Load-Sharing on the SAME router

Load-balance-1router-2Assume you have either of the following setups. A single router (R3) with multiple links, either to the same upstream router (R2) or to 2 different upstream routers(R2+R4). And you want to load-share traffic across both links outbound (direction from left to right). Obviously the routing table needs multiple outgoing links as next-hops to perform the desired balancing. The command maximum-paths specifies how many paths or next hops are allowed per prefix in the routing table for a specific routing protocol, else default behavior dictates only the best route from each routing protocol which are candidate for insertion into the routing table.

Since the links terminate on the same router (R3) you have the following options:

  1. Per-Destination Load-Sharing using Fast Switching
  2. Per-Source-Destination Load-Sharing using CEF
  3. Per-Packet Load-Balancing using Process Switching
  4. Per-Packet Load-Balancing using CEF

You need to be aware that IOS makes switching decisions based on the configuration of the inbound interface first. If CEF is configured on an inbound interface, the packets will be CEF switched regardless of the configuration on the outbound interface. CEF is ONLY used if  enabled on the inbound interface. If CEF is not configured on the inbound interface, the configuration of the exit interface determines the switching method. The following table illustrates the different behaviors:

Inbound Configuration Outbound Configuration Switching Method Used
CEF Process CEF
Fast Fast Fast
Fast CEF Fast
Fast Process Process
Process Process Process
Process CEF Fast
Process Fast Fast

Refer to the following article, for more info about the Switching Types and how to enable each.

Continue reading “Load-Sharing on the SAME router”

Load-sharing vs Load-balancing

The terminology load sharing vs. load balancing are commonly misunderstood terms in the networking industry.  Most people use the term load-balancing when they in fact referring to load sharing.

So what is Load Balancing?

Definition: Load balancing is a concept that aims to make a network more efficient. Load balancing distributes of traffic load evenly across a network with multiple-paths, in order to get optimal resource utilization, maximize throughput and minimize response time. Thus load-balancing will split the traffic down the configured paths equally towards the destination. E.g., with two 768 kpbs links and 800 kpbs traffic at any point, conceptually with load-balancing each path should have 400 kpbs worth of traffic. But is that what happens?

How does Load Sharing differ?

Definition: Load sharing is inherent to the forwarding process of a router to share the forwarding of traffic, if the routing table has multiple paths to a destination. If equal paths, the forwarding process will decide the manner of forwarding and forward packets based on the load-sharing algorithm used. This still bears the possibility of unbalanced forwarding. If unequal paths, the traffic is distributed inversely proportionally to the cost of the routes. That is, paths with lower costs (metrics) are assigned more traffic, and paths with higher costs are assigned less traffic. Continue reading “Load-sharing vs Load-balancing”

Understanding CEF

What is CEF?

Definition from Cisco.com :

Cisco Express Forwarding (CEF) is advanced, Layer 3 IP switching technology. CEF optimizes network performance and scalability for networks with large and dynamic traffic patterns, such as the Internet, on networks characterized by intensive Web-based applications, or interactive sessions.

To understand this better, one has to understand why and how CEF came about.  With Cisco IOS  there are different Switching Methods, that define how packets are forwarded through a router. The first method, which happens to be the oldest and slowest is Process-Switching. Alternatively when  packets arrive, the interface processor can interrupt the central CPU and asks it to switch the packet according to a route cache or switching table. That cache or table can be built in several ways, the two of interest here are Fast-Switching and CEF.

Continue reading “Understanding CEF”

R&S Quick Notes – Security & IP Services


  • Know how to use extended access-lists in distribute-lists, see Brian McGahan article @INE.
  • Know how to use extended access-lists instead of prefix-lists, see Brian Dennis article @ INE.
  • Know your binary voodoo as Scott Morris @ INE calls it,  PartI & PartII.
  • Dont forget to allow IGP’s, BGP, Multicast , IPv6 and any other needed protocols when adding ACL to a interface.
  • Know when to use the “established” keyword.
  • When matching Multicast traffic in a extended ACL, remember that Multicast traffic can NEVER be a source.
  • Allowing Telnet to a local router on a port other then 23: Option 1- Rotary command or Option 2- Port NAT.
  • NBAR can be used if you not forbidden from using ACL’s.  You can also map undefined custom ports with “ip nbar port-map custom”
  • Dynamic ACL time-outs specified in the acl:  “dynamic NAME timeout {x} permit tcp any any eq 80”.
  • When configuring SSH, don’t forget to specify a Domain-name and generate your RSA keys.


  • “no service config” – Disables the router from auto-answering for tftp config files
  • WCCP uses udp port 2048 and protcol 47-GRE
  • If talk about router discovery > IRDP
  • DNS server config : “ip dns server” & “ip host”
  • DNS client config : “ip domain-lookup” & “ip name-server”
  • DHCP stands for Dont Hit Computer People
  • DHCP option-82 = dhcp-relay.
  • DHCP option-66 = Hand out IP address off TFTP server
  • When configuring DHCP and earlier in the swithcing section you configured DHCP snooping you must enable the port connecting to the DHCP server as trusted.
  • Incase DHCP was configured you need either “no ip dhcp snooping info option” on the switch OR “ip dhcp relay information trust” on the dhcp router.
  • HSRP timers only need to be configure on one of the participating routers.
  • HSRP uses UDP port 1984.
  • When using HSRP with earlier configured port-security, you might need to allow you HSRP MAC 0000.0c07.acxx – where XX is the group number in hex.

Converting IPv4 to IPv6 and back

Converting from IPv4 to IPv6

is so easy, yet everyone seem to convert a IPv4 address to binary, then to IPv6. Why? Why waste time and do things the long way? Not cool.

When would you need to do this? One specific use is IPv6 6-to-4 tunnels, which always concatenates 2002::/16 with the IPv4 address embedded.
With Automatic 6-to-4-tunnels, your address format is as follow:
2002:<32 bit IPv4 site address in Hex>:<16 bit network number in Hex>::/64

The question is how to do the conversion.

Firstly before starting I will assume everyone knows the following:

  • Binary is a Base-2 numbering system, as it has only 0,1
  • Decimal is a Base-10 numbering system, as it has 0,1,2,3,4,5,6,7,8,9
  • Hexadecimal is a Base-16 numbering system, as it has 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F

I also assume you know the hex values in decimal:

A = 10
B = 11
C = 12
D = 13
E = 14
F = 15

Two more things I would like to mention before explaining the conversion.
An IPv4 address : example

  • Each Octet (8 bits) “between the dot-thingys” denote 1 byte

An IPv6 address : example 2001:0db8:85a3:0000:0000:8a2e:0370:7334

  • Two Tuples (1 Tuple = 4 bits = 1 Hex character) denotes 1 byte

Then converting is easy. Lets take the following IPv4 address : and convert it to Hex.

Continue reading “Converting IPv4 to IPv6 and back”

ACL Editing

Let say you create the following numbered extended access-list:

access-list 123 permit tcp any any eq www
access-list 123 permit udp any any eq 54
access-list 123 permit tcp any any eq smtp
access-list 123 permit tcp any any eq pop3
access-list 123 permit udp any any eq syslog

As you type in the last line you release you made a typo, by entering UDP-54 instead of UDP-53. This is likely why most of us prefer using Named-ACL’s, because without sequence numbers in the ACL you can not remove that one entry, you have to remove the whole ACL. Although Named-ACL’s are handy, there are still times when you have to use a Numbered-ACL.

Continue reading “ACL Editing”

Accounting packets on the fly

Have you ever quickly needed to see how much traffic a host is sending/receiving or how much traffic is in a flow between hosts. IP accounting can easily provide the amount of packets and data for each source/destination pair.

By enabling the following under the interface:
R4#interface fa0/0
ip accounting output-packets

After a couple minutes, you should get a quick idea of the data flows

R4#sh ip accounting output-packets
Source          Destination     Packets  Bytes    2394     1410785    5119     6976939    662      194296   124      15048

ICMP Rate-Limit

Ever wonder why when you do a trace and the last hop shows timeouts?



This is due to a built-in Deniel-Of-Service protection mechanism, to limit the rate of transmitted ICMP packets out an Interface. The default value is one ICMP destination unreachable message per 500 milliseconds ( 1/2 second), this would be why 1 in 3 response from the destination appears as a timeout, since the destination router silently discards the second packet.

The following command allows you to change the interval at which ICMP unreachable messages are generated (1 packet every 100 ms):

R5#conf t
R5(config)#ip icmp  rate-limit  unreachable 100

The show and clear commands available, was only introduced in IOS 12.4(2).

clear ip icmp rate-limit
show ip icmp rate-limit


A trace route will then complete as you would expect:


Hung/Orphaned telnet sessions

If you have had your reverse telnet sessions timeout, or your remote connection lost, you might have come across the following error when trying to reconnect:

Translating "sw1"
Trying R1 (, 2002)...
% Connection refused by remote host


The happens because the sessions according to the router is still active and the inactive timeout has not yet expired. To fix this is easy, using the show line command you will see the active sessions marked with a “*”, like below:



In order to reconnect, you have to release the current active/orphaned sessions. Use the clear line {line number} command referencing the output from above.
IETS#clear line 2

IETS#clear line 3


Then once all the orphaned sessions are closed, you will be able to connect again.

Translating "sw1"
Trying SW1 (, 2002)... Open

Add to FacebookAdd to NewsvineAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to Ma.gnoliaAdd to TechnoratiAdd to Furl

History of Ping

Ever wondered where ping comes from? Who wrote it? When was it written? What it stand for?

From the experts to the noobs using it as a basic first line troubleshooting tool, to the non-technical people, just knowing the term appose to what it actually does, I think it is safe to say, that ping has become one of the most widely used terms in computer technology and networks.

Michael John Muuss
Michael John Muuss

MIKE MUUSS,  (pronounced “moose”) ‘A graduate of Johns Hopkins University, Muuss was a senior scientist specializing in geometric solid modeling, ray-tracing, MIMD architectures and digital computer networks at the United States Army Research Laboratory in Maryland when he died.’ –from WIKI–

Mike is the author PING for UNIX, a little thousand-line hack that Mike wrote one evening,  July 1983, from an idea that came about to measure path latency using timed ICMP Echo packets. PING is NOT an acronym, many believe PING is short for Packet Internet Groper, but this is not the case nor was Mike’s intention.

Mike named PING after the sounds a Sonar makes, due to operational simularities, in that ping uses timed IP/ICMP ECHO_REQUEST and ECHO_REPLY packets to probe the “distance” to the target machine. PING is included in every copy of UNIX® and Microsoft Windows®, putting it into nearly every computer on the planet.


Mike  also wrote a number of software packages (including architect of BRL-CAD) and network tools (including TTCP and the concept of the default route or “default gateway”) and contributed to many others (including BIND).

Sadly, Mike was killed in an automobile accident on US route 95 in Maryland, on November 20, 2000. His homepage is still available, a testament to his intellect and indomitable spirit. A true loss indeed.

ACL Object-groups now on Cisco IOS

A week of standby and late shift is not really permitting of time to blog.

Cisco IOS 12.4(20)T, have some neat new features. One in particular that I’m very excited about, is ACL Obect-groups. Object-groups were very popular and widely used on  PIX-OS.  It minimizes complex and large ACL configurations, in production environment tremendously.

Being able to group ACE entries into groups, you can easily, add/remove entries, while maintaining ordered and more readable ACL structure, while keeping the time spend on changes to a minimum. It provides a simple and intuitive mechanism for configuring and managing large ACLs, especially ones that frequently change.

You have two types of objects-groups: network object groups and service object groups.

Continue reading “ACL Object-groups now on Cisco IOS”

Cisco Terminal Server with ‘Menu’ command

To setup  a Cisco Terminal Server for your CCIE Lab you would require the following:
– Either a Cisco 2509/11 access router or 1841 with a HWIC-8A (8ports) or 28xx with a HWIC-16A (16ports) expansion card.
–  1 or 2 Octal Cables(CAB-HD8-ASYNC) to connect the Access Router(above) to every other router in your LAB, via their console ports.

To configure your Terminal Server you can setup just reverse telnet sessions with the ‘host’ command, but I prefer using the ‘Menu’ command, it looks a lot better and is more convenient to use.

This current lab setup is according to Internetwork Expert R&S Lab Workbook V4, so the menu config will be based on that. This is what is looks like:

The configuration is as follow:

Continue reading “Cisco Terminal Server with ‘Menu’ command”

tftpdnld not on Cisco 3640

I discovered the most irritating thing last week setting up routers and prepping kit for my LAB. The Cisco 3640 does not support the TFTPDNLD in ROMMON mode. This is particularly painful, when you don’t have a IOS image loaded, replacing or upgrading the Flash Memory.

The only way to do this,  if you do not have a spare (8Mb or 16Mb ONLY) PCMCIA Flash card formatted with File system Class “B” and a valid 3640 IOS image on it, is via the Grandfather of file transfer protocols: XMODEM.

The good news is that you can use Ymodem protocol extension with -y switch, which is a bit more efficient than old Xmodem, in that your transfer time is less.

xmodem  -y  c3640-ik9s-mz.124-19b.bin

Be sure to change you Baud Rate before hand, as per the following article at Cisco Land :


Service Nagle

The Nagle congestion-control algorithm is something that many ISPs turn on to improve the performance of their Telnet sessions to and from the router. When using a standard TCP implementation to send keystrokes between machines, TCP tends to send one packet for each keystroke typed. On larger networks, many small packets use up bandwidth and contribute to congestion.

John Nagle’s algorithm (RFC 896) helps alleviate the small-packet problem in TCP. In general, it works this way: The first character typed after connection establishment is sent in a single packet, but TCP holds any additional characters typed until the receiver acknowledges the previous packet. The second, larger packet is sent, and additional typed characters are saved until the acknowledgment comes back. The effect is to accumulate characters into larger chunks and pace them out to the network at a rate matching the round-trip time of the given connection. This method is usually good for all TCP-based traffic and helps when connectivity to the router is poor or congested or the router itself is busier than normal. However, do not use the service nagle command if you have XRemote users on X Window sessions or sourcing voice over IP traffic or other real-time traffic from the router—performance will become very poor.

The IOS Software command to enable Nagle follows:

(config)#service nagle

Regular Expression Examples

Have you had difficulty getting the hang of using Regular Expression in Cisco world.
The examples here are mostly used with BGP, but can be used elsewhere.


It is all rather simple once you understand


Represents ‘OR’ Statements

Represents a range of characters

. – DOT
Matches any single character

Matches Beginning of string

Matches End of string

Matches any Delimiter (beginning, end, space, tab, comma)

are used for “and” operations. To Group thing together

Removes the special meaning of one of the above characters

(a Atom is a single preceding character or preceding group)
(The special characters *,?,+ all apply repetition to what immediately precedes them)

Matches ZERO or MORE Atoms(single or group of characters)

Matches ZERO or ONE Atoms

+ – PLUS
Matches ONE or more Atoms



>> will match either 21 or 31 in a line.

>> will match any in the range 1 to 4

>> will match either 6 or 7

>> match 1/2/3/4 and 6/7, thus 16 or 37

From the String :’213 317 31 218 731′ the following:
>> will only match the first 21

>> will only match the 31 at the end

>> will only match the 31 in the middle

>> matches 213 or 218 followed by 31, ie ‘213 317’ or ‘218 31’

>> will match “23 45” or “23 78 45” OR “23 78 78 78 78 45”


>> will match “23 45” OR “23 78 45”


>> will match “23 78 45” OR “23 78 78 78 78 78 78 45”

>> will match (213 at the beginning of string



>> going through AS 100

>> Directly connected to AS 100 (begins and ends in AS 100)


>> Originated in AS 100

>> Networks behind AS 100

>> AS Paths that is one AS long

>> Networks originating in Neighboring AS, with possible Prependings

>> Networks originating in LOCAL AS

>> Matches Everything



sh ip cache flow | i*0031
>> Matches any line that contains and 0031

sh ip cache flow | i*|**0D3D

>> Show only traffic between the above 2 IP on port 0D3D, ( ie 3389 in decimal)

sh ip cache flow | i Fa1/1.313|Null|255
>> Matches Fa1/1.313 OR Null OR 255