MavEtJu's Distorted View of the World - Cisco

All about MAC addresses
Cisco and the curse of the IOS Syntax for VLANs
Monitoring disabled ports on a C3560
Cisco 7970 HTTP client code
Cisco ATA 186
Cisco 7970 broken DNS resolver
Cisco 7970

Back to index

All about MAC addresses

Posted on 2011-03-17 18:00:00
Tags: Networking, Apple, Cisco

The "FreeBSD laptop as a Wireless Access Point for an iPhone" project I wrote earlier about has made me some followers, mostly they have no idea where the free internet connection comes from. But, based on the amount of download measured on it, they are enjoying it. One of the methods to determine how many people are on it is to use the output of the "arp -na" command: Every MAC address you see there is a mobile device which is associated with the wireless access-point you created.

One thing which you can do with that data is to match it against manufacturers. Very boring for non-networking techies... Don't read the rest :-)

MAC addresses consist of 12 hex-digits (48 bits) which are split in two parts: A six hex-digit (24 bits) prefix and a six hex-digit sequence number.

The MAC (or OUI as the IEEE calls it) prefix database can be found on the website of the IEEE at It contains at the moment of writing 14765 prefixes. The manuf(acturers) file from the Wireshark project can be found at and contains 18321 prefixes plus a handful of shared prefixes.

Why is the one from the Wireshark project larger? Not really sure, but if you look at the registration costs it (US$ 1750 for a public registrered prefix OR US$ 1750 plus US$ 2100 per year for a private registered prefix) must be part of it. So it could be that the list from the Wireshark project has determined a bunch of the private ones. And unlike IP space which you can register in advance, you can't get a new prefix until you have certificated that you have used 95% of the sequence numbers.

Some statistics based on grep and cut and wc:

 Number of prefixes	Company
		503	Cisco
		122	Shenzhen
		112	Motorola
		109	Nokia Danmark A/S
		84	Samsung Electronics
		84	Apple
		78	Intel Corp
		59	Advanced (??)
		61	Hewlett Packard
		51	Private

"Advanced" could be a mistake in here, since it matches Advanced This and Advanced That. "Private" means a company who pays the US$ 2100 per year. Shenzhen has the same issue as "Advanced", it is a large bunch of companies in the Shenzhen city in China (near Hongkong). Apple was the company I didn't expect in the Top 10, but considering their iPhone / iPad success, it shouldn't surprise much.

Every prefix has 2 ** 24 entries in it, or 16 777 216 (about 16 million if you are conservate, or 17 million if you are optimistic), making there 1.4 billion Apple MAC addresses in the world. That number is not the number of Apple devices, since you need one per network interface: Ethernet, wireless or Bluetooth.

But the other number of Cisco is much more impressive: 8 438 939 648 MAC addresses. More than the next five in the list together.

Unfortunately the list of prefixes does not contain any assignment dates, it would have been interested to see what happened when LANs based on switching instead of hubs became the norm (and thus Cisco when Cisco started to sell their switches) and when mobile devices like the iPhone became popular, it would have boosted the allocation rate by Apple for sure.

MAC prefix exhaustion?

Unlike other technologies, and IPv4 comes in mind here, the MAC address prefix pool is pretty much unlimited but also only slowly being touched: There are 2 ** 22 or 4 194 304 prefixes. The number is 22, not 24 because two bits in the first byte of the prefix are used to determine if the MAC address is globally unique one or a special one. And right now, a good 35 years after the invention of Ethernet and Tokenring there are not even 19 thousand used.

The other causes are of the more strict rules the IEEE handles: You get a single prefix and don't get more until you have informed us officially that you have used 95% of them, and of course that you actually need to produce (and sell) something which uses a MAC address.

No comments | Share on Facebook | Share on Twitter

Cisco and the curse of the IOS Syntax for VLANs

Posted on 2008-09-06 11:00:00
Tags: Networking, Rant, Cisco

When Cisco Systems started, the world of networking was simple, there were routers and there were hubs. Routers connected to other routers and hubs, hubs connected to one router and computers. Each interface on the router was its own LAN, its own IP subnet (Unless you used the interface for SNA, DECNet, IPX, AppleTalk or briding only). And the configuration on the routers made sense:

interface serial0
  ip address
interface ethernet0
  ip address

Over time, hubs got replaced by switches. Coax cables got replaced by cat5 cables. Seperate routers and switches got integrated and people started to think in VLANs instead of router interfaces. And this is where the Cisco IOS syntax went wrong: They kept talking about router interfaces instead of LANs.

For example, to create a new VLAN an Extreme Networks switch/router or a Riverstone / Cabletron switch/router (does anybody remember them?), you create the VLAN (you give it a name, not just an index number) add the IP subnet to the VLAN, add a tag to the VLAN and add (finally!) the ports, tagged or untagged, to the VLAN. So you have a VLAN, and it has the VLAN tag and IP address properties, and it has one or more ports in it. Port specific properties (speed, duplex, label) are configured in the ports section.

create vlan "backbone"
configure vlan backbone tag 2
configure vlan backbone add ports 4 tagged  
configure vlan backbone add ports 5 untagged  
configure vlan backbone ipaddress
configure ports 4 display-string fibre-to-dc1
configure ports 4 auto off speed 100 duplex full 
configure ports 5 display-string natgw
As you can see, this is readable and this is logical.

Now let's see how it goes on the Cisco switch/router. It calls both the physical and logical ports and the VLAN definitions "interfaces", so there is no hierarchical approach of obvious difference between them:

interface ethernet0/1
  description fibre-to-dc1
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 2
  switchport mode trunk
  duplex full
  spanning-tree portfast
interface ethernet0/2
  description natgw
  switchport mode access
  switchport access vlan 2
  spanning-tree portfast
interface vlan 2
  description backbone
  ip address
Let's see, vlan 2 is euhm... on ethernet0/2 and on ethernet0/1 (maybe on others too, I couldn't find it so fast in the configuration), ethernet0/2 is the access network so it is untagged but it sits in vlan 2 and ethernet0/1 is full-duplex and has vlan 2 on the trunk so it must be tagged.

So the definition of VLANs in the IOS Syntax has become more of a hack without hierarchical approach to the issue than a proper style of hierarchical definition of the VLANs, its properties and the ports in it. Instead of the above, it could have gotten its own section:

interface ethernet0/1
  description fibre-to-dc1
  duplex full
  spanning-tree portfast
interface ethernet0/2
  description natgw
  spanning-tree portfast
vlan 2
  description backbone
  ip address
  untagged ethernet0/2
  tagged ethernet0/1

Can this issue be resolved and the IOS Syntax replaced by a proper syntax in which you can define a VLAN and its properties readable and logically? Asking the question is answering it: Of course. But will it ever happen? I hope it, because the current syntax is very error-prone. But I doubt it, since it is there already for years and hundreds of thousands of devices do use this syntax. Having people to change all of these configurations isn't something Cisco would want to do.

No comments | Share on Facebook | Share on Twitter

Monitoring disabled ports on a C3560

Posted on 2007-09-19 13:00:00
Tags: Cisco, Networking, SNMP

When you try connecting strange little switches and hubs to a Cisco 3560 PoE switch, your port might end up in "err-disabled" state:

Gi0/41    **IP Phones & PCs* err-disabled 8          a-half   a-10 10/100/1000BaseTX

cisco#show interfaces gi0/41
GigabitEthernet0/41 is down, line protocol is down (err-disabled)
That port is unusable until the end of time, or until somebody manually shut and no-shut it.

Having experienced this once or two, it's a pain in the bottom and since I'm obsessed about monitoring, I tried to find out how to determine this remotely:

RFC1213-MIB::ifDescr.10141 = STRING: "GigabitEthernet0/41"
RFC1213-MIB::ifType.10141 = INTEGER: ethernet-csmacd(6)
RFC1213-MIB::ifMtu.10141 = INTEGER: 1500
RFC1213-MIB::ifSpeed.10141 = Gauge32: 10000000
RFC1213-MIB::ifPhysAddress.10141 = Hex-STRING: 00 16 46 B6 DC A9 
RFC1213-MIB::ifAdminStatus.10141 = INTEGER: up(1)
RFC1213-MIB::ifOperStatus.10141 = INTEGER: down(2)
RFC1213-MIB::ifLastChange.10141 = Timeticks: (3564555759) 412 days, 13:32:37.59
ifAdminStatus is up, but the "show interface" says it's down.

So nothing! There is no way to find an interface in the err-disabled state via SNMP!

Show comment | Share on Facebook | Share on Twitter

Cisco 7970 HTTP client code

Posted on 2006-05-17 15:45:37, modified on 2006-05-17 15:54:45
Tags: Networking, Voice over IP, Cisco

The Cisco 7970 phones have a nifty feature: IP Phone Services. With it, you can access services on the internet (for example the stock value of CSCO). I have been asked to make some nifty features, but the phone has some funky HTTP client code.

This is how our services are configured in the Cisco Call Manager

Service URL:

And this it the HTTP request the phone sends

GET /echo.xml?demo=text HTTP/1.1.
Connection: close.
User-Agent: Allegro-Software-WebClient/4.20.
Accept: x-CiscoIPPhone/*;version=3.0, text/*,image/png,*/*.
Accept-Language: en.
Accept-Charset: iso-8859-1.

So despite that the service has the full hostname, the Host line in the HTTP request contains an IP address. It's HTTP/1.1, so the Host line is required. RFC2616 says this about it:

14.23 Host

   The Host request-header field specifies the Internet host and port
   number of the resource being requested, as obtained from the original
   URI given by the user or referring resource (generally an HTTP URL,
   as described in section 3.2.2). The Host field value MUST represent
   the naming authority of the origin server or gateway given by the
   original URL. This allows the origin server or gateway to
   differentiate between internally-ambiguous URLs, such as the root "/"
   URL of a server for multiple host names on a single IP address.

       Host = "Host" ":" host [ ":" port ] ; Section 3.2.2

   A "host" without any trailing port information implies the default
   port for the service requested (e.g., "80" for an HTTP URL). For
   example, a request on the origin server for
   <> would properly include:

       GET /pub/WWW/ HTTP/1.1

   A client MUST include a Host header field in all HTTP/1.1 request
   messages . If the requested URI does not include an Internet host
   name for the service being requested, then the Host header field MUST
   be given with an empty value. An HTTP/1.1 proxy MUST ensure that any
   request message it forwards does contain an appropriate Host header
   field that identifies the service being requested by the proxy. All
   Internet-based HTTP/1.1 servers MUST respond with a 400 (Bad Request)
   status code to any HTTP/1.1 request message which lacks a Host header

Reading this, it looks like the IP address isn't even allowed there. But it should have been

No comments | Share on Facebook | Share on Twitter

Cisco ATA 186

Posted on 2005-07-29 14:40:23, modified on 2006-01-09 16:29:23
Tags: Voice over IP, Cisco

A new day, a new toy... except this is one which doesn't want to buzz.

The ATA can be called, and it rings. That part works. The other way around, it conveniently forgets to send the dialed number in its SIP INVITEs:

INVITE sip:;user=phone SIP/2.0
Via: SIP/2.0/UDP
From: sip:test5@;tag=1606025951
To: <sip:;user=phone>
Call-ID: 4113433178@
Contact: <sip:test5@;transport=udp>
User-Agent: Cisco ATA 186  v3.1.0 atasip (040211A)
Expires: 300
Content-Length: 248
Content-Type: application/sdp

I've asked for an upgrade to the 3.2(1) image, but I haven't heard anything yet. Annoying!

No comments | Share on Facebook | Share on Twitter

Cisco 7970 broken DNS resolver

Posted on 2005-03-12 22:53:41, modified on 2006-01-09 16:29:23
Tags: Voice over IP, Cisco, DNS

The Cisco 7970 phones have a nifty feature: IP Phone Services. With it, you can access services on the internet (for example the stock value of CSCO). I have been asked to make some nifty features, but up to now it's no luck for me! Read on...

An IP Phone Service is defined as an URL, which returns an XML file with the commands in it. All very simple stuff.

For example, would return an XML file. This works.

But, we're living in the 21st century and we use hostnames these days. So, I changed it to No fish. Not even an TCP session towards the webserver. Why?

15:43:25.727288 >  48+ Type1907 (Class 29802)?. (33) [tos 0x60]
0x0000   4560 003d 1186 0000 3e11 4564 0ac0 0fe5      E`.=....>.Ed....
0x0010   0ac0 0002 0499 0035 0029 0000 0030 0100      .......5.)...0..
0x0020   0001 0000 0000 0000 0007 7374 6a61 6d65      ..........stjame
0x0030   7303 6e65 7402 6175 0000 0100 01   

This is why. Don't ask me why the phone asks for A record of, but it is asking it wrong: At offset 0x0028, the value 00 is there by mistake, it shouldn't have been there in the first place.

My name server happily refuses the query, and the Cisco 7970 returns "Host not found". Let's hope that Cisco can do something about it :-/

Note: Please note that this problem has been fixed in version 6.0.3.

No comments | Share on Facebook | Share on Twitter

Cisco 7970

Posted on 2005-02-21 13:02:07, modified on 2006-01-09 16:29:23
Tags: Voice over IP, Cisco, tftp, DHCP

For a new project within BarNet, we're going to use the Cisco solution for Voice-over-IP. The central server will be the Cisco Call Manager (and friends), the phones will be Cisco 7970 phones.

DHCP-wise these devices aren't too demanding, it asks for the TFTP server and something like option 150 (which is unspecified as far as I can tell). The TFTP server option is a string with the hostname or IP address of the TFTP server. The option 150 is, after going through the documentation of the Cisco gear, *also* for specifying the TFTP server, but then only with the IP address.

So the DHCP configuration should be (for people using the ISC DHCP server):

option cisco-tftp code 150 = array of ip-address;
class "cisco7970" {
   match if substring (option vendor-class-identifier,0,37) = "Cisco Systems, Inc. IP Phone CP-7970G";
   option arp-cache-timeout 60;
   option cisco-tftp,;
   option tftp-server-name "";


There is a draft for the option 150 available at:

No comments | Share on Facebook | Share on Twitter