Friday, November 23, 2007

APIPA: Automatic Private IP Addressing

Have you ever found that you could not pull up a web page, and while troubleshooting the problem you found an unexpected IP address of 169.254.x.x? What did you later find out the trouble was? I will bet a dollar that for some reason, your computer could not find the DHCP server.


Windows and Apple computers (and some Linux flavors) have a default setting in the operating system that is based on international standards. When the interface is configured for DHCP but is unable to receive a response from a DHCP server, the OS automatically configures the interface with an address.


First of all, I assume you know what an IP address is. And you know what DHCP is? Let's keep this short and sweet, and you can look up the details in Wikipedia later on if you need. An IP address is what uniquely identifies your computer on the internet; without an IP address, you cannot be found. Imagine if your house did not have an address; how would you get any mail?


DHCP stands for Dynamic Host Configuration Protocol. You can either configure your network interface for DHCP or assign it a static address. If you assign static addresses, that means you have to manually assign an address on every PC, one at a time. If you administer 100 PCs, that can get complex and time consuming. DHCP allows each PC to request an address from a server (as well as the gateway and DNS addresses). This allows the administrator to set up one server, let the PCs configure themselves, and go home early.


However, cables break. Segments fail. Routers and servers fail. Stuff happens. If your PC is configured for DHCP, it sends out a request, and it never hears a reply, what can it do?


Well, it could just continually transmit requests; however, this consumes resources and becomes pointless after a few minutes. It could cause a hardware failure if this scenario was not planned for by the design engineers. It could disable the interface; however, when the DHCP server becomes available you are at a disadvantage--especially if you are a novice without support.


The solution is to allow APIPA to assign a private address to the network interface. This simply ends the DHCP request process and keeps the interface alive. Later, when the DHCP server is functional, the interface will automatically discover it and reconfigure itself. Windows will assign an APIPA address and attempt to discover the DHCP server every 3 minutes (5 minutes if the DHCP lease expired while connected) by default.


APIPA is an IANA (Internet Assigned Numbers Authority) standard, which means that it is applicable to the internet as a whole. The IANA has assigned the IP range of 169.254.0.0 through 169.254.255.255 as APIPA addresses only. These addresses are not routable and can be used by anyone without registering. However, without a functional DHCP server, you probably have bigger troubles on your hands than addressing.
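The troubleshooting habit the post describes, "see 169.254.x.x, suspect the DHCP server", can be scripted. The Python below is an added example, not part of the original post: it parses a constructed sample in the style of Windows "ipconfig /all" output (the adapter names, addresses and field labels are made up for the example, not a real capture) and reports, per adapter, whether it holds a DHCP lease, a static address, or an APIPA fallback address, which means DHCP was enabled but no server answered.

```python
import ipaddress
import re

# Constructed sample in the style of Windows "ipconfig /all" output (not a
# real capture). The wireless adapter has fallen back to an APIPA address.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.57
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1

Ethernet adapter Wireless Network Connection:

        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.23.141
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Lab Link:

        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.10.10.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

# The link-local block the post describes (ipaddress also exposes it as .is_link_local).
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")

# Field labels that carry the IPv4 address, across older and newer Windows versions.
ADDRESS_FIELDS = ("IP Address", "IPv4 Address",
                  "Autoconfiguration IP Address", "Autoconfiguration IPv4 Address")


def is_apipa(address):
    """True if the IPv4 address lies in 169.254.0.0/16."""
    return ipaddress.ip_address(address) in APIPA_NET


def parse_adapters(text):
    """Turn ipconfig-style text into {adapter name: {field: value}}.

    Adapter headers are unindented lines ending in ':'; fields are indented
    'Name . . . : value' lines whose dotted padding is stripped from the key.
    """
    adapters = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip().rstrip(":")
            adapters[current] = {}
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            key = re.sub(r"[ .]+$", "", key.strip())
            adapters[current][key] = value.strip()
    return adapters


def diagnose(text):
    """Classify each adapter: DHCP lease, static address, or APIPA fallback."""
    verdicts = {}
    for name, fields in parse_adapters(text).items():
        raw = next((fields[f] for f in ADDRESS_FIELDS if fields.get(f)), None)
        if raw is None:
            continue
        address = raw.split("(")[0].strip()   # newer Windows appends "(Preferred)"
        dhcp_enabled = fields.get("DHCP Enabled", "").lower() == "yes"
        if is_apipa(address):
            verdicts[name] = ("APIPA fallback: DHCP enabled but no server answered"
                              if dhcp_enabled else "APIPA address configured manually")
        elif dhcp_enabled:
            verdicts[name] = "DHCP lease OK"
        else:
            verdicts[name] = "static address"
    return verdicts


if __name__ == "__main__":
    for adapter, verdict in diagnose(SAMPLE_IPCONFIG).items():
        print(f"{adapter}: {verdict}")
```

Run it against real output by piping `ipconfig /all` into a file and passing the file contents to `diagnose()`; any adapter reported as an APIPA fallback is the one whose DHCP request went unanswered.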

MCDST

I am well on my way now to the MCDST, or Microsoft Certified Desktop Support Technician. This consists of two exams, the 70-271 and the 70-272. Both of those tests cover your ability to install, upgrade, and support Windows XP. Passing either one of them will make you an MCP, or Microsoft Certified Professional. That adds another line to your resume and another logo to your email signature but doesn't really impress anyone.


After passing both of them, you earn the MCDST. That still isn't much, but it is something. Three more tests later (70-270, 70-290, and 70-291) and you are an MCSA, or Microsoft Certified Systems Administrator. This is a more common and slightly more impressive cert. The crowning achievement is the MCSE, but I have my eye on other achievements.


My company is encouraging us to get the MCDST. My company pays the bills, I like the job, and the MCDST is not far off of my career goals. Therefore, that is my current focus. I am using "Skillsoft" CBTs (Computer Based Training) to study for the 70-271. I am also using resources on the Microsoft websites, especially Technet. I am hoping that will be sufficient for these entry-level tests. Since this is not a lifelong dream, I am trying to avoid coughing up my own cash for the certification.


What I really want is to study security, beginning with firewalls. I would like to pass the Cisco 642-552 "Securing Network Devices", with an eye on the Firewall Specialist cert, and then the CCSP "Cisco Certified Security Professional".


However, I am also keeping an eye on the big picture. I cannot do everything I want all at once without neglecting my family. Achieving my goals at the expense of my family seems like ultimate failure. Also, I feel a need for a graduate degree to expand my future options. Therefore, I have begun my MBA studies at Baker University. Finally, I need to play besides work, so I am training for a marathon in 2008. I also waste an hour or so a day in front of my TV, but I often watch documentaries to feel smart while being lazy.


If you are interested in the MCDST, stay tuned. I will let you know how the study goes and what the exam is like.

Wednesday, November 14, 2007

CCNA Obtained

On October 30, 2007, I obtained my CCNA. That was the original point of this blog; to aid me in my pursuit of my CCNA. However, this blog will continue on as I develop myself.



Now that I have my CCNA, I have a taste for certifications. It is like a shark; normally, they don't view humans as a source of sustenance. However, once they have tasted an arm or a leg, they will come back for more. At least, that is what I learned by watching Jaws.



Certification is only meaningful if you make it so. I am not making more money today, nor am I truly a better engineer just because I have a certificate and wallet card from Cisco. However, my thinking is a little different. I am more confident. I have a sense of accomplishment from setting and achieving a goal. I also have more ammunition when presenting myself as an expert in a situation: Cisco says that I am a CCNA, what have you got?



My company wants us to obtain our Microsoft Desktop Support Technician certificate (MCDST). It is not something I am excited about, but it won't hurt. It consists of the 70-271 and 70-272 exams, and covers your skill at supporting Windows XP on individual PCs in workgroup and domain networks. Passing either exam designates you as a Microsoft Certified Professional (MCP), which is another line on your resume and another logo under your email signature. Successfully passing both exams gets you the MCDST, which will make my VP happy.



Three more tests after that and you are a Microsoft Certified System Administrator (MCSA). That is a little more interesting to me. From MCSA to Microsoft Certified Systems Engineer (MCSE) is just a few more tests. Combining MCSE with a Cisco specialist certification will definitely help out in the marketplace.



Which brings me to what I want to do. I want to get up to speed on firewalls. I have a lot to learn on routers and switches, but I am competent enough now to get the job done. I am not very knowledgeable on VPNs and security using firewalls. In the future, I would like to spend a lot more time on network security. Therefore, in 2008 I will work earnestly towards passing the Cisco 642-552 Securing Network Devices (SND) exam. This will extend my CCNA certification past October 30, 2010. It will also count towards a Cisco Firewall Specialist designation, and ultimately towards the Cisco Certified Security Professional (CCSP), which is like gold.



I have to pay the bills, and my current job is doing that well, so I am buckling down on the 70-271 right now. I hope to pass that during my two weeks of vacation at the end of November. That exam will spell out the rest of my journey. If it is as easy as I hope, then I will complete my MCDST by January and then focus on the Cisco SND exam. If the 70-271 is tricky and requires more brain cells than I am willing to commit, I will scrap it and try to convince the powers that be that my SND is much more valuable to them. Stay tuned.

Thursday, October 11, 2007

Classful / Classless Routing

There are three main classes of IP addresses. You know about A, B, and C already, right? If not, you are lost already; this is not the post for you. You need to gain an understanding of IP addresses before you venture further. It is painfully boring, but it is information you will use on a daily basis in the networking world. Just Google or Wiki "IP addressing and subnetting".


Your Cisco router is classful by default. This means that it will obey the conventions of the IP classes when routing. If you have configured RIP as your routing protocol and enabled the network 172.16.0.0 for broadcasts, then your router will assume that the interface with an address on 172.16.0.0 will be able to route all 172.16.0.0 traffic.


Here is the problem: Let's say that FastEthernet 0/0 on your router is at 172.16.1.1 with a 255.255.255.0 subnet mask. This means that it is attached to a network that includes 172.16.1.1 through 172.16.1.255, right?


Now, your router is also attached to a 10.10.10.0 network, which attaches to a remote router with an interface in the 172.16.99.0 network (/24, or a 255.255.255.0 subnet mask, as well). Therefore, the remote router (which shares RIP updates with your router) can get to 172.16.99.1 through 172.16.99.255, and your local router knows this; you can see it in the routing table.


The point of using RIP is so that your router and the remote router talk to each other and share this information, right? So, if your local router receives a packet destined for 172.16.99.100, it should look in its routing table and see that the most specific match is to use the 10.10.10.0 network and route the packet to the remote router, which has a directly connected interface in the 172.16.99.0 network. However, if you have left the router defaulted to "classful", this will not happen.


If your router is operating as classful, it will take a packet destined for 172.16.99.100 and only look at the "172.16" portion. That is because those are the only octets relevant in a class B address. If it is only looking at the first two octets when it makes its routing decision, the router will choose the directly connected interface with "172.16" every time--even though that interface does not have access to 172.16.99.100. Stupid router.


If you want to make your router a free spirit, throw out the conventions of classful routing, break all the rules, and find its way to 172.16.99.100, you need to enter the following command:


Router(config)#ip classless


Your router will no longer have any class, just like you. More importantly, your router will look for a more specific match in its routing table, taking into account the subnets that it knows about through RIP.
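To make the two lookups concrete, here is an added Python model of the scenario in the post (example code, not from the post or from Cisco). It builds the routing table the post describes (172.16.1.0/24 connected, 172.16.99.0/24 learned across the 10.10.10.0/24 link) and runs a destination through two forwarding decisions: the classful one as the post explains it, where only the class B portion of the destination is compared and the directly connected 172.16 interface wins, and the classless longest-prefix match that `ip classless` gives you. The interface names and the 10.10.10.2 next-hop address are constructed for the example; the post does not name them.

```python
import ipaddress

# Constructed routing table modelled on the scenario in the post:
# Fa0/0 is directly connected to 172.16.1.0/24, the serial link sits on
# 10.10.10.0/24, and RIP has learned 172.16.99.0/24 from the remote router.
# Interface names and the 10.10.10.2 next hop are assumptions for the example.
ROUTES = [
    # (prefix,           next hop,               outgoing interface)
    ("172.16.1.0/24",  "directly connected",   "FastEthernet0/0"),
    ("10.10.10.0/24",  "directly connected",   "Serial0/0"),
    ("172.16.99.0/24", "10.10.10.2",           "Serial0/0"),
]


def classful_network(address):
    """Return the class A/B/C major network that contains address."""
    ip = ipaddress.ip_address(address)
    first_octet = int(ip) >> 24
    if first_octet < 128:
        prefixlen = 8        # class A
    elif first_octet < 192:
        prefixlen = 16       # class B
    elif first_octet < 224:
        prefixlen = 24       # class C
    else:
        raise ValueError("class D/E addresses have no classful network")
    return ipaddress.ip_network((ip, prefixlen), strict=False)


def lookup_classful(destination):
    """Forwarding decision as the post describes the default ('no ip classless'):
    only the classful portion of the destination is compared, so the directly
    connected interface in the same major network is chosen."""
    major = classful_network(destination)
    candidates = [(p, nh, ifc) for p, nh, ifc in ROUTES
                  if ipaddress.ip_network(p).subnet_of(major)]
    if not candidates:
        return None
    # Directly connected routes first, as the post says the router prefers them.
    candidates.sort(key=lambda route: route[1] != "directly connected")
    return candidates[0]


def lookup_classless(destination):
    """Forwarding decision with 'ip classless': longest-prefix match over every
    route, so the more specific RIP-learned subnet beats the major network."""
    dest = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return (str(best[0]), best[1], best[2]) if best else None


if __name__ == "__main__":
    target = "172.16.99.100"
    print("classful :", lookup_classful(target))   # out Fa0/0, the wrong way
    print("classless:", lookup_classless(target))  # via 10.10.10.2 on Serial0/0
```

The classful branch deliberately reproduces the post's description of the default behaviour rather than every detail of IOS internals; the classless branch is plain longest-prefix matching, which is what you get once `ip classless` is configured.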

IGRP Facts

Interior Gateway Routing Protocol (IGRP) is an improvement on RIP, but just barely. I have never seen it in use in the field, nor have I ever read someone claiming that IGRP is the best protocol for a specific purpose. Basically, it is an option on Cisco routers so you need to know about it if you are studying for certification, but you will probably never need this information in real life.


Real world routing protocol advice: if you have a small, simple network use RIP to dynamically share routing information among routers. If you have a large, complex network and/or security is a concern, use EIGRP. The other protocols (IGRP, OSPF, and IS-IS) are just about worthless in comparison to RIP and EIGRP. The only caveat to this is if you are connecting your network to a non-Cisco powered network. In that case, your routing protocol will be dictated by the capabilities of the neighbor router, and OSPF may be your best choice here. Let's hope that never happens to you.


IGRP Facts


I just want to share a few quick facts about IGRP that you may not know which will help when you sit for a Cisco certification:


-The components of the IGRP routing metric are bandwidth, delay, reliability, load, and MTU.


-IGRP differs from RIP because IGRP is more suitable for large networks, it uses a more flexible metric for route selection, and it can select multiple non-equal paths to a destination.


-When you configure IGRP for unequal-cost load balancing, you must observe several rules. First, the maximum number of paths you can set is 6. Second, the next hop must be closer to your destination than the local router is, according to the local router's best path. Third, the alternate path metrics must be within a specified variance of the best local metric.
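The first and third facts above can be worked through in code. The Python below is an added example, not from the post: `composite_metric` computes the IGRP metric with the default K values (K1 = K3 = 1, so only the bandwidth and delay terms contribute unless the K values are changed), and `select_paths` applies the three unequal-cost rules to a constructed set of candidate paths (the next-hop addresses and metric values are made up for the example).

```python
# IGRP composite metric. With the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0)
# it reduces to bandwidth + delay, where bandwidth = 10^7 / (slowest link in kbps)
# and delay is the summed path delay in tens of microseconds. Reliability and load
# only enter the calculation when the K values are changed from their defaults.
def composite_metric(min_bandwidth_kbps, total_delay_us,
                     k1=1, k2=0, k3=1, k4=0, k5=0, load=1, reliability=255):
    bandwidth = 10_000_000 // min_bandwidth_kbps
    delay = total_delay_us // 10
    metric = k1 * bandwidth + (k2 * bandwidth) // (256 - load) + k3 * delay
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric


# Constructed view of one destination from the local router (values are made up).
# local_metric: metric of the whole path through that neighbour.
# advertised_metric: the metric the neighbour itself reports for the destination.
PATHS = [
    {"next_hop": "10.1.1.2", "local_metric": 8476,  "advertised_metric": 1100},
    {"next_hop": "10.1.2.2", "local_metric": 16000, "advertised_metric": 8000},
    {"next_hop": "10.1.3.2", "local_metric": 12000, "advertised_metric": 9000},
    {"next_hop": "10.1.4.2", "local_metric": 30000, "advertised_metric": 2200},
]

MAX_PATHS = 6  # the IGRP ceiling the post states


def select_paths(paths, variance=1, maximum_paths=MAX_PATHS):
    """Return the next hops IGRP would load-balance over, applying the three rules:
    at most 6 paths, the next hop must be closer to the destination than we are,
    and the path metric must be within variance x best metric."""
    if not 1 <= variance <= 128:
        raise ValueError("variance multiplier must be between 1 and 128")
    if not 1 <= maximum_paths <= MAX_PATHS:
        raise ValueError(f"maximum-paths must be between 1 and {MAX_PATHS}")
    best = min(p["local_metric"] for p in paths)
    chosen = []
    for p in sorted(paths, key=lambda p: p["local_metric"]):
        if p["advertised_metric"] >= best:
            continue   # rule 2: the neighbour is not closer than our best path (loop risk)
        if p["local_metric"] > best * variance:
            continue   # rule 3: too far outside the variance window
        chosen.append(p["next_hop"])
    return chosen[:maximum_paths]   # rule 1: cap the number of installed paths


if __name__ == "__main__":
    print("T1 metric      :", composite_metric(1544, 20000))     # 8476
    print("Ethernet metric:", composite_metric(10000, 1000))     # 1100
    for v in (1, 2, 4):
        print(f"variance {v}:", select_paths(PATHS, variance=v))
```

The 10.1.3.2 path is the instructive one: its metric would fit inside `variance 2`, but the neighbour reports a metric no better than our own best path, so rule 2 keeps it out regardless of the variance setting.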

Quit Buggin Me

There is a command that I so rarely need that I sometimes forget its syntax when I do need it.



Have you ever been on a router where someone left debugging on? Perhaps it was you, or it was the last dial-in support jerk who did what he had to do and left the debug on because...why would he care if debugging is on, he's out of it.



Anyhow, debugging is on and scrolling crap across your screen so fast you can't remember where you were in the command you are typing out. Remember this gem:


router#no debug all


Do yourself, and the next guy, a favor: remember to enter that command when you resolve the issue you had debugging on for, huh?

Thursday, September 27, 2007

My Favorite Router Commands

I hate to wait for anything, and I hate for anything to slow my momentum when I am trying to get something done. Unfortunately, Cisco routers, by default, are designed to make me mad.

First of all, they are designed to look up every single command you type--or mis-type. First, the router looks in its own database of known commands. It then goes out to a domain server to look for additional commands. If you have not established a domain server (why would you?) then it goes to 255.255.255.255 and waits for someone to respond to the request. Of course, no one will. After an eternity (I think it is 30 seconds) it times out. If you are fast but inaccurate, you will see this a lot and it will drive you nuts. Fortunately, there is a remedy:

Router(config)#no ip domain-lookup

That one is going to save me from having a full head of gray by the time I am 40.

Another thing that drives me batty is when the router is scrolling errors while I am trying to read an output or type in a long command. If an interface is bouncing or EIGRP is running into issues, I would rather the router wait until I am done typing before it scrolls its lines of complaint. Therefore, when I am configuring the logins for console and vty, I add the following line:

Router(config-line)#logging synchronous