on Cisco's web site.

Vulnerable Products

Cisco ASA Software is affected by this vulnerability if the system is configured to terminate IKEv1 or IKEv2 VPN connections. This includes the following:

LAN-to-LAN IPsec VPN
Remote access VPN using the IPsec VPN client
Layer 2 Tunneling Protocol (L2TP)-over-IPsec VPN connections
IKEv2 AnyConnect

Cisco ASA Software can be downloaded from the Software Center on Cisco.com by visiting http://www.cisco.com/cisco/software/navigator.html.

The full details about this vulnerability and the patched OS are on Cisco's official web site:

Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability (CVE-2016-1287)

One more thing...

I learned one lesson several years ago. Around 2003, I secretly installed a SQL server right in my house. I thought I was the only one who knew I had installed that SQL server, and I was the only one who knew my public IP address. I put that server on the public Internet side so I could get back to it any time I wanted.

However, I was wrong. Within just 12 hours, hackers found and broke into my SQL server.

The key lesson I learned is, if I tried again to put some hardware or software with an unfixed vulnerability on the public Internet, the survival time for it would be far less than 12 hours. Remember, it was only year 2003.

Go patch up your Cisco ASA OS ASAP!

Cisco IOS OSPF Hidden Command: show ip ospf route

Oct 13, 2015


I saw this Cisco IOS hidden command show ip ospf route for OSPF in this post. I tried to create a running example for myself so I can learn more about this hidden command.

【Output at R4】

R4#show ip ospf route

            OSPF Router with ID (1.0.0.4) (Process ID 1)

                Base Topology (MTID 0)

    Area 4

    Intra-area Route List

*   4.0.1.0/24, Intra, cost 64, area 4, Connected
      via 4.0.1.4, Serial1/0
*   4.0.2.0/24, Intra, cost 64, area 4, Connected
      via 4.0.2.4, Serial1/1

    Intra-area Router Path List

i 1.0.0.2 [64] via 4.0.2.2, Serial1/1, ABR, Area 4, SPF 8
i 1.0.0.1 [64] via 4.0.1.1, Serial1/0, ABR, Area 4, SPF 8

    Inter-area Route List

*>  3.0.1.0/24, Inter, cost 128, area 4
      via 4.0.1.1, Serial1/0
*>  3.0.2.0/24, Inter, cost 128, area 4
      via 4.0.2.2, Serial1/1
*>  3.0.0.3/32, Inter, cost 129, area 4
      via 4.0.2.2, Serial1/1
      via 4.0.1.1, Serial1/0
R4#
R4#show ip ospf database

            OSPF Router with ID (1.0.0.4) (Process ID 1)

                Router Link States (Area 4)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.0.0.1         1.0.0.1         632         0x80000006 0x00F099 2
1.0.0.2         1.0.0.2         946         0x80000008 0x000D76 2
1.0.0.4         1.0.0.4         1512        0x80000007 0x006E64 4

                Summary Net Link States (Area 4)

Link ID         ADV Router      Age         Seq#       Checksum
3.0.0.3         1.0.0.1         632         0x80000003 0x00BD34
3.0.0.3         1.0.0.2         682         0x80000003 0x00B739
3.0.1.0         1.0.0.1         632         0x80000003 0x00C62E
3.0.1.0         1.0.0.2         946         0x80000003 0x004370
3.0.2.0         1.0.0.1         632         0x80000003 0x003E75
3.0.2.0         1.0.0.2         946         0x80000003 0x00B53D
R4#

【Output at R1】

R1#show ip ospf route

            OSPF Router with ID (1.0.0.1) (Process ID 1)

                Base Topology (MTID 0)

    Area BACKBONE(0)

    Intra-area Route List

*   3.0.1.0/24, Intra, cost 64, area 0, Connected
      via 3.0.1.1, Serial1/0
*>  3.0.2.0/24, Intra, cost 128, area 0
      via 3.0.1.3, Serial1/0
*>  3.0.0.3/32, Intra, cost 65, area 0
      via 3.0.1.3, Serial1/0

    Intra-area Router Path List

i 1.0.0.2 [128] via 3.0.1.3, Serial1/0, ABR, Area 0, SPF 3

    Area 4

    Intra-area Route List

*   4.0.1.0/24, Intra, cost 64, area 4, Connected
      via 4.0.1.1, Serial1/1
*>  4.0.2.0/24, Intra, cost 128, area 4
      via 4.0.1.4, Serial1/1

    Intra-area Router Path List

i 1.0.0.2 [128] via 4.0.1.4, Serial1/1, ABR, Area 4, SPF 9
R1#
R1#show ip ospf database

            OSPF Router with ID (1.0.0.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.0.0.1         1.0.0.1         703         0x80000004 0x00CCC2 2
1.0.0.2         1.0.0.2         1019        0x80000006 0x00E89F 2
1.0.0.3         1.0.0.3         617         0x80000008 0x00368C 5

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
4.0.1.0         1.0.0.1         703         0x80000003 0x00B93A
4.0.1.0         1.0.0.2         1534        0x80000004 0x00347D
4.0.2.0         1.0.0.1         1729        0x80000004 0x002F82
4.0.2.0         1.0.0.2         1019        0x80000003 0x00A849

                Router Link States (Area 4)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.0.0.1         1.0.0.1         703         0x80000006 0x00F099 2
1.0.0.2         1.0.0.2         1019        0x80000008 0x000D76 2
1.0.0.4         1.0.0.4         1585        0x80000007 0x006E64 4

                Summary Net Link States (Area 4)

Link ID         ADV Router      Age         Seq#       Checksum
3.0.0.3         1.0.0.1         703         0x80000003 0x00BD34
3.0.0.3         1.0.0.2         755         0x80000003 0x00B739
3.0.1.0         1.0.0.1         703         0x80000003 0x00C62E
3.0.1.0         1.0.0.2         1019        0x80000003 0x004370
3.0.2.0         1.0.0.1         703         0x80000003 0x003E75
3.0.2.0         1.0.0.2         1019        0x80000003 0x00B53D
R1#

【My Observation】

From my observation, this command is helpful when I am not familiar with other OSPF commands such as “show ip ospf database”. This command provides more readable information about the IP prefixes themselves, instead of cryptic link state objects.

Because this is a hidden command, do not rely on it when you are preparing for exams.

【My Configurations】

! R1
hostname R1
interface Loopback0
 ip address 1.0.0.1 255.255.255.255
!
interface Serial1/0
 ip address 3.0.1.1 255.255.255.0
 no shutdown
!
interface Serial1/1
 ip address 4.0.1.1 255.255.255.0
 no shutdown
!
router ospf 1
 network 3.0.0.0 0.0.255.255 area 0
 network 4.0.0.0 0.0.255.255 area 4
!

! R2
hostname R2
!
interface Loopback0
 ip address 1.0.0.2 255.255.255.255
!
interface Serial1/0
 ip address 3.0.2.2 255.255.255.0
 no shutdown
!
interface Serial1/1
 ip address 4.0.2.2 255.255.255.0
 no shutdown
!
router ospf 1
 network 3.0.0.0 0.0.255.255 area 0
 network 4.0.0.0 0.0.255.255 area 4
!

! R3
hostname R3
interface Loopback0
 ip address 1.0.0.3 255.255.255.255
!
interface Loopback1
 ip address 3.0.0.3 255.255.255.0
!
interface Serial1/0
 ip address 3.0.1.3 255.255.255.0
 no shutdown
!
interface Serial1/1
 ip address 3.0.2.3 255.255.255.0
 no shutdown
!
router ospf 1
 router-id 1.0.0.3
 network 3.0.0.0 0.0.255.255 area 0
!

! R4
interface Loopback0
 ip address 1.0.0.4 255.255.255.255
!
interface Serial1/0
 ip address 4.0.1.4 255.255.255.0
 no shutdown
!
interface Serial1/1
 ip address 4.0.2.4 255.255.255.0
 no shutdown
!
router ospf 1
 network 4.0.0.0 0.0.255.255 area 4
!

Skin-removed persimmons are to be air-dried. This is a traditional Hakka sweet. Photographed at this farm (味衛佳觀光果園) in Hsinpu Township, Hsinchu County, Taiwan.

Checking system-wide uptime on several Cisco hardware platforms

Jun 21, 2015


We all know that adding redundant supervisors/CPUs to a system increases its uptime. With In-Service Software Upgrade (ISSU), Cisco hardware even allows us to upgrade the operating system software on the fly without stopping the whole system.

Flowers of Cassia fistula were blooming across southern Taiwan from mid-May. This photo was taken around this location in Baihe District, Tainan City, Taiwan.

An interesting question might be asked: does Cisco hardware keep track of system uptime even across supervisor/CPU failover events? And how do we display the system uptime, in addition to the individual supervisor/CPU uptime? I spent some time on this and summarize my findings in this post.

[Cisco NX-OS on Nexus 7000 and MDS 9500]

On NX-OS, the command that displays system uptime, on both Nexus 7000 and MDS 9500, is "show system uptime".

For Cisco MDS 9500, the official web site gives a clear example.
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/clibook/ha.html#pgfId-1120592

switch# show system uptime
System start time: Fri Aug 27 09:00:02 2004
System uptime: 1546 days, 2 hours, 59 minutes, 9 seconds
Kernel uptime: 117 days, 1 hours, 22 minutes, 40 seconds
Active supervisor uptime: 117 days, 0 hours, 30 minutes, 32 seconds

Read the three figures together: the system as a whole has been up for 1546 days, while the kernel on the active supervisor has only been up for 117 days. The supervisor was reloaded (by a switchover or an ISSU) without the system as a whole ever going down.

For Nexus 7000, the following link tells us "show system uptime" is a valid command there too.
http://docwiki.cisco.com/wiki/Cisco_Nexus_7000_Series_NX-OS_Troubleshooting_Guide_--_Troubleshooting_Installs,_Upgrades,_and_Reboots

However, that screen capture does not help to tell system uptime and supervisor uptime apart. I found a more meaningful example here.
http://ccie5851.blogspot.tw/2011/01/joys-of-issu-on-nexus-7000.html

cmhlab-dc2-sw2-otv1# show system uptime
System start time: Tue Oct 26 19:46:38 2010
System uptime: 89 days, 6 hours, 56 minutes, 26 seconds
Kernel uptime: 0 days, 0 hours, 29 minutes, 16 seconds
Active supervisor uptime: 0 days, 0 hours, 19 minutes, 56 seconds
cmhlab-dc2-sw2-otv1#

[Cisco IOS on Catalyst 6500 and Catalyst 4500]

The command for Cisco IOS platforms such as Catalyst 6500 and 4500 is "show redundancy". The system-wide figure is "Available system uptime"; each supervisor's own figure is its "Uptime in current state".
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/71585-cat6k-red-supeng-swimg-upg.html

Router#show redundancy
Redundant System Information :
------------------------------
       Available system uptime = 34 minutes
Switchovers system experienced = 1
              Standby failures = 0
        Last switchover reason = unsupported

                 Hardware Mode = Duplex
    Configured Redundancy Mode = Stateful SwitchOver - SSO
     Operating Redundancy Mode = Stateful SwitchOver - SSO
!--- This verifies that software has set the redundancy mode
!--- back to SSO after the software upgrade.
              Maintenance Mode = Disabled
                Communications = Up

Current Processor Information :
-------------------------------
               Active Location = slot 6
        Current Software state = ACTIVE
       Uptime in current state = 4 minutes
                 Image Version = Cisco Internetwork Operating System Software
IOS (tm) MSFC2A Software (C6MSFC2A-IPBASE_WAN-M), Version 12.2(18)SXF6, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Mon 18-Sep-06 17:17 by tinhuang
                          BOOT = bootflash:c6msfc2a-ipbase_wan-mz.122-18.SXF6.bin,1;
                   CONFIG_FILE =
                       BOOTLDR =
        Configuration register = 0x2102

Peer Processor Information :
----------------------------
              Standby Location = slot 5
        Current Software state = STANDBY HOT
       Uptime in current state = 3 minutes
                 Image Version = Cisco Internetwork Operating System Software
IOS (tm) MSFC2A Software (C6MSFC2A-IPBASE_WAN-M), Version 12.2(18)SXF6, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Mon 18-Sep-06 17:17 by tinhuang
                          BOOT = bootflash:c6msfc2a-ipbase_wan-mz.122-18.SXF6.bin,1;
                   CONFIG_FILE =
                       BOOTLDR =
        Configuration register = 0x2102

The same command applies to Catalyst 4500, although the screen capture in the guide is not a good one.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/RPR.html

[Cisco IOS XR, ASR 9000]

The command for ASR 9000 is again "show redundancy".
http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-2/rommon/configuration/guide/b_rommon_cg_42asr9k/b_rommon_cg_42asr9k_chapter_0101.html#ID2119

RP/0/RSP1/CPU0:router# show redundancy
Redundancy information for node 0/RSP1/CPU0:
==========================================
Node 0/RSP1/CPU0 is in ACTIVE role
Partner node (0/RSP0/CPU0) is in STANDBY role
Standby node in 0/RSP0/CPU0 is ready
Standby node in 0/RSP0/CPU0 is NSR-ready

Reload and boot info
----------------------
A9K-RSP-4G-HDD reloaded Thu Dec 11 14:50:47 2008: 2 hours, 41 minutes ago
Active node booted Thu Dec 11 17:15:15 2008: 16 minutes ago
Last switch-over Thu Dec 11 17:19:29 2008: 12 minutes ago
Standby node boot Thu Dec 11 17:28:56 2008: 3 minutes ago
Standby node last went not ready Thu Dec 11 17:30:02 2008: 2 minutes ago
Standby node last went ready Thu Dec 11 17:31:02 2008: 1 minute ago
There has been 1 switch-over since reload
RP/0/RSP1/CPU0:router#

One more thing. I also found an example for Cisco ASA.

[Cisco ASA Cluster]

A Cisco ASA appliance does not provide system-wide redundancy inside a single box; it only provides cluster-wide (pair-wide) redundancy through failover. The "show version" output below shows that ASA keeps track of the pair's uptime ("failover cluster up") in addition to the uptime of the individual box.
https://supportforums.cisco.com/discussion/11291816/failover-cluster-uptime

asa-firewall> sh ver

Cisco Adaptive Security Appliance Software Version 8.2(1)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"

asa-firewall up 2 days 22 hours
failover cluster up 1 year 79 days

Hardware:   ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz

Why did I write this post? If I can show the system-wide (or cluster-wide) uptime in addition to the uptime of a single piece of hardware, I have something much more persuasive for the people who make buying decisions: traffic through this system (or cluster) has not stopped at all for that long.

One caveat when you quote these numbers: a long system uptime is only good news when the kernel/supervisor figures show that software actually got upgraded along the way. A kernel or supervisor uptime equal to the system uptime means the box has run the same code since it was powered on, and the longer that is, the more unpatched it is.

By the way, what is the "longest" system or cluster uptime you have ever seen? Please share your experiences with me in the comments! Thank you so much!
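To read these figures the same way across platforms, here is an added Python example (mine, not code from the post or from Cisco) that parses the uptime fields out of the NX-OS "show system uptime", Catalyst IOS "show redundancy" and ASA "show version" outputs quoted above and classifies each system-wide/component pair. The samples are copied from the outputs above, trimmed to the relevant lines; treating a "year" in the ASA output as 365 days is an assumption of the example.

```python
"""Pull system-wide vs. per-component uptime out of three Cisco CLI outputs
(NX-OS 'show system uptime', IOS 'show redundancy', ASA 'show version') and
say what the pair of numbers means. Added example; not code from the post."""
import re

# Constructed samples: lines copied from the outputs quoted in the post, trimmed.
NXOS_MDS = """\
switch# show system uptime
System start time: Fri Aug 27 09:00:02 2004
System uptime: 1546 days, 2 hours, 59 minutes, 9 seconds
Kernel uptime: 117 days, 1 hours, 22 minutes, 40 seconds
Active supervisor uptime: 117 days, 0 hours, 30 minutes, 32 seconds
"""

IOS_CAT6K = """\
Router#show redundancy
Redundant System Information :
------------------------------
       Available system uptime = 34 minutes
Switchovers system experienced = 1
Current Processor Information :
        Current Software state = ACTIVE
       Uptime in current state = 4 minutes
Peer Processor Information :
        Current Software state = STANDBY HOT
       Uptime in current state = 3 minutes
"""

ASA_VER = """\
asa-firewall> sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
asa-firewall up 2 days 22 hours
failover cluster up 1 year 79 days
"""

# Assumption: a "year" in ASA output is taken as 365 days.
UNITS = {"year": 365 * 86400, "day": 86400, "hour": 3600, "minute": 60, "second": 1}
DUR_RE = re.compile(r"(\d+)\s*(year|day|hour|minute|second)s?")


def to_seconds(text):
    """'1546 days, 2 hours, 59 minutes, 9 seconds' or '1 year 79 days' -> seconds."""
    return sum(int(n) * UNITS[unit] for n, unit in DUR_RE.findall(text))


def parse_nxos_uptime(output):
    """NX-OS: 'system', 'kernel' and 'active_supervisor' uptime in seconds."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"^(System|Kernel|Active supervisor) uptime:\s*(.+)$", line)
        if m:
            fields[m.group(1).lower().replace(" ", "_")] = to_seconds(m.group(2))
    return fields


def parse_ios_redundancy(output):
    """IOS: 'system' (Available system uptime), 'switchovers', plus one entry per
    processor keyed by its software state ('active', 'standby hot')."""
    fields, state = {}, None
    for line in output.splitlines():
        line = line.strip()
        if m := re.match(r"^Available system uptime\s*=\s*(.+)$", line):
            fields["system"] = to_seconds(m.group(1))
        elif m := re.match(r"^Switchovers system experienced\s*=\s*(\d+)$", line):
            fields["switchovers"] = int(m.group(1))
        elif m := re.match(r"^Current Software state\s*=\s*(.+)$", line):
            state = m.group(1).lower()
        elif (m := re.match(r"^Uptime in current state\s*=\s*(.+)$", line)) and state:
            fields[state] = to_seconds(m.group(1))
    return fields


def parse_asa_uptime(output):
    """ASA: 'unit' (this box) and 'failover_cluster' (the pair) uptime in seconds."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"^(.+?) up (.+)$", line)
        if m:
            key = "failover_cluster" if m.group(1) == "failover cluster" else "unit"
            fields[key] = to_seconds(m.group(2))
    return fields


def assess(system_s, component_s):
    """Compare the system-wide figure with the active component's figure.
    survived_switchover: the system outlived its current active supervisor/unit,
        so a failover or ISSU happened without the system as a whole going down.
    never_reloaded: both figures match, so no supervisor reload (and so no ISSU)
        has happened since the system started; the code is as old as the uptime.
    anomalous: component older than the system, which should not occur."""
    if component_s > system_s:
        return "anomalous"
    if component_s == system_s:
        return "never_reloaded"
    return "survived_switchover"


if __name__ == "__main__":
    nx = parse_nxos_uptime(NXOS_MDS)
    print("NX-OS:", nx, assess(nx["system"], nx["active_supervisor"]))
    ios = parse_ios_redundancy(IOS_CAT6K)
    print("IOS:", ios, assess(ios["system"], ios["active"]))
    asa = parse_asa_uptime(ASA_VER)
    print("ASA:", asa, assess(asa["failover_cluster"], asa["unit"]))
```

All three quoted outputs come back as survived_switchover, which is the figure worth showing a buyer. A never_reloaded result on a box with years of uptime is the one to ask questions about rather than to brag about.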
