100 FREQUENTLY ASKED TECHNICAL QUESTIONS ABOUT CISCO NETWORKS


    8/3/2019 100 Frequently Asked Technical Questions About Cisco Networks


    **************************************************************************

    From: Question 1

    Subject: What does ``cisco'' stand for?

    cisco folklore time:

    At one point in time, the first letter in cisco Systems was a lowercase ``c''. At present, various factions within the company have adopted a capital ``C'', while fierce traditionalists (as well as some others) continue to use the lowercase variant, as does the cisco Systems logo. This FAQ has chosen to use the lowercase variant throughout.

    cisco is not C.I.S.C.O. but is short for San Francisco, so the story goes. Back in the early days when the founders Len Bosack and Sandy Lerner and appropriate legal entities were trying to come up with a name they did many searches for non similar names, and always came up with a name which was denied. Eventually someone suggested ``cisco'' and the name wasn't taken (although SYSCO may be confusingly similar sounding). There was an East Coast company which later was using the ``CISCO'' name (I think they sold in the IBM marketplace); they ended up having to not use the CISCO abbreviation. Today many people spell cisco with a capital ``C'', citing problems in getting the lowercase ``c'' right in publications, etc. This led to at least one amusing article headlined ``Cisco grows up''. This winter we will celebrate our 10th year.

    [This text was written in July of 1994 -jhawk]

    **************************************************************************

    From: Question 2

    Subject: How do I save the configuration of a cisco?

    If you have a tftp server available, you can create a file on the server for your router to write to, and then use the write network command. From a typical unix system:

    mytftpserver$ touch /var/spool/tftpboot/myconfig

    mytftpserver$ chmod a+w /var/spool/tftpboot/myconfig

    myrouter#copy running-config tftp

    Remote host [10.7.0.63]? 10.7.0.2

    Name of configuration file to write [myrouter-confg]? myconfig

    Write file foobar on host 10.7.0.2? [confirm] y

    **************************************************************************

    From: Question 3

    Subject: How can I get my cisco to talk to a third party router over a serial link?

    You need to tell your cisco to use the same link-level protocol as the other router; by default, ciscos use a rather bare variant of HDLC (High-level Data Link Control), which all link-level protocols use at some level/layer or another. To make your cisco operate with most other routers, you need to change the encapsulation from HDLC to PPP on the relevant interfaces. For instance:

    sewer-cgs#conf t

    Enter configuration commands, one per line.

    Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z


    interface serial 1

    encapsulation ppp

    ^Z

    sewer-cgs#sh int s 1

    Serial 1 is administratively down, line protocol is down

    Hardware is MCI Serial

    MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255

    Encapsulation PPP, loopback not set, keepalive set (10 sec)

    ^^^^^^^^^^^^^^^^^^^^^^^^^^

    [...]

    If you're still having trouble, you might wish to turn on serial interface debugging:

    sewer-cgs#ter mon

    sewer-cgs#debug serial-interface

    **************************************************************************

    From: Question 4

    Subject: How can I get my cisco to talk to a 3rd-party router over Frame Relay?

    You should tell your cisco to use ``encapsulation frame-relay ietf'' (instead of ``encapsulation frame-relay'') on your serial interface that's running frame relay if your frame relay network contains a diverse set of manufacturers' routers. The keyword ``ietf'' specifies that your cisco will use RFC1294-compliant encapsulation, rather than the default, RFC1490-compliant encapsulation (other products, notably Novell MPR 2.11, use a practice sanctioned by 1294 but deemed verboten by 1490, namely padding of the nlpid). If only a few routers in your frame relay cloud require this, then you can use the default encapsulation on everything and specify the exceptions with the frame-relay map command:

    frame-relay map ip 10.1.2.3 56 broadcast ietf

    ^^^^

    (ietf stands for Internet Engineering Task Force, the body which evaluates Standards-track RFCs; this keyword is a misnomer as both RFC1294 and RFC1490 are ietf-approved, however 1490 is most recent and is a Draft Standard (DS), whereas 1294 is a Proposed Standard (one step beneath a DS), and is effectively obsolete).

    **************************************************************************

    From: Question 5

    Subject: How can I use debugging?

    The ``terminal monitor'' command directs your cisco to send debugging output to the current session. It's necessary to turn this on each time you telnet to your router to view debugging information. After that, you must specify the specific types of debugging you wish to turn on; please note that these stay on or off until changed, or until the router reboots, so remember to turn them off when you're done.

    Debugging messages are also logged to a host if you have trap logging enabled on your cisco. You can check this like so:

    sl-panix-1>sh logging


    Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)

    Console logging: level debugging, 66 messages logged

    Monitor logging: level debugging, 0 messages logged

    Trap logging: level debugging, 69 message lines logged

    Logging to 198.7.0.2, 69 message lines logged

    sl-panix-1>

    If you have syslog going to a host somewhere and you then set about a nice long debug session from a term, your box is doing double work and sending every debug message to your syslog server. Additionally, if you turn on something that provides copious debugging output, be careful that you don't overflow your disk (``debug ip-rip'' is notorious for this).

    One solution to this is to only log severity ``info'' and higher:

    sl-panix-1#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    logging trap info

    The other solution is to just be careful and remember to turn off debugging. This is easy enough with:

    sl-panix-1#undebug all

    If you have a heavily loaded box, you should be aware that debugging can load your router. The console has a higher priority than a vty so don't debug from the console; instead, disable console logging:

    cix-west.cix.net#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    no logging console

    Then always debug from a vty. If the box is busy and you are a little too vigorous with debugging and the box is starting to sink, quickly run, don't walk, to your console and kill the session on the vty. If you are on the console your debugging has top priority and then the only way out is the power switch. This of course makes remote debugging a real sweaty palms adventure, especially on a crowded box.

    **************************************************************************

    From: Question 6

    Subject: How do I avoid the annoying DNS lookup if I have misspelled a command?

    Use the command

    no ip domain-lookup

    **************************************************************************

    From: Question 7

    Subject: How to use access lists

    Where in the router are access lists applied?

    In general, Basic access lists are executed as filters on outgoing interfaces. Newer releases of the cisco code, such as 9.21 and 10, do have increased ability to filter on incoming ports. Certain special cases, such as broadcasts and bridged traffic, can be filtered on incoming interfaces in earlier releases. There are also special cases involving console access.

    Rules, written as ACCESS-LIST statements, are global for the entire cisco box; they are activated on individual outgoing interfaces by ACCESS-GROUP subcommands of the INTERFACE major command. Filters are applied after traffic has entered on an incoming interface and gone through a routing process; traffic that originates in a router (e.g., telnets from the console port) is not subject to filtering.

                  +-------------------+
                  |      GLOBAL       |
                  |                   |
                  |      Routing      |
                  |   ^  v    Access  |
                  |   ^  v    Lists   |
                  +---^--v--------^--v+
                  |   ^  v        ^  v|
                  |   ^  v        ^  v|
    A------------>|---| |>>>>Access>>v|----------->B
                  |1         Group   2|
                  +-------------------+

    Some types of ``filter,'' using ``filter'' as a broader class than ACCESS-LIST, can operate on incoming traffic. For example, the INPUT-SAP-FILTER used for Novell networks is applied to Service Advertisement Packets (SAP) seen at incoming interfaces. In general, incoming filtering can only be done for ``system'' rather than user traffic.

    Rules of thumb in defining access lists.

    First, define what you want to do and in which directions. An informal drawing is a good first step. As opposed to the usual connectivity drawings among routers, it's often convenient to draw unidirectional links between routers.

    Second, informally write out your filtering rules. In general, it is best to go from most specific to least specific. Modify the order of writing things to minimize the number of rules needed.

    Third, determine which rules need to be on which routers. Explicitly consider the direction of flow, and the possible existence of additional paths that could inadvertently bypass a filter.

    Can a cisco router be a ``true'' firewall?

    This depends on the definition of firewall. Some writers (e.g., Gene Spafford in _Practical UNIX Security_) define a firewall as a host on which an ``inside'' and/or an ``outside'' application process run, with application-level code linking the two. For example, a firewall might provide FTP access to the outside world, but it would not also provide direct FTP service to the inside world. To place a file on the FTP external server, a designated user would explicitly log onto the FTP server, transfer a file to the server, and log off. The firewall prevents direct FTP connectivity between the inside and outside networks; only indirect, application-level connectivity is allowed. Firewalls of this sort are complemented by chokes, which filter on network addresses and/or port numbers. Cisco routers cannot do application-level control with access control lists. Other authors do not distinguish between chokes and filters. Using the loose definition that a firewall is anything that selectively blocks access from the inside to the outside, routers can be firewalls.

    IP Specific
    -----------

    Can the ``operand'' field be used with a protocol keyword of IP to filter on protocol ID?

    No. Operand filtering only works for TCP and UDP port numbers.

    How can I prevent traffic for a certain Internet application to flow in one direction but not the other?

    Remember that Internet applications flow from client port to server port. Denying traffic from port 23, for example, blocks flow from the client to the server.

                  +-------------------+
                  |                   |
    A------------>|                   |----------->B
                  |1                 2|
                  +-------------------+

    **************************************************************************

    From: Question 8

    Subject: The cisco boot process

    What really happens when a cisco router boots, from boot start to live interfaces?

    First it boots the ROM os version. It reads the config. Now, it realizes that you want to netboot. It loads the netbooted copy in on top of itself. It then re-initializes the box and re-reads the config. Manly, yes, but we like it too....

    [[ Ummm... in particular it loads the netbooted copy in as WELL as itself, decompresses it, if necessary, and THEN loads on top of itself. Note that this is important because it tells you what the memory requirements are for netbooting: RAM for ROM image (if it's a run from RAM image), plus dynamic data structures, plus RAM for netbooted image. ]]

    The four ways to boot and what happens (sort of):

    I (from bootstrap mode)

    The ROM monitor is running. The I command causes the ROM monitor to walk all of the hardware in the bus and reset it with a brute force hammer. If the bits in the config register say to auto-boot, then goto B

    B (from bootstrap mode)

    Load the OS from ROM. If a name is given, tell that image to start silently and then load a new image. If the boot system command is given, then start silently and load a new image.

    powercycle

    Does some delay stuff to let the power settle. Goto I.

    reload (from the EXEC)

    Goto I.

    **************************************************************************

    From: Question 09

    Subject: How should I restrict access to my router?

    Many admins are concerned about unauthorized access to their routers from malicious people on the Internet; one way to prevent this is to restrict access to your router on the basis of IP address.

    Many people do this, however it should be noted that a significant number of network service providers allow unrestricted access to their routers to allow others to debug, examine routes, etc. If you're comfortable doing this, so much the better, and we thank you!

    If you wish to restrict access to your router, select a free IP access list (numbered from 1-100) -- enter ``sh access-list'' to see those numbers in use.

    yourrouter#sh access-list

    Standard IP access list 5

    permit 192.94.207.0, wildcard bits 0.0.0.255

    Next, enter the IP addresses you wish to allow access to your router from; remember that access lists contain an implicit "deny everything" at the end, so there is no need to include that. In this case, 30 is free:

    yourrouter#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    yourrouter(config)#access-list 30 permit 172.30.0.0 0.0.255.255

    yourrouter(config)#^Z

    (This permits all IP addresses in the network 172.30.0.0, i.e. 172.30.*.*). Enter multiple lines for multiple addresses; be sure that you don't restrict the address you may be telnetting to the router from.

    Next, examine the output of ``sh line'' for all the vty's (Virtual ttys) that you wish to apply the access list to. In this example, I want lines 2 through 12:

    yourrouter#sh line
     Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses    Noise  Overruns
       0 CTY              -    -      -    -    -      0        0     0/0
       1 AUX   9600/9600  -    -      -    -    -      1  3287605     1/0
    *  2 VTY   9600/9600  -    -      -    -    7     55        0     0/0
       3 VTY   9600/9600  -    -      -    -    7      4        0     0/0
       4 VTY   9600/9600  -    -      -    -    7      0        0     0/0
       5 VTY   9600/9600  -    -      -    -    7      0        0     0/0
       6 VTY   9600/9600  -    -      -    -    7      0        0     0/0
       7 VTY   9600/9600  -    -      -    -    7      0        0     0/0
       8 VTY   9600/9600  -    -      -    -    7      0        0     0/0
       9 VTY   9600/9600  -    -      -    -    7      0        0     0/0
      10 VTY   9600/9600  -    -      -    -    7      0        0     0/0
      11 VTY   9600/9600  -    -      -    -    -      0        0     0/0
      12 VTY   9600/9600  -    -      -    -    -      0        0     0/0

    Apply the access list to the relevant lines:

    yourrouter#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    yourrouter(config)#line 2 12

    yourrouter(config-line)# access-class 30 in

    yourrouter(config-line)#^Z

    (This applies access list 30 to lines 2 through 12. It's important to restrict access to the aux port (line 1) if you have a device (such as a CSU/DSU) plugged into it.)

    Be sure to save your configuration with ``copy run start''.

    Please note that access lists for incoming telnet connections do NOT cause your router to perform significant CPU work, unlike access lists on interfaces.
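    The following is an added example, not part of the FAQ and not Cisco code: a small Python evaluator for standard IP access lists that shows the three things Questions 7 and 9 rely on: wildcard-mask matching, first-match-wins ordering (so the "most specific first" rule of thumb matters) and the implicit deny at the end of every list. The access-list statements in CONFIG are constructed sample data modelled on list 5 and list 30 above; nothing here talks to a router.

```python
# Added example (not from the FAQ): evaluator for Cisco standard IP access lists.
from dataclasses import dataclass
from ipaddress import IPv4Address


def _to_int(addr: str) -> int:
    return int(IPv4Address(addr))


@dataclass(frozen=True)
class StandardAclEntry:
    action: str                 # "permit" or "deny"
    address: str                # base address, e.g. "172.30.0.0"
    wildcard: str = "0.0.0.0"   # wildcard bits: a 1 bit means "don't care"

    def matches(self, source: str) -> bool:
        # A wildcard mask is the inverse of a subnet mask, so compare only the
        # bit positions where the wildcard is 0.
        care = ~_to_int(self.wildcard) & 0xFFFFFFFF
        return (_to_int(source) & care) == (_to_int(self.address) & care)


def parse_access_lists(config_lines):
    """Parse 'access-list N permit|deny A.B.C.D [W.X.Y.Z]' lines, keyed by list number."""
    lists = {}
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue                      # not an access-list statement
        number, action, address = parts[1], parts[2].lower(), parts[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in {line!r}")
        if address == "any":              # 'any' is shorthand for 0.0.0.0 255.255.255.255
            address, wildcard = "0.0.0.0", "255.255.255.255"
        else:
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        lists.setdefault(number, []).append(StandardAclEntry(action, address, wildcard))
    return lists


def evaluate(entries, source: str) -> str:
    """The first entry that matches decides; no match means the implicit deny."""
    for entry in entries:
        if entry.matches(source):
            return entry.action
    return "deny"                         # implicit 'deny everything' at the end


# Constructed configuration fragment: list 5 (as shown by 'sh access-list' in
# Question 9, written in config syntax) plus list 30. The last two entries of
# list 30 are deliberately in the wrong order: the broad deny shadows the
# narrower permit, which is what the "most specific first" rule of thumb avoids.
CONFIG = """
access-list 5 permit 192.94.207.0 0.0.0.255
access-list 30 permit 172.30.0.0 0.0.255.255
access-list 30 deny 10.0.0.0 0.255.255.255
access-list 30 permit 10.7.0.0 0.0.0.255
"""
ACLS = parse_access_lists(CONFIG.strip().splitlines())


def check_vty_source(source: str, list_number: str = "30") -> str:
    """Would a telnet from `source` pass 'access-class <list_number> in' on a vty?"""
    return evaluate(ACLS[list_number], source)


if __name__ == "__main__":
    for src in ("172.30.5.9", "172.31.0.1", "10.7.0.2", "10.8.0.2", "192.94.207.40"):
        print(f"{src:>14}: list 30 -> {check_vty_source(src):6} list 5 -> {check_vty_source(src, '5')}")
```

    Running it shows 10.7.0.2 denied by list 30 even though a later line permits 10.7.0.0/24: the entry order, not the most specific entry, decides the match.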

    **************************************************************************

    From: Question 10

    Subject: What can I do about source routing?

    What *is* source routing?


    Source routing is an IP option which allows the originator of a packet to specify what path that packet will take, and what path return packets sent back to the originator will take.

    Source routing is useful when the default route that a connection will take fails or is suboptimal for some reason, or for network diagnostic purposes. For more information on source routing, see RFC791.

    Unfortunately, source routing is often abused by malicious users on the Internet (and elsewhere), and used to make a machine (A) think it is talking to a different machine (B), when it is really talking to a third machine (C). This means that C has control over B's IP address for some purposes.

    The proper way to fix this is to configure machine A to ignore source-routed packets where appropriate. This can be done for most unix variants by installing a package such as Wietse Venema's tcp_wrapper:

    ftp://cert.org:pub/tools/tcp_wrappers

    For some operating systems, a kernel patch is required to make this work correctly (notably SunOS 4.1.3). Also, there is an unofficial kernel patch available for SunOS 4.1.3 which turns all source routing off; I'm not sure where this is available, but I believe it was posted to the firewalls list by Brad Powell sometime in mid-1994.

    If disabling source routing on all your clients is not possible, a last resort is to disable it at your router. This will make you unable to use ``traceroute -g'' or ``telnet@hostname1:hostname2'', both of which use LSRR (Loose Source Record Route, 2 IP options, the first of which is a type of source routing), but may be necessary for some. If so, you can do this with

    foo-e-0#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    foo-e-0(config)#no ip source-route

    foo-e-0(config)#^Z

    It is somewhat unfortunate that you cannot be selective about this; it disables all forwarding of source-routed packets through the router, for all interfaces, as well as source-routed packets to the router (the last is unfortunate for the purposes of ``traceroute -g'').
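    As an added example (not from the FAQ, and not Cisco code), here is the check a packet filter or monitor performs to recognise the packets that ``no ip source-route'' causes a router to drop: it walks the IPv4 option area and reports a loose (LSRR) or strict (SSRR) source route with its hop list. The option type values are those defined in RFC 791; the header bytes are constructed for the demonstration, not captured traffic.

```python
# Added example (not from the FAQ): detect LSRR/SSRR options in an IPv4 header.
import struct
from ipaddress import IPv4Address

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137   # RFC 791 option types (copied bit set, class 0, numbers 3 and 9)


def parse_ipv4_options(header: bytes):
    """Return a list of (type, body) pairs from the options area of an IPv4 header."""
    ihl = (header[0] & 0x0F) * 4        # header length in bytes, from the IHL field
    if ihl < 20 or ihl > len(header):
        raise ValueError("bad IHL")
    opts, out, i = header[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break                         # end of option list
        if kind == IPOPT_NOP:
            i += 1                        # single-byte padding
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def source_route(header: bytes):
    """Return ("loose"|"strict", pointer, [hop addresses]) for a source-routed packet, else None."""
    for kind, body in parse_ipv4_options(header):
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            pointer = body[0]             # offset of the next hop to use, counted from the option start
            hops = [str(IPv4Address(body[k:k + 4])) for k in range(1, len(body) - 3, 4)]
            return ("loose" if kind == IPOPT_LSRR else "strict", pointer, hops)
    return None


def build_sample_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header (checksum left zero) purely as test input."""
    options += b"\x00" * ((-len(options)) % 4)   # pad the option area to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        IPv4Address(src).packed, IPv4Address(dst).packed)
    return fixed + options


def sample_verdicts():
    """Classify a plain header and one carrying an LSRR option, as a filter would."""
    plain = build_sample_header("10.7.0.2", "10.7.0.63")
    # LSRR option: type, length (3 + 4 per address), pointer (4 = first address), addresses
    lsrr = bytes([IPOPT_LSRR, 11, 4]) + IPv4Address("10.7.0.2").packed + IPv4Address("10.7.0.63").packed
    routed = build_sample_header("198.51.100.7", "10.7.0.63", bytes([IPOPT_NOP]) + lsrr)
    return {"plain": source_route(plain), "routed": source_route(routed)}


if __name__ == "__main__":
    for name, verdict in sample_verdicts().items():
        print(name, "->", "no source route" if verdict is None else verdict)
```

    A router with ``no ip source-route'' drops any header for which source_route() returns a value; a monitoring rule can log the hop list to see which path the sender asked for.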

    **************************************************************************

    From: Question 11

    Subject: Is there a block of private IP addresses I can use?

    In any event, RFC 1918 documents the allocation of the following addresses for use by ``private internets'':

    10.0.0.0 - 10.255.255.255

    172.16.0.0 - 172.31.255.255

    192.168.0.0 - 192.168.255.255

    Most importantly, it is vital that nothing using these addresses should ever connect to the global Internet, or have plans to do so. Please read the above RFCs before considering implementing such a policy.

    As an additional note, some Internet providers provide network-management services, statistics gathering, etc. It is unlikely (if at all possible) that they would be willing to perform those services if you choose to utilize private address space.

    With the increasing popularity and reliability of address translation gateways, this practice is becoming more widely accepted. Cisco has acquired Network Translation, who manufacture such a product. It is now available as the Cisco Private Internet Exchange. With it, you can use any addressing you want on your private internet, and the gateway will ensure that the invalid addresses are converted before making out onto the global Internet. It also makes a good firewall. Information on this product is available at

    http://www.cisco.com/warp/public/751/pix/index.html

    **************************************************************************

    From: Question 12

    Subject: How do I interpret the output of ``show version''?

    Typing ``show version'' or ``show hardware'' yields a response like:

    prospect-gw.near.net>sh version

    Cisco Internetwork Operating System Software

    IOS (tm) GS Software (GS7), Experimental Version 10.2(11829) [pst 113]

    System-type (imagename) Version major.minor(release.interim)[who] Desc

    System-type: type of system the software is designed to run on.

    imagename: The name of the image. This is different (slightly) for run-from-rom, run-from-flash, and run-from-ram images, and also for subset images which both were and will be more common.

    "Version": text changes slightly. For example, if an engineer gives you a special version of software to try out a bug fix, this will say experimental version.

    Major: Major version number. Changes (in theory) when there have been major feature additions and changes to the software.

    Minor: minor version number. Smaller but still significant feature added. (In reality, cisco is not very sure what the difference between "major" and "minor" is, and sometimes politics gets in the way, but either of these "incrementing" indicates feature additions.) EXCEPT: 9.14, 9.17, and 9.1 are all somewhat similar. 9.1 is the base, 9.14 adds special features for low end systems, 9.17 added special features specific to the high end (cisco-7000). This was an experiment that we are trying not to repeat.

    release: increments (1 2 3 4 ...) for each maintenance release of released software. Increments for every compile in some other places.

    interim: increments on every build of the "release tree", which happens weekly for each release, but is only made into a generically shipping maintenance release every 7 to 8 weeks or so.

    [who]: who built it. Has "fc 1" or similar for released software. Has something like [billw 101] for test software built by Bill Westfield ([email protected]).

    Desc: additional description.

    The idea is that the image name and version number UNIQUELY identify a set of sources and debugging information somewhere back at cisco, should anything go wrong.

    Copyright (c) 1986-1995 by cisco Systems, Inc.

    Compiled Thu 09-Mar-95 23:54 by tli

    Image text-base: 0x00001000, data-base: 0x00463EB0

    Copyright, compilation date (and by whom), as well as the starting address of the image.

    ROM: System Bootstrap, Version 5.0(7), RELEASE SOFTWARE

    ROM: GS Software (GS7), Version 10.0(7), RELEASE SOFTWARE (fc1)

    The version of ROM bootstrap software, and the version of IOS in ROM.

    prospect-gw.near.net uptime is 2 weeks, 4 days, 18 hours, 38 minutes

    System restarted by reload

    How long the router has been up, and why it restarted.

    System image file is "sse-current", booted via flash


    How the router was booted.

    RP (68040) processor with 16384K bytes of memory.

    Type of processor.

    G.703/E1 software, Version 1.0.

    X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.

    Bridging software.

    ISDN software, Version 1.0.

    Various software options compiled in.

    1 Silicon Switch Processor.

    2 EIP controllers (8 Ethernet).

    2 FSIP controllers (16 Serial).

    1 MIP controller (1 T1).

    8 Ethernet/IEEE 802.3 interfaces.

    16 Serial network interfaces.

    128K bytes of non-volatile configuration memory.

    4096K bytes of flash memory sized on embedded flash.


    Hardware configuration.

    Configuration register is 0x102

    Lastly, the "configuration register", which may be set via software in current releases...
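    The following is an added example, not part of the FAQ and not a Cisco tool: a Python parser for the ``show version'' fields the answer walks through. It splits the version line into System-type, imagename, the "Version" text, major, minor, release, interim and [who], and picks out the ROM versions, uptime, restart reason, boot image and configuration register. SAMPLE is constructed from the lines quoted above; is_release_build applies the FAQ's own observation that released software carries an "fc 1"-style tag where test software carries a builder's name.

```python
# Added example (not from the FAQ): parse the fields of 'show version'.
import re
from dataclasses import dataclass
from typing import Optional

# System-type (imagename) Version major.minor(release.interim)[who] Desc
VERSION_LINE_RE = re.compile(
    r"""^(?P<system_type>.+?)\s+\((?P<imagename>[^)]+)\),\s*
        (?P<version_text>.*?)\s*Version\s+
        (?P<major>\d+)\.(?P<minor>\d+)
        \((?P<release>\d+)(?:\.(?P<interim>\d+))?\)
        (?:\s*\[(?P<who>[^\]]+)\])?
        \s*,?\s*(?P<desc>.*)$""",
    re.VERBOSE,
)
UPTIME_RE = re.compile(r"^(?P<host>\S+) uptime is (?P<uptime>.+)$")
RESTART_RE = re.compile(r"^System restarted by (?P<restart_reason>.+)$")
IMAGE_RE = re.compile(r'^System image file is "(?P<image_file>[^"]+)", booted via (?P<booted_via>\S+)')
CONFREG_RE = re.compile(r"^Configuration register is (?P<config_register>0x[0-9A-Fa-f]+)")


@dataclass
class ImageVersion:
    system_type: str
    imagename: str
    version_text: str       # e.g. "Experimental" for an engineering build, "" otherwise
    major: int
    minor: int
    release: int
    interim: Optional[int]
    who: Optional[str]      # "[pst 113]"-style builder tag, or None
    desc: str

    @property
    def is_release_build(self) -> bool:
        # Released software carries an "fc 1"-style tag rather than a builder's name.
        return re.search(r"\bfc\s*\d+\b", f"{self.who or ''} {self.desc}") is not None


def parse_version_line(line: str) -> ImageVersion:
    m = VERSION_LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised version line: {line!r}")
    g = m.groupdict()
    return ImageVersion(g["system_type"], g["imagename"], g["version_text"],
                        int(g["major"]), int(g["minor"]), int(g["release"]),
                        int(g["interim"]) if g["interim"] else None, g["who"], g["desc"])


def parse_show_version(text: str) -> dict:
    """Collect the running image, ROM images and the uptime/boot/config-register lines."""
    result = {"running": None, "rom_images": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ROM:"):
            body = line[4:].strip()
            if VERSION_LINE_RE.match(body):      # "ROM: GS Software (GS7), Version ..."
                result["rom_images"].append(parse_version_line(body))
            continue
        if result["running"] is None and VERSION_LINE_RE.match(line):
            result["running"] = parse_version_line(line)
            continue
        for rx in (UPTIME_RE, RESTART_RE, IMAGE_RE, CONFREG_RE):
            m = rx.match(line)
            if m:
                result.update(m.groupdict())
                break
    return result


# Constructed from the lines quoted in the FAQ's own 'sh version' walk-through.
SAMPLE = """\
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GS7), Experimental Version 10.2(11829) [pst 113]
Copyright (c) 1986-1995 by cisco Systems, Inc.
ROM: System Bootstrap, Version 5.0(7), RELEASE SOFTWARE
ROM: GS Software (GS7), Version 10.0(7), RELEASE SOFTWARE (fc1)
prospect-gw.near.net uptime is 2 weeks, 4 days, 18 hours, 38 minutes
System restarted by reload
System image file is "sse-current", booted via flash
Configuration register is 0x102
"""


def parsed_sample() -> dict:
    return parse_show_version(SAMPLE)


if __name__ == "__main__":
    for key, value in parsed_sample().items():
        print(f"{key}: {value}")
```

    The running image parses as an experimental build tagged [pst 113] (not a release), while the image in ROM, 10.0(7) with "fc1", does; that distinction is what the FAQ says the version string is for.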

    **************************************************************************

    From: Question 13

    Subject: When are static routes redistributed?

    In the simple case, any static route *in the routing table* is redistributed if the ``redistribute static'' command is used, and some filter (set with either ``route-map'' or ``distribute-list out'') doesn't filter it out.

    Whether the static route gets into routing table depends on:

    Whether the next hop address is reachable (if you use static route pointing to a next hop)

    OR Whether the interface is up (if you use static route pointing to an interface).

    If one of these is true, an attempt is made to add the route to the routing table; whether that succeeds depends on the administrative distance of the route -- a lower administrative distance (the route is "closer") than a preexisting route will cause the preexisting route to be overwritten.

    **************************************************************************

    From: Question 14

    Subject: When is the next hop of a route considered ``reachable''?

    When a static route is added, or during an important event (eg: interface up/down transition), the next hop for a route is looked up from the routing table (i.e. recursive routing). As a consequence, if a route which is depended upon for evaluation of the next hop of a static route goes away, a mechanism is required to remove that (now-invalid) static route. Scanning all static routes each time the routing table changes is too expensive, so instead, a periodic timer is used. Once a minute, static routes are added and removed from the routing table based on the routes they depend upon. It should be noted that a particular static route will be reevaluated when its interface transitions up or down.
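    As an added example (not from the FAQ, and not IOS code), the following Python models one run of the periodic scan described in Questions 13 and 14: connected routes go in first, then each static route is installed if its next hop resolves through the table (recursively, so a static can resolve through another static) or its interface is up, and only if no route with a lower administrative distance already owns the prefix. The interfaces, prefixes and next hops are constructed sample data.

```python
# Added example (not from the FAQ): model the periodic static-route evaluation.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class StaticRoute:
    prefix: str                      # e.g. "172.16.0.0/16"
    next_hop: Optional[str] = None   # form 'ip route 172.16.0.0 255.255.0.0 10.7.0.1'
    interface: Optional[str] = None  # form 'ip route 198.51.100.0 255.255.255.0 Serial0'
    distance: int = 1                # administrative distance; IOS uses 1 for statics by default


Interfaces = Dict[str, Tuple[str, bool]]        # name -> (connected prefix, link is up)
Table = Dict[IPv4Network, Tuple[str, int]]      # installed prefix -> (via, administrative distance)


def longest_match(table: Table, addr: str) -> Optional[IPv4Network]:
    """Routing-table lookup: the most specific installed prefix containing addr."""
    hits = [net for net in table if ip_address(addr) in net]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def scan_static_routes(interfaces: Interfaces, statics: List[StaticRoute]) -> Table:
    """One run of the once-a-minute scan: rebuild from connected routes, then install
    every static whose next hop resolves or whose interface is up, unless a route with a
    lower (or equal) administrative distance already covers the prefix."""
    table: Table = {ip_network(net): (f"connected {name}", 0)
                    for name, (net, up) in interfaces.items() if up}
    changed = True
    while changed:                   # repeat so a static resolving through another static gets its turn
        changed = False
        for s in statics:
            net = ip_network(s.prefix)
            if net in table and table[net][1] <= s.distance:
                continue             # something at least as good already owns the prefix
            if s.interface is not None:
                reachable = interfaces.get(s.interface, ("", False))[1]
                via = f"static {s.interface}"
            elif s.next_hop is not None:
                reachable = longest_match(table, s.next_hop) is not None   # recursive routing
                via = f"static via {s.next_hop}"
            else:
                continue
            if reachable:
                table[net] = (via, s.distance)
                changed = True
    return table


# Constructed sample: one Ethernet that is up, one serial that is down.
INTERFACES: Interfaces = {"Ethernet0": ("10.7.0.0/24", True), "Serial0": ("192.0.2.0/30", False)}
STATICS = [
    StaticRoute("10.9.0.0/16", next_hop="172.16.1.1"),            # depends on the 172.16/16 static below
    StaticRoute("172.16.0.0/16", next_hop="10.7.0.1"),             # next hop on the connected Ethernet0
    StaticRoute("198.51.100.0/24", interface="Serial0"),           # interface form; installed only when up
    StaticRoute("10.7.0.0/24", next_hop="10.7.0.1", distance=5),   # loses to the connected route (AD 0)
]


def installed(interfaces: Interfaces = INTERFACES, statics: List[StaticRoute] = STATICS) -> Dict[str, str]:
    """Prefixes in the table after one scan, with what they are reached through."""
    return {str(net): via for net, (via, _) in scan_static_routes(interfaces, statics).items()}


if __name__ == "__main__":
    for prefix, via in installed().items():
        print(f"{prefix:18} {via}")
```

    Flip Serial0 up and the interface-form static appears; take Ethernet0 down and both next-hop statics disappear on the next scan, because the route their next hop depended on is gone.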

    *************************************************************************

    From: Question 15

    Subject: How do name and phone number of ``dialer map'' interfere?

    We use the telephone number first actually. If the caller id matches the telephone number to call, then you don't need the 'name' parameter with a phone number. I realized that the above is ambiguous, so let's do this. You have:

    dialer map ip x.x.x.x name

    is used for incoming authentication. It can be either the hostname, for PAP and CHAP, or it can be a number as returned by caller id. If this is not there, and it is an incoming call, and there is caller id, we will compare against to see if that matches.

    *************************************************************************


    From: Question 16

    Subject: What's the purpose of the network command?

    > What is the real purpose of the network subcommand of
    > router commands? When do I not want to include a network
    > I know about?

    The real purpose of the 'network' sub-command of the router commands is to indicate what networks that this router is connected to are to be advertised in the indicated routing protocol or protocol domain. For example, if OSPF and EIGRP are configured, some subnets may be advertised in one and some in the other. The network command enables one to do this.

    An example of such a case is a secure subnet. Imagine the case where a set of subnets are permitted to communicate within a campus, but one of the buildings is intended to be inaccessible from the outside. By placing the secure subnet in its own network number and not advertising the number, the subnet is enabled to communicate with other subnets on the same router, but is unreachable from any other router, barring static routes. This can be extended by using a different routing protocol or routing protocol domain for the secure network; subnets on the various routers within the secure domain are mutually reachable, and routes from the non-secure domain may be leaked into the secure domain, but the secure domain is invisible to the outside world.

    **************************************************************************

    From: Question 17

    Subject: What is VLSM?

    A Variable Length Subnet Mask (VLSM) is a means of allocating IP addressing resources to subnets according to their individual need rather than some general network-wide rule.

    Of the IP routing protocols supported by Cisco, OSPF, Dual IS-IS, BGP-4, and EIGRPsupport "classless" or VLSM routes.

    Historically, EGP depended on the IP address class definitions, and actually exchanged network numbers (8, 16, or 24 bit fields) rather than IP addresses (32 bit numbers); RIP and IGRP exchanged network and subnet numbers in 32 bit fields, the distinction between network number, subnet number, and host number being a matter of convention and not exchanged in the routing protocols. More recent protocols (see VLSM) carry either a prefix length (number of contiguous bits in the address) or subnet mask with each address, indicating what portion of the 32 bit field is the address being routed on.

    A simple example of a network using variable length subnet masks is found in Cisco engineering. There are several switches in the engineering buildings, configured with FDDI and Ethernet interfaces and numbered in order to support 62 hosts on each switched subnet; in actuality, perhaps 15-30 hosts (printers, workstations, disk servers) are physically attached to each. However, many engineers also have ISDN or Frame Relay links to home, and a small subnet there. These home offices typically have a router or two and an X terminal or workstation; they may have a PC or Macintosh as well. As such, they are usually configured to support 6 hosts, and a few are configured for 14. The point to point links are generally unnumbered.

    Using "one size fits all" addressing schemes, such as are found in RIP or IGRP, the home offices would have to be configured to support 62 hosts each; using numbers on the point to point links would further compound the address bloat.

    One configures the router for Variable Length Subnet Masking by configuring the router to use a protocol (such as OSPF or EIGRP) that supports this, and configuring the subnet masks of the various interfaces in the 'ip address' interface sub-command. To use supernets, one must further configure the use of 'ip classless' routes.

    **************************************************************************

    From: Question 18


    Subject: What are some methods for conserving IP addresses for serial lines?

    VLSM and unnumbered point to point interfaces are the obvious ways. The 'ip unnumbered' subcommand indicates another interface or sub-interface whose address is used as the IP source address on messages that the router originates on the unnumbered interface, such as telnet or routing messages. By doing this, the router is reachable for management purposes (via the address of the one numbered interface) but consumes no IP addresses at all for its unnumbered links.

    **************************************************************************

    From: Question 19

    Subject: Flash upgrade issues for Cisco 2500 series routers

    > When I remove the original flash and replace it with either one or both of
    > the new flash chips, I get the following error on boot up and the router ends
    > up in boot mode:
    > ERR: Invalid chip id 0x80B5 (reversed = 0x1AD ) detected in System flash

    This has to be the most common FAQ for this group. You have non-Intel flash chips on your new SIMMs and boot ROMs that are too old to know about the different access method for the flash chips you have.

    You need to either get the (free, call TAC) BOOT-2500= ROM upgrade from Cisco, or exchange the flash SIMMs for ones using Intel chips. Note that Intel no longer makes those chips, which is why everybody has this problem.

    **************************************************************************

    From: Question 21

    Subject: How do I configure a router to act as a Frame-Relay Switch?

    config t
    frame-relay switching
    !
    interface Serial0
     no ip address
     no keepalive
     encapsulation frame-relay
     clockrate 64000
     frame-relay intf-type dce
     ! In the config below, the 102 is the DLCI that will be
     ! presented to the router connected to this - S0 -
     ! interface. 201 is the DLCI that is mapped to S1
     frame-relay route 102 interface Serial1 201
     frame-relay route 103 interface Serial2 301
    !
    interface Serial1
     no ip address
     no keepalive
     encapsulation frame-relay
     clockrate 64000
     frame-relay intf-type dce
     frame-relay route 201 interface Serial0 102
     frame-relay route 203 interface Serial2 302
    !
    interface Serial2
     no ip address
     no keepalive
     encapsulation frame-relay
     clockrate 64000
     frame-relay intf-type dce
     frame-relay route 301 interface Serial0 103
     frame-relay route 302 interface Serial1 203

             ________                ______
            | FR SW  |_S2________S0_|  R3  |
            |________|               |______|
           S0 /    \ S1
             /      \
            /        \
       S0__/___    ___\__S0
        |  R1  |  |  R2  |
        |______|  |______|

    R1 S0, R2 S0 and R3 S0 will be on the same subnet. You can treat it as p2mp. I put all the DCE ends of the cables on the Frame Switch, so clock rate is defined there. However, this is not a requirement. The FR Switch router does not need to have the DCE end. Regardless of the gender of the cable, however, the "frame-relay intf-type dce" is required. I defined the DLCIs as Source Router + 0 + Destination Router. So if the circuit goes from R1 to R3 it's DLCI 103. From R3 to R1 it's DLCI 301.
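    The easiest mistake to make in a switch configuration like this is to forget one direction of a PVC: every 'frame-relay route' on one interface needs its mirror image on the other interface. As an added check (not from the FAQ, not Cisco's code), the following Python script parses the route statements out of a configuration, verifies that each leg has its return leg and that no DLCI is routed twice on one interface, and lists the PVCs it finds. The embedded configurations are constructed copies of the example above; BROKEN_CONFIG has one return statement deliberately removed.

```python
"""Added consistency check for a Frame Relay switch configuration.

Not part of the FAQ; the embedded configurations are constructed copies of
the FAQ's example (BROKEN_CONFIG has one return statement removed).
"""
import re

IFACE_RE = re.compile(r"^\s*interface\s+(\S+)\s*$")
ROUTE_RE = re.compile(r"^\s*frame-relay route\s+(\d+)\s+interface\s+(\S+)\s+(\d+)\s*$")


def parse_routes(config_text):
    """Return {(in_iface, in_dlci): (out_iface, out_dlci)} from IOS config text.
    Raises ValueError when one (interface, DLCI) pair is routed twice."""
    routes, iface = {}, None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)          # remember which interface block we are in
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        if iface is None:
            raise ValueError(f"route outside an interface block: {line.strip()}")
        key = (iface, int(m.group(1)))
        if key in routes:
            raise ValueError(f"DLCI {key[1]} routed twice on {key[0]}")
        routes[key] = (m.group(2), int(m.group(3)))
    return routes


def check_symmetry(routes):
    """A PVC needs a leg in each direction; list legs whose reverse is missing."""
    problems = []
    for (in_if, in_dlci), (out_if, out_dlci) in routes.items():
        if routes.get((out_if, out_dlci)) != (in_if, in_dlci):
            problems.append(
                f"{in_if} dlci {in_dlci} -> {out_if} dlci {out_dlci} has no return route")
    return problems


def pvcs(routes):
    """Collapse the two legs of each PVC into one sorted endpoint pair."""
    return sorted({tuple(sorted((a, b))) for a, b in routes.items()})


# Constructed copy of the FAQ's switch configuration (keepalive/clock lines omitted).
SWITCH_CONFIG = """\
frame-relay switching
!
interface Serial0
 no ip address
 encapsulation frame-relay
 frame-relay intf-type dce
 frame-relay route 102 interface Serial1 201
 frame-relay route 103 interface Serial2 301
!
interface Serial1
 no ip address
 encapsulation frame-relay
 frame-relay intf-type dce
 frame-relay route 201 interface Serial0 102
 frame-relay route 203 interface Serial2 302
!
interface Serial2
 no ip address
 encapsulation frame-relay
 frame-relay intf-type dce
 frame-relay route 301 interface Serial0 103
 frame-relay route 302 interface Serial1 203
"""
# Same configuration with the S2 -> S1 return leg of the R2/R3 PVC left out.
BROKEN_CONFIG = SWITCH_CONFIG.replace(" frame-relay route 302 interface Serial1 203\n", "")


if __name__ == "__main__":
    for label, cfg in (("good", SWITCH_CONFIG), ("broken", BROKEN_CONFIG)):
        routes = parse_routes(cfg)
        print(label, "PVCs:", pvcs(routes))
        print(label, "problems:", check_symmetry(routes) or "none")
```

    The good configuration yields three PVCs and no problems; the broken one still shows three PVCs (one leg is enough to name the pair) but reports the leg on Serial1 whose return route on Serial2 is missing, which is exactly the statement that was removed.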

    **************************************************************************

    From: Question 22

    Subject: What are the different types of memory used by Cisco Routers?

    The 2500 Series and 7204 VXR have the same types of memory, but they are implemented in different physical packages:

    ROMMON - This is the initial bootstrap for the router.

    Boot Helper - This is a subset of IOS that is used to update software or network boot. The 2500 implements the ROMMON and boot helper in a set of two ROMs. The 7204VXR has ROMMON in a ROM and boot helper in a piece of flash memory on the I/O controller called boot flash.

    Main memory - This is used to hold routing tables and IOS variables. In the 7204 VXR, IOS itself is also resident in main memory. The 2500 Series usually runs the IOS directly in flash.

    Shared memory - This is the memory that holds packet buffers. On the 2500 Series, this is part of the same physical memory as main memory. On the 7204 VXR, it's separate memory.

    Flash memory - This memory holds the IOS image. On the 2500 Series, there are two flash SIMM sockets (max 16 MB). On the 7204VXR, there are PCMCIA slots on the I/O controller which can take a 128 MB flash disk.

    Configuration memory (NVRAM) - This is the memory that holds the IOS configuration. In the 2500 Series, it's a 32 KB EEPROM. On the 7204VXR it is 128 KB battery backed up SRAM on the I/O controller.

    **************************************************************************

    From: Question 23

    Subject: How do I load the Documentation CD (UniverseCD) on Windows 2000?

    Doc CD content appears garbled:

    The Doc CD content is compressed; it requires Verity to decompress it. This is why Verity is used on the Doc CD. What has happened is you've tried to directly open up index.html off the CD into your browser, and this is not possible to do. The CD must be accessed through the Verity Web Publisher through:

    http://127.0.0.1:8080/home/home.htm

    This is the startup address that is launched when you click on "Launch CD."

    Windows 2000 and Doc CD: Pre-July 2000 Documentation CDs do not work on Windows 2000 out of the box. They will cause "Search.exe" to crash when run under Win2k.

    There is a fix that sometimes works for these CDs at:

    http://www.cisco.com/warp/public/620/ioscd.html

    This fix MUST be done BEFORE you install the CD. If the CD has already been installed, then uninstall it, delete c:\cisco, make this registry change, then re-install the Doc CD (both the Browser Software Installer and the Documentation CD).

    (I have tried this on my laptop which is running Windows 2000 and it worked fine, but I had to delete c:\Cisco first and launch the Browser Software Installer CD (1) first, then the Documentation CD (2). My version of the CD was Nov 1999.)

    (I have already sent this one to you; did you delete c:\Cisco and launch both CDs?)

    Other fixes are shown below.

    The Doc CD starts up to about:blank

    There are two alternate fixes for this:

    1. After launching the Doc CD, put in http://127.0.0.1:8080/home/home.htm for the address, and then add it to your favorites.

    - or -

    2. This is a 4-step fix:

    A. Ensure that search.exe is not running.
    B. Edit the installed search.ini (c:\CISCO\search.ini).
    C. Change the line 'Browser=c:\program files\internet explorer\iexplore.exe' to 'Browser=msie'
    D. Launch the CD.

    Nothing happens when I click Launch CD

    The usual cause for this is that you've installed a post-July 2000 Documentation CD over the top of a previous Doc CD.

    The fix for this is to:

    1. Uninstall the Doc CD from the control panel->add/remove programs.
    2. Delete c:\cisco
    3. Reinstall the Doc CD.

    Finally to reorder a CD

    The Cisco Documentation CD is also available online at:

    http://www.cisco.com/univercd/home/home.htm

    **************************************************************************

    From: Question 24

    Subject: How do I load a large image on a 2500 *lab* router?

    For production work (support by Cisco required) you need 16M Flash to run 12.0 or 12.1 Enterprise. If you don't need Cisco support, 12.0 Enterprise is small enough (about 10M) to run from RAM (upgrading to 16M of RAM is MUCH cheaper than upgrading to 16M of flash) using a compressed image in the 8M of flash you do have.

    12.1 Enterprise is 14M so it must be run from flash (otherwise there is not enough RAM remaining to even complete loading of the OS).

    Check the release notes on www.cisco.com for the IOS release you want to use. If the actual size of the IOS plus the minimum recommended RAM totals less than 16MB, you can run compressed or boot from TFTP without expanding flash. Check deja-news on google if you are unclear on how to run a compressed image on the 2500; it is a frequent request and hopefully will turn up in the renovated FAQ when Hansang gets a chance to publish it.

    **************************************************************************

    From: Question 25


    Subject: daisy-chaining reverse telnet console-aux ports

    > I've hooked 4 routers together in a lab and I'm daisy-chaining them
    > aux --> console and using reverse telnet to get to them...
    >
    > However when I get to the fourth router and do a CTRL-SHFT-6 X,
    > I get back to the first router. If I kill the AUX line, then initiate the
    > reverse telnet again, I fall through router 2 and 3 to 4 again...
    > Is there an easy way to fall back one router at a time?
    > or should I not bother to do this?

    You have two options. One is to use a different escape character on the second (third, fourth etc.) console (and/or vty):

    conf t
    line con 0 /* or vty 0 4 */
     escape-character 23

    This will let you use CTRL-W then X to break out of reverse telnet.

    Or

    You can use CTRL-SHFT-6, CTRL-SHFT-6, X to come back to the second session, and CTRL-SHFT-6, CTRL-SHFT-6, CTRL-SHFT-6, X to come back to the third session, etc.

    **************************************************************************

    From: Question 26

    Subject: How do I setup Lock & Key ACL? Or punch temporary holes in my ACL if someone authenticates to my router?

    username foobar password cisco
    !
    interface Serial0
     ip address 1.1.1.1 255.255.0.0
     ip access-group 101 in
    !
    ! /* or port 22 for ssh */
    access-list 101 permit tcp any host 1.1.1.1 eq telnet
    access-list 101 dynamic foobar permit ip any any
    !
    line vty 0 2
     login local
     autocommand access-enable host timeout 5
    line vty 3 4
     login local
     rotary 1

    The first access list entry allows telnet into the router. Your users will telnet into the router and authenticate with username foobar and password "cisco".

    The router will then immediately disconnect the telnet session. When they successfully authenticate, an access list entry with their source IP will be added to the dynamic list. Basically, if they authenticate correctly, they can come in to the inside network. After 5 minutes of inactivity the entry will be deleted from the access list.

    The vty 3 and 4 are using the rotary command so that you can telnet to your router with the command "telnet 1.1.1.1 3001". This takes you to vty 3 (or 4). This way, you can telnet into the router and actually manage it. A very subtle but VERY important point: if you forget this, you'll be making a trip to use the console port.
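    To show what the dynamic entry actually does to traffic, here is an added Python model of this lock-and-key ACL (an illustration added here, not Cisco's implementation): a static permit for telnet to the router, a per-host entry that only exists after access-enable has run, and the idle timeout of the 'timeout 5' keyword. The remote and inside addresses and the timestamps are constructed, absolute timeouts are not modelled, and the dynamic template is simplified to "permit everything from the authenticated source host".

```python
"""Added model of the lock-and-key ACL in the FAQ (illustration, not Cisco's code).

Addresses and times are constructed; only the idle timeout is modelled.
"""
from dataclasses import dataclass, field

TELNET = 23
ROTARY_1 = 3001          # 'rotary 1' on vty 3-4 answers on TCP port 3001


@dataclass
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass
class LockAndKeyAcl:
    """access-list 101 from the FAQ:
         permit tcp any host <router> eq telnet
         dynamic foobar permit ip any any
    The dynamic line is only a template; it matches nothing until
    access-enable creates an entry for one source host."""
    router_ip: str
    idle_timeout: float = 5 * 60                  # 'timeout 5' is in minutes
    active: dict = field(default_factory=dict)   # source host -> time of last hit

    def access_enable(self, src, now):
        """Effect of 'autocommand access-enable host' after a successful login."""
        self.active[src] = now

    def expire(self, now):
        """Router housekeeping: drop entries that have been idle for the full timeout."""
        self.active = {s: t for s, t in self.active.items()
                       if now - t < self.idle_timeout}

    def permits(self, pkt, now):
        self.expire(now)
        if pkt.proto == "tcp" and pkt.dst == self.router_ip and pkt.dport == TELNET:
            return True                           # static entry: telnet to the router
        if pkt.src in self.active:                # dynamic entry for this host
            self.active[pkt.src] = now            # a hit refreshes the idle timer
            return True
        return False                              # implicit deny at the end of the list


def scenario():
    """Walk through the FAQ's flow and record each decision."""
    acl = LockAndKeyAcl("1.1.1.1")
    user = "203.0.113.7"                             # constructed remote address
    inside = Packet(user, "10.1.1.10", "tcp", 80)    # constructed inside host
    telnet = Packet(user, "1.1.1.1", "tcp", TELNET)
    mgmt = Packet(user, "1.1.1.1", "tcp", ROTARY_1)
    other = Packet("198.51.100.9", "10.1.1.10", "tcp", 80)
    r = {}
    r["inside_before_auth"] = acl.permits(inside, now=0)
    r["mgmt_port_before_auth"] = acl.permits(mgmt, now=0)
    r["telnet_to_router"] = acl.permits(telnet, now=0)
    acl.access_enable(user, now=10)                  # login on vty 0-2 succeeded
    r["inside_after_auth"] = acl.permits(inside, now=20)
    r["mgmt_port_after_auth"] = acl.permits(mgmt, now=20)
    r["other_host_after_auth"] = acl.permits(other, now=20)
    r["inside_after_4min_idle"] = acl.permits(inside, now=20 + 240)
    r["inside_after_5min_idle"] = acl.permits(inside, now=260 + 300)
    return r


if __name__ == "__main__":
    for step, decision in scenario().items():
        print(f"{step:26s} {'permit' if decision else 'deny'}")
```

    Two things the model makes visible: a second host does not inherit the first host's entry, and the rotary port 3001 is itself only reachable once the authenticating host's dynamic entry exists, because the static entry permits port 23 alone. That is why the FAQ has you authenticate on the normal telnet port first and only then connect to the management vty.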

    *************************************************************************

    From: Question 27

    Subject: How do I telnet to a specific VTY line?

    See "rotary" example in question 48.

    **************************************************************************

    From: Question 28

    Subject: Is there a better (free) tftp server than the one by Cisco?

    3CDv2r10.zip file located at:

    http://support.3com.com/software/utilities_for_windows_32_bit.htm

    **************************************************************************


    From: Question 28

    Subject: How do I NAT on a single Cisco 2503 Ethernet interface?

    interface Loopback0
     ip address 10.0.255.1 255.255.255.0
     ip nat inside
    !
    interface Ethernet0
     ip address 10.0.0.1 255.255.255.0 secondary
     ip address xxx.yyy.zzz.ttt 255.255.255.248
     ip nat outside
     ip policy route-map LOOPNAT
    !
    ip nat inside source list 1 interface Ethernet0 overload
    !
    access-list 1 permit 10.0.0.0 0.255.255.255
    !
    route-map LOOPNAT permit 10
     match ip address 1
     set interface Loopback0
    !

    Note that the Lo0 interface may have any IP address.

    **************************************************************************

    From: Question 29

    Subject: How do I hide a summarized OSPF route from one ABR to another?

    area 1 range x.x.x.x x.x.x.x not-advertise

    **************************************************************************

    From: Question 30

    Subject: How do I setup Windows 2000 and IPSec to a PIX Firewall?

    To describe how to use the Local Security Policy MMC in W2K would take a long time. So, the config I will share with you is the 'dial-up' one I mentioned before. In this posting I will detail the bare minimum needed to get a W2K client working with a PIX firewall running v6.01 software. For simplicity I use a preshared key for authentication. Since I have to embed this key into the script I use it makes the configuration open and thus vulnerable. However, you should be able to tweak the configuration from this to meet your own security needs. The W2K IPSec client supports certificates as well as preshared keys so a "secure" version of this config is attainable.

    The configuration script I eked out (it isn't beautiful code) is actually written in Perl. If you would like to re-write it in the old DOS batch file format, please do so. Otherwise, you should find a copy of Perl for NT/W2K. I use the version found at http://www.activestate.com. The Perl script I show here is documented as to what it does. The MS ipsecpol.exe program that you have to use has its own documentation which you should read. For the PIX I give you only the crypto, isakmp, and sysopt commands you need to issue to your PIX to make this config work. The config assumes that the PIX has NAT enabled.

    Ok, enough blabber, here it is... I hope it is helpful!

    For the purposes of this 'demo' config, the PIX Firewall will have 192.168.0.1 as its outside IP. The inside network will be the 10.0.X.X network. The inside router will be 10.0.0.1.

    Quick Network Schematic:

    [W2K] --> [Dial-Up WAN adapter (DHCP assigned address)] ---> [Internet] ---> [PIX Firewall (192.168.0.1)] ---> [Internal LAN (10.0.X.X)] --> [Inside Router (10.0.0.1)]

    The PIX firewall commands needed are:

    sysopt connection permit-ipsec
    sysopt connection permit-l2tp
    sysopt ipsec pl-compatible
    crypto ipsec transform-set W2K esp-des esp-md5-hmac
    crypto ipsec transform-set W2K mode transport
    crypto dynamic-map W2KDynamic 11 set transform-set W2K
    crypto map W2K-Map 23 ipsec-isakmp dynamic W2KDynamic
    crypto map W2K-Map interface outside
    isakmp identity address
    isakmp key gobbeldygook address 0.0.0.0 netmask 0.0.0.0
    isakmp policy 11 authentication pre-share
    isakmp policy 11 encryption des
    isakmp policy 11 hash md5
    isakmp policy 11 group 1
    isakmp policy 11 lifetime 28800
    isakmp enable outside

    The Perl script I wrote is as follows. I execute this script every time I establish a connection with my dial-up ISP. It then sets up the IPSec tunnel using my current ISP assigned IP Address.

    #begin listing
    # IPSecInit.pl
    # Written by: Steven Griffin Jr.
    # Date: 6 June, 2001.
    # Note: The basis of this code came from the PERL documentation site.
    # The original snippets came from the links below.
    # http://www.perldoc.com/perl5.6/lib/Net/hostent.html
    # http://www.perldoc.com/perl5.6/lib/Net/Ping.html
    # I should put this in POD format at some point but I am in a hurry right now.

    use Net::hostent;
    use Socket;
    use Net::Ping;

    # Two variables: one for the local IP address and one for the VPN server.
    # This script assumes that the VPN server has a static IP.
    my $localipaddress;
    my $VPNHostIP = '192.168.0.1';

    # The following section of code discerns the IP address of the host provided
    # in the command line arguments. The default is the localhost.
    # NOTE: the code section is smart and gives you a routable IP (if available)
    # and not just 127.0.0.1.
    # This section is pretty much identical to the one found on the PERL
    # documentation site. I just added an assignment of the discerned IP address
    # to the $localipaddress variable, and changed the @ARGV assignment to
    # 'localhost' instead of 'netscape.com'.
    @ARGV = ('localhost') unless @ARGV;

    for my $host ( @ARGV ) {
        my $h;
        unless ($h = gethost($host)) {
            warn "$0: no such host: $host\n";
            next;
        }
        printf "\n%s is %s%s\n",
            $host,
            lc($h->name) eq lc($host) ? "" : "*really* ",
            $h->name;
        print "\taliases are ", join(", ", @{$h->aliases}), "\n"
            if @{$h->aliases};
        if ( @{$h->addr_list} > 1 ) {
            my $i = 0;
            for my $addr ( @{$h->addr_list} ) {
                printf "\taddr #%d is [%s]\n", $i++, inet_ntoa($addr);
            }
        } else {
            # my modification is on the next line.
            printf "\taddress is [%s]\n", $localipaddress = inet_ntoa($h->addr);
        }
        if ($h = gethostbyaddr($h->addr)) {
            if (lc($h->name) ne lc($host)) {
                printf "\tThat addr reverses to host %s!\n", $h->name;
                $host = $h->name;
                redo;
            }
        }
    }

    # This next section is a very modified version of the Ping example on the
    # Perl documentation website.
    # Now that we know our IP address, we can set up the IPSec tunnel.
    # First we try and ping our VPN server.
    my $p = Net::Ping->new("icmp");
    print "\nCan I see my firewall? ";
    if ($p->ping($VPNHostIP)) {
        print "Yes\nAttempting to initialize IPSec Connection";
        # Now that we can see our server, let's stop and start the W2K IPSec
        # Policy Agent. This deletes any 'dynamic' IPSec policies that may have
        # been in effect before.
        print "\nResetting IPSec Policy Agent";
        my $cmdstring = 'Net Stop "IPSec Policy Agent"';
        system($cmdstring);
        $cmdstring = 'Net Start "IPSec Policy Agent"';
        system($cmdstring);

        # Now we issue the ipsecpol command to set up the tunnel to our VPN server.
        # The ipsecpol command line utility can be found on Microsoft's website:
        # http://www.microsoft.com/downloads/release.asp?ReleaseID=29167
        # or
        # http://download.microsoft.com/download/win2000platform/ipsecpol/1.00.0.0/NT5/EN-US/ipsecpol_setup.exe
        # MS requires two ipsecpol commands be issued in order to set up a tunnel:
        # one for the inbound traffic and one for the outbound traffic.
        # For this tunnel I used the following settings:
        #   The IPSec filter '-f' is for the 10.0.0.0 255.255.0.0 network to my IP address.
        #   The tunnel setting '-t' is either my IP address or the VPN server's IP address.
        #   The security method list '-1s' is for DES-MD5-1.
        #   The security negotiation setting '-n' is for ESP[DES,MD5].
        #   We are using quick mode key exchange; '-1k 10q' rekeys after 10 quick modes.
        #   We are using perfect forward secrecy '-1p'.
        #   For authentication we are using a preshared key '-a'.
        #   NOTE: the preshared key must be enclosed in double quotes.
        #   See the documentation of the utility for further details.
        print "\nSetup IPSec Tunnel";
        # This sets up the inbound leg of the tunnel. We are filtering all traffic
        # inbound from 10.0.X.X to our IP address.
        # The critical part of this statement is that the -t argument must contain
        # our local IP.
        $cmdstring = 'ipsecpol -f 10.0.*.*=' . $localipaddress . ' -t ' . $localipaddress
                   . ' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a PRESHARE:"gobbeldygook"';
        printf "\n%s", $cmdstring;
        system($cmdstring);
        # This sets up the outbound leg of the tunnel. We are filtering all traffic
        # outbound to 10.0.X.X from our IP address.
        # The critical part of this statement is that the -t argument must contain
        # the VPN server's IP address.
        $cmdstring = 'ipsecpol -f ' . $localipaddress . '=10.0.*.* -t ' . $VPNHostIP
                   . ' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a PRESHARE:"gobbeldygook"';
        printf "\n%s\n", $cmdstring;
        system($cmdstring);

        # Now that we have issued our commands, we should test the network and see
        # if we can see inside it. The internal router is the easiest target; here
        # it is 10.0.0.1.
        # We first do a ping just so that the IPSec tunnel will negotiate. W2K does
        # not set up the tunnel until you actually try and send traffic to an IPSec
        # filtered IP address. Then we do another ping and tell the user what happened.
        print "\nTrying to ping internal network: ";
        $p->ping("10.0.0.1");
        if ($p->ping("10.0.0.1")) {
            print "Success\n";
            sleep(1);
        } else {
            print "Failure\n";
            sleep(1);
        }
    } else {
        # If we reach this point, we could not see our VPN server's external IP
        # address from our ISP.
        print "No\nTry redialing your ISP";
        sleep(3);
    }
    $p->close();
    #end listing

    **************************************************************************

    From: Question 32

    Subject: How do I use tftpdnld via Ethernet port on a 2600?

    Press Ctrl+Break on the terminal keyboard within 60 seconds of the power-up to put the router into ROMMON.

    rommon 1 > IP_ADDRESS=172.15.19.11
    rommon 2 > IP_SUBNET_MASK=255.255.255.0
    rommon 3 > DEFAULT_GATEWAY=172.15.19.1
    rommon 4 > TFTP_SERVER=172.15.20.10
    rommon 5 > TFTP_FILE=/tftpboot/c2600-i-mz
    rommon 6 > tftpdnld

    DEFAULT_GATEWAY must be on the same subnet as IP_ADDRESS; the TFTP server here is on another subnet and is reached through that gateway.

    **************************************************************************

    From: Question 33

    Subject: How do I setup MultiLinkPPP?

    Multilink PPP without virtual template:

    interface Multilink1
     description multilink bundle
     ip unnumbered Loopback0
     ppp multilink
     multilink-group 1
    !
    interface Serial0
     description first T1 line
     encapsulation ppp
     ppp multilink
     multilink-group 1
    !
    interface Serial1
     description second T1 line
     encapsulation ppp
     ppp multilink
     multilink-group 1

    Again, recent software is necessary: at least 12.0T or 12.1, or one of the ISP branches (12.0S).

    **************************************************************************

    From: Question 34

    Subject: How much memory is taken up by BGP routes?

    As a reference, please see the following from http://www.cisco.com/warp/public/459/

    I'd like to drill down another level to decide why each entry contains 240 bytes!

    Tech Tip: How Much Memory Does Each BGP Route Consume?

    Each Border Gateway Protocol (BGP) entry takes about 240 bytes of memory in the BGP table and another 240 bytes in the IP routing table. Each BGP path takes about 110 bytes.

    **************************************************************************

    From: Question 35

    Subject: How do I stop my router from looking for cisconet.cfg or network-config?

    Look up "service config" in the manual (available on www.cisco.com if you do not have a local copy). Turn it off using the command "no service config" in configuration mode.

    **************************************************************************

    From: Question 36

    Subject: How do I setup DHCP service on my router?

    Here is my 1601 performing as a DHCP server config...

    The static pool is how I use DHCP to assign the same IP to the same PC each time, essentially a static IP address assignment. The only other requirement would be that on the interface where DHCP requests will be received, if you have an inbound ACL, bootp must be permitted.

    ip dhcp excluded-address 192.168.3.1 192.168.3.9
    !
    ip dhcp pool dhcp-pool
     network 192.168.3.0 255.255.255.0
     default-router 192.168.3.1
     netbios-node-type b-node
     dns-server aaa.bbb.ccc.ddd aaa.bbb.ccc.eee
    !
    ip dhcp pool static-pool
     host 192.168.3.2 255.255.255.0
     client-identifier 0100.00c5.0cbd.7e
     client-name main_pc
     default-router 192.168.3.1
     dns-server aaa.bbb.ccc.ddd aaa.bbb.ccc.eee

    **************************************************************************

    From: Question 37

    Subject: How do I configure transparent proxy redirecting on a Cisco router?

    >Is it possible to configure transparent proxy redirecting on a CISCO router?
    >I would like to redirect all www requests from specific IP addresses to
    >other IP address and other port.

    A route-map does the IP redirection nicely; I've used it for http and smtp. Not sure about switching ports simultaneously with the same route map, but you could fix this with 'ipfw' or similar on the host. Be sure you have 'ip route-cache policy' enabled to save CPU on the interface. WCCP is another option.

    http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.5

    **************************************************************************

    From: Question 38

    Subject: How do I use a route-map to limit redistribution in OSPF?

    ! /* match only the 172.16.10.x and 172.16.11.x subnets */
    !
    access-list 1 permit 172.16.10.0 0.0.1.255
    !
    ! /* use access-list 1 to determine what gets matched */
    !
    route-map LoopbacksOnly permit 10
     match ip address 1
    !
    ! /* redistribute connected networks, any and all subnets, */
    ! /* and seed it as E2 type (metric-type 2). Note that */
    ! /* throughout your OSPF domain, your loopbacks will have */
    ! /* a metric of 20; 20 is the default metric when you */
    ! /* redistribute into OSPF, except for BGP routes which */
    ! /* get a metric of 1. Also use the route-map LoopbacksOnly */
    ! /* to selectively redistribute only the ones we want. */
    !
    router ospf 200
     redistribute connected subnets metric-type 2 route-map LoopbacksOnly
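    The wildcard mask 0.0.1.255 in access-list 1 is the part of this example that trips people up, since a wildcard is not a subnet mask: a 0 bit must match and a 1 bit is "don't care", and the 1 bits need not be contiguous. Here is an added Python helper (not from the FAQ, not Cisco's code) that evaluates a wildcard the way IOS does, expands it into the CIDR blocks it covers (including a non-contiguous case that no subnet mask can express), and then applies access-list 1 to a constructed list of connected prefixes the way 'match ip address 1' would. The loopback prefixes in the sample are assumptions.

```python
"""Added helper for IOS wildcard masks (illustration, not Cisco's code).

The sample connected prefixes at the bottom are constructed.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(addr, base, wildcard):
    """IOS semantics: bits where the wildcard is 0 must equal the base;
    bits where the wildcard is 1 are ignored."""
    a, b, w = _to_int(addr), _to_int(base), _to_int(wildcard)
    care = ~w & ALL_ONES
    return (a & care) == (b & care)


def wildcard_to_networks(base, wildcard):
    """Expand 'base wildcard' into the list of CIDR blocks it covers.

    The trailing run of 1 bits becomes the prefix length; every other 1 bit
    doubles the number of blocks, which is how a non-contiguous wildcard
    such as 0.0.2.255 ends up matching two separate /24s."""
    b, w = _to_int(base), _to_int(wildcard)
    low = 0
    while low < 32 and (w >> low) & 1:          # length of the trailing 1 run
        low += 1
    high_bits = [i for i in range(low, 32) if (w >> i) & 1]
    nets = []
    for combo in range(1 << len(high_bits)):     # every setting of the stray bits
        addr = b & ~w & ALL_ONES                 # clear all don't-care bits
        for k, bit in enumerate(high_bits):
            if (combo >> k) & 1:
                addr |= 1 << bit
        nets.append(ipaddress.IPv4Network((addr, 32 - low)))
    return sorted(nets)


# Constructed connected prefixes; the first three are the router's loopbacks.
CONNECTED = ["172.16.10.1/32", "172.16.11.1/32", "172.16.20.1/32",
             "192.168.1.0/24", "10.0.0.0/30"]
ACL_1 = ("172.16.10.0", "0.0.1.255")


def redistributed(connected=CONNECTED, acl=ACL_1):
    """Prefixes that pass 'match ip address 1'. A standard ACL in a route-map
    is tested against the route's network address only, not its mask."""
    return [p for p in connected if wildcard_matches(p.split("/")[0], *acl)]


if __name__ == "__main__":
    print("access-list 1 covers:", [str(n) for n in wildcard_to_networks(*ACL_1)])
    print("0.0.2.255 would cover:",
          [str(n) for n in wildcard_to_networks("172.16.10.0", "0.0.2.255")])
    print("redistributed:", redistributed())
```

    For this ACL the expansion is the single block 172.16.10.0/23, so only the 172.16.10.1 and 172.16.11.1 loopbacks are redistributed; the 0.0.2.255 comparison shows why a typo in the wildcard silently matches a different set of subnets rather than failing.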

    **************************************************************************

    From: Question 39

    Subject: How do I connect 675 DSL units back to back?

    Well, I found out that you can hook up other DSL boxes back to back... here is part of an email I found on it:

    you need:
    'dsl equipment-type CO' on one side and
    'dsl equipment-type CPE' on the other

    Here is a working example from the lab:
    (The distance limitation should be the same as the one found in the docs)
    also, you can run 'debug dsl-phy', a new command, to look at the trainup.

    (CO side, an 828)
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     dsl equipment-type CO
     dsl operating-mode GSHDSL symmetric annex A
     dsl linerate AUTO
    !
    interface ATM0.1 point-to-point
     ip address 1.1.1.2 255.255.255.0
     pvc 1/33
      encapsulation aal5snap
    !
    !

    (CPE side, a SOHO78)
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     dsl equipment-type CPE
     dsl operating-mode GSHDSL symmetric annex A
     dsl linerate AUTO
    !
    interface ATM0.1 point-to-point
     ip address 1.1.1.1 255.255.255.0
     pvc 1/33
      encapsulation aal5snap
    !

    **************************************************************************

    From: Question 40

    Subject: Why can't I upload an IOS image on to my flash on my 2500 router?

    > i took one from another 2500, same label E28F008SA and unfortunately,
    > same ERROR MESSAGE while issuing COPY TFTP FLASH from config-reg
    > 0x2101

    The flash in your system is not recognized by the boot ROM. You can upgrade your boot ROM (Cisco part BOOT-2500=) or use flash that is compatible (Intel).

    **************************************************************************

    From: Question 41

    Subject: How do I configure my router so it becomes a DHCP CLIENT?

    If you have 12.1(2)T or later on one of these platforms:

    C800, C100x, C1400, C160x, C17x0, C25xx, C26xx, C36xx, C4x00, C64xx, C7x00, C8500, and C12000
    UBR900, UBR7200
    MC3810

    the interface command is "ip address dhcp".

    **************************************************************************

    From: Question 42

    Subject: How do you setup a simple Priority Queuing?

    I would take a look at priority queuing, see the link below:

    http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/qos_c/qcprt2/qcdpq.htm

    A simple config for your case would be:

    priority-list 1 protocol ip high tcp telnet
    priority-list 1 default medium
    interface Ethernet1
     ip address 10.1.1.1 255.0.0.0
     no ip directed-broadcast
     priority-group 1

    **************************************************************************

    From: Question 43

    Subject: What are the pro's and con's of using two ISP/BGP providers?

    >Why would you use BGP with 2 Internet T1 vs using equal cost
    >static routing? What's the pros and cons? Thank you.

    The answer in a nutshell is: It depends.

    If each T1 goes to a different ISP, then you must use BGP to have the same public address regardless of route taken.

    If each T1 goes to the same ISP and load sharing and ease of setup/management is more important than availability, then go with static routes.

    If the T1 links do not support end-to-end keepalives, go with BGP to avoid black holes.

    If the T1 links go to different POPs of the same ISP, use BGP and indicator routes to detect ISP segmentation.

    If the T1 links go to geographically diverse POPs, then BGP with full or local routes may improve routing efficiency.

    For more detail, see the blurb http://www.oreillynet.com/pub/a/network/2001/05/11/multihoming.html

    (for those reading this out of the archives at a future date, a more detailed version of this paper will be appearing as a White Paper on my web site, but it will not be there until late Summer). Chapter 8 of my book walks you through all the alternatives from two T1s between a single router at your site and a single router at the ISP, to two T1's between separate routers at your site to two different ISPs. For how to get the most out of BGP, including load sharing and efficiency considerations (my book only considers availability), read Halabi's book.

    If none of the above makes sense to you, hire a competent consultant to walk you through the alternatives and their tradeoffs.

    ***** The O'Reilly article follows: *****


    by Vincent Jones 05/11/2001

    Many organizations depend upon Internet connectivity to support critical applications. One popular approach for improving Internet connectivity is to connect to more than one Internet service provider (ISP), a technique called multi-homing.

    Multi-homing can be very effective for ensuring continuous connectivity -- eliminating the ISP as a single point of failure -- and it can be cost effective as well. However, your multi-homing strategy must be carefully planned to ensure that you actually improve connectivity for your company, not degrade it.

    THE CONCEPT OF PHYSICAL DIVERSITY

    First, I want to discuss the network components that can affect overall connectivity. Because most network failures are due to problems in the WAN links, it does little good to connect to a second ISP if both ISP links are carried over the same communications circuit. Even if independent circuits are used -- if they are not physically diverse they will still be subject to common failure events such as construction work inside your building or digging in the street outside.

    Providing complete physical diversity can be difficult and expensive, but the requirement is not limited to ISP connections. All critical network links for internal communications should also be diversified. Assuming an otherwise well-designed internal network, the easiest way to achieve physical diversity in your ISP connections is to connect from two different locations that are already well-connected to each other. But they must be far enough apart that they don't share any common communications facilities to either ISP.

    REDIRECTING TRAFFIC USING THE BORDER GATEWAY PROTOCOL

    Once physical connectivity is in place, you need to make it useful. Taking advantage of redundant links requires two conditions to always be present. First, you must be able to detect when a link has failed. Second, you must have a mechanism for redirecting traffic that would normally flow across a failed link to take a different path that is still functional.

    In a multi-homing environment, both tasks are normally achieved by running Border Gateway Protocol (BGP) between your routers and those of the ISPs.

    BGP is often assumed to mean complex configurations on expensive, high-end routers to handle the huge routing tables required to fully describe the Internet. However, depending upon the specific application requirements and the degree of load-balancing you want across all available links, it may be practical to implement multi-homing using the smallest routers you have available that are capable of handling the traffic load.

    In other words, implementing multi-homing doesn't have to be an all-or-nothing choice. There are choices you can make along the way based upon the equipment you have available and the level of connectivity you need to provide.

    DETERMINING LEVEL OF CONNECTIVITY REQUIRED

    At one extreme, when your goal is simply to provide internal users with access to the Internet, you don't need to run BGP at all. As long as the link layer protocol supports the exchange of keep-alive messages from router to router, link failure will be detected by the link layer protocol. Floating static routes can then reliably direct all outbound traffic to a working ISP link.

    Network Address Translation (NAT) is then used to send outbound packets with a source IP address associated by the ISP with that outbound link. Return traffic will automatically come back via the same working link because that link is the only link servicing that address range.

    Of course this approach will not work if you are providing services to the outside world, as the addresses associated with the failed link will disappear. Similarly, connections that were established over the link that failed will need to be reconnected. However, for many applications this impact is minor.

    For example, a typical web surfer would merely need to hit the "page refresh" button. This approach is also sufficient to provide high-availability virtual private networks (VPN) across the Internet if you use a routing protocol such as OSPF to detect and route around failed IPSec tunnels.

    The other extreme would be when you need to support a common IP address range using both ISPs. Then you need to run BGP. This will normally be the case any time your applications include providing services to Internet users, such as access to a common database. You will need to arrange for both ISPs to accept your BGP advertisements of your IP address prefixes. Then your ISPs need to advertise those address prefixes to the rest of the Internet.

    Getting your address prefixes advertised is usually not a problem. You do, however, have to use care in your configuration to ensure that you do not inadvertently advertise any other address prefixes. In particular, you must ensure that you do not advertise yourself as a path between the two ISPs. This could cause your links to be consumed by transit traffic of no interest to you. More challenging is setting up your advertisements so that incoming traffic is reasonably balanced between the ISP links. Achieving that can be difficult at best, and nearly impossible at worst.

    CHOOSE THE RIGHT ROUTE FOR YOU

    The final decision is determining which routes to accept from each ISP. This can range from merely accepting a default route (used to detect if the link is up or down) to accepting all routes (so called "running defaultless"). The former is usually insufficient, because it does not protect you from an ISP which has an internal failure cutting them off from the rest of the Internet. The latter requires using "carrier-class" routers with lots of memory installed (and therefore more expensive). Fortunately, there are some "in-between" choices.

    Rather than using a simple default route, you can use a conditional default route to protect against ISP failure behind the ISP's router that serves you. A conditional default route is a default route that is defined by a router only if a specific address is already in that router's routing table. Each ISP is only used for a default route if it is advertising one or more routes that indicate it is receiving advertisements from the rest of the Internet. That way, you will always use a default route which promises to be useful.

    Another option is to have the ISP send you just its local routes. That way, you can optimize your outbound routing to avoid sending packets that could be locally delivered to the wrong ISP, adding to delivery delays. Care must be taken when using this option, however, because some ISPs have so many local routes that there is no cost benefit in the size of the routers required to handle them compared to running defaultless.

    Options can also be combined. In many cases, taking local routes and a conditional default route will provide all the availability benefits of running defaultless, while still allowing the use of low-cost routers. As is always the case in networking, a good understanding of the requirements and the available capabilities is essential to maximizing cost-effectiveness.

    **************************************************************************

    From: Question 44

    Subject: What kind of memory can I use to upgrade my 2500 series router?

    The RAM is standard 72-pin parity 70ns FPM w/ tin leads, while the flash is the generic Cisco flash. If you have older boot ROMs, you'll want to make sure you get Intel chips or the ROMs won't recognize them. Or you could upgrade the ROMs - Cisco part number BOOT-2500=, allegedly free.

    > Any suggestions for a decent memory supplier for this?

    I used to use Kingston when I had 25xx's. But MemoryX seems to be less expensive these days: (http://www.memoryx.net/routers.html)

    **************************************************************************

    From: Question 45

    Subject: Where can I get mzmaker to compress my IOS?

    http://www.mcseco-op.com/mzmaker.htm

    **************************************************************************

    From: Question 46

    Subject: What is the meaning of in/out in reference to an access-list?

    >Can anyone point me to a good description of the difference between "in"

    >and "out" in applying an access list to an interface? Even the good

    >books seem to only devote a sentence to the difference between them.

    The simplest explanation I've seen is: Crawl into your router and look towards the interface. If the packets are going away from you they're outbound. If they're hitting you in the forehead they're inbound.

    **************************************************************************

    From: Question 47

    Subject: How do I remove the /32 - host - route when a PPP link comes up?

    To get rid of this host route, try the following command on both ends of the link:

     no peer neighbor-route

    **************************************************************************

    From: Question 48

    Subject: How do I forward DHCP broadcasts to my DHCP server?

    > We are a Canadian company with an American office. We have a Cisco router

    > at each office connected via a T1 line. We have a DHCP server at our

    > Canadian office, and we would like it to also delegate IPs to our American

    > office. Is this possible? If so, what must be done?

    You have some choices.

    1) Run DHCP on the remote router. This will prevent the dhcp requests from coming across the WAN. The downside is that only certain IOSes support running dhcp and it is a bit more work for the router.

    2) You can enable bootp forwarding or dhcp relaying. This can be accomplished by using the "ip helper-address DHCP_SERVER_IP_HERE" interface command. But using helper-address turns on a lot of unnecessary UDP forwarding so you need to lock it down first.

    So:

    conf t
    no ip forward-protocol udp tftp
    no ip forward-protocol udp dns
    no ip forward-protocol udp time
    no ip forward-protocol udp netbios-ns
    no ip forward-protocol udp netbios-dgm
    no ip forward-protocol udp tacacs
    ip forward-protocol udp bootpc
    !
    interface ethernet0/0
     ip helper-address YOUR_REMOTE_DHCP_SERVER_IP_HERE
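As an added illustration (my code, not part of the original answer or of Cisco's documentation), the Python script below audits an IOS configuration fragment for exactly the lock-down described above. It starts from the set of UDP ports IOS relays by default once a helper address is configured (TFTP 69, DNS 53, Time 37, NetBIOS name 137, NetBIOS datagram 138, BOOTP server 67, BOOTP client 68, TACACS 49), applies each `ip forward-protocol udp` / `no ip forward-protocol udp` line, and reports which ports would still be relayed from every interface that carries an `ip helper-address`. The two sample configs and the server address 10.1.1.10 are constructed for the example.

```python
import re

# UDP ports IOS relays to an "ip helper-address" by default, before any
# "no ip forward-protocol udp <name>" trims the list.
DEFAULT_FORWARDED = {
    "tftp": 69, "dns": 53, "time": 37, "netbios-ns": 137,
    "netbios-dgm": 138, "bootps": 67, "bootpc": 68, "tacacs": 49,
}
DHCP_PORTS = {67, 68}  # the BOOTP/DHCP server and client ports

FORWARD_RE = re.compile(r"^\s*(no\s+)?ip forward-protocol udp\s+(\S+)\s*$")
IFACE_RE = re.compile(r"^\s*interface\s+(\S+)\s*$")
HELPER_RE = re.compile(r"^\s*ip helper-address\s+(\S+)\s*$")


def forwarded_ports(config):
    """UDP ports still relayed after applying the forward-protocol lines
    in *config* to the IOS default list. Unknown service names are ignored."""
    ports = set(DEFAULT_FORWARDED.values())
    for line in config.splitlines():
        m = FORWARD_RE.match(line)
        if not m:
            continue
        negated, name = m.group(1), m.group(2)
        port = DEFAULT_FORWARDED.get(name, int(name) if name.isdigit() else None)
        if port is None:
            continue
        if negated:
            ports.discard(port)
        else:
            ports.add(port)
    return ports


def helper_interfaces(config):
    """Map each interface that carries 'ip helper-address' to its targets."""
    result, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = HELPER_RE.match(line)
        if m and current is not None:
            result.setdefault(current, []).append(m.group(1))
    return result


def audit(config):
    """Summarise what the helper address will relay and which ports are
    surplus to DHCP relaying (extra broadcast traffic sent across the WAN)."""
    ports = forwarded_ports(config)
    return {
        "helpers": helper_interfaces(config),
        "forwarded_ports": sorted(ports),
        "unnecessary_ports": sorted(ports - DHCP_PORTS),
    }


# Constructed samples; the 10.1.1.10 server address is made up for the example.
LOCKED_DOWN = """\
no ip forward-protocol udp tftp
no ip forward-protocol udp dns
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip forward-protocol udp bootpc
!
interface ethernet0/0
 ip helper-address 10.1.1.10
"""

BARE = """\
interface ethernet0/0
 ip helper-address 10.1.1.10
"""

if __name__ == "__main__":
    print(audit(LOCKED_DOWN))  # only the two BOOTP/DHCP ports remain
    print(audit(BARE))         # the whole default list is relayed across the WAN
```

With the lock-down applied the audit leaves only ports 67 and 68 in the forwarded set; with a bare helper address it flags 37, 49, 53, 69, 137 and 138 as surplus, which is the "unnecessary UDP forwarding" the answer warns about.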

    **************************************************************************

    From: Question 49

    Subject: How do I send L2 traffic through a tunnel?

    > Thanks for answering my post, the current problem I have is I need to send

    > Layer2 type traffic through a tunnel ... is this possible ?

    Sure. See...

    http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/inter_c/icdlogin.htm#xtocid292793

    > I enabled bridging on both routers and created a bridge group and that

    > seems to work fine I can see my netbeui traffic passing ....

    > The problem is I have to be able to encapsulate netbeui or any other Layer2

    > type protocol and encapsulate within a IP packet.

    The usual way to do this is using a GRE tunnel between two routers, and configuring an additional loopback interface on each router as the source interface for the tunnel traffic, as below. Here, each router has a bridge group defined which allows certain traffic only as stated in the 200-series ACL onto the loopback interface. In this case it's LAT only - you will need to check the LSAP protocol number(s) for netbios/netbeui as I can't remember these off-hand. Once the traffic is forwarded from the LAN interface onto the loopback, it is encapsulated into IP GRE and forwarded to the far router.

                        -----------------------------
                       /                             \
                Tunnel0|                             |Tunnel0
                       |                             |
    LAN--------Router A-------WAN Cloud-------Router B--------LAN
          Eth0         Ser0             Ser0          Eth0

    Router A
    --------
    int e0
     ip address 192.168.100.254 255.255.255.0
     bridge-group 1
    int loop0
     no ip address
     bridge-group 1
     bridge-group 1 output-type-list 200
    int tunnel 0
     tunnel source interface loopback0
     tunnel destination 192.168.200.254
    access-list 200 permit 0x6000 0x600f

    Router B
    --------
    int e0
     ip address 192.168.200.254 255.255.255.0
     bridge-group 1
    int loop0
     no ip address
     bridge-group 1
     bridge-group 1 output-type-list 200
    int tunnel0
     tunnel source interface loopback0
     tunnel destination 192.168.100.254
    access-list 200 permit 0x6000 0x600f
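Added example (mine, not from the original answer): a small Python evaluator for the 200-series type-code list above, so you can check what the bridge group will actually pass onto the loopback, and hence into the GRE tunnel, before deploying it. IOS compares a 16-bit value (the Ethertype of an Ethernet II frame, or the DSAP/SSAP pair of an 802.3/LLC frame) against each entry, treating 1-bits in the wildcard as don't-care; the first match decides and an unmatched frame is dropped. The three sample frames are constructed. The NetBIOS entry `0xf0f0 0x0101` is my addition (NetBIOS uses LSAP 0xF0), standing in for the value the answer says you must look up yourself.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TypeCodeEntry:
    permit: bool
    type_code: int
    wild_mask: int   # 1-bits are ignored when comparing, as in IOS

    def matches(self, code):
        return ((code ^ self.type_code) & ~self.wild_mask & 0xFFFF) == 0


def parse_type_code_acl(lines):
    """Parse 'access-list <200-299> permit|deny <type> <mask>' lines."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a type-code ACL line: {line!r}")
        entries.append(TypeCodeEntry(parts[2] == "permit", int(parts[3], 16), int(parts[4], 16)))
    return entries


def frame_type_code(frame):
    """The 16-bit value IOS compares: the Ethertype of an Ethernet II frame,
    or the DSAP/SSAP pair when the field holds an 802.3 length (<= 1500)."""
    field = int.from_bytes(frame[12:14], "big")
    if field <= 1500:
        return int.from_bytes(frame[14:16], "big")
    return field


def acl_permits(entries, frame):
    """First matching entry decides; no match means the implicit deny."""
    code = frame_type_code(frame)
    for entry in entries:
        if entry.matches(code):
            return entry.permit
    return False


def make_frame(type_or_length, payload=b""):
    """Constructed sample frame: zeroed MAC addresses, then the type/length
    field and, for 802.3, the LLC header."""
    return bytes(12) + type_or_length.to_bytes(2, "big") + payload


LAT_FRAME = make_frame(0x6004)                                  # DEC LAT, Ethernet II
IPV4_FRAME = make_frame(0x0800)                                 # IP, should be dropped
NETBIOS_FRAME = make_frame(0x0040, bytes([0xF0, 0xF0, 0x03]))   # 802.3 + LLC, DSAP/SSAP 0xF0

PAGE_ACL = ["access-list 200 permit 0x6000 0x600f"]
# Added NetBIOS entry: LSAP 0xF0 in both DSAP and SSAP; the 0x0101 wildcard
# ignores the low (group/response) bit of each SAP.
EXTENDED_ACL = PAGE_ACL + ["access-list 200 permit 0xf0f0 0x0101"]

if __name__ == "__main__":
    for name, frame in [("LAT", LAT_FRAME), ("IPv4", IPV4_FRAME), ("NetBIOS", NETBIOS_FRAME)]:
        print(name, "page list:", acl_permits(parse_type_code_acl(PAGE_ACL), frame),
              "extended:", acl_permits(parse_type_code_acl(EXTENDED_ACL), frame))
```

Run against the list as posted, the evaluator admits LAT (0x6004) and drops IP and NetBIOS; it also admits type code 0x2004, because a wildcard of 0x600f marks the 0x6000 bits as don't-care along with the low nibble. Checking the mask this way is cheap compared with discovering later what a bridge group carries into the tunnel.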

    **************************************************************************

    From: Question 50

    Subject: Why is measuring collisions a meaningless endeavour?

    > A more useful calculation would be to multiply collisions by

    > 704 and then divide that by 10000000 * t, to show the total overhead

    > percentage used by collision detection. 704 is the number of

    > bit-times consumed by a collision - 96 bittimes of interframe gap,

    > 512 bits of collision, an additional 96 bittimes of interframe gap,

    > next packet is ready to transmit.

    First of all, you shouldn't count the interframe gap twice. The collision event uses an interframe gap, but the next one actually belongs to the next frame; it would be there whether or not a collision occurred.

    More important, 511 bit times is the MAXIMUM time consumed by a collision in the absolute worst-case. This requires a network with maximum extent--longest possible cables, maximum repeaters, etc.--and devices with absolute worst-case timing parameters. In most small networks (e.g., a single 10BASE-T hub), nearly all collisions occur during the preamble, and the time consumed by the collision is just 96+64+32=192 bit-times (IFG+Preamble+Jam).

    Unless you know the precise instant in which each collision occurs, you cannot calculate the bandwidth "lost" to collisions.

    (By the way, the maximum collision fragment is 511 bits, not 512--at 512 bits, it becomes a valid frame.)

    In addition, while some Ethernet controllers do return a collision count as part of the transmit status for each frame, many do not provide the SNMP/RMON driver with the exact number of collisions. Instead, the status indicates one of:

    * OK (no deferral required, no collisions encountered)

    * Deferred (deferral required, but no collisions encountered)

    * 1 collision (one collision encountered, with or without deferral)

    * >1 collision (more than one collision encountered, with or without deferral)

    * Excessive collisions (16 collisions encountered)

    * Late collision (collision encountered after 511 bits transmitted)

    With this type of controller, you cannot distinguish a frame that encountered two collisions from one that encountered fifteen, so it is hard to estimate the bandwidth "lost" due to collisions.

    Finally, I will reiterate my position that collision rates are a virtually useless metric for determining network performance. (See my earlier post on this subject.)

    Seifert's Law of Networking #21: Measurements of unimportant parameters are meaningless.

    -- Note added by Hansang Bae --

    In the WORST case scenario (i.e. the stations are at the maximum distance apart) a collision will take up to 84 byte-times to resolve itself. 64 bytes (minimum Ethernet size+FCS), 8 bytes for the preamble, and 12 bytes for the IFG.

    84 bytes is 672 bits. It takes .1 microsecond to transmit one bit (10Mb/s = 10,000,000 bits/sec = 10,000 bits/millisecond = 10 bits/microsecond = 1 bit/0.1 microsecond). So the total time spent on one collision event is 67.2 microseconds (672 bits * .1 microsecond). Now consider getting 100 collisions per second. So 100 X 67.2 microseconds is 6,720 microseconds or 6.72 milliseconds. 6.72ms/1sec comes out to .672% (6.72ms/1sec = .00672, in percentage, that's .672%). That means that 99.328% of the channel is still available for data.

    Here's another way to look at it. For every successful transmission, there was an equal number of collisions. This is a 1:1 ratio or 100% collision rate. Or equivalently, 50% of the frames that go out the NIC are collisions.

    Assume that we are talking about an FTP transfer. Typically, FTP will use the 1518 max size and there will be an ACK (Acknowledgement) for every two packets. So you would see two 1518 frames and one ACK for both. So in a collision free world, we would see 2 frames of 1518 bytes and one ACK of 64 bytes. Throw in the preamble/SFD and the IFG to the mix and you get 2*(1518 + 8 Preamble + 12 IFG) + 1*(64) = 3,140 bytes.

    Now if we have 3 collisions (one collision for each successful frame) then you have to add another 3*84 (three frames taking up 84 byte times - see #5 above). This comes out to 3,140 + (3*84) = 3,396. So the ratio is 3,140/3,396 = .9246 or 92.46%.

    That means even with 100% collision rate, we only lose about 7.53% of the bandwidth. Hardly anything to worry about! In the real world, you can expect 33% collision rate for an FTP session. Also for smaller size frames, the % of wasted bandwidth would be much greater. But then again, only large transfers tax Ethernet networks.
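To make both arguments above concrete, here is an added Python example (mine, not from either post). `collision_overhead` and `ftp_channel_efficiency` redo the note's arithmetic from its stated inputs (84 byte-times per collision event, 10 Mb/s, the two-data-frames-plus-one-ACK FTP pattern with the ACK counted as a bare 64 bytes; recomputed this way the three-collision total comes to 3,392 bytes), and `collision_event_bounds` shows Seifert's point: with a controller that reports only the status classes listed in the first post, the number of collision events behind a batch of frames can only be bracketed, not counted.

```python
BIT_RATE_10M = 10_000_000  # bits per second on 10 Mb/s Ethernet


def bits_per_collision(frame_bytes=64, preamble_bytes=8, ifg_bytes=12):
    """Bit-times one worst-case collision event occupies, using the note's
    accounting: 64 (minimum frame incl. FCS) + 8 (preamble) + 12 (IFG) = 84 bytes."""
    return 8 * (frame_bytes + preamble_bytes + ifg_bytes)


def collision_overhead(collisions_per_second, bits_per_event=None, bit_rate=BIT_RATE_10M):
    """Fraction of channel time consumed by collision events at the given rate.
    Pass bits_per_event=192 for the small-hub case Seifert describes."""
    if bits_per_event is None:
        bits_per_event = bits_per_collision()
    return collisions_per_second * bits_per_event / bit_rate


def ftp_channel_efficiency(collisions_per_frame=1, data_frames=2, data_bytes=1518, ack_bytes=64):
    """Return (useful_bytes, total_bytes, ratio) for the note's FTP pattern:
    data frames carry preamble and IFG, the ACK is counted as 64 bytes, and
    every frame (data and ACK) pays collisions_per_frame events of 84 byte-times."""
    useful = data_frames * (data_bytes + 8 + 12) + ack_bytes
    wasted = (data_frames + 1) * collisions_per_frame * (bits_per_collision() // 8)
    return useful, useful + wasted, useful / (useful + wasted)


def collision_event_bounds(status_counts):
    """Given counts of the per-frame transmit status classes from the post,
    return (minimum, maximum) collision events consistent with them. The '>1'
    class hides anything from 2 to 15 events; 'excessive' means exactly 16."""
    one = status_counts.get("1 collision", 0)
    more = status_counts.get(">1 collision", 0)
    excessive = status_counts.get("excessive", 0)
    low = one + 2 * more + 16 * excessive
    high = one + 15 * more + 16 * excessive
    return low, high


if __name__ == "__main__":
    print("100 worst-case collisions/s:", collision_overhead(100))
    print("100 small-hub collisions/s:", collision_overhead(100, bits_per_event=192))
    print("FTP with one collision per frame:", ftp_channel_efficiency())
    # Constructed status histogram for a batch of 66 transmitted frames.
    print("events hidden by coarse status:",
          collision_event_bounds({"ok": 50, "1 collision": 10, ">1 collision": 5, "excessive": 1}))
```

The bounds function is the practical takeaway: for the constructed histogram the true count lies anywhere between 36 and 101 events, a factor of almost three, so a "collision rate" derived from such counters cannot be turned into a bandwidth figure with any confidence.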

    **************************************************************************

    From: Question 51

    Subject: How do I stop password-recovery on my routers?

    "Password-recovery" might not be the best description. The feature locks out all access to the ROMMON.

    You can do this on a 2600/3600 with the global configuration command "no service password-recovery".

    The feature is indeed tied to the ROMMON. You must have a minimum ROMMON version 11.1(17)AA on the 3600, as well as minimum IOS 11.2(12)P or 11.3(3)T.

    All ROMMON versions on the 2600 support this feature.

    **************************************************************************

    From: Question 52

    Subject: How can I prevent SYN-Flood attack using CAR?

    We are talking about all different kinds of floods (ICMP, SYN, UDP, etc) throughout this post. Actually he did say that Sprint can filter on their end. I included in a different post the link to configure CAR to limit SYN attacks using web traffic as an example. Your solution looks like it would work too as there are multiple ways to configure traffic shaping.

    Configure rate limiting for SYN packets. Refer to the following example:

    interface {int}
     rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
     rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop

    access-list 152 permit tcp any host eq www
    access-list 153 permit tcp any host eq www established

    In the above example, replace:

      45000000 with the maximum link bandwidth
      1000000 with a value that is between 50% and 30% of the SYN flood rate burst
      normal and burst max rates with accurate values

    Note that if you set the burst rate greater than 30%, many legitimate SYNs may be dropped. To get an idea of where to set the burst rate, use the show interfaces rate-limit command to display the conformed and exceeded rates for the interface. Your objective is to rate-limit the SYNs as little as necessary to get things working again.

    WARNING: It is recommended that you first measure the amount of SYN packets during normal state (before attacks occur) and use those values to limit. Review the numbers carefully before deploying this measure.

    If a SYN attack is aimed against a particular host, consider installing an IP filtering package on that host. One such package is IP Filter. This can be found on http://coombs.anu.edu.au/ipfilter/ Refer to IP Filter Examples for implementation details.
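An added Python model (mine, not Cisco's or the poster's) of what the two `rate-limit` lines do, useful for reasoning about where the 1000000 figure should sit before touching a production interface. Each class is a token bucket filled at the configured rate (bits per second) up to the normal burst (bytes); a packet conforms if the bucket holds at least its size, otherwise it is dropped. Classes are tried in the order configured above, so established web traffic is policed at link speed and every other TCP segment to port 80, which is where new SYNs land, is held to the lower rate. Simplifications I have made: `established` is modelled as ACK or RST set, the extended burst is ignored, and the traffic sample (a 3000-packet SYN burst arriving together with 20 established segments) is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Single-rate policer in the spirit of CAR: rate in bits/s, normal burst
    in bytes. The extended burst of the real command is not modelled."""
    rate_bps: int
    burst_bytes: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)

    def conform(self, now, size):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst_bytes, self.tokens + elapsed * self.rate_bps / 8)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


@dataclass(frozen=True)
class Packet:
    t: float          # arrival time, seconds
    size: int         # bytes
    proto: str
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"})


def is_established(pkt):
    # IOS "established" keyword: ACK or RST bit set
    return bool(pkt.flags & {"ACK", "RST"})


def matches_www(pkt):
    return pkt.proto == "tcp" and pkt.dport == 80


def build_policer():
    """Classes in the order the page configures them: 153 (established) first,
    then 152 (all other TCP to www, i.e. new connections and SYN floods)."""
    return [
        ("acl-153 established", lambda p: matches_www(p) and is_established(p),
         TokenBucket(45_000_000, 100_000)),
        ("acl-152 new", matches_www, TokenBucket(1_000_000, 100_000)),
    ]


def police(packets, policer=None):
    """Return {class: (transmitted, dropped)}; packets matching no class pass."""
    policer = build_policer() if policer is None else policer
    counts = {name: [0, 0] for name, _, _ in policer}
    counts["unmatched"] = [0, 0]
    for pkt in sorted(packets, key=lambda p: p.t):
        for name, match, bucket in policer:
            if match(pkt):
                counts[name][0 if bucket.conform(pkt.t, pkt.size) else 1] += 1
                break
        else:
            counts["unmatched"][0] += 1
    return {k: tuple(v) for k, v in counts.items()}


def sample_traffic():
    """Constructed sample: a 3000-packet SYN burst at t=0 alongside 20
    established 1500-byte segments to the same web server."""
    syns = [Packet(0.0, 60, "tcp", 80, frozenset({"SYN"})) for _ in range(3000)]
    data = [Packet(0.0, 1500, "tcp", 80, frozenset({"ACK"})) for _ in range(20)]
    return syns + data


if __name__ == "__main__":
    print(police(sample_traffic()))
```

With a 100000-byte normal burst, 1666 of the 60-byte SYNs pass before the bucket runs dry and the remaining 1334 are dropped, while the 20 established segments (30000 bytes against a 45 Mb/s bucket) all pass. That is the intended shape: the low-rate class absorbs the flood without touching traffic that has already completed the handshake, and `show interfaces rate-limit` on the real router is where you read the equivalent conformed and exceeded counters.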

    **************************************************************************

    From: Question 53

    Subject: How do I setup a Multilink PPP?

    You have to create a virtual-template interface with ip address information; PPP then creates a virtual-access interface with that address.

    !
    multilink virtual-template 1
    !
    interface Virtual-Template1
     ip unnumbered Loopback0 (or ip address)
     no ip mroute-cache
     ppp multilink
    !
    interface Serial0
     no ip address
     encapsulation ppp
     no fair-queue
     ppp multilink
    !
    interface Serial1
     no ip address
     encapsulation ppp
     no fair-queue
     ppp multilink

    **************************************************************************

    From: Question 54

    Subject: How do I setup ppp callback with dialer-pool?

    This is a real hard stuff to do ppp callback with dialer-pool, there a some c