Skip to main content


Network A system of interconnected computers and computerized peripherals such as printers is called computer network. This interconnection among computers facilitates information sharing among them. Computers may connect to each other by either wired or wireless media. A computer network consists of a collection of computers, printers and other equipment that is connected together so that they can communicate with each other.  

Network application
A Network application is any application running on one host and provides a communication to another application running on a different host, the application may use an existing application layer protocols such as: HTTP(e.g. the Browser and web server), SMTP(e.g. the email-client). And may be the application does not use any existing protocols and depends on the socket programming to communicate to another application. So the web application is a type of the network applications. 
There are lots of advantages from build up a network, but the th…

IP Services

The following ICND2 exam topics
are covered in this chapter :
1 IP Services
Image result for ip services"
■Recognize high availability (FHRP)
■ Configure and verify Syslog
■ Utilize Syslog Output
■ Describe SNMP v2 & v3
1 Troubleshooting
■ Utilize netflow data
■ Monitor NetFlow statistics

In this chapter, I’m going to show you how to integrate redundancy and load-balancing features into your network elegantly 
with the routers that you likely have already. Acquiring some 
overpriced load-balancing device just isn’t always necessary because knowing how to properly configure and use Hot Standby Router Protocol (HSRP), as well as the nonproprietary 
Virtual Router Redundancy Protocol (VRRP), can often meet your needs instead. You’ll 
soon see that while these technologies are very similar in function, they operate slightly 
differently. I’ll also show you how to configure and use Gateway Load Balancing Protocol 
(GLBP), which allows you to use up to four routers for an effective load-balancing solution 
within your first hop redundancy protocols (FHRPs).
I know we discussed syslog in earlier CCENT chapters, but I’m going to delve into it 
more in-depth in this chapter, as well as look at Simple Network Management Protocol 
(SNMP) and the type of alerts sent to the network management station (NMS). In addition, 
we’ll cover Cisco NetFlow and how it works in an internetwork. 
To find up-to-the-minute updates for this chapter, please see or the book’s web page at
Client Redundancy Issues
If you’re wondering how you can possibly configure a client to send data off its local link 
when its default gateway router has gone down, you’ve targeted a key issue because the 
answer is that usually, you can’t! Most host operating systems just don’t allow you to 
change data routing. Sure, if a host’s default gateway router goes down, the rest of the 
network will still converge, but it won’t share that information with the hosts. Take a look 
at Figure 17.1 to see what I am talking about. There are actually two routers available to 
forward data for the local subnet, but the hosts know about only one of them. They learn 
about this router when you provide them with the default gateway either statically or 
through DHCP.
This begs the question: Is there another way to use the second active router? The answer 
is a bit complicated, but bear with me. There is a feature that’s enabled by default on Cisco 
routers called Proxy Address Resolution Protocol (Proxy ARP). Proxy ARP enables hosts, 
which have no knowledge of routing options, to obtain the MAC address of a gateway 
router that can forward packets for them.
Client Redundancy Issues 701
F ig u re 17.1 Default gateway
You can see how this happens in Figure 17.2. If a Proxy ARP–enabled router receives 
an ARP request for an IP address that it knows isn’t on the same subnet as the request￾ing host, it will respond with an ARP reply packet to the host. The router will give its 
own local MAC address—the MAC address of its interface on the host’s subnet—as the 
destination MAC address for the IP address that the host is seeking to be resolved. After 
receiving the destination MAC address, the host will then send all the packets to the 
router, not knowing that what it sees as the destination host is really a router. The router 
will then forward the packets toward the intended host.
So with Proxy ARP, the host device sends traffic as if the destination device were located 
on its own network segment. If the router that responded to the ARP request fails, the 
source host continues to send packets for that destination to the same MAC address. But 
because they’re being sent to a failed router, the packets will be sent to the other router that 
is also responding to ARP requests for remote hosts.
After the time-out period on the host, the proxy ARP MAC address ages out of the ARP 
cache. The host can then make a new ARP request for the destination and get the address of 
another proxy ARP router. Still, keep in mind that the host cannot send packets off of its sub￾net during the failover time. This isn’t exactly a perfect situation, so there has to be a better 
way, right? Well, there is, and that’s precisely where redundancy protocols come to the rescue!
702 Chapter 17 u IP Services
F ig u re 17. 2 Proxy ARP
Proxy ARP
ARP request for remote host
Introducing First Hop Redundancy 
Protocol (FHRP)
First hop redundancy protocols (FHRPs) work by giving you a way to configure more than 
one physical router to appear as if they were only a single logical one. This makes client 
configuration and communication easier because you can simply configure a single default 
gateway and the host machine can use its standard protocols to communicate. First hop is 
a reference to the default router being the first router, or first router hop, through which a 
packet must pass.
So how does a redundancy protocol accomplish this? The protocols I’m going to describe 
to you do this basically by presenting a virtual router to all of the clients. The virtual router 
has its own IP and MAC addresses. The virtual IP address is the address that’s configured 
on each of the host machines as the default gateway. The virtual MAC address is the address 
that will be returned when an ARP request is sent by a host. The hosts don’t know or care 
which physical router is actually forwarding the traffic, as you can see in Figure 17.3.
Introducing First Hop Redundancy Protocol (FHRP) 703
F ig u re 17. 3 FHRPs use a virtual router with a virtual IP address and virtual MAC 
Virtual router
It’s the responsibility of the redundancy protocol to decide which physical router will 
actively forward traffic and which one will be placed on standby in case the active router 
fails. Even if the active router fails, the transition to the standby router will be transparent to 
the hosts because the virtual router, which is identified by the virtual IP and MAC addresses, 
is now used by the standby router. The hosts never change default gateway information, so 
traffic keeps flowing.
Fault-tolerant solutions provide continued operation in the event of 
a device failure, and load-balancing solutions distribute the workload 
over multiple devices.
Next we’ll explore these three important redundancy protocols:
Hot Standby Router Protocol (HSRP) is by far Cisco’s favorite protocol ever! Don’t buy just 
one router; buy up to eight routers to provide the same service, and keep seven as backup in 
case of failure! HSRP is a Cisco proprietary protocol that provides a redundant gateway for 
hosts on a local subnet, but this isn’t a load-balanced solution. HSRP allows you to configure 
704 Chapter 17 u IP Services
two or more routers into a standby group that shares an IP address and MAC address and 
provides a default gateway. When the IP and MAC addresses are independent from the routers’ 
physical addresses (on a virtual interface, not tied to a specific interface), they can swap control 
of an address if the current forwarding and active router fails. But there is actually a way you 
can sort of achieve load balancing with HSRP—by using multiple VLANs and designating a 
specific router active for one VLAN, then an alternate router as active for the other VLAN via 
trunking. This still isn’t a true load-balancing solution and it’s not nearly as solid as what you 
can achieve with GLBP!
Virtual Router Redundancy Protocol (VRRP) also provides a redundant—but again, 
not load-balanced—gateway for hosts on a local subnet. It’s an open standard protocol 
that functions almost identically to HSRP. I’ll comb through the fine differences that exist 
between these protocols later in the chapter.
Gateway Load Balancing Protocol (GLBP) doesn’t just stop at providing us with a redundant gateway; it’s a true load-balancing solution for routers. GLBP allows a maximum of 
four routers in each forwarding group. By default, the active router directs the traffic from 
hosts to each successive router in the group using a round-robin algorithm. The hosts are 
directed to send their traffic toward a specific router by being given the MAC address of 
the next router in line to be used.
Hot Standby Router Protocol (HSRP)
Again, HSRP is a Cisco proprietary protocol that can be run on most, but not all, of 
Cisco’s router and multilayer switch models. It defines a standby group, and each standby 
group that you define includes the following routers:
uu Active router
uu Standby router
uu Virtual router
uu Any other routers that maybe attached to the subnet
The problem with HSRP is that with it, only one router is active and two or more routers 
just sit there in standby mode and won’t be used unless a failure occurs—not very cost effective or efficient! Figure 17.4 shows how only one router is used at a time in an HSRP group.
The standby group will always have at least two routers participating in it. The primary 
players in the group are the one active router and one standby router that communicate to 
each other using multicast Hello messages. The Hello messages provide all of the required 
communication for the routers. The Hellos contain the information required to accomplish 
the election that determines the active and standby router positions. They also hold the key 
to the failover process. If the standby router stops receiving Hello packets from the active 
router, it then takes over the active router role, as shown in Figure 17.5.
As soon as the active router stops responding to Hellos, the standby router automatically 
becomes the active router and starts responding to host requests.
Hot Standby Router Protocol (HSRP) 705
F ig u re 17. 4 HSRP active and standby routers
Virtual router

Virtual MAC Address

A virtual router in an HSRP group has a virtual IP address and a virtual MAC address. So 
where does that virtual MAC come from? The virtual IP address isn’t that hard to figure 
out; it just has to be a unique IP address on the same subnet as the hosts defined in the 
configuration. But MAC addresses are a little different, right? Or are they? The answer is 
yes—sort of. With HSRP, you create a totally new, made-up MAC address in addition to 
the IP address.
The HSRP MAC address has only one variable piece in it. The first 24 bits still identify 
the vendor who manufactured the device (the organizationally unique identifier, or OUI). 
The next 16 bits in the address tell us that the MAC address is a well-known HSRP MAC 
address. Finally, the last 8 bits of the address are the hexadecimal representation of the 
HSRP group number.
Let me clarify all this with an example of what an HSRP MAC address would look like:
706 Chapter 17 u IP Services
uu The first 24 bits (0000.0c) are the vendor ID of the address; in the case of HSRP being 
a Cisco protocol, the ID is assigned to Cisco.
uu The next 16 bits ( are the well-known HSRP ID. This part of the address was 
assigned by Cisco in the protocol, so it’s always easy to recognize that this address is 
for use with HSRP.
uu The last 8 bits (0a) are the only variable bits and represent the HSRP group number 
that you assign. In this case, the group number is 10 and converted to hexadecimal 
when placed in the MAC address, where it becomes the 0a that you see.
F ig u re 17.5 Example of HSRP active and standby routers swapping interfaces 
Virtual router
You can see this displayed with every MAC address added to the ARP cache of every 
router in the HSRP group. There will be the translation from the IP address to the MAC 
address, as well as the interface on which it’s located.
HSRP Timers
Before we get deeper into the roles that each of the routers can have in an HSRP group, I 
want to define the HSRP timers. The timers are very important to HSRP function because 
Hot Standby Router Protocol (HSRP) 707
they ensure communication between the routers, and if something goes wrong, they allow 
the standby router to take over. The HSRP timers include hello, hold, active, and standby.
Hello timer The hello timer is the defined interval during which each of the routers send 
out Hello messages. Their default interval is 3 seconds and they identify the state that each 
router is in. This is important because the particular state determines the specific role of 
each router and, as a result, the actions each will take within the group. Figure 17.6 shows 
the Hello messages being sent and the router using the hello timer to keep the network 
flowing in case of a failure.
F ig u re 17.6 HSRP Hellos
Virtual router
This timer can be changed and people used to avoid doing so because it was thought that lowering the hello value would place an unnecessary load on the routers. That isn’t true with most 
of the routers today; in fact, you can configure the timers in milliseconds, meaning the fail-over 
time can be in milliseconds! Still, keep in mind that increasing the value will make the standby 
router wait longer before taking over for the active router when it fails or can’t communicate.
Hold timer The hold timer specifies the interval the standby router uses to determine whether 
the active router is offline or out of communication. By default, the hold timer is 10 seconds, 
roughly three times the default for the hello timer. If one timer is changed for some reason, 

 IP Services

I recommend using this multiplier to adjust the other timers too. By setting the hold timer at 
three times the hello timer, you ensure that the standby router doesn’t take over the active role 
every time there’s a short break in communication.
Active timer The active timer monitors the state of the active router. The timer resets 
each time a router in the standby group receives a Hello packet from the active router. 
This timer expires based on the hold time value that’s set in the corresponding field of 
the HSRP hello message.
Standby timer The standby timer is used to monitor the state of the standby router. The 
timer resets anytime a router in the standby group receives a Hello packet from the standby 
router and expires based on the hold time value that’s set in the respective Hello packet.
Large Enterprise Network Outages with FHRPs
Years ago when HSRP was all the rage, and before VRRP and GLBP, enterprises used hundreds of HSRP groups. With the hello timer set to 3 seconds and a hold time of 10 seconds, 
these timers worked just fine and we had great redundancy with our core routers.
However, in the last few years, and certainly in the future, 10 seconds is now a lifetime! 
Some of my customers have been complaining with the failover time and loss of connectivity to their virtual server farm.
So lately I’ve been changing the timers to well below the defaults. Cisco had changed the 
timers so you could use sub-second times for failover. Because these are multicast packets, 
the overhead that is seen on a current high-speed network is almost nothing.
The hello timer is typically set to 200 msec and the hold time is 700 msec. The command 
is as follows:
(config-if)#Standby 1 timers msec 200 msec 700
This almost ensures that not even a single packet is lost when there is an outage.
Group Roles
Each of the routers in the standby group has a specific function and role to fulfill. The three 
main roles are as virtual router, active router, and standby router. Additional routers can 
also be included in the group.
Virtual router As its name implies, the virtual router is not a physical entity. It really 
just defines the role that’s held by one of the physical routers. The physical router that 
Hot Standby Router Protocol (HSRP) 709
communicates as the virtual router is the current active router. The virtual router is 
nothing more than a separate IP address and MAC address to which packets are sent.
Active router The active router is the physical router that receives data sent to the virtual 
router address and routes it onward to its various destinations. As I mentioned, this router 
accepts all the data sent to the MAC address of the virtual router in addition to the data 
that’s been sent to its own physical MAC address. The active router processes the data 
that’s being forwarded and will also answer any ARP requests destined for the virtual 
router’s IP address.
Standby router The standby router is the backup to the active router. Its job is to monitor 
the status of the HSRP group and quickly take over packet-forwarding responsibilities if 
the active router fails or loses communication. Both the active and standby routers transmit 
Hello messages to inform all other routers in the group of their role and status.
Other routers An HSRP group can include additional routers, which are members of the 
group but that don’t take the primary roles of either active or standby states. These routers 
monitor the Hello messages sent by the active and standby routers to ensure that an active 
and standby router exists for the HSRP group that they belong to. They will forward data 
that’s specifically addressed to their own IP addresses, but they will never forward data 
addressed to the virtual router unless elected to the active or standby state. These routers 
send “speak” messages based on the hello timer interval that informs other routers of their 
position in an election. 

Interface Tracking

By now, you probably understand why having a virtual router on a LAN is a great idea. 
You also know why it’s a very good thing that the active router can change dynamically, 
giving us much needed redundancy on our inside network. But what about the links to the 
upstream network or the Internet connection off of those HSRP-enabled routers? And how 
will the inside hosts know if an outside interface goes down or if they are sending packets 
to an active router that can’t route to a remote network? Key questions and HSRP do provide a solution for them called interface tracking.
Figure 17.7 shows how HSRP-enabled routers can keep track of the interface status of the 
outside interfaces and how they can switch the inside active router as needed to keep the inside hosts from losing connectivity upstream.
If the outside link of the active router goes down, the standby router will take over and 
become the active router. There is a default priority of 100 on routers configured with an 
HSRP interface, and if you raise this priority (we’ll do this in a minute), it means your router has a higher priority to become the active router. The reason I am bringing this up now is because when a tracked interface goes down, it decrements the priority of this router.

Configuring and Verifying HSRP

Configuring and verifying the different FHRPs can be pretty simple, especially regarding the Cisco objectives, but as with most technologies, you can quickly get into advanced 
configurations and territory with the different FHRPs. The Cisco objectives don’t cover 
710 Chapter 17 u IP Services
much about the configuration of FHRPs, but verification is important, so I’ll use a simple 
configuration on two routers here, starting with HSRP, which I’ll also refer to for a simple 
GLBP configuration and verification later in this chapter. Figure 17.8 shows the network I’ll 
use to demonstrate the FHRPs. 
F ig u re 17.7 Interface tracking setup
Tracked interfaces
Virtual router
Tracked interfaces
Virtual router
This is a simple configuration that you really need only one command for: standby group
ip virtual_ip. After using this single mandatory command, I’ll name the group and set the 
interface on router HSRP1 so it wins the election and becomes the active router by default.
HSRP1#config t
HSRP1(config)#int fa0/0
HSRP1(config-if)#standby ?
 <0-255> group number
 authentication Authentication
 delay HSRP initialisation delay
 ip Enable HSRP and set the virtual IP address
 mac-address Virtual MAC address
 name Redundancy name string
 preempt Overthrow lower priority Active routers
 priority Priority level
 redirect Configure sending of ICMP Redirect messages with an HSRP
 virtual IP address as the gateway IP address
Hot Standby Router Protocol (HSRP) 711
 timers Hello and hold timers
 track Priority tracking
 use-bia HSRP uses interface's burned in address
 version HSRP version
HSRP1(config-if)#standby 1 ip
HSRP1(config-if)#standby 1 name HSRP_Test
HSRP1(config-if)#standby 1 priority ?
 <0-255> Priority value
HSRP1(config-if)#standby 1 priority 110
000047: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
000048: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active110
F ig u re 17. 8 HSRP configuration and verification
Virtual router
712 Chapter 17 u IP Services
There are quite a few commands available to use in an advanced setting with the standby
command, but we’ll stick with the simple commands that follow the Cisco objectives. First, 
I numbered the group (1), which must be the same on all routers sharing HSRP duties; then 
I added the virtual IP address shared by all routers in the HSRP group. Optionally, I named 
the group and then set the priority of HSRP1 to 110, and I left HSRP2 to a default of 100. 
The router with the highest priority will win the election to become the active router. Let’s 
configure the HSRP2 router now: 
HSRP2#config t
HSRP2(config)#int fa0/0
HSRP2(config-if)#standby 1 ip
HSRP2(config-if)#standby 1 name HSRP_Test
*Jun 23 21:40:10.699:%HSRP-5-STATECHANGE:FastEthernet0/0 Grp 1 state 
Speak -> Standby
I really only needed the first command—naming it was for administrative purposes 
only. Notice that the link came up and HSRP2 became the standby router because it had 
the lower priority of 100 (the default). Make a note that this priority comes into play only 
if both routers were to come up at the same time. This means that HSRP2 would be the 
active router, regardless of the priority, if it comes up first.
Let’s take a look at the configurations with the show standby and show standby brief
HSRP1(config-if)#do show standby
FastEthernet0/0 - Group 1
 State is Active
 2 state changes, last state change 00:03:40
 Virtual IP address is
 Active virtual MAC address is 0000.0c07.ac01
 Local virtual MAC address is 0000.0c07.ac01 (v1 default)
 Hello time 3 sec, hold time 10 sec
 Next hello sent in 1.076 secs
 Preemption disabled
 Active router is local
 Standby router is, priority 100 (expires in 7.448 sec)
 Priority 110 (configured 110)
 IP redundancy name is "HSRP_Test" (cfgd)
HSRP1(config-if)#do show standby brief
 P indicates configured to preempt.
Hot Standby Router Protocol (HSRP) 713
Interface Grp Prio P State Active Standby Virtual IP
Fa0/0 1 110 Active local
Notice the group number in each output—it’s a key troubleshooting spot! Each router must 
be configured in the same group or they won’t work. Also, you can see the virtual MAC and 
configured virtual IP address, as well as the hello time of 3 seconds. The standby and virtual 
IP addresses are also displayed.
HSRP2’s output tells us that it’s in standby mode:
HSRP2(config-if)#do show standby brief
 P indicates configured to preempt.
Interface Grp Prio P State Active Standby Virtual IP
Fa0/0 1 100 Standby local
There is one other command that I want to cover. If you’re studying and want to under￾stand HSRP, you should learn to use this debug command and have your active and standby 
routers move. You’ll really get to see what is going on.
HSRP2#debug standby
*Sep 15 00:07:32.344:HSRP:Fa0/0 Interface UP 
*Sep 15 00:07:32.344:HSRP:Fa0/0 Initialize swsb, Intf state Up
*Sep 15 00:07:32.344:HSRP:Fa0/0 Starting minimum intf delay (1 secs)
*Sep 15 00:07:32.344:HSRP:Fa0/0 Grp 1 Set virtual MAC 0000.0c07.ac01 
type: v1 default
*Sep 15 00:07:32.344:HSRP:Fa0/0 MAC hash entry 0000.0c07.ac01, Added 
Fa0/0 Grp 1 to list
*Sep 15 00:07:32.348:HSRP:Fa0/0 Added to hash table
*Sep 15 00:07:32.348:HSRP:Fa0/0 Grp 1 Has mac changed? cur 0000.0c07.ac01 
new 0000.0c07.ac01
*Sep 15 00:07:32.348:HSRP:Fa0/0 Grp 1 Disabled -> Init
*Sep 15 00:07:32.348:HSRP:Fa0/0 Grp 1 Redundancy "hsrp-Fa0/0-1" state Disabled -> 
*Sep 15 00:07:32.348:HSRP:Fa0/0 IP Redundancy "hsrp-Fa0/0-1" added
*Sep 15 00:07:32.348:HSRP:Fa0/0 IP Redundancy "hsrp-Fa0/0-1" update, 
Disabled -> Init
*Sep 15 00:07:33.352:HSRP:Fa0/0 Intf min delay expired
*Sep 15 00:07:39.936:HSRP:Fa0/0 Grp 1 MAC addr update Delete from SMF 0000.0c07.
*Sep 15 00:07:39.936:HSRP:Fa0/0 Grp 1 MAC addr update Delete from SMF 0000.0c07.
*Sep 15 00:07:39.940:HSRP:Fa0/0 ARP reload
714 Chapter 17 u IP Services
HSRP Load Balancing
As you know, HSRP doesn’t really perform true load balancing, but it can be configured 
to use more than one router at a time for use with different VLANs. This is different from 
the true load balancing that’s possible with GLBP, which I’ll demonstrate in a minute, but 
HSRP still performs a load-balancing act of sorts. Figure 17.9 shows how load balancing 
would look with HSRP.
F ig u re 17. 9 HSRP load balancing per VLAN
Ip address for VLAN 10
Ip address for VLAN 20
Ip address for VLAN 10
Ip address for VLAN 20
Trunk Trunk
HSRP active group 10 HSRP active group 20
How can you get two HSRP routers active at the same time? Well for the same subnet 
with this simple configuration you can’t, but by trunking the links to each router, they’ll 
run and be configured with a “router on a stick” (ROAS) configuration. This means that 
each router can be the default gateway for different VLANs, but you still can have only 
one active router per VLAN. Typically, in a more advanced setting you won’t use HSRP for 
load balancing; you’ll use GLBP, but you can do load-sharing with HSRP, and that is the 
topic of an objective, so we’ll remember that, right? It comes in handy because it prevents 
situations where a single point of failure causes traffic interruptions. This HSRP feature 
improves network resilience by allowing for load-balancing and redundancy capabilities 
between subnets and VLANs.
Virtual Router Redundancy Protocol 715
Virtual Router Redundancy Protocol
Like HSRP, Virtual Router Redundancy Protocol (VRRP) allows a group of routers to 
form a single virtual router. In an HSRP or VRRP group, one router is elected to handle 
all requests sent to the virtual IP address. With HSRP, this is the active router. An HSRP 
group has one active router, at least one standby router, and many listening routers. A 
VRRP group has one master router and one or more backup routers and is the open stan￾dard implementation of HSRP.
Comparing VRRP and HSRP
The LAN workstations are configured with the address of the virtual router as their default 
gateway, just as they are with HSRP, but VRRP differs from HSRP in these important ways:
uu VRRP is an IEEE standard (RFC 2338) for router redundancy; HSRP is a Cisco 
proprietary protocol.
uu The virtual router that represents a group of routers is known as a VRRP group.
uu The active router is referred to as the master virtual router.
uu The master virtual router may have the same IP address as the virtual router group.
uu Multiple routers can function as backup routers.
uu VRRP is supported on Ethernet, Fast Ethernet, and Gigabit Ethernet interfaces, as well as 
on Multiprotocol Label Switching (MPLS) virtual private networks (VPNs) and VLANs.
VRRP Redundancy Characteristics
VRRP has some unique features:
uu VRRP provides redundancy for the real IP address of a router or for a virtual IP address 
shared among the VRRP group members.
uu If a real IP address is used, the router with that address becomes the master.
uu If a virtual IP address is used, the master is the router with the highest priority.
uu A VRRP group has one master router and one or more backup routers.
uu The master router uses VRRP messages to inform group members of its status.
uu VRRP allows load sharing across more than one virtual router.
716 Chapter 17 u IP Services
Gateway Load Balancing Protocol
Although HSRP and VRRP provide gateway resiliency with per-subnet load balancing, the 
upstream bandwidth of the standby members of the redundancy group isn’t used while the 
devices are in standby mode.
Only the active routers in HSRP and VRRP groups forward traffic for the virtual MAC. 
Resources associated with the standby router are not fully utilized. Some load-balancing can 
be accomplished with these protocols through the creation of multiple groups and through 
the assignment of multiple default gateways, but be warned—these configurations create an 
administrative burden and are inefficient for today’s networks!
Cisco designed a proprietary load-balancing protocol, Gateway Load Balancing Protocol 
(GLBP), to allow automatic selection and simultaneous use of multiple available gateways, 
as well as permit automatic failover between those gateways. GLBP takes an active/active 
approach on a per-subnet basis to support first-hop (default router) traffic when implemented 
with two routers on the same LAN. Multiple routers share the load of frames that, from a 
client perspective, are sent to a single default gateway address, as shown in Figure 17.10.
F ig u re 17.10 Gateway Load Balancing Protocol (GLBP)
Virtual router
Gateway Load Balancing Protocol 717
With GLBP, resources can be fully utilized without the administrative hassle of config￾uring multiple groups and managing multiple default gateway configurations as required 
when working with HSRP and VRRP.
GLBP Functions
GLBP essentially provides clients with the following:
uu An active virtual gateway (AVG)
uu An active virtual forwarder (AVF)
It also allows members of the group to communicate with each other through Hello mes￾sages sent every 3 seconds to the multicast address, User Datagram Protocol 
(UDP) port 3222.
GLBP AVG Members of a GLBP group elect one gateway to be the AVG for that group. 
Other group members provide backup for the AVG in the event that the AVG becomes unavail￾able. The AVG assigns a different virtual MAC address to each member of the GLBP group.
GLBP AVF Each gateway assumes responsibility for forwarding packets that are sent to 
the virtual MAC address assigned to that gateway by the AVG. These gateways are known 
as AVFs for their virtual MAC address. 
GLBP Features
GLBP provides upstream load-sharing by utilizing the redundant uplinks simultaneously. It 
uses link capacity efficiently, thus providing solid peak-load traffic coverage. By making use 
of multiple available paths upstream from the routers or layer 3 switches running GLBP, 
you can also reduce output queues. GLBP supports the following features: 
Load sharing You can configure GLBP so that traffic from LAN clients is shared by 
multiple routers. As the name suggests, load sharing distributes the traffic load more 
evenly among available routers.
Multiple virtual routers GLBP supports up to 1,024 virtual routers as GLBP groups on 
each router’s physical interface and up to four virtual forwarders per group.
Preemption According to the dictionary, preempt means “to replace with something consid￾ered to be of greater value or priority.” The redundancy scheme of GLBP allows us to preempt 
an AVG with a higher-priority backup virtual gateway that has become available. Forwarder 
preemption works in a similar way, except that it’s based upon weighting instead of priority 
and is enabled by default. One router can take over another router only during an election, and 
preemption is the only way to force an election when a device hasn’t gone down. 
718 Chapter 17 u IP Services
Efficient resource utilization GLBP makes it possible for any router in a group to serve 
as a backup, which eliminates the need for a dedicated backup router because all available 
routers can support network traffic.
Remember that only a single path is used with HSRP or VRRP, while other resources are 
idle unless you’ve got multiple groups and gateways configured. This means that a single path 
can be subjected to higher output queue rates during peak times, leading to lower performance 
caused by higher jitter rates. The good news is that we can mitigate the impact of jitter with 
GLBP because with it, more upstream bandwidth is available and additional upstream paths 
are used.
Further, GLBP permits automatic selection and simultaneous use of all available gate￾ways in the group. The members of a GLBP group elect one gateway to be the AVG for 
that group, and other members of the group provide backup for the AVG if it becomes 
unavailable. The AVG assigns a virtual MAC address to each member of the GLBP group. 
All routers become AVFs for frames addressed to that specific virtual MAC address. And 
as clients send ARP requests for the address of the default gateway, the AVG sends these 
virtual MAC addresses in the ARP replies. Don’t forget that a GLBP group can have up to 
four group members.
GLBP automatically manages the virtual MAC address assignment, determines who 
handles the forwarding, and ensures that each host has a reliable forwarding path if failures 
to gateways or tracked interfaces occur. Also, when failures do occur, the load-balancing 
ratio is adjusted among the remaining AVFs so that resources are used in the most efficient 
GLBP Per-host Traffic Balancing
These two steps will really help clarify how GLBP balances traffic using the round-robin 
1. When a client sends an ARP message for the gateway IP address, the AVG returns the 
virtual MAC address of one of the AVFs.
2. When a second client sends an ARP message, the AVG returns the next virtual MAC 
address from the list.
So having resolved a different MAC address for the default gateway, each client will send 
its routed traffic to separate routers even though they both have the same default gateway 
address configured. Remember that each GLBP router will be the designated AVF for the 
specific virtual MAC address that’s been assigned to it.
Configuring GLBP
Let’s go ahead and configure GLBP on our little internetwork now, as shown in Figure 17.11. 
I’ll use the same minimal configuration, with GLBP1 getting a higher priority:
Gateway Load Balancing Protocol 719
F ig u re 17.11 Configuring GLBP
Virtual router
GLBP1(config)#int fa0/0
GLBP1(config-if)#glbp 1 ip
GLBP1(config-if)#glbp 1 name GLBP_Test
GLBP1(config-if)#GLBP 1 priority 110
000050:%GLBP-6-STATECHANGE:FastEthernet0/0 Grp 1 state Standby -> Active
000051:%GLBP-6-FWDSTATECHANGE:FastEthernet0/0 Grp 1 Fwd 1 state Listen -> Active
Next, I’ll configure GLBP2: 
GLBP2(config)#int fa0/0
GLBP2(config-if)#glbp 1 ip
GLBP2(config-if)#glbp 1 name GLBP_Test
*Jun 23 21:49:16.059:%GLBP-6-FWDSTATECHANGE:FastEthernet0/0 Grp 1 Fwd 2 
state Listen -> Active
720 Chapter 17 u IP Services
Okay—this is pretty much the same configuration as HSRP, except that I used glbp
instead of the standby command. Let’s see which router is active now:
GLBP1(config-if)#do sh glbp
FastEthernet0/0 - Group 1
 State is Active
 2 state changes, last state change 00:02:29
 Virtual IP address is
 Hello time 3 sec, hold time 10 sec
 Next hello sent in 0.140 secs
 Redirect time 600 sec, forwarder time-out 14400 sec
 Preemption disabled
 Active is local
 Standby is, priority 100 (expires in 8.444 sec)
 Priority 110 (configured)
 Weighting 100 (default 100), thresholds: lower 1, upper 100
 Load balancing: round-robin
 IP redundancy name is "GLBP_Test"
 Group members:
 001a.2fe7.4398 ( local
 001a.6ca1.1f48 (
 There are 2 forwarders (1 active)
 Forwarder 1
 State is Active
 1 state change, last state change 00:02:19
 MAC address is 0007.b400.0101 (default)
 Owner ID is 001a.2fe7.4398
 Redirection enabled
 Preemption enabled, min delay 30 sec
 Active is local, weighting 100
 Forwarder 2
 State is Listen
 MAC address is 0007.b400.0102 (learnt)
 Owner ID is 001a.6ca1.1f48
 Redirection enabled, 599.788 sec remaining (maximum 600 sec)
 Time to live: 14399.788 sec (maximum 14400 sec)
 Preemption enabled, min delay 30 sec
 Active is (primary), weighting 100 (expires in 9.788 sec)
GLBP1(config-if)#do sh glbp brief
Interface Grp Fwd Pri State Address Active router Standby route
Fa0/0 1 - 110 Active local
Syslog 721
Fa0/0 1 1 7 Active 0007.b400.0101 local -
Fa0/0 1 2 7 Listen 0007.b400.0102 -
Wow—the show glbp command gave us a lot more output than the show standby com￾mand did because there’s more to GLBP than there is to HSRP! For example, you can see 
that there are two forwarders listed under the Fwd heading.
And there are three lines associated with the show glbp brief command. The first is the 
AVG, the dash (-) that shows up under the Fwd column. Don’t get confused about the active 
and listen states in the output because they just indicate which router will respond to ARP 
requests for the virtual IP address. This example highlights GLBP1 as the active router. Make 
sure to note the two MAC addresses under the Address column because they reveal the virtual 
MAC addresses used by the routers.
Reading system messages from a switch’s or router’s internal buffer is the most popular 
and efficient method of seeing what’s going on with your network at a particular time. But 
the best way is to log messages to a syslog server, which stores messages from you and can 
even time-stamp and sequence them for you, and it’s easy to set up and configure!
Syslog allows you to display, sort, and even search messages, all of which makes it a 
really great troubleshooting tool. The search feature is especially powerful because you 
can use keywords and even severity levels. Plus, the server can email admins based on 
the severity level of the message.
Network devices can be configured to generate a syslog message and forward it to various 
destinations. These four examples are popular ways to gather messages from Cisco devices:
uu Logging buffer (on by default)
uu Console line (on by default)
uu Terminal lines (using the terminal monitor command)
uu Syslog server
As you already know, all system messages and debug output generated by the IOS go out 
only the console port by default and are also logged in buffers in RAM. And you also know 
that Cisco routers aren’t exactly shy about sending messages! To send message to the VTY 
lines, use the terminal monitor command. We’ll also add a small configuration needed for 
syslog, which I’ll show you soon in the configuration section.
Okay, so by default, we’d see something like this on our console line: 
*Oct 21 17:33:50.565:%LINK-5-CHANGED:Interface FastEthernet0/0, changed 
state to administratively down
*Oct 21 17:33:51.565:%LINEPROTO-5-UPDOWN:Line protocol on Interface 
FastEthernet0/0, changed state to down
722 Chapter 17 u IP Services
And the Cisco router would send a general version of the message to the syslog server 
that would be formatted into something like this:
Seq no:timestamp: %facility-severity-MNEMONIC:description
The system message format can be broken down in this way:
seq no This stamp logs messages with a sequence number, but not by default. If you want 
this output, you’ve got to configure it.
Timestamp Data and time of the message or event, which again will show up only if 
Facility The facility to which the message refers.
Severity A single-digit code from 0 to 7 that indicates the severity of the message.
MNEMONIC Text string that uniquely describes the message.
Description Text string containing detailed information about the event being reported.
The severity levels, from the most severe level to the least severe, are explained in 
Table 17.1. Informational is the default and will result in all messages being sent to the 
buffers and console.
Table 17.1 Severity levels
Severity Level Explanation
Emergency (severity 0) System is unusable.
Alert (severity 1) Immediate action is needed.
Critical (severity 2) Critical condition.
Error (severity 3) Error condition.
Warning (severity 4) Warning condition.
Notification (severity 5) Normal but significant condition.
Information (severity 6) Normal information message.
Debugging (severity 7) Debugging message.
If you are studying for your Cisco exam, you need to memorize Table 17.1. 
Syslog 723
Understand that only emergency-level messages will be displayed if you’ve configured 
severity level 0. But if, for example, you opt for level 4 instead, level 0 through 4 will be 
displayed, giving you emergency, alert, critical, error, and warning messages too. Level 7 
is the highest-level security option and displays everything, but be warned that going with 
it could have a serious impact on the performance of your device. So always use debugging 
commands carefully with an eye on the messages you really need to meet your specific busi￾ness requirements! 
Configuring and Verifying Syslog
As I said, Cisco devices send all log messages of the severity level you’ve chosen to the con￾sole. They’ll also go to the buffer, and both happen by default. Because of this, it’s good to 
know that you can disable and enable these features with the following commands:
Router(config)#logging ?
 Hostname or A.B.C.D IP address of the logging host
 buffered Set buffered logging parameters
 buginf Enable buginf logging for debugging
 cns-events Set CNS Event logging level
 console Set console logging parameters
 count Count every log message and timestamp last occurrence
 esm Set ESM filter restrictions
 exception Limit size of exception flush output
 facility Facility parameter for syslog messages
 filter Specify logging filter
 history Configure syslog history table
 host Set syslog server IP address and parameters
 monitor Set terminal line (monitor) logging parameters
 on Enable logging to all enabled destinations
 origin-id Add origin ID to syslog messages
 queue-limit Set logger message queue size
 rate-limit Set messages per second limit
 reload Set reload logging level
 server-arp Enable sending ARP requests for syslog servers when
 first configured
 source-interface Specify interface for source address in logging
 trap Set syslog server logging level
 userinfo Enable logging of user info on privileged mode enabling
Router(config)#logging console
Router(config)#logging buffered
724 Chapter 17 u IP Services
Wow—as you can see in this output, there are plenty of options you can use with the 
logging command! The preceding configuration enabled the console and buffer to receive 
all log message of all severities, and don’t forget that this is the default setting for all Cisco 
IOS devices. If you want to disable the defaults, use the following commands:
Router(config)#no logging console
Router(config)#no logging buffered
I like leaving the console and buffers commands on in order to receive the logging info, 
but that’s up to you. You can see the buffers with the show logging command here:
Router#sh logging
Syslog logging: enabled (11 messages dropped, 1 messages rate-limited,
 0 flushes, 0 overruns, xml disabled, filtering disabled)
 Console logging: level debugging, 29 messages logged, xml disabled,
 filtering disabled
 Monitor logging: level debugging, 0 messages logged, xml disabled,
 filtering disabled
 Buffer logging: level debugging, 1 messages logged, xml disabled,
 filtering disabled
 Logging Exception size (4096 bytes)
 Count and timestamp logging messages: disabled
No active filter modules.
 Trap logging: level informational, 33 message lines logged
Log Buffer (4096 bytes):
*Jun 21 23:09:37.822: %SYS-5-CONFIG_I: Configured from console by console
Notice that the default trap (message from device to NMS) level is informational, but 
you can change this too. And now that you’ve seen the default system message format on 
a Cisco device, I want to show you how you can also control the format of your messages 
via sequence numbers and time stamps, which aren’t enabled by default. We’ll begin with a 
basic, very simple example of how to configure a device to send messages to a syslog server, 
demonstrated in Figure 17.12.
F ig u re 17.12 Messages sent to a syslog server
Syslog server
I want to look at the console messages
of the SF router from last night.
Syslog 725
A syslog server saves copies of console messages and can time-stamp them for viewing at 
a later time. This is actually pretty easy to configure and here’s how doing that would look 
on the SF router:
SF(config)#service timestamps log datetime msec
This is awesome—now all the console messages will be stored in one location to be 
viewed at your convenience! I typically use the logging host ip_address command, but 
logging IP_address command without the host keyword gets the same result.
I want to point out that even though I had the messages time-stamped in the configura￾tion associated with Figure 17.12, the command service timestamps log datetime msec
doesn’t mean that I’ll know the messages’ exact time if I’m using default clock sources. To 
make sure all devices are synchronized with the same time information, make sure you use 
an NTP server. 
We can limit the amount of messages sent to the syslog server, based on severity with the 
following command:
SF(config)#logging trap ?
 <0-7> Logging severity level
 alerts Immediate action needed (severity=1)
 critical Critical conditions (severity=2)
 debugging Debugging messages (severity=7)
 emergencies System is unusable (severity=0)
 errors Error conditions (severity=3)
 informational Informational messages (severity=6)
 notifications Normal but significant conditions (severity=5)
 warnings Warning conditions (severity=4)
SF(config)#logging trap warnings
Notice that we can use either the number or the actual severity level name—and they are 
in alphabetical order, not severity order, which makes it even harder to memorize the order! 
(Thanks, Cisco!) Since I went with severity level 4, I’ll receive messages for levels 0 through 4. 
Now let’s configure the router to use sequence numbers:
SF(config)#no service timestamps
SF(config)#service sequence-numbers
000038: %SYS-5-CONFIG_I: Configured from console by console
When you exit configuration mode, the router will send a message like the one shown in 
the preceding code lines. Without the time stamps enabled, we’ll no longer see a time and 
date, but we will see a sequence number.
726 Chapter 17 u IP Services
So we now have the following:
uu Sequence number: 000038
uu Facility: %SYS
uu Severity level: 5
uu Description: Configured from console by console
I want to stress that of all of these, the security level is what you need to pay attention to 
the most for the Cisco exams as well as for a means to control the amount of messages sent 
to the syslog server!
Although Simple Network Management Protocol (SNMP) certainly isn’t the oldest protocol 
ever, it’s still pretty old, considering it was created way back in 1988 (RFC 1065)!
SNMP is an Application layer protocol that provides a message format for agents on 
a variety of devices to communicate with network management stations (NMSs)—for 
example, Cisco Prime or HP Openview. These agents send messages to the NMS station 
which then either reads or writes information in the database stored on the NMS that’s 
called a Management Information Base (MIB). 
The NMS periodically queries or polls the SNMP agent on a device to gather and analyze 
statistics via GET messages. End devices running SNMP agents would send an SNMP trap 
to the NMS if a problem occurs. This is demonstrated in Figure 17.13.
F ig u re 17.13 SNMP GET and TRAP messages
My interface Gi0/1 went down!
It’s the end of the world!
Check interface status!
Router reply
SNMP 727
Admins can also use SNMP to provide some configurations to agents as well, called SET 
messages. In addition to polling to obtain statistics, SNMP can be used for analyzing informa￾tion and compiling the results in a report or even a graph. Thresholds can be used to trigger a 
notification process when exceeded. Graphing tools are used to monitor the CPU statistics of 
Cisco devices like a core router. The CPU should be monitored continuously and the NMS can 
graph the statistics. Notification will be sent when any threshold you’ve set has been exceeded.
SNMP has three versions, with version 1 being rarely, if ever implemented today. Here’s 
a summary of these three versions:
SNMPv1 Supports plaintext authentication with community strings and uses only UDP.
SNMPv2c Supports plaintext authentication with MD5 or SHA with no encryption but 
provides GET BULK, which is a way to gather many types of information at once and mini￾mize the number of GET requests. It offers a more detailed error message reporting method, 
but it’s not more secure than v1. It uses UDP even though it can be configured to use TCP.
SNMPv3 Supports strong authentication with MD5 or SHA, providing confidentiality 
(encryption) and data integrity of messages via DES or DES-256 encryption between agents 
and managers. GET BULK is a supported feature of SNMPv3, and this version also uses TCP. 
Management Information Base (MIB)
With so many kinds of devices and so much data that can be accessed, there needed to be 
a standard way to organize this plethora of data, so MIB to the rescue! A management 
information base (MIB) is a collection of information that’s organized hierarchically and 
can be accessed by protocols like SNMP. RFCs define some common public variables, but 
most organizations define their own private branches along with basic SNMP standards. 
Organizational IDs (OIDs) are laid out as a tree with different levels assigned by different 
organizations, with top-level MIB OIDs belonging to various standards organizations.
Vendors assign private branches in their own products. Let’s take a look at Cisco’s 
OIDs, which are described in words or numbers to locate a particular variable in the tree, 
as shown in Figure 17.14.
Luckily, you don’t need to memorize the OIDs in Figure 17.14 for the Cisco exams!
I’ll use CPU as an example of a key thing to check at least every 5 minutes. We’ll examine 
output from an SNMP application. It’s called snmpget and it comes from an NMS station. 
Here’s the command from an NMS prompt on a Linux box running the SNMP 
[14:11][admin@nms]$~snmpget -v2c -c community 
SNMPv2-SMI::enterprises. 19
You must specify the version, the correct community string, the IP address of the network 
device you’re querying, plus the OID number. The community string will authenticate your 
access to the MIB database; and so the NMS can access the switch, the community string 
definition on the NMS must match at least one of the three community string definitions on 
the network devices.
728 Chapter 17 u IP Services
F ig u re 17.14 Cisco’s MIB OIDs
.iso (1)
.org (3)
.dod (6)
.internet (1)
.private (4)
.enterprise (1)
.cisco (9)
.local variables (2)
.interface goup (2)
.cisco mgmt (9)
.cisco flash group (10)
Configuring SNMP
Configuring SNMP is a pretty straightforward process for which you only need a few 
commands. These four steps are all you need to run through to configure a Cisco device 
for SNMP access:
1. Enable SNMP read-write access to the router.
2. Configure SNMP contact information.
3. Configure SNMP location.
4. Configure an ACL to restrict SNMP access to the NMS hosts.
The only required configuration is the community string because the other three are 
optional. Here’s an example of a typical SNMP router configuration:
Router(config)#snmp-server ?
 chassis-id String to uniquely identify this chassis
 community Enable SNMP; set community string and access privs
 contact Text for mib object sysContact
 context Create/Delete a context apart from default
 drop Silently drop SNMP packets
 enable Enable SNMP Traps or Informs
 engineID Configure a local or remote SNMPv3 engineID
SNMP 729
 group Define a User Security Model group
 host Specify hosts to receive SNMP notifications
 ifindex Enable ifindex persistence
 inform Configure SNMP Informs options
 location Text for mib object sysLocation
 manager Modify SNMP manager parameters
 packetsize Largest SNMP packet size
 queue-length Message queue length for each TRAP host
 source-interface Assign an source interface
 system-shutdown Enable use of the SNMP reload command
 tftp-server-list Limit TFTP servers used via SNMP
 trap SNMP trap options
 trap-source Assign an interface for the source address of all traps
 trap-timeout Set timeout for TRAP message retransmissions
 user Define a user who can access the SNMP engine
 view Define an SNMP MIB view
Router(config)#snmp-server community ?
 WORD SNMP community string
Router(config)#snmp-server community Todd ?
 <1-99> Std IP accesslist allowing access with this community string
 <1300-1999> Expanded IP accesslist allowing access with this community
 WORD Access-list name
 ipv6 Specify IPv6 Named Access-List
 ro Read-only access with this community string
 rw Read-write access with this community string
 view Restrict this community to a named MIB view
Router(config)#snmp-server community Todd rw
Router(config)#snmp-server location Boulder
Router(config)#snmp-server contact Todd Lammle
Router(config)#ip access-list standard Protect_NMS_Station
Router(config-std-nacl)#permit host
Entering the snmp-server command enables SNMPv1 on the Cisco device.
730 Chapter 17 u IP Services
You can enter the ACL directly in the SNMP configuration to provide security, using 
either a number or a name. Here is an example:
Router(config)#snmp-server community Todd Protect_NMS_Station rw
Notice that even though there’s a boatload of configuration options under SNMP, you 
only really need to work with a few of them to configure a basic SNMP trap setup on a 
router. First, I chose the community name of Todd with RW access (read-write), which means 
the NMS will be able to retrieve and modify MIB objects from the router. Location and con￾tact information comes in really handy for troubleshooting the configuration. Make sure you 
understand that the ACL protects the NMS from access, not the devices with the agents! 
Let’s define the SNMP read and write options.
Read-only Gives authorized management stations read-access to all objects in the MIB 
except the community strings and doesn’t allow write-access 
Read-write Gives authorized management stations read-and write-access to all objects in 
the MIB but doesn’t allow access to the community strings
There are still more ways to gather information from Cisco devices, and next, we’ll 
explore a Cisco proprietary method of gathering statistics on internetwork devices.
SNMP can be a powerful tool to help you manage and troubleshoot your network, but 
Cisco knew it would be very helpful for engineers to be able to track TCP/IP flows within 
the network as well.
That’s why we have NetFlow as an application for collecting IP traffic information. 
Cisco compares NetFlow informational reports to receiving a phone bill with detailed call 
information to track calls, call frequency, and even calls that shouldn’t have been made at 
all! A more current analogy would be the IRS and certain additional government “alphabet 
agencies” watching who has talked to whom, when, and for how long!
Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including net￾work traffic accounting for baselining, usage-based network billing for consumers of network 
services, network design and planning, general network security, and DoS and DDoS monitoring 
capabilities as well as general network monitoring. Figure 17.15 shows basic flow monitoring via 
Cisco NetFlow with the latest version, version 9, which is called Flexible NetFlow.
F ig u re 17.15 Basic Flexible NetFlow
(listens for NetFlow on port 9996)
NetFlow Collector
Visit ccna 
for a 
from CBT 
NetFlow 731
In Figure 17.15, let’s assume that a host has connected to a server located in the fictitious 
Sales VLAN using Telnet. NetFlow can monitor the application by counting packets, bytes 
sent and received, and so on, and then send this information to a NetFlow collector.
NetFlow Overview and Flows
Understand that NetFlow is completely transparent to the users in the network, including 
all end stations and applications, and you don’t need to run it on all your routers. Actually, 
you shouldn’t because there’s definitely overhead when using NetFlow because it requires 
memory for storing information in cache on the device. NetFlow enables near real-time 
visualization and analysis of recorded and aggregated flow data. You can specify the router, 
the aggregation scheme, and the time interval for when you want to view and then retrieve 
the relevant data and sort it into bar charts, pie charts, and so on. The components used 
with NetFlow include a router enabled with NetFlow and a NetFlow collector.
Service providers use NetFlow to do the following:
uu Efficiently measuring who is using network service and for which purpose
uu Accounting and charging back according to the resource utilizing level
uu Using the measured information for more effective network planning so that resource 
allocation and deployment are well aligned with customer requirements
uu Using the information to better structure and customize the set of available applica￾tions and services to meet user needs and customer service requirements
Moreover, there are different types of analyzers available to gather NetFlow statistics 
and analyze the traffic on your network by showing the following:
uu Major users of the network, meaning top talkers, top listeners, top protocols, and so on
uu Websites that are routinely visited, plus what’s been downloaded
uu Who’s generating the most traffic and using excessive bandwidth
uu Descriptions of bandwidth needs for an application as well as your available bandwidth
NetFlow is built around TCP/IP communication for statistical record-keeping using the 
concept of a flow. A flow is a unidirectional stream of packets between a source and desti￾nation host or system. With an understanding of TCP/IP, you can figure out that NetFlow 
is using socket information, meaning source and destination IP addresses and source and 
destination port numbers. But there are a few more fields that NetFlow uses. Here is a list 
of commonly used NetFlow flows:
uu Source IP address
uu Destination IP address
uu Source port number
uu Destination port number
uu Layer 3 protocol field
uu Type of Service (ToS) marking
uu Input logical interface
732 Chapter 17 u IP Services
As mentioned, the first four listings are the sockets used between the source and destina￾tion host, which identify the application. The protocol field identifies the data the packet is 
carrying, and ToS in the IPv4 header describes how QoS rules are applied to the packets in 
the flow. If a packet has a key field that’s different from another packet, it’s considered to 
belong to another flow. You configure NetFlow on the router’s interfaces, and that’s exactly 
what I’ll show you next—how to configure and then verify NetFlow.
Configuring NetFlow
These four factors must be completed to properly implement NetFlow on a router:
uu Configure NetFlow data capture by configuring ingress (incoming) and egress (outgo￾ing) packets.
uu Configure NetFlow data export by specifying the IP address of the NetFlow collector 
and the UDP port the collector listens for.
uu Configure the NetFlow data export version by specifying the version of NetFlow, with 
version 9 being the most current.
uu Verify NetFlow by analyzing the exported data on a host running a NetFlow collection 
engine or by using show command on the NetFlow router.
Here’s an example of configuring NetFlow on the SF router:
SF(config)#int fa0/0
SF(config-if)#ip flow ingress
SF(config-if)#ip flow egress
SF(config)#ip flow-export destination 9996
SF(config)#ip flow-export version ?
SF(config)#ip flow-export version 9
SF(config)#ip flow-export source loopback 0
First I configured the Fast Ethernet 0/0 interface of the Corp router as both my ingress 
and egress interface, which tells the router to capture NetFlow data for flows on the interface. 
After that, I configured the NetFlow collector’s IP address, as well as the version. Notice that 
I could opt to configure only versions 1, 5, and 9. Version 9 includes all the fields I mentioned 
already, plus MPLS and IPv6 information and ports. The loopback interface defines the source 
IP address of packets sent to the collector.
To verify NetFlow, you need to verify that the correct interfaces in the correct direction 
have been configured, starting with the show ip flow interface command like this:
SF#sh ip flow interface
NetFlow 733
 ip flow ingress
 ip flow egress
Sure enough! The correct interface of Fast Ethernet 0/0 is configured with the ingress 
and egress command. Now I’ll check that I’ve correctly configured the export parameters 
via the show ip flow export command:
SF#sh ip flow export
Flow export v9 is enabled for main cache
 Exporting flows to (9996) (9996)
 Exporting using source interface Loopback0
 Version 9 flow records
 43 flows exported in 15 udp datagrams
[output cut]
Notice that the destination port is 9996. This is the Cisco default port number on which 
the NetFlow collectors listen for NetFlow packets. I can use the sh ip cache flow command 
to verify my flows by examining the information stored on a router directly, which will show 
that I’m actually collecting packets: 
SF#sh ip cache flow
IP packet size distribution (161 total packets):
[output cut]
IP Flow Switching Cache, 278544 bytes
 1 active, 4095 inactive, 1 added
 215 ager polls, 0 flow alloc failures
 Active flows timeout in 30 minutes
 Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
 1 active, 1023 inactive, 1 added, 1 added to flow
 0 alloc failures, 0 force free
 1 chunk, 1 chunk added
 last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 14 0.0 19 58 0.1 6.5 11.7
TCP-WWW 8 0.0 9 108 0.1 2.5 1.7
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa0/0 gig0/1 11 0044 0050 1161 
Nice: You can see that packets are truly being received—1161 so far—and the bottom 
lines show that the router is collecting flow for Telnet and HTTP. You can also see the 
source interface, source IP, destination interface, and source and destination ports in hex 
(50 is 80 in hex). It’s important to remember that the show ip cache flow command pro￾vides a summary of the NetFlow statistics, including which protocols are in use.
Visit ccna 
for a 
from CBT 
734 Chapter 17 u IP Services
Now you can implement and configure three different redundancy protocols! You learned 
that HSRP and VRRP are very similar but that VRRP is the open standard and can be used 
on any vendor’s equipment. HSRP is Cisco proprietary and has a couple of features and con￾figurations not available in VRRP—specifically, the preempt and interface tracking features.
You were then introduced to GLBP, which is also a Cisco proprietary protocol that can 
provide true load balancing for all of your clients, even if they are in the same subnet.
SNMP is an Application layer protocol that provides a message format for agents on a 
variety of devices to communicate to network management stations (NMSs). I discussed the 
basic information you need to use syslog and SNMP, that is, configuration and verification. 
Last, I discussed Cisco NetFlow. Cisco IOS NetFlow efficiently provides a key set of 
services for IP applications, including network traffic accounting for baselining, usage￾based network billing for consumers of network services, network design and planning, 
general network security, and DoS and DDoS monitoring capabilities, as well as general 
network monitoring.
Exam Essentials
Remember the three FHRPs. HSRP, VVRP, and GLBP are all FHRPs, with HSRP and 
GLBP being Cisco proprietary protocols.
Remember how load balancing works with HSRP and GLBP. HSRP load balance per 
VLAN’s trunk links and GLBP can perform per-host load balancing.
Remember how to verify HSRP and GLBP. Use the show standby command with HSRP 
and show glbp with GLBP.
Remember the eight severity levels you can configure with the logging trap command. They 
are not listed in severity, but in alphabetical order, which makes it slightly more difficult 
to remember: 1=alerts, 2=critical, 7=debugging, 0=emergencies, 3=errors, 6=information, 
5=notifications, 4=warnings.
Remember the differences between SNMPv2 and SNMPv3. SNMPv2 uses UDP but can 
use TCP, however, v2 still sends data to the NMS station in clear text. SNMPv3 uses TCP 
and authenticates users, plus can use ACLs in the SNMP strings to protect the NMS station 
from unauthorized use.
Understand what Cisco’s NetFlow is used for. Cisco IOS NetFlow efficiently provides a 
key set of services for IP applications, including network traffic accounting for baselining, 
usage-based network billing for consumers of network services, network design and plan￾ning, general network security, and DoS and DDoS monitoring capabilities as well as gen￾eral network monitoring.
Written Lab 3 735
Written Lab 3
The answers to this lab can be found in Appendix A, “Answers to Written Labs.”
1. What command is used to verify your active router with HSRP?
2. Which command is used to verify your forwarding routers with GLBP?
3. Which FHRP can perform true load-balancing within the same subnet?
4. Which Cisco protocol can efficiently provide a key set of services for IP applications, 
including network traffic accounting? 
5. Which syslog severity level results in notification-level messages? 
6. Which protocol can request and receive information from a monitored device on the 
7. Which syslog severity level results in warning-level messages?
8. Which command provides a summary of the NetFlow statistics, including which 
protocols are in use?
9. What command is used to configure a host to send messages to a syslog server?
10. Which router assigns a virtual MAC address to each member of the GLBP group?
736 Chapter 17 u IP Services
Review Questions
The following questions are designed to test your understanding of this 
chapter’s material. For more information on how to get additional questions, 
please see this book’s introduction.
The answers to these questions can be found in Appendix B, “Answers to Chapter 
Review Questions.”
1. How can you efficiently restrict the read-only function of a requesting SNMP manage￾ment station based on the IP address?
A. Place an ACL on the logical control plane.
B. Place an ACL on the line when configuring the RO community string.
C. Place an ACL on the VTY line.
D. Place an ACL on all router interfaces.
2. Why would you use GLBP over HSRP and VRRP?
A. GLBP is an open standard protocol.
B. GLBP uses a virtual IP address, whereas HSRP and VRRP must have a static 
default gateway on each host.
C. GLBP provides true load-balancing within a single subnet.
D. GLBP is easily configured and propagated by DHCP to clients.
E. There is no reason to choose GLBP.
3. What is the default priority setting on an HSRP router?
A. 25
B. 50
C. 100
D. 125
4. You want to add a sequence number on your console message on a Cisco router. Which 
command will you use?
A. service sequence-numbers
B. service timestamps
C. service number-sequence
D. sequence service messages
Review Questions 737
5. You want to collect details about network traffic patterns on your network, including 
source and destination addresses and protocols used. Which of the following will you use?
B. Syslogv2
C. NetFlow 9
D. logging host ip_address
6. You want to send a console message to a syslog server, but you only want to send status 
messages of 4 and lower. Which of the following commands will you use?
A. logging trap emergencies
B. logging trap errors
C. logging trap debugging
D. logging trap notifications
E. logging trap critical
F. logging trap warnings
G. logging trap alerts
7. In an FHRP network, which feature allows you to keep track of outside interfaces of 
an FHRP configured router?
A. Interface up/down status from show ip int brief command
B. show nvram:show running-config in RAM
C. Interface tracking within the HSRP configuration
D. HSRP’s inability to verify or understand the status of outside interfaces 
8. Which command enables you to view a summary of the NetFlow statistics of the pro￾tocols on a router?
A. show ip flow
B. show ip cache flow
C. show ip netflow
D. show ip flow interface gi0/1
9. Why should you use NetFlow over SNMP or syslog? (Choose three.)
A. NetFlow allows you to send configuration information to a remote network device.
B. NetFlow allows you to learn who is using which network resources.
C. NetFlow allows you to perform network capacity planning.
D. NetFlow allows you to retrieve accounting of network resource usage.
E. NetFlow receives alerts from remote routers if an interface fails.
738 Chapter 17 u IP Services
10. You want to send a console message to a syslog server, but you only want to send status 
messages of 5 and lower. Which of the following commands will you use?
A. logging trap emergencies
B. logging trap errors
C. logging trap debugging
D. logging trap notifications
E. logging trap critical
F. logging trap warnings
G. logging trap alerts
11. Which two of the following are true regarding the output of the show log command? 
(Choose two.)
Corp#sh log
Syslog logging: enabled (11 messages dropped, 0 messages rate-limited,
 0 flushes, 0 overrunds, xml disabled, filtering disabled)
Console logging: level debugging, 3013 messages logged, xml disabled,
 filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
 filtering disabled
Buffer logging: level debugging, 582 messages logged, xml disabled,
 filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level debugging, 2523 message lines logged
Logging to
A. The router is configured for trap level 6.
B. The router is configured for trap level 7.
C. Debugging messages will be sent only to
D. Debugging messages will not be sent to the buffers.
12. What are the two pieces needed for NetFlow to gather data? (Choose two.)
A. An SNMP NMS station
B. Collector
C. Syslog configured
D. NetFlow-configured router
Review Questions 739
13. You want to send a console message to a syslog server, but you only want to send status 
messages of 3 and lower. Which of the following commands will you use?
A. logging trap emergencies
B. logging trap errors
C. logging trap debugging
D. logging trap notifications
E. logging trap critical
F. logging trap warnings
G. logging trap alerts
14. Which device will send the ARP replies to clients with GLBP?
A. The HSRP active router
B. The router with the highest IP address
C. The AVR router
D. The VRRP router
E. The passive listening router
15. Which command will you type in to see the active and listening router with GLBP?
A. show standby
B. sh glbp
C. show active
D. show glbp infromation
16. You want to send a console message to a syslog server, but you only want to send status 
messages of 7 and lower. Which of the following commands will you use?
A. logging trap emergencies
B. logging trap errors
C. logging trap debugging
D. logging trap notifications
E. logging trap critical
F. logging trap warnings
G. logging trap alerts
740 Chapter 17 u IP Services
17. HSRP is load-balancing with three routers and three VLANs. Each router is configured 
with subinterfaces, one for each VLAN. How many routers in the group will forward 
traffic for each VLAN?
A. All the routers in the same group
B. Up to two routers per VLAN
C. One router per VLAN

D. HSRP must be configured with the GLBP command in order to do any load￾balancing.

18. You want to send a console message to a syslog server, but you only want to send status 
messages of 6 and lower. Which of the following commands will you use?
A. logging trap emergencies
B. logging trap errors
C. logging trap debugging
D. logging trap notifications
E. logging trap critical
F. logging trap warnings
G. logging trap informational
19. Which SNMP version provides authentication, data integrity, and encryption?
20. Which statements are true about both HSRP and GLBP? (Choose two.)
A. VRRP should always be used if possible instead of HSRP and GLBP.
B. HSRP is proprietary, and GLBP should be used with multiple vendors.
C. HSRP can load-balance based on VLANs for which they are active.
D. GLBP can have multiple forwarders with the same subnet/VLAN.
E. HSRP can load-balance on the same LAN.


Popular posts from this blog

What if Analysis

What-If Analysis What-If Analysis in Excel allows you to try out different values (scenarios) for formulas. The following example helps you master what-if analysis quickly and easily.  Use scenarios to consider many different variables  A scenario is a set of values that Excel saves and can substitute automatically in cells on a worksheet. You can create and save different groups of values on a worksheet and then switch to any of these new scenarios to view different results. 
Create Different Scenarios 
Note: You can simply type in a different revenue and Cost into cell B2 and B3 respectively to see the corresponding result of a scenario in cell B4. However, what-if analysis enables you to easily compare the results of different scenarios.  
I. On the Data tab, click What-If Analysis and select Scenario Manager from the list. The Scenario Manager Dialog box appears  II. Add a scenario by clicking on Add.  III. Type a name (e.g. “First Case”), select cell B2 and B3 (represents “Revenue” and “…


Asking For and Giving Opinions on Likes and Dislikes

Words Meaning Sample Sentence Opinion A statement or judgment formed about some matter. Bhoomika gave her final opinion on the company’s matter. Dialogue A conversation between two or more people. Her dialogue stated her opinion about the company’s matter. Expression The action of making known one’s thought or feelings. Her expression was sad at the meeting. Frank An open, honest, and direct speech or writing Bhoomika is very frank with her friends. Recover Return to normal state of health, mind or strength. The company’s economic crisis will be recovered soon. Turmoil A state of great disturbance. The company is facing financial turmoil. Economics The branch of knowledge concerned with the production, consumption, and transfer of wealth. Bhoomika studied Economics at the State University. Betrayed Expose to danger by treacherously giving information to an enemy.


Apology Etiquette and Office Vocabulary 

Chapter Vocabulary

Word Meaning Sample Sentence Stressed A state of any mental or emotional tension. Ram seems much stressed after his poor exam. Launch An act of instance of starting something. The government launched a new scheme for the poor people. Error A mistake Ravi found a grammatical error in his new grammar book. Scold Blaming someone for any wrong doing Bhuvan scolded his employees for their poor performance. Accuse Claiming that someone has done something wrong. Bharati accuses her friend Chaya for stealing her necklace. Fair Good and honest Ravi got promoted for doing a fair job. Ashamed Embarrassed or guilty because of one’s action. <