Configuring VRRP on a Juniper SSG

A few weeks ago, I was confronted with a Juniper Secure Services Gateway (aka SSG) for the first time. After playing a little bit with the box, I quickly learned to like it.
Okay, it took some time to get used to the CLI with its behaviour and the Virtual-System/-Router stuff, but the WebUI is very intuitive and easy to use for the first steps.
Somewhere along the way, I intended to configure VRRP between two SSG140 firewalls, but I could find it neither in the CLI nor in the WebUI.

I sifted through the endless depths of the Juniper website and discovered that VRRP was first introduced in ScreenOS 6.1.
My SSG140 sadly was running ScreenOS 6.0r2. Thus I downloaded a 6.1 version and installed it.
Anyway, there was still no possibility to configure VRRP via the WebUI…

But here are the necessary steps to configure VRRP with the CLI:

set interface ethernet0/6 protocol vrrp
set interface ethernet0/6 protocol vrrp enable            # activate VRRP for ethernet0/6
set interface ethernet0/6 ip 192.168.1.253/24             # "real" IP for VRRP group 1
set interface ethernet0/6:1 ip 192.168.1.254/24           # virtual IP for VRRP group 1
set interface ethernet0/6:1 protocol vrrp preempt         # preemption (if desired)
set interface ethernet0/6:1 protocol vrrp priority 50     # priority (default is 100)

You can obtain information about VRRP with the “get vrrp” command:

SSG-140-> get vrrp ?
interface            vrrp info for all interfaces
statistics           vrrp statistics
virtual-group        vrrp info for all virtual groups
SSG-140->

There are a lot of restrictions:

  • works only for native Ethernet interfaces, not for bridge-groups
  • only one VRRP group is supported per interface
  • no secondary VRRP IP possible
  • either VRRP or NSRP can be activated for the whole device, not both
  • no VRRP authentication supported

Hope this helps you, if you really need VRRP. But I think NSRP (NetScreen Redundancy Protocol) is the better choice.

Using two HWIC-4ESW in a Cisco 1841

Recently, there was a need for additional FastEthernet ports on a Cisco 1841. The router already had one HWIC-4ESW attached, but all ports were occupied.
Fortunately, there was a second HWIC-4ESW in stock, which was inserted immediately. Two additional ports were quickly configured for a VLAN already in use on the other HWIC.

But then the problem occurred:
The “new” ports on HWIC #2 could communicate neither with the VLAN interface on the router nor with other clients in the same VLAN connected to ports on HWIC #1.

In the MAC address table, everything looked okay –> the “new” MAC addresses were seen in the corresponding VLAN.
But after pinging from the router, there were only “incompletes” in the ARP cache.

After further investigation, I came to the conclusion that there is a common VLAN database shared by both HWICs.
It seems that there is no direct communication between the attached HWIC-4ESWs, perhaps due to hardware or design limitations.

My first try to fix the problem was a crossover cable between fa0/0/3 and fa0/1/3, which resulted in a loop.
So, that was not an accurate solution ;-)
I found an answer and the limitations on the Cisco website (Cisco EtherSwitch Modules Comparison).

Here’s a short summary:

  • only 2 HWICs or EtherSwitch network modules can be in any platform
  • HWICs do not support EtherChannel
  • only one SPAN port is supported. SPAN port output also always contains a dot1q tag (NM-ESW doesn’t have this limitation)
  • to have two ESWs share the same L2 domain, you have to configure intra-chassis stacking with the stacking-partner command (shown below) and connect the corresponding ports externally
  • stacking interfaces have to be configured as trunks
  • “show interface” for stacking ports shows UP/DOWN while working correctly

Configuration

! ESW #1
interface FastEthernet0/0/3
 switchport mode trunk
 switchport stacking-partner interface FastEthernet0/1/3
end

! ESW #2
interface FastEthernet0/1/3
 switchport mode trunk
 switchport stacking-partner interface FastEthernet0/0/3
end

Conclusion

Though the “stacking-partner” command solved my problem, it’s annoying to lose 2 external ports for communication between modules.
In future, I would rather use a 2960-8TCL and connect it to the switch than attach a second HWIC-4ESW.
Indeed there is an additional point of failure, but I personally see this as the cleaner (and also cheaper) solution.

Configuring Resilient Ethernet Protocol

Resilient Ethernet Protocol (REP) is a Cisco proprietary protocol which allows you to build redundant Ethernet rings. It’s an alternative to the Spanning Tree Protocol that likewise avoids bridging loops and responds to link failures.
Compared to STP, it offers a faster convergence time (< 300ms) and gives you a simple VLAN load-balancing method.

In our example, we interconnect three switches (Cisco ME3400 with me340x-metroaccess-mz.122-50.SE1.bin) in a ring topology. In REP terminology, this is called a segment.

A REP segment is a chain of ports connected to each other and configured with a segment ID. Each segment consists of standard (nonedge) segment ports and two user-configured edge ports. A switch can have only two ports belonging to the same segment, and each segment port can have only one external neighbor.

REP segments have the following characteristics:

  • When all ports in a segment are operational, one port (referred to as the alternate port) is in the blocked state for each VLAN.
  • If VLAN load balancing is configured, two ports in the segment control the blocked state of VLANs.
  • If one or more ports in a segment is not operational, causing a link failure, all ports forward traffic on all VLANs to ensure connectivity.
  • In case of a link failure, the alternate ports are unblocked as quickly as possible. When the failed link comes back up, a logically blocked port per VLAN is selected with minimal disruption to the network.

Valid port states in REP segments are Failed, Open, or Alternate.

  • A port configured as a regular segment port starts as a failed port.
  • After the neighbor adjacencies are determined, the port changes to alternate port state, blocking all VLANs on the interface. Blocked port negotiations occur and when the segment settles, one blocked port remains in the alternate role, and all other ports become open ports.
  • When a failure occurs in a link, all ports move to the open state. When the alternate port receives the failure notification, it changes to the open state, forwarding all VLANs.

Simple Configuration without VLAN load-balancing

First, we configure all ring interfaces as REP ports with segment ID 911. All interfaces have to be Layer 2 trunk interfaces. To get REP working, we have to configure at least one edge port. For VLAN load-balancing, two edge ports are necessary.

I decided to configure the two edge ports on switch ME_A. Ports on ME_B and ME_C are configured as standard segment ports.

ME_A:
interface GigabitEthernet0/11
 description Trunk to ME_B
 port-type nni
 switchport mode trunk
 rep segment 911 edge primary

interface GigabitEthernet0/12
 description Trunk to ME_C
 port-type nni
 switchport mode trunk
 rep segment 911 edge

ME_B:
interface GigabitEthernet0/11
 description Trunk to ME_A
 port-type nni
 switchport mode trunk
 rep segment 911

interface GigabitEthernet0/16
 description Trunk to ME_C
 port-type nni
 switchport mode trunk
 rep segment 911

ME_C:
interface GigabitEthernet0/12
 description Trunk to ME_A
 port-type nni
 switchport mode trunk
 rep segment 911

interface GigabitEthernet0/16
 description Trunk to ME_B
 port-type nni
 switchport mode trunk
 rep segment 911

Activating REP produces a log message and you can examine the topology with “show rep topology” on switch ME_C:

ME_C#sh rep topology
REP Segment 911
BridgeName       PortName   Edge Role
---------------- ---------- ---- ----
ME_A             Gi0/11     Pri  Open
ME_B             Gi0/11          Open
ME_B             Gi0/16          Open
ME_C             Gi0/16          Open
ME_C             Gi0/12          Open
ME_A             Gi0/12     Sec  Alt

As you can see, port Gi0/12 on ME_A is in the “Alt” state and doesn’t forward traffic. (VLAN load-balancing is disabled by default.)

You can also examine the REP status of a particular interface with “show int <interface> rep [detail]”:

ME_C#sh int g0/12 rep
Interface              Seg-id Type            LinkOp      Role
---------------------- ------ --------------- ----------- ----
GigabitEthernet0/12    911                    TWO_WAY     Open

ME_C#sh int g0/12 rep det
GigabitEthernet0/12   REP enabled
Segment-id: 911 (Segment)
PortID: 000C0024F7C1FE00
Preferred flag: No
Operational Link Status: TWO_WAY
Current Key: 00100024F7C1FE0070BB
Port Role: Open
Blocked VLAN: <empty>
Admin-vlan: 1
Preempt Delay Timer: disabled
LSL Ageout Timer: 5000 ms
Configured Load-balancing Block Port: none
Configured Load-balancing Block VLAN: none
STCN Propagate to: none
LSL PDU rx: 11400, tx: 7422
HFL PDU rx: 0, tx: 0
BPA TLV rx: 8680, tx: 860
BPA (STCN, LSL) TLV rx: 0, tx: 0
BPA (STCN, HFL) TLV rx: 0, tx: 0
EPA-ELECTION TLV rx: 148, tx: 19
EPA-COMMAND TLV rx: 0, tx: 0
EPA-INFO TLV rx: 2197, tx: 2202

In case of a link failure on Gi0/16 between ME_B and ME_C, you will see the following syslog message:

*Mar  1 07:03:17.617: %REP-4-LINKSTATUS: GigabitEthernet0/16 (segment 911) is non-operational due to
 port become non-trunk

REP converges immediately and unblocks the “Alt” link. Gi0/16 changes to the “Fail” state:

ME_C#sh rep topology
REP Segment 911
Warning: REP detects a segment failure, topology may be incomplete

BridgeName       PortName   Edge Role
---------------- ---------- ---- ----
ME_C             Gi0/16          Fail
ME_C             Gi0/12          Open
ME_A             Gi0/12     Sec  Open

(All information taken from the Cisco website)
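
The two “show rep topology” outputs above can be checked automatically, for example from a monitoring job that collects the command output. The following Python sketch is an added example, not part of the original post and not Cisco code: it parses the table and classifies the segment using the port roles described above (one Alt port when the ring is intact, a Fail port and the warning line when it is broken). The function names and the state labels are chosen here for illustration.

```python
import re

# Both samples are copied from the "show rep topology" outputs on this page.
HEALTHY = """\
REP Segment 911
BridgeName       PortName   Edge Role
---------------- ---------- ---- ----
ME_A             Gi0/11     Pri  Open
ME_B             Gi0/11          Open
ME_B             Gi0/16          Open
ME_C             Gi0/16          Open
ME_C             Gi0/12          Open
ME_A             Gi0/12     Sec  Alt
"""

FAILED = """\
REP Segment 911
Warning: REP detects a segment failure, topology may be incomplete

BridgeName       PortName   Edge Role
---------------- ---------- ---- ----
ME_C             Gi0/16          Fail
ME_C             Gi0/12          Open
ME_A             Gi0/12     Sec  Open
"""

# Columns: bridge name, port name, optional edge marker (Pri/Sec), role.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(?:(Pri|Sec)\s+)?(Open|Alt|Fail)\s*$")


def parse_rep_topology(text):
    """Turn the CLI output into {'segment', 'warning', 'ports'}."""
    topo = {"segment": None, "warning": False, "ports": []}
    for line in text.splitlines():
        seg = re.match(r"REP Segment (\d+)", line)
        if seg:
            topo["segment"] = int(seg.group(1))
        elif line.startswith("Warning:"):
            topo["warning"] = True
        else:
            row = ROW.match(line)
            if row:
                bridge, port, edge, role = row.groups()
                topo["ports"].append(
                    {"bridge": bridge, "port": port, "edge": edge, "role": role})
    return topo


def assess(topo):
    """Classify the segment from the port roles (labels are this example's own)."""
    by_role = {"Open": [], "Alt": [], "Fail": []}
    for p in topo["ports"]:
        by_role[p["role"]].append((p["bridge"], p["port"]))
    if topo["warning"] or by_role["Fail"]:
        state = "failed"           # ring is open, no redundancy left
    elif not by_role["Alt"]:
        state = "no-blocked-port"  # intact ring without an Alt port: investigate
    else:
        state = "healthy"
    return {"segment": topo["segment"], "state": state,
            "blocked": by_role["Alt"], "failed": by_role["Fail"],
            "edges_seen": sorted(p["edge"] for p in topo["ports"] if p["edge"])}


if __name__ == "__main__":
    for sample in (HEALTHY, FAILED):
        print(assess(parse_rep_topology(sample)))
```

In the failed case only the secondary edge is listed, which matches the “topology may be incomplete” warning: the switch can no longer see past the broken link.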

Well-known multicast addresses

A lot of dynamic routing protocols use IP multicast for neighbor discovery, hellos and other things.

Here are some well-known multicast addresses:

  • 224.0.0.1 all hosts on a subnet
  • 224.0.0.2 all routers on a subnet
  • 224.0.0.4 Distance Vector Multicast Routing Protocol (DVMRP)
  • 224.0.0.5 OSPF routers
  • 224.0.0.6 OSPF designated routers
  • 224.0.0.9 RIP Version 2 routers
  • 224.0.0.10 EIGRP routers
  • 224.0.0.13 Protocol independent Multicast (PIM) routers

How to enable IP Forwarding in Debian

IP routing/forwarding is disabled by default in Debian.

To enable it on the fly, you only have to write “1” to /proc/sys/net/ipv4/ip_forward or set the kernel parameter net.ipv4.ip_forward to “1”.

Method #1:
echo 1 > /proc/sys/net/ipv4/ip_forward
Method #2:
sysctl -w net.ipv4.ip_forward=1

The current setting can be checked as follows:

debian:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
debian:~# cat /proc/sys/net/ipv4/ip_forward
1
debian:~#

If you want a permanent setting, the most common way is to add a line containing “net.ipv4.ip_forward = 1” to the file /etc/sysctl.conf

/etc/sysctl.conf:
net.ipv4.ip_forward = 1

You can activate the changes made in the kernel parameter configuration file by running the command:

sysctl -p /etc/sysctl.conf

Perhaps there are some distribution-specific scripts available in Debian, but I didn’t check.

Interface range macro

I often use the interface-range feature on Cisco switches running IOS.
Not so long ago, I discovered the interface-range macro command, which I had never heard of before.

With this macro, you can group several interfaces together and address them by a meaningful name.

Short example:

define interface-range UPLINKS FastEthernet0/1, FastEthernet0/24
define interface-range USERPORTS FastEthernet0/2 - 23

Usage:

switch#conf t
switch(config)#interface range macro USERPORTS
switch(config-if-range)#switchport access vlan 111
switch(config-if-range)#no shutdown
switch(config-if-range)#description User-Ports
switch(config-if-range)#end
switch#

This command was introduced in 12.0(7)XE and extended to the T train in 12.1(5)T

Bringing up an interface without an IP address

To create a network interface without an IP address at all, use the manual method and use pre-up and post-down commands to bring the interface up and down.
This can be necessary when you want to bridge a VMware VM to this interface or when it’s connected to a mirror port on the switch for sniffing purposes.

Add an entry like this in your /etc/network/interfaces file:

iface eth0 inet manual
      pre-up ifconfig $IFACE up
      post-down ifconfig $IFACE down

apt - Fix GPG error

When doing an apt-get update to refresh index files from their sources, the indexes of available packages are fetched from the location(s) specified in /etc/apt/sources.list.
Sometimes you will see an error like this:

debian:~# apt-get update
Get:1 http://www.backports.org etch-backports Release.gpg [189B]
Hit http://www.backports.org etch-backports Release    
~             
~
(output shortened)
~
~
Hit http://security.debian.org etch/updates/contrib Packages
Hit http://security.debian.org etch/updates/main Sources
Hit http://security.debian.org etch/updates/contrib Sources
Fetched 180kB in 2s (75.2kB/s)
Reading package lists... Done
W: GPG error: http://www.backports.org etch-backports Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EA8E8B2116BA136C
W: You may want to run apt-get update to correct these problems
debian:~#

The error message is pretty understandable.
To resolve this problem, you only have to fetch the public key(s) from the mirror and execute apt-key add <keyfile>:

debian:~# apt-key add archive.key
OK

After adding the key, your update should work…
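
A key added with apt-key is trusted for all package signatures, so it is worth confirming that the downloaded file really contains the key apt asked for before adding it. The Python sketch below is an added example, not part of the original post: it extracts the key ID from the NO_PUBKEY warning, reads the fingerprints from a GnuPG colon-format listing of the key file (as printed by `gpg --show-keys --with-colons archive.key` on a current GnuPG), and accepts the key only if its fingerprint also equals one obtained over a separate channel. The listing and both fingerprints are constructed placeholders, and the function names are this example's own.

```python
import re

# Constructed sample: the apt warning is the one shown above; the key listing
# is trimmed to the record the code reads. The fingerprint is a placeholder
# that merely ends in the reported key ID, it is not the real key's.
APT_OUTPUT = (
    "W: GPG error: http://www.backports.org etch-backports Release: "
    "The following signatures couldn't be verified because the public key "
    "is not available: NO_PUBKEY EA8E8B2116BA136C\n"
)
KEY_LISTING = "fpr:::::::::0123456789ABCDEF01234567EA8E8B2116BA136C:\n"
# Fingerprint obtained out of band, e.g. from a signed announcement (placeholder).
PINNED = "0123 4567 89AB CDEF 0123  4567 EA8E 8B21 16BA 136C"


def missing_key_ids(apt_output):
    """Long key IDs apt reported as NO_PUBKEY, in order, without duplicates."""
    ids = re.findall(r"NO_PUBKEY ([0-9A-Fa-f]{16})\b", apt_output)
    return list(dict.fromkeys(i.upper() for i in ids))


def fingerprints(colon_listing):
    """Fingerprints from gpg's colon format: field 10 of each 'fpr' record."""
    found = []
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            found.append(fields[9].upper())
    return found


def normalize(fingerprint):
    """Drop the spaces people put into printed fingerprints."""
    return re.sub(r"\s+", "", fingerprint).upper()


def decide(apt_output, colon_listing, pinned):
    """Return {key_id: verdict} for every key apt is missing."""
    available = fingerprints(colon_listing)
    verdicts = {}
    for key_id in missing_key_ids(apt_output):
        # A v4 OpenPGP long key ID is the low 64 bits of the fingerprint.
        candidates = [f for f in available if f.endswith(key_id)]
        if not candidates:
            verdicts[key_id] = "reject: key file does not contain this key"
        elif normalize(pinned) not in candidates:
            # A matching 64-bit ID alone is not proof; require the full value.
            verdicts[key_id] = "reject: fingerprint differs from pinned value"
        else:
            verdicts[key_id] = "ok to add"
    return verdicts


if __name__ == "__main__":
    print(decide(APT_OUTPUT, KEY_LISTING, PINNED))
```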

Building a customized menu

Recently I stumbled across a nice feature in Cisco IOS for building customized menus.
The “menu” command is really old and was introduced in IOS 10.0.
You can, e.g., use it for building a menu for CLI-inexperienced staff to simplify troubleshooting.

First of all, you have to configure a little bit of AAA as well as create a user with appropriate permissions and autocommand:

aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
username operator privilege 15 password 0 Oper
username operator autocommand menu Operator

Simple menu

Now we configure a simple menu called “Operator”:

menu Operator title X
             Device Informations
            ---------------------

             Hostname:  R1
             Type:      Router
             Model:     3725
             Memory:    256MB
             IOS:       12.4(15)T6

                Operator Menu
            ---------------------       
X
menu Operator text 0.) exit
menu Operator command 0.) exit
menu Operator text 1.) show logging
menu Operator command 1.) show logging
menu Operator text 2.) show ip interface brief
menu Operator command 2.) show ip interface brief
menu Operator text 3.) show interface description
menu Operator command 3.) show interface description
menu Operator text 4.) show interfaces
menu Operator command 4.) sh interfaces
menu Operator text 5.) show interfaces errors
menu Operator command 5.) sh interfaces | i protocol|Desc|CRC|late|lost|clearing
menu Operator text 6.) show ip route
menu Operator command 6.) show ip route
menu Operator text 7.) show ip protocols
menu Operator command 7.) show ip protocols
menu Operator text 8.) show ip eigrp topology
menu Operator command 8.) show ip eigrp topology
menu Operator text 9.) show ip eigrp interfaces
menu Operator command 9.) show ip eigrp interfaces
menu Operator text 10.) show ip eigrp traffic
menu Operator command 10.) show ip eigrp traffic
menu Operator text 11.) show ip eigrp neighbors
menu Operator command 11.) show ip eigrp neighbors
menu Operator text 12.) show cdp neighbors
menu Operator command 12.) show cdp neighbors
menu Operator text 13.) show tech-support (password required)
menu Operator command 13.) show tech-support
menu Operator options 13.) login
menu Operator prompt XYour choice: X
menu Operator line-mode

The syntax is fairly self-explanatory. Try it out…

When you now telnet into your router with user “operator”, you will see the configured menu:

User Access Verification

Username: operator
Password: 

             Device Informations
            ---------------------

             Hostname:  R1
             Type:      Router
             Model:     3725
             Memory:    256MB
             IOS:       12.4(15)T6

                Operator Menu
            ---------------------        

    0.)        exit
    1.)        show logging
    2.)        show ip interface brief
    3.)        show interface description
    4.)        show interfaces
    5.)        show interfaces errors
    6.)        show ip route
    7.)        show ip protocols
    8.)        show ip eigrp topology
    9.)        show ip eigrp interfaces
    10.)       show ip eigrp traffic
    11.)       show ip eigrp neighbors
    12.)       show cdp neighbors
    13.)       show tech-support (password required)

Your choice:

More complex menu

If you like a more complex menu with submenu structure, try this out:

menu Operator title X

             Device Informations
            ---------------------

             Hostname:  R1
             Type:      Router
             Model:     3725
             Memory:    256MB
             IOS:       12.4(15)T6

                Operator Menu
            ---------------------
X
menu Operator text 0.) Exit
menu Operator command 0.) exit
menu Operator text 1.) Interfaces
menu Operator command 1.) menu Interfaces
menu Operator text 2.) Routing
menu Operator command 2.) menu Routing
menu Operator text 3.) Support Infos
menu Operator command 3.) menu Support
menu Operator clear-screen
menu Operator single-space
menu Operator prompt XYour choice: X
menu Operator line-mode
menu Operator status-line

menu Interfaces title X

              Interface Sub-Menu
            ----------------------
X
menu Interfaces text 0.) Go back
menu Interfaces command 0.) menu-exit
menu Interfaces text 1.) Interface Summary
menu Interfaces command 1.) show ip interface brief
menu Interfaces text 2.) Interface Descriptions
menu Interfaces command 2.) show interface description
menu Interfaces text 3.) Interface Errors
menu Interfaces command 3.) show interfaces | i protocol|Desc|CRC|late|lost|clearing
menu Interfaces text 4.) Interface Traffic Rates
menu Interfaces command 4.) show interfaces | i protocol|Desc|rate
menu Interfaces text 5.) Interface Status (full)
menu Interfaces command 5.) show interface
menu Interfaces single-space
menu Interfaces prompt XYour choice: X
menu Interfaces line-mode

menu Routing title X

               Routing Sub-Menu
            ----------------------
X
menu Routing text 0.) Go back
menu Routing command 0.) menu-exit
menu Routing text 1.) Global
menu Routing command 1.) menu Global
menu Routing text 2.) EIGRP
menu Routing command 2.) menu EIGRP
menu Routing text 3.) OSPF
menu Routing command 3.) menu OSPF
menu Routing single-space
menu Routing prompt XYour choice: X
menu Routing line-mode

menu Global title X

           Global Routing Sub-Menu
          -------------------------
X
menu Global text 0.) Go back
menu Global command 0.) menu-exit
menu Global text 1.) Global Routing Table
menu Global command 1.) show ip route
menu Global text 2.) Static Routes
menu Global command 2.) show ip route static
menu Global text 3.) Directly connected Routes
menu Global command 3.) show ip route connected
menu Global text 4.) Summary
menu Global command 4.) show ip route summary
menu Global single-space
menu Global prompt XYour choice: X
menu Global line-mode

menu EIGRP title X

                EIGRP Sub-Menu
            ----------------------
X
menu EIGRP text 0.) Go back
menu EIGRP command 0.) menu-exit
menu EIGRP text 1.) EIGRP Routing Table
menu EIGRP command 1.) show ip route eigrp
menu EIGRP text 2.) EIGRP Topology Table
menu EIGRP command 2.) show ip eigrp topology
menu EIGRP text 3.) EIGRP Interfaces
menu EIGRP command 3.) show ip eigrp interfaces
menu EIGRP text 4.) EIGRP Neighbors
menu EIGRP command 4.) show ip eigrp neighbors
menu EIGRP text 5.) EIGRP Traffic
menu EIGRP command 5.) show ip eigrp traffic
menu EIGRP single-space
menu EIGRP prompt XYour choice: X
menu EIGRP line-mode

menu OSPF title X

                OSPF Sub-Menu
            ----------------------
X
menu OSPF text 0.) Go back
menu OSPF command 0.) menu-exit
menu OSPF text 1.) OSPF Routing Table
menu OSPF command 1.) show ip route ospf
menu OSPF text 2.) OSPF Database
menu OSPF command 2.) show ip ospf database
menu OSPF text 3.) OSPF Interfaces
menu OSPF command 3.) show ip ospf interface
menu OSPF text 4.) OSPF Neighbors
menu OSPF command 4.) show ip ospf neighbor
menu OSPF text 5.) OSPF Traffic
menu OSPF command 5.) show ip ospf traffic
menu OSPF text 6.) OSPF Statistics
menu OSPF command 6.) show ip ospf statistics
menu OSPF single-space
menu OSPF prompt XYour choice: X
menu OSPF line-mode

menu Support title X

               Support Sub-Menu
            ----------------------
X
menu Support text 0.) Go back
menu Support command 0.) menu-exit
menu Support text 1.) Running Configuration
menu Support command 1.) show run
menu Support text 2.) CDP Neighbors
menu Support command 2.) show cdp neighbor
menu Support text 3.) CPU Usage
menu Support command 3.) show processes cpu sorted | exclude 0.00%__0.00%__0.00%
menu Support text 4.) Memory Usage
menu Support command 4.) show processes memory sorted
menu Support text 5.) Get Infos for Cisco Support
menu Support command 5.) show tech-support
menu Support single-space
menu Support prompt XYour choice: X
menu Support line-mode
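
With this many near-identical lines, a mistyped submenu name or a reused item number is easy to miss, and the operator only notices when a menu entry does nothing or shows the wrong command. The following Python sketch is an added example, not part of the original post and not a Cisco tool: it reads “menu” configuration lines and reports submenu references that match no defined menu, items that have text but no command (or the reverse), and item numbers used twice in one menu. It assumes that menu names must match exactly, including case; the sample input is constructed and contains one mistake of each kind.

```python
import re
from collections import defaultdict

# Constructed excerpt in the style of the menus above, with three deliberate
# mistakes: a submenu reference in the wrong case, an item with text but no
# command, and an item number used twice.
SAMPLE = """\
menu Routing title X
               Routing Sub-Menu
X
menu Routing text 0.) Go back
menu Routing command 0.) menu-exit
menu Routing text 1.) OSPF
menu Routing command 1.) menu ospf
menu Routing text 2.) EIGRP
menu Routing prompt XYour choice: X
menu OSPF title X
                OSPF Sub-Menu
X
menu OSPF text 0.) Go back
menu OSPF command 0.) menu-exit
menu OSPF text 5.) OSPF Traffic
menu OSPF command 5.) show ip ospf traffic
menu OSPF text 5.) OSPF Statistics
menu OSPF command 5.) show ip ospf statistics
menu OSPF line-mode
"""


def parse_menus(config):
    """Collect the (item, argument) pairs of every 'text' and 'command' line."""
    menus = defaultdict(lambda: {"text": [], "command": []})
    delimiter = None                     # set while inside a multi-line title
    for line in config.splitlines():
        if delimiter is not None:
            if delimiter in line:        # closing delimiter ends the title
                delimiter = None
            continue
        m = re.match(r"menu (\S+) (\S+)\s*(.*)", line.strip())
        if not m:
            continue
        name, keyword, rest = m.groups()
        entry = menus[name]
        if keyword == "title":
            opener = rest[:1]
            if opener and opener not in rest[1:]:
                delimiter = opener       # title continues on following lines
        elif keyword in ("text", "command"):
            item, _, argument = rest.partition(" ")
            entry[keyword].append((item, argument.strip()))
    return dict(menus)


def lint(menus):
    """Return (menu, item, issue) tuples; the issue labels are this example's own."""
    findings = []
    for name, entry in menus.items():
        texts = [item for item, _ in entry["text"]]
        commands = [item for item, _ in entry["command"]]
        for kind, items in (("text", texts), ("command", commands)):
            for item in sorted({i for i in items if items.count(i) > 1}):
                findings.append((name, item, f"duplicate-{kind}"))
        for item in sorted(set(texts) - set(commands)):
            findings.append((name, item, "text-without-command"))
        for item in sorted(set(commands) - set(texts)):
            findings.append((name, item, "command-without-text"))
        for item, argument in entry["command"]:
            ref = re.fullmatch(r"menu (\S+)", argument)
            if ref and ref.group(1) not in menus:
                target = ref.group(1)
                near = [n for n in menus if n.lower() == target.lower()]
                issue = (f"submenu-case-mismatch:{target}->{near[0]}" if near
                         else f"undefined-submenu:{target}")
                findings.append((name, item, issue))
    return findings


if __name__ == "__main__":
    for finding in lint(parse_menus(SAMPLE)):
        print(finding)
```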


Solaris Network Configuration

Solaris network configuration is a little bit different from Debian.
Because I always forget it, here’s a quick explanation of the necessary steps (taken from here and used with Solaris 5, 6, 7, 8 and 9).

/etc-Files

All configuration data, such as IP addresses, gateways, and so on, can be defined and changed at runtime level.
But first of all you have to activate the interface (load the driver), e.g. with ifconfig qfe0 plumb

However, only those definitions stored in /etc files will survive the next reboot.
The host name can be found in these files:

  • /etc/nodename
  • /etc/hostname.<interface-name>
  • /etc/inet/hosts
  • /etc/net/{ticlts,ticots,ticotsord}/hosts

/etc/nodename defines the name of the system. Looking from a network perspective, a system with multiple network interfaces and multiple IP addresses can have multiple names, each one defined in /etc/inet/hosts. One of these names may be equal to the nodename, but this is not necessarily the case.
Certain files create the connection between IP-addresses and interface names. These are named /etc/hostname.<interface-name><number>.

The most common interface names are:

  • le Ethernet on older SPARC® systems
  • hme FastEthernet on most UltraSPARC® systems
  • eri FastEthernet on most UltraSPARC-III systems
  • qfe FastEthernet on QuadFastEthernet-extension cards
  • bge Four 10/100/1000Base-T Ethernet (Sun Fire)

Example:
An Ultra 60 workstation with QFE (QuadFastEthernet) has five network interfaces: hme0 (on board), qfe0, qfe1, qfe2 and qfe3 (on the QFE-card). Nodename is sparky, and the /etc/inet/hosts
looks like this:

127.0.0.1      localhost
192.168.222.17 sparky sparky.example.com
194.x.x.x      sparky-ext

The identity of the system in the internal LAN using the address 192.168.222.17 should be sparky.
Accordingly, the file hostname.hme0 must contain the name sparky.
sparky-ext is an address assigned by an Internet Service Provider (ISP): 194.x.x.x. That circuit is connected to the first QFE port, qfe0. So the file hostname.qfe0 contains the string sparky-ext.
qfe1-3 are currently not used. Do not create hostname.* files for unused interfaces to avoid Solaris OS error messages complaining about interfaces with no network cables attached.

!!! A system with more than one network interface will automatically route between the subnets (i.e. 192.168.222… and 194.x.x…) !!!
During boot, the message “machine is a router” is printed. If this behavior is not desired, create an empty file /etc/notrouter and reboot.
The netmasks for the IP-addresses are defined in the file /etc/netmasks.

Routing

The default router (or standard-gateway) can be entered with its IP address into the file /etc/defaultrouter. If you specify a host name in that file, make sure the host name is defined in /etc/inet/hosts.

The equivalent runtime commands are:

  • Delete all current routes: route flush
  • Define 1.2.3.4 as default router: route add default 1.2.3.4
  • Check with netstat -r

DNS

Enter your DNS server into the file /etc/resolv.conf

nameserver 192.168.222.254

Tell Solaris OS software to use DNS when resolving host names. Edit /etc/nsswitch.conf, and add dns after files in the line starting with hosts.

# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

~
~
hosts:      files dns
~
~

sys-unconfig

If you want to change the network configuration and you are unsure which files are involved, there is an easy solution:
The command sys-unconfig shuts down the machine. After the next reboot (enter boot at the OK prompt), all network-related questions you know from the Solaris OS installation tool are asked again (IP address, gateway, netmask, and so on).

Virtual Interfaces

Sometimes, it may be useful to define two IP addresses for a system with only one physical network interface.
This can be done in the same manner as for “normal” interfaces. The only difference is that you now use an interface name of the form <interface-name>:<number>

Example:
# ifconfig hme0:1 172.16.1.27 netmask 255.255.255.0
# ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 192.168.222.7 netmask ffffff00 broadcast 192.168.222.255
        ether 8:0:20:86:94:6f
hme0:1: flags=843<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 172.16.1.27 netmask ffffff00 broadcast 172.16.1.255