Search this blog

Monday, March 22, 2010

proxy prevents ppm to access ActiveState Package Repository

When you're trying to install packages with Perl Package Manager (ppm) in a Windows environment a proxy will block the connection to it's repository. 

Avoid this by setting the environmental variable HTTP_PROXY like this: 

set http_proxy=

checking sessions to an Oracle database

Checking the maximum number of sessions:
SQL> select name, value from v$parameter where name='sessions';

Checking the number of currently active sessions:
SQL> select count(*) from v$session;

Looking for blocking sessions:
SQL> select blocking_session from v$session where blocking_session is not NULL;

Looking for idle sessions (more than 24 hours in this example):
SQL> select username from v$session where username is not NULL and status='inactive' and last_call_et/60/60>=24;

Please note that you'll need to be connected as sysdba!

Useful links:

Saturday, March 13, 2010

connecting to a database with sqlplus

Here are some examples:

sqlplus user/password@alias
Here the alias has to be resolved into the full name. This can be done with the tnsnames.ora file or by contacting an LDAP directory. Alternative is to provide all the connect details in line.

sqlplus sys/oracle@orcl as sysdba
While this is handy it's also a potential security risk. In Linux/Unix it might show up in show processes. Before 10g you could use quotes like sqlplus "/ as sysdba", now you safely login with sqlplus / as sysdba

sqlplus /nologon
This prevents the immediate login prompt. Afterwards you connect from the SQL prompt:
SQL> connect sys/oracle@orcl as sysdba
Please note that it's not always necessary to specify the sid.

Tuesday, March 9, 2010

listener.ora – tnsnames.ora – alert log

The listener is a server-side process that listens for database connection requests from user processes and launches dedicated server processes to establish sessions. The sessions become the connections between the user process and the database unless shared servers are in use, in which case a dispatcher process is used to share time to shared server processes.

With local naming the user supplies an Oracle Net service alias for the connect string and this is resolved by a local file into the full network address. This local file is the tnsnames.ora file. There's no need for any relationship between the alias, service name and the instance name - it's recommended to keep them the same! The Service Naming branch of the Net Manager creates or edits the Local Naming tnsnames.ora file that resides in ORACLE_HOME/network/admin directory.

You can configure several listeners in the listener.ora file but they must all have different names and addresses. Under Windows the listener will run as a Windows service, but there's no need to create the service explicitly; it'll be created implicitly the first time the listener is started.

A listener finds out about instances by the process of "registration". For static registration, you hard-code a list of instances in the listener.ora file. Dynamic registration means that the instance itself, at startup time, locates a listener and registers with it.

You can start and stop listeners through Database Control, but there's also a command-line utility lsnrctl.
The tnsnames.ora file is a client-side file used for name resolution. It is used by user processes to locate database listeners. It may also be used the instance itself, to locate a listener with which to register.

TNS stands for Transparent Network Substrate

The heart of Oracle Net, a proprietary layered protocol running on top of whatever underlying network transport protocol you choose to use - probably TCP/IP.

The Oracle Net files by default exist in the directory ORACLE_HOME/network/admin. It's possible to relocate them with an environment variable: TNSADMIN. Mainly on systems that have several Oracle Homes. Example on Windows:

set TNSADMIN=c:\oracle\net


The standard Oracle alert log location defined by the initialization parameter DIAGNOSTIC_DEST or USER_DUMP_DEST.

The alert log file, located in the directory specified by the initialization parameter BACKGROUND_DUMP_DEST, contains the most significant routine status messages as well as critical error conditions. When the database is started up or shut down, a message is recorded in the alert log, along with a list of initialization parameters that are different from their default values. In addition, any ALTER DATABASE or ALTER SYSTEM commands issued by the DBA are recorded. Operations involving tablespaces and their datafiles are also recorded here. All error/critical conditions are recorded. The alert log file can be deleted or renamed at any time; it's re-created the next time an alert log message is generated. The trace files for the Oracle instance background processes are also located in BACKGROUND_DUMP_DEST. Trace files are also created for individual user sessions or connections to the database; these are located in the directory specified by the initialization parameter USER_DUMP_DEST. As of Oracle Database 11g Release 1, the diagnostics for an instance are centralized in a single directory specified by the initialization parameter DIAGNOSTIC_DEST.

The DBA will often set up a daily batch job to rename and archive the alert log on a daily basis.

The alert log is a continuous record of critical operations applied to the instance and the database. Its location is determined by the instance parameter BACKGROUND_DUMP_DEST, and its name is alert_SID.log where SID is the name of the instance. The alert log entry for a startup shows all the non-default initialization parameters. Locate the file with this command:

SQL> select value from v$parameter where name='background_dump_dest';

Thursday, March 4, 2010

starting up an instance in different states

startup nomount  
Start the instance without mounting a database. This does not allow access to the database and usually would be done only for database creation or the re-creation of control files. The database instance has been started using initialization file, processes are started and memory is allocated.

alter database mount
Start the instance and mount the database, but leave it closed. This state allows for certain DBA activities, but does not allow general access to the database. The instance is started and the control file is opened, read but it's contents are not validated.
alter database open
startup force restrict 
Start the instance, and mount and open the database. Normal database operation means that an instance is started and the database is mounted and open. This mode allows any valid user to connect to the database and perform data access operations. This can be done in unrestricted mode, allowing access to all users, or in restricted mode, allowing access for database administrators only. Normal database operation means that an instance is started and the database is mounted and open. This mode allows any valid user to connect to the database and perform data access operations. If the database is opened then control file is validated against the physical structure of database. The database is verified that all of it's file are in consistent state. If any of the file is not in consistent state, we may need some sort of recovery.
Beginning with Oracle Database 11g Release 2, the preferred (and platform-independent) method of configuring automatic startup of a database is Oracle Restart. Oracle Restart improves the availability of your Oracle database. When you install Oracle Restart, various Oracle components can be automatically restarted after a hardware or software failure or whenever your database host computer restarts.  


ip tcp adjust-mss command

While a host will know the MTU of its own interface and possibly that of its peers (from initial handshakes), it will not initially know the lowest MTU in a chain of links to any other peers.
To get around this issue, IP allows fragmentation: dividing the datagram into pieces, each small enough to pass over the single link that is being fragmented for, using the MTU parameter configured for that interface.
RFC 1191 (IPv4) and RFC 1981 (IPv6) describe "Path MTU discovery", a technique for determining the path MTU between two IP hosts. It works by setting the DF (Don't Fragment) option in the IP headers of outgoing packets. Any device along the path whose MTU is smaller than the packet will drop such packets and send back an ICMP "Destination Unreachable (Datagram Too Big)" message containing its MTU. This information allows the source host to reduce its assumed path MTU appropriately. The process repeats until the MTU becomes small enough to traverse the entire path without fragmentation.
Unfortunately, increasing numbers of networks drop ICMP traffic (e.g. to prevent denial-of-service attacks), which prevents path MTU discovery from working. One often detects such blocking in the cases where a connection works for low-volume data but hangs as soon as a host sends a large block of data at a time
Most Ethernet LANs use an MTU of 1500 bytes (modern LANs can use Jumbo frames, allowing for an MTU up to 9000 bytes); however, border protocols like PPPoE will reduce this.
he difference between the MTU seen by end-nodes (e.g. 1500) and the path MTU causes path MTU discovery to come into effect, with the possible result of making some sites behind badly-configured firewalls unreachable. One can possibly work around this, depending on which part of the network one controls; for example one can change the MSS (maximum segment size) in the initial packet that sets up the TCP connection at one's firewall.

Sometimes the demands of efficiency encourage artificially declaring a reduced MTU in software below the true maximum possible length supported - for example: where an ATM (Asynchronous Transfer Mode) network carries IP traffic. Some providers, particularly those with a telephony background, use ATM on their internal backbone network.

ATM operates at optimum efficiency when packet length is a multiple of 48 bytes. This is because ATM is sent as a stream of fixed-length packets (known as 'cells'), each of which can carry a payload of 48 bytes of user data with 5 bytes of overhead for a total cost of 53 bytes per cell. Artificially declaring a reduced MTU in software maximises protocol efficiency at the ATM layer by making the ATM AAL5 total payload length a multiple of 48 bytes whenever possible.
RFC 2516 prescribes a maximum MTU for PPPoE/DSL connections of 1492: a PPPoE header of 6 bytes, leaving enough room for a 1488 byte payload, or 31 full ATM cells.

The TCP MSS Adjustment feature enables the configuration of the maximum segment size (MSS) for transient packets that traverse a router, specifically TCP segments in the SYN bit set, when PPP over Ethernet (PPPoE) is being used in the network. PPPoE truncates the Ethernet maximum transmission unit (MTU) 1492, and if the effective MTU on the hosts (PCs) is not changed, the router in between the host and the server can terminate the TCP sessions. The ip tcp adjust-mss command specifies the MSS value on the intermediate router of the SYN packets to avoid truncation.

When a host (usually a PC) initiates a TCP session with a server, it negotiates the IP segment size by using the MSS option field in the TCP SYN packet. The value of the MSS field is determined by the maximum transmission unit (MTU) configuration on the host. The default MSS value for a PC is 1500 bytes.
The PPP over Ethernet (PPPoE) standard supports a MTU of only 1492 bytes. The disparity between the host and PPPoE MTU size can cause the router in between the host and the server to drop 1500-byte packets and terminate TCP sessions over the PPPoE network. Even if the path MTU (which detects the correct MTU across the path) is enabled on the host, sessions may be dropped because system administrators sometimes disable the ICMP error messages that must be relayed from the host in order for path MTU to work. The ip tcp adjust-mss command helps prevent TCP sessions from being dropped by adjusting the MSS value of the TCP SYN packets. The ip tcp adjust-mss command is effective only for TCP connections passing through the router. In most cases, the optimum value for the max-segment-size argument is 1452 bytes. This value plus the 20-byte IP header, the 20-byte TCP header, and the 8-byte PPPoE header add up to a 1500-byte packet that matches the MTU size for the Ethernet link.
If you are configuring the ip mtu command on the same interface as the ip tcp adjust-mss command, it is recommended that you use the following commands and values:
ip tcp adjust-mss 1452
ip mtu 1492


XXXNR#conf t
Enter configuration commands, one per line. End with CNTL/Z.
XXXNR(config)#interface vlan 104
XXXNR(config-if)#ip tcp adjust-mss 1250
XXXNR#copy run start

> MTU Ping Test

Tuesday, March 2, 2010

client-identifier command

Router(dhcp-config)#client-identifier unique-identifier

Specifies the unique identifier for DHCP clients. This command is used for DHCP requests. DHCP clients require client identifiers. The unique identification of the client is specified in dotted hexadecimal notation, for example, 01b7.0813.8811.66, where 01 represents the Ethernet media type. Every request sent from a DHCP client to DHCP servers contains a hardware type and a client hardware address. For Ethernet and 802.11 wireless clients, the hardware type is always 01. The client hardware address is simply the MAC address of the client's network (Ethernet or Wireless) interface. Every request sent from a DHCP client to DHCP servers may optionally also contain a DHCP Client Identifier option. This is an arbitrary value that may be used to identify a client instead of the hardware type and client hardware address. Traditionally, the DHCP Client Identifier (when present) has been set to a value equal to the hardware type followed by the client hardware address. (For example, 01 00 01 02 a0 bc d3.)

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip dhcp pool AccessPoint1
Router(config)#client identifier 01ab.cdef.ghij.kl
Router(config)#client-name AccessPoint1


Monday, March 1, 2010

Earned my Cisco CCENT

Today I finally took the Cisco ICND1 exam and passed without any real problems.
As we're not allowed to discuss it, let me just say that you really need to understand it and get some hands on experience.

Sunday, February 28, 2010

Day 1: ICND1 Last Review (WAN basics, NAT/PAT terminology and RIP)

My ICND1 exam is booked on monday but I didn't have much time this week so I'll focus mainly on WAN connections, namings in NAT/PAT and RIP.

There are two major categories for WANs:
  1. Dedicated: point-point lines provide a preestablished WAN communications path from the customer premises through the provider network to a remote destination. Usually leased from a carrier and obviously called leased lines.
  2. Switched:
    1. Circuit-Switched: dynamically establishing a dedicated virtual connection. Before communication can start it's necessary to establish the connection through the network of the service provider. Examples are PSTN and DSL (I know it's also a bit packet-switched but for the exam I'll keep it to this).
    2. Packet-Switched: because data flow fluctuates (nobody uses 100% bandwith all the time) so in these networks the data is transmitted in labeled cells, frames or packets. There's no dedicated path between source and destination endpoints, allowing for the sharing of connection links and common carrier resources for data transmission. The carrier can create virtual circuits between customer sites. When the customer is not using the full bandwith on its virtual circuit, the carrier, through statistical multiplexing, can make the unused bandwith available to another customer. Examples are Cable, Frame Relay.
    3. Cell-Switched: an example is ATM and it uses small fixed-size cells of 53 bytes (48 bytes for data).
NAT connects two networks together and translates the private addresses (inside local) in the internal network into public addresses (inside global) before packets are forwarded to another network. The inside network is the set of networks that are subject to translation, the outside network refers to all other addresses.
  • inside local address: the IP address assigned to a host on the inside network, likely not assigned by the NIC or service provider.
  • inside global address: a legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.
  • outside local address: the IP address of an outside host as it appears to the inside network, not necessarily legitimate, it's allocated from an address space routable on the inside.
  • outside global address: the IP address assigned to a host on the outside network by the host owner. This address is allocated from a globally routable address or network space.
You can verify the NAT and PAT configuration by using
show ip nat translation to display active translations and
clear ip nat translation * to clear all dynamic address translation entries (they'll time out after 24 hours by default).

Static routes are commonly used when you're routing from a network to a stub network. This stub network or leaf node is a network accessed by a single route. They can also be useful for specifying a "gateway of last resort" to which all packets with an unknown destination address will be sent. Obviously the static route must be configured in both directions for end-to-end connectivity. An example:
ip route
Don't mix it up with default route, for this you also give the IP address of the next-hop router to be used as default for packet forwarding, an example:
ip route
The ip classless command tells the route not to drop packets that are destined for a network that's not in the routing table, but to use the default route instead. If you don't use the ip classless command, packets like that would be dropped before being sent to the default route. (ip classless is on by default in IOS 12.x.).

It's recommended to set the bandwith command on the serial interface, this provides a minimum bandwith guarantee during congestion (used by some routing protocols). It has no effect on the actual speed of the line. Bandwith refers to the rate at which data is transferred over the communication link.
1DS0 = 64 kb/s
24DS0s = DS1 or T1 = 1.544 Mb/s

The show controller command displays information about the physical interface itself. Very useful to termine the type of cable connected to the serial interface. Please note that this information is determined when the router initially starts!

High-Level Data Link Control (HDLC) protocol specifies an encapsulation method for data on synchronous serial data links using frame character and checksum. HDLC supports both point-to-point and multipoint configurations and includes a means for authentication. HDLC may not be compatible between vendors from different vendors. There's a Cisco implementation of HDLC which is the default encapsulation for serial lines, as you probably know it doesn't show up in running-config! Cisco HDLC has no windowing or flow control, and only point-to-point connections are allowed. The Cisco HDLC implementation includes proprietary extensions in the data field to allow multiprotocol support at a time before PPP was specified. Use ppp when interoperability is required.

Routing protocols (like RIP, EIGRP) are used between routers to determine paths and maintain routing tables. After the path is determined, a router can route a routed protocol (like IP).

An autonomous system is a collection of networks under a common administrative domain. IGPs operate within an autonomous system and EGPs connect different autonomous systems.

Classful routing protocols do not include the subnet mask with the route advertisements (most distance vector routing protocols). When a classful routing protocol is used, all subnetworks of the same major network must use the same subnet mask. Routers that are running a classful routing protocol perform automatic route summarization accross network boundaries. When receiving a routing update packet, the router will apply the default classful mask if the routing update information contains a major network that is different! If the routing update information contains the same major network number as is configured on the receiving interface, the router applies the subnet mask that is configured on the receiving interface.
Classless routing protocols include the subnet mask with the route advertisement, they support variable-length subnet mask (VLSM). The summarization process is controlled manually and can usually be invoked at any bit position with in the address. Manual summarization may be required to keep the size of the routing tables manageable.

RIP is capable of load-balancing over as many as 16 equal-cost paths (default = 4).
RIPv1: classful, no VLSM, subnet mask is not send, broadcast, no manual route summarization and no authentication support.
RIPv2: classless, VLSM, subnet mask is sent, multicast, manual route summarization, authentication support.

router rip command starts the RIP routing process.
version 2 enables RIP version 2
network selects the participating attached networks and requires a major classful network number!
Use the show ip protocols command to display values about routing protocols and the routing protocol timer information associated with the routers. Important values is the flushed field (240 seconds) which specifies the time after which the individual routing information will be thrown out. The hold down (180 seconds) field: an update to a route that was down and is now up will stay in the hold down (possibly down) state until 180 seconds have passed.

Friday, February 19, 2010

show users - show sessions

If you want to see who's logged onto a router, use command show users

BE-607NR01#show users
    Line       User       Host(s)              Idle       Location
*  6 vty 0     admin      idle                 00:00:00
   7 vty 1     admin      idle                 00:00:22

  Interface    User               Mode         Idle     Peer Address
  Vi3                             PPPoATM      00:00:00

This shows the open sessions to your router. The line with the * is the current session, where we used the command. If you want to kill an open Telnet session, use command clear line x


To see the active sessions from your remote device, use command show sessions
If you enter a sessionnumber you'll access it, use disconnect to leave.
Ctrl-Shift-6-x brings you back, it also suspends Telnet/SSH sessions.

XX-001NR01#show sessions
% No connections open

Another useful command is show line which gives a nice overview.

Thursday, February 18, 2010

dash shell

Just noticed that Ubuntu Server 9.10 has dash for default shell.

In case you're wondering what it is:
dash stands for Debian Almquist shell en is a POSIX-compliant implementation of /bin/sh that aims to be as small as possible. It does this without sacrificing speed where possible. In fact, it is significantly faster than bash (the GNU Bourne-Again SHell) for most tasks.
If you want to figure your current shell, the command is
echo $0

Changing the default shell can be done by the command  
ln -sf /bin/bash /bin/sh
-s symbolic links instead of hard links
-f force

Useful links:

Tuesday, February 16, 2010

Day 2: Studying Sample Exam Questions

I'm probably not gonna be able to take the exam this weekend plus I'm booked for an Oracle course next week so I'll spend some extra time studying sample exam questions. This is gonna be an overview of interesting questions (for me) collected from various books and sites to review just before exam day.

This post will be updated till I take (and pass) the exam...
  • It is not possible to obtain CDP information about a remote device. Don't answer that you can use SSH or Telnet.
  • A CDP update packet has platform and device identifiers information.
  • show cdp entry * produces the same result as the show cdp neighbors detail command.
  • show cdp interface displays the frequency at which packets are sent, encapsulation type and holdtime for an interface where CDP is enabled. show cdp traffic displays CDP packet checksum errors. This is an example (thx to David L. from CLN):
          P1R1#show cdp interface
          FastEthernet0/0 is up, line protocol is down
          Encapsulation ARPA
          Sending CDP packets every 60 seconds
          Holdtime is 180 seconds
          FastEthernet0/1 is administratively down, line protocol is down
          Encapsulation ARPA
          Sending CDP packets every 60 seconds
          Holdtime is 180 seconds
          Serial0/0/1 is up, line protocol is up
          Encapsulation HDLC
          Sending CDP packets every 60 seconds
          Holdtime is 180 seconds
          P1R1#show cdp traffic
          CDP counters :
          Total packets output: 38, Input: 34
          Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
          No memory: 0, Invalid packet: 0, Fragmented: 0
          CDP version 1 advertisements output: 0, Input: 0
          CDP version 2 advertisements output: 38, Input: 34
  • ROMMON is a low-level os normally used for manufacturing testing and troubleshooting.
  • If the boot field value is 0x2 then the router will check the startup-config file for boot system commands. The boot field is the low-order 4 bits of the configuration register in a Cisco router. the value in part tells the router where to look for a Cisco IOS image to load.
  • On most routers, the Cisco IOS software is loaded into RAM to run, but on some routers it's run directly from flahs memory.
  • show flash displays the amount of memory that's available where the IOS image is stored, don't mix this up with show run!
  • service timestamps command is used to add time stamps to a debug or log message.
  • The application layer is the most diverse area of the OSI model and the TCP/IP stack.

Monday, February 15, 2010

Day 3: WAN Connections

A telecommunications service provider (TSP) can offer these WAN connection types:
  • Point-to-Point Protocol (PPP): a specific dedicated path through the TSP network that connects two LANs over a large geographic area. Typically leased lines.
  • Circuit-switched: allows the client to create and close connections over the TSP network. Think of the operation as phone call. Examples are ISDN or dialup network access.
  • Packet-switched: a client uses a software-managed virtual circuit over a shared connection. Examples are Frame Relay.
After connecting your router or customer premises equipment (CPE) device to the Channel Service Unit/Data Service Unit (CSU/DSU) provided by the ISP, you need to configure the interface on the router. If its a serial interface, the CSU/DSU provides the clock rate as the data circuit-terminating equipment (DCE) and your router acts as the data terminal equipment (DTE).

The Cisco default encapsulation for a serial interface is High-Level Data Link Control (HDLC). This is a Data Link layer protocol used to encapsulate and transmit packets over point-to-point links. It handles the transfer of data in full duplex, as well as link management functions. As an OSI standard, many vendors implement the HDLC protocol in their equipment. These are usually not interoperable. This is because the Cisco HDLC frame uses a proprietary "Type" field that may not be compatible with equipment of other vendors. When the HDLC frame format was defined, it did not enclude a field to identify the Network layer protocol that it was framing. As such, the OSI version of HDLC assumes that any link using HDLC is running only a single Network layer protocol like IP. This has led vendors to implement HDLC using a proprietary frame format that includes a type code field, thus allowing the Network layer protocol within a frame to be identified. Because of this proprietary nature, you should only use HDLC framing on point-to-point links when the routers at each end of a link is from the same vendor. In cases where you want to connect equipment from different vendors over a leased line, the Point-to-Point protocol (or PPP) should be used. Always remember that the router on both sides of a ppp link must be using the same data framing method in order to communicate. You can change the encapsulation to PPP as a more flexible, nonpropietary encapsulation. PPP supports authentication in clear-text Password Authentication Protocol (PAP) or encrypted Challenge Handshake Authentication Protocol (CHAP). A router can also use Frame Relay as an encapsulation. Frame Relay virtual circuits use HDLC encapsulation and each circuit is identified by a data link connection identifier (DLCI).

You can use the encapsulation command in interface configuration mode. An example is encapsulation ppp.

HDLC and PPP are layer 2 protocols. HDLC is actually the default protocol on all Cisco serial interfaces. If you do a show run on a Cisco router, your serial interfaces will have no encapsulation by default (it's HDLC)! Use a show interface serial ... to see that you're running HDLC.

You can select one of the following address types for a serial WAN connection:
  • A static IP address allows the administrator to manually enter the IP address and subnet mask. Available for PPP, Frame Relay and HDLC.
  • IP unnumbered sets the interface to match the IP address of another enabled interface on the router. Available for PPP, Frame Relay and HDLC.
  • IP negotiated is available for PPP and allows the router to obtain address information automatically from the ISP.

Day 4: Security Applications

Besides antivirus, antispam and antispyware software you should make use of a firewall. This can come packaged as a standalone security appliance, a server-based firewall that installs on a network operating system (NOS), a module that can be installed or is integrated inside an existing router, or a personal firewall that installs on a network host. Firewalls are installed between two networks and can control traffic in the following ways:
  • Filter traffic based on destination and source IP address or MAC address, block websites based on url or keywords, and filter traffic based on the type of application used for network transmission.
  • Inspect incoming traffic and ensure that each incoming packet is a response to a legitimate outgoing request. This stateful packet inspection (SPI) can prevent DoS attacks.
  • Firewalls can also provide network address translation (NAT) for additional security on an internal network.
A firewall can protect users on the intranet but some network devices may need greater access. Servers outside the internal network protected by another firewall are in the demilitarized zone (DMZ). This is typically an area more secure than a direct connection to the Internet lcoated between an internal and external firewall. When setting up a smaller network, you can create a subnet and configure a single integrated router/firewall to provide DMZ levels of security to only specific devices. A standard DMZ allows incoming requests on standard server ports like 80, 21 and 110 (POP3). I bet you know the other two :)
On larger networks you usually design firewall security in layers. Border routers filter packets and route traffic to the DMZ or an internal firewall. The internal firewall only allows outside traffic that was specifically requested by an internal device. Additional internal firewalls may seperate and protect sensitive areas. These can provide an extra layer of security in case an internal host is infected.

Short overview of two types of sensors available to detect and prevent network intrusions:
  • Intrusion Detection Systems (IDS): monitors traffic on one port and notifies a management station. Can detect only the first malicious transmission but can reconfigure the router to block future attacks. Used on the network perimeter in front of a firewall to analyze attacks or behind a firewall to detect firewall configuration issues.
  • Intrusion Prevention Systems (IPS): traffic passes through the IPS in one port and out another which filters suspicious traffic in real time. Can examine the entire data packet from L7 to L2. Usually placed behind a firewall to further examine packets destined for the internal network.
Both are implemented as software (Cisco IOS ISP), hardware and Adaptive Security Appliance (ASA).

Network security can also be improved by:
  • Authentication requires users to verify their identity with a username and password using a RADIUS or TACACS server.
  • Authorization limits access for users based on rights assigned to the user account by the administrator.
  • Accounting tracks user network activity and application use.

Day 5: Security Threats

These are some common techniques that focus on the user as the weak link:
  • Pretexting: an attacker masquerades as the helpdesk or creates a legitimate-sounding scenario to convince the user to reveal sensitive network information.
  • Phishing: an attacker sends an email posing as a legitimate organization and requests verification of account username and passwords.
  • Vishing/phone phishing: an attacker uses Voice over Internet Protocol (VoIP) to leave a message with a user that claims to be from a banking service with a callback number.
Attackers can also use software in many forms to gain access to a network:
  • Virus: typically attached to and activated within another legitimate program.
  • Worm: runs independently to send copies of itself.
  • Trojan horse: looks like a legitimate program to trick the user into intalling.
  • Denial of service (DoS): attackers also use bandwith and available connections to affect the network's operation. A DoS attack floods a network or server with traffic, preventing any legitimate connections or use.
Overview of various Network Service Attacks:
  • DoS - Synchronous (SYN) flooding: flooding a server with requests from a fake IP address and cause the server to use resources responding to these requests.
  • DoS - Ping of death: attackers send a ping greater than the maximum allowed and causes a system to shut down.
  • DDoS - Distributed Denial of Service: attackers use multiple hosts to attack a single server or servcie. Usually there'll be botnets used to attack a target site.
  • Brute force: repeated attempts to crack usernames/passwords with software that uses combinations.
Besides all these there are also spyware, cookies, spam, even randomware nowadays:

Don't forget that internal users can also (un)intentionally harm a network and an ISP should be the first line of defence!

Here are some common methods for protecting our networks:
  • Patch
  • Update
  • Virus protection
  • Spyware protection
  • Spam blocker
  • Popup blocker
  • Firewall

Day 6: Wireless Security

A network administrator shoudl implement the following security features on a WLAN during initial setup (mind you they're easily avoided):
  • Disable SSID broadcast.
  • Change default settings.
  • Enable MAC address filtering.
We can implement authentication for the WLAN (by username or password). This will occur before MAC filtering and there are three types of wireless authentication:
  1. Open authentication: all clients can connect to the WLAN.
  2. Preshared keys (PSK): both AP and client are configured with the same key. This is a one-way authentication because the AP doesn't authenticate with the host (user doesn't have to authenticate).
  3. Extensible Authentication Protocol (EAP): the EAP software on the client communicates with an authentication server as RADIUS which maintains a database of users separate from the AP. 802.1x can also provide AP security through user authentication (EAP).
Its obvious that we need to protect transmission by using some form of WLAN encryption:
  • Wired Equivalent Privacy - WEP key is 64 to 256 bits but all devices (including AP) must have the same manually configured static key to understand transmissions. This is easily avoided nowadays with hacking software.
  • Wi-Fi Protected Access (WPA) is also 64 to 256 but has a more secure encryption because it rotates keys. WPA uses TKIP (temporal key integrity protocol) to generate new keys for clients and rotate them at a configurable interval, both client and AP have the key. Remember that WPA dynamically generates a different key with each client communication with the AP.
  • 802.11i/WPA2 is a better version that uses advanced encryption standard (AES) technology.
WPA is a more powerful security technology for Wi-Fi networks than WEP. It provides strong data protection by using encryption as well as strong access controls and user authentication. WPA utilizes 128-bit encryption keys and dynamic session keys to ensure your wireless network's privacy and enterprise security. There are two basic forms of WPA: WPA Enterprise (requires a Radius server) and WPA Personal (also known as WPA-PSK). Either can use TKIP or AES for encryption. Not all WPA hardware supports AES. WPA-PSK is basically an authentication mechanism in which users provide some form of credentials to verify that they should be allowed access to a network. This requires a single password entered into each WLAN node. As long as the passwords match, a client will be granted access to a WLAN. Encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is in WPA-PSK, authentication is reduced to a simple common password, instead of user-specific credentials. The Pre-Shared Key (PSK) mode of WPA is considered vulnerable to the same risks as any other shared password system - dictionary attacks for example. Another issue may be key management difficulties such as removing a user once access has been granted when the key is shared among multiple users, not likely in a home environment.

Consider these points when planning/troubleshooting a WLAN:
  • Signal: 802.11b/g/n have a larger coverage area than 802.11a. Generally speaking: the more data rates the lower the coverage area. There's also interference and reflection (RF waves bounce off metal or glass surfaces).
  • Standards: be careful with backward-compatibility, some AP's don't support the 5 GHz frequency (802.11a).
  • Bandwith: all users share the same bandwith on a BSS.
  • Association: make sure that the SSID is correct on clients and AP.
  • Total cost of ownership (TCO).
  • Channels and correct placing.
  • Authentication/security.

Day 7: Wireless Standards

Wireless devices use electromagnetic waves as the physical media for data transmission. Infrared (IR)  transmits over short distances, radio frequency (RF) waves can be used for "real networking". The Industrial, Scientific and Medical (ISM) bands are free to use by unlicensed devices for communication:
  • 900 MHz (902 to 928 MHz) supports devices such as wireless headphones and cordless phones.
  • 2.4 GHz (2.400 to 2.4835) supports lower-speed, short-range Bluetooth as well as wireless LAN technologies compliant with IEEE 802.11 standards.
  • 5 GHz (5.725 to 5.850) supports IEEE 802.11 standards at a higher power level, providing a wider range and increased speeds.
Unfortunately Wireless LANs can interfere with each other. Reduced cost and increased mobility are major advantages.

We can define wireless networks in three categories:
  • WPAN - wireless personal-area network: these include PDAs, mice, keyboards and other short-range IR or Bluetooth devices.
  • WLAN - wireless local-area network: typically the wireless portion of a LAN that uses RF technology and IEEE 802.11 standards. An access point (AP) usually provides connectivity fro the wireless clients to the wired Ethernet network.
  • WWAN - wireless wide-area network: networks that can use cell phone technologies such as Global System for Mobile Communication (GSM) or Code Division Multiple Access (CDMA) to cover large geographic areas.
The Wireless Fidelity (Wi-Fi) Alliance tests wireless devices from different manufacturers and ensures that each device meets standards and will function with devices using the same standards. So its a global, nonprofit industry trade assocation devoted to promoting the growth and acceptance of wireless LANs. The IEEE 802.11 standard governs implementations of WLANs.

IEEE 802.11 Wireless LAN Standards
  • 802.11: This original standard was released in 1997 and supports a 2 Mbps data rate over the 2.4 GHz frequency. A maximum range is undefined.
  • 802.11a: This amendment was released in 1999 and supports a 54 Mbps data rate over the 5 GHz frequency. The maximum range is estimated at about 50 meters. Interesting sidenote is that this didn't make due to shortage of material at the time, so 802.11b made it.
  • 802.11b: released at the same time as 802.11a and made it despite supporting an 11 Mbps data rate over the 2.4 GHz frequency. Maximum range is estimated at about 100 meters.
  • 802.11g: This amendment was released in 2003 and supports a 54 Mbps data rate over the 2.4 GHz frequency. Maximum range is estimated at about 100 meters. 802.11g is backwards compatible with 802.11b!
  • 802.11n: This is a recent amendment (october 2009) and adds multiple-input and multiple output (MIMO). 802.11n is backwards compatible with 802.11a, 802.11b and 802.11g!
A wireless networks consists of the following components:
  • Wireless clients or wireless stations (STA) are devices that participate in a wireless network.
  • Wireless access point (AP) provides connectivity between a wired and wireless network by converting Ethernet frames into 802.11-compliant frames or vice versa. APs support connectivity in a basic service set (BSS) or limited area.
  • Wireless bridge provides connectivity between two wired networks with a wireless link - typically a long-range ppp connection over RF frequencies.
  • Wireless antenna can be a directional antenna that concentrates the signal in one direction or an omnidirectional antenna that increases the signal in all directions. Antennas increase signal strength or gain an can increase distances.
A WLAN is located with a Service Set Identifier (SSID). This is a 32-character, case-sensitive, alphanumeric string located in the header of WLAN frames. WLANs can be set up in od-hoc or infrastructure mode:
  • Ad-hoc: Independent basic service set (IBSS) in which devices communicate with each other and are not part of a network. This is a simple peer-to-peer connection among clients to exchange files and data without an access point.
  • Infrastructure: BSS in which a group of devices are connnected to an AP. Devices cannot communicate directly; connectivity is centralized, controlle and directed by an access point.
Multiple BSS access points can be connected by a distribution system (DS) to form an extended service set (ESS). To create it, each BSS AP's range must overlap by 10 to 15 percent! This allows a client to move through the ESS without a loss of signal. The ability to shift data rates allows a client to communicate while moving!
Another important aspect is to use different channels for efficient communicatino. Multiple AP's can overlap in range and divide the available RF spectrum by using separate channels (for example 1-6-11).

Wireless networks use an access method called Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). These points define this process and how a client can reserve a channel:
  • A device on a BSS asks permission from the AP to communicate in the form of a request to send (RTS).
  • If the channel's available, the AP responds with a clear to send (CTS) message.
  • The CTS is broadcast to all devices on the BSS so that all devices know that the channel is in use or that a reservation is in place on the channel.
  • When the communication is complete, the sending device sends an acknowledgement (ACK)  to the AP, saying that the channel can be released. This ACK is also broadcast to all devices on the BSS to indicate that the channel is available.
The following common parameters must be configured on a wireless access point to provide connectivity:
  • Wireless or network mode: can be 802.11a , 802.11b, 802.11g, 802.11n or mixed mode.
  • SSID or network name: all devices connected to the WLAN must have the same SSID. It may be a good idea to disable broadcast of the SSID.
  • Wireless channel: you can manually configure a channel that doesn't overlap with nearby BSSs or you can allow the AP to automatically find the best channel.

Day 8: Network Status Verification

Show commands are important in ICND1 so I'll describe some common commands to verify network status:
  • show running-config: displays running configuration form RAM on the router.
  • show interfaces: displays information about the router interfaces, including encapsulation, address configuration and whether the interface is up or down. I use this one a lot!
  • show arp: displays any address resolution protocol entries learned by the router.
  • show ip route: displays routes manually configured or dynamically discovered by the router.
  • show users: displays any users connected to the router.
  • show version: displays the version of Cisco IOS software running on the router, name of image and amount of RAM.
There are also well-known some utilities to use on hosts like:
  • ipconfig (ifconfig on Linux).
  • ping to test Layer 3 connectivity and basic DNS functionality.
  • tracert (on windows)
  • traceroute
  • netstat show information about devices communicating with a host, including IP address and TCP port information.
  • nslookup
Important reminder:
After all this you can test Layer 7 connectivity by accessing the router through SSH, Telnet and a web browser.

There's also some debugging with the debug commands, for example debug ip rip. Stop debugging with undebug all.

Day 9: Configuration, IOS and Security

Sometimes you'll use static and default routes.
Any packet for which a router doesn't know the destination will be dropped or forwarded to the default route. This can be done like this:
ip route {outgoing-interface | next-hop-address}

If you look in the routing table you'll see static routes identified with prefix S. This is how we manually configure static routes:
ip route

These can all be reviewed with show running-config, and show ip route.

Reviewing IOS configuration files management is also needed for the ICND1 exam. You can either copy/paste the show runs but preferably you have a trivial file transfer protocol (TFTP) server on your network.
  • copy running-config tftp: you'll have to enter the ip/hostname of the server and destination filename (router-config).
  • copy tftp running-config: restoring the file.
The show version command allows to check the name of the IOS image. We can use copy flash tftp to copy the IOS image from flash memory to a TFTP server. To restore it back we can use copy tftp flash.

It's very important to secure the telecommunications room or wiring closets in your facility. The main distribution facility (MDF) and intermediate distribution facilities (IDF) are the backbone of the network and should be protected. Access to these areas should be restricted. Besides this we also have to protect configuration privileges by adding password security. Don't forget that passwords are encrypted if the command service password encryption is entered.

ESENT - Extensible Storage Engine

Just noticed that this post was unreadable so:

One of my database servers gave this error in event viewer:
svchost (828) The database engine stopped

Windows comes with an embeddable, transactional database engine which is available to developers through the Windows SDK. The ESENT database engine can be used whenever an application wants high-performance, low-overhead storage of structured or semi-structured data. This can range from something as simple as a hash table which is too large to store in memory to a complex application with many tables, columns and indexes. ESENT is used by the Active Directory, Windows Desktop Search, Windows Mail and several other Windows services and a slightly modified version of the code is used by Microsoft Exchange to store all its mailbox data.

Interesting links:

Wednesday, February 3, 2010

err-disabled mode

Today I had a switchport that went in err-disabled mode. Command show interfaces status err-disabled indicated loopback for reason. It took a while but our technicians eventually followed the cables in the ceiling and they were badly patched.

Cisco has a great page with all the details:

Tuesday, February 2, 2010

Day 10: CLI Parameter

Cisco IOS Editing keys/commands:
Ctrl-P or up arrow: repeats previous command
Ctrl-A: beginning of command line
Ctrl-E: end of command line
Esc-B: move back one word
Esc-F: move forward one word
Ctrl-Z: exits configuration mode
show history: displays command buffer
terminal history size x: sets history buffer size
terminal no editing: turns off advanced editing (why would you use this...)

Router Initial Configuration:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Cairo
Cairo(config)#banner motd #
Enter TEXT message. End with the character '#'.
Cairo - unauthorized use prohibited
Cairo(config)#enable password cisco
Cairo(config)#enable secret sanfran
Cairo(config)#line console 0
Cairo(config-line)#password sanjose
Cairo(config)#line vty 0 4
Cairo(config-line)#password netadmin
Cairo(config)#service password-encryption
%SYS-5-CONFIG_I: Configured from console by console
Cairo#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...

Router Ethernet Interface Configuration:
Cairo#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Cairo(config)#interface fa0/0
Cairo(config-if)#ip address
Cairo(config-if)#description Ethernet segment
Cairo(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Cairo(config)#ip host Cairo

This last command defines static hostname-to-address mappings in the DNS hostname cache, more info at this link:

If the serial interface is a data communications equipment (DCE) device, you'll need to set the clock rate. A router is usually the data terminal equipment (DTE) device so you don't need to set it. As a DTE, the router would accept the clock from a DCE device. Think of it this way, DCE and the C is clock :)

Cairo#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Cairo(config)#interface serial 0/0
Cairo(config-if)#ip address
Cairo(config-if)#clock rate 64000
Cairo(config-if)#no shutdown
%SYS-5-CONFIG_I: Configured from console by console
Cairo#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...

Router Initial Configuration for SDM:
Cairo#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Cairo(config)#ip http server
Cairo(config)#ip http secure-server
Cairo(config)#username cisco privilege 15 password 0 class
Cairo(config)#line vty 0 4
Cairo(config-line)#privilege level 15

To establish a username-based authentication system, use the username command in global configuration mode. To enable password checking at login, use the login local command in line configuration mode.

Cairo(config-line)#login local
Cairo(config-line)#transport input telnet
Cairo(config-line)#transport input telnet ssh

Day 11: RIP Configuration

RIP version 2 or RIPv2 allows a router to discover the location of remote networks dynamically from other routers running RIPv2. In order to confiure it, you'll have to connect to each router and determine which networks are directly connected to each router, and use RIP to configure that router to advertise the location of those networks.

Enter the router configuration mode, tell it's version 2 and specify that RIP will send update information about the directly connected networks. It's extremy simple, you only have to use router rip, version 2, network directly-connected-network.
The most important is that you have to enter the networks CLASSFUL, so a class A is for example instead of the!!!!

Cairo#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Cairo(config)#router rip
Cairo(config-router)#version 2
%SYS-5-CONFIG_I: Configured from console by console

show ip route displays all routes in the routing table and indicates routes learned through RIPv2 using the prefix R.

show ip protocols verifies that RIPv2 is configured and operating on the router and that the router is receiving updates and advertising routes. Important to notice are the updates that're being sent every 30 seconds, hold down of 180 seconds and flushed after 240!

debug ip rip displays RIP advertisements on the network in real time. This is very CPU-intensive, so it should be turned off with the undebug all command after use.

The Cisco Learning Network CCENT page has a good 15' video on this subject:

Day 12: Routing and Routers

Routers see networks, not hosts. There's a big difference between routed and routing protocols.
  • Protocols such as IP are routed protocols because the router uses the protocol to forward a packet from one router to another.
  • Routing protocols are used by routers to exchange routing information.
Routers decide where to forward a packet by using information stored in routing tables. They maintain a list of its interfaces and which networks are connected to those interfaces in its routing tables. Routers can dynamically learn about routes from other routers (routing protocol!) or the administrator can manually add a static route. When a packet arrives at a router, it'll look at the subnet mask, its routing table and cost.

We have four types of routes that exist in a routing table:
  1. Directly connected: a router detects configured networks connected to its interfaces and adds them to the routing table automatically (identified by prefix C). These are automatically updated when the configuration changes or an interface is shut down.
  2. Static: manually configured route, identifed by prefix S.
  3. Dynamic: these are dynamically updated by the router protocol. Prefix depends on the type of protocol, Routing Information Protocol (RIP) has prefix R.
  4. Default: static route that identifies the default gateway for packets addressed with a destination network that a router doesn't have in its routing table.
Dynamic routing protocols typically use the distance vector or link-state algorithm:

Distance Vector:
  • Periodically exchanges routing tables with neighboring routers.
  • Routes are evaluated on distance (how far) and vector (what direction).
  • Distance is expressed in a route cost or metric.
  • When a routing table is received it updates its routing information and forwards its routing table with an added hop to neighboring routers.
  • Exchanges link-state advertisements (LSA) when a change occurs in a link.
  • Maintains a topological database of the network and builds a shortest path first (SPF) tree.
  • When an LSA is received, the router will update and recalculate paths.
Routing Information Protocol (RIP):
  • Simple distance vector protocol, an interior routing protocol.
  • Exchanges complete copies of routing table.
  • Maximum 15 hop count - this to determine best path.
  • RIP version 2 (RIPv2) is preferred because it includes subnet mask information, where RIPv1 relies on classful default subnet masks. This means that RIPv2 allows VLSM and CIDR.
Enhanced Interior Gateway Routing Protocol (EIGRP):
  • Cisco-proprietary interior routing protocol.
  • Uses hop count (maximum 224), metrics and advertisements.
  • Maintains routing table, neighbor table and topology table.
Open Shortest Path First (OSPF):
  • Nonproprietary link-state interior routing protocol that sends LSA updates when there's a topology change.
Router Bootup Process, POST and loading Cisco IOS software:
  1. Router performs power-on self-test (POST) to check hardware.
  2. Loads bootstrap and initializes Cisco IOS from flash, TFTP or ROM. The location is defined in configuration register.
  3. Loads startup configuration file from nonvolatile random-access memory (NVRAM) to random-access memory (RAM) as running configuration.
  4. If NVRAM has no configuration file, the router will look for a TFTP-server. If it can't find it, it starts setup.

Saturday, January 30, 2010

Day 13: IP Address Troubleshooting

What if an IP address or subnet mask is entered incorrectly and your computer is configured to obtain an IP address automatically?

We could directly start at Layer 3 and use ping. If that's ok, there's probably an upper-layer issue. There could also be a DNS problem, I've already discussed it in my day 17 post.

Follow these steps on a Windows machine to verify the DHCP operation:
  1. Enter the command ipconfig /all in a command box. It should show lots of info like subnet mask, gateway, DNS server(s) and IP address.
  2. Are the gateway and host IP address on the same subnet?
  3. Release and renew the dynamic assignment with ipconfig /release and ipconfig /renew.
  4. If you can ping your gateway but no Internet address, there's a problem between your router and ISP (DNS, etc.). You could also use the tracert command (traceroute in IOS) to further investigate the issue.

Tuesday, January 26, 2010

Day 14: Static and Dynamic Addressing

Hosts in our LAN can be assigned an IP address in one of two ways:
  • Manual configuration: we can enter a static IP address, subnet mask, and gateway on hosts in our network. These static addresses remain the same for these devices unless we manually change'em.
  • Dynamic configuration: we can configure a DHCP server (as discussed on day 15) to dynamically assign addresses to computers on your network. We can specify the address range, client lease and other parameters on the DHCP server. You also need to configure clients to request addressing information from the DHCP server. 
Remember the ip helper-address command used to forward DHCP requests. 

Use the ipconfig /release and ipconfig /renew commands to refresh.

Monday, January 25, 2010

Day 15: DHCP Operation

A client on a DHCP (Dynamic Host Configuration Protocol) network will follow these steps to obtain an IP address:
  1. the client sends a DHCP Discover message with a destination IP address of and a destination MAC address of FF-FF-FF-FF-FF-FF.
  2. This DHCP Discover message broadcasts over the network, and the DHCP server replies with a DHCP Offer, including initial IP configuration for the client such as IP address, subnet mask and default gateway.
  3. The requesting client sends a DHCP Request to use the IP address suggested in the DHCP offer.
  4. The DHCP server responds with a DHCP Acknowledgment.
A DHCP server can provide addresses to a host on a different network if the routers on those networks are configured to forward DHCP requests with the ip helper-address command.

The configuration can be done by SDM or CLI.
Use these commands in global configuration mode:
ip dhcp pool pool-name
network network-address subnet-mask
domain-name domain-name
dns-server dns-server-address
default-router default-router-address
lease {days [hours] [minutes] | infinite}

Use these commands to exclude a range of addresses or a single address from the DHCP pool that you want to reserve and assign to specific hosts from global configuration mode:
ip dhcp excluded-address start-address end-address
ip dhcp excluded-address single-address

DHCP service can be started with service dhcp and stopped with no service dhcp.

Verification is done with these show commands:
show running-config
show ip dhcp binding
show ip dhcp server statistics
debug ip dhcp server events

Sunday, January 24, 2010

determining if broadcast storm has occured

These are some useful fields while determining if a broadcast storm has occured.

Router# show interfaces ethernet 0
Ethernet 0 is up, line protocol is up
Hardware is MCI Ethernet, address is aa00.0400.0134 (via 0000.0c00.4369)
Internet address is, subnet mask is
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
Encapsulation ARPA, loopback not set, keepalive set (10 sec)
ARP type: ARPA, PROBE, ARP Timeout 4:00:00
Last input 0:00:00, output 0:00:00, output hang never
Output queue 0/40, 0 drops; input queue 0/75, 2 drops
Five minute input rate 61000 bits/sec, 4 packets/sec
Five minute output rate 1000 bits/sec, 2 packets/sec
2295197 packets input, 305539992 bytes, 0 no bufferReceived 1925500 broadcasts, 0 runts, 0 giants
3 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 input packets with dribble condition detected
3594664 packets output, 436549843 bytes, 0 underruns
8 output errors, 1790 collisions, 10 interface resets, 0 restarts

  1. no buffers: gives the number of received packets discarded because there was no buffer space in the main system. Compare this with the ignored count. Broadcast storms on Ethernet networks and bursts of noise on serial lines are often responsible for no input buffer events.
  2. ignored: shows the number of received packets ignored by the interface because the interface hardware ran low on internal buffers. These buffers are different from the system buffers mentioned previously in the buffer description. Broadcast storms and bursts of noise can cause the ignored count to be increased.