IT vault

proxy prevents ppm to access ActiveState Package Repository

2010-03-22T07:56:00.000-07:00

When you're trying to install packages with Perl Package Manager (ppm) in a Windows environment a proxy will block the connection to it's repository.

Avoid this by setting the environmental variable HTTP_PROXY like this:

set http_proxy=http://username:password@proxy.net:8080

checking sessions to an Oracle database

2010-03-22T02:58:00.000-07:00

Checking the maximum number of sessions:
SQL> select name, value from v$parameter where name='sessions';

Checking the number of currently active sessions:
SQL> select count(*) from v$session;

Looking for blocking sessions:

SQL> select blocking_session from v$session where blocking_session is not NULL;

Looking for idle sessions (more than 24 hours in this example):

SQL> select username from v$session where username is not NULL and status='inactive' and last_call_et/60/60>=24;

Please note that you'll need to be connected as sysdba!

Useful links:
http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:209412348074#tom26247484939076

connecting to a database with sqlplus

2010-03-13T12:54:00.000-08:00

Here are some examples:

sqlplus user/password@alias
Here the alias has to be resolved into the full name. This can be done with the tnsnames.ora file or by contacting an LDAP directory. Alternative is to provide all the connect details in line.

sqlplus sys/oracle@orcl as sysdba
While this is handy it's also a potential security risk. In Linux/Unix it might show up in show processes. Before 10g you could use quotes like sqlplus "/ as sysdba", now you safely login with sqlplus / as sysdba

sqlplus /nologon
This prevents the immediate login prompt. Afterwards you connect from the SQL prompt:
SQL> connect sys/oracle@orcl as sysdba
Please note that it's not always necessary to specify the sid.

listener.ora – tnsnames.ora – alert log

2010-03-09T08:14:00.000-08:00

listener.ora
The listener is a server-side process that listens for database connection requests from user processes and launches dedicated server processes to establish sessions. The sessions become the connections between the user process and the database unless shared servers are in use, in which case a dispatcher process is used to share time to shared server processes.

With local naming the user supplies an Oracle Net service alias for the connect string and this is resolved by a local file into the full network address. This local file is the tnsnames.ora file. There's no need for any relationship between the alias, service name and the instance name - it's recommended to keep them the same! The Service Naming branch of the Net Manager creates or edits the Local Naming tnsnames.ora file that resides in ORACLE_HOME/network/admin directory.

You can configure several listeners in the listener.ora file but they must all have different names and addresses. Under Windows the listener will run as a Windows service, but there's no need to create the service explicitly; it'll be created implicitly the first time the listener is started.

A listener finds out about instances by the process of "registration". For static registration, you hard-code a list of instances in the listener.ora file. Dynamic registration means that the instance itself, at startup time, locates a listener and registers with it.

You can start and stop listeners through Database Control, but there's also a command-line utility lsnrctl.

The tnsnames.ora file is a client-side file used for name resolution. It is used by user processes to locate database listeners. It may also be used the instance itself, to locate a listener with which to register.

TNS stands for Transparent Network Substrate

The heart of Oracle Net, a proprietary layered protocol running on top of whatever underlying network transport protocol you choose to use - probably TCP/IP.

The Oracle Net files by default exist in the directory ORACLE_HOME/network/admin. It's possible to relocate them with an environment variable: TNSADMIN. Mainly on systems that have several Oracle Homes. Example on Windows:

set TNSADMIN=c:\oracle\net

alert_.log

The standard Oracle alert log location defined by the initialization parameter DIAGNOSTIC_DEST or USER_DUMP_DEST.

The alert log file, located in the directory specified by the initialization parameter BACKGROUND_DUMP_DEST, contains the most significant routine status messages as well as critical error conditions. When the database is started up or shut down, a message is recorded in the alert log, along with a list of initialization parameters that are different from their default values. In addition, any ALTER DATABASE or ALTER SYSTEM commands issued by the DBA are recorded. Operations involving tablespaces and their datafiles are also recorded here. All error/critical conditions are recorded. The alert log file can be deleted or renamed at any time; it's re-created the next time an alert log message is generated. The trace files for the Oracle instance background processes are also located in BACKGROUND_DUMP_DEST. Trace files are also created for individual user sessions or connections to the database; these are located in the directory specified by the initialization parameter USER_DUMP_DEST. As of Oracle Database 11g Release 1, the diagnostics for an instance are centralized in a single directory specified by the initialization parameter DIAGNOSTIC_DEST.

The DBA will often set up a daily batch job to rename and archive the alert log on a daily basis.

The alert log is a continuous record of critical operations applied to the instance and the database. Its location is determined by the instance parameter BACKGROUND_DUMP_DEST, and its name is alert_SID.log where SID is the name of the instance. The alert log entry for a startup shows all the non-default initialization parameters. Locate the file with this command:

SQL> select value from v$parameter where name='background_dump_dest';

starting up an instance in different states

2010-03-04T08:16:00.000-08:00

NOMOUNT

startup nomount

Start the instance without mounting a database. This does not allow access to the database and usually would be done only for database creation or the re-creation of control files. The database instance has been started using initialization file, processes are started and memory is allocated.

MOUNT

alter database mount

Start the instance and mount the database, but leave it closed. This state allows for certain DBA activities, but does not allow general access to the database. The instance is started and the control file is opened, read but it's contents are not validated.

OPEN

alter database open

startup force restrict

Start the instance, and mount and open the database. Normal database operation means that an instance is started and the database is mounted and open. This mode allows any valid user to connect to the database and perform data access operations. This can be done in unrestricted mode, allowing access to all users, or in restricted mode, allowing access for database administrators only. Normal database operation means that an instance is started and the database is mounted and open. This mode allows any valid user to connect to the database and perform data access operations. If the database is opened then control file is validated against the physical structure of database. The database is verified that all of it's file are in consistent state. If any of the file is not in consistent state, we may need some sort of recovery.

Beginning with Oracle Database 11g Release 2, the preferred (and platform-independent) method of configuring automatic startup of a database is Oracle Restart. Oracle Restart improves the availability of your Oracle database. When you install Oracle Restart, various Oracle components can be automatically restarted after a hardware or software failure or whenever your database host computer restarts.

References:

http://forums.oracle.com/forums/thread.jspa?messageID=3750464

http://download.oracle.com/docs/cd/E11882_01/server.112/e10595/start001.htm#i1006285

http://download.oracle.com/docs/cd/E11882_01/server.112/e10595/restart005.htm#srvstartdb1

http://download.oracle.com/docs/cd/E11882_01/server.112/e10595/restart.htm#BABGIGDB

ip tcp adjust-mss command

2010-03-04T02:08:00.000-08:00

While a host will know the MTU of its own interface and possibly that of its peers (from initial handshakes), it will not initially know the lowest MTU in a chain of links to any other peers.
To get around this issue, IP allows fragmentation: dividing the datagram into pieces, each small enough to pass over the single link that is being fragmented for, using the MTU parameter configured for that interface.
RFC 1191 (IPv4) and RFC 1981 (IPv6) describe "Path MTU discovery", a technique for determining the path MTU between two IP hosts. It works by setting the DF (Don't Fragment) option in the IP headers of outgoing packets. Any device along the path whose MTU is smaller than the packet will drop such packets and send back an ICMP "Destination Unreachable (Datagram Too Big)" message containing its MTU. This information allows the source host to reduce its assumed path MTU appropriately. The process repeats until the MTU becomes small enough to traverse the entire path without fragmentation.
Unfortunately, increasing numbers of networks drop ICMP traffic (e.g. to prevent denial-of-service attacks), which prevents path MTU discovery from working. One often detects such blocking in the cases where a connection works for low-volume data but hangs as soon as a host sends a large block of data at a time
Most Ethernet LANs use an MTU of 1500 bytes (modern LANs can use Jumbo frames, allowing for an MTU up to 9000 bytes); however, border protocols like PPPoE will reduce this.
he difference between the MTU seen by end-nodes (e.g. 1500) and the path MTU causes path MTU discovery to come into effect, with the possible result of making some sites behind badly-configured firewalls unreachable. One can possibly work around this, depending on which part of the network one controls; for example one can change the MSS (maximum segment size) in the initial packet that sets up the TCP connection at one's firewall.

Sometimes the demands of efficiency encourage artificially declaring a reduced MTU in software below the true maximum possible length supported - for example: where an ATM (Asynchronous Transfer Mode) network carries IP traffic. Some providers, particularly those with a telephony background, use ATM on their internal backbone network.

ATM operates at optimum efficiency when packet length is a multiple of 48 bytes. This is because ATM is sent as a stream of fixed-length packets (known as 'cells'), each of which can carry a payload of 48 bytes of user data with 5 bytes of overhead for a total cost of 53 bytes per cell. Artificially declaring a reduced MTU in software maximises protocol efficiency at the ATM layer by making the ATM AAL5 total payload length a multiple of 48 bytes whenever possible.
RFC 2516 prescribes a maximum MTU for PPPoE/DSL connections of 1492: a PPPoE header of 6 bytes, leaving enough room for a 1488 byte payload, or 31 full ATM cells.

The TCP MSS Adjustment feature enables the configuration of the maximum segment size (MSS) for transient packets that traverse a router, specifically TCP segments in the SYN bit set, when PPP over Ethernet (PPPoE) is being used in the network. PPPoE truncates the Ethernet maximum transmission unit (MTU) 1492, and if the effective MTU on the hosts (PCs) is not changed, the router in between the host and the server can terminate the TCP sessions. The ip tcp adjust-mss command specifies the MSS value on the intermediate router of the SYN packets to avoid truncation.

When a host (usually a PC) initiates a TCP session with a server, it negotiates the IP segment size by using the MSS option field in the TCP SYN packet. The value of the MSS field is determined by the maximum transmission unit (MTU) configuration on the host. The default MSS value for a PC is 1500 bytes.
The PPP over Ethernet (PPPoE) standard supports a MTU of only 1492 bytes. The disparity between the host and PPPoE MTU size can cause the router in between the host and the server to drop 1500-byte packets and terminate TCP sessions over the PPPoE network. Even if the path MTU (which detects the correct MTU across the path) is enabled on the host, sessions may be dropped because system administrators sometimes disable the ICMP error messages that must be relayed from the host in order for path MTU to work. The ip tcp adjust-mss command helps prevent TCP sessions from being dropped by adjusting the MSS value of the TCP SYN packets. The ip tcp adjust-mss command is effective only for TCP connections passing through the router. In most cases, the optimum value for the max-segment-size argument is 1452 bytes. This value plus the 20-byte IP header, the 20-byte TCP header, and the 8-byte PPPoE header add up to a 1500-byte packet that matches the MTU size for the Ethernet link.
If you are configuring the ip mtu command on the same interface as the ip tcp adjust-mss command, it is recommended that you use the following commands and values:
ip tcp adjust-mss 1452
ip mtu 1492

Example:
XXXNR>enable
XXXNR#conf t
Enter configuration commands, one per line. End with CNTL/Z.
XXXNR(config)#interface vlan 104
XXXNR(config-if)#ip tcp adjust-mss 1250
XXXNR(config-if)#end
XXXNR#copy run start

References:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html
http://en.wikipedia.org/wiki/Maximum_transmission_unit
http://help.expedient.net/broadband/mtu_ping_test.shtml
> MTU Ping Test

client-identifier command

2010-03-02T10:35:00.000-08:00

Router(dhcp-config)#client-identifier unique-identifier

Specifies the unique identifier for DHCP clients. This command is used for DHCP requests. DHCP clients require client identifiers. The unique identification of the client is specified in dotted hexadecimal notation, for example, 01b7.0813.8811.66, where 01 represents the Ethernet media type. Every request sent from a DHCP client to DHCP servers contains a hardware type and a client hardware address. For Ethernet and 802.11 wireless clients, the hardware type is always 01. The client hardware address is simply the MAC address of the client's network (Ethernet or Wireless) interface. Every request sent from a DHCP client to DHCP servers may optionally also contain a DHCP Client Identifier option. This is an arbitrary value that may be used to identify a client instead of the hardware type and client hardware address. Traditionally, the DHCP Client Identifier (when present) has been set to a value equal to the hardware type followed by the client hardware address. (For example, 01 00 01 02 a0 bc d3.)

Example:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip dhcp pool AccessPoint1
Router(config)#client identifier 01ab.cdef.ghij.kl
Router(config)#client-name AccessPoint1

References:
http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfdhcp.html#wp1001108

Earned my Cisco CCENT

2010-03-01T10:05:00.000-08:00

Today I finally took the Cisco ICND1 exam and passed without any real problems.
As we're not allowed to discuss it, let me just say that you really need to understand it and get some hands on experience.

Day 1: ICND1 Last Review (WAN basics, NAT/PAT terminology and RIP)

2010-02-28T02:37:00.000-08:00

My ICND1 exam is booked on monday but I didn't have much time this week so I'll focus mainly on WAN connections, namings in NAT/PAT and RIP.

There are two major categories for WANs:

Dedicated: point-point lines provide a preestablished WAN communications path from the customer premises through the provider network to a remote destination. Usually leased from a carrier and obviously called leased lines.
Switched:

Circuit-Switched: dynamically establishing a dedicated virtual connection. Before communication can start it's necessary to establish the connection through the network of the service provider. Examples are PSTN and DSL (I know it's also a bit packet-switched but for the exam I'll keep it to this).
Packet-Switched: because data flow fluctuates (nobody uses 100% bandwith all the time) so in these networks the data is transmitted in labeled cells, frames or packets. There's no dedicated path between source and destination endpoints, allowing for the sharing of connection links and common carrier resources for data transmission. The carrier can create virtual circuits between customer sites. When the customer is not using the full bandwith on its virtual circuit, the carrier, through statistical multiplexing, can make the unused bandwith available to another customer. Examples are Cable, Frame Relay.
Cell-Switched: an example is ATM and it uses small fixed-size cells of 53 bytes (48 bytes for data).

NAT connects two networks together and translates the private addresses (inside local) in the internal network into public addresses (inside global) before packets are forwarded to another network. The inside network is the set of networks that are subject to translation, the outside network refers to all other addresses.

inside local address: the IP address assigned to a host on the inside network, likely not assigned by the NIC or service provider.
inside global address: a legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.
outside local address: the IP address of an outside host as it appears to the inside network, not necessarily legitimate, it's allocated from an address space routable on the inside.
outside global address: the IP address assigned to a host on the outside network by the host owner. This address is allocated from a globally routable address or network space.

You can verify the NAT and PAT configuration by using
show ip nat translation to display active translations and
clear ip nat translation * to clear all dynamic address translation entries (they'll time out after 24 hours by default).

Static routes are commonly used when you're routing from a network to a stub network. This stub network or leaf node is a network accessed by a single route. They can also be useful for specifying a "gateway of last resort" to which all packets with an unknown destination address will be sent. Obviously the static route must be configured in both directions for end-to-end connectivity. An example:
ip route 172.16.1.0 255.255.255.0 172.16.2.1
Don't mix it up with default route, for this you also give the IP address of the next-hop router to be used as default for packet forwarding, an example:
ip route 0.0.0.0 0.0.0.0 172.16.2.2
The ip classless command tells the route not to drop packets that are destined for a network that's not in the routing table, but to use the default route instead. If you don't use the ip classless command, packets like that would be dropped before being sent to the default route. (ip classless is on by default in IOS 12.x.).

It's recommended to set the bandwith command on the serial interface, this provides a minimum bandwith guarantee during congestion (used by some routing protocols). It has no effect on the actual speed of the line. Bandwith refers to the rate at which data is transferred over the communication link.
1DS0 = 64 kb/s
24DS0s = DS1 or T1 = 1.544 Mb/s

The show controller command displays information about the physical interface itself. Very useful to termine the type of cable connected to the serial interface. Please note that this information is determined when the router initially starts!

High-Level Data Link Control (HDLC) protocol specifies an encapsulation method for data on synchronous serial data links using frame character and checksum. HDLC supports both point-to-point and multipoint configurations and includes a means for authentication. HDLC may not be compatible between vendors from different vendors. There's a Cisco implementation of HDLC which is the default encapsulation for serial lines, as you probably know it doesn't show up in running-config! Cisco HDLC has no windowing or flow control, and only point-to-point connections are allowed. The Cisco HDLC implementation includes proprietary extensions in the data field to allow multiprotocol support at a time before PPP was specified. Use ppp when interoperability is required.

Routing protocols (like RIP, EIGRP) are used between routers to determine paths and maintain routing tables. After the path is determined, a router can route a routed protocol (like IP).

An autonomous system is a collection of networks under a common administrative domain. IGPs operate within an autonomous system and EGPs connect different autonomous systems.

Classful routing protocols do not include the subnet mask with the route advertisements (most distance vector routing protocols). When a classful routing protocol is used, all subnetworks of the same major network must use the same subnet mask. Routers that are running a classful routing protocol perform automatic route summarization accross network boundaries. When receiving a routing update packet, the router will apply the default classful mask if the routing update information contains a major network that is different! If the routing update information contains the same major network number as is configured on the receiving interface, the router applies the subnet mask that is configured on the receiving interface.
Classless routing protocols include the subnet mask with the route advertisement, they support variable-length subnet mask (VLSM). The summarization process is controlled manually and can usually be invoked at any bit position with in the address. Manual summarization may be required to keep the size of the routing tables manageable.

RIP is capable of load-balancing over as many as 16 equal-cost paths (default = 4).
RIPv1: classful, no VLSM, subnet mask is not send, broadcast, no manual route summarization and no authentication support.
RIPv2: classless, VLSM, subnet mask is sent, multicast, manual route summarization, authentication support.

router rip command starts the RIP routing process.
version 2 enables RIP version 2
network 10.0.0.0 selects the participating attached networks and requires a major classful network number!
Use the show ip protocols command to display values about routing protocols and the routing protocol timer information associated with the routers. Important values is the flushed field (240 seconds) which specifies the time after which the individual routing information will be thrown out. The hold down (180 seconds) field: an update to a route that was down and is now up will stay in the hold down (possibly down) state until 180 seconds have passed.

show users - show sessions

2010-02-19T02:23:00.000-08:00

If you want to see who's logged onto a router, use command show users

BE-607NR01#show users
    Line       User       Host(s)              Idle       Location
* 6 vty 0     admin      idle                 00:00:00 10.32.20.1
   7 vty 1     admin      idle                 00:00:22 10.32.20.7

Interface    User               Mode         Idle     Peer Address
Vi3                             PPPoATM      00:00:00 80.1.2.2

This shows the open sessions to your router. The line with the * is the current session, where we used the command. If you want to kill an open Telnet session, use command clear line x

Reference:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/5.x/command/reference/sh_ti_tr.html#wp1028456

To see the active sessions from your remote device, use command show sessions
If you enter a sessionnumber you'll access it, use disconnect to leave.
Ctrl-Shift-6-x brings you back, it also suspends Telnet/SSH sessions.

XX-001NR01#show sessions

% No connections open

Another useful command is show line which gives a nice overview.

dash shell

2010-02-18T03:03:00.000-08:00

Just noticed that Ubuntu Server 9.10 has dash for default shell.

In case you're wondering what it is:

dash stands for Debian Almquist shell en is a POSIX-compliant implementation of /bin/sh that aims to be as small as possible. It does this without sacrificing speed where possible. In fact, it is significantly faster than bash (the GNU Bourne-Again SHell) for most tasks.

If you want to figure your current shell, the command is

echo $0

Changing the default shell can be done by the command

ln -sf /bin/bash /bin/sh

-s symbolic links instead of hard links

-f force

Useful links:

http://en.wikipedia.org/wiki/Debian_Almquist_shell

http://en.wikipedia.org/wiki/POSIX

Day 2: Studying Sample Exam Questions

2010-02-16T12:04:00.000-08:00

I'm probably not gonna be able to take the exam this weekend plus I'm booked for an Oracle course next week so I'll spend some extra time studying sample exam questions. This is gonna be an overview of interesting questions (for me) collected from various books and sites to review just before exam day.

This post will be updated till I take (and pass) the exam...

It is not possible to obtain CDP information about a remote device. Don't answer that you can use SSH or Telnet.
A CDP update packet has platform and device identifiers information.
show cdp entry * produces the same result as the show cdp neighbors detail command.
show cdp interface displays the frequency at which packets are sent, encapsulation type and holdtime for an interface where CDP is enabled. show cdp traffic displays CDP packet checksum errors. This is an example (thx to David L. from CLN):

P1R1#show cdp interface

FastEthernet0/0 is up, line protocol is down

Encapsulation ARPA

Sending CDP packets every 60 seconds

Holdtime is 180 seconds

FastEthernet0/1 is administratively down, line protocol is down

Encapsulation ARPA

Sending CDP packets every 60 seconds

Holdtime is 180 seconds

Serial0/0/1 is up, line protocol is up

Encapsulation HDLC

Sending CDP packets every 60 seconds

Holdtime is 180 seconds

P1R1#show cdp traffic

CDP counters :

Total packets output: 38, Input: 34

Hdr syntax: 0, Chksum error: 0, Encaps failed: 0

No memory: 0, Invalid packet: 0, Fragmented: 0

CDP version 1 advertisements output: 0, Input: 0

CDP version 2 advertisements output: 38, Input: 34

ROMMON is a low-level os normally used for manufacturing testing and troubleshooting.
If the boot field value is 0x2 then the router will check the startup-config file for boot system commands. The boot field is the low-order 4 bits of the configuration register in a Cisco router. the value in part tells the router where to look for a Cisco IOS image to load.
On most routers, the Cisco IOS software is loaded into RAM to run, but on some routers it's run directly from flahs memory.
show flash displays the amount of memory that's available where the IOS image is stored, don't mix this up with show run!
service timestamps command is used to add time stamps to a debug or log message.
The application layer is the most diverse area of the OSI model and the TCP/IP stack.

Day 3: WAN Connections

2010-02-15T13:11:00.000-08:00

A telecommunications service provider (TSP) can offer these WAN connection types:

Point-to-Point Protocol (PPP): a specific dedicated path through the TSP network that connects two LANs over a large geographic area. Typically leased lines.
Circuit-switched: allows the client to create and close connections over the TSP network. Think of the operation as phone call. Examples are ISDN or dialup network access.
Packet-switched: a client uses a software-managed virtual circuit over a shared connection. Examples are Frame Relay.

After connecting your router or customer premises equipment (CPE) device to the Channel Service Unit/Data Service Unit (CSU/DSU) provided by the ISP, you need to configure the interface on the router. If its a serial interface, the CSU/DSU provides the clock rate as the data circuit-terminating equipment (DCE) and your router acts as the data terminal equipment (DTE).

The Cisco default encapsulation for a serial interface is High-Level Data Link Control (HDLC). This is a Data Link layer protocol used to encapsulate and transmit packets over point-to-point links. It handles the transfer of data in full duplex, as well as link management functions. As an OSI standard, many vendors implement the HDLC protocol in their equipment. These are usually not interoperable. This is because the Cisco HDLC frame uses a proprietary "Type" field that may not be compatible with equipment of other vendors. When the HDLC frame format was defined, it did not enclude a field to identify the Network layer protocol that it was framing. As such, the OSI version of HDLC assumes that any link using HDLC is running only a single Network layer protocol like IP. This has led vendors to implement HDLC using a proprietary frame format that includes a type code field, thus allowing the Network layer protocol within a frame to be identified. Because of this proprietary nature, you should only use HDLC framing on point-to-point links when the routers at each end of a link is from the same vendor. In cases where you want to connect equipment from different vendors over a leased line, the Point-to-Point protocol (or PPP) should be used. Always remember that the router on both sides of a ppp link must be using the same data framing method in order to communicate. You can change the encapsulation to PPP as a more flexible, nonpropietary encapsulation. PPP supports authentication in clear-text Password Authentication Protocol (PAP) or encrypted Challenge Handshake Authentication Protocol (CHAP). A router can also use Frame Relay as an encapsulation. Frame Relay virtual circuits use HDLC encapsulation and each circuit is identified by a data link connection identifier (DLCI).

You can use the encapsulation command in interface configuration mode. An example is encapsulation ppp.

HDLC and PPP are layer 2 protocols. HDLC is actually the default protocol on all Cisco serial interfaces. If you do a show run on a Cisco router, your serial interfaces will have no encapsulation by default (it's HDLC)! Use a show interface serial ... to see that you're running HDLC.

You can select one of the following address types for a serial WAN connection:

A static IP address allows the administrator to manually enter the IP address and subnet mask. Available for PPP, Frame Relay and HDLC.
IP unnumbered sets the interface to match the IP address of another enabled interface on the router. Available for PPP, Frame Relay and HDLC.
IP negotiated is available for PPP and allows the router to obtain address information automatically from the ISP.

Day 4: Security Applications

2010-02-15T12:46:00.000-08:00

Besides antivirus, antispam and antispyware software you should make use of a firewall. This can come packaged as a standalone security appliance, a server-based firewall that installs on a network operating system (NOS), a module that can be installed or is integrated inside an existing router, or a personal firewall that installs on a network host. Firewalls are installed between two networks and can control traffic in the following ways:

Filter traffic based on destination and source IP address or MAC address, block websites based on url or keywords, and filter traffic based on the type of application used for network transmission.
Inspect incoming traffic and ensure that each incoming packet is a response to a legitimate outgoing request. This stateful packet inspection (SPI) can prevent DoS attacks.
Firewalls can also provide network address translation (NAT) for additional security on an internal network.

A firewall can protect users on the intranet but some network devices may need greater access. Servers outside the internal network protected by another firewall are in the demilitarized zone (DMZ). This is typically an area more secure than a direct connection to the Internet lcoated between an internal and external firewall. When setting up a smaller network, you can create a subnet and configure a single integrated router/firewall to provide DMZ levels of security to only specific devices. A standard DMZ allows incoming requests on standard server ports like 80, 21 and 110 (POP3). I bet you know the other two :)
On larger networks you usually design firewall security in layers. Border routers filter packets and route traffic to the DMZ or an internal firewall. The internal firewall only allows outside traffic that was specifically requested by an internal device. Additional internal firewalls may seperate and protect sensitive areas. These can provide an extra layer of security in case an internal host is infected.

Short overview of two types of sensors available to detect and prevent network intrusions:

Intrusion Detection Systems (IDS): monitors traffic on one port and notifies a management station. Can detect only the first malicious transmission but can reconfigure the router to block future attacks. Used on the network perimeter in front of a firewall to analyze attacks or behind a firewall to detect firewall configuration issues.
Intrusion Prevention Systems (IPS): traffic passes through the IPS in one port and out another which filters suspicious traffic in real time. Can examine the entire data packet from L7 to L2. Usually placed behind a firewall to further examine packets destined for the internal network.

Both are implemented as software (Cisco IOS ISP), hardware and Adaptive Security Appliance (ASA).

Network security can also be improved by:

Authentication requires users to verify their identity with a username and password using a RADIUS or TACACS server.
Authorization limits access for users based on rights assigned to the user account by the administrator.
Accounting tracks user network activity and application use.

Day 5: Security Threats

2010-02-15T11:42:00.000-08:00

These are some common techniques that focus on the user as the weak link:

Pretexting: an attacker masquerades as the helpdesk or creates a legitimate-sounding scenario to convince the user to reveal sensitive network information.
Phishing: an attacker sends an email posing as a legitimate organization and requests verification of account username and passwords.
Vishing/phone phishing: an attacker uses Voice over Internet Protocol (VoIP) to leave a message with a user that claims to be from a banking service with a callback number.

Attackers can also use software in many forms to gain access to a network:

Virus: typically attached to and activated within another legitimate program.
Worm: runs independently to send copies of itself.
Trojan horse: looks like a legitimate program to trick the user into intalling.
Denial of service (DoS): attackers also use bandwith and available connections to affect the network's operation. A DoS attack floods a network or server with traffic, preventing any legitimate connections or use.

Overview of various Network Service Attacks:

DoS - Synchronous (SYN) flooding: flooding a server with requests from a fake IP address and cause the server to use resources responding to these requests.
DoS - Ping of death: attackers send a ping greater than the maximum allowed and causes a system to shut down.
DDoS - Distributed Denial of Service: attackers use multiple hosts to attack a single server or servcie. Usually there'll be botnets used to attack a target site.
Brute force: repeated attempts to crack usernames/passwords with software that uses combinations.

Besides all these there are also spyware, cookies, spam, even randomware nowadays:
https://patrickwbarnes.com/blog/2009/11/on-borrowed-time-the-threat-of-ransomware/

Don't forget that internal users can also (un)intentionally harm a network and an ISP should be the first line of defence!

Here are some common methods for protecting our networks:

Patch
Update
Virus protection
Spyware protection
Spam blocker
Popup blocker
Firewall

Day 6: Wireless Security

2010-02-15T09:48:00.000-08:00

A network administrator shoudl implement the following security features on a WLAN during initial setup (mind you they're easily avoided):

Disable SSID broadcast.
Change default settings.
Enable MAC address filtering.

We can implement authentication for the WLAN (by username or password). This will occur before MAC filtering and there are three types of wireless authentication:

Open authentication: all clients can connect to the WLAN.
Preshared keys (PSK): both AP and client are configured with the same key. This is a one-way authentication because the AP doesn't authenticate with the host (user doesn't have to authenticate).
Extensible Authentication Protocol (EAP): the EAP software on the client communicates with an authentication server as RADIUS which maintains a database of users separate from the AP. 802.1x can also provide AP security through user authentication (EAP).

Its obvious that we need to protect transmission by using some form of WLAN encryption:

Wired Equivalent Privacy - WEP key is 64 to 256 bits but all devices (including AP) must have the same manually configured static key to understand transmissions. This is easily avoided nowadays with hacking software.
Wi-Fi Protected Access (WPA) is also 64 to 256 but has a more secure encryption because it rotates keys. WPA uses TKIP (temporal key integrity protocol) to generate new keys for clients and rotate them at a configurable interval, both client and AP have the key. Remember that WPA dynamically generates a different key with each client communication with the AP.
802.11i/WPA2 is a better version that uses advanced encryption standard (AES) technology.

WPA is a more powerful security technology for Wi-Fi networks than WEP. It provides strong data protection by using encryption as well as strong access controls and user authentication. WPA utilizes 128-bit encryption keys and dynamic session keys to ensure your wireless network's privacy and enterprise security. There are two basic forms of WPA: WPA Enterprise (requires a Radius server) and WPA Personal (also known as WPA-PSK). Either can use TKIP or AES for encryption. Not all WPA hardware supports AES. WPA-PSK is basically an authentication mechanism in which users provide some form of credentials to verify that they should be allowed access to a network. This requires a single password entered into each WLAN node. As long as the passwords match, a client will be granted access to a WLAN. Encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is in WPA-PSK, authentication is reduced to a simple common password, instead of user-specific credentials. The Pre-Shared Key (PSK) mode of WPA is considered vulnerable to the same risks as any other shared password system - dictionary attacks for example. Another issue may be key management difficulties such as removing a user once access has been granted when the key is shared among multiple users, not likely in a home environment.

Consider these points when planning/troubleshooting a WLAN:

Signal: 802.11b/g/n have a larger coverage area than 802.11a. Generally speaking: the more data rates the lower the coverage area. There's also interference and reflection (RF waves bounce off metal or glass surfaces).
Standards: be careful with backward-compatibility, some AP's don't support the 5 GHz frequency (802.11a).
Bandwith: all users share the same bandwith on a BSS.
Association: make sure that the SSID is correct on clients and AP.
Total cost of ownership (TCO).
Channels and correct placing.
Authentication/security.

Day 7: Wireless Standards

2010-02-15T09:25:00.000-08:00

Wireless devices use electromagnetic waves as the physical media for data transmission. Infrared (IR) transmits over short distances, radio frequency (RF) waves can be used for "real networking". The Industrial, Scientific and Medical (ISM) bands are free to use by unlicensed devices for communication:

900 MHz (902 to 928 MHz) supports devices such as wireless headphones and cordless phones.
2.4 GHz (2.400 to 2.4835) supports lower-speed, short-range Bluetooth as well as wireless LAN technologies compliant with IEEE 802.11 standards.
5 GHz (5.725 to 5.850) supports IEEE 802.11 standards at a higher power level, providing a wider range and increased speeds.

Unfortunately Wireless LANs can interfere with each other. Reduced cost and increased mobility are major advantages.

We can define wireless networks in three categories:

WPAN - wireless personal-area network: these include PDAs, mice, keyboards and other short-range IR or Bluetooth devices.
WLAN - wireless local-area network: typically the wireless portion of a LAN that uses RF technology and IEEE 802.11 standards. An access point (AP) usually provides connectivity fro the wireless clients to the wired Ethernet network.
WWAN - wireless wide-area network: networks that can use cell phone technologies such as Global System for Mobile Communication (GSM) or Code Division Multiple Access (CDMA) to cover large geographic areas.

The Wireless Fidelity (Wi-Fi) Alliance tests wireless devices from different manufacturers and ensures that each device meets standards and will function with devices using the same standards. So its a global, nonprofit industry trade assocation devoted to promoting the growth and acceptance of wireless LANs. The IEEE 802.11 standard governs implementations of WLANs.

IEEE 802.11 Wireless LAN Standards

802.11: This original standard was released in 1997 and supports a 2 Mbps data rate over the 2.4 GHz frequency. A maximum range is undefined.
802.11a: This amendment was released in 1999 and supports a 54 Mbps data rate over the 5 GHz frequency. The maximum range is estimated at about 50 meters. Interesting sidenote is that this didn't make due to shortage of material at the time, so 802.11b made it.
802.11b: released at the same time as 802.11a and made it despite supporting an 11 Mbps data rate over the 2.4 GHz frequency. Maximum range is estimated at about 100 meters.
802.11g: This amendment was released in 2003 and supports a 54 Mbps data rate over the 2.4 GHz frequency. Maximum range is estimated at about 100 meters. 802.11g is backwards compatible with 802.11b!
802.11n: This is a recent amendment (october 2009) and adds multiple-input and multiple output (MIMO). 802.11n is backwards compatible with 802.11a, 802.11b and 802.11g!

A wireless networks consists of the following components:

Wireless clients or wireless stations (STA) are devices that participate in a wireless network.
Wireless access point (AP) provides connectivity between a wired and wireless network by converting Ethernet frames into 802.11-compliant frames or vice versa. APs support connectivity in a basic service set (BSS) or limited area.
Wireless bridge provides connectivity between two wired networks with a wireless link - typically a long-range ppp connection over RF frequencies.
Wireless antenna can be a directional antenna that concentrates the signal in one direction or an omnidirectional antenna that increases the signal in all directions. Antennas increase signal strength or gain an can increase distances.

A WLAN is located with a Service Set Identifier (SSID). This is a 32-character, case-sensitive, alphanumeric string located in the header of WLAN frames. WLANs can be set up in od-hoc or infrastructure mode:

Ad-hoc: Independent basic service set (IBSS) in which devices communicate with each other and are not part of a network. This is a simple peer-to-peer connection among clients to exchange files and data without an access point.
Infrastructure: BSS in which a group of devices are connnected to an AP. Devices cannot communicate directly; connectivity is centralized, controlle and directed by an access point.

Multiple BSS access points can be connected by a distribution system (DS) to form an extended service set (ESS). To create it, each BSS AP's range must overlap by 10 to 15 percent! This allows a client to move through the ESS without a loss of signal. The ability to shift data rates allows a client to communicate while moving!
Another important aspect is to use different channels for efficient communicatino. Multiple AP's can overlap in range and divide the available RF spectrum by using separate channels (for example 1-6-11).

Wireless networks use an access method called Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). These points define this process and how a client can reserve a channel:

A device on a BSS asks permission from the AP to communicate in the form of a request to send (RTS).
If the channel's available, the AP responds with a clear to send (CTS) message.
The CTS is broadcast to all devices on the BSS so that all devices know that the channel is in use or that a reservation is in place on the channel.
When the communication is complete, the sending device sends an acknowledgement (ACK) to the AP, saying that the channel can be released. This ACK is also broadcast to all devices on the BSS to indicate that the channel is available.

The following common parameters must be configured on a wireless access point to provide connectivity:

Wireless or network mode: can be 802.11a , 802.11b, 802.11g, 802.11n or mixed mode.
SSID or network name: all devices connected to the WLAN must have the same SSID. It may be a good idea to disable broadcast of the SSID.
Wireless channel: you can manually configure a channel that doesn't overlap with nearby BSSs or you can allow the AP to automatically find the best channel.

Day 8: Network Status Verification

2010-02-15T05:29:00.000-08:00

Show commands are important in ICND1 so I'll describe some common commands to verify network status:

show running-config: displays running configuration form RAM on the router.
show interfaces: displays information about the router interfaces, including encapsulation, address configuration and whether the interface is up or down. I use this one a lot!
show arp: displays any address resolution protocol entries learned by the router.
show ip route: displays routes manually configured or dynamically discovered by the router.
show users: displays any users connected to the router.
show version: displays the version of Cisco IOS software running on the router, name of image and amount of RAM.

There are also well-known some utilities to use on hosts like:

ipconfig (ifconfig on Linux).
ping to test Layer 3 connectivity and basic DNS functionality.
tracert (on windows)
traceroute
netstat show information about devices communicating with a host, including IP address and TCP port information.
nslookup

Important reminder:
After all this you can test Layer 7 connectivity by accessing the router through SSH, Telnet and a web browser.

There's also some debugging with the debug commands, for example debug ip rip. Stop debugging with undebug all.

Day 9: Configuration, IOS and Security

2010-02-15T05:19:00.000-08:00

Sometimes you'll use static and default routes.
Any packet for which a router doesn't know the destination will be dropped or forwarded to the default route. This can be done like this:
ip route 0.0.0.0 0.0.0.0 {outgoing-interface | next-hop-address}

If you look in the routing table you'll see static routes identified with prefix S. This is how we manually configure static routes:
ip route 192.168.2.0 255.255.255.0 192.168.1.2

These can all be reviewed with show running-config, and show ip route.

Reviewing IOS configuration files management is also needed for the ICND1 exam. You can either copy/paste the show runs but preferably you have a trivial file transfer protocol (TFTP) server on your network.

copy running-config tftp: you'll have to enter the ip/hostname of the server and destination filename (router-config).
copy tftp running-config: restoring the file.

The show version command allows to check the name of the IOS image. We can use copy flash tftp to copy the IOS image from flash memory to a TFTP server. To restore it back we can use copy tftp flash.

It's very important to secure the telecommunications room or wiring closets in your facility. The main distribution facility (MDF) and intermediate distribution facilities (IDF) are the backbone of the network and should be protected. Access to these areas should be restricted. Besides this we also have to protect configuration privileges by adding password security. Don't forget that passwords are encrypted if the command service password encryption is entered.

ESENT - Extensible Storage Engine

2010-02-15T05:01:00.000-08:00

Just noticed that this post was unreadable so:

One of my database servers gave this error in event viewer:
svchost (828) The database engine stopped

Windows comes with an embeddable, transactional database engine which is available to developers through the Windows SDK. The ESENT database engine can be used whenever an application wants high-performance, low-overhead storage of structured or semi-structured data. This can range from something as simple as a hash table which is too large to store in memory to a complex application with many tables, columns and indexes. ESENT is used by the Active Directory, Windows Desktop Search, Windows Mail and several other Windows services and a slightly modified version of the code is used by Microsoft Exchange to store all its mailbox data.

Interesting links:
http://msdn.microsoft.com/en-us/library/ms684493%28EXCHG.10%29.aspx
http://managedesent.codeplex.com/

err-disabled mode

2010-02-03T02:39:00.000-08:00

Today I had a switchport that went in err-disabled mode. Command show interfaces status err-disabled indicated loopback for reason. It took a while but our technicians eventually followed the cables in the ceiling and they were badly patched.

Cisco has a great page with all the details:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00806cd87b.shtml#topic2

Day 10: CLI Parameter

2010-02-02T08:51:00.000-08:00

Cisco IOS Editing keys/commands:
Ctrl-P or up arrow: repeats previous command
Ctrl-A: beginning of command line
Ctrl-E: end of command line
Esc-B: move back one word
Esc-F: move forward one word
Ctrl-Z: exits configuration mode
show history: displays command buffer
terminal history size x: sets history buffer size
terminal no editing: turns off advanced editing (why would you use this...)

Router Initial Configuration:
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Cairo
Cairo(config)#banner motd #
Enter TEXT message. End with the character '#'.
Cairo - unauthorized use prohibited
#
Cairo(config)#enable password cisco
Cairo(config)#enable secret sanfran
Cairo(config)#line console 0
Cairo(config-line)#password sanjose
Cairo(config-line)#login
Cairo(config-line)#exit
Cairo(config)#line vty 0 4
Cairo(config-line)#password netadmin
Cairo(config-line)#login
Cairo(config-line)#exit
Cairo(config)#service password-encryption
Cairo(config)#exit
Cairo#
%SYS-5-CONFIG_I: Configured from console by console
Cairo#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]

Router Ethernet Interface Configuration:
Cairo>enable
Password:
Cairo#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Cairo(config)#interface fa0/0
Cairo(config-if)#ip address 192.168.1.1 255.255.255.0
Cairo(config-if)#description Ethernet segment 192.168.1.0
Cairo(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Cairo(config-if)#exit
Cairo(config)#ip host Cairo 192.168.1.1

This last command defines static hostname-to-address mappings in the DNS hostname cache, more info at this link:
http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_ip.html#wp1012102

If the serial interface is a data communications equipment (DCE) device, you'll need to set the clock rate. A router is usually the data terminal equipment (DTE) device so you don't need to set it. As a DTE, the router would accept the clock from a DCE device. Think of it this way, DCE and the C is clock :)

Cairo>enable
Cairo#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Cairo(config)#interface serial 0/0
Cairo(config-if)#ip address 192.168.2.5 255.255.255.252
Cairo(config-if)#clock rate 64000
Cairo(config-if)#no shutdown
Cairo(config)#exit
Cairo#
%SYS-5-CONFIG_I: Configured from console by console
Cairo#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]

Router Initial Configuration for SDM:
Cairo>enable
Password:
Cairo#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Cairo(config)#ip http server
Cairo(config)#ip http secure-server
Cairo(config)#username cisco privilege 15 password 0 class
Cairo(config)#line vty 0 4
Cairo(config-line)#privilege level 15

To establish a username-based authentication system, use the username command in global configuration mode. To enable password checking at login, use the login local command in line configuration mode.

Cairo(config-line)#login local
Cairo(config-line)#transport input telnet
Cairo(config-line)#transport input telnet ssh
Cairo(config-line)#exit

Day 11: RIP Configuration

2010-02-02T08:38:00.000-08:00

RIP version 2 or RIPv2 allows a router to discover the location of remote networks dynamically from other routers running RIPv2. In order to confiure it, you'll have to connect to each router and determine which networks are directly connected to each router, and use RIP to configure that router to advertise the location of those networks.

Enter the router configuration mode, tell it's version 2 and specify that RIP will send update information about the directly connected networks. It's extremy simple, you only have to use router rip, version 2, network directly-connected-network.
The most important is that you have to enter the networks CLASSFUL, so a class A is for example 65.0.0.0 instead of the 65.3.0.0!!!!

Cairo>enable
Password:
Cairo#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Cairo(config)#router rip
Cairo(config-router)#version 2
Cairo(config-router)#network 192.168.1.0
Cairo(config-router)#network 192.168.2.0
Cairo(config-router)#end
Cairo#
%SYS-5-CONFIG_I: Configured from console by console
Cairo#

show ip route displays all routes in the routing table and indicates routes learned through RIPv2 using the prefix R.

show ip protocols verifies that RIPv2 is configured and operating on the router and that the router is receiving updates and advertising routes. Important to notice are the updates that're being sent every 30 seconds, hold down of 180 seconds and flushed after 240!

debug ip rip displays RIP advertisements on the network in real time. This is very CPU-intensive, so it should be turned off with the undebug all command after use.

The Cisco Learning Network CCENT page has a good 15' video on this subject:
https://learningnetwork.cisco.com/docs/DOC-1300

Day 12: Routing and Routers

2010-02-02T08:36:00.000-08:00

Routers see networks, not hosts. There's a big difference between routed and routing protocols.

Protocols such as IP are routed protocols because the router uses the protocol to forward a packet from one router to another.
Routing protocols are used by routers to exchange routing information.

Routers decide where to forward a packet by using information stored in routing tables. They maintain a list of its interfaces and which networks are connected to those interfaces in its routing tables. Routers can dynamically learn about routes from other routers (routing protocol!) or the administrator can manually add a static route. When a packet arrives at a router, it'll look at the subnet mask, its routing table and cost.

We have four types of routes that exist in a routing table:

Directly connected: a router detects configured networks connected to its interfaces and adds them to the routing table automatically (identified by prefix C). These are automatically updated when the configuration changes or an interface is shut down.
Static: manually configured route, identifed by prefix S.
Dynamic: these are dynamically updated by the router protocol. Prefix depends on the type of protocol, Routing Information Protocol (RIP) has prefix R.
Default: static route that identifies the default gateway for packets addressed with a destination network that a router doesn't have in its routing table.

Dynamic routing protocols typically use the distance vector or link-state algorithm:

Distance Vector:

Periodically exchanges routing tables with neighboring routers.
Routes are evaluated on distance (how far) and vector (what direction).
Distance is expressed in a route cost or metric.
When a routing table is received it updates its routing information and forwards its routing table with an added hop to neighboring routers.

Link-State:

Exchanges link-state advertisements (LSA) when a change occurs in a link.
Maintains a topological database of the network and builds a shortest path first (SPF) tree.
When an LSA is received, the router will update and recalculate paths.

Routing Information Protocol (RIP):

Simple distance vector protocol, an interior routing protocol.
Exchanges complete copies of routing table.
Maximum 15 hop count - this to determine best path.
RIP version 2 (RIPv2) is preferred because it includes subnet mask information, where RIPv1 relies on classful default subnet masks. This means that RIPv2 allows VLSM and CIDR.

Enhanced Interior Gateway Routing Protocol (EIGRP):

Cisco-proprietary interior routing protocol.
Uses hop count (maximum 224), metrics and advertisements.
Maintains routing table, neighbor table and topology table.

Open Shortest Path First (OSPF):

Nonproprietary link-state interior routing protocol that sends LSA updates when there's a topology change.

Router Bootup Process, POST and loading Cisco IOS software:

Router performs power-on self-test (POST) to check hardware.
Loads bootstrap and initializes Cisco IOS from flash, TFTP or ROM. The location is defined in configuration register.
Loads startup configuration file from nonvolatile random-access memory (NVRAM) to random-access memory (RAM) as running configuration.
If NVRAM has no configuration file, the router will look for a TFTP-server. If it can't find it, it starts setup.

Day 13: IP Address Troubleshooting

2010-01-30T05:52:00.000-08:00

What if an IP address or subnet mask is entered incorrectly and your computer is configured to obtain an IP address automatically?

We could directly start at Layer 3 and use ping. If that's ok, there's probably an upper-layer issue. There could also be a DNS problem, I've already discussed it in my day 17 post.

Follow these steps on a Windows machine to verify the DHCP operation:

Enter the command ipconfig /all in a command box. It should show lots of info like subnet mask, gateway, DNS server(s) and IP address.
Are the gateway and host IP address on the same subnet?
Release and renew the dynamic assignment with ipconfig /release and ipconfig /renew.
If you can ping your gateway but no Internet address, there's a problem between your router and ISP (DNS, etc.). You could also use the tracert command (traceroute in IOS) to further investigate the issue.

Day 14: Static and Dynamic Addressing

2010-01-26T10:26:00.000-08:00

Hosts in our LAN can be assigned an IP address in one of two ways:

Manual configuration: we can enter a static IP address, subnet mask, and gateway on hosts in our network. These static addresses remain the same for these devices unless we manually change'em.
Dynamic configuration: we can configure a DHCP server (as discussed on day 15) to dynamically assign addresses to computers on your network. We can specify the address range, client lease and other parameters on the DHCP server. You also need to configure clients to request addressing information from the DHCP server.

Remember the ip helper-address command used to forward DHCP requests.

Use the ipconfig /release and ipconfig /renew commands to refresh.

Day 15: DHCP Operation

2010-01-25T09:49:00.000-08:00

A client on a DHCP (Dynamic Host Configuration Protocol) network will follow these steps to obtain an IP address:

the client sends a DHCP Discover message with a destination IP address of 255.255.255.255 and a destination MAC address of FF-FF-FF-FF-FF-FF.
This DHCP Discover message broadcasts over the network, and the DHCP server replies with a DHCP Offer, including initial IP configuration for the client such as IP address, subnet mask and default gateway.
The requesting client sends a DHCP Request to use the IP address suggested in the DHCP offer.
The DHCP server responds with a DHCP Acknowledgment.

A DHCP server can provide addresses to a host on a different network if the routers on those networks are configured to forward DHCP requests with the ip helper-address command.

The configuration can be done by SDM or CLI.
Use these commands in global configuration mode:
ip dhcp pool pool-name
network network-address subnet-mask
domain-name domain-name
dns-server dns-server-address
default-router default-router-address
lease {days [hours] [minutes] | infinite}

Use these commands to exclude a range of addresses or a single address from the DHCP pool that you want to reserve and assign to specific hosts from global configuration mode:
ip dhcp excluded-address start-address end-address
ip dhcp excluded-address single-address

DHCP service can be started with service dhcp and stopped with no service dhcp.

Verification is done with these show commands:
show running-config
show ip dhcp binding
show ip dhcp server statistics
debug ip dhcp server events

determining if broadcast storm has occured

2010-01-24T08:42:00.000-08:00

These are some useful fields while determining if a broadcast storm has occured.

Router# show interfaces ethernet 0
Ethernet 0 is up, line protocol is up
Hardware is MCI Ethernet, address is aa00.0400.0134 (via 0000.0c00.4369)
Internet address is 131.108.1.1, subnet mask is 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
Encapsulation ARPA, loopback not set, keepalive set (10 sec)
ARP type: ARPA, PROBE, ARP Timeout 4:00:00
Last input 0:00:00, output 0:00:00, output hang never
Output queue 0/40, 0 drops; input queue 0/75, 2 drops
Five minute input rate 61000 bits/sec, 4 packets/sec
Five minute output rate 1000 bits/sec, 2 packets/sec
2295197 packets input, 305539992 bytes, 0 no bufferReceived 1925500 broadcasts, 0 runts, 0 giants
3 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 input packets with dribble condition detected
3594664 packets output, 436549843 bytes, 0 underruns
8 output errors, 1790 collisions, 10 interface resets, 0 restarts

no buffers: gives the number of received packets discarded because there was no buffer space in the main system. Compare this with the ignored count. Broadcast storms on Ethernet networks and bursts of noise on serial lines are often responsible for no input buffer events.
ignored: shows the number of received packets ignored by the interface because the interface hardware ran low on internal buffers. These buffers are different from the system buffers mentioned previously in the buffer description. Broadcast storms and bursts of noise can cause the ignored count to be increased.

Reference: http://www.cisco.biz/en/US/docs/internetworking/troubleshooting/guide/tr1904.html

RMAN error – Use CROSSCHECK command to fix status

2010-01-21T04:42:00.000-08:00

Our RMAN backup control mail gave an error: x objects could not be deleted for DISK channel(s) due to mismatched status. Use CROSSCHECK command to fix status.

CROSSCHECK is a check to determine whether files on disk or in the media management catalog correspond to the data in the RMAN repository. Because the media manager can mark tapes as expired or unusable, and because files can be deleted from disk or otherwise become corrupted, the RMAN repository can contain outdated information about backups. Crosschecks update outdated RMAN repository information about backups whose repository records do not match their physical status. For example, if a user removes archived logs from disk with an operating system command, the repository still indicates that the logs are on disk, when in fact they are not. The crosscheck command is used to validate RMAN records in the database control file and the recovery catalog against what is physically on the backup media. The crosscheck command can be used on both disk backups and tape backups. You can cross-check the gambit of backups, from database backups and archive-log backups to image copies, the crosscheck command covers them all.

When you run the crosscheck command, any missing backup files will be marked as EXPIRED, meaning that they are no longer on the media where they are expected to be. The list expired command will show you the backups that are expired. You can review this list and then use the delete command to mark the backup files as deleted in the control file and the recovery catalog. The CROSSCHECK command does not delete any files that it is unable to find, but updates their repository records to EXPIRED. Then, you can run DELETE EXPIRED to remove the repository records for all expired files as well as any existing physical files whose records show the status EXPIRED. Expired backups will not show up on this report until the crosscheck command detects they are missing.

Oracle SID should be correctly set, so we'll log on directly.

F:\oracle\rman>rman target =/

We use show all to get the backup retention policy to determine how long backups and archived logs need to be retained for media recovery. You can define a retention policy in terms of backup redundancy or a recovery window. RMAN retains the datafile backups required to satisfy the current retention policy, and any archived redo logs required for complete recovery of those datafile backups. In our case I got RETENTION POLICY TO REDUNDANCY 1 and ARCHIVELOG BACKUP COPIES FOR DEVICE TYPE DISK TO 1.

RMAN> show all;

RMAN> delete noprompt obsolete;

Will give the same errors as in our control mail, so let’s do what it wants.

RMAN> crosscheck archivelog all;

RMAN is not removing all of the files because some of them may still be needed for a full recovery! It's all about how RMAN defines an obsolete file. Generally, an obsolete file is one that supplements a full backup that will never be used for a recovery and roll-forward. The Oracle docs note the rules for a file becoming obsolete:
DELETE OBSOLETE does not delete backups required to satisfy the specified retention policy, even if some backups have KEEP UNTIL times set which have passed to override the retention policy.
Backups are never obsolete if they are still needed to meet the retention policy, regardless of any KEEP UNTIL time. With a recovery window-based retention policy, even if the specified KEEP UNTIL time has expired, the backup is retained if the backup is needed to satisfy the recovery window.

With a redundancy-based retention policy, even if the specified KEEP UNTIL time has expired, the backup is retained as long as it is required to satisfy the redundancy requirement.
You can also use the REDUNDANCY or RECOVERY WINDOW clauses with DELETE to delete backups obsolete under a specific retention policy instead of the configured default:
DELETE OBSOLETE REDUNDANCY = 3;
DELETE OBSOLETE RECOVERY WINDOW OF 7 DAYS;

RMAN> delete noprompt obsolete;

I got a similar error as in the controlemail, this time for the controlefilecopy (32 is here the key):

RMAN> crosscheck controlfilecopy 32;

Now we can delete them:

RMAN> delete noprompt obsolete;

And rerun the last delete to verify if anything’s left:

References:
http://download.oracle.com/docs/cd/B19306_01/backup.102/b14192/maint002.htm
http://users.telenet.be/oraguy.be/rman1.htm
http://download.oracle.com/docs/cd/E11882_01/backup.112/e10643/toc.htm

Lines on Cisco routers

2010-01-20T10:42:00.000-08:00

Lines on Cisco routers are physical async serial ports on the router (such as a terminal or modem), a virtual network connection, or another type of serial line on the router. To see which lines you have on your router, use the show line command. Example: show line serial 0/0

Use the show line summary command to get a nice overview.

The console port doesn't need any introduction. The CTY port is, of course, where you configure the router when it’s brand-new — before it has any IP address configuration. The console port is a serial port, so you must have a PC/laptop with a serial interface and connect to the console with a rolled cable, it should be included with your newly arrived devices :)

Once you’ve used the console port to configure the router’s network configuration, it isn’t common to have to use it again. However, it’s good to know that it’s there if anything ever goes wrong. In addition, you should secure the console port to keep someone from connecting to it when you aren’t around.

While not all routers these days have an AUX port, the AUX port is the auxiliary. Think of it as a secondary console port. The AUX ports don’t get a lot of use except to access the router if locked out of the console port. In the past, network admins would connect modems to the AUX ports so they could dial into their routers. Like the console port, the AUX port is a serial port, and you should also take steps to secure it.

VTY ports are virtual TTY ports, used to Telnet or SSH into the router over the network. You can use them to connect to the router to make configuration changes or check the status. Most routers have five VTY ports, numbered 0 to 4. That means you can have up to five concurrent network admins configuring the router at one time.

Remember that you can always use the clear line command to clear out a connection on a router line if you run into a problem.

Day 16: Private Networks and NAT

2010-01-20T09:42:00.000-08:00

A device directly connected to the Internet has a public IP address, this is routable. The number of public IP addresses is limited so RFC 1918 reserves class A, B and C networks for private use on an internal network. These addresses can be reused for multiple internal networks because the networks are not visible to the Internet or each other.

I've mentioned them a few times but once again a quick overview:

one class A address for private networks: 10.0.0.0, >16 million private addresses
16 class B networks for private use: 172.16.0.0 to 172.31.0.0, each networks allows > 65000 private addresses
256 class C networks for private use: 192.168.0.0 to 192.168.255.0, each network allows up to 254 private addresses

A router running NAT and PAT can allow devices on a private network to share a single public IP address and communicate over the Internet. Devices on a private network behind a router running NAT are not directly accessible on the Internet, providing additional security.

Oracle DBA - managing listener.log

2010-01-20T06:53:00.000-08:00

As the listener.log file grows, we'll want to remove or rename it. This will fail as it's "being used by another process".
The DBA can simply stop the service, rename/remove the file and restart the service. This can be problematic for users attempting to connect while the listener's down.

Here's a good way to do this without stopping the TNS listener process. This'll work on Windows and with some small changes on Linux as well (ren = mv):
C:\cd \oracle\product\10.2.0\db_1\NETWORK\log
C:\oracle\product\10.2.0\db_1\NETWORK\log\lsnrctl set log_status off
C:\oracle\product\10.2.0\db_1\NETWORK\log\ren listener.log listener.old
C:\oracle\product\10.2.0\db_1\NETWORK\log\lsnrctl set log_status on

In Oracle 11g, the listener log files by default are located in /diag/tnslsnr/product_name/listener. The nice feature about listener log file in this version is, whenever the size of log file grow to 10MB, Oracle starts to writes to a new file. So the log file will not be too large to open for troubleshooting. Overtime, you will have a lot of 10MB log file in the directory. An Oracle DBA needs to manage the listener log files regularly so the log files will not take too much space on the server.

This is a great link with DBA Tips: http://www.idevelopment.info/

Day 17: DNS Operation

2010-01-18T11:13:00.000-08:00

All hosts have a HOSTS file that matches names to IP addresses. This file is first used to resolve a request for a domain. Obviously its impossible to keep it all in file, so a DNS server performs this task on a network. If you want to verify the capability to access a DNS server you'd use the nslookup utility: http://technet.microsoft.com/en-us/library/cc725991(WS.10).aspx

The domain naming system has these components: resource records and domain namespace, domain name servers and resolvers. The hierarchy of the domain name system begins at the top with top-level domains such as .com, .org - they could also represent countries. These are followed by second-level domains such as cisco, yet they could also have specific locations such as mail.

So, what happens if a host wants to resolve a Domain Name System (DNS - port 53) name such as mail.cisco.com? A domain that that points to a specific computer in a domain is considered a fully qualified domain name (FQDN). The host uses a resolver to query a DNS server inside its domain to get the IP address of mail.cisco.com. This DNS server is preconfigured (see ipconfig /all). You could use the well known 4.2.2.2 but there's always a security risk using one that you're not authorized to.

The DNS server (usually from our ISP) receives the request and checks its local records. If the DNS server cannot resolve the domain name, it forwards the request to another preconfigured DNS server. The local DNS server may query a root DNS server to discover the location of top-level.com domain name servers.
The top-level DNS server, after it's queried responds with the location of the cisco.com DNS server for the requested domain.
The local DNS server queries the cisco.com DNS server for the location of mail.cisco.com. When the resolved name to IP address is returned, each DNS server caches the record for a limited amount of time.
The local DNS server receives the returned request, temporarily caches the record and responds to the requesting host with the IP address for mail.cisco.com.

It's important to know that DNS zones can be broken into primary or secondary forward lookup or reverse lookup zones:

Primary and secondary: there can be primary and secondary forward lookup and reverse lookup zones. The primary zone is where you update records, and the secondary zone operates as a read-only backup copy of the primary zone.
Forward lookup zones: standard zone that resolves FQDNs to IP addresses.
Reverse lookup zones: this query works in reverse: a host wants to know the FQDN because it knows the IP address. Private networks use reverse lookup to identify host names on their local network. I've had some issues with this lately when we forgot to set this zone up during a rollout of hosts, we got the error Nonexistent domain when testing with nslookup.

It's a good idea to use redundant DNS servers!

There's good information and links on wikipedia: http://en.wikipedia.org/wiki/Domain_Name_System

Day 18: NAT

2010-01-17T12:52:00.000-08:00

If you've ever wondered why we're not all using IPv6 yet, the simple answer is Network Address Translation - NAT (NAT overload or PAT).

As seen on day 20, the RPC1918 has identified the private networks. These addresses don't allow us to connect to the Internet, routers cannot route these private IP addresses (they get dropped). A router can however receive a public Internet-routable address from the ISP and provide Internet connectivity for the hosts on the local private network. The router will use NAT to exchange private IP addresses for a public IP address or a pool of public IP addresses. This translation allows an internal host to appear as though it has a public IP address. Nat also provides some basic security.

NAT was developed because of too few available IP addresses. Here are some terms:

inside local network: the privately addressed internal network connected to a router
inside local address: internal IP address assigned to a host on the inside, private network. This is usually a private IP address
outside global network: any network outside the local network that would also not recognize the private addresses assigned to hosts in the local network
inside global address: a registered, Internet-routable IP address that represents one or more inside local IP addresses to the outside world
outside local address: destination address of the packet while on the inside local network - typically the same as the outside global address. So it's the IP address of an outside host as it appears to the inside, private network.
outside global address: actual destination address of the intended external host on the Internet. The IP address assigned to a host on the outside network by the host's owner - usually a routable IP address.

Static NAT translates one private address to one public address. In dynamic NAT will have a pool of public addresses to temporarily assign for internal hosts (the public address will afterwards return to the pool).
A router uses NAT overload, or port address translation (PAT) to allow multiple internal hosts to communicate with just one public IP address. The router uses source port numbers to identify the internal connection request. Note that this implicates that internal hosts must initiate communications with outside networks. If you're wondering what would happen if two hosts used the same source port (from the 65535), it's simple: whoever gets there first gets that port, the other one will get a different one - for example 61751 would then become 61752.

To configure static NAT, you have to designate an inside interface (this is the interface connected to the private network). You also have to designate the interface connected to the outside world as the outside interface. Needed commands:
ip nat outside
ip nat inside
ip nat inside source static local-IP-address global-IP-address

We don't have to know the CLI for ICND1 but I'll give a quick overview, we're preparing for the CCNA - please try it with SDM (use GNS3 if needed).

Router#enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial 1/0
Router(config-if)#ip nat outside
Router(config-if)#interface fa 0/0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#ip nat inside source static 192.168.1.2 200.1.1.1

NAT with overload enables PAT (a many-to-one mapping). Use the access-list command to define the private address pool that you want to translate to a single IP address. An access list uses a wildcard mask instead of a subnet mask to identify the bits available for use as hosts in the pool. Needed commands (see the differences above):
access-list access-list-number permit inside-network wildcard-mask
ip nat inside source list access-list-number interface interface overload
ip nat outside
ip nat inside

Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)#ip nat inside source list 1 interface serial 1/0 overloadRouter(config)#interface serial 1/0
Router(config-if)#ip nat outside
Router(config-if)#interface fa 0/0
Router(config-if)#ip nat inside

Look at 0.0.0.255 as a reversed subnet mask. The overload keyword allows to map multiple IP addresses to a single registered IP address (many-to-one) by using different source port numbers. Use show run and show ip nat translations to verify NAT configuration. A useful command for testing/troubleshooting is debug ip icmp which outputs any ICMP traffic processed by the router. Don't forget to turn it off with undebug all or u all. The clear ip nat translation * command clears all the NAT translations in the NAT table, its useful for troubleshooting.

A useful link is http://www.9tut.com/ccna-lab-sim/52-ccna-nat-sim-question

Day 19: Assign Addresses

2010-01-13T10:21:00.000-08:00

After having developed a logical topology and proper addressing scheme, we must assign the addresses to devices in our network. A host needs an IP address, default gateway and subnet mask. These can be assigned manually or obtained automatically by a Dynamic Host Configuration Protocol (DHCP) server.

In Windows we'll verify the IP configuration by using ipconfig /all
In Linux use the ifconfig command.

The default gateway for a host is typically the IP address of the connected interface on the router for the network. Each host on the network can then use the router as the gateway to other networks.

This how we assign an IP to the interface of a router (we've already showed it for a switch):

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 10.0.0.1 255.255.255.0
Router(config-if)#no shutdown

The configuration can be verified by using the known commands:
show interfaces
an example is Router#show interfaces fastEthernet 0/0
show running-configuration
show startup-configuration

Day 20: IP Addressing and Subnetting

2010-01-12T10:09:00.000-08:00

An IP address is typically assigned to the NIC, routers need an IP address for each interface.

An IPv4 address is made up of 32 binary bits, divided in four octects and represented in decimal format. I'm not going to cover converting to decimal or binary! Only remember that the maximum decimal equivalent for an octet is 255, the minimum is obviously 0.

The RPC 2460 proposed IPv6 in 1998 to increase address space. For now it's enough to know that they're 128-bit addresses respresented as 32 hexadecimal digits, broken into 8 groups of 4 digits separated by colons.
http://tools.ietf.org/html/rfc2460

An IP address contains a network portion and host portion. The first part is the network portion and the second is the host portion. The network portion is determined with the subnet mask, a 32-bit address in which the binary 1s identify the network portion. For example:
255.255.255.224 (or /27) - the last octet is 11100000

We also focus on the network address which has all 0s in the host portion and the broadcast address which has all 1s in the host portion. An example:
network address - 172.16.1.0
subnet mask - 255.255.255.0
first available host address - 172.16.1.1
broadcast address - 172.16.1.255
As you can see you always lose two host IP addresses from the possible combinations.

You probably know all the classes but I'll give a quick overview:

Class A, binary start is 0, first octet range 1-126, subnet mask is 255.0.0.0, 16777214 hosts, 8 bits network address
Class B, binary start is 10, first octet range 128-191, subnet mask is 255.255.0.0, 65534 hosts, 16 bits network address
Class C, binary start is 110, first octet range 192-223, subnet mask is 255.255.255.0, 254 hosts, 24 bits network address
Class D, binary start is 1110, first octet range 224-239, multicast
Class E, binary start is 1111, first octet range 240-255, used for research

The complete 127 range is used for loopback testing (TCPIP stack), you probably know the loopback address 127.0.0.1 but it actually works with all hosts in this range (127.255.255.255).

The RFC 1918 identifies the networks reserved for internal or private use:
http://tools.ietf.org/html/rfc1918

Class A: 10.0.0.0 to 10.255.255.255
Class B: 172.16.0.0 to 172.31.255.255
Class C: 192.168.0.0 to 192.168.255.255

I've mentioned multicast, this is used by devices that send multicasts to the hosts that are part of the multicast group. Might be used for videoconferencing or remote gaming.
Devices use broadcast addresses to communicate with all hosts on a network (ARP, DHCP). Directed broadcasts are forwarded to remote networks (normally all 1's are not forwarded).
Devices use unicast to communicate with another device, one-to-one.

When we divide a network beyond its default class, and use bits from the host portion as network bits; the router looks at the new mask and determines the network address regardless of the default class. This is called Classless Interdomain Routing (CIDR).

I'm not going to cover subnetting as there are a zillion good places to find more information, CBTNuggets explains it well, Todd Lammle, the Cisco Learning Discussions...

A great site to practice is http://www.subnettingquestions.com/
Updated with this great link as well: http://faculty.valleycollege.net/rpowell/jscript/subnet2.htm

I'll review "my way" with the current question: "What is the first valid host on the subnetwork that the node 10.201.251.121/20 belongs to?"

10.201.251.121 is class A
/20 is 255.255.240.0, so third octet is important!
4 network bits in the relevant octet, 12 subnet bits in total so 2^12 is 4096, so 4096 possible subnets. The formula is 2 to the n-th power where n is the number of network bits.
4 host bits in the relevant octet so 2^4 is 16 (this is my block size or increment size). If we want the number of hosts it's 12 host bits (including last octet), so 2^12 minus 2 because we need to subtract 2 (network and broadcast address) so 4094 possible hosts
my block size is 16 so multiplications of 16 (0-16-32-48-64-80-96-112-etc), third octet is important and the closest to 251 is obviously 240
the network address is then 10.201.240.0, first possible address is 10.201.240.1 and broadcast is 10.201.255.255

Please note that I know the multiplications of 8 and 16 by heart, this makes it all a lot easier. However, I admit that my method is not the easiest :)
Contact me if you have questions.

Day 21: Switch Troubleshooting

2010-01-11T11:15:00.000-08:00

I had to take a few days off but we're back and today's topic is basic switch troubleshooting.
Basic troubleshooting starts at Layer 1 with switch hardware issues and continue to Layer 2 with possible switch softwareor configuration issues. Only last week I encountered a wrong labeling of an old wall jack! The LED indicators are really helpful, so use them.

There's a variety of available show commands:

show running-config: running configuration stored in RAM on the switch
show startup-config: startup configuration stored in NVRAM on the switch
show version: Cisco IOS software version, image name, memory and processor on a switch
show interfaces: includes addressing and security
show mac-address-table
show port-security

Besides these we also have the Cisco Discovery Protocol. CDP can verify Layer 2 connectivity even when a Layer 3 IP address is not properly configured. It can also be used to learn about the hardware and software configuration of connected devices with CDP enabled.

no dcp run: will disable CDP globally on a switch (from global configuration mode)
no cdp enable: will disable CDP on a specific interface (from interface configuration mode)
show cdp: shows whether its running on a switch, no info about connected neighbors
show cdp neighbors: uses Layer 2 CDP communication to discover and display information about directly connected Cisco devices and their platforms
show cdp neighbors detail: this includes the Layer 3 IP address

Day 22: Switch Security

2010-01-06T11:44:00.000-08:00

The switchport can be assigned a static MAC address:
mac-address-table static {host-mac-address} interface {interface} vlan {vlan}
and verified with show mac-address-table, cleared with clear mac-address-table

This is how we secure a switchport:
enter the interface mode:
S2(config)#interface fastEthernet 0/6
first we need to define whether the port is an access port (end host) or trunk ports. A trunk port is configured to trunk multiple VLANs. Only access ports (with only one VLAN) can have port security enable. Notice that the default mode is trunk!
S2(config-if)#switchport mode access
switchport port-security enables port security:
S2(config-if)#switchport port-security
S2(config-if)#switchport port-security maximum 1
this last command will not appear in show run because 1 is the default maximum!
easiest way is to allow the switch to dynamically learn the first MAC address by enabling sticky.
S2(config-if)#switchport port-security mac-address sticky
the switchport needs to go administratively down when a wrong device connects, other options are protected and restrict. The difference between these two is not that obvious, restrict will send a message.
S2(config-if)#switchport port-security violation shutdown
we can also manually configure a MAC address for this port (if we remove port security), notice global configuration:
S2(config)#mac-address-table static 0001.C7C1.E31C vlan 1 interface fastEthernet 0/6
use no mac-address-table... to remove it

S2(config-if)#end

S2#

when an nauthorized device connects to the port, the switch shuts it down. Once this happened, the port must be administratively shutdown and re-enabled to bring it back online.
S2(config-if)#shutdown
S2(config-if)# no shutdown
it's important to secure unused switch ports, use ranges instead of manually doing one interface at a time. You can secure it by disabling the port or putting the port in an unused VLAN.

Speed and duplex can be set on a switch port like this:
speed {speed-imegabits-per-second}
duplex {half | full}

Other interesting show commands are:
show port-security
show interfaces
show vlan

As a sidenote: we can delete VLAN database information and erase the startup configuration with the following two commands in privileged EXEC mode:
delete flash:vlan.dat
erase startup-config

Day 23: Switch Configuration

2010-01-05T10:24:00.000-08:00

Finally some action on switches, first connecting with a console (or rolled cable) and then a quick configuration:

The console configuration settings needed to connect to a Cisco device's console port are as follows:

Speed: 9600 bits per second
Data bits: 8
Parity: None
Stop bit: 1
Flow control: None

By default we'll receive user access or user EXEC, only commands that show basic information about the operation and connectivity.
Switch>enable
Now we're in Privileged EXEC after entering enable. We can now adjust the operation of a switch and view configuration files.
Switch#configure terminal
The configuration mode allow us to configure the device and enter submodes for specific configurations (for example interface).
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#line console 0
S1(config-line)#password cisco
S1(config-line)#login
S1(config-line)#line vty 0 4
S1(config-line)#password class
S1(config-line)#login
S1(config-line)#exit
S1(config)#enable password cisco
S1(config)#enable secret class
Remotely accessing a switch for management requires an IP address and basic security information. This can be done in VLAN1, the logical interface used for management.
S1(config)#interface vlan 1
S1(config-if)#ip address 192.168.1.2 255.255.255.0
S1(config-if)#no shutdown
S1(config-if)#exit
Note that setting a default gateway for a switch is done in global configuration!!! Although a switch doesn't see Layer 3 and above information it's still necessary to configure the default gateway to remotely administer and configure the switch.
S1(config)#ip default-gateway 192.168.1.1
S1(config)#exit
S1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]

Other basic commands are:
show history: will show by default the last ten commands used
terminal history size 20: changes the history size
service password-encryption: used to encrypt the passwords in a config (except enable secret), this is still no solid security measure because it can easily be cracked.
The banner motd is displayed upon connection to the switch either by Telnet or by the console port. The login banner is displayed before the username and pasword login prompts on a Catalyst switch. See my other post with in depth explanation.

Day 24: Switch Operation

2010-01-04T12:08:00.000-08:00

As a reminder each switch port is its own collision domain. A switch maintains a MAC table, when it doesn't know the port for a frame's destination MAC address it will then flood the frame out all other ports. It will not forward frames with errors or with the same source and destination. When we connect a hub to a switch port, the switch will associate all MAC addresses of devices connected to that hub with that port.

A switch port can operate in full-duplex mode which allows is to alternately send and receive data simultaneously. They can also work in half-duplex mode allowing it to alternately send and receive data but not simultaneously.

Switches attempt to autonegotiate the speed and either full- or half-duplex transmission when devices connect. If the device doesn't support autonegotiation, the switch will default to the speed of the other device and half-duplex. We can turn autonegotiation off and manually set a switch to full or half duplex and speed of the connection.

Switches can operate in store and forward mode which means that the entire frame is received before sending plus computes the CRC (introduces latency). It can also use cut-through mode in which switches look at the first part of the frame (destination address) and immediately beings forwarding the frame out the approprate port. We also have modified cut-through, known as fragment-free switching. This means checking the first 64 bytes before forwarding the frame. Ethernet specs state that collisions should be detected during the first 64 bytes of the frame, late collissions are still possible.
Switches use Spanning Tree Protocol (STP) to avoid switching loops and set ports as blocking, listening, learning or forwarding. This is needed when you have redundant links between switches, which is normal in modern network design.

To summarize we can use Layer 2 switches for address learning, packet forwarding and filtering, loop avoidance with the Spanning Tree Protocol.

Day 25: Media Access Control

2010-01-03T09:55:00.000-08:00

Ethernet media access control (MAC) defines how a transmission is prepared for the phsycial media, when a device can transmit over the wire and to decypher received transmissions.

An Ethernet frame is an OSI layer 2 PDU. Its maximum size is 64 bits and hosts do not process frames that are larger than 1518 bytes (giants) or smaller than 64 bits (runts).

As a reminder the MAC address consists of 12 hexadecimal digits and is 48 bits or 6 bytes. Cisco prefers to group them in three groups of 4 digits, for example: 01:23:45:67:89:ab

It's important to remember that only hosts with an IP address use an ARP request to find the destination MAC and create a socket to identify the device.

Let's discuss CSMA/CD (Carrier Sense Multiple Access Collision Detect):
many stations can transmit on the same cable with CSMA/CD and no station has priority over another (multiple access). Before a station transmits, it listens on the wire (carrier sense) to make sure that no other station is transmitting. If a collision occurs, the transmitting stations detect the collission and run a backoff algorithm, its a random time that each station waits before retransmitting.

Collision domains can be increased by switches (and bridges) because switches filter and forward frames based on source and destination MACs. That ability is also called microsegmentation of the network. Switches still forward all frames with FFFF:FFFF:FFFF as destination MAC address because it's a broadcast frame. Only routers do not forward these BC's. So, each switch port is its own collision domain and routers break up broadcast domains!

Layer 2 switches have these four advantages over bridges:

A high-speed backplane that enables multiple simultaneous conversations to occur.
Data-buffering capabilities that store and forward packets to the correct ports or port.
Higher port densities versus bridges.
Lower latency than bridges. Layer 2 switches are implemented in hardware, allowing millions of bits per second to be transmitted at the same time.

Day 26: Network Physical Media

2010-01-03T09:15:00.000-08:00

Before finally moving on to working with swiches, we can review a bit by viewing a short study video available at the Cisco Learning Home page:

Understanding the TCP/IP Internet Layer:
https://learningnetwork.cisco.com/docs/DOC-1301

A directed-broadcast address is an address that has all 1s in the host field. It allows the network administrator to address every host on a subnet. When directed broadcast is enable (directed-broadcast command) a router translate of layer 3 broadcast into layer 2 broadcast. It can be use to target all host in subnet to perform remote management or administration services (WOL, DHCP relay).

Unshielded twisted-pair (UTP) cabling is a type of twisted-pair cable that relies solely on the cancellation effects produced by the twisted wire pairs to limit electromagnetic interference (EMI) and radio frequency interference (RFI). UTP cable is often installed using an RJ-45 connector, and UTP cabling must follow precise specifications dictating how many twists are required per meter of cable. The advantages of UTP are ease of installation and low cost. A disadvantage of UTP is that it is more prone to EMI than other types of media.
Shielded twisted-pair (STP) cable combines the twisting techniques of UTP, but each pair of wires is wrapped in a metallic foil. The four pairs of wires are then wrapped in a metallic braid or foil. STP reduces electrical noise and EMI. STP is installed with an STP data connector but can also use an RJ-45 connector. An advantage of STP is that it is more resistant to outside interference; a disadvantage is that it is more expensive and difficult to install.
Both UTP and STP have a maximum cable length of 100m.

A coaxial cable carries electrical signals over a copper wire and is capable of longer lengths than UTP.
Fiber-optic cables send and receive data with pulses of light. Multimode is less expensive than single-mode but cannnot go such long distances (2000m for multimode).

TIA/EIA defines the wiring schemes T568A and T568B for network cables.
A straight-through cable is used to connect unlike devices, like switch to router, hub to pc, switch to pc - think of it things that are meant to be connected! They're wired the same way at both ends. This cable uses pins 1, 2, 3, and 6. The send and receive wires are not crossed.
Crossover cables are used to connect like devices, like pc to pc, hub to hub, switch to switch but also hub to switch! It's a cable that has the send and receive wires crossed at one of the ends. In a Category 5 cable, the 1 and 3 wires are switched and the 2 and 6 wires are switched at one end of the cable.
A console cable is used to connect to the console port on a router or switch for configuring the device. It's also called a rolled cable.
A serial cable is used to connect a router to an Internet connection.

Ethernet IEEE 802.3 (10BASE or baseband signal rate of 10Mbps)

10BASE2: Known as thin Ethernet, this specification uses thin coaxial cable as its medium and provides access for multiple stations on the same segments.
10BASE5: Called thick Ethernet, this specification uses a thick coaxial cable as its medium. The maximum segment length of 10BASE5 is over twice that of 10BASE2.
10BASE-T: This specification provides access for a single station only, so all stations connect to a switch or hub. The physical topology of 10BASE-T is that of a star network. It uses unshielded twisted-pair (UTP) cable Category 3, 4, 5, and 5e as its network medium.

Fast Ethernet IEEE 802.3u (raises Ethernet standard of 10Mbps to 100Mbps)

100BASE-FX: Uses two strands of multimode fiber-optic cable as its medium and has a maximum segment length of 400 meters.
100BASE-T: Defines UTP as its medium and has a maximum segment length of 100 meters.
100BASE-T4: Uses four pairs of Cat 3 to 5 UTP as its medium. It maximum segment length is 100 meters.
100BASE-TX: Specifies two pairs of UTP or shielded twisted-pair (STP) cable as its medium with a maximum segment distance of 100 meters.

We also have these Gigabit possibilities:

1000BASE-T: 100 meters
1000BASE-LX: 550 meters for multimode fiber, 10 km for single-mode fiber
1000BASE-SX: 250 meters for multimode fiber, 550 meters for single-mode fiber
1000BASE-CX: 25 meter

Day 27: Troubleshooting and LAN versus WAN

2010-01-01T05:59:00.000-08:00

The OSI and TCP/IP models provide an excellent framework for troubleshooting. You can isolate the network issues to a particular layer and test the protocols and configurations for that layer.
You can work top down, starting with the application layer (are other apps working?), or bottom up, are the problems caused by media connections or power to a device. Experienced troubleshooters will often begin at the layer indicated by the symptoms of a particular problem, this is called divide and conquer. In addition to this you could troubleshoot through trail and error or substitution.

ipconfig shows the IP configuration.
ping tests the network layer connectivity between devices.
tracert tests connectivity and displays each hop.
netstat shows current TCP/IP network connections to the device and protocol statistics.
nslookup queries the configured name serve for DNS information.

As a reminder of yesterday: a physical topology represents the location of the hardware and the logical topology represents how the devices use the network.
LANs today often represent the logical grouping of hosts for a single organization. Network administrators typically refer to the network they maintain in their building(s) as a LAN or a private intranet. LANs support high data transfer rates over Ethernet or wireless protocols in a smaller geographic area.
A wide-area-network (WAN) provides relatively lower data transfer rates over a larger geographical area. These connectivities can be symmetric or assymetric. An assymetric connection typically has a faster download speed than upload speed. Symmetric connections on the other hand provide the same upload an download speed.

These are some WAN connections:

A point-to-point (PPP) connection provides a specific dedicated path through the TSP network to connect two LANs over large distances.
A circuit-switched WAN connection allows the client to create and close connections over the TSP network (uses the entire connection), operates lke a phone call - an example is ISDN.
A packet-switched WAN connection allows multiple clients to share a single connection (uses a virtual circuit). An example is Frame Relay.

WANs operate at the physical and data link layers of the OSI model.

Day 28: Network Diagrams and Topology

2009-12-31T14:25:00.000-08:00

A physical topology displays actual device and wiring locations to help you efficiently locate and troubleshoot devices - we have bus, ring, mesh, star or extended star topologies. It maps the location of OSI Layer 1 devices and media. So it refers to the physical layout of devices and network media.
A logical map of the network topology groups hosts and devices by how they use the network. A logical topology map displays hostnames, address groups, network access and applications on a network. The logical topology identifies the Layer 1 devices but focuses on the Layer 3 addressing, access and upper-layer applications, regardless of location. It refers to the logical paths in which data accesses the media and transmits packets accross it. Ethernet uses a logical bus topology and either a physical bus or star topology.

The backbone for the Internet are IXPs (Internet Exchange Points) and NAPs (Network Access Points), ISPs use these to connect to each other.

An Ethernet address or media access control (MAC) address provides a unique identity for a host but does not provide information about the host's location, typically burned into the adapter and usually displayed in a hexadeximal format. The first 24 bits are vendor specific (OUI), the other are vendor assigned. The Internet Protocol (IP) address identifies the location of a host in a divided hierarchical network - remember: access, distribution and core layer.

A hub is a multiport device that simply regenerates a received signal to all ports except the port where the signal is received. The bandwith is shared and only one device can communicate at a time. All connected devices are in the same collission domain. Even with a collision will the hub forward the frame with errors out all ports where it'll be discarded by the NIC.

A switch is also a multiport device that reads each frame's MAC address, maintains a MAC table of which hosts are attached to which port, and forwards frames based on the destination MAC address. Bandwith is not shared between the switch creates temporary circuits, so each port is its own collision domain! When a MAC is not yet learned the swith'll flood the frame out all other ports. Frames with errors or with same source and destination will not be forwarded.

Switches have these advantages over bridges:

a high-speed backplane that enables multiple simultaneous conversations to occur.
data-buffering capabilities that store and forward packets to the correct ports or port.
higher port densities versus bridges.
lower latency than bridges. Layer 2 switches are implemented in hardware, allowing millions of bits per second to be transmitted at the same time.

A network with switches and hubs form a single broadcast domain. Broadcast messages (to all other hosts on a network) use all F's as the destination MAC address. When only the IP address of the destination is known , the sending host can use address resolution protocol (ARP) - also check my other post concerning gratuitious arp. ARP is a local broadcast sent to all devices on the local segment to find the MAC address of a host.

Remember these things about routers:

they connect networks and route packets to their destination networks.
routers can look at the MAC address to determine a frame's destination, but also decapsulate the frame to look at the destination IP address located in the header of the IP packet.
routers look at the network portion of the destination IP address, re-encapsulate the packet and forward it to its destination.
routers maintain a routing table of connected networks, it's referenced to determine which interface connects to thet destination network.
routers do not forward frames with a broadcast MAC address, so each port is its own broadcast domain. It's clear now that routers divide broadcast domains.
routers drop packets when it has no entry for a destination network (use a default route).

A Lan segment is a network connection made by a single unbroken network cable, they are limited by physical distance. You can extend it by using hubs, repeaters, bridges and switches.

Day 29: Layered Model Protocols

2009-12-30T11:29:00.000-08:00

The IEEE 802.3 Committee develops the standards for Ethernet technologies, here are some important ones:

DIX: Digital Intel and Xerox for 10Mbps over coaxial cable
IEEE 802.3 10BASE-5: 10Mbs baseband over coaxial cable (thicknet), 500m distance
IEEE 802.3a 10BASE-2: 10Mbs baseband over coaxial cable (thinnet), 200m distance
IEEE 802.3i 10BASE-T: 10Mbs baseband over twisted-pair copper, 100m distance
IEEE 802.3j 10BASE-F: 10Mbs baseband over fiber
IEEE 802.3u 100BASE-T: 100Mbs baseband over twisted pair
IEEE 802.3z 1000BASE-X: 1 Gbps baseband over fiber
IEEE 802.3an 10G BASE-T: 10Gbps over twisted pair

The two most common Transport layer protocols are TCP (protocol number 6) and User Datagram Protocol (UDP, protocol number 17). UDP, in contrary to TCP does not acknowledge or retransmit segments. These transport layer protocols use ports to identify a service. The client uses a destination port, source port (16 bits and unregistered in the 1025 to 65535 range), destination IP address and source IP address to create a socket that identificies the server and service. The combination of a port and Layer 3 IP address creates a socket.

21 - FTP, client makes request on server on port 21 (command), server responds with data on port 20 (data transfer)
22 - SSH
23 - Telnet
25 - SMTP
53 - DNS
67 - DHCP, messages from a client to a server are sent to the 'DHCP server' port (67), and DHCP messages from a server to a client are sent to the 'DHCP client' port (68)
69 - TFTP
80 - HTTP
110 - POP3
143 - IMAP4
161 - SNMP
443 - HTTPS, uses Secure Socket Layer (SSL)
520 - RIP

Many well-known applications have assignments to well-known ports, the range for these well-known or registered ports is 0 to 1023. Applications will use these as destination but a client will dynamically select a port as source from the range 1024 to 65535.
TCP is a connection-oriented protocol, while UDP is connectionless and more a best-effort attempt. TCP uses a three-way handshake, this is summarized in sending a SYN request, SYN-ACK reply and the ACK to conmplete the connection. TCP is reliable with acknowledgment, checksums, timers, retransmission, windowing, flow control, packet sequencing. UDP is unreliable and if needed other layers should implement reliability. Off course, this means that TCP has more overhead. Reliability is measured by the mean time between failures (MTBF) and mean time to repair (MTTR), redundant hardware/connections helps a lot.

Remember that DNS uses both UDP and TCP to send messages, the larger or more important exchanges of information (for example zone transfers), TCP will be used because of its reliability and ability to handle messages of any size.

Remember that IP is a connectionless protocol, uses hierarchical addressing, delivers data on a best-effort basis and has no built-in data recovery.

Session multiplexing is provided by the transport layer. It multiplexes several sessions onto one logical link and keeps track of which messages belong to which sessions (session layer). An example is a single computer with one IP address that has several websites open at once.

Windowing (flow control) allows the sender to transmit a specified number of unacknowledged segments. The window field is a number that implies the maximum number of unacknowledged bytes allowed outstanding at any time.

Ethernet 802.3 is based on the CSMA/CD process, specifies the physical layer and the MAC portion of the data link layer.

The NIC communicates with the network through a serial connection and communicates with the computer through a parallel connection.

Four functions of ICMP are flow control, detect unreachable destinations, redirect routes and check remote hosts.

Day 30: Layered Model Applications

2009-12-29T11:46:00.000-08:00

Don't forget to distinguish between the Open Systems Interconnection (OSI) model and the Transmission Control Protocol/Internet Protocol (TCP/IP) model - stacks made up of layers.

The TCP/IP model has four layers:

Application layer (http, data)
Transport layer (TCP, UDP, segments)
Internet layer (IP, ICMP, ARP, RARP, packets)
Network acces layer (frames, bits)

The OSI model has seven layers:

Application (ftp, http, dns, dhcp, snmp, telnet, smtp, data)
Presentation (mime, ssl, shells, ascii, .txt, also known as the translator, data)
Session (SQL, API, RPC, NetBIOS, data)
Transport (TCP, UDP, segments)
Network (IP, NAT, packets)
Data link (MAC, error correction, FDDI, HDLC, Frame Relay, frames)
Physical (bits)

If you compare both models, its important to remember that the Network access layer of TCP/IP is the same as the first two OSI-layers (data link and physical)!
The OSI upper layers deal with the data's format, organization and communication. The lower layers implement protocols to transport and route data across a network.
Don't forget that a layered model has several benefits: helps design of protocols, interoperability of vendors, changing one technology without affecting other layers, common terminology to teach and learn.

The data link layer has two sublayers to provide physical media indepedence: the upper logical link control (LLC) layer and the lower media access control (MAC) layer. The Ethernet protocol operates at the data link and physical layer of the OSI model!
LLC: what to do with a packet after it is receive.
MAC: how data is placed and transported over the physical wire.

The layers communicate with each other using service access points (SAP) and protocol data units (PDU).
Encapsulation wraps data with the necessary protocol information before network transmission.

Day 31: Network Components and Operation

2009-12-28T10:31:00.000-08:00

We have a three-layer hierarchical model:

Access layer devices that connect hosts on a LAN to provide users with access (hubs, bridges and switches).
Distribution layer devices that provide connectivity between LANs, obviously we find routers here.
Core layer devices that provide high-speed connectivity between distribution layer devices.

A hub is an ethernet networking device with multiple ports that regenerates a signal it receives on one port to all other ports. The bandwith is shared by all devices and if two send at the same time we get collisions. Think of it as a multiport repeater.

The switch is a multiport networking device that looks at the destination physical address of a received frame on one port to forward the frame to the port where that host is connected. Communication is through temporary circuits, avoiding collisions.

A bridge is a two-port switch that can be used to divide a large, hub-based collision domain.

Routers look at the destination IP address of a received packet and forward the packet to its destination network. They also determine the best path for a packet to its destination network.

Interconnections are a physical component that provides a means for data to travel accross the network, this includes NICs, network media and connectors.
Remember that collaborations and databates are two of the most common network applications.
Batch applications are started and complete on their own without further interaction, Interactive apps are requested from a server by a user who then waits for a reply.
A physical topology defines the physical components of the network like cables, devices while the logical topology defines the data path of the network.
Passive attack refers to monitoring and gathering data, close-in is also gaining close proximity for a wireless tap. Active is trying to break or bypass security. Access attacks are exploiting known flaws (passwords, man-in-the-middle, trojan horses, etc.).
Always use SSH (or SSL and IPsec) because it encrypts all data, telnet sends it all in clear text.

About networks: a main office can have hundreds or thousands of people who depend on network access. Its a connected collection of devices that can communicate with each other and the purpose is to create a means to provide all workers with access to all information and components that are accessible by the network.
The purpose of network interconnections is to provide a means for data to travel from one point to another.
The main threath to a closed network is misuse by employees.

31 Days Before Your CCENT Certification

2009-12-28T10:06:00.000-08:00

I took the ICND1 course at globalknowledge which was quite good and to reinforce everything I decided to follow the book "31 Days Before Your CCENT Certification". I'll try to post summaries for most of the days.

Other stuff I'll use are CBT Nuggets, CCNA Flash Cards, Packet Tracer, GNS3 and the Cisco Learning Network page.

There are loads of good sites which I'll try to share as well.

Ok, let's start!

Gratuitous ARP

2009-12-20T10:24:00.000-08:00

Gratuitous ARP could mean both gratuitous ARP request or gratuitous ARP reply. Gratuitous in this case means a request/reply that is not normally needed according to the ARP specification (RFC 826) but could be used in some cases. A gratuitous ARP request is an Address Resolution Protocol request packet where the source and destination IP are both set to the IP of the machine issuing the packet and the destination MAC is the broadcast address ff:ff:ff:ff:ff:ff. Ordinarily, no reply packet will occur. A gratuitous ARP reply is a reply to which no request has been made.

Full explanation can be found at wireshark:
http://wiki.wireshark.org/Gratuitous_ARP

difference between banner login and banner motd

2009-12-20T06:54:00.000-08:00

Both are shown before login but banner motd is shown first.

For banner login you need to have the login command. If you configure no login under the line config, the login banner will never show.

The following config:
banner login ^C
This is a login banner
^C
banner motd ^C
This is a MOTD banner
^C
!
line con 0
password cisco
login

will give this output when connecting to the console:

This is a MOTD banner

This is a login banner

User Access Verification
Password: