
Saturday, January 30, 2010

Day 13: IP Address Troubleshooting

What if an IP address or subnet mask is entered incorrectly and your computer is configured to obtain an IP address automatically?

We could directly start at Layer 3 and use ping. If that's ok, there's probably an upper-layer issue. There could also be a DNS problem, I've already discussed it in my day 17 post.

Follow these steps on a Windows machine to verify the DHCP operation:
  1. Enter the command ipconfig /all in a command box. It should show lots of info like subnet mask, gateway, DNS server(s) and IP address.
  2. Are the gateway and host IP address on the same subnet?
  3. Release and renew the dynamic assignment with ipconfig /release and ipconfig /renew.
  4. If you can ping your gateway but no Internet address, there's a problem between your router and ISP (DNS, etc.). You could also use the tracert command (traceroute in IOS) to further investigate the issue.

Tuesday, January 26, 2010

Day 14: Static and Dynamic Addressing

Hosts in our LAN can be assigned an IP address in one of two ways:
  • Manual configuration: we can enter a static IP address, subnet mask, and gateway on hosts in our network. These static addresses remain the same for these devices unless we manually change them.
  • Dynamic configuration: we can configure a DHCP server (as discussed on day 15) to dynamically assign addresses to computers on your network. We can specify the address range, client lease and other parameters on the DHCP server. You also need to configure clients to request addressing information from the DHCP server. 
Remember the ip helper-address command used to forward DHCP requests. 

Use the ipconfig /release and ipconfig /renew commands to refresh.

Monday, January 25, 2010

Day 15: DHCP Operation

A client on a DHCP (Dynamic Host Configuration Protocol) network will follow these steps to obtain an IP address:
  1. The client sends a DHCP Discover message with a destination IP address of 255.255.255.255 and a destination MAC address of FF-FF-FF-FF-FF-FF.
  2. This DHCP Discover message broadcasts over the network, and the DHCP server replies with a DHCP Offer, including initial IP configuration for the client such as IP address, subnet mask and default gateway.
  3. The requesting client sends a DHCP Request to use the IP address suggested in the DHCP offer.
  4. The DHCP server responds with a DHCP Acknowledgment.
A DHCP server can provide addresses to a host on a different network if the routers on those networks are configured to forward DHCP requests with the ip helper-address command.

The configuration can be done by SDM or CLI.
Use these commands in global configuration mode:
ip dhcp pool pool-name
network network-address subnet-mask
domain-name domain-name
dns-server dns-server-address
default-router default-router-address
lease {days [hours] [minutes] | infinite}

Use these commands to exclude a range of addresses or a single address from the DHCP pool that you want to reserve and assign to specific hosts from global configuration mode:
ip dhcp excluded-address start-address end-address
ip dhcp excluded-address single-address

DHCP service can be started with service dhcp and stopped with no service dhcp.

Verification is done with these show commands:
show running-config
show ip dhcp binding
show ip dhcp server statistics
debug ip dhcp server events
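The four-step exchange above and the pool parameters from the IOS commands (network, default-router, dns-server, domain-name, lease, excluded-address) can be simulated end to end. The following is an added example written for this post, not code from the original or from Cisco; the message layout, the 192.168.1.0/24 pool, the excluded range and the MAC addresses are constructed for illustration, and a real client would send these messages as UDP datagrams on ports 67/68.

```python
import itertools
import ipaddress

BROADCAST_IP = "255.255.255.255"
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
_xids = itertools.count(0x1000)  # transaction ids tie the four messages together


class DhcpServer:
    """Server side of Discover/Offer/Request/Ack, parameterised like 'ip dhcp pool'."""

    def __init__(self, network, default_router, dns_server, domain_name, lease_days, excluded=()):
        self.network = ipaddress.ip_network(network)
        self.options = {
            "subnet_mask": str(self.network.netmask),
            "default_router": default_router,
            "dns_server": dns_server,
            "domain_name": domain_name,
            "lease_seconds": lease_days * 86400,
        }
        # 'ip dhcp excluded-address start end': never handed out (router, servers, printers)
        self.excluded = set()
        for start, end in excluded:
            lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
            self.excluded.update(ipaddress.ip_address(i) for i in range(lo, hi + 1))
        self.bindings = {}  # mac -> address, what 'show ip dhcp binding' would list
        self.offers = {}    # xid -> address offered but not yet acknowledged

    def _next_free(self):
        taken = set(self.bindings.values()) | set(self.offers.values()) | self.excluded
        for host in self.network.hosts():
            if host not in taken:
                return host
        return None  # pool exhausted

    def handle(self, msg):
        if msg["type"] == "DISCOVER":
            addr = self._next_free()
            if addr is None:
                return None  # no Offer when the pool is empty
            self.offers[msg["xid"]] = addr
            return {"type": "OFFER", "xid": msg["xid"], "yiaddr": str(addr), **self.options}
        if msg["type"] == "REQUEST":
            offered = self.offers.pop(msg["xid"], None)
            # Only acknowledge what we actually offered to this transaction.
            if offered is None or str(offered) != msg["requested_ip"]:
                return {"type": "NAK", "xid": msg["xid"]}
            self.bindings[msg["mac"]] = offered
            return {"type": "ACK", "xid": msg["xid"], "yiaddr": str(offered), **self.options}
        return None


class DhcpClient:
    def __init__(self, mac):
        self.mac = mac
        self.lease = None

    def obtain(self, server):
        xid = next(_xids)
        # 1. Discover: broadcast at Layer 3 and Layer 2, the client has no address yet.
        discover = {"type": "DISCOVER", "xid": xid, "mac": self.mac,
                    "src_ip": "0.0.0.0", "dst_ip": BROADCAST_IP, "dst_mac": BROADCAST_MAC}
        # 2. Offer: the server proposes an address plus mask, gateway, DNS and lease.
        offer = server.handle(discover)
        if offer is None:
            return None
        # 3. Request: the client asks for exactly the offered address.
        request = {"type": "REQUEST", "xid": xid, "mac": self.mac,
                   "requested_ip": offer["yiaddr"], "dst_ip": BROADCAST_IP, "dst_mac": BROADCAST_MAC}
        # 4. Acknowledgment: the binding is now recorded on the server.
        ack = server.handle(request)
        if ack and ack["type"] == "ACK":
            self.lease = ack
        return ack


if __name__ == "__main__":
    srv = DhcpServer("192.168.1.0/24", "192.168.1.1", "192.168.1.1", "example.test", 7,
                     excluded=[("192.168.1.1", "192.168.1.10")])
    print(DhcpClient("0001.C7C1.E31C").obtain(srv))
```

The excluded range is what keeps the pool from offering the gateway's own address; the NAK path shows why a server must track its outstanding offers per transaction rather than trusting whatever address a Request names.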

Sunday, January 24, 2010

Determining if a broadcast storm has occurred

These are some useful fields when determining if a broadcast storm has occurred.

Router# show interfaces ethernet 0
Ethernet 0 is up, line protocol is up
Hardware is MCI Ethernet, address is aa00.0400.0134 (via 0000.0c00.4369)
Internet address is 131.108.1.1, subnet mask is 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
Encapsulation ARPA, loopback not set, keepalive set (10 sec)
ARP type: ARPA, PROBE, ARP Timeout 4:00:00
Last input 0:00:00, output 0:00:00, output hang never
Output queue 0/40, 0 drops; input queue 0/75, 2 drops
Five minute input rate 61000 bits/sec, 4 packets/sec
Five minute output rate 1000 bits/sec, 2 packets/sec
2295197 packets input, 305539992 bytes, 0 no buffer
Received 1925500 broadcasts, 0 runts, 0 giants
3 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 input packets with dribble condition detected
3594664 packets output, 436549843 bytes, 0 underruns
8 output errors, 1790 collisions, 10 interface resets, 0 restarts

  1. no buffers: gives the number of received packets discarded because there was no buffer space in the main system. Compare this with the ignored count. Broadcast storms on Ethernet networks and bursts of noise on serial lines are often responsible for no input buffer events.
  2. ignored: shows the number of received packets ignored by the interface because the interface hardware ran low on internal buffers. These buffers are different from the system buffers mentioned previously in the buffer description. Broadcast storms and bursts of noise can cause the ignored count to be increased.
Reference: http://www.cisco.biz/en/US/docs/internetworking/troubleshooting/guide/tr1904.html
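Pulling the relevant counters out of the show interfaces text makes the check repeatable, for example from a script that polls the router. The following is an added example for this post, not code from Cisco or the original author; the sample text is the output quoted above, the second "later" snapshot is constructed to show what an incrementing no buffer/ignored count looks like, and the 50% broadcast-share threshold is a heuristic assumption of mine, not a Cisco figure.

```python
import re

# Constructed sample: the "show interfaces ethernet 0" output quoted in the post.
SAMPLE = """\
Ethernet 0 is up, line protocol is up
Hardware is MCI Ethernet, address is aa00.0400.0134 (via 0000.0c00.4369)
Internet address is 131.108.1.1, subnet mask is 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
Five minute input rate 61000 bits/sec, 4 packets/sec
Five minute output rate 1000 bits/sec, 2 packets/sec
2295197 packets input, 305539992 bytes, 0 no buffer
Received 1925500 broadcasts, 0 runts, 0 giants
3 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
3594664 packets output, 436549843 bytes, 0 underruns
8 output errors, 1790 collisions, 10 interface resets, 0 restarts
"""

# Regexes keyed to the counter labels IOS prints.
PATTERNS = {
    "packets_input": r"(\d+) packets input",
    "no_buffer": r"(\d+) no buffer",
    "broadcasts": r"Received (\d+) broadcasts",
    "ignored": r"(\d+) ignored",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "collisions": r"(\d+) collisions",
    "interface_resets": r"(\d+) interface resets",
}


def parse_counters(text):
    """Extract the named counters from show interfaces output into a dict of ints."""
    counters = {}
    for name, pattern in PATTERNS.items():
        match = re.search(pattern, text)
        if match:
            counters[name] = int(match.group(1))
    return counters


def delta(before, after):
    """Counters are cumulative since the last clear, so judge the change between two snapshots."""
    return {k: after.get(k, 0) - before.get(k, 0) for k in set(before) | set(after)}


def assess(counters, broadcast_share_limit=0.5):
    """Apply the two rules from the post (no buffer, ignored) plus a broadcast-share heuristic."""
    findings = []
    if counters.get("no_buffer", 0) > 0:
        findings.append("no buffer > 0: system buffers exhausted, suspect broadcast storm or line noise")
    if counters.get("ignored", 0) > 0:
        findings.append("ignored > 0: interface hardware buffers exhausted")
    packets_in = counters.get("packets_input", 0)
    ratio = counters.get("broadcasts", 0) / packets_in if packets_in else 0.0
    if ratio > broadcast_share_limit:
        findings.append(f"broadcast share of input is {ratio:.0%}, above the {broadcast_share_limit:.0%} heuristic")
    return ratio, findings


# Constructed later snapshot: 100000 more input packets, almost all broadcasts, and drops.
LATER = dict(parse_counters(SAMPLE))
LATER.update(packets_input=2395197, broadcasts=2024000, no_buffer=412, ignored=37)

if __name__ == "__main__":
    print(assess(parse_counters(SAMPLE)))
    print(assess(delta(parse_counters(SAMPLE), LATER)))
```

On the quoted output both counters from the post are zero, so by its rule there is no storm even though broadcasts are a large share of the input; comparing two snapshots is what turns the cumulative counters into a rate.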

Thursday, January 21, 2010

RMAN error – Use CROSSCHECK command to fix status

Our RMAN backup control mail gave an error: x objects could not be deleted for DISK channel(s) due to mismatched status. Use CROSSCHECK command to fix status.

CROSSCHECK is a check to determine whether files on disk or in the media management catalog correspond to the data in the RMAN repository. Because the media manager can mark tapes as expired or unusable, and because files can be deleted from disk or otherwise become corrupted, the RMAN repository can contain outdated information about backups. Crosschecks update outdated RMAN repository information about backups whose repository records do not match their physical status. For example, if a user removes archived logs from disk with an operating system command, the repository still indicates that the logs are on disk, when in fact they are not. The crosscheck command is used to validate RMAN records in the database control file and the recovery catalog against what is physically on the backup media. The crosscheck command can be used on both disk backups and tape backups. You can cross-check the whole gamut of backups: database backups, archived log backups and image copies are all covered by the crosscheck command.

When you run the crosscheck command, any missing backup files will be marked as EXPIRED, meaning that they are no longer on the media where they are expected to be. The list expired command will show you the backups that are expired. You can review this list and then use the delete command to mark the backup files as deleted in the control file and the recovery catalog. The CROSSCHECK command does not delete any files that it is unable to find, but updates their repository records to EXPIRED. Then, you can run DELETE EXPIRED to remove the repository records for all expired files as well as any existing physical files whose records show the status EXPIRED. Expired backups will not show up on this report until the crosscheck command detects they are missing.

Oracle SID should be correctly set, so we'll log on directly.

F:\oracle\rman>rman target =/

We use show all to get the backup retention policy to determine how long backups and archived logs need to be retained for media recovery. You can define a retention policy in terms of backup redundancy or a recovery window. RMAN retains the datafile backups required to satisfy the current retention policy, and any archived redo logs required for complete recovery of those datafile backups. In our case I got RETENTION POLICY TO REDUNDANCY 1 and ARCHIVELOG BACKUP COPIES FOR DEVICE TYPE DISK TO 1.

RMAN> show all;

RMAN> delete noprompt obsolete;

This gives the same errors as in our control mail, so let's do what it asks:

RMAN> crosscheck archivelog all;

RMAN is not removing all of the files because some of them may still be needed for a full recovery!  It's all about how RMAN defines an obsolete file.  Generally, an obsolete file is one that supplements a full backup that will never be used for a recovery and roll-forward. The Oracle docs note the rules for a file becoming obsolete:
DELETE OBSOLETE does not delete backups required to satisfy the specified retention policy, even if some backups have KEEP UNTIL times set which have passed to override the retention policy.
Backups are never obsolete if they are still needed to meet the retention policy, regardless of any KEEP UNTIL time. With a recovery window-based retention policy, even if the specified KEEP UNTIL time has expired, the backup is retained if the backup is needed to satisfy the recovery window.

With a redundancy-based retention policy, even if the specified KEEP UNTIL time has expired, the backup is retained as long as it is required to satisfy the redundancy requirement. 
You can also use the REDUNDANCY or RECOVERY WINDOW clauses with DELETE to delete backups obsolete under a specific retention policy instead of the configured default:
DELETE OBSOLETE REDUNDANCY = 3;
DELETE OBSOLETE RECOVERY WINDOW OF 7 DAYS;

RMAN> delete noprompt obsolete;

I got a similar error as in the control mail, this time for the controlfilecopy (32 is the key here):

RMAN> crosscheck controlfilecopy 32;

Now we can delete them:

RMAN> delete noprompt obsolete;

Then rerun the last delete command to verify that nothing is left.

References:
http://download.oracle.com/docs/cd/B19306_01/backup.102/b14192/maint002.htm
http://users.telenet.be/oraguy.be/rman1.htm
http://download.oracle.com/docs/cd/E11882_01/backup.112/e10643/toc.htm

Wednesday, January 20, 2010

Lines on Cisco routers

Lines on Cisco routers are physical async serial ports on the router (such as a terminal or modem), a virtual network connection, or another type of serial line on the router. To see which lines you have on your router, use the show line command. Example: show line serial 0/0

Use the show line summary command to get a nice overview.

The console port doesn't need any introduction. The CTY port is, of course, where you configure the router when it’s brand-new — before it has any IP address configuration. The console port is a serial port, so you must have a PC/laptop with a serial interface and connect to the console with a rolled cable, which should be included with your newly arrived devices :)

Once you’ve used the console port to configure the router’s network configuration, it isn’t common to have to use it again. However, it’s good to know that it’s there if anything ever goes wrong. In addition, you should secure the console port to keep someone from connecting to it when you aren’t around.

While not all routers these days have an AUX port, the AUX port is the auxiliary port. Think of it as a secondary console port. The AUX ports don’t get a lot of use except to access the router if locked out of the console port. In the past, network admins would connect modems to the AUX ports so they could dial into their routers. Like the console port, the AUX port is a serial port, and you should also take steps to secure it.

VTY ports are virtual TTY ports, used to Telnet or SSH into the router over the network. You can use them to connect to the router to make configuration changes or check the status. Most routers have five VTY ports, numbered 0 to 4. That means you can have up to five concurrent network admins configuring the router at one time.
 

Remember that you can always use the clear line command to clear out a connection on a router line if you run into a problem.

Day 16: Private Networks and NAT

A device directly connected to the Internet has a public IP address, which is routable. The number of public IP addresses is limited, so RFC 1918 reserves class A, B and C networks for private use on an internal network. These addresses can be reused for multiple internal networks because the networks are not visible to the Internet or to each other.

I've mentioned them a few times but once again a quick overview:
  • one class A address for private networks: 10.0.0.0, >16 million private addresses
  • 16 class B networks for private use: 172.16.0.0 to 172.31.0.0, each network allows > 65000 private addresses
  • 256 class C networks for private use: 192.168.0.0 to 192.168.255.0, each network allows up to 254 private addresses
A router running NAT and PAT can allow devices on a private network to share a single public IP address and communicate over the Internet. Devices on a private network behind a router running NAT are not directly accessible on the Internet, providing additional security.

Oracle DBA - managing listener.log

As the listener.log file grows, we'll want to remove or rename it. This will fail as it's "being used by another process".
The DBA can simply stop the service, rename/remove the file and restart the service. This can be problematic for users attempting to connect while the listener's down.

Here's a good way to do this without stopping the TNS listener process. This'll work on Windows and with some small changes on Linux as well (ren = mv):
C:\>cd \oracle\product\10.2.0\db_1\NETWORK\log
C:\oracle\product\10.2.0\db_1\NETWORK\log>lsnrctl set log_status off
C:\oracle\product\10.2.0\db_1\NETWORK\log>ren listener.log listener.old
C:\oracle\product\10.2.0\db_1\NETWORK\log>lsnrctl set log_status on

In Oracle 11g, the listener log files are by default located in /diag/tnslsnr/product_name/listener. The nice feature of the listener log file in this version is that whenever the log file grows to 10MB, Oracle starts writing to a new file, so the log file will never be too large to open for troubleshooting. Over time, you will have a lot of 10MB log files in the directory. An Oracle DBA needs to manage the listener log files regularly so that they do not take up too much space on the server.

This is a great link with DBA Tips: http://www.idevelopment.info/

Monday, January 18, 2010

Day 17: DNS Operation

All hosts have a HOSTS file that matches names to IP addresses. This file is consulted first to resolve a name. Obviously it's impossible to keep everything in a file, so a DNS server performs this task on a network. If you want to verify that you can reach a DNS server, use the nslookup utility: http://technet.microsoft.com/en-us/library/cc725991(WS.10).aspx

The domain naming system has these components: resource records and domain namespace, domain name servers and resolvers. The hierarchy of the domain name system begins at the top with top-level domains such as .com and .org; they can also represent countries. These are followed by second-level domains such as cisco, under which specific hosts such as mail are named.

So, what happens if a host wants to resolve a Domain Name System (DNS - port 53) name such as mail.cisco.com? A name that points to a specific computer in a domain is a fully qualified domain name (FQDN). The host uses a resolver to query a DNS server inside its domain to get the IP address of mail.cisco.com. This DNS server is preconfigured (see ipconfig /all). You could use the well-known 4.2.2.2, but there's always a security risk in using one that you're not authorized to use.
  1. The DNS server (usually from our ISP) receives the request and checks its local records. If the DNS server cannot resolve the domain name, it forwards the request to another preconfigured DNS server. The local DNS server may query a root DNS server to discover the location of top-level.com domain name servers.
  2. The top-level DNS server, once queried, responds with the location of the cisco.com DNS server for the requested domain.
  3. The local DNS server queries the cisco.com DNS server for the location of mail.cisco.com. When the resolved name to IP address is returned, each DNS server caches the record for a limited amount of time.
  4. The local DNS server receives the returned request, temporarily caches the record and responds to the requesting host with the IP address for mail.cisco.com.
It's important to know that DNS zones can be broken into primary or secondary forward lookup or reverse lookup zones:
  • Primary and secondary: there can be primary and secondary forward lookup and reverse lookup zones. The primary zone is where you update records, and the secondary zone operates as a read-only backup copy of the primary zone.
  • Forward lookup zones: standard zone that resolves FQDNs to IP addresses.
  • Reverse lookup zones: this query works in reverse: a host wants to know the FQDN because it knows the IP address. Private networks use reverse lookup to identify host names on their local network. I've had some issues with this lately when we forgot to set this zone up during a rollout of hosts, we got the error Nonexistent domain when testing with nslookup.
It's a good idea to use redundant DNS servers!

There's good information and links on wikipedia: http://en.wikipedia.org/wiki/Domain_Name_System
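The four resolution steps above, with the caching that each server does, can be modelled as a chain of referrals from the root down to the authoritative server. The following is an added example written for this post, not code from the original author; the server names, the 198.51.100.x addresses (documentation range) and the 60-second TTL are constructed, and the empty in-addr.arpa zone reproduces the Nonexistent domain result mentioned under reverse lookup when no reverse zone was set up.

```python
import time


class NameServer:
    """A DNS server with authoritative records for its zone and referrals for delegated zones."""

    def __init__(self, name, records=None, delegations=None):
        self.name = name
        self.records = dict(records or {})          # fqdn -> address
        self.delegations = dict(delegations or {})  # zone -> NameServer to refer to

    def query(self, fqdn):
        if fqdn in self.records:
            return "answer", self.records[fqdn]
        # Longest matching delegated zone wins, e.g. "cisco.com" before "com".
        for zone in sorted(self.delegations, key=len, reverse=True):
            if fqdn == zone or fqdn.endswith("." + zone):
                return "referral", self.delegations[zone]
        return "nxdomain", None


class LocalResolver:
    """The preconfigured DNS server of the host: walks root -> TLD -> authoritative and caches."""

    def __init__(self, root, ttl=60.0):
        self.root = root
        self.ttl = ttl
        self.cache = {}   # fqdn -> (address, expiry)
        self.trace = []   # which server answered what, for the reader

    def resolve(self, fqdn, now=None):
        now = time.monotonic() if now is None else now
        cached = self.cache.get(fqdn)
        if cached and cached[1] > now:
            self.trace.append(f"cache hit for {fqdn}")
            return cached[0]
        server = self.root
        for _ in range(8):  # bound the referral chain so a bad delegation cannot loop forever
            kind, payload = server.query(fqdn)
            self.trace.append(f"{server.name}: {kind}")
            if kind == "answer":
                self.cache[fqdn] = (payload, now + self.ttl)  # cache for a limited time
                return payload
            if kind == "referral":
                server = payload
                continue
            raise LookupError(f"Nonexistent domain: {fqdn}")
        raise LookupError(f"referral chain too long for {fqdn}")


def reverse_name(ip):
    """Name a reverse lookup asks for: octets reversed under in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def build_example():
    # Constructed topology: root delegates com, com delegates cisco.com, no reverse zone data.
    cisco = NameServer("cisco.com NS", records={"mail.cisco.com": "198.51.100.25",
                                               "www.cisco.com": "198.51.100.80"})
    com = NameServer("com TLD NS", delegations={"cisco.com": cisco})
    arpa = NameServer("in-addr.arpa NS")
    root = NameServer("root NS", delegations={"com": com, "in-addr.arpa": arpa})
    return LocalResolver(root)


if __name__ == "__main__":
    r = build_example()
    print(r.resolve("mail.cisco.com"), r.trace)
```

Passing an explicit now lets you see the cache expire: a second query inside the TTL is answered from cache, one after it walks the chain again.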

Sunday, January 17, 2010

Day 18: NAT

If you've ever wondered why we're not all using IPv6 yet, the simple answer is Network Address Translation (NAT), and in particular NAT overload or PAT.

As seen on day 20, RFC 1918 identifies the private networks. These addresses don't allow us to connect to the Internet; Internet routers cannot route these private IP addresses (they get dropped). A router can however receive a public Internet-routable address from the ISP and provide Internet connectivity for the hosts on the local private network. The router uses NAT to exchange private IP addresses for a public IP address or a pool of public IP addresses. This translation allows an internal host to appear as though it has a public IP address. NAT also provides some basic security.

NAT was developed because of too few available IP addresses. Here are some terms:
  • inside local network: the privately addressed internal network connected to a router
  • inside local address: internal IP address assigned to a host on the inside, private network. This is usually a private IP address
  • outside global network: any network outside the local network that would also not recognize the private addresses assigned to hosts in the local network
  • inside global address: a registered, Internet-routable IP address that represents one or more inside local IP addresses to the outside world
  • outside local address: destination address of the packet while on the inside local network - typically the same as the outside global address. So it's the IP address of an outside host as it appears to the inside, private network.
  • outside global address: actual destination address of the intended external host on the Internet. The IP address assigned to a host on the outside network by the host's owner - usually a routable IP address.
Static NAT translates one private address to one public address. Dynamic NAT has a pool of public addresses to temporarily assign to internal hosts (the public address returns to the pool afterwards).
A router uses NAT overload, or port address translation (PAT), to allow multiple internal hosts to communicate with just one public IP address. The router uses source port numbers to identify the internal connection request. Note that this implies that internal hosts must initiate communications with outside networks. If you're wondering what happens if two hosts use the same source port (out of the 65535), it's simple: whoever gets there first gets that port and the other one gets a different one - for example 61751 would then become 61752.
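The translation table a PAT router keeps, including the source-port collision described above and the drop of unsolicited inbound traffic, is small enough to model directly. The following is an added example for this post, not Cisco code or the original author's; the inside global address 200.1.1.1 and the inside hosts are taken from the configuration further down, and the "next port up" rule on a collision follows the post's 61751/61752 illustration (a real router may choose the replacement port differently).

```python
class PatTable:
    """NAT overload (PAT): many inside local addresses share one inside global address,
    told apart by the translated source port."""

    def __init__(self, inside_global):
        self.inside_global = inside_global
        self.outbound = {}  # (inside_local_ip, inside_local_port) -> global port
        self.inbound = {}   # global port -> (inside_local_ip, inside_local_port)

    def _free_port(self, wanted):
        # Keep the host's own source port when free; on a collision walk upward (wrapping).
        port = wanted
        for _ in range(65535):
            if port not in self.inbound:
                return port
            port = port + 1 if port < 65535 else 1024
        raise RuntimeError("translation table full")

    def translate_out(self, src_ip, src_port):
        """Inside -> outside: returns the (inside global address, port) the packet leaves with."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            global_port = self._free_port(src_port)
            self.outbound[key] = global_port
            self.inbound[global_port] = key
        return self.inside_global, self.outbound[key]

    def translate_in(self, dst_port):
        """Outside -> inside: only ports an inside host opened are reachable; anything else is dropped."""
        return self.inbound.get(dst_port)

    def clear(self):
        """What 'clear ip nat translation *' does to the table."""
        self.outbound.clear()
        self.inbound.clear()

    def show(self):
        """Rows similar in spirit to 'show ip nat translations': inside global, inside local."""
        return sorted(f"{self.inside_global}:{gp} {ip}:{lp}" for (ip, lp), gp in self.outbound.items())


if __name__ == "__main__":
    t = PatTable("200.1.1.1")
    t.translate_out("192.168.1.2", 61751)
    t.translate_out("192.168.1.3", 61751)  # same source port: gets 61752
    print("\n".join(t.show()))
```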

To configure static NAT, you have to designate an inside interface (this is the interface connected to the private network). You also have to designate the interface connected to the outside world as the outside interface. Needed commands:
ip nat outside
ip nat inside
ip nat inside source static local-IP-address global-IP-address

We don't have to know the CLI for ICND1 but I'll give a quick overview, we're preparing for the CCNA - please try it with SDM (use GNS3 if needed).

Router#enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial 1/0
Router(config-if)#ip nat outside
Router(config-if)#interface fa 0/0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#ip nat inside source static 192.168.1.2 200.1.1.1

NAT with overload enables PAT (a many-to-one mapping). Use the access-list command to define the private address pool that you want to translate to a single IP address. An access list uses a wildcard mask instead of a subnet mask to identify the bits available for use as hosts in the pool. Needed commands (see the differences above):
access-list access-list-number permit  inside-network wildcard-mask
ip nat inside source list access-list-number interface interface overload
ip nat outside
ip nat inside
 
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)#ip nat inside source list 1 interface serial 1/0 overload
Router(config)#interface serial 1/0
Router(config-if)#ip nat outside
Router(config-if)#interface fa 0/0
Router(config-if)#ip nat inside
 
Look at 0.0.0.255 as a reversed subnet mask. The overload keyword allows the router to map multiple IP addresses to a single registered IP address (many-to-one) by using different source port numbers. Use show run and show ip nat translations to verify the NAT configuration. A useful command for testing/troubleshooting is debug ip icmp, which outputs any ICMP traffic processed by the router. Don't forget to turn it off with undebug all or u all. The clear ip nat translation * command clears all the NAT translations in the NAT table, which is useful for troubleshooting.
 
A useful link is http://www.9tut.com/ccna-lab-sim/52-ccna-nat-sim-question

Wednesday, January 13, 2010

Day 19: Assign Addresses

After having developed a logical topology and proper addressing scheme, we must assign the addresses to devices in our network. A host needs an IP address, default gateway and subnet mask. These can be assigned manually or obtained automatically by a Dynamic Host Configuration Protocol (DHCP) server.

In Windows we'll verify the IP configuration by using ipconfig /all
In Linux use the ifconfig command.

The default gateway for a host is typically the IP address of the connected interface on the router for the network. Each host on the network can then use the router as the gateway to other networks.

This is how we assign an IP address to the interface of a router (we've already shown it for a switch):

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 10.0.0.1 255.255.255.0
Router(config-if)#no shutdown
 
The configuration can be verified by using the known commands:
show interfaces
an example is Router#show interfaces fastEthernet 0/0
show running-config
show startup-config

Tuesday, January 12, 2010

Day 20: IP Addressing and Subnetting

An IP address is typically assigned to the NIC, routers need an IP address for each interface.

An IPv4 address is made up of 32 binary bits, divided into four octets and represented in decimal format. I'm not going to cover converting to decimal or binary! Only remember that the maximum decimal equivalent for an octet is 255, the minimum is obviously 0.

RFC 2460 proposed IPv6 in 1998 to increase the address space. For now it's enough to know that they're 128-bit addresses represented as 32 hexadecimal digits, broken into 8 groups of 4 digits separated by colons.
http://tools.ietf.org/html/rfc2460

An IP address contains a network portion and host portion. The first part is the network portion and the second is the host portion. The network portion is determined with the subnet mask, a 32-bit address in which the binary 1s identify the network portion. For example:
255.255.255.224 (or /27) - the last octet is 11100000

We also focus on the network address which has all 0s in the host portion and the broadcast address which has all 1s in the host portion. An example:
network address - 172.16.1.0
subnet mask - 255.255.255.0
first available host address - 172.16.1.1
broadcast address - 172.16.1.255
As you can see you always lose two host IP addresses from the possible combinations.

You probably know all the classes but I'll give a quick overview:
  • Class A, binary start is 0, first octet range 1-126, subnet mask is 255.0.0.0, 16777214 hosts, 8 bits network address
  • Class B, binary start is 10, first octet range 128-191, subnet mask is 255.255.0.0, 65534 hosts, 16 bits network address
  • Class C, binary start is 110, first octet range 192-223, subnet mask is 255.255.255.0, 254 hosts, 24 bits network address
  • Class D, binary start is 1110, first octet range 224-239, multicast
  • Class E, binary start is 1111, first octet range 240-255, used for research
The complete 127 range is used for loopback testing (TCPIP stack), you probably know the loopback address 127.0.0.1 but it actually works with all hosts in this range (127.255.255.255).

The RFC 1918 identifies the networks reserved for internal or private use:
http://tools.ietf.org/html/rfc1918
  • Class A: 10.0.0.0 to 10.255.255.255
  • Class B: 172.16.0.0 to 172.31.255.255
  • Class C: 192.168.0.0 to 192.168.255.255
I've mentioned multicast, this is used by devices that send multicasts to the hosts that are part of the multicast group. Might be used for videoconferencing or remote gaming.
Devices use broadcast addresses to communicate with all hosts on a network (ARP, DHCP). Directed broadcasts are forwarded to remote networks (normally all 1's are not forwarded).
Devices use unicast to communicate with another device, one-to-one.

When we divide a network beyond its default class, and use bits from the host portion as network bits; the router looks at the new mask and determines the network address regardless of the default class. This is called Classless Interdomain Routing (CIDR).

I'm not going to cover subnetting as there are a zillion good places to find more information, CBTNuggets explains it well, Todd Lammle, the Cisco Learning Discussions...

A great site to practice is http://www.subnettingquestions.com/
Updated with this great link as well: http://faculty.valleycollege.net/rpowell/jscript/subnet2.htm

I'll review "my way" with the current question: "What is the first valid host on the subnetwork that the node 10.201.251.121/20 belongs to?"
  • 10.201.251.121 is class A
  • /20 is 255.255.240.0, so third octet is important!
  • 4 network bits in the relevant octet, 12 subnet bits in total so 2^12 is 4096, so 4096 possible subnets. The formula is 2 to the n-th power where n is the number of network bits.
  • 4 host bits in the relevant octet so 2^4 is 16 (this is my block size or increment size). If we want the number of hosts it's 12 host bits (including last octet), so 2^12 minus 2 because we need to subtract 2 (network and broadcast address) so 4094 possible hosts
  • my block size is 16 so multiplications of 16 (0-16-32-48-64-80-96-112-etc), third octet is important and the closest to 251 is obviously 240
  • the network address is then 10.201.240.0, first possible address is 10.201.240.1 and broadcast is 10.201.255.255
Please note that I know the multiplications of 8 and 16 by heart, this makes it all a lot easier. However, I admit that my method is not the easiest :)
Contact me if you have questions.
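The method worked through above (default class, subnet bits, block size in the relevant octet, network, first host and broadcast) is easy to turn into a reusable calculator, which also gives an RFC 1918 check for the private ranges listed earlier and the "are host and gateway on the same subnet" test from the Day 13 post. The following is an added example, not code from the original author; it uses only the standard ipaddress module, and the addresses in the usage are the post's own 10.201.251.121/20 and 172.16.1.0/24.

```python
import ipaddress

# The RFC 1918 private networks as listed in the post.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def default_class_prefix(address):
    """Classful default prefix from the first octet: A = /8, B = /16, C = /24."""
    first = int(address.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E addresses have no default mask")


def subnet_facts(cidr):
    """Work a host/prefix through the post's method and return every intermediate value."""
    host, prefix = cidr.split("/")
    prefix = int(prefix)
    network = ipaddress.ip_interface(cidr).network
    subnet_bits = prefix - default_class_prefix(host)   # bits borrowed from the classful host part
    host_bits = 32 - prefix
    octet_index = (prefix - 1) // 8                      # 0-based octet where the mask ends
    bits_in_octet = prefix - octet_index * 8             # mask bits used inside that octet
    return {
        "mask": str(network.netmask),
        "relevant_octet": octet_index + 1,
        "block_size": 2 ** (8 - bits_in_octet),          # increment between subnets in that octet
        "subnet_bits": subnet_bits,
        "subnets": 2 ** subnet_bits,
        "host_bits": host_bits,
        "hosts": max(2 ** host_bits - 2, 0),             # minus network and broadcast
        "network": str(network.network_address),
        "first_host": str(network.network_address + 1),
        "last_host": str(network.broadcast_address - 1),
        "broadcast": str(network.broadcast_address),
        "private": any(network.network_address in r for r in PRIVATE_RANGES),
    }


def same_subnet(host_ip, gateway_ip, mask):
    """The Day 13 check: does the default gateway sit in the host's own subnet?"""
    net = ipaddress.ip_network(f"{host_ip}/{mask}", strict=False)
    return ipaddress.ip_address(gateway_ip) in net


if __name__ == "__main__":
    for key, value in subnet_facts("10.201.251.121/20").items():
        print(f"{key:15} {value}")
    print(same_subnet("192.168.1.50", "192.168.1.1", "255.255.255.0"))
```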

Monday, January 11, 2010

Day 21: Switch Troubleshooting

I had to take a few days off but we're back and today's topic is basic switch troubleshooting.
Basic troubleshooting starts at Layer 1 with switch hardware issues and continues to Layer 2 with possible switch software or configuration issues. Only last week I encountered a wrongly labeled old wall jack! The LED indicators are really helpful, so use them.

There's a variety of available show commands:
  • show running-config: running configuration stored in RAM on the switch
  • show startup-config: startup configuration stored in NVRAM on the switch
  • show version: Cisco IOS software version, image name, memory and processor on a switch
  • show interfaces: includes addressing and security
  • show mac-address-table
  • show port-security
Besides these we also have the Cisco Discovery Protocol. CDP can verify Layer 2 connectivity even when a Layer 3 IP address is not properly configured. It can also be used to learn about the hardware and software configuration of connected devices with CDP enabled.
  • no cdp run:  will disable CDP globally on a switch (from global configuration mode)
  • no cdp enable: will disable CDP on a specific interface (from interface configuration mode)
  • show cdp: shows whether it's running on a switch, no info about connected neighbors
  • show cdp neighbors: uses Layer 2 CDP communication to discover and display information about directly connected Cisco devices and their platforms
  • show cdp neighbors detail: this includes the Layer 3 IP address

Wednesday, January 6, 2010

Day 22: Switch Security

The switchport can be assigned a static MAC address:
mac-address-table static {host-mac-address} interface {interface} vlan {vlan}
and verified with show mac-address-table, cleared with clear mac-address-table

This is how we secure a switchport:
enter the interface mode:
S2(config)#interface fastEthernet 0/6
first we need to define whether the port is an access port (end host) or a trunk port. A trunk port is configured to carry multiple VLANs. Only access ports (with a single VLAN) can have port security enabled. Notice that the default mode is trunk!
S2(config-if)#switchport mode access
switchport port-security enables port security:
S2(config-if)#switchport port-security
S2(config-if)#switchport port-security maximum 1
this last command will not appear in show run because 1 is the default maximum!
easiest way is to allow the switch to dynamically learn the first MAC address by enabling sticky.
S2(config-if)#switchport port-security mac-address sticky
the switchport needs to go administratively down when a wrong device connects; the other violation modes are protect and restrict. The difference between these two is not that obvious: restrict will send a message.
S2(config-if)#switchport port-security violation shutdown
we can also manually configure a MAC address for this port (if we remove port security), notice global configuration:
S2(config)#mac-address-table static 0001.C7C1.E31C vlan 1 interface fastEthernet 0/6
use no mac-address-table... to remove it
S2(config-if)#end
S2#
 
when an unauthorized device connects to the port, the switch shuts it down. Once this has happened, the port must be administratively shut down and re-enabled to bring it back online.
S2(config-if)#shutdown
S2(config-if)#no shutdown
it's important to secure unused switch ports, use ranges instead of manually doing one interface at a time. You can secure it by disabling the port or putting the port in an unused VLAN.

Speed and duplex can be set on a switch port like this:
speed {speed-in-megabits-per-second}
duplex {half | full}

Other interesting show commands are:
show port-security
show interfaces
show vlan

As a sidenote: we can delete VLAN database information and erase the startup configuration with the following two commands in privileged EXEC mode:
delete flash:vlan.dat
erase startup-config

Tuesday, January 5, 2010

Day 23: Switch Configuration

Finally some action on switches, first connecting with a console (or rolled cable) and then a quick configuration:

The console configuration settings needed to connect to a Cisco device's console port are as follows:
  • Speed: 9600 bits per second
  • Data bits: 8
  • Parity: None
  • Stop bit: 1
  • Flow control: None
By default we land in user EXEC mode, which only offers commands that show basic information about the operation and connectivity.
Switch>enable
After entering enable we're in privileged EXEC mode. Here we can adjust the operation of the switch and view configuration files.
Switch#configure terminal
Global configuration mode allows us to configure the device and enter submodes for specific configurations (for example an interface).
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#line console 0
S1(config-line)#password cisco
S1(config-line)#login
S1(config-line)#line vty 0 4
S1(config-line)#password class
S1(config-line)#login
S1(config-line)#exit
S1(config)#enable password cisco
S1(config)#enable secret class
Remotely accessing a switch for management requires an IP address and basic security settings. This is done on the VLAN 1 interface, the logical interface used for management.
S1(config)#interface vlan 1
S1(config-if)#ip address 192.168.1.2 255.255.255.0
S1(config-if)#no shutdown
S1(config-if)#exit
Note that setting a default gateway for a switch is done in global configuration! Although a switch doesn't look at Layer 3 and above information, the default gateway is still necessary to remotely administer and configure the switch from another subnet.
S1(config)#ip default-gateway 192.168.1.1
S1(config)#exit
S1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]

Other basic commands are:
show history: will show by default the last ten commands used
terminal history size 20: changes the history size
service password-encryption: used to encrypt the passwords in a config (except enable secret), this is still no solid security measure because it can easily be cracked.
The banner motd is displayed upon connection to the switch either by Telnet or by the console port. The login banner is displayed before the username and password login prompts on a Catalyst switch. See my other post with an in-depth explanation.
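The commands above set up console and vty passwords, an enable password and an enable secret; the following added example (my own code, not from the original post) checks a saved config for the weak spots that setup leaves: a clear-text enable password kept beside the enable secret, no service password-encryption, line stanzas without login or password, and vty lines that still accept Telnet. Both configs are constructed samples with placeholder hashes; the hardened one uses login local and transport input ssh, which the post does not cover.

```python
"""Check the management-plane settings of a Cisco IOS switch config.

Added example, not from the original post. It parses two constructed configs
(one like the Day 23 example, one hardened) and reports weak login settings.
The secret hashes and type 7 strings are placeholders, not real values.
"""
import re
from typing import Dict, List

WEAK_CONFIG = """\
hostname S1
enable password cisco
enable secret 5 $1$constructed$placeholderhash
!
line con 0
 password cisco
 login
line vty 0 4
 password class
 login
!
ip default-gateway 192.168.1.1
"""

HARDENED_CONFIG = """\
hostname S1
service password-encryption
enable secret 5 $1$constructed$placeholderhash
username admin secret 5 $1$constructed$placeholderhash
!
line con 0
 password 7 constructedtype7string
 login
line vty 0 4
 login local
 transport input ssh
!
ip default-gateway 192.168.1.1
"""


def parse_lines(config: str) -> Dict[str, List[str]]:
    """Return {'con 0': [...], 'vty 0 4': [...]} for every 'line' stanza."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or another global command ends the stanza
    return stanzas


def audit_management(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    global_lines = [ln for ln in config.splitlines() if not ln.startswith(" ")]
    findings: List[str] = []

    def has(pattern: str) -> bool:
        return any(re.match(pattern, ln) for ln in global_lines)

    if not has(r"enable secret "):
        findings.append("no enable secret: privileged EXEC relies on the weaker enable password or nothing")
    elif has(r"enable password "):
        findings.append("enable password set alongside enable secret: it is ignored but stored in clear text, remove it")
    if not has(r"service password-encryption"):
        findings.append("service password-encryption missing: line passwords appear in clear text in show run")
    if not has(r"ip default-gateway "):
        findings.append("no ip default-gateway: management from other subnets will fail")

    for name, body in parse_lines(config).items():
        login_local = "login local" in body
        if login_local and not has(r"username \S+ secret "):
            findings.append(f"line {name}: login local but no username with a secret")
        elif not login_local and "login" not in body:
            findings.append(f"line {name}: no login, the password is never asked for")
        elif not login_local and not any(ln.startswith("password ") for ln in body):
            findings.append(f"line {name}: login without a password (vty refuses connections)")
        if name.startswith("vty") and "transport input ssh" not in body:
            findings.append(f"line {name}: transport input not limited to ssh, Telnet sends passwords in clear text")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_management(cfg) or "OK")
```

The check treats service password-encryption the way the post does: worth having so passwords are not readable over someone's shoulder, but not a substitute for a hashed enable secret and per-user secrets.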

Monday, January 4, 2010

Day 24: Switch Operation

As a reminder, each switch port is its own collision domain. A switch maintains a MAC table; when it doesn't know the port for a frame's destination MAC address it floods the frame out all other ports. It will not forward frames with errors or frames whose source and destination are the same. When we connect a hub to a switch port, the switch associates all MAC addresses of the devices connected to that hub with that one port.
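The learning and forwarding rules in that paragraph, as an added example (my own code, not from the original post): a minimal switch model that learns the source address, forwards known unicast out one port, floods unknown unicast and broadcasts out every other port, drops errored and same-source/destination frames, and filters traffic between two hosts that sit behind the same hub port. MAC addresses and port numbers are constructed.

```python
"""Model a learning switch's MAC table and forwarding decisions.

Added example, not from the original post. Port numbers and the constructed
MAC addresses below are illustrative; frames are (in_port, src, dst) tuples.
"""
from typing import Dict, List

BROADCAST = "ffff.ffff.ffff"


class LearningSwitch:
    def __init__(self, ports: List[int]) -> None:
        self.ports = list(ports)
        self.mac_table: Dict[str, int] = {}  # MAC -> port it was learned on

    def receive(self, in_port: int, src: str, dst: str, fcs_ok: bool = True) -> List[int]:
        """Process one frame and return the list of ports it is forwarded out of."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        if not fcs_ok or src == dst:
            return []  # errored frames and same-source/destination frames are dropped
        if src != BROADCAST:
            self.mac_table[src] = in_port  # learn (or move) the source address
        if dst == BROADCAST or dst not in self.mac_table:
            # flood: every port except the one the frame arrived on
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table[dst]
        if out_port == in_port:
            return []  # destination is on the same segment (e.g. behind a hub): filtered
        return [out_port]


def demo() -> Dict[str, int]:
    """Hosts A and B share a hub on port 3; C is on port 1 and D on port 2."""
    sw = LearningSwitch([1, 2, 3])
    sw.receive(3, "000a.000a.000a", BROADCAST)          # A broadcasts: learned on 3, flooded to 1 and 2
    sw.receive(3, "000b.000b.000b", "000a.000a.000a")   # B -> A: same hub port, filtered
    sw.receive(1, "000c.000c.000c", "000b.000b.000b")   # C -> B: known, sent out port 3 only
    sw.receive(2, "000d.000d.000d", "000c.000c.000c")   # D -> C: known, sent out port 1 only
    return dict(sw.mac_table)


if __name__ == "__main__":
    for mac, port in demo().items():
        print(f"{mac} -> port {port}")
```

The hub case is visible in the resulting table: both A and B map to port 3, so a frame between them is filtered rather than forwarded, which is the microsegmentation the later post describes.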

A switch port can operate in full-duplex mode, which allows it to send and receive data simultaneously. It can also work in half-duplex mode, in which it sends and receives alternately but not at the same time.

Switches attempt to autonegotiate the speed and either full- or half-duplex transmission when devices connect. If the device doesn't support autonegotiation, the switch will default to the speed of the other device and half-duplex. We can turn autonegotiation off and manually set a switch to full or half duplex and speed of the connection.

Switches can operate in store-and-forward mode, which means that the entire frame is received and its CRC checked before it is sent on (this introduces latency). They can also use cut-through mode, in which the switch looks at the first part of the frame (the destination address) and immediately begins forwarding it out the appropriate port. We also have modified cut-through, known as fragment-free switching: the first 64 bytes are checked before the frame is forwarded. Ethernet specs state that collisions should be detected during the first 64 bytes of the frame, but late collisions are still possible.
Switches use Spanning Tree Protocol (STP) to avoid switching loops and set ports as blocking, listening, learning or forwarding. This is needed when you have redundant links between switches, which is normal in modern network design.

To summarize, Layer 2 switches give us address learning, frame forwarding and filtering, and loop avoidance with the Spanning Tree Protocol.

Sunday, January 3, 2010

Day 25: Media Access Control

Ethernet media access control (MAC) defines how a transmission is prepared for the physical media, when a device can transmit over the wire, and how received transmissions are decoded.

An Ethernet frame is an OSI layer 2 PDU. Its maximum size is 64 bits and hosts do not process frames that are larger than 1518 bytes (giants) or smaller than 64 bits (runts).

As a reminder, the MAC address consists of 12 hexadecimal digits and is 48 bits or 6 bytes. Cisco prefers to group them in three groups of 4 digits, for example 0123.4567.89ab (the same address most other tools write as 01:23:45:67:89:ab).
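Because the same address shows up in colon, hyphen and Cisco dotted notation depending on the tool, here is an added example (my own code, not from the original post) that normalises all of them to the 48-bit value, converts back to either notation, and reads the address-type bits of the first octet, which is also how the all-ones broadcast address mentioned further down is recognised. The sample addresses are constructed.

```python
"""Normalise MAC address notations and decode the address-type bits.

Added example, not from the original post. Sample addresses are constructed;
the I/G and U/L bit positions are those of IEEE 802 addressing.
"""
import re
from typing import Dict

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def parse_mac(text: str) -> bytes:
    """Return the 48-bit address as 6 bytes; raise ValueError if malformed."""
    digits = re.sub(r"[:\-.]", "", text.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def cisco_format(mac: bytes) -> str:
    """Three groups of four hex digits, e.g. 0123.4567.89ab."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def colon_format(mac: bytes) -> str:
    """Six groups of two hex digits, e.g. 01:23:45:67:89:ab."""
    return ":".join(f"{b:02x}" for b in mac)


def is_broadcast(mac: bytes) -> bool:
    return mac == b"\xff" * 6


def is_multicast(mac: bytes) -> bool:
    """I/G bit: least significant bit of the first octet (broadcast is the all-ones case)."""
    return bool(mac[0] & 0x01)


def is_locally_administered(mac: bytes) -> bool:
    """U/L bit: second least significant bit of the first octet."""
    return bool(mac[0] & 0x02)


def oui(mac: bytes) -> str:
    """The vendor-assigned first 24 bits, in colon notation."""
    return colon_format(mac[:3])


def describe(text: str) -> Dict[str, object]:
    """Parse any notation and return the normalised forms and classification."""
    mac = parse_mac(text)
    return {
        "cisco": cisco_format(mac),
        "colon": colon_format(mac),
        "oui": oui(mac),
        "broadcast": is_broadcast(mac),
        "multicast": is_multicast(mac),
        "local": is_locally_administered(mac),
    }


if __name__ == "__main__":
    for sample in ("01:23:45:67:89:ab", "0001.C7C1.E31C", "FFFF.FFFF.FFFF"):
        print(sample, describe(sample))
```

Normalising before comparing matters in practice: a static entry typed as 0001.C7C1.E31C and a log line showing 00:01:c7:c1:e3:1c are the same address, and a naive string comparison would miss that.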

It's important to remember that only hosts with an IP address use an ARP request to find the destination MAC and create a socket to identify the device.

Let's discuss CSMA/CD (Carrier Sense Multiple Access Collision Detect):
many stations can transmit on the same cable with CSMA/CD and no station has priority over another (multiple access). Before a station transmits, it listens on the wire (carrier sense) to make sure that no other station is transmitting. If a collision occurs, the transmitting stations detect the collision and run a backoff algorithm: each station waits a random time before retransmitting.

The number of collision domains is increased by switches (and bridges) because switches filter and forward frames based on source and destination MACs. That ability is also called microsegmentation of the network. Switches still forward all frames with FFFF.FFFF.FFFF as destination MAC address because that is a broadcast frame; only routers do not forward these broadcasts. So, each switch port is its own collision domain and routers break up broadcast domains!

Layer 2 switches have these four advantages over bridges:
  • A high-speed backplane that enables multiple simultaneous conversations to occur.
  • Data-buffering capabilities that store and forward packets to the correct ports or port.
  • Higher port densities versus bridges.
  • Lower latency than bridges. Layer 2 switches are implemented in hardware, allowing millions of bits per second to be transmitted at the same time.

Day 26: Network Physical Media

Before finally moving on to working with switches, we can review a bit by viewing a short study video available at the Cisco Learning Home page:

Understanding the TCP/IP Internet Layer:
https://learningnetwork.cisco.com/docs/DOC-1301

A directed-broadcast address is an address that has all 1s in the host field. It allows the network administrator to address every host on a subnet. When directed broadcast is enabled (the ip directed-broadcast command on the receiving interface) the router translates the Layer 3 broadcast into a Layer 2 broadcast. It can be used to target all hosts in a subnet for remote management or administration services (WOL, DHCP relay). Note that current IOS disables this by default (no ip directed-broadcast), because a router that forwards directed broadcasts can be used to amplify traffic, so only enable it where you need it.

Unshielded twisted-pair (UTP) cabling is a type of twisted-pair cable that relies solely on the cancellation effects produced by the twisted wire pairs to limit electromagnetic interference (EMI) and radio frequency interference (RFI). UTP cable is often installed using an RJ-45 connector, and UTP cabling must follow precise specifications dictating how many twists are required per meter of cable. The advantages of UTP are ease of installation and low cost. A disadvantage of UTP is that it is more prone to EMI than other types of media.
Shielded twisted-pair (STP) cable combines the twisting techniques of UTP, but each pair of wires is wrapped in a metallic foil. The four pairs of wires are then wrapped in a metallic braid or foil. STP reduces electrical noise and EMI. STP is installed with an STP data connector but can also use an RJ-45 connector. An advantage of STP is that it is more resistant to outside interference; a disadvantage is that it is more expensive and difficult to install.
Both UTP and STP have a maximum cable length of 100m.

A coaxial cable carries electrical signals over a copper wire and is capable of longer lengths than UTP.
Fiber-optic cables send and receive data with pulses of light. Multimode is less expensive than single-mode but cannot go such long distances (2000m for multimode).

TIA/EIA defines the wiring schemes T568A and T568B for network cables.
A straight-through cable is used to connect unlike devices, like switch to router, hub to PC, switch to PC - think of it as things that are meant to be connected! They're wired the same way at both ends. This cable uses pins 1, 2, 3, and 6. The send and receive wires are not crossed.
Crossover cables are used to connect like devices, like pc to pc, hub to hub, switch to switch but also hub to switch! It's a cable that has the send and receive wires crossed at one of the ends. In a Category 5 cable, the 1 and 3 wires are switched and the 2 and 6 wires are switched at one end of the cable.
A console cable is used to connect to the console port on a router or switch for configuring the device. It's also called a rolled cable.
A serial cable is used to connect a router to an Internet connection.
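The straight-through versus crossover rule and the 1/3 and 2/6 swap above, as an added example (my own code, not from the original post). It models the T568A and T568B colour maps, derives which pins a cable wired A on one end and B on the other actually swaps, and picks the cable for a pair of devices based on which pins they transmit on. The device table (PC and router transmit on 1,2; switch and hub on 3,6) is an assumption used for illustration.

```python
"""Choose the Ethernet cable for two devices and derive a crossover's pin swaps.

Added example, not from the original post. The TX_PINS table is an assumption
for illustration; it encodes which side sends on pins 1,2 versus 3,6.
"""
from typing import Dict, Set

T568A: Dict[int, str] = {1: "white-green", 2: "green", 3: "white-orange", 4: "blue",
                         5: "white-blue", 6: "orange", 7: "white-brown", 8: "brown"}
T568B: Dict[int, str] = {1: "white-orange", 2: "orange", 3: "white-green", 4: "blue",
                         5: "white-blue", 6: "green", 7: "white-brown", 8: "brown"}

# Which pins each device type transmits on (assumption for the example):
# end stations and routers send on 1,2; switches and hubs send on 3,6.
TX_PINS: Dict[str, str] = {"pc": "1,2", "router": "1,2", "server": "1,2",
                           "switch": "3,6", "hub": "3,6"}


def cable_type(end_a: Dict[int, str], end_b: Dict[int, str]) -> str:
    """Straight-through if both ends use the same wiring scheme, else crossover."""
    return "straight-through" if end_a == end_b else "crossover"


def pin_mapping(end_a: Dict[int, str], end_b: Dict[int, str]) -> Dict[int, int]:
    """For each pin at end A, the pin the same physical wire lands on at end B."""
    pin_by_colour_b = {colour: pin for pin, colour in end_b.items()}
    return {pin: pin_by_colour_b[colour] for pin, colour in end_a.items()}


def swapped_pins(end_a: Dict[int, str], end_b: Dict[int, str]) -> Set[int]:
    """Pins that do not map to themselves, i.e. the crossed send/receive wires."""
    return {p for p, q in pin_mapping(end_a, end_b).items() if p != q}


def required_cable(device_a: str, device_b: str) -> str:
    """Straight-through between unlike devices, crossover between like devices."""
    if TX_PINS[device_a] == TX_PINS[device_b]:
        return "crossover"  # both transmit on the same pins, so the cable must cross them
    return "straight-through"


def rollover_mapping() -> Dict[int, int]:
    """A console (rolled) cable reverses the pin order: 1<->8, 2<->7, ..., 4<->5."""
    return {p: 9 - p for p in range(1, 9)}


if __name__ == "__main__":
    print("A-to-B cable:", cable_type(T568A, T568B), "swaps", sorted(swapped_pins(T568A, T568B)))
    for pair in (("switch", "router"), ("hub", "pc"), ("hub", "switch"), ("pc", "pc")):
        print(pair, "->", required_cable(*pair))
```

Running it confirms the post's lists: switch to router, hub to PC and switch to PC come out straight-through, while PC to PC, hub to hub, switch to switch and hub to switch come out crossover, and a T568A/T568B cable swaps exactly pins 1, 2, 3 and 6. Most current switch ports also do auto-MDIX and will cross the pairs themselves, so the wrong cable usually still works, but the exam and older gear expect the rule as stated.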

Ethernet IEEE 802.3 (10BASE or baseband signal rate of 10Mbps)
  • 10BASE2: Known as thin Ethernet, this specification uses thin coaxial cable as its medium and provides access for multiple stations on the same segments.
  • 10BASE5: Called thick Ethernet, this specification uses a thick coaxial cable as its medium. The maximum segment length of 10BASE5 is over twice that of 10BASE2.
  • 10BASE-T: This specification provides access for a single station only, so all stations connect to a switch or hub. The physical topology of 10BASE-T is that of a star network. It uses unshielded twisted-pair (UTP) cable Category 3, 4, 5, and 5e as its network medium.
Fast Ethernet IEEE 802.3u (raises Ethernet standard of 10Mbps to 100Mbps)
  • 100BASE-FX: Uses two strands of multimode fiber-optic cable as its medium and has a maximum segment length of 400 meters. 
  • 100BASE-T: Defines UTP as its medium and has a maximum segment length of 100 meters. 
  • 100BASE-T4: Uses four pairs of Cat 3 to 5 UTP as its medium. It maximum segment length is 100 meters. 
  • 100BASE-TX: Specifies two pairs of UTP or shielded twisted-pair (STP) cable as its medium with a maximum segment distance of 100 meters.
We also have these Gigabit possibilities:
  • 1000BASE-T: 100 meters 
  • 1000BASE-LX: 550 meters for multimode fiber, 10 km for single-mode fiber 
  • 1000BASE-SX: 250 meters for multimode fiber, 550 meters for single-mode fiber 
  • 1000BASE-CX: 25 meters

Friday, January 1, 2010

Day 27: Troubleshooting and LAN versus WAN

The OSI and TCP/IP models provide an excellent framework for troubleshooting. You can isolate the network issues to a particular layer and test the protocols and configurations for that layer.
You can work top down, starting with the application layer (are other apps working?), or bottom up, asking whether the problems are caused by media connections or power to a device. Experienced troubleshooters will often begin at the layer indicated by the symptoms of a particular problem; this is called divide and conquer. In addition to this you could troubleshoot through trial and error or substitution.
  • ipconfig shows the IP configuration.
  • ping tests the network layer connectivity between devices.
  • tracert tests connectivity and displays each hop.
  • netstat shows current TCP/IP network connections to the device and protocol statistics.
  • nslookup queries the configured name server for DNS information.
As a reminder of yesterday: a physical topology represents the location of the hardware and the logical topology represents how the devices use the network.
LANs today often represent the logical grouping of hosts for a single organization. Network administrators typically refer to the network they maintain in their building(s) as a LAN or a private intranet. LANs support high data transfer rates over Ethernet or wireless protocols in a smaller geographic area.
A wide-area network (WAN) provides relatively lower data transfer rates over a larger geographical area. These connections can be symmetric or asymmetric. An asymmetric connection typically has a faster download speed than upload speed. Symmetric connections on the other hand provide the same upload and download speed.

These are some WAN connections:
  • A point-to-point (PPP) connection provides a specific dedicated path through the TSP network to connect two LANs over large distances.
  • A circuit-switched WAN connection allows the client to create and close connections over the TSP network (uses the entire connection); it operates like a phone call - an example is ISDN.
  • A packet-switched WAN connection allows multiple clients to share a single connection (uses a virtual circuit). An example is Frame Relay.
WANs operate at the physical and data link layers of the OSI model.