Table of Contents
0. Hall of Fame for Revision 2.0 and above: See end of the FAQ:
0.1 Where can I obtain the FAQ:
1. How can I contact cisco?
2. What is this newsgroup?
3. What does ``cisco'' stand for?
4. How do I save the configuration of a cisco?
5. Where can I get ancillary software for my cisco?
6. Is there a World-Wide-Web (www) information source?
7. How can I get my cisco to talk to a third party router over a serial link?
8. How can I get my cisco to talk to a 3rd-party router over Frame Relay?
9. How can I use debugging?
10. How can I use NTP (Network Time Protocol) with my cisco?
11. Sample cisco NTP Configurations
12. How do I avoid the annoying DNS lookup if I have misspelled a command?
13. Tracing bad routing information
14. How to use access lists
15. The cisco boot process
16. Where can I get cisco hardware?
17. Where can I get IETF documents (RFCs, STDs, etc.)?
18. Future features in cisco software
19. How do cisco routers rate performance-wise?
20. How are packets switched?
21. How does one interpret buffer statistics?
22. How should I restrict access to my router?
23. What can I do about source routing?
24. Is there a block of private IP addresses I can use?
25. Is DHCP supported?
26. Where can I get cisco documentation?
27. What's the latest software for the CSC/3?
28. What IP routing protocol should I use?
29. How do I interpret the output of ``show version''?
30. What is the maximum number of Frame Relay PVCs?
31. How much memory is necessary to telnet to a cisco router?
32. Where can I purchase flash RAM?
33. When are static routes redistributed?
34. When is the next hop of a route considered ``reachable''?
35. How do name and phone number of ``dialer map'' interfere?
36. What's the purpose of the network command?
37. What is VLSM?
38. What are some methods for conserving IP addresses for serial lines?
******************************************************************************
New questions/answers for revision 2.00 starts from here!
******************************************************************************
39. Flash upgrade issues for Cisco 2500 series routers
40. How do I prevent my switch ports from going into ErrDisable state?
41. How do I configure a router to act as a Frame-Relay Switch?
42. What are the different types of memory used by Cisco Routers?
43. How do I load the Documentation CD (UniverseCD) on Windows 2000?
44. How do I load a large image on a 2500 *lab* router?
45. Daisy-chaining reverse telnet Aux-to-Console ports
46. What Windows chatter could bring up an ISDN line?
47. How do I make NTP packets so it's only interesting on router bootup?
48. How do I setup Lock & Key ACL?
49. How do I telnet to a specific VTY line?
50. Is there a better (free) tftp server than the one by Cisco?
51. How do I use the Cisco Documentation CD (UniverseCD) under Linux?
52. How do I NAT on a single Cisco 2503 Ethernet interface
53. How do I hide a summarized OSPF router from one ABR to another?
54. What is the pinout for the Console port on a 2518?
55. How do I find the "real" IOS name when the file is in DOS format?
56. How do I setup Windows 2000 and IPSec to a PIX Firewall?
57. How do I use tftpdnld via Ethernet port on a 2600?
58. How do I setup MultiLinkPPP?
59. How much memory is taken up by BGP routes?
60. What is the difference between a CiscoPro model and a regular one?
61. How do I stop my router from looking for cisconet.cfg or network-config?
62. How do I setup DHCP service on my router?
63. How do I configure transparent proxy redirection on a CISCO router?
64. How do I use the PCMCIA slot in my 2500 router?
65. What cable do I use on 1900 switch with a DB9 Console connector?
66. How do I use a route-map to limit redistribution in OSPF?
67. How do I connect 675 DSL units back to back?
68. How do I format the PCMCIA card on a 3600?
69. How do I read Token Ring Mac and RIF?
70. How are Ethernet MAC addresses transmitted?
71. Why are the 46th and the 47th bit significant in Ethernet MAC address?
72. Why can't I upload an IOS image on to my flash on my 2500 router?
73. How do I configure my router so it becomes a DHCP CLIENT?
74. Does my Cisco terminal server send a BREAK signal on reboot?
75. How do I access the Console port on an AccessPro (AP-EC) card?
76. How do you setup a simple Priority Queuing?
77. What are the pro's and con's of using two ISP/BGP providers?
78. How do I tell the difference between the different 2900 XL switches?
79. How do I suppress the transmission of PPP frames from when dialing in?
80. Where can I get mzmaker to compress my IOS?
81. What is the meaning of in/out in reference to an access-list?
82. How do I remove the /32 - host - route when a PPP link comes up?
83. How do I forward DHCP broadcasts to my DHCP server?
84. How do I use the ip-helper command to facilitate DHCP use?
85. How do I send L2 traffic through a tunnel?
86. How do I sort my IP Addresses using Unix tools??
87. Why is measuring collisions meaningless endeavour?
88. How do I stop password-recovery on my routers?
89. How do I setup a Multilink PPP?
90. How do I setup ppp callback with dialer-pool?
91. My configs are too large. What can I do?
92. What does Frame-relay LMI and Encapsulation really do/mean?
93. How do I make a T1 Cross-over cable?
94. Can I use a router to simulate BRI switch? (Also see question 101)
95. How do I use Policy Based Routing?
96. How do I setup a VPN tunnel using pre-shared keys?
97. Why does one packet always get dropped on the last hop of traceroute?
98. How to setup NAT'ing based on outgoing interface to two different ISPs.
99. How do I use IPX over DDR?
100. How can I automatically ping a range of IP addresses in Wintel world?
See also question 115.
101. Sample config of using VIC BRI interfaces as an ISDN switch.
102. How do I do X25 over ISDN D channel?
103. What can I do to remove SAP Type 640 on my routers?
104. What kind of memory does the 2500 use?
105. How do I make an Ethernet Cross-over cable?
106. How do I use NBAR to block NIMDA?
107. What is a FECN/BECN and does it mean anything?
108. How do I stop logging (and generating snmp trap) for up/down interfaces?
109. How do I setup the variables to do tftpdnld in rommon?
110. How do I get the memory-usage on the Vip-Card
111. What is the order of operation in terms how a packet is processed?
112. What are the different T1 jack type codes?
113. How do I show just one interface's configuration?
114. How can I search CCO for IS-IS related information?
115. How can I script a network reachability test? See also question 100.
116. How can I access the console port on my MSFC in my 6500?
117. How do I access my MSFC/Router in my 6509?
118. Where can I find a list of undocumented IOS commands?
119. Where can I find information on securing or hardening Cisco routers?
120. How can I connect two Cisco routers back to back through the AUX ports?
121. How do I use Secure Shell (SSH) on Cisco devices?
122. Can I use a /31 address space for my serial point-to-point interfaces?
133. How do I see log messages on the router console?
134. What is my overhead of using IPSec?
135. What is the pinout for the DB9 to RJ45 connector?
136. Should I use a T1, Cable modem or DSL for Internet connections?
137. How do I change the time length of 15 mins that is used when displaying the Show ISDN history command?
138. Why do I see "double" characters when I telnet into my router?
139. How do I see power-supply failures via SNMP?
140. How do I change the timer for tx/rxload when doing "show int" command?
141. How do I setup SLIP on my Cisco terminal servers?
142. How do I setup FR End-to-End keepalives?
143. What basic information do I need to setup a T1 from my ISP?
144. How do I setup NAT and Port forwarding?
145. Where can I buy some Back-to-Back serial cables?
146. How can I policy-route router generated packets?
147. Is there another way to upload my IOS w/o a tftp server?
148. What does the keyword EXTENDABLE mean when doing NAT?
149. Where can I get some third party icons for my Visio program?
150. Can you help me interpret the output from "Looking Glass" (BGP)?
151. When using Tunnel with an interface that has an ACL, what happens?
152. Do I need a Xover cable when using 1000Base-T?
153. How do I break the "Rule of Ten" for BGP Load balancing?
154. How do I only accept a 0/0 Route but advertise my 30 addresses via BGP?
todo:
[Update the Todo section. How ironic!]
Actual content.
**************************************************************************
From: Question 0.1
Date: 10 February 2002
Subject: Where can I obtain/View the FAQ
Answer by: N/A
A. You can use any Usenet (Newsgroup) reader to read comp.dcom.sys.cisco
or alt.certification.cisco
B. http://www.networkingunlimited.com/CiscoFAQ.html
C. http://www.evolutiontechnical.com/cisco-faq/index.htm
D. http://mrubino.com:8080/cdsc-faq
**************************************************************************
From: Question 1
Date: 31 October 1994
Subject: How can I contact cisco?
Corporate address:
cisco Systems
170 West Tasman Drive
San Jose, CA 95134
The following phone numbers are available:
Technical Assistance Center (TAC) +1 800 553 2447
(553 24HR)
+1 800 553 6387
+1 408 526 8209
Customer Service (Documentation, Warranty & +1 800 553 6387
Contract Services, Order Status
Engineering +1 800 553 2447
(553 24HR)
On-site Services, Time & Materials Service +1 800 829 2447
(829 24HR)
Corporate number / general +1 408 526 4000
Corporate FAX (NOT tech support) +1 408 526 4100
The above 800 numbers are US/Canada only.
cisco can also be contacted via e-mail:
tac@cisco.com Technical Assistance Center
tac-euro@cisco.com European TAC
cs-rep@cisco.com Literature and administrative (?) requests
cs@cisco.com *UNRELIABLE*, special-interest, ``non-support''
Please follow the directions available on CIO before doing this.
cisco provides an on-line service for information about their routers
and other products, called CIO (cisco Information Online). telnet to
cio.cisco.com for more details.
The collective experience of this FAQ indicates that it is far wiser to
open a case using e-mail than FAXes, which may be mislaid, shredded,
etc.
For those of you still in the paperfull office (unlike the rest of us),
cisco Systems' new corporate address is:
170 West Tasman Drive
San Jose, CA 95134
Mail to tac@cisco.com should include your service contract number, your name,
telephone number, a brief one line problem/question description, and a
case priority in the first 5 lines. For example:
Cisco service contract number 92snt1234a
First and last name Jane Doe
Best number to contact you 415-555-1234
Problem/question description Cannot see Appletalk zones
Case Priority 3
CASE PRIORITIES are defined as one of the following:
Pri 1 Production network down, critical business impact
Pri 2 Production net seriously degraded, serious impact
Pri 3 Network degraded, noticeable impact to business
Pri 4 General information, non production problems
**************************************************************************
From: Question 2
Date: 26 July 1994
Subject: What is this newsgroup?
comp.dcom.sys.cisco, which is gatewayed to the mailing list
cisco@spot.colorado.edu, is a newsgroup for discussion of cisco
hardware, software, and related issues. Remember that you can also
consult with cisco technical support.
This newsgroup is not an official cisco support channel, and should
not be relied upon for answers, particularly answers from cisco
Systems employees.
Until recently, the mailing list was gatewayed into the newsgroup,
one-way. It is possible that this arrangement may resume at some time
in the future.
**************************************************************************
From: Question 3
Date: 31 October 1994
Subject: What does ``cisco'' stand for?
cisco folklore time:
At one point in time, the first letter in cisco Systems was a
lowercase ``c''. At present, various factions within the company have
adopted a capital ``C'', while fierce traditionalists (as well as some
others) continue to use the lowercase variant, as does the cisco
Systems logo. This FAQ has chosen to use the lowercase variant
throughout.
cisco is not C.I.S.C.O. but is short for San Francisco, so the story
goes. Back in the early days when the founders Len Bosack and Sandy
Lerner and appropriate legal entities were trying to come up with a
name, they did many searches for non-similar names, and always came up
with a name which was denied. Eventually someone suggested ``cisco''
and the name wasn't taken (although SYSCO may be confusingly similar
sounding). There was an East Coast company which later was using the
``CISCO'' name (I think they sold in the IBM marketplace) they ended
up having to not use the CISCO abbreviation. Today many people spell
cisco with a capital ``C'', citing problems in getting the lowercase
``c'' right in publications, etc. This led to at least one amusing
article headlined ``Cisco grows up''. This winter we will celebrate
our 10th year.
[This text was written in July of 1994 -jhawk]
**************************************************************************
From: Question 4
Date: 31 October 1994
Subject: How do I save the configuration of a cisco?
If you have a tftp server available, create an empty, writable file on
the server for your router to write to, and then use the ``write
network'' command. From a typical unix system:
mytftpserver$ touch /var/spool/tftpboot/myconfig
mytftpserver$ chmod a+w /var/spool/tftpboot/myconfig
myrouter#write net
Remote host [10.7.0.63]? 10.7.0.2
Name of configuration file to write [myrouter-confg]? myconfig
Write file myconfig on host 10.7.0.2? [confirm] y
Bear in mind that TFTP has no authentication or encryption, the target
file has to be world-writable, and the saved configuration contains your
enable and line passwords and SNMP community strings. Keep the tftp
server on a trusted network and tighten the file's permissions once the
copy is done.
Additionally, there's a Macintosh TFTP server available:
ftp://nic.switch.ch/software/mac/peterlewis/tftpd-100.sit.hqx
Additionally, you can also use expect, available from:
ftp://ftp.uu.net/languages/tcl/expect/expect.tar.gz
ftp://ftp.cme.nist.gov/expect/expect.tar.gz
or, in shar form from ftpeng.cisco.com.
Expect allows you to write a script which telnets to the router and
performs a ``write terminal'' command, or any other arbitrary set of
command(s), using a structured scripting language (Tcl).
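Because the file that ``write net'' leaves on the tftp server holds the router's credentials, it is worth seeing exactly what is in it before it sits there. The following is an added example, not code from the FAQ or from cisco: it scans a saved IOS configuration for credential lines and undoes type-7 (``service password-encryption'') obfuscation, which uses the same fixed key on every router and so protects nothing once the file has been copied. The sample configuration, hostname, hash and passwords are constructed for the illustration.

```python
"""Look at what ``write net'' actually leaves on the tftp server.

Added example, not code from the FAQ or from cisco.  It scans a saved IOS
configuration for credential lines and undoes type-7 obfuscation to show
that ``service password-encryption'' does not protect a copied config.
The sample configuration below is constructed; the hash and passwords
are not real."""
import re

# Constructed sample of a config file as saved by ``write net''.
SAMPLE_CONFIG = """\
hostname myrouter
enable secret 5 $1$sa1t$NotARealHashJustASamplexx
enable password 7 0822455D0A16
snmp-server community public RO
line vty 0 4
 password 7 03175E08140A35
 login
"""

# Fixed key that IOS XORs against for type-7 strings.  Because it is the
# same on every router, anyone holding the config can reverse the value.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc: str) -> str:
    """Type-7 layout: two decimal digits giving the key offset, then the
    password bytes in hex, each XORed with successive key bytes."""
    if len(enc) < 4 or len(enc) % 2:
        raise ValueError("malformed type-7 string: %r" % enc)
    offset = int(enc[:2], 10)
    data = bytes.fromhex(enc[2:])
    clear = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(data))
    return clear.decode("ascii")


_ENABLE_SECRET = re.compile(r"^\s*enable secret (\d+) (\S+)")
_PASSWORD = re.compile(r"^\s*(?:enable )?password(?: (\d+))? (\S+)")
_SNMP = re.compile(r"^\s*snmp-server community (\S+)")


def find_secrets(config: str):
    """Return (line_no, kind, value) for each credential in a saved config.
    Type-7 values come back decoded; hashed 'enable secret' values are
    reported as-is because they are one-way."""
    found = []
    for n, line in enumerate(config.splitlines(), 1):
        if m := _ENABLE_SECRET.match(line):
            found.append((n, "enable secret (type %s hash, not reversible)"
                          % m.group(1), m.group(2)))
        elif m := _PASSWORD.match(line):
            kind, value = m.group(1), m.group(2)
            if kind == "7":
                found.append((n, "password (type 7, decoded)", decode_type7(value)))
            else:
                found.append((n, "password (cleartext)", value))
        elif m := _SNMP.match(line):
            found.append((n, "snmp community (cleartext)", m.group(1)))
    return found


if __name__ == "__main__":
    for n, kind, value in find_secrets(SAMPLE_CONFIG):
        print("line %d: %-45s %s" % (n, kind, value))
```

Run it against a real saved config and every line it prints is something you are trusting the tftp server's file permissions and network to keep private; only the ``enable secret'' hash survives a copy.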
**************************************************************************
From: Question 5
Date: 5 July 1994
Subject: Where can I get ancillary software for my cisco?
Try ftping to
ftp://ftpeng.cisco.com/pub
It's a hodgepodge collection of useful stuff, some maintained and some
not. Some is also available from
ftp://cio.cisco.com
Vikas Aggarwal has a very customised tacacsd:
A new version of xtacacsd is available via anonymous FTP from:
ftp://ftp.navya.com/pub/vikas/xtacacsd-3.5.shar.gz
**************************************************************************
From: Question 6
Date: 28 April 1996
Subject: Is there a World-Wide-Web (www) information source?
You can try the WWW page for this FAQ:
http://www.panix.com/cisco-faq/
or the cisco Educational Archive (CEA) home page:
http://sunsite.unc.edu/cisco/cisco-home.html
or the cisco Information Online (CIO) home page:
http://www.cisco.com/
**************************************************************************
From: Question 7
Date: 5 July 1994
Subject: How can I get my cisco to talk to a third party router over
a serial link?
You need to tell your cisco to use the same link-level protocol as the
other router. By default, ciscos use their own rather bare variant of
HDLC (High-level Data Link Control), the framing that serial link-level
protocols build on at some layer or another, and other vendors'
routers generally don't speak it. To make your cisco operate with most
other routers, you need to change the encapsulation from HDLC to PPP on
the relevant interfaces. For instance:
sewer-cgs#conf t
Enter configuration commands, one per line.
Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z
interface serial 1
encapsulation ppp
^Z
sewer-cgs#sh int s 1
Serial 1 is administratively down, line protocol is down
Hardware is MCI Serial
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
^^^^^^^^^^^^^^^^^^^^^^^^^^
[...]
If you're still having trouble, you might wish to turn on serial interface
debugging:
sewer-cgs#ter mon
sewer-cgs#debug serial-interface
**************************************************************************
From: Question 8
Date: 27 July 1994
Subject: How can I get my cisco to talk to a 3rd-party router over Frame Relay?
You should tell your cisco to use ``encapsulation frame-relay ietf''
(instead of ``encapsulation frame-relay'') on the serial interface
that's running frame relay if your frame relay network contains a
diverse set of manufacturers' routers. The default (no keyword) is
cisco's own proprietary frame relay encapsulation; the keyword ``ietf''
selects the IETF multiprotocol encapsulation (RFC1490, which superseded
RFC1294) that other vendors' routers expect. (Some products, notably
Novell MPR 2.11, follow a practice sanctioned by 1294 but deemed
verboten by 1490, namely padding of the NLPID, and may still need
attention.) If only a few routers in your frame relay cloud require
this, then you can use the default encapsulation on the interface and
specify the exceptions per DLCI with the frame-relay map command:
frame-relay map ip 10.1.2.3 56 broadcast ietf
^^^^
(ietf stands for Internet Engineering Task Force, the body which
evaluates Standards-track RFCs; both RFC1294 and RFC1490 are IETF
documents, but 1490 is the more recent and is a Draft Standard (DS),
whereas 1294 is a Proposed Standard (one step beneath a DS) and is
effectively obsolete.)
**************************************************************************
From: Question 9
Date: 26 July 1994
Subject: How can I use debugging?
sl-panix-1>sh logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 66 messages logged
Monitor logging: level debugging, 0 messages logged
Trap logging: level debugging, 69 message lines logged
Logging to 198.7.0.2, 69 message lines logged
sl-panix-1>
If you have syslog going to a host somewhere and then start a nice long
debug session from a terminal, your box is doing double work, sending
every debug message to your syslog server as well. Additionally, if you
turn on something that provides copious debugging output, be careful
that you don't overflow the syslog host's disk (``debug ip-rip'' is
notorious for this).
One solution is to send only severity ``info'' (6) and more severe
messages to the syslog host, which leaves out the debug-level (7)
output:
sl-panix-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
logging trap info
The other solution is to just be careful and remember to turn off
debugging. This is easy enough with:
sl-panix-1#undebug all
If you have a heavily loaded box, you should be aware that debugging
can load your router. The console has a higher priority than a vty so
don't debug from the console; instead, disable console logging:
cix-west.cix.net#conf t
Enter configuration commands, one per line. End with CNTL/Z.
no logging console
Then always debug from a vty. If the box is busy and you are a little
too vigorous with debugging and the box is starting to sink, quickly
run, don't walk, to your console and kill the session on the vty. If
you are on the console your debugging has top priority and then the
only way out is the power switch. This of course makes remote
debugging a real sweaty palms adventure, especially on a crowded box.
Caveat debugger!
Also, if you for some reason forget what the available debug commands
are and don't have a manual handy, remember that's what on-line help
is for. Under pre 9.21 versions, ``debug ?'' lists all commands. Under
9.21 and above, that gives you general categories, and you can check
for more specific options by specifying the category: ``debug ip ?''.
As a warning, the ``logging buffered'' feature causes all debug
streams to be redirected to an in-memory buffer, so be careful using
that.
Lastly, if you're not sure what debugging criteria you need, you can
try ``debug all''. BE CAREFUL! It is way useful, but only in a very
controlled environment, where you can turn off absolutely everything
you're not interested in. Saves a lot of thinking. Turning it on on
a busy box can quickly cause meltdown.
**************************************************************************
From: Question 10
Date: 5 July 1994
Subject: How can I use NTP (Network Time Protocol) with my cisco?
>What level of software is required for NTP support in
>a cisco router?
9.21 or above.
>Which cisco routers support NTP?
It is a software feature exclusively. Anything that supports
9.21 or 10 will run NTP (when running that s/w).
>How do I set it up?
The basic hook is:
ntp server <host> [version n]
or
ntp peer <host> [version n]
depending on whether you want a client/server or peer relationship.
There's a bunch of other stuff available for MD5 authentication,
broadcast, access control, etc. You can also use the
context-sensitive help feature to puzzle it out; try ``ntp ?'' in
config mode.
You'll also want to play with the SHOW NTP * router commands. Here
are two examples.
EXAMPLE 1:
router# show ntp assoc
address ref clock st when poll reach delay offset disp
+~128.9.2.129 .WWVB. 1 109 512 377 97.8 -2.69 26.7
*~132.249.16.1 .GOES. 1 309 512 357 55.4 -1.34 27.5
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
EXAMPLE 2:
router#show ntp stat
Clock is synchronized, stratum 2, reference is 132.249.16.1
nominal freq is 250.0000 Hz, actual freq is 249.9981 Hz, precision is 2**19
reference time is B1A8852D.B69201EE (12:36:13.713 PDT Tue Jun 14 1994)
clock offset is -1.34 msec, root delay is 55.40 msec
root dispersion is 41.29 msec, peer dispersion is 28.96 msec
For particular cisco NTP questions, feel free to ask in comp.dcom.sys.cisco.
For broader NTP info, see ftp://louie.udel.edu:pub/ntp/doc. The file
clock.txt in that directory has info about various public NTP servers.
There is also information on radio time receivers that can be
connected to an NTP server (this is handy on private networks, if you
have an entire campus to get chiming, or if you become a hard core
chimer).
The ``ntp clock-period'' command is added automagically to jump-start
the NTP frequency compensation when the box is rebooted. This is
essentially a representation of the frequency of the crystal used as
the local timebase, and may take several days to calculate otherwise.
(Do a ``write mem'' after a week or so to save a good value.)
Caveat of obsolescence: Note that the CS-500 will not be able to
achieve quite the same level of accuracy as other platforms, since its
hardware clock resolution is roughly 242Hz instead of the 1MHz
available on other platforms. In practice this shouldn't matter for
anyone other than true time geeks.
**************************************************************************
From: Question 11
Date: 5 July 1994
Subject: Sample cisco NTP Configurations
You will need to substitute your own NTP peers, timezones, and GMT
offsets into the examples below, of course. Example 1 is in US Central
Time Zone, while example 3 is in US Pacific Time Zone. Both account
for normal US Daylight Savings Time practices.
EXAMPLE 1 (Charley Kline):
...
clock timezone CST -6
clock summer-time CDT recurring
ntp source eth 0
ntp peer <host1>
ntp peer <host2>
ntp peer <host3>
...
**************************************************************************
From: Question 12
Date: 5 July 1994
Subject: How do I avoid the annoying DNS lookup if I have misspelled a command?
By default, all lines are configured to automatically try a telnet
connection if the first word in a input line is not recognized as a
valid command. You can disable this by setting ``transport preferred
none'' on every line (con, aux and vty). For instance:
sl-panix-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
line vty 0 10
transport preferred none
You can see the number of vty's currently configured with ``show line''.
Also, you can suspend a connect attempt with ^^ followed by ``x'', ie
shift-cntrl-6 x.
If the router doesn't need to resolve host names at all, ``no ip
domain-lookup'' (global configuration) stops the DNS query and the wait
that goes with it, though the line will still treat the misspelled word
as a host name unless ``transport preferred none'' is set as well.
[It has been suggested that ``no ip ipname-lookup'' to turn off IEN116
helps. I think this is the default -jhawk ]
**************************************************************************
From: Question 13
Date: 31 Oct 1994
Subject: Tracing bad routing information
or: How do I find out which non-cisco systems on my networks generate IP-RIP
information without letting them mess up my routing tables.
Here you can work with the default administrative distance.
Administrative distance is the basis upon which the cisco prefers
routing information from one source over another. In this example:
router rip
network 192.125.254.0
distance 255
distance 120 192.125.254.17 ! list all valid RIP suppliers
[...]
the value 255 has the implicit meaning of not putting this information
into the routing table. Therefore, setting an administrative distance
of 255 means that all RIP suppliers are by default listened to, but their
information is not put into the routing table. The administrative
distance for the router 192.125.254.17 has been reset to the default
(for RIP) of 120, causing its routes to be accepted into the routing table.
Then you can look the senders up with ``show ip protocols'' and restore the
original administrative distance for the ones you want to fill in the
routing table.
The same result can be achieved with an ip access-list (applied with
``distribute-list''), but with that, ``show ip protocols'' will only show
the valid ones. But often it is more useful to see which systems were
generating routing information at all.
This trick works for other routing protocols as well, but please select
the proper administrative distance (rather than 120) for the protocol
you're using.
**************************************************************************
From: Question 14
Date: 5 July 1994
Subject: How to use access lists
[The following is wholesale included; at some point it'll
probably be edited a bit and reformatted... -jhawk ]
Frequently Asked Questions
contributed by Howard C. Berkowitz
PSC International
hcb@world.std.com
@clark.net [probably will be my permanent
personal account]
PSC's domain is in mid-setup
Where in the router are access lists applied?
IP Specific
-----------
Can the ``operand'' field be used with a protocol keyword of IP to filter
on protocol ID?
No. Operand filtering only works for TCP and UDP port numbers.
How can I prevent traffic for a certain Internet application from flowing
in one direction but not the other?
Remember that Internet applications flow from a client port to a server
port. Denying traffic to port 23, for example, blocks the flow from
telnet clients to the telnet servers behind that filter, and nothing else.
+-------------------+
| |
A----------->| |----------->B
|1 2|
<------------| |<-----------
| |
+-------------------+
If we deny traffic to Port 23 of address B by placing a filter at
interface 2, we have blocked A's ability to telnet to B, but not B's
ability to telnet to A. A second filter at interface 1 would be needed
to block telnet in both directions.
Assume that we only have the filter at interface 2. Telnets to A
from B will not be affected, because the filter at 2 only checks
traffic leaving through interface 2, and B's telnet is addressed to
A's port 23, not B's.
-------
With the arrival of inbound access lists in 9.21, it should be noted
that inbound and outbound access lists are about equally efficient, in
case any of you were wondering.
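To make the direction question concrete, here is an added example (mine, not from the FAQ, from Howard Berkowitz, or from cisco) that simulates the two-interface router in the diagram above with outbound access lists evaluated the way IOS evaluates them: top to bottom, first match wins, implicit deny at the end. It also enforces the point made earlier that a port operand is only meaningful with TCP or UDP, not with the IP keyword. The network numbers, hosts and packets are constructed; which side hangs off which interface is an assumption matching the picture.

```python
"""First-match packet-filter simulator for the two-interface router drawn
above.  Added example, not code from the FAQ or from cisco: it models how
an IOS access list is evaluated and which direction an outbound list on
one interface actually covers.  Addresses and packets are made up."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Assumed addressing: A's side hangs off interface 1, B's side off interface 2.
A_NET = ip_network("10.1.0.0/16")
B_NET = ip_network("10.2.0.0/16")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Entry:
    """One access-list line.  proto 'ip' matches any protocol; a port
    operand is only legal with tcp/udp, as the answer above notes."""
    action: str         # "permit" | "deny"
    proto: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None

    def __post_init__(self):
        if self.dport is not None and self.proto not in ("tcp", "udp"):
            raise ValueError("port operand is only valid for tcp/udp")

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in self.src or ip_address(p.dst) not in self.dst:
            return False
        return self.dport is None or p.dport == self.dport


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry decides; running off the end is an implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


def route(pkt: Packet, outbound_acls: dict) -> str:
    """Forward pkt through the router given {iface: [Entry, ...] or None}.
    A->B traffic exits interface 2, B->A traffic exits interface 1; an
    interface with no list applied passes everything (pre-9.21 model:
    outbound lists only)."""
    exit_if = 2 if ip_address(pkt.src) in A_NET else 1
    acl = outbound_acls.get(exit_if)
    if acl is None:
        return "forwarded"
    return "forwarded" if evaluate(acl, pkt) == "permit" else "dropped"


# Deny telnet *to* B's side, permit everything else; and the mirror for A.
DENY_TELNET_TO_B = [Entry("deny", "tcp", ANY, B_NET, dport=23),
                    Entry("permit", "ip", ANY, ANY)]
DENY_TELNET_TO_A = [Entry("deny", "tcp", ANY, A_NET, dport=23),
                    Entry("permit", "ip", ANY, ANY)]

ONLY_IF2 = {2: DENY_TELNET_TO_B}                       # filter at interface 2 only
BOTH_IFS = {1: DENY_TELNET_TO_A, 2: DENY_TELNET_TO_B}  # filters at 1 and 2

# Constructed sample packets.
A_TO_B_SYN = Packet("tcp", "10.1.0.5", "10.2.0.9", sport=40000, dport=23)  # A telnets to B
B_TO_A_SYN = Packet("tcp", "10.2.0.9", "10.1.0.5", sport=40001, dport=23)  # B telnets to A
A_REPLY = Packet("tcp", "10.1.0.5", "10.2.0.9", sport=23, dport=40001)     # A answering B

if __name__ == "__main__":
    for name, pkt in [("A->B telnet", A_TO_B_SYN), ("B->A telnet", B_TO_A_SYN),
                      ("A's reply to B", A_REPLY)]:
        print(f"{name:16s} filter at 2 only: {route(pkt, ONLY_IF2):9s} "
              f"filters at 1 and 2: {route(pkt, BOTH_IFS)}")
```

With the filter on interface 2 alone, A's telnet to B is dropped while B's telnet to A, and A's replies to it, go through; only the second list on interface 1 blocks telnet in both directions, which is exactly what the diagram is saying.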
**************************************************************************
From: Question 16
Date: 18 July 1994
Subject: Where can I get cisco hardware?
Try calling 800-553-NETS and asking for your local sales office.
That's probably the best plan.
**************************************************************************
From: Question 17
Date: 18 April 1995
Subject: Where can I get IETF documents (RFCs, STDs, etc.)?
Where and how to get new RFCs
RFCs may be obtained via EMAIL or FTP from many RFC Repositories. The
Primary Repositories will have the RFC available when it is first
announced, as will many Secondary Repositories. Some Secondary
Repositories may take a few days to make available the most recent
RFCs.
Primary Repositories:
Sweden
------
Host: sunic.sunet.se
Directory: rfc
Host: chalmers.se
Directory: rfc
Germany
-------
Site: EUnet Germany
Host: ftp.Germany.EU.net
Directory: pub/documents/rfc
France
------
Site: Institut National de la Recherche en Informatique
et Automatique (INRIA)
Address: info-server@inria.fr
Notes: RFCs are available via email to the above
address. Info Server manager is Mireille
Yamajako (yamajako@inria.fr).
Netherlands
-----------
Site: EUnet
Host: mcsun.eu.net
Directory: rfc
Notes: RFCs in compressed format.
France
------
Site: Centre d'Informatique Scientifique et Medicale
(CISM)
Contact: ftpmaint@univ-lyon1.fr
Host: ftp.univ-lyon1.fr
Directories: pub/rfc/* Classified by hundreds
pub/mirrors/rfc Mirror of Internic
Notes: Files compressed with gzip. Online
decompression done by the FTP server.
Finland
-------
Site: FUNET
Host: funet.fi
Directory: rfc
Notes: RFCs in compressed format. Also provides
email access by sending mail to
archive-server@funet.fi.
Norway
------
Host: ugle.unit.no
Directory: pub/rfc
Denmark
-------
Site: University of Copenhagen
Host: ftp.denet.dk
Directory: rfc
United States
-------------
Site: cerfnet
Contact: help@cerf.net
Host: nic.cerf.net
Directory: netinfo/rfc
Site: NASA NAIC
Contact: rfc-updates@naic.nasa.gov
Host: naic.nasa.gov
Directory: files/rfc
Site: NIC.DDN.MIL (DOD users only)
Contact: NIC@nic.ddn.mil
Host: NIC.DDN.MIL
Directory: rfc/rfcnnnn.txt
Note: DOD users only may obtain RFC's via FTP
from NIC.DDN.MIL. Internet users should NOT
use this source due to inadequate connectivity.
Site: uunet
Contact: James Revell <revell@uunet.uu.net>
Host: ftp.uu.net
Directory: inet/rfc
UUNET Archive
-------------
UUNET archive, which includes the RFC's, various IETF documents,
and other information regarding the internet, is available to the
public via anonymous ftp (to ftp.uu.net) and anonymous uucp, and
will be available via an anonymous kermit server soon. Get the
file /archive/inet/ls-lR.Z for a listing of these documents.
Any site in the US running UUCP may call +1 900 GOT SRCS and use
the login "uucp". There is no password. The phone company will
bill you at $0.50 per minute for the call. The 900 number only
works from within the US.
**************************************************************************
From: Question 18
Date: 22 April 1996
Subject: Future features in cisco software
[This could be more fleshed out (still!)]
Kerberos and RADIUS in 11.1
RIP version 2 in 11.1 (allows VLSM, etc.)
Policy-based routing (routing based on source address or interface, or just
about anything else you want) in 11.0 *released*
PPP Multilink in 11.0(3) *released*
Frame Relay payload compression in 11.0(4) *released*
IPX Per-Host load balancing in 11.1
**************************************************************************
From: Question 19
Date: 27 July 1994
Subject: How do cisco routers rate performance-wise?
People often ask about the performance of cisco routers, and we tend to
shy away from answering because we don't know where to send them.
Scott Bradner keeps the results of his performance tests on the
Internet. You can find them for ftp on the system hsdndev.harvard.edu
in the /pub/ndtl. There is a README file in that directory that
explains what is available. In addition, cisco has just started
publishing a piece of literature called ``The Harvard Benchmark Test
Results: Summary of cisco Systems Performance''. The only number I
can find on the doc is Lit. #700901. Don't know if you can order it
by this number, but at least there's a title to go on.
**************************************************************************
From: Question 20
Date: 22 April 1996
Subject: How are packets switched?
There are 3 basic types of switching (in order of increasing performance).
process switching
fast switching
autonomous switching
Process and fast switching support inbound and outbound, simple and
extended, access lists. Of course, for fast switching, such lists only
restrict traffic on the particular fast-switched interface.
Autonomous switching is done in the switch processor, a microcoded device that
is capable of switching IP, IPX, and bridging packets in the 100kpps range.
This is known as the "SP" card on the 7000 and the CBUS controller on the AGS+.
Encapsulation support is rather limited (Ethernet, HDLC, HSSI...).
The cisco 7000 also supports:
silicon switching
Silicon switching is done in the silicon switching engine (creative, eh? ;-).
The silicon switch processor (SSP) is the board which combines both the
switch processor and a silicon switching engine.
The SSP supports simple and extended outbound access lists in 10.3 and later.
The SSP supports simple and extended inbound access lists in 11.1 and later.
The cisco 75xx series supports:
"optimal" switching (cruddy name, eh?)
"flow" switching
"distributed" switching
* "optimal" switching (cruddy name, eh?)
The 7500 platform does not have a separate SP or SSP card, rather the RISC
processor on the "integrated route/switch processor card (IRSP)" handles
switching directly, similar to the 4000 series routers. There are several
hardware and software enhancements made though to increase the throughput to
a level that is several times above what you would normally get from "fast"
switching. Everything that "fast" switching supports is supported in
"optimal" switching.
* "flow" switching
Basically the "optimal" switching method, however things have been front-ended
with an additional small "flow" cache. This flow cache contains information
about source/destination addresses & ports which allow the router to make more
informed queueing decisions and process access lists faster. This is a win in
routers that would tend to carry a reasonably small number of flows at any one
time, such as what you would expect in a corporate network or in a smaller
internet service provider network. It's unclear if there are any advantages
in a large internet backbone.
* "distributed" switching
cisco has announced a new type of interface-processor card, called a "VIP"
available in the 7500 platform that is intelligent enough to switch packets
with no intervention on the part of the IRSP card. This once again separates
switching from routing, as in the earlier CBUS/SP/SSP design.
There are some undocumented commands that are useful for obtaining
per-interface statistics on what sort of switching was performed.
For instance:
frobozz-magic-robot>sh int atm4/0 switch
ATM4/0
          Throttle count:          0
       Protocol  Path       Pkts In   Chars In   Pkts Out  Chars Out
             IP  Process     104851    7669968     116378   11180988
                 Cache misses 35826
                 Fast             0          0          0          0
                 Auton/SSE        0          0          0          0
frobozz-magic-robot>sh int atm4/0 stat
ATM4/0
       Switching path       Pkts In   Chars In   Pkts Out  Chars Out
            Processor        105024    7679155     116422   11184108
      Route cache/FIB             0          0          0          0
    Distributed cache             0          0          0          0
                Total        105024    7679155     116422   11184108
**************************************************************************
From: Question 21
Date: 31 October 1994
Subject: How does one interpret buffer statistics?
Buffer statistics may be obtained with:
mit2-gw.near.net>sh buffers
Buffer elements:
     433 in free list (500 max allowed)
     82320311 hits, 0 misses, 0 created
Small buffers, 104 bytes (total 202, permanent 120):
     185 in free list (20 min, 250 max allowed)
     34289219 hits, 4297 misses, 1307 trims, 1389 created
Middle buffers, 600 bytes (total 104, permanent 90):
     102 in free list (10 min, 200 max allowed)
     6829533 hits, 1432 misses, 483 trims, 497 created
Big buffers, 1524 bytes (total 90, permanent 90):
     90 in free list (5 min, 300 max allowed)
     3403884 hits, 56 misses, 1 trims, 1 created
Large buffers, 5024 bytes (total 5, permanent 5):
     5 in free list (0 min, 30 max allowed)
     49984 hits, 13 misses, 20 trims, 20 created
Huge buffers, 18024 bytes (total 0, permanent 0):
     0 in free list (0 min, 4 max allowed)
     0 hits, 0 misses, 0 trims, 0 created
5683 failures (0 no memory)
You can interpret them:
  Total   Number of buffers of that size that exist.
  Free    Number of free buffers.
  Max     Maximum size that the free list can grow to before we start
          throwing them away.
  Hit     Buffer got used.
  Miss    Someone requested a buffer and we had to go carve it up out of
          free memory. If we couldn't because we were at interrupt
          level, it's also an allocation failure. If we couldn't
          because we were out of memory, then it's also a ``no memory''
          failure.
  Trim    There are more free buffers on the free list than there need
          to be and we threw some away.
  Create  Number of buffers we created after a miss.
**************************************************************************
From: Question 22
Date: 22 April 1996
Subject: How should I restrict access to my router?
Many admins are concerned about unauthorized access to their routers
from malicious people on the Internet; one way to prevent this
is to restrict access to your router on the basis of the source IP address.
Many people do this. When this answer was written a significant number
of network service providers allowed unrestricted login to their routers
so that others could debug, examine routes, etc. That practice is now
rare, and a login prompt reachable from the whole Internet is generally
treated as a risk rather than a courtesy, so the rest of this answer
assumes you want to restrict it.
If you wish to restrict access to your router, select a free standard IP
access list (numbered 1-99; 100-199 are extended lists) -- enter
``sh access-list'' to see those numbers in use.
yourrouter#sh access-list
Standard IP access list 5
permit 192.94.207.0, wildcard bits 0.0.0.255
Next, enter the IP addresses you wish to allow access to your router
from; remember that access lists contain an implicit "deny everything"
at the end, so there is no need to include that. In this case, 30
is free:
yourrouter#conf t
Enter configuration commands, one per line. End with CNTL/Z.
yourrouter(config)#access-list 30 permit 172.30.0.0 0.0.255.255
yourrouter(config)#^Z
(This permits all IP addresses in the network 172.30.0.0, i.e. 172.30.*.*.
The second field is a wildcard mask, not a subnet mask: a 1 bit means
"don't care", so 0.0.255.255 matches the whole /16.)
Enter multiple lines for multiple addresses; be sure that you don't
restrict the address you may be telnetting to the router from.
Next, examine the output of ``sh line'' for all the vty's (Virtual ttys)
that you wish to apply the access list to. In this example, I want
lines 2 through 12:
yourrouter#sh line
 Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns
   0 CTY              -    -      -    -    -      0       0       0/0
   1 AUX   9600/9600  -    -      -    -    -      1 3287605       1/0
*  2 VTY   9600/9600  -    -      -    -    7     55       0       0/0
   3 VTY   9600/9600  -    -      -    -    7      4       0       0/0
   4 VTY   9600/9600  -    -      -    -    7      0       0       0/0
   5 VTY   9600/9600  -    -      -    -    7      0       0       0/0
   6 VTY   9600/9600  -    -      -    -    7      0       0       0/0
   7 VTY   9600/9600  -    -      -    -    7      0       0       0/0
   8 VTY   9600/9600  -    -      -    -    7      0       0       0/0
   9 VTY   9600/9600  -    -      -    -    7      0       0       0/0
  10 VTY   9600/9600  -    -      -    -    7      0       0       0/0
  11 VTY   9600/9600  -    -      -    -    -      0       0       0/0
  12 VTY   9600/9600  -    -      -    -    -      0       0       0/0
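The answer above stops before the list is applied. As an added example that is not part of the original FAQ, the Python below models a standard IOS access list with its wildcard-mask matching and implicit deny, refuses to emit a configuration that would lock out the addresses you manage from (the mistake the answer warns about), and prints the remaining configuration: ``access-class 30 in'' under ``line vty''. Two caveats are built in. Standard lists are numbered 1-99. And ``line vty'' takes relative numbers while ``sh line'' shows absolute ones, so the eleven VTYs listed as lines 2-12 above are ``line vty 0 10''; in that same output the AccI column shows list 7 already inbound on lines 2-10 and nothing on 11-12, and any VTY left without an access-class stays open to everyone. Class, function and variable names are my own.

```python
import ipaddress


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


class StandardAcl:
    """A numbered standard IP access list with IOS semantics: entries are
    tried in order, a 1 bit in the wildcard mask means "don't care" (the
    opposite of a subnet mask), and a source matching no entry falls
    through to the implicit deny at the end."""

    def __init__(self, number):
        if not 1 <= number <= 99:
            raise ValueError("standard IP access lists are numbered 1-99")
        self.number = number
        self.entries = []

    def add(self, action, address, wildcard="0.0.0.0"):
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action {action!r}")
        self.entries.append((action, address, wildcard))
        return self

    def permits(self, source):
        s = _ip(source)
        for action, address, wildcard in self.entries:
            care = ~_ip(wildcard) & 0xFFFFFFFF      # bits that must match
            if (s ^ _ip(address)) & care == 0:
                return action == "permit"
        return False  # implicit "deny any" at the end of every list

    def config_lines(self):
        return [f"access-list {self.number} {a} {addr} {wc}"
                for a, addr, wc in self.entries]


def vty_access_config(acl, vty_count, admin_sources):
    """IOS lines that create the list and apply it inbound to every VTY.

    vty_count is the number of VTY lines on the box (11 for absolute
    lines 2-12 in the sh line output above); admin_sources are the
    addresses you log in from, and the function refuses to lock them out."""
    locked_out = [src for src in admin_sources if not acl.permits(src)]
    if locked_out:
        raise ValueError(f"these management sources would be locked out: {locked_out}")
    return acl.config_lines() + [f"line vty 0 {vty_count - 1}",
                                 f" access-class {acl.number} in"]


if __name__ == "__main__":
    acl = StandardAcl(30).add("permit", "172.30.0.0", "0.0.255.255")
    for line in vty_access_config(acl, 11, ["172.30.1.1"]):
        print(line)
```

Paste the printed lines in after ``conf t''. Apply the same list to the AUX line if a modem is attached to it, and remember that a source-address filter only raises the bar: it does nothing against spoofed or on-path traffic, so it complements, rather than replaces, passwords on the lines.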
**************************************************************************
From: Question 28
Subject: What IP routing protocol should I use?
[The comparison table that the following legend describes is missing from
this copy of the FAQ; only the legend survives.]
Algorithms
----------
DUAL  DV with diffusing update algorithm (Garcia-Luna-Aceves et al)
DV    Distance Vector (Bellman-Ford)
PV    "Path Vector"
SPF   Shortest-path-first (Dijkstra)
Metrics
-------
A metric is how the protocol measures the network to determine the
"best" path.
"Speed" refers typically to link speed, not available bandwidth.
"Arb." indicates that the metrics are arbitrary and configurable.
HELLO tried to use available bandwidth by monitoring round-trip delay,
but was not generally successful at this.
Metrics are not directly exchangeable when redistributing routing
information from one protocol to another. IGRP and EIGRP use
compatible and automatically convertible metrics.
Convergence
-----------
Qualitatively, convergence measures how fast routers using this
protocol will adapt to changes in the topology of the network.
"Unstb" indicates a protocol which in general never decided on a
stable configuration but continually oscillated between alternatives.
Complexity
----------
An observation of how complex the protocol is to implement.
Multipath
---------
Multipath indicates whether the protocol supports and transports
multiple equal- or different-cost paths between endpoints.
[*] indicates that BGP4 supports multipath for IBGP (Internal BGP, a
full mesh of all border routers within an AS), but not for EBGP
(External BGP).
Variable netmask (Var-netmask)
------------------------------
Indicates whether the protocol allows for and transports different
masks for the subnets of a routed network.
**************************************************************************
From: Question 29
Date: 18 April 1995
Subject: How do I interpret the output of ``show version''?
Typing ``show version'' or ``show hardware'' yields a response like:
prospect-gw.near.net>sh version
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GS7), Experimental Version 10.2(11829) [pst 113]
System-type (imagename) Version major.minor(release.interim)[who] Desc
System-type: type of system the software is designed to run on.
imagename: The name of the image. This is different (slightly) for
run-from-rom, run-from-flash, and run-from-ram images, and also
for subset images which both were and will be more common.
"Version": text changes slightly. For example, if an engineer gives you
a special version of software to try out a bug fix, this will say
experimental version.
Major: Major version number. Changes (in theory) when there have been
major feature additions and changes to the software.
Minor: minor version number. Smaller but still significant features added.
(in reality, cisco is not very sure what the difference between
"major" and "minor" is, and sometimes politics gets in the way,
but either of these "incrementing" indicates feature additions.)
EXCEPT: 9.14, 9.17, and 9.1 are all somewhat similar. 9.1 is
the base, 9.14 added special features for low-end systems, 9.17
added special features specific to the high end (cisco 7000). This
was an experiment that we are trying not to repeat.
release: increments (1 2 3 4 ...) for each maintenance release of released
software. Increments for every compile in some other places.
interim: increments on every build of the "release tree", which happens
weekly for each release, but is only made into a generically
shipping maintenance release every 7 to 8 weeks or so.
[who]: who built it. Has "fc 1" or similar for released software;
has something like [billw 101] for test software built by Bill
Westfield (billw@cisco.com).
Desc: additional description.
The idea is that the image name and version number UNIQUELY identify
a set of sources and debugging information somewhere back at cisco,
should anything go wrong.
Copyright (c) 1986-1995 by cisco Systems, Inc.
Compiled Thu 09-Mar-95 23:54 by tli
Image text-base: 0x00001000, data-base: 0x00463EB0
Copyright, compilation date (and by whom), as well as the
starting address of the image.
ROM: System Bootstrap, Version 5.0(7), RELEASE SOFTWARE
ROM: GS Software (GS7), Version 10.0(7), RELEASE SOFTWARE (fc1)
The version of ROM bootstrap software, and the version of IOS
in ROM.
prospect-gw.near.net uptime is 2 weeks, 4 days, 18 hours, 38 minutes
System restarted by reload
How long the router has been up, and why it restarted.
System image file is "sse-current", booted via flash
How the router was booted.
RP (68040) processor with 16384K bytes of memory.
Type of processor.
G.703/E1 software, Version 1.0.
X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
Bridging software.
ISDN software, Version 1.0.
Various software options compiled in.
1 Silicon Switch Processor.
2 EIP controllers (8 Ethernet).
2 FSIP controllers (16 Serial).
1 MIP controller (1 T1).
8 Ethernet/IEEE 802.3 interfaces.
16 Serial network interfaces.
128K bytes of non-volatile configuration memory.
4096K bytes of flash memory sized on embedded flash.
Hardware configuration.
Configuration register is 0x102
Lastly, the "configuration register", which may be set via
software in current releases (``config-register 0x...'' in configuration
mode). It controls how the router boots; in particular bit 0x40 makes
IOS ignore the configuration in NVRAM, which is how password recovery
works. After any recovery, check that the register has been put back
(0x2102 is the usual value on later platforms); otherwise the router
comes up unconfigured, and unprotected, on its next reload.
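As an added example, not part of the original FAQ, the Python below pulls the fields explained above out of ``sh version'' text and decodes the configuration register bits that matter operationally: the boot field (bits 0-3), 0x0040 ignore NVRAM, 0x0100 Break disabled, and 0x2000 boot the ROM image if a network boot fails. The sample is assembled from the output quoted in this answer; the field names, the ``config_register_findings'' checks and the message wording are my own.

```python
import re

# Constructed sample, assembled from the "sh version" lines quoted in this
# FAQ answer (other IOS releases vary the wording slightly).
SAMPLE = """\
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GS7), Experimental Version 10.2(11829) [pst 113]
Copyright (c) 1986-1995 by cisco Systems, Inc.
Compiled Thu 09-Mar-95 23:54 by tli
Image text-base: 0x00001000, data-base: 0x00463EB0
ROM: System Bootstrap, Version 5.0(7), RELEASE SOFTWARE
ROM: GS Software (GS7), Version 10.0(7), RELEASE SOFTWARE (fc1)
prospect-gw.near.net uptime is 2 weeks, 4 days, 18 hours, 38 minutes
System restarted by reload
System image file is "sse-current", booted via flash
RP (68040) processor with 16384K bytes of memory.
128K bytes of non-volatile configuration memory.
Configuration register is 0x102
"""

# System-type (imagename) Version major.minor(release.interim)[who] Desc
VERSION_RE = re.compile(
    r"^IOS \(tm\) (?P<image>.+?), (?P<experimental>Experimental )?Version "
    r"(?P<major>\d+)\.(?P<minor>\d+)\((?P<release>\d+)(?:\.(?P<interim>\d+))?\)"
    r"(?P<rest>.*)$")
UPTIME_RE = re.compile(r"^(?P<host>\S+) uptime is (?P<uptime>.+)$")
RESTART_RE = re.compile(r"^System restarted by (?P<reason>.+)$")
IMAGE_RE = re.compile(r'^System image file is "(?P<file>[^"]+)", booted via (?P<via>\w+)')
CONFREG_RE = re.compile(r"^Configuration register is 0x(?P<reg>[0-9A-Fa-f]+)")

# Configuration register bits, as documented for IOS.
BOOT_FIELD = 0x000F              # 0 = ROM monitor, 1 = boot ROM image, 2-F = boot system commands
IGNORE_NVRAM = 0x0040            # startup configuration ignored (the password-recovery setting)
BREAK_DISABLED = 0x0100          # console Break cannot interrupt the boot
BOOT_ROM_ON_NETBOOT_FAIL = 0x2000


def parse_show_version(text):
    """Pick the fields this FAQ answer explains out of sh version output."""
    info = {}
    for line in text.splitlines():
        if (m := VERSION_RE.match(line)):
            info["image"] = m["image"]
            info["experimental"] = m["experimental"] is not None
            info["version"] = tuple(int(x) for x in (m["major"], m["minor"], m["release"]))
            info["interim"] = int(m["interim"]) if m["interim"] else None
            who = re.search(r"\[([^\]]+)\]", m["rest"])
            info["who"] = who.group(1) if who else None
        elif (m := UPTIME_RE.match(line)):
            info["hostname"], info["uptime"] = m["host"], m["uptime"]
        elif (m := RESTART_RE.match(line)):
            info["restart_reason"] = m["reason"]
        elif (m := IMAGE_RE.match(line)):
            info["image_file"], info["booted_via"] = m["file"], m["via"]
        elif (m := CONFREG_RE.match(line)):
            info["config_register"] = int(m["reg"], 16)
    return info


def decode_config_register(value):
    return {
        "boot_field": value & BOOT_FIELD,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boot_rom_on_netboot_failure": bool(value & BOOT_ROM_ON_NETBOOT_FAIL),
    }


def config_register_findings(value):
    """Register settings an operator should notice before walking away."""
    bits = decode_config_register(value)
    out = []
    if bits["ignore_nvram"]:
        out.append(f"0x{value:04x}: NVRAM configuration is ignored on boot "
                   "(the setting password recovery uses)")
    if bits["boot_field"] == 0:
        out.append(f"0x{value:04x}: boot field 0, router stops in ROM monitor")
    if not bits["break_disabled"]:
        out.append(f"0x{value:04x}: console Break can interrupt the boot")
    return out


if __name__ == "__main__":
    info = parse_show_version(SAMPLE)
    print(info)
    print(decode_config_register(info["config_register"]))
    print(config_register_findings(info["config_register"]) or ["register looks normal"])
```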
**************************************************************************
From: Question 30
Date: 22 April 1996
Subject: What is the maximum number of Frame Relay PVCs?
This is covered fairly thoroughly in Product Info/Product
Bulletin/Frame Relay Broadcast Queue, Cisco Product Bulletin # 256,
available on CIO.
Via the web (requires CIO username and password)
http://cio.cisco.com/warp/customer/417/38.html
An excerpt:
(Virtual Interfaces)
It should be noted that in the IOS (Internetworking Operating System)
10.0 software there is a limit of 256 Virtual and physical
interfaces. Hence, if each DLCI is given its own virtual interface,
the router is limited to 256 DLCIs. This restriction is expected to be
removed in a future release.
In most scenarios, it is not necessary that each DLCI have its own
Virtual Interface. In particular, IP has the facility which allows
disabling of split-horizon routing and hence does not require Virtual
Interfaces to support partial mesh topologies.
(Appendix 1: How many DLCIs Can Cisco Support on an Interface?)
This question is similar to the question of how many PCs can you put
on an Ethernet. In general, you can put a lot more than you should
given performance and availability constraints.
When dimensioning a router in a large network, the following issues
should be considered:
DLCI Address Space: The only hard limit is the roughly 1000 DLCIs
(1024 values) allowed by the 10-bit DLCI field in the Frame Relay
frame header.
LMI Status Update: The LMI protocol requires that all status reports
fit into a single packet and generally limits the number of DLCIs to
less than 800:
    Max DLCIs (approx) = (MTU - 20) / 5
where MTU is the MTU size in bytes on the Frame Relay link.
**************************************************************************
From: Question 31
Date: 18 April 1995
Subject: How much memory is necessary to telnet to a cisco router?
In order to login to a cisco router, it needs to have at least 64k
of contiguous free memory.
**************************************************************************
From: Question 32
Date: 18 April 1995
Subject: Where can I purchase flash RAM?
There are two varieties for the 2500 series:
  MEM-1X8F   8 MB  (one  8 MB flash SIMM)
  MEM-2X8F  16 MB  (two  8 MB flash SIMMs)
The SIMM itself is cisco part number 16-0975-01:
  Description: IC, FEPROM, 2Mx32, 100ns, SIM80   SC: P  REV: A0  S/UM: EA  P/UM: EA
  Manufacturer's part code: SM732C2000B-10  (SMART MODULE, KITTING01)
*******************************************************************************
*******************************************************************************
Start of rev 2.00 section!
*******************************************************************************
*******************************************************************************
**************************************************************************
From: Question 39
Date: 02 February 2002
Subject: Flash upgrade issues for Cisco 2500 series routers
Answer by: Terry Kennedy <terry@gate.tmk.com>
> When I remove the original flash and replace it with either one or both of
> the new flash chips, I get the following error on boot up and the router ends
> up in boot mode:
> ERR: Invalid chip id 0x80B5 (reversed = 0x1AD ) detected in System flash
This has to be the most common FAQ for this group. You have non-Intel
flash chips on your new SIMMs and boot ROMs that are too old to know about
the different access method for the flash chips you have.
You need to either get the (free, call TAC) BOOT-2500= ROM upgrade from
Cisco, or exchange the flash SIMMs for ones using Intel chips. Note that
Intel no longer makes those chips, which is why everybody has this problem.
**************************************************************************
From: Question 40
Date: 02 February 2002
Subject: How do I prevent my switch ports from going into ErrDisable state?
Answer by: "bt" <@speakeasy.org>
The 2 commands that are in the newer CatOS (5.4+) to automatically recover from
errdisable are:
* set errdisable-timeout enable <reason>
* set errdisable-timeout interval <seconds>
the <reason> can be 1) bpdu-guard, 2) channel-misconfig, 3) duplex-mismatch,
4) udld 5) other and 6) all.
The <seconds> defaults to 300 seconds, you could make that more aggressive,
down to 30.
If you want, you can disable the error detection as well:
* set errordetection portcounters disable
By default it's on for portcounters and disabled for memory and inband
management.
But please keep in mind that you need to fix the problem. The ports are going
into ErrDisable mode for a reason!
**************************************************************************
From: Question 41
Date: 02 February 2002
Subject: How do I configure a router to act as a Frame-Relay Switch?
Answer by: From: "BM" <bmorgan@dont.spam.me.ieee.org>
config t
!
frame-relay switching
!
interface Serial0
no ip address
no keepalive
encapsulation frame-relay
clockrate 64000
frame-relay intf-type dce
! In the config below, the 102 is the DLCI that will be
! presented to the router connected to this - S0 -
! interface. 201 is the DLCI that is mapped to S1
frame-relay route 102 interface Serial1 201
frame-relay route 103 interface Serial2 301
interface Serial1
no ip address
no keepalive
encapsulation frame-relay
clockrate 64000
frame-relay intf-type dce
frame-relay route 201 interface Serial0 102
frame-relay route 203 interface Serial2 302
interface Serial2
no ip address
no keepalive
encapsulation frame-relay
clockrate 64000
frame-relay intf-type dce
frame-relay route 301 interface Serial0 103
frame-relay route 302 interface Serial1 203
                  ________              ______
                 | FR SW  |_S2______S0_|  R3  |
                 |________|             |______|
               S0 /      \ S1
                 /        \
                /          \
        S0 ___/___      ____\___S0
          |  R1   |    |  R2    |
          |_______|    |________|
R1 S0, R2 S0 and R3 S0 will be on the same subnet. You can treat it as p2mp.
I put all the DCE ends of the cables on the Frame Switch, so clock rate is
defined there. However, this is not a requirement. The FR Switch router
does not need to have the DCE end. Regardless of the gender of the cable,
however, the "frame-relay intf-type dce" is required. I defined the DLCIs
as Source Router + 0 + Destination Router. So if the circuit goes from
R1 to R3 it's DLCI 103. From R3 to R1 it's DLCI 301. You get the idea.
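As an added check (not part of the posted answer), the Python below parses a frame-relay switch configuration like the one above and verifies the two things that make it work: every ``frame-relay route'' has a matching return route on the far interface (a PVC switched one way only passes traffic one way), and every interface that carries a PVC has ``frame-relay intf-type dce''. The sample is the configuration posted above with the stray "1" on the comment line corrected to "!"; the function names are my own.

```python
import re

# Constructed sample: the frame-relay switch configuration posted in this answer.
CONFIG = """\
frame-relay switching
!
interface Serial0
 no ip address
 no keepalive
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 102 interface Serial1 201
 frame-relay route 103 interface Serial2 301
interface Serial1
 no ip address
 no keepalive
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 201 interface Serial0 102
 frame-relay route 203 interface Serial2 302
interface Serial2
 no ip address
 no keepalive
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 301 interface Serial0 103
 frame-relay route 302 interface Serial1 203
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ROUTE_RE = re.compile(r"^\s*frame-relay route (\d+) interface (\S+) (\d+)")


def parse_fr_switch(config):
    """Return (routes, dce, switching): routes maps
    (in_interface, in_dlci) -> (out_interface, out_dlci), dce is the set of
    interfaces configured as Frame Relay DCE, and switching says whether the
    global 'frame-relay switching' line is present."""
    routes, dce, switching, iface = {}, set(), False, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "frame-relay switching":
            switching = True
        elif (m := IFACE_RE.match(raw)):
            iface = m.group(1)
        elif iface and line == "frame-relay intf-type dce":
            dce.add(iface)
        elif iface and (m := ROUTE_RE.match(raw)):
            in_dlci, out_iface, out_dlci = m.groups()
            key = (iface, int(in_dlci))
            if key in routes:
                raise ValueError(f"DLCI {in_dlci} routed twice on {iface}")
            routes[key] = (out_iface, int(out_dlci))
    return routes, dce, switching


def check_fr_switch(routes, dce, switching):
    """List of problems; an empty list means every PVC is wired both ways."""
    problems = []
    if not switching:
        problems.append("global 'frame-relay switching' is missing")
    for (in_if, in_dlci), (out_if, out_dlci) in routes.items():
        # The far end must route the same pair back to us.
        if routes.get((out_if, out_dlci)) != (in_if, in_dlci):
            problems.append(f"{in_if} DLCI {in_dlci} -> {out_if} DLCI {out_dlci} "
                            "has no matching return route")
    used = {i for i, _ in routes} | {o for o, _ in routes.values()}
    for name in used:
        if name not in dce:
            problems.append(f"{name} carries PVCs but lacks 'frame-relay intf-type dce'")
    return sorted(problems)


if __name__ == "__main__":
    routes, dce, switching = parse_fr_switch(CONFIG)
    for key, value in sorted(routes.items()):
        print(f"{key[0]} DLCI {key[1]:4d} -> {value[0]} DLCI {value[1]}")
    print(check_fr_switch(routes, dce, switching) or ["switch config is consistent"])
```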
**************************************************************************
From: Question 42
Date: 02 February 2002
Subject: What are the different types of memory used by Cisco Routers?
Answer by: Michael Shorts <mshorts@cisco.com>
The 2500 Series and 7204 VXR have the same types of memory, but they are
implemented in different physical packages:
ROMMON - This is the initial bootstrap for the router.
Boot Helper - This is a subset of IOS that is used to update software or
network boot. The 2500 implements the ROMMON and boot helper in a set of two
ROMs. The 7204VXR has ROMMON in a ROM and boot helper in a piece of flash
memory on the I/O controller called boot flash.
Main memory - This is used to hold routing tables, and IOS variables. In the
7204 VXR, IOS itself is also resident in main memory. The 2500 Series
usually runs the IOS directly in flash.
Shared memory - This is the memory that holds packet buffers. On the 2500
Series, this is part of the same physical memory as main memory. On the 7204
VXR, it's separate memory.
Flash memory - This memory holds the IOS image. On the 2500 Series, there
are two flash SIMM sockets (max 16 MB). On the 7204VXR, there are PCMCIA
slots on the I/O controller which can take a 128 MB flash disk.
Configuration memory (NVRAM) - This is the memory that holds the IOS
configuration. In the 2500 Series, it's a 32 KB EEPROM. On the 7204VXR it is
128 KB battery backed up SRAM on the I/O controller.
**************************************************************************
From: Question 43
Date: 02 February 2002
Subject: How do I load the Documentation CD (UniverseCD) on Windows 2000?
Answer by: "Alberto Colmenero" <san@mobilix.dk>
Finally to reorder a CD
The Cisco Documentation CD is also available online at:
http://www.cisco.com/univercd/home/home.htm
**************************************************************************
From: Question 44
Date: 02 February 2002
Subject: How do I load a large image on a 2500 *lab* router?
Answer by: vcjones@NetworkingUnlimited.com (Vincent C Jones)
For production work (support by Cisco required) you need 16M Flash
to run 12.0 or 12.1 Enterprise. If you don't need Cisco support, 12.0
Enterprise is small enough (about 10M) to run from RAM (upgrading to
16M of RAM is MUCH cheaper than upgrading to 16M of flash) using a
compressed image in the 8M of flash you do have.
12.1 Enterprise is 14M so it must be run from flash (otherwise there is
not enough RAM remaining to even complete loading of the OS).
Check the release notes on www.cisco.com for the IOS release you want to
use. If the actual size of the IOS plus the minimum recommended RAM
totals less than 16MB, you can run compressed or boot from TFTP without
expanding flash. Check deja-news on google if you are unclear on how to
run a compressed image on the 2500, it is a frequent request and
hopefully will turn up in the renovated FAQ when Hansang gets a chance
to publish it.
**************************************************************************
From: Question 45
Date: 02 February 2002
Subject: daisy-chaining reverse telnet console-aux ports
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
> I've hooked 4 routers together in a lab and I'm daisy-chaining them
> aux --> console and using reverse telnet to get to them...
>
> However when I get to the fourth router and do a CTRL-SHFT-6 X,
> I get back to the first router. If I kill the AUX line, then initiate the
> reverse telnet again, I fall through router 2 and 3 to 4 again...
> Is there an easy way to fall back one router at a time?
> or should I not bother to do this?
You have two options. One is to use a different escape character on the
second (third, fourth etc) console (and/or vty)
conf t
line con 0 /* or vty 0 4 */
escape-character 23
This will let you use CTRL-W then X to break out reverse telnet.
Or
You can use CTRL-SHFT-6, CTRL-SHFT-6, X to come back to the second
session, and CTRL-SHFT-6, CTRL-SHFT-6, CTRL-SHFT-6, X to come back to the
third session, etc.
**************************************************************************
From: Question 46
Date: 02 February 2002
Subject: What Windows chatter could bring up an ISDN line?
Answer by: "Phillip Remaker" <remaker@cisco.com>
> ...we get multiple spurious dial-ups after every intended one.
> The first unwanted one occurs about 20 minutes after the intended one,
> and the subsequent unwanted ones about every 20 minutes after that.
> All last exactly 200 seconds, which is the configured router hangup
> time.
> Does anyone have any idea what might be causing these?
Yep. See http://support.microsoft.com/support/kb/articles/Q135/3/60.asp
for all of the periodic packet transmissions associated with Windows
Networking.
Dialer access lists will not help you, since the identifying information is too
deep inside the packet and therefore indistinguishable from real traffic 8-(.
**************************************************************************
From: Question 47
Date: 02 February 2002
Subject: How do I make NTP packets so it's only interesting on router bootup?
Answer by: Paul J Murphy <paul@murph.org>
!
access-list 101 permit udp any any eq ntp time-range sntp-dial
access-list 101 deny udp any any eq ntp
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
time-range sntp-dial
absolute end 00:00 01 January 2000
!
The time there doesn't really matter as long as it is later than the
epoch time for the device in question, and earlier than the current
time. 01/01/2000 was just the arbitrary choice I made last time I
configured that.
With that config, NTP will bring up the line if and only if the clock
on the Cisco has not already been set.
For an unattended installation which may not dial up very frequently,
it may be worth using a time-range which allows dialling once per day
to keep the clock reasonably well synced. If your usage pattern
results in the line coming up frequently, that is an unnecessary
step. Constructing an appropriate time-range statement is left as an
exercise for the reader.
If it's a small single user LAN, it's considered polite to avoid the
stratum-1 servers. Most ISPs should provide NTP servers for customer
use, eg try ntp.<isp>.net, timehost.<isp>.net, ntp0.<isp>.net,
ntp1.<isp>.net, etc. Apart from not overloading valuable global
resources, using a NTP server local to your ISP will probably provide
a more stable time service due to lower latency between the client and
server.
See also http://www.get-time.org/ for the UK government NTP initiative
(Greenwich Electronic Time).
**************************************************************************
From: Question 48
Date: 02 February 2002
Subject: How do I setup Lock & Key ACL? Or punch temporary holes in my
ACL if someone authenticates to my router?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
**************************************************************************
From: Question 49
Date: 02 February 2002
Subject: How do I telnet to a specific VTY line?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
See "rotary" example in question 48.
**************************************************************************
From: Question 50
Date: 02 February 2002
Subject: Is there a better (free) tftp server than the one by Cisco?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
3CDv2r10.zip file located at:
http://support.3com.com/software/utilities_for_windows_32_bit.htm
**************************************************************************
From: Question 51
Date: 02 February 2002
Subject: How do I use the Cisco Documentation CD (UniverseCD) under Linux?
Answer by: Vincent C Jones VCJones@NetworkingUnlimited.com
Another option is to suffer like us Linux users and forego the
ability to search the CD (but hey, for that you can go online). The
technique below works fine if your platform can run an Apache web
server. Note the update for more recent CD's which use bzip2 rather
than gzip compression.
**************************************************************************
Update added July 15, 2000 by Dr Vincent C Jones, PE:
Starting July 2000 or so, the encoding switched to bzip2. So change
the apache entries to "x-bzip" and add bzip entries if required to
/opt/netscape/Netscape.ad as shown below.
*encodingFilters: \
x-compress : : .Z : uncompress -c \n\
compress : : .Z : uncompress -c \n\
x-bzip : : .bz,.bz2 : bzip2 -cdq \n\
bzip : : .bz,.bz2 : bzip2 -cdq \n\
x-gzip : : .z,.gz : gzip -cdq \n\
gzip : : .z,.gz : gzip -cdq \n
**************************************************************************
Update added June 10, 2001 by Dr Vincent C Jones, PE:
Newer versions of Netscape do not use a Netscape.ad file. Instead, the
changes can be made to ~/.Xdefaults. Note that these changes CANNOT be
added from Netscape using edit/preferences.
**************************************************************************
From: Question 52
Date: 02 February 2002
Subject: How do I NAT on a single Cisco 2503 Ethernet interface
Answer by: "Pawel Sikora" <psi@polbox.WYCIEP-TO.pl>
interface Loopback0
ip address 10.0.255.1 255.255.255.0
ip nat inside
!
interface Ethernet0
ip address 10.0.0.1 255.255.255.0 secondary
ip address xxx.yyy.zzz.ttt 255.255.255.248
ip nat outside
ip policy route-map LOOPNAT
!
ip nat inside source list 1 interface Ethernet0 overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
route-map LOOPNAT permit 10
match ip address 1
set interface Loopback0
!
------------------------
Note that Lo0 interface may have any ip address.
**************************************************************************
From: Question 53
Date: 02 February 2002
Subject: How do I hide a summarized OSPF route from one ABR to another?
Answer by: Alex Bakhtin <bakhtin@amt.ru>
area 1 range x.x.x.x x.x.x.x not-advertise
**************************************************************************
From: Question 54
Date: 02 February 2002
Subject: What is the pinout for the Console port on a 2518?
Answer by: Michael Shorts (mshorts@cisco.com)
The CISCO2518 has a console port on the hub card which is a different pinout
than the standard Cisco console (the hub card is an OEM from another company)
The pinout is:
Management Console Pinout
RJ-45 pin   Description   Direction   DB-25 pin
    1       TxD           output          3
    2       GND           -               7
    3       RTS           output          5
    4       CTS           input           4
    5       DTR           output          6
    6       DSR           input          20
    7       shield        -               -
    8       RxD           input           2
Note that the console port does not support RTS/CTS hardware flow control.
**************************************************************************
From: Question 55
Date: 02 February 2002
Subject: How do I find the "real" IOS name when the file is in DOS format?
Answer by: Terry Kennedy <terry@gate.tmk.com>
Given:
> -rw-rw-r-- 1 jomo sol3 8465736 May 30 08:49 aaa1324.bin
> -rw-rw-r-- 1 jomo sol3 7891164 May 30 08:49 aaa1325.bin
> -rw-rw-r-- 1 jomo sol3 7347200 May 30 10:46 aaa1326.bin
Try "strings aaa1234.bin". You should see something like:
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(9), RELEASE SOFTWARE (fc1)
near the end, mixed in with all the other junk. If these are compressed
(mz-style) images, you'll have to unzip them first. Ignore the warning that
says something like:
(9:44) gate:/tmp# unzip c5300-j-mz.120-8.bin
Archive: c5300-j-mz.120-8.bin
warning [c5300-j-mz.120-8.bin]: 19376 extra bytes at beginning or within
zipfile
(attempting to process anyway)
inflating: C5300-J-.BIN
and then grep the resulting file.
**************************************************************************
From: Question 56
Date: 02 February 2002
Subject: How do I set up Windows 2000 and IPSec to a PIX Firewall?
Answer by: "Steven Griffin" <segjr@gte.net>
To describe how to use the Local Security Policy MMC in W2K would take a
long time. So, the config I will share with you is the 'dial-up' one I
mentioned before. In this posting I will detail the bare minimum needed to
get a W2K client working with a PIX firewall running v6.01 software. For
simplicity I use a preshared key for authentication. Since I have to embed
this key into the script I use it makes the configuration open and thus
vulnerable. However, you should be able to tweak the configuration from this
to meet your own security needs. The W2K IPSec client supports certificates
as well as preshared keys so a "secure" version of this config is
attainable.
The configuration script I eked out (it isn't beautiful code) is actually
written in Perl. If you would like to re-write it in the old DOS batch file
format, please do so. Otherwise, you should find a copy of Perl for NT/W2K.
I use the version found at http://www.activestate.com. The Perl script I
show here is documented as to what it does. The MS ipsecpol.exe program
that you have to use has its own documentation which you should read. For
the PIX I give you only the crypto, isakmp, and sysopt commands you need to
issue to your PIX to make this config work. The config assumes that the PIX
has NAT enabled.
Ok, enough blabber, here it is... I hope it is helpful!
For the purposes of this 'demo' config, the PIX Firewall will have
192.168.0.1 as its outside IP. The inside network will be the 10.0.X.X
network. The inside router will be 10.0.0.1.
Quick Network Schematic:
[W2K] --> [Dial-Up WAN adapter (DHCP assigned address)] --->
[Internet]---->[PIX Firewall(192.168.0.1)] ---> [Internal LAN
(10.0.X.X)] --> [Inside Router (10.0.0.1)]
The PIX firewall commands needed are:
sysopt connection permit-ipsec
sysopt connection permit-l2tp
sysopt ipsec pl-compatible
crypto ipsec transform-set W2K esp-des esp-md5-hmac
crypto ipsec transform-set W2K mode transport
crypto dynamic-map W2KDynamic 11 set transform-set W2K
crypto map W2K-Map 23 ipsec-isakmp dynamic W2KDynamic
crypto map W2K-Map interface outside
isakmp identity address
isakmp key gobbeldygook address 0.0.0.0 netmask 0.0.0.0
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 28800
isakmp enable outside
The Perl script I wrote is as follows. I execute this script every time I
establish a connection with my dial-up ISP. It then sets up the IPSec tunnel
using my current ISP assigned IP Address.
#begin listing
# IPSecInit.pl
# Written by: Steven Griffin Jr.
# Date: 6 June, 2001.
# Note: The basis of this code came from the PERL documentation site.
# The original snippets came from the links below.
# http://www.perldoc.com/perl5.6/lib/Net/hostent.html
# http://www.perldoc.com/perl5.6/lib/Net/Ping.html
# I should put this in POD format at some point but I am in a hurry right now.
use strict;
use warnings;
use Net::hostent;
use Net::Ping;
use Socket;
#Two Variables: One for the local IP Address and one for the VPN Server
#This script assumes that the VPN Server has a static IP
my $localipaddress;
my $VPNHostIP = '192.168.0.1';
#The following section of code discerns the IP address of the host provided
#in the command line arguments. The default is the localhost.
#NOTE: The code section is smart and gives you a routable IP (if available)
#and not just 127.0.0.1
# This section is pretty much identical to the one found on the PERL
# documentation site.
# I just added an assignment of the discerned ipaddress to the
# $localipaddress variable.
# I also changed the @ARGV assignment to 'localhost' instead of 'netscape.com'
@ARGV = ('localhost') unless @ARGV;
my $h;
for my $host ( @ARGV ) {
    unless ($h = gethost($host)) {
        warn "$0: no such host: $host\n";
        next;
    }
    printf "\n%s is %s%s\n",
        $host,
        lc($h->name) eq lc($host) ? "" : "*really* ",
        $h->name;
    print "\taliases are ", join(", ", @{$h->aliases}), "\n"
        if @{$h->aliases};
    if ( @{$h->addr_list} > 1 ) {
        my $i = 0;
        for my $addr ( @{$h->addr_list} ) {
            printf "\taddr #%d is [%s]\n", $i++, inet_ntoa($addr);
            # With several addresses, keep the first one that is not loopback
            # so the ipsecpol commands below get a routable IP.
            $localipaddress = inet_ntoa($addr)
                unless defined $localipaddress or inet_ntoa($addr) =~ /^127\./;
        }
    } else {
        #my modification is on the next line.
        printf "\taddress is [%s]\n", $localipaddress = inet_ntoa($h->addr);
    }
    if ($h = gethostbyaddr($h->addr)) {
        if (lc($h->name) ne lc($host)) {
            printf "\tThat addr reverses to host %s!\n", $h->name;
            $host = $h->name;
            redo;
        }
    }
}
# Without a local address the ipsecpol filters below would be built empty.
die "$0: could not determine a local IP address\n" unless defined $localipaddress;
#This next section is a very modified version of the Ping example on the
#Perl Documentation Website.
#Now that we know our IP address, we can set up the IPSec tunnel.
#First we try and ping our VPN server.
#(Net::Ping's "icmp" protocol opens a raw socket, so run this as an administrator.)
my $p = Net::Ping->new("icmp");
my $cmdstring;
print "\nCan I see my firewall? ";
if ($p->ping($VPNHostIP)) {
    print "Yes\nAttempting to initialize IPSec Connection";
    #Now that we can see our server, let's stop and start the W2K IPSec Policy
    #Agent.
    #This deletes any 'dynamic' IPSec policies that may have been in effect
    #before.
    print "\nResetting IPSec Policy Agent";
    $cmdstring = 'Net Stop "IPSec Policy Agent"';
    system($cmdstring);
    $cmdstring = 'Net Start "IPSec Policy Agent"';
    system($cmdstring);
    #Now we issue the ipsecpol command to set up the tunnel to our VPN Server.
    #The ipsecpol command line utility can be found on Microsoft's Website.
    # http://www.microsoft.com/downloads/release.asp?ReleaseID=29167
    # or
    # http://download.microsoft.com/download/win2000platform/ipsecpol/1.00.0.0/NT5/EN-US/ipsecpol_setup.exe
    #MS requires two ipsecpol commands be issued in order to set up a tunnel.
    #One for the inbound traffic and one for the outbound traffic.
    # For this Tunnel I used the following settings:
    # The IPSec filter '-f' is for the 10.0.0.0 255.255.0.0 network to My IP
    # Address.
    # The tunnel setting '-t' is either My IP Address or the VPN Server's IP
    # Address.
    # The security method list '-1s' is for DES-MD5-1
    # The security negotiation setting '-n' is for ESP[DES,MD5]
    # We are using QuickMode key exchange '-1k' rekeys after 10 quick modes '10q'
    # We are using perfect forward secrecy '-1p'
    # For authentication we are using a preshared key '-a'
    # NOTE: the preshared key must be enclosed in double quotes
    # See the documentation of the utility for further details.
    print "\nSetup IPSec Tunnel";
    #This sets up the inbound leg of the tunnel. We are filtering all traffic
    #inbound from 10.0.X.X to our IP address.
    #The critical part of this statement is that the -t argument must contain
    #our local IP.
    $cmdstring = 'ipsecpol -f 10.0.*.*=' . $localipaddress
               . ' -t ' . $localipaddress
               . ' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a PRESHARE:"gobbeldygook"';
    printf "\n%s", $cmdstring;
    system($cmdstring);
    #This sets up the outbound leg of the tunnel. We are filtering all
    #traffic outbound to 10.0.X.X from our IP address.
    #The critical part of this statement is that the -t argument must contain
    #the VPN Server's IP Address.
    $cmdstring = 'ipsecpol -f ' . $localipaddress . '=10.0.*.*'
               . ' -t ' . $VPNHostIP
               . ' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a PRESHARE:"gobbeldygook"';
    printf "\n%s\n", $cmdstring;
    system($cmdstring);
    #Now that we have issued our commands, we should test the network and see
    #if we can see inside it.
    #The internal router is the easiest target. Here it is 10.0.0.1.
    #We first do a ping just so that the IPSec tunnel will negotiate. W2K does
    #not set up the tunnel until you actually try and send traffic to an
    #IPSec filtered IP address.
    #Now we do another ping and tell the user what happened.
    print "\nTrying to ping internal network: ";
    $p->ping("10.0.0.1");
    if ($p->ping("10.0.0.1")) {
        print "Success\n";
        sleep(1);
    } else {
        print "Failure\n";
        sleep(1);
    }
} else {
    # If we reach this point, we could not see our VPN Server's external IP
    # address from our ISP.
    print "No\nTry redialing your ISP";
    sleep(3);
}
$p->close();
#end listing
**************************************************************************
From: Question 57
Date: 02 February 2002
Subject: How do I use tftpdnld via Ethernet port on a 2600?
Answer by: "Joel" <joelyung@yeah.net>
**************************************************************************
From: Question 58
Date: 02 February 2002
Subject: How do I setup MultiLinkPPP?
Answer by: "Patrick M. Hausen" <hausen@nospam.de>
multilink PPP without virtual template
int Multilink1
description multilink bundle
ip unnumbered Loopback0
ppp multilink
multilink-group 1
!
int Ser0
description first T1 line
encaps ppp
ppp multi
multilink-group 1
!
int Ser1
description second T1 line
encaps ppp
ppp multi
multilink-group 1
Again, recent software is necessary: at least 12.0T or 12.1,
or one of the ISP branches (12.0S).
**************************************************************************
From: Question 59
Date: 02 February 2002
Subject: How much memory is taken up by BGP routes?
Answer by: "Laron Swapp" <laron.d.swapp@intel.com>
**************************************************************************
From: Question 60
Date: 02 February 2002
Subject: What is the difference between a CiscoPro model and a regular one?
Answer by: Michael Shorts <mshorts@cisco.com>
It depends on the model. With some models, it's just a different paint
color. Other models have a special key that restricts the software
images that can be used (for those, there is a "cookie programming"
utility to turn it into a "regular" unit).
**************************************************************************
From: Question 61
Date: 02 February 2002
Subject: How do I stop my router from looking for cisconet.cfg or
network-config?
Answer by: vcjones@NetworkingUnlimited.com (Vincent C Jones)
Look up "service config" in the manual (available on www.cisco.com if
you do not have a local copy). Turn it off using the command "no service
config" in configuration mode.
**************************************************************************
From: Question 62
Date: 02 February 2002
Subject: How do I setup DHCP service on my router?
Answer by: Dave Phelps <tippenring@nospam.bigfoot.com>
Here is my 1601 performing as a DHCP server config...
The static pool is how I use DHCP to assign the same IP to the same PC
each time, essentially a static IP address assignment. The only other
requirement would be that on the interface where DHCP requests will be
received, if you have an inbound ACL, bootp must be permitted.
ip dhcp excluded-address 192.168.3.1 192.168.3.9
!
ip dhcp pool dhcp-pool
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
netbios-node-type b-node
dns-server aaa.bbb.ccc.ddd aaa.bbb.ccc.eee
!
ip dhcp pool static-pool
host 192.168.3.2 255.255.255.0
client-identifier 0100.00c5.0cbd.7e
client-name main_pc
default-router 192.168.3.1
dns-server aaa.bbb.ccc.ddd aaa.bbb.ccc.eee
**************************************************************************
From: Question 63
Date: 02 February 2002
Subject: How do I configure a transparent proxy redirecting on a CISCO router?
Answer by: alan@internal.wj.com (Alan Strassberg)
**************************************************************************
From: Question 64
Date: 02 February 2002
Subject: How do I use the PCMCIA slot in my 2500 router?
Answer by: "Josh Duffek" <joshd@cisco.com>
That slot is not used anymore. It was used about four years ago to load
boot helper code or feature set upgrades.
**************************************************************************
From: Question 65
Date: 02 February 2002
Subject: What cable do I use on 1900 switch with a DB9 Console connector?
Answer by: "aros.net" <nelson@aros.net>
Hi, thanks for the help. Just so anyone searching the archives will find
the answer: for an old Catalyst 1900 switch a DB9 female to DB9 female null
modem cable works great and solved my console connection problem.
For the search engines: the terminal program was returning ATQ0H0 and
ATQ0Z0 on an old cisco catalyst 1900 switch.
**************************************************************************
From: Question 40
Date: 02 February 2002
Subject: How do I use a route-map to limit redistribution in OSPF?
Answer by: hbae_@_nyc.rr.com.REMOVE_ (Hansang Bae)
**************************************************************************
From: Question 68
Date: 02 February 2002
Subject: How do I connect 675 DSL units back to back?
Answer by: "Josh Duffek" <joshd@cisco.com>
Well I found out that you can hook up other DSL boxes back to back...here is
part of an email I found on it:
you need:
'dsl equipment-type CO' on one side and
'dsl equipment-type CPE' on the other
Here is a working example from the lab:
(The distance limitation should be the same
as the one found in the docs)
also, you can run 'debug dsl-phy' a new
command to look at the trainup.
(CO side, an 828)
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl equipment-type CO
dsl operating-mode GSHDSL symmetric annex A
dsl linerate AUTO
!
interface ATM0.1 point-to-point
ip address 1.1.1.2 255.255.255.0
pvc 1/33
encapsulation aal5snap
!
!
(CPE side, a SOHO78)
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl equipment-type CPE
dsl operating-mode GSHDSL symmetric annex A
dsl linerate AUTO
!
interface ATM0.1 point-to-point
ip address 1.1.1.1 255.255.255.0
pvc 1/33
encapsulation aal5snap
!
**************************************************************************
From: Question 68
Date: 02 February 2002
Subject: How do I format the PCMCIA card on a 3600?
Answer by: "Brian" <nondogmatist@hotmail.com>
Thanks guys. The "erase slot0" turned the trick. I appreciate the help.
**************************************************************************
From: Question 69
Date: 02 February 2002
Subject: How do I read Token Ring Mac and RIF?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
> Of the following Token Ring Source MAC addresses, which one indicates to
> receiving hosts that RIF is present.
> A.0007.7816.fe58
> B.1007.7816.fe54
> C.7007.7816.fe54
> D.8007.7816.fe58
> E.3007.7816.fe54
>
> The correct answer is D and here is the explanation: "When a RIF is present,
> the first bit of the source MAC address is set to 1. Therefore, any address
> that begins with 8 through f denotes that a RIF will follow the source MAC
> address."
>
> Here is my analysis:
> 8:1000 9:1001 a:1010 b:1011 c:1100 d:1101 e:1110 f:1111
>
> Fine, we see that the first bit is set to 1 and a RIF will follow. My
> confusion is this: Is 8007.7816.fe58 actually a MAC address that is seen
> on the other side? I thought we were supposed to swap the MAC address if
> configured with RSRB or SRT?
You swap the bits in the MAC because Ethernet is canonical and TR is
non-canonical. There would be no translation in TR to TR. And by
definition, if the other side saw item D as the address, it would have
to be TR as there are no RIFs in the Ethernet world.
In Ethernet, the 47th place bit (first one from the left if the MAC was
written in binary) represents whether this is a Group or Individual mac
address. All group addresses (including the broadcast) will have this
set to a binary 1. The 46th place bit (second one from the left if the
MAC was written in binary) represents the Globally Unique or Locally
Assigned bit.
If you change your MAC, it should set the 46th bit (of course many
drivers do not do this these days).
The part that can get confusing is that the Most Significant *BYTE* is
transmitted first. But within that byte, the Least Significant *BIT* is
transmitted first. For those of you who dealt with ODI drivers in DOS
days, whenever you loaded up the LSL.com, it said ....LSB Mode.... That
signified that it was running in Least Significant Bit mode. Just a bit
of trivia for you trivia buffs.
Here's a concrete example:
Let's say my MAC address on this machine is: 08-10-A4-C5-B3-4D
How would this get transmitted? Well, we know that 08 will go first
(it's the most significant *byte*), then 10, then A4 etc. So when 08
gets transmitted, remember that it's the LSBit that hits the wire
first... so
08 in binary is: 00001000
So the transmission order is 0, 0, 0, 1, 0, 0, 0, 0.
I'll skip the 10 since it's equally uninteresting. Moving on to A4:
A4 in binary is: 10100100.
So the transmission order is 0, 0, 1, 0, 0, 1, 0, 1.
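An added worked example (not part of the FAQ or of Hansang's post) that does the bit arithmetic behind this answer: the wire order of 08-10-A4-C5-B3-4D, the I/G and U/L bits, the canonical/non-canonical bit swap between Ethernet and Token Ring, and the RIF check on the quiz addresses above. Function names are my own.

```python
# Added example: bit-order arithmetic for the Token Ring / Ethernet MAC
# discussion above. Sample addresses are the ones quoted in the thread.


def parse_mac(mac):
    """Accept '08-10-A4-C5-B3-4D', '08:10:a4:c5:b3:4d' or '8007.7816.fe58'
    and return the six octets as integers."""
    digits = "".join(c for c in mac if c not in "-:.")
    if len(digits) != 12:
        raise ValueError("expected 12 hex digits, got %r" % mac)
    return [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]


def reverse_bits(octet):
    """Mirror the eight bits of one byte. Applied to every octet this turns a
    canonical (Ethernet) address into non-canonical (Token Ring) form and
    back, which is the 'bit swap' the answer refers to."""
    out = 0
    for i in range(8):
        out = (out << 1) | ((octet >> i) & 1)
    return out


def wire_bit_order(mac):
    """Bits in the order an Ethernet transmitter puts them on the wire:
    most significant *byte* first, least significant *bit* first within
    each byte."""
    bits = []
    for octet in parse_mac(mac):
        bits.extend((octet >> i) & 1 for i in range(8))
    return bits


def is_group(mac):
    """I/G bit: the first bit transmitted. In canonical (Ethernet) hex
    notation that is the low-order bit of the first octet (0x01)."""
    return bool(parse_mac(mac)[0] & 0x01)


def is_locally_administered(mac):
    """U/L bit: the second bit transmitted, 0x02 of the first octet in
    canonical notation. Set when the address was overridden locally."""
    return bool(parse_mac(mac)[0] & 0x02)


def canonical_to_token_ring(mac):
    """Bit-swap each octet and print it in dotted Token Ring style."""
    swapped = [reverse_bits(o) for o in parse_mac(mac)]
    return "%02x%02x.%02x%02x.%02x%02x" % tuple(swapped)


def rif_present(tr_source_mac):
    """Token Ring writes addresses non-canonically, so the first bit on the
    wire is the HIGH-order bit of the first octet. In a source address that
    position is the Routing Information Indicator: set means a RIF follows,
    which is why a first hex digit of 8..f means 'RIF present'."""
    return bool(parse_mac(tr_source_mac)[0] & 0x80)


if __name__ == "__main__":
    mac = "08-10-A4-C5-B3-4D"
    bits = wire_bit_order(mac)
    print("08 hits the wire as", bits[0:8])     # [0, 0, 0, 1, 0, 0, 0, 0]
    print("A4 hits the wire as", bits[16:24])   # [0, 0, 1, 0, 0, 1, 0, 1]
    print("group?", is_group(mac), "locally administered?",
          is_locally_administered(mac))
    print("Token Ring form:", canonical_to_token_ring(mac))  # 1008.25a3.cdb2
    for quiz in ("0007.7816.fe58", "7007.7816.fe54", "8007.7816.fe58"):
        print(quiz, "RIF present:", rif_present(quiz))
```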
**************************************************************************
From: Question 70
Date: 02 February 2002
Subject: How are Ethernet MAC addresses transmitted?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
See question 69.
**************************************************************************
From: Question 71
Date: 02 February 2002
Subject: Why are the 46th and the 47th bit significant in an Ethernet MAC address?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
See question 69.
**************************************************************************
From: Question 72
Date: 02 February 2002
Subject: Why can't I upload an IOS image on to my flash on my 2500 router?
Answer by: Michael Shorts <mshorts@cisco.com>
> i took one from another 2500, same label E28F008SA and unfortunately,
> same ERROR MESSAGE while issuing COPY TFTP FLASH from config-reg
> 0x2101
The flash in your system is not recognized by the boot ROM. You can upgrade
your boot ROM (Cisco part BOOT-2500=) or use flash that is compatible (Intel).
**************************************************************************
From: Question 73
Date: 02 February 2002
Subject: How do I configure my router so it becomes a DHCP CLIENT?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
If you have 12.1(2)T or better and one of the following platforms:
C800, C100x, C1400, C160x, C17x0, C25xx, C26xx, C36xx, C4x00, C64xx,
C7x00, C8500, and C12000
UBR900, UBR7200
MC3810
The interface command is "ip address dhcp"
**************************************************************************
From: Question 74
Date: 02 February 2002
Subject: Does my Cisco terminal server send a BREAK signal on reboot?
Answer by: Aaron@Cisco.COM (Aaron Leonard)
2611's or 2511's? The NM-A async modules do NOT exhibit the break-on-poweroff
problem. See http://www.conserver.com/consoles/breakinfo.html
for an independent report.
**************************************************************************
From: Question 75
Date: 02 February 2002
Subject: How do I access the Console port on an AccessPro (AP-EC) card?
Answer by: levinm@iserv.net (Martin H. Levin)
I have had similar problems accessing the console on the AccessPro
card. I read somewhere that the AccessPro has a problem with Windows,
which during the boot probes the serial ports looking for the mouse.
My answer to this has been to put the card in an old 486 and use DOS
with an old terminal program to access the AP-EC card. It works! I
have two AP-EC cards in the same machine, which I have initially
configured using com ports 1 and 2, and switch the terminal program
from com1 to com2 and back as I need to set up the two cards. Once
set up, the console on each card can be reached through the aux port.
The problem with Windows has been handy, since this setup doesn't
allow for entry into monitor when the password is lost (or you get a
bad secrets message). After much effort and reading the Windows
problem message, I took the card out of the DOS machine, put it into a
Windows machine and sure enough the damn thing went into monitor mode
and I was able to recover/reset the password.
**************************************************************************
From: Question 76
Date: 02 February 2002
Subject: How do you setup a simple Priority Queuing?
Answer by: Richard Gallagher <rgallagh@cisco.com>
**************************************************************************
From: Question 77
Date: 02 February 2002
Subject: What are the pros and cons of using two ISP/BGP providers?
Answer by: vcjones@NetworkingUnlimited.com (Vincent C Jones)
>Why would you use BGP with 2 Internet T1 vs using equal cost
>static routing? What's the pros and cons? Thank you.
This question (or variations on it) gets hashed out fairly routinely on
this newsgroup; hopefully Hansang will be able to include a brief
discussion in the FAQ even though it is not a Cisco specific problem.
The answer in a nutshell is: It depends.
If each T1 goes to a different ISP, then you must use BGP to have the
same public address regardless of route taken.
If each T1 goes to the same ISP and load sharing and ease of
setup/management is more important than availability, then go with
static routes.
If the T1 links do not support end-to-end keepalives, go with BGP to
avoid black holes.
If the T1 links go to different POPs of the same ISP, use BGP and
indicator routes to detect ISP segmentation.
If the T1 links go to geographically diverse POPs, then BGP with full or
local routes may improve routing efficiency.
For more detail, see the blurb I wrote for O'Reilly on the topic at
http://www.oreillynet.com/pub/a/network/2001/05/11/multihoming.html
(for those reading this out of the archives at a future date, a
more detailed version of this paper will be appearing as a White
Paper on my web site, but it will not be there until late Summer).
Chapter 8 of my book walks you through all the alternatives from
two T1s between a single router at your site and a single router
at the ISP, to two T1's between separate routers at your site to
two different ISPs. For how to get the most out of BGP, including
load sharing and efficiency considerations (my book only considers
availability), read Halabi's book.
If none of the above makes sense to you, hire a competent consultant
to walk you through the alternatives and their tradeoffs.
**************************************************************************
From: Question 78
Date: 02 February 2002
Subject: How do I tell the difference between the different 2900 XL switches?
Answer by: Terry Kennedy <terry@gate.tmk.com>
> There are two versions of the Catalyst 2900 switch - the
> 2900 XL and the 2900 M XL. The 'M' model has two
> spots above the ethernet ports for the GBIC modules
> to slide into. The 'M' is about twice the height of the
> non-M switch.
And it's even more confusing than that. Older 2900XL M-series had 16
ports and less memory and can't run current software, so it is likely
that the Gigabit Ethernet modules wouldn't work in those units.
A handy way to tell if a 2900XL can run current software is to look
at the port numbers next to the LEDs on the base unit. If the numbers
are yellow, it can run current software. If they're white or just etched
in the plastic without any color, the switch is stuck running the older
software. Note that you have to look at the ports on the base unit - it
is possible to have a V-series expansion module with yellow numbers
installed in an older M-series switch.
**************************************************************************
From: Question 79
Date: 02 February 2002
Subject: How do I suppress the transmission of PPP frames when dialing in?
Answer by: Aaron@Cisco.COM (Aaron Leonard)
As far as suppressing the transmission of PPP frames from
the 3640 side ... you can do it this way:
interface group-async1 ! or whatever interface you're using
ppp direction callin ! hidden command
ppp lcp delay 60
ppp lcp fast-start
This will cause PPP to refrain from sending frames for 60s
after the interface comes up ... then when it receives a
frame from the peer, it will start LCP.
**************************************************************************
From: Question 80
Date: 02 February 2002
Subject: What kind of memory can I use to upgrade my 2500 series router?
Answer by: Terry Kennedy <terry@gate.tmk.com>
The RAM is standard 72-pin parity 70ns FPM w/ tin leads, while the
flash is the generic Cisco flash. If you have older boot ROMs, you'll want
to make sure you get Intel chips or the ROMs won't recognize them. Or you
could upgrade the ROMs - Cisco part number BOOT-2500=, allegedly free.
> Any suggestions for a decent memory supplier for this?
I used to use Kingston when I had 25xx's. But MemoryX seems to be less
expensive these days: (http://www.memoryx.net/routers.html)
**************************************************************************
From: Question 80
Date: 02 February 2002
Subject: Where can I get mzmaker to compress my IOS?
Answer by: "MikeN" <miken@mail.ikano.com>
http://www.mcseco-op.com/mzmaker.htm
**************************************************************************
From: Question 81
Date: 02 February 2002
Subject: What is the meaning of in/out in reference to an access-list?
Answer by: rodd@panix.com (Rod Dorman)
**************************************************************************
From: Question 82
Date: 02 February 2002
Subject: How do I remove the /32 - host - route when a PPP link comes up?
Answer by: Richard Gallagher <rgallagh@cisco.com>
To get rid of this host route, try the following command on both ends of the
link:
no peer neighbor-route
**************************************************************************
From: Question 83
Date: 02 February 2002
Subject: How do I forward DHCP broadcasts to my DHCP server?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
> We are a Canadian company with an American office. We have a Cisco router
> at each office connected via a T1 line. We have a DHCP server at our
> Canadian office, and we would like it to also delegate IPs to our American
> office. Is this possible? If so, what must be done?
**************************************************************************
From: Question 84
Date: 02 February 2002
Subject: How do I use the ip-helper command to facilitate DHCP use?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
See Question 83 (answer #2)
**************************************************************************
From: Question 84
Date: 02 February 2002
Subject: How do I send L2 traffic through a tunnel?
Answer by: mortimer_mouse@mailandnews.com (Mortimer Mouse)
> Thanks for answering my post, the current problem I have is I need to send
> Layer2 type traffic through a tunnel ... is this possible ?
Sure. See...
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/inter_c/icdlogin.htm#xtocid292793
> I enabled bridging on both routers and created a bridge group and that
> seems to work fine I can see my netbeui traffic passing ....
> The problem is I have to be able to encapsulate netbeui or any other Layer2
> type protocol and encapsulate within a IP packet.
The usual way to do this is using a GRE tunnel between two routers,
and configuring an additional loopback interface on each router as the
source interface for the tunnel traffic, as below. Here, each router
has a bridge group defined which allows certain traffic only as stated
in the 200-series ACL onto the loopback interface. In this case it's
LAT only - you will need to check the LSAP protocol number(s) for
netbios/netbeui as I can't remember these off-hand. Once the traffic
is forwarded from the LAN interface onto the loopback, it is
encapsulated into IP GRE and forwarded to the far router.
                   --------------------------
                  /                          \
           Tunnel0|                          |Tunnel0
                  |                          |
LAN--------Router A-------WAN Cloud-------Router B--------LAN
     Eth0          Ser0              Ser0          Eth0
Router A
--------
int e0
ip address 192.168.100.254 255.255.255.0
bridge-group 1
int loop0
no ip address
bridge-group 1
bridge-group 1 output-type-list 200
int tunnel 0
tunnel source interface loopback0
tunnel destination 192.168.200.254
access-list 200 permit 0x6000 0x600f
Router B
--------
int e0
ip address 192.168.200.254 255.255.255.0
bridge-group 1
int loop0
no ip address
bridge-group 1
bridge-group 1 output-type-list 200
int tunnel0
tunnel source interface loopback0
tunnel destination 192.168.100.254
access-list 200 permit 0x6000 0x600f
**************************************************************************
From: Question 86
Date: 02 February 2002
Subject: How do I sort my IP Addresses using Unix tools?
Answer by: Paul Koch <paul.koch@statscout.com>
> The subject says it all. Am looking for an Excel 2000, or less, macro to
> sort IP addresses. The problem is Excel sort doesn't "understand"
> 192.028..005.001 vs. 192.28.5.1.
Do you have to use Excel? Yuck!
A random thought. If your data could have the address also in hex or decimal
in another column, then a sort would be simple.
Simple under Unix :-)
sort -t "." -k1,1n -k2,2n -k3,3n -k4,4n datafile
or even just
cat datafile | sort -t "." -n
**************************************************************************
From: Question 87
Date: 02 February 2002
Subject: Why is measuring collisions a meaningless endeavour?
Answer by: rich@richseifert.com (Rich Seifert)
**************************************************************************
From: Question 88
Date: 02 February 2002
Subject: How do I stop password-recovery on my routers?
Answer by: Michael Shorts <mshorts@cisco.com>
"Password-recovery" might not be the best description. The feature locks out
all access to the ROMMON.
You can do this on a 2600/3600 with the global configuration command "no
service password-recovery".
The feature is indeed tied to the ROMMON. You must have a minimum ROMMON
version 11.1(17)AA on the 3600, as well as minimum IOS 11.2(12)P or 11.3(3)T.
All ROMMON versions on the 2600 support this feature.
**************************************************************************
From: Question 89
Date: 02 February 2002
Subject: How can I prevent SYN-Flood attack using CAR?
Answer by: "John Kaberna" <jkaberna@netcginc.com>
We are talking about all different kinds of floods (ICMP, SYN, UDP, etc)
throughout this post. Actually he did say that Sprint can filter on their
end. I included in a different post the link to configure CAR to limit SYN
attacks using web traffic as an example. Your solution looks like it would
work too as there are multiple ways to configure traffic shaping.
Configure rate limiting for SYN packets.
Refer to the following example:
interface {int}
rate-limit output access-group 153 45000000 100000 100000 conform-action
transmit exceed-action drop
rate-limit output access-group 152 1000000 100000 100000 conform-action
transmit exceed-action drop
access-list 152 permit tcp any host eq www
access-list 153 permit tcp any host eq www established
In the above example, replace:
**************************************************************************
From: Question 89
Date: 02 February 2002
Subject: How do I setup a Multilink PPP?
Answer by: domesjoe@ljusdal.net
**************************************************************************
From: Question 90
Date: 02 February 2002
Subject: How do I setup ppp callback with dialer-pool?
Answer by: news@tvolk.de (Thomas Volk)
This is really hard stuff, doing ppp callback with dialer-pool; there are
some commands missing in your config, look at my example....
(also see: www.cisco.com/warp/public/cc/pd/ifaa/pa/much/tech/althb_wp.htm)
!
username router1 callback-dialstring 749410 password 0 ect
!
interface BRI0/0
no ip address
no ip directed-broadcast
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
ppp callback accept
ppp authentication chap
!
interface BRI0/1
no ip address
no ip directed-broadcast
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
ppp callback accept
ppp authentication chap
!
interface Dialer1
ip unnumbered FastEthernet0/0
no ip directed-broadcast
encapsulation ppp
dialer remote-name router1
dialer pool 1
dialer enable-timeout 2
dialer string 749410 class test1
dialer-group 1
ppp authentication chap
!
!
map-class dialer test1
dialer callback-server username
dialer-list 1 protocol ip permit
**************************************************************************
From: Question 91
Date: 02 February 2002
Subject: My configs are too large. What can I do?
Answer by: Michael Shorts <mshorts@cisco.com>
**************************************************************************
From: Question 92
Date: 02 February 2002
Subject: What do Frame-relay LMI and Encapsulation really do/mean?
Answer by: John Agosta <jagosta@interaccess.com>
**************************************************************************
From: Question 93
Date: 02 February 2002
Subject: How do I make a T1 Cross-over cable?
Answer by: Aaron@Cisco.COM (Aaron Leonard)
For *T1* I've used the following pinouts for
crossovers:
T1/E1 crossover (for PRI and CAS back-to-back connection):
RJ-45 ----- RJ-45
1 ----- 4
2 ----- 5
4 ----- 1
5 ----- 2
RJ-45 ----- DB-15
1 ----- 1
2 ----- 9
4 ----- 3
5 ----- 11
DB-15 ----- DB-15
1 ----- 3
3 ----- 1
9 ----- 11
11 ----- 9
For E1 (assuming RJ-48 aka RJ-45), the pinouts would be the same
as for T1, except that I guess you need to have pins 3 and 6
(shield/ground) connected.
I don't suppose I should be pointing people to Juniper's web
site, but anyway ...
http://www.juniper.net/techpubs/hardware/m160/m160-picinstall/html/pinout5.html
**************************************************************************
From: Question 94
Date: 02 February 2002
Subject: Can I use a router to simulate a BRI switch?
Answer by: Aaron@Cisco.COM (Aaron Leonard)
In current IOS (12.1(3)T and above, I think), you can configure PRIs
back-to-back between routers: configure one side to be network side
(isdn protocol-emulate network) and the other to be user side (default;
isdn protocol-emulate user). The supported switchtypes are primary-net5
and primary-ni.
As the original posting had alluded, we have SOME support
for network-side BRI - but this is only on certain VIC
cards due to hardware restrictions -
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121x/121xi/121xi_3/dt_brint.htm
**************************************************************************
From: Question 95
Date: 02 February 2002
Subject: How do I use Policy Based Routing?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
Keep in mind that Policy routing works on the INBOUND interface. If you think
about it, it makes sense. The decision to hand off the packet has to be made
as it's coming into the router and not on the egress interface.
**************************************************************************
From: Question 96
Date: 02 February 2002
Subject: How do I setup a VPN tunnel using pre-shared keys?
Answer by: "Ian M" <ian.mulvihill.no.spam@computer.org>
Dror-John is right. There is a LOT to know about when you get into
encryption, and like any other branch of this industry knowing the hows &
whys will help your configs and troubleshooting enormously.
The CCO IPSec Product Support page has a wealth of useful info and examples.
www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:IPSec
RFCs 2401-2412 are not too taxing either. I've added below a very basic
example using pre-shared keys, DES encryption and SHA-1 hashing algorithm.
Site 1 is 10.0.1.0/24, site 2 10.0.2.0/24 and the serial i/fs 10.0.4.0/30 (&
assumes you have sub-i/fs). Names and things in capitals.
Router1(config)#
!
crypto isakmp policy 1
! Define your ISAKMP policy settings
group 2
! 'group' defines the modulus for Diffie-Hellman calculation.
! Default is group 1, less CPU work, but less secure.
authentication pre-share
crypto isakmp key SHARED_KEY_HERE address 10.0.4.2
! Your shared key, and what peer i/f it's used for.
!
crypto ipsec transform-set TS1 ah-sha-hmac esp-des
! Define what happens to the traffic. AH & ESP are two IPSec protocols.
!
crypto map TO_SITE_2 10 ipsec-isakmp
! Define crypto-map
set peer 10.0.4.2
! The other side
set transform-set TS1
! Which transform-set to use
match address 150
! What traffic to include
!
interface Serial1/0.0
ip address 10.0.4.1 255.255.255.252
crypto map TO_SITE_2
! Apply the crypto-map to the i/f
!
access-list 150 permit ip 10.0.1.0 0.0.0.255 any
! Include traffic coming from here. I've said anything going out, for
! there may be places beyond Site 2, but Cisco says this can cause
! problems for multicast traffic. This also assumes no traffic will be
! going to Site 2 from somewhere else _through_ Site 1. Perhaps
! best to err on the more specific side. However it is a good idea
! to not include your serial i/fs, so you can still get at the far router
! if there's a problem.
Router2(config)#
!
crypto isakmp policy 1
group 2
authentication pre-share
crypto isakmp key SHARED_KEY_HERE address 10.0.4.1
!
crypto ipsec transform-set TS1 ah-sha-hmac esp-des
!
crypto map TO_SITE_1 10 ipsec-isakmp
set peer 10.0.4.1
set transform-set TS1
match address 150
!
interface Serial1/0.0
ip address 10.0.4.2 255.255.255.252
crypto map TO_SITE_1
!
access-list 150 permit ip 10.0.2.0 0.0.0.255 any
**************************************************************************
From: Question 97
Date: 02 February 2002
Subject: Why does one packet always get dropped on the last hop of traceroute?
Answer by: Aaron@Cisco.COM (Aaron Leonard)
And the winner is ... Max. Inspired by (I think) sec. 4.3.2.8 in
RFC-1812, we rate-limit our ICMP message generation to 1/sec/destination.
This can be adjusted by the "ip icmp rate-limit unreachable" command.
More interesting than simply causing an oddity for traceroute,
ICMP rate-limiting can cause intermittent PMTUD blackholes
(or I should say perhaps "PMTUD brownholes".) If you're doing
PMTUD (as alas anyone running Windows defaults to), then you
might want to ease the rate limit on DF unreachables.
**************************************************************************
From: Question 98
Date: 02 February 2002
Subject: How to setup NATing based on outgoing interface to two different ISPs.
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
> We just installed a T1 to the Internet to co-exist with our Cablemodem. I
> am looking at ways to implement this. We currently have a Cisco 2621 with
> the T1 connection and a Linux Box Masqing cablemodem Internet access now.
> My question is, what would be the best way to implement this?
>
> I proposed we connect the Cablemodem into the 2621 (FEthernet interface)
> next to the T1 connection (separate ISP's btw) and NAT.
That will work. But you need to use route-maps to match the outgoing
interface (or next-hop) when you define your NAT pool. In a nutshell:
int fa0/0
ip addr blah
ip nat outside
!
int fa0/1
ip addr blah
ip nat outside
!
ip nat pool ISP1 ISP1_Valid_range_here prefix-length blah
ip nat pool Cable Cable_Valid_range_here prefix-length blah
!
! Tie each route-map to its pool (the LAN interface needs "ip nat inside";
! add "overload" if you want many hosts sharing the pool addresses).
ip nat inside source route-map ISP1 pool ISP1
ip nat inside source route-map Cable pool Cable
!
! These users below are allowed to use the NAT service.
access-list 1 permit 10.0.0.0 0.255.255.255
!
route-map ISP1 permit 10
match ip address 1
match interface fa0/0
!
route-map Cable permit 10
match ip address 1
match interface fa0/1
**************************************************************************
From: Question 99
Date: 02 February 2002
Subject: How do I use IPX over DDR?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
> i have a special problem with ipx. i want to connect a remote ipx
> segment over an DDV with two dedicated routers, the backup is DDR
> 128kbit/s line also with two dedicated routers.
> now my problem how can i change the ipx rip update information for the
> remote ipx segment. in ip rip there is a possibility to take a command
> like offset-list.
> any ideas?
You can use floating static default routes along with an access list to
deny the chatty traffic. For example:
int bri0
ipx watchdog-spoof
ipx spx-spoof
!
! Turn off IPX route-cache so the above spoofs will work
no ipx route-cache
!
!Define what should kick up this BRI line
!
dialer-group 1
!
! /* other pertinent config here */
!
!
! Make IPX RIP uninteresting
access-list 901 deny any any all any rip
!
! Make SAP uninteresting
access-list 901 deny any any all any sap
!
! Make NetWare Serialization packets uninteresting
access-list 901 deny any any all any 457
!
! Everything else can kick up the line
access-list 901 permit any any all any all
!
dialer-list 1 protocol ipx list 901
**************************************************************************
From: Question 100
Date: 02 February 2002
Subject: How can I automatically ping a range of IP addresses in Wintel world?
Answer by: "Gregg Branham" <greggb@altusnet.com>
**************************************************************************
From: Question 101
Date: 02 February 2002
Subject: Sample config of using VIC BRI interfaces as an ISDN switch.
Answer by: "John Paul Morrison" <johnpaulmorrison@Hotmail.com>
Enter this under stupid router tricks (it's got to be more expensive than an
ISDN emulator, but not if you've got the parts lying around).
Switch: Cisco 2600 or 3600 with NM-2V and VIC-2BRI-S/T-TE (NT should work
too), IOS 12.1.5T9
R1, R2: Cisco with ISDN BRI S/T interface, IOS 12.x
R1----S/T crossover cable----Switch----S/T crossover----R2
These configs let you do ISDN BRI dialup between two routers,
using a third router as an ISDN switch. Call setup is flaky but otherwise
it seems to work once the call is up.
Switch config, for ISDN dial (and X.25 over ISDN D-channel thrown in too)
!
isdn switch-type basic-net3
x25 routing
!
interface Loopback0
! whatever
ip address 10.0.0.1 255.255.255.255
!
interface BRI1/0
description to R1
no ip address
isdn switch-type basic-net3
isdn overlap-receiving
isdn protocol-emulate network
isdn layer1-emulate network
isdn incoming-voice voice
isdn x25 dchannel
isdn skipsend-idverify
!
! Basic X.25 over D channel, so you can run pad commands
! For always on, see the Cisco docs
!
interface BRI1/0:0
no ip address
ip mtu 1514
no ip mroute-cache
x25 address 5552000
clns mtu 1514
!
interface BRI1/1
description to R2
no ip address
isdn switch-type basic-net3
isdn protocol-emulate network
isdn layer1-emulate network
isdn incoming-voice voice
isdn skipsend-idverify
!
interface BRI1/1:0
no ip address
ip mtu 1514
no ip mroute-cache
x25 address 5551000
clns mtu 1514
!
x25 route 5551111 interface BRI1/1:0
x25 route 5552222 interface BRI1/0:0
!
voice-port 1/0/0
!
voice-port 1/0/1
!
dial-peer voice 1 pots
incoming called-number 6045551111
destination-pattern 6045552222
direct-inward-dial
port 1/0/0
!
dial-peer voice 2 pots
incoming called-number 6045552222
destination-pattern 6045551111
direct-inward-dial
port 1/0/1
!
dial-peer voice 10 voip
destination-pattern 6045552222
session target ipv4:10.0.0.1
codec clear-channel
!
dial-peer voice 20 voip
destination-pattern 6045551111
session target ipv4:10.0.0.1
codec clear-channel
!
R1, R2 config (just reverse the 5551111/5552222 and 1.1.1.1/1.1.1.2)
!
isdn switch-type basic-net3
!
interface BRI0/0
ip address 1.1.1.1 255.255.255.0
encapsulation ppp
dialer string 6045552222 class DOV
dialer-group 1
isdn switch-type basic-net3
isdn incoming-voice data
isdn calling-number 6045551111
isdn x25 dchannel
!
interface BRI0/0:0
no ip address
ip mtu 1514
no ip mroute-cache
x25 address 5551111
!
map-class dialer DOV
dialer voice-call
dialer-list 1 protocol ip permit
!
**************************************************************************
From: Question 102
Date: 02 February 2002
Subject: How do I do X25 over ISDN D channel?
Answer by: "John Paul Morrison" <johnpaulmorrison@Hotmail.com>
**************************************************************************
From: Question 103
Date: 02 February 2002
Subject: What can I do to remove SAP Type 640 on my routers?
Answer by: rtrgod@yahoo.com (Lee)
Check out these links for how to turn off the 640 SAP:
http://support.microsoft.com/support/kb/articles/Q142/5/33.asp
http://support.microsoft.com/support/kb/articles/Q171/3/07.ASP
IMHO the 640 SAPs were M$'s way to mess with Novell. If you have two
MS workstations configured with the same name then all the Novell
consoles get flooded with 'server xxx was <net.node> is <net.node>'
msgs (or some such. It's been a long time since we've had that
problem :-)
MS will generate 64E SAPs also :-( I block them all. ie.
access-list 1006 deny FFFFFFFF 640
access-list 1006 deny FFFFFFFF 64E
access-list 1006 permit FFFFFFFF 0
access-list 1030 deny FFFFFFFF 30C
access-list 1030 deny FFFFFFFF 45A
access-list 1030 deny FFFFFFFF 535
access-list 1030 deny FFFFFFFF 640
access-list 1030 deny FFFFFFFF 64E
access-list 1030 permit FFFFFFFF
interface <user subnet>
ipx input-sap-filter 1006
interface <WAN link>
ipx output-sap-filter 1030
! local area printing only
**************************************************************************
From: Question 104
Date: 02 February 2002
Subject: What kind of memory does the 2500 use?
Answer by: Terry Kennedy <terry@gate.tmk.com>
**************************************************************************
From: Question 105
Date: 02 February 2002
Subject: How do I make an Ethernet Cross-over cable?
Answer by: "Lindsay Druett" <lindsay@hnpl.net>
**************************************************************************
From: Question 107
Date: 02 February 2002
Subject: What is a FECN/BECN and does it mean anything?
Answer by: Bernie <Bernie@weekend.com>
First, when you use FR, it is not over a host to router connection.
FR is going to be router to ingress-FR-switch through cloud to
egress-FR-switch to destination-router. With that in mind, what you
have to worry about with exceeding your CIR is the ingress FR switch.
FECN and BECNs are different mechanisms which I will explain in a
minute.
Let me explain the algorithm that FR switches use to police your
bandwidth usage. It is a token/credit system that is implemented on
the *ingress* FR switch (so the ingress switch is the traffic cop).
Keep in mind that everything that I am about to describe occurs
entirely within the FR switch, so when I say that you are given tokens
to transmit, I mean that in the software of the FR switch these tokens
are kept track of, not that the FR switch transmits tokens to your
router to use for each frame. I'm going to start with a simple
scenario in which you only have a CIR and an EIR of 0. Anyway, every
second (which is the default interval, or Tc for those that want the
real term) you get Bc tokens which is essentially permission to
transmit that many tokens worth of data over the time of that second.
Bc tokens decrement against the CIR, which is to say that Bc tokens
are used to regulate the CIR not the EIR (I will describe Be tokens
later). At the end of the second you are given more tokens for use
during the next second. Every time the FR switch receives data from
the router, it subtracts tokens. What happens if you run out of
tokens is that every frame will be discarded until the next interval
at which point you get more tokens. If it receives a frame marked
with a DE bit, it should discard it automatically.
However, most people don't buy FR service with an EIR of zero. In this
case where you have a CIR and an EIR, the token credit system is a
little more complex. Every time interval (Tc) you get Bc tokens and
Be tokens. In the case that you are not setting the DE on any frames,
data received by the FR switch decrements credits from the Bc pool
until exhausted. Suppose the FR switch now receives a frame but there
are no Bc tokens left (you will get more Bc tokens in the next time
interval) at the time. The FR switch will check for a Be token, and
if you have one, it will mark the DE field and transmit the frame
across the network and decrement tokens from the Be pool. Keep in
mind that the Be pool represents your burst capabilities over and
above the CIR. IOW, Be tokens keep track of the EIR and Bc tokens
keep track of the CIR. Suppose the Be pool is exhausted and the Bc
pool is exhausted and another frame arrives. It is dropped, period.
At the next time interval you will get more Bc and Be tokens to use.
What happens if you mark your own DE frames? Well, when the ingress
FR switch receives a non DE-marked frame, it will subtract against the
Bc token pool. If it receives a DE-marked frame, it will subtract
against the Be token pool. If it receives a non DE-marked frame but
there are no Bc tokens left, the FR switch will mark it DE, transmit
it and subtract Be tokens. If it receives any frame (regardless of DE
or non DE-marked) and there are no Bc or Be tokens left, the frame is
dropped. So really the use of marking your own DE frames simply
allows you to be the master of your own destiny by categorizing your
own data intelligently instead of letting the FR switch do it based
simply on the order of arrival. And the reason you want to mark your
own packets has to do with how the network handles congestion (see
below where I talk about BECN, etc.)
A couple of points are worth making. First, you cannot accumulate
tokens over time. There is a maximum amount which is the value of the
committed burst (Bc) and this value has a mathematical relationship
with the CIR (CIR = Bc/Tc also EIR = Be/Tc). In almost all cases Tc
is set to 1 second, so the result is that CIR = Bc and EIR = Be. So
if you have the maximum number of tokens in your Bc token pool (max
amount = Bc), and you send no frames for the next hour, you will still
only have Bc amount of tokens when you send the next frame. Second,
the above description is not 100% accurate so don't use it to teach a
class of newbie students. I simplified a number of things for the
sake of getting the concepts across, and in the process I sacrificed
the accuracy of some of the information. For instance, you don't get
a lump of tokens all at once as I described--in reality, your tokens
replenish gradually over the Tc interval. Third, you only need a
single token (which represents a byte of data) to transmit a frame.
So if you are out of Bc tokens and you only have one Be token left,
even if you send a 1500 byte frame, it will still be transmitted as DE
and the last token will be subtracted.
>> Say I have a CIR of 512 Kbps. Say the users in the site are generating 2
>> Mbps data (internet surfing, email, etc) and I'm not using Discard
>> Eligible(because I wouldn't know how to set that up anyway)
>>
>> Here is my guesswork. The routers may try to send more than 256kbps. The
>> switches will start sending FECN's and BECN's.
They shouldn't start generating FECNs and BECNs unless some FR switch
along the path is overloaded, and this (in theory) shouldn't happen
since you are well below your CIR. IOW, the network should be
engineered to be able to handle everyone's CIR on a statistical basis.
If this were to happen on a regular basis, I would configure my router
to ignore BECNs/FECNs because I am paying for a CIR of 512k, and I'll
be darned if I'll let my NSP force my routers to throttle back when I
am only using half of my CIR. They are "committing" to 512k, so I
want my 512k, not "256k if the network feels like it".
>> The routers will slow down sending rates. If a user is sending data to
>> a router faster than it can route, what will it do? Do TCP window sizes
>> and acknowledgements between the PC's limit the rate at which the router
>> will receive data, so that it is unlikely ever to be too busy?
Remember that TCP windowing is an end-to-end mechanism, so routers in
between aren't part of the equation. PC's rarely send data *to* a
router, but rather *through* a router. So if a user is sending data
through a router faster than it can route, the buffers in the router
fill up, overflow, and packets get dropped, resulting in
retransmissions, and therefore the starting over of the TCP windowing
size.
>> If data is dropped by the router using DE, will the TCP resend process
>> between the PC's be the normal recovery process?
Routers don't drop DE frames. That is a FR switch function, not a
router function. But, yes, ultimately TCP is the process by which
lost packets will be retransmitted.
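The token/credit policing described in the answer above, as an added example that is not part of the original FAQ text: a small Python model of the ingress FR switch with a Bc pool regulating the CIR and a Be pool regulating the EIR, refilled as a lump every Tc seconds exactly the way the answer simplifies it (one token is one byte, a single leftover token is enough to send a whole frame, and unused tokens never accumulate beyond Bc or Be). The names Frame, IngressPolicer and simulate, and the frame sequences, are constructed for this illustration.

```python
# Added example (not from the FAQ): a simplified model of the ingress
# Frame Relay switch's token/credit policing as the answer describes it.
# Names (Frame, IngressPolicer, simulate) and sample traffic are constructed.
from dataclasses import dataclass
from typing import List


@dataclass
class Frame:
    arrival: float      # seconds since the start of the simulation
    size: int           # bytes; one token pays for one byte
    de: bool = False    # Discard Eligible bit already set by the sender


class IngressPolicer:
    """Two token pools: Bc regulates the CIR, Be regulates the EIR."""

    def __init__(self, cir: int, eir: int, tc: float = 1.0):
        # CIR = Bc/Tc and EIR = Be/Tc, so Bc = CIR*Tc and Be = EIR*Tc
        # (rates here are in bytes per second, tokens are bytes).
        self.tc = tc
        self.bc = int(cir * tc)
        self.be = int(eir * tc)
        self.interval = 0
        self.bc_tokens = self.bc
        self.be_tokens = self.be

    def _refill(self, now: float) -> None:
        # Tokens arrive as a lump at the start of each Tc interval and
        # unused tokens are not carried over: the pools can never hold
        # more than Bc / Be, so idling for an hour buys nothing extra.
        current = int(now // self.tc)
        if current != self.interval:
            self.interval = current
            self.bc_tokens = self.bc
            self.be_tokens = self.be

    def police(self, frame: Frame) -> str:
        """Return 'forward', 'forward-DE' or 'drop' for one frame."""
        self._refill(frame.arrival)
        # A non-DE frame is charged to the Bc pool.  A single remaining
        # token is enough to send a whole frame, so the pool is simply
        # floored at zero afterwards.
        if not frame.de and self.bc_tokens > 0:
            self.bc_tokens = max(0, self.bc_tokens - frame.size)
            return "forward"
        # Sender-marked DE frames, and non-DE frames that found Bc empty,
        # are charged to the Be pool and go out marked DE.
        if self.be_tokens > 0:
            self.be_tokens = max(0, self.be_tokens - frame.size)
            return "forward-DE"
        # Both pools empty: dropped until the next interval.
        return "drop"


def simulate(policer: IngressPolicer, frames: List[Frame]) -> List[str]:
    """Run frames (in arrival order) through the policer."""
    return [policer.police(f) for f in frames]


def example_cir_only() -> List[str]:
    # Constructed traffic: CIR 512 kbit/s = 64000 bytes/s, EIR 0, Tc 1 s.
    policer = IngressPolicer(cir=64000, eir=0)
    frames = [
        Frame(0.0, 1500),    # plenty of Bc tokens
        Frame(0.1, 62000),   # leaves 500 tokens
        Frame(0.2, 1500),    # one token is enough: still forwarded
        Frame(0.3, 100),     # Bc empty and no Be: dropped
        Frame(1.0, 100),     # next interval, fresh Bc tokens
    ]
    return simulate(policer, frames)


def example_cir_and_eir() -> List[str]:
    # Constructed traffic: CIR 64000 bytes/s plus EIR 32000 bytes/s.
    policer = IngressPolicer(cir=64000, eir=32000)
    frames = [
        Frame(0.0, 64000),           # exhausts Bc exactly
        Frame(0.1, 1000),            # no Bc left: marked DE, charged to Be
        Frame(0.2, 1000, de=True),   # sender marked DE: charged to Be
        Frame(0.3, 40000),           # exhausts Be (floored at zero)
        Frame(0.4, 1),               # both pools empty: dropped
        Frame(1.0, 1, de=True),      # next interval, Be refilled
    ]
    return simulate(policer, frames)


def example_no_accumulation() -> List[str]:
    # Constructed: an hour of silence does not bank tokens beyond Bc.
    policer = IngressPolicer(cir=64000, eir=0)
    return simulate(policer, [Frame(3600.0, 70000), Frame(3600.5, 1)])


if __name__ == "__main__":
    print(example_cir_only())
    print(example_cir_and_eir())
    print(example_no_accumulation())
```

The model keeps the answer's lump-sum simplification on purpose; as the answer itself notes, real switches replenish tokens gradually across Tc, so a production-accurate model would refill proportionally to elapsed time rather than once per interval. The third scenario shows the point about the hour of silence: the first frame after the idle period still gets only Bc worth of credit.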
**************************************************************************
From: Question 108
Date: 02 February 2002
Subject: How do I stop logging (generating snmp trap) for up/down interfaces?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
**************************************************************************
From: Question 109
Date: 02 February 2002
Subject: How do I setup the variables to do tftpdnld in rommon?
Answer by: "Niloupi" <niloupi@NOSPAM.sympatico.ca>
You can use tftp, if available ... if not, no luck ... xmodem using the console
or another flash. And I think you can upgrade the boot ROM to support the
command tftpdnld, but I'm not sure about it:
IP_ADDRESS=10.1.1.16
IP_SUBNET_MASK=255.255.255.0
DEFAULT_GATEWAY=10.1.1.2
TFTP_SERVER=10.1.1.2
TFTP_FILE=ios.bin
FE_SPEED_MODE=0
TFTP_VERBOSE=1
tftpdnld -d
**************************************************************************
From: Question 110
Date: 02 February 2002
Subject: How do I get the memory-usage on the Vip-Card
Answer by: Christophe Fillot <cf@utc.fr>
**************************************************************************
From: Question 111
Date: 02 February 2002
Subject: What is the order of operation in terms how a packet is processed?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
**************************************************************************
From: Question 40
Date: 02 February 2002
Subject: What are the different T1 jack type codes?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
RJ48-BLAH where BLAH ==
"C" Identifies a surface or flushmounted jack.
"W" Identifies a wallmounted jack.
"S" Identifies a single-line jack.
"M" Identifies a multi-line jack.
"X" Identifies a complex multi-line or series-type jack.
The "X" variety can automatically loop up the line if you pull out the cable,
so it's usually called a "smartjack".
**************************************************************************
From: Question 113
Date: 02 February 2002
Subject: How do I show just one interface's configuration?
Answer by: "harry" <ccie@blueyonder.co.uk>
My all time favourite "trick" is "show run int xx" where xx is the interface
in question.
**************************************************************************
From: Question 114
Date: 02 February 2002
Subject: How can I search CCO for IS-IS related information?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
Searching the CCO for IS-IS is a bit of a pain since you have two stop
words and a hyphen! So search the CCO for:
+is-+is
**************************************************************************
From: Question 115
Date: 02 February 2002
Subject: How can I script a network reachability test?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
Today a trouble ticket was elevated to our design team. It seems a bunch
of users are locking up while using Outlook with OpenMail servers. Not
sure if it was network, Outlook, OpenMail server, or combination of the
above. Since the users were somewhat senior level folks, it was not
realistic to have to jot down detailed notes about when it happened etc.
Since the PCs were all Wintel based, I wrote this in a hurry to include in
their "START" menu. Not being able to use Unix tools pretty much tied my
hands, and I didn't put in a lot of error checking, but hey, I only had
about 30 minutes to whip this up.
Although it's a bit simple, I hope you find it somewhat useful.
------ BEGIN BATCH FILE ----
TITLE TESTING THE NETWORK
@echo off
cls
echo.
echo.
echo.
echo.
echo.
echo **********************************************************
echo **********************************************************
echo **********************************************************
echo * *
echo * *
echo * Running network test........ *
echo * This window will close automatically when *
echo * the testing has been completed. *
echo * *
echo * Please call XYZ at XYZ if you have any questions *
echo * *
echo * *
echo **********************************************************
echo **********************************************************
echo **********************************************************
:
: Create a temp folder for our use and start with some flower
: box delimiters
:
if not exist c:\mailte$t md c:\mailte$t
echo ***************************************>> c:\mailte$t\%username%.txt
echo ***************************************>> c:\mailte$t\%username%.txt
:
: Pipe in some blank lines and date time stamp.
echo. >> c:\mailte$t\%username%.txt
echo.|date | find /i "current" >> c:\mailte$t\%username%.txt
echo.|time | find /i "current" >> c:\mailte$t\%username%.txt
echo. >> c:\mailte$t\%username%.txt
:
: Start a trace route w/o Rev-DNS lookups to our servers.
: The server name is given as a command line argument.
echo TRACE ROUTING TO %1 >>c:\mailte$t\%username%.txt
tracert -d %1.blah.foobar.com >>c:\mailte$t\%username%.txt
echo. >> c:\mailte$t\%username%.txt
:
: ping with max sized ICMP packets
echo PINGING to %1 >>c:\mailte$t\%username%.txt
:
: -l sets the payload size (1472 + 28 bytes of headers = 1500 byte packet)
ping -l 1472 %1.blah.foobar.com | find /i "Reply from" >>c:\mailte$t\%username%.txt
:
echo. >> c:\mailte$t\%username%.txt
echo. >> c:\mailte$t\%username%.txt
:
: Now ftp it to the 2.104 server using the script file
: C:\ftpcmd.txt
:
ftp -s:c:\ftpcmd.txt x.x.2.104
exit
**************************************************************************
From: Question 116
Date: 02 February 2002
Subject: How can I access the console port on my MSFC in my 6500?
Answer by: "Brian V" <harleydavidson1.diespammer@mediaone.nospam.net>
Yes, I've done it many times. I believe the cable is a plain ole ethernet
cable, no need to make anything special, just make sure you have a regular
patch cable. You'll actually need two of them. One for your laptop's NIC
card (so you can tftp the new image). One for the console connection. There are
actually 2 RJ45 ports on the sup board. One's for the PFC and one for the
MSFC. I have to rebuild a couple of data centers this morning that have a
couple 6509's in them.
It's the jack labeled P7, it's the one to the far right of the motherboard.
It uses a straight thru, plain ole ethernet cable. There are only two jacks
inside, so it's pretty straight forward. If you want the pics, ping me
offline and I'll email 'em to you.
**************************************************************************
From: Question 117
Date: 02 February 2002
Subject: How do I access my MSFC/Router in my 6509?
Answer by: Roberto Piersante (rp67@libero.it)
From supervisor1 reset module 15, then "switch console" and send a break:
switch(enable) reset 15
Unsaved configuration on module 15 will be lost
Do you want to continue (y/n) [n]? y
2000 Jun 23 06:36:59 %SYS-5-MOD_RESET:Module 15 reset from Console//
Resetting module 15...
switch(enable) switch console
Trying Router-15...
Connected to Router-15.
Type ^C^C^C to switch back...
/* (A break-sequence has been sent here) */
monitor: command "boot" aborted due to user interrupt
rommon 1 >
Also look at this link:
http://www.cisco.com/warp/public/474/pswdrec_6000MSFC.html
**************************************************************************
From: Question 118
Date: 10 February 2002
Subject: Where can I find a list of undocumented IOS commands?
Answer by: "ozzig" <billybellend2000@yahoo.MYPANTScom>
http://www.boerland.com/dotu/
**************************************************************************
From: Question 119
Date: 10 February 2002
Subject: Where can I find information on securing or hardening Cisco routers?
Answer by: "James R. Quinn" <jquinn@jquinn.org>
Cisco Router Hardening Step-by-Step
http://rr.sans.org/firewall/router2.php
Improving Security on Cisco Routers:
http://www.cisco.com/warp/public/707/21.html
Cisco PSIRT Advisories
http://www.cisco.com/warp/public/707/advisory.html
Cisco's Security Technical Tips
http://www.cisco.com/warp/public/707/index.shtml
Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks
http://www.cisco.com/warp/public/707/newsflash.html
Characterizing and Tracing Packet Floods Using Cisco Routers
http://www.cisco.com/warp/public/707/22.html
Denial of Service (DoS) Attack Resources
http://www.denialinfo.com/
**************************************************************************
From: Question 120
Date: 10 February 2002
Subject: How can I connect two Cisco routers back to back through the AUX
ports?
Answer by: "James R. Quinn" <jquinn@jquinn.org>
**************************************************************************
From: Question 121
Date: 02 February 2002
Subject: How do I use Secure Shell (SSH) on Cisco devices?
Answer by: "James R. Quinn" <jquinn@jquinn.org>
**************************************************************************
From: Question 123
Date: 29 May 2002
Subject: How do i see log messages on the router console?
Answer by: "Phillip Remaker" <remaker@cisco.com>
Log messages are broken into 7 levels, and they can go to 3 places:
- Console (console logging)
- Monitor (any line configured with "monitor" or with the "terminal monitor"
exec command)
- trap (syslog)
The command to turn up log messages is "logging (place) (level)"
In your case, you probably want
logging console informational
for minimum messages or
logging console debug
for debugging messages.
Tip: console logging is disabled by default because the console serial port
makes 1 interrupt per character, and has the highest priority of any
interrupt on the box. If you want to do console logging, you should
probably also rate limit the messages, since an uncontrolled flood of
messages to the console can literally cause the box to slow to a crawl and
fail.
In most cases, it is a better idea to telnet to the box, and debug using
'monitor' logging and "terminal monitor" on the vty.
**************************************************************************
From: Question 124
Date: 29 May 2002
Subject: What is my overhead of using IPSec
Answer by: alan@internal.wj.com (Alan Strassberg)
**************************************************************************
From: Question 125
Date: 29 May 2002
Subject: What is the pinout for the DB9 to RJ45 connector?
Answer by: "ferg" <ferg@somewhere.com>
ok, I just tested the pinouts of a DB9-RJ45 adapter that I have here... this
is what I found:
DB9 RJ45
1 - nothing
2 - 6
3 - 3
4 - 2
5 - 4&5 together
6 - 7
7 - 1
8 - 8
9 - nothing
**************************************************************************
From: Question 126
Date: 29 May 2002
Subject: Should I use a T1, Cable modem or DSL for Internet connections?
Answer by: vcjones@NetworkingUnlimited.com (Vincent Jones)
This question comes up often enough it probably should be in the
FAQ. Each has its advantages and each has its weaknesses. Which is
best will depend upon the specific business requirements and how the
network is used.
T1/E1 - Providers tend to treat T1's as serious business products. They
tend to be better managed and service response to outages is usually
quick. Data rate is a constant, if you order 1.544Mbps, you get 1.544
Mbps in both directions. (Note: fractional T1 may be available with
asymmetric capacity provisioned).
DSL - Providers consider this a "consumer grade" offering. Users'
experience has been more frequent outages. More important, response
to failures that do occur tends to be slow, particularly if the local
telco providing the copper is competing with the DSL provider. ADSL
provides asymmetric data rates, but "business grade" offerings,
such as IDSL and SDSL provide the same data rates both upstream and
downstream. High data rates are only available to users close to the
telephone central office.
Cable - Shared medium subject to fluctuating bandwidth availability.
Reliability will depend upon the local cable company, and can vary
widely. On average, tends to be about as available as DSL. Only
available in areas wired for cable TV, which could limit availability
in business parks and other non-residential areas. Also only available
where the cable franchise has chosen to offer the service.
Other Considerations (feel free to add ones I've missed)
Provisioning of redundant connectivity for servers offered to the
public versus internal users browsing the Internet versus VPNs for
cost savings all have very different requirements and solutions
suitable for one may not work with the others.
BGP support for multihoming is typically only available on T1
links. But then again, if you're only surfing or VPNing there are
easier ways to get redundancy that do not require BGP.
In most markets, you can buy a lot of ISDN backup for the price
difference between DSL/Cable and T1.
Many DSL/Cable providers will block VPN and inbound traffic to your
servers unless you purchase their premium "business" service. Make
sure the conditions of service are compatible with your needs.
DSL is rarely good backup for T1 because both share the same single
points of failure in the telco local loop provisioning. Cable can
provide more diversity as a backup, but may still be sharing common
single points of failure such as power poles.
**************************************************************************
From: Question 127
Date: 29 May 2002
Subject: How do I change the time length of 15 mins that is used when
displaying the Show ISDN history command?
Answer by: John Zwaanswijk
You can try the command isdn-mib retain-timer
**************************************************************************
From: Question 128
Date: 29 May 2002
Subject: Why do I see "double" characters when I telnet into my router?
Answer by: Barry Margolin <barmar@genuity.net>
>I have a 2500 router, and it's display double commands as shown below.
>cclloocckk rraattee 6644000000
>what can I do to fix it. Thanks.
Looks to me like you have local echoing configured on your terminal
emulator. Turn it off and let the router do all the echoing.
**************************************************************************
From: Question 129
Date: 29 May 2002
Subject: How do I see power-supply failures via SNMP?
Answer by: "Hennen, David" <David.Hennen@gtech.com>
**************************************************************************
From: Question 130
Date: 29 May 2002
Subject: How do I change the timer for tx/rxload when doing "show int" command?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
**************************************************************************
From: Question 131
Date: 29 May 2002
Subject: How do I setup SLIP on my Cisco terminal servers?
Answer by: Aaron@Cisco.COM (Aaron Leonard)
Here's an example:
interface async 1
! slip is the default encapsulation
encapsulation slip
ip unnumbered ether0
peer default ip address 10.1.2.3
async mode interactive
line 1
! or whatever
speed 19200
! or whatever - but not software!
flowcontrol hardware
stopbits 1
! assuming that the DTE's DTR is wired to our DSR
modem dialin
**************************************************************************
From: Question 132
Date: 29 May 2002
Subject: How do I setup FR End-to-End keepalives?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
I believe so. Just so we're clear (to the original poster), bandwidth on
demand is the ability to kick up a line when you reach a certain threshold.
Floating static can't be used since the lower admin-distance route will
never get a chance to float up.
FR e-t-e can be setup as follows:
int s0/0
blah
frame-relay class end-to-end-keepalive
blah
!
map-class frame-relay end-to-end-keepalive
frame-relay end-to-end keepalive mode bidirectional
**************************************************************************
From: Question 133
Date: 29 May 2002
Subject: What basic information do I need to setup a T1 from my ISP?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
Tell them "I'm going to use B8ZS and ESF and I'll provide the clocking"
> What must I decide for myself?
IP address and encapsulation type (ppp or hdlc - the default)
> What commands are going to get me operational?
On the router that will provide the clocking (only one side needs to provide
clocking)
enable
conf t
interface s0/0 ! or wherever you have the WIC1-DSU-T1
! Have this router provide the clocking. Alternative is to take it
! from the line on both sides and have the Telco provide the clocking.
!
service-module t1 clock source internal
!
!Use ESF framing as opposed to Superframe (D4). ESF is the default.
!
service-module t1 framing esf
!
!Use B8ZS (Binary 8 Zero Substitution) as opposed to
! AMI - Alternate Mark Inversion. B8ZS is the default.
!
service-module t1 linecode b8zs
!
! Use ppp when connecting to a non-cisco router. HDLC is the default.
!
encapsulation ppp
!
ip address 192.168.1.1 255.255.255.0
no shut
**************************************************************************
From: Question 134
Date: 29 May 2002
Subject: How do I setup NAT and Port forwarding?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
int e0/0
desc This is the inside address using RFC address
ip addr 10.1.1.1 255.255.255.0
ip nat inside
!
int s0/0
desc This goes to the ISP using assigned address x.x.x.1/30
ip address x.x.x.1 255.255.255.252
ip nat outside
!
! Next line determines who will get to use the NAT
! Anyone coming from 10.1.1.0 address will be NATed.
access-list 1 permit 10.1.1.0 0.0.0.255
!
! Next line assumes that you want to use one IP for everyone
! and use the port address translation. In your case, you could
! actually use one to one translation.
!
ip nat inside source list 1 interface serial0/0 overload
!
!Set up a static translation so you can telnet into your server
!Assume your server is at 10.1.1.5
!
ip nat inside source static tcp 10.1.1.5 23 x.x.x.1 23
!
!or forward http traffic to your 10.1.1.4 server
!
ip nat inside source static tcp 10.1.1.4 80 x.x.x.1 80
**************************************************************************
From: Question 135
Date: 29 May 2002
Subject: Where can I buy some Back-to-Back serial cables?
Answer by: vcjones@NetworkingUnlimited.com (Vincent Jones)
www.pacificcable.com
www.anthonypanda.com
**************************************************************************
From: Question 136
Date: 29 May 2002
Subject: How can I policy-route router generated packets?
Answer by: "Erick B." <erickbe@yahoo.com>
**************************************************************************
From: Question 137
Date: 29 May 2002
Subject: Is there another way to upload my IOS w/o a tftp server?
Answer by: "Paul Lalonde" <plalonde2@cogeco.ca>
Here's what I do when I need to upgrade a router's IOS and I don't have LAN
or sync serial access to it for TFTP purposes.
1. Plug the following code into the router to configure it for PPP on the
AUX port:
interface Async1
ip address 192.168.255.254 255.255.255.252
encapsulation ppp
no ip route-cache
async default routing
async mode dedicated
!
ip default-gateway 192.168.255.253
!
line con 0
line aux 0
no exec
exec-timeout 0 0
modem InOut
transport input all
stopbits 1
rxspeed 38400
txspeed 38400
flowcontrol hardware
2. Configure a "dialup networking" entry on my Windows PC using the
NULL-MODEM driver available from the following Cisco URL:
http://www.cisco.com/warp/public/471/103.html
Configure the dialup networking entry to use 192.168.255.253 as the IP
address of the dialing interface.
3. Start up the TFTP server on my Windows PC.
4. Connect to the router from my Windows PC using the dialup networking
entry.
5. Open up the router console and use regular TFTP commands to pull the
image across.
Depending on what family of router you have (2500, 2600) your AUX port will
accommodate up to 38400 (older families) or 115200 (newer families).
**************************************************************************
From: Question 138
Date: 29 May 2002
Subject: What does the keyword EXTENDABLE mean when doing NAT?
Answer by: Josh Duffek (jduffek@cisco.com)
From: http://www.cisco.com/warp/public/701/60.html
"Extendable" static translations:
The extendable keyword allows the user to configure several ambiguous
static translations, where ambiguous translations are translations with the
same local or global address.
ip nat inside source static <localaddr> <globaladdr> extendable
Some customers want to use more than one service provider and
translate into each provider's address space. You can use route-maps to
base the selection of global address pool on output interface as well as
an access-list match. Following is an example:
ip nat pool provider1-space ...
ip nat pool provider2-space ...
ip nat inside source route-map provider1-map pool provider1-space
ip nat inside source route-map provider2-map pool provider2-space
!
route-map provider1-map permit 10
match ip address 1
match interface Serial0/0
!
route-map provider2-map permit 10
match ip address 1
match interface Serial0/1
.
.
.
Once that is working, they might also want to define static mappings
for a particular host using each provider's address space. The software
does not allow two static translations with the same local address, though,
because it is ambiguous from the inside. The router will accept these static
translations and resolve the ambiguity by creating full translations (all
addresses and ports) if the static translations are marked as "extendable". For
a new outside-to-inside flow, the appropriate static entry will act as a
template for a full translation. For a new inside-to-outside flow, the dynamic
route-map rules will be used to create a full translation.
**************************************************************************
From: Question 139
Date: 29 May 2002
Subject: Where can I get some third party icons for my Visio program?
Answer by: "Mike Gortych" <mgortych@ntplx.com>
Check out www.altimatech.com; they sell a product called netzoom that has a
great cisco library that they keep up to date; they even take requests!
**************************************************************************
From: Question 140
Date: 29 May 2002
Subject: Can you help me interpret the output from "Looking Glass" (BGP?)
Answer by: Barry Margolin <barmar@genuity.net>
>I am learning BGP.
>I notice a lot of our engineers where I work use looking glass at
>www.traceroute.org to get answers to a lot of their questions.
>Unfortunately it's hard to get them to give me a seminar.
>Looking glass isn't covered in my cisco press books.
>I am having a hard time grasping when I would need to use looking
>glass.
>and particularly how to use it.
>
>I put in an ameritrade address and it gives me the following.
>
>Query: bgp
>Addr: 64.236.2.194
>BGP routing table entry for 64.236.0.0/16, version 89281795
>Paths: (2 available, best #2)
> Not advertised to any peer
> 1668
> 66.185.128.93 (metric 445601) from 165.117.1.194 (165.117.1.194)
> Origin IGP, metric 4294967294, localpref 105, valid, internal
> Community: 2548:177 2548:209 2548:666 3706:115
> 1668
> 66.185.128.51 (metric 410701) from 165.117.1.166 (165.117.1.166)
> Origin IGP, metric 4294967294, localpref 105, valid, internal, best
> Community: 2548:177 2548:317 2548:666 3706:164
>
>
>What peer problems would arise where I may need this information?
>Especially considering I would need to have a peer address to put in
>in the first place.
This is usually used to confirm that a route is being advertised by the
proper ISP. You don't put peer addresses in, you put destination network
addresses in.
>I see there are communities. Not sure who the community members are or
>what the parameters contained in the community attribs are. Any way to
>find out?
Most communities don't have standard meanings. Each AS assigns meanings to
the communities that it cares about. By convention, communities are formed
by concatenating the ASN that's using the community with a second number
that the AS network administrators assign, so the communities shown above
are meaningful to AS 2548 and AS 3706. Communities are often used by ISPs
to allow their customers to influence routing parameters; for instance, the
customer can often send communities that control what localpref the ISP
assigns to the routes.
>Any good hints/web-links on how to use or get the most out of the
>looking glass site would be appreciated.
There's nothing really special about the looking glass, it's just showing
you the output of "show ip bgp" (and other router commands). It's no
different from doing it on your own routers, but the looking glass lets you
do it from outside your network, so you can tell whether a problem is
specific to your network or more widespread.
**************************************************************************
From: Question 141
Date: 29 May 2002
Subject: When using Tunnel with an interface that has an ACL, what happens?
Answer by: Barry Margolin <barmar@genuity.net>
**************************************************************************
From: Question 142
Date: 29 May 2002
Subject: Do I need a Xover cable when using 1000Base-T?
Answer by: rich@richseifert.com (Rich Seifert)
> I guess it depends on the 1000baseT NICs. On mine, I've used both a
> crossover cable and a straight-thru cable just fine to connect two NICs.
> They autonegotiate
>
Correct. First of all, 1000BASE-T *requires* Auto-Negotiation; it isn't
designed to work without it. Second, most 1000BASE-T equipment implements a
function that detects whether the cable is straight-through or crossover,
and automatically configures itself to work either way. (During the startup
training, it can tell how the pairs are connected, and connect each pair to
the appropriate decoder module.)
**************************************************************************
From: Question 143
Date: 29 May 2002
Subject: How do I break the "Rule of Ten" for BGP Load balancing?
Answer by: "Cajun" <cajun@cyberspace.org>
That's not true. BGP WILL join two lines AND load balance across them. The
trick is, you have to make every single one of the "Rule of Ten" rules
equal; which is not a difficult thing to do. Weights, MEDs, Local Preference,
AS-Path, etc, will all most likely be identical, provided both T1's come
from the same provider (yes, I know he said they're different providers.)
You can load-balance with BGP across two links, provided the links terminate
on the same router on both ends. With everything else being equal, BGP will
snag on the last rule, using the IP address of the interfaces to decide
which path to take. All you have to do is break that last rule and you're
home free.
Here's how you do it:
1) Place static routes on each router pointing across each link to get to
the other's loopback address.
2) Set up your neighbor statements with each other's loopback address.
3) Put in a neighbor statement with an update-source of your loopback
address.
4) Enter another neighbor statement with ebgp-multihop.
BAM! You're done. You've just now broken the "Rule of Ten." BGP will have no
choice but to enter two routes into the routing table, which will load
balance.
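An added example, not part of the FAQ, serving both Question 140 and Question 143: it parses the show ip bgp entry quoted in Question 140 (constructed here from that post with the quoting removed) and then walks the best-path rules in order to show which rule actually picked path #2, which is also why Question 143's load-balancing trick only works once every earlier rule ties. The rule list covers only the attributes this output displays.

```python
import re
# Constructed sample input: the looking-glass entry quoted in Question 140, ">" quoting removed.
LG_OUTPUT = """\
BGP routing table entry for 64.236.0.0/16, version 89281795
  1668
    66.185.128.93 (metric 445601) from 165.117.1.194 (165.117.1.194)
      Origin IGP, metric 4294967294, localpref 105, valid, internal
      Community: 2548:177 2548:209 2548:666 3706:115
  1668
    66.185.128.51 (metric 410701) from 165.117.1.166 (165.117.1.166)
      Origin IGP, metric 4294967294, localpref 105, valid, internal, best
      Community: 2548:177 2548:317 2548:666 3706:164
"""
ORIGIN_RANK = {"IGP": 0, "EGP": 1, "incomplete": 2}  # lower is preferred

def parse_paths(text):
    """Parse each path of a 'show ip bgp <prefix>' entry into a dict of its attributes."""
    lines = [l.strip() for l in text.splitlines()] + [""] * 3
    paths = []
    for i, line in enumerate(lines):
        if not re.fullmatch(r"\d+(?: \d+)*", line):  # an AS-path line opens a path block
            continue
        hop = re.match(r"(\S+) \(metric (\d+)\)", lines[i + 1])
        attrs, comm = lines[i + 2], lines[i + 3]
        # Communities are written ASN:value; the ASN identifies whose convention applies.
        comms = comm.split(":", 1)[1].split() if comm.startswith("Community:") else []
        paths.append({
            "as_path": [int(a) for a in line.split()],
            "next_hop": hop.group(1), "igp_metric": int(hop.group(2)),
            "origin": re.search(r"Origin (\w+)", attrs).group(1),
            "med": int(re.search(r"metric (\d+)", attrs).group(1)),
            "localpref": int(re.search(r"localpref (\d+)", attrs).group(1)),
            "internal": "internal" in attrs,
            "communities": [tuple(map(int, c.split(":"))) for c in comms],
        })
    return paths

# Best-path rules in IOS order, limited to what this output shows (weight is not
# displayed here); every key is "lower wins".
TIE_BREAKERS = [
    ("localpref", lambda p: -p["localpref"]), ("as_path_length", lambda p: len(p["as_path"])),
    ("origin", lambda p: ORIGIN_RANK[p["origin"]]), ("med", lambda p: p["med"]),
    ("ebgp_over_ibgp", lambda p: p["internal"]), ("igp_metric", lambda p: p["igp_metric"]),
]

def best_path(paths):
    """Return (1-based index of the winner, rule that decided it); if every rule ties, the
    router falls through to the neighbor-address rule that Question 143 calls the last one."""
    cands = list(range(len(paths)))
    for name, key in TIE_BREAKERS:
        low = min(key(paths[i]) for i in cands)
        cands = [i for i in cands if key(paths[i]) == low]
        if len(cands) == 1:
            return cands[0] + 1, name
    return cands[0] + 1, "neighbor_address"
```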
**************************************************************************
From: Question 144
Date: 29 May 2002
Subject: How do I only accept a 0/0 Route but advertise my 30 addresses via BGP?
Answer by: Barry Margolin <barmar@genuity.net>
**************************************************************************
From: Question 145
Date: 29 May 2002
Subject: Should I turn off console logging?
Answer by: "Phillip Remaker" <remaker@cisco.com>
crashinfo reads from the log buffer, not the console itself. If you want to
have console messages included in crashinfo, you may turn on logging console
BUT you also want to be sure logging buffered is on. Once logging buffered
is on, console messages do not go to the physical console port and the
interrupt problem is circumvented.
**************************************************************************
**************************************************************************
HALL OF FAME FOR VERSION 2.0 AND ABOVE
**************************************************************************
**************************************************************************