100 Frequently Asked Technical Questions About Cisco Networks
**************************************************************************
From: Question 1
Subject: What does ``cisco'' stand for?
cisco is not C.I.S.C.O. but is short for San Francisco, so the story goes. Back in the early
days when the founders Len Bosack and Sandy Lerner and appropriate legal entities were
trying to come up with a name they did many searches for non-similar names, and always
came up with a name which was denied. Eventually someone suggested ``cisco'' and the name wasn't
taken (although SYSCO may be confusingly similar sounding). There was an East Coast
company which later was using the ``CISCO'' name (I think they sold in the IBM
marketplace); they ended up having to not use the CISCO abbreviation. Today many people
spell cisco with a capital ``C'', citing problems in getting the lowercase ``c'' right in
publications, etc. This led to at least one amusing article headlined ``Cisco grows up''. This
winter we will celebrate our 10th year.
[This text was written in July of 1994 -jhawk]
**************************************************************************
From: Question 2
Subject: How do I save the configuration of a cisco?
If you have a tftp server available, you can create a file on the server for your router to write
to, and then use the write network command. From a typical unix system:
mytftpserver$ touch /var/spool/tftpboot/myconfig
mytftpserver$ chmod a+w /var/spool/tftpboot/myconfig
You need to tell your cisco to use the same link-level protocol as the other router; by
default, ciscos use a rather bare variant of HDLC (High-level Data Link Control), which all
link-level protocols use at some level/layer or another. To make your cisco operate with most
other routers, you need to change the encapsulation from HDLC to PPP on the
relevant interfaces. For instance:
sewer-cgs#conf t
Enter configuration commands, one per line.
Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z
interface serial 1
encapsulation ppp
^Z
sewer-cgs#sh int s 1
If you're still having trouble, you might wish to turn on serial interface debugging:
sewer-cgs#ter mon
sewer-cgs#debug serial-interface
**************************************************************************
From: Question 4
Subject: How can I get my cisco to talk to a 3rd-party router over Frame Relay?
You should tell your cisco to use ``encapsulation frame-relay ietf'' (instead of
``encapsulation frame-relay'') on your serial interface that's running frame relay if your
frame relay network contains a diverse set of manufacturers' routers. The keyword ``ietf''
specifies that your cisco will use RFC1294-compliant encapsulation, rather than the default,
RFC1490-compliant encapsulation (other products, notably Novell MPR 2.11, use a practice
sanctioned by 1294 but deemed verboten by 1490, namely padding of the NLPID). If only a
few routers in your frame relay cloud require this, then you can use the default
encapsulation on everything and specify the exceptions with the frame-relay map command:
**************************************************************************
From: Question 5
Subject: How can I use debugging?
The ``terminal monitor'' command directs your cisco to send debugging output to the
current session. It's necessary to turn this on each time you telnet to your router to view
debugging information. After that, you must specify the specific types of debugging you
wish to turn on; please note that these stay on or off until changed, or until the router
reboots, so remember to turn them off when you're done.
Debugging messages are also logged to a host if you have trap logging enabled on your
cisco. You can check this like so:
sl-panix-1>sh logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 66 messages logged
Monitor logging: level debugging, 0 messages logged
If you have syslog going to a host somewhere and you then set about a nice long debug
session from a terminal, your box is doing double work and sending every debug message to
your syslog server. Additionally, if you turn on something that provides copious debugging
output, be careful that you don't overflow your disk (``debug ip-rip'' is notorious for this).
One solution to this is to only log severity ``info'' and higher:
sl-panix-1#conf t
The other solution is to just be careful and remember to turn off debugging. This is easy
enough with:
sl-panix-1#undebug all
If you have a heavily loaded box, you should be aware that debugging can load your router.
The console has a higher priority than a vty so don't debug from the console; instead,
disable console logging:
cix-west.cix.net#conf t
Enter configuration commands, one per line. End with CNTL/Z.
no logging console
Then always debug from a vty. If the box is busy and you are a little too vigorous with
debugging and the box is starting to sink, quickly run, don't walk to your console and kill
the session on the vty. If you are on the console your debugging has top priority and then
the only way out is the power switch. This of course makes remote debugging a real sweaty-
palms adventure, especially on a crowded box.
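As an added example (written for this page, not part of the FAQ), the following Python models what a syslog host receives once the trap level is set to ``informational'': tagged system messages carry their severity in the %FACILITY-SEVERITY-MNEMONIC prefix, while raw ``debug'' output has no tag and is treated as severity 7, so it is the first thing a ``logging trap informational'' setting stops sending. The sample lines are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# IOS logging levels, the names used by 'logging trap <level>' and shown by 'sh logging'.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Tagged system messages look like %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")


def severity_of(line: str) -> int:
    """Severity digit of a tagged message; untagged lines (raw debug output) count as debugging."""
    m = MSG_RE.search(line)
    return int(m.group("severity")) if m else LEVELS["debugging"]


def trap_filter(lines: List[str], trap: str = "informational") -> Tuple[List[str], Dict[int, int]]:
    """Lines a syslog host receives under 'logging trap <trap>', plus dropped-line counts by severity."""
    limit = LEVELS[trap]
    kept, dropped = [], Counter()
    for line in lines:
        sev = severity_of(line)
        if sev <= limit:            # lower number = more severe; keep everything at or above the trap level
            kept.append(line)
        else:
            dropped[sev] += 1
    return kept, dict(dropped)


# Constructed sample: three system messages plus two lines of 'debug ip rip' style output.
SAMPLE = [
    "%SYS-5-CONFIG_I: Configured from console by vty0 (172.30.1.9)",
    "RIP: received v1 update from 10.0.0.2 on Ethernet0",
    "RIP: sending v1 update to 255.255.255.255 via Ethernet0 (10.0.0.1)",
    "%LINK-3-UPDOWN: Interface Serial1, changed state to down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to down",
]

if __name__ == "__main__":
    kept, dropped = trap_filter(SAMPLE, "informational")
    print(f"sent to syslog host: {len(kept)} lines; dropped by severity: {dropped}")
```

With the trap level left at ``debugging'' every RIP line would also cross the network to the syslog host, which is the double work the text warns about.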
**************************************************************************
From: Question 6
Subject: How do I avoid the annoying DNS lookup if I have misspelled a command?
no ip domain-lookup
**************************************************************************
From: Question 7
Subject: How to use access lists
In general, Basic access lists are executed as filters on outgoing interfaces. Newer releases
of the cisco code, such as 9.21 and 10, do have increased ability to filter on incoming ports.
Certain special cases, such as broadcasts and bridged traffic, can be filtered on incoming
interfaces in earlier releases. There are also special cases involving console access.
Rules, written as ACCESS-LIST statements, are global for the entire cisco box; they are
activated on individual outgoing interfaces by ACCESS-GROUP subcommands of the
INTERFACE major command. Filters are applied after traffic has entered on an incoming
interface and gone through a routing process; traffic that originates in a router (e.g., telnets
from the console port) is not subject to
filtering.
[Diagram: access lists are global to the box; traffic enters on an incoming interface, goes through routing, and is then filtered by the access-group applied to the outgoing interface.]
Some types of ``filter,'' using ``filter'' as a broader class than ACCESS-LIST, can operate on
incoming traffic. For example, the INPUT- SAP-FILTER used for Novell networks is
applied to Service Advertisement Packets (SAP) seen at incoming interfaces. In general,
incoming filtering can only be done for ``system'' rather than user traffic.
Remember that Internet applications flow from client port to server port. Denying traffic
from port 23, for example, blocks flow from the client to the server.
[Diagram: host A sends to host B through the router, entering on interface 1 and leaving on interface 2; B's replies enter on interface 2 and leave on interface 1.]
**************************************************************************
From: Question 8
Subject: The cisco boot process
What really happens when a cisco router boots, from boot start to live interfaces?
First it boots the ROM os version. It reads the config. Now, it realizes that you want to
netboot. It loads the netbooted copy in on top of itself. It then re-initializes the box and rereads the config. Manly, yes, but we like it too....
[[ Ummm... in particular it loads the netbooted copy in as WELL as itself, decompresses it,
if necessary, and THEN loads on top of itself. Note that this is important because it tells
you what the memory requirements are for netbooting: RAM for ROM image (if it's a run
from RAM image), plus dynamic data structures, plus RAM for netbooted image. ]]
Load the OS from ROM. If a name is given, tell that image to start silently and then load a
new image. If the boot system command is given, then start silently and load a new image.
powercycle
Does some delay stuff to let the power settle. Goto I.
reload (from the EXEC)
Goto I.
**************************************************************************
From: Question 09
Many admins are concerned about unauthorized access to their routers from malicious
people on the Internet; one way to prevent this is to restrict access to your router on the
basis of IP address.
Many people do this, however it should be noted that a significant number of network
service providers allow unrestricted access to their routers to allow others to debug,
examine routes, etc. If you're comfortable doing this, so much the better, and we thank you!
If you wish to restrict access to your router, select a free IP access list (numbered from 1-100) -- enter ``sh access-list'' to see those numbers in use.
yourrouter#sh access-list
Standard IP access list 5
permit 192.94.207.0, wildcard bits 0.0.0.255
Next, enter the IP addresses you wish to allow access to your router from; remember that
access lists contain an implicit "deny everything" at the end, so there is no need to include
that. In this case, 30 is free:
yourrouter#conf t
Enter configuration commands, one per line. End with CNTL/Z.
yourrouter(config)#access-list 30 permit 172.30.0.0 0.0.255.255
yourrouter(config)#^Z
(This permits all IP addresses in the network 172.30.0.0, i.e. 172.30.*.*). Enter multiple lines
for multiple addresses; be sure that you don't restrict the address you may be telnetting to
Next, examine the output of ``sh line'' for all the vty's (Virtual ttys) that you wish to apply
the access list to. In this example, I want lines 2 through 12:
yourrouter#sh line
 Tty Typ     Tx/Rx     A   Uses    Noise  Overruns
   0 CTY               -      0        0       0/0
   1 AUX   9600/9600   -      1  3287605       0/0
*  2 VTY   9600/9600   -     55        0       0/0
   3 VTY   9600/9600   -      0        0       0/0
   4 VTY   9600/9600   -      0        0       0/0
   5 VTY   9600/9600   -      0        0       0/0
   6 VTY   9600/9600   -      0        0       0/0
   7 VTY   9600/9600   -      0        0       0/0
   8 VTY   9600/9600   -      0        0       0/0
   9 VTY   9600/9600   -      0        0       0/0
  10 VTY   9600/9600   -      0        0       0/0
  11 VTY   9600/9600   -      0        0       0/0
  12 VTY   9600/9600   -      0        0       0/0
yourrouter#conf t
Enter configuration commands, one per line. End with CNTL/Z.
yourrouter(config)#line 2 12
yourrouter(config-line)# access-class 30 in
yourrouter(config-line)# ^Z
(This applies access list 30 to lines 2 through 12.) It's important to restrict access to the aux
port (line 1) if you have a device (such as a CSU/DSU) plugged into it.
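Here is an added worked example, written for this page rather than taken from the FAQ, that models in Python how a standard IP access list is evaluated: the wildcard marks the address bits that are ignored, entries are tried in order and the first match wins, and an implicit ``deny everything'' closes every list (the point made in Question 7 and again here). It parses the ``access-list 5'' and ``access-list 30'' lines shown above, adds a constructed list 31 to show that a wildcard is not a subnet mask, and applies a list the way ``access-class 30 in'' does on the vty lines. The helper names (``vty_login_allowed'', ``free_acl_numbers'') are invented for the example; 1-99 is the standard IOS range for numbered standard IP lists.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    network: int     # the address the entry was written with, as a 32-bit int
    wildcard: int    # wildcard bits: a 1 bit means "don't care"


def parse_standard_acl(config_lines) -> Dict[int, List[AclEntry]]:
    """Collect 'access-list N permit|deny ADDR [WILDCARD]' lines into lists keyed by number."""
    acls: Dict[int, List[AclEntry]] = {}
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, addr = int(parts[1]), parts[2], parts[3]
        wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"   # a bare address means exact match
        if addr == "any":
            addr, wildcard = "0.0.0.0", "255.255.255.255"
        acls.setdefault(number, []).append(
            AclEntry(action, int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))))
    return acls


def entry_matches(entry: AclEntry, address: str) -> bool:
    """Compare only the bits that are 0 in the wildcard; bits set to 1 are ignored."""
    care = ~entry.wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care) == (entry.network & care)


def evaluate(acl: List[AclEntry], address: str) -> str:
    """First matching entry wins; the implicit 'deny everything' applies when nothing matches."""
    for entry in acl:
        if entry_matches(entry, address):
            return entry.action
    return "deny"


def vty_login_allowed(acls, access_class: int, source: str) -> bool:
    """'access-class N in' on the vty lines: is a telnet from `source` accepted?"""
    return evaluate(acls.get(access_class, []), source) == "permit"


def free_acl_numbers(acls, low=1, high=99):
    """Standard IP access-list numbers in [low, high] not yet used (what 'sh access-list' tells you)."""
    return [n for n in range(low, high + 1) if n not in acls]


# Constructed configuration: lists 5 and 30 are the ones shown above; list 31 is added
# here to show first-match ordering with a non-contiguous wildcard (0.0.0.254 ignores
# every bit of the last octet except the lowest, so it matches even-numbered hosts only).
CONFIG = """
access-list 5 permit 192.94.207.0 0.0.0.255
access-list 30 permit 172.30.0.0 0.0.255.255
access-list 31 deny 10.1.1.0 0.0.0.254
access-list 31 permit 10.1.1.0 0.0.0.255
""".strip().splitlines()

ACLS = parse_standard_acl(CONFIG)

if __name__ == "__main__":
    for src in ("172.30.9.9", "172.31.0.1"):
        print(src, "->", "accepted" if vty_login_allowed(ACLS, 30, src) else "refused")
    print("lowest free list numbers:", free_acl_numbers(ACLS)[:3])
```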
Source routing is an IP option which allows the originator of a packet to specify what path
that packet will take, and what path return packets sent back to the originator will take.
Source routing is useful when the default route that a connection will take fails or is
suboptimal for some reason, or for network diagnostic purposes. For more information on
source routing, see RFC791.
Unfortunately, source routing is often abused by malicious users on the Internet (and
elsewhere), and used to make a machine (A), think it is talking to a different machine (B),
when it is really talking to a third machine (C). This means that C has control over B's ip
address for some purposes.
The proper way to fix this is to configure machine A to ignore source-routed packets where
appropriate. This can be done for most unix variants by installing a package such as Wietse
Venema's (<wietse@wzv.win.tue.nl>) tcp_wrapper:
ftp://cert.org:pub/tools/tcp_wrappers
For some operating systems, a kernel patch is required to make this work correctly (notably
SunOS 4.1.3). Also, there is an unofficial kernel patch available for SunOS 4.1.3 which
turns all source routing off; I'm not sure where this is available, but I believe it was posted
to the firewalls list by Brad Powell sometime in mid-1994.
If disabling source routing on all your clients is not possible, a last resort is to disable it at
your router. This will make you unable to use ``traceroute -g'' or ``telnet
@hostname1:hostname2'', both of which use LSRR (Loose Source Record Route, 2 IP
options, the first of which is a type of source routing), but may be necessary for some. If so,
you can do this with
foo-e-0#conf t
Enter configuration commands, one per line. End with CNTL/Z.
foo-e-0(config)#no ip source-route
foo-e-0(config)#^Z
It is somewhat unfortunate that you cannot be selective about this; it disables all forwarding
of source-routed packets through the router, for all interfaces, as well as source-routed
packets to the router (the last is unfortunate for the purposes of ``traceroute -g'').
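As an added example (not from the FAQ), the following Python recognises the LSRR and SSRR options in an IPv4 header, which is what a host that wants to ignore source-routed packets, or a monitoring point that wants to log them, has to do. Option types 131 (LSRR) and 137 (SSRR) are the values from RFC 791; the packet builders below are constructed for the example and only assemble headers in memory, nothing is sent.

```python
import socket
import struct

# IPv4 option types from RFC 791: End of List, No-op, Loose and Strict Source and Record Route.
OPT_EOL, OPT_NOP, OPT_LSRR, OPT_SSRR = 0, 1, 131, 137


def ipv4_options(packet: bytes):
    """Yield (option_type, option_data) for each option carried in an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the fixed IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL or truncated header")
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option length byte missing")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length runs past the header")
        yield kind, opts[i + 2:i + length]
        i += length


def source_route(packet: bytes):
    """Return ('loose'|'strict', [hops]) if the header carries LSRR/SSRR, else None."""
    for kind, data in ipv4_options(packet):
        if kind in (OPT_LSRR, OPT_SSRR):
            # data[0] is the pointer into the route; the rest is a list of 4-byte addresses
            if len(data) < 1 or (len(data) - 1) % 4:
                raise ValueError("malformed source-route option")
            hops = [socket.inet_ntoa(data[j:j + 4]) for j in range(1, len(data), 4)]
            return ("loose" if kind == OPT_LSRR else "strict", hops)
    return None


def is_malformed(packet: bytes) -> bool:
    """True if the option area cannot be parsed at all (a receiver should just drop it)."""
    try:
        list(ipv4_options(packet))
        return False
    except ValueError:
        return True


# --- constructed test packets, assembled in memory only --------------------

def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Minimal IPv4 header (no payload) with the given options, padded to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0, 64,
                         socket.IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + options


def source_route_option(kind: int, hops) -> bytes:
    """Encode an LSRR/SSRR option: type, length, pointer (4 = first hop), then the hop list."""
    route = b"".join(socket.inet_aton(h) for h in hops)
    return bytes([kind, 3 + len(route), 4]) + route


PLAIN = build_ipv4("192.0.2.10", "198.51.100.5")
LOOSE = build_ipv4("192.0.2.10", "198.51.100.5",
                   bytes([OPT_NOP]) + source_route_option(OPT_LSRR, ["203.0.113.1", "198.51.100.5"]))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("loose", LOOSE)):
        print(name, "->", source_route(pkt) or "no source route option")
```

A ``no ip source-route'' router applies the same test to every forwarded packet and drops on a match; the host-side check here is what lets you be selective, which the router cannot be.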
**************************************************************************
From: Question 11
Subject: Is there a block of private IP addresses I can use?
In any event, RFC 1918 documents the allocation of the following addresses for use by
``private internets'':
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Most importantly, it is vital that nothing using these addresses should ever connect to the
global Internet, or have plans to do so. Please read the above RFCs before considering
implementing such a policy.
With the increasing popularity and reliability of address translation gateways, this practice
is becoming more widely accepted. Cisco has acquired Network Translation, who
manufacture such a product. It is now available as the Cisco Private Internet Exchange.
With it, you can use any addressing you want on your private internet, and the gateway will
ensure that the invalid addresses are converted before making out onto the global Internet.
It also makes a good firewall. Information on this product is available at
http://www.cisco.com/warp/public/751/pix/index.html
**************************************************************************
From: Question 12
Subject: How do I interpret the output of ``show version''?
prospect-gw.near.net>sh version
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GS7), Experimental Version 10.2(11829) [pst 113]
EXCEPT: 9.14, 9.17, and 9.1 are all somewhat similar. 9.1 is
the base, 9.14 adds special features for low end systems, 9.17
added special features specific to the high end (cisco-7000). This
was an experiment that we are trying not to repeat.
release: increments (1 2 3 4 ...) for each maintenance release of released
software. Increments for every compile in some other places.
interim: increments on every build of the "release tree", which happens
weekly for each release, but is only made into a generically
shipping maintenance release every 7 to 8 weeks or so.
[who]: who built it. Has "fc 1" or similar for released software.
has something like [billw 101] for test software built Bill
Westfield (billw@cisco.com).
Desc: additional description.
The idea is that the image name and version number UNIQUELY identify
a set of sources and debugging information somewhere back at cisco,
should anything go wrong.
How long the router has been up, and why it restarted.
Type of processor.
Hardware configuration.
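As an added example (not part of the FAQ), here is a small Python parser for the version line of ``show version'' that pulls out the fields described above: the image name and tag, the optional description such as ``Experimental'', major.minor, the number in parentheses (``release''), and the bracketed builder and number. The released-software form with ``RELEASE SOFTWARE (fcN)'' is a constructed second sample; whether the bracketed number corresponds to the ``interim'' counter described above is not stated on the page, so the parser just calls it ``build''.

```python
import re
from typing import Any, Dict, Optional

# Two shapes of the version line as they appear in 'show version' output:
#   <image> Software (<tag>), Experimental Version 10.2(11829) [pst 113]     (test build)
#   <image> Software (<tag>), Version 11.2(18), RELEASE SOFTWARE (fc1)       (released build; constructed)
VERSION_RE = re.compile(
    r"(?P<image>[\w-]+) Software \((?P<tag>[^)]+)\),\s*"
    r"(?P<desc>[A-Za-z ]*?)\s*Version (?P<major>\d+)\.(?P<minor>\d+)\((?P<release>\d+)\)"
    r"(?:\s*\[(?P<who>[A-Za-z]+)\s*(?P<build>\d+)\])?"
    r"(?:,\s*RELEASE SOFTWARE\s*\((?P<fc>fc\s?\d+)\))?"
)


def parse_version(line: str) -> Optional[Dict[str, Any]]:
    """Split one 'show version' version line into its fields; None if the line is not one."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    desc = m.group("desc").strip()
    return {
        "image": m.group("image"),
        "tag": m.group("tag"),
        "desc": desc,
        "major": int(m.group("major")),
        "minor": int(m.group("minor")),
        "release": int(m.group("release")),
        "who": m.group("who"),                               # builder login, or 'fc' on older released code
        "build": int(m.group("build")) if m.group("build") else None,
        "fc": (m.group("fc") or "").replace(" ", "") or None,
        "experimental": desc.lower() == "experimental",
    }


def is_released(info: Dict[str, Any]) -> bool:
    """Released maintenance software carries 'fc N' rather than a builder's login."""
    return info["fc"] is not None or info["who"] == "fc"


def build_key(info: Dict[str, Any]):
    """The tuple that identifies one particular build (the 'unique set of sources' idea above)."""
    return (info["tag"], info["major"], info["minor"], info["release"],
            info["who"] or info["fc"], info["build"])


SAMPLE = "IOS (tm) GS Software (GS7), Experimental Version 10.2(11829) [pst 113]"

if __name__ == "__main__":
    info = parse_version(SAMPLE)
    print(info)
    print("released:", is_released(info), "key:", build_key(info))
```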
**************************************************************************
From: Question 13
Subject: When are static routes redistributed?
In the simple case, any static route *in the routing table* is redistributed if the ``redistribute
static'' command is used, and some filter (set with either ``route-map'' or ``distribute-list
out'') doesn't filter it out.
Whether the static route gets into the routing table depends on whether the next hop
address is reachable (if the static route points to a next hop) or whether the interface is
up (if the static route points to an interface).
If one of these is true, an attempt is made to add the route to the routing table; whether that
succeeds depends on the administrative distance of the route -- a lower administrative
distance (the route is "closer") than a preexisting route will cause the preexisting route to be
overwritten.
**************************************************************************
From: Question 14
Subject: When is the next hop of a route considered ``reachable''?
When a static route is added, or during an important event (eg: interface up/down
transition), the next hop for a route is looked up from the routing table (i.e. recursive
routing). As a consequence, if a route which is depended upon for evaluation of the next hop
of a static route goes away, a mechanism is required to remove that (now-invalid) static
route. Scanning all static routes each time the routing table changes is too expensive, so
instead, a periodic timer is used. Once a minute, static routes are added and removed from the
routing table based on the routes they depend upon. It should be noted that a particular static
route will be reevaluated when its interface transitions up or down.
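The following Python is an added model, not cisco code, of the behaviour described in Questions 13 and 14 together: connected routes appear when an interface is up, a static route is installed only when its next hop resolves through the routing table (recursive lookup) or its interface is up, a lower administrative distance overwrites an existing route for the same prefix, the periodic scan withdraws statics whose dependency has gone, and ``redistribute static'' only ever sees statics that are actually in the table, after an optional ``distribute-list out'' style filter. Interface names, prefixes and the ``rip'' route are constructed for the example; the ``Router'' class and its methods are invented here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    distance: int                     # administrative distance: lower is preferred
    next_hop: Optional[ipaddress.IPv4Address] = None
    interface: Optional[str] = None
    source: str = "static"


class Router:
    """Routing table with connected routes, statics that depend on them, and AD-based install."""

    def __init__(self):
        self.interfaces: Dict[str, list] = {}     # name -> [network, up?]
        self.statics: List[Route] = []            # every configured 'ip route ...'
        self.table: Dict[ipaddress.IPv4Network, Route] = {}

    def add_interface(self, name: str, prefix: str, up: bool = True):
        self.interfaces[name] = [ipaddress.ip_network(prefix), up]
        self.reevaluate()

    def set_interface(self, name: str, up: bool):
        """An up/down transition is one of the events that triggers re-evaluation."""
        self.interfaces[name][1] = up
        self.reevaluate()

    def add_static(self, prefix: str, next_hop: str = None, interface: str = None, distance: int = 1):
        self.statics.append(Route(ipaddress.ip_network(prefix), distance,
                                  ipaddress.ip_address(next_hop) if next_hop else None, interface))
        self.reevaluate()

    def add_dynamic(self, prefix: str, distance: int, next_hop: str, source: str) -> bool:
        """A route learned from a protocol; installed only if its AD beats what is already there."""
        return self._install(Route(ipaddress.ip_network(prefix), distance,
                                   ipaddress.ip_address(next_hop), None, source))

    def lookup(self, address, exclude: Route = None) -> Optional[Route]:
        """Longest-prefix match over installed routes; used for recursive next-hop resolution."""
        addr = ipaddress.ip_address(address)
        best = None
        for route in self.table.values():
            if route is not exclude and addr in route.prefix and \
                    (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
                best = route
        return best

    def _install(self, route: Route) -> bool:
        current = self.table.get(route.prefix)
        if current is None or route.distance < current.distance:
            self.table[route.prefix] = route      # the "closer" route overwrites the existing one
            return True
        return False

    def _reachable(self, static: Route) -> bool:
        if static.interface is not None:
            return self.interfaces.get(static.interface, [None, False])[1]
        return self.lookup(static.next_hop, exclude=static) is not None

    def reevaluate(self):
        """The once-a-minute scan (also run on interface transitions here, for simplicity)."""
        for name, (net, up) in self.interfaces.items():
            current = self.table.get(net)
            if up:
                self._install(Route(net, 0, None, name, "connected"))
            elif current is not None and current.source == "connected" and current.interface == name:
                del self.table[net]
        changed = True
        while changed:                 # repeat until stable, so chained dependencies settle
            changed = False
            for static in self.statics:
                installed = self.table.get(static.prefix) is static
                if self._reachable(static) and not installed:
                    changed |= self._install(static)
                elif not self._reachable(static) and installed:
                    del self.table[static.prefix]
                    changed = True

    def has_route(self, prefix: str) -> bool:
        return ipaddress.ip_network(prefix) in self.table

    def route_source(self, prefix: str) -> Optional[str]:
        route = self.table.get(ipaddress.ip_network(prefix))
        return route.source if route else None

    def redistribute_static(self, distribute_list: Optional[Callable[[Route], bool]] = None) -> List[str]:
        """What 'redistribute static' hands to a protocol: installed statics that pass the filter."""
        return [str(r.prefix) for r in self.table.values()
                if r.source == "static" and (distribute_list is None or distribute_list(r))]


if __name__ == "__main__":
    r = Router()
    r.add_interface("Ethernet0", "10.1.0.0/24")
    r.add_interface("Serial0", "192.0.2.0/30")
    r.add_static("172.16.0.0/16", next_hop="192.0.2.2")     # resolves via the Serial0 connected route
    print("redistributed:", r.redistribute_static())
    r.set_interface("Serial0", up=False)                   # next hop no longer resolves
    print("after Serial0 down:", r.redistribute_static())
```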
*************************************************************************
From: Question 15
Subject: How do name and phone number of ``dialer map'' interfere?
We use the telephone number first actually. If the caller id matches the telephone number to
call, then you don't need the 'name' parameter with a phone number. I realized that the
above is ambiguous, so let's do this. You have:
dialer map ip x.x.x.x name <param1> <phone-num>
<param1> is used for incoming authentication. It can be either the hostname, for PAP and
CHAP, or it can be a number as returned by caller id. If this is not there, and it is an
incoming call, and there is caller id, we will compare against <phone-num> to see if that
matches.
**************************************************************************
From: Question 16
Subject: What's the purpose of the network command?
>* what is the real purpose of the network subcommand of
> router commands? When do I not want to include a network
> I know about?
The real purpose of the 'network' sub-command of the router commands is to indicate what
networks that this router is connected to are to be advertised in the indicated routing
protocol or protocol domain. For example, if OSPF and EIGRP are configured, some
subnets may be advertised in one and some in the other. The network command enables one
to do this.
An example of such a case is a secure subnet. Imagine the case where a set of subnets are
permitted to communicate within a campus, but one of the buildings is intended to be
inaccessible from the outside. By placing the secure subnet in its own network number and
not advertising the number, the subnet is enabled to communicate with other subnets on the
same router, but is unreachable from any other router, barring static routes. This can be
extended by using a different routing protocol or routing protocol domain for the secure
network; subnets on the various routers within the secure domain are mutually reachable,
and routes from the non-secure domain may be leaked into the secure domain, but the
secure domain is invisible to the outside world.
**************************************************************************
From: Question 17
Subject: What is VLSM?
Historically, EGP depended on the IP address class definitions, and actually exchanged
network numbers (8, 16, or 24 bit fields) rather than IP addresses (32 bit numbers); RIP and
IGRP exchanged network and subnet numbers in 32 bit fields, the distinction between
network number, subnet number, and host number being a matter of convention and not
exchanged in the routing protocols. More recent protocols (see VLSM) carry either a prefix
length (number of contiguous bits in the address) or subnet mask with each address,
indicating what portion of the 32 bit field is the address being routed on.
A simple example of a network using variable length subnet masks is found in Cisco
engineering. There are several switches in the engineering buildings, configured with FDDI
and Ethernet interfaces and numbered in order to support 62 hosts on each switched subnet;
in actuality, perhaps 15-30 hosts (printers, workstations, disk servers) are physically
attached to each. However, many engineers also have ISDN or Frame Relay links to home,
and a small subnet there. These home offices typically have a router or two and an X
terminal or workstation; they may have a PC or Macintosh as well. As such, they are usually
configured to support 6 hosts, and a few are configured for 14. The point to point links are
generally unnumbered.
Using "one size fits all" addressing schemes, such as are found in RIP or IGRP, the home
offices would have to be configured to support 62 hosts each; using numbers on the point to
point links would further compound the address bloat.
One configures the router for Variable Length Subnet Masking by configuring the router to
use a protocol (such as OSPF or EIGRP) that supports this, and configuring the subnet
masks of the various interfaces in the 'ip address' interface sub-command. To use supernets,
one must further
configure the use of 'ip classless' routes.
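As an added example (not from the FAQ), the following Python carves one block into variable-length subnets sized to each demand, using the sizes from the description above (62-host switched subnets, 6- and 14-host home offices), and compares the address cost with a ``one size fits all'' scheme where every subnet must be sized for the largest. The demand list and the 10.0.0.0/23 block are constructed; the allocation is a plain best-fit over a free list, which is the general case of which the engineering example is one instance.

```python
import ipaddress
import math
from typing import Dict, List, Tuple


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose subnet holds `hosts` addresses plus the network and broadcast addresses."""
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - host_bits


def allocate_vlsm(block: str, demands: List[Tuple[str, int]]) -> Dict[str, ipaddress.IPv4Network]:
    """Carve `block` into right-sized subnets, largest demand first, best fit from the free list."""
    free = [ipaddress.ip_network(block)]
    assigned: Dict[str, ipaddress.IPv4Network] = {}
    for name, hosts in sorted(demands, key=lambda d: d[1], reverse=True):
        plen = prefix_for_hosts(hosts)
        free.sort(key=lambda n: (-n.prefixlen, n.network_address))   # smallest free piece first
        for candidate in free:
            if candidate.prefixlen <= plen:
                free.remove(candidate)
                piece = candidate if candidate.prefixlen == plen else next(candidate.subnets(new_prefix=plen))
                assigned[name] = piece
                if piece != candidate:
                    free.extend(candidate.address_exclude(piece))   # return the unused remainder
                break
        else:
            raise ValueError(f"{block} has no room left for {name} ({hosts} hosts)")
    return assigned


def addresses_used(assigned: Dict[str, ipaddress.IPv4Network]) -> int:
    return sum(net.num_addresses for net in assigned.values())


def fixed_size_addresses(demands, hosts_per_subnet: int = 62) -> int:
    """Cost when every subnet must be sized for the largest, as with RIP or IGRP."""
    return len(demands) * 2 ** (32 - prefix_for_hosts(hosts_per_subnet))


def no_overlap(assigned: Dict[str, ipaddress.IPv4Network]) -> bool:
    nets = list(assigned.values())
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def all_within(assigned: Dict[str, ipaddress.IPv4Network], block: str) -> bool:
    outer = ipaddress.ip_network(block)
    return all(net.subnet_of(outer) for net in assigned.values())


def fits(block: str, demands) -> bool:
    try:
        allocate_vlsm(block, demands)
        return True
    except ValueError:
        return False


# Constructed demands modelled on the description above: four switched engineering
# subnets sized for 62 hosts, home offices sized for 6 or 14 hosts.
DEMANDS = [("eng-sw1", 62), ("eng-sw2", 62), ("eng-sw3", 62), ("eng-sw4", 62),
           ("home-a", 6), ("home-b", 6), ("home-c", 6), ("home-d", 6),
           ("home-e", 14), ("home-f", 14)]

if __name__ == "__main__":
    plan = allocate_vlsm("10.0.0.0/23", DEMANDS)
    for name, net in plan.items():
        print(f"{name:8s} {net}")
    print("VLSM uses", addresses_used(plan), "addresses; fixed /26 sizing would use",
          fixed_size_addresses(DEMANDS))
```

Numbered point-to-point links would add a /30 (4 addresses) per link on top of this, which is why the text notes they are generally left unnumbered.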
**************************************************************************
From: Question 18
Subject: What are some methods for conserving IP addresses for serial lines?
VLSM and unnumbered point to point interfaces are the obvious ways. The 'ip unnumbered'
subcommand indicates another interface or sub-interface whose address is used as the IP
source address on messages that the router originates on the unnumbered interface, such as
telnet or routing messages. By doing this, the router is reachable for management purposes
(via the
address of the one numbered interface) but consumes no IP addresses at all for its
unnumbered links.
**************************************************************************
From: Question 19
Subject: Flash upgrade issues for Cisco 2500 series routers
> When I remove the original flash and replace it with ether one or both of
> the new flash chips, I get the following error on boot upand the router ends
> up in boot mode.:
> ERR: Invalid chip id 0x80B5 (reversed = 0x1AD ) detected in System flash
This has to be the most common FAQ for this group. You have non-Intel flash chips on
your new SIMMs and boot ROMs that are too old to know about the different access
method for the flash chips you have.
You need to either get the (free, call TAC) BOOT-2500= ROM upgrade from Cisco, or
exchange the flash SIMMs for ones using Intel chips. Note that Intel no longer makes those
chips, which is why everybody has this problem.
**************************************************************************
From: Question 21
Subject: How do I configure a router to act as a Frame-Relay Switch?
config t
!
frame-relay switching
!
interface Serial0
no ip address
no keepalive
encapsulation frame-relay
clockrate 64000
frame-relay intf-type dce
! In the config below, the 102 is the DLCI that will be
! presented to the router connected to this (S0) interface.
! 201 is the DLCI that is mapped to S1.
frame-relay route 102 interface Serial1 201
frame-relay route 103 interface Serial2 301
interface Serial1
no ip address
no keepalive
encapsulation frame-relay
clockrate 64000
frame-relay intf-type dce
frame-relay route 201 interface Serial0 102
frame-relay route 203 interface Serial2 302
interface Serial2
no ip address
no keepalive
encapsulation frame-relay
clockrate 64000
frame-relay intf-type dce
! The Serial2 routes below are the reverse of the 103/301 and 203/302 entries above.
frame-relay route 301 interface Serial0 103
frame-relay route 302 interface Serial1 203
[Diagram: the FR SW router connects S2 to R3's S0, S0 to R1's S0, and S1 to R2's S0.]
R1 S0, R2 S0 and R3 S0 will be on the same subnet. You can treat it as p2mp. I put all the
DCE ends of the cables on the Frame Switch, so clock rate is defined there. However, this
is not a requirement. The FR Switch router does not need to have the DCE end. Regardless
of the gender of the cable, however, the "frame-relay intf-type dce" is required. I defined
the DLCIs as Source Router + 0 + Destination Router. So if the circuit goes from R1 to R3
it's DLCI 103. From R3 to R1 it's DLCI 301.
**************************************************************************
From: Question 22
Subject: What are the different types of memory used by Cisco Routers?
The 2500 Series and 7204 VXR have the same types of memory, but they are implemented
Main memory - This is used to hold routing tables, and IOS variables. In the 7204 VXR,
IOS itself is also resident in main memory. The 2500 Series usually runs the IOS directly in
flash.
Shared memory - This is the memory that holds packet buffers. On the 2500 Series, this is
part of the same physical memory as main memory. On the 7204 VXR, it's separate
memory.
Flash memory - This memory holds the IOS image. On the 2500 Series, there are two flash
SIMM sockets (max 16 MB). On the 7204VXR, there are PCMCIA slots on the I/O
controller which can take a 128 MB flash disk.
Configuration memory (NVRAM) - This is the memory that holds the IOS configuration. In
the 2500 Series, it's a 32 KB EEPROM. On the 7204VXR it is 128 KB battery backed up
SRAM on the I/O controller.
**************************************************************************
From: Question 23
Subject: How do I load the Documentation CD (UniverseCD) on Windows 2000?
The Doc CD content is compressed - it requires Verity to decompress it. This is why Verity
is used on the Doc CD. What has happened is you've tried to directly open up index.html off
the CD into your browser, and this is not possible to do. The CD must be accessed through
the Verity Web Publisher through:
http://127.0.0.1:8080/home/home.htm
This is the startup address that is launched when you click on "Launch CD."
Windows 2000 and Doc CD: Pre-July 2000 Documentation CDs do not work on Windows
2000 out of the box. They will cause "Search.exe" to crash when run under Win2k.
There is a fix that sometimes works for these CDs at:
http://www.cisco.com/warp/public/620/ioscd.html.
This fix MUST be done BEFORE you install the CD. If the CD has already been installed,
then uninstall it, delete c:\cisco, make this registry change, then re-install the Doc CD (both
the Browser Software Installer and the Documentation CD).
(I have tried this on my laptop which is running Windows 2000 and it worked fine, but I had
to delete c:\Cisco first and launch the Browser Software Installer CD (1) first, then the
Documentation CD (2) (my version of the CD was Nov 1999).)
(I have already sent this one to you; did you delete c:\Cisco and launch both CDs?)
Other fixes:
The Doc CD starts up to about:blank
There are two alternate fixes for this:
1. After launching the Doc CD, put in http://127.0.0.1:8080/home/home.htm for the address,
and then add it to your favorites.
or
-
Finally to reorder a CD
The Cisco Documentation CD is also available online at:
http://www.cisco.com/univercd/home/home.htm
**************************************************************************
From: Question 24
Subject: How do I load a large image on a 2500 *lab* router?
For production work (support by Cisco required) you need 16M Flash to run 12.0 or 12.1
Enterprise. If you don't need Cisco support, 12.0 Enterprise is small enough (about 10M) to
run from RAM (upgrading to 16M of RAM is MUCH cheaper than upgrading to 16M of
12.1 Enterprise is 14M so it must be run from flash (otherwise there is not enough RAM
remaining to even complete loading of the OS).
Check the release notes on www.cisco.com for the IOS release you want to use. If the actual
size of the IOS plus the minimum recommended RAM totals less than 16MB, you can run
compressed or boot from TFTP without expanding flash. Check deja-news on google if you
are unclear on how to run a compressed image on the 2500, it is a frequent request and
hopefully will turn up in the renovated FAQ when Hansang gets a chance to publish it.
**************************************************************************
From: Question 25
Subject: daisy-chaining reverse telnet console-aux ports
> I've hooked 4 routers together in a lab and I'm daisy-chaining them
> aux --> console and using reverse telnet to get to them...
>
> However when I get to the fourth router and do a CTRL-SHFT-6 X,
> I get back to the first router. If I kill the AUX line, then initiate the
> reverse telnet again, I fall through router 2 and 3 to 4 again...
> Is there an easy way to fall back one router at a time?
> or should I not bother to do this?
You have two options. One is to use a different escape character on the second (third,
fourth etc) console (and/or vty)
conf t
line con 0        ! or: line vty 0 4
escape-character 23
This will let you use CTRL-W then X to break out of reverse telnet.
Or
The first access list allows telnet into the router. Your users will telnet into router and
authenticate with username foobar and password "cisco"
The router will then immediately disconnect the telnet session. When they successfully
authenticate, an access list with their source IP will be added to the dynamic list. Basically,
if they authenticate correctly, they can come in to the inside network. After 5 mins of
inactivity the entry will be deleted from the access list.
The vty 3 and 4 are using the rotary command so that you can telnet to your router with the
command: "telnet 1.1.1.1 3001" This takes you to vty 3 (or 4). This way, you can telnet
into the router and actually manage it. A very subtle but VERY important point. If you
forget this, you'll be making a trip to use the console port.
*************************************************************************
From: Question 27
Subject: How do I telnet to a specific VTY line?
**************************************************************************
From: Question 28
Subject: How do I NAT on a single Cisco 2503 Ethernet interface
interface Loopback0
ip address 10.0.255.1 255.255.255.0
ip nat inside
!
interface Ethernet0
ip address 10.0.0.1 255.255.255.0 secondary
ip address xxx.yyy.zzz.ttt 255.255.255.248
ip nat outside
ip policy route-map LOOPNAT
!
ip nat inside source list 1 interface Ethernet0 overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
route-map LOOPNAT permit 10
match ip address 1
set interface Loopback0
!
Note that the Lo0 interface may have any IP address.
**************************************************************************
From: Question 29
Subject: How do I hide a summarized OSPF router from one ABR to another?
To describe how to use the Local Security Policy MMC in W2K would take a
long time. So, the config I will share with you is the 'dial-up' one I
mentioned before. In this posting I will detail the bare minimum needed to
get a W2K client working with a PIX firewall running v6.01 software. For
The configuration script I eked (it isn't beautiful code) out is actually written in Perl. If you
would like to re-write it in the old DOS batch file format, please do so. Otherwise, you
should find a copy of Perl for NT/W2K. I use the version found at http://www.activestate.com.
The Perl script I show here is documented as to what it does. The MS ipsecpol.exe program
that you have to use has it's own documentation which you should read. For the PIX I give
you only the crypto, isakmp, and sysopt commands you need to issue to your PIX to make
this config work. The config assumes that the PIX
has NAT enabled.
For the purposes of this 'demo' config, the PIX Firewall will have
192.168.0.1 as its outside IP. The inside network will be the 10.0.X.X
network. The inside router will be 10.0.0.1.
#begin listing
# IPSecInit.pl
# Written by: Steven Griffin Jr.
# Date: 6 June, 2001.
# Note: The basis of this code came from the PERL documentation site.
# The original snippets came from the links below.
# http://www.perldoc.com/perl5.6/lib/Net/hostent.html
# http://www.perldoc.com/perl5.6/lib/Net/Ping.html
# I should put this in POD format at some point but I am in a hurry right now.
use Net::hostent;
use Socket;
use Sys::Hostname;   # hostname() of this machine; added so the lookup below has a name to resolve
# Two variables: one for the local IP address and one for the VPN server.
# This script assumes that the VPN server has a static IP.
my ($localipaddress, $VPNHostIP) = (undef, '192.168.0.1');
# Resolve our own hostname to find the local IP address. Most of this section was
# lost from the listing; only the reverse-lookup check survived. The surrounding
# loop is reconstructed from the Net::hostent perldoc example credited above, and
# the assignment to $localipaddress is an assumption about what the original did.
my $host = hostname();
for my $attempt ($host) {   # a one-pass loop so that 'redo' below can retry with the new name
    my $h = gethost($host) or die "$0: no such host: $host\n";
    $localipaddress = inet_ntoa($h->addr);
    printf "\n%s is [%s]\n", $host, $localipaddress;
    if ($h = gethostbyaddr($h->addr)) {
        if (lc($h->name) ne lc($host)) {
            printf "\tThat addr reverses to host %s!\n", $h->name;
            $host = $h->name;
            redo;
        }
    }
}
# This next section is a very modified version of the Ping example on the
# Perl Documentation Website.
# Now that we know our IP address, we can set up the IPSec tunnel.
# First we try and ping our VPN server.
use Net::Ping;
$p = Net::Ping->new("icmp");
print "\nCan I see my firewall? ";
if ($p->ping($VPNHostIP) )
{
print "Yes\nAttempting to initialize IPSec Connection";
#Now that we can see our server, lets stop and start the W2K IPSec Policy
Agent.
#This deletes any 'dynamic' IPSec policies that may have been in effect
before.
print "\nResetting IPSec Policy Agent";
$cmdstring='Net Stop "IPSec Policy Agent"';
system($cmdstring);
#Now we issue the ipsecpol command to setup the tunnel to our VPN Server.
#The ipsecpol command line utility can be found on Microsoft's Website.
# http://www.microsoft.com/downloads/release.asp?ReleaseID=29167
# or
#
http://download.microsoft.com/download/win2000platform/ipsecpol/1.00.0.0/NT5
/EN-US/ipsecpol_setup.exe
#This sets-up the inbound leg of the tunnel. We are filtering all traffic
inbound from 10.0.X.X to our IP address.
#The critical part of this statement is that the -t arguement must contain
our local IP.
$cmdstring = 'ipsecpol -f 10.0.*.*='.$localipaddress.' -t
'.$localipaddress.' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a
PRESHARE:"gobbeldygook"';
printf "\n%s",$cmdstring;
system($cmdstring);
#This sets-up the outbound leg of the tunnel. We are filtering all
traffic outbound to 10.0.X.X from our IP address.
#The critical part of this statement is that the -t arguement must contain
the VPN Server's IP Address.
$cmdstring = 'ipsecpol -f '.$localipaddress.'=10.0.*.* -t
'.$VPNHostIP.' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a
PRESHARE:"gobbeldygook"';
printf "\n%s\n",$cmdstring;
system($cmdstring);
#Now that we have issued our commands. We should test the network and see
if we can see inside it.
#The internal router is the easiest target. Here it is 10.0.0.1.
#We first do a ping just so that the IPSec tunnel with negotiate. W2K does
not setup the tunnel
# until you actually try and send traffic to a IPSec filtered IP address.
#Now we do another ping and tell the user what happened.
print "\nTrying to ping internal network: ";
$p->ping("10.0.0.1");
if ($p->ping("10.0.0.1"))
{
print "Success\n";
sleep(1);
} else {
print "Failure\n";
sleep(1);
}
} else {
# If we reach this point, we could not see our VPN Server's external IP
address from our ISP.
print "No\nTry redialing your ISP";
sleep(3);
}
$p->close();
#end listing
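The PIX commands the posting promises are not on the page. What follows is an added PIX 6.x configuration (the editor's, not Steven Griffin's) that would accept the tunnel the script above builds: the key, algorithms and addresses come from the script, while the object names and the client address range are assumed.

```cisco
! Added example: PIX 6.x side of the W2K ipsecpol tunnel above (not the
! poster's own config). Names are assumed; addresses are from the posting.
!
! Let decrypted IPSec traffic bypass the interface access-lists.
sysopt connection permit-ipsec
!
! Phase 1 must match the client's "-1s DES-MD5-1": DES, MD5, DH group 1,
! pre-shared key. The wildcard address is needed because a dial-up client
! has no fixed IP; it also means any host holding the key can start phase 1,
! so treat the key as a credential shared with every client.
isakmp enable outside
isakmp identity address
isakmp key gobbeldygook address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
!
! Phase 2 must match the client's "-n ESP[DES,MD5]".
crypto ipsec transform-set W2K esp-des esp-md5-hmac
!
! Dynamic crypto map: the peer is unknown in advance, so the PIX accepts
! proposals rather than initiating. The 10.0.X.X selectors come from the
! client's -f rules.
crypto dynamic-map DYN-W2K 10 set transform-set W2K
crypto map OUTSIDE-MAP 20 ipsec-isakmp dynamic DYN-W2K
crypto map OUTSIDE-MAP interface outside
!
! NAT is on for Internet traffic, so exempt inside-to-client traffic from
! it. ISP_CLIENT_RANGE / ISP_CLIENT_MASK are placeholders for the range the
! ISP assigns to dial-up clients ($localipaddress in the script must fall
! inside it).
access-list NONAT permit ip 10.0.0.0 255.0.0.0 ISP_CLIENT_RANGE ISP_CLIENT_MASK
nat (inside) 0 access-list NONAT
```

"show crypto isakmp sa" and "show crypto ipsec sa" on the PIX confirm the two phases the script's pings are meant to trigger.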
**************************************************************************
From: Question 32
Subject: How do I use tftpdnld via Ethernet port on a 2600?
From: Question 33
Subject: How do I setup MultiLinkPPP?
int Multilink1
description multilink bundle
ip unnumbered Loopback0
ppp multilink
multilink-group 1
!
int Ser0
description first T1 line
encaps ppp
ppp multi
multilink-group 1
!
int Ser1
description second T1 line
encaps ppp
ppp multi
multilink-group 1
I'd like to drill down another level to decide why each entry contains 240 bytes!
Tech Tip: How Much Memory Does Each BGP Route Consume?
Each Border Gateway Protocol (BGP) entry takes about 240 bytes of memory in
the BGP table and another 240 bytes in the IP routing table. Each BGP path
takes about 110 bytes.
**************************************************************************
From: Question 35
Subject: How do I stop my router from looking for cisconet.cfg or
network-config?
**************************************************************************
From: Question 37
Subject: How do I configure a transparent proxy redirecting on a CISCO router?
A route-map does the IP redirection nicely, I've used it for http and smtp. Not sure about
switching ports simultaneously with the same route map, but you could fix this with 'ipfw'
or similar on the host. Be sure you have 'ip route-cache policy' enabled to save CPU on the
interface. WCCP is another option.
http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.5
**************************************************************************
From: Question 38
Subject: How do I use a route-map to limit redistribution in OSPF?
! /* match only 172.16.10.x and 172.16.11.0 subnets */
!
access-list 1 permit 172.16.10.0 0.0.1.255
!
!
! /* use access-list 1 to determine what gets matched */
!
route-map LoopbacksOnly permit 10
match ip address 1
!
!
! /* redistribute connected networks, any and all subnets, */
! /* and seed it as E2 type. Note that throughout your */
!
router ospf 200
redistribute connected subnets metric-type E2 route-map LoopbacksOnly
**************************************************************************
From: Question 39
Subject: How do I connect 675 DSL units back to back?
Well, I found out that you can hook up other DSL boxes back to back... here is
part of an email I found on it:
you need:
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl equipment-type CO
dsl operating-mode GSHDSL symmetric annex A
dsl linerate AUTO
!
interface ATM0.1 point-to-point
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl equipment-type CPE
dsl operating-mode GSHDSL symmetric annex A
dsl linerate AUTO
!
interface ATM0.1 point-to-point
ip address 1.1.1.1 255.255.255.0
pvc 1/33
encapsulation aal5snap
!
**************************************************************************
From: Question 40
Subject: Why can't I upload an IOS image on to my flash on my 2500 router?
> i took one from another 2500, same label E28F008SA and unfortunately,
> same ERROR MESSAGE while issuing COPY TFTP FLASH from config-reg
> 0x2101
The flash in your system is not recognized by the boot ROM. You can upgrade
your boot ROM (Cisco part BOOT-2500=) or use flash that is compatible (Intel).
**************************************************************************
From: Question 41
Subject: How do I configure my router so it becomes a DHCP CLIENT?
UBR900, UBR7200
MC3810
The interface command is "ip address dhcp"
**************************************************************************
From: Question 42
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/qos_c/qcprt2/qcdpq.htm
interface Ethernet1
ip address 10.1.1.1 255.0.0.0
no ip directed-broadcast
priority-group 1
**************************************************************************
From: Question 43
Subject: What are the pro's and con's of using two ISP/BGP providers?
>Why would you use BGP with 2 Internet T1 vs using equal cost
>static routing? What's the pros and cons? Thank you.
If each T1 goes to a different ISP, then you must use BGP to have the same public address
regardless of route taken.
If each T1 goes to the same ISP and load sharing and ease of setup/management is more
important than availability, then go with static routes.
If the T1 links do not support end-to-end keepalives, go with BGP to avoid black holes.
If the T1 links go to different POPs of the same ISP, use BGP and indicator routes to detect
ISP segmentation.
If the T1 links go to geographically diverse POPs, then BGP with full or local routes may
improve routing efficiency.
(for those reading this out of the archives at a future date, a more detailed version of this
paper will be appearing as a White Paper on my web site, but it will not be there until late
Summer). Chapter 8 of my book walks you through all the alternatives from two T1s
between a single router at your site and a single router at the ISP, to two T1's between
separate routers at your site to two different ISPs. For how to get the most out of BGP,
including load sharing and efficiency considerations (my book only considers
availability), read Halabi's book.
If none of the above makes sense to you, hire a competent consultant to walk you through
Many organizations depend upon Internet connectivity to support critical applications. One
popular approach for improving Internet connectivity is to connect to more than one
Internet service provider (ISP), a technique called multi-homing.
Multi-homing can be very effective for ensuring continuous connectivity -- eliminating the
ISP as a single point of failure -- and it can be cost effective as well. However, your multihoming strategy must be carefully planned to ensure that you actually improve connectivity
for your company, not degrade it.
Providing complete physical diversity can be difficult and expensive, but the requirement is
not limited to ISP connections. All critical network links for internal communications
should also be diversified. Assuming an otherwise well-designed internal network, the
easiest way to achieve physical diversity in your ISP connections is to connect from two
different locations that are already well-connected to each other. But they must be far
enough apart that they don't share any common communications facilities to either ISP.
Network Address Translation (NAT) is then used to send outbound packets with a
source IP address associated by the ISP with that outbound link. Return traffic
will automatically come back via the same working link because that link is the
Of course this approach will not work if you are providing services to the outside world, as
the addresses associated with the failed link will disappear. Similarly, connections that were
established over the link that failed will need to be reconnected. However, for many
applications this impact is minor.
For example, a typical web surfer would merely need to hit the "page refresh" button. This
approach is also sufficient to provide high-availability virtual private networks (VPN)
across the Internet if you use a routing protocol such as OSPF to detect and route around
failed IPSec tunnels.
The other extreme would be when you need to support a common IP address range
using both ISPs. Then you need to run BGP. This will normally be the case any time your
applications include providing services to Internet users, such as access to a common
database. You will need to arrange for both ISPs to accept your BGP advertisements of your
IP address prefixes. Then your ISPs need to advertise those address prefixes to the rest of
the Internet.
Getting your address prefixes advertised is usually not a problem. You do, however, have to
use care in your configuration to ensure that you do not inadvertently advertise any other
address prefixes. In particular, you must ensure that you do not advertise yourself as a path
between the two ISPs. This could cause your links to be consumed by transit traffic of no
interest to you. More challenging is setting up your advertisements so that incoming traffic
is reasonably balanced between the ISP links. Achieving that can be difficult at best, and
nearly impossible at worst.
(and therefore more expensive). Fortunately, there are some "in-between" choices.
Rather than using a simple default route, you can use a conditional default
route to protect against ISP failure behind the ISP's router that serves you. A
conditional default route is a default route that is defined by a router only if a specific
address is already in that router's routing table. Each ISP is only used for a default route if it
is advertising one or more routes that indicate it is receiving advertisements from the rest of
the Internet. That way, you will always use a default route which promises to be useful.
Another option is to have the ISP send you just its local routes. That way, you can optimize
your outbound routing to avoid sending packets that could be locally delivered to the wrong
ISP, adding to delivery delays. Care must be taken when using this option, however,
because some ISPs have so many local routes that there is no cost benefit in the size of the
routers required to handle them compared to running defaultless.
Options can also be combined. In many cases, taking local routes and a conditional default
route will provide all the availability benefits of running defaultless, while still allowing the
use of low-cost routers. As is always the case in networking, a good understanding of the
requirements and the available capabilities is essential to maximizing cost-effectiveness.
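Two of the points above, not becoming a transit path between the ISPs and using a conditional default route, look like this on a customer edge router. This is an added example (the editor's, not from the posting); AS numbers and prefixes are documentation values, the "beacon" prefixes are placeholders for a prefix each ISP agrees to advertise, and the tracked static routes need an IOS with object tracking (12.3 or later), newer than the posting.

```cisco
! Added example (editor's). We are AS 64496 with 203.0.113.0/24.
! ISP1 is AS 64501 on the 192.0.2.0/30 link, ISP2 is AS 64502 on 192.0.2.4/30.
!
! 1. Never become a transit path: only our own prefix leaves the router, so
!    nothing learned from ISP1 can be re-advertised to ISP2 or back.
ip prefix-list OURS seq 5 permit 203.0.113.0/24
ip route 203.0.113.0 255.255.255.0 Null0
!
! 2. Accept only a "beacon" prefix from each ISP (placeholders: a prefix from
!    that ISP's own block) instead of a full table, so a small router copes.
ip prefix-list FROM-ISP1 seq 5 permit 198.51.100.0/25
ip prefix-list FROM-ISP2 seq 5 permit 198.51.100.128/25
!
router bgp 64496
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 description ISP1
 neighbor 192.0.2.1 prefix-list OURS out
 neighbor 192.0.2.1 prefix-list FROM-ISP1 in
 neighbor 192.0.2.5 remote-as 64502
 neighbor 192.0.2.5 description ISP2
 neighbor 192.0.2.5 prefix-list OURS out
 neighbor 192.0.2.5 prefix-list FROM-ISP2 in
!
! 3. Conditional default routes: each static default is installed only while
!    the beacon learned from that ISP is in the routing table, i.e. while
!    that ISP is still passing us routes from the rest of the Internet.
track 1 ip route 198.51.100.0/25 reachability
track 2 ip route 198.51.100.128/25 reachability
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
ip route 0.0.0.0 0.0.0.0 192.0.2.5 track 2
!
! Checks: "show ip bgp neighbors 192.0.2.1 advertised-routes" must list only
! 203.0.113.0/24; "show track" shows which default routes are currently live.
```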
**************************************************************************
From: Question 44
Subject: What kind of memory can I use to upgrade my 2500 series router?
The RAM is standard 72-pin parity 70ns FPM w/ tin leads, while the flash is the generic
Cisco flash. If you have older boot ROMs, you'll want to make sure you get Intel chips or
the ROMs won't recognize them. Or you could upgrade the ROMs - Cisco part number
BOOT-2500=, allegedly free.
I used to use Kingston when I had 25xx's. But MemoryX seems to be less expensive these
days: (http://www.memoryx.net/routers.html)
**************************************************************************
From: Question 45
Subject: Where can I get mzmaker to compress my IOS?
http://www.mcseco-op.com/mzmaker.htm
**************************************************************************
From: Question 46
Subject: What is the meaning of in/out in reference to an access-list?
The simplest explanation I've seen is: Crawl into your router and look towards the interface.
If the packets are going away from you they're outbound. If they're hitting you in the
forehead they're inbound.
**************************************************************************
From: Question 47
Subject: How do I remove the /32 - host - route when a PPP link comes up?
To get rid of this host route, try the following command on both ends of the
link:
no peer neighbor-route
**************************************************************************
From: Question 48
Subject: How do I forward DHCP broadcasts to my DHCP server?
> We are a Canadian company with an American office. We have a Cisco router
> at each office connected via a T1 line. We have a DHCP server at our
> Canadian office, and we would like it to also delegate IPs to our American
> office. Is this possible? If so, what must be done?
1) Run DHCP on the remote router. This will prevent the dhcp requests from coming
across the WAN. The downside is that only certain IOSes support running dhcp and it is a bit
more work for the router.
2) You can enable bootp forwarding or dhcp relaying. This can be accomplished by using the
"ip helper-address DHCP_SERVER_IP_HERE" interface command. But using helper-address turns on a lot of unnecessary UDP forwarding so you need to lock it down first.
So:
conf t
no ip forward-protocol udp tftp
no ip forward-protocol udp dns
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip forward-protocol udp bootpc
!
interface ethernet0/0
ip helper-address YOUR_REMOTE_DHCP_SERVER_IP_HERE
**************************************************************************
From: Question 49
Subject: How do I send L2 traffic through a tunnel?
> Thanks for answering my post, the current problem I have is I need to send
> Layer2 type traffic through a tunnel ... is this possible ?
Sure. See...
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/inter_c/icdlogin.htm#xtocid292793
> I enabled bridging on both routers and created a bridge group and that
> seems to work fine I can see my netbeui traffic passing ....
> The problem is I have to be able to encapsulate netbeui or any other Layer2
> type protocol and encapsulate within a IP packet.
The usual way to do this is using a GRE tunnel between two routers, and configuring an
additional loopback interface on each router as the source interface for the tunnel traffic, as
below. Here, each router has a bridge group defined which allows certain traffic only as
stated in the 200-series ACL onto the loopback interface. In this case it's LAT only - you
will need to check the LSAP protocol number(s) for netbios/netbeui as I can't remember
these off-hand. Once the traffic is forwarded from the LAN interface onto the loopback, it
is encapsulated into IP GRE and forwarded to the far router.
[Diagram in the original post: Router A and Router B, each with Eth0 and Ser0, joined by Tunnel0]
int e0
ip address 192.168.100.254 255.255.255.0
bridge-group 1
int loop0
no ip address
bridge-group 1
bridge-group 1 output-type-list 200
int tunnel 0
tunnel source interface loopback0
tunnel destination 192.168.200.254
Router B
--------
int e0
ip address 192.168.200.254 255.255.255.0
bridge-group 1
int loop0
no ip address
bridge-group 1
bridge-group 1 output-type-list 200
int tunnel0
tunnel source interface loopback0
tunnel destination 192.168.100.254
First of all, you shouldn't count the interframe gap twice. The collision event uses an
interframe gap, but the next one actually belongs to the next frame; it would be there
More important, 511 bit times is the MAXIMUM time consumed by a collision in the
absolute worst-case. This requires a network with maximum extent--longest possible cables,
maximum repeaters, etc.--and devices with absolute worst-case timing parameters. In most
small networks (e.g., a single 10BASE-T hub), nearly all collisions occur during the
preamble, and the time consumed by the collision is just 96+64+32=192 bit-times
(IFG+Preamble+Jam).
Unless you know the precise instant in which each collision occurs, you cannot calculate the
bandwidth "lost" to collisions.
(By the way, the maximum collision fragment is 511 bits, not 512--at 512 bits, it becomes a
valid frame.)
In addition, while some Ethernet controllers do return a collision count as part of the
transmit status for each frame, many do not provide the SNMP/RMON driver with the exact
number of collisions. Instead, the status indicates one of:
With this type of controller, you cannot distinguish a frame that encountered two collisions
from one that encountered fifteen, so it is hard to estimate the bandwidth "lost" due to
collisions.
Finally, I will reiterate my position that collision rates are a virtually useless metric for
determining network performance. (See my earlier post on this subject.)
Seifert's Law of Networking #21: Measurements of unimportant parameters are
meaningless.
-- Note added by Hansang Bae --
In the WORST case scenario (i.e. the stations are at the maximum distance apart) a collision
will take up to 84 byte-times to resolve itself: 64 bytes (minimum Ethernet size+FCS), 8
bytes for the preamble, and 12 bytes for the IFG.
Here's another way to look at it. For every successful transmission, there was an equal
number of collisions. This is a 1:1 ratio or 100% collision rate. Or equivalently, 50% of the
frames that go out the NIC are collisions.
Assume that we are talking about an FTP transfer. Typically, FTP will use the 1518 max size
and there will be an ACK (Acknowledgement) for every two packets. So you would see two
1518 frames and one ACK for both. So in a collision free world, we would see 2 frames of
1518 bytes and one ACK of 64 bytes. Throw in the preamble/SFD and the IFG to the mix
and you get 2*(1518 + 8Preamble + 12 IFG) + 1*(64) = 3,140 bytes.
Now if we have 3 collisions (one collision for each successful frame) then you have to add
another 3*84 (three frames taking up 84byte times - see #5 above). This comes out to 3,144
+ (3*84) = 3,396. So the ratio is 3,140/3,396 = .9246 or 92.46%.
That means even with 100% collision rate, we only lose about 7.53% of the bandwidth.
Hardly anything to worry about! In the real world, you can expect 33% collision rate for an
FTP session. Also for smaller size frames, the % of wasted bandwidth would be much
greater. But then again, only large transfers tax Ethernet networks.
**************************************************************************
From: Question 51
Subject: How do I stop password-recovery on my routers?
"Password-recovery" might not be the best description. The feature locks out all access to
the ROMMON.
You can do this on a 2600/3600 with the global configuration command "no service
password-recovery".
The feature is indeed tied to the ROMMON. You must have a minimum ROMMON version
11.1(17)AA on the 3600, as well as minimum IOS 11.2(12)P or 11.3(3)T.
All ROMMON versions on the 2600 support this feature.
**************************************************************************
From: Question 52
Subject: How can I prevent SYN-Flood attack using CAR?
We are talking about all different kinds of floods (ICMP, SYN, UDP, etc) throughout this
post. Actually he did say that Sprint can filter on their end. I included in a different post the
link to configure CAR to limit SYN attacks using web traffic as an example. Your solution
looks like it would work too as there are multiple ways to configure traffic shaping.
Configure rate limiting for SYN packets. Refer to the following example:
interface {int}
rate-limit output access-group 153 45000000 100000 100000 conform-action
transmit exceed-action drop
rate-limit output access-group 152 1000000 100000 100000 conform-action
transmit exceed-action drop
WARNING: It is recommended that you first measure amount of SYN packets during
normal state (before attacks occur) and use those values to limit. Review the numbers
carefully before deploying this measure.
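The rate-limit lines above refer to access-lists 152 and 153 that the posting does not show. Below is an added configuration (the editor's, not from the posting) with the access-lists that make the two statements do what the answer describes; the server address 10.1.1.1 and interface Serial0/0 are assumed, and the rates repeat the posting's figures.

```cisco
! Added example (editor's): the access-lists behind the rate-limit lines.
! 10.1.1.1 is an assumed web server; Serial0/0 is the assumed interface
! through which traffic is sent toward it.
!
! "established" matches TCP segments with ACK or RST set. A deny in a CAR
! access-list means "not matched by this rate-limit statement", so ACL 152
! lets packets of existing connections fall through and matches only new
! connections, the SYN packets, which get the 1 Mbps limiter.
access-list 152 deny   tcp any host 10.1.1.1 established
access-list 152 permit tcp any host 10.1.1.1
!
! ACL 153 is the established traffic, policed at line rate so it is
! effectively unlimited but counted on its own.
access-list 153 permit tcp any host 10.1.1.1 established
!
interface Serial0/0
 rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
 rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop
!
! Baseline first, as the warning says: watch the conformed/exceeded counters
! on normal days and size the SYN limiter above the busiest legitimate rate.
!   show interfaces Serial0/0 rate-limit
!   show access-lists 152
```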
You have to create a virtual-template interface with IP address information for PPP, then create
a virtual-access interface with that address:
!
multilink virtual-template 1
!
interface Virtual-Template1
ip unnumbered Loopback0 or ip address
no ip mroute-cache
ppp multilink
!
interface Serial0
no ip address
encapsulation ppp
no fair-queue
ppp multilink
!
interface Serial1
no ip address
encapsulation ppp
no fair-queue
ppp multilink
**************************************************************************
From: Question 54
Subject: How do I setup ppp callback with dialer-pool?
This is really hard stuff. To do PPP callback with dialer-pool there are some commands
missing in your config; look at my example.... (also see:
www.cisco.com/warp/public/cc/pd/ifaa/pa/much/tech/althb_wp.htm)
!
username router1 callback-dialstring 749410 password 0 ect
!
interface BRI0/0
no ip address
no ip directed-broadcast
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
ppp callback accept
ppp authentication chap
!
interface BRI0/1
no ip address
no ip directed-broadcast
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
ppp callback accept
ppp authentication chap
!
interface Dialer1
ip unnumbered FastEthernet0/0
no ip directed-broadcast
encapsulation ppp
dialer remote-name router1
dialer pool 1
dialer enable-timeout 2
dialer string 749410 class test1
dialer-group 1
ppp authentication chap
!
!
map-class dialer test1
dialer callback-server username
dialer-list 1 protocol ip permit
**************************************************************************
From: Question 55
Subject: My configs are too large. What can I do?
The IOS configuration in the 2600 Series is stored in a 32 KB EEPROM. The ROMMON
reserves 3 KB, leaving 29 KB for the IOS. You can use the "service compress-config"
command to compress the configuration in the EEPROM. You can also load the
configuration file from a TFTP server.
**************************************************************************
From: Question 56
Subject: What does Frame-relay LMI and Encapsulation really do/mean?
I think there is some confusion here about frame relay "encapsulation" and frame relay
"lmi" (heartbeat/keepalives). Frame relay encapsulation is indeed significant end-to-end
through the "cloud" between communicating DTE (router) equipment. Cisco encapsulation
inserts an ethernet "type field" immediately after the 2 byte frame header which contains the
DLCI, FECN, BECN, and DE fields. IETF (RFC 1490) encapsulation does not use ethernet
type fields to identify the payload of the frame. Instead, IETF calls for the use of NLPID
codes (Network Layer Protocol Identifiers) which are common in the OSI environment.
NLPIDs are to be used when the payload has an NLPID assigned to it.(like IP) The NLPID
(CC, in the case of IP) will follow an Unnumbered Information UI control field, 03. If the
payload does not have an NLPID assigned to it, (like IPX) then IETF suggests that an OUI
field (organizationally unique identifier) followed by an ethernet type code (8137 for
example, if IPX) will be used. Much like an 802.3 frame with SNAP, the type code of 8137
will be offset further into the frame, and not found immediately after the 2 byte frame
header.
This encapsulation must be understood by the communicating routers at either edge of the
'cloud.' The cloud itself does not care what type of "encapsulation" is being used. It is
strictly a DTE-DTE issue.
LMI is a link integrity and PVC status verification protocol that IS locally significant
between the router and the network interface. This protocol comes in 3 flavors: the
'original' Stratacom (aka cisco) version, ANSI's T1.617 Annex D, and CCITT/ITU Q.933
Annex A. These protocols are often collectively referred to as "LMI." It is possible to run
one version of LMI on the East User-Network Interface (UNI) and another version on the
West UNI, as these protocols simply identify the status of the UNI link and the PVCs found
on that link. Encapsulation, however, must match between the DTEs. It is interesting to
note, however, that Cisco routers are smart enough to interpret the 'encapsulation' type
being used on incoming frames. If both DTEs are Cisco routers, one router 'can' use Cisco
encapsulation while the other router uses "IETF." The ability to communicate with Cisco
routers using different encapsulation schemes gives the "appearance" that the encapsulation
is locally significant. In fact, this (cisco) ability to
communicate is made possible by the smarts cisco builds into its implementation.
When any other vendor's DTE is involved, communications will fail if the "encapsulation"
on both DTEs is not identical. Even if one of the routers is a cisco. (Unless, of course, the
other vendor saw fit to build in the smarts that cisco has done. But I am not aware of any
vendor that has this capability other than cisco....)
Hex protocol traces are available if any one would like to see.....
**************************************************************************
From: Question 58
Subject: How do I make a T1 Cross-over cable?
For E1 (assuming RJ-48 aka RJ-45), the pinouts would be the same as for T1, except that I
guess you need to have pins 3 and 6 (shield/ground) connected.
I don't suppose I should be pointing people to Juniper's web site, but anyway ...
http://www.juniper.net/techpubs/hardware/m160/m160-picinstall/html/pinout5.html
**************************************************************************
From: Question 59
Subject: Can I use a router to simulate BRI switch?
In current IOS (12.1(3)T and above, I think), you can configure PRIs back-to-back between
routers: configure one side to be network side (isdn protocol-emulate network) and the other
to be user side (default; isdn protocol-emulate user). The supported switchtypes are
primary-net5
and primary-ni.
As the original posting had alluded, we have SOME support for network-side BRI - but this
is only on certain VIC cards due to hardware restrictions:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121x/121xi/121xi_3/dt_brint.htm
**************************************************************************
From: Question 60
Subject: How do I use Policy Based Routing?
Keep in mind that Policy routing works on the INBOUND interface. If you think about it, it
makes sense. The decision to hand off the packet has to be made as it's coming into the
router and not on the egress interface.
if not, do a
sho ip policy
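An added configuration (the editor's, not from either posting) that puts this note and the route-map answer to Question 37 together: LAN web traffic is redirected to a proxy, and the policy is applied on the interface the packets arrive on. The LAN subnet, interface and proxy address 10.1.2.5 are assumed.

```cisco
! Added example (editor's): policy routing on the INBOUND interface.
! Web traffic from the assumed LAN 10.1.1.0/24 goes to an assumed proxy at
! 10.1.2.5; everything else follows the normal routing table.
access-list 110 permit tcp 10.1.1.0 0.0.0.255 any eq www
!
route-map TO-PROXY permit 10
 match ip address 110
 set ip next-hop 10.1.2.5
!
! Packets that match no clause are simply routed by destination, so no
! catch-all clause is needed. On IOS that supports it, "set ip next-hop
! verify-availability" keeps the router from sending traffic to a proxy that
! has gone down.
!
interface FastEthernet0/0
 description LAN side: packets enter here, so the policy goes here
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map TO-PROXY
 ip route-cache policy
!
! Verification:
!   show ip policy           lists interfaces and the route-map attached
!   show route-map TO-PROXY  shows how many packets each clause matched
```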
**************************************************************************
From: Question 61
Subject: How do I setup a VPN tunnel using pre-shared keys?
Dror-John is right. There is a LOT to know about when you get into encryption, and like
any other branch of this industry knowing the hows & whys will help your configs and
troubleshooting enormously. The CCO IPSec Product Support page has a wealth of useful
info and examples. www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:IPSec
RFCs 2401-2412 are not too taxing either. I've added below a very basic example using
pre-shared keys, DES encryption and SHA-1 hashing algorithm. Site 1 is 10.0.1.0/24, site 2
10.0.2.0/24 and the serial i/fs 10.0.4.0/30 (& assumes you have sub-i/fs). Names and things
in capitals.
Router1(config)#
!
crypto isakmp policy 1
! Define your ISAKMP policy settings
group 2
! 'group' defines the modulus for Diffie-Hellman calculation.
! Default is group 1, less CPU work, but less secure.
authentication pre-share
crypto isakmp key SHARED_KEY_HERE address 10.0.4.2
! Your shared key, and what peer i/f it's used for.
!
crypto ipsec transform-set TS1 ah-sha-hmac esp-des
! Define what happens to the traffic. AH & ESP are two IPSec protocols.
!
crypto map TO_SITE_2 10 ipsec-isakmp
! Define crypto-map
set peer 10.0.4.2
! The other side
set transform-set TS1
! Which transform-set to use
match address 150
! Which access-list selects the traffic to protect
!
interface Serial1/0.0
ip address 10.0.4.1 255.255.255.252
crypto map TO_SITE_2
! Apply the crypto-map to the serial sub-i/f (mirrors Router2 below)
!
access-list 150 permit ip 10.0.1.0 0.0.0.255 any
Router2(config)#
!
crypto isakmp policy 1
group 2
authentication pre-share
crypto isakmp key SHARED_KEY_HERE address 10.0.4.1
!
crypto ipsec transform-set TS1 ah-sha-hmac esp-des
!
crypto map TO_SITE_1 10 ipsec-isakmp
set peer 10.0.4.1
set transform-set TS1
match address 150
!
interface Serial1/0.0
ip address 10.0.4.2 255.255.255.252
crypto map TO_SITE_1
!
access-list 150 permit ip 10.0.2.0 0.0.0.255 any
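The posting's example uses DES, SHA-1 and DH group 2, which were the basics in its day. As an added example (the editor's, not the poster's), here is the Router1 side with the settings a current IOS would use (15.x syntax assumed) and with a crypto access-list that names only the site-to-site traffic; Router2 mirrors it with the addresses swapped.

```cisco
! Added example (editor's): the same two-site tunnel with current settings.
! Addresses are the posting's: site 1 10.0.1.0/24, site 2 10.0.2.0/24,
! serial link 10.0.4.0/30.
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key SHARED_KEY_HERE address 10.0.4.2
!
! ESP alone gives confidentiality and integrity; AH adds nothing here and
! does not survive NAT, so it is dropped.
crypto ipsec transform-set TS1 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map TO_SITE_2 10 ipsec-isakmp
 set peer 10.0.4.2
 set transform-set TS1
 set pfs group14
 match address 150
!
interface Serial1/0.0
 ip address 10.0.4.1 255.255.255.252
 crypto map TO_SITE_2
!
! The crypto access-list names exactly the traffic to protect. With "any"
! as the destination, every packet leaving site 1 would be offered to the
! tunnel; the peer's access-list must be the mirror image
! (10.0.2.0/24 -> 10.0.1.0/24) or phase 2 will not negotiate.
access-list 150 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
```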
**************************************************************************
From: Question 62
Subject: Why does one packet always get dropped on the last hop of traceroute?
And the winner is ... Max. Inspired by (I think) sec. 4.3.2.8 in RFC-1812, we rate-limit our
ICMP message generation to 1/sec/destination. This can be adjusted by the "ip icmp rate-limit unreachable" command. More interesting than simply causing an oddity for traceroute,
ICMP rate-limiting can cause intermittent PMTUD blackholes (or I should say perhaps
"PMTUD brownholes".) If you're doing PMTUD (as alas anyone running Windows
defaults to), then you might want to ease the rate limit on DF unreachables.
**************************************************************************
From: Question 63
Subject: How to setup NATing based on outgoing interface to two different ISPs.
> [Diagram in the original post: ISP1 and a cable modem feeding a Cisco 2621,
>  with a firewall and a mail server behind it]
>
> We just installed a T1 to the Internet to co-exist with our Cablemodem. I
> am looking at ways to implement this. We currently have a Cisco 2621 with
> the T1 connection and a Linux Box Masqing cablemodem Internet access now.
> My question is, what would be the best way to implement this?
>
> I proposed we connect the Cablemodem into the 2621 (FEthernet interface)
That will work. But you need to use route-maps to match the outgoing interface (or next-hop) when you define your NAT pool. In a nutshell:
int fa0/0
ip addr blah
ip nat outside
!
int fa0/1
ip addr blah
ip nat outside
!
ip nat pool ISP1 ISP1_Valid_range_here prefix-length blah
ip nat pool Cable Cable_Valid_range_here prefix-length blah
!
! These users below are allowed to use the NAT service.
access-list 1 permit 10.0.0.0 0.255.255.255
!
route-map ISP1 permit 10
match ip address 1
match interface fa0/0
!
! The second route-map and the two translation statements tying each
! route-map to its pool were missing from the post; they complete the
! pattern above.
route-map Cable permit 10
match ip address 1
match interface fa0/1
!
ip nat inside source route-map ISP1 pool ISP1
ip nat inside source route-map Cable pool Cable
!
Enter this under stupid router tricks (it's got to be more expensive than an ISDN emulator,
but not if you've got the parts lying around).
Switch: Cisco 2600 or 3600 with NM-2V and VIC-2BRI-S/T-TE (NT should work too), IOS 12.1.5T9
R1, R2: Cisco with ISDN BRI S/T interface, IOS 12.x
These configs let you do ISDN BRI dialup between two routers, using a third router as an
ISDN switch. Call setup is flaky but otherwise it seems to work once the call is up.
Switch config, for ISDN dial (and X.25 over ISDN D-channel thrown in too)
!
isdn switch-type basic-net3
x25 routing
!
interface Loopback0
!
interface BRI1/1
description to R2
no ip address
isdn switch-type basic-net3
isdn protocol-emulate network
isdn layer1-emulate network
isdn incoming-voice voice
isdn skipsend-idverify
!
interface BRI1/1:0
no ip address
ip mtu 1514
no ip mroute-cache
x25 address 5551000
clns mtu 1514
!
x25 route 5551111 interface BRI1/1:0
x25 route 5552222 interface BRI1/0:0
!
voice-port 1/0/0
!
voice-port 1/0/1
!
dial-peer voice 1 pots
incoming called-number 6045551111
destination-pattern 6045552222
direct-inward-dial
port 1/0/0
!
dial-peer voice 2 pots
incoming called-number 6045552222
destination-pattern 6045551111
direct-inward-dial
port 1/0/1
!
dial-peer voice 10 voip
destination-pattern 6045552222
session target ipv4:10.0.0.1
codec clear-channel
!
dial-peer voice 20 voip
destination-pattern 6045551111
session target ipv4:10.0.0.1
codec clear-channel
!
End-router config (the one that dials 6045552222):
isdn switch-type basic-net3
!
interface BRI0/0
ip address 1.1.1.1 255.255.255.0
encapsulation ppp
dialer string 6045552222 class DOV
dialer-group 1
isdn switch-type basic-net3
isdn incoming-voice data
isdn calling-number 6045551111
isdn x25 dchannel
!
interface BRI0/0:0
no ip address
ip mtu 1514
no ip mroute-cache
**************************************************************************
From: Question 65
Subject: What kind of memory does the 2500 use?
Pin mapping for a crossover cable that swaps all four pairs (100BaseT4 / 1000BaseT):
1 to 3, 2 to 6, 3 to 1, 6 to 2, 4 to 7, 5 to 8, 7 to 4, 8 to 5
Basically, in a traditional crossover cable, which covers 10BaseT and 100BaseTX, you swap the green pair with the orange pair. Less commonly you have a 100BaseT4 crossover cable (which also happens to be a 1000BaseT crossover cable); there you not only swap the green and orange pairs, but also swap the blue and brown pairs.
The silly part is that Cisco's documentation shows the schematic of a traditional crossover cable, but the pin-outs it lists are those of the 1000BaseT interface.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/2950_wc/hig/hgcable.htm#xtocid42327
See: http://www.cisco.com/warp/customer/63/nbar_acl_codered.shtml
> Here's my working config (with thanks to John Kaberna and Chris
set ip dscp 1
>
> interface Serial0/0
> ip access-group 101 in
**************************************************************************
From: Question 68
Subject: What is a FECN/BECN and does it mean anything?
First, when you use FR, it is not over a host to router connection. FR is going to be router to
ingress-FR-switch through cloud to egress-FR-switch to destination-router. With that in
mind, what you have to worry about with exceeding your CIR is the ingress FR switch.
FECN and BECNs are different mechanisms which I will explain in a minute.
Let me explain the algorithm that FR switches use to police your bandwidth usage. It is a
token/credit system that is implemented on the *ingress* FR switch (so the ingress switch is
the traffic cop). Keep in mind that everything that I am about to describe occurs entirely
within the FR switch, so when I say that you are given tokens to transmit, I mean that in the
software of the FR switch these tokens are kept track of, not that the FR switch transmits
tokens to your router to use for each frame. I'm going to start with a simple scenario in
which you only have a CIR and an EIR of 0. Anyway, every second (which is the default
interval, or Tc for those that want the real term) you get Bc tokens which is essentially
permission to transmit that many tokens worth of data over the time of that second.
Bc tokens decrement against the CIR, which is to say that Bc tokens are used to regulate the
CIR not the EIR (I will describe Be tokens later). At the end of the second you are given
more tokens for use during the next second. Every time the FR switch receives data from
the router, it subtracts tokens. What happens if you run out of tokens is that every frame
will be discarded until the next interval at which point you get more tokens. If it receives a
frame marked with a DE bit, it should discard it automatically.
However, most people don't buy FR service with a EIR of zero. In this case where you have
a CIR and an EIR, the token credit system is a little more complex. Every time interval (Tc)
you get Bc tokens and Be tokens. In the case that you are not setting the DE on any frames,
data received by the FR switch decrements credits from the Bc pool until exhausted.
Suppose the FR switch now receives a frame but there are no Bc tokens left (you will get
more Bc tokens in the next time interval) at the time. The FR switch will check for a Be
token, and if you have one, it will mark the DE field and transmit the frame across the
network and decrement tokens from the Be pool. Keep in mind that the Be pool represents
your burst capabilities over and above the CIR. IOW, Be tokens keep track of the EIR and
Bc tokens keep track of the CIR. Suppose the Be pool is exhausted and the Bc pool is
exhausted and another frame arrives. It is dropped, period. At the next time interval you
will get more Bc and Be tokens to use.
What happens if you mark your own DE frames? Well, when the ingress FR switch
receives a non-DE-marked frame, it will subtract against the Bc token pool. If it receives a
DE-marked frame, it will subtract against the Be token pool. If it receives a non-DE-marked frame but there are no Bc tokens left, the FR switch will mark it DE, transmit it and
subtract Be tokens. If it receives any frame (regardless of DE or non-DE-marked) and there
are no Bc or Be tokens left, the frame is dropped. So really the use of marking your own
DE frames simply allows you to be the master of your own destiny by categorizing your
own data intelligently instead of letting the FR switch do it based simply on the order of
arrival. And the reason you want to mark your own packets has to do with how the network handles congestion (see below where I talk
about BECN, etc.)
A couple of points are worth making. First, you cannot accumulate tokens over time. There
is a maximum amount which is the value of the committed burst (Bc) and this value has a
mathematical relationship with the CIR (CIR = Bc/Tc also EIR = Be/Tc). In almost all
cases Tc is set to 1 second, so the result is that CIR = Bc and EIR = Be. So if you have the
maximum number of tokens in your Bc token pool (max amount = Bc), and you send no
frames for the next hour, you will still only have Bc amount of tokens when you send the
next frame. Second, the above description is not 100% accurate so don't use it to teach a
class of newbie students. I simplified a number of things for the sake of getting the
concepts across, and in the process I sacrificed the accuracy of some of the information.
For instance, you don't get a lump of tokens all at once as I described--in reality, your
tokens replenish gradually over the Tc interval. Third, you only need a single token (which
represents a byte of data) to transmit a frame. So if you are out of Bc tokens and you only
have one Be token left, even if you send a 1500 byte frame, it will still be transmitted as DE
and the last token will be subtracted.
Ok, so how does the FR network handle DE or non-DE frames? Different vendors of FR
switches may be designed to operate differently, but I believe the following is the normal
behavior. If a node within the cloud starts to experience *mild* congestion, it starts setting
the FECN, BECN, or both bits on frames traversing the node. Routers connected to the FR
cloud that receive BECN bits should slow their transmission by buffering frames and
sending them slightly later. Routers that receive FECN bits might (if there is a way) signal
the sending router to slow transmission by buffering its frames. If a node starts
experiencing moderate congestion, it will start dropping frames marked DE. At heavy and
severe congestion levels, the node will start dropping other traffic as well. Depending on
vendor, there may be many levels of priority traffic (i.e. gold vs.
bronze customers) to determine exactly which frames to drop before others when
experiencing heavy and severe levels of congestion.
>> Say I have a CIR of 512 Kbps. Say the users in the site are generating 2
>> Mbps data (internet surfing, email, etc) and I'm not using Discard
>> Eligible(because I wouldn't know how to set that up anyway)
>>
>> Here is my guesswork. The routers may try to send more than 256kbps. The
>> switches will start sending FECN's and BECN's.
They shouldn't start generating FECNs and BECNs unless some FR switch along the path is
overloaded, and this (in theory) shouldn't happen since you are well below your CIR. IOW,
the network should be engineered to be able to handle everyone's CIR on a statistical basis.
If this were to happen on a regular basis, I would configure my router to ignore
BECNs/FECNs because I am paying for a CIR of 512k, and I'll be darned if I'll let my NSP
force my routers to throttle back when I am only using half of my CIR. They are
"committing" to 512k, so I want my 512k, not "256k if the network feels like it".
>> The routers will slow down sending rates. If a user is sending data to
>> a router faster than it can route, what will it do? Does TCP Window sizes
>> and acknowledgements between the PC's limit the rate at which the router
>> will receive data, so that it is unlikely ever to be too busy?
>> If data is dropped by the router using DE, will the TCP resend process
>> between the PC's be the normal recovery process?
Routers don't drop DE frames. That is a FR switch function, not a router function. But,
yes, ultimately TCP is the process by which lost packets will be retransmitted.
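The credit system described above is easier to reason about when you can run it. The following is an added example, not IOS code and not any vendor's switch implementation: a toy model of the ingress switch's Bc/Be policing. It keeps the simplifications the answer itself makes (credits arrive as a lump of Bc and Be bytes at the start of every Tc rather than trickling in, leftovers never carry over, one remaining credit is enough to send any frame) and adds one assumption the text leaves open: a frame the router already marked DE draws on the Be pool only, and is dropped when Be is exhausted. The traffic in demo() is constructed to show each verdict.

```python
"""Toy model of Frame Relay ingress policing (CIR/EIR, Bc/Be, DE marking).

Added example; not IOS code and not a vendor's algorithm.  Simplifications
follow the explanation above: lump refill per Tc, no accumulation across
intervals, one credit suffices to send a frame.  Assumption: a frame that
arrives already DE-marked is charged to Be only.
"""


class Frame:
    def __init__(self, size, t=0.0, de=False):
        self.size = size  # bytes
        self.t = t        # arrival time at the ingress switch, seconds
        self.de = de      # DE bit as set by the sending router


class IngressPolicer:
    """Bc = CIR * Tc / 8 bytes and Be = EIR * Tc / 8 bytes per interval."""

    def __init__(self, cir_bps, eir_bps=0, tc=1.0):
        self.tc = tc
        self.bc = int(cir_bps * tc / 8)   # committed burst, bytes per Tc
        self.be = int(eir_bps * tc / 8)   # excess burst, bytes per Tc
        self.interval = None
        self.bc_left = 0
        self.be_left = 0

    def _refill(self, t):
        # A new Tc interval resets both pools to their caps; unused credits
        # from the previous interval are lost (no accumulation over time).
        interval = int(t // self.tc)
        if interval != self.interval:
            self.interval = interval
            self.bc_left, self.be_left = self.bc, self.be

    @staticmethod
    def _spend(pool, size):
        # The last credit is enough to send a whole frame; never go negative.
        return max(0, pool - size)

    def police(self, frame):
        """Return 'forward', 'forward-de' (sent with DE set) or 'drop'."""
        self._refill(frame.t)
        if not frame.de and self.bc_left >= 1:
            self.bc_left = self._spend(self.bc_left, frame.size)
            return "forward"
        if self.be_left >= 1:
            # Either the switch marks DE itself (Bc exhausted) or the router
            # already did; both are charged to the excess pool.
            self.be_left = self._spend(self.be_left, frame.size)
            return "forward-de"
        return "drop"


def police_all(policer, frames):
    return [policer.police(f) for f in frames]


def demo():
    """Constructed traffic (not a capture) against CIR 24 kbit/s (Bc 3000 bytes)
    and EIR 12 kbit/s (Be 1500 bytes): five 1500-byte frames in the first
    second, then two router-marked DE frames and one small frame in the next."""
    pol = IngressPolicer(cir_bps=24000, eir_bps=12000)
    frames = [Frame(1500, t=0.1 * i) for i in range(5)]
    frames += [Frame(1500, t=1.2, de=True),
               Frame(1500, t=1.3, de=True),
               Frame(100, t=1.4)]
    return police_all(pol, frames)


def demo_one_credit():
    """EIR 0, Bc 3000 bytes: three 2000-byte frames.  The second frame goes
    out on the 1000 remaining credits; the third finds both pools empty."""
    pol = IngressPolicer(cir_bps=24000)
    return police_all(pol, [Frame(2000), Frame(2000), Frame(2000)])


if __name__ == "__main__":
    print(demo())             # 2 forwarded, 1 marked DE, 2 dropped, then DE/drop/forward
    print(demo_one_credit())  # ['forward', 'forward', 'drop']
```

Changing the arrival time of the last frame in demo() to an hour later gives the same result, because the refill only ever restores Bc and Be, never more; that is the "you cannot accumulate tokens" point made above.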
**************************************************************************
From: Question 70
Subject: How do I stop logging (generating snmp trap) for up/down interfaces?
**************************************************************************
From: Question 71
Subject: How do I setup the variables to do tftpdnld in rommon?
You can use tftp, if available; if not, no luck, short of xmodem over the console or a flash card from another router.
I think you can upgrade the boot ROM to support the tftpdnld command, but I'm not sure about it:
IP_ADDRESS=10.1.1.16
IP_SUBNET_MASK=255.255.255.0
DEFAULT_GATEWAY=10.1.1.2
TFTP_SERVER=10.1.1.2
TFTP_FILE=ios.bin
FE_SPEED_MODE=0
TFTP_VERBOSE=1
tftpdnld -d
**************************************************************************
From: Question 72
Subject: What is the order of operation in terms how a packet is processed?
1) compression/decompression
2) Encryption
3) Inbound ACL
4) Unicast reverse path checking
5) Input rate limiting
6) Broadcast handling (ip helpers)
7) Decrement TTL
8) Inspect subsystem (FW features)
9) Outside to Inside NAT
10) Handle router alert flags in the IP header
11) Search for outbound interface in the routing table
12) Policy routing
13) Handle web cache redirects
14) Inside to Outside NAT
15) Encryption
16) Output ACL
17) Final Inspect check
18) TCP Intercept processing.
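The practical consequence of this ordering that bites most often is where access lists sit relative to NAT: step 3 (inbound ACL) runs before step 9 (outside-to-inside NAT), so an ACL applied inbound on the "ip nat outside" interface is evaluated against the inside-global address, not the server's real one; and step 14 (inside-to-outside NAT) runs before step 16 (output ACL), so an ACL applied outbound on that interface sees the translated source. The following is an added example, not IOS code, that walks a packet through just those four steps with a constructed static mapping (10.1.1.5:23 to 198.51.100.1:23, an assumption for the demo) and shows which address each ACL gets to match.

```python
"""Toy model of steps 3, 9, 14 and 16 of the IOS order of operations above.

Added example; not IOS code.  The static mapping and the addresses are
constructed for the demonstration and are not from the page.
"""

# inside-local (real) address:port -> inside-global (translated) address:port
STATIC_NAT = {("10.1.1.5", 23): ("198.51.100.1", 23)}
STATIC_NAT_REVERSE = {glob: loc for loc, glob in STATIC_NAT.items()}

ANY = "any"


def acl_permits(acl, pkt):
    """Cisco-style evaluation: first matching entry wins, implicit deny at
    the end.  Entries are (action, src, dst, dport); ANY/None are wildcards."""
    for action, src, dst, dport in acl:
        if src not in (ANY, pkt["src"]):
            continue
        if dst not in (ANY, pkt["dst"]):
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action == "permit"
    return False


def outside_to_inside(pkt, inbound_acl):
    """Packet arriving on the 'ip nat outside' interface.
    Step 3 (inbound ACL) precedes step 9 (outside-to-inside NAT), so the ACL
    sees the inside-global address the packet was sent to."""
    acl_saw = (pkt["dst"], pkt["dport"])
    if not acl_permits(inbound_acl, pkt):
        return {"verdict": "dropped-by-inbound-acl", "acl_saw": acl_saw}
    translated = dict(pkt)
    key = (pkt["dst"], pkt["dport"])
    if key in STATIC_NAT_REVERSE:
        translated["dst"], translated["dport"] = STATIC_NAT_REVERSE[key]
    return {"verdict": "forwarded", "acl_saw": acl_saw,
            "delivered_to": (translated["dst"], translated["dport"])}


def inside_to_outside(pkt, outbound_acl):
    """Packet leaving via the 'ip nat outside' interface.
    Step 14 (inside-to-outside NAT) precedes step 16 (output ACL), so the
    output ACL sees the translated source, never the inside-local one."""
    translated = dict(pkt)
    key = (pkt["src"], pkt["sport"])
    if key in STATIC_NAT:
        translated["src"], translated["sport"] = STATIC_NAT[key]
    acl_saw = (translated["src"], translated["sport"])
    if not acl_permits(outbound_acl, translated):
        return {"verdict": "dropped-by-output-acl", "acl_saw": acl_saw}
    return {"verdict": "forwarded", "acl_saw": acl_saw}


def demo():
    """Constructed packets (not captures) showing the two classic mistakes."""
    inbound = {"src": "203.0.113.9", "sport": 40000,
               "dst": "198.51.100.1", "dport": 23}
    # Written against the server's real address: never matches inbound.
    acl_local = [("permit", ANY, "10.1.1.5", 23)]
    # Written against the inside-global address: this is the one that works.
    acl_global = [("permit", ANY, "198.51.100.1", 23)]

    outbound = {"src": "10.1.1.5", "sport": 23,
                "dst": "203.0.113.9", "dport": 40000}
    # Trying to block the server's replies by its real address: no effect.
    out_block_local = [("deny", "10.1.1.5", ANY, None), ("permit", ANY, ANY, None)]
    # Blocking by the translated address does take effect.
    out_block_global = [("deny", "198.51.100.1", ANY, None), ("permit", ANY, ANY, None)]

    return {
        "in_wrong": outside_to_inside(inbound, acl_local),
        "in_right": outside_to_inside(inbound, acl_global),
        "out_wrong": inside_to_outside(outbound, out_block_local),
        "out_right": inside_to_outside(outbound, out_block_global),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The same reasoning applies to the "ip nat inside" interface in the opposite direction: its inbound ACL runs before inside-to-outside NAT and therefore matches inside-local addresses.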
**************************************************************************
From: Question 73
Subject: What are the different T1 jack type codes?
The "X" variety can automatically loop up the line if you pull out the cable,
so it's usually called a "smartjack".
**************************************************************************
From: Question 74
Subject: How do I show just one interface's configuration?
My all time favourite "trick" is "show run int xx", where xx is the interface in question.
**************************************************************************
From: Question 75
Subject: How can I script a network reachability test?
Today a trouble ticket was elevated to our design team. It seems a bunch of users are
locking up while using Outlook with OpenMail servers. Not sure if it was network,
Outlook, OpenMail server, or combination of the above. Since the users were somewhat
senior level folks, it was not realistic to have to jot down detailed notes about when it
happened etc.
Since the PCs were all Wintel based, I wrote this in a hurry to include in their "START"
menu. Not being able to use Unix tools pretty much tied my hands, and I didn't put in a lot
of error checking, but hey, I only had about 30 minutes to whip this up.
echo *
echo *
echo *
echo *
echo *
echo *
echo *
echo **********************************************************
echo **********************************************************
echo **********************************************************
:
: Create a temp folder for our use and start with some flower
: box delimiters
:
if not exist c:\mailte$t md c:\mailte$t
echo ***************************************>> c:\mailte$t\%username%.txt
echo ***************************************>> c:\mailte$t\%username%.txt
:
: Pipe in some blank lines and date time stamp.
echo. >> c:\mailte$t\%username%.txt
echo.|date | find /i "current" >> c:\mailte$t\%username%.txt
echo.|time | find /i "current" >> c:\mailte$t\%username%.txt
echo. >> c:\mailte$t\%username%.txt
:
: Start a trace route w/o Rev-DNS lookups to our servers.
: The server name is given as a command line argument.
tracert -d %1 >> c:\mailte$t\%username%.txt
:
: Upload the results with ftp, scripted from C:\ftpcmd.txt
:
ftp -s:c:\ftpcmd.txt x.x.2.104
exit

Contents of c:\ftpcmd.txt (ftp -s: reads these as if typed at the ftp prompt;
"prompt" turns off the per-file confirmation that mput would otherwise ask for):
cisco
cisco1
prompt
mput c:\mailte$t\*.txt
bye
exit
Basically, it's
username
password
ftp command
ftp command
etc. etc.
**************************************************************************
From: Question 76
Subject: Where can I find a list of undocumented IOS commands?
http://www.boerland.com/dotu/
**************************************************************************
From: Question 77
Subject: Where can I find information on securing or hardening Cisco routers?
**************************************************************************
From: Question 78
Subject: How can I connect two Cisco routers back to back through the AUX ports?
Using the AUX Port on Cisco Routers for IP/IPX Router Communications
http://www.networkingunlimited.com/white006.html
**************************************************************************
From: Question 79
Subject: How do I use Secure Shell (SSH) on Cisco devices?
**************************************************************************
From: Question 80
Subject: Can I use a /31 address space for my serial point-to-point interfaces?
It depends. With a 12.2.x release of IOS you can use a /31 address.
For example:
interface Serial5/1
ip address 192.168.1.1 255.255.255.254
/122t2/ft31addr.htm
**************************************************************************
From: Question 81
Subject: How do i see log messages on the router console?
Log messages have 8 severity levels (0 emergencies through 7 debugging), and they can go to several places:
- Console (console logging)
- Monitor (any line configured with "monitor", or with the "terminal monitor"
exec command)
- Buffer (logging buffered)
- Trap (syslog)
The command to turn up log messages is "logging (place) (level)".
In your case, you probably want logging console informational for minimum messages or
Tip: console logging is disabled by default because the console serial port makes 1 interrupt
per character, and has the highest priority of any interrupt on the box. If you want to do
console logging, you should probably also rate limit the messages, since an uncontrolled
flood of messages to the console can literally cause the box to slow to a crawl and fail. In
most cases, it is a better idea to telnet to the box, and debug using 'monitor' logging and
"terminal monitor" on the vty.
**************************************************************************
From: Question 82
Subject: What is my overhead of using IPSec
esp-des/esp-md5-hmac = 56 bytes
esp-3des/esp-sha-hmac = 56 bytes
esp-des/ah-sha-hmac = 68 bytes
esp-des/ah-md5-hmac = 68 bytes
esp-des/ah-sha-hmac/esp-sha-hmac = 80 bytes
For example I use ESP over AH with a GRE tunnel in tunnel mode.
20 (IP header) + 24 (AH header) + 16 (ESP header) + 4 (GRE) +2 (ESP trailer)
My MTU is 1500 - 66 = 1434
**************************************************************************
From: Question 83
Subject: What is the pinout for the DB9 to RJ45 connector?
ok, I just tested the pinouts of a DB9-RJ45 adapter that I have here. This
is what I found:
[DB9-to-RJ45 pin table not recoverable from the page; it shows DB9 pins 4 and 5 tied together and some pins with nothing connected]
**************************************************************************
From: Question 84
Subject: Should I use a T1, Cable modem or DSL for Internet connections?
This question comes up often enough it probably should be in the FAQ. Each has its
advantages and each has its weaknesses. Which is best will depend upon the specific
business requirements and how the network is used.
T1/E1 - Providers tend to treat T1's as serious business products. They tend to be better
managed and service response to outages is usually quick. Data rate is a constant, if you
order 1.544Mbps, you get 1.544 Mbps in both directions. (Note: fractional T1 may be
available with asymmetric capacity provisioned).
DSL - Providers consider this a "consumer grade" offering. Users' experience has been more
frequent outages. More important, response to failures that do occur tends to be slow,
particularly if the local telco providing the copper is competing with the DSL provider.
ADSL provides asymmetric data rates, but "business grade" offerings, such as IDSL and
SDSL, provide the same data rates both upstream and downstream. High data rates are only
available to users close to the telephone central office.
Cable - Shared medium subject to fluctuating bandwidth availability. Reliability will depend
upon the local cable company, and can vary widely. On average, it tends to be about as
available as DSL. Only available in areas wired for cable TV, which could limit availability
in business parks and other non-residential areas. Also only available where the cable
franchise has chosen to offer the service.
Provisioning of redundant connectivity for servers offered to the public versus internal users
browsing the Internet versus VPNs for cost savings all have very different requirements and
solutions suitable for one may not work with the others.
BGP support for multihoming is typically only available on T1 links. But then again, if
you're only surfing or VPNing there are easier ways to get redundancy that do not require
BGP.
In most markets, you can buy a lot of ISDN backup for the price difference between
DSL/Cable and T1. Many DSL/Cable providers will block VPN and inbound traffic to your
servers unless you purchase their premium "business" service. Make sure the conditions of
service are compatible with your needs.
DSL is rarely good backup for T1 because both share the same single points of failure in the
telco local loop provisioning. Cable can provide more diversity as a backup, but may still be
sharing common single points of failure such as power poles.
**************************************************************************
From: Question 85
Subject: How do I change the time length of 15 mins that is used when displaying the Show
ISDN history command?
>I have a 2500 router, and it's displaying doubled commands as shown below.
>cclloocckk rraattee 6644000000
Looks to me like you have local echoing configured on your terminal emulator. Turn it off
and let the router do all the echoing.
**************************************************************************
From: Question 87
Subject: How do I see power-supply failures via SNMP?
The first one tells the switch to send traps on chassis events, like a power
supply failing. The second tells the switch where to send the trap.
**************************************************************************
From: Question 88
Subject: How do I change the timer for tx/rxload when doing "show int" command?
I believe so. Just so we're clear (to the original poster) bandwidth on
demand is the ability to kick up a line when you reach a certain threshold.
floating static can't be used since the lower admin-distance route will
never get a chance to float up.
int s0/0
blah
frame-relay class end-to-end-keepalive
blah
!
map-class frame-relay end-to-end-keepalive
frame-relay end-to-end keepalive mode bidirectional
**************************************************************************
From: Question 90
Subject: How do I setup NAT and Port forwarding?
int e0/0
desc This is the inside interface, using an RFC 1918 address
ip addr 10.1.1.1 255.255.255.0
ip nat inside
!
int s0/0
desc This goes to the ISP using assigned address x.x.x.1/30
ip address x.x.x.1 255.255.255.252
ip nat outside
!
! Next line determines who will get to use the NAT
! Anyone coming from 10.1.1.0 address will be NATed.
access-list 1 permit 10.1.1.0 0.0.0.255
!
! Next line assumes that you want to use one IP for everyone
! and use the port address translation. In your case, you could
! actually use one to one translation.
!
ip nat inside source list 1 interface serial0/0 overload
!
! Set up a static translation so you can telnet into your server.
! Assume your server is at 10.1.1.5. Note that this exposes cleartext
! telnet to the whole Internet: prefer SSH, and restrict the sources that
! may reach it with an inbound access-list on serial0/0.
!
ip nat inside source static tcp 10.1.1.5 23 x.x.x.1 23
!
**************************************************************************
From: Question 91
Subject: How can I policy-route router generated packets?
Here's what I do when I need to upgrade a router's IOS and I don't have LAN
or sync serial access to it for TFTP purposes.
1. Plug the following code into the router to configure it for PPP on the AUX port:
interface Async1
ip address 192.168.255.254 255.255.255.252
encapsulation ppp
no ip route-cache
async default routing
async mode dedicated
!
ip default-gateway 192.168.255.253
!
line con 0
line aux 0
no exec
exec-timeout 0 0
modem InOut
transport input all
stopbits 1
rxspeed 38400
txspeed 38400
flowcontrol hardware
Configure the dialup networking entry to use 192.168.255.253 as the IP address of the
dialing interface.
Depending on what family of router you have (2500, 2600) your AUX port will
accommodate up to 38400 (older families) or 115200 (newer families).
**************************************************************************
From: Question 93
Subject: What does the keyword EXTENDABLE mean when doing NAT?
From: http://www.cisco.com/warp/public/701/60.html
"Extendable" static translations:
The extendable keyword allows the user to configure several ambiguous static translations,
where ambiguous translations are translations with the same local or global address.
ip nat inside source static <localaddr> <globaladdr> extendable
Some customers want to use more than one service provider and translate into each
provider's address space. You can use route-maps to base the selection of global address
pool on output interface as well as an access-list match. Following is an example:
Once that is working, they might also want to define static mappings for a particular host
using each provider's address space. The software does not allow two static translations with
the same local address, though, because it is ambiguous from the inside. The router will
accept these static translations and resolve the ambiguity by creating full translations (all
addresses and ports) if the static translations are marked as "extendable". For a new
outside-to-inside flow, the appropriate static entry will act as a template for a full
translation. For a new inside-to-outside flow, the dynamic route-map rules will be used to
create a full translation.
**************************************************************************
From: Question 94
Subject: Where can I get some third party icons for my Visio program?
Check out www.altimatech.com they sell a product called netzoom that has a great cisco
>What peer problems would arise where I may need this information?
>especially considering I would need to have a peer address to put in
>in the first place.
This is usually used to confirm that a route is being advertised by the proper ISP. You don't
put peer addresses in, you put destination network addresses in.
>I see there are communities. not sure who the community members are or
>what the parameters contained in the community attribs are. Any way to
>find out?
Most communities don't have standard meanings. Each AS assigns meanings to the
communities that it cares about. By convention, communities are formed by concatenating
the ASN that's using the community with a second number that the AS network
administrators assign, so the communities shown above are meaningful to AS 2548 and AS
3706. Communities are often used by ISPs to allow their customers to influence routing
parameters; for instance, the
customer can often send communities that control what localpref the ISP assigns to the
routes.
>Any good hints/web-links on how to use or get the most out of the
>looking glass site would be appreciated.
There's nothing really special about the looking glass, it's just showing you the output of
"show ip bgp" (and other router commands). It's no different from doing it on your own
routers, but the looking glass lets you do it from outside your network, so you can tell
whether a problem is
specific to your network or more widespread.
>Query: bgp
>Addr: 216.202.0.0
>It is a Genuity address.
>
>Here is the output below.
>Could someone explain
>" Advertised to non peer-group peers:
>
That's a BGP neighbor of the looking glass router, which the router will share this route
with.
>Also Genuity actually owns AS number "1" (Very prestigious).
>from the first entry
>"4.24.7.77 (metric 345601) from 165.117.1.127"
> it looks like Genuity 4.24.x.x is learning this from Digex
>165.117.1.127
>Why would Genuity learn their own address from Digex.
No, it means that *this* router (Digex's router at MAE-EAST) learned the route from
165.117.1.127. Since Digex doesn't connect to Genuity at MAE-EAST (tier 1 ISPs use
private peering amongst each other, we only use the public exchanges to connect with
smaller ISPs), it has to learn Genuity routes via the Digex backbone.
>Also could I assume that just because there is no path with AOL in it
>that AOL doesn't have a path to them?
No. The looking glass is just showing the routes from Digex to the destination. Why would
traffic from Digex to Genuity go through AOL?
**************************************************************************
From: Question 96
Subject: When using Tunnel with an interface that has an ACL, what happens?
>Is the access-list applied on the ethernet0 inbound although filter the
>tunnel traffic ?
Yes. When traffic arrives, it will first be processed by the ethernet interface's inbound
access list. If it is permitted in, the router will then de-encapsulate the tunnel traffic, and it
will be processed by the tunnel interface's inbound access list.
**************************************************************************
From: Question 97
Subject: Do I need a Xover cable when using 1000Base-T?
Answer by: rich@richseifert.com (Rich Seifert)
> I guess it depends on the 1000BaseT NICs. On mine, I've used both a
> crossover cable and a straight-through cable just fine to connect two NICs.
> They autonegotiate.
That's not true. BGP WILL join two lines AND load balance across them. The trick is, you
have to make every single one of the "Rule of Ten" rules equal, which is not a difficult thing
to do. Weights, MEDs, Local Preference, AS-Path, etc., will all most likely be identical,
provided both T1's come from the same provider (yes, I know he said they're different
providers). You can load-balance with BGP across two links, provided the links terminate
on the same router on both ends. With everything else being equal, BGP will snag on the last
rule, using the IP address of the interfaces to decide which path to take. All you have to do
is break that last rule and you're home free.
BAM! You're done. You've just now broken the "Rule of Ten." BGP will have no choice but
to enter two routes into the routing table, which will load balance.
**************************************************************************
From: Question 99
Subject: How do I only accept a 0/0 Route but advertise my 30 addresses via BGP?
Crashinfo reads from the log buffer, not the console itself. If you want to have console
messages included in crashinfo, you may turn on logging console BUT you also want to be
sure logging buffered is on. Once logging buffered is on, console messages do not go to the
physical console port and the interrupt problem is circumvented.
You should turn it off unless you are using logging buffered. It is off by default in modern
IOS versions.
Yes. But again, it will only save information from 'logging buffered.' So if you want the information,
you can turn on logging console, but only if you also use logging buffered....