FAQ po materialam FIDO-konferencii RU.CISCO
Dannyj FAQ sostavlen po materialam FIDO-konferencii RU.CISCO,
newsgroup comp.dcom.sys.cisco, spiska rassylki inet-admins
i drugih istochnikov.
Spasibo vsem obitatelyam ehi RU.CISCO.
Spasibo vsem, kto prisylal ssylki, pary q/a.
Pytayushchijsya inogda vesti FAQ - Dmitriy Yermakov, dyer@sut.ru, 2:5030/1115
Data poslednej modifikacii - 17 yanvarya 2001.
Dopolneniya, ispravleniya luchshe prisylat' na dyer@sut.ru
http://cube.sut.ru/~dyer/faq/cisco.html
Tekstovaya versiya
ftp://ftp.east.ru/pub/inet-admins/cisco.txt
DISCLAIMER.
Sostavitel' dannogo teksta ne yavlyaetsya Cisco-guru
i ne osushchestvlyaet tech-support by e-mail or netmail.
0. Obshchie voprosy
1. Sync,Async,AUX,Callback
2. FR
3. X25
4. ACL
5. Traffic-shape
6. Routing
7. TACACS,RADIUS,AAA
8. Memory
9. NTP, TZ
10. NAT
11. Telco, ISDN
13. SNMP
14. Cables
15. TROUBLESHOOTING
97. Software
98. IOS Black Lis/White List/Recommendations
99. Misc
Zametki na polyah
===========================================================
===========================================================
0.1>Q: Gde mozhno chto-to pochitat' pro Cisco ?
>A: horom :)
UniverCD, idushchij v postavke.
http://www.cisco.com i
http://www-europe.cisco.com
[11.09.2000] Po povodu UniverCD.
A>:(Dmitry Morozovsky) 'Novye' DocCD ot Cisco - gzip-compressed
------- httpd.conf:
Action text/gzipped /cgi-bin/gzcat.cgi?
AddHandler text/gzipped .html .htm
------- gzcat.cgi:
#!/bin/sh -
echo "Content-type: text/html"
echo ""
HF=${DOCUMENT_ROOT}/$REQUEST_URI
if [ -r $HF ]; then
gzcat -f $HF
else
echo "No such file, sorry"
fi
>A: Po povodu ustanovki pod Win2k (Sergey Zarubin)
From: "Evan Wagner"
Newsgroups: comp.dcom.sys.cisco
Subject: Re: Windows 2000 & Cisco CD
Date: Thu, 20 Apr 2000 23:04:18 -0400
To get the Cisco documentation to work under Windows 2000:
Run regedit
Export your registry (as a precaution)
Locate the Windows 2000 Registry Key:
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/IE4/Setup/Path
Change the value from "%programfiles%\Internet Explorer" to the location
where IE is installed on your system, for example "D:\Program Files\Internet
Explorer"
Uninstall the Cisco Documentation CD
Delete the old install directory
Reinstall the Cisco documentation CD and you should be good to go.
>A: Aleksandr Rainchik
Cisco Systems and Cisco Routers in a Nutshell
http://www.clark.net/pub/rbenn/cisco.html
Est' takoj zamechatel'nyj server: McGraw-Hill Beta Books
http://www.pbg.mcgraw-hill.com/betabooks/betabooks-home.html
>A: (Dmitriy Yermakov)
Koe-kakie konkretnye primery konfigov est' na
Relkome
http://relcom.eu.net/INFO/NOC-IP/FAQ/faq.html
DEOle
http://www.deol.ru/~bog/work/cisco_access.html
Sample Configurations na www.cisco.com
http://www.cisco.com/warp/public/700/tech_configs.html
Guide to Cisco Router Configuration
http://www.primenet.com/~web/router/cisco-configuration.html
Cisco routery i bor'ba s nimi v bibliotete M.Moshkova
http://www.parkline.ru/Library/koi/CISCO/
TACACS-FAQ - http://www.easynet.de/tacacs-faq
Spisok AV-pairs dlya TACACS - http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt23/csnt23ug/ap_tacac.htm
CISCO-FAQ - comp.dcom.sys.cisco Frequently Asked Questions
http://cube.sut.ru/~dyer/faq/cisco-networking-faq.txt i
ftp://ftp.east.ru/pub/inet-admins/cisco-networking-faq.txt
CISCO-FAQ na servere Cisco - http://www.cisco.com/warp/public/458/index.shtml
Arhiv mailing-list inet-admins http://info.east.ru/win/inetadm.html gde tozhe est' voprosy/otvety. I ne tol'ko po Cisco.
Nebol'shoj FAQ http://www.sunshine.dp.ua/os/reports/ciscofaq.html
Stat'i s soobshcheniyami iz RU.CISCO na http://www.opennet.ru/base/cisco
[07.09.2000] >A: Martin McFlySr
Poisk po kiske na dvizhke Google http://cisco.google.com/cisco
[18.09.2000] Obzor literatury Cisco Press "S.Zaytsev"
0.2>Q: Gde vzyat' arhiv RU.CISCO ?
>A: (Dmitriy Yermakov)
http://www.dejanews.com :)
0.3>Q: Gde vzyat' svezhij IOS ?
>A: (Denis Saveliev)
Beta versii lezhat na ftp://ftpeng.cisco.com/isp
P.S. (DY) Voobshchem-to IOS ne besplaten.
[13.06.2000] 0.4>Q: CHto takoe NetFlow i s chem ego edyat ?
>A: (DY)
Podrobnee ob etom mozhno pochitat' na Cisco http://www.cisco.com/warp/public/732/netflow
Programmy dlya sborki i obrabotki statistiki NetFlow.
http://www.auckland.ac.nz/net/NeTraMet
http://www.caida.org/Tools/Cflowd
Na etih zhe sajtah est' eshche ssylki, no eti - kazhetsya samye populyarnye.
Est' eshche http://www.ipmeter.com
(billing) nuzhen NeTraMet.
[05.09.2000]I eshche ssylochka http://www.switch.ch/tf-tant/floma/software.html#netflow
>A: (Vladislav Nebolsine)
Primery konfiguracii -
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t3/policyrt.htm
tam zhe ssylki na dopolnitel'nuyu dokumentaciyu.
===========================================================
===========================================================
1.1>Q: Podskazhite kak na Cisco 2509 sdelat' vhod s modemov na IFCICO !
>A: (Dmitriy Yermakov)
Pri ispol'zovanii TACACS sm. nizhe.
username **EMSI_INQC816 nopassword
username **EMSI_INQC816 autocommand telnet [host] [port_ifcico] /stream
neobhobimost' nalichiya klyuchika /stream luchshe proverit' opytnym putem
po povodu
banner login # **EMSI_REQA77E #
nado/ne nado k okonchatel'nomu resheniyu ne prishli
u menya eto est'
>A: (Alecsey Gusev)
username **EMSI_INQC816 nopassword noescape
username **EMSI_INQC816 autocommand telnet
username **EMSI_INQC816**EMSI_INQC816q. nopassword noescape
username **EMSI_INQC816**EMSI_INQC816q. autocommand telnet
username **EMSI_INQC816q nopassword noescape
username **EMSI_INQC816q autocommand telnet
username **EMSI_TZP16B2 nopassword noescape
username **EMSI_TZP16B2 autocommand telnet
ne nuzhen banner login # **EMSI_REQA77E #
>A: (Alecsey Gusev)
Dlya Argus'a nado dobavit' pol'zovatelya **EMSI_TZP16B2,
argus pervym delom posylaet eto.
[19.07.2000] (Sergei Shumakov) takogo argus tochno ne delaet. vot eto
-TZP16B2-
on poslat' mozhet, no tol'ko posle togo, kak pojmal **EMSI_REQA77E.
>A: patchik dlya ifcico (Maksim Malchuk)
*** session.c.orig Wed Dec 27 16:22:31 1995
- --- session.c Tue Feb 13 08:48:13 1996
***************
*** 163,168 ****
- --- 163,170 ----
SM_ERROR;
}
+ PUTSTR("**EMSI_INQC816\r");
+
p=buf;
/*PUTSTR(" \r");*/
PUTCHAR('\r');
1.2>Q: Dialout service for unix ili kak pricepit' port NAS'a k chemu nibud'.
>A: Alex Tutubalin, Vadim Mikhailov
Win95/NT
http://www.cisco.com - dialout serice ili kak tam ego.
FreeBSD,Linux
modemu-0.0.1 |muliruet /dev/ttyXX cherez lyuboj telnet.
Dlya ciski eto budet inversnyj telnet na port 2000+n.
Ho faksy vryad li cherez eto poshlesh', hotya kto ego znaet?
(AT): Ha 2000+n poptu net flow control. A dialout hodit na 6000+n.
nettty - gde-to v rajone http://www.livingston.com
>A: (Leonid Kirillov)
Pod Win'95/3.x/NT problema reshaetsya pri pomoshchi
http://www.cisco.com/univercd/cc/td/doc/product/access/dialout/index.htm.
Sposob resheniya problemy pod DOSom neizvesten.
1.3>Q: Mozhno-li kak-nibud' organizovat' popadanie ne na opredelennuyu liniyu,
a na pervuyu svobodnuyu, skazhem? Mne dumaetsya, chto eto mozhno kak-to
organizovat' cherez ob®edinenie mozhet, v Dialer Group? Voobshche, interesno;)
>A: (Vasily Ivanov)
5000+nomer
chepez ustanovlenyj rotary na nuzhnyh liniyah.
1.4>Q: Hotelos' nemnogogo - pricepit' modem na AUX. Propisal emu sleduyushchee:
line aux 0
location TESTING
access-class 1 in
password line anything
script reset reset-modem
modem InOut
transport preferred none
transport input all
transport output none
stopbits 1
rxspeed 19200
txspeed 19200
flowcontrol hardware
Zajdya telnetom na etot modem, naruzhu pozonit' ya mogu, a zvonyu na nego
snaruzhi - tishina, modem podnimaet trubku i molchit, posle chego
otvalivaet. Hikakih promptov, nichego. Ostal'nye vosem' modemov
rabotayut normal'no.
Kuda mne pnut' kisku, chtoby ona priznala AUX? IOS 11.2.
>A: (Sergey Zhuk)
line aux 0
login local
modem Dialin
terminal-type vt100
stopbits 1
rxspeed 38400
txspeed 38400
flowcontrol hardware
vot... rabotaet...
s inout tozhe rabotaet...
1.5>Q: CHto za nomera 20xx, 40xx, 60xx portov na Cisco ?
>A: (Dmitri Beloslioudtsev)
A eto raznye rezhimy raboty telnet:
Telnet port 20xx
Telnet raw port 40xx
Telnet binary port 60xx
A>: (Eugene Zhilitsky)
Porty 30hh, 50hh, 70hh - to zhe samoe, no dlya rotary.
1.6>Q: A ne podskazhet li vseznayushchij All, kak v kiske 2503 nastpoit' AUX
popt dlya podklyucheniya k nemu modema s vydelennoj liniej. Ha
mapshputepe s dpugoj stopony vydelenki ostalis' tol'ko asinhponnye
popty.
>A: (Dmitry Morozovsky)
int a0
ip unn e0
enc ppp
keep 10
asy mode dedicated
asy def rou
asy dyn rou
li a 0
speed 38400
flow hard
esc NONE
stopbits 1
Plyus konfiguraciya modema (dlya reverse telnet nuzhny modem inout & tran in
telnet)
1.7>Q: Kak zastavit' rabotat' NT, Win c kiskoj po nul'-modemu ?
>A: (Alexander Karpoff)
ppp cherez Zelaksy i s 95, i s NT rabotayut bez problem.
A nado vsego-to shodit' na http://www.mindspring.com/~kewells/net/
i skachat' neobhodimye *.inf.
[19.07.2000] (zaruba@artelecom.ru)
predpochitayu skachivat' s ftp://ftp.zelax.ru/pub/soft/mdmzelax.inf
http://www.zelax.ru/faq/faq76.html
P.S. (DY) govoryat eshche chto, mozhno postavit' na NT vmesto modema - X.25 pad.
P.P.S. (DY) najti mdm3640t.inf ili vzyat' tut - http://cube.sut.ru/~dyer/faq/mdm3640t.inf.txt s kur'erami - rabotaet :)
>A: (DY) A vot bolee polnyj sposob (otkopan gde-to u menya na diske)
=============================================================================
* Area : RU.WINDOWS.NT (RU.WINDOWS.NT)
* From : Dmitry Vashkovsky, 2:5020/168.121 (Pyatnica Sentyabr' 26 1997 19:23)
* Subj : NT&vydelennaya liniya
=============================================================================
VB> Kak sdelat' %SUBJ%?
VB> Est' NT4+SP3+RAS&Routing+Motorola Premier 33.6
Predlagayu variant resheniya kotoryj rabotaet u menya s maya i proveren moimi
znakomymi, u nih tozhe rabotaet na ura :)
I tak provajder predostavil vam vydelennyyu liniyu na kotoroj s vashej storony
visit modem, pri vklyuchenii on srazu podklyuchaetsya k provajderu
i nikakimi obychnymi sredstvami nt ego neudaetsya uvidet'. Srazu skazhu, chto v
resurskite po etomu povodu napisano vsego dve strochki, chto vy dolzhny rabotat'
po null modem, eto pochti pravil'no. Ha samom dele vy imitiruete x25.
Pervoe chto vy dolzhny sdelat' sohranit' na vsyakij sluchaj iz direktorii ras svoj
fajl pad.inf i vmesto nego polozhit' novyj ya vzyal iz nt3.51 fajl modem.inf i
otredaktiroval ego (tol'ko v nem! v nt4 net podhodyashchego opisanie null modem)
vybrosil iz nego opisaniya vseh modemov ostavil tol'ko nekotoruyu obshchuyu
informaciyu i otredaktirovannoe pod neobhodimuyu nam situaciyu opisanie
nulmodema, privozhu etu chat' polnost'yu
;----------------------------------------
[Null Modem 33600]
CALLBACK_TIME=10
DEFAULTOFF=
MAXCARRIERBPS=33600
MAXCONNECTBPS=33600
COMMAND=
CONNECT=
;----------------------------------------
poyavivshemsya menyu vybiraem Install X25 Pad gde v predlagaemom menyu estestvenno
vybiraem Null Modem, dalee podtverzhdaem vse, chto mozhno ne zabyv skazat', chto
dannoe ustrojstvo rabotaet tol'ko na dial out i po prodotokolu tcp/ip :)
nastraivaya dialup v chasti posvyashchennoj h25 u vas neskol'ko strok v pervoj s
pomoshch'yu strelki vniz vybiraete vash nulmodem v ostal'nyh pishite lyubuyu erundu (ya
nakpisal imya provajdera). Vse mozhete spokojno rabotat'. Tol'ko ne zabud'te v
opisanii porta ukazat' tuzhe skorost', chto i opisanii nulmodema. Esli vam negde
vzyat' modem.inf ot nt3.51 mozhete zabrat' moj uzhe otredaktirovannyj pad.inf
(pravda pod 19200, nu da cifirki perebit' ne slozhno) u menya po
ftp:\\www.advance.com.ru on tam lezhit pryamo v korne.
Dmitry dva@skydive.ru http:\\www.advance.com.ru/skydiver
ZY: posle togo kak u vas vse zarabotaet ne zabud'te ugostit' menya pivom
=============================================================================
>A: (DY)
Provozivshis' kakoe-to vremya s http://www.mindspring.com/~kewells/net/
poshel neskol'ko drugim putem.
Pishu po pamyati, chto vspomnil.
So storony kiski -
modemcap entry usr_ll:FD=&f1&l1:AA=A
line X
modem autoconfigure type usr_ll
So storony Win,WinNT
Stavyatsya normal'nye drajvera ot ustanovlenogo modema.
Konfigurim modem
AT&F1
AT&W
Variant 1.
V nastrojkah modema (tam gde chto-to tipa advanced/extra settings)
stavim strochku inicializacii AT&L1
Variant 2.
V strochke s telefonom stavim X3T1
(v takom variante pozhaluj budet rabotat' lyuboj modem,
kotoryj i ne umeet po pasportu rezhim Leased Line)
I eshche o tom zhe - http://www.psc.ru/sergey/TehSerenada/CISCO/ONLINE/wint4ll.html
1.8>Q: A znaet li kto-nibud' , mozhno li peredavat' zvonyashchemu abonentu adresa
DNS avtomaticheski s kisy ? YA slyshal , chto takoe byvaet.
>A: (Sergiy Zhuk)
async-bootp dns-server 192.168.3.100 192.168.3.110
eto DNS ^^^
async-bootp nbns-server 192.168.3.2 192.168.2.2
a eto netbios (wins)
1.9>Q: Stoit kiska 3640 u kotoroj ustanovlen modul' Mica-modem na 30 modemov i
modul' E1 soedinennyj s ATS. Kogda ya delayu komandu sh use to vizhu kartinku takogo plana
> 66 tty 66 pupkin ...
> 55 tty 55 vasya ...
Kak mne uznat' po kakomu tajmslotu v potoke E1 vyshel pol'zovatel' t.e.
sushchestvuet li privyazka line k bchannel, esli net to mozhno li eto zdelat'.
>A: (Andrew Lun)
sh modem csm
1.10>Q: Imeetsya Cisco 1005. Posledovatel'nyj port skonfigurirovan
kak sinhronnyj. Podskazhite, pls, kak ee zastavit' rabotat' s asihronnym modemom?
>A: (Dmitry Morozovsky)
Dlya 1005 sync-async pereklyuchaetsya softom.
Hachinaya s 2520/2522 -- komandoj physical-layer async na interfejse
(kstati, polezno pomnit', chto pri etom menyaetsya SNMP nomer interfejsa).
1.11>Q: Probros uucp-shnikov.
>A: (DY) pro RADIUS vzyato iz inet-admins, za tochnost' ne ruchayus'.
a. NAS, TACACS/RADIUS
TACACS:
group = uucp {
default service = permit
service = exec {
noescape = true
autocmd = "telnet aaa.bbb.ccc.ddd 540 /stream"
}
}
Dlya RADIUS, (Dmitry Morozovsky)
/var/spool/uucp/public/.rhosts:
nas0 ciscoTS
nas1 ciscoTS
(Basil Dolmatov) - NAS prihodit so specificheskim imenem "ciscoTS"...
Imenno ego i nado razreshat'...
NAS: (Taras Heychenko)
rlogin trusted-remoteuser-source local
rlogin trusted-localuser-source local
b. Clients
sys ot taylor-uucp
myname client
system host
time any
call-login uuclient
call-password cl.password
port port1
phone XXXXXXX
chat sername: \L\r assword: \P\r ogin: \L\r sword: \P\r
system.pat ot UUPC/@
200 gGt N g(%L_GWSIZE%,%L_GPSIZE%)/g(%R_GWSIZE%,%R_GPSIZE%) ""
\W20\c name--name--name \p\p\L sword:-\L-sword:-\L-sword:-\L-sword: \p\P
->-> \crlogin\sUUHOST\r ogin--ogin--ogin \p\p\L sword:-\L-sword:-\L-sword: \p\P
UUHOST zamenit' na svoe
Dlya sluchaya s autocommand "->-> \crlogin\sUUHOST\r " mozhno vykinut'
1.12>Q: Obratnyj zvonok s Cisco v Windows
>A: (Vyacheslav V. Fedorov)
Ha Cisco 2511:
version 11.
service exec-callback
...
aaa authentication login execcheck tacacs+
aaa authentication ppp ppp_list tacacs+
...
interface Async2
ip unnumbered Ethernet0
ip tcp header-compression passive
encapsulation ppp
async mode interactive
peer default ip address x.x.x.x
ppp callback initiate
ppp authentication chap ppp_list
....
line 2
autoselect during-login
autoselect ppp
script modem-off-hook offhook
script callback idc
login authentication execcheck
modem InOut
transport input all
escape-character NONE
callback forced-wait 30
callback nodsr-wait 10000
stopbits 1
rxspeed 57600
txspeed 57600
flowcontrol hardware
.....
Ha servere gde tacacs+:
V fajle tacacs.config
user= mylogin {
global = cleartext "xxxxxxxxxx"
service=ppp protocol = lcp {
callback-dialstring = 388888
}
service=ppp protocol=ip {
}
service=exec {
callback-dialstring = 388888
callback-line=2
nocallback-verify=1
}
}
>A: (Dmitry Valdov)
Dlya togo, chtob yuzer mog vvodit' nomer, iz takaksa dolzhno prihodit'
callback-dialstring = ""
V obshchem:
cisco:
service exec-callback (eto nuzhno tol'ko v sluchae, esli predpolagaetsya
ispol'zovat' callback so skriptami.)
....
chat-script dial ABORT ERROR TIMEOUT 50 "" "AT" "OK" "ATD\T" "CONNECT"
....
interface group-async 1
ppp authentication pap
ppp callback accept
...
line 1 60
script callback micadial
rotary 1
callback forced-wait 10
autoselect during-login
autoselect ppp
.....
V takakse:
group = callback {
.....
service ppp protocol = lcp {
callback-dialstring = ""
callback-rotary = 1
nocallback-verify = 1
}
}
user ..... {
member = callback service = exec {
.....
callback-dialstring = "" nocallback-verify = 1 callback-rotary = 1
}
}
Mastdajka sama VSEGDA zaprashivaet callback po cbcp pri lyubom zvonke s nee. Esli ej ne
otkazyvayut, to ono zaprashivaet nomer telefona. Dlya HT nado eto vse ukazat' v
yavnom vide.
>A: (Andy Igoshin)
ftp://ftp.vsu.ru/pub/hardware/cisco/callback
1.13>Q: Kak svyazat' dve Kiski po E1?
>A: (Gosha Zafievsky), prislal (Oleh Hrynchuk)
Konfig ppimepno sleduyushchij (odinakovyj v sluchae 5300 & 3600):
controller E1 ZZZ
linecode hdb3 |
framing CRC4 | |ti dva papametpa zavisyat ot kanaloobp. obopudovaniya
clock source line primary | Ha 3600 est' tol'ko v 12.0
channel-group 1 timeslots 1-31
interface serialZZZ:1
encapsulation hdlc
ip address a.b.c.d x.y.z.t
ip route 0.0.0.0 0.0.0.0 serialZZZ:1
CHto podstavlyaetsya vmesto ZZZ zavisit ot konkpetnoj zhelezki...
1.14>Q: Mozhno li opganizovat' IP kanal chepez AUX popt s ppyamym podklyucheniem
k SOM'u na HT (dumayu chepez nul'-modem), ili ya mnogo hochu?
>A: (??), prislal (Oleh Hrynchuk)
Net problem. Nedavno samomu ponadobilos' - u cisco3640 ne bylo Ethernet.
Nemnogo prishlos' povozit'sya s kabelem, raspajka takaya
RJ-45 - DB-25
1-5
2-6,8
3-3
4-7
5-7
6-2
7-20
8-4
Vse ostal'noe kak obychno na asin. portu.
[13.06.2000] 1.14>Q: Kak luchshe nastroit' modem na async portu ?
>A: (Mathey M. Teplov)
YA, naprimer, da i mnogie voobshche sovetuyut sdelat' tak:
1) ubivaesh' modem autoconfigure putem propisyvaniya no modem autoconfigure
2) inicializiruesh' liniyu, kak 115200 8,n,1
!
chat-script RESET_SCRIPT ABORT BUSY ABORT ERROR ABORT "NO CARRIER" ABORT "NO ANSWER" AT&F1 OK
!
line x
speed 115200
databits 8
flowcontrol hardware
stopbits 1
parity none
no modem autoconfigure
script reset RESET_SCRIPT
!
i posle etogo zhestko propisyvaesh' v F1 profil' v Courier sleduyushchee:
&A3&B1&C1&D2&G2&H1&I0&K1&L0&M4&N0&P1&R2&S0&T5&X0&Y0%N6
i vystavlyaesh' na nem dzhampera daby on gruzilsya iz F1.
Provereno na gor'kom opyte.
[05.09.2000] 1.15>Q: Callback na linuh
>A: (Eugene Crosser)
http://www.tartu.customs.ee/linux/callback.shtml
YA sam ne proveryal. Ha moj vkus skript krivoj, no ideya yasna.
===========================================================
===========================================================
2.1>Q: Frame Relay & Unnumbered interface
Kto-to nekotopoe vpemya nazad tut pisal, chto IP unnumbered na
FrameRelay subinterfaces ne byvaet. A u menya poluchilos'.
>A: (Alex Tutubalin)
Ppimepno tak:
Interface Serial 0
no ip address
frame-relay lmi-type ansi
Interface Serial 0.1 point-to-point
frame-relay interface-dlci 16 ietf
ip unnumbered ethernet 0
ip route 192.168.111.48 255.255.255.240 Serial 0.1
C dpugoj stopony stoit FreeBSD + Cronyx Sigma-22.
Tam vse sdelano ppimepno tak:
cxconfig cx0 hdlc fr +extclock
ifconfig cx0 192.128.111.49 195.54.222.201
route add default 192.168.111.201
.49 - Ethernet na etoj zhe mashine
.201 - Ethernet na Cisco
>A: (Alex Zinin)
V sluchae s unnumbered inkapsulyaciya igraet tol'ko kosvennuyu
rol'. A sabinterfejsy -- lish' chastnyj sluchaj.
Obshchee pravilo takoe -- ip unnumbered mozhno stavit' tol'ko na
interfejsah, kotorye Cisco rassmatrivaet kak p-t-p.
Dlya WAN interfejsov tip opredelyaetsya inkapsulyaciej.
T.e. hdlc - ptp, ppp-ptp, slip-ptp, fr-ptm, x25-ptm, smds-ptm
Otdel'nyj sluchaj -- dialer. On ne menyaet tipa interfejsa
i rabotaet isklyuchitel'no samostoyatel'no poverh data-link
urovnya.
V sluchae zhe s sabinterfejsami, vy mozhete razbit' odin
fizicheskij p-t-m na neskol'ko p-t-p i p-t-m interfejsov.
Sootvetstvenno na p-t-p mozhno ispol'zovat' unnumbered.
===========================================================
===========================================================
Avtor otvetov - Eugene Zhilitsky, esli ne ukazano inoe.
3.1>Q:
[DOS-COM1]--a1[Cisco2509]--[Cisco2522]-- -[?]--[UNIX-APP]
Ha Cisco2522 vypolnyaetsya translyaciya TCP v X.25, a 2509 prosto
delaet telnet na transliruemyj adres. HO, zabrat' s UHIHmashiny
mozhno, a polozhit' net.
Proboval translyacii i binary i stream, i telnet /stream i s inymi
parametrami i to i drugoe. I profajl yuzal tipa
x29 profile aaaa 2:0 3:0 4:100 7:21 11:14, v plane eksperimenta.
>A: (Eugene Zhilitsky)
4:100 - eto ochen' ploho, nepolnye pakety budut uhodit' tol'ko cherez 100*0.05=5 sekund!
1. translyaciya i telnet dolzhny byt' stream.
2. x29 profile aaa 1:0 2:0 3:2 4:5 5:0 8:0 9:0 10:0 12:0 15:0 22:0
3:2 - eto dlya "profilaktiki", chtoby po ^M pakety uhodili srazu zhe, inogda
eto meshaet (v ochen' redkih special'nyh prilozheniyah). Mozhno stavit' 3:0.
3. na asinhronnom portu (a1[Cisco2509]), k kotoromu podklyuchena dosovaya tachka:
escape-character NONE
telnet transparent
4. Dlya yuzera, kotorym dosovaya tachka zahodit na pervuyu cisku - noesc.
5. Ha vseh vty, kotorye mogut ispol'zovat'sya dlya translyacii nado takzhe:
escape-character NONE
telnet transparent
6. Vezde vmesto etih dvuh strok mozhno ispol'zovat' odnu:
terminal-type download
|tot sposob podskazali guru iz RU.CISCO (kto konkretno ne pomnyu :-(.
Hu vrode by bol'she nichego ne zabyl :-))))) Dolzhno rabotat'.
3.2>Q: Kak nastraivat' h25?
>A: Est' prostoe empiricheskoe pravilo: vse parametry labp (hdlc) i h25 dolzhny
byt' odinakovymi na oboih koncah linka, krome logicheskogo DTE/DCE -
on dolzhen byt' _raznym_. Krome togo, ne nado zabyvat', chto razmer paketa na
vtorom urovne (lapb) na Ciske ukazyvaetsya v _bitah_,
a u bol'shinstva drugih proizvoditelej - v _bajtah_.
3.3>Q: Horosho, no na moem h25-box'e est' parametr "Gruppa logicheskih kanalov",
a v Ciske ya takogo ne nashel. CHto delat'?
>A: Kazhdaya edinica v etom parametre dobavlyaet 256 k nomeru logicheskogo
kanala. Haprimer, na h25-box'e takie parametry:
Gruppa logicheskih kanalov - 4
Homer pervogo Two-way VC - 1
Kolichestvo Two-way VC - 16
Togda na Ciske nado vystavit':
x25 ltc 1025
x25 htc 1040
3.4>Q: YA propisal translyaciyu h25-TSR, no ona ne rabotaet, Ciska vmesto nee
vydaet Username: (zapuskaetsya exec). CHto delat'?
>A: U vas dlya translyacii ispol'zuetsya takoj zhe h25 adres kak i v x25
address na Serial. Ispol'zovanie Call User Data (cud) v translyacii ne
spasaet. Adresa dolzhny byt' raznymi, naprimer, rasshir'te h25 adres v
translyacii s pomoshch'yu podadresov.
3.5>Q: Iz-za mestnyh uslovij ispol'zovat' podadresa ya ne mogu.
>A: Togda prosto udalite x25 address iz konfiguracii Serial. |tot parametr
ispol'zuetsya v ishodyashchih paketah vyzova kak adres istochnika. Esli ego udalit',
to pakety vyzova budut uhodit' s pustym adresom istochnika.
Prakticheski vse h25 seti trebuyut, chtoby adres istochnika byl ukazan pravil'no,
libo byl pustym, tak chto vse dolzhno rabotat' i bez nego.
3.6>Q: Ura! Translyaciya zarabotala. Ho zadacha pomenyalas', nado chtoby na vyzov s
Call User Data (cud) zapuskalas' translyaciya, a na vyzov po tomu zhe adresu
bez cud zapuskalsya exec.
>A: Propishite etot adres cherez
x25 routing
x25 route alias Serial
3.7>Q: Hi y kogo net nastpoek Cisco <--> Eicon po X.25.
Hotya by s stopony Cisco.
PPP i Frame Relay polychilos', a vot X.25 nikak. A nado.
>A: (john gladkih)
direct connection?
interface Serial1
description x.25 4 m$ eXchange
bandwidth 5
no ip address
no ip directed-broadcast
encapsulation x25 dce ietf
no ip mroute-cache
x25 address ADDRESS
x25 htc 32
x25 win 7
x25 wout 7
x25 accept-reverse
x25 nonzero-dte-cause
clockrate 4800
lapb T1 500
lapb N2 9
[13.06.2000] 3.8>Q: Podskazhite pozhalujsta kak detal'no otrabatyvaet takoj "kusochek" translate
translate x25 03 cud 4411 profile NUL ppp ............
>A: (Vasily Ivanov)
Ubogo on otpabatyvaet, t.k. dlya nastpoek so stopony kiski hvataet dannye s
pepvogo popavshegosya intepfejsa. Ostavlen dlya sovmestimosti so stapymi IOSami.
Gopazdo luchshe ispol'zovat' translate x25 12345 virtual-template 1. A detal'no
s kaptinkami smotpi na http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/dial_c/dcpt.htm
[05.09.2000] 3.9>Q: ya tut vspomnil kak s polgoda nazad obsuzhdali problemu pad
dostupa cherez xot i kogda x.25 set' ne hotela prinimat'
vyzovy s facilities kotorye pri xot neizbezhny. eshche aktual'no?
mogu dat' recept. no on trebuet 12.1 ;) (kak ya pomnyu v
diskussii byl eshche i annex-g? togda 12.1 byt' dolzhen)
>A: (john gladkih)
ok. ruter s annex-g, on zhe lokal'nyj x25 switch:
service pad to-xot
service pad from-xot
service tcp-keepalives-in
service tcp-keepalives-out
!
frame-relay switching
!
x25 profile test dte
x25 address 61273
x25 htc 32
x25 win 7
x25 wout 7
x25 ips 1024
x25 ops 1024
x25 nonzero-dte-cause
1> x25 subscribe flow-control never
lapb modulo 128
2> x25 routing acknowledge local
!
interface Serial0
bandwidth 64
no ip address
encapsulation frame-relay IETF
frame-relay interface-dlci 25
x25-profile test
frame-relay lmi-type ansi
!
x25 route ^6127305 xot 10.10.0.21 xot-keepalive-period 10
3> x25 route .* source ^$ substitute-source 6127305999 interface Serial0 dlci
3> 25
x25 route .* interface Serial0 dlci 25
1> otklyuchenie soglasovaniya flow-control na interfejse dlya
vyzovov.
2> razreshit' lokal'nuyu peresborku paketov.
3> pad call cherez xot prihodit c pustym src address i my src
tut podmenyaem na 6127305999
s drugoj storony xot nichego osobennogo:
x25 route ^612.* xot 10.10.0.118 xot-keepalive-period 10
xot-keepalive-period tut chisto dlya proformy.
===========================================================
===========================================================
4.1>Q: Rekomendacii po access-lists dlya zashchity ot atak iz interneta.
Nekotorye rekomendacii i soobrazheniya.
aaa.bbb.ccc.ddd, naa.nbb.ncc.ndd - sootvetstvenno svoi set' i maska.
wba.wbb.wbc.wbd - wildcard bits
Vnimanie !!! v access-list ispol'zuetsya ne netmask, a wildcard bits.
Est' zhutkaya formula, no ya predpochitayu pol'zovatsya takoj -
WB=255-NM
takim obrazom, esli netmask 255.255.255.0 v access-list
pishetsya 0.0.0.255
! deny all RFC1597 & default
no access-list 101
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
! deny ip spoofing
access-list 101 deny ip aaa.bbb.ccc.ddd wba.wbb.wbc.wbd any
! deny netbios
access-list 101 deny udp any any range 137 139 log
access-list 101 deny tcp any any range 137 139 log
! deny Back-Orifice
access-list 101 deny udp any any eq 31337 log
! deny telnet
access-list 101 deny tcp any any eq telnet log
! deny unix r-commands and printer, NFS, X11, syslog. tftp
access-list 101 deny tcp any any range exec lpd log
access-list 101 deny udp any any eq sunrpc log
access-list 101 deny tcp any any eq sunrpc log
access-list 101 deny udp any any eq xdmcp log
access-list 101 deny tcp any any eq 177 log
access-list 101 deny tcp any any range 6000 6063 log
access-list 101 deny udp any any range 6000 6063 log
access-list 101 deny udp any any range biff syslog log
access-list 101 deny tcp any any eq 11 log
access-list 101 deny udp any any eq tftp log
! permit all
access-list 101 permit ip any any
no access-list 102
access-list 102 permit ip aaa.bbb.ccc.ddd wba.wbb.wbc.wbd any
access-list 102 deny ip any any
int XXX
ip access-group 101 in
ip access-group 102 out
4.2>Q: Kin'te, pozhalujsta, primer access-list'a ( nado zakryt' dlya
dostupa izvne vo vnutrennyuyu set' vse porty - ostavit' tol'ko
vozmozhnost' raboty po http i e-mail) Cisco - 1601 Zaranee blagodaren.
>A: (Alex Bakhtin)
Itak. Est' dve strategii po ustanovke aksess-listov:
1. Zakryt' vse opasnoe, otkryt' vse ostal'noe.
2. Otkryt' vse nuzhnoe, zakryt' vse ostal'noe.
V zdeshnem FAQe, kotoryj byl porekomendovan, imeetsya primer,
napisanyj imenno po pervomu principu. He budem obsuzhdat' preimushchestva i
nedostatki dannogo podhoda, naskol'ko ya ponimayu, u vas est' zhelanie
ispol'zovat' vtoroj. YA popytayus' opisat' dostatochno universal'nuyu metodiku,
kotoraya mozhet byt' ispol'zovana pri postroenii zashchity vtorogo tipa, a zatem
privesti primer real'no rabotayushchej konfiguracii. Srazu hochu skazat', chto
vse nizhenapisanoe - eto chisto moe IMHO. Predpolagaetsya razrabotka
access-lista, ogranichivayushchego vozmozhnosti dostupa _izvne_ v lokal'nuyu set',
a ne ogranicheniya vozmozhnostej po vyhodu naruzhu iz lokal'noj seti.
Itak.
Hachat' imeet smysl s sistematizacii togo, chto my, sobstvenno hotim
poluchit'. Dlya etogo predlagayu vystroit' sleduyushchuyu tablicu:
! ! ! ! !
!www !mail!ftp!binkd!i tak dalee - zdes' perechilyaem servisy
! ! ! ! !dostup k kotorym my hotim predostavit'
! ! ! ! !pol'zovatelyam "izvne"
------------!----!----!---!-----!----------------------------------------
www.qq.ru ! X ! ! ! !
relay.qq.ru ! ! X ! ! !
ftp.qq.ru ! ! ! X ! !
any ! ! ! ! X !
zdes' hosty/
gruppy hostov,
kotorye predostavlyayut sootvetstvuyushchie servisy. Poryadok raspolozheniya hostov
v tablice vazhen. Est' dva pravila:
a. Obshchie opredeleniya neobhodimo raspolagat' kak mozhno nizhe. To est' host
10.0.1.1/32 dolzhen byt' raspolozhen _vyshe_ chem subnet
10.0.1.0/24. Sootvetstvenno v samuyu poslednyuyu strochku pishetsya chto-to
tipa any.
b. V sluchae, esli po pravilu a. okazyvaetsya, chto poryadok kakih-to
konkretnyh strok mozhet byt' lyubym (kak v nashem primere www, relay i ftp
mogut byt' perechisleny v lyubom poryadke, no obyazatel'no vyshe chem any), to
na bolee vysokie pozicii nado stavit' hosty, kolichestvo obrashchenij k
kotorym po otmechennym servisam predpolagaetsya bol'shim. V nashem sluchae my
predpolagaem, chto osnovnye zaprosy budut postupat' na www server, zatem
budet peredavat'sya kakoe-to kolichestvo pochty i uzh sovsem malo budet
zaprosov na ftp.
Posle sostavleniya, proverki i, po vozmozhnosti, optimizacii takoj
tablicy (voobshche eto process dostatochno tvorcheskij i netrivial'nyj;-)) mozhno
perehodit' sobstvenno k napisaniyu pervoj versii access-lista. Pervaya versiya
budet prakticheski kal'koj nashej tablicy.
ip access-list extended Firewall
permit tcp any host www.qq.ru eq www
permit tcp any host relay.qq.ru eq smtp
permit tcp any host ftp.qq.ru eq ftp
permit tcp any any eq 24554
Poslednyaya stroka po umolchaniyu prinimaetsya za deny ip any
any. Fakticheski, postroenie pervoj versii access-lista zakoncheno. CHto my
delaem, chtoby prodolzhat' razvivat' etot access-list? V konec lista my
dobavlyaem odnu strochku
deny ip any any log
kotoraya ne tol'ko zapretit ves' ostal'noj trafik, chto bylo sdelano
po-umolchaniyu, no i zastavit' vydavat' na konsol'/monitor/syslog soobshcheniya o
paketah, popadayushchih pod eto pravilo. I dalee, v zavisimosti ot togo, kakie
servisy ne byli uchteny v nashem liste(soobshcheniya ob otbroshenyh paketah budut
sypat'sya na konsol'), mozhno budet dorabatyvat' nash access-list. Vot primery
soobshchenij:
%SEC-6-IPACCESSLOGP: list firewall denied tcp xxx.xxx.xx.xx(1418) ->
%xxx.xxx.xxx.xx(23), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp xxx.xxx.xxx.xxx(4000) ->
%xxx.xxx.xxx.xx(1038), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp xxx.xxx.xxx.xxx(53) ->
%xxx.xxx.xxx.xx(1041), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp xxx.xxx.xxx.xxx(53) ->
%xxx.xxx.xxx.xx(1044), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp xxx.xxx.xxx.xxx(53) ->
%xxx.xxx.xxx.xx(1047), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp xxx.xxx.xx.xx(49869) ->
%xxx.xxx.xxx.xx(33456), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp xxx.xxx.xx.xx(49869) ->
%xxx.xxx.xxx.xx(33458), 1 packet
Vot sobstvenno i vse;) Hado ne zabyvat' otkryvat' _na_vhod_ port
domain - chtoby k nam prihodili otvety na nashi dns zaprosy. active ftp - eto
voobshche otdel'naya pesnya. Vot primer real'no rabotayushchego access-lista, on,
razumeetsya, ne idealen, no rabotaet;) Da, nado ne zabyvat' otkryvat'
established. Posle znaka ; - moj kommentarii.
===================
ip access-list extended firewall
permit tcp any any eq smtp ; vse hosty prinimayut pochtu po smtp
permit tcp any any eq domain ; dve strochki na dns
permit udp any any eq domain ;
permit tcp any any eq 22 ; ssh
permit tcp any host fido.qq.ru eq 24554 ; binkd
permit tcp any any established ; vot ono samoe
permit tcp any host www.qq.ru eq www ; www-servera
permit tcp any host images.qq.ru eq www
permit tcp any host www.qq.ru range 8100 8104 ; dlya ruskoj kodirovki
permit tcp any host images.qq.ru range 8100 8104
permit udp any any eq ntp ; vse mashiny mogut poluchat' vremya s vneshnih ntp
permit tcp any any range 40000 44999 ; uzhe ne pomnyu dlya chego:-((
permit tcp any any eq ident
permit icmp any any
permit tcp any eq ftp-data any gt 1024; dlya active-ftp
deny ip any any log
===================
4.3>Q: Kak sdelat' transparent-proxy ?
>A: (DY)
Vse opisano na http://squid.nlanr.net/Squid/FAQ/FAQ-17.html
4.4>Q: Dynamic ACL.
>A: Prislal (Oleh Hrynchuk)
You can use timed access-lists in IOS 12.x
You will need the router to synch to a clock source
for accuracy though..
for example:
int ser0/0
ip access-group 101 in
!
access-list 101 remark --FOR THE QUAKE 3 PLAYERS AT THE OFFICE--
access-list 101 permit udp any any range 27850 27999 time-range lunchtime
access-list 101 deny any any
!
time-range lunchtime
periodic weekdays 12:00 to 14:00
periodic weekend 00:00 to 23:59
!
ntp source loopback0
ntp server
!
[13.06.2000] 4.5>Q: Kak razreshit' zahodit' na kisku telnetom tol'ko
s opredelennyh hostov ?
>A: (Gosha Zafievsky)
access-list 11 permit host 192.168.1.1
line vty 0 4
access-class 11 in
===========================================================
===========================================================
5.1>Q: Kak zazhat' ishodyashchij ftp-trafik ?
>A: (Vasily Ivanov)
Dlya Active-FTP
access-list 115 permit tcp host 123.123.123.123 eq ftp-data any gt 1023
Dlya Passive-FTP
access-list 115 permit tcp host 123.123.123.123 any eq ftp
5.2>Q: Kak sdelat' traffic-shape na tun ?
>A: (DY)
Vot zavalyalsya kusok rabochego konfiga ot 4000.
interface Tunnel1
ip address xxx.xxx.xxx.xxx 255.255.255.252
tunnel source aaa.aaa.aaa.aaa
tunnel destination bbb.bbb.bbb.bbb
!
interface Ethernet0
ip address aaa.aaa.aaa.aaa 255.255.255.224 secondary
traffic-shape group 122 32000 8000 8000 1000
!
no access-list 122
access-list 122 permit ip host aaa.aaa.aaa.aaa host bbb.bbb.bbb.bbb
access-list 122 deny ip any any
P.S. Vyacheslav Furist
Pomoemu luchshe bylo by
access-list 122 permit gre host aaa.aaa.aaa.aaa host bbb.bbb.bbb.bbb
5.3>Q: Kak zazhat' vhodyashchij trafik?
>A: "Boris Mikhailov"
Pri vhode pomozhet policyroute, esli mochi processora hvatit.
Eshche dobavlyu chto do 11.2(gde-to 12~13) traffic-shap
krivo zatykaetsya i ne shejpit (ochen' chastyj vopros byl ran'she).
access-list 180 opisyvaet tpaffik, kotopyj nado shejpit'
interface Loopback1
ip address 192.168.11.1 255.255.255.255
traffic-shape rate 64000
!
interface Serial0
ip policy route-map incoming-packets
!
access-list 180 permit ip any 192.168.1.0 0.0.0.255
!
route-map incoming-packets permit 10
match ip address 180
set interface Loopback1
5.4>Q: Bandwith, queue
>A: (Alex Bakhtin)
Osnovnym parametrom, kotoryj vliyaet na raspredelenie
polosy propuskaniya pri custom queuing, yavlyaetsya byte-count. queue length na
eto delo vliyaet malo. Itak. Dopustim, u nas est' takoj vot queue-list:
c4000-m#sh queueing custom
Current custom queue configuration:
List Queue Args
1 1 byte-count 6000
1 2 byte-count 3000
1 3 byte-count 4500
Ostal'nye ocheredi po 1500. Ponyatno, chto napryamuyu bandwith dlya
kazhdoj iz ocheredej ne zadaetsya. Zapolnenie ocheredej, ponyatno, proishodit na
osnovanii kakih-to kriteriev, kotorye ya v dannom sluchae ne
uchityvayu. Dal'she, my nachinaem obhodit' vse 17 ocheredej nachinaya s nulevoj -
1. Peredaem 1500 bajt iz ocheredi 0 (esli tam est' pakety)
2. Peredaem 6000 bajt iz ocheredi 1
3. Peredaem 3000 bajt iz ocheredi 2
4. Peredaem 4500 bajt iz ocheredi 3
5. Peredaem 1500 bajt iz ocheredi 4
.....
17. Peredaem 1500 bajt iz ocheredi 16
Dopustim, chto my ispol'zuem dlya nashego trafika tol'ko pervye 4
ocheredi - v ostal'nye ocheredi trafik nikogda ne popadaet. Sootvetvtsenno, v
srednem za odin cikl budet peredano
S=1500(q0)+6000(q1)+3000(q2)+4500(q3)+1500(q4)=16500 bajt
Sootvetstvenno, pod Q0 budet vydeleno
B0=1500/16500~=9% BW
B1~=36% BW
B2~=18% BW
B3~=28% BW
B4~=9% BW
To est' real'nuyu polosu propuskaniya podzhelyat proporcional'no
ispol'zuemye ocheredi. Sootvetstvenno, real'nyj bandwith po kazhdoj ocheredi
zadaetsya s pomoshch'yu parametra byte-count, no indirectly, tak kak on zavisit
ot chisla ispol'zuemyh real'no ocheredej i ot propusknoj sposobnosti
interfejsa.
Dannye znacheniya, razumeetsya, budut verny tol'ko pri dostatochno
ser'eznom usrednenii. Svyazano eto s tem, chto esli byte-count ischerpyvaetsya
v processe peredachi paketa, paket vse ravno peredaetsya do konca - to est'
real'naya zanimaemaya polosa budet bol'she. Vse, chto napisano vyshe - ne bolee
chem nekie teoreticheskie vykladki pri rabote v ideal'nyh usloviyah. Real'no
vse eti znacheniya nado podbirat', analiziruya srednij razmer paketa i ne
tol'ko;)
5.5>Q: Traffic-shape na Loopback'e, Tunnel'e est' ili net ?
>A: (Alex Bakhtin)
Hekotoroe vremya nazad mne ponadobilsya shejper na
BVI interfejse v svyazi s chem ya dostatochno ser'ezno zanimalsya etoj
problemoj. Itak.
1. SHejper rabotaet. V 12.x - <=12.0(2a), v 11.3 tozhe do kakoj-to versii.
2. SHejper rabotaet krivo - shejpit tol'ko process-switched pakety. (btw, eto
kak raz prichina togo, chto shejper na gruppu asinkov cherez policy-route
rabotaet)
3. SHejper na virtual'nyh interfejsah (kotorymi yavlyayutsya BVI, loopback i
Tunnel) unsupported by Cisco. To est' oficial'no ego net. To, chto on
ran'she byl - eto bag takoj v parsere konfigov/komandnoj stroki, kotoryj
pozvolyal ego vklyuchat'. YA otkryval po etomu povodu kejs v ciske - mne
predlozhili poslat' rekvest na fichu.
Tak chto, boyus', pro zamechatel'nyj sposob shejpit' na lupbake
pridetsya zabyt' esli ispol'zuetsya 11.3 ili 12.x:-((
5.6>Q: Kak zazhat' ftp ?
>A: (Alexander Kazakov)
V obshchem ya otdal postoyannye 32k dlya ftp. Vse pabotaet i vpolne menya ustpaivaet.
fpejm-pelej delat' poka ne stal, budu snachala ppobovat' na stendovoj koshke.
kak obeshchal - pabochij konfig:
=== Cut ===
interface Serial2/0
description xxx XXX
ip address aaa.bbb.ccc.ddd 255.255.255.0
no ip route-cache
no ip mroute-cache
bandwidth 128
ipx network B021
ipx accounting
priority-group 2
traffic-shape group 191 32000 8000 8000 1000
!
access-list 191 permit tcp any any eq ftp
access-list 191 permit tcp any any eq ftp-data
priority-list 2 protocol ip medium list 101
priority-list 2 protocol ipx low
priority-list 2 protocol ip high tcp telnet
priority-list 2 protocol ip high udp snmp
priority-list 2 protocol ip high tcp echo
priority-list 2 protocol ip high udp echo
===========================================================
===========================================================
6.1>Q: Est' dve Cisco2511, kotorye dolzhny soedinyatsya dvumya linkami,
odin cherez serial, vtoroj cherez async, oba linka po vydelenkah.
V etom problem net, no hochetsya imet' ODIH bekap cherez kommutirumuyu
liniyu. To est' nado, chto by bakap podnimalsya tol'ko togda kogda
OBA linka propadut.
>A: (Vasily Ivanov)
ip route 216
Vse ppotokoly putinga imeyut metpiku <= 200, poetomu dannaya stpochka poyavitsya v
lokal'noj tablice putinga tol'ko kogda upadut oba tvoih intepfejsa. Kogda
main-link vosstanovitsya, ona opyat' budet vytepta ppotokolami putinga iz
tablicy, i ciska nachnet otschityvat' dialer idle-timeout do bposaniya tpuby.
6.2>Q: Podskazhite chto nado shepnut' kiske, chtoby ona annonsila ripom
na Ethernet ppp-linki s maskoj /32, a ne aggregatirovala
ih v podset'.
>A: Dmitry Morozovsky, Mike Shoyher, Gosha Zafievsky
router rip
version 2
! prosto polezno
redistribute static subnets
no auto-summary
! Tozhe ne pomeshaet
redistribute connected subnets
6.3>Q: OSPF, RIP
>A: (Alex Bakhtin)
router ospf 10
redistribute connected metric 1 subnets route-map only_public_net
redistribute static metric 1 subnets route-map only_public_net
redistribute rip
network 194.186.108.0 0.0.0.63 area 0
!
router rip
version 2
redistribute connected route-map only_public_net
redistribute static route-map ony_public_net
redistribute ospf 10 metric 4
redistribute ospf 200 metric 4
network 194.186.108.0
neighbor 194.186.108.10
neighbor 194.186.108.138
!
Razumeetsya, stoit ip classless i ip subnet-zero.
6.4>Q: U menya set' klassa C, v kotoroj zanyaty ne vse adresa. Esli ot provajdera
prihodit paket na otsutstvuyushchij adres (ili otvalivshegosya dialup-yuzera)
to moya Cisco i Cisco etogo provajdera nachinayut etim paketom perebrasyvat'sya.
Pochemu eto i kak ot etogo izbavit'sya.
>A: (Basil (Vasily) Dolmatov)
U provajdera stoit route na ves' vash klass C.
V sleduyushchej (vashej) Cisco propisany tol'ko routes, kotorye ona vyyasnila iz
adresov aktivnyh interfejsov i kakih- libo routing-protokolov. Ostal'noe
routitsya po default route, to est' na provajdera.
Kak etogo izbezhat'?
V Cisco est' zamechatel'nyj interfejs Null0. Konfiguriruetsya on vsego odnoj
komandoj:
int Null0
ip unreachables
Teper' dostatochno dobavit' eshche odin route v konfiguraciyu Cisco (predpolozhim,
chto set' klassa C - 193.193.193.0/24)
ip route 193.193.193.0 255.255.255.0 Null 0 100
V etom sluchae, esli adres ispol'zuetsya, i route na nego izvesten Cisco, to imenno
etot route i budet aktiven (poskol'ku ego metrika men'she), esli zhe adres
neizvesten, to aktivnym stanet route na Null0 i Null0 otvetit na prishedshij
paket icmp !H. To est', nikakogo ping-ponga na kanale uzhe ne budet.
Kstati, rekomenduetsya eshche propisat' takie zhe routes dlya private-networks,
eto predotvratit ih sluchajnoe vybrasyvanie v storonu provajdera.
ip route 10.0.0.0 255.0.0.0 Null0 100
ip route 172.16.0.0 255.240.0.0 Null0 100
ip route 192.168.0.0 255.255.0.0 Null0 100
6.5>Q: Est' dva kanala k provajderam, est' dve setki, kak sdelat', chtoby
kazhdaya set' hodila po svoemu kanalu ?
>A: (Dmitriy Yermakov)
policy-routing, primer est' na CD.
Dlya primera ( v ochen' prostom sluchae )
access-list 110 permit ip aaa.aaa.aaa.0 0.0.0.255 any
access-list 111 permit ip bbb.bbb.bbb.0 0.0.0.255 any
route-map XXXX permit 10
match ip address 110
set default interface Serial 0
route-map XXXX permit 20
match ip address 111
set default interface Serial 1
int eth 0
ip policy route-map XXXX
6.6>Q: Ne podelitsya li kto-nibud' URL ili prosto sekretom zapuska OSPF
mezhdu Gated i Cisco ?
>A: (Alex Bakhtin)
V gated i v Cisco po umolchaniyu vystavleny raznye hello/dead intervaly.
Lechitsya vystavleniem sootvetstvuyushchih intervalov v gated.
P.S. (DY) v poslednih GateD mozhet i popravili, deb ip ospf
pomozhet vyyasnit'.
>A: (Basil (Vasily) Dolmatov)
Ospf yes {
backbone {
authtype none;
interface aaa.bbb.ccc.ddd
cost 1 {
retransmitinterval 5;
transitdelay 1;
priority 0;
hellointerval 10;
routerdeadinterval 40;
};
};
};
import proto ospfase {
ALL ;
};
export proto ospfase type 1 {
proto ospfase {
ALL
metric 1; };
proto static {
All
metric 1; };
proto direct {
ALL
metric 1; };
};
6.7>Q: Est' staticheskij marshryt: ip route 0.0.0.0 0.0.0.0 Serial 0/0
Kak mne isklyuchit' ego iz ospf'nyh anonsov?
Ubrat' redistribute static - ne predlagat' ;)
>A: (Dmitry Morozovsky)
1. Ubrat'
default-information originate always, ili zamenit' ego na
default-information originate , esli taki nuzhno ego kuda-to anonsit'
2. Otfil'trovat' ;)
distribute-list out [interface name]
access-list permit 0.0.0.0 0.0.0.0
6.8>Q: Ne mog li by kto-nibud' iz uvazhaemyh guru tolkovo ob®yasnit' s tochki
zreniya praktiki (s nebol'shim primerchikom), chto takoe stubby areas i v kakih
sluchayah ih vvedenie opravdano?
Pravil'no li ya ponimayu, chto oni v obshchem-to nuzhny dlya ekonomii resursov routera?
>A: (Alex Mikoutsky), prislal (Oleh Hrynchuk)
V ciskah est' tri tipa tupikovyh arij - stub, totally stub, Not-so-stubby.
Pro poslednie dve Hallabi mog i ne napisat'.
Stub - eto takaya ariya, routeram v kotoroj ne nuzhno znat', kuda kidat'
pakety, prednaznachennye external adresam. Zamet' - tol'ko external, t.e.
tem, kotorye sami redistrib'yutyatsya v domen ospf. Vmesto etih anonsov ASBR
budet vykidyvat' defolt marshrut dlya posylki na nego sootvetstvuyushchih paketov.
Esli takaya ariya imeet neskol'ko vyhodov v bekbon, to kazhdyj ASBR buzhet slat'
svoj defolt. Ot tebya zavisit, kakoj iz nih rassmatrivat' pervym, a kakoj -
vtorym. |to delaetsya, yasnoe delo, metrikoj po komande na ASBR: area 1
default-cost gde ariya 1 - tipa stub.
Vse ostal'nye marshruty, prihodyashchie iz drugih arij, krome external budut
anonsirovat'sya.
Totally stub i Not-so-stubby - eto specificheskie cisochnye prilady,
pomogayushchie fil'trovat' takzhe anonsy marshrutov iz drugih arij tipa interdoman
(totally stub), odnako, tol'ko v tom sluchae, esli v etoj total'no tupikovoj
arii net ni odnogo external marshruta. CHtoby preodolet' poslednee
ogranichenie, ariyu mozhno sdelat' tipa NSSA (nachinaya s versii 11.3). V
poslednih sluchayah v ariyu voobshche budet anonsirovat'sya tol'ko defolt po
komande default-information originate. Tak zhe, kak i v predydushchem sluchae,
ASBRov mozhet byt' neskol'ko.
YA ponyatno napisal?
[03.08.2000] 6.9>Q: Hado podruzhit' na sinhronnom linke routery
Nortel ARN i CISCO-3640. Sejchas oni druzhat po ppp i rip. Hochetsya,
chtoby druzhili po frame-relay i ospf.
>A: (Sergey Y. Afonin)
Sdelano na ARN s BayRS 13.20 i CISCO 3640 IOS version 12.0
Fragment konfiga ARN (as-boundary-router true k delu ne otnositsya,
on govorit to tom, chto router mozhet redistributit' vse, chto est' i
ne zafil'trovano special'no; esli false - to redistributitsya tol'ko
tol'ko ospf):
ospf router-id xxx.xxx.xxx.234
as-boundary-router true
area area-id 0.0.0.0
back
back
serial slot 1 connector 1
cable-type v35
bofl disabled
promiscuous enabled
service transparent
circuit-name S11
frame-relay
dlcmi
management-type none
back
default-service
pvc dlci 16
vc-state active
back
ip address xxx.xxx.xxx.218 mask 255.255.255.252
address-resolution arp-in-arp
ospf area 0.0.0.0
mtu 1480
back
arp
back
back
back
back
Fragment konfika 3640 (tut tozhe lishnee est', pravda):
!
interface Serial2/0
ip address xxx.xxx.xxx.217 255.255.255.252
ip access-group nasprotect out
ip directed-broadcast
encapsulation frame-relay
ip ospf network broadcast
no ip mroute-cache
no keepalive
no fair-queue
frame-relay map ip xxx.xxx.xxx.218 16 broadcast IETF
!
router ospf 13227
router-id aaa.aaa.aaa.234
redistribute connected subnets
redistribute static subnets
network xxx.xxx.xxx.216 0.0.0.3 area 0.0.0.0
!
Pod upravleniem BayRS u Nortel rabotayut tak zhe ASN i routery
serii BN, ta chto, polagayu, i dlya nih podojdet.
===========================================================
===========================================================
7.1>Q: Gde vzyat' tacas-plus ? V ishodnikah ?
>A: (Dmitriy Yermakov)
Horom :))
ftp://ftpeng.cisco.com/pub/tacacs original'nyj original'nyj ot Cisco (ls tam ne rabotaet,
snachala get README, potom get to, chto nuzhno)
Nedavno tam byl - ls rabotaet.
ftp://ftp.east.ru/pub/inet-admins - patchennyj na predmet raznyh vkusnostej
ftp://ftp.vsu.ru/pub/hardware/cisco/tacacs - i eshche propatchennyj
pppd teper' otdel'no ot tac+ia, no ryadom - tacpppd
[08.09.2000] >A: (Igor Prokopov) Gde vzyat' TACACS+ pod NT ?
http://www.nttacplus.com NTTacPlus2 (demoversiya dostupna dlya skachivaniya)
Radius Tacacs+ Available for Windows NT 4.0 and Windows 95/98
Rabotaet s ODBC (Access97), preduprezhdaet e-mail'om ob okonchanii limita,
mozhet byt' backup-serverom, rabotat' s neskol'kimi CISCO, vedet gruppy po
privilegiyam i t.d.
Polnaya versiya za den'gi ili na varezah ;)))
7.2>Q: Kto znaet, kak ogranichit' chislo zaprosov kiski na login? To est', esli
yuzer pervyj raz nepravil'no otvetil na login/password to srazu sdelat' hangup
a ne sprashivat' ego eshche i eshche. Vse ravno v bol'shinstve skriptov eto ne
predusmotreno. U menya kiska uporno sprashivaet tri raza. Listanie "Command
Summary" uspeha ne prineslo. Mozhet eto v takakse nado koncy iskat'?
>A: (Alexey Kshnyakin)
conf t; tacacs-server attempts N
7.3>Q: Kak snimat'/schitat' statistiku po interfejsam ?
>A: (Dmitriy Yermakov)
schitat' mozhno tak
conf t
int X
ip accounting
razreshit' rsh na kisku, primerno tak
ip rcmd rsh-enable
ip rcmd remote-host enable
i, po kronu :)
/usr/bin/rsh cisco clear ip accounting
/usr/bin/rsh cisco sh ip accounting checkpoint > `/bin/date +"%Y%m%d%H%M"`
/usr/bin/rsh cisco clear ip accounting checkpoint
Poskol'ku voznikli voprosy, to eshche variant.
>A: (Konstantin D. Myshov)
1) Skript:
#!/bin/sh
#[skip]
rsh -l loger cisco.domain.adr clear ip accounting
rsh -l loger cisco.domain.adr sh ip accounting checkpoint
#[skip do konca skripta :-)]
2) Ha kiske govorish':
username specloger privilege 8 password 0 plane_text_password
! Parol' zashifruetsya i cherez password 7 pokazyvat'sya budet po sh ru
ip rcmd rsh-enable
ip rcmd remote-host loger REMOTE_IP_ADDRESS REMOTE_USER_NAME enable 8
privilege exec level 8 show ip accounting checkpoint
privilege exec level 1 show ip
privilege exec level 8 clear ip accounting
P.S. (Andrey Kuksa) kuksaa@chph.ras.ru
vklyuchit' by eshche
no ip rcmd domain-lookup
P.P.S. (DY) Cisco proveryaet in-addr.arpa dlya hosta,
s kotorogo prishel zapros na RSHELL. Esli IN PTR netu - ne puskaet.
no ip rcmd domain-lookup etu proverku vyklyuchaet.
Po umolchaniyu - vklyucheno.
P.P.P.S. sm takzhe 0.4>Q:
7.4>Q: Kak zamenit' "Username:" na "login:" ?
>A: (DY)
Sushchestvuet 2 varianta -
1. V tac+ia mozhno pereopredelit' etot prompt.
2. aaa authentication username-promt
[03.08.2000] 7.5>Q: rsh cisco show version poluchayu chto-to tipa Undefined error
>A: (Alex Bakhtin)
debug ip tcp rcmd
[14.08.2000] 7.6>Q: ne rabotaet aaa authentication banner "..." pri ispol'zovanii tacacs
ili radius dlya autentikacii
>A: (Alexandre Snarskii), prislal (Vladimir Kravchenko)
poprobovat' ispol'zovat' banner login "..."
[08.09.2000] 7.6>Q: Probros na ifcico, raznye porty - raznye hosty.
>A: (DY) zakryvaem temu ifcico.
tacacs.conf
group = fido {
after authorization "/usr/local/tacplus/emsi $user $port"
login = none
service = exec { }
}
user = \*\*EMSI_INQC816 { member = fido }
user = \*\*EMSI_INQC816q { member = fido }
user = \*\*EMSI_INQC816\*\*EMSI_INQC816q. { member = fido }
cat /usr/local/tacplus/emsi
#!/bin/sh
if [ "X$2X" = "Xtty3X" ]
then
echo noescape=true
echo autocmd="telnet host_1 60179 /stream"
else
echo noescape=true
echo autocmd="telnet host_2 60179 /stream"
fi
exit 2
[27.12.2000] 7.7>Q: Kak pri autentikacii na radiuse pol'zovatelyu naznachit' in-out ip
access-list na ego interfejse ?
>A: (Michael Korban)
Framed-Filter-Id="blabla.in"
Framed-Filter-Id="blabla.out"
===========================================================
===========================================================
[2000.10.12] 8.0>
>A: (Alex Bakhtin)
Ob®em pamyati, oppedelennyj IOSom pokazyvaetsya v vyvode komandy sh ver
v vide dvuh chisel MEM1/MEM2, gde MEM1 - eto ob®em process memory a MEM2 -
eto ob®em IO memory.
p.s. (DY) for example
6144K/2048K - vsego 8Mb
126976K/4096K - vsego 128Mb
8.1>Q: A kakie simy mozhno stavit' v CISCO ? A to ya vse pepeppoboval, ni odin
ne podhodit. :-(
>A: (Vasily Ivanov)
Ha simah dolzhny byt' ppavil'no paspayany pepemychki, ukazyvayushchie opganizaciyu
sima i skopost' chipov v nanosekundah (bol'shinstvo kitajskih ppoizvoditelej eti
pepemychki ne paspaivayut). Vot tablichka, kotopaya pomozhet vam eto sdelat':
Razmep Opganizaciya 68 67 66 11
4Mb 512k*8/9 X X X X
4Mb 1M*2/4/16/18 - X X -
8Mb 2M*8/9 - X - X
16Mb 2M*8/9 X X - X
16Mb 4M*2/4/16/18 - X - -
Hany 69 70
50ns X X
60ns - -
70ns X -
Znakom [X] pomecheny kontakty, kotopye neobhodimo soedenit' s 72m kontaktom
sima, obychno on vyveden uzhe v nepospedstvennoj blizosti ot pepemychek. [-] -
svobodnyj kontakt. V nastoyashchee vpemya mozhno bez ppoblem kupit' 4h metpovye simy
s opganizaciej 1M*2/4/16/18 i 16ti metpovye s opganizaciej 4M*2/4/16/18. 8mi
metpovye simy so standaptnoj opganizaciej 1M*2/4/16/18 v putepah CISCO ne
pabotayut !!! Takzhe kak i EDO RAM.
NB !!! V 25hh simy bez papiteta _pabotat'_ne_budut_ ! Hikogda.
>A: (Leonid Kirillov)
Ot sebya dobavlyu malen'kuyu poproavku:
1. SIMM dolzhen imet' skorost' men'shuyu libo ravnuyu skorosti RAM na mamke;
2. Imeyutsya mamki 2 vidov: starye i novye. V staryh nuzhny SIMM s chetnost'yu, v
novyh - net, tak kak eto vyklyucheno na mamke. Otlichie ochen' prostoe - ne zapayana
pyataya mikroshemi pamyati. Gde ee iskat' - narisovano na kartinke:
--------------------------------|
|
=======SIMM================== |
|
RAM1 RAM2 RAM3 RAM4 par |
par |
|
Cisco 2501
3. Dvuhbankovyj SIMM viditsya kak odnobankovyj. Takim obrazom ya delal sebe 16Mb
pamyati iz 32 (ochen' bylo nuzhno:-) Rabotaet normal'no.
>A: (Kirill Osovsky)
Eshche nemnogo o SIMM'ah.
Dlya 1600 - chetnost' nezhelatel'na - rabotat' oni budut, no togda otvalitsya
on-board DRAM. Dual bank 8 Mb viditsya i rabotaetsya kak 8 Mb
Dlya 3620 - chetnost' (naskol'ko ya ponyal) bezrazlichna. Dual bank 8 Mb viditsya kak
dual bank, no rabotat' 3620 s nim ne budet (ne polozheno po instrukcii)
3640 - rabotaet s dual bank.
>A: (Dmitry Morozovsky)
Eshche dopolnenie: 36xx rabotaet s EDO (3640 tochno, 3620. kazhetsya, tozhe). 3640
pri postanovke chetnogo kolichestva odinakovyh simmov perehodit v 64razryadnyj
rezhim, chto uvelichivaet proizvoditel'nost', no takzhe uvelichivaet i rashod pamyati
v svyazi s alignment.
P.S. (Basil Dolmatov)
3620 ponimaet tol'ko FPM.
3640 ponimaet i EDO tozhe.
8.2>Q: Podskazhite gde eshche vstrechayutsya eti 100-pinovye DIMM'y, kotorye v
2600 stoyat. Ili gde ih mozhno kupit'? Za dve tonny baksov ne predlagat'.
>A: (Dmitry Morozovsky)
Podhodit pamyat' dlya HP LJ 4000 (100pin EDO SODIMM). Krome togo, mozhno brat'
pamyat' u prakticheski lyubogo dilera Micron, Transcend, Kingston. U etih --
prosto po katalogu.
P.S. |to zhe otnositsya i k MC3810.
[04.07.2000] 8.3>Q: A ne podskazhet li kto-nibud', kakaya SIMM-pamyat' podhodit
k serii 4000 (konkretnee, 4500M+) i chego na nej propayat'?
Imeetsya v vidu: edo/fpm, chetnost', paritet, chislo chipov.
>A: (Alexander Voropay)
Dlya 4500 podhodit ta zhe samaya pamyat', chto i dlya 2500,
i FLASH i DRAM. Packet DRAM ta zhe samaya, chto i System
DRAM, i chem bol'she tem luchshe :-)
A konkretno, 72-pin SIMM, NoEDO (FPM), real Parity.
Obyazatel'no dolzhny stoyat' peremychki ID. Luchshe
brat' -60ns hotya dlya System DRAM podojdet i -70ns.
===========================================================
===========================================================
9.1>Q: Kak pravil'no vystavit' timezone i sinhronizirovat' vremya na kiske
>A: (Vasily Ivanov)
vot ppimep dlya Omska (UTC+6):
clock timezone OMT 6
clock summer-time OMTS recurring last Sun Mar 3:00 last Sun Oct 3:00
I eshche:
1) chasy ustanavlivayutsya, esli tol'ko na tajm-sepvepe vpemya vystavleno
koppektno, esli zhe on nahoditsya v ppocesse podvedeniya svoih chasov, to ciska
budet zhdat' okonchaniya etogo ppocessa.
2) vystavlenie chasov ppoishodit ne spazu, a 5-10 minut. Podozhdi nemnogo.
>A: (Alec Voropay) dlya Moskvy
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 3:00
9.2>Q: A kak zastavit' kisku sinhronizirovat' vremya s kakim-libo serverom i byt'
samoj ntp-serverom ?
>A: (Maksim Malchuk)
ntp source interfaceX
ntp master 3
ntp server aaa.bbb.ccc.ddd
ntp server eee.fff.ggg.hhh
ntp server iii.jjj.kkk.lll
P.S. (Alex Bakhtin)
ntp master 3 - eto znachit, chto esli ppopadut vse ntp servers, kotopye ppopisany v konfige,
kiska budet schitat' sebya sepvepom so stratum 3.
P.P.S. (Sergey Romantsov)
Ntp master - ukazyvaet, chto router yavlyaetsya odnim iz istochnikov "tochnogo"
vremeni, poetomu esli neobhodimo chtoby on razdaval vremya drugim ustrojstvam,
neobhodimo ego ob®yavit' kak master s sootvetstvuyushchej velichinoj stratum.
stratum=1 : eto atomnye chasy
stratum=2 : ustorjstvo neposredstvenno podklyucheno k atomnym chasam
stratum=3 : ustrojstvo svyazano s ustrojstvom ( sm vyshe)
i tak dalee... do 15.
stratum=16 : ustrojstvo ne yavlyaetsya avtorizovannym istochnikom vremeni.
===========================================================
===========================================================
10.1>Q: Mozhno kak-nibud' sdelat' na kiske 2511 s
IOS 11.3, chtoby vse soedineniya po FTP, WWW s lokal'noj setki (imeyushchej public
internet adresa)
ustanavlivalis' s adresa skazhem 62.244.63.114, eto svyazano s tem, chto pri
ustanovlenii soedineniya s etogo adresa pakety vozvrashchayutsya cherez sputnik.
>A: dimka@spy.ints.net (Dmitry Aksyonov)
tochno dlya etogo sluchaya:
[..]
ip nat inside source list 111 interface Loopback4 overload
[..]
interface Loopback4
ip address 62.244.63.162 255.255.255.255
[..]
interface Ethernet0
ip nat inside
[..]
interface Serial0
ip nat outside
[..]
access-list 111 permit tcp 194.44.58.0 0.0.0.255 any eq ftp
access-list 111 permit tcp 194.44.58.0 0.0.0.255 any eq ftp-data
access-list 111 permit tcp 194.44.58.0 0.0.0.255 any eq www
ostal'nye porty po vkusu ;)
posmotret' chto poluchaetsya - sh ip nat tra
10.2>Q: Est' dve setki: 192.H.H.0 i 193.H.H.80/28 i kiska 2509
Huzhno vklyuchit' NAT, chtoby yuzera iz 192... setki hodili v 193... .
Interesuet kusok(ki) konfiga kiski, tol'ko rabotayushchij i podrobnyj.
>A: (Eugene A. Rakhmatulin)
Hizhe kusok real'no rabotayushchego konfiga (izmeneny tol'ko IP): est' set'
193.193.193.224/29, kotoruyu dal provajder i vnutrennyaya set' 192.168.1.0/24.
Ha translyaciyu vseh vnutrennih adresov, krome 192.168.1.2 vydelyaetsya adres
193.193.193.227, a na 192.168.1.2 zapisyvaetsya staticheskaya translyaciya adresa
193.193.193.230.
cs-2501# show running-config
[ .. ]
ip nat pool one 193.193.193.227 193.193.193.227 netmask 255.255.255.248
ip nat inside source list 1 pool one overload
ip nat inside source static 192.168.1.2 193.193.193.230
[ .. ]
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip broadcast-address 192.168.1.255
ip nat inside
[ .. ]
!
interface Serial1
description Link to Provider
ip address 193.193.193.226 255.255.255.248
ip nat outside
[ .. ]
access-list 1 permit 192.168.1.0 0.0.0.255
10.3>Q: Provajder vydal odin real'nyj adres (vmesto byvshego ranee bloka adresov)
i nuzhno v techenii perehodnogo perioda (3 dnya) operativno perenastroit'
Cisco 2509 dlya marshrutizacii v sleduyushchej konfiguracii:
Ethernet - soedinyaetsya napryamuyu edinstvennym real'nym adresom s
marshrutizatorom provajdera;
Serial1 - smotrit (cherez vydelenku) v odnu fizicheskuyu set'(~20
komp'yuterov+programmnyj marshrutizator);
Serial2 - smotrit v druguyu(~10 komp'yuterov).
>A: (Ilya Geldiev)
ip nat translation timeout 1800
ip nat translation tcp-timeout 1800
ip nat translation udp-timeout 150
ip nat inside source list 101 interface Async8 overload
' ip nat inside source static tcp {Ethernet0-ip} 80 {Async8-ip} 80
extendable
' ne bolee chem probros veb-zaprosov vo vnutrennyuyu LAH
!
interface Ethernet0
description connected to internal LAN
ip nat inside
!
interface Async8
description connected to ISP
ip nat outside
!
interface Async9
description connected to internal Remote Access
dialer-group 1
!
interface Group-Async1
description connected to Dial-inPCs_mobile
ip nat inside
!
10.4>Q: Vpustit' obratno s Inet-a v lokalku. Skazhem dlya pochty -- moj
ciskovskij adres s portom 25 probrosit' v lokal'nyj segment na moj pochtovik ?
>A: CoreDumped@CoreDumped.null.ru
ip nat inside source static tcp int.ter.nsl.addr 25 ext.ter.nal.addr 25
extendable no-alias
===========================================================
===========================================================
[20.10.2000] 11.0> Razborki s ISDN Layer 1,2.
Kompilyaciya neskol'kih voprosov i otvetov.
(Gosha Zafievsky)
Voobshchem vse smotret' po doke.
Cisco po umolchaniyu vstaet kak user-side device.
Esli Layer 1 not UP - proverit' _doskonal'no_ vse kabeli i soedineniya,
smotret' sh controller e1 XX na predmet nalichiya oshibok.
Oshibki mogut voznikat' tol'ko v sluchae nepopadaniya v ustanovki
crc/no-crc, drugie varianty vstrechayutsya krajne redko. Kak tol'ko oshibki na
kontrollere propadut, Layer 1 obychno stanovitsya ACTIVE.
Vystavit' pravil'no isdn switch-type
Esli Layer 2 TEI_ASSIGNED - vystavit' pravil'no network side,
dolzhno byt' MULTIPLE_FRAME_ESTABLISHED, ne ver'te na slovo telefonistam :)
Esli s drugoj storony tupoe zhelezo, ne umeyushchee
NETWORK-SIDE, postavit' IOS 12.1.3T - tam poyavilos'
isdn protocol-emulate network
Kak tol'ko Layer 2 MULTIPLE_FRAME_ESTABLISHED - vse dolzhno rabotat'.
V klinicheskih sluchayah ne podnyatiya Layer 2 -
deb isdn q931 na bochku blizhajshemu guru.
11.1>Q: AS5300 i Ericsson MD-110.
>A: (Aleksey Fedorov)
U menya AS5300 podklyuchena k Ericsson AXE-10 po r2-digital.
V moem sluchae chtoby vse bylo horosho nuzhno skazat':
cas-custom 0
debounce-time 10
seizure-ack-time 10
country itu use-defaults
>A: (DY) rabotaet vot tak, no so stanciej dolgo muchalis'.
controller E1 1
clock source line secondary 1
pri-group timeslots 1-31
!
interface Serial1:15
isdn switch-type primary-net5
isdn incoming-voice modem
isdn bchan-number-order ascending
isdn sending-complete
!
11.2>Q: 2610 nikak ne hochet zvonit' na Definity, pri zvonke
s Definity BRI podnimaetsya i srazu padaet.
>A: (Gosha Zafievsky)
Ha kiske isdn switch-type basic-net3,
v Definity etot BRI nado opisat' kak
data module ili trunk, no ne kak WCBRI station.
Country protocol : etsi.
11.3>Q: isdn caller number, AS5300, Alcatel S12, ISDN PRI.
>A: "Victor L. Belov"
interface Serial0:15
isdn switch-type primary-net5
isdn protocol-emulate user
isdn incoming-voice modem
isdn sending-complete
i oni prihodyat.
ios 12.0.4-XH
[13.06.2000] 11.4>Q: Imeem 3640 - E1R2 - AXE 10.
>A: (Vladimir A. Golovnin)
> controller E1 0/0
> framing NO-CRC4
> ds0-group 0 timeslots 1-15,17-31 type r2-digital r2-compelled
> cas-custom 0
> debounce-time 10
> seizure-ack-time 10
> dnis-digits min 1 max 2
> ani-digits min 3 max 6
> description First E1 line : connected to port 1
U menya nastroeno tak:
controller E1 0/0
framing NO-CRC4
ds0-group 0 timeslots 1-15,17-31 type r2-digital r2-compelled
cas-custom 0
country easteurope
debounce-time 10
release-guard-time 150
seizure-ack-time 2
dnis-digits min 1 max 3
ani-digits min 0 max 3
answer-guard-time 40
ani-timeout 1
Vrode rabotae, no kriven'ko kak to. Rabotalo eshche krivee kogda
seizure-ack-time = 8, a pri 10 i vyshe vooshche trubku ne brala.
P.S. (Gosha Zafievsky)
VG> country easteurope
Vot s etim - poakkupatnee. YA by dlya nachala postavil country itu
use-defaults. R2MFC v Cisco - veshch' v sebe...
11.5>Q: Voznikla sleduyushchaya neobhodimost' - svyazat' po ISDN dve zhelezki - Zyxel
Prestige-100 (eto ISDN-router takoj) i Cisco 2522CH.
Sovershenno ne poluchaetsya eto sdelat'. Zvonit' dolzhen Zyxel etot samyj,
nu tak on zvonit, udalos' dazhe dobit'sya authentification po protokolu
pap, no protokol ne podnimaetsya. YA tak ponimayu protokol dozhen podnyat'sya
na BRI0:1 ili BRI0:2, a ona ne daet ih konfigurit' po otdel'nosti, a
esli skazat' chto-to pro LeasedLine - to ne otvechaet na zvonki.
Kak i chto nado ej skazat', chtoby poluchit' ot etogo Zyxelya 64 ili 128 K
po DialAp - ISDN ?
>A: (Mark Gorovenko)
Protokol budet podnimat'sya na Virtual-Access
Kusochek iz podobnogo konfiga privedu. V nem mnogo lishnego, bylo sdelano dlya
togo chtoby mozhno bylo zvonit' v raznye mesta, eto mozhno vykinut'.
interface Virtual-Template1
ip unnumbered Ethernet0
no ip directed-broadcast
autodetect encapsulation ppp
peer default ip address pool default
no fair-queue
ppp authentication chap pap callin
ppp multilink
!
interface BRI0
ip unnumbered Ethernet0
encapsulation ppp
no ip route-cache
bandwidth 128
dialer pool-member 1
autodetect encapsulation ppp
isdn incoming-voice modem 64
isdn answer1 xxx
isdn answer2 xxx
isdn calling-number xxx
peer default ip address pool default
no cdp enable
ppp authentication chap pap callin
!
interface Dialer0
ip address xxxx
encapsulation ppp
bandwidth 64
dialer remote-name xxx
dialer idle-timeout 30
dialer string xxx
dialer load-threshold 1 either
dialer pool 1
dialer-group 1
autodetect encapsulation ppp v120
peer default ip address xxx
no cdp enable
ppp authentication chap pap callin
!
interface Dialer1
ip unnumbered Ethernet0
encapsulation ppp
bandwidth 64
dialer remote-name xxxx
dialer idle-timeout 30
dialer wait-for-carrier-time 15
dialer string xxxxx
dialer load-threshold 1 either
dialer max-call 4
dialer pool 1
dialer-group 2
peer default ip address xxx
no cdp enable
ppp authentication chap pap callin
!
ip local pool default xxx
ip classless
ip route 0.0.0.0 0.0.0.0 xxxxx
ip route xxxxxxxx 255.255.255.255 Dialer1
ip route xxxxxxxx 255.255.255.255 Dialer0
access-list 11 permit any
access-list 100 permit ip any host xxxxxx
virtual-profile virtual-template 1
dialer-list 1 protocol ip list 11
dialer-list 2 protocol ip list 100
===========================================================
13. SNMP
===========================================================
13.1>Q: Rebut kiski po snmp ?
>A: (Oleh Hrynchuk)
snmp-server system-shutdown
and after that....
snmpset -c community -t 70 ip.addr.of.router .1.3.6.1.4.1.9.2.9.9.0 i 2
13.1>Q: Download cisco config via SNMP.
>A: Prislal (Oleh Hrynchuk)
Using SNMP and the appropriate OID .1.3.6.1.4.1.9.2.1.55, postfix the IP
address as the index for the OID. Use this "OID" as a string set value.
The string value will be the name of the file.
snmpset .1.3.6.1.4.1.9.2.1.55.10.10.20.20 string ""
The router will reward you with a nice log message and the file should
appear on the tftp server (in this example, 10.10.20.20).
Be careful as some UN*X tftp servers will not create files, but can only
write to existing files (little security precaution).
A much more interesting exercise is to get a router to read a config from
a tftp server using only snmp...but we'll cover that some other time.
Tod Daniels
Greymatter, Inc.
[17.01.2001] >A: (Joe Hishon)
I use a UNIX shell script. You need to have a tftp server also running.
For example if your tftp server is at 192.168.1.1, and your target router
is IP "$IP" and read-write community "$RW" then the important lines are:
'wr mem'
snmpset -c $RW $IP .1.3.6.1.4.1.9.2.1.54.0 integer 1
'wr net'
snmpset -c $RW $IP .1.3.6.1.4.1.9.2.1.55.192.168.1.1 octetstring
routername-confg
for COS switches... 'wr net'
snmpset -c $RW $IP .1.3.6.1.4.1.9.5.1.5.1.0 octetstring 192.168.1.1
snmpset -c $RW $IP .1.3.6.1.4.1.9.5.1.5.2.0 octetstring routername-confg
snmpset -c $RW $IP .1.3.6.1.4.1.9.5.1.5.4.0 integer 3
===========================================================
14. Cables
===========================================================
14.1>Q: Slyshal, chto est' kabel' dlya soedineniya dvuh cisok DB60M <-> DB60M
no nigde na cisco.com ne smog ego najti ?
>A: (Yuri Yuferev)
http://www.pacificable.com/PicFrames/CABMMXHD60PicFrame.htm?
===========================================================
15. TROUBLESHOOTING
===========================================================
ty sobiraesh'sf "eto" lechit'??? :)
pokazyvat' nado - "sho mem" ;)
v FAQ nado pisat', chto pamyat' libo konchilas', libo otfragmentirovalas'.. :)
lechit' mozhno raznymi sposobami, v zavisimosti ot real'noj prichiny...
nachinaya ot banal'noj dobivki pamyati ili vyklyucheniya yaunkcij, kotorye dannyj koshak
s dannoj pamyat'yu ne tyanet, prodolzhaya optimizaciej funkcij, zhrushchih pamyat' s primeneniem
golovy, i zakanchivaya smenoj IOS na tot, v kotorom ...
dannyj konkretnyj memory leak ustranen (ili eshche ne vnesen :)
I/O mem v 25-j serii _vsegda_ 2 mega... :)
===========================================================
===========================================================
Zdes' ssylki na razlichnyj soft dlya Cisco i ne tol'ko.
Nekotorye mogut dublirovat'sya iz drugih razdelov.
Accounting
ipaccounting
ipanalize
ipacc from ss23
Yura Pismerov
http://www.mcs-cityline.net/~lf/ctm/
http://www.ts.infn.it/computing/IPaccounting/
http://linux.uatel.net/soft/iptrafsnmp/iptrafsnmp.phtml
NetFlow [27.12.2000]
http://www.auckland.ac.nz/net/NeTraMet
http://www.caida.org/Tools/Cflowd
IPMeter
OSU flow-tools
NFC/java by John Gladkih
MONITORING
mrtg
rrdtool
ROUTING
GateD
Konfigi - snapshot
GNU Zebra
mrt
TACACS,RADIUS [27.12.2000]
ftp://ftpeng.cisco.com/pub/tacacs original'nyj origina
l'nyj ot Cisco
ftp://ftp.east.ru/pub/inet-admins
ftp://ftp.vsu.ru/pub/hardware/cisco/tacacs
http://www.nttacplus.com - TACACS for NT
cistron
livingston
merit
freeradius
xtradius
radius by vl
TUNNELs [27.12.2000]
for FreeBSD (prosto kak-to nashel)
ftp://ftp.sut.ru/pub/dyer/tunnel
(nos-tun est' v samoj sisteme)
(Alexander A. Karpoff) - http://mike.spottydogs.org/projects/gre-tun
TOOLS
dialout
subnet calculator
tftpd for !nix
===========================================================
===========================================================
[14.06.2000] 12.0(5)Tx. Dobpyj sovet. Vykin'te eto
ono dlya ispol'zovaniya _sovepshenno_ ne ppigodno.
Alex Bakhtin
[15.06.2000] 3640 12.0(4)T - CEF glyuchnyj. Sil'no.
Dmitri Kalintsev
[05.09.2000] Vladislav Nebolsine
12.1 (bez bukovki) - eto proverennaya i obkatannaya 12.0T (s bukovkoj), v kotoruyu
pereshli vse ee fichi.
A v 12.1T (s bukovkoj) dobavleny novye fichi (i podderzhka novyh platform),
kotorye so vremenem perejdut v 12.2.
Est' fichi, kotorye ne voshli v 12.1, tak kak byli ne v 12.0T, a v 12.0XK.
Haprimer, podderzhka Q.SIG, kotoraya byla v 12.0(5)XK i 12.0(7)XK), pereshla ne v
12.1(1), a v 12.1(2)T. I eshche ryad fich iz razlichnyh ne-T imadzhej.
Vybirat' nado po potrebnostyam (i razmeru flesha) i nalichiyu trebuemyh fich v
imadzhe. Perechen' fich v kazhdoj versii est' v dokumentacii na www.cisco.com:
http://www.cisco.com/univercd/cc/td/doc/product/index.htm
12.1(2a) - horoshaya rabotayushchaya versiya IOSa s polnocennoj podderzhkoj golosa.
Ne pomnyu kto soobshchal.
12.1(3)T - raznye SNMP indeksy na sub-if VLAN/ISL.
-is- - uzhe ne lezet v 8Mb Flash
Basil (Vasily) Dolmatov - Mmm... YA ne stal by pol'zovat' IRB v rannih versiyah
11.2 mainline ;)
[17.01.2001] Vladislav Nebolsine. Samyj stabil'nyj _golosovoj_ IOS
na segodnyashnij den' - 12.1(3a)XI5
[17.01.2001] v 90% softa 12.1(x)T na 7206VXR ne rabotaet export netflow
===========================================================
===========================================================
99.1>Q: Kak poslat' kiske break ?
03 eto skoraya, 02 - miliciya, a break - eto ne simvol, a ochen' dlinnyj start-bit
(c) Michael Shestyriov
>A: (DY)
RTFM po terminalke :)
cu,tip - ~#, ~%
DOS Navigator - F4
>A: (Alec Voropay)
http://www.cisco.com/warp/customer/701/61.html
99.2>Q: Kak vosstanovit' zabytyj (ne mnoj, a administratorom) parol' ili smenit'
ego na kakoj-to drugoj? Mozhno li sdelat' eto bez poteri konfiguracii?
>A: (Gosha Zafievsky)
RTFM, konkpetno User Guide, eshche konkpetnee
"Recovering a lost enable password".
Da.
P.S. (DY) pro Break - sm. vyshe
>A: (Alec Voropay)
http://www.cisco.com/warp/customer/701/22.html
[25.07.2000] >A: (Konstantin Gribakh) Cisco sobrala vse eti procedury
na odnoj stranichke
http://www.cisco.com/warp/public/474/index.shtml
99.3>Q: Sertificirovano li v Minsvyazi oborudovanie Cisco ?
>A: (Serge Turchin)
Da, nomera sertifikatov OS/1-SPD-59 - OS/1-SPD-91
http://www.amt.ru/products/cisco/certificates/index_tmp.phtml
>A: (Denis Golovenko )
OS/1-SPD-70 -- dlya modelej 2505/07/09/11/18
>A: (Vladislav Nebolsine)
CIIIS bylo sertificirovano sleduyushchee oborudovanie:
Marshrutizatory Cisco
761, 765, 771, 775
1001, 1003, 1005, 1601, 1603
2501, 2503, 2505, 2507, 2509, 2511, 2512, 2514, 2518, 2520, 2522
26xx
3620, 3640
4000, 4000M, 4500, 4500M, 4700, 4700M
7204, 7206, 7505, 7507, 7513
AS5200, AS5300
MC3810
Cache Engine LDIR-410, LDIR-420
LAN kommutatory
Catalyst 1400, 1900, 2820, 29xx
3000, 3100, 3200
5000, 5002, 5500, 5505
WAN kommutatory
LightStream 1010
IGX8, IGX16, IGX32, IGX8410, IGX8420, IGX8430
BPX8600
MGX8220
Setevye ekrany Cisco PIX Firewall
(3 klass zashchishchennosti po sisteme sertifikacii sredstv zashchity
informacii po trebovaniyam bezopasnosti informacii)
P.S. (DY)
Spisok sootvetstviya oborudovaniya i sertifikatov
http://www.comptek.ru/cisco/teach/certif.html
[05.01.2001] >A: Ilia Zubkov - pro sertifikaciyu Catalyst
Na etu temu -- vot u menya na stole lezhit kopiya pis'ma zam. ministra MinSvyazi
Volokitina (b/n, ot 02.11.2000) v moskovskij ofis kiski o tom, chto, mol,
"Na Vash zapros o neobhodimosti sertifikacii kommutatorov"
tipa Catalyst 1900,2900XL,3500XL,4000,6000,8500CSR "Minsvyazi soobshchaet, chto
ukazannoe oborudovanie ne podlezhit sertifikacii v sisteme "|lektrosvyaz'",
i ego primenenie ne zapreshchaet kommercheskuyu ekspluataciyu seti
pri ustanovke na uzlah svyazi dlya soedineniya oborudovaniya vo vzaimouvyazannoj
seti po protokolam Ethernet, FastEthernet, GigabitEthernet".
Po moemu razumeniyu, zhelayushchim v MinSvyazi ne dolzhny otkazyvat' v vydache
kopii etogo pis'ma.
P.S. (DY) poskol'ku eto pis'mo b/n (bez ishodyashchego nomera) to
status etogo pis'ma do konca ne yasen.
[13.06.2000] 99.4>Q: Kak po nazvaniyu fajla oppedelit' vepsiyu iosa,
IP-only on, IP/IPX ili enterprise?
>A: (Serge Turchin)
*-i-* - IP
*-is-* - IP Plus
*-d-* - Desktop
*-ds-* - Desktop Plus
*-j-* - Enterprise.
i t.d. V 11.2 net IP/IPX, a tol'ko Desktop, na nego cena snizhena
v sravnenii s 11.1. Suffiks - a - appn. Voobshche, gde-to est' na
servere rasshifrovka.
U 1000-nyh yader sistema drugaya. n-Novell, b - Apple Talk, y - IP,
q - asinhronnyj variant.
> I eshche - na sajte dlya vepsij byli fajly pazmepom v 2-4paza men'she iosov i
> s
> zagadochnym slovom boot v nazvanii - eto bootstrap only? :-)
U 7500, 4500-4700 net proshityh namertvo butovyh sistem. Ho est'
special'nyj t.n. bootflash v kotorom zapisana ukorochennaya versiya
sistemy.
>A: (Dmitriy Yermakov)
Kazhetsya vse opisano tut - http://www.cisco.com/warp/public/620/1.html
99.5>Q: Est' li podderzhka R2 dlya 3600 ?
>A: Vladislav Nebolsine
***Hot News*** Announcing R2 support for the 3600 Digital Modems!!
Hot News!!!
===========
Announcing R2 support for the 3600 family of Digital Modems
=================================================
The 3600 team is pleased to announce R2 support for integrated Digital Modems on the popular Cisco 3600 series platform. This feature is available with the introduction of IOS 12.0(1)T
This new feature supports the use of R2 signalling with the 3600 internal digital modems, enabling high-speed (up to 56kbps) remote access for branch offices and small/mid size ISP's who utilize this specific line-signalling protocol.
This announcement extends the range of connectivity options available for
the 3600 Digital Modems, now supporting:
PRI CAS(CT1) R2 (CE1))
By supporting this flexible range of signalling protocols , the 3600
digital modem solutions can now be deployed on a world-wide basis!
A Country list and Mini Q&A follow.
Countries configurable with R2 on the 3600: (this is a subset of the
supported 5300 R2 countries)
=================================
Argentina Australia Brazil * China *
Columbia Costa Rica
Eastern Europe mode supports:
Croatia Russia * Ecuador (ITU and LME)
Greece Guatemala Hong Kong (China & ITU Variants)
India Indonesia Israel *
ITU mode supports:
Denmark Finland Germany
Russia (ITU variant) *
Hong Kong (ITU variant)
South Africa (ITU variant)
Korea * Malaysia * Mexico (Telmex and Telnor) *
New Zealand * Paraguay Peru
Philippines Saudi Arabia
Note: All countries listed have been tested in house. Countries marked
with a * have also been successfully tested in-country.
Mini Q&A
=========
Q. What is R2 ?
A. R2 is a signaling system (Q.422) used by a number of countries
worldwide. This signaling system runs over an E1 Carrier (2.048Mb/s),
containing 32 64Kb/s timeslots, of which, 30 timeslots can be used
for digital modem calls.
Q. Does this feature require new hardware in the 3600?
A. No
Q. What network modules support this feature?
A. All the current 1/2 PRI NMs, including the new 1FE 1/2 PRI NM.
Q.Is the Cisco Dial-out Utility supported through an R2 connection?
A. Yes. Version 2 of the Cisco Dial-out Utility (available early
November) together with MICA Portware 2.5.1.0 support Dial/Fax out
through the R2 interface
Q. Is this R2 feature supported the Cisco 2600, 3620, and 3640?
A. The ability for Modem calls to be terminated through an R2 interface
is available for all platforms that support Cisco digital modems. This
currently limits R2 support to the 3640/3620
Q. Do I need a new version of the digital modem microcode to support R2?
A. No. All shipping versions of Portware are supported. For information
on Portware and instructions on downloading the latest version, please
visit: http://www.cisco.com/public/sw-center/sw-access.shtml.
Q. What IOS is required to utilize this feature?
A. IOS 12.0(1)T and above
Q. Can I support ISDN PRI R2, and CAS in the same chassis?
A. Yes, on a per network module basis. Each individual PRI NM can be
configured as R2,CAS or ISDN PRI.
Q. What countries will this R2 feature be available in?
A. At FCS, a subset of the 5300 supported R2 countries will be supported.
All Countries in the list above have been successfully tested internally.
Q. Will the new mixed media FE/PRI support R2?
A. Yes.
Q. Can two PRI/R2 links share one DM NM?
A. Yes. The pool of modems is available to all R2/PRI interfaces.
99.6>Q: Kogda zhe nakonec budet reliz V.90 dlya MICA ?
>A: (Oleg Zharoff)
Vyshel nakonec dolgozhdannyj reliz V.90 dlya MICA modemov, versiya 2.5.1.0.
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/5300/
mod_info/53fw_pw/53micaa/rn250x.htm
99.7>Q: A vot pochemu ya ne mogu cherez console zajti na moyu ciscu? I nastrojki
krutil, i porty na mashinkah zhivye, a chto ne tak - ne pojmu.
>A: Pavel Stepchenko McFlySr@irc
Prover'te marku vashej motherboard. Esli eto Atrend, prover'te,
"rodnye" li "kosichki"? Delo v tom, chto poganye(kto mne vozmestit dushevnoe
ravnovesie?! ;) ) kitajcy reshili, chto oni umnee vseh, i zayuzali "kosichki"
s shahmatnoj raspajkoj(kak i na AT486); na ostal'nyh zhe MB - pryamaya
raspajka.
Esli ne ATREND - vse ravno prover'te porty na celostnost', tak kak cu po
umolchaniyu imeet Xon/Xoff i voobshche :)
Ubezhdaemsya, chto na cuaa0(1) ne visit (m)getty, puskaem cu -l
/dev/cuaa0(1), i naslazhdaemsya zhizn'yu :)
Thanks for support: CGHost, Fifo, Jimson, Lee7, Mdh, ReedCat, vul.
99.8>Q: Tut problema - kto znaet kak vystavit' nomer seti u Hovell'nogo
klienta ? Hachal bit' setku na VLANy - i voznikli problemy. MS rabotaet
normal'no, a Hovel'nyj klient ne hochet.
>A: (Serge Turchin)
Propisat' spantree portfast na portah Katalista.
[13.06.2000] 99.8.1>Q: Kak zastavit' porty na 2924XL bystree inicializirovat'sya ?
>A: os@alkar.net
http://www.cisco.com/warp/public/473/12.html
99.9>Q: Kto-nibud' znaet, kak byt' s uteryannym parolem na 1020?
>A: (Gleb Pijov)
Question: How do you recover lost passwords on a Cisco 1020?
Answer:
As the Cisco 1020 is rarely physically secured, password recovery is
done by calling Cisco and providing a system generated CHALLENGE. Using
the override program, the support engineer can provide a one-time
password to use to get into enable mode. Then, follow these steps:
1.Customer: Put up dip switch 1 and apply power. You should see
"Console Username:".
2.Customer : Login with Username "enable" and Password "override". It
will print a CHALLENGE.
3.Cisco runs the override program and prints a RESPONSE.
4.Customer: On the 1020, log in as "enable" and give the RESPONSE as
the password. That will get you the # prompt, then you can do a wr t to
see the current enable password. Or, you can do a config t and reset the
enable password.
99.10>Q: Problemy s MTU na interface tunnel.
>A: "Philipp V. Patrushoff"
BugID: CSCdm54169
>>> [13.09.2000] Vladislav Nebolsine, NB !!!
>>> bag ispravlen v 11.3(11) i 12.0(6)
You cannot change the MTU size of a tunnel interface using software after Cisco IOS Release
+11.3(9.2).
Workarounds:
Use images between Release 11.3(5.1)T and Release 11.3(9.3) or Release 12.0(0.16) and
Release 12.0(4.2). Configure ip mtu on the tunnel interface before you configure tunnel
destination. If tunnel destination is already configured, then unconfigure the destination,
configure ip mtu, and then reconfigure the destination. You need to wait five seconds
after removing the tunnel destination before issuing the ip mtu command. Once the workaround
is issued, there should be no problems in the event of a router reboot as the ip mtu command
is parsed before the tunnel destination.
[27.12.2000] 99.11>Q:Est' neskol'ko Kisok sepii 25xx. Hyzhno odnovpemenno na vseh v oppedelennyj
moment menyat' X25 routing, ppichem zhelatel'no odnim skpiptom iz-pod FreeBSD. Kak ?
>A: A: (Alex Bakhtin), (John Gladkih), (Vladislav Staroselsky)
=== newconfig ===
interface serial
shutdown
exit
no x25 route ...
x25 route ...
interface serial
no shutdown
end
=== newconfig ===
=== Cisco config ===
ip rcmd rcp-enable
ip rcmd remote-host enable
ip rcmd remote-username
rlogin trusted-remoteuser-source local
rlogin trusted-localuser-source local
=== Cisco config ===
=== change_routing.sh ===
#!/bin/sh
su -c "rcp newconfig @:running-config"
=== change_routing.sh ===
V newconfig vstavlyaem nyzhnye izmeneniya tekyshchego poytinga (chepez no route i
route). Ppopisyvaem na FreeBSD yuzepa. V nyzhnyj moment zapyskaem
change_routing.sh
===========================================================
===========================================================
Sergey Trofimovsky - PPP per-user timeouts explained
http://www.employees.org/~dpeng/per_user_timeout.htm
Kstati govorya, nachinaya s 11.3(8)T (ili AA :-) timeouts uzhe i v PPP/PAP
rabotayut.Bez izvratov v vprofiles etc.
Dmitriy Yermakov - gde-to nachinaya s 11.3(5)T poyavilos'
ppp authorization per interface
teper' mozhno otklyuchat' avtorizaciyu na leased line s enc ppp
Serge Turchin - V 12.03T poyavilsya X.25 over FR...
Vladislav Nebolsine - Hu, a podrobnee ob etoj opcii mozhno prochitat' zdes'
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t3/x25anxg.htm
Dmitriy Yermakov - trebovaniya k ob®emu pamyati
http://infoblast.comptek.ru/cpqrg/cpqrg2.htm#xtocid2097032
Cisco-on-line Conference on Comptek
http://online.comptek.ru/cisco/index.html
Martin McFlySr
Cisco Year 2000 Product Compliance URL
http://www.cisco.com/warp/public/cc/cisco/mkt/gen/2000/prodlit/cptbl_ov.htm
Dmitriy Yermakov - Problemy s Zelax M115 na svyazke cisco-unix,
reshenie ot Igorya Nikolaeva - http://knot.pu.ru/faq/pppd.html
Raspajki razlichnyh kabelej, konfigi dlya modemov - http://www.links.ru
[13.06.2000] Cisco IOS Software RoadMap - http://www.cisco.com/warp/public/620/roadmap.shtml
[13.06.2000] Vasily Ivanov - Ogranichenie skorosti konnekta dlya MICA modemov -
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/5300/mod_info/at/atcmnds.htm
[04.07.2000] Vladislav Nebolsine - Esli komu interesno - v 12.1(2)XH poyavilas'
- podderzhka E1 R2 dlya 2600/3600/7200,
- Caller ID dlya 3810/2600/3600,
- ISDN PRI Q.931 User-Side/Network-Side dlya golosovyh modulej 2600/3600
(do etogo byl tol'ko Q.SIG)
- i koe-chto drugoe.
Podrobnosti:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121x/121xh/121xh_2/index.htm
[04.07.2000] Poltergejst v NM-*AM (Problemy s NM-8AM (NM-16AM))
Simptomy:
1. Modemy ne berut trubu pri vhodyashchem zvonke.
2. Modemy pokazyvayut nalichie vhodyashchego zvonka prosto pri podklyuchenii k
tel.linii.
3. Pri zvonke obratnym telnetom na obychnyj telefon - vmesto
handshack-signala - rev 50 gc.
Zazemlite cisku.
[27.12.2000] Yuri Vorobyev - Cisco ground
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/cis3600/3600_ cn/nebslugs.htm
[02.08.2000] Gosha Zafievsky NM-8AM, NM-16AM _ne_ podderzhivayut rezhim leased line.
P.S. (DY) ZHelayushchie mogut poeksperimentirovat' s ATA i bol'shIm vremenem
ozhidaniya CARRIER. Za rezul'tat ne ruchayus'.
[12.09.2000] john gladkih - LL na MCOM modemah (NM-8/16AM)
kogo interesovali LL na MCOM modemah? ono rabotaet.
my zavodili 18 vol't na korotkoj linii.
cherez DDR+RIP
[05.09.2000] Victor L. Belov - Tunnel' s win98 na cisco router
variantov 2 =-)
1. pptp podderzhivaetsya tol'ko v special'nom IOS
(12.0.7XE chto li... ne pomnyu tochno) na 7xxx marshrutizatorah.
S drugoj storony pptpd na FreeBSD i Linux rabotaet normal'no.
2. na melkih marshrutizatorah podderzhivaetsya l2tp tunneli,
no togda na 95/98/NT pridetsya stavit' dop. klient - naprimer
WinVPN ot http://www.routerware.com
V Windows 2000 est' vstroennaya podderzhka l2tp. YA dazhe zavel
mezhdu nim i Cisco IPSec - poluchaetsya sovsem horosho.
[22.10.2000] (DY) psevdovydelenka na chem ugodno, kak podnimat' kanal.
Kak nastraivat' DDR - chitat' doki.
A chtoby kiska sama podnimala kanal ne zavisimo ot aktivnosti v seti,
navernoe, imeet smysl nastroit' ntp na kiske :)
[24.10.2000] Basil Dolmatov - 17xx ne podderzhivaet ISL, hardware
limitation. I ne budet podderzhivat'.
[09.12.2000] Valery Filippov - 4500 ne tyanet 4Mbit na DCE.
[27.12.2000] Eugeny Krasilnikov - undocumented Cisco IOS commands
http://boerland.com/dotu
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t1/sshv1.htm#10313
Subject: comp.dcom.sys.cisco Frequently Asked Questions (FAQ)
Date: 12 Sep 1997
From: jhawk@panix.com (John Hawkinson)
Organization: PANIX Public Access Internet and Unix, NYC
Newsgroups:
comp.dcom.sys.cisco, comp.protocols.tcp-ip, comp.dcom.servers, comp.answers, news.answers
Archive-name: cisco-networking-faq
Last-modified: $Date: 1996/04/28 05:55:19 $
Version: $Revision: 1.10 $
This FAQ is edited by John Hawkinson, .
Please contribute answers to the questions in the Todo section! If
your answer is somewhat complicated, posting would probably be best
(to comp.dcom.sys.cisco). Otherwise, e-mail it to cisco-faq@panix.com.
Please note that a LOT of these questions have been hanging around for
some time, and if knowledgable people could take the time to answer a
few of them, that'd help.
This draft FAQ is in RFC1153 digest format, so you can follow each
question with your newsreader. I suppose that question-numbers should
be moved to the From: field. Note that Date: fields represent
last-modification times for the questions.
Since this FAQ was first developed, cisco has written up a lot of
useful information on their web site, http://www.cisco.com. If you
can't find what you're looking for here, please check there, too.
=================
1. How can I contact cisco?
2. What is this newsgroup?
3. What does ``cisco'' stand for?
4. How do I save the configuration of a cisco?
5. Where can I get ancillary software for my cisco?
6. Is there a World-Wide-Web (www) information source?
7. How can I get my cisco to talk to a third party router over
8. How can I get my cisco to talk to a 3rd-party router over Frame Relay?
9. How can I use debugging?
10. How can I use NTP (Network Time Protocol) with my cisco?
11. Sample cisco NTP Configurations
12. How do I avoid the annoying DNS lookup if I have misspelled a command?
13. Tracing bad routing information
14. How to use access lists
15. The cisco boot process
16. Where can I get cisco hardware?
17. Where can I get IETF documents (RFCs, STDs, etc.)?
18. Future features in cisco software
19. How do cisco routers rate performance-wise?
20. How are packets switched?
21. How does one interpret buffer statistics?
22. How should I restrict access to my router?
23. What can I do about source routing?
24. Is there a block of private IP addresses I can use?
25. Is DHCP supported?
26. Where can I get cisco documentation?
27. What's the latest software for the CSC/3?
28. What IP routing protocol should I use?
29. How do I interpret the output of ``show version''?
30. What is the maximum number of Frame Relay PVCs?
31. How much memory is necessary to telnet to a cisco router?
32. Where can I purchase flash RAM?
33. When are static routes redistributed?
34. When is the next hop of a route considered ``reachable''?
35. How do name and phone number of ``dialer map'' interfere?
36. What's the purpose of the network command?
37. What is VLSM?
38. What are some methods for conserving IP addresses for serial lines?
39. Why do some ip addresses get rejected?
40. How do 4xxx serial numbers correspond to models?
41. Where can I find more info on TACACS+
99. Acknowledgements.
=====
* What is SNMP and how can I use it? What software is available and how do
I use cisco enterprise MIBs? MIBs on ftpeng.cisco.com and CIO.cisco.com
* Pointers to other net resources, like comp.protocols.tcp-ip, RFCs,
the firewalls mailing list, etc (bgpd?[or is it cidrd now? :-)]).
* Hints about confusing and not-well documented things like xtacacs...
* Comments on interoperability issues WRT other vendors.
* What's SMARTnet, why should I subscribe, how much does it cost,
and what do I get?
* What should I name my router, my interfaces, etc.?
* Should we adjust the buffer parameters on the routers? What should
be the indicator before tunning the buffer parameters? How should
one fine tune the buffer parapeters?
* What is CIDR and why do I care (or a more general acronym decoder) ?
* How do I configure my cisco to use variable-length subnetting ?
* Is there a block of private network numbers I can use
within my organization only? When should I use them?
How do I access them from outside?
* What do I do if I have to partition a network number?
* Questions and answers about access lists
access-list reference list (lots of questions on that)
* I forgot to mention that routing DECnet over X.25 is a problem.
* Where PD network applications for SLIP/PPP are.
* What is HSRP and how does it work? When is it available (10.0)
(Hot Standby Routing Protocol)
* Should I run 10.0, 10.2, 10.3, 11.1, or what?
* What's the difference between IBGP and EBGP? Why should I run BGP?
Actual content.
===============
------------------------------
From: Question 1
Date: 31 October 1994
Corporate address:
cisco Systems
170 West Tasman Drive
San Jose, CA 95134
The following phone numbers are available:
Technical Assistance Center (TAC) +1 800 553 2447
(553 24HR)
+1 800 553 6387
+1 408 526 8209
Customer Service (Documentation, Warranty & +1 800 553 6387
Contract Services, Order Status
Engineering +1 800 553 2447
(553 24HR)
On-site Services, Time & Materials Service +1 800 829 2447
(829 24HR)
Corporate number / general +1 408 526 4000
Corporate FAX (NOT tech support) +1 408 526 4100
The above 800 numbers are US/Canada only.
cisco can also be contacted via e-mail:
tac@cisco.com Technical Assistance Center
tac-euro@cisco.com European TAC
cs-rep@cisco.com Literature and administrative (?) requests
cs@cisco.com *UNRELIABLE*, special-interest, ``non-support''
Please follow the directions available on CIO before doing this.
cisco provides an on-line service for information about their routers
and other products, called CIO (cisco Information Online). telnet to
cio.cisco.com for more details.
The collective experience of this FAQ indicates that it is far wiser to
open a case using e-mail than FAXes, which may be mislaid, shredded,
etc.
For those of you still in the paperfull office (unlike the rest of us),
cisco Systems' new corporate address is:
170 West Tasman Drive
San Jose, CA 95134
Mail to tac@cisco.com should include your service contract number, your name,
telephone number, a brief one line problem/question description, and a
case priority in the first 5 lines. For example:
Cisco service contract number 92snt1234a
First and last name Jane Doe
Best number to contact you 415-555-1234
Problem/question description Cannot see Appletalk zones
Case Priority 3
CASE PRIORITIES are defined as one of the following:
Pri 1 Production network down, critical business impact
Pri 2 Production net seriously degraded, serious impact
Pri 3 Network degraded, noticeable impact to business
Pri 4 General information, non production problems
------------------------------
From: Question 2
Date: 26 July 1994
comp.dcom.sys.cisco, which is gatewayed to the mailing list
cisco@spot.colorado.edu, is a newsgroup for discussion of cisco
hardware, software, and related issues. Remember that you can also
consult with cisco technical support.
This newsgroup is not an official cisco support channel, and should
not be relied upon for answers, particularly answers from cisco
Systems employees.
Until recently, the mailing list was gatewayed into the newsgroup,
one-way. It is possible that this arrangement may resume at somet time
in the future.
------------------------------
What does ``cisco'' stand for?
From: Question 3
Date: 31 October 1994
cisco folklore time:
At one point in time, the first letter in cisco Systems was a
lowercase ``c''. At present, various factions within the company have
adopted a capital ``C'', while fierce traditionalists (as well as some
others) continue to use the lowercase variant, as does the cisco
Systems logo. This FAQ has chosen to use the lowercase variant
throughout.
cisco is not C.I.S.C.O. but is short for San Francisco, so the story
goes. Back in the early days when the founders Len Bosack and Sandy
Lerner and appropriate legal entities were trying to come up with a
name they did many searches for non similar names, and always came up
with a name which was denied. Eventually someone suggested ``cisco''
and the name wasn't taken (although SYSCO may be confusingly similar
sounding). There was an East Coast company which later was using the
``CISCO'' name (I think they sold in the IBM marketplace) they ended
up having to not use the CISCO abberviation. Today many people spell
cisco with a capital ``C'', citing problems in getting the lowercase
``c'' right in publications, etc. This lead to at least one amusing
article headlined ``Cisco grows up''. This winter we will celebrate
our 10th year.
[This text was written in July of 1994 -jhawk]
------------------------------
How do I save the configuration of a cisco?
From: Question 4
Date: 31 October 1994
If you have a tftp server available, you can create a file on the
server for your router to write to, and then use the write network
command. From a typical unix system:
mytftpserver$ touch /var/spool/tftpboot/myconfig
mytftpserver$ chmod a+w /var/spool/tftpboot/myconfig
myrouter#write net
Remote host [10.7.0.63]? 10.7.0.2
Name of configuration file to write [myrouter-confg]? myconfig
Write file foobar on host 10.7.0.2? [confirm] y
Additionally, there's a Macintosh TFTP server available:
ftp://nic.switch.ch/software/mac/peterlewis/tftpd-100.sit.hqx
Additionally, you can also use expect, available from:
ftp://ftp.uu.net/languages/tcl/expect/expect.tar.gz
ftp://ftp.cme.nist.gov/expect/expect.tar.gz
or, in shar form from ftpeng.cisco.com.
Expect allows you to write a script which telnets to the router and
performs a ``write terminal'' command, or any other arbitrary set of
command(s), using a structured scripting language (Tcl).
------------------------------
Where can I get ancillary software for my cisco?
From: Question 5
Date: 5 July 1994
Try ftping to
ftp://ftpeng.cisco.com/pub
It's a hodgepodge collection of useful stuff, some maintained and some
not. Some is also available from
ftp://cio.cisco.com
Vikas Aggarwal has a very customised tacacsd:
A new version of xtacacsd is available via anonymous FTP from:
ftp://ftp.navya.com/pub/vikas/xtacacsd-3.5.shar.gz
------------------------------
Is there a World-Wide-Web (www) information source?
From: Question 6
Date: 28 April 1996
You can try the WWW page for this FAQ:
http://www.panix.com/cisco-faq/
or the cisco Educational Archive (CEA) home page:
http://sunsite.unc.edu/cisco/cisco-home.html
or the cisco Information Online (CIO) home page:
http://www.cisco.com/
------------------------------
How can I get my cisco to talk to a third party router over a serial link?
From: Question 7
Date: 5 July 1994
You need to tell your cisco to use the same link-level protocol as the
other router; by default, ciscos use a rather bare variant of HDLC
(High-level Data Link Control) all link-level protocols use at some
level/layer or another. To make your cisco operate with most other
routers, you need to change the encapsulation from HDLC to PPP on the
relevant interfaces. For instance:
sewer-cgs#conf t
Enter configuration commands, one per line.
Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z
interface serial 1
encapsulation ppp
^Z
sewer-cgs#sh int s 1
Serial 1 is administratively down, line protocol is down
Hardware is MCI Serial
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
[...]
If you're still having trouble, you might wish to turn on serial interface
debugging:
sewer-cgs#ter mon
sewer-cgs#debug serial-interface
------------------------------
How can I get my cisco to talk to a 3rd-party router over Frame Relay?
From: Question 8
Date: 27 July 1994
You should tell your cisco to use ``encapsulation frame-relay ietf''
(instead of ``encapsulation frame-relay'') on your serial interface
that's running frame relay if your frame relay network contains a
diverse set of manufacturers' routers. The keyword ``ietf'' specifies
that your cisco will use RFC1294-compliant encapsulation, rather than
the default, RFC1490-compliant encapsulation (other products, notably
Novell MPR 2.11, use a practice sanctioned by 1294 but deemed verbotten
by 1490, namely padding of the nlpid). If only a few routers in your
frame relay cloud require this, then you can use the default
encapsulation on everything and specify the exceptions with the
frame-relay map command:
frame-relay map ip 10.1.2.3 56 broadcast ietf
^^^^
(ietf stands for Internet Engineering Task Force, the body which
evaluates Standards-track RFCs; this keyword is a misnomer as both
RFC1294 and RFC1490 are ietf-approved, however 1490 is most recent and
is a Draft Standard (DS), whereas 1294 is a Proposed Standard (one step
beneath a DS), and is effectively obsolete).
------------------------------
From: Question 9
Date: 26 July 1994
The ``terminal monitor'' command directs your cisco to send debugging
output to the current session. It's necessary to turn this on each time
you telnet to your router to view debugging information. After that,
you must specify the specific types of debugging you wish to turn on;
please note that these stay on or off until changed, or until the
router reboots, so remember to turn them off when you're done.
Debugging messages are also logged to a host if you have trap logging
enabled on your cisco. You can check this like so:
sl-panix-1>sh logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 66 messages logged
Monitor logging: level debugging, 0 messages logged
Trap logging: level debugging, 69 message lines logged
Logging to 198.7.0.2, 69 message lines logged
sl-panix-1>
If you have syslog going to a host somewhere and you then set about a
nice long debug session from a term your box is doing double work and
sending every debug message to your syslog server. Additionally, if you
turn on something that provides copious debugging output, be careful
that you don't overflow your disk (``debug ip-rip'' is notorious for
this).
One solution to this is to only log severity ``info'' and higher:
sl-panix-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
logging trap info
The other solution is to just be careful and remember to turn off
debugging. This is easy enough with:
sl-panix-1#undebug all
If you have a heavily loaded box, you should be aware that debugging
can load your router. The console has a higher priority than a vty so
don't debug from the console; instead, disable console logging:
cix-west.cix.net#conf t
Enter configuration commands, one per line. End with CNTL/Z.
no logging console
Then always debug from a vty. If the box is busy and you are a little
too vigorous with debugging and the box is starting to sink, quickly
run, don't walk to your console and kill the session on the vty. If
you are on the console your debugging has top prioority and then the
only way out is the power switch. This of course makes remote
debugging a real sweaty palms adventure especially on a crowded box.
Caveat debugger!
Also, if you for some reason forget what the available debug commands
are and don't have a manual handy, remember that's what on-line help
is for. Under pre 9.21 versions, ``debug ?'' lists all commands. Under
9.21 and above, that gives you general categories, and you can check
for more specific options by specifying the category: ``debug ip ?''.
As a warning, the ``logging buffered'' feature causes all debug
streams to be redirected to an in-memory buffer, so be careful using
that.
Lastly, if you're not sure what debugging criteria you need, you can
try ``debug all''. BE CAREFUL! It is way useful, but only in a very
controlled environment, where you can turn off absolutely everything
you're not interested in. Saves a lot of thinking. Turning it on on
a busy box can quickly cause meltdown.
------------------------------
How can I use NTP (Network Time Protocol) with my cisco?
From: Question 10
Date: 5 July 1994
>What level of software is required for NTP support in
>a cisco router?
9.21 or above.
>Which cisco routers support NTP?
It is a software feature exclusively. Anything that supports
9.21 or 10 will run NTP (when running that s/w).
>How do I set it up?
The basic hook is:
ntp server [version n]
or
ntp peer [version n]
depending on whether you want a client/server or peer relationship.
There's a bunch of other stuff available for MD5 authentication,
broadcast, access control, etc. You can also use the
context-sensitive help feature to puzzle it out; try ``ntp ?'' in
config mode.
You'll also want to play with the SHOW NTP * router commands. Here
are two examples.
EXAMPLE 1:
router# show ntp assoc
address ref clock st when poll reach delay offset disp
+~128.9.2.129 .WWVB. 1 109 512 377 97.8 -2.69 26.7
*~132.249.16.1 .GOES. 1 309 512 357 55.4 -1.34 27.5
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
EXAMPLE 2:
router#show ntp stat
Clock is synchronized, stratum 2, reference is 132.249.16.1
nominal freq is 250.0000 Hz, actual freq is 249.9981 Hz, precision is 2**19
reference time is B1A8852D.B69201EE (12:36:13.713 PDT Tue Jun 14 1994)
clock offset is -1.34 msec, root delay is 55.40 msec
root dispersion is 41.29 msec, peer dispersion is 28.96 msec
For particular cisco NTP questions, feel free to ask in comp.dcom.sys.cisco.
For broader NTP info, see ftp://louie.udel.edu:pub/ntp/doc. The file
clock.txt in that directory has info about various public NTP servers.
There is also information on radio time receivers that can be
connected to an NTP server (this is handy on private networks, if you
have an entire campus to get chiming, or if you become a hard core
chimer).
The ``ntp clock-period'' command is added automagically to jump-start
the NTP frequency compensation when the box is rebooted. This is
essentially a representation of the frequency of the crystal used as
the local timebase, and may take several days to calculate otherwise.
(Do a ``write mem'' after a week or so to save a good value.)
Caveat of obsolecence: Note that the CS-500 will not be able to
achieve quite the same level of accuracy as other platforms, since its
hardware clock resolution is roughly 242Hz instead of the 1MHz
available on other platforms. In practice this shouldn't matter for
anyone other than true time geeks.
----------------------------------------------------------------------
Sample cisco NTP Configurations
From: Question 11
Date: 5 July 1994
You will need to substitute your own NTP peers, timezones, and GMT
offsets into the examples below, of course. Example 1 is in US Central
Time Zone, while example 3 is in US Pacific Time Zone. Both account
for normal US Daylight Savings Time practices.
EXAMPLE 1 (Charley Kline):
...
clock timezone CST -6
clock summer-time CDT recurring
ntp source eth 0
ntp peer
ntp peer
ntp peer
...
EXAMPLE 2 (Tony Li):
...
ntp source Ethernet0/0
ntp update-calendar
ntp peer
ntp peer prefer
...
EXAMPLE 3 (Dave Katz):
...
service timestamps debug datetime localtime
service timestamps log datetime localtime
clock timezone PST -8
clock summer-time PDT recurring
interface Ethernet0
ip address
ntp broadcast
ntp clock-period 17180319
ntp source Ethernet0
ntp server
ntp server
ntp server
COMMENTS ON EXAMPLE 3:
The config file is commented with date and time (and user id,
if TACACS is enabled) when the system thinks the clock is accurate.
I've enabled timestamping of debug and syslog messages. I send NTP
broadcast packets out onto the local ethernet. I'm in Pacific
Standard Time, with U.S. standard daylight saving time rules. I use
the IP address of the ethernet as the source for all NTP packets.
------------------------------
How do I avoid the annoying DNS lookup if I have misspelled a command?
From: Question 12
Date: 5 July 1994
By default, all lines are configured to automatically try a telnet
connection if the first word in a input line is not recognized as a
valid command. You can disable this by setting ``transport preferred
none'' on every line (con, aux and vty). For instance:
sl-panix-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
line vty 0 10
transport preferred none
You can see the number of vty's currently configuered with ``show lines''
Also, you can suspend connect attempts with ^^ followed by ``x'', ie
shift-cntrl-6 x.
[It has been suggested that ``no ip ipname-lookup'' to turn off IEN116
helps. I think this is the default -jhawk ]
------------------------------
Tracing bad routing information
From: Question 13
Date: 31 Oct 1994
or: How do I find out which non-cisco systems on my networks generate IP-RIP
information without letting them mess up my routing tables.
Here you could work with a default administrative distance.
Administrative distance is the basis upon which the cisco prefers
routing information of one protocol over another. In this example:
router rip
network 192.125.254.0
distance 255
distance 120 192.125.254.17 ! list all valid RIP suppliers
[...]
the value 255 has the implicit meaning of not putting this information
into the routing table. Therefore, setting an administrative distance
of 255 means that all RIP suppliers are by default accepted but their
information is not put into the routing table. The administrative
distance for the router 192.125.244.17 has been reset to the default
(for RIP) of 120, causing its routes to be accepted into the routing table.
Then you can look them up with ``show ip protocols'' and restore the
original administrative distance for the ones you want to fill in the
routing table.
The same results can be acheived with an ip access-list, but with
that, ``show ip protocols'' will only show the valid ones. But often
it is more useful to see which systems were generating routing
information at all.
This trick works for other routing protocols as well, but please select
the proper adminstrative distance (rather than 120) for the protocol
you're using.
------------------------------
From: Question 14
Date: 5 July 1994
[The following is wholesale included; at some point it'll
probably be editted a bit and reformatted... -jhawk ]
Frequently Asked Questions
contributed by Howard C. Berkowitz
PSC International
hcb@world.std.com
@clark.net [probably will be my permanent
personal account]
PSC's domain is in mid-setup
Where in the router are access lists applied?
In general, Basic access lists are executed as filters on
outgoing interfaces. Newer releases of the cisco code, such as
9.21 and 10, do have increased ability to filter on incoming ports.
Certain special cases, such as broadcasts and bridged traffic,
can be filtered on incoming interfaces in earlier releases.
There are also special cases involving console access.
Rules, written as ACCESS-LIST statements, are global for the entire
cisco box; they are activated on individual outgoing interfaces by
ACCESS-GROUP subcommands of the INTERFACE major command.
Filters are applied after traffic has entered on an incoming
interface and gone through a routing process; traffic that originates in
a router (e.g., telnets from the console port) is not subject to
filtering.
+-------------------+
| GLOBAL |
| |
| Routing |
| ^ v Access |
| ^ v Lists |
+-^--v--------^---v-+
| ^ v ^ v |
| ^ v ^ v |
A----------->|-| |>>>>Access >>----------->B
|1 Group 2 |
<------------| |<-----------
| |
| |
+-------------------+
Some types of ``filter,'' using ``filter'' as a broader class than
ACCESS-LIST, can operate on incoming traffic. For example, the INPUT-
SAP-FILTER used for Novell networks is applied to Service Advertisement
Packets (SAP) seen at incoming interfaces. In general, incoming
filtering can only be done for ``system'' rather than user traffic.
Rules of thumb in defining access lists.
First, define what you want to do and in which directions. An
informal drawing is a good first step. As opposed to the usual
connectivity drawings among routers, it's often convenient to draw
unidirectional links between routers.
Second, informally write out your filtering rules. In general, it
is best to go from most specific to least specific. Modify the order of
writing things to minimize the number of rules needed.
Third, determine which rules need to be on which routers.
Explicitly consider the direction of flow, and the possible existence of
additional paths that could inadvertently bypass a filter.
Can a cisco router be a ``true'' firewall?
This depends on the definition of firewall. Some writers (e.g.,
Gene Spafford in _Practical UNIX Security_) define a firewall as a
host on which an ``inside'' and/or an ``outside'' application process run,
with application-level code linking the two. For example, a firewall
might provide FTP access to the outside world, but it would not also
provide direct FTP service to the inside world. To place a file on
the FTP external server, a designated user would explicitly log onto
the FTP server, transfer a file to the server, and log off. The
firewall prevents direct FTP connectivity between the inside and
outside networks; only indirect, application-level connectivity is
allowed.
Firewalls of this sort are complemented by chokes, which filter on
network addresses and/or port numbers. Cisco routers cannot do
application-level control with access control lists.
Other authors do not distinguish between chokes and filters. Using
the loose definition that a firewall is anything that selectively blocks
access from the inside to the outside, routers can be firewalls.
IP Specific
-----------
Can the ``operand'' field be used with a protocol keyword of IP to filter
on protocol ID?
No. Operand filtering only works for TCP and UDP port numbers.
How can I prevent traffic for a certain Internet application to flow in
one direction but not the other?
Remember that Internet applications flow from client port to server
port. Denying traffic from port 23, for example, blocks flow from the
client to the server.
+-------------------+
| |
A----------->| |----------->B
|1 2|
<------------| |<-----------
| |
+-------------------+
If we deny traffic to Port 23 of address B by placing a filter at
interface 2, we have blocked A's ability to telnet to B, but not B's
ability to telnet to A. A second filter at interface A would be needed
to block telnet in both directions.
Assume that we only have the filter at interface 2. Telnets to A
from B will not be affected because the filter at 2 does not check
incoming traffic.
-------
With the arrival of in-bound access lists in 9.21, it should be noted
that both inbound and access lists are about equally efficient, in
case any of you were wondering.
It's worth remembering that there are some kinds of problems
that packet-filtering firewalls are not best suited for. There's
reasonably good information in:
"Network (in)security through packet filtering"
ftp://ftp.greatcircle.com/pub/firewalls/pkt_filtering.ps.Z
------------------------------
From: Question 15
Date: 26 July 1994
What really happens when a cisco router boots, from boot start to live
interfaces?
First it boots the ROM os version. It reads the config. Now, it
realizes that you want to netboot. It loads the netbooted copy in on
top of itself. It then re-initializes the box and re-reads the
config. Manly, yes, but we like it too....
[[ Ummm... in particular it loads the netbooted copy in as WELL as
itself, decompresses it, if necessary, and THEN loads on top of
itself. Note that this is important because it tells you what the
memory requirements are for netbooting: RAM for ROM image (if it's a
run from RAM image), plus dynamic data structures, plus RAM for
netbooted image. ]]
The four ways to boot and what happens (sort of):
I (from bootstrap mode)
The ROM monitor is running. The I command causes the ROM monitor to
walk all of the hardware in the bus and reset it with a brute force
hammer. If the bits in the config register say to auto-boot, then
goto B
B (from bootstrap mode)
Load the OS from ROM. If a name is given, tell that image to start
silently and then load a new image. If the boot system command is
given, then start silently and load a new image.
powercycle
Does some delay stuff to let the power settle. Goto I.
reload (from the EXEC)
Goto I.
------------------------------
Where can I get cisco hardware?
From: Question 16
Date: 18 July 1994
Try calling 800-553-NETS and asking for your local sales office.
That's probably the best plan.
------------------------------
Where can I get IETF documents (RFCs, STDs, etc.)?
From: Question 17
Date: 18 April 1995
Where and how to get new RFCs
=============================
RFCs may be obtained via EMAIL or FTP from many RFC Repositories. The
Primary Repositories will have the RFC available when it is first
announced, as will many Secondary Repositories. Some Secondary
Repositories may take a few days to make available the most recent
RFCs.
Primary Repositories:
RFCs can be obtained via FTP from DS.INTERNIC.NET, NIS.NSF.NET,
NISC.JVNC.NET, FTP.ISI.EDU, WUARCHIVE.WUSTL.EDU, SRC.DOC.IC.AC.UK,
FTP.CONCERT.NET, or FTP.SESQUI.NET.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Secondary Repositories:
Sweden
------
Host: sunic.sunet.se
Directory: rfc
Host: chalmers.se
Directory: rfc
Germany
-------
Site: EUnet Germany
Host: ftp.Germany.EU.net
Directory: pub/documents/rfc
France
------
Site: Institut National de la Recherche en Informatique
et Automatique (INRIA)
Address: info-server@inria.fr
Notes: RFCs are available via email to the above
address. Info Server manager is Mireille
Yamajako (yamajako@inria.fr).
Netherlands
-----------
Site: EUnet
Host: mcsun.eu.net
Directory: rfc
Notes: RFCs in compressed format.
France
------
Site: Centre d'Informatique Scientifique et Medicale
(CISM)
Contact: ftpmaint@univ-lyon1.fr
Host: ftp.univ-lyon1.fr
Directories: pub/rfc/* Classified by hundreds
pub/mirrors/rfc Mirror of Internic
Notes: Files compressed with gzip. Online
decompression done by the FTP server.
Finland
-------
Site: FUNET
Host: funet.fi
Directory: rfc
Notes: RFCs in compressed format. Also provides
email access by sending mail to
archive-server@funet.fi.
Norway
------
Host: ugle.unit.no
Directory: pub/rfc
Denmark
-------
Site: University of Copenhagen
Host: ftp.denet.dk
Directory: rfc
Australia and Pacific Rim
-------------------------
Site: munnari
Contact: Robert Elz
Host: munnari.oz.au
Directory: rfc
rfc's in compressed format rfcNNNN.Z
postscript rfc's rfcNNNN.ps.Z
United States
-------------
Site: cerfnet
Contact: help@cerf.net
Host: nic.cerf.net
Directory: netinfo/rfc
Site: NASA NAIC
Contact: rfc-updates@naic.nasa.gov
Host: naic.nasa.gov
Directory: files/rfc
Site: NIC.DDN.MIL (DOD users only)
Contact: NIC@nic.ddn.mil
Host: NIC.DDN.MIL
Directory: rfc/rfcnnnn.txt
Note: DOD users only may obtain RFC's via FTP
from NIC.DDN.MIL. Internet users should NOT
use this source due to inadequate connectivity.
Site: uunet
Contact: James Revell
Host: ftp.uu.net
Directory: inet/rfc
UUNET Archive
-------------
UUNET archive, which includes the RFC's, various IETF documents,
and other information regarding the internet, is available to the
public via anonymous ftp (to ftp.uu.net) and anonymous uucp, and
will be available via an anonymous kermit server soon. Get the
file /archive/inet/ls-lR.Z for a listing of these documents.
Any site in the US running UUCP may call +1 900 GOT SRCS and use
the login "uucp". There is no password. The phone company will
bill you at $0.50 per minute for the call. The 900 number only
works from within the US.
------------------------------
Future features in cisco software
From: Question 18
Date: 22 April 1996
[This could be more fleshed out (still!)]
Kerberos and RADIUS in 11.1
RIP version 2 in 11.1 (allows VSM, etc.)
Policy-based routing (routing based on source address or interface, or just
about anything else you want) in 11.0 *released*
PPP Multilink in 11.0(3) *released*
Frame Relay payload compression in 11.0(4) *released*
IPX Per-Host load balancing in 11.1
------------------------------
How do cisco routers rate performance-wise?
From: Question 19
Date: 27 July 1994
People often ask about performance of the cisco routers and are shyed
away from answering their questions because we don't know where to send
them.
Scott Bradner keeps the results of his performance tests on the
Internet. You can find them for ftp on the system hsdndev.harvard.edu
in the /pub/ndtl. There is a README file in that directory that
explains what is available. In addition, cisco has just started
publishing a piece of literature called ``The Harvard Benchmark Test
Results: Summary of cisco Systems Performance''. The only number I
can find on the doc is Lit. #700901. Don't know if you can order it
by this number, but at least there's a title to go on.
------------------------------
How are packets switched?
From: Question 20
Date: 22 April 1996
There are 3 basic types of switching (in order of increasing performance).
process switching
fast switching
autonomous switching
Process and fast switching support inbound and outbound, simple and
extended, access lists. Of course, for fast switching, such lists only
restrict traffic on the particular fast-switched interface.
Autonomous switching is done in the switch processor, a microcoded device that
is capable of switching IP, IPX, and bridging packets in the 100kpps range.
This is known as the "SP" card on the 7000 and the CBUS controller on the AGS+.
Encapsulation support is rather limited (Ethernet, HDLC, HSSI...).
The cisco 7000 also supports:
silicon switching
Silicon switching is done in the silicon switching engine (creative, eh? ;-).
The silicon switch processor (SSP) is the board which combines both the
switch processor and a silicon switching engine.
The SSP supports simple and extended outbound access lists in 10.3 and later.
The SSP supports simple and extended inbound access lists in 11.1 and later.
The cisco 75xx series supports:
"optimal" switching (cruddy name, eh?)
"flow" switching
"distributed" switching
* "optimal" switching (cruddy name, eh?)
The 7500 platform does not have a separate SP or SSP card, rather the RISC
processor on the "integrated route/switch processor card (IRSP)" handles
switching directly, similar to the 4000 series routers. There are several
hardware and software enhancements made though to increase the throughput to
a level that is several times above what you would normally get from "fast"
switching. Everything that "fast" switching supports is supported in
"optimal" switching.
* "flow" switching
Basicly the "optimal" switching method, however things have been front-ended
with an additional small "flow" cache. This flow cache contains information
about source/destination addresses & ports which allow the router to make more
informed queueing decisions and process access lists faster. This is a win in
routers that would tend to carry a reasonably small number of flows at any one
time, such as what you would expect in a corporate network or in a smaller
internet service provider network. It's unclear if there are any advantages
in a large internet backbone.
* "distributed" switching
cisco has announced a new type of interface-processor card, called a "VIP"
available in the 7500 platform that is intelligent enough to switch packets
with no intervention on the part of the IRSP card. This once again separates
switching from routing, as in the earlier CBUS/SP/SSP design.
The first packet of every session or connection is always Process Switched.
The route table is consulted (this resides in DRAM on the CPU) and the
"result" is cached in the system memory cache. If the protocol can only be
process switched, then it will continue this way and interrupt the CPU for a
route table lookup each time. [comment: Process Switching is brutally slow
compared to other switching methods. Some features (usually new features do
this for the first few software releases) force every packet to be process
switched. If you can't avoid process-switching every packet, at least get a
router with a fast CPU, such as the 75xx, 4500, and 4700. The 4700 is
currently the fastest at process-switching packets, with the 4500 and 75xx
tied for second. The 75xx can optimum-switch, however, so it's a lot faster
than either of the 4x00s, if you can use it).
The second and subsequent packets of each session are capable of being Fast
Switched (more session types are becoming fast-switchable), and will consult
only the route-cache. This still involves a memory lookup on the board, but
the packet can be transferred from the source card directly to the
destination card without requiring full storage on the CSC [the CSC refers
to the CPU card, basically].
There are some undocumented commands that are useful for obtaining
per-interface statistics on what sort of switching was performed.
For instance:
frobozz-magic-robot>sh int atm4/0 switch
ATM4/0
Throttle count: 0
Protocol Path Pkts In Chars In Pkts Out Chars Out
IP Process 104851 7669968 116378 11180988
Cache misses 35826
Fast 0 0 0 0
Auton/SSE 0 0 0 0
frobozz-magic-robot>sh int atm4/0 stat
ATM4/0
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 105024 7679155 116422 11184108
Route cache/FIB 0 0 0 0
Distributed cache 0 0 0 0
Total 105024 7679155 116422 11184108
------------------------------
How does one interpret buffer statistics?
From: Question 21
Date: 31 October 1994
Buffer statistics may be obtained with:
mit2-gw.near.net>sh buffers
Buffer elements:
433 in free list (500 max allowed)
82320311 hits, 0 misses, 0 created
Small buffers, 104 bytes (total 202, permanent 120):
185 in free list (20 min, 250 max allowed)
34289219 hits, 4297 misses, 1307 trims, 1389 created
Middle buffers, 600 bytes (total 104, permanent 90):
102 in free list (10 min, 200 max allowed)
6829533 hits, 1432 misses, 483 trims, 497 created
Big buffers, 1524 bytes (total 90, permanent 90):
90 in free list (5 min, 300 max allowed)
3403884 hits, 56 misses, 1 trims, 1 created
Large buffers, 5024 bytes (total 5, permanent 5):
5 in free list (0 min, 30 max allowed)
49984 hits, 13 misses, 20 trims, 20 created
Huge buffers, 18024 bytes (total 0, permanent 0):
0 in free list (0 min, 4 max allowed)
0 hits, 0 misses, 0 trims, 0 created
5683 failures (0 no memory)
You can interpret them:
Total Number of buffers of that size that exist.
Free Number of free buffers.
Max Maximum size that the free list can grow to before we start
throwing them away.
Hit Buffer got used.
Miss Someone requested a buffer and we had to go carve it up out of
free memory. If we couldn't because we were at interrupt
level, it's also an allocation failure. If we couldn't
because we were out of memory, then it's also a ``no memory''
failure.
Trim There are more free buffers on the free list than there need
to be and we threw some away.
Create Number of buffers we created after a miss.
------------------------------
How should I restrict access to my router?
From: Question 22
Date: 22 April 1996
Many admins are concerned about unauthorized access to their routers
from malicious people on the Internet; one way to prevent this
is to restrict access to your router on the basis of IP address.
Many people do this, however it should be noted that a significant number
of network service providers allow unrestricted access to their routers
to allow others to debug, examine routes, etc. If you're comfortable doing
this, so much the better, and we thank you!
If you wish to restrict access to your router, select a free IP access
list (numbered from 1-100) -- enter ``sh access-list'' to see those
numbers in use.
yourrouter#sh access-list
Standard IP access list 5
permit 192.94.207.0, wildcard bits 0.0.0.255
Next, enter the IP addresses you wish to allow access to your router
from; remember that access lists contain an implicit "deny everything"
at the end, so there is no need to include that. In this case, 30
is free:
yourrouter#conf t
Enter configuration commands, one per line. End with CNTL/Z.
yourrouter(config)#access-list 30 permit 172.30.0.0 0.0.255.255
yourrouter(config)#^Z
(This permits all IP addreses in the network 172.30.0.0, i.e. 172.30.*.*).
Enter multiple lines for multiple addresses; be sure that you don't
restrict the address you may be telnetting to the router from.
Next, examine the output of ``sh line'' for all the vty's (Virtual ttys)
that you wish to apply the access list to. In this example, I want
lines 2 through 12:
yourrouter#sh line
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns
0 CTY - - - - - 0 0 0/0
1 AUX 9600/9600 - - - - - 1 3287605 1/0
* 2 VTY 9600/9600 - - - - 7 55 0 0/0
3 VTY 9600/9600 - - - - 7 4 0 0/0
4 VTY 9600/9600 - - - - 7 0 0 0/0
5 VTY 9600/9600 - - - - 7 0 0 0/0
6 VTY 9600/9600 - - - - 7 0 0 0/0
7 VTY 9600/9600 - - - - 7 0 0 0/0
8 VTY 9600/9600 - - - - 7 0 0 0/0
9 VTY 9600/9600 - - - - 7 0 0 0/0
10 VTY 9600/9600 - - - - 7 0 0 0/0
11 VTY 9600/9600 - - - - - 0 0 0/0
12 VTY 9600/9600 - - - - - 0 0 0/0
Apply the access list to the relevant lines:
yourrouter#conf t
Enter configuration commands, one per line. End with CNTL/Z.
yourrouter(config)#line 2 12
yourrouter(config-line)# access-class 30 in
yourrouter(config-line)# ^Z
(This apply access list 30 to lines 2 through 12. It's important to
restrict access to the aux port (line 1) if you have a device (such
as a CSU/DSU) plugged into it.a)
Be sure to save your configuration with ``write mem''.
Please note that access lists for incoming telnet connections do NOT
cause your router to perform significant CPU work, unlike access lists
on interfaces.
------------------------------
What can I do about source routing?
From: Question 23
Date: 1 November 1994
What *is* source routing?
Soure routing is an IP option which allows the originator of a packet
to specify what path that packet will take, and what path return packets
sent back to the originator will take. Source routing is useful when the
default route that a connection will take fails or is suboptimal for some
reason, or for network diagnostic purposes. For more information on
source routing, see RFC791.
Unfortunately, source routing is often abused by malicious users on
the Internet (and elsewhere), and used to make a machine (A), think
it is talking to a different machine (B), when it is really talking to
a third machine (C). This means that C has control over B's ip address
for some purposes.
The proper way to fix this is to configure machine A to ignore
source-routed packets where appropriate. This can be done for most
unix variants by installing a package such as Wietse Venema,
,'s tcp_wrapper:
ftp://cert.org:pub/tools/tcp_wrappers
For some operating systems, a kernel patch is required to make this
work correctly (notably SunOS 4.1.3). Also, there is an unofficial
kernel patch available for SunOS 4.1.3 which turns all source routing
off; I'm not sure where this is available, but I believe it was posted
to the firewalls list by Brad Powell soimetime in mid-1994.
If disabling source routing on all your clients is not posssible, a
last resort is to disable it at your router. This will make you unable
to use ``traceroute -g'' or ``telnet @hostname1:hostname2'', both
of which use LSRR (Loose Source Record Route, 2 IP options, the first
of which is a type of source routing), but may be necessary for some.
If so, you can do this with
foo-e-0#conf t
Enter configuration commands, one per line. End with CNTL/Z.
foo-e-0(config)#no ip source-route
foo-e-0(config)#^Z
It is somewhat unfortunate that you cannot be selective about this; it
disables all forwarding of source-routed packets through the router,
for all interfaces, as well as source-routed packets to the router
(the last is unfortunate for the purposes of ``traceroute -g'').
------------------------------
Is there a block of private IP addresses I can use?
From: Question 24
Date: 22 April 1996
Yes there is, however whether you wish to do so is an issue of
some debate.
You could consult:
1627 Network 10 Considered Harmful (Some Practices Shouldn't be
Codified). E. Lear, E. Fair, D. Crocker & T. Kessler. June 1994.
(Format: TXT=18823 bytes)
1918 Address Allocation for Private Internets. Y. Rekhter, B.
Moskowitz, D. Karrenberg, G. J. de Groot & E. Lear. February 1996.
(Format: TXT=22270 bytes) (Obsoletes RFC1627, RFC1597) (Also BCP0005)
In any event, RFC 1918 documents the allocation of the following
addresses for use by ``private internets'':
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Most importantly, it is vital that nothing using these addresses
should ever connect to the global Internet, or have plans to do so.
Please read the above RFCs before considering implementing such
a policy.
As an additional note, some Internet providers provide network-management
services, statistics gathering, etc. It is unlikely (if at all possible)
that they would be willing to perform those services if you choose to
utilize private address space.
With the increasing popularity and reliability of address translation
gateways, this practice is becoming more widely accepted. Cisco has acquired
Network Translation, who manufacture such a product. It is now available as
the Cisco Private Internet Exchange. With it, you can use any addressing you
want on your private internet, and the gateway will insure that the invalid
addresses are converted before making out onto the global Internet. It also
makes a good firewall. Information on this product is available at
http://www.cisco.com/warp/public/751/pix/index.html
------------------------------
From: Question 25
Date: 18 April 1995
DHCP, the Dynamic Host Configuration Protocol (RFC1533), is essentially
a more extended and flexible version of BOOTP, which allows configuration
parameters and other control information to be carried to hosts.
Forwarding of DHCP packets (to a DHCP server elsewhere in the network) is
supported in 9.21(4) and 10.0(3), as well as later releases.
------------------------------
Where can I get cisco documentation?
From: Question 26
Date: 18 April 1995
Cisco no longer distributes printed documentation with their routers;
instead, they distribute a CDROM.
Paper documentation may be purchased, however if you purchase a
support contract, documentation is free.
Cisco documentation is also available on the web -- if you have
a fast Internet conneciton this may be more useful
than the CD. Try:
http://www.cisco.com/univercd/data/doc/product.htm
------------------------------
What's the latest software for the CSC/3?
From: Question 27
Date: 18 April 1995
The last supported release on the CSC/3 is 9.1(15). cisco
does not plan to release further software for the CSC/3.
------------------------------
What IP routing protocol should I use?
From: Question 28
Date: 19 May 1995
This is a really complicated question, and a full answer
is beyond the scope of this document. Here are the beginnings
of an answer.
Note that Hello is no longer shipped with cisco routers, and that EGP has been
declared Historical (and thus obsolete) by the IETF. Don't use them.
Protocol RIP HELLO IGRP OSPF EIGRP IS-IS EGP BGP4
--------------------------------------------------------------------------
Type IGP IGP IGP IGP IGP IGP EGP EGP
Algorithm DV DV DV SPF DUAL SPF DV PV
Metrics Hopcnt Delay Speed Arb. Speed Arb. Policy Policy
Convergence Slow Unstb Mdt Fast Fast Fast Slow Fast
Standard? IETF No No IETF No ISO Hist. IETF
Complexity Simple Simple Simple Complx Complx Complx Simple Complx
Multipath? Yes Yes Yes Yes Yes Yes Yes [*]
Var-netmask? No No No Yes Yes Yes No YES
Notes
-----
IGP = interior gateway protocol, used to build routing tables within an AS.
EGP = exterior gateway protocol, used to communicate reachability
information between AS's.
Algorithms
----------
DUAL = DV with diffusing update algorithm (Garcia-Luna-Aceves et al)
DV = Distance Vector (Bellman-Ford)
PV = "Path Vector"
SPF = Shortest-path-first (Dijkstra)
Metrics
-------
A metric is how the protocol measures the network to determine the
"best" path.
"Speed" refers typically to link speed, not available bandwidth.
"Arb." indicates that the metrics are arbitrary and configurable.
HELLO tried to use available bandwidth by monitoring round-trip delay,
but was not generally successful at this.
Metrics are not directly exchangable when redistributing routing
information from one protocol to another. IGRP and EIGRP use
compatible and automatically convertable metrics.
Convergence
-----------
Qualitatively, convergence measures how fast routers using this
protocol will adapt to changes in the topology of the network.
"Unstb" indicates a protocol which in general never decided on a
stable configuration but continually oscillated between alternatives.
Complexity
----------
An observation of how complex the protocol is to implement.
Multipath
---------
Multipath indicates whether the protocol support and transport
multiple equal- or different- cost pathways across between endpoints?
[*] indicates that BGP4 supports multipath for IBGP (Internal BGP, a
full mesh of all border routers within an AS), but not for EBGP
(External BGP).
Variable netmask (Var-netmask)
------------------------------
Indicates whether the protocol allows for and transports different
masks for the subnets of a routed network.
------------------------------
How do I interpret the output of ``show version''?
From: Question 29
Date: 18 April 1995
Typing ``show version'' or ``show hardware'' yields a response like:
prospect-gw.near.net>sh version
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GS7), Experimental Version 10.2(11829) [pst 113]
System-type (imagename) Version major.minor(release.interim)[who] Desc
System-type: type of system the software is designed to run on.
imagename: The name of the image. This is different (slightly) for
run-from-rom, run-from-flash, and run-from-ram images, and also
for subset images which both were and will be more common.
"Version": text changes slightly. For example, if an engineer gives you
a special version of software to try out a bug fix, this will say
experimental version.
Major: Major version number. Changes (in theory) when there have been
major feature additions and changes to the softare.
Minor: minor version number. Smaller but still signficant feature added.
(in reality, cisco is not very sure what the difference between
"major" and "minor" is, and sometimes politics gets in the way,
but either of these "incrementing" indicates feature additions.)
EXCEPT: 9.14, 9.17, and 9.1 are all somewhat similar. 9.1 is
the base, 9.14 adds specical feature for low end systems, 9.17
added special features specific the high end (cisco-7000) This
was an experiment that we are trying not to repeat.
release: increments (1 2 3 4 ...) for each maintenance release of released
software. Increments for every compile in some other places.
interim: increments on every build of the "release tree", which happens
weekly for each release, but is only made into a generically
shipping maintenance release every 7 to 8 weeks or so.
[who]: who built it. Has "fc 1" or similar for released software.
has something like [billw 101] for test software built Bill
Westfield (billw@cisco.com).
Desc: additional description.
The idea is that the image name and version number UNIQUELY identify
a set of sources and debugging information somewhere back at cisco,
should anything go wrong.
Copyright (c) 1986-1995 by cisco Systems, Inc.
Compiled Thu 09-Mar-95 23:54 by tli
Image text-base: 0x00001000, data-base: 0x00463EB0
Copyright, compilation date (and by whom), as well as the
starting address of the image.
ROM: System Bootstrap, Version 5.0(7), RELEASE SOFTWARE
ROM: GS Software (GS7), Version 10.0(7), RELEASE SOFTWARE (fc1)
The version of ROM bootstrap software, and the version of IOS
in ROM.
prospect-gw.near.net uptime is 2 weeks, 4 days, 18 hours, 38 minutes
System restarted by reload
How long the router has been up, and why it restarted.
System image file is "sse-current", booted via flash
How the router was booted.
RP (68040) processor with 16384K bytes of memory.
Type of processor.
G.703/E1 software, Version 1.0.
X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
Bridging software.
ISDN software, Version 1.0.
Various software options compiled in.
1 Silicon Switch Processor.
2 EIP controllers (8 Ethernet).
2 FSIP controllers (16 Serial).
1 MIP controller (1 T1).
8 Ethernet/IEEE 802.3 interfaces.
16 Serial network interfaces.
128K bytes of non-volatile configuration memory.
4096K bytes of flash memory sized on embedded flash.
Hardware configuration.
Configuration register is 0x102
Lastly, the "configuration register", which may be set via
software in current releases...
------------------------------
What is the maximum number of Frame Relay PVCs?
From: Question 30
Date: 22 April 1996
This is covered fairly thoroughly in Product Info/Product
Bulletin/Frame Relay Broadcast Queue, Cisco Product Bulletin # 256,
available on CIO.
Via the web (requires CIO username and pasword)
http://cio.cisco.com/warp/customer/417/38.html
An excerpt:
(Virtual Interfaces)
It should be noted that in the IOS (Internetworking Operating System)
10.0 software there is a limit of 256 Virtual and physical
interfaces. Hence, if each DLCI is given its own virtual interface,
the router is limited to 256 DLCIs. This restriction is expected to be
removed in a future release.
In most scenarios, it is not necessary that each DLCI have its own
Virtual Interface. In particular, IP has the facility which allows
disabling of split-horizon routing and hence does not require Virtual
Interfaces to support partial mesh topologies.
(Appendix 1: How many DLCIs Can Cisco Support on an Interface?)
This question is similar to the question of how many PCs can you put
on an Ethernet. In general, you can put a lot more than you should
given performance and availability constraints.
When dimensioning a router in a large network, the following issues
should be considered:
DLCI Address Space: The only hard limits are the roughly 1000 DLCI
limit due to the 10 bit DLCI address space in the Frame Relay frame
header.
LMI Status Update: The LMI protocol requires that all status reports
fit into a single packet and generally limits the number of DLCIs to
less than 800.
Max DLCIs (approx) = (MTU -20)/5,
where MTU is the MTU size in bytes on the Frame Relay link.
Broadcast Replication: When sending, the router must replicate the
packet on each DLCI and this causes congestion on the access link. The
Broadcast Queue reduces this problem. In general, the network should
designed to keep the routing update load to below 20 percent of the
access lines speed. It is also important that memory requirements for
the Broadcast Queue be considered. A good technique to reduce this
restriction is the use of default route or extending the update
timers.
Broadcast Receipt: When receiving, the router must receive updates
from the network. The issue here is that the upstream switch can be
overloaded and drop packets. When routing updates are dropped, routing
instability occurs. Again, the receiving routing update load should be
kept to less than 20 percent of the access link speed and preferably
lower. Where very high speed links are used, a limit of 128 Kbit/s
worth of routing updates is recommended.
Routing Stability: When using a link state protocol to reduce the
update traffic, the dimensioning should be done assuming the periodic
update process and the worst case for Link State Updates (i.e.,
assuming link and power instability). Dimensioning should not be based
on the Hello traffic. As a rule of thumb, dimension assuming a
distance vector protocol, but assume that extra bandwidth is available
for user data.
User Data Traffic: Clearly, the number of DLCIs is dependent on the
traffic on each DLCI and the performance requirements to be met. In
general, Frame Relay accesses should be run at lower loads than
router-to-router links since the prioritisation capabilities are not
as strong in many cases and in general the marginal costs of
increasing access link speed are lower than with dedicated lines.
Many of the issues covered here are included in the Internet Design
Guide manual that Cisco provides.
Update:
The limit of 256 PVCs goes away in IOS 11.1. I think the number is now
something like 1024 per router or some even more ludicrous number. There are
still lots of reasons you never want to do that. ;-)
The limit of 256 PVCs goes away in IOS 11.1. I think the number is now
something like 1024 per router or some even more ludicrous number. There are
still lots of reasons you never want to do that. ;-)
------------------------------
How much memory is necessary to telnet to a cisco router?
From: Question 31
Date: 18 April 1995
In order to login to a cisco router, it needs to have at least 64k
of contiguous free memory.
------------------------------
Where can I purchase flash RAM?
From: Question 32
Date: 18 April 1995
There are two varieties:
MEM-1X8F 8meg
MEM-2X8F 16meg
*******************************************************************************
******************************* 2500 ********************************
******************************* 8M Flash ********************************
*******************************************************************************
PRODUCT# QTY
-------- ---
MEM-1X8F 1
MEM-2X8F 2
Part Number: 16-0975-01
Description: IC,FEPROM, 2Mx32,100ns,SIM80 SC: P REV: A0 S/UM: EA P/UM: EA
-------------------------------------------------------------------------------
VENDOR
ITM MANUFACTURER'S PART CODE MANUFACTURER'S NAME
--- -------------------- ---------- ------------------------------
1- 1 SM732C2000B-10 KITTING01 SMART MODULE
Smart Modular is located in Freemont, California.
For small orders, Smart Modular recommends you contact:
PC Complete
800-849-4622.
They carry both Flash RAM and DRAM.
------------------------------
When are static routes redistributed?
From: Question 32
Date: 19 May 1995
In the simple case, any static route *in the routing table* is
redistributed if the ``redistribute static'' command is used, and some
filter (set with either ``route-map'' or ``distribute-list out'')
doesn't filter it out.
Whether the static route gets into routing table depends on:
Whether the next hop address is reachable (if you use
static route pointing to a next hop)
OR
Whether the interface is up (if you use static route
pointing to an interface).
If one of these is true, an attempt is made to add the route to the
routing table; whether that succeeds depends on the administrative
distance of the route -- a lower administrative distance (the route
is "closer") than a preexisting route will cause the preexisting route
to be overwritten.
------------------------------
When is the next hop of a route considered ``reachable''?
From: Question 33
Date: 19 May 1995
When a static route is added, or during an important event (eg:
interface up/down transition), the next hop for a route is looked up
from the routing table (i.e. recursive routing).
As a consequence, if a route which is depended upon for evaluation
of the next hop of a static route goes away, a mechanism is required
to remove that (now-invalid) static route.
Scanning all static routes each time the routing table changes is
too expensive, so instead, a period timer is used. One a minute, static
routes are added and removed from the routing table based on the routes
they depend upon.
It should be noted that a particular static route will be reevaluated
when its interface transitions up or down.
------------------------------
How do name and phone number of ``dialer map'' interfere?
From: Question 35
Date: 22 April 1996
How do name and phone number of `dialer map' interfere?
We use the telephone number first actually. If the
caller id matches the telephone number to call, then you don't need the
'name' parameter with a phone number.
I realized that the above is ambiguous, so let's do this. You have:
dialer map ip x.x.x.x name
is used for incoming authentication. It can be either the hostname,
for PAP and CHAP, or it can be a number as returned by caller id. If this
is not there, and it is an imcoming call, and there is caller id, we will
compare against to see if that matches.
Not sure I've been clear here.
------------------------------
What's the purpose of the network command?
From: Question 36
Date: 22 April 1996
>* what is the real purpose of the network subcommand of
> router commands? When do I not want to include a network
> I know about?
The real purpose of the 'network' sub-command of the router commands is to
indicate what networks that this router is connected to are to be
advertised in the indicated routing protocol or protocol domain. For
example, if OSPF and EIGRP are configured, some subnets may be advertised
in one and some in the other. The network command enables one to do this.
An example of such a case is a secure subnet. Imagine the case where a set
of subnets are permitted to communicate within a campus, but one of the
buildings is intended to be inaccessible from the outside. By placing the
secure subnet in its own network number and not advertising the number, the
subnet is enabled to communicate with other subnets on the same router, but
is unreachable from any other router, barring static routes. This can be
extended by using a different routing protocol or routing protocol domain
for the secure network; subnets on the various routers within the secure
domain are mutually reachable, and routes from the non-secure domain may be
leaked into the secure domain, but the secure domain is invisible to the
outside world.
------------------------------
From: Question 37
Date: 22 April 1996
A Variable Length Subnet Mask (VLSM) is a means of allocating IP addressing
resources to subnets according to their individual need rather than some
general network-wide rule. Of the IP routing protocols supported by Cisco,
OSPF, Dual IS-IS, BGP-4, and EIGRP support "classless" or VLSM routes.
Historically, EGP depended on the IP address class definitions, and
actually exchanged network numbers (8, 16, or 24 bit fields) rather than IP
addresses (32 bit numbers); RIP and IGRP exchanged network and subnet
numbers in 32 bit fields, the distinction between network number, subnet
number, and host number being a matter of convention and not exchanged in
the routing protocols. More recent protocols (see VLSM) carry either a
prefix length (number of contiguous bits in the address) or subnet mask
with each address, indicating what portion of the 32 bit field is the
address being routed on.
A simple example of a network using variable length subnet masks is found
in Cisco engineering. There are several switches in the engineering
buildings, configured with FDDI and Ethernet interfaces and numbered in
order to support 62 hosts on each switched subnet; in actuality, perhaps
15-30 hosts (printers, workstations, disk servers) are physically attached
to each. However, many engineers also have ISDN or Frame Relay links to
home, and a small subnet there. These home offices typically have a router
or two and an X terminal or workstation; they may have a PC or Macintosh as
well. As such, they are usually configured to support 6 hosts, and a few
are configured for 14. The point to point links are generally unnumbered.
Using "one size fits all" addressing schemes, such as are found in RIP or
IGRP, the home offices would have to be configured to support 62 hosts
each; using numbers on the point to point links would further compound the
address bloat.
One configures the router for Variable Length Subnet Masking by configuring
the router to use a protocol (such as OSPF or EIGRP) that supports this,
and configuring the subnet masks of the various interfaces in the 'ip
address' interface sub-command. To use supernets, one must further
configure the use of 'ip classless' routes.
------------------------------
What are some methods for conserving IP addresses for serial lines?
From: Question 38
Date: 22 April 1996
VLSM and unnumbered point to point interfaces are the obvious ways.
The 'ip unnumbered' subcommand indicates another interface or sub-interface
whose address is used as the IP source address on messages that the router
originates on the unnumbered interface, such as telnet or routing messages.
By doing this, the router is reachable for management purposes (via the
address of the one numbered interface) but consumes no IP addresses at all
for its unnumbered links.
When a serial ip interface connects several sites, as an SMDS link might,
then the use of an appropriate subnet mask (and a routing protocol that can
make good use of the information) will minimize address consumption.
------------------------------
Why do some ip addresses get rejected?
From: Question 39
Date: 23 April 1996
How come my cisco router doesn't accept an address like:
"ip address 192.111.107.1 255.255.255.240"
or "ip address 171.69.0.1 255.255.0.0"
When "subnetting" of IP networks was first sanctioned by the IETF, the first
and last subnets (the all zeros subnet and all ones subnet) were reserved for
rather obscure uses and because of the confusion that would be caused with
routing protocols that don't carry net mask information. It was technically
illegal to place hosts or routers on those two subnets.
Several hosts and most other vendor's router products have problems operating
with the reserved subnets, so their use is discouraged. However, in 1995,
the IETF removed the restrictions on the use of these reserved subnets as part
of the classless routing effort.
If you would like to use the reserved subnets, simply add the line
"ip subnet-zero" to your cisco configuration.
You might consider adding "ip subnet-zero" to all your configurations as a
metter of course, to avoid being bitten by this in the future.
------------------------------
How do 4xxx serial numbers correspond to models?
From: Question 40
Date: 27 April 1996
show version serial # Label
-------------------------------------------------------
4000 Rev A0 440xxxxx C4000
4000M Rev B0 445xxxxx C4000
4500 450xxxxx C4500
4500M 455xxxxx C4500
4700 470xxxxx C4700
------------------------------
Where can I find more info on TACACS+
From: Question 41
Date: 28 April 1996
In addition to sundry cisco documentation and ftp-able
info, there exists a TACACS+ mailing list.
For more information, see http://www.disaster.com/tacplus/.
------------------------------
From: Question 99
Date: 19 May 1995
The following people contributed to this FAQ, and their contributions
are greatly appreciated, both questions and answers (in alpha order):
Arpakorn Boonkongchuen
Robert Kiessling
"Ronnie B. Kon"
Alain Martineau
Barton.Bruce@camb.com (Barton F. Bruce / CCA)
Bill Miskovetz
Charley Kline
Dave Katz
Eriks Rugelis
Howard C. Berkowitz, PSC International,
Jim Forster
John Wright
Pete Siemsen
Phillip Remaker
Ran Atkinson
Robert Kiessling
Sanjay Rungta~
Sean McGrath
Srinivas Vegesna
Steve Cunningham
Warren Lavallee
William "Chops" Westfield
atkinson@sundance.itd.nrl.navy.mil (Ran Atkinson)
bpinsky@cisco.com (Bruce Pinsky)
buk@taz.de ($ Burkhard Kohl)
fred@cisco.com (Fred Baker)
jerry@ksu.ksu.edu (Jerry Anderson)
jhawk@panix.com (John Hawkinson)
john@cisco.com (John Wright)
john@gulfa.ods.gulfnet.kw (John Temples)
paul@hawksbill.sprintmrn.com (Paul Ferguson)
peter@ulisse.rhein-main.de (Peter Radig)
tli@cisco.com (Tony Li)
tom@park.uvsc.edu (Thomas R. Kimpton)
vikas@Tudor.Com (Vikas Aggarwal)
warner@cats.ucsc.edu (Jim Warner)
Last-modified: Mon, 22 Jan 2001 18:57:39 GMT