However, we only want records where there is a duplicate across the first four fields.  To do so we construct a query to join the table “to itself”, and use the ROWID reserved word, as in:

SELECT t1.entity_no
,t1.origination_type
,t1.cif_id
,t1.object_id
,t1.acct_id
,t1.acct_type
,t1.acct_number
FROM add_cycle_accts t1
WHERE ROWID >
     (SELECT MIN(ROWID)
     FROM add_cycle_accts t2
     WHERE t1.entity_no = t2.entity_no
     AND t1.origination_type = t2.origination_type
     AND t1.cif_id = t2.cif_id
     AND t1.object_id = t2.object_id)
AND t1.entity_no = '000100'
ORDER BY t1.cif_id

Notice that the WHERE clause of the inner query creates a join based on the fields we defined as important.  All records with duplicates across those first 4 fields will be returned.

TABLE t1
ENTITY_NO       CHAR(6 BYTE)
ACCT_TYPE       CHAR(4 BYTE) 
ACCT_NUMBER     CHAR(20 BYTE) 
PERIOD_TYPE     CHAR(1 BYTE) 
PERIOD         CHAR(6 BYTE) 
BALANCE_TYPE   CHAR(2 BYTE) 
BALANCE_CODE   CHAR(6 BYTE) 
ENDING_BALANCE NUMBER(16,2) 
INTEREST_RATE   NUMBER(10,6) 
ACCRUAL_DAYS   NUMBER(6,0)    
BASIS           CHAR(2 BYTE)
ACCRUED_AMOUNT NUMBER(16,6) 
ACCRUED_BALANCE NUMBER(16,6)  
ACCRUED_PAID   NUMBER(16,2)

TABLE t2
ENTITY_NO                CHAR(6 BYTE)
ACCT_TYPE                CHAR(4 BYTE)
ACCT_NUMBER              CHAR(20 BYTE)
DESCRIPTION              VARCHAR2(512 BYTE)
COMP_CONSTRUCTION        CHAR(10 BYTE)
STATUS                  CHAR(4 BYTE)

TABLE t3
ENTITY_NO                   CHAR(6 BYTE)
ACCT_TYPE                   CHAR(4 BYTE)
COMP_CONSTRUCTION           CHAR(10 BYTE)
DESCRIPTION                 VARCHAR2(128 BYTE)
INTEREST_FUNCTIONS_ALLOWED CHAR(1 BYTE)

Now that we have the tables defined, we extract our data for a little test.  We want to get all rows from t1 where “accrued_balance > 0″, but we have other exclusions for t1 as well, as shown in the SQL below.  We also have to filter rows from t1 based on only certain fields in other joined tables.  We only want rows where “status < ’0009′” from t2, and “INTEREST_FUNCTIONS_ALLOWED = ’0′” from t3.  So, to get an idea of what we need to look for, we build the following relatively straight-forward query joining the 3 tables and listing the exclusions.

SELECT t1.ACCT_TYPE
,t1.ACCT_NUMBER
,t1.ACCRUED_BALANCE
,t2.DESCRIPTION
,t3.DESCRIPTION
FROM t1
INNER JOIN t2 ON t2.ENTITY_NO = t1.ENTITY_NO
AND t2.ACCT_TYPE = t1.ACCT_TYPE
AND t2.ACCT_NUMBER = t1.ACCT_NUMBER
INNER JOIN t3 ON t3.ENTITY_NO = t2.ENTITY_NO
AND t3.ACCT_TYPE = t2.ACCT_TYPE
AND t3.COMP_CONSTRUCTION = t2.COMP_CONSTRUCTION
WHERE t1.ENTITY_NO = '000100'
AND t1.BALANCE_TYPE = '02'
AND t1.PERIOD_TYPE = '0'
AND t1.PERIOD = '001496'
AND t1.ACCRUED_BALANCE > 0
AND t1.ACCT_TYPE = '0001'
AND t2.STATUS < '0009'
AND t3.INTEREST_FUNCTIONS_ALLOWED = '0'
ORDER BY t1.ACCT_TYPE
,t1.ACCT_NUMBER;

NOTE:  IN THE QUERY ABOVE, T3 IS JOINED TO T2, NOT TO T1.

We have an idea of what we want to select, but the point of this post is to UPDATE one of those fields using the query above as a basis for our selection criteria.  Specifically, we want to set the ”accrued_balance” in t1 to ’0′ based on those selection criteria.  However, we can’t just UPDATE with a JOIN defined.  We have to re-arrange the JOINs to become WHERE EXISTS clauses, as in the following:

UPDATE t1
SET t1.ACCRUED_BALANCE = 0
WHERE EXISTS (SELECT *
     FROM t2
     WHERE EXISTS (SELECT *
          FROM t3
          WHERE t3.ENTITY_NO = t2.ENTITY_NO
          AND t3.ACCT_TYPE = t2.ACCT_TYPE
          AND t3.COMP_CONSTRUCTION = t2.COMP_CONSTRUCTION
          AND t3.INTEREST_FUNCTIONS_ALLOWED = '0'
          )
     AND t2.ENTITY_NO = t1.ENTITY_NO
     AND t2.ACCT_TYPE = t1.ACCT_TYPE
     AND t2.ACCT_NUMBER = t1.ACCT_NUMBER
     AND t2.STATUS < '0009'
     )
AND t1.ENTITY_NO = '000100'
AND t1.BALANCE_TYPE = '02'
AND t1.PERIOD_TYPE = '0'
AND t1.PERIOD = '001496'
AND t1.ACCRUED_BALANCE > 0
AND t1.ACCT_TYPE = '0001';

Note above how the fields used in the JOIN clauses are now used in a WHERE statement of a sub-query.  Also, note that any WHERE statements from the original query that pertain to a specific table have to be moved to the table specific SELECT/WHERE section of the query.  For example, “t3.INTEREST_FUNCTIONS_ALLOWED = 0″ is now in the WHERE statement for the t3 table SELECT.

That’s it.  Of course if you want to SET more than one field to some other value, just add more statements directly after “t1.accrued_balance = 0″.

Now, I haven’t taken the CCNA test yet, but I have completed the book.  Let me say this, the book is not all that bad.  I like the simplified writing, there’s a tear-out “remember me” card and a CD with some practice questions.  Most of the example questions aren’t bad, but some of them are in serious need of a fact-checker and/or an editor who knows what he/she is doing.  To put it simply, the questions and answer choices simply don’t match some of the drawings shown.

Point in fact is the diagram below.  I reproduced it because I hated this question in the book, and I hated it again when it showed up on the CD.  The CD has a “practice” exam mode and a PDF of the entire book (any of you studying for these tests know all about these things; I don’t have to go into detail).  Anyway, I pop in the CD today, install the test software, start my first test, and low-and-behold, the test questions ARE EXACTLY THE SAME AS IN THE BOOK.  Now, I appreciate the PDF, I appreciate the timer in the software to tell me if I’m going too slow, but for crying-out-loud, if you’re going to provide a CD, CAN’T YOU FOLKS PUT IN SOME DIFFERENT QUESTIONS?  Enough of that; on to the diagram.

Ok, I didn’t cut-and-paste from the PDF.  I recreated it in Visio to keep from getting sued.  Trust me, all the information in the book diagram is in the diagram above.  To which we add some configuration information, such as:

RouterA
interface fastethernet 3/1
ip address 172.16.64.1 255.255.252.0
interface serial0/0
ip address 172.16.22.190 255.255.252.0
ip route 172.16.128.0 255.255.252.0 172.16.24.185

RouterB
interface fastethernet 0/0
ip address 172.16.128.1 255.255.252.0
interface serial 0/0
ip address 172.16.24.185 255.255.252.0
ip route 172.16.64.0 255.255.252.0 172.16.22.190

And now, for the question.  “Why are you (at 172.16.64.201) unable to access the website (at 172.16.129.48)?”  From which your choices are:

1. The static route is incorrect on Router A.
2. The serial 0/0 on Router A is on a network different from bri0/0 on Router B.
3. The server is on a network different from fastethernet 0/0 on Router B.
4. The static route on Router B is incorrect.
5. Your computer uses an invalid IP address.

Ok, what’s your answer?  As a studying CCNA I’ll tell you that the static routes on both routers are correct, and. that “your computer” is using a perfectly valid IP address.  So, that leaves questions #2 and 3.  I’ll also tell you that /22 means that there are 4 valid subnets, on boundaries of a multiple of 64, starting at 0 in the 3rd octet.  So, my valid subnet values in the 3rd octet are 0,64,128, and 192, meaning that my Router B and workstatation are on the SAME subnet.  Therefore question #3 is not correct.

That leaves #2.  Now, look closely.  Where on the diagram is the “BRI 0/0″ interface?  Where in the configuration is the “BRI 0/0″ interface?  If I’m scanning through questions on a TIMED EXAM and I see an answer concerning an interface that’s NOT PRESENT ON THE DIAGRAM OR IN THE CONFIGURATION, then my time optimization skills will kick in and eliminate that question right off the bat. 

As you probably know, timed test taking is as much about time management as it is about actual knowledge.  I hope some of you can look at the configuration and easily and timely eliminate questions #3 and #5 as possible answers.  However, most of us have to go through the hassle of figuring out network addresses and subnet masks and valid address ranges, etc.  That takes time.

When I approach this question, as a test-taking strategy, if I can look at the configuration and the diagram and easily see that the static routes are correct, I have just improved my “guessing” odds from 20% to 33% (that is, from 1 in 5 to 1 in 3).  If I can eliminate the question concerning a “phantom” interface, I’ve improved my odds all the way to 50%, and I’ve taken virtually no time at all to do it.  Therefore, all I have to do is concentrate my TIME on questions #3 and #5.  But as it turns out, questions #3 and #5 are both FALSE.  So, now, where do I go?  I eliminated #s 1 and 4 right off the bat looking at the diagram.  I eliminated #2 becasue it’s talking about an interface that’s not anywhere to be seen.  Now, I have gone through the TIME it takes to figure out whether or not #s 3 and 5 are correct and it turns out they are both FALSE as well.

The answer key indicates that serial 0/0 of Router B is on a different network than serial 0/0 of Router A.  So, the answer key has terminology to match the configurations, but the question doesn’t.  That PISSES ME OFF.  If you’re going to write a book expecting people to take TIMED tests based on the knowledge gleaned from the book, MAKE DAMN SURE THE SAMPLE QUESTIONS ARE RIGHT.  And, if you’re going to provide some CD full of stuff, don’t waste my time (or your costs) and make it 100% THE SAME AS THE BOOK (yes, the question is worded incorrectly in the printed version, the PDF version, and on the test-taking application).  Mix it up a little; make it something new and fresh.

From Dennis Miller, “Of course, that’s just my opinion.  I could be wrong.”

• no service config

Of course, having your trusty router go to the network for a confiuration file each time it reboots may be a security issue for you, so it’s normally turned off.  If you want to drop the excessive TFTP hits, turn it off on your systems.

1. Cisco 2511 (TERM-1)- Console port terminal server
2. PDU
3. <blank>
4. Cisco 1841 (RTR-1)
5. Cisco 1841 (RTR-2)
6. Cisco 2960 (SW-1)
7. Cisco 2950 (SW-2)
8. <blank>
9. Cisco 1841 (RTR-3)
10. Cisco 1760 (RTR-4)
11. Cisco 3661 (RTR-6) – 5 units
12. Cisco 3661 (RTR-6) – 5 units
13. Cisco 3661 (RTR-6) – 5 units
14. Cisco 3661 (RTR-6) – 5 units
15. Cisco 3661 (RTR-6) – 5 units

RTR-5 is a Cisco 871 that just sits on the top of the rack.

RTR-1 is an older 1841 that doesn’t have rack mount holes drilled, so I had to purchase a tray type mount.  The tray is larger than 1 unit, so that blank has to be left.  Plus, the PDU is mounted facing the front so it’s easy to turn off and on, and having the blank allows me to route power cables from the back.

SW-2 is more of a center-mount switch and thus sticks out further from the others.  Having a blank below it makes it easier to get to the next device, RTR-3.  That means, when it’s all over with, I have 1 (maybe 2) units available in the rack.  Not much from where I started.

I have routers 1-5 running EIGRP on an “internal” interface, and OSPF on an “external” interface.  All the interfaces currently used are Ethernet, which are run through two different switches, though I could have set up separate VLANs and run it through one.  RTR-6 is still in transit, but it will be the frame relay/WAN when it’s all said and done.

The 2511 was a real treat to configure.  I haven’t worked with 2500 series routers in quite some time.  If any of you don’t know what an AUI adapter is, well, you’re probably a 20 year old snot-nosed kid fresh out of tech school who needs to get some blisters on his/her fingers before being given any real responsibility.  If you DO know what an AUI adapter is, you’re probably an over-the-hill geezer like myself.  In either case, if you purloin a 2509/11 as a terminal server, don’t forget to order the AUI for it.  Oh, and go get an octal console cable as well.  If you’re going for your CCNA and have a home lab, the terminal server is no doubt over-kill.  If you’re looking at one of the mid-tier or higher certifications, save yourself some wear and tear on console ports/cables and go get a terminal server.

NTP works in a hierarchical fashion called a “stratum”.  Devices with a lower stratum are supposed to be closer to “real” time than devices with a higher stratum.  Within your own network, you can probably envision something similar.  Let’s assume you DON’T have an internal clock device and that you have a network similar to the following:

NTP Example

Here we have a nice little corporate network.  Tracing from the outside-in we have an external router, followed by a firewall, followed by a multi-layer switch connecting some servers and an internal router connecting to a private WAN.  We have a few devices that we want to put NTP on, so let’s start with the external router.

Now, depending on the devices used, I’d probably make my firewall the master NTP device in this diagram, but for arguments sake, let’s say it’s the external router.  If I want to make it the NTP master for the rest of my network, I’d start at “config t”:

• clock timezone CST -6 – This is not an NTP command, but it does determine the offset for this device from UTC.  So that my log timestamps show the correct localtime, I’ll include this.   I live in the USA Central timezone, which is 6 hours from UTC.  Pick your timezone accordingly.
• clock summer-time CDT recurring – Again, this is not an NTP command, but it does allow the router to change to daylight savings time on the appropriate day.
• ntp master 10 – With this command, I tell the router to make its internal clock an NTP master.  Then, I tell it to give it a stratum of “10″, which is not very high.  Basically, I want to use my internal clock as a master only in the case one of the other NTP servers (see below) is not available.
• ntp update-calendar – This allows NTP to update the calendar chip on the router.
• ntp source l0 – This optional command tells IOS to set the source IP address of any NTP packets sent equal to the IP address of the Loopback0 interface.  Otherwise, the NTP packet source is equal to the IP address of the interfaces the packet is transmitted through.
• ntp server a.b.c.d – Pick at least 3 different NTP servers from the public NTP server list
• ntp server e.f.g.h
• ntp server w.x.y.z

Now, check to see if the clock on the device is working properly.  The easiest command is “sh clock” which will tell you if the clock is set correctly or not.  To see whether NTP is working or not, you can “sh ntp status” which as I write this looks like:

Clock is synchronized, stratum 2, reference is 64.202.112.75
nominal freq is 250.0000 Hz, actual freq is 250.0195 Hz, precision is 2**24
reference time is CD93111B.B53900A2 (09:30:51.707 CDT Fri Apr 17 2009)
clock offset is 0.0061 msec, root delay is 0.03 msec
root dispersion is 0.02 msec, peer dispersion is 0.00 msec
loopfilter state is ‘CTRL’ (Normal Controlled Loop), drift is -0.000078065 s/s
system poll interval is 64, last update was 314 sec ago.

Notice the very first line above that says “Clock is synchronized”.  That means NTP is working.  Also, note the first line says “stratum 2″ which means my router is now a stratum 2 NTP server, since it is getting its NTP updates from a stratum 1 server.  To get more detail on who I’m synchronizing to, use “sh ntp assoc”, which for me looks like:

#sh ntp assoc

  address         ref clock       st   when   poll reach  delay  offset   disp
 ~127.127.1.1     .LOCL.           9     10     16   377  0.000   0.000  0.256
+~64.73.32.134    64.73.0.9        2      7     64   377  0.000  -0.660  2.904
+~128.138.188.172 .ACTS.           1     33     64   377  0.000 -16.713  1.144
*~64.202.112.75   .CDMA.           1      8     64   377  0.000   6.124  5.401
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

In the output above you can see that my local clock (127.127.1.1) is “configured” but has a stratum of 9, which means it won’t be used unless the others are unavailable.  I have three NTP servers defined from the public list, and one of them (64.73.32.134) is a stratum 2 server, whereas the remaining two are stratum 1 servers.  I am currently getting clock updates from 64.202.112.75 identified by the * in the above output.

So, now we have our external router synchronized with some public time servers, and its’ time is set correctly.  What about the rest of the network?  Back on our diagram, let’s take a look at the configuration on that switch, which will look like:

• clock timezone CST -6 – I still need to set the clock to the correct timezone offset.
• clock summer-time CDT recurring – I also want my switch to update its clock based on daylight savings time.
• ntp server 10.1.240.1 – I simply point my switch to the loopback0 interface of the external router.  Of course, in this network my firewall has to allow the communication.

That’s about it.  Of course, you can develop more complete hierarchies, maybing making the switch in the above diagram a stratum 4 server, the internal WAN router as a stratum 5 getting its updates from the switch, the remote locations on the private WAN link as stratum 6 servers getting updates from the central WAN router and feeding more devices down the chain, etc., etc., etc.  You get the idea.

If you’d like some more reading on NTP direct from Cisco, take a look at this.  Now, go out and get your network device clocks synchronized.

SSH provides for encryption of administrative commands as they are sent to a terminal device (such as a router or switch) and provides for a somewhat rudimentary form of device authentication.  When a client (your PC running an SSH client, such as Putty) connects to a new server (your switch or router) the client receives the hosts’ “fingerprint”, or public key part of a public/private key pair.  The client will store the public key and on subsequent connections compare the stored public key to the public key presented at the next login time.  If the two match, the user is assured that he/she is communicating with the same device as in the initial session.  If the keys don’t match the client is warned that the public key has changed.  The user should proceed with caution.

From the paragraph above it’s obvious that you need to get a public/private key pair in IOS before SSH can be enabled.  However, there are four (4) other prerequisites that have to be met before SSH can be enabled.

1. Your device (switch, router) must be capable of supporting SSH.  For switches, models 1950 and up (2950, 2960, 3550, 3560, 3750, 4xxx, 6500) should be fine.  For routers, any ISR router (870, 1800, 2800, 3800) and most 2600s should be capable.
2. Your IOS must support SSH.  SSH used to be provided in “security” images only, but in newer revisions is being migrated down to virtually all code.
3. You must have a hostname defined, such as hostname RTR-1.
4. You must have a domain name defined, such as ip domain-name jatb.net.

Once these prerequisites are met, you can enable your device for SSH.  To do so, start at “config t”:

• crypto key generate rsa – This command will prompt for a few more items, noticeably a modulus length.  On my 1841, lengths between 360 and 2048 can be chosen.  Keep in mind that some longer lengths may not be supported in all clients.  I normally pick 1024, but have also successfully used 1536.   Once this command is finished, SSH version 1.99 will be enabled on your device.
• ip ssh version 2 – There are some cryptographic security problems with versions of SSH earlier than 2, so be sure you specify version 2.
• line vty 0 15 – After enabling SSH, you’re going to want to apply it to your router/switch vty ports so.  So, once you’re in line configuration mode, execute the following command and test your SSH connection.
• transport input ssh telnet – This command enables both SSH and Telnet to your VTY ports.  Try SSH and once you’re satisfied it works, go back to line configuration mode and execute transport input ssh to limit your connections to only SSH inbound.

There are, of course, other commands to change authentication timeouts and other such nuances you can explore.  This document walks you through a few of them.  To ensure SSH is enabled on a device, type sh ip ssh.  To see if any SSH sessions are in use, use sh ssh.  Once “transport input ssh” is in place on all your devices, you can worry about one less security issue.

Start by creating the ACL that will allow and disallow internal traffic to be NATted.

• ip access-list extended NAT_TRANSLATION_OUT

   remark B02 Loopback to B011 Loopback

   deny   ip host 10.2.249.1 host 10.1.249.1

   remark B02 DATA Only

   permit ip 10.2.3.0 0.0.0.255 any

In the ACL above, we have specifically disallowed traffic between two loopback addresses (10.2.249.1 locally and 10.1.249.1 on the remote end) from participating in NAT.  In situations where you are running a VPN tunnel on the same interface as your external NAT interface (see below), you’ll want to exclude tunneled traffic from NAT.  Further, we have defined only traffic from a specific local subnet (10.2.3.0/24) as being able to be NATted.

After we’ve determined what internal traffic to NAT and what not to, we need to create a route map statement to match the traffic of the ACL.

• route-map NAT_TRANS_RMAP permit 1

   match ip address NAT_TRANSLATION_OUT

Above we have created a route map with a “permit” verb and told it to match any addressing in the ACL we initially defined.  Next, we create the NAT statement.

• ip nat inside source route-map NAT_TRANS_RMAP interface FastEthernet4 overload

Here we have created an “inside” NAT using our route-map as a source and using interface “FastEthernet4″ as an overload.  “Overload” simply means we are going to create multiple outbound NATs all using a single external source address equal to “FastEthernet4″.  More simply, we’re going to use port-address-translation and hide all traffic behind one single “external” address.

Now, all that is well and good, but we still haven’t really started trying to NAT.  We have to apply the statements to the proper  interfaces.

• interface FastEthernet0/0.3

• description PC VLAN

• encapsulation dot1Q 3

• ip address 10.2.3.1 255.255.255.0

• <lines deleted>

• ip nat inside

• <lines deleted>

And, for the external side, we need

• interface FastEthernet0/4

•  description TO ISP

•  ip address w.x.y.z 255.255.255.248

•  <lines deleted>

•  ip nat outside

•  <lines deleted>

That’s it.  Simple inside-to-outside NAT in IOS.  When you need to see if it’s working or not, create a connection from the local subnet that you have allowed, and try to connect to something that should be NATted.  If you’re NATting to an Internet connection, a browser session should do.  When you need to see what’s going on on the router “sh ip nat transl” is your best bet.