Category Archives: Network Services

Router Virtualization Concepts; IOS XR Virtualization

Hardware-Isolated Virtual Router (HVR)

Dedicates both control plane and data plane resources on a per-module boundary to individual virtual entities.

HVR implementation multiplies the available resources (add modules, processors, etc.).
Software-Isolated Virtual Router (SVR)
Share hardware ressources in the data plane.
Multiple guest operating systems to overlay on a host operating system – detrimental impact on scale because it introduces significant contention of resources.
Approach to overprovision ressources on all SVRs – wastes ressources decreasing overall scale.

Integrate virtualization into kernel. Same contention of resources. Complexity and instability in the kernel.

Virtualization in the individual applications. Better scale. Complicates design, testing and management.

SVR implementation divides the available resources.

Chassis resources (power supplies, blowers, fabric) are shared for both HVR and SVR.

Secure Domain Routers
HVR technology.
Distributed Route Processors (DRPs; hardware modules)  = full isolation between instances.
SDR defined on per-slot boundary with entire RP and Modular Service Card dedicated to an SDR.

The only parts of the chassis that are shared are the fabric, the fans, and the power supplies.
Owner SDR -system-wide functions including creation of non-owner SDRs. Admin config mode access.

In each SDR, administration and control capabilities are provided by the designated secure  domain router system controller (DSDRSC). Each SDR must include a DSDRSC to operate, and you must assign an RP or DRP to act as the DSDRSC.

The DSDRSC of the owner SDR is also the DSC of the entire system.
CPU and memory of an SDR are not shared with other SDRs

Performance Routing (PfR)

Phases wheel:

  1. Profile/Learning Phase – learn flows with high latency and throughput = monitored traffic classes (MTC).
  2. Measure Phase – Collect and compute performance metrics for MTC.
  3. Apply Policy Phase – create low and high thresholds defining in-policy and out-of-policy (OOP) categories.
  4. Control Phase – influence by manipulating routing or PBR.
  5. Verify Phase – verify OOP event to make adjustmets to bring back in-policy.

Inrefaces types:

  1. Internal – connect to the internal network with Master Controller
  2. External – used to transmit packets out of the local network. Interfaces that monitored. At least 2.
  3. Local – used in the formation of the control plane mechanism. Source to communicate with Master Controller.

Operational Roles

Mandatory authentication – key-chains!

Master Controller (MC) and Border router (BR).

A single MC can support up to ten individual border routers
or up to 20 managed exit interfaces (external interfaces).


Passive monitoring: Measuring the performance metrics of interesting prefixes while the traffic is flowing through the device using NetFlow technology

Active monitoring: Creating a stream of synthetic traffic replicating the interesting traffic classes as closely as possible to measure the performance metrics of the synthetic traffic; uses Cisco integrated IP SLAs technology

Both active and passive monitoring: Combining both active and passive monitoring to generate a more complete picture of traffic flows within the network

DHCP options

Option Description Command
Option 12
Name of the client ip dhcp client hostname host-name
Option 51
Request lease time ip dhcp client lease days [hours] [minutes]
Option 55
Turn off some of the requested options [no] ip dhcp client request option-name
Option 60
Vendor class identifier string ip dhcp client class-id { ascii string | hex string }
Option 61
Specify unique client identifier ip dhcp client client-id { interface-name| ascii string | hex string }

DHCP Client Identifier = hardware type (usually 01) + client hardware address.

Client Identifier NOT used for BOOTP. Solely for DHCP.


EEM uses event detectors and actions to provide notifications of
those events.

Event detectors that EEM supports include the following:
■ Monitoring SNMP objects
■ Screening Syslog messages for a pattern match (using regular expressions)
■ Monitoring counters
Timers (absolute time-of-day, countdown, watchdog, and CRON)
■ Screening CLI input for a regular expression match
Hardware insertion and removal
Routing table changes
IP SLA and NetFlow events
■ Generic On-Line Diagnostics (GOLD) events
■ Many others, including redundant switchover events, inbound SNMP messages, and
Event actions that EEM provides include the following:
■ Generating prioritized Syslog messages
Reloading the router
Switching to a secondary processor in a redundant platform
■ Generating SNMP traps
■ Setting or modifying a counter
■ Executing a Cisco IOS command
■ Sending a brief email message
Requesting system information when an event occurs
■ Reading or setting the state of a tracked object


IP Traffic Export, or Router IP Traffic Export (RITE), exports IP packets to a VLAN or
LAN interface for analysis. RITE does this only for traffic received on multiple WAN
or LAN interfaces simultaneously as would typically take place only if the device were
being targeted in a denial of service attack.

When configuring RITE, you enable it and configure it to direct copied packets to the
MAC address of the IDS host or protocol analyzer.

Inbound traffic (the default), outbound traffic, or both, and filtering on the number of
packets forwarded.

Edge# config term
Edge(config)# ip traffic-export profile export-this
Edge(config-rite)# interface fa0/0
Edge(config-rite)# bidirectional
Edge(config-rite)# mac-address 0018.0fad.df30
Edge(config-rite)# incoming sample one-in-every 20
Edge(config-rite)# outgoing sample one-in-every 100
Edge(config-rite)# exit
Edge(config)# interface fa0/1
Edge(config-if)# ip traffic-export apply export-this
Edge(config-if)# end
%RITE-5-ACTIVATE: Activated IP traffic export on interface FastEthernet 0/1.


The components of NetFlow are
Records: A set of predefined and user-defined key fields (such as source IP address,
destination IP address, source port, and so on) for network monitoring.
Flow monitors: Applied to an interface, flow monitors include records, a cache, and
optionally a flow exporter. The flow monitor cache collects information about flows.
Flow exporters: These export the cached flow information to outside systems (typically
a server running a NetFlow collector).
Flow samplers: Designed to reduce the load on NetFlow-enabled devices, flow samplers
allow specifying the sample size of traffic, NetFlow analyzes to a ratio of 1:2
through 1:32768 packets. That is, the number of packets analyzed is configurable
from 1/2 to 1/32768 of the packets flowing across the interface.

Version 1 (V1) is the original format supported in the initial NetFlow releases.

Version 5 (V5) is an enhancement that adds Border Gateway Protocol (BGP) autonomous system information and flow sequence numbers.

Version 8 (V8) is an enhancement that adds router-based aggregation schemes.

Version 9 is an enhancement to support different technologies such as Multicast, Internet Protocol Security (IPSec), BGP next-hops and Multi Protocol Label Switching (MPLS).


  • UDP port 2048
  • content engines also communicate with each other using WCCP
  • Up to 32 content engines WCCPv1; lowest IP address – lead engine
  • Content engines request information on the cluster members from the WCCP
    router, which replies with a list. This permits the lead content engine to determine how
    traffic should be distributed to the cluster.
  • WCCPv1 – only HTTP port 80
  • WCCPv2:
    • TCP and UDP traffic other than TCP port 80 (FTP, Real Audio, Video)
    • Permits segmenting caching services provided by a caching cluster to a particular
      protocol or protocols
    • Supports multicast
    • Supports multiple routers (up to 32 per cluster)
    • MD5
    • Load distribution
    • Transparent error handling
ip wccp web-cache group-address password cisco
! Next we configure an interface to redirect WCCP web-cache
! traffic outbound to a content engine:
int fa0/0
           ip wccp web-cache redirect out
! Finally, inbound traffic on interface fa0/1 is excluded from redirection:
int fa0/1
         ip wccp redirect exclude in
! filter traffic only for certain clients
ip wccp web-cache redirect-list access-list
! types of redirected traffic the router should accept
ip wccp web-cache group-list access-list


  • UDP 161
  • UDP 162 (traps & informs)
SNMP Version Description
1 Uses SMIv1, simple authentication with communities, but used MIB-I originally.
2 Uses SMIv2, removed requirement for communities, added GetBulk and Inform messages, but began with MIB-II originally.
2c Pseudo-release (RFC 1905) that allowed SNMPv1-style communities with SNMPv2; otherwise, equivalent to SNMPv2.
3 Mostly identical to SNMPv2, but adds significantly better security, although it supports communities for backward compatibility. Uses MIB-II. MD5/SHA + DES.




Remote Monitoring, or RMON, is an event-notification extension of the SNMP capability
on a Cisco router or switch. RMON enables you to configure thresholds for alerting
based on SNMP objects, so that you can monitor device performance and take appropriate
action to any deviations from the normal range of performance indications.
RMON is divided into two classes: alarms and events.

rmon event 1 log trap public description Fa0.0RisingErrors owner config
rmon event 2 log trap public description Fa0.0FallingErrors owner config
rmon event 3 log trap public description Se0.0RisingErrors owner config
rmon event 4 log trap public description Se0.0FallingErrors owner config
rmon alarm 11 ifInErrors.1 60 delta rising-threshold 10 1 falling-threshold 5 2 
owner config
rmon alarm 20 ifInErrors.2 60 absolute rising-threshold 20 3 falling-threshold 10 
owner config

show rmon alarm
show rmon event

Jun 9 12:54:14.787: %RMON-5-FALLINGTRAP: Falling trap is generated
because the value of ifInErrors.1 has fallen below the fallingthreshold
value 5
Jun 9 12:55:40.732: %RMON-5-FALLINGTRAP: Falling trap is generated
because the value of ifInErrors.2 has fallen below the fallingthreshold
value 10


  • UDP 123
  • Modes: client (static/broadcast); server; symmetric active mode (ntp peer)

1) Peer – permits router to respond to NTP requests and accept NTP updates. NTP control queries are also accepted. This is the only class which allows a router to be synchronized by other devices.
2) Serve – permits router to reply to NTP requests, but rejects NTP updates (e.g. replies from a server or update packets from a peer). Control queries are also permitted.
3) Serve-only – permits router to respond to NTP requests only. Rejects attempt to synchronize local system time, and does not access control queries.
4) Query-only – only accepts NTP control queries. No response to NTP requests are sent, and no local system time synchronization with remote system is permitted.




  • Virtual IP address and virtual MAC are active on the HSRP Active router.
  • 3 sec hello, 10 sec dead
  • – V1
  • – V2
  • Virtual MAC of 0000.0C07.ACxx (v1)
  • Virtual MAC of 0000.0c9f.fxxx for IPv4 (v2) and 0005.73a0.0xxx for IPv6 (v2)
  • Port UDP 1985 for IPv4
  • Port UDP 2029  for IPv6 
  • Clear-text & MD5 auth
  • MHSRP (administrative LB)
  • Only 1 standby, highest IP preemts standby.


  • IP protocol number 112; TTL 255 – MUST
  • 1 sec hello, 3 sec dead
  • Virtual MAC of 0000.5E00.01xx
  • Preempts by default
  • Group IP address is the interface IP address of one of routers (prio for the router will be 255)
  • Higest IP preempts; more than 1 standby
  • The priority value zero (0) has special meaning indicating that the current Master has stopped participating in VRRP. Backups quickly transition to master.


  • UDP 3222
  • 3 sec hello, 10 sec dead
  • 0007.B400.xxyy , where xx is the GLBP group number and yy is a different number for each router (01, 02, 03, or 04).
  • 1024 GLBP groups per physical interface and up to four AVF per GLBP group
  • If multiple gateways have the same priority (1-255), the gateway with the highest real IP address becomes the AVG; standby AVG election – same principle.
  • The Redirect timer (600 sec) determines how long will AVG continue to respond to ARP requests with the virtual MAC of the failed AVF. The Secondary Hold  (4 hours, 14400 sec) timer sets the amount of time the backup AVF will continue to accept packet for the virtual MAC address taken from the failed AVF.


Relies on server to allocate IP addresses Yes Yes Yes
Encapsulates messages inside IP and UDP so that they can be forwarded to a remote server No Yes Yes
Client can discover its own mask/gateway/DNS/download server No Yes Yes
Dynamic address assignment from a pool of IP addresses without requiring knowledge of client MACs No No Yes
Allows temporary lease of IP address No No Yes
Includes extensions for registering client’s FQDN with a DNS No No Yes



Ethernet proto type: 0x0806


Same old ARP message, but the ARP request lists a MAC address target of its own MAC address and a target IP address of RARP server on the same subnet. ARP reply, after entering the configured IP address in the Source IP address field.


IP+UDP header.


IP+UDP header.

DHCP relay:

  • set own IP address in gateway IP address (giaddr) field while relaying
  • change the destination IP address to a LAN broadcast, and forward the packet
    onto the client’s LAN

DHCP format

Table 1 BOOTP Request and Reply Format
Field Bytes Name Description
op 1 OpCode Identifies the packet as a request or reply. 1=BOOTREQUEST and 2=BOOTREPLY.
htype 1 Hardware Type Specifies the network hardware type.
hlen 1 Hardware Length Specifies the length hardware address length.
hops 1 Hops The client sets the value to zero and the value increments if the request is forwarded across a router.
xid 4 Transaction ID A random number that is chosen by the client. All DHCP messages exchanged for a given DHCP transaction use the ID (xid).
secs 2 Seconds Specifies number of seconds since the DHCP process started.
flags 2 Flags Indicates whether the message will be broadcast or unicast.
ciaddr 4 Client IP Address Used when the client is aware of the IP address as in the case of the Bound, Renew, or Rebinding states.
yiaddr 4 Your IP Address If the client IP address is, the DHCP server places the offered client IP address in this field.
siaddr 4 Server IP Address If the client knows the IP address of the DHCP server, this field is populated with the DHCP server address. Otherwise, it is used in DHCPOFFER and DHCPACK from the DHCP server.
giaddr 4 Router IP Address The gateway IP address, filled in by the DHCP/BootP Relay Agent.
chaddr 16 Client MAC Address The DHCP client MAC address.
sname 64 Server Name The optional server hostname.
File 128 Boot Filename The boot filename.
Options Variable Option Parameters The optional parameters that can be provided by the DHCP server. RFC 2132 lists all possible options.