Monday, 31 May 2010

Linux monitoring, log and traffic analysis

First of all, here is a good link with a comprehensive list of monitoring tools for Linux:
20 Linux System Monitoring Tools Every SysAdmin Should Know

Monitoring performance
  • top - standard utility for monitoring CPU, processes, memory and load average.
  • htop - an enhanced top; more convenient to use, in my opinion.
  • ps - can also be used to look at memory and CPU usage per process, for example: ps ux
  • free - shows information about RAM. Usually the most interesting figure is the amount of free RAM in megabytes not counting buffers and cache:

server:/home/user# free -m
             total       used       free     shared    buffers     cached
Mem:          2003       1330        673          0         83        865
-/+ buffers/cache:        381       1621
Swap:         3514          0       3514

In this example the amount of free RAM is 1621 megabytes.
  • Load average - consists of 3 numbers: the load average for the last 1, 5 and 15 minutes. The load average tries to measure the number of active processes at any time. As a measure of CPU utilization it is simplistic and poorly defined, but far from useless. A system with one program running CPU-intensive tasks has a load average of 1; higher load averages reflect programs competing for the available CPU time. You can also find the current load average via the uptime command, which displays it along with how long the computer has been running. The load average can be useful for detecting runaway processes: if a system normally has a load average of 0.5 but suddenly gets stuck at 2.5, a couple of CPU-hogging processes may have hung, that is, become unresponsive. Hung processes sometimes needlessly consume a lot of CPU time. Use top to locate them and, if necessary, kill them.

  • uptime

  • sar - a very powerful tool that can monitor almost every subsystem: disk, network, RAM, CPU and more. It runs periodically and stores its statistics in /var/log/atsar.

  • iostat - monitors nfs, cpu and disks.

  • vmstat - monitors virtual memory.

  • hdparm - shows information about hard disks and tests HDD read speed

  • hddtemp - shows HDD temperature

  • smartd - SMART Disk Monitoring Daemon

  • Monitorix

Log analysis
  • logcheck

  • logwatch

User monitoring
  • w

  • whoami

  • who

  • last

  • lastlog

  • finger

Traffic analysis
  • iptraf - a very nice interactive program that monitors various network parameters in real time.

  • iftop - monitors bandwidth per host

  • bwm-ng - very simple command-line interactive bandwidth monitor

  • tc - monitors and shapes traffic (Linux traffic control)

  • dsniff - package of various tools, including urlsnarf - for monitoring HTTP requests in real time

  • ntop

  • darkstat - very nice traffic graphing tool with embedded web server.

  • Bandwidth Monitoring Tools For Linux

Security
  • OSSEC - Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

  • OSSIM - Open Source Security Information Management.

  • Samhain


Friday, 28 May 2010

RIP, RIP2, IS-IS

RIP

  • Performs autosummarization by default
  • Doesn't support manual route summarization
  • Doesn't support authentication
  • Sends periodic routing updates as broadcasts
  • Four equal-cost paths are supported by default (6 maximum)

RIP2

  • Best suited for VLSM with minimum overhead
  • Supports manual route summarization
  • Performs autosummarization by default
  • Multicast 224.0.0.9 (IPv4), FF02::9 (IPv6)
  • Supports authentication

IS-IS

  • Link state
  • Supports VLSM
  • Doesn't support autosummarization
  • Supports manual summarization


EIGRP (Enhanced Interior Gateway Routing Protocol)

Some facts

  • It's an enhanced distance-vector protocol.
  • It's classless.
  • Supports manual route summarization
  • Performs autosummarization by default
  • Network layer.
  • The range of valid AS numbers is 1 through 65,535
  • The fastest convergence
  • It uses the concept of an autonomous system.
  • Wildcard masks are used
  • Supports MD5 auth
  • It's a hybrid routing protocol because it has characteristics of both distance-vector and link-state protocols.
  • EIGRP has a maximum hop count of 255 (the default is set to 100).
  • It provides routing support for multiple Network layer protocols: IP, IPX, AppleTalk, and now IPv6
  • Communication uses the Reliable Transport Protocol (RTP), a Cisco proprietary protocol for transmitting EIGRP messages between routers. It can provide reliable packet delivery when necessary, using sequence numbers, acknowledgements and unicast retransmission (a packet is retransmitted up to 16 times if no acknowledgement is received before the neighbor router is declared dead).
  • Diffusing Update Algorithm (DUAL). It is used to find a route to a network when the successor fails and there is no feasible successor: the router queries its neighbors for a route.
  • Techniques: split horizon, poison reverse.
  • Concepts:



  1. Reported distance (RD) - the distance to the remote network as reported by the neighbor router.
  2. Feasible distance (FD) - the best metric along all paths to a remote network, including the metric to the neighbor that is advertising that remote network. This is the route you will find in the routing table, because it is considered the best path.
  3. Successor - the next-hop router with the best metric; it is placed in the router's routing table. There may be several successors if they have equal metrics.
  4. Feasible successor - a backup next-hop router. EIGRP keeps up to six feasible successors in the topology table. If a non-successor route's RD is less than the FD, the route is a feasible successor route.


  • All data is stored in three tables:

  1. Neighbor table - stores data about neighboring routers.
  2. Topology table - contains the aggregation of the routing tables gathered from all directly connected neighbors. Successors and feasible successors for routes are also kept in this table. A destination may be passive or active: passive means the route is stable, active means the route is being recomputed. In Cisco routers a route may be in one of the states Passive, Active, Update, Query or Reply.
  3. Routing table - contains all actual routes with their successors and, if load balancing is enabled, possible feasible successors.


  • It uses 4 metric components (by default only delay and bandwidth are used):

  1. Total delay (the sum of the delay values of all links in the route, in units of tens of microseconds)
  2. Minimum bandwidth (the lowest-bandwidth link in the route, in kilobits per second)
  3. Reliability (a number from 1 to 255; 255 is the most reliable)
  4. Load (a number from 1 to 255; 255 means saturated)


  • The router uses this formula to calculate the overall metric:

metric = (10^7 / least bandwidth + cumulative delay) * 256

Bandwidth - kilobits per second (the lowest along the path).

Delay - tens of microseconds (summed along the path).

Here k1=1, k2=0, k3=1, k4=0, k5=0 by default (only bandwidth and delay are used). You can change their values with the command:

Router(config-router)#metric weights …
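
The metric formula and the successor / feasible successor rules above, worked in code as an added example (not from the original post); the link speeds, delays and neighbor names are constructed:

```python
# Added example (not from the original post): the classic EIGRP composite
# metric and the successor / feasible successor selection described above.
# Link speeds, delays and neighbor names below are constructed.


def eigrp_metric(links, k1=1, k2=0, k3=1, k4=0, k5=0, reliability=255, load=1):
    """Classic 32-bit EIGRP metric for a path made of `links`.

    links: list of (bandwidth_kbps, delay_us) per hop.  The slowest link
    sets the bandwidth term; the delays are summed and expressed in tens
    of microseconds, exactly as the formula above does.  With the default
    K values (K1=K3=1, the rest 0) only bandwidth and delay contribute.
    """
    least_bw = min(bw for bw, _ in links)
    bw_term = 10**7 // least_bw                       # IOS truncates here
    delay_term = sum(delay for _, delay in links) // 10
    metric = k1 * bw_term + k3 * delay_term
    if k2:                                            # load term, off by default
        metric += (k2 * bw_term) // (256 - load)
    if k5:                                            # reliability term, off by default
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def classify_paths(topology):
    """topology: neighbor -> (link_to_neighbor, links_from_neighbor_to_dest).

    Reported distance (RD) is the neighbor's own metric to the destination;
    the distance via that neighbor also includes our link to it.  The lowest
    total is the feasible distance (FD); every path achieving it is a
    successor, and a non-successor whose RD is lower than FD is a feasible
    successor (a loop-free backup usable without a DUAL query).
    """
    rows = {}
    for nbr, (link_to_nbr, nbr_links) in topology.items():
        rd = eigrp_metric(nbr_links)
        total = eigrp_metric([link_to_nbr] + nbr_links)
        rows[nbr] = (rd, total)
    fd = min(total for _, total in rows.values())
    successors = sorted(n for n, (_, total) in rows.items() if total == fd)
    feasible = sorted(n for n, (rd, total) in rows.items()
                      if total != fd and rd < fd)
    return fd, successors, feasible


# Constructed topology: three neighbors offering a path to the same subnet.
T1 = (1544, 20000)            # 1544 kbit/s, 20000 us (IOS serial defaults)
SERIAL_256K = (256, 20000)
SERIAL_64K = (64, 20000)
FAST_ETHERNET = (100000, 100)
ETHERNET = (10000, 1000)

TOPOLOGY = {
    "R1": (T1, [T1]),                      # two T1 hops end to end
    "R2": (FAST_ETHERNET, [SERIAL_64K]),   # fast to R2, slow behind it
    "R3": (SERIAL_256K, [ETHERNET]),       # slow to R3, fast behind it
}

if __name__ == "__main__":
    print("single T1 hop:", eigrp_metric([T1]))       # 2169856
    fd, succ, feas = classify_paths(TOPOLOGY)
    print("FD:", fd, "successors:", succ, "feasible successors:", feas)
```
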


  • Administrative distance - 90 for internal routes (within one AS) and 170 for external routes (from a different AS or redistributed from another protocol).
  • Multicast 224.0.0.10 for Hello messages, but updates can also be sent to a unicast address. FF02::A for IPv6.
  • EIGRP provides equal-cost load balancing over up to four links by default; up to 16 links can be used with the command:

(config-router)#maximum-paths

  • EIGRP can provide unequal-cost load balancing with the command variance.

  • Routers first have to establish a neighbor relationship; for that, the following conditions must be met:

  1. Hello or ACK received
  2. AS numbers match
  3. Identical metric weights (K values)
  4. Authentication passed
  5. The same subnet


Show commands

show ip eigrp topology all-links

Shows all routes, not only successors and feasible successors.

Debugging

debug eigrp packets

Displays the contents of EIGRP packets.

debug eigrp fsm

Displays changes to the EIGRP successor and feasible successor routes.

debug ip eigrp

Displays output similar to the debug eigrp packets command, but specifically for IP.



EIGRP packet types

  • Hello packet - used for discovering neighbors and maintaining the neighbor relationship. It is sent to neighbors periodically (the hello interval). Default hello intervals: non-broadcast multi-access (NBMA) networks with bandwidth …; other networks (Ethernet, point-to-point serial links, high speed Frame Relay, etc.) - 5 seconds. A neighbor is assumed dead if no hello from that neighbor is received before the hold timer expires (default: 3 times the hello interval); all routes learned from that neighbor are then deleted. Neighbor routers can use different hello and hold-time intervals; a router tells its neighbors its hold time in its hello packets. Sent as multicast. No acknowledgement is required (unreliable delivery).
  • Update packet - used for sending routing information to neighbors: a full update (the whole topology table) during initialization of the routing process, and incremental updates (only the paths that changed) when there is a change in the network topology or a metric. Sent to the relevant routers as unicast or multicast. Acknowledgement is required (reliable delivery).
  • Query packet - used to ask neighbors whether they have a feasible successor for a destination network. It is sent during a diffusing computation. Sent as multicast. Acknowledgement is required (reliable delivery).
  • Reply packet - used to reply to a query with the requested routing information (e.g. the best path to the destination network, or destination unreachable). Sent as unicast. Acknowledgement is required (reliable delivery).
  • Acknowledgement (ACK) packet - acknowledges receipt of an update, query or reply packet. Sent as unicast. No acknowledgement is required (unreliable delivery).
  • Redistribution is required when more than one EIGRP session or process is running and they are identified by different ASNs. Redistribution shares topology information between EIGRP sessions.


OSPF routing protocol

Some facts
  • Supports variable-length subnet masking (VLSM, CIDR)
  • Reduces the routing overhead using areas
  • Doesn't perform route autosummarization by default
  • Supports manual route summarization
  • OSPF allows only equal-cost load balancing
  • It is an Interior Gateway Protocol (IGP)
  • OSPF uses the SPF algorithm, conceived by a mathematician named Dijkstra.
  • It supports IP and IPv6
  • The area-id can be an integer between 0 and 4294967295
  • Link layer
  • Uses Dijkstra's SPF algorithm
  • Unlimited hop count
  • OSPF is supposed to be designed in a hierarchical fashion, which basically means that you can separate the larger internetwork into smaller internetworks called areas. The reasons for creating OSPF in a hierarchical design are:
  1. To decrease routing overhead
  2. To speed up convergence
  3. To confine network instability to single areas of the network
  • Uses areas; area 0 is the backbone area
  • By default 4 equal-cost routes to one destination are kept in the routing table. It can also be configured with:

Router(config-router)#maximum-paths number
  • Multicast addresses 224.0.0.5 (all SPF/link state routers, also known as AllSPFRouters) and 224.0.0.6 (all Designated Routers, AllDRouters) are reserved for OSPF (RFC 2328) and FF02::5, FF02::6 for IPv6
  • The router types are attributes of an OSPF process. A given physical router may have one or more OSPF processes. OSPF defines the following router types:
  1. Area border router (ABR) - routers that connect other areas to the backbone area within an AS. An ABR is a router that connects one or more OSPF areas to the main backbone network. It is considered a member of all areas it is connected to. An ABR keeps multiple copies of the link-state database in memory, one for each area to which that router is connected.

  2. Autonomous system border router (ASBR) - An ASBR is a router that is connected to more than one AS and that exchanges routing information with routers in other ASs. ASBRs typically also run a non-IGP routing protocol (e.g., BGP), or use static routes, or both. An ASBR is used to distribute routes received from other ASs throughout its own AS.

  3. Internal router (IR) - An IR is a router that has only OSPF neighbor relationships with routers in the same area.

  4. Backbone router (BR)
  • An area border router is always a backbone router, but a backbone router is not necessarily an area border router


Becoming neighbors
  • To become neighbors:
  1. The same area ID
  2. Authentication - the same password
  3. The same hello and dead intervals
  4. The same subnet and subnet mask
  • Hello packets are sent every 10 seconds, addressed to 224.0.0.5
  • The dead interval is 4 * the hello interval, i.e. 40 seconds; after it expires the neighbor is shown as "Down" in the neighbor table
Neighbor states:
  1. Down
  2. Init
  3. 2-Way
  4. Full

DR & BDR
  • DR and BDR are elected on broadcast and non-broadcast multi-access networks
  • The DR is elected by the interface priority (see show ip ospf interface); if the priorities are identical, the router ID decides
  • The router with the highest OSPF priority setting becomes the DR.
  • A priority setting of 0 means that the router does not participate in the election and can never become the DR or BDR.
  • The range of priority values that allow a router to be a candidate is 1 through 255.
Router ID (RID) is:
  • the router-id rid OSPF subcommand, OR
  • the highest numeric IP address among the up/up loopback interfaces, OR
  • the highest IP address of a logical interface configured on the router
Path cost
  • Routes are calculated based on bandwidth
  • An OSPF router collects link-state information to construct the entire network topology of the so-called "areas", from which it computes the shortest path tree for each route using a method based on Dijkstra's algorithm
  • The cost of the entire path is the sum of the costs of the outgoing interfaces along the path
  • Cisco uses the simple equation 10^8 / bandwidth (in bits per second)
  • OSPF has an administrative distance of 110
  • In contrast to the Routing Information Protocol (RIP) or the Border Gateway Protocol (BGP), OSPF does not use TCP or UDP but uses IP directly, via IP protocol 89. OSPF handles its own error detection and correction, therefore negating the need for TCP or UDP functions
  • The OSPF protocol can operate securely between routers, optionally using a clear-text password or MD5 to authenticate peers before forming adjacencies and before accepting link-state advertisements (LSAs)
  • As a link state routing protocol, OSPF establishes and maintains neighbour relationships in order to exchange routing updates with other routers. The neighbour relationship table is called an adjacency database in OSPF. Provided that OSPF is configured correctly, OSPF forms neighbour relationships only with the routers directly connected to it. The routers it forms a neighbour relationship with must be in the same area as the interface it uses to form that relationship. An interface can only belong to a single area
  • An OSPF network is divided into areas, which have 32-bit area identifiers commonly, but not always, written in the dotted decimal format of an IP address. Area identifiers are not IP addresses and may duplicate, without conflict, any IP address. While most OSPF implementations will right-justify an area number written in other than dotted decimal format (e.g., area 1), it is wise always to use dotted decimal formats. Most implementations would expand area 1 to the area identifier 0.0.0.1, but some have been known to expand it as 1.0.0.0. These are logical groupings of routers whose information may be summarized towards the rest of the network
  • There are 4 types of areas: backbone, stub area, totally stubby area, not-so-stubby area
  • Each router has a router identifier, customarily written in the dotted decimal format (e.g.: 1.2.3.4) of an IP address
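
Cisco's interface cost, the path cost, the DR/BDR election and the router ID precedence from the lists above, as an added example that is not from the original post; router IDs, priorities and bandwidths are constructed:

```python
# Added example (not from the original post): OSPF interface and path cost,
# DR/BDR election and router ID selection as described above.  Router IDs,
# priorities and bandwidths below are constructed.
import ipaddress

REFERENCE_BW = 10**8   # Cisco default reference bandwidth, bit/s


def ospf_cost(bandwidth_bps, reference_bps=REFERENCE_BW):
    """Interface cost = reference bandwidth / interface bandwidth, truncated
    and never below 1.  Every link of 100 Mbit/s or faster therefore costs 1
    unless the reference bandwidth is raised (auto-cost reference-bandwidth)."""
    return max(1, reference_bps // bandwidth_bps)


def path_cost(bandwidths_bps):
    """Cost of a path = sum of the outgoing interface costs along it."""
    return sum(ospf_cost(bw) for bw in bandwidths_bps)


def _ip_value(addr):
    return int(ipaddress.IPv4Address(addr))


def elect_dr_bdr(routers):
    """routers: list of (router_id, priority) on one multi-access segment.

    Priority 0 never takes part.  The highest priority wins; equal priorities
    are broken by the numerically highest router ID.  The runner-up becomes
    the BDR.  This models the election on a segment with no DR yet; an
    existing DR is not preempted when a better candidate shows up later.
    """
    candidates = [(rid, pri) for rid, pri in routers if 1 <= pri <= 255]
    ranked = sorted(candidates, key=lambda r: (r[1], _ip_value(r[0])),
                    reverse=True)
    dr = ranked[0][0] if ranked else None
    bdr = ranked[1][0] if len(ranked) > 1 else None
    return dr, bdr


def router_id(configured=None, loopbacks=(), interfaces=()):
    """Precedence: the router-id command, then the highest IP among up/up
    loopback interfaces, then the highest IP among the other interfaces."""
    if configured:
        return configured
    for pool in (loopbacks, interfaces):
        if pool:
            return max(pool, key=_ip_value)
    return None


if __name__ == "__main__":
    print("T1 cost:", ospf_cost(1544000), " 10 Mbit/s cost:", ospf_cost(10**7))
    print("path cost:", path_cost([10**8, 1544000, 10**7]))
    segment = [("1.1.1.1", 1), ("2.2.2.2", 0), ("3.3.3.3", 1), ("10.0.0.1", 200)]
    print("DR, BDR:", elect_dr_bdr(segment))
    print("RID:", router_id(None, ["10.1.1.1", "172.16.1.1"], ["192.168.1.1"]))
```
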
Configuration

router ospf 1 (process ID 0 is not allowed)
Router(config-router)# network 192.168.10.0 0.0.0.255 area 0
Show commands
show ip ospf - display details of all OSPF routing processes enabled on a router.
show ip ospf interface - display interface-specific OSPF information.
show ip ospf neighbor - display all OSPF neighbors.
show ip ospf database - display all different OSPF route types that are currently known by the router.

Thursday, 20 May 2010

X server in Linux: facts and tips

Some facts:

  • The X server accepts TCP connections on port 6000 + display number; for example display :4 listens on port 6004/TCP.
  • You can start X with the startx script or via a display manager (an XDMCP, X Display Manager Control Protocol, server) such as kdm, xdm or gdm.
  • startx - a bash script, a front end to xinit that provides a somewhat nicer user interface for running a single session of the X Window System. It is often run with no arguments and uses the user's .xinitrc file.
  • xinit - used to start the X Window System server and a first client program.
  • xterm - a terminal for the X environment
  • When an X application starts, it connects to the X display specified in the DISPLAY environment variable. A display name consists of three parts, host:display.screen, for example osiris:0.0. If the display number is zero, the application connects to TCP port 6000; if the display number is 1, to TCP port 6001, and so on.
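
A parser for the DISPLAY format just described, added here (not part of the original post); it maps a display name to the TCP port the X server listens on, and the host names in the samples are constructed:

```python
# Added example (not from the original post): parse host:display.screen and
# work out where the X server is reached.  Host names below are constructed.
import re

DISPLAY_RE = re.compile(r"^(?P<host>[^:]*):(?P<display>\d+)(?:\.(?P<screen>\d+))?$")
X_BASE_PORT = 6000


def parse_display(display):
    """Split a DISPLAY value into host, display number and screen.

    An empty host (":0") or the literal "unix" means a local UNIX-domain
    socket; any other host means TCP port 6000 + display number on that
    host.  The screen part is optional and defaults to 0.
    """
    m = DISPLAY_RE.match(display)
    if not m:
        raise ValueError(f"malformed DISPLAY value: {display!r}")
    host = m.group("host")
    number = int(m.group("display"))
    screen = int(m.group("screen") or 0)
    local = host in ("", "unix")
    return {
        "host": None if local else host,
        "display": number,
        "screen": screen,
        "transport": "unix" if local else "tcp",
        "port": None if local else X_BASE_PORT + number,
    }


# Constructed samples: the post's osiris:0.0, the remote-launch case B:0.0,
# a second local server started with "startx -- :1", display :4, and the
# DISPLAY that ssh -X sets on the server side (sshd starts its forwarded
# displays at 10 by default, so the listener is on port 6010).
SAMPLES = ["osiris:0.0", "B:0.0", ":1", "osiris:4", "localhost:10.0"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:16} -> {parse_display(sample)}")
```
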


Launch X applications remotely via network

Suppose we want to launch gcalctool on computer A and see it on computer B. First we need to allow network connections to the X server on computer B. To accomplish this, the X server must be started without the "-nolisten tcp" option. Usually X is started via a display manager; for GDM, for example, change DisallowTCP=true to false in the GDM configuration file.

Next add computer A to the access list on computer B:

xhost +A

Then log in from computer B to computer A via telnet or ssh and set the DISPLAY environment variable there:

export DISPLAY=B:0.0

After this launch gcalctool on computer A and the calculator appears on computer B :)

Note that xhost +A trusts every user on host A, and plain X traffic over the network is not encrypted; this is why the SSH method below is preferable.


Encrypt X connections with SSH

The SSH protocol can tunnel other protocols. It can be used to encrypt and compress X connections:

ssh -C -X user@server

After logging in you can launch X applications. Using SSH is the preferred way to launch X applications remotely. First, it is secure. Second, it is more convenient: you don't need to use xhost, allow TCP connections to the X server or edit the DISPLAY variable.


Tips

  • Start another X server in virtual terminal 8:

startx -- :1 vt8

  • Reconfigure the X server. In Debian:

/etc/init.d/kdm stop
dpkg-reconfigure xserver-xorg

  • In other distributions:

# cd /etc/X11/ && Xorg -configure

  • Display information about the X server:

xdpyinfo

  • Obtain detailed technical information about a specific window:

xwininfo

  • Read all the fonts in the current directory and create a fonts.scale file:

mkfontscale

  • Combine the fonts.scale file with the fonts.dir file, creating it if it doesn't already exist:

mkfontdir

  • Add a font path to a running system:

$ xset fp+ /your/font/directory
$ xset fp rehash

  • Select an X core font for display:

xfontsel

  • Make Xft run through its font directories and create index files:

fc-cache

  • Select which XDMCP server (display manager) to use: in Fedora the /etc/sysconfig/desktop file, in openSUSE /etc/sysconfig/displaymanager, in Debian and Ubuntu via the SysV startup script.
  • XDM's main configuration file is /etc/X11/xdm/xdm-config.
  • Make a screenshot of a remote X server:

xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xpm

Most graphic viewers can open xpm files.







Wednesday, 19 May 2010

Routing

Router functions

  • Packet switching
  • Packet filtering
  • Internetwork communication
  • Path selection


Routing protocols

Routing protocol functions:

  • Learn routing information about IP subnets from neighboring routers
  • Advertise routing information about IP subnets to neighboring routers
  • If more than one possible route exists to reach one subnet, pick the best route based on a metric
  • If the network topology changes, for example a link fails, react by advertising that some routes have failed, and pick a new best route. This process is called convergence.


Classful and classless routing

This is the essence of classful routing: if one part of a major network is known, but the subnet within that major network toward which the packet is destined is unknown, the packet is dropped, even if a default route is configured.

The ip classless command fixes this: with it the router uses the default route in that case.

The ip route command has two basic formats. The command can refer to a next-hop IP address. Alternatively, for static routes that use point-to-point serial links, the command can list the outgoing interface instead of the next-hop IP address.



Static routing

Using static routes is appropriate with stub networks, for example the route from provider to client.



Distance vector loop prevention

  • Route poisoning - when a route fails, the router advertises that route with metric 16 (infinity)
  • Split horizon - in routing updates sent out interface X, do not include routing information about routes that refer to interface X as the outgoing interface. Cisco uses poison reverse instead.
  • Triggered update - when a route fails, do not wait for the next periodic update; send an immediate triggered update listing the poisoned route.
  • Poison reverse - when learning of a failed route, suspend the split-horizon rule for that route and advertise it poisoned.
  • Holddown - the holddown process tells a router to ignore new information about the failed route for a period called the holddown time
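
The loop-prevention techniques above applied to a RIP-style routing table, as an added example that is not from the original post; prefixes, interface names and hop counts are constructed:

```python
# Added example (not from the original post): route poisoning, split horizon,
# poison reverse and holddown on a small RIP-style table.  Prefixes,
# interface names and hop counts below are constructed.
INFINITY = 16          # RIP "unreachable" metric
HOLDDOWN_TIME = 180    # seconds


def build_update(routes, out_iface, poison_reverse=False, failed=()):
    """Build the update sent out `out_iface`.

    routes: dest -> (metric, outgoing interface).
    Route poisoning: failed routes are advertised with metric 16.
    Split horizon: routes whose outgoing interface is out_iface are omitted;
    with poison reverse they are included, poisoned, instead.
    """
    update = []
    for dest, (metric, iface) in sorted(routes.items()):
        if dest in failed:
            update.append((dest, INFINITY))
        elif iface == out_iface:
            if poison_reverse:
                update.append((dest, INFINITY))
        else:
            update.append((dest, metric))
    return update


def process_update(table, holddown, from_iface, update, now):
    """Apply a received update to `table` (dest -> (metric, iface)).

    The receiver adds one hop.  A poisoned route from the current next hop
    marks the route unreachable and starts the holddown timer; while the
    timer runs, every update about that destination is ignored.
    """
    for dest, adv_metric in update:
        if dest in holddown:
            if now < holddown[dest]:
                continue                      # still in holddown: ignore
            del holddown[dest]                # timer expired
        metric = min(adv_metric + 1, INFINITY)
        current = table.get(dest)
        if metric >= INFINITY:
            if current and current[1] == from_iface and current[0] < INFINITY:
                table[dest] = (INFINITY, from_iface)
                holddown[dest] = now + HOLDDOWN_TIME
            continue
        # accept a better route, or any update from the current next hop
        if current is None or metric < current[0] or current[1] == from_iface:
            table[dest] = (metric, from_iface)
    return table


# Constructed sample: a router with two interfaces and three known routes.
ROUTES = {
    "10.1.0.0/16": (1, "Fa0/0"),   # directly connected
    "10.2.0.0/16": (1, "S0/0"),    # directly connected
    "10.3.0.0/16": (2, "S0/0"),    # learned from the neighbor on S0/0
}

if __name__ == "__main__":
    print("split horizon :", build_update(ROUTES, "S0/0"))
    print("poison reverse:", build_update(ROUTES, "S0/0", poison_reverse=True))
    print("10.1 failed   :", build_update(ROUTES, "S0/0", failed={"10.1.0.0/16"}))
```
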


Default gateway

There are 3 methods to configure default gateway:


  • ip default-gateway. It should only be used when ip routing is disabled on the Cisco router.

  • ip default-network. When you configure ip default-network the router considers routes to that network for installation as the gateway of last resort on the router. For every network configured with ip default-network, if a router has a route to that network, that route is flagged as a candidate default route.

  • ip route 0.0.0.0 0.0.0.0








Troubleshooting

show ip protocols

Shows the parameters and current state of the active routing protocol process.







IPv6


IPv6 advantages
  • Address assignment features
  • Aggregation
  • No need for NAT/PAT
  • IPsec
  • Header improvements
  • Transition tools
IPv6 addresses are assigned by ICANN:
ICANN > Regional Internet Registry (RIR) > ISP

Representing IPv6 Addresses
  • Leading zeros in a quartet can be dropped, so a quartet of all zeros becomes a single 0
  • Represent 1 or more consecutive quartets of all hex 0s with a double colon (::), but only for one such occurrence in a given address
  • The last/third major part is the host part of the address, called the interface ID in IPv6, and is meant to uniquely identify a host inside a subnet.
Prefix types
  • Registry prefix: By ICANN to an RIR
  • ISP prefix: By an RIR to an ISP
  • Site prefix: By an ISP to a customer (site)
  • Subnet prefix: By an enterprise engineer for each individual link
Address assignment
  • 2000::/3 - global unicast addresses
  • FF00::/8 - multicast
  • FF02::2 - all routers on this link - multicast destination of router solicitation (RS) messages
  • FF02::1 - all IPv6 nodes on this link - multicast destination of router advertisement (RA) messages
  • FD00::/8 - unique local unicast addresses
  • FE80::/10 - link-local addresses. IPv6 uses these addresses when sending packets over the local subnet; routers never forward packets destined for link-local addresses to other subnets. The host uses its link-local address as the source IP address in the RS message. The host calculates this address itself: the first ten bits are 1111111010, the next 54 bits are 0, and the last 64 bits are the EUI-64 interface ID. Interestingly, routers normally use link-local addresses as the next-hop IP address in IPv6 routes, rather than the neighboring router's global unicast or unique local unicast address.
  • ::1 (127 binary 0s and a 1) - loopback
  • :: - the unspecified (unknown) address
Address configuration
  • Stateful DHCP - the same as IPv4 DHCP, but multicast is used instead of broadcast: FF02::1:2 is reserved in IPv6 for hosts to send packets to an unknown DHCP server, with the routers forwarding these packets to the appropriate DHCP server
  • EUI-64 - configuration of the IP address based on the MAC address. The MAC is split into two 3-byte halves and FFFE is inserted between them. The 7th bit of the first byte of the MAC (the universal/local bit) is also inverted; for a normal globally unique MAC that bit is 0, so it becomes 1
  • Stateless DHCP - most useful in conjunction with stateless autoconfiguration. It can supply the DNS server IP address, but not the host's IP address, and it doesn't remember state information.
  • Stateless autoconfiguration - a host dynamically learns the /64 prefix used on the subnet, and then calculates the rest of its address using an EUI-64 interface ID based on its network interface card (NIC) MAC address. The IPv6 Neighbor Discovery Protocol (NDP) is used to discover the prefix used on the LAN: stateless autoconfiguration uses two NDP messages, router solicitation (RS) and router advertisement (RA), to discover the IPv6 prefix used on the LAN
  • Static assignment - either the full address, or the prefix plus EUI-64 (the last 64 bits of the address are derived from the interface MAC as described above)
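
EUI-64, the link-local address and the :: compression rules from the lists above, worked as an added example (not from the original post); the MAC address and the /64 prefix are constructed:

```python
# Added example (not from the original post): EUI-64 interface IDs, the
# link-local and stateless-autoconfigured addresses built from them, and
# the :: compression rules above.  The MAC and prefix are constructed.
import ipaddress


def eui64_from_mac(mac):
    """Modified EUI-64 from a 48-bit MAC: split it into two 3-byte halves,
    insert FF:FE between them and invert the universal/local bit (7th bit
    of the first byte).  A globally unique MAC has that bit at 0, so it
    ends up set to 1, as the post says."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def compress(addr16):
    """Text form of a 16-byte address: drop leading zeros in each quartet and
    replace the first longest run of two or more zero quartets with ::.
    (RFC 4291 also allows :: for a single zero quartet, as the post says;
    the canonical form of RFC 5952, which Python's ipaddress also produces,
    only shortens runs of two or more.)"""
    if len(addr16) != 16:
        raise ValueError("expected 16 bytes")
    q = [format(int.from_bytes(addr16[i:i + 2], "big"), "x") for i in range(0, 16, 2)]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if q[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and q[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(q)
    return ":".join(q[:best_start]) + "::" + ":".join(q[best_start + best_len:])


def canonical(text):
    """Re-encode any textual IPv6 address with the rules above."""
    return compress(ipaddress.IPv6Address(text).packed)


def link_local_from_mac(mac):
    """FE80::/10 (first ten bits 1111111010), 54 zero bits, then EUI-64."""
    return compress(bytes([0xfe, 0x80]) + bytes(6) + eui64_from_mac(mac))


def slaac_address(prefix, mac):
    """Stateless autoconfiguration: the /64 prefix learned from the RA plus
    the EUI-64 interface ID (what `ipv6 address ... eui-64` does too)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return compress(net.network_address.packed[:8] + eui64_from_mac(mac))


MAC = "00:1A:2B:3C:4D:5E"            # constructed sample MAC

if __name__ == "__main__":
    print("EUI-64    :", eui64_from_mac(MAC).hex())
    print("link-local:", link_local_from_mac(MAC))
    print("SLAAC     :", slaac_address("2001:db8:1:1::/64", MAC))
```
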
Configuration
ipv6 unicast-routing - global command
ipv6 router rip name - global configuration command
ipv6 address address/prefix-length [eui-64] - interface command
ipv6 rip name enable - interface subcommand
Transition
  • Dual stack
  • Tunneling (if both end hosts support IPv6): the IPv6 packet sent by a host is encapsulated into an IPv4 packet
  • Manually configured tunnels (MCT) - created statically, by hand
  • Dynamic 6to4 tunnels - created dynamically, based on the destination IPv6 address
  • Intra-site Automatic Tunnel Addressing Protocol (ISATAP) - another dynamic tunneling method, typically used inside an enterprise. Unlike 6to4 tunnels, ISATAP tunnels do not work if IPv4 NAT is used between the tunnel endpoints
  • Teredo tunneling - tunnels directly between hosts
  • NAT-PT (Network Address Translation-Protocol Translation) - communication between IPv4-only and IPv6-only hosts. A router configured with NAT-PT must know which IPv6 address to translate to which IPv4 address and vice versa. Like traditional NAT, NAT-PT allows static definitions, dynamic NAT and dynamic PAT, which can be used to conserve the configured IPv4 addresses





IP

IP uses packets (the Layer 3 PDU).

Network Address Classes

  • Class A: 1-126. The first bit is 0
  • Class B: 128-191. The first bits are 10
  • Class C: 192-223. The first bits are 110
  • Class D: 224-239 (224.0.0.0 through 239.255.255.255) - multicast addresses
  • Class E: 240-255

Some facts

  • A network address of all 0s is reserved and interpreted to mean "this network or segment."
  • A network address of all 1s is reserved and interpreted to mean "all networks."
  • Network 127.0.0.1 is reserved for loopback tests. It designates the local node and allows that node to send a test packet to itself without generating network traffic.
  • A node address of all 0s is interpreted to mean "network address" or any host on the specified network.
  • A node address of all 1s is interpreted to mean "all nodes" on the specified network; for example, 128.2.255.255 means "all nodes" on network 128.2 (a Class B address)
  • An entire IP address set to all 0s is used by Cisco routers to designate the default route. It could also mean "any network."
  • An entire IP address set to all 1s (255.255.255.255) is a broadcast to all nodes on the current network; sometimes called an "all 1s broadcast" or limited broadcast.
  • ip subnet-zero - allows the use of subnet 0 in the configuration.
  • Configuring the default gateway in Cisco



Reserved IP Address Space

  • Class A: 10.0.0.0 through 10.255.255.255
  • Class B: 172.16.0.0 through 172.31.255.255
  • Class C: 192.168.0.0 through 192.168.255.255
  • 127.0.0.1
  • 169.254.0.0/16 - autoconfiguration (link-local) IP addresses

Addresses that can't be used as unicasts:

  • the 127 network
  • 224-239
  • 240-255
  • the subnet number
  • the subnet broadcast address
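
The address classes, the reserved ranges and the "cannot be used as a unicast" rules above, as an added example (not from the original post) run over constructed sample addresses:

```python
# Added example (not from the original post): classful address classes, the
# private / link-local ranges and the "cannot be a host address" rules
# listed above.  The sample addresses below are constructed.
import ipaddress

CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}
PRIVATE = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.IPv4Network("169.254.0.0/16")


def address_class(addr):
    """Class from the leading bits of the first octet: 0 -> A, 10 -> B,
    110 -> C, 1110 -> D (multicast), 1111 -> E (reserved)."""
    first = ipaddress.IPv4Address(addr).packed[0]
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


def address_scope(addr):
    """'private' for the three reserved blocks above, 'link-local' for
    169.254.0.0/16 autoconfiguration addresses, otherwise 'public'."""
    ip = ipaddress.IPv4Address(addr)
    if any(ip in net for net in PRIVATE):
        return "private"
    if ip in LINK_LOCAL:
        return "link-local"
    return "public"


def unicast_problem(addr, prefixlen=None):
    """Why `addr` cannot be assigned to a host, or None if it can.

    prefixlen defaults to the classful mask; pass the real subnet length to
    check subnet-number / subnet-broadcast on a subnetted network.
    """
    ip = ipaddress.IPv4Address(addr)
    first = ip.packed[0]
    cls = address_class(ip)
    if first == 0:
        return "network 0 means 'this network'"
    if first == 127:
        return "loopback network 127"
    if cls == "D":
        return "multicast (224-239)"
    if cls == "E":
        return "reserved (240-255)"
    plen = CLASSFUL_PREFIX[cls] if prefixlen is None else prefixlen
    net = ipaddress.IPv4Network((str(ip), plen), strict=False)
    if plen < 31:                 # /31 and /32 have no such addresses
        if ip == net.network_address:
            return f"subnet number of {net}"
        if ip == net.broadcast_address:
            return f"subnet broadcast of {net}"
    return None


SAMPLES = ["10.0.0.1", "128.2.255.255", "192.168.1.0", "192.168.1.127",
           "224.0.0.5", "127.0.0.1", "172.31.0.9", "169.254.10.10"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:16} class {address_class(s)}  {address_scope(s):10} "
              f"{unicast_problem(s) or 'usable as a host address'}")
```
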


Troubleshooting

show ip interface - shows detailed information about interfaces with IP configured.

show ip interface brief - shows short information about interfaces with IP configured (no subnet mask).








Tuesday, 18 May 2010

Access lists

Another post from the time when I was preparing for my CCNA exam. This time my notes about ACLs on Cisco routers.

  • ACLs provide IP route filtering
  • ACLs identify interesting traffic for DDR
  • ACLs provide lists for NAT
  • 1-99: standard lists
  • 100-199 and 2000-2699: extended lists
  • Extended ACLs should filter packets as close to the source as possible
  • Standard ACLs should filter packets as close to the destination as possible
  • One access list can be configured per direction, per Layer 3 protocol (IP, IPX, ...), per interface

Configure an ACL on a line:

line vty 0 4
 access-class 3 in

Configure an ACL on an interface:

ip access-group

Show which access list is applied and in which direction:

show ip interface




Jabber

Configure ejabberd with AD integration






List registered users:

ejabberdctl --node ejabberd@hostname vhost host.ru registered-users

Back up the ejabberd database:

ejabberdctl backup path_to_file

DNS SRV records for the jabber service, in BIND format.

For clients:

_xmpp-client._tcp.domain.com. IN SRV 0 0 42783 jabber.domain.com.

For servers:

_jabber._tcp.domain.com. IN SRV 0 0 5269 jabber.domain.com.
_xmpp-server._tcp.domain.com. IN SRV 0 0 5269 jabber.domain.com.




Monday, 17 May 2010

WiFi

Standard   Band      Max rate    Modulation               Range   Channels (non-overlapping)   Max-speed distance   Max distance
802.11a    5 GHz     54 Mbit/s   OFDM                     35 m    23 (12)                      65-75 ft             190 ft
802.11b    2.4 GHz   11 Mbit/s   DSSS                     38 m    11 (3)                       150 ft               350 ft
802.11g    2.4 GHz   54 Mbit/s   OFDM, DSSS (11 Mbit/s)   38 m    11 (3)                       90 ft                300 ft
802.11h    5 GHz     54 Mbit/s   OFDM                     35 m    23 non-overlapping           -                    -

802.11h is an extension of 802.11a with two additions: Transmit Power Control (TPC) and Dynamic Frequency Selection (DFS).

DFS - monitors the operating channel; if it detects another signal, it abandons that range.

TPC - regulates the transmit power.



Security standards

WEP (Wired Equivalent Privacy)

It uses the stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity.

Two methods of authentication can be used with WEP: Open System authentication and Shared Key authentication.

Static pre-shared keys (PSK) that nobody ever changes.

Easily cracked keys: only 64 bits, and only 40 of them are the actual secret key.

Commonly suggested remedies: SSID cloaking and MAC filtering. Neither fixes the weaknesses of the cipher: SSIDs and MAC addresses are transmitted in the clear, so these are obscurity measures, not security controls.

WPA (Wi-Fi Protected Access)

It includes the option to use dynamic key exchange, using the Temporal Key Integrity Protocol (TKIP) and the Message Integrity Check (MIC) algorithm.

WPA2 (Wi-Fi Protected Access 2, 802.11i):

Dynamic key exchange

802.1X authentication

AES encryption



Classes of encoding

Frequency Hopping Spread Spectrum (FHSS) - not in use now days.

Direct Sequence Spread Spectrum (DSSS) This band has a bandwidth of 82 MHz, with a range from 2.402 GHz to 2.483 GHz. This band can have 11 different overlapping DSSS channels. 1,6 and 11 channels are nonoverlapping. Designed for 2,4 Ghz.

Orthogonal Frequency Division Multiplexing (OFDM)
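Why exactly channels 1, 6 and 11 are the nonoverlapping set is easy to check numerically. The following is an added example, not part of the original notes: the 11 channels are the count given above, but the 5 MHz channel spacing, the 2412 MHz centre of channel 1 and the 22 MHz DSSS channel width are assumed here (they are the usual 802.11b values, not stated in the notes). The last function is the check a site survey needs: which of the neighbouring access points are on channels that overlap each other.

```python
# Assumed 2.4 GHz DSSS channel plan (added example, not from the notes)
FIRST_CENTER_MHZ = 2412      # centre of channel 1
CHANNEL_SPACING_MHZ = 5      # centres are 5 MHz apart
CHANNEL_WIDTH_MHZ = 22       # each DSSS channel occupies 22 MHz


def center_frequency(channel):
    """Centre frequency in MHz of channels 1..11."""
    if not 1 <= channel <= 11:
        raise ValueError("only channels 1..11 are modelled")
    return FIRST_CENTER_MHZ + CHANNEL_SPACING_MHZ * (channel - 1)


def overlaps(a, b):
    """True if the 22 MHz wide channels a and b share any spectrum."""
    return abs(center_frequency(a) - center_frequency(b)) < CHANNEL_WIDTH_MHZ


def nonoverlapping_channels():
    """Greedy lowest-first choice of mutually non-overlapping channels."""
    chosen = []
    for ch in range(1, 12):
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def overlapping_pairs(ap_channels):
    """ap_channels: {AP name: channel}. Returns the AP pairs whose channels
    overlap, i.e. which will interfere with each other if within range."""
    names = sorted(ap_channels)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if overlaps(ap_channels[x], ap_channels[y])]
```

Channels 1 and 6 have centres 25 MHz apart, more than the 22 MHz width, so they do not overlap; channel 5 (20 MHz from channel 1) still does.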




Modes of operating

Ad-hoc. It uses Independent Basic Service Set (IBSS).

Infrastructure. Devices in an infrastructure WLAN cannot send frames directly to each other; instead, they send frames to the AP, which can then in turn forward the frames to another WLAN device. Infrastructure mode supports two sets of services, called service sets. The first, called a Basic Service Set (BSS), uses a single AP to create the wireless LAN. The other, called Extended Service Set (ESS), uses more than one AP, often with overlapping cells to allow roaming in a larger area.



Possible reasons for a bad signal

Cordless phones

metal file cabinets

antenna type or direction



Other

Adaptive Wireless Path Protocol (AWPP) is a Cisco proprietary protocol for wireless mesh networks. It dynamically discovers neighboring radios and calculates the quality of all possible paths to a wired network. An optimal path is established through a mesh of wireless nodes to a wired gateway and these calculations are continuously updated, allowing paths to change and optimize as traffic patterns on wireless links change. Furthermore, a self-configuring and self-healing wireless mesh backhaul is created.

Lightweight Access Point Protocol or LWAPP is the name of a protocol that can control multiple Wi-Fi wireless access points at once. This can reduce the amount of time spent on configuring, monitoring or troubleshooting a large network. The system will also allow network administrators to closely analyze the network. The lightweight access point will send Layer 2 Lightweight Access Point (LWAPP) mode discovery request messages. If the attempt fails, the LAP will try Layer 3 LWAPP WLC discovery.

One key measurement for interference is the Signal-to-Noise Ratio (SNR). This calculation measures the WLAN signal as compared to the other undesired signals (noise) in the same space. The higher the SNR, the better the WLAN devices can send data successfully.

A WLAN client that is operating in half-duplex mode will delay all clients in that WLAN.

The order of steps that the client and access point go through to create a connection: probe request/response, authentication request/response, association request/response.



STP & RSTP

STP - 802.1d

RSTP - 802.1w



Problems without STP:



  • Broadcast storms

  • MAC table instability

  • Multiple frame transmission


The most important fields in the STP Hello BPDU:



  • Root switch id

  • Sender switch id

  • Path cost to root switch from sender


Port states of STP



  • Blocked

  • Listening - during this state root switch, root ports and designated ports are elected.

  • Learning - STP leaves the interface in each interim state (listening and learning) for a time equal to the forward delay timer (15 seconds by default).

  • Forwarding

  • Disabled



Costs

The lower the cost, the better the path.



  • 10 Mbit/s – 100

  • 100 Mbit/s – 19

  • 1 Gbit/s – 4

  • 10 Gbit/s – 2



Stages in building spanning tree



  • Select a root bridge. The default priority of Cisco switches is 32768. After power-on, all switches in the network start to send BPDUs. If a switch receives a BPDU with a bridge ID lower than its own, it stops sending its own BPDUs and starts to forward the BPDUs from the switch with the lower ID. It forwards them at the interval of the Hello timer configured on the root switch.

  • Determine the least cost paths to the root bridge

  • Designated ports are chosen using the bridge ID, or the port number if several ports of one switch are connected to the same segment. A segment is a part of the LAN divided by a router, switch or bridge. All access ports are designated ports.

  • Disable all other root paths. Any active port that is not a root port or a designated port is a blocked port.
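The four stages above can be run as a small program. The following is an added example, not part of the original notes and not Cisco code: it takes a constructed three-switch triangle with the bridge IDs and link speeds invented here, elects the root by lowest bridge ID, computes root path costs with the 802.1d cost table listed above, then assigns the root, designated and blocked roles. Ties are broken by bridge ID and then by port name, which is a simplification of the real port-ID tie-break.

```python
import heapq

# 802.1d port costs by link speed in Mbit/s (the table from the notes above)
STP_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}

# Constructed topology (added example). Bridge ID is (priority, MAC); every
# switch keeps the Cisco default priority 32768, so the lowest MAC wins.
SWITCHES = {
    "SW1": (32768, "0000.0000.0001"),
    "SW2": (32768, "0000.0000.0002"),
    "SW3": (32768, "0000.0000.0003"),
}
# (switch A, port A, switch B, port B, speed in Mbit/s); each link is one segment
LINKS = [
    ("SW1", "Fa0/1", "SW2", "Fa0/1", 100),
    ("SW1", "Fa0/2", "SW3", "Fa0/2", 100),
    ("SW2", "Gi0/1", "SW3", "Gi0/1", 1000),
]


def elect_root(switches):
    """Stage 1: the lowest bridge ID (priority first, then MAC) becomes root."""
    return min(switches, key=lambda s: switches[s])


def build_ports(links):
    """{(switch, port): (neighbour, neighbour port, cost of the link)}"""
    ports = {}
    for a, pa, b, pb, speed in links:
        cost = STP_COST[speed]
        ports[(a, pa)] = (b, pb, cost)
        ports[(b, pb)] = (a, pa, cost)
    return ports


def root_path_costs(switches, ports, root):
    """Stage 2: least-cost path to the root (Dijkstra). The cost of a link is
    added by the switch receiving the BPDU, as in 802.1d."""
    dist = {s: float("inf") for s in switches}
    dist[root] = 0
    heap = [(0, root)]
    while heap:
        d, s = heapq.heappop(heap)
        if d > dist[s]:
            continue
        for (sw, _), (nb, _, cost) in ports.items():
            if sw == s and d + cost < dist[nb]:
                dist[nb] = d + cost
                heapq.heappush(heap, (dist[nb], nb))
    return dist


def compute_roles(switches, links):
    """Stages 3 and 4: one root port per non-root switch, one designated port
    per segment, every other port blocked. Returns (root, costs, roles)."""
    root = elect_root(switches)
    ports = build_ports(links)
    dist = root_path_costs(switches, ports, root)
    root_port = {}
    for s in switches:
        if s == root:
            continue
        # best BPDU received: lowest advertised root cost plus this link's cost,
        # then lowest sender bridge ID, then lowest sender port
        candidates = []
        for (sw, p), (nb, npb, cost) in ports.items():
            if sw == s:
                candidates.append(((dist[nb] + cost, switches[nb], npb), (s, p)))
        root_port[s] = min(candidates)[1]
    roles = {}
    for a, pa, b, pb, _ in links:
        # designated side of a segment: lowest root cost, then bridge ID, then port
        side_a = (dist[a], switches[a], pa)
        side_b = (dist[b], switches[b], pb)
        designated, other = ((a, pa), (b, pb)) if side_a < side_b else ((b, pb), (a, pa))
        roles[designated] = "designated"
        roles[other] = "root" if root_port.get(other[0]) == other else "blocked"
    return root, dist, roles
```

With the sample topology SW1 becomes root, both SW2 and SW3 reach it at cost 19 over their Fast Ethernet links, and on the SW2-SW3 segment the tie in cost is broken by bridge ID: SW2 holds the designated port and SW3's Gi0/1 is blocked, which removes the loop.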


STP requires a waiting period of MaxAge (default 20 seconds) before reacting to some events, whereas RSTP only has to wait 3*Hello (default 6 seconds). Additionally, RSTP eliminates the forward delay (default 15 seconds) time in both Listening and Learning States. Traditional STP convergence has essentially three time periods, each of which RSTP improves upon. These three waiting periods of (by default) 20, 15, and 15 seconds create 802.1d STP’s relatively slow convergence, and the reduction or elimination of these waiting periods makes RSTP convergence occur quickly. RSTP convergence times are typically less than 10 seconds. In some cases, they can be as low as 1 to 2 seconds.




STP features

  • Portfast - moves a switch port immediately from blocking state to forwarding state.



switchx(config-if)#spanning-tree portfast

switchx(config)#spanning-tree portfast default

switchx# show running-config interface



  • BPDUGuard – puts the port into error state if this port, with portfast enabled, receives a BPDU packet.

switchx(config-if)#spanning-tree bpduguard enable


  • BPDUfilter – filtering immediately takes a port out of PortFast if it receives a BPDU and forces the port to be part of the STP topology again.

  • Root Guard - when a switch interface with Root Guard enabled receives a superior BPDU from the neighboring switch (a BPDU that has a lower, i.e. better, bridge ID), the switch with Root Guard reacts: it disables the interface.

  • UplinkFast - allows a switch to find alternate paths to the root bridge before the primary link fails. This means that if the primary link fails, the secondary link would come up more quickly: the port wouldn’t wait for the normal STP convergence time of 50 seconds.


S1(config)#spanning-tree uplinkfast


  • EtherChannel misconfig guard

  • Loopguard Default

  • BackboneFast


S1(config)#spanning-tree backbonefast



Configuration

  • Set priority:

spanning-tree vlan vlan-id priority priority

  • Set switch as root. This command changes the base priority to 24,576:

spanning-tree vlan vlan-id root {primary | secondary}


  • This command sets the switch’s base priority to 28,672 regardless of the current root’s current priority value.

spanning-tree vlan vlan-id root secondary


  • Set cost for vlan interfaces:


spanning-tree vlan vlan-id cost cost

Summary



  • One root bridge per broadcast domain

  • One root port per non root bridge

  • One designated port per segment

  • Nondesignated ports are unused


Some facts about RSTP


  • RSTP calls the Blocking State the Discarding State.

  • RSTP only has to wait 3*Hello (default 6 seconds).

  • RSTP convergence times are typically less than 10 seconds. In some cases, they can be as low as 1 to 2 seconds.

  • Uses special RSTP messages.


RSTP characterizes the types of physical connectivity in a campus LAN into three different types:


  • Link-type point-to-point – switch to switch

  • Link-type shared – switch to hub

  • Edge-type – switch to PC


Port states:


  • Discarding

  • Learning

  • Forwarding


Port roles:



  • Root port

  • Designated port

  • Alternate port - identifies a switch’s best alternative to its current RP

  • Backup port - applies only when a single switch has two links to the same segment (collision domain - hub).



A switch forwards BPDUs out the port in Forwarding state and gets the same BPDU back on the port that is in Discarding state. So the switch knows it has an extra connection to that segment; that port is called a backup port.



Process of changing root port:



  • Switch receives a BPDU with a better root path

  • Switch blocks all other link-type ports - this process is called synchronization.

  • Switch negotiates with the switch that sent the better BPDU.

  • As a result of negotiation they start forwarding data



Multiple instances of STP and RSTP


  • Per-VLAN Spanning Tree Plus (PVST+) – Cisco proprietary feature for using STP in VLANs. It can be used as a load-balancing tool by sending one VLAN over one trunk and another VLAN over another trunk.

  • Rapid Per-VLAN Spanning Tree (RPVST) or Per-VLAN Rapid Spanning Tree (PVRST). This is a Cisco feature for using RSTP in VLANs (802.1w).

  • The IEEE standard (802.1s) is often called either Multiple Spanning Trees (MST) or Multiple Instances of Spanning Trees (MIST). MIST allows the definition of multiple instances of RSTP, with each VLAN being associated with a particular instance.



(config)#spanning-tree mode {mst | rapid-pvst | pvst}

Etherchannel

Two versions: Cisco’s proprietary Port Aggregation Protocol (PAgP) and IEEE standard Link Aggregation Protocol (LACP).

16 ports max, 1600 Mbps or 1600 Gbps.

All interfaces in each EtherChannel must be the same speed and duplex, and both ends of the channel must be configured as either a Layer 2 or Layer 3 interface.

It is possible to aggregate ports from different switches using Split Multi-Link Trunking (SMLT) or Cisco Virtual Switching System or combine two cisco switches into stack.

The “no switchport” command is required to change an interface from Layer 2 to Layer 3 mode.



SW1(config)#int fa 0/17

SW1(config-if)#channel-group 1 mode on

SW1#show etherchannel 1 summary



Troubleshooting





show spanning-tree active|interfaces|detail|summary|vlan

debug spanning-tree events
















Switching


Layer 2 switching provides the following:


  • Hardware-based bridging (ASIC)

  • Wire speed

  • Low latency

  • Low cost


Switch functions at layer 2:


  • Address learning

  • Forward/filter decision

  • Loop avoidance


Internal processing variations:


  • Store and forward - the switch must receive the entire frame before forwarding the first bit of the frame.

  • Cut through - the switch starts sending the frame as soon as possible. It may forward corrupted frames, because the frame check sequence (FCS) is in the Ethernet trailer.

  • Fragment free (adaptive cut-through) - works the same as cut through, but it waits to receive the first 64 bytes of the frame, because a collision in CSMA/CD should be detected during the first 64 bytes.
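The difference between the three modes shows up when a corrupted frame or a collision fragment arrives. The following added example (not from the original notes) builds a valid Ethernet II frame with a CRC-32 FCS, then asks each switching mode whether it would forward that frame, the same frame with one bit flipped in flight, and a 40-byte runt. The frame contents are constructed; the CRC-32 is the standard Ethernet polynomial as implemented by zlib.

```python
import zlib

MIN_FRAME = 64      # bytes including the FCS; anything shorter is a runt


def build_frame(dst, src, ethertype, payload):
    """Ethernet II frame padded to the 64-byte minimum, with CRC-32 FCS appended."""
    body = dst + src + ethertype.to_bytes(2, "big") + payload
    body += b"\x00" * max(0, MIN_FRAME - 4 - len(body))
    fcs = zlib.crc32(body).to_bytes(4, "little")   # FCS goes on the wire LSB first
    return body + fcs


def fcs_ok(frame):
    """Recompute the CRC-32 over everything but the trailer and compare."""
    return zlib.crc32(frame[:-4]).to_bytes(4, "little") == frame[-4:]


def forward_decision(frame, mode):
    """Return (forward?, reason) for one frame under the given switching mode."""
    if mode == "store-and-forward":
        if len(frame) < MIN_FRAME:
            return False, "runt dropped"
        if not fcs_ok(frame):
            return False, "FCS error dropped"
        return True, "whole frame received and checked"
    if mode == "cut-through":
        # forwarding starts once the destination MAC has been read, so neither
        # the final length nor the FCS is known yet
        if len(frame) < 6:
            return False, "no destination address"
        return True, "forwarded after destination MAC, FCS not checked"
    if mode == "fragment-free":
        # waits for the first 64 bytes: a collision fragment never reaches that size
        if len(frame) < MIN_FRAME:
            return False, "runt dropped"
        return True, "forwarded after 64 bytes, FCS not checked"
    raise ValueError("unknown mode %r" % mode)


def compare_modes(frame):
    return {m: forward_decision(frame, m)[0]
            for m in ("store-and-forward", "cut-through", "fragment-free")}


# Constructed sample frames (added example)
GOOD_FRAME = build_frame(b"\xff" * 6, bytes.fromhex("001122334455"), 0x0800, b"hello")
CORRUPT_FRAME = GOOD_FRAME[:20] + bytes([GOOD_FRAME[20] ^ 0x01]) + GOOD_FRAME[21:]  # one bit flipped
RUNT = GOOD_FRAME[:40]   # what a collision fragment looks like on the wire
```

Only store-and-forward stops the corrupted frame; fragment-free stops the runt but still passes the corrupted frame; cut-through forwards both, which is why error counters on the downstream port, not on the ingress port, are where such frames show up.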




VPN

3 types of VPN:




  • Remote access - allow remote users like telecommuters to securely access the corporate network wherever and whenever they need to.

  • Site to site - or intranet VPNs, allow a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet instead of requiring more expensive WAN connections like Frame Relay.

  • Extranet - allow an organization’s suppliers, partners, and customers to be connected to the corporate network in a limited way for business-to-business (B2B) communications.

PPP

Features:


  • Synchronous and asynchronous links.

  • Consists of 3 protocols: HDLC, LCP, NCP

  • A protocol type field in the header

  • Built-in authentication: CHAP and PAP (controlled by LCP, the Link Control Protocol).

  • A control protocol for each higher-level protocol.

  • It uses Control Protocols (CPs) for controlling Layer 3 protocols and LCP for link configuration.


LCP features:


  • Magic number for looped-link detection. A looped link means that the router receives back the data it sent. The router detects the loop using the magic number in LCP messages: every router has its own magic number, so receiving its own number back reveals the loop.

  • Link Quality Monitoring (LQM) for error detection

  • Multilink PPP for multilink support

  • Multilink: starting with IOS version 11.1, multilink is supported on PPP links with Cisco routers. This option makes several separate physical paths appear to be one logical path at Layer 3. For example, two T1s running multilink PPP would show up as a single 3 Mbps path to a Layer 3 routing protocol.


PAP and CHAP for authentication

Configure PPP:



hostname R1

interface s0/0

encapsulation ppp

ppp authentication chap

username remote_hostname password 0 share_password



Troubleshoot ppp:

debug ppp authentication

Very detailed explanation of how CHAP authentication works on Cisco routers:

http://www.ciscosystems.com/en/US/tech/tk713/tk507/technologies_tech_note09186a00800b4131.shtml
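The CHAP exchange that the configuration above enables, and the LCP magic-number loop check from the LCP features list, as an added example that is not part of the original notes or of Cisco's implementation. Names follow the configuration lines: R1 is the authenticator, remote_hostname is the peer, and share_password is the secret both routers hold in their "username" lines; all three are stand-ins. The response value follows RFC 1994, MD5 over the identifier, the secret and the challenge, so the secret itself never crosses the link.

```python
import hashlib
import hmac
import os

# Constructed secret database on the authenticator (added example)
SECRETS_ON_R1 = {"remote_hostname": b"share_password"}


def chap_response(identifier, secret, challenge):
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_exchange(authenticator, authenticator_secrets, peer, peer_secret,
                  identifier=1, challenge=None):
    """Three-way CHAP handshake. Returns (success, transcript); each transcript
    entry is (packet code, identifier, sender name, value)."""
    challenge = challenge if challenge is not None else os.urandom(16)
    transcript = [("Challenge", identifier, authenticator, challenge)]
    # the peer answers with a hash over the challenge and its copy of the secret
    response = chap_response(identifier, peer_secret, challenge)
    transcript.append(("Response", identifier, peer, response))
    # the authenticator recomputes with the secret it holds for the claimed name
    expected_secret = authenticator_secrets.get(peer)
    ok = expected_secret is not None and hmac.compare_digest(
        response, chap_response(identifier, expected_secret, challenge))
    transcript.append(("Success" if ok else "Failure", identifier, authenticator, b""))
    return ok, transcript


def lcp_link_looped(own_magic, received_magic):
    """LCP loop detection: a Configure-Request carrying our own magic number
    was sent by ourselves, so the link is looped back."""
    return own_magic == received_magic
```

A Failure in this exchange is exactly what "debug ppp authentication" reports when the two routers' username/password lines disagree: the authenticator has no matching secret for the name in the Response, or the hash computed from its copy of the secret differs.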



Configure PPPoE:



R1(config)#int f0/0

R1(config-if)#pppoe enable group global

R1(config-if)#pppoe-client dial-pool-number 1

interface Dialer0

ip address negotiated

ip mtu 1452

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap callin

ppp chap hostname host

ppp chap password 0 pass


Sunday, 16 May 2010

Frame relay

Some facts:
  • It’s a set of standards.
  • Based on X.25 technology.
  • It is a packet-switched technology.
  • Frame Relay networks are called nonbroadcast multiaccess (NBMA) networks. More than 2 devices can be attached to the network, but broadcasts cannot be sent. Also, because Frame Relay is multiaccess, it requires the use of an address that identifies to which remote router each frame is addressed.
  • DTE sends keepalive messages using Local Management Interface (LMI) protocol.
  • The routers are considered DTE, and the Frame Relay switches are data communications equipment (DCE).
  • Predefined VCs are called permanent virtual circuits (PVC).
  • Routers use the data-link connection identifier (DLCI) as the Frame Relay address
  • Switched virtual circuit (SVC) - A VC that is set up dynamically when needed. An SVC can be equated to a dial connection in concept.
  • Data terminal equipment (DTE) - DTEs are connected to a Frame Relay service from a telecommunications company. They typically reside at sites used by the company buying the Frame Relay service.
  • Data communication equipment (DCE) - Frame Relay switches are DCE devices. DCEs are also known as data circuit-terminating equipment. DCEs are typically in the service provider’s network.
  • Access link - The leased line between the DTE and DCE.
  • Access rate (AR) - The speed at which the access link is clocked. This choice affects the connection’s price.
  • Committed Information Rate (CIR) - The speed at which bits can be sent over a VC, according to the business contract between the customer and provider.
  • Data-link connection identifier (DLCI) - A Frame Relay address used in Frame Relay headers to identify the VC. The header has a single DLCI field, not both source and destination DLCI fields.
  • Local Management Interface (LMI) - The protocol used between a DCE and DTE to manage the connection. Signaling messages for SVCs, PVC status messages, and keepalives are all LMI messages.
  • Each VC has a CIR, which is a guarantee by the provider that a particular VC gets at least that much bandwidth.
  • When there are PVCs between each pair of sites, this is called a full-mesh Frame Relay network.
  • When not all pairs have a direct PVC, it is called a partial-mesh network.
There are 3 LMI standards:
  • Cisco
  • ITU
  • ANSI
The frame-relay lmi-type interface subcommand is used to configure the LMI type. A Frame Relay-connected router encapsulates each Layer 3 packet inside a Frame Relay header and trailer before it is sent out an access link. The header and trailer are defined by the Link Access Procedure Frame Bearer Services (LAPF) specification, ITU Q.922-A.

Frame layout: LAPF header | Information | LAPF trailer
The LAPF header consists of:


  • DLCI – 10 bits

  • Forward Explicit Congestion Notification (FECN) – 1 bit. This bit is set by a router or DCE. It means that this frame itself has experienced congestion.

  • Backward Explicit Congestion Notification (BECN) – 1 bit. It is sent to a router when that router is causing congestion.

  • Discard Eligibility (DE) – 1 bit. It is set on frames carrying unimportant traffic; the provider can discard these frames if there is congestion.
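The four fields above are packed into the two-byte Q.922 address at the start of every frame. The following added example (not from the original notes) packs and unpacks that address and then tallies the FECN, BECN and DE markings per DLCI over a constructed capture, which is the quickest way to see which circuit the provider is signalling congestion on. The C/R bit and the two EA (address extension) bits are the remaining bits of the two bytes; only the two-byte address format is handled.

```python
# Two-byte Q.922 (LAPF) address field (added example, not from the notes):
#   byte 1: DLCI bits 9..4 | C/R | EA=0
#   byte 2: DLCI bits 3..0 | FECN | BECN | DE | EA=1

def pack_lapf_address(dlci, fecn=0, becn=0, de=0, cr=0):
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    byte1 = (((dlci >> 4) & 0x3F) << 2) | ((cr & 1) << 1) | 0   # EA=0: another byte follows
    byte2 = (((dlci & 0x0F) << 4) | ((fecn & 1) << 3) | ((becn & 1) << 2)
             | ((de & 1) << 1) | 1)                              # EA=1: last address byte
    return bytes([byte1, byte2])


def unpack_lapf_address(data):
    if len(data) < 2:
        raise ValueError("need at least 2 bytes")
    b1, b2 = data[0], data[1]
    if (b1 & 1) != 0 or (b2 & 1) != 1:
        raise ValueError("only the 2-byte address format is handled")
    return {
        "dlci": ((b1 >> 2) << 4) | (b2 >> 4),
        "cr": (b1 >> 1) & 1,
        "fecn": (b2 >> 3) & 1,
        "becn": (b2 >> 2) & 1,
        "de": (b2 >> 1) & 1,
    }


def congestion_report(frames):
    """Count FECN/BECN/DE markings per DLCI over captured frames (bytes).
    BECN rising on a DLCI tells this router it is the one causing congestion;
    FECN says the frames it received went through congestion."""
    report = {}
    for frame in frames:
        h = unpack_lapf_address(frame)
        entry = report.setdefault(h["dlci"], {"frames": 0, "fecn": 0, "becn": 0, "de": 0})
        entry["frames"] += 1
        for flag in ("fecn", "becn", "de"):
            entry[flag] += h[flag]
    return report


# Constructed capture: three frames on DLCI 52 and one on DLCI 53 (added example)
SAMPLE_FRAMES = [
    pack_lapf_address(52),
    pack_lapf_address(52, fecn=1),
    pack_lapf_address(52, becn=1, de=1),
    pack_lapf_address(53, de=1),
]
```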


BUT there is no protocol type field; there are 2 solutions for this:

  • LAPF header, Cisco, Packet,LAPF trailer

  • LAPF header, RFC 1490, Packet, LAPF trailer
Two types of encapsulation:

  • encapsulation frame-relay ietf

  • encapsulation frame-relay cisco
DTEs use and react to the fields specified by these two types of encapsulation, but Frame Relay switches ignore these fields. Because the frames flow from DTE to DTE, both DTEs should agree on the encapsulation used. The switches don’t care. However, each VC can use a different encapsulation. In the configuration, the encapsulation created by Cisco is called cisco, and the other one is called ietf.

Addressing

Local addressing is significant only on the local access link for one PVC. Global addressing is simply a way of choosing DLCI numbers when planning a Frame Relay network so that working with DLCIs is much easier. Because addressing is in fact local, global addressing does not change these rules: the source DTE puts the DLCI of the destination DTE into the header, and the last switch, the one directly connected to the destination DTE, changes the DLCI to that of the source DTE.

The sender treats the DLCI field as a destination address, using the destination’s global DLCI in the header.
The receiver thinks of the DLCI field as the source address, because it contains the global DLCI of the frame’s sender.
Addresses can be assigned to the physical interface, to multipoint subinterfaces or to point-to-point subinterfaces.

Network Layer Concerns

3 ways of assigning ip addresses:

  • One subnet containing all Frame Relay DTEs

  • One subnet per VC - hub-and-spoke topology - it avoids split horizon issues.

  • A hybrid of the first two options
No capability exists for a Frame Relay DTE to send a single frame into the Frame Relay network and have that frame replicated and delivered across multiple VCs to multiple destinations. However, routers need to send broadcasts for several features to work. In particular, routing protocol updates are either broadcasts or multicasts. To map a DLCI to an IP address, Inverse ARP is used. Inverse ARP dynamically creates a mapping between the Layer 3 address (for example, the IP address) and the Layer 2 address (the DLCI). After the VC is up, each router announces its network layer address by sending an Inverse ARP message over that VC. To map statically, you need to enter an interface subcommand, for instance:
frame-relay map ip 199.1.1.2 52 broadcast

The broadcast keyword is required when the router needs to send broadcasts or multicasts to the neighboring router — for example, to support routing protocol messages such as Hellos.



Configuring Frame Relay



Full mesh with one IP subnet:



interface serial0/0/0

encapsulation frame-relay

ip address 199.1.1.2 255.255.255.0



The LMI type is automatically sensed.

The (default) encapsulation is Cisco instead of IETF.

PVC DLCIs are learned via LMI status messages.

Inverse ARP is enabled (by default) and is triggered when the status message declaring that the VCs are up is received.

Change lmi:

frame-relay lmi-type ansi

Change encapsulation on all VCs on interface:



interface serial0/0/0

encapsulation frame-relay ietf



Change encapsulation for one VC:

frame-relay interface-dlci 53 ietf

Static mapping:



no frame-relay inverse-arp

frame-relay map ip 199.1.1.2 52 broadcast






A Partially Meshed Network with One IP Subnet Per VC



interface serial 0/0/0.1 point-to-point

ip address 140.1.1.2 255.255.255.0

frame-relay interface-dlci 51



Another way to map dlci to subinterface:

frame-relay map ip 140.1.1.2 52 broadcast

Order of configuration: first the encapsulation frame-relay subcommand on the physical interface, then the IP address (ip address interface subcommand), then the LMI type (frame-relay lmi-type command), then the manual IP-to-DLCI mapping (frame-relay map ip).



The LMI setting is a per-physical-interface setting, even if subinterfaces are used, so the frame-relay lmi-type command is always a subcommand under the physical interface.



Show commands:



show interfaces – shows all info about the interface

show frame-relay pvc - shows information about all PVCs.

show frame-relay map - shows the IP-to-DLCI mappings.

show frame-relay lmi

interface serial 0/1/0.0 point-to-point
frame-relay interface-dlci 53

This command is typically used on subinterfaces: a DLCI is configured for every subinterface, because Cisco IOS software needs to associate the correct PVC with the correct subinterface, and this is accomplished with the frame-relay interface-dlci command. On subinterfaces the DLCI is the destination DLCI; this is the global addressing scheme. If there is only one DLCI on the main site router, then this is global addressing.

WAN

WAN technologies
  • Frame Relay – old technology, it is replaced by MPLS nowadays
  • ISDN
  • LAPB
  • LAPD
  • HDLC
  • PPP
  • PPPoE
  • Cable
  • DSL
  • MPLS
  • ATM

Some facts:


  • T1 - 1.544 Mbit/s

  • T3 - 44.736 Mbit/s

  • Local loop - telco cable between your home and telco central office

  • Analog modems and DSL both support symmetric and asymmetric transfers

  • Default encapsulation is HDLC

  • All HDLC versions are proprietary

  • PPP is industry standard. It can be used to create point-to-point links between different vendors’ equipment. It uses a Network Control Protocol field in the Data Link header to identify the Network layer protocol and allows authentication and multi-link connections to be run over asynchronous and synchronous links

  • DCE – modems

  • DTE – computers, laptops, routers

  • DCE side determined by cable

  • Add clocking to DCE side only

  • A CSU/DSU (Channel Service Unit/Data Service Unit) is a digital-interface device used to connect a Data Terminal Equipment device or DTE, such as a router, to a digital circuit, for example a T1 or T3 line

  • A CSU/DSU operates at the physical layer (layer 1) of the OSI model. CSU/DSUs are also made as separate physical products: CSUs and DSUs

  • The RS-232 end of the cable connects to the CSU/DSU; on the router side the cable is router specific

  • Digital lines require both a channel service unit (CSU) and a data service unit (DSU). The CSU provides termination for the digital signal and ensures connection integrity through error correction and line monitoring. The DSU converts the data encoded in the digital circuit into synchronous serial data for connection to a DTE device.



user#config t

user(config)#interface serial 0

user(config-if)#clock rate 64000



  • By default, Cisco routers are all data terminal equipment (DTE) devices, which means that you must configure an interface to provide clocking if you need it to act like a DCE device. Again, you would not provide clocking on a production T1 connection, for example, because you would have a CSU/DSU connected to your serial interface.


Todd(config-if)#clock rate ?

Speed (bits per second)



  • To determine the type of the device (DTE or DCE), the show controllers command is used:



user#sh controllers s0/2/0

Interface Serial0/2/0

Hardware is GT96K

DCE V.35, clock rate 1000000




  • New ISR routers automatically detect DCE connections and set the clock rate to 2000000.

  • Setting bandwidth:



user#config t

user(config)#int s0/0/0

user(config-if)#bandwidth ?

1-10000000 Bandwidth in kilobits

inherit Specify that bandwidth is inherited

receive Specify receive-side bandwidth

user(config-if)#bandwidth 1000



  • Bandwidth command is configured in kilobits.

FastEthernet0/0 is up, line protocol is up


  • The first parameter refers to the Physical layer, and it’s up when it receives carrier detect.

  • The second parameter refers to the Data Link layer, and it looks for keepalives from the connecting end. (Keepalives are used between devices to make sure connectivity has not dropped.)

  • Default bandwidth (BW) on all Cisco serial links: 1.544Kbps

VLAN


Some facts:
  • Breaks up broadcast domains in a layer 2 switch internetwork

  • Inter-Switch Link (ISL) - it’s used for Fast Ethernet and Gigabit Ethernet links only

  • Minimum speed for trunk – 100 Mbps

  • ISL fully encapsulates the original Ethernet frame in a trunking header

  • Configuring vlans on switch is possible in transparent and server mode

  • Access link is only part of one VLAN and is referred to as the “native VLAN” of the port

  • All switches must use the same native VLAN. Native VLAN is connected with a port, not with a switch

  • “router on a stick.” – when router routes all vlans

  • VLANs can greatly simplify adding, moving, or changing hosts on the network
VLAN Trunking Protocol (VTP) Layer 2
  • Default VTP mode is server

  • The link between the switches must be operating as a VLAN trunk (ISL or 802.1Q).

  • The two switches’ case-sensitive VTP domain name must match.

  • If configured on at least one of the switches, the two switches’ case-sensitive VTP password must match.

  • VTP only learns about normal-range VLANs, with VLAN IDs 1 to 1005; VLANs with IDs greater than 1005 are called extended-range VLANs and they’re not stored in the VLAN database.

  • VLAN IDs 1 and 1002 to 1005 are automatically created on all switches and can’t be removed.

  • VTP gives you a way to preserve bandwidth by configuring it to reduce the amount of broadcasts, multicasts, and unicast packets. This is called pruning.

  • Extended-range VLANs (VLAN IDs1006 to 4094) can’t be pruned

  • VTP servers and clients also send periodic VTP messages every 5 minutes, in case any newly added switches need to know the VLAN configuration.

  • The default VTP configuration on Cisco switches is VTP server mode with a null domain name.

  • After configuring a domain name, that switch immediately starts sending VTP updates over all its trunks.

  • If a switch that still has a (default) null domain name receives a VTP update—which by definition lists a domain name—and no password was used by the sending switch, the receiving switch starts using that VTP domain name.
Dynamic Trunking Protocol (DTP)
  • Dynamic Trunking Protocol: a port may be in auto, desirable or on state.

(interface) switchport mode dynamic [auto | desirable]
  • on - trunking is on and the port sends DTP packets.

  • desirable - these links would like to become trunk links and will send DTP signals that attempt to initiate a trunk. They will only become trunk links if the other side responds to the DTP signal.

  • auto – doesn’t send DTP packets, becomes trunk, if receives DTP packet.
Troubleshooting

R1#show vlan
R1#show vlan brief
R1#show interfaces switchport
R1#show interfaces trunk

Ethernet & Cisco

Most popular Ethernet standards:

  • IEEE 802.3u – Fast Ethernet
  • IEEE 802.3z – Gigabit Ethernet over fiber optic
  • IEEE 802.3ab – Gigabit Ethernet over twisted pair
  • IEEE 802.3ae – 10 Gigabit Ethernet over fiber
  • IEEE 802.3an – 10 Gigabit Ethernet over UTP

Some facts:
  • There are no collisions in full-duplex mode.
  • A dedicated switch port is required for each full-duplex node.
  • The host network card and the switch port must be capable of operating in full-duplex mode.
  • Runts are packets that are discarded because they are smaller than the medium's minimum packet size. Any Ethernet packet that is less than 64 bytes is considered a runt. In half-duplex environments, it is possible for both the switch and the connected device to sense the wire and transmit at exactly the same time, resulting in a collision. Collisions can cause runts, FCS errors and alignment errors, caused when the frame is not completely copied to the wire, which results in fragmented frames. Runts are the result of collisions, faulty NICs, duplex mismatch, IEEE 802.1Q (dot1q), or an Inter-Switch Link Protocol (ISL) configuration issue.
  • Microsegmentation - segmentation of a collision domain into as many segments as there are circuits, minus one (#segments = #circuits - 1). This microsegmentation performed by the switch cuts the collision domain down so that only two nodes coexist within each collision domain. This way, collisions are decreased and only the two NICs which are directly connected via a point-to-point link are contending for the medium.
  • If you want to implement a network medium that is not susceptible to electromagnetic interference (EMI), fiber-optic cable provides a more secure, long-distance cable that is not susceptible to EMI at high speeds.
  • Hub and switch can enlarge the area covered by a single LAN segment.
  • If the duplex settings do not match on the ends of an Ethernet segment, the switch interface will still be in a connect (up/up) state. In this case, the interface works, but it may work poorly, with poor performance, and with symptoms of intermittent problems.
  • Only show interfaces status shows whether or not auto negotiation is on.
  • Autonegotiation is disabled if speed and duplex is configured.
  • If the speed is not known, use 10 Mbps, half duplex.
  • If the speed is somehow known to be 10 or 100 Mbps, default to use half duplex.
  • If the speed is somehow known to be 1000 Mbps, default to use full duplex.
  • Cisco switches can determine speed in a couple of ways even when IEEE standard autonegotiation fails. First, the switch knows the speed if the speed interface subcommand was manually configured. Additionally, even when IEEE autonegotiation fails, Cisco switches can automatically sense the speed used by the device on the other end of the cable, and can use that speed based on the electrical signals on the cable.

Lan problems
  • They usually can be found using the counters of show interfaces
  • Excessive interference on the cable - can cause the various input error counters to keep growing larger, especially the CRC counter. In particular, if the CRC errors grow, but the collisions counters do not, the problem may simply be interference on the cable.
  • Duplex mismatch - collisions and late collision counters could keep growing
  • Jabber - collisions and late collision counters could keep growing
  • In particular, a significant problem exists if the collision counters show that more than 1% of all the output frames have collided.
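The rules of thumb above turn into a small checker over "show interfaces" output. The following is an added example, not from the original notes: the two interface blocks it parses are constructed (the line layout follows IOS, every number is invented), and the diagnosis applies exactly the four rules listed here: CRC errors without collisions, late collisions, collisions above 1% of output frames, and runts.

```python
import re

# Constructed "show interfaces" output (added example); numbers are invented.
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/1 is up, line protocol is up
     1000 packets input, 640000 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     15 input errors, 15 CRC, 0 frame, 0 overrun, 0 ignored
     2000 packets output, 1280000 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
FastEthernet0/2 is up, line protocol is up
     500 packets input, 32000 bytes, 0 no buffer
     Received 0 broadcasts, 12 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     2000 packets output, 1280000 bytes, 0 underruns
     0 output errors, 35 collisions, 0 interface resets
     0 babbles, 20 late collision, 0 deferred
"""

HEADER_RE = re.compile(r"^(\S+) is (\S+|administratively down), line protocol is (\S+)")
COUNTERS = {
    "packets_output": re.compile(r"(\d+) packets output"),
    "collisions": re.compile(r"(\d+) collisions"),        # "late collision" has no trailing s
    "late_collisions": re.compile(r"(\d+) late collision"),
    "crc": re.compile(r"(\d+) CRC"),
    "runts": re.compile(r"(\d+) runts"),
}


def parse_show_interfaces(text):
    """Return {interface name: {counter: int}} for the counters used below."""
    interfaces, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = interfaces[m.group(1)] = {k: 0 for k in COUNTERS}
            continue
        if current is None:
            continue
        for key, rx in COUNTERS.items():
            found = rx.search(line)
            if found:
                current[key] = int(found.group(1))
    return interfaces


def diagnose(counters):
    """Apply the rules of thumb from the notes above to one interface's counters."""
    findings = []
    if counters["crc"] > 0 and counters["collisions"] == 0:
        findings.append("CRC errors without collisions: suspect cable interference")
    if counters["late_collisions"] > 0:
        findings.append("late collisions: suspect duplex mismatch or jabber")
    out = counters["packets_output"]
    if out and counters["collisions"] / out > 0.01:
        findings.append("collisions exceed 1% of output frames")
    if counters["runts"] > 0:
        findings.append("runts: collisions, faulty NIC, duplex mismatch or trunk encapsulation issue")
    return findings


def diagnose_all(text):
    return {name: diagnose(c) for name, c in parse_show_interfaces(text).items()}
```

Counters are cumulative since the last "clear counters", so in practice the check is run twice some minutes apart and the rules are applied to the difference; the parser above is the part that stays the same.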
MAC

MAC address is 48 bit or 6 bytes:
  • Individual Group Bit
  • Global/local bit or universal/local bit: 0 = administered by IEEE, 1 = locally administered
  • 22 remaining bits of the Organizationally Unique Identifier (OUI)
  • 24 bits vendor assigned
The most popular type of frame is Ethernet II:
  • Dest addr 6 bytes
  • Source addr 6 bytes
  • Type 2 bytes - type of protocol
  • Data
  • FCS – frame check sequence - crc
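The MAC address bits and the Ethernet II fields listed above, decoded from raw bytes, as an added example that is not part of the original notes. The sample frame is constructed (broadcast destination, a universally administered source, IPv4 type 0x0800). The sanity check at the end is the kind of rule a switch or an IDS applies: a source address must never have the group bit set.

```python
import struct


def parse_mac(mac):
    """Decode a 48-bit address (6 bytes) into the fields listed in the notes."""
    if len(mac) != 6:
        raise ValueError("a MAC address is 6 bytes")
    first = mac[0]
    return {
        "address": ":".join("%02x" % b for b in mac),
        "group": bool(first & 0x01),                 # I/G bit: 1 = group (multicast/broadcast)
        "locally_administered": bool(first & 0x02),  # U/L bit: 0 = IEEE assigned, 1 = local
        "oui": mac[:3].hex(),                        # first 24 bits: the 2 flag bits plus the 22-bit OUI
        "vendor_assigned": mac[3:].hex(),            # last 24 bits, assigned by the vendor
    }


def parse_ethernet_ii(frame):
    """Split an Ethernet II frame (FCS already removed by the NIC) into its fields."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype < 0x0600:
        # values below 0x0600 are a length, i.e. an 802.3/LLC frame, not Ethernet II
        raise ValueError("length field 0x%04x: not an Ethernet II type field" % ethertype)
    return {"dst": parse_mac(dst), "src": parse_mac(src), "type": ethertype, "data": frame[14:]}


def sanity_check(parsed):
    """Rules a switch or IDS applies to the source address."""
    problems = []
    if parsed["src"]["group"]:
        problems.append("source MAC has the group bit set")
    if parsed["src"]["address"] == "00:00:00:00:00:00":
        problems.append("source MAC is all zeros")
    return problems


# Constructed sample frame (added example): broadcast dst, unicast src, IPv4
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
                + b"\x08\x00" + b"payload")
```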
Three types of twisted pair:
  • Straight-through cable (PC, router, access point to switch, hub)
  • Crossover cable (PC to PC, PC to router, switch to switch, hub to hub, switch to hub, router to router)
  • Rolled cable (PC to cisco console)


Network topologies

There are three basic categories of network topologies:
  • physical topologies
  • signal topologies
  • logical topologies
There are six basic types of topology in networks:
  • Bus topology
  • Star topology
  • Ring topology: double ring - max redundancy
  • Mesh topology - max redundancy
  • Tree topology
  • Hybrid topology


OSI, DoD & TCP/IP

Some notes on this topic, made during CCNA preparation
OSI model
There are 7 layers:

Application layer
The Application layer acts as an interface between the actual application programs. It chooses and determines the availability of communicating partners along with the resources necessary to make the connection, coordinates partnering applications, and forms a consensus on procedures for controlling data integrity and error recovery. The Application layer is responsible for finding the network resources broadcast from a server and adding flow control and error control.

VoIP needs better jitter, loss and delay than, for example, HTTP. VoIP typically requires less bandwidth than data applications.

Presentation layer
Presents data, for example encryption.

Session layer
Keeps different applications data separate.

Transport layer
Provides reliable or unreliable delivery, performs error correction before retransmit.
The Transport layer segments and reassembles data into a data stream.
Flow Control - The purpose of flow control is to provide a means for the receiver to govern the amount of data sent by the sender. Types of flow control:
  • Buffering
  • Windowing - windows are used to control the amount of outstanding, unacknowledged data segments.
  • Congestion avoidance
  • Connection-Oriented Communication
  • Multiplexing/Demultiplexing
Acknowledgments
TCP uses a concept called forward acknowledgment, in which the acknowledgment field in the header lists the next-expected byte, not the last-received byte.
P.S. UDP provides only multiplexing/demultiplexing, and it is very useful when no error recovery is needed (VoIP). UDP also requires less network and CPU resources. UDP does not provide ordered data transfer.
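Windowing and forward acknowledgment together, as an added example that is not part of the original notes: a sender with a fixed window puts segments on the wire, the receiver always answers with the next byte it expects (the first byte of the first gap, never the last byte it got), and a single lost segment makes the acknowledgment stall until the sender retransmits from that point. All sizes are invented; the retransmission strategy is a simplified go-back-N, not the exact behaviour of any real TCP stack.

```python
def next_expected(received, base):
    """Forward acknowledgment: given the (seq, length) segments that arrived and
    the first byte not yet acknowledged, return the ack number to send, i.e.
    the first byte of the first gap."""
    starts = {seq: length for seq, length in received}
    ack = base
    while ack in starts:
        ack += starts[ack]
    return ack


def sendable(base, next_seq, window, total):
    """Bytes the sender may still put on the wire: window minus outstanding data."""
    return max(0, min(window - (next_seq - base), total - next_seq))


def simulate(total=1000, mss=100, window=300, lose_seq=100):
    """Transfer `total` bytes with a fixed window; the segment starting at
    lose_seq is dropped once. Returns the acks the receiver sent, in order."""
    base, next_seq = 0, 0          # first unacknowledged byte, next byte to send
    received, acks = set(), []
    dropped = False
    while base < total:
        while sendable(base, next_seq, window, total) > 0:   # fill the window
            length = min(mss, sendable(base, next_seq, window, total))
            if next_seq == lose_seq and not dropped:
                dropped = True                                # lost on the wire
            else:
                received.add((next_seq, length))
            next_seq += length
        ack = next_expected(received, base)
        acks.append(ack)
        if ack == base:
            next_seq = base        # no progress: retransmit from the gap (go-back-N)
        else:
            base = ack             # slide the window forward
    return acks
```

With a 300-byte window, 100-byte segments and the second segment lost, the receiver answers 100 twice (it has bytes 0-99 and 200-299 but still expects byte 100), and only after the retransmission does the acknowledgment jump to 400.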

Network layer
Provides logical addressing

Datalink layer
  • Combines packets into bytes and bytes into frames
  • Provides access to media using MAC(Media Access Control) address
  • Performs error detection, BUT not correction
  • This layer handles error notification, network topology, and flow control(optional)
  • Media Access Control (MAC) 802.3 defines how packets are placed on the media
  • Logical Link Control (LLC) 802.2 is responsible for identifying Network layer protocols and then encapsulating them.
  • An LLC header tells the Data Link layer what to do with a packet once a frame is received.
  • Data Link (LLC sublayer) uses service access points.

Physical layer
Moves bits between devices, specifies voltage, wire speed and pin-out of cables.


DoD model
There are 3 layers:
  • Application
  • Host to host
  • Internet
TCP/IP model
There are 4 layers:
  • Application
  • Transport
  • Internet
  • Network access

Ping does not work

Today I would like to discuss a banal situation: host A is directly connected to host B, ping from host A to host B does not work. What are...