SNMP & Community Strings

Posted by Bradley | Security,written | Friday 26 June 2009 16:21

Due to my domain name and site title I get a fair few visitors who are directed to this site looking for information about community strings, so I thought it was about time I wrote something on SNMP community strings.

Simple Network Management Protocol (SNMP) is a set of standards for managing network devices. Devices are monitored by an SNMP manager, which talks to an SNMP agent running on each device (UDP port 161 for requests, 162 for notifications). The data the agent can access is organised in a database called the Management Information Base (MIB); MIBs are often described as trees, with the individual pieces of information (variables, each identified by an object identifier, OID) stored at the leaves.

A community string is effectively a password for accessing the SNMP agent. Separate community strings are usually configured for read-only and read/write access, and anyone who learns the read/write string can issue Set messages to the device, so it deserves the same care as an enable password.

There are four versions of SNMP:

SNMPv1 – Authenticates requests with a community string, uses SMIv1, and sends the community string in plain text.

SNMPv2 – Does not use community strings to authenticate (it used a party-based security model, which was never widely deployed). Mandates the use of SMIv2 and adds two new message types, GetBulk and Inform.

SNMPv2c – Uses SNMPv1-style community strings, sent in plain text, but otherwise operates like SNMPv2. This is what most deployments that say "SNMPv2" actually run.

SNMPv3 – Similar to SNMPv2 in operation but adds per-user authentication and optional encryption (the noAuthNoPriv, authNoPriv and authPriv security levels) and view-based access control. It is the only version that does not hand the credential to anyone able to capture the traffic, and only authPriv protects the MIB data itself.

There aren’t many SNMP message types and it is useful to know them all:

Get - Requests a single variable from a MIB

GetNext - Requests the next leaf in the MIB tree; used to walk a MIB without knowing its contents in advance

GetBulk – Requests a sequential list of MIB leaves in a single request (SNMPv2 onwards); commonly used to pull large tables efficiently

Set - Changes the value of a MIB variable; this is the operation a read/write community string unlocks

Response - Sent in reply to Get, GetNext, GetBulk, Set and Inform messages

Trap - Sent unsolicited by an agent to a manager and not acknowledged

Inform - An acknowledged notification (SNMPv2 onwards), originally defined for manager-to-manager communication; the receiver replies with a Response
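To make the "sent in plain text" point concrete, here is an added example (not code from the original post): it builds an SNMPv1/v2c request by hand using BER, then pulls the version, community string and operation straight back out of the raw bytes, which is exactly what anyone capturing the UDP/161 datagram can do. The OID, community strings and request id are made up for the example.

```python
"""
Added example, not from the original post: build an SNMPv1/v2c request with
BER, then recover the plaintext community string from the raw datagram.
The OIDs, community strings and request ids used are made up.
"""

SNMP_V1, SNMP_V2C = 0, 1
# Context-specific tags of the PDU types listed in the post (v1 Trap and v2 Trap differ)
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int) -> bytes:
    """INTEGER: shortest big-endian two's complement that holds the value."""
    size = 1
    while True:
        try:
            return tlv(0x02, value.to_bytes(size, "big", signed=True))
        except OverflowError:
            size += 1


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_request(community: str, oid: str, request_id: int = 1,
                  version: int = SNMP_V1, pdu_tag: int = 0xA0) -> bytes:
    """Message = SEQUENCE { version, community, PDU }; the PDU is a context-tagged
    SEQUENCE { request-id, error-status, error-index, varbinds }. Get-style
    requests (Get/GetNext) carry NULL as the value of each varbind."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def sniff_community(datagram: bytes) -> dict:
    """What an eavesdropper learns from one SNMPv1/v2c datagram: the version,
    the community string in clear, and which operation it authorises."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, ver, pos = read_tlv(msg, 0)
    ctag, community, pos = read_tlv(msg, pos)
    ptag, _, _ = read_tlv(msg, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("unexpected message header")
    version = int.from_bytes(ver, "big", signed=True)
    return {"version": {SNMP_V1: "v1", SNMP_V2C: "v2c"}.get(version, f"unknown({version})"),
            "community": community.decode(errors="replace"),
            "pdu": PDU_TYPES.get(ptag, hex(ptag))}


if __name__ == "__main__":
    # Made-up read/write community on a v2c GetNext (a MIB walk).
    pkt = build_request("s3cret-rw", "1.3.6.1.2.1.1.5.0", request_id=42,
                        version=SNMP_V2C, pdu_tag=0xA1)
    print(pkt.hex())
    print(sniff_community(pkt))
```

The same `sniff_community` logic works on a real capture: strip the UDP payload out of a pcap and feed it in. For SNMPv3 the message layout differs (the community OCTET STRING is replaced by a header and security parameters), which is why this decoder would reject it, and why v3 is the answer to the problem the post describes.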

Spanning Tree Protocol (STP)

Posted by Bradley | switching | Thursday 25 June 2009 15:19

The three major steps traditional 802.1D STP uses to stabilise the network are:

Elect the root switch – Only a single switch can be the root switch in an STP domain. Initially each switch sends STP Bridge Protocol Data Units (BPDUs) across the Layer 2 domain listing itself as the root switch. If a switch receives a BPDU with a lower Bridge ID, it accepts that switch as the root and the BPDUs it sends from then on list the Bridge ID of that root switch. Eventually all switches in the STP domain agree on the same root switch, and after the election a new root will not be elected until the hellos sent from the root switch stop being received.

The Bridge ID originally consisted of a 2 byte priority and a 6 byte system ID (the switch MAC address). The first 2 bytes were later restructured (802.1t) to support technologies which need the VLAN carried in the BPDU, such as per-VLAN spanning tree and Multiple Spanning Tree (MST). They now consist of 4 bits of bridge priority (as these are the high order bits, only multiples of 4096 are accepted values) and 12 bits holding the VLAN number, called the System ID extension. There is an older post I made about why the STP priority must be a multiple of 4096 here; this 12 bit limit is also the reason the maximum VLAN ID is 4095.

Determine the root port for each switch – After the root switch is elected, every switch other than the root determines the port with the lowest cost to reach the root switch. The root sends out hellos with a root path cost of zero, and each switch receiving a hello adds the cost of the port it arrived on, using the table below, before forwarding it.

Bandwidth   Original IEEE Cost   Updated IEEE Cost
10Mbps      100                  100
100Mbps     10                   19
1Gbps       1                    4
10Gbps      1                    2

I think it might have been a bit short-sighted to stop the updated costs at 10Gbps; my organisation is running lots of 40 Gbps links and has just finished a field trial of 100 Gbps.

The port on a non-root switch that receives the hello with the lowest cost to the root switch becomes the root port. If two ports have the same cost to reach the root, the tiebreakers are, in order, the lowest forwarding switch Bridge ID, then the lowest administratively defined port priority on the forwarding switch and finally the lowest port number on the forwarding switch.

Select the designated port for each segment – Only one port on each LAN segment is allowed to forward frames onto that segment; it is called the Designated Port (DP). Every switch port on the segment sends hellos carrying the root path cost of its switch, and the port advertising the lowest cost becomes the designated port while the others move to the blocking state. The tiebreakers are the same as for the root port: lowest forwarder's Bridge ID, then lowest port priority, then lowest port number.

Detecting when bad things happen – The root switch sends periodic hellos (every 2 seconds by default), which every other switch receives, updates and forwards out of each of its designated ports. A switch resets its MaxAge timer every time it receives a hello on its root port; if MaxAge expires (default is 10 times the hello time, so 20 seconds) the switch considers the root lost and a new root election takes place.

If a trunk goes down, the switch that notices sends a Topology Change Notification (TCN) BPDU out of its root port, and keeps sending it every hello time until it receives a Topology Change Acknowledgement (TCA), which is a flag bit set in the next hello from the upstream switch. Each upstream switch acknowledges with the TCA flag and relays its own TCN out of its root port, so the notification travels root port to root port until it reaches the root switch. The root then sets the Topology Change (TC) flag in its hellos for MaxAge plus forward delay (35 seconds by default); every switch that sees the TC flag shortens the ageing time of its CAM (MAC address) table to the forward delay (15 seconds) so stale entries pointing down the old path are flushed quickly.

802.1D Interface States – During a topology change there is a risk of creating Layer 2 loops, so a port moving towards forwarding cycles through the blocking, listening and learning states before it reaches forwarding (a port can also be disabled). Listening and learning each last one forward delay, 15 seconds by default, so a blocked port takes 30 seconds to start forwarding once it has been chosen.
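As an added example (not code from the original post), the election and root port steps above in Python: it packs an 802.1t Bridge ID, picks the root by lowest Bridge ID, then works out every switch's root path cost and root port using the updated IEEE costs from the table, with the Bridge ID tiebreaker. The switch names, MAC addresses and topology are made up, and the example assumes both ends of each link run at the same speed so a link costs the same in either direction.

```python
"""
Added example, not from the original post: 802.1t Bridge IDs, root switch
election and root port selection with the updated IEEE port costs.
Switch names, MAC addresses and the topology below are made up.
"""
import heapq

# Updated IEEE costs (802.1D-1998), keyed by link speed in Mbps
PORT_COST = {10: 100, 100: 19, 1_000: 4, 10_000: 2}


def bridge_id(priority: int, mac: str, vlan: int) -> int:
    """802.1t Bridge ID: 4-bit priority, 12-bit system ID extension (the VLAN),
    then the 48-bit MAC. Compared as one 64-bit number; lowest wins."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= vlan <= 4095:
        raise ValueError("system ID extension is 12 bits, so VLAN 0..4095")
    mac_int = int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)
    return ((priority | vlan) << 48) | mac_int


def elect_root(switches: dict, vlan: int) -> str:
    """Every switch starts by claiming root; the lowest Bridge ID wins. A newly
    attached switch with a lower priority (or a lower MAC at equal priority)
    therefore takes the root role away from the current root."""
    return min(switches, key=lambda name: bridge_id(switches[name][0], switches[name][1], vlan))


def root_ports(switches: dict, links: list, vlan: int):
    """Elect the root, then for each other switch find its root path cost and the
    neighbour its root port faces. Each hop adds the receiving port's cost; equal
    costs are broken by the lower sender Bridge ID, as described in the post.
    Assumes both ends of a link run at the same speed."""
    root = elect_root(switches, vlan)
    bid = {name: bridge_id(p, m, vlan) for name, (p, m) in switches.items()}
    adj: dict = {}
    for a, b, mbps in links:
        adj.setdefault(a, []).append((b, PORT_COST[mbps]))
        adj.setdefault(b, []).append((a, PORT_COST[mbps]))
    best = {root: (0, -1, None)}           # switch -> (cost, sender BID, sender)
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue
        for nbr, port_cost in adj.get(node, []):
            cand = (cost + port_cost, bid[node], node)
            if nbr not in best or cand[:2] < best[nbr][:2]:
                best[nbr] = cand
                heapq.heappush(heap, (cand[0], nbr))
    return root, {name: (c, via) for name, (c, _, via) in best.items()}


# Made-up topology: SW4 can reach the root at equal cost via SW2 or SW3.
EXAMPLE_SWITCHES = {"SW1": (32768, "00:00:0c:00:00:01"),
                    "SW2": (32768, "00:00:0c:00:00:02"),
                    "SW3": (32768, "00:00:0c:00:00:03"),
                    "SW4": (32768, "00:00:0c:00:00:04")}
EXAMPLE_LINKS = [("SW1", "SW2", 1_000), ("SW1", "SW3", 100), ("SW2", "SW3", 100),
                 ("SW2", "SW4", 100), ("SW3", "SW4", 1_000)]

if __name__ == "__main__":
    print(root_ports(EXAMPLE_SWITCHES, EXAMPLE_LINKS, vlan=1))
```

With every switch left at the default priority of 32768 the lowest MAC wins, so SW1 is root; SW4 sees cost 23 both ways and picks SW2 because SW2's Bridge ID is lower. Adding a switch with priority 4096 to the same dictionary makes it root immediately, which is why the root should be chosen deliberately rather than left to the MAC address lottery.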

Personal Note – I’m not going to blog in such depth and breadth any more as it takes too much time; I will cover topics which are more interesting or that I struggle a bit on.

Notes on Vlan Trunking

Posted by Bradley | switching | Wednesday 24 June 2009 15:41

VLAN Trunking Protocol (VTP) – VTP advertisements are sent out of all active trunking interfaces (802.1Q or ISL). Each advertisement carries a configuration revision number which a VTP server increments whenever its VLAN database changes. A VTP server or client processes an advertisement only if it is for the same VTP domain, the password (if one is set) matches and the revision number is greater than the one currently stored on the switch. The corollary is that any switch in the same domain with a higher revision number, including a second-hand one plugged in with stale configuration, will overwrite the VLAN database of every server and client in the domain. Standard range VLAN information is stored in the vlan.dat file in flash.

Cisco switches are VTP servers by default but will not send VTP advertisements until a VTP domain name is configured (or learned from the first advertisement received).

There are three modes a VTP switch can be in: server, client and transparent.

Server – In VTP server mode you can create, edit and delete VLANs on the switch and the changes are propagated throughout the VTP domain. VTP servers also originate periodic VTP advertisements.

Client – VTP client mode is the same as server mode except that it is not possible to create, edit or delete VLANs on the switch; changes have to be made on a server in the VTP domain and are propagated to the client. Clients also transmit VTP advertisements out of their trunks.

Transparent – In VTP transparent mode the switch forwards VTP advertisements out of its trunks but does not process them. VLANs can be changed on the switch but the changes are not propagated and stay local to it.

Standard/Extended range VLANs – VTP (versions 1 and 2) only propagates standard range VLANs, which are numbered 1 to 1005. To configure extended range VLANs (1006 to 4094) the switch must be in VTP transparent mode, as these versions of VTP do not support them.

Note: VLANs 1006 to 1024 were reserved for compatibility with CatOS based switches and should not be used.

Extended range VLANs cannot be stored in the vlan.dat file and are kept in the running configuration instead. If the startup config and vlan.dat disagree about standard range VLANs, only the vlan.dat information is used.

VLAN Trunking – Interconnects between switches are trunked using either ISL or 802.1Q. ISL is Cisco proprietary and encapsulates the whole frame with a 26 byte header and an additional 4 byte trailer, whereas 802.1Q, an IEEE standard, inserts a 4 byte tag after the source address field of the frame. 802.1Q does not tag the native VLAN on a link, so any frame received on a trunk without a tag is assumed to belong to the native VLAN; ISL has no concept of a native VLAN.
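To show what that 4 byte tag looks like on the wire, here is an added example (not code from the original post) that inserts and parses an 802.1Q tag: TPID 0x8100, three bits of priority, one DEI bit and the 12 bit VLAN ID that caps VLAN numbers at 4095. The parser also applies the native VLAN rule from the paragraph above: a frame that arrives without a tag is placed in whatever the trunk's native VLAN is. MAC addresses and payloads are made up.

```python
"""
Added example, not from the original post: build and parse IEEE 802.1Q tagged
frames and apply the native VLAN rule to untagged ones. Addresses and payloads
are made up.
"""
import struct
from typing import Optional

TPID_8021Q = 0x8100


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame without FCS; an 802.1Q tag is inserted between the
    source MAC and the type field when a VLAN is given."""
    header = mac_to_bytes(dst) + mac_to_bytes(src)
    if vlan is not None:
        if not 0 <= vlan <= 4095:
            raise ValueError("VLAN ID is a 12-bit field")
        if not 0 <= pcp <= 7:
            raise ValueError("PCP is a 3-bit field")
        tci = (pcp << 13) | vlan            # DEI/CFI bit (bit 12) left clear
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_trunk_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Classify a frame received on an 802.1Q trunk. Tagged frames carry their
    VLAN in the tag; untagged frames land in the trunk's native VLAN."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = bytes_to_mac(frame[:6]), bytes_to_mac(frame[6:12])
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "tagged": True, "vlan": tci & 0x0FFF,
                "pcp": tci >> 13, "ethertype": ethertype, "payload": frame[18:]}
    return {"dst": dst, "src": src, "tagged": False, "vlan": native_vlan,
            "pcp": None, "ethertype": tpid, "payload": frame[14:]}


if __name__ == "__main__":
    arp = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806,
                      b"\x00" * 28, vlan=100, pcp=5)
    print(arp[12:18].hex(), parse_trunk_frame(arp)["vlan"])
    plain = build_frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", 0x0800, b"\x45" + b"\x00" * 45)
    print(parse_trunk_frame(plain, native_vlan=99)["vlan"])
```

The `native_vlan` argument is the point to notice: the frame itself says nothing about which VLAN an untagged frame belongs to, the receiving trunk decides, so the native VLAN must match at both ends of a trunk or traffic silently crosses VLANs.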

Dynamic Trunking Protocol (DTP) – DTP allows a switch port to negotiate a trunk automatically. This can be a security issue, because a device on a port left in a dynamic mode can negotiate itself a trunk and with it access to every VLAN carried on that trunk; personally I am not too keen on it and prefer to make each port manually either a trunk or an access port. The DTP modes are:

on - Permanent trunk (switchport mode trunk), even if the neighbour cannot support it

off - Permanent access port (switchport mode access), so will not trunk even if the neighbour asks for it

desirable - Actively sends DTP frames to attempt to become a trunk; the port becomes a trunk if the neighbour is on, desirable or auto, otherwise it becomes an access port

auto - Passively waits to become a trunk: it does not initiate DTP frames but will respond to them. Note that if both ends are set to auto the link will not become a trunk

nonegotiate - The port sends no DTP frames at all (switchport nonegotiate). It is recommended when connecting to a non-Cisco switch, which could react strangely to DTP frames, and is good practice on any port whose role is fixed. Use switchport mode trunk or switchport mode access to dictate what the port should be, then switchport nonegotiate to stop it negotiating.

Ethernet Basics Notes

Posted by Bradley | ethernet | Tuesday 23 June 2009 18:25

A couple of notes on the Ethernet Basics chapter of the CCIE Routing and Switching Exam Certification Guide.

Wiring – On routers and PCs the transmit pair is wires 1 & 2 and the receive pair is 3 & 6; switches are wired the opposite way round so that one device's transmit pair lands on the other's receive pair. If two like devices (PC to PC, switch to switch, router to router) are directly connected, a crossover cable, which swaps wire 1 with 3 and 2 with 6, is needed so the transmit and receive pairs match up, unless the port supports Auto-MDIX, which detects and fixes the mismatch automatically.

Auto-negotiation – Fast Link Pulses (FLPs) are used to advertise the speed and duplex an interface supports. Each FLP burst is a train of 100 ns pulses (17 clock pulses with data pulses between them) that encodes a 16 bit link code word telling the device at the other end of the wire what speed/duplex combinations are available. Fibre does not use Fast Link Pulses but negotiation works in a similar way.

Preamble - The preamble consists of 62 alternating 1s and 0s ending with a pair of 1s. This 8 bytes of signalling is usually described as a 7 byte preamble followed by a 1 byte start of frame delimiter (10101011).

I/G, U/L MAC Bits – I wrote a post a while ago regarding a couple of bits in the MAC address. Ethernet transmits each octet least significant bit first, so the least significant bit of the first byte of the MAC (the first bit on the wire) is the Individual/Group (I/G) bit; set to 1 it signifies a multicast or broadcast MAC. The next bit, the second least significant bit of the first byte, is the Universal/Local (U/L) bit, which set to 1 indicates the address was administratively rather than vendor assigned. Written in hex, 01:00:5e:... is a multicast address and 02:... a locally administered one. Many devices and drivers do not enforce the U/L bit, so its value is a hint and not something to build a security decision on.
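A short added example (not code from the original post) that reads both bits off a MAC address in any of the common notations, so the bit positions above can be checked against real addresses. The sample addresses used in the test are well-known or made up.

```python
"""
Added example, not from the original post: extract the I/G and U/L bits from
the first octet of a MAC address. Ethernet sends each octet LSB first, so I/G
is bit 0 of the first octet and U/L is bit 1.
"""


def mac_flags(mac: str) -> dict:
    """Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco aabb.ccdd.eeff."""
    raw = bytes.fromhex(mac.lower().replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address is 6 octets")
    first = raw[0]
    return {
        "group": bool(first & 0x01),        # I/G: 1 = multicast or broadcast
        "local": bool(first & 0x02),        # U/L: 1 = locally administered
        "broadcast": raw == b"\xff" * 6,    # all ones: both bits set, all octets 0xff
    }


def describe_mac(mac: str) -> str:
    flags = mac_flags(mac)
    if flags["broadcast"]:
        return "broadcast"
    kind = "multicast" if flags["group"] else "unicast"
    admin = "locally administered" if flags["local"] else "universally administered (OUI assigned)"
    return f"{kind}, {admin}"


if __name__ == "__main__":
    for sample in ("01:00:5e:00:00:fb", "02:42:ac:11:00:02", "ff-ff-ff-ff-ff-ff", "0000.0c07.ac01"):
        print(sample, "->", describe_mac(sample))
```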

Written Booked

Posted by Bradley | personal,written | Tuesday 23 June 2009 14:00

As has been well documented, Cisco is changing the Routing & Switching exam to version 4.0 on the 18th of October 2009. That is four months away, so I should be able to pass before then, as I was almost ready for the written late last year.

There are no materials released for the 4.0 blueprint yet (https://cisco.hosted.jivesoftware.com/docs/DOC-4604) but I will be using the 3rd edition of the CCIE Routing and Switching Exam Certification Guide, the InformIT quick reference sheets, the DocCD, and blogging just to keep my thoughts together.

I have booked a date for the written in August, which is going to be a busy month with a trip to the Netherlands for har2009, so time will be tight. If I don’t pass first time, which is likely, I will just retake it a couple of weeks later.

Beta tests for the new written exam will be going on in July and August, and I am considering giving it a go just to get a feel for what to expect if I get delayed and have to take the 4.0 track; at $50 you can’t go wrong.

OT: MCTS: Network Infrastructure, Configuring

Posted by Bradley | personal | Saturday 20 June 2009 16:31

I picked up a free voucher to complete a Microsoft Certified Technology Specialist exam and I didn’t have any immediate study plans for Cisco exams, so I decided to give it a punt. I flicked through the MCTS exams on offer and the MCTS for Windows Server 2008, Configuring Network Infrastructure caught my eye. I deal with quite a few sites which have Windows servers handling things like DHCP and DNS, so I thought this would be the ideal Microsoft certification to complement my existing Cisco qualifications.

I used a free trial of Amazon Prime to get free next day delivery and ordered the book MCTS 70-642 Exam Cram: Windows Server 2008 Network Infrastructure, Configuring (Exam Cram (Que)); I have seen a few Exam Cram books sitting on people’s desks and heard good things about them. The content was pretty good and it skipped a lot of the basic details, which might not benefit the inexperienced reader, but the book desperately needed to be proofread as there were lots of errors in it. It was an easy read so I was able to cover around 80 pages each evening without much difficulty.

The voucher had a short lifetime and the furthest testing centre date I could find within the voucher’s validity was 9 days away, which gave me 8 days to prepare from when I received the book. I used the Exam Cram book as my method of study and had a couple of Server 2008 VMs running in VirtualBox.

I was really disappointed in the quality of the exam. I don’t wish to break the NDA so won’t discuss the contents, but it was entirely multiple choice; there were no simulation or drag and drop type questions. There were 50 questions and you would practically have to take a nap to run out of time; I finished with around 50 minutes to spare. The exam was easy and even with only a week to prepare I managed to get 833 out of 700.

One of the reasons I value my Cisco certifications is that it takes real time and commitment to study for them and pass, and Cisco works hard to make the tests difficult to pass without real understanding. In my eyes this test doesn’t carry any weight and I wouldn’t recommend it unless you’re looking for an extra line on your CV or can get hold of a free voucher.

Whats been happening

Posted by Bradley | personal | Friday 19 June 2009 16:04

As you might have noticed it’s been a bit quiet around here since I went on holiday.

When I went away I decided that I would complete my honours degree, which meant I would not have enough time to continue studying for my CCIE, so the Cisco studies were moved to the back burner. I’m pleased to say the degree has been completed and I am in a position to start studying again.

My dissertation involved analysing whether BGP-4 was fit for the purpose of Internet routing; I also performed an analysis of the CPU requirements of BGP and OSPF with some very interesting results, and I will post snippets of my research up here soon.

I also have a great new job working in computer security for a UK ISP, but I won’t be working with routing and switching on a daily basis any more, which has worried me slightly. I still want to achieve my CCIE as it’s a lifetime goal.

It hasn’t been announced publicly yet but I will be giving a talk in August 2009 on “Securing Networks from an ISP Perspective” at a large computer security event called Hacking at Random; the last event in the series, four years ago, was called “What the Hack”. If you’re attending please give me a shout.

I’m going to put a timetable for my studies online in the next week or so and continue to use this blog as a study tool to keep me motivated and all my notes in one place. But I won’t be ramping the study time up from manageable to crazy until after Hacking at Random.