Thursday, March 29, 2012

Single Area OSPF Routing Example

The Open Shortest Path First routing protocol is a critical piece of knowledge for any networking professional working in an enterprise environment. Most major networking certifications covering routing and switching including the Cisco Certified Network Associate (CCNA), Cisco Certified Network Professional (CCNP), and Cisco Certified Internetwork Expert (CCIE) extensively test OSPF knowledge and skills. OSPF is the most popular dynamic routing protocol used in complex enterprise networks. This example will demonstrate the concepts and configuration involved with setting up a single area OSPF network. This lab is built using Dynamips/GNS3 and shows configuration using Ethernet as the layer 2 switching protocol between the routers. Frame Relay will be covered in a different post because there are special issues involving network types and non-broadcast multiaccess (NBMA) networks.

For our topology we will be demonstrating basic OSPF routing using 2 virtual Cisco c7200 routers and 2 Cisco c3725 routers configured in the following topology. There is also another c3725 router that is being used as an Ethernet Switch in the virtual topology:



There are two ways to configure OSPF for IPv4 networks. OSPF can be configured directly on the interface or using the global router ospf command. Most organizations develop standards for using one or the other, since troubleshooting complexity can increase if both are used throughout a network. If both are specified, the interface configuration takes precedence over the global configuration.

Let's start out by configuring the necessary interfaces in the backbone area (area 0):
Router Configuration

R1:
interface GigabitEthernet0/0
 ip address 192.168.0.1 255.255.255.252
!
interface FastEthernet1/0
 ip address 10.0.0.1 255.255.255.248
!

R2:
interface GigabitEthernet0/0
 ip address 192.168.0.2 255.255.255.252
!
interface FastEthernet1/0
 ip address 10.0.0.2 255.255.255.248
!

R3:
interface FastEthernet0/0
 ip address 10.0.0.3 255.255.255.248
!

R4:
interface FastEthernet0/1
 ip address 10.0.0.4 255.255.255.248
!

Next, configure the routing protocols on the 4 routers:

Router OSPF Configuration

R1:
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 auto-cost reference-bandwidth 1000
 network 10.0.0.0 0.0.0.7 area 0
 network 192.168.0.0 0.0.0.3 area 0
!

R2:
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 auto-cost reference-bandwidth 1000
 network 10.0.0.0 0.0.0.7 area 0
 network 192.168.0.0 0.0.0.3 area 0
!

R3:
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 auto-cost reference-bandwidth 1000
 network 10.0.0.0 0.0.0.7 area 0
!

R4:
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 auto-cost reference-bandwidth 1000
 network 10.0.0.0 0.0.0.7 area 0
!

Why did we change the default reference bandwidth used in the OSPF metric calculation? In this case we have Gigabit Ethernet interfaces, and with the default reference bandwidth of 100 Mb/s the Fast Ethernet and Gigabit Ethernet interfaces would have the exact same cost of 1. See OSPF Cost/Metric Calculation for more details. Additionally, we statically set the router IDs. If we had not done this, the router ID would be determined by the following, listed from highest precedence to lowest precedence:
  • Statically assigned OSPF router ID (highest)
  • Highest IPv4 address of up/up loopback interface
  • Highest IPv4 address of up/up interface on router (lowest)
If the OSPF process can't determine a valid router ID (this happens when none of the above is available, or with OSPFv3 on an IPv6-only router where no RID is specified), the OSPF process does not start. Note also that the OSPF process IDs in the configuration above are locally significant and do not have to match across routers, but keeping them consistent can be convenient on larger networks where multiple OSPF routing domains are used.

With the configuration above, the OSPF database consists of 6 LSAs: 4 router LSAs (type 1) and 2 network LSAs (type 2), one for each transit network:

R3#show ip ospf database

            OSPF Router with ID (3.3.3.3) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         493         0x80000007 0x000A13 2
2.2.2.2         2.2.2.2         486         0x80000007 0x00E52D 2
3.3.3.3         3.3.3.3         76          0x80000007 0x00A44C 1
4.4.4.4         4.4.4.4         533         0x80000005 0x006A7F 1

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.0.4        4.4.4.4         77          0x80000005 0x00905E
192.168.0.2     2.2.2.2         737         0x80000003 0x00FDBD



In this instance, the OSPF database is not fully optimized because the Gi0/0 interfaces on R1 and R2 form a point-to-point IP link. We can reduce the size of the OSPF database in this example by setting the OSPF network type to point-to-point. Even with the /30 (255.255.255.252) mask, OSPF still treats an Ethernet interface as a broadcast network, so it elects a DR and generates a type 2 LSA for the segment. To resolve this on R1 and R2:


R1(config)#interface GigabitEthernet0/0
R1(config-if)#ip ospf network point-to-point


After making this change on both R1 and R2, the OSPF database is reduced to 5 LSAs in total: the network LSA for 192.168.0.0/30 is gone, and the router LSAs for R1 and R2 now carry 3 links each:


R3#show ip ospf database

            OSPF Router with ID (3.3.3.3) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         97          0x80000008 0x0017F1 3
2.2.2.2         2.2.2.2         15          0x80000008 0x00DC26 3
3.3.3.3         3.3.3.3         447         0x80000007 0x00A44C 1
4.4.4.4         4.4.4.4         904         0x80000005 0x006A7F 1

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.0.4        4.4.4.4         448         0x80000005 0x00905E


Something else worth noting is that within a single area, OSPF only propagates type 1 and type 2 LSAs. An Area Border Router (ABR) or Autonomous System Border Router (ASBR) is required before any of the other LSA types related to unicast routing appear in the database.
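The three behaviours the lab shows (interface cost under a reference bandwidth, router-ID election, and the 6-to-5 LSA reduction when the /30 becomes point-to-point) as an added Python model; this is not code from the original post, it reuses the lab's addresses, and the Interface/Segment records and the 65535 cost clamp are my assumptions.

```python
"""Added model of three OSPF behaviours from the single-area lab: interface cost
under a reference bandwidth, router-ID election, and single-area LSA counts."""
from dataclasses import dataclass
from typing import List, Optional


def ospf_cost(bandwidth_kbps: int, reference_bw_mbps: int = 100) -> int:
    """IOS-style cost = reference bandwidth / interface bandwidth, truncated to an
    integer and clamped to 1..65535 (assumed clamp). Interface bandwidth is in
    kb/s as 'show interfaces' reports it; the reference is in Mb/s as entered
    with 'auto-cost reference-bandwidth'."""
    cost = (reference_bw_mbps * 1000) // bandwidth_kbps
    return max(1, min(cost, 65535))


@dataclass
class Interface:
    """Hypothetical interface record; fields mirror 'show ip ospf interface'."""
    name: str
    ip: Optional[str]                 # None when no IPv4 address is configured
    up: bool = True                   # interface and line protocol up/up
    loopback: bool = False
    network_type: str = "broadcast"   # "broadcast" or "point-to-point"
    neighbors: int = 0                # fully adjacent OSPF neighbours on this link


def _highest(addresses: List[str]) -> Optional[str]:
    # Compare octet by octet, not lexically ("10.0.0.10" beats "10.0.0.3").
    if not addresses:
        return None
    return max(addresses, key=lambda a: tuple(int(o) for o in a.split(".")))


def select_router_id(static_rid: Optional[str],
                     interfaces: List[Interface]) -> Optional[str]:
    """Precedence from the post: static router-id, then the highest up/up loopback
    address, then the highest up/up physical address. None means no RID could be
    found, so the OSPF process would not start."""
    if static_rid:
        return static_rid
    loopbacks = [i.ip for i in interfaces if i.loopback and i.up and i.ip]
    if loopbacks:
        return _highest(loopbacks)
    physical = [i.ip for i in interfaces if not i.loopback and i.up and i.ip]
    return _highest(physical)


def router_lsa_link_count(interfaces: List[Interface]) -> int:
    """Number of links a router lists in its own type-1 LSA (RFC 2328 12.4.1.1):
    one transit or stub link per broadcast interface, and for a numbered
    point-to-point link with a neighbour both the point-to-point link and a
    stub link for the subnet. This is why R1/R2 go from 2 links to 3."""
    count = 0
    for i in interfaces:
        if not (i.up and i.ip):
            continue                       # down or unnumbered: nothing advertised
        if i.network_type == "point-to-point" and i.neighbors and not i.loopback:
            count += 2
        else:
            count += 1                     # transit (DR present), stub, or loopback /32
    return count


@dataclass
class Segment:
    """Hypothetical description of one IP subnet inside the area."""
    network_type: str
    attached_routers: int


def single_area_lsa_count(router_count: int, segments: List[Segment]) -> dict:
    """Single area, no redistribution: one type-1 LSA per router plus one type-2
    LSA per broadcast segment whose DR has at least one adjacent neighbour.
    Point-to-point links never get a type-2 LSA, which is the whole saving."""
    network_lsas = sum(
        1 for s in segments
        if s.network_type == "broadcast" and s.attached_routers >= 2
    )
    return {"type1": router_count, "type2": network_lsas,
            "total": router_count + network_lsas}


def lab_summary(r1_r2_link_type: str = "broadcast") -> dict:
    """Reproduce the lab: R1-R2 on 192.168.0.0/30 (Gi0/0) and all four routers on
    10.0.0.0/29, before ('broadcast') and after ('point-to-point') the change."""
    r1 = [Interface("Gi0/0", "192.168.0.1", network_type=r1_r2_link_type, neighbors=1),
          Interface("Fa1/0", "10.0.0.1", neighbors=3)]
    segments = [Segment(r1_r2_link_type, 2), Segment("broadcast", 4)]
    return {
        "gig_cost_ref100": ospf_cost(1_000_000, 100),
        "fast_cost_ref100": ospf_cost(100_000, 100),
        "gig_cost_ref1000": ospf_cost(1_000_000, 1000),
        "fast_cost_ref1000": ospf_cost(100_000, 1000),
        "r1_link_count": router_lsa_link_count(r1),
        "lsa_total": single_area_lsa_count(4, segments)["total"],
    }


if __name__ == "__main__":
    for link_type in ("broadcast", "point-to-point"):
        print(link_type, lab_summary(link_type))
```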


See Also
The Road to the CCIE
The OSPF Stub Area

Wednesday, March 28, 2012

Personal Cash Flow Basics

Personal financial literacy is the first step towards developing true financial security and realizing a dream of quitting a job or having a comfortable retirement. I received an MBA in accounting and now I use my knowledge to help others. People and businesses have a lot of difficulty managing cash flow. Even though most people have an idea of what they make and spend, timing issues can occasionally cause bounced checks, rejected payments, and other issues. In the worst cases, individuals resort to using credit cards or payday loans to smooth income, but this tends to cause more problems than it solves.

You might ask what makes me an authority on cash flow? Besides having an MBA and a strong background in economics, finance, and accounting, I am one of the few people in the world who has never had a missed or late payment. Among other things, my credit reports routinely show no negative items and no late payments. Looking back over my late high school years and college years this is astonishing because I made many of the mistakes that young people make with credit (e.g. eating out on credit cards, financing a car through the dealership, "12 months with no interest," etc.). Ultimately I made it through because I had a good sense of cash flow management and effectively managed inflows and outflows. I even had the foresight through the cash flow modeling process to change jobs to higher paying positions months in advance of upcoming financial issues (due to rent increases and other major changes in expense composition).

This post will be less about the statement of cash flows than cash flow planning because individuals are forced to operate on the cash basis of accounting either indirectly or directly. Planning and timing are more important than retrospective analysis for individuals. Businesses use a statement of cash flow to show how cash actually moves in and out of a business since the numbers on an income statement differ significantly from actual cash flow. The income statement includes a lot of non-cash items like depreciation, certain unrealized gains and losses, and really unintuitive things around consolidation and pensions that do not affect cash (or distort the actual change in cash). For the most part, individuals prepare their balance sheets and income statements on the cash basis or on a fair value basis (vs. the historic basis that companies use). This basis typically reflects:
  • Income/expenses measured on the receipt/disbursement of cash
  • Fair value of investments, vehicles, and real estate property if they were to be converted to cash (sold). Changes in fair value recorded directly in equity.
  • Settlement amount required for liabilities (e.g. pay off a mortgage or car loan today)
Going back to the bookkeeping example, John Doe would immediately expense all of the prepaid insurance under the cash basis when he wrote the check instead of making adjusting entries. Interest would also be treated differently in the income statement example, because the loan payment and the interest would both be expensed instead of offsetting the principal payment against the liability on the balance sheet.

So why does cash flow timing cause so many problems?

Let's take a simple example where John Doe starts a new job that pays around $4,000/month after taxes and he is paid on the last working day of the month. I use this example because I faced the exact same situation with my last job change where I changed from bi-weekly to monthly pay. Let's also say that John Doe has $3500 of bills that are mostly due on the 1st, 7th, 15th, and 28th days of the month. Before John can even take the job, he needs to have $3,500 in cash sitting in checking or savings, or else he will be stuck incurring $3,500 in payday loans or credit card debt during the first month of working in order to cover bills. This is a bad situation to encounter. Typically cash inflows spike throughout the month (for biweekly employees) and the average individual can handle a pay lag of 2 weeks much more easily than 1 month. Planning a missed paycheck (especially a monthly one) can be very difficult if things are tight.

Ultimately the key to controlling cash and preventing late payments is to identify all inflows and outflows and the day(s) of the month on which they need to occur. Then a spreadsheet or database can be kept that shows the projected amount of money that needs to be kept in an account at any point in time, based on budgeted inflows and outflows, to support on-time payments for everything. It is not necessary to track things down to the day. For many years, I used a spreadsheet that showed bi-weekly inflows/outflows, and I showed all outflows going out the pay period before they were due. Additionally, I used the conditional formatting feature of Excel to tell me if my projected account balance was ever below a minimum threshold (in my case I chose $100). Using this strategy I could also easily plan out debt payoff scenarios and understand what was left to go to savings and other purchases.

If cash outflows are systematically greater than inflows, then changes need to be made. Bills need to be reduced or a higher income needs to be sought from a job change or a business expansion.

Good cash flow management is only part of a solid financial picture; effort also needs to be made to ensure that expenses (not necessarily cash flows) are kept below monthly revenues so that bigger replacement purchases (e.g. cars, appliances, computers) don't create a balance sheet problem when they need to be made.

See Also
Retirement in the 21st Century
The Personal Balance Sheet
The Personal Income Statement
Basic Bookkeeping for Everyone

Basic Bookkeeping for Everyone

Personal financial literacy is the first step towards developing true financial security and realizing a dream of quitting a job or having a comfortable retirement. I received an MBA in accounting and now I use my knowledge to help others. In this post, I'll cover some of the basic transactions that an individual is likely to see and how they impact the personal income statement and balance sheet. It is necessary to understand the basics of the personal income statement and balance sheet before reading this post, as some of the meaning may be lost without understanding the financial statements that these transactions affect.

Accountants spend a lot of time thinking about the recognition and economic measurement surrounding a set of business events. Bookkeepers focus on the proper entry of data into the main operational financial records: the general ledger and the general journal. The journal tracks specific events as they affect different accounts and the ledger keeps track of the balances in each account. Operationally, information first appears in the journal and is then transferred to the ledger. The entries in the journal, creatively called "journal entries," illustrate different events like these:
  • Pay day
  • Taking out a new loan
  • Paying off a loan
  • Prepaying car insurance or health insurance
  • Paying other normal bills
  • Buying/Selling a house or a car
Journal entries are a list of accounts along with a debit or credit amount. Each transaction affects a minimum of two accounts (this is where the term "double entry bookkeeping" originates). The individual parts of a journal entry may affect an account that exists on the income statement or on the balance sheet. A fundamental identity for journal entries is the following:

debits = credits

This confuses a lot of people when they first explore the concept, but it becomes clearer with examples. Let's return to our friend, John Doe...

John gets paid $1500 for working for a week:
                     Dr.    Cr. 
Cash                1050
Tax Withheld         450
     Wage Income           1500 
   (to reflect pay day) 
In this case, we know that our cash in the bank increased by 1050. Cash is an asset that exists on the balance sheet. Tax withheld is either an expense or an asset, depending on your philosophy. In my case, I argue that it is an expense because you ultimately never see it and it doesn't do anything besides hurt your purchasing power. If you consider it an expense, it goes on the income statement; if you consider it a pre-paid expense, then it is on the balance sheet. Wage income is clearly a personal revenue account and exists on the income statement.

Next, John buys a house for $200,000 and pays $10,000 down with a $190,000 mortgage:

                     Dr.    Cr. 
Home              200,000
     Cash                  10,000
     Mortgage              190,000 
   (to reflect home purchase)
 
In this case, only the balance sheet is affected. The home is recorded for the purchase price, cash is reduced by $10,000, and a new liability, "Mortgage," is created for the principal value of the note. Interest is calculated periodically and is handled in a separate journal entry. We will consider loans for real estate, vehicles, and credit cards in a future post. As a final example, let's look at the purchase of a 6 month health insurance policy:

                             Dr.    Cr. 
Pre-paid health insurance    6,000 
      Cash                          6,000 
   (recorded for purchase of insurance policy) 

The examples above demonstrate the mechanics of transactions that happen at a discrete point in time, but at the end of a period there are entries that need to be made to adjust accounts that have changed due to the passage of time. These include things like interest on loans, changes in pre-paid expenses, accruals of new expenses (e.g. utilities, cable TV, rent in some cases). Below is an example of John's usage of pre-paid health insurance:

For the next 6 months, John would expense a portion of the health insurance policy at the end of the month:
                                 Dr.    Cr. 
Health insurance expense       1,000
     Pre-paid health insurance        1,000 
   (to reflect use of a month of coverage) 
 
Journal entries aren't typically complicated to figure out; the exercise usually involves identifying the accounts and then evaluating the amounts that get applied to each. Assets, losses, and expenses increase with debits and decrease with credits. Liabilities, equity, revenues, and gains increase with credits and decrease with debits. In future posts I will typically state directly that we are increasing or decreasing an account, rather than referring to debit amounts and credit amounts.

Finally at the end of the month, income statement accounts are zeroed out and applied to accounts on the balance sheet (typically personal equity accounts). This allows the balance sheet to reflect the financial position for a person at a point in time (typically at the end of a week, month, quarter, or year). The main closing entry is a credit (or debit) of the difference between income and expense (or expense and income if expenses > income) to the personal equity account on the balance sheet.

Managing personal finances using double entry methods may seem cumbersome, but it allows an individual to stay close to their finances and understand the effects of each transaction on their overall financial and economic position. It also provides a framework for an individual or family to use to evaluate the effects of different possible purchases. Finally, the usefulness of double entry methods is that they allow an individual or family to manage their finances more along the lines that a business would (though businesses and governments are subject to rules that individuals are not).

See Also
Retirement in the 21st Century
The Personal Balance Sheet
The Personal Income Statement

Tuesday, March 27, 2012

The Personal Income Statement

Personal financial literacy is the first step towards developing true financial security and realizing a dream of quitting a job or having a comfortable retirement. In my last post I covered the basics of the personal balance sheet and how an individual's assets and liabilities look at a point in time. I also showed a couple of examples including a graduating student and a homeowner with an underwater mortgage. In this post, we will work more with the flows that affect the personal balance sheet: revenue, expenses, gains, and losses.

From a business perspective, revenues are different from gains in that revenues arise from a business' primary operating activities while gains arise from events that are not considered primary activities. For example, Best Buy would recognize revenue on merchandise that is sold in its stores while it might recognize a gain when a building is sold (in this case, it is assumed that the purchase and sale of real estate isn't one of Best Buy's primary operating activities). The same analogy holds for expenses and losses. Companies recognize expenses when they engage in activities that reduce the organization's economic resources and are closely related to the organization's primary purpose. Losses are often tied to events that are not routine and are infrequent in nature.

One of the causes of difficulty for the lower and middle classes is that it is a lot easier to generate expenses and losses than it is to generate revenues and gains. A good example of this is that an individual could choose to eat out every night in a given week and triple their food expense, while they will receive the exact same paycheck that week. Businesses have a lot more flexibility to drive revenues and gains and are not limited in the same ways as individuals (upwards or downwards). For most people, the goal should be to operate more like a business than an individual for all things related to finance. This is also why there is an extraordinary and growing wealth gap in the world. The richest individuals are able to operate their finances in the exact same way that businesses operate, where there is no limit on upward potential. Most individuals are limited by the raises that their employers are willing to pay them, and increasing that amount is virtually impossible in an employer driven labor market.

Let's look at the mechanics of an income statement. An income statement differs from a balance sheet in that it shows how revenues, expenses, gains, and losses occur over a period where a balance sheet shows assets and liabilities at a point in time. Revenues and gains typically add to assets (e.g. more cash in the bank) while expenses and losses decrease assets (e.g. depreciation) or increase liabilities (e.g. credit cards).

Let's look at an example personal income statement for a guy named John Doe assuming the following:
  • John makes $1,500 per week (before taxes)
  • John's taxes take about 30% of his income
  • John spends the following
    • $2,000/month on rent and utilities
    • $450/month on doggie day care (because his landlord does not allow pets)
    • $200/week on food
    • $200/month on gas
    • $120/month for cell phone
    • $120/month for Internet and Cable TV
    • $300/month on student loans (20% of this is interest)

Let's determine if John is making any money after expenses. We will prepare an income statement that shows a typical month.

        Monthly Statement of Income
                John Doe
      For the Period Ended 3/31/2012

Wage Revenue                        6,000
Taxes Deducted                1,800
Wages, Net                          4,200

Rent and Utility Expense      2,000
Food Expense                    800
Doggie day care                 450
Fuel Expense                    200
Cell Phone Expense              120
Cable/Internet Expense          120
Student Loan Interest Expense    60

Total Expenses                      3,750

Net Income (Loss)                     450  
 
But wait... I've read a financial statement... aren't taxes subtracted at the end? For businesses, yes, but not for individuals. Why? Think about it: although you may have negotiated $78,000 at the end of your last job search, you really only see a maximum of about $58,500 actually go through your bank account (the rest is a somewhat fictitious amount that appears at the end of the year on your W-2). The government knows that nobody would pay taxes at the end of the year if they weren't taken out of the paycheck, so legislation has been passed to make withholding mandatory for most individuals, and immediate and severe penalties are imposed on businesses that fail to send payroll taxes in to the state and federal government. Taxes are typically calculated values, but in this case it makes more sense to either create an asset (called taxes withheld in the personal balance sheet) or make an adjustment at the end of the year that reduces the total year expense by the amount of the refund expected. I prefer the latter approach.

Imagine what you could do over the course of a year with an additional $19,500, even if it had to be paid at the end of the year. Gains could be generated from the purchase and sale of stocks or interest income could be generated from bonds... but these doors are closed for the majority of people. The money could even be used as a down payment on a car or home and then taken out as a secured loan at the end of the year.

Another interesting thing to note is that the student loan interest expense is only $60. This is due to the fact that only 20% of the $300 cash outlay is interest. The other $240 is a reduction in the principal of the loan (and this is applied against the corresponding student loan liability on John's personal balance sheet). We'll look at working with loan calculations in more depth in a future post.

Ultimately the personal income statement tells you how much money you have made or lost for a given period of time. Figure out your expenses and debt service and see how they compare to your income. The answer may surprise you... I didn't touch on gains and losses yet because these are less straightforward than simply determining revenue and expenses. As we continue our discussion on assets and liabilities, I will cover more detailed scenarios involving gains and losses on homes, cars, stocks, bonds, and a number of other assets. I will also explore the darker area of gains and losses on liabilities.

See Also
The Personal Balance Sheet
Retirement in the 21st Century

Monday, March 26, 2012

The Personal Balance Sheet

The average individual is in a lot of trouble with his/her personal balance sheet. Since the financial crisis started in 2007 and 2008, the average value of an individual's assets has dropped dramatically and the value of an individual's liabilities has increased substantially. Personal financial literacy is the first step towards developing true financial security and realizing a dream of quitting a job or having a comfortable retirement. In my previous post, I describe how most retirement advisers give fundamentally flawed advice about managing cash flows in the retirement years.

The balance sheet is the main starting point for understanding finances. It was my starting point when I was working on my MBA and the educational requirements for the CPA exam and it is a logical starting point to show people how finances work from the bottom up. In my previous post, I described some regular activities in terms of stocks and flows and the balance sheet represents the stocks at a single point in time. Ultimately the balance sheet follows the fundamental accounting equation:

Assets = Liabilities + Equity

Conceptually, this means that everything that has an economic value or can produce some sort of future economic benefit (assets) are composed of the owner's economic interest (equity) and items that will trigger future economic sacrifices (liabilities). Common assets on a set of personal financial statements are cash, receivables (typically salary or interest from bonds and insured savings), real estate, retirement savings, and vehicles. Common examples of liabilities are student loans, mortgages, credit cards, and most regular expenses like auto insurance, utilities, etc. Equity gets interesting in the business context, but for a personal financial statement is mainly a placeholder for showing the difference between assets and liabilities and can reasonably be thought of as wealth at a point in time.

Let's look at a couple of examples. The first example is a college student that financed his/her education with loans and is about to graduate. This student also purchased a new car to get to a job. Assume that the student is at the end of an apartment lease and used $5,000 on a credit card on eating out over 5 years.

Assets                            Liabilities                    Equity
Cash (checking account): $1,000   Car Loan: $15,000
Car: $15,000                      Credit Card: $5,000
                                  Student Loan: $100,000

Total Assets: $16,000             Total Liabilities: $120,000    Total Equity: ($104,000)

This is a bad way to start out. I know a lot of people who have ended up here, and the graduating classes for the foreseeable future will have the same sort of financial position. The main difference between the people I graduated with and the people in the newer graduating classes is that the newer graduates will be dealing with an unemployment rate of more than 8% and few job prospects that will pay the amount required to service the liabilities generated from being a student. Ultimately this cost will be borne either by private investors or by taxpayers when students default on education loans after a failed job search.

Let's look at an example of a homeowner who isn't currently under water with their loan. Assume they bought their house 10 years ago for $200,000 at a rate of 6% and have just paid off a car with a carrying value of $10,000. This homeowner has no other liabilities. His/her financial position, not including rainy day/retirement savings, might look like this:

Assets                  Liabilities                       Equity
Cash: $3,000            Home Mortgage: $167,371.45
Car: $10,000
Home: $200,000

Total Assets: $213,000  Total Liabilities: $167,371.45    Total Equity: $45,628.55

What's interesting here is that the homeowner has paid almost $144,000 to generate about $32,000 in equity (meaning that $112,000 of interest has been paid on a $200,000 home over 10 years, see this post for how this is calculated). Yikes!

What if this homeowner bought in 2007 and had their home depreciate to a value of $100,000:

Assets                  Liabilities                       Equity
Cash: $3,000            Home Mortgage: $167,371.45
Car: $10,000
Home: $100,000

Total Assets: $113,000  Total Liabilities: $167,371.45    Total Equity: ($54,371.45)

In this case the owner has paid more interest than the home is worth (the same amount as above) and they are underwater on the home loan. Is it any wonder that they simply walk away at this point? Anyway, what we see here is that the financial situations of typical people are more difficult than most people understand, especially politicians who were hand picked from Wall Street. Understanding the personal balance sheet is the first step to controlling and improving personal finances.

See Also
Retirement in the 21st Century
How Much Interest Are You Paying?

Retirement in the 21st Century

I'm always amazed by the number of articles that I read that discuss the impending Social Security crisis and the retirement savings crisis in the country. As the baby boomer generation starts getting into the older ages and is unable to retire, the country will have an unemployment spike involving older individuals and will have a huge public policy problem to determine how to take care of all of the would-be retirees who have either no savings or vastly insufficient savings to sustain them for the later years.

Ultimately one of the major challenges (or opportunities) is that the world has shifted to the defined contribution model for retirement (IRA, 401k, etc.), but the mentality of the average individual remains that of the defined benefit model (also known as a pension). People still believe that someone, whether it is the government or a company, will cover their retirement years for them. This isn't the case... Social Security has all but failed fiscally, companies are restructuring and eliminating pensions, and even state and federal governments are asking people to voluntarily reduce their pension benefits. Ultimately, people are being asked to take responsibility for their own financial care and feeding.

This creates a problem for the average individual because it requires an investment of time and effort into developing strong financial literacy. Additionally, people need to make the effort to understand how different financial instruments (stocks, bonds, derivatives, etc.) work and how the economy as a whole works. It also doesn't help that the average financial adviser/planner subscribes to a fundamentally flawed view that retirees need to use savings in place of income in the retirement/post-retirement years.

This last statement probably surprises a lot of people... "Why would he say that?"

Let's take a step back and think about the basic concepts of assets, liabilities, revenues, and expenses... or really more fundamentally stocks and flows. I'll cover assets, liabilities, revenues, and expenses in a lot more detail in future posts.

From a financial standpoint a stock is a store of value, such as cash under the mattress, in a savings account or IRA, or in a hard asset like a home. The fair market value of a portfolio can also be considered a stock. Liabilities such as credit cards, mortgages, car loans, etc. can also be considered stocks, but these stocks work against you. For the majority of people, there is a combination of both and the average American has a negative net worth from a personal financial standpoint.

Financial flows are represented by income and expenditures; income can come from working, dividends, bond coupons, etc. Some common expenditures are debt service payments (mortgage, car loans, credit cards, etc.) and regular bills (car insurance, health insurance, utilities, food, taxes, etc.). Naturally, any surplus of income is added to an existing stock, such as the cash pile under the mattress. Any surplus of expenses reduces an existing stock or increases a negative stock (such as a credit card or other loan). Flows ultimately determine what is financially possible.

I will focus on income because it is the main determinant in purchasing power and the quality of retirement living. Income is either active (working) or passive (from direct or indirect investment). Direct investment means owning a business and investing in the tangible (machinery, etc) and intangible (customer databases, patents, trademarks) assets of the business. Indirect investment comes from owning a financial instrument or investing in a business that is not directly managed or overseen (via a board of directors seat).

So back to the retirement question, why is the strategy sold by financial/retirement advisers fundamentally flawed?

The average retirement adviser recommends substituting for income through the sale of assets during retirement: the partial liquidation of a stock/bond portfolio, or something like a reverse mortgage on a home. This poses a problem because once the stock is gone, there is nothing left to use. That same asset could instead be used to generate an income (rent out the home, reinvest in more bonds, reinvest dividends, etc.), but the main problem is that the income generated from these assets is insufficient to support the average individual during retirement.

Ultimately, when the asset is sold, no further income can be generated from it.

The secret to comfortably retiring in the 21st century is going to be the successful creation of passive income sources and the active management of personal finances. This also requires a fundamental mind shift to think about things the way an accountant or an investment fund manager would.

I'll use this as an anchor for other posts in the series, so bookmark this page or follow my blog for the latest and greatest.

Retirement in the 21st Century

Sunday, March 25, 2012

Comprehensive OSPF Cost Example

The Open Shortest Path First routing protocol is a critical piece of knowledge for any networking professional working in an enterprise environment. Most major networking certifications covering routing and switching including the Cisco Certified Network Associate (CCNA), Cisco Certified Network Professional (CCNP), and Cisco Certified Internetwork Expert (CCIE) extensively test OSPF knowledge and skills. OSPF is the most popular dynamic routing protocol used in complex enterprise networks as an interior gateway protocol (IGP). This post will provide a comprehensive example of the OSPF metric calculation and how different configurations impact the metric for type-1 and type-2 routes. The OSPF lab is configured in Dynamips/GNS3 using 5 Cisco c3725 routers laid out in the topology below. For more information on how the OSPF metric is determined, see OSPF Cost/Metric Calculation.

As I described in a previous post, there are really three main types of metrics considered in OSPF:
  • Intra-area and summary cost
  • External/NSSA type 1 cost
  • External/NSSA type 2 cost
In the topology below, we have a backbone area and two non-backbone areas (one a regular area and one a totally not so stubby [totally NSSA] area).

We have two routing domains running the Routing Information Protocol (RIP) and one routing domain running Open Shortest Path First (OSPF). To get the external routes into OSPF, we redistribute RIP into OSPF on R1 and R2. The RIP routes from R1 propagate through the whole OSPF domain (as far as R02) as E1/E2 routes, while the RIP routes from R2 propagate through the no-summary NSSA as N1/N2 routes and become E1/E2 routes once they are translated into area 0 and beyond.

For the initial part of the lab, get the basic OSPF configuration and RIP redistribution set up. In this instance, I use a route map on R1 and R2 to set the following:

172.16.1.0/24 Metric type 1, initial cost 100
172.16.2.0/24 Metric type 2, cost 100
192.168.1.0/24 Metric type 1, initial cost 100
192.168.2.0/24 Metric type 2, cost 100

There are multiple ways to achieve this configuration, but I use a route map and prefix lists. Here are the relevant configuration commands for R1:

!
router ospf 1
 redistribute rip subnets route-map set-ospf-metric-type
 network 10.0.0.0 0.255.255.255 area 1
!
ip prefix-list match-172-16-1 seq 5 permit 172.16.1.0/24
!
ip prefix-list match-172-16-2 seq 5 permit 172.16.2.0/24
!
route-map set-ospf-metric-type permit 10
 match ip address prefix-list match-172-16-1
 set metric 100
 set metric-type type-1
!
route-map set-ospf-metric-type permit 20
 match ip address prefix-list match-172-16-2
 set metric 100
 set metric-type type-2
!


And for R2:
!
router ospf 1
 log-adjacency-changes
 area 2 nssa no-summary
 redistribute rip subnets route-map set-ospf-metric
 network 10.0.3.0 0.0.0.255 area 2
!
ip prefix-list match-192-168-1 seq 5 permit 192.168.1.0/24
!
ip prefix-list match-192-168-2 seq 5 permit 192.168.2.0/24
!
route-map set-ospf-metric permit 10
 match ip address prefix-list match-192-168-1
 set metric 100
 set metric-type type-1
!
route-map set-ospf-metric permit 20
 match ip address prefix-list match-192-168-2
 set metric 100
 set metric-type type-2
!


Looking at the Area Border Router (ABR) routing tables, it is clear that the E1/N1 cost increases as it is propagated through the network, but the E2/N2 cost remains what it was initially set to.

From R01:

R01#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
O E1    172.16.1.0 [110/110] via 10.0.2.1, 00:12:14, FastEthernet0/1
O E2    172.16.2.0 [110/100] via 10.0.2.1, 00:12:14, FastEthernet0/1
     10.0.0.0/24 is subnetted, 4 subnets
C       10.0.2.0 is directly connected, FastEthernet0/1
O IA    10.0.3.0 [110/30] via 10.0.0.2, 01:57:47, FastEthernet0/0
C       10.0.0.0 is directly connected, FastEthernet0/0
O       10.0.1.0 [110/20] via 10.0.0.2, 01:57:47, FastEthernet0/0
O E1 192.168.1.0/24 [110/130] via 10.0.0.2, 01:57:47, FastEthernet0/0
O E2 192.168.2.0/24 [110/100] via 10.0.0.2, 01:57:49, FastEthernet0/0


From R02:

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
O E1    172.16.1.0 [110/130] via 10.0.1.1, 00:00:02, FastEthernet0/0
O E2    172.16.2.0 [110/100] via 10.0.1.1, 00:00:02, FastEthernet0/0
     10.0.0.0/24 is subnetted, 4 subnets
O IA    10.0.2.0 [110/30] via 10.0.1.1, 00:00:02, FastEthernet0/0
C       10.0.3.0 is directly connected, FastEthernet0/1
O       10.0.0.0 [110/20] via 10.0.1.1, 00:00:02, FastEthernet0/0
C       10.0.1.0 is directly connected, FastEthernet0/0
O N1 192.168.1.0/24 [110/110] via 10.0.3.2, 03:44:00, FastEthernet0/1
O N2 192.168.2.0/24 [110/100] via 10.0.3.2, 03:44:00, FastEthernet0/1


For internal routes, it is easy to see that the cost increases as the advertisement propagates from the source.
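To make the E1/E2 behaviour in the two routing tables above concrete, here is a small model of how a router arrives at those metrics. It is an added example written for this post, not the lab's configuration or any Cisco code: every link in the lab is Fast Ethernet (cost 10 at the default reference bandwidth), and the router sitting between R01 and R02 on 10.0.0.0/24 and 10.0.1.0/24 is not named in the post, so it is labelled "Rmid" here as an assumption. The model runs SPF (Dijkstra) from the router of interest, then applies the two external metric rules: a type-2 route keeps the ASBR's advertised cost, a type-1 route adds the cost to reach the ASBR.

```python
import heapq

# Constructed from the routing tables shown in the post. All links are Fast
# Ethernet, so each costs 10 at the 100 Mb/s default reference bandwidth.
# "Rmid" is an assumed name for the unnamed router between R01 and R02.
LINKS = [
    ("R1", "R01", 10),    # 10.0.2.0/24, area 1
    ("R01", "Rmid", 10),  # 10.0.0.0/24, area 0
    ("Rmid", "R02", 10),  # 10.0.1.0/24, area 0
    ("R02", "R2", 10),    # 10.0.3.0/24, area 2 (NSSA)
]

# Externals redistributed on the two ASBRs, as set by the post's route maps:
# (prefix, ASBR, metric type, initial metric)
EXTERNALS = [
    ("172.16.1.0/24", "R1", 1, 100),
    ("172.16.2.0/24", "R1", 2, 100),
    ("192.168.1.0/24", "R2", 1, 100),
    ("192.168.2.0/24", "R2", 2, 100),
]


def build_graph(links):
    """Undirected weighted adjacency map: router -> {neighbour: cost}."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def shortest_costs(graph, source):
    """Dijkstra from `source`: the SPF result, cost to reach every router."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        for nbr, cost in graph[node].items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                heapq.heappush(heap, (nd, nbr))
    return dist


def external_metric(graph, router, asbr, metric_type, advertised):
    """Metric `router` installs for an external prefix advertised by `asbr`.

    Type 2 (E2/N2): the ASBR's advertised cost only, unchanged hop to hop.
    Type 1 (E1/N1): advertised cost plus this router's cost to reach the ASBR.
    """
    if metric_type == 2:
        return advertised
    return advertised + shortest_costs(graph, router)[asbr]


def external_routes(router, links=LINKS, externals=EXTERNALS):
    """Return {prefix: metric} as `router` would see it, matching 'show ip route'."""
    graph = build_graph(links)
    return {p: external_metric(graph, router, asbr, t, m) for p, asbr, t, m in externals}


if __name__ == "__main__":
    for rtr in ("R01", "R02"):
        print(rtr, external_routes(rtr))
```

Running it for R01 and R02 reproduces the bracketed metrics in the two routing tables: 172.16.1.0/24 is 110 on R01 and 130 on R02, 192.168.1.0/24 is 130 on R01 and 110 on R02, and both type-2 prefixes stay at 100 everywhere.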

OSPF Cost for Summary Routes

Summary external routes can be created on autonomous system border routers (ASBRs) using the OSPF summary-address router configuration command. External summary route cost is determined according to the following rules:
  • If all summary components are E2/N2 routes, the summary is considered E2/N2 and is advertised with the lowest metric (cost) of the summarized routes
  • If any of the summarized routes are E1/N1 routes, the summary is considered E1/N1 and is initially advertised with the lowest cost/metric of any of the summarized routes. As the LSA is propagated, the new metric follows regular E1/N1 rules.  
For routes within the OSPF routing domain that are summarized at the area border routers (ABRs) using the area range command, the metric advertised with the summary is the lowest metric of any of the summarized routes.

See Also,
The Road to the CCIE
OSPF Cost/Metric Calculation

Friday, March 23, 2012

OSPF Cost/Metric Calculation

The Open Shortest Path First routing protocol is a critical piece of knowledge for any networking professional working in an enterprise environment. Most major networking certifications covering routing and switching including the Cisco Certified Network Associate (CCNA), Cisco Certified Network Professional (CCNP), and Cisco Certified Internetwork Expert (CCIE) extensively test OSPF knowledge and skills. OSPF is the most popular dynamic routing protocol used in complex enterprise networks as an interior gateway protocol (IGP). This example will demonstrate the concepts and configuration involved with metrics in an OSPF network. I utilize a Cisco c7200 in Dynamips/GNS3 to provide syntax examples in the post below.

Understanding OSPF Cost

Internal Route OSPF Cost

OSPF uses a value called cost as the metric for a routing prefix. The cost for a prefix is built up hop by hop according to the following formula:

OSPF cost = cost from LSA + (reference bandwidth / incoming interface bandwidth)

OSPF uses 100 Mb/s for its default reference bandwidth on Cisco routers, but on routers that use Gigabit Ethernet or 10 Gigabit Ethernet, this value should be changed both on the router and everywhere else in the OSPF network. It can be changed using the auto-cost reference-bandwidth command:

R1(config-router)#auto-cost reference-bandwidth ?
  <1-4294967>  The reference bandwidth in terms of Mbits per second


Note that this is the configured bandwidth on the interface, not the actual bandwidth. The following table shows the OSPF cost for different link types and reference bandwidths:
Link Type                 Reference BW 100M (default)   Reference BW 1G   Reference BW 10G
56k serial                1785                          17857             178571
64k serial                1562                          15625             156250
T1 (1.544 Mbps serial)    64                            647               6476
E1 (2.048 Mbps serial)    48                            488               4882
Ethernet                  10                            100               1000
Fast Ethernet             1                             10                100
Gigabit Ethernet          1                             1                 10

The OSPF cost can also be manually set for an interface with the ip ospf cost interface subcommand.

R1(config-if)#ip ospf cost ?
  <1-65535>  Cost

The OSPF cost of an outgoing interface is not added to an outgoing LSA, rather the receiving router adds its own interface cost to the cost that was advertised in the LSA (and propagates that cost to other routers). In this way, the total cost is the cost of each outgoing interface on each router between a particular router and the router connected to a specific prefix.

The OSPF cost can be set for connected networks being advertised into OSPF using the ip ospf cost interface command. It is also possible to set the OSPF cost for a connected route using a route map and redistributing connected networks, though this causes the route to be considered an external route and the metric is determined initially by the set clause of the route map and propagated according to whether it is considered a type 1 external route or a type 2 external route (type 2 is default on the Cisco IOS platform).

It should also be noted that the bandwidth interface configuration command (which has no actual effect on available bandwidth) can modify the OSPF cost for an interface by overriding the bandwidth inferred from the interface type.

Inter-Area and External Route OSPF Cost and Path Selection

For inter-area routes, the cost is the cost to reach the ABR plus the cost the ABR advertises to reach the particular network.

External routes redistributed into OSPF are either considered type 2 or type 1 external routes. Type 2 is default and the cost used to determine the shortest path to the advertised network is solely the cost advertised by the ASBR for the prefix (not by the cost to reach any intermediate ABRs or other routers). For type 1 routes, routers add the cost to get to the ASBR to the cost advertised by the ASBR to determine the metric for the route as well as the cost to reach any intermediate ABRs or other routers.

Most of the examples that show routing differences between type 1 and type 2 external routes are theoretical. There aren't very many drivers from a network design standpoint to implement multiple interior gateway routing protocols in a new network or in a network that is being re-engineered or transitioning between routing protocols (ex. RIP -> OSPF or EIGRP -> OSPF). The drivers that do exist mainly involve migrations due to mergers and acquisitions or in high complexity service provider scenarios (mainly interior to a service provider's network or involved with layer 3 carrier MPLS solutions). For VoIP design, EIGRP and OSPF can both be tuned to have subsecond convergence assuming the correct level of redundancy exists in the network and redistribution is not typically required.  

When thinking about OSPF costs, it is important to think about how OSPF chooses routes, because the following rules supersede cost in a few different scenarios:
  • OSPF prefers intra-area routes to inter-area routes, regardless of cost
  • OSPF routes across area zero without routing across a non-backbone area if at all possible
  • Finally, OSPF routes to the destination without traversing area 0
This creates challenges with design and troubleshooting because flows may take a non-intuitive path if two non-backbone areas are directly connected with a lower cost than the cost across a backbone area, or if there is a high cost route through the backbone area and a low cost route that traverses the backbone area and a non-backbone area. Special care should be taken with regard to link failures and different external routing scenarios.

See Also
The Road to the CCIE

Thursday, March 22, 2012

OSPF Concepts: Areas and LSA Types

OSPF (Open Shortest Path First) is the most popular interior gateway protocol (IGP) used in private networks today. Because of its widespread use, it is one of the most important topics for individuals pursuing any of the mainstream networking certifications available. Both Cisco and Juniper extensively test on OSPF concepts and configuration for their exams at the entry level, intermediate level, and advanced level. Since I have more Cisco background than Juniper, I will describe OSPF concepts and configuration from the standpoint of the Cisco Internetwork Operating System (IOS). Since I am pursuing the second highest Cisco certification, the Cisco Certified Internetwork Expert (CCIE), I will develop both simple and advanced labs and examples with Dynamips/GNS3 involving basic and advanced configuration scenarios. For now, I will describe OSPF version 2 which is currently used for IPv4 networks. At a future time, I will develop a similar set of posts that describes OSPFv3 and IPv6.

Open Shortest Path First is a link state protocol, meaning that it propagates information about individual links (and their connected subnets) and each router builds a complete view of the attached network (really the OSPF area, but more on this later...). Each router analyzes the information in the OSPF link state database and makes its own decision on the best way to route traffic to a particular destination. Compare this with a distance vector protocol such as RIPv2 where each router has no view of the topology beyond the first hop, but only knows the distance (for RIP this is hop count) to reach a subnet that was advertised by the neighboring router. No computation is necessary beyond knowing which next hop has the lowest hop count to a specific destination.

OSPF Areas

An area is a set of routers that share a complete view of the link states within that area. OSPF uses a two-layer hierarchy consisting of a backbone area (area 0) and one or more non-backbone areas. For small networks, it is possible that only a single area is used. Each interface/subinterface can be part of a single OSPF area. All areas other than the backbone area must connect directly to the backbone area (or connect via an OSPF virtual link). Since the routers in a single area have a complete view of the topology, adding more routers to an area increases the size of the OSPF database in memory and increases the time that the shortest path first (SPF) algorithm takes to run. Specifics of each type of area (normal area, stub area, totally stubby area, not so stubby area [NSSA], and totally not so stubby area) will be discussed in their own posts.

OSPF LSA Types

Routers in an OSPF area propagate reachable subnets via link state advertisements (LSAs). Within an individual area Type 1 (link) and type 2 (transit network) LSAs help routers develop a complete topology view. Between areas type 3 (summary) and type 4 (autonomous system border router summary [ASBR summary]) LSAs are propagated. Type 5 LSAs are generated and propagated for external routes (those completely outside of OSPF). Type 7 LSAs are used to represent external routes in not so stubby areas (NSSAs). Each of these LSA types and their appearance in the OSPF database will be described in more detail and demonstrated in future configuration examples.

See Also,
The Road to the CCIE

Wednesday, March 21, 2012

Troubleshooting 0x7E SYSTEM_THREAD_EXCEPTION_NOT_HANDLED

The Debugging Tools for Windows are required to analyze crash dump files. If you do not have the Debugging Tools for Windows installed or dump files are not being generated on system crash, see this post for installation/configuration instructions:
http://mikemstech.blogspot.com/2011/11/windows-crash-dump-analysis.html

0x0000007E SYSTEM_THREAD_EXCEPTION_NOT_HANDLED is a common bug check (blue screen of death) on the Windows platform (Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, and Windows 8). It also appears as bug check code 0x1000007E (SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M). The error indicates a kernel-mode exception that no error handler caught. Parameter 1 is the exception code, which gives more insight into the cause of the issue. A few of the common ones are given below:

Exception Code: Description

0x80000002: STATUS_DATATYPE_MISALIGNMENT
This exception code indicates that an object was not properly aligned with its pointer. This often occurs if a programmer incorrectly calculates the pointer address of an object in an array or other data structure. The error code lookup tool shows the following for this error:

{EXCEPTION}
Alignment Fault
A datatype misalignment was detected in a load or store instruction.

0x80000003: STATUS_BREAKPOINT
This error, if encountered outside of development, indicates a really sloppy software release management process by the driver's developers. Software developers use breakpoints to examine the state of an application at a specific point of execution, often to identify the contents of the variables associated with a specific program at that point. The exception itself indicates that a programmer was working on an issue in the code but left a breakpoint (which generates an exception to stop execution and pass control to the debugger) in the code, and the system encountered it. The error code lookup tool shows the following for this error:

{EXCEPTION}
Breakpoint
A breakpoint has been reached.

0xC0000005: STATUS_ACCESS_VIOLATION
This indicates that memory corruption occurred at some level. This is typically due to a driver corrupting the memory/system state and another driver or the system kernel identifying the issue at a later time. The FAULTING_MODULE in WinDbg is not reliable for this exception code. The error code lookup tool shows the following for this error:

The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

0xC0000006: STATUS_IN_PAGE_ERROR
This error indicates an I/O error that possibly points to a hardware issue. The error code lookup tool shows the following for this error:

The instruction at "0x%08lx" referenced memory at "0x%08lx". The required data was not placed into memory because of an I/O error status of "0x%08lx".

Troubleshooting SYSTEM_THREAD_EXCEPTION_NOT_HANDLED is fairly straightforward. For exception codes other than 0xC0000005 (STATUS_ACCESS_VIOLATION), the faulting module reported by kd/WinDbg identifies the driver (or possibly a related driver, in the case of generic drivers like netio.sys and ndis.sys) that needs to be upgraded, downgraded, or replaced.

The following examples will give troubleshooting ideas for 0xC0000005 and 0xC0000006.

0xC0000006 STATUS_IN_PAGE_ERROR


STATUS_IN_PAGE_ERROR indicates that one or more memory pages could not be written to or read from disk because of an I/O error. I/O errors have various causes, but the memory and hard drive should be examined for faults. Below is an example analysis of a dump involving this substatus:


0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000006, The exception code that was not handled
Arg2: 8c3c1532, The address that the exception occurred at
Arg3: 9b2a5398, Exception Record Address
Arg4: 9b2a4f70, Context Record Address

Debugging Details:
------------------


OVERLAPPED_MODULE: Address regions for 'ZTEusbmdm6k' and 'USBSTOR.SYS' overlap

EXCEPTION_CODE: (NTSTATUS) 0xc0000006 - The instruction at 0x%p referenced memory 
                                        at 0x%p. The required data was not placed 
                                        into memory because of an I/O error status 
                                        of 0x%x.

FAULTING_IP: 
nvlddmkm+3a5532
8c3c1532 8b1f            mov     ebx,dword ptr [edi]

EXCEPTION_RECORD:  9b2a5398 -- (.exr 0xffffffff9b2a5398)
ExceptionAddress: 8c3c1532 (nvlddmkm+0x003a5532)
   ExceptionCode: c0000006 (In-page I/O error)
  ExceptionFlags: 00000000
NumberParameters: 3
   Parameter[0]: 00000000
   Parameter[1]: 85e40000
   Parameter[2]: c0000010
Inpage operation failed at 85e40000, due to I/O error c0000010

CONTEXT:  9b2a4f70 -- (.cxr 0xffffffff9b2a4f70)
eax=00000002 ebx=00000000 ecx=92544000 edx=002b0c70 esi=9b2a54bc edi=85e40000
eip=8c3c1532 esp=9b2a5460 ebp=9b2a546c iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
nvlddmkm+0x3a5532:
8c3c1532 8b1f            mov     ebx,dword ptr [edi]  ds:0023:85e40000=????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000006 - The instruction at 0x%p referenced memory 
                                    at 0x%p. The required data was not placed 
                                    into memory because of an I/O error status 
                                    of 0x%x.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  85e40000

EXCEPTION_PARAMETER3:  c0000010

IO_ERROR: (NTSTATUS) 0xc0000010 - The specified request is not a valid operation 
                                  for the target device.

BUGCHECK_STR:  0x7E

EXCEPTION_STR:  0xc0000006_c0000010

FOLLOWUP_IP: 
+3a5532
85e40000 ??              ???

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: hardware_disk

IMAGE_NAME:  hardware_disk

DEBUG_FLR_IMAGE_TIMESTAMP:  0

STACK_COMMAND:  kb

FAILURE_BUCKET_ID:  0x7E_IMAGE_hardware_disk

BUCKET_ID:  0x7E_IMAGE_hardware_disk

Followup: MachineOwner
---------
 
 
In this particular error, the IO operation failed with 0xC0000010 (STATUS_INVALID_DEVICE_REQUEST: The specified request is not a valid operation for the target device).

0xC0000005 STATUS_ACCESS_VIOLATION


For most bug check codes, 0xC0000005 indicates that the memory and system state have been corrupted (resulting in a crash when the memory corruption is detected). For the majority of crashes with a substatus of 0xC0000005, the memory is corrupted at one point, but the system crashes later when another driver or the system memory manager detects the corruption. This typically results in another driver (or the kernel itself) getting blamed for the issue (as shown below). Empirically, a video driver (ATI or Nvidia) is blamed with high probability, though for the reason just given the blamed module may not be the real culprit. Below is a typical analysis of a dump showing substatus 0xC0000005 where the error is blamed on the kernel (nt):


0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 828d1fb0, The address that the exception occurred at
Arg3: 8a743b48, Exception Record Address
Arg4: 8a743720, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced 
                                 memory at 0x%08lx. The memory could not be %s.

FAULTING_IP: 
nt!IopGetFileObjectExtension+f
828d1fb0 8b448104        mov     eax,dword ptr [ecx+eax*4+4]

EXCEPTION_RECORD:  8a743b48 -- (.exr 0xffffffff8a743b48)
ExceptionAddress: 828d1fb0 (nt!IopGetFileObjectExtension+0x0000000f)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 5a035b09
Attempt to read from address 5a035b09

CONTEXT:  8a743720 -- (.cxr 0xffffffff8a743720)
eax=00000001 ebx=84ffff80 ecx=5a035b01 edx=00000000 esi=00000800 edi=85676020
eip=828d1fb0 esp=8a743c10 ebp=8a743c10 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
nt!IopGetFileObjectExtension+0xf:
828d1fb0 8b448104        mov     eax,dword ptr [ecx+eax*4+4] ds:0023:5a035b09=????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced 
                       memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  5a035b09

READ_ADDRESS: GetPointerFromAddress: unable to read from 829a8848
Unable to read MiSystemVaType memory at 82987e40
 5a035b09 

FOLLOWUP_IP: 
nt!IopGetFileObjectExtension+f
828d1fb0 8b448104        mov     eax,dword ptr [ecx+eax*4+4]

BUGCHECK_STR:  0x7E

LAST_CONTROL_TRANSFER:  from 828ccc12 to 828d1fb0

STACK_TEXT:  
8a743c10 828ccc12 00000001 00000000 00000800 nt!IopGetFileObjectExtension+0xf
8a743c24 82a7092d 84ffff80 848ac3c0 84ffff68 nt!IoGetRelatedDeviceObject+0x50
8a743c6c 82a61601 84ffff80 84ffff80 84ffff68 nt!IopDeleteFile+0x32
8a743c84 828b7d40 00000000 000c0000 00000000 nt!ObpRemoveObjectRoutine+0x59
8a743c98 828b7cb0 84ffff80 82a66fe1 85b64b18 nt!ObfDereferenceObjectWithTag+0x88
8a743ca0 82a66fe1 85b64b18 85b64b40 829aa980 nt!ObfDereferenceObject+0xd
8a743ccc 828a0f04 85b64b18 00000000 00000000 nt!MiSegmentDelete+0x191
8a743d28 828a1225 848b4020 00000000 00000000 nt!MiProcessDereferenceList+0xdb
8a743d50 82a47fda 00000000 abe63408 00000000 nt!MiDereferenceSegmentThread+0xc5
8a743d90 828f01d9 828a115e 00000000 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!IopGetFileObjectExtension+f

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4e02a389

STACK_COMMAND:  .cxr 0xffffffff8a743720 ; kb

FAILURE_BUCKET_ID:  0x7E_nt!IopGetFileObjectExtension+f

BUCKET_ID:  0x7E_nt!IopGetFileObjectExtension+f

Followup: MachineOwner
--------- 
 

For issues involving STATUS_ACCESS_VIOLATION, troubleshooting usually starts with these steps:
  • Rule out a hardware issue with the memory or hard drive
  • Enable driver verifier and analyze the dumps after the system crashes again
  • Examine the loaded modules (run the "lm nt" debugger command) and BIOS (!sysinfo machineid) and look for older versions that need to be upgraded
  • Finally, if the system is under warranty/support, contact the manufacturer as it might be a known issue with a resolution provided by the manufacturer
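The triage rules in this post (the faulting module is trustworthy except for 0xC0000005; for 0xC0000006 go straight to the IO_ERROR status and the hardware) can be applied mechanically to the text that !analyze -v prints. The following is an added example, not part of the post and not a WinDbg feature: it pulls the exception code, module, image and I/O status out of an !analyze -v listing with regular expressions and returns a first recommendation. The two sample listings are constructed excerpts of the two dumps shown above, trimmed to the lines the parser needs.

```python
import re

# Constructed excerpts, trimmed from the two "!analyze -v" listings in the post.
INPAGE_DUMP = """\
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
Arguments:
Arg1: c0000006, The exception code that was not handled
Arg2: 8c3c1532, The address that the exception occurred at
FAULTING_IP:
nvlddmkm+3a5532
IO_ERROR: (NTSTATUS) 0xc0000010 - The specified request is not a valid operation
                                  for the target device.
MODULE_NAME: hardware_disk
IMAGE_NAME:  hardware_disk
"""

ACCESS_VIOLATION_DUMP = """\
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 828d1fb0, The address that the exception occurred at
FAULTING_IP:
nt!IopGetFileObjectExtension+f
MODULE_NAME: nt
IMAGE_NAME:  ntkrpamp.exe
"""

# Exception codes discussed in the post.
EXCEPTION_NAMES = {
    0x80000002: "STATUS_DATATYPE_MISALIGNMENT",
    0x80000003: "STATUS_BREAKPOINT",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000006: "STATUS_IN_PAGE_ERROR",
}


def _field(pattern, text):
    """First capture group of `pattern` matched line-wise, or None."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else None


def triage_0x7e(analyze_output):
    """Parse a 0x7E !analyze -v listing and apply the post's triage rules."""
    code_hex = _field(r"^Arg1:\s*([0-9a-fA-F]+),", analyze_output)
    if code_hex is None:
        raise ValueError("no Arg1 line: not a 0x7E !analyze -v listing")
    code = int(code_hex, 16)
    result = {
        "exception_code": code,
        "exception_name": EXCEPTION_NAMES.get(code, "UNKNOWN"),
        "module": _field(r"^MODULE_NAME:\s*(\S+)", analyze_output),
        "image": _field(r"^IMAGE_NAME:\s*(\S+)", analyze_output),
        "io_error": _field(r"^IO_ERROR:\s*\(NTSTATUS\)\s*(0x[0-9a-fA-F]+)", analyze_output),
        # The blamed module is only trustworthy when the exception is not an
        # access violation (memory corruption surfaces elsewhere).
        "module_reliable": code != 0xC0000005,
    }
    if code == 0xC0000005:
        result["next_step"] = ("suspect memory corruption: test memory/disk, enable Driver "
                               "Verifier, review 'lm nt' for outdated drivers")
    elif code == 0xC0000006:
        result["next_step"] = f"I/O error {result['io_error']}: test memory and hard drive"
    else:
        result["next_step"] = f"update, downgrade or replace driver {result['image']}"
    return result


if __name__ == "__main__":
    for dump in (INPAGE_DUMP, ACCESS_VIOLATION_DUMP):
        print(triage_0x7e(dump))
```

Feeding it a real listing (paste the whole !analyze -v output) gives the same result; the regular expressions only look at the Arg1, MODULE_NAME, IMAGE_NAME and IO_ERROR lines, which appear in every 0x7E analysis.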

See Also
Windows Crash Dump Analysis



Thursday, March 8, 2012

Kerberos Password Policies Made Easy

Password policies are typically part of an organization's larger security policy and dictate items such as:
  • Minimum password length
  • Number of character classes
  • Which character classes are used
  • Use of dictionary words
  • Minimum password age
  • Maximum password age
  • Number of invalid password attempts
  • Lockout and duration of lockout
The last two items of the list actually apply to an internal security control known as a clipping level. A clipping level (such as the maximum number of invalid password attempts before an account is locked out) greatly reduces the feasibility of a brute force password attack against a given authentication source because it increases the risk of detection by the user who owns the account and greatly reduces the number of password attempts that can occur during a given period of time.

Here is an example of how clipping levels reduce the number of password attempts in a given period of time. Say the organization only allows 3 invalid password attempts and locks a principal from authenticating for 10 minutes. Assume the attacker can carry out 1000 authentication attempts per minute without the clipping level. To achieve the same 1000 authentication attempts with the clipping level, the account would be locked out for around 3330 minutes (~2.31 days). This results in an average rate of 0.3 authentications per minute. As the length and complexity of a password increase, the number of attempts required increases significantly, to the point that an attacker is effectively forced to use other methods to obtain a password (such as social engineering or key logging). Assuming that the correct preventative and detective controls are in place, an attacker will be forced to try to find another way to compromise a system/network.
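The arithmetic above generalizes into a small policy-sizing model, useful when choosing the -maxfailure and -lockoutduration values shown later in this post. This is an added example, not from the original post or from MIT Kerberos; it assumes a single account is targeted, that guesses are only rate-limited by the lockout itself, and that a random password is found on average after half its keyspace has been tried.

```python
# Added example: how a clipping level (max failures + lockout duration)
# throttles online guessing against one account, using the post's numbers.

def minutes_for_attempts(attempts, max_failures, lockout_minutes, raw_rate_per_minute):
    """Wall-clock minutes needed to make `attempts` guesses against one account.

    Every `max_failures` consecutive failures lock the account for
    `lockout_minutes`; the guesses themselves run at `raw_rate_per_minute`.
    Only lockouts triggered *before* the last guess count.
    """
    if attempts <= 0:
        return 0.0
    guessing_minutes = attempts / raw_rate_per_minute
    lockouts = (attempts - 1) // max_failures
    return guessing_minutes + lockouts * lockout_minutes


def effective_rate_per_minute(max_failures, lockout_minutes, raw_rate_per_minute, attempts=1000):
    """Sustained guesses per minute once the clipping level is in force."""
    return attempts / minutes_for_attempts(attempts, max_failures, lockout_minutes, raw_rate_per_minute)


def expected_days_to_guess(alphabet_size, length, max_failures, lockout_minutes, raw_rate_per_minute):
    """Average days to guess a uniformly random password of this length and alphabet.

    Expected guesses for a uniform random password is half the keyspace
    (assumption stated in the lead-in).
    """
    expected_attempts = alphabet_size ** length / 2
    rate = effective_rate_per_minute(max_failures, lockout_minutes, raw_rate_per_minute)
    return expected_attempts / rate / (60 * 24)


if __name__ == "__main__":
    # The post's scenario: 3 failures, 10 minute lockout, 1000 guesses/minute.
    minutes = minutes_for_attempts(1000, 3, 10, 1000)
    print(f"1000 attempts take {minutes:.0f} minutes ({minutes / 1440:.2f} days)")
    print(f"effective rate: {effective_rate_per_minute(3, 10, 1000):.2f} attempts/minute")
    # Effect of the post's later policy (-minlength 12 -minclasses 2), lowercase+digits.
    print(f"12-char, 36-symbol password: {expected_days_to_guess(36, 12, 3, 10, 1000):.3g} days")
```

The lockout applies to the legitimate owner of the account as well, which is why lockout durations are usually finite (as in the -lockoutduration option) rather than requiring an administrator to unlock every time.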

The two main Kerberos distributions in use, MIT Kerberos V and Microsoft Active Directory, both allow password complexity and clipping levels to be set by policy. Microsoft Active Directory password policies can be set by default in the Default Domain Controllers Group Policy Object (GPO) and can be set in the Local Security Policy administrative tool for workgroup (non-domain) systems. In Active Directory, the default GPO precedence does not allow password policies to be set in the Default Domain Policy GPO and policies defined in the Default Domain Policy GPO will be overwritten.

For MIT Kerberos 5 KDCs, password policies are stored in the Kerberos database (so they are propagated to slave KDCs along with the rest of the database) and are associated with principals. Creating a policy is straightforward using the add_policy (addpol) command in kadmin or kadmin.local.

For older versions of MIT Kerberos (1.6.3 in this example), no account lockout, and therefore no automatic unlock, was implemented; add_policy only knows about password lifetime, length, character classes and history:

kadmin.local:  add_policy
usage; add_policy [options] policy
        options are:
                [-maxlife time] [-minlife time] [-minlength length]
                [-minclasses number] [-history number]


For newer versions (1.10 in this example), lockout is implemented as part of the password policy through the maxfailure, failurecountinterval and lockoutduration options:

kadmin.local:  addpol
usage; add_policy [options] policy
        options are:
                [-maxlife time] [-minlife time] [-minlength length]
                [-minclasses number] [-history number]
                [-maxfailure number] [-failurecountinterval time]
                [-lockoutduration time]
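To see what those three knobs actually buy you, here is an added example (my code, not part of the original post and not MIT code) that models the KDC's lockout decision and counts how many wrong guesses it evaluates for a constructed attacker. The model's behaviour is an assumption, following the documented MIT semantics as I understand them: the failure counter is reset by a successful authentication, by modprinc -unlock, or by a failure that arrives more than failurecountinterval after the previous one; it is not reset merely because lockoutduration has elapsed. The policy values and guessing rates are constructed inputs based on the 3 failures / 10 minute example above.

```python
"""Added example (not from the original post): a model of the MIT Kerberos
lockout policy knobs (-maxfailure, -failurecountinterval, -lockoutduration)
applied to an online password-guessing attacker."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    maxfailure: int             # failures allowed before lockout; 0 = never lock
    failurecountinterval: int   # seconds; 0 = counter resets only on success/admin unlock
    lockoutduration: int        # seconds; 0 = locked until "modprinc -unlock"


def guesses_evaluated(policy: LockoutPolicy, attempt_interval: float,
                      window: float) -> int:
    """Count the wrong guesses the KDC actually checks within `window` seconds
    when the attacker submits one guess every `attempt_interval` seconds.

    Assumed lockout model (after the documented MIT behaviour): the KDC refuses
    to evaluate a password while fail_auth_count >= maxfailure and less than
    lockoutduration has passed since the last failure.  The counter is reset
    only by a success, an admin unlock, or a failure arriving more than
    failurecountinterval after the previous one; NOT by the lockout expiring.
    Times are integer milliseconds to avoid float drift."""
    step = int(round(attempt_interval * 1000))
    end = int(round(window * 1000))
    if step <= 0:
        raise ValueError("attempt_interval must be positive")
    fci = policy.failurecountinterval * 1000
    dur = policy.lockoutduration * 1000

    fail_count, last_failed, evaluated, t = 0, None, 0, 0
    while t < end:
        locked = (policy.maxfailure > 0 and fail_count >= policy.maxfailure
                  and (dur == 0 or t < last_failed + dur))
        if locked:
            if dur == 0:
                break                                   # stays locked until an admin unlocks
            t = -(-(last_failed + dur) // step) * step  # first attempt at/after unlock time
            continue
        if fci and last_failed is not None and t > last_failed + fci:
            fail_count = 0                              # failure-count interval elapsed
        last_failed = t                                 # guess is evaluated and fails
        fail_count += 1
        evaluated += 1
        t += step
    return evaluated


def rate_per_minute(policy: LockoutPolicy, attempt_interval: float, window: float) -> float:
    """Sustained guesses per minute the attacker gets over `window` seconds."""
    return guesses_evaluated(policy, attempt_interval, window) * 60 / window


DAY = 24 * 3600
FAST = 0.06        # one guess every 60 ms = 1000 per minute, the attacker from the post


def scenarios() -> dict:
    """Constructed comparisons around the 3-failure / 10-minute example."""
    return {
        # kadmin's default failurecountinterval is 0: after the first lockout
        # every single failure re-locks the account, so one guess per 10 min
        "no_interval": guesses_evaluated(LockoutPolicy(3, 0, 600), FAST, DAY),
        # an interval shorter than the lockout resets the counter each cycle,
        # giving the 3 guesses per 10 minutes (~0.3/min) assumed in the post
        "short_interval": guesses_evaluated(LockoutPolicy(3, 300, 600), FAST, DAY),
        # a patient attacker pacing guesses just past the interval never locks
        "paced_attacker": guesses_evaluated(LockoutPolicy(3, 300, 600), 301, DAY),
        # lockoutduration 0: locked until an administrator runs modprinc -unlock
        "permanent": guesses_evaluated(LockoutPolicy(3, 0, 0), FAST, DAY),
    }


if __name__ == "__main__":
    for name, n in scenarios().items():
        print(f"{name:16s} {n:5d} guesses evaluated in a day ({n * 60 / DAY:.2f}/min)")
```

Under this model the post's 0.3 guesses per minute only holds when failurecountinterval is shorter than lockoutduration; with the default interval of 0 the sustained rate drops to about 0.1 per minute, while an attacker who paces guesses just beyond the interval is never locked out and is bounded by the interval rather than by maxfailure. Either way the sustained rate is three to four orders of magnitude below the unthrottled 1000 per minute, which is the point of the clipping level.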

By default, no policy is applied when a principal is created:

kadmin.local:  ank burrm
WARNING: no policy specified for burrm@MIKESBLOG.LAN; defaulting to no policy
Enter password for principal "burrm@MIKESBLOG.LAN":
Re-enter password for principal "burrm@MIKESBLOG.LAN":
Principal "burrm@MIKESBLOG.LAN" created.


If you create a policy named "default" then it will be applied to all new principals (but not applied to existing ones):

kadmin.local:  addpol -minlength 12 -minclasses 2 default
kadmin.local:  add_principal burrm2 
NOTICE: no policy specified for burrm2@MIKESBLOG.LAN; assigning "default"
Enter password for principal "burrm2@MIKESBLOG.LAN":
Re-enter password for principal "burrm2@MIKESBLOG.LAN":
Principal "burrm2@MIKESBLOG.LAN" created.
kadmin.local:  getprinc burrm2
Principal: burrm2@MIKESBLOG.LAN
Expiration date: [never]
Last password change: Thu Mar 08 14:24:03 MST 2012
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Mar 08 14:24:03 MST 2012 (burrm/admin@MIKESBLOG.LAN)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: default


The principal created before is not affected by the creation of the new default policy:

kadmin.local:  getprinc burrm
Principal: burrm@MIKESBLOG.LAN
Expiration date: [never]
Last password change: Thu Mar 08 14:09:25 MST 2012
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Mar 08 14:09:25 MST 2012 (burrm/admin@MIKESBLOG.LAN)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]


A dictionary file can be applied globally; it is specified by the dict_file option in the [realms] section of kdc.conf, and dictionary checks are only performed for principals that have a policy assigned. Note that if a principal is created with a policy, the password has to conform to that policy. Also, if a principal  To set a weaker password (sometimes needed by tier 1 staff when a user forgets his or her password), the policy must be cleared with modprinc -clearpolicy before the temporary password can be set. A tier 1 help desk technician could reset a password as follows:

kadmin:  modprinc -clearpolicy burrm2
Principal "burrm2@MIKESBLOG.LAN" modified.
kadmin:  cpw -pw "temp123" burrm2
Password for "burrm2@MIKESBLOG.LAN" changed.
kadmin:  modprinc -policy default -pwexpire yesterday burrm2
Principal "burrm2@MIKESBLOG.LAN" modified.


This clears the policy temporarily, changes the password to something easily communicated, then reinstates the policy and forces the user to change the password at next use. This should probably be wrapped in a helpdesk script, because it is easy for tier 1 staff to forget a step and leave a principal with no policy, or with a known temporary password that never expires. The steps may also be undesirable because the tier 1 principal needs elevated kadmin rights: clearing and reattaching a policy requires the modify ("m") privilege in kadm5.acl, which also lets that principal change any other attribute of the target, whereas a plain password reset only needs the changepw ("c") privilege. If policies are assigned, users and admins will likely encounter the following errors when changing passwords:

Not long enough:

kadmin.local:  cpw burrm2
Enter password for principal "burrm2":
Re-enter password for principal "burrm2":
change_password: Password is too short while changing password for "burrm2@MIKESBLOG.LAN".


Not complex enough:

kadmin.local:  cpw burrm2
Enter password for principal "burrm2":
Re-enter password for principal "burrm2":
change_password: Password does not contain enough character classes while changing password for "burrm2@MIKESBLOG.LAN".


Previously used:

kadmin.local:  cpw burrm2
Enter password for principal "burrm2":
Re-enter password for principal "burrm2":
change_password: Cannot reuse password while changing password for "burrm2@MIKESBLOG.LAN".
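Since the three-step reset procedure above is easy to get wrong by hand, here is an added example of a helpdesk wrapper for it (my code, not from the original post or from MIT Kerberos). It generates a random, phone-friendly temporary password instead of a fixed one, validates the principal name so helpdesk input cannot smuggle extra kadmin commands into the query, feeds the queries to a single kadmin session on stdin so the password never appears in the process list, and fails if kadmin reports an error for any step. The helpdesk principal helpdesk/admin, its keytab path and the policy name default are assumptions for illustration; the helpdesk principal needs the modify and changepw ("mc") privileges on the target principals in kadm5.acl.

```python
"""Added example (not from the original post): scripted helpdesk password
reset for an MIT Kerberos principal, wrapping the clearpolicy / cpw /
reattach-policy sequence."""
import re
import secrets
import string
import subprocess

# Assumptions for illustration: a dedicated helpdesk admin principal with
# "mc" rights in kadm5.acl, its keytab, and the policy to put back afterwards.
HELPDESK_PRINC = "helpdesk/admin@MIKESBLOG.LAN"
HELPDESK_KEYTAB = "/etc/krb5/helpdesk.keytab"
POLICY = "default"

# kadmin reports per-command failures like
#   change_password: Password is too short while changing password for ...
# so look for those prefixes instead of trusting the exit code alone.
KADMIN_ERROR = re.compile(r"^(change_password|modify_principal|kadmin): ", re.M)
PRINCIPAL_RE = re.compile(r"^[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)?(@[A-Za-z0-9.-]+)?$")


def temp_password(length: int = 12) -> str:
    """Random temporary password without characters that are easy to
    misread over the phone (0/O, 1/l/I)."""
    alphabet = [c for c in string.ascii_letters + string.digits if c not in "0O1lI"]
    return "".join(secrets.choice(alphabet) for _ in range(length))


def reset_queries(principal: str, password: str, policy: str = POLICY) -> list:
    """The three kadmin commands, in order, with the inputs validated so they
    cannot be misparsed by kadmin or extended with extra options."""
    if not PRINCIPAL_RE.match(principal):
        raise ValueError(f"unexpected principal name: {principal!r}")
    if not password or any(c in password for c in '"\\\n'):
        raise ValueError("temporary password contains characters kadmin would misparse")
    return [
        f"modprinc -clearpolicy {principal}",           # policy would reject the temp password
        f'cpw -pw "{password}" {principal}',            # set the temporary password
        f"modprinc -policy {policy} -pwexpire yesterday {principal}",  # policy back, change at next use
    ]


def reset_password(principal: str, dry_run: bool = False) -> str:
    """Run the reset through one kadmin session (queries on stdin, so the
    temporary password is not visible in `ps`).  Returns the temporary
    password to read out to the user."""
    password = temp_password()
    script = "\n".join(reset_queries(principal, password)) + "\n"
    cmd = ["kadmin", "-p", HELPDESK_PRINC, "-k", "-t", HELPDESK_KEYTAB]
    if dry_run:
        return password
    proc = subprocess.run(cmd, input=script, capture_output=True, text=True)
    output = proc.stdout + proc.stderr
    if proc.returncode != 0 or KADMIN_ERROR.search(output):
        raise RuntimeError(f"reset of {principal} failed:\n{output}")
    return password


if __name__ == "__main__":
    import sys
    print(reset_password(sys.argv[1], dry_run="--dry-run" in sys.argv))
```

Because the principal name is restricted to the user@REALM shape, a value such as "burrm2 -allow_tix" is rejected before it ever reaches kadmin; the remaining risk is the temporary password itself, which is why it is random, expired immediately and only valid until the user's first login.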


Password policies are simple to set up and are a valuable tool for reducing the risk of compromise by brute force attacks. Use them wisely: faced with overly complex passwords and frequent forced changes, users tend to do insecure things, such as writing passwords on post-it notes, whiteboards and pads of paper, taping them to a monitor, or keeping them in a drawer or under the keyboard. In many ways an overly harsh password policy is worse than no password policy at all, and hurts organizational information security instead of helping it.

See Also,
Deploying a Kerberos KDC in Ubuntu 11.10 or Fedora 15

Monday, March 5, 2012

Cisco Frame Relay Switching Lab: Fully Meshed PVCs

This post is somewhat of a continuation of my previous post that introduced frame relay switching, and is an alternative to my lab that shows switching for partially meshed PVCs. It aims to show the logic behind configuring fully meshed permanent virtual circuits (PVCs) for 4 customer sites using a single provider Frame Relay switch. The lab is built in Dynamips/GNS3 with 5 Cisco c3725 routers using WIC-2T cards.



The Provider Frame Relay Switch Configuration


If you have been following along with the two-site and three-site examples, then this should be fairly straightforward, as we are only increasing the number of PVCs. As the number of PVCs increases, the focus shifts to making sure that DLCIs are translated correctly as frames pass through the provider network (in this case the single switch FRS): every PVC needs a frame-relay route statement in each direction, and the outbound DLCI of one must be the inbound DLCI of the other. A true full mesh requires n(n-1)/2 PVCs, where n is the number of sites, which quickly becomes very expensive for many sites. Most companies settle on a partial mesh topology or a combination of frame relay with other WAN technologies.

! Note: Some output omitted
!
frame-relay switching
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 clock rate 2000000
 frame-relay intf-type dce
 frame-relay route 102 interface Serial0/1 201
 frame-relay route 103 interface Serial0/2 301
 frame-relay route 104 interface Serial0/3 401
!
interface Serial0/1
 no ip address
 encapsulation frame-relay
 clock rate 2000000
 frame-relay intf-type dce
 frame-relay route 201 interface Serial0/0 102
 frame-relay route 203 interface Serial0/2 302
 frame-relay route 204 interface Serial0/3 402
!
interface Serial0/2
 no ip address
 encapsulation frame-relay
 clock rate 2000000
 frame-relay intf-type dce
 frame-relay route 301 interface Serial0/0 103
 frame-relay route 302 interface Serial0/1 203
 frame-relay route 304 interface Serial0/3 403
!
interface Serial0/3
 no ip address
 encapsulation frame-relay
 clock rate 2000000
 frame-relay intf-type dce
 frame-relay route 401 interface Serial0/0 104
 frame-relay route 402 interface Serial0/1 204
 frame-relay route 403 interface Serial0/2 304
!

The Customer Perspective


The customer has an ever-growing number of choices for configuring IP connectivity as the number of sites increases. As presented in the three-site example, the customer needs to choose between point-to-point and multipoint subinterfaces based on how IP addresses are planned and used within the network. Point-to-point subinterfaces require a unique IP network for the two devices at the ends of each PVC, while multipoint subinterfaces allow one IP network to be shared by all of the connected devices. The table below shows how quickly the number of required IP networks grows with the number of sites:

Number of Sites (Full Mesh)   IP Networks, PtP Subinterfaces = n(n-1)/2   IP Networks, MP Subinterfaces
 2                             1                                           1
 3                             3                                           1
 4                             6                                           1
 5                            10                                           1
 6                            15                                           1
 7                            21                                           1
 8                            28                                           1
 9                            36                                           1
10                            45                                           1
11                            55                                           1

Most companies and network engineers still think in terms of classful networks and use class C (/24) networks for simplicity. Since a /24 can only be subnetted into 64 point-to-point (/30) networks, more than one /24 would have to be planned for a full mesh of 12 or more sites (66 PVCs). As the number of sites increases, the value of multipoint subinterfaces becomes far more apparent. Unless routes are being summarized, it is also more desirable from a routing protocol standpoint to use multipoint subinterfaces, because far fewer prefixes have to be carried in routing updates (or maintained as static routes), which limits the memory and processing required. For this reason I will only continue with a discussion of multipoint subinterfaces; see my three-site example for a discussion of point-to-point subinterfaces.

Configuration from the customer perspective is fairly straightforward. For this example, all of the customer edge devices participating in the frame relay network will have IP addresses in the 192.168.1.0/28 range.

CE1 Serial 0/0.1 192.168.1.1
CE2 Serial 0/0.1 192.168.1.2
CE3 Serial 0/0.1 192.168.1.3
CE4 Serial 0/0.1 192.168.1.4

Since we are using multipoint subinterfaces, frame-relay map commands are used to map each next-hop IP address to a DLCI. The LMI messages exchanged between the edge devices and the frame-relay switch carry nothing above layer 2, so a router learns these mappings either dynamically from Inverse ARP (enabled by default on multipoint subinterfaces) or from static maps. Configuring a static map disables Inverse ARP for that protocol on that DLCI, so with the maps below the mappings are deterministic and do not depend on what the far end announces. The relevant configuration sections for each customer edge router are shown below:

CE1

!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 multipoint
 ip address 192.168.1.1 255.255.255.240
 frame-relay map ip 192.168.1.2 102
 frame-relay map ip 192.168.1.3 103
 frame-relay map ip 192.168.1.4 104
 frame-relay interface-dlci 102
 frame-relay interface-dlci 103
 frame-relay interface-dlci 104
!

CE2

!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 multipoint
 ip address 192.168.1.2 255.255.255.240
 frame-relay map ip 192.168.1.1 201
 frame-relay map ip 192.168.1.3 203
 frame-relay map ip 192.168.1.4 204
 frame-relay interface-dlci 201
 frame-relay interface-dlci 203
 frame-relay interface-dlci 204
!

CE3

!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 multipoint
 ip address 192.168.1.3 255.255.255.240
 frame-relay map ip 192.168.1.1 301
 frame-relay map ip 192.168.1.2 302
 frame-relay map ip 192.168.1.4 304
 frame-relay interface-dlci 301
 frame-relay interface-dlci 302
 frame-relay interface-dlci 304
!


CE4

!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 clock rate 2000000
!
interface Serial0/0.1 multipoint
 ip address 192.168.1.4 255.255.255.240
 snmp trap link-status
 frame-relay map ip 192.168.1.1 401
 frame-relay map ip 192.168.1.2 402
 frame-relay map ip 192.168.1.3 403
 frame-relay interface-dlci 401
 frame-relay interface-dlci 402
 frame-relay interface-dlci 403
!

Verification of the above topology uses ICMP echo (ping) between the four CE addresses. Before pinging, show frame-relay pvc on a CE should list each of its three DLCIs as ACTIVE and show frame-relay map should show the three static entries; on FRS, show frame-relay route lists each route with its status. See the note below for enabling broadcast support on the PVCs.

Broadcasts on Frame-Relay Links

The map commands in the configuration snippets above do not forward broadcast or multicast traffic, so protocols that rely on it (RIP updates and EIGRP or OSPF hellos, for example) cannot run over the PVCs. To allow them, the frame-relay map command needs the broadcast keyword; the router then replicates each broadcast or multicast packet onto every DLCI whose map carries the keyword (pseudo-broadcast). Here are examples of modifying the above configurations to allow broadcasts between CE1 and CE2:

CE1(config-subif)#no frame-relay map ip 192.168.1.2 102
CE1(config-subif)#frame-relay map ip 192.168.1.2 102 broadcast

CE2(config-subif)#no frame-relay map ip 192.168.1.1 201
CE2(config-subif)#frame-relay map ip 192.168.1.1 201 broadcast

Now broadcasts can be sent between CE1 and CE2, and protocols that rely on broadcasts or multicasts can run over that PVC; for the whole mesh, the same change is needed on every map on every CE. Note that Cisco Discovery Protocol (CDP) is not supported over multipoint subinterfaces.
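Because the DLCI bookkeeping is where full-mesh configurations go wrong, here is an added example (my code, not from the original post or from Cisco) that generates the provider switch's route table and the customer-side maps for n sites in the style of this lab and cross-checks that every route has a matching reverse route. The lab's conventions are hard-coded as assumptions: DLCI = 100 x local site + remote site, site s connects to Serial0/(s-1) on the switch, and CE s uses Serial0/0.1 multipoint with 192.168.1.s/28. With that DLCI scheme the generator refuses more than 9 sites, since 100 x 10 + 9 would exceed the highest DLCI (1007) that frame-relay route accepts. It goes slightly beyond the post in that the CE maps can be generated with the broadcast keyword discussed above.

```python
"""Added example (not from the original post or from Cisco): generate and
cross-check a full-mesh Frame Relay PVC plan in the style of the lab."""
from itertools import combinations

# Lab conventions, taken as assumptions of this generator:
#   DLCI = 100 * local_site + remote_site
#   site s hangs off Serial0/(s-1) of the provider switch
#   CE s uses Serial0/0.1 multipoint with 192.168.1.s/28
MAX_SITES = 9   # keeps every DLCI at or below 1007, the highest valid value


def dlci(local: int, remote: int) -> int:
    return 100 * local + remote


def switch_port(site: int) -> str:
    return f"Serial0/{site - 1}"


def pvcs(n: int) -> list:
    """Every unordered site pair of a full mesh: n(n-1)/2 PVCs."""
    if not 2 <= n <= MAX_SITES:
        raise ValueError(f"this DLCI scheme supports 2..{MAX_SITES} sites")
    return list(combinations(range(1, n + 1), 2))


def switch_routes(n: int) -> dict:
    """frame-relay route entries per switch interface as
    (in_dlci, out_intf, out_dlci); each PVC yields one entry per direction."""
    routes = {switch_port(s): [] for s in range(1, n + 1)}
    for a, b in pvcs(n):
        routes[switch_port(a)].append((dlci(a, b), switch_port(b), dlci(b, a)))
        routes[switch_port(b)].append((dlci(b, a), switch_port(a), dlci(a, b)))
    return routes


def check_routes(routes: dict) -> list:
    """Translation errors that creep in as the mesh grows: an inbound DLCI
    defined twice on one interface, or a route whose reverse is missing or
    points somewhere else."""
    problems, table = [], {}
    for intf, entries in routes.items():
        for in_dlci, out_intf, out_dlci in entries:
            if (intf, in_dlci) in table:
                problems.append(f"{intf}: inbound DLCI {in_dlci} defined twice")
            table[(intf, in_dlci)] = (out_intf, out_dlci)
    for (intf, in_dlci), (out_intf, out_dlci) in table.items():
        if table.get((out_intf, out_dlci)) != (intf, in_dlci):
            problems.append(f"{intf} DLCI {in_dlci} -> {out_intf} DLCI {out_dlci}: "
                            "no matching reverse route")
    return problems


def switch_config(n: int, clock_rate: int = 2000000) -> str:
    """Provider switch configuration in the same form as the lab's FRS."""
    lines = ["frame-relay switching", "!"]
    for intf, entries in switch_routes(n).items():
        lines += [f"interface {intf}", " no ip address", " encapsulation frame-relay",
                  f" clock rate {clock_rate}", " frame-relay intf-type dce"]
        lines += [f" frame-relay route {i} interface {o} {d}" for i, o, d in entries]
        lines.append("!")
    return "\n".join(lines)


def ce_config(site: int, n: int, broadcast: bool = False) -> str:
    """One customer edge router's multipoint subinterface; `broadcast` adds
    the keyword that lets routing-protocol hellos cross each PVC."""
    pvcs(n)                                   # validates n
    if not 1 <= site <= n:
        raise ValueError("site must be between 1 and n")
    kw = " broadcast" if broadcast else ""
    peers = [p for p in range(1, n + 1) if p != site]
    lines = ["interface Serial0/0", " no ip address", " encapsulation frame-relay", "!",
             "interface Serial0/0.1 multipoint",
             f" ip address 192.168.1.{site} 255.255.255.240"]
    lines += [f" frame-relay map ip 192.168.1.{p} {dlci(site, p)}{kw}" for p in peers]
    lines += [f" frame-relay interface-dlci {dlci(site, p)}" for p in peers]
    lines.append("!")
    return "\n".join(lines)


if __name__ == "__main__":
    n = 4
    print(switch_config(n))
    for s in range(1, n + 1):
        print(f"! CE{s}\n{ce_config(s, n, broadcast=True)}")
    print("! route check:", check_routes(switch_routes(n)) or "ok")
```

For n = 4 the generated switch configuration is line for line the FRS configuration shown above; running check_routes over a hand-edited route table (for example a typo that sends DLCI 201 to Serial0/0 103) reports both the broken route and the orphaned reverse route, which is the kind of mistake that otherwise only shows up as one PVC staying INACTIVE.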

See Also,
Introduction to Frame Relay Switching
Cisco Frame Relay Switching Lab: Partially Meshed PVCs