Tuesday, October 11, 2011


Nowadays every network geek knows the Common Spanning Tree (CST), the classic 802.1D spanning tree protocol, and it has done a great job of keeping a switched network loop free. It is well known for being stable and flexible in all sorts of network environments. This post is for those who do not yet know RSTP, the improved version of STP!

STP algorithm
1.       root bridge selection
2.       root port selection
3.       designated port selection

Root bridge selection phase (lowest bridge ID wins)
1.       bridge priority, with the extended system ID (VLAN ID) appended (used by PVST and PVST+ to run a separate STP instance per VLAN)
2.       system ID (switch MAC address), the tie-breaker when priorities are equal
Root port selection phase (one root port per non-root bridge)
1.       lowest path cost to the root bridge
2.       lowest bridge ID of the directly connected (upstream) bridge
3.       lowest port ID of the upstream bridge
Designated port selection phase (one designated port per segment)
1.       lowest path cost to the root bridge; designated ports always face away from the root bridge, so every port on the root bridge is designated
2.       lowest bridge ID among the bridges on the segment
3.       lowest port ID

1.       Once the topology has converged, only the root bridge originates BPDUs; every other bridge relays them out of its designated ports.
2.       Every STP operation is driven by BPDUs and a few system timers (hello, max age, forward delay).
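The three phases above, worked through on a constructed topology as an added example (editorial example code, not material from the post): the JavaScript below elects the root, computes each bridge's root path cost, then assigns root, designated and blocking roles using the same tie-break order. The switch names, MAC addresses, port numbers and the link cost of 19 are assumptions made up for the demo. It also lowers one switch's priority to show that the election trusts whatever bridge ID is advertised.

```javascript
// Added example, not from the post: 802.1D port-role computation over a
// constructed three-switch triangle. Names, MACs, port numbers and the link
// cost 19 (100 Mbit/s under the 802.1D-1998 cost table) are made up.

// Bridge ID = (priority, MAC). Lower wins at every step of the election.
function cmpBid(a, b) {
  if (a.priority !== b.priority) return a.priority - b.priority;
  return a.mac < b.mac ? -1 : a.mac > b.mac ? 1 : 0;
}

// BPDU-style key [rootPathCost, bridgeId, portId], compared lexicographically.
function cmpKey(a, b) {
  if (a[0] !== b[0]) return a[0] - b[0];
  const c = cmpBid(a[1], b[1]);
  return c !== 0 ? c : a[2] - b[2];
}

// Phase 1: the bridge with the lowest bridge ID becomes root.
function electRoot(bridges) {
  return Object.keys(bridges).sort((x, y) => cmpBid(bridges[x], bridges[y]))[0];
}

// Root path cost for every bridge: cheapest sum of link costs back to the root.
function rootPathCosts(root, bridges, links) {
  const cost = {};
  for (const name of Object.keys(bridges)) cost[name] = Infinity;
  cost[root] = 0;
  let changed = true;                       // simple relaxation until stable
  while (changed) {
    changed = false;
    for (const l of links) {
      if (cost[l.a] + l.cost < cost[l.b]) { cost[l.b] = cost[l.a] + l.cost; changed = true; }
      if (cost[l.b] + l.cost < cost[l.a]) { cost[l.a] = cost[l.b] + l.cost; changed = true; }
    }
  }
  return cost;
}

// Phases 2 and 3: root port per non-root bridge, designated port per segment,
// everything else blocking. Returns { root, rpc, roles } with roles keyed "SW:port".
function computeRoles(bridges, links) {
  const root = electRoot(bridges);
  const rpc = rootPathCosts(root, bridges, links);
  const roles = {};
  // [ownPort, neighbour, neighbourPort, cost] for every port of a switch
  const portsOf = (sw) => links.flatMap((l) =>
    l.a === sw ? [[l.pa, l.b, l.pb, l.cost]] : l.b === sw ? [[l.pb, l.a, l.pa, l.cost]] : []);
  for (const sw of Object.keys(bridges)) {
    if (sw === root) continue;
    let best = null;   // best BPDU heard: lowest cost via neighbour, then its BID, then its port
    for (const [own, nb, nbPort, cost] of portsOf(sw)) {
      const key = [rpc[nb] + cost, bridges[nb], nbPort];
      if (best === null || cmpKey(key, best.key) < 0) best = { key, port: own };
    }
    roles[`${sw}:${best.port}`] = "root";
  }
  for (const l of links) {
    // the bridge that would advertise the better BPDU onto the segment owns the DP
    const ka = [rpc[l.a], bridges[l.a], l.pa];
    const kb = [rpc[l.b], bridges[l.b], l.pb];
    const [dsw, dport] = cmpKey(ka, kb) < 0 ? [l.a, l.pa] : [l.b, l.pb];
    roles[`${dsw}:${dport}`] = "designated";
    for (const p of [`${l.a}:${l.pa}`, `${l.b}:${l.pb}`]) roles[p] = roles[p] || "blocking";
  }
  return { root, rpc, roles };
}

// Constructed triangle: three switches, equal priority, all links cost 19.
const BRIDGES = {
  SW1: { priority: 32768, mac: "00:00:00:00:00:01" },
  SW2: { priority: 32768, mac: "00:00:00:00:00:02" },
  SW3: { priority: 32768, mac: "00:00:00:00:00:03" },
};
const LINKS = [
  { a: "SW1", pa: 1, b: "SW2", pb: 1, cost: 19 },
  { a: "SW1", pa: 2, b: "SW3", pb: 1, cost: 19 },
  { a: "SW2", pa: 2, b: "SW3", pb: 2, cost: 19 },
];

// Same topology with one bridge's priority lowered: the election is purely
// BID-based, so whoever advertises the lowest BID becomes root.
function withPriority(bridges, name, priority) {
  return { ...bridges, [name]: { ...bridges[name], priority } };
}

console.log(computeRoles(BRIDGES, LINKS).roles);
console.log(computeRoles(withPriority(BRIDGES, "SW3", 4096), LINKS).root);
```

Run it with node. The first call gives the textbook result (SW1 root, SW3 port 2 blocking because SW2 has the lower bridge ID on the SW2-SW3 segment); the second shows SW3 taking over as root the moment it advertises priority 4096, which is exactly the behaviour root guard and BPDU guard exist to contain on access-facing ports.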

BPDU format

STP Timers
Hello Timer This is how often the root bridge sends out BPDUs. These BPDUs get relayed down the spanning tree to all the other switches. The default is 2 seconds.
Max Age Timer This is how long a bridge keeps the BPDU information it last received on a port before it declares that information stale. Think of it as a hold timer. The default is 20 seconds, and it is what lets a bridge detect an indirect link failure, where the only symptom is that BPDUs stop arriving.
Forward-Delay This determines how long a port spends in each of the listening and learning states of STP. The default is 15 seconds, which means that out of the box a port spends 15 seconds in listening and 15 seconds in learning.
The different states of STP are as follows:

STP States
Blocking In the blocking state the port is essentially shut down. The switch discards frames received on the interface. It receives BPDUs from the designated port (DP) on the segment but does not relay them to other switches. The important thing to note, and that we will see in this blog through actual logs, is that blocking is not a state a port goes into every single time it comes up. A switch goes through the blocking state when it first initialises (boots up), and it places ports that could cause L2 loops into blocking when necessary. This does not mean that every time you plug a device into the switch the port goes into blocking before going to listening and learning. As we will see later, the blocking state is typically only seen during indirect link failures.

Listening In the listening state the port is starting to transition into doing something. The switch now processes the BPDUs it receives on the port, although it still discards data frames. Note that per 802.1D listening and learning are both governed by the same forward-delay timer, so they always last the same amount of time; there is no way to tweak one without changing the other.

Learning In the learning state the port continues its transition by learning MAC addresses seen on the port while it keeps receiving and processing BPDUs and transmitting BPDUs on to neighbouring switches. Data frames are still not forwarded.

Forwarding In the forwarding state the port is up and running. At this point the port actually forwards frames and continues to monitor BPDUs.

Disabled This isn't really an STP state. It means the port is administratively shut down, so STP is effectively turned off on it.

The beauty of this algorithm is that STP automatically calculates a loop-free topology for our network, but the calculation has several drawbacks:

1.        The max_age timer: when the topology changes, a port that is blocking because of an indirect failure has to wait for its max_age to expire before it can move to listening; by default that is 20 seconds on Cisco switches.
2.        Access ports do not need to take part in the STP calculation at all, since they connect directly to end devices, yet classic STP still walks them through listening and learning.
3.        Even when the STP diameter is smaller than the default (7 switches), a port still waits the full two forward-delay periods (15 seconds listening, 15 seconds learning) before it forwards; there is no feedback mechanism that could shorten the wait.

Because of the above we need at least 50 seconds (20 + 15 + 15) to re-converge onto a new topology, which is totally unbearable for some critical business environments. Hence the better version: 802.1w RSTP.

Rapid transition is the most important feature introduced by 802.1w. The legacy spanning tree algorithm (STA) passively waited for the network to converge before it turned a port into the forwarding state. Achieving faster convergence was a matter of tuning the conservative default parameters (forward delay and max_age timers), which often put the stability of the network at stake. The new rapid STP is able to actively confirm that a port can safely transition to the forwarding state without having to rely on any timer configuration.
There is now a real feedback mechanism that takes place between RSTP-compliant bridges.

Since there is so much good material about the RSTP features, and it already gives an excellent explanation, I won't write anything more on it; instead I will list some very good references. After reading through those docs you will totally fall in love with it. Hope you enjoy the new RSTP world :)

Saturday, October 8, 2011

PAC and the annoying DNS request problem

There are several PAC functions that do not behave the way we expect: whenever they are called they make the browser send DNS requests to the DNS servers, which we do not want to see. isInNet(), isResolvable() and dnsResolve() are the usual culprits, for example (the network and mask here are just placeholders):


isInNet(host, "10.0.0.0", "255.0.0.0");   // the browser must resolve host first whenever it is not already an IP address

When those functions are invoked, the client generates a large number of DNS requests and then just sits waiting for the responses, so to the end users it looks as if the browser is dreadfully dead.

if (isResolvable(host))
    return "DIRECT";
return "PROXY proxy:8080";

This "isResolvable" evil caused a lot of trouble for our browsers. We did not want the client to initiate DNS requests at all; every request is supposed to go through the proxy, and the proxy should do the resolving. Unfortunately our PAC script is not that clever: it runs locally in the browser, so it cannot hand the "isResolvable" check off to the proxy server, and the browser has to resolve the name itself, which is exactly the useless DNS traffic we wanted to avoid. To prevent this from happening to us we should simply avoid those functions.

Here below is my solution. I know it's really far from perfect; if you have any better ideas, just share them!

 function FindProxyForURL(url, host) {
     if (isPlainHostName(host)
         || dnsDomainIs(host, ".companydomain.com")      // leading dot, see note below
         || /^192\.1[01]\.\d{1,3}\.\d{1,3}$/.test(host)  // 192.10.x.x and 192.11.x.x, ftp or http, no DNS involved
         || (host == ""))
     return "DIRECT";
     return "PROXY proxy:8080";
 }

Two things to watch here. dnsDomainIs() is a plain suffix comparison, so pass the domain with a leading dot; otherwise notcompanydomain.com also goes DIRECT. And test the address prefix on the host argument the browser has already extracted, anchored to a full dotted quad: slicing url at fixed offsets gives different results for ftp:// and http://, and a bare prefix test would also send a name such as 192.10.evil.example around the proxy.
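To see the difference in practice, here is an added example that is not part of the original post: a small harness that provides the PAC helper functions a browser exposes (with the same semantics as the browser built-ins), instruments the ones that make the browser resolve names, and runs both the isResolvable() variant and a string-only variant over constructed URLs. The proxy "proxy:8080" and the domain "companydomain.com" are taken from the post; the hostnames and the "nothing resolves" behaviour are assumptions.

```javascript
// Added example, not part of the original post: PAC helper stubs with the
// browser's semantics, instrumented to count DNS lookups, plus two
// FindProxyForURL variants run over constructed URLs.

let dnsLookups = 0;                 // resolutions the browser would perform

function isPlainHostName(host) { return host.indexOf(".") === -1; }

function dnsDomainIs(host, domain) {
  // plain suffix match, exactly like the browser's: "companydomain.com"
  // also matches "notcompanydomain.com", so pass the domain with a leading dot
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

function isResolvable(host) {
  dnsLookups += 1;                  // the browser calls dnsResolve(host) here
  return false;                     // constructed: pretend nothing resolves
}

function isInNet(host, pattern, mask) {
  // the browser resolves host first unless it is already a dotted quad
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) dnsLookups += 1;
  return false;                     // constructed: never "in net"
}

// The variant from the post: one lookup for every single host.
function FindProxyForURL_resolving(url, host) {
  if (isResolvable(host)) return "DIRECT";
  return "PROXY proxy:8080";
}

// String-only variant. The address test is anchored to a full dotted quad so
// a name like "192.10.evil.example" cannot slip past the proxy.
const INTERNAL_NET = /^192\.1[01]\.\d{1,3}\.\d{1,3}$/;

function FindProxyForURL(url, host) {
  if (isPlainHostName(host)
      || dnsDomainIs(host, ".companydomain.com")
      || INTERNAL_NET.test(host)
      || host === "")
    return "DIRECT";
  return "PROXY proxy:8080";
}

// Run a PAC function over [url, host] pairs; report decisions and lookups caused.
function evaluate(pac, urls) {
  dnsLookups = 0;
  const decisions = urls.map(([url, host]) => pac(url, host));
  return { decisions, dnsLookups };
}

const SAMPLE = [                    // constructed: url and host as the browser passes them
  ["http://intranet/", "intranet"],
  ["http://wiki.companydomain.com/", "wiki.companydomain.com"],
  ["ftp://192.10.3.4/pub/", "192.10.3.4"],
  ["http://192.11.200.1:8080/", "192.11.200.1"],
  ["http://192.10.evil.example/", "192.10.evil.example"],
  ["http://notcompanydomain.com/", "notcompanydomain.com"],
  ["http://www.example.com/", "www.example.com"],
];

console.log(evaluate(FindProxyForURL_resolving, SAMPLE).dnsLookups); // 7
console.log(evaluate(FindProxyForURL, SAMPLE));                       // 0 lookups
```

The resolving variant triggers one lookup per URL, the string-only variant none, and the two lookalike hosts (the 192.10.evil.example name and notcompanydomain.com) stay behind the proxy. If the bare apex companydomain.com must also go DIRECT, list it explicitly; the leading-dot form does not match it.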

Wednesday, August 10, 2011

how to learn a new network protocol

Newbies always have the problem of not knowing where to start when learning a new protocol.

I suffered from that sort of problem for a long time; after years of self-study I have found some golden rules:

1. The state machine: this describes exactly how the protocol behaves.

2. The packet structure: this describes exactly how the protocol talks to its counterparts.

3. The roles (relationships): different roles behave differently, and this describes the relationship between the different processes.

For any protocol, all three of these golden rules have to be clearly understood.

Tuesday, July 5, 2011

Monitoring traffic (With Wireshark)

Wireshark and monitoring session

  1. SPAN monitoring session
C2950(config)#monitor session 1 source interface fastethernet 0/2

!--- This configures interface Fast Ethernet 0/2 as the source port (the port whose traffic is copied).

C2950(config)#monitor session 1 destination interface fastethernet 0/3

!--- This configures interface Fast Ethernet 0/3 as the destination port (where the Wireshark host is attached).

  2. Capture filters


Catalyst Switched Port Analyzer (SPAN) Configuration Example

Filtering while capturing

Wednesday, June 22, 2011

TCP 4-times close

[TCP close diagram]
1. The client sends a FIN segment to the server, indicating that it will send no more data from client to server. This is called the active close. (FIN=1, seq=u)
2. The server acknowledges the FIN. (ACK=1, seq=v, ack=u+1)
3. The server may continue to transmit; when it has finished it closes its own direction, server to client. This is called the passive close. (FIN=1, ACK=1, seq=w, ack=u+1)
4. The client acknowledges the server's FIN.[1] (ACK=1, seq=u+1, ack=w+1)

Capture Example

4 times close.pcap

[1]. After sending this ACK the client does not release the connection immediately; it enters TIME-WAIT and holds the resources for 2 MSL (twice the Maximum Segment Lifetime) before releasing them.

TCP 3-way handshake

We assume that both the host (A, the client) and the server (B) start in the CLOSED state.
1. The server process creates a TCB [1] and uses it to prepare to accept the host's request. Once the TCB exists the server moves into LISTEN.
2. The host does the same: it creates a TCB and uses it to send a request with SYN=1 in the header and an arbitrary initial sequence number, seq=x. A SYN segment (one with SYN=1) cannot carry any data, but it consumes one sequence number. After the request is sent the host enters SYN-SENT.
3. After receiving the host's request:
  • i. If the server accepts the connection, it sends back a confirming response with both the SYN and ACK bits set to '1', and it picks its own initial sequence number, seq=y. The acknowledgement number confirms the client's SYN, so this segment carries seq=y, ack=x+1. It cannot carry any data either, but it also consumes one sequence number. The server then enters SYN-RCVD.
  • ii. If the server rejects the connection, it simply answers with an RST segment to reset it.
4. After the host receives the server's response, it sends back a confirming segment of its own with the ACK bit set to '1', seq=x+1, ack=y+1. [2]
After that both sides enter ESTABLISHED. This is what we call the three-way handshake.

Capture Example

[1]. TCB: Transmission Control Block, something like a PCB. It stores the significant per-connection state: the entry in the TCP connection table, pointers to the send and receive buffers and to the retransmission queue, the current sequence and acknowledgement numbers, and so on.
[2]. An ACK segment may carry data; if it does not, it consumes no sequence number, which is why the confirming segment's sequence number is still seq=x+1. In practice the three-way handshake does more than open the connection: it also negotiates some very important parameters. MSS (maximum segment size) is exchanged as an option in the SYN and SYN-ACK segments at this stage.
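Both exchanges described in these two posts, the three-way handshake and the four-segment close, as an added example that is not from the original post: a small two-endpoint simulation in JavaScript that tracks each side's state and sequence/acknowledgement numbers, including the rule that SYN and FIN consume one sequence number while a pure ACK consumes none, the half-close where the server keeps sending after acknowledging the client's FIN, and the RST reply when nothing is listening. The initial sequence numbers x=100 and y=300, the payload sizes and the endpoint names are made-up constants; timers, loss, retransmission and the 2 MSL wait itself are not modelled.

```javascript
// Added example, not from the post: two-endpoint simulation of the TCP
// handshake, a data exchange and the four-segment close, tracking state and
// sequence numbers. ISNs (100, 300), payload sizes and names are made up.

// Sequence space a segment consumes: payload bytes, plus one each for SYN and FIN.
// A pure ACK therefore consumes nothing, which is why seq stays at x+1 in step 4.
function occupies(flags, length) {
  return length + (flags.includes("SYN") ? 1 : 0) + (flags.includes("FIN") ? 1 : 0);
}

class Endpoint {
  constructor(name, isn) {
    this.name = name;
    this.state = "CLOSED";
    this.sndNxt = isn;     // next sequence number this side will send
    this.rcvNxt = null;    // next sequence number expected from the peer (= our ack)
  }
  send(flags, length = 0) {
    const seg = { src: this.name, flags, seq: this.sndNxt,
                  ack: flags.includes("ACK") ? this.rcvNxt : null, length };
    this.sndNxt += occupies(flags, length);
    return seg;
  }
  receive(seg) {           // in-order delivery assumed; no loss, no timers
    this.rcvNxt = seg.seq + occupies(seg.flags, seg.length);
  }
}

function record(trace, seg, c, s) {
  trace.push({ seg, client: c.state, server: s.state });
}

function threeWayHandshake(client, server, listening = true) {
  const trace = [];
  server.state = listening ? "LISTEN" : "CLOSED";
  const syn = client.send("SYN"); client.state = "SYN-SENT";          // seq=x
  record(trace, syn, client, server);
  if (!listening) {
    // step 3(ii): nothing listening, so the server answers RST (seq 0, ack x+1)
    const rst = { src: server.name, flags: "RST+ACK", seq: 0, ack: syn.seq + 1, length: 0 };
    client.state = "CLOSED";
    record(trace, rst, client, server);
    return trace;
  }
  server.receive(syn);
  const synAck = server.send("SYN+ACK"); server.state = "SYN-RCVD";   // seq=y, ack=x+1
  record(trace, synAck, client, server);
  client.receive(synAck);
  const ack = client.send("ACK"); client.state = "ESTABLISHED";       // seq=x+1, ack=y+1
  server.receive(ack); server.state = "ESTABLISHED";
  record(trace, ack, client, server);
  return trace;
}

// One data segment (ACK bit always set once established); payload consumes seq space.
function transfer(sender, receiver, nbytes) {
  const seg = sender.send("ACK", nbytes);
  receiver.receive(seg);
  return seg;
}

function fourWayClose(client, server, serverPending = 0) {
  const trace = [];
  const fin = client.send("FIN+ACK"); client.state = "FIN-WAIT-1";    // active close, seq=u
  server.receive(fin); server.state = "CLOSE-WAIT";
  record(trace, fin, client, server);
  const ack = server.send("ACK"); client.receive(ack); client.state = "FIN-WAIT-2"; // seq=v, ack=u+1
  record(trace, ack, client, server);
  if (serverPending)       // half-close: the server may keep sending after ACKing the FIN
    record(trace, transfer(server, client, serverPending), client, server);
  const fin2 = server.send("FIN+ACK"); server.state = "LAST-ACK";     // passive close, seq=w, ack=u+1
  client.receive(fin2); client.state = "TIME-WAIT";                   // held for 2 MSL before CLOSED
  record(trace, fin2, client, server);
  const ack2 = client.send("ACK"); server.receive(ack2); server.state = "CLOSED"; // seq=u+1, ack=w+1
  record(trace, ack2, client, server);
  return trace;
}

// Full session with made-up ISNs: x=100 on the client, y=300 on the server.
function demo() {
  const c = new Endpoint("client", 100), s = new Endpoint("server", 300);
  const handshake = threeWayHandshake(c, s);
  transfer(c, s, 10);      // 10 bytes client -> server, then 20 bytes back
  transfer(s, c, 20);
  const close = fourWayClose(c, s, 20);
  return { handshake, close, client: c, server: s };
}

const d = demo();
for (const e of [...d.handshake, ...d.close])
  console.log(`${e.seg.src} ${e.seg.flags} seq=${e.seg.seq} ack=${e.seg.ack} len=${e.seg.length}  [${e.client}/${e.server}]`);
```

With these constants the close comes out as u=111, v=321 and w=341: the server's ACK of the FIN and its own FIN carry different sequence numbers only because 20 bytes of data went out in between, and the last client segment is seq=u+1, ack=w+1 exactly as in the list above. Compare the printed trace against the seq and ack columns of the captures in Wireshark.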